
WatchGuard Command Line Interface User Guide

WatchGuard Firebox Vclass 5.1

Copyright
Copyright 1998-2003 WatchGuard Technologies, Inc. All rights reserved.

Notice to Users
Information in this document is subject to change and revision without notice. This documentation and the software described herein are subject to and may only be used and copied as outlined in the Firebox System software end-user license agreement. No part of this manual may be reproduced by any means, electronic or mechanical, for any purpose other than the purchaser's personal use, without prior written permission from WatchGuard Technologies, Inc.

Trademark Notes
WatchGuard and LiveSecurity are either trademarks or registered trademarks of WatchGuard Technologies, Inc. in the United States and other countries. Firebox, ServerLock, DVCP, and Designing peace of mind are trademarks of WatchGuard Technologies, Inc. All other trademarks or trade names mentioned herein, if any, are the property of their respective owners.

Part No: 1200016


WatchGuard Vclass 5.1

WatchGuard Technologies, Inc. Firebox System Software End-User License Agreement


WatchGuard Firebox System (WFS) End-User License Agreement

IMPORTANT: READ CAREFULLY BEFORE ACCESSING WATCHGUARD SOFTWARE. This WFS End-User License Agreement (AGREEMENT) is a legal agreement between you (either an individual or a single entity) and WatchGuard Technologies, Inc. (WATCHGUARD) for the WATCHGUARD WFS software product identified above, which includes computer software and may include associated media, printed materials, and online or electronic documentation (SOFTWARE PRODUCT). WATCHGUARD is willing to license the SOFTWARE PRODUCT to you only on the condition that you accept all of the terms contained in this Agreement. Please read this Agreement carefully. By installing or using the SOFTWARE PRODUCT you agree to be bound by the terms of this Agreement. If you do not agree to the terms of this AGREEMENT, WATCHGUARD will not license the SOFTWARE PRODUCT to you, and you will not have any rights in the SOFTWARE PRODUCT. In that case, promptly return the SOFTWARE PRODUCT, along with proof of payment, to the authorized dealer from whom you obtained the SOFTWARE PRODUCT for a full refund of the price you paid.

1. Ownership and License. The SOFTWARE PRODUCT is protected by copyright laws and international copyright treaties, as well as other intellectual property laws and treaties. This is a license agreement and NOT an agreement for sale. All title and copyrights in and to the SOFTWARE PRODUCT (including but not limited to any images, photographs, animations, video, audio, music, text, and applets incorporated into the SOFTWARE PRODUCT), the accompanying printed materials, and any copies of the SOFTWARE PRODUCT are owned by WATCHGUARD or its suppliers. Your rights to use the SOFTWARE PRODUCT are as specified in this AGREEMENT, and WATCHGUARD retains all rights not expressly granted to you in this AGREEMENT. Nothing in this AGREEMENT constitutes a waiver of our rights under U.S. copyright law or any other law or treaty.

2. Permitted Uses. You are granted the following rights to the SOFTWARE PRODUCT:
(A) You may install and use the SOFTWARE PRODUCT on any single computer at any single location. If you wish to use the SOFTWARE PRODUCT on a different computer, you must erase the SOFTWARE PRODUCT from the first computer on which you installed it before you install it onto a second.
(B) To use the SOFTWARE PRODUCT on more than one computer at once, you must license an additional copy of the SOFTWARE PRODUCT for each additional computer on which you want to use it.
(C) You may make a single copy of the SOFTWARE PRODUCT for backup or archival purposes only.

3. Prohibited Uses. You may not, without express written permission from WATCHGUARD:
(A) Use, copy, modify, merge or transfer copies of the SOFTWARE PRODUCT or printed materials except as provided in this AGREEMENT;
(B) Use any backup or archival copy of the SOFTWARE PRODUCT (or allow someone else to use such a copy) for any purpose other than to replace the original copy in the event it is destroyed or becomes defective;
(C) Sublicense, lend, lease or rent the SOFTWARE PRODUCT;
(D) Transfer this license to another party unless (i) the transfer is permanent, (ii) the third party recipient agrees to the terms of this AGREEMENT, and (iii) you do not retain any copies of the SOFTWARE PRODUCT; or
(E) Reverse engineer, disassemble or decompile the SOFTWARE PRODUCT.

4. Limited Warranty. WATCHGUARD makes the following limited warranties for a period of ninety (90) days from the date you obtained the SOFTWARE PRODUCT from WatchGuard Technologies or an authorized dealer:
(A) Media. The disks and documentation will be free from defects in materials and workmanship under normal use. If the disks or documentation fail to conform to this warranty, you may, as your sole and exclusive remedy, obtain a replacement free of charge if you return the defective disk or documentation to us with a dated proof of purchase.
(B) SOFTWARE PRODUCT. The SOFTWARE PRODUCT will materially conform to the documentation that accompanies it. If the SOFTWARE PRODUCT fails to operate in accordance with this warranty, you may, as your sole and exclusive remedy, return all of the SOFTWARE PRODUCT and the documentation to the authorized dealer from whom you obtained it, along with a dated proof of purchase, specifying the problems, and they will provide you with a new version of the SOFTWARE PRODUCT or a full refund, at their election.

Disclaimer and Release. THE WARRANTIES, OBLIGATIONS AND LIABILITIES OF WATCHGUARD, AND YOUR REMEDIES, SET FORTH IN PARAGRAPHS 4, 4(A) AND 4(B) ABOVE ARE EXCLUSIVE AND IN SUBSTITUTION FOR, AND YOU HEREBY WAIVE, DISCLAIM AND RELEASE ANY AND ALL OTHER WARRANTIES, OBLIGATIONS AND LIABILITIES OF WATCHGUARD AND ALL OTHER RIGHTS, CLAIMS AND REMEDIES YOU MAY HAVE AGAINST WATCHGUARD, EXPRESS OR IMPLIED, ARISING BY LAW OR OTHERWISE, WITH RESPECT TO ANY NONCONFORMANCE OR DEFECT IN THE SOFTWARE PRODUCT (INCLUDING, BUT NOT LIMITED TO, ANY IMPLIED WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, ANY IMPLIED WARRANTY ARISING FROM COURSE OF PERFORMANCE, COURSE OF DEALING, OR USAGE OF TRADE, ANY WARRANTY OF NONINFRINGEMENT, ANY WARRANTY THAT THIS SOFTWARE PRODUCT WILL MEET YOUR REQUIREMENTS, ANY WARRANTY OF UNINTERRUPTED OR ERROR-FREE OPERATION, ANY OBLIGATION, LIABILITY, RIGHT, CLAIM OR REMEDY IN TORT, WHETHER OR NOT ARISING FROM THE NEGLIGENCE (WHETHER ACTIVE, PASSIVE OR IMPUTED) OR FAULT OF WATCHGUARD AND ANY OBLIGATION, LIABILITY, RIGHT, CLAIM OR REMEDY FOR LOSS OR DAMAGE TO, OR CAUSED BY OR CONTRIBUTED TO BY, THE SOFTWARE PRODUCT).

Limitation of Liability. WATCHGUARD's liability (whether in contract, tort, or otherwise; and notwithstanding any fault, negligence, strict liability or product liability) with regard to THE SOFTWARE Product will in no event exceed the purchase price paid by you for such Product. IN NO EVENT WILL WATCHGUARD BE LIABLE TO YOU OR ANY THIRD PARTY, WHETHER ARISING IN CONTRACT (INCLUDING WARRANTY), TORT (INCLUDING ACTIVE, PASSIVE OR IMPUTED NEGLIGENCE AND STRICT LIABILITY AND FAULT), FOR ANY INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES (INCLUDING WITHOUT LIMITATION LOSS OF BUSINESS PROFITS, BUSINESS INTERRUPTION, OR LOSS OF BUSINESS INFORMATION) ARISING OUT OF OR IN CONNECTION WITH THIS WARRANTY OR THE USE OF OR INABILITY TO USE THE SOFTWARE PRODUCT, EVEN IF WATCHGUARD HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

5. United States Government Restricted Rights. The enclosed SOFTWARE PRODUCT and documentation are provided with Restricted Rights. Use, duplication or disclosure by the U.S. Government or any agency or instrumentality thereof is subject to restrictions as set forth in subdivision (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013, or in subdivision (c)(1) and (2) of the Commercial Computer Software -- Restricted Rights Clause at 48 C.F.R. 52.22719, as applicable. Manufacturer is WatchGuard Technologies, Incorporated, 505 Fifth Avenue, Suite 500, Seattle, WA 98104.

6. Export Controls. You agree not to directly or indirectly transfer the SOFTWARE PRODUCT or documentation to any country to which such transfer would be prohibited by the U.S. Export Administration Act and the regulations issued thereunder.

7. Termination. This license and your right to use the SOFTWARE PRODUCT will automatically terminate if you fail to comply with any provisions of this AGREEMENT, destroy all copies of the SOFTWARE PRODUCT in your possession, or voluntarily return the SOFTWARE PRODUCT to WATCHGUARD. Upon termination you will destroy all copies of the SOFTWARE PRODUCT and documentation remaining in your control or possession.

8. Miscellaneous Provisions. This AGREEMENT will be governed by and construed in accordance with the substantive laws of Washington excluding the 1980 United Nations Convention on Contracts for the International Sale of Goods, as amended. This is the entire AGREEMENT between us relating to the contents of this package, and supersedes any prior purchase order, communications, advertising or representations concerning the contents of this package AND BY USING THE SOFTWARE PRODUCT YOU AGREE TO THESE TERMS. No change or modification of this AGREEMENT will be valid unless it is in writing, and is signed by WATCHGUARD.

9. Canadian Transactions: If you obtained this SOFTWARE PRODUCT in Canada, you agree to the following: The parties hereto have expressly required that the present AGREEMENT and its Exhibits be drawn up in the English language. / Les parties aux presentes ont expressement exige que la presente conventions et ses Annexes soient redigees en la langue anglaise.

Contents

Contents ... ix

CHAPTER 1 Using the Command Line Interface ... 1
  Introducing the WatchGuard CLI ... 1
  CLI capabilities ... 2
  CLI limitations ... 3
  CLI Guide text conventions ... 3
  Getting started with the WatchGuard CLI ... 5
  Connecting to an appliance ... 5
  Logging into an appliance via a console connection ... 6
  Logging into an existing appliance via a network connection ... 7
  Understanding the command prompt ... 8
  Abbreviating commands and keywords ... 8
  Case sensitivity ... 9
  Extending command lines ... 9
  Typing arguments in a command ... 9
  Deleting text in the Command Line Interface ... 10
  Using the CLI to add to or replace existing settings and policies ... 10
  Grouping parameters in a command ... 10
  Reviewing the recently used commands ... 11
  Navigating through the CLI ... 13
  Common Navigation commands ... 14
  Using keywords ... 15
  Show command/argument (name) usage ... 16
  Viewing context-sensitive online help ... 17
  Logging out of the appliance ... 18
  Installing and configuring a WatchGuard appliance ... 19
  To log into a WatchGuard appliance for the first time ... 19
  To assign network addresses to appliance interfaces ... 20
  To complete system configuration ... 20
  To create and apply security policies ... 21
  To remove/delete items from a WatchGuard database ... 22
  To save and apply your most recent changes ... 22
  To maintain an appliance ... 22
  To troubleshoot an appliance ... 22
  To restore an appliance to the factory-default state ... 23
  To review the most recent tasks (at any level) ... 23
  To get on-line help while working ... 24

CHAPTER 2 Administration Mode Commands ... 25
  Command syntax conventions used in this guide ... 25
  Administration mode commands ... 27
  account command ... 28
  downgrade command ... 29
  export command ... 30
  flush command ... 31
  ha_sync command ... 31
  import command ... 32
  operation_mode command ... 35
  passwd command ... 36
  reboot command ... 37
  restore default command ... 38
  shutdown command ... 38
  upgrade command ... 39

CHAPTER 3 Configuration Mode Commands ... 41
  Top-level configuration mode commands ... 41
  abort command ... 43
  address command ... 43
  certificate command ... 45
  commit command ... 45
  delete command ... 45
  denial_of_service command ... 46
  high_availability commands ... 47
  ike command ... 48
  interface command ... 49
  ipsec command ... 49
  license command ... 49
  log command ... 50
  nat command ... 54
  no command ... 56
  policy command ... 57
  qos command ... 60
  ras command ... 61
  rename command ... 61
  schedule command ... 62
  service command ... 63
  system command ... 64
  trace command ... 64
  tenant command ... 65
  tunnel_switch command ... 65
  history command ... 66
  Second level configuration mode commands ... 66
  Level 2 certificate configuration commands ... 67
  Level 2 High Availability configuration commands ... 72
  Level 2 IKE configuration commands ... 78
  Level 2 interface configuration commands ... 82
  Level 2 IPSec configuration commands ... 95
  Level 2 Quality of Service (QoS) configuration commands ... 100
  Level 2 Remote Access Service (RAS) configuration commands ... 102
  Level 2 System Configuration commands ... 107
  Level 2 license commands (for upgraded or additional features) ... 117
  Level 2 tenant configuration commands ... 119
  Level 3 configuration mode commands ... 122
  Level 3 route configuration commands ... 122
  Level 3 log configuration commands ... 124

CHAPTER 4 Debug Mode Commands ... 127
  Debugging/troubleshooting commands ... 127
  arp command ... 129
  clear_logs ... 129
  config_http command ... 129
  conn_idle_timeout command ... 130
  ha_instant_sync command ... 130
  hwdiag command ... 131
  ifconfig command ... 131
  importscreen command ... 132
  kernel_debug command ... 133
  netstat command ... 134
  ping command ... 134
  pppoe_config command ... 135
  radius_ping command ... 135
  rcinfo command ... 137
  reboot command ... 137
  rs_kdiag command ... 138
  set_dos_if command ... 139
  slink command ... 139
  tcpdump command ... 140
  traceroute command ... 140
  verbose_trace command ... 141
  vinstall command ... 141

CHAPTER 5 Other Commands ... 143
  No command ... 143
  Rename command ... 143
  Show command ... 144
  Show command general usage ... 144
  Show address command ... 145
  Show alarm command ... 146
  Show all_routes command ... 147
  Show certificate command ... 147
  Show CPM command ... 148
  Show denial_of_service command ... 148
  Show diagnostics command ... 148
  Show DNS command ... 148
  Show IKE command ... 149
  Show interface command ... 150
  Show IPSec command ... 150
  Show LDAP command ... 151
  Show license command ... 151
  Show log command ... 152
  Show mode command ... 152
  Show NAT command ... 153
  Show NTP command ... 153
  Show policy command ... 154
  Show QoS command ... 154
  Show RAS command ... 155
  Show route command ... 156
  Show SA command ... 156
  Show service command ... 157
  Show SNMP command ... 158
  Show statistics command ... 158
  Show sysinfo command ... 158
  Show sysupgrade command ... 159
  Show trace command ... 159
  Show tunnel_switch command ... 159
  Show version command ... 160

Index ... 161

CHAPTER 1

Using the Command Line Interface

Introducing the WatchGuard CLI


The WatchGuard CLI (Command Line Interface) offers the experienced network administrator an efficient way to set up and manage WatchGuard Firebox Vclass security appliances via a terminal application. Because the CLI architecture follows a model implemented in many industry-standard routers, network administrators familiar with commonly deployed routers will find the WatchGuard CLI both easy to learn and easy to use.

You can use the CLI to administer an appliance through a console port connection, or through a network connection to any of the data interfaces via an SSH client using protocol 2 or Telnet, once the appropriate firewall-access policies have been created and configured on the target appliance.

While the CLI replicates most of the functionality of the WatchGuard Vcontroller application, we strongly recommend that you familiarize yourself with WatchGuard Vcontroller before attempting to use the CLI. Learning the WatchGuard Vcontroller, its terms and processes, and the underlying flow of appliance administration will establish a solid competency with the concepts and terms used extensively in the CLI.

We also recommend that you review the latest Release Notes for your WatchGuard security appliances and verify that the most current versions of WatchGuard and Java software are being used. Electronic copies may be obtained from the WatchGuard Technical Support web site (www.watchguard.com/support/). The Technical Support Group can also assist in verifying that you have all of the latest WatchGuard software.

CLI capabilities

The WatchGuard command line interface (CLI) provides simple, fast, command-line access to any local WatchGuard Firebox Vclass security appliance to perform most major administrative tasks, including rebooting, resetting appliance interface IP addresses, entering remote access user accounts, and managing the policies, actions and proposals stored in the appliance database. An almost-complete list of CLI setup and administration tasks includes the following:

- Configuring security appliance software
- Interface (port) management
- Viewing current system settings
- Inserting new security policies
- Editing or removing existing policies
- Reorganizing the sort order of policies
- Configuring and using the High Availability feature
- Opening and reviewing current log files
- Displaying reports of tunnel and SA activities
- Restoring factory-default configurations
- Shutting down and restarting security appliances

CLI limitations

The WatchGuard CLI is not a complete replacement for the WatchGuard Vcontroller application. You cannot do the following with the CLI:

- Set up probes that monitor the current activities of the security appliance
- Set up, activate, and review alarms that are triggered by a range of operational circumstances
- Import Certificate Revocation List (CRL) files or their contents
- Create admin access user accounts
- Create firewall-access internal user accounts

CLI Guide text conventions

To help you better use this guide, the following text conventions are used.

Control key
The symbol ^ represents the Control (CTRL) key and is usually used in combination with other text. For example, when you see the key combination ^Z or Ctrl-Z, this means you should hold down the Control key while pressing the Z key. In the guide, these keys may be printed in capital letters, but Ctrl+letter functions are not case-sensitive.

Text strings
A text string is defined as a set of user-variable characters. Text strings (or strings) are usually presented as example data, or the kind of thing one might type for a particular value. Such an example might be presented enclosed in quotation marks; however, you do not need to type quotes when entering a text string. For example, we might say: set a user_profile name to All_RAS_Users. In this example, you could type your own user profile name (or string) in place of All_RAS_Users.

You should enclose a string in quotes in instances where the text entry includes spaces. For example, if entering a name like Joan Smith, with a space between the first and last name, you should enclose this entry in quotation marks to preserve it as a single entity. For example:

WG(config)#address -group exec_staff
WG(config)#address -group "exec staff"

Carriage returns
Carriage returns are Enter key presses, and are represented by the <ENTER> or <CR> notation. Command examples may omit this notation for the sake of brevity.

Letter spaces
Space characters (entered by pressing the Space bar on the keyboard) are represented in a few instances in this guide by the <sp> notation. In most cases, however, spaces are simply represented by actual spaces. For example, in:

WG(config)#address -group exec_staff

there is a single space between address and -group, and between -group and exec_staff.

Comments
Comments are presented as italicized text preceded by the # character.

# This is a sample comment.

More command-specific and argument-specific conventions are detailed in Command syntax conventions used in this guide on page 21.

Getting started with the WatchGuard CLI

Connecting to an appliance

The WatchGuard CLI can be used to perform pre-installation setup tasks, or to reconfigure or administer the appliance at any time. These are two distinct uses of the CLI, which in turn require different connections:

- To use the CLI for pre-installation setup or for direct administration of a WatchGuard appliance, connect the appliance directly to your workstation with a cable from the Console port on the front of the appliance to a serial port on your workstation. Your Vclass package includes an adapter for this purpose. After this connection is made, you can connect directly to the appliance via a terminal application.
- To use the CLI for administration after a WatchGuard appliance has been set up and configured, you can make use of existing network connections. All you need is (1) the IP address of a WatchGuard appliance data interface and (2) a currently active policy permitting CLI console (Telnet/SSH) access to the system through that interface. This policy may be created by means of the CLI or the WatchGuard Vcontroller, once configuration is complete.

NOTE
If you attempt to log into a functioning, fully configured WatchGuard appliance with the CLI, you must enter admin as the login (or rsadmin for legacy appliances), as the CLI will not permit use of any other super admin account names.

Logging into an appliance via a console connection

To log into a brand new, factory-default WatchGuard appliance by means of the CLI console and a console (serial port) connection, follow these steps:

1 Start any terminal application and open a new connection window.

2 Verify that the terminal has been set to VT100.

NOTE
If the terminal is not set to VT100, various functions may not work: ^c will not break, ESC will not work, and you will have problems with special characters.

Connection parameters include:
- 9600 bps
- 8 data bits
- No parity
- 1 stop bit
- Flow control: none

3 Press <ENTER> once after configuring the connection parameters. The connection should be immediate, at which time a welcome message is displayed, followed by a WatchGuard Login prompt.

4 As this is a new appliance, type admin (the default login text) and press <ENTER>. The login for a legacy appliance is rsadmin. A Password prompt is displayed.

5 Type admin (again, the default password text) and press <ENTER> to submit the password and log in to this security appliance. The default password for a legacy device is rsadmin. If the login is successful, a WG# prompt is displayed.

WatchGuard Firebox V100 (OS 4.0)
<system_name> login:admin
Password:[type your password, nothing is displayed]
Welcome to the WatchGuard CLI Shell
WG#

You can now work with the CLI.

NOTE
The default login and password are the same on every new appliance; replacing the default password (passwd command, Chapter 2) is part of completing the initial system configuration.

Logging into an existing appliance via a network connection

To log into a currently active (configured) WatchGuard appliance over a network connection, follow these steps:

1 Make sure that this appliance has an active policy permitting Telnet/SSH access via a specific WatchGuard appliance interface.

2 Start any Telnet/SSH application and verify that your terminal emulation is VT100 (necessary in Windows 2000).

3 Type the IP address or qualified network name of the appliance interface and press <ENTER>.

4 When a WatchGuard Login prompt is displayed, type admin (or rsadmin for a legacy appliance) and press <ENTER>. A Password prompt is displayed.

NOTE
The CLI will not accept any other superadmin login names.

5 Type the current password (the default is admin, or rsadmin for a legacy appliance) and press <ENTER> to submit the password and log into this security appliance. A new WG# prompt is displayed.

Understanding the command prompt

As you navigate through the WatchGuard Command Line Interface, the command prompt always indicates which command level/mode you are in. For example:

Command Prompt        Command Level/Mode
WG#                   indicates that you are at the root level
WG(config)#           indicates that you are in Configuration mode
WG(config-system)#    indicates that you are in Configuration mode at the System level
WG(config-if)#        indicates that you are in Configuration mode at the System Interface level

Abbreviating commands and keywords

You can abbreviate the available commands and keywords for each command group or mode down to the minimum number of characters that can safely be used to represent the command, that is, the shortest prefix that the CLI cannot mistake for another command. For example, the command show can be abbreviated sh and the command dmz can be abbreviated as d.

NOTE
In Administration mode, you cannot use abbreviated commands. Administration mode requires that you type the full word for each command.


Case sensitivity

Commands, command arguments and keywords in the WatchGuard CLI are not case sensitive. For example, show policy is equivalent to SHow POLicy.

NOTE
Object name strings are case sensitive. Typing the address group name (string) EveryBody_on_NET_A is not the same as typing everybody_on_net_a. This applies to all text strings, whether enclosed in quotes or not.

Extending command lines


Long command lines can be continued onto the next line of a terminal display by typing the backslash character (\) at the end of the command line, much as in C. This lets you type more information (parameters) without breaking the continuity of the command. In the following progression of four command lines, the backslash (\) typed right before <ENTER> in the last one lets the administrator continue that command onto the next line:

WG#<ENTER>
WG#configure<ENTER>
WG(config)#cert<ENTER>
WG(config-cert)#req cert com WatchGuard cou US \<ENTER>
-dns rs101.WatchGuard.com key {rsa 1024 both}<ENTER>

Typing arguments in a command


Type a hyphen (-) before every argument that requires one. If the hyphen is missing, the CLI ignores and drops that argument while still applying the rest of the command, so a mistyped policy or setting can take effect without the condition you intended. Confirm the result with show before you commit.


Deleting text in the Command Line Interface


To delete characters to the left of the cursor, press the Backspace key, or press ^h. To delete all characters from the current position of the cursor back to the beginning of the command line, press ^u.

Using the CLI to add to or replace existing settings and policies


Existing settings can be modified using the WatchGuard CLI in two ways:

1 An existing item can be overwritten/replaced with an entirely new item.
2 Additional entries or qualifications can be appended to an existing item.

Adding entries to an existing item requires the plus character (+). If a setting or entry already exists in this WatchGuard appliance, type a plus character (+) before the additional elements to edit that setting. Omitting the plus sign replaces the existing item instead, which for an address group means every policy that references the group now matches only the new member. In the following example, an additional host with an IP address of 199.86.77.100 is added to the address group VPNnet:

WG(config)#address VPNnet + -host 199.86.77.100<ENTER>
WG(config)#exit<ENTER>
Commit before exit? (Y/N):y<ENTER>
WG#_

The named address group object VPNnet now has an additional (host) member with an IP address of 199.86.77.100.

Grouping parameters in a command


Groups of parameters may be repeated in a command line by surrounding each group with curly brackets ({group1 param1 param2} {group2 param1 param2} and so on). In the following example of command line block repetition, the IP addresses, port numbers, and weighting are assigned for three servers in a round-robin load balanced cluster:

WG(config)#nat <"name"> vip round server \<ENTER>
{10.10.0.100 80 1} {10.10.0.101 80 2} \<ENTER>
{10.10.0.102 80 3}<ENTER>

Note too that the command line in the above example was extended with the backslash (\) character, so that more parameters could be included in the command.
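Generating command files (for example, for the Vcontroller CLI tab described under account command on page 28) is where the hyphen, brace and backslash rules above are most easily broken. The following Python is an added example, not WatchGuard code or part of this guide. It builds the two commands shown in the preceding sections, the address-group append and the round-robin VIP, checks each address, port and weight before rendering, and wraps a long command with the continuation backslash without ever splitting a brace group. The VIP name "web", the quoting of the name (taken from the <"name"> placeholder above) and the wrap width are assumptions.

```python
"""Builders for WatchGuard Vclass CLI command lines (added example, not
WatchGuard code).

Uses only syntax shown in this guide: '-name value' arguments, '+' to
append to an existing object, '{...}' repeated parameter groups and a
trailing backslash to continue a command on the next line.
"""
import ipaddress
import re

MAX_LINE = 72  # assumed terminal width for wrapping; not a CLI limit

# A brace group or a quoted name must never be split across lines.
_TOKEN = re.compile(r'\{[^}]*\}|"[^"]*"|\S+')


def arg(name, *values):
    """Return '-name value ...'; the hyphen is what stops the CLI from
    silently dropping the argument."""
    name = name.lstrip("-")
    if not name:
        raise ValueError("argument name is empty")
    return " ".join(["-" + name, *map(str, values)])


def group(*params):
    """Return one '{p1 p2 ...}' block for a repeatable parameter group."""
    if not params:
        raise ValueError("empty parameter group")
    return "{" + " ".join(map(str, params)) + "}"


def continue_lines(command, width=MAX_LINE):
    """Split a command into lines no longer than 'width', each partial
    line ending in ' \\' so the CLI reads them as one command."""
    lines, current = [], ""
    for token in _TOKEN.findall(command):
        candidate = token if not current else current + " " + token
        if current and len(candidate) + 2 > width:  # keep room for " \"
            lines.append(current + " \\")
            current = token
        else:
            current = candidate
    lines.append(current)
    return lines


def add_host_to_address_group(group_name, host):
    """'address <group> + -host <ip>': append to, do not overwrite, the group."""
    ipaddress.ip_address(host)  # raises ValueError on a malformed address
    return f"address {group_name} + {arg('host', host)}"


def round_robin_vip(name, servers):
    """'nat "<name>" vip round server {ip port weight} ...' for a cluster.

    'servers' is a list of (ip, port, weight) tuples; every value is
    checked before it is rendered.
    """
    if not servers:
        raise ValueError("a round-robin VIP needs at least one server")
    blocks = []
    for ip, port, weight in servers:
        ipaddress.ip_address(ip)
        if not 1 <= int(port) <= 65535:
            raise ValueError(f"bad port {port!r} for {ip}")
        if int(weight) < 1:
            raise ValueError(f"bad weight {weight!r} for {ip}")
        blocks.append(group(ip, port, weight))
    return f'nat "{name}" vip round server ' + " ".join(blocks)


if __name__ == "__main__":
    print(add_host_to_address_group("VPNnet", "199.86.77.100"))
    vip = round_robin_vip("web", [("10.10.0.100", 80, 1),
                                  ("10.10.0.101", 80, 2),
                                  ("10.10.0.102", 80, 3)])
    print("\n".join(continue_lines(vip, width=50)))
```

Each generated line can be pasted at the WG(config)# prompt, or the lines can be collected into a text file for a bulk load; either way the validation happens before anything reaches the appliance, where a dropped argument would not be reported.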

Reviewing the recently used commands


The WatchGuard CLI stores up to 20 commands (at each level in every mode) in a history buffer, which you can use to view your most recent tasks. Type history <ENTER> at any prompt to review the last twenty commands applied at that level of the CLI. The CLI prefixes each line with a number indicating its place in the overall chronology; the higher the number, the more recently that command was entered. (Because the numbering continues past 20, an active command history listing may show multiple-digit numbers.)

Type !! (two exclamation points) to recall and re-run the most recently used command recorded in the buffer for this mode and level.
Type !6 (exclamation point followed by a number) to display and run the command numbered 6 in the buffer at this CLI level.
Type !!<command argument> to display the most recent command with the given arguments and values appended to it. For example, if the last command was show, you could type !!address to display the current list of address groups.


New or different command arguments may be substituted in the most recent command line recalled from history. Use the form ^old_text^new_text to make the substitution, as shown in the following example:

WG#!49                    # Recall command line #49.
show service DNS          # This is the recalled command; the lines that follow are its result.
Service Group:
Name = DNS
Description = "Domain Name Services"
Protocol = UDP
Server_port = 53
WG#^DNS^SSH               # Substitutes SSH for DNS in the recalled command and runs it.
show service SSH
Service Group:            # The result.
Name = SSH
Description = "Secure Shell (Remote Login Protocol)"
Protocol = TCP
Server_port = 22
WG#_
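To make the recall rules concrete, here is an added Python model of one level's history buffer (example code, not part of the WatchGuard CLI or of this guide). It keeps the last 20 command lines with cumulative numbers and resolves !!, !N, !!<arguments> and ^old^new as described above. What happens when a number has scrolled out of the buffer, or when the text to substitute does not occur in the last command, is an assumption, since the guide does not say what the real CLI does then. The model also makes visible why typing an FTP password into a command (see export command on page 30) is unwise: the buffer keeps it in clear text. The host 10.0.0.5 in the usage below is constructed for the example.

```python
"""Model of one CLI level's history buffer (added example, not WatchGuard
code): 20 entries, cumulative numbering, and the !!, !N, !!<args> and
^old^new recall forms described in this guide."""
from collections import deque

HISTORY_DEPTH = 20


class LevelHistory:
    """The real CLI keeps one buffer per command level; this models one."""

    def __init__(self, depth=HISTORY_DEPTH):
        self._entries = deque(maxlen=depth)  # (number, command line)
        self._count = 0                      # keeps growing past 'depth'

    def record(self, command):
        """Store an executed command line and return its history number."""
        self._count += 1
        self._entries.append((self._count, command))
        return self._count

    def listing(self):
        """What 'history' prints: 'number command', oldest first."""
        return [f"{number} {command}" for number, command in self._entries]

    def _last(self):
        if not self._entries:
            raise LookupError("history is empty")
        return self._entries[-1][1]

    def _numbered(self, number):
        for entry_number, command in self._entries:
            if entry_number == number:
                return command
        # Assumption: a number that scrolled out of the 20-entry buffer
        # cannot be recalled any more.
        raise LookupError(f"command {number} is no longer in the buffer")

    def expand(self, text):
        """Resolve a recall expression to the command line it stands for.

        Anything that is not a recall form is returned unchanged.
        """
        if text.startswith("!!"):                         # !! or !!address
            extra = text[2:].strip()
            return self._last() + (" " + extra if extra else "")
        if text.startswith("!") and text[1:].isdigit():   # !49
            return self._numbered(int(text[1:]))
        if text.startswith("^") and text.count("^") >= 2:  # ^DNS^SSH
            _, old, new = text.split("^", 2)
            last = self._last()
            if old not in last:
                raise LookupError(f"{old!r} does not occur in {last!r}")
            return last.replace(old, new, 1)
        return text

    def run(self, text):
        """Expand 'text', record the resulting command line, return it."""
        command = self.expand(text)
        self.record(command)
        return command


if __name__ == "__main__":
    h = LevelHistory()
    for typed in ("show service DNS", "^DNS^SSH", "!!", "!2",
                  "export xml -ftp wg:s3cret@10.0.0.5:/backup/profile.xml"):
        print(f"{typed:>55} -> {h.run(typed)}")
    print("\n".join(h.listing()))  # the FTP password is still readable here
```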


Navigating through the CLI



At every command level and in all command modes, the exit command moves you up one level (back to the parent command level) in the command tree. If you issue the exit command at the top (root) level, you log out of the system. See the following example:

WG(config-system)#exit<ENTER>
WG(config)#exit<ENTER>
WG#exit<ENTER>
# As a result, you are logged off the CLI and the display screen is cleared.
WatchGuard (OS 4.0)


At every command level except the top (root) level, entering the top command and pressing <ENTER> jumps from the current level to the top (root) command level. The top (root) level does not have this command because it isn't needed there. See the following example:

WG(config-qos)#top<ENTER>
WG#_

Common Navigation commands


The following commands can be used at any level of any CLI mode.

history command
WG#admin<ENTER>
WG(admin)#history

Effect
Lists the twenty most recently exercised commands at this level. (When this command is applied at other levels, it lists the last twenty commands entered at that specific level.) For more information on extending or adapting this command, see Reviewing the recently used commands on page 11.
Arguments
This command has several adaptations that extend its usefulness. See Reviewing the recently used commands on page 11 for details.

exit command
WG(admin)#exit

Effect
Exits the current level of the CLI and returns to the next-highest command level, all the way up to the top-level WG# prompt.
Arguments
None.
Example
WG(admin)#exit<ENTER>

top command
WG(admin)#top

Effect
Immediately returns to the top level of the WatchGuard CLI (the WG# prompt) from whatever level of the CLI you are using.
Arguments
None.
Example
WG(admin)#top<ENTER>
# As a result, the WG# prompt is displayed.

Using keywords
The CLI provides keywords such as enable, disable, and no that perform specific functions with system parameters. For example, enable and disable are used to enable and disable existing configurations such as policy schedules and system QoS settings. The following example shows an existing schedule configuration named 24_7_Schedule being enabled:

WG(config)#schedule 24_7_Schedule enable<ENTER>

The keyword no functions as a simple on/off switch for configuration components. The following example turns the ping-of-death check off in the denial-of-service settings:

WG(config)#denial_of_service no pingofdeath<ENTER>


Show command/argument (name) usage


Entering the show command along with a valid command name or argument displays all stored entries associated with the named term. See the following examples, which show only partial displays:

Example 1: Show all security policy records

WG(config)#show policy<ENTER>
Ord NAME                  Dscpt  Src  Dest   Svc
1   PRIVATE_HTTPS                ANY  PRIVA  HTTPS
2   ALLOW_PING_FROM_PVT          ANY  INTER  PING
3   ALLOW_PING_FROM_PUB          ANY  INTER  PING
4   ALLOW_PING_FROM_DMZ          ANY  INTER  PING
5   ALLOW_OUTBOUND_DNAT          ANY  ANY    ANY
6   DENY_INBOUND          Deny   ANY  ANY    ANY
7   HOST_OUT                     ANY  ANY    ANY
WG(config)#_

(The Dest column values are truncated in this display; use the single-policy form shown in Example 2 to see the full destination.)

Executing the show command followed by a specific name displays only the details associated with that specific named object, as shown in the following example:


Example 2: Show only PRIVATE_HTTPS security policy settings

WG(config)#show policy PRIVATE_HTTPS<ENTER>
Security Policy
Name = PRIVATE_HTTPS
Description = * *
Order = 1
Source = ANY
Destination = interface_0_IP
Service = HTTPS

Viewing context-sensitive online help


When you are logged into an appliance, you can use the built-in help system to view a list of currently available commands. These commands vary depending on your current location in the CLI. The help system can:

List all available commands at a specific mode or level of the CLI
List all of a command's arguments (and associated values) along with their specific usage syntax

To list all commands available in a particular command mode or level, type a question mark (?) or enter help at the command prompt. For example, entering ? at the top (root) level returns the following list of top-level command options:

administration   Enter administration mode
configure        Enter configuration mode
debug            Enter debug mode
show             Show current configuration and statistics
history          Show command history
logout           Exit the system
exit             Exit the system

The WatchGuard CLI's help system also lists a specific command's argument options along with their usage syntax. For example, here is a help command that requests (and obtains) the command argument options and syntax used to configure a security policy:

WG#configure
WG(config)#policy?
policy <"name"> [<source> <destination> <interface num>]
  [-position <num>]
  [-firewall <pass|block|authenticate|reject>]
  [<-service|-vlan|-nat|-qos|-schedule|-ipsec [no] [bi_directional]> <"n]
  [<-tosF|-tosR> <bbbbbb>]   # b is <0|1>; msb from left.
  [-log_per_policy [enable|disable]]
  [-icmp_error_handling_per_policy [[global | all] |
     [[no] fragmentation_required] [[no] time_exceeded]
     [[no] network_unreachable] [[no] host_unreachable]
     [[no] port_unreachable]]]

Logging out of the appliance


After you have completed your setup or administration tasks, log out of the appliance by following these steps:

1 At the current prompt (at any level of the CLI), type top and press <ENTER>.
2 When the WG# prompt is displayed, type exit and press <ENTER>.

You are logged out of the appliance. You can disconnect the terminal session, and physically disconnect your workstation from the appliance if necessary. Log out whenever you leave the terminal; a session left at the WG# prompt gives anyone who reaches it superadmin control of the appliance.


Installing and configuring a WatchGuard appliance


You can use the WatchGuard CLI to perform almost all setup and configuration tasks. We've organized the following catalog of tasks into general categories, with references to the series of CLI commands you would use to perform specific tasks, and ordered it to guide you through the tasks in the proper sequence. The general flow follows that of the printed WatchGuard Vclass User Guide, beginning with installation and continuing on to administration and policy configuration tasks. The tasks are sorted into the following general categories:

To log into a WatchGuard appliance for the first time, page 19
To assign network addresses to appliance interfaces, page 20
To complete system configuration, page 20
To create and apply security policies, page 21
To remove/delete items from a WatchGuard database, page 22
To save and apply your most recent changes, page 22
To maintain an appliance, page 22
To troubleshoot an appliance, page 22
To get on-line help while working, page 24

To log into a WatchGuard appliance for the first time:


See the instructions detailed in Logging into an appliance via a console connection on page 6.


To assign network addresses to appliance interfaces


To assign network addresses to the data interfaces, use these commands (along with the arguments and values noted later in this user guide):

Command                      Additional Information
WG(config-if)#interface 0
WG(config-if)#interface 1
WG(config-if)#interface 2    if a DMZ interface is present
WG(config-if)#ha2            if an HA2 port is present

To complete system configuration


To complete the initial system configuration, use these commands:

Command                       Description
WG(admin)#passwd              change the default password to a new, secure password
WG(config-sys)#route          includes both static and dynamic routes
WG(config-sys)#dns            connect to a domain name server
WG(config-sys)#snmp           connect to any SNMP management stations
WG(config-sys)#log            activate needed system activity logging
WG(config-sys)#ldap           connect this appliance to an LDAP server
WG(config)#tunnel_switch      activate WatchGuard tunnel-switching features

Command                           Description
WG(config)#cert                   request and import needed certificates from CAs
WG(config)#denial_of_service      customize anti-hacker protection for this appliance
WG(config)#high_availability      set up and activate a high-availability system, using the High Availability feature
WG(config)#log                    includes event, traffic and alarm log files

To create and apply security policies


To create and apply security policies, use these commands:

Command                         Description
WG(config)#address              create all the needed address groups for use in policies
WG(config)#service              add new services or groups of related services
WG(config-ike)#action           create IKE actions for use in IKE policies
WG(config-ike)#policy           create IKE policies for use in IPSec policies
WG(config-ipsec)#action         create IPSec actions for use in IPSec proposals
WG(config-ipsec)#proposal       create IPSec proposals for use in security policies
WG(config)#nat                  create NAT actions (DNAT, SNAT or VIP) for use in policies
WG(config)#vlan                 create VLAN IDs for use in policies
WG(config-qos)#action           create QoS actions for use in policies
WG(config)#schedule             create schedules for application to specific policies

Command                          Description
WG(config-ras)#group_profile     create RAS group profiles for use in RAS policies
WG(config-ras)#user_profile      create RAS user accounts for use in RAS policies
WG(config-ras)#database          set up the user authentication system for RAS policies
WG(config)#policy                create the actual policies

To remove/delete items from a WatchGuard database


To remove a particular object (policy, action, group profile, etc.), use this command:
WG(config)#delete

To save and apply your most recent changes


To save and apply the latest changes and additions to this appliance's configurations and policies, use this command:

WG(config)#commit

Until you commit, changes made in Configuration mode are not applied to the running appliance; the CLI also prompts Commit before exit? (Y/N) when you leave Configuration mode with exit.

To maintain an appliance
To perform security appliance maintenance, use these commands:

Command                 Description
WG(admin)#flush         flush all current connections and SAs
WG(admin)#passwd        replace the existing password with a new one
WG(admin)#reboot        reboot the WatchGuard appliance
WG(admin)#shutdown      shut down the WatchGuard appliance

To troubleshoot an appliance
To perform troubleshooting tasks, use these commands:

Command                     Description
WG(debug)#arp               display and configure the ARP table
WG(debug)#netstat           show network/connection states and statistics
WG(debug)#ping              verify network connectivity
WG(debug)#radius_ping       verify connection with a RADIUS server
WG(debug)#tcpdump           trace network packets
WG(debug)#traceroute        trace a route to a specific destination

To restore an appliance to the factory-default state

WG(admin)#restore_default

This resets the configuration and the admin password to their factory defaults (see restore default command on page 38), so change the password again before the appliance is reconnected to a network.

To review the most recent tasks (at any level)


(CLI prompt)#history


To get on-line help while working


To get help with the WatchGuard CLI

Command     Description
?           online help at any prompt, or at the end of any other command
show        view a list of objects at the # prompt
history     view the last 20 commands entered at this level of the CLI; enter at the # prompt


CHAPTER 2

Administration Mode Commands

All WatchGuard CLI commands are organized into groups, which are presented as specific command modes. This chapter covers the commands available in Administration Mode.

Command syntax conventions used in this guide


To help you better use this guide, the following text conventions are used. These conventions are in addition to the text notation introduced in CLI Guide text conventions on page 3.

Convention and Description
<text>
    All required text is enclosed in angle brackets.
-<text>
    Some arguments must be preceded by a hyphen (-). If a hyphen is required but you do not type it before the argument, that argument is dropped.
[text]
    Optional text is enclosed in square brackets.
{text}
    Text wrapped in curly braces is optional, usually representing qualifications or values related to an argument.
itemA | itemB
    Text items separated by a pipe character (vertical bar) indicate two options, of which only one can be entered.
itemA &| itemB
    Text followed by an ampersand (&) and a pipe character (vertical bar) indicates two options, either or both of which can be entered.
[item_A, item_B, item_C]
    A comma separating bracketed text indicates repeated options that may be entered one at a time or all at once.
+ item
    A plus (+) sign preceding specific text represents additional elements being added to an existing setting. For example, to add a new member to an existing address group, type a + before the address information of the new member.
no
    A no entered before an argument indicates that the argument is not to be included in the command. This is useful when entering a number of arguments, one of which should not be included yet must be entered in the command.
\
    A backslash character at the end of a portion of a command line signifies that the command line has been broken at that point and continues on the next line.

If you enter a command in the CLI, such as the following:

WG(config)#policy

and press <ENTER> without adding any arguments to the command line, the WatchGuard CLI displays a complete list of related arguments and values, in the form in which you should enter them. This is helpful when the CLI tells you that a command you just entered isn't acceptable. You can call up this text to review requirements and syntax for a command or argument.

Administration mode commands


The following catalog lists all of the administration mode commands, along with a description of the arguments for each command and the relevant values for each argument.

Command            For more information, see
account            account command on page 28
downgrade          downgrade command on page 29
export             export command on page 30
flush              flush command on page 31
ha_sync            ha_sync command on page 31
import             import command on page 32
operation_mode     operation_mode command on page 35
passwd             passwd command on page 36
reboot             reboot command on page 37
restore_default    restore default command on page 38
shutdown           shutdown command on page 38
upgrade            upgrade command on page 39
history            history command on page 14
exit               exit command on page 14
top                top command on page 15


account command
WG#admin<ENTER>
WG(admin)#account -login_limit
WG(admin)#account -login_limit <admin|user> <0-10>
WG(admin)#account -status
WG(admin)#account -unlock <name>|all
WG(admin)#account -all

Effect
Allows you to view, set, and clear failed login attempt limits. Login limits add a further level of security by reducing susceptibility to brute-force password attacks. The account management feature is available in all three operation modes (normal, FIPS, and CC). The CLI allows only the root superadmin admin to log in, while rejecting all other accounts, including user-defined superadmin accounts. If you set the login_limit feature on the root superadmin user, it is possible for the superadmin to be locked out of the system, and anyone who can reach the login prompt can force that lockout by deliberately failing admin logins. To work around this possible problem:

1 Create another superadmin account in addition to the root superadmin admin account, using Vcontroller, before you set the login_limit for the root superadmin account. If the root superadmin admin is locked out because of exceeded login failures, you can use this separate, non-root-level superadmin account to log in to Vcontroller with full administration privileges.
2 In a text editor, create and save an ASCII text file with the following two lines:
admin
account -unlock admin
3 In Vcontroller, click Diagnostics/CLI and select the CLI tab. This feature allows you to select a text file that contains CLI commands.
4 Click Open. A Browse dialog appears.
5 Select the text file you created earlier, and click Select. The admin account is unlocked.

Arguments
-login_limit
Displays the current login limits set for admin and user on the device.
-login_limit <admin|user> <0-10>
Sets the limit for failed attempts for the specified user type (admin or user) to the number specified.
-status
Displays a table of failed login attempts for each user, provided the limit for the login name is greater than 0.
-unlock <name>|all
Unlocks a login name or all login names, after the name or names are locked due to failed login attempts.
-all
Displays detailed information for all accounts on the device.

Examples
WG#admin<ENTER>
WG(admin)#account -login_limit

WG#admin<ENTER>
WG(admin)#account -login_limit admin 5

WG#admin<ENTER>
WG(admin)#account -unlock joe_user

downgrade command
WG#admin<ENTER>
WG(admin)#downgrade

Effect
Restores the system software to the previously installed version.
Arguments
None
Example
WG(admin)#downgrade<ENTER>

NOTE
If you apply this command, certain WatchGuard features incorporated in the current version may not be available afterwards. This affects both configurations and policies in this appliance. Review this security appliance's setup carefully to prevent any problems.

export command
WG#admin<ENTER>
WG(admin)#export

Effect
Exports certificate requests, the log archive, an XML profile, or the blocked/allowed IP lists. The export command must be followed by a space and the name of the item to be exported:

cert_request   to export certificate requests
log            to export the log archive
xml            to export an XML profile
ip             to export the blocked or exception IP lists

Each export option requires specific syntax. The transfer is made by TFTP (the -tftp keyword is optional, so a bare host:/target path is sent by TFTP), by FTP (-ftp) or, where shown, to the console (-console).

export cert_request:
export cert_request <CERT_ID> [-tftp] <host:/target/file_name> | -ftp <[user[:passwd]@]host:/target/file_name> | -console
# ex: export cert_request 20001 10.10.0.100:/RS/cert/20001.req

export log:
export log [all|alarms|events|traffic|ras_user|p1sa|p2sa] [-tftp] <host:/target> | -ftp <[user[:passwd]@]host:/target>

export xml:
export xml [-tftp] <host:/target/file_name> | -ftp <[user[:passwd]@]host:/target/file_name> | -console

export ip:
export ip {blocked|allowed} [-tftp] <host:/target/file_name> | -ftp <[user[:passwd]@]host:/target/file_name>

NOTE
Both TFTP and FTP move the exported data, and any FTP password typed after -ftp, across the network in clear text, and the complete command line, password included, stays readable in this level's history buffer (see Reviewing the recently used commands on page 11). Run these transfers over a trusted management network and use a transfer account that has no other privileges.

flush command
WG#admin<ENTER>
WG(admin)#flush

Effect
Resets all active connections, including SAs. Every open session and every IPSec tunnel is interrupted and must be re-established, so run this command outside production hours where you can.
Arguments
None.

ha_sync command
WG#admin<ENTER>
WG(admin)#ha_sync

NOTE
This command is available only if the WatchGuard appliance you are currently logged into has High Availability enabled (using the config-ha command), is the Master appliance, and is connected to another security appliance assigned to a backup role.

Effect
Initiates the WatchGuard Firebox Vclass security appliance hotsync process, which copies the complete profile (configurations and policies) from this appliance to the designated backup appliance. After you restart the backup appliance, your high availability system is ready and active.
Arguments
None
Example
WG(admin)#ha_sync<ENTER>

import command
The import command allows you to import certificates, a certificate revocation list (CRL), an XML profile, or a list of blocked or allowed IPs.

cert command
WG#admin<ENTER>
WG(admin)#import cert [-tftp] <host:/target/file_name> | -ftp <[user[:passwd]@]host:/target/file_name> | -console

Effect
Imports a certificate via one of several possible transfer methods.
Arguments
-tftp, -ftp or -console selects the transfer method.
Example
WG(admin)#import cert -ftp wg:wg@ftp.watchguard.com:/pub/cert/cert.p2<ENTER>

crl command
WG#admin<ENTER>
WG(admin)#import crl [-tftp] <host:/target/file_name> | -ftp <[user[:passwd]@]host:/target/file_name> | -console

Effect
Imports a certificate revocation list via one of several possible transfer methods.
Arguments
-tftp, -ftp or -console selects the transfer method.
Example
WG(admin)#import cr -ftp wg:wg@ftp.watchguard.com:/pub/cert/cert.p2<ENTER>

xml command
WG#admin<ENTER>
WG(admin)#import xml [-tftp] <host:/target/file_name> | -ftp <[user[:passwd]@]host:/target/file_name> | -console

Effect
Imports an XML profile via one of several possible transfer methods. Because a profile carries the appliance's configurations and policies, confirm where the file came from and that it has not been altered in transit before importing it; TFTP and FTP provide no integrity protection of their own.
Arguments
-tftp, -ftp or -console selects the transfer method.
Example
WG(admin)#import xml -ftp wg:wg@ftp.watchguard.com:/pub/xml/listfile.xml<ENTER>


ip command
WG#admin<ENTER>
WG(admin)#import ip {blocked|allowed} {override|merge} [-tftp] <host:/target/file_name> | -ftp <[user[:passwd]@]host:/target/file_name>

Effect
Imports a list of blocked or allowed IP addresses to the appliance database.
Prerequisites
The list of IP addresses must be a text file, formatted as follows. For a blocked IP, each line of the file contains:

<IPaddr> <mm/dd/yyyy> <hh:mm:ss>

<mm/dd/yyyy> specifies the month, day, and year, and <hh:mm:ss> the hour, minute, and second, at which the block expires. For example, a text file containing the following lines blocks these sites until the given expiration times:

12.11.12.15 8/14/2003 14:00:00
12.13.22.8 10/19/2004 1:21:05

To add blocked sites that do not expire, use only the IP address.
Arguments
blocked|allowed
Specifies whether to import the contents of the text file to the blocked IP list or to the allowed (exceptions) IP list.
merge|override
Merge adds the new IP addresses to the existing list. Override replaces all of the existing IP addresses with the addresses on the imported list; if you may need the current list again, save it first with export ip.
Example
WG(admin)#import ip blocked override -ftp 192.168.216.232:/tmp/blockedip.txt<ENTER>
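The import file format above is simple, but a malformed line or an already-expired timestamp costs a round trip to the appliance and, with override, can leave the list shorter than intended. The following Python is an added example, not WatchGuard code or part of this guide: it parses and validates a blocked-IP list file, reports which entries are still in force at a given moment, and renders a new file, refusing entries whose expiry is already past. The two dated lines are the guide's own sample; the third, permanent entry (192.0.2.9) is constructed for the example. Whether the appliance accepts the zero-padded dates this code emits is an assumption; the guide's own sample is unpadded, which the parser also accepts.

```python
"""Parse, check and write the text file used by 'import ip blocked ...'
(added example, not WatchGuard code).

One entry per line:
    <IPaddr>                          permanent block
    <IPaddr> <mm/dd/yyyy> <hh:mm:ss>  block until that moment
The guide's sample uses unpadded fields (8/14/2003 14:00:00), so the
parser accepts both padded and unpadded dates and times.
"""
import ipaddress
from datetime import datetime

TIME_FORMAT = "%m/%d/%Y %H:%M:%S"

# The first two lines are the sample from this guide; the third is a
# constructed permanent entry (no expiry).
SAMPLE_LIST = """\
12.11.12.15 8/14/2003 14:00:00
12.13.22.8 10/19/2004 1:21:05
192.0.2.9
"""


def parse_timestamp(date, time):
    """'8/14/2003', '14:00:00' -> datetime; strptime tolerates unpadded
    fields."""
    return datetime.strptime(f"{date} {time}", TIME_FORMAT)


def parse_line(line):
    """Return (ip, expiry); expiry is None for a permanent block."""
    fields = line.split()
    if len(fields) == 1:
        return ipaddress.ip_address(fields[0]), None
    if len(fields) == 3:
        return ipaddress.ip_address(fields[0]), parse_timestamp(*fields[1:])
    raise ValueError(f"expected '<ip>' or '<ip> <date> <time>': {line!r}")


def parse_file(text):
    """Parse a whole file; blank lines are skipped, and any bad line raises
    with its line number so it can be fixed before the import."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            entries.append(parse_line(line))
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {exc}") from None
    return entries


def active_at(entries, now):
    """Entries still in force at 'now': permanent ones, or expiry later."""
    return [(ip, exp) for ip, exp in entries if exp is None or exp > now]


def format_line(ip, expiry=None):
    """Render one entry; dates are zero-padded (assumed acceptable)."""
    ip = ipaddress.ip_address(ip)
    return str(ip) if expiry is None else f"{ip} {expiry.strftime(TIME_FORMAT)}"


def build_file(blocks, now):
    """Render a list for import, refusing entries that would already have
    expired at 'now', since such a line can only be a mistake."""
    lines = []
    for ip, expiry in blocks:
        if expiry is not None and expiry <= now:
            raise ValueError(f"{ip}: expiry {expiry} is already in the past")
        lines.append(format_line(ip, expiry))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    now = parse_timestamp("01/01/2004", "00:00:00")
    for ip, expiry in active_at(parse_file(SAMPLE_LIST), now):
        print(ip, "until", expiry or "removed by hand")
```

Run parse_file over a list before every import, and build_file from your own records when regenerating one; with override the file replaces the whole list, so a single bad line is the difference between a complete block list and none.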

operation_mode command
WG#admin<ENTER>
WG(admin)#operation_mode <normal|FIPS|common_criteria>

Effect
Changes the system mode to operate in normal, FIPS, or Common Criteria (CC) mode.

FIPS mode
FIPS 140-2 is a standard that describes government requirements that cryptographic hardware or software products must meet. FIPS certification is required for products that are sold to the government. FIPS mode disables or changes the following functionality:
- Shell access is disabled (for example, sucode).
- Unprotected remote access is disabled, including telnet and SSH. Logging in to the box then requires a physical connection to the console port.
- Non-qualified algorithms are disabled (MD5).
- SSL 3.0 is disabled. Support for TLS is still included.
- A direct crypto interface to the Rapidcore and other crypto modules is provided for the startup crypto self-test, and random number generation can be tested.
- Object reuse is avoided. Keys are zeroed out when they are no longer in use.

Common Criteria (CC) mode
Common Criteria (CC) defines a language for defining and evaluating information technology security systems and products. The framework provided by Common Criteria allows US government agencies and other groups to define sets of specific requirements. IT security products purchased by the US Government for National Security Systems, which handle classified and some non-classified information, are required to be Common Criteria certified. Common Criteria mode conforms to the EAL4 level. Common Criteria mode disables or changes the following functionality:
- HTTPS uses 3DES-SHA1 encryption only.
- User login failure count can be configured, and users can be locked out after the failure count is met. See account command on page 28 for more information.

passwd command
WG#admin<ENTER>
WG(admin)#passwd <current password><ENTER>

Effect
Replaces the current admin super user access password with a new one. This command initiates a several-step process in which you are prompted to enter the new password twice before it takes effect. See Process, immediately following, for details.
Process
Type a space, then the text of the current password, after the command. When you press <ENTER>, a New password: prompt is displayed, at which you type the new password, using between 6 and 20 characters. Use a password close to the 20-character maximum; together with the login limits set by the account command (page 28), it is all that stands between the login prompt and superadmin access.

NOTE
ALERT: No text appears on-screen as you type.

When you press <ENTER> to submit the new password text, a Reconfirm password: prompt is displayed. Retype the same text (again, no text appears on-screen). When you press <ENTER>, the new password is confirmed and stored in the appliance, then immediately put into effect.
Example
WG(admin)#passwd <current password><ENTER>
New password: *<ENTER>            # Remember, no text appears when you type.
Reconfirm password: *<ENTER>
Password change completed!
WG(admin)#

NOTE
Remember to write the new password down and store the note in a safe place. If you forget the password and lose the note, contact WatchGuard for assistance.

reboot command
WG#admin<ENTER>
WG(admin)#reboot

Effect
Shuts down, then restarts this WatchGuard Firebox Vclass security appliance. You are automatically logged out of the appliance, but after a few minutes (and a considerable display of status messages), the main login prompt appears. You can log in again at this time.
Arguments
None.

restore default command
WG#admin<ENTER>
WG(admin)#restore_default

Effect
Reinitializes this appliance and restores the original factory default configuration. Once this process is complete, you can log in again, then start over with appliance installation, configuration and policy creation, either by manual entry or by importing a profile from another appliance.
Arguments
None.
Results
After applying this command, the CLI immediately displays a series of "restoring" status messages, along with "please wait" messages. When the restoration is complete, the main login prompt appears. You can now log into the appliance with the user name admin and the password admin to begin reconfiguration. Because the default password is restored along with the configuration, change it (see passwd command on page 36) before the appliance is reachable from any untrusted network.

shutdown command
WG#admin<ENTER>
WG(admin)#shutdown

Effect
Shuts down this WatchGuard appliance. You are automatically logged out of the appliance, at which time you can break the CLI connection.
Arguments
None.

upgrade command
WG(admin)#upgrade
upgrade [-tftp] <host:/target/upgrade.rsu>
upgrade -ftp <[user[:passwd]@]host:/target/upgrade.rsu>

Effect
Upgrades the system software, using a .rsu file, from a specific location.
Example
upgrade -ftp wg:wg@ftp.watchguard.com:/patch/upgrade.rsu


CHAPTER 3

Configuration Mode Commands

All WatchGuard CLI commands are organized into groups, which are presented as specific command modes. This chapter covers the commands available in Configuration Mode.

Top-level configuration mode commands


The following catalog lists the top-level configuration mode commands, with a description of the arguments for each command and the values for each argument. Also included, where applicable, is the sequence of config commands necessary to reach a specific command level where a particular command can be entered and used.


Command            For more information
abort              See abort command on page 43.
address            See address command on page 43.
certificate        See certificate command on page 45.
commit             See commit command on page 45.
delete             See delete command on page 45.
denial_of_service  See denial_of_service command on page 46.
high_availability  See high_availability commands on page 47.
ike                See ike command on page 48.
interface          See interface command on page 49.
ipsec              See ipsec command on page 49.
license            See license command on page 49.
log                See log command on page 50.
nat                See nat command on page 54.
no                 See no command on page 56.
policy             See policy command on page 57.
qos                See qos command on page 60.
ras                See ras command on page 61.
rename             See rename command on page 61.
schedule           See schedule command on page 62.
service            See service command on page 63.
system             See system command on page 64.
trace              See trace command on page 64.
tenant             See tenant command on page 65.
tunnel_switch      See tunnel_switch command on page 65.
show               See history command on page 66.
history            See history command on page 14.
exit               See exit command on page 14.
top                See top command on page 15.


abort command
WG#config<ENTER>
WG(config)#abort

Effect
Aborts (erases) all system configuration changes made since the last use of the WG(config)#commit command. This empties the cache of to-be-committed changes and additions.
Arguments
None

address command
WG#config<ENTER>
WG(config)#address <"name"> [+] -host <a.b.c.d> [<a.b.c.d>] \
    -net <a.b.c.d/e> [<a.b.c.d/e>] \
    -range <a.b.c.d-a.b.c.d> [<a.b.c.d-a.b.c.d>] \
    -group <address_name> [<address_name>]

Effect
Creates a new address object or modifies an existing group, depending upon the use of the + character. This command must start with a new or existing name and can incorporate the following: (1) a single IP address, (2) a range of IP addresses, (3) a subnet, and (4) a group of existing address entries that you may want to combine into a single entity.
Arguments
<"name">
This argument notes a new name for this group. You can then type one or more of the following addressing arguments, depending upon the contents of this address.
-host <a.b.c.d> [a.b.c.d]
This argument notes a single IP address (omitting subnet information).
-net <a.b.c.d/e> [a.b.c.d/e]
This argument notes a single subnet IP address and subnet mask (representing all the individual IP addresses in that subnet).
-range <a.b.c.d-a.b.c.d> [<a.b.c.d-a.b.c.d>]
This argument notes a range of IP addresses.
-group <address_name> [address_name]
This argument notes a group of existing address entries that you want to combine into a single entity.
+
This character, when inserted in the command line in the proper location, allows you to add a new address member to an existing group. You must have the exact name of the group in its case-sensitive form prior to adding new entries.

Examples
WG(config)# address my_nets -host 10.10.1.1/16<ENTER>
# Creating a new address group with a single host
WG(config)# address my_nets -range 14.0.2.1-14.0.2.125<ENTER>
# Creating a new address group with a range of IP addresses
WG(config)# address my_nets + -net 10.29.0.0/16<ENTER>
# Add a new address to an existing address group
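The address objects above are only useful once a policy asks "does this packet's IP belong to the named group?" The following Python model is an added example, not WatchGuard code: it builds objects from the same -host, -net, -range and -group arguments (with + modelled as append=True), follows nested groups, and answers that membership question. The group names branch and all_sites, and the probe addresses, are constructed sample data. It also shows what the manual's -host 10.10.1.1/16 example actually matches: a host entry carries no subnet information, so the /16 is dropped and only 10.10.1.1 itself matches.

```python
# Added example (not WatchGuard code): a model of the address objects the
# `address` command builds, with a lookup that answers "is this IP covered by
# the named object?" the way a policy's source/destination match would need.
# All names and addresses below are constructed sample data.
import ipaddress
from dataclasses import dataclass, field


@dataclass
class AddressObject:
    """One named object: hosts, subnets, ranges and references to other objects."""
    name: str
    hosts: list = field(default_factory=list)    # IPv4Address entries
    nets: list = field(default_factory=list)     # IPv4Network entries
    ranges: list = field(default_factory=list)   # (first, last) IPv4Address pairs
    groups: list = field(default_factory=list)   # names of nested objects


class AddressTable:
    def __init__(self):
        self.objects = {}

    def address(self, name, *args, append=False):
        """Mirror of `address <name> [+] -host|-net|-range|-group <values>`.
        append=True stands for the + character: members are added to the
        existing object, whose name must match exactly (case-sensitive)."""
        if append:
            obj = self.objects[name]            # KeyError: no such group to extend
        else:
            obj = AddressObject(name)
            self.objects[name] = obj
        i = 0
        while i < len(args):
            opt, i = args[i], i + 1
            vals = []
            while i < len(args) and not args[i].startswith("-"):
                vals.append(args[i])
                i += 1
            if opt == "-host":
                # -host carries no subnet information, so any /mask is dropped
                obj.hosts += [ipaddress.ip_address(v.split("/")[0]) for v in vals]
            elif opt == "-net":
                obj.nets += [ipaddress.ip_network(v, strict=False) for v in vals]
            elif opt == "-range":
                for v in vals:
                    lo, hi = (ipaddress.ip_address(x) for x in v.split("-"))
                    if lo > hi:
                        raise ValueError(f"range {v} runs backwards")
                    obj.ranges.append((lo, hi))
            elif opt == "-group":
                for v in vals:
                    if v not in self.objects:
                        raise ValueError(f"group member {v} does not exist")
                    obj.groups.append(v)
            else:
                raise ValueError(f"unknown argument {opt}")
        return obj

    def contains(self, name, ip, _seen=None):
        """True if ip falls inside the named object, following nested groups.
        _seen guards against a group that (indirectly) contains itself."""
        ip = ipaddress.ip_address(ip)
        seen = set() if _seen is None else _seen
        if name in seen:
            return False
        seen.add(name)
        obj = self.objects[name]
        if ip in obj.hosts:
            return True
        if any(ip in net for net in obj.nets):
            return True
        if any(lo <= ip <= hi for lo, hi in obj.ranges):
            return True
        return any(self.contains(g, ip, seen) for g in obj.groups)


def demo():
    """Rebuild the manual's my_nets examples, nest them in a group and probe it."""
    t = AddressTable()
    t.address("my_nets", "-host", "10.10.1.1/16")
    t.address("my_nets", "-range", "14.0.2.1-14.0.2.125", append=True)
    t.address("my_nets", "-net", "10.29.0.0/16", append=True)
    t.address("branch", "-host", "192.0.2.7")                 # constructed
    t.address("all_sites", "-group", "my_nets", "branch")      # constructed
    probes = ("10.10.1.1", "10.10.1.2", "14.0.2.125", "14.0.2.200",
              "10.29.77.1", "192.0.2.7")
    return {ip: t.contains("all_sites", ip) for ip in probes}


if __name__ == "__main__":
    for ip, hit in demo().items():
        print(f"{ip:>12}  {'match' if hit else 'no match'}")
```

Running the block prints one line per probe; 10.10.1.2 is reported as no match even though it sits inside 10.10.1.0/16, which is the practical difference between -host and -net that the manual's example glosses over.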


certificate command
WG#config<ENTER>
WG(config)#certificate

Effect
Enters the certificate-configuration mode, at which point you can enter certificate-specific task commands and their arguments.
Arguments
None in this mode.
See Also
For more information about certificate mode commands, see Level 2 certificate configuration commands on page 67.

commit command
WG#config<ENTER>
WG(config)#commit

Effect
This command applies all uncommitted policy and system configuration changes and additions to the appliance.
Arguments
None

delete command
WG#config<ENTER>
WG(config)#delete <object_type "name">

Effect
Deletes a specifically named object, such as an address group, policy, action, or service.
Arguments
<"name">
This argument records the exact name of the to-be-deleted item.

Example
WG(config)#delete address exec_addresses<ENTER>
# This command deletes an address group named exec_addresses.
WG(config)#delete ike policy "HQ IKE"<ENTER>
# This command deletes an IKE policy named HQ IKE.

denial_of_service command
WG#config<ENTER>
WG(config)#denial_of_service \
    [no][-icmp [threshold]]          # threshold packet/s; default=1000
    [no][-syn [threshold]]           # threshold packet/s; default=5000
    [no][-udp [threshold]]           # threshold packet/s; default=1000
    [no][-pingofdeath]
    [no][-sourceroute]
    [no][-server_ddos [threshold]]   # threshold connection/s; default=100
    [no][-client_ddos [threshold]]   # threshold connection/s; default=100

Effect
Records your preferences for denial-of-service defense parameters. You can enter any or all of the customizable arguments listed below.
Arguments
[no][-icmp <threshold>]
Activates ICMP flood protection with a user-noted threshold, noted as packets per second; default = 1000.
[no][-syn <threshold>]
Activates TCP/SYN flood protection with a user-noted threshold; default = 5000.
[no][-udp <threshold>]
Activates UDP flood protection with a user-noted threshold; default = 1000.
[no][-pingofdeath]
Activates ping-of-death protection.
[no][-sourceroute]
Activates source route protection by disallowing source route options.
[no][-server_ddos <threshold>]
Activates server DDoS protection; the default threshold = 100, which controls the maximum number of connections permitted to any one server.
[no][-client_ddos <threshold>]
Activates client DDoS protection; the default threshold = 100, which controls the maximum number of connection requests permitted to a single client.
no
Enter this before any options you want to deactivate in this appliance, as shown above.

Example
WG(config)#denial -syn 1000 no udp<ENTER>
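To see what these thresholds mean in practice, the following Python block (an added example, not WatchGuard code) parses the command's arguments the way the manual describes them, including the defaults and the no prefix, and then applies the resulting thresholds to a constructed stream of packet records. The packet tuples, the addresses in them and the per-second bucketing are assumptions made for the demonstration; the manual does not describe how the appliance measures its rates.

```python
# Added example (not WatchGuard code): a per-second rate check that applies
# the denial_of_service thresholds to a constructed packet stream, so the
# defaults and the `no` prefix can be seen in action. Packet records are
# (second, kind, source_ip, dest_ip) tuples built inline; they are sample data.
from collections import defaultdict

D
EFAULTS = None  # placeholder removed below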

high_availability commands
High Availability commands will not be available to you if the WatchGuard appliance you are administering does not feature any HA ports. In addition, you need a High Availability feature license.

NOTE

Enter high availability configuration mode


WG#config<ENTER> WG(config)# high_availability

WatchGuard Command Line Interface Guide

47

CHAPTER 3: Configuration Mode Commands

Effect Enters the high availability (HA) configuration mode, at which point you can enter HA specific commands and their arguments. Arguments None in this mode. See Also For more information about HA mode commands, see Level 2 High Availability configuration commands on page 72.

Disable high availability mode


WG#config<ENTER> WG(config)#no high_availability

Effect Disables high availability if it is already in effect. Arguments None.

ike command
WG#config<ENTER> WG(config)#ike

Effect Enters the IKE configuration mode, at which point you can enter IKE-specific commands and their arguments. Arguments None in this mode. See Also For more information about IKE mode commands, see Level 2 IKE configuration commands on page 78.

48

WatchGuard Vclass 5.1

Top-level configuration mode commands

interface command
WG#config<ENTER> WG(config)#interface

Effect Enters the system interface configuration mode, at which point you can enter interface-specific commands and their arguments. Arguments None in this mode. See Also See Level 2 interface configuration commands on page 82 for details on specific interface mode commands.

ipsec command
WG#config<ENTER> WG(config)#ipsec

Effect Enters the IPSec configuration mode, at which point you can enter IPSec action- and proposalspecific commands and their arguments. Arguments None in this mode. See Also For more information about IPSec mode commands, see Level 2 IPSec configuration commands on page 95.

license command
WG#config<ENTER> WG(config)#license

WatchGuard Command Line Interface Guide

49

CHAPTER 3: Configuration Mode Commands

Effect Enters license parameter configuration mode, at which point you can enter license-specific commands and their arguments. Arguments None in this mode. See Also For more information about license mode commands, see Level 2 license commands (for upgraded or additional features) on page 117.

log command
no command (log level)
WG#config<ENTER> WG(config)#log<ENTER> WG(config-log)#no <event|remote_log_server|traffic>

Effect Disables logging for the specified log. Arguments None Example WG#config<ENTER> WG(config)#log<ENTER> WG(config-log)#no traffic

clear all command (log level)


WG#config<ENTER> WG(config)#log<ENTER> WG(config-log)#no <event|remote_log_server|traffic>

Effect Clears all logs.

50

WatchGuard Vclass 5.1

Top-level configuration mode commands

Arguments None Example WG#config<ENTER> WG(config)#log<ENTER> WG(config-log)#clear_all

diagnostics command (log level)


WG#config<ENTER> WG(config)#log<ENTER> WG(config-log)#diagnostics [ike <level>] #level=1-6 [cmm <level>] [ nm <level>] [pmm <level>] [ ha <level>]

Effect Runs log diagnostics for the specified feature. Arguments None Example WG#config<ENTER> WG(config)#log<ENTER> WG(config-log)#diagnostics ha 1

[no] event command (log level)


WG#config<ENTER> WG(config)#log<ENTER> WG(config-log)# [no] event <critical|error|warning|administration|inf o>

Effect Turns logging on (or off, if the command is preceded by no) for the specified error level. Arguments None

WatchGuard Command Line Interface Guide

51

CHAPTER 3: Configuration Mode Commands

Example
WG#config<ENTER> WG(config)#log<ENTER> WG(config-log)#event administration

[no] remote command (log level)


WG(config-log)#[no] remote <server_ip> [default] [-alarm <facility> <priority>] [-event <facility> <priority>] [-traffic <facility> <priority>] [-p1sa <facility> <priority>] [-p2sa <facility> <priority>] [-ras <facility> <priority>] # facility:= [auth|authpriv|cron|daemon|ftp|kern|lpr|ma il # |news|syslog|user|uucp|local0|local1|...|l ocal7] # priority:= [original|debug|info|notice|warning # |err|Crit|alert|emerg]

Effect Turns remote logging on or off for the specified logs and error levels. Arguments None Example
WG#config<ENTER> WG(config)#log<ENTER> WG(config-log)#remote 10.10.10.99 default

52

WatchGuard Vclass 5.1

Top-level configuration mode commands

[no] traffic command (log level)


WG#config<ENTER> WG(config)#log<ENTER> WG(config-log)#[no] traffic

Effect Turns the traffic log on or off. Arguments None Example


WG#config<ENTER> WG(config)#log<ENTER> WG(config-log)#traffic

history command (log level)


WG#config<ENTER> WG(config)#log<ENTER> WG(config-log)#history

Effect Shows up to the last 20 commands. Arguments None Example


WG#config<ENTER> WG(config)#log<ENTER> WG(config-log)#history

rename command (log level)


WG#config<ENTER> WG(config)#log<ENTER> WG(config-log)#rename address rename address groups ike rename IKE actions/ policies ipsec rename IPSec actions/ proposals

WatchGuard Command Line Interface Guide

53

CHAPTER 3: Configuration Mode Commands

nat policy policies qos ras schedule service

rename NAT actions rename security rename QoS actions rename RAS group rename schedule actions rename service groups

Effect Allows you to rename various items. See also See rename command on page 61.

nat command
WG#config<ENTER> WG(config)#nat <"name"> [-static_nat <external \ <address_group>><-internal <address_group>>]| \ [-vip <round_robin|wround_robin|random|wrandom| \ least_connection|wleast_connection> server [+] \ {<ip|address> <port> [weight]}>]

Effect Records a new NAT action for use in security policies. You can create one of three possible NAT actions, choosing from VIP, DNAT or Static NAT. Arguments <"name"> If this is to be a load-balancing or static NAT action, enter a short, distinctive name for this new action following the NAT command prompt.
-static_nat < -external <address group>> \ <-internal <address group>>

54

WatchGuard Vclass 5.1

Top-level configuration mode commands

(For one-to-one and subnet-to-subnet mapping) This argument specifies (1) that this is a static NAT action, and records the address groups associated with the internal and external sources. The address groups can be single IP addresses or subnets.
-vip <round-robin|wroundrobin|random|wrandom| \ least-connection|wleast-connection> | server [+] \ {<IP address> [IP address] <port> <weight>}> This argument specifies that this is a loadbalancing (virtual IP) NAT action, and records (1) the algorithm that will be applied and (2) the server addresses and port numbers. If a weighted algorithm is used, this argument adds (3) the perserver weight assignments.

The load-balancing algorithm argument values include the following entries:


round_robin: Denotes the round robin algorithm wround_robin: Denotes weighted round robin random: Denotes random wrandom: Denotes weighted random least_connection: Denotes least connection wleast_connection: Denotes weighted least connection

TIP If you are adding a new server/weight to an existing VIP NAT action, prefix the new server record with a + character. If you are entering the server argument, you must note (1) the IP address of the server, the port number it will watch and the proportion of traffic this server will be assigned, noted as a whole number.

WatchGuard Command Line Interface Guide

55

CHAPTER 3: Configuration Mode Commands

Note that dynamic NAT is already present in the WatchGuard database by default, and is ready for use in security policies. You can specify dynamic_nat as the NAT action when you create the appropriate policies

NOTE

Examples WG(config)#nat load_balancing vip wround server \ {10.10.0.100 80 1} {10.10.0.101 80 2} \ {10.10.0.102 80 3} WG(config)#nat natS -stat -ext pub1 -int \ web_server1

Record dynamic security policy IP NAT action


WG#config<ENTER> WG(config)#nat <"name"> [-dynamic_nat <a.b.c.d>]

Effect Records a new dynamic IP NAT action for use in security policies. You can create one of two possible DNAT options, choosing from the default IP address for interface 1 or a user-designated IP address Arguments <"IP Address"> If this is to be a user-designated IP address DNAT action, enter the IP address of your choice as the command argument. If you are using the default interface 1 IP address, enter that in the argument.

no command
WG#config<ENTER> WG(config)#no high_availability availability disable high

56

WatchGuard Vclass 5.1

Top-level configuration mode commands

Effect Disables the high availability feature. Arguments None Example WG#config<ENTER> WG(config)#no high_availability

policy command
WG#config<ENTER> WG(config)#policy policy <"name"> [<source> <destination> <interface num>] [-position <num>] [-firewall <pass|block|authenticate|reject>] [<-service|-tenant|-nat|-qos|-schedule|-ipsec [no] [bi_directional]> <] [<-tosF|-tosR> <bbbbbb>] # b is <0|1>;msb from left. [-log_per_policy [enable|disable] ] [-icmp_error_handling_per_policy [[global | all] | [[no] fragmentation_required] [[no] time_exceeded] [[no] network_unreachable] [[no] host_unreachable] [[no] port_unreachable] ] ] [-mss_adjustment_per_policy [auto|limit_to <num>|disable| use_global]]

Effect Allows you to create a new security policy or revise an existing policy, pending your selection of traffic specifications and actions. Note: you should have already created the needed address groups, schedules, actions and services before creating this new policy. Arguments <source> <destination> These two arguments record the source and

WatchGuard Command Line Interface Guide

57

CHAPTER 3: Configuration Mode Commands

destination address groups to which this policy will be applied.


<interface [0|1|2|3]> This argument records the interface this policy will apply to. [-position <num>] This argument records which numbered location this policy occupies in the policy table. [-firewall <pass | block | authenticate | reject>] This argument allows you to specify which firewall option to apply. [<-service|-tenant|-nat|-qos|-schedule\ |-ipsec[no][bi_directional]>] These arguments allow you to combine various preexisting actions in this one policy, including: -service: Enter the name of a service group after this argument. -tenant: Enter the name of a tenant object after this argument. -nat: Enter the name of a NAT action after this argument. -qos: Enter the name of a QoS action after this argument. -schedule: Enter the name of a schedule after this argument. -ipsec: Enter the name of an IPSec action after this argument. [{-tosF | -tosR} <bbbbbb>] This argument records the TOS marking direction and marking bit. bbbbbb represents the six bit

58

WatchGuard Vclass 5.1

Top-level configuration mode commands

positions that you can choose from. You pick a location and enter a 1 to mark that bit.
[-log_per_policy [enable|disable] ]

This argument allows you to enable or disable logging on a per-policy basis.


[-icmp_error_handling_per_policy [[global | all] | [[no] fragmentation_required] [[no] time_exceeded] [[no] network_unreachable] [[no] host_unreachable] [[no] port_unreachable] ]

This argument allows you to implement ICMP error handling per policy, and specify error handling options.
[-mss_adjustment_per_policy [auto| limit_to <num>|disable|use_global]]

This argument allows you to specify a per-policy TCP Maximum Segment Size. See mss_adjustment on page 112 for more information on these settings. To use the global settings, use the argument use_global. Examples WG(config)#policy Allow_Outbound Any Any \ interface 0 -firewall pass -nat DYNAMIC_NAT <ENTER>
WG(config)#policy HQ_BR_VPN HQ BR interface 0 \ -firewall pass -ipsec bi HQ_IPsec <ENTER> WG(config)#policy SJ_NY_VPN SJ NY interface 1 \

WatchGuard Command Line Interface Guide

59

CHAPTER 3: Configuration Mode Commands

-firewall pass -ipsec SJ_NY_IPSec <ENTER> WG(config)#policy SJ_LA_VPN \ -mss_adjustment_per_policy \ limit_to 1400 WG(config)#policy SJ_NY_VPN \ -icmp_error_handling_per_policy all WG(config)#policy SJ_NY_VPN -position 5 <ENTER>

The previous example shows a relocation of policy SJ_NY_VPN to the fifth position (row) in the policy table.
You can combine a range of actions (-vlan, -ipsec, nat, -schedule, etc.) in a single policy, as needed. For more information on policy action combinations, especially to determine what will and what wont work, see the User Guide.

NOTE

qos command
WG#config<ENTER> WG(config)#qos

Effect Enters the Quality of Service (QoS) configuration mode, at which point you can enter QoS actionspecific task commands and their arguments. Arguments None in this mode. See Also For more information about QoS mode commands, see Level 2 Quality of Service (QoS) configuration commands on page 100.

60

WatchGuard Vclass 5.1

Top-level configuration mode commands

ras command
WG#config<ENTER> WG(config)#ras

Effect Enters the remote access services (RAS) configuration mode, at which point you can enter RAS connection-specific commands and their arguments. Arguments None in this mode. See Also See Level 2 Remote Access Service (RAS) configuration commands on page 102 for details on specific RAS mode commands.

rename command
WG#config<ENTER> WG(config)#rename <object_type> <"old name"> \ <"new name">

Effect Substitutes a new name for an existing object name. Arguments <object_type> Use this argument to enter the type of object this name is applied to, whether (for example) an IPSec action, an address group, a RAS user profile, etc.
<old name> Use this command to enter the existing name. <new name> Use this command to enter the new name.

Example WG(config)#rename address eng_net engineering<ENTER>

WatchGuard Command Line Interface Guide

61

CHAPTER 3: Configuration Mode Commands

schedule command
WG#config<ENTER> WG(config)#schedule <name><enable|disable> [-all| \ -mon|-tue|-wed|-thu|-fri|-sat|-sun] {hr:min-hr:min \ [hr:min-hr:min ][hr:min-hr:min ][hr:minhr:min ]}<ENTER>

Effect Use this command to set up a schedule for use in the application of policies. Schedules can be set up for the same hours for every day or for different daily schedules, depending upon the arguments. Arguments <"name"> Type a short, descriptive name for this schedule.
<enable|disable> This argument specifies whether this schedule is currently active or not. -<day> This argument defines the days of the week. The values can either be noted as all for all seven days, or include any combination of days of the weekmon, tue, wed, thu, fri, sat, and sun. {hour:minute-hour:minute} This argument (which can be repeated for different blocks of time) should note a range of hours, such as 9:00-12:00 (which indicates 9:00am to Noon.) Be sure to wrap the range in curly brackets, as shown in the examples below. Hours must be converted to and noted in military time according to the 24-hour clock.

TIP A midnight start time should be entered as 0:00.

62

WatchGuard Vclass 5.1

Top-level configuration mode commands

Example WG(config)#schedule workdays -mon \ {8:00-12:00 13:00-19:00} (line break) fri \ {9:00-12:00} enable<ENTER> WG(config)#schedule 24_7 -all {0:0024:00}<ENTER>

service command
WG#config<ENTER> WG(config)#service <name> [+] \ <-single <protocol port> | \ -range <protocol port-port> | \ -group <service_group> >

Effect Records a new service entry (individual or group) for use in policies. The service must be noted as either a single service, a range of port numbers for a single service, or, as a group of existing related services. Arguments <"name"> Enter the name of this new service or group.
-single {<protocol> <port>} Use this argument to note the protocol and port number of a single service. -range {<protocol> <port-port>} Use this argument to note the protocol and two or more port numbers for a single service. -group {<service-group> [<servicegroup> \ <service-group>]}

WatchGuard Command Line Interface Guide

63

CHAPTER 3: Configuration Mode Commands

Use this argument to note the names of two or more related services.
+ Use this argument (the + character) to add an additional service to an existing group.)

Examples WG(config)# service ldap -single tcp 389 WG(config)# service my_app -range tcp 6000-6006 WG(config)# service my_app + -single udp 6010 WG(config)# service email -group "mail_SMTP" \ -group "POP3"<ENTER>

system command
WG#config<ENTER> WG(config)#system

Effect Enters system parameter configuration mode, at which point you can enter system-specific commands and their arguments. Arguments None in this mode. See Also For more information about system mode commands, see Level 2 System Configuration commands on page 107.

trace command
WG#config<ENTER> WG(config)#trace [ike <level>] #level=1-6 [cmm <level>] [ nm <level>] [pmm <level>] [ ha <level>]

64

WatchGuard Vclass 5.1

Top-level configuration mode commands

Effect Runs a trace for the specified object. Arguments None in this mode.

tenant command
WG#config<ENTER> WG(config)#tenant

Effect Enters the tenant configuration mode, at which point you can record a new tenant entry for either a VLAN or user-domain tenant. Arguments None in this level. See Also See Level 2 tenant configuration commands on page 119 for more information about the next level of tenant commands.

tunnel_switch command
WG#config<ENTER> WG(config)#tunnel_switch <enable|disable>

Effect Enables (or disables) the tunnel switching capability of this WatchGuard appliance, according to the specific argument. (Must be done before applying specific tunnel-switching security policies.) Arguments <enable | disable> The default state is disable. Example WG(config)#tunnel_switch enable<ENTER>

WatchGuard Command Line Interface Guide

65

CHAPTER 3: Configuration Mode Commands

history command
WG#config<ENTER> WG(config)#history

Effect Shows the last 20 commands exercised at this level of CLI. Note, too, that you can apply it at any level of the CLI. For example, you may apply the history command after extensive policy creation, and see a series of 20 commands, starting with 64 and ending with 83the most recent command being listed as 83. Arguments None Example WG(config)#history<ENTER> Results Executed Commands: 0 ike 1 address 2 address "pubs" -host 10.10.99.1 3 show address pubs 4 dos 5 denial WG(config)#

Second level configuration mode commands


The following sections detail the second-level configuration commands, has been divided into task or topical collections, which include the following: Level 2 certificate configuration commands on page 67

66

WatchGuard Vclass 5.1

Second level configuration mode commands

Level 2 High Availability configuration commands on page 72 Level 2 IKE configuration commands on page 78 Level 2 interface configuration commands on page 82 Level 2 IPSec configuration commands on page 95 Level 2 license commands (for upgraded or additional features) on page 117 Level 2 Quality of Service (QoS) configuration commands on page 100 Level 2 Remote Access Service (RAS) configuration commands on page 102 Level 2 System Configuration commands on page 107 Level 2 tenant configuration commands on page 119

Level 2 certificate configuration commands


request command (configure certificate level)
WG#config<ENTER> WG(config)#certificate <ENTER> WG(config-cert)#request <"name"> -company <"name"> \ [-country<"name">] [-department <"name">] -dns_name \ <"name"> [-ip_address <a.b.c.d>] [user_domain \ <admin@domain.com>] [-key_usage {<rsa|dsa> \ <1024|512> <encryption|signature|both>}]

Effect Generates a VPN certificate request that can be sent to a certifying authority. After executing this command (with the required arguments), you must cut the resulting certificate text and paste it into the relevant form: an e-mail message, a Web-site

WatchGuard Command Line Interface Guide

67

CHAPTER 3: Configuration Mode Commands

request or a text file, that you transmit to the proper authority. Arguments <"name"> This argument notes the host name of this appliance (omitting the remainder of the DNS entry.)
-company <"name"> This argument notes the name of your company or organization. -country <"name"> This argument notes the name (or official abbreviation) of your country's name. The default is US. -department <"text"> This optional argument notes the specific department name. -dns_name <"name"> This argument notes the fully qualified DNS name of this appliance. -ip_address <a.b.c.d> This argument notes the IP address of this appliances interface 1. -user_domain <"name"> This argument notes a user domain name, if any. -key_usage {<rsa|dsa> <1024|512> <encryption| \ signature|both>} This argument notes the key usage particulars, including RSA or DSA and the key length in bits. This argument also notes your choice of encryption or signature (or both.)

Example WG(config-cert)request -cert1 -com BigCompany \

68

WatchGuard Vclass 5.1

Second level configuration mode commands

-cou US -dns RS1.WatchGuard.com -key \ {rsa 1024 both}<ENTER>

If this command is successful, the CLI will prompt you to cut and paste the results into the appropriate means of submitting this request to the authority.

import command (configure certificate level)


WG#config<ENTER> WG(config)#certificate <ENTER> WG(config-cert)#import <"certificate text">

Effect Assists in the importing of the contents of a newlyreceived VPN or Web certificate into the WatchGuard appliance database. To import a certificate, you must open the certificate file and copy the text, then paste it into the command in the proper location, as shown in the following example. Arguments None. Examples WG(config-cert)# import<ENTER> Results On-screen instructions appear, as shown here.
Paste certificate below, then press Enter. -----BEGIN CERTIFICATE----MIIC1jCCAj+gAwIBAgIDBJYLMA0GCSqGSIb3DQE BBAUAMCgxCzAJBgNVBAYTAlVTMRkwFwYDVQQKEx BSYXBpZFN0cmVhbSBJbmMuMB4XDTAxMDIxOTA0M jAyNVoXDTAxMDUyMDA0MjAyNVowOzELMAkGA1UE BhMCVVMxGTAXBgNVBAoTEFJhcGlkU3RyZWFtQ8D CCtvvThQ2ug== -----END CERTIFICATE-----

WatchGuard Command Line Interface Guide

69

CHAPTER 3: Configuration Mode Commands

show command (configure certificate level)


WG#config<ENTER> WG(config)#certificate <ENTER> WG(config-cert)#show [cert_id]

Effect Displays the properties of a specific certificate or a certificate request. If no specific certificate argument is used, this command lists all the current certificates and pending certificate Arguments [cert_id] This optional argument records a specific certificate ID. Examples WG(config-cert)# show<ENTER>
OrdTYPE NAMESubjectCert idKeyAlgo 1 Pndg cn=a,o=WatchGuard,c=US cn=a,o=WatchGuard, c=20001 RSA 2 CA o=WatchGuard Inc.,c=US o=WatchGuard Inc., c=U 1075246528 RSA OR WG(config-cert)# show 20001<ENTER> Pending Certificate Name:cn=a,o=rapidstreaym,c=US Subject:cn=a,o=rapidstreaym,c=US Cert ID:20001 DNS Name:WatchGuard.com Key Algorithm:RSALength: 1024 Key Usage:both Issued by: Valid Period:-----BEGIN CERTIFICATE REQUEST----MIIBvzCCASgCAQAwMDELMAkGA1UEBhMCVVMxFTA TBgNVBAoTDHJhcGlkc3RyZWF5bTEKMAgGA1UEAx

70

WatchGuard Vclass 5.1

Second level configuration mode commands

MBYTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCg YEAuMih4lNe7UH8+DVTHRD2lTf+tYcCvWbExscA hhZd92ipnxdeelulzhhPj8ICcxnFTmVtkx70Dlp Sx5Do20rY+BqDgPjasG7wdeQDpT94KmbBYBjYbY tX1e1mukxXi546D2JNHYEqQJmTFTNYuono4eUNI 48LfLJQ5xZVj7cCAwEAAaBPME0GCSqGSIb3DQEJ DjFAMD4wCwYDVR0PBAQDAgWgMBMGA1UdJQQMMAo GCCsGAQUFCAICMBoGA1UdEQQTMBGCD3JhcGlkc3 RyZWFtLmNvbTANBgkqhkiG9w0BAQQFAAOBgQBFA tGzBt6JIK2SfOUjnFXTYS09N9kKPjYe9SMOgCkg K30SbOIcSdWK92liT93XxE+ZXGiqvtCe49YF4lS 0sqeF9ssFLlK8gOLYalT1K1uJqHkthVJosa06n0 wLDvFYsJNZ4Y7FayvTVQAp+5zBo+5mkkzsgN3q7 TlNR5B1zDrFA== -----END CERTIFICATE REQUEST-----

ssl command (configure certificate level)


WG#config<ENTER> WG(config)#certificate <ENTER> WG(config-cert)#ssl <ip|"name">

Effect Creates a Web (SSL) certificate request for this appliance. After the request is generated, you must copy-and-paste the text to a text file and send it to a third party CA as part of a formal request for a Web certificate. Arguments <ip|"name"> Use this argument to enter either the IP address or host name of this security appliance. Example WG(config-ssl)# ssl rs101<ENTER> Creating certificate request could take several minutes. Please wait
-----BEGIN CERTIFICATE REQUEST----MIIBbTCB1wIBADAQMQ4wDAYDVQQDEwVyczEwMTC BnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAyr

WatchGuard Command Line Interface Guide

71

CHAPTER 3: Configuration Mode Commands

3Tg/ jHZMiI9MaleoizYygY5rWtipDCUCmop6ZeR/ q8uhrhBDjikB6j02CMXQFE6eCWNFqC8CjzHqWY2 v+IPPoyDBOrfGHl4Icn8/ ZZNJIv4lXAeSmhDqSo9tqrUVKlyh/TD/ 6JF9x2v3GaVNUZEmk5+LTT/iEdCrehhr/ YfxECAwEAAaAeBHn/nu1msTyGjzqtP42IzQM/ 6YTj2uHMGPF/Y8FTYgCE -----END CERTIFICATE REQUEST-----

Level 2 High Availability configuration commands


show command (configure high availability level)

WG#config<ENTER>
WG(config)#high_availability <ENTER>
WG(config-ha)#show

Effect
Displays the configuration settings for any High Availability ports in this WatchGuard appliance.

Arguments
None

Example
WG(config-ha)#show<ENTER>
HA Type: Active_Active
Primary System Name   = 2026
Secondary System Name = 2027
No Shared Secret
Interfaces  Primary IP       Mask            Secondary IP     Mask            Monitoring
  0:        192.168.104.64   255.255.255.0   192.168.104.65   255.255.255.0   ON
  1:        192.128.134.32   255.255.255.0   192.128.134.33   255.255.255.0   ON
  2:        30.0.0.1         255.0.0.0       30.0.0.8         255.0.0.0       OFF
  3:        40.0.0.1         255.0.0.0       40.0.0.2         255.0.0.0       OFF
Advanced HA Parameters:
  HA1: Enabled   HA2: Disabled
  Primary    HA1 IP 1.0.0.1 netmask 255.255.255.0   HA2 IP 10.10.10.26 netmask 255.255.0.0
  Secondary  HA1 IP 1.0.0.3 netmask 255.255.255.0   HA2 IP 10.10.10.27 netmask 255.255.0.0
HA Status
  HA Role: Primary
  DB Time Stamp:  Primary: Thu Dec 5 16:38:58 2002   Secondary: Thu Dec 5 16:38:58 2002
  Status:         Primary: ACTIVE                    Secondary: ACTIVE


Enable high availability


WG#config<ENTER>
WG(config)#high_availability <ENTER>
WG(config-ha)$ [active_standby | active_active]
               [advanced]                Enter Advanced Setting Mode
               [disable]
               [hotsync]
               [monitor <[0] [1]...[N]> <ON|OFF>]
               [<primary|secondary> [interface N ip ] | [-name systemName2] ]
               [no][shared_secret secret1]
               show       show current configuration and statistics
               history    show command history
               exit       go back to parent level
               top        go back to root level

Effect
Enables high availability in WatchGuard appliances with one or more HA interfaces, and assists you in entering precise HA system settings.

Arguments
active_standby | active_active
    Turns high availability on in either Active/Standby mode or Active/Active mode. For more information on these modes, see the Vcontroller User Guide.
advanced
    Enters advanced High Availability configuration mode, which shows the following prompt:
    WG(config-ha-advanced)$
    For more information, see "High Availability advanced configuration mode" on page 77.
disable
    Disables High Availability.
hotsync
    Syncs the local appliance with its peer. In Active/Standby mode a hotsync should be performed every time the configuration of the Active box is changed. In Active/Active mode, a hotsync should only be performed during the initial setup, when the secondary appliance is in its factory default configuration.
monitor {1 & | 2}
    This optional command specifies which interface (1 or 2) you want this appliance to monitor for link status. (Note that the 0 (private) interface is always monitored.)
<primary|secondary> [interface N ip ] | [-name systemName2] ]
[no][shared_secret secret1]
ha1_interface <master_ip> <backup_ip> </prefix|mask>
    Configures the IP address of the HA1 interface of the master and backup appliances.
ha2_interface <master_ip> <backup_ip> </prefix|mask>
    Configures the IP address of the HA2 interface of the master and backup appliances, if needed.
<enable|disable>
    Activates or deactivates the HA system.
polling_interval <in seconds>
    This optional command sets the HA polling interval. The default value is 1 second, but you can increase it up to 15 seconds.
id <1-255>
    This optional command records the VRRP group ID for this HA pairing, if one has been assigned to it. The number must be between 1 and 255.

Example
WG(config-ha)# monitor {pub} poll 5<ENTER>

Apply high availability configuration changes


WG#config<ENTER>
WG(config)#high_availability <ENTER>
WG(config-ha)#exit

Effect
Initiates the process of saving and applying any just-completed HA interface configuration. You are asked to confirm that these changes should be committed; press Y to do so.

Arguments
None

Example
WG(config-ha)#exit<ENTER>
Commit (Y/N)?y<ENTER>
HA IP address is set to 12.10.1.2, please wait for it to take effect
WG(config-ha)#


High Availability advanced configuration mode


WG#config<ENTER>
WG(config)#high_availability <ENTER>
WG(config-ha)#advanced
WG(config-ha-advanced)# [action <local | peer> <failover | restart>]
                        [ha2 <enable | disable>]
                        [primary <ha1|ha2> ip </prefix|mask>]
                        [secondary <ha1 ip>| <ha2 ip </prefix|mask>>]
                        show       show current configuration and statistics
                        history    show command history
                        rename     rename an object
                        exit       go back to parent level
                        top        go back to root level

Effect
Allows you to configure advanced settings for High Availability.

Arguments
action <local | peer> <failover | restart>
    Allows you to manually fail over or restart the local or peer appliance of the HA pair. The local appliance is the one you are connected to; the peer is its HA partner.
ha2 <enable | disable>
    Allows you to enable the HA2 port for HA use. When this is enabled, and the HA2 ports are connected between the two appliances in addition to the HA1 ports, an added level of redundancy is ensured.
primary <ha1|ha2> ip </prefix|mask>
secondary <ha1 ip>| <ha2 ip </prefix|mask>>
    Sets the IP addresses and netmasks for the primary and secondary devices' HA ports.

Example
WG#config<ENTER>
WG(config)#high_availability <ENTER>
WG(config-ha)#advanced
WG(config-ha-advanced)#primary ha1 ip \
    10.10.10.11|255.255.0.0 \
    secondary ha1 ip 10.10.10.12

Level 2 IKE configuration commands


action command (configure IKE level)
WG#config<ENTER>
WG(config)#ike <ENTER>
WG(config-ike)#action <"name"> \
    <-main_mode|-aggressive_mode> [no] [-natt <enable|disable> [-natt_keepalive <seconds>] ] \
    [extended_authentication] [+] \
    -rsa {<g1|g2><des|3des><md5|sha><lifetime<min|hr> &|lifesize<KB|MB>>} \
    -dss {<g1|g2><des|3des><md5|sha><lifetime [min|hr]&|lifesize [KB|MB]>} \
    -preshared {<g1|g2><des|3des><md5|sha><lifetime [min|hr]|lifesize [KB|MB]}

Effect
Records a new IKE action, for use in IKE policies.

Arguments
<"name">
    Enter the name of this action before the remaining arguments.
<-main_mode | -aggressive_mode>
    This argument specifies your choice of mode.
[-natt <enable|disable> [-natt_keepalive <seconds>]]
    -natt enables or disables NAT Traversal (UDP encapsulation). -natt_keepalive specifies the time in seconds between keep-alive messages.
[extended_authentication]
    When present, this argument activates extended authentication, used for remote access connection requests.
-rsa {<g1|g2><des|3des><md5|sha><lifetime [min|hr]&|lifesize [KB|MB]>}
    This argument and its values detail the RSA IKE transform.
-dss {<g1|g2><des|3des><md5|sha><lifetime [min|hr]&|lifesize [KB|MB]>}
    This argument and its values detail the DSS IKE transform.
-preshared {<g1|g2><des|3des><md5|sha><lifetime [min|hr]&|lifesize [KB|MB]>}
    This argument and its values specify the pre-shared key IKE transform.

In all three of the preceding arguments, the following values are the options you can apply:

Option                     Description
g1 and g2                  the two Diffie-Hellman group options.
des|3des                   the two encryption algorithm options.
md5|sha                    the two hash (integrity) algorithm options.
Lifetime (minutes/hours)   a key lifetime setting, measured in time.
Lifesize (KB/MB)           a key lifetime, measured in kilo- or megabytes.

Example
WG(config-ike)#action my_act -main \
    rsa {g2 3des md5 10hr 100MB} {g1 des sha 45min} \
    dss {g2 3des sha 8hr}

policy command (configure IKE level)


WG#config<ENTER>
WG(config)#ike <ENTER>
WG(config-ike)#policy <"name"> <*|peer_address> -action <"ike_action_name"> \
    -peer <any | [-address <"name"> &|-domain <"name"> &|-user_domain <"usr@host"> &|-X.500 <"name">] > \
    [-local {<cert_id><ip_address|domain|user_domain|X500>}] \
    [-preshared <ascii_key|%hex_key> ] \
    [-position <number>]

Effect
Records a new IKE policy, including actions.

Arguments
<"name">
    Records a brief, descriptive name for this policy.
<*|peer_address>
    Either any peer (indicated by *) or the address group representing the peer appliance(s).
-action <ike_action>
    The name of the IKE action used by this policy.
-peer <any> | -address <name> &| -domain <name> &| -user_domain <user@host> &| -X.500 <string>
    Specifies the means of identifying the peer appliance from these five options. You can enter any as the sole option, or combine any of the following options (and values) in this argument:

    Option          Description
    -address        an address group used as the peer ID type.
    -domain         a domain name as the peer ID type.
    -user_domain    a user domain name as the peer ID type.
    -X.500          an X.500 name as the peer ID type.

[-local {<cert-id> <ip-address|domain|user-domain|X500>}]
    This optional argument specifies which ID type is used by this WatchGuard appliance. The argument takes the same form as for -peer, as noted above.
[-preshared <ascii_key|%hex_key>]
    This optional argument records the text of the pre-shared key, if one is used by this policy. You must enter the actual key text as either ASCII text or hexadecimal notation.
[-position <number>]
    Records the numeric position assigned to this policy in the IKE policy table.

Example
WG(config-ike)#policy "Remote Users" * action \
    remote_users -peer -domain WatchGuard.com \
    -user_domain WatchGuard.com -local {20001 domain}
WG(config-ike)#policy IKE_NY_SJ NY_Gateway \
    -action psk_main -peer any -preshared \
    "secret"<ENTER>

Level 2 interface configuration commands


Enter system interface configuration mode
WG#config<ENTER>
WG(config)#interface<ENTER>

Effect
Enters the system interface configuration mode.

Arguments
None. Review the rest of this section for related commands.

show command (configure interface level)

WG#config<ENTER>
WG(config)#interface<ENTER>
WG(config-if)#show

Effect
Displays the current network address settings for each of the main security appliance data interfaces: 0 (private), 1 (public) or 2 (DMZ, where applicable).

Arguments
None.

Example
WG(config-if)# show<ENTER>
The results appear as shown in this example:
interface 0:
    ip = 10.10.13.101   net mask = 255.255.0.0     status = UP    mac address = 00:01:21:10:01:e5
interface 1:
    ip = 16.10.203.121  net mask = 255.255.255.0   status = DOWN  mac address = 00:01:21:10:01:e6
interface 2:
    ip = 10.20.0.1      net mask = 255.255.255.0   status = DOWN  mac address = 00:01:21:10:01:e7

interface 0 command (configure interface level)


WG#config<ENTER>
WG(config)#interface<ENTER>
WG(config-if)#interface 0 [<a.b.c.d> </prefix|mask> [-mtu num]
    [-100_full_duplex | -100_half_duplex| -10_full_duplex|-10_half_duplex | -auto]] |
    [[no] dhcp_server -clients num [-lease_time num [hours|days]]]
    [dhcp_relay <a.b.c.d>]
# -lease_time default is 7 days

Effect
Use this command to configure the network identity of a WatchGuard appliance's interface 0 (Private).

Arguments
<a.b.c.d>
    Records the IP address assigned to this interface.
</prefix|mask>
    Records the number of bits in the subnet mask (for example, /16 is equivalent to the mask 255.255.0.0), or the actual subnet mask address.
-mtu num
    Sets the size of the Maximum Transmission Unit (MTU). The default is 1500 bytes.
[-100_full_duplex | -100_half_duplex| -10_full_duplex|-10_half_duplex | -auto]
    Specifies the speed and duplex setting at which the interface will operate.
[[no] dhcp_server -clients num [-lease_time num [hours|days]]]
    Activates the DHCP server service on this interface and specifies its settings, including the number of clients allowed DHCP access and the lease time for a DHCP address. The lease time default is 7 days. Put no in front of this argument to turn off the DHCP server on this interface.
[dhcp_relay <a.b.c.d>]
    Lets you use a separate DHCP server on your network to serve DHCP addresses, with the Vclass acting as a DHCP relay agent.

Example
WG(config-if)#interface 0 10.12.12.7 255.255.255.0 \
    -mtu 1500 -100_half_duplex no dhcp_server<ENTER>
or
WG(config-if)#interface 0 10.12.12.7/24 -mtu 1500 \
    -100_half_duplex no dhcp_server<ENTER>
or
WG(config-if)#interface 0 10.12.12.7/24 -mtu 1500 \
    -100_half_duplex dhcp_relay 10.0.0.253<ENTER>
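As an added example (not code from the WatchGuard guide or the Vclass firmware), the following Python parser reads an "interface 0" command line of the form documented above into a dictionary, normalising the </prefix|mask> argument so that "/16" and "255.255.0.0" come out the same, applying the documented defaults (MTU 1500, DHCP lease 7 days), and stripping the prompt, the <ENTER> marker and "\" continuations so the guide's own example lines can be fed in unchanged. The function names, and the choice of "days" as the unit when -lease_time is given without one, are this example's assumptions.

```python
"""
Parser for the 'interface 0' command syntax (added example, not from the
WatchGuard guide).  Returns a dict a configuration audit could compare
against the running appliance.
"""
import ipaddress
import re
import shlex

DUPLEX_FLAGS = {"-100_full_duplex", "-100_half_duplex",
                "-10_full_duplex", "-10_half_duplex", "-auto"}


def strip_cli(line):
    """Remove the WG(...)# prompt, <ENTER> and backslash continuations."""
    line = re.sub(r"^\s*WG\([^)]*\)#\s*", "", line)
    return line.replace("<ENTER>", "").replace("\\", " ").strip()


def address_and_mask(ip, spec):
    """spec is '/24' or a dotted mask; returns (ip, dotted mask, prefixlen).
    ipaddress accepts either form after the slash, which is what makes
    '/16' and '255.255.0.0' equivalent here."""
    if not spec.startswith("/"):
        spec = "/" + spec
    iface = ipaddress.ip_interface(f"{ip}{spec}")
    return str(iface.ip), str(iface.netmask), iface.network.prefixlen


def parse_interface0(line):
    """Parse one 'interface 0 ...' command into a configuration dict."""
    toks = shlex.split(strip_cli(line))
    if toks[:2] != ["interface", "0"]:
        raise ValueError("not an 'interface 0' command")
    # Documented defaults: MTU 1500; duplex assumed -auto when not given.
    cfg = {"mtu": 1500, "duplex": "-auto", "dhcp_server": None, "dhcp_relay": None}
    i = 2
    if "/" in toks[i]:                          # a.b.c.d/prefix form
        ip, spec = toks[i].split("/", 1)
        spec, i = "/" + spec, i + 1
    else:                                       # a.b.c.d mask form
        ip, spec, i = toks[i], toks[i + 1], i + 2
    cfg["ip"], cfg["netmask"], cfg["prefixlen"] = address_and_mask(ip, spec)

    while i < len(toks):
        t = toks[i]
        if t == "-mtu":
            cfg["mtu"], i = int(toks[i + 1]), i + 2
        elif t in DUPLEX_FLAGS:
            cfg["duplex"], i = t, i + 1
        elif t == "no" and toks[i + 1:i + 2] == ["dhcp_server"]:
            cfg["dhcp_server"], i = {"enabled": False}, i + 2
        elif t == "dhcp_server":
            # Lease default is 7 days per the guide; unit-less value assumed days.
            srv = {"enabled": True, "clients": None, "lease_time": (7, "days")}
            i += 1
            while i < len(toks) and toks[i] in ("-clients", "-lease_time"):
                if toks[i] == "-clients":
                    srv["clients"], i = int(toks[i + 1]), i + 2
                else:
                    n, i = int(toks[i + 1]), i + 2
                    unit = "days"
                    if i < len(toks) and toks[i] in ("hours", "days"):
                        unit, i = toks[i], i + 1
                    srv["lease_time"] = (n, unit)
            if srv["clients"] is None:
                raise ValueError("dhcp_server requires -clients num")
            cfg["dhcp_server"] = srv
        elif t == "dhcp_relay":
            # Validate the relay target as an IPv4 address before accepting it.
            cfg["dhcp_relay"], i = str(ipaddress.IPv4Address(toks[i + 1])), i + 2
        else:
            raise ValueError(f"unexpected token {t!r}")
    return cfg
```

Feeding the three example lines above through parse_interface0 yields identical ip/netmask/prefixlen fields for the dotted-mask and /24 forms, which is the check an auditor wants before trusting either spelling in a saved configuration.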

private command (configure interface level, V10 only)


WG#config<ENTER>
WG(config)#interface<ENTER>
WG(config-if)#private <a.b.c.d> </prefix|mask> [no] dhcp_server -clients NUMBER [-lease_time NUMBER]

Effect
Use this command to configure DHCP server options assigned to a WatchGuard V10 appliance's Private (0) interface.

Arguments
<a.b.c.d>
    Records the IP address assigned to this interface.
</prefix|mask>
    Records the number of bits in the subnet mask, or the subnet mask itself.
dhcp_server
    Enter this argument to activate the DHCP server service on this appliance.
-clients NUMBER
    The number of clients permitted DHCP access.
-lease_time NUMBER
    The lease time for all client connections, recorded in minutes.
[no] dhcp_server
    Enter this form to disable any previously active DHCP service.

Example
WG(config-if)#private 192.168.1.1 255.255.255.0 dhcp_server \
    -clients 3 -lease_time 60<ENTER>

interface 1 command (configure interface level)


WG#config<ENTER>
WG(config)#interface<ENTER>
WG(config-if)# interface 1 [<a.b.c.d> </prefix|mask> | [-mtu num] |
    [-100_full_duplex | -100_half_duplex| -10_full_duplex|-10_half_duplex | -auto]] |
    [dhcp [host_id]] |
    [pppoe -user "name" -password "password" [<-dial_on_demand|-always_on> <num>]]
        [-unnumbered_pppoe <a.b.c.d>|disable]] |
    [backup [ip <a.b.c.d> mask <a.b.c.d> gateway <a.b.c.d> ] | [dhcp [host_id] ] |
        [pppoe -user "name" -password "password"] [-unnumbered_pppoe <a.b.c.d>|disable]] |
        [disable] | [switch_to_backup] |
        [tracking -remove|-add <a.b.c.d> -interval <seconds> -timeout <seconds>
            -pause_before_failback <minutes> ] ]
#num is either auto reconnect delay in seconds.
#or if dial_on_demand, the idle timeout in minutes.
#ex: inter 1 pppoe -use u1 -pas xxxxx -dial 20
#backup PPPoE connection only supports ALWAYS_ON.

Effect
Use this command to configure the network identity of a WatchGuard appliance's interface 1 (Public), if it is a publicly routable, fixed IP address.

Arguments
<a.b.c.d>
    Records the IP address assigned to this interface.
</prefix|mask>
    Records the number of bits in the subnet mask (for example, /16 is equivalent to the mask 255.255.0.0), or the actual subnet mask address.
[-mtu num]
    Sets the size of the Maximum Transmission Unit (MTU). The default is 1500 bytes.
[-100_full_duplex | -100_half_duplex| -10_full_duplex|-10_half_duplex | -auto]
    Specifies the speed and duplex setting at which the interface will operate.
[dhcp ["host_id"]]
    Obtains the IP address of interface 1 using DHCP.
[pppoe -user "name" -password "password"]
    Sets interface 1 to PPPoE. If the password contains the pound (#) character, it must be placed in double quotes.
[<-dial_on_demand|-always_on> <num>]
    Sets PPPoE to Dial-on-Demand or Always On mode. The meaning of <num> differs in each mode. For Dial-on-Demand mode, this number is the inactivity timeout interval in minutes (default is 20 minutes). For Always On mode, this number is the auto-reconnect interval in seconds (default is 60 seconds).
[-unnumbered_pppoe <a.b.c.d>|disable]
    Enables unnumbered PPPoE. For more information on unnumbered links, see RFC 1812 section 2.2.7.
[backup [ip <a.b.c.d> mask <a.b.c.d> gateway <a.b.c.d> ] | [dhcp [host_id] ] | [pppoe -user "name" -password "password"] [unnumbered_pppoe <a.b.c.d>|disable] [disable] [switch_to_backup]
    Enables a Backup WAN connection for interface 1, for systems that have unreliable ISPs or network providers. You can configure the failover connection as static, by typing the IP address, netmask, and gateway; as DHCP, using the [dhcp ["host_id"]] syntax; as PPPoE (always on), using the [pppoe -user "name" -password "password"] syntax; or as unnumbered PPPoE, using the [unnumbered_pppoe <a.b.c.d>|disable] syntax. You can disable the backup connection with the [disable] option, and switch to the backup connection with the switch_to_backup command.
[tracking -remove|-add <a.b.c.d> -interval <seconds> -timeout <seconds> -pause_before_failback <minutes> ]
    For systems that configure a Backup WAN connection using the failover command, these settings must be specified. You can add up to three IP addresses that are used to determine WAN failure. These addresses are used with the -interval and -timeout values to determine when the WAN connection has failed. -interval is the time that elapses between attempts to ping all three specified tracking addresses. -timeout is the time that can elapse before a ping attempt is considered failed. All three specified IP addresses must fail to respond to the ping attempt within the specified time for the WAN connection to be considered failed.

    In the event of failure, the WAN is switched over to the backup connection. This causes a brief interruption in processing while the system restarts. To prevent frequent restarts, the final parameter, -pause_before_failback, specifies the amount of time that must elapse between failovers.

Example
WG(config-if)#interface 1 10.10.12.8 \
    255.255.0.0 -mtu 1500 \
    -10_full_duplex<ENTER>
or
WG(config-if)#interface 1 10.10.12.8/16 -mtu 1500 -10_full_duplex <ENTER>

Example (PPPoE)
WG(config-if)#interface 1 pppoe \
    -user joeuser -password joepass \
    -always_on 60

Example (DHCP)
WG(config-if)#interface 1 dhcp dhcpsrvr

Example (Backup Connection)
WG(config-if)#interface 1 10.10.12.8 255.255.0.0 -mtu auto \
    -backup ip 10.10.24.16 mask 255.255.0.0 \
    gateway 10.100.99.1 tracking -add 124.12.15.16
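The failure test behind the tracking argument is easy to get wrong in a review (a single unreachable tracking host is not a WAN failure; all of them must miss the -timeout window in the same round), so here is an added simulation of that logic in Python. It is not code from the WatchGuard guide or the appliance. The guide names -pause_before_failback without spelling out the failback condition; this example assumes the link returns to the primary connection only when a later round succeeds and at least that many minutes have passed since the failover. The tracking addresses and ping replies are constructed inline, so nothing is sent on the wire.

```python
"""
Backup WAN tracking simulation (added example, not from the WatchGuard
guide).  Up to three tracking addresses are pinged every -interval seconds;
a reply later than -timeout seconds, or no reply, counts as failed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class TrackingConfig:
    addresses: List[str]          # one to three tracking addresses
    interval: int                 # seconds between ping rounds
    timeout: int                  # seconds before a ping is considered failed
    pause_before_failback: int    # minutes that must elapse before failing back

    def __post_init__(self):
        if not 1 <= len(self.addresses) <= 3:
            raise ValueError("tracking takes one to three addresses")


@dataclass
class WanState:
    active: str = "primary"               # "primary" or "backup"
    failover_at: Optional[int] = None     # simulated clock (s) of last failover
    events: list = field(default_factory=list)


def round_failed(cfg: TrackingConfig, replies: Dict[str, Optional[float]]) -> bool:
    """True only when every tracking address missed the -timeout window.
    replies maps address -> reply time in seconds, or None for no reply."""
    return all(replies.get(a) is None or replies[a] > cfg.timeout
               for a in cfg.addresses)


def run_tracking(cfg: TrackingConfig,
                 rounds: List[Dict[str, Optional[float]]]) -> WanState:
    """Replay ping rounds (-interval seconds apart); log failover/failback."""
    state = WanState()
    for n, replies in enumerate(rounds):
        now = n * cfg.interval
        failed = round_failed(cfg, replies)
        if state.active == "primary" and failed:
            state.active, state.failover_at = "backup", now
            state.events.append((now, "failover"))
        elif state.active == "backup" and not failed:
            # Assumed failback rule: primary is healthy again AND the
            # -pause_before_failback period has elapsed since failover.
            if now - state.failover_at >= cfg.pause_before_failback * 60:
                state.active = "primary"
                state.events.append((now, "failback"))
    return state


# Constructed scenario (addresses are made up): 10 s interval, 3 s timeout,
# 1 minute pause before failback.
EXAMPLE_CFG = TrackingConfig(["124.12.15.16", "124.12.15.17", "124.12.15.18"],
                             interval=10, timeout=3, pause_before_failback=1)
OK = {a: 0.5 for a in EXAMPLE_CFG.addresses}
ONE_DOWN = {"124.12.15.16": None, "124.12.15.17": 0.5, "124.12.15.18": 0.5}
ALL_DOWN = {"124.12.15.16": None, "124.12.15.17": 5.0, "124.12.15.18": None}  # 5.0 s > timeout
EXAMPLE_ROUNDS = [OK, ONE_DOWN, ALL_DOWN, OK, OK, OK, OK, OK, OK]

if __name__ == "__main__":
    result = run_tracking(EXAMPLE_CFG, EXAMPLE_ROUNDS)
    for t, event in result.events:
        print(f"t={t:3d}s {event}")
    print("active connection:", result.active)
```

In the constructed run the failover happens at t=20 s (third round, all three hosts down) and the failback not before t=80 s, even though the primary answers again from t=30 s, because the one-minute pause has to elapse first.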

interface 2 (DMZ) command (configure interface level)


WG#config<ENTER>
WG(config)#interface<ENTER>
WG(config-if)#interface 2 <a.b.c.d> </prefix|mask> [-mtu num]
    [-100_full_duplex | -100_half_duplex| -10_full_duplex|-10_half_duplex | -auto]

Effect
Use this command to configure the network identity of a WatchGuard appliance's interface 2 (DMZ), where applicable.

Arguments
<a.b.c.d>
    Records the IP address assigned to this interface.
</prefix|mask>
    Records the number of bits in the subnet mask (for example, /16 is equivalent to the mask 255.255.0.0), or the actual subnet mask address.
-mtu num
    Sets the size of the Maximum Transmission Unit (MTU). The default is 1500 bytes.
[-100_full_duplex | -100_half_duplex| -10_full_duplex|-10_half_duplex | -auto]
    Specifies the speed and duplex setting at which the interface will operate.

Example
WG(config-if)#interface 2 10.12.12.9 255.255.255.0 \
    -mtu 1500 -10_full_duplex<ENTER>
or
WG(config-if)#interface 2 10.12.12.9/24 -mtu 1500 \
    -10_full_duplex<ENTER>

interface 3 (DMZ2) command (configure interface level, V60 and V80 only)
WG#config<ENTER>
WG(config)#interface<ENTER>
WG(config-if)#interface 3 <a.b.c.d> </prefix|mask> [-mtu num]
    [-100_full_duplex | -100_half_duplex| -10_full_duplex|-10_half_duplex | -auto]

Effect
Use this command to configure the network identity of a WatchGuard appliance's interface 3, where applicable.

Arguments
<a.b.c.d>
    Records the IP address assigned to this interface.
</prefix|mask>
    Records the number of bits in the subnet mask (for example, /16 is equivalent to the mask 255.255.0.0), or the actual subnet mask address.
-mtu num
    Sets the size of the Maximum Transmission Unit (MTU). The default is 1500 bytes.
[-100_full_duplex | -100_half_duplex| -10_full_duplex|-10_half_duplex | -auto]
    Specifies the speed and duplex setting at which the interface will operate.

Example
WG(config-if)#interface 3 10.12.12.9 255.255.255.0 \
    -mtu 1500 -auto<ENTER>
or
WG(config-if)#interface 3 10.12.12.9/24 -mtu 1500 \
    -auto<ENTER>


ha1 command (configure interface level)


WG#config<ENTER>
WG(config)#interface<ENTER>
WG(config-if)#ha1 <a.b.c.d> </prefix|mask>

Effect
Use this command to configure the network identity of a WatchGuard appliance's High Availability 1 interface, when this interface is used for management access instead of HA functionality.

Arguments
<a.b.c.d>
    Records the IP address assigned to this interface.
</prefix|mask>
    Records the number of bits in the subnet mask, or the subnet mask itself.

Example
WG(config-if)#ha1 10.0.0.1 255.255.255.0<ENTER>
or
WG(config-if)#ha1 10.0.0.1/24<ENTER>

ha2 command (configure interface level)


WG#config<ENTER>
WG(config)#interface<ENTER>
WG(config-if)#ha2 <a.b.c.d> </prefix|mask>

Effect
Use this command to configure the network identity of a WatchGuard appliance's High Availability 2 interface, when this interface is used for management access instead of HA functionality.

Arguments
<a.b.c.d>
    Records the IP address assigned to this interface.
</prefix|mask>
    Records the number of bits in the subnet mask, or the subnet mask itself.

Example
WG(config-if)#ha2 10.0.0.1 255.255.255.0<ENTER>
or
WG(config-if)#ha2 10.0.0.1/24<ENTER>

mode command
WG(config-if)# mode router | transparent<ENTER>

Effect
Use this command to switch the appliance between Router mode and Transparent mode. An appliance can only be switched from Router mode (the default) to Transparent mode when it is in the factory default configuration state; you are prompted to restore the system to the factory default state when you attempt this switch. An appliance can be switched from Transparent mode to Router mode in any configuration condition. A restart is required for the mode switch to take effect.

Arguments
None

Example
WG(config-if)# mode router<ENTER>


Apply interface address changes to appliance


WG#config<ENTER>
WG(config)#interface<ENTER>
WG(config-if)#exit

Effect
Use this command to immediately apply any interface address changes to this appliance. The appliance reports status messages (as shown below) about the process.

Arguments
None

Example
WG(config-if)# exit<ENTER>
Commit (Y/N)?y<ENTER>

Results
interface 1 IP address is set to 16.10.203.121, please wait for it to take effect
WG(config)#

Level 2 IPSec configuration commands


action command (configure IPSec level)
WG#config<ENTER>
WG(config)#ipsec <ENTER>
WG(config-ipsec)#action <"name"> \
    < -tunnel_mode <*|peer_ip|address>| -transport_mode> \
    -auto_key [no] pfs_group <1|2> <"proposal_name"> [<"proposal_name">] \
    -manual_key \
        -esp <local_spi> <peer_spi> <des|3des> <ascii_key|%hex_key> <md5|sha> <ascii_key|%hex_key> \
        -ah <local_spi> <peer_spi> <md5|sha> <ascii_key|%hex_key>

Effect
Records a new IPSec action (manual key or automatic key), including one or more proposals that have been created beforehand.

Arguments
<"name">
    Type a unique name for this action.
<-tunnel_mode|-transport_mode>
    Determines whether this action uses tunnel mode or transport mode.
<*|peer IP address|address group>
    If you enter tunnel mode, you must then qualify it with one of the following: (1) enter "*" to indicate ANY source, (2) enter a specific peer appliance's IP address, or (3) enter the name of an address group containing the peer IP address.
-auto_key
    Enter this argument if this action uses an automatic key. Do not use -manual_key if using an automatic key. The following two arguments further qualify this automatic key exchange.
[no] pfs_group <1|2>
    If this action uses an automatic key, use this argument to specify which perfect forward secrecy option (Diffie-Hellman Group 1 or 2) will be used. If none is used, preface this argument with no.
<"proposal_name"> [<"proposal_name">]
    If this action uses an automatic key, use this argument to enter the IKE proposal names (one or more).
-manual_key
    Enter this argument if this action employs a manual key. (If so, do not use the -auto_key argument.) The following ten arguments (grouped around the ESP and AH algorithms) qualify this manual key exchange.
-esp
    Enter this argument if this action employs the ESP protocol for the manual key.
<local_spi>
    A unique number that represents the SPI of this appliance. The number must be between 256 and 65535.
<peer_spi>
    A different, unique number that represents the SPI of the peer security appliance. The number must be between 256 and 65535.
<des | 3des>
    Picks either the DES or 3DES encryption algorithm.
<ascii_key | %hex_key>
    The actual manual key text, in ASCII or hexadecimal notation.
-ah
    Enter this argument if this action employs the AH protocol for the manual key.
<local_spi>
    A unique number that represents the SPI of this appliance. The number must be between 256 and 65535.
<peer_spi>
    A different, unique number that represents the SPI of the peer security appliance. The number must be between 256 and 65535.
<md5|sha>
    Picks either the MD5 or SHA hash algorithm.
<ascii_key | %hex_key>
    The actual manual key text, in ASCII or hexadecimal notation.

Example
WG(config-ipsec)# action NY_IPSec tunnel \
    NY_Gateway -auto no pfs_group MAX_SECURITY \
    ESP-3DES<ENT ER>
# This command creates an auto-key IPSec action with a peer tunnel. The peer IP is NY_Gateway, there is no PFS, the first proposal is MAX_SECURITY and the second is ESP_3DES.
WG(config-ipsec)# action remote_user_ipsec \
    -tunnel * -auto pfs_group 1 ESP-3DES-MD5 \
    ESP-DES-MD5<ENTER>
# This command creates a tunnel mode, auto-key IPSec action for remote users. The peer tunnel IP is * (ANY), PFS uses DH group 1, and there are two proposals: ESP-3DES-MD5 and ESP-DES-MD5.
WG(config-ipsec)# action SJ_Man -tunnel \
    102.39.45.28 -man -esp 256 982 3des mankey<ENTER>
# This command results in a tunnel-mode, manual-key IPSec action with a peer tunnel IP address of 102.39.45.28. It uses ESP-3DES (local SPI is 256, peer SPI is 982) and the key text is mankey.
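The manual-key arguments above, and the <ascii_key|%hex_key> notation they share with the IKE policy command's -preshared argument, are the kind of input a configuration reviewer wants to check mechanically. The following Python parser is an added example (not code from the WatchGuard guide or the appliance) that validates the -manual_key argument list against the rules the text gives: SPIs lie in 256..65535, and the local and peer SPI of one protocol must differ. Two details are this example's assumptions: the <md5|sha> <key> part after the ESP encryption key is treated as optional because the guide's own SJ_Man example omits it, and the nominal key sizes behind the short_key flag (DES 8, 3DES 24, HMAC-MD5 16, HMAC-SHA-1 20 bytes) are standard values, not figures from the guide; the flag exists because the guide's 6-character example key would be padded or truncated by the appliance rather than used as a full-strength key.

```python
"""
Parser/validator for IPSec manual-key arguments and the ascii/%hex key
notation (added example, not from the WatchGuard guide).
"""
import binascii

SPI_MIN, SPI_MAX = 256, 65535
# Standard nominal key sizes in bytes (assumption; not stated by the guide).
NOMINAL_KEY_BYTES = {"des": 8, "3des": 24, "md5": 16, "sha": 20}


def decode_key(token):
    """Return key bytes from ASCII text or '%<hex digits>' notation.
    Also serves the IKE 'policy -preshared <ascii_key|%hex_key>' argument."""
    if token.startswith("%"):
        digits = token[1:]
        if not digits or len(digits) % 2:
            raise ValueError("hex key needs an even, non-zero number of digits")
        try:
            return binascii.unhexlify(digits)
        except binascii.Error as exc:
            raise ValueError(f"bad hex key: {exc}") from None
    return token.encode("ascii")


def spi_pair(local, peer):
    """Validate a <local_spi> <peer_spi> pair against the documented rules."""
    local, peer = int(local), int(peer)
    for spi in (local, peer):
        if not SPI_MIN <= spi <= SPI_MAX:
            raise ValueError(f"SPI {spi} outside {SPI_MIN}..{SPI_MAX}")
    if local == peer:
        raise ValueError("local and peer SPI must differ")
    return local, peer


def key_entry(algo, token):
    """Decode a key for algo and flag it if shorter than the nominal size."""
    key = decode_key(token)
    return {"algo": algo, "key": key,
            "short_key": len(key) < NOMINAL_KEY_BYTES[algo]}


def parse_manual_key(tokens):
    """tokens: the argument list after -manual_key, e.g.
    ['-esp', '256', '982', '3des', 'mankey'], optionally followed by
    '<md5|sha> <key>' and/or '-ah <local_spi> <peer_spi> <md5|sha> <key>'.
    Returns {'esp': {...}, 'ah': {...}} with only the protocols present."""
    result, i = {}, 0
    while i < len(tokens):
        t = tokens[i].lower()
        if t == "-esp":
            local, peer = spi_pair(tokens[i + 1], tokens[i + 2])
            enc = tokens[i + 3].lower()
            if enc not in ("des", "3des"):
                raise ValueError("ESP encryption must be des or 3des")
            entry = {"local_spi": local, "peer_spi": peer,
                     "enc": key_entry(enc, tokens[i + 4])}
            i += 5
            # Optional ESP authentication part (assumed optional, see lead-in).
            if i + 1 < len(tokens) and tokens[i].lower() in ("md5", "sha"):
                entry["auth"] = key_entry(tokens[i].lower(), tokens[i + 1])
                i += 2
            result["esp"] = entry
        elif t == "-ah":
            local, peer = spi_pair(tokens[i + 1], tokens[i + 2])
            hsh = tokens[i + 3].lower()
            if hsh not in ("md5", "sha"):
                raise ValueError("AH hash must be md5 or sha")
            result["ah"] = {"local_spi": local, "peer_spi": peer,
                            "auth": key_entry(hsh, tokens[i + 4])}
            i += 5
        else:
            raise ValueError(f"unexpected token {tokens[i]!r}")
    if not result:
        raise ValueError("manual key needs -esp and/or -ah")
    return result
```

Running the guide's SJ_Man arguments through parse_manual_key accepts the SPIs but reports short_key for the 6-byte 3DES key, which is the review finding a defender wants surfaced for any manual-key or pre-shared-key entry typed as plain ASCII.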


proposal command (configure IPSec level)


WG#config<ENTER>
WG(config)#ipsec <ENTER>
WG(config-ipsec)#proposal <"name"> [+] \
    [-antireplay_window [0|32|64]] \
    -esp {<des|3des|md5|sha><lifetime<min|hr>|lifesize<KB|MB>>} \
    -ah {<md5|sha><lifetime<min|hr>|lifesize<KB|MB>>}

Effect
Creates or modifies an IPSec proposal that can then be incorporated into IPSec actions (which can in turn be added to security policies).

Arguments
<"name">
    The name assigned to this new proposal.
-antireplay_window <0|32|64>
    This argument (and the required value) sets the anti-replay window size.
-esp {<des|3des> [md5|sha] <lifetime <min|hrs>|lifesize <KB|MB>>}
    To include an ESP transform in this proposal, type this argument plus the necessary values: algorithm, life size, life time.
-ah {<md5|sha> <lifetime <min|hrs>|lifesize <KB|MB>>}
    To include an AH transform in this proposal, type this argument plus the necessary values: algorithm, life size, life time.
+
    Type this character before entering a new transform that will be added to an existing IPSec proposal.

Examples
WG(config-ipsec)#proposal "new_prop1" antireplay \
    32 -esp {3des md5 10hrs} {des md5 5hr 10MB} -ah \
    {sha 34min 100MB}<ENTER>
# This example shows the creation of a new proposal.
WG(config-ipsec)# prop my_proposal + -ah \
    { sha 8hr }
# This example shows the addition of a new AH transform to an existing proposal.

Level 2 Quality of Service (QoS) configuration commands


action command (configure Quality of Service level)
WG#config<ENTER>
WG(config)#qos <ENTER>
WG(config-qos)#action <"name"> bandwidth_weight <1-100>

Effect
Records a new QoS action or modifies an existing action.

Arguments
<"name">
    This argument, immediately following the command, is the name assigned to this new QoS action.
-bandwidth_weight <1-100>
    This argument (and the required value) determines the level of QoS based on the WFQ algorithm.

Examples
WG(config-qos)#action high_QoS bandwidth 25<ENTER>
WG(config-qos)#action mid_QoS bandwidth 5<ENTER>
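To make the effect of bandwidth_weight concrete, here is an added Python model of the WFQ scheduler the argument feeds; it is not code from the WatchGuard guide or the appliance. The guide says only that the weight (1-100) sets the QoS level "based on the WFQ algorithm"; reading the weight as a proportional share of a congested link, and scheduling backlogged packets by virtual finish tag (the flow's previous finish tag plus packet size divided by weight, smallest tag sent first), is the textbook WFQ interpretation this example assumes. The flows and packet sizes are constructed inline, reusing the high_QoS and mid_QoS weights from the examples above.

```python
"""
Weighted fair queueing model for QoS bandwidth_weight values (added example,
not from the WatchGuard guide).
"""
from collections import deque


def bandwidth_share(weights):
    """Fraction of a saturated link each action receives when all are active."""
    total = sum(weights.values())
    return {name: w / total for name, w in weights.items()}


def wfq_schedule(weights, backlogs):
    """
    weights:  {action: bandwidth_weight}
    backlogs: {action: [packet_size_bytes, ...]} packets queued at time 0
    Returns the transmission order as (action, size) tuples.
    """
    queues = {a: deque(p) for a, p in backlogs.items() if p}
    last_finish = {a: 0.0 for a in weights}
    order = []
    while queues:
        # Finish tag of each flow's head packet; the lowest tag is sent next.
        # Ties are broken by action name so the order is deterministic.
        action = min(queues,
                     key=lambda a: (last_finish[a] + queues[a][0] / weights[a], a))
        size = queues[action].popleft()
        last_finish[action] += size / weights[action]
        order.append((action, size))
        if not queues[action]:
            del queues[action]
    return order


def bytes_sent(order, first_n=None):
    """Bytes per action over the first first_n transmissions (all if None)."""
    totals = {}
    for action, size in order[:first_n]:
        totals[action] = totals.get(action, 0) + size
    return totals


# Constructed backlog: the high-weight action has five 1000-byte packets
# queued, the mid-weight action three 200-byte packets.
EXAMPLE_WEIGHTS = {"high_QoS": 25, "mid_QoS": 5}
EXAMPLE_BACKLOG = {"high_QoS": [1000] * 5, "mid_QoS": [200] * 3}

if __name__ == "__main__":
    print(bandwidth_share(EXAMPLE_WEIGHTS))
    schedule = wfq_schedule(EXAMPLE_WEIGHTS, EXAMPLE_BACKLOG)
    print(schedule)
    # While both flows are backlogged the byte split follows the 25:5 weights.
    print(bytes_sent(schedule, 6))
```

With weights 25 and 5 the high_QoS action is entitled to 25/30 of a saturated link, and over the window in which both flows are backlogged the scheduler hands it 3000 bytes for every 600 bytes of mid_QoS traffic, the 5:1 ratio of the weights; once mid_QoS drains, high_QoS takes the whole link.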

Enable or disable port shaping for interface 0 or 1


WG#config<ENTER>
WG(config)#qos <ENTER>
WG(config-qos)#system [<interface 0|interface 1> <<num>Kbps|Mbps>] [enable|disable]

Effect
Enables (or disables) port shaping for either interface 0 (private) or interface 1 (public) of a WatchGuard appliance, and enters the general QoS value for that interface. The value entered is the sending throughput of that interface. To enable a system port-shaping action, the appliance automatically restarts in order to apply the policy.

Arguments
<interface 0 | interface 1>
    Use this argument to select one of these interfaces.
<<num>Kbps|Mbps>
    Use this argument to enter one unit, Kbps or Mbps, plus the appropriate number value.
<enable | disable>
    Use this argument to enter one of these options.

Example
WG(config-qos)#system interface 1 10Mbps enable<ENTER>
# This example shows a policy that restricts output throughput of the Public interface to 10 megabits per second.


Level 2 Remote Access Service (RAS) configuration commands


group_profile command (configure RAS level)
WG#config<ENTER>
WG(config)#ras<ENTER>
WG(config-ras)#group_profile <"name"> \
 [no][-address_pool <"address_group">] \
 [-dns <a.b.c.d>] [-session_time_out <number> <min|hr>] \
 [-idle_time_out <number> <min|hr>] \
 [-concurrent_logins_per_user <number>]

Effect Creates a new RAS group profile (or modifies an existing profile) that controls the connection parameters of all associated remote access user accounts.

Arguments
<"name"> This argument records a name for this group profile, which is used when creating individual user profile accounts.
[no] [-address_pool <"address_group">] This argument specifies the name of an address group containing the pool of internal IP addresses assigned to remote access connections.
[-dns <a.b.c.d>] This argument assigns a DNS server IP address to the remote users belonging to this group.
[-session_time_out <number> <min|hr>] This argument limits the total time any one account user can stay continuously logged into the network. The default time limit is 8 hours.
[-idle_time_out <number> <min|hr>] This argument sets the time limit for an inactive connection before it is automatically broken. The default is 15 minutes.
[-concurrent_logins_per_user <number>] This argument specifies the number of concurrent connections a user can establish. The default is 1.

Example
WG(config-ras)#group consultants address sjnet10 \
 -dns 134.12.33.2 -session 2 hr -idle 5 min con 1

user_profile command (configure RAS level)


WG#config<ENTER>
WG(config)#ras<ENTER>
WG(config-ras)#user_profile <"name"> \
 [enable|disable] \
 [-password "password"] \
 [-full_name <"name">] \
 [-group_profile "profile_name"] \
 [-pw_expiry <days|never>] \
 [-account_expiry <days|never>] \
 [-concurrent_logins <"number">]

Effect Enters a new remote access user account (or modifies an existing account) in an internal database in the WatchGuard appliance.

Arguments
<"name"> This argument records the login ID used by this remote user account, and should be between 1 and 15 characters in length.
<enable|disable> This argument activates (or deactivates) this account. The default state is enable.
<-password password> This argument records the initial password first used by this account, and should be between 6 and 8 characters in length.
[-full_name <name>] This argument notes the full name of the user, up to 15 characters in length.
[-group_profile profile_name] This argument specifies which user group profile applies to this user account. If omitted, the default setting is used.
[-pw_expiry <days|never>] This argument sets the number of days until the user's password expires. The default is 90 days.
[-account_expiry <days|never>] This argument sets the number of days until this account expires. The default lifetime is 180 days.
[-concurrent_logins <number>] This argument limits the number of concurrent connections this account user can establish. The default is 1.

Example
WG(config-ras)#user enable jdoe \
 -password jdsecret -full "John Doe" \
 -group admGroup -pw_expiry 60 -account 60 \
 -concurrent 1<ENTER>

Results To review and confirm your entries, type this command:
WG(config-ras)#show user jdoe<ENTER>

The results are displayed, similar to this example:

User Profile
Name = jdoe
Full Name = "John Doe"
Enabled
Description = ""
User Group Profile = admGroup
Password Expires at Sat May 19 15:40:40 2001
Password Expiry = 60 Days
Account Expires at Sat May 19 15:40:40 2001
Account Expiry = 60 Days
Concurrent Logins = 1

database command (configure RAS level)


WG#config<ENTER>
WG(config)#ras<ENTER>
WG(config-ras)#database <-internal| \
 -radius [<primary|[no] backup> \
 -ip <a.b.c.d> -secret <"name">] [-port <number>] \
 [-authentication <pap|secure_id>] \
 [-user_group <"name">]>

Effect Establishes whether the authentication database is stored on a RADIUS server or in this WatchGuard Firebox Vclass security appliance, then records the parameters of this database.

Arguments
-internal This argument specifies the use of an internal database within the WatchGuard appliance for RAS user authentication.
-radius This argument specifies the use of a RADIUS server as the host for a RAS user authentication database.

If you enter -radius, enter the following arguments:

<primary|[no] backup> This argument specifies whether the primary or the backup RADIUS server is being configured. You'll need to enter this command twice, to configure a primary and a backup server connection. To delete the configuration entries for a backup RADIUS server, enter the no backup argument.
-ip <a.b.c.d> This argument establishes the IP address of the RADIUS server that will be used.
-secret <password_text> This argument records the shared secret that allows this appliance to contact the database in the RADIUS server.
[-authentication <pap|secure_id>] This argument establishes which authentication method is used: PAP or SecurID.
[-port <number>] This optional argument records the RADIUS server port number, if needed.
[-user_group <"name">] This optional argument specifies the name of a user group profile used by RADIUS users. Be sure to use the user_group_profile command to control session time and idle timeout for RADIUS users.

Examples
WG(config-ras)#database -radius primary \
 -ip 12.10.1.2 -sec confidential \
 -auth secure_id -user_group exec_staff<ENTER>
WG(config-ras)#database internal<ENTER>
WG(config-ras)#database -radius backup \
 -ip 12.10.1.3 \
 -sec confidential<ENTER>
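The database command above points the appliance at a RADIUS server and a shared secret, but the page does not show what the appliance and the server actually exchange. The following is an added example, not WatchGuard code and not part of this Guide: a minimal RADIUS Access-Request / Access-Accept exchange per RFC 2865, with both the appliance (client) side and the server side simulated in one process. It shows how the PAP password is hidden with the shared secret, and why the client must verify the Response Authenticator before trusting an Access-Accept. The secret, user name, password, NAS address and user database are constructed values; the RFC attribute numbers are real.

```python
"""Added example (not WatchGuard code): the RADIUS Access-Request / Access-Accept
exchange that the appliance performs against the server configured with
'database -radius ...', built from RFC 2865. Client and server run in-process;
the shared secret, user name, password and NAS address are constructed values."""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4   # RFC 2865 attribute types


def _attr(atype, value):
    # Attribute = Type(1) Length(1, header included) Value
    return struct.pack("!BB", atype, len(value) + 2) + value


def _xor_chain(data, secret, authenticator, chain_on_output):
    """PAP password hiding (RFC 2865 5.2) and its inverse. Each 16-byte block is
    XORed with MD5(secret + previous ciphertext block); the first block uses the
    Request Authenticator. Hiding chains on the ciphertext it produces, unhiding
    chains on the ciphertext it received."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], key))
        out += block
        prev = block if chain_on_output else data[i:i + 16]
    return out


def hide_password(password, secret, authenticator):
    pw = password.encode()
    pw += b"\x00" * (-len(pw) % 16)          # pad to a multiple of 16 bytes
    return _xor_chain(pw, secret, authenticator, chain_on_output=True)


def unhide_password(hidden, secret, authenticator):
    plain = _xor_chain(hidden, secret, authenticator, chain_on_output=False)
    return plain.rstrip(b"\x00").decode("utf-8", "replace")


def build_access_request(ident, username, password, secret, nas_ip, authenticator=None):
    """Client side: Code(1) Identifier(1) Length(2) Authenticator(16) Attributes."""
    authenticator = authenticator or os.urandom(16)   # must be unpredictable
    attrs = (_attr(USER_NAME, username.encode())
             + _attr(USER_PASSWORD, hide_password(password, secret, authenticator))
             + _attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def parse_attrs(packet):
    """Return {type: value} for the attributes of a RADIUS packet."""
    attrs, pos, length = {}, 20, struct.unpack("!H", packet[2:4])[0]
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs


def build_response(code, request, secret, attrs=b""):
    """Server side: ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    head = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return head + hashlib.md5(head + request[4:20] + attrs + secret).digest() + attrs


def verify_response(response, request, secret):
    """Client side: a reply whose Response Authenticator does not verify under the
    configured secret (or whose Identifier does not match) is discarded, so a
    forged or mis-keyed Access-Accept never counts as a successful login."""
    if response[1] != request[1]:
        return False
    length = struct.unpack("!H", response[2:4])[0]
    attrs = response[20:length]
    expected = hashlib.md5(response[:4] + request[4:20] + attrs + secret).digest()
    return expected == response[4:20]


def simulate_exchange(username, password, client_secret, server_secret=None, user_db=None):
    """Run one exchange in-process. Returns (accepted, response_verified)."""
    server_secret = client_secret if server_secret is None else server_secret
    user_db = user_db if user_db is not None else {"jdoe": "jdsecret"}   # constructed
    request = build_access_request(7, username, password, client_secret, "12.10.1.1")
    # --- server side ---
    attrs = parse_attrs(request)
    name = attrs[USER_NAME].decode()
    plain = unhide_password(attrs[USER_PASSWORD], server_secret, request[4:20])
    code = ACCESS_ACCEPT if user_db.get(name) == plain else ACCESS_REJECT
    response = build_response(code, request, server_secret)
    # --- client side ---
    return code == ACCESS_ACCEPT, verify_response(response, request, client_secret)


if __name__ == "__main__":
    print(simulate_exchange("jdoe", "jdsecret", b"confidential"))            # (True, True)
    print(simulate_exchange("jdoe", "wrong", b"confidential"))               # (False, True)
    print(simulate_exchange("jdoe", "jdsecret", b"confidential", b"typo"))   # (False, False)
```

The third case is the one that matters operationally: when the secret on the appliance and on the server differ, the server cannot recover the password and the appliance cannot verify the reply, so both sides fail closed. A primary and backup server configured with different secrets would show exactly this symptom on failover.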


Level 2 System Configuration commands


Command                 For more information, see
dns                     dns command (configure system level) on page 108
cpm                     cpm command (configure system level) on page 108
fwuser                  fwuser command (configure system level) on page 109
icmp_error_handling     icmp_error_handling command (configure system level) on page 110
interface               interface command (configure system level) on page 110
ldap                    ldap command (configure system level) on page 110
log                     log command (configure system level) on page 111
mss_adjustment          mss_adjustment on page 112
ntp                     ntp command (configure system level) on page 113
route                   route command (configure system level) on page 113
snmp                    snmp command (configure system level) on page 114
sysinfo                 sysinfo command (configure system level) on page 115
tcp_syn_checking        tcp_syn_checking on page 116
vlan_forwarding         vlan_forwarding command (configure system level) on page 116
vpn                     vpn command (configure system level) on page 117
no                      No command on page 143
show                    Show command on page 144
history                 history command on page 14
rename                  Rename command on page 143
exit                    exit command on page 14
top                     top command on page 15

dns command (configure system level)


WG#config<ENTER>
WG(config)#system<ENTER>
WG(config-sys)#[no] dns <"domain_name"> \
 -server <a.b.c.d> [a.b.c.d]

Effect Records the domain name and the IP addresses of all relevant domain name servers.

Arguments
no This argument (when entered before the dns command) removes this DNS entry.
<"domain name"> This argument records the domain name of this security appliance.
<-server <a.b.c.d>> This argument records the IP address of the DNS server.

Example
WG(config)#dns my_company.com \
 -server 24.12.2.1<ENTER>

cpm command (configure system level)


WG#config<ENTER>
WG(config)#cpm <enable "text of password"|disable>

Effect Enables this appliance to be managed by means of the WatchGuard Centralized Policy Manager (CPM). You can also use this command to disable CPM as needed. If enabling CPM access, be sure to enter the CPM-access password immediately after the enable argument.

Arguments
enable Enter this argument to activate WatchGuard CPM access to this WatchGuard appliance.
<password_text> Enter the text of the CPM access password after enable.
disable Enter this argument if you have already established CPM access and want to disable the connection.

Example
WG(config)#cpm enable cpm_admit_1<ENTER>

fwuser command (configure system level)


WG#config<ENTER>
WG(config)#system <ENTER>
WG(config-sys)#fwuser -t <idle_timeout> [seconds|minutes]

Effect Allows you to change the value of the firewall user connection idle timeout. The system default is two hours, and the default unit is seconds.

Argument
-t <idle_timeout> [seconds|minutes]


icmp_error_handling command (configure system level)


WG#config<ENTER>
WG(config)#system <ENTER>
WG(config-sys)#icmp_error_handling [all] | [[no] fragmentation_required] \
 [[no] host_unreachable] [[no] time_exceeded] \
 [[no] port_unreachable] [[no] network_unreachable]

Effect Allows you to turn on ICMP error handling for all events, or only for the events you specify.

interface command (configure system level)


WG#config<ENTER>
WG(config)#interface

Effect Enters the interface configuration mode, at which point you can enter interface-specific commands and their arguments.
Arguments None in this mode.
See Also For more information on interface configuration mode, see Level 2 interface configuration commands on page 82.

ldap command (configure system level)


WG#config<ENTER>
WG(config)#system <ENTER>
WG(config-sys)#[no] ldap <"IP_address"|"name"> \
 [port_number]

Effect Activates (or deactivates) a network connection to an LDAP server that this security appliance uses to look up certificate revocation lists during IKE key negotiations.

Arguments
no This argument (when entered before the ldap command) deactivates this LDAP connection.
<a.b.c.d|"name"> [port_number] This argument notes the IP address (or domain name) of the LDAP server and its port number. You can enter either an IP address or a domain name; if the LDAP server port number is other than 389, you must enter it.

To enter a host name, you must first record the DNS server connection, as noted elsewhere in this Guide.

Example
WG(config-sys)#ldap 207.124.35.3 189<ENTER>

log command (configure system level)


WG#config<ENTER>
WG(config)#system <ENTER>
WG(config-sys)#log

Effect Enters the log configuration mode, at which point you can enter log file-specific commands and their arguments.
Arguments None in this mode.
See Also For more information about log mode commands, see Level 3 log configuration commands on page 124.


mss_adjustment
WG#config<ENTER>
WG(config)#system <ENTER>
WG(config-system)#mss_adjustment [auto | limit_to <num> | disable]
## limit_to range - 40-1460 bytes

Effect Sets the TCP Maximum Segment Size (MSS) for the system. This feature works in conjunction with the MTU settings to limit the size of packets, if configured. It overcomes the following problems:
- Oversized packets can result in fragmentation, degrading VPN performance.
- Proxies may require MSS adjustment to prevent fragmentation.
- Some older systems do not support MTU to regulate packet size.
This feature works along with MTU; it does not replace MTU.

Arguments
auto Auto adjustment calculates the MSS automatically, using the following steps:
- Determines the lesser value of the input port MTU and the output port MTU.
- Subtracts packet overhead, including IP and TCP addressing, VLAN, ESP, PPPoE, AH, and UDP encapsulation.
- Rounds the result down to the next lower multiple of 8 bits (8-bit aligned) to determine the size in bytes that is required for packet transmission. The result of this calculation is used as the MSS for the connection.
limit_to This limits MSS to the specified size in bytes. You can specify a value between 40 and 1640 bytes.
disable This specifies that no change be made to the TCP header. If you select this option, packets may fragment.

Example
WG#config<ENTER>
WG(config)#system <ENTER>
WG(config-system)#mss_adjustment limit_to 1400
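The auto calculation above is stated in prose only. The following is an added example, not WatchGuard code and not part of this Guide, that carries the three steps through in code and adds the check a practitioner actually cares about: whether a full-size segment under each mss_adjustment mode still fits the outgoing MTU once VPN encapsulation is added. The per-encapsulation header sizes are standard sizes assumed here (the page names the encapsulations but gives no sizes; the ESP figure assumes tunnel mode with an 8-byte IV and a 12-byte ICV); the rounding step is taken to mean a multiple of 8 bytes, and the limit_to range is the one on the page's syntax line.

```python
"""Added example (not WatchGuard code): the arithmetic the page describes for
'mss_adjustment auto', plus a check of whether a segment would fragment. The
per-encapsulation overhead sizes are standard header sizes assumed here; the
page names the encapsulations but gives no sizes."""

# Assumed overhead in bytes for each encapsulation the page lists.
OVERHEAD = {
    "ip": 20,      # IPv4 header, no options
    "tcp": 20,     # TCP header, no options
    "vlan": 4,     # 802.1Q tag
    "pppoe": 8,    # PPPoE header (6) + PPP protocol field (2)
    "udp": 8,      # UDP header used for NAT-T encapsulation
    "ah": 24,      # AH with a 96-bit ICV
    "esp": 50,     # assumed: outer IPv4 (20) + SPI/seq (8) + IV (8) + trailer (2) + ICV (12)
}
LIMIT_MIN, LIMIT_MAX = 40, 1460    # limit_to range given on the page's syntax line


def overhead_bytes(encaps=()):
    """IP and TCP headers always count; add whatever encapsulations the path uses."""
    return OVERHEAD["ip"] + OVERHEAD["tcp"] + sum(OVERHEAD[e] for e in encaps)


def auto_mss(in_mtu, out_mtu, encaps=()):
    """Steps from the page: min(input MTU, output MTU) minus overhead, rounded
    down to a multiple of 8 (assumed here to mean 8 bytes)."""
    mss = min(in_mtu, out_mtu) - overhead_bytes(encaps)
    return mss - (mss % 8)


def effective_mss(mode, in_mtu, out_mtu, encaps=(), limit=None, default_mss=1460):
    """Return the MSS a TCP SYN will carry under each mss_adjustment mode.
    With 'disable' the header is left as the end host set it (default_mss)."""
    if mode == "auto":
        return auto_mss(in_mtu, out_mtu, encaps)
    if mode == "limit_to":
        if limit is None or not LIMIT_MIN <= limit <= LIMIT_MAX:
            raise ValueError(f"limit_to must be {LIMIT_MIN}-{LIMIT_MAX} bytes")
        return min(limit, default_mss)   # a clamp: a smaller host MSS is left alone
    if mode == "disable":
        return default_mss
    raise ValueError(f"unknown mode {mode!r}")


def would_fragment(mss, out_mtu, encaps=()):
    """A full-size segment plus headers and encapsulation that exceeds the MTU
    fragments on the wire (the VPN performance problem the page describes)."""
    return mss + overhead_bytes(encaps) > out_mtu


if __name__ == "__main__":
    # An ESP tunnel between two 1500-byte Ethernet interfaces.
    for mode in ("disable", "auto"):
        mss = effective_mss(mode, 1500, 1500, ("esp",))
        state = "fragments" if would_fragment(mss, 1500, ("esp",)) else "fits"
        print(f"{mode:8} MSS={mss} -> {state}")
```

Run as written, the block shows the difference the page is driving at: with adjustment disabled a host's 1460-byte MSS plus ESP overhead exceeds the 1500-byte MTU, while the auto value (1408 under these assumed sizes) fits without fragmentation.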

ntp command (configure system level)


WG#config<ENTER>
WG(config)#system <ENTER>
WG(config-sys)#ntp

Effect Discuss effects Arguments Describe arguments.

route command (configure system level)


WG#config<ENTER>
WG(config)#system <ENTER>
WG(config-sys)#route

Effect Enters the system route configuration mode, at which point you can enter route-specific commands and their arguments.
Arguments None in this mode.
See Also For more information about route mode commands, see Level 3 route configuration commands on page 122.

snmp command (configure system level)


WG#config<ENTER>
WG(config)#system <ENTER>
WG(config-sys)#[no] snmp <a.b.c.d> [a.b.c.d] \
 [-community <"string">] [-trap|-no_trap]

Effect Records network connection data for all relevant SNMP management workstations that will receive traps generated by this security appliance.

Arguments
no This argument, if entered before the snmp command, removes/deactivates all recorded SNMP stations.
<a.b.c.d> This argument records the IP address of a specific SNMP workstation.
-community <"text_string"> This argument records the community string.
[-trap|-no_trap] This optional argument activates (or deactivates) the SNMP trap settings.

Example
WG(config-sys)#snmp 128.13.44.2 \
 -community 66gHf4D -trap<ENTER>

Results To view the results, type this command:
WG(config-sys)#show snmp<ENTER>


sysinfo command (configure system level)


WG#config<ENTER>
WG(config)#system <ENTER>
WG(config-system)#sysinfo <-name <"string"> &| \
 -location <"string"> &| -contact <"string">>

Effect Applies new system information to an existing security appliance, including the appliance name, the contact name, and the physical location of the appliance.

Arguments
-name <string> Use this argument to record the DNS name of this security appliance without the rest of the DNS entry.
-location <string> Use this argument to record the geographic location of this appliance.
-contact <string> Use this argument to record the name of the administrator.
-time <hh:mm:ss> Use this argument to set the system time.
-date <mm:dd:yy> Use this argument to set the system date.

Example
WG(config-sys)#sysinfo -name mucho \
 -loc "Lot 49" \
 -contact "O. Maas" -time 14:42:05 -date 10:15:02<ENTER>

To review and confirm your entries, type this command:

WG(config-sys)#show sysinfo<ENTER>

The complete results will appear as suggested here (in eight lines):
System name=mucho
System contact=O. Maas
System location=Lot 49
Version=4.0
SerialNum=<D0YXA0A0D408>

tcp_syn_checking
WG#config<ENTER>
WG(config)#system <ENTER>
WG(config-system)#tcp_syn_checking <enable|disable>

Effect Enables or disables TCP SYN checking.

vlan_forwarding command (configure system level)


WG#config<ENTER>
WG(config)#system <ENTER>
WG(config-sys)#vlan_forwarding [enable|disable]

Effect Allows you to enable (or disable) the system-wide VLAN forwarding capability.

Arguments
enable Turns on VLAN forwarding.
disable Turns off VLAN forwarding (if it is active).


vpn command (configure system level)


WG#config<ENTER>
WG(config)#system <ENTER>
WG(config-system)#vpn [[no] ignore_DF_for_IPSec] [[no] IPSec_pass_through]

Effect Allows you to set options for VPN.

Arguments
[no] ignore_DF_for_IPSec This allows large packets to be fragmented through the VPN tunnel. If you set this option, the appliance ignores the don't fragment (DF) bit.
[no] IPSec_pass_through This allows IPSec pass-through.

Level 2 license commands (for upgraded or additional features)


import command (config license level)
WG#config<ENTER>
WG(config)#license <ENTER>
WG(config-license)#import

Effect Imports a new license that upgrades or adds functionality to the appliance.
Arguments None

active_feature command (config license level)


WG#config<ENTER>
WG(config)#license<ENTER>
WG(config-license)#active_feature<ENTER>

Effect Lists all currently active extra features (obtained through licensing).
Arguments None

delete command (config license level)


WG#config<ENTER>
WG(config)#license<ENTER>
WG(config-license)#delete <license_id>

Effect Removes the named license from the appliance.
Arguments
<license_id> This argument records the exact ID of the license to delete.
Example None

show command (config license level)


WG#config<ENTER>
WG(config)#license<ENTER>
WG(config-license)#show <license_id>

Effect Displays a summary of the named license or lists all available licenses.

Arguments
None This will list all available licenses.
<license_id> This argument notes an ID for the license and will list the details of that license.

Example
WG#config<ENTER>
WG(config)#license<ENTER>
WG(config-license)#show

Ord  License Name         License ID  Expiration Date
1    V80_3DES_HA_Bundle   3293MXLD    17-05-2022

or

WG#config<ENTER>
WG(config)#license<ENTER>
WG(config-license)#show 3293MXLD
License Name: V80_3DES_HA_Bundle
License ID: 3293MXLD
Feature(s): HA 3DES UPGRADE
Expiration Date: 17-05-2022

Level 2 tenant configuration commands


vlan command (configure tenant level)
WG#config
WG(config)#tenant
WG(config-tenant)#vlan <"name"> <-id num> [-interface <0|2|3>] \
 [-ip a.b.c.d/e] [-gateway a.b.c.d] [-public <default|<a.b.c.d/e>>]
# valid vlan -id range (1-4094)
# -ip a.b.c.d/e if specified, the IP address/mask assigned for
# interface 0|2|3 (default is 0) of tenant
# e.g.> vlan v1 -id 3 -interface 0 -gate 10.1.0.1

Effect Records a new VLAN tenant entry, along with the appliance interface that VLAN tenant traffic is expected to use.

Arguments
<"name"> This argument records the name assigned to this VLAN tenant (for use in security policies).
<-id num> This argument records the VLAN ID as "id" followed by the number (between 1 and 4096) assigned to this tenant.
<-interface [0|2|3]> This argument specifies which interface (0, 2, or 3) this VLAN tenant is associated with.
[-ip a.b.c.d/e] This argument records the IP address and subnet assigned to the 0 (private) or 2 (DMZ) interface, if one of those is specified.
[-gateway a.b.c.d] This argument notes the gateway IP address for this tenant, if needed.
-public <default|<a.b.c.d/e>> This allows you to specify a public VLAN IP address and gateway.

Example
WG(config-tenant)#vlan <"execs"> -interface 1 192.168.12.34 \
 -id 366 <ENTER>

user_domain (configure tenant level)


WG#config<ENTER>
WG(config)#tenant<ENTER>
WG(config-tenant)#user_domain <"name"> <-id num> \
 [-public <default|<a.b.c.d/e>>] <-idle_time_out m> \
 <-radius_ip a.b.c.d> [-radius_port port] <-radius_secret 'secret'> \
 [-backup_radius_ip a.b.c.d] [-backup_radius_port port] \
 [-backup_radius_secret 'secret'] <-radius_timeout sec> <-radius_retry n> \
 [-use_login_id_with_domain_name <on|off>]
# valid user domain tenant -id must be from 5001 to 65535
# -idle_time_out m     Idle timeout. m is the number in minutes
# -radius_timeout sec  Time out for radius request
# -radius_retry n      number of retries for radius query

Effect Records a new VLAN-specific tenant entry, along with the appliance interface that VLAN tenant traffic is expected to use.

Arguments
user_domain This argument identifies which type of tenant this entry represents.
<"name"> This argument records the name assigned to this tenant (for use in security policies).
<-id num> This is "id" followed by the number (above 5000) assigned to this tenant.
-public <default|<a.b.c.d/e>> This allows you to specify a public user domain IP address and gateway.
<-idle_time_out m> This argument sets the idle timeout for this entry in minutes.
<-radius_ip a.b.c.d> This argument indicates the RADIUS server and its IP address.
[-radius_port port] This optional argument notes the port number of the RADIUS server, if a port other than the default is used.
<-radius_secret 'secret'> This argument records the RADIUS shared secret.
[-backup_radius_ip a.b.c.d] [-backup_radius_port NUMBER] This pair of arguments allows you to note a backup RADIUS server and its port number, if present.

Example
WG(config-tenant)#user_domain <"MegaCo"> \
 -interface 1 192.168.12.34 -id 6666 idle 720 \
 -radius 12.12.3.144 \
 -radius_secret "no_admit"<ENTER>

Level 3 configuration mode commands


The following section, detailing all the third-level configuration commands, is divided into task or topical collections, which include the following:
Route configuration   this page
Log configuration     page 124

Level 3 route configuration commands


Configure new static route
WG#config<ENTER>
WG(config)#system<ENTER>
WG(config-sys)#route<ENTER>
WG(config-route)#[delete] static <destination> \
 </prefix|mask> <gateway> interface <0|1|2>

Effect Configures a new static route used by traffic passing through this WatchGuard appliance.

Arguments
<destination> Use this argument to record the IP address of the destination subnet.
</prefix|mask> Use this argument to record the number of bits in the subnet mask, or the destination subnet mask itself.
<gateway> Use this argument to record the IP address of the next gateway to the destination subnet.
interface <0|1|2> This argument specifies which interface of this security appliance is used for outgoing traffic on this route.
delete Type this argument before typing the arguments for a route, to deactivate that particular route.

Example
WG(config-route)#static 0.0.0.0/0 \
 105.10.74.122 pub<ENTER>
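The static command accepts the destination either as a prefix length or as a dotted mask, and the page does not say how routes of differing specificity interact. The following is an added example, not WatchGuard code and not part of this Guide: a parser for the argument form given on the syntax line above (with the delete prefix), followed by the longest-prefix lookup that decides which route a packet takes. It follows the syntax line, so the interface is written as interface <0|1|2> rather than the pub shorthand in the page's example; every route value in it is constructed.

```python
"""Added example (not WatchGuard code): a parser for the argument form of the
'static' route command on this page and a longest-prefix lookup over the
resulting table. All route values are constructed."""
import ipaddress

VALID_INTERFACES = ("0", "1", "2")


def parse_static_route(args):
    """Parse 'static' arguments into a route dict.
    Accepts both 'a.b.c.d/prefix' and 'a.b.c.d mask' destination forms and
    rejects a destination with host bits set, a typo that would otherwise
    silently describe a different network than the one intended."""
    tokens = args.split()
    delete = bool(tokens) and tokens[0] == "delete"
    if delete:
        tokens = tokens[1:]
    if len(tokens) < 2:
        raise ValueError("need at least <destination> and <gateway>")
    dest = tokens.pop(0)
    if "/" not in dest:                      # dotted-mask form uses two tokens
        dest = f"{dest}/{tokens.pop(0)}"
    if not tokens:
        raise ValueError("missing <gateway>")
    network = ipaddress.ip_network(dest, strict=True)   # raises on host bits
    gateway = ipaddress.ip_address(tokens.pop(0))
    interface = None
    if tokens and tokens[0] == "interface":
        if len(tokens) < 2 or tokens[1] not in VALID_INTERFACES:
            raise ValueError("interface must be one of 0, 1, 2")
        interface = int(tokens[1])
        tokens = tokens[2:]
    if tokens:
        raise ValueError(f"unexpected arguments: {' '.join(tokens)}")
    return {"delete": delete, "network": network, "gateway": gateway,
            "interface": interface}


def apply_route(table, route):
    """Add a route to the table, or remove the matching entry for 'delete'."""
    key = (route["network"], route["gateway"])
    if route["delete"]:
        return [r for r in table if (r["network"], r["gateway"]) != key]
    return table + [route]


def next_hop(table, destination):
    """Longest-prefix match: the most specific network wins, and 0.0.0.0/0 is
    the fallback for everything else. Returns (gateway, interface) or None."""
    addr = ipaddress.ip_address(destination)
    best = None
    for route in table:
        if addr not in route["network"]:
            continue
        if best is None or route["network"].prefixlen > best["network"].prefixlen:
            best = route
    return None if best is None else (str(best["gateway"]), best["interface"])


if __name__ == "__main__":
    table = []
    for line in ("0.0.0.0/0 105.10.74.122 interface 1",          # default route
                 "10.1.0.0 255.255.0.0 10.0.0.1 interface 0"):   # internal subnet
        table = apply_route(table, parse_static_route(line))
    print(next_hop(table, "10.1.5.9"))     # ('10.0.0.1', 0)
    print(next_hop(table, "8.8.8.8"))      # ('105.10.74.122', 1)
```

The strict network check is the part worth keeping when scripting route changes: a destination such as 10.1.0.5/16 is rejected up front instead of being quietly normalised to 10.1.0.0/16, so the table only ever contains what the operator actually typed.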

Configure dynamic routing


WG#config<ENTER>
WG(config)#system<ENTER>
WG(config-sys)#route<ENTER>
WG(config-route)#[no] dynamic [import|restart]

Effect Configures dynamic routing in this WatchGuard Firebox Vclass security appliance.

Arguments
no Enter this argument to deactivate dynamic routing altogether.
[import|restart] Use these options to import dynamic routing information, or to restart the system.

Examples
WG(config-route)#dynamic import<ENTER>
WG(config-route)#dynamic restart<ENTER>

Level 3 log configuration commands


Activate or deactivate traffic log file
WG#config<ENTER>
WG(config)#system<ENTER>
WG(config-sys)#log<ENTER>
WG(config-log)#[no] traffic

Effect Use this command to activate (or deactivate) the traffic log file.
Arguments
no This argument, when entered before the type of log file, deactivates that log.
Example
WG(config-log)#no traffic<ENTER>

Configure events log file


WG#config<ENTER>
WG(config)#system<ENTER>
WG(config-sys)#log<ENTER>
WG(config-log)#[no] event \
 <critical|error|warning|admin|info>

Effect Use this command to configure the events log file.

Arguments
<critical|error|warning|admin|info> Type one of the above log level selections after the command, to indicate what to include in this events log. If you type critical, the log records only critical events, whereas if you type info, the log records all of the other levels too.
no This argument, when entered before event, deactivates the event log.

Example
WG(config-log)#event error<ENTER>

Set up remote log server connection


WG#config<ENTER>
WG(config)#system<ENTER>
WG(config-sys)#log<ENTER>
WG(config-log)#remote_log_server <"ip_address">

Effect Use this command to set up a remote log server connection.
Arguments
<ip_address> This argument records the IP address of the remote log server.
Example
WG(config-log)#remote_log_server 128.19.3.77<ENTER>

NOTE
When exiting config mode you may be prompted "Commit before exit? (Y/N)". This prompt is displayed if you have made changes but have not committed them to the WatchGuard appliance database. Type Y to commit your changes and return to the WG# prompt, or type N to void the changes and leave the database in its previous state.


CHAPTER 4

Debug Mode Commands

All WatchGuard CLI commands are organized into groups, which are presented as specific command modes. This chapter covers the commands available in Debug Mode.

Debugging/troubleshooting commands
The CLI Debug commands, detailed here, enable the use of standard Linux commands such as ping, tcpdump, netstat, traceroute, and arp. Most of these commands (netstat, arp, ping, tcpdump, and traceroute) are similar to those provided on UNIX, Solaris, and Linux systems. You can use them to troubleshoot network environments. Debugging configuration information is not saved when the database is backed up or exported to an XML profile. Debugging commands are available only for runtime debugging purposes.


Debugging information is not synced between HA appliances.


Command              For more information
arp                  See arp command on page 129.
clear_logs           See clear_logs on page 129.
config_http          See config_http command on page 129.
conn_idle_timeout    See conn_idle_timeout command on page 130.
ha_instant_sync      See ha_instant_sync command on page 130.
hwdiag               See hwdiag command on page 131.
ifconfig             See ifconfig command on page 131.
importscreen         See importscreen command on page 132.
kernel_debug         See kernel_debug command on page 133.
netstat              See netstat command on page 134.
ping                 See ping command on page 134.
pppoe_config         See pppoe_config command on page 135.
radius_ping          See radius_ping command on page 135.
rcinfo               See rcinfo command on page 137.
reboot               See reboot command on page 137.
rs_kdiag             See rs_kdiag command on page 138.
set_dos_if           See set_dos_if command on page 139.
slink                See slink command on page 139.
tcpdump              See tcpdump command on page 140.
traceroute           See traceroute command on page 140.
verbose_trace        See verbose_trace command on page 141.
vinstall             See vinstall command on page 141.
show                 See Show command on page 144.
history              See history command on page 14.
exit                 See exit command on page 14.
top                  See top command on page 15.


arp command
WG#debug<ENTER>
WG(debug)#arp

Effect Displays or manipulates the ARP cache.
Arguments None
Example
WG(debug)#arp<ENTER>

clear_logs
WG#debug<ENTER>
WG(debug)#clear_logs

Effect Clears all log entries.
Argument None

config_http command
WG#debug<ENTER>
WG(debug)#config_http [enable | disable | logon_html [standard | alternate]]
enable                  Enable HTTPd
disable                 Disable HTTPd
logon_html standard     Use default logon HTML page.
logon_html alternate    Use alternate logon HTML page.

Effect Allows you to enable and disable debugging for HTTP.

Arguments
enable Enables HTTP debugging.
disable Disables HTTP debugging.
logon_html [standard | alternate] Standard allows you to use the default HTML logon debugging page. Alternate allows you to use the alternate HTML logon page.

Example
WG#debug<ENTER>
WG(debug)#config_http enable logon_html alternate

conn_idle_timeout command
WG#debug<ENTER>
WG#debug conn_idle_timeout [show | set <idle timeout> | set_default | -h | -?], where
show                 Displays the current settings
set <idle timeout>   Sets the connection idle timeout (in seconds, 1-86400)

Effect Allows you to set the connection idle timeout between the Vclass appliance and the Management Station. The maximum time is 86,400 seconds (one day). The default is 180 seconds (3 minutes).
Example
WG#debug conn_idle_timeout 600
WG#debug conn_idle_timeout set_default

ha_instant_sync command
WG#debug<ENTER>
WG#debug ha_instant_sync [show | enable | disable | set_default | -h | -?], where
show          Displays the current settings
enable        Enable instant state sync
disable       Disable instant state sync
set_default   Restore the setting to the factory default value

Effect Enables or disables instant HA state synchronization. This is enabled by default.
Example
WG#debug ha_instant_sync enable

hwdiag command
WG#debug<ENTER>
WG(debug)#hwdiag <1|2>

Effect Provides diagnostic information for your hardware. Two diagnostic levels are available. Type hwdiag 1<ENTER> to perform level 1 hardware diagnostic tests, or hwdiag 2<ENTER> to perform level 2 tests. Level 2 hardware diagnostics require that the system be rebooted after the tests complete.

ifconfig command
WG#debug<ENTER>
WG#debug ifconfig

Effect ifconfig is the standard Linux command for interface configuration. This command can be used to configure the interfaces, as an alternative to interface configuration in the configuration menu. It also displays debugging information for the interfaces on the appliance.
Options Type -h to get help for this command. ifconfig is a standard Linux command, and should be used by a knowledgeable administrator. For the interface names, use eth0 through eth5, depending on how many interfaces your device has. Type ifconfig with no options or arguments to show detailed interface information.

NOTE
When using the ifconfig command in transparent mode, you must use eth1, as in the following example: ifconfig eth1 ipaddress netmask mask. You cannot use ifconfig with any other interface (e.g. eth0, eth2, eth3) in transparent mode.

importscreen command
WG#debug<ENTER>
WG(debug)#importscreen
Import a tar file via ftp to customize Firewall User Login Screen.
Syntax: importscreen <ftp_server> <ftp_username> <ftp_password> <path_filename>
Example: importscreen 10.10.10.10 ftp any public/screen.tar

Effect This command allows you to import a tar-archived set of files to replace the https firewall user authentication login screen.
Prerequisites The default configuration includes the following files:
- logon.html
- cert_logon.html
- user_auth_fail.html
- index.html
- user_auth_success.html
- images/rs_sublogo.gif
You can save these files from the login and result pages to your local system using your browser's Save function. Once the files are saved, you can edit them, adding images, replacing text, and changing the page layout. However, you should not change any of the form input submission information, or your pages will not work. You must create a compressed tar file (*.tar) that includes all of the files you want to replace for the logon and result screens. When you have completed editing, tar the files (creating a *.tar file), and place this file in an accessible FTP upload directory. Then, use the CLI to FTP the file to the Vclass appliance.

NOTE
These operations require a moderate level of HTML knowledge and editing skills.

Example
WG#debug<ENTER>
WG(debug)#importscreen 10.10.0.98 ftpadmin ftppassword public/screens.tar

kernel_debug command
WG#debug<ENTER>
WG(debug)#kernel_debug <on|off>

Effect This command turns kernel debugging on or off.
Arguments None.
Example
WG(debug)#kernel_debug on


netstat command
WG#debug<ENTER>
WG(debug)#netstat

Effect This command displays the network status from the security appliance's point of view. To review the arguments for this command, type -?. The following are some of the available arguments.
Arguments
-a Displays active network connections and their status
-i Shows summaries sorted by appliance interface
-s Shows statistics
-r Shows routing table information
Example
WG(debug)#netstat -i<ENTER>

ping command
WG#debug<ENTER>
WG(debug)#ping <a.b.c.d>

Effect Use the ping command to send an ICMP ECHO_REQUEST to a designated device.
Arguments
<a.b.c.d> This argument records the IP address of the device/appliance to be pinged.
Example
WG(debug)#ping 122.13.2.9<ENTER>
The WatchGuard CLI sends ping packets to the designated IP address. Enter ^c (Control-C) to stop the ping. The CLI then displays the results and returns to the WG(debug)# prompt.


pppoe_config command
pppoe_config [show | set <-i|-f|-r|-t> num | set_default]
show                   Show current settings.
set <-i|-f|-r|-t> num  Set PPPoE parameters. -i is for echo interval (1-1200 sec). -f is for echo failure (1-60). -r is for re-auth period (0-7200 min). -t is for re-auth interval (0-120 min). num is an integer.
set_default            Restore factory default value.

Effect
This command allows you to set PPPoE echo (keepalive) and re-authorization times and limits.
Arguments
-i  Sets the echo (keepalive) interval, from 1 to 1200 seconds.
-f  Sets the threshold for echo (keepalive) failure, from 1 to 60 seconds.
-r  Sets the re-authorization period, from 0 to 7200 minutes.
-t  Sets the re-authorization interval, from 0 to 120 minutes.
set_default  Restores the default values for PPPoE echo and re-authorization.
Example
WG(debug)#pppoe_config set -i 300 -f 5 \
-r 1800 -t 60

radius_ping command
WG#debug<ENTER>
WG(debug)#radius_ping \
[-pap <"password">|-sid <"passcode">] \
[-p <port>] [-r <retries>] \
[-s <secret>] [-t <timeout>] \
[-u <username>] <source> <a.b.c.d>

Effect
Use this command to test the connections between this WatchGuard appliance and a RADIUS server. Pay special attention to the arguments for this command.
Arguments
[-pap <password>]  This optional argument specifies PAP as the authentication used by this RADIUS server, along with the PAP password.
[-sid <passcode>]  This optional argument specifies SecurID as the authentication used by this RADIUS server, along with the SecurID passcode.
[-p <value>]  This argument allows you to record a specific port number for the RADIUS server. The default port number is 1812; you can omit this argument if the port number was not changed.
[-r <value>]  This argument specifies the maximum number of tries (between 1 and 10) made by this command. The default is 3.
[-s <value>]  This argument records the secret (shared password) required by the RADIUS server. The default is test123.
[-t <value>]  This argument establishes the timeout value for each test message. The default value is 2.
[-u <value>]  This argument records a RADIUS user name for use in this ping attempt. The default entry is test123.
<source>  This argument notes the IP address of the appliance interface from which the RADIUS request is sent.
<a.b.c.d>  This argument notes the IP address of the RADIUS server.
Example
WG(debug)# radius_ping -u jsmith -pap johnsm \
10.10.13.101 10.10.0.5<ENTER>
[no response from RADIUS server]
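What a radius_ping with -pap puts on the wire, as an added example that is not WatchGuard's code: an RFC 2865 Access-Request carrying User-Name and a User-Password hidden with the shared secret, sent with the same retry count and timeout the -r and -t arguments control, plus the Response Authenticator check that lets the client tell a genuine Access-Accept/Reject from a reply built with the wrong secret. The secret, user, addresses and the request identifier 7 are constructed sample values.

```python
"""Build and check a RADIUS PAP test exchange (RFC 2865).

Added example, not WatchGuard's code.  It mirrors what radius_ping -pap
does: an Access-Request with User-Name, a hidden User-Password and the
source interface as NAS-IP-Address, sent with retries and a timeout, and
the Response Authenticator check on the reply.  All values are constructed.
"""
import hashlib
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP = 1, 2, 4


def hide_password(secret: bytes, authenticator: bytes, password: bytes) -> bytes:
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator          # first block keys off the Request Authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        out += prev
    return out


def reveal_password(secret: bytes, authenticator: bytes, hidden: bytes) -> bytes:
    """Inverse of hide_password (the server side); strips the null padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ b for c, b in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attribute(atype: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; length counts the two header bytes."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_access_request(secret, username, password, source_ip, identifier, authenticator=None):
    """Return (packet, request_authenticator) for a PAP Access-Request."""
    authenticator = authenticator or os.urandom(16)
    attrs = (attribute(ATTR_USER_NAME, username.encode())
             + attribute(ATTR_USER_PASSWORD, hide_password(secret, authenticator, password.encode()))
             + attribute(ATTR_NAS_IP, socket.inet_aton(source_ip)))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs, authenticator


def build_response(secret, code, identifier, request_authenticator, attrs=b""):
    """Server reply: authenticator = MD5(code + id + length + ReqAuth + attrs + secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs


def check_response(secret, packet, identifier, request_authenticator):
    """'accept', 'reject', or None when the reply is not a valid answer to our request."""
    if len(packet) < 20:
        return None
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if ident != identifier or length != len(packet):
        return None
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    if expected != packet[4:20]:
        return None                          # wrong secret, or a forged/corrupted reply
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(code)


def radius_ping(server_ip, secret, username, password, source_ip,
                port=1812, retries=3, timeout=2.0):
    """Send the request like radius_ping -r/-t would; None means no valid response."""
    packet, req_auth = build_access_request(secret, username, password, source_ip, 7)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        for _ in range(retries):
            sock.sendto(packet, (server_ip, port))
            try:
                reply, _ = sock.recvfrom(4096)
            except socket.timeout:
                continue                     # resend, up to the retry limit
            return check_response(secret, reply, 7, req_auth)
    return None                              # [no response from RADIUS server]
```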

rcinfo command
WG#debug<ENTER>
WG(debug)#rcinfo

Effect
Shows debug information about the RapidCore chip in your appliance. This is used for troubleshooting purposes, with WatchGuard technical support.
Example
WG#debug<ENTER>
WG(debug)#rcinfo

reboot command
WG#debug<ENTER>
WG(debug)#reboot

Effect
Reboots the appliance.
Example
WG(debug)#reboot<ENTER>


rs_kdiag command
WG#debug<ENTER>
WG(debug)#rs_kdiag

Effect
This command displays internal diagnostics information.
Arguments
None


set_dos_if command
WG#debug<ENTER>
WG(debug)#set_dos_if [show | set <xyzv> | set_default | -h | -?]
show         Show the current settings.
set xyzv     Set DOS protection on interfaces. x, y, z, v must be 0 or 1. x is for interface 0, y for interface 1, z for interface 2, and v for interface 3.
set_default  Restore the setting to the factory default value.

Effect
This sets denial of service (DOS) protection on individual interfaces. The default setting is 0000000f.
Example
WG#debug<ENTER>
WG(debug)#set_dos_if set 0011

slink command
WG#debug<ENTER>
WG(debug)# slink [[-s] <Port> <Mode>] [show]
-s    Save configuration only
Port  eth0, eth1, eth2, eth3
Mode  auto = Auto negotiate
      1000A = 1000BaseFX, AutoNegotiation enabled
      1000H = 1000BaseFX, AutoNegotiation disabled
      100F = 100BaseT, Full-duplex mode
      100H = 100BaseT, Half-duplex mode
      10F = 10BaseT, Full-duplex mode
      10H = 10BaseT, Half-duplex mode
show  Current setting

Effect
This command sets the physical speed of a specific accelerated data interface.
Arguments
eth0, eth1, eth2, eth3  Indicates the interface to be changed.
mode  auto = Auto negotiate
      1000A = 1000BaseFX, AutoNegotiation enabled
      1000H = 1000BaseFX, AutoNegotiation disabled
      100F = 100BaseT, Full-duplex mode
      100H = 100BaseT, Half-duplex mode
      10F = 10BaseT, Full-duplex mode
      10H = 10BaseT, Half-duplex mode
show  Displays the current setting
Example
WG#debug<ENTER>
WG(debug)# slink eth1 10H
This sets interface 1 (public) to 10BaseT, Half-duplex mode.

tcpdump command
WG#debug<ENTER>
WG(debug)#tcpdump

Effect
Dumps all traffic on a network. Tcpdump captures all packets detected by the network interfaces of the appliance where tcpdump is executed. This command may be used to track specific packets.
Arguments
None
Example
WG(debug)#tcpdump<ENTER>

traceroute command
WG#debug<ENTER>
WG(debug)#traceroute <target_IP>

Effect
Displays the complete route information to the target device. This command utilizes the IP protocol time-to-live field and solicits an ICMP TIME_EXCEEDED response from each gateway along the path to the target device. You can use this command to troubleshoot network routing and connectivity.
Arguments
<target_IP>  Be sure to type the IP address of the target device, as shown in the example below.
Example
WG(debug)#traceroute 207.188.12.3<ENTER>

verbose_trace command
WG#debug<ENTER>
WG(debug)# verbose_trace [ on | off ]

Effect
This command enables/disables verbose tracing in the traffic log. When enabled, every firewall-dropped packet is shown in the traffic log. All DNS packets are also shown in the traffic log.

NOTE
If this feature is enabled, there will be an impact on overall system performance due to heavy logging activity.

vinstall command
WG#debug<ENTER>
WG(debug)# vinstall <ftp_server> <ftp_username> <ftp_password> <"path_filename">
## This feature allows downgrade from 5.0 to 3.2 or 4.0
## e.g. vinstall 10.10.10.10 my_username my_password "path/encrypted_fbv.tgz"
## For V10, use non-encrypted file. For others, use encrypted file.

Effect
This allows you to downgrade to an earlier software version, from 5.0 to 4.0 or from 5.0 to 3.2.

NOTE
This feature is not supported in software versions earlier than 5.0.

Example
WG#debug<ENTER>
WG(debug)# vinstall 10.10.0.98 ftpadmin ftppass /upload/downgrade/encrypted.tgz


CHAPTER 5

Other Commands

This chapter describes commands that do not belong to one of the three main command modes (Administration, Configuration, and Debug).

No command
The no command is used before another command or argument to turn off or disable the specified feature.

Rename command
The rename command is used to rename objects.


Show command
As a way of viewing lists and details of a WatchGuard appliance's configuration, the Show command (and its arguments) provides an adaptable means of cataloging such things as address groups, IPSec actions or RAS user profiles. Once you determine what is listed, you can then adapt the Show command to view the contents of a specifically named item, including the settings or configuration entries that comprise that item.

Show command general usage
WG#show<ENTER>

Effect
If you type show at the top-level CLI prompt, the WatchGuard CLI will display a complete list of show arguments (listed above in Contents) that enable you to list almost every kind of object in the WatchGuard database, from address groups to VLAN objects.
Arguments
None. The current range of Show commands includes the following:

Command             For more information
address             See Show address command.
alarm               See Show alarm command.
all_routes          See Show all_routes command.
certificate         See Show certificate command.
cpm                 See Show CPM command.
denial_of_service   See Show denial_of_service command.
diagnostics         See Show diagnostics command.
dns                 See Show DNS command.
ike                 See Show IKE command.
interface           See Show interface command.
ipsec               See Show IPSec command.
ldap                See Show LDAP command.
license             See Show license command.
log                 See Show log command.
mode                See Show mode command.
nat                 See Show NAT command.
ntp                 See Show NTP command.
policy              See Show policy command.
qos                 See Show QoS command.
ras                 See Show RAS command.
route               See Show route command.
sa                  See Show SA command.
service             See Show service command.
statistics          See Show statistics command.
sysinfo             See Show sysinfo command.
sysupgrade          See Show sysupgrade command.
trace               See Show trace command.
tunnel_switch       See Show tunnel_switch command.
version             See Show version command.

Show address command

Display current address groups
WG#show address<ENTER>

Effect
Displays the current catalog of address groups stored in this WatchGuard Firebox Vclass security appliance.
Arguments
None.

Display contents of address group
WG#show address <"group_name"><ENTER>

Effect
Displays the current contents of a specifically named address group.
Arguments
<"group_name">  This argument notes the address group name.
Example
WG#show address exec_staff<ENTER>

Show alarm command
WG#show alarm [definition|log [more|follow]]<ENTER>

Effect
Displays a summary of current outstanding alarms.
Arguments
definition  This displays a list of alarm definitions, and whether they are enabled.
log more    This displays the log of all alarms that have been triggered in the past (since the log was last cleared), 20 lines at a time.
log follow  This displays the last 5 lines of the alarm log, and updates if more alarms get generated.
Example
WG#show alarm log more<ENTER>


Show all_routes command
WG#show all_routes<ENTER>

Effect
Displays a summary of the routes, static and dynamic, recorded in this WatchGuard appliance.
Arguments
None.
Example
WG#show all_routes<ENTER>

Show certificate command
WG#show certificate<ENTER>

Effect
Displays the complete collection of certificates, including pending requests, root certificates and system certificates.
Examples
WG#show certificate<ENTER>

Display certificate settings
WG#show certificate [ca|sys|pending|"cert_id"]<ENTER>

Effect
Displays the settings of a certificate according to the specific identifying characteristic.
Arguments
<ca|sys|pending>  This argument specifies the type of certificates you want to review, whether root, system or pending.
<"cert_id">  This argument notes an actual ID number from a certificate, whether root, system or pending.
Examples
WG#show certificate pending<ENTER>
WG#show certificate 19478<ENTER>

Show CPM command
WG#show cpm<ENTER>

Effect
Shows whether CPM is enabled or disabled, and general CPM information.
Arguments
None.
Examples
WG#show cpm<ENTER>

Show denial_of_service command
WG#show denial_of_service<ENTER>

Effect
Displays the DOS and DDOS configurations currently active in this appliance.
Arguments
None.

Show diagnostics command
WG#show diagnostics<ENTER>

Effect
Shows some diagnostic information for the appliance.
Arguments
None.
Examples
WG#show diagnostics<ENTER>

Show DNS command
WG#show dns<ENTER>

Effect
Displays any DNS configurations.
Arguments
None

Show IKE command
WG#show ike <action | policy><ENTER>

Effect
Displays the current catalog of IKE policies or actions, depending upon your choice of argument.
Arguments
<action|policy>  This argument allows you to specify whether the actions or policies are listed.
Examples
WG#show ike action<ENTER>

Display IKE policy parameters
WG#show ike <action|policy> <"name"><ENTER>

Effect
Displays the parameters of a specifically named IKE policy or action.
Arguments
action <"name">  This argument will display the contents of the named action.
policy <"name">  This argument will display the contents of the named policy.
Examples
WG#show ike action basic<ENTER>
WG#show ike policy secure_VPN<ENTER>


Show interface command
WG#show interface<ENTER>

Effect
Displays a detailed summary of all data interfaces in this WatchGuard appliance.
Arguments
None
Example
WG#show interface<ENTER>

Show IPSec command
WG#show ipsec <action|proposal><ENTER>

Effect
Displays the current catalog of IPSec proposals or actions, depending upon the argument.
Arguments
<action|proposal>  This argument specifies the type of IPSec component, action or proposal, that you want to review.
Examples
WG#show ipsec proposal<ENTER>

Display an IPSec proposal or action
WG#show ipsec <action|proposal> <"item_name"><ENTER>

Effect
Displays the contents of a specifically named IPSec proposal or action. Type the action or proposal name after the "ipsec" command to view the specific settings.
Arguments
<action|proposal>  This argument specifies the type of IPSec component, action or proposal, that you want to review.
<"item_name">  After entering the action or proposal argument, enter this value, which indicates the actual name of a specific proposal or action that you want to review in detail.
Examples
WG#show ipsec proposal md5_sha<ENTER>
WG#show ipsec action most_secure<ENTER>

Show LDAP command
WG#show ldap<ENTER>

Effect
Displays any current LDAP server connection settings.
Arguments
None

Show license command
WG#show license [license_id]<ENTER>

Effect
Displays the current license file information. You can copy the license ID shown with this command, and paste it after the show license command to see more details about a particular license.
Arguments
None
Example (show license without a license number)
WG#show license
Ord  License Name         License ID        Expiration Date
1    DATE_11-6-2002_10:5  64DFC18A261A4771  04-02-2003

Example (show license with a license number)
WG#show license 64DFC18A261A4771
License Name: DATE_11-6-2002_10:51
License ID: 64DFC18A261A4771
Feature(s): UPGRADE 3DES
Expiration Date: 04-02-2003

Show log command
WG#show log <config|alarm|event|traffic \
|ras_user|p1_sa|p2_sa> [more]<ENTER>

Effect
Displays the last 25 entries in a designated log file. If you enter config as the argument, the CLI will display the configuration settings for all logs.
Arguments
<config>  This argument will display the current configurations for server, traffic and event logs.
<alarm|event|traffic|ras_user|p1_sa|p2_sa>  Enter one of these six log types in this argument. If you do not type a log type, the CLI will simply list the types of log files you can view.
[more]  This argument displays the complete contents of a specified log, one page at a time.
Example
WG#show log traffic<ENTER>

Show mode command
WG#show mode<ENTER>

Effect
Displays whether the system is running in Router or Transparent Mode.
Arguments
None
Example
WG#show mode<ENTER>

Show NAT command
WG#show nat<ENTER>

Effect
Lists any current NAT actions stored in this appliance database.
Arguments
None

Display NAT action configuration
WG#show nat <"name"><ENTER>

Effect
Displays the configuration of a specifically named NAT action.
Arguments
<"name">  This argument represents the exact name of the NAT action you want to review.
Example
WG#show nat static_NAT1<ENTER>

Show NTP command
WG#show ntp<ENTER>

Effect
Displays the Network Time Protocol configuration.
Arguments
None.
Example
WG#show ntp<ENTER>

Show policy command
WG#show policy <"policy_name"><ENTER>

Effect
Displays the parameters/settings for a specifically named security policy.
Arguments
<"policy_name">  This argument notes the exact name of the security policy you want to review.
Example
WG#show policy SJO-NYC_VPN<ENTER>

List active security policies
WG#show policy<ENTER>

Effect
Lists all active security policies stored in this WatchGuard appliance.
Arguments
None
Example
WG#show policy<ENTER>

Show QoS command
WG#show qos <system|action><ENTER>

Effect
Displays (1) the current system QoS configuration, or (2) a list of currently available QoS actions, depending upon your argument entry.
Arguments
<system|action>  This argument represents your preference: to review the current system QoS setting or the list of available QoS actions.
Example
WG#show qos system<ENTER>

Show QoS action configuration
WG#show qos action <"name"><ENTER>

Effect
Displays the configuration of a specified QoS action.
Arguments
<"name">  This argument indicates, by exact name, the QoS action you want to review.
Example
WG#show qos action slow_to_55<ENTER>

Show RAS command
WG#show ras <group_profile|user_profile|database><ENTER>

Effect
Displays a complete listing of the specified RAS component: group profiles, user profiles or database configuration.
Arguments
<group_profile|user_profile|database>  This argument represents your preference: to review a list of group profiles, a list of user profiles or the database settings.
Example
WG#show ras database<ENTER>

Display specific RAS contents
WG#show ras <group_profile|user_profile> <"name"><ENTER>

Effect
Displays the contents of the specifically named RAS component, a user profile or group profile.
Arguments
<group_profile|user_profile>  This argument notes either group profile or user profile.
<"name">  This argument records the name of the designated object that you want to review.
Example
WG#show ras user_profile sales12<ENTER>

Show route command
WG#show route<ENTER>

Effect
Displays a list of active routes.
Arguments
None
Example
WG#show route<ENTER>

Show SA command
WG#show sa <p1|p2> [id]<ENTER>

Effect
Lists current phase one or phase two SA information, in some detail. If you add the ID of a specific phase-one SA or phase-two tunnel, the CLI will display details of the requested item.
Arguments
<p1|p2>  This argument specifies your choice of a list of phase-one SAs or a list of phase-two tunnels. Either list provides a complete catalog of the requested item, in a table that includes considerable details about each item.
[id]  This argument (when used with p1) will display a summary of the identified SA. When used with p2, this argument will display a summary of the requested tunnel activities.
Example
WG#show sa p2 209<ENTER>

Show service command

List all service groups
WG#show service<ENTER>

Effect
Displays a complete list of all service groups.
Arguments
None
Example
WG#show service<ENTER>

Display service group settings
WG#show service <"name"><ENTER>

Effect
Displays the settings for a named service group, including port numbers and any associated protocols.
Arguments
<"name">  This argument represents the exact name of the service group you want to review in detail.
Example
WG#show service e-mail<ENTER>

Show SNMP command
WG#show snmp<ENTER>

Effect
Displays the SNMP settings for the appliance.
Arguments
None.
Example
WG#show snmp<ENTER>

Show statistics command
WG#show statistics
WG#show statistics ras [user_ID]
WG#show statistics p1sa [ID]
WG#show statistics p2sa [ID]

Effect
Displays statistics for RAS or phase 1 or phase 2 SA.
Arguments
None.
Example
WG#show statistics ras ras_user<ENTER>

Show sysinfo command
WG#show sysinfo<ENTER>

Effect
Displays the basic "general" system configurations, including appliance name, location, and contact person's name.
Arguments
None
Example
WG#show sysinfo<ENTER>

Show sysupgrade command
WG#show sysupgrade<ENTER>

Effect
Displays a chronological record of recent system software upgrades (including version number and date) installed in this WatchGuard appliance.
Arguments
None
Example
WG#show sysupgrade<ENTER>

Show trace command

Show tunnel_switch command
WG#show tunnel_switch<ENTER>

Effect
Displays the status of tunnel switching hardware features in this appliance: OFF or ON.
Arguments
None
Example
WG#show tunnel_switch<ENTER>


Show version command
WG#show version<ENTER>

Effect
Displays the version number of WatchGuard operating software.
Arguments
None
Example
WG#show version<ENTER>
