
Top-level configuration mode commands

WatchGuard Command Line Interface Guide

57

Effect

Disables the high availability feature.

Arguments

None

Example

WG#config<ENTER>

WG(config)#no high_availability

policy command

Effect

Allows you to create a new security policy or revise an existing policy, pending your selection of traffic specifications and actions. Note: you should have already created the needed address groups, schedules, actions and services before creating this new policy.

Arguments

<source>  <destination>

These two arguments record the source and 

WG#config<ENTER>
WG(config)#policy
  policy <"name"> [<source> <destination> <interface num>]
       [-position <num>]
       [-firewall <pass|block|authenticate|reject>]
       [<-service|-tenant|-nat|-qos|-schedule|-ipsec [no]
        [bi_directional]> <]
       [<-tosF|-tosR> <bbbbbb>] # b is <0|1>;msb from left.
       [-log_per_policy [enable|disable] ]
       [-icmp_error_handling_per_policy [[global | all] |
                                  [[no] fragmentation_required]
                                  [[no] time_exceeded]
                                  [[no] network_unreachable]
                                  [[no] host_unreachable]
                                  [[no] port_unreachable] ] ]
       [-mss_adjustment_per_policy [auto|limit_to <num>|disable|
        use_global]]
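As an added illustration (not code from the WatchGuard guide), the following Python parser checks a policy command line against the syntax shown above and returns its fields, so a reviewer can validate generated policy lines before pasting them into the CLI. It assumes the named actions (-service, -tenant, -nat, -qos, -schedule, -ipsec) take the object name directly after the flag, with no and bi_directional as optional trailing keywords, since the guide shows those keywords but not where the name sits; the sample command line is constructed.

```python
"""Validate a Firebox Vclass ``policy`` command line against the syntax
on this page and return its fields as a dict.

Constructed example, not WatchGuard code.  Assumption: named actions are
written ``-service <name> [no] [bi_directional]``; the guide shows the
optional keywords but not the position of the object name.
"""
import re

FIREWALL_ACTIONS = {"pass", "block", "authenticate", "reject"}
NAMED_ACTIONS = {"-service", "-tenant", "-nat", "-qos", "-schedule", "-ipsec"}
ICMP_OPTIONS = {"fragmentation_required", "time_exceeded",
                "network_unreachable", "host_unreachable", "port_unreachable"}
MSS_MODES = {"auto", "disable", "use_global"}

# Constructed sample line, not one from the guide.
EXAMPLE_LINE = ('policy "web_in" ANY PRIVATE 1 -position 3 -firewall pass '
                '-service HTTPS -log_per_policy enable '
                '-icmp_error_handling_per_policy no fragmentation_required '
                'port_unreachable -mss_adjustment_per_policy limit_to 1400 '
                '-tosF 101110')


class PolicySyntaxError(ValueError):
    """Raised when a command line does not match the documented grammar."""


def tokenize(line):
    # A quoted name ("web in") stays one token, as the CLI treats it.
    return re.findall(r'"[^"]*"|\S+', line.strip())


def parse_policy(line):
    toks = tokenize(line)
    if len(toks) < 2 or toks[0] != "policy":
        raise PolicySyntaxError('expected: policy <"name"> ...')
    policy = {"name": toks[1].strip('"'), "actions": {}}
    i = 2

    def take(what):
        # Advance to the value following option `what`, or fail.
        nonlocal i
        i += 1
        if i >= len(toks):
            raise PolicySyntaxError(f"missing value for {what}")
        return toks[i]

    # Optional positional block: <source> <destination> <interface num>
    if i < len(toks) and not toks[i].startswith("-"):
        if len(toks) < i + 3 or not toks[i + 2].isdigit():
            raise PolicySyntaxError("source, destination and interface number go together")
        policy["source"], policy["destination"] = toks[i], toks[i + 1]
        policy["interface"] = int(toks[i + 2])
        i += 3

    while i < len(toks):
        opt = toks[i]
        if opt == "-position":
            val = take(opt)
            if not val.isdigit():
                raise PolicySyntaxError("-position needs a number")
            policy["position"] = int(val)
        elif opt == "-firewall":
            val = take(opt)
            if val not in FIREWALL_ACTIONS:
                raise PolicySyntaxError(f"-firewall must be one of {sorted(FIREWALL_ACTIONS)}")
            policy["firewall"] = val
        elif opt in NAMED_ACTIONS:
            entry = {"name": take(opt).strip('"'), "remove": False, "bi_directional": False}
            while i + 1 < len(toks) and toks[i + 1] in ("no", "bi_directional"):
                i += 1
                entry["remove" if toks[i] == "no" else "bi_directional"] = True
            policy["actions"][opt[1:]] = entry
        elif opt in ("-tosF", "-tosR"):
            bits = take(opt)
            # Six bits, msb first, per the "<bbbbbb> # b is <0|1>" syntax line.
            if not re.fullmatch(r"[01]{6}", bits):
                raise PolicySyntaxError(f"{opt} needs exactly six 0/1 digits")
            policy[opt[1:]] = int(bits, 2)
        elif opt == "-log_per_policy":
            # Keyword is optional; the guide does not state the default.
            policy["log_per_policy"] = None
            if i + 1 < len(toks) and toks[i + 1] in ("enable", "disable"):
                policy["log_per_policy"] = take(opt)
        elif opt == "-icmp_error_handling_per_policy":
            icmp = {}
            while i + 1 < len(toks) and not toks[i + 1].startswith("-"):
                tok = take(opt)
                if tok in ("global", "all"):
                    if icmp:
                        raise PolicySyntaxError("global/all cannot mix with individual ICMP options")
                    icmp["mode"] = tok
                    continue
                enabled = True
                if tok == "no":
                    enabled, tok = False, take("no")
                if tok not in ICMP_OPTIONS or "mode" in icmp:
                    raise PolicySyntaxError(f"bad ICMP option {tok}")
                icmp[tok] = enabled
            policy["icmp_error_handling"] = icmp
        elif opt == "-mss_adjustment_per_policy":
            mode = take(opt)
            if mode == "limit_to":
                num = take(mode)
                if not num.isdigit() or int(num) == 0:
                    raise PolicySyntaxError("limit_to needs a positive MSS value")
                policy["mss_adjustment"] = ("limit_to", int(num))
            elif mode in MSS_MODES:
                policy["mss_adjustment"] = (mode, None)
            else:
                raise PolicySyntaxError(f"bad MSS mode {mode}")
        else:
            raise PolicySyntaxError(f"unknown option {opt}")
        i += 1
    return policy


if __name__ == "__main__":
    print(parse_policy(EXAMPLE_LINE))
```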

Summary of Contents for Firebox V10

Page 1: ...WatchGuard Command Line Interface User Guide WatchGuard Firebox Vclass 5 1...

Page 2: ...of this manual may be reproduced by any means electronic or mechanical for any purpose other than the purchaser s personal use without prior written permission from WatchGuard Technologies Inc TRADEMA...

Page 3: ...ead this Agreement carefully By installing or using the SOFTWARE PRODUCT you agree to be bound by the terms of this Agreement If you do not agree to the terms of this AGREEMENT WATCHGUARD will not lic...

Page 4: ...mputer at once you must license an additional copy of the SOFTWARE PRODUCT for each additional computer on which you want to use it C You may make a single copy of the SOFTWARE PRODUCT for backup or a...

Page 5: ...f the SOFTWARE PRODUCT and the documentation to the authorized dealer from whom you obtained it along with a dated proof of purchase specifying the problems and they will provide you with a new versio...

Page 6: ...PASSIVE OR IMPUTED NEGLIGENCE AND STRICT LIABILITY AND FAULT FOR ANY INDIRECT SPECIAL INCIDENTAL OR CONSEQUENTIAL DAMAGES INCLUDING WITHOUT LIMITATION LOSS OF BUSINESS PROFITS BUSINESS INTERRUPTION OR...

Page 7: ...ENT will be governed by and construed in accordance with the substantive laws of Washington excluding the 1980 United National Convention on Contracts for the International Sale of Goods as amended Th...

Page 8: ...viii WatchGuard Vclass 5 1...

Page 9: ...appliance 5 Logging into an appliance via a console connection 6 Logging into an existing appliance via a network connection 7 Understanding the command prompt 8 Abbreviating commands and keywords 8 C...

Page 10: ...move delete items from a WatchGuard database 22 To save and apply your most recent changes 22 To maintain an appliance 22 To troubleshoot an appliance 22 To restore an appliance to the factory default...

Page 11: ...and 50 nat command 54 no command 56 policy command 57 qos command 60 ras command 61 rename command 61 schedule command 62 service command 63 system command 64 trace command 64 tenant command 65 tunnel...

Page 12: ...4 CHAPTER 4 Debug Mode Commands 127 Debugging troubleshooting commands 127 arp command 129 clear_logs 129 config_http command 129 conn_idle_timeout command 130 ha_instant_sync command 130 hwdiag comma...

Page 13: ...48 Show DNS command 148 Show IKE command 149 Show interface command 150 Show IPSec command 150 Show LDAP command 151 Show license command 151 Show log command 152 Show mode command 152 Show NAT comman...

Page 14: ...xiv WatchGuard Vclass 5 1 Index 161...

Page 15: ...a tors familiar with routers commonly deployed in net work environments will find the WatchGuard CLI is both easy to learn and to use You can use the CLI to administer an appliance through a console p...

Page 16: ...capabilities The WatchGuard command line interface CLI provides you with simple fast command line access to any local WatchGuard Firebox Vclass security appliance to perform most major administrative...

Page 17: ...access internal user accounts CLI Guide text conventions To help you better use this guide the following text con ventions are used Control key The symbol represents the Control CTRL key and is usual...

Page 18: ...h with a space between the first and last name you should enclose this entry in quotations to preserve it as a single entity For Example WG config address group exec_staff WG config address group exec...

Page 19: ...at any time These comprise two distinct uses of the CLI which in turn require different connections To use the CLI in pre installation setup or to do direct administration of a WatchGuard appliance y...

Page 20: ...a console connection To log into a brand new factory default WatchGuard appliance by means of the CLI console and a console serial port connection follow these steps 1 Start any terminal application a...

Page 21: ...in Password type your password nothing is displayed Welcome to the WatchGuard CLI Shell WG You can now work with the CLI Logging into an existing appliance via a network connection To log into a curre...

Page 22: ...can abbreviate the available commands and keywords for each command group or mode down to the minimum number of characters that can safely be used to represent a command so that it cannot be mistaken...

Page 23: ...ping the backslash character at the end of the command line similar to the use of the back slash character in C programming syntax This permits you to type more information parameters without breaking...

Page 24: ...be appended to an existing item Adding entries to an existing item requires use of the plus character If a setting or entry already exists in this WatchGuard appliance add a plus character before add...

Page 25: ...y commands applied at that level of the CLI The CLI will append a number to each line to indicate its place in the overall chronology The higher the number the more recently that command was enacted N...

Page 26: ...bstitution as shown in the following example WG 49 Recall command line 49 This is the command show service DNS The next six lines are the result Service Group Name DNS Description Domain Name Services...

Page 27: ...SH execute Service Group This shows the results Name SSH Description Secure Shell Remote Login Protocol Protocol TCP Server_port 22 WG _ At every command level and in all command modes the exit comman...

Page 28: ...any CLI mode history command WG admin ENTER WG admin history Effect Lists the twenty most recently exercised commands at this level When this command is applied at other levels it will result in the...

Page 29: ...eywords The CLI provides keywords such as enable disable and no that perform specific functions with system parameters For example enable and disable are used to enable and disable existing configurat...

Page 30: ...Example 1 Show all security policy records WG config show policy ENTER Ord NAME Dscpt Src Dest Svc 1 PRIVATE_HTTPS ANY PRIVA HTTPS 2 ALLOW_PING_FROM_PVT ANY INTER PING 3 ALLOW_PING_FROM_PUB ANY INTER...

Page 31: ...de the following Listing all available commands at a specific mode or level of CLI Listing all of a command s arguments and associated values along with their specific usage syntax 1 To list all comma...

Page 32: ...1 msb from left log_per_policy enable disable icmp_error_handling_per_policy global all no fragmentation_required no time_exceeded no network_unreachable no host_unreachable no port_unreachable Loggi...

Page 33: ...er Guide beginning with installation and continuing on to adminis tration and policy configuration tasks The tasks are sorted into the following general categories and can be reviewed as noted here To...

Page 34: ...onfig if interface 0 WG config if interface 1 WG config if interface 2 if a DMZ interface is present WG config if ha2 if an HA2 port is present Command Description WG admin passwd change the default p...

Page 35: ...d Description Command Description WG config address create all the needed address groups for use in policies WG config service add new services or groups of related services WG config ike action creat...

Page 36: ...maintenance use these com mands To troubleshoot an appliance To perform troubleshooting tasks use these commands WG config ras group_profile create RAS group profiles for use in RAS policies WG confi...

Page 37: ...most recent tasks at any level CLI prompt history Command Description WG debug arp display and configure the arp table WG debug netstat show network connection states and statistics WG debug ping ver...

Page 38: ...on line help while working To get help with the WatchGuard CLI Command Description online help at any prompt or at the end of any other command show view a list of objects at the prompt history view...

Page 39: ...I commands are organized into groups which are presented as specific command modes This chapter covers the commands available in Administration Mode Command syntax conventions used in this guide To he...

Page 40: ...r vertical bar indicate two options of which only one can be entered itemA itemB Text followed by an ampersand and a pipe character vertical bar indicates two options either or both of which can be en...

Page 41: ...tion of the arguments for each command and the relevant values for each argument Command For more information see account account command on page 28 downgrade downgrade command on page 29 export expor...

Page 42: ...unts If you set the login_limit feature on the root superadmin user it is possible for the superadmin to be locked out of the system To work around this possible problem 1 Create another superadmin ac...

Page 43: ...e specified user type admin or user to the number specified status This command displays a table of failed login attempts for each user provided the limit for the login name is greater than 0 unlock n...

Page 44: ...a careful review of this security appliance s setup to prevent any problems export command WG admin ENTER WG admin export Effect Exports certificate requests the log archive or an XML profile The exp...

Page 45: ...name ftp user passwd host target file_name console export ip export ip blocked allowed tftp host target file_name ftp user passwd host target file_name flush command WG admin ENTER WG admin flush Effe...

Page 46: ...the backup appliance your high availability system is ready and active Arguments None Example WG admin ha_sync ENTER import command The import command allows you to import certificates a certificate...

Page 47: ...le via one of several possible methods Arguments None Example WG admin import cert ftp wg wg ftp watchguard com pub cert cert p2 ENTER xml command WG admin ENTER WG admin import xml tftp host target f...

Page 48: ...ows For blocked IP each line of the file should include IPaddr space mm dd yyyy space hh mm ss mm dd yyyy specifies the month day and year hh mm ss specifies the hour minute and second For example a t...

Page 49: ...rmal FIPS or Common Criteria CC mode FIPS mode FIPS 140 2 is a standard that describes government requirements that cryptographic hardware or software products must meet FIPS certification is required...

Page 50: ...ecurity Systems which handle Classified and some non Classified information are required to be Common Criteria certified Common Criteria mode conforms to EAL4 level Common Criteria mode disables or ch...

Page 51: ...ayed Retype the same text during which no text will appear on screen When you press ENTER the new password will be confirmed and stored in the appliance then immediately put into effect Example WG adm...

Page 52: ...on Once this process is complete you can log in again then start over with appliance installation configuration and policy creation either by manual entry or importing of a profile from another applia...

Page 53: ...out of the appliance at which time you can break the CLI connection Arguments None upgrade command WG admin upgrade upgrade tftp host target upgrade rsu upgrade ftp user passwd host target upgrade rsu...

Page 54: ...CHAPTER 2 Administration Mode Commands 40 WatchGuard Vclass 5 1...

Page 55: ...the commands available in Configuration Mode Top level configuration mode commands The following catalog lists the top level configuration mode commands with a description of the arguments for each co...

Page 56: ...ipsec See ipsec command on page 49 license See license command on page 49 log See log command on page 50 nat See nat command on page 54 no See no command on page 56 policy See policy command on page 5...

Page 57: ...me host a b c d a b c d net a b c d e a b c d e range a b c d a b c d a b c d a b c d group address_name address_name Effect Creates a new address object or modifies an existing group depending upon t...

Page 58: ...address_name This argument notes a group of existing address entries that you want to combine into a single entity This character when inserted in the command line in the proper location allows you t...

Page 59: ...re information about certificate mode commands see Level 2 certificate configuration commands on page 67 commit command WG config ENTER WG config commit Effect This command applies all uncommitted pol...

Page 60: ...threshold packet s default 1000 no pingofdeath no sourceroute no server_ddos threshold threshold connection s default 100 no client_ddos threshold threshold connection s default 100 Effect Records you...

Page 61: ...hold Activates client DDOS protection the default threshold 100 which controls the maximum number of connection requests permitted to a single client no Enter this before any options you want to deact...

Page 62: ...Availability configuration commands on page 72 Disable high availability mode WG config ENTER WG config no high_availability Effect Disables high availability if it is already in effect Arguments Non...

Page 63: ...s mode See Also See Level 2 interface configuration commands on page 82 for details on specific interface mode commands ipsec command WG config ENTER WG config ipsec Effect Enters the IPSec configurat...

Page 64: ...mmands see Level 2 license commands for upgraded or additional features on page 117 log command no command log level WG config ENTER WG config log ENTER WG config log no event remote_log_server traffi...

Page 65: ...nostics ike level level 1 6 cmm level nm level pmm level ha level Effect Runs log diagnostics for the specified feature Arguments None Example WG config ENTER WG config log ENTER WG config log diagnos...

Page 66: ...ity priority traffic facility priority p1sa facility priority p2sa facility priority ras facility priority facility auth authpriv cron daemon ftp kern lpr ma il news syslog user uucp local0 local1 l o...

Page 67: ...nfig ENTER WG config log ENTER WG config log traffic history command log level WG config ENTER WG config log ENTER WG config log history Effect Shows up to the last 20 commands Arguments None Example...

Page 68: ...onfig nat name static_nat external address_group internal address_group vip round_robin wround_robin random wrandom least_connection wleast_connection server ip address port weight Effect Records a ne...

Page 69: ...lied and 2 the server addresses and port numbers If a weighted algorithm is used this argument adds 3 the per server weight assignments The load balancing algorithm argument values include the followi...

Page 70: ...web_server1 Record dynamic security policy IP NAT action WG config ENTER WG config nat name dynamic_nat a b c d Effect Records a new dynamic IP NAT action for use in security policies You can create...

Page 71: ...groups schedules actions and services before creating this new policy Arguments source destination These two arguments record the source and WG config ENTER WG config policy policy name source destina...

Page 72: ...service tenant nat qos schedule ipsec no bi_directional These arguments allow you to combine various preexisting actions in this one policy including service Enter the name of a service group after t...

Page 73: ...rt_unreachable This argument allows you to implement ICMP error handling per policy and specify error handling options mss_adjustment_per_policy auto limit_to num disable use_global This argument allo...

Page 74: ...licy table NOTE You can combine a range of actions vlan ipsec nat schedule etc in a single policy as needed For more information on policy action combinations especially to determine what will and wha...

Page 75: ...S configuration commands on page 102 for details on specific RAS mode commands rename command WG config ENTER WG config rename object_type old name new name Effect Substitutes a new name for an existi...

Page 76: ...ame for this schedule enable disable This argument specifies whether this schedule is currently active or not day This argument defines the days of the week The values can either be noted as all for a...

Page 77: ...e_group Effect Records a new service entry individual or group for use in policies The service must be noted as either a single service a range of port numbers for a single service or as a group of ex...

Page 78: ...onfig service my_app single udp 6010 WG config service email group mail_SMTP group POP3 ENTER system command WG config ENTER WG config system Effect Enters system parameter configuration mode at which...

Page 79: ...nant Arguments None in this level See Also See Level 2 tenant configuration commands on page 119 for more information about the next level of tenant commands tunnel_switch command WG config ENTER WG c...

Page 80: ...see a series of 20 commands starting with 64 and ending with 83 the most recent command being listed as 83 Arguments None Example WG config history ENTER Results Executed Commands 0 ike 1 address 2 ad...

Page 81: ...ds on page 102 Level 2 System Configuration commands on page 107 Level 2 tenant configuration commands on page 119 Level 2 certificate configuration commands request command configure certificate leve...

Page 82: ...me The default is US department text This optional argument notes the specific department name dns_name name This argument notes the fully qualified DNS name of this appliance ip_address a b c d This...

Page 83: ...the contents of a newly received VPN or Web certificate into the WatchGuard appliance database To import a certificate you must open the certificate file and copy the text then paste it into the comm...

Page 84: ...ert_id This optional argument records a specific certificate ID Examples WG config cert show ENTER OrdTYPE NAMESubjectCert idKeyAlgo 1 Pndg cn a o WatchGuard c US cn a o WatchGuard c 20001 RSA 2 CA o...

Page 85: ...JqHkthVJosa06n0 wLDvFYsJNZ4Y7FayvTVQAp 5zBo 5mkkzsgN3q7 TlNR5B1zDrFA END CERTIFICATE REQUEST ssl command configure certificate level WG config ENTER WG config certificate ENTER WG config cert ssl ip n...

Page 86: ...JF9x2v3GaVNUZEmk5 LTT iEdCrehhr YfxECAwEAAaAeBHn nu1msTyGjzqtP42IzQM 6YTj2uHMGPF Y8FTYgCE END CERTIFICATE REQUEST Level 2 High Availability configuration commands show command configure high availabil...

Page 87: ...0 ON 1 192 128 134 32 255 255 255 0 192 128 134 33 255 255 255 0 ON 2 30 0 0 1 255 0 0 0 30 0 0 8 255 0 0 0 OFF 3 40 0 0 1 255 0 0 0 40 0 0 2 255 0 0 0 OFF Advanced HA Parameters HA1 Enabled HA2 Disa...

Page 88: ...ion and statistics history show command history exit go back to parent level top go back to root level Effect Enables high availability in WatchGuard appliances with one or more HA interfaces and assi...

Page 89: ...d only be performed during the initial setup when the secondary appliance is in factory default configuration monitor 1 2 This optional command specifies which interface 1 or 2 you want this appliance...

Page 90: ...he VRRP group ID for this HA pairing if one has been assigned to it The number should be between 1 and 255 Example WG config ha monitor pub poll 5 ENTER Apply high availability configuration changes W...

Page 91: ...guration and statistics history show command history rename rename an object exit go back to parent level top go back to root level Effect Allows you to configure advanced settings for High Availabili...

Page 92: ...vanced WG config ha advanced primary ha1 ip 10 10 10 11 255 255 0 0 secondary ha1 ip 10 10 10 12 Level 2 IKE configuration commands action command configure IKE level WG config ENTER WG config ike ENT...

Page 93: ...ify the time in seconds between keep alive messages extended_authentication This argument when present activates extended authentication used for remote access connection requests rsa g1 g2 des 3des m...

Page 94: ...ss action ike_action_name peer any address name domain name user_domain usr host X 500 name local cert_id ip_address domain user_domain X500 preshared ascii_key hex_key position number Effect Records...

Page 95: ...pecifies the means of identifying the peer appliance from these five options You can enter any as the sole option or combine any of these options and values in this argument Option Description address...

Page 96: ...guration mode WG config ENTER WG config interface ENTER Effect Enters the system interface configuration mode Arguments None Please review the rest of this section for related commands show command co...

Page 97: ...e results appear as shown in this example interface 0 ip 10 10 13 101 net mask 255 255 0 0 status UP mac address 00 01 21 10 01 e5 interface 1 ip 16 10 203 121 net mask 255 255 255 0 status DOWN mac a...

Page 98: ...s in the subnet mask for example 16 is equivalent to the address 255 255 0 0 or the actual subnet mask address mtu num This allows you to set the size of the Maximum Transmission Unit MTU The default...

Page 99: ...2 7 255 255 255 0 mtu 1500 100_half_duplex no dhcp_server ENTER or WG config if interface 0 10 12 12 7 24 mtu 1500 100_half_duplex no dhcp_server ENTER or WG config if interface 0 10 12 12 7 24 mtu 15...

Page 100: ...for all client connections and any limitations recorded as minutes no dhcp_server Enter this argument to disable any previously active DHCP service Example WG config if private 192 168 1 1 255 255 25...

Page 101: ...1 Public if it is a publicly routable fixed IP address Arguments a b c d This argument records the IP address assigned to this interface prefix mask This argument records the number of bits in the sub...

Page 102: ...e information on unnumbered links see RFC 1812 section 2 2 7 backup ip a b c d mask a b c d gateway a b c d dhcp host_id pppoe user name password password unnumbered_pppoe a b c d disable disable swit...

Page 103: ...ne when the WAN connection has failed interval determines the amount of time that elapses between attempts to ping all three specified tracking addresses timeout determines the amount of time that can...

Page 104: ...g if interface 1 dhcp dhcpsrvr Example Backup Connection WG config if interface 1 10 10 12 8 255 255 0 0 mtu auto backup ip 10 10 24 16 mask 255 255 0 0 gateway 10 100 99 1 tracking add 124 12 15 16 i...

Page 105: ...of the Maximum Transmission Unit MTU The default is 1500 bytes 100_full_duplex 100_half_duplex 10_full_duplex 10_half_duplex auto This setting allows you to specify the speed at which the interface w...

Page 106: ...ords the number of bits in the subnet mask for example 16 is equivalent to the address 255 255 0 0 or the actual subnet mask address mtu num This allows you to set the size of the Maximum Transmission...

Page 107: ...tionality Arguments a b c d This argument records the IP address assigned to this interface prefix mask This argument records the number of bits in the subnet mask or the subnet mask Example WG config...

Page 108: ...router transparent ENTER Effect Use to switch the appliance between Router mode and Transparent mode An appliance can only be switched from Router mode default to Transparent mode when the appliance...

Page 109: ...you about the process Arguments None Example WG config if exit ENTER Commit Y N y ENTER Results interface 1 IP address is set to 16 10 203 121 please wait for it to take effect WG config Level 2 IPSec...

Page 110: ...ame of an address group containing the peer IP address auto_key Enter this argument if this action utilizes an automatic key Do not use the manual key if using an automatic key The following two argum...

Page 111: ...e number that represents the SPI of the peer security appliance The number should be between 256 and 65535 des 3des Use this argument to pick either DES or 3DES encryption algorithms ascii_key hex_key...

Page 112: ...with peer tunnel The IP is NY_Gateway no PFS the first proposal is MAX_SECURITY and the second is ESP_3DES WG config ipsec action remote_user_ipsec tunnel auto pfs_group 1 ESP 3DES MD5 ESP DES MD5 EN...

Page 113: ...policies Arguments name This argument notes the name assigned to this new proposal antireplay_window 0 32 64 This argument and the required value sets the anti replay window size esp des 3des md5 sha...

Page 114: ...ew AH transform to an existing proposal Level 2 Quality of Service QoS configuration commands action command configure Quality of Service level WG config ENTER WG config qos ENTER WG config qos action...

Page 115: ...ard appliance and enters the general QoS value for that interface The value entered will be the sending throughput of that interface To enable a system port shaping action the appliance will automatic...

Page 116: ...rs of all associated remote access user accounts Arguments name This argument records a name for this group profile which will be used when creating individual user profile accounts no address_pool ad...

Page 117: ...config ENTER WG config ras ENTER WG config ras user_profile name enable disable password password full_name name group_profile profile_name pw_expiry days never account_expiry days never concurrent_lo...

Page 118: ...expires The default is 90 days account_expiry days never This argument sets the number of days until this account expires The default lifetime is 180 days concurrent_logins number This argument limits...

Page 119: ...p name Effect Establishes whether the authentication database is stored on the RADIUS server or in this WatchGuard Firebox Vclass security appliance then notes the parameters of this database Argument...

Page 120: ...ADIUS server authentication pap secure_id This argument establishes which authentication is being used PAP or SecurID port number This optional argument records the RADIUS server port number if needed...

Page 121: ...onfigure system level on page 110 ldap ldap command configure system level on page 110 log log command configure system level on page 111 mss_adjustment mss_adjustment on page 112 ntp ntp command conf...

Page 122: ...re the ldap command prompt deactivates this LDAP connection domain name This argument records the domain name of this security appliance server a b dc d This argument records the IP address of the DNS...

Page 123: ...e WatchGuard CPM access to this WatchGuard appliance password_text Enter the text of the CPM access password after enable disable Enter this argument if you have already established CPM access and wan...

Page 124: ...ror handling for all events or just for the events you specify interface command configure system level WG config ENTER WG config interface Effect Enters the interface configuration mode at which poin...

Page 125: ...and LDAP server port number You can enter either an IP address or a domain name and if the LDAP server port number is other than 389 you must enter it To enter a host name you must first record the D...

Page 126: ...result in fragmentation degrading VPN performance Proxies may require MSS adjustment to prevent fragmentation Some older systems do not support MTU to regulate packet size This feature works along wi...

Page 127: ...r If you select this option packets may fragment Example WG config ENTER WG config system ENTER WG config system mss_adjustment limit_to 1400 ntp command configure system level WG config ENTER WG conf...

Page 128: ...P management workstations that will receive traps generated by this security appliance Arguments no This argument if entered before the snmp command prompt removes deactivates all recorded SNMP statio...

Page 129: ...name and actual location of the appliance Arguments name string Use this argument to record the DNS name of this security appliance without the rest of the DNS entry location string Use this argument...

Page 130: ...4 0 SerialNum D0YXA0A0D408 tcp_syn_checking WG config ENTER WG config system ENTER WG config system tcp_syn_checking enable disable Effect This enables or disables TCP SYN checking vlan_forwarding co...

Page 131: ...e packets through the VPN tunnel If you set this feature the appliance ignores the don t fragment DF rule no IPSec_pass_through This allows IPSec pass through Level 2 license commands for upgraded or...

Page 132: ...Removes the named license from the appliance Arguments license_id This argument records the exact ID for a license to delete Example None show command config license level WG config ENTER WG config l...

Page 133: ...93MXLD Feature s HA 3DES UPGRADE Expiration Date 17 05 2022 Level 2 tenant configuration commands vlan command configure tenant level WG config WG config tenant WG config tenant vlan name id num inter...

Page 134: ...vate or 2 DBZ interface if one of those are specified gateway a b c d This argument notes the gateway IP address for this tenant if needed public default a b c d e This allows you to specify a public...

Page 135: ...will be expected to use Arguments user_domain This argument identifies which type of tenant this entry represents name This argument records the name assigned to this VLAN tenant for use in security p...

Page 136: ...fig tenant user_domain MegaCo interface 1 192 168 12 34 id 6666 idle 720 radius 12 12 3 144 radius_secret no_admit ENTER Level 3 configuration mode commands The following section detailing all the thi...

Page 137: ...argument to record the IP address of the next gateway to the destination subnet interface 0 1 2 This argument specifies which interface in this security appliance is used for outgoing traffic using th...

Page 138: ...ion commands Activate or deactivate traffic log file WG config ENTER WG config system ENTER WG config sys log ENTER WG config log traffic Effect Use this command to activate or deactivate a traffic lo...

Page 139: ...ent log Example WG config log event error ENTER Set up remote log server connection WG config ENTER WG config system ENTER WG config sys log ENTER WG config log remote_log_server ip_address Effect Use...

Page 140: ...CHAPTER 3 Configuration Mode Commands 126 WatchGuard Vclass 5 1 N to void the changes and leave the database in its previous state...

Page 141: ...mmands detailed here enable the use of standard Linux commands such as ping tcp dump netstat traceroute and arp Most commands such as netstat arp ping tcpdump and traceroute are similar to those provi...

Page 142: ...e kernel_debug command on page 133 netstat See netstat command on page 134 ping See ping command on page 134 pppoe_config See pppoe_config command on page 135 radius_ping See radius_ping command on pa...

Page 143: ...p ENTER clear_logs WG debug ENTER WG debug clear_logs Effect Clear all log entries Argument None config_http command Effect Allows you to enable and disable debugging for HTTP WG debug ENTER WG debug...

Page 144: ...ow set idle timeout set_default h where show Displays the current settings set idle timeout Set the connection idle timeout in seconds 1 86400 Effect This allows you to set the connection idle timeout...

Page 145: ...rdware diagnostic tests or hwdiag 2 ENTER to perform level 2 tests Level 2 hardware diagnostics require that the system be rebooted after the tests complete ifconfig command WG debug ENTER WG debug if...

Page 146: ...h0 eth2 eth3 in transparent mode importscreen command WG debug ENTER WG debug importscreen Import a tar file via ftp to customize Firewall User Login Screen Syntax importscreen ftp_server ftp_username...

Page 147: ...e a compressed tar file (.tar) that includes all of the files you want to replace for the logon and result screens. When you have completed editing, tar the files (creating a .tar file) and place this file in...

Page 148: ...ows summaries sorted by appliance interface s Shows statistics r Shows routing table information Example WG debug netstat i ENTER ping command WG debug ENTER WG debug ping a b c d Effect Use the ping...

Page 149: ...set_default allows you to set the default values for PPPoE echo and re authorization Example WG debug pppoe_config set 1 300 f 5 r 1800 t 60 radius_ping command WG debug ENTER WG debug radius_ping pa...

Page 150: ...D passcode p value This argument allows you to record a specific port number for the RADIUS server The default port number is 1812 and you can ignore this argument if the port number was not changed r...

Page 151: ...s of the RADIUS server Example WG debug radius_ping u jsmith pap johnsm 10.10.13.101 10.10.0.5 ENTER no response from RADIUS server rcinfo command WG debug ENTER WG debug rcinfo Effect Shows debug inf...
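The radius_ping command above sends a PAP Access-Request and reports whether the RADIUS server answered. The program below is an added example, not code from the WatchGuard guide or from the appliance: it implements the same exchange as specified in RFC 2865 (User-Password hiding under the shared secret and Request Authenticator, then verification of the server's Response Authenticator) against a constructed in-process stand-in for the server, so it runs offline. The user name jsmith, password johnsm and secret no_admit are reused from the guide's own examples purely as sample values; the NAS address 10.10.0.5, the identifier 7 and the toy_server and probe function names are assumptions of this example. The point it makes is the one a practitioner wants from such a probe: a reply must verify under the shared secret before its Accept or Reject is believed, because a secret mismatch otherwise looks exactly like a wrong password.

```python
"""RADIUS PAP probe modelled on radius_ping (added example, not WatchGuard code):
build an RFC 2865 Access-Request, hide User-Password under the shared secret,
and verify the Response Authenticator before trusting the server's verdict."""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    # RFC 2865 s5.2: pad to 16-byte blocks, c_i = p_i XOR MD5(secret || c_{i-1}), c_0 = Request Authenticator
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], block))
        out += prev
    return out

def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    # Server side of s5.2; trailing NULs are padding, so passwords ending in NUL are not representable
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 bytes")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        chunk = hidden[i:i + 16]
        out += bytes(x ^ y for x, y in zip(chunk, hashlib.md5(secret + prev).digest()))
        prev = chunk
    return out.rstrip(b"\x00")

def attribute(attr_type: int, value: bytes) -> bytes:
    # Type(1) Length(1, counts the header) Value; Length is one byte, so at most 253 bytes of value
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value

def build_access_request(ident, username, password, secret, nas_ip, authenticator=None):
    # Code(1) Identifier(1) Length(2) Request Authenticator(16) attributes; the authenticator must be unpredictable
    req_auth = authenticator or os.urandom(16)
    attrs = (attribute(ATTR_USER_NAME, username.encode())
             + attribute(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, req_auth))
             + attribute(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + req_auth + attrs, req_auth

def parse_packet(data: bytes):
    # Strict TLV walk: every attribute must fit inside the declared Length
    if len(data) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length > len(data):
        raise ValueError("bad Length field")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length or data[pos + 1] < 2 or pos + data[pos + 1] > length:
            raise ValueError("bad attribute length")
        attr_type, attr_len = data[pos], data[pos + 1]
        attrs.setdefault(attr_type, []).append(data[pos + 2:pos + attr_len])
        pos += attr_len
    return code, ident, length, data[4:20], attrs

def build_response(code, ident, request_auth, secret, attrs=b""):
    # Response Authenticator = MD5(Code || ID || Length || RequestAuth || Attributes || Secret)
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs

def verify_response(response: bytes, request_auth: bytes, secret: bytes) -> bool:
    # A reply that fails this check is forged or was built under a different shared secret
    _, _, length, resp_auth, _ = parse_packet(response)
    expected = hashlib.md5(response[:4] + request_auth + response[20:length] + secret).digest()
    return hmac.compare_digest(expected, resp_auth)

def toy_server(request: bytes, server_secret: bytes, users: dict) -> bytes:
    # Constructed stand-in for the RADIUS server so the exchange runs offline (not part of the guide)
    code, ident, _, req_auth, attrs = parse_packet(request)
    try:
        name = attrs[ATTR_USER_NAME][0].decode()
        password = unhide_password(attrs[ATTR_USER_PASSWORD][0], server_secret, req_auth)
    except (KeyError, ValueError, UnicodeDecodeError):
        password, name = None, None
    ok = code == ACCESS_REQUEST and name is not None and users.get(name) == password
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, req_auth, server_secret)

def probe(username, password, client_secret, nas_ip, server_secret, users, ident=7) -> str:
    # Verify the reply before reading its Code, so a secret mismatch is not reported as a bad password
    request, req_auth = build_access_request(ident, username, password, client_secret, nas_ip)
    response = toy_server(request, server_secret, users)
    if response[1] != ident or not verify_response(response, req_auth, client_secret):
        return "bad response authenticator (shared secret mismatch or forged reply)"
    return {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject"}.get(response[0], "other")
```

probe() returns a short verdict string. Calling it with the same secret on both sides (for instance probe("jsmith", "johnsm", b"no_admit", "10.10.0.5", b"no_admit", {"jsmith": b"johnsm"})) yields Access-Accept; passing a different server secret yields the authenticator failure, which a naive probe that only reads the reply's Code would misreport as a rejected login. The MD5-based hiding is obfuscation keyed on the shared secret, not encryption, which is why RADIUS over an untrusted network needs IPsec or RadSec rather than a stronger password attribute.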

Page 152: ...CHAPTER 4 Debug Mode Commands 138 WatchGuard Vclass 5.1 rs_kdiag command WG debug ENTER WG debug rs_kdiag Effect This command displays internal diagnostics information Arguments None...

Page 153: ...FX AutoNegotiation disabled 100F 100BaseT Full duplex mode 100H 100BaseT Half duplex mode 10F 10BaseT Full duplex mode 10H 10BaseT Half duplex mode show current setting Effect This command sets the ph...

Page 154: ...nterface 1 public to 10BaseT Half duplex mode tcpdump command WG debug ENTER WG debug tcpdump Effect Dumps all traffic on a network tcpdump captures all packets detected by the network interfaces...

Page 155: ...bose tracing in the traffic log If this is enabled every firewall-dropped packet will be shown in the traffic log All DNS packets will also be shown in the traffic log NOTE If this feature is enabled...

Page 156: ...g Mode Commands 142 WatchGuard Vclass 5.1 NOTE This feature is not supported in software versions earlier than 5.0 Example WG debug ENTER WG debug vinstall 10.10.0.98 ftpadmin ftppass upload downgrade...

Page 157: ...ribes commands that do not belong to one of the three main command modes Administration Configuration and Debug No command The no command is used before another command or argument to turn off or dis...

Page 158: ...ou type show at the top level CLI prompt the WatchGuard CLI will display a complete list of show arguments listed above in Contents that enable you to list almost every kind of object in the WatchGuar...

Page 159: ...on page 152 mode See Show log command on page 152 nat See Show NAT command on page 153 ntp See Show NTP command on page 153 policy See Show policy command on page 154 qos See Show QoS command on page...

Page 160: ...xec_staff ENTER Show alarm command WG show alarm definition log more follow ENTER Effect Displays a summary of current outstanding alarms Arguments definition This displays a list of alarm definitions...

Page 161: ...ection of certificates including pending requests root certificates and system certificates Examples WG show certificate ENTER Display certificate settings WG show certificate ca sys pending cert_id E...

Page 162: ...PM information Examples WG show cpm ENTER Arguments None Show denial_of_service command WG show denial_of_service ENTER Effect Displays the DOS and DDOS configurations currently active in this applian...

Page 163: ...This argument allows you to specify whether the actions or policies are listed Examples WG show ike action ENTER Display IKE policy parameters WG show ike action policy name ENTER Effect Displays the...

Page 164: ...PSec proposals or actions depending upon the argument Arguments action proposal This argument specifies the type of IPSec component action or proposal that you want to review Examples WG show ipsec pr...

Page 165: ...t_secure ENTER Show LDAP command WG show ldap ENTER Effect Displays any current LDAP server connection settings Arguments None Show license command WG show license license_id ENTER Effect Displays the...

Page 166: ...a designated log file If you enter config as the argument the CLI will display the configuration settings for all logs Arguments config This argument will display the current configurations for server...

Page 167: ...s any current NAT actions stored in this appliance database Arguments None Display NAT action configuration WG show nat name ENTER Effect Displays the configuration of a specifically named NAT action...

Page 168: ...otes the exact name of the security policy you want to review Example WG show policy SJO NYC_VPN ENTER List active security policies WG show policy ENTER Effect Lists all active security policies stor...

Page 169: ...QoS action Arguments name This argument indicates by exact name the QoS action you want to review Example WG show qos action slow_to_55 ENTER Show RAS command WG show ras group_profile user_profile d...

Page 170: ...ile or user profile name This argument records the name of the designated object that you want to review Example WG show ras user_profile sales12 ENTER Show route command WG show route ENTER Effect Di...

Page 171: ...n used with p1 will display a summary of the identified SA When used with p2 this argument will display a summary of the requested tunnel activities Example WG show sa p2 209 ENTER Show service comman...

Page 172: ...command WG show snmp ENTER Effect Displays the SNMP settings for the appliance Arguments None Example WG show snmp ENTER Show statistics command WG show statistics show statistics ras user_ID show sta...

Page 173: ...d WG show sysupgrade ENTER Effect Displays a chronological record of recent system software upgrades including version number and date installed in this WatchGuard appliance Arguments None Example WG...

Page 174: ...PTER 5 Other Commands 160 WatchGuard Vclass 5.1 Show version command WG show version ENTER Effect Displays the version number of WatchGuard operating software Arguments None Example WG show version EN...

Page 175: ...nds 17 available tasks 2 B character use of 9 C case sensitivity of object strings 9 certificate configuration mode entry into 45 certificate settings display specific 147 certificate import VPN 69 ce...

Page 176: ...er_profile RAS 103 vlan tenant 119 vlan_fowarding system 116 configuration level 3 dynamic system route 123 event system log 124 remote_log_server system log 125 static system route 122 traffic system...

Page 177: ...ands 127 141 delete license 118 delete specific configuration changes 45 deleting items in database 22 deleting text 10 denial of service parameter configuration 46 DHCP server configuration options 8...

Page 178: ...erface 2 configuration 90 interface address settings display 82 interface configuration entry 110 interface configuration enter 82 interface configuration level 2 commands 82 95 interfaces show detail...

Page 179: ...port XML 33 Public See interface 1 Q QoS action record new 100 QoS actions show current available 154 QoS configuration entry 60 QoS configuration level 2 commands 100 101 QoS configuration show all c...

Page 180: ...r display 160 SSL certificate request 71 static route configuration 122 system configuration mode 64 system configuration level 2 commands 107 116 system configuration show general 158 system informat...

Page 181: ...WatchGuard Command Line Interface Guide X xml export debugging information not exported 127 XML profile import 33...