Freedom9 freeGuard Blaze 2100 Cli Reference Manual

Freedom9 freeguard blaze 2100 firewall module: reference guide
freeGuard Blaze 2100 CLI Reference Guide, Version 3R2

Summary of Contents for Freedom9 freeGuard Blaze 2100

  • Page 1 Blaze 2100 CLI Reference Guide Version 3R2...
  • Page 2 COPYRIGHT NOTICE © Copyright 2007 Freedom9 Inc. ALL RIGHTS RESERVED. Under the copyright law, this manual and the software described within cannot be copied in whole or part, without written permission of the manufacturer, except in the normal use of the software to make a backup copy.
  • Page 3: Table Of Contents

    Contents: 1. Preface ... 5; 2. Command Descriptions ... 9; address ... 10; admin ... 12; all ... 14; arp ... 15; clock ... 16; config ... 18; console ... 19; counter ... 21; delete ... 22; dhcp ... 23; dns ... 24; domain ... 26; exit ... 27; file ... 28; group ... 29; ha ... 32; hostname ... 34; ike ... 35; ike-cookie ... 43; image ... 44; interface ... 45; ip ... 52; log ... 53; ntp ... 57; ping ... 59 ...
  • Page 4 Contents (continued): session ... 85; snmp ... 86; ssh ... 88; syslog ... 90; system ... 92; tech-support ... 93; trace-route ... 94; transparent ... 95; vpn ... 97; vrouter ... 101; zone ... 104
  • Page 5: Preface

    PREFACE. Contents: • About This Guide on page 6 • CLI Syntax on page 6 • Dependency Delimiters on page 6 • Object Name Conventions on page 6 • CLI Variables on page 6
  • Page 6 About This Guide: This guide describes the commands used to configure and manage the freeGuard Blaze 2100 from a management interface. CLI Syntax: The CLI syntax may include options, switches, parameters, and other features. Some command descriptions use dependency delimiters.
  • Page 7 Variable Notation The variable notation used in this manual consists of italicized parameter identifiers. For example, the set arp command uses four identifiers, as shown here: set arp ip_addr mac_addr interface | age number where • ip_addr represents an IP address. •...
  • Page 9: Command Descriptions

    COMMAND DESCRIPTIONS. This chapter lists and describes the Command Line Interface (CLI) commands.
  • Page 10: Address

    The address command is used to define entries in the address book of a security zone. An address book is a list containing all addresses, address groups, and domain names defined for a security zone.
  • Page 11 name name_str: The name of an individual address book entry. You can use an address group in a security policy definition to specify a single address.
  • Page 12: Admin

    The admin command is used to configure or display administrative parameters for the freeGuard Blaze 2100. There will be two accounts on the device: Read/Write Administrator (admin) and Read-Only Administrator (admin-r). The Read-only Administrator only has read privileges. The Read/Write Administrator will have full rights to create, modify and remove settings on the box.
  • Page 13 Example: The following command configures the email address john@abc.com to receive updates concerning administrative issues: set admin mail mail-addr1 john@abc.com. mail-addr2: set admin mail mail-addr2 name_str. Example: The following command configures the secondary email address pat@acme.com to receive updates concerning administrative issues: set admin mail mail-addr2 pat@acme.com. password...
  • Page 14: All

    The all command is used to return all configuration settings and software to the factory default settings. The configuration file, which stores the saved configuration settings of the box, is restored to factory default.
  • Page 15: Arp

    mac_addr: The MAC address of a network device for which you want to make a static entry in the ARP table. interface: The name of the interface through which the freeGuard Blaze 2100 can direct traffic to reach the network device with the specified IP address and MAC address.
  • Page 16: Clock

    The clock commands are used to get and set the system time. Syntax: get clock; set clock { date time | dst-off | ntp | timezone number }; unset clock { dst-off | ntp | timezone }. Keywords and Variables...
  • Page 17 timezone: Sets the time zone value. This value indicates the time difference between GMT standard time and the current local time (when DST is OFF). When DST is ON and the clock is already set forward one hour, decrease the time difference by one hour and set the minutes accurately.
  • Page 18: Config

    Use the config command to display the configuration settings for the device. You can display a current configuration setting (stored in RAM), or saved configurations (stored in flash memory). The config file can be saved to flash memory with the save command.
  • Page 19: Console

    console Use the console commands to define or list the CLI console parameters. The console parameters determine the following: • Whether the device displays messages in the active console window • The number of lines that may appear on a console window page •...
  • Page 20 Resize the console size to window size. timeout: set console timeout number; unset console timeout. Determines how many minutes the device waits before closing an inactive administrator session.
  • Page 21: Counter

    Use the counter commands to clear or display the values contained in traffic counters. Traffic counters provide processing information, which you can use to monitor traffic flow. The freeGuard Blaze 2100 maintains the following categories of counters: • Screen counters, for monitoring firewall behavior for the entire zone or for a particular interface •...
  • Page 22: Delete

    Use delete to delete persistent information in flash memory. Syntax: delete file filename | ssl certificate. Keywords and Variables: file: delete file filename. filename...
  • Page 23: Dhcp

    The dhcp command is used to configure the Dynamic Host Configuration Protocol. Syntax: get dhcp relay-server; set dhcp relay-server string interface interface; unset dhcp relay-server string interface interface. Keywords and Variables: interface: set dhcp relay-server string interface interface / unset dhcp relay-server string interface interface. Sets/unsets the relay server and interface.
  • Page 24: Dns

    The dns command is used to configure Domain Name System (DNS) or to display DNS configuration information. DNS allows network devices to identify each other using domain names instead of IP addresses.
  • Page 25 Using the name option with set places an entry in the DNS table, representing a host device with a host name and IP address. This allows you to reach a host using the host name. For example, executing set dns host name MyHost 3.3.3.18 creates a DNS table entry for a host at address 3.3.3.18, with a host name of MyHost.
  • Page 26: Domain

    The domain commands are used to set or get the domain name of the device. A domain name is a character string that identifies the security device. This domain name allows other devices to access the local device through a DNS server.
  • Page 27: Exit

    The exit command is used to terminate and log out from a CLI session. Syntax: exit. Keywords and Variables: None.
  • Page 28: File

    The file command is used to clear or display information for files stored in the flash memory. Syntax: get file [ filename | info ]. Keywords and Variables: Variable Parameters: clear [ ...
  • Page 29: Group

    The group commands are used to group multiple addresses or multiple services together in one group. A group allows you to reference a set of addresses or services by a single name in a policy. This eliminates the need for a separate policy for each address or service. [NOTE] Although a single policy might reference a service group with three members, the device generates multiple internal rules from that policy.
  • Page 30 address: Performs the operation on an address group. The zone value specifies the zone to which the address group is bound. This zone is either a default security zone or a user-defined zone. Adds an address or service named mbr_name.
  • Page 31 • From the console, you can add only one member to a group at a time. service grp_name: Performs the operation on a service group.
  • Page 32 The ha command is used to set high availability parameters on a node in the group. Syntax: get ha link; set ha priority node-priority hb-interval interval-in-ms hb-threshold threshold...
  • Page 33 link: Displays HA link information. peer-ip ip-address-of-peer: The IP address (destination) of the peer. preempt: This command is permitted only on the secondary node and is used to preempt the primary node and take over the role of primary node. The existing primary will reboot and join the cluster as a secondary node.
  • Page 34: Hostname

    The hostname commands are used to define the device name. This name always appears in the console command prompt. The host name is a character string that identifies the device. If you define a host name for the device (such as MyGateWay) and a domain name for the device (such as “MyDomain,”...
  • Page 35: Ike

    • In Phase 2, the peer devices negotiate the IPSec SAs for encrypting and authenticating the ensuing exchanges of user data. The gateway commands identify the devices or remote users with which the freeGuard Blaze 2100 establishes the VPN tunnel. The NAT traversal command is used to enable and manage the NAT traversal feature.
  • Page 36 Syntax: get ike cert | gateway [ name_str ] | ...; unset ike gateway [ name_str ] | p1-proposal name_str | p2-proposal name_str | ...; Phase 1 Proposal: set ike p1-proposal name_str ...
  • Page 37 Phase 2 Proposal: set ike p2-proposal name_str [ group1 | group2 | group5 | no-pfs ] esp [ 3des | des | aes128 | aes192 | aes256 | null ]. Gateway Tunnel: set ike gateway name_str [ aggressive | main ] [ local-id id_str ] [ outgoing-interface interface ] [ preshare key_str ]; set ike gateway name_string dpd always-send...
  • Page 38 address: Defines the remote IKE gateway address either as an IP address or as a hostname. Use this option to set up a site-to-site VPN. Example: The following command specifies mygateway.com as the address of a remote IKE gateway named mtt1, defines the preshared key as aabbccd, and specifies a security proposal named prop1:...
  • Page 39 Enables or disables IPsec NAT Traversal, a feature that allows transmission of encrypted traffic through a freeGuard Blaze 2100 configured for NAT. The NAT Traversal feature encapsulates ESP packets into UDP packets. This prevents the NAT device from altering ESP packet headers in transit, thus preventing authentication failure on the peer device.
  • Page 40 esp: Specifies Encapsulating Security Payload protocol, which provides encryption and authentication. des | 3des | aes128 | aes192 | aes256: Specifies the encryption algorithm. md5 | sha-1: Specifies the authentication (hashing) algorithm used in ESP protocol.
  • Page 41 The following parameters define the elapsed time between each attempt to renegotiate a security association. The minimum allowable lifetime is 180 seconds. The default lifetime is 28800 seconds. days number | hours number | minutes number | seconds number. Example: The following command specifies Phase 2 proposal g2-esp-3des-null: •...
  • Page 42 RADIUS server supports CHAP challenge to the remote access user, IKE will then forward the challenges to the remote user. Defaults •...
  • Page 43: Ike-Cookie

    Use the ike-cookie command to remove IKE-related cookies from the device. Syntax: clear ike-cookie { all | ip_addr }. Keywords and Variables: Variable Parameter: clear ike-cookie ip_addr. ip_addr: Directs the device to remove cookies based on an IP address (ip_addr). Example: The following command removes all cookies based on the IP address 10.1.10.10: clear ike-cookie 10.1.10.10...
  • Page 44: Image

    Use the image command to manage software images on the unit. After a software image is downloaded onto the unit with the tftp command, the image command allows you to set the downloaded image as active.
  • Page 45: Interface

    Use the interface commands to define or display interface settings. Interfaces are physical or logical connections that handle network traffic.
  • Page 46 Syntax: get interface [ all | interface [ dip [ dip_num ] ] ]; set interface interface dhcp-relay enable | dip dip_num ip_addr1 [ ip_addr2 ] [fix-port] | shift-from ip_addr3 to ip_addr4 [ ip_addr5 ] [fix-port] ip ip_addr/mask |...
  • Page 47 set interface interface.id_num (sub-interfaces) dhcp-relay enable | dip dip_num ip_addr1 [ ip_addr2 ] [fix-port] | shift-from ip_addr3 to ip_addr4 [ ip_addr5 ] [fix-port] ip ip_addr/mask | manage { http | https | ping | snmp | ssh | telnet } | nat | protocol rip enable | route |...
  • Page 48 set interface interface dip dip_num ip_addr1 [ ip_addr2 ]; unset interface interface dip dip_num. Sets a Dynamic IP (DIP) pool. Each DIP pool consists of a range of addresses. The device can use the pool to dynamically or deterministically allocate source addresses when the device applies source address translation (NAT-src) to packets traversing the specified interface.
  • Page 49 set interface interface ip ip_addr/mask unset interface interface ip ip_addr The IP address ip_addr and netmask mask for the specified interface or subinterface. Example The following commands create logical interface eth0.2, bind it to the Trust zone, and assign it IP address 10.1.1.23/24: set interface eth0.2 zone trust set interface eth0.2 ip 10.1.1.23/24...
  • Page 50 set interface interface nat. protocol: set interface interface protocol protocol; unset interface interface protocol. set interface interface phy { ... }; unset interface interface phy: Defines the physical connection mode on the specified interface.
  • Page 51 zone: set interface interface zone zone. Binds the interface to the specified security zone. Example: The following command binds the interface eth1.1 to the “trust” zone: set interface eth1.1 zone trust
  • Page 52 Use the ip commands to set or display IP parameters for communication with a TFTP server. The freeGuard Blaze 2100 can use TFTP servers to save or import external files. These files can contain configuration settings, software versions, public keys, error messages, certificates, and other items.
  • Page 53: Log

    Use the log commands to configure the device for message logging. The log commands allow you to perform the following: • Display the current log status according to severity level, policy, service, software module, source, destination, or duration. • Determine which log information to display or omit. •...
  • Page 54 set log module arp level [*] destination [**] | cfg level [*] destination [**] | dhcrelay level [*] destination [**] | dos level [*] destination [**] | edk level [*] destination [**] | fup level [*] destination [**] |...
  • Page 55 unset log module arp level [*] destination [**] | cfg level [*] destination [**] | dhcrelay level [*] destination [**] | dos level [*] destination [**] | edk level [*] destination [**] | fup level [*] destination [**] | ike level [*] destination [**] | interface level [*] destination [**] | ip level [*] destination [**] |...
  • Page 56 level: set log module name_str level string destination string; unset log module name_str level string destination string. Specifies the urgency level of the generated log messages. Starting with the most urgent, these levels are emergency, alert, critical, error, warning, notification, information, and debugging.
  • Page 57: Ntp

    Use the ntp commands to configure the device for Simple Network Time Protocol (SNTP). SNTP is a simplified version of NTP, which is a protocol used for synchronizing computer clocks in the Internet. This version is adequate for devices that do not require a high level of synchronization and accuracy.
  • Page 58 ip_addr: The IP address of the primary NTP server with which the device can synchronize its system clock time. dom_name: The domain name of the primary NTP server with which the device can synchronize its system clock time.
  • Page 59: Ping

    ping Use the ping command to check the network connection to another system. Syntax ping [ ip_addr | name_str ] [ count number [ size number [ time-out number ] ] ] Keywords and Variables Variable Parameters ping [ ip_addr | name_str ] [ ... ] ip_addr | name_str Pings the host at address (ip_addr) or with name (name_str).
  • Page 60 • Ping count of 4 • Packet size 1000 • Ping timeout of three seconds: ping 10.100.2.11 count 4 size 1000 time-out 3
  • Page 61: Pki

    The PKI (Public Key Infrastructure) commands provide PKI and X509 certificate services to the configuration agent. Syntax: get pki; set pki authority idnum | x509 [ pkcs10 number ] | [ cert number ] | [ dn ] | [ list ca-cert | cert |...
  • Page 62 unset pki; exec pki. Keywords and Variables: authority: CA authority references. get pki authority idnum; set pki authority idnum | cert-path [ full | partial ]. cert-path: Sets the X509 certificate path validation level to full or partial.
  • Page 63 refresh: The CRL refresh interval. server-name: The LDAP server name. The URL of CRL storage. cert-status, revocation-check: Uses the CRL to check the certificate status. None: Disables CRL checking. ldap: Default LDAP server configuration. set pki ldap [ crl-url | server-name ]. crl-url: Sets the default LDAP URL for CRL.
  • Page 64 Sets the IP address. local-name: Sets the locality. name: Sets the name in a common name field. org-name: Sets the organization name. org-unit-name: Sets the organization unit name.
  • Page 65: Policy

    Use the policy commands to define policies to control network and VPN traffic. A policy is a set of rules that determines how traffic passes between security zones (interzone policy), between interfaces bound to the same zone (intrazone policy), and between addresses in the Global zone (global policy).
  • Page 66 Syntax: get policy; set policy [ global ] [ id pol_num1 ] [ top | before pol_num2 ] nat [ src [ dip-id id_num ] deny | permit | reject |...
  • Page 67 unset policy { pol_num | id pol_num } disable; unset policy default-permit-all; unset policy global port-attack. Keywords and Variables: get policy all: Displays information about all security policies. before: set policy before pol_num1 { ... }. Specifies the position of the policy before another policy (pol_num) in the access control list (ACL).
  • Page 68 deny | permit | reject: set policy [ global ] { ... } permit | deny | reject [ ... ]. deny: Blocks the service at the firewall.
  • Page 69 get policy [ global ] id pol_num; set policy [ global ] id pol_num1 { ... }; unset policy id pol_num [ disable ]. id pol_num: Specifies a policy ID number. (The disable switch disables the policy.) Example: The following command assigns the policy an ID value of 10 and permits FTP-GET traffic from any address in the Trust zone to any address in the Untrust zone: set policy id 10 from trust to untrust any any ftp-get permit. move...
  • Page 70 src: Performs NAT-src on traffic to which the policy applies. The device can perform NAT-src using the egress interface IP address (in which case, you do not specify a DIP pool) or with addresses from a Dynamic IP (DIP) pool: dip-id id_num: Specifies the ID number of a DIP pool.
  • Page 71 small-servers. ini-killer: Ini-Killer is a Trojan Horse attack that allows an attacker to destroy .ini files on a remote computer communicating over TCP port 9989. netbus: NetBus is a Trojan Horse attack for Windows 95/98/NT that, once executed on a remote computer, will allow an attacker to perform illicit activities such as opening and closing the CD-ROM, starting applications, showing different messages or even redirecting a web browser to a specific URL on the Internet. netspy: NetSpy is a Trojan Horse attack that allows an attacker to perform illicit...
  • Page 72 Example: The following command: • Permits any kind of service from any address in the Trust zone to any address in the Untrust zone •...
  • Page 73: Pppoe

    Use the pppoe command to set/unset the ppp/pppoe configuration. Syntax: get pppoe all | statistics; set pppoe ac string | authentication [ any | chap | pap ] | enable | interface name | netmask string | ppp [ lcp-echo-retries | lcp-echo-timeout ] | service string | static-ip | username string password string...
  • Page 74 pap: Only PAP is acceptable. enable: Enables the PPP/PPPoE link. interface: set pppoe interface name. name: The interface to which to bind PPPoE. netmask: set pppoe netmask string. string...
  • Page 75: Reset

    Use the reset command to restart the device. Syntax: reset no-prompt | save-config { no | yes }. Keywords and Variables: no-prompt: reset no-prompt. Indicates no confirmation. save-config: reset save-config [ no | yes ]. no: Directs the device not to save the current configuration before resetting. yes: Directs the device to save the current configuration before resetting.
  • Page 76: Route

    Use the route commands to display entries in the static route table and add entries to the static route table. The get route command displays the IP address, netmask, interface, gateway, protocol, preference, and metric.
  • Page 77 route: set route ip_addr/mask [ ... ]; unset route ip_addr/mask [ ... ]. Configures routes for the routing table. ip_addr/mask: Specifies the IP address that appears in the routing table. gateway ip_addr: Specifies the gateway for the next hop. id id_num: Displays information for the route that matches the ID number. The ID number is a system-assigned number that you can see when you enter the get route command with no options. interface interface: Specifies the interface on which a packet for this route is to be...
  • Page 78 Use the sa commands to display active or inactive security associations (SAs) or to clear a specified SA. A security association (SA) is a unidirectional agreement between VPN participants regarding the methods and parameters to use while securing a communication channel.
  • Page 79: Save

    Use the save commands to save images to the device, and configuration settings to or from the device. Syntax: save; save config; save config from ...; save software; save software from flash to tftp ip_addr filename; save software from tftp ip_addr filename boot { pri | sec } | mos { pri | sec }. Keywords and Variables...
  • Page 80 on a TFTP server (192.168.0.3): save config from flash to tftp 192.168.0.3 output.txt. tftp: save config from tftp ip_addr filename to { ... }; save software from tftp ip_addr filename to { ...
  • Page 81: Scheduler

    Applies the policy only at times defined in the specified schedule. Syntax: get scheduler name name_string; get scheduler once; get scheduler recurrent; set scheduler name_string; unset scheduler name_string. Example: Create a schedule named “Mkt_Sched.” set schedule Mkt_Sched
  • Page 82: Service

    The service commands are used to create custom service definitions, modify existing service definitions, or display the current entries in the service definition list. Use service definitions in policies to specify how the device provides a service during a secure session.
  • Page 83 protocol: Defines the service by IP protocol; defines a protocol for the specified service. ptcl_num specifies the protocol by protocol number. tcp specifies a TCP-based service. udp specifies a UDP-based service. icmp specifies an ICMP-based service. Example: The following command sets a service named “ipsec” that uses protocol 50: set service ipsec protocol 50. src-port | dst-port svc_name...
  • Page 84 user: Displays all user-defined services. Defaults: The default timeout for TCP connections is 30 minutes. The default timeout for UDP connections is 1 minute. Using the get service command without any arguments displays all pre-defined, user-defined, and service group information in the service book.
  • Page 85: Session

    session Use the session commands to clear or display entries in the session table. The session table contains information about individual sessions between hosts that communicate through the device. Every time the device initiates a new session, it creates a session entry and uses the information in the entry while processing subsequent traffic between the hosts.
  • Page 86: Snmp

    Use the snmp command to manage SNMP network settings. Syntax: get snmp community | settings | statistics; set snmp community name_str [ host host_namestring ] | contact string | location string |...
  • Page 87 host: set snmp community comm_string host hostname_string. Defines the community name string and the name of the SNMP management host. The mask value defines an SNMP community member as a subnet. location: set snmp location string; unset snmp location. Defines the physical location of the system.
  • Page 88: Ssh

    Use the ssh commands to configure the Secure Shell (SSH) server task. The SSH server task is an SSH-compatible server application that resides on the device. When you enable the SSH server task, SSH client applications can manage the device through a secure connection.
  • Page 89 report: get ssh report. Displays SSHv2 key and session information for the device on which SSH is currently enabled.
  • Page 90: Syslog

    Use the syslog commands to configure the device to send traffic and event messages to up to four syslog hosts, or to display the current syslog configuration. [NOTE] The syslog host must be enabled before you can enable syslog.
  • Page 91 enable: Enables the device to send messages to the syslog host(s). facilities: set syslog config { name_str | ip_addr } facility local0 | local1 | local2 | local3 | local4 | local5 | local6 | local7. Defines the facility level for each syslog host that you specify. Example: The following command sets the syslog host configuration to report all logs: set syslog config 172.16.20.249 facility local0...
  • Page 92: System

    Use the get system command to display general system information. The information displayed by the get system command includes: •...
  • Page 93: Tech-Support

    Use the tech-support command to display technical support information. Syntax: get tech-support dump [ all | spu | memory | interrupts | pib_pob | dump parser ] | read { read* string string } (* = 8, 16, 32, 64). Keywords and Variables: get tech-support dump all. dump...
  • Page 94: Trace-Route

    Use the trace-route command to display the route to a host. Syntax: trace-route { ip_addr | name_str } [ hop number [ time-out number ] ]. Keywords: Variable Parameters: trace-route ip_addr...
  • Page 95: Transparent

    The transparent command is used to enable or disable transparent mode configuration parameters. The transparent mode feature enables a VPN-firewall device to function as a simple 2-port layer-2/bridge device so that it can be deployed as a bump-in-the-wire device with minimal changes to the existing network (especially from the routing point of view).
  • Page 96 bmcast: Enables/disables bridging of non-IP (neither ARP nor MPLS) broadcast and multicast packets. The default setting is NOT to bypass (allow) the bridging of non-IP broadcast and multicast packets.
  • Page 97: Vpn

    The vpn command is used to create and delete a Virtual Private Network (VPN) tunnel, or to show VPN tunnels already configured. A VPN tunnel is a way to secure network traffic across a public network. A VPN tunnel consists of a pair of unidirectional security associations (SAs), one at each end of the tunnel, that specify the security parameter index (SPI), destination IP address, and security protocol (Authentication Header or Encapsulating Security Payload) used to exchange packets through the tunnel.
  • Page 98 Example: The following command displays a VPN tunnel named “TunnelA”: get vpn tunnela. set vpn tunn_str manual spi_num1 spi_num2 gateway ip_addr [ ... ] ah { ...
  • Page 99 or SHA-1. The key key_str value defines a 16-byte (MD5) or 20-byte (SHA-1) hexadecimal key. Example: The following command creates a Manual Key VPN tunnel named “Mkt_vpn”. • Specifies local and remote SPI values 2002 and 3003 • Specifies the IP address of the remote gateway 2.2.2.2 •...
  • Page 100 • The Phase 2 proposal consists of the following components: Diffie-Hellman group 2 to protect the keying information during Phase 2 key exchanges; Encapsulating Security Payload (ESP) to provide both confidentiality through encryption and encapsulation of the original IP packet and integrity through...
  • Page 101: Vrouter

    vrouter Use the vrouter commands to control the virtual interface. Use the rip commands to specify and control the Routing Information Protocol (RIP). Syntax get vrouter name protocol rip advertise-def-route | reject-default-route interface name protocol rip enable | vrouter default rip enable | protocol rip reject-def-route unset...
  • Page 102 set vrouter-id number. To disable the RIP instance: unset vrouter rip. Enabling RIP on Interfaces: By default, RIP is disabled on all interfaces and you must explicitly enable it on an interface. When you disable RIP at the interface level, RIP does not transmit or receive packets on the specified interface.
  • Page 103 set interface name protocol rip authentication mode [ text | md5 <abcedef123> ]; set interface name protocol rip passive-mode. Queries: If a RIP-2 router receives a RIP-1 Request, it should respond with a RIP-1 Response. If the router is configured to send only RIP-2 messages, it should not respond to a RIP-1 Request. Get/Show Commands: get protocol rip advertise-def-route; get protocol rip default-metric...
  • Page 104: Zone

    Use the zone commands to create, remove, or display a security zone, and to set screen options. A security zone is a method for sectioning the network into segments to which you can apply security options.
  • Page 105 Syntax: get zone id id_num | ...; set zone name zone zone; unset zone zone block | screen. Keywords and Variables: Variable Parameters: get zone zone [ ... ]; set zone zone { ... }; unset zone zone { ... }. zone: The name of the zone.
  • Page 106 get zone all [ ... ]: Displays information on all existing zones. block: set zone zone block; unset zone zone block. Imposes intra-zone traffic blocking.
  • Page 107 Example: The following command enables the icmp-fragments firewall service for the trust zone: set zone trust screen icmp-fragments. Creating Interfaces. Example: The following example shows how to: • Create a new zone named marketing • Enable syn-flood screening • Bind interface eth0 to the zone: set zone name marketing; set zone marketing screen syn-flood; set interface eth0 zone marketing...