WatchGuard®
Command Line Interface User Guide
WatchGuard Firebox Vclass 5.1
Copyright
Copyright © 1998-2003 WatchGuard Technologies, Inc. All rights reserved.
Notice to Users
Information in this document is subject to change and revision without notice. This documentation and the software described herein is subject to and may only be used and copied as outlined in the Firebox System software end-user license agreement. No part of this manual may be reproduced by any means, electronic or mechanical, for any purpose other than the purchaser’s personal use, without prior written permission from WatchGuard Technologies, Inc.
TRADEMARK NOTES
WatchGuard and LiveSecurity are either trademarks or registered trademarks of WatchGuard Technologies, Inc. in the United States and other countries. Firebox, ServerLock, DVCP, and Designing peace of mind are trademarks of WatchGuard Technologies, Inc. All other trademarks or trade names mentioned herein, if any, are the property of their respective owners.
Part No: 1200016
ii WatchGuard Vclass 5.1
WatchGuard Technologies, Inc.
Firebox System Software End-User License Agreement
WatchGuard Firebox System (WFS) End-User License Agreement
IMPORTANT — READ CAREFULLY BEFORE ACCESSING WATCHGUARD SOFTWARE:
This WFS End-User License Agreement (“AGREEMENT”) is a legal agreement between you (either an individual or a single entity) and WatchGuard Technologies, Inc. (“WATCHGUARD”) for the WATCHGUARD WFS software product identified above, which includes computer software and may include associated media, printed materials, and on-line or electronic documentation (“SOFTWARE PRODUCT”). WATCHGUARD is willing to license the SOFTWARE PRODUCT to you only on the condition that you accept all of the terms contained in this Agreement. Please read this Agreement carefully. By installing or using the SOFTWARE PRODUCT you agree to be bound by the terms of this Agreement. If you do not agree to the terms of this AGREEMENT, WATCHGUARD will not license the SOFTWARE PRODUCT to you, and you will not have any rights in the SOFTWARE PRODUCT. In that case, promptly return the SOFTWARE PRODUCT, along with proof of payment, to the authorized dealer from whom you obtained the SOFTWARE PRODUCT for a full refund of the price you paid.
1. Ownership and License. The SOFTWARE PRODUCT is protected by copyright laws and international copyright treaties, as well as other intellectual property laws and treaties. This is a license agreement and NOT an agreement for sale. All title and copyrights in and to the SOFTWARE PRODUCT (including but not limited to any images, photographs, animations, video, audio, music, text, and applets incorporated into the SOFTWARE PRODUCT), the accompanying printed materials, and any copies of the SOFTWARE PRODUCT are owned by WATCHGUARD or its suppliers. Your rights to use the SOFTWARE PRODUCT are as specified in this AGREEMENT, and WATCHGUARD retains all rights not expressly granted to you in this AGREEMENT. Nothing in this AGREEMENT constitutes a waiver of our rights under U.S. copyright law or any other law or treaty.
WatchGuard Command Line Interface Guide iii
2. Permitted Uses. You are granted the following rights to the SOFTWARE PRODUCT: (A) You may install and use the SOFTWARE PRODUCT on any single computer at any single location. If you wish to use the SOFTWARE PRODUCT on a different computer, you must erase the SOFTWARE PRODUCT from the first computer on which you installed it before you install it onto a second. (B) To use the SOFTWARE PRODUCT on more than one computer at once, you must license an additional copy of the SOFTWARE PRODUCT for each additional computer on which you want to use it. (C) You may make a single copy of the SOFTWARE PRODUCT for backup or archival purposes only.
3. Prohibited Uses. You may not, without express written permission from WATCHGUARD: (A) Use, copy, modify, merge or transfer copies of the SOFTWARE PRODUCT or printed materials except as provided in this AGREEMENT; (B) Use any backup or archival copy of the SOFTWARE PRODUCT (or allow someone else to use such a copy) for any purpose other than to replace the original copy in the event it is destroyed or becomes defective; (C) Sublicense, lend, lease or rent the SOFTWARE PRODUCT; (D) Transfer this license to another party unless (i) the transfer is permanent, (ii) the third party recipient agrees to the terms of this AGREEMENT, and (iii) you do not retain any copies of the SOFTWARE PRODUCT; or (E) Reverse engineer, disassemble or decompile the SOFTWARE PRODUCT.
4. Limited Warranty. WATCHGUARD makes the following limited warranties for a period of ninety (90) days from the date you obtained the SOFTWARE PRODUCT from WatchGuard Technologies or an authorized dealer: (A) Media. The disks and documentation will be free from defects in materials and workmanship under normal use. If the disks or documentation fail to conform to this warranty, you may, as your sole and exclusive remedy, obtain a replacement free of charge if you return the defective disk or documentation to us with a dated proof of purchase. (B) SOFTWARE PRODUCT. The SOFTWARE PRODUCT will materially conform to the documentation that accompanies it. If the SOFTWARE PRODUCT fails to operate in accordance with this warranty, you may, as your sole and exclusive remedy, return all of the SOFTWARE PRODUCT and the documentation to the authorized dealer from whom you obtained it, along with a dated proof of purchase, specifying the problems, and they will provide you with a new version of the SOFTWARE PRODUCT or a full refund, at their election.
Disclaimer and Release. THE WARRANTIES, OBLIGATIONS AND LIABILITIES OF WATCHGUARD, AND YOUR REMEDIES, SET FORTH IN PARAGRAPHS 4, 4(A) AND 4(B) ABOVE ARE EXCLUSIVE AND IN SUBSTITUTION FOR, AND YOU HEREBY WAIVE, DISCLAIM AND RELEASE ANY AND ALL OTHER WARRANTIES, OBLIGATIONS AND LIABILITIES OF WATCHGUARD AND ALL OTHER RIGHTS, CLAIMS AND REMEDIES YOU MAY HAVE AGAINST WATCHGUARD, EXPRESS OR IMPLIED, ARISING BY LAW OR OTHERWISE, WITH RESPECT TO ANY NONCONFORMANCE OR DEFECT IN THE SOFTWARE PRODUCT (INCLUDING, BUT NOT LIMITED TO, ANY IMPLIED WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, ANY IMPLIED WARRANTY ARISING FROM COURSE OF PERFORMANCE, COURSE OF DEALING, OR USAGE OF TRADE, ANY WARRANTY OF NONINFRINGEMENT, ANY WARRANTY THAT THIS SOFTWARE PRODUCT WILL MEET YOUR REQUIREMENTS, ANY WARRANTY OF UNINTERRUPTED OR ERROR-FREE OPERATION, ANY OBLIGATION, LIABILITY, RIGHT, CLAIM OR REMEDY IN TORT, WHETHER OR NOT ARISING FROM THE NEGLIGENCE (WHETHER ACTIVE, PASSIVE OR IMPUTED) OR FAULT OF WATCHGUARD AND ANY OBLIGATION, LIABILITY, RIGHT, CLAIM OR REMEDY FOR LOSS OR DAMAGE TO, OR CAUSED BY OR CONTRIBUTED TO BY, THE SOFTWARE PRODUCT).
Limitation of Liability. WATCHGUARD’s liability (whether in contract, tort, or otherwise; and notwithstanding any fault, negligence, strict liability or product liability) with regard to THE SOFTWARE Product will in no event exceed the purchase price paid by you for such Product. IN NO EVENT WILL WATCHGUARD BE LIABLE TO YOU OR ANY THIRD PARTY, WHETHER ARISING IN CONTRACT (INCLUDING WARRANTY), TORT (INCLUDING ACTIVE, PASSIVE OR IMPUTED NEGLIGENCE AND STRICT LIABILITY AND FAULT), FOR ANY INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES (INCLUDING WITHOUT LIMITATION LOSS OF BUSINESS PROFITS, BUSINESS INTERRUPTION, OR LOSS OF BUSINESS INFORMATION) ARISING OUT OF OR IN CONNECTION WITH THIS WARRANTY OR THE USE OF OR INABILITY TO USE THE SOFTWARE PRODUCT, EVEN IF WATCHGUARD HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
5. United States Government Restricted Rights. The enclosed SOFTWARE PRODUCT and documentation are provided with Restricted Rights. Use, duplication or disclosure by the U.S. Government or any agency or instrumentality thereof is subject to restrictions as set forth in subdivision (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013, or in subdivision (c)(1) and (2) of the Commercial Computer Software -- Restricted Rights Clause at 48 C.F.R. 52.227-19, as applicable. Manufacturer is WatchGuard Technologies, Incorporated, 505 Fifth Avenue, Suite 500, Seattle, WA 98104.
6. Export Controls. You agree not to directly or indirectly transfer the SOFTWARE PRODUCT or documentation to any country to which such transfer would be prohibited by the U.S. Export Administration Act and the regulations issued thereunder.
7. Termination. This license and your right to use the SOFTWARE PRODUCT will automatically terminate if you fail to comply with any provisions of this AGREEMENT, destroy all copies of the SOFTWARE PRODUCT in your possession, or voluntarily return the SOFTWARE PRODUCT to WATCHGUARD. Upon termination you will destroy all copies of the SOFTWARE PRODUCT and documentation remaining in your control or possession.
8. Miscellaneous Provisions. This AGREEMENT will be governed by and construed in accordance with the substantive laws of Washington excluding the 1980 United National Convention on Contracts for the International Sale of Goods, as amended. This is the entire AGREEMENT between us relating to the contents of this package, and supersedes any prior purchase order, communications, advertising or representations concerning the contents of this package AND BY USING THE SOFTWARE PRODUCT YOU AGREE TO THESE TERMS. No change or modification of this AGREEMENT will be valid unless it is in writing, and is signed by WATCHGUARD.
9. Canadian Transactions: If you obtained this SOFTWARE PRODUCT in Canada, you agree to the following: The parties hereto have expressly required that the present AGREEMENT and its Exhibits be drawn up in the English language. / Les parties aux presentes ont expressement exige que la presente conventions et ses Annexes soient redigees en la langue anglaise.
Contents

Contents ... ix

CHAPTER 1 Using the Command Line Interface ... 1
Introducing the WatchGuard CLI ... 1
CLI capabilities ... 2
CLI limitations ... 3
CLI Guide text conventions ... 3
Getting started with the WatchGuard CLI ... 5
Connecting to an appliance ... 5
Logging into an appliance via a console connection ... 6
Logging into an existing appliance via a network connection ... 7
Understanding the command prompt ... 8
Abbreviating commands and keywords ... 8
Case sensitivity ... 9
Extending command lines ... 9
Typing arguments in a command ... 9
Deleting text in the Command Line Interface ... 10
Using the CLI to add to or replace existing settings and policies ... 10
Grouping parameters in a command ... 10
Reviewing the recently used commands ... 11
Navigating through the CLI ... 13
Common Navigation commands ... 14
Using keywords ... 15
Show command/argument (“name”) usage ... 16
Viewing context-sensitive online help ... 17
Logging out of the appliance ... 18
Installing and configuring a WatchGuard appliance ... 19
To log into a WatchGuard appliance for the first time ... 19
To assign network addresses to appliance interfaces ... 20
To complete system configuration ... 20
To create and apply security policies ... 21
To remove/delete items from a WatchGuard database ... 22
To save and apply your most recent changes ... 22
To maintain an appliance ... 22
To troubleshoot an appliance ... 22
To restore an appliance to the factory-default state ... 23
To review the most recent tasks (at any level) ... 23
To get on-line help while working ... 24

CHAPTER 2 Administration Mode Commands ... 25
Command syntax conventions used in this guide ... 25
Administration mode commands ... 27
account command ... 28
downgrade command ... 29
export command ... 30
flush command ... 31
ha_sync command ... 31
import command ... 32
operation_mode command ... 35
passwd command ... 36
reboot command ... 37
restore default command ... 38
shutdown command ... 38
upgrade command ... 39

CHAPTER 3 Configuration Mode Commands ... 41
Top-level configuration mode commands ... 41
abort command ... 43
address command ... 43
certificate command ... 45
commit command ... 45
delete command ... 45
denial_of_service command ... 46
high_availability commands ... 47
ike command ... 48
interface command ... 49
ipsec command ... 49
license command ... 49
log command ... 50
nat command ... 54
no command ... 56
policy command ... 57
qos command ... 60
ras command ... 61
rename command ... 61
schedule command ... 62
service command ... 63
system command ... 64
trace command ... 64
tenant command ... 65
tunnel_switch command ... 65
history command ... 66
Second level configuration mode commands ... 66
Level 2 certificate configuration commands ... 67
Level 2 High Availability configuration commands ... 72
Level 2 IKE configuration commands ... 78
Level 2 interface configuration commands ... 82
Level 2 IPSec configuration commands ... 95
Level 2 Quality of Service (QoS) configuration commands ... 100
Level 2 Remote Access Service (RAS) configuration commands ... 102
Level 2 System Configuration commands ... 107
Level 2 license commands (for upgraded or additional features) ... 117
Level 2 tenant configuration commands ... 119
Level 3 configuration mode commands ... 122
Level 3 route configuration commands ... 122
Level 3 log configuration commands ... 124

CHAPTER 4 Debug Mode Commands ... 127
Debugging/troubleshooting commands ... 127
arp command ... 129
clear_logs ... 129
config_http command ... 129
conn_idle_timeout command ... 130
ha_instant_sync command ... 130
hwdiag command ... 131
ifconfig command ... 131
importscreen command ... 132
kernel_debug command ... 133
netstat command ... 134
ping command ... 134
pppoe_config command ... 135
radius_ping command ... 135
rcinfo command ... 137
reboot command ... 137
rs_kdiag command ... 138
set_dos_if command ... 139
slink command ... 139
tcpdump command ... 140
traceroute command ... 140
verbose_trace command ... 141
vinstall command ... 141

CHAPTER 5 Other Commands ... 143
No command ... 143
Rename command ... 143
Show command ... 144
Show command general usage ... 144
Show address command ... 145
Show alarm command ... 146
Show all_routes command ... 147
Show certificate command ... 147
Show CPM command ... 148
Show denial_of_service command ... 148
Show diagnostics command ... 148
Show DNS command ... 148
Show IKE command ... 149
Show interface command ... 150
Show IPSec command ... 150
Show LDAP command ... 151
Show license command ... 151
Show log command ... 152
Show mode command ... 152
Show NAT command ... 153
Show NTP command ... 153
Show policy command ... 154
Show QoS command ... 154
Show RAS command ... 155
Show route command ... 156
Show SA command ... 156
Show service command ... 157
Show SNMP command ... 158
Show statistics command ... 158
Show sysinfo command ... 158
Show sysupgrade command ... 159
Show trace command ... 159
Show tunnel_switch command ... 159
Show version command ... 160

Index ... 161
CHAPTER 1 Using the Command Line Interface
Introducing the WatchGuard CLI
The WatchGuard CLI (Command Line Interface) offers the experienced network administrator an efficient way to set up and manage WatchGuard Firebox Vclass security appliances via a terminal application. As the CLI architecture utilizes a model implemented in many industry-standard routers, network administrators familiar with routers commonly deployed in network environments will find the WatchGuard CLI is both easy to learn and to use.
You can use the CLI to administer an appliance through a console port connection or through a network connection to any of the data interfaces via an SSH Client using protocol 2 or Telnet, once the appropriate firewall-access policies have been created and configured on the target appliance.
While the CLI replicates most of the functionality of the WatchGuard Vcontroller™ application, we strongly recommend that you familiarize yourself with the use of WatchGuard Vcontroller before attempting to use the CLI. Learning the WatchGuard Vcontroller, its terms and processes, and the underlying “flow” of appliance administration, will establish a solid competency with concepts and terms used extensively in the CLI.
We also recommend that you review the latest Release Notes for your WatchGuard security appliances and verify that the most current versions of WatchGuard and Java software are being used. Electronic copies may be obtained from the WatchGuard Technical Support web site (www.watchguard.com/support/). The Technical Support Group can also assist in verifying that you have all of the latest WatchGuard software.
CLI capabilities
The WatchGuard command line interface (CLI) provides you with simple, fast, command-line access to any local WatchGuard Firebox Vclass security appliance to perform most major administrative tasks, including rebooting, resetting appliance interface IP addresses, entering remote access user accounts, and managing policies, actions and proposals stored in the appliance database.
An almost-complete list of CLI setup and administration tasks includes the following:
• Configuring security appliance software
• Interface (port) management
• Viewing current system settings
• Inserting new security policies
• Editing or removing existing policies
• Reorganizing sort order of policies
• Configuring and using the High Availability feature
• Opening and reviewing current log files
• Displaying reports of tunnel and SA activities
• Restoring factory-default configurations
• Shutting down and restarting security appliances
CLI limitations
Please note that the WatchGuard CLI is not a complete replacement for the WatchGuard Vcontroller application, as you cannot do the following with the CLI:
• Set up probes that monitor the current activities of the security appliance
• Set up, activate, and review alarms that are triggered by a range of operational circumstances
• Import Certificate Revocation List (CRL) files or their contents
• Create “admin” access user accounts
• Create firewall-access internal user accounts
CLI Guide text conventions
To help you better use this guide, the following text conventions are used.
Control key The symbol ^ represents the Control (CTRL) key and is usually used in combination with other text. For example, when you see the key combinations ^Z or Ctrl-Z, this means you should hold down the Control key while pressing the Z key. In the guide, these keys may be printed in capital letters, but “Ctrl+letter” functions are not case-sensitive.
Text strings A text string is defined as a set of user-variable characters. Text strings (or, strings) are usually presented as example data, or the kind of thing one might type for a particular value. Such an example might be presented enclosed in quotation marks; however, you do not need to type quotes when entering a text string.
For example, we might say: set a user_profile name to “All_RAS_Users.” In this example, you could type your own user profile name (or string) in place of ALL_RAS_Users.
You should enclose a string in quotes in instances where the text entry includes spaces. For example, if entering a name like “Joan Smith,” with a space between the first and last name, you should enclose this entry in quotations to preserve it as a single entity.
For example:
WG(config)#address -group exec_staff
WG(config)#address -group "exec staff"
Carriage returns Carriage returns are Enter key presses, and are represented by the <ENTER> or <CR> notation. Command examples may omit this notation for the sake of brevity.
Letter spaces Space characters (entered by pressing the Space bar on the keyboard) are represented in a few instances in this Guide by the <sp> notation. In most cases, however, spaces are simply represented by actual spaces. For example, in:
WG(config)#address -group exec_staff
there is a single space between “address” and “-group,” and between “-group” and “exec_staff.”
Comments Comments are presented as italicized text preceded by the “#” character.
# This is a sample comment.
More command-specific and argument-specific conventions are detailed in “Command syntax conventions used in this guide” on page 21.
Getting started with the WatchGuard CLI
Connecting to an appliance
The WatchGuard CLI can be used to perform pre-installation setup tasks, or to reconfigure or administer the appliance at any time. These comprise two distinct uses of the CLI, which in turn require different connections:
• To use the CLI in pre-installation setup or to do direct administration of a WatchGuard appliance, you can directly connect the appliance to your workstation by connecting a cable from the Console port on the front of the appliance to a serial port on your workstation. Your Vclass package includes an adapter for this purpose. After this connection is made, you can connect directly to the appliance via a terminal application.
• To use the CLI for administration after a WatchGuard appliance has been set up and configured, you can make use of existing network connections. All you need is (1) the IP address of a WatchGuard appliance data interface and (2) a currently active policy permitting CLI console (Telnet/SSH) access to the system through that interface. This may be done by means of the CLI or the WatchGuard Vcontroller, once configuration is complete.
NOTE
If you attempt to log into a functioning, fully configured WatchGuard appliance with the CLI, you must enter “admin” as the login (or “rsadmin” for legacy appliances), as the CLI will not permit use of any other “super admin” account names.
Logging into an appliance via a console connection
To log into a brand new “factory default” WatchGuard appliance by means of the CLI console and a console (serial port) connection, follow these steps:
1 Start any terminal application and open a new connection window.
2 Verify that the terminal has been set to VT100.
NOTE
If the terminal is not set to VT100, various functions may not work—^c will not break, ESC will not work and you’ll have problems with special characters.
Connection parameters include:
- 9600 bps
- 8 data bits
- No parity
- 1 stop bit
- Flow control: none
3 Press <ENTER> once after configuring the connection parameters. The connection should be immediate, at which time a welcome message is displayed, followed by a WatchGuard “Login” prompt.
4 As this is a new appliance, type “admin” (the default login text) and press <ENTER>. The login for a legacy appliance is “rsadmin.” A “Password” prompt is displayed.
5 Type “admin” (again, the default password text) and press <ENTER> to submit the password and log in to this security appliance. The default password for a legacy device is “rsadmin.” If the login connection is successful, a WG# prompt is displayed.
WatchGuard Firebox V100 (OS 4.0)
<system_name> login:admin
Password:[type your password, nothing is displayed]
Welcome to the WatchGuard CLI Shell
WG#
You can now work with the CLI.
Logging into an existing appliance via a network connection
To log into a currently active (configured) WatchGuard appliance over a network connection, follow these steps:
1 Make sure that this appliance has an active policy permitting telnet/SSH access via a specific WatchGuard appliance interface.
2 Start any telnet/SSH application and verify that your terminal emulation is “vt100” (necessary in Windows 2000).
3 Type the IP address or qualified network name of the appliance interface and press Enter.
4 When a WatchGuard “Login” prompt is displayed, type “admin” (or “rsadmin” for a legacy appliance) and press <ENTER>.
NOTE
The CLI will not accept any other “superadmin” login names.
A “Password” prompt is displayed.
5 Type the current password (the default is “admin”, or “rsadmin” for a legacy appliance) and press <ENTER> to submit the password and log into this security appliance. A new WG# prompt is displayed.
Understanding the command prompt
As you navigate through the WatchGuard Command Line Interface, the command prompt will always indicate what command level/mode you are in. For example:

Command Prompt        Command Level/Mode
WG#                   indicates that you are at the root level
WG(config)#           indicates that you are in Configuration mode
WG(config-system)#    indicates that you are in Configuration mode at the System level
WG(config-if)#        indicates that you are in Configuration mode at the System Interface level

Abbreviating commands and keywords
You can abbreviate the available commands and keywords for each command group or mode, down to the minimum number of characters that can safely be used to represent a command, so that it cannot be mistaken for another command by the CLI. For example, the command show can be abbreviated “sh” and the command dmz can be abbreviated as “d.”
NOTE
In Administration mode, you cannot use abbreviated commands. Administration mode requires that you type the full word for each command.
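Because the prompt encodes the mode and level, a captured session transcript can be reviewed offline to see exactly which commands were issued in Configuration mode. The Python below is an added example, not WatchGuard code: it recognises only the four prompt forms the table above lists, and the transcript it processes is constructed from commands shown in this chapter.

```python
"""Tag every command in a captured CLI session with the mode it was issued in,
using the prompt forms the guide lists (WG#, WG(config)#, WG(config-system)#,
WG(config-if)#). Added example, not WatchGuard code; the transcript is constructed."""
import re
from typing import List, Optional, Tuple

# "WG", an optional "(mode)" or "(mode-level)", then "#", then whatever was typed.
PROMPT_RE = re.compile(
    r"^WG(?:\((?P<mode>[A-Za-z0-9_]+)(?:-(?P<level>[A-Za-z0-9_]+))?\))?#\s*(?P<cmd>.*)$"
)

Entry = Tuple[str, Optional[str], str]   # (mode, level, command text)


def parse_prompt_line(line: str) -> Optional[Entry]:
    """Return (mode, level, command) for a line that starts with a prompt,
    or None for appliance output. A bare prompt yields an empty command."""
    m = PROMPT_RE.match(line.strip())
    if m is None:
        return None
    mode = m.group("mode") or "root"           # WG# carries no parenthesised mode
    return (mode, m.group("level"), m.group("cmd").strip())


def commands_by_mode(transcript: List[str]) -> List[Entry]:
    """Every command typed during the session, tagged with its mode and level;
    bare prompts and appliance output lines are skipped."""
    return [e for e in map(parse_prompt_line, transcript) if e and e[2]]


def config_mode_commands(transcript: List[str]) -> List[str]:
    """Commands issued at any level of Configuration mode: the part of an
    administrative session a reviewer would examine first."""
    return [cmd for mode, _, cmd in commands_by_mode(transcript) if mode == "config"]


# Constructed transcript built only from commands shown in this chapter.
SAMPLE_SESSION = [
    "Welcome to the WatchGuard CLI Shell",
    "WG#configure",
    "WG(config)#address VPNnet + -host 199.86.77.100",
    "WG(config)#show policy",
    "  (policy listing omitted from this constructed transcript)",
    "WG(config)#system",
    "WG(config-system)#exit",
    "WG(config)#exit",
    "Commit before exit? (Y/N):y",
    "WG#",
]

if __name__ == "__main__":
    for mode, level, cmd in commands_by_mode(SAMPLE_SESSION):
        print(f"{mode:<7}{level or '-':<8}{cmd}")
```

The regular expression is anchored at the start of the stripped line, so appliance output that merely mentions a prompt mid-line is not mistaken for a typed command; a real transcript would be read from a file rather than the inline list.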
Case sensitivity
Commands, command arguments and keywords in the WatchGuard CLI are not case sensitive. For example, show policy is equivalent to SHow POLicy.
NOTE
Object name strings are case sensitive. Typing the address group name (string) “EveryBody_on_NET_A” is not the same as typing “everybody_on_net_a”! This covers all text strings, whether enclosed in quotes or not.
Extending command lines
Long command lines can be continued onto the next line of a terminal display by typing the backslash character (\) at the end of the command line, similar to the use of the backslash character in C programming syntax. This permits you to type more information (parameters) without breaking the continuity of the entire command.
In the following example of a progression of four commands, the backslash character (\) typed right before the <ENTER> in the last command line enables the administrator to continue the contents of that command line onto the next line:
WG#<ENTER>
WG#configure<ENTER>
WG(config)#cert<ENTER>
WG(config-cert)#req cert -com WatchGuard -cou US \<ENTER>
-dns rs101.WatchGuard.com -key {rsa 1024 both}<ENTER>
Typing arguments in a command
Be sure to type a "-" (hyphen) before any arguments, or the CLI will ignore and omit that argument’s condition.
Deleting text in the Command Line Interface
To delete characters to the left of the cursor, press the Backspace key, or press ^h.
To delete all characters from the current position of the cursor back to the beginning of the command line, press ^u.
Using the CLI to add to or replace existing settings and policies
Existing settings can be modified using the WatchGuard CLI in two ways:
1 An existing item can be overwritten/replaced with an entirely new item
2 Additional entries or qualifications can be appended to an existing item
Adding entries to an existing item requires use of the “plus” character (+).
If a setting or entry already exists in this WatchGuard appliance, add a “plus” character (+) before additional elements to edit that setting. In the following example, an additional host with an IP address of 199.86.77.100 is added to the address group “VPNnet”:
WG(config)#address VPNnet + -host 199.86.77.100<ENTER>
WG(config)#exit<ENTER>
Commit before exit? (Y/N):y<ENTER>
WG#_
The named address group object VPNnet now has an additional (host) member with an IP address of 199.86.77.100.
Grouping parameters in a command
Groups of parameters may be repeated in a command line by surrounding the groups with “curly” brackets ({group1 param1 param2} {group2 param1 param2} etc.). In the following example of command line block repetition, the IP addresses, port numbers, and weighting are assigned for three servers in a round-robin load balanced cluster:
WG(config)#nat <"name"> -vip round -server \
{10.10.0.100 80 1} {10.10.0.101 80 2} \
{10.10.0.102 80 3}<ENTER>
Note too, that the command line in the above example was “extended” with the use of the backslash (\) character, so that more parameters could be included in the command.
Reviewing the recently used commands
The WatchGuard CLI stores up to 20 commands (at each level in every mode) in a History buffer, which you can use to view your most recent tasks.
• Type history <ENTER> at any prompt to review the last twenty commands applied at that level of the CLI. The CLI will append a number to each line, to indicate its place in the overall chronology. The higher the number, the more recently that command was enacted. (Note that active command history listings may have multiple-digit numbers.)
• Type !! (two exclamation points) to recall and re-enact the most recently used command recorded in the buffer for this mode and level.
• Type !6 (exclamation point followed by a number) to display and enact the command identified as “6” in the buffer at this CLI level.
• Type !!<command argument> to display the most recent command and to append it with arguments and values as needed. For example, if the last command was “show”, you could type “!!address” to display the current list of address groups.
New or different command arguments may be “substituted” in the most-recent command line recalled from history. Use the format ^old_command^new_command to effect a substitution as shown in the following example:
WG#!49                          # Recall command line #49. This is the command.
show service DNS                # The next six lines are the result.
Service Group:
Name = DNS
Description = "Domain Name Services"
Protocol = UDP
Server_port = 53
WG#^DNS^SSH                     # This command substitutes SSH for DNS and executes show service SSH.
Service Group:                  # This shows the results.
Name = SSH
Description = "Secure Shell (Remote Login Protocol)"
Protocol = TCP
Server_port = 22
WG#_
Navigating through the CLI
At every command level and in all command modes, the exit command moves the CLI user “up” one level (back to the parent command level) in the command tree structure. If you issue the exit command at the top (root) level, you will log out of the system. See the following example:
WG(config-system)#exit<ENTER>
WG(config)#exit<ENTER>
WG#exit<ENTER>
# As a result, you are logged off the CLI and the display screen is cleared.
WatchGuard (OS 4.0)
At every command level except the top (root) level, entering the top command and pressing Enter “jumps” the CLI user from the current level to the top (root) command level. The top (root) command level does not have this command available as it isn’t necessary. See the following example:
WG(config-qos)#top<ENTER>
WG#_
Common Navigation commands
The following commands can be used at any level of any CLI mode.
history command
WG#admin<ENTER>
WG(admin)#history
Effect: Lists the twenty most recently exercised commands at this level. (When this command is applied at other levels, it will result in the last twenty commands entered at that specific level.) For more information on extending or adapting this command, see “Reviewing the recently used commands” on page 11.
Arguments: This command has several adaptations that extend its usefulness. See “Reviewing the recently used commands” on page 11 for details.
exit command
WG(admin)#exit
Effect: Exits the current level of CLI and returns to the next-highest command level, all the way to the top-level WG# prompt.
Arguments: None.
Example:
WG(admin)#exit<ENTER>
top command
WG(admin)#top
Effect: Immediately returns to the top level of the WatchGuard CLI (the “WG#” prompt) from whatever level of CLI you are using.
Arguments: None.
Example:
WG(admin)#top<ENTER>
# As a result, the WG# prompt is displayed.
Using keywordsThe CLI provides keywords such as enable, disable, and no that perform specific functions with system parameters. For example, enable and disable are used to enable and disable existing configurations such as policy schedules and system QoS settings. The following example shows an existing schedule configuration named “24_7_Schedule” being enabled:
WG(config)#schedule 24_7_Schedule enable<ENTER>
The keyword no functions as a simple “on/off” switch for configuration components, as shown in the following example:
WG(config)#denial_of_service no -pingofdeath<ENTER>
Show command/argument (“name”) usage
Entering the show command along with a valid command name or argument will display all stored entries associated with the named term. See the following examples. These examples show only partial displays:
Example 1: Show all security policy records
WG(config)#show policy<ENTER>
Ord NAME                 Dscpt  Src  Dest   Svc
1   PRIVATE_HTTPS               ANY  PRIVA  HTTPS
2   ALLOW_PING_FROM_PVT         ANY  INTER  PING
3   ALLOW_PING_FROM_PUB         ANY  INTER  PING
4   ALLOW_PING_FROM_DMZ         ANY  INTER  PING
5   ALLOW_OUTBOUND_DNAT         ANY  ANY    ANY
6   DENY_INBOUND         Deny   ANY  ANY    ANY
7   HOST_OUT                    ANY  ANY    ANY
WG(config)#_
Executing the show command followed by a specific name displays only the details associated with that specific named object, as shown in the following example:
Example 2: Show only “private_https” security policy settings
WG(config)#show policy PRIVATE_HTTPS
Security Policy
Name = PRIVATE_HTTPS
Description = * *
Order = 1
Source = ANY
Destination = interface_0_IP
Service = HTTPS
Viewing context-sensitive online help
When you are logged into an appliance, you can use the built-in help system to view a list of currently available commands. These commands vary depending on your current location in the CLI. The types of help commands include the following:
• Listing all available commands at a specific mode or level of CLI
• Listing all of a command’s arguments (and associated values) along with their specific usage syntax
1 To list all commands available in a particular command mode or level, type a question mark (?) or enter “help” at the command prompt. For example, enter ? at the top (root) level command to return the following list of top-level command options:
administration    Enter administration mode
configure         Enter configuration mode
debug             Enter debug mode
show              Show current configuration and statistics
history           Show command history
logout            Exit the system
exit              Exit the system
2 The WatchGuard CLI’s help system also lists a specific command’s argument options along with their specific usage syntax. For example, here is a help command that requests (and obtains) the command argument options and syntax used to configure a security policy:
WG#configure
WG(config)#policy ?
policy <"name"> [<source> <destination> <interface num>]
    [-position <num>]
    [-firewall <pass|block|authenticate|reject>]
    [<-service|-vlan|-nat|-qos|-schedule|-ipsec [no] [bi_directional]> <"n]
    [<-tosF|-tosR> <bbbbbb>]    # b is <0|1>; msb from left.
    [-log_per_policy [enable|disable] ]
    [-icmp_error_handling_per_policy [[global | all] |
        [[no] fragmentation_required] [[no] time_exceeded]
        [[no] network_unreachable] [[no] host_unreachable]
        [[no] port_unreachable] ] ]
Logging out of the appliance
After you have completed your setup or administration tasks, you can log out of the appliance by following these steps:
1 At the current prompt (at any level of the CLI), type top and press <ENTER>.
2 When the WG# prompt is displayed, type exit and press <ENTER>. You are logged out of the appliance. You can disconnect the terminal session, and physically disconnect your workstation from the appliance if necessary.
Installing and configuring a WatchGuard appliance
You can use the WatchGuard CLI to perform almost all setup and configuration tasks. We’ve organized the following catalog of tasks into general categories, with references to the series of CLI commands you would use to perform specific tasks. We’ve also organized the following catalog to chronologically guide you through the tasks in the proper sequence.
The general flow of this series of categories and tasks follows that of the printed WatchGuard Vclass User Guide, beginning with installation, and continuing on to administration and policy configuration tasks.
The tasks are sorted into the following general categories, and can be reviewed as noted here:
• “To log into a WatchGuard appliance for the first time:” on page 19
• “To assign network addresses to appliance interfaces” on page 20
• “To complete system configuration” on page 20
• “To create and apply security policies” on page 21
• “To remove/delete items from a WatchGuard database” on page 22
• “To save and apply your most recent changes” on page 22
• “To maintain an appliance” on page 22
• “To troubleshoot an appliance” on page 22
• “To get on-line help while working” on page 24
To log into a WatchGuard appliance for the first time:
See the instructions detailed in “Logging into an appliance via a console connection” on page 6.
To assign network addresses to appliance interfaces
To assign network addresses to the data interfaces, use these commands (along with the arguments and values noted later in this user guide):
Command                          Additional Information
WG(config-if)#interface 0
WG(config-if)#interface 1
WG(config-if)#interface 2        if a DMZ interface is present
WG(config-if)#ha2                if an HA2 port is present
To complete system configuration
To complete the initial system configuration, use these commands:
Command                          Description
WG(admin)#passwd                 change the default password to a new, secure password
WG(config-sys)#route             includes both static and dynamic routes
WG(config-sys)#dns               connect to a domain name server
WG(config-sys)#snmp              connect to any SNMP management stations
WG(config-sys)#log               activate needed system activity logging
WG(config-sys)#ldap              connect this appliance to an LDAP server
WG(config)#tunnel_switch         activate WatchGuard tunnel switching features
WG(config)#cert                  request and import needed certificates from CAs
WG(config)#denial_of_service     customize anti-hacker protection for this appliance
WG(config)#high_availability     set up and activate a high-availability system, using the High Availability feature
WG(config)#log                   includes event, traffic and alarm log files
To create and apply security policies
To create and apply security policies, use these commands:
Command                          Description
WG(config)#address               create all the needed address groups for use in policies
WG(config)#service               add new services or groups of related services
WG(config-ike)#action            create IKE actions for use in IKE policies
WG(config-ike)#policy            create IKE policies for use in IPSec policies
WG(config-ipsec)#action          create IPSec actions for use in IPSec proposals
WG(config-ipsec)#proposal        create IPSec proposals for use in security policies
WG(config)#nat                   create NAT actions (DNAT, SNAT or VIP) for use in policies
WG(config)#vlan                  create VLAN IDs for use in policies
WG(config-qos)#action            create QoS actions for use in policies
WG(config)#schedule              create schedules for application to specific policies
WG(config-ras)#group_profile     create RAS group profiles for use in RAS policies
WG(config-ras)#user_profile      create RAS user accounts for use in RAS policies
WG(config-ras)#database          set up the user authentication system for RAS policies
WG(config)#policy                create the actual policies
To remove/delete items from a WatchGuard database
To remove a particular object (policy, action, group profile, etc.), use this command:
WG(config)#delete
To save and apply your most recent changes
To save and apply the latest changes and additions to this appliance’s configurations and policies, use this command:
WG(config)#commit
To maintain an appliance
To perform security appliance maintenance, use these commands:
Command                          Description
WG(admin)#flush                  flush all current connections and SAs
WG(admin)#passwd                 replace the existing password with a new one
WG(admin)#reboot                 reboot the WatchGuard appliance
WG(admin)#shutdown               shut down the WatchGuard appliance
WG(admin)#restore_default        restore an appliance to the factory-default state
(CLI prompt)#history             review the most recent tasks (at any level)
To troubleshoot an appliance
To perform troubleshooting tasks, use these commands:
Command                          Description
WG(debug)#arp                    display and configure the ARP table
WG(debug)#netstat                show network/connection states and statistics
WG(debug)#ping                   verify network connectivity
WG(debug)#radius_ping            verify connection with a RADIUS server
WG(debug)#tcpdump                trace network packets
WG(debug)#traceroute             trace a route to a specific destination
To get on-line help while working
To get help with the WatchGuard CLI:
Command       Description
?             online help at any prompt, or at the end of any other command
show          view a list of objects at the # prompt
history       view the last 20 commands entered at this level of the CLI; Enter at the # prompt
CHAPTER 2 Administration Mode Commands
All WatchGuard CLI commands are organized into groups, which are presented as specific command modes. This chapter covers the commands available in Administration Mode.
Command syntax conventions used in this guide
To help you better use this guide, the following text conventions are used. These conventions are in addition to the text notation introduced in “CLI Guide text conventions” on page 3.
Convention                Description
<text>                    All required text is enclosed in angle brackets.
-<text>                   Some arguments must be preceded by a hyphen (“-”). If a hyphen is required, but you do not use it to precede the argument, that argument will be dropped.
[text]                    Optional text is enclosed in square brackets.
{text}                    Text wrapped in curly braces is optional, usually representing qualifications or values related to an argument.
itemA | itemB             Text items separated by a pipe character (vertical bar) indicate two options, of which only one can be entered.
itemA &| itemB            Text followed by an ampersand (&) and a pipe character (vertical bar) indicates two options, either or both of which can be entered.
[item_A, item_B, item_C]  A comma separating bracketed text indicates repeated options that may be entered one at a time or all at once.
+ item                    A plus (+) sign preceding specific text represents additional elements that are being added to an existing setting. For example, to add a new “member” to an existing address group, you would type a “+” prior to the address information of the new member.
no                        A “no” entered before an argument indicates that the argument is not to be included in the command. This is useful when entering a number of arguments, one of which should not be included yet must be entered in the command.
\                         A backslash character at the end of a portion of command line signifies that the command line has been broken at that point, and continues on the next line.
If you enter a command in the CLI, such as the following:
WG(config)#policy
and press <ENTER> without adding any arguments to the command line, the WatchGuard CLI will display a complete list of related arguments and values, in the form in which you should enter them. This is helpful when the CLI tells you that a command you just entered isn’t acceptable. You can call up this text to review requirements and syntax for a command or argument.
Administration mode commands
The following catalog lists all of the administration mode commands, along with a description of the arguments for each command and the relevant values for each argument.
Command For more information, see
account “account command” on page 28
downgrade “downgrade command” on page 29
export “export command” on page 30
flush “flush command” on page 31
ha_sync “ha_sync command” on page 31
import “import command” on page 32
operation_mode “operation_mode command” on page 35
passwd “passwd command” on page 36
reboot “reboot command” on page 37
restore_default “restore default command” on page 38
shutdown “shutdown command” on page 38
upgrade “upgrade command” on page 39
history “history command” on page 14
exit “exit command” on page 14
top “top command” on page 15
account command
WG#admin<ENTER>
WG(admin)#account -login_limit
                  -login_limit <admin|user> <0-10>
                  -status
                  -unlock <name>|all
                  -all
Effect: Allows you to view, set, and clear failed login attempt limits. Login limits provide a further level of security, and eliminate susceptibility to “brute force” password hacks.
The account management feature is available in all three operation modes (normal, FIPS, and CC).
The CLI allows only the root superadmin “admin” to log in, while rejecting all other accounts, including user-defined superadmin accounts. If you set the login_limit feature on the root superadmin user, it is possible for the superadmin to be locked out of the system.
To work around this possible problem:
1 Create another superadmin account in addition to the root superadmin “admin” account, using Vcontroller, before you set the login_limit for the root superadmin account. If the root superadmin “admin” is locked out because of exceeded login failures, you can use this separate, non-root-level superadmin account to log in to Vcontroller with full administration privileges.
2 In a text editor, create and save an ASCII text file with the following two lines:
admin
account -unlock admin
3 In Vcontroller, click Diagnostics/CLI and select the CLI tab. This feature allows you to select a text file that contains CLI commands.
4 Click Open. A Browse dialog appears.
5 Select the text file you created earlier, and click Select. The admin account is unlocked.
Arguments
-login_limit
This command displays the current login limits set for admin and user on the device.
-login_limit <admin|user> <0-10>
This command sets the limit for failed attempts for the specified user type (admin or user) to the number specified.
-status
This command displays a table of failed login attempts for each user, provided the limit for the login name is greater than 0.
-unlock <name>|all
This command unlocks a login name or all login names, after the name or names are locked due to failed login attempts.
-all
This command displays detailed information for all accounts on the device.
Examples
WG#admin<ENTER>
WG(admin)#account -login_limit
WG#admin<ENTER>
WG(admin)#account -login_limit admin 5
WG#admin<ENTER>
WG(admin)#account -unlock joe_user
downgrade command
WG#admin<ENTER>
WG(admin)#downgrade
Effect: Restores the system software to the previously installed version.
Arguments: None
Example:
WG(admin)#downgrade<ENTER>
NOTE: If you apply this command, certain WatchGuard features incorporated in the current version may not be available afterwards. This will affect both configurations and policies in this appliance. You should make a careful review of this security appliance’s setup to prevent any problems.
export command
WG#admin<ENTER>
WG(admin)#export
Effect: Exports certificate requests, the log archive, or an XML profile. The export command must be followed by a space and the name of the item to be exported:
cert_request to export certificate requests
log to export the log archive
xml to export an XML profile
ip to export the blocked or exception IP lists
Each export option requires specific syntax.
export cert_request:
export cert_request <CERT_ID> [-tftp] <host:/target/file_name> -ftp <[user[:passwd]@]host:/target/file_name> -[console]
#ex: export cert_request 20001 10.10.0.100:/RS/cert/20001.req
export log:
export log [all|alarms|events|traffic|ras_user|p1sa|p2sa] [-tftp] <host:/target> -ftp <[user[:passwd]@]host:/target>
export xml:
export xml [-tftp] <host:/target/file_name> -ftp <[user[:passwd]@]host:/target/file_name> -[console]
export ip:
export ip {blocked|allowed} [-tftp] <host:/target/file_name> -ftp <[user[:passwd]@]host:/target/file_name>
flush command
WG#admin<ENTER>
WG(admin)#flush
Effect: Resets all active connections, including SAs.
Arguments: None.
ha_sync command
WG#admin<ENTER>
WG(admin)#ha_sync
NOTE: This command is available only if the WatchGuard appliance you are currently logged into has High Availability enabled (using the “config-ha” command), is the Master appliance, and is connected to another security appliance assigned to a backup role.
Effect: Initiates the WatchGuard Firebox Vclass security appliance hotsync process, which copies the complete profile (configurations and policies) from this appliance to a designated backup appliance. After you restart the backup appliance, your “high availability” system is ready and active.
Arguments: None
Example:
WG(admin)#ha_sync<ENTER>
import command
The import command allows you to import certificates, a certificate revocation list (CRL), an XML profile, or a list of blocked or allowed IPs.
cert command
WG#admin<ENTER>
WG(admin)#import cert [-tftp] <host:/target/file_name> -ftp <[user[:passwd]@]host:/target/file_name> -[console]
Effect: Imports a certificate via one of several possible methods.
Arguments: None
Example:
WG(admin)#import cert -ftp wg:[email protected]:/pub/cert/cert.p2<ENTER>
crl command
WG#admin<ENTER>
WG(admin)#import crl [-tftp] <host:/target/file_name> -ftp <[user[:passwd]@]host:/target/file_name> -[console]
Effect: Imports a certificate revocation list (CRL) via one of several possible methods.
Arguments: None
Example:
WG(admin)#import crl -ftp wg:[email protected]:/pub/cert/cert.p2<ENTER>
xml command
WG#admin<ENTER>
WG(admin)#import xml [-tftp] <host:/target/file_name> -ftp <[user[:passwd]@]host:/target/file_name> -[console]
Effect: Imports an xml file via one of several possible methods.
Arguments: None
Example:
WG(admin)#import xml -ftp wg:[email protected]:/pub/xml/listfile.xml<ENTER>
ip command
WG#admin<ENTER>WG(admin)#import ip {blocked|allowed} {override|merge} [-tftp] <host:/target/file_name> -ftp <[user[:passwd]@] host:/target/file_name>
Effect: Imports a list of blocked or allowed IP addresses to the appliance database.
Prerequisites: The list of IP addresses must be a text file. The formatting information follows.
For blocked IP, each line of the file should include:
<IPaddr> [space]<mm/dd/yyyy> [space] <hh:mm:ss>
<mm/dd/yyyy> specifies the month, day, and year.
<hh:mm:ss> specifies the hour, minute, and second.
For example, a text file containing the following lines blocks these sites until the provided expiration time:
12.11.12.15 8/14/2003 14:00:00
12.13.22.8 10/19/2004 1:21:05
To add blocked sites that do not expire, use only the IP address.
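A checker for the blocked-IP file format just described, as an added example in Python (not WatchGuard code). It accepts the two lines shown above, treats a bare address as a block that never expires, and reports malformed lines so they can be fixed before the file is handed to import ip. The sample file below is constructed, and the requirement that each address be a single IPv4 address is this example's assumption, since the guide does not describe the appliance's own parser.

```python
"""Validate a blocked-IP import file for `import ip blocked`.

Added example, not WatchGuard code. Each line must have the form the guide
gives, <IPaddr> [<mm/dd/yyyy> <hh:mm:ss>], where the date and time are the
expiry of the block and a bare address blocks permanently. Anything else
is reported with its line number instead of being silently imported.
Assumption for this example: addresses are single IPv4 addresses.
"""
import ipaddress
from datetime import datetime
from typing import NamedTuple, Optional

# Constructed sample file: the two lines from the guide, a permanent block,
# then two malformed lines (address octet out of range; ISO date instead
# of mm/dd/yyyy) that an administrator would want caught before import.
SAMPLE_FILE = """\
12.11.12.15 8/14/2003 14:00:00
12.13.22.8 10/19/2004 1:21:05
203.0.113.9
203.0.113.300 1/1/2005 00:00:00
198.51.100.7 2005-01-01 00:00:00
"""


class BlockedEntry(NamedTuple):
    address: ipaddress.IPv4Address
    expires: Optional[datetime]  # None means the block never expires


def parse_line(line):
    """Parse one line into a BlockedEntry or raise ValueError."""
    fields = line.split()
    if len(fields) not in (1, 3):
        raise ValueError(f"expected 1 or 3 fields, got {len(fields)}")
    try:
        addr = ipaddress.IPv4Address(fields[0])
    except ipaddress.AddressValueError as exc:
        raise ValueError(f"bad IPv4 address {fields[0]!r}") from exc
    if len(fields) == 1:
        return BlockedEntry(addr, None)
    try:
        # %m/%d/%Y and %H:%M:%S accept the unpadded "8" and "1" the guide shows.
        when = datetime.strptime(f"{fields[1]} {fields[2]}", "%m/%d/%Y %H:%M:%S")
    except ValueError as exc:
        raise ValueError(
            f"bad expiry {fields[1]} {fields[2]}: expected mm/dd/yyyy hh:mm:ss"
        ) from exc
    return BlockedEntry(addr, when)


def parse_file(text):
    """Return (entries, errors); errors is a list of (line_no, message).

    Blank lines are skipped. A single bad line does not abort the check,
    so every problem in the file is reported in one pass.
    """
    entries, errors = [], []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        try:
            entries.append(parse_line(line))
        except ValueError as exc:
            errors.append((line_no, str(exc)))
    return entries, errors


def still_blocked(entry, now):
    """True if the entry is still in force at `now` (a datetime)."""
    return entry.expires is None or entry.expires > now


if __name__ == "__main__":
    good, bad = parse_file(SAMPLE_FILE)
    for entry in good:
        print(entry.address, "expires", entry.expires or "never")
    for line_no, message in bad:
        print(f"line {line_no}: {message}")
```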
Arguments
blocked|allowed
Specifies whether to import the contents of the text file to the blocked IP list, or to the allowed (exceptions) IP list.
merge|override
Merge merges the new IP addresses into the existing list of IP addresses.
Override replaces all of the existing IP addresses with the IP addresses on the imported list.
Example:
WG(admin)#import ip blocked override -ftp 192.168.216.232:/tmp/blockedip.txt<ENTER>
operation_mode command
WG#admin<ENTER>
WG(admin)#operation_mode <normal|FIPS|common_criteria>
Effect: This command changes the system mode to operate in normal, FIPS, or Common Criteria (CC) mode.
FIPS mode
FIPS 140-2 is a standard that describes government requirements that cryptographic hardware or software products must meet. FIPS certification is required for products that are sold to the government.
FIPS mode disables or changes the following functionality:
- Shell access is disabled (for example, sucode).
- Unprotected remote access is disabled, including telnet and SSH. To log in to the box using telnet requires a physical connection to the console port.
- Non-qualified algorithms are disabled (MD5).
- SSL 3.0 is disabled. Support for TLS is still included.
- A direct crypto interface to the Rapidcore and other crypto modules is provided for the startup crypto self-test, and random number generation can be tested.
- Object reuse is avoided. Keys are zeroed out when they are no longer in use.
Common Criteria (CC) mode
Common Criteria (CC) defines a language for defining and evaluating information technology security systems and products. The framework provided by Common Criteria allows US government agencies and other groups to define sets of specific requirements.
IT security products purchased by the US Government for National Security Systems, which handle Classified and some non-Classified information, are required to be Common Criteria certified.
Common Criteria mode conforms to EAL4 level.
Common Criteria mode disables or changes the following functionality:
- HTTPS uses 3DES-SHA1 encryption only.
- User login failure count can be configured, and users can be locked out after the failure count is met. See “account command” on page 28 for more information.
passwd command
WG#admin<ENTER>
WG(admin)#passwd <ENTER>
Effect: Replaces the current “admin” super user access password text with a new entry. This command initiates a several-step process in which you will be prompted to enter the new password twice, before it takes effect. See “Process” immediately following for details.
Process
Type a space, then the text of the current password after the command.
When you press <ENTER>, a “New password:” prompt is displayed, at which you can type the new password, using between 6 and 20 characters.
NOTE: No text will appear on-screen as you type.
When you press <ENTER> to submit the new password text, a “Reconfirm password:” prompt is displayed. Retype the same text (during which no text will appear on-screen).
When you press <ENTER>, the new password will be confirmed and stored in the appliance, then immediately put into effect.
Example:
WG(admin)#passwd: <ENTER>
New password: * <ENTER>            # Remember, no text will appear when you type.
Reconfirm password: * <ENTER>
Password change completed!
WG(admin)#
NOTE: Remember to write the new password down and store the note in a safe place. If you forget the password and lose the note, contact WatchGuard for assistance.
reboot command
WG#admin<ENTER>
WG(admin)#reboot
Effect: Shuts down, then restarts this WatchGuard Firebox Vclass security appliance. You will be automatically logged out of the appliance, but after a few minutes (and a considerable display of status messages), the main login prompt will appear. You can log in again at this time.
Arguments: None.
restore default command
WG#admin<ENTER>
WG(admin)#restore_default
Effect: Reinitializes this appliance and restores the original “factory default” configuration. Once this process is complete, you can log in again, then start over with appliance installation, configuration and policy creation, either by manual entry or importing of a profile from another appliance.
Arguments: None.
Results: After applying this command, the CLI will immediately record a series of “restoring” status messages, along with “please wait…” messages. When the restoration is complete, the main login prompt will appear.
You can now log into the appliance with the user name of “admin” and the password of “admin” to begin reconfiguration of this appliance.
shutdown command
WG#admin<ENTER>
WG(admin)#shutdown
Effect: Shuts down this WatchGuard appliance. You will be automatically logged out of the appliance, at which time you can break the CLI connection.
Arguments: None.
upgrade command
WG(admin)#upgrade [-tftp] <host:/target/upgrade.rsu>
WG(admin)#upgrade -ftp <[user[:passwd]@]host:/target/upgrade.rsu>
Effect: Upgrades the system software, using a “.rsu” file, from a specific location.
Example:
upgrade -ftp wg:[email protected]:/patch/upgrade.rsu
CHAPTER 3 Configuration Mode Commands
All WatchGuard CLI commands are organized into groups, which are presented as specific command modes. This chapter covers the commands available in Configuration Mode.
Top-level configuration mode commands
The following catalog lists the top-level configuration mode commands, with a description of the arguments for each command and the values for each argument. Also included, where applicable, is the sequence of “config” commands necessary to reach a specific command level where a particular command can be entered and used.
Command For more information
abort See “abort command” on page 43.
address See “address command” on page 43.
certificate See “certificate command” on page 45.
commit See “commit command” on page 45.
delete See “delete command” on page 45.
denial_of_service See “denial_of_service command” on page 46.
high_availability See “high_availability commands” on page 47.
ike See “ike command” on page 48.
interface See “interface command” on page 49.
ipsec See “ipsec command” on page 49.
license See “license command” on page 49.
log See “log command” on page 50.
nat See “nat command” on page 54.
no See “no command” on page 56.
policy See “policy command” on page 57.
qos See “qos command” on page 60.
ras See “ras command” on page 61.
rename See “rename command” on page 61.
schedule See “schedule command” on page 62.
service See “service command” on page 63.
system See “system command” on page 64.
trace See “trace command” on page 64.
tenant See “tenant command” on page 65.
tunnel_switch See “tunnel_switch command” on page 65.
show See “history command” on page 66.
history See “history command” on page 14.
exit See “exit command” on page 14.
top See “top command” on page 15.
abort command
WG#config<ENTER>
WG(config)#abort

Effect
Aborts (erases) all system configuration changes made since the last use of the WG(config)#commit command. This empties the cache of to-be-committed changes and additions.

Arguments
None
address command
WG#config<ENTER>
WG(config)#address <"name"> [+] -host <a.b.c.d> \
    [<a.b.c.d>]… -net <a.b.c.d/e> [<a.b.c.d/e>]… -range \
    <a.b.c.d-a.b.c.d> [<a.b.c.d-a.b.c.d>]… \
    -group <address_name> [<address_name>]…

Effect
Creates a new address object or modifies an existing group, depending upon the use of the “+” character. This command must start with a new or existing “name” and can incorporate the following: (1) a single IP address, (2) a range of IP addresses, (3) a subnet, and (4) a group of existing address entries that you may want to combine into a single entity.

Arguments
<"name">
This argument notes a new “name” for this group. You can then type one or more of the following addressing arguments, depending upon the contents of this address.

-host <a.b.c.d> [a.b.c.d]…
This argument notes a single IP address (with no subnet mask or prefix length).

-net <a.b.c.d/e> [a.b.c.d/e]…
This argument notes a subnet address and prefix length (representing all the individual IP addresses in that subnet).

-range <a.b.c.d-a.b.c.d> [<a.b.c.d-a.b.c.d>]
This argument notes a range of IP addresses.

-group <address_name> [address_name]…
This argument notes a group of existing address entries that you want to combine into a single entity.

+
This character, when inserted in the command line in the proper location, allows you to add a new address member to an existing group. You must have the exact name of the group, in its case-sensitive form, before adding new entries.

Examples
WG(config)# address my_nets -host 10.10.1.1<ENTER>
# Creating a new address object with a single host (a prefix such as /16 belongs with -net)

WG(config)# address dmz_range -range 14.0.2.1- \
    14.0.2.125<ENTER>
# Creating a new address object with a range of IP addresses

WG(config)# address my_nets + -net 10.29.0.0/16<ENTER>
# Add a new address to an existing address group
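The address command above is easy to get wrong in a script (a host written with a prefix, a range whose ends are reversed, a "+" aimed at a name that does not exist yet). The following is an added example, not code from the guide or from WatchGuard: a small Python builder that validates each argument with the standard library and renders the documented syntax. The function and variable names are the example's own; the addresses and object names in the test are the guide's.

```python
"""Builder for Vclass `address` command lines.

Added example, not part of the guide: validates -host / -net / -range /
-group arguments before they are typed (or scripted) into the CLI and
renders the exact syntax documented above, including the "+" form for
adding members to an existing object.
"""
import ipaddress


def _host(value):
    # -host takes a bare a.b.c.d; a prefix such as 10.10.1.1/16 belongs to -net
    if "/" in value:
        raise ValueError(f"-host takes a single address without a prefix: {value}")
    return str(ipaddress.IPv4Address(value))


def _net(value):
    # strict=True rejects 10.10.1.1/16 (host bits set): write the network, 10.10.0.0/16
    return str(ipaddress.IPv4Network(value, strict=True))


def _range(value):
    lo, sep, hi = value.partition("-")
    if not sep:
        raise ValueError(f"-range takes a.b.c.d-a.b.c.d: {value}")
    lo_ip, hi_ip = ipaddress.IPv4Address(lo.strip()), ipaddress.IPv4Address(hi.strip())
    if lo_ip > hi_ip:
        raise ValueError(f"range start is above its end: {value}")
    return f"{lo_ip}-{hi_ip}"


_CHECK = {"host": _host, "net": _net, "range": _range}


def address_command(name, *, hosts=(), nets=(), ranges=(), groups=(), append=False):
    """One command line, e.g. 'address my_nets + -net 10.29.0.0/16'."""
    if not name or any(c.isspace() for c in name):
        raise ValueError("name must be a single non-empty token")
    parts = ["address", name] + (["+"] if append else [])
    for flag, values in (("host", hosts), ("net", nets), ("range", ranges)):
        if values:
            parts.append(f"-{flag}")
            parts.extend(_CHECK[flag](v) for v in values)
    if groups:
        parts.append("-group")
        parts.extend(groups)
    if len(parts) == 2 + int(append):
        raise ValueError("at least one of -host/-net/-range/-group is required")
    return " ".join(parts)


def address_commands(specs, existing=()):
    """Render (name, kwargs) specs in order, tracking which objects exist so that
    '+' only targets an existing object, a new name is not silently reused, and
    -group only references objects defined earlier (the guide requires that)."""
    defined = set(existing)
    lines = []
    for name, kwargs in specs:
        append = kwargs.get("append", False)
        if append and name not in defined:
            raise ValueError(f"'+' needs an existing object: {name}")
        if not append and name in defined:
            raise ValueError(f"{name} already exists; use '+' to add members")
        for group in kwargs.get("groups", ()):
            if group not in defined:
                raise ValueError(f"-group references an undefined object: {group}")
        lines.append(address_command(name, **kwargs))
        defined.add(name)
    return lines
```

Feed address_commands() the objects in the order you intend to commit them (pass names that already exist on the appliance via existing) and paste its output; a ValueError before anything is typed is cheaper than an object that silently covers the wrong subnet.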
certificate command
WG#config<ENTER>
WG(config)#certificate

Effect
Enters the certificate-configuration mode, at which point you can enter certificate-specific task commands and their arguments.

Arguments
None in this mode.

See Also
For more information about “certificate” mode commands, see “Level 2 certificate configuration commands” on page 67.

commit command
WG#config<ENTER>
WG(config)#commit

Effect
This command applies all uncommitted policy and system configuration changes and additions to the appliance.

Arguments
None

delete command
WG#config<ENTER>
WG(config)#delete <object_type> <"name">

Effect
Deletes a specifically named object, such as an address group, policy, action, or service.

Arguments
<object_type>
The type of object to delete (for example address, or ike policy, as in the examples below).

<"name">
This argument records the exact name of the to-be-deleted item.
Example
WG(config)#delete address exec_addresses<ENTER>
# This command deletes an address group named “exec_addresses”.

WG(config)#delete ike policy "HQ IKE"<ENTER>
# This command deletes an IKE policy named “HQ IKE”.
denial_of_service command
WG#config<ENTER>
WG(config)#denial_of_service [no][-icmp [threshold]]     # threshold packets/s; default=1000
    [no][-syn [threshold]]                                # threshold packets/s; default=5000
    [no][-udp [threshold]]                                # threshold packets/s; default=1000
    [no][-pingofdeath]
    [no][-sourceroute]
    [no][-server_ddos [threshold]]                        # threshold connections/s; default=100
    [no][-client_ddos [threshold]]                        # threshold connections/s; default=100

Effect
Records your preferences for denial-of-service defense parameters. You can enter any or all of the customizable arguments listed below.

Arguments
[no][-icmp <threshold>]
Activates ICMP flood protection with a user-noted threshold in packets per second; default = 1000.

[no][-syn <threshold>]
Activates TCP SYN flood protection with a user-noted threshold in packets per second; default = 5000.

[no][-udp <threshold>]
Activates UDP flood protection with a user-noted threshold in packets per second; default = 1000.

[no][-pingofdeath]
Activates ping-of-death protection.

[no][-sourceroute]
Activates source route protection by disallowing source route options.

[no][-server_ddos <threshold>]
Activates server DDoS protection; the threshold (default = 100) is the maximum number of connections per second permitted to any one server.

[no][-client_ddos <threshold>]
Activates client DDoS protection; the threshold (default = 100) is the maximum number of connection requests per second permitted from a single client.

no
Enter this before any option you want to deactivate in this appliance, as shown in the example.

Example
WG(config)#denial -syn 1000 no -udp<ENTER>
# Lowers the SYN-flood threshold to 1000 packets/s and turns UDP flood protection off
high_availability commands
NOTE
High Availability commands will not be available to you if the WatchGuard appliance you are administering does not feature any HA ports. In addition, you need a High Availability feature license.

Enter high availability configuration mode
WG#config<ENTER>
WG(config)#high_availability

Effect
Enters the high availability (HA) configuration mode, at which point you can enter HA-specific commands and their arguments.

Arguments
None in this mode.

See Also
For more information about “HA” mode commands, see “Level 2 High Availability configuration commands” on page 72.

Disable high availability mode
WG#config<ENTER>
WG(config)#no high_availability

Effect
Disables high availability if it is already in effect.

Arguments
None.

ike command
WG#config<ENTER>
WG(config)#ike

Effect
Enters the IKE configuration mode, at which point you can enter IKE-specific commands and their arguments.

Arguments
None in this mode.

See Also
For more information about “IKE” mode commands, see “Level 2 IKE configuration commands” on page 78.
interface command
WG#config<ENTER>
WG(config)#interface

Effect
Enters the system interface configuration mode, at which point you can enter interface-specific commands and their arguments.

Arguments
None in this mode.

See Also
See “Level 2 interface configuration commands” on page 82 for details on specific “interface” mode commands.

ipsec command
WG#config<ENTER>
WG(config)#ipsec

Effect
Enters the IPSec configuration mode, at which point you can enter IPSec action- and proposal-specific commands and their arguments.

Arguments
None in this mode.

See Also
For more information about “IPSec” mode commands, see “Level 2 IPSec configuration commands” on page 95.

license command
WG#config<ENTER>
WG(config)#license
Effect
Enters license parameter configuration mode, at which point you can enter license-specific commands and their arguments.

Arguments
None in this mode.

See Also
For more information about “license” mode commands, see “Level 2 license commands (for upgraded or additional features)” on page 117.

log command
WG#config<ENTER>
WG(config)#log

Effect
Enters the log configuration mode (prompt WG(config-log)#), in which the following log-level commands are available.

no command (log level)
WG#config<ENTER>
WG(config)#log<ENTER>
WG(config-log)#no <event|remote_log_server|traffic>

Effect
Disables logging for the specified log.

Arguments
<event|remote_log_server|traffic>
The log to disable.

Example
WG#config<ENTER>
WG(config)#log<ENTER>
WG(config-log)#no traffic

clear all command (log level)
WG#config<ENTER>
WG(config)#log<ENTER>
WG(config-log)#clear_all

Effect
Clears all logs.
Arguments
None

Example
WG#config<ENTER>
WG(config)#log<ENTER>
WG(config-log)#clear_all

diagnostics command (log level)
WG#config<ENTER>
WG(config)#log<ENTER>
WG(config-log)#diagnostics [ike <level>]    # level=1-6
    [cmm <level>] [nm <level>] [pmm <level>] [ha <level>]

Effect
Runs log diagnostics for the specified feature.

Arguments
[ike|cmm|nm|pmm|ha] <level>
The feature to diagnose and a level from 1 to 6.

Example
WG#config<ENTER>
WG(config)#log<ENTER>
WG(config-log)#diagnostics ha 1

[no] event command (log level)
WG#config<ENTER>
WG(config)#log<ENTER>
WG(config-log)#[no] event <critical|error|warning|administration|info>

Effect
Turns logging on (or off, if the command is preceded by “no”) for the specified event level.

Arguments
<critical|error|warning|administration|info>
The event level to turn on or off.
Example
WG#config<ENTER>
WG(config)#log<ENTER>
WG(config-log)#event administration

[no] remote command (log level)
WG(config-log)#[no] remote <server_ip> [default]
    [-alarm <facility> <priority>]
    [-event <facility> <priority>]
    [-traffic <facility> <priority>]
    [-p1sa <facility> <priority>]
    [-p2sa <facility> <priority>]
    [-ras <facility> <priority>]
# facility := [auth|authpriv|cron|daemon|ftp|kern|lpr|mail
#              |news|syslog|user|uucp|local0|local1|...|local7]
# priority := [original|debug|info|notice|warning
#              |err|Crit|alert|emerg]

Effect
Turns remote (syslog) logging on or off for the specified logs, mapping each log type to a syslog facility and priority on the server at <server_ip>.

Arguments
<server_ip>
The IP address of the remote log server.

[default]
Uses the appliance's default facility and priority assignments for all log types.

[-alarm|-event|-traffic|-p1sa|-p2sa|-ras <facility> <priority>]
Per-log-type facility and priority assignments.

NOTE
Classic syslog carries messages in clear text with no authentication, so keep the log server on the management network and restrict its listener to this appliance's address.

Example
WG#config<ENTER>
WG(config)#log<ENTER>
WG(config-log)#remote 10.10.10.99 default
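When the facility/priority pairs above are set per log type, the collector side needs matching filters, and the only thing it sees is the numeric PRI prefix on each message. The following is an added example, not code from the guide or from WatchGuard: it maps the command's facility and priority keywords to the RFC 3164 codes (PRI = facility × 8 + severity), decodes a PRI back, and renders the remote command. The keyword original is treated as "keep the message's native level", which has no fixed PRI; that reading of the keyword is an assumption, as is the function naming.

```python
"""Syslog PRI helper for the Vclass `remote` log command.

Added example (not from the guide): turns the facility/priority keywords the
command accepts into the numeric PRI value a collector sees in the "<PRI>"
prefix of each message (RFC 3164: facility * 8 + severity), and back, so that
collector-side filters can be written to match what the appliance sends.
"""
import ipaddress

FACILITY = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    **{f"local{i}": 16 + i for i in range(8)},
}
SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
            "warning": 4, "notice": 5, "info": 6, "debug": 7}
LOG_TYPES = ("alarm", "event", "traffic", "p1sa", "p2sa", "ras")
_FACILITY_BY_CODE = {code: name for name, code in FACILITY.items()}
_SEVERITY_BY_CODE = {code: name for name, code in SEVERITY.items()}


def pri(facility, priority):
    """Numeric PRI for a facility/priority pair, e.g. ('local4', 'info') -> 166.
    The guide spells critical 'Crit'; we fold priorities to lower case."""
    if priority.lower() == "original":
        # assumption: 'original' keeps each message's own level, so no single PRI
        raise ValueError("'original' keeps each message's own level; no fixed PRI")
    return FACILITY[facility] * 8 + SEVERITY[priority.lower()]


def decode_pri(value):
    """Inverse of pri(): 166 -> ('local4', 'info'). Handy when checking a capture."""
    facility_code, severity_code = divmod(value, 8)
    if facility_code not in _FACILITY_BY_CODE:
        raise ValueError(f"facility code {facility_code} is not one the CLI can emit")
    return _FACILITY_BY_CODE[facility_code], _SEVERITY_BY_CODE[severity_code]


def remote_command(server, mapping=None, default=False, disable=False):
    """Render the CLI line. mapping: {log_type: (facility, priority)}.

    remote 10.10.10.99 default
    remote 10.10.10.99 -traffic local4 info -alarm local4 Crit
    no remote 10.10.10.99
    """
    ipaddress.IPv4Address(server)  # reject anything that is not a plain IPv4 address
    if disable:
        return f"no remote {server}"
    parts = ["remote", server]
    if default:
        parts.append("default")
    for log_type, (facility, priority) in (mapping or {}).items():
        if log_type not in LOG_TYPES:
            raise ValueError(f"unknown log type {log_type!r}")
        if facility not in FACILITY or priority.lower() not in (*SEVERITY, "original"):
            raise ValueError(f"bad facility/priority for {log_type}: {facility} {priority}")
        parts += [f"-{log_type}", facility, priority]
    if len(parts) == 2:
        raise ValueError("give 'default' or at least one -<log_type> mapping")
    return " ".join(parts)


def expected_pris(mapping):
    """PRI values the collector should expect per log type, for writing its filters."""
    return {log_type: pri(facility, priority)
            for log_type, (facility, priority) in mapping.items()
            if priority.lower() != "original"}
```

Put the traffic log on its own local facility so that a flood of per-connection records can be routed to bulk storage without drowning alarms; expected_pris() gives you the exact numbers for the collector's filter rules.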
[no] traffic command (log level)
WG#config<ENTER>
WG(config)#log<ENTER>
WG(config-log)#[no] traffic

Effect
Turns the traffic log on or off.

Arguments
None

Example
WG#config<ENTER>
WG(config)#log<ENTER>
WG(config-log)#traffic

history command (log level)
WG#config<ENTER>
WG(config)#log<ENTER>
WG(config-log)#history

Effect
Shows up to the last 20 commands.

Arguments
None

Example
WG#config<ENTER>
WG(config)#log<ENTER>
WG(config-log)#history
rename command (log level)
WG#config<ENTER>
WG(config)#log<ENTER>
WG(config-log)#rename
    address    rename address groups
    ike        rename IKE actions/policies
    ipsec      rename IPSec actions/proposals
    nat        rename NAT actions
    policy     rename security policies
    qos        rename QoS actions
    ras        rename RAS group
    schedule   rename schedule actions
    service    rename service groups

Effect
Allows you to rename various items.

See also
See “rename command” on page 61.
nat command
WG#config<ENTER>
WG(config)#nat <"name"> [-static_nat <-external \
    <address_group>> <-internal <address_group>>] | \
    [-vip <round_robin|wround_robin|random|wrandom| \
    least_connection|wleast_connection> -server [+] \
    {<ip|address> <port> [weight]}…]

Effect
Records a new NAT action for use in security policies. You can create one of three possible NAT actions, choosing from VIP (load balancing), dynamic NAT or static NAT.

Arguments
<"name">
If this is to be a load-balancing or static NAT action, enter a short, distinctive name for this new action following the nat command.

-static_nat <-external <address group>> <-internal <address group>>
(For one-to-one and subnet-to-subnet mapping) This argument specifies (1) that this is a static NAT action, and (2) records the address groups associated with the internal and external sides. The address groups can be single IP addresses or subnets.

-vip <round_robin|wround_robin|random|wrandom|least_connection|wleast_connection> -server [+] {<IP address> <port> [weight]}…
This argument specifies that this is a load-balancing (virtual IP) NAT action, and records (1) the algorithm that will be applied and (2) the server addresses and port numbers. If a weighted algorithm is used, this argument adds (3) the per-server weight assignments.

The load-balancing algorithm argument values include the following entries:

round_robin: Denotes the round robin algorithm
wround_robin: Denotes weighted round robin
random: Denotes random
wrandom: Denotes weighted random
least_connection: Denotes least connection
wleast_connection: Denotes weighted least connection

TIP
If you are adding a new server/weight to an existing VIP NAT action, prefix the new server record with a “+” character.

If you are entering the “server” argument, you must note (1) the IP address of the server, (2) the port number it will watch and (3) the proportion of traffic this server will be assigned, noted as a whole number.
NOTE
Dynamic NAT is already present in the WatchGuard database by default, and is ready for use in security policies. You can specify “dynamic_nat” as the NAT action when you create the appropriate policies.

Examples
WG(config)#nat load_balancing -vip wround -server \
    {10.10.0.100 80 1} {10.10.0.101 80 2} \
    {10.10.0.102 80 3}
WG(config)#nat natS -stat -ext pub1 -int \
    web_server1
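The guide says only that a weighted algorithm hands each server a share of connections proportional to its whole-number weight; it does not say how the appliance interleaves them. The following is an added example, not WatchGuard's code: it implements smooth weighted round-robin (the variant nginx uses), which yields exactly weight_i picks per server in every cycle of sum(weights) picks, spread out rather than in runs, and renders the -vip command for the same server records. The algorithm choice and the class and function names are the example's own; the server records are the guide's.

```python
"""Weighted server selection behind a Vclass `-vip` NAT action.

Added example, not the appliance's code. Smooth weighted round-robin: every
pick adds each server's weight to its running score, chooses the highest
score, and charges the total weight to the winner. With weights 1:2:3 the
first six picks are 102, 101, 100, 102, 101, 102.
"""
from collections import Counter

ALGORITHMS = ("round_robin", "wround_robin", "random", "wrandom",
              "least_connection", "wleast_connection")


class SmoothWeightedRoundRobin:
    def __init__(self, servers):
        # servers: (ip, port, weight) triples as written in the {ip port weight} records
        if not servers or any(weight < 1 for _, _, weight in servers):
            raise ValueError("every server needs a whole-number weight of at least 1")
        self._state = [[ip, port, weight, 0] for ip, port, weight in servers]
        self._total = sum(weight for _, _, weight in servers)

    def pick(self):
        """Return (ip, port) of the server that takes the next connection."""
        for entry in self._state:
            entry[3] += entry[2]                     # score += weight
        best = max(self._state, key=lambda e: e[3])  # first maximum wins ties
        best[3] -= self._total                       # charge the pick to the winner
        return best[0], best[1]


def distribution(servers, picks):
    """How many of `picks` consecutive connections each server would receive."""
    balancer = SmoothWeightedRoundRobin(servers)
    return Counter(balancer.pick() for _ in range(picks))


def vip_command(name, algorithm, servers, append=False):
    """Render 'nat <name> -vip <algorithm> -server [+] {ip port weight}...'."""
    if algorithm not in ALGORITHMS:
        raise ValueError(f"unknown algorithm {algorithm!r}")
    records = " ".join(f"{{{ip} {port} {weight}}}" for ip, port, weight in servers)
    plus = "+ " if append else ""
    return f"nat {name} -vip {algorithm} -server {plus}{records}"
```

distribution() is the check to run before committing a weighted VIP action: if the counts over one full cycle are not the weights you wrote, the weights are wrong, not the appliance.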
Record dynamic security policy IP NAT action
WG#config<ENTER>
WG(config)#nat <"name"> [-dynamic_nat <a.b.c.d>]

Effect
Records a new dynamic IP NAT action for use in security policies. You can create one of two possible dynamic NAT options: the default, which uses the IP address of interface 1, or a user-designated IP address.

Arguments
<a.b.c.d>
If this is to be a user-designated IP address dynamic NAT action, enter the IP address of your choice as the command argument. To use the default, enter the IP address of interface 1.
no command
WG#config<ENTER>
WG(config)#no high_availability        # disable high availability

Effect
Disables the high availability feature.

Arguments
None

Example
WG#config<ENTER>
WG(config)#no high_availability
policy command
WG#config<ENTER>
WG(config)#policy <"name"> [<source> <destination> <interface num>]
    [-position <num>]
    [-firewall <pass|block|authenticate|reject>]
    [<-service|-tenant|-nat|-qos|-schedule|-ipsec [no] [bi_directional]> <name>]
    [<-tosF|-tosR> <bbbbbb>]                  # b is <0|1>; msb from left
    [-log_per_policy [enable|disable]]
    [-icmp_error_handling_per_policy [[global | all] |
        [[no] fragmentation_required] [[no] time_exceeded]
        [[no] network_unreachable] [[no] host_unreachable]
        [[no] port_unreachable]]]
    [-mss_adjustment_per_policy [auto|limit_to <num>|disable|use_global]]

Effect
Allows you to create a new security policy or revise an existing policy, pending your selection of traffic specifications and actions. Note: you should have already created the needed address groups, schedules, actions and services before creating this new policy.

Arguments
<source> <destination>
These two arguments record the source and destination address groups to which this policy will be applied.

<interface [0|1|2|3]>
This argument records the interface this policy will apply to.
[-position <num>]
This argument records which numbered location this policy occupies in the policy table.

[-firewall <pass | block | authenticate | reject>]
This argument allows you to specify which firewall option to apply.

[<-service|-tenant|-nat|-qos|-schedule|-ipsec [no] [bi_directional]> <name>]
These arguments allow you to combine various preexisting actions in this one policy, including:
-service: Enter the name of a service group after this argument.
-tenant: Enter the name of a tenant object after this argument.
-nat: Enter the name of a NAT action after this argument.
-qos: Enter the name of a QoS action after this argument.
-schedule: Enter the name of a schedule after this argument.
-ipsec: Enter the name of an IPSec action after this argument; the optional bi_directional keyword (abbreviated bi in the examples below) makes the IPSec action apply in both directions.

[{-tosF | -tosR} <bbbbbb>]
This argument records the TOS marking direction and the marking bits. “bbbbbb” represents the six bit positions you can choose from, most significant bit on the left. You pick a location and enter a “1” to mark that bit.

[-log_per_policy [enable|disable]]
This argument allows you to enable or disable logging on a per-policy basis.

[-icmp_error_handling_per_policy [[global | all] | [[no] fragmentation_required] [[no] time_exceeded] [[no] network_unreachable] [[no] host_unreachable] [[no] port_unreachable]]]
This argument allows you to implement ICMP error handling per policy and to specify which ICMP error types are handled: all of them, the global setting, or an explicit list. Suppressing fragmentation_required breaks path MTU discovery for the policy's traffic; if you do so, set an explicit MSS with -mss_adjustment_per_policy.

[-mss_adjustment_per_policy [auto|limit_to <num>|disable|use_global]]
This argument allows you to specify a per-policy TCP Maximum Segment Size. See “mss_adjustment” on page 112 for more information on these settings. To use the global settings, use the argument use_global.
Examples
WG(config)#policy Allow_Outbound Any Any \
    interface 0 -firewall pass -nat DYNAMIC_NAT <ENTER>

WG(config)#policy HQ_BR_VPN HQ BR interface 0 \
    -firewall pass -ipsec bi HQ_IPsec <ENTER>

WG(config)#policy SJ_NY_VPN SJ NY interface 1 \
    -firewall pass -ipsec SJ_NY_IPSec <ENTER>

WG(config)#policy SJ_LA_VPN \
    -mss_adjustment_per_policy \
    limit_to 1400

WG(config)#policy SJ_NY_VPN \
    -icmp_error_handling_per_policy all

WG(config)#policy SJ_NY_VPN -position 5 <ENTER>

The previous example shows a relocation of policy SJ_NY_VPN to the fifth position (row) in the policy table.

NOTE
You can combine a range of actions (“-vlan”, “-ipsec”, “-nat”, “-schedule”, etc.) in a single policy, as needed. For more information on policy action combinations, especially to determine what will and what won’t work, see the User Guide.
qos command
WG#config<ENTER>
WG(config)#qos

Effect
Enters the Quality of Service (QoS) configuration mode, at which point you can enter QoS action-specific task commands and their arguments.

Arguments
None in this mode.

See Also
For more information about “QoS” mode commands, see “Level 2 Quality of Service (QoS) configuration commands” on page 100.
ras command
WG#config<ENTER>
WG(config)#ras

Effect
Enters the remote access services (RAS) configuration mode, at which point you can enter RAS connection-specific commands and their arguments.

Arguments
None in this mode.

See Also
See “Level 2 Remote Access Service (RAS) configuration commands” on page 102 for details on specific “RAS” mode commands.

rename command
WG#config<ENTER>
WG(config)#rename <object_type> <"old name"> \
    <"new name">

Effect
Substitutes a new name for an existing object name.

Arguments
<object_type>
Use this argument to enter the type of object this name is applied to, whether (for example) an IPSec action, an address group, a RAS user profile, etc.

<old name>
Use this argument to enter the existing name.

<new name>
Use this argument to enter the new name.

Example
WG(config)#rename address eng_net engineering<ENTER>
schedule command
WG#config<ENTER>
WG(config)#schedule <"name"> <enable|disable> [-all| \
    -mon|-tue|-wed|-thu|-fri|-sat|-sun] {hr:min-hr:min \
    [hr:min-hr:min] [hr:min-hr:min] [hr:min-hr:min]}<ENTER>

Effect
Use this command to set up a schedule for use in the application of policies. Schedules can be set up for the same hours for every day or for different daily schedules, depending upon the arguments.

Arguments
<"name">
Type a short, descriptive name for this schedule.

<enable|disable>
This argument specifies whether this schedule is currently active or not.

-<day>
This argument defines the days of the week. The values can either be noted as “all” for all seven days, or include any combination of days of the week: mon, tue, wed, thu, fri, sat, and sun.

{hour:minute-hour:minute}
This argument (which can be repeated for different blocks of time, up to four per day) should note a range of hours, such as “9:00-12:00” (which indicates 9:00 a.m. to noon). Be sure to wrap the ranges in curly brackets, as shown in the examples below. Hours must be noted in 24-hour (military) time.

TIP
A midnight start time should be entered as “0:00”.
Example
WG(config)#schedule workdays -mon \
    {8:00-12:00 13:00-19:00} -fri \
    {9:00-12:00} enable<ENTER>
WG(config)#schedule 24_7 -all {0:00-24:00}<ENTER>
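A schedule that is attached to a pass policy is part of the access-control decision, so a malformed or overlapping time block is worth catching before commit. The following is an added example, not code from the guide or from WatchGuard: it parses the {hr:min-hr:min ...} blocks per day, enforces 24-hour format, start before end, "24:00" only as an end time, no overlaps and at most four ranges per day (the documented syntax), renders the command, and answers whether the schedule is active at a given weekday and time. The treatment of the start as inclusive and the end as exclusive is an assumption, as are the function names; the schedules in the test are the guide's examples.

```python
"""Validator for the Vclass `schedule` command.

Added example, not from the guide. Checks each {hr:min-hr:min ...} block,
renders the command line, and evaluates the schedule for a weekday and time,
which is the question you actually want answered before a policy depends on it.
"""
import re

DAYS = ("mon", "tue", "wed", "thu", "fri", "sat", "sun")
_RANGE = re.compile(r"^(\d{1,2}):(\d{2})-(\d{1,2}):(\d{2})$")


def parse_range(text):
    """'8:00-12:00' -> (480, 720) minutes since midnight; ValueError if malformed."""
    match = _RANGE.match(text.strip())
    if not match:
        raise ValueError(f"not hr:min-hr:min: {text!r}")
    h1, m1, h2, m2 = map(int, match.groups())
    if not (0 <= h1 <= 23 and 0 <= m1 <= 59 and 0 <= m2 <= 59 and 0 <= h2 <= 24):
        raise ValueError(f"hours 0-23 (24 only as the 24:00 end), minutes 0-59: {text!r}")
    if h2 == 24 and m2 != 0:
        raise ValueError(f"24:00 is the only valid end time past 23:59: {text!r}")
    start, end = h1 * 60 + m1, h2 * 60 + m2
    if start >= end:
        raise ValueError(f"start must precede end (no wrap past midnight): {text!r}")
    return start, end


def parse_day(ranges):
    """Validate one day's list of ranges; returns sorted, non-overlapping spans."""
    if not 1 <= len(ranges) <= 4:
        raise ValueError("one to four ranges per day")
    spans = sorted(parse_range(r) for r in ranges)
    for (_, end_a), (start_b, _) in zip(spans, spans[1:]):
        if start_b < end_a:
            raise ValueError(f"overlapping ranges: {ranges}")
    return spans


def schedule_command(name, days, enabled=True):
    """days: {'mon': ['8:00-12:00', '13:00-19:00'], 'fri': ['9:00-12:00']} or {'all': [...]}."""
    if "all" in days and len(days) > 1:
        raise ValueError("-all cannot be combined with individual days")
    parts = ["schedule", name]
    for day, ranges in days.items():
        if day != "all" and day not in DAYS:
            raise ValueError(f"unknown day {day!r}")
        parse_day(ranges)
        parts += [f"-{day}", "{" + " ".join(r.strip() for r in ranges) + "}"]
    parts.append("enable" if enabled else "disable")
    return " ".join(parts)


def active_at(days, weekday, hour, minute):
    """True if the schedule covers weekday at hour:minute (start inclusive, end exclusive)."""
    ranges = days.get("all") or days.get(weekday, [])
    if not ranges:
        return False
    now = hour * 60 + minute
    return any(start <= now < end for start, end in parse_day(ranges))
```

Run active_at() for the boundary minutes of each block (the minute before a start, the minute before an end) against the policies that reference the schedule; off-by-one gaps at a lunch break are exactly the windows that later show up in an incident timeline.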
service command
WG#config<ENTER>
WG(config)#service <"name"> [+] \
    <-single <protocol port>… | \
    -range <protocol port-port>… | \
    -group <service_group>…>

Effect
Records a new service entry (individual or group) for use in policies. The service must be noted as either a “single” service, a “range” of port numbers for a single protocol, or a “group” of existing related services.

Arguments
<"name">
Enter the name of this new service or group.

-single {<protocol> <port>}
Use this argument to note the protocol and port number of a single service.

-range {<protocol> <port-port>}
Use this argument to note the protocol and the first and last port numbers of a contiguous range.

-group {<service-group> [<service-group> <service-group>]}
Use this argument to note the names of two or more related services.

+
Use this argument (the “+” character) to add an additional service to an existing group.

Examples
WG(config)# service ldap -single tcp 389
WG(config)# service my_app -range tcp 6000-6006
WG(config)# service my_app + -single udp 6010
WG(config)# service email -group "mail_SMTP" \
    -group "POP3"<ENTER>
system command
WG#config<ENTER>
WG(config)#system

Effect
Enters system parameter configuration mode, at which point you can enter system-specific commands and their arguments.

Arguments
None in this mode.

See Also
For more information about “system” mode commands, see “Level 2 System Configuration commands” on page 107.

trace command
WG#config<ENTER>
WG(config)#trace [ike <level>]    # level=1-6
    [cmm <level>] [nm <level>] [pmm <level>] [ha <level>]

Effect
Runs a trace for the specified subsystem.

Arguments
[ike|cmm|nm|pmm|ha] <level>
The subsystem to trace and a level from 1 to 6.
tenant command
WG#config<ENTER>
WG(config)#tenant

Effect
Enters the tenant configuration mode, at which point you can record a new tenant entry for either a VLAN or user-domain tenant.

Arguments
None in this level.

See Also
See “Level 2 tenant configuration commands” on page 119 for more information about the next level of tenant commands.

tunnel_switch command
WG#config<ENTER>
WG(config)#tunnel_switch <enable|disable>

Effect
Enables (or disables) the tunnel switching capability of this WatchGuard appliance, according to the specific argument. (Must be done before applying specific tunnel-switching security policies.)

Arguments
<enable | disable>
The default state is “disable”.

Example
WG(config)#tunnel_switch enable<ENTER>
history command
WG#config<ENTER>
WG(config)#history

Effect
Shows the last 20 commands exercised at this level of the CLI. Note, too, that you can apply it at any level of the CLI.

For example, you may apply the “history” command after extensive policy creation, and see a series of 20 commands, starting with “64” and ending with “83”, the most recent command being listed as 83.

Arguments
None

Example
WG(config)#history<ENTER>

Results
Executed Commands:
0 ike
1 address
2 address "pubs" -host 10.10.99.1
3 show address pubs
4 dos
5 denial
WG(config)#
Second level configuration mode commands

The following sections detail the second-level configuration commands, which have been divided into “task” or “topical” collections:
• “Level 2 certificate configuration commands” on page 67
• “Level 2 High Availability configuration commands” on page 72
• “Level 2 IKE configuration commands” on page 78
• “Level 2 interface configuration commands” on page 82
• “Level 2 IPSec configuration commands” on page 95
• “Level 2 license commands (for upgraded or additional features)” on page 117
• “Level 2 Quality of Service (QoS) configuration commands” on page 100
• “Level 2 Remote Access Service (RAS) configuration commands” on page 102
• “Level 2 System Configuration commands” on page 107
• “Level 2 tenant configuration commands” on page 119
Level 2 certificate configuration commands

request command (configure certificate level)
WG#config<ENTER>
WG(config)#certificate <ENTER>
WG(config-cert)#request <"name"> -company <"name"> \
    [-country <"name">] [-department <"name">] -dns_name \
    <"name"> [-ip_address <a.b.c.d>] [-user_domain \
    <"name">] [-key_usage {<rsa|dsa> \
    <1024|512> <encryption|signature|both>}]
Effect
Generates a VPN certificate request that can be sent to a certifying authority. After executing this command (with the required arguments), you must cut the resulting certificate request text and paste it into the relevant form (an e-mail message, a Web-site request or a text file) that you transmit to the proper authority.
Arguments
<"name">
This argument notes the host name of this appliance (omitting the remainder of the DNS entry).

-company <"name">
This argument notes the name of your company or organization.

-country <"name">
This argument notes the name (or official abbreviation) of your country. The default is “US”.

-department <"text">
This optional argument notes the specific department name.

-dns_name <"name">
This argument notes the fully qualified DNS name of this appliance.

-ip_address <a.b.c.d>
This argument notes the IP address of this appliance’s interface 1.

-user_domain <"name">
This argument notes a user domain name, if any.

-key_usage {<rsa|dsa> <1024|512> <encryption|signature|both>}
This argument notes the key usage particulars, including RSA or DSA and the key length in bits. This argument also notes your choice of encryption or signature (or both). Always choose 1024, the largest size this command accepts: 512-bit RSA and DSA keys can be broken with modest computing resources and give the VPN no meaningful protection.
Example
WG(config-cert)#request cert1 -com BigCompany \
    -cou US -dns RS1.WatchGuard.com -key \
    {rsa 1024 both}<ENTER>

If this command is successful, the CLI will prompt you to cut and paste the results into the appropriate means of submitting this request to the authority.
import command (configure certificate level)
WG#config<ENTER>
WG(config)#certificate <ENTER>
WG(config-cert)#import <"certificate text">

Effect
Assists in the importing of the contents of a newly received VPN or Web certificate into the WatchGuard appliance database.

To import a certificate, you must open the certificate file and copy the text, then paste it into the command in the proper location, as shown in the following example.

NOTE
Confirm the certificate's fingerprint with the issuer through a separate channel before importing a CA certificate; whatever is pasted here joins the appliance's certificate store (the show command lists such entries with type CA).

Arguments
None.

Examples
WG(config-cert)# import<ENTER>

Results
On-screen instructions appear, as shown here.

Paste certificate below, then press Enter.

-----BEGIN CERTIFICATE-----
MIIC1jCCAj+gAwIBAgIDBJYLMA0GCSqGSIb3DQEBBAUAMCgxCzAJBgNVBAYTAlVTMRkwFwYDVQQKExBSYXBpZFN0cmVhbSBJbmMuMB4XDTAxMDIxOTA0MjAyNVoXDTAxMDUyMDA0MjAyNVowOzELMAkGA1UEBhMCVVMxGTAXBgNVBAoTEFJhcGlkU3RyZWFtQ8DCCtvvThQ2ug==
-----END CERTIFICATE-----
show command (configure certificate level)
WG#config<ENTER>
WG(config)#certificate <ENTER>
WG(config-cert)#show [cert_id]

Effect
Displays the properties of a specific certificate or a certificate request. If no “specific certificate” argument is used, this command lists all the current certificates and pending certificate requests.

Arguments
[cert_id]
This optional argument records a specific certificate ID.

Examples
WG(config-cert)# show<ENTER>

Ord  TYPE  NAME                     Subject                  Cert id     KeyAlgo
1    Pndg  cn=a,o=WatchGuard,c=US   cn=a,o=WatchGuard,c=     20001       RSA
2    CA    o=WatchGuard Inc.,c=US   o=WatchGuard Inc.,c=U    1075246528  RSA

—OR—

WG(config-cert)# show 20001<ENTER>

Pending Certificate
Name:           cn=a,o=rapidstreaym,c=US
Subject:        cn=a,o=rapidstreaym,c=US
Cert ID:        20001
DNS Name:       WatchGuard.com
Key Algorithm:  RSA
Length:         1024
Key Usage:      both
Issued by:
Valid Period:   -

-----BEGIN CERTIFICATE REQUEST-----
MIIBvzCCASgCAQAwMDELMAkGA1UEBhMCVVMxFTATBgNVBAoTDHJhcGlkc3RyZWF5bTEKMAgGA1UEAxMBYTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAuMih4lNe7UH8+DVTHRD2lTf+tYcCvWbExscAhhZd92ipnxdeelulzhhPj8ICcxnFTmVtkx70DlpSx5Do20rY+BqDgPjasG7wdeQDpT94KmbBYBjYbYtX1e1mukxXi546D2JNHYEqQJmTFTNYuono4eUNI48LfLJQ5xZVj7cCAwEAAaBPME0GCSqGSIb3DQEJDjFAMD4wCwYDVR0PBAQDAgWgMBMGA1UdJQQMMAoGCCsGAQUFCAICMBoGA1UdEQQTMBGCD3JhcGlkc3RyZWFtLmNvbTANBgkqhkiG9w0BAQQFAAOBgQBFAtGzBt6JIK2SfOUjnFXTYS09N9kKPjYe9SMOgCkgK30SbOIcSdWK92liT93XxE+ZXGiqvtCe49YF4lS0sqeF9ssFLlK8gOLYalT1K1uJqHkthVJosa06n0wLDvFYsJNZ4Y7FayvTVQAp+5zBo+5mkkzsgN3q7TlNR5B1zDrFA==
-----END CERTIFICATE REQUEST-----
ssl command (configure certificate level)
WG#config<ENTER>
WG(config)#certificate <ENTER>
WG(config-cert)#ssl <ip|"name">

Effect
Creates a Web (SSL) certificate request for this appliance. After the request is generated, you must copy and paste the text to a text file and send it to a third-party CA as part of a formal request for a Web certificate.

Arguments
<ip|"name">
Use this argument to enter either the IP address or host name of this security appliance.

Example
WG(config-cert)# ssl rs101<ENTER>
Creating certificate request could take several minutes.
Please wait…

-----BEGIN CERTIFICATE REQUEST-----
MIIBbTCB1wIBADAQMQ4wDAYDVQQDEwVyczEwMTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAyr3Tg/jHZMiI9MaleoizYygY5rWtipDCUCmop6ZeR/q8uhrhBDjikB6j02CMXQFE6eCWNFqC8CjzHqWY2v+IPPoyDBOrfGHl4Icn8/ZZNJIv4lXAeSmhDqSo9tqrUVKlyh/TD/6JF9x2v3GaVNUZEmk5+LTT/iEdCrehhr/YfxECAwEAAaAeBHn/nu1msTyGjzqtP42IzQM/6YTj2uHMGPF/Y8FTYgCE
-----END CERTIFICATE REQUEST-----
Level 2 High Availability configuration commands

show command (configure high availability level)
WG#config<ENTER>
WG(config)#high_availability <ENTER>
WG(config-ha)#show

Effect
Displays the configuration settings for any High Availability ports in this WatchGuard appliance.

Arguments
None
ExampleWG(config-ha)#show<ENTER> HA Type: Active_Active Primary System Name =2026 Secondary System Name =2027 No Shared SecretInterfaces Primary IP Mask Secondary IP Mask Monitoring 0: 192.168.104.64 255.255.255.0 192.168.104.65 255.255.255.0 ON 1: 192.128.134.32 255.255.255.0 192.128.134.33 255.255.255.0 ON 2: 30.0.0.1 255.0.0.0 30.0.0.8 255.0.0.0 OFF 3: 40.0.0.1 255.0.0.0 40.0.0.2 255.0.0.0 OFFAdvanced HA Parameters: HA1:Enabled HA2:Disabled Primary HA1 IP 1.0.0.1 netmask 255.255.255.0 HA2 IP 10.10.10.26 netmask 255.255.0.0 Secondary HA1 IP 1.0.0.3 netmask 255.255.255.0 HA2 IP 10.10.10.27 netmask 255.255.0.0 HA Status HA Role: Primary DB Time Stamp: Primary: Thu Dec 5 16:38:58 2002 Secondary: Thu Dec 5 16:38:58 2002 Status: Primary: ACTIVE Secondary: ACTIVE
Enable high availability
WG#config<ENTER>
WG(config)#high_availability <ENTER>
WG(config-ha)$ [active_standby | active_active]
[advanced] Enter Advanced Setting Mode
[disable]
[hotsync]
[monitor <[0] [1]...[N]> <ON|OFF>]
[<primary|secondary> [interface N ip ] | [-name systemName2] ]
[no][shared_secret secret1]
show     show current configuration and statistics
history  show command history
exit     go back to parent level
top      go back to root level
Effect
Enables high availability in WatchGuard appliances with one or more HA interfaces, and assists you in entering precise HA system settings.
Arguments
active_standby | active_active
This turns high availability on in either Active/Standby mode or Active/Active mode. For more information on these modes, see the Vcontroller User Guide.
advanced
This enters advanced High Availability configuration mode, and shows the following prompt: WG(config-ha-advanced)$
For more information, see “High Availability advanced configuration mode” on page 77.
disable
Disables High Availability.
hotsync
Syncs the local appliance with its peer. In Active/Standby mode a hotsync should be performed every time the configuration of the Active box is changed. In Active/Active mode, a hotsync should only be performed during the initial setup, when the secondary appliance is in factory default configuration.
monitor {1 & | 2}
This optional command specifies which interface (1 or 2) you want this appliance to monitor for link status. (Note that interface 0 (private) is always monitored.)
<primary|secondary> [interface N ip ] | [-name systemName2] ] [no][shared_secret secret1]
ha1_interface <master_ip> <backup_ip> </prefix|mask>
This command configures the IP address of the HA1 interface of the master and backup appliances.
ha2_interface <master_ip> <backup_ip> </prefix|mask>
This command configures the IP address of the HA2 interface of the master and backup appliances, if needed.
<enable|disable>
This command activates or deactivates the HA system.
polling_interval <in seconds>
This optional command sets the HA polling interval. The default value is 1 second, but you can increase it to as much as 15 seconds.
id <1-255>
This optional command notes the VRRP group ID for this HA pairing, if one has been assigned to it. The number should be between 1 and 255.
Example
WG(config-ha)# monitor {pub} poll 5<ENTER>
Apply high availability configuration changes
WG#config<ENTER>
WG(config)#high_availability <ENTER>
WG(config-ha)#exit
Effect
Initiates the process of saving and applying any just-completed HA interface configuration. You are asked to confirm committing these changes; press Y to do so.
Arguments
None
Example
WG(config-ha)#exit<ENTER>
Commit (Y/N)?y<ENTER>
…
HA IP address is set to 12.10.1.2, please wait for it to take effect…
WG(config-ha)#
High Availability advanced configuration mode
WG#config<ENTER>
WG(config)#high_availability <ENTER>
WG(config-ha)#advanced
WG(config-ha-advanced)# [action <local | peer> <failover | restart>]
[ha2 <enable | disable>]
[primary <ha1|ha2> ip </prefix|mask>]
[secondary <ha1 ip>| <ha2 ip </prefix|mask>>]
show     show current configuration and statistics
history  show command history
rename   rename an object
exit     go back to parent level
top      go back to root level
Effect
Allows you to configure advanced settings for High Availability.
Arguments
action <local | peer> <failover | restart>
Allows you to manually fail over or restart the local or peer appliance of the HA pair. The local appliance is the one you are connected to, and the peer is its HA partner.
ha2 <enable | disable>
Allows you to enable the HA2 port for HA use. When this is enabled and the HA2 ports of the two appliances are connected, in addition to the HA1 ports, an added level of redundancy is ensured.
primary <ha1|ha2> ip </prefix|mask>
secondary <ha1 ip>| <ha2 ip </prefix|mask>>
This allows you to set the IP addresses and netmasks for the primary and secondary devices’ HA ports.
Example
WG#config<ENTER>
WG(config)#high_availability <ENTER>
WG(config-ha)#advanced
WG(config-ha-advanced)#primary ha1 ip \
10.10.10.11|255.255.0.0 \
secondary ha1 ip 10.10.10.12
Level 2 IKE configuration commands
action command (configure IKE level)
WG#config<ENTER>
WG(config)#ike <ENTER>
WG(config-ike)#action <"name"> \
<-main_mode|-aggressive_mode> [no][-natt <enable|disable> [-natt_keepalive <seconds>] ] [extended_authentication] [+] \
-rsa {<g1|g2><des|3des><md5|sha><lifetime<min|hr> &|lifesize<KB|MB>>} \
-dss {<g1|g2><des|3des><md5|sha><lifetime [min|hr]&|lifesize [KB|MB]>} \
-preshared {<g1|g2><des|3des><md5|sha><lifetime [min|hr]|lifesize [KB|MB]}
Effect
Records a new IKE action, for use in IKE policies.
Arguments
<"name">
Enter the name of this action prior to recording the arguments.
<-main_mode | -aggressive_mode>
This argument specifies your choice of mode.
[-natt <enable|disable> [-natt_keepalive <seconds>]]
-natt enables or disables NAT Traversal (UDP encapsulation). -natt_keepalive allows you to specify the time in seconds between keep-alive messages.
[extended_authentication]
This argument, when present, activates extended authentication, used for remote access connection requests.
-rsa {<g1|g2><des|3des><md5|sha><lifetime [min|hr]&|lifesize [KB|MB]>}
This argument and its values detail the RSA IKE transform.
-dss {<g1|g2><des|3des><md5|sha><lifetime [min|hr]&|lifesize [KB|MB]>}
This argument and its values detail the DSS IKE transform.
-preshared {<g1|g2><des|3des><md5|sha><lifetime [min|hr]&|lifesize [KB|MB]>}
This argument and its values specify the pre-shared key IKE transform. In all three preceding arguments, the following values are the options you can apply:
Option            Description
g1 | g2           The two Diffie-Hellman group options.
des | 3des        The two encryption algorithm options.
md5 | sha         The two hash (integrity) algorithm options.
lifetime min|hr   A key lifetime, measured in time (minutes or hours).
lifesize KB|MB    A key lifetime, measured in kilobytes or megabytes.
Example
WG(config-ike)#action my_act -main \
-rsa {g2 3des md5 10hr 100MB} {g1 des sha 45min} \
-dss {g2 3des sha 8hr}
policy command (configure IKE level)
WG#config<ENTER>
WG(config)#ike <ENTER>
WG(config-ike)#policy <"name"> \
<*|peer_address> -action <"ike_action_name"> \
-peer <any | [-address <"name"> &|-domain <"name"> &|-user_domain <"usr@host"> &|-X.500 <"name">] > \
[-local {<cert_id><ip_address|domain|user_domain|X500>}] [-preshared <ascii_key|%hex_key> ] \
[-position <number>]
Effect
Records a new IKE policy, including actions.
Arguments
<"name">
This argument records a brief, descriptive name for this policy.
<*|peer_address>
This argument notes either “any” (indicated by *) or the address group representing the peer appliance(s).
-action <ike_action>
This argument notes the name of the IKE action used by this policy.
-peer <any> | -address <”name”> &| -domain <”name”> &| -user_domain <”user@host”> &| -X.500 <”string”>
This argument specifies the means of identifying the peer appliance from these five options. You can enter “any” as the sole option or combine any of these options (and values) in this argument:
Option          Description
-address        An address group used as the peer ID type.
-domain         A domain name as the peer ID type.
-user_domain    A user domain name as the peer ID type.
-X.500          An X.500 name as the peer ID type.
[-local {<cert-id> <ip-address|domain|user-domain|X500>}]
This optional argument specifies which ID type is used by this WatchGuard appliance. The argument takes the same forms as -peer, as noted above.
[-preshared <ascii_key|%hex_key>]
This optional argument records the text of the pre-shared key, if one is used by this policy. You must enter the actual key text as either ASCII text or hexadecimal notation.
[-position <number>]
This argument records the numeric position assigned to this policy in the IKE policy table.
Example
WG(config-ike)#policy "Remote Users" * -action \
remote_users -peer -domain WatchGuard.com \
-user_domain WatchGuard.com -local {20001 domain}
WG(config-ike)#policy IKE_NY_SJ NY_Gateway \
-action psk_main -peer any -preshared \
"secret"<ENTER>
Level 2 interface configuration commands
Enter system interface configuration mode
WG#config<ENTER>
WG(config)#interface<ENTER>
Effect
Enters the system interface configuration mode.
Arguments
None. Please review the rest of this section for related commands.
show command (configure interface level)
WG#config<ENTER>
WG(config)#interface<ENTER>
WG(config-if)#show
Effect
Displays the current network address settings for each of the main security appliance data interfaces: 0 (private), 1 (public) or 2 (DMZ, where applicable).
Arguments
None.
Example
WG(config-if)# show<ENTER>
The results appear as shown in this example:
interface 0: ip = 10.10.13.101
net mask = 255.255.0.0
status = UP
mac address = 00:01:21:10:01:e5
interface 1: ip = 16.10.203.121
net mask = 255.255.255.0
status = DOWN
mac address = 00:01:21:10:01:e6
interface 2: ip = 10.20.0.1
net mask = 255.255.255.0
status = DOWN
mac address = 00:01:21:10:01:e7
interface 0 command (configure interface level)
WG#config<ENTER>
WG(config)#interface<ENTER>
WG(config-if)#interface 0 [<a.b.c.d> </prefix|mask> [-mtu num] [-100_full_duplex | -100_half_duplex | -10_full_duplex | -10_half_duplex | -auto]] | [[no] dhcp_server -clients num [-lease_time num [hours|days]]] [dhcp_relay <a.b.c.d>]
# -lease_time default is 7 days
Effect
Use this command to configure the network identity of a WatchGuard appliance's interface 0 (Private).
Arguments
<a.b.c.d>
This argument records the IP address assigned to this interface.
</prefix|mask>
This argument records the number of bits in the subnet mask (for example, “/16” is equivalent to the mask 255.255.0.0), or the actual subnet mask address.
-mtu num
This allows you to set the size of the Maximum Transmission Unit (MTU). The default is 1500 bytes.
[-100_full_duplex | -100_half_duplex | -10_full_duplex | -10_half_duplex | -auto]
This setting allows you to specify the speed at which the interface will operate.
[[no] dhcp_server -clients num [-lease_time num [hours|days]]]
This allows you to activate the DHCP server service on this interface and specify its settings, including the number of clients allowed DHCP access and the lease time for a DHCP address. The lease time default is 7 days. Put “no” in front of this command to turn off the DHCP server on this interface.
[dhcp_relay <a.b.c.d>]
This allows you to use a separate DHCP server on your network to serve DHCP addresses, with the Vclass acting as a DHCP relay agent.
Example
WG(config-if)#interface 0 10.12.12.7 255.255.255.0 \
-mtu 1500 -100_half_duplex no dhcp_server<ENTER>
or
WG(config-if)#interface 0 10.12.12.7/24 -mtu 1500 \
-100_half_duplex no dhcp_server<ENTER>
or
WG(config-if)#interface 0 10.12.12.7/24 -mtu 1500 \
-100_half_duplex dhcp_relay 10.0.0.253<ENTER>
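As an added example (not WatchGuard code), the following Python parses the interface `show` listing above into records and normalises the </prefix|mask> argument forms of the interface commands, so that the two spellings in the example above compare equal. The sample show text is the guide's listing re-typed as constructed input, and the contiguous-mask check goes beyond what the guide states.

```python
"""Parse `show` output from interface configuration mode and normalise the
</prefix|mask> argument forms that the `interface N` commands accept.

Added example, not WatchGuard code. SAMPLE_SHOW is the guide's show listing,
re-typed one field per line as a constructed input; no appliance is contacted.
"""
import ipaddress
import re

SAMPLE_SHOW = """\
interface 0: ip = 10.10.13.101
net mask = 255.255.0.0
status = UP
mac address = 00:01:21:10:01:e5
interface 1: ip = 16.10.203.121
net mask = 255.255.255.0
status = DOWN
mac address = 00:01:21:10:01:e6
interface 2: ip = 10.20.0.1
net mask = 255.255.255.0
status = DOWN
mac address = 00:01:21:10:01:e7
"""

FIELD = re.compile(r"^(?:interface (\d+): )?(ip|net mask|status|mac address) = (.+)$")


def prefix_len(mask_arg):
    """Accept '/16' or '255.255.0.0' (the guide calls them equivalent) and
    return the prefix length; a non-contiguous dotted mask is rejected."""
    if mask_arg.startswith("/"):
        n = int(mask_arg[1:])
        if not 0 <= n <= 32:
            raise ValueError(f"prefix length out of range: {mask_arg}")
        return n
    mask = int(ipaddress.IPv4Address(mask_arg))
    n = bin(mask).count("1")
    if mask != (0xFFFFFFFF << (32 - n)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous netmask: {mask_arg}")
    return n


def parse_show(text):
    """Return one dict per interface with ip, net_mask, status, mac_address,
    plus the derived prefix length and network."""
    ifaces, cur = [], None
    for line in text.splitlines():
        m = FIELD.match(line.strip())
        if not m:
            continue
        idx, key, value = m.groups()
        if idx is not None:                      # 'interface N:' starts a new record
            cur = {"index": int(idx)}
            ifaces.append(cur)
        if cur is None:
            raise ValueError(f"field before any interface header: {line!r}")
        cur[key.replace(" ", "_")] = value.strip()
    for i in ifaces:
        i["prefix"] = prefix_len(i["net_mask"])
        i["network"] = str(ipaddress.IPv4Interface(f"{i['ip']}/{i['prefix']}").network)
    return ifaces


def normalise_interface_cmd(cmd):
    """Reduce 'interface N a.b.c.d mask ...' and 'interface N a.b.c.d/len ...'
    to (N, 'a.b.c.d/len', remaining_options) so both spellings compare equal."""
    t = cmd.split()
    if len(t) < 3 or t[0] != "interface":
        raise ValueError("expected: interface <N> <a.b.c.d> </prefix|mask> ...")
    index, addr = int(t[1]), t[2]
    if "/" in addr:
        ip, prefix = addr.split("/", 1)
        plen, rest = prefix_len("/" + prefix), t[3:]
    else:
        if len(t) < 4:
            raise ValueError("dotted address form needs a following netmask")
        ip, plen, rest = addr, prefix_len(t[3]), t[4:]
    ipaddress.IPv4Address(ip)                    # raises on a malformed address
    return index, f"{ip}/{plen}", rest


def down_interfaces(text):
    """Indices of interfaces the appliance reports as not UP, for a quick health check."""
    return [i["index"] for i in parse_show(text) if i["status"] != "UP"]
```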
private command (configure interface level, V10 only)
WG#config<ENTER>
WG(config)#interface<ENTER>
WG(config-if)#private <a.b.c.d> </prefix|mask> [no] dhcp_server -clients NUMBER [-lease_time NUMBER]
Effect
Use this command to configure DHCP server options assigned to a WatchGuard V10 appliance's Private (0) interface.
Arguments
<a.b.c.d>
This argument records the IP address assigned to this interface.
</prefix|mask>
This argument records the number of bits in the subnet mask, or the subnet mask.
dhcp_server
Enter this argument to activate the DHCP server service on this appliance.
-clients NUMBER
This argument indicates the number of clients permitted DHCP access.
-lease_time NUMBER
This argument indicates the lease time for all client connections, recorded in minutes.
[no] dhcp_server
Enter this argument to disable any previously active DHCP service.
Example
WG(config-if)#private 192.168.1.1 255.255.255.0 dhcp_server \
-clients 3 -lease_time 60<ENTER>
interface 1 command (configure interface level)
WG#config<ENTER>
WG(config)#interface<ENTER>
WG(config-if)# interface 1 [<a.b.c.d> </prefix|mask> | [-mtu num] | [-100_full_duplex | -100_half_duplex | -10_full_duplex | -10_half_duplex | -auto]] | [dhcp [host_id]] | [pppoe -user "name" -password "password" [<-dial_on_demand|-always_on> <num>]] [-unnumbered_pppoe <a.b.c.d>|disable]] [backup [ip <a.b.c.d> mask <a.b.c.d> gateway <a.b.c.d> ] | [dhcp [host_id] ] | [pppoe -user "name" -password "password"] [-unnumbered_pppoe <a.b.c.d>|disable]] | [disable] | [switch_to_backup] | [tracking -remove|-add <a.b.c.d> -interval <seconds> -timeout <seconds> -pause_before_failback <minutes> ] ]
#num is either auto reconnect delay in seconds.
#or if dial_on_demand, the idle timeout in minutes.
#ex: inter 1 pppoe -use u1 -pas xxxxx -dial 20
#backup PPPoE connection only supports ALWAYS_ON.
Effect
Use this command to configure the network identity of a WatchGuard appliance’s interface 1 (Public), if it is a publicly routable, fixed IP address.
Arguments
<a.b.c.d>
This argument records the IP address assigned to this interface.
</prefix|mask>
This argument records the number of bits in the subnet mask (for example, “/16” is equivalent to the mask 255.255.0.0), or the actual subnet mask address.
[-mtu num]
This allows you to set the size of the Maximum Transmission Unit (MTU). The default is 1500 bytes.
[-100_full_duplex | -100_half_duplex | -10_full_duplex | -10_half_duplex | -auto]
This setting allows you to specify the speed at which the interface will operate.
[dhcp ["host_id"]]
This allows you to obtain the IP address of interface 1 using DHCP.
[pppoe -user "name" -password "password"]
This allows you to set interface 1 to PPPoE. If the password contains the pound (#) character, it must be placed in double quotes.
[<-dial_on_demand|-always_on> <num>]
This allows you to set PPPoE to Dial-on-Demand or Always On mode. The meaning of <num> differs in each mode. For Dial-on-Demand mode, this number is the inactivity timeout in minutes (default 20 minutes). For Always On mode, this number is the auto-reconnect interval in seconds (default 60 seconds).
[-unnumbered_pppoe <a.b.c.d>|disable]
This option allows you to use unnumbered PPPoE. For more information on unnumbered links, see RFC 1812 section 2.2.7.
[backup [ip <a.b.c.d> mask <a.b.c.d> gateway <a.b.c.d>] | [dhcp [host_id]] | [pppoe -user "name" -password "password"] [unnumbered_pppoe <a.b.c.d>|disable] [disable] [switch_to_backup]]
This allows you to enable a Backup WAN connection for interface 1, for systems that have unreliable ISPs or network providers. You can configure the failover connection as static, by typing the IP address, netmask, and gateway; as DHCP, using the [dhcp ["host_id"]] syntax; as PPPoE (always on), using the [pppoe -user "name" -password "password"] syntax; or as unnumbered PPPoE, using the syntax [unnumbered_pppoe <a.b.c.d>|disable]. You can disable the backup connection with the option [disable]. You can switch to the backup connection with the command switch_to_backup.
[tracking -remove|-add <a.b.c.d> -interval <seconds> -timeout <seconds> -pause_before_failback <minutes>]
For systems that configure a Backup WAN connection using the failover command, these settings must be specified. You can add up to three IP addresses that are used to determine WAN failure. These addresses are used with the -interval and -timeout values to determine when the WAN connection has failed. -interval sets the time that elapses between attempts to ping all of the specified tracking addresses. -timeout sets the time that can elapse before a ping attempt is considered failed. All of the specified IP addresses (up to three) must fail to respond to the ping attempt within the specified time for the WAN connection to be considered failed.
In the event of failure, the WAN is switched over to the backup connection. This causes a brief interruption in processing while the system restarts. To prevent frequent restarts, the final parameter, -pause_before_failback, lets you specify the amount of time that must elapse between failovers.
Example
WG(config-if)#interface 1 10.10.12.8 \
255.255.0.0 -mtu 1500 \
-10_full_duplex<ENTER>
or
WG(config-if)#interface 1 10.10.12.8/16 -mtu 1500 -10_full_duplex <ENTER>
Example (PPPoE)
WG(config-if)#interface 1 pppoe \
-user joeuser -password joepass \
-always_on 60
Example (DHCP)
WG(config-if)#interface 1 dhcp dhcpsrvr
Example (Backup Connection)
WG(config-if)#interface 1 10.10.12.8 255.255.0.0 -mtu auto \
-backup ip 10.10.24.16 mask 255.255.0.0 \
gateway 10.100.99.1 tracking -add 124.12.15.16
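The Backup WAN tracking behaviour described under the tracking argument above, as an added simulation that is not WatchGuard code: it applies the all-addresses-must-fail rule and the pause between switches as the guide states them, treats automatic failback as an assumption, and replaces real pings with a constructed reply table (124.12.15.16 is the guide's example address; the other two addresses are made up).

```python
"""Simulate the Backup WAN tracking decision configured with
`interface 1 ... tracking -add <a.b.c.d> -interval -timeout -pause_before_failback`.

Added example, not WatchGuard code. It models only what the guide states: up to
three tracked addresses probed every -interval seconds, a probe failed when no
reply arrives within -timeout seconds, the WAN declared failed only when every
tracked address fails in the same round, and -pause_before_failback (minutes) as
the minimum gap between two switches. Automatic failback once the tracked
addresses answer again is an assumption of this model. The probe is injected,
so the sample run uses a constructed reply table instead of real ICMP.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Optional


@dataclass
class Tracking:
    addresses: List[str]          # the -add addresses, at most three
    interval: int                 # seconds between probing rounds
    timeout: int                  # seconds before an unanswered probe is failed
    pause_before_failback: int    # minutes that must elapse between switches

    def __post_init__(self):
        if not 1 <= len(self.addresses) <= 3:
            raise ValueError("tracking accepts one to three addresses")


@dataclass
class WanState:
    active: str = "primary"                     # "primary" or "backup"
    last_switch_at: Optional[int] = None        # seconds into the run
    events: List[tuple] = field(default_factory=list)


def probe_ok(tr: Tracking, probe: Callable, addr: str, now: int) -> bool:
    """A reply counts only if it arrives within -timeout seconds."""
    rtt = probe(addr, now)
    return rtt is not None and rtt <= tr.timeout


def wan_failed(tr: Tracking, probe: Callable, now: int) -> bool:
    """Per the guide, every tracked address must fail for the WAN to be failed."""
    return all(not probe_ok(tr, probe, a, now) for a in tr.addresses)


def run(tr: Tracking, probe: Callable, duration: int, state: Optional[WanState] = None) -> WanState:
    """Evaluate one tracking round every -interval seconds for `duration` seconds."""
    state = state or WanState()
    pause = tr.pause_before_failback * 60
    for now in range(0, duration + 1, tr.interval):
        want = "backup" if wan_failed(tr, probe, now) else "primary"
        if want == state.active:
            continue
        since = None if state.last_switch_at is None else now - state.last_switch_at
        if since is not None and since < pause:
            state.events.append((now, f"switch to {want} held by pause_before_failback"))
            continue
        state.active, state.last_switch_at = want, now
        state.events.append((now, f"switch to {want}"))   # the guide: the appliance restarts here
    return state


# Constructed reply table standing in for ping results (round-trip seconds,
# None for no reply). 124.12.15.16 is the guide's example address; the other
# two are made up for the simulation.
TRACKED = ["124.12.15.16", "198.51.100.7", "198.51.100.9"]


def sample_probe(addr: str, now: int):
    if 40 <= now < 60:                              # full outage: nothing answers
        return None
    if now == 20:                                   # partial loss: one address still answers
        return 0.5 if addr == TRACKED[0] else None
    if now == 30 and addr == TRACKED[1]:            # a slow reply past -timeout is a failure
        return 4.0
    return 0.02


def sample_run() -> WanState:
    """Three-minute run: failover at 40 s, failback held until the 2-minute pause has passed."""
    tr = Tracking(TRACKED, interval=10, timeout=3, pause_before_failback=2)
    return run(tr, sample_probe, duration=180)
```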
interface 2 (DMZ) command (configure interface level)
WG#config<ENTER>
WG(config)#interface<ENTER>
WG(config-if)#interface 2 <a.b.c.d> </prefix|mask> [-mtu num] [-100_full_duplex | -100_half_duplex | -10_full_duplex | -10_half_duplex | -auto]
Effect
Use this command to configure the network identity of a WatchGuard appliance's interface 2 (DMZ), where applicable.
Arguments<a.b.c.d>
This argument records the IP address assigned to this interface.
</prefix|mask>
This argument records the number of bits in the subnet mask (for example, “/16” is equivalent to the address 255.255.0.0), or the actual subnet mask address.
-mtu num
This allows you to set the size of the Maximum Transmission Unit (MTU). The default is 1500 bytes.
[-100_full_duplex | -100_half_duplex| -10_full_duplex|-10_half_duplex | -auto]] |
This setting allows you to specify the speed at which the interface will operate.
Example
WG(config-if)#interface 2 10.12.12.9 255.255.255.0 \
-mtu 1500 -10_full_duplex<ENTER>
or
WG(config-if)#interface 2 10.12.12.9/24 -mtu 1500 \
-10_full_duplex<ENTER>
interface 3 (DMZ2) command (configure interface level, V60 and V80 only)
WG#config<ENTER>
WG(config)#interface<ENTER>
WG(config-if)#interface 3 <a.b.c.d> </prefix|mask> [-mtu num] [-100_full_duplex | -100_half_duplex | -10_full_duplex | -10_half_duplex | -auto]
Effect
Use this command to configure the network identity of a WatchGuard appliance's interface 3, where applicable.
Arguments<a.b.c.d>
This argument records the IP address assigned to this interface.
</prefix|mask>
This argument records the number of bits in the subnet mask (for example, “/16” is equivalent to the address 255.255.0.0), or the actual subnet mask address.
-mtu num
This allows you to set the size of the Maximum Transmission Unit (MTU). The default is 1500 bytes.
[-100_full_duplex | -100_half_duplex| -10_full_duplex|-10_half_duplex | -auto]] |
This setting allows you to specify the speed at which the interface will operate.
Example
WG(config-if)#interface 3 10.12.12.9 255.255.255.0 \
-mtu 1500 -auto<ENTER>
or
WG(config-if)#interface 3 10.12.12.9/24 -mtu 1500 \
-auto<ENTER>
ha1 command (configure interface level)
WG#config<ENTER>
WG(config)#interface<ENTER>
WG(config-if)#ha1 <a.b.c.d> </prefix|mask>
Effect
Use this command to configure the network identity of a WatchGuard appliance's High Availability 1 interface, when this interface is used for management access instead of HA functionality.
Arguments
<a.b.c.d>
This argument records the IP address assigned to this interface.
</prefix|mask>
This argument records the number of bits in the subnet mask, or the subnet mask.
Example
WG(config-if)#ha1 10.0.0.1 255.255.255.0<ENTER>
or
WG(config-if)#ha1 10.0.0.1/24<ENTER>
ha2 command (configure interface level)
WG#config<ENTER>
WG(config)#interface<ENTER>
WG(config-if)#ha2 <a.b.c.d> </prefix|mask>
Effect
Use this command to configure the network identity of a WatchGuard appliance's High Availability 2 interface, when this interface is used for management access instead of HA functionality.
Arguments
<a.b.c.d>
This argument records the IP address assigned to this interface.
</prefix|mask>
This argument records the number of bits in the subnet mask, or the subnet mask.
Example
WG(config-if)#ha2 10.0.0.1 255.255.255.0<ENTER>
or
WG(config-if)#ha2 10.0.0.1/24<ENTER>
mode command
WG(config-if)# mode router | transparent<ENTER>
Effect
Use this command to switch the appliance between Router mode and Transparent mode.
An appliance can only be switched from Router mode (the default) to Transparent mode when the appliance is in the factory default configuration state. You are prompted to restore the system to the factory default state when you attempt this switch.
An appliance can be switched from Transparent mode to Router mode in any configuration condition.
A restart is required for the mode switch to take effect.
Arguments
None
Example
WG(config-if)# mode router<ENTER>
Apply interface address changes to appliance
WG#config<ENTER>
WG(config)#interface<ENTER>
WG(config-if)#exit
Effect
Use this command to immediately apply any interface address changes to this appliance. The appliance displays status messages (as shown below) to inform you about the process.
Arguments
None
Example
WG(config-if)# exit<ENTER>
Commit (Y/N)?y<ENTER>
Results
…
interface 1 IP address is set to 16.10.203.121, please wait for it to take effect…
WG(config)#
Level 2 IPSec configuration commands
action command (configure IPSec level)
WG#config<ENTER>
WG(config)#ipsec <ENTER>
WG(config-ipsec)#action <"name"> \
< -tunnel_mode <*|peer_ip|address>| -transport_mode> \
-auto_key [no] pfs_group <1|2> <"proposal-name">… \
<"proposal-name"> -manual_key \
-esp <local_spi> <peer_spi> <des|3des> \
<ascii_key|%hex_key> <md5|sha> <ascii_key|%hex_key> \
-ah <local_spi> <peer_spi> <md5|sha> \
<ascii_key|%hex_key>
Effect
Records a new IPSec action (manual key or automatic key), including one or more proposals which have been created beforehand.
Arguments
<”name”>
Type a unique name for this action.
<-tunnel_mode|-transport_mode>
This argument determines whether this action is tunnel mode or transport mode.
<*|peer IP address|address group>
If you enter tunnel mode, you must then qualify it with one of the following: (1) enter "*" to indicate ANY source, (2) enter a specific peer appliance’s IP address, or (3) enter the name of an address group containing the peer IP address.
-auto_key
Enter this argument if this action uses an automatic key. Do not use -manual_key together with an automatic key. The following two arguments further qualify this automatic key exchange.
[no] pfs_group <1|2>
If this action uses an automatic key, use this argument to specify which perfect forward secrecy (PFS) option (Diffie-Hellman Group 1 or 2) will be used. If none is used, preface this argument with “no”.
<"proposal_name"> [<"proposal_name">…]
If this action uses an automatic key, use this argument to enter the IKE proposal names (one or more).
-manual_key
Enter this argument if this action employs a manual key. (If doing so, do not use the -auto_key argument.) The following ten arguments (grouped around the ESP and AH algorithms) qualify this manual key exchange.
-esp
Enter this argument if this action employs the ESP protocol for the manual key.
<local_spi>
Use this argument to enter a unique number that represents the SPI of this appliance. The number should be between 256 and 65535.
<peer_spi>
Use this argument to enter a different, unique number that represents the SPI of the peer security appliance. The number should be between 256 and 65535.
<des | 3des>
Use this argument to pick either the DES or the 3DES encryption algorithm.
<ascii_key | %hex_key>
This argument contains the actual manual key text, in ASCII or hexadecimal notation.
-ah
Enter this argument if this action employs the AH protocol for the manual key.
<local_spi>
Use this argument to enter a unique number that represents the SPI of this appliance. The number should be between 256 and 65535.
<peer_spi>
Use this argument to enter a different, unique number that represents the SPI of the peer security appliance. The number should be between 256 and 65535.
<md5|sha>
Use this argument to pick either the MD5 or the SHA authentication (hash) algorithm.
<ascii_key | %hex_key>
This argument contains the actual manual key text, in ASCII or hexadecimal notation.
Example
WG(config-ipsec)# action NY_IPSec -tunnel \
NY_Gateway -auto no pfs_group MAX_SECURITY \
ESP-3DES<ENTER>
# This command creates an auto-key IPSec action with a peer tunnel. The peer is NY_Gateway, PFS is not used, the first proposal is MAX_SECURITY and the second is ESP-3DES.
WG(config-ipsec)# action remote_user_ipsec \
-tunnel * -auto pfs_group 1 ESP-3DES-MD5 \
ESP-DES-MD5<ENTER>
# This command creates a tunnel-mode, auto-key IPSec action for remote users. The peer tunnel IP is * (ANY), PFS uses DH group 1, and there are two proposals: ESP-3DES-MD5 and ESP-DES-MD5.
WG(config-ipsec)# action SJ_Man -tunnel \
102.39.45.28 -man -esp 256 982 3des mankey<ENTER>
# This command results in a tunnel-mode, manual-key IPSec action with a peer tunnel IP address of 102.39.45.28. It uses ESP-3DES (local SPI is 256, peer SPI is 982) and the key text is “mankey”.
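As an added example (not WatchGuard code), a Python checker for the `action` command lines shown above that applies the constraints the guide states before a command is typed at the prompt. Keyword abbreviation is assumed to work as any unambiguous prefix of the full keyword, and the ESP authenticator is treated as optional because the guide's third example omits it.

```python
"""Parse and validate a Vclass `ipsec action` command line.

Added example, not WatchGuard code. It checks only what the guide states:
-tunnel_mode (peer = *, IP or address group) or -transport_mode; -auto_key and
-manual_key mutually exclusive; SPIs in 256-65535 with local != peer; des|3des
for ESP, md5|sha for AH; keys as ASCII or %-prefixed hex. Resolving keyword
abbreviations (-tunnel, -man, -auto) as any unambiguous prefix is an assumption.
"""
import re
import shlex

SPI_MIN, SPI_MAX = 256, 65535
CIPHERS, HASHES = {"des", "3des"}, {"md5", "sha"}
KEYWORDS = ("-tunnel_mode", "-transport_mode", "-auto_key", "-manual_key", "-esp", "-ah")

def expand(tok):
    """Resolve an abbreviated keyword; unknown or ambiguous prefixes are errors."""
    hits = [k for k in KEYWORDS if k.startswith(tok.lower())]
    if len(hits) != 1:
        raise ValueError(f"unknown or ambiguous keyword {tok!r}")
    return hits[0]

def parse_key(tok):
    """%hex_key -> ('hex', bytes); anything else is taken as an ascii_key."""
    if tok.startswith("%"):
        if not re.fullmatch(r"(?:[0-9a-fA-F]{2})+", tok[1:]):
            raise ValueError(f"malformed hex key {tok!r}")
        return "hex", bytes.fromhex(tok[1:])
    return "ascii", tok.encode()

def parse_spi(tok, label):
    n = int(tok)
    if not SPI_MIN <= n <= SPI_MAX:
        raise ValueError(f"{label} SPI {n} outside {SPI_MIN}-{SPI_MAX}")
    return n

def parse_sa(t, i, algs, label):
    """<local_spi> <peer_spi> <alg> <key>, shared by -esp (CIPHERS) and -ah (HASHES)."""
    sa = {"local_spi": parse_spi(t[i], "local"), "peer_spi": parse_spi(t[i + 1], "peer"),
          "alg": t[i + 2].lower(), "key": parse_key(t[i + 3])}
    if sa["alg"] not in algs:
        raise ValueError(f"{label} algorithm must be one of {sorted(algs)}")
    if sa["local_spi"] == sa["peer_spi"]:
        raise ValueError(f"{label}: local and peer SPI must differ")
    return sa, i + 4

def parse_ipsec_action(line):
    """Return a dict describing the action, or raise ValueError with the reason."""
    t = shlex.split(line)
    if len(t) < 2 or t[0] != "action":
        raise ValueError("expected: action <name> ...")
    act = {"name": t[1], "mode": None, "peer": None, "keying": None,
           "pfs_group": None, "proposals": [], "esp": None, "ah": None}
    i = 2
    try:
        while i < len(t):
            kw, i = expand(t[i]), i + 1
            if kw == "-tunnel_mode":                      # tunnel mode needs its peer qualifier
                act["mode"], act["peer"], i = "tunnel", t[i], i + 1
            elif kw == "-transport_mode":
                act["mode"] = "transport"
            elif kw in ("-auto_key", "-manual_key"):
                if act["keying"] is not None:
                    raise ValueError("-auto_key and -manual_key are mutually exclusive")
                act["keying"] = "auto" if kw == "-auto_key" else "manual"
                if kw == "-auto_key":                     # [no] pfs_group <1|2> <proposal>...
                    pfs = t[i] != "no"
                    i += 0 if pfs else 1
                    if t[i] != "pfs_group":
                        raise ValueError("-auto_key must be followed by [no] pfs_group")
                    i += 1
                    if pfs:
                        act["pfs_group"], i = int(t[i]), i + 1
                        if act["pfs_group"] not in (1, 2):
                            raise ValueError("pfs_group must be 1 or 2")
                    while i < len(t) and not t[i].startswith("-"):
                        act["proposals"].append(t[i])
                        i += 1
            elif act["keying"] != "manual":
                raise ValueError(f"{kw} is only valid after -manual_key")
            elif kw == "-esp":
                act["esp"], i = parse_sa(t, i, CIPHERS, "ESP")
                if i < len(t) and t[i].lower() in HASHES:     # optional <md5|sha> <key> authenticator
                    act["esp"]["auth"], act["esp"]["auth_key"], i = t[i].lower(), parse_key(t[i + 1]), i + 2
            else:
                act["ah"], i = parse_sa(t, i, HASHES, "AH")
    except IndexError:
        raise ValueError("command ends before all required values are given") from None
    if act["mode"] is None:
        raise ValueError("-tunnel_mode or -transport_mode is required")
    if act["keying"] is None:
        raise ValueError("-auto_key or -manual_key is required")
    if act["keying"] == "auto" and not act["proposals"]:
        raise ValueError("an auto-key action needs at least one proposal name")
    if act["keying"] == "manual" and act["esp"] is None and act["ah"] is None:
        raise ValueError("a manual-key action needs -esp and/or -ah")
    return act
```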
proposal command (configure IPSec level)
WG#config<ENTER>
WG(config)#ipsec <ENTER>
WG(config-ipsec)#proposal <"name"> [+] \
[-antireplay_window [0|32|64]] \
-esp {<des|3des|md5|sha><lifetime<min|hr> \
|lifesize<KB|MB>>} \
-ah {<md5|sha><lifetime<min|hr>| lifesize<KB|MB>>}…
Effect
Creates or modifies an IPSec proposal that can then be incorporated into IPSec actions (which can then be added to security policies).
Arguments
<"name">
This argument notes the name assigned to this new proposal.
-antireplay_window <0|32|64>
This argument (and the required value) sets the anti-replay window size.
-esp {<des|3des> [md5|sha] <lifetime <min|hrs>|lifesize <KB|MB>>}
If you want to include an ESP transform in this proposal, type this argument plus the necessary values: algorithm, lifetime, lifesize.
-ah {<md5|sha> <lifetime <min|hrs>|lifesize <KB|MB>>}
If you want to include an AH transform in this proposal, type this argument plus the necessary values: algorithm, lifetime, lifesize.
+
Type this character before entering a new transform that will be added to an existing IPSec proposal.
Examples
WG(config-ipsec)#proposal "new_prop1" -antireplay \
32 -esp {3des md5 10hrs} {des md5 5hr 10MB} -ah \
{sha 34min 100MB}<ENTER>
# This example shows the creation of a new proposal.
WG(config-ipsec)# prop my_proposal + -ah \
{ sha 8hr }
# This example shows the addition of a new AH transform to an existing proposal.
Level 2 Quality of Service (QoS) configuration commands
action command (configure Quality of Service level)
WG#config<ENTER>
WG(config)#qos <ENTER>
WG(config-qos)#action <"name"> -bandwidth_weight \
<1-100>
Effect
Records a new QoS action or modifies an existing action.
Arguments
<"name">
This argument, immediately following the command, notes the name assigned to this new QoS action.
-bandwidth_weight <"1-100">
This argument (and the required value) determines the level of QoS based on the WFQ (weighted fair queuing) algorithm.
Examples
WG(config-qos)#action high_QoS -bandwidth 25<ENTER>
WG(config-qos)#action mid_QoS -bandwidth 5<ENTER>
Enable or disable port shaping for interface 0 or 1
WG#config<ENTER>
WG(config)#qos <ENTER>
WG(config-qos)#system [<interface 0|interface 1> \
<<num>Kbps|Mbps>] [enable|disable]
Effect
Enables (or disables) port shaping for either interface 0 (private) or interface 1 (public) of a WatchGuard appliance, and enters the general QoS value for that interface. The value entered is the sending throughput of that interface. When a system port-shaping action is enabled, the appliance automatically restarts in order to apply the policy.
Arguments
<interface 0 | interface 1>
Use this argument to enter one of these interfaces.
<<num>Kbps|Mbps>
Use this argument to enter one unit, Kbps or Mbps, plus the appropriate number value.
<enable | disable>
Use this argument to enter one of these options.
Example
WG(config-qos)#system interface 1 10Mbps enable<ENTER>
# This example shows a policy that restricts the output throughput of the Public interface to 10 megabits per second.
Level 2 Remote Access Service (RAS) configuration commands
group_profile command (configure RAS level)
WG#config<ENTER>
WG(config)#ras<ENTER>
WG(config-ras)#group_profile <"name"> \
[no][-address_pool <"address_group">] \
[-dns <a.b.c.d>] [-session_time_out <number> <min|hr>] \
[-idle_time_out <number> <min|hr>] \
[-concurrent_logins_per_user <number>]
Effect
Creates a new RAS group profile (or modifies an existing profile) that controls the connection parameters of all associated remote access user accounts.
Arguments
<”name”>
This argument records a name for this group profile, which is used when creating individual user profile accounts.
[no] [-address_pool <”address_group”>]
This argument specifies the name of an address group containing a pool of internal IP addresses assigned to remote access connections.
[-dns <a.b.c.d>]
This argument assigns a DNS server IP address to the remote users belonging to this group.
[-session_time_out <number> <min|hr>]
This argument limits the total time any one account user can continuously stay logged into the network. The default time limit is 8 hours.
[-idle_time_out <number> <min|hr>]
This argument sets the time limit for an inactive connection before it is automatically broken. The default is 15 minutes.
[-concurrent_logins_per_user <number>]
This argument specifies the number of concurrent connections a user can establish. The default is 1.
Example
WG(config-ras)#group consultants -address sjnet10 \
-dns 134.12.33.2 -session 2 hr -idle 5 min -con 1
user_profile command (configure RAS level)
WG#config<ENTER>
WG(config)#ras<ENTER>
WG(config-ras)#user_profile <"name"> \
[enable|disable] \
[-password "password"] \
[-full_name <"name">] \
[-group_profile "profile_name"] \
[-pw_expiry <days|never>] \
[-account_expiry <days|never>] \
[-concurrent_logins <"number">]
Effect
Enters a new remote access user account (or modifies an existing account) in an internal database in the WatchGuard appliance.
Arguments
<"name">
This argument records the login ID used by this remote user account, and should be between 1 and 15 characters in length.
[enable | disable]
This argument activates (or deactivates) this account. The default state is “enable”.
[-password ”password”]
This argument records the initial password first used by this account, and should be between 6 and 8 characters in length.
[-full_name <”name”>]
This argument notes the full name of the user, up to 15 characters in length.
[-group_profile “profile_name”]
This argument specifies which user group profile affects this user account. The default choice is “default setting”.
[-pw_expiry <”days”|never>]
This argument sets the number of days until the user’s password expires. The default is 90 days.
[-account_expiry <”days”|never>]
This argument sets the number of days until this account expires. The default lifetime is 180 days.
[-concurrent_logins <”number”>]
This argument limits the number of concurrent connections this account user can establish. The default is 1.
Example
WG(config-ras)#user enable jdoe \
-password jdsecret -full "John Doe" \
-group admGroup -pw_expiry 60 -account 60 \
-concurrent 1<ENTER>
ResultsTo review and confirm your entries, type this command:
WG(config-ras)#show user jdoe<ENTER>
The results are displayed, similar to this example:
User Profile|Name = jdoeFull Name = "John Doe"EnabledDescription = ""User Group Profile = admGroup
104 WatchGuard Vclass 5.1
Second level configuration mode commands
Password Expiresat Sat May 19 15:40:40 2001Password Epiry = 60 DaysAccount Expiresat Sat May 19 15:40:40 2001Account Epiry = 60 DaysConcurrent Logins = 1
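As an added example that is not part of the WatchGuard guide, the following Python script parses "show user" output like the listing above and audits the expiry fields, which is what a reviewer checks when RAS accounts are created with -pw_expiry never or long -account_expiry values. The sample output is constructed to match the guide's example; the way the appliance renders a "never" expiry, the 7-day warning window, and the assumption that the expiry date minus the expiry period gives the creation date are this example's own assumptions.

```python
import re
from datetime import datetime, timedelta

# Timestamp format printed by "show user", e.g. "Sat May 19 15:40:40 2001".
DATE_FMT = "%a %b %d %H:%M:%S %Y"
WARN_WINDOW = timedelta(days=7)  # assumed review threshold, not an appliance setting

# Constructed sample modelled on the guide's "show user jdoe" output; it is
# not captured from an appliance. The guide's sample prints "Epiry", so the
# parser accepts both spellings of "Expiry".
SAMPLE_SHOW_USER = """\
User Profile
Name = jdoe
Full Name = "John Doe"
Enabled
Description = ""
User Group Profile = admGroup
Password Expires at Sat May 19 15:40:40 2001
Password Expiry = 60 Days
Account Expires at Sat May 19 15:40:40 2001
Account Expiry = 60 Days
Concurrent Logins = 1
"""


def parse_show_user(text):
    """Turn the key/value lines of 'show user <name>' into a dict.

    Expiry dates become datetime objects; an absent expiry line, or one reading
    "never" (how the appliance renders -pw_expiry never is assumed), becomes None.
    """
    profile = {"enabled": False, "password_expires": None, "account_expires": None}
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("Enabled", "Disabled"):
            profile["enabled"] = line == "Enabled"
            continue
        m = re.match(r"^(Password|Account) Expires at (.+)$", line)
        if m:
            when = m.group(2).strip()
            profile[m.group(1).lower() + "_expires"] = (
                None if when.lower() == "never" else datetime.strptime(when, DATE_FMT)
            )
            continue
        m = re.match(r"^(Password|Account) Ex?piry = (\d+) Days$", line)
        if m:
            profile[m.group(1).lower() + "_expiry_days"] = int(m.group(2))
            continue
        if " = " in line:
            key, value = line.split(" = ", 1)
            key = key.strip().lower().replace(" ", "_")
            value = value.strip().strip('"')
            profile[key] = int(value) if value.isdigit() else value
    return profile


def _as_datetime(when):
    return datetime.fromisoformat(when) if isinstance(when, str) else when


def creation_date(profile, what="account"):
    """Back-compute when the account (or password) was set from its expiry
    date and the configured expiry period (assumes expiry = creation + days)."""
    expires = profile.get(f"{what}_expires")
    days = profile.get(f"{what}_expiry_days")
    if expires is None or days is None:
        return None
    return expires - timedelta(days=days)


def audit_user(profile, now):
    """Findings a reviewer wants from one RAS user profile, evaluated at `now`
    (a datetime or an ISO 8601 string)."""
    now = _as_datetime(now)
    findings = []
    if not profile["enabled"]:
        findings.append("account disabled")
    for what in ("password", "account"):
        expires = profile.get(f"{what}_expires")
        if expires is None:
            findings.append(f"{what} never expires")
        elif expires <= now:
            findings.append(f"{what} expired")
        elif expires - now <= WARN_WINDOW:
            findings.append(f"{what} expires within 7 days")
    if profile.get("concurrent_logins", 1) > 1:
        findings.append("more than one concurrent login allowed")
    return findings


if __name__ == "__main__":
    profile = parse_show_user(SAMPLE_SHOW_USER)
    print(profile["name"], "created", creation_date(profile))
    print(audit_user(profile, "2001-06-01"))
```

Run over a captured "show user" listing for each account, the audit flags accounts whose password or account lifetime is "never", accounts already past expiry that are still enabled, and accounts permitting more than one concurrent login.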
database command (configure RAS level)
WG#config<ENTER>
WG(config)#ras<ENTER>
WG(config-ras)#database <-internal | \
    -radius <primary|[no] backup> \
    -ip <a.b.c.d> -secret <"name"> [-port <number>] \
    [-authentication <pap|secure_id>] \
    [-user_group <"name">]>
Effect
Establishes whether the authentication database is stored on a RADIUS server or in this WatchGuard Firebox Vclass security appliance, then notes the parameters of this database.
Arguments
-internal
This argument specifies the use of an internal database within the WatchGuard appliance for RAS user authentication.
-radius
This argument specifies the use of a RADIUS server as the host for a RAS user authentication database.
If you enter "-radius", enter the following arguments:
<primary|[no] backup>
This argument specifies whether the primary or backup RADIUS server is currently being configured. You need to enter this command two times, to configure a primary and a backup server connection.
If you want to delete the configuration entries for a backup RADIUS server, enter the "no backup" argument.
-ip <a.b.c.d>
This argument establishes the IP address of the RADIUS server that will be used.
-secret <"password_text">
This argument records the secret password allowing this appliance to contact the database in the RADIUS server.
[-authentication <pap|secure_id>]
This argument establishes which authentication is being used: PAP or SecurID.
[-port <number>]
This optional argument records the RADIUS server port number, if needed.
[-user_group <"name">]
This optional argument specifies the name of a user group profile used by RADIUS users. Be sure to use the "user_group_profile" command to control session time and idle timeout for RADIUS users.
Examples
WG(config-ras)#database -radius primary \
    -ip 12.10.1.2 -sec confidential \
    -auth secure_id -user_group exec_staff<ENTER>
WG(config-ras)#database -internal<ENTER>
WG(config-ras)#database -radius backup \
    -ip 12.10.1.3 \
    -sec confidential<ENTER>
Level 2 System Configuration commands
Command For more information, see
dns "dns command (configure system level)" on page 108
cpm "cpm command (configure system level)" on page 108
fwuser "fwuser command (configure system level)" on page 109
icmp_error_handling "icmp_error_handling command (configure system level)" on page 110
interface "interface command (configure system level)" on page 110
ldap "ldap command (configure system level)" on page 110
log "log command (configure system level)" on page 111
mss_adjustment "mss_adjustment" on page 112
ntp "ntp command (configure system level)" on page 113
route "route command (configure system level)" on page 113
snmp "snmp command (configure system level)" on page 114
sysinfo "sysinfo command (configure system level)" on page 115
tcp_syn_checking "tcp_syn_checking" on page 116
vlan_forwarding "vlan_forwarding command (configure system level)" on page 116
vpn "vpn command (configure system level)" on page 117
no "No command" on page 143
show "Show command" on page 144
history "history command" on page 14
rename "Rename command" on page 143
exit "exit command" on page 14
top "top command" on page 15
dns command (configure system level)
WG#config<ENTER>
WG(config)#system<ENTER>
WG(config-sys)#[no] dns <"domain_name"> \
    -server <a.b.c.d> [a.b.c.d]
Effect
Records the domain name and the IP addresses of all relevant domain name servers.
Arguments
no
This argument (when entered before the dns command) removes this DNS entry.
<"domain_name">
This argument records the domain name of this security appliance.
-server <a.b.c.d> [a.b.c.d]
This argument records the IP address of the DNS server, optionally followed by the address of a second server.
Example
WG(config-sys)#dns my_company.com \
    -server 24.12.2.1<ENTER>
cpm command (configure system level)
WG#config<ENTER>
WG(config)#cpm <enable "text of password"|disable>
Effect
Enables this appliance to be managed by means of the WatchGuard Centralized Policy Manager (CPM). You can also use this command to disable CPM as needed. If enabling CPM access, be sure to enter the CPM-access password immediately following the "enable" argument.
Arguments
enable
Enter this argument to activate WatchGuard CPM access to this WatchGuard appliance.
<password_text>
Enter the text of the CPM access password after "enable".
disable
Enter this argument if you have already established CPM access and want to disable the connection.
Example
WG(config)#cpm enable cpm_admit_1<ENTER>
fwuser command (configure system level)
WG#config<ENTER>
WG(config)#system<ENTER>
WG(config-sys)#fwuser -t <idle_timeout> [seconds|minutes]
Effect
Allows you to change the value of the firewall user connection idle timeout. The system default is two hours, and the default unit is "seconds".
Argument
-t <idle_timeout> [seconds|minutes]
icmp_error_handling command (configure system level)
WG#config<ENTER>
WG(config)#system<ENTER>
WG(config-sys)#icmp_error_handling [all] | [[no] fragmentation_required] [[no] host_unreachable] \
    [[no] time_exceeded] [[no] port_unreachable] [[no] network_unreachable]
Effect
Allows you to turn on ICMP error handling for all events, or just for the events you specify.
interface command (configure system level)
WG#config<ENTER>
WG(config)#interface
Effect
Enters the interface configuration mode, at which point you can enter interface-specific commands and their arguments.
Arguments
None in this mode.
See Also
For more information on interface configuration mode, see "Level 2 interface configuration commands" on page 82.
ldap command (configure system level)
WG#config<ENTER>
WG(config)#system<ENTER>
WG(config-sys)#[no] ldap <a.b.c.d|"name"> [port_number]
Effect
Activates (or deactivates) a network connection to an LDAP server that this security appliance uses to look up certificate revocation lists during IKE key negotiations.
Arguments
no
This argument (when entered before the ldap command) deactivates this LDAP connection.
<a.b.c.d|"name"> [port_number]
This argument notes the pertinent IP address and LDAP server port number. You can enter either an IP address or a domain name, and, if the LDAP server port number is other than "389", you must enter it.
To enter a host name, you must first record the DNS server connection, as noted elsewhere in this Guide.
Example
WG(config-sys)#ldap 207.124.35.3 189<ENTER>
log command (configure system level)
WG#config<ENTER>
WG(config)#system<ENTER>
WG(config-sys)#log
Effect
Enters the log configuration mode, at which point you can enter log file-specific commands and their arguments.
Arguments
None in this mode. For more information about "log" mode commands, see "Level 3 log configuration commands" on page 124.
mss_adjustment
WG#config<ENTER>
WG(config)#system<ENTER>
WG(config-system)#mss_adjustment [auto | limit_to <num> | disable]
    ## limit_to range: 40-1460 bytes
Effect
Sets the TCP Maximum Segment Size for the system. This feature works in conjunction with the MTU settings to limit the size of packets, if configured. This feature overcomes the following problems:
- Oversized packets can result in fragmentation, degrading VPN performance.
- Proxies may require MSS adjustment to prevent fragmentation.
- Some older systems do not support MTU to regulate packet size. This feature works along with MTU; it does not replace MTU.
Arguments
auto
Auto adjustment calculates the MSS automatically, as follows: it determines the lesser of the input port MTU and the output port MTU, then subtracts packet overhead, including IP and TCP headers and any VLAN, ESP, PPPoE, AH, and UDP encapsulation. The result is rounded down to the next lower multiple of 8 bits (8-bit aligned) to determine the size in bytes that is available for packet transmission, and that result is used as the MSS for the connection.
limit_to
This limits the MSS to the specified size in bytes. You can specify a value between 40 and 1640 bytes.
disable
This specifies that no change be made to the TCP header. If you select this option, packets may fragment.
Example
WG#config<ENTER>
WG(config)#system<ENTER>
WG(config-system)#mss_adjustment limit_to 1400<ENTER>
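The auto calculation above, as an added Python example that is not the appliance's code: it takes the lesser MTU, subtracts header and encapsulation overhead, and rounds down as the guide describes, then shows whether a given segment would still fragment on the path. The encapsulation sizes are assumed representative values (the guide names the encapsulations but not their sizes), treating "multiple of 8" as 8-byte alignment is an assumption about the guide's wording, and the limit_to range check uses the 40-1460 range printed in the command syntax.

```python
# Header sizes in bytes. IP and TCP are the minimal fixed headers; the
# encapsulation figures are assumed representative values, since the guide
# names the encapsulations but not their sizes.
IP_HEADER = 20
TCP_HEADER = 20
ENCAP_OVERHEAD = {
    "vlan": 4,    # 802.1Q tag
    "pppoe": 8,   # PPPoE header (6) + PPP protocol field (2)
    "udp": 8,     # UDP encapsulation (NAT traversal)
    "ah": 24,     # AH with a 12-byte ICV (assumed)
    "esp": 56,    # ESP tunnel-mode budget: SPI, sequence, IV, padding, trailer, ICV (assumed)
}
MSS_MIN, MSS_MAX = 40, 1460   # limit_to range given in the command syntax


def auto_mss(in_mtu, out_mtu, encaps=()):
    """Reproduce the 'auto' calculation the guide describes."""
    mtu = min(in_mtu, out_mtu)
    overhead = IP_HEADER + TCP_HEADER + sum(ENCAP_OVERHEAD[e] for e in encaps)
    mss = mtu - overhead
    # The guide says the result is rounded down to the next lower multiple of 8;
    # this treats that as 8-byte alignment (an assumption).
    mss -= mss % 8
    return max(mss, 0)


def effective_mss(mode, in_mtu=1500, out_mtu=1500, encaps=(), limit=None):
    """Return the MSS written into the TCP header, or None when the header is
    left unchanged (mode 'disable')."""
    if mode == "disable":
        return None
    if mode == "limit_to":
        if limit is None or not MSS_MIN <= limit <= MSS_MAX:
            raise ValueError(f"limit_to must be within {MSS_MIN}-{MSS_MAX} bytes")
        return limit
    if mode == "auto":
        return auto_mss(in_mtu, out_mtu, encaps)
    raise ValueError(f"unknown mode {mode!r}")


def will_fragment(segment_payload, path_mtu, encaps=()):
    """True when a TCP segment carrying `segment_payload` bytes, once wrapped in
    IP, TCP and the listed encapsulations, exceeds the path MTU and so must be
    fragmented (or dropped when DF is set)."""
    total = segment_payload + IP_HEADER + TCP_HEADER + sum(ENCAP_OVERHEAD[e] for e in encaps)
    return total > path_mtu


if __name__ == "__main__":
    for encaps in ((), ("vlan",), ("esp",), ("pppoe",)):
        print(encaps, auto_mss(1500, 1500, encaps))
```

With the assumed ESP budget, a 1500-byte MTU path yields an auto MSS of 1400, the same value the guide's limit_to example sets by hand; the will_fragment check is the quick way to see why a host's default 1460-byte MSS does not fit once the tunnel overhead is added.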
ntp command (configure system level)
WG#config<ENTER>
WG(config)#system<ENTER>
WG(config-sys)#ntp
Effect
Discuss effects
Arguments
Describe arguments.
route command (configure system level)
WG#config<ENTER>
WG(config)#system<ENTER>
WG(config-sys)#route
Effect
Enters the system route configuration mode, at which point you can enter route-specific commands and their arguments.
Arguments
None in this mode.
See Also
For more information about route mode commands, see "Level 3 route configuration commands" on page 122.
snmp command (configure system level)
WG#config<ENTER>
WG(config)#system<ENTER>
WG(config-sys)#[no] snmp <a.b.c.d> [a.b.c.d] \
    [-community <"string">] [-trap|-no_trap]
Effect
Records network connection data for all relevant SNMP management workstations that will receive traps generated by this security appliance.
Arguments
no
This argument, if entered before the "snmp" command, removes/deactivates all recorded SNMP stations.
<a.b.c.d>
This argument records the IP address of a specific SNMP workstation.
-community <"text_string">
This argument records the community string.
[-trap|-no_trap]
This optional argument activates (or deactivates) the SNMP trap settings.
Example
WG(config-sys)#snmp 128.13.44.2 \
    -community 66gHf4D -trap<ENTER>
Results
To view the results, type this command:
WG(config-sys)#show snmp<ENTER>
sysinfo command (configure system level)
WG#config<ENTER>
WG(config)#system<ENTER>
WG(config-system)#sysinfo <-name <"string"> &| \
    -location <"string"> &| -contact <"string">> \
    [-time <hh:mm:ss>] [-date <mm:dd:yy>]
Effect
Applies new system information to an existing security appliance, including the appliance name, contact name, and physical location of the appliance.
Arguments
-name <"string">
Use this argument to record the DNS name of this security appliance, without the rest of the DNS entry.
-location <"string">
Use this argument to record the geographic location of this appliance.
-contact <"string">
Use this argument to record the name of the administrator.
-time <hh:mm:ss>
Use this argument to set the system time.
-date <mm:dd:yy>
Use this argument to set the system date.
Example
WG(config-sys)#sysinfo -name mucho \
    -loc "Lot 49" \
    -contact "O. Maas" -time 14:42:05 -date 10:15:02<ENTER>
To review and confirm your entries, type this command:
WG(config-sys)#show sysinfo<ENTER>
The complete results will appear as suggested here (in eight lines):
System name=mucho
System contact=O. Maas
System location=Lot 49
Version=4.0
SerialNum=<D0YXA0A0D408>
tcp_syn_checking
WG#config<ENTER>
WG(config)#system<ENTER>
WG(config-system)#tcp_syn_checking <enable|disable>
Effect
This enables or disables TCP SYN checking.
vlan_forwarding command (configure system level)
WG#config<ENTER>
WG(config)#system<ENTER>
WG(config-sys)#vlan_forwarding [enable|disable]
Effect
Allows you to enable (or disable) the system-wide VLAN forwarding capability.
Arguments
enable
Turns on VLAN forwarding.
disable
Turns off VLAN forwarding (if it is active).
vpn command (configure system level)
WG#config<ENTER>
WG(config)#system<ENTER>
WG(config-system)#vpn [[no] ignore_DF_for_IPSec] [[no] IPSec_pass_through]
Effect
This allows you to set options for VPN.
Arguments
[no] ignore_DF_for_IPSec
This allows fragments of large packets through the VPN tunnel. If you set this option, the appliance ignores the don't fragment (DF) flag.
[no] IPSec_pass_through
This allows IPSec pass-through.
Level 2 license commands (for upgraded or additional features)
import command (config license level)
WG#config<ENTER>
WG(config)#license<ENTER>
WG(config-license)#import
Effect
Imports a new license that upgrades or adds functionality to the appliance.
Arguments
None
active_feature command (config license level)
WG#config<ENTER>
WG(config)#license<ENTER>
WG(config-license)#active_feature<ENTER>
Effect
Lists all currently active extra features (obtained through licensing).
Arguments
None
delete command (config license level)
WG#config<ENTER>
WG(config)#license<ENTER>
WG(config-license)#delete <license_id>
Effect
Removes the named license from the appliance.
Arguments
<license_id>
This argument records the exact ID of the license to delete.
Example
None
show command (config license level)
WG#config<ENTER>
WG(config)#license<ENTER>
WG(config-license)#show [license_id]
Effect
Displays a summary of the named license, or lists all available licenses.
Arguments
None
With no argument, this command lists all available licenses.
<license_id>
This argument notes the ID of a license; the command then lists the details of that license.
Example
WG#config<ENTER>
WG(config)#license<ENTER>
WG(config-license)#show
Ord  License Name        License ID  Expiration Date
1    V80_3DES_HA_Bundle  3293MXLD    17-05-2022
or
WG#config<ENTER>
WG(config)#license<ENTER>
WG(config-license)#show 3293MXLD
License Name: V80_3DES_HA_Bundle
License ID: 3293MXLD
Feature(s): HA3DESUPGRADE
Expiration Date: 17-05-2022
Level 2 tenant configuration commands
vlan command (configure tenant level)
WG#config<ENTER>
WG(config)#tenant<ENTER>
WG(config-tenant)#vlan <"name"> <-id num> [-interface <0|2|3>] [-ip a.b.c.d/e] \
    [-gateway a.b.c.d] [-public <default|<a.b.c.d/e>>]
    # valid vlan -id range (1-4094)
    # -ip a.b.c.d/e if specified, the IP address/mask assigned for
    #    interface 0|2|3 (default is 0) of tenant
    # e.g.> vlan v1 -id 3 -interface 0 -gate 10.1.0.1
Effect
Records a new VLAN tenant entry, along with the appliance interface that VLAN tenant traffic is expected to use.
Arguments
<"name">
This argument records the name assigned to this VLAN tenant (for use in security policies).
<-id num>
This argument records the VLAN ID as "id" followed by the number (between 1 and 4096) assigned to this tenant.
<-interface [0|2|3]>
This argument specifies which interface (0, 2, or 3) this VLAN tenant is associated with.
[-ip a.b.c.d/e]
This argument records the IP address and subnet assigned to the 0 (private) or 2 (DMZ) interface, if one of those is specified.
[-gateway a.b.c.d]
This argument notes the gateway IP address for this tenant, if needed.
-public <default|<a.b.c.d/e>>
This allows you to specify a public VLAN IP address and gateway.
Example
WG(config-tenant)#vlan <"execs"> -interface 1 192.168.12.34 \
    -id 366<ENTER>
user_domain command (configure tenant level)
WG#config<ENTER>
WG(config)#tenant<ENTER>
WG(config-tenant)#user_domain <"name"> <-id num> [-public <default|<a.b.c.d/e>>] \
    <-idle_time_out m> <-radius_ip a.b.c.d> [-radius_port port] \
    <-radius_secret 'secret'> [-backup_radius_ip a.b.c.d] \
    [-backup_radius_port port] [-backup_radius_secret 'secret'] \
    <-radius_timeout sec> <-radius_retry n> [-use_login_id_with_domain_name <on|off>]
    # valid user domain tenant -id must be from 5001 to 65535
    # -idle_time_out m     Idle timeout. m is the number in minutes
    # -radius_timeout sec  Time out for radius request
    # -radius_retry n      number of retries for radius query
Effect
Records a new user domain tenant entry, along with the appliance interface that the tenant's traffic is expected to use.
Arguments
user_domain
This argument identifies which type of tenant this entry represents.
<"name">
This argument records the name assigned to this tenant (for use in security policies).
<-id num>
This is "id" followed by the number (above 5000) assigned to this tenant.
-public <default|<a.b.c.d/e>>
This allows you to specify a public user domain IP address and gateway.
<-idle_time_out m>
This argument sets the idle timeout for this entry, in minutes.
<-radius_ip a.b.c.d>
This argument indicates the RADIUS server by its IP address.
[-radius_port port]
This optional argument notes the port number of the RADIUS server, if a port other than the default is used.
<-radius_secret 'secret'>
This argument records the RADIUS shared secret text.
[-backup_radius_ip a.b.c.d] [-backup_radius_port port]
This pair of arguments allows you to note a backup RADIUS server and its port number, if present.
Example
WG(config-tenant)#user_domain <"MegaCo"> \
    -interface 1 192.168.12.34 -id 6666 -idle 720 \
    -radius 12.12.3.144 \
    -radius_secret "no_admit"<ENTER>
Level 3 configuration mode commands
The following section, detailing all the third-level configuration commands, has been divided into "task" or "topical" collections, which include the following:
- Route configuration (this page)
- Log configuration (page 124)
Level 3 route configuration commands
Configure new static route
WG#config<ENTER>
WG(config)#system<ENTER>
WG(config-sys)#route<ENTER>
WG(config-route)#static <destination></prefix|mask> <gateway> interface <0|1|2>
Effect
Configures a new static route used by traffic passing through this WatchGuard appliance.
Arguments
<destination>
Use this argument to record the IP address of the destination subnet.
</prefix|mask>
Use this argument to record the number of bits in the subnet mask, or the destination subnet mask itself.
<gateway>
Use this argument to record the IP address of the next gateway to the destination subnet.
interface <0|1|2>
This argument specifies which interface of this security appliance is used for outgoing traffic on this route.
delete
Type this argument before typing the arguments for a route to deactivate that particular route.
Example
WG(config-route)#static 0.0.0.0/0 \
    105.10.74.122 pub<ENTER>
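An added example, not from the guide, showing what the destination/prefix-or-mask form accepts and how a "delete" entry removes a route: it parses static route commands into normalized networks (a dotted mask and a prefix length yield the same entry and host bits are reported), builds a route table, and picks the most specific matching route for a destination. The "pub" interface name from the guide's example is accepted alongside 0|1|2 as an assumption; the appliance's real parser and lookup are not documented on this page.

```python
import ipaddress

# Interface tokens accepted after the gateway. The guide's syntax lists 0|1|2;
# its example uses "pub", so that alias is accepted here as an assumption.
INTERFACES = {"0", "1", "2", "pub"}


def parse_static_route(line):
    """Parse '[delete] static <dest>/<prefix|mask> <gateway> [interface] <if>'.

    The destination accepts both a prefix length (10.1.0.0/16) and a dotted
    mask (10.1.0.0/255.255.0.0); both normalize to the same IPv4Network.
    """
    tokens = line.split()
    delete = False
    if tokens and tokens[0] == "delete":
        delete = True
        tokens = tokens[1:]
    if len(tokens) < 4 or tokens[0] != "static":
        raise ValueError(f"not a static route command: {line!r}")
    dest, gateway, rest = tokens[1], tokens[2], tokens[3:]
    if rest[0] == "interface":          # keyword form from the syntax line
        rest = rest[1:]
    if len(rest) != 1 or rest[0] not in INTERFACES:
        raise ValueError(f"missing or unknown interface in {line!r}")
    network = ipaddress.ip_network(dest, strict=False)
    given_addr = ipaddress.ip_address(dest.split("/")[0])
    warnings = []
    if given_addr != network.network_address:
        # Host bits were set: the entry really covers the containing subnet.
        warnings.append(f"{dest} has host bits set; normalized to {network}")
    return {
        "delete": delete,
        "network": network,
        "gateway": ipaddress.ip_address(gateway),
        "interface": rest[0],
        "warnings": warnings,
    }


def build_route_table(commands):
    """Apply route commands in order; a 'delete' removes the entry with the
    same network, gateway and interface."""
    table = []
    for line in commands:
        route = parse_static_route(line)
        key = (route["network"], route["gateway"], route["interface"])
        if route["delete"]:
            table = [r for r in table if (r["network"], r["gateway"], r["interface"]) != key]
        else:
            table.append(route)
    return table


def select_route(table, dst):
    """Longest-prefix match: the most specific route containing `dst`, or None."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in table if addr in r["network"]]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r["network"].prefixlen)


if __name__ == "__main__":
    # Constructed commands; the first is the guide's own default-route example.
    table = build_route_table([
        "static 0.0.0.0/0 105.10.74.122 pub",
        "static 10.1.0.0/255.255.0.0 10.1.0.1 interface 0",
    ])
    for probe in ("10.1.5.5", "8.8.8.8"):
        print(probe, "->", select_route(table, probe)["gateway"])
```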
Configure dynamic routing
WG#config<ENTER>
WG(config)#system<ENTER>
WG(config-sys)#route<ENTER>
WG(config-route)#[no] dynamic [import|restart]
Effect
Configures dynamic routing in this WatchGuard Firebox Vclass security appliance.
Arguments
no
Enter this argument to deactivate dynamic routing altogether.
[import|restart]
Use these options to import dynamic routing information, or to restart the system.
Examples
WG(config-route)#dynamic import<ENTER>
WG(config-route)#dynamic restart<ENTER>
Level 3 log configuration commands
Activate or deactivate traffic log file
WG#config<ENTER>
WG(config)#system<ENTER>
WG(config-sys)#log<ENTER>
WG(config-log)#[no] traffic
Effect
Use this command to activate (or deactivate) a traffic log file.
Arguments
no
This argument, when entered before the type of log file, deactivates that log.
Examples
WG(config-log)#no traffic<ENTER>
Configure events log file
WG#config<ENTER>
WG(config)#system<ENTER>
WG(config-sys)#log<ENTER>
WG(config-log)#[no] event \
    <critical|error|warning|admin|info>
Effect
Use this command to configure the events log file.
Arguments
<critical|error|warning|admin|info>
Type one of these "log level" selections after the command to indicate what to include in this events log. The levels are cumulative: if you type "critical", the log records only critical events, whereas if you type "info", the log records all of the other selections too.
no
This argument, when entered before "event", deactivates the event log.
Example
WG(config-log)#event error<ENTER>
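The cumulative level behaviour described above, as an added example that is not appliance code: constructed event lines (the "[level]" marker format is invented for this example) are filtered by the configured event level, and a helper returns the least verbose setting that still records the levels an investigation needs, such as keeping "admin" configuration changes visible. Treating the five levels as a strict ordering in the sequence the command lists them is an assumption; the guide only states the behaviour at the two ends.

```python
import re

# Log levels in the order the "event" command lists them, most to least
# severe. The guide says "critical" records only critical events and "info"
# records everything; a strict ordering of the levels in between is assumed.
LEVELS = ("critical", "error", "warning", "admin", "info")

# Constructed sample event lines (not appliance output); the "[level]" marker
# layout is invented for this example.
SAMPLE_EVENTS = [
    "2003-05-19 15:40:40 [critical] HA peer 192.0.2.2 not responding",
    "2003-05-19 15:41:02 [error] IKE phase 1 failed with 203.0.113.7: no proposal chosen",
    "2003-05-19 15:41:30 [warning] RADIUS server 10.10.0.5 timed out, retrying",
    "2003-05-19 15:42:11 [admin] configuration committed by admin from 192.0.2.10",
    "2003-05-19 15:42:15 [info] interface eth1 link up",
]

LINE_RE = re.compile(r"^(\S+ \S+) \[(\w+)\] (.*)$")


def parse_event(line):
    """Split one event line into timestamp, level and message."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable event line: {line!r}")
    ts, level, msg = m.groups()
    if level not in LEVELS:
        raise ValueError(f"unknown level {level!r}")
    return {"time": ts, "level": level, "message": msg}


def recorded_levels(configured):
    """Levels the appliance records when 'event <configured>' is set."""
    return LEVELS[: LEVELS.index(configured) + 1]


def events_recorded(lines, configured):
    """The events that survive into the log at the given setting."""
    keep = set(recorded_levels(configured))
    return [e for e in map(parse_event, lines) if e["level"] in keep]


def minimum_level_for(needed):
    """Least verbose 'event' setting that still captures every level in
    `needed`; e.g. {'critical', 'admin'} requires 'admin'."""
    return LEVELS[max(LEVELS.index(n) for n in needed)]


if __name__ == "__main__":
    for e in events_recorded(SAMPLE_EVENTS, "warning"):
        print(e["time"], e["level"], e["message"])
    print("needed setting:", minimum_level_for({"critical", "admin"}))
```

The practical consequence is that "event error", the guide's example setting, drops the "admin" line recording who committed a configuration change; an audit trail of administrative actions needs at least "event admin".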
Set up remote log server connection
WG#config<ENTER>
WG(config)#system<ENTER>
WG(config-sys)#log<ENTER>
WG(config-log)#remote_log_server <"ip_address">
Effect
Use this command to set up a remote log server connection.
Arguments
<ip_address>
This argument records the IP address of the remote log server.
Example
WG(config-log)#remote_log_server 128.19.3.77<ENTER>
NOTE
When exiting "config" mode you may be prompted "Commit before exit? (Y/N)". This prompt is displayed if you have made changes but have not committed them to the WatchGuard appliance database. Type Y to commit your changes and return to the WG# prompt, or type N to void the changes and leave the database in its previous state.
CHAPTER 4 Debug Mode Commands
All WatchGuard CLI commands are organized into groups, which are presented as specific command modes. This chapter covers the commands available in Debug Mode.
Debugging/troubleshooting commands
The CLI Debug commands, detailed here, enable the use of standard Linux commands such as ping, tcpdump, netstat, traceroute, and arp. Most commands, such as "netstat," "arp," "ping," "tcpdump," and "traceroute," are similar to those provided on UNIX, Solaris, and Linux systems. You can use these commands to troubleshoot network environments.
Debugging configuration information is not saved when the database is backed up or exported to an XML profile. Debugging commands are available only for runtime debugging purposes.
Debugging information is not synced between HA appliances.
Command For more information
arp See “arp command” on page 129.
clear_logs See “clear_logs” on page 129.
config_http See “config_http command” on page 129.
conn_idle_timeout See “conn_idle_timeout command” on page 130.
ha_instant_sync See “ha_instant_sync command” on page 130.
hwdiag See “hwdiag command” on page 131.
ifconfig See “ifconfig command” on page 131.
importscreen See “importscreen command” on page 132.
kernel_debug See “kernel_debug command” on page 133.
netstat See “netstat command” on page 134.
ping See “ping command” on page 134.
pppoe_config See “pppoe_config command” on page 135.
radius_ping See “radius_ping command” on page 135.
rcinfo See “rcinfo command” on page 137.
reboot See “reboot command” on page 137.
rs_kdiag See “rs_kdiag command” on page 138.
set_dos_if See “set_dos_if command” on page 139.
slink See “slink command” on page 139.
tcpdump See “tcpdump command” on page 140.
traceroute See “traceroute command” on page 140.
verbose_trace See “verbose_trace command” on page 141.
vinstall See “vinstall command” on page 141.
show See “Show command” on page 144.
history See “history command” on page 14.
exit See “exit command” on page 14.
top See “top command” on page 15.
arp command
WG#debug<ENTER>
WG(debug)#arp
Effect
Displays or manipulates the ARP cache.
Arguments
None
Example
WG(debug)#arp<ENTER>
clear_logs
WG#debug<ENTER>
WG(debug)#clear_logs
Effect
Clears all log entries.
Argument
None
config_http command
WG#debug<ENTER>
WG(debug)#config_http [enable | disable | logon_html [standard | alternate]]
    enable                  Enable HTTPd
    disable                 Disable HTTPd
    logon_html standard     Use default logon HTML page.
    logon_html alternate    Use alternate logon HTML page.
Effect
Allows you to enable and disable debugging for HTTP.
Arguments
enable
Enables HTTP debugging.
disable
Disables HTTP debugging.
logon_html [standard | alternate]
Standard allows you to use the default HTML logon debugging page. Alternate allows you to use the alternate HTML logon page.
Example
WG#debug<ENTER>
WG(debug)#config_http enable logon_html alternate
conn_idle_timeout command
WG#debug<ENTER>
WG#debug conn_idle_timeout [show | set <idle timeout> | set_default | -h | -?]
    show                  Displays the current settings
    set <idle timeout>    Set the connection idle timeout (in seconds, 1-86400)
Effect
This allows you to set the connection idle timeout between the Vclass appliance and the Management Station. The maximum time is 86,400 seconds (one day). The default is 180 seconds (3 minutes).
Example
WG#debug conn_idle_timeout 600
WG#debug conn_idle_timeout set_default
ha_instant_sync command
WG#debug<ENTER>
WG#debug ha_instant_sync [show | enable | disable | set_default | -h | -?]
    show           Displays the current settings
    enable         Enable instant state sync
    disable        Disable instant state sync
    set_default    Restore the setting to the factory default value
Effect
Enables or disables instant HA state synchronization. This is enabled by default.
Example
WG#debug ha_instant_sync enable
hwdiag command
WG#debug<ENTER>
WG(debug)#hwdiag <1 | 2>
Effect
Provides diagnostic information for your hardware. Two diagnostic levels are available. Type the command "hwdiag 1<ENTER>" to perform level 1 hardware diagnostic tests, or "hwdiag 2<ENTER>" to perform level 2 tests.
Level 2 hardware diagnostics require that the system be rebooted after the tests complete.
ifconfig command
WG#debug<ENTER>
WG#debug ifconfig
Effect
ifconfig is the standard Linux command for interface configuration. This command can be used to configure the interfaces, as an alternative to interface configuration in the configuration menu. It also displays debugging information for the interfaces on the appliance.
Options
Type -h to get help for this command. ifconfig is a standard Linux command and should be used by a knowledgeable administrator. For the interface names, use "eth0" through "eth5", depending on how many interfaces your device has.
Type ifconfig with no options or arguments to show detailed interface information.
NOTE
When using the ifconfig command in transparent mode, you must use eth1, as in the following example:
ifconfig eth1 <ipaddress> netmask <mask>
You cannot use ifconfig with any other interface (e.g. eth0, eth2, eth3) in transparent mode.
importscreen command
WG#debug<ENTER>
WG(debug)#import screen
    Import a tar file via ftp to customize Firewall User Login Screen.
    Syntax:  importscreen <ftp_server> <ftp_username> <ftp_password> <path_filename>
    Example: importscreen 10.10.10.10 ftp any public/screen.tar
Effect
This command allows you to import a tar-archived set of files to replace the HTTPS firewall user authentication login screen.
Prerequisites
The default configuration includes the following files:
- logon.html
- cert_logon.html
- user_auth_fail.html
- index.html
- user_auth_success.html
- images/rs_sublogo.gif
You can save these files from the login and result pages to your local system using your browser's "Save" function. Once the files are saved, you can edit them, adding images, replacing text, and changing the page layout. However, you should not change any of the form input submission information, or your pages will not work.
You must create a compressed tar file (*.tar) that includes all of the files you want to replace for the logon and result screens. When you have completed editing, tar the files (creating a *.tar file) and place this file in an accessible FTP upload directory. Then use the CLI to FTP the file to the Vclass appliance.
NOTE
These operations require a moderate level of HTML knowledge and editing skills.
Example
WG#debug<ENTER>
WG(debug)#importscreen 10.10.0.98 ftpadmin ftppassword public/screens.tar
kernel_debug command
WG#debug<ENTER>
WG(debug)#kernel_debug <on | off>
Effect
This command turns kernel debugging on or off.
Arguments
None.
Example
WG(debug)#kernel_debug on
netstat command
WG#debug<ENTER>
WG(debug)#netstat
Effect
This command displays the network status as seen from the security appliance's point of view. To review the arguments for this command, type -?. The following are some of the available arguments.
Arguments
-a    Displays active network connections and their status
-i    Shows summaries sorted by appliance interface
-s    Shows statistics
-r    Shows routing table information
Example
WG(debug)#netstat -i<ENTER>
ping command
WG#debug<ENTER>
WG(debug)#ping <a.b.c.d>
Effect
Use the ping command to send an ICMP ECHO_REQUEST to a designated device.
Arguments
<a.b.c.d>
This argument records the IP address of the device/appliance to be pinged.
Example
WG(debug)#ping 122.13.2.9<ENTER>
The WatchGuard CLI sends ping packets to the designated IP address. Enter ^C (Control-C) to stop the ping. The CLI then displays the results and returns to the WG(debug)# prompt.
pppoe_config command
WG#debug<ENTER>
WG(debug)#pppoe_config [show | set <-i|-f|-r|-t> num | set_default]
    show                     Show current settings.
    set <-i|-f|-r|-t> num    Set PPPoE parameters.
                             -i is for echo interval (1-1200 Sec).
                             -f is for echo failure (1-60).
                             -r is for re-auth period (0-7200 Min).
                             -t is for re-auth interval (0-120 Min).
                             num is an integer.
    set_default              Restore factory default value.
Effect
This command allows you to set PPPoE echo (keep-alive) and re-authorization times and limits.
Arguments
-i allows you to set the echo (keep-alive) interval, from 1 to 1200 seconds.
-f allows you to set the threshold for echo (keep-alive) failure, from 1 to 60 seconds.
-r allows you to set the re-authorization period, from 0 to 7200 minutes.
-t allows you to set the re-authorization interval, from 0 to 120 minutes.
set_default allows you to set the default values for PPPoE echo and re-authorization.
Example
WG(debug)#pppoe_config set -i 300 -f 5 \
    -r 1800 -t 60
radius_ping command
WG#debug<ENTER>
WG(debug)#radius_ping \
    [-pap <"password">|-sid <"passcode">] \
    [-p <port>] [-r <retries>] \
    [-s <secret>] [-t <timeout>] \
    [-u <username>] <source> <a.b.c.d>
Effect
Use this command to test the connections between this WatchGuard appliance and a RADIUS server.
Pay special attention to the arguments for this command.
Arguments[-pap <password>]This optional argument specifies PAP as the authentication used by this RADIUS server, along with the PAP password.
[-sid <passcode>]This optional argument specifies SecurID as the authentication used by this RADIUS server, along with the SecurID passcode.
[-p <value>]This argument allows you to record a specific port number for the RADIUS server. The default port number is “1812” and you can ignore this argument if the port number was not changed.
[-r <value>]This argument specifies the maximum number of tries (between 1 and 10) made by this command. The default is “3”.
[-s <value>]This argument records the “secret” login password required by the RADIUS server. The default is “test123”.
[-t <value>]This argument establishes the timeout value for each test message.The default value is “2”.
[-u <value>]This argument records a RADIUS user name for
136 WatchGuard Vclass 5.1
Debugging/troubleshooting commands
use in this ping attempt. The default entry is “test123”.
<source>This argument notes the IP address of the interface where the RADIUS request will be sent.
<a.b.c.d>This argument notes the IP address of the RADIUS server.
ExampleWG(debug)# radius_ping -u jsmith -pap johnsm \10.10.13.101 10.10.0.5<ENTER>
[no response from RADIUS server]
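The exchange radius_ping carries out, as an added Python model that is not WatchGuard's code: an RFC 2865 Access-Request whose User-Password is hidden with the PAP keystream, and the Response Authenticator check that lets a tester ignore replies from anything that does not hold the shared secret. The defaults are the ones quoted above (port 1812, secret test123, 2-second timeout, 3 retries); make_reply stands in for the server so the check can be exercised without one.

```python
"""Offline model of the radius_ping exchange (RFC 2865 Access-Request with PAP).
Added example, not WatchGuard code.  Defaults are the radius_ping defaults quoted
above: port 1812, secret "test123", 2-second timeout, 3 retries."""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2
DEFAULT_PORT, DEFAULT_SECRET = 1812, "test123"


def _keystream_xor(data, secret, authenticator, chain_on_output):
    """RFC 2865 5.2: block i is XORed with MD5(secret + c[i-1]), the Request
    Authenticator standing in for c[-1].  Hiding chains on the blocks it
    produces; the server-side inverse chains on the blocks it reads."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        key = hashlib.md5(secret.encode() + prev).digest()
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], key))
        out += block
        prev = block if chain_on_output else data[i:i + 16]
    return out


def hide_password(password, secret, authenticator):
    """Zero-pad to a multiple of 16 and hide.  Anyone holding the secret can
    reverse this, which is why the -s secret deserves more than the default."""
    pw = password.encode()
    return _keystream_xor(pw + b"\x00" * (-len(pw) % 16), secret, authenticator, True)


def reveal_password(hidden, secret, authenticator):
    """What the RADIUS server does with the User-Password attribute."""
    plain = _keystream_xor(hidden, secret, authenticator, False)
    return plain.rstrip(b"\x00").decode(errors="replace")


def attribute(attr_type, value):
    """Type-Length-Value attribute; the length counts its own 2-byte header."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(username, password, secret, identifier, authenticator=None):
    """Code(1) Identifier(1) Length(2) Authenticator(16) Attributes; returns (packet, authenticator)."""
    authenticator = authenticator or os.urandom(16)
    attrs = attribute(ATTR_USER_NAME, username.encode())
    attrs += attribute(ATTR_USER_PASSWORD, hide_password(password, secret, authenticator))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs, authenticator


def make_reply(code, identifier, request_authenticator, secret, attrs=b""):
    """Server side of RFC 2865 section 3, here only so the check below can run offline."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    digest = hashlib.md5(header + request_authenticator + attrs + secret.encode()).digest()
    return header + digest + attrs


def verify_response(reply, request_authenticator, secret, expected_id):
    """Reply code, or None if the identifier or Response Authenticator does not match our request."""
    if len(reply) < 20:
        return None
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if ident != expected_id or length != len(reply):
        return None
    expected = hashlib.md5(reply[:4] + request_authenticator + reply[20:] + secret.encode()).digest()
    return code if hmac.compare_digest(expected, reply[4:20]) else None


def radius_ping(server, source, username, password, secret=DEFAULT_SECRET,
                port=DEFAULT_PORT, timeout=2.0, retries=3):
    """Send from the source interface address and wait, retrying as -t and -r describe;
    replies that fail verification are dropped rather than trusted."""
    ident = os.urandom(1)[0]
    packet, auth = build_access_request(username, password, secret, ident)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((source, 0))
        sock.settimeout(timeout)
        for _ in range(retries):
            sock.sendto(packet, (server, port))
            try:
                reply, _ = sock.recvfrom(4096)
            except socket.timeout:
                continue
            code = verify_response(reply, auth, secret, ident)
            if code == ACCESS_ACCEPT:
                return "accept"
            if code == ACCESS_REJECT:
                return "reject"
    return "no response from RADIUS server"
```

Calling radius_ping("10.10.0.5", "10.10.13.101", "jsmith", "johnsm") reproduces the CLI example above from a host that owns the source address.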
rcinfo command
WG#debug<ENTER>
WG(debug)#rcinfo

Effect
Shows debug information about the RapidCore chip in your appliance. This is used for troubleshooting purposes, with WatchGuard technical support.

Example
WG#debug<ENTER>
WG(debug)#rcinfo<ENTER>

reboot command
WG#debug<ENTER>
WG(debug)#reboot

Effect
Reboots the appliance.

Example
WG(debug)#reboot<ENTER>

rs_kdiag command
WG#debug<ENTER>
WG(debug)#rs_kdiag

Effect
This command displays internal diagnostics information.

Arguments
None
set_dos_if command
WG#debug<ENTER>
WG(debug)#set_dos_if [show | set <xyzv> | set_default | -h | -? ]
show Show the current settings.
set xyzv Set DOS protection on interfaces. x,y,z,v must be 0 or 1. x is for interface 0, y for interface 1, z for interface 2, and v for interface 3.
set_default Restore the setting to the factory default value.

Effect
This sets denial of service (DOS) protection on individual interfaces. The default settings are 0000000f.

Example
WG#debug<ENTER>
WG(debug)#set_dos_if set 0011<ENTER>

slink command
WG#debug<ENTER>
WG(debug)# slink [ [-s] <Port> <Mode>] [show]
-s : save configuration only
Port: eth0, eth1, eth2, eth3
Mode:
auto = Auto negotiate
1000A = 1000BaseFX, AutoNegotiation enabled
1000H = 1000BaseFX, AutoNegotiation disabled
100F = 100BaseT, Full-duplex mode
100H = 100BaseT, Half-duplex mode
10F = 10BaseT, Full-duplex mode
10H = 10BaseT, Half-duplex mode
show: current setting

Effect
This command sets the physical speed of a specific accelerated data interface.

Arguments
eth0, eth1, eth2, eth3 Indicates the interface to be changed.
mode One of the link modes listed in the usage above (auto, 1000A, 1000H, 100F, 100H, 10F, 10H).
show Displays the current setting.

Example
WG#debug<ENTER>
WG(debug)# slink eth1 10H<ENTER>
This sets interface 1 (public) to 10BaseT, Half-duplex mode.
tcpdump command
WG#debug<ENTER>
WG(debug)#tcpdump

Effect
Dumps all traffic on a network. Tcpdump captures all packets detected by the network interfaces of the appliance where “tcpdump” is executed. This command may be used to track specific packets.

Arguments
None

Example
WG(debug)#tcpdump<ENTER>

traceroute command
WG#debug<ENTER>
WG(debug)#traceroute <target_IP>

Effect
Displays the complete route information to the target device. This command utilizes the IP protocol “time to live” field and solicits an ICMP TIME_EXCEEDED response from each gateway along the path to the target device. You can use this command to troubleshoot network routing and connectivity.

Arguments
Be sure to type the IP address of the target device, as shown in the example below.

Example
WG(debug)#traceroute 207.188.12.3<ENTER>

verbose_trace command
WG#debug<ENTER>
WG(debug)# verbose_trace [ on | off ]

Effect
This command enables/disables verbose tracing in the traffic log. If it is enabled, every firewall-dropped packet will be shown in the traffic log. All DNS packets will also be shown in the traffic log.

NOTE
If this feature is enabled, there will be an impact on overall system performance due to heavy logging activity.
vinstall command
WG#debug<ENTER>
WG(debug)# vinstall <ftp_server> <ftp_username> <ftp_password> <"path_filename">
## This feature allows downgrade from 5.0 to 3.2 or 4.0
## e.g. vinstall 10.10.10.10 my_username my_password "path/encrypted_fbv.tgz"
## For V10, use non-encrypted file. For others, use encrypted file.

Effect
This allows you to downgrade to an earlier software version, from 5.0 to 4.0 or from 5.0 to 3.2.

NOTE
This feature is not supported in software versions earlier than 5.0.

Example
WG#debug<ENTER>
WG(debug)# vinstall 10.10.0.98 ftpadmin ftppass /upload/downgrade/encrypted.tgz<ENTER>
CHAPTER 5 Other Commands
This chapter describes commands that do not belong to one of the three main command modes (Administration, Configuration, and Debug).
No command
The no command is used before another command or argument to turn off or disable the specified feature.
Rename command
The rename command is used to rename objects.
Show command

As a way of viewing lists and details of a WatchGuard appliance’s configuration, the Show command (and its arguments) provides an adaptable means of cataloging such things as address groups, IPSec actions or RAS user profiles. Once you determine what’s listed, you can then adapt the Show command to view the “contents” of a specifically named item, including the settings or configuration entries that comprise that item.

Show command general usage
WG#show<ENTER>

Effect
If you type “show” at the top-level CLI prompt, the WatchGuard CLI will display a complete list of “show” arguments (listed above in “Contents”), that enable you to list almost every kind of object in the WatchGuard database, from address groups to VLAN objects.

Arguments
None.

The current range of Show commands includes the following:
Command For more information
address See “Show address command” on page 145.
alarm See “Show alarm command” on page 146.
all_routes See “Show all_routes command” on page 147.
certificate See “Show certificate command” on page 147.
cpm See “Show CPM command” on page 148.
denial_of_service See “Show denial_of_service command” on page 148.
diagnostics See “Show diagnostics command” on page 148.
dns See “Show DNS command” on page 148.
ike See “Show IKE command” on page 149.
interface See “Show interface command” on page 150.
ipsec See “Show IPSec command” on page 150.
ldap See “Show LDAP command” on page 151.
license See “Show license command” on page 151.
log See “Show log command” on page 152.
mode See “Show mode command” on page 152.
nat See “Show NAT command” on page 153.
ntp See “Show NTP command” on page 153.
policy See “Show policy command” on page 154.
qos See “Show QoS command” on page 154.
ras See “Show RAS command” on page 155.
route See “Show route command” on page 156.
sa See “Show SA command” on page 156.
service See “Show service command” on page 157.
statistics See “Show statistics command” on page 158.
sysinfo See “Show sysinfo command” on page 158.
sysupgrade See “Show sysupgrade command” on page 159.
trace See “Show trace command” on page 159.
tunnel_switch See “Show tunnel_switch command” on page 159.
version See “Show version command” on page 160.

Show address command

Display current address groups
WG#show address<ENTER>

Effect
Displays the current catalog of address groups stored in this WatchGuard Firebox Vclass security appliance.

Arguments
None.
Display contents of address group
WG#show address <"group_name"><ENTER>

Effect
Displays the current contents of a specifically named address group.

Arguments
<"group_name"> This argument notes the address group name.

Example
WG#show address exec_staff<ENTER>

Show alarm command
WG#show alarm [definition|log [more|follow]]<ENTER>

Effect
Displays a summary of current outstanding alarms.

Arguments
definition This displays a list of alarm definitions, and whether they are enabled.
log more This displays the log of all alarms that have been triggered in the past (since the log was last cleared), 20 lines at a time.
log follow This displays the last 5 lines of the alarm log, and updates if more alarms get generated.

Example
WG#show alarm log more<ENTER>
Show all_routes command
WG#show all_routes<ENTER>

Effect
Displays a summary of the routes, static and dynamic, recorded in this WatchGuard appliance.

Arguments
None.

Example
WG#show all_routes<ENTER>

Show certificate command
WG#show certificate<ENTER>

Effect
Displays the complete collection of certificates, including pending requests, root certificates and system certificates.

Examples
WG#show certificate<ENTER>

Display certificate settings
WG#show certificate [ca|sys|pending|"cert_id"]<ENTER>

Effect
Displays the settings of a certificate according to the specific identifying characteristic.

Arguments
<ca|sys|pending> This argument specifies the type of certificates you want to review, whether root, system or pending.
<"cert_id"> This argument notes an actual ID number from a certificate, whether root, system or pending.

Examples
WG#show certificate pending<ENTER>
WG#show certificate 19478<ENTER>

Show CPM command
WG#show cpm<ENTER>

Effect
Shows whether CPM is enabled or disabled, and general CPM information.

Arguments
None.

Examples
WG#show cpm<ENTER>

Show denial_of_service command
WG#show denial_of_service<ENTER>

Effect
Displays the DOS and DDOS configurations currently active in this appliance.

Arguments
None.

Show diagnostics command
WG#show diagnostics<ENTER>

Effect
Shows some diagnostic information for the appliance.

Arguments
None.

Examples
WG#show diagnostics<ENTER>

Show DNS command
WG#show dns<ENTER>

Effect
Displays any DNS configurations.

Arguments
None

Show IKE command
WG#show ike <action | policy><ENTER>

Effect
Displays the current catalog of IKE policies or actions, depending upon your choice of argument.

Arguments
<action|policy> This argument allows you to specify whether the actions or policies are listed.

Examples
WG#show ike action<ENTER>

Display IKE policy parameters
WG#show ike <action|policy> <"name"><ENTER>

Effect
Displays the parameters of a specifically named IKE policy or action.

Arguments
action <"name"> This argument will display the contents of the named action.
policy <"name"> This argument will display the contents of the named policy.

Examples
WG#show ike action basic<ENTER>
WG#show ike policy secure_VPN<ENTER>
Show interface command
WG#show interface<ENTER>

Effect
Displays a detailed summary of all data interfaces in this WatchGuard appliance.

Arguments
None

Example
WG#show interface<ENTER>

Show IPSec command
WG#show ipsec <action|proposal><ENTER>

Effect
Displays the current catalog of IPSec proposals or actions, depending upon the argument.

Arguments
<action|proposal> This argument specifies the type of IPSec component, action or proposal, that you want to review.

Examples
WG#show ipsec proposal<ENTER>

Display an IPSec proposal or action
WG#show ipsec <action|proposal> <"item_name"><ENTER>

Effect
Displays the contents of a specifically named IPSec proposal or action. Type the action or proposal name after the "ipsec" command to view the specific settings.

Arguments
<action|proposal> This argument specifies the type of IPSec component, action or proposal, that you want to review.
<"name"> After entering the “action” or “proposal” argument, enter this value, which indicates the actual name of a specific proposal or action that you want to review in detail.

Examples
WG#show ipsec proposal md5_sha<ENTER>
WG#show ipsec action most_secure<ENTER>

Show LDAP command
WG#show ldap<ENTER>

Effect
Displays any current LDAP server connection settings.

Arguments
None

Show license command
WG#show license [license_id]<ENTER>

Effect
Displays the current license file information. You can copy the license ID shown with this command, and paste it after the show license command to see more details about a particular license.

Arguments
None

Example (show license without a license number)
WG#show license<ENTER>
Ord License Name License ID Expiration Date
1 DATE_11-6-2002_10:5 64DFC18A261A4771 04-02-2003
Example (show license with a license number)
WG#show license 64DFC18A261A4771<ENTER>
License Name: DATE_11-6-2002_10:51
License ID: 64DFC18A261A4771
Feature(s): UPGRADE 3DES
Expiration Date: 04-02-2003

Show log command
WG#show log <config|alarm|event|traffic|ras_user|p1_sa|p2_sa> [more]<ENTER>

Effect
Displays the last 25 entries in a designated log file. If you enter “config” as the argument, the CLI will display the configuration settings for all logs.

Arguments
<config> This argument will display the current configurations for server, traffic and event logs.
<alarm|event|traffic|ras_user|p1_sa|p2_sa> Enter one of these six log types in this argument. If you do not type a log type, the CLI will simply list the types of log files you can view.
[more] This argument displays the complete contents of a specified log, one page at a time.

Example
WG#show log traffic<ENTER>

Show mode command
WG#show mode<ENTER>
Effect
Displays whether the system is running in Router or Transparent Mode.

Arguments
None

Example
WG#show mode<ENTER>

Show NAT command
WG#show nat<ENTER>

Effect
Lists any current NAT actions stored in this appliance database.

Arguments
None

Display NAT action configuration
WG#show nat <"name"><ENTER>

Effect
Displays the configuration of a specifically named NAT action.

Arguments
<"name"> This argument represents the exact name of the NAT action you want to review.

Example
WG#show nat static_NAT1<ENTER>

Show NTP command
WG#show ntp<ENTER>

Effect
Displays the Network Time Protocol configuration.
Arguments
None.

Example
WG#show ntp<ENTER>

Show policy command
WG#show policy <"policy_name"><ENTER>

Effect
Displays the parameters/settings for a specifically named security policy.

Arguments
<"name_text"> This argument notes the exact name of the security policy you want to review.

Example
WG#show policy SJO-NYC_VPN<ENTER>

List active security policies
WG#show policy<ENTER>

Effect
Lists all active security policies stored in this WatchGuard appliance.

Arguments
None

Example
WG#show policy<ENTER>

Show QoS command
WG#show qos <system|action><ENTER>

Effect
Displays (1) the current system QoS configuration, or (2) a list of currently available QoS actions, depending upon your argument entry.
Arguments
<system|action> This argument represents your preference: to review the current system QoS setting or the list of available QoS actions.

Example
WG#show qos system<ENTER>

Show QoS action configuration
WG#show qos action <"name"><ENTER>

Effect
Displays the configuration of a specified QoS action.

Arguments
<"name"> This argument indicates, by exact name, the QoS action you want to review.

Example
WG#show qos action slow_to_55<ENTER>

Show RAS command
WG#show ras <group_profile|user_profile|database><ENTER>

Effect
Displays a complete listing of the specified RAS component: group profiles, user profiles or database configuration.

Arguments
<group_profile|user_profile|database> This argument represents your preference: to review a list of group profiles, a list of user profiles or the database settings.

Example
WG#show ras database<ENTER>
Display specific RAS contents
WG#show ras <group_profile|user_profile> <"name"><ENTER>

Effect
Displays the contents of the specifically named RAS component, a user profile or group profile.

Arguments
<group_profile|user_profile> This argument notes either group profile or user profile.
<"name"> This argument records the name of the designated object that you want to review.

Example
WG#show ras user_profile sales12<ENTER>

Show route command
WG#show route<ENTER>

Effect
Displays a list of active routes.

Arguments
None

Example
WG#show route<ENTER>

Show SA command
WG#show sa <p1|p2> [id]<ENTER>

Effect
Lists current phase one or phase two SA information, in some detail. If you add the “ID” of a specific phase-one SA or phase-two tunnel, the CLI will display details of the requested item.
Arguments
<p1|p2> This argument specifies your choice of a list of phase-one SAs or a list of phase-two tunnels. Either list provides a complete catalog of the requested item, in a table that includes considerable details about each item.
[id] This argument (when used with p1) will display a summary of the identified SA. When used with p2, this argument will display a summary of the requested tunnel activities.

Example
WG#show sa p2 209<ENTER>

Show service command

List all service groups
WG#show service<ENTER>

Effect
Displays a complete list of all service groups.

Arguments
None

Example
WG#show service<ENTER>

Display service group settings
WG#show service <"name"><ENTER>

Effect
Displays the settings for a named service group, including port numbers and any associated protocols.
Arguments
<"name"> This argument represents the exact name of the service group you want to review in detail.

Example
WG#show service e-mail<ENTER>

Show SNMP command
WG#show snmp<ENTER>

Effect
Displays the SNMP settings for the appliance.

Arguments
None.

Example
WG#show snmp<ENTER>

Show statistics command
WG#show statistics<ENTER>
show statistics ras [user_ID]
show statistics p1sa [ID]
show statistics p2sa [ID]

Effect
Displays statistics for RAS or phase 1 or phase 2 SA.

Arguments
None.

Example
WG#show statistics ras ras_user<ENTER>

Show sysinfo command
WG#show sysinfo<ENTER>
Effect
Displays the basic "general" system configurations, including appliance name, location, and contact person's name.

Arguments
None

Example
WG#show sysinfo<ENTER>

Show sysupgrade command
WG#show sysupgrade<ENTER>

Effect
Displays a chronological record of recent system software upgrades (including version number and date) installed in this WatchGuard appliance.

Arguments
None

Example
WG#show sysupgrade<ENTER>

Show trace command

Show tunnel_switch command
WG#show tunnel_switch<ENTER>

Effect
Displays the status of tunnel switching hardware features in this appliance, OFF or ON.

Arguments
None

Example
WG#show tunnel_switch<ENTER>
Show version command
WG#show version<ENTER>

Effect
Displays the version number of WatchGuard operating software.

Arguments
None

Example
WG#show version<ENTER>
Index

A
abbreviations 8
abort system configuration changes 43
accelerated data interface, set physical speed of 139
adding settings and policies 10
address group modification 43
address group, display specific 146
address groups, display all 145
administration mode commands 15, 27
appliance maintenance commands 22
apply changes 22
apply changes to interface configuration 95
apply recent configuration changes 45
argument entry syntax 9
argument options by command, list of 17
ARP cache, display 129
ARP cache, manipulate 129
available commands 17
available tasks 2

B
\ character, use of 9

C
case sensitivity of object strings 9
certificate configuration mode, entry into 45
certificate settings, display specific 147
certificate, import VPN 69
certificate, request VPN 67
certificate, show properties 70
certificates, display all 147
change system mode 94
CLI by command
  administration mode
    downgrade 29
    enable 108
    export 30
    flush 31
    ha_sync 31
    passwd 36
    reboot 37
    restore_default 38
    shutdown 38
  all mode commands
    exit 14
    history 14
    top 15
  configuration, level 1
    abort 43
    address 43
    certificate 45
    commit 45
    delete 45
    denial_of_service 46
    high_availability 47
    high_availability (disable) 48
    history 66
    ike 48
    interface 49
    ipsec 49
    license 49
    nat 54
    nat (dynamic action) 56
    policy 57
    qos 60
    ras 61
    rename 61
    schedule 62
    service 63
    system 64
    tenant 65
    tunnel_switch 65
  configuration, level 2
    action (ike) 78
    action (IPSec) 95
    action (QoS) 100
    active_feature (license) 117
    database (RAS) 105
    delete (license) 118
    dns (system) 108
    enable (high_availability) 74
    exit (high_availability) 76
    exit (interface) 95
    fwuser (system - idle_timeout) 109
    group_profile (RAS) 102
    ha2 (interface) 93
    import 69
    import (license) 117
    interface 82
    interface (system) 110
    interface 0 (interface) 83
    interface 1 (interface) 86
    interface 2 (interface) 90
    ldap (system) 110
    log (system) 111
    mode 94
    policy (ike) 80
    private (interface) 85
    proposal (IPSec) 99
    request 67
    route (system) 113
    show 70
    show (high_availability) 72
    show (interface) 82
    show (license) 118
    snmp (system) 114
    ssl 71
    sysinfo (system) 115
    system (QoS enable/disable) 101
    user_domain (tenant) 120
    user_profile (RAS) 103
    vlan (tenant) 119
    vlan_fowarding (system) 116
  configuration, level 3
    dynamic (system\route) 123
    event (system\log) 124
    remote_log_server (system\log) 125
    static (system\route) 122
    traffic (system\log) 124
  display arguments
    show 145
    show address 145
    show address <group_name> 146
    show all_routes 147
    show cert 147
    show cert (by ID) 147
    show denial_of_service 148
    show dns 148
    show ike 149
    show ike (by name) 149
    show interface 150
    show ipsec 150
    show ldap 151
    show log 152
    show mode 152
    show nat 153
    show nat (by name) 153
    show policy 154
    show policy (by name) 154
    show qos 154
    show qos (by name) 155
    show ras 155
    show ras (by name) 156
    show route 156
    show sa 156
    show service 157
    show service (by name) 157
    show sysinfo 158
    show sysupgrade 159
    show tunnel_switch 159
    show version 160
  troubleshooting
    arp 129
    clear_logs 129
    netstat 134
    ping 134
    radius_ping 135
    rs_kdiag 138
    slink 139
    tcpdump 140
    traceroute 140
    verbose_trace 141
CLI capabilities 2
CLI commands
  administration mode
    disable 108
CLI editing
  appending to recent command 11
  argument syntax 9
  use of \ character 9
  case sensitivity 9
  case sensitivity in object strings 9
  command abbreviation 8
  command prompt 8
  delete 10
  exchanging command arguments in recent command 12
  grouping parameters 10
  help command 17
  keywords 15
  line continuation 9
CLI navigation 13
command history 11
command prompt, navigation with 8
Common Criteria operation mode 35
configuration, initial 20
conn_idle_timeout 130
connection to a workstation, direct 5
connection to workstation, through network 5
conventions 3–5, 25–27
currently available commands 17

D
data interfaces, display address settings 82
data interfaces, show detailed summary of 150
DDOS See denial of service
DDOS configurations, show 148
debug information not exported to xml 127
debugging commands 127–141
delete license 118
delete specific configuration changes 45
deleting items in database 22
deleting text 10
denial of service parameter configuration 46
DHCP server configuration options 85
disable 108
disable keyword 15
disable port shaping 101
disable tunnel switching 65
display commands 144
display interface addresses See data interfaces
DMZ See interface 2
DNS configurations, show 148
domain name, system level entry 108
DOS See denial of service
DOS configurations, show 148
downgrade 29
dump network traffic 140
dynamic route, configure 123

E
enable 108
enable keyword 15
enable port shaping 101
enable tunnel switching 65
erase system configuration changes 43
event log configuration 124
exchanging command arguments in recent command 12
!!<command argument> for appending to most recent command 11
!! recall command 11
!number to recall recent command by number 11
existing appliance, log in 7
export 30
export cr/xml/log/ip 30
extra features active, licensed 117

F
factory default appliance, logging in 6
factory default restoration 38
FIPS operation mode 35
firewall authentication screens, replacing 132

H
HA 2 interface configuration 93
HA configuration 47
HA configuration, display 72
HA enable 74
HA, apply configuration changes 76
HA, disabling 48
ha_instant_sync 130
ha_sync 31
help 17
help online 17
high availability See HA
high availability configuration, level 2 72–76
history 14, 66
history buffer 11
history buffer, size of 11
history command 11
hotsync process, initiate 31

I
ICMP ECHO_REQUEST, send 134
idle_timeout, changing firewall user 109
IKE action, record 78
IKE configuration 48
IKE configuration, level 2 commands 78–82
IKE policies, display all 149
IKE policy or action, show parameters of 149
IKE policy, record 80
import, XML profile 33
import license 117
import VPN certificate 69
importscreen 132
initial configuration commands 20
interface 0 configuration 83
interface 1 configuration 86
interface 2 configuration 90
interface address settings, display 82
interface configuration entry 110
interface configuration, enter 82
interface configuration, level 2 commands 82–95
interfaces, show detailed summary of 150
internal diagnostics, display 138
IP addresses, system level entry 108
IPSec action, recording 95
IPSec configuration 49
IPSec configuration, level 2 commands 95–100
IPSec proposal or action, show details of specific 150
IPSec proposal, create or modify 99
IPSec proposals or actions, show catalog of 150

K
keywords
  disable 15
  enable 15
  no 15

L
LDAP server connection settings, show 151
LDAP server, activate connection 110
LDAP server, deactivate connection 110
Level 1 configuration mode 41
Level 2 configuration mode 66–122
Level 3 configuration mode 122–126
license commands, level 2 commands 117–119
license configuration 49
license, delete 118
license, import new 117
license, summarize a 118
licensed features, active 117
licenses available, list 118
limitations 3
line continuation 9
line continuation character 9
log configuration 111
log configuration, level 3 commands 124–126
log entries, clear 129
log file, show last 25 entries of specific 152
log into existing appliance 7
log into factory default appliance 6
log out 18

M
maintenance commands 22
MSS 59, 112
mss_adjustment 112
mss_adjustment_per_policy 59

N
NAT action, record 54
NAT action, show configuration of specific 153
NAT actions, list current 153
NAT, dynamic IP 56
network address translation See NAT
network status, view 134
no keyword 15

O
object strings, case sensitivity of 9
online help 24
operation modes 35
operation_mode command 35

P
passwd 36
password, reset super user 36
ping a device 134
+ character, use of 10
pppoe_config 135
Private interface See interface 0
profile, import XML 33
Public See interface 1

Q
QoS action, record new 100
QoS actions, show current available 154
QoS configuration entry 60
QoS configuration, level 2 commands 100–101
QoS configuration, show all current system 154
QoS configuration, show specific 155
Quality of Service See QoS
? command 17

R
RADIUS server, test connections to security appliance 135
RAS account, create or modify 103
RAS authentication database, where stored 105
RAS configuration mode 61
RAS configuration, level 2 commands 102–106
RAS group profile, modify or create 102
RAS, show complete listing of 155
RAS, show specific RAS component 156
reboot 37
recall most recent command 11
recalling a recent command, not most recent 11
recent commands list 14, 66
reload old software 29
remote log server connection, configure 125
rename an existing object 61
replace firewall authentication screens 132
replacing settings and policies 10
request VPN certificate 67
reset connections 31
reset Vclass appliance 37
return to next highest level 14
return to top command level 15
route configuration entry 113
route configuration, level 3 commands 122
route information, display of 140
routes, list all active 156
routes, summarize all dynamic and static 147

S
SA information, show current phase 1 or 2 156
schedule a policy 62
security policies, show active 154
security policy commands 21
security policy, create 57
security policy, show parameters of specific 154
service entry (individual or group), new 63
service group, show specific 157
service groups, show all 157
set_dos_if 139
show arguments, list 145
show certificate properties 70
show stored arguments 16
show stored command entries 16
show commands 144
shut down WatchGuard appliance 38
SNMP workstations, record connection data for 114
software version number, display 160
SSL certificate request 71
static route configuration 122
system configuration mode 64
system configuration, level 2 commands 107–116
system configuration, show general 158
system information, apply to security appliance 115
system interface configuration 49
system interface configuration, enter 82
system mode, display 152
system software upgrades, show recent 159

T
tasks available 2
tasks not available 3
TCP Maximum Segment Size (MSS) 59, 112
tenant configuration mode entry 65
tenant configuration, level 2 commands 119–122
tenant entry, record 119
text deletion 10
top command 14
traffic log file, activate 124
traffic log file, deactivate 124
troubleshooting commands 127–141
tunnel switching, show hardware status 159

U
unavailable tasks 3

V
verbose trace, disable 141
verbose trace, enable 141
view currently available commands 17
vinstall 141
VLAN forwarding, disable 116
VLAN forwarding, enable 116
VLAN specific tenant entry, record 120
VLAN tenant entry, record new 119

W
Web certificate See SSL certificate

X
xml export, debugging information not exported 127
XML profile, import 33