Copyright
Copyright 1998-2003 WatchGuard Technologies, Inc. All rights reserved.
Notice to Users
Information in this document is subject to change and revision without notice. This documentation and the software described herein is subject to and may only be used and copied as outlined in the Firebox System software end-user license agreement. No part of this manual may be reproduced by any means, electronic or mechanical, for any purpose other than the purchaser's personal use, without prior written permission from WatchGuard Technologies, Inc.

TRADEMARK NOTES
WatchGuard and LiveSecurity are either trademarks or registered trademarks of WatchGuard Technologies, Inc. in the United States and other countries. Firebox, ServerLock, DVCP, and Designing peace of mind are trademarks of WatchGuard Technologies, Inc. All other trademarks or trade names mentioned herein, if any, are the property of their respective owners.

Part No: 1200016
SOFTWARE PRODUCT are owned by WATCHGUARD or its suppliers. Your rights to use the SOFTWARE PRODUCT are as specified in this AGREEMENT, and WATCHGUARD retains all rights not expressly granted to you in this AGREEMENT. Nothing in this AGREEMENT constitutes a waiver of our rights under U.S. copyright law or any other law or treaty.

2. Permitted Uses. You are granted the following rights to the SOFTWARE PRODUCT:
(A) You may install and use the SOFTWARE PRODUCT on any single computer at any single location. If you wish to use the SOFTWARE PRODUCT on a different computer, you must erase the SOFTWARE PRODUCT from the first computer on which you installed it before you install it onto a second.
(B) To use the SOFTWARE PRODUCT on more than one computer at once, you must license an additional copy of the SOFTWARE PRODUCT for each additional computer on which you want to use it.
(C) You may make a single copy of the SOFTWARE PRODUCT for backup or archival purposes only.

3. Prohibited Uses. You may not, without express written permission from WATCHGUARD:
(A) Use, copy, modify, merge or transfer copies of the SOFTWARE PRODUCT or printed materials except as provided in this AGREEMENT;
(B) Use any backup or archival copy of the SOFTWARE PRODUCT (or allow someone else to use such a copy) for any purpose other than to replace the original copy in the event it is destroyed or becomes defective;
(C) Sublicense, lend, lease or rent the SOFTWARE PRODUCT;
(D) Transfer this license to another party unless (i) the transfer is permanent, (ii) the third party recipient agrees to the terms of this AGREEMENT, and (iii) you do not retain any copies of the SOFTWARE PRODUCT; or
(E) Reverse engineer, disassemble or decompile the SOFTWARE PRODUCT.
4. Limited Warranty. WATCHGUARD makes the following limited warranties for a period of ninety (90) days from the date you obtained the SOFTWARE PRODUCT from WatchGuard Technologies or an authorized dealer:
(A) Media. The disks and documentation will be free from defects in materials and workmanship under normal use. If the disks or documentation fail to conform to this warranty, you may, as your sole and exclusive remedy, obtain a replacement free of charge if you return the defective disk or documentation to us with a dated proof of purchase.
(B) SOFTWARE PRODUCT. The SOFTWARE PRODUCT will materially conform to the documentation that accompanies it. If the SOFTWARE PRODUCT fails to operate in accordance with this warranty, you may, as your sole and exclusive remedy, return all of the SOFTWARE PRODUCT and the documentation to the authorized dealer from whom you obtained it, along with a dated proof of purchase, specifying the problems, and they will provide you with a new version of the SOFTWARE PRODUCT or a full refund, at their election.

Disclaimer and Release. THE WARRANTIES, OBLIGATIONS AND LIABILITIES OF WATCHGUARD, AND YOUR REMEDIES, SET FORTH IN PARAGRAPHS 4, 4(A) AND 4(B) ABOVE ARE EXCLUSIVE AND IN SUBSTITUTION FOR, AND YOU HEREBY WAIVE, DISCLAIM AND RELEASE ANY AND ALL OTHER WARRANTIES, OBLIGATIONS AND LIABILITIES OF WATCHGUARD AND ALL OTHER RIGHTS, CLAIMS AND REMEDIES YOU MAY HAVE AGAINST WATCHGUARD, EXPRESS OR IMPLIED, ARISING BY LAW OR OTHERWISE, WITH RESPECT TO ANY NONCONFORMANCE OR DEFECT IN THE SOFTWARE PRODUCT (INCLUDING, BUT NOT LIMITED TO, ANY IMPLIED WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, ANY IMPLIED WARRANTY ARISING FROM COURSE OF PERFORMANCE, COURSE OF DEALING, OR USAGE OF TRADE, ANY WARRANTY OF NONINFRINGEMENT, ANY WARRANTY THAT THIS SOFTWARE PRODUCT
WatchGuard Command Line Interface Guide v
WILL MEET YOUR REQUIREMENTS, ANY WARRANTY OF UNINTERRUPTED OR ERROR-FREE OPERATION, ANY OBLIGATION, LIABILITY, RIGHT, CLAIM OR REMEDY IN TORT, WHETHER OR NOT ARISING FROM THE NEGLIGENCE (WHETHER ACTIVE, PASSIVE OR IMPUTED) OR FAULT OF WATCHGUARD AND ANY OBLIGATION, LIABILITY, RIGHT, CLAIM OR REMEDY FOR LOSS OR DAMAGE TO, OR CAUSED BY OR CONTRIBUTED TO BY, THE SOFTWARE PRODUCT).

Limitation of Liability. WATCHGUARD's liability (whether in contract, tort, or otherwise; and notwithstanding any fault, negligence, strict liability or product liability) with regard to THE SOFTWARE Product will in no event exceed the purchase price paid by you for such Product. IN NO EVENT WILL WATCHGUARD BE LIABLE TO YOU OR ANY THIRD PARTY, WHETHER ARISING IN CONTRACT (INCLUDING WARRANTY), TORT (INCLUDING ACTIVE, PASSIVE OR IMPUTED NEGLIGENCE AND STRICT LIABILITY AND FAULT), FOR ANY INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES (INCLUDING WITHOUT LIMITATION LOSS OF BUSINESS PROFITS, BUSINESS INTERRUPTION, OR LOSS OF BUSINESS INFORMATION) ARISING OUT OF OR IN CONNECTION WITH THIS WARRANTY OR THE USE OF OR INABILITY TO USE THE SOFTWARE PRODUCT, EVEN IF WATCHGUARD HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

5. United States Government Restricted Rights. The enclosed SOFTWARE PRODUCT and documentation are provided with Restricted Rights. Use, duplication or disclosure by the U.S. Government or any agency or instrumentality thereof is subject to restrictions as set forth in subdivision (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013, or in subdivision (c)(1) and (2) of the Commercial Computer Software -- Restricted Rights Clause at 48 C.F.R. 52.227-19, as applicable. Manufacturer is WatchGuard Technologies, Incorporated, 505 Fifth Avenue, Suite 500, Seattle, WA 98104.
6. Export Controls. You agree not to directly or indirectly transfer the SOFTWARE PRODUCT or documentation to any country to which such transfer would be prohibited by the U.S. Export Administration Act and the regulations issued thereunder.

7. Termination. This license and your right to use the SOFTWARE PRODUCT will automatically terminate if you fail to comply with any provisions of this AGREEMENT, destroy all copies of the SOFTWARE PRODUCT in your possession, or voluntarily return the SOFTWARE PRODUCT to WATCHGUARD. Upon termination you will destroy all copies of the SOFTWARE PRODUCT and documentation remaining in your control or possession.

8. Miscellaneous Provisions. This AGREEMENT will be governed by and construed in accordance with the substantive laws of Washington excluding the 1980 United Nations Convention on Contracts for the International Sale of Goods, as amended. This is the entire AGREEMENT between us relating to the contents of this package, and supersedes any prior purchase order, communications, advertising or representations concerning the contents of this package AND BY USING THE SOFTWARE PRODUCT YOU AGREE TO THESE TERMS. No change or modification of this AGREEMENT will be valid unless it is in writing, and is signed by WATCHGUARD.

9. Canadian Transactions: If you obtained this SOFTWARE PRODUCT in Canada, you agree to the following: The parties hereto have expressly required that the present AGREEMENT and its Exhibits be drawn up in the English language. / Les parties aux présentes ont expressément exigé que la présente convention et ses Annexes soient rédigées en la langue anglaise.
Contents
Contents .... ix

CHAPTER 1 Using the Command Line Interface .... 1
Introducing the WatchGuard CLI .... 1
CLI capabilities .... 2
CLI limitations .... 3
CLI Guide text conventions .... 3
Getting started with the WatchGuard CLI .... 5
Connecting to an appliance .... 5
Logging into an appliance via a console connection .... 6
Logging into an existing appliance via a network connection .... 7
Understanding the command prompt .... 8
Abbreviating commands and keywords .... 8
Case sensitivity .... 9
Extending command lines .... 9
Typing arguments in a command .... 9
Deleting text in the Command Line Interface .... 10
Using the CLI to add to or replace existing settings and policies .... 10
Grouping parameters in a command .... 10
Reviewing the recently used commands .... 11
Navigating through the CLI .... 13
Common Navigation commands .... 14
Using keywords .... 15
Show command/argument (name) usage .... 16
Viewing context-sensitive online help .... 17
Logging out of the appliance .... 18
Installing and configuring a WatchGuard appliance .... 19
To log into a WatchGuard appliance for the first time: .... 19
To assign network addresses to appliance interfaces .... 20
To complete system configuration .... 20
To create and apply security policies .... 21
To remove/delete items from a WatchGuard database .... 22
To save and apply your most recent changes .... 22
To maintain an appliance .... 22
To troubleshoot an appliance .... 22
To restore an appliance to the factory-default state .... 23
To review the most recent tasks (at any level) .... 23
To get on-line help while working .... 24

CHAPTER 2 Administration Mode Commands .... 25
Command syntax conventions used in this guide .... 25
Administration mode commands .... 27
account command .... 28
downgrade command .... 29
export command .... 30
flush command .... 31
ha_sync command .... 31
import command .... 32
operation_mode command .... 35
passwd command .... 36
reboot command .... 37
restore default command .... 38
shutdown command .... 38
upgrade command .... 39

CHAPTER 3 Configuration Mode Commands .... 41
Top-level configuration mode commands .... 41
abort command .... 43
address command .... 43
certificate command .... 45
commit command .... 45
delete command .... 45
denial_of_service command .... 46
high_availability commands .... 47
ike command .... 48
interface command .... 49
ipsec command .... 49
license command .... 49
log command .... 50
nat command .... 54
no command .... 56
policy command .... 57
qos command .... 60
ras command .... 61
rename command .... 61
schedule command .... 62
service command .... 63
system command .... 64
trace command .... 64
tenant command .... 65
tunnel_switch command .... 65
history command .... 66
.... 66
Level 2 certificate configuration commands .... 67
Level 2 High Availability configuration commands .... 72
Level 2 IKE configuration commands .... 78
Level 2 interface configuration commands .... 82
Level 2 IPSec configuration commands .... 95
Level 2 Quality of Service (QoS) configuration commands .... 100
.... 117
Level 2 tenant configuration commands .... 119
Level 3 configuration mode commands .... 122
Level 3 route configuration commands .... 122
Level 3 log configuration commands .... 124

CHAPTER 4 Debug Mode Commands .... 127
Debugging/troubleshooting commands .... 127
arp command .... 129
clear_logs .... 129
config_http command .... 129
conn_idle_timeout command .... 130
ha_instant_sync command .... 130
hwdiag command .... 131
ifconfig command .... 131
importscreen command .... 132
kernel_debug command .... 133
netstat command .... 134
ping command .... 134
pppoe_config command .... 135
radius_ping command .... 135
rcinfo command .... 137
reboot command .... 137
rs_kdiag command .... 138
set_dos_if command .... 139
slink command .... 139
tcpdump command .... 140
traceroute command .... 140
verbose_trace command .... 141
vinstall command .... 141

CHAPTER 5 Other Commands .... 143
No command .... 143
Rename command .... 143
Show command .... 144
Show command general usage .... 144
Show address command .... 145
Show alarm command .... 146
Show all_routes command .... 147
Show certificate command .... 147
Show CPM command .... 148
Show denial_of_service command .... 148
Show diagnostics command .... 148
Show DNS command .... 148
Show IKE command .... 149
Show interface command .... 150
Show IPSec command .... 150
Show LDAP command .... 151
Show license command .... 151
Show log command .... 152
Show mode command .... 152
Show NAT command .... 153
Show NTP command .... 153
Show policy command .... 154
Show QoS command .... 154
Show RAS command .... 155
Show route command .... 156
Show SA command .... 156
Show service command .... 157
Show SNMP command .... 158
Show statistics command .... 158
Show sysinfo command .... 158
Show sysupgrade command .... 159
Show trace command .... 159
Show tunnel_switch command .... 159
Show version command .... 160
CHAPTER 1 Using the Command Line Interface
attempting to use the CLI. Learning the WatchGuard Vcontroller, its terms and processes, and the underlying flow of appliance administration, will establish a solid competency with concepts and terms used extensively in the CLI. We also recommend that you review the latest Release Notes for your WatchGuard security appliances and verify that the most current versions of WatchGuard and Java software are being used. Electronic copies may be obtained from the WatchGuard Technical Support web site (www.watchguard.com/support/). The Technical Support Group can also assist in verifying that you have all of the latest WatchGuard software.
CLI capabilities
The WatchGuard command line interface (CLI) provides you with simple, fast, command-line access to any local WatchGuard Firebox Vclass security appliance to perform most major administrative tasks, including rebooting, resetting appliance interface IP addresses, entering remote access user accounts, and managing policies, actions and proposals stored in the appliance database. An almost-complete list of CLI setup and administration tasks includes the following:
- Configuring security appliance software
- Interface (port) management
- Viewing current system settings
- Inserting new security policies
- Editing or removing existing policies
- Reorganizing sort order of policies
- Configuring and using the High Availability feature
- Opening and reviewing current log files
- Displaying reports of tunnel and SA activities
- Restoring factory-default configurations
- Shutting down and restarting security appliances
CLI limitations
Please note that the WatchGuard CLI is not a complete replacement for the WatchGuard Vcontroller application, as you cannot do the following with the CLI:
- Set up probes that monitor the current activities of the security appliance
- Set up, activate, and review alarms that are triggered by a range of operational circumstances
- Import Certificate Revocation List (CRL) files or their contents
- Create admin access user accounts
- Create firewall-access internal user accounts
quotation marks; however, you do not need to type quotes when entering a text string. For example, we might say: set a user_profile name to All_RAS_Users. In this example, you could type your own user profile name (or string) in place of All_RAS_Users. You should enclose a string in quotes in instances where the text entry includes spaces. For example, if entering a name like Joan Smith, with a space between the first and last name, you should enclose this entry in quotation marks to preserve it as a single entity. For example:
WG(config)#address -group exec_staff
WG(config)#address -group "exec staff"
Carriage returns
Carriage returns are Enter key presses, and are represented by the <ENTER> or <CR> notation. Command examples may omit this notation for the sake of brevity.
Letter spaces
Space characters (entered by pressing the Space bar on the keyboard) are represented in a few instances in this Guide by the <sp> notation. In most cases, however, spaces are simply represented by actual spaces. For example, in:
WG(config)#address -group exec_staff
there is a single space between address and -group, and between -group and exec_staff.
Comments
Comments are presented as italicized text preceded by the # character.
# This is a sample comment.
More command-specific and argument-specific conventions are detailed in Command syntax conventions used in this guide on page 21.
permitting CLI console (Telnet/SSH) access to the system through that interface. This may be done by means of the CLI or the WatchGuard Vcontroller, once configuration is complete.
NOTE If you attempt to log into a functioning, fully configured WatchGuard appliance with the CLI, you must enter admin as the login (or rsadmin for legacy appliances), as the CLI will not permit use of any other super admin account names.
1. Start any terminal application and open a new connection window. Verify that the terminal has been set to VT100.
NOTE If the terminal is not set to VT100, various functions may not work: ^C will not break, ESC will not work and you'll have problems with special characters.
Connection parameters include:
- 9600 bps
- 8 data bits
- No parity
- 1 stop bit
- Flow control: none
2. As this is a new appliance, type admin (the default login text) and press <ENTER>. The login for a legacy appliance is rsadmin. A Password prompt is displayed. Type admin (again, the default password text) and press <ENTER> to submit the password and log in to this security appliance. The default password for a legacy device is rsadmin. If the login connection is successful, a WG# prompt is displayed.
WatchGuard Firebox V100 (OS 4.0)
<system_name> login:admin
Password:[type your password, nothing is displayed]
Welcome to the WatchGuard CLI Shell
WG#
1. Make sure that this appliance has an active policy permitting telnet/SSH access via a specific WatchGuard appliance interface.
2. Start any telnet/SSH application and verify that your terminal emulation is vt100 (necessary in Windows 2000).
3. Type the IP address or qualified network name of the appliance interface and press Enter.
4. When a WatchGuard Login prompt is displayed, type admin (or rsadmin for a legacy appliance) and press <ENTER>.
NOTE The CLI will not accept any other superadmin login names.
A Password prompt is displayed.
5. Type the current password (the default is admin, or rsadmin for a legacy appliance) and press <ENTER> to submit the password and log into this security appliance. A new WG# prompt is displayed.
Case sensitivity
Commands, command arguments and keywords in the WatchGuard CLI are not case sensitive. For example, show policy is equivalent to SHow POLicy.
NOTE Object name strings are case sensitive. Typing the address group name (string) EveryBody_on_NET_A is not the same as typing everybody_on_net_a! This covers all text strings, whether enclosed in quotes or not.
1. An existing item can be overwritten/replaced with an entirely new item
2. Additional entries or qualifications can be appended to an existing item
Adding entries to an existing item requires use of the plus character (+). If a setting or entry already exists in this WatchGuard appliance, add a plus character (+) before additional elements to edit that setting. In the following example, an additional host with an IP address of 199.86.77.100 is added to the address group VPNnet:
WG(config)#address VPNnet + -host 199.86.77.100<ENTER>
WG(config)#exit<ENTER>
Commit before exit? (Y/N):y<ENTER>
WG#_
The named address group object VPNnet now has an additional (host) member with an IP address of 199.86.77.100.
lowing example of command line block repetition, the IP addresses, port numbers, and weighting are assigned for three servers in a round-robin load balanced cluster:
WG(config)#nat <"name"> vip round server \
{10.10.0.100 80 1} {10.10.0.101 80 2} \
{10.10.0.102 80 3}<ENTER>
Note too, that the command line in the above example was extended with the use of the backslash (\) character, so that more parameters could be included in the command.
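The quoting, plus-sign and backslash conventions described above can be checked mechanically. The following Python parser is an added example, not code from this guide or from WatchGuard: it folds backslash-continued lines, strips the WG prompt and the <ENTER> marker, keeps double-quoted names such as "exec staff" as one token, collects each {...} parameter block, and flags a bare + as the append marker. The VIP name web_vip and the sample lines are constructed for the demonstration.

```python
"""Parse WatchGuard-style CLI command lines: quoting, braces, '+' and backslash continuation (added example)."""
import re
from dataclasses import dataclass, field

# Prompt forms seen in the guide: WG#, WG(config)#, WG(config-ras)#, WG(admin)#
PROMPT_RE = re.compile(r"^WG(\([\w-]*\))?#")
ENTER_MARK = "<ENTER>"


@dataclass
class ParsedCommand:
    words: list = field(default_factory=list)   # ordinary tokens, in typed order
    groups: list = field(default_factory=list)  # each {...} block as its own token list
    append: bool = False                        # True when a bare '+' marker was typed


def join_continued_lines(lines):
    """Fold lines that end in a backslash into the line that follows them.

    A trailing <ENTER> marker, as printed in the guide's examples, is dropped.
    """
    logical, buf = [], ""
    for raw in lines:
        line = raw.strip()
        if line.endswith(ENTER_MARK):
            line = line[: -len(ENTER_MARK)].rstrip()
        if line.endswith("\\"):
            buf += line[:-1].rstrip() + " "
            continue
        logical.append((buf + line).strip())
        buf = ""
    if buf:
        raise ValueError("last line ends with a continuation backslash")
    return logical


def tokenize(line):
    """Split one logical line into tokens.

    Double-quoted text becomes a single token with the quotes removed (so
    "exec staff" stays one name); '{' and '}' are emitted as their own tokens.
    """
    tokens, i, n = [], 0, len(line)
    while i < n:
        c = line[i]
        if c.isspace():
            i += 1
        elif c == '"':
            j = line.find('"', i + 1)
            if j < 0:
                raise ValueError("unterminated quoted string")
            tokens.append(line[i + 1:j])
            i = j + 1
        elif c in "{}":
            tokens.append(c)
            i += 1
        else:
            j = i
            while j < n and not line[j].isspace() and line[j] not in '{}"':
                j += 1
            tokens.append(line[i:j])
            i = j
    return tokens


def parse_command(text):
    """Parse a command as typed at a WG prompt, possibly spread over several lines."""
    logical = join_continued_lines(text.splitlines() or [""])
    if len(logical) != 1:
        raise ValueError("expected exactly one command, got %d" % len(logical))
    line = PROMPT_RE.sub("", logical[0]).strip()
    cmd = ParsedCommand()
    current = None  # token list being filled while inside a {...} block
    for tok in tokenize(line):
        if tok == "{":
            if current is not None:
                raise ValueError("nested braces are not allowed")
            current = []
        elif tok == "}":
            if current is None:
                raise ValueError("'}' without a matching '{'")
            cmd.groups.append(current)
            current = None
        elif current is not None:
            current.append(tok)
        elif tok == "+":
            cmd.append = True
        else:
            cmd.words.append(tok)
    if current is not None:
        raise ValueError("unterminated '{' block")
    return cmd


# Constructed sample: the guide's round-robin VIP example with a made-up VIP name.
SAMPLE_NAT = (
    "WG(config)#nat web_vip vip round server \\\n"
    "{10.10.0.100 80 1} {10.10.0.101 80 2} \\\n"
    "{10.10.0.102 80 3}<ENTER>"
)

if __name__ == "__main__":
    for sample in ('WG(config)#address -group "exec staff"',
                   "WG(config)#address VPNnet + -host 199.86.77.100<ENTER>",
                   SAMPLE_NAT):
        print(parse_command(sample))
```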
New or different command arguments may be substituted in the most-recent command line recalled from history. Use the format ^old_command^new_command to effect a substitution as shown in the following example:
WG#!49                      # Recall command line #49
show service DNS            # This is the command.
Service Group:              # The next six lines are the result.
Name = DNS
Description = "Domain Name Services"
Protocol = UDP
Server_port = 53
WG#^DNS^SSH                 # This command substitutes SSH for DNS and executes.
show service SSH
Service Group:              # This shows the results.
Name = SSH
Description = "Secure Shell (Remote Login Protocol)"
Protocol = TCP
Server_port = 22
WG#_
At every command level and in all command modes, the exit command moves the CLI user up one level (back to the parent command level) in the command tree structure. If you issue the exit command at the top (root) level, you will log out of the system. See the following example:
WG(config-system)#exit<ENTER>
WG(config)#exit<ENTER>
WG#exit<ENTER>
# As a result, you are logged off the CLI and the display screen is cleared.
WatchGuard (OS 4.0)
At every command level except the top (root) level, entering the top command and pressing Enter jumps the CLI user from the current level to the top (root) command level. The top (root) command level does not have this command available, as it isn't necessary there. See the following example:
WG(config-qos)#top<ENTER> WG#_
history command
WG#admin<ENTER>
WG(admin)#history
Effect: Lists the twenty most recently exercised commands at this level. (When this command is applied at other levels, it will result in the last twenty commands entered at that specific level.) For more information on extending or adapting this command, see Reviewing the recently used commands on page 11.
Arguments: This command has several adaptations that extend its usefulness. See Reviewing the recently used commands on page 11 for details.
exit command
WG(admin)#exit
Effect: Exits the current level of CLI and returns to the next-highest command level, all the way to the top-level WG# prompt.
top command
WG(admin)#top
Effect: Immediately returns to the top level of the WatchGuard CLI (the WG# prompt) from whatever level of CLI you are using.
Arguments: None.
Example:
WG(admin)#top<ENTER>
# As a result, the WG# prompt is displayed.
Using keywords
The CLI provides keywords such as enable, disable, and no that perform specific functions with system parameters. For example, enable and disable are used to enable and disable existing configurations such as policy schedules and system QoS settings. The following example shows an existing schedule configuration named 24_7_Schedule being enabled:
WG(config)#schedule 24_7_Schedule enable<ENTER>
The keyword no functions as a simple on/off switch for configuration components, as shown in the following example:
WG(config)#denial_of_service no pingofdeath<ENTER>
Executing the show command followed by a specific name displays only the details associated with that specific named object, as shown in the following example:
To list all commands available in a particular command mode or level, type a question mark (?) or enter help at the command prompt. For example, enter ? at the top (root) level command to return the following list of top-level command options:
- Enter administration mode
- Enter configuration mode
- Enter debug mode
- Show current configuration and
- Show command history
- Exit the system
- Exit the system
The WatchGuard CLI's help system also lists a specific command's argument options along with their specific usage syntax. For example, here is a help command that requests (and obtains) the command argument options and syntax used to configure a security policy:
WG#configure
WG(config)#policy?
policy <"name"> [<source> <destination> <interface num>]
  [-position <num>]
  [-firewall <pass|block|authenticate|reject>]
  [<-service|-vlan|-nat|-qos|-schedule|-ipsec [no] [bi_directional]> <"n]
  [<-tosF|-tosR> <bbbbbb>]    # b is <0|1>; msb from left.
  [-log_per_policy [enable|disable]]
  [-icmp_error_handling_per_policy [[global | all] | [[no] fragmentation_required] [[no] time_exceeded] [[no] network_unreachable] [[no] host_unreachable] [[no] port_unreachable]]]
1. At the current prompt (at any level of the CLI), type top and press <ENTER>.
2. When the WG# prompt is displayed, type exit and press <ENTER>.
You are logged out of the appliance. You can disconnect the terminal session, and physically disconnect your workstation from the appliance if necessary.
Description / Additional Information
- change the default password to a new, secure password
- includes both static and dynamic routes
- connect to a domain name server
- connect to any SNMP management stations
- activate needed system activity logging
- connect this appliance to an LDAP server
- activate WatchGuard tunnelswitching features
Command / Description
WG(config)#cert: request and import needed certificates from CAs
WG(config)#denial_of_service: customize anti-hacker protection for this appliance
WG(config)#high_availability: set up and activate a high-availability system, using the High Availability feature
WG(config)#log: includes event, traffic and alarm log files
Description
- create all the needed address groups for use in policies
- add new services or groups of related services
- create IKE actions for use in IKE policies
- create IKE policies for use in IPSec policies
- create IPSec actions for use in IPSec proposals
- create IPSec proposals for use in security policies
- create NAT actions (DNAT, SNAT or VIP) for use in policies
- create VLAN IDs for use in policies
- create QoS actions for use in policies
- create schedules for application to specific policies
Command / Description
WG(config-ras)#group_profile: create RAS group profiles for use in RAS policies
WG(config-ras)#user_profile: create RAS user accounts for use in RAS policies
WG(config-ras)#database: set up the user authentication system for RAS policies
WG(config)#policy: create the actual policies
To maintain an appliance

To perform security appliance maintenance, use these commands:

Command                 Description
WG(admin)#flush         flush all current connections and SAs
WG(admin)#passwd        replace the existing password with a new one
WG(admin)#reboot        reboot the WatchGuard appliance
WG(admin)#shutdown      shut down the WatchGuard appliance

To troubleshoot an appliance

To perform troubleshooting tasks, use these commands:

Command                 Description
WG(debug)#arp           display and configure the ARP table
WG(debug)#netstat       show network/connection states and statistics
WG(debug)#ping          verify network connectivity
WG(debug)#radius_ping   verify connection with a RADIUS server
WG(debug)#tcpdump       trace network packets
WG(debug)#traceroute    trace a route to a specific destination

Description
  online help at any prompt, or at the end of any other command
  view a list of objects at the # prompt
  view the last 20 commands entered at this level of the CLI; Enter at the # prompt
CHAPTER 2
All WatchGuard CLI commands are organized into groups, which are presented as specific command modes. This chapter covers the commands available in Administration Mode.
tion to the text notation introduced in CLI Guide text conventions on page 3.
Convention        Description
<text>            All required text is enclosed in angle brackets.
-<text>           Some arguments must be preceded by a hyphen (-). If a hyphen is required, but you do not use it to precede the argument, that argument will be dropped.
[text]            Optional text is enclosed in square brackets.
{text}            Text wrapped in curly braces is optional, usually representing qualifications or values related to an argument.
itemA | itemB     Text items separated by a pipe character (vertical bar) indicate two options, of which only one can be entered.
&|                Text followed by an ampersand (&) and a pipe character (vertical bar) indicates two options, either or both of which can be entered.
,                 A comma separating bracketed text indicates repeated options that may be entered one at a time or all at once.
+                 A plus (+) sign preceding specific text represents additional elements that are being added to an existing setting. For example, to add a new member to an existing address group, you would type a + prior to the address information of the new member.
no                A no entered before an argument indicates that the argument is not to be included in the command. This is useful when entering a number of arguments, one of which should not be included yet must be entered in the command.
\                 A backslash character at the end of a portion of command line signifies that the command line has been broken at that point, and continues on the next line.
If you enter a command in the CLI, such as the following:

WG(config)#policy

and press <ENTER> without adding any arguments to the command line, the WatchGuard CLI will display a complete list of related arguments and values, in the form in which you should enter them. This is helpful when the CLI tells you that a command you just entered isn't acceptable. You can call up this text to review requirements and syntax for a command or argument.
account command

WG#admin<ENTER>
WG(admin)#account -login_limit
                  -login_limit <admin|user> <0-10>
                  -status
                  -unlock <name>|all
                  -all

Effect
Allows you to view, set, and clear failed login attempt limits. Login limits provide a further level of security, and eliminate susceptibility to brute-force password attacks. The account management feature is available in all three operation modes (normal, FIPS, and CC). The CLI allows only the root superadmin admin to log in, while rejecting all other accounts, including user-defined superadmin accounts. If you set the login_limit feature on the root superadmin user, it is possible for the superadmin to be locked out of the system. To work around this possible problem:

1  Create another superadmin account in addition to the root superadmin admin account, using Vcontroller, before you set the login_limit for the root superadmin account.
2  If the root superadmin admin is locked out because of exceeded login failures, you can use this separate, non-root-level superadmin account to log in to Vcontroller with full administration privileges.
3  In a text editor, create and save an ASCII text file with the following two lines:

   admin
   account -unlock admin

4  In Vcontroller, click Diagnostics/CLI and select the CLI tab.
   This feature allows you to select a text file that contains CLI commands.
5  Click Open.
6  Select the text file you created earlier, and click Select.
   The admin account is unlocked.

Arguments
-login_limit
   Displays the current login limits set for admin and user on the device.
-login_limit <admin|user> <0-10>
   Sets the limit for failed attempts for the specified user type (admin or user) to the number specified.
-status
   Displays a table of failed login attempts for each user, provided the limit for the login name is greater than 0.
-unlock <name>|all
   Unlocks a login name or all login names, after the name or names are locked due to failed login attempts.
-all
   Displays detailed information for all accounts on the device.
downgrade command

WG#admin<ENTER>
WG(admin)#downgrade

Effect
Restores the system software to the previously installed version.
Arguments
None
Example
WG(admin)#downgrade<ENTER>

NOTE
If you apply this command, certain WatchGuard features incorporated in the current version may not be available afterwards. This will affect both configurations and policies in this appliance. You should make a careful review of this security appliance's setup to prevent any problems.
export command

WG#admin<ENTER>
WG(admin)#export

Effect
Exports certificate requests, the log archive, or an XML profile. The export command must be followed by a space and the name of the item to be exported:

cert_request   to export certificate requests
log            to export the log archive
xml            to export an XML profile
ip             to export the blocked or exception IP lists

export log:
export log [all|alarms|events|traffic|ras_user|p1sa|p2sa] \
    [-tftp] <host:/target> \
    -ftp <[user[:passwd]@]host:/target>

export xml:
export xml [-tftp] <host:/target/file_name> \
    -ftp <[user[:passwd]@]host:/target/file_name> \
    -[console]

export ip:
export ip {blocked|allowed} [-tftp] <host:/target/file_name> \
    -ftp <[user[:passwd]@]host:/target/file_name>
flush command

WG#admin<ENTER>
WG(admin)#flush

ha_sync command

WG#admin<ENTER>
WG(admin)#ha_sync

NOTE
This command is available only if the WatchGuard appliance you are currently logged into has High Availability enabled (using the config-ha command), is the Master appliance,

Effect
Initiates the WatchGuard Firebox Vclass security appliance hotsync process, which copies the complete profile (configurations and policies) from this appliance to a designated backup appliance. After you restart the backup appliance, your high availability system is ready and active.
Arguments
None
Example
WG(admin)#ha_sync<ENTER>
import command

The import command allows you to import certificates, a certificate revocation list (CRL), an XML profile, or a list of blocked or allowed IPs.

cert command

WG#admin<ENTER>
WG(admin)#import cert [-tftp] <host:/target/file_name> \
    -ftp <[user[:passwd]@]host:/target/file_name> -[console]

Effect
Imports a certificate file via one of several possible methods.
Arguments
None
Example
WG(admin)#import cert -ftp wg:wg@ftp.watchguard.com:/pub/cert/cert.p2<ENTER>

crl command

WG#admin<ENTER>
WG(admin)#import crl [-tftp] <host:/target/file_name> \
    -ftp <[user[:passwd]@]host:/target/file_name> -[console]

Effect
Imports a certificate revocation list (CRL) file via one of several possible methods.
Arguments
None
Example
WG(admin)#import crl -ftp wg:wg@ftp.watchguard.com:/pub/cert/cert.p2<ENTER>

xml command

WG#admin<ENTER>
WG(admin)#import xml [-tftp] <host:/target/file_name> \
    -ftp <[user[:passwd]@]host:/target/file_name> -[console]

Effect
Imports an XML profile via one of several possible methods.
Arguments
None
Example
WG(admin)#import xml -ftp wg:wg@ftp.watchguard.com:/pub/xml/listfile.xml<ENTER>
ip command

WG#admin<ENTER>
WG(admin)#import ip {blocked|allowed} {override|merge} \
    [-tftp] <host:/target/file_name> \
    -ftp <[user[:passwd]@]host:/target/file_name>

Effect
Imports a list of blocked or allowed IP addresses to the appliance database.
Prerequisites
The list of IP addresses must be a text file. The formatting information follows. For blocked IP, each line of the file should include:

<IPaddr> [space]<mm/dd/yyyy> [space]<hh:mm:ss>

<mm/dd/yyyy> specifies the month, day, and year. <hh:mm:ss> specifies the hour, minute, and second. For example, a text file containing the following lines blocks these sites until the provided expiration time:

12.11.12.15 8/14/2003 14:00:00
12.13.22.8 10/19/2004 1:21:05

To add blocked sites that do not expire, use only the IP address.
Arguments
blocked|allowed
   Specifies whether to import the contents of the text file to the blocked IP list, or to the allowed (exceptions) IP list.
merge|override
   Merge merges the new IP addresses into the existing list of IP addresses. Override replaces all of the existing IP addresses with the IP addresses on the imported list.
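As an added example (this is not WatchGuard's code), the following Python script validates a blocked-IP list in the line format described above before it is handed to import ip. It rejects malformed addresses and timestamps, and it flags entries whose expiration time has already passed, since those would be imported only to expire at once. The sample file contents, the check_sample helper and the reference time of 1 January 2004 are constructed for this example.

```python
"""Validate a blocked/allowed IP list file before running 'import ip'.
Added example; not WatchGuard code. Line format follows the CLI guide:
    <IPaddr> [<mm/dd/yyyy> <hh:mm:ss>]
A line holding only the address is a permanent entry."""
from __future__ import annotations

import ipaddress
from datetime import datetime
from typing import NamedTuple


class BlockEntry(NamedTuple):
    address: str
    expires: datetime | None   # None: the entry never expires


def parse_line(line: str) -> BlockEntry:
    """Parse one line; raise ValueError with the reason if it is malformed."""
    fields = line.split()
    if len(fields) not in (1, 3):
        raise ValueError(f"expected 1 or 3 fields, got {len(fields)}: {line!r}")
    addr = ipaddress.ip_address(fields[0])   # raises ValueError on junk such as 192.0.2.300
    if addr.version != 4:
        raise ValueError(f"only IPv4 addresses are accepted: {fields[0]}")
    if len(fields) == 1:
        return BlockEntry(str(addr), None)
    # strptime accepts the guide's unpadded forms (8/14/2003, 1:21:05) as well as padded ones.
    expires = datetime.strptime(f"{fields[1]} {fields[2]}", "%m/%d/%Y %H:%M:%S")
    return BlockEntry(str(addr), expires)


def check_list(text: str, now: datetime) -> tuple[list[BlockEntry], list[str]]:
    """Return (entries still in force, problems found), one problem string per bad line."""
    entries: list[BlockEntry] = []
    problems: list[str] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        try:
            entry = parse_line(line)
        except ValueError as exc:
            problems.append(f"line {lineno}: {exc}")
            continue
        if entry.expires is not None and entry.expires <= now:
            problems.append(f"line {lineno}: {entry.address} expired at {entry.expires}")
            continue
        entries.append(entry)
    return entries, problems


# Constructed sample file: the guide's two example lines, a permanent entry and two bad lines.
SAMPLE_LIST = """\
12.11.12.15 8/14/2003 14:00:00
12.13.22.8 10/19/2004 1:21:05
192.0.2.7
192.0.2.300
198.51.100.4 13/01/2005 00:00:00
"""


def check_sample() -> tuple[list[BlockEntry], list[str]]:
    """Run the check as if on 1 Jan 2004, so the guide's first entry is already expired."""
    return check_list(SAMPLE_LIST, datetime(2004, 1, 1))


if __name__ == "__main__":
    ok, bad = check_sample()
    for e in ok:
        print("ok  ", e.address, e.expires or "(permanent)")
    for p in bad:
        print("skip", p)
```

Run the script over the real list file (read it and call check_list with datetime.now()) and only import the file when the problems list is empty; an entry that the appliance would accept but that has already expired is the case most easily missed by eye.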
operation_mode command

WG#admin<ENTER>
WG(admin)#operation_mode <normal|FIPS|common_criteria>

Effect
This command changes the system mode to operate in normal, FIPS, or Common Criteria (CC) mode.

FIPS mode
FIPS 140-2 is a standard that describes government requirements that cryptographic hardware or software products must meet. FIPS certification is required for products that are sold to the government. FIPS mode disables or changes the following functionality:
- Shell access is disabled (for example, sucode).
- Unprotected remote access is disabled, including telnet and SSH. To log in to the box using telnet requires a physical connection to the console port.
- Non-qualified algorithms are disabled (MD5).
- SSL 3.0 is disabled. Support for TLS is still included.
- A direct crypto interface to the Rapidcore and other crypto modules is provided for the startup crypto self-test, and random number generation can be tested.
- Object reuse is avoided. Keys are zeroed out when they are no longer in use.

Common Criteria (CC) mode
Common Criteria (CC) defines a language for defining and evaluating information technology security systems and products. The framework provided by Common Criteria allows US government agencies and other groups to define sets of specific requirements. IT security products purchased by the US Government for National Security Systems, which handle Classified and some non-Classified information, are required to be Common Criteria certified. Common Criteria mode conforms to EAL4 level. Common Criteria mode disables or changes the following functionality:
- HTTPS uses 3DES-SHA1 encryption only.
- User login failure count can be configured, and users can be locked out after the failure count is met. See account command on page 28 for more information.
passwd command

WG#admin<ENTER>
WG(admin)#passwd <ENTER>

Effect
Replaces the current admin super user access password text with a new entry. This command initiates a several-step process in which you will be prompted to enter the new password twice, before it takes effect. See Process immediately following for details.

Process
Type a space, then the text of the current password after the command. When you press <ENTER>, a New password: prompt is displayed, at which you can type the new password, using between 6 and 20 characters.

NOTE
ALERT: Please note that no text will appear on-screen as you type.

When you press <ENTER> to submit the new password text, a Reconfirm password: prompt is displayed. Retype the same text (during which no text will appear on-screen). When you press <ENTER>, the new password will be confirmed and stored in the appliance, then immediately put into effect.

Example
WG(admin)#passwd: <ENTER>
New password: * <ENTER>           # Remember, no text will appear when you type.
Reconfirm password: * <ENTER>
Password change completed!
WG(admin)#

NOTE
Remember to write the new password down and store the note in a safe place. If you forget the password and lose the note, contact WatchGuard for assistance.
reboot command

WG#admin<ENTER>
WG(admin)#reboot

Effect
Shuts down, then restarts this WatchGuard Firebox Vclass security appliance. You will be automatically logged out of the appliance, but after a few minutes (and a considerable display of status messages), the main login prompt will appear. You can log in again at this time.
Arguments
None.

Effect
Reinitializes this appliance and restores the original factory default configuration. Once this process is complete, you can log in again, then start over with appliance installation, configuration and policy creation, either by manual entry or importing of a profile from another appliance.
Arguments
None.
Results
After applying this command, the CLI will immediately record a series of restoring status messages, along with please wait messages. When the restoration is complete, the main login prompt will appear. You can now log into the appliance with the user name of admin and the password of admin to begin reconfiguration of this appliance.
shutdown command

WG#admin<ENTER>
WG(admin)#shutdown

Effect
Shuts down this WatchGuard appliance. You will be automatically logged out of the appliance, at which time you can break the CLI connection.
Arguments
None.

upgrade command

WG(admin)#upgrade
upgrade [-tftp] <host:/target/upgrade.rsu>
upgrade -ftp <[user[:passwd]@]host:/target/upgrade.rsu>

Effect
Upgrades the system software, using a .rsu file, from a specific location.
Example
upgrade -ftp wg:wg@ftp.watchguard.com:/patch/upgrade.rsu
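The -tftp and -ftp targets of export, import and upgrade all share the one [user[:passwd]@]host:/path form. As an added example (not WatchGuard's code), this Python parser splits such a spec into its parts and reports what an administrator should know before typing it: TFTP carries no credentials at all, and an FTP password placed on the command line travels in cleartext and reappears in the CLI history. The Target type, the is_valid_target helper, the review_target function and its warning texts are this example's own; the -[console] option is not modelled.

```python
"""Parse the [user[:passwd]@]host:/path transfer target used by export, import
and upgrade. Added example; not WatchGuard code."""
from __future__ import annotations

import re
from typing import NamedTuple


class Target(NamedTuple):
    user: str | None
    password: str | None
    host: str
    path: str


# user may not contain ':' or '@'; password may not contain '@'; host may not
# contain ':', '@' or '/'; the path is everything from the ':/' onwards.
_TARGET = re.compile(
    r"^(?:(?P<user>[^:@]+)(?::(?P<password>[^@]*))?@)?"
    r"(?P<host>[^:@/]+):(?P<path>/.*)$"
)


def parse_target(spec: str) -> Target:
    m = _TARGET.match(spec)
    if m is None:
        raise ValueError(f"not a [user[:passwd]@]host:/path target: {spec!r}")
    return Target(m["user"], m["password"], m["host"], m["path"])


def is_valid_target(spec: str) -> bool:
    try:
        parse_target(spec)
        return True
    except ValueError:
        return False


def review_target(flag: str, spec: str) -> list[str]:
    """Warnings for a transfer given as '-tftp' or '-ftp' plus its target spec."""
    t = parse_target(spec)
    notes: list[str] = []
    if flag == "-tftp":
        if t.user is not None:
            notes.append("TFTP has no authentication; the user/password in the spec are not used")
        notes.append("TFTP is unauthenticated and unencrypted; the transfer is only as trusted as the network path")
    elif flag == "-ftp":
        if t.user is None:
            notes.append("no user given; the FTP server must accept anonymous login")
        if t.password is not None:
            notes.append("password on the command line: FTP sends it in cleartext and the CLI history keeps it")
    else:
        raise ValueError(f"unknown transfer flag {flag!r}")
    return notes


if __name__ == "__main__":
    # The guide's own upgrade example, reviewed before use.
    for note in review_target("-ftp", "wg:wg@ftp.watchguard.com:/patch/upgrade.rsu"):
        print("note:", note)
```

Because the history command (see below) replays the last 20 command lines, a password embedded in an -ftp target stays visible on the appliance after the transfer; an account that may only read the history can recover it, which is the reason review_target calls it out.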
CHAPTER 3

All WatchGuard CLI commands are organized into groups, which are presented as specific command modes. This chapter covers the commands available in Configuration Mode.

Command              For more information
abort                See abort command on page 43.
address              See address command on page 43.
certificate          See certificate command on page 45.
commit               See commit command on page 45.
delete               See delete command on page 45.
denial_of_service    See denial_of_service command on page 46.
high_availability    See high_availability commands on page 47.
ike                  See ike command on page 48.
interface            See interface command on page 49.
ipsec                See ipsec command on page 49.
license              See license command on page 49.
log                  See log command on page 50.
nat                  See nat command on page 54.
no                   See no command on page 56.
policy               See policy command on page 57.
qos                  See qos command on page 60.
ras                  See ras command on page 61.
rename               See rename command on page 61.
schedule             See schedule command on page 62.
service              See service command on page 63.
system               See system command on page 64.
trace                See trace command on page 64.
tenant               See tenant command on page 65.
tunnel_switch        See tunnel_switch command on page 65.
show                 See history command on page 66.
history              See history command on page 14.
exit                 See exit command on page 14.
top                  See top command on page 15.
abort command

WG#config<ENTER>
WG(config)#abort

Effect
Aborts (erases) all system configuration changes made since the last use of the WG(config)#commit command. This empties the cache of to-be-committed changes and additions.
Arguments
None

address command

WG#config<ENTER>
WG(config)#address <"name"> [+] -host <a.b.c.d> [<a.b.c.d>] \
    -net <a.b.c.d/e> [<a.b.c.d/e>] \
    -range <a.b.c.d-a.b.c.d> [<a.b.c.d-a.b.c.d>] \
    -group <address_name> [<address_name>]

Effect
Creates a new address object or modifies an existing group, depending upon the use of the + character. This command must start with a new or existing name and can incorporate the following: (1) a single IP address, (2) a range of IP addresses, (3) a subnet, and (4) a group of existing address entries that you may want to combine into a single entity.
Arguments
<"name">
   This argument notes a new name for this group. You can then type one or more of the following

Examples
WG(config)# address my_nets -host 10.10.1.1/16<ENTER>
# Creating a new address group with a single host
WG(config)# address my_nets -range 14.0.2.1- \
    14.0.2.125<ENTER>
# Creating a new address group with a range of IP addresses
WG(config)# address my_nets + -net 10.29.0.0/16<ENTER>
# Add a new address to an existing address group
certificate command

WG#config<ENTER>
WG(config)#certificate

Effect
Enters the certificate-configuration mode, at which point you can enter certificate-specific task commands and their arguments.
Arguments
None in this mode.
See Also
For more information about certificate mode commands, see Level 2 certificate configuration commands on page 67.

commit command

WG#config<ENTER>
WG(config)#commit

Effect
This command applies all uncommitted policy and system configuration changes and additions to the appliance.
Arguments
None

delete command

WG#config<ENTER>
WG(config)#delete <object_type "name">

Effect
Deletes a specifically named object, such as an address group, policy, action, or service.
Arguments
<"name">
   This argument records the exact name of the to-be-deleted item.

Example
WG(config)#delete address exec_addresses<ENTER>
# This command deletes an address group named exec_addresses.
WG(config)#delete ike policy "HQ IKE"<ENTER>
# This command deletes an IKE policy named HQ IKE.
denial_of_service command

WG#config<ENTER>
WG(config)#denial_of_service
    [no][-icmp [threshold]]          # threshold packet/s; default=1000
    [no][-syn [threshold]]           # threshold packet/s; default=5000
    [no][-udp [threshold]]           # threshold packet/s; default=1000
    [no][-pingofdeath]
    [no][-sourceroute]
    [no][-server_ddos [threshold]]   # threshold connection/s; default=100
    [no][-client_ddos [threshold]]   # threshold connection/s; default=100

Effect
Records your preferences for denial-of-service defense parameters. You can enter any or all of the customizable arguments listed below.
Arguments
[no][-icmp <threshold>]
   Activates ICMP flood protection with a user-noted threshold, in packets per second; default = 1000.
[no][-syn <threshold>]
   Activates TCP/SYN flood protection with a user-noted threshold; default = 5000.
[no][-udp <threshold>]
   Activates UDP flood protection with a user-noted threshold; default = 1000.
[no][-pingofdeath]
   Activates ping-of-death protection.
[no][-sourceroute]
   Activates source route protection by disallowing source route options.
[no][-server_ddos <threshold>]
   Activates server DDoS protection; the default threshold = 100, which controls the maximum number of connections permitted to any one server.
[no][-client_ddos <threshold>]
   Activates client DDoS protection; the default threshold = 100, which controls the maximum number of connection requests permitted to a single client.
no
   Enter this before any options you want to deactivate in this appliance, as shown above.
high_availability commands

NOTE
High Availability commands will not be available to you if the WatchGuard appliance you are administering does not feature any HA ports. In addition, you need a High Availability feature license.

Effect
Enters the high availability (HA) configuration mode, at which point you can enter HA-specific commands and their arguments.
Arguments
None in this mode.
See Also
For more information about HA mode commands, see Level 2 High Availability configuration commands on page 72.
ike command

WG#config<ENTER>
WG(config)#ike

Effect
Enters the IKE configuration mode, at which point you can enter IKE-specific commands and their arguments.
Arguments
None in this mode.
See Also
For more information about IKE mode commands, see Level 2 IKE configuration commands on page 78.

interface command

WG#config<ENTER>
WG(config)#interface

Effect
Enters the system interface configuration mode, at which point you can enter interface-specific commands and their arguments.
Arguments
None in this mode.
See Also
See Level 2 interface configuration commands on page 82 for details on specific interface mode commands.

ipsec command

WG#config<ENTER>
WG(config)#ipsec

Effect
Enters the IPSec configuration mode, at which point you can enter IPSec action- and proposal-specific commands and their arguments.
Arguments
None in this mode.
See Also
For more information about IPSec mode commands, see Level 2 IPSec configuration commands on page 95.

license command

WG#config<ENTER>
WG(config)#license

Effect
Enters license parameter configuration mode, at which point you can enter license-specific commands and their arguments.
Arguments
None in this mode.
See Also
For more information about license mode commands, see Level 2 license commands (for upgraded or additional features) on page 117.
log command

no command (log level)

WG#config<ENTER>
WG(config)#log<ENTER>
WG(config-log)#no <event|remote_log_server|traffic>

Effect
Disables logging for the specified log.
Arguments
None
Example
WG#config<ENTER>
WG(config)#log<ENTER>
WG(config-log)#no traffic

Effect
Runs log diagnostics for the specified feature.
Arguments
None
Example
WG#config<ENTER>
WG(config)#log<ENTER>
WG(config-log)#diagnostics ha 1

Effect
Turns logging on (or off, if the command is preceded by no) for the specified error level.
Arguments
None
Example
WG#config<ENTER>
WG(config)#log<ENTER>
WG(config-log)#event administration

Effect
Turns remote logging on or off for the specified logs and error levels.
Arguments
None
Example
WG#config<ENTER>
WG(config)#log<ENTER>
WG(config-log)#remote 10.10.10.99 default

rename NAT actions
rename security
rename QoS actions
rename RAS group
rename schedule actions
rename service groups

Effect
Allows you to rename various items.
See also
See rename command on page 61.
nat command

WG#config<ENTER>
WG(config)#nat <"name"> [-static_nat <-external <address_group>> \
    <-internal <address_group>>] | \
    [-vip <round_robin|wround_robin|random|wrandom| \
    least_connection|wleast_connection> server [+] \
    {<ip|address> <port> [weight]}>]

Effect
Records a new NAT action for use in security policies. You can create one of three possible NAT actions, choosing from VIP, DNAT or Static NAT.
Arguments
<"name">
   If this is to be a load-balancing or static NAT action, enter a short, distinctive name for this new action following the NAT command prompt.
-static_nat <-external <address group>> <-internal <address group>>
   (For one-to-one and subnet-to-subnet mapping) This argument specifies (1) that this is a static NAT action, and records the address groups associated with the internal and external sources. The address groups can be single IP addresses or subnets.
-vip <round-robin|wroundrobin|random|wrandom|least-connection|wleast-connection> | server [+] {<IP address> [IP address] <port> <weight>}>
   This argument specifies that this is a load-balancing (virtual IP) NAT action, and records (1) the algorithm that will be applied and (2) the server addresses and port numbers. If a weighted algorithm is used, this argument adds (3) the per-server weight assignments.

TIP
If you are adding a new server/weight to an existing VIP NAT action, prefix the new server record with a + character. If you are entering the server argument, you must note (1) the IP address of the server, (2) the port number it will watch and (3) the proportion of traffic this server will be assigned, noted as a whole number.

NOTE
Note that dynamic NAT is already present in the WatchGuard database by default, and is ready for use in security policies. You can specify dynamic_nat as the NAT action when you create the appropriate policies.

Examples
WG(config)#nat load_balancing -vip wround server \
    {10.10.0.100 80 1} {10.10.0.101 80 2} \
    {10.10.0.102 80 3}
WG(config)#nat natS -stat -ext pub1 -int \
    web_server1

Effect
Records a new dynamic IP NAT action for use in security policies. You can create one of two possible DNAT options, choosing from the default IP address for interface 1 or a user-designated IP address.
Arguments
<"IP Address">
   If this is to be a user-designated IP address DNAT action, enter the IP address of your choice as the command argument. If you are using the default interface 1 IP address, enter that in the argument.
no command

WG#config<ENTER>
WG(config)#no high_availability    # disable high availability

Effect
Disables the high availability feature.
Arguments
None
Example
WG#config<ENTER>
WG(config)#no high_availability
policy command

WG#config<ENTER>
WG(config)#policy
policy <"name"> [<source> <destination> <interface num>]
    [-position <num>]
    [-firewall <pass|block|authenticate|reject>]
    [<-service|-tenant|-nat|-qos|-schedule|-ipsec [no] [bi_directional]> <"name">]
    [<-tosF|-tosR> <bbbbbb>]   # b is <0|1>; msb from left.
    [-log_per_policy [enable|disable]]
    [-icmp_error_handling_per_policy [[global | all] |
        [[no] fragmentation_required] [[no] time_exceeded]
        [[no] network_unreachable] [[no] host_unreachable]
        [[no] port_unreachable]]]
    [-mss_adjustment_per_policy [auto|limit_to <num>|disable|use_global]]

Effect
Allows you to create a new security policy or revise an existing policy, pending your selection of traffic specifications and actions. Note: you should have already created the needed address groups, schedules, actions and services before creating this new policy.
Arguments
<source> <destination>
   These two arguments record the source and

positions that you can choose from. You pick a location and enter a 1 to mark that bit.
[-log_per_policy [enable|disable]]
[-icmp_error_handling_per_policy ...]
   This argument allows you to implement ICMP error handling per policy, and specify error handling options.
[-mss_adjustment_per_policy [auto|limit_to <num>|disable|use_global]]
   This argument allows you to specify a per-policy TCP Maximum Segment Size. See mss_adjustment on page 112 for more information on these settings. To use the global settings, use the argument use_global.

Examples
WG(config)#policy Allow_Outbound Any Any \
    interface 0 -firewall pass -nat DYNAMIC_NAT <ENTER>
WG(config)#policy HQ_BR_VPN HQ BR interface 0 \
    -firewall pass -ipsec bi HQ_IPsec <ENTER>
WG(config)#policy SJ_NY_VPN SJ NY interface 1 \
    -firewall pass -ipsec SJ_NY_IPSec <ENTER>
WG(config)#policy SJ_LA_VPN \
    -mss_adjustment_per_policy \
    limit_to 1400
WG(config)#policy SJ_NY_VPN \
    -icmp_error_handling_per_policy all
WG(config)#policy SJ_NY_VPN -position 5 <ENTER>

The previous example shows a relocation of policy SJ_NY_VPN to the fifth position (row) in the policy table.

NOTE
You can combine a range of actions (-vlan, -ipsec, -nat, -schedule, etc.) in a single policy, as needed. For more information on policy action combinations, especially to determine what will and what won't work, see the User Guide.
qos command

WG#config<ENTER>
WG(config)#qos

Effect
Enters the Quality of Service (QoS) configuration mode, at which point you can enter QoS action-specific task commands and their arguments.
Arguments
None in this mode.
See Also
For more information about QoS mode commands, see Level 2 Quality of Service (QoS) configuration commands on page 100.

ras command

WG#config<ENTER>
WG(config)#ras

Effect
Enters the remote access services (RAS) configuration mode, at which point you can enter RAS connection-specific commands and their arguments.
Arguments
None in this mode.
See Also
See Level 2 Remote Access Service (RAS) configuration commands on page 102 for details on specific RAS mode commands.

rename command

WG#config<ENTER>
WG(config)#rename <object_type> <"old name"> \
    <"new name">

Effect
Substitutes a new name for an existing object name.
Arguments
<object_type>
   Use this argument to enter the type of object this name is applied to, whether (for example) an IPSec action, an address group, a RAS user profile, etc.
<"old name">
   Use this argument to enter the existing name.
<"new name">
   Use this argument to enter the new name.
schedule command

WG#config<ENTER>
WG(config)#schedule <name> <enable|disable> [-all| \
    -mon|-tue|-wed|-thu|-fri|-sat|-sun] {hr:min-hr:min \
    [hr:min-hr:min] [hr:min-hr:min] [hr:min-hr:min]}<ENTER>

Effect
Use this command to set up a schedule for use in the application of policies. Schedules can be set up for the same hours for every day or for different daily schedules, depending upon the arguments.
Arguments
<"name">
   Type a short, descriptive name for this schedule.
<enable|disable>
   This argument specifies whether this schedule is currently active or not.
-<day>
   This argument defines the days of the week. The values can either be noted as all for all seven days, or include any combination of days of the week: mon, tue, wed, thu, fri, sat, and sun.
{hour:minute-hour:minute}
   This argument (which can be repeated for different blocks of time) should note a range of hours, such as 9:00-12:00 (which indicates 9:00am to noon). Be sure to wrap the range in curly brackets, as shown in the examples below. Hours must be converted to and noted in military time according to the 24-hour clock.

Example
WG(config)#schedule workdays -mon \
    {8:00-12:00 13:00-19:00} -fri \
    {9:00-12:00} enable<ENTER>
WG(config)#schedule 24_7 -all {0:00-24:00}<ENTER>
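As an added example (not WatchGuard's code), the following Python module interprets the schedule syntax shown above: it tokenizes the text after the schedule keyword, maps each -<day> flag and its {hr:min-hr:min ...} block onto the 24-hour clock, and answers whether a policy bound to that schedule is in force at a given weekday and time. The tokenizer, the half-open [start, end) reading of a time block, and the is_active check are this example's own interpretation; the appliance's exact parsing rules are not described on the page.

```python
"""Interpret the schedule command's day flags and 24-hour time blocks.
Added example; not WatchGuard code. The grammar follows the syntax line
in the guide; the evaluation semantics are this example's own assumption."""
from __future__ import annotations

import re

DAYS = ("mon", "tue", "wed", "thu", "fri", "sat", "sun")
_BLOCK = re.compile(r"^(\d{1,2}):(\d{2})-(\d{1,2}):(\d{2})$")


def _minutes(hh: str, mm: str) -> int:
    """hh:mm on the 24-hour clock as minutes since midnight; 24:00 is allowed as a block end."""
    h, m = int(hh), int(mm)
    if not (0 <= h <= 24 and 0 <= m <= 59) or (h == 24 and m != 0):
        raise ValueError(f"bad time {hh}:{mm}")
    return h * 60 + m


def parse_schedule(args: str) -> dict:
    """args is the text after 'schedule', e.g.
    'workdays -mon {8:00-12:00 13:00-19:00} -fri {9:00-12:00} enable'."""
    # Pad the braces so '{8:00-12:00 13:00-19:00}' splits into separate tokens.
    tokens = args.replace("{", " { ").replace("}", " } ").split()
    name = tokens.pop(0)
    enabled: bool | None = None
    blocks: dict[str, list[tuple[int, int]]] = {d: [] for d in DAYS}
    current: list[str] = []          # days the next {...} block applies to
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in ("enable", "disable"):
            enabled = tok == "enable"
        elif tok.startswith("-"):
            current = list(DAYS) if tok == "-all" else [tok[1:]]
            if current[0] not in DAYS:
                raise ValueError(f"unknown day flag {tok}")
        elif tok == "{":
            if not current:
                raise ValueError("time block given before any day flag")
            i += 1
            while i < len(tokens) and tokens[i] != "}":
                m = _BLOCK.match(tokens[i])
                if m is None:
                    raise ValueError(f"bad time block {tokens[i]}")
                start, end = _minutes(m[1], m[2]), _minutes(m[3], m[4])
                if end <= start:
                    raise ValueError(f"empty or reversed block {tokens[i]}")
                for d in current:
                    blocks[d].append((start, end))
                i += 1
            if i == len(tokens):
                raise ValueError("missing closing brace")
        else:
            raise ValueError(f"unexpected token {tok}")
        i += 1
    if enabled is None:
        raise ValueError("enable or disable is required")
    return {"name": name, "enabled": enabled, "blocks": blocks}


def is_active(schedule: dict, weekday: int, hour: int, minute: int) -> bool:
    """weekday 0 = Monday .. 6 = Sunday (as datetime.weekday()); a block covers [start, end)."""
    if not schedule["enabled"]:
        return False
    t = hour * 60 + minute
    return any(start <= t < end for start, end in schedule["blocks"][DAYS[weekday]])
```

The two guide examples parse as expected: the workdays schedule is active on Monday at 9:30 but not at 12:30 (the gap between its two blocks) and never on Tuesday, which has no block; the 24_7 schedule is active at every minute of every day because 24:00 is accepted as a block end.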
service command

WG#config<ENTER>
WG(config)#service <name> [+] \
    <-single <protocol port> | \
    -range <protocol port-port> | \
    -group <service_group>>

Effect
Records a new service entry (individual or group) for use in policies. The service must be noted as either a single service, a range of port numbers for a single service, or a group of existing related services.
Arguments
<"name">
   Enter the name of this new service or group.
-single {<protocol> <port>}
   Use this argument to note the protocol and port number of a single service.
-range {<protocol> <port-port>}
   Use this argument to note the protocol and two or more port numbers for a single service.
-group {<service-group> [<service-group> <service-group>]}
   Use this argument to note the names of two or more related services.
+
   Use this argument (the + character) to add an additional service to an existing group.

Examples
WG(config)# service ldap -single tcp 389
WG(config)# service my_app -range tcp 6000-6006
WG(config)# service my_app + -single udp 6010
WG(config)# service email -group "mail_SMTP" \
    -group "POP3"<ENTER>
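The address, service and policy commands of this chapter define the objects that policies reference and the ordered table they are matched against. As an added example (not WatchGuard's code), this Python model loads the chapter's own address and service examples, builds a policy table in -position order, and decides a connection by first match from the top, which is how the -position argument above changes the outcome. Group-by-name references for addresses, the + form for extending an existing object, the ObjectDB class and its methods, the constructed policy rows, and a block-by-default result when no row matches are all this example's assumptions; the appliance's real matching engine is not described on the page.

```python
"""Address objects, service objects and first-match policy evaluation,
modelled on the address, service and policy commands of this chapter.
Added example; not WatchGuard code."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field


@dataclass
class AddressObject:
    nets: list[ipaddress.IPv4Network] = field(default_factory=list)  # from -host, -net, -range
    groups: list[str] = field(default_factory=list)                  # from -group: other object names


@dataclass
class Policy:
    name: str
    source: str                  # address object name, or "Any"
    destination: str
    firewall: str                # pass | block | reject | authenticate
    service: str | None = None   # service object name; None matches every service


class ObjectDB:
    def __init__(self) -> None:
        self.addresses: dict[str, AddressObject] = {}
        self.services: dict[str, list[tuple[str, int, int]]] = {}  # name -> [(proto, low, high)]
        self.policies: list[Policy] = []                            # row order == -position

    def address(self, name: str, *args: str) -> None:
        """address <name> [+] -host a.b.c.d | -net a.b.c.d/e | -range a.b.c.d-a.b.c.d | -group name"""
        extend = args[:1] == ("+",)                  # '+' adds members to an existing object
        obj = self.addresses[name] if extend else AddressObject()
        start = 1 if extend else 0
        for flag, value in zip(args[start::2], args[start + 1::2]):
            if flag == "-host":
                obj.nets.append(ipaddress.IPv4Network(value.split("/")[0]))  # one host; a mask is ignored
            elif flag == "-net":
                obj.nets.append(ipaddress.IPv4Network(value, strict=False))
            elif flag == "-range":
                lo, hi = (ipaddress.IPv4Address(p) for p in value.split("-"))
                obj.nets.extend(ipaddress.summarize_address_range(lo, hi))
            elif flag == "-group":
                obj.groups.append(value)
            else:
                raise ValueError(f"unknown address argument {flag}")
        self.addresses[name] = obj

    def service(self, name: str, *args: str) -> None:
        """service <name> [+] -single proto port | -range proto low-high (each flag takes two values)"""
        extend = args[:1] == ("+",)
        ports = self.services[name] if extend else []
        start = 1 if extend else 0
        for flag, proto, spec in zip(args[start::3], args[start + 1::3], args[start + 2::3]):
            if flag not in ("-single", "-range"):
                raise ValueError(f"unknown service argument {flag}")
            lo, hi = (int(p) for p in spec.split("-")) if flag == "-range" else (int(spec), int(spec))
            ports.append((proto, lo, hi))
        self.services[name] = ports

    def address_has(self, name: str, ip: ipaddress.IPv4Address) -> bool:
        if name == "Any":
            return True
        obj = self.addresses[name]
        return any(ip in n for n in obj.nets) or any(self.address_has(g, ip) for g in obj.groups)

    def service_has(self, name: str | None, proto: str, port: int) -> bool:
        if name is None:
            return True
        return any(p == proto and lo <= port <= hi for p, lo, hi in self.services[name])

    def policy(self, pol: Policy, position: int | None = None) -> None:
        """Append a row, or insert it at a 1-based row as -position <num> does."""
        self.policies.insert(len(self.policies) if position is None else position - 1, pol)

    def decide(self, src: str, dst: str, proto: str, port: int) -> tuple[str, str | None]:
        """Walk the table top-down; the first match wins. No match is treated as block (assumption)."""
        s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
        for pol in self.policies:
            if (self.address_has(pol.source, s) and self.address_has(pol.destination, d)
                    and self.service_has(pol.service, proto, port)):
                return pol.firewall, pol.name
        return "block", None


def build_sample_db() -> ObjectDB:
    """The chapter's own address and service examples plus a constructed three-row policy table."""
    db = ObjectDB()
    db.address("my_nets", "-range", "14.0.2.1-14.0.2.125")
    db.address("my_nets", "+", "-net", "10.29.0.0/16")
    db.address("exec_addresses", "-host", "10.10.1.1")
    db.address("inside", "-group", "my_nets", "-group", "exec_addresses")
    db.service("ldap", "-single", "tcp", "389")
    db.service("my_app", "-range", "tcp", "6000-6006")
    db.service("my_app", "+", "-single", "udp", "6010")
    db.policy(Policy("Exec_LDAP", "exec_addresses", "Any", "pass", "ldap"))
    db.policy(Policy("Inside_App", "inside", "Any", "pass", "my_app"))
    db.policy(Policy("Block_LDAP", "Any", "Any", "block", "ldap"), position=1)  # like -position 1
    return db
```

The sample table makes the ordering point concrete: Exec_LDAP would pass LDAP from 10.10.1.1, but because Block_LDAP was moved to row 1 it is reached first and wins, exactly as relocating SJ_NY_VPN with -position 5 above changes which policy a packet meets first. Traffic that matches no row falls through to block in this model; check the User Guide for the appliance's own default before relying on that.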
system command

WG#config<ENTER>
WG(config)#system

Effect
Enters system parameter configuration mode, at which point you can enter system-specific commands and their arguments.
Arguments
None in this mode.
See Also
For more information about system mode commands, see Level 2 System Configuration commands on page 107.

trace command

WG#config<ENTER>
WG(config)#trace [ike <level>]   # level=1-6
    [cmm <level>]
    [nm <level>]
    [pmm <level>]
    [ha <level>]

Effect
Runs a trace for the specified object.
Arguments
None in this mode.

tenant command

WG#config<ENTER>
WG(config)#tenant

Effect
Enters the tenant configuration mode, at which point you can record a new tenant entry for either a VLAN or user-domain tenant.
Arguments
None in this level.
See Also
See Level 2 tenant configuration commands on page 119 for more information about the next level of tenant commands.

tunnel_switch command

WG#config<ENTER>
WG(config)#tunnel_switch <enable|disable>

Effect
Enables (or disables) the tunnel switching capability of this WatchGuard appliance, according to the specific argument. (This must be done before applying specific tunnel-switching security policies.)
Arguments
<enable | disable>
   The default state is disable.
Example
WG(config)#tunnel_switch enable<ENTER>
history command

WG#config<ENTER>
WG(config)#history

Effect
Shows the last 20 commands exercised at this level of the CLI. Note, too, that you can apply it at any level of the CLI. For example, you may apply the history command after extensive policy creation, and see a series of 20 commands, starting with 64 and ending with 83, the most recent command being listed as 83.
Arguments
None
Example
WG(config)#history<ENTER>
Results
Executed Commands:
0 ike
1 address
2 address "pubs" -host 10.10.99.1
3 show address pubs
4 dos
5 denial
WG(config)#

Level 2 High Availability configuration commands on page 72
Level 2 IKE configuration commands on page 78
Level 2 interface configuration commands on page 82
Level 2 IPSec configuration commands on page 95
Level 2 license commands (for upgraded or additional features) on page 117
Level 2 Quality of Service (QoS) configuration commands on page 100
Level 2 Remote Access Service (RAS) configuration commands on page 102
Level 2 System Configuration commands on page 107
Level 2 tenant configuration commands on page 119
Effect
Generates a VPN certificate request that can be sent to a certifying authority. After executing this command (with the required arguments), you must cut the resulting certificate text and paste it into the relevant form (an e-mail message, a Web-site request or a text file) that you transmit to the proper authority.
Arguments
<"name"> This argument notes the host name of this appliance (omitting the remainder of the DNS entry).
-company <"name"> This argument notes the name of your company or organization.
-country <"name"> This argument notes the name (or official abbreviation) of your country. The default is US.
-department <"text"> This optional argument notes the specific department name.
-dns_name <"name"> This argument notes the fully qualified DNS name of this appliance.
-ip_address <a.b.c.d> This argument notes the IP address of this appliance's interface 1.
-user_domain <"name"> This argument notes a user domain name, if any.
-key_usage {<rsa|dsa> <1024|512> <encryption|signature|both>} This argument notes the key usage particulars, including RSA or DSA and the key length in bits. This argument also notes your choice of encryption or signature (or both).
If this command is successful, the CLI will prompt you to cut and paste the results into the appropriate means of submitting this request to the authority.
Effect
Assists in importing the contents of a newly received VPN or Web certificate into the WatchGuard appliance database. To import a certificate, you must open the certificate file and copy the text, then paste it into the command in the proper location, as shown in the following example.
Arguments
None.
Examples
WG(config-cert)# import<ENTER>
Results
On-screen instructions appear, as shown here.
Paste certificate below, then press Enter.
-----BEGIN CERTIFICATE-----
MIIC1jCCAj+gAwIBAgIDBJYLMA0GCSqGSIb3DQE
BBAUAMCgxCzAJBgNVBAYTAlVTMRkwFwYDVQQKEx
BSYXBpZFN0cmVhbSBJbmMuMB4XDTAxMDIxOTA0M
jAyNVoXDTAxMDUyMDA0MjAyNVowOzELMAkGA1UE
BhMCVVMxGTAXBgNVBAoTEFJhcGlkU3RyZWFtQ8D
CCtvvThQ2ug==
-----END CERTIFICATE-----
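The request and import commands above depend on a PEM block being cut and pasted by hand, and a block that was truncated or mis-pasted is only discovered when the appliance fails to parse it. The following Python script is an added example, not part of this guide or of the WatchGuard software: it checks a pasted block offline before it is submitted, verifying the five-dash BEGIN/END markers, that the label is CERTIFICATE or CERTIFICATE REQUEST, that the body is valid base64, and that the length field of the outer DER SEQUENCE matches the number of bytes actually decoded (a paste cut off early fails that last check). The sample block it carries is constructed, a minimal DER SEQUENCE rather than a real certificate.

```python
import base64
import re
from typing import Tuple

# One complete PEM block: five-dash markers, matching BEGIN/END labels.
_PEM_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Z ]+)-----\s*(?P<body>.*?)\s*-----END (?P=label)-----",
    re.S,
)
ACCEPTED_LABELS = ("CERTIFICATE", "CERTIFICATE REQUEST")


def der_sequence_length(der: bytes) -> int:
    """Return the total encoded length of the outer DER SEQUENCE (tag, length
    field and content), or -1 if the bytes do not start with a well-formed
    SEQUENCE header."""
    if len(der) < 2 or der[0] != 0x30:          # 0x30 = SEQUENCE tag
        return -1
    first = der[1]
    if first < 0x80:                             # short form: one length byte
        return 2 + first
    n = first & 0x7F                             # long form: n following length bytes
    if n == 0 or n > 4 or len(der) < 2 + n:
        return -1
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def check_pem(text: str) -> Tuple[bool, str]:
    """Check that `text` holds one complete PEM certificate or certificate
    request. Returns (ok, label) on success and (False, reason) otherwise."""
    m = _PEM_RE.search(text)
    if not m:
        return False, "no matching BEGIN/END pair (markers must be five dashes)"
    label = m.group("label")
    if label not in ACCEPTED_LABELS:
        return False, f"unexpected PEM label {label!r}"
    body = re.sub(r"\s+", "", m.group("body"))
    try:
        der = base64.b64decode(body, validate=True)
    except ValueError:                           # binascii.Error is a ValueError
        return False, "body is not valid base64"
    expected = der_sequence_length(der)
    if expected < 0:
        return False, "decoded data is not a DER SEQUENCE"
    if expected != len(der):
        return False, (f"DER length {expected} does not match decoded size "
                       f"{len(der)} (truncated paste?)")
    return True, label


# Constructed sample: a minimal DER SEQUENCE holding INTEGER 5, wrapped as PEM.
# It is not a real certificate; it only exercises the structural checks above.
_SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x05])
SAMPLE_CERT_PEM = ("-----BEGIN CERTIFICATE-----\n"
                   + base64.b64encode(_SAMPLE_DER).decode()
                   + "\n-----END CERTIFICATE-----\n")
# The same bytes with the last one dropped, as a paste cut off too early would be.
TRUNCATED_PEM = ("-----BEGIN CERTIFICATE-----\n"
                 + base64.b64encode(_SAMPLE_DER[:-1]).decode()
                 + "\n-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    print(check_pem(SAMPLE_CERT_PEM))   # (True, 'CERTIFICATE')
    print(check_pem(TRUNCATED_PEM))     # (False, 'DER length 5 does not match decoded size 4 (truncated paste?)')
```

The length comparison is deliberately structural only: it does not parse the certificate fields or verify any signature, which is the authority's and the appliance's job, but it catches the common paste failures (a missing dash in a marker, a line lost at the end of the block, stray text inside the body) before they reach the command prompt.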
Effect
Displays the properties of a specific certificate or a certificate request. If no specific certificate argument is used, this command lists all the current certificates and pending certificate requests.
Arguments
[cert_id] This optional argument records a specific certificate ID.
Examples
WG(config-cert)# show<ENTER>
Ord  TYPE  NAME                    Subject                 Cert id     KeyAlgo
1    Pndg  cn=a,o=WatchGuard,c=US  cn=a,o=WatchGuard,c=    20001       RSA
2    CA    o=WatchGuard Inc.,c=US  o=WatchGuard Inc.,c=U   1075246528  RSA
OR
WG(config-cert)# show 20001<ENTER>
Pending Certificate
Name: cn=a,o=rapidstreaym,c=US
Subject: cn=a,o=rapidstreaym,c=US
Cert ID: 20001
DNS Name: WatchGuard.com
Key Algorithm: RSA
Length: 1024
Key Usage: both
Issued by:
Valid Period:
-----BEGIN CERTIFICATE REQUEST-----
MIIBvzCCASgCAQAwMDELMAkGA1UEBhMCVVMxFTA
TBgNVBAoTDHJhcGlkc3RyZWF5bTEKMAgGA1UEAx
MBYTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCg
YEAuMih4lNe7UH8+DVTHRD2lTf+tYcCvWbExscA
hhZd92ipnxdeelulzhhPj8ICcxnFTmVtkx70Dlp
Sx5Do20rY+BqDgPjasG7wdeQDpT94KmbBYBjYbY
tX1e1mukxXi546D2JNHYEqQJmTFTNYuono4eUNI
48LfLJQ5xZVj7cCAwEAAaBPME0GCSqGSIb3DQEJ
DjFAMD4wCwYDVR0PBAQDAgWgMBMGA1UdJQQMMAo
GCCsGAQUFCAICMBoGA1UdEQQTMBGCD3JhcGlkc3
RyZWFtLmNvbTANBgkqhkiG9w0BAQQFAAOBgQBFA
tGzBt6JIK2SfOUjnFXTYS09N9kKPjYe9SMOgCkg
K30SbOIcSdWK92liT93XxE+ZXGiqvtCe49YF4lS
0sqeF9ssFLlK8gOLYalT1K1uJqHkthVJosa06n0
wLDvFYsJNZ4Y7FayvTVQAp+5zBo+5mkkzsgN3q7
TlNR5B1zDrFA==
-----END CERTIFICATE REQUEST-----
Effect
Creates a Web (SSL) certificate request for this appliance. After the request is generated, you must copy and paste the text to a text file and send it to a third-party CA as part of a formal request for a Web certificate.
Arguments
<ip|"name"> Use this argument to enter either the IP address or host name of this security appliance.
Example
WG(config-ssl)# ssl rs101<ENTER>
Creating certificate request could take several minutes. Please wait
-----BEGIN CERTIFICATE REQUEST-----
MIIBbTCB1wIBADAQMQ4wDAYDVQQDEwVyczEwMTC
BnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAyr
3Tg/jHZMiI9MaleoizYygY5rWtipDCUCmop6ZeR/q8uhrhBDjikB6j02CMXQFE6eCWNFqC8CjzHqWY2v+IPPoyDBOrfGHl4Icn8/ZZNJIv4lXAeSmhDqSo9tqrUVKlyh/TD/6JF9x2v3GaVNUZEmk5+LTT/iEdCrehhr/YfxECAwEAAaAeBHn/nu1msTyGjzqtP42IzQM/6YTj2uHMGPF/Y8FTYgCE
-----END CERTIFICATE REQUEST-----
Effect
Displays the configuration settings for any High Availability ports in this WatchGuard appliance.
Arguments
None
Example
WG(config-ha)#show<ENTER>
HA Type: Active_Active
Primary System Name = 2026
Secondary System Name = 2027
No Shared Secret
Interfaces  Primary IP      Mask           Secondary IP    Mask           Monitoring
0:          192.168.104.64  255.255.255.0  192.168.104.65  255.255.255.0  ON
1:          192.128.134.32  255.255.255.0  192.128.134.33  255.255.255.0  ON
2:          30.0.0.1        255.0.0.0      30.0.0.8        255.0.0.0      OFF
3:          40.0.0.1        255.0.0.0      40.0.0.2        255.0.0.0      OFF
Advanced HA Parameters:
HA1: Enabled  HA2: Disabled
Primary    HA1 IP 1.0.0.1 netmask 255.255.255.0   HA2 IP 10.10.10.26 netmask 255.255.0.0
Secondary  HA1 IP 1.0.0.3 netmask 255.255.255.0   HA2 IP 10.10.10.27 netmask 255.255.0.0
HA Status
HA Role: Primary
DB Time Stamp:  Primary: Thu Dec 5 16:38:58 2002   Secondary: Thu Dec 5 16:38:58 2002
Status:         Primary: ACTIVE                     Secondary: ACTIVE
Effect
Enables high availability in WatchGuard appliances with one or more HA interfaces, and assists you in entering precise HA system settings.
Arguments
active_standby | active_active This turns high availability on in either Active/Standby mode or Active/Active mode. For more information on these modes, see the Vcontroller User Guide.
advanced This enters advanced High Availability configuration mode, and shows the following prompt: WG(config-ha-advanced)$ For more information, see High Availability advanced configuration mode on page 77.
disable
hotsync Syncs the local appliance with its peer. In Active/Standby mode a hotsync should be performed every time the configuration of the Active box is changed. In Active/Active mode, a hotsync should only be performed during the initial setup, when the secondary appliance is in factory default configuration.
monitor {1 & | 2} This optional command specifies which interface (1 or 2) you want this appliance to monitor for link status. (Note that the 0 (private) interface is always being monitored.)
<primary|secondary> [interface N ip] | [-name systemName2] [no] [shared_secret secret1]
ha1_interface <master_ip> <backup_ip> </prefix|mask> This command configures the IP address of the HA1 interface of the master and backup appliances.
ha2_interface <master_ip> <backup_ip> </prefix|mask> This command configures the IP address of the
Effect
Initiates the process of saving and applying any just-completed HA interface configurations. You will be asked to confirm the committing of these changes, at which time you can press Y to do so.
Arguments
None
Example
WG(config-ha)#exit<ENTER>
Commit (Y/N)?y<ENTER>
HA IP address is set to 12.10.1.2, please wait for it to take effect
WG(config-ha)#
Effect
Allows you to configure advanced settings for High Availability.
Arguments
action <local | peer> <failover | restart> Allows you to manually fail over or restart the local or peer appliance of the HA pair. The local appliance is the one you are connected to, and the peer is its HA partner.
ha2 <enable | disable> Allows you to enable the HA2 port for HA use. When this is enabled, and the HA2 ports are connected between the two appliances, in addition
This allows you to set the IP addresses and netmasks for the primary and secondary devices' HA ports.
Example
WG#config<ENTER>
WG(config)#high_availability <ENTER>
WG(config-ha)#advanced
WG(config-ha-advanced)#primary ha1 ip \
10.10.10.11|255.255.0.0 \
secondary ha1 ip 10.10.10.12
Arguments
<"name"> Enter the name of this action prior to recording the arguments.
<-main-mode | -aggressive-mode> This argument specifies your choice of mode.
[-natt <enable|disable> [-natt_keepalive <seconds>]] -natt enables or disables NAT Traversal (UDP encapsulation). -natt_keepalive allows you to specify the time in seconds between keep-alive messages.
[extended_authentication] This argument, when present, activates extended authentication, used for remote access connection requests.
-rsa {<g1|g2> <des|3des> <md5|sha> <lifetime [min|hr]&|lifesize [KB|MB]>} This argument and its values detail the RSA IKE transform.
-dss {<g1|g2> <des|3des> <md5|sha> <lifetime [min|hr]&|lifesize [KB|MB]>} This argument and its values detail the DSS IKE transform.
-preshared {<g1|g2> <des|3des> <md5|sha> <lifetime [min|hr]&|lifesize [KB|MB]>} This argument and its values specify the preshared key IKE transform.
In all of the three preceding arguments, the following values are options you can apply:
Option                    Description
g1 and g2                 the two Diffie-Hellman group options.
des|3des                  represent two encryption algorithm options.
md5|sha                   represent two other encryption algorithm options.
Lifetime (minutes/hours)  represent a key lifetime setting, measured in time.
Lifesize (KB/MB)          represent a key lifetime, measured in kilo- or megabytes.
Example
WG(config-ike)#action my_act -main \
rsa {g2 3des md5 10hr 100MB} {g1 des sha 45min} \
dss {g2 3des sha 8hr}
Arguments
<"name"> This argument records a brief, descriptive name for this policy.
<*|peer_address> This argument notes either any (indicated by *) or the address group representing the peer appliance(s).
-action <ike_action> This argument notes the name of the IKE action used by this policy.
-peer <any> | -address <name> &| -domain <name> &| -user_domain <user@host> &| -X.500 <string> This argument specifies the means of identifying the peer appliance from these five options. You can enter any as the sole option or combine any of these options (and values) in this argument:
Option          Description
<-address>      represents an address group used as the peer ID type.
<-domain>       represents a domain name as the peer ID type.
<-user_domain>  represents a user domain name as the peer ID type.
<-X.500>        represents X.500 as the peer ID type.
[-local {<cert-id> <ip-address|domain|user-domain|X500>}] This optional argument specifies which ID type is used by this WatchGuard appliance. The argument is the same as for -peer, as noted above.
[-preshared <key_text>] This optional argument records the text of the pre-shared key, if one is used by this policy. You must enter the actual key text as either ASCII text or hexadecimal notation.
This argument records the numeric position assigned to this policy in the IKE policy table.
Example
WG(config-ike)#policy "Remote Users" * action \
remote_users -peer -domain WatchGuard.com \
-user_domain WatchGuard.com -local {20001 domain}
WG(config-ike)#policy IKE_NY_SJ NY_Gateway \
-action psk_main -peer any -preshared \
"secret"<ENTER>
Effect
Enters the system interface configuration mode.
Arguments
None. Please review the rest of this section for related commands.
Effect
Displays the current network address settings for each of the main security appliance data interfaces: 0 (private), 1 (public) or 2 (DMZ, where applicable).
Arguments
None.
Example
WG(config-if)# show<ENTER>
The results appear as shown in this example:
interface 0:
ip = 10.10.13.101   net mask = 255.255.0.0     status = UP    mac address = 00:01:21:10:01:e5
interface 1:
ip = 16.10.203.121  net mask = 255.255.255.0   status = DOWN  mac address = 00:01:21:10:01:e6
interface 2:
ip = 10.20.0.1      net mask = 255.255.255.0   status = DOWN  mac address = 00:01:21:10:01:e7
Effect
Use this command to configure the network identity of a WatchGuard appliance's interface 0 (Private).
Arguments
<a.b.c.d> This argument records the IP address assigned to this interface.
</prefix|mask> This argument records the number of bits in the subnet mask (for example, /16 is equivalent to the address 255.255.0.0), or the actual subnet mask address.
-mtu num This allows you to set the size of the Maximum Transmission Unit (MTU). The default is 1500 bytes.
[-100_full_duplex | -100_half_duplex | -10_full_duplex | -10_half_duplex | auto] This setting allows you to specify the speed at which the interface will operate.
[[no] dhcp_server -clients num [lease_time num [hours|days]]] This allows you to activate the DHCP server service on this interface, and specify information for it, including the number of clients allowed DHCP access, and the lease time for a DHCP address. The lease time default is 7 days. Put no in front of this command to turn off the DHCP server on this interface.
[dhcp_relay <a.b.c.d>] This allows you to use a separate DHCP server on your network to serve DHCP addresses, with the Vclass acting as a DHCP agent.
Example
WG(config-if)#interface 0 10.12.12.7 255.255.255.0 \
-mtu 1500 -100_half_duplex no dhcp_server<ENTER>
or
WG(config-if)#interface 0 10.12.12.7/24 -mtu 1500 \
-100_half_duplex no dhcp_server<ENTER>
or
WG(config-if)#interface 0 10.12.12.7/24 -mtu 1500 \
-100_half_duplex dhcp_relay 10.0.0.253<ENTER>
Effect
Use this command to configure DHCP server options assigned to a WatchGuard V10 appliance's Private (0) interface.
Arguments
<a.b.c.d> This argument records the IP address assigned to this interface.
</prefix|mask> This argument records the number of bits in the subnet mask, or the subnet mask.
dhcp_server Enter this argument to activate DHCP server service on this appliance.
-clients NUMBER This argument indicates the number of clients permitted DHCP access.
-lease_time NUMBER This argument indicates the lease time for all client connections, and any limitations, recorded in minutes.
[no] dhcp_server Enter this argument to disable any previously active DHCP service.
WatchGuard Command Line Interface Guide 87
Effect
Use this command to configure the network identity of a WatchGuard appliance's interface 1 (Public), if it is a publicly routable, fixed IP address.
Arguments
<a.b.c.d> This argument records the IP address assigned to this interface.
</prefix|mask> This argument records the number of bits in the subnet mask (for example, /16 is equivalent to the address 255.255.0.0), or the actual subnet mask address.
[-mtu num] This allows you to set the size of the Maximum Transmission Unit (MTU). The default is 1500 bytes.
[-100_full_duplex | -100_half_duplex | -10_full_duplex | -10_half_duplex | auto] This setting allows you to specify the speed at which the interface will operate.
[dhcp ["host_id"]] This allows you to obtain the IP address of interface 1 using DHCP.
[pppoe -user "name" -password "password"] This allows you to set Interface 1 to PPPoE. If the password contains the pound (#) character, it needs to be placed in double quotes.
[<-dial_on_demand|-always_on> <num>] This allows you to set PPPoE to Dial-on-Demand or Always On mode. The function of <num> following this option differs in each mode. For Dial-on-Demand mode, this number indicates the inactivity timeout interval in minutes (default is 20 minutes). For Always On mode, this number indicates the auto-reconnect interval in seconds (default is 60 seconds).
[-unnumbered_pppoe <a.b.c.d>|disable] This option allows you to use unnumbered PPPoE. For more information on unnumbered links, see RFC 1812 section 2.2.7.
[backup [ip <a.b.c.d> mask <a.b.c.d> gateway <a.b.c.d>] | [dhcp [host_id]] | [pppoe -user "name" -password "password"] [unnumbered_pppoe <a.b.c.d>|disable] [disable] [switch_to_backup]] This allows you to enable a Backup WAN connection for Interface 1, for systems that have unreliable ISPs or network providers. You can configure the failover connection as static, by typing the IP address, netmask, and gateway. You can configure the failover connection as DHCP using the [dhcp ["host_id"]] syntax. You can configure the interface as PPPoE (always on) using the [pppoe -user "name" -password "password"] syntax. You can configure the backup WAN connection as unnumbered PPPoE using the syntax [unnumbered_pppoe <a.b.c.d>|disable]. You can disable the backup connection by using the option [disable]. You can switch to the backup connection using the command switch_to_backup.
[tracking -remove|-add <a.b.c.d> -interval <seconds> -timeout <seconds> -pause_before_failback <minutes>] For systems that configure a Backup WAN connection using the failover command, these settings must be specified. You can add up to three IP addresses that are used to determine WAN failure. These addresses are used with the -interval and -timeout values to determine when the WAN connection has failed. -interval determines the amount of time that elapses between attempts to ping all three specified tracking addresses. -timeout determines the amount of time that can elapse before a ping attempt is considered failed. All three specified IP addresses must fail to respond to the ping attempt within the specified time to consider the WAN connection failed.
In the event of failure, the WAN is switched over to the backup connection. This causes a brief interruption in processing while the system restarts. To prevent frequent restarts, the final parameter, -pause_before_failback, is provided. This allows you to specify the amount of time that must elapse between failovers.
Example
WG(config-if)#interface 1 10.10.12.8 \
255.255.0.0 -mtu 1500 \
-10_full_duplex<ENTER>
or
WG(config-if)#interface 1 10.10.12.8/16 -mtu 1500 -10_full_duplex<ENTER>
Example (PPPoE)
WG(config-if)#interface 1 pppoe \
-user joeuser -password joepass \
-always_on 60
Example (DHCP)
WG(config-if)#interface 1 dhcp dhcpsrvr
Example (Backup Connection)
WG(config-if)#interface 1 10.10.12.8 255.255.0.0 -mtu auto \
-backup ip 10.10.24.16 mask 255.255.0.0 \
gateway 10.100.99.1 tracking -add 124.12.15.16
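The tracking rule described above (every tracking address must fail to answer within -timeout before the WAN counts as failed, and -pause_before_failback keeps the link on the backup for a while afterwards) is worth stepping through before relying on it, because a single unreachable tracking host must not trigger a failover and a flapping primary must not cause repeated restarts. The Python below is an added example, not code from this guide or from the appliance; it models that decision rule and replays a constructed sequence of ping rounds. The timeout, the hold-down and the second and third tracking addresses are made-up values; 124.12.15.16 is the guide's own example address.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class WanTracker:
    """Decision logic for the backup-WAN tracking settings as the guide states
    them: the primary WAN is declared failed only when every tracking address
    fails to answer within -timeout seconds, and a return to the primary link
    is held back until -pause_before_failback has elapsed since the failover.
    The hold-down is stored in seconds here (the command takes minutes)."""
    addresses: List[str]              # up to three "tracking -add <a.b.c.d>" targets
    timeout: float                    # -timeout, seconds
    pause_before_failback: float      # -pause_before_failback, converted to seconds
    on_backup: bool = False
    last_failover: Optional[float] = None

    def __post_init__(self) -> None:
        if not 1 <= len(self.addresses) <= 3:
            raise ValueError("tracking accepts one to three addresses")

    def probe_round(self, now: float, rtt: Dict[str, Optional[float]]) -> str:
        """Evaluate one round of pings sent at time `now` (seconds).
        `rtt` maps each tracking address to its reply time in seconds, or None
        when no reply arrived. Returns "failover", "failback" or "none"."""
        failed = [a for a in self.addresses
                  if rtt.get(a) is None or rtt[a] > self.timeout]
        wan_down = len(failed) == len(self.addresses)   # all targets must fail

        if wan_down and not self.on_backup:
            self.on_backup = True
            self.last_failover = now
            return "failover"

        if not wan_down and self.on_backup:
            held = (self.last_failover is not None
                    and now - self.last_failover < self.pause_before_failback)
            if held:
                return "none"        # primary is back, but the hold-down has not expired
            self.on_backup = False
            return "failback"

        return "none"


def run_constructed_scenario() -> List[str]:
    """Replay a constructed sequence of ping rounds (sample data, not output
    captured from an appliance) and return the action taken after each."""
    tracker = WanTracker(
        addresses=["124.12.15.16", "124.12.15.17", "124.12.15.18"],  # guide's address + two made up
        timeout=2.0,                    # "-timeout 2"
        pause_before_failback=5 * 60,   # "-pause_before_failback 5" (minutes) in seconds
    )
    all_ok = {"124.12.15.16": 0.02, "124.12.15.17": 0.02, "124.12.15.18": 0.02}
    rounds = [
        (0,   {"124.12.15.16": 0.02, "124.12.15.17": None, "124.12.15.18": 0.03}),  # one target silent: not a WAN failure
        (30,  {"124.12.15.16": None, "124.12.15.17": None, "124.12.15.18": 3.5}),   # nothing answers in time: fail over
        (60,  all_ok),                                                               # primary recovered, hold-down active
        (400, all_ok),                                                               # hold-down expired: fail back
    ]
    return [tracker.probe_round(t, replies) for t, replies in rounds]


if __name__ == "__main__":
    print(run_constructed_scenario())   # ['none', 'failover', 'none', 'failback']
```

Note that a reply slower than -timeout counts as a failure just as a missing reply does, which is how the guide describes the timeout, and that the third round returns "none" rather than "failback" purely because of the hold-down.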
Effect
Use this command to configure the network identity of a WatchGuard appliance's interface 2 (DMZ), where applicable.
Arguments
<a.b.c.d> This argument records the IP address assigned to this interface.
</prefix|mask> This argument records the number of bits in the subnet mask (for example, /16 is equivalent to the address 255.255.0.0), or the actual subnet mask address.
-mtu num This allows you to set the size of the Maximum Transmission Unit (MTU). The default is 1500 bytes.
[-100_full_duplex | -100_half_duplex | -10_full_duplex | -10_half_duplex | auto] This setting allows you to specify the speed at which the interface will operate.
Example
WG(config-if)#interface 2 10.12.12.9 255.255.255.0 \
-mtu 1500 -10_full_duplex<ENTER>
or
WG(config-if)#interface 2 10.12.12.9/24 -mtu 1500 \
-10_full_duplex<ENTER>
interface 3 (DMZ2) command (configure interface level, V60 and V80 only)
WG#config<ENTER>
WG(config)#interface<ENTER>
WG(config-if)#interface 3 <a.b.c.d> </prefix|mask> [-mtu num] [-100_full_duplex | -100_half_duplex | -10_full_duplex | -10_half_duplex | -auto]
Effect
Use this command to configure the network identity of a WatchGuard appliance's interface 3, where applicable.
Arguments
<a.b.c.d> This argument records the IP address assigned to this interface.
</prefix|mask> This argument records the number of bits in the subnet mask (for example, /16 is equivalent to the address 255.255.0.0), or the actual subnet mask address.
-mtu num This allows you to set the size of the Maximum Transmission Unit (MTU). The default is 1500 bytes.
[-100_full_duplex | -100_half_duplex | -10_full_duplex | -10_half_duplex | auto] This setting allows you to specify the speed at which the interface will operate.
Example
WG(config-if)#interface 3 10.12.12.9 255.255.255.0 \
-mtu 1500 -auto<ENTER>
or
WG(config-if)#interface 3 10.12.12.9/24 -mtu 1500 \
-auto<ENTER>
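The interface 0 through interface 3 commands above all take the address followed by either a prefix length or a dotted mask (/16 and 255.255.0.0 being equivalent), and the examples show both spellings as well as the backslash line continuation. The following Python is an added example, not part of this guide or of the appliance software: it parses command lines written in the form of those examples, normalises the address with the standard ipaddress module so that both spellings come out the same, and rejects a network or broadcast address, a check this example adds rather than one the guide documents. The default MTU of 1500 is the guide's; the dictionary layout is this example's own.

```python
import ipaddress
from typing import Dict

DUPLEX_OPTIONS = {"-100_full_duplex", "-100_half_duplex",
                  "-10_full_duplex", "-10_half_duplex", "-auto", "auto"}


def parse_address(ip: str, spec: str) -> ipaddress.IPv4Interface:
    """Resolve the </prefix|mask> argument: `spec` may be a prefix length
    ("/16" or "16") or a dotted mask ("255.255.0.0"); ipaddress accepts both.
    A network or broadcast address is rejected because it cannot be assigned
    to an interface (this check is the example's own, not one the guide states)."""
    iface = ipaddress.IPv4Interface(f"{ip}/{spec.lstrip('/')}")
    net = iface.network
    if net.prefixlen < 31 and iface.ip in (net.network_address, net.broadcast_address):
        raise ValueError(f"{iface.ip} is the network or broadcast address of {net}")
    return iface


def rejects_address(ip: str, spec: str) -> bool:
    """True if parse_address refuses the combination."""
    try:
        parse_address(ip, spec)
    except ValueError:
        return True
    return False


def parse_interface_command(line: str) -> Dict[str, object]:
    """Parse one interface command in the form of the guide's examples:
    interface N <a.b.c.d> </prefix|mask> [-mtu num] [duplex option]
    [[no] dhcp_server [-clients num] [lease_time num [hours|days]]] [dhcp_relay a.b.c.d]
    Backslash line continuations and a trailing <ENTER> are tolerated."""
    toks = line.replace("<ENTER>", "").replace("\\\n", " ").split()
    if len(toks) < 3 or toks[0] != "interface" or not toks[1].isdigit():
        raise ValueError("expected: interface <N> <a.b.c.d> </prefix|mask> ...")

    def value(pos: int) -> str:             # the token after an option, or a clear error
        if pos >= len(toks):
            raise ValueError(f"{toks[pos - 1]} needs a value")
        return toks[pos]

    i = 2
    if "/" in toks[i]:                      # "10.12.12.7/24"
        ip, spec = toks[i].split("/", 1)
        i += 1
    else:                                   # "10.12.12.7 255.255.255.0"
        ip, spec = toks[i], value(i + 1)
        i += 2
    iface = parse_address(ip, spec)
    cfg: Dict[str, object] = {
        "interface": int(toks[1]),
        "address": str(iface.ip),
        "netmask": str(iface.netmask),
        "prefixlen": iface.network.prefixlen,
        "mtu": 1500,                        # guide: default 1500 bytes
        "duplex": None,
        "dhcp_server": None,                # True = on, False = "no dhcp_server", None = not given
        "dhcp_clients": None,
        "lease_time": None,                 # (number, "hours"/"days"/None)
        "dhcp_relay": None,
    }
    while i < len(toks):
        t = toks[i]
        if t == "-mtu":
            cfg["mtu"] = int(value(i + 1)); i += 2
        elif t in DUPLEX_OPTIONS:
            cfg["duplex"] = t.lstrip("-"); i += 1
        elif t == "no" and value(i + 1) == "dhcp_server":
            cfg["dhcp_server"] = False; i += 2
        elif t == "dhcp_server":
            cfg["dhcp_server"] = True; i += 1
        elif t == "-clients":
            cfg["dhcp_clients"] = int(value(i + 1)); i += 2
        elif t == "lease_time":
            n, unit = int(value(i + 1)), None
            i += 2
            if i < len(toks) and toks[i] in ("hours", "days"):
                unit = toks[i]; i += 1
            cfg["lease_time"] = (n, unit)
        elif t == "dhcp_relay":
            cfg["dhcp_relay"] = str(ipaddress.IPv4Address(value(i + 1))); i += 2
        else:
            raise ValueError(f"unrecognised token {t!r}")
    return cfg


if __name__ == "__main__":
    print(parse_interface_command("interface 0 10.12.12.7/24 -mtu 1500 -100_half_duplex no dhcp_server"))
```

Running the guide's two interface 0 forms through the parser yields identical address, netmask and prefix fields, which is the equivalence the text states; the rejection of a broadcast address is the kind of mistake (10.12.12.255/24, for instance) that the CLI would otherwise accept into a committed configuration.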
Effect
Use this command to configure the network identity of a WatchGuard appliance's High Availability 1 interface, when this interface is used for management access instead of HA functionality.
Arguments
<a.b.c.d> This argument records the IP address assigned to this interface.
</prefix|mask> This argument records the number of bits in the subnet mask, or the subnet mask.
Effect
Use this command to configure the network identity of a WatchGuard appliance's High Availability 2 interface, when this interface is used for management access instead of HA functionality.
Arguments
<a.b.c.d> This argument records the IP address assigned to this interface.
</prefix|mask> This argument records the number of bits in the subnet mask, or the subnet mask.
mode command
WG(config-if)# mode router | transparent<ENTER>
Effect
Use this command to switch the appliance between Router mode and Transparent mode. An appliance can only be switched from Router mode (the default) to Transparent mode when the appliance is in the factory default configuration state; you are prompted to restore the system to the factory default state when you attempt this switch. An appliance can be switched from Transparent mode to Router mode in any configuration condition. A restart is required for the mode switch to take effect.
Arguments
None
Example
WG(config-if)# mode router<ENTER>
Effect
Use this command to immediately apply any interface address changes to this appliance. The appliance will update you with status messages (as shown below) to inform you about the process.
Arguments
None
Example
WG(config-if)# exit<ENTER>
Commit (Y/N)?y<ENTER>
Results
interface 1 IP address is set to 16.10.203.121, please wait for it to take effect
WG(config)#
Effect
Records a new IPSec action (manual key or automatic key), including one or more proposals which have been created beforehand.
Arguments
<name> Type a unique name for this action.
<-tunnel_mode|-transport_mode> This argument determines whether this action is tunnel mode or transport mode.
<*|peer IP address|address group> If you enter tunnel mode, you must then qualify it with one of the following: (1) enter "*" to indicate ANY source, (2) enter a specific peer appliance's IP address, or (3) enter the name of an address group containing the peer IP address.
-auto_key Enter this argument if this action utilizes an automatic key. Do not use -manual_key if using an automatic key. The following two arguments further qualify this automatic key exchange.
[no] pfs_group <1|2> If this action uses an automatic key, use this argument to specify which perfect forward secrecy option (Diffie-Hellman Group 1 or 2) will be used. If none is used, you can preface this argument with no.
<"proposal_name"> [<"proposal_name">] If this action uses an automatic key, use this argument to enter the IKE proposal names (whether one or more).
-manual_key Enter this argument if this action employs a manual key. (If doing so, do not use the -auto_key argument.) The following ten arguments (grouped
Example
WG(config-ipsec)# action NY_IPSec tunnel \
NY_Gateway -auto no pfs_group MAX_SECURITY \
ESP-3DES<ENTER>
# This command creates an auto-key IPSec action with a peer tunnel. The peer IP is NY_Gateway, no PFS is used, the first proposal is MAX_SECURITY and the second is ESP_3DES.
WG(config-ipsec)# action remote_user_ipsec \
-tunnel * -auto pfs_group 1 ESP-3DES-MD5 \
ESP-DES-MD5<ENTER>
# This command creates a tunnel mode, auto-key IPSec action for remote users. The peer tunnel IP is * (ANY), PFS uses DH group 1, and there are two proposals: ESP-3DES-MD5 and ESP-DES-MD5.
WG(config-ipsec)# action SJ_Man -tunnel \
102.39.45.28 -man -esp 256 982 3des mankey<ENTER>
# This command results in a tunnel-mode, manual-key IPSec action with a peer tunnel IP address of 102.39.45.28. It uses ESP-3DES (local SPI is 256, peer SPI is 982) and the key text is mankey.
Effect
Creates or modifies an IPSec proposal that can then be incorporated into IPSec actions (which can then be added to security policies).
Arguments
<"name"> This argument notes the name assigned to this new proposal.
-antireplay_window <0|32|64> This argument (and the required value) sets the anti-replay window size.
-esp {<des|3des> [md5|sha] <lifetime <min|hrs>|lifesize <KB|MB>>} If you want to include an ESP transform in this proposal, type this argument, plus the necessary values: algorithm, life size, life time.
-ah {<md5|sha> <lifetime <min|hrs>|lifesize <KB|MB>>} If you want to include an AH transform in this proposal, type this argument, plus the necessary values: algorithm, life size, life time.
+ Type this character before entering a new transform that will be added to an existing IPSec proposal.
Examples
WG(config-ipsec)#proposal "new_prop1" antireplay \
32 -esp {3des md5 10hrs} {des md5 5hr 10MB} -ah \
{sha 34min 100MB}<ENTER>
# This example shows the creation of a new proposal.
WG(config-ipsec)# prop my_proposal + -ah \
{ sha 8hr }
# This example shows the addition of a new AH transform to an existing proposal.
Effect
Records a new QoS action or modifies an existing action.
Arguments
<"name"> This argument, immediately following the command, notes the name assigned to this new QoS action.
-bandwidth_weight <"1-100"> This argument (and the required value) determines the level of QoS based on the WFQ algorithm.
Effect
Enables (or disables) port shaping for either interface 0 (private) or interface 1 (public) of a WatchGuard appliance, and enters the general QoS value for that interface. The value entered will be the sending throughput of that interface. To enable a system port-shaping action, the appliance will automatically restart in order to apply the policy.
Arguments
<interface 0 | interface 1> Use this argument to enter one of these interfaces.
<<num>Kbps|Mbps> Use this argument to enter one option, Kbps or Mbps, plus the appropriate number value.
<enable | disable> Use this argument to enter one of these options.
Example
WG(config-qos)#system interface 1 10Mbps enable<ENTER>
# This example shows a policy that restricts output throughput of the Public interface to 10 megabits per second.
Effect
Creates a new RAS group profile (or modifies an existing profile) that controls the connection parameters of all associated remote access user accounts.
Arguments
<name> This argument records a name for this group profile, which will be used when creating individual user profile accounts.
[no] [-address_pool <address_group>] This argument specifies the name of an address group containing a pool of internal IP addresses assigned to remote access connections.
[-dns <a.b.c.d>] This argument assigns a DNS IP address to the remote users belonging to this group.
[-session_time_out <number> <min|hr>] This argument limits the total time any one account user can continuously log into the network. The default time limit is 8 (hours).
[-idle_time_out <number> <min|hr>] This argument sets the time limit for an inactive
Example
WG(config-ras)#group consultants address sjnet10 \
-dns 134.12.33.2 -session 2 hr -idle 5 min con 1
Effect
Enters a new remote access user account (or modifies an existing account) in an internal database in the WatchGuard appliance.
Arguments
<"name"> This argument records the login ID used by this remote user account, and should be between 1 and 15 characters in length.
<enable | disable> This argument activates (or deactivates) this account. The default state is enable.
<-password password> This argument records the initial password first
Example
WG(config-ras)#user enable jdoe \
-password jdsecret -full "John Doe" \
-group admGroup -pw_expiry 60 -account 60 \
-concurrent 1<ENTER>
Results
To review and confirm your entries, type this command:
WG(config-ras)#show user jdoe<ENTER>
Password Expires at Sat May 19 15:40:40 2001
Password Epiry = 60 Days
Account Expires at Sat May 19 15:40:40 2001
Account Epiry = 60 Days
Concurrent Logins = 1
Effect
Establishes whether the authentication database is stored on the RADIUS server or in this WatchGuard Firebox Vclass security appliance, then notes the parameters of this database.
Arguments
-internal This argument specifies the use of an internal database within the WatchGuard appliance, for RAS user authentication.
-radius This argument specifies the use of a RADIUS server as the host for a RAS user authentication database.
times, to configure a primary and a backup server connection. If you want to delete the configuration entries for a backup RADIUS server, enter the no backup argument.
-ip <a.b.c.d> This argument establishes the IP address of the RADIUS server that will be used.
-secret <password_text> This argument records the secret password allowing this appliance to contact the database in the RADIUS server.
[-authentication <pap|secure_id>] This argument establishes which authentication is being used: PAP or SecurID.
[-port <number>] This optional argument records the RADIUS server port number, if needed.
[-user_group <"name">] This optional argument specifies the name of a user group profile used by RADIUS users. Be sure to use the user_group_profile command to control session time and idle timeout for RADIUS users.
Examples
WG(config-ras)#database -radius primary \
-ip 12.10.1.2 -sec confidential \
-auth secure_id -user_group exec_staff<ENTER>
WG(config-ras)#database internal<ENTER>
WG(config-ras)#database -radius backup \
-ip 12.10.1.3 \
-sec confidential<ENTER>
For more information, see:
dns command (configure system level) on page 108
cpm command (configure system level) on page 108
fwuser command (configure system level) on page 109
icmp_error_handling command (configure system level) on page 110
interface command (configure system level) on page 110
ldap command (configure system level) on page 110
log command (configure system level) on page 111
mss_adjustment on page 112
ntp command (configure system level) on page 113
route command (configure system level) on page 113
snmp command (configure system level) on page 114
sysinfo command (configure system level) on page 115
tcp_syn_checking on page 116
vlan_forwarding command (configure system level) on page 116
vpn command (configure system level) on page 117
No command on page 143
Show command on page 144
Command   For more information, see
history   history command on page 14
rename    Rename command on page 143
exit      exit command on page 14
top       top command on page 15
Effect
Records the domain names and IP addresses of all relevant domain name servers.
Arguments
no This argument (when entered before the ldap command prompt) deactivates this LDAP connection.
<"domain name"> This argument records the domain name of this security appliance.
<-server <a.b.c.d>> This argument records the IP address of the DNS server.
Effect
Enables this appliance to be managed by means of the WatchGuard Centralized Policy Manager (CPM). You can also use this command to disable CPM as needed. If enabling CPM access, be sure to enter the CPM-access password immediately following the enable argument.
Arguments
enable Enter this argument to activate WatchGuard CPM access to this WatchGuard appliance.
<password_text>
Effect
Allows you to change the value for a firewall user connection idle timeout. The system default is two hours, and the default unit is seconds.
Argument
-t <idle_timeout> [seconds|minutes]
Effect
Allows you to turn on ICMP error handling for all events, or just for the events you specify.
Effect
Enters the interface configuration mode, at which point you can enter interface-specific commands and their arguments.
Arguments
None in this mode.
See Also
For more information on interface configuration mode, see Level 2 interface configuration commands on page 82.
Effect
Activates (or deactivates) a network connection to an LDAP server that this security appliance uses to look up certificate revocation lists during IKE key negotiations.
Arguments
no This argument (when entered before the ldap command prompt) deactivates this LDAP connection.
<a.b.c.d|"name"> [port-number] This argument notes the pertinent IP address and LDAP server port number. You can enter either an IP address or a domain name, and, if the LDAP server port number is other than 389, you must enter it. To enter a host name, you must first record the DNS server connection, as noted elsewhere in this Guide.
Example
WG(config-sys)#ldap 207.124.35.3 189<ENTER>
Effect Enters the log configuration mode, at which point you can enter log file-specific commands and their arguments. Arguments None in this mode. For more information about log mode commands, see Level 3 log configuration commands on page 124.
mss_adjustment
WG#config<ENTER>
WG(config)#system <ENTER>
WG(config-system)#mss_adjustment
mss_adjustment [auto | limit_to <num> | disable]   ## limit_to range: 40-1460 bytes
Effect Sets the TCP Maximum Segment Size (MSS) for the system. This feature works in conjunction with the MTU settings to limit the size of packets, if configured. It addresses the following problems:
- Oversized packets can result in fragmentation, degrading VPN performance.
- Proxies may require MSS adjustment to prevent fragmentation.
- Some older systems do not support MTU to regulate packet size.
This feature works along with MTU; it does not replace MTU.
Arguments
auto Auto adjustment calculates the MSS automatically, as follows: it takes the lesser of the input port MTU and the output port MTU, subtracts the packet overhead (IP and TCP headers plus any VLAN, ESP, PPPoE, AH and UDP encapsulation), and rounds the result down to the next lower multiple of 8 (the guide calls this "8-bit aligned"). The result, in bytes, is used as the MSS for the connection.
limit_to This limits the MSS to the specified size in bytes. You can specify a value between 40 and 1460 bytes.
disable This specifies that no change be made to the TCP header. If you select this option, packets may fragment.
Example
WG#config<ENTER>
WG(config)#system <ENTER>
WG(config-system)#mss_adjustment limit_to 1400
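The auto calculation and the effect of limit_to, modelled as an added Python example (not WatchGuard code). The per-encapsulation overhead figures in ENCAP_OVERHEAD and the reading of "8-bit aligned" as rounding down to a multiple of 8 bytes are assumptions the guide does not state. The MSS-option rewrite shows what limit_to does to the TCP options of a SYN, which disable leaves untouched.

```python
"""Model of mss_adjustment: the 'auto' calculation and the SYN rewrite done by 'limit_to'.

Added example, not WatchGuard code. Overhead sizes and the "multiple of 8 bytes"
rounding are assumptions; the guide gives neither.
"""

# Always present on a TCP segment: IPv4 header (20) + TCP header (20), no options.
IP_TCP_OVERHEAD = 40

# Assumed overhead, in bytes, for each encapsulation the guide names (not from the guide).
ENCAP_OVERHEAD = {
    "vlan": 4,    # 802.1Q tag
    "pppoe": 8,   # PPPoE header (6) + PPP protocol field (2)
    "esp": 60,    # outer IPv4 (20) + ESP header, IV, padding, trailer and ICV (assumed worst case)
    "ah": 44,     # outer IPv4 (20) + AH header with 96-bit ICV (24)
    "udp": 8,     # UDP encapsulation of ESP (NAT traversal)
}

MSS_MIN, MSS_MAX = 40, 1460   # limit_to range stated in the guide


def auto_mss(in_mtu: int, out_mtu: int, encapsulations=()) -> int:
    """Return the MSS the 'auto' setting would apply to one connection."""
    mtu = min(in_mtu, out_mtu)                       # lesser of the two port MTUs
    overhead = IP_TCP_OVERHEAD + sum(ENCAP_OVERHEAD[e] for e in encapsulations)
    mss = mtu - overhead
    mss -= mss % 8                                   # round down to a multiple of 8 (assumed: bytes)
    if mss < MSS_MIN:
        raise ValueError("no room for a TCP payload: MSS %d" % mss)
    return mss


def limit_to(value: int) -> int:
    """Validate a 'limit_to' argument against the range the guide gives."""
    if not MSS_MIN <= value <= MSS_MAX:
        raise ValueError("limit_to must be between %d and %d bytes" % (MSS_MIN, MSS_MAX))
    return value


def clamp_mss_option(options: bytes, limit: int) -> bytes:
    """Rewrite the MSS option (kind 2) in a SYN's TCP options if it exceeds limit.

    Returns the possibly modified options. Recomputing the TCP checksum after
    the rewrite is the caller's job; 'disable' in the guide skips this entirely.
    """
    out = bytearray(options)
    i = 0
    while i < len(out):
        kind = out[i]
        if kind == 0:                                # end of option list
            break
        if kind == 1:                                # NOP, single byte
            i += 1
            continue
        if i + 1 >= len(out):
            raise ValueError("truncated TCP option")
        length = out[i + 1]
        if length < 2 or i + length > len(out):
            raise ValueError("bad TCP option length")
        if kind == 2 and length == 4:
            mss = int.from_bytes(out[i + 2:i + 4], "big")
            if mss > limit:
                out[i + 2:i + 4] = limit.to_bytes(2, "big")
        i += length
    return bytes(out)
```

With the assumed overheads, a plain 1500-byte path yields 1456 rather than 1460 because of the rounding step; that is exactly the kind of difference worth checking against show output before relying on auto.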
Effect Enters the system route configuration mode, at which point you can enter route-specific commands and their arguments. Arguments None in this mode.
See Also For more information about route mode commands, see Level 3 route configuration commands on page 122.
Effect Records network connection data for all relevant SNMP management workstations that will receive traps generated by this security appliance. Arguments no This argument, if entered before the snmp command prompt, removes/deactivates all recorded SNMP stations.
<a.b.c.d> This argument records the IP address of a specific SNMP workstation.
-community <"text_string"> This argument records the community string. The community string travels in clear text in SNMPv1 and SNMPv2c, so choose it as you would a password.
[-trap|-no-trap] This optional argument activates (or deactivates) sending SNMP traps to this station.
Example WG(config-sys)#snmp 128.13.44.2 \
    -community 66gHf4D -trap<ENTER>
Results To view the results, type this command: WG(config-sys)#show snmp<ENTER>
Effect Applies new system information to an existing security appliance, including appliance name, contact name and actual location of the appliance. Arguments -name <string> Use this argument to record the DNS name of this security appliance without the rest of the DNS entry.
-location <string> Use this argument to record the geographic location of this appliance. -contact <string> Use this argument to record the name of the administrator. -time <hh:mm:ss> Use this argument to set the system time. -date <mm:dd:yy> Use this argument to set the system date.
Example WG(config-sys)#sysinfo -name mucho \ -loc "Lot 49" \ -contact "O. Maas" -time 14:42:05 -date 10:15:02<ENTER>
The complete results will appear as suggested here:
System name=mucho
System contact=O. Maas
System location=Lot 49
Version=4.0
SerialNum=<D0YXA0A0D408>
tcp_syn_checking
WG#config<ENTER> WG(config)#system <ENTER> WG(config-system)#tcp_syn_checking <enable|disable>
Effect Allows you to enable (or disable) the system-wide VLAN forwarding capability. Argument enable Turns on VLAN forwarding.
disable Turns off VLAN forwarding (if it is active).
Effect This allows you to set options for VPN.
Arguments
[no] ignore_DF_for_IPSec This allows large packets to be fragmented and carried through the VPN tunnel: when set, the appliance ignores the don't fragment (DF) bit on such packets. Prefix with no to turn the option off.
[no] IPSec_pass_through This allows IPSec pass-through. Prefix with no to turn it off.
Effect Imports a new license that upgrades or adds functionality to the appliance. Arguments None
Effect Lists all currently active extra features (obtained through licensing). Arguments None
Effect Removes the named license from the appliance. Arguments <license_id> This argument records the exact ID for a license to delete. Example None
Effect Displays a summary of the named license or lists all available licenses. Arguments None This will list all available licenses.
<license_id> This argument notes an ID for the license and will list the details of that license.
or
WG#config<ENTER>
WG(config)#license<ENTER>
WG(config-license)#show 3293MXLD
License Name:V80_3DES_HA_Bundle
License ID:3293MXLD
Feature(s):HA 3DES UPGRADE
Expiration Date:17-05-2022
Effect Records a new VLAN tenant entry, along with the appliance interface that VLAN tenant traffic will be expected to use.
Arguments
<"name"> This argument records the name assigned to this VLAN tenant (for use in security policies).
<-id num> This argument records the VLAN ID, as "id" followed by the number (between 1 and 4096) assigned to this tenant. Note that 802.1Q itself reserves VIDs 0 and 4095, so the IDs usable on a tagged link are 1 through 4094.
<-interface [0 | 2 | 3]> This argument specifies which interface (0, 2, or 3) this VLAN tenant is associated with.
[-ip a.b.c.d/e] This argument records the IP address and subnet assigned to the 0 (private) or 2 (DMZ) interface, if one of those is specified.
[-gateway a.b.c.d] This argument notes the gateway IP address for this tenant, if needed.
-public <default|a.b.c.d/e> This allows you to specify a public VLAN IP address and gateway.
Effect Records a new user-domain tenant entry, along with the appliance interface that tenant traffic will be expected to use.
Arguments
user_domain This argument identifies which type of tenant this entry represents.
<"name"> This argument records the name assigned to this tenant (for use in security policies).
<-id num> This is "id" followed by the number (above 5000) assigned to this tenant.
-public <default|a.b.c.d/e> This allows you to specify a public user domain IP address and gateway.
<-idle_timeout m> This argument sets the idle timeout for this entry in minutes.
<-radius_ip a.b.c.d> This argument records the IP address of the RADIUS server.
[-radius_port port] This optional argument notes the port number of the RADIUS server, if a port other than the default is used.
<-radius_secret 'secret'> This argument records the RADIUS shared secret.
[-backup_radius_ip a.b.c.d] [-backup_radius_port NUMBER] This pair of arguments allows you to note a backup RADIUS server and its port number, if present.
Example WG(config-tenant)#user_domain "MegaCo" \
    -interface 1 192.168.12.34 -id 6666 -idle_timeout 720 \
    -radius_ip 12.12.3.144 \
    -radius_secret "no_admit"<ENTER>
Effect Configures a new static route utilized by traffic passing through this WatchGuard appliance. Arguments <destination> Use this argument to record the IP address of the destination subnet.
</prefix|mask> Use this argument to record the number of bits in the subnet mask, or the destination subnet mask. <gateway> Use this argument to record the IP address of the next gateway to the destination subnet. interface <0|1|2> This argument specifies which interface in this security appliance is used for outgoing traffic using this route. delete Type this argument before typing the arguments for a route, to deactivate that particular route.
Effect Configures dynamic routing in this WatchGuard Firebox Vclass security appliance.
Effect Use this command to activate (or deactivate) a traffic log file. Arguments no This argument, when entered before the type of log file, will deactivate that log. Examples WG(config-log)#no traffic<ENTER>
Arguments <critical|error|warning|admin|info> Type one of the above-noted log level selections after the command prompt, to indicate what to include in this events log. If you type critical, the log will record only critical events, whereas if you type info, the log will record all of the other selections too.
no This argument, when entered before event, will deactivate the event log.
Effect Use this command to set up a remote log server connection. Arguments <ip_address> This argument records the IP address of the remote log server. Example WG(config-log)#remote_log_server 128.19.3.77<ENTER>
NOTE
When exiting config mode you may be prompted Commit before exit? (Y/N). This prompt is displayed if you have made changes but have not committed them to the WatchGuard appliance database. Type Y to commit your changes and return to the WG# prompt, or type N to void the changes and leave the database in its previous state.
CHAPTER 4
All WatchGuard CLI commands are organized into groups, which are presented as specific command modes. This chapter covers the commands available in Debug Mode.
Debugging/troubleshooting commands
The CLI Debug commands, detailed here, enable the use of standard Linux commands such as ping, tcpdump, netstat, traceroute, and arp. Most of them are similar to those provided on UNIX, Solaris and Linux systems. You can use these commands to troubleshoot network environments. Debugging configuration information is not saved when the database is backed up or exported to an XML profile; debugging commands are available only for runtime debugging purposes.
arp command
WG#debug<ENTER> WG(debug)#arp
Effect Displays or manipulates the ARP cache. Arguments None Example WG(debug)#arp<ENTER>
clear_logs
WG#debug<ENTER> WG(debug)#clear_logs
config_http command
WG#debug<ENTER>
WG(debug)#config_http [enable | disable | logon_html [standard | alternate]]
enable Enable HTTPd
disable Disable HTTPd
logon_html standard Use the default logon HTML page.
logon_html alternate Use the alternate logon HTML page.
conn_idle_timeout command
WG#debug<ENTER>
WG#debug conn_idle_timeout [show | set <idle timeout> | set_default | -h | -?], where
show Displays the current settings
set <idle timeout> Sets the connection idle timeout (in seconds, 1-86400)
set_default Restores the factory default
Effect This allows you to set the connection idle timeout between the Vclass appliance and the Management Station. The maximum time is 86,400 seconds (one day). The default is 180 seconds (3 minutes).
Example WG#debug conn_idle_timeout set 600
WG#debug conn_idle_timeout set_default
ha_instant_sync command
WG#debug<ENTER>
WG#debug ha_instant_sync [show | enable | disable | set_default | -h | -?], where
show Displays the current settings
enable Enable instant state sync
disable Disable instant state sync
set_default Restore the setting to the factory default value
Effect Enables or disables instant HA state synchronization. This is enabled by default.
Example WG#debug ha_instant_sync enable
hwdiag command
WG#debug<ENTER> WG(debug)#hwdiag < 1 | 2 >
Effect Provides diagnostic information for your hardware. Two diagnostic levels are available. Type the command hwdiag 1<ENTER> to perform level 1 hardware diagnostic tests, or hwdiag 2<ENTER> to perform level 2 tests. Level 2 hardware diagnostics require that the system be rebooted after the tests complete.
ifconfig command
WG#debug<ENTER> WG#debug ifconfig
Effect ifconfig is the standard Linux command for interface configuration. It displays debugging information for the interfaces on the appliance and can also be used to configure the interfaces, as an alternative to interface configuration in the configuration menu. Like all debug-mode settings, changes made this way are runtime only and are not saved to the appliance database.
Options Type -h to get help for this command. ifconfig is a standard Linux command and should be used by a knowledgeable administrator. For the interface names, use eth0 through eth5, depending on how many interfaces your device has. Type ifconfig with no options or arguments to show detailed interface information.
NOTE
When using the ifconfig command in transparent mode, you must use eth1, as in the following example: ifconfig eth1 ipaddress netmask mask. You cannot use ifconfig with any other interface (e.g. eth0, eth2, eth3) in transparent mode.
importscreen command
WG#debug<ENTER>
WG(debug)#importscreen
Import a tar file via ftp to customize Firewall User Login Screen.
Syntax: importscreen <ftp_server> <ftp_username> <ftp_password> <path_filename>
Example: importscreen 10.10.10.10 ftp any public/screen.tar
Effect This command allows you to import a tar-archived set of files to replace the https firewall user authentication login screen.
Prerequisites The default configuration includes the following files:
- logon.html
- cert_logon.html
- user_auth_fail.html
- index.html
- user_auth_success.html
- images/rs_sublogo.gif
You can save these files from the login and result pages to your local system using your browser's Save function. Once the files are saved, you can edit them, adding images, replacing text, and changing the page layout. However, you should not change any of the form input submission information, or your pages will not work. You must create a tar file (*.tar) that includes all of the files you want to replace for the logon and result screens. When you have completed editing, tar the files (creating a *.tar file) and place this file in an accessible FTP upload directory. Then use the CLI to FTP the file to the Vclass appliance. FTP sends the user name and password in clear text, so use an FTP account that has no other privileges.
NOTE
These operations require a moderate level of HTML knowledge and editing skills.
kernel_debug command
WG#debug<ENTER> WG(debug)#kernel_debug < on | off >
Effect This command turns kernel debugging on or off. Arguments None. Example WG(debug)#kernel_debug on
netstat command
WG#debug<ENTER> WG(debug)#netstat
Effect This command displays the network status as seen from the security appliances point of view. To review the arguments for this command, type -?. The following are some of the available arguments. Arguments -a Displays active network connections and their status -i Shows summaries sorted by appliance interface -s Shows statistics -r Shows routing table information Example WG(debug)#netstat -i<ENTER>
ping command
WG#debug<ENTER> WG(debug)#ping <a.b.c.d>
Effect Use the ping command to send an ICMP ECHO_REQUEST to a designated device. Arguments <a.b.c.d> This argument records the IP address of the device/appliance to be pinged. Example WG(debug)#ping 122.13.2.9<ENTER> The WatchGuard CLI will send ping packets to the designated IP address. Enter ^c (Control-C) to stop the ping. The CLI will then display the results and return to the WG(debug)# prompt.
pppoe_config command
WG#debug<ENTER>
WG(debug)#pppoe_config [show | set <-i|-f|-r|-t> num | set_default]
show Show current settings.
set <-i|-f|-r|-t> num Set PPPoE parameters. -i is for echo interval (1-1200 sec). -f is for echo failure (1-60). -r is for re-auth period (0-7200 min). -t is for re-auth interval (0-120 min). num is an integer.
set_default Restore factory default value.
Effect This command allows you to set PPPoE echo (keepalive) and re-authorization times and limits.
Arguments
-i allows you to set the echo (keepalive) interval, from 1 to 1200 seconds.
-f allows you to set the threshold for echo (keepalive) failure, from 1 to 60.
-r allows you to set the re-authorization period, from 0 to 7200 minutes.
-t allows you to set the re-authorization interval, from 0 to 120 minutes.
set_default allows you to restore the default values for PPPoE echo and re-authorization.
Example WG(debug)#pppoe_config set -i 300 -f 5 \
    -r 1800 -t 60
radius_ping command
WG#debug<ENTER> WG(debug)#radius_ping \ [-pap <"password">|-sid <"passcode">] \ [-p <port>] [-r <retries>] \ [-s <secret>] [-t <timeout>] \ [-u <username>] <source> <a.b.c.d>
Effect Use this command to test the connections between this WatchGuard appliance and a RADIUS server.
Pay special attention to the arguments for this command.
Arguments
[-pap <password>] This optional argument specifies PAP as the authentication used by this RADIUS server, along with the PAP password.
[-sid <passcode>] This optional argument specifies SecurID as the authentication used by this RADIUS server, along with the SecurID passcode.
[-p <value>] This argument allows you to record a specific port number for the RADIUS server. The default port number is 1812; you can omit this argument if the port number was not changed.
[-r <value>] This argument specifies the maximum number of tries (between 1 and 10) made by this command. The default is 3.
[-s <value>] This argument records the shared secret required by the RADIUS server. The default is test123, which is only a placeholder for testing: supply the real shared secret, and make sure no production server is left configured with this default.
[-t <value>] This argument establishes the timeout value for each test message. The default value is 2.
[-u <value>] This argument records a RADIUS user name for
<source> <a.b.c.d> These positional arguments are the source address and the RADIUS server address, in that order, as shown in the example.
Example WG(debug)# radius_ping -u jsmith -pap johnsm \
    10.10.13.101 10.10.0.5<ENTER>
[no response from RADIUS server]
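What radius_ping puts on the wire for the PAP case, as an added Python example (not WatchGuard code, which is not published). It follows RFC 2865: the User-Password attribute is hidden only by XOR with MD5(secret || Request Authenticator), and the server's Access-Accept or Access-Reject is authenticated only by an MD5 over the reply and the same secret. That is why a guessable secret such as the test123 default matters: whoever knows it can recover the PAP password from a capture and forge replies. The user name, password, NAS address and the fixed authenticator used when testing are constructed values.

```python
"""RADIUS Access-Request with a PAP password, and verification of the reply.

Added example, not WatchGuard code. Follows RFC 2865 sections 3 and 5.2.
Sample user name, password, addresses and authenticator are constructed.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4
HEADER_LEN = 20  # code(1) + identifier(1) + length(2) + authenticator(16)


def _attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; the length counts the two header bytes."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value


def encrypt_pap_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with a chained MD5 digest."""
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1-128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key_block = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key_block))
        out += prev
    return out


def decrypt_pap_password(ciphertext: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of encrypt_pap_password: anyone holding the secret can do this."""
    out, prev = b"", authenticator
    for i in range(0, len(ciphertext), 16):
        key_block = hashlib.md5(secret + prev).digest()
        block = ciphertext[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, key_block))
        prev = block
    return out.rstrip(b"\x00")


def build_access_request(username: bytes, password: bytes, secret: bytes, nas_ip: str,
                         ident: int = 0, authenticator: bytes = None) -> bytes:
    """Assemble the datagram the appliance (the NAS) sends to UDP port 1812."""
    authenticator = authenticator or os.urandom(16)   # must be unpredictable per request
    attrs = (_attribute(ATTR_USER_NAME, username)
             + _attribute(ATTR_USER_PASSWORD, encrypt_pap_password(password, secret, authenticator))
             + _attribute(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, HEADER_LEN + len(attrs))
    return header + authenticator + attrs


def response_authenticator(code: int, ident: int, attrs: bytes,
                           request_authenticator: bytes, secret: bytes) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    header = struct.pack("!BBH", code, ident, HEADER_LEN + len(attrs))
    return hashlib.md5(header + request_authenticator + attrs + secret).digest()


def verify_response(response: bytes, request_authenticator: bytes, secret: bytes) -> bool:
    """True only if the reply was produced by a party holding the shared secret."""
    if len(response) < HEADER_LEN:
        return False
    code, ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or code not in (ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE):
        return False
    expected = response_authenticator(code, ident, response[HEADER_LEN:],
                                      request_authenticator, secret)
    return hmac.compare_digest(expected, response[4:HEADER_LEN])
```

Note that nothing in the request itself proves the NAS knows the secret beyond the obfuscated password; a server that accepts requests from any source address will happily answer a forged probe, so restrict RADIUS clients by address on the server and keep the secret out of debug transcripts.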
rcinfo command
WG#debug<ENTER> WG(debug)#rcinfo
Effect Shows debug information about the RapidCore chip in your appliance. This is used for troubleshooting purposes, with WatchGuard technical support. Example
WG#debug<ENTER> WG(debug)#rcinfo
reboot command
WG#debug<ENTER> WG(debug)#reboot
rs_kdiag command
WG#debug<ENTER>
WG(debug)#rs_kdiag
set_dos_if command
WG#debug<ENTER>
WG(debug)#set_dos_if [show | set <xyzv> | set_default | -h | -?], where
show Show the current settings.
set xyzv Set DoS protection on interfaces. x, y, z and v must each be 0 or 1. x is for interface 0, y for interface 1, z for interface 2, and v for interface 3.
set_default Restore the setting to the factory default value.
Effect This sets denial of service (DoS) protection on individual interfaces. The default setting is 0000000f.
Example WG#debug<ENTER>
WG(debug)#set_dos_if set 0011
slink command
WG#debug<ENTER>
WG(debug)# slink [[-s] <Port> <Mode>] [show]
-s : save configuration only
Port: eth0, eth1, eth2, eth3
Mode:
  auto = Auto negotiate
  1000A = 1000BaseFX, AutoNegotiation enabled
  1000H = 1000BaseFX, AutoNegotiation disabled
  100F = 100BaseT, Full-duplex mode
  100H = 100BaseT, Half-duplex mode
  10F = 10BaseT, Full-duplex mode
  10H = 10BaseT, Half-duplex mode
show: current setting
Effect This command sets the physical speed of a specific accelerated data interface.
Arguments
eth0, eth1, eth2, eth3 Indicates the interface to be changed.
mode One of the Mode values listed above.
show Displays the current setting.
Example WG#debug<ENTER>
WG(debug)# slink eth1 10H
This sets interface 1 (public) to 10BaseT, Half-duplex mode.
tcpdump command
WG#debug<ENTER>
WG(debug)#tcpdump
Effect Captures traffic on the network. tcpdump captures all packets seen by the network interfaces of the appliance on which it is executed, and can be used to track specific packets. The capture includes full payloads, so anything sent in clear text (FTP credentials, SNMP community strings) appears in its output.
Arguments None
Example WG(debug)#tcpdump<ENTER>
traceroute command
WG#debug<ENTER>
WG(debug)#traceroute <target_IP>
Effect Displays the complete route to the target device. This command uses the IP time-to-live (TTL) field and solicits an ICMP TIME_EXCEEDED response from each gateway along the path to the target device. You can use this command to troubleshoot network routing and connectivity.
Arguments Type the IP address of the target device, as shown in the example below.
Example WG(debug)#traceroute 207.188.12.3<ENTER>
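The TTL mechanism the Effect paragraph describes, as an added Python example (not WatchGuard code and not the appliance's traceroute). It builds the UDP probes and the ICMP replies itself, so it runs with no sockets and no privileges, and shows how each TTL value draws a TIME_EXCEEDED reply from exactly one gateway until the target answers with port unreachable. The source and gateway addresses come from the RFC 5737 documentation ranges; the target is the address used in the guide's example. All packets are constructed.

```python
"""Offline model of how traceroute turns TTL-limited probes into a hop list.

Added example, not WatchGuard code. Every packet here is constructed; no
network access is needed.
"""
import socket
import struct

IPPROTO_ICMP, IPPROTO_UDP = 1, 17
ICMP_DEST_UNREACH, ICMP_TIME_EXCEEDED = 3, 11
PORT_UNREACHABLE = 3
BASE_PORT = 33434  # conventional first UDP destination port used by traceroute


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones-complement checksum used by IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def udp_probe(src: str, dst: str, ttl: int, dport: int) -> bytes:
    """One traceroute probe: a UDP datagram to an unused high port, TTL = hop number."""
    udp = struct.pack("!HHHH", BASE_PORT, dport, 8, 0)
    return ipv4_header(src, dst, IPPROTO_UDP, len(udp), ttl) + udp


def icmp_error_reply(sender: str, probe: bytes, icmp_type: int, code: int) -> bytes:
    """The ICMP error a gateway (TIME_EXCEEDED) or the target (port unreachable)
    returns. Both quote the probe's IP header plus its first 8 bytes."""
    body = struct.pack("!BBHI", icmp_type, code, 0, 0) + probe[:28]
    body = body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]
    return ipv4_header(sender, socket.inet_ntoa(probe[12:16]), IPPROTO_ICMP, len(body), 64) + body


def classify_reply(reply: bytes):
    """Return (hop_address, reached_target, probe_dport) for an ICMP reply."""
    ihl = (reply[0] & 0x0F) * 4
    if reply[9] != IPPROTO_ICMP:
        raise ValueError("not an ICMP packet")
    icmp = reply[ihl:]
    if inet_checksum(icmp) != 0:
        raise ValueError("ICMP checksum mismatch")
    quoted = icmp[8:]                                  # the probe's IP header + 8 bytes
    quoted_ihl = (quoted[0] & 0x0F) * 4
    probe_dport = struct.unpack("!H", quoted[quoted_ihl + 2:quoted_ihl + 4])[0]
    hop = socket.inet_ntoa(reply[12:16])               # outer source = who answered
    if icmp[0] == ICMP_TIME_EXCEEDED:
        return hop, False, probe_dport
    if icmp[0] == ICMP_DEST_UNREACH and icmp[1] == PORT_UNREACHABLE:
        return hop, True, probe_dport
    raise ValueError("unexpected ICMP type %d code %d" % (icmp[0], icmp[1]))


def traceroute_from_path(src: str, target: str, path: list, max_ttl: int = 30) -> list:
    """Walk TTL = 1, 2, ... against a constructed path (gateways in order, target
    last) and collect one address per hop, which is what the CLI command prints."""
    hops = []
    for ttl in range(1, min(max_ttl, len(path)) + 1):
        dport = BASE_PORT + ttl - 1                    # distinct port per probe
        probe = udp_probe(src, target, ttl, dport)
        sender = path[ttl - 1]
        if sender == target:
            reply = icmp_error_reply(sender, probe, ICMP_DEST_UNREACH, PORT_UNREACHABLE)
        else:
            reply = icmp_error_reply(sender, probe, ICMP_TIME_EXCEEDED, 0)
        hop, done, seen_port = classify_reply(reply)
        if seen_port != dport:                         # match the reply to its probe
            raise ValueError("reply does not match probe")
        hops.append(hop)
        if done:
            break
    return hops
```

The quoted probe inside the ICMP error is what lets a real traceroute pair a reply with the probe that caused it; a gateway that filters outbound ICMP errors simply shows up as a silent hop, which is the usual reason a route through the appliance looks incomplete.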
verbose_trace command
WG#debug<ENTER>
WG(debug)# verbose_trace [on | off]
Effect This command enables or disables verbose tracing in the traffic log. When enabled, every firewall-dropped packet is shown in the traffic log, as are all DNS packets.
NOTE
If this feature is enabled, there will be an impact on overall system performance due to heavy logging activity.
vinstall command
WG#debug<ENTER>
WG(debug)# vinstall <ftp_server> <ftp_username> <ftp_password> <"path_filename">
## This feature allows downgrade from 5.0 to 3.2 or 4.0
## e.g. vinstall 10.10.10.10 my_username my_password "path/encrypted_fbv.tgz"
## For V10, use non-encrypted file. For others, use encrypted file.
Effect This allows you to downgrade to an earlier software version, from 5.0 to 4.0 or from 5.0 to 3.2. As with importscreen, the FTP user name and password are sent in clear text.
CHAPTER 5
Other Commands
This chapter describes commands that do not belong to one of the three main command modes (Administration, Configuration, and Debug).
No command
The no command is used before another command or argument to turn off or disable the specified feature.
Rename command
The rename command is used to rename objects.
Show command
As a way of viewing lists and details of a WatchGuard appliance's configuration, the Show command (and its arguments) provides an adaptable means of cataloging such things as address groups, IPSec actions or RAS user profiles. Once you determine what's listed, you can then adapt the Show command to view the contents of a specifically named item, including the settings or configuration entries that comprise that item.
Effect If you type show at the top-level CLI prompt, the WatchGuard CLI will display a complete list of show arguments (listed above in Contents), that enable you to list almost every kind of object in the WatchGuard database, from address groups to VLAN objects. Arguments None. The current range of Show commands includes the following:
Command             For more information
address             See Show address command on page 145.
alarm               See Show alarm command on page 146.
all_routes          See Show all_routes command on page 147.
certificate         See Show certificate command on page 147.
cpm                 See Show CPM command on page 148.
denial_of_service   See Show denial_of_service command on page 148.
diagnostics         See Show diagnostics command on page 148.
dns                 See Show DNS command on page 148.
ike                 See Show IKE command on page 149.
interface           See Show interface command on page 150.
ipsec               See Show IPSec command on page 150.
ldap                See Show LDAP command on page 151.
license             See Show license command on page 151.
log                 See Show log command on page 152.
mode                See Show mode command on page 152.
nat                 See Show NAT command on page 153.
ntp                 See Show NTP command on page 153.
policy              See Show policy command on page 154.
qos                 See Show QoS command on page 154.
ras                 See Show RAS command on page 155.
route               See Show route command on page 156.
sa                  See Show SA command on page 156.
service             See Show service command on page 157.
statistics          See Show statistics command on page 158.
sysinfo             See Show sysinfo command on page 158.
sysupgrade          See Show sysupgrade command on page 159.
trace               See Show trace command on page 159.
tunnel_switch       See Show tunnel_switch command on page 159.
version             See Show version command on page 160.
Effect Displays the current catalog of address groups stored in this WatchGuard Firebox Vclass security appliance
Arguments None.
Effect Displays the current contents of a specifically named address group. Arguments <"group_name"> This argument notes the address group name. Example WG#show address exec_staff<ENTER>
Effect Displays a summary of current outstanding alarms.
Arguments
definition This displays a list of alarm definitions, and whether each is enabled.
log more This displays the log of all alarms that have been triggered in the past (since the log was last cleared), 20 lines at a time.
log follow This displays the last 5 lines of the alarm log, and updates as more alarms are generated.
Effect Displays a summary of the routes (static and dynamic) recorded in this WatchGuard appliance. Arguments None. Example WG#show all_routes<ENTER>
Effect Displays the complete collection of certificates, including pending requests, root certificates and system certificates. Examples WG#show certificate<ENTER>
Effect Displays the settings of a certificate according to the specific identifying characteristic. Arguments <ca|sys|pending> This argument specifies the type of certificate you want to review: root, system or pending.
<"cert_id"> This argument notes an actual ID number from a certificate, whether root, system or pending.
Examples
Effect Shows whether CPM is enabled or disabled, and general CPM information. Examples WG#show cpm<ENTER> Arguments None.
Effect Displays the DOS and DDOS configurations currently active in this appliance. Arguments None.
Effect Shows some diagnostic information for the appliance. Examples WG#show diagnostics<ENTER> Arguments None.
Effect Displays the current catalog of IKE policies or actions, depending upon your choice of argument. Arguments <action|policy> This argument allows you to specify whether the actions or policies are listed. Examples WG#show ike action<ENTER>
Effect Displays the parameters of a specifically named IKE policy or action. Arguments action <"name" > This argument will display the contents of the named action.
policy <"name" > This argument will display the contents of the named policy.
Effect Displays a detailed summary of all data interfaces in this WatchGuard appliance. Arguments None Example WG#show interface<ENTER>
Effect Displays the current catalog of IPSec proposals or actions, depending upon the argument. Arguments <action|proposal> This argument specifies the type of IPSec component, action or proposal, that you want to review. Examples WG#show ipsec proposal<ENTER>
Effect Displays the contents of a specifically named IPSec proposal or action. Type the action or proposal name after the "ipsec" command to view the specific settings. Arguments <action|proposal> This argument specifies the type of IPSec
Effect Displays any current LDAP server connection settings. Arguments None
Effect Displays the current license file information. You can copy the license ID shown with this command, and paste it after the show license command to see more details about a particular license. Arguments None
Example (show license without a license number)
WG#show license
Ord  License Name          License ID        Expiration Date
1    DATE_11-6-2002_10:5   64DFC18A261A4771  04-02-2003
Effect Displays the last 25 entries in a designated log file. If you enter config as the argument, the CLI will display the configuration settings for all logs. Arguments <config> This argument will display the current configurations for server, traffic and event logs.
<alarm|event|traffic|ras_user|p1_sa|p2_ sa> Enter one of these six log types in this argument. If you do not type a log type, the CLI will simply list the types of log files you can view. [more] This argument displays the complete contents of a specified log, one page at a time.
Effect Displays whether the system is running in Router or Transparent Mode. Arguments None Example WG#show mode<ENTER>
Effect Lists any current NAT actions stored in this appliance database. Arguments None
Effect Displays the configuration of a specifically named NAT action. Arguments <"name"> This argument represents the exact name of the NAT action you want to review. Example WG#show nat static_NAT1<ENTER>
Effect Displays the parameters/settings for a specifically named security policy. Arguments <"name_text"> This argument notes the exact name of the security policy you want to review. Example WG#show policy SJO-NYC_VPN<ENTER>
Effect Lists all active security policies stored in this WatchGuard appliance. Arguments None Example WG#show policy<ENTER>
Effect Displays (1) the current system QoS configuration, or (2) a list of currently available QoS actions depending upon your argument entry.
Arguments <system|action> This argument represents your preference: review the current system QoS setting or the list of available QoS actions. Example WG#show qos system<ENTER>
Effect Displays the configuration of a specified QoS action. Arguments <"name"> This argument indicates, by exact name, the QoS action you want to review. Example WG#show qos action slow_to_55<ENTER>
Effect Displays a complete listing of the specified RAS component: group profiles, user profiles or database configuration. Arguments <group_profile|user_profile|database> This argument represents your preference: review a list of group profiles, a list of user profiles or the database settings. Example WG#show ras database<ENTER>
Effect Displays the contents of the specifically named RAS component: a user profile or group profile. Arguments <group_profile|user_profile> This argument notes either group profile or user profile.
<"name"> This argument records the name of the designated object that you want to review.
Effect Displays a list of active routes. Arguments None Example WG#show route<ENTER>
Show SA command
WG#show sa <p1|p2> [id]<ENTER>
Effect Lists current phase one or phase two SA information, in some detail. If you add the ID of a specific phase-one SA or phase-two tunnel, the CLI will display details of the requested item.
Arguments <p1|p2> This argument specifies your choice of a list of phase-one SAs or a list of phase-two tunnels. Either list provides a complete catalog of the requested item, in a table that includes considerable details about each item.
[id] This argument (when used with p1) will display a summary of the identified SA. When used with p2, this argument will display a summary of the requested tunnel activities.
Effect Displays a complete list of all service groups. Arguments None Example WG#show service<ENTER>
Effect Displays the settings for a named service group, including port numbers and any associated protocols.
Arguments <"name"> This argument represents the exact name of the service group you want to review in detail. Example WG#show service e-mail<ENTER>
Effect Displays the SNMP settings for the appliance. Arguments None. Example WG#show snmp <ENTER>
Effect Displays statistics for RAS, or for phase 1 or phase 2 SAs. Arguments The example below shows the form used for RAS user statistics. Example WG#show statistics ras ras_user<ENTER>
Effect Displays the basic "general" system configurations, including appliance name, location, and contact person's name. Arguments None Example WG#show sysinfo<ENTER>
Effect Displays a chronological record of recent system software upgrades (including version number and date) installed in this WatchGuard appliance. Arguments None Example WG#show sysupgrade<ENTER>
Effect Displays the status of the tunnel switching hardware features in this appliance: OFF or ON. Arguments None Example WG#show tunnel_switch<ENTER>
Effect Displays the version number of WatchGuard operating software. Arguments None Example WG#show version<ENTER>
Index

Symbols
\ character, use of 9

A
abbreviations 8
abort system configuration changes 43
accelerated data interface, set physical speed of 139
adding settings and policies 10
address group modification 43
address group, display specific 146
address groups, display all 145
administration mode commands 15, 27
appliance maintenance commands 22
apply changes 22
apply changes to interface configuration 95
apply recent configuration changes 45
argument entry syntax 9
argument options by command, list of 17
ARP cache, display 129
ARP cache, manipulate 129
available commands 17
available tasks 2

C
case sensitivity of object strings 9
certificate configuration mode, entry into 45
certificate settings, display specific 147
certificate, import VPN 69
certificate, request VPN 67
certificate, show properties 70
certificates, display all 147
change system mode 94
CLI by command
  administration mode: downgrade 29; enable 108; export 30; flush 31; ha_sync 31; passwd 36; reboot 37; restore_default 38; shutdown 38
  all mode commands: exit 14; history 14; top 15
  configuration, level 1: abort 43; address 43; certificate 45; commit 45; delete 45; denial_of_service 46; high_availability 47; high_availability (disable) 48; history 66; ike 48; interface 49; ipsec 49; license 49; nat 54; nat (dynamic action) 56; policy 57; qos 60; ras 61; rename 61; schedule 62; service 63; system 64; tenant 65; tunnel_switch 65
  configuration, level 2: action (ike) 78; action (IPSec) 95; action (QoS) 100; active_feature (license) 117; database (RAS) 105; delete (license) 118; dns (system) 108; enable (high_availability) 74; exit (high_availability) 76; exit (interface) 95; fwuser (system idle_timeout) 109; group_profile (RAS) 102; ha2 (interface) 93; import 69; import (license) 117; interface 82; interface (system) 110; interface 0 (interface) 83; interface 1 (interface) 86; interface 2 (interface) 90; ldap (system) 110; log (system) 111; mode 94; policy (ike) 80; private (interface) 85; proposal (IPSec) 99; request 67; route (system) 113; show 70; show (high_availability) 72; show (interface) 82; show (license) 118; snmp (system) 114; ssl 71; sysinfo (system) 115; system (QoS enable/disable) 101; user_domain (tenant) 120; user_profile (RAS) 103; vlan (tenant) 119; vlan_forwarding (system) 116
  configuration, level 3: dynamic (system\route) 123; event (system\log) 124; remote_log_server (system\log) 125; static (system\route) 122; traffic (system\log) 124
  display arguments: show 145; show address 145; show address <group_name> 146; show all_routes 147; show cert 147; show cert (by ID) 147; show denial_of_service 148; show dns 148; show ike 149; show ike (by name) 149; show interface 150; show ipsec 150; show ldap 151; show log 152; show mode 152; show nat 153; show nat (by name) 153; show policy 154; show policy (by name) 154; show qos 154; show qos (by name) 155; show ras 155; show ras (by name) 156; show route 156; show sa 156; show service 157; show service (by name) 157; show sysinfo 158; show sysupgrade 159; show tunnel_switch 159; show version 160
  troubleshooting: arp 129; clear_logs 129; netstat 134; ping 134; radius_ping 135; rs_kdiag 138; slink 139; tcpdump 140; traceroute 140; verbose_trace 141
CLI capabilities 2
CLI commands, administration mode: disable 108
CLI editing: appending to recent command 11; argument syntax 9; use of \ character 9; case sensitivity 9; case sensitivity in object strings 9; command abbreviation 8; command prompt 8; delete 10; exchanging command arguments in recent command 12; grouping parameters 10; help command 17; keywords 15; line continuation 9
CLI navigation 13
command history 11
command prompt, navigation with 8
Common Criteria operation mode 35
configuration, initial 20
conn_idle_timeout 130
connection to a workstation, direct 5
connection to workstation, through network 5
conventions 3-5, 25-27
currently available commands 17

D
data interfaces, display address settings 82
data interfaces, show detailed summary of 150
DDOS See denial of service
DDOS configurations, show 148
debug information not exported to xml 127
debugging commands 127-141
delete license 118
delete specific configuration changes 45
deleting items in database 22
deleting text 10
denial of service parameter configuration 46
DHCP server configuration options 85
disable 108
disable keyword 15
disable port shaping 101
disable tunnel switching 65
display commands 144
display interface addresses See data interfaces
DMZ See interface 2
DNS configurations, show 148
domain name, system level entry 108
DOS See denial of service
DOS configurations, show 148
downgrade 29
dump network traffic 140
dynamic route, configure 123

E
enable 108
enable keyword 15
enable port shaping 101
enable tunnel switching 65
erase system configuration changes 43
event log configuration 124
exchanging command arguments in recent command 12
!!<command argument> for appending to most recent command 11
!! recall command 11
!number to recall recent command by number 11
existing appliance, log in 7
export 30
export cr/xml/log/ip 30
extra features active, licensed 117

F
factory default appliance, logging in 6
factory default restoration 38
FIPS operation mode 35

H
HA 2 interface configuration 93
HA configuration 47
HA configuration, display 72
HA enable 74
HA, apply configuration changes 76
HA, disabling 48
ha_instant_sync 130
ha_sync 31
help 17
help online 17
high availability See HA
high availability configuration, level 2 72-76
history 14, 66
history buffer 11
history buffer, size of 11
history command 11
hotsync process, initiate 31
interface configuration entry 110 interface configuration, enter 82 interface configuration, level 2 commands 8295 interfaces, show detailed summary of 150 internal diagnostics, display 138 IP addresses, system level entry 108 IPSec action, recording 95 IPSec configuration 49 IPSec configuration, level 2 commands 95100 IPSec proposal or action, show details of specific 150 IPSec proposal, create or modify 99 IPSec proposals or actions, show catalog of 150
K
keywords
disable 15 enable 15 no 15
I
ICMP ECHO_REQUEST, send 134 idle_timeout, changing firewall user 109 IKE action, record 78 IKE configuration 48 IKE configuration, level 2 commands 7882 IKE policies, display all 149 IKE policy or action, show parameters of 149 IKE policy, record 80 import XML profile 33 import license 117 import VPN certificate 69 importscreen 132 initial configuration commands 20 interface 0 configuration 83 interface 1 configuration 86 interface 2 configuration 90 interface address settings, display 82
L
LDAP server connection settings, show 151 LDAP server, activate connection 110 LDAP server, deactivate connection 110 Level 1 configuration mode 41 Level 2 configuration mode 66122 Level 3 configuration mode 122126 license commands, level 2 commands 117119 license configuration 49 license, delete 118 license, import new 117 license, summarize a 118 licensed features, active 117 licenses available, list 118 limitations 3 line continuation 9 line continuation character 9 log configuration 111
log configuration, level 3 commands 124126 log entries, clear 129 log file, show last 25 entries of specific 152 log into existing appliance 7 log into factory default appliance 6 log out 18
Q
QoS action, record new 100 QoS actions, show current available 154 QoS configuration entry 60 QoS configuration, level 2 commands 100101 QoS configuration, show all current system 154 QoS configuration, show specific 155 Quality of Service See QoS ? command 17
M
maintenance commands 22 MSS 59, 112 mss_adjustment 112 mss_adjustment_per_policy 59
N
NAT action, record 54 NAT action, show configuration of specific 153 NAT actions, list current 153 NAT, dynamic IP 56 network address translation See NAT network status, view 134 no keyword 15
R
RADIUS server, test connections to security appliance 135 RAS account, create or modify 103 RAS authentification database, where stored 105 RAS configuration mode 61 RAS configuration, level 2 commands 102106 RAS group profile, modify or create 102 RAS, show complete listing of 155 RAS, show specific RAS component 156 reboot 37 recall most recent command 11 recalling a recent command, not most recent 11 recent commands list 14, 66 reload old software 29 remote log server connection, configure 125 rename an existing object 61 replace firewall authentication screens 132 replacing settings and policies 10 request VPN certificate 67 reset connections 31
O
object strings, case sensitivity of 9 online help 24 operation modes 35 operation_mode command 35
P
passwd 36 password, reset super user 36 ping a device 134 + character, use of 10 pppoe_config 135 Private interface See interface 0 profile
reset Vclass appliance 37 return to next highest level 14 return to top command level 15 route configuration entry 113 route configuration, level 3 commands 122 route information, display of 140 routes, list all active 156 routes, summarize all dynamic and static 147
T
tasks available 2 tasks not available 3 TCP Maximum Segment Size (MSS) 59, 112 tenant configuration mode entry 65 tenant configuration, level 2 commands 119122 tenant entry, record 119 text deletion 10 top command 14 traffic log file, activate 124 traffic log file, deactivate 124 troubleshooting commands 127141 tunnel switching, show hardware status 159
S
SA information, show curent phase 1 or 2 156 schedule a policy 62 security policies, show active 154 security policy commands 21 security policy, create 57 security policy, show parameters of specific 154 service entry (individual or group) new 63 service group, show specific 157 service groups, show all 157 set_dos_if 139 show arguments, list 145 show certificate properties 70 show stored arguments 16 show stored command entries 16 showcommands 144 shut down WatchGuard appliance 38 SNMP workstations, record connection data for 114 software version number, display 160 SSL certificate request 71 static route configuration 122 system configuration mode 64 system configuration, level 2 commands 107116 system configuration, show general 158 system information, apply to security appliance 115 system interface configuration 49 system interface configuration, enter 82 system mode, display 152
U
unavailable tasks 3
V
verbose trace, disable 141 verbose trace, enable 141 view currently available commands 17 vinstall 141 VLAN forwarding disable 116 VLAN forwarding, enable 116 VLAN specific tenant entry, record 120 VLAN tenant entry, record new 119
W
Web certificate See SSL certificate
X
xml export debugging information not exported 127 XML profile import 33