Hp Tippingpoint Next Generation Firewall Series Command Reference Guide NGFW_CLIGuide_5998 4803

2015-01-05


HP TippingPoint
Next Generation Firewall Command Line
Interface Reference Guide
Version 1.0.1
Abstract
This reference manual describes the Next Generation Firewall Command Line Interface (CLI) and the commands you
can use to configure and manage an NGFW appliance.
Part number: 5998-4803
Edition: August 2013, First
Legal and notice information
© Copyright 2013 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company makes no warranty of any kind with regard to this material, including, but not limited to, the implied warranties of
merchantability and fitness for a particular purpose. Hewlett-Packard shall not be liable for errors contained herein or for incidental or consequential
damages in connection with the furnishing, performance, or use of this material.
This document contains proprietary information, which is protected by copyright. No part of this document may be photocopied, reproduced, or
translated into another language without the prior written consent of Hewlett-Packard. The information is provided “as is” without warranty of any
kind and is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements
accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for
technical or editorial errors or omissions contained herein.
TippingPoint®, the TippingPoint logo, and Digital Vaccine® are registered trademarks of Hewlett-Packard. All other company and product names
may be trademarks of their respective holders. All rights reserved. This document contains confidential information, trade secrets or both, which are
the property of Hewlett-Packard. No part of this documentation may be reproduced in any form or by any means or used to make any derivative
work (such as translation, transformation, or adaptation) without written permission from Hewlett-Packard or one of its subsidiaries.
Adobe® and Acrobat® are trademarks of Adobe Systems Incorporated.
Intel and Itanium are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries.
Microsoft, Windows, Windows NT, and Windows XP are U.S. registered trademarks of Microsoft Corporation.
Oracle® is a registered U.S. trademark of Oracle Corporation, Redwood City, California.
UNIX® is a registered trademark of The Open Group.
Printed in US or Puerto Rico
Table of Contents
About This Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
Target Audience . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
Related Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
Document Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
Typefaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
Document Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
Customer Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Contact Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
1 Command Line Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Command Line Interface Syntax. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Shortcut Navigation Keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Hierarchical Menu and Prompt display. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Help. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Command Modes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Root Command Mode. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Edit Configuration Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Configuration File Versions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Utilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Display . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
2 Global Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
commit. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
exit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
help. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
more . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
display . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
3 Root Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
boot . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
clear . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
date . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
edit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
flush . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
help. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
high-availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
list. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
log-configure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
logout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
master-key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
ping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
ping6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
reboot . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
save-config. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
service-access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
set. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
show aaa. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
show agglink . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
show arp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
show ndp. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
show autoconf dhcpv4 client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
show autoconf dhcpv6 client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
show autoconf ra . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
show cluster . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
show date . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
show dhcp relay . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
show dhcp server lease . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
show dhcpv6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
show dns . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
show firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
show high-availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
show interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
show ip bgp. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
show ip igmp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
show ip mroute. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
show ip ospf . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
show ip pim-sm. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
show ip rip. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
show ip route . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
show ip smr . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
show ipv6 mld . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
show ipv6 mroute . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
show ipv6 ospfv3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
show ipv6 pim-sm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
show ipv6 ripng . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
show ipv6 route ospfv3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
show ipv6 route ripng . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
show (ip|ipv6) route . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
show key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
show l2tp. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
show license. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
show log-file. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
show log-file FILE_NAME . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
show log-file FILE_NAME stat . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
show log-file summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
show log-file boot . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
show mfg-info. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
show np engine . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
show np general statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
show np protocol-mix . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
show np reassembly . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
show np rule-stats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
show np softlinx . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
show np tier-stats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
show quarantine-list. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
show reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
show service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
show sms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
show snmp. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
show system buffers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
show system connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
show system processes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
show system statistics. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
show system usage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
show system virtual-memory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
show system xms memory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
show terminal. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
show traffic-file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
show tse connection-table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
show tse . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
show user-disk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
show users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
show version . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
shutdown . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
sms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
snapshot create . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
snapshot list . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
snapshot remove. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
snapshot restore . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
tcpdump . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
traceroute. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
traceroute6. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
user-disk. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
4 Log Configure Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
display . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
email. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
log-file-size . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
log-storage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
log-test. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
rotate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
5 Edit Running Configuration Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
Configuration Contexts by Function . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
Monitor/System. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
Routing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
VPN. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
Edit Context Commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
aaa. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
actionsets. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
addressgroups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
application-filter-mgmt . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
application-groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
application-visibility. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
autodv . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
blockedStreams . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
captive-portal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
cluster . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
delete . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
dhcp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
dns . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
dst-nat . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
gen . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
global-inspection. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
high-availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
ip . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
ips . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
ipv6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
l2tp-serverX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
multicast-registration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
notifycontacts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
ntp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
reputation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
route-map . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
router . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
schedules. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
segmentX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
snmp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
src-nat . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
vpn . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
zones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
Contexts and Related Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
running-aaa Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
running-aaa-ldap-group-X Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
running-aaa-radius-group-X Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
running-actionsets Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
running-actionsets-X Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
running-addressgroups Context Commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
running-addressgroups-X Context Commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
running-agglinkX Context Commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
running-app-filter-mgmt Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
running-app-groups Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
running-app-groups-X Context Commands
running-autodv Context Commands
running-autodv-calendar Context Commands
running-autodv-periodic Context Commands
running-bgp-X Context Commands
running-blockedStreams Context Commands
running-bridgeX Context Commands
running-captive-portal Context Commands
running-captive-portal-rule-X Context Commands
running-certificates Context Commands
running-certificates-crl Context Commands
running-cluster Context Commands
running-cluster-tct Context Commands
running-dhcp-relay Context Commands
running-dhcp-server Context Commands
running-dhcp-server-X Context Commands
running-dnat Context Commands
running-dnat-rule-X Context Commands
running-dns Context Commands
running-ethernetX Context Commands
running-firewall Context Commands
running-firewall-rule-X Context Commands
running-gen Context Commands
running-global-inspection Context Commands
running-greX Context Commands
running-high-availability Context Commands
running-ips Context Commands
running-ips-X Context Commands
running-ipsec Context Commands
running-ipsec-policy-X Context Commands and their Usage
running-ipsec-vpn-X Context Commands and their Usage
running-l2tp-serverX Context Commands
running-l2tpX Context Commands
running-log Context Commands
running-loopbackX Context Commands
running-manual-sa Context Commands
running-mgmt Context Commands
running-multicast-registration Context Commands
running-notifycontacts (email) Context Commands
running-notifycontacts-X (SNMP) Context Commands
running-ntp Context Commands
running-phase1-proposal-X Context Commands and their Usage
running-phase1-proposal-X Context Commands and their Usage
running-ospf Context Commands
running-ospfv3 Context Commands
running-pim-smv4 Context Commands
running-pim-smv6 Context Commands
running-pppoeX Context Commands
running-pptpX Context Commands
running-rep Context Commands
running-rep-X (group X) Context Commands
running-rep-X (profile X) Context Commands
running-rip Context Commands
running-ripng Context Commands
running-route-map Context Commands
running-schedules Context Commands
running-schedules-X Context Commands
running-segmentX Context Commands
running-services Context Commands
running-services-X Context Commands
running-smr Context Commands
running-snat Context Commands
running-snat-rule-X Context Commands
running-snmp Context Commands
running-vlanX Context Commands
running-zones Context Commands
running-zones-X Context Commands
About This Guide
The Next Generation Firewall command line interface enables you to configure and manage the NGFW
Appliance from a command line. The NGFW commands can be used in custom scripts to automate tasks.
This section covers the following topics:
Target Audience, page 1
Related Documentation, page 1
Document Conventions, page 2
Customer Support, page 3
Target Audience
This guide is intended for security network administrators and specialists that have the responsibility of
monitoring, managing, and improving system security. The audience for this material is expected to be
familiar with the HP TippingPoint Next Generation Firewall.
Related Documentation
Access the documentation at http://www.hp.com/support/manuals. For the most recent updates for your
products, check the HP Networking Support web site at http://www.hp.com/networking/support.
Document Conventions
This guide uses the following document conventions.
Typefaces, page 2
Document Messages, page 2
Typefaces
HP TippingPoint publications use the following typographic conventions for structuring information:
Table 1-1 Document Typographic conventions
Convention                                  Element
Medium blue text: Figure 1                  Cross-reference links and e-mail addresses
Blue, underlined text (http://www.hp.com)   Web site addresses
Bold font                                   Key names
                                            Text typed into a GUI element, such as into a box
                                            GUI elements that are clicked or selected, such as menu and list
                                            items, buttons, and check boxes. Example: Click OK to accept.
Italics font                                Text emphasis, important terms, variables, and publication titles.
Monospace font                              File and directory names
                                            System output
                                            Code
                                            Text typed at the command-line
Monospace, italic font                      Code variables
                                            Command-line variables
Monospace, bold font                        Emphasis of file and directory names, system output, code, and text
                                            typed at the command line
Document Messages
Document messages are special text that is emphasized by font, format, and icons. This reference guide
contains the following types of messages:
Warning
Caution
Note
Tip
WARNING! Warning notes alert you to potential danger of bodily harm or other potential harmful
consequences.
CAUTION: Caution notes provide information to help minimize risk, for example, when a failure to follow
directions could result in damage to equipment or loss of data.
NOTE: Notes provide additional information to explain a concept or complete a task. Notes of specific
importance in clarifying information or instructions are denoted as such.
IMPORTANT: Another type of note that provides clarifying information or specific instructions.
TIP: Tips provide helpful hints and shortcuts, such as suggestions about how you can perform a task more
easily or more efficiently.
Customer Support
HP is committed to providing quality customer support to all of its customers. Each customer is provided
with a customized support agreement that provides detailed customer and support contact information.
When you need technical support, use the following information to contact Customer Support.
Contact Information
For additional information or assistance, contact the HP Networking Support:
http://www.hp.com/networking/support
Before contacting HP, collect the following information:
Product model names and numbers
Technical support registration number (if applicable)
Product serial numbers
Error messages
Operating system type and revision level
Detailed questions
HP Contact Information
For the name of the nearest HP authorized reseller, see the contact HP worldwide web site:
http://www.hp.com/country/us/en/wwcontact.html
1 Command Line Interface
In addition to the Local System Manager (LSM) and the Centralized Management Capability of the
Security Management System (SMS), a Command-line Interface (CLI) can be used to configure and
manage the NGFW Appliance. The CLI is accessed directly through the console or remotely through SSH.
Non-secure connections, such as Telnet, are not permitted. For the initial setup, the "superuser" account is
set for the appliance. Once that is set, you can log in from the console and set the management port IP
address. SSH and HTTPS are then accessible at the management port IP address.
NOTE: To access the most recent updates to the NGFW product documentation, go to
http://www.hp.com/support/manuals.
This chapter covers the following topics:
• "Overview" on page 5
• "Command Modes" on page 7
• "Configuration File Versions" on page 9
Overview
This chapter covers the hierarchical structure of the CLI, the command line syntax, and an overview of how
to edit, save, and manage configuration files. Also provided is a list of Unix-like utilities for monitoring
and troubleshooting the system. The show command provides easy-to-read sections from log files. The
display command displays sections of the running configuration file, or can be used to list a preview of
your configuration file edits before making a commitment to save.
Access to the NGFW is through the console to initially configure management access. The management
port is enabled by default for SSH and LSM management access. All access is determined by group
membership and the management of their roles. To configure granular levels of access, the aaa
(Authentication and Authorization and Auditing) context has the necessary utilities to modify users, groups,
roles, and their capabilities.
Command Line Interface Syntax
The following syntax is used in the CLI.
Table 1-1 Command Line Syntax
Syntax Convention   Explanation
UPPERCASE           Uppercase text is replaced by a value that you supply.
(x)                 Parentheses indicate a mandatory argument.
[x]                 Brackets indicate an optional argument.
|                   A vertical bar indicates a logical OR - such as alternatives within
                    parentheses or brackets.
Example:
NGFW{}traceroute ? (displays help information)
NGFW{}traceroute (A.B.C.D|HOSTNAME) [from A.B.C.D] [mgmt]
In the above example, arguments for the traceroute command must use either an IP address or the
hostname. An optional argument can either be "from" a source IP address or the argument "mgmt".
NGFW{}traceroute 198.162.0.1 from 198.162.0.2
NGFW{}traceroute 198.162.0.1 mgmt
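The notation in the syntax table above can be checked mechanically before a scripted command is sent to the appliance. The following Python code is an added example, not part of the HP guide or the NGFW software: the function names are hypothetical, and it assumes that arguments appear in the order the usage line lists them, that "|" joins the items on either side of it, and that any UPPERCASE word other than A.B.C.D, X:X::X:X and INT accepts free text.

```python
import ipaddress
import re

# Usage lines copied from this guide (the ping line is joined onto one line).
TRACEROUTE = "traceroute (A.B.C.D|HOSTNAME) [from A.B.C.D] [mgmt]"
PING = ("ping (A.B.C.D|HOSTNAME) [count (1-900000)] [maxhop (1-800)] "
        "[from A.B.C.D] [mgmt] [datasize (64-65468)]")

# A token is one grouping symbol or a run of any other non-space characters.
TOKEN = re.compile(r"[()\[\]|]|[^\s()\[\]|]+")


def parse_usage(usage):
    """Parse a usage line into a list of items.

    Items: ("word", text), ("group", seq), ("opt", seq), ("choice", [item, ...]).
    Raises ValueError on unbalanced or misplaced (), [] or |.
    """
    tokens = TOKEN.findall(usage)
    pos = 0

    def parse_item():
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError("usage ends where an argument was expected")
        tok = tokens[pos]
        pos += 1
        if tok == "(":
            return ("group", parse_seq(")"))
        if tok == "[":
            return ("opt", parse_seq("]"))
        if tok in (")", "]", "|"):
            raise ValueError(f"unexpected {tok!r} in usage")
        return ("word", tok)

    def parse_seq(closer):
        nonlocal pos
        seq = []
        while pos < len(tokens):
            tok = tokens[pos]
            if tok == closer:
                pos += 1
                return seq
            if tok == "|":                      # joins previous and next item
                if not seq:
                    raise ValueError("'|' with nothing before it")
                pos += 1
                right, left = parse_item(), seq.pop()
                if left[0] == "choice":
                    left[1].append(right)
                    seq.append(left)
                else:
                    seq.append(("choice", [left, right]))
            else:
                seq.append(parse_item())
        if closer is not None:
            raise ValueError(f"missing {closer!r} in usage")
        return seq

    return parse_seq(None)


def word_matches(spec, arg):
    """Decide whether one typed argument satisfies one word of the usage line."""
    if spec in ("A.B.C.D", "X:X::X:X"):
        try:
            return ipaddress.ip_address(arg).version == (4 if spec == "A.B.C.D" else 6)
        except ValueError:
            return False
    bounds = re.fullmatch(r"(\d+)-(\d+)", spec)     # e.g. (1-900000)
    if bounds or spec == "INT":
        if not (arg.isascii() and arg.isdigit()):
            return False
        return not bounds or int(bounds[1]) <= int(arg) <= int(bounds[2])
    if spec.isupper():                              # UPPERCASE: value you supply
        return True
    return spec == arg                              # anything else: literal keyword


def match_item(item, args, i):
    """Yield every index at which `item` can end when it starts at args[i]."""
    kind, val = item
    if kind == "word":
        if i < len(args) and word_matches(val, args[i]):
            yield i + 1
    elif kind == "choice":
        for alternative in val:
            yield from match_item(alternative, args, i)
    else:                                           # "group" or "opt"
        yield from match_seq(val, args, i)
        if kind == "opt":
            yield i                                 # optional part left out


def match_seq(seq, args, i):
    if not seq:
        yield i
        return
    for j in match_item(seq[0], args, i):
        yield from match_seq(seq[1:], args, j)


def conforms(usage, command):
    """True if `command` (typed text without the prompt) fits the usage line."""
    args = command.split()
    return any(end == len(args) for end in match_seq(parse_usage(usage), args, 0))
```
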
Shortcut Navigation Keys
The CLI has the ability to store typed commands in a circular memory. Typed commands can be recalled
with the UP and DOWN arrow keys.
The TAB key may be used to complete partial commands. If the partial command is ambiguous, pressing
the TAB key twice gives a list of possible commands.
Following is a list of shortcuts.
Table 1-2 Shortcut Keys
Shortcut      Description
ENTER         Run the command
TAB           Complete partial command
?             Question mark at the root prompt or after a command (separated by
              space) will list next valid sub-commands or command arguments.
              Question mark can also be used after sub-commands for more
              information. A question mark immediately following a character(s)
              (no space) will list commands beginning with those characters.
!             Exclamation mark before a command allows you to execute the
              command from any feature context or sub-level. For example,
              NGFW{running-gen}!ping 203.0.113.0
UP ARROW      Show the previous command
DOWN ARROW    Show the next command
Ctrl + P      Show the previous command
Ctrl + N      Show the next command
Ctrl + L      Clear the screen, does not clear history
Ctrl + A      Return to the start of the command you are typing
Ctrl + E      Go to the end of the command you are typing
Ctrl + U      Cut the whole line to a special clipboard
Ctrl + K      Cut everything after the cursor to a special clipboard
Ctrl + Y      Paste from the special clipboard used by Ctrl + U and Ctrl + K
Hierarchical Menu and Prompt display
Prompts will be displayed based on the context level as shown in the following table.
Table 1-3 Root, Edit and Log configuration modes
Command Line prompt       Description
NGFW{}                    Top level root command mode
NGFW{}edit                From the root command line mode, enter the edit command
                          to access configuration mode.
NGFW{running}             Configuration mode - indicated with the prompt change
NGFW{running}firewall     Enters the firewall configuration context
NGFW{running}display      View current configuration and your changes
NGFW{running}commit       Commits changes to the running configuration
NGFW{running}exit         Leaves the current context mode
Help
The help command provides a list of commands within the current context and the command line usage.
The help command can be executed with or without an argument.
• Enter help or ? to see a list of all commands. (A question mark at any context level generates a list of
available commands within the context, along with a brief description.)
• Enter help commandname to see the syntax for a command.
• Enter commandname ? to list the options for a command. For example, ping ?.
• Enter string? to show the commands or keywords that match the string. For example, s?.
Command Modes
The NGFW uses a hierarchical menu structure. Within this structure, commands are grouped by functional
area within one of three command modes: Root Command mode, Edit Configuration mode (edit), and
Log Configuration mode (log-configure). At the top of the hierarchy is the Root command mode.
NGFW{} Root command line mode
NGFW{running} Edit configuration mode
NGFW{log-configure} Log configuration mode
A context is an environment in which a set of parameters can be configured for a feature or named
object. A context can be the name of an instance of an object set by the administrator, or can be the
feature itself. The current context is indicated in the command prompt, and its visibility is determined by
the user’s role.
Administrative access allows the ability to modify the configuration of the NGFW appliance. Not all
contexts may be visible.
The help and display commands are useful in becoming familiar with the context options. The question
mark (?) lists the next valid entry and help for this entry.
If the appliance is controlled by SMS, only read-only access will be available to the system resources. To
determine if the SMS controls the unit, or to change the control, see the sms command usage.
Root Command Mode
When you initially enter the NGFW Appliance, either through the console or SSH, you will be placed at
the top level root command line mode with the NGFW{} prompt. The commands at this level are used for
managing and monitoring system operations for the various subsystems. From the root command mode,
you can access the configuration mode, and the available operational commands that apply to the unit as
a whole. To view the commands available at this level, type help [full|COMMAND] at the command
prompt.
NGFW{}help
The default NGFW{} command prompt can be changed using the host name command in the interface
mgmt context of the edit mode. For example:
NGFW{}edit
NGFW{running}interface mgmt
NGFW{running-mgmt}help host (displays valid entries for configuring management port host settings)
NGFW{running-mgmt}host ? (displays valid entries for host command)
NGFW{running-mgmt}host name yourhostname
Table 1-3 Root, Edit and Log configuration modes (continued)
Command Line prompt        Description
NGFW{}log-configure        From the root command line mode, enter the log-configure
                           command to access the log configuration mode.
NGFW{log-configure}        Log configuration mode
NGFW{log-configure}help    Display list of valid commands and syntax usage
NGFW{log-configure}exit    Leave the log configuration mode
For a list of root commands and their usage see the Root Commands section.
NOTE: Your membership role determines your command line interface.
Edit Configuration Mode
The configuration mode enables administrators with the appropriate credentials to write configuration
changes to the active (running) configuration. The logon account used to configure the device must either
be associated with the Superuser role or the Administrator role to edit the configuration context. The
configuration mode has different context levels that provide access to a specific set of configuration
commands. To enter the configuration mode, use the edit command. Once you have executed the edit
command the CLI prompt will indicate that you are in the Edit mode, and can make configuration
changes. Configuration options, and sub contexts are available for use until you exit. To exit the edit
configuration mode, type exit.
When exiting the configuration mode, the following warning appears:
“WARNING: Modifications will be lost. Are you sure to exit (y/n)? [n]”
y will discard any uncommitted changes you made to the configuration file, and n will keep you in the
edit context.
The display command is a helpful utility to view the current running configuration and to review your
configuration changes before you save the changes.
NGFW{running} display
A commit command must be used to save your changes to the running configuration.
The command hierarchy has two types of statements: the Container statement, which contains objects,
and the Object statement, which is an actual command with options.
For example:
Container statement in edit mode:
NGFW{running}log
NGFW{running-log}? (help will list all the available entries)
Object statement:
NGFW{running} application-visibility enable|disable (help will display command options)
A brief overview of what you can do within the edit configuration mode:
• Issue a command that configures a setting in the candidate configuration. The candidate
configuration allows you to make configuration changes without causing changes to the active
configuration until you can review your changes and issue the commit command.
• Enter into a container context to access additional configuration settings.
• Run the display command to see your candidate configuration settings for a context. Any
modifications you make can be viewed using the display command.
• Run the commit command to save any changes from your candidate configuration to the running
configuration.
• Exit from a context.
NOTE: As you move through the context menu hierarchies, the command prompt changes accordingly.
The help or display command can be entered at any level.
Configuration File Versions
When troubleshooting, or when you need to roll back a configuration, the current configuration setup can
be viewed. Reviewing network configuration files should be a necessary step in becoming knowledgeable
about your current system setup. When the device is initially configured, make sure the settings are saved
to the persistent configuration with the NGFW{}save-config command. It is also advisable to create a
snapshot using the following command:
NGFW{}snapshot create orig_conf
Snapshots capture the configuration of a device, which can then be delivered to technical support for
troubleshooting. Users can also use snapshots to save and re-apply configurations. Snapshots include the
currently installed OS version, and cannot be restored on a device that is not running the same version of
the OS. If a snapshot restore needs to be completed, use the following command:
NGFW{}snapshot restore orig_conf
A warning message is displayed, followed by an automatic reboot when snapshot restore is completed.
The NGFW Appliance CLI uses the deferred-commit model. In this capacity, the architecture maintains a
set of configuration files to ensure that a working configuration is persistently maintained. This
configuration set includes the following configuration files.
• Running configuration: this version is currently executing on the system. Any changes that
administrators make from the edit mode (except for IPS features, action sets and notification contacts)
will take effect once they have been committed, by issuing the commit command. If changes are not
committed, all modifications are discarded on exit from the running context. If multiple
administrators are on the system, the version that was last committed is used as the current running
configuration and is visible to other administrators, once they have exited the edit mode. A warning
prompt is displayed if the committed changes would overwrite configuration that was made by
another administrator since the configuration was edited.
• Saved (persistent) configuration: this is the running configuration that was last committed prior to
executing the save-config command. NGFW copies the saved configuration to the start
configuration when the system reboots.
• Start configuration: this is a backup copy of the configuration file saved at the time of system startup, and
is loaded at the next system bootup. The rollback-config command can be used to roll back to a
persistent and running configuration that was the last known good configuration.
NOTE: Future versions of the product will support multiple named saved configuration sets.
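The practical consequence of the deferred-commit model is that a committed change is live but not yet durable, and that a stale edit session can replace another administrator's commit. The following Python model is an added example, not HP code: the class and method names are hypothetical, configurations are plain dictionaries with constructed rule names, a commit is assumed to replace the running configuration wholesale, any intervening commit is assumed to trigger the warning, and rollback-config and the IPS, action set and notification contact exceptions are not modelled.

```python
import copy

BASE = {"rule-1": "permit"}          # constructed sample configuration


class CommitConflict(Exception):
    """Stands in for the CLI's overwrite warning prompt."""


class Appliance:
    """Holds the three configuration copies described above."""

    def __init__(self, factory):
        self.running = copy.deepcopy(factory)   # executing now
        self.saved = copy.deepcopy(factory)     # written by save-config
        self.start = copy.deepcopy(factory)     # loaded at boot
        self.commits = 0                        # lets a session detect it is stale

    def edit(self):
        """NGFW{}edit: the session works on its own instance of the running config."""
        return EditSession(self)

    def save_config(self):
        """NGFW{}save-config: persist what is running right now."""
        self.saved = copy.deepcopy(self.running)

    def reboot(self):
        """On reboot the saved copy becomes the start copy, which is then loaded."""
        self.start = copy.deepcopy(self.saved)
        self.running = copy.deepcopy(self.start)


class EditSession:
    def __init__(self, appliance):
        self.appliance = appliance
        self.candidate = copy.deepcopy(appliance.running)
        self.seen = appliance.commits

    def set(self, key, value):
        self.candidate[key] = value             # candidate only, nothing is live yet

    def commit(self, overwrite=False):
        """NGFW{running}commit; overwrite=True models answering the warning with y."""
        if self.appliance.commits != self.seen and not overwrite:
            raise CommitConflict("another administrator committed since this edit began")
        self.appliance.running = copy.deepcopy(self.candidate)
        self.appliance.commits += 1
        self.seen = self.appliance.commits

    def exit(self):
        """Leaving without commit discards the candidate."""
        self.candidate = None


def committed_but_not_saved():
    """Commit a block rule, skip save-config, reboot: is the rule still there?"""
    fw = Appliance(BASE)
    session = fw.edit()
    session.set("rule-2", "block")
    session.commit()
    live_before_reboot = "rule-2" in fw.running
    fw.reboot()
    return live_before_reboot, "rule-2" in fw.running


def committed_and_saved():
    """Same change, followed by save-config before the reboot."""
    fw = Appliance(BASE)
    session = fw.edit()
    session.set("rule-2", "block")
    session.commit()
    fw.save_config()
    fw.reboot()
    return "rule-2" in fw.running


def stale_session_overwrite():
    """Two administrators edit at once; the second accepts the overwrite warning."""
    fw = Appliance(BASE)
    first, second = fw.edit(), fw.edit()
    first.set("rule-2", "block")
    first.commit()
    second.set("rule-3", "permit")
    try:
        second.commit()
        warned = False
    except CommitConflict:
        warned = True
    second.commit(overwrite=True)
    return warned, sorted(fw.running)
```

In this model the first administrator's block rule disappears once the second administrator accepts the warning, which is why the display output is worth reviewing again after a conflict prompt.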
Utilities
The Display and Show commands are helpful for troubleshooting and monitoring the operational status of
the system. Command line usage can be found in Root Commands.
Display
Enter display to see your candidate configuration settings for a context. Any modifications you make can
be viewed using the display command. The output of the display command depends on where the
command is executed. If executed at the configuration level, it displays the entire configuration of the unit.
Executing the display command with a configuration name parameter, or from within a context displays
the contents of that particular configuration.
Show
The show command is most efficient in providing critical information, such as traffic usage, router platform
type, operating system revision, amount of memory, and the number of interfaces. The show command can
also be used to evaluate logging, troubleshooting, tracking resources, sessions, and security settings. To
view all the available show utilities, enter the help show command at the root command level. All the
available commands along with the correct command line usage are displayed.
2 Global Commands
Global commands can be used in any context.
commit
Initiates all pending configuration changes in the edit mode.
NOTE: This command does not write the modifications to the startup configuration file. However, the
save-config command can be run from the edit configuration context by using the exclamation mark.
Syntax
commit
Example
NGFW{running}commit
NGFW{running}!save-config
exit
Exits the current context.
Syntax
exit
Example
NGFW{running-aaa}exit
NGFW{running}
help
Displays help information.
Syntax
help [full|COMMAND]
Example
NGFW{running}help log
Enter log context
Syntax: log
log Enter log context
Example
NGFW{running-firewall}help
Valid commands are:
default-block-rule DEFACTIONSET
delete rule all|XRULEID
help [full|COMMAND]
rename rule XRULEID NEWRULEID
rule (auto|RULEID) [POSITION_VALUE]
more
Set session to display output page by page.
Syntax
more (enable|disable)
Example
NGFW{running}more enable
display
Displays the current configuration, or the candidate configuration before a commit is issued. Display
options vary by context; enter the "help display" command in a context to view the available options.
Syntax
display
display [xml]
Example
NGFW{running-aaa-user-myuser1}display
# USER ID
user myuser1
3 Root Commands
The top level root command line mode displays the NGFW{} prompt. Commands at this level are used for
managing and monitoring system operations for the various subsystems. From the root command mode,
you can access the configuration mode, and the available commands that apply to the appliance as a
whole. Enter help full or help COMMANDNAME at the command prompt to display a list of available
commands or help on a specific command.
NGFW{}help
The default NGFW{} command prompt can be changed using the host name command in the interface
mgmt context of the edit mode. For example:
NGFW{}edit
NGFW{running}interface mgmt
NGFW{running-mgmt}help host (displays valid entries for configuring management port host settings)
NGFW{running-mgmt}host ? (displays valid entries for host command)
NGFW{running-mgmt}host name yourhostname
boot
Manages software packages.
Syntax
boot (list-image|rollback)
Example
NGFW{}boot list-image
Index Version
------------------------------------------------------
0 1.0.0.3935
1 1.0.0.2923
2 1.0.0.3932
3 1.0.0.3917
Oldest Index is 2
Factory Reset Index is 3
clear
Clears system information.
Syntax
clear connection-table (blocks|trusts)
clear high-availability state-sync (all|firewall|ips|routing)
clear ip bgp (A.B.C.D|ASNUMBER|all|external) [soft] [in|out]
clear ip bgp peer-group NAME [soft] [in|out]
clear log-file (audit|fwAlert|fwBlock|ipsAlert|ipsBlock|quarantine|reputationAlert|reputationBlock|system|visibility|vpn)
clear np engine filter
clear np engine packet
clear np engine parse
clear np engine reputation dns
clear np engine reputation ip
clear np engine rule
clear np reassembly ip
clear np reassembly tcp
clear np rule-stats
clear np softlinx
clear np tier-stats
clear counter policy
clear rate-limit streams
clear users all [locked|ip-locked]
clear users (NAME|A.B.C.D|X:X::X:X) [locked]
Example
NGFW{}clear log-file vpn
Example
NGFW{}clear ip bgp 10.10.10.10 soft in
Not cleared BGP is not active
Example
NGFW{}clear ip bgp external soft
Example
NGFW{}clear users fred
date
Used alone to display the current date, or with arguments to configure the date in a 24 hour format. The
date command shows the current time in the time zone configured on the device and the "gmt" argument
shows the time in GMT (UTC).
Syntax
date [MMDDhhmm[[CC]YY][.ss]]
date gmt
Example
NGFW{}date 071718202013.59 (sets date to July 17 2013 6:20PM 59 seconds)
edit
The edit context modifies the configuration that identifies the security policy and interfaces that you can
configure for your firewall. Edit takes an instance of the running configuration file. This instance is your
version. After making modifications to this candidate configuration version, you have the option of saving
it to the running configuration, or discarding any changes you made. To discard, simply exit. To save
your candidate configuration, enter the commit command before exiting the edit context. To see
commands under the edit context, see edit configuration.
NGFW{}
NGFW{}edit
NGFW{running}
NGFW{running}commit
NGFW{running}exit
NGFW{}
flush
Flushes the following configuration items.
Syntax
flush (arp|ndp)
flush ipsec sa policy NAME [id ID]
flush ike sa [policy NAME [id ID]]
flush bgp [ip] A.B.C.D [(in prefix-filter)|in|out|(soft [in|out])|rsclient]
flush bgp ip A.B.C.D [ipv4 (unicast|multicast) (in prefix-filter)|in|out|(soft
[in|out])]
flush bgp ip A.B.C.D [vpnv4 unicast in|out|(soft [in|out])]
flush bgp ipv6 X:X::X:X [(in prefix-filter)|in|out|(soft [in|out])|rsclient]
flush bgp [ip] dampening [A.B.C.D/M|(A.B.C.D [A.B.C.D])]
flush bgp [ip] external [(in prefix-filter)|in|out|(soft [in|out])]
flush bgp ip external [ipv4 (unicast|multicast) (in prefix-filter)|in|out|(soft
[in|out])]
flush bgp ipv6 external [(in prefix-filter)|(soft [in|out])]
flush bgp ipv6 external [peer WORD (in|out)]
flush bgp [ip] view WORD [soft [in|out]]
flush bgp [ip|ipv6] view WORD (A.B.C.D|X:X::X:X|all) rsclient
flush bgp ip view WORD [ipv4 (unicast|multicast)] (in prefix-filter)|(soft [in|out])
flush bgp [ip|ipv6] PEERAS [(in prefix-filter)|in|out|(soft [in|out])]
flush bgp ip PEERAS [ipv4 (unicast|multicast) (in prefix-filter)|in|out|(soft
[in|out])]
flush bgp ip PEERAS [vpnv4 unicast in|out|(soft [in|out])]
flush bgp [ip|ipv6] all [(in prefix-filter)|in|out|(soft [in|out])|rsclient]
flush bgp ip all [ipv4 (unicast|multicast) (in prefix-filter)|in|out|(soft
[in|out])]
flush bgp ip all [vpnv4 unicast in|out|(soft [in|out])]
flush bgp [ip|ipv6] peer-group [(in prefix-filter)|in|out|(soft [in|out])]
flush firewall-session (all|ID) [family (ipv4|ipv6)]
Example
NGFW{}flush firewall-session 134217756
Success
NGFW{}flush ipsec sa policy mytunnel
help
Displays help information at any context level.
high-availability
Manage high-availability devices.
Syntax
high-availability force (active|passive)
high-availability segment force (normal|fallback)
Example
NGFW{}high-availability segment force normal
Status: OK
list
Displays traffic capture file list.
Syntax
list traffic-file
Example
NGFW{}list traffic-file
log-configure
Enter log configuration context.
Syntax
log-configure
Example
NGFW{}log-configure
NGFW{log-configure}help
NGFW{log-configure}show log-file summary
Related Commands
Log Configure Commands
logout
Logs you out of the system.
Syntax
logout
Example
NGFW{} logout
master-key
The system master-key is used to encrypt the removable user-disk (the external CFast), and the system
keystore. The user-disk holds traffic logs, packet capture data, and system snapshots. The keystore retains
data such as device certificates and private keys.
The master-key has the following complexity requirements:
• Must be between 9 and 32 characters in length.
• Combination of upper and lower case alpha and numbers.
• Must contain at least one "special" character (e.g., !@#$%).
Set or clear the master key for keystore and external CFast user-disk encryption.
Syntax
master-key (clear|get|set)
Example
Set the master key for keystore and user-disk encryption
NGFW{}master-key set
WARNING: Master key will be used to encrypt the keystore and external user disk.
Do you want to continue (y/n)? [n]: y
Enter Master Key : ****************
Re-enter Master Key: ****************
Success: Master key has been set.
Example
NGFW{}master-key get
Success: My.1.MasterKey!!
Example
NGFW{}master-key clear
WARNING: Clearing master key will remove encryption from the keystore and
external user disk.
Do you want to continue (y/n)? [n]: y
Success: Master key has been cleared.
ping
Test connectivity with ICMP traffic. The mgmt option uses the management interface.
Syntax
ping (A.B.C.D|HOSTNAME) [count INT] [maxhop INT] [from A.B.C.D] [mgmt] [datasize INT]
ping (A.B.C.D|HOSTNAME) [count (1-900000)] [maxhop (1-800)] [from A.B.C.D] [mgmt]
[datasize (64-65468)]
ping6 (X:X::X:X|HOSTNAME) [count INT] [maxhop INT] [interface INTERFACE] [from
X:X::X:X] [datasize INT]
ping6 (X:X::X:X|HOSTNAME) [count (1-900000)] [maxhop (1-800)] [interface INTERFACE]
[from X:X::X:X] [datasize (64-65468)]
Example
NGFW{}ping 192.168.1.1 mgmt
ping using mgmt port
PING 192.168.1.1 (192.168.1.1): 56 data bytes
64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 vrfid=500 time=0.4 ms
64 bytes from 192.168.1.1: icmp_seq=2 ttl=64 vrfid=500 time=0.1 ms
64 bytes from 192.168.1.1: icmp_seq=3 ttl=64 vrfid=500 time=0.1 ms
64 bytes from 192.168.1.1: icmp_seq=4 ttl=64 vrfid=500 time=0.1 ms
--- 192.168.1.1 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 0.1/0.1/0.4 ms
ping6
Test connectivity with ICMPv6 traffic
Syntax
ping6 (X:X::X:X|HOSTNAME) [count (1-900000)] [maxhop (1-800)] [interface INTERFACE]
[from X:X::X:X] [datasize (64-65468)]
Example
NGFW{}ping6 100:0:0:0:0:0:0:1
ping using data ports
PING 100:0:0:0:0:0:0:1 (100:0:0:0:0:0:0:1): 56 data bytes
64 bytes from 100:0:0:0:0:0:0:1: icmp_seq=1 ttl=64 vrfid=0 time=0.3 ms
64 bytes from 100:0:0:0:0:0:0:1: icmp_seq=2 ttl=64 vrfid=0 time=0.1 ms
64 bytes from 100:0:0:0:0:0:0:1: icmp_seq=3 ttl=64 vrfid=0 time=0.1 ms
64 bytes from 100:0:0:0:0:0:0:1: icmp_seq=4 ttl=64 vrfid=0 time=0.1 ms
--- 100:0:0:0:0:0:0:1 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 0.1/0.1/0.3 ms
reboot
Reboots the system.
Syntax
reboot
Example
NGFW{}reboot
WARNING: Are you sure you want to reboot the system (y/n) [n]:
reports
Configure data collection for on-box reports.
Syntax
reports (reset|enable|disable)
[all|cpu|disk|fan|memory|network|rate-limiter|temperature|traffic-profile|vpn]
Valid entries:
reset Delete report data
enable Start data collection for reports
disable Stop data collection for reports
all All reports (default)
cpu CPU utilization report
disk Disk utilization report
fan Fan speed report
memory Memory utilization report
network Network bandwidth report
rate-limiter Rate Limiter report
temperature Temperature report
traffic-profile Traffic Profile report
vpn VPN report
Example
NGFW{}reports enable cpu
NGFW{}reports reset cpu
WARNING: Are you sure you want to reset cpu reports (y/n)? [n]:
Related Commands
show reports
save-config
Saves the running configuration to a persistent configuration.
Syntax
save-config
Example
NGFW{}save-config
WARNING: Saving will apply this configuration at the next system start. Continue
(y/n)? [n]:
service-access
Enable or disable service access.
Syntax
service-access (enable|disable)
Example
NGFW{}service-access enable
Serial: X-NGF-S1020F-GENERIC-001
Salt: Zk0lenyg
NGFW{}service-access disable
set
Syntax
set cli filtering rule (auto-comment|no-auto-comment|(last-auto-comment-value INT))
Example
NGFW{}set cli filtering rule auto-comment
NGFW{}set cli filtering rule no-auto-comment
show
The show command enables you to view current system configuration, status, and statistics.
Table 3-1 Show command
Command Description
show aaa show AAA information
show agglink Show agglink status
show arp Show Address Resolution Protocol entries
show autoconf dhcpv4 client IPv4 Dynamic Host Configuration Protocol
show autoconf dhcpv6 client IPv6 Dynamic Host Configuration Protocol
show autoconf ra Show autoconfig Router Advertisement information
show cluster Show cluster status
show date Show the current router date and time
show dhcp relay Show DHCPv4 Relay information
show dhcp server lease Display DHCP server leases history
show dhcpv6 Show DHCPv6 client lease
show dns Show Domain Name Service
show firewall Displays firewall rules and sessions.
show high-availability Show high-availability status
show interface Show network interface
show ip bgp Show the Border Gateway Protocol information
show ip igmp Show Internet Group Management Protocol
show ip mroute Show Multicast Static IP route
show ip ospf Show Open Shortest Path First (OSPF) information
show ip pim-sm Show PIM-SM routing information
show ip rip Show the RIP routes
show ip route Show the unicast routes
show ip smr Show SMR routing information
show ipv6 mld Show IPv6 routing information for MLD group or
interface
show ipv6 mroute Show IPv6 routing information for multicast routes
show ipv6 ospfv3 Show the OSPFv3 unicast routes
show ipv6 pim-sm Show ipv6 Protocol Independent Multicast - Sparse
Mode (PIM-SM) routing information
show ipv6 ripng Show RIPng routing information
show ipv6 route ripng Show ripng route information
show (ip|ipv6) route Show the unicast routes
show key Show local server SSH key information
show l2tp Show Layer 2 Tunneling Protocol information
show license Shows the license number and status
show log-file Shows the logfiles
show log-file boot Shows the boot file
show mfg-info Show manufacturing information
show ndp Show Neighbor Discovery Protocol
show np engine Show net processor statistics
show np general statistics Show general network processor information
show np protocol-mix Show network processor protocol-level statistics
show np reassembly Show network processor reassembly statistics
show np rule-stats Show network processor rules, number of flows,
successful matches
show np softlinx Show network processor softlinx statistics
show np tier-stats Show network processor throughput and utilization for
each tier
show quarantine-list Show quarantine list information
show reports Show status of data collection for reports
show service Show network service information
show sms Show status of SMS control
show snmp Show SNMP information
show system buffers Show Forwarding buffer state
show system connections Show active socket information
show system processes Show system processes
show system statistics Show system-wide protocol-related statistics
show system usage Show system usage
show system virtual-memory Show system virtual memory
show system xms memory Show xms memory usage
show terminal Show terminal settings
show traffic-file Show network traffic from file
show tse connection-table Show TSE connection-table information
show users Show users information
show version Show device version information
show aaa
Syntax
show aaa capabilities USER
Example
show aaa capabilities fred
NGFW{}show aaa capabilities fred
ID NAME STATE
---------------------------------------------
1 NGFW full
2 SECURITY full
3 FIREWALLRULES full
4 SECURITYZONES full
5 APPLICATIONGROUPS full
6 ADDRESSGROUPS full
7 SERVICES full
8 SCHEDULES full
9 INSPECTIONPROFILES full
10 IPS full
11 IPREPUTATION full
12 PROFILEGROUPS full
13 CAPTIVEPORTALRULES full
14 NATRULES full
15 ACTIONSETS full
16 SYSTEM full
17 SMSMANAGED full
18 MANAGEMENT full
19 DNS full
20 IPFILTERS full
21 UPGRADE full
22 NOTIFICATION full
23 LOGGING full
24 HIGHAVAILABILITY full
25 HACONFIGURATION full
26 HASTATE full
27 SNMP full
28 TIME full
29 FIPS full
30 UPDATE full
31 PACKAGES full
32 AUTODV full
33 SNAPSHOT full
34 USERAUTH full
35 LOCALUSER full
36 USERGROUP full
37 ROLES full
38 RADIUS full
39 LDAP full
40 CAPTIVEPORTAL full
41 GENERAL full
42 X509CERT full
43 VPN full
44 IKE full
45 IKECONFIGURATION full
46 IKESTATUS full
47 IPSEC full
48 IPSECCONFIGURATION full
49 IPSECSTATUS full
50 L2TP full
51 L2TPCONFIGURATION full
52 L2TPSTATUS full
53 REPORTING full
54 LOG full
55 FIREWALLLOG full
56 IPSLOG full
57 REPUTATIONLOG full
58 VPNLOG full
59 SYSTEMLOG full
60 AUDITLOG full
61 SECURITYREPORTS full
62 NETWORKREPORTS full
63 DEBUGTOOLS full
64 REBOOT full
65 SHUTDOWN full
66 SERVICEACCESS full
67 NETWORK full
68 INTERFACES full
69 SEGMENTS full
70 DHCPSERVER full
71 DHCPRELAY full
72 ARPNDP full
73 STATICROUTES full
74 STATICMONITOREDROUTES full
75 DYNAMICROUTING full
76 ACCESSLISTS full
77 ROUTEMAPS full
78 OSPF full
79 RIP full
80 BGP full
81 MULTICAST full
82 ROUTINGTABLE full
83 COMPACTFLASH full
84 CUSTOMCATEGORIES full
85 APPLICATIONVISIBILITY full
86 GLOBALINSPECTIONPROFILE full
87 DEBUGNP full
show agglink
Displays information about whether or not the member ports are up in the aggregated link.
Syntax
show (agglink|INTERFACE)
Example
NGFW{}show agglink
#AGGLINK TABLES
Service ETHGRP is inactive
show arp
Syntax
show arp
Example
NGFW{}show arp
IP Address Mac-Address Interface State
15.226.140.254 3c:e5:a6:13:7f:2a mgmt delay
show ndp
Syntax
show ndp
Example
NGFW{}show ndp
IP Address Mac-Address Interface State
fe80::3ee5:a6ff:fe13:7f2a 3c:e5:a6:13:7f:2a mgmt stale
show autoconf dhcpv4 client
Syntax
show autoconf dhcpv4 client (current|history)
Example
NGFW{}show autoconf dhcpv4 client
Example
NGFW{}show autoconf dhcpv4 client history
# DHCPCLIENT LEASES HISTORY
Service DHCP is inactive
show autoconf dhcpv6 client
Syntax
show autoconf dhcpv6 client
Example
NGFW{}show autoconf dhcpv6 client
Service DHCPv6 client is inactive
show autoconf ra
Syntax
show autoconf ra (INTERFACE|all)
Example
NGFW{}show autoconf all
no data
show cluster
Syntax
show cluster
Example
cluster.3-device23{} show cluster
Cluster Status
--------------
Name: cluster
Identifier: 3
State: Enabled
Segment HA: Normal
Master: cluster.3-device23
Members
-------
Name: cluster.3-device23
HA State: Active
show date
This command shows the GMT time or the local time and timezone for the appliance.
Syntax
show date [gmt]
Example
NGFW{}show date
Sun Sept 15 04:29:59 2013 GMT
NGFW{}show date gmt
Wed Aug 21 21:51:13 2013 GMT
NGFW{}show date
Wed Aug 21 14:51:16 2013 America/Los_Angeles
show dhcp relay
Shows DHCPv4 Relay information.
Syntax
show dhcp relay
Example
NGFW{}show dhcp relay
DHCP Relay is not running
show dhcp server lease
Syntax
show dhcp server lease (current | history)
Example
NGFW{}show dhcp server lease current
Status: Inactive
IP Address Mac Address Start date & time End date & time
show dhcpv6
Syntax
show dhcpv6
Example
NGFW{}show dhcpv6
Service DHCPv6 client is inactive
show dns
Syntax
show dns
Example
NGFW{}show dns
# DNS PROXY
Proxy Disabled
# STATIC DNS
# DYNAMIC V4 DNS
# DYNAMIC V6 DNS
show firewall
Displays firewall rules and sessions.
Syntax
show firewall rules [count MAX-RULES] [rule all|ID] [action-set ACTIONSET]
[src-zones SRC-ZONE] [dst-zones DST-ZONE] [services SERVICES] [schedules SCHEDULE]
[application APPS] [more]
show firewall sessions [count MAX-SESSIONS] [family FAMILY] [protocol PROTOCOL]
[direction DIRECTION] [more]
Example
NGFW{}show firewall sessions
ID Protocol State Direction Source(IP:PORT) Destination(IP:PORT) Bytes Expires
------------------------------------------------------------------------------------
3469 IGMP(2) unreplied original 192.168.1.1 224.0.0.2 32 75
reply 224.0.0.2 192.168.1.1 0
NGFW{}show firewall rules
1. Rule: 20000
Action set: Permit + Notify
2. Rule: 20010
Action set: Permit + Notify
show high-availability
Syntax
show high-availability (state-sync (all|FEATURE))
Example
NGFW{}show high-availability state-sync firewall
HA Synchronization State
------------------------
Name: firewall
State: enabled
Synchronization State: Not initialized
Reason: Unable to determine synchronization state
Total Entries: 353
Added Entries: 324
Deleted Entries: 0
Related Commands
high-availability force (active|passive)
high-availability segment force (normal|fallback)
show interface
Syntax
show interface [INTERFACE [statistics [update INT]]]
show interface [INTERFACE] multicast-registration
Examples
NGFW{}show interface ha
Interface ha
MAC Address 00:10:f3:2c:81:df
Enabled Yes
Link Down
Speed 10Mbps
Auto Negotiate Enabled
Duplex Half
MTU 9216
NGFW{}show interface mgmt
Interface mgmt
IP Address A.B.C.D/24
IPv6 Address fe80::210:f3ff:fe2c:81de/64 (Link Local)
MAC Address 00:10:f3:2c:81:de
Enabled Yes
Link Up
Speed 1000Mbps
Auto Negotiate Enabled
Duplex Full
MTU 1500
NGFW{}show interface bridge1
Interface bridge1
IPv6 Address fe80::210:f3ff:fe2c:81e2/64 (Link Local)
MAC Address 00:10:f3:2c:81:e2
Enabled Yes
Link Up
MTU 1500
NGFW{}show interface multicast-registration
default:
IGMP: igmpv3
MLD : mldv2
force:
IGMP: igmpv3
MLD : mldv2
show ip bgp
Syntax
show ip bgp
show ip bgp debug
show ip bgp A.B.C.D/M
show ip bgp summary
show ip bgp neighbors
show ip bgp neighbors A.B.C.D
show ip bgp neighbors A.B.C.D (advertised-routes|routes)
show ip bgp filter-list FILTER-LIST-NAME
show ip bgp prefix-list PREFIX-LIST-NAME
show ip bgp route-map ROUTE-MAP-NAME
show ip bgp community-list COMMUNITY-LIST-NAME
show ip bgp community AA:NN|internet|local-as|no-export|no-advertise
Example
NGFW{}show ip bgp
BGP Router Default Instance (ASN 230)
BGP table version is 0, local router ID is 172.16.30.230
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, R Removed
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*> 99.1.0.0/24 172.16.30.99 11 32768 ?
*> 99.2.0.98/32 172.16.30.99 11 32768 ?
*> 172.16.40.0/24 172.16.20.98 0 0 98 i
Total number of prefixes 3
show ip igmp
Shows IGMP interface information or group information.
Syntax
show ip igmp (interface|groups)
Example
NGFW{}show ip igmp interface
ethernet2 is up
Interface address: 172.16.30.230/24
IGMP on this interface: enabled
Multicast routing on this interface: enabled
Multicast TTL threshold: 1
Current IGMP router version: 3
IGMP query interval: 125 seconds
IGMP max query response time: 100 deciseconds
Last member query response interval: 10 deciseconds
IGMP Querier: 172.16.30.230
Robustness: 2
Require Router Alert: enabled
Startup Query Interval: 312 deciseconds
Startup Query Count: 2
General Query Timer Expiry: 00:00:07
Startup Query Timer Expiry: 00:00:07
Multicast groups joined:
show ip mroute
Shows the multicast routes.
Syntax
show ip mroute
Example
NGFW{}show ip mroute
Source Group In-interface Out-interface(s)
152.168.1.2 239.255.255.2 pimreg ethernet1
show ip ospf
Displays general information about Open Shortest Path First (OSPF) routing processes.
Syntax
show ip ospf ?
show ip ospf (database|interface[IFACE]|neighbor [debug]|redistribute|route[debug])
Example
NGFW{}show ip ospf
OSPF Router with ID (15.255.125.122)
OSPF Routing Process 0 [VRF 0], Router ID: 15.255.125.122
Supports only single TOS (TOS0) routes
This implementation conforms to RFC2328
RFC1583Compatibility flag is disabled
OpaqueCapability flag is enabled
SPF schedule delay 200 secs, Hold time between two SPFs 1000 secs
Refresh timer 10 secs
Kernel delay 50 ms
This router is an ASBR (injecting external routing information)
Redistribute Configuration
Maximum-Prefix is not configured
Number of external LSA 0. Checksum Sum 0x00000000
Number of opaque AS LSA 0. Checksum Sum 0x00000000
Number of areas attached to this router: 1
Area ID: 0.0.0.0 (Backbone)
Number of interfaces in this area: Total: 1, Active: 1
Number of fully adjacent neighbors in this area: 1
Area has no authentication
SPF algorithm executed 8 times (in 0 ms)
Number of LSA 3
Number of router LSA 2. Checksum Sum 0x00015328
Number of network LSA 1. Checksum Sum 0x00000b59
Number of summary LSA 0. Checksum Sum 0x00000000
Number of ASBR summary LSA 0. Checksum Sum 0x00000000
Number of NSSA LSA 0. Checksum Sum 0x00000000
Number of opaque link LSA 0. Checksum Sum 0x00000000
Number of opaque area LSA 0. Checksum Sum 0x00000000
show ip pim-sm
Syntax
show ip pim-sm (interface|neighbor|rp|bsr-router)
Example
NGFW{}show ip pim-sm interface
Address Interface Mode Neighbor Hello DR DR Address
Count Intvl Pri
182.168.1.10 ethernet5 sparse 1 30 1 182.168.1.20
Example
ngfw{}show ip pim-sm neighbor
Interface Address
ethernet5 182.168.1.20
ngfw{}show ip pim-sm bsr-router
PIMv2 Bootstrap information
This system is the Bootstrap Router (BSR)
BSR address: 182.168.1.10
Uptime: 00:00:26, BSR Priority: 10, Hash mask length: 30
Next bootstrap message in 00:00:34
ngfw{}show ip pim-sm rp
The PIM RP Set
Group: 239.255.255.2/32
RP: 182.168.1.10
Uptime: 00:00:51, Expires: 00:01:39, Priority: 10
show ip rip
Shows the RIP routes.
Syntax
show ip rip
Example
NGFW{}show ip rip
RIP Router Default Instance
Routing Protocol is "rip"
Sending updates every 30 seconds with +/-50%, next due in 29 seconds
Timeout after 180 seconds, garbage collect after 120 seconds
Mesage load balancing using 1 time slots
Default redistribution metric is 1
Redistributing:
Default version control: send version 2, receive any version
Interface Send Recv Pri RIPv1BorderGW RIPv1IngrSumy Key-chain
ethernet1 2 1 2 7 Enable Enable
Split horizon
No authentication
Routing for Networks:
ethernet1
Routing Information Sources:
Gateway BadPackets BadRoutes Distance Last Update
Distance: (default is 120)
show ip route
Syntax
show ip route (bgp|connected|debug|mgmt|ospf|rip|smr|static)
Example
NGFW{}show ip route debug
Codes: K - kernel route, C- connected, S - static, R - RIP, O - OSPF,
B - BGP, > - selected route, * - FIB route
K * 127.0.0.0/8 is directly connected, unknown(0) inactive, rej
C>* 127.0.0.0/8 is directly connected, lo
C>* 192.168.1.0/24 is directly connected, ethernet13
C>* 192.168.100.0/24 is directly connected, ethernet14
K>* 224.0.0.2/32 is directly connected, lo501
S>* 0.0.0.0/0 [1/0] [vrf 500] via 15.220.140.254, mgmt
C>* 15.220.140.0/24 [vrf 500] is directly connected, mgmt
C>* 127.0.0.0/8 [vrf 500] is directly connected, lo500
C>* 127.0.0.0/8 [vrf 501] is directly connected, lo501
C>* 169.254.0.0/24 [vrf 501] is directly connected, ha
show ip smr
Show SMR routing information.
Syntax
show ip smr [status]
Example
NGFW{}show ip smr
Type Prefix NextHop Distance Probe Target
* 1.1.1.0/24 172.16.20.220 10
* 2.2.2.0/24 172.16.20.220 10
* 3.3.3.0/24 172.16.20.220 10
4.4.4.0/24 172.16.20.30 10
NGFW{} show ip smr status
3 route(s) active
1 route(s) inactive
Global round-trip avg/max 0.5/29.2 msec
10 packets/640 bytes sent last second
show ipv6 mld
Shows IPv6 routing information for MLD group or interface.
Syntax
show ipv6 mld (interface|groups)
Example
NGFW{}show ipv6 mld interface
ethernet1 is up
Interface address: fe80::210:f3ff:fe24:5b7e%ethernet1/64
MLD on this interface: enabled
Multicast routing on this interface: disabled
Current MLD router version: 2
MLD query interval: 125 seconds
MLD max query response time: 10 seconds
Last member query response interval: 10 deciseconds
MLD Querier: fe80::210:f3ff:fe24:5b7e%ethernet1
Robustness: 2
Require Router Alert: enabled
Startup Query Interval: 312 deciseconds
Startup Query Count: 2
General Query Timer Expiry: 00:01:19
Multicast groups joined:
NGFW{}show ipv6 mld groups
MLD Connected Group Membership
Group Address Interface Uptime Expires Last Reporter
ff1e:11::1 ethernet1 00:00:04 00:04:16 fe80::215:17ff:fe3c:edea%ethernet1
show ipv6 mroute
Shows IPv6 routing information for multicast routes.
Syntax
show ipv6 mroute
Example
NGFW{}show ipv6 mroute
Source Group In-interface Out-interface(s)
2001:300::2 ff1e:11::1 pimreg ethernet1
show ipv6 ospfv3
Shows the OSPFv3 unicast routes.
Syntax
show ipv6 ospfv3 (database|interface[IFACE]|neighbor[debug]|route)
Example
NGFW{}show ipv6 ospfv3
OSPFv3 Router with ID (172.16.30.230)
OSPFv3 Routing Process 0 [VRF 0] with Router-ID 172.16.30.230
Running 00:00:07
Graceful Restart: Enabled with interval 120
Status: restarting (left time 113s)
Graceful Restart Helper: Enabled
Redistribute Configuration
Maximum-Prefix is not configured
Number of AS scoped LSAs is 0
Number of AS scoped LSAs is 0
Number of areas in this router is 2
Area 0.0.0.0
Number of Area scoped LSAs is 0
Interface attached to this area: ethernet1
Area 0.0.0.9
Number of Area scoped LSAs is 0
Interface attached to this area:
show ipv6 pim-sm
Protocol Independent Multicast - Sparse Mode (PIM-SM) provides efficient communication between
members of sparsely distributed groups that are common. PIM-SM is designed to limit multicast traffic so
only switches interested in receiving traffic for a particular group receive the traffic.
Syntax
show ipv6 pim-sm (interface|neighbor|rp|bsr-router)
Example
NGFW{}show ipv6 pim-sm interface
Interface Mode Neighbor Hello DR
Count Interval Priority
ethernet5 sparse 1 30 1
Address: fe80::210:f3ff:fe24:5b82
DR Address: this system
NGFW{}show ipv6 pim-sm neighbor
Interface Address
ethernet5 fe80::210:f3ff:fe24:5b5b
PIM6v2 Bootstrap information
This system is the Bootstrap Router (BSR)
BSR address: 2001:200::10
Uptime: 00:20:00, BSR Priority: 10, Hash mask length: 126
Next bootstrap message in 00:00:00
NGFW{}show ipv6 pim-sm rp
The PIM6 RP Set
Group: ff1e:11::1/128
RP: 2001:200::10
Uptime: 00:20:22, Expires: 00:01:59, Priority: 0
show ipv6 ripng
Shows the RIPng routes.
Syntax
show ipv6 ripng
Example
NGFW{}show ipv6 ripng
RIPng Router Default Instance
Routing Protocol is "RIPng"
Sending updates every 30 seconds with +/-50%, next due in 37 seconds
Timeout after 180 seconds, garbage collect after 120 seconds
Default redistribution metric is 1
Redistributing:
Default version control: send version 1, receive version 1
Interface Send Recv
ethernet1 1 1
Split horizon
Routing for Networks:
ethernet1
Routing Information Sources:
Gateway ReceivedPackets BadPackets BadRoutes Distance Last Update
Distance: (default is 120)
show ipv6 route ospfv3
Shows the OSPFv3 unicast routes.
Syntax
show ipv6 route ospfv3
Example
NGFW{}show ipv6 route ospfv3
Codes: O - ospfv3, > - selected route, * - FIB route
O>* 1:1::/64 [110/2] via fe80::20c:29ff:fee0:c919, ethernet2, 00:00:28
O>* 2:2::2:2/128 [110/1] via fe80::72ca:9bff:fe76:16b1, ethernet2, 00:00:28
O>* 2100::/64 [110/2] via fe80::72ca:9bff:fe76:16b1, ethernet2, 00:00:28
O>* 2100::2/128 [110/1] via fe80::72ca:9bff:fe76:16b1, ethernet2, 00:00:28
show ipv6 route ripng
Shows the RIPng routes.
Syntax
show ipv6 route ripng
Example
NGFW{}show ipv6 route ripng
Codes: K - kernel route, C - connected, S - static, R - RIPng, O - OSPFv3,
I - ISIS, B - BGP, N - NAT-PT, D - Delegated Prefix, > - selected route,
* - FIB route, b - Backup route, < - delayed route, Q - Untyped route
R>* 4100::/64 [120/2] via fe80::210:f3ff:fe26:f375, ethernet2, 00:00:07
show (ip|ipv6) route
Syntax
show (ip|ipv6) route (debug|mgmt|static|connected)
Example
NGFW{}show ipv6 route static
Codes: S - static, > - selected route, * - FIB route
show key
Shows local server SSH key.
Syntax
show key
Example
NGFW{}show key
show l2tp
Shows layer 2 tunneling protocol information.
Syntax
show l2tp
Example
NGFW{}show l2tp
=============
Current sessions for L2TP:
L2TP server is not running.
show license
Syntax
show license
Example
NGFW{}show license
License: 1.0.0.11 (Transitional)
Feature Status Permit Expiration Details
-------- ------ ------- ---------- --------
License OK Allow 10/3/2013 Using the transitional license.
Update TOS OK Allow 10/3/2013
Update DV OK Allow 10/3/2013
Auxiliary DV Info Deny Never Not licensed to use feature.
ReputationDV Info Deny Never Not licensed to use feature.
show log-file
The following log files are available:
•system
•audit
•fwAlert
•fwBlock
•vpn
•ipsAlert
•ipsBlock
•reputationAlert
•reputationBlock
•quarantine
show log-file FILE_NAME
Syntax
show log-file audit [raw|tab|csv|rawcsv] [addUUID] [ASC|DESC|(tail [COUNT])]
[seqnum] [more]
show log-file fwAlert [raw|tab|csv|rawcsv] [addUUID] [ASC|DESC|(tail [COUNT])]
[seqnum] [more]
show log-file fwBlock [raw|tab|csv|rawcsv] [addUUID] [ASC|DESC|(tail [COUNT])]
[seqnum] [more]
show log-file ipsAlert [raw|tab|csv|rawcsv] [addUUID] [ASC|DESC|(tail [COUNT])]
[seqnum] [more]
show log-file ipsBlock [raw|tab|csv|rawcsv] [addUUID] [ASC|DESC|(tail [COUNT])]
[seqnum] [more]
show log-file quarantine [raw|tab|csv|rawcsv] [addUUID] [ASC|DESC|(tail [COUNT])]
[seqnum] [more]
show log-file reputationAlert [raw|tab|csv|rawcsv] [addUUID] [ASC|DESC|(tail
[COUNT])] [seqnum] [more]
show log-file reputationBlock [raw|tab|csv|rawcsv] [addUUID] [ASC|DESC|(tail
[COUNT])] [seqnum] [more]
show log-file summary [raw|tab|csv|rawcsv] [addUUID] [ASC|DESC|(tail [COUNT])]
[seqnum] [more]
show log-file system [raw|tab|csv|rawcsv] [addUUID] [ASC|DESC|(tail [COUNT])]
[seqnum] [more]
show log-file vpn [raw|tab|csv|rawcsv] [addUUID] [ASC|DESC|(tail [COUNT])] [seqnum]
[more]
show log-file boot [raw|tab|csv|rawcsv] [addUUID] [ASC|DESC|(tail [COUNT])] [seqnum]
[more]
show log-file audit [raw|tab|csv|rawcsv] [addUUID] [ASC|DESC] [search
[(options)]{0,2} PATTERN] [start-time START] [end-time END] [seqnum[ [begin BEGIN]
[end END]]] [count COUNT] [more]
show log-file fwAlert [raw|tab|csv|rawcsv] [addUUID] [ASC|DESC] [search
[(options)]{0,2} PATTERN] [start-time START] [end-time END] [seqnum[ [begin BEGIN]
[end END]]] [count COUNT] [more]
show log-file fwBlock [raw|tab|csv|rawcsv] [addUUID] [ASC|DESC] [search
[(options)]{0,2} PATTERN] [start-time START] [end-time END] [seqnum[ [begin BEGIN]
[end END]]] [count COUNT] [more]
show log-file ipsAlert [raw|tab|csv|rawcsv] [addUUID] [ASC|DESC] [search
[(options)]{0,2} PATTERN] [start-time START] [end-time END] [seqnum[ [begin BEGIN]
[end END]]] [count COUNT] [more]
show log-file ipsBlock [raw|tab|csv|rawcsv] [addUUID] [ASC|DESC] [search
[(options)]{0,2} PATTERN] [start-time START] [end-time END] [seqnum[ [begin BEGIN]
[end END]]] [count COUNT] [more]
show log-file quarantine [raw|tab|csv|rawcsv] [addUUID] [ASC|DESC] [search
[(options)]{0,2} PATTERN] [start-time START] [end-time END] [seqnum[ [begin BEGIN]
[end END]]] [count COUNT] [more]
show log-file reputationAlert [raw|tab|csv|rawcsv] [addUUID] [ASC|DESC] [search
[(options)]{0,2} PATTERN] [start-time START] [end-time END] [seqnum[ [begin BEGIN]
[end END]]] [count COUNT] [more]
show log-file reputationBlock [raw|tab|csv|rawcsv] [addUUID] [ASC|DESC] [search
[(options)]{0,2} PATTERN] [start-time START] [end-time END] [seqnum[ [begin BEGIN]
[end END]]] [count COUNT] [more]
show log-file summary [raw|tab|csv|rawcsv] [addUUID] [ASC|DESC] [search
[(options)]{0,2} PATTERN] [start-time START] [end-time END] [seqnum[ [begin BEGIN]
[end END]]] [count COUNT] [more]
show log-file system [raw|tab|csv|rawcsv] [addUUID] [ASC|DESC] [search
[(options)]{0,2} PATTERN] [start-time START] [end-time END] [seqnum[ [begin BEGIN]
[end END]]] [count COUNT] [more]
show log-file vpn [raw|tab|csv|rawcsv] [addUUID] [ASC|DESC] [search [(options)]{0,2}
PATTERN] [start-time START] [end-time END] [seqnum[ [begin BEGIN] [end END]]] [count
COUNT] [more]
show log-file boot [raw|tab|csv|rawcsv] [addUUID] [ASC|DESC] [search
[(options)]{0,2} PATTERN] [start-time START] [end-time END] [seqnum[ [begin BEGIN]
[end END]]] [count COUNT] [more]
show log-file audit [raw|tab|csv|rawcsv] [addUUID] [ASC|DESC] [search COLUMN cmp
PATTERN [and|or COLUMN cmp PATTERN]{1,25}] [start-time START] [end-time END]
[seqnum[ [begin BEGIN] [end END]]] [count COUNT] [more]
show log-file fwAlert [raw|tab|csv|rawcsv] [addUUID] [ASC|DESC] [search COLUMN cmp
PATTERN [and|or COLUMN cmp PATTERN]{1,25}] [start-time START] [end-time END]
[seqnum[ [begin BEGIN] [end END]]] [count COUNT] [more]
show log-file fwBlock [raw|tab|csv|rawcsv] [addUUID] [ASC|DESC] [search COLUMN cmp
PATTERN [and|or COLUMN cmp PATTERN]{1,25}] [start-time START] [end-time END]
[seqnum[ [begin BEGIN] [end END]]] [count COUNT] [more]
show log-file ipsAlert [raw|tab|csv|rawcsv] [addUUID] [ASC|DESC] [search COLUMN cmp
PATTERN [and|or COLUMN cmp PATTERN]{1,25}] [start-time START] [end-time END]
[seqnum[ [begin BEGIN] [end END]]] [count COUNT] [more]
show log-file ipsBlock [raw|tab|csv|rawcsv] [addUUID] [ASC|DESC] [search COLUMN cmp
PATTERN [and|or COLUMN cmp PATTERN]{1,25}] [start-time START] [end-time END]
[seqnum[ [begin BEGIN] [end END]]] [count COUNT] [more]
show log-file quarantine [raw|tab|csv|rawcsv] [addUUID] [ASC|DESC] [search COLUMN
cmp PATTERN [and|or COLUMN cmp PATTERN]{1,25}] [start-time START] [end-time END]
[seqnum[ [begin BEGIN] [end END]]] [count COUNT] [more]
show log-file reputationAlert [raw|tab|csv|rawcsv] [addUUID] [ASC|DESC] [search
COLUMN cmp PATTERN [and|or COLUMN cmp PATTERN]{1,25}] [start-time START] [end-time
END] [seqnum[ [begin BEGIN] [end END]]] [count COUNT] [more]
show log-file reputationBlock [raw|tab|csv|rawcsv] [addUUID] [ASC|DESC] [search
COLUMN cmp PATTERN [and|or COLUMN cmp PATTERN]{1,25}] [start-time START] [end-time
END] [seqnum[ [begin BEGIN] [end END]]] [count COUNT] [more]
show log-file summary [raw|tab|csv|rawcsv] [addUUID] [ASC|DESC] [search COLUMN cmp
PATTERN [and|or COLUMN cmp PATTERN]{1,25}] [start-time START] [end-time END]
[seqnum[ [begin BEGIN] [end END]]] [count COUNT] [more]
show log-file system [raw|tab|csv|rawcsv] [addUUID] [ASC|DESC] [search COLUMN cmp
PATTERN [and|or COLUMN cmp PATTERN]{1,25}] [start-time START] [end-time END]
[seqnum[ [begin BEGIN] [end END]]] [count COUNT] [more]
show log-file vpn [raw|tab|csv|rawcsv] [addUUID] [ASC|DESC] [search COLUMN cmp
PATTERN [and|or COLUMN cmp PATTERN]{1,25}] [start-time START] [end-time END]
[seqnum[ [begin BEGIN] [end END]]] [count COUNT] [more]
show log-file boot [raw|tab|csv|rawcsv] [addUUID] [ASC|DESC] [search COLUMN cmp
PATTERN [and|or COLUMN cmp PATTERN]{1,25}] [start-time START] [end-time END]
[seqnum[ [begin BEGIN] [end END]]] [count COUNT] [more]
show log-file audit [raw|tab|csv|rawcsv] [addUUID] follow [seqnum] [more]
show log-file fwAlert [raw|tab|csv|rawcsv] [addUUID] follow [seqnum] [more]
show log-file fwBlock [raw|tab|csv|rawcsv] [addUUID] follow [seqnum] [more]
show log-file ipsAlert [raw|tab|csv|rawcsv] [addUUID] follow [seqnum] [more]
show log-file ipsBlock [raw|tab|csv|rawcsv] [addUUID] follow [seqnum] [more]
show log-file quarantine [raw|tab|csv|rawcsv] [addUUID] follow [seqnum] [more]
show log-file reputationAlert [raw|tab|csv|rawcsv] [addUUID] follow [seqnum] [more]
show log-file reputationBlock [raw|tab|csv|rawcsv] [addUUID] follow [seqnum] [more]
show log-file summary [raw|tab|csv|rawcsv] [addUUID] follow [seqnum] [more]
show log-file system [raw|tab|csv|rawcsv] [addUUID] follow [seqnum] [more]
show log-file vpn [raw|tab|csv|rawcsv] [addUUID] follow [seqnum] [more]
show log-file boot [raw|tab|csv|rawcsv] [addUUID] follow [seqnum] [more]
show log-file audit stat
show log-file fwAlert stat
show log-file fwBlock stat
show log-file ipsAlert stat
show log-file ipsBlock stat
show log-file quarantine stat
show log-file reputationAlert stat
show log-file reputationBlock stat
show log-file summary stat
show log-file system stat
show log-file vpn stat
show log-file boot stat
show log-file summary [verbose]
show log-file boot [tail COUNT] [more]
show log-file boot [search [(options)]{0,2} PATTERN] [count COUNT] [more]
Example
NGFW{}show log ipsAlert
Example
NGFW{}show log quarantine
show log-file FILE_NAME stat
Shows the beginning sequence number, ending sequence number, and number of messages for the given
log file.
Syntax
show log-file FILE_NAME stat
Example
NGFW{}show log ipsBlock stat
Display limited to 500 lines...
1
241097
241097
show log-file summary
Syntax
show log-file summary [verbose]
Example
NGFW{}show log-file summary
File Total Entries First Entry Last Entry Allocated Used Location
--------------- -------------- -------------- -------------- ---------- ---- ------
system 2902 1 2902 174.32 MB 0% internal
audit 411 1 411 174.32 MB 0% internal
fwAlert 2135781 42054583 44190363 700.23 MB 66% ramdisk
fwBlock 0 0 0 700.23 MB 0% ramdisk
ipsAlert 0 0 0 350.11 MB 0% ramdisk
ipsBlock 0 0 0 350.11 MB 0% ramdisk
reputationAlert 0 0 0 175.06 MB 0% ramdisk
reputationBlock 0 0 0 175.06 MB 0% ramdisk
visibility 0 0 0 700.23 MB 0% ramdisk
quarantine 0 0 0 175.06 MB 0% ramdisk
vpn 0 0 0 175.06 MB 0% ramdisk
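Added example (not part of the HP guide): a Python parser for the show log-file summary table above that flags log files held on ramdisk, which the user-disk warning later in this guide describes as stored in memory only, along with files whose first sequence number is above 1 and files past a usage threshold. The function names and the 60% threshold are assumptions, and reading a first entry above 1 as "older entries are no longer in the local file" is this example's interpretation of the table; the sample text is copied from the output above.

```python
import re
from typing import NamedTuple

# Copied from the guide's example output for `show log-file summary`.
SAMPLE = """\
File Total Entries First Entry Last Entry Allocated Used Location
--------------- -------------- -------------- -------------- ---------- ---- ------
system 2902 1 2902 174.32 MB 0% internal
audit 411 1 411 174.32 MB 0% internal
fwAlert 2135781 42054583 44190363 700.23 MB 66% ramdisk
fwBlock 0 0 0 700.23 MB 0% ramdisk
ipsAlert 0 0 0 350.11 MB 0% ramdisk
ipsBlock 0 0 0 350.11 MB 0% ramdisk
reputationAlert 0 0 0 175.06 MB 0% ramdisk
reputationBlock 0 0 0 175.06 MB 0% ramdisk
visibility 0 0 0 700.23 MB 0% ramdisk
quarantine 0 0 0 175.06 MB 0% ramdisk
vpn 0 0 0 175.06 MB 0% ramdisk
"""

# One data row: name, three counters, "<size> <unit>", "<n>%", location.
ROW = re.compile(
    r"^(?P<name>[A-Za-z]\w*)\s+(?P<total>\d+)\s+(?P<first>\d+)\s+(?P<last>\d+)\s+"
    r"(?P<size>\d+(?:\.\d+)?)\s+(?P<unit>[KMG]B)\s+(?P<used>\d+)%\s+(?P<location>\w+)$"
)


class LogFile(NamedTuple):
    name: str
    total: int
    first: int
    last: int
    allocated: str
    used_pct: int
    location: str


def parse_summary(text):
    """Return one LogFile per data row; the header and rule lines do not match ROW."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        rows.append(LogFile(
            name=m["name"], total=int(m["total"]), first=int(m["first"]),
            last=int(m["last"]), allocated=f'{m["size"]} {m["unit"]}',
            used_pct=int(m["used"]), location=m["location"],
        ))
    return rows


def review(rows, used_threshold=60):
    """Return (file, finding) pairs. used_threshold is an assumed alerting level."""
    findings = []
    for r in rows:
        if r.location == "ramdisk":
            # Held in memory only, so the contents do not survive a restart.
            findings.append((r.name, "volatile"))
        if r.total and r.first > 1:
            findings.append((r.name, f"entries 1-{r.first - 1} no longer in file"))
        if r.total and r.last - r.first + 1 != r.total:
            findings.append((r.name, "sequence range does not match entry count"))
        if r.used_pct >= used_threshold:
            findings.append((r.name, f"{r.used_pct}% of allocation used"))
    return findings


if __name__ == "__main__":
    for name, finding in review(parse_summary(SAMPLE)):
        print(f"{name}: {finding}")
```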
show log-file boot
Syntax
show log-file boot [tail [COUNT]] [more]
show log-file boot [search [<options>]{0,2} PATTERN] [count COUNT] [more]
If you use the more option, a colon (:) appears in the output to indicate that more information is available.
Press the Enter key to continue scrolling, or enter q to exit and return to the NGFW{} prompt.
Example
NGFW{} show log-file audit more
2013-07-05 ...(log info is displayed)
2013-07-05 ...
...
:q
NGFW{}show log-file boot search nocase ethernet7 count 7
NGFW{}show log-file boot search invert ethernet7 count 3
NGFW{}show log-file boot search ethernet7 count 2
ADDRCONF(NETDEV_UP): ethernet7: link is not ready
device ethernet7 entered promiscuous mode
Example
To tail the last 5 lines of the boot log file:
NGFW{}show log-file boot tail 5
bridge1: port 8(ethernet7) entering disabled state
bridge1: port 8(ethernet7) entering disabled state
ADDRCONF(NETDEV_UP): ethernet7: link is not ready
device ethernet8 left promiscuous mode
device ethernet7 left promiscuous mode
show mfg-info
Shows manufacturing information.
Syntax
show mfg-info
Example
NGFW{}show mfg-info
device34{}show mfg-info
ECO Version : 40AA
Manufacturer S/N : TBBC10021827
PCBA Assembly Date : 01/11/2012
Chassis Version : 00
Mfg System Revision : A905
HP Base Unit P/N : 5066-2732
HP Base Unit Revision : A1
Number of MACs : 12
MAC Address : 00:10:F3:2C:81:DE
Mgmt Port MAC Address : 00:10:F3:2C:81:DE
Ethernet1 MAC Address : 00:10:F3:2C:81:E2
HP Base Unit S/N : PR2AFQY003
Internal Disk Model : 4GB SATA Flash Drive
Internal Disk S/N : 11001420994500582125
External Disk Model : 4GB SATA Flash Drive
External Disk S/N : 00224192122400702578
BIOS Version : Z513-021
IPM Version : 1.d (working)
show np engine
Shows network processor information.
Syntax
show np engine(filter|packet|parse|reputation(ip|dns)|rule)
filter - Show filter-level statistics
packet - Show packet-layer statistics
parse - Show packet parsing statistics
reputation - Show reputation statistics on either IP or DNS
rule - Show rule statistics
Example
NGFW{}show np engine packet
Packet Statistics:
Rx packets OK = 275263890
Rx packets dropped = 0
Rx packets dropped no pcb = 0
Tx packets OK = 275262516
Tx packets dropped = 1374
Tx packets dropped no pcb = 0
Rx bytes OK = 14864242660
Tx bytes OK = 16515754024
show np general statistics
Shows general network processor information.
Syntax
show np general statistics
Example
NGFW{}show np general statistics
General Statistics:
Incoming = 0
Outgoing = 0
Dropped = 0
Interface discards = 0
Second Tier = 0
Matched = 0
Blocked = 1376
Trusted = 0
Permitted = 0
Invalid = 0
Rate Limited = 0
show np protocol-mix
Syntax
show np protocol-mix
Example
NGFW{}show np protocol-mix
Network Traffic Protocol Statistics:
Packets Bytes
================= =================
EthType:
ARP 289096 17363292
IP 75851320 16817451395
IPv6 110966 91605367
Other 47087 31256790
IpVersion:
IPv4 75851320 16817451395
IPv6 110966 91605367
Other 9010 5444502
IpProtocol:
TCP 24779397 4847827560
UDP 49956647 11260655728
ICMP 112057 42551652
IPv4 in IPv4 0 0
IPv6 In IPv4 4536 597024
GRE 276372 45779027
AH 414 63180
Other 132843 65240426
Ipv6Protocol:
TCP 378 265014
UDP 1350 1135803
ICMPv6 3908 1406824
ICMP 0 0
IPv6 in IPv6 89760 77281416
IPv4 in IPv6 2442 1938618
GRE 1398 1106502
AH 0 0
Other 53034 44444961
show np reassembly
Syntax
show np reassembly (ip|tcp)
Example
NGFW{}show np reassembly ip
Summary:
Frags incoming = 0
Frags kept = 0
Frags outgoing = 0
Frags passed thru = 0
Frags dropped (duplicate) = 0
Frags recently reassembled = 0
Frags dropped (other) = 0
Dgrams completed = 0
show np rule-stats
Syntax
show np rule-stats
Example
NGFW{}show np rule-stats
Filter Flows Success % Total % Success
6281 9 0 21 0.00
6310 9 0 21 0.00
633 8 3 19 37.50
5337 8 0 19 0.00
2768 7 0 16 0.00
5881 1 0 2 0.00
Total number of flows: 42
show np softlinx
Syntax
show np softlinx
Example
NGFW{}show np softlinx
SoftLinx Statistics:
Matched both softlinx and a rule = 0
Matched softlinx, but not a rule = 0
Matched a rule, but not softlinx = 0
Sleuth inspected packets = 0
Sleuth matched packets = 0
Matched HW (Sleuth) but not softLinx = 0
Sleuth gave up = 0
Sleuth bypassed = 0
Sleuth bypassed zero payload length = 0
Sleuth overflow = 0
Matched nothing = 281567607
Linx rules created = 0
Linx rules deleted = 0
Discarded by the softlinx = 0
Total packets sent to softlinx = 80
Embedded Trigger matches = 0
Engine Trigger matches = 0
Trigger matches = 0
False pkt matches = 80
Good pkt matches = 0
SoftLinx trigger match roll over = 0
Highest flow based trigger match = 0
show np tier-stats
Syntax
show np tier-stats
Example
NGFW{}show np tier-stats
----------------------------------------------------------
Tier 1:
----------------------------------------------------------
Rx Mbps = 0.0 (0.0)
Tx Mbps = 0.0 (0.0)
Rx Packets/Sec = 0.0 (0.0)
Tx Packets/Sec = 0.0 (0.0)
Utilization = 0.0% (0.0%)
Ratio to next tier = 0.0% (100.0%)
----------------------------------------------------------
Tier 2:
----------------------------------------------------------
Rx Mbps = 0.0 (0.0)
Rx Packets/Sec = 0.0 (0.0)
Tx trust packets/sec = 0.0 (0.0)
Utilization = 0.0% (0.0%)
Ratio to best effort = 0.0% (0.0%)
Ratio to next tier = 0.0% (0.0%)
----------------------------------------------------------
Tier 3:
----------------------------------------------------------
Rx Mbps = 0.0 (0.0)
Rx Packets/Sec = 0.0 (0.0)
Rx Trigger match = 0.0 (0.0)
Rx Reroute = 0.0 (0.0)
Rx TCP sequence = 0.0 (0.0)
Tx trust packets/sec = 0.0 (0.0)
Utilization = 0.0% (0.0%)
Ratio to best effort = 0.0% (0.0%)
Ratio to next tier = 0.0% (0.0%)
show quarantine-list
Syntax
show quarantine-list
Example
NGFW{}show quarantine-list
IP Reason
show reports
Shows the status of data collection for reports.
Syntax
show reports
Example
NGFW{}show reports
CPU Utilization: enabled
Disk Utilization: enabled
Fan Speed: enabled
Memory Utilization: enabled
Network Bandwidth: enabled
Rate Limiter: enabled
Temperature: enabled
Traffic Profile: enabled
VPN: enabled
show service
Shows the state of all the services.
Syntax
show service
Example
NGFW{}show service
Service SSH is active
Service TELNET is inactive
Service HTTP is active
Service IP Forwarding is active
Service IPv6 Forwarding is active
Service SNMP is inactive
Service DNS-PROXY is inactive
Service RIP is inactive
Service RIPng is inactive
Service OSPFv2 is inactive
Service OSPFv3 is inactive
Service BGP is inactive
Service SMR is inactive
Service PIM4SM is inactive
Service PIM6SM is inactive
Service VRRP is inactive
Service Multicast-proxy is inactive
Service DHCPSERVER is inactive
Service DHCP is inactive
Service DHCP RELAY is inactive
Service DHCPv6-CLIENT is inactive
Service NTP is inactive
Service PPP-CtrlPlane is inactive
Service ETHGRP-LACP is inactive
show sms
Syntax
show sms
Example
NGFW{}show sms
Device is not under SMS control
show snmp
Syntax
show snmp
Example
NGFW{}show snmp
#SNMP Status
Enabled : Yes
Version : 2c, 3
Engine ID : 0x800029ee030010f327fe2e
Auth. Traps : Yes
System Name : S8020F
System Object ID : .1.3.6.1.4.1.10734.1.9.7
System ID : NGFW
System Contact : Administrator
System Location : Data Center
#SNMP Trap Sessions
Host : A.B.C.D
Version : 3
Port : 162
Security Name : trap
Level : authPriv
Authentication : SHA
Privacy : AES
Inform : Yes
show system buffers
Shows forwarding buffer state information, if you have administrator privileges.
Syntax
show system buffers
Example
NGFW{}show system buffers
show system connections
Syntax
show system connections [ipv4|ipv6|sctp|unix]
Example
NGFW{}show system connections ipv4
Active Internet connections (servers and established)
vrfid Proto Recv-Q Send-Q Local Address Foreign Address State
0 tcp 0 0 127.0.0.1:60000 0.0.0.0:* LISTEN
0 tcp 0 0 127.0.0.1:616 0.0.0.0:* LISTEN
Example
NGFW{}show system connections unix
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags Type State I-Node Path
unix 2 [ ACC ] STREAM LISTENING 40709 /var/tmp/apache2/logs/fcgidsock/7095.0
unix 2 [ ACC ] STREAM LISTENING 3871 /var/tmp/segmentdsock
unix 2 [ ACC ] STREAM LISTENING 2080 /var/run/nscd/socket
unix 2 [ ACC ] STREAM LISTENING 379 @/com/ubuntu/upstart
unix 2 [ ACC ] STREAM LISTENING 16968 /var/run/.xms.default
unix 2 [ ] DGRAM 16970 /tmp/.server.sockname
unix 2 [ ] DGRAM 17575 @/tmp/.has_xmsd
unix 2 [ ACC ] STREAM LISTENING 1436 /usr/local/var/syslog-ng.ctl
Example
NGFW{}show system connections sctp
ASSOC SOCK STY SST ST HBKT ASSOC-ID TX_QUEUE RX_QUEUE UID INODE LPORT RPORT
LADDRS <-> RADDRS HBINT INS OUTS MAXRT T1X T2X RTXC VRF
show system processes
Syntax
show system processes [LEVEL]
brief Brief process information
detail Detailed process information
extensive Extensive process information
summary Active process information
Example
NGFW{}show system processes brief
top - 02:23:22 up 5:08, 2 users, load average: 16.20, 16.23, 16.16
Tasks: 349 total, 6 running, 343 sleeping, 0 stopped, 0 zombie
Cpu(s): 37.8% us, 2.4% sy, 0.0% ni, 52.8% id, 0.0% wa, 0.0% hi, 6.9% si
Mem: 28681276k total, 10367048k used, 18314228k free, 100416k buffers
Swap: 0k total, 0k used, 0k free, 1638220k cached
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
3656 root 20 0 11.1g 4.6g 3.7g R 1200 16.7 3691:24 n0
3731 root 20 0 0 0 0 R 100 0.0 307:25.33 dpvi-task3
3730 root 20 0 0 0 0 R 98 0.0 303:42.33 dpvi-task2
3729 root 20 0 0 0 0 R 96 0.0 300:14.52 dpvi-task1
2941 root 20 0 84516 3976 2852 R 2 0.0 4:18.44 syslog-ng
4436 root 20 0 0 0 0 D 2 0.0 1:44.56 fpm-nfct-hf-tas
4216 root 20 0 21496 1112 772 D 0 0.0 0:21.46 sensormond
17380 root 20 0 13084 1292 800 R 0 0.0 0:00.01 top
show system statistics
Syntax
show system statistics [PROTO] [non-zero]
Example
NGFW{}show system statistics
show system usage
Shows the overall system usage. You can run the command once, or display an updated version
every INT seconds. Press Ctrl-C to exit a recurring update.
Syntax
show system usage [update INT]
Example
NGFW{} show system usage update 12
show system virtual-memory
Shows the system’s kernel memory usage in a table with the following column headings.
• name
• active_objs
• num_objs
• objsize
• objperslab
• pagesperslab
• tunables
• limit
• batchcount
• sharedfactor
• slabdata
• active_slabs
• num_slabs
• sharedavail
Syntax
show system virtual-memory
Example
NGFW{}show system virtual-memory
show system xms memory
Shows xms memory statistics.
Syntax
show system xms memory (all| SERVICE)
Example
NGFW{}show system xms memory captive-portals
xmsd memory usage:
+ Service: captive-portals
+ captive-portal-config: 48 Bytes
Maximum amounts: 175 Bytes
Calls to alloc : 1 times
+ Service: misc
+ miscellaneous: 1383 Bytes
Maximum amounts: 1585 Bytes
Calls to alloc : 10 times
+ xmlMem: 4341373 Bytes
Maximum amounts: 85010535 Bytes
Calls to alloc : 53906 times
show terminal
Shows terminal type information.
Syntax
show terminal
Example
NGFW{}show terminal
=============
Terminal configuration:
type 6wind
columns 164
lines 46
show traffic-file
Syntax
show traffic-file FILENAME [verbose INT] [proto PROTO] [without PROTO] [pcap FILTER]
[pager]
Options
traffic-file Show network traffic from file
FILENAME Capture file name
verbose Configure verbosity level
INT Verbosity level (0: minimum verbosity)
proto Configure captured packets protocol
PROTO Protocol name (default: all)
without Configure excluded packets protocol
PROTO Protocol name (default: all)
pcap Configure pcap-syntax filter
FILTER Pcap filter string (e.g. "src port 22")
pager Show all messages
Example
NGFW{}show traffic-file myfilename
show tse connection-table
Syntax
show tse connection-table TYPE
Example
This example shows basic IPS state synchronization by viewing the connection table on the active
and passive devices.
NGFW{}show tse connection-table blocks
Second device:
NGFW{}show tse connection-table blocks
The ‘TRHA’ indicates this is a connection created by state synchronization.
show tse
Shows threat suppression engine information.
Syntax
show tse (connection-table(blocks|trusts)|rate-limit)
Example
NGFW{}show tse connection-table blocks
Blocked connections: None found.
NGFW{}show tse rate-limit
show user-disk
Syntax
show user-disk
Example
NGFW{}show user-disk
External User Disk
Status: Mounted
Encryption: None
Capacity: 3952263168 bytes
Used: 784158720 bytes
Free: 2907357184 bytes
show users
Syntax
show users [locked|ip-locked]
Example
NGFW{}show users
USER IDLE INTERFACE LOGIN IP ADDRESS TYPE
myadminuser 00:00 SSH 2013-07-19 23:42:56 198.51.100.139 LOCAL
show version
Syntax
show version
Example
NGFW{}show version
Serial: X-NGF-S8020F-GENERIC-0001
Software: 1.0.0.3911 Build Date: "Apr 12 2013 02:13:12" Production
Digital Vaccine: 3.2.0.15172
Model: S8020F
HW Serial: PR2AFQ300P
HW Revision: A603
Failsafe: 1.0.0.1801
System Boot Time: Sun Sept 15 21:14:57 2013
Uptime: 05:17:01
shutdown
Allows you to shut down the system.
Syntax
shutdown
Example
NGFW{}shutdown
You are about to shutdown the device.
Please use the front panel buttons to restart the device manually.
Make sure you have Committed all your changes, and clicked the Save
Configuration button if you wish these changes to be applied when the
device is restarted.
WARNING: Are you sure you want to shutdown the system (y/n) [n]:
sms
Allows you to configure SMS settings and release SMS.
Syntax
sms must-be-ip (A.B.C.D|A.B.C.D/M)
sms unmanage
Example
NGFW{}sms unmanage
NGFW{}sms must-be-ip 192.168.1.1
Related commands
show sms
snapshot create
Allows you to manage system snapshots.
Syntax
snapshot create NAME [(reputation|manual|network)]
By default, the following are not included in the snapshot:
manual Include manually defined reputation entries in snapshot
network Include Management port configuration in snapshot
reputation Include reputation package in snapshot
nonet Does not restore management port configuration if present in snapshot
Example
NGFW{}snapshot create s_041713
snapshot list
Syntax
snapshot list
Example
NGFW{}snapshot list
Name Date OS Version DV Version Model Restore
---------------- -------------------------- ---------- ---------- ------- ------
s_041713 Wednesday, April 17 2013 1.0.0.3913 3.2.0.15172 S1020F Yes
snapshot remove
Syntax
snapshot remove NAME
Example
NGFW{}snapshot remove s_041713
Success
snapshot restore
Restore system from saved snapshot.
Syntax
snapshot restore NAME
Example
NGFW{}snapshot restore s_041713
Success
tcpdump
Allows you to capture network traffic to the terminal or a file. You can specify a maximum packet count or
a maximum capture file size. If you record the capture to a file you must specify a maximum packet count
or maximum capture file size. Maxsize is the maximum size of the capture file in millions of bytes, which is
limited by the currently available disk allocation.
Syntax
tcpdump INTERFACE [record FILENAME [maxsizebytes 1-10000000]] [packetcount
1-10000000] [verbose 0-990000] [proto
(icmp|igmp|tcp|udp|esp|ah|pim|snp|vrrp|stp|isis|sctp)] [without
(icmp|igmp|tcp|udp|esp|ah|pim|snp|vrrp|stp|isis|sctp)] [pcap FILTER] [cponly]
[pager] [background]
tcpdump stop
Example
NGFW{}tcpdump mgmt count 2
NGFW{}tcpdump bridge0 record mycapturefile count 100 proto tcp without udp pcap "dst port 443" background
NGFW{}tcpdump6: listening on bridge0, link-type EN10MB (Ethernet), capture size 65535 bytes
100 packets captured
100 packets received by filter
0 packets dropped by kernel
NGFW{}tcpdump stop
All tcpdump processes stopped.
traceroute
Traceroute shows the path a packet takes from your computer to its destination. It lists all the
routers the packet passes through until it reaches its destination or fails. Traceroute also tells you
how long each router-to-router hop takes.
Syntax
traceroute (A.B.C.D|HOSTNAME) [from A.B.C.D] [mgmt]
(traceroute|traceroute6) X:X::X:X [from X:X::X:X] [mgmt]
Example
NGFW{}traceroute 192.168.140.254
traceroute: Warning: ip checksums disabled
traceroute to 192.168.140.254 (192.168.140.254), 30 hops max, 46 byte packets
1 192.168.140.254 (192.168.140.254) 0.256 ms 0.249 ms 0.233 ms
traceroute6
Trace IPv6 network routes.
Example
NGFW{}traceroute6 192.168.140.1
user-disk
The external user-disk can be mounted, unmounted, and formatted. Only a user-disk that the user manually
formats and mounts will be “auto-mounted” by the device at boot. The one exception is after an
initial install: the external CFast present in the box at the time of install will be “auto-mounted”.
The user-disk can be encrypted, but only if the system master-key has been set. Changing the encryption
status on the user-disk causes a ‘format’ to occur and erases any existing data.
User-disk encryption can also be enabled and disabled from the LSM at System->Settings->Log
Configuration.
Modify settings for the external user-disk.
Syntax
user-disk (encryption (enable|disable) | format | mount | unmount)
Example
NGFW{}user-disk unmount
WARNING: Unmounting the external user disk will disable snapshot and packet capture,
and traffic related logs will be stored in memory only.
Do you want to continue (y/n)? [n]: y
Success: User disk unmounted.
Example
NGFW{}user-disk mount
Note: The external user disk will be used for snapshots, packet captures and traffic
related logs. The external user disk will be automatically mounted on rebooted.
Do you want to continue (y/n)? [n]: y
Success: User disk mounted.
Example
NGFW{}user-disk format
WARNING: This action will erase all existing data on the external user disk!
Do you want to continue (y/n)? [n]: y
Success: User disk format completed.
Example
NGFW{}user-disk encryption enable
WARNING: Changing the encryption status of the user disk will erase all traffic log,
snapshot, and packet capture data on the disk.
Do you want to continue (y/n)? [n]: y
Success: User disk encryption enabled.
Related commands
show user-disk
master-key
4 Log Configure Commands
Enter the log-configure command to access the log configuration context. Enter a question mark (?) at
the NGFW{log-configure} prompt to display a list of valid command entries. Then enter help
commandname to display help for a specific command.
display
Displays log configuration settings.
Syntax
display [log-sessions] [xml|verbose]
Example
NGFW{log-configure}display
# LOG EMAIL SETTINGS
email set sleepSeconds 300
email set maxRequeue 2016
# LOG ROTATE SETTINGS
rotate set sleepSeconds 600
rotate set defaultFiles 5
rotate set defaultCheckRecords 500
rotate set maxFileSize 100 MB
# LOG FILE DISK ALLOCATION
log-storage external 90%
log-storage ramdisk 25%
# LOG FILE ALLOCATION SETTINGS
# INTERNAL DISK
log-file-size system 50%
log-file-size audit 50%
# ----
# Total 100%
# EXTERNAL DISK (USER-DISK)
log-file-size fwAlert 20%
log-file-size fwBlock 20%
log-file-size ipsAlert 10%
log-file-size ipsBlock 10%
log-file-size reputationAlert 5%
log-file-size reputationBlock 5%
log-file-size visibility 20%
log-file-size quarantine 5%
log-file-size vpn 5%
# ----
# Total 100%
email
Allows you to set logging email daemon parameters.
Syntax
email set sleepSeconds SLEEPSEC
email set maxRequeue MAXREQUEUE
email set queueFile QUEUEFILE
email set deadletter DEADLETTER
email delete (sleepSeconds|maxRequeue|queueFile|deadletter)
Example
NGFW{log-configure}email set sleepSeconds 600
NGFW{log-configure}email delete sleepSeconds
NGFW{log-configure}email set maxRequeue 1
NGFW{log-configure}email delete maxRequeue
NGFW{log-configure}email set queueFile myqueuefile
NGFW{log-configure}email delete queueFile
NGFW{log-configure}email set deadletter mydeadletterfile
NGFW{log-configure}email delete deadletter
log-file-size
Set log file allocation as a percentage of the total 100 percent allowed for all log files.
# LOG FILE ALLOCATION SETTINGS
# INTERNAL DISK
log-file-size system 50%
log-file-size audit 50%
# ----
# Total 100%
Syntax
log-file-size FILE_NAME USAGE[%]
log-file-size
(audit|fwAlert|fwBlock|ipsAlert|ipsBlock|quarantine|reputationAlert|reputationBlock|
system|visibility|vpn) USAGE[%]
system and audit log files are kept on the internal disk
fwAlert, fwBlock, ipsAlert, ipsBlock, quarantine, reputationAlert, reputationBlock,
visibility, and vpn log files are kept on the external or ramdisk drive
Example
NGFW{log-configure}log-file-size system 50
NGFW{log-configure}log-file-size fwAlert 20
NGFW{log-configure}log-file-size audit 60
ERROR: This would over allocate (110%) the Internal log disk!
log-storage
Set local log file allocation of external CFast disk space. Usage value can range from 50 to 99 percent.
Syntax
log-storage external USAGE[%]
log-storage ramdisk USAGE[%]
Example
NGFW{log-configure}log-storage external 90
log-test
Sends a test message to the logging system(s).
Syntax
log-test (all|audit|vpn|quarantine|logID LOGID) [emergency [MESSAGE]]
log-test (all|audit|vpn|quarantine|logID LOGID) [alert [MESSAGE]]
log-test (all|audit|vpn|quarantine|logID LOGID) [critical [MESSAGE]]
log-test (all|audit|vpn|quarantine|logID LOGID) [error [MESSAGE]]
log-test (all|audit|vpn|quarantine|logID LOGID) [warning [MESSAGE]]
log-test (all|audit|vpn|quarantine|logID LOGID) [notice [MESSAGE]]
log-test (all|audit|vpn|quarantine|logID LOGID) [info [MESSAGE]]
log-test (all|audit|vpn|quarantine|logID LOGID) [debug [MESSAGE]]
log-test (all|audit|vpn|quarantine|logID LOGID) [msg MESSAGE]
Valid entries:
all All log systems
audit Audit system
vpn VPN (IPsec) system
quarantine Quarantine system
logID LogID system
LOGID Log-session ID to test
SEVERITY Set Severity level for log message (default: INFO)
Possible values for SEVERITY are:
emergency EMERG level
alert ALERT level
critical CRIT level
error ERR level
warning WARNING level
notice NOTICE level
info INFO level (default)
debug DEBUG level
msg Override default message
MESSAGE Message to send to logging system
Example
NGFW{log-configure}log-test logID 1 msg "my test message for logging"
NGFW{log-configure}log-test all
rotate
Sets log rotation parameters.
Syntax
rotate (set|delete) defaultCheckRecords (100-65535)
rotate (set|delete) defaultFiles (2-20)
rotate (set|delete) maxFileSize (10-500MB)
rotate (set|delete) sleepSeconds (1-65535)
rotate (set|delete) audit [Files (2-20)] [Records (100-65535)]
rotate (set|delete) fwAlert [Files (2-20)] [Records (100-65535)]
rotate (set|delete) fwBlock [Files (2-20)] [Records (100-65535)]
rotate (set|delete) ipsAlert [Files (2-20)] [Records (100-65535)]
rotate (set|delete) ipsBlock [Files (2-20)] [Records (100-65535)]
rotate (set|delete) quarantine [Files (2-20)] [Records (100-65535)]
rotate (set|delete) reputationAlert [Files (2-20)] [Records (100-65535)]
rotate (set|delete) reputationBlock [Files (2-20)] [Records (100-65535)]
rotate (set|delete) system [Files (2-20)] [Records (100-65535)]
rotate (set|delete) visibility [Files (2-20)] [Records (100-65535)]
rotate (set|delete) vpn [Files (2-20)] [Records (100-65535)]
sleepSeconds Logrotation sleep time between checks
SLEEPSEC Number of seconds logrotation waits between checks
defaultFiles Default number of logrotation files
NUMFILES Number of logrotation files (2 - 20)
defaultCheckRecords Default number of records between log daemon size checks
NUMRECORDS Number of records between log daemon size checks (100 - 65535)
maxFileSize Max size a 'rotated' log file
MAXFILESIZE Max log rotation file size in MB (10 - 500)
MB Megabytes
FILE_NAME Local log file name
Files Number of logrotation files
Records Number of records between log daemon size checks
delete Delete the logrotation parameter
Example
NGFW{log-configure}rotate set sleepSeconds 10
NGFW{log-configure}rotate set visibility Files 5 Records 500
NGFW{log-configure}rotate set vpn Files 5 Records 500
NGFW{log-configure}rotate delete vpn Records
NGFW{log-configure}rotate delete vpn Files
NGFW{log-configure}rotate delete visibility
NGFW{log-configure}rotate set defaultCheckRecords 500
NGFW{log-configure}rotate set defaultFiles 5
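Added example (not part of the HP guide): a Python pre-change check that parses the log-configure display output shown earlier in this chapter and tests it, or the configuration as it would look after one more command, against the limits documented in the log-file-size, log-storage and rotate sections. Function names are assumptions, and the 50-99 range is applied only to log-storage external, as the text states.

```python
import re

# Copied from the example output of `display` in the log-configure context.
DISPLAY_SAMPLE = """\
# LOG ROTATE SETTINGS
rotate set sleepSeconds 600
rotate set defaultFiles 5
rotate set defaultCheckRecords 500
rotate set maxFileSize 100 MB
# LOG FILE DISK ALLOCATION
log-storage external 90%
log-storage ramdisk 25%
# LOG FILE ALLOCATION SETTINGS
# INTERNAL DISK
log-file-size system 50%
log-file-size audit 50%
# EXTERNAL DISK (USER-DISK)
log-file-size fwAlert 20%
log-file-size fwBlock 20%
log-file-size ipsAlert 10%
log-file-size ipsBlock 10%
log-file-size reputationAlert 5%
log-file-size reputationBlock 5%
log-file-size visibility 20%
log-file-size quarantine 5%
log-file-size vpn 5%
"""

# Limits as documented in the log-file-size, log-storage and rotate sections.
INTERNAL_FILES = {"system", "audit"}      # all other log files: external or ramdisk
EXTERNAL_STORAGE_RANGE = (50, 99)
ROTATE_RANGES = {
    "sleepSeconds": (1, 65535), "defaultFiles": (2, 20),
    "defaultCheckRecords": (100, 65535), "maxFileSize": (10, 500),
    "Files": (2, 20), "Records": (100, 65535),   # per-file overrides
}

GLOBAL_ROTATE = re.compile(r"^rotate set (\w+) (\d+)(?: ?MB)?$")
FILE_ROTATE = re.compile(r"^rotate set (\w+)((?: (?:Files|Records) \d+)+)$")
PERCENT = re.compile(r"^(log-storage|log-file-size) (\w+) (\d+)%?$")


def parse_display(text):
    """Parse `display` output, or one command as typed, into a settings dict."""
    cfg = {"rotate": {}, "log-storage": {}, "log-file-size": {}}
    for line in text.splitlines():
        line = line.strip()
        if m := GLOBAL_ROTATE.match(line):
            cfg["rotate"][m[1]] = int(m[2])
        elif m := FILE_ROTATE.match(line):
            for key, value in re.findall(r"(Files|Records) (\d+)", m[2]):
                cfg["rotate"][f"{m[1]} {key}"] = int(value)
        elif m := PERCENT.match(line):
            cfg[m[1]][m[2]] = int(m[3])
    return cfg


def disk_totals(sizes):
    """Sum log-file-size percentages per log disk."""
    totals = {"internal": 0, "external": 0}
    for name, pct in sizes.items():
        totals["internal" if name in INTERNAL_FILES else "external"] += pct
    return totals


def lint(cfg):
    """Return a list of settings that break the documented limits."""
    problems = []
    for key, value in cfg["rotate"].items():
        limits = ROTATE_RANGES.get(key.split()[-1])
        if limits is None:
            continue
        low, high = limits
        if not low <= value <= high:
            problems.append(f"rotate {key} = {value} is outside {low}-{high}")
    external = cfg["log-storage"].get("external")
    low, high = EXTERNAL_STORAGE_RANGE
    if external is not None and not low <= external <= high:
        problems.append(f"log-storage external = {external}% is outside {low}-{high}%")
    for disk, total in disk_totals(cfg["log-file-size"]).items():
        if total > 100:
            problems.append(f"log-file-size over-allocates the {disk} log disk ({total}%)")
    return problems


def preview(cfg, command):
    """Lint the configuration as it would look after one more command."""
    change = parse_display(command)
    merged = {section: {**cfg[section], **change[section]} for section in cfg}
    return lint(merged)


if __name__ == "__main__":
    current = parse_display(DISPLAY_SAMPLE)
    print(lint(current))
    print(preview(current, "log-file-size audit 60"))
```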
5 Edit Running Configuration Commands
Enter the edit command to access the configuration mode. In edit mode, you can configure many
features, such as firewall rules and policies, and authentication. After you execute the edit
command, the CLI prompt appears as NGFW{running}. Configuration options and sub-contexts are
available until you exit. To exit the edit configuration mode, enter exit.
The configuration mode enables administrators with the appropriate credentials to write configuration
changes to the active (running) configuration. The logon account used to configure the device must either
be associated with the Superuser role or the Administrator role to edit the configuration context. The
configuration mode has different context levels that provide access to a specific set of configuration
commands.
Configuration Contexts by Function
Monitor/System
Table 5-1 Monitor and System Commands
running-blockedStreams Context Commands           NGFW{running}blockedStreams
running-cluster Context Commands                  NGFW{running}cluster
running-cluster-tct Context Commands              NGFW{running-cluster}tct
running-dns Context Commands                      NGFW{running}dns
running-gen Context Commands                      NGFW{running}gen
running-high-availability Context Commands        NGFW{running}high-availability
running-log Context Commands                      NGFW{running}log
running-mgmt Context Commands                     NGFW{running}interface mgmt
running-ntp Context Commands                      NGFW{running}ntp
running-snmp Context Commands                     NGFW{running}snmp
Network
Table 5-2 Network Commands
running-agglinkX Context Commands                 NGFW{running}interface agglink0
running-bridgeX Context Commands                  NGFW{running}interface bridge0
running-greX Context Commands                     NGFW{running}interface gre0
running-l2tp-serverX Context Commands             NGFW{running}l2tp-server0
running-l2tpX Context Commands                    NGFW{running}interface l2tp0
running-loopbackX Context Commands                NGFW{running}interface loopback0
running-pppoeX Context Commands                   NGFW{running}interface pppoe0
running-pptpX Context Commands                    NGFW{running}interface pptp0
running-vlanX Context Commands                    NGFW{running}interface vlan0
running-ethernetX Context Commands                NGFW{running}interface ethernet1
running-segmentX Context Commands                 NGFW{running}segment0
running-dhcp-relay Context Commands               NGFW{running}dhcp relay
running-dhcp-server Context Commands              NGFW{running}dhcp server
running-dhcp-server-X Context Commands            NGFW{running-dhcp-server}scope myscope
Policy
Table 5-3 Policy Commands
running-actionsets Context Commands               NGFW{running}actionsets  (immediate commit context)
running-actionsets-X Context Commands             NGFW{running-actionsets}actionset myactionset1
running-addressgroups Context Commands            NGFW{running}addressgroups
running-addressgroups-X Context Commands          NGFW{running-addressgroups}addressgroup myaddressgroups
running-app-filter-mgmt Context Commands          NGFW{running}application-filter-mgmt  (immediate commit context)
running-app-groups Context Commands               NGFW{running}application-groups  (immediate commit context)
running-app-groups-X Context Commands             NGFW{running-app-groups}application-group FaceBook
running-autodv Context Commands                   NGFW{running}autodv  (immediate commit context)
running-autodv-calendar Context Commands          NGFW{running-autodv}calendar
running-autodv-periodic Context Commands          NGFW{running-autodv}periodic
running-captive-portal Context Commands           NGFW{running}captive-portal
running-captive-portal-rule-X Context Commands    NGFW{running-captive-portal}rule 20000
running-dnat Context Commands                     NGFW{running}dst-nat
running-dnat-rule-X Context Commands              NGFW{running-dnat}rule 1
running-firewall Context Commands                 NGFW{running}firewall
running-firewall-rule-X Context Commands          NGFW{running-firewall}rule myrule1
running-global-inspection Context Commands        NGFW{running}global-inspection
running-ips Context Commands                      NGFW{running}ips  (immediate commit context)
running-ips-X Context Commands                    NGFW{running-ips}profile 1
running-notifycontacts (email) Context Commands   NGFW{running-notifycontacts}contact mycontact1 email  (immediate commit context)
running-notifycontacts-X (SNMP) Context Commands  NGFW{running-notifycontacts}contact mycontact1 snmp secret 192.168.1.1
running-rep Context Commands                      NGFW{running}rep  (immediate commit context)
running-rep-X (group X) Context Commands          NGFW{running-rep}group 1
running-rep-X (profile X) Context Commands        NGFW{running-rep}profile abc
running-schedules Context Commands                NGFW{running}schedules
running-schedules-X Context Commands              NGFW{running-schedules}schedule myhours1
running-services Context Commands                 NGFW{running}services
running-services-X Context Commands               NGFW{running-services}service myservice1
running-snat Context Commands                     NGFW{running}src-nat
running-snat-rule-X Context Commands              NGFW{running-snat}rule snat1
running-zones Context Commands                    NGFW{running}zones
running-zones-X Context Commands                  NGFW{running-zones}zone myzone1
Authentication
Table 5-4 Authentication Commands
running-aaa Context Commands                      NGFW{running-aaa}
running-aaa-ldap-group-X Context Commands         NGFW{running-aaa}ldap-group mygroup
running-aaa-radius-group-X Context Commands       NGFW{running-aaa}radius-group mygroup
running-certificates Context Commands             NGFW{running}certificates
running-certificates-crl Context Commands         NGFW{running-certificates}crl
Routing
Table 5-5 Routing Commands
running-bgp-X Context Commands                    NGFW{running}router bgp 1
running-multicast-registration Context Commands   NGFW{running}multicast-registration
running-ospf Context Commands                     NGFW{running}router ospf
running-ospfv3 Context Commands                   NGFW{running}router ospfv3
running-pim-smv4 Context Commands                 NGFW{running}router pim-smv4
running-pim-smv6 Context Commands                 NGFW{running}router pim-smv6
running-rip Context Commands                      NGFW{running}router rip
running-ripng Context Commands                    NGFW{running}router ripng
running-route-map Context Commands                NGFW{running}route-map mymap permit 10
running-smr Context Commands                      NGFW{running}router smr
VPN
Table 5-6 VPN Commands
running-ipsec Context Commands                    NGFW{running}vpn ipsec
running-manual-sa Context Commands                NGFW{running}vpn ipsec
                                                  NGFW{running-ipsec}manual
Edit Context Commands
aaa
Enter Authentication and Authorization and Auditing context mode.
Syntax
aaa
Example
NGFW{}edit
NGFW{running}aaa
NGFW{running-aaa}help
NGFW{running-aaa}display user fred xml
<?xml version="1.0"?>
<record>
<index>
<user>fred</user>
</index>
<parameters>
<password>$password$</password>
<epoch>1373049840</epoch>
</parameters>
</record>
NGFW{running-aaa}exit
Related commands
running-aaa Context Commands
actionsets
Enters action sets context mode. Changes are committed and take effect immediately.
Syntax
actionsets
Example
NGFW{}edit
NGFW{running}actionsets
NGFW{running-actionsets}help
Example
NGFW{running-actionsets}actionset myactionset
NGFW{running-actionsets-myactionset}help
NGFW{running-actionsets-myactionset}?
Valid entries at this position are:
action Set action type, available value: permit, rate-limit, block, trust
allow-access Allow quarantined host to access defined IP
bytes-to-capture Set bytes to capture for packet trace
contact Add a notify contact
delete Delete file or configuration item
display Display file or configuration item
help Display help information
http-block Set quarantine option to block HTTP traffic
http-custom Set or clear HTTP custom text display option
http-redirect Set redirect URL for HTTP redirect option
http-showdesc Set or clear HTTP show desc display option
http-showname Set or clear HTTP show name display option
limit-quarantine Add IP for limit quarantine
limit-rate Set the rate value for rate-limit action
no-quarantine Add IP for no quarantine
nonhttp-block Set quarantine option to block non-HTTP traffic
packet-trace Enable/disable packet trace option
priority Set packet trace priority
quarantine Set quarantine option, available value: no, immediate, threshold
tcp-reset Set tcp reset option for block action, can be disable, source,
dest or both
threshold Set quarantine threshold value
verbosity Set packet trace verbosity
Related commands
running-actionsets Context Commands
addressgroups
Enters address group context.
Syntax
addressgroups
Example
NGFW{running}addressgroups
NGFW{running-addressgroups}help
NGFW{running-addressgroups}?
Valid entries at this position are:
addressgroup Create or enter an address group context
delete Delete address group parameters
help Display help information
rename Rename address group
Related commands
running-addressgroups Context Commands
application-filter-mgmt
Enters application filter management context.
Syntax
application-filter-mgmt
Example
NGFW{}edit
NGFW{running}application-filter-mgmt
Entering Immediate Commit Feature. Changes take effect immediately.
NGFW{running-app-filter-mgmt}help
Valid commands are:
display
filter FILTERNUMBER SYS_ENABLE_OR_DISABLE
filter FILTERNUMBER afcstate AFC_ENABLE_OR_DISABLE
filter FILTERNUMBER SYS_ENABLE_OR_DISABLE afcstate AFC_ENABLE_OR_DISABLE
help [full|COMMAND]
Related commands
running-app-filter-mgmt Context Commands
application-groups
Enters the application-group context mode. Application groups can be associated with firewall rules and
can only be defined by the LSM, not the CLI. The CLI commands are similar in syntax to those for security
categories, but the criteria parameter is deliberately obfuscated. Also, like security categories, application
group queries are not editable from the CLI.
NOTE: Attempting to create an application group from the CLI will result in an error while parsing the
CRITERIASTRING parameter.
The CRITERIASTRING format is deliberately obfuscated and not supported to prevent users from creating
or editing application group criteria from the CLI. Support for setting and getting criteria through the
obfuscated format is included so that users can still copy output of CLI display commands and paste them
back in.
Syntax
application-groups
Example
NGFW{running}application-groups
Entering Immediate Commit Feature. Changes take effect immediately.
NGFW{running-app-groups}help
Valid commands are:
application-group NEWAPPNAME CRITERIASTRING
application-group APPNAME
delete application-group APPNAME
display
help [full|COMMAND]
rename application-group APPNAME NEWAPPNAME
Related commands
running-app-groups Context Commands
application-visibility
Enables or disables application visibility.
Syntax
application-visibility (enable|disable)
Example
NGFW{running}application-visibility ?
Valid entries at this position are:
disable Disable application visibility
enable Enable application visibility
autodv
Enters auto digital vaccine context mode.
Syntax
autodv
Example
NGFW{running}autodv
Entering Immediate Commit Feature. Changes take effect immediately.
NGFW{running-autodv}help
Valid commands are:
calendar
delete proxy
delete proxy-password
delete proxy-username
disable
display
enable
help [full|COMMAND]
list
periodic
proxy ADDR port PORT
proxy-password PASSWD
proxy-username USER
update
NGFW{running-autodv}?
Valid entries at this position are:
calendar Enter Calender Style
delete Delete file or configuration item
disable Disable service
display Display file or configuration item
enable Enable service
help Display help information
list List Installed DVs
periodic Enter Periodic Style
proxy Configure proxy
proxy-password Proxy password
proxy-username Proxy username
update Update AutoDV
Related commands
running-autodv Context Commands
blockedStreams
Enters blockedStreams context mode.
Syntax
blockedStreams
Example
NGFW{running}blockedStreams
NGFW{running-blockedStreams}help
Valid commands are:
flushallstreams
flushstreams
help [full|COMMAND]
list
Related command
running-blockedStreams Context Commands
captive-portal
Enters captive portal context mode.
Syntax
captive-portal
Example
NGFW{running}captive-portal
NGFW{running-captive-portal}help
Valid commands are:
delete rule all|RULEID
help [full|COMMAND]
rename rule RULEID NEWRULEID
rule (auto|RULEID) [POSITION_VALUE]
set max-session-time MINUTES
set inactive-timeout MINUTES
set port PORT
set certificate CERTNAME
set login-page|status-page foreground-color|background-color HEX|COLOR
set login-page header-HTML|footer-HTML|failed-HTML
set status-page foreground-color|background-color HEX|COLOR
set status-page main-HTML
reset max-session-time|inactive-timeout|port|certificate
reset login-page|status-page foreground-color|background-color
reset login-page header-HTML|footer-HTML|failed-HTML
reset status-page main-HTML
Related commands
running-captive-portal Context Commands
certificates
Enters certificates context mode.
Syntax
certificates
Example
NGFW{running}certificates
NGFW{running-certificates}help
Valid commands are:
# Enter context
crl
# Other commands
ca-certificate CANAME
cert-request CERTREQUEST [key-size SIZE]
certificate CERTNAME
delete ca-certificate (all|CANAME)
delete cert-request (all|CERTREQUEST)
delete certificate (all|CERTNAME)
display ca-certificate CANAME [pem|text]
display cert-request CERTNAME
display certificate CERTNAME [pem|text]
display private-key CERTNAME
help [full|COMMAND]
private-key CERTNAME
Related commands
running-certificates Context Commands
cluster
Enters cluster context mode.
Syntax
cluster
Example
NGFW{running}cluster
NGFW{running-cluster}help
Valid commands are:
check CHECK_TYPE enable|disable
cluster-name NAME
delete standby
enable|disable
help [full|COMMAND]
member-id ID
member-name NAME
standby
tct
NGFW{running-cluster}?
Valid entries at this position are:
check Perform consistency check
cluster-name Apply Cluster Name
delete Delete file or configuration item
disable Disable clustering
enable Enable clustering
help Display help information
member-id Cluster Member ID
member-name Cluster member name
standby Set the device on standby
tct Enter cluster traffic context
Related commands
running-cluster Context Commands
delete
Deletes file or configuration item.
Syntax
delete SEGNAME
delete interface agglinkX
delete interface bridgeX
delete interface greX
delete interface l2tpX
delete interface loopbackX
delete interface pppoeX
delete interface pptpX
delete interface vlanX
delete interface vrrpvXgY
delete ip access-list NAME (permit|deny) A.B.C.D/M
delete ip prefix-list NAME (permit|deny) A.B.C.D/M [ge GE-VALUE] [le LE-VALUE]
delete ipv6 access-list NAME (permit|deny) X.X.X.X/M
delete l2tp-serverX
delete route-map ROUTE-MAP-NAME
delete route-map ROUTE-MAP-NAME permit|deny ENTRY-POSITION
delete router bgp
delete router ospf
delete router ospfv3
delete router pim-smv6
delete router rip
delete router ripng
delete router smr
Example
NGFW{running}delete segment78
NGFW{running}delete interface agglink0
NGFW{running}delete interface bridge0
NGFW{running}delete interface gre0
NGFW{running}delete interface l2tp0
NGFW{running}delete interface loopback0
NGFW{running}delete interface pppoe0
NGFW{running}delete interface pptp0
NGFW{running}delete interface vlan0
NGFW{running}delete ip access-list myaccesslist permit 0.0.0.0/0
NGFW{running}delete ip prefix-list myprefixlist permit 192.168.0.0/16 ge 24 le 24
NGFW{running}delete ipv6 access-list myipv6accesslist permit 100:0:0:0:0:0:0:0/64
NGFW{running}delete l2tp-server0
NGFW{running}delete route-map myroutemap
NGFW{running}delete route-map myroutemap permit 1
NGFW{running}delete router bgp
NGFW{running}delete router ospf
NGFW{running}delete router ospfv3
NGFW{running}delete router pim-smv6
NGFW{running}delete router rip
NGFW{running}delete router ripng
NGFW{running}delete router smr
dhcp
Enters DHCP context mode.
Syntax
dhcp relay
dhcp server
Example
NGFW{running}dhcp
Valid entries at this position are:
relay Enter DHCP relay context
server Server
Related commands
running-dhcp-relay Context Commands
running-dhcp-server Context Commands
dns
Enters DNS context mode.
Syntax
dns
Example
NGFW{running}dns
NGFW{running-dns}help
Valid commands are:
delete domain-name
delete name-server all|A.B.C.D|X:X::X:X
delete proxy cache cleaning interval
delete proxy cache forwarder all|A.B.C.D|X:X::X:X
delete proxy cache maximum negative ttl
delete proxy cache maximum ttl
delete proxy cache size
domain-name NAME
domain-search primary NAME
help [full|COMMAND]
name-server A.B.C.D|X:X::X:X
proxy cache cleaning interval cache cleaning interval in minutes
proxy cache forwarder A.B.C.D|X:X::X:X
proxy cache maximum negative ttl cache maximum negative TTL in minutes
proxy cache maximum ttl cache maximum TTL in minutes
proxy cache size cache size in megabytes
proxy enable|disable
NGFW{running-dns}?
Valid entries at this position are:
delete Delete file or configuration item
domain-name Configure domain name
domain-search Configure domain search
help Display help information
name-server Configure DNS server
proxy Configure proxy
proxy Enable or disable proxy
Related commands
running-dns Context Commands
dst-nat
Enters destination NAT context mode.
Syntax
dst-nat
Example
NGFW{running}dst-nat
NGFW{running-dnat}help
Valid commands are:
delete rule all|DSTNATRULEID
help [full|COMMAND]
rule (auto|DSTNATRULEID) [POSITION_VALUE]
NGFW{running-dnat}?
Valid entries at this position are:
delete Delete destination NAT rule(s)
help Display help information
rename Rename destination NAT rule
rule Create or enter a rule context
Related commands
running-dnat Context Commands
firewall
Enters firewall context mode.
Syntax
firewall
Example
NGFW{running}firewall
NGFW{running-firewall}help
Valid commands are:
default-block-rule DEFACTIONSET
delete rule all|XRULEID
help [full|COMMAND]
rename rule XRULEID NEWRULEID
rule (auto|RULEID) [POSITION_VALUE]
NGFW{running-firewall}?
Valid entries at this position are:
default-block-rule Apply action set for default block rule
delete Delete firewall rule
help Display help information
rename Rename a firewall rule
rule Create or enter a rule context
Related commands
running-firewall Context Commands
gen
Enters general context mode.
Usage
gen
Example
NGFW{running}gen
NGFW{running-gen}help
Valid commands are:
# System commands
timezone (GMT|(REGION CITY))
# Manage context
display [xml]
# Other commands
arp A.B.C.D INTERFACE MAC
auto-restart enable|disable
delete arp all|(ENTRY INTERFACE)
delete host NAME|all
delete ndp all|(ENTRY INTERFACE)
ephemeral-port-range default|(LOWRANGE HIGHRANGE)
forwarding ipv4|ipv6 enable|disable
help [full|COMMAND]
host NAME A.B.C.D|X:X::X:X
https enable|disable
inband-management enable|disable
management-service all|dns|email|ldap|ntp|radius|remote-syslog|snmp management
|network
ndp X:X::X:X INTERFACE MAC
ssh enable|disable
xmsd remote (port PORT [address A.B.C.D])|disable
NGFW{running-gen}?
Valid entries at this position are:
arp Configure static ARP entry
auto-restart Enable/disable automatic restart on detection of critical
problem
delete Delete file or configuration item
display Display general context
ephemeral-port-range Set the range of the ephemeral port (default is 32768-61000)
forwarding Enable or disable IPv4/IPv6 forwarding
help Display help information
host Configure static address to host name association
https Enable or disable WEB server configuration
inband-management Inband Management
management-service Management of a service to use management port or network port
ndp Configure static NDP entry
ssh Enable or disable ssh service
timezone Display or configure time zone
Related commands
running-gen Context Commands
global-inspection
Enters global-inspection context mode.
Syntax
global-inspection
Example
NGFW{running}global-inspection
NGFW{running-global-inspection}help
Valid commands are:
default-inspection (ips-profile IPSPROFILE|none)|(reputation-profile
REPPROFILE|none)
unknown-app (ips-profile IPSPROFILE|none)|(reputation-profile REPPROFILE|none)
display [xml]
help [full|COMMAND]
NGFW{running-global-inspection}?
Valid entries at this position are:
default-inspection Apply default inspection profile
display Display global inspection profile configuration
help Display help information
unknown-app Apply inspection profile during application detection phase
Related commands
running-global-inspection Context Commands
high-availability
Enters high-availability context mode.
Syntax
high-availability
Examples
NGFW{running}high-availability
NGFW{running-high-availability}help
Valid commands are:
delete failover-group base-mac
delete failover-group name
enable|disable
failover-group base-mac X:X:X:X:X:X
failover-group name NAME
help [full|COMMAND]
state-sync (global [enable|disable])|(FEATURE [enable|disable|(log-level SEVERITY)])
NGFW{running-high-availability}?
Valid entries at this position are:
delete Delete file or configuration item
disable Disable high-availability
enable Enable high-availability
failover-group Failover Group
help Display help information
state-sync State synchronization
NGFW{running-high-availability}help state-sync
Enable or disable high-availability (enable|disable)
Syntax: state-sync (global [enable|disable])|(FEATURE [enable|disable|(log-level
SEVERITY)])
state-sync State synchronization
global Turn state synchronization on or off
enable Enable state synchronization
disable Disable state synchronization
FEATURE Specify a state synchronization table
Possible values for FEATURE are:
firewall Firewall state synchronization table
ips IPS state synchronization table
routing Routing state synchronization table
log-level Specify logging level
SEVERITY Log service severity
Possible values for SEVERITY are:
emergency Panic condition messages
alert Immediate problem condition messages
critical Critical condition messages
error Error messages
warning Warning messages
notice Special condition messages
info Informational messages
debug Debug messages
none Turn off messages
NGFW{running-high-availability}state-sync ?
Valid entries at this position are:
firewall Firewall state synchronization table
ips IPS state synchronization table
routing Routing state synchronization table
global Turn state synchronization on or off
Related commands
running-high-availability Context Commands
interface
Enters interface context mode. The X represents a number to be entered, such as bridge2.
Syntax
# Enter context
interface agglinkX
interface bridgeX
interface ethernetX
interface greX
interface l2tpX
interface loopbackX
interface mgmt
interface pppoeX
interface pptpX
interface vlanX
Example
NGFW{running}interface bridge2
NGFW{running-bridge2}?
Valid entries at this position are:
arp/ndp Enable or disable ARP and NDP on interface
autoconfv6 Enable or disable IPv6 autoconfiguration on interface
bind Bind bridged network interface over ethernet/VLAN/agglink
delete Delete file or configuration item
description Enter description for the interface
help Display help information
ip Configure IP settings
ipaddress Configure IP address
ipv6 Configure IPv6 settings
mtu Configure interface MTU
prefix Configure IPv6 prefix
ra-autoconf-level Modify IPv6 Router Advertisement autoconfiguration level
ra-interval Modify IPv6 Router Advertisement interval value
ra-interval-transmit Modify IPv6 Router Advertisement interval transmit
ra-lifetime Modify IPv6 Router Advertisement prefix lifetime
ra-mtu Modify IPv6 Router Advertisement MTU value
ra-transmit-mode Modify IPv6 Router Advertisement transmit mode
router-advert Configure IPv6 Router Advertisement parameters
shutdown Shutdown logical interface state
tcp4mss Configure interface TCP MSS for IPv4
tcp6mss Configure interface TCP MSS for IPv6
NGFW{running-bridge2}help
Related commands
running-agglinkX Context Commands
running-bridgeX Context Commands
running-ethernetX Context Commands
running-greX Context Commands
running-l2tpX Context Commands
running-loopbackX Context Commands
running-mgmt Context Commands
running-pppoeX Context Commands
running-pptpX Context Commands
running-vlanX Context Commands
ip
IP configuration mode.
Syntax
ip access-list NAME (permit|deny) A.B.C.D/M
ip as-path access-list NAME (permit|deny) ASN_FILTER
delete ip as-path access-list NAME (permit|deny) ASN_FILTER
ip community-list NAME (permit|deny)
((AA:NN)|internet|local-as|no-advertise|no-export)
delete ip community-list NAME (permit|deny)
((AA:NN)|internet|local-as|no-advertise|no-export)
ip prefix-list NAME (permit|deny) A.B.C.D/M [ge GE-VALUE] [le LE-VALUE]
ip route A.B.C.D/M A.B.C.D|INTERFACE [DISTANCE]
ipv6 route X:X::X:X/M (X:X::X:X[%INTERFACE])|INTERFACE [DISTANCE]
display ip route
Valid entries:
access-list Access list
as-path AS Path access list
community-list Community list
prefix-list Prefix list
route Add an IPv4 static route
Example
NGFW{running}ip access-list myaccesslist permit 0.0.0.0/0
NGFW{running}ip as-path access-list myasnaccesslist permit ^64496$
NGFW{running}delete ip as-path access-list myasnaccesslist permit ^64496$
NGFW{running}ip community-list mycommunitylist permit 64496:100
NGFW{running}ip community-list mycommunitylist permit internet
NGFW{running}delete ip community-list mycommunitylist permit 64496:100
NGFW{running}ip prefix-list myprefixlist permit 192.168.0.0/16 ge 24 le 24
NGFW{running}ip route 192.168.1.0/24 192.0.2.1 1
NGFW{running}ip route 192.168.1.0/24 ethernet5 1
NGFW{running}display ip route
# IPV4 ROUTES
ip route 192.168.1.0/24 192.0.2.1 1
ip route 192.168.1.0/24 ethernet5
ips
Enters IPS profile context mode.
Syntax
ips
Example
NGFW{running}ips
Entering Immediate Commit Feature. Changes take effect immediately.
NGFW{running-ips}help
Valid commands are:
# Enter context
display-categoryrules
# Other commands
afc-mode AFCMODE
afc-severity SEVERITY
connection-table TIMEOUTTYPE SECONDS
delete profile XPROFILENAME
deployment-choices
display
gzip-decompression enable|disable
help [full|COMMAND]
profile PROFILENAME
quarantine-duration DURATION
rename profile XPROFILENAME NEWPROFILENAME
NGFW{running-ips}?
Valid entries at this position are:
afc-mode AFC mode
afc-severity AFC severity
connection-table Connection table timeout
delete Delete a profile
deployment-choices Get deployment choices
display Display all ips configuration and profiles
display-categoryrules Display category rules for all profiles
gzip-decompression GZIP decompression mode
help Display help information
profile Create/enter a IPS profile
quarantine-duration Quarantine duration
rename Rename a profile
Related commands
running-ips Context Commands
ipv6
IPv6 configuration
Syntax
ipv6 access-list NAME (permit|deny) X:X::X:X/M
ipv6 route X:X::X:X/M (X:X::X:X[%INTERFACE])|INTERFACE [DISTANCE]
display ipv6 route
Valid entries:
ipv6 IPv6 configuration
route Add static route
X:X::X:X/M Unicast IPv6 prefix address
X:X::X:X IPv6 address
INTERFACE Interface name
DISTANCE The distance value (1-255)
Example
NGFW{running}ipv6 access-list myipv6accesslist permit 100:0:0:0:0:0:0:0/64
NGFW{running}ipv6 route 2001:2:0:0:0:0:0:0/48 ethernet5 1
NGFW{running}ipv6 route 2001:2:0:0:0:0:0:0/48 100:0:0:0:0:0:0:1 1
NGFW{running}display ipv6 route
# IPV6 ROUTES
ipv6 route 2001:2::/48 ethernet5
ipv6 route 2001:2::/48 100::1
l2tp-serverX
Enters L2TP Server context mode. The X represents a number, for example server0.
Syntax
l2tp-serverX
Example
NGFW{running}l2tp-server0
NGFW{running-l2tp-server0}help
Valid commands are:
auth enable|disable
auth shared-secret A.B.C.D|any secret-key
bind none|any|(A.B.C.D [port])
delete auth shared-secret A.B.C.D|all
help [full|COMMAND]
hiding enable|disable
sequencing enable|disable
NGFW{running-l2tp-server0}?
Valid entries at this position are:
auth Authenticated configuration
bind Configure bind service of L2TP server
delete Delete file or configuration item
help Display help information
hiding Enable or disable hiding configuration
sequencing Enable or disable sequence configuration
Related commands
running-l2tp-serverX Context Commands
log
Enters log context mode. Note that the 'Management Console' notification contact for the Audit log
cannot be modified.
Syntax
log
Example
NGFW{running}log
NGFW{running-log}help
Valid commands are:
delete log audit CONTACT-NAME
delete log quarantine CONTACT-NAME
delete log system CONTACT-NAME
delete log vpn CONTACT-NAME
delete log-option fib events|kernel|memory|packet [recv|send]
delete log-option ppp( all)|( DEL-PPP-LOG-OPTION){1,10}
delete log-option xmsd( all)|( LOG_OPTION)
help [full|COMMAND]
log audit CONTACT-NAME [ALL|none]
log quarantine CONTACT-NAME [ALL|none]
log system CONTACT-NAME [SEVERITY]
log vpn CONTACT-NAME [SEVERITY]
log-option fib events|kernel|memory|packet [recv|send]
log-option ppp( all)|( PPP-LOG-OPTION){1,255}
log-option xmsd( all)|( LOG_OPTION)
sub-system SUBSYSTEM [SEVERITY]
NGFW{running-log}?
Valid entries at this position are:
delete Delete file or configuration item
help Display help information
log Add a Notification Contact to a log service
log-option Add service log option
sub-system set sub-system log level
NGFW{running-log}display
# LOG SERVICES
log system "Management Console" notice
#log audit "Management Console" ALL
log vpn "Management Console" info
log quarantine "Management Console" ALL
# SUB-SERVICES
sub-system INIT info
sub-system XMS notice
sub-system TOS info
sub-system HTTPD notice
sub-system GATED none
sub-system LOGIN notice
sub-system PACEMAKER error
sub-system COROSYNC notice
sub-system CRMADMIN none
Related commands
running-log Context Commands
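The display output in the log example above can be checked mechanically for sub-systems whose logging is turned down or off. The following Python code is an added example, not part of the HP guide or the product; it assumes the SEVERITY names listed under help state-sync also apply to log and sub-system lines, and its function names are hypothetical.

```python
import shlex

# Most severe first, as listed for SEVERITY on this page.
# "none" is handled separately because it turns messages off.
SEVERITIES = ["emergency", "alert", "critical", "error",
              "warning", "notice", "info", "debug"]

# The `display` output from the log section of this page, copied verbatim.
SAMPLE_DISPLAY = """\
# LOG SERVICES
log system "Management Console" notice
#log audit "Management Console" ALL
log vpn "Management Console" info
log quarantine "Management Console" ALL
# SUB-SERVICES
sub-system INIT info
sub-system XMS notice
sub-system TOS info
sub-system HTTPD notice
sub-system GATED none
sub-system LOGIN notice
sub-system PACEMAKER error
sub-system COROSYNC notice
sub-system CRMADMIN none
"""


def parse_display(text):
    """Parse `display` output into (services, subsystems).

    services:   list of (service, contact, level) tuples, in file order
    subsystems: dict mapping sub-system name to its level
    Lines starting with '#' are skipped, which includes the audit line
    that the device prints commented out.
    """
    services, subsystems = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)  # keeps "Management Console" as one token
        if tokens[0] == "log" and len(tokens) >= 3:
            level = tokens[3] if len(tokens) > 3 else None
            services.append((tokens[1], tokens[2], level))
        elif tokens[0] == "sub-system" and len(tokens) >= 2:
            subsystems[tokens[1]] = tokens[2] if len(tokens) > 2 else None
    return services, subsystems


def records_at(level, minimum):
    """True if a service set to `level` still records `minimum` messages."""
    if level is None:
        return False                    # no level shown: treat as a finding
    if level.upper() == "ALL":
        return True
    if level.lower() not in SEVERITIES:
        return False                    # covers "none" and unknown values
    return SEVERITIES.index(level.lower()) >= SEVERITIES.index(minimum)


def audit(text, minimum="notice"):
    """Return (kind, name, level) for every entry that drops `minimum`."""
    services, subsystems = parse_display(text)
    findings = []
    for name, _contact, level in services:
        if not records_at(level, minimum):
            findings.append(("log", name, level))
    for name in sorted(subsystems):
        if not records_at(subsystems[name], minimum):
            findings.append(("sub-system", name, subsystems[name]))
    return findings


if __name__ == "__main__":
    for kind, name, level in audit(SAMPLE_DISPLAY):
        print(f"{kind} {name}: level {level} drops notice-level messages")
```
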
multicast-registration
Enters multicast registration context mode.
Syntax
multicast-registration
Example
NGFW{running}multicast-registration
NGFW{running-multicast-registration}help
Valid commands are:
help [full|COMMAND]
igmp-version default|(mode MODE IGMPvX)
mld-version default|(mode MODE MLDvX)
NGFW{running-multicast-registration}?
Valid entries at this position are:
help Display help information
igmp-version Configure system IGMP version
mld-version Configure system MLD version
NGFW{running-multicast-registration}igmp-version mode ?
Valid entry at this position is:
MODE Define IGMP mode (force or default)
Related commands
running-multicast-registration Context Commands
notifycontacts
Enters notify contacts context mode.
Syntax
notifycontacts
Example
NGFW{running}notifycontacts
Entering Immediate Commit Feature. Changes take effect immediately.
NGFW{running-notifycontacts}help
Valid commands are:
contact CONTACTNAME
contact NEWNAME email
contact NEWNAME snmp COMMUNITY IP [PORT]
delete contact XCONTACTNAME
display
email-from-address EMAIL
email-from-domain DOMAIN
email-server IP
email-threshold THRESHOLD
email-to-default-address EMAIL
help [full|COMMAND]
rename contact XCONTACTNAME NEWNAME
NGFW{running-notifycontacts}?
Valid entries at this position are:
contact Create or edit a notify contact
delete Delete file or configuration item
display Display all available contacts
email-from-address From email address
email-from-domain From domain name
email-server Set mail server IP
email-threshold Set email threshold
email-to-default-address Default to email address
help Display help information
rename Rename contact with new name
Related commands
running-notifycontacts (email) Context Commands
ntp
Enters NTP context mode.
Syntax
ntp
Example
NGFW{running}ntp
NGFW{running-ntp}help
Valid commands are:
delete key all|ID
delete server all|HOST
help [full|COMMAND]
key (1-65535) VALUE
ntp enable|disable
polling-interval SECONDS
server dhcp|NAME [key ID] [prefer]
NGFW{running-ntp}?
Valid entries at this position are:
delete Delete file or configuration item
help Display help information
key Configure NTP authentication key
ntp Enable or disable NTP
polling-interval Configure minimum polling interval
server Configure remote NTP server
Related commands
running-ntp Context Commands
reputation
Enters Reputation context mode.
Syntax
reputation
Example
NGFW{running}reputation
Entering Immediate Commit Feature. Changes take effect immediately.
NGFW{running-rep}help
Valid commands are:
delete group USERGROUP
delete profile XPROFILENAME
display
group USERGROUP
help [full|COMMAND]
profile PROFILENAME
rename group USERGROUP NEWUSERGROUP
rename profile XPROFILENAME NEWPROFILENAME
NGFW{running-rep}?
Valid entries at this position are:
delete Delete file or configuration item
display Display all reputation profiles and groups
group Create/enter reputation group context
help Display help information
profile Create/enter reputation profile context
rename Rename a reputation profile or group
Related commands
running-rep Context Commands
route-map
Allows you to configure the route-map.
Syntax
route-map ROUTE-MAP-NAME (permit|deny) ENTRY-POSITION
Example
NGFW{running}help route-map
Enter the route-map context
Syntax: route-map ROUTE-MAP-NAME permit|deny ENTRY-POSITION
route-map Enter the route-map context
ROUTE-MAP-NAME Route-map name
permit Permit the network prefix
deny Deny the network prefix
ENTRY-POSITION Position of the route-map entry (1-65535)
Related commands
running-route-map Context Commands
router
Enters the specified router protocol context.
Syntax
router bgp ASNUMBER
router ospf
router ospfv3
router pim-smv4
router pim-smv6
router rip
router ripng
router smr
Valid entries:
bgp Enter the BGP context
ASNUMBER The autonomous system number (1-2147483647)
ospf Enter the OSPF context
ospfv3 Enter the OSPFv3 context
pim-smv4 Enter the PIM-SM IPv4 context
pim-smv6 Enter the PIM-SM IPv6 context
rip Enter the RIP context
ripng Enter the RIPng context
smr Enter the SMR context
Example
NGFW{running}router ospf
NGFW{running}router ospfv3
NGFW{running}router pim-smv4
NGFW{running}router pim-smv6
NGFW{running}router rip
NGFW{running}router ripng
NGFW{running}router smr
NGFW{running}router bgp
Related commands
running-ospf Context Commands
running-ospfv3 Context Commands
running-bgp-X Context Commands
running-rip Context Commands
running-ripng Context Commands
running-pim-smv4 Context Commands
running-pim-smv6 Context Commands
running-smr Context Commands
schedules
Enters schedules context mode.
Syntax
schedules
Example
NGFW{running}schedules
NGFW{running-schedules}help
Valid commands are:
delete schedule all|SCHEDULENAME
help [full|COMMAND]
rename schedule SCHEDULENAME NEWSCHEDULENAME
schedule SCHEDULENAME
NGFW{running-schedules}?
Valid entries at this position are:
delete Delete a schedule
help Display help information
rename Rename a schedule
schedule Create or enter a schedule context
Related commands
running-schedules Context Commands
segmentX
Enters Segment context mode. The X represents a segment number, for example segment0.
Syntax
segmentX
Example
NGFW{running}segment0
NGFW{running-segment0}help
Valid commands are:
# Enter context
bind bind
delete bind|high-availability|link-down
high-availability mode
link-down breaker [wait-time WAIT-TIME]
link-down hub
link-down wire [wait-time WAIT-TIME]
restart
# Other commands
description TEXT
help [full|COMMAND]
NGFW{running-segment0}?
Valid entries at this position are:
bind Bind ethernet port pairs to segment
delete Delete file or configuration item
description Enter description for the segment
help Display help information
high-availability Intrinsic HA Layer 2 Fallback action
link-down Link down synchronization mode
restart Restart both Ethernet ports of segment
NGFW{running-segment0}help bind
Bind ethernet port pairs to segment
Syntax: bind bind
bind Bind ethernet port pairs to segment
bind ethernet port pairs
Related commands
running-segmentX Context Commands
services
Enters services context mode.
Syntax
services
Example
NGFW{running}services
NGFW{running-services}help
Valid commands are:
delete service all|USERSERVICENAME
help [full|COMMAND]
rename service USERSERVICENAME NEWSERVICENAME
restore-default
service SERVICENAME
NGFW{running-services}?
Valid entries at this position are:
delete Delete service(s)
help Display help information
rename Rename service
restore-default Restore default services
service Create or enter a service context
Related commands
running-services Context Commands
snmp
Enters SNMP context mode.
Syntax
snmp
Example
NGFW{running}snmp
NGFW{running-snmp}help
Valid commands are:
authtrap enable|disable
community COMMUNITY SOURCE
delete community COMMUNITY|all
delete trapsession (HOST ver VERSION)|all
delete username (USERNAME|all)
engineID ENGINE-ID
help [full|COMMAND]
snmp enable|disable
trapsession HOST [port PORT] ver 2c COMMUNITY [inform]
trapsession HOST [port PORT] ver 3 USERNAME level noAuthNoPriv [inform]
trapsession HOST [port PORT] ver 3 USERNAME level authNoPriv authtype AUTHTYPE
AUTHPASS [inform]
trapsession HOST [port PORT] ver 3 USERNAME level authPriv authtype AUTHTYPE
AUTHPASS privproto PRIVPROTO [PRIVPASS] [inform]
username USERNAME level noAuthNoPriv
username USERNAME level authNoPriv authtype AUTHTYPE AUTHPASS
username USERNAME level authPriv authtype AUTHTYPE AUTHPASS privproto PRIVPROTO
[PRIVPASS]
NGFW{running-snmp}?
Valid entries at this position are:
authtrap Configure SNMP authentication failure trap
community Configure SNMP read-only community
delete Delete file or configuration item
engineID Configure SNMPv3 engine ID
help Display help information
snmp Enable or disable SNMP
trapsession Configure a trap/inform
username Configure SNMPv3 USM read-only user
Related commands
running-snmp Context Commands
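The snmp help output above allows three SNMPv3 security levels plus v2c communities, and only authPriv both authenticates and encrypts. The following Python code is an added example, not part of the HP guide or the product: it reviews lines written in the command syntax shown above and masks secrets in its report. The sample lines are constructed, AUTHTYPE, AUTHPASS, PRIVPROTO and PRIVPASS are left as the guide's placeholders, and the function and rule names are hypothetical.

```python
# Constructed sample lines in the syntax listed by `help` in the snmp context.
# Host addresses, user names and the community string are made up.
SAMPLE_SNMP = """\
snmp enable
community examplecommunity 192.0.2.10
username poller1 level noAuthNoPriv
username poller2 level authNoPriv authtype AUTHTYPE AUTHPASS
username poller3 level authPriv authtype AUTHTYPE AUTHPASS privproto PRIVPROTO PRIVPASS
trapsession 192.0.2.20 ver 2c examplecommunity
trapsession 192.0.2.21 port 162 ver 3 poller3 level authPriv authtype AUTHTYPE AUTHPASS privproto PRIVPROTO inform
"""

# Rule id -> why a reviewer would look at the line.
RULES = {
    "community-string": "v1/v2c community string, sent unencrypted",
    "v2c-trap": "trap/inform protected only by a community string",
    "no-auth-no-priv": "SNMPv3 user with neither authentication nor encryption",
    "no-privacy": "SNMPv3 user authenticated but not encrypted",
}


def token_after(tokens, keyword):
    """Return the token that follows keyword, or None if it is absent."""
    if keyword in tokens:
        i = tokens.index(keyword)
        if i + 1 < len(tokens):
            return tokens[i + 1]
    return None


def redact(tokens):
    """Rebuild the line with community strings and passphrases masked."""
    out = list(tokens)

    def mask(i):
        # The trailing "inform" keyword is not a secret, so leave it alone.
        if i < len(out) and out[i] != "inform":
            out[i] = "***"

    if out and out[0] == "community":
        mask(1)
    for i, tok in enumerate(tokens):
        if tok == "authtype":
            mask(i + 2)      # AUTHTYPE is at i+1, AUTHPASS at i+2
        elif tok == "privproto":
            mask(i + 2)      # PRIVPROTO is at i+1, optional PRIVPASS at i+2
        elif tok == "ver" and token_after(tokens, "ver") == "2c":
            mask(i + 2)      # COMMUNITY follows "ver 2c"
    return " ".join(out)


def lint_snmp(config_text):
    """Return (line number, rule id, redacted line) for each weak setting."""
    findings = []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        tokens = raw.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        cmd, rule = tokens[0], None
        if cmd == "community":
            rule = "community-string"
        elif cmd == "trapsession" and token_after(tokens, "ver") == "2c":
            rule = "v2c-trap"
        elif cmd in ("username", "trapsession"):
            level = token_after(tokens, "level")
            if level == "noAuthNoPriv":
                rule = "no-auth-no-priv"
            elif level == "authNoPriv":
                rule = "no-privacy"
        if rule:
            findings.append((lineno, rule, redact(tokens)))
    return findings


if __name__ == "__main__":
    for lineno, rule, line in lint_snmp(SAMPLE_SNMP):
        print(f"line {lineno}: {RULES[rule]}: {line}")
```
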
src-nat
Enters source NAT context mode.
Syntax
src-nat
Example
NGFW{running}src-nat
NGFW{running-snat}help
Valid commands are:
delete rule all|SRCNATRULEID
help [full|COMMAND]
rule (auto|SRCNATRULEID) [POSITION_VALUE]
NGFW{running-snat}?
Valid entries at this position are:
delete Delete source NAT rule(s)
help Display help information
rename Rename source NAT rule
rule Create or enter a rule context
Related commands
running-snat Context Commands
vpn
Enters VPN context mode.
Syntax
vpn ipsec
Example
NGFW{running}vpn ipsec
NGFW{running-ipsec}help
Valid commands are:
delete log vpn CONTACT-NAME
delete phase1 proposal (all|NAME)
delete phase2 proposal (all|NAME)
delete policy (all|NAME)
delete pre-shared-keys (all|A.B.C.D|X:X::X:X|HOSTNAME) [vrf-id ID|any]
delete retransmit-timeout
delete retransmit-tries
delete trust (all|CANAME)
delete user
delete vpn (all|NAME)
help [full|COMMAND]
ipsec enable|disable
log vpn CONTACT-NAME [SEVERITY]
manual
phase1 VERSION proposal NAME
phase2 VERSION proposal NAME
policy NAME [PRIORITY]
pre-shared-key local A.B.C.D|X:X::X:X|LFQDN remote A.B.C.D|X:X::X:X|RFQDN|any
retransmit-timeout TIMEOUT
retransmit-tries COUNT
trust CANAME
user
vpn NAME
NGFW{running-ipsec}?
Valid entries at this position are:
delete Delete file or configuration item
help Display help information
ipsec Enable or disable IPsec
log Add a Notification Contact to a log service
manual Enter manual Security Association context
phase1 Enter Phase1 proposal context
phase2 Enter Phase2 proposal context
policy Enter IPSec Policy context
pre-shared-key Configure pre-shared key (start with 0x for hexadecimal key)
retransmit-timeout Configure IKEv2 Dead Peer Detection retransmission timeout in seconds
retransmit-tries Configure IKEv2 Dead Peer Detection maximum retransmission tries
trust Configure certification authority trust
user Enter VPN user context
vpn Enter VPN context
Related commands
running-ipsec Context Commands
zones
Enters security zone context mode.
Syntax
zones
Example
NGFW{running}zones
NGFW{running-zones}help
Valid commands are:
delete zone all|ZONENAME
help [full|COMMAND]
rename zone ZONENAME NEWZONENAME
zone ZONENAME
NGFW{running-zones}?
Valid entries at this position are:
delete Delete security zone(s)
help Display help information
rename Rename a specified zone
zone Enter security zone context
Related commands
running-zones Context Commands
Contexts and Related Commands
running-aaa Context Commands
NGFW{running-aaa}delete
Delete file or configuration item.
Syntax
delete ldap-group (LDAPNAME|all)
delete radius-group (RADIUSNAME|all)
delete role (ROLE|all)
delete user (USER|all)
delete user-group (USERGROUP|all)
Example
NGFW{running}aaa
NGFW{running-aaa}delete ldap-group group1
NGFW{running-aaa}delete radius-group group1
NGFW{running-aaa}delete role myrole1
NGFW{running-aaa}delete user myuser1
NGFW{running-aaa}delete user-group group1
NGFW{running-aaa}display
Display configuration.
Syntax
display ldap-group LDAPGROUP [xml]
display ldap-schema (active-directory|novell-edirectory|fedora-ds|rfc2798|rfc2307nis|samba|custom) [xml]
display login-settings [xml]
display password-settings [xml]
display radius-group RADIUSGROUP [xml]
display remote-login-group [xml]
display role USER [xml]
display user USER [xml]
display usergroup USERGROUP [xml]
Example
NGFW{running-aaa}display ldap-group group1
NGFW{running-aaa}display ldap-schema active-directory
NGFW{running-aaa}display login-settings
NGFW{running-aaa}display password-settings
NGFW{running-aaa}display radius-group group1
NGFW{running-aaa}display remote-login-group
NGFW{running-aaa}display role superuserRole
NGFW{running-aaa}display user myuser1
NGFW{running-aaa}display usergroup group1
NGFW{running-aaa}ldap-group
Configure LDAP group. Maximum number of groups is two.
Syntax
ldap-group LDAPNAME
Example
NGFW{running-aaa}ldap-group mygroup
NGFW{running-aaa}ldap-schema
Configure LDAP schema.
Syntax
ldap-schema SCHEMA
SCHEMA (active-directory|novell-edirectory|fedora-ds|rfc2798|rfc2307nis|samba|custom)
Example
NGFW{running-aaa}ldap-schema custom
NGFW{running-aaa-ldap-schema-custom}
NGFW{running-aaa}login
Configure login settings.
Syntax
login maximum-attempts (0-10)
login failure-action (lockout|lockout-disable|audit)
login lockout-period MINUTES
login lockout-period (0-1440)
Example
NGFW{running-aaa}login failure-action lockout
NGFW{running-aaa}password
Configure password settings.
Syntax
password quality (basic|maximum|none)
password expiry-time (10d|20d|30d|45d|60d|90d|6m|1y)
password expiry-action (force-change|notify-user|disable-account)
Example
NGFW{running-aaa}password quality maximum
NGFW{running-aaa}password expiry-time 30d
NGFW{running-aaa}password expiry-action force-change
NGFW{running-aaa}radius-group
Configure RADIUS group. Maximum number of RADIUS groups is 2.
Syntax
radius-group RADIUSNAME
Example
NGFW{running-aaa}radius-group group1
NGFW{running-aaa}remote-login-group
Configure LDAP or RADIUS group to use for either network or administrative login.
Syntax
remote-login-group (network|administrator) (GROUP|none)
Example
NGFW{running-aaa}remote-login-group administrator group1
NGFW{running-aaa}role
Configure an access role.
Syntax
role ROLE [OLDROLE]
Example
NGFW{running-aaa}role myrole1
NGFW{running-aaa}user
Configure a user identified by name.
Syntax
user NAME
Example
NGFW{running-aaa}user myuser1
NGFW{running-aaa}user-group
Configure a user group identified by name.
Syntax
user-group GROUPNAME
Example
NGFW{running-aaa}user-group group1
running-aaa-ldap-group-X Context Commands
NGFW{running-aaa-ldap-group-mygroup1}base-dn
Configure base distinguished name (DN).
Syntax
base-dn DN
Example
NGFW{running-aaa}ldap-group mygroup1
NGFW{running-aaa-ldap-group-mygroup1}base-dn DC=example,DC=com
NGFW{running-aaa-ldap-group-mygroup1}bind-dn
Configure bind distinguished name (DN).
Syntax
bind-dn DN
Example
NGFW{running-aaa-ldap-group-mygroup1}bind-dn CN=admin,OU=People,DC=example,DC=com
NGFW{running-aaa-ldap-group-mygroup1}bind-password
Configure LDAP bind password.
Syntax
bind-password PASSWORD
Example
NGFW{running-aaa-ldap-group-mygroup1}bind-password mysecret
NGFW{running-aaa-ldap-group-mygroup1}delete
Delete file or configuration item.
Syntax
delete server (ADDRESS|all)
Example
NGFW{running-aaa-ldap-group-mygroup1}delete server 192.168.1.1
NGFW{running-aaa-ldap-group-mygroup1}port
Configure LDAP port.
Syntax
port <0-65535>
Example
NGFW{running-aaa-ldap-group-mygroup1}port 389
NGFW{running-aaa-ldap-group-mygroup1}retries
Configure server(s) retries.
Syntax
retries RETRY
Example
NGFW{running-aaa-ldap-group-mygroup1}retries 3
NGFW{running-aaa-ldap-group-mygroup1}schema
Configure schema.
Syntax
schema (active-directory|fedora-ds|novell-edirectory|rfc2307nis|rfc2798|samba|custom)
Example
NGFW{running-aaa-ldap-group-mygroup1}schema active-directory
NGFW{running-aaa-ldap-group-mygroup1}server
Configure LDAP server address.
Syntax
server (A.B.C.D|X:X::X:X) priority (1-6)
Example
NGFW{running-aaa-ldap-group-mygroup1}server 192.168.1.1 priority 1
NGFW{running-aaa-ldap-group-mygroup1}server 192.168.1.2 priority 2
NGFW{running-aaa-ldap-group-mygroup1}timeout
Configure timeout.
Syntax
timeout SECONDS
Example
NGFW{running-aaa-ldap-group-mygroup1}timeout 10
NGFW{running-aaa-ldap-group-mygroup1}tls
Configure TLS.
Syntax
tls (enable|disable)
tls start-tls (enable|disable)
tls require-valid-server-cert (enable|disable)
Example
NGFW{running-aaa-ldap-group-mygroup1}tls enable
NGFW{running-aaa-ldap-group-mygroup1}tls require-valid-server-cert enable
NGFW{running-aaa-ldap-group-mygroup1}tls start-tls enable
NGFW{running-aaa-ldap-group-mygroup1}version
Configure LDAP version.
Syntax
version (2|3)
Example
NGFW{running-aaa-ldap-group-mygroup1}version 3
running-aaa-radius-group-X Context Commands
NGFW{running-aaa-radius-group-2}default-usergroup
Default usergroup.
Syntax
default-usergroup GROUP|none
Example
NGFW{running-aaa}radius-group 2
NGFW{running-aaa-radius-group-2}default-usergroup administrator
NGFW{running-aaa-radius-group-2}delete
Delete file or configuration item.
Syntax
delete server (A.B.C.D|X:X::X:X|all)
Example
NGFW{running-aaa-radius-group-2}delete server 192.168.1.1
NGFW{running-aaa-radius-group-2}retries
Configure server retries.
Syntax
retries (0-5)
Example
NGFW{running-aaa-radius-group-2}retries 3
NGFW{running-aaa-radius-group-2}server
Configure server.
Syntax
server (A.B.C.D|X:X::X:X) [PORT] password PASSWORD priority (1-6) timeout (0-300) [nas-id NASID]
Example
NGFW{running-aaa-radius-group-2}server 192.168.1.1 1812 password mysecret priority 1 timeout 10 nas-id 1
NGFW{running-aaa-radius-group-2}server 192.168.1.7 1812 password mysecret priority 2 timeout 10 nas-id 1
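Added example (not part of the HP guide): a small Python check that reads command lines in the NGFW{context}command form used above and reports AAA and LDAP group settings worth reviewing, plus a helper that masks secrets typed as command arguments before a session capture is shared. The guide does not state defaults, so an option that was never entered is reported as "not entered" rather than assumed on or off; the choice of what counts as a finding, the function names, and the sample lines are this example's own.

```python
import re

PROMPT = re.compile(r"^NGFW\{(?P<ctx>[^}]+)\}(?P<cmd>.*)$")
LDAP_CTX = re.compile(r"^running-aaa-ldap-group-(?P<name>.+)$")
RADIUS_CTX = "running-aaa-radius-group-"

# Constructed sample lines (not from the guide). The group names "corp" and
# "branch" are made up; navigation between contexts is omitted.
SAMPLE = """\
NGFW{running-aaa}password quality none
NGFW{running-aaa}password expiry-time 90d
NGFW{running-aaa-ldap-group-corp}server 192.168.1.1 priority 1
NGFW{running-aaa-ldap-group-corp}bind-password mysecret
NGFW{running-aaa-ldap-group-corp}version 3
NGFW{running-aaa-ldap-group-corp}tls enable
NGFW{running-aaa-ldap-group-corp}tls start-tls enable
NGFW{running-aaa-ldap-group-corp}tls require-valid-server-cert disable
NGFW{running-aaa-ldap-group-branch}server 192.168.1.2 priority 1
NGFW{running-aaa-ldap-group-branch}bind-password othersecret
NGFW{running-aaa-ldap-group-branch}version 2
NGFW{running-aaa-radius-group-2}server 192.168.1.7 1812 password mysecret priority 2 timeout 10 nas-id 1
"""


def parse(text):
    """Collect the last value entered for each AAA and LDAP group setting.

    'delete' commands are not interpreted; pass the commands that build the
    configuration, in the order they were entered.
    """
    aaa, ldap = {}, {}
    for raw in text.splitlines():
        m = PROMPT.match(raw.strip())
        if not m:
            continue
        ctx, tok = m.group("ctx"), m.group("cmd").split()
        if not tok:
            continue  # bare prompt, no command
        group = LDAP_CTX.match(ctx)
        if ctx == "running-aaa" and tok[0] in ("login", "password") and len(tok) == 3:
            aaa[f"{tok[0]} {tok[1]}"] = tok[2]
        elif group and len(tok) >= 2:
            settings = ldap.setdefault(group.group("name"), {})
            if tok[0] == "tls":
                # "tls enable" versus "tls start-tls enable"
                key = "tls" if len(tok) == 2 else f"tls {tok[1]}"
                settings[key] = tok[-1]
            elif tok[0] == "version":
                settings["version"] = tok[1]
            elif tok[0] == "bind-password":
                settings["bind-password"] = "set"  # never keep the secret itself
    return aaa, ldap


def audit(text):
    """Return a list of (context, code, message) findings."""
    aaa, ldap = parse(text)
    findings = []
    if aaa.get("password quality") == "none":
        findings.append(("running-aaa", "PASSWORD_QUALITY_NONE",
                         "password quality is set to none"))
    for name, s in sorted(ldap.items()):
        ctx = f"running-aaa-ldap-group-{name}"
        if s.get("tls") != "enable":
            msg = "'tls enable' not entered for this group"
            if s.get("bind-password"):
                msg += ", although a bind password is configured"
            findings.append((ctx, "LDAP_TLS_NOT_ENABLED", msg))
        elif s.get("tls require-valid-server-cert") != "enable":
            findings.append((ctx, "LDAP_CERT_NOT_REQUIRED",
                             "tls is enabled but require-valid-server-cert is not"))
        if s.get("version") == "2":
            findings.append((ctx, "LDAP_V2",
                             "version 2 selected; StartTLS is defined for LDAPv3"))
    return findings


def redact(line):
    """Mask secrets given as command arguments; other lines pass through."""
    m = PROMPT.match(line.strip())
    if not m:
        return line
    ctx, cmd = m.group("ctx"), m.group("cmd")
    cmd = re.sub(r"\bbind-password\s+\S+", "bind-password ********", cmd)
    # "password" is a secret only inside a RADIUS server line; in running-aaa
    # it introduces policy settings such as "password quality maximum".
    if ctx.startswith(RADIUS_CTX):
        cmd = re.sub(r"\bpassword\s+\S+", "password ********", cmd)
    return f"NGFW{{{ctx}}}{cmd}"


if __name__ == "__main__":
    for ctx, code, message in audit(SAMPLE):
        print(f"[{code}] {ctx}: {message}")
    for line in SAMPLE.splitlines():
        print(redact(line))
```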
running-actionsets Context Commands
Immediate Commit Feature. Changes take effect immediately.
NGFW{running-actionsets}actionset
Enter an action set context with defined name.
Syntax
actionset ACTIONSETNAME
Example
NGFW{running}actionsets
NGFW{running-actionsets}actionset myactionset1
NGFW{running-actionsets}delete
Delete file or configuration item.
Syntax
delete actionset ACTIONSETNAME
Example
NGFW{running-actionsets}delete actionset myactionset1
NGFW{running-actionsets}rename
Rename an action set from its old name to a new name.
Syntax
rename actionset ACTIONSETNAME NEWACTIONSETNAME
Example
NGFW{running-actionsets}rename actionset myactionset1 myactionset2
running-actionsets-X Context Commands
NGFW{running-actionsets-myactionset1}action
Set action type. Available values: permit, rate-limit, block, trust.
Immediate Commit Feature. Changes take effect immediately.
Syntax
action (permit|rate-limit|block|trust)
Example
NGFW{running-actionsets}actionset myactionset1
NGFW{running-actionsets-myactionset1}action rate-limit
NGFW{running-actionsets-myactionset1}allow-access
Allow quarantined host to access defined IP.
Syntax
allow-access DESTIP
Example
NGFW{running-actionsets-myactionset1}allow-access 192.168.1.1
NGFW{running-actionsets-myactionset1}bytes-to-capture
Set bytes to capture for packet trace.
Syntax
bytes-to-capture BYTES
Example
NGFW{running-actionsets-myactionset1}bytes-to-capture 6144
NGFW{running-actionsets-myactionset1}contact
Add a notify contact.
Syntax
contact XCONTACTNAME
Example
NGFW{running-actionsets-myactionset1}contact mycontact1
NGFW{running-actionsets-myactionset1}contact "Management Console"
NGFW{running-actionsets-myactionset1}delete
Delete file or configuration item.
Syntax
delete allow-access DESTIP
delete contact XCONTACTNAME
delete limit-quarantine SOURCEIP
delete no-quarantine SOURCEIP
Example
NGFW{running-actionsets-myactionset1}delete allow-access 192.168.1.1
NGFW{running-actionsets-myactionset1}delete contact mycontact1
NGFW{running-actionsets-myactionset1}delete limit-quarantine 192.168.1.1
NGFW{running-actionsets-myactionset1}delete no-quarantine 192.168.1.1
NGFW{running-actionsets-myactionset1}http-block
Set quarantine option to block HTTP traffic.
Syntax
http-block
Example
NGFW{running-actionsets-myactionset1}http-block
NGFW{running-actionsets-myactionset1}http-custom
Set or clear HTTP custom text display option.
Syntax
http-custom TEXT
Example
NGFW{running-actionsets-myactionset1}http-custom "my custom message"
NGFW{running-actionsets-myactionset1}http-redirect
Set redirect URL for HTTP redirect option.
Syntax
http-redirect URL
Example
NGFW{running-actionsets-myactionset1}http-redirect https://www.example.com
NGFW{running-actionsets-myactionset1}http-showdesc
Set or clear HTTP show description display option.
Syntax
http-showdesc (enable|disable)
Example
NGFW{running-actionsets-myactionset1}http-showdesc enable
NGFW{running-actionsets-myactionset1}http-showname
Set or clear HTTP show name display option.
Syntax
http-showname (enable|disable)
Example
NGFW{running-actionsets-myactionset1}http-showname enable
NGFW{running-actionsets-myactionset1}limit-quarantine
Add IP for limit quarantine.
Syntax
limit-quarantine SOURCEIP
Example
NGFW{running-actionsets-myactionset1}limit-quarantine 192.168.1.1
NGFW{running-actionsets-myactionset1}limit-rate
Set the rate value for rate-limit action.
Syntax
limit-rate RATE
Example
NGFW{running-actionsets-myactionset1}limit-rate 1500
NGFW{running-actionsets-myactionset1}no-quarantine
Add IP for no quarantine.
Syntax
no-quarantine SOURCEIP
Example
NGFW{running-actionsets-myactionset1}no-quarantine 192.168.1.1
NGFW{running-actionsets-myactionset1}nonhttp-block
Set quarantine option to block non-HTTP traffic.
Syntax
nonhttp-block (enable|disable)
Example
NGFW{running-actionsets-myactionset1}nonhttp-block enable
NGFW{running-actionsets-myactionset1}packet-trace
Enable/disable packet trace option.
Syntax
packet-trace (enable|disable)
Example
NGFW{running-actionsets-myactionset1}packet-trace enable
NGFW{running-actionsets-myactionset1}priority
Set packet trace priority.
Syntax
priority PRIORITY
Example
NGFW{running-actionsets-myactionset1}priority medium
NGFW{running-actionsets-myactionset1}quarantine
Set quarantine option. Available options: no, immediate, threshold.
Syntax
quarantine QUARANTINETYPE
Example
NGFW{running-actionsets-myactionset1}quarantine immediate
NGFW{running-actionsets-myactionset1}tcp-reset
Set TCP reset option for block action. Available options: none (disable), source, dest, or both.
Syntax
tcp-reset (none|source|dest|both)
Example
NGFW{running-actionsets-myactionset1}tcp-reset both
NGFW{running-actionsets-myactionset1}threshold
Set quarantine threshold value.
Syntax
threshold (2-10000) (1-60)
Example
NGFW{running-actionsets-myactionset1}threshold 200 5
NGFW{running-actionsets-myactionset1}verbosity
Set packet trace verbosity.
Syntax
verbosity (partial|full)
Example
NGFW{running-actionsets-myactionset1}verbosity full
running-addressgroups Context Commands
NGFW{running-addressgroups}addressgroup
Create or enter an address group context.
Syntax
addressgroup GROUPNAME
Example
NGFW{running}addressgroups
NGFW{running-addressgroups}addressgroup mygroup1
NGFW{running-addressgroups-mygroup1}
NGFW{running-addressgroups}delete
Delete address group parameters.
Syntax
delete addressgroup (all|GROUPNAME)
Example
NGFW{running-addressgroups}delete addressgroup mygroup1
NGFW{running-addressgroups}delete addressgroup all
running-addressgroups-X Context Commands
NGFW{running-addressgroups-mygroup1}delete
Delete address group parameters.
Syntax
delete group (all|GROUPNAME)
delete ipaddress (all|A.B.C.D/M|X:X::X:X/M)
delete range (all|A.B.C.D|X:X::X:X)
Example
NGFW{running-addressgroups}addressgroup mygroup1
NGFW{running-addressgroups-mygroup1}delete range 192.168.1.100 192.168.1.200
NGFW{running-addressgroups-mygroup1}description
Apply address group description.
Syntax
description TEXT
Example
NGFW{running-addressgroups-mygroup1}description "my address group 1"
NGFW{running-addressgroups-mygroup1}group
Add a group to this group.
Syntax
group GROUPNAME
Example
NGFW{running-addressgroups-mygroup1}group mygroup2
NGFW{running-addressgroups-mygroup1}ipaddress
Apply IPv4 or IPv6 address.
Syntax
ipaddress (A.B.C.D|A.B.C.D/M|X:X::X:X|X:X::X:X/M)
Example
NGFW{running-addressgroups-mygroup1}ipaddress 192.168.1.1
NGFW{running-addressgroups-mygroup1}ipaddress 192.168.1.0/24
NGFW{running-addressgroups-mygroup1}range
Apply IPv4 or IPv6 address range.
Syntax
range (A.B.C.D A.B.C.D)|(X:X::X:X X:X::X:X)
Example
NGFW{running-addressgroups-mygroup1}range 192.168.1.100 192.168.1.200
running-agglinkX Context Commands
NGFW{running}interface agglink0
NGFW{running-agglink0}arp/ndp
Enable or disable ARP and NDP on interface.
Syntax
arp/ndp (enable|disable)
Example
NGFW{running-agglink0}arp/ndp enable
NGFW{running-agglink0}autoconfv6
Enable or disable IPv6 auto-configuration on interface.
Syntax
autoconfv6 (enable|disable)
Example
NGFW{running-agglink0}autoconfv6 enable
NGFW{running-agglink0}bind
Bind agglink network interface over specific ethernet or bridge port.
Syntax
bind PORT mode (passive|static|active) [priority PRIORITY]
Port priority: (0-65535) default 32768, lowest value has highest priority
Example
NGFW{running-agglink0}bind ethernet5 mode active priority 1
NGFW{running-agglink0}bind ethernet6 mode active priority 1
NGFW{running-agglink0}bind ethernet7 mode active priority 1
NGFW{running-agglink0}bind ethernet8 mode active priority 1
NGFW{running-agglink0}delete
Delete file or configuration item.
Syntax
delete bind (all|PORT)
delete ip igmp
delete ip igmp version
delete ip ospf area
delete ip ospf authentication mode md5 (1-255) KEY
delete ip ospf authentication mode text KEY
delete ip ospf cost (1-65535)
delete ip ospf dead-interval (1-65535)
delete ip ospf hello-interval (1-65535)
delete ip ospf priority (0-255)
delete ip ospf retransmit-interval (3-65535)
delete ip ospf transmit-delay (1-65535)
delete ip rip
delete ip rip authentication mode md5
delete ip rip authentication mode text
delete ip rip receive version (v1-only|v2-only|v1-or-v2)
delete ip rip send version (v1-only|v2-only|v1-or-v2)
delete ip rip split-horizon
delete ipaddress (all|A.B.C.D/M|X:X::X:X/M)
delete ipaddress dhcpv4
delete ipaddress dhcpv6
delete ipv6 mld
delete ipv6 mld version
delete ipv6 ospfv3 area
delete ipv6 ospfv3 cost
delete ipv6 ospfv3 dead-interval
delete ipv6 ospfv3 hello-interval
delete ipv6 ospfv3 priority
delete ipv6 ospfv3 retransmit-interval
delete ipv6 ospfv3 transmit-delay
delete ipv6 ripng
delete ipv6 ripng split-horizon
delete prefix (all|X:X::X:X/M)
delete shutdown
Example
NGFW{running-agglink0}delete bind ethernet7
NGFW{running-agglink0}delete ip igmp version
NGFW{running-agglink0}delete ip ospf area
NGFW{running-agglink0}delete ip ospf authentication mode md5 1 mysecret
NGFW{running-agglink0}delete ip ospf authentication mode text mysecret
NGFW{running-agglink0}delete ip ospf cost
NGFW{running-agglink0}delete ip ospf dead-interval 1
NGFW{running-agglink0}delete ip ospf hello-interval 1
NGFW{running-agglink0}delete ip ospf priority 1
NGFW{running-agglink0}delete ip ospf retransmit-interval
NGFW{running-agglink0}delete ip ospf transmit-delay 1
NGFW{running-agglink0}delete ip rip authentication mode md5
NGFW{running-agglink0}delete ip rip authentication mode text
NGFW{running-agglink0}delete ip rip receive version v2-only
NGFW{running-agglink0}delete ip rip send version v2-only
NGFW{running-agglink0}delete ip rip split-horizon
NGFW{running-agglink0}delete shutdown
NGFW{running-agglink0}delete ipaddress 192.168.1.1/24
NGFW{running-agglink0}delete ipaddress 100:0:0:0:0:0:0:1/64
NGFW{running-agglink0}description
Enter description for the interface.
Syntax
description TEXT
Example
NGFW{running-agglink0}description "Ethernet aggregated interface"
NGFW{running-agglink0}ip
Configure IP settings.
Syntax
ip igmp
ip igmp version (1|2|3)
ip ospf area A.B.C.D|(0-4294967295)
ip ospf authentication mode md5 (1-255) KEY
ip ospf authentication mode text KEY
ip ospf cost (1-65535)
ip ospf dead-interval (1-65535)
ip ospf hello-interval (1-65535) [A.B.C.D]
ip ospf priority (0-255)
ip ospf retransmit-interval (3-65535)
ip ospf transmit-delay (1-65535)
ip rip
ip rip authentication mode md5 (0-2147483647) KEY
ip rip authentication mode text
ip rip receive version VERSION
ip rip send version VERSION
ip rip split-horizon [poison-reverse]
Example
NGFW{running-agglink0}ip igmp version 3
NGFW{running-agglink0}ip ospf area 1
NGFW{running-agglink0}ip ospf authentication mode md5 1 mysecret
NGFW{running-agglink0}ip ospf authentication mode text mysecret
NGFW{running-agglink0}ip ospf cost 1
NGFW{running-agglink0}ip ospf dead-interval 1
NGFW{running-agglink0}ip ospf hello-interval 1
NGFW{running-agglink0}ip ospf priority 1
NGFW{running-agglink0}ip ospf retransmit-interval 3
NGFW{running-agglink0}ip ospf transmit-delay 1
NGFW{running-agglink0}ip rip authentication mode md5 1 mysecret
NGFW{running-agglink0}ip rip authentication mode text
Enter key: up to 16 characters:******
NGFW{running-agglink0}ip rip receive version v2-only
NGFW{running-agglink0}ip rip send version v2-only
NGFW{running-agglink0}ip rip split-horizon poison-reverse
NGFW{running-agglink0}ipaddress
Configure IP address.
Syntax
ipaddress (A.B.C.D/M|X:X::X:X/M) [primary]
ipaddress dhcpv4
Example
NGFW{running-agglink0}ipaddress 192.168.1.1/24
NGFW{running-agglink0}ipaddress 100:0:0:0:0:0:0:1/64 primary
NGFW{running-agglink0}ipv6
Configure IPv6 settings.
Syntax
ipv6 mld
ipv6 mld version (1|2)
ipv6 ospfv3 area (A.B.C.D|(0-4294967295))
ipv6 ospfv3 cost (1-65535)
ipv6 ospfv3 dead-interval (1-65535)
ipv6 ospfv3 hello-interval (1-65535)
ipv6 ospfv3 priority (0-255)
ipv6 ospfv3 retransmit-interval (3-65535)
ipv6 ospfv3 transmit-delay (1-65535)
ipv6 ripng
ipv6 ripng split-horizon [poison-reverse]
Example
NGFW{running-agglink0}ipv6 mld version 2
NGFW{running-agglink0}ipv6 ospfv3 area 1
NGFW{running-agglink0}ipv6 ospfv3 cost 1
NGFW{running-agglink0}ipv6 ospfv3 dead-interval 1
NGFW{running-agglink0}ipv6 ospfv3 hello-interval 1
NGFW{running-agglink0}ipv6 ospfv3 priority 1
NGFW{running-agglink0}ipv6 ospfv3 retransmit-interval 3
NGFW{running-agglink0}ipv6 ospfv3 transmit-delay 1
NGFW{running-agglink0}ipv6 ripng split-horizon poison-reverse
NGFW{running-agglink0}load-balance
Configure the distribution mechanism.
Syntax
load-balance (round-robin|xor-ip|xor-ip-port|xor-mac|backup)
Example
NGFW{running-agglink0}load-balance xor-ip
NGFW{running-agglink0}mac-address
Configure Ethernet MAC address.
Syntax
mac-address (automatic|X:X:X:X:X:X)
Example
NGFW{running-agglink0}mac-address a1:b2:c3:d4:e5:f6
NGFW{running-agglink0}mac-address automatic
NGFW{running-agglink0}mtu
Configure interface MTU in bytes.
Syntax
mtu (default|VALUE)
VALUE (68-9216)
Example
NGFW{running-agglink0}mtu 1500
NGFW{running-agglink0}prefix
Configure IPv6 prefix.
Syntax
prefix X:X::X:X/M [valid-lifetime SECONDS] [preferred-lifetime SECONDS]
prefix X:X::X:X/M [valid-lifetime (1-4294967295)] [preferred-lifetime (1-4294967295)]
Example
NGFW{running-agglink0}prefix 100:0:0:0:0:0:0:0/64 valid-lifetime 2592000 preferred-lifetime 604800
NGFW{running-agglink0}ra-autoconf-level
Modify IPv6 Router Advertisement autoconfiguration level.
Syntax
ra-autoconf-level (none|address|other|full)
Example
NGFW{running-agglink0}ra-autoconf-level full
NGFW{running-agglink0}ra-interval
Modify IPv6 Router Advertisement interval value in milliseconds.
Syntax
ra-interval (90-1800000)
Example
NGFW{running-agglink0}ra-interval 600
NGFW{running-agglink0}ra-interval-transmit
Modify IPv6 Router Advertisement interval transmit.
Syntax
ra-interval-transmit (enable|disable)
Example
NGFW{running-agglink0}ra-interval-transmit enable
NGFW{running-agglink0}ra-lifetime
Modify IPv6 Router Advertisement prefix lifetime in seconds.
Syntax
ra-lifetime (0-9000000)
Example
NGFW{running-agglink0}ra-lifetime 1800
NGFW{running-agglink0}ra-mtu
Modify IPv6 Router Advertisement MTU value in bytes.
Syntax
ra-mtu (none|MTU)
MTU (68-9216)
Example
NGFW{running-agglink0}ra-mtu 1500
NGFW{running-agglink0}ra-transmit-mode
Modify IPv6 Router Advertisement transmit mode.
Syntax
ra-transmit-mode (always|never|smart)
Example
NGFW{running-agglink0}ra-transmit-mode smart
NGFW{running-agglink0}shutdown
Shut down the logical interface.
Syntax
shutdown
Example
NGFW{running-agglink0}shutdown
NGFW{running-agglink0}tcp4mss
Configure interface TCP MSS for IPv4.
Syntax
tcp4mss (disable|automatic|VALUE)
VALUE 4-65535
Example
NGFW{running-agglink0}tcp4mss automatic
NGFW{running-agglink0}tcp6mss
Configure interface TCP MSS for IPv6.
Syntax
tcp6mss (disable|automatic|VALUE)
VALUE 4-65535
Example
NGFW{running-agglink0}tcp6mss automatic
running-app-filter-mgmt Context Commands
Immediate Commit Feature. Changes take effect immediately.
Change management settings for an application filter.
NGFW{running}application-filter-mgmt
NGFW{running-application-filter-mgmt}filter
Syntax
filter FILTERNUMBER (enable|disable)
filter FILTERNUMBER afcstate (enable|disable)
filter FILTERNUMBER (enable|disable) afcstate (enable|disable)
Valid entries:
display Display file or configuration item
filter Change management settings for an application filter
help Display help information
Example
NGFW{running-app-filter-mgmt}filter 642 afcstate enable
NGFW{running-app-filter-mgmt}filter 642 enable afcstate enable
WARNING: Are you sure you want to enable filter 642 system-wide (y/n)? [n]: y
NGFW{running-app-filter-mgmt}filter 642 disable
WARNING: Are you sure you want to disable filter 642 system-wide (y/n)? [n]: y
running-app-groups Context Commands
Immediate Commit Feature. Changes take effect immediately.
NGFW{running}application-groups
NGFW{running-app-groups}application-group
Create or enter application-group context.
Syntax
application-group NEWAPPNAME CRITERIASTRING
application-group APPNAME
Example
NGFW{running-app-groups}application-group FaceBook
NGFW{running-app-groups}delete
Delete application-group.
Syntax
delete application-group APPNAME
Example
NGFW{running-app-groups}delete application-group FaceBook
NGFW{running-app-groups}rename
Rename application-group.
Syntax
rename application-group APPNAME NEWAPPNAME
Example
NGFW{running-app-groups}rename application-group FaceBook facebook1
running-app-groups-X Context Commands
Immediate Commit Feature. Changes take effect immediately.
NGFW{running-app-groups}application-group FaceBook
NGFW{running-app-groups-FaceBook}criteria
Update application-group criteria.
Syntax
criteria CRITERIASTRING
Example
NGFW{running-app-groups-FaceBook}criteria "string"
NGFW{running-app-groups-FaceBook}description
Update application-group description.
Syntax
description DESCSTRING
Example
NGFW{running-app-groups-FaceBook}description "facebook application group"
running-autodv Context Commands
Immediate Commit Feature. Changes take effect immediately.
NGFW{running}autodv
NGFW{running-autodv}calendar
Enter Calendar Style.
Syntax
calendar
Example
NGFW{running-autodv}calendar
NGFW{running-autodv}delete
Delete file or configuration item.
Syntax
delete proxy
delete proxy-password
delete proxy-username
Example
NGFW{running-autodv}delete proxy-password
NGFW{running-autodv}delete proxy-username
NGFW{running-autodv}delete proxy
NGFW{running-autodv}disable
Disable service.
Syntax
disable
Example
NGFW{running-autodv}disable
NGFW{running-autodv}enable
Enable service.
Syntax
enable
Example
NGFW{running-autodv}enable
NGFW{running-autodv}list
List Installed DVs.
Syntax
list
Example
NGFW{running-autodv}list
version 3.2.0.8458
NGFW{running-autodv}periodic
Enter Periodic Style.
Syntax
periodic
Example
NGFW{running-autodv}periodic
NGFW{running-autodv}proxy
Configure proxy.
Syntax
proxy ADDR port PORT
proxy-password PASSWD
proxy-username USER
Example
NGFW{running-autodv}proxy 192.168.1.1 port 443
NGFW{running-autodv}proxy-password mypassword
NGFW{running-autodv}proxy-username myusername
NGFW{running-autodv}update
Update AutoDV.
Syntax
update
Example
NGFW{running-autodv}update
running-autodv-calendar Context Commands
Immediate Commit Feature. Changes take effect immediately.
NGFW{running-autodv}calendar
NGFW{running-autodv-calendar}day
Day of the week to update.
Syntax
day DAYNAME
Example
NGFW{running-autodv-calendar}day ?
Valid entries at this position are:
Sunday Sunday
Monday Monday
Tuesday Tuesday
Wednesday Wednesday
Thursday Thursday
Friday Friday
Saturday Saturday
NGFW{running-autodv-calendar}time
time HOURS:MINUTES
Syntax
time HOURS:MINUTES
Example
NGFW{running-autodv-calendar}time ?
Valid entry at this position is:
HOURS Value range is 0 - 23
NGFW{running-autodv-calendar}time 17:00
running-autodv-periodic Context Commands
Immediate Commit Feature. Changes take effect immediately.
NGFW{running-autodv}periodic
NGFW{running-autodv-periodic}day
Day of the week to update.
Syntax
day (Sunday|Monday|Tuesday|Wednesday|Thursday|Friday|Saturday)
Example
NGFW{running-autodv-periodic}day Sunday
NGFW{running-autodv-periodic}period
Set number of days between update checks.
Syntax
period PERIOD
PERIOD Value range is 0 - 99, unit is days
Example
NGFW{running-autodv-periodic}period 1
NGFW{running-autodv-periodic}time
Time of day to check for updates.
time HOURS:MINUTES
Syntax
time HOURS:MINUTES
HOURS Value range is 0 - 23
MINUTES Value range is 0 - 59
Example
NGFW{running-autodv-periodic}time 21:00
running-bgp-X Context Commands
NGFW{running}router bgp 1
NGFW{running-bgp-1}aggregate-address
Configure BGP aggregate entries.
Syntax
aggregate-address A.B.C.D/M [as-set] [summary-only]
Example
NGFW{running-bgp-1}help aggregate-address
Configure BGP aggregate entries
Syntax: aggregate-address A.B.C.D/M [as-set] [summary-only]
aggregate-address Configure BGP aggregate entries
A.B.C.D/M Aggregate prefix
as-set Generate AS set path information
summary-only Filter more specific routes from updates
NGFW{running-bgp-1}always-compare-med
Always compare MEDs from neighbors in different AS.
Syntax
always-compare-med
NGFW{running-bgp-1}delete
Delete file or configuration item.
Syntax
delete aggregate-address A.B.C.D/M
delete always-compare-med
delete deterministic-med
delete distance
delete local-preference
delete neighbor A.B.C.D peer-group NAME
delete neighbor (A.B.C.D|NAME)
delete neighbor (A.B.C.D|NAME) description
delete neighbor (A.B.C.D|NAME) ebgp-multihop
delete neighbor (A.B.C.D|NAME) password
delete neighbor (A.B.C.D|NAME) soft-reconfiguration inbound
delete neighbor (A.B.C.D|NAME) route-reflector-client
delete neighbor (A.B.C.D|NAME) distribute-list ACCESS-LIST-NAME (in|out)
delete neighbor (A.B.C.D|NAME) prefix-list PREFIX-LIST-NAME (in|out)
delete neighbor (A.B.C.D|NAME) filter-list FILTER-LIST-NAME (in|out)
delete neighbor (A.B.C.D|NAME) route-map ROUTE-MAP-NAME (in|out)
delete neighbor (A.B.C.D|NAME) send-community
delete neighbor (A.B.C.D|NAME) shutdown
delete neighbor (A.B.C.D|NAME) passive
delete neighbor (A.B.C.D|NAME) next-hop-self
delete neighbor (A.B.C.D|NAME) maximum-prefix
delete neighbor (A.B.C.D|NAME) weight
delete neighbor (A.B.C.D|NAME) update-source A.B.C.D
delete neighbor (A.B.C.D|NAME) remove-private-as
delete neighbor NAME peer-group
delete network A.B.C.D/M
delete redistribute (connected|ospf|rip|static)
delete router-id
delete timers
Example
NGFW{running-bgp-1}delete ?
Valid entries at this position are:
aggregate-address Delete BGP aggregate entries
always-compare-med Delete always compare MEDs from neighbors in different AS
deterministic-med Delete pick the best-MED route from the neighboring AS
distance Delete administrative distances
graceful-restart Delete BGP graceful restart
local-preference Delete the default local preference configured
neighbor Delete BGP neighbor
network Delete a network to announce via BGP
redistribute Delete route redistribution from another routing protocol
router-id Delete the BGP router identifier
timers Delete BGP timers
NGFW{running-bgp-1}deterministic-med
Pick the best-MED route from the neighboring AS.
Syntax
deterministic-med
NGFW{running-bgp-1}disable
Disable BGP.
Syntax
disable
Example
NGFW{running-bgp-1}help disable
Disable Border Gateway Protocol (BGP)
Syntax: disable
disable Disable BGP
NGFW{running-bgp-1}distance
Define administrative distances.
Syntax
distance EXTERNAL INTERNAL LOCAL
distance (1-255) (1-255) (1-255)
Example
NGFW{running-bgp-1}help distance
Configure BGP administrative distances
Syntax: distance EXTERNAL INTERNAL LOCAL
distance Define administrative distances
EXTERNAL Distance for routes external to the AS (1-255)
INTERNAL Distance for routes internal to the AS (1-255)
LOCAL Distance for local routes (1-255)
NGFW{running-bgp-1}enable
Enable BGP.
Syntax
enable
Example
NGFW{running-bgp-1}help enable
Enable Border Gateway Protocol (BGP)
Syntax: enable
enable Enable BGP
NGFW{running-bgp-1}graceful-restart
Set the BGP graceful restart.
Syntax
graceful-restart
Example
NGFW{running-bgp-1}help graceful-restart
Configure the BGP graceful restart
Syntax: graceful-restart
graceful-restart restart-time RESTART-TIME
graceful-restart stalepath-time STALEPATH-TIME
graceful-restart Set the BGP graceful restart
restart-time Set the restart-time for BGP graceful restart
RESTART-TIME BGP graceful restart time in the unit of seconds (1-3600)
stalepath-time Set the stalepath time for BGP graceful restart
STALEPATH-TIME BGP stalepath time in the unit of seconds (1-3600)
NGFW{running-bgp-1}local-preference
Set local preference (higher numbers take preference).
Syntax
local-preference LOCAL-PREFERENCE
LOCAL-PREFERENCE Default local preference (0-4294967295)
Example
NGFW{running-bgp-1}local-preference 10
NGFW{running-bgp-1}neighbor
Configure BGP neighbor or peer-group.
Syntax
neighbor A.B.C.D peer-group NAME
neighbor (A.B.C.D|NAME) distribute-list ACCESS-LIST-NAME (in|out)
neighbor (A.B.C.D|NAME) prefix-list PREFIX-LIST-NAME (in|out)
neighbor (A.B.C.D|NAME) filter-list FILTER-LIST-NAME (in|out)
neighbor (A.B.C.D|NAME) route-map NAME (in|out)
neighbor (A.B.C.D|NAME) send-community
neighbor (A.B.C.D|NAME) ebgp-multihop (1-255)
neighbor (A.B.C.D|NAME) description DESCRIPTION
neighbor (A.B.C.D|NAME) remote-as ASNUMBER
neighbor (A.B.C.D|NAME) password
neighbor (A.B.C.D|NAME) soft-reconfiguration inbound
neighbor (A.B.C.D|NAME) route-reflector-client
neighbor (A.B.C.D|NAME) shutdown
neighbor (A.B.C.D|NAME) passive
neighbor (A.B.C.D|NAME) next-hop-self
neighbor (A.B.C.D|NAME) maximum-prefix (1-4294967295)
neighbor (A.B.C.D|NAME) weight (0-65535)
neighbor (A.B.C.D|NAME) update-source A.B.C.D
neighbor (A.B.C.D|NAME) remove-private-as
neighbor NAME peer-group
NGFW{running-bgp-1}network
Specify a network to announce through BGP.
Syntax
network A.B.C.D/M
Example
NGFW{running-bgp-1}network 192.168.0.3/24
NGFW{running-bgp-1}redistribute
Redistribute routes from another routing protocol.
Syntax
redistribute (connected|ospf|rip|static) [metric VALUE] [route-map NAME]
Valid entries:
connected Connected
ospf Open Shortest Path First (OSPF)
rip Routing Information Protocol (RIP)
static Static routes
metric Metric for redistributed routes
VALUE Default metric (1-4294967295)
route-map Route map reference
NAME Pointer to route-map entries
Example
NGFW{running-bgp-1}redistribute connected
NGFW{running-bgp-1}router-id
Set the BGP router identifier.
Syntax
router-id A.B.C.D
Example
NGFW{running-bgp-1}help router-id
Syntax: router-id A.B.C.D
router-id Set the BGP router identifier
A.B.C.D BGP router-id in IP address format
NGFW{running-bgp-1}timers
Adjust BGP timers. The keepalive interval should be no more than one-third of holdtime.
Syntax
timers KEEPALIVE HOLDTIME
KEEPALIVE Keepalive interval (0-65535)
HOLDTIME Holdtime (0-65535)
Example
NGFW{running-bgp-1}timers 60 180
running-blockedStreams Context Commands
NGFW{running}blockedStreams
NGFW{running-blockedStreams}flushallstreams
Flush All Reports.
Syntax
flushallstreams
Example
NGFW{running-blockedStreams}flushallstreams
NGFW{running-blockedStreams}flushstreams
Flush reports.
Syntax
flushstreams
Example
NGFW{running-blockedStreams}flushstreams
NGFW{running-blockedStreams}list
List reports.
Syntax
list
running-bridgeX Context Commands
NGFW{running}interface bridge0
NGFW{running-bridge0}arp/ndp
Enable or disable ARP and NDP on interface.
Syntax
arp/ndp (enable|disable)
Example
NGFW{running-bridge0}arp/ndp enable
NGFW{running-bridge0}autoconfv6
Enable or disable IPv6 autoconfiguration on interface.
Syntax
autoconfv6 (enable|disable)
Example
NGFW{running-bridge0}autoconfv6 enable
NGFW{running-bridge0}bind
Bind bridged network interface over ethernet/VLAN/agglink.
Syntax
bind PORT
Example
NGFW{running-bridge0}bind ethernet5
NGFW{running-bridge0}bind ethernet6
NGFW{running-bridge0}bind ethernet7
NGFW{running-bridge0}bind ethernet8
NGFW{running-bridge0}delete
Delete file or configuration item.
Syntax
delete bind (all|PORT)
delete ip igmp
delete ip igmp version
delete ipaddress (all|A.B.C.D/M|X:X::X:X/M)
delete ipaddress dhcpv4
delete ipaddress dhcpv6
delete ipv6 mld
delete ipv6 mld version
delete prefix (all|X:X::X:X/M)
delete shutdown
Example
NGFW{running-bridge0}delete bind ethernet8
NGFW{running-bridge0}delete bind all
NGFW{running-bridge0}delete ip igmp
NGFW{running-bridge0}delete ipaddress 192.168.1.1/24
NGFW{running-bridge0}delete ipaddress 100:0:0:0:0:0:0:1/64
NGFW{running-bridge0}delete ipv6 mld
NGFW{running-bridge0}delete prefix all
NGFW{running-bridge0}delete shutdown
NGFW{running-bridge0}description
Enter description for the interface.
Syntax
description TEXT
Example
NGFW{running-bridge0}description "Ethernet bridged interface"
NGFW{running-bridge0}ip
Configure IP settings.
Syntax
ip igmp
ip igmp version (1|2|3)
ip ospf area A.B.C.D|(0-4294967295)
ip ospf authentication mode md5 KEY_ID KEY
ip ospf authentication mode text KEY
ip ospf cost COST
ip ospf dead-interval VALUE
ip ospf hello-interval VALUE [A.B.C.D]
ip ospf priority VALUE
ip ospf retransmit-interval VALUE
ip ospf transmit-delay VALUE
ip rip
ip rip authentication mode md5 (0-2147483647) KEY
ip rip authentication mode text
ip rip receive version VERSION
ip rip send version VERSION
ip rip split-horizon [poison-reverse]
ipaddress (A.B.C.D/M|X:X::X:X/M) [primary]
ipv6 mld
Example
NGFW{running-bridge0}ip igmp version 3
NGFW{running-bridge0}ip igmp
NGFW{running-bridge0}ipaddress
Configure IP address.
Syntax
ipaddress (A.B.C.D/M|X:X::X:X/M) [primary]
ipaddress dhcpv4
Example
NGFW{running-bridge0}ipaddress 192.168.1.1/24
NGFW{running-bridge0}ipaddress 100:0:0:0:0:0:0:1/64
NGFW{running-bridge0}ipv6
Configure IPv6 settings.
Syntax
ipv6 mld
ipv6 mld version (1|2)
ipv6 ospfv3 area A.B.C.D|(0-4294967295)
ipv6 ospfv3 cost COST
ipv6 ospfv3 dead-interval VALUE
ipv6 ospfv3 hello-interval VALUE
ipv6 ospfv3 priority VALUE
ipv6 ospfv3 retransmit-interval VALUE
ipv6 ospfv3 transmit-delay VALUE
ipv6 ripng
ipv6 ripng split-horizon [poison-reverse]
Example
NGFW{running-bridge0}ipv6 mld version 2
NGFW{running-bridge0}ipv6 ripng split-horizon poison-reverse
NGFW{running-bridge0}mtu
Configure interface MTU.
Syntax
mtu (default|VALUE)
VALUE (68-9216)
Example
NGFW{running-bridge0}mtu 1280
NGFW{running-bridge0}prefix
Configure IPv6 prefix.
Syntax
prefix X:X::X:X/M [valid-lifetime SECONDS] [preferred-lifetime SECONDS]
SECONDS (1-4294967295)
Example
NGFW{running-bridge0}prefix 100:0:0:0:0:0:0:0/64 valid-lifetime 2592000 preferred-lifetime 604800
NGFW{running-bridge0}ra-autoconf-level
Modify IPv6 Router Advertisement autoconfiguration level.
Syntax
ra-autoconf-level AUTOCONF
AUTOCONF Router Advert Autoconfiguration level (DHCP)
Possible values for AUTOCONF are:
none No parameter is autoconfigured
address Address is autoconfigured
other Some other parameters are autoconfigured
full Most parameters are autoconfigured
Example
NGFW{running-bridge0}help ra-autoconf-level full
NGFW{running-bridge0}ra-interval
Modify IPv6 Router Advertisement interval value in milliseconds.
Syntax
ra-interval (90-1800000)
Example
NGFW{running-bridge0}ra-interval 600
NGFW{running-bridge0}ra-interval-transmit
Modify IPv6 Router Advertisement interval transmit.
Syntax
ra-interval-transmit (enable|disable)
Example
NGFW{running-bridge0}ra-interval-transmit enable
NGFW{running-bridge0}ra-lifetime
Modify IPv6 Router Advertisement prefix lifetime in seconds.
Syntax
ra-lifetime (0-9000000)
Example
NGFW{running-bridge0}ra-lifetime 1800
NGFW{running-bridge0}ra-mtu
Modify IPv6 Router Advertisement MTU value.
Syntax
ra-mtu (none|MTU)
MTU value advertised (68-9216) (0 if none)
Example
NGFW{running-bridge0}ra-mtu none
NGFW{running-bridge0}ra-mtu 1500
NGFW{running-bridge0}ra-transmit-mode
Modify IPv6 Router Advertisement transmit mode.
Syntax
ra-transmit-mode MODE
MODE Router Advertisement Transmit mode
Possible values for MODE are:
always Router Advert message is always sent
never Router Advert message is never sent
smart Router Advert message is sent if a prefix is defined
Example
NGFW{running-bridge0}ra-transmit-mode smart
NGFW{running-bridge0}shutdown
Shutdown logical interface state.
Syntax
shutdown
Example
NGFW{running-bridge0}shutdown
NGFW{running-bridge0}tcp4mss
Configure interface TCP MSS for IPv4.
Syntax
tcp4mss (disable|automatic|4-65535)
disable Disable service
automatic Automatically select TCP MSS based on interface MTU
(4-65535) TCP MSS value for IPv4
Example
NGFW{running-bridge0}tcp4mss automatic
NGFW{running-bridge0}tcp6mss
Configure interface TCP MSS for IPv6.
Syntax
tcp6mss (disable|automatic|4-65535)
disable Disable service
automatic Automatically select TCP MSS based on interface MTU
(4-65535) TCP MSS value for IPv6
Example
NGFW{running-bridge0}tcp6mss automatic
running-captive-portal Context Commands
NGFW{running}captive-portal
NGFW{running-captive-portal}delete
Delete captive portal rule(s).
Syntax
delete rule (all|RULEID)
Example
NGFW{running-captive-portal}delete rule 20010
NGFW{running-captive-portal}delete rule all
NGFW{running-captive-portal}rename
Rename a captive-portal rule.
Syntax
rename rule RULEID NEWRULEID
Example
NGFW{running-captive-portal}rename rule watershed 20010
NGFW{running-captive-portal}reset
Set a Captive Portal parameter to its DEFAULT value.
Syntax
reset (max-session-time|inactive-timeout|port|certificate)
reset login-page (foreground-color|background-color)
reset login-page (header-HTML|footer-HTML|failed-HTML)
reset status-page (foreground-color|background-color)
reset status-page main-HTML
Example
NGFW{running-captive-portal}reset certificate
NGFW{running-captive-portal}reset login-page foreground-color
NGFW{running-captive-portal}reset status-page main-HTML
NGFW{running-captive-portal}rule
Create or enter a rule context.
Syntax
rule (auto|RULEID) [POSITION_VALUE]
Example
NGFW{running-captive-portal}rule auto
NGFW{running-captive-portal}rule 20010 1
NGFW{running-captive-portal}rule watershed
NGFW{running-captive-portal}set
Set a Captive Portal parameter.
Syntax
set max-session-time MINUTES
set inactive-timeout MINUTES
set port PORT
set certificate CERTNAME
set (login-page|status-page) (foreground-color|background-color) (HEX|COLOR)
set login-page (header-HTML|footer-HTML|failed-HTML)
set status-page (foreground-color|background-color) (HEX|COLOR)
set status-page main-HTML
Example
NGFW{running-captive-portal}set inactive-timeout 60
NGFW{running-captive-portal}set port 8443
NGFW{running-captive-portal}set status-page background-color #CD88B1
NGFW{running-captive-portal}set status-page foreground-color #FFEFD5
NGFW{running-captive-portal}set status-page foreground-color DodgerBlue
running-captive-portal-rule-X Context Commands
NGFW{running-captive-portal}rule 20000
NGFW{running-captive-portal-rule-20000}delete
Delete file or configuration item.
Syntax
delete src-address include group (all|ADDRESSGROUP)
delete src-address include ipaddress (all|A.B.C.D/M|X:X::X:X/M)
delete src-address include range (all|A.B.C.D|X:X::X:X)
delete src-address exclude group (all|ADDRESSGROUP)
delete src-address exclude ipaddress (all|A.B.C.D/M|X:X::X:X/M)
delete src-address exclude range (all|A.B.C.D|X:X::X:X)
delete dst-address include group (all|ADDRESSGROUP)
delete dst-address include ipaddress (all|A.B.C.D/M|X:X::X:X/M)
delete dst-address include range (all|A.B.C.D|X:X::X:X)
delete dst-address exclude group (all|ADDRESSGROUP)
delete dst-address exclude ipaddress (all|A.B.C.D/M|X:X::X:X/M)
delete dst-address exclude range (all|A.B.C.D|X:X::X:X)
delete src-zone (include all|ZONENAME)
delete src-zone (exclude all|ZONENAME)
Example
NGFW{running-captive-portal-rule-20000}delete dst-address include group mygroup1
NGFW{running-captive-portal-rule-20000}delete src-address exclude ipaddress all
NGFW{running-captive-portal-rule-20000}delete dst-address include ipaddress 192.168.1.1/32
NGFW{running-captive-portal-rule-20000}description
Apply rule description.
Syntax
description TEXT
Example
NGFW{running-captive-portal-rule-20000}description "captive portal rule"
NGFW{running-captive-portal-rule-20000}dst-address
Apply destination address.
Syntax
dst-address (include|exclude) group ADDRESSGROUP
dst-address (include|exclude) ipaddress (A.B.C.D|X:X::X:X)
dst-address (include|exclude) ipaddress (A.B.C.D/M|X:X::X:X/M)
dst-address (include|exclude) range ((A.B.C.D A.B.C.D)|(X:X::X:X X:X::X:X))
Example
NGFW{running-captive-portal-rule-20000}dst-address include group mygroup1
NGFW{running-captive-portal-rule-20000}dst-address include ipaddress 192.168.1.0/24
NGFW{running-captive-portal-rule-20000}dst-address exclude ipaddress 192.168.1.1
NGFW{running-captive-portal-rule-20000}dst-address include range 192.168.1.100 192.168.1.200
NGFW{running-captive-portal-rule-20000}move
Move rule position.
Syntax
move (after RULEID)|(before RULEID)|(to position VALUE)
Example
NGFW{running-captive-portal-rule-20000}move to position 1
NGFW{running-captive-portal-rule-20000}move before 20050
NGFW{running-captive-portal-rule-20000}move after 20040
NGFW{running-captive-portal-rule-20000}src-address
Apply source address.
Syntax
src-address (include|exclude) group ADDRESSGROUP
src-address (include|exclude) ipaddress (A.B.C.D|X:X::X:X)
src-address (include|exclude) ipaddress (A.B.C.D/M|X:X::X:X/M)
src-address (include|exclude) range ((A.B.C.D A.B.C.D)|(X:X::X:X X:X::X:X))
Example
NGFW{running-captive-portal-rule-20000}src-address include group mygroup1
NGFW{running-captive-portal-rule-20000}src-address include ipaddress 192.168.1.0/24
NGFW{running-captive-portal-rule-20000}src-address exclude ipaddress 192.168.1.1
NGFW{running-captive-portal-rule-20000}src-address include range 192.168.1.100 192.168.1.200
NGFW{running-captive-portal-rule-20000}src-zone
Apply source security zone.
Syntax
src-zone (include|exclude) ZONENAME
Example
NGFW{running-captive-portal-rule-20000}src-zone include myzone1
NGFW{running-captive-portal-rule-20000}src-zone exclude myzone1
running-certificates Context Commands
NGFW{running}certificates
NGFW{running-certificates}ca-certificate
Add CA certificate.
Syntax
ca-certificate CANAME
Example
NGFW{running-certificates}ca-certificate myCAname
Please enter the PEM encoded CA certificate contents (including BEGIN CERTIFICATE and
END CERTIFICATE lines):
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
NGFW{running-certificates}cert-request
Creates a certificate request for this device.
Syntax
cert-request CERTREQUEST [key-size SIZE]
CERTREQUEST Certificate Request identifier
key-size Specify private key size
SIZE Specify private key size bits
Possible values for SIZE are:
1024 1024-bit key size
1536 1536-bit key size
2048 2048-bit key size (default)
4096 4096-bit key size
Example
NGFW{running-certificates}cert-request myrequest
(Enter 'exit' to abort the command)
Enter Common Name (string, required): www.example.com
Enter Country (two letter code or 'none')[none]: US
Enter State (string or 'none')[none]:
Enter Locality (string or 'none')[none]:
Enter Organization (string or 'none')[none]:
Enter Unit (string or 'none')[none]:
Enter E-mail (string or 'none')[none]:
Enter FQDN (a string or 'none')[none]: www.example.com
Enter User FQDN (string or 'none')[none]:
-----BEGIN CERTIFICATE REQUEST-----
...
-----END CERTIFICATE REQUEST-----
NGFW{running-certificates}certificate
Add device certificate.
Syntax
certificate CERTNAME
Example
NGFW{running-certificates}certificate mycertname
Please enter the PEM encoded certificate contents (including BEGIN CERTIFICATE and
END CERTIFICATE lines):
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
NGFW{running-certificates}crl
Certificate revocation list.
Syntax
crl
Example
NGFW{running-certificates}crl
NGFW{running-certificates}delete
Delete file or configuration item.
Syntax
delete ca-certificate (all|CANAME)
delete cert-request (all|CERTREQUEST)
delete certificate (all|CERTNAME)
Example
NGFW{running-certificates}delete ca-certificate myCAname
NGFW{running-certificates}delete cert-request myrequest
NGFW{running-certificates}delete certificate mycertname
NGFW{running-certificates}display
Display file or configuration item.
Syntax
display ca-certificate CANAME [pem|text]
display cert-request CERTNAME
display certificate CERTNAME [pem|text]
display private-key CERTNAME
Example
NGFW{running-certificates}display
# CERTIFICATE AUTHORITIES
ca-certificate myCAname
-----BEGIN CERTIFICATE-----
SoIDQTCCAqoCCQDiEcSvKsrhKTANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJB
...
PISrOJgU6A2+VTbkZTJB32/Zng/hTDUQUkyyjllskdmafS1b9SSs0Z7SPuLu6VDB
zR6PBzoFwaWk3nX2lYsk/gFpf07z
-----END CERTIFICATE-----
# CERTIFICATES
certificate mycertname
-----BEGIN CERTIFICATE-----
SoIDQTCCAqoCCQDiEcSvKsrhKTANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJB
...
PISrOJgU6A2+VTbkZTJB32/Zng/hTDUQUkyyjllskdmafS1b9SSs0Z7SPuLu6VDB
zR6PBzoFwaWk3nX2lYsk/gFpf07z
-----END CERTIFICATE-----
# CERTIFICATE REQUESTS
cert-request myrequest key-size 2048
-----BEGIN CERTIFICATE REQUEST-----
MIICpjCCAY4CAQAwJzELMAkGA1UEBhMCVVMxGDAWBgNVBAMTD3d3dy5leGFtcGxl
...
c8vOS1+G6R6o5s6tHDGPNYyVfCD1W+vxdCXVGR5zLsoB5eTL7bDR1NFKu/77FvKu
dLTq8hPpOt7gvQ==
-----END CERTIFICATE REQUEST-----
# Subject Identity #
CN= www.example.com
C = US
ST= none
L = none
O = none
OU= none
Email= none
FQDN = www.example.com
User = none
# CRL
NGFW{running-certificates}private-key
Add device certificate private-key.
Syntax
private-key CERTNAME
Example
NGFW{running-certificates}private-key mycertname
Please enter the PEM encoded private key contents (including BEGIN PRIVATE KEY and
END PRIVATE KEY lines):
-----BEGIN DSA PRIVATE KEY-----
...
-----END DSA PRIVATE KEY-----
running-certificates-crl Context Commands
NGFW{running-certificates}crl
NGFW{running-certificates-crl}add
Add a CRL URI or file for a specified CA.
Syntax
add CANAME (local-import|(uri CRLURI))
Example
NGFW{running-certificates-crl}help add
Valid commands are:
# Enter context
addressgroups
# Other commands
add CANAME local-import|(uri CRLURI)
NGFW{running-certificates-crl}cache
Enable or disable CRL cache fetched via HTTP.
Syntax
cache (enable|disable)
Example
NGFW{running-certificates-crl}cache enable
NGFW{running-certificates-crl}delete
Delete a CRL URI or file for a specified Certificate Authority.
Syntax
delete crl (all|CANAME)
Valid entries:
all Delete all CRL URIs and local files
CANAME Delete CRL URI and local files for this Certificate Authority.
Example
NGFW{running-certificates-crl}delete crl all
NGFW{running-certificates-crl}mode
Set certificate revocation mode.
Syntax
mode (required|optional)
Valid entries:
required Fail authentication by certificate if CRL cannot be verified
optional Allow authentication by certificate if CRL cannot be verified
Example
NGFW{running-certificates-crl}mode required
running-cluster Context Commands
NGFW{running}cluster
NGFW{running-cluster}check
Perform consistency check.
Syntax
check CHECK_TYPE (enable|disable)
Example
NGFW{running-cluster}check config enable
NGFW{running-cluster}cluster-name
Apply cluster name.
Syntax
cluster-name NAME
Example
NGFW{running-cluster}cluster-name ?
Valid entry at this position is:
NAME Cluster name (1-30 characters)
NGFW{running-cluster}delete
Delete file or configuration item.
Syntax
delete standby
Example
NGFW{running-cluster}delete ?
Valid entry at this position is:
standby Remove the device from standby
NGFW{running-cluster}disable
Disable clustering.
Syntax
disable
Example
NGFW{running-cluster}disable
NGFW{running-cluster}enable
Enable clustering.
Syntax
enable
Example
NGFW{running-cluster}enable
NGFW{running-cluster}member-id
Cluster Member ID.
Syntax
member-id ID
Example
NGFW{running-cluster}member-id ?
Valid entry at this position is:
ID Member ID
NGFW{running-cluster}member-name
Cluster member name.
Syntax
member-name NAME
Example
NGFW{running-cluster}member-name ?
Valid entry at this position is:
NAME Member name (1-30 characters)
NGFW{running-cluster}standby
Sets the device on standby.
Syntax
standby
Example
NGFW{running-cluster}standby
NGFW{running-cluster}tct
Enter cluster traffic context.
Syntax
tct
Example
NGFW{running-cluster}tct
NGFW{running-cluster-tct}
running-cluster-tct Context Commands
NGFW{running-cluster}tct
NGFW{running-cluster-tct}delete
Delete file or configuration item.
Syntax
delete ipaddress
delete multicast
Example
NGFW{running-cluster-tct}delete ?
Valid entries at this position are:
ipaddress IPv4 address
multicast Apply multicast IPv4 address
NGFW{running-cluster-tct}encryption
Apply encryption hash.
Syntax
encryption (enable|disable)
encryption hash (none|MD5|SHA1|SHA256|SHA384|SHA512)
encryption cipher (none|AES256)
encryption passphrase PASSPHRASE
hash Apply encryption hash
Possible values for HASH are:
MD5 MD5 hash algorithm
SHA1 SHA1 hash algorithm
SHA256 SHA256 hash algorithm
SHA384 SHA384 hash algorithm
SHA512 SHA512 hash algorithm
none No hash algorithm
cipher Apply encryption cipher
Possible values for CIPHER are:
none No cipher algorithm
AES256 AES256 cipher algorithm
passphrase Apply encryption passphrase
PASSPHRASE Apply encryption passphrase
enable Enable encryption
disable Disable encryption
Example
NGFW{running-cluster-tct}encryption enable
NGFW{running-cluster-tct}encryption disable
NGFW{running-cluster-tct}encryption hash SHA512
NGFW{running-cluster-tct}encryption cipher AES256
NGFW{running-cluster-tct}encryption passphrase mypassphrase
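One way to review a captured CLI session for the weaker choices this reference permits: BGP timers outside the one-third ratio, cert-request keys below the 2048-bit default, CRL mode optional, cluster traffic hash and cipher, and clear-text OSPF/RIP authentication. This is an added example, not HP code; the session text is constructed, and the "last command wins" rule and the weak-hash policy are assumptions of the example.

```python
import re

# Prompt form used throughout this guide: NGFW{context}command
PROMPT = re.compile(r"^NGFW\{(?P<ctx>[^}]+)\}\s*(?P<cmd>\S.*)$")

# Policy chosen for this example (an assumption, not vendor guidance).
WEAK_HASHES = {"NONE", "MD5", "SHA1"}
MIN_KEY_BITS = 2048  # the documented cert-request default

# (context pattern, command pattern, groups -> (setting name, value))
RULES = [
    (r"running-bgp-\d+", r"timers (\d+) (\d+)",
     lambda g: ("timers", (int(g[0]), int(g[1])))),
    (r"running-certificates", r"cert-request (\S+)(?: key-size (\d+))?",
     lambda g: ("cert-request " + g[0], int(g[1] or MIN_KEY_BITS))),
    (r"running-certificates-crl", r"mode (required|optional)",
     lambda g: ("crl mode", g[0])),
    (r"running-cluster-tct", r"encryption (enable|disable)",
     lambda g: ("encryption", g[0])),
    (r"running-cluster-tct", r"encryption (hash|cipher) (\S+)",
     lambda g: ("encryption " + g[0], g[1])),
    (r"running-\S+", r"ip (ospf|rip) authentication mode (md5|text)(?: .*)?",
     lambda g: (g[0] + " authentication", g[1])),
]


def parse_session(text):
    """Return {(context, setting): (value, line_no)}.

    Assumption: a later command for the same setting replaces an earlier one.
    Lines without a prompt (interactive questions, PEM bodies, help output)
    are skipped.
    """
    state = {}
    for no, line in enumerate(text.splitlines(), 1):
        m = PROMPT.match(line.strip())
        if not m:
            continue
        ctx, cmd = m["ctx"], " ".join(m["cmd"].split())
        for ctx_re, cmd_re, extract in RULES:
            hit = re.fullmatch(cmd_re, cmd) if re.fullmatch(ctx_re, ctx) else None
            if hit:
                setting, value = extract(hit.groups())
                state[(ctx, setting)] = (value, no)
                break
    return state


def audit(text):
    """Return a sorted list of (line_no, context, message) findings."""
    findings = []
    for (ctx, setting), (value, no) in parse_session(text).items():
        msg = None
        if setting == "timers" and value[0] * 3 > value[1]:
            msg = f"keepalive {value[0]} is more than one-third of holdtime {value[1]}"
        elif setting.startswith("cert-request ") and value < MIN_KEY_BITS:
            msg = f"{setting}: {value}-bit key is below the {MIN_KEY_BITS}-bit default"
        elif setting == "crl mode" and value == "optional":
            msg = "CRL mode optional: certificate accepted when the CRL cannot be verified"
        elif setting == "encryption" and value == "disable":
            msg = "cluster traffic encryption is disabled"
        elif setting == "encryption hash" and value.upper() in WEAK_HASHES:
            msg = f"cluster traffic hash {value} is none or deprecated"
        elif setting == "encryption cipher" and value.lower() == "none":
            msg = "cluster traffic cipher is none"
        elif setting.endswith(" authentication") and value == "text":
            msg = f"{setting} uses a clear-text key"
        if msg:
            findings.append((no, ctx, msg))
    return sorted(findings)


# Constructed sample session built only from commands shown in this guide.
SAMPLE_SESSION = """\
NGFW{running-bgp-1}timers 60 120
NGFW{running-certificates}cert-request myrequest key-size 1024
(Enter 'exit' to abort the command)
Enter Common Name (string, required): www.example.com
NGFW{running-certificates}cert-request otherrequest
NGFW{running-certificates-crl}mode optional
NGFW{running-cluster-tct}encryption hash MD5
NGFW{running-cluster-tct}encryption hash SHA512
NGFW{running-cluster-tct}encryption cipher none
NGFW{running-cluster-tct}encryption enable
NGFW{running-bridge0}ip ospf authentication mode text mykey
NGFW{running-cluster-tct}mtu 1500
"""

if __name__ == "__main__":
    for no, ctx, msg in audit(SAMPLE_SESSION):
        print(f"line {no:>2} [{ctx}] {msg}")
```

The MD5 hash on line 7 of the sample is not reported because line 8 replaces it with SHA512; the cipher set to none on line 9 still is.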
NGFW{running-cluster-tct}ipaddress
IPv4 address.
Syntax
ipaddress A.B.C.D/M
Example
NGFW{running-cluster-tct}help ipaddress
Apply IPv4 address
Syntax: ipaddress A.B.C.D/M
ipaddress IPv4 address
A.B.C.D/M IPv4 address with netmask
NGFW{running-cluster-tct}mgmt-port-failover
Failover to management port if HA ports unavailable.
Syntax
mgmt-port-failover (enable|disable)
Example
NGFW{running-cluster-tct}mgmt-port-failover enable
NGFW{running-cluster-tct}mtu
Apply MTU.
Syntax
mtu (68-9216)
Example
NGFW{running-cluster-tct}mtu 1500
NGFW{running-cluster-tct}multicast
Apply multicast IPv4 address.
Syntax
multicast A.B.C.D
Example
NGFW{running-cluster-tct}multicast 192.168.0.32
NGFW{running-cluster-tct}physical-media
Apply physical-media settings. Auto-negotiation is the default.
Syntax
physical-media (auto-neg)|(SPEED-MODE)
auto-neg Enable auto-negotiation (default is on)
SPEED-MODE Set the port speed
Possible values for SPEED-MODE are:
10half Supported port speed and mode
10full Supported port speed and mode
100half Supported port speed and mode
100full Supported port speed and mode
1000full Supported port speed and mode
Example
NGFW{running-cluster-tct}physical-media 10full
NGFW{running-cluster-tct}port
Apply multicast UDP port number.
Syntax
port N
N Apply multicast UDP port number(1-65534)
Example
NGFW{running-cluster-tct}port 9
NGFW{running-cluster-tct}retry
Apply retry interval.
Syntax
retry N
N Apply retry interval value(1-10)
Example
NGFW{running-cluster-tct}retry 3
NGFW{running-cluster-tct}timeout
Apply timeout.
Syntax
timeout N
N Apply timeout value(100-10000)
Example
NGFW{running-cluster-tct}timeout 160
NGFW{running-cluster-tct}ttl
Apply TTL.
Syntax
ttl N
N Apply TTL value(1-255)
Example
NGFW{running-cluster-tct}ttl 2
running-dhcp-relay Context Commands
NGFW{running}dhcp relay
NGFW{running-dhcp-relay}client
Configure client interface.
Syntax
client interface (all|IFNAME)
Example
NGFW{running-dhcp-relay}help client
Configure client interface
Syntax: client interface all|IFNAME
all Configure listening to all interfaces?
IFNAME Configure interface
NGFW{running-dhcp-relay}delete
Delete configuration item.
Syntax
delete client interface (all|IFNAME)
delete server (all|(interface IFNAME)|(address A.B.C.D))
Example
NGFW{running-dhcp-relay}delete client interface all
NGFW{running-dhcp-relay}disable
Disable service.
Syntax
disable
Example
NGFW{running-dhcp-relay}help disable
Disable DHCP relay
Syntax: disable
disable Disable service
NGFW{running-dhcp-relay}enable
Enable service.
Syntax
enable
Example
NGFW{running-dhcp-relay}help enable
Enable DHCP relay
Syntax: enable
enable Enable service
NGFW{running-dhcp-relay}server
Configure server interface.
Syntax
server (interface IFNAME)|(address A.B.C.D)
Example
NGFW{running-dhcp-relay}help server address
Configure server address
Syntax: server (address A.B.C.D)
A.B.C.D Configure IPv4 address
NGFW{running-dhcp-relay}help server interface
Configure server interface
Syntax: server (interface IFNAME)
A.B.C.D Configure IPv4 address
running-dhcp-server Context Commands
NGFW{running}dhcp server
NGFW{running-dhcp-server}delete
Delete configuration item.
Syntax
delete scope (all|NAME)
Example
NGFW{running-dhcp-server}help delete
Delete scope
Syntax: delete scope all|NAME
all Delete all scopes
NAME Delete scope
NGFW{running-dhcp-server}disable
Disable server.
Syntax
disable
Example
NGFW{running-dhcp-server}disable
NGFW{running-dhcp-server}display
Display configuration item.
Syntax
display scope NAME
Example
NGFW{running-dhcp-server}help display
Valid commands are:
# Manage context
display [xml]
# Other commands
display scope NAME [xml]
NGFW{running-dhcp-server}enable
Enable server.
Syntax
enable
Example
NGFW{running-dhcp-server}enable
NGFW{running-dhcp-server}scope
Configure scope.
Syntax
scope NAME
Example
NGFW{running-dhcp-server}scope myscope
running-dhcp-server-X Context Commands
NGFW{running-dhcp-server}scope myscope
NGFW{running-dhcp-server-myscope}address-range
Configure IP address range.
Syntax
address-range A.B.C.D A.B.C.D
Example
NGFW{running-dhcp-server-myscope}help address-range
Configure IP address range
Syntax: address-range A.B.C.D A.B.C.D
A.B.C.D First address
A.B.C.D Last address
NGFW{running-dhcp-server-myscope}default-gateway
Configure default gateway.
Syntax
default-gateway (myself|A.B.C.D)
Example
NGFW{running-dhcp-server-myscope}help default-gateway
Configure default gateway
Syntax: default-gateway myself|A.B.C.D
myself Use subnets IP address as default gateway
A.B.C.D IPv4 address
NGFW{running-dhcp-server-myscope}delete
Delete configuration item.
Syntax
delete address-range (all|(A.B.C.D A.B.C.D))
delete default-gateway NAME
delete dns-server (all|A.B.C.D)
delete domain-name NAME
delete exclude (all|A.B.C.D)
delete host (all|NAME)
delete lease
delete option (all|NAME|NUMBER)
delete subnet A.B.C.D/M
Example
NGFW{running-dhcp-server-myscope}delete ?
Valid entries at this position are:
address-range Delete IP address range
default-gateway Delete default gateway
dns-server Delete DNS server
domain-name Delete domain name
exclude Delete excluded IP address
host Delete host
lease Delete lease
option Delete option
subnet Delete subnet
NGFW{running-dhcp-server-myscope}dns-server
Configure DNS server.
Syntax
dns-server A.B.C.D (primary|secondary|tertiary)
Example
NGFW{running-dhcp-server-myscope}help dns-server
Configure DNS server
Syntax: dns-server A.B.C.D primary|secondary|tertiary
A.B.C.D IPv4 address
primary Configure primary server
secondary Configure secondary server
tertiary Configure tertiary server
NGFW{running-dhcp-server-myscope}domain-name
Configure Domain Name.
Syntax
domain-name NAME
Example
NGFW{running-dhcp-server-myscope}domain-name americas
NGFW{running-dhcp-server-myscope}exclude
Configure excluded IP address.
Syntax
exclude A.B.C.D
Example
NGFW{running-dhcp-server-myscope}help exclude
Configure excluded IP address
Syntax: exclude A.B.C.D
A.B.C.D IPv4 address
NGFW{running-dhcp-server-myscope}host
Configure host name.
Syntax
host NAME X:X:X:X:X:X A.B.C.D
Example
NGFW{running-dhcp-server-myscope}help host
Configure static IP address for client with mac address.
Syntax: host NAME X:X:X:X:X:X A.B.C.D
NAME Configure name
X:X:X:X:X:X Ethernet MAC address (e.g 00:02:b3:39:ba:d2)
Syntax: byte(:byte){5} byte MAC address byte
A.B.C.D IPv4 address
NGFW{running-dhcp-server-myscope}lease
Configure DHCPv4 lease in seconds.
Syntax
lease (0-1073741824)
Example
NGFW{running-dhcp-server-myscope}help lease
Configure DHCPv4 lease
Syntax: lease <0-1073741824>
<0-1073741824> Lease value in seconds (0-1073741824)
NGFW{running-dhcp-server-myscope}option
Configure options.
Syntax
option (NAME|NUMBER) text Value 1
option (NAME|NUMBER) boolean Value 1 [Value 2] [Value 3]
option (NAME|NUMBER) integer8 Value 1 [Value 2] [Value 3]
option (NAME|NUMBER) hex8 Value 1 [Value 2] [Value 3]
option (NAME|NUMBER) integer32 Value 1 [Value 2] [Value 3]
option (NAME|NUMBER) hex32 Value 1 [Value 2] [Value 3]
option (NAME|NUMBER) ipaddress (Value 1) [Value 2] [Value 3]
Refer to https://tools.ietf.org/html/rfc2132#section-3 or
https://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol#DHCP_options for
known option names and numbers.
Example
NGFW{running-dhcp-server-myscope}help option
option Configure options
Syntax: option (NAME) Values
Values as specified in documents referenced above
Syntax: option (NUMBER) text Value 1
Value 1 can include up to 256 characters of any type including spaces and tabs
Syntax: option (NUMBER) boolean Value 1 [Value 2] [Value 3]
Value 1,2,3 must be string true or false
Syntax: option (NUMBER) integer8 Value 1 [Value 2] [Value 3]
Value 1,2,3 must be in integer between 0 and 255
Syntax: option (NUMBER) hex8 Value 1 [Value 2] [Value 3]
Value 1,2,3 must be in hex integer between 0 and ff and entered as (0x0-0xff)
Syntax: option (NUMBER) integer32 Value 1 [Value 2] [Value 3]
Value 1,2,3 must be in integer between 0 and 16777215
Syntax: option (NUMBER) hex32 Value 1 [Value 2] [Value 3]
Value 1,2,3 must be in hex integer between 0 and ffffff and entered as
(0x0-0xffffff)
Syntax: option (NUMBER) ipaddress (Value 1) [Value 2] [Value 3]
Value 1,2,3 can be a domain name of up to 255 characters or an IP address
NGFW{running-dhcp-server-myscope}subnet
Configure subnet.
Syntax
subnet A.B.C.D/M
Example
NGFW{running-dhcp-server-myscope}subnet ?
Valid entry at this position is:
A.B.C.D/M IPv4 address and mask length
running-dnat Context Commands
NGFW{running}dst-nat
NGFW{running-dnat}delete
Delete destination NAT rule(s).
Syntax
delete rule (all|DSTNATRULEID)
Example
NGFW{running-dnat}delete rule 123
NGFW{running-dnat}rename
Rename destination NAT rule.
Syntax
rename dnat DSTNATRULEID NEWDSTNATRULEID
Example
NGFW{running-dnat}rename rule 123 dnat1
NGFW{running-dnat}rule
Create or enter a rule context.
Syntax
rule (auto|DSTNATRULEID) [POSITION_VALUE]
Example
NGFW{running-dnat}rule auto
NGFW{running-dnat}rule 123
running-dnat-rule-X Context Commands
NGFW{running-dnat}rule 1
NGFW{running-dnat-rule-dnat1}delete
Delete file or configuration item.
Syntax
delete port
delete dst-zone (include|exclude) ZONENAME
delete src-address (include|exclude) group ADDRESSGROUP
delete dst-address (include|exclude) group ADDRESSGROUP
delete src-address (include|exclude) ipaddress A.B.C.D
delete dst-address (include|exclude) ipaddress A.B.C.D
delete src-address (include|exclude) ipaddress A.B.C.D/M
delete dst-address (include|exclude) ipaddress A.B.C.D/M
delete src-address (include|exclude) range A.B.C.D A.B.C.D
delete dst-address (include|exclude) range A.B.C.D A.B.C.D
delete translate-to ipaddress (A.B.C.D|A.B.C.D/M)
delete translate-to range A.B.C.D A.B.C.D
Example
NGFW{running-dnat-rule-dnat1}delete translate-to range 192.168.1.100 192.168.1.200
NGFW{running-dnat-rule-dnat1}delete src-zone include all
NGFW{running-dnat-rule-dnat1}delete dst-address include ipaddress 192.168.1.0/24
NGFW{running-dnat-rule-dnat1}delete src-address exclude ipaddress 192.168.1.1
NGFW{running-dnat-rule-dnat1}description
Apply rule description.
Syntax
description TEXT
Example
NGFW{running-dnat-rule-dnat1}description "destination nat rule"
NGFW{running-dnat-rule-dnat1}dst-address
Apply destination address.
Syntax
dst-address (include|exclude) ipaddress (A.B.C.D|A.B.C.D/M)
dst-address (include|exclude) range A.B.C.D A.B.C.D
dst-address (include|exclude) group ADDRESSGROUP
Example
NGFW{running-dnat-rule-dnat1}dst-address include ipaddress 192.168.1.0/24
NGFW{running-dnat-rule-dnat1}dst-address exclude ipaddress 192.168.1.1
NGFW{running-dnat-rule-dnat1}dst-address include range 192.168.1.100 192.168.1.200
NGFW{running-dnat-rule-dnat1}move
Move rule position.
Syntax
move after DSTNATRULEID
move before DSTNATRULEID
move to position VALUE
Example
NGFW{running-dnat-rule-dnat1}move after dnat1
NGFW{running-dnat-rule-dnat1}move before dnat1
NGFW{running-dnat-rule-dnat1}move to position 1
NGFW{running-dnat-rule-dnat1}src-address
Apply source address.
Syntax
src-address (include|exclude) ipaddress (A.B.C.D|A.B.C.D/M)
src-address (include|exclude) range A.B.C.D A.B.C.D
src-address (include|exclude) group ADDRESSGROUP
Example
NGFW{running-dnat-rule-dnat1}src-address include ipaddress 192.168.1.0/24
NGFW{running-dnat-rule-dnat1}src-address exclude ipaddress 192.168.1.1
NGFW{running-dnat-rule-dnat1}src-address include range 192.168.1.100 192.168.1.200
NGFW{running-dnat-rule-dnat1}src-zone
Apply source security zone.
Syntax
src-zone (include|exclude) ZONENAME
Example
NGFW{running-dnat-rule-dnat1}src-zone include myzone1
NGFW{running-dnat-rule-dnat1}src-zone exclude myzone1
NGFW{running-dnat-rule-dnat1}tcp
Create tcp protocol translation.
Syntax
tcp dst-port PORT [to PORT] translate-to TRANS-PORT [to TRANS-PORT]
Example
NGFW{running-dnat-rule-dnat1}tcp dst-port 80 to 81 translate-to 8080 to 8081
NGFW{running-dnat-rule-dnat1}translate-to
Apply translation.
Syntax
translate-to ipaddress (A.B.C.D|A.B.C.D/M)
translate-to range A.B.C.D A.B.C.D
Example
NGFW{running-dnat-rule-dnat1}translate-to ipaddress 192.168.1.1
NGFW{running-dnat-rule-dnat1}translate-to ipaddress 192.168.1.0/24
NGFW{running-dnat-rule-dnat1}translate-to range 192.168.1.100 192.168.1.200
NGFW{running-dnat-rule-dnat1}udp
Create udp protocol translation.
Syntax
udp dst-port PORT [to PORT] translate-to TRANS-PORT [to TRANS-PORT]
Example
NGFW{running-dnat-rule-dnat1}udp dst-port 53 translate-to 3853
running-dns Context Commands
NGFW{running}dns
NGFW{running-dns}delete
Delete file or configuration item. A secondary domain-search can only be deleted if no tertiary exists. A
primary domain-search can only be deleted if no secondary exists.
Syntax
delete domain-name
delete domain-search (primary|secondary|tertiary|all)
delete name-server (all|A.B.C.D|X:X::X:X)
delete proxy cache cleaning interval
delete proxy cache forwarder (all|A.B.C.D|X:X::X:X)
delete proxy cache maximum negative ttl
delete proxy cache maximum ttl
delete proxy cache size
Example
NGFW{running-dns}delete proxy cache ?
Valid entries at this position are:
cleaning Delete cleaning
forwarder Delete forwarder
maximum Delete maximum
size Delete size
NGFW{running-dns}delete domain-search tertiary
NGFW{running-dns}delete domain-search secondary
NGFW{running-dns}delete domain-search primary
NGFW{running-dns}domain-name
Configure domain name.
Syntax
domain-name NAME
Example
NGFW{running-dns}help domain-name
Configure router domain name
Syntax: domain-name NAME
domain-name Configure domain name
NAME Domain name (e.g. hp.com)<1-256>
NGFW{running-dns}domain-search
Configure domain search. A secondary domain-search can only be entered after a primary is entered and
a tertiary can only be entered after a secondary is entered.
Syntax
domain-search (primary|secondary|tertiary) NAME
Example
NGFW{running-dns}domain-search primary example.com
NGFW{running-dns}domain-search secondary example.org
NGFW{running-dns}domain-search tertiary example.edu
NGFW{running-dns}name-server
Configure DNS server.
Syntax
name-server (A.B.C.D|X:X::X:X)
Example
NGFW{running-dns}help name-server
Configure DNS server
Syntax: name-server A.B.C.D|X:X::X:X
A.B.C.D IPv4 address
X:X::X:X IPv6 address
NGFW{running-dns}proxy
Configure proxy.
Syntax
proxy (enable|disable)
proxy cache cleaning interval cache cleaning interval in minutes
proxy cache forwarder A.B.C.D|X:X::X:X
proxy cache maximum negative ttl cache maximum negative ttl in minutes
proxy cache maximum ttl cache maximum ttl in minutes
proxy cache size cache size in megabytes
Example
NGFW{running-dns}proxy enable
running-ethernetX Context Commands
NGFW{running}interface ethernet1
NGFW{running-ethernet1}arp/ndp
Enable or disable ARP and NDP on interface.
Syntax
arp/ndp (enable|disable)
Example
NGFW{running-ethernet1}arp/ndp enable
NGFW{running-ethernet1}autoconfv6
Enable or disable IPv6 autoconfiguration on interface.
Syntax
autoconfv6 (enable|disable)
Example
NGFW{running-ethernet1}autoconfv6 disable
NGFW{running-ethernet1}delete
Delete file or configuration item.
Syntax
delete ip igmp
delete ip igmp version
delete ip ospf area
delete ip ospf authentication mode md5 (1-255) KEY
delete ip ospf authentication mode text KEY
delete ip ospf cost (1-65535)
delete ip ospf dead-interval (1-65535)
delete ip ospf hello-interval (1-65535)
delete ip ospf priority (0-255)
delete ip ospf retransmit-interval (3-65535)
delete ip ospf transmit-delay (1-65535)
delete ip pim-sm
delete ip rip
delete ip rip authentication mode md5
delete ip rip authentication mode text
delete ip rip receive version (v1-only|v2-only|v1-or-v2)
delete ip rip send version (v1-only|v2-only|v1-or-v2)
delete ip rip split-horizon
delete ipaddress (all|A.B.C.D/M|X:X::X:X/M)
delete ipaddress dhcpv4
delete ipaddress dhcpv6
delete ipv6 mld
delete ipv6 mld version
delete ipv6 ospfv3 area
delete ipv6 ospfv3 cost
delete ipv6 ospfv3 dead-interval
delete ipv6 ospfv3 hello-interval
delete ipv6 ospfv3 priority
delete ipv6 ospfv3 retransmit-interval
delete ipv6 ospfv3 transmit-delay
delete ipv6 pim-sm
delete ipv6 ripng
delete ipv6 ripng split-horizon
delete prefix (all|X:X::X:X/M)
delete shutdown (shutdown logical interface state)
Example
NGFW{running-ethernet1}delete ip igmp version
NGFW{running-ethernet1}delete ip ospf area
NGFW{running-ethernet1}delete ip ospf authentication mode md5 1 mysecret
NGFW{running-ethernet1}delete ip ospf authentication mode text mysecret
NGFW{running-ethernet1}delete ip ospf cost 1
NGFW{running-ethernet1}delete ip ospf dead-interval 1
NGFW{running-ethernet1}delete ip ospf hello-interval 1
NGFW{running-ethernet1}delete ip ospf priority 1
NGFW{running-ethernet1}delete ip ospf retransmit-interval
NGFW{running-ethernet1}delete ip ospf transmit-delay 1
NGFW{running-ethernet1}delete ip pim-sm
NGFW{running-ethernet1}delete ip rip authentication mode md5
NGFW{running-ethernet1}delete ip rip authentication mode text
NGFW{running-ethernet1}delete ip rip receive version v2-only
NGFW{running-ethernet1}delete ip rip send version v2-only
NGFW{running-ethernet1}delete ip rip split-horizon
NGFW{running-ethernet1}delete prefix all
NGFW{running-ethernet1}delete shutdown
NGFW{running-ethernet1}delete ipaddress dhcpv6
WARNING: This command will remove the dhcpv6 context. Do you want to continue (y/n)?
[n]: y
NGFW{running-ethernet1}delete ipaddress dhcpv4
WARNING: This command will remove the dhcpv4 context. Do you want to continue (y/n)?
[n]: y
NGFW{running-ethernet1}delete ipaddress 192.168.1.1/24
NGFW{running-ethernet1}delete ipaddress 100:0:0:0:0:0:0:1/64
NGFW{running-ethernet1}description
Enter description for the interface.
Syntax
description TEXT
Example
NGFW{running-ethernet1}description "Ethernet port 1"
NGFW{running-ethernet1}ip
Configure IP settings.
Syntax
ip igmp
ip igmp version (1|2|3)
ip ospf area (A.B.C.D|(0-4294967295))
ip ospf authentication mode md5 (1-255) KEY
ip ospf authentication mode text KEY
ip ospf cost (1-65535)
ip ospf dead-interval (1-65535)
ip ospf hello-interval (1-65535) [A.B.C.D]
ip ospf priority (0-255)
ip ospf retransmit-interval (3-65535)
ip ospf transmit-delay (1-65535)
ip pim-sm
ip rip
ip rip authentication mode md5 (0-2147483647) KEY
ip rip authentication mode text
ip rip receive version VERSION (v1-only|v2-only|v1-or-v2)
ip rip send version VERSION
ip rip split-horizon [poison-reverse]
Example
NGFW{running-ethernet1}ip igmp version 3
NGFW{running-ethernet1}ip ospf area 1
NGFW{running-ethernet1}ip ospf authentication mode md5 1 mysecret
NGFW{running-ethernet1}ip ospf authentication mode text mysecret
NGFW{running-ethernet1}ip ospf cost 1
NGFW{running-ethernet1}ip ospf dead-interval 1
NGFW{running-ethernet1}ip ospf hello-interval 1
NGFW{running-ethernet1}ip ospf priority 1
NGFW{running-ethernet1}ip ospf retransmit-interval 3
NGFW{running-ethernet1}ip ospf transmit-delay 1
NGFW{running-ethernet1}ip rip authentication mode md5 1 mysecret
NGFW{running-ethernet1}ip rip authentication mode text
Enter key: up to 16 characters:******
NGFW{running-ethernet1}ip rip receive version v2-only
NGFW{running-ethernet1}ip rip send version v2-only
NGFW{running-ethernet1}ip rip split-horizon poison-reverse
NGFW{running-ethernet1}ip ?
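Assuming the `text` authentication mode in the syntax above is the standard simple-password scheme of OSPFv2 (RFC 2328) and RIPv2 (RFC 2453), the key travels unencrypted in every routing packet, so it is worth auditing which interfaces end up with it. The following script is an added example, not part of the HP guide; it replays a constructed CLI transcript and reports interfaces left with a cleartext key or with no authentication, assuming that `ip ospf area` and a bare `ip rip` are what turn the protocol on for an interface.

```python
import re

PROMPT = re.compile(r"^NGFW\{running-([^}]+)\}(.*)$")
AUTH = re.compile(r"^ip (ospf|rip) authentication mode (md5|text)\b")

# Constructed transcript for illustration; not captured from a device.
SAMPLE = """\
NGFW{running-ethernet1}ip ospf area 1
NGFW{running-ethernet1}ip ospf authentication mode text mysecret
NGFW{running-ethernet2}ip ospf area 1
NGFW{running-ethernet2}ip ospf authentication mode md5 1 mysecret
NGFW{running-ethernet2}ip rip
NGFW{running-ethernet3}ip rip
NGFW{running-ethernet3}ip rip authentication mode md5 1 mysecret
NGFW{running-ethernet3}delete ip rip authentication mode md5
NGFW{running-ethernet4}ip rip
NGFW{running-ethernet4}ip rip authentication mode text
Enter key: up to 16 characters:******
"""


def audit(transcript):
    """Replay interface commands; return sorted (interface, protocol, finding) tuples."""
    enabled = set()  # (interface, protocol) pairs where the protocol was turned on
    auth = {}        # (interface, protocol) -> "md5" or "text"
    for raw in transcript.splitlines():
        m = PROMPT.match(raw.strip())
        if not m:
            continue  # hidden-key prompts, warnings and blank lines carry no command
        iface, cmd = m.group(1), " ".join(m.group(2).split())
        deleting = cmd.startswith("delete ")
        if deleting:
            cmd = cmd[len("delete "):]
        a = AUTH.match(cmd)
        if a:
            key = (iface, a.group(1))
            if not deleting:
                auth[key] = a.group(2)
            elif auth.get(key) == a.group(2):
                # A later delete leaves the protocol running without authentication.
                del auth[key]
            continue
        # Assumption of this example: these two commands enable the protocol.
        if cmd == "ip rip":
            proto = "rip"
        elif cmd.startswith("ip ospf area"):
            proto = "ospf"
        else:
            continue
        if deleting:
            enabled.discard((iface, proto))
        else:
            enabled.add((iface, proto))

    findings = []
    for key in sorted(enabled | set(auth)):
        mode = auth.get(key)
        if mode == "text":
            findings.append((*key, "cleartext-key"))
        elif mode is None:
            findings.append((*key, "no-authentication"))
    return findings


if __name__ == "__main__":
    for iface, proto, finding in audit(SAMPLE):
        print(f"{iface}: {proto}: {finding}")
```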
NGFW{running-ethernet1}ipaddress
Configure IP address.
Syntax
ipaddress (A.B.C.D/M|X:X::X:X/M) [primary]
ipaddress dhcpv4
Example
NGFW{running-ethernet1}ipaddress 100:0:0:0:0:0:0:1/64 primary
NGFW{running-ethernet1}ipaddress 192.168.1.1/24
NGFW{running-ethernet1}ipaddress dhcpv4
NGFW{running-ethernet1-dhcpv4}?
Valid entries at this position are:
client Configure client parameters
defaultroute-request Ask for IPv4 default route or not
delete Delete file or configuration item
dhcp Configure DHCPv4 client
dhcp Enable or disable DHCPv4 client service
display Display DHCPv4 client context
dns-request Ask for DNS server IPv4 address or not
help Display help information
ntp-request Ask for NTP server IPv4 address or not
option Configure DHCPv4 client option name
NGFW{running-ethernet1-dhcpv4}help
Valid commands are:
client identifier none|(hexa HEXA-ID)|(ascii ASCII-ID)
client name none|NAME
defaultroute-request enable|disable
delete option (NAME CODE)|all
dhcp enable|disable
dhcp server auto|A.B.C.D
display [xml]
dns-request enable|disable
help [full|COMMAND]
ntp-request enable|disable
option NAME CODE (boolean BOOLEAN)|(int8 INTEGER)|(uint8 INTEGER)|(int16
INTEGER)|(uint16 INTEGER)|(int32 INTEGER)|(uint32 INTEGER)|(ip-address
(A.B.C.D|DOMAIN))|(text TEXT)|(string (STRING|TEXT))|(array-of-boolean BOOLEAN,
BOOLEAN)|(array-of-int8 INTEGER, INTEGER)|(array-of-uint8 INTEGER,
INTEGER)|(array-of-int16 INTEGER, INTEGER)|(array-of-uint16 INTEGER,
INTEGER)|(array-of-int32 INTEGER, INTEGER)|(array-of-uint32 INTEGER,
INTEGER)|(array-of-ip-address (A.B.C.D, A.B.C.D|DOMAIN, DOMAIN))
NGFW{running-ethernet1}ipv6
Configure IPv6 settings.
Syntax
ipv6 mld
ipv6 mld version (1|2)
ipv6 ospfv3 area (A.B.C.D|(0-4294967295))
ipv6 ospfv3 cost (1-65535)
ipv6 ospfv3 dead-interval (1-65535)
ipv6 ospfv3 hello-interval (1-65535)
ipv6 ospfv3 priority (0-255)
ipv6 ospfv3 retransmit-interval (3-65535)
ipv6 ospfv3 transmit-delay (1-65535)
ipv6 pim-sm
ipv6 ripng
ipv6 ripng split-horizon [poison-reverse]
Example
NGFW{running-ethernet1}ipv6 mld version 2
NGFW{running-ethernet1}ipv6 ospfv3 area 1
NGFW{running-ethernet1}ipv6 ospfv3 cost 1
NGFW{running-ethernet1}ipv6 ospfv3 dead-interval 1
NGFW{running-ethernet1}ipv6 ospfv3 hello-interval 1
NGFW{running-ethernet1}ipv6 ospfv3 priority 1
NGFW{running-ethernet1}ipv6 ospfv3 retransmit-interval 3
NGFW{running-ethernet1}ipv6 ospfv3 transmit-delay 1
NGFW{running-ethernet1}ipv6 ripng split-horizon poison-reverse
NGFW{running-ethernet1}help ipv6 ripng split-horizon
Enable split-horizon / poison-reverse on this interface
Syntax: ipv6 ripng split-horizon [poison-reverse]
ipv6 Configure IPv6 settings
ripng Configure RIPng over the interface
split-horizon Enable split-horizon
poison-reverse Enable poison-reverse
NGFW{running-ethernet1}mtu
Configure interface MTU.
Syntax
mtu (default|(68-9216))
Example
NGFW{running-ethernet1}mtu 1500
NGFW{running-ethernet1}physical-media
Apply physical-media settings. Auto-negotiation is the default; alternatively, specify a supported port
speed and mode.
Syntax
physical-media (auto-neg|10half|10full|100half|100full|1000full)
Example
NGFW{running-ethernet1}physical-media 1000full
NGFW{running-ethernet1}physical-media auto-neg
NGFW{running-ethernet1}prefix
Configure IPv6 prefix.
Syntax
prefix X:X::X:X/M [valid-lifetime SECONDS] [preferred-lifetime SECONDS]
X:X::X:X/M IPv6 prefix
valid-lifetime Configure valid lifetime
(1-4294967295) Valid lifetime in seconds (default is 2592000)
preferred-lifetime Configure preferred lifetime
(1-4294967295) Preferred lifetime in seconds
(default is 604800 - cannot exceed valid lifetime)
Example
NGFW{running-ethernet1}prefix 100:0:0:0:0:0:0:0/64 valid-lifetime 2592000 preferred-lifetime 604800
NGFW{running-ethernet1}ra-autoconf-level
Modify IPv6 Router Advertisement autoconfiguration level (DHCP).
Syntax
ra-autoconf-level AUTOCONF
Possible values for AUTOCONF are:
none No parameter is autoconfigured
address Address is autoconfigured
other Some other parameters are autoconfigured
full Most parameters are autoconfigured
Example
NGFW{running-ethernet1}ra-autoconf-level full
NGFW{running-ethernet1}ra-interval
Modify IPv6 Router Advertisement interval value.
Syntax
ra-interval MILLISECONDS
ra-interval (90-1800000)
Example
NGFW{running-ethernet1}ra-interval 600
NGFW{running-ethernet1}ra-interval-transmit
Modify IPv6 Router Advertisement interval transmit.
Syntax
ra-interval-transmit (enable|disable)
Example
NGFW{running-ethernet1}ra-interval-transmit enable
NGFW{running-ethernet1}ra-lifetime
Modify IPv6 Router Advertisement prefix lifetime in seconds.
Syntax
ra-lifetime SECONDS
ra-lifetime (0-9000000)
Example
NGFW{running-ethernet1}ra-lifetime 1800
NGFW{running-ethernet1}ra-mtu
Modify IPv6 Router Advertisement MTU value.
Syntax
ra-mtu (none|(68-9216))
MTU value advertised (0 if none)
Example
NGFW{running-ethernet1}ra-mtu 1500
NGFW{running-ethernet1}ra-transmit-mode
Modify IPv6 Router Advertisement transmit mode.
Syntax
ra-transmit-mode MODE
Possible values for MODE are:
always Router Advert message is always sent
never Router Advert message is never sent
smart Router Advert message is sent if a prefix is defined
Example
NGFW{running-ethernet1}ra-transmit-mode smart
NGFW{running-ethernet1}restart
Restart Ethernet port.
Syntax
restart
Example
NGFW{running-ethernet1}restart
NGFW{running-ethernet1}shutdown
Shutdown logical interface state.
Syntax
shutdown
Example
NGFW{running-ethernet1}shutdown
NGFW{running-ethernet1}tcp4mss
Configure interface TCP MSS for IPv4.
Syntax
tcp4mss (disable|automatic|(4-65535))
Valid entries:
disable Disable service
automatic Automatically select TCP MSS based on interface MTU
VALUE TCP MSS value for IPv4
Example
NGFW{running-ethernet1}tcp4mss automatic
NGFW{running-ethernet1}tcp6mss
Configure interface TCP MSS for IPv6.
Syntax
tcp6mss (disable|automatic|(4-65535))
Valid entries:
disable Disable service
automatic Automatically select TCP MSS based on interface MTU
VALUE TCP MSS value for IPv6
Example
NGFW{running-ethernet1}tcp6mss automatic
running-firewall Context Commands
NGFW{running}firewall
NGFW{running-firewall}default-block-rule
Apply action set for default block rule.
Syntax
default-block-rule DEFACTIONSET
Example
NGFW{running-firewall}default-block-rule "Block + Notify + Trace"
NGFW{running-firewall}delete
Delete firewall rule.
Syntax
delete rule (all|XRULEID)
Example
NGFW{running-firewall}delete rule myrule1
NGFW{running-firewall}rename
Rename a firewall rule.
Syntax
rename rule XRULEID NEWRULEID
Example
NGFW{running-firewall}rename rule myrule1 myrule2
NGFW{running-firewall}rule
Create or enter a rule context.
Syntax
rule (auto|RULEID) [POSITION_VALUE]
Example
NGFW{running-firewall}rule auto
NGFW{running-firewall}rule myrule1
running-firewall-rule-X Context Commands
NGFW{running-firewall}rule myrule1
NGFW{running-firewall-rule-myrule1}action
Apply action set.
Syntax
action ACTIONSETNAME
Example
NGFW{running-firewall-rule-myrule1}action "Permit + Notify + Trace"
NGFW{running-firewall-rule-myrule1}application-group
Apply application group.
Syntax
application-group APPGROUPNAME
application-group ANONYMOUS CRITERIASTRING
Example
NGFW{running-firewall-rule-myrule1}application-group facebook
NGFW{running-firewall-rule-myrule1}application-group ANONYMOUS
NGFW{running-firewall-rule-myrule1}delete
Delete file or configuration item.
Syntax
delete application-group
delete comment
delete profile
delete schedule (include all|SCHEDULENAME)
delete schedule (exclude all|SCHEDULENAME)
delete services include (service all|SERVICENAME)
delete services include (protocol all|PROTONUM)
delete services include port all
delete services include tcp (all|PORT) [to PORT]
delete services include udp (all|PORT) [to PORT]
delete services include (icmp all|(CODENAME)|(TYPE [CODE]))
delete services include (icmpv6 all|(CODENAME6)|(TYPE6 [CODE6]))
delete services exclude (service all|SERVICENAME)
delete services exclude (protocol all|PROTONUM)
delete services exclude port all
delete services exclude tcp (all|PORT) [to PORT]
delete services exclude udp (all|PORT) [to PORT]
delete services exclude (icmp all|(CODENAME)|(TYPE [CODE]))
delete services exclude (icmpv6 all|(CODENAME6)|(TYPE6 [CODE6]))
delete src-address include group (all|SADDRESSGROUP)
delete src-address include (ipaddress all|A.B.C.D/M|X:X::X:X/M)
delete src-address include range (all|A.B.C.D|X:X::X:X)
delete src-address include ((any4)|(any6))
delete src-address exclude group (all|SADDRESSGROUP)
delete src-address exclude (ipaddress all|A.B.C.D/M|X:X::X:X/M)
delete src-address exclude range (all|A.B.C.D|X:X::X:X)
delete src-address exclude ((any4)|(any6))
delete dst-address include group (all|DADDRESSGROUP)
delete dst-address include (ipaddress all|A.B.C.D/M|X:X::X:X/M)
delete dst-address include range (all|A.B.C.D|X:X::X:X)
delete dst-address include ((any4)|(any6))
delete dst-address exclude group (all|DADDRESSGROUP)
delete dst-address exclude (ipaddress all|A.B.C.D/M|X:X::X:X/M)
delete dst-address exclude range (all|A.B.C.D|X:X::X:X)
delete dst-address exclude ((any4)|(any6))
delete src-zone (include all|ZONENAME)
delete src-zone (exclude all|ZONENAME)
delete dst-zone (include all|ZONENAME)
delete dst-zone (exclude all|ZONENAME)
delete user (include all|USERNAME)
delete user (exclude all|USERNAME)
delete user-group (include all|IN_GRP_NAME|IN_DN_GRP_NAME)
delete user-group (exclude all|EX_GRP_NAME|EX_DN_GRP_NAME)
Example
NGFW{running-firewall-rule-myrule1}delete application-group
NGFW{running-firewall-rule-myrule1}delete schedule exclude myhours1
NGFW{running-firewall-rule-myrule1}delete schedule include all
NGFW{running-firewall-rule-myrule1}delete services include port all
NGFW{running-firewall-rule-myrule1}delete services include service http
NGFW{running-firewall-rule-myrule1}delete services exclude icmp any
NGFW{running-firewall-rule-myrule1}delete dst-zone include myzone1
NGFW{running-firewall-rule-myrule1}delete src-zone include myzone1
NGFW{running-firewall-rule-myrule1}delete src-address include ipaddress 192.168.1.0/24
NGFW{running-firewall-rule-myrule1}delete dst-address include ipaddress 192.168.1.0/24
NGFW{running-firewall-rule-myrule1}delete services include port tcp 443
NGFW{running-firewall-rule-myrule1}delete user include all
NGFW{running-firewall-rule-myrule1}delete user exclude myuser1
NGFW{running-firewall-rule-myrule1}delete user-group include mygroup
NGFW{running-firewall-rule-myrule1}description
Apply rule description.
Syntax
description TEXT
Example
NGFW{running-firewall-rule-myrule1}description "My Firewall Policy"
NGFW{running-firewall-rule-myrule1}disable
Disable rule.
Syntax
disable
Example
NGFW{running-firewall-rule-myrule1}disable
NGFW{running-firewall-rule-myrule1}dst-address
Apply destination addresses.
Syntax
dst-address (include|exclude) (any4|any6)
dst-address (include|exclude) group ADDRESSGROUP
dst-address (include|exclude) ipaddress (A.B.C.D|X:X::X:X)
dst-address (include|exclude) ipaddress (A.B.C.D/M|X:X::X:X/M)
dst-address (include|exclude) range ((A.B.C.D A.B.C.D)|(X:X::X:X X:X::X:X))
Example
NGFW{running-firewall-rule-myrule1}dst-address exclude ipaddress 192.168.1.1
NGFW{running-firewall-rule-myrule1}dst-address include ipaddress 192.168.1.0/24
NGFW{running-firewall-rule-myrule1}dst-address include range 192.168.1.100 192.168.1.200
NGFW{running-firewall-rule-myrule1}dst-address include group mygroup1
NGFW{running-firewall-rule-myrule1}dst-zone
Apply destination security zone.
Syntax
dst-zone (include|exclude) ZONENAME
Example
NGFW{running-firewall-rule-myrule1}dst-zone include myzone1
NGFW{running-firewall-rule-myrule1}dst-zone exclude myzone1
NGFW{running-firewall-rule-myrule1}enable
Enable rule.
Syntax
enable
Example
NGFW{running-firewall-rule-myrule1}enable
NGFW{running-firewall-rule-myrule1}move
Move firewall rule position in the rule table.
Syntax
move after XRULEID
move before XRULEID
move to position VALUE
Example
NGFW{running-firewall-rule-myrule1}move after myrule2
NGFW{running-firewall-rule-myrule1}move before myrule2
NGFW{running-firewall-rule-myrule1}move to position 1
NGFW{running-firewall-rule-myrule1}profile
Apply profile.
Syntax
profile (reputation REPPROFILE [ips IPSPROFILE])|(ips IPSPROFILE [reputation REPPROFILE])
Example
NGFW{running-firewall-rule-myrule1}profile ips "Default IPS Profile" reputation "Default Reputation Profile"
NGFW{running-firewall-rule-myrule1}profile ips "Default IPS Profile"
NGFW{running-firewall-rule-myrule1}profile reputation "Default Reputation Profile"
NGFW{running-firewall-rule-myrule1}schedule
Apply schedule.
Syntax
schedule (include|exclude) SCHEDULENAME
Example
NGFW{running-firewall-rule-myrule1}schedule include myhours1
NGFW{running-firewall-rule-myrule1}schedule exclude myhours1
NGFW{running-firewall-rule-myrule1}services
Apply IP Services.
Syntax
services (include|exclude) (service SERVICENAME)
services (include|exclude) (protocol PROTONUM)
services (include|exclude) (port tcp PORT [to PORT])
services (include|exclude) (port udp PORT [to PORT])
services (include|exclude) (icmp ICMP-CODENAMES|(TYPE [CODE]))
services (include|exclude) (icmpv6 ICMP6-CODENAMES|(TYPE [CODE]))
Example
NGFW{running-firewall-rule-myrule1}services include protocol 6
NGFW{running-firewall-rule-myrule1}services include port tcp 443
NGFW{running-firewall-rule-myrule1}services include service http
NGFW{running-firewall-rule-myrule1}services exclude icmpv6 any
NGFW{running-firewall-rule-myrule1}src-address
Apply source addresses.
Syntax
src-address include (any4|any6)
src-address include group ADDRESSGROUP
src-address include ipaddress (A.B.C.D|X:X::X:X)
src-address include ipaddress (A.B.C.D/M|X:X::X:X/M)
src-address include range ((A.B.C.D A.B.C.D)|(X:X::X:X X:X::X:X))
src-address exclude (any4|any6)
src-address exclude group ADDRESSGROUP
src-address exclude ipaddress (A.B.C.D|X:X::X:X)
src-address exclude ipaddress (A.B.C.D/M|X:X::X:X/M)
src-address exclude range ((A.B.C.D A.B.C.D)|(X:X::X:X X:X::X:X))
Example
NGFW{running-firewall-rule-myrule1}src-address exclude ipaddress 192.168.1.1
NGFW{running-firewall-rule-myrule1}src-address include ipaddress 192.168.1.0/24
NGFW{running-firewall-rule-myrule1}src-address include range 192.168.1.100 192.168.1.200
NGFW{running-firewall-rule-myrule1}src-address include group mygroup1
NGFW{running-firewall-rule-myrule1}src-zone
Apply source security zone.
Syntax
src-zone (include|exclude) ZONENAME
Example
NGFW{running-firewall-rule-myrule1}src-zone include myzone1
NGFW{running-firewall-rule-myrule1}src-zone exclude myzone1
NGFW{running-firewall-rule-myrule1}user
Apply user name.
Syntax
user (include|exclude) USER_NAME
Example
NGFW{running-firewall-rule-myrule1}user include myuser1
NGFW{running-firewall-rule-myrule1}user-group
Apply user group name or LDAP-group DN.
Syntax
user-group (include|exclude) (USER_GRP_NAME|LDAP_GROUP_DN)
Example
NGFW{running-firewall-rule-myrule1}user-group include group1
running-gen Context Commands
NGFW{running}gen
NGFW{running-gen}arp
Configure static ARP entry.
Syntax
arp A.B.C.D INTERFACE MAC
A.B.C.D IPv4 address
INTERFACE Interface name
MAC Ethernet MAC address (e.g. 00:02:b3:39:ba:d2)
Example
NGFW{running-gen}arp 192.168.1.1 ethernet5 a1:b2:c3:d4:e5:f6
NGFW{running-gen}auto-restart
Enable or disable automatic restart on detection of a critical problem.
Syntax
auto-restart (enable|disable)
Example
NGFW{running-gen}auto-restart enable
NGFW{running-gen}delete
Delete file or configuration item.
Syntax
delete arp (all|(ENTRY INTERFACE))
delete host (NAME|all)
delete ndp (all|(ENTRY INTERFACE))
Example
NGFW{running-gen}delete arp 192.168.1.1 ethernet5
NGFW{running-gen}delete host myhost
NGFW{running-gen}delete ndp 100::1 ethernet5
NGFW{running-gen}delete arp all
NGFW{running-gen}help delete arp
Delete configured static ARP entry
Syntax: delete arp all|(ENTRY INTERFACE)
delete Delete file or configuration item
arp Delete configured static ARP entry
all All settings
ENTRY IPv4 address of ARP entry
INTERFACE Interface of NDP entry
NGFW{running-gen}ephemeral-port-range
Set the range of the ephemeral port (default is 32768-61000).
Syntax
ephemeral-port-range (default|(LOWRANGE HIGHRANGE))
default Default port range value 32768-61000 is applied
LOWRANGE Value of the first port
HIGHRANGE Value of the last port
Example
NGFW{running-gen}ephemeral-port-range default
NGFW{running-gen}ephemeral-port-range 32768 61000
NGFW{running-gen}forwarding
Enable or disable IPv4/IPv6 forwarding.
Syntax
forwarding (ipv4|ipv6) (enable|disable)
Example
NGFW{running-gen}forwarding ipv4 enable
NGFW{running-gen}forwarding ipv6 enable
NGFW{running-gen}host
Configure static address to host name association.
Syntax
host NAME (A.B.C.D|X:X::X:X)
Example
NGFW{running-gen}host myhost 192.168.1.1
NGFW{running-gen}host myhost 100:0:0:0:0:0:0:1
NGFW{running-gen}https
Enable or disable WEB server configuration.
Syntax
https (enable|disable)
Example
NGFW{running-gen}https enable
NGFW{running-gen}inband-management
Enable or disable inband management.
Syntax
inband-management (enable|disable)
Example
NGFW{running-gen}inband-management enable
NGFW{running-gen}management-service
Set a management service to use either the management port or the network port.
Syntax
management-service all (management|network)
management-service dns (management|network)
management-service email (management|network)
management-service ldap (management|network)
management-service ntp (management|network)
management-service radius (management|network)
management-service remote-syslog (management|network)
management-service snmp (management|network)
Example
NGFW{running-gen}management-service all management
NGFW{running-gen}management-service all network
NGFW{running-gen}management-service ldap network
NGFW{running-gen}management-service email network
NGFW{running-gen}management-service snmp management
Example
NGFW{running-gen}help management-service
Set a management service to either use management port or network port
all Set all management services to use management port or network port
dns Set the DNS service to use the management port or the network port
email Set the email service to use management port or network port
ldap Set the LDAP service to use the management port or the network port
ntp Set the NTP service to use the management port or the network port
radius Set the RADIUS service to use management port or the network port
remote-syslog Set remote syslog service to use management port or network port
snmp Set the SNMP service to use the management port or the network port
management Set service to use management port
network Set service to use network port
NGFW{running-gen}ndp
Configure static NDP entry.
Syntax
ndp X:X::X:X INTERFACE MAC
X:X::X:X IPv6 address
INTERFACE Interface name
MAC Ethernet MAC address (e.g. 00:02:b3:39:ba:d2)
Example
NGFW{running-gen}ndp 100:0:0:0:0:0:0:1 ethernet5 a1:b2:c3:d4:e5:f6
NGFW{running-gen}ssh
Enable or disable ssh service.
Syntax
ssh (enable|disable)
Example
NGFW{running-gen}ssh enable
NGFW{running-gen}timezone
Display or configure time zone.
Syntax
timezone GMT
timezone REGION CITY
REGION (Africa|America|Antarctica|Arctic|Asia|Atlantic|Australia|Europe|Indian|Pacific)
Example
NGFW{running-gen}timezone America Chicago
NGFW{running-gen}timezone GMT
running-global-inspection Context Commands
NGFW{running}global-inspection
NGFW{running-global-inspection}default-inspection
Apply default inspection profile.
Syntax
default-inspection ips-profile (IPSPROFILE|none)
default-inspection reputation-profile (REPPROFILE|none)
Example
NGFW{running-global-inspection}default-inspection reputation-profile ?
Valid entries at this position are:
REPPROFILE Existing reputation profile
none Disable security profile
NGFW{running-global-inspection}unknown-app
Apply inspection profile during application detection phase.
Syntax
unknown-app (ips-profile IPSPROFILE|none)|(reputation-profile REPPROFILE|none)
Example
NGFW{running-global-inspection}unknown-app ?
Valid entries at this position are:
ips-profile Apply IPS profile
reputation-profile Apply reputation profile
running-greX Context Commands
NGFW{running}interface gre0
NGFW{running-gre0}autoconfv6
Enable or disable IPv6 autoconfiguration on interface.
Syntax
autoconfv6 (enable|disable)
Example
NGFW{running-gre0}autoconfv6 enable
NGFW{running-gre0}bind
Configure the GRE tunnel encapsulation.
Syntax
bind (local global ip) (remote global ip)
bind A.B.C.D A.B.C.D
bind X:X::X:X X:X::X:X
Example
NGFW{running-gre0}bind 192.168.1.1 192.168.2.1
NGFW{running-gre0}bind 2001:2:0:0:0:0:0:1 2001:db8:0:0:0:0:0:1
NGFW{running-gre0}checksum
Enable or disable GRE Checksum.
Syntax
checksum (enable|disable)
Example
NGFW{running-gre0}checksum enable
NGFW{running-gre0}delete
Delete file or configuration item.
Syntax
delete bind
delete ip igmp
delete ip igmp version
delete ip ospf area
delete ip ospf authentication mode md5 KEY_ID KEY
delete ip ospf authentication mode text KEY
delete ip ospf cost COST
delete ip ospf dead-interval VALUE
delete ip ospf hello-interval VALUE
delete ip ospf priority VALUE
delete ip ospf retransmit-interval VALUE
delete ip ospf transmit-delay VALUE
delete ip rip
delete ip rip authentication mode md5
delete ip rip authentication mode text
delete ip rip receive version VERSION
delete ip rip send version VERSION
delete ip rip split-horizon
delete ipaddress A.B.C.D
delete ipaddress X:X::X:X
delete ipaddress all
delete ipv6 mld
delete ipv6 mld version
delete ipv6 ospfv3 area
delete ipv6 ospfv3 cost
delete ipv6 ospfv3 dead-interval
delete ipv6 ospfv3 hello-interval
delete ipv6 ospfv3 priority
delete ipv6 ospfv3 retransmit-interval
delete ipv6 ospfv3 transmit-delay
delete ipv6 ripng
delete ipv6 ripng split-horizon
delete prefix all|X:X::X:X/M
delete shutdown
Example
NGFW{running-gre0}delete bind
NGFW{running-gre0}delete ip igmp version
NGFW{running-gre0}delete ip igmp
NGFW{running-gre0}delete ip ospf authentication mode md5 1 secret
NGFW{running-gre0}delete ip ospf authentication mode text secret
NGFW{running-gre0}delete ip ospf cost 1
NGFW{running-gre0}delete ip ospf dead-interval 1
NGFW{running-gre0}delete ip ospf hello-interval 1
NGFW{running-gre0}delete ip ospf priority 1
NGFW{running-gre0}delete ip ospf retransmit-interval 3
NGFW{running-gre0}delete ip ospf transmit-delay 1
NGFW{running-gre0}delete ip rip authentication mode md5
NGFW{running-gre0}delete ip rip authentication mode text
NGFW{running-gre0}delete ip rip receive version v2-only
NGFW{running-gre0}delete ip rip send version v2-only
NGFW{running-gre0}delete ip rip split-horizon poison-reverse
NGFW{running-gre0}delete ip rip split-horizon
NGFW{running-gre0}delete ipaddress 10.10.10.1 10.11.11.1
NGFW{running-gre0}delete ipaddress 100:10:10:0:0:0:0:1 100:11:11:0:0:0:0:1
NGFW{running-gre0}delete ipv6 mld version
NGFW{running-gre0}delete ipv6 ospfv3 area
NGFW{running-gre0}delete ipv6 ospfv3 cost
NGFW{running-gre0}delete ipv6 ospfv3 dead-interval
NGFW{running-gre0}delete ipv6 ospfv3 hello-interval
NGFW{running-gre0}delete ipv6 ospfv3 priority
NGFW{running-gre0}delete ipv6 ospfv3 retransmit-interval
NGFW{running-gre0}delete ipv6 ospfv3 transmit-delay
NGFW{running-gre0}delete ipv6 ripng split-horizon poison-reverse
NGFW{running-gre0}delete ipv6 ripng split-horizon
NGFW{running-gre0}description
Enter description for the interface.
Syntax
description TEXT
Example
NGFW{running-gre0}description "GRE tunnel 0"
NGFW{running-gre0}ip
Configure IP settings.
Syntax
ip igmp
ip igmp version (1|2|3)
ip ospf area (A.B.C.D|(0-4294967295))
ip ospf authentication mode md5 (1-255) KEY
ip ospf authentication mode text KEY
ip ospf cost (1-65535)
ip ospf dead-interval (1-65535)
ip ospf hello-interval (1-65535) [A.B.C.D]
ip ospf priority (0-255)
ip ospf retransmit-interval (3-65535)
ip ospf transmit-delay (1-65535)
ip rip
ip rip authentication mode md5 (0-2147483647) KEY
ip rip authentication mode text
ip rip receive version (v1-only|v2-only|v1-or-v2)
ip rip send version (v1-only|v2-only|v1-or-v2)
ip rip split-horizon [poison-reverse]
Example
NGFW{running-gre0}ip igmp version 3
NGFW{running-gre0}ip ospf area 1
NGFW{running-gre0}ip ospf authentication mode md5 1 mysecret
NGFW{running-gre0}ip ospf authentication mode text mysecret
NGFW{running-gre0}ip ospf cost 1
NGFW{running-gre0}ip ospf dead-interval 1
NGFW{running-gre0}ip ospf hello-interval 1
NGFW{running-gre0}ip ospf priority 1
NGFW{running-gre0}ip ospf retransmit-interval 3
NGFW{running-gre0}ip ospf transmit-delay 1
NGFW{running-gre0}ip rip authentication mode md5 1 mysecret
NGFW{running-gre0}ip rip authentication mode text
Enter key: up to 16 characters:******
NGFW{running-gre0}ip rip receive version v2-only
NGFW{running-gre0}ip rip send version v2-only
NGFW{running-gre0}ip rip split-horizon poison-reverse
NGFW{running-gre0}ipaddress
Configure the tunnel endpoint IP addresses.
Syntax
ipaddress (local gre endpoint ipaddress) (remote gre endpoint ipaddress)
ipaddress A.B.C.D A.B.C.D
ipaddress X:X::X:X X:X::X:X
Example
NGFW{running-gre0}ipaddress 10.10.10.1 10.11.11.1
NGFW{running-gre0}ipaddress 100:10:10:0:0:0:0:1 100:11:11:0:0:0:0:1
NGFW{running-gre0}ipv6
Configure IPv6 settings.
Syntax
ipv6 mld
ipv6 mld version (1|2)
ipv6 ospfv3 area (A.B.C.D|(0-4294967295))
ipv6 ospfv3 cost COST
ipv6 ospfv3 dead-interval VALUE
ipv6 ospfv3 hello-interval VALUE
ipv6 ospfv3 priority VALUE
ipv6 ospfv3 retransmit-interval VALUE
ipv6 ospfv3 transmit-delay VALUE
ipv6 ripng
ipv6 ripng split-horizon [poison-reverse]
Example
NGFW{running-gre0}ipv6 mld version 2
NGFW{running-gre0}ipv6 ospfv3 area 1
NGFW{running-gre0}ipv6 ospfv3 cost 1
NGFW{running-gre0}ipv6 ospfv3 dead-interval 1
NGFW{running-gre0}ipv6 ospfv3 hello-interval 1
NGFW{running-gre0}ipv6 ospfv3 priority 1
NGFW{running-gre0}ipv6 ospfv3 retransmit-interval 3
NGFW{running-gre0}ipv6 ospfv3 transmit-delay 1
NGFW{running-gre0}ipv6 ripng split-horizon poison-reverse
NGFW{running-gre0}key
Configure GRE key.
Syntax
key (enable|disable)
key (0-4294967295)
enable Enable GRE key - use a default key
disable Disable GRE key
(0-4294967295) Set GRE key value
Example
NGFW{running-gre0}key enable
NGFW{running-gre0}mtu
Configure interface MTU.
Syntax
mtu (default|(68-9216))
Example
NGFW{running-gre0}mtu 1500
NGFW{running-gre0}shutdown
Shutdown logical interface state.
Syntax
shutdown
Example
NGFW{running-gre0}shutdown
NGFW{running-gre0}tcp4mss
Configure interface TCP MSS for IPv4.
Syntax
tcp4mss (disable|automatic|4-65535)
disable Disable service
automatic Automatically select TCP MSS based on interface MTU
VALUE TCP MSS value for IPv4
Example
NGFW{running-gre0}tcp4mss automatic
NGFW{running-gre0}tcp6mss
Configure interface TCP MSS for IPv6.
Syntax
tcp6mss (disable|automatic|4-65535)
disable Disable service
automatic Automatically select TCP MSS based on interface MTU
VALUE TCP MSS value for IPv6
Example
NGFW{running-gre0}tcp6mss automatic
running-high-availability Context Commands
NGFW{running}high-availability
NGFW{running-high-availability}delete
Delete file or configuration item.
Syntax
delete failover-group base-mac
delete failover-group name
base-mac Base MAC address
name Failover group name
Example
NGFW{running-high-availability}delete failover-group name
NGFW{running-high-availability}disable
Disable high-availability.
Syntax
disable
Example
NGFW{running-high-availability}disable
NGFW{running-high-availability}enable
Enable high-availability.
Syntax
enable
Example
NGFW{running-high-availability}enable
NGFW{running-high-availability}failover-group
Allows you to define the name and base MAC address for a failover group.
Syntax
failover-group base-mac X:X:X:X:X:X
failover-group name NAME
Example
NGFW{running-high-availability}failover-group name mygroupname
NGFW{running-high-availability}state-sync
Allows you to define state synchronization.
Syntax
state-sync global [enable|disable]
state-sync firewall [enable|disable]
state-sync firewall [log-level (alert|critical|debug|emergency|error|info|notice|warning|none)]
state-sync ips [enable|disable]
state-sync ips [log-level (alert|critical|debug|emergency|error|info|notice|warning|none)]
state-sync routing [enable|disable]
state-sync routing [log-level (alert|critical|debug|emergency|error|info|notice|warning|none)]
Example
NGFW{running-high-availability}state-sync firewall enable
running-ips Context Commands
Immediate Commit Feature. Changes take effect immediately.
NGFW{running}ips
NGFW{running-ips}afc-mode
Configures AFC mode.
Syntax
afc-mode AFCMODE
Example
NGFW{running-ips}afc-mode ?
Valid entries at this position are:
automatic Automatic AFC mode
manual Manual AFC mode
NGFW{running-ips}afc-severity
Configures AFC severity level.
Syntax
afc-severity SEVERITY
Example
NGFW{running-ips}afc-severity ?
Valid entries for SEVERITY:
critical Critical severity
error Error severity
info Info severity
warning Warning severity
NGFW{running-ips}connection-table
Configures connection table timeout.
Syntax
connection-table TIMEOUTTYPE SECONDS
TIMEOUTTYPE Connection table timeout type
Possible values for TIMEOUTTYPE are:
non-tcp-timeout Connection table non-tcp timeout
timeout Connection table timeout
trust-timeout Connection table trust timeout
SECONDS Connection table timeout seconds
Example
NGFW{running-ips}connection-table trust-timeout 60
NGFW{running-ips}delete
Allows you to delete a profile.
Syntax
delete profile XPROFILENAME
Example
NGFW{running-ips}delete profile myprofile
NGFW{running-ips}deployment-choices
Gets deployment choices.
Syntax
deployment-choices
Example
NGFW{running-ips}deployment-choices ?
Name Description:
------------------------------------------------------------
Default "Recommended for general deployment."
Aggressive "Offers a more aggressive security posture that may require tuning based upon specific application protocol usage."
Core "Recommended for deployment in the network core."
Edge "Recommended for deployment in a Server Farm/DMZ."
Perimeter "Recommended for deployment at an Internet entry point."
NGFW{running-ips}display-categoryrules
Display category rules for all profiles.
Syntax
display-categoryrules
Example
NGFW{running-ips}display-categoryrules ?
category "Streaming Media" enabled actionset "Recommended"
category "Identity Theft" enabled actionset "Recommended"
category "Virus" enabled actionset "Recommended"
category "Spyware" enabled actionset "Recommended"
category "IM" enabled actionset "Recommended"
category "Network Equipment" enabled actionset "Recommended"
category "Traffic Normalization" enabled actionset "Recommended"
category "P2P" enabled actionset "Recommended"
category "Vulnerabilities" enabled actionset "Recommended"
category "Exploits" enabled actionset "Recommended"
category "Reconnaissance" enabled actionset "Recommended"
category "Security Policy" enabled actionset "Recommended"
NGFW{running-ips}gzip-decompression
Sets GZIP decompression mode.
Syntax
gzip-decompression (enable|disable)
Example
NGFW{running-ips}gzip-decompression enable
NGFW{running-ips}profile
Allows you to create or enter an IPS profile.
Syntax
profile PROFILENAME
Example
NGFW{running-ips}profile myprofile
NGFW{running-ips}quarantine-duration
Sets quarantine duration.
Syntax
quarantine-duration DURATION
DURATION Value from 1 to 1440 minutes
Example
NGFW{running-ips}quarantine-duration 60
NGFW{running-ips}rename
Renames a profile.
Syntax
rename profile PROFILENAME NEWPROFILENAME
Example
NGFW{running-ips}rename profile myprofile yourprofile
running-ips-X Context Commands
Immediate Commit Feature. Changes take effect immediately.
NGFW{running-ips}profile 1
NGFW{running-ips-1}categoryrule
Enters categoryrule context.
Syntax
categoryrule
Example
NGFW{running-ips-1}categoryrule
NGFW{running-ips-1-categoryrule}
NGFW{running-ips-1-categoryrule} ?
Valid entries at this position are:
category Custom category keyword
display Display category rules for profile
help Display help information
NGFW{running-ips-1-categoryrule}display
categoryrule
category "Network Equipment" enabled actionset "Recommended"
category "IM" enabled actionset "Recommended"
category "Spyware" enabled actionset "Recommended"
category "Virus" enabled actionset "Recommended"
category "Identity Theft" enabled actionset "Recommended"
category "Streaming Media" enabled actionset "Recommended"
category "Security Policy" enabled actionset "Recommended"
category "Reconnaissance" enabled actionset "Recommended"
category "Exploits" enabled actionset "Recommended"
category "Vulnerabilities" enabled actionset "Recommended"
category "P2P" enabled actionset "Recommended"
category "Traffic Normalization" enabled actionset "Recommended"
exit
NGFW{running-ips-1}delete
Delete file or configuration item.
Syntax
delete filter FILTERNUMBER
FILTERNUMBER Existing filter number
Example
NGFW{running-ips-1}delete filter 9
NGFW{running-ips-1}deployment
Change deployment.
Syntax
deployment (Aggressive|Core|Default|Edge|Perimeter)
Example
NGFW{running-ips-1}deployment Default
NGFW{running-ips-1}description
Edit description for a profile.
Syntax
description DESCRIPTION
Example
NGFW{running-ips-1}description "my description"
NGFW{running-ips-1}filter
Creates or enters a filter context.
Syntax
filter FILTERNUMBER
Example
NGFW{running-ips-1}filter 200
running-ipsec Context Commands
NGFW{running}vpn ipsec
NGFW{running-ipsec}delete
Delete file or configuration item.
Syntax
delete log vpn CONTACT-NAME
delete phase1 proposal (all|NAME)
delete phase2 proposal (all|NAME)
delete policy (all|NAME)
delete pre-shared-keys (all|A.B.C.D|X:X::X:X|HOSTNAME) [vrf-id ID|any]
delete retransmit-timeout
delete retransmit-tries
delete trust (all|CANAME)
delete user
delete vpn (all|NAME)
Valid entries:
log Delete a Notification Contact from a log service
phase1 Delete Phase1 proposal
phase2 Delete Phase2 Proposal
policy Delete IPsec Policy
pre-shared-keys Delete pre-shared-keys
retransmit-timeout Delete Dead Peer Detection retransmit-timeout
retransmit-tries Delete Dead Peer Detection retransmit-tries
trust Delete certification authority trust
user Delete user context
vpn Delete IPsec Virtual Private Networks
Example
NGFW{running-ipsec}delete phase1 proposal all
NGFW{running-ipsec}ipsec
Enables or disables IPsec.
Syntax
ipsec (enable|disable)
Example
NGFW{running-ipsec}ipsec enable
NGFW{running-ipsec}log
Add log to a log session.
Syntax
log vpn CONTACT-NAME [SEVERITY]
Valid entries:
vpn Configure log for VPN (IPSec) services
CONTACT-NAME Notification Contact name
Example
NGFW{running-ipsec}log vpn fred warning
NGFW{running-ipsec}manual
Enters manual Security Association context.
Syntax
manual
Example
NGFW{running-ipsec}manual
NGFW{running-manual-sa}
NGFW{running-ipsec}phase1
Enters phase1 proposal context.
Syntax
phase1 VERSION proposal NAME
Valid entries:
VERSION 1 (IKE Version 1)
2 (IKE Version 2)
proposal Phase1 proposal
NAME Phase1 proposal name : alphanumeric, underscore, dash excluding 'all'
Example
NGFW{running-ipsec}phase1 1 proposal propname
NGFW{running-phase1-proposal-propname}help
NGFW{running-phase1-proposal-propname}?
NGFW{running-ipsec}phase2
Enters phase2 proposal context.
Syntax
phase2 VERSION proposal NAME
Valid entries:
VERSION 1 (IKE Version 1)
2 (IKE Version 2)
proposal Phase2 proposal
NAME Phase2 proposal name : alphanumeric, underscore, dash excluding 'all'
Example
NGFW{running-ipsec}phase2 1 proposal propname
NGFW{running-phase2-proposal-propname}
NGFW{running-ipsec}policy
Enters IPSec Policy sub-context.
Syntax
policy NAME [PRIORITY]
Valid entries:
NAME IPsec Policy Name : alphanumeric, underscore, and dash excluding 'all'
PRIORITY Priority for NEW policy (1-5989)
Example
NGFW{running-ipsec}policy mypolicy 1
NGFW{running-ipsec-policy-mypolicy}
NGFW{running-ipsec}pre-shared-key
Configures pre-shared key (start with 0x for hexadecimal key).
Syntax
pre-shared-key local (A.B.C.D|X:X::X:X|LFQDN) remote (A.B.C.D|X:X::X:X|RFQDN|any)
Valid entries:
local Configure local host
A.B.C.D Local Peer IPv4 address
X:X::X:X Local Peer IPv6 address
LFQDN Hostname or user fqdn
remote Configure remote host
A.B.C.D Remote Peer IPv4 address
X:X::X:X Remote Peer IPv6 address
RFQDN Hostname or user fqdn
any any remote IP Address
Example
NGFW{running-ipsec}pre-shared-key local 100:0:0:0:0:0:0:1 remote 2001:db8:0:0:0:0:0:1
Enter pre-shared key:**************
NGFW{running-ipsec}retransmit-timeout
Configures IKEv2 Dead Peer Detection retransmission timeout in seconds.
Syntax
retransmit-timeout TIMEOUT
TIMEOUT Configure IKEv2 Dead Peer Detection retransmission timeout in seconds
Example
NGFW{running-ipsec}retransmit-timeout 60
NGFW{running-ipsec}retransmit-tries
Configures IKEv2 Dead Peer Detection maximum retransmission tries.
Syntax
retransmit-tries COUNT
COUNT Configure IKEv2 Dead Peer Detection maximum retransmission tries
Example
NGFW{running-ipsec}retransmit-tries 4
NGFW{running-ipsec}trust
Configures certification authority trust.
Syntax
trust CANAME
CANAME Certification authority name
Example
NGFW{running-ipsec}trust mycertname
NGFW{running-ipsec}user
Enter vpn user context.
Syntax
user
Example
NGFW{running-ipsec}user
NGFW{running-ipsec-user}help
NGFW{running-ipsec}vpn
Enter VPN context.
Syntax
vpn NAME
Example
NGFW{running-ipsec}vpn myvpn
NGFW{running-ipsec-vpn-myvpn}help
NGFW{running-ipsec-vpn-myvpn}?
running-ipsec-policy-X Context Commands and their Usage
NGFW{running}vpn ipsec
NGFW{running-ipsec}policy myipsecpolicy
NGFW{running-ipsec-policy-myipsecpolicy}mode
Configure encapsulation mode.
Syntax
mode MODE
Example
NGFW{running-ipsec-policy-myipsecpolicy}mode tunnel
NGFW{running-ipsec-policy-myipsecpolicy}policy
Enable or Disable IPsec Policy.
Syntax
policy enable|disable
Example
NGFW{running-ipsec-policy-myipsecpolicy}policy enable
NGFW{running-ipsec-policy-myipsecpolicy}rule
Configure IPsec traffic selector.
Syntax
rule SOURCE_ADDR REMOTE_ADDR PROTOCOL
Example
NGFW{running-ipsec-policy-myipsecpolicy}rule 172.16.1.1 172.16.2.2 any
NGFW{running-ipsec-policy-myipsecpolicy}vpn-name
Configure the VPN to use for this policy.
Syntax
vpn-name VPNNAME
Example
NGFW{running-ipsec-policy-myipsecpolicy}vpn-name mytunnel
running-ipsec-vpn-X Context Commands and their Usage
NGFW{running}vpn ipsec
NGFW{running-ipsec}vpn myvpn
NGFW{running-ipsec-vpn-myvpn}certificate
Configure certificate name.
Syntax
certificate CERTNAME
Example
NGFW{running-ipsec-vpn-myvpn}delete
Delete file or configuration item.
Syntax
delete certificate
delete exchange-mode
delete identity
delete ip-pool
delete peers
delete proposal
delete user-group
Example
NGFW{running-ipsec-vpn-myvpn}dpddelay
Configure Dead Peer Detection delay in seconds.
Syntax
dpddelay (SECONDS|disable)
dpddelay ((1-99999999999999999)|disable)
Example
NGFW{running-ipsec-vpn-myvpn}dpddelay 10
NGFW{running-ipsec-vpn-myvpn}dpddelay disable
NGFW{running-ipsec-vpn-myvpn}dpdtimeout
Configure IKEv1 Dead Peer Detection timeout interval in seconds.
Syntax
dpdtimeout SECONDS
dpdtimeout (1-99999999999999999)
Example
NGFW{running-ipsec-vpn-myvpn}dpdtimeout 90
NGFW{running-ipsec-vpn-myvpn}exchange-mode
Configure Phase1 Exchange Mode.
Syntax
exchange-mode (main|aggressive)
Example
NGFW{running-ipsec-vpn-myvpn}exchange-mode aggressive
NGFW{running-ipsec-vpn-myvpn}identity
Configure local and remote IKE Identities.
Syntax
identity local ((ip-address A.B.C.D|X:X::X:X|anyLADDR)|(fqdn
HOSTNAME|anyLHOSTNAME)|(user-fqdn EMAILADDRESS|anyLEMAIL)|(asn1dn
asn1dn|anyLASNDNAME)) [remote (ip-address A.B.C.D|X:X::X:X|anyRADDR)|(fqdn
HOSTNAME|anyRHOSTNAME)|(user-fqdn EMAILADDRESS|anyREMAIL)|(asn1dn
asn1dn|anyRASNDNAME)]
Example
NGFW{running-ipsec-vpn-myvpn}identity local nearside.example.com remote farside.example.com
NGFW{running-ipsec-vpn-myvpn}ip-compression
Enable or disable IP Compression.
Syntax
ip-compression (enable|disable)
Example
NGFW{running-ipsec-vpn-myvpn}ip-compression enable
NGFW{running-ipsec-vpn-myvpn}ip-pool
Configure IP Pool for remote VPN clients.
Syntax
ip-pool (A.B.C.D/M|X:X::X:X/M)
Example
NGFW{running-ipsec-vpn-myvpn}ip-pool 192.168.1.0/24
NGFW{running-ipsec-vpn-myvpn}key
Configure Key exchange type.
Syntax
key (ike|manual)
Example
NGFW{running-ipsec-vpn-myvpn}key ike
NGFW{running-ipsec-vpn-myvpn}nat-traversal
Enable or disable NAT Traversal mode.
Syntax
nat-traversal (enable|disable)
Example
NGFW{running-ipsec-vpn-myvpn}nat-traversal enable
NGFW{running-ipsec-vpn-myvpn}peer
Configure local and remote VPN Peers.
Syntax
peer local (A.B.C.D|X:X::X:X) remote (A.B.C.D|X:X::X:X)
Example
NGFW{running-ipsec-vpn-myvpn}peer local 192.168.1.1 remote 192.168.2.2
NGFW{running-ipsec-vpn-myvpn}proposal
Configure Phase1 and Phase2 IKE proposals.
Syntax
proposal PHASE1 PHASE2
Example
NGFW{running-ipsec-vpn-myvpn}proposal myphase1 myphase2
NGFW{running-ipsec-vpn-myvpn}rekey
Enable or disable rekey.
Syntax
rekey (enable|disable)
Example
NGFW{running-ipsec-vpn-myvpn}rekey enable
NGFW{running-ipsec-vpn-myvpn}type
Configure VPN type.
Syntax
type (site-to-site|client-to-site)
Example
NGFW{running-ipsec-vpn-myvpn}type site-to-site
NGFW{running-ipsec-vpn-myvpn}user-group
Configure VPN user group.
Syntax
user-group GROUP
Example
NGFW{running-ipsec-vpn-myvpn}user-group myvpngroup
running-l2tp-serverX Context Commands
NGFW{running}l2tp-server0
NGFW{running-l2tp-server0}auth
Authenticated configuration.
Syntax
auth (enable|disable)
auth shared-secret (A.B.C.D|any) secret-key
Example
NGFW{running-l2tp-server0}auth enable
NGFW{running-l2tp-server0}bind
Configures bind service of L2TP server.
Syntax
bind (none|any|(A.B.C.D [port]))
Valid entries:
none Remove bind configuration
any Configure any bind
A.B.C.D IPv4 address to bind
port Port range (1024-65535)
Example
NGFW{running-l2tp-server0}bind 198.152.100.0
NGFW{running-l2tp-server0}delete
Deletes file or configuration item.
Syntax
delete auth shared-secret (A.B.C.D|all)
Valid entries:
auth Delete authenticated configuration
shared-secret Shared secret for an IPv4 address
A.B.C.D IPv4 address
all All settings
Example
NGFW{running-l2tp-server0}delete auth shared-secret all
NGFW{running-l2tp-server0}hiding
Enables or disables hiding configuration.
Syntax
hiding (enable|disable)
Example
NGFW{running-l2tp-server0}hiding enable
NGFW{running-l2tp-server0}sequencing
Enables or disables sequence configuration.
Syntax
sequencing (enable|disable)
Example
NGFW{running-l2tp-server0}sequencing enable
running-l2tpX Context Commands
NGFW{running}interface l2tp0
NGFW{running-l2tp0}auth
Authenticated configuration.
Syntax
auth l2tp (enable|disable)
auth l2tp shared-secret SECRET
auth ppp reply ALGORITHM
auth ppp user-id NAME PASSWORD
Valid entries:
l2tp Configure L2TP authenticated options
ppp Configure PPP authenticated options
Valid entries for ALGORITHM:
pap Pap authentication
chap Chap authentication
chap-md5 Chap md5 authentication
ms-chapv2 Ms chapv2 authentication
ms-chap Ms chap authentication
Example
NGFW{running-l2tp0}auth l2tp enable
NGFW{running-l2tp0}auth l2tp shared-secret secret
NGFW{running-l2tp0}auth ppp reply chap-md5
NGFW{running-l2tp0}auth ppp user-id myuser mypassword
NGFW{running-l2tp0}autoconfv6
Enable or disable IPv6 autoconfiguration on interface.
Syntax
autoconfv6 (enable|disable)
Example
NGFW{running-l2tp0}autoconfv6 enable
NGFW{running-l2tp0}autoconfv6 disable
NGFW{running-l2tp0}bind
Configure binding addresses of the L2TP tunnel.
Syntax
bind (none|(A.B.C.D A.B.C.D))
Example
NGFW{running-l2tp0}bind 192.168.2.1 192.168.200.1
NGFW{running-l2tp0}bind none
NGFW{running-l2tp0}delete
Delete file or configuration item.
Syntax
delete auth l2tp shared-secret
delete auth ppp reply (all|AUTH-ALGO)
delete auth ppp user-id
delete ip igmp
delete ip igmp version
delete ipv6 mld
delete ipv6 mld version
delete log-option ppp all
delete log-option ppp DEL-PPP-LOG-OPTION {1,10}
delete prefix all|X:X::X:X/M
delete shutdown
Example
NGFW{running-l2tp0}delete auth l2tp shared-secret
NGFW{running-l2tp0}delete auth ppp reply chap-md5
NGFW{running-l2tp0}delete auth ppp user-id
NGFW{running-l2tp0}
NGFW{running-l2tp0}delete ip igmp version
NGFW{running-l2tp0}delete ip igmp
NGFW{running-l2tp0}delete ipv6 mld
NGFW{running-l2tp0}delete log-option ppp all
NGFW{running-l2tp0}delete prefix 100::/64
NGFW{running-l2tp0}delete shutdown
NGFW{running-l2tp0}description
Enter description for the interface.
Syntax
description TEXT
Example
NGFW{running-l2tp0}description "l2tp interface 0"
NGFW{running-l2tp0}dns-request
Configure IP DNS server address request.
Syntax
dns-request (enable|disable)
Example
NGFW{running-l2tp0}dns-request enable
NGFW{running-l2tp0}dns-request disable
NGFW{running-l2tp0}ip
Configure IP settings.
Syntax
ip igmp
ip igmp version (1|2|3)
Example
NGFW{running-l2tp0}ip igmp
NGFW{running-l2tp0}ip igmp version 3
NGFW{running-l2tp0}ipcp
Enable or disable IPCP for IPv4.
Syntax
ipcp (enable|disable)
Example
NGFW{running-l2tp0}ipcp enable
NGFW{running-l2tp0}ipcp disable
NGFW{running-l2tp0}ipv6
Configure IPv6 settings.
Syntax
ipv6 mld
ipv6 mld version (1|2)
Example
NGFW{running-l2tp0}ipv6 mld
NGFW{running-l2tp0}ipv6cp
Enable or disable IPCP for IPv6.
Syntax
ipv6cp (enable|disable)
Example
NGFW{running-l2tp0}ipv6cp enable
NGFW{running-l2tp0}ipv6cp disable
NGFW{running-l2tp0}keep-alive
LCP keep alive period in seconds.
Syntax
keep-alive ppp disable
keep-alive ppp (default|(0-600)) [retry (0-600)]
Example
NGFW{running-l2tp0}keep-alive ppp default retry 1
NGFW{running-l2tp0}keep-alive ppp disable
NGFW{running-l2tp0}log-option
Add service log option.
Syntax
log-option ppp all
log-option ppp (PPP-LOG-OPTION)
PPP-LOG-OPTION valid entries:
auth Link authentication events
ipcp IPCP events and negotiation
ipv6cp IPV6CP events and negotiation
l2tp L2TP high level events
l2tp2 L2TP more detailed events
l2tp3 L2TP packet dumps
pptp PPTP high level events
pptp2 PPTP more detailed events
pptp3 PPTP packet dumps
lcp LCP events and negotiation
phys Physical layer events
radius Radius authentication events
echo Keep-alive events
bund Bundle events
iface IP interface and route management events
link Link events
frame Dump all incoming and outgoing frames
fsm All state machine events (except echo and reset)
Example
NGFW{running-l2tp0}log-option ppp all
NGFW{running-l2tp0}mru
Configure interface MRU.
Syntax
mru (default|(64-65535))
Example
NGFW{running-l2tp0}mru 1500
NGFW{running-l2tp0}mru default
NGFW{running-l2tp0}mtu
Configure interface MTU.
Syntax
mtu (default|(68-9216))
Example
NGFW{running-l2tp0}mtu 1500
NGFW{running-l2tp0}prefix
Configure IPv6 prefix; lifetimes are in seconds.
Syntax
prefix X:X::X:X/M [valid-lifetime (1-4294967295)] [preferred-lifetime (1-4294967295)]
Example
NGFW{running-l2tp0}prefix 100:0:0:0:0:0:0:0/64 valid-lifetime 2592000 preferred-lifetime 604800
NGFW{running-l2tp0}ra-autoconf-level
Modify IPv6 Router Advertisement autoconfiguration level.
Syntax
ra-autoconf-level AUTOCONF
Possible values for AUTOCONF are:
none No parameter is autoconfigured
address Address is autoconfigured
other Some other parameters are autoconfigured
full Most parameters are autoconfigured
Example
NGFW{running-l2tp0}ra-autoconf-level full
NGFW{running-l2tp0}ra-interval
Modify IPv6 Router Advertisement interval value in milliseconds.
Syntax
ra-interval (90-1800000)
Example
NGFW{running-l2tp0}ra-interval 600
NGFW{running-l2tp0}ra-interval-transmit
Modify IPv6 Router Advertisement interval transmit.
Syntax
ra-interval-transmit (enable|disable)
Example
NGFW{running-l2tp0}ra-interval-transmit enable
NGFW{running-l2tp0}ra-lifetime
Modify IPv6 Router Advertisement prefix lifetime in seconds.
Syntax
ra-lifetime (0-9000000)
(0 if none)
Example
NGFW{running-l2tp0}ra-lifetime 1800
NGFW{running-l2tp0}ra-mtu
Modify IPv6 Router Advertisement MTU value.
Syntax
ra-mtu (none|(68-9216))
none Not configured
(0 if none)
Example
NGFW{running-l2tp0}ra-mtu 1500
NGFW{running-l2tp0}ra-transmit-mode
Modify IPv6 Router Advertisement transmit mode.
Syntax
ra-transmit-mode MODE
Possible values for MODE are:
always Router Advert message is always sent
never Router Advert message is never sent
smart Router Advert message is sent if a prefix is defined
Example
NGFW{running-l2tp0}ra-transmit-mode smart
NGFW{running-l2tp0}sequencing
Enable the use of sequence numbers on data messages.
Syntax
sequencing (enable|disable)
Valid entries:
disable Disable sequencing parameters
enable Enable sequencing parameters
Example
NGFW{running-l2tp0}sequencing enable
NGFW{running-l2tp0}shutdown
Shutdown logical interface state.
Syntax
shutdown
Example
NGFW{running-l2tp0}shutdown
NGFW{running-l2tp0}tcp4mss
Configure interface TCP MSS for IPv4.
Syntax
tcp4mss (disable|automatic|VALUE)
Valid entries:
disable Disable service
automatic Automatically select TCP MSS based on interface MTU
VALUE TCP MSS value for IPv4 (4-65535)
Example
NGFW{running-l2tp0}tcp4mss automatic
NGFW{running-l2tp0}tcp6mss
Configure interface TCP MSS for IPv6.
Syntax
tcp6mss (disable|automatic|VALUE)
Valid entries:
disable Disable service
automatic Automatically select TCP MSS based on interface MTU
VALUE TCP MSS value for IPv6 (4-65535)
Example
NGFW{running-l2tp0}tcp6mss automatic
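Added example (not code from HP or from this guide): the Python code below reviews a CLI transcript in the guide's NGFW{context}command prompt format, flags the weaker choices among the gre, ipsec, l2tp and log-option settings documented in this chapter, and redacts inline keys and passwords in its report. The rule reasons, the names audit, redact and SAMPLE, and the sample transcript are assumptions made for illustration; each matching command is reported as typed, and later overrides or delete commands are not modelled.

```python
import re
from typing import NamedTuple

# Prompt format used throughout this guide: NGFW{context}command
PROMPT = re.compile(r"^NGFW\{(?P<ctx>[^}]+)\}\s*(?P<cmd>\S.*)$")

# (context regex, command regex, reason). Keywords come from the Syntax entries
# in this guide; the reasons are this example's own review policy (assumption).
RULES = [
    (r"running-gre\d+", r"ip (ospf|rip) authentication mode text( \S+)?",
     "routing key is sent in cleartext; prefer 'mode md5'"),
    (r"running-gre\d+", r"ip rip (receive|send) version (v1-only|v1-or-v2)",
     "RIPv1 updates carry no authentication"),
    (r"running-ipsec-vpn-.+", r"exchange-mode aggressive",
     "IKEv1 aggressive mode exposes identities and permits offline "
     "guessing of a pre-shared key"),
    (r"running-ipsec", r"pre-shared-key local \S+ remote any",
     "one pre-shared key is accepted from any remote peer"),
    (r"running-l2tp\d+", r"auth ppp reply (pap|ms-chap)",
     "PAP sends the password in cleartext; MS-CHAP version 1 is a weak "
     "legacy protocol"),
    (r"running-l2tp\d+", r"auth l2tp disable",
     "L2TP authentication turned off"),
    (r"running-l2tp-server\d+", r"auth disable",
     "L2TP authentication turned off"),
    (r"running-(log|l2tp\d+)",
     r"log-option ppp (\S+ )*(all|l2tp3|pptp3|frame)( \S+)*",
     "packet or frame dumps enabled; traffic contents end up in the logs"),
]

# Commands from this guide that take a key or password as their last argument.
SECRET = re.compile(
    r"^((?:delete )?ip (?:ospf|rip) authentication mode (?:md5 \d+|text)"
    r"|auth l2tp shared-secret|auth ppp user-id \S+|auth shared-secret \S+)"
    r" \S+$"
)


class Finding(NamedTuple):
    line: int   # 1-based line number in the transcript
    ctx: str    # context name taken from inside NGFW{...}
    cmd: str    # command with any inline secret redacted
    why: str


def redact(cmd):
    """Replace a trailing inline key or password with a placeholder."""
    return SECRET.sub(r"\1 <redacted>", cmd)


def audit(transcript):
    """Return a Finding for every command that matches a rule."""
    findings = []
    for n, raw in enumerate(transcript.splitlines(), 1):
        m = PROMPT.match(raw.strip())
        if not m:
            continue  # command output, interactive key prompts, blank lines
        ctx = m["ctx"]
        cmd = " ".join(m["cmd"].split())  # normalise whitespace
        if cmd.endswith("?"):
            continue  # context help query, not a configuration change
        for ctx_re, cmd_re, why in RULES:
            if re.fullmatch(ctx_re, ctx) and re.fullmatch(cmd_re, cmd):
                findings.append(Finding(n, ctx, redact(cmd), why))
    return findings


# Constructed transcript for illustration; not captured from a device.
SAMPLE = """\
NGFW{running}interface gre0
NGFW{running-gre0}ip ospf authentication mode text mysecret
NGFW{running-gre0}ip ospf authentication mode md5 1 mysecret
NGFW{running-gre0}ip rip receive version v1-or-v2
NGFW{running-gre0}ip rip send version v2-only
NGFW{running}vpn ipsec
NGFW{running-ipsec}vpn myvpn
NGFW{running-ipsec-vpn-myvpn}exchange-mode aggressive
NGFW{running-ipsec-vpn-myvpn}exchange-mode ?
NGFW{running}interface l2tp0
NGFW{running-l2tp0}auth ppp reply ms-chapv2
NGFW{running-l2tp0}auth ppp reply pap
NGFW{running-l2tp0}auth ppp user-id myuser mypassword
NGFW{running-l2tp0}log-option ppp auth l2tp3
"""

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f"line {f.line}: [{f.ctx}] {f.cmd} -> {f.why}")
```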
running-log Context Commands
NGFW{running}log
NGFW{running-log}delete
Delete file or configuration item.
Syntax
delete log audit CONTACT-NAME
delete log ipsec CONTACT-NAME
delete log quarantine CONTACT-NAME
delete log system CONTACT-NAME
delete log-option fib (events|kernel|memory|packet) [recv|send]
delete log-option ppp (all|DEL-PPP-LOG-OPTION){1,10}
delete log-option xmsd (all|LOG_OPTION)
Example
NGFW{running-log}delete log-option ?
Valid entries at this position are:
fib Delete fib log-option
ppp Delete PPP log options
xmsd Delete xmsd log-options
NGFW{running-log}delete log-option fib ?
Valid entries at this position are:
events Delete log-option fib events
kernel Delete log-option fib kernel
memory Delete log-option fib memory
packet Delete log-option fib packet (include recv and send)
NGFW{running-log}delete log-option fib events ?
Valid entries at this position are:
<Enter> Execute command
recv Delete log-option fib packet-recv
send Delete log-option fib packet-send
NGFW{running-log}delete log-option fib events recv
NGFW{running-log}delete log audit mycontactname ALL
NGFW{running-log}delete log vpn mycontactname error
NGFW{running-log}delete log quarantine mycontactname none
NGFW{running-log}delete log system mycontactname info
NGFW{running-log}log
Add log to a log session.
Syntax
log audit CONTACT-NAME [ALL|none]
log quarantine CONTACT-NAME [ALL|none]
log system CONTACT-NAME [SEVERITY]
log vpn CONTACT-NAME [SEVERITY]
Valid entries:
audit Configure log for audit services
quarantine Configure log for quarantine services
system Configure log for all services
vpn Configure log for VPN (IPSec) services
SEVERITY alert|critical|debug|emergency|error|info|notice|warning|none
Example
NGFW{running-log}log audit mycontactname ALL
NGFW{running-log}log vpn mycontactname error
NGFW{running-log}log quarantine mycontactname none
NGFW{running-log}log system mycontactname info
NGFW{running-log}log-option
Add service log option.
Syntax
log-option fib (events|kernel|memory|packet) [recv|send]
log-option ppp (all|PPP-LOG-OPTION)
log-option xmsd (all|LOG_OPTION)
Valid entries:
fib Configure FIB log options
Possible values for fib
events Enable logging fib events
kernel Enable logging fib kernel
memory Enable logging fib memory
packet Enable logging fib packet (include recv and send)
ppp Configure PPP log options
xmsd Configure xmsd log options
Possible values for ppp PPP-LOG-OPTION:
all Enable all optional log items
auth Link authentication events
ipcp IPCP events and negotiation
ipv6cp IPV6CP events and negotiation
l2tp L2TP high level events
l2tp2 L2TP more detailed events
l2tp3 L2TP packet dumps
pptp PPTP high level events
pptp2 PPTP more detailed events
pptp3 PPTP packet dumps
lcp LCP events and negotiation
phys Physical layer events
radius Radius authentication events
echo Keep-alive events
bund Bundle events
iface IP interface and route management events
link Link events
frame Dump all incoming and outgoing frames
fsm All state machine events (except echo and reset)
Possible values for xmsd LOG_OPTION:
ethgrp Enable logging ethgrp
addressgroups Enable logging addressgroups
security-zones Enable logging security zones
bnet Enable logging bnet
bridge Enable logging bridgeport
captive-portal Enable logging captive portal
vlan Enable logging vlan
segments Enable logging segments
mgmt Enable logging mgmt
interface Enable logging interface
xms_configure Enable logging xms configure
xms_process Enable logging xms process
xms_stream Enable logging xms stream
aaa Enable logging aaa
accesspoint Enable logging accesspoint
bfd Enable logging bfd
cron Enable logging cron
dhcp4client Enable logging dhcp4 client
dhcp4sever Enable logging dhcp4 server
dhcp6client Enable logging dhcp6 client
dhcp6server Enable logging dhcp6 server
dhcprelay Enable logging dhcprelay
dns Enable logging dns
dyndns Enable logging dyndns
eapauth Enable logging eapauth
ethernet Enable logging ethernet
filter Enable logging filter
firewall Enable logging firewall
fmipv6 Enable logging fmipv6
fw_nat Enable logging firewall policy nat
gre Enable logging gre
ipsec Enable logging ipsec
l2tpserver Enable logging l2tpserver
linkmonitor Enable logging linkmonitor
log Enable logging log
loopback Enable logging loopback
lsn Enable logging nat lsn
dstm Enable logging dstm
mig6to4 Enable logging migration 6to4
migisatap Enable logging migration isatap
migXin4 Enable logging migration Xin4
migXin6 Enable logging migration Xin6
mobility Enable logging mobility
multicastreg Enable logging multicastreg
nat Enable logging nat
ntp Enable logging ntp
openvpn Enable logging openvpn
osi Enable logging osi
pdh Enable logging pdh
pim4sm Enable logging pim4sm
pim6sm Enable logging pim6sm
ports Enable logging ports
ppp Enable logging ppp
pppoeserver Enable logging pppoeserver
pppserver Enable logging pppserver
routing Enable logging routing
schedules Enable logging schedules
serialport Enable logging serialport
services Enable logging services
snmp Enable logging snmp
snoop Enable logging snoop
svti Enable logging svti
system Enable logging system
qos Enable logging qos
xmsupdate Enable logging xmsupdate
vrf Enable logging vrf
vrrp Enable logging vrrp
wifi Enable logging wifi
xipc Enable logging xipc requests
Example
NGFW{running-log}log-option fib packet send
NGFW{running-log}log-option xmsd firewall
NGFW{running-log}log-option ppp auth
NGFW{running-log}sub-system
Sets sub-system log level.
Syntax
sub-system (COROSYNC|GATED|HTTPD|INIT|LOGIN|PACEMAKER|TOS|XMS|CRMADMIN)
[alert|critical|debug|emergency|error|info|notice|warning|none]
Possible values for SEVERITY are:
emergency Panic condition messages (TOS critical)
alert Immediate problem condition messages
critical Critical condition messages
error Error messages
warning Warning messages
notice Special condition messages
info Informational messages
debug Debug messages
debug0 TOS Debug0 messages
debug1 TOS Debug1 messages
debug2 TOS Debug2 messages
debug3 TOS Debug3 messages
none Turn off messages
Example
NGFW{running-log}sub-system LOGIN alert
running-loopbackX Context Commands
NGFW{running}interface loopback0
NGFW{running-loopback0}delete
Delete file or configuration item.
Syntax
delete ip ospf area
delete ip ospf authentication mode md5 (1-255) KEY
delete ip ospf authentication mode text KEY
delete ip ospf cost (1-65535)
delete ip ospf dead-interval (1-65535)
delete ip ospf hello-interval (1-65535)
delete ip ospf priority (0-255)
delete ip ospf retransmit-interval (3-65535)
delete ip ospf transmit-delay (1-65535)
delete ip rip
delete ip rip authentication mode md5
delete ip rip authentication mode text
delete ip rip receive version (v1-only|v2-only|v1-or-v2)
delete ip rip send version (v1-only|v2-only|v1-or-v2)
delete ip rip split-horizon
delete ipaddress (all|A.B.C.D/M|X:X::X:X/M)
delete ipaddress dhcpv4
delete ipaddress dhcpv6
delete ipv6 ospfv3 area
delete ipv6 ospfv3 cost
delete ipv6 ospfv3 dead-interval
delete ipv6 ospfv3 hello-interval
delete ipv6 ospfv3 priority
delete ipv6 ospfv3 retransmit-interval
delete ipv6 ospfv3 transmit-delay
delete ipv6 ripng
delete ipv6 ripng split-horizon
Example
NGFW{running-loopback0}delete ip rip split-horizon poison-reverse
NGFW{running-loopback0}delete ip rip split-horizon
NGFW{running-loopback0}delete ipaddress 192.168.1.1/24
NGFW{running-loopback0}delete ipaddress 100:0:0:0:0:0:0:1/64
NGFW{running-loopback0}delete ipv6 rip split-horizon poison-reverse
NGFW{running-loopback0}delete ipv6 rip split-horizon
NGFW{running-loopback0}delete ip ospf authentication mode md5 1 secret
NGFW{running-loopback0}delete ip ospf authentication mode text secret
NGFW{running-loopback0}delete ip ospf cost 1
NGFW{running-loopback0}delete ip ospf dead-interval 1
NGFW{running-loopback0}delete ip ospf hello-interval 1
NGFW{running-loopback0}delete ip ospf priority 1
NGFW{running-loopback0}delete ip ospf retransmit-interval 3
NGFW{running-loopback0}delete ip ospf transmit-delay 1
NGFW{running-loopback0}delete ip rip authentication mode md5
NGFW{running-loopback0}delete ip rip authentication mode text
NGFW{running-loopback0}delete ip rip receive version v2-only
NGFW{running-loopback0}delete ip rip send version v2-only
NGFW{running-loopback0}delete ipaddress 192.168.1.1/24
NGFW{running-loopback0}delete ipaddress 100:0:0:0:0:0:0:1/64
NGFW{running-loopback0}delete ipv6 ospfv3 area
NGFW{running-loopback0}delete ipv6 ospfv3 cost
NGFW{running-loopback0}delete ipv6 ospfv3 dead-interval
NGFW{running-loopback0}delete ipv6 ospfv3 hello-interval
NGFW{running-loopback0}delete ipv6 ospfv3 priority
NGFW{running-loopback0}delete ipv6 ospfv3 retransmit-interval
NGFW{running-loopback0}delete ipv6 ospfv3 transmit-delay
NGFW{running-loopback0}delete ipv6 ripng split-horizon poison-reverse
NGFW{running-loopback0}delete ipv6 ripng split-horizon
NGFW{running-loopback0}description
Enter description for the interface.
Syntax
description TEXT
Example
NGFW{running-loopback0}description "loopback interface 0"
NGFW{running-loopback0}ip
Configure IP settings.
Syntax
ip ospf area (A.B.C.D|(0-4294967295))
ip ospf authentication mode md5 (1-255) KEY
ip ospf authentication mode text KEY
ip ospf cost (1-65535)
ip ospf dead-interval (1-65535)
ip ospf hello-interval (1-65535) [A.B.C.D]
ip ospf priority (0-255)
ip ospf retransmit-interval (3-65535)
ip ospf transmit-delay (1-65535)
ip rip
ip rip authentication mode md5 (0-2147483647) KEY
ip rip authentication mode text
ip rip receive version (v1-only|v2-only|v1-or-v2)
ip rip send version (v1-only|v2-only|v1-or-v2)
ip rip split-horizon [poison-reverse]
Example
NGFW{running-loopback0}ip ospf area 1
NGFW{running-loopback0}ip ospf authentication mode md5 1 mysecret
NGFW{running-loopback0}ip ospf authentication mode text mysecret
NGFW{running-loopback0}ip ospf cost 1
NGFW{running-loopback0}ip ospf dead-interval 1
NGFW{running-loopback0}ip ospf hello-interval 1
NGFW{running-loopback0}ip ospf priority 1
NGFW{running-loopback0}ip ospf retransmit-interval 3
NGFW{running-loopback0}ip ospf transmit-delay 1
NGFW{running-loopback0}ip rip authentication mode md5 1 mysecret
NGFW{running-loopback0}ip rip authentication mode text
Enter key: up to 16 characters:******
NGFW{running-loopback0}ip rip receive version v2-only
NGFW{running-loopback0}ip rip send version v2-only
NGFW{running-loopback0}ip rip split-horizon poison-reverse
NGFW{running-loopback0}ipaddress
Configure IP address.
Syntax
ipaddress (A.B.C.D/M|X:X::X:X/M) [primary]
ipaddress dhcpv4
Example
NGFW{running-loopback0}ipaddress 192.168.1.1/24
NGFW{running-loopback0}ipaddress 100:0:0:0:0:0:0:1/64 primary
NGFW{running-loopback0}ipv6
Configure IPv6 settings.
Syntax
ipv6 ospfv3 area (A.B.C.D|(0-4294967295))
ipv6 ospfv3 cost COST
ipv6 ospfv3 dead-interval VALUE
ipv6 ospfv3 hello-interval VALUE
ipv6 ospfv3 priority VALUE
ipv6 ospfv3 retransmit-interval VALUE
ipv6 ospfv3 transmit-delay VALUE
ipv6 ripng
ipv6 ripng split-horizon [poison-reverse]
Example
NGFW{running-loopback0}ipv6 ospfv3 area 1
NGFW{running-loopback0}ipv6 ospfv3 cost 1
NGFW{running-loopback0}ipv6 ospfv3 dead-interval 1
NGFW{running-loopback0}ipv6 ospfv3 hello-interval 1
NGFW{running-loopback0}ipv6 ospfv3 priority 1
NGFW{running-loopback0}ipv6 ospfv3 retransmit-interval 3
NGFW{running-loopback0}ipv6 ospfv3 transmit-delay 1
NGFW{running-loopback0}ipv6 ripng split-horizon poison-reverse
NGFW{running-loopback0}mtu
Configure interface MTU.
Syntax
mtu (default|(68-9216))
Example
NGFW{running-loopback0}mtu 1500
running-manual-sa Context Commands
NGFW{running}vpn ipsec
NGFW{running-ipsec}manual
NGFW{running-manual-sa}delete
Delete file or configuration item.
Syntax
delete sa esp all
delete sa esp ((A.B.C.D|X:X::X:X) SPI)
Valid entries:
sa Configure Security Association
esp Delete ESP Security Associations
all Delete all ESP Security Associations
(A.B.C.D|X:X::X:X) Security Association remote address
SPI Security Parameter Index
Example
NGFW{running-manual-sa}delete sa esp 192.168.2.2 1
NGFW{running-manual-sa}sa
Configure Security Association.
Syntax
sa esp (A.B.C.D A.B.C.D) SPI MODE ((CRYPTALGO CRYPTKEY)|null) AUTHALGO AUTHKEY
sa esp (X:X::X:X X:X::X:X) SPI MODE ((CRYPTALGO CRYPTKEY)|null) AUTHALGO AUTHKEY
sa esp (A.B.C.D A.B.C.D) (1-4294967295) (tunnel|transport) ((3des-cbc
CRYPTKEY)|(aes-cbc CRYPTKEY)|null) (hmac-md5 AUTHKEY|hmac-sha1 AUTHKEY)
sa esp (X:X::X:X X:X::X:X) (1-4294967295) (tunnel|transport) ((3des-cbc
CRYPTKEY)|(aes-cbc CRYPTKEY)|null) (hmac-md5 AUTHKEY|hmac-sha1 AUTHKEY)
Valid entries:
esp ESP security association
A.B.C.D Security Association source IPv4 address
A.B.C.D Security Association destination IPv4 address
X:X::X:X Security Association source IPv6 address
X:X::X:X Security Association destination IPv6 address
SPI Security Parameter Index from 1 to 2^32-1 (e.g. 0x1 or 1 to 0xffffffff or
4294967295)
MODE IPsec processing mode
Possible values for MODE are:
tunnel Tunnel mode
transport Transport mode
CRYPTALGO IPsec encryption algorithm
Possible values for CRYPTALGO are:
3des-cbc Triple DES
aes-cbc AES
CRYPTKEY Encryption key
format: ASCII string ("abcdefgh1234#=+...")
hexadecimal value (0x123456789abcdef0)
length: 192 bits (24 bytes) for 3des-cbc
128/192/256 bits (16/24/32 bytes) for aes-cbc
null ESP_NULL encryption (RFC2410)
AUTHALGO IPsec authentication algorithm
Possible values for AUTHALGO are:
hmac-md5 HMAC-MD5
hmac-sha1 HMAC-SHA1
AUTHKEY Authentication/integrity key
format: ASCII string ("abcdefgh1234#=+...")
hexadecimal value (0x123456789abcdef0)
length: 128 bits (16 bytes) for hmac-md5
160 bits (20 bytes) for hmac-sha1
Example
NGFW{running-manual-sa}sa esp 192.168.1.1 192.168.2.2 1 tunnel aes-cbc
0x4d7acaf0c08349ebbcbd86a2093eadf69786537755fc3ea23835c2d71450fdf5 hmac-sha1
0x6a4a71232e102e404979f8edef925a51b1ac098d
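An added example (not from the HP guide) that checks an `sa esp` command line against the syntax and key lengths listed above before it is entered on the appliance. The function names and sample commands are this example's own, and the keys in them are constructed.

```python
import ipaddress
import re
import shlex

# Key lengths in bytes, from the CRYPTKEY and AUTHKEY descriptions above.
CRYPT_KEY_BYTES = {"3des-cbc": {24}, "aes-cbc": {16, 24, 32}}
AUTH_KEY_BYTES = {"hmac-md5": {16}, "hmac-sha1": {20}}
MODES = {"tunnel", "transport"}


def key_length(key):
    """Length in bytes of a key given as 0x-prefixed hex or as an ASCII string."""
    if key.lower().startswith("0x"):
        digits = key[2:]
        if not digits or len(digits) % 2:
            raise ValueError("hexadecimal key needs an even number of digits")
        return len(bytes.fromhex(digits))
    return len(key.encode("ascii"))


def parse_spi(text):
    """SPI is 1 to 2^32-1, written in decimal or as 0x-prefixed hexadecimal."""
    spi = int(text, 16) if text.lower().startswith("0x") else int(text, 10)
    if not 1 <= spi <= 0xFFFFFFFF:
        raise ValueError("SPI out of range")
    return spi


def check_key(label, algo, key, table):
    """Compare one key against the length(s) documented for its algorithm."""
    try:
        size = key_length(key)
    except ValueError as exc:
        return [f"{label}: {exc}"]
    if size not in table[algo]:
        want = "/".join(str(n) for n in sorted(table[algo]))
        return [f"{label}: {algo} needs {want} bytes, got {size}"]
    return []


def check_manual_sa(command):
    """Return a list of problems found in one 'sa esp ...' command line."""
    # Accept lines copied with the CLI prompt, e.g. NGFW{running-manual-sa}sa esp ...
    command = re.sub(r"^\s*NGFW\{[^}]*\}", "", command)
    try:
        tokens = shlex.split(command)
    except ValueError:
        return ["unbalanced quote in command"]
    if tokens[:2] != ["sa", "esp"]:
        return ["not an 'sa esp' command"]
    args = tokens[2:]
    if len(args) < 4:
        return ["too few arguments"]
    src, dst, spi, mode, rest = args[0], args[1], args[2], args[3], args[4:]
    problems = []
    try:
        a, b = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if a.version != b.version:
            problems.append("source and destination address families differ")
    except ValueError:
        problems.append("invalid source or destination address")
    try:
        parse_spi(spi)
    except ValueError:
        problems.append("SPI must be 1 to 4294967295 (0x1 to 0xffffffff)")
    if mode not in MODES:
        problems.append("MODE must be tunnel or transport")
    # Encryption is either the single word null or CRYPTALGO followed by CRYPTKEY.
    if rest[:1] == ["null"]:
        rest = rest[1:]
    elif len(rest) >= 2 and rest[0] in CRYPT_KEY_BYTES:
        problems += check_key("CRYPTKEY", rest[0], rest[1], CRYPT_KEY_BYTES)
        rest = rest[2:]
    else:
        return problems + ["expected null, or 3des-cbc/aes-cbc followed by a key"]
    if len(rest) != 2 or rest[0] not in AUTH_KEY_BYTES:
        return problems + ["expected hmac-md5 or hmac-sha1 followed by a key"]
    return problems + check_key("AUTHKEY", rest[0], rest[1], AUTH_KEY_BYTES)


# Constructed sample commands (keys are filler bytes, not real key material).
GOOD = ("NGFW{running-manual-sa}sa esp 192.168.1.1 192.168.2.2 1 tunnel "
        "aes-cbc 0x" + "ab" * 32 + " hmac-sha1 0x" + "cd" * 20)
SHORT_KEY = ("sa esp 192.168.1.1 192.168.2.2 1 tunnel "
             "aes-cbc 0x" + "ab" * 20 + " hmac-sha1 0x" + "cd" * 20)

if __name__ == "__main__":
    for cmd in (GOOD, SHORT_KEY):
        print(check_manual_sa(cmd) or "ok")
```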
running-mgmt Context Commands
NGFW{running}interface mgmt
NGFW{running-mgmt}delete
Delete file or configuration item.
Syntax
delete host (location|contact)
delete ip-filter ACTION SERVICE4 [ip ADDRESS4]
delete ip-filter ACTION SERVICE6 [ip ADDRESS6]
delete ip-filter ACTION ip (ADDRESS4|ADDRESS6)
delete ipaddress all|A.B.C.D/M|X:X::X:X/M
delete route A.B.C.D/M [A.B.C.D]
delete route X:X::X:X/M [X:X::X:X]
delete route all
Example
NGFW{running-mgmt}delete host contact
NGFW{running-mgmt}delete host location
NGFW{running-mgmt}delete ip-filter deny https ip 2001:2::1/128
NGFW{running-mgmt}delete ip-filter deny ip 192.168.1.1/32
NGFW{running-mgmt}delete route 192.168.0.0/24 192.168.0.2
NGFW{running-mgmt}delete route 2001:2::/48 100::2
NGFW{running-mgmt}delete route all
NGFW{running-mgmt}description
Enter description for the management interface.
Syntax
description TEXT
Example
NGFW{running-mgmt}description "management interface"
NGFW{running-mgmt}host
Configure the firewall host settings.
Syntax
host (name|location|contact) VALUE
Example
NGFW{running-mgmt}host contact "mycontact"
NGFW{running-mgmt}host location "mylocation"
NGFW{running-mgmt}host name "myfirewallname"
NGFW{running-mgmt}ip-filter
Create management IP filter rules.
Syntax
ip-filter (allow|deny) default
ip-filter (allow|deny) (https|icmp|snmp|ssh|ip) [ip
A.B.C.D/M|X:X::X:X/M|A.B.C.D|X:X::X:X]
ip-filter (allow|deny) ip (A.B.C.D/M|X:X::X:X/M|A.B.C.D|X:X::X:X)
Valid entries:
allow Allow IPv4/IPv6 rule
deny Deny IPv4/IPv6 rule
default Default rule
Possible values for service are:
https allow/deny HTTPS. This will affect SMS which uses HTTPS
ssh allow/deny SSH
icmp allow/deny ICMP/ICMPv6
snmp allow/deny SNMP
ip IP address
A.B.C.D/M IPv4 address with netmask
X:X::X:X/M IPv6 address with prefix length
A.B.C.D IPv4 address
X:X::X:X IPv6 address
Example
NGFW{running-mgmt}ip-filter allow default
NGFW{running-mgmt}ip-filter allow https ip 192.168.1.0/24
NGFW{running-mgmt}ip-filter deny ip 192.168.1.1
NGFW{running-mgmt}ip-filter deny https ip 2001:2:0:0:0:0:0:1
NGFW{running-mgmt}ipaddress
Configure IP address.
Syntax
ipaddress (A.B.C.D/M|X:X::X:X/M)
Example
NGFW{running-mgmt}ipaddress 192.168.1.1/24
NGFW{running-mgmt}ipaddress 100:0:0:0:0:0:0:1/64
NGFW{running-mgmt}physical-media
Configure physical-media settings.
Syntax
physical-media (auto-neg)|(10half|10full|100half|100full|1000full)
Valid entries:
auto-neg Enable auto-negotiation (default is on)
SPEED-MODE Set the port speed
Possible values for SPEED-MODE are:
10half Supported port speed and mode
10full Supported port speed and mode
100half Supported port speed and mode
100full Supported port speed and mode
1000full Supported port speed and mode
Example
NGFW{running-mgmt}physical-media auto-neg
NGFW{running-mgmt}physical-media 1000full
NGFW{running-mgmt}route
Add IPv4/IPv6 static route.
Syntax
route A.B.C.D/M A.B.C.D [DISTANCE]
route X:X::X:X/M X:X::X:X [DISTANCE]
A.B.C.D/M Unicast IPv4 prefix address
X:X::X:X/M Unicast IPv6 prefix address
Example
NGFW{running-mgmt}route 192.168.0.0/24 192.168.0.2 1
NGFW{running-mgmt}route 2001:2:0:0:0:0:0:0/48 100:0:0:0:0:0:0:2
running-multicast-registration Context Commands
NGFW{running}multicast-registration
NGFW{running-multicast-registration}igmp-version
Configure system IGMP version.
Syntax
igmp-version default
igmp-version mode (force|default) (igmpv1|igmpv2|igmpv3)
Valid entries:
default Restore default IGMP version (igmpv3)
mode Define IGMP version mode (force or default)
IGMPvX Define IGMP version
Example
NGFW{running-multicast-registration}igmp-version mode default igmpv3
NGFW{running-multicast-registration}mld-version
Configure system MLD version.
Syntax
mld-version default
mld-version mode (force|default) (mldv1|mldv2)
Valid entries:
default Restore default MLD version (mldv2)
mode Define MLD version mode
MODE Define MLD mode (force or default)
MLDvX Define MLD version
Example
NGFW{running-multicast-registration}mld-version mode default mldv2
running-notifycontacts (email) Context Commands
Immediate Commit Feature. Changes take effect immediately.
NGFW{running}notifycontacts
NGFW{running-notifycontacts}contact
Create or edit a notify contact.
Syntax
contact CONTACTNAME
contact NEWNAME email
contact NEWNAME snmp COMMUNITY IP [PORT]
Example
NGFW{running-notifycontacts}contact mycontact1 email
NGFW{running-notifycontacts}contact mycontact1 snmp mysecret 192.168.1.1
NGFW{running-notifycontacts}delete
Delete a contact.
Syntax
delete contact XCONTACTNAME
Example
NGFW{running-notifycontacts}delete contact mycontact1
WARNING: Are you sure you want to delete this contact (y/n)? [n]: y
NGFW{running-notifycontacts}email-from-address
From email address.
Syntax
email-from-address EMAIL
Example
NGFW{running-notifycontacts}email-from-address mycontact@example.com
NGFW{running-notifycontacts}email-from-domain
From domain name.
Syntax
email-from-domain DOMAIN
Example
NGFW{running-notifycontacts}email-from-domain example.com
NGFW{running-notifycontacts}email-server
Set mail server IP.
Syntax
email-server IP
Example
NGFW{running-notifycontacts}email-server 192.168.1.1
NGFW{running-notifycontacts}email-threshold
Set email threshold in minutes.
Syntax
email-threshold THRESHOLD
Example
NGFW{running-notifycontacts}email-threshold 1
NGFW{running-notifycontacts}email-to-default-address
Default "to" email address.
Syntax
email-to-default-address EMAIL
Example
NGFW{running-notifycontacts}email-to-default-address mycontact@example.com
NGFW{running-notifycontacts}rename
Rename contact with new name.
Syntax
rename contact XCONTACTNAME NEWNAME
Example
NGFW{running-notifycontacts}rename contact mycontact1 mycontact2
running-notifycontacts-X (SNMP) Context Commands
Immediate Commit Feature. Changes take effect immediately.
NGFW{running-notifycontacts}contact mycontact1
NGFW{running-notifycontacts-mycontact1}community
Sets SNMPv2 community name.
Syntax
community COMMUNITY
COMMUNITY SNMPv2 community name (1-32 characters)
Example
NGFW{running-notifycontacts-mycontact1}community mysecret
NGFW{running-notifycontacts-mycontact1}host
Sets SNMP host IP.
Syntax
host IP
Example
NGFW{running-notifycontacts-mycontact1}host 192.168.1.1
NGFW{running-notifycontacts-mycontact1}period
Set contact aggregation period in minutes.
Syntax
period PERIOD
Example
NGFW{running-notifycontacts-mycontact1}period 1
NGFW{running-notifycontacts-mycontact1}port
Set SNMP host port.
Syntax
port PORT
Example
NGFW{running-notifycontacts-mycontact1}port 162
running-ntp Context Commands
NGFW{running}ntp
NGFW{running-ntp}delete
Delete file or configuration item.
Syntax
delete key (all|ID)
delete server (all|HOST)
Valid entries:
key Delete key from configuration
all Delete all keys
ID Key identifier
server Delete remote NTP server
all Delete all servers
HOST Remote server address or name
Example
NGFW{running-ntp}delete key 1
NGFW{running-ntp}delete key all
NGFW{running-ntp}delete server all
NGFW{running-ntp}delete server 192.168.1.1
NGFW{running-ntp}key
Configure NTP authentication key.
Syntax
key (1-65535) VALUE
Valid entries:
(1-65535) Key ID, required for authentication
VALUE Key value (1-32 characters)
Example
NGFW{running-ntp}key 1 myauthkey
NGFW{running-ntp}ntp
Enable or disable NTP service.
Syntax
ntp (enable|disable)
Example
NGFW{running-ntp}ntp enable
NGFW{running-ntp}polling-interval
Configure NTP server minimum polling interval.
Syntax
polling-interval SECONDS
SECONDS Interval in seconds
Possible values for SECONDS are:
2 2 seconds
4 4 seconds
8 8 seconds
16 16 seconds
32 32 seconds
64 64 seconds
Example
NGFW{running-ntp}polling-interval 16
NGFW{running-ntp}server
Configure remote NTP server.
Syntax
server (dhcp|A.B.C.D|X:X::X:X|FQDN) [key ID] [prefer]
dhcp Get server address from dhcp
NAME NTP remote server
key Key to be used
ID Key identifier
prefer Mark server as preferred
Example
NGFW{running-ntp}server 192.168.1.1 key 1 prefer
running-phase1-proposal-X Context Commands and their Usage
NGFW{running}vpn ipsec
NGFW{running-ipsec}phase1 2 proposal myphase1
NGFW{running-phase1-proposal-myphase1}auth
ISAKMP authentication mechanism.
Syntax
auth local (pre-shared-key|rsasig) remote
(eap-mschapv2|pre-shared-key|rsasig|eap-radius) [xauth (local|radius)]
Example
NGFW{running-phase1-proposal-myphase1}auth local pre-shared-key remote
pre-shared-key
NGFW{running-phase1-proposal-myphase1}dh-group
ISAKMP Diffie-Hellman group.
Syntax
dh-group (1|2|5|14)
Example
NGFW{running-phase1-proposal-myphase1}dh-group 5
NGFW{running-phase1-proposal-myphase1}encryption
ISAKMP encryption algorithm.
Syntax
encryption (3des|aes128|aes192|aes256)
Example
NGFW{running-phase1-proposal-myphase1}encryption aes256
NGFW{running-phase1-proposal-myphase1}hash
ISAKMP hash algorithm.
Syntax
hash (md5|sha1)
Example
NGFW{running-phase1-proposal-myphase1}hash sha1
NGFW{running-phase1-proposal-myphase1}lifetime
ISAKMP security association lifetime. The 86400 seconds commonly used in phase 1 equals 24 hours.
Syntax
lifetime LIFE-DURATION LIFE-UNIT
lifetime (1-65535) (min|sec|hour)
Example
NGFW{running-phase1-proposal-myphase1}lifetime 24 hour
running-phase2-proposal-X Context Commands and their Usage
NGFW{running}vpn ipsec
NGFW{running-ipsec}phase2 2 proposal myphase2
NGFW{running-phase2-proposal-myphase2}auth2
IPsec authentication algorithm.
Syntax
auth2 (hmac-md5|hmac-sha1) [hmac-sha1|hmac-md5]
Example
NGFW{running-phase2-proposal-myphase2}auth2 hmac-sha1
NGFW{running-phase2-proposal-myphase2}auth2 hmac-md5 hmac-sha1
NGFW{running-phase2-proposal-myphase2}auth2 hmac-sha1 hmac-md5
NGFW{running-phase2-proposal-myphase2}dh-group
Perfect Forward Secrecy Diffie-Hellman group.
Syntax
dh-group (1|2|5|14|none)
Example
NGFW{running-phase2-proposal-myphase2}dh-group 5
NGFW{running-phase2-proposal-myphase2}encryption2
IPsec encryption algorithm.
Syntax
encryption2 (3des|aes128|aes192|aes256|null) [3des|aes128|aes192|aes256|null]{0,4}
Example
NGFW{running-phase2-proposal-myphase2}encryption2 aes256 aes192 aes128 3des
NGFW{running-phase2-proposal-myphase2}encryption2 aes256
NGFW{running-phase2-proposal-myphase2}lifetime
IP security association lifetime.
Syntax
lifetime LIFE-DURATION LIFE-UNIT
lifetime (1-4,294,967,295) (hour|min|sec|byte)
Example
NGFW{running-phase2-proposal-myphase2}lifetime 4,718,592,000 byte
NGFW{running-phase2-proposal-myphase2}lifetime 3600 sec
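An added example (not from the HP guide) that reads a transcript of phase 1 and phase 2 proposal commands in the prompt format shown above and reports the values a reviewer would question. The accepted values come from the Syntax lines; the list of flagged values and the "last command wins" rule are assumptions of this example, and the transcript is constructed.

```python
import re

# Prompt format used in this guide: NGFW{running-phaseN-proposal-NAME}command ...
PROMPT = re.compile(r"^NGFW\{running-(phase[12])-proposal-([^}]+)\}\s*(\S.*)$")

# Values each command accepts, copied from the Syntax lines above.
ALLOWED = {
    ("phase1", "encryption"): {"3des", "aes128", "aes192", "aes256"},
    ("phase1", "hash"): {"md5", "sha1"},
    ("phase1", "dh-group"): {"1", "2", "5", "14"},
    ("phase2", "auth2"): {"hmac-md5", "hmac-sha1"},
    ("phase2", "encryption2"): {"3des", "aes128", "aes192", "aes256", "null"},
    ("phase2", "dh-group"): {"1", "2", "5", "14", "none"},
}

# Assumed review policy of this example (not HP guidance): values to flag.
WEAK = {
    "md5": "MD5 hash",
    "hmac-md5": "MD5-based integrity",
    "3des": "64-bit block cipher",
    "null": "no encryption",
    "none": "no perfect forward secrecy",
    "1": "768-bit MODP group",
    "2": "1024-bit MODP group",
    "5": "1536-bit MODP group",
}


def effective_settings(transcript):
    """Map (phase, proposal, command) to its value list.

    Assumption: re-entering a command replaces the earlier value, so only the
    last occurrence per proposal is kept.
    """
    settings = {}
    for line in transcript.splitlines():
        match = PROMPT.match(line.strip())
        if not match:
            continue
        phase, proposal, command = match.groups()
        name, *values = command.split()
        if (phase, name) in ALLOWED:
            settings[(phase, proposal, name)] = values
    return settings


def audit(transcript):
    """Return (proposal, command, value, reason) for every questionable value."""
    findings = []
    for (phase, proposal, name), values in effective_settings(transcript).items():
        for value in values:
            if value not in ALLOWED[(phase, name)]:
                findings.append((proposal, name, value, "not in documented syntax"))
            elif value in WEAK:
                findings.append((proposal, name, value, WEAK[value]))
    return findings


# Constructed transcript; proposal names follow the guide's examples.
SAMPLE = """\
NGFW{running-phase1-proposal-myphase1}encryption aes256
NGFW{running-phase1-proposal-myphase1}hash md5
NGFW{running-phase1-proposal-myphase1}hash sha1
NGFW{running-phase1-proposal-myphase1}dh-group 5
NGFW{running-phase1-proposal-myphase1}lifetime 24 hour
NGFW{running-phase2-proposal-myphase2}auth2 hmac-md5 hmac-sha1
NGFW{running-phase2-proposal-myphase2}encryption2 aes256 aes192 aes128 3des
NGFW{running-phase2-proposal-myphase2}dh-group none
"""

if __name__ == "__main__":
    for proposal, name, value, reason in audit(SAMPLE):
        print(f"{proposal}: {name} {value} ({reason})")
```

Because `encryption2` and `auth2` take a list, every listed value is checked: a single weaker entry is still an entry the proposal offers.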
running-ospf Context Commands
NGFW{running}router ospf
NGFW{running-ospf}area
Configure an OSPF area, area range, or virtual link.
Syntax
area (A.B.C.D|(0-4294967295)) range A.B.C.D/M [not-advertised]
area (A.B.C.D|(0-4294967295)) (stub|nssa|tsa)
area (A.B.C.D|(0-4294967295)) default-cost (0-16777215)
area (A.B.C.D|(0-4294967295)) virtual-link A.B.C.D
area (A.B.C.D|(0-4294967295)) virtual-link A.B.C.D dead-interval VALUE
area (A.B.C.D|(0-4294967295)) virtual-link A.B.C.D hello-interval VALUE
area (A.B.C.D|(0-4294967295)) virtual-link A.B.C.D retransmit-interval VALUE
area (A.B.C.D|(0-4294967295)) virtual-link A.B.C.D transmit-delay VALUE
area (A.B.C.D|(0-4294967295)) virtual-link A.B.C.D authentication simple
SIMPLE-PASSWORD
area (A.B.C.D|(0-4294967295)) virtual-link A.B.C.D authentication md5 KEY-ID
MD5-KEY-STRING
(0-4294967295) OSPF area ID as a decimal value
A.B.C.D OSPF area ID in IP address format
Example
NGFW{running-ospf}area 1 ?
Valid entries at this position are:
default-cost Set the summary-default cost of a NSSA or stub area
nssa Configure a not-so-stubby area (NSSA)
range Summarize routes matching address/mask prefix
stub Configure a stubby area
tsa Configure a totally stubby area (TSA)
virtual-link Configure a virtual link
NGFW{running-ospf}default-metric
Set default metric of routes redistributed into OSPF.
Syntax
default-metric (1-16777214)
Example
NGFW{running-ospf}default-metric 1
NGFW{running-ospf}delete
Delete file or configuration item.
Syntax
delete area AREA-ID range A.B.C.D/M
delete area AREA-ID (stub|nssa|tsa)
delete area AREA-ID default-cost
delete area AREA-ID virtual-link A.B.C.D
delete area AREA-ID virtual-link A.B.C.D dead-interval
delete area AREA-ID virtual-link A.B.C.D hello-interval
delete area AREA-ID virtual-link A.B.C.D retransmit-interval
delete area AREA-ID virtual-link A.B.C.D transmit-delay
delete area AREA-ID virtual-link A.B.C.D authentication simple
delete area AREA-ID virtual-link A.B.C.D authentication md5 KEY-ID
delete default-metric
delete distance VALUE
delete distance (external|inter-area|intra-area) <1-255>
delete passive-interface INTERFACE
delete redistribute PROTOCOL
delete rfc1583-compatible
delete router-id
Example
NGFW{running-ospf}delete distance ?
Valid entries at this position are:
VALUE OSPF Administrative distance
external The distance for external routes
inter-area The distance for inter-area routes
intra-area The distance for intra-area routes
NGFW{running-ospf}disable
Disable Open Shortest Path First (OSPF).
Syntax
disable
Example
NGFW{running-ospf}disable
NGFW{running-ospf}distance
Set OSPF administrative distance.
Syntax
distance (1-255)
distance (external|inter-area|intra-area) (1-255)
(1-255) OSPF Administrative distance
external Configure the distance for external routes
inter-area Configure the distance for inter-area routes
intra-area Configure the distance for intra-area routes
Example
NGFW{running-ospf}distance external 1
NGFW{running-ospf}enable
Enable Open Shortest Path First (OSPF).
Syntax
enable
Example
NGFW{running-ospf}enable
NGFW{running-ospf}passive-interface
Suppress routing updates on an interface.
Syntax
passive-interface INTERFACE
Example
NGFW{running-ospf}passive-interface name
NGFW{running-ospf}redistribute
Redistribute routes from another routing protocol.
Syntax
redistribute PROTOCOL [metric-type (1-2)] [metric (0-16777214)] [route-map
ROUTE-MAP]
Possible values for PROTOCOL are:
connected Connected
static Static routes
rip Routing Information Protocol (RIP)
bgp Border Gateway Protocol (BGP)
metric-type OSPF exterior metric type for redistributed routes
(1-2) Set OSPF exterior type metric
metric Metric
(0-16777214) Set metric for redistributed routes
route-map Route map reference
ROUTE-MAP Route map name
Example
NGFW{running-ospf}redistribute rip metric-type ?
Valid entry at this position is:
<1-2> Set OSPF exterior type metric
NGFW{running-ospf}redistribute rip metric-type 1 route-map name
NGFW{running-ospf}rfc1583-compatible
Enable RFC-1583 compatibility (Disabled by default).
Syntax
rfc1583-compatible
Example
NGFW{running-ospf}rfc1583-compatible
NGFW{running-ospf}router-id
OSPF router-id.
Syntax
router-id A.B.C.D
A.B.C.D OSPF router ID in IP address format
Example
NGFW{running-ospf}router-id 198.51.100.150
running-ospfv3 Context Commands
NGFW{running}router ospfv3
NGFW{running-ospfv3}area
Configure an OSPFv3 area, area range, or virtual link.
Syntax
area (A.B.C.D|(0-4294967295)) range X:X::X:X/M
area (A.B.C.D|(0-4294967295)) (stub|nssa|tsa)
area (A.B.C.D|(0-4294967295)) virtual-link A.B.C.D
area (A.B.C.D|(0-4294967295)) virtual-link A.B.C.D [hello-interval VALUE]
area (A.B.C.D|(0-4294967295)) virtual-link A.B.C.D [hello-interval VALUE]
[retransmit-interval VALUE]
area (A.B.C.D|(0-4294967295)) virtual-link A.B.C.D [hello-interval VALUE]
[retransmit-interval VALUE] [transmit-delay VALUE]
area (A.B.C.D|(0-4294967295)) virtual-link A.B.C.D [hello-interval VALUE]
[retransmit-interval VALUE] [transmit-delay VALUE] [dead-interval VALUE]
Example
NGFW{running-ospfv3}area 2 ?
Valid entries at this position are:
nssa Configure a not-so-stubby area (NSSA)
range Summarize routes matching address/mask (border routers only)
stub Configure a stubby area
tsa Configure a totally stubby area (TSA)
virtual-link Configure a virtual link over a transit area
NGFW{running-ospfv3}delete
Delete file or configuration item.
Syntax
delete area AREA-ID AREA-TYPE
delete area AREA-ID range X:X::X:X/M
delete area AREA-ID virtual-link A.B.C.D
delete area AREA-ID virtual-link A.B.C.D dead-interval
delete area AREA-ID virtual-link A.B.C.D hello-interval
delete area AREA-ID virtual-link A.B.C.D retransmit-interval
delete area AREA-ID virtual-link A.B.C.D transmit-delay
delete passive-interface INTERFACE
delete redistribute PROTOCOL
delete router-id
Valid entries:
area Delete OSPFv3 area
passive-interface Reactivate an interface
redistribute Delete route redistribution from another protocol
router-id Delete OSPFv3 router ID
Example
NGFW{running-ospfv3}delete area 1 range 100:0:0:0:0:0:0:0/64
NGFW{running-ospfv3}delete redistribute ?
Valid entries at this position are:
connected Connected
static Static routes
ripng Routing Information Protocol next generation (RIPng)
NGFW{running-ospfv3}disable
Disable Open Shortest Path First (OSPFv3).
Syntax
disable
Example
NGFW{running-ospfv3}disable
NGFW{running-ospfv3}enable
Enable Open Shortest Path First (OSPFv3).
Syntax
enable
Example
NGFW{running-ospfv3}enable
NGFW{running-ospfv3}nsf
OSPFv3 non-stop forwarding.
Syntax
nsf (enable|disable)
enable Enable Graceful Restarts with Grace time of 120
disable Disable Graceful Restarts
Example
NGFW{running-ospfv3}nsf enable
NGFW{running-ospfv3}passive-interface
Suppress routing updates on an interface.
Syntax
passive-interface INTERFACE
Example
NGFW{running-ospfv3}passive-interface name
NGFW{running-ospfv3}redistribute
Redistribute routes from another routing protocol.
Syntax
redistribute PROTOCOL [metric-type (1-2)] [metric (0-16777214)] [route-map
ROUTE-MAP]
PROTOCOL OSPFv3 protocol list
Possible values for PROTOCOL are:
connected Connected
static Static routes
ripng Routing Information Protocol next generation (RIPng)
metric-type OSPFv3 exterior metric type for redistributed routes
(1-2) Set OSPFv3 exterior metric type
(0-16777214) Set metric for redistributed routes
route-map Route map reference
ROUTE-MAP Route map name
Example
NGFW{running-ospfv3}redistribute static metric 2
NGFW{running-ospfv3}router-id
OSPFv3 router-id.
Syntax
router-id ROUTER-ID
router-id OSPFv3 router ID
ROUTER-ID OSPFv3 router ID in IPv4 address format
Example
NGFW{running-ospfv3}router-id 198.51.100.1
running-pim-smv4 Context Commands
NGFW{running}router pim-smv4
NGFW{running-pim-smv4}bsr-candidate
Toggle bootstrap router (BSR) candidate.
Syntax
bsr-candidate interface INTERFACE
bsr-candidate priority (0-255)
interface Interface that has global address for Bootstrap messages
priority Priority of the BSR candidate
Example
NGFW{running-pim-smv4}bsr-candidate priority 2
NGFW{running-pim-smv4}delete
Delete file or configuration item.
Syntax
delete bsr-candidate
delete dr-priority
delete rp-address (all|(A.B.C.D A.B.C.D/M))
delete rp-candidate
delete rp-candidate group (all|A.B.C.D/M)
delete threshold
Valid entries:
bsr-candidate Toggle bootstrap router (BSR) candidate
dr-priority Delete the DR priority set for the device
rp-address Static group-to-RP mapping
rp-candidate Delete the RP-candidate configuration
rp-candidate Toggle RP candidate
threshold Shortest path tree switch threshold
Example
NGFW{running-pim-smv4}delete bsr-candidate
NGFW{running-pim-smv4}disable
Disable PIM-SM IPv4 on the device.
Syntax
disable
Example
NGFW{running-pim-smv4}disable
NGFW{running-pim-smv4}dr-priority
Configure the DR priority for the device.
Syntax
dr-priority (0-4294967295)
(0-4294967295) The priority used to elect the DR
Example
NGFW{running-pim-smv4}dr-priority 2
NGFW{running-pim-smv4}enable
Enable PIM-SM IPv4 on the device.
Syntax
enable
Example
NGFW{running-pim-smv4}enable
NGFW{running-pim-smv4}rp-address
Static mapping of multicast groups to RP.
Syntax
rp-address A.B.C.D A.B.C.D/M
A.B.C.D IPv4 address for static RP
A.B.C.D/M IPv4 multicast group for static RP
Example
NGFW{running-pim-smv4}rp-address 198.51.0.100
NGFW{running-pim-smv4}rp-candidate
Toggle RP candidate.
Syntax
rp-candidate group A.B.C.D/M
rp-candidate interface INTERFACE
rp-candidate priority (0-255)
group Specifies multicast group range for RP candidate
interface Interface that has global address for Candidate RP advertising
priority Priority of the RP candidate
Example
NGFW{running-pim-smv4}rp-candidate priority 1
NGFW{running-pim-smv4}threshold
Data rate that triggers shortest path tree switch.
Syntax
threshold RATE
threshold Shortest path tree switch threshold
RATE The rate for shortest path tree switching (1-4294967295 bytes/s).
Default: 1000 bytes/s.
Example
NGFW{running-pim-smv4}threshold 1000
running-pim-smv6 Context Commands
NGFW{running}router pim-smv6
NGFW{running-pim-smv6}bsr-candidate
Toggle bootstrap router (BSR) candidate.
Syntax
bsr-candidate interface INTERFACE
bsr-candidate priority (0-255)
interface Interface that has global address for Bootstrap messages
priority Priority of the BSR
Example
NGFW{running-pim-smv6}bsr-candidate priority 1
NGFW{running-pim-smv6}delete
Delete file or configuration item.
Syntax
delete bsr-candidate
delete dr-priority
delete rp-address (all|(X:X::X:X X:X::X:X/M))
delete rp-candidate
delete rp-candidate group (all|X:X::X:X/M)
delete threshold
Valid entries:
bsr-candidate Toggle bootstrap router (BSR) candidate
dr-priority Delete the DR priority set for the device
rp-address Delete group-to-RP mapping
rp-candidate Delete the RP-candidate configuration
rp-candidate Toggle RP candidate
threshold Shortest path tree switch threshold
Example
NGFW{running-pim-smv6}delete rp-address ?
Valid entries at this position are:
X:X::X:X Specified static RP IPv6 address
all Delete ALL group-to-RP mapping
NGFW{running-pim-smv6}disable
Disable PIM-SM IPv6 on the device.
Syntax
disable
Example
NGFW{running-pim-smv6}disable
NGFW{running-pim-smv6}dr-priority
Configure the DR priority for the device.
Syntax
dr-priority (0-4294967295)
(0-4294967295) The priority used to elect the DR.
Example
NGFW{running-pim-smv6}dr-priority 2
NGFW{running-pim-smv6}enable
Enable PIM-SM IPv6 on the device.
Syntax
enable
Example
NGFW{running-pim-smv6}enable
NGFW{running-pim-smv6}rp-address
Static mapping of multicast groups to RP.
Syntax
rp-address X:X::X:X X:X::X:X/M
rp-address Static group-to-RP mapping
X:X::X:X IPv6 address for static RP
X:X::X:X/M IPv6 multicast group prefix for static RP
Example
NGFW{running-pim-smv6}rp-address ?
Valid entry at this position is:
X:X::X:X IPv6 address for staic RP
NGFW{running-pim-smv6}rp-candidate
Toggle RP candidate.
Syntax
rp-candidate group X:X::X:X/M
rp-candidate interface INTERFACE
rp-candidate priority (0-255)
group Specifies multicast group range for RP candidate
interface Interface that has global address for Candidate RP advertising
priority Priority of the RP
Example
NGFW{running-pim-smv6}rp-candidate priority 2
NGFW{running-pim-smv6}threshold
Data rate at which to perform shortest path tree switch.
Syntax
threshold RATE
threshold Shortest path tree switch threshold
RATE The rate for shortest path tree switching (1-4294967295 bytes/s).
Default: 1000 bytes/s
Example
NGFW{running-pim-smv6}threshold 1000
running-pppoeX Context Commands
NGFW{running}interface pppoe0
NGFW{running-pppoe0}auth
Authenticated configuration.
Syntax
auth ppp reply (chap|chap-md5|ms-chapv2|pap|ms-chap)
auth ppp user-id USER PASSWORD
ppp Configure PPP authenticated options
Example
NGFW{running-pppoe0}auth ppp reply chap-md5
NGFW{running-pppoe0}auth ppp user-id myuser mypassword
NGFW{running-pppoe0}autoconfv6
Enable or disable IPv6 autoconfiguration on interface.
Syntax
autoconfv6 (enable|disable)
Example
NGFW{running-pppoe0}autoconfv6 enable
NGFW{running-pppoe0}bind
Bind PPPoE interface to specific ethernet port.
Syntax
bind (none|ethernetX)
ethernetX Ethernet port name
none Do not bind this PPPoE interface
Example
NGFW{running-pppoe0}bind ethernet5
NGFW{running-pppoe0}bind none
NGFW{running-pppoe0}delete
Delete file or configuration item.
Syntax
delete auth ppp reply all
delete auth ppp reply (chap|chap-md5|ms-chapv2|pap|ms-chap)
delete auth ppp user-id
delete ip igmp
delete ip igmp version
delete ipv6 mld
delete ipv6 mld version
delete log-option ppp all
delete log-option ppp PPP-LOG-OPTION
delete prefix (all|X:X::X:X/M)
delete shutdown
Valid entries:
auth Authenticated configuration
ip Delete IP settings
ipv6 Delete IPv6
log-option Delete service log option
prefix Delete IPv6 prefix
shutdown Shutdown logical interface state
Example
NGFW{running-pppoe0}delete auth ppp reply chap-md5
NGFW{running-pppoe0}delete auth ppp user-id
NGFW{running-pppoe0}delete ip igmp version
NGFW{running-pppoe0}delete ip igmp
NGFW{running-pppoe0}delete ipv6 mld
NGFW{running-pppoe0}delete log-option ppp auth
NGFW{running-pppoe0}delete prefix 100::/64
NGFW{running-pppoe0}delete shutdown
NGFW{running-pppoe0}description
Enter description for the interface.
Syntax
description TEXT
Example
NGFW{running-pppoe0}description "pppoe interface 0"
NGFW{running-pppoe0}dns-request
Configure IP DNS server address request.
Syntax
dns-request (enable|disable)
Example
NGFW{running-pppoe0}dns-request enable
NGFW{running-pppoe0}ip
Configure IP settings.
Syntax
ip igmp
ip igmp version (1|2|3)
Example
NGFW{running-pppoe0}ip igmp version 3
NGFW{running-pppoe0}ipcp
Enable or disable IPCP for IPv4.
Syntax
ipcp (enable|disable)
Example
NGFW{running-pppoe0}ipcp enable
NGFW{running-pppoe0}ipcp disable
NGFW{running-pppoe0}ipv6
Configure IPv6 settings.
Syntax
ipv6 mld
ipv6 mld version (1|2)
Example
NGFW{running-pppoe0}ipv6 mld version 2
NGFW{running-pppoe0}ipv6cp
Enable or disable IPCP for IPv6.
Syntax
ipv6cp (enable|disable)
Example
NGFW{running-pppoe0}ipv6cp enable
NGFW{running-pppoe0}keep-alive
LCP keep alive period in seconds.
Syntax
keep-alive ppp disable
keep-alive ppp (default|(0-600)) [retry (0-600)]
Example
NGFW{running-pppoe0}keep-alive ppp default retry 1
NGFW{running-pppoe0}keep-alive ppp disable
NGFW{running-pppoe0}log-option
Add service log option.
Syntax
log-option ppp all
log-option ppp (PPP-LOG-OPTION)
PPP-LOG-OPTION valid entries:
all Enable all optional log items
auth Link authentication events
ipcp IPCP events and negotiation
ipv6cp IPV6CP events and negotiation
l2tp L2TP high level events
l2tp2 L2TP more detailed events
l2tp3 L2TP packet dumps
pptp PPTP high level events
pptp2 PPTP more detailed events
pptp3 PPTP packet dumps
lcp LCP events and negotiation
phys Physical layer events
radius Radius authentication events
echo Keep-alive events
bund Bundle events
iface IP interface and route management events
link Link events
frame Dump all incoming and outgoing frames
fsm All state machine events (except echo and reset)
Example
NGFW{running-pppoe0}log-option ppp auth
NGFW{running-pppoe0}mru
Configure interface MRU.
Syntax
mru (default|(64-65535))
Example
NGFW{running-pppoe0}mru 1500
NGFW{running-pppoe0}mru default
NGFW{running-pppoe0}mtu
Configure interface MTU.
Syntax
mtu (default|(68-9216))
Example
NGFW{running-pppoe0}mtu default
NGFW{running-pppoe0}mtu 1500
NGFW{running-pppoe0}prefix
Configure IPv6 prefix.
Syntax
prefix X:X::X:X/M [valid-lifetime (1-4294967295)] [preferred-lifetime (1-4294967295)]
X:X::X:X/M IPv6 prefix
valid-lifetime Configure valid lifetime
<1-4294967295> Valid lifetime in seconds (default is 2592000)
preferred-lifetime Configure preferred lifetime
<1-4294967295> Preferred lifetime in seconds (default is 604800 - cannot exceed valid lifetime)
Example
NGFW{running-pppoe0}prefix 100:0:0:0:0:0:0:0/64 valid-lifetime 2592000 preferred-lifetime 604800
NGFW{running-pppoe0}ra-autoconf-level
Modify IPv6 Router Advertisement autoconfiguration level.
Syntax
ra-autoconf-level AUTOCONF
Possible values for AUTOCONF are:
none No parameter is autoconfigured
address Address is autoconfigured
other Some other parameters are autoconfigured
full Most parameters are autoconfigured
Example
NGFW{running-pppoe0}ra-autoconf-level full
NGFW{running-pppoe0}ra-interval
Modify IPv6 Router Advertisement interval value.
Syntax
ra-interval (90-1800000)
INTERVAL Router Advert emission period (in milliseconds)
Example
NGFW{running-pppoe0}ra-interval 600
NGFW{running-pppoe0}ra-interval-transmit
Modify IPv6 Router Advertisement interval transmit.
Syntax
ra-interval-transmit (enable|disable)
Example
NGFW{running-pppoe0}ra-interval-transmit enable
NGFW{running-pppoe0}ra-lifetime
Modify IPv6 Router Advertisement prefix lifetime in seconds.
Syntax
ra-lifetime (0-9000000)
Example
NGFW{running-pppoe0}ra-lifetime 1800
NGFW{running-pppoe0}ra-mtu
Modify IPv6 Router Advertisement MTU value.
Syntax
ra-mtu (none|(68-9216))
none Not configured
MTU MTU value advertised (0 if none)
Example
NGFW{running-pppoe0}ra-mtu 1500
NGFW{running-pppoe0}ra-transmit-mode
Modify IPv6 Router Advertisement transmit mode.
Syntax
ra-transmit-mode MODE
Possible values for MODE are:
always Router Advert message is always sent
never Router Advert message is never sent
smart Router Advert message is sent if a prefix is defined
Example
NGFW{running-pppoe0}ra-transmit-mode smart
NGFW{running-pppoe0}service
Configure PPPoE service name.
Syntax
service (none|NAME)
Example
NGFW{running-pppoe0}service myPPPoEservice
NGFW{running-pppoe0}service none
NGFW{running-pppoe0}shutdown
Shutdown logical interface state.
Syntax
shutdown
Example
NGFW{running-pppoe0}shutdown
NGFW{running-pppoe0}tcp4mss
Configure interface TCP MSS for IPv4.
Syntax
tcp4mss (disable|automatic|(4-65535))
Valid entries:
disable Disable service
automatic Automatically select TCP MSS based on interface MTU
VALUE TCP MSS value for IPv4
Example
NGFW{running-pppoe0}tcp4mss automatic
NGFW{running-pppoe0}tcp6mss
Configure interface TCP MSS for IPv6.
Syntax
tcp6mss (disable|automatic|(4-65535))
Valid entries:
disable Disable service
automatic Automatically select TCP MSS based on interface MTU
VALUE TCP MSS value for IPv6
Example
NGFW{running-pppoe0}tcp6mss automatic
running-pptpX Context Commands
NGFW{running}interface pptp0
NGFW{running-pptp0}always-ack
Enable or disable always-ack option.
Syntax
always-ack (enable|disable)
Example
NGFW{running-pptp0}always-ack enable
NGFW{running-pptp0}always-ack disable
NGFW{running-pptp0}auth
Authenticated configuration.
Syntax
auth ppp reply ALGORITHM
auth ppp user-id USER PASSWORD
Example
NGFW{running-pptp0}auth ppp reply chap-md5
NGFW{running-pptp0}auth ppp user-id myuser mypassword
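The auth commands in the running-pppoeX and running-pptpX contexts take the same arguments. The following added example (not HP's code and not part of the original guide) replays a CLI transcript, works out which "auth ppp reply" algorithms remain configured per interface, rates them, and redacts the PASSWORD argument. The risk ratings, the function names, the assumption that repeated "auth ppp reply" lines accumulate, and the sample transcript are the example's own.

```python
import re
from collections import defaultdict

# Reviewer's ratings (not from the guide) for the algorithms the guide lists
# under "auth ppp reply". PAP sends the password in cleartext (RFC 1334); the
# CHAP variants are challenge/response and open to offline password guessing.
RISK = {
    "pap": ("high", "password crosses the link in cleartext"),
    "ms-chap": ("high", "MS-CHAPv1, superseded by MS-CHAPv2"),
    "ms-chapv2": ("medium", "captured exchange can be guessed offline"),
    "chap-md5": ("medium", "captured exchange can be guessed offline"),
    "chap": ("medium", "assumed here to behave like chap-md5"),
}

# Constructed transcript in the guide's prompt format; myuser / mypassword are
# the guide's own placeholder credentials.
SAMPLE_TRANSCRIPT = """\
NGFW{running}interface pppoe0
NGFW{running-pppoe0}auth ppp reply pap
NGFW{running-pppoe0}auth ppp reply chap-md5
NGFW{running-pppoe0}auth ppp user-id myuser mypassword
NGFW{running-pppoe0}delete auth ppp reply pap
NGFW{running}interface pptp0
NGFW{running-pptp0}auth ppp reply ms-chap
NGFW{running-pptp0}auth ppp reply ms-chapv2
NGFW{running-pptp0}auth ppp user-id myuser mypassword
NGFW{running-pptp0}delete auth ppp reply all
NGFW{running-pptp0}auth ppp reply pap
"""

PROMPT = re.compile(r"^NGFW\{running-((?:pppoe|pptp)\d+)\}(.*)$")
USER_ID = re.compile(r"(auth ppp user-id \S+) \S+")


def redact(text):
    """Mask the PASSWORD argument of every 'auth ppp user-id USER PASSWORD'."""
    return USER_ID.sub(r"\1 ********", text)


def effective_ppp_auth(transcript):
    """Replay the commands in order; return {interface: {"reply", "user"}}.

    Assumption: each 'auth ppp reply X' adds X to a per-interface list, which
    'delete auth ppp reply (X|all)' then removes from.
    """
    state = defaultdict(lambda: {"reply": set(), "user": None})
    for raw in transcript.splitlines():
        m = PROMPT.match(raw.strip())
        if not m:
            continue
        cfg, words = state[m.group(1)], m.group(2).split()
        if words[:3] == ["auth", "ppp", "reply"] and len(words) == 4:
            if words[3] in RISK:
                cfg["reply"].add(words[3])
        elif words[:3] == ["auth", "ppp", "user-id"] and len(words) == 5:
            cfg["user"] = words[3]  # the password is deliberately not kept
        elif words[:4] == ["delete", "auth", "ppp", "reply"] and len(words) == 5:
            if words[4] == "all":
                cfg["reply"].clear()
            else:
                cfg["reply"].discard(words[4])
        elif words == ["delete", "auth", "ppp", "user-id"]:
            cfg["user"] = None
    return dict(state)


def audit(transcript):
    """Return (interface, severity, item, reason) tuples, sorted by interface."""
    findings = []
    for iface, cfg in sorted(effective_ppp_auth(transcript).items()):
        for algo in sorted(cfg["reply"]):
            severity, reason = RISK[algo]
            findings.append((iface, severity, algo, reason))
        if cfg["user"] is not None:
            findings.append((iface, "info", "user-id",
                             "password was typed as a command argument; "
                             "redact stored transcripts"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_TRANSCRIPT):
        print(" | ".join(finding))
    print(redact(SAMPLE_TRANSCRIPT))
```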
NGFW{running-pptp0}autoconfv6
Enable or disable IPv6 autoconfiguration on interface.
Syntax
autoconfv6 (enable|disable)
Example
NGFW{running-pptp0}autoconfv6 enable
NGFW{running-pptp0}bind
Configure binding addresses of the pptp tunnel.
Syntax
bind (none|(A.B.C.D A.B.C.D))
Example
NGFW{running-pptp0}bind 192.168.1.1 192.168.100.1
NGFW{running-pptp0}delayed-ack
Enable or disable delayed-ack option.
Syntax
delayed-ack (enable|disable)
Example
NGFW{running-pptp0}delayed-ack enable
NGFW{running-pptp0}delete
Delete file or configuration item.
Syntax
delete auth ppp reply all
delete auth ppp reply (chap|chap-md5|ms-chapv2|pap|ms-chap)
delete auth ppp user-id
delete ip igmp
delete ip igmp version
delete ipv6 mld
delete ipv6 mld version
delete log-option ppp all
delete log-option ppp PPP-LOG-OPTION
delete prefix (all|X:X::X:X/M)
delete shutdown
Example
NGFW{running-pptp0}delete auth ppp reply chap-md5
NGFW{running-pptp0}delete auth ppp user-id
NGFW{running-pptp0}delete ip igmp version
NGFW{running-pptp0}delete ip igmp
NGFW{running-pptp0}delete ipv6 mld
NGFW{running-pptp0}delete log-option ppp all
NGFW{running-pptp0}delete prefix 100::/64
NGFW{running-pptp0}delete shutdown
NGFW{running-pptp0}description
Enter description for the interface.
Syntax
description TEXT
Example
NGFW{running-pptp0}description "pptp interface 0"
NGFW{running-pptp0}dns-request
Configure IP DNS server address request.
Syntax
dns-request (enable|disable)
Example
NGFW{running-pptp0}dns-request enable
NGFW{running-pptp0}dns-request disable
NGFW{running-pptp0}ip
Configure IP settings.
Syntax
ip igmp
ip igmp version (1|2|3)
Example
NGFW{running-pptp0}ip igmp version 3
NGFW{running-pptp0}ipcp
Enable or disable IPCP for IPv4.
Syntax
ipcp (enable|disable)
Example
NGFW{running-pptp0}ipcp enable
NGFW{running-pptp0}ipcp disable
NGFW{running-pptp0}ipv6
Configure IPv6 settings.
Syntax
ipv6 mld
ipv6 mld version (1|2)
Example
NGFW{running-pptp0}ipv6 mld version 2
NGFW{running-pptp0}ipv6cp
Enable or disable IPCP for IPv6.
Syntax
ipv6cp (enable|disable)
Example
NGFW{running-pptp0}ipv6cp enable
NGFW{running-pptp0}keep-alive
LCP keep alive period in seconds.
Syntax
keep-alive ppp disable
keep-alive ppp (default|(0-600)) [retry (0-600)]
Example
NGFW{running-pptp0}keep-alive ppp default retry 1
NGFW{running-pptp0}keep-alive ppp disable
NGFW{running-pptp0}log-option
Add service log option.
Syntax
log-option ppp all
log-option ppp (PPP-LOG-OPTION)
PPP-LOG-OPTION valid entries:
all Enable all optional log items
auth Link authentication events
ipcp IPCP events and negotiation
ipv6cp IPV6CP events and negotiation
l2tp L2TP high level events
l2tp2 L2TP more detailed events
l2tp3 L2TP packet dumps
pptp PPTP high level events
pptp2 PPTP more detailed events
pptp3 PPTP packet dumps
lcp LCP events and negotiation
phys Physical layer events
radius Radius authentication events
echo Keep-alive events
bund Bundle events
iface IP interface and route management events
link Link events
frame Dump all incoming and outgoing frames
fsm All state machine events (except echo and reset)
Example
NGFW{running-pptp0}log-option ppp all
NGFW{running-pptp0}mru
Configure interface MRU.
Syntax
mru (default|(64-65535))
Example
NGFW{running-pptp0}mru 1500
NGFW{running-pptp0}mru default
NGFW{running-pptp0}mtu
Configure interface MTU.
Syntax
mtu (default|(68-9216))
Example
NGFW{running-pptp0}mtu 1500
NGFW{running-pptp0}prefix
Configure IPv6 prefix.
Syntax
prefix X:X::X:X/M [valid-lifetime (1-4294967295)] [preferred-lifetime (1-4294967295)]
Example
NGFW{running-pptp0}prefix 100:0:0:0:0:0:0:0/64 valid-lifetime 2592000 preferred-lifetime 604800
NGFW{running-pptp0}ra-autoconf-level
Modify IPv6 Router Advertisement autoconfiguration level.
Syntax
ra-autoconf-level (none|address|other|full)
Valid entries:
none No parameter is autoconfigured
address Address is autoconfigured
other Some other parameters are autoconfigured
full Most parameters are autoconfigured
Example
NGFW{running-pptp0}ra-autoconf-level full
NGFW{running-pptp0}ra-autoconf-level ?
NGFW{running-pptp0}ra-interval
Modify IPv6 Router Advertisement interval value in milliseconds.
Syntax
ra-interval (90-1800000)
Example
NGFW{running-pptp0}ra-interval 600
NGFW{running-pptp0}ra-interval-transmit
Modify IPv6 Router Advertisement interval transmit.
Syntax
ra-interval-transmit (enable|disable)
Example
NGFW{running-pptp0}ra-interval-transmit enable
NGFW{running-pptp0}ra-lifetime
Modify IPv6 Router Advertisement prefix lifetime in seconds.
Syntax
ra-lifetime (0-9000000)
Example
NGFW{running-pptp0}ra-lifetime 1800
NGFW{running-pptp0}ra-mtu
Modify IPv6 Router Advertisement MTU value.
Syntax
ra-mtu (none|(68-9216))
Example
NGFW{running-pptp0}ra-mtu 1500
NGFW{running-pptp0}ra-transmit-mode
Modify IPv6 Router Advertisement transmit mode.
Syntax
ra-transmit-mode (always|never|smart)
Valid entries:
always Router Advert message is always sent
never Router Advert message is never sent
smart Router Advert message is sent if a prefix is defined
Example
NGFW{running-pptp0}ra-transmit-mode smart
NGFW{running-pptp0}shutdown
Shutdown logical interface state.
Syntax
shutdown
Example
NGFW{running-pptp0}shutdown
NGFW{running-pptp0}tcp4mss
Configure interface TCP MSS for IPv4.
Syntax
tcp4mss (disable|automatic|(4-65535))
Example
NGFW{running-pptp0}tcp4mss automatic
NGFW{running-pptp0}tcp6mss
Configure interface TCP MSS for IPv6.
Syntax
tcp6mss (disable|automatic|(4-65535))
Example
NGFW{running-pptp0}tcp6mss automatic
NGFW{running-pptp0}windowing
Enable or disable windowing option.
Syntax
windowing (enable|disable)
Example
NGFW{running-pptp0}windowing enable
NGFW{running-pptp0}windowing disable
running-rep Context Commands
Immediate Commit Feature. Changes take effect immediately.
NGFW{running}rep
NGFW{running-rep}delete
Delete file or configuration item.
Syntax
delete group REPGROUP
delete profile REPPROFILE
Valid entries:
group Reputation group
profile Delete reputation profile
Example
NGFW{running-rep}delete group myrepgroup
WARNING: Are you sure you want to delete reputation group (y/n)? [n]: y
NGFW{running-rep}delete profile myrepprofile
WARNING: Are you sure you want to delete profile (y/n)? [n]: y
NGFW{running-rep}group
Create or enter reputation group context.
Syntax
group REPGROUP
Valid entries:
REPGROUP Reputation usergroup name
Example
NGFW{running-rep}group myrepgroup
NGFW{running-rep-myrepgroup}
NGFW{running-rep-myrepgroup}help
Valid commands are:
delete domain DOMAINNAME
delete ip SOURCEIP
description DESCRIPTION
display
domain NEWDOMAINNAME
help [full|COMMAND]
ip SOURCEIP
NGFW{running-rep}profile
Create or enter reputation profile context.
Syntax
profile REPPROFILE
Example
NGFW{running-rep}profile myprofile
NGFW{running-rep-myprofile}help
Valid commands are:
CHECK-ADDRESS ACTION
action-when-pending ACTION
delete dns-except DOMAINNAME
delete filter ALLGROUPNAME
delete ip-except SOURCEIP DESTINATIONIP
display
dns-except NEWDOMAINNAME
filter ALLGROUPNAME( enable [threshold [XACTIONSETNAME]])|( disable)
help [full|COMMAND]
ip-except SOURCEIP DESTINATIONIP
NGFW{running-rep}rename
Rename a reputation profile or group.
Syntax
rename group REPGROUP NEWREPGROUP
rename profile REPPROFILE NEWREPPROFILE
Valid entries:
group Reputation group
profile Reputation profile
Example
NGFW{running-rep}rename profile oldname newname
running-rep-X (group X) Context Commands
Immediate Commit Feature. Changes take effect immediately.
NGFW{running-rep}group 1
NGFW{running-rep-1}delete
Delete file or configuration item.
Syntax
delete domain DOMAINNAME
delete ip (A.B.C.D|A.B.C.D/M|X:X::X:X|X:X::X:X/M)
Valid entries:
domain Domain name
ip IP address IPv4/IPv6/CIDR
Example
NGFW{running-rep-1}delete domain example.com
NGFW{running-rep-1}delete ip 192.168.1.1
NGFW{running-rep-1}delete ip 100:0:0:0:0:0:0:0/64
NGFW{running-rep-1}description
Add a description to the reputation group.
Syntax
description DESCRIPTION
Example
NGFW{running-rep-1}description "Rep Group 1"
NGFW{running-rep-1}domain
New domain name.
Syntax
domain NEWDOMAIN
Example
NGFW{running-rep-1}domain example.com
NGFW{running-rep-1}ip
IP address IPv4/IPv6.
Syntax
ip (A.B.C.D|A.B.C.D/M|X:X::X:X|X:X::X:X/M)
Example
NGFW{running-rep-1}ip 192.168.1.1
NGFW{running-rep-1}ip 192.168.1.0/24
NGFW{running-rep-1}ip 100:0:0:0:0:0:0:1
NGFW{running-rep-1}ip 100:0:0:0:0:0:0:0/64
running-rep-X (profile X) Context Commands
Immediate Commit Feature. Changes take effect immediately.
NGFW{running-rep}profile abc
NGFW{running-rep-abc}action-when-pending
Set pending action to permit or drop.
Syntax
action-when-pending (permit|drop)
Example
NGFW{running-rep-abc}action-when-pending permit
NGFW{running-rep-abc}check-source-address
Enables or disables check source address.
Syntax
check-source-address (enable|disable)
Valid entries:
enable Enable check source address
disable Disable check source address
Example
NGFW{running-rep-abc}check-source-address enable
NGFW{running-rep-abc}check-destination-address
Enables or disables check destination address.
Syntax
check-destination-address (enable|disable)
Example
NGFW{running-rep-abc}check-destination-address enable
NGFW{running-rep-abc}delete
Delete file or configuration item.
Syntax
delete dns-except DOMAINNAME
delete filter REPGROUP
delete ip-except (A.B.C.D|A.B.C.D/M|X:X::X:X|X:X::X:X/M) (A.B.C.D|A.B.C.D/M|X:X::X:X|X:X::X:X/M)
Example
NGFW{running-rep-abc}delete dns-except example.com
NGFW{running-rep-abc}delete filter "myrepgroup"
NGFW{running-rep-abc}delete ip-except 192.168.1.1 192.168.2.2
NGFW{running-rep-abc}delete ip-except 2001:2:0:0:0:0:0:0/48 2001:db8:0:0:0:0:0:0/32
NGFW{running-rep-abc}dns-except
DNS domain exception.
Syntax
dns-except DOMAINNAME
Example
NGFW{running-rep-abc}dns-except example.com
NGFW{running-rep-abc}filter
Add a reputation filter rule.
Syntax
filter REPGROUP disable
filter REPGROUP enable [THRESHOLD [ACTIONSET]]
Valid entries:
enable Enable filter rule
THRESHOLD Set threshold (0-100)
ACTIONSET Apply action set name
disable Disable filter rule
Example
NGFW{running-rep-abc}filter "myrepgroup" enable
NGFW{running-rep-abc}filter "myrepgroup" enable 0 "Block + Notify"
NGFW{running-rep-abc}ip-except
Add IP address exception.
Syntax
ip-except SOURCEIP DESTINATIONIP
SOURCEIP A.B.C.D or A.B.C.D/M or X:X::X:X or X:X::X:X/M
DESTINATIONIP A.B.C.D or A.B.C.D/M or X:X::X:X or X:X::X:X/M
Example
NGFW{running-rep-abc}ip-except 192.168.1.1 192.168.2.2
NGFW{running-rep-abc}ip-except 2001:2:0:0:0:0:0:0/48 2001:db8:0:0:0:0:0:0/32
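Reputation exceptions are easy to make wider than intended. The following added example (not HP's code and not part of the original guide) replays ip-except and delete ip-except lines from a profile context, reports pairs that contain very short prefixes, and answers whether a given flow would be excepted. It assumes an exception applies only when the source falls in SOURCEIP and the destination in DESTINATIONIP; the prefix limits, function names and the third sample line are the example's own.

```python
import ipaddress
import re

# Constructed transcript: the first two ip-except lines and the delete line
# are the guide's own examples; the 10.0.0.0/8 line is a deliberately broad
# entry added here so the audit has something to report.
SAMPLE = """\
NGFW{running-rep-abc}ip-except 192.168.1.1 192.168.2.2
NGFW{running-rep-abc}ip-except 2001:2:0:0:0:0:0:0/48 2001:db8:0:0:0:0:0:0/32
NGFW{running-rep-abc}ip-except 10.0.0.0/8 0.0.0.0/0
NGFW{running-rep-abc}delete ip-except 192.168.1.1 192.168.2.2
"""

LINE = re.compile(r"^NGFW\{running-rep-[^}]+\}(delete )?ip-except (\S+) (\S+)$")

# Reviewer-chosen limits (assumptions, tune per site): a prefix shorter than
# this for its address family is reported as broad.
MIN_PREFIX = {4: 16, 6: 32}


def parse_exceptions(transcript):
    """Replay the lines in order and return the remaining (src, dst) networks.

    A bare address such as 192.168.1.1 becomes a /32 (or /128) network, so
    hosts and CIDR blocks are handled the same way afterwards.
    """
    pairs = []
    for raw in transcript.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        src = ipaddress.ip_network(m.group(2), strict=False)
        dst = ipaddress.ip_network(m.group(3), strict=False)
        if m.group(1):                      # "delete ip-except SRC DST"
            if (src, dst) in pairs:
                pairs.remove((src, dst))
        elif (src, dst) not in pairs:
            pairs.append((src, dst))
    return pairs


def is_excepted(src, dst, pairs):
    """True if the flow src -> dst matches both halves of some exception.

    An IPv4 address is never "in" an IPv6 network (and vice versa), so
    mixed-family flows simply do not match.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in sn and d in dn for sn, dn in pairs)


def broad_exceptions(pairs):
    """Return (src, dst, [offending prefixes]) for pairs wider than MIN_PREFIX."""
    report = []
    for sn, dn in pairs:
        wide = [str(n) for n in (sn, dn) if n.prefixlen < MIN_PREFIX[n.version]]
        if wide:
            report.append((str(sn), str(dn), wide))
    return report


if __name__ == "__main__":
    remaining = parse_exceptions(SAMPLE)
    for src, dst in remaining:
        print("exception:", src, "->", dst)
    for src, dst, wide in broad_exceptions(remaining):
        print("BROAD:", src, "->", dst, "because of", ", ".join(wide))
    print("10.1.2.3 -> 203.0.113.9 excepted:",
          is_excepted("10.1.2.3", "203.0.113.9", remaining))
```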
running-rip Context Commands
NGFW{running}router rip
NGFW{running-rip}default-metric
Set default metric for imported routes.
Syntax
default-metric (1-16)
Example
NGFW{running-rip}default-metric 2
NGFW{running-rip}delete
Delete file or configuration item.
Syntax
delete default-metric (1-16)
delete distance (1-255)
delete equal-cost (2-255)
delete passive-interface INTERFACE
delete redistribute (connected|ospf|static|bgp)
delete timers basic
delete triggered-updates
delete version (1|2)
Valid entries:
default-metric Reset default metric for imported routes
distance Reset administrative distance for routes learned via RIP to default
equal-cost Reset equal-cost to default
passive-interface Enable RIP routing updates on an interface
redistribute Delete redistribute routes from another routing protocol
timers Reset basic RIP timers to default
triggered-updates Disable triggered-updates
version Reset RIP version to default
Example
NGFW{running-rip}delete default-metric 1
NGFW{running-rip}delete distance 120
NGFW{running-rip}delete equal-cost 2
NGFW{running-rip}delete passive-interface ethernet1
NGFW{running-rip}delete redistribute static
NGFW{running-rip}delete timers basic
NGFW{running-rip}delete triggered-updates
NGFW{running-rip}delete version 2
NGFW{running-rip}disable
Disable Routing Information Protocol (RIP).
Syntax
disable
Example
NGFW{running-rip}disable
NGFW{running-rip}distance
Set administrative distance for routes learned via RIP.
Syntax
distance (1-255)
Example
NGFW{running-rip}distance 120
NGFW{running-rip}distribute-list
Filter networks for RIP routing updates.
Syntax
distribute-list ACCESS-LIST (in|out) INTERFACE
Example
NGFW{running-rip}distribute-list myaccesslist in ethernet5
NGFW{running-rip}enable
Enable Routing Information Protocol (RIP).
Syntax
enable
Example
NGFW{running-rip}enable
NGFW{running-rip}equal-cost
Set the equal cost for ECMP.
Syntax
equal-cost (2-255)
Example
NGFW{running-rip}equal-cost 2
NGFW{running-rip}passive-interface
Suppress RIP routing updates on an interface.
Syntax
passive-interface (default|INTERFACE)
Valid entries:
default "default" for all interfaces
INTERFACE Interface name
Example
NGFW{running-rip}passive-interface ethernet1
NGFW{running-rip}redistribute
Redistribute routes from another routing protocol.
Syntax
redistribute (connected|ospf|static|bgp) [metric (0-15)] [route-map ROUTE-MAP]
Valid entries:
connected Connected
static Static routes
ospf Open Shortest Path First (OSPF)
bgp Border Gateway Protocol (BGP)
metric Metric
(0-15) Metric for redistributed routes
route-map Route map reference
ROUTE-MAP Pointer to route-map entries
Example
NGFW{running-rip}redistribute static metric 1 route-map myroutemap1
NGFW{running-rip}timers
Set basic RIP timers.
Syntax
timers basic ROUTING-TABLE-UPDATE ROUTING-INFORMATION-TIMEOUT GARBAGE-COLLECTION
Valid entries:
basic Set basic RIP timers
ROUTING-TABLE-UPDATE Routing table update timer value (0-65535)
ROUTING-INFORMATION-TIMEOUT Routing information timeout timer value (0-65535)
GARBAGE-COLLECTION Garbage collection timer value (0-65535)
Example
NGFW{running-rip}timers basic 30 180 120
NGFW{running-rip}triggered-updates
Enable RIP triggered-updates.
Syntax
triggered-updates
Example
NGFW{running-rip}triggered-updates
NGFW{running-rip}version
Set RIP version.
Syntax
version (1-2)
Example
NGFW{running-rip}version 2
running-ripng Context Commands
NGFW{running}router ripng
NGFW{running-ripng}default-metric
Set default metric for imported routes.
Syntax
default-metric DEFAULT-METRIC
DEFAULT-METRIC (1-16)
Example
NGFW{running-ripng}default-metric 1
NGFW{running-ripng}delete
Delete file or configuration item.
Syntax
delete default-metric DEFAULT-METRIC
delete distance DISTANCE
delete distribute-list ACCESS-LIST (in|out) INTERFACE
delete equal-cost COST
delete passive-interface INTERFACE
delete redistribute PROTOCOL
delete timers basic
delete triggered-updates
Valid entries:
default-metric Reset default metric for imported routes
distance Reset administrative distance for routes learned via RIPng to default
distribute-list Delete RIPng distribute list entry
equal-cost Reset equal-cost to default
passive-interface Enable RIPng routing updates on an interface
redistribute Delete redistribute routes from another routing protocol
timers Reset basic RIPng timers to default
triggered-updates Disable triggered-updates
Example
NGFW{running-ripng}delete triggered-updates
NGFW{running-ripng}disable
Disable Routing Information Protocol next generation (RIPng).
Syntax
disable
Example
NGFW{running-ripng}disable
NGFW{running-ripng}distance
Set administrative distance for routes learned by way of RIPng.
Syntax
distance DISTANCE
DISTANCE Distance (1-255)
Example
NGFW{running-ripng}distance 2
NGFW{running-ripng}distribute-list
Filter networks in RIPng routing updates.
Syntax
distribute-list ACCESS-LIST (in|out) INTERFACE
Valid entries:
distribute-list Filter networks in RIPng routing updates
ACCESS-LIST Access list name
in Incoming
out Outbound
INTERFACE Interface name
Example
NGFW{running-ripng}distribute-list mylist in ?
Valid entry at this position is:
INTERFACE Interface name
NGFW{running-ripng}enable
Enable Routing Information Protocol next generation (RIPng).
Syntax
enable
Example
NGFW{running-ripng}enable
NGFW{running-ripng}equal-cost
Set the equal cost for ECMP.
Syntax
equal-cost EQUAL-COST
EQUAL-COST (2-255)
Example
NGFW{running-ripng}equal-cost 2
NGFW{running-ripng}passive-interface
Suppress RIPng routing updates on an interface.
Syntax
passive-interface (default|INTERFACE)
default "default" for all interfaces
INTERFACE Interface name
Example
NGFW{running-ripng}passive-interface default
NGFW{running-ripng}redistribute
Redistribute routes from another routing protocol.
Syntax
redistribute PROTOCOL [metric (0-16)] [route-map ROUTE-MAP]
Possible values for PROTOCOL are:
connected Connected
static Static routes
ospfv3 Open Shortest Path First (OSPFv3)
metric Metric
(0-16) Metric for redistributed routes
route-map Route map reference
ROUTE-MAP Pointer to route-map entries
Example
NGFW{running-ripng}redistribute connected
NGFW{running-ripng}timers
Set basic RIPng timers.
Syntax
timers basic ROUTING-TABLE-UPDATE ROUTING-INFORMATION-TIMEOUT GARBAGE-COLLECTION
Valid entries:
basic Set basic RIPng timers
ROUTING-TABLE-UPDATE Routing table update timer value (0-65535)
ROUTING-INFORMATION-TIMEOUT Routing information timeout timer value (0-65535)
GARBAGE-COLLECTION Garbage collection timer value (0-65535)
Example
NGFW{running-ripng}timers basic 60 90 120
NGFW{running-ripng}triggered-updates
Enable RIPng triggered-updates.
Syntax
triggered-updates
Example
NGFW{running-ripng}triggered-updates
running-route-map Context Commands
NGFW{running}route-map mymap permit 10
NGFW{running-route-map}delete
Delete file or configuration item.
Syntax
delete match as-path
delete match community-list
delete match ip address ACCESS-LIST-NAME
delete match ip next-hop A.B.C.D
delete match metric
delete set as-path prepend
delete set comm-list
delete set community
delete set ip next-hop A.B.C.D
delete set local-preference
delete set metric
Example
NGFW{running-route-map}delete match as-path
NGFW{running-route-map}delete match community-list
NGFW{running-route-map}delete match ip next-hop 198.162.0.24
NGFW{running-route-map}delete match metric
NGFW{running-route-map}delete set as-path prepend
NGFW{running-route-map}match
Specifies the matching condition.
Syntax
match as-path ASPATH-LIST-NAME
match community-list COMMUNITY-LIST-NAME
match ip address ACCESS-LIST-NAME
match ip next-hop A.B.C.D
match metric (1-65535)
Example
NGFW{running-route-map}match metric 2
NGFW{running-route-map}set
Sets the route attributes.
Syntax
set as-path prepend( ASNUMBER){1,24}
set comm-list COMMUNITY-LIST-NAME delete
set community ((AA:NN)|internet|local-as|no-advertise|no-export)
set ip next-hop A.B.C.D
set local-preference (0-65535)
set metric (1-65535)
Example
NGFW{running-route-map}set as-path prepend 64497
NGFW{running-route-map}set as-path prepend 64496 64511 65536 65551
running-schedules Context Commands
NGFW{running}schedules
NGFW{running-schedules}delete
Deletes a schedule.
Syntax
delete schedule (all|SCHEDULENAME)
Example
NGFW{running-schedules}delete schedule myhours1
NGFW{running-schedules}delete schedule all
NGFW{running-schedules}rename
Rename a schedule.
Syntax
rename schedule SCHEDULENAME NEWSCHEDULENAME
Example
NGFW{running-schedules}rename schedule myhours1 myhours2
NGFW{running-schedules}schedule
Create or enter a schedule context.
Syntax
schedule SCHEDULENAME
Example
NGFW{running-schedules}schedule myhours1
running-schedules-X Context Commands
NGFW{running-schedules}schedule myhours1
NGFW{running-schedule-myhours1}delete
Delete a schedule-entry.
Syntax
delete schedule-entry (all|SCHEDULENAME)
Example
NGFW{running-schedule-myhours1}delete schedule-entry -mtwtf- from 09:00 to 10:00
NGFW{running-schedule-myhours1}description
Enter description for the segment.
Syntax
description TEXT
Example
NGFW{running-schedule-myhours1}description "After Normal Business Hours"
NGFW{running-schedule-myhours1}schedule-entry
Add a schedule entry.
Syntax
schedule-entry DAYS START-TIME
Example
NGFW{running-schedule-myhours1}schedule-entry s-----s from 00:00 to 23:59
NGFW{running-schedule-myhours1}schedule-entry -mtwtf- from 18:00 to 23:59
NGFW{running-schedule-myhours1}schedule-entry -mtwtf- from 00:00 to 07:00
NGFW{running-schedule-myhours1}schedule-entry -mtwtf- from 09:00 to 10:00
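The schedule-entry examples above use a seven-character day mask followed by "from HH:MM to HH:MM". The following added example (not HP's code and not part of the original guide) parses those entries, tests whether a timestamp falls inside the schedule, and counts the minutes of the week left uncovered. It assumes the mask is Sunday-first (inferred from "s-----s" and "-mtwtf-") and that the end minute is inclusive; the function names are the example's own.

```python
import re
from datetime import datetime

DAY_LETTERS = "smtwtfs"  # mask index 0 = Sunday ... 6 = Saturday (inferred)

# The four schedule-entry lines from the guide's example, unchanged.
SAMPLE = """\
NGFW{running-schedule-myhours1}schedule-entry s-----s from 00:00 to 23:59
NGFW{running-schedule-myhours1}schedule-entry -mtwtf- from 18:00 to 23:59
NGFW{running-schedule-myhours1}schedule-entry -mtwtf- from 00:00 to 07:00
NGFW{running-schedule-myhours1}schedule-entry -mtwtf- from 09:00 to 10:00
"""

ENTRY = re.compile(
    r"\}(delete )?schedule-entry ([smtwf-]{7}) from (\d\d:\d\d) to (\d\d:\d\d)$"
)


def minutes(hhmm):
    """Convert 'HH:MM' to minutes since midnight, rejecting impossible times."""
    hours, mins = (int(part) for part in hhmm.split(":"))
    if not (0 <= hours <= 23 and 0 <= mins <= 59):
        raise ValueError(f"invalid time {hhmm!r}")
    return hours * 60 + mins


def parse_mask(mask):
    """Return the set of day indexes (0 = Sunday) selected by a day mask."""
    days = set()
    for index, char in enumerate(mask):
        if char == "-":
            continue
        if char != DAY_LETTERS[index]:
            raise ValueError(f"letter {char!r} is in the wrong slot of {mask!r}")
        days.add(index)
    return frozenset(days)


def parse_entries(transcript):
    """Replay schedule-entry / delete schedule-entry lines in order."""
    entries = []
    for raw in transcript.splitlines():
        m = ENTRY.search(raw.strip())
        if not m:
            continue
        start, end = minutes(m.group(3)), minutes(m.group(4))
        if end < start:
            raise ValueError(f"entry ends before it starts: {raw.strip()!r}")
        entry = (parse_mask(m.group(2)), start, end)
        if m.group(1):                      # delete form removes an exact match
            if entry in entries:
                entries.remove(entry)
        else:
            entries.append(entry)
    return entries


def is_active(entries, when):
    """True if the datetime falls inside any entry (end minute inclusive)."""
    day = (when.weekday() + 1) % 7          # datetime uses Monday = 0
    minute = when.hour * 60 + when.minute
    return any(day in days and start <= minute <= end
               for days, start, end in entries)


def uncovered_minutes(entries):
    """Minutes per week (out of 10080) that no entry covers."""
    covered = set()
    for days, start, end in entries:
        for day in days:
            covered.update(day * 1440 + m for m in range(start, end + 1))
    return 7 * 1440 - len(covered)


if __name__ == "__main__":
    schedule = parse_entries(SAMPLE)
    print("uncovered minutes per week:", uncovered_minutes(schedule))
    for stamp in (datetime(2013, 8, 5, 8, 0), datetime(2013, 8, 5, 19, 30)):
        print(stamp, "active" if is_active(schedule, stamp) else "inactive")
```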
running-segmentX Context Commands
NGFW{running}segment0
NGFW{running-segment0}bind
Bind ethernet port pairs to segment.
Syntax
bind (ethernet1+ethernet2 | ethernet3+ethernet4 | ethernet5+ethernet6 | ethernet7+ethernet8)
Example
NGFW{running-segment0}bind ethernet1+ethernet2
NGFW{running-segment0}delete
Delete binding.
Syntax
delete (bind|high-availability|link-down)
Valid entries:
bind Unbind ethernet port pairs
high-availability Intrinsic HA Layer 2 Fallback action
link-down Link down synchronization mode
Example
NGFW{running-segment0}delete bind
NGFW{running-segment0}delete high-availability
NGFW{running-segment0}delete link-down
NGFW{running-segment0}description
Enter description for the segment.
Syntax
description TEXT
Example
NGFW{running-segment0}description "My Segment"
NGFW{running-segment0}high-availability
Intrinsic HA Layer 2 Fallback action block or permit.
Syntax
high-availability (block|permit)
block Enable block all
permit Enable permit all
Example
NGFW{running-segment0}high-availability permit
NGFW{running-segment0}link-down
Link down synchronization mode.
Syntax
link-down breaker [wait-time WAIT-TIME]
link-down hub
link-down wire [wait-time WAIT-TIME]
Valid entries:
breaker Enable breaker action
hub Enable hub action
wire Enable wire action
WAIT-TIME Time to wait before synchronizing in seconds
Example
NGFW{running-segment0}link-down wire wait-time 30
NGFW{running-segment0}restart
Restart both ethernet ports of segment.
Syntax
restart
Example
NGFW{running-segment0}restart
running-services Context Commands
NGFW{running}services
NGFW{running-services}delete
Delete service(s).
Syntax
delete service (all|SERVICENAME)
Example
NGFW{running-services}delete service myservice2
NGFW{running-services}delete service all
NGFW{running-services}rename
Rename service.
Syntax
rename service SERVICENAME NEWSERVICENAME
Example
NGFW{running-services}rename service myservice1 myservice2
NGFW{running-services}service
Create or enter a service context.
Syntax
service SERVICENAME
Example
NGFW{running-services}service myservice1
running-services-X Context Commands
NGFW{running-services}service myservice1
NGFW{running-services-myservice1}delete
Delete service parameters.
Syntax
delete icmp (all|NAME|NUMBER)
delete icmpv6 (all|NAME|NUMBER)
delete port tcp PORT [to LASTPORT]
delete port udp PORT [to LASTPORT]
delete port tcp all
delete port udp all
delete protocol (all|PROTONUM)
delete service (all|SERVICENAME)
Valid entries:
icmp Delete ICMPv4
icmpv6 Delete ICMPv6
port Delete port(s)
protocol Delete packet protocol number(s)
service Delete member service
Example
NGFW{running-services-myservice1}delete icmp any
NGFW{running-services-myservice1}delete icmpv6 any
NGFW{running-services-myservice1}delete port udp 53
NGFW{running-services-myservice1}delete port tcp all
NGFW{running-services-myservice1}delete protocol 6
NGFW{running-services-myservice1}delete service http
NGFW{running-services-myservice1}delete service dns
NGFW{running-services-myservice1}description
Apply service description.
Syntax
description TEXT
Example
NGFW{running-services-myservice1}description "my service 1"
NGFW{running-services-myservice1}icmp
Apply ICMPv4.
Syntax
icmp (NAME|NUMBER)
ICMP-CODENAMES Apply ICMPv4 code name
NUMBER Apply ICMP type number (0-255)
Example
NGFW{running-services-myservice1}icmp any
NGFW{running-services-myservice1}icmp 0
NGFW{running-services-myservice1}icmp echo-reply
NGFW{running-services-myservice1}icmpv6
Apply ICMPv6.
Syntax
icmpv6 (NAME|NUMBER)
ICMP6-CODENAMES Apply ICMPv6 code name
NUMBER Apply ICMPv6 type number (0-255)
Example
NGFW{running-services-myservice1}icmpv6 any
NGFW{running-services-myservice1}icmpv6 129
NGFW{running-services-myservice1}icmpv6 echo-reply
NGFW{running-services-myservice1}port
Apply TCP or UDP port number.
Syntax
port tcp PORT [to LASTPORT]
port udp PORT [to LASTPORT]
Valid entries:
tcp Apply TCP
PORT Apply port number
to Set port range to
LASTPORT Apply last port of range
udp Apply UDP
Example
NGFW{running-services-myservice1}port tcp 80 to 88
NGFW{running-services-myservice1}port udp 53
NGFW{running-services-myservice1}protocol
Apply protocol number.
Syntax
protocol IPPROTOCOL
IPPROTOCOL Apply packet protocol number
Example
NGFW{running-services-myservice1}protocol 6
NGFW{running-services-myservice1}service
Apply member service.
Syntax
service SERVICENAME
SERVICENAME Existing service name
Example
NGFW{running-services-myservice1}service http
NGFW{running-services-myservice1}service dns
running-smr Context Commands
NGFW{running}router smr
NGFW{running-smr}delete
Delete file or configuration item.
Syntax
delete dscp xmit
delete monitor A.B.C.D/M A.B.C.D [INTERFACE]
delete timer
delete ttl xmit
Valid entries:
dscp Delete the DSCP value in the outbound ICMP packets
monitor Monitored route
timer Base timer
ttl Delete the TTL setting for ICMP packets
Example
NGFW{running-smr}delete dscp xmit
NGFW{running-smr}delete timer
NGFW{running-smr}delete monitor 198.162.0.100/24 ?
Valid entry at this position is:
A.B.C.D The Gateway of the route
NGFW{running-smr}dscp
Define the global DSCP value.
Syntax
dscp xmit 0xXX
xmit Define the DSCP in the outbound ICMP packets
0xXX 6-bit Hexadecimal value (0x0 - 0x3f)
Example
NGFW{running-smr}dscp xmit 0x0
NGFW{running-smr}monitor
Define monitoring parameters for a route.
Syntax
monitor A.B.C.D/M A.B.C.D MULT MAXFAILURE [A.B.C.D]
monitor A.B.C.D/M A.B.C.D MULT MAXFAILURE distance DISTANCE [A.B.C.D]
monitor Monitor a static route
A.B.C.D/M The monitored route
A.B.C.D The Gateway of the route
MULT Timer multiplier for the polling (range: 1-255)
MAXFAILURE Failure limit for the polling (range: 1-16)
A.B.C.D Probe target different from the route gateway
distance Administrative distance of the route
DISTANCE Administrative distance value (default: 10, range: 1-255)
Example
NGFW{running-smr}monitor 192.168.0.100/24 192.168.0.102 2 3
NGFW{running-smr}timer
Define time base for polling.
Syntax
timer MSEC
MSEC base timer in milliseconds (50-300000). Default: 200
Example
NGFW{running-smr}timer 200
NGFW{running-smr}ttl
Define TTL of ICMP packets.
Syntax
ttl recv (1-255)
ttl xmit (1-255)
Valid entries:
recv Define expected TTL of received ICMP packets
xmit Define TTL of transmitted ICMP echo packets
Example
NGFW{running-smr}ttl recv 10
running-snat Context Commands
NGFW{running}src-nat
NGFW{running-snat}delete
Delete source NAT rule(s).
Syntax
delete rule (all|SRCNATRULEID)
Example
NGFW{running-snat}delete rule 123
NGFW{running-snat}rename
Rename source NAT rule.
Syntax
rename rule SRCNATRULEID NEWSRCNATRULEID
Example
NGFW{running-snat}rename rule 123 snat1
NGFW{running-snat}rule
Create or enter a rule context.
Syntax
rule (auto|SRCNATRULEID) [POSITION_VALUE]
Example
NGFW{running-snat}rule 123
running-snat-rule-X Context Commands
NGFW{running-snat}rule snat1
NGFW{running-snat-rule-snat1}delete
Delete file or configuration item.
Syntax
delete dst-zone (include|exclude) (all|ZONENAME)
delete src-address (include|exclude) group ADDRESSGROUP
delete dst-address (include|exclude) group ADDRESSGROUP
delete src-address (include|exclude) ipaddress A.B.C.D
delete dst-address (include|exclude) ipaddress A.B.C.D
delete src-address (include|exclude) ipaddress A.B.C.D/M
delete dst-address (include|exclude) ipaddress A.B.C.D/M
delete src-address (include|exclude) range A.B.C.D A.B.C.D
delete dst-address (include|exclude) range A.B.C.D A.B.C.D
delete translate-to interface
delete translate-to ipaddress (A.B.C.D|A.B.C.D/M)
delete translate-to range A.B.C.D A.B.C.D
Valid entries:
dst-address Delete destination addresses
dst-zone Delete destination security zone
src-address Delete source addresses
translate-to Apply translation
Example
NGFW{running-snat-rule-snat1}delete translate-to range 192.168.1.100 192.168.1.200
NGFW{running-snat-rule-snat1}delete dst-zone include all
NGFW{running-snat-rule-snat1}delete dst-address include ipaddress 192.168.1.0/24
NGFW{running-snat-rule-snat1}delete src-address exclude ipaddress 192.168.1.1
NGFW{running-snat-rule-snat1}description
Apply rule description.
Syntax
description TEXT
Example
NGFW{running-snat-rule-snat1}description "source nat rule 1"
NGFW{running-snat-rule-snat1}dst-address
Apply destination address.
Syntax
dst-address (include|exclude) group ADDRESSGROUP
dst-address (include|exclude) ipaddress A.B.C.D
dst-address (include|exclude) ipaddress A.B.C.D/M
dst-address (include|exclude) range A.B.C.D A.B.C.D
Example
NGFW{running-snat-rule-snat1}dst-address include ipaddress 192.168.1.0/24
NGFW{running-snat-rule-snat1}dst-address exclude ipaddress 192.168.1.1
NGFW{running-snat-rule-snat1}dst-address include range 192.168.1.100 192.168.1.200
NGFW{running-snat-rule-snat1}dst-zone
Apply destination security zone.
Syntax
dst-zone (include|exclude) ZONENAME
Example
NGFW{running-snat-rule-snat1}dst-zone include myzone1
NGFW{running-snat-rule-snat1}dst-zone exclude myzone1
NGFW{running-snat-rule-snat1}move
Move rule position in the rule table.
Syntax
move after SRCNATRULEID
move before SRCNATRULEID
move to position VALUE
Valid entries:
after Move rule position after the rule identifier
SRCNATRULEID Apply source NAT rule identifier
before Move rule position before the rule identifier
to Move to rule position
position Apply rule position
VALUE Apply rule position number
Example
NGFW{running-snat-rule-snat1}move after snat1
NGFW{running-snat-rule-snat1}move before snat1
NGFW{running-snat-rule-snat1}move to position 1
NGFW{running-snat-rule-snat1}src-address
Apply source address.
Syntax
src-address (include|exclude) group ADDRESSGROUP
src-address (include|exclude) ipaddress A.B.C.D
src-address (include|exclude) ipaddress A.B.C.D/M
src-address (include|exclude) range A.B.C.D A.B.C.D
Example
NGFW{running-snat-rule-snat1}src-address include ipaddress 192.168.1.0/24
NGFW{running-snat-rule-snat1}src-address exclude ipaddress 192.168.1.1
NGFW{running-snat-rule-snat1}src-address include range 192.168.1.100 192.168.1.200
NGFW{running-snat-rule-snat1}translate-to
Apply translation.
Syntax
translate-to interface
translate-to ipaddress (A.B.C.D|A.B.C.D/M)
translate-to range A.B.C.D A.B.C.D
Valid entries:
interface Apply translate interface
ipaddress Apply IP address
range Apply IP address range
Example
NGFW{running-snat-rule-snat1}translate-to interface
NGFW{running-snat-rule-snat1}translate-to ipaddress 192.168.1.1
NGFW{running-snat-rule-snat1}translate-to ipaddress 192.168.1.0/24
NGFW{running-snat-rule-snat1}translate-to range 192.168.1.100 192.168.1.200
running-snmp Context Commands
NGFW{running}snmp
NGFW{running-snmp}authtrap
Enable or disable SNMP authentication failure trap.
Syntax
authtrap (enable|disable)
Example
NGFW{running-snmp}authtrap enable
NGFW{running-snmp}community
Configure SNMP read-only community.
Syntax
community COMMUNITY [SOURCE]
COMMUNITY Text to identify SNMP system community
SOURCE IP (A.B.C.D|X:X::X:X), subnet (A.B.C.D/M|X:X::X:X/M), or "default"
default allow any IPv4/6 source
Example
NGFW{running-snmp}community mycommunity default
NGFW{running-snmp}delete
Delete file or configuration item.
Syntax
delete community (COMMUNITY|all)
delete trapsession (((A.B.C.D|X:X::X:X|FQDN) ver VERSION)|all)
delete username (USERNAME|all)
Valid entries:
community Delete SNMP read-only community
trapsession Delete a configured trap session
username Delete a configured user
Example
NGFW{running-snmp}delete community mycommunity
NGFW{running-snmp}delete community all
NGFW{running-snmp}delete trapsession 192.168.1.1 ver 3
NGFW{running-snmp}delete trapsession all
NGFW{running-snmp}engineID
Configure SNMPv3 engine ID.
Syntax
engineID ENGINE-ID
ENGINE-ID SNMPv3 Engine ID (1-32 hex octets, ex: 0x800012ef0302a11aab33f4)
Example
NGFW{running-snmp}engineID 0x800012ef0302a11aab33f4
NGFW{running-snmp}snmp
Enable or disable SNMP.
Syntax
snmp (enable|disable)
Example
NGFW{running-snmp}snmp enable
NGFW{running-snmp}trapsession
Configure SNMP v2c or v3 trap destinations.
Syntax
trapsession (A.B.C.D|X:X::X:X|FQDN) [port PORT] ver 2c COMMUNITY [inform]
trapsession (A.B.C.D|X:X::X:X|FQDN) [port PORT] ver 3 USERNAME level noAuthNoPriv
[inform]
trapsession (A.B.C.D|X:X::X:X|FQDN) [port PORT] ver 3 USERNAME level authNoPriv
authtype (MD5|SHA) AUTHPASS [inform]
trapsession (A.B.C.D|X:X::X:X|FQDN) [port PORT] ver 3 USERNAME level authPriv
authtype (MD5|SHA) AUTHPASS privproto PRIVPROTO [PRIVPASS] [inform]
Valid entries:
HOST IP address or DNS host name
port Configure SNMP port
PORT SNMP port (default 162)
ver Configure SNMP version (2c or 3)
2c SNMPv2c
COMMUNITY Text to identify SNMP system community
inform Send information message instead of a trap
3 SNMPv3
USERNAME Text to identify USM user name (for authentication/privacy)
level Configure security level (noAuthNoPriv|authNoPriv|authPriv)
noAuthNoPriv No authentication, no privacy
authNoPriv Authentication, no privacy
authtype Configure authentication type (MD5|SHA)
AUTHTYPE Authentication type
Possible values for AUTHTYPE are:
MD5 Message Digest 5
SHA Secure Hash Algorithm
AUTHPASS Authentication passphrase - must be at least 8 characters
authPriv Authentication and privacy
privproto Configure privacy protocol (DES|AES)
PRIVPROTO Privacy protocol
Possible values for PRIVPROTO are:
DES Data Encryption Security
AES Advanced Encryption Security
PRIVPASS Optional privacy passphrase - must be at least 8 characters
Example
NGFW{running-snmp}trapsession snmpserver.example.com ver 2c mycommunity inform
NGFW{running-snmp}trapsession 192.168.1.1 port 162 ver 2c mycommunity
NGFW{running-snmp}trapsession 192.168.1.1 port 162 ver 3 mysnmpusername level
authNoPriv authtype SHA mysnmppassword inform
NGFW{running-snmp}trapsession 100:0:0:0:0:0:0:1 ver 3 mysnmpusername level
authNoPriv authtype SHA mysnmppassword inform
NGFW{running-snmp}username
Configure SNMPv3 USM read-only user.
Syntax
username USERNAME level noAuthNoPriv
username USERNAME level authNoPriv authtype AUTHTYPE AUTHPASS
username USERNAME level authPriv authtype AUTHTYPE AUTHPASS privproto PRIVPROTO
[PRIVPASS]
Valid entries:
USERNAME Text to identify USM user name (for authentication/privacy)
level Configure security level (noAuthNoPriv|authNoPriv|authPriv)
noAuthNoPriv No authentication, no privacy
authNoPriv Authentication, no privacy
authtype Configure authentication type (MD5|SHA)
AUTHTYPE Authentication type
Possible values for AUTHTYPE are:
MD5 Message Digest 5
SHA Secure Hash Algorithm
AUTHPASS Authentication passphrase - must be at least 8 characters
authPriv Authentication and privacy
privproto Configure privacy protocol (DES|AES)
PRIVPROTO Privacy protocol
Possible values for PRIVPROTO are:
DES Data Encryption Security
AES Advanced Encryption Security
PRIVPASS Optional privacy passphrase - must be at least 8 characters
Example
NGFW{running-snmp}username mysnmpusername level noAuthNoPriv
NGFW{running-snmp}username mysnmpusername level authNoPriv authtype SHA
mysnmppassword
NGFW{running-snmp}username mysnmpusername level authPriv authtype SHA mysnmppassword
privproto AES mysnmpprivpassword
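The running-snmp syntax above accepts weak combinations (a community open to the "default" source, v2c traps, noAuthNoPriv, MD5, DES). The following is an added example, not part of the HP guide: a linter that reads saved running-snmp command lines and reports those settings. The function names and the sample lines are constructed for illustration, and each command is assumed to sit on one line.

```python
import re
import shlex

# Prompt prefix as printed in the guide, e.g. "NGFW{running-snmp}"
PROMPT = re.compile(r"^\S*?\{running-snmp\}")

def _after(tokens, key):
    """Tokens following keyword `key` (empty list if the keyword is absent)."""
    return tokens[tokens.index(key) + 1:] if key in tokens else []

def _v3_issues(tokens):
    """Check the 'level ...' tail shared by 'username' and 'trapsession ... ver 3'."""
    issues = []
    level = (_after(tokens, "level") or [""])[0]
    if level == "noAuthNoPriv":
        issues.append("noAuthNoPriv: no authentication, no privacy")
    elif level == "authNoPriv":
        issues.append("authNoPriv: payload is not encrypted")
    auth = _after(tokens, "authtype")            # AUTHTYPE AUTHPASS ...
    if auth and auth[0].upper() == "MD5":
        issues.append("authtype MD5: prefer SHA")
    if len(auth) > 1 and len(auth[1]) < 8:
        issues.append("AUTHPASS shorter than 8 characters")
    # PRIVPROTO [PRIVPASS]; a trailing 'inform' belongs to trapsession, not the tail
    priv = [t for t in _after(tokens, "privproto") if t != "inform"]
    if priv and priv[0].upper() == "DES":
        issues.append("privproto DES: prefer AES")
    if len(priv) > 1 and len(priv[1]) < 8:
        issues.append("PRIVPASS shorter than 8 characters")
    return issues

def audit_snmp(config_text):
    """Return [(command, [issues])] for each running-snmp command with findings."""
    report = []
    for raw in config_text.splitlines():
        line = PROMPT.sub("", raw.strip())
        if not line:
            continue
        tokens = shlex.split(line)
        cmd, issues = tokens[0], []
        if cmd == "community" and tokens[2:] == ["default"]:
            issues.append("SOURCE 'default' allows any IPv4/6 source")
        elif cmd == "trapsession":
            ver = (_after(tokens, "ver") or [""])[0]
            if ver == "2c":
                issues.append("v2c trap: community sent in cleartext")
            elif ver == "3":
                issues += _v3_issues(tokens)
        elif cmd == "username":
            issues += _v3_issues(tokens)
        elif cmd == "authtrap" and tokens[1:] == ["disable"]:
            issues.append("authentication-failure traps are disabled")
        if issues:
            report.append((line, issues))
    return report

# Constructed sample input in the guide's command syntax (not a real device config).
SAMPLE = """\
NGFW{running-snmp}community mycommunity default
NGFW{running-snmp}community mycommunity 192.168.1.0/24
NGFW{running-snmp}trapsession 192.168.1.1 port 162 ver 2c mycommunity
NGFW{running-snmp}trapsession 192.168.1.1 ver 3 mysnmpusername level authNoPriv authtype SHA mysnmppassword inform
NGFW{running-snmp}username mysnmpusername level noAuthNoPriv
NGFW{running-snmp}username weakuser level authPriv authtype MD5 short privproto DES
NGFW{running-snmp}username mysnmpusername level authPriv authtype SHA mysnmppassword privproto AES mysnmpprivpassword
"""

if __name__ == "__main__":
    for command, issues in audit_snmp(SAMPLE):
        print(command)
        for issue in issues:
            print("  -", issue)
```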
running-vlanX Context Commands
NGFW{running}interface vlan0
NGFW{running-vlan0}arp/ndp
Enable or disable ARP and NDP on interface.
Syntax
arp/ndp (enable|disable)
Example
NGFW{running-vlan0}arp/ndp enable
NGFW{running-vlan0}autoconfv6
Enable or disable IPv6 autoconfiguration on interface.
Syntax
autoconfv6 (enable|disable)
Example
NGFW{running-vlan0}autoconfv6 enable
NGFW{running-vlan0}bind
Bind an interface to vlan.
Syntax
bind PORT id vlanid
PORT Bind interface over ethernet, aggregated link or VLAN port
id VLAN ID
vlanid VLAN ID
Example
NGFW{running-vlan0}bind ethernet2 ?
Valid entry at this position is:
id VLAN ID
NGFW{running-vlan0}delete
Delete file or configuration item.
Syntax
delete bind
delete ip igmp
delete ip igmp version
delete ip ospf area
delete ip ospf authentication mode md5 (1-255) KEY
delete ip ospf authentication mode text KEY
delete ip ospf cost (1-65535)
delete ip ospf dead-interval (1-65535)
delete ip ospf hello-interval (1-65535)
delete ip ospf priority (0-255)
delete ip ospf retransmit-interval (3-65535)
delete ip ospf transmit-delay (1-65535)
delete ip pim-sm
delete ip rip
delete ip rip authentication mode md5
delete ip rip authentication mode text
delete ip rip receive version (v1-only|v2-only|v1-or-v2)
delete ip rip send version (v1-only|v2-only|v1-or-v2)
delete ip rip split-horizon
delete ipaddress (all|A.B.C.D/M|X:X::X:X/M)
delete ipaddress dhcpv4
delete ipaddress dhcpv6
delete ipv6 mld
delete ipv6 mld version
delete ipv6 ospfv3 area
delete ipv6 ospfv3 cost
delete ipv6 ospfv3 dead-interval
delete ipv6 ospfv3 hello-interval
delete ipv6 ospfv3 priority
delete ipv6 ospfv3 retransmit-interval
delete ipv6 ospfv3 transmit-delay
delete ipv6 pim-sm
delete ipv6 ripng
delete ipv6 ripng split-horizon
delete prefix (all|X:X::X:X/M)
delete shutdown
Valid entries:
bind Bind an interface to vlan
ip Configure IP settings
ip Delete IP settings
ipaddress Delete DHCPv4 client context
ipaddress Delete DHCPv6 client context
ipaddress Delete IP address
ipv6 Configure IPv6 settings
ipv6 Delete IPv6
prefix Delete IPv6 prefix
shutdown Shutdown logical interface state
Example
NGFW{running-vlan0}delete bind
NGFW{running-vlan0}delete ip igmp
NGFW{running-vlan0}delete ip rip authentication mode md5
NGFW{running-vlan0}description
Enter description for the interface.
Syntax
description TEXT
Example
NGFW{running-vlan0}description "My interface description"
NGFW{running-vlan0}ip
Configure IP settings.
Syntax
ip igmp
ip igmp version (1|2|3)
ip ospf area (A.B.C.D|(0-4294967295))
ip ospf authentication mode md5 (1-255) KEY
ip ospf authentication mode text KEY
ip ospf cost (1-65535)
ip ospf dead-interval (1-65535)
ip ospf hello-interval (1-65535) [A.B.C.D]
ip ospf priority (0-255)
ip ospf retransmit-interval (3-65535)
ip ospf transmit-delay (1-65535)
ip pim-sm
ip rip
ip rip authentication mode md5 (0-2147483647) KEY
ip rip authentication mode text
ip rip receive version (v1-only|v2-only|v1-or-v2)
ip rip send version (v1-only|v2-only|v1-or-v2)
ip rip split-horizon [poison-reverse]
Example
NGFW{running-vlan0}ip igmp
NGFW{running-vlan0}ip ospf area 192.168.0.24
NGFW{running-vlan0}ipaddress
Configure IP address.
Syntax
ipaddress (A.B.C.D/M|X:X::X:X/M) [primary]
ipaddress (dhcpv4|dhcpv6)
Valid entries:
A.B.C.D/M IPv4 address with netmask length
X:X::X:X/M IPv6 address with prefix length
dhcpv4 Configure DHCPv4 client
dhcpv6 Enter DHCPv6 client context
Example
NGFW{running-vlan0}ipaddress dhcpv4
NGFW{running-vlan0}ipv6
Configure IPv6 settings.
Syntax
ipv6 mld
ipv6 mld version (1|2)
ipv6 ospfv3 area (A.B.C.D|<0-4294967295>)
ipv6 ospfv3 cost COST
ipv6 ospfv3 dead-interval VALUE
ipv6 ospfv3 hello-interval VALUE
ipv6 ospfv3 priority VALUE
ipv6 ospfv3 retransmit-interval VALUE
ipv6 ospfv3 transmit-delay VALUE
ipv6 pim-sm
ipv6 ripng
ipv6 ripng split-horizon (simple|poison-reverse|inactive)
Valid entries:
mld Configure MLD settings
ospfv3 Configure OSPFv3 over the interface
pim-sm Configure PIM-SM over the interface
ripng Configure RIPng over the interface
area Enable the interface in an OSPFv3 area
<0-4294967295> OSPFv3 area ID as a decimal value
A.B.C.D OSPFv3 area ID in IP address format
cost OSPFv3 interface cost
COST Cost value (1-65535)
dead-interval Interval after which a neighbor is declared dead
VALUE Dead interval value (1-65535)
hello-interval Interval between HELLO packets
VALUE Hello interval value (1-65535)
priority OSPFv3 interface priority
VALUE Priority value (0-255)
retransmit-interval Interval between retransmitting lost link state advertisements
VALUE Retransmit interval value (3-65535)
transmit-delay Link state transmit delay
VALUE Transmit delay value (1-65535)
Example
NGFW{running-vlan0}ipv6 mld
NGFW{running-vlan0}ipv6 ripng split-horizon simple
NGFW{running-vlan0}mtu
Configure interface MTU.
Syntax
mtu (default|VALUE)
default Default value is applied
VALUE Interface MTU value (68-9216)
Example
NGFW{running-vlan0}mtu default
NGFW{running-vlan0}prefix
Configure IPv6 prefix.
Syntax
prefix X:X::X:X/M [valid-lifetime (1-4294967295)] [preferred-lifetime
(1-4294967295)]
Valid entries:
X:X::X:X/M IPv6 prefix
valid-lifetime Configure valid lifetime
(1-4294967295) Valid lifetime in seconds (default is 2592000)
preferred-lifetime Configure preferred lifetime
(1-4294967295) Preferred lifetime in seconds
(default is 604800 - cannot exceed valid lifetime)
Example
NGFW{running-vlan0}prefix 2001:db8::/32
NGFW{running-vlan0}prefix 2001:db8::/32 valid-lifetime 2592000
NGFW{running-vlan0}ra-autoconf-level
Modify IPv6 Router Advertisement autoconfiguration level.
Syntax
ra-autoconf-level AUTOCONF
Valid entries:
AUTOCONF Router Advert Autoconfiguration level (DHCP)
Possible values for AUTOCONF are:
none No parameter is autoconfigured
address Address is autoconfigured
other Some other parameters are autoconfigured
full Most parameters are autoconfigured
Example
NGFW{running-vlan0}ra-autoconf-level full
NGFW{running-vlan0}ra-interval
Modify IPv6 Router Advertisement interval value.
Syntax
ra-interval INTERVAL
Valid entries:
INTERVAL Router Advert emission period (in milliseconds)
Example
NGFW{running-vlan0}ra-interval 240
NGFW{running-vlan0}ra-interval-transmit
Modify IPv6 Router Advertisement interval transmit.
Syntax
ra-interval-transmit (enable|disable)
Valid entries:
enable Enable router advertisement
disable Disable router advertisement
Example
NGFW{running-vlan0}ra-interval-transmit enable
NGFW{running-vlan0}ra-lifetime
Modify IPv6 Router Advertisement prefix lifetime in seconds.
Syntax
ra-lifetime (0-9000000)
Example
NGFW{running-vlan0}ra-lifetime 9000000
NGFW{running-vlan0}ra-mtu
Modify IPv6 Router Advertisement MTU value.
Syntax
ra-mtu (none|MTU)
none Not configured
MTU MTU value advertised (68-9216) (0 if none)
Example
NGFW{running-vlan0}ra-mtu 9216
NGFW{running-vlan0}ra-transmit-mode
Modify IPv6 Router Advertisement transmit mode.
Syntax
ra-transmit-mode MODE
MODE Router Advertisement transmit mode
Possible values for MODE are:
always Router Advert message is always sent
never Router Advert message is never sent
smart Router Advert message is sent if a prefix is defined
Example
NGFW{running-vlan0}ra-transmit-mode always
NGFW{running-vlan0}shutdown
Shutdown logical interface state.
Syntax
shutdown
Example
NGFW{running-vlan0}shutdown
NGFW{running-vlan0}tcp4mss
Configure interface TCP MSS for IPv4.
Syntax
tcp4mss (disable|automatic|VALUE)
Valid entries:
disable Disable service
automatic Automatically select TCP MSS based on interface MTU
VALUE TCP MSS value for IPv4 (4-65535)
Example
NGFW{running-vlan0}tcp4mss 4
NGFW{running-vlan0}tcp6mss
Configure interface TCP MSS for IPv6.
Syntax
tcp6mss (disable|automatic|VALUE)
Valid entries:
disable Disable service
automatic Automatically select TCP MSS based on interface MTU
VALUE TCP MSS value for IPv6 (4-65535)
Example
NGFW{running-vlan0}tcp6mss automatic
running-zones Context Commands
NGFW{running}zones
NGFW{running-zones}delete
Delete security zone(s).
Syntax
delete zone (all|ZONENAME)
Valid entries:
zone Delete security zone(s)
all All settings
ZONENAME Existing security zone name
Example
NGFW{running-zones}delete zone all
NGFW{running-zones}delete zone myzone1
NGFW{running-zones}rename
Rename a specified zone.
Syntax
rename zone ZONENAME NEWZONENAME
Valid entries:
zone Enter security zone context
ZONENAME Existing security zone name
NEWZONENAME New security zone name
Example
NGFW{running-zones}rename zone myzone1 myzone2
NGFW{running-zones}zone
Enter security zone context.
Syntax
zone ZONENAME
Example
NGFW{running-zones}zone myzone1
running-zones-X Context Commands
NGFW{running-zones}zone myzone1
NGFW{running-zones-myzone1}application-visibility
Enable or disable application visibility.
Syntax
application-visibility (enable|disable)
Example
NGFW{running-zones-myzone1}application-visibility enable
NGFW{running-zones-myzone1}bind
Bind interfaces to zones.
Syntax
bind INTERFACE
Example
NGFW{running-zones-myzone1}bind ethernet5
NGFW{running-zones-myzone1}delete
Delete file or configuration item.
Syntax
delete bind (INTERFACE|all)
Valid entries:
bind Bind interfaces to zones
INTERFACE Delete interface from zone
all Delete all interfaces bound to the zone
Example
NGFW{running-zones-myzone1}delete bind ethernet5
NGFW{running-zones-myzone1}description
Enter description for the zone.
Syntax
description TEXT
Example
NGFW{running-zones-myzone1}description "my zone 1"
