WatchGuard Firebox V10 Command Line Interface Manual

Manual is about: Firebox Vclass series

Summary of Firebox V10

  • Page 1

    WatchGuard® Command Line Interface User Guide, WatchGuard Firebox Vclass 5.1.

  • Page 2

    ii WatchGuard Vclass 5.1. Copyright: Copyright © 1998-2003 WatchGuard Technologies, Inc. All rights reserved. Notice to users: information in this document is subject to change and revision without notice. This documentation and the software described herein is subject to and may only be used and copie...

  • Page 3

    WatchGuard Command Line Interface Guide iii. WatchGuard Technologies, Inc. Firebox System Software End-User License Agreement. WatchGuard Firebox System (WFS) End-User License Agreement. IMPORTANT — READ CAREFULLY BEFORE ACCESSING WATCHGUARD SOFTWARE: This WFS End-User License Agreement (“Agreement”) i...

  • Page 4

    Software Product are owned by WatchGuard or its suppliers. Your rights to use the Software Product are as specified in this Agreement, and WatchGuard retains all rights not expressly granted to you in this Agreement. Nothing in this Agreement constitutes a waiver of our righ...

  • Page 5

    4. Limited Warranty. WatchGuard makes the following limited warranties for a period of ninety (90) days from the date you obtained the Software Product from WatchGuard Technologies or an authorized dealer: (a) Media. The disks and documentation will be free ...

  • Page 6

    will meet your requirements, any warranty of uninterrupted or error-free operation, any obligation, liability, right, claim or remedy in tort, whether or not arising from the negligence (whether active, passive or imputed) or fault of WatchGuard and any obligation, liability...

  • Page 7

    6. Export Controls. You agree not to directly or indirectly transfer the Software Product or documentation to any country to which such transfer would be prohibited by the U.S. Export Administration Act and the regulations issued thereunder. 7. Termination...

  • Page 9

    Contents. Contents .......................................................................ix Chapter 1 Using the Command Line Interface ..........1 Introducing the WatchGuard CLI .......................................1 CLI capabilities ........................

  • Page 10

    Navigating through the CLI ........................................... 13 Common navigation commands .................................... 14 Using keywords .......................................................... 15 Show command/argument (“name”) usage ........................

  • Page 11

    Chapter 3 Configuration Mode Commands .............41 Top-level configuration mode commands ........................41 Abort command ..........................................................43 Address command ..................................................

  • Page 12

    Level 2 remote access service (RAS) configuration commands ........................................................................ 102 Level 2 system configuration commands ...................... 107 Level 2 license commands (for upgraded or additional features) .............

  • Page 13

    Chapter 5 Other Commands ...................................143 No command ...............................................................143 Rename command .......................................................143 Show command .............................

  • Page 14

    Index ......................................................................... 161.

  • Page 15

    Chapter 1 Using the Command Line Interface. Introducing the WatchGuard CLI. The WatchGuard CLI (command line interface) offers the experienced network administrator an efficient way to set up and manage WatchGuard Firebox Vclass security appliances via a termi...

  • Page 16

    attempting to use the CLI. Learning the WatchGuard Vcontroller, its terms and processes, and the underlying “flow” of appliance administration, will establish a solid competency with concepts and terms used extensively in the CL...

  • Page 17

    CLI guide text conventions. CLI limitations. Please note that the WatchGuard CLI is not a complete replacement for the WatchGuard Vcontroller application, as you cannot do the following with the CLI: • Set up probes that monitor the current activities of the s...

  • Page 18

    quotation marks; however, you do not need to type quotes when entering a text string. For example, we might say: set a user_profile name to “all_ras_users.” In this example, you could type your own user profile name (or string) in p...

  • Page 19

    Getting started with the WatchGuard CLI. There is a single space between “address” and “-group,” and “group” and “exec_staff.” Comments. Comments are presented as italicized text preceded by the “#” character. # This is a sample comment. More command-specific ...

  • Page 20

    permitting CLI console (Telnet/SSH) access to the system through that interface. This may be done by means of the CLI or the WatchGuard Vcontroller, once configuration is complete. Note: If you attempt to log into a functioning, ful...

  • Page 21

    4. As this is a new appliance, type “admin” (the default login text) and press . The login for a legacy appliance is “rsadmin.” A “password” prompt is displayed. 5. Type “admin” (again, the default password text) a...

  • Page 22

    Note: The CLI will not accept any other “superadmin” login names. A “password” prompt is displayed. 4. Type the current password (the default is “admin”, or “rsadmin” for a legacy appliance) and press to submit the password and l...

  • Page 23

    Case sensitivity. Commands, command arguments and keywords in the WatchGuard CLI are not case sensitive. For example, SHOW POLICY is equivalent to show policy. Note: Object name strings are case sensitive. Typing the ad...

  • Page 24

    Deleting text in the command line interface. To delete characters to the left of the cursor, press the Backspace key, or press ^H. To delete all characters from the current position of the cursor back to the beginning of the com...

  • Page 25

    lowing example of command line block repetition, the IP addresses, port numbers, and weighting are assigned for three servers in a round-robin load balanced cluster: Note, too, that the command line in the above example...

  • Page 26

    New or different command arguments may be “substituted” in the most-recent command line recalled from history. Use the format ^old_command^new_command to effect a substitution as shown in the following example: wg#!49 # This is ...

  • Page 27

    Navigating through the CLI. wg#!49 # This is the command. show service dns # The next six lines are the result. Service group: name = dns description = "domain name services" protocol = udp server_port = 53 wg#^dns^ssh ...

  • Page 28

    At every command level except the top (root) level, entering the top command and pressing Enter “jumps” the CLI user from the current level to the top (root) command level. The top (root) command level does not have this command av...

  • Page 29

    Arguments: none. Example: wg(admin)#exit. Top command. wg(admin)#top. Effect: immediately returns to the top level of the WatchGuard CLI (the “wg#” prompt) from whatever level of CLI you are using. Arguments: none. Example: w...

  • Page 30

    Show command/argument (“name”) usage. Entering the show command along with a valid command name or argument will display all stored entries associated with the named term. See the following examples. These examples show only partial...

  • Page 31

    Example 2: show only “private_https” security policy settings. wg(config)#show policy private_https. Security policy: name = private_https description = * * order = 1 source = any destination = interface_0_ip service = h...

  • Page 32

    usage syntax. For example, here is a help command that requests (and obtains) the command argument options and syntax used to configure a security policy: wg#configure wg(config)#policy? policy [ num>] [-position ] [-firewall ] [ [...

  • Page 33

    Installing and configuring a WatchGuard appliance. You can use the WatchGuard CLI to perform almost all setup and configuration tasks. We’ve organized the following catalog of tasks into general categories,...

  • Page 34

    To assign network addresses to appliance interfaces. To assign network addresses to the data interfaces, use these commands (along with the arguments and values noted later in this user guide): To complete system configuration. To co...

  • Page 35

    To create and apply security policies. To create and apply security policies, use these commands: wg(config)#cert: request and import needed certificates from CAs. wg(config)#denial_of_service: customize anti-h...

  • Page 36

    To remove/delete items from a WatchGuard database. To remove a particular object (policy, action, group profile, etc.), use this command: wg(config)#delete. To save and apply your most recent changes. To save and apply the latest chan...

  • Page 37

    To restore an appliance to the factory-default state: wg(admin)#restore_default. To review the most recent tasks (at any level): (CLI prompt)#history. Command / description: wg(debug)#arp: display and configure the...

  • Page 38

    To get on-line help while working. To get help with the WatchGuard CLI. Command / description: ?: online help at any prompt, or at the end of any other command. show: view a list of objects at the # prompt. history: view the last 20 commands...

  • Page 39

    Chapter 2 Administration Mode Commands. All WatchGuard CLI commands are organized into groups, which are presented as specific command modes. This chapter covers the commands available in administration mode. Command syntax conventions used in this guide. To ...

  • Page 40

    tion to the text notation introduced in “CLI guide text conventions” on page 3. If you enter a command in the CLI, such as the following: wg(config)#policy and press without adding any arguments to the command line, the WatchGuard CL...

  • Page 41

    plete list of related arguments and values, in the form in which you should enter them. This is helpful when the CLI tells you that a command you just entered isn’t acceptable. You can call up this text to review requirements an...

  • Page 43

    4. Click Open. A Browse dialog appears. 5. Select the text file you created earlier, and click Select. The admin account is unlocked. Arguments: -login_limit: this command displays the current login limits set f...

  • Page 44

    Effect: restores the system software to the previously installed version. Arguments: none. Example: wg(admin)#downgrade. Note: If you apply this command, certain WatchGuard features incorporated in the current version may not be available a...

  • Page 46

    and is connected to another security appliance assigned to a backup role. Effect: initiates the WatchGuard Firebox Vclass security appliance hotsync process, which copies the complete profile (configurations and policies) from this appl...

  • Page 47

    CRL command. wg#admin wg(admin)# import crl [-tftp] -ftp target/file_name -[console]. Effect: imports an XML file via one of several possible methods. Arguments: none. Example: wg(admin)#import cert -ftp wg:wg@ftp.watchguard.com:/pub/...

  • Page 49

    merge: merges the new IP addresses into the existing list of IP addresses. override: replaces all of the existing IP addresses with the IP addresses on the imported list. Example: wg(admin)# import ip blocked override –ft...

  • Page 50

    crypto self-test, and random number generation can be tested. - Object reuse is avoided. Keys are zeroed out when they are no longer in use. Common Criteria (CC) mode. Common Criteria (CC) defines a language for defining and evaluating ...

  • Page 51

    process. Type a space, then the text of the current password after the command. When you press , a “new password:” prompt is displayed, at which you can type the new password, using between 6 and 20 characters. Note: Alert: pleas...

  • Page 52

    automatically logged out of the appliance, but after a few minutes (and a considerable display of status messages), the main login prompt will appear. You can log in again at this time. Arguments: none. Restore default command. wg#admin ...

  • Page 53

    shuts down this WatchGuard appliance. You will be automatically logged out of the appliance, at which time you can break the CLI connection. Arguments: none. Upgrade command. wg(admin)#upgrade upgrade [-tftp] upgrade.rsu > upgrade...

  • Page 55

    Chapter 3 Configuration Mode Commands. All WatchGuard CLI commands are organized into groups, which are presented as specific command modes. This chapter covers the commands available in configuration mode. Top-level configuration mode commands. The following...

  • Page 56

    Command / for more information: abort: see “abort command” on page 43. address: see “address command” on page 43. certificate: see “certificate command” on page 45. commit: see “commit command” on page 45. delete: see “delete command” on page 4...

  • Page 57

    Abort command. wg#config wg(config)#abort. Effect: aborts (erases) all system configuration changes made since the last use of the wg(config)#commit command. This empties the cache of to-be-committed changes and additions....

  • Page 58

    addressing arguments, depending upon the contents of this address. -host [A.B.C.D]…: this argument notes a single IP address (omitting subnet information). -net [A.B.C.D/E]…: this argument notes a single subnet IP address and subnet mask ...

  • Page 59

    Certificate command. wg#config wg(config)#certificate. Effect: enters the certificate-configuration mode, at which point you can enter certificate-specific task commands and their arguments. Arguments: none in this mode. Se...

  • Page 60

    Example: wg(config)#delete address exec_addresses # This command deletes an address group named “exec_addresses”. wg(config)#delete ike policy "hq ike" # This command deletes an IKE policy named “hq ike”. Denial_of_service command. wg#con...

  • Page 61

    [no][-pingofdeath]: activates ping-of-death protection. [no][-sourceroute]: activates source route protection by disallowing source route options. [no][-server_ddos ]: activates server DDoS protection; the default threshol...

  • Page 62

    Effect: enters the high availability (HA) configuration mode, at which point you can enter HA-specific commands and their arguments. Arguments: none in this mode. See also: for more information about “ha” mode commands, see “Level 2 high a...

  • Page 63

    Interface command. wg#config wg(config)#interface. Effect: enters the system interface configuration mode, at which point you can enter interface-specific commands and their arguments. Arguments: none in this mode. See also...

  • Page 64

    Effect: enters license parameter configuration mode, at which point you can enter license-specific commands and their arguments. Arguments: none in this mode. See also: for more information about “license” mode commands, see “Level 2 licen...

  • Page 65

    Arguments: none. Example: wg#config wg(config)#log wg(config-log)#clear_all. Diagnostics command (log level). wg#config wg(config)#log wg(config-log)#diagnostics [ike ] #level=1-6 [cmm ] [nm ] [pmm ] [ha ]. Effect: runs log ...

  • Page 67

    [no] traffic command (log level). wg#config wg(config)#log wg(config-log)#[no] traffic. Effect: turns the traffic log on or off. Arguments: none. Example: wg#config wg(config)#log wg(config-log)#traffic. History command (log l...

  • Page 68

    nat: rename NAT actions. policy: rename security policies. qos: rename QoS actions. ras: rename RAS group. schedule: rename schedule actions. service: rename service groups. Effect: allows you to rename various items. See also: see “rename command” o...

  • Page 69

    (for one-to-one and subnet-to-subnet mapping): this argument specifies (1) that this is a static NAT action, and records the address groups associated with the internal and external sources. The address groups can be sin...

  • Page 70

    Note: Dynamic NAT is already present in the WatchGuard database by default, and is ready for use in security policies. You can specify “dynamic_nat” as the NAT action when you create the appropriate policies. Examples: wg(config...

  • Page 71

    Effect: disables the high availability feature. Arguments: none. Example: wg#config wg(config)#no high_availability. Policy command. Effect: allows you to create a new security policy or revise an existing policy, pending your...

  • Page 72

    destination address groups to which this policy will be applied. This argument records the interface this policy will apply to. [-position ]: this argument records which numbered location this policy occupies in the policy table. [-firew...

  • Page 74

    -firewall pass -ipsec sj_ny_ipsec wg(config)#policy sj_la_vpn \ -mss_adjustment_per_policy \ limit_to 1400 wg(config)#policy sj_ny_vpn \ -icmp_error_handling_per_policy all wg(config)#policy sj_ny_vpn -position 5. The previous example sh...

  • Page 75

    RAS command. wg#config wg(config)#ras. Effect: enters the remote access services (RAS) configuration mode, at which point you can enter RAS connection-specific commands and their arguments. Arguments: none in this mode. See...

  • Page 78

    use this argument to note the names of two or more related services. +: use this argument (the “+” character) to add an additional service to an existing group. Examples: wg(config)# service ldap -single tcp 389 wg(config)# service my_ap...

  • Page 79

    Effect: runs a trace for the specified object. Arguments: none in this mode. Tenant command. wg#config wg(config)#tenant. Effect: enters the tenant configuration mode, at which point you can record a new tenant entry for eit...

  • Page 80

    History command. wg#config wg(config)#history. Effect: shows the last 20 commands exercised at this level of CLI. Note, too, that you can apply it at any level of the CLI. For example, you may apply the “history” command after extensive po...

  • Page 81

    Second level configuration mode commands. • “Level 2 high availability configuration commands” on page 72 • “Level 2 IKE configuration commands” on page 78 • “Level 2 interface configuration commands” on page 82 • “Level 2 IPSec configuration commands” on pa...

  • Page 82

    request or a text file, that you transmit to the proper authority. Arguments: this argument notes the host name of this appliance (omitting the remainder of the DNS entry). -company: this argument notes the name of your company or organiz...

  • Page 83

    -cou us -dns rs1.watchguard.com -key \ {rsa 1024 both}. If this command is successful, the CLI will prompt you to cut and paste the results into the appropriate means of submitting this request to the authority. Impor...

  • Page 84

    Show command (configure certificate level). wg#config wg(config)#certificate wg(config-cert)#show [cert_id]. Effect: displays the properties of a specific certificate or a certificate request. If no “specific certificate” argument is used,...

  • Page 87

    Example: wg(config-ha)#show ha. type: active_active primary system name =2026 secondary system name =2027 no shared secret interfaces primary ip mask secondary ip mask monitoring 0: 192.168.104.64 255.255.255.0 192.168...

  • Page 89

    For more information, see “High availability advanced configuration mode” on page 77. disable: disables high availability. hotsync: syncs the local appliance with its peer. In active/standby mode a hotsync should be pe...

  • Page 90

    HA2 interface of the master and backup appliances, if needed. This command will, depending on your use, activate or deactivate the HA system. polling_interval: this optional command establishes the HA polling interval. The default value i...

  • Page 93

    Arguments: enter the name of this action prior to recording the arguments. This argument specifies your choice of mode. [-natt [-natt_keepalive ]]: -natt enables or disables NAT traversal (UDP encapsulation). -natt_kee...

  • Page 94

    preceding arguments, the following values are options you can apply: Example: wg(config-ike)#action my_act -main \ (line break) –rsa {g2 3des md5 10hr 100mb} {g1 des sha 45min} \ –dss {g2 3des sha 8hr}. Policy command (configure IKE level...

  • Page 95

    Arguments: this argument records a brief, descriptive name for this policy. This argument notes either “any” (indicated by *) or the address group representing the peer appliance(s). -action: this argument notes the na...

  • Page 96

    Example: wg(config-ike)#policy "remote users" * -action \ remote_users -peer -domain watchguard.com \ -user_domain watchguard.com -local {20001 domain} wg(config-ike)#policy ike_ny_sj ny_gateway \ -action psk_main -peer any -preshared \...

  • Page 97

    Effect: displays the current network address settings for each of the main security appliance data interfaces: 0 (private), 1 (public) or 2 (DMZ, where applicable). Arguments: none. Example: wg(config-if)# show. The resul...

  • Page 99

    Put “no” in front of this command to turn off the DHCP server on this interface. [dhcp_relay ]: this allows you to use a separate DHCP server on your network to serve DHCP addresses, with the Vclass acting as a DHCP a...

  • Page 102

    password contains the pound (#) character, it needs to be placed in double quotes. [ this allows you to set PPPoE to dial-on-demand or always-on mode. The function of following this option differs in each mode. For dial-on-demand mode,...

  • Page 104

    Example: wg(config-if)#interface 1 10.10.12.8\ 255.255.0.0 -mtu 1500\ -10_full_duplex or wg(config-if)#interface 1 10.10.12.8/16 -mtu 1500 -10_full_duplex. Example (PPPoE): wg(config-if)#interface 1 pppoe\ -user joeuser -password joepass\ ...

  • Page 109

    Apply interface address changes to appliance. wg#config wg(config)#interface wg(config-if)#exit. Effect: use this command to immediately apply any interface address changes to this appliance. The appliance will update y...

  • Page 110

    Effect: records a new IPSec action (manual key or automatic key), including one or more proposals which have been created beforehand. Arguments: type a unique name for this action. This argument determines whether this action is tunnel mo...

  • Page 111

    around ESP and AH algorithms) qualify this manual key exchange. -esp: enter this argument if this action employs an ESP protocol for the manual key. Use this argument to enter a unique number that represents the SPI o...

  • Page 112

    appliance. The number should be between 256 and 65535. Use this argument to pick either MD5 or SHA encryption algorithms. This argument will contain the actual manual key text, noted in ASCII or hexadecimal notation. Example: wg(config-i...

  • Page 114

    Examples: wg(config-ipsec)#proposal "new_prop1" -antireplay \ 32 -esp {3des md5 10hrs} {des md5 5hr 10mb} -ah \ {sha 34min 100mb} # This example shows the creation of a new proposal. wg(config-ipsec)# prop my_proposal + -ah \ { sha 8hr ...

  • Page 116

    Level 2 remote access service (RAS) configuration commands. Group_profile command (configure RAS level). wg#config wg(config)#ras wg(config-ras)#group_profile \ [no][-address_pool ] \ [-dns ] [-session_time_out ] \ [-idle_time_out ] \ [-...

  • Page 117

    connection before it is automatically broken. The default is 15 (minutes). [-concurrent_logins_per_user ]: this argument specifies the number of concurrent connections a user can establish. The default is 1. Example ...

  • Page 118

    used by this account, and should be between 6 and 8 characters in length. [-full_name ]: this argument notes the full name of the user, up to 15 characters in length. [-group_profile “profile_name”]: this argument specifies which user gr...

  • Page 119

    password expiresat sat may 19 15:40:40 2001 password epiry = 60 days account expiresat sat may 19 15:40:40 2001 account epiry = 60 days concurrent logins = 1. Database command (configure RAS level). wg#config wg(confi...

  • Page 120

    times, to configure a primary and a backup server connection. If you want to delete the configuration entries for a backup RADIUS server, enter the “no backup” argument. -ip: this argument establishes the IP address of the RADIUS server...

  • Page 121

    Level 2 system configuration commands. Command / for more information, see: dns: “dns command (configure system level)” on page 108. cpm: “cpm command (configure system level)” on page 108. fwuser: “fwuser command (configure...

  • Page 122

    DNS command (configure system level). wg#config wg(config)#system wg(config-sys)# [no] dns \ -server [A.B.C.D]. Effect: records the domain names and IP addresses of all relevant domain name servers. Arguments: no: this argument (when entered...

  • Page 123

    Second level configuration mode commands watchguard command line interface guide 109 effect enables this appliance to be managed by means of the watchguard centralized policy manager (cpm). You can also use this command to disable cpm as needed. If enabling cpm access, be sure to enter the cpm-acces...

  • Page 125

    Second level configuration mode commands watchguard command line interface guide 111 effect activates (or deactivates) a network connection to an ldap server that this security appliance would use to look up certificate revocation lists during ike key negotiations. Arguments no this argument (when e...

  • Page 127

    Second level configuration mode commands watchguard command line interface guide 113 transmission. The results of this calculation are used as the mss for the connection. Limit_to this limits mss to the specified size in bytes. You can specify a value between 40—1640 bytes. Disable this specifies th...

  • Page 130

    Chapter 3: configuration mode commands 116 watchguard vclass 5.1 to review and confirm your entries, type this command: wg(config-sys)#show sysinfo the complete results will appear as suggested here (in eight lines): system name=mucho system contact=o. Maas system location=lot 49 version=4.0 serialn...

  • Page 131

    Second level configuration mode commands watchguard command line interface guide 117 vpn command (configure system level) wg#config wg(config)#system wg(config-system)#vpn [[no] ignore_df_for_ipsec] [[no] ipsec_pass_through] effect this allows you to set options for vpn. Arguments [no] ignore_df_for...

  • Page 132

    Chapter 3: configuration mode commands 118 watchguard vclass 5.1 effect lists all currently active extra features (obtained through licensing). Arguments none delete command (config license level) wg#config wg(config)#license wg(config-license)#delete effect removes the named license from the applia...

  • Page 133

    Second level configuration mode commands watchguard command line interface guide 119 example wg#config wg(config)#license wg(config-license)#show ord license name license id expiration date 1 v80_3des_ha_bundle 3293mxld 17-05-2022 or wg#config wg(config)#license wg(config-license)#show 3293mxld license na...

  • Page 134

    Chapter 3: configuration mode commands 120 watchguard vclass 5.1 arguments this argument records the name assigned to this vlan tenant (for use in security policies.) this argument record the vlan id as "id" followed by the number (between 1 and 4096) assigned to this tenant. This argument specifies...

  • Page 135

    Second level configuration mode commands watchguard command line interface guide 121 # valid user domain tenant -id must be from 5001 to 65535 # -idle_time_out m idle timeout. M is the number in minutes # -radius_timeout sec time out for radius request # -radius_retry n number of retries for radius ...

  • Page 136

    Chapter 3: configuration mode commands 122 watchguard vclass 5.1 the radius server, if a port number other than the default is used. This argument indicates the radius password and its text. [-backup_radius_ip a.b.c.d] \ [backup_radius_port number] this pair of arguments allows you to note a backup ...

  • Page 139

    Level 3 configuration mode commands watchguard command line interface guide 125 arguments type one of the above-noted “log level” selections after the command prompt, to indicate what to include in this events log. If you type “critical”, the log will record only critical events, whereas if you type...

  • Page 140

    Chapter 3: configuration mode commands 126 watchguard vclass 5.1 n to void the changes and leave the database in its previous state.

  • Page 141

    Watchguard command line interface guide 127 chapter 4 debug mode commands all watchguard cli commands are organized into groups, which are presented as specific command modes. This chapter covers the commands available in debug mode. Debugging/troubleshooting commands the cli debug commands, detaile...

  • Page 142

    Chapter 4: debug mode commands 128 watchguard vclass 5.1 debugging information is not synced between ha appliances. Command for more information arp see “arp command” on page 129. Clear_logs see “clear_logs” on page 129. Config_http see “config_http command” on page 129. Conn_idle_timeout see “con...

  • Page 143

    Debugging/troubleshooting commands watchguard command line interface guide 129 arp command wg#debug wg(debug)#arp effect displays or manipulates the arp cache. Arguments none example wg(debug)#arp clear_logs wg#debug wg(debug)#clear_logs effect clear all log entries. Argument none config_http comman...

  • Page 145

    Debugging/troubleshooting commands watchguard command line interface guide 131 set_default restore the setting to the factory default value effect enables or disables instant ha state synchronization. This is enabled by default. Example wg#debug ha_instant_sync enable hwdiag command wg#debug wg(debu...

  • Page 146

    Chapter 4: debug mode commands 132 watchguard vclass 5.1 how many interfaces your device has. Type ifconfig with no options or arguments to show detailed interface information. Note: when using the ifconfig command in transparent mode, you must use eth1, as in the following example: ifconfig eth1 ip...

  • Page 147

    Debugging/troubleshooting commands watchguard command line interface guide 133 - images/rs_sublogo.gif you can save these files from the login and result pages to your local system using your browser’s “save” function. Once the files are saved, you can edit the files, adding images, replacing text, ...

  • Page 148

    Chapter 4: debug mode commands 134 watchguard vclass 5.1 netstat command wg#debug wg(debug)#netstat effect this command displays the network status as seen from the security appliance’s point of view. To review the arguments for this command, type -?. The following are some of the available argument...

  • Page 149

    Debugging/troubleshooting commands watchguard command line interface guide 135 pppoe_config command effect this command allows you to set pppoe echo (keep-alive) and re-authorization times and limits. Arguments -i allows you to set the echo (keep-alive) interval, from 1—1200 seconds. -f allows you ...

  • Page 150

    Chapter 4: debug mode commands 136 watchguard vclass 5.1 pay special attention to the arguments for this command. Arguments [-pap ] this optional argument specifies pap as the authentication used by this radius server, along with the pap password. [-sid ] this optional argument specifies securid as ...

  • Page 151

    Debugging/troubleshooting commands watchguard command line interface guide 137 use in this ping attempt. The default entry is “test123”. This argument notes the ip address of the interface where the radius request will be sent. This argument notes the ip address of the radius server. Example wg(debu...

  • Page 152

    Chapter 4: debug mode commands 138 watchguard vclass 5.1 rs_kdiag command wg#debug wg(debug)#rs_kdiag effect this command displays internal diagnostics information. Arguments none.

  • Page 153

    Debugging/troubleshooting commands watchguard command line interface guide 139 set_dos_if command effect this sets denial of service (dos) protection on individual interfaces. The default settings are 0000000f. Example wg#debug wg(debug)#set_dos_if set 0011 slink command wg#debug wg(debug)#slink [ ...

  • Page 154

    Chapter 4: debug mode commands 140 watchguard vclass 5.1 1000a = 1000basefx, autonegotiation enabled 1000h = 1000basefx, autonegotiation disabled 100f = 100baset, full-duplex mode 100h = 100baset, half-duplex mode 10f = 10baset, full-duplex mode 10h = 10baset, half-duplex mode show displays the curr...

  • Page 155

    Debugging/troubleshooting commands watchguard command line interface guide 141 time_exceeded response from each gateway along the path to the target device. You can use this command to troubleshoot network routing and connectivity. Arguments be sure to type the ip address of the target device, as sh...

  • Page 156

    Chapter 4: debug mode commands 142 watchguard vclass 5.1 Note: this feature is not supported in software versions earlier than 5.0. Example wg#debug wg(debug)#vinstall 10.10.0.98 ftpadmin ftppass /upload/downgrade/encrypted.tgz.

  • Page 157

    Watchguard command line interface guide 143 chapter 5 other commands this chapter describes commands that do not belong to one of the three main command modes (administration, configuration, and debug). No command the no command is used before another command or argument to turn off or disable the...

  • Page 158

    Chapter 5: other commands 144 watchguard vclass 5.1 show command as a way of viewing lists and details of a watchguard appliance’s configuration, the show command (and its arguments) provides an adaptable means of cataloging such things as address groups, ipsec actions or ras user profiles. Once you...

  • Page 159

    Show command watchguard command line interface guide 145 show address command display current address groups wg#show address effect displays the current catalog of address groups stored in this watchguard firebox vclass security appliance ike see “show ike command” on page 149. Interface see “show i...

  • Page 160

    Chapter 5: other commands 146 watchguard vclass 5.1 arguments none. Display contents of address group wg#show address effect displays the current contents of a specifically named address group. Arguments this argument notes the address group name. Example wg#show address exec_staff show alarm comman...

  • Page 161

    Show command watchguard command line interface guide 147 show all_routes command wg#show all_routes effect displays a summary of the routes–static and dynamic–recorded in this watchguard appliance. Arguments none. Example wg#show all_routes show certificate command wg#show certificate effect display...

  • Page 162

    Chapter 5: other commands 148 watchguard vclass 5.1 wg#show certificate pending wg#show certificate 19478 show cpm command wg#show cpm effect shows whether cpm is enabled or disabled, and general cpm information. Examples wg#show cpm arguments none. Show denial_of_service command wg#show denial_of_s...

  • Page 163

    Show command watchguard command line interface guide 149 effect displays any dns configurations. Arguments none show ike command wg#show ike effect displays the current catalog of ike policies or actions, depending upon your choice of argument. Arguments this argument allows you to specify whether t...

  • Page 164

    Chapter 5: other commands 150 watchguard vclass 5.1 show interface command wg#show interface effect displays a detailed summary of all data interfaces in this watchguard appliance. Arguments none example wg#show interface show ipsec command wg#show ipsec effect displays the current catalog of ipsec ...

  • Page 165

    Show command watchguard command line interface guide 151 component, action or proposal, that you want to review. After entering the “action” or “proposal” argument, enter this value, which indicates the actual name of a specific proposal or action that you want to review in detail. Examples wg#show ...

  • Page 167

    Show command watchguard command line interface guide 153 effect displays whether the system is running in router or transparent mode. Arguments none example wg#show mode show nat command wg#show nat effect lists any current nat actions stored in this appliance database. Arguments none display nat ac...

  • Page 168

    Chapter 5: other commands 154 watchguard vclass 5.1 arguments none. Example wg#show ntp show policy command wg#show policy effect displays the parameters/settings for a specifically named security policy. Arguments this argument notes the exact name of the security policy you want to review. Example...

  • Page 169

    Show command watchguard command line interface guide 155 arguments this argument represents your preference–to review the current system qos setting or the list of available qos actions. Example wg#show qos system show qos action configuration wg#show qos action effect displays the configuration of ...

  • Page 170

    Chapter 5: other commands 156 watchguard vclass 5.1 display specific ras contents wg#show ras effect displays the contents of the specifically named ras component–a user profile or group profile. Arguments this argument notes either group profile or user profile. This argument records the name of th...

  • Page 171

    Show command watchguard command line interface guide 157 arguments this argument specifies your choice of a list of phase-one sa’s or a list of phase-two tunnels. Either list provides a complete catalog of the requested item, in a table that includes considerable details about each item. [id] this a...

  • Page 172

    Chapter 5: other commands 158 watchguard vclass 5.1 arguments this argument represents the exact name of the service group you want to review in detail. Example wg#show service e-mail show snmp command wg#show snmp effect displays the snmp settings for the appliance. Arguments none. Example wg#show ...

  • Page 173

    Show command watchguard command line interface guide 159 effect displays the basic "general" system configurations, including appliance name, location, and contact person's name. Arguments none example wg#show sysinfo show sysupgrade command wg#show sysupgrade effect displays a chronological record ...

  • Page 174

    Chapter 5: other commands 160 watchguard vclass 5.1 show version command wg#show version effect displays the version number of watchguard operating software. Arguments none example wg#show version.

  • Page 175

    Watchguard command line interface guide index a abbreviations 8 abort system configuration changes 43 accelerated data interface, set physical speed of 139 adding settings and policies 10 address group modification 43 address group, display specific 146 address groups, display all 145 administration...

  • Page 176

    System 64 tenant 65 tunnel_switch 65 configuration, level 2 action (ike) 78 action (ipsec) 95 action (qos) 100 active_feature (license) 117 database (ras) 105 delete (license) 118 dns (system) 108 enable (high_availability) 74 exit (high_availability) 76 exit (interface) 95 fwuser (system - idle_tim...

  • Page 177

    Watchguard command line interface guide administration mode disable 108 cli editing appending to recent command 11 argument syntax 9 use of \ character 9 case sensitivity 9 case sensitivity in object strings 9 command abbreviation 8 command prompt 8 delete 10 exchanging command arguments in recent c...

  • Page 178

    Firewall authentication screens, replacing 132 h ha 2 interface configuration 93 ha configuration 47 ha configuration, display 72 ha enable 74 ha, apply configuration changes 76 ha, disabling 48 ha_instant_sync 130 ha_sync 31 help 17 help online 17 high availability see ha high availability configur...

  • Page 179

    Watchguard command line interface guide log configuration, level 3 commands 124–126 log entries, clear 129 log file, show last 25 entries of specific 152 log into existing appliance 7 log into factory default appliance 6 log out 18 m maintenance commands 22 mss 59, 112 mss_adjustment 112 mss_adjustm...

  • Page 180

    Reset vclass appliance 37 return to next highest level 14 return to top command level 15 route configuration entry 113 route configuration, level 3 commands 122 route information, display of 140 routes, list all active 156 routes, summarize all dynamic and static 147 s sa information, show current ph...

  • Page 181

    Watchguard command line interface guide x xml export debugging information not exported 127 xml profile import 33.