WatchGuard®

Command Line Interface User Guide

WatchGuard Firebox Vclass 5.1


Copyright

Copyright © 1998-2003 WatchGuard Technologies, Inc. All rights reserved.

Notice to Users

Information in this document is subject to change and revision without notice. This documentation and the software described herein is subject to and may only be used and copied as outlined in the Firebox System software end-user license agreement. No part of this manual may be reproduced by any means, electronic or mechanical, for any purpose other than the purchaser’s personal use, without prior written permission from WatchGuard Technologies, Inc.

TRADEMARK NOTES

WatchGuard and LiveSecurity are either trademarks or registered trademarks of WatchGuard Technologies, Inc. in the United States and other countries. Firebox, ServerLock, DVCP, and Designing peace of mind are trademarks of WatchGuard Technologies, Inc. All other trademarks or trade names mentioned herein, if any, are the property of their respective owners.

Part No: 1200016

ii WatchGuard Vclass 5.1


WatchGuard Technologies, Inc.

Firebox System Software End-User License Agreement

WatchGuard Firebox System (WFS) End-User License Agreement

IMPORTANT — READ CAREFULLY BEFORE ACCESSING WATCHGUARD SOFTWARE:

This WFS End-User License Agreement (“AGREEMENT”) is a legal agreement between you (either an individual or a single entity) and WatchGuard Technologies, Inc. (“WATCHGUARD”) for the WATCHGUARD WFS software product identified above, which includes computer software and may include associated media, printed materials, and on-line or electronic documentation (“SOFTWARE PRODUCT”). WATCHGUARD is willing to license the SOFTWARE PRODUCT to you only on the condition that you accept all of the terms contained in this Agreement. Please read this Agreement carefully. By installing or using the SOFTWARE PRODUCT you agree to be bound by the terms of this Agreement. If you do not agree to the terms of this AGREEMENT, WATCHGUARD will not license the SOFTWARE PRODUCT to you, and you will not have any rights in the SOFTWARE PRODUCT. In that case, promptly return the SOFTWARE PRODUCT, along with proof of payment, to the authorized dealer from whom you obtained the SOFTWARE PRODUCT for a full refund of the price you paid.

1. Ownership and License. The SOFTWARE PRODUCT is protected by copyright laws and international copyright treaties, as well as other intellectual property laws and treaties. This is a license agreement and NOT an agreement for sale. All title and copyrights in and to the SOFTWARE PRODUCT (including but not limited to any images, photographs, animations, video, audio, music, text, and applets incorporated into the SOFTWARE PRODUCT), the accompanying printed materials, and any copies of the SOFTWARE PRODUCT are owned by WATCHGUARD or its suppliers. Your rights to use the SOFTWARE PRODUCT are as specified in this AGREEMENT, and WATCHGUARD retains all rights not expressly granted to you in this AGREEMENT. Nothing in this AGREEMENT constitutes a waiver of our rights under U.S. copyright law or any other law or treaty.

2. Permitted Uses. You are granted the following rights to the SOFTWARE PRODUCT: (A) You may install and use the SOFTWARE PRODUCT on any single computer at any single location. If you wish to use the SOFTWARE PRODUCT on a different computer, you must erase the SOFTWARE PRODUCT from the first computer on which you installed it before you install it onto a second. (B) To use the SOFTWARE PRODUCT on more than one computer at once, you must license an additional copy of the SOFTWARE PRODUCT for each additional computer on which you want to use it. (C) You may make a single copy of the SOFTWARE PRODUCT for backup or archival purposes only.

3. Prohibited Uses. You may not, without express written permission from WATCHGUARD: (A) Use, copy, modify, merge or transfer copies of the SOFTWARE PRODUCT or printed materials except as provided in this AGREEMENT; (B) Use any backup or archival copy of the SOFTWARE PRODUCT (or allow someone else to use such a copy) for any purpose other than to replace the original copy in the event it is destroyed or becomes defective; (C) Sublicense, lend, lease or rent the SOFTWARE PRODUCT; (D) Transfer this license to another party unless (i) the transfer is permanent, (ii) the third party recipient agrees to the terms of this AGREEMENT, and (iii) you do not retain any copies of the SOFTWARE PRODUCT; or (E) Reverse engineer, disassemble or decompile the SOFTWARE PRODUCT.


4. Limited Warranty. WATCHGUARD makes the following limited warranties for a period of ninety (90) days from the date you obtained the SOFTWARE PRODUCT from WatchGuard Technologies or an authorized dealer: (A) Media. The disks and documentation will be free from defects in materials and workmanship under normal use. If the disks or documentation fail to conform to this warranty, you may, as your sole and exclusive remedy, obtain a replacement free of charge if you return the defective disk or documentation to us with a dated proof of purchase. (B) SOFTWARE PRODUCT. The SOFTWARE PRODUCT will materially conform to the documentation that accompanies it. If the SOFTWARE PRODUCT fails to operate in accordance with this warranty, you may, as your sole and exclusive remedy, return all of the SOFTWARE PRODUCT and the documentation to the authorized dealer from whom you obtained it, along with a dated proof of purchase, specifying the problems, and they will provide you with a new version of the SOFTWARE PRODUCT or a full refund, at their election.

Disclaimer and Release. THE WARRANTIES, OBLIGATIONS AND LIABILITIES OF WATCHGUARD, AND YOUR REMEDIES, SET FORTH IN PARAGRAPHS 4, 4(A) AND 4(B) ABOVE ARE EXCLUSIVE AND IN SUBSTITUTION FOR, AND YOU HEREBY WAIVE, DISCLAIM AND RELEASE ANY AND ALL OTHER WARRANTIES, OBLIGATIONS AND LIABILITIES OF WATCHGUARD AND ALL OTHER RIGHTS, CLAIMS AND REMEDIES YOU MAY HAVE AGAINST WATCHGUARD, EXPRESS OR IMPLIED, ARISING BY LAW OR OTHERWISE, WITH RESPECT TO ANY NONCONFORMANCE OR DEFECT IN THE SOFTWARE PRODUCT (INCLUDING, BUT NOT LIMITED TO, ANY IMPLIED WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, ANY IMPLIED WARRANTY ARISING FROM COURSE OF PERFORMANCE, COURSE OF DEALING, OR USAGE OF TRADE, ANY WARRANTY OF NONINFRINGEMENT, ANY WARRANTY THAT THIS SOFTWARE PRODUCT WILL MEET YOUR REQUIREMENTS, ANY WARRANTY OF UNINTERRUPTED OR ERROR-FREE OPERATION, ANY OBLIGATION, LIABILITY, RIGHT, CLAIM OR REMEDY IN TORT, WHETHER OR NOT ARISING FROM THE NEGLIGENCE (WHETHER ACTIVE, PASSIVE OR IMPUTED) OR FAULT OF WATCHGUARD AND ANY OBLIGATION, LIABILITY, RIGHT, CLAIM OR REMEDY FOR LOSS OR DAMAGE TO, OR CAUSED BY OR CONTRIBUTED TO BY, THE SOFTWARE PRODUCT).

Limitation of Liability. WATCHGUARD’s liability (whether in contract, tort, or otherwise; and notwithstanding any fault, negligence, strict liability or product liability) with regard to THE SOFTWARE Product will in no event exceed the purchase price paid by you for such Product. IN NO EVENT WILL WATCHGUARD BE LIABLE TO YOU OR ANY THIRD PARTY, WHETHER ARISING IN CONTRACT (INCLUDING WARRANTY), TORT (INCLUDING ACTIVE, PASSIVE OR IMPUTED NEGLIGENCE AND STRICT LIABILITY AND FAULT), FOR ANY INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES (INCLUDING WITHOUT LIMITATION LOSS OF BUSINESS PROFITS, BUSINESS INTERRUPTION, OR LOSS OF BUSINESS INFORMATION) ARISING OUT OF OR IN CONNECTION WITH THIS WARRANTY OR THE USE OF OR INABILITY TO USE THE SOFTWARE PRODUCT, EVEN IF WATCHGUARD HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

5. United States Government Restricted Rights. The enclosed SOFTWARE PRODUCT and documentation are provided with Restricted Rights. Use, duplication or disclosure by the U.S. Government or any agency or instrumentality thereof is subject to restrictions as set forth in subdivision (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013, or in subdivision (c)(1) and (2) of the Commercial Computer Software -- Restricted Rights Clause at 48 C.F.R. 52.227-19, as applicable. Manufacturer is WatchGuard Technologies, Incorporated, 505 Fifth Avenue, Suite 500, Seattle, WA 98104.


6. Export Controls. You agree not to directly or indirectly transfer the SOFTWARE PRODUCT or documentation to any country to which such transfer would be prohibited by the U.S. Export Administration Act and the regulations issued thereunder.

7. Termination. This license and your right to use the SOFTWARE PRODUCT will automatically terminate if you fail to comply with any provisions of this AGREEMENT, destroy all copies of the SOFTWARE PRODUCT in your possession, or voluntarily return the SOFTWARE PRODUCT to WATCHGUARD. Upon termination you will destroy all copies of the SOFTWARE PRODUCT and documentation remaining in your control or possession.

8. Miscellaneous Provisions. This AGREEMENT will be governed by and construed in accordance with the substantive laws of Washington excluding the 1980 United National Convention on Contracts for the International Sale of Goods, as amended. This is the entire AGREEMENT between us relating to the contents of this package, and supersedes any prior purchase order, communications, advertising or representations concerning the contents of this package AND BY USING THE SOFTWARE PRODUCT YOU AGREE TO THESE TERMS. No change or modification of this AGREEMENT will be valid unless it is in writing, and is signed by WATCHGUARD.

9. Canadian Transactions: If you obtained this SOFTWARE PRODUCT in Canada, you agree to the following: The parties hereto have expressly required that the present AGREEMENT and its Exhibits be drawn up in the English language. / Les parties aux presentes ont expressement exige que la presente conventions et ses Annexes soient redigees en la langue anglaise.


Contents

Contents  ix

CHAPTER 1 Using the Command Line Interface  1
  Introducing the WatchGuard CLI  1
    CLI capabilities  2
    CLI limitations  3
    CLI Guide text conventions  3
  Getting started with the WatchGuard CLI  5
    Connecting to an appliance  5
    Logging into an appliance via a console connection  6
    Logging into an existing appliance via a network connection  7
    Understanding the command prompt  8
    Abbreviating commands and keywords  8
    Case sensitivity  9
    Extending command lines  9
    Typing arguments in a command  9
    Deleting text in the Command Line Interface  10
    Using the CLI to add to or replace existing settings and policies  10
    Grouping parameters in a command  10
    Reviewing the recently used commands  11
  Navigating through the CLI  13
    Common Navigation commands  14
    Using keywords  15
    Show command/argument (“name”) usage  16
    Viewing context-sensitive online help  17
    Logging out of the appliance  18
  Installing and configuring a WatchGuard appliance  19
    To log into a WatchGuard appliance for the first time  19
    To assign network addresses to appliance interfaces  20
    To complete system configuration  20
    To create and apply security policies  21
    To remove/delete items from a WatchGuard database  22
    To save and apply your most recent changes  22
    To maintain an appliance  22
    To troubleshoot an appliance  22
    To restore an appliance to the factory-default state  23
    To review the most recent tasks (at any level)  23
    To get on-line help while working  24

CHAPTER 2 Administration Mode Commands  25
  Command syntax conventions used in this guide  25
  Administration mode commands  27
    account command  28
    downgrade command  29
    export command  30
    flush command  31
    ha_sync command  31
    import command  32
    operation_mode command  35
    passwd command  36
    reboot command  37
    restore default command  38
    shutdown command  38
    upgrade command  39

CHAPTER 3 Configuration Mode Commands  41
  Top-level configuration mode commands  41
    abort command  43
    address command  43
    certificate command  45
    commit command  45
    delete command  45
    denial_of_service command  46
    high_availability commands  47
    ike command  48
    interface command  49
    ipsec command  49
    license command  49
    log command  50
    nat command  54
    no command  56
    policy command  57
    qos command  60
    ras command  61
    rename command  61
    schedule command  62
    service command  63
    system command  64
    trace command  64
    tenant command  65
    tunnel_switch command  65
    history command  66
  Second level configuration mode commands  66
    Level 2 certificate configuration commands  67
    Level 2 High Availability configuration commands  72
    Level 2 IKE configuration commands  78
    Level 2 interface configuration commands  82
    Level 2 IPSec configuration commands  95
    Level 2 Quality of Service (QoS) configuration commands  100
    Level 2 Remote Access Service (RAS) configuration commands  102
    Level 2 System Configuration commands  107
    Level 2 license commands (for upgraded or additional features)  117
    Level 2 tenant configuration commands  119
  Level 3 configuration mode commands  122
    Level 3 route configuration commands  122
    Level 3 log configuration commands  124

CHAPTER 4 Debug Mode Commands  127
  Debugging/troubleshooting commands  127
    arp command  129
    clear_logs  129
    config_http command  129
    conn_idle_timeout command  130
    ha_instant_sync command  130
    hwdiag command  131
    ifconfig command  131
    importscreen command  132
    kernel_debug command  133
    netstat command  134
    ping command  134
    pppoe_config command  135
    radius_ping command  135
    rcinfo command  137
    reboot command  137
    rs_kdiag command  138
    set_dos_if command  139
    slink command  139
    tcpdump command  140
    traceroute command  140
    verbose_trace command  141
    vinstall command  141

CHAPTER 5 Other Commands  143
  No command  143
  Rename command  143
  Show command  144
    Show command general usage  144
    Show address command  145
    Show alarm command  146
    Show all_routes command  147
    Show certificate command  147
    Show CPM command  148
    Show denial_of_service command  148
    Show diagnostics command  148
    Show DNS command  148
    Show IKE command  149
    Show interface command  150
    Show IPSec command  150
    Show LDAP command  151
    Show license command  151
    Show log command  152
    Show mode command  152
    Show NAT command  153
    Show NTP command  153
    Show policy command  154
    Show QoS command  154
    Show RAS command  155
    Show route command  156
    Show SA command  156
    Show service command  157
    Show SNMP command  158
    Show statistics command  158
    Show sysinfo command  158
    Show sysupgrade command  159
    Show trace command  159
    Show tunnel_switch command  159
    Show version command  160

Index  161


CHAPTER 1 Using the Command Line Interface

Introducing the WatchGuard CLI

The WatchGuard CLI (Command Line Interface) offers the experienced network administrator an efficient way to set up and manage WatchGuard Firebox Vclass security appliances via a terminal application. As the CLI architecture utilizes a model implemented in many industry-standard routers, network administrators familiar with routers commonly deployed in network environments will find the WatchGuard CLI both easy to learn and easy to use.

You can use the CLI to administer an appliance through a console port connection or through a network connection to any of the data interfaces via an SSH client using protocol 2 or Telnet, once the appropriate firewall-access policies have been created and configured on the target appliance.

While the CLI replicates most of the functionality of the WatchGuard Vcontroller™ application, we strongly recommend that you familiarize yourself with the use of WatchGuard Vcontroller before attempting to use the CLI. Learning the WatchGuard Vcontroller, its terms and processes, and the underlying “flow” of appliance administration, will establish a solid competency with concepts and terms used extensively in the CLI.

We also recommend that you review the latest Release Notes for your WatchGuard security appliances and verify that the most current versions of WatchGuard and Java software are being used. Electronic copies may be obtained from the WatchGuard Technical Support web site (www.watchguard.com/support/). The Technical Support Group can also assist in verifying that you have all of the latest WatchGuard software.

CLI capabilities

The WatchGuard command line interface (CLI) provides you with simple, fast, command-line access to any local WatchGuard Firebox Vclass security appliance to perform most major administrative tasks, including rebooting, resetting appliance interface IP addresses, entering remote access user accounts, and managing policies, actions and proposals stored in the appliance database.

An almost-complete list of CLI setup and administration tasks includes the following:
• Configuring security appliance software
• Interface (port) management
• Viewing current system settings
• Inserting new security policies
• Editing or removing existing policies
• Reorganizing sort order of policies
• Configuring and using the High Availability feature
• Opening and reviewing current log files
• Displaying reports of tunnel and SA activities
• Restoring factory-default configurations
• Shutting down and restarting security appliances


CLI limitations

Please note that the WatchGuard CLI is not a complete replacement for the WatchGuard Vcontroller application, as you cannot do the following with the CLI:
• Set up probes that monitor the current activities of the security appliance
• Set up, activate, and review alarms that are triggered by a range of operational circumstances
• Import Certificate Revocation List (CRL) files or their contents
• Create “admin” access user accounts
• Create firewall-access internal user accounts

CLI Guide text conventions

To help you better use this guide, the following text conventions are used.

Control key The symbol ^ represents the Control (CTRL) key and is usually used in combination with other text. For example, when you see the key combinations ^Z or Ctrl-Z, this means you should hold down the Control key while pressing the Z key. In the guide, these keys may be printed in capital letters, but “Ctrl+letter” functions are not case-sensitive.

Text strings A text string is defined as a set of user-variable characters. Text strings (or, strings) are usually presented as example data, or the kind of thing one might type for a particular value. Such an example might be presented enclosed in quotation marks; however, you do not need to type quotes when entering a text string.

For example, we might say: set a user_profile name to “All_RAS_Users.” In this example, you could type your own user profile name (or string) in place of All_RAS_Users.

You should enclose a string in quotes in instances where the text entry includes spaces. For example, if entering a name like “Joan Smith,” with a space between the first and last name, you should enclose this entry in quotations to preserve it as a single entity.

For example:

WG(config)#address -group exec_staff
WG(config)#address -group "exec staff"

Carriage returns Carriage returns are Enter key presses, and are represented by the <ENTER> or <CR> notation. Command examples may omit this notation for the sake of brevity.

Letter spaces Space characters (entered by pressing the Space bar on the keyboard) are represented in a few instances in this Guide by the <sp> notation. In most cases, however, spaces are simply represented by actual spaces. For example, in:

WG(config)#address -group exec_staff

there is a single space between “address” and “-group,” and another between “-group” and “exec_staff.”

Comments Comments are presented as italicized text preceded by the “#” character.

# This is a sample comment.

More command-specific and argument-specific conventions are detailed in “Command syntax conventions used in this guide” on page 21.

Getting started with the WatchGuard CLI

Connecting to an appliance

The WatchGuard CLI can be used to perform pre-installation setup tasks, or to reconfigure or administer the appliance at any time. These comprise two distinct uses of the CLI, which in turn require different connections:

• To use the CLI in pre-installation setup or to do direct administration of a WatchGuard appliance, you can directly connect the appliance to your workstation by connecting a cable from the Console port on the front of the appliance to a serial port on your workstation. Your Vclass package includes an adapter for this purpose. After this connection is made, you can connect directly to the appliance via a terminal application.

• To use the CLI for administration after a WatchGuard appliance has been set up and configured, you can make use of existing network connections. All you need is (1) the IP address of a WatchGuard appliance data interface and (2) a currently active policy permitting CLI console (Telnet/SSH) access to the system through that interface. This may be done by means of the CLI or the WatchGuard Vcontroller, once configuration is complete.

NOTE
If you attempt to log into a functioning, fully configured WatchGuard appliance with the CLI, you must enter “admin” as the login (or “rsadmin” for legacy appliances), as the CLI will not permit use of any other “super admin” account names.

Logging into an appliance via a console connection

To log into a brand new “factory default” WatchGuard appliance by means of the CLI console and a console (serial port) connection, follow these steps:

1 Start any terminal application and open a new connection window.

2 Verify that the terminal has been set to VT100.

NOTE
If the terminal is not set to VT100, various functions may not work: ^c will not break, ESC will not work and you’ll have problems with special characters.

Connection parameters include:
- 9600 bps
- 8 data bits
- No parity
- 1 stop bit
- Flow control: none

3 Press <ENTER> once after configuring the connection parameters. The connection should be immediate, at which time a welcome message is displayed, followed by a WatchGuard “Login” prompt.


4 As this is a new appliance, type “admin” (the default login text) and press <ENTER>. The login for a legacy appliance is “rsadmin.” A “Password” prompt is displayed.

5 Type “admin” (again, the default password text) and press <ENTER> to submit the password and log in to this security appliance. The default password for a legacy device is “rsadmin.” If the login connection is successful, a WG# prompt is displayed.

WatchGuard Firebox V100 (OS 4.0)
<system_name> login: admin
Password: [type your password, nothing is displayed]

Welcome to the WatchGuard CLI Shell
WG#

You can now work with the CLI.

Logging into an existing appliance via a network connection

To log into a currently active (configured) WatchGuard appliance over a network connection, follow these steps:

1 Make sure that this appliance has an active policy permitting telnet/SSH access via a specific WatchGuard appliance interface.

2 Start any telnet/SSH application and verify that your terminal emulation is “vt100” (necessary in Windows 2000).

3 Type the IP address or qualified network name of the appliance interface and press Enter.

4 When a WatchGuard “Login” prompt is displayed, type “admin” (or “rsadmin” for a legacy appliance) and press <ENTER>.

NOTE
The CLI will not accept any other “superadmin” login names.

A “Password” prompt is displayed.

5 Type the current password (the default is “admin”, or “rsadmin” for a legacy appliance) and press <ENTER> to submit the password and log into this security appliance. A new WG# prompt is displayed.

Understanding the command prompt

As you navigate through the WatchGuard Command Line Interface, the command prompt will always indicate what command level/mode you are in. For example:

Command Prompt        Command Level/Mode
WG#                   indicates that you are at the root level
WG(config)#           indicates that you are in Configuration mode
WG(config-system)#    indicates that you are in Configuration mode at the System level
WG(config-if)#        indicates that you are in Configuration mode at the System Interface level

Abbreviating commands and keywords

You can abbreviate the available commands and keywords for each command group or mode, down to the minimum number of characters that can safely be used to represent a command, so that it cannot be mistaken for another command by the CLI. For example, the command show can be abbreviated “sh” and the command dmz can be abbreviated as “d.”

NOTE
In Administration mode, you cannot use abbreviated commands. Administration mode requires that you type the full word for each command.


Case sensitivity

Commands, command arguments and keywords in the WatchGuard CLI are not case sensitive. For example, show policy is equivalent to SHow POLicy.

NOTE: Object name strings are case sensitive. Typing the address group name (string) “EveryBody_on_NET_A” is not the same as typing “everybody_on_net_a”! This covers all text strings, whether enclosed in quotes or not.

Extending command lines

Long command lines can be continued onto the next line of a terminal display by typing the backslash character (\) at the end of the command line, similar to the use of the backslash character in C programming syntax. This permits you to type more information (parameters) without breaking the continuity of the entire command.

In the following example of a progression of four commands, the backslash character (\) typed right before the <ENTER> in the last command line enables the administrator to continue the contents of that command line onto the next line:

WG#<ENTER>
WG#configure<ENTER>
WG(config)#cert<ENTER>
WG(config-cert)#req cert -com WatchGuard -cou US \<ENTER>
-dns rs101.WatchGuard.com -key {rsa 1024 both}<ENTER>

Typing arguments in a command

Be sure to type a "-" (hyphen) before any arguments, or the CLI will ignore and omit that argument’s condition.


Deleting text in the Command Line Interface

To delete characters to the left of the cursor, press the Backspace key, or press ^h.

To delete all characters from the current position of the cursor back to the beginning of the command line, press ^u.

Using the CLI to add to or replace existing settings and policies

Existing settings can be modified using the WatchGuard CLI in two ways:

1 An existing item can be overwritten/replaced with an entirely new item

2 Additional entries or qualifications can be appended to an existing item

Adding entries to an existing item requires use of the “plus” character (+).

If a setting or entry already exists in this WatchGuard appliance, add a “plus” character (+) before additional elements to edit that setting. In the following example, an additional host with an IP address of 199.86.77.100 is added to the address group “VPNnet”:

WG(config)#address VPNnet + -host 199.86.77.100<ENTER>
WG(config)#exit<ENTER>
Commit before exit? (Y/N):y<ENTER>
WG#_

The named address group object VPNnet now has an additional (host) member with an IP address of 199.86.77.100.

Grouping parameters in a command

Groups of parameters may be repeated in a command line by surrounding the groups with “curly” brackets ({group1 param1 param2} {group2 param1 param2} etc.). In the following example of command line block repetition, the IP addresses, port numbers, and weighting are assigned for three servers in a round-robin load balanced cluster:

WG(config)#nat <"name"> -vip round -server \
{10.10.0.100 80 1} {10.10.0.101 80 2} \
{10.10.0.102 80 3}<ENTER>

Note too, that the command line in the above example was “extended” with the use of the backslash (\) character, so that more parameters could be included in the command.

Reviewing the recently used commands

The WatchGuard CLI stores up to 20 commands (at each level in every mode) in a History buffer, which you can use to view your most recent tasks.

• Type history <ENTER> at any prompt to review the last twenty commands applied at that level of the CLI. The CLI will append a number to each line, to indicate its place in the overall chronology. The higher the number, the more recently that command was enacted. (Note that active command history listings may have multiple-digit numbers.)

• Type !! (two exclamation points) to recall and re-enact the most recently used command recorded in the buffer for this mode and level.

• Type !6 (exclamation point followed by a number) to display and enact the command identified as “6” in the buffer at this CLI level.

• Type !!<command argument> to display the most recent command and to append it with arguments and values as needed. For example, if the last command was “show”, you could type “!!address” to display the current list of address groups.


New or different command arguments may be “substituted” in the most-recent command line recalled from history. Use the format ^old_command^new_command to effect a substitution as shown in the following example:

WG#!49                 < Recall command line #49    #This is the command.
show service DNS                                    #The next six lines are the result.
Service Group:
Name = DNS
Description = "Domain Name Services"
Protocol = UDP
Server_port = 53

WG#^DNS^SSH            #This command substitutes SSH for DNS and executes
show service SSH       #show service SSH.
Service Group:         #This shows the results.
Name = SSH
Description = "Secure Shell (Remote Login Protocol)"
Protocol = TCP
Server_port = 22
WG#_
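An added example, not WatchGuard code, that models the per-level history buffer and the four recall forms described above (!!, !N, !!<args> and ^old^new). It also covers a point the buffer raises for anyone exporting history to a log: the -ftp form of the export and import commands in Chapter 2 carries user:passwd on the command line, so the listing here masks it by default. Assumptions: entry numbers keep counting past the 20-entry depth, !!<args> inserts a space before the appended text, and ^old^new replaces only the first occurrence.

```python
"""Added example (not WatchGuard code): a model of the per-level history
buffer this section describes, so that the recall forms !!, !N, !!<args> and
^old^new can be checked offline. Assumptions: entry numbers keep counting
past the 20-entry depth (the text says listings may show multi-digit
numbers), !!<args> inserts a space before the appended text, and ^old^new
replaces only the first occurrence in the previous command."""
import re

HISTORY_DEPTH = 20  # the CLI keeps 20 commands per level and mode

# Matches the user[:passwd]@host form used by this CLI's -ftp arguments.
CREDENTIAL_RE = re.compile(r"(\S+?):(\S+?)@")


class History:
    """One buffer; the appliance keeps one of these per level and mode."""

    def __init__(self, depth=HISTORY_DEPTH):
        self.depth = depth
        self._entries = []  # list of (number, command), oldest first
        self._next_number = 1

    def record(self, command):
        self._entries.append((self._next_number, command))
        self._next_number += 1
        if len(self._entries) > self.depth:
            del self._entries[0]  # the oldest entry falls off the buffer

    def listing(self, mask_credentials=True):
        """What 'history' would print. Commands such as
        'export ... -ftp user:passwd@host:/path' carry the FTP password in
        the command line, so the buffer retains it; by default the password
        is masked when the buffer is displayed or copied to a log."""
        rows = []
        for number, command in self._entries:
            if mask_credentials:
                command = CREDENTIAL_RE.sub(r"\1:***@", command)
            rows.append((number, command))
        return rows

    def expand(self, line):
        """Return the command a recall expression stands for (the original
        line if it is not a recall expression)."""
        if not line.startswith(("!", "^")):
            return line
        if not self._entries:
            raise LookupError("history is empty")
        last = self._entries[-1][1]
        if line == "!!":
            return last
        if line.startswith("!!"):  # !!address  ->  show address
            return last + " " + line[2:]
        if line.startswith("!"):  # !49  ->  the command numbered 49
            wanted = int(line[1:])
            for number, command in self._entries:
                if number == wanted:
                    return command
            raise LookupError("command %d is no longer in the buffer" % wanted)
        parts = line.split("^")  # ^DNS^SSH -> ["", "DNS", "SSH"]
        if len(parts) < 3:
            raise ValueError("substitution must have the form ^old^new")
        old, new = parts[1], parts[2]
        if old not in last:
            raise ValueError("%r not found in %r" % (old, last))
        return last.replace(old, new, 1)

    def run(self, line):
        """Expand a recall expression, record the result as the CLI would,
        and return the command that would be executed."""
        command = self.expand(line)
        self.record(command)
        return command
```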


Navigating through the CLI


At every command level and in all command modes, the exit command moves the CLI user “up” one level (back to the parent command level) in the command tree structure. If you issue the exit command at the top (root) level, you will log out of the system. See the following example:

WG(config-system)#exit<ENTER>
WG(config)#exit<ENTER>
WG#exit<ENTER>
#As a result, you are logged off the CLI and the display screen is cleared.
WatchGuard (OS 4.0)


At every command level except the top (root) level, entering the top command and pressing Enter “jumps” the CLI user from the current level to the top (root) command level. The top (root) command level does not have this command available as it isn’t necessary. See the following example:

WG(config-qos)#top<ENTER>
WG#_

Common Navigation commands

The following commands can be used at any level of any CLI mode.

history command

WG#admin<ENTER>
WG(admin)#history

Effect
Lists the twenty most recently exercised commands at this level. (When this command is applied at other levels, it will list the last twenty commands entered at that specific level.) For more information on extending or adapting this command, see “Reviewing the recently used commands” on page 11.

Arguments
This command has several adaptations that extend its usefulness. See “Reviewing the recently used commands” on page 11 for details.

exit command

WG(admin)#exit

Effect
Exits the current level of CLI and returns to the next-highest command level, all the way to the top-level WG# prompt.


Arguments
None.

Example
WG(admin)#exit<ENTER>

top command

WG(admin)#top

Effect
Immediately returns to the top level of the WatchGuard CLI (the “WG#” prompt) from whatever level of CLI you are using.

Arguments
None.

Example
WG(admin)#top<ENTER>
# As a result, the WG# prompt is displayed.

Using keywords

The CLI provides keywords such as enable, disable, and no that perform specific functions with system parameters. For example, enable and disable are used to enable and disable existing configurations such as policy schedules and system QoS settings. The following example shows an existing schedule configuration named “24_7_Schedule” being enabled:

WG(config)#schedule 24_7_Schedule enable<ENTER>

The keyword no functions as a simple “on/off” switch for configuration components, as shown in the following example:

WG(config)#denial_of_service no -pingofdeath<ENTER>


Show command/argument (“name”) usage

Entering the show command along with a valid command name or argument will display all stored entries associated with the named term. See the following examples. These examples show only partial displays:

Example 1: Show all security policy records

WG(config)#show policy<ENTER>
Ord  NAME                  Dscpt  Src  Dest   Svc
1    PRIVATE_HTTPS                ANY  PRIVA  HTTPS
2    ALLOW_PING_FROM_PVT          ANY  INTER  PING
3    ALLOW_PING_FROM_PUB          ANY  INTER  PING
4    ALLOW_PING_FROM_DMZ          ANY  INTER  PING
5    ALLOW_OUTBOUND_DNAT          ANY  ANY    ANY
6    DENY_INBOUND          Deny   ANY  ANY    ANY
7    HOST_OUT                     ANY  ANY    ANY
WG(config)#_

Executing the show command followed by a specific name displays only the details associated with that specific named object, as shown in the following example:


Example 2: Show only “private_https” security policy settings

WG(config)#show policy PRIVATE_HTTPS
Security Policy
Name = PRIVATE_HTTPS
Description = * *
Order = 1
Source = ANY
Destination = interface_0_IP
Service = HTTPS

Viewing context-sensitive online help

When you are logged into an appliance, you can use the built-in help system to view a list of currently available commands. These commands vary depending on your current location in the CLI. The types of help commands include the following:

• Listing all available commands at a specific mode or level of CLI

• Listing all of a command’s arguments (and associated values) along with their specific usage syntax

1 To list all commands available in a particular command mode or level, type a question mark (?) or enter “help” at the command prompt. For example, enter ? at the top (root) level command to return the following list of top-level command options:

administration    Enter administration mode
configure         Enter configuration mode
debug             Enter debug mode
show              Show current configuration and statistics
history           Show command history
logout            Exit the system
exit              Exit the system

2 The WatchGuard CLI’s help system also lists a specific command’s argument options along with their specific usage syntax. For example, here is a help command that requests (and obtains) the command argument options and syntax used to configure a security policy:

WG#configure
WG(config)#policy?
policy <"name"> [<source> <destination> <interface num>]
  [-position <num>]
  [-firewall <pass|block|authenticate|reject>]
  [<-service|-vlan|-nat|-qos|-schedule|-ipsec [no] [bi_directional]> <"n]
  [<-tosF|-tosR> <bbbbbb>]   # b is <0|1>; msb from left.
  [-log_per_policy [enable|disable]]
  [-icmp_error_handling_per_policy [[global | all] |
    [[no] fragmentation_required] [[no] time_exceeded]
    [[no] network_unreachable] [[no] host_unreachable]
    [[no] port_unreachable]]]

Logging out of the appliance

After you have completed your setup or administration tasks, you can log out of the appliance by following these steps:

1 At the current prompt (at any level of the CLI), type top and press <ENTER>.

2 When the WG# prompt is displayed, type exit and press <ENTER>. You are logged out of the appliance. You can disconnect the terminal session, and physically disconnect your workstation from the appliance if necessary.


Installing and configuring a WatchGuard appliance

You can use the WatchGuard CLI to perform almost all setup and configuration tasks. We’ve organized the following catalog of tasks into general categories, with references to the series of CLI commands you would use to perform specific tasks. We’ve also organized the following catalog to chronologically guide you through the tasks in the proper sequence.

The general flow of this series of categories and tasks follows that of the printed WatchGuard Vclass User Guide, beginning with installation, and continuing on to administration and policy configuration tasks.

The tasks are sorted into the following general categories, and can be reviewed as noted here:

• “To log into a WatchGuard appliance for the first time:” on page 19
• “To assign network addresses to appliance interfaces” on page 20
• “To complete system configuration” on page 20
• “To create and apply security policies” on page 21
• “To remove/delete items from a WatchGuard database” on page 22
• “To save and apply your most recent changes” on page 22
• “To maintain an appliance” on page 22
• “To troubleshoot an appliance” on page 22
• “To get on-line help while working” on page 24

To log into a WatchGuard appliance for the first time:

See the instructions detailed in “Logging into an appliance via a console connection” on page 6.


To assign network addresses to appliance interfaces

To assign network addresses to the data interfaces, use these commands (along with the arguments and values noted later in this user guide):

Command                        Additional Information
WG(config-if)#interface 0
WG(config-if)#interface 1
WG(config-if)#interface 2      if a DMZ interface is present
WG(config-if)#ha2              if an HA2 port is present

To complete system configuration

To complete the initial system configuration, use these commands:

Command                         Description
WG(admin)#passwd                change the default password to a new, secure password
WG(config-sys)#route            includes both static and dynamic routes
WG(config-sys)#dns              connect to a domain name server
WG(config-sys)#snmp             connect to any SNMP management stations
WG(config-sys)#log              activate needed system activity logging
WG(config-sys)#ldap             connect this appliance to an LDAP server
WG(config)#tunnel_switch        activate WatchGuard tunnel switching features
WG(config)#cert                 request and import needed certificates from CAs
WG(config)#denial_of_service    customize anti-hacker protection for this appliance
WG(config)#high_availability    set up and activate a high-availability system, using the High Availability feature
WG(config)#log                  includes event, traffic and alarm log files

To create and apply security policies

To create and apply security policies, use these commands:

Command                         Description
WG(config)#address              create all the needed address groups for use in policies
WG(config)#service              add new services or groups of related services
WG(config-ike)#action           create IKE actions for use in IKE policies
WG(config-ike)#policy           create IKE policies for use in IPSec policies
WG(config-ipsec)#action         create IPSec actions for use in IPSec proposals
WG(config-ipsec)#proposal       create IPSec proposals for use in security policies
WG(config)#nat                  create NAT actions (DNAT, SNAT or VIP) for use in policies
WG(config)#vlan                 create VLAN IDs for use in policies
WG(config-qos)#action           create QoS actions for use in policies
WG(config)#schedule             create schedules for application to specific policies
WG(config-ras)#group_profile    create RAS group profiles for use in RAS policies
WG(config-ras)#user_profile     create RAS user accounts for use in RAS policies
WG(config-ras)#database         set up the user authentication system for RAS policies
WG(config)#policy               create the actual policies

To remove/delete items from a WatchGuard database

To remove a particular object (policy, action, group profile, etc.), use this command:

WG(config)#delete

To save and apply your most recent changes

To save and apply the latest changes and additions to this appliance’s configurations and policies, use this command:

WG(config)#commit

To maintain an appliance

To perform security appliance maintenance, use these commands:

Command                         Description
WG(admin)#flush                 flush all current connections and SAs
WG(admin)#passwd                replace the existing password with a new one
WG(admin)#reboot                reboot the WatchGuard appliance
WG(admin)#shutdown              shut down the WatchGuard appliance
WG(admin)#restore_default       restore an appliance to the factory-default state
(CLI prompt)#history            review the most recent tasks (at any level)

To troubleshoot an appliance

To perform troubleshooting tasks, use these commands:

Command                         Description
WG(debug)#arp                   display and configure the ARP table
WG(debug)#netstat               show network/connection states and statistics
WG(debug)#ping                  verify network connectivity
WG(debug)#radius_ping           verify connection with a RADIUS server
WG(debug)#tcpdump               trace network packets
WG(debug)#traceroute            trace a route to a specific destination

To get on-line help while working

To get help with the WatchGuard CLI, use these commands:

Command       Description
?             online help at any prompt, or at the end of any other command
show          view a list of objects at the # prompt
history       view the last 20 commands entered at this level of the CLI; enter at the # prompt


CHAPTER 2 Administration Mode Commands

All WatchGuard CLI commands are organized into groups, which are presented as specific command modes. This chapter covers the commands available in Administration Mode.

Command syntax conventions used in this guide

To help you better use this guide, the following text conventions are used. These conventions are in addition to the text notation introduced in “CLI Guide text conventions” on page 3.

Convention          Description
<text>              All required text is enclosed in angle brackets.
-<text>             Some arguments must be preceded by a hyphen (“-”). If a hyphen is required, but you do not use it to precede the argument, that argument will be dropped.
[text]              Optional text is enclosed in square brackets.
{text}              Text wrapped in curly braces is optional, usually representing qualifications or values related to an argument.
itemA | itemB       Text items separated by a pipe character (vertical bar) indicate two options, of which only one can be entered.
itemA &| itemB      Text followed by an ampersand (&) and a pipe character (vertical bar) indicates two options, either or both of which can be entered.
[item_A, item_B, item_C]
                    A comma separating bracketed text indicates repeated options that may be entered one at a time or all at once.
+ item              A plus (+) sign preceding specific text represents additional elements that are being added to an existing setting. For example, to add a new “member” to an existing address group, you would type a “+” prior to the address information of the new member.
no                  A “no” entered before an argument indicates that the argument is not to be included in the command. This is useful when entering a number of arguments, one of which should not be included yet must be entered in the command.
\                   A backslash character at the end of a portion of command line signifies that the command line has been broken at that point, and continues on the next line.

If you enter a command in the CLI, such as the following:

WG(config)#policy

and press <ENTER> without adding any arguments to the command line, the WatchGuard CLI will display a complete list of related arguments and values, in the form in which you should enter them. This is helpful when the CLI tells you that a command you just entered isn’t acceptable. You can call up this text to review requirements and syntax for a command or argument.

Administration mode commands

The following catalog lists all of the administration mode commands, along with a description of the arguments for each command and the relevant values for each argument.

Command           For more information, see
account           “account command” on page 28
downgrade         “downgrade command” on page 29
export            “export command” on page 30
flush             “flush command” on page 31
ha_sync           “ha_sync command” on page 31
import            “import command” on page 32
operation_mode    “operation_mode command” on page 35
passwd            “passwd command” on page 36
reboot            “reboot command” on page 37
restore_default   “restore default command” on page 38
shutdown          “shutdown command” on page 38
upgrade           “upgrade command” on page 39
history           “history command” on page 14
exit              “exit command” on page 14
top               “top command” on page 15


account command

WG#admin<ENTER>
WG(admin)#account -login_limit
                  -login_limit <admin|user> <0-10>
                  -status
                  -unlock <name>|all
                  -all

Effect
Allows you to view, set, and clear failed login attempt limits. Login limits provide a further level of security, and eliminate susceptibility to “brute force” password attacks.

The account management feature is available in all three operation modes (normal, FIPS, and CC).

The CLI allows only the root superadmin “admin” to log in, while rejecting all other accounts, including user-defined superadmin accounts. If you set the login_limit feature on the root superadmin user, it is possible for the superadmin to be locked out of the system.

To work around this possible problem:

1 Create another superadmin account in addition to the root superadmin “admin” account, using Vcontroller, before you set the login_limit for the root superadmin account. If the root superadmin “admin” is locked out because of exceeded login failures, you can use this separate, non-root-level superadmin account to log in to Vcontroller with full administration privileges.

2 In a text editor, create and save an ASCII text file with the following two lines:

admin
account -unlock admin

3 In Vcontroller, click Diagnostics/CLI and select the CLI tab. This feature allows you to select a text file that contains CLI commands.


4 Click Open. A Browse dialog appears.

5 Select the text file you created earlier, and click Select. The admin account is unlocked.

Arguments

-login_limit
Displays the current login limits set for admin and user on the device.

-login_limit <admin|user> <0-10>
Sets the limit for failed attempts for the specified user type (admin or user) to the number specified.

-status
Displays a table of failed login attempts for each user, provided the limit for the login name is greater than 0.

-unlock <name>|all
Unlocks a login name or all login names, after the name or names are locked due to failed login attempts.

-all
Displays detailed information for all accounts on the device.

Examples

WG#admin<ENTER>
WG(admin)#account -login_limit

WG#admin<ENTER>
WG(admin)#account -login_limit admin 5

WG#admin<ENTER>
WG(admin)#account -unlock joe_user

downgrade command

WG#admin<ENTER>
WG(admin)#downgrade


Effect
Restores the system software to the previously installed version.

Arguments
None

Example
WG(admin)#downgrade<ENTER>

NOTE: If you apply this command, certain WatchGuard features incorporated in the current version may not be available afterwards. This will affect both configurations and policies in this appliance. You should make a careful review of this security appliance’s setup to prevent any problems.

export command

WG#admin<ENTER>
WG(admin)#export

Effect
Exports certificate requests, the log archive, an XML profile, or the blocked or exception IP lists. The export command must be followed by a space and the name of the item to be exported:

cert_request    to export certificate requests
log             to export the log archive
xml             to export an XML profile
ip              to export the blocked or exception IP lists

Each export option requires specific syntax.

export cert_request:

export cert_request <CERT_ID> [-tftp] <host:/target/file_name> -ftp <[user[:passwd]@]host:/target/file_name> -[console]


#ex: export cert_request 20001 10.10.0.100:/RS/cert/20001.req

export log:

export log [all|alarms|events|traffic|ras_user|p1sa|p2sa] [-tftp] <host:/target> -ftp <[user[:passwd]@]host:/target>

export xml:

export xml [-tftp] <host:/target/file_name> -ftp <[user[:passwd]@]host:/target/file_name> -[console]

export ip:

export ip {blocked|allowed} [-tftp] <host:/target/file_name> -ftp <[user[:passwd]@]host:/target/file_name>

flush command

WG#admin<ENTER>
WG(admin)#flush

Effect
Resets all active connections, including SAs.

Arguments
None.

ha_sync command

WG#admin<ENTER>
WG(admin)#ha_sync

NOTE: This command is available only if the WatchGuard appliance you are currently logged into has High Availability enabled (using the “config-ha” command), is the Master appliance, and is connected to another security appliance assigned to a backup role.

Effect
Initiates the WatchGuard Firebox Vclass security appliance hotsync process, which copies the complete profile (configurations and policies) from this appliance to a designated backup appliance. After you restart the backup appliance, your “high availability” system is ready and active.

Arguments
None

Example
WG(admin)#ha_sync<ENTER>

import command

The import command allows you to import certificates, a certificate revocation list (CRL), an XML profile, or a list of blocked or allowed IPs.

cert command

WG#admin<ENTER>
WG(admin)#import cert [-tftp] <host:/target/file_name> -ftp <[user[:passwd]@]host:/target/file_name> -[console]

Effect
Imports a certificate via one of several possible methods.

Arguments
None

Example
WG(admin)#import cert -ftp wg:[email protected]:/pub/cert/cert.p2<ENTER>


crl command

WG#admin<ENTER>
WG(admin)#import crl [-tftp] <host:/target/file_name> -ftp <[user[:passwd]@]host:/target/file_name> -[console]

Effect
Imports a certificate revocation list (CRL) via one of several possible methods.

Arguments
None

Example
WG(admin)#import crl -ftp wg:[email protected]:/pub/cert/cert.p2<ENTER>

xml command

WG#admin<ENTER>
WG(admin)#import xml [-tftp] <host:/target/file_name> -ftp <[user[:passwd]@]host:/target/file_name> -[console]

Effect
Imports an XML profile via one of several possible methods.

Arguments
None

Example
WG(admin)#import xml -ftp wg:[email protected]:/pub/xml/listfile.xml<ENTER>


ip command

WG#admin<ENTER>
WG(admin)#import ip {blocked|allowed} {override|merge} [-tftp] <host:/target/file_name> -ftp <[user[:passwd]@]host:/target/file_name>

Effect
Imports a list of blocked or allowed IP addresses to the appliance database.

Prerequisites
The list of IP addresses must be a text file. The formatting information follows.

For blocked IP, each line of the file should include:

<IPaddr> [space] <mm/dd/yyyy> [space] <hh:mm:ss>

<mm/dd/yyyy> specifies the month, day, and year.

<hh:mm:ss> specifies the hour, minute, and second.

For example, a text file containing the following lines blocks these sites until the provided expiration time:

12.11.12.15 8/14/2003 14:00:00
12.13.22.8 10/19/2004 1:21:05

To add blocked sites that do not expire, use only the IP address.

Arguments

blocked|allowed
Specifies whether to import the contents of the text file to the blocked IP list, or to the allowed (exceptions) IP list.

merge|override
Merge merges the new IP addresses into the existing list of IP addresses.
Override replaces all of the existing IP addresses with the IP addresses on the imported list.

Example
WG(admin)#import ip blocked override -ftp 192.168.216.232:/tmp/blockedip.txt<ENTER>
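An added example, not WatchGuard code, that checks a blocked-IP text file against the line format documented above before it is uploaded, and previews what the merge and override modes would leave on the appliance. The sample file is constructed from the two lines shown above plus one permanent entry; it assumes the appliance does not itself reject entries whose expiry time has already passed, so such entries are flagged.

```python
"""Added example (not WatchGuard code): a validator for the text file that
'import ip blocked' accepts, so the file can be checked before it is uploaded
over TFTP or FTP. Each line is <IPaddr> <mm/dd/yyyy> <hh:mm:ss>, or a bare
<IPaddr> for an entry that never expires, as the documentation shows (month,
day and hour need not be zero-padded). It also previews what 'merge' and
'override' leave on the appliance. Assumption: the appliance does not itself
reject entries whose expiry has already passed, so the check flags them."""
import ipaddress
from datetime import datetime

TIMESTAMP_FORMAT = "%m/%d/%Y %H:%M:%S"  # the file's own date and time layout

# Constructed sample file: the two documented lines plus one permanent entry.
SAMPLE_BLOCKED_FILE = """\
12.11.12.15 8/14/2003 14:00:00
12.13.22.8 10/19/2004 1:21:05
203.0.113.9
"""


def parse_timestamp(date_text, time_text):
    """Parse '<mm/dd/yyyy> <hh:mm:ss>'; strptime accepts unpadded fields."""
    return datetime.strptime(date_text + " " + time_text, TIMESTAMP_FORMAT)


def parse_blocked_line(line):
    """Return (address, expiry-or-None), or None for a blank line.
    Raises ValueError on anything the documented format does not allow."""
    fields = line.split()
    if not fields:
        return None
    if len(fields) not in (1, 3):
        raise ValueError("expected <IPaddr> or <IPaddr> <mm/dd/yyyy> <hh:mm:ss>")
    address = str(ipaddress.IPv4Address(fields[0]))  # rejects malformed IPs
    expiry = parse_timestamp(fields[1], fields[2]) if len(fields) == 3 else None
    return address, expiry


def check_blocked_file(text, now):
    """Validate a whole file. 'now' is a datetime or a string in the file's
    own mm/dd/yyyy hh:mm:ss format. Returns the usable entries, per-line
    errors, entries already expired at 'now', and duplicate addresses."""
    if isinstance(now, str):
        now = parse_timestamp(*now.split())
    entries, errors, expired, duplicates, seen = {}, [], [], [], set()
    for lineno, line in enumerate(text.splitlines(), start=1):
        try:
            parsed = parse_blocked_line(line)
        except ValueError as exc:
            errors.append((lineno, str(exc)))
            continue
        if parsed is None:
            continue
        address, expiry = parsed
        if address in seen:
            duplicates.append((lineno, address))
            continue
        seen.add(address)
        if expiry is not None and expiry <= now:
            expired.append((lineno, address, expiry))  # would block nothing
            continue
        entries[address] = expiry
    return {"entries": entries, "errors": errors,
            "expired": expired, "duplicates": duplicates}


def preview_import(existing, imported, mode):
    """Show the effect of 'import ip blocked {merge|override}' on a list.
    Returns (resulting addresses, addresses dropped from the appliance)."""
    existing, imported = set(existing), set(imported)
    if mode == "merge":
        return existing | imported, set()
    if mode == "override":
        return imported, existing - imported  # override discards the rest
    raise ValueError("mode must be 'merge' or 'override'")
```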

operation_mode command

WG#admin<ENTER>
WG(admin)#operation_mode <normal|FIPS|common_criteria>

Effect
This command changes the system mode to operate in normal, FIPS, or Common Criteria (CC) mode.

FIPS mode

FIPS 140-2 is a standard that describes government requirements that cryptographic hardware or software products must meet. FIPS certification is required for products that are sold to the government.

FIPS mode disables or changes the following functionality:

- Shell access is disabled (for example, sucode).
- Unprotected remote access is disabled, including telnet and SSH. To log in to the box using telnet requires a physical connection to the console port.
- Non-qualified algorithms are disabled (MD5).
- SSL 3.0 is disabled. Support for TLS is still included.
- A direct crypto interface to the Rapidcore and other crypto modules is provided for the startup crypto self-test, and random number generation can be tested.
- Object reuse is avoided. Keys are zeroed out when they are no longer in use.

Common Criteria (CC) mode

Common Criteria (CC) defines a language for defining and evaluating information technology security systems and products. The framework provided by Common Criteria allows US government agencies and other groups to define sets of specific requirements.

IT security products purchased by the US Government for National Security Systems, which handle Classified and some non-Classified information, are required to be Common Criteria certified.

Common Criteria mode conforms to the EAL4 level.

Common Criteria mode disables or changes the following functionality:

- HTTPS uses 3DES-SHA1 encryption only.
- User login failure count can be configured, and users can be locked out after the failure count is met. See “account command” on page 28 for more information.

passwd command

WG#admin<ENTER>
WG(admin)#passwd <ENTER>

Effect
Replaces the current “admin” super user access password text with a new entry. This command initiates a several-step process in which you will be prompted to enter the new password twice, before it takes effect. See “Process” immediately following for details.

Process
Type a space, then the text of the current password after the command.

When you press <ENTER>, a “New password:” prompt is displayed, at which you can type the new password, using between 6 and 20 characters.

NOTE: No text will appear on-screen as you type.

When you press <ENTER> to submit the new password text, a “Reconfirm password:” prompt is displayed. Retype the same text (during which no text will appear on-screen).

When you press <ENTER>, the new password will be confirmed and stored in the appliance, then immediately put into effect.

Example
WG(admin)#passwd <ENTER>
New password: * <ENTER>            # Remember, no text will appear when you type.
Reconfirm password: * <ENTER>
Password change completed!
WG(admin)#

NOTE: Remember to write the new password down and store the note in a safe place. If you forget the password and lose the note, contact WatchGuard for assistance.

reboot command

    WG#admin<ENTER>
    WG(admin)#reboot

Effect: Shuts down, then restarts, this WatchGuard Firebox Vclass security appliance. You are automatically logged out of the appliance; after a few minutes (and a considerable display of status messages) the main login prompt reappears and you can log in again.

Arguments: None.

restore_default command

    WG#admin<ENTER>
    WG(admin)#restore_default

Effect: Reinitializes this appliance and restores the original factory-default configuration. All previously committed configuration, including security policies, is discarded. Once this process is complete, you can log in again and start over with appliance installation, configuration and policy creation, either by manual entry or by importing a profile from another appliance.

Arguments: None.

Results: After you enter this command, the CLI immediately shows a series of "restoring" status messages, along with "please wait..." messages. When the restoration is complete, the main login prompt appears.

You can now log in to the appliance with the user name "admin" and the password "admin" to begin reconfiguration. Because these factory credentials are public knowledge, change the admin password (see "passwd command") before you connect the restored appliance to any untrusted network.

shutdown command

    WG#admin<ENTER>
    WG(admin)#shutdown

Effect: Shuts down this WatchGuard appliance. You are automatically logged out of the appliance, at which time you can close the CLI connection.

Arguments: None.

upgrade command

    WG(admin)#upgrade [-tftp] <host:/target/upgrade.rsu>
    WG(admin)#upgrade -ftp <[user[:passwd]@]host:/target/upgrade.rsu>

Effect: Upgrades the system software from a ".rsu" file at the specified location, fetched over TFTP (the default) or FTP.

Example:

    upgrade -ftp wg:[email protected]:/patch/upgrade.rsu

NOTE: Both FTP and TFTP transfer the credentials and the image in cleartext, and an FTP password given on the command line is kept in the CLI command history (see "history command"). Fetch upgrade images only across a trusted management network, and confirm that the file is the one supplied by WatchGuard before you apply it.


CHAPTER 3 Configuration Mode Commands

All WatchGuard CLI commands are organized into groups, which are presented as specific command modes. This chapter covers the commands available in Configuration Mode.

Top-level configuration mode commands

The following catalog lists the top-level configuration mode commands, with a description of the arguments for each command and the values for each argument. Also included, where applicable, is the sequence of "config" commands necessary to reach the specific command level where a particular command can be entered and used.


    Command             For more information
    abort               See "abort command" on page 43.
    address             See "address command" on page 43.
    certificate         See "certificate command" on page 45.
    commit              See "commit command" on page 45.
    delete              See "delete command" on page 45.
    denial_of_service   See "denial_of_service command" on page 46.
    high_availability   See "high_availability commands" on page 47.
    ike                 See "ike command" on page 48.
    interface           See "interface command" on page 49.
    ipsec               See "ipsec command" on page 49.
    license             See "license command" on page 49.
    log                 See "log command" on page 50.
    nat                 See "nat command" on page 54.
    no                  See "no command" on page 56.
    policy              See "policy command" on page 57.
    qos                 See "qos command" on page 60.
    ras                 See "ras command" on page 61.
    rename              See "rename command" on page 61.
    schedule            See "schedule command" on page 62.
    service             See "service command" on page 63.
    system              See "system command" on page 64.
    trace               See "trace command" on page 64.
    tenant              See "tenant command" on page 65.
    tunnel_switch       See "tunnel_switch command" on page 65.
    show                See "history command" on page 66.
    history             See "history command" on page 14.
    exit                See "exit command" on page 14.
    top                 See "top command" on page 15.


abort command

    WG#config<ENTER>
    WG(config)#abort

Effect: Aborts (discards) all system configuration changes made since the last use of the WG(config)#commit command. This empties the cache of to-be-committed changes and additions.

Arguments: None

address command

    WG#config<ENTER>
    WG(config)#address <"name"> [+] -host <a.b.c.d> [<a.b.c.d>]... \
        -net <a.b.c.d/e> [<a.b.c.d/e>]... \
        -range <a.b.c.d-a.b.c.d> [<a.b.c.d-a.b.c.d>]... \
        -group <address_name> [<address_name>]...

Effect: Creates a new address object or modifies an existing group, depending on the use of the "+" character. The command must start with a new or existing "name" and can incorporate any of the following: (1) a single IP address, (2) a range of IP addresses, (3) a subnet, and (4) a group of existing address entries that you want to combine into a single entity.

Arguments:

<"name">: A new name for this group, or the exact name of an existing group when used with "+". Follow it with one or more of the addressing arguments below, depending on the contents of this address.

-host <a.b.c.d> [a.b.c.d]...: One or more single IP addresses (with no subnet information).

-net <a.b.c.d/e> [a.b.c.d/e]...: One or more subnets, each given as a network address and prefix length (representing all the individual IP addresses in that subnet).

-range <a.b.c.d-a.b.c.d> [<a.b.c.d-a.b.c.d>]...: One or more ranges of IP addresses.

-group <address_name> [address_name]...: One or more existing address entries that you want to combine into a single entity.

+: When inserted in the command line in the proper location, adds new members to an existing group. You must give the exact, case-sensitive name of the group before adding new entries.

Examples:

    WG(config)# address my_nets -host 10.10.1.1<ENTER>
    # Creates a new address group with a single host. (-host takes a bare address;
    # a prefix length such as /16 belongs with -net.)

    WG(config)# address my_nets -range 14.0.2.1-14.0.2.125<ENTER>
    # Creates a new address group with a range of IP addresses.

    WG(config)# address my_nets + -net 10.29.0.0/16<ENTER>
    # Adds a new address to an existing address group.
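The following added example (my own code, not from the guide or WatchGuard) models the address command's four member types and the "+" append form, so you can check what a set of address lines actually covers before you commit them. The AddressBook class, its error messages and the object names dmz and all_internal are assumptions; it enforces the points the reference makes (a bare address for -host, case-sensitive names for "+", existing objects for -group) and also rejects a -net whose host bits are set.

```python
"""Model of the Vclass `address` command: -host, -net, -range, -group and the "+" append form.

Added example (not from the guide). The AddressBook class, the error messages and the
group names used in the usage section are my own assumptions.
"""
import ipaddress

FLAGS = ("-host", "-net", "-range", "-group")


class AddressBook:
    """Holds named address objects and answers membership questions."""

    def __init__(self):
        # name -> list of members; a member is an IPv4Address, an IPv4Network,
        # a (start, end) IPv4Address tuple for -range, or ("group", name) for -group.
        self.objects = {}

    def run(self, line):
        """Parse one CLI line such as `address my_nets + -net 10.29.0.0/16`."""
        tokens = line.split()
        if len(tokens) < 2 or tokens[0] != "address":
            raise ValueError("expected: address <name> [+] -host|-net|-range|-group ...")
        name, rest = tokens[1], tokens[2:]
        append = bool(rest) and rest[0] == "+"
        if append:
            rest = rest[1:]
            # "+" requires the exact, case-sensitive name of an existing group.
            if name not in self.objects:
                raise KeyError(f"no address object named {name!r} (names are case-sensitive)")
        elif name in self.objects:
            raise ValueError(f"{name!r} already exists; use '+' to add members")
        members = []
        flag = None
        for tok in rest:
            if tok in FLAGS:
                flag = tok
            elif flag is None:
                raise ValueError(f"value {tok!r} given before any -host/-net/-range/-group flag")
            else:
                members.append(self._parse_member(flag, tok))
        if not members:
            raise ValueError("an address object needs at least one member")
        self.objects.setdefault(name, []).extend(members)
        return self.objects[name]

    def _parse_member(self, flag, tok):
        if flag == "-host":
            if "/" in tok:
                raise ValueError(f"-host takes a bare address; use -net for {tok}")
            return ipaddress.IPv4Address(tok)
        if flag == "-net":
            # strict=True rejects 10.29.1.0/16 (host bits set) instead of silently
            # widening it to 10.29.0.0/16, which would cover far more than intended.
            return ipaddress.IPv4Network(tok, strict=True)
        if flag == "-range":
            lo, _, hi = tok.partition("-")
            start, end = ipaddress.IPv4Address(lo), ipaddress.IPv4Address(hi)
            if end < start:
                raise ValueError(f"range {tok} runs backwards")
            return (start, end)
        # -group: the referenced object must already exist, so a typo cannot create an empty one.
        if tok not in self.objects:
            raise KeyError(f"-group references unknown address object {tok!r}")
        return ("group", tok)

    def contains(self, name, ip, _seen=None):
        """True if `ip` is covered by address object `name` (groups expanded recursively)."""
        ip = ipaddress.IPv4Address(ip)
        seen = _seen if _seen is not None else set()
        if name in seen:          # guard against a group that (indirectly) includes itself
            return False
        seen.add(name)
        for member in self.objects[name]:
            if isinstance(member, ipaddress.IPv4Address) and member == ip:
                return True
            if isinstance(member, ipaddress.IPv4Network) and ip in member:
                return True
            if isinstance(member, tuple) and member[0] == "group":
                if self.contains(member[1], ip, seen):
                    return True
            elif isinstance(member, tuple) and member[0] <= ip <= member[1]:
                return True
        return False


if __name__ == "__main__":
    book = AddressBook()
    book.run("address my_nets -host 10.10.1.1")
    book.run("address my_nets + -net 10.29.0.0/16")
    book.run("address dmz -range 14.0.2.1-14.0.2.125")
    book.run("address all_internal -group my_nets dmz")
    print(book.contains("all_internal", "10.29.5.5"))   # True
    print(book.contains("all_internal", "14.0.2.200"))  # False
```

Feed it the exact lines you intend to type and query contains() for the hosts a policy is meant to cover and a few it must not; a group that silently grew because of a mis-typed prefix length shows up here rather than in production.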


certificate command

    WG#config<ENTER>
    WG(config)#certificate

Effect: Enters certificate configuration mode, at which point you can enter certificate-specific task commands and their arguments.

Arguments: None in this mode.

See also: For more information about "certificate" mode commands, see "Level 2 certificate configuration commands" on page 67.

commit command

    WG#config<ENTER>
    WG(config)#commit

Effect: Applies all uncommitted policy and system configuration changes and additions to the appliance. Until you commit, changes exist only in the pending cache and can be discarded with "abort".

Arguments: None

delete command

    WG#config<ENTER>
    WG(config)#delete <object_type "name">

Effect: Deletes a specifically named object, such as an address group, policy, action or service.

Arguments:

<object_type>: The kind of object to delete (for example address, or ike policy).
<"name">: The exact name of the item to be deleted.

Examples:

    WG(config)#delete address exec_addresses<ENTER>
    # Deletes an address group named "exec_addresses".

    WG(config)#delete ike policy "HQ IKE"<ENTER>
    # Deletes an IKE policy named "HQ IKE".

denial_of_service command

    WG#config<ENTER>
    WG(config)#denial_of_service [no][-icmp [threshold]]          # threshold in packets/s; default=1000
                                 [no][-syn [threshold]]           # threshold in packets/s; default=5000
                                 [no][-udp [threshold]]           # threshold in packets/s; default=1000
                                 [no][-pingofdeath]
                                 [no][-sourceroute]
                                 [no][-server_ddos [threshold]]   # threshold in connections/s; default=100
                                 [no][-client_ddos [threshold]]   # threshold in connections/s; default=100

Effect: Records your preferences for denial-of-service defense parameters. You can enter any or all of the arguments listed below in one command.

Arguments:

[no][-icmp <threshold>]: Activates ICMP flood protection with a threshold in packets per second; default = 1000.

[no][-syn <threshold>]: Activates TCP SYN flood protection with a threshold in packets per second; default = 5000.

[no][-udp <threshold>]: Activates UDP flood protection with a threshold in packets per second; default = 1000.

[no][-pingofdeath]: Activates ping-of-death protection (oversized ICMP echo packets are dropped).

[no][-sourceroute]: Activates source-route protection by disallowing IP source-route options.

[no][-server_ddos <threshold>]: Activates server DDoS protection; the threshold (default = 100 connections/s) caps the connections permitted to any one server.

[no][-client_ddos <threshold>]: Activates client DDoS protection; the threshold (default = 100 connections/s) caps the connection requests permitted from a single client.

no: Enter this before any option you want to deactivate, as shown in the example.

Example:

    WG(config)#denial -syn 1000 no -udp<ENTER>
    # Enables SYN flood protection at 1000 packets/s and disables UDP flood protection.
    # (The guide's example abbreviates the command name to "denial".)

high_availability commands

NOTE: High Availability commands are not available if the WatchGuard appliance you are administering has no HA ports. In addition, you need a High Availability feature license.

Enter high availability configuration mode

    WG#config<ENTER>
    WG(config)#high_availability

Effect: Enters high availability (HA) configuration mode, at which point you can enter HA-specific commands and their arguments.

Arguments: None in this mode.

See also: For more information about "HA" mode commands, see "Level 2 High Availability configuration commands" on page 72.

Disable high availability mode

    WG#config<ENTER>
    WG(config)#no high_availability

Effect: Disables high availability if it is currently in effect.

Arguments: None.

ike command

    WG#config<ENTER>
    WG(config)#ike

Effect: Enters IKE configuration mode, at which point you can enter IKE-specific commands and their arguments.

Arguments: None in this mode.

See also: For more information about "IKE" mode commands, see "Level 2 IKE configuration commands" on page 78.


interface command

    WG#config<ENTER>
    WG(config)#interface

Effect: Enters system interface configuration mode, at which point you can enter interface-specific commands and their arguments.

Arguments: None in this mode.

See also: See "Level 2 interface configuration commands" on page 82 for details on specific "interface" mode commands.

ipsec command

    WG#config<ENTER>
    WG(config)#ipsec

Effect: Enters IPSec configuration mode, at which point you can enter IPSec action- and proposal-specific commands and their arguments.

Arguments: None in this mode.

See also: For more information about "IPSec" mode commands, see "Level 2 IPSec configuration commands" on page 95.

license command

    WG#config<ENTER>
    WG(config)#license

Effect: Enters license parameter configuration mode, at which point you can enter license-specific commands and their arguments.

Arguments: None in this mode.

See also: For more information about "license" mode commands, see "Level 2 license commands (for upgraded or additional features)" on page 117.

log command

    WG#config<ENTER>
    WG(config)#log<ENTER>
    WG(config-log)#

Effect: Enters log configuration mode. The commands that follow are entered at the WG(config-log)# prompt.

no command (log level)

    WG(config-log)#no <event|remote_log_server|traffic>

Effect: Disables logging for the specified log.

Arguments: <event|remote_log_server|traffic>: the log to disable.

Example:

    WG(config-log)#no traffic

clear_all command (log level)

    WG(config-log)#clear_all

Effect: Clears all logs.


Arguments: None

Example:

    WG(config-log)#clear_all

diagnostics command (log level)

    WG(config-log)#diagnostics [ike <level>] [cmm <level>] [nm <level>] [pmm <level>] [ha <level>]   # level = 1-6

Effect: Runs log diagnostics for the specified subsystem (IKE, CMM, NM, PMM or HA) at the given level.

Arguments: <subsystem> <level>, where level is 1 to 6.

Example:

    WG(config-log)#diagnostics ha 1

[no] event command (log level)

    WG(config-log)#[no] event <critical|error|warning|administration|info>

Effect: Turns logging on (or off, if the command is preceded by "no") for the specified event level.

Arguments: <critical|error|warning|administration|info>: the event level.


Example:

    WG(config-log)#event administration

[no] remote command (log level)

    WG(config-log)#[no] remote <server_ip> [default]
        [-alarm <facility> <priority>]
        [-event <facility> <priority>]
        [-traffic <facility> <priority>]
        [-p1sa <facility> <priority>]
        [-p2sa <facility> <priority>]
        [-ras <facility> <priority>]
    # facility := auth|authpriv|cron|daemon|ftp|kern|lpr|mail|news|syslog|user|uucp|local0|local1|...|local7
    # priority := original|debug|info|notice|warning|err|crit|alert|emerg

Effect: Turns remote (syslog) logging on or off for the specified logs, and sets the syslog facility and priority each log is sent with. "default" applies the default facility/priority mapping to all logs. Syslog messages are sent in cleartext, so place the log server on a trusted management network.

Arguments: <server_ip>: the address of the remote log server. [default]: use the default mapping. -alarm, -event, -traffic, -p1sa, -p2sa, -ras: per-log facility and priority, from the lists above.

Example:

    WG(config-log)#remote 10.10.10.99 default
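The facility and priority you give each log decide the PRI value the syslog server uses to file and filter the message, which is what your collector's rules will key on. The added example below (my own code, not WatchGuard's) parses a remote command line and computes that PRI. It assumes the appliance encodes the pair as the standard syslog value facility * 8 + severity with the usual numeric codes; the guide lists the names but not the codes, and the treatment of "original" (keep the appliance's own level) and of the default mapping (local0 in this model) are my assumptions.

```python
"""Syslog facility/priority handling for the `remote` log command.

Added example, not from the guide. It assumes the appliance encodes each log's
facility and priority as a standard syslog PRI value (facility * 8 + severity, with
RFC 3164 numbering); the guide names the facilities and priorities but not the codes.
"""
FACILITY = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
}
FACILITY.update({f"local{i}": 16 + i for i in range(8)})
SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
            "warning": 4, "notice": 5, "info": 6, "debug": 7}
LOGS = ("alarm", "event", "traffic", "p1sa", "p2sa", "ras")


def pri(facility, priority):
    """PRI header value for a facility/priority pair, e.g. ("local0", "info") -> 134."""
    return FACILITY[facility.lower()] * 8 + SEVERITY[priority.lower()]


def decode_pri(value):
    """Inverse of pri(): split a PRI number back into (facility, severity) names."""
    fac, sev = divmod(value, 8)
    fac_name = next(n for n, code in FACILITY.items() if code == fac)
    sev_name = next(n for n, code in SEVERITY.items() if code == sev)
    return fac_name, sev_name


def parse_remote(line):
    """Parse `[no] remote <server_ip> [default] [-<log> <facility> <priority>]...`.

    Returns {"server": ip, "enable": bool, "default": bool, "<log>": (facility, priority)}.
    The guide's "original" priority keeps the appliance's own level; it is stored as None.
    """
    tokens = line.split()
    enable = True
    if tokens and tokens[0] == "no":
        enable, tokens = False, tokens[1:]
    if len(tokens) < 2 or tokens[0] != "remote":
        raise ValueError("expected: [no] remote <server_ip> [default] [-log facility priority]...")
    cfg = {"server": tokens[1], "enable": enable, "default": False}
    i = 2
    while i < len(tokens):
        tok = tokens[i]
        if tok == "default":
            cfg["default"] = True
            i += 1
            continue
        log = tok[1:]
        if not tok.startswith("-") or log not in LOGS or i + 2 >= len(tokens):
            raise ValueError(f"bad option near {tok!r}")
        facility, priority = tokens[i + 1].lower(), tokens[i + 2].lower()
        if facility not in FACILITY:
            raise ValueError(f"unknown facility {facility!r}")
        if priority != "original" and priority not in SEVERITY:
            raise ValueError(f"unknown priority {priority!r}")
        cfg[log] = (facility, None if priority == "original" else priority)
        i += 3
    return cfg


def syslog_line(cfg, log, text, appliance_level="info"):
    """BSD-syslog line the server in cfg would receive for one message of `log`.

    With priority "original" the message keeps the appliance's own level (appliance_level).
    Logs without an explicit mapping fall back to local0 here; that fallback is an assumption.
    """
    facility, priority = cfg.get(log, ("local0", None))
    return f"<{pri(facility, priority or appliance_level)}>{log}: {text}"
```

Use decode_pri() on the `<N>` prefix of a line captured at the collector to confirm the appliance really sends what you configured, and parse_remote() to review a command before typing it.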


[no] traffic command (log level)

    WG(config-log)#[no] traffic

Effect: Turns the traffic log on or off.

Arguments: None

Example:

    WG(config-log)#traffic

history command (log level)

    WG(config-log)#history

Effect: Shows up to the last 20 commands.

Arguments: None

Example:

    WG(config-log)#history

rename command (log level)

    WG(config-log)#rename <object_type> <"old name"> <"new name">

    object_type   renames
    address       address groups
    ike           IKE actions/policies
    ipsec         IPSec actions/proposals
    nat           NAT actions
    policy        security policies
    qos           QoS actions
    ras           RAS groups
    schedule      schedule actions
    service       service groups

Effect: Renames an item of the given type.

See also: See "rename command" on page 61.

nat command

    WG#config<ENTER>
    WG(config)#nat <"name"> [-static_nat <-external <address_group>> <-internal <address_group>>] | \
        [-vip <round_robin|wround_robin|random|wrandom|least_connection|wleast_connection> \
        -server [+] {<ip|address> <port> [weight]}...]

Effect: Records a new NAT action for use in security policies. You can create one of three possible NAT actions: VIP (load balancing), dynamic NAT (DNAT) or static NAT.

Arguments:

<"name">: For a load-balancing or static NAT action, a short, distinctive name for the new action.

-static_nat <-external <address group>> <-internal <address group>>: (For one-to-one and subnet-to-subnet mapping.) Specifies that this is a static NAT action and records the address groups for the external and internal addresses. The address groups can be single IP addresses or subnets.

-vip <algorithm> -server [+] {<IP address> <port> [weight]}...: Specifies that this is a load-balancing (virtual IP) NAT action and records (1) the algorithm to apply and (2) the server addresses and port numbers; for a weighted algorithm it also records (3) the per-server weight.

The load-balancing algorithm values are:

    round_robin         round robin
    wround_robin        weighted round robin
    random              random
    wrandom             weighted random
    least_connection    least connection
    wleast_connection   weighted least connection

TIP: If you are adding a new server/weight to an existing VIP NAT action, prefix the new server record with a "+" character.

For each "server" record, give the IP address of the server, the port number it listens on and, for a weighted algorithm, the proportion of traffic this server is assigned, as a whole number.

NOTE: Dynamic NAT is already present in the WatchGuard database by default and is ready for use in security policies. You can specify "dynamic_nat" as the NAT action when you create the appropriate policies.

Examples:

    WG(config)#nat load_balancing -vip wround -server {10.10.0.100 80 1} {10.10.0.101 80 2} {10.10.0.102 80 3}
    WG(config)#nat natS -stat -ext pub1 -int web_server1

Record dynamic security policy IP NAT action

    WG#config<ENTER>
    WG(config)#nat <"name"> [-dynamic_nat <a.b.c.d>]

Effect: Records a new dynamic IP NAT action for use in security policies. There are two possible DNAT options: the default IP address of interface 1, or a user-designated IP address.

Arguments: <a.b.c.d>: For a user-designated address, enter the IP address of your choice; to use the default, enter the interface 1 IP address.
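To see what the weights in a VIP action actually do to traffic, the added example below (my own model, not the appliance's scheduler, which the page does not document) parses the server records from the nat -vip example above and distributes connections with each of the six named algorithms. The VipPool class, the smooth weighted round-robin scheme it uses, and the seeded random source are my choices; the server addresses and weights are the guide's.

```python
"""Server selection for the `nat -vip` load-balancing algorithms.

Added example, not from the guide. VipPool is my own model of the six algorithms named
in the command reference (a smooth weighted round robin of my choosing; the appliance's
real scheduler is not documented on this page).
"""
import random
import re

SERVER_RE = re.compile(r"\{\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+)(?:\s+(\d+))?\s*\}")


def parse_servers(text):
    """Turn `{10.10.0.100 80 1} {10.10.0.101 80 2}` into [(ip, port, weight), ...]."""
    servers = [(ip, int(port), int(weight or 1)) for ip, port, weight in SERVER_RE.findall(text)]
    if not servers:
        raise ValueError("no {ip port [weight]} records found")
    if any(w <= 0 for _, _, w in servers):
        raise ValueError("weights must be whole numbers greater than zero")
    return servers


class VipPool:
    ALGORITHMS = ("round_robin", "wround_robin", "random", "wrandom",
                  "least_connection", "wleast_connection")

    def __init__(self, algorithm, servers, rng=None):
        if algorithm not in self.ALGORITHMS:
            raise ValueError(f"unknown algorithm {algorithm!r}")
        self.algorithm = algorithm
        self.servers = []          # (ip, port, weight)
        self.current = {}          # smooth-WRR running credit per server
        self.active = {}           # open connections per server
        self.rng = rng or random.Random(0)   # seeded so the example is reproducible
        for s in servers:
            self.add(*s)

    def add(self, ip, port, weight=1):
        """The `-server + {...}` form: append a server to an existing VIP action."""
        self.servers.append((ip, port, weight))
        self.current[(ip, port)] = 0
        self.active[(ip, port)] = 0

    def _weight(self, server):
        # The unweighted algorithms treat every server as weight 1.
        return server[2] if self.algorithm.startswith("w") else 1

    def pick(self):
        """Return the (ip, port) that the next new connection is sent to."""
        if self.algorithm in ("round_robin", "wround_robin"):
            # Smooth weighted round robin: add each weight to its credit, pick the largest,
            # charge it the total. Weights 1:2:3 yield C B A C B C, spreading the heavy
            # servers through the cycle instead of sending them runs of requests.
            total = sum(self._weight(s) for s in self.servers)
            for s in self.servers:
                self.current[(s[0], s[1])] += self._weight(s)
            best = max(self.servers, key=lambda s: self.current[(s[0], s[1])])
            self.current[(best[0], best[1])] -= total
        elif self.algorithm in ("random", "wrandom"):
            best = self.rng.choices(self.servers, weights=[self._weight(s) for s in self.servers])[0]
        else:
            # Least connection: fewest open connections, scaled by weight when weighted.
            best = min(self.servers, key=lambda s: self.active[(s[0], s[1])] / self._weight(s))
        key = (best[0], best[1])
        self.active[key] += 1
        return key

    def close(self, key):
        """Record that a connection to `key` ended (what least_connection is driven by)."""
        if self.active[key] <= 0:
            raise ValueError(f"no open connections to {key}")
        self.active[key] -= 1


def distribution(pool, n):
    """Count how n consecutive new connections are spread across the pool."""
    counts = {}
    for _ in range(n):
        key = pool.pick()
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    pool = VipPool("wround_robin", parse_servers("{10.10.0.100 80 1} {10.10.0.101 80 2} {10.10.0.102 80 3}"))
    print(distribution(pool, 60))   # 10 / 20 / 30 connections
```

Note that a weight only shapes the share of new connections; if one server stalls, round robin keeps sending it its share, whereas least_connection backs off as its open-connection count grows, which is the property to want in front of servers that fail slowly.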

no command

    WG#config<ENTER>
    WG(config)#no high_availability

Effect: Disables the high availability feature. ("no" is also used as a prefix inside the denial_of_service, log and policy commands to turn an individual option off.)

Arguments: None

Example:

    WG#config<ENTER>
    WG(config)#no high_availability

policy command

    WG#config<ENTER>
    WG(config)#policy <"name"> [<source> <destination> <interface num>] [-position <num>] \
        [-firewall <pass|block|authenticate|reject>] \
        [<-service|-tenant|-nat|-qos|-schedule|-ipsec [no] [bi_directional]> <name>] \
        [<-tosF|-tosR> <bbbbbb>]            # each b is 0 or 1; most significant bit on the left
        [-log_per_policy [enable|disable]] \
        [-icmp_error_handling_per_policy [[global|all] | [[no] fragmentation_required] \
            [[no] time_exceeded] [[no] network_unreachable] [[no] host_unreachable] \
            [[no] port_unreachable]]] \
        [-mss_adjustment_per_policy [auto|limit_to <num>|disable|use_global]]

Effect: Creates a new security policy or revises an existing one, according to the traffic specification and actions you select. NOTE: create the needed address groups, schedules, actions and services before you create the policy.

Arguments:

<source> <destination>: The source and destination address groups to which this policy applies.

<interface [0|1|2|3]>: The interface this policy applies to.

[-position <num>]: The numbered row this policy occupies in the policy table. Position matters when more than one policy could match the same traffic.

[-firewall <pass|block|authenticate|reject>]: The firewall action to apply.

[<-service|-tenant|-nat|-qos|-schedule|-ipsec [no] [bi_directional]> <name>]: Combine preexisting actions in this one policy:

    -service: the name of a service group.
    -tenant: the name of a tenant object.
    -nat: the name of a NAT action.
    -qos: the name of a QoS action.
    -schedule: the name of a schedule.
    -ipsec: the name of an IPSec action; the bi_directional flag (abbreviated "bi" in the examples) can be set, or cleared with "no".

[{-tosF|-tosR} <bbbbbb>]: The TOS marking direction (F or R) and the marking bits. "bbbbbb" represents the six bit positions (the DSCP field); enter a "1" in each position you want marked.

[-log_per_policy [enable|disable]]: Enables or disables logging for this policy.

[-icmp_error_handling_per_policy ...]: Sets ICMP error handling for this policy: "global" uses the global setting, "all" permits all of the listed error types, and each type can be enabled or disabled ("no") individually.

[-mss_adjustment_per_policy [auto|limit_to <num>|disable|use_global]]: Sets a per-policy TCP Maximum Segment Size adjustment. See "mss_adjustment" on page 112 for more information on these settings. To use the global settings, give use_global.

Examples:

    WG(config)#policy Allow_Outbound Any Any interface 0 -firewall pass -nat DYNAMIC_NAT<ENTER>
    WG(config)#policy HQ_BR_VPN HQ BR interface 0 -firewall pass -ipsec bi HQ_IPsec<ENTER>
    WG(config)#policy SJ_NY_VPN SJ NY interface 1 -firewall pass -ipsec SJ_NY_IPSec<ENTER>
    WG(config)#policy SJ_LA_VPN -mss_adjustment_per_policy limit_to 1400
    WG(config)#policy SJ_NY_VPN -icmp_error_handling_per_policy all
    WG(config)#policy SJ_NY_VPN -position 5<ENTER>

The last example moves policy SJ_NY_VPN to the fifth row of the policy table.

NOTE: You can combine a range of actions ("-vlan", "-ipsec", "-nat", "-schedule", and so on) in a single policy as needed. For more information on policy action combinations, especially to determine what will and will not work, see the User Guide.
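The reason -position deserves attention is shadowing: a broad row placed above a narrow one can keep the narrow one from ever matching, which for a VPN policy means the traffic leaves in the clear under a plain pass rule. The added example below (my own code, not from the guide) rebuilds the Allow_Outbound and HQ_BR_VPN policies from the examples above in a small table and shows the effect of relocating a row. It assumes the table is evaluated top-down with the first matching row winning, which the reference implies but does not state, and the PolicyTable class and the HQ/BR address groups are assumptions.

```python
"""Policy-table ordering for the `policy` command's -position argument.

Added example, not from the guide. It assumes the table is evaluated top-down with the
first matching row winning, which the reference implies by letting you relocate rows but
does not state; the PolicyTable class and the address-group definitions are mine.
"""
import ipaddress

# Constructed address groups standing in for objects created with the `address` command.
ADDRESS_GROUPS = {
    "Any": ipaddress.ip_network("0.0.0.0/0"),
    "HQ": ipaddress.ip_network("10.1.0.0/16"),
    "BR": ipaddress.ip_network("10.2.0.0/16"),
}


class PolicyTable:
    def __init__(self, groups=ADDRESS_GROUPS):
        self.groups = groups
        self.rows = []   # ordered list of dicts; row 1 of the table is self.rows[0]

    def policy(self, name, source=None, destination=None, interface=None, position=None, **actions):
        """Create or revise a policy, mirroring `policy <name> [src dst interface N] [-position N] ...`.

        Returns the row number the policy ends up in.
        """
        for group in (source, destination):
            if group is not None and group not in self.groups:
                raise KeyError(f"unknown address group {group!r}")
        row = next((r for r in self.rows if r["name"] == name), None)
        if row is None:
            if source is None or destination is None or interface is None:
                raise ValueError("a new policy needs source, destination and interface")
            row = {"name": name, "firewall": "pass"}
            self.rows.append(row)
        for key, value in (("source", source), ("destination", destination), ("interface", interface)):
            if value is not None:
                row[key] = value
        row.update(actions)
        if position is not None:
            if not 1 <= position <= len(self.rows):
                raise ValueError(f"position must be between 1 and {len(self.rows)}")
            self.rows = [r for r in self.rows if r is not row]
            self.rows.insert(position - 1, row)
        return next(i for i, r in enumerate(self.rows) if r is row) + 1

    def _matches(self, row, src, dst, interface):
        return (row["interface"] == interface
                and src in self.groups[row["source"]]
                and dst in self.groups[row["destination"]])

    def lookup(self, src_ip, dst_ip, interface):
        """Return the first row that matches, or None if no policy applies."""
        src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
        return next((r for r in self.rows if self._matches(r, src, dst, interface)), None)

    def shadowed(self):
        """Names of rows that can never match because an earlier row covers all their traffic."""
        names = []
        for i, later in enumerate(self.rows):
            for earlier in self.rows[:i]:
                if (earlier["interface"] == later["interface"]
                        and self.groups[later["source"]].subnet_of(self.groups[earlier["source"]])
                        and self.groups[later["destination"]].subnet_of(self.groups[earlier["destination"]])):
                    names.append(later["name"])
                    break
        return names


if __name__ == "__main__":
    table = PolicyTable()
    table.policy("Allow_Outbound", "Any", "Any", 0, firewall="pass", nat="DYNAMIC_NAT")
    table.policy("HQ_BR_VPN", "HQ", "BR", 0, firewall="pass", ipsec="HQ_IPsec")
    print(table.shadowed())                                   # ['HQ_BR_VPN']
    table.policy("HQ_BR_VPN", position=1)
    print(table.lookup("10.1.0.5", "10.2.0.5", 0)["name"])    # HQ_BR_VPN
```

Run shadowed() over the table you intend to commit: any name it returns is a policy that will never take effect in that order, and a VPN or block rule in that list is a configuration error, not a stylistic one.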

qos command

    WG#config<ENTER>
    WG(config)#qos

Effect: Enters Quality of Service (QoS) configuration mode, at which point you can enter QoS action-specific task commands and their arguments.

Arguments: None in this mode.

See also: For more information about "QoS" mode commands, see "Level 2 Quality of Service (QoS) configuration commands" on page 100.


ras command

    WG#config<ENTER>
    WG(config)#ras

Effect: Enters remote access services (RAS) configuration mode, at which point you can enter RAS connection-specific commands and their arguments.

Arguments: None in this mode.

See also: See "Level 2 Remote Access Service (RAS) configuration commands" on page 102 for details on specific "RAS" mode commands.

rename command

    WG#config<ENTER>
    WG(config)#rename <object_type> <"old name"> <"new name">

Effect: Substitutes a new name for an existing object name.

Arguments:

<object_type>: The type of object the name belongs to, for example an IPSec action, an address group or a RAS user profile.
<old name>: The existing name.
<new name>: The new name.

Example:

    WG(config)#rename address eng_net engineering<ENTER>


schedule command

    WG#config<ENTER>
    WG(config)#schedule <"name"> <enable|disable> [-all| -mon|-tue|-wed|-thu|-fri|-sat|-sun] \
        {hr:min-hr:min [hr:min-hr:min] [hr:min-hr:min] [hr:min-hr:min]}<ENTER>

Effect: Sets up a schedule for use in the application of policies. A schedule can cover the same hours every day or different hours on different days, depending on the arguments.

Arguments:

<"name">: A short, descriptive name for this schedule.

<enable|disable>: Whether this schedule is currently active.

-<day>: The days of the week the following time block applies to: "-all" for all seven days, or any combination of -mon, -tue, -wed, -thu, -fri, -sat and -sun.

{hour:minute-hour:minute}: A range of hours, such as "9:00-12:00" (9:00am to noon). This argument can be repeated for different blocks of time. Wrap the ranges in curly brackets, as shown in the examples. Hours are given in 24-hour (military) time.

TIP: A midnight start time is entered as "0:00".

Examples:

    WG(config)#schedule workdays -mon {8:00-12:00 13:00-19:00} \
        -fri {9:00-12:00} enable<ENTER>
    WG(config)#schedule 24_7 -all {0:00-24:00}<ENTER>
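A schedule attached to a pass policy is an access-control decision, so it is worth being able to state exactly when it is active. The added example below (my own code, not from the guide) parses the schedule lines from the examples above and evaluates them against a clock time. It accepts enable/disable either directly after the name, as the syntax line shows, or at the end, as the workdays example does; the half-open reading of each block (9:00-12:00 covers 9:00:00 up to but not including 12:00:00) and the parse_schedule/active function names are my assumptions.

```python
"""Evaluate a `schedule` object against a clock time.

Added example, not from the guide. parse_schedule() accepts the command's syntax (name,
enable|disable before or after the day/time blocks, -all or -mon..-sun, {hr:min-hr:min ...});
active() treats each block as half-open, so "9:00-12:00" covers 9:00:00 up to but not
including 12:00:00, which is my reading of the guide's "9:00am to Noon".
"""
import re
from datetime import datetime

DAYS = ("mon", "tue", "wed", "thu", "fri", "sat", "sun")   # datetime.weekday(): Monday == 0
RANGE_RE = re.compile(r"^(\d{1,2}):(\d{2})-(\d{1,2}):(\d{2})$")


def _minutes(hour, minute):
    """24-hour clock to minutes after midnight; 24:00 (1440) is allowed only as an end time."""
    if not (0 <= hour <= 24 and 0 <= minute <= 59) or (hour == 24 and minute != 0):
        raise ValueError(f"bad time {hour}:{minute:02d}")
    return hour * 60 + minute


def _parse_range(text):
    m = RANGE_RE.match(text)
    if not m:
        raise ValueError(f"bad time range {text!r}; expected hr:min-hr:min")
    h1, m1, h2, m2 = (int(x) for x in m.groups())
    start, end = _minutes(h1, m1), _minutes(h2, m2)
    if start >= end:
        raise ValueError(f"range {text} must start before it ends")
    return start, end


def parse_schedule(line):
    """`schedule workdays -mon {8:00-12:00 13:00-19:00} -fri {9:00-12:00} enable` -> dict."""
    tokens = line.replace("{", " { ").replace("}", " } ").split()
    if len(tokens) < 2 or tokens[0] != "schedule":
        raise ValueError("expected: schedule <name> <enable|disable> -day {hr:min-hr:min ...} ...")
    sched = {"name": tokens[1], "enabled": None, "days": {d: [] for d in DAYS}}
    days, in_block = None, False
    for tok in tokens[2:]:
        if tok == "{":
            if days is None:
                raise ValueError("time block given before any -all/-<day> flag")
            in_block = True
        elif tok == "}":
            in_block = False
        elif in_block:
            rng = _parse_range(tok)
            for d in days:
                sched["days"][d].append(rng)
        elif tok in ("enable", "disable"):
            sched["enabled"] = tok == "enable"
        elif tok == "-all":
            days = DAYS
        elif tok.startswith("-") and tok[1:] in DAYS:
            days = (tok[1:],)
        else:
            raise ValueError(f"unexpected token {tok!r}")
    if in_block:
        raise ValueError("unterminated { time block")
    if sched["enabled"] is None:
        raise ValueError("schedule needs enable or disable")
    return sched


def active(sched, when):
    """True if the schedule is enabled and `when` (a datetime) falls inside one of its blocks."""
    if not sched["enabled"]:
        return False
    now = when.hour * 60 + when.minute
    return any(start <= now < end for start, end in sched["days"][DAYS[when.weekday()]])


def active_at(sched, year, month, day, hour, minute):
    """Convenience wrapper: active() for a wall-clock moment given as numbers."""
    return active(sched, datetime(year, month, day, hour, minute))


if __name__ == "__main__":
    workdays = parse_schedule("schedule workdays -mon {8:00-12:00 13:00-19:00} -fri {9:00-12:00} enable")
    print(active_at(workdays, 2024, 1, 1, 9, 0))    # True  (Monday morning)
    print(active_at(workdays, 2024, 1, 1, 12, 0))   # False (noon is outside the block)
```

The evaluation uses the appliance's idea of local time, so a schedule is only as trustworthy as the clock and time zone configured on the appliance.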

service command

    WG#config<ENTER>
    WG(config)#service <"name"> [+] <-single <protocol port>... | \
        -range <protocol port-port>... | -group <service_group>...>

Effect: Records a new service entry (individual or group) for use in policies. The service is given as a "single" protocol and port, a "range" of port numbers for one protocol, or a "group" of existing related services.

Arguments:

<"name">: The name of this new service or group.

-single {<protocol> <port>}: The protocol and port number of a single service.

-range {<protocol> <port-port>}: The protocol and a contiguous range of port numbers (low-high) for a single service.

-group {<service-group> [<service-group> ...]}: The names of existing related services to combine.

+: Adds an additional service to an existing group.

Examples:

    WG(config)# service ldap -single tcp 389
    WG(config)# service my_app -range tcp 6000-6006
    WG(config)# service my_app + -single udp 6010
    WG(config)# service email -group "mail_SMTP" -group "POP3"<ENTER>

system command

    WG#config<ENTER>
    WG(config)#system

Effect: Enters system parameter configuration mode, at which point you can enter system-specific commands and their arguments.

Arguments: None in this mode.

See also: For more information about "system" mode commands, see "Level 2 System Configuration commands" on page 107.

trace command

    WG#config<ENTER>
    WG(config)#trace [ike <level>] [cmm <level>] [nm <level>] [pmm <level>] [ha <level>]   # level = 1-6

Effect: Runs a trace, at the given level, for the specified subsystem.

Arguments: <subsystem> <level>, where level is 1 to 6.

tenant command

    WG#config<ENTER>
    WG(config)#tenant

Effect: Enters tenant configuration mode, at which point you can record a new tenant entry for either a VLAN or user-domain tenant.

Arguments: None at this level.

See also: See "Level 2 tenant configuration commands" on page 119 for more information about the next level of tenant commands.

tunnel_switch command

    WG#config<ENTER>
    WG(config)#tunnel_switch <enable|disable>

Effect: Enables (or disables) the tunnel-switching capability of this WatchGuard appliance, according to the argument. This must be done before you apply specific tunnel-switching security policies.

Arguments: <enable|disable>. The default state is "disable".

Example:

    WG(config)#tunnel_switch enable<ENTER>


history command

    WG#config<ENTER>
    WG(config)#history

Effect: Shows the last 20 commands entered at this level of the CLI. You can use it at any level of the CLI. For example, after extensive policy creation the output might list 20 commands numbered 64 through 83, 83 being the most recent.

NOTE: The history is a verbatim record, so any secret typed on a command line (for example the FTP password in "upgrade -ftp user:passwd@host...") is visible to anyone who can run this command.

Arguments: None

Example:

    WG(config)#history<ENTER>

Results:

    Executed Commands:
    0 ike
    1 address
    2 address "pubs" -host 10.10.99.1
    3 show address pubs
    4 dos
    5 denial
    WG(config)#

Second level configuration mode commands

The following sections detail the second-level configuration commands, divided into "task" or "topical" collections:

• "Level 2 certificate configuration commands" on page 67
• "Level 2 High Availability configuration commands" on page 72
• "Level 2 IKE configuration commands" on page 78
• "Level 2 interface configuration commands" on page 82
• "Level 2 IPSec configuration commands" on page 95
• "Level 2 license commands (for upgraded or additional features)" on page 117
• "Level 2 Quality of Service (QoS) configuration commands" on page 100
• "Level 2 Remote Access Service (RAS) configuration commands" on page 102
• "Level 2 System Configuration commands" on page 107
• "Level 2 tenant configuration commands" on page 119

Level 2 certificate configuration commands

request command (configure certificate level)

    WG#config<ENTER>
    WG(config)#certificate <ENTER>
    WG(config-cert)#request <"name"> -company <"name"> [-country <"name">] \
        [-department <"name">] -dns_name <"name"> [-ip_address <a.b.c.d>] \
        [-user_domain <[email protected]>] \
        [-key_usage {<rsa|dsa> <1024|512> <encryption|signature|both>}]

Effect: Generates a VPN certificate request that can be sent to a certifying authority. After executing this command (with the required arguments), you must copy the resulting request text and paste it into the relevant form (an e-mail message, a Web-site request or a text file) that you transmit to the proper authority.

Arguments:

<"name">: The host name of this appliance (omitting the remainder of the DNS entry).

-company <"name">: The name of your company or organization.

-country <"name">: The name (or official abbreviation) of your country. The default is "US".

-department <"text">: (Optional) The specific department name.

-dns_name <"name">: The fully qualified DNS name of this appliance.

-ip_address <a.b.c.d>: The IP address of this appliance's interface 1.

-user_domain <"name">: A user domain name, if any.

-key_usage {<rsa|dsa> <1024|512> <encryption|signature|both>}: The key usage particulars: RSA or DSA, the key length in bits, and whether the key is for encryption, signature or both. Choose 1024 bits; 512-bit RSA and DSA keys are too weak to protect a VPN.

Example:

    WG(config-cert)#request -cert1 -com BigCompany -cou US -dns RS1.WatchGuard.com -key {rsa 1024 both}<ENTER>

If this command is successful, the CLI prompts you to copy and paste the results into the appropriate means of submitting this request to the authority.

import command (configure certificate level)

    WG#config<ENTER>
    WG(config)#certificate <ENTER>
    WG(config-cert)#import <"certificate text">

Effect: Imports the contents of a newly received VPN or Web certificate into the WatchGuard appliance database.

To import a certificate, open the certificate file, copy its text, and paste it at the prompt, as shown in the following example. Before you import a certificate, confirm that its subject and issuer are the ones you requested.

Arguments: None.

Example:

    WG(config-cert)# import<ENTER>

Results: On-screen instructions appear, as shown here.

    Paste certificate below, then press Enter.
    -----BEGIN CERTIFICATE-----
    MIIC1jCCAj+gAwIBAgIDBJYLMA0GCSqGSIb3DQEBBAUAMCgxCzAJBgNVBAYTAlVTMRkwFwYDVQQKExBSYXBpZFN0cmVhbSBJbmMuMB4XDTAxMDIxOTA0MjAyNVoXDTAxMDUyMDA0MjAyNVowOzELMAkGA1UEBhMCVVMxGTAXBgNVBAoTEFJhcGlkU3RyZWFtQ8DCCtvvThQ2ug==
    -----END CERTIFICATE-----


show command (configure certificate level)

WG#config<ENTER>WG(config)#certificate <ENTER>WG(config-cert)#show [cert_id]

EffectDisplays the properties of a specific certificate or a certificate request. If no “specific certificate” argument is used, this command lists all the current certificates and pending certificate

Arguments[cert_id]This optional argument records a specific certificate ID.

ExamplesWG(config-cert)# show<ENTER>

OrdTYPE NAMESubjectCert idKeyAlgo

1 Pndg cn=a,o=WatchGuard,c=US cn=a,o=WatchGuard,c=20001 RSA

2 CA o=WatchGuard Inc.,c=US o=WatchGuard Inc.,c=U 1075246528 RSA

—OR—

WG(config-cert)# show 20001<ENTER>

Pending Certificate
Name: cn=a,o=rapidstreaym,c=US
Subject: cn=a,o=rapidstreaym,c=US
Cert ID: 20001
DNS Name: WatchGuard.com
Key Algorithm: RSA
Length: 1024
Key Usage: both
Issued by:
Valid Period: -

-----BEGIN CERTIFICATE REQUEST-----

[base64-encoded request body omitted]

-----END CERTIFICATE REQUEST-----

ssl command (configure certificate level)

WG#config<ENTER>
WG(config)#certificate <ENTER>
WG(config-cert)#ssl <ip|"name">

Effect
Creates a Web (SSL) certificate request for this appliance. After the request is generated, you must copy and paste the text into a text file and send it to a third-party CA as part of a formal request for a Web certificate.

Arguments
<ip|"name">
Use this argument to enter either the IP address or the host name of this security appliance.

Example
WG(config-cert)# ssl rs101<ENTER>
Creating certificate request could take several minutes.
Please wait…

-----BEGIN CERTIFICATE REQUEST-----

[base64-encoded request body omitted]

-----END CERTIFICATE REQUEST-----

Level 2 High Availability configuration commands

show command (configure high availability level)

WG#config<ENTER>
WG(config)#high_availability <ENTER>
WG(config-ha)#show

Effect
Displays the configuration settings for any High Availability ports in this WatchGuard appliance.

Arguments
None


Example
WG(config-ha)#show<ENTER>
HA Type: Active_Active
Primary System Name = 2026
Secondary System Name = 2027
No Shared Secret
Interfaces  Primary IP       Mask            Secondary IP     Mask            Monitoring
0:          192.168.104.64   255.255.255.0   192.168.104.65   255.255.255.0   ON
1:          192.128.134.32   255.255.255.0   192.128.134.33   255.255.255.0   ON
2:          30.0.0.1         255.0.0.0       30.0.0.8         255.0.0.0       OFF
3:          40.0.0.1         255.0.0.0       40.0.0.2         255.0.0.0       OFF
Advanced HA Parameters:
HA1: Enabled   HA2: Disabled
Primary    HA1 IP 1.0.0.1 netmask 255.255.255.0   HA2 IP 10.10.10.26 netmask 255.255.0.0
Secondary  HA1 IP 1.0.0.3 netmask 255.255.255.0   HA2 IP 10.10.10.27 netmask 255.255.0.0
HA Status
HA Role: Primary
DB Time Stamp:
  Primary:   Thu Dec 5 16:38:58 2002
  Secondary: Thu Dec 5 16:38:58 2002
Status:
  Primary:   ACTIVE
  Secondary: ACTIVE


Enable high availability

WG#config<ENTER>
WG(config)#high_availability <ENTER>
WG(config-ha)$ [active_standby | active_active]
[advanced]                                   Enter Advanced Setting Mode
[disable]
[hotsync]
[monitor <[0] [1]...[N]> <ON|OFF>]
[<primary|secondary> [interface N ip ] | [-name systemName2] ]
[no][shared_secret secret1]
show      show current configuration and statistics
history   show command history
exit      go back to parent level
top       go back to root level

Effect
Enables high availability in WatchGuard appliances with one or more HA interfaces, and assists you in entering precise HA system settings.

Arguments
active_standby | active_active

This turns high availability on in either Active/Standby mode or Active/Active mode. For more information on these modes, see the Vcontroller User Guide.

advanced

This enters advanced High Availability configuration mode, and shows the following prompt: WG(config-ha-advanced)$

For more information, see "High Availability advanced configuration mode" on page 77.

disable

Disables High Availability.

hotsync

Syncs the local appliance with its peer. In Active/Standby mode a hotsync should be performed every time the configuration of the Active box is changed. In Active/Active mode, a hotsync should only be performed during the initial setup, when the secondary appliance is in factory default configuration.

monitor {1 & | 2}
This optional command specifies which interface (1 or 2) you want this appliance to monitor for link status. (Note that interface 0 (private) is always monitored.)

<primary|secondary> [interface N ip ] | [-name systemName2] ] [no][shared_secret secret1]

ha1_interface <master_ip> <backup_ip> </prefix|mask>
This command configures the IP address of the HA1 interface of the master and backup appliances.

ha2_interface <master_ip> <backup_ip> </prefix|mask>
This command configures the IP address of the HA2 interface of the master and backup appliances, if needed.

<enable|disable>
This command activates or deactivates the HA system.

polling_interval <in seconds>
This optional command sets the HA polling interval. The default value is 1 second, but you can increase it to 15 seconds if you choose.

id <1-255>
This optional command notes the VRRP group ID for this HA pairing, if one has been assigned to it. The number must be between 1 and 255.

Example
WG(config-ha)# monitor {pub} poll 5<ENTER>

Apply high availability configuration changes

WG#config<ENTER>
WG(config)#high_availability <ENTER>
WG(config-ha)#exit

Effect
Initiates the process of saving and applying any just-completed HA interface configuration. You are asked to confirm committing these changes; press Y to do so.

Arguments
None

Example
WG(config-ha)#exit<ENTER>

Commit (Y/N)?y<ENTER>

HA IP address is set to 12.10.1.2,please wait for it to take effect…

WG(config-ha)#


High Availability advanced configuration mode

WG#config<ENTER>
WG(config)#high_availability <ENTER>
WG(config-ha)#advanced
WG(config-ha-advanced)# [action <local | peer> <failover | restart>]
[ha2 <enable | disable>]
[primary <ha1|ha2> ip </prefix|mask>]
[secondary <ha1 ip>| <ha2 ip </prefix|mask>>]
show      show current configuration and statistics
history   show command history
rename    rename an object
exit      go back to parent level
top       go back to root level

Effect
Allows you to configure advanced settings for High Availability.

Arguments
action <local | peer> <failover | restart>

Allows you to manually fail over or restart the local or peer appliance of the HA pair. The local appliance is the one you are connected to, and the peer is its HA partner.

ha2 <enable | disable>

Allows you to enable the HA2 port for HA use. When this is enabled, and the HA2 ports are connected between the two appliances in addition to the HA1 ports, an added level of redundancy is ensured.

primary <ha1|ha2> ip </prefix|mask>
secondary <ha1 ip>| <ha2 ip </prefix|mask>>

This allows you to set the IP addresses and netmasks for the primary and secondary device’s HA ports.

Example
WG#config<ENTER>
WG(config)#high_availability <ENTER>
WG(config-ha)#advanced
WG(config-ha-advanced)#primary ha1 ip \
10.10.10.11|255.255.0.0 \
secondary ha1 ip 10.10.10.12

Level 2 IKE configuration commands

action command (configure IKE level)

WG#config<ENTER>
WG(config)#ike <ENTER>
WG(config-ike)#action <"name"> \
<-main_mode|-aggressive_mode> [no][-natt <enable|disable> [-natt_keepalive <seconds>] ] [extended_authentication] [+] \
-rsa {<g1|g2><des|3des><md5|sha><lifetime<min|hr> \
&|lifesize<KB|MB>>} \
-dss {<g1|g2><des|3des><md5|sha><lifetime [min|hr]&|lifesize [KB|MB]>} \
-preshared {<g1|g2><des|3des><md5|sha><lifetime \
[min|hr]|lifesize \ [KB|MB]}

Effect
Records a new IKE action, for use in IKE policies.


Arguments
<"name">
Enter the name of this action before the remaining arguments.

<-main_mode | -aggressive_mode>
This argument specifies your choice of IKE mode.

[-natt <enable|disable> [-natt_keepalive <seconds>]]
-natt enables or disables NAT Traversal (UDP encapsulation). -natt_keepalive specifies the time in seconds between keep-alive messages.

[extended_authentication]
This argument, when present, activates extended authentication, used for remote access connection requests.

-rsa {<g1|g2><des|3des><md5|sha><lifetime \
[min|hr]&|lifesize [KB|MB]>}
This argument and its values detail the RSA IKE transform.

-dss {<g1|g2><des|3des><md5|sha> \
<lifetime[min|hr]>&| lifesize[KB|MB]>}
This argument and its values detail the DSS IKE transform.

-preshared {<g1|g2><des|3des><md5|sha> \
<lifetime[min|hr]&|lifesize[KB|MB]>}
This argument and its values specify the pre-shared key IKE transform.

In all three preceding arguments, the following values are the options you can apply:

Option              Description
g1 | g2             The two Diffie-Hellman group options.
des | 3des          The two encryption algorithm options.
md5 | sha           The two hash (authentication) algorithm options.
lifetime min|hr     A key lifetime, measured in minutes or hours.
lifesize KB|MB      A key lifetime, measured in kilobytes or megabytes.

Example
WG(config-ike)#action my_act -main \
-rsa {g2 3des md5 10hr 100MB} {g1 des sha 45min} \
-dss {g2 3des sha 8hr}

policy command (configure IKE level)

WG#config<ENTER>
WG(config)#ike <ENTER>
WG(config-ike)#policy <"name"> \
<*|peer_address> -action <"ike_action_name"> \
-peer <any | [-address <"name"> &|-domain <"name"> \
&|-user_domain <"usr@host"> &|-X.500 <"name">] > \
[-local {<cert_id><ip_address|domain|user_domain |X500>} [-preshared <ascii_key|%hex_key> ] \
[-position <number>]

Effect
Records a new IKE policy, including actions.

Arguments
<"name">
This argument records a brief, descriptive name for this policy.

<*|peer_address>
This argument notes either "any" (indicated by *) or the address group representing the peer appliance(s).

-action <ike_action>
This argument notes the name of the IKE action used by this policy.

-peer <any> | -address <"name"> &| -domain \
<"name"> &| -user_domain <"user@host"> &| -X.500 \
<"string">]
This argument specifies the means of identifying the peer appliance from these five options. You can enter "any" as the sole option, or combine any of the following options (and their values) in this argument:

Option          Description
-address        An address group used as the peer ID type.
-domain         A domain name used as the peer ID type.
-user_domain    A user domain name used as the peer ID type.
-X.500          An X.500 name used as the peer ID type.

[-local {<cert-id> <ip-address|domain|user-domain|X500>}]
This optional argument specifies which ID type is used by this WatchGuard appliance. The argument is the same as for -peer, as noted above.

[-preshared <ascii_key|%hex_key>]
This optional argument records the text of the pre-shared key, if one is used by this policy. You must enter the actual key text as either ASCII text or hexadecimal notation.

[-position <number>]
This argument records the numeric position assigned to this policy in the IKE policy table.

Example
WG(config-ike)#policy "Remote Users" * -action \
remote_users -peer -domain WatchGuard.com \
-user_domain WatchGuard.com -local {20001 domain}

WG(config-ike)#policy IKE_NY_SJ NY_Gateway \
-action psk_main -peer any -preshared \
"secret"<ENTER>

Level 2 interface configuration commands

Enter system interface configuration mode

WG#config<ENTER>
WG(config)#interface<ENTER>

Effect
Enters the system interface configuration mode.

Arguments
None. Please review the rest of this section for related commands.

show command (configure interface level)

WG#config<ENTER>
WG(config)#interface<ENTER>
WG(config-if)#show

Effect
Displays the current network address settings for each of the main security appliance data interfaces: 0 (private), 1 (public), or 2 (DMZ, where applicable).

Arguments
None.

Example
WG(config-if)# show<ENTER>

The results appear as shown in this example:

interface 0: ip = 10.10.13.101
net mask = 255.255.0.0
status = UP
mac address = 00:01:21:10:01:e5

interface 1: ip = 16.10.203.121
net mask = 255.255.255.0
status = DOWN
mac address = 00:01:21:10:01:e6

interface 2: ip = 10.20.0.1
net mask = 255.255.255.0
status = DOWN
mac address = 00:01:21:10:01:e7
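The `show` output above is what an operator would capture to audit an appliance's addressing. As an added example that is not part of the guide and not WatchGuard code, here is a small parser for that output plus a check that flags interfaces that are not UP or whose address is a network or broadcast address; the sample text is constructed from the three records shown above, and the mask-to-prefix conversion is the /16 == 255.255.0.0 equivalence the guide states.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample: the three records the interface-level `show` prints,
# in the layout reproduced in the guide.
SAMPLE_SHOW_OUTPUT = """\
interface 0: ip = 10.10.13.101
net mask = 255.255.0.0
status = UP
mac address = 00:01:21:10:01:e5
interface 1: ip = 16.10.203.121
net mask = 255.255.255.0
status = DOWN
mac address = 00:01:21:10:01:e6
interface 2: ip = 10.20.0.1
net mask = 255.255.255.0
status = DOWN
mac address = 00:01:21:10:01:e7
"""


@dataclass
class InterfaceRecord:
    number: int
    ip: str
    mask: str
    status: str
    mac: str

    def prefix_length(self) -> int:
        """Dotted mask -> /N (255.255.0.0 -> 16, as the guide notes)."""
        return ipaddress.IPv4Network(f"0.0.0.0/{self.mask}").prefixlen

    def cidr(self) -> str:
        return f"{self.ip}/{self.prefix_length()}"


_HEADER = re.compile(r"^interface (\d+): ip = (\S+)$")
_FIELD = re.compile(r"^(net mask|status|mac address) = (\S+)$")
_KEYS = {"net mask": "mask", "status": "status", "mac address": "mac"}


def parse_show_output(text: str) -> List[InterfaceRecord]:
    """Turn the `show` text into one record per interface; rejects stray lines."""
    records = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _HEADER.match(line)
        if m:
            current = {"number": int(m.group(1)), "ip": m.group(2)}
            records.append(current)
            continue
        m = _FIELD.match(line)
        if m is None or current is None:
            raise ValueError(f"unexpected line: {line!r}")
        current[_KEYS[m.group(1)]] = m.group(2)
    return [InterfaceRecord(**r) for r in records]


def audit(records: List[InterfaceRecord]) -> List[Tuple[int, str, str]]:
    """Findings as (interface, what, detail): interfaces not UP, and
    interfaces whose address is the network or broadcast address of
    their own subnet (a misconfiguration worth catching before commit)."""
    findings = []
    for r in records:
        net = ipaddress.IPv4Network(r.cidr(), strict=False)
        addr = ipaddress.IPv4Address(r.ip)
        if r.status != "UP":
            findings.append((r.number, "status", r.status))
        if addr in (net.network_address, net.broadcast_address):
            findings.append((r.number, "address", "network or broadcast address"))
    return findings
```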

interface 0 command (configure interface level)

WG#config<ENTER>
WG(config)#interface<ENTER>
WG(config-if)#interface 0 [<a.b.c.d> </prefix|mask> [-mtu num] [-100_full_duplex | -100_half_duplex| -10_full_duplex|-10_half_duplex | -auto]] | [[no] dhcp_server -clients num [-lease_time num [hours|days]]] [dhcp_relay <a.b.c.d>]
# -lease_time default is 7 days

Effect
Use this command to configure the network identity of a WatchGuard appliance's interface 0 (Private).

Arguments
<a.b.c.d>
This argument records the IP address assigned to this interface.

</prefix|mask>
This argument records the number of bits in the subnet mask (for example, "/16" is equivalent to the mask 255.255.0.0), or the actual subnet mask.

-mtu num
This allows you to set the size of the Maximum Transmission Unit (MTU). The default is 1500 bytes.

[-100_full_duplex | -100_half_duplex| -10_full_duplex|-10_half_duplex | -auto]
This setting allows you to specify the speed and duplex at which the interface will operate.

[[no] dhcp_server -clients num [-lease_time num [hours|days]]]
This allows you to activate the DHCP server service on this interface and specify its settings, including the number of clients allowed DHCP access and the lease time for a DHCP address. The lease time default is 7 days.


Put “no” in front of this command to turn off the DHCP server on this interface.

[dhcp_relay <a.b.c.d>]
This allows you to use a separate DHCP server on your network to serve DHCP addresses, with the Vclass acting as a DHCP relay agent.

Example
WG(config-if)#interface 0 10.12.12.7 255.255.255.0 \
-mtu 1500 -100_half_duplex no dhcp_server<ENTER>
or
WG(config-if)#interface 0 10.12.12.7/24 -mtu 1500 \
-100_half_duplex no dhcp_server<ENTER>
or
WG(config-if)#interface 0 10.12.12.7/24 -mtu 1500 \
-100_half_duplex dhcp_relay 10.0.0.253<ENTER>

private command (configure interface level, V10 only)

WG#config<ENTER>
WG(config)#interface<ENTER>
WG(config-if)#private <a.b.c.d> </prefix|mask> [no] dhcp_server -clients NUMBER [-lease_time NUMBER]

Effect
Use this command to configure DHCP server options assigned to a WatchGuard V10 appliance's Private (0) interface.


Arguments
<a.b.c.d>
This argument records the IP address assigned to this interface.

</prefix|mask>
This argument records the number of bits in the subnet mask, or the subnet mask itself.

dhcp_server
Enter this argument to activate the DHCP server service on this appliance.

-clients NUMBER
This argument indicates the number of clients permitted DHCP access.

-lease_time NUMBER
This argument indicates the lease time for all client connections, recorded in minutes.

[no] dhcp_server
Enter this argument to disable any previously active DHCP service.

Example
WG(config-if)#private 192.168.1.1 255.255.255.0 dhcp_server \
-clients 3 -lease_time 60<ENTER>

interface 1 command (configure interface level)

WG#config<ENTER>
WG(config)#interface<ENTER>
WG(config-if)# interface 1 [<a.b.c.d> </prefix|mask> | [-mtu num] | [-100_full_duplex | -100_half_duplex| -10_full_duplex|-10_half_duplex | -auto]] |
[dhcp [host_id]] |
[pppoe -user "name" -password "password" [<-dial_on_demand|-always_on> <num>]] [-unnumbered_pppoe <a.b.c.d>|disable]]
[backup [ip <a.b.c.d> mask <a.b.c.d> gateway <a.b.c.d> ]| [dhcp [host_id] ] | [pppoe -user "name" -password "password"] [-unnumbered_pppoe <a.b.c.d>|disable]] |
[disable] | [switch_to_backup] |
[tracking -remove|-add <a.b.c.d> -interval <seconds> -timeout <seconds> -pause_before_failback <minutes> ] ]
#num is either auto reconnect delay in seconds.
#or if dial_on_demand, the idle timeout in minutes.
#ex: inter 1 pppoe -use u1 -pas xxxxx -dial 20
#backup PPPoE connection only supports ALWAYS_ON.

Effect
Use this command to configure the network identity of a WatchGuard appliance's interface 1 (Public), if it is a publicly routable, fixed IP address.

Arguments
<a.b.c.d>
This argument records the IP address assigned to this interface.

</prefix|mask>
This argument records the number of bits in the subnet mask (for example, "/16" is equivalent to the mask 255.255.0.0), or the actual subnet mask.

[-mtu num]
This allows you to set the size of the Maximum Transmission Unit (MTU). The default is 1500 bytes.

[-100_full_duplex | -100_half_duplex| -10_full_duplex|-10_half_duplex | -auto]
This setting allows you to specify the speed and duplex at which the interface will operate.

[dhcp ["host_id"]]
This allows you to obtain the IP address of interface 1 using DHCP.

[pppoe -user "name" -password "password"]
This allows you to set interface 1 to PPPoE. If the password contains the pound (#) character, it must be enclosed in double quotes.

[<-dial_on_demand|-always_on> <num>]
This allows you to set PPPoE to Dial-on-Demand or Always On mode. The meaning of <num> differs in each mode. For Dial-on-Demand mode, this number is the inactivity timeout in minutes (default 20 minutes). For Always On mode, this number is the auto-reconnect interval in seconds (default 60 seconds).

[-unnumbered_pppoe <a.b.c.d>|disable]
This option allows you to use unnumbered PPPoE. For more information on unnumbered links, see RFC 1812 section 2.2.7.

[backup [ip <a.b.c.d> mask <a.b.c.d> gateway <a.b.c.d> ] | [dhcp [host_id] ] | [pppoe -user "name" -password "password"] [unnumbered_pppoe <a.b.c.d>|disable] [disable] [switch_to_backup]
This allows you to enable a backup WAN connection for interface 1, for systems whose ISP or network provider is unreliable. You can configure the failover connection as static, by typing the IP address, netmask, and gateway; as DHCP, using the [dhcp ["host_id"]] syntax; as PPPoE (always on), using the [pppoe -user "name" -password "password"] syntax; or as unnumbered PPPoE, using the [unnumbered_pppoe <a.b.c.d>|disable] syntax. You can disable the backup connection with the [disable] option.


You can switch to the backup connection using the command switch_to_backup.

[tracking -remove|-add <a.b.c.d> -interval <seconds> -timeout <seconds> -pause_before_failback <minutes> ]
For systems that configure a backup WAN connection using the failover command, these settings must be specified. You can add up to three IP addresses that are used to determine WAN failure. These addresses are used with the -interval and -timeout values to decide when the WAN connection has failed. -interval is the time that elapses between attempts to ping all of the specified tracking addresses. -timeout is the time that can elapse before a ping attempt is considered failed. All of the specified IP addresses must fail to respond to the ping attempt within the timeout for the WAN connection to be considered failed.

In the event of failure, the WAN is switched over to the backup connection. This causes a brief interruption in processing while the system restarts. In order to prevent frequent restarts, the final parameter, -pause_before_failback, is provided. This allows you to specify the amount of time that must elapse between failovers.
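The failure rule above (all tracked addresses must fail within -timeout, rounds every -interval, and -pause_before_failback throttling the switch back) is easy to get wrong when reasoning about outages, so here is the decision logic as an added, runnable model; it is not WatchGuard code and not from the guide. Assumptions: the pause is modelled as the minimum time between switching to the backup and switching back to the primary, a reply slower than -timeout counts as a failure, and the sample rounds (the guide's tracking address 124.12.15.16 plus two constructed ones) are made up for the run.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class TrackingConfig:
    addresses: List[str]        # up to three tracking addresses (-add <a.b.c.d>)
    interval: int               # seconds between ping rounds (-interval)
    timeout: int                # seconds after which a ping counts as failed (-timeout)
    pause_before_failback: int  # minutes that must elapse before switching back

    def __post_init__(self) -> None:
        if not 1 <= len(self.addresses) <= 3:
            raise ValueError("tracking takes one to three addresses")


@dataclass
class WanTracker:
    cfg: TrackingConfig
    on_backup: bool = False
    last_switch_at: Optional[int] = None
    events: List[tuple] = field(default_factory=list)

    def round_failed(self, replies: Dict[str, Optional[float]]) -> bool:
        # The WAN counts as failed only when EVERY tracked address fails:
        # no reply at all (None) or a reply slower than -timeout seconds.
        return all(replies.get(a) is None or replies[a] > self.cfg.timeout
                   for a in self.cfg.addresses)

    def observe(self, now: int, replies: Dict[str, Optional[float]]) -> str:
        """Feed one ping round at time `now` (seconds); return the decision."""
        failed = self.round_failed(replies)
        in_pause = (self.last_switch_at is not None
                    and now - self.last_switch_at < self.cfg.pause_before_failback * 60)
        if failed and not self.on_backup:
            # Failover itself is immediate; the appliance restarts on the backup link.
            self.on_backup, self.last_switch_at = True, now
            self.events.append((now, "failover"))
            return "failover"
        if not failed and self.on_backup:
            if in_pause:  # assumption: the pause gates how soon the switch back may follow
                return "hold"
            self.on_backup, self.last_switch_at = False, now
            self.events.append((now, "failback"))
            return "failback"
        return "backup" if self.on_backup else "primary"


def simulate(cfg: TrackingConfig, rounds: List[Dict[str, Optional[float]]]) -> List[str]:
    """Run successive ping rounds, one every cfg.interval seconds; return the decisions."""
    tracker = WanTracker(cfg)
    return [tracker.observe(i * cfg.interval, replies) for i, replies in enumerate(rounds)]


# Constructed sample: pinged every 10 s, 3 s timeout, 1 minute pause before failback.
SAMPLE_CFG = TrackingConfig(["124.12.15.16", "10.100.99.1", "10.100.99.2"], 10, 3, 1)
UP = {"124.12.15.16": 0.02, "10.100.99.1": 0.03, "10.100.99.2": 0.03}
ONE_ALIVE = {"124.12.15.16": 0.02, "10.100.99.1": None, "10.100.99.2": None}
ALL_DEAD = {"124.12.15.16": None, "10.100.99.1": 5.0, "10.100.99.2": None}  # 5.0 s > timeout
SAMPLE_ROUNDS = [UP, ONE_ALIVE, ALL_DEAD, ALL_DEAD, UP, UP, UP, UP, UP]
```

Running `simulate(SAMPLE_CFG, SAMPLE_ROUNDS)` shows that a single surviving tracking address keeps the primary link, and that the link comes back only once the pause has elapsed, not on the first healthy round.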


Example
WG(config-if)#interface 1 10.10.12.8 \
255.255.0.0 -mtu 1500 \
-10_full_duplex<ENTER>
or
WG(config-if)#interface 1 10.10.12.8/16 -mtu 1500 -10_full_duplex <ENTER>

Example (PPPoE)
WG(config-if)#interface 1 pppoe \
-user joeuser -password joepass \
-always_on 60

Example (DHCP)
WG(config-if)#interface 1 dhcp dhcpsrvr

Example (Backup Connection)
WG(config-if)#interface 1 10.10.12.8 255.255.0.0 -mtu auto \
-backup ip 10.10.24.16 mask 255.255.0.0 \
gateway 10.100.99.1 tracking -add 124.12.15.16

interface 2 (DMZ) command (configure interface level)

WG#config<ENTER>
WG(config)#interface<ENTER>
WG(config-if)#interface 2 <a.b.c.d> </prefix|mask> [-mtu num] [-100_full_duplex | -100_half_duplex| -10_full_duplex|-10_half_duplex | -auto]

Effect
Use this command to configure the network identity of a WatchGuard appliance's interface 2 (DMZ), where applicable.


Arguments
<a.b.c.d>

This argument records the IP address assigned to this interface.

</prefix|mask>

This argument records the number of bits in the subnet mask (for example, "/16" is equivalent to the mask 255.255.0.0), or the actual subnet mask.

-mtu num

This allows you to set the size of the Maximum Transmission Unit (MTU). The default is 1500 bytes.

[-100_full_duplex | -100_half_duplex| -10_full_duplex|-10_half_duplex | -auto]

This setting allows you to specify the speed and duplex at which the interface will operate.

Example
WG(config-if)#interface 2 10.12.12.9 255.255.255.0 \
-mtu 1500 -10_full_duplex<ENTER>
or
WG(config-if)#interface 2 10.12.12.9/24 -mtu 1500 \
-10_full_duplex<ENTER>

interface 3 (DMZ2) command (configure interface level, V60 and V80 only)

WG#config<ENTER>
WG(config)#interface<ENTER>
WG(config-if)#interface 3 <a.b.c.d> </prefix|mask> [-mtu num] [-100_full_duplex | -100_half_duplex| -10_full_duplex|-10_half_duplex | -auto]

Effect
Use this command to configure the network identity of a WatchGuard appliance's interface 3, where applicable.

Arguments
<a.b.c.d>

This argument records the IP address assigned to this interface.

</prefix|mask>

This argument records the number of bits in the subnet mask (for example, "/16" is equivalent to the mask 255.255.0.0), or the actual subnet mask.

-mtu num

This allows you to set the size of the Maximum Transmission Unit (MTU). The default is 1500 bytes.

[-100_full_duplex | -100_half_duplex| -10_full_duplex|-10_half_duplex | -auto]

This setting allows you to specify the speed and duplex at which the interface will operate.

Example
WG(config-if)#interface 3 10.12.12.9 255.255.255.0 \
-mtu 1500 -auto<ENTER>
or
WG(config-if)#interface 3 10.12.12.9/24 -mtu 1500 \
-auto<ENTER>


ha1 command (configure interface level)

WG#config<ENTER>
WG(config)#interface<ENTER>
WG(config-if)#ha1 <a.b.c.d> </prefix|mask>

Effect
Use this command to configure the network identity of a WatchGuard appliance's High Availability 1 interface, when this interface is used for management access instead of HA functionality.

Arguments
<a.b.c.d>
This argument records the IP address assigned to this interface.

</prefix|mask>
This argument records the number of bits in the subnet mask, or the subnet mask itself.

Example
WG(config-if)#ha1 10.0.0.1 255.255.255.0<ENTER>
or
WG(config-if)#ha1 10.0.0.1/24<ENTER>

ha2 command (configure interface level)

WG#config<ENTER>
WG(config)#interface<ENTER>
WG(config-if)#ha2 <a.b.c.d> </prefix|mask>

Effect
Use this command to configure the network identity of a WatchGuard appliance's High Availability 2 interface, when this interface is used for management access instead of HA functionality.


Arguments
<a.b.c.d>
This argument records the IP address assigned to this interface.

</prefix|mask>
This argument records the number of bits in the subnet mask, or the subnet mask itself.

Example
WG(config-if)#ha2 10.0.0.1 255.255.255.0<ENTER>
or
WG(config-if)#ha2 10.0.0.1/24<ENTER>

mode command

WG(config-if)# mode router | transparent<ENTER>

Effect
Use this command to switch the appliance between Router mode and Transparent mode.

An appliance can only be switched from Router mode (default) to Transparent mode when the appliance is in the factory default configuration state. You are prompted to restore the system to the factory default state when you attempt this switch.

An appliance can be switched from Transparent mode to Router mode in any configuration condition.

A restart is required for the mode switch to take effect.

Arguments
None

Example
WG(config-if)# mode router<ENTER>


Apply interface address changes to appliance

WG#config<ENTER>
WG(config)#interface<ENTER>
WG(config-if)#exit

Effect
Use this command to immediately apply any interface address changes to this appliance. The appliance reports status messages (as shown below) to inform you about the process.

Arguments
None

Example
WG(config-if)# exit<ENTER>
Commit (Y/N)?y<ENTER>

Results…

interface 1 IP address is set to 16.10.203.121,please wait for it to take effect…

WG(config)#

Level 2 IPSec configuration commands

action command (configure IPSec level)

WG#config<ENTER>
WG(config)#ipsec <ENTER>
WG(config-ipsec)#action <"name"> \
< -tunnel_mode <*|peer_ip|address>| -transport_mode> \
-auto_key [no] pfs_group <1|2> <"proposal-name">… \
<"proposal-name"> -manual_key \
-esp <local_spi> <peer_spi> <des|3des> \
<ascii_key|%hex_key> <md5|sha> <ascii_key|%hex_key> \
-ah <local_spi> <peer_spi> <md5|sha> \
<ascii_key|%hex_key>


Effect
Records a new IPSec action (manual key or automatic key), including one or more proposals that have been created beforehand.

Arguments
<"name">
Type a unique name for this action.

<-tunnel_mode|-transport_mode>
This argument determines whether this action uses tunnel mode or transport mode.

<*|peer IP address|address group>
If you enter tunnel mode, you must then qualify it with one of the following: (1) enter "*" to indicate ANY source, (2) enter a specific peer appliance's IP address, or (3) enter the name of an address group containing the peer IP address.

-auto_key
Enter this argument if this action uses an automatic key. Do not use -manual_key if using an automatic key.

The following two arguments further qualify this automatic key exchange.

[no] pfs_group <1|2>
If this action uses an automatic key, use this argument to specify which perfect forward secrecy option (Diffie-Hellman group 1 or 2) is used. If none is used, preface this argument with "no".

<"proposal_name"> [<"proposal_name">…]
If this action uses an automatic key, use this argument to enter the IKE proposal names (one or more).

-manual_key
Enter this argument if this action employs a manual key. (If doing so, do not use the -auto_key argument.) The following ten arguments (grouped around the ESP and AH algorithms) qualify this manual key exchange.

-esp
Enter this argument if this action employs the ESP protocol for the manual key.

<local_spi>
Use this argument to enter a unique number that represents the SPI of this appliance. The number must be between 256 and 65535.

<peer_spi>
Use this argument to enter a different, unique number that represents the SPI of the peer security appliance. The number must be between 256 and 65535.

<des | 3des>
Use this argument to pick either the DES or the 3DES encryption algorithm.

<ascii_key | %hex_key>
This argument contains the actual manual key text, in ASCII or hexadecimal notation.

-ah
Enter this argument if this action employs the AH protocol for the manual key.

<local_spi>
Use this argument to enter a unique number that represents the SPI of this appliance. The number must be between 256 and 65535.

<peer_spi>
Use this argument to enter a different, unique number that represents the SPI of the peer security appliance. The number must be between 256 and 65535.

<md5|sha>
Use this argument to pick either the MD5 or the SHA authentication (hash) algorithm.

<ascii_key | %hex_key>
This argument contains the actual manual key text, in ASCII or hexadecimal notation.

Example
WG(config-ipsec)# action NY_IPSec -tunnel \
NY_Gateway -auto no pfs_group MAX_SECURITY \
ESP-3DES<ENTER>

# This command creates an auto-key IPSec action with a peer tunnel. The peer IP is NY_Gateway, no PFS is used, the first proposal is MAX_SECURITY and the second is ESP_3DES.

WG(config-ipsec)# action remote_user_ipsec \
-tunnel * -auto pfs_group 1 ESP-3DES-MD5 \
ESP-DES-MD5<ENTER>

# This command creates a tunnel-mode, auto-key IPSec action for remote users. The peer tunnel IP is * (ANY), PFS uses DH group 1, and there are two proposals: ESP-3DES-MD5 and ESP-DES-MD5.

WG(config-ipsec)# action SJ_Man -tunnel \
102.39.45.28 -man -esp 256 982 3des mankey<ENTER>

# This command results in a tunnel-mode, manual-key IPSec action with a peer tunnel IP address of 102.39.45.28. It uses ESP-3DES (local SPI is 256, peer SPI is 982) and the key text is “mankey”.
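The manual-key form of `action` carries several constraints the guide states in prose (SPIs from 256 to 65535, local and peer SPI different, <des|3des> and <md5|sha> as the only choices, a key given as ascii_key or %hex_key). As an added example, not WatchGuard code and not from the guide, here is a builder that checks those constraints before emitting the command text, so a bad value is caught in a script rather than at the appliance prompt. Assumptions: the guide's abbreviated keywords -tunnel and -man are written out as -tunnel_mode and -manual_key (the full forms shown in the syntax line), the authentication algorithm and key after the ESP cipher key are optional (the SJ_Man example omits them), and a key is one whitespace-free token with %hex_key holding an even number of hex digits.

```python
import re
from typing import Optional, Tuple

SPI_MIN, SPI_MAX = 256, 65535          # SPI range stated in the guide
CIPHERS = ("des", "3des")              # <des|3des>
HASHES = ("md5", "sha")                # <md5|sha>
# %hex_key: '%' followed by whole bytes (assumption: even number of hex digits)
_HEX_KEY = re.compile(r"^%(?:[0-9A-Fa-f]{2})+$")


def check_spi(label: str, spi: int) -> int:
    if isinstance(spi, bool) or not isinstance(spi, int) or not SPI_MIN <= spi <= SPI_MAX:
        raise ValueError(f"{label} must be an integer from {SPI_MIN} to {SPI_MAX}, got {spi!r}")
    return spi


def check_key(label: str, key: str) -> str:
    # Either ascii_key (one token, so no whitespace) or %hex_key.
    if not key or any(ch.isspace() for ch in key):
        raise ValueError(f"{label} must be a single non-empty token")
    if key.startswith("%") and not _HEX_KEY.match(key):
        raise ValueError(f"{label} starts with '%' but is not an even-length hex string")
    return key


def esp_transform(local_spi: int, peer_spi: int, cipher: str, enc_key: str,
                  auth: Optional[Tuple[str, str]] = None) -> str:
    """-esp <local_spi> <peer_spi> <des|3des> <key> [<md5|sha> <key>]"""
    check_spi("ESP local_spi", local_spi)
    check_spi("ESP peer_spi", peer_spi)
    if local_spi == peer_spi:
        raise ValueError("ESP local_spi and peer_spi must be different numbers")
    if cipher not in CIPHERS:
        raise ValueError(f"ESP cipher must be one of {CIPHERS}, got {cipher!r}")
    parts = ["-esp", str(local_spi), str(peer_spi), cipher,
             check_key("ESP encryption key", enc_key)]
    if auth is not None:
        alg, key = auth
        if alg not in HASHES:
            raise ValueError(f"ESP authentication algorithm must be one of {HASHES}, got {alg!r}")
        parts += [alg, check_key("ESP authentication key", key)]
    return " ".join(parts)


def ah_transform(local_spi: int, peer_spi: int, alg: str, key: str) -> str:
    """-ah <local_spi> <peer_spi> <md5|sha> <key>"""
    check_spi("AH local_spi", local_spi)
    check_spi("AH peer_spi", peer_spi)
    if local_spi == peer_spi:
        raise ValueError("AH local_spi and peer_spi must be different numbers")
    if alg not in HASHES:
        raise ValueError(f"AH algorithm must be one of {HASHES}, got {alg!r}")
    return " ".join(["-ah", str(local_spi), str(peer_spi), alg, check_key("AH key", key)])


def manual_key_action(name: str, peer: str, *transforms: str) -> str:
    """Assemble the command text with the CLI's backslash continuation.
    peer is '*', a peer IP address, or an address-group name."""
    if not transforms:
        raise ValueError("a manual-key action needs at least one -esp or -ah transform")
    return " \\\n".join([f"action {name} -tunnel_mode {peer} -manual_key", *transforms])


def rejects(fn, *args) -> bool:
    """True when fn(*args) raises ValueError; used to exercise the checks."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False
```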


proposal command (configure IPSec level)

WG#config<ENTER>
WG(config)#ipsec <ENTER>
WG(config-ipsec)#proposal <"name"> [+] \
[-antireplay_window [0|32|64]] \
-esp {<des|3des|md5|sha><lifetime<min|hr> \
|lifesize<KB|MB>>} \
-ah {<md5|sha><lifetime<min|hr>| lifesize<KB|MB>>}…

Effect
Creates or modifies an IPSec proposal that can then be incorporated into IPSec actions (which can then be added to security policies).

Arguments
<"name">
This argument notes the name assigned to this new proposal.

-antireplay_window <0|32|64>
This argument (and the required value) sets the anti-replay window size.

-esp {<des|3des> [md5|sha] <lifetime <min|hrs>| \
lifesize <KB|MB>>}
If you want to include an ESP transform in this proposal, type this argument plus the necessary values: algorithm, lifesize, lifetime.

-ah {<md5|sha> <lifetime <min|hrs>|lifesize \
<KB|MB>>}
If you want to include an AH transform in this proposal, type this argument plus the necessary values: algorithm, lifesize, lifetime.

+
Type this character before entering a new transform that is to be added to an existing IPSec proposal.


Examples
WG(config-ipsec)#proposal "new_prop1" -antireplay \
32 -esp {3des md5 10hrs} {des md5 5hr 10MB} -ah \
{sha 34min 100MB}<ENTER>
# This example shows the creation of a new proposal.

WG(config-ipsec)# prop my_proposal + -ah \
{ sha 8hr }
# This example shows the addition of a new AH transform to an existing proposal.

Level 2 Quality of Service (QoS) configuration commands

action command (configure Quality of Service level)

WG#config<ENTER>
WG(config)#qos<ENTER>
WG(config-qos)#action <"name"> -bandwidth_weight <1-100>

Effect: Records a new QoS action or modifies an existing action.

Arguments:
<"name">  This argument, immediately following the command, notes the name assigned to this new QoS action.

-bandwidth_weight <1-100>  This argument (and the required value) determines the level of QoS based on the WFQ algorithm.

Examples:
WG(config-qos)#action high_QoS -bandwidth 25<ENTER>

WG(config-qos)#action mid_QoS -bandwidth 5<ENTER>

Enable or disable port shaping for interface 0 or 1

WG#config<ENTER>
WG(config)#qos<ENTER>
WG(config-qos)#system [<interface 0|interface 1> <<num>Kbps|Mbps>] [enable|disable]

Effect: Enables (or disables) port shaping for either interface 0 (private) or interface 1 (public) of a WatchGuard appliance, and enters the general QoS value for that interface. The value entered will be the sending throughput of that interface. When a system port-shaping action is enabled, the appliance restarts automatically in order to apply the policy.

Arguments:
<interface 0 | interface 1>  Use this argument to enter one of these interfaces.

<<num>Kbps|Mbps>  Use this argument to enter one option, Kbps or Mbps, plus the appropriate number value.

<enable | disable>  Use this argument to enter one of these options.

Example:
WG(config-qos)#system interface 1 10Mbps enable<ENTER>
# This example shows a policy that restricts the output throughput of the Public interface to 10 megabits per second.

Level 2 Remote Access Service (RAS) configuration commands

group_profile command (configure RAS level)

WG#config<ENTER>
WG(config)#ras<ENTER>
WG(config-ras)#group_profile <"name"> [no] [-address_pool <"address_group">] [-dns <a.b.c.d>] [-session_time_out <number> <min|hr>] [-idle_time_out <number> <min|hr>] [-concurrent_logins_per_user <number>]

Effect: Creates a new RAS group profile (or modifies an existing profile) that controls the connection parameters of all associated remote access user accounts.

Arguments:
<"name">  This argument records a name for this group profile, which will be used when creating individual user profile accounts.

[no] [-address_pool <"address_group">]  This argument specifies the name of an address group containing a pool of internal IP addresses assigned to remote access connections.

[-dns <a.b.c.d>]  This argument assigns a DNS IP address to the remote users belonging to this group.

[-session_time_out <number> <min|hr>]  This argument limits the total time any one account user can continuously stay logged into the network. The default time limit is 8 (hours).

[-idle_time_out <number> <min|hr>]  This argument sets the time limit for an inactive connection before it is automatically broken. The default is 15 (minutes).

[-concurrent_logins_per_user <number>]  This argument specifies the number of concurrent connections a user can establish. The default is 1.

Example:
WG(config-ras)#group consultants -address sjnet10 -dns 134.12.33.2 -session 2 hr -idle 5 min -con 1<ENTER>

user_profile command (configure RAS level)

WG#config<ENTER>
WG(config)#ras<ENTER>
WG(config-ras)#user_profile <"name"> [enable|disable] [-password "password"] [-full_name <"name">] [-group_profile "profile_name"] [-pw_expiry <days|never>] [-account_expiry <days|never>] [-concurrent_logins <"number">]

Effect: Enters a new remote access user account (or modifies an existing account) in an internal database in the WatchGuard appliance.

Arguments:
<"name">  This argument records the login ID used by this remote user account, and should be between 1 and 15 characters in length.

[enable|disable]  This argument activates (or deactivates) this account. The default state is “enable”.

[-password "password"]  This argument records the initial password first used by this account, and should be between 6 and 8 characters in length.

[-full_name <"name">]  This argument notes the full name of the user, up to 15 characters in length.

[-group_profile "profile_name"]  This argument specifies which user group profile affects this user account. The default choice is “default setting”.

[-pw_expiry <"days"|never>]  This argument sets the number of days until the user’s password expires. The default is 90 days.

[-account_expiry <"days"|never>]  This argument sets the number of days until this account expires. The default lifetime is 180 days.

[-concurrent_logins <"number">]  This argument limits the number of concurrent connections this account user can establish. The default is 1.

Example:
WG(config-ras)#user enable jdoe -password jdsecret -full "John Doe" -group admGroup -pw_expiry 60 -account 60 -concurrent 1<ENTER>

Results: To review and confirm your entries, type this command:

WG(config-ras)#show user jdoe<ENTER>

The results are displayed, similar to this example:

User Profile
Name = jdoe
Full Name = "John Doe"
Enabled
Description = ""
User Group Profile = admGroup
Password Expires at Sat May 19 15:40:40 2001
Password Epiry = 60 Days
Account Expires at Sat May 19 15:40:40 2001
Account Epiry = 60 Days
Concurrent Logins = 1

database command (configure RAS level)

WG#config<ENTER>
WG(config)#ras<ENTER>
WG(config-ras)#database <-internal | -radius <primary|[no] backup> -ip <a.b.c.d> -secret <"name"> [-port <number>] [-authentication <pap|secure_id>] [-user_group <"name">]>

Effect: Establishes whether the authentication database is stored on the RADIUS server or in this WatchGuard Firebox Vclass security appliance, then notes the parameters of this database.

Arguments:
-internal  This argument specifies the use of an internal database within the WatchGuard appliance for RAS user authentication.

-radius  This argument specifies the use of a RADIUS server as the host for a RAS user authentication database.

If you enter “-radius”, enter the following arguments:

<primary|[no] backup>  This argument specifies whether the primary or backup RADIUS server is currently being configured. You’ll need to enter this command two times, to configure a primary and a backup server connection.

If you want to delete the configuration entries for a backup RADIUS server, enter the “no backup” argument.

-ip <a.b.c.d>  This argument establishes the IP address of the RADIUS server that will be used.

-secret <"password_text">  This argument records the secret password allowing this appliance to contact the database in the RADIUS server.

[-authentication <pap|secure_id>]  This argument establishes which authentication is being used: PAP or SecurID.

[-port <number>]  This optional argument records the RADIUS server port number, if needed.

[-user_group <"name">]  This optional argument specifies the name of a user group profile used by RADIUS users. Be sure to use the “user_group_profile” command to control session time and idle timeout for RADIUS users.

Examples:
WG(config-ras)#database -radius primary -ip 12.10.1.2 -sec confidential -auth secure_id -user_group exec_staff<ENTER>

WG(config-ras)#database -internal<ENTER>

WG(config-ras)#database -radius backup -ip 12.10.1.3 -sec confidential<ENTER>

Level 2 System Configuration commands

Command For more information, see

dns “dns command (configure system level)” on page 108

cpm “cpm command (configure system level)” on page 108

fwuser “fwuser command (configure system level)” on page 109

icmp_error_handling “icmp_error_handling command (configure system level)” on page 110

interface “interface command (configure system level)” on page 110

ldap “ldap command (configure system level)” on page 110

log “log command (configure system level)” on page 111

mss_adjustment “mss_adjustment” on page 112

ntp “ntp command (configure system level)” on page 113

route “route command (configure system level)” on page 113

snmp “snmp command (configure system level)” on page 114

sysinfo “sysinfo command (configure system level)” on page 115

tcp_syn_checking “tcp_syn_checking” on page 116

vlan_forwarding “vlan_forwarding command (configure system level)” on page 116

vpn “vpn command (configure system level)” on page 117

no “No command” on page 143

show “Show command” on page 144

history “history command” on page 14

rename “Rename command” on page 143

exit “exit command” on page 14

top “top command” on page 15

dns command (configure system level)

WG#config<ENTER>
WG(config)#system<ENTER>
WG(config-sys)#[no] dns <"domain_name"> -server <a.b.c.d> [a.b.c.d]

Effect: Records the domain names and IP addresses of all relevant domain name servers.

Arguments:
no  This argument (when entered before the dns command) removes this DNS entry.

<"domain_name">  This argument records the domain name of this security appliance.

-server <a.b.c.d>  This argument records the IP address of the DNS server.

Example:
WG(config)#dns my_company.com -server 24.12.2.1<ENTER>

cpm command (configure system level)

WG#config<ENTER>
WG(config)#cpm <enable "text of password"|disable>

Effect: Enables this appliance to be managed by means of the WatchGuard Centralized Policy Manager (CPM). You can also use this command to disable CPM as needed. If enabling CPM access, be sure to enter the CPM-access password immediately following the “enable” argument.

Arguments:
enable  Enter this argument to activate WatchGuard CPM access to this WatchGuard appliance.

<password_text>  Enter the text of the CPM access password after “enable”.

disable  Enter this argument if you have already established CPM access and want to disable the connection.

Example:
WG(config)#cpm enable cpm_admit_1<ENTER>

fwuser command (configure system level)

WG#config<ENTER>
WG(config)#system<ENTER>
WG(config-sys)#fwuser -t <idle_timeout> [seconds|minutes]

Effect: Allows you to change the value for a firewall user connection idle timeout. The system default is two hours, and the default unit is "seconds".

Argument:
-t <idle_timeout> [seconds|minutes]  The idle timeout value, optionally followed by its unit; if no unit is given, the value is taken in seconds.

icmp_error_handling command (configure system level)

WG#config<ENTER>
WG(config)#system<ENTER>
WG(config-sys)#icmp_error_handling [all] | [[no] fragmentation_required] [[no] host_unreachable] [[no] time_exceeded] [[no] port_unreachable] [[no] network_unreachable]

Effect: Allows you to turn on ICMP error handling for all events, or just for the events you specify.

interface command (configure system level)

WG#config<ENTER>
WG(config)#interface

Effect: Enters the interface configuration mode, at which point you can enter interface-specific commands and their arguments.

Arguments: None in this mode.

See Also: For more information on interface configuration mode, see “Level 2 interface configuration commands” on page 82.

ldap command (configure system level)

WG#config<ENTER>
WG(config)#system<ENTER>
WG(config-sys)#[no] ldap <"IP_address"|"name"> [port_number]

Effect: Activates (or deactivates) a network connection to an LDAP server that this security appliance would use to look up certificate revocation lists during IKE key negotiations.

Arguments:
no  This argument (when entered before the ldap command) deactivates this LDAP connection.

<a.b.c.d|"name"> [port-number]  This argument notes the pertinent IP address and LDAP server port number. You can enter either an IP address or a domain name, and, if the LDAP server port number is other than “389”, you must enter it.

To enter a host name, you must first record the DNS server connection, as noted elsewhere in this Guide.

Example:
WG(config-sys)#ldap 207.124.35.3 189<ENTER>

log command (configure system level)

WG#config<ENTER>
WG(config)#system<ENTER>
WG(config-sys)#log

Effect: Enters the log configuration mode, at which point you can enter log file-specific commands and their arguments.

Arguments: None in this mode. For more information about “log” mode commands, see “Level 3 log configuration commands” on page 124.

mss_adjustment command (configure system level)

WG#config<ENTER>
WG(config)#system<ENTER>
WG(config-system)#mss_adjustment [auto | limit_to <num> | disable]
# limit_to range: 40-1460 bytes

Effect: Sets the TCP Maximum Segment Size for the system. This feature works in conjunction with the MTU settings to limit the size of packets, if configured. This feature overcomes the following problems:

- Oversized packets can result in fragmentation, degrading VPN performance.

- Proxies may require MSS adjustment to prevent fragmentation.

- Some older systems do not support MTU to regulate packet size. This feature works along with MTU; it does not replace MTU.

Arguments:
auto  Auto adjustment calculates the MSS automatically, using the following calculation: it determines the lesser value of the input port MTU and the output port MTU, subtracts packet overhead (including IP and TCP addressing, VLAN, ESP, PPPoE, AH, and UDP encapsulation), and rounds the result down to the next lower multiple of 8 bits (8-bit aligned) to determine the size in bytes that is required for packet transmission. The result of this calculation is used as the MSS for the connection.

limit_to  This limits the MSS to the specified size in bytes. You can specify a value between 40 and 1640 bytes.

disable  This specifies that no change be made to the TCP header. If you select this option, packets may fragment.

Example:
WG#config<ENTER>
WG(config)#system<ENTER>
WG(config-system)#mss_adjustment limit_to 1400<ENTER>
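The three mss_adjustment modes described above, modelled in Python as an added example (this is not WatchGuard code). The per-header overhead byte values, the reading of “8-bit aligned” as 8-byte alignment, and the rule that an advertised MSS is only ever lowered are assumptions made for the example and labelled in the code.

```python
"""Model of the mss_adjustment modes (auto / limit_to / disable) applied to the
MSS option a TCP SYN advertises. Added example, not WatchGuard code."""

from typing import Iterable, Optional

# Fixed per-header overhead in bytes. Constructed assumptions for this example:
# the guide names the header kinds it subtracts but not the byte values used.
OVERHEAD = {
    "ip": 20,     # IPv4 header, no options
    "tcp": 20,    # TCP header, no options
    "vlan": 4,    # 802.1Q tag
    "pppoe": 8,   # PPPoE header (6) + PPP protocol field (2)
    "esp": 36,    # SPI + sequence + IV + ICV with worst-case padding (assumed)
    "ah": 24,     # AH with a 96-bit ICV
    "udp": 8,     # UDP encapsulation header
}

# limit_to range as given in the command syntax line above.
LIMIT_TO_MIN, LIMIT_TO_MAX = 40, 1460


def auto_mss(mtu_in: int, mtu_out: int, encapsulations: Iterable[str] = (),
             align: int = 8) -> int:
    """'auto' mode: the smaller of the two port MTUs, minus IP/TCP and any
    encapsulation overhead, rounded down to an aligned size.
    The guide says '8-bit aligned'; this example assumes 8-byte alignment."""
    path_mtu = min(mtu_in, mtu_out)
    overhead = OVERHEAD["ip"] + OVERHEAD["tcp"]
    for enc in encapsulations:
        if enc in ("ip", "tcp") or enc not in OVERHEAD:
            raise ValueError(f"unknown encapsulation: {enc}")
        overhead += OVERHEAD[enc]
    mss = path_mtu - overhead
    if mss < LIMIT_TO_MIN:
        raise ValueError("path MTU leaves no room for a TCP payload")
    return mss - (mss % align)


def limit_to_mss(value: Optional[int]) -> int:
    """'limit_to' mode: accept only a value inside the documented range."""
    if value is None or not LIMIT_TO_MIN <= value <= LIMIT_TO_MAX:
        raise ValueError(f"limit_to must be {LIMIT_TO_MIN}-{LIMIT_TO_MAX} bytes")
    return value


def rewrite_syn_mss(advertised: int, mode: str, limit: Optional[int] = None,
                    mtu_in: int = 1500, mtu_out: int = 1500,
                    encapsulations: Iterable[str] = ()) -> int:
    """Returns the MSS option value the SYN carries after the appliance.
    Assumption: the appliance only lowers an advertised MSS, never raises it."""
    if mode == "disable":
        return advertised  # TCP header left untouched; packets may fragment later
    if mode == "limit_to":
        return min(advertised, limit_to_mss(limit))
    if mode == "auto":
        return min(advertised, auto_mss(mtu_in, mtu_out, encapsulations))
    raise ValueError(f"unknown mode: {mode}")


if __name__ == "__main__":
    # Constructed scenario: a VLAN-tagged ESP tunnel between two 1500-byte ports.
    print(auto_mss(1500, 1500, ["vlan", "esp"]))    # 1416
    print(rewrite_syn_mss(1460, "limit_to", 1400))  # 1400
    print(rewrite_syn_mss(1460, "disable"))         # 1460
```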

ntp command (configure system level)

WG#config<ENTER>
WG(config)#system<ENTER>
WG(config-sys)#ntp

Effect: Discuss effects

Arguments: Describe arguments.

route command (configure system level)

WG#config<ENTER>
WG(config)#system<ENTER>
WG(config-sys)#route

Effect: Enters the system route configuration mode, at which point you can enter route-specific commands and their arguments.

Arguments: None in this mode.

See Also: For more information about route mode commands, see “Level 3 route configuration commands” on page 122.

snmp command (configure system level)

WG#config<ENTER>
WG(config)#system<ENTER>
WG(config-sys)#snmp <a.b.c.d> [a.b.c.d] [-community <"string">] [-trap|-no_trap]

Effect: Records network connection data for all relevant SNMP management workstations that will receive traps generated by this security appliance.

Arguments:
no  This argument, if entered before the “snmp” command, removes/deactivates all recorded SNMP stations.

<a.b.c.d>  This argument records the IP address for a specific SNMP workstation.

-community <"text_string">  This argument records the community string.

[-trap|-no_trap]  This optional argument activates (or deactivates) the SNMP trap settings.

Example:
WG(config-sys)#snmp 128.13.44.2 -community 66gHf4D -trap<ENTER>

Results: To view the results, type this command:
WG(config-sys)#show snmp<ENTER>

sysinfo command (configure system level)

WG#config<ENTER>
WG(config)#system<ENTER>
WG(config-system)#sysinfo <-name <"string"> &| -location <"string"> &| -contact <"string">>

Effect: Applies new system information to an existing security appliance, including appliance name, contact name and actual location of the appliance.

Arguments:
-name <"string">  Use this argument to record the DNS name of this security appliance, without the rest of the DNS entry.

-location <"string">  Use this argument to record the geographic location of this appliance.

-contact <"string">  Use this argument to record the name of the administrator.

-time <hh:mm:ss>  Use this argument to set the system time.

-date <mm:dd:yy>  Use this argument to set the system date.

Example:
WG(config-sys)#sysinfo -name mucho -loc "Lot 49" -contact "O. Maas" -time 14:42:05 -date 10:15:02<ENTER>

To review and confirm your entries, type this command:

WG(config-sys)#show sysinfo<ENTER>

The complete results will appear as suggested here (in eight lines):

System name=mucho
System contact=O. Maas
System location=Lot 49
Version=4.0
SerialNum=<D0YXA0A0D408>

tcp_syn_checking command (configure system level)

WG#config<ENTER>
WG(config)#system<ENTER>
WG(config-system)#tcp_syn_checking <enable|disable>

Effect: This enables or disables TCP SYN checking.

vlan_forwarding command (configure system level)

WG#config<ENTER>
WG(config)#system<ENTER>
WG(config-sys)#vlan_forwarding [enable|disable]

Effect: Allows you to enable (or disable) the system-wide VLAN forwarding capability.

Arguments:
enable  Turns on VLAN forwarding.

disable  Turns off VLAN forwarding (if it is active).

vpn command (configure system level)

WG#config<ENTER>
WG(config)#system<ENTER>
WG(config-system)#vpn [[no] ignore_DF_for_IPSec] [[no] IPSec_pass_through]

Effect: This allows you to set options for VPN.

Arguments:
[no] ignore_DF_for_IPSec  This allows large packets to be fragmented and passed through the VPN tunnel. If you set this feature, the appliance ignores the don't fragment (DF) bit.

[no] IPSec_pass_through  This allows IPSec pass-through.

Level 2 license commands (for upgraded or additional features)

import command (config license level)

WG#config<ENTER>
WG(config)#license<ENTER>
WG(config-license)#import

Effect: Imports a new license that upgrades or adds functionality to the appliance.

Arguments: None

active_feature command (config license level)

WG#config<ENTER>
WG(config)#license<ENTER>
WG(config-license)#active_feature<ENTER>

Effect: Lists all currently active extra features (obtained through licensing).

Arguments: None

delete command (config license level)

WG#config<ENTER>
WG(config)#license<ENTER>
WG(config-license)#delete <license_id>

Effect: Removes the named license from the appliance.

Arguments:
<license_id>  This argument records the exact ID for a license to delete.

Example: None

show command (config license level)

WG#config<ENTER>
WG(config)#license<ENTER>
WG(config-license)#show [license_id]

Effect: Displays a summary of the named license or lists all available licenses.

Arguments:
None  With no argument, this will list all available licenses.

<license_id>  This argument notes an ID for the license and will list the details of that license.

Example:
WG#config<ENTER>
WG(config)#license<ENTER>
WG(config-license)#show

Ord  License Name        License ID  Expiration Date
1    V80_3DES_HA_Bundle  3293MXLD    17-05-2022

or

WG#config<ENTER>
WG(config)#license<ENTER>
WG(config-license)#show 3293MXLD

License Name: V80_3DES_HA_Bundle
License ID: 3293MXLD
Feature(s): HA3DESUPGRADE
Expiration Date: 17-05-2022

Level 2 tenant configuration commands

vlan command (configure tenant level)

WG#config<ENTER>
WG(config)#tenant<ENTER>
WG(config-tenant)#vlan <"name"> <-id num> [-interface <0|2|3>] [-ip a.b.c.d/e] [-gateway a.b.c.d] [-public <default|<a.b.c.d/e>>]
# valid vlan -id range (1-4094)
# -ip a.b.c.d/e  if specified, the IP address/mask assigned for interface 0|2|3 (default is 0) of tenant
# e.g.> vlan v1 -id 3 -interface 0 -gate 10.1.0.1

Effect: Records a new VLAN tenant entry, along with the appliance interface that VLAN tenant traffic will be expected to use.

Arguments<"name">This argument records the name assigned to this VLAN tenant (for use in security policies.)

<-id num>This argument record the VLAN ID as "id" followed by the number (between 1 and 4096) assigned to this tenant.

<-interface [0 | 2| 3]>This argument specifies which interface (0, 2, or 3) this VLAN tenant is associated with.

[-ip a.b.c.d/e]This argument records the IP address and subnet assigned to the 0 (private) or 2 (DBZ) interface, if one of those are specified.

[-gateway a.b.c.d]This argument notes the gateway IP address for this tenant, if needed.

-public <default|<a.b.c.d/e>This allows you to specify a public VLAN IP address and gateway.

ExampleWG(config-tenant)#vlan <"execs"> -interface 1 192.168.12.34 \-id 366 <ENTER>

user_domain command (configure tenant level)

WG#config<ENTER>
WG(config)#tenant<ENTER>
WG(config-tenant)#user_domain <"name"> <-id num> [-public <default|<a.b.c.d/e>>] <-idle_time_out m> <-radius_ip a.b.c.d> [-radius_port port] <-radius_secret 'secret'> [-backup_radius_ip a.b.c.d] [-backup_radius_port port] [-backup_radius_secret 'secret'] <-radius_timeout sec> <-radius_retry n> [-use_login_id_with_domain_name <on|off>]
# valid user domain tenant -id must be from 5001 to 65535
# -idle_time_out m     Idle timeout. m is the number in minutes
# -radius_timeout sec  Time out for radius request
# -radius_retry n      Number of retries for radius query

Effect: Records a new VLAN-specific tenant entry, along with the appliance interface that VLAN tenant traffic will be expected to use.

Arguments:
user_domain  This argument identifies which type of tenant this entry represents.

<"name">  This argument records the name assigned to this VLAN tenant (for use in security policies).

<-id num>  This is "id" followed by the number (above 5000) assigned to this tenant.

-public <default|<a.b.c.d/e>>  This allows you to specify a public user domain IP address and gateway.

<-idle_time_out m>  This argument sets the idle timeout for this entry in minutes.

<-radius_ip a.b.c.d>  This argument indicates the radius server and its IP address.

[-radius_port port]  This optional argument notes the port number of the Radius server, if a port other than the default is used.

<-radius_secret 'secret'>  This argument indicates the Radius password and its text.

[-backup_radius_ip a.b.c.d] [-backup_radius_port NUMBER]  This pair of arguments allows you to note a backup Radius server and its port number, if present.

Example:
WG(config-tenant)#user_domain "MegaCo" -interface 1 192.168.12.34 -id 6666 -idle 720 -radius 12.12.3.144 -radius_secret "no_admit"<ENTER>

Level 3 configuration mode commands

The following section, detailing all the third-level configuration commands, has been divided into “task” or “topical” collections, which include the following:

- Route configuration: this page

- Log configuration: page 124

Level 3 route configuration commands

Configure new static route

WG#config<ENTER>
WG(config)#system<ENTER>
WG(config-sys)#route<ENTER>
WG(config-route)#static <destination> </prefix|mask> <gateway> interface <0|1|2>

Effect: Configures a new static route utilized by traffic passing through this WatchGuard appliance.

Arguments:
<destination>  Use this argument to record the IP address of the destination subnet.

</prefix|mask>  Use this argument to record the number of bits in the subnet mask, or the destination subnet mask.

<gateway>  Use this argument to record the IP address of the next gateway to the destination subnet.

interface <0|1|2>  This argument specifies which interface in this security appliance is used for outgoing traffic using this route.

delete  Type this argument before typing the arguments for a route, to deactivate that particular route.

Example:
WG(config-route)#static 0.0.0.0/0 105.10.74.122 pub<ENTER>

Configure dynamic routing

WG#config<ENTER>
WG(config)#system<ENTER>
WG(config-sys)#route<ENTER>
WG(config-route)#[no] dynamic [import|restart]

EffectConfigures dynamic routing in this WatchGuard Firebox Vclass security appliance.

Arguments:
no  Enter this argument to deactivate dynamic routing altogether.

[import|restart]  Use these options to import dynamic routing information, or to restart the system.

Examples:
WG(config-route)#dynamic import<ENTER>

WG(config-route)#dynamic restart<ENTER>

Level 3 log configuration commands

Activate or deactivate traffic log file

WG#config<ENTER>
WG(config)#system<ENTER>
WG(config-sys)#log<ENTER>
WG(config-log)#traffic

Effect: Use this command to activate (or deactivate) a traffic log file.

Arguments:
no  This argument, when entered before the type of log file, will deactivate that log.

Example:
WG(config-log)#no traffic<ENTER>

Configure events log file

WG#config<ENTER>
WG(config)#system<ENTER>
WG(config-sys)#log<ENTER>
WG(config-log)#event <critical|error|warning|admin|info>

Effect: Use this command to configure the events log file.

Arguments:
<critical|error|warning|admin|info>  Type one of the above-noted “log level” selections after the command prompt, to indicate what to include in this events log. If you type “critical”, the log will record only critical events, whereas if you type “info”, the log will record all of the other selections too.

no  This argument, when entered before “event”, will deactivate the event log.

Example:
WG(config-log)#event error<ENTER>

Set up remote log server connection

WG#config<ENTER>
WG(config)#system<ENTER>
WG(config-sys)#log<ENTER>
WG(config-log)#remote_log_server <"ip_address">

Effect: Use this command to set up a remote log server connection.

Arguments:
<ip_address>  This argument records the IP address of the remote log server.

Example:
WG(config-log)#remote_log_server 128.19.3.77<ENTER>

NOTE: When exiting “config” mode you may be prompted Commit before exit? (Y/N). This prompt is displayed if you have made changes but have not committed them to the WatchGuard appliance database. Type Y to commit your changes and return to the WG# prompt, or type N to void the changes and leave the database in its previous state.

CHAPTER 4 Debug Mode Commands

All WatchGuard CLI commands are organized into groups, which are presented as specific command modes. This chapter covers the commands available in Debug Mode.

Debugging/troubleshooting commands

The CLI Debug commands, detailed here, enable the use of standard Linux commands such as ping, tcpdump, netstat, traceroute, and arp. Most commands such as “netstat,” “arp,” “ping,” “tcpdump,” and “traceroute” are similar to those provided on UNIX, Solaris and Linux systems. You can use these commands to troubleshoot network environments.

Debugging configuration information is not saved when the database is backed up or exported to an XML profile. Debugging commands are available only for runtime debugging purposes.

Debugging information is not synced between HA appliances.

Command For more information

arp See “arp command” on page 129.

clear_logs See “clear_logs” on page 129.

config_http See “config_http command” on page 129.

conn_idle_timeout See “conn_idle_timeout command” on page 130.

ha_instant_sync See “ha_instant_sync command” on page 130.

hwdiag See “hwdiag command” on page 131.

ifconfig See “ifconfig command” on page 131.

importscreen See “importscreen command” on page 132.

kernel_debug See “kernel_debug command” on page 133.

netstat See “netstat command” on page 134.

ping See “ping command” on page 134.

pppoe_config See “pppoe_config command” on page 135.

radius_ping See “radius_ping command” on page 135.

rcinfo See “rcinfo command” on page 137.

reboot See “reboot command” on page 137.

rs_kdiag See “rs_kdiag command” on page 138.

set_dos_if See “set_dos_if command” on page 139.

slink See “slink command” on page 139.

tcpdump See “tcpdump command” on page 140.

traceroute See “traceroute command” on page 140.

verbose_trace See “verbose_trace command” on page 141.

vinstall See “vinstall command” on page 141.

show See “Show command” on page 144.

history See “history command” on page 14.

exit See “exit command” on page 14.

top See “top command” on page 15.

arp command

WG#debug<ENTER>
WG(debug)#arp

Effect: Displays or manipulates the ARP cache.

Arguments: None

Example:
WG(debug)#arp<ENTER>

clear_logs command

WG#debug<ENTER>
WG(debug)#clear_logs

Effect: Clears all log entries.

Argument: None

config_http command

WG#debug<ENTER>
WG(debug)#config_http [enable | disable | logon_html [standard | alternate]]
  enable                Enable HTTPd
  disable               Disable HTTPd
  logon_html standard   Use default logon HTML page.
  logon_html alternate  Use alternate logon HTML page.

Effect: Allows you to enable and disable debugging for HTTP.

Arguments:
enable  Enables HTTP debugging.

disable  Disables HTTP debugging.

logon_html [standard | alternate]  Standard allows you to use the default HTML logon debugging page. Alternate allows you to use the alternate HTML logon page.

Example:
WG#debug<ENTER>
WG(debug)#config_http enable logon_html alternate<ENTER>

conn_idle_timeout command

WG#debug<ENTER>
WG#debug conn_idle_timeout [show | set <idle timeout> | set_default | -h | -?], where
  show                Displays the current settings
  set <idle timeout>  Sets the connection idle timeout (in seconds, 1-86400)

Effect: This allows you to set the connection idle timeout between the Vclass appliance and the Management Station. The maximum time is 86,400 seconds (one day). The default is 180 seconds (3 minutes).

Examples:
WG#debug conn_idle_timeout set 600

WG#debug conn_idle_timeout set_default

ha_instant_sync command

WG#debug<ENTER>
WG#debug ha_instant_sync [show | enable | disable | set_default | -h | -?], where
  show         Displays the current settings
  enable       Enable instant state sync
  disable      Disable instant state sync
  set_default  Restore the setting to the factory default value

Effect: Enables or disables instant HA state synchronization. This is enabled by default.

Example:
WG#debug ha_instant_sync enable

hwdiag command

WG#debug<ENTER>
WG(debug)#hwdiag <1 | 2>

Effect: Provides diagnostic information for your hardware. Two diagnostic levels are available. Type the command “hwdiag 1<ENTER>” to perform level 1 hardware diagnostic tests, or “hwdiag 2<ENTER>” to perform level 2 tests.

Level 2 hardware diagnostics require that the system be rebooted after the tests complete.

ifconfig command

WG#debug<ENTER>
WG#debug ifconfig

Effect: ifconfig is the standard Linux command for interface configuration. This command can be used to configure the interfaces, as an alternative to interface configuration in the configuration menu. It displays debugging information for the interfaces on the appliance.

Options: Type -h to get help for this option. ifconfig is a standard Linux command, and should be used by a knowledgeable administrator. For the interface names, use “eth0” through “eth5,” depending on how many interfaces your device has.

Type ifconfig with no options or arguments to show detailed interface information.

NOTEWhen using the ifconfig command in transparent mode, you must use eth1, as in the following example:ifconfig eth1 ipaddress netmask maskYou cannot use ifconfig with any other interface (e.g. eth0, eth2, eth3) in transparent mode.

importscreen command
WG#debug<ENTER>
WG(debug)#importscreen <ftp_server> <ftp_username> <ftp_password> <path_filename>

Imports a tar file via FTP to customize the Firewall User Login Screen.

Example:
importscreen 10.10.10.10 ftp any public/screen.tar

Effect
This command allows you to import a tar-archived set of files to replace the HTTPS firewall user authentication login screen. The appliance fetches the archive over FTP, so the FTP credentials and the archive itself cross the network in clear text; use an FTP server on a trusted management network.

Prerequisites
The default configuration includes the following files:

- logon.html
- cert_logon.html
- user_auth_fail.html
- index.html
- user_auth_success.html
- images/rs_sublogo.gif

You can save these files from the login and result pages to your local system using your browser’s “Save” function. Once the files are saved, you can edit them, adding images, replacing text, and changing the page layout. However, you must not change any of the form input submission information (the form action and the names of the input fields), or your pages will not work.

You must create a tar archive (*.tar) that includes all of the files you want to replace for the logon and result screens. When you have finished editing, tar the files (creating a *.tar file) and place the archive in an accessible FTP upload directory. Then use the CLI to FTP the file to the Vclass appliance.

NOTE
These operations require a moderate level of HTML knowledge and editing skills.

Example
WG#debug<ENTER>
WG(debug)#importscreen 10.10.0.98 ftpadmin ftppassword public/screens.tar
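The packaging step is easy to get wrong in exactly the way the note above warns about: an edited logon.html that renames or drops a form field imports cleanly but breaks authentication. The following Python script is an added example, not part of the WatchGuard guide or its CLI, that compares the form submission details (form action, method and input names) of the edited pages against the copies saved from the appliance and, only if they match, builds the *.tar that importscreen fetches. The file names are the ones listed above; the directory layout, the command-line arguments and the sample HTML used in testing are this example's own assumptions.

```python
import tarfile
from html.parser import HTMLParser
from pathlib import Path

# Files that make up the default firewall user login screen (from the guide).
SCREEN_FILES = [
    "logon.html",
    "cert_logon.html",
    "user_auth_fail.html",
    "index.html",
    "user_auth_success.html",
    "images/rs_sublogo.gif",
]


class FormExtractor(HTMLParser):
    """Collects (action, method, sorted input names) for every <form> on a page."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action", ""),
                             "method": a.get("method", "get").lower(),
                             "inputs": []}
        elif tag in ("input", "select", "textarea") and self._current is not None:
            if "name" in a:  # unnamed inputs (e.g. a submit button) are not submitted
                self._current["inputs"].append(a["name"])

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self._current["inputs"].sort()
            self.forms.append(self._current)
            self._current = None


def form_signature(html):
    """Submission details of all forms on a page; layout, text and images are ignored."""
    p = FormExtractor()
    p.feed(html)
    p.close()
    return [(f["action"], f["method"], tuple(f["inputs"])) for f in p.forms]


def check_edited_pages(original_dir, edited_dir):
    """Return the names of edited HTML files whose form submission details changed."""
    broken = []
    for name in SCREEN_FILES:
        if not name.endswith(".html"):
            continue
        original = Path(original_dir) / name
        edited = Path(edited_dir) / name
        if not edited.exists():
            continue  # not replaced; the appliance keeps its default page
        if form_signature(original.read_text()) != form_signature(edited.read_text()):
            broken.append(name)
    return broken


def build_screen_tar(edited_dir, tar_path):
    """Pack the edited files into a plain (uncompressed) tar and return its member names."""
    edited_dir = Path(edited_dir)
    with tarfile.open(tar_path, "w") as tar:
        for name in SCREEN_FILES:
            f = edited_dir / name
            if f.exists():
                tar.add(f, arcname=name)  # keep the relative path, e.g. images/...
    with tarfile.open(tar_path) as tar:
        return sorted(tar.getnames())


if __name__ == "__main__":
    import sys
    # usage: python pack_screens.py <saved_originals_dir> <edited_dir> <screens.tar>
    orig_dir, edit_dir, out = sys.argv[1:4]
    bad = check_edited_pages(orig_dir, edit_dir)
    if bad:
        sys.exit("form submission details changed in: " + ", ".join(bad))
    print("packed:", build_screen_tar(edit_dir, out))
```

Run it against the directory of pages saved from the appliance and the directory of edited pages; it refuses to build the archive if any form's action, method or field names differ, which is the failure the guide's warning describes. Upload the resulting file to the FTP directory and then run importscreen as shown above.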

kernel_debug command
WG#debug<ENTER>
WG(debug)#kernel_debug <on | off>

Effect
This command turns kernel debugging on or off.

Arguments
on    Turns kernel debugging on.
off    Turns kernel debugging off.

Example
WG(debug)#kernel_debug on


netstat command
WG#debug<ENTER>
WG(debug)#netstat

Effect
This command displays the network status as seen from the security appliance’s point of view. To review the arguments for this command, type -?. The following are some of the available arguments.

Arguments
-a    Displays active network connections and their status
-i    Shows summaries sorted by appliance interface
-s    Shows statistics
-r    Shows routing table information

Example
WG(debug)#netstat -i<ENTER>

ping command
WG#debug<ENTER>
WG(debug)#ping <a.b.c.d>

Effect
Use the ping command to send an ICMP ECHO_REQUEST to a designated device.

Arguments
<a.b.c.d>    The IP address of the device/appliance to be pinged.

Example
WG(debug)#ping 122.13.2.9<ENTER>

The WatchGuard CLI will send ping packets to the designated IP address. Enter ^C (Control-C) to stop the ping. The CLI will then display the results and return to the WG(debug)# prompt.


pppoe_config command
WG#debug<ENTER>
WG(debug)#pppoe_config [show | set <-i|-f|-r|-t> num | set_default], where
show    Shows the current settings.
set <-i|-f|-r|-t> num    Sets one PPPoE parameter; num is an integer.
set_default    Restores the factory default values.

Effect
This command allows you to set PPPoE echo (keep-alive) and re-authorization times and limits.

Arguments
-i    Sets the echo (keep-alive) interval, from 1 to 1200 seconds.
-f    Sets the threshold for echo (keep-alive) failure, from 1 to 60 seconds.
-r    Sets the re-authorization period, from 0 to 7200 minutes.
-t    Sets the re-authorization interval, from 0 to 120 minutes.
set_default    Restores the default values for PPPoE echo and re-authorization.

Example
WG(debug)#pppoe_config set -i 300 -f 5 \
-r 1800 -t 60

radius_ping command
WG#debug<ENTER>
WG(debug)#radius_ping [-pap <"password"> | -sid <"passcode">] \
[-p <port>] [-r <retries>] \
[-s <secret>] [-t <timeout>] \
[-u <username>] <source> <a.b.c.d>

Effect
Use this command to test the connection between this WatchGuard appliance and a RADIUS server.


Pay special attention to the arguments for this command.

Arguments
[-pap <password>]    This optional argument specifies PAP as the authentication used by this RADIUS server, along with the PAP password.
[-sid <passcode>]    This optional argument specifies SecurID as the authentication used by this RADIUS server, along with the SecurID passcode.
[-p <value>]    A specific port number for the RADIUS server. The default is “1812”; you can omit this argument if the port number was not changed.
[-r <value>]    The maximum number of tries (between 1 and 10) made by this command. The default is “3”.
[-s <value>]    The shared “secret” required by the RADIUS server. The default is “test123”. Supply the secret actually configured on the server; a test with the default value only succeeds if the server uses that value too.
[-t <value>]    The timeout value for each test message. The default is “2”.
[-u <value>]    A RADIUS user name for use in this ping attempt. The default is “test123”.
<source>    The IP address of the appliance interface from which the RADIUS request is sent.
<a.b.c.d>    The IP address of the RADIUS server.

The password or passcode is typed in clear text on the command line and is kept in the CLI command history, so use a test account rather than a real user's credentials.

Example
WG(debug)#radius_ping -u jsmith -pap johnsm \
10.10.13.101 10.10.0.5<ENTER>

[no response from RADIUS server]
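What radius_ping puts on the wire is a RADIUS Access-Request (RFC 2865): a header with a random 16-byte Request Authenticator, followed by User-Name, a User-Password attribute hidden with the shared secret, and the NAS-IP-Address taken from the <source> interface. The following Python script is an added example, not part of the WatchGuard guide or its CLI, that builds that request, shows the server-side reversal of the PAP hiding, and verifies the Response Authenticator of the reply before trusting it; a check the "no response" result above does not need, but a real Accept/Reject does. The function names, the retry loop and the sample user name, password and addresses (reused from the example above) are this example's own assumptions.

```python
import hashlib
import secrets
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4
RADIUS_AUTH_PORT = 1812  # the default, as for radius_ping -p


def pap_hide(password, secret, authenticator):
    """RFC 2865 5.2: XOR each 16-byte chunk with MD5(secret || previous chunk), seeded
    with the Request Authenticator. Obfuscation keyed by the secret, not encryption."""
    if len(password) > 128:
        raise ValueError("RADIUS passwords are at most 128 octets")
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        hidden += prev
    return hidden


def pap_reveal(hidden, secret, authenticator):
    """Server-side inverse of pap_hide (trailing NUL padding removed)."""
    plain, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        plain += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return plain.rstrip(b"\x00")


def attribute(attr_type, value):
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def build_access_request(identifier, username, password, secret, nas_ip, authenticator=None):
    """Access-Request as radius_ping -pap sends it. Returns (packet, request_authenticator)."""
    if authenticator is None:
        authenticator = secrets.token_bytes(16)  # must be unpredictable per request
    attrs = (attribute(ATTR_USER_NAME, username.encode())
             + attribute(ATTR_USER_PASSWORD, pap_hide(password.encode(), secret, authenticator))
             + attribute(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))  # the <source>
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs, authenticator


def parse_attributes(packet):
    """Return {type: value} for the attributes following the 20-byte header."""
    attrs, pos = {}, 20
    while pos < len(packet):
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > len(packet):
            raise ValueError("malformed RADIUS attribute")
        attrs[t] = packet[pos + 2:pos + l]
        pos += l
    return attrs


def build_response(code, identifier, request_authenticator, secret, attrs=b""):
    """What the server sends back: Response Authenticator =
    MD5(Code || ID || Length || RequestAuth || Attributes || Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return header + hashlib.md5(header + request_authenticator + attrs + secret).digest() + attrs


def response_is_authentic(reply, request_authenticator, secret):
    """Verify the Response Authenticator; without it anyone on the path can spoof the verdict."""
    if len(reply) < 20 or struct.unpack("!H", reply[2:4])[0] != len(reply):
        return False
    expected = hashlib.md5(reply[:4] + request_authenticator + reply[20:] + secret).digest()
    return secrets.compare_digest(reply[4:20], expected)


def radius_ping(server, username, password, secret, source_ip,
                port=RADIUS_AUTH_PORT, retries=3, timeout=2.0):
    """Send from source_ip with the CLI's default retry/timeout values.
    Returns the verified reply code (2 = Accept, 3 = Reject) or None."""
    identifier = secrets.randbelow(256)
    packet, req_auth = build_access_request(identifier, username, password, secret, source_ip)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind((source_ip, 0))
        s.settimeout(timeout)
        for _ in range(retries):
            s.sendto(packet, (server, port))
            try:
                reply, _ = s.recvfrom(4096)
            except socket.timeout:
                continue
            if len(reply) > 1 and reply[1] == identifier and response_is_authentic(reply, req_auth, secret):
                return reply[0]
    return None


if __name__ == "__main__":
    print(radius_ping("10.10.0.5", "jsmith", "johnsm", b"test123", "10.10.13.101"))
```

Two points worth noticing when reading the output of a real test: the hidden password is only as strong as the shared secret (a default such as "test123" lets anyone who captures the exchange recover the password), and a reply whose Response Authenticator does not verify is ignored rather than reported, since it could have come from anyone able to send a packet to the source interface.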

rcinfo command
WG#debug<ENTER>
WG(debug)#rcinfo

Effect
Shows debug information about the RapidCore chip in your appliance. This is used for troubleshooting purposes, with WatchGuard technical support.

Example
WG#debug<ENTER>
WG(debug)#rcinfo

reboot command
WG#debug<ENTER>
WG(debug)#reboot

Effect
Reboots the appliance.

Example
WG(debug)#reboot<ENTER>


rs_kdiag command
WG#debug<ENTER>
WG(debug)#rs_kdiag

Effect
This command displays internal diagnostics information.

Arguments
None


set_dos_if command
WG#debug<ENTER>
WG(debug)#set_dos_if [show | set <xyzv> | set_default | -h | -?], where
show    Shows the current settings.
set xyzv    Sets DoS protection on the interfaces. x, y, z and v must each be 0 or 1: x is for interface 0, y for interface 1, z for interface 2, and v for interface 3.
set_default    Restores the setting to the factory default value.

Effect
This sets denial of service (DoS) protection on individual interfaces. The default setting is 0000000f, that is, hexadecimal f (binary 1111): protection enabled on all four interfaces.

Example
WG#debug<ENTER>
WG(debug)#set_dos_if set 0011

This turns DoS protection off on interfaces 0 and 1 and leaves it on for interfaces 2 and 3. Interface 1 is the public interface, so check the current value with “set_dos_if show” before changing it and keep protection enabled on any interface that faces an untrusted network.

slink command
WG#debug<ENTER>
WG(debug)#slink [[-s] <Port> <Mode>] [show]
-s    Save configuration only
Port    eth0, eth1, eth2, eth3
Mode    See the list of modes under Arguments
show    Displays the current setting

Effect
This command sets the physical speed of a specific accelerated data interface.

Arguments
eth0, eth1, eth2, eth3    Indicates the interface to be changed.
mode    One of:
    auto = Auto negotiate
    1000A = 1000BaseFX, AutoNegotiation enabled
    1000H = 1000BaseFX, AutoNegotiation disabled
    100F = 100BaseT, Full-duplex mode
    100H = 100BaseT, Half-duplex mode
    10F = 10BaseT, Full-duplex mode
    10H = 10BaseT, Half-duplex mode
show    Displays the current setting

Example
WG#debug<ENTER>
WG(debug)#slink eth1 10H

This sets interface 1 (public) to 10BaseT, Half-duplex mode.

tcpdump command
WG#debug<ENTER>
WG(debug)#tcpdump

Effect
Dumps all traffic on a network. tcpdump captures all packets seen by the network interfaces of the appliance on which it is executed. This command may be used to track specific packets.

Arguments
None

Example
WG(debug)#tcpdump<ENTER>

traceroute command
WG#debug<ENTER>
WG(debug)#traceroute <target_IP>

Effect
Displays the complete route to the target device. This command uses the IP protocol “time to live” field and solicits an ICMP TIME_EXCEEDED response from each gateway along the path to the target device. You can use this command to troubleshoot network routing and connectivity.

Arguments
<target_IP>    Type the IP address of the target device, as shown in the example below.

Example
WG(debug)#traceroute 207.188.12.3<ENTER>

verbose_trace command
WG#debug<ENTER>
WG(debug)#verbose_trace [on | off]

Effect
This command enables or disables verbose tracing in the traffic log. When enabled, every packet dropped by the firewall is written to the traffic log, as is every DNS packet.

NOTE
If this feature is enabled, there will be an impact on overall system performance due to the heavy logging activity.

vinstall command
WG#debug<ENTER>
WG(debug)#vinstall <ftp_server> <ftp_username> <ftp_password> <"path_filename">

## This feature allows downgrade from 5.0 to 3.2 or 4.0
## e.g. vinstall 10.10.10.10 my_username my_password "path/encrypted_fbv.tgz"
## For V10, use non-encrypted file. For others, use encrypted file.

Effect
This allows you to downgrade to an earlier software version, from 5.0 to 4.0 or from 5.0 to 3.2.

NOTE
This feature is not supported in software versions earlier than 5.0.

Example
WG#debug<ENTER>
WG(debug)#vinstall 10.10.0.98 ftpadmin ftppass /upload/downgrade/encrypted.tgz


CHAPTER 5 Other Commands

This chapter describes commands that do not belong to one of the three main command modes (Administration, Configuration, and Debug).

No command

The no command is used before another command or argument to turn off or disable the specified feature.

Rename command

The rename command is used to rename objects.


Show command

As a way of viewing lists and details of a WatchGuard appliance’s configuration, the Show command (and its arguments) provides an adaptable means of cataloging such things as address groups, IPSec actions or RAS user profiles. Once you determine what’s listed, you can then adapt the Show command to view the “contents” of a specifically named item, including the settings or configuration entries that comprise that item.

Show command general usage
WG#show<ENTER>

Effect
If you type “show” at the top-level CLI prompt, the WatchGuard CLI will display a complete list of “show” arguments (listed above in “Contents”), that enable you to list almost every kind of object in the WatchGuard database, from address groups to VLAN objects.

Arguments
None.

The current range of Show commands includes the following:

Command              For more information
address              See “Show address command” on page 145.
alarm                See “Show alarm command” on page 146.
all_routes           See “Show all_routes command” on page 147.
certificate          See “Show certificate command” on page 147.
cpm                  See “Show CPM command” on page 148.
denial_of_service    See “Show denial_of_service command” on page 148.
diagnostics          See “Show diagnostics command” on page 148.
dns                  See “Show DNS command” on page 148.
ike                  See “Show IKE command” on page 149.
interface            See “Show interface command” on page 150.
ipsec                See “Show IPSec command” on page 150.
ldap                 See “Show LDAP command” on page 151.
license              See “Show license command” on page 151.
log                  See “Show log command” on page 152.
mode                 See “Show mode command” on page 152.
nat                  See “Show NAT command” on page 153.
ntp                  See “Show NTP command” on page 153.
policy               See “Show policy command” on page 154.
qos                  See “Show QoS command” on page 154.
ras                  See “Show RAS command” on page 155.
route                See “Show route command” on page 156.
sa                   See “Show SA command” on page 156.
service              See “Show service command” on page 157.
snmp                 See “Show SNMP command” on page 158.
statistics           See “Show statistics command” on page 158.
sysinfo              See “Show sysinfo command” on page 158.
sysupgrade           See “Show sysupgrade command” on page 159.
trace                See “Show trace command” on page 159.
tunnel_switch        See “Show tunnel_switch command” on page 159.
version              See “Show version command” on page 160.

Show address command

Display current address groups

WG#show address<ENTER>

Effect
Displays the current catalog of address groups stored in this WatchGuard Firebox Vclass security appliance.

Arguments
None.

Display contents of address group

WG#show address <"group_name"><ENTER>

Effect
Displays the current contents of a specifically named address group.

Arguments
<"group_name">    The address group name.

Example
WG#show address exec_staff<ENTER>

Show alarm command
WG#show alarm [definition | log [more | follow]]<ENTER>

Effect
Displays a summary of current outstanding alarms.

Arguments
definition    Displays a list of alarm definitions, and whether they are enabled.
log more    Displays the log of all alarms that have been triggered in the past (since the log was last cleared), 20 lines at a time.
log follow    Displays the last 5 lines of the alarm log, and updates as more alarms are generated.

Example
WG#show alarm log more<ENTER>


Show all_routes command
WG#show all_routes<ENTER>

Effect
Displays a summary of the routes, static and dynamic, recorded in this WatchGuard appliance.

Arguments
None.

Example
WG#show all_routes<ENTER>

Show certificate command
WG#show certificate<ENTER>

Effect
Displays the complete collection of certificates, including pending requests, root certificates and system certificates.

Examples
WG#show certificate<ENTER>

Display certificate settings

WG#show certificate [ca | sys | pending | "cert_id"]<ENTER>

Effect
Displays the settings of a certificate according to the specified identifying characteristic.

Arguments
<ca | sys | pending>    The type of certificates you want to review: root, system or pending.
<"cert_id">    The actual ID number of a certificate, whether root, system or pending.

Examples
WG#show certificate pending<ENTER>
WG#show certificate 19478<ENTER>

Show CPM command
WG#show cpm<ENTER>

Effect
Shows whether CPM is enabled or disabled, and general CPM information.

Arguments
None.

Examples
WG#show cpm<ENTER>

Show denial_of_service command
WG#show denial_of_service<ENTER>

Effect
Displays the DoS and DDoS configurations currently active in this appliance.

Arguments
None.

Show diagnostics command
WG#show diagnostics<ENTER>

Effect
Shows some diagnostic information for the appliance.

Arguments
None.

Examples
WG#show diagnostics<ENTER>

Show DNS command
WG#show dns<ENTER>

Effect
Displays any DNS configurations.

Arguments
None

Show IKE command
WG#show ike <action | policy><ENTER>

Effect
Displays the current catalog of IKE policies or actions, depending upon your choice of argument.

Arguments
<action | policy>    Specifies whether the actions or the policies are listed.

Examples
WG#show ike action<ENTER>

Display IKE policy parameters

WG#show ike <action | policy> <"name"><ENTER>

Effect
Displays the parameters of a specifically named IKE policy or action.

Arguments
action <"name">    Displays the contents of the named action.
policy <"name">    Displays the contents of the named policy.

Examples
WG#show ike action basic<ENTER>
WG#show ike policy secure_VPN<ENTER>


Show interface command
WG#show interface<ENTER>

Effect
Displays a detailed summary of all data interfaces in this WatchGuard appliance.

Arguments
None

Example
WG#show interface<ENTER>

Show IPSec command
WG#show ipsec <action | proposal><ENTER>

Effect
Displays the current catalog of IPSec proposals or actions, depending upon the argument.

Arguments
<action | proposal>    Specifies the type of IPSec component, action or proposal, that you want to review.

Examples
WG#show ipsec proposal<ENTER>

Display an IPSec proposal or action

WG#show ipsec <action | proposal> <"item_name"><ENTER>

Effect
Displays the contents of a specifically named IPSec proposal or action. Type the action or proposal name after the "ipsec" command to view the specific settings.

Arguments
<action | proposal>    Specifies the type of IPSec component, action or proposal, that you want to review.
<"name">    After entering the “action” or “proposal” argument, enter the actual name of the specific proposal or action that you want to review in detail.

Examples
WG#show ipsec proposal md5_sha<ENTER>
WG#show ipsec action most_secure<ENTER>

Show LDAP command
WG#show ldap<ENTER>

Effect
Displays any current LDAP server connection settings.

Arguments
None

Show license command
WG#show license [license_id]<ENTER>

Effect
Displays the current license file information. You can copy the license ID shown with this command, and paste it after the show license command to see more details about a particular license.

Arguments
[license_id]    Optional. The ID of one license, as shown in the License ID column, to display in detail.

Example (show license without a license number)

WG#show license
Ord  License Name         License ID        Expiration Date
1    DATE_11-6-2002_10:5  64DFC18A261A4771  04-02-2003

Example (show license with a license number)

WG#show license 64DFC18A261A4771
License Name: DATE_11-6-2002_10:51
License ID: 64DFC18A261A4771
Feature(s): UPGRADE 3DES
Expiration Date: 04-02-2003

Show log command
WG#show log <config | alarm | event | traffic | ras_user | p1_sa | p2_sa> [more]<ENTER>

Effect
Displays the last 25 entries in a designated log file. If you enter “config” as the argument, the CLI will display the configuration settings for all logs.

Arguments
<config>    Displays the current configurations for server, traffic and event logs.
<alarm | event | traffic | ras_user | p1_sa | p2_sa>    Enter one of these six log types. If you do not type a log type, the CLI will simply list the types of log files you can view.
[more]    Displays the complete contents of a specified log, one page at a time.

Example
WG#show log traffic<ENTER>

Show mode command
WG#show mode<ENTER>

Effect
Displays whether the system is running in Router or Transparent Mode.

Arguments
None

Example
WG#show mode<ENTER>

Show NAT command
WG#show nat<ENTER>

Effect
Lists any current NAT actions stored in this appliance database.

Arguments
None

Display NAT action configuration

WG#show nat <"name"><ENTER>

Effect
Displays the configuration of a specifically named NAT action.

Arguments
<"name">    The exact name of the NAT action you want to review.

Example
WG#show nat static_NAT1<ENTER>

Show NTP command
WG#show ntp<ENTER>

Effect
Displays the Network Time Protocol configuration.

Arguments
None.

Example
WG#show ntp<ENTER>

Show policy command
WG#show policy <"policy_name"><ENTER>

Effect
Displays the parameters/settings for a specifically named security policy.

Arguments
<"policy_name">    The exact name of the security policy you want to review.

Example
WG#show policy SJO-NYC_VPN<ENTER>

List active security policies

WG#show policy<ENTER>

Effect
Lists all active security policies stored in this WatchGuard appliance.

Arguments
None

Example
WG#show policy<ENTER>

Show QoS command
WG#show qos <system | action><ENTER>

Effect
Displays (1) the current system QoS configuration, or (2) a list of currently available QoS actions, depending upon your argument entry.

Arguments
<system | action>    Your choice: review the current system QoS setting or the list of available QoS actions.

Example
WG#show qos system<ENTER>

Show QoS action configuration

WG#show qos action <"name"><ENTER>

Effect
Displays the configuration of a specified QoS action.

Arguments
<"name">    The exact name of the QoS action you want to review.

Example
WG#show qos action slow_to_55<ENTER>

Show RAS command
WG#show ras <group_profile | user_profile | database><ENTER>

Effect
Displays a complete listing of the specified RAS component: group profiles, user profiles or database configuration.

Arguments
<group_profile | user_profile | database>    Your choice: review a list of group profiles, a list of user profiles or the database settings.

Example
WG#show ras database<ENTER>

Display specific RAS contents

WG#show ras <group_profile | user_profile> <"name"><ENTER>

Effect
Displays the contents of the specifically named RAS component, a user profile or group profile.

Arguments
<group_profile | user_profile>    Either group profile or user profile.
<"name">    The name of the designated object that you want to review.

Example
WG#show ras user_profile sales12<ENTER>

Show route command
WG#show route<ENTER>

Effect
Displays a list of active routes.

Arguments
None

Example
WG#show route<ENTER>

Show SA command
WG#show sa <p1 | p2> [id]<ENTER>

Effect
Lists current phase one or phase two SA information, in some detail. If you add the “ID” of a specific phase-one SA or phase-two tunnel, the CLI will display details of the requested item.

Arguments
<p1 | p2>    Your choice of a list of phase-one SAs or a list of phase-two tunnels. Either list provides a complete catalog of the requested items, in a table that includes considerable detail about each item.
[id]    When used with p1, displays a summary of the identified SA. When used with p2, displays a summary of the requested tunnel's activity.

Example
WG#show sa p2 209<ENTER>

Show service command

List all service groups

WG#show service<ENTER>

Effect
Displays a complete list of all service groups.

Arguments
None

Example
WG#show service<ENTER>

Display service group settings

WG#show service <"name"><ENTER>

Effect
Displays the settings for a named service group, including port numbers and any associated protocols.

Arguments
<"name">    The exact name of the service group you want to review in detail.

Example
WG#show service e-mail<ENTER>

Show SNMP command
WG#show snmp<ENTER>

Effect
Displays the SNMP settings for the appliance.

Arguments
None.

Example
WG#show snmp<ENTER>

Show statistics command
WG#show statistics ras [user_ID]<ENTER>
WG#show statistics p1sa [ID]<ENTER>
WG#show statistics p2sa [ID]<ENTER>

Effect
Displays statistics for RAS users, or for phase 1 or phase 2 SAs.

Arguments
ras [user_ID]    RAS statistics, optionally limited to one user.
p1sa [ID]    Phase 1 SA statistics, optionally limited to one SA.
p2sa [ID]    Phase 2 SA statistics, optionally limited to one SA.

Example
WG#show statistics ras ras_user<ENTER>

Show sysinfo command
WG#show sysinfo<ENTER>

Effect
Displays the basic "general" system configurations, including appliance name, location, and contact person's name.

Arguments
None

Example
WG#show sysinfo<ENTER>

Show sysupgrade command
WG#show sysupgrade<ENTER>

Effect
Displays a chronological record of recent system software upgrades (including version number and date) installed in this WatchGuard appliance.

Arguments
None

Example
WG#show sysupgrade<ENTER>

Show trace command

Show tunnel_switch command
WG#show tunnel_switch<ENTER>

Effect
Displays the status of tunnel switching hardware features in this appliance: OFF or ON.

Arguments
None

Example
WG#show tunnel_switch<ENTER>

Show version command
WG#show version<ENTER>

Effect
Displays the version number of the WatchGuard operating software.

Arguments
None

Example
WG#show version<ENTER>


Index

A
abbreviations 8
abort system configuration changes 43
accelerated data interface, set physical speed of 139
adding settings and policies 10
address group modification 43
address group, display specific 146
address groups, display all 145
administration mode commands 15, 27
appliance maintenance commands 22
apply changes 22
apply changes to interface configuration 95
apply recent configuration changes 45
argument entry syntax 9
argument options by command, list of 17
ARP cache, display 129
ARP cache, manipulate 129
available commands 17
available tasks 2

B
\ character, use of 9

C
case sensitivity of object strings 9
certificate configuration mode, entry into 45
certificate settings, display specific 147
certificate, import VPN 69
certificate, request VPN 67
certificate, show properties 70
certificates, display all 147
change system mode 94
CLI by command
  administration mode
    downgrade 29
    enable 108
    export 30
    flush 31
    ha_sync 31
    passwd 36
    reboot 37
    restore_default 38
    shutdown 38
  all mode commands
    exit 14
    history 14
    top 15
  configuration, level 1
    abort 43
    address 43
    certificate 45
    commit 45
    delete 45
    denial_of_service 46
    high_availability 47
    high_availability (disable) 48
    history 66
    ike 48
    interface 49
    ipsec 49
    license 49
    nat 54
    nat (dynamic action) 56
    policy 57
    qos 60
    ras 61
    rename 61
    schedule 62
    service 63


    system 64
    tenant 65
    tunnel_switch 65
  configuration, level 2
    action (ike) 78
    action (IPSec) 95
    action (QoS) 100
    active_feature (license) 117
    database (RAS) 105
    delete (license) 118
    dns (system) 108
    enable (high_availability) 74
    exit (high_availability) 76
    exit (interface) 95
    fwuser (system - idle_timeout) 109
    group_profile (RAS) 102
    ha2 (interface) 93
    import 69
    import (license) 117
    interface 82
    interface (system) 110
    interface 0 (interface) 83
    interface 1 (interface) 86
    interface 2 (interface) 90
    ldap (system) 110
    log (system) 111
    mode 94
    policy (ike) 80
    private (interface) 85
    proposal (IPSec) 99
    request 67
    route (system) 113
    show 70
    show (high_availability) 72
    show (interface) 82
    show (license) 118
    snmp (system) 114
    ssl 71
    sysinfo (system) 115
    system (QoS enable/disable) 101
    user_domain (tenant) 120
    user_profile (RAS) 103
    vlan (tenant) 119
    vlan_fowarding (system) 116
  configuration, level 3
    dynamic (system\route) 123
    event (system\log) 124
    remote_log_server (system\log) 125
    static (system\route) 122
    traffic (system\log) 124
  display arguments
    show 145
    show address 145
    show address <group_name> 146
    show all_routes 147
    show cert 147
    show cert (by ID) 147
    show denial_of_service 148
    show dns 148
    show ike 149
    show ike (by name) 149
    show interface 150
    show ipsec 150
    show ldap 151
    show log 152
    show mode 152
    show nat 153
    show nat (by name) 153
    show policy 154
    show policy (by name) 154
    show qos 154
    show qos (by name) 155
    show ras 155
    show ras (by name) 156
    show route 156
    show sa 156
    show service 157
    show service (by name) 157
    show sysinfo 158
    show sysupgrade 159
    show tunnel_switch 159
    show version 160
  troubleshooting
    arp 129
    clear_logs 129
    netstat 134
    ping 134
    radius_ping 135
    rs_kdiag 138
    slink 139
    tcpdump 140
    traceroute 140
    verbose_trace 141
CLI capabilities 2
CLI commands
  administration mode
    disable 108

CLI editing
  appending to recent command 11
  argument syntax 9
  use of \ character 9
  case sensitivity 9
  case sensitivity in object strings 9
  command abbreviation 8
  command prompt 8
  delete 10
  exchanging command arguments in recent command 12
  grouping parameters 10
  help command 17
  keywords 15
  line continuation 9
CLI navigation 13
command history 11
command prompt, navigation with 8
Common Criteria operation mode 35
configuration, initial 20
conn_idle_timeout 130
connection to a workstation, direct 5
connection to workstation, through network 5
conventions 3–5, 25–27
currently available commands 17

D
data interfaces, display address settings 82
data interfaces, show detailed summary of 150
DDOS
  See denial of service
DDOS configurations, show 148
debug information not exported to xml 127
debugging commands 127–141
delete license 118
delete specific configuration changes 45
deleting items in database 22
deleting text 10
denial of service parameter configuration 46
DHCP server configuration options 85
disable 108
disable keyword 15
disable port shaping 101
disable tunnel switching 65
display commands 144
display interface addresses
  See data interfaces
DMZ
  See interface 2
DNS configurations, show 148
domain name, system level entry 108
DOS
  See denial of service
DOS configurations, show 148
downgrade 29
dump network traffic 140
dynamic route, configure 123

E
enable 108
enable keyword 15
enable port shaping 101
enable tunnel switching 65
erase system configuration changes 43
event log configuration 124
exchanging command arguments in recent command 12
!!<command argument> for appending to most recent command 11
!! recall command 11
!number to recall recent command by number 11
existing appliance, log in 7
export 30
export cr/xml/log/ip 30
extra features active, licensed 117

F
factory default appliance, logging in 6
factory default restoration 38
FIPS operation mode 35


firewall authentication screens, replacing 132

H
HA 2 interface configuration 93
HA configuration 47
HA configuration, display 72
HA enable 74
HA, apply configuration changes 76
HA, disabling 48
ha_instant_sync 130
ha_sync 31
help 17
help online 17
high availability
  See HA
high availability configuration, level 2 72–76
history 14, 66
history buffer 11
history buffer, size of 11
history command 11
hotsync process, initiate 31

I
ICMP ECHO_REQUEST, send 134
idle_timeout, changing firewall user 109
IKE action, record 78
IKE configuration 48
IKE configuration, level 2 commands 78–82
IKE policies, display all 149
IKE policy or action, show parameters of 149
IKE policy, record 80
import XML profile 33
import license 117
import VPN certificate 69
importscreen 132
initial configuration commands 20
interface 0 configuration 83
interface 1 configuration 86
interface 2 configuration 90
interface address settings, display 82
interface configuration entry 110
interface configuration, enter 82
interface configuration, level 2 commands 82–95
interfaces, show detailed summary of 150
internal diagnostics, display 138
IP addresses, system level entry 108
IPSec action, recording 95
IPSec configuration 49
IPSec configuration, level 2 commands 95–100
IPSec proposal or action, show details of specific 150
IPSec proposal, create or modify 99
IPSec proposals or actions, show catalog of 150

K
keywords
  disable 15
  enable 15
  no 15

L
LDAP server connection settings, show 151
LDAP server, activate connection 110
LDAP server, deactivate connection 110
Level 1 configuration mode 41
Level 2 configuration mode 66–122
Level 3 configuration mode 122–126
license commands, level 2 commands 117–119
license configuration 49
license, delete 118
license, import new 117
license, summarize a 118
licensed features, active 117
licenses available, list 118
limitations 3
line continuation 9
line continuation character 9
log configuration 111

Page 179: v51cli Guide

log configuration, level 3 commands 124–126

log entries, clear 129log file, show last 25 entries of

specific 152log into existing appliance 7log into factory default appliance 6log out 18

M
maintenance commands 22
MSS 59, 112
mss_adjustment 112
mss_adjustment_per_policy 59

N
NAT action, record 54
NAT action, show configuration of specific 153
NAT actions, list current 153
NAT, dynamic IP 56
network address translation, See NAT
network status, view 134
no keyword 15

O
object strings, case sensitivity of 9
online help 24
operation modes 35
operation_mode command 35

P
passwd 36
password, reset super user 36
ping a device 134
+ character, use of 10
pppoe_config 135
Private interface, See interface 0
profile, import XML 33
Public, See interface 1

Q
QoS action, record new 100
QoS actions, show current available 154
QoS configuration entry 60
QoS configuration, level 2 commands 100–101
QoS configuration, show all current system 154
QoS configuration, show specific 155
Quality of Service, See QoS
? command 17

R
RADIUS server, test connections to security appliance 135
RAS account, create or modify 103
RAS authentication database, where stored 105
RAS configuration mode 61
RAS configuration, level 2 commands 102–106
RAS group profile, modify or create 102
RAS, show complete listing of 155
RAS, show specific RAS component 156
reboot 37
recall most recent command 11
recalling a recent command, not most recent 11
recent commands list 14, 66
reload old software 29
remote log server connection, configure 125
rename an existing object 61
replace firewall authentication screens 132
replacing settings and policies 10
request VPN certificate 67
reset connections 31

reset Vclass appliance 37
return to next highest level 14
return to top command level 15
route configuration entry 113
route configuration, level 3 commands 122
route information, display of 140
routes, list all active 156
routes, summarize all dynamic and static 147

S
SA information, show current phase 1 or 2 156
schedule a policy 62
security policies, show active 154
security policy commands 21
security policy, create 57
security policy, show parameters of specific 154
service entry (individual or group), new 63
service group, show specific 157
service groups, show all 157
set_dos_if 139
show arguments, list 145
show certificate properties 70
show stored arguments 16
show stored command entries 16
showcommands 144
shut down WatchGuard appliance 38
SNMP workstations, record connection data for 114
software version number, display 160
SSL certificate request 71
static route configuration 122
system configuration mode 64
system configuration, level 2 commands 107–116
system configuration, show general 158
system information, apply to security appliance 115
system interface configuration 49
system interface configuration, enter 82
system mode, display 152
system software upgrades, show recent 159

T
tasks available 2
tasks not available 3
TCP Maximum Segment Size (MSS) 59, 112
tenant configuration mode entry 65
tenant configuration, level 2 commands 119–122
tenant entry, record 119
text deletion 10
top command 14
traffic log file, activate 124
traffic log file, deactivate 124
troubleshooting commands 127–141
tunnel switching, show hardware status 159

U
unavailable tasks 3

V
verbose trace, disable 141
verbose trace, enable 141
view currently available commands 17
vinstall 141
VLAN forwarding, disable 116
VLAN forwarding, enable 116
VLAN specific tenant entry, record 120
VLAN tenant entry, record new 119

W
Web certificate, See SSL certificate

X
xml export, debugging information not exported 127
XML profile, import 33