WatchGuard® Command Line Interface User Guide, WatchGuard Firebox Vclass 5.1...
WatchGuard Technologies, Inc.
TRADEMARK NOTES
WatchGuard and LiveSecurity are either trademarks or registered trademarks of WatchGuard Technologies, Inc. in the United States and other countries. Firebox, ServerLock, DVCP, and Designing peace of mind are trademarks of WatchGuard Technologies, Inc.
(“SOFTWARE PRODUCT”). WATCHGUARD is willing to license the SOFTWARE PRODUCT to you only on the condition that you accept all of the terms contained in this Agreement. Please read this Agreement carefully.
SOFTWARE PRODUCT are owned by WATCHGUARD or its suppliers. Your rights to use the SOFTWARE PRODUCT are as specified in this AGREEMENT, and WATCHGUARD retains all rights not expressly granted to you in this AGREEMENT. Nothing in this AGREEMENT constitutes a waiver of our rights under U.S.
SUBSTITUTION FOR, AND YOU HEREBY WAIVE, DISCLAIM AND RELEASE ANY AND ALL OTHER WARRANTIES, OBLIGATIONS AND LIABILITIES OF WATCHGUARD AND ALL OTHER RIGHTS, CLAIMS AND REMEDIES YOU MAY HAVE AGAINST WATCHGUARD, EXPRESS OR IMPLIED, ARISING BY LAW OR OTHERWISE, WITH RESPECT TO ANY...
THE SOFTWARE Product will in no event exceed the purchase price paid by you for such Product. IN NO EVENT WILL WATCHGUARD BE LIABLE TO YOU OR ANY THIRD PARTY, WHETHER ARISING IN CONTRACT (INCLUDING WARRANTY), TORT (INCLUDING ACTIVE,...
AGREEMENT, destroy all copies of the SOFTWARE PRODUCT in your possession, or voluntarily return the SOFTWARE PRODUCT to WATCHGUARD. Upon termination you will destroy all copies of the SOFTWARE PRODUCT and documentation remaining in your control or possession.
CLI limitations .......... 3
CLI Guide text conventions .......... 5
Getting started with the WatchGuard CLI .......... 5
Connecting to an appliance .......... 6
Logging into an appliance via a console connection
Logging into an existing appliance via a network connection
Logging out of the appliance .......... 19
Installing and configuring a WatchGuard appliance .......... 19
To log into a WatchGuard appliance for the first time .......... 20
To assign network addresses to appliance interfaces .......... 20
To complete system configuration
Level 2 High Availability configuration commands .......... 78
Level 2 IKE configuration commands .......... 82
Level 2 interface configuration commands .......... 95
Level 2 IPSec configuration commands .......... 100
Level 2 Quality of Service (QoS) configuration commands
Show SNMP command .......... 158
Show statistics command .......... 158
Show sysinfo command .......... 159
Show sysupgrade command .......... 159
Show trace command .......... 159
Show tunnel_switch command .......... 160
Show version command
Index .......... 161
Introducing the WatchGuard CLI
The WatchGuard CLI (Command Line Interface) offers the experienced network administrator an efficient way to set up and manage WatchGuard Firebox Vclass security appliances via a terminal application. As the CLI architecture uses a model implemented in...
CHAPTER 1: Using the Command Line Interface
...attempting to use the CLI. Learning the WatchGuard Vcontroller, its terms and processes, and the underlying “flow” of appliance administration will establish a solid competency with the concepts and terms used extensively in the CLI.
CLI limitations
Please note that the WatchGuard CLI is not a complete replacement for the WatchGuard Vcontroller application, as you cannot do the following with the CLI:
• Set up probes that monitor the current activities of the security appliance
• ...
...Space bar on the keyboard) are represented in a few instances in this Guide by the <sp> notation. In most cases, however, spaces are simply represented by actual spaces. For example, in:
WG(config)#address -group exec_staff
All you need is (1) the IP address of a WatchGuard appliance data interface and (2) a currently active policy permitting CLI console (Telnet/SSH) access to the system through that interface. This may be done by means of the CLI or the WatchGuard Vcontroller, once configuration is complete. Where you have the choice, permit SSH rather than Telnet: Telnet carries the admin credentials and every command you type in clear text. If you attempt to log into a functioning, fully configured WatchGuard appliance with the CLI, you must enter “admin”...
You can now work with the CLI.
Logging into an existing appliance via a network connection
To log into a currently active (configured) WatchGuard appliance over a network connection, follow these steps: Make sure that this appliance has an active policy permitting Telnet/SSH access via a specific WatchGuard appliance interface.
A new WG# prompt is displayed.
Understanding the command prompt
As you navigate through the WatchGuard Command Line Interface, the command prompt always indicates what command level/mode you are in. For example:
Command Prompt    Command Level/Mode...
Getting started with the WatchGuard CLI
Case sensitivity
Commands, command arguments and keywords in the WatchGuard CLI are not case sensitive. For example, show policy is equivalent to SHow POLicy. Object name strings are case sensitive: typing the address group name (string) “EveryBody_on_NET_A” is not the same as typing “everybody_on_net_a”! This covers all text...
Adding entries to an existing item requires use of the “plus” character (+). If a setting or entry already exists in this WatchGuard appliance, add a “plus” character (+) before the additional elements to edit that setting. In the following example, an additional host with an IP address of 199.86.77.100 is added...
Reviewing the recently used commands
The WatchGuard CLI stores up to 20 commands (at each level in every mode) in a History buffer, which you can use to view your most recent tasks.
Server_port = 53
WG#^DNS^SSH          # This substitutes SSH for DNS in the recalled command and executes "show service SSH"
Service Group:       # This shows the results.
Name = SSH
Description = "Secure Shell (Remote Login Protocol)"
Protocol = TCP
Server_port = 22
WG#_
Navigating through the CLI
WG#!49               < Recall command line #49. This is the command; the next six lines are the result.
show service DNS
Service Group:
Name = DNS
Description = "Domain Name Services"...
See “Reviewing the recently used commands” on page 11 for details.
exit command
WG(admin)#exit
Effect
Exits the current level of CLI and returns to the next-highest command level, all the way to the top-level WG# prompt.
Arguments
None.
Example
WG(admin)#exit<ENTER>
top command
WG(admin)#top
Effect
Immediately returns to the top level of the WatchGuard CLI (the “WG#” prompt) from whatever level of CLI you are using.
Arguments
None.
Example
WG(admin)#top<ENTER>
# As a result, the WG# prompt is displayed.
...PING ALLOW_PING_FROM_PUB INTER PING ALLOW_PING_FROM_DMZ INTER PING ALLOW_OUTBOUND_DNAT DENY_INBOUND Deny HOST_OUT
WG(config)#_
Executing the show command followed by a specific name displays only the details associated with that specific named object, as shown in the following example:
debug      Enter debug mode
show       Show current configuration and statistics
history    Show command history
logout     Exit the system
exit       Exit the system
The WatchGuard CLI’s help system also lists a specific command’s argument options along with their specific...
<ENTER>. When the WG# prompt is displayed, type exit and press <ENTER>. You are logged out of the appliance. You can disconnect the terminal session, and physically disconnect your workstation from the appliance if necessary.
Installing and configuring a WatchGuard appliance
You can use the WatchGuard CLI to perform almost all setup and configuration tasks. We’ve organized the following catalog of tasks into general categories, with references to the series of CLI commands you would use to perform specific tasks.
Task                                                  Command
...routes                                             WG(config-sys)#route
connect to a domain name server                       WG(config-sys)#dns
connect to any SNMP management stations               WG(config-sys)#snmp
activate needed system activity logging               WG(config-sys)#log
connect this appliance to an LDAP server              WG(config-sys)#ldap
activate WatchGuard tunnel-switching features         WG(config)#tunnel_switch
Description                                                        Command
request and import needed certificates from CAs                    WG(config)#cert
customize anti-hacker protection for this appliance                WG(config)#denial_of_service
set up and activate a high-availability system, using the
High Availability feature                                          WG(config)#high_availability
includes event, traffic and alarm log...
...RAS policies                                       WG(config-ras)#database
create the actual policies                            WG(config)#policy
To remove/delete items from a WatchGuard database
To remove a particular object (policy, action, group profile, etc.), use this command:
WG(config)#delete
To save and apply your most recent changes
To save and apply the latest changes and additions to this appliance’s configurations and policies, use this command:...
Description                                           Command
display and configure the ARP table                   WG(debug)#arp
show network/connection states and statistics         WG(debug)#netstat
verify network connectivity                           WG(debug)#ping
verify connection with a RADIUS server                WG(debug)#radius_ping
trace network packets                                 WG(debug)#tcpdump
trace a route to a specific destination...
To get on-line help while working
To get help with the WatchGuard CLI
Command    Description
...        online help at any prompt, or at the end of any other command
...        view a list of objects at the...
CHAPTER 2: Administration Mode Commands
All WatchGuard CLI commands are organized into groups, which are presented as specific command modes. This chapter covers the commands available in Administration Mode.
Command syntax conventions used in this guide
To help you better use this guide, the following text conventions are used.
If you enter a command in the CLI, such as the following:
WG(config)#policy
and press <ENTER> without adding any arguments to the command line, the WatchGuard CLI will display a com-
In a text editor, create and save an ASCII text file with the following two lines:
admin
account -unlock admin
In Vcontroller, click Diagnostics/CLI and select the CLI tab. This feature allows you to select a text file that contains CLI commands.
-all
This command displays detailed information for all accounts on the device.
Examples
WG#admin<ENTER>
WG(admin)#account -login_limit
WG#admin<ENTER>
WG(admin)#account -login_limit admin 5
WG#admin<ENTER>
WG(admin)#account -unlock joe_user
downgrade command
WG#admin<ENTER>
WG(admin)#downgrade
Arguments
None
Example
WG(admin)#downgrade<ENTER>
If you apply this command, certain WatchGuard features incorporated in the current version may not be available afterwards. This will affect both configurations and policies in this appliance. You should make a careful review of this security appliance’s setup to prevent any problems.
Resets all active connections, including SAs.
Arguments
None.
ha_sync command
WG#admin<ENTER>
WG(admin)#ha_sync
This command is available only if the WatchGuard appliance you are currently logged into has High Availability enabled (using the “config-ha” command), is the Master appliance, and is connected to another security appliance assigned to a backup role.
Effect
Initiates the WatchGuard Firebox Vclass security appliance hotsync process, which copies the complete profile (configurations and policies) from this appliance to a designated backup appliance.
WG(admin)#import cert -ftp wg:wg@ftp.watchguard.com:/pub/cert/cert.p2<ENTER>
xml command
WG#admin<ENTER>
WG(admin)#import xml [-tftp] <host:/target/file_name> -ftp <[user[:passwd]@]host:/target/file_name> [-console]
Effect
Imports an XML file via one of several possible methods. Note that FTP and TFTP transfer the file, and any password given after -ftp, unencrypted, and a password typed inline also remains in the CLI history buffer.
Arguments
-tftp | -ftp | -console
Selects the transfer method, as shown in the syntax line.
Example
WG(admin)#import xml -ftp wg:wg@ftp.watchguard.com:/pub/xml/listfile.xml<ENTER>
To add blocked sites that do not expire, use only the IP address.
Arguments
blocked|allowed
Specifies whether to import the contents of the text file to the blocked IP list, or to the allowed (exceptions) IP list.
merge|override
- Non-qualified algorithms are disabled (MD5).
- SSL 3.0 is disabled. Support for TLS is still included.
- A direct crypto interface to the Rapidcore and other crypto modules is provided for the startup...
Replaces the current “admin” super user access password text with a new entry. This command initiates a several-step process in which you will be prompted to enter the new password twice before it takes effect. See “Process” immediately following for details.
. If you forget the password and lose the note, contact WatchGuard for assistance. (If you do record the password, keep the record in a password manager or a locked safe, not with the appliance.)
reboot command
WG#admin<ENTER>
WG(admin)#reboot
Effect
Shuts down, then restarts this WatchGuard Firebox Vclass security appliance. You will be...
When the restoration is complete, the main login prompt will appear. You can now log into the appliance with the user name of “admin” and the password of “admin” to begin reconfiguration of this appliance. Change this default password immediately with the password command: the admin/admin pair is the same on every restored appliance and is the first thing an attacker on the management network will try.
shutdown command
WG#admin<ENTER>
WG(admin)#shutdown
Effect
Shuts down this WatchGuard appliance. You will be automatically logged out of the appliance, at which time you can break the CLI connection.
Arguments
None.
upgrade command
WG(admin)#upgrade
upgrade [-tftp] <host:/target/upgrade.rsu>
upgrade -ftp <[user[:passwd]@]host:/target/upgrade.rsu>...
CHAPTER 3: Configuration Mode Commands
All WatchGuard CLI commands are organized into groups, which are presented as specific command modes. This chapter covers the commands available in Configuration Mode.
Top-level configuration mode commands
The following catalog lists the top-level configuration mode commands, with a description of the arguments for each command and the values for each argument.
tenant           See “tenant command” on page 65.
tunnel_switch    See “tunnel_switch command” on page 65.
show             See “show command” on page 66.
history          See “history command” on page 14.
exit             See “exit command” on page 14.
top              See “top command” on page 15.
(3) a subnet, and (4) a group of existing address entries that you may want to combine into a single entity.
Arguments
<"name">
This argument notes a new “name” for this group. You can then type one or more of the following...
# Creating a new address group with a single host
WG(config)# address my_nets -range 14.0.2.1-14.0.2.125<ENTER>
# Creating a new address group with a range of IP addresses
WG(config)# address my_nets + -net 10.29.0.0/16<ENTER>
# Add a new address to an existing address group
None
delete command
WG#config<ENTER>
WG(config)#delete <object_type "name">
Effect
Deletes a specifically named object, such as an address group, policy, action, or service.
Arguments
<"name">
This argument records the exact name of the to-be-deleted item.
WG(config)#denial -syn 1000 no -udp<ENTER>
high_availability commands
High Availability commands will not be available to you if the WatchGuard appliance you are administering does not feature any HA ports. In addition, you need a High Availability feature license.
Enter high availability configuration mode
WG#config<ENTER>...
Enters the IKE configuration mode, at which point you can enter IKE-specific commands and their arguments.
Arguments
None in this mode.
See Also
For more information about “IKE” mode commands, see “Level 2 IKE configuration commands” on page 78.
IPSec action- and proposal-specific commands and their arguments.
Arguments
None in this mode.
See Also
For more information about “IPSec” mode commands, see “Level 2 IPSec configuration commands” on page 95.
license command
WG#config<ENTER>
WG(config)#license
(log level)
WG#config<ENTER>
WG(config)#log<ENTER>
WG(config-log)#no <event|remote_log_server|traffic>
Effect
Disables logging for the specified log.
Arguments
None
Example
WG#config<ENTER>
WG(config)#log<ENTER>
WG(config-log)#no traffic
clear all command (log level)
WG#config<ENTER>
WG(config)#log<ENTER>
WG(config-log)#clear all
Effect
Clears all logs.
WG(config-log)#diagnostics ha 1
[no] event command (log level)
WG#config<ENTER>
WG(config)#log<ENTER>
WG(config-log)#[no] event <critical|error|warning|administration|info>
Effect
Turns logging on (or off, if the command is preceded by “no”) for the specified error level.
Arguments
None
[-p2sa <facility> <priority>] [-ras <facility> <priority>]
# facility := auth|authpriv|cron|daemon|ftp|kern|lpr|mail|news|syslog|user|uucp|local0|local1|...|local7
# priority := original|debug|info|notice|warning|err|crit|alert|emerg
Effect
Turns remote logging on or off for the specified logs and error levels.
Arguments
None
Example
WG#config<ENTER>
WG(config)#log<ENTER>
WG(config-log)#remote 10.10.10.99 default
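The facility and priority you give the remote command decide the PRI number that every forwarded message carries, which is what a collector filters on. The following is an added example, not code from the WatchGuard guide: it decodes the PRI header of received syslog lines using the facility and priority names the command accepts, and checks that a log stream arrives with the pair you configured. The numbering rule (PRI = facility × 8 + severity) is the standard syslog encoding from RFC 3164, not something the guide states; the sample messages are constructed, and the appliance's "original" priority keyword (keep the event's own level) has no fixed number and is not modelled.

```python
"""Decode syslog PRI headers and verify a remote-log facility/priority pair.

Added example, not part of the WatchGuard guide. Facility and severity
names follow the guide's remote command; numbering follows RFC 3164.
"""
import re

# Facility names in syslog numbering order (0..23). Entries 12-15 are
# standard syslog facilities that the appliance does not offer.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr",
              "news", "uucp", "cron", "authpriv", "ftp",
              "ntp", "logaudit", "logalert", "clock",
              "local0", "local1", "local2", "local3",
              "local4", "local5", "local6", "local7"]

# Severity names in syslog numbering order (0..7); "crit" is the
# appliance's "Crit" (the CLI is not case sensitive for keywords).
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)


def pri_value(facility: str, severity: str) -> int:
    """PRI number a message carries for a configured facility/priority pair."""
    return FACILITIES.index(facility) * 8 + SEVERITIES.index(severity)


def decode_pri(message: str) -> tuple:
    """Split a raw syslog line into (facility, severity, rest_of_message)."""
    m = PRI_RE.match(message)
    if not m:
        raise ValueError("no PRI header: %r" % message[:40])
    pri = int(m.group(1))
    if pri > 191:                     # 23 * 8 + 7 is the largest legal value
        raise ValueError("PRI out of range: %d" % pri)
    return FACILITIES[pri // 8], SEVERITIES[pri % 8], m.group(2)


def check_messages(messages, expected):
    """Return (facility, severity, line) for every line that does not carry
    `expected`, the (facility, severity) pair configured for that log."""
    bad = []
    for line in messages:
        fac, sev, _ = decode_pri(line)
        if (fac, sev) != expected:
            bad.append((fac, sev, line))
    return bad


# Constructed sample lines, as a collector might receive them from an
# appliance whose -p2sa (phase-2 SA) log was configured as local0 info.
SAMPLE = [
    "<134>Dec  5 16:38:58 fw1 ipsec: phase2 SA established peer=10.0.0.2",
    "<134>Dec  5 16:39:10 fw1 ipsec: phase2 SA expired peer=10.0.0.2",
    "<30>Dec  5 16:40:00 fw1 cron: daily job started",
]

if __name__ == "__main__":
    for fac, sev, text in (decode_pri(m) for m in SAMPLE):
        print(f"{fac:8} {sev:8} {text}")
    print("mismatches:", check_messages(SAMPLE, ("local0", "info")))
```

A collector rule that keys on PRI 134 therefore catches exactly the local0/info stream; the third sample line, sent as daemon/info (PRI 30), is reported as a mismatch.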
WG(config-log)#history
Effect
Shows up to the last 20 commands.
Arguments
None
Example
WG#config<ENTER>
WG(config)#log<ENTER>
WG(config-log)#history
rename command (log level)
WG#config<ENTER>
WG(config)#log<ENTER>
WG(config-log)#rename
address    rename address groups
ike        rename IKE actions/policies
ipsec      rename IPSec actions/proposals
VIP, DNAT or Static NAT.
Arguments
<"name">
If this is to be a load-balancing or static NAT action, enter a short, distinctive name for this new action following the NAT command prompt.
-static_nat <-external <address group>> <-internal <address group>>
If you are entering the “server” argument, you must note (1) the IP address of the server, (2) the port number it will watch and (3) the proportion of traffic this server will be assigned, noted as a whole number.
Note that dynamic NAT is already present in the WatchGuard database by default, and is ready for use in security policies. You can specify “dynamic_nat” as the NAT action when you create the appropriate policies.
Examples
WG(config)#nat load_balancing -vip...
Note: you should have already created the needed address groups, schedules, actions and services before creating this new policy.
Arguments
<source> <destination>
These two arguments record the source and...
-schedule: Enter the name of a schedule after this argument.
-ipsec: Enter the name of an IPSec action after this argument.
[{-tosF | -tosR} <bbbbbb>]
This argument records the TOS marking direction and marking bit. “bbbbbb” represents the six bit...
.
Examples
WG(config)#policy Allow_Outbound Any Any interface 0 -firewall pass -nat DYNAMIC_NAT<ENTER>
WG(config)#policy HQ_BR_VPN HQ BR interface 0 -firewall pass -ipsec bi HQ_IPsec<ENTER>
WG(config)#policy SJ_NY_VPN SJ NY interface 1 \
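Address groups and policies are usually created in bulk, and the Vcontroller CLI tab accepts a text file of commands, so it pays to generate the batch rather than type it. The following is an added example, not code from the WatchGuard guide: it emits the address and policy commands from a small table, reproducing only the syntax the guide shows (address <name> -range a-b, address <name> + -net x/y with the “+” required from the second entry of an existing group onward, and policy <name> <src> <dst> interface <n> -firewall pass with either -nat DYNAMIC_NAT or -ipsec bi <action>). Group and policy names are made up, and the leading config line is an assumption that mode-entering commands belong in the file just as admin does in the unlock example earlier in this chapter. Every address is validated first, because a mistyped subnet reaches the appliance as a wider match than intended.

```python
"""Generate a WatchGuard CLI batch (address groups and policies) from a table.

Added example, not code from the WatchGuard guide. Names and addresses
below are constructed; only the command shapes shown in the guide are used.
"""
import ipaddress


def address_commands(name: str, entries: list) -> list:
    """Emit the 'address' lines for one group.

    `entries` holds CIDR subnets ("10.29.0.0/16") or ranges ("a-b").
    The first entry creates the group; later ones use "+" to add to it.
    """
    if not name.replace("_", "").isalnum():
        raise ValueError("bad group name: %r" % name)
    lines = []
    for i, entry in enumerate(entries):
        if "-" in entry:
            lo, hi = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
            if lo > hi:
                raise ValueError("range reversed: %s" % entry)
            arg = f"-range {lo}-{hi}"
        else:
            # strict=True rejects host bits set in the prefix (e.g. 10.1.2.3/8),
            # the typo that silently turns one host into a whole /8.
            net = ipaddress.ip_network(entry, strict=True)
            arg = f"-net {net.with_prefixlen}"
        plus = " +" if i > 0 else ""
        lines.append(f"address {name}{plus} {arg}")
    return lines


def policy_command(name, src, dst, interface, action, target) -> str:
    """Emit one 'policy' line; action is 'nat' or 'ipsec' as in the guide."""
    if action == "nat":
        tail = f"-nat {target}"
    elif action == "ipsec":
        tail = f"-ipsec bi {target}"
    else:
        raise ValueError("unknown action: %r" % action)
    return f"policy {name} {src} {dst} interface {interface} -firewall pass {tail}"


def build_batch(groups: dict, policies: list) -> list:
    """Return the full command list: enter config mode, all groups, then policies."""
    out = ["config"]                      # assumed: mode command opens the batch
    for gname, entries in groups.items():
        out.extend(address_commands(gname, entries))
    for p in policies:
        out.append(policy_command(*p))
    return out


# Constructed input: group names, subnets and policy names are made up.
GROUPS = {
    "HQ": ["10.29.0.0/16", "14.0.2.1-14.0.2.125"],
    "BR": ["192.0.2.0/24"],
}
POLICIES = [
    ("Allow_Outbound", "Any", "Any", 0, "nat", "DYNAMIC_NAT"),
    ("HQ_BR_VPN", "HQ", "BR", 0, "ipsec", "HQ_IPsec"),
]

if __name__ == "__main__":
    print("\n".join(build_batch(GROUPS, POLICIES)))
```

Save the printed lines to a text file and load it through the Vcontroller CLI tab, or paste them at the WG# prompt; either way, review the generated address lines before the policies that reference them are applied.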
QoS action-specific task commands and their arguments.
Arguments
None in this mode.
See Also
For more information about “QoS” mode commands, see “Level 2 Quality of Service (QoS) configuration commands” on page 100.
(for example) an IPSec action, an address group, a RAS user profile, etc.
<old name>
This argument records the existing name.
<new name>
This argument records the new name.
Example
WG(config)#rename address eng_net engineering<ENTER>
Be sure to wrap the range in curly brackets, as shown in the examples below. Hours must be entered in 24-hour (military) time. A midnight start time should be entered as “0:00”.
Use this argument to note the protocol and port number of a single service.
-range {<protocol> <port-port>}
Use this argument to note the protocol and two or more port numbers for a single service.
-group {<service-group> [<service-group> <service-group>]}
None in this mode.
See Also
For more information about “system” mode commands, see “Level 2 System Configuration commands” on page 107.
trace command
WG#config<ENTER>
WG(config)#trace [ike <level>] [cmm <level>] [nm <level>] [pmm <level>] [ha <level>]   # level = 1-6
WG#config<ENTER>
WG(config)#tunnel_switch <enable|disable>
Effect
Enables (or disables) the tunnel switching capability of this WatchGuard appliance, according to the specific argument. (Must be done before applying specific tunnel-switching security policies.)
Arguments
<enable | disable>
The default state is “disable”.
5 denial
WG(config)#
Second level configuration mode commands
The following sections detail the second-level configuration commands, which have been divided into “task” or “topical” collections:
• “Level 2 certificate configuration commands” on page 67
Generates a VPN certificate request that can be sent to a certifying authority. After executing this command (with the required arguments), you must cut the resulting certificate text and paste it into the relevant form: an e-mail message, a Web-site...
<encryption|signature|both>}
This argument notes the key usage particulars, including RSA or DSA and the key length in bits. This argument also notes your choice of encryption or signature (or both).
Example
WG(config-cert)#request -cert1 -com BigCompany \
[cert_id]
This optional argument records a specific certificate ID.
Examples
WG(config-cert)# show<ENTER>
Ord  TYPE  NAME                      Subject                      Cert id     KeyAlgo
1    Pndg  cn=a,o=WatchGuard,c=US    cn=a,o=WatchGuard,c=...      20001       RSA
2    CA    o=WatchGuard Inc.,c=US    o=WatchGuard Inc.,c=U...     1075246528  RSA
—OR—
WG(config-cert)# show 20001<ENTER>
Pending Certificate
Name: cn=a,o=rapidstreaym,c=US
Subject: cn=a,o=rapidstreaym,c=US
Cert ID: 20001
DNS Name: WatchGuard.com...
<ip|"name">
Use this argument to enter either the IP address or host name of this security appliance.
Example
WG(config-ssl)# ssl rs101<ENTER>
Creating certificate request could take several minutes. Please wait…
-----BEGIN CERTIFICATE REQUEST-----
MIIBbTCB1wIBADAQMQ4wDAYDVQQDEwVyczEwMTC
BnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAyr
...
YfxECAwEAAaAeBHn/nu1msTyGjzqtP42IzQM/
6YTj2uHMGPF/Y8FTYgCE
-----END CERTIFICATE REQUEST-----
Level 2 High Availability configuration commands
show command (configure high availability level)
WG#config<ENTER>
WG(config)#high_availability<ENTER>
WG(config-ha)#show
Effect
Displays the configuration settings for any High Availability ports in this WatchGuard appliance.
Arguments
None
HA1 IP 1.0.0.3 netmask 255.255.255.0
HA2 IP 10.10.10.27 netmask 255.255.0.0
HA Status
HA Role: Primary
DB Time Stamp:
  Primary: Thu Dec 5 16:38:58 2002
  Secondary: Thu Dec 5 16:38:58 2002
Status:
  Primary: ACTIVE
  Secondary: ACTIVE
Effect
Enables high availability in WatchGuard appliances with one or more HA interfaces, and assists you in entering precise HA system settings.
Arguments
active_standby | active_active
This turns high availability on in either Active/Standby mode or Active/Active mode.
[no] [shared_secret secret1]
This sets (or, with “no”, clears) the secret shared by the HA pair; “secret1” stands for the secret text. Use a long random string rather than a guessable placeholder such as the one shown.
ha1_interface <master_ip> <backup_ip> </prefix|mask>
This command configures the IP address of the HA1 interface of the master and backup appliances.
ha2_interface <master_ip> <backup_ip> </prefix|mask>
This command configures the IP address of the...
Y to do so.
Arguments
None
Example
WG(config-ha)#exit<ENTER>
Commit (Y/N)?y<ENTER>
…
HA IP address is set to 12.10.1.2, please wait for it to take effect…
WG(config-ha)#
HA pair.
ha2 <enable | disable>
Allows you to enable the HA2 port for HA use. When this is enabled, and the HA2 ports are connected between the two appliances, in addition...
<-main_mode|-aggressive_mode> [no] [-natt <enable|disable> [-natt_keepalive <seconds>]] [extended_authentication] [+] \
  -rsa {<g1|g2> <des|3des> <md5|sha> <lifetime <min|hr>> &| <lifesize <KB|MB>>} \
  -dss {<g1|g2> <des|3des> <md5|sha> <lifetime [min|hr]> &| <lifesize [KB|MB]>} \
  -preshared {<g1|g2> <des|3des> <md5|sha> <lifetime [min|hr]> | <lifesize [KB|MB]>}
Effect
Records a new IKE action, for use in IKE policies. Of the choices offered in each transform, single DES, MD5 and Diffie-Hellman group 1 (g1) are weak by current standards; prefer 3des, sha and g2 wherever the peer supports them.
-dss {<g1|g2> <des|3des> <md5|sha> <lifetime [min|hr]> &| <lifesize [KB|MB]>}
This argument and its values detail the DSS IKE transform.
-preshared {<g1|g2> <des|3des> <md5|sha> <lifetime [min|hr]> &| <lifesize [KB|MB]>}
This argument and its values specify the pre-shared key IKE transform. In all of the three...
WG(config-ike)#policy <"name"> <*|peer_address> -action <"ike_action_name"> \
  -peer <any | [-address <"name"> &| -domain <"name"> &| -user_domain <"usr@host"> &| -X.500 <"name">]> \
  [-local {<cert_id> <ip_address|domain|user_domain|X500>}] [-preshared <ascii_key|%hex_key>] [-position <number>]
Effect
Records a new IKE policy, including actions.
<-user_domain>
... type.
<-X.500>
Represents X.500 as the peer ID type.
[-local {<cert-id> <ip-address|domain|user-domain|X500>}]
This optional argument specifies which ID type is used by this WatchGuard appliance. The argument is the same as for -peer, as noted above.
This optional argument records the text of...
[[no] dhcp_server -clients num [-lease_time num [hours|days]]] [dhcp_relay <a.b.c.d>]
# -lease_time default is 7 days
Effect
Use this command to configure the network identity of a WatchGuard appliance's interface 0 (Private).
Arguments
<a.b.c.d>
This argument records the IP address assigned to this interface.
(configure interface level, V10 only)
WG#config<ENTER>
WG(config)#interface<ENTER>
WG(config-if)#private <a.b.c.d> </prefix|mask> [no] dhcp_server -clients NUMBER [-lease_time NUMBER]
Effect
Use this command to configure DHCP server options assigned to a WatchGuard V10 appliance's Private (0) interface.
#ex: inter 1 pppoe -use u1 -pas xxxxx -dial 20
#backup PPPoE connection only supports ALWAYS_ON.
Effect
Use this command to configure the network identity of a WatchGuard appliance’s interface 1 (Public), if it is a publicly routable, fixed IP address.
Arguments
<a.b.c.d>...
PPPoE (always on) using the [pppoe -user "name" -password "password"] syntax. You can configure the backup WAN connection as unnumbered PPPoE using the syntax [unnumbered_pppoe <a.b.c.d>|disable]. You can disable the backup connection by using the option [disable].
This causes a brief interruption in processing while the system restarts. In order to prevent frequent restarts, the final parameter, -pause_before_failback, is provided. This allows you to specify the amount of time that must elapse between failovers.
2 (DMZ) command (configure interface level)
WG#config<ENTER>
WG(config)#interface<ENTER>
WG(config-if)#interface 2 <a.b.c.d> </prefix|mask> [-mtu num] [-100_full_duplex | -100_half_duplex | -10_full_duplex | -10_half_duplex | -auto]
Effect
Use this command to configure the network identity of a WatchGuard appliance's interface 2 (DMZ), where applicable.
-10_full_duplex | -10_half_duplex | -auto]
Effect
Use this command to configure the network identity of a WatchGuard appliance's interface 3, where applicable.
Arguments
<a.b.c.d>
This argument records the IP address assigned to this interface.
</prefix|mask>
This argument records the number of bits in the subnet mask (for example, “/16”...
(configure interface level)
WG#config<ENTER>
WG(config)#interface<ENTER>
WG(config-if)#ha1 <a.b.c.d> </prefix|mask>
Effect
Use this command to configure the network identity of a WatchGuard appliance's High Availability 1 interface, when this interface is used for management access instead of HA functionality.
Arguments
<a.b.c.d>...
An appliance can be switched from Transparent mode to Router mode in any configuration condition. A restart is required for the mode switch to take effect.
Arguments
None
Example
WG(config-if)# mode router<ENTER>
If this action uses an automatic key, use this argument to enter the IKE proposal names (whether one or more).
-manual_key
Enter this argument if this action employs a manual key. (If doing so, do not use the “auto_key” argument.) The following ten arguments (grouped...
Use this argument to enter a unique number that represents the SPI of this appliance. The number should be between 256 and 65535.
<peer_spi>
Use this argument to enter a different, unique number that represents the SPI of the peer security...
102.39.45.28 -man -esp 256 982 3des mankey<ENTER>
# This command results in a tunnel-mode, manual-key IPSec action with a peer tunnel IP address of 102.39.45.28. It uses ESP-3DES (local SPI is 256, peer SPI is 982) and the key text is “mankey”.
Note that a manual-key SA is never rekeyed, and the key text is typed in clear and kept in the CLI history buffer. Use a manual key only where the peer cannot run IKE, and never one as short as the placeholder above.
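The IKE action syntax earlier in this chapter and the manual-key IPSec action above both accept choices that weaken a VPN, and those choices are easy to miss in a long command file. The following is an added example, not code from the WatchGuard guide: it audits saved CLI lines for single DES, MD5, Diffie-Hellman group 1, manual keying, out-of-range SPIs and short manual keys. It parses only the shapes the guide shows (the -rsa/-dss/-preshared {...} transforms of an IKE action and the -man ... -esp <local_spi> <peer_spi> <alg> <key> form of an IPSec action) and ignores everything else on a line. The command word action and the action names in the sample lines are assumptions, as is the treatment of the key text as ASCII when judging its length; the sample lines are constructed, and the judgement of what is weak is the editor's, not the guide's.

```python
"""Audit WatchGuard IKE/IPSec action commands for weak crypto choices.

Added example, not part of the WatchGuard guide. Only the command shapes
the guide shows are recognised; sample lines below are constructed.
"""
import re

# Editor's judgement of which offered options are weak today.
WEAK = {"des": "single DES (56-bit key)",
        "md5": "MD5 integrity",
        "g1": "Diffie-Hellman group 1 (768-bit modulus)"}

TRANSFORM_RE = re.compile(r"-(rsa|dss|preshared)\s*\{([^}]*)\}", re.I)
ESP_RE = re.compile(r"-esp\s+(\d+)\s+(\d+)\s+(\S+)\s+(\S+)", re.I)
MANUAL_RE = re.compile(r"-man(ual_key)?\b", re.I)
PROMPT_RE = re.compile(r"^\s*WG\([^)]*\)#\s*")
MIN_KEY_CHARS = 24           # assumption: ASCII key, 3DES needs 24 bytes


def strip_prompt(line: str) -> str:
    """Drop a leading 'WG(...)#' prompt and a trailing <ENTER> marker."""
    return PROMPT_RE.sub("", line).replace("<ENTER>", "").strip()


def audit_line(line: str) -> list:
    """Return the findings for one CLI line (empty when nothing is flagged)."""
    cmd = strip_prompt(line)
    findings = []
    # IKE action: every token inside a transform's braces is checked.
    for auth, body in TRANSFORM_RE.findall(cmd):
        for tok in body.split():
            if tok.lower() in WEAK:
                findings.append(f"{auth.lower()} transform uses {WEAK[tok.lower()]}")
    # IPSec action with a manual key: no rekeying, key visible in history.
    if MANUAL_RE.search(cmd):
        findings.append("manual keying: SA never rekeys and the key text "
                        "is kept in the CLI history buffer")
    for local_spi, peer_spi, alg, key in ESP_RE.findall(cmd):
        if alg.lower() in WEAK:
            findings.append(f"ESP uses {WEAK[alg.lower()]}")
        for spi in (local_spi, peer_spi):
            if not 256 <= int(spi) <= 65535:      # range the guide specifies
                findings.append(f"SPI {spi} outside the allowed 256-65535 range")
        if len(key) < MIN_KEY_CHARS:
            findings.append(f"manual key {key!r} is only {len(key)} characters")
    return findings


def audit(lines) -> dict:
    """Map each line that has findings to its list of findings."""
    return {line: f for line in lines if (f := audit_line(line))}


# Constructed sample lines (command word and names assumed).
SAMPLE = [
    "WG(config-ike)#action weak_ike -main_mode -preshared {g1 des md5 lifetime 8 hr}<ENTER>",
    "WG(config-ike)#action ok_ike -main_mode -preshared {g2 3des sha lifetime 8 hr}<ENTER>",
    "WG(config-ipsec)#action HQ_manual 102.39.45.28 -man -esp 256 982 3des mankey<ENTER>",
]

if __name__ == "__main__":
    for line, findings in audit(SAMPLE).items():
        print(strip_prompt(line))
        for f in findings:
            print("   -", f)
```

Run it over the output of the history command or over a command file before loading it; the second sample line, which picks g2, 3des and sha, produces no findings, while the guide's manual-key example is flagged twice.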
If you want to include an AH transform in this proposal, type this argument, plus the necessary values: algorithm, life size, life time.
Type this character before entering a new transform that will be added to an existing IPSec proposal.
Records a new QoS action or modifies an existing action.
Arguments
<"name">
This argument, immediately following the command, notes the name assigned to this new QoS action.
-bandwidth_weight <"1-100">
This argument (and the required value) determines the level of QoS based on the WFQ algorithm.
Enables (or disables) port shaping for either the interface 0 (private) or interface 1 (public) of a WatchGuard appliance, and enters the general QoS value for that interface. The value entered will be the sending throughput of that interface. When you enable a system port-shaping action, the appliance restarts automatically to apply the policy.
[-session_time_out <number> <min|hr>]
This argument limits the total time any one account user can stay continuously logged into the network. The default time limit is 8 hours.
[-idle_time_out <number> <min|hr>]
This argument sets the time limit for an inactive...
[-concurrent_logins <"number">]
Effect
Enters a new remote access user account (or modifies an existing account) in an internal database in the WatchGuard appliance.
Arguments
<"name">
This argument records the login ID used by this remote user account, and should be between 1 and 15 characters in length.
To review and confirm your entries, type this command:
WG(config-ras)#show user jdoe<ENTER>
The results are displayed, similar to this example:
User Profile
  Name = jdoe
  Full Name = "John Doe"
  Enabled
  Description = ""
  User Group Profile = admGroup
Arguments -internal This argument specifies the internal database in the WatchGuard appliance as the source for RAS user authentication. -radius This argument specifies a RADIUS server as the host of the RAS user authentication database.
“user_group_profile” command to control session time and idle timeout for RADIUS users. Examples WG(config-ras)#database -radius primary -ip 12.10.1.2 -sec confidential \ -auth secure_id -user_group exec_staff<ENTER> WG(config-ras)#database -internal<ENTER> WG(config-ras)#database -radius backup -ip 12.10.1.3 \ -sec confidential<ENTER> The value after -sec is the RADIUS shared secret. It is typed in clear text on the command line, so it is visible to anyone watching the console session or reviewing the command history.
115 “tcp_syn_checking” on page 116 tcp_syn_checking “vlan_forwarding command (configure system vlan_forwarding level)” on page 116 “vpn command (configure system level)” on page 117 “No command” on page 143 “Show command” on page 144 show
This argument records the domain name of this security appliance. <-server <a.b.c.d>> This argument records the IP address of the DNS server. Example WG(config)#dns my_company.com \ -server 24.12.2.1<ENTER> cpm command (configure system level) WG#config<ENTER> WG(config)#cpm <enable "text of password"|disable>
CPM as needed. If enabling CPM access, be sure to enter the CPM-access password immediately following the “enable” argument. Arguments enable Enter this argument to activate WatchGuard CPM access to this WatchGuard appliance. <password_text> Enter the text of the CPM access password after “enable”.
Arguments None in this mode. See Also For more information on interface configuration mode, see “Level 2 interface configuration commands” on page 82. ldap command (configure system level) WG#config<ENTER> WG(config)#system <ENTER> WG(config-sys)#[no] ldap <"IP_address"|"name"> \ [port_number]
Enters the log configuration mode, at which point you can enter log file-specific commands and their arguments. Arguments None in this mode. For more information about “log” mode commands, see “Level 3 log configuration commands” on page 124.
IP and TCP addressing, VLAN, ESP, PPPoE, AH, and UDP encapsulation. The result is then rounded down to the next lower multiple of 8 bits (8-bit aligned) to determine the size in bytes that is required for packet
route command (configure system level) WG#config<ENTER> WG(config)#system <ENTER> WG(config-sys)#route Effect Enters the system route configuration mode, at which point you can enter route-specific commands and their arguments. Arguments None in this mode.
SNMP workstation. -community <"text_string"> This argument records the community string. [-trap|-no-trap] This optional argument activates (or deactivates) SNMP trap sending. Example WG(config-sys)#snmp 128.13.44.2 \ -community 66gHf4D -trap<ENTER> Results To view the results, type this command: WG(config-sys)#show snmp<ENTER> The community string is the only credential for this SNMP access, and community-based SNMP sends it in clear text, so treat it as a password and record only the workstations that actually need access.
-time <hh:mm:ss> Use this argument to set the system time. -date <mm:dd:yy> Use this argument to set the system date. Example WG(config-sys)#sysinfo -name mucho \ -loc "Lot 49" \ -contact "O. Maas" -time 14:42:05 -date 10:15:02<ENTER>
(configure system level) WG#config<ENTER> WG(config)#system <ENTER> WG(config-sys)#vlan_forwarding [enable|disable] Effect Allows you to enable (or disable) the system-wide VLAN forwarding capability. Argument enable Turns on VLAN forwarding. disable Turns off VLAN forwarding (if it is active).
import command (config license level) WG#config<ENTER> WG(config)#license <ENTER> WG(config-license)#import Effect Imports a new license that upgrades or adds functionality to the appliance. Arguments None active_feature command (config license level) WG#config<ENTER> WG(config)#license WG(config-license)#active_feature <ENTER>
Displays a summary of the named license or lists all available licenses. Arguments None This will list all available licenses. <license_id> This argument notes an ID for the license and will list the details of that license.
0|2|3 (default is 0) of tenant # e.g.> vlan v1 -id 3 -interface 0 -gate 10.1.0.1 Effect Records a new VLAN tenant entry, along with the appliance interface that VLAN tenant traffic will be expected to use.
<-idle_timeout m> This argument sets the idle timeout for this entry in minutes. <-radius_ip a.b.c.d> This argument gives the IP address of the RADIUS server. [-radius_port port] This optional argument notes the port number of
This argument, when entered before the type of log file, will deactivate that log. Examples WG(config-log)#no traffic<ENTER> Configure events log file WG#config<ENTER> WG(config)#system<ENTER> WG(config-sys)#log<ENTER> WG(config-log)#event \ <critical|error|warning|admin|info> Effect Use this command to configure the events log file.
Commit before exit? (Y/N). This prompt is displayed if you have made changes but have not committed them to the WatchGuard appliance database. Type Y to commit your changes and return to the WG# prompt, or type N to discard the changes and leave the database in its previous state.
CHAPTER 4: Debug Mode Commands All WatchGuard CLI commands are organized into groups, which are presented as specific command modes. This chapter covers the commands available in Debug Mode. Debugging/troubleshooting commands The CLI Debug commands, detailed here, enable the use of standard Linux commands such as ping, tcpdump, netstat, traceroute, and arp.
See “verbose_trace command” on page 141. vinstall See “vinstall command” on page 141. show See “Show command” on page 144. history See “history command” on page 14. exit See “exit command” on page 14. See “top command” on page 15.
WG(debug)#config_http [enable | disable | logon_html [ standard | alternate ] ] enable Enable HTTPd disable Disable HTTPd logon_html standard Use default logon HTML page. logon_html alternate Use alternate logon HTML page. Effect Enables or disables the appliance HTTP daemon (HTTPd) and selects which logon HTML page it serves.
Options Type -h to get help for this option. ifconfig is a standard Linux command, and should be used by a knowledgeable administrator. For the interface names, use “eth0” through “eth5,” depending on
This command allows you to import a tar-archived set of files to replace the HTTPS firewall user authentication login screens. Prerequisites The default configuration includes the following files: - logon.html - cert_logon.html - user_auth_fail.html - index.html - user_auth_success.html
These operations require a moderate level of HTML knowledge and editing skills. Example WG#debug<ENTER> WG(debug)#importscreen 10.10.0.98 ftpadmin ftppassword public/screens.tar<ENTER> The file-server user name and password are given in clear text on the command line and remain in the command history; use a dedicated account with read-only access to the upload directory. kernel_debug command WG#debug<ENTER> WG(debug)#kernel_debug <on|off> Effect This command turns kernel debugging on or off. Arguments on Turns kernel debugging on. off Turns kernel debugging off. Example WG(debug)#kernel_debug on<ENTER>
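Before handing an archive to importscreen, a practitioner will want to confirm that it actually carries the logon files listed above and nothing that an extractor could write outside the screen directory. The following is an added example, not code from the WatchGuard guide or appliance: it checks a tar archive for the five expected file names and rejects absolute paths, ".." components, links and device nodes. The two sample archives it builds are constructed for the demonstration; the file names come from the Prerequisites list.

```python
"""Pre-flight check for a logon-screen tar archive.

Added example; not code from the WatchGuard guide or appliance. Before an
archive is handed to `importscreen`, this verifies that it carries the
HTML files the guide lists, and rejects members that an extractor could
write outside the target directory (absolute paths, ".." components,
symbolic/hard links, device nodes). The archives returned by
sample_archive() and sample_bad_archive() are constructed here.
"""
import io
import posixpath
import tarfile

# File names from the guide's "Prerequisites" list for importscreen.
EXPECTED_FILES = {
    "logon.html",
    "cert_logon.html",
    "user_auth_fail.html",
    "index.html",
    "user_auth_success.html",
}


def check_screen_archive(data):
    """Inspect a tar archive held in memory.

    Returns a dict: ok (bool), missing (expected names not found as regular
    files), unexpected (regular files outside the expected set, reported but
    not fatal), unsafe (members that must not be imported)."""
    missing, unexpected, unsafe = set(EXPECTED_FILES), [], []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for member in tar.getmembers():
            name = member.name
            if name.startswith("/") or ".." in name.split("/"):
                unsafe.append(name)          # path traversal
            elif member.issym() or member.islnk() or member.isdev():
                unsafe.append(name)          # link or device, not an HTML file
            elif member.isfile():
                base = posixpath.basename(name)
                if base in EXPECTED_FILES:
                    missing.discard(base)
                else:
                    unexpected.append(name)
            # plain directory entries are ignored
    return {"ok": not missing and not unsafe,
            "missing": sorted(missing), "unexpected": unexpected, "unsafe": unsafe}


def _tar_bytes(entries):
    """Build an in-memory tar from (TarInfo, payload-or-None) pairs."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for info, payload in entries:
            tar.addfile(info, io.BytesIO(payload) if payload is not None else None)
    return buf.getvalue()


def _html(name, body):
    """TarInfo for a regular file plus its content."""
    info = tarfile.TarInfo(name)
    info.size = len(body)
    return info, body


def sample_archive():
    """A well-formed replacement archive: the five expected files (constructed content)."""
    return _tar_bytes([_html(n, b"<html>" + n.encode() + b"</html>")
                       for n in sorted(EXPECTED_FILES)])


def sample_bad_archive():
    """A hostile archive: a traversal entry, a symlink named like an expected file, one real file."""
    link = tarfile.TarInfo("index.html")
    link.type = tarfile.SYMTYPE
    link.linkname = "/etc/passwd"
    return _tar_bytes([_html("../evil.html", b"<html></html>"), (link, None),
                       _html("cert_logon.html", b"<html></html>")])


if __name__ == "__main__":
    print(check_screen_archive(sample_archive()))
    print(check_screen_archive(sample_bad_archive()))
```

Run it against the archive you intend to upload (read the file into bytes and pass it to check_screen_archive) before the importscreen step; a symlink named index.html is reported as unsafe rather than as a present file, which is the case the basename check alone would miss.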
This argument records the IP address of the device/appliance to be pinged. Example WG(debug)#ping 122.13.2.9<ENTER> The WatchGuard CLI will send ping packets to the designated IP address. Enter ^c (Control-C) to stop the ping. The CLI will then display the results and return to the WG(debug)# prompt.
WG(debug)#radius_ping \ [-pap <"password">|-sid <"passcode">] \ [-p <port>] [-r <retries>] \ [-s <secret>] [-t <timeout>] \ [-u <username>] <source> <a.b.c.d> Effect Use this command to test the connections between this WatchGuard appliance and a RADIUS server. WatchGuard Command Line Interface Guide...
This argument records the “secret” shared with the RADIUS server. The default is “test123”. If the value does not match the secret configured on the server, the server cannot verify the request and the test fails, so pass the server's actual secret with -s rather than relying on the default. [-t <value>] This argument establishes the timeout value for each test message. The default value is “2”. [-u <value>] This argument records a RADIUS user name for
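The shared secret given to `database -radius ... -sec` and to `radius_ping -s` is never sent on the wire; it keys the obfuscation of the PAP password in the Access-Request and the hash the client checks on the server's reply. The following is an added example, not code from the WatchGuard guide or appliance, that carries out that exchange in memory per RFC 2865: it builds a PAP Access-Request, recovers the password on the server side, signs an Access-Accept and verifies it on the client side, and shows that a wrong secret (for instance the "test123" default) makes the reply fail verification. The secret, user name, password and NAS address are constructed sample values.

```python
"""RADIUS PAP request/response handling per RFC 2865.

Added example; this is not code from the WatchGuard guide or appliance.
It shows what the shared secret given to `database -radius ... -sec` and
`radius_ping -s` is used for: hiding the PAP User-Password and
authenticating the server's reply. The secret, user name, password and
NAS address used below are constructed sample values.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4


def attr(atype, value):
    """Encode one RADIUS attribute: Type, Length (including this 2-byte header), Value."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: zero-pad to 16-byte blocks, XOR each block with
    MD5(secret + previous cipher block); the first "previous block" is
    the Request Authenticator."""
    padded = password + b"\x00" * ((-len(password)) % 16) or b"\x00" * 16
    out, prev = bytearray(), request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return bytes(out)


def reveal_password(hidden, secret, request_auth):
    """Server-side inverse of hide_password; strips the zero padding."""
    out, prev = bytearray(), request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return bytes(out).rstrip(b"\x00")


def build_access_request(ident, username, password, secret, nas_ip, request_auth=None):
    """Client side: return (packet, request_authenticator) for a PAP Access-Request."""
    request_auth = request_auth or os.urandom(16)  # must be unpredictable per request
    attrs = (attr(ATTR_USER_NAME, username)
             + attr(ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
             + attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs, request_auth


def parse_request(packet, secret):
    """Server side: walk the attributes and recover the PAP password."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    request_auth, pos, fields = packet[4:20], 20, {}
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2:
            raise ValueError("bad attribute length")
        fields[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return {"code": code, "id": ident, "user": fields.get(ATTR_USER_NAME, b""),
            "password": reveal_password(fields[ATTR_USER_PASSWORD], secret, request_auth)}


def build_response(code, ident, attrs, request_auth, secret):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs


def verify_response(packet, request_auth, secret):
    """Client side: True only if the reply is well-formed and was produced
    with the same secret for this Request Authenticator."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def exchange(client_secret, server_secret, request_auth=None):
    """One in-memory round trip; returns (password as the server saw it, reply verified?)."""
    pkt, ra = build_access_request(7, b"jdoe", b"s3cret-pw", client_secret, "12.10.1.2",
                                   request_auth)
    seen = parse_request(pkt, server_secret)
    reply = build_response(ACCESS_ACCEPT, 7, b"", ra, server_secret)
    return seen["password"], verify_response(reply, ra, client_secret)


if __name__ == "__main__":
    print(exchange(b"confidential", b"confidential"))  # matching secrets
    print(exchange(b"confidential", b"test123"))       # default vs. real secret
```

Two points worth noticing: the password hiding is an MD5-keyed XOR stream, not encryption in any modern sense, which is why the secret must be long and random and why RADIUS traffic belongs on a protected management network; and a mismatched secret does not produce an error message from the server, only garbage in the password field and a reply the client cannot verify, which is exactly the silent failure radius_ping is there to surface.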
WG(debug)#rcinfo Effect Shows debug information about the RapidCore chip in your appliance. This is used for troubleshooting purposes, with WatchGuard technical support. Example WG#debug<ENTER> WG(debug)#rcinfo reboot command WG#debug<ENTER> WG(debug)#reboot Effect Reboots the appliance. Example WG(debug)#reboot<ENTER>
Effect This command sets the physical speed of a specific accelerated data interface. Arguments eth0, eth1, eth2, eth3 Indicates the interface to be changed. mode auto = Auto negotiate
This command may be used to track specific packets. Arguments None Example WG(debug)#tcpdump<ENTER> traceroute command WG#debug<ENTER> WG(debug)#traceroute <target_IP> Effect Displays the complete route information to the target device. This command utilizes the IP protocol “time to live” field and solicits an ICMP
## e.g. vinstall 10.10.10.10 my_username my_password "path/encrypted_fbv.tgz" For V10, use the non-encrypted file. For other models, use the encrypted file. Effect Allows you to downgrade to an earlier software version: from 5.0 to 4.0 or from 5.0 to 3.2. This feature is not supported in software versions earlier than 5.0. As with importscreen, the file-server credentials are supplied in clear text on the command line. Example WG#debug<ENTER> WG(debug)#vinstall 10.10.0.98 ftpadmin ftppass /upload/downgrade/encrypted.tgz<ENTER>
(Administration, Configuration, and Debug). No command The no command is used before another command or argument to turn off or disable the specified feature. Rename command The rename command is used to rename objects.
CHAPTER 5: Other Commands Show command As a way of viewing lists and details of a WatchGuard appliance’s configuration, the Show command (and its arguments) provides an adaptable means of cataloging such things as address groups, IPSec actions or RAS user profiles.
159. See “Show version command” on page 160. version Show address command Display current address groups WG#show address<ENTER> Effect Displays the current catalog of address groups stored in this WatchGuard Firebox Vclass security appliance
(since the log was last cleared), 20 lines at a time. log follow This displays the last 5 lines of the alarm log, and updates as more alarms are generated. Example WG#show alarm log more<ENTER>
Show command Show all_routes command WG#show all_routes<ENTER> Effect Displays a summary of the routes, static and dynamic, recorded in this WatchGuard appliance. Arguments None. Example WG#show all_routes<ENTER> Show certificate command WG#show certificate<ENTER> Effect Displays the complete collection of certificates, including pending requests, root certificates, and system certificates.
Effect Displays the DoS and DDoS configurations currently active in this appliance. Arguments None. Show diagnostics command WG#show diagnostics<ENTER> Effect Shows some diagnostic information for the appliance. Examples WG#show diagnostics<ENTER> Arguments None. Show DNS command WG#show dns<ENTER>
<"name" > This argument will display the contents of the named action. policy <"name" > This argument will display the contents of the named policy. Examples WG#show ike action basic<ENTER> WG#show ike policy secure_VPN<ENTER> WatchGuard Command Line Interface Guide...
CHAPTER 5: Other Commands Show interface command WG#show interface<ENTER> Effect Displays a detailed summary of all data interfaces in this WatchGuard appliance. Arguments None Example WG#show interface<ENTER> Show IPSec command WG#show ipsec <action|proposal> <ENTER> Effect Displays the current catalog of IPSec proposals or actions--depending upon the argument.
Arguments None Example (show license without a license number) WG#show license<ENTER>
License Name           License ID         Expiration Date
DATE_11-6-2002_10:5    64DFC18A261A4771   04-02-2003
CLI will simply list the types of log files you can view. [more] This argument displays the complete contents of a specified log, one page at a time. Example WG#show log traffic<ENTER> Show mode command WG#show mode<ENTER>
Displays the configuration of a specifically named NAT action. Arguments <"name"> This argument represents the exact name of the NAT action you want to review. Example WG#show nat static_NAT1<ENTER> Show NTP command WG#show ntp<ENTER> Effect Displays the Network Time Protocol configuration.
Lists all active security policies stored in this WatchGuard appliance. Arguments None Example WG#show policy<ENTER> Show QoS command WG#show qos <system|action><ENTER> Effect Displays (1) the current system QoS configuration, or (2) a list of currently available QoS actions, depending upon your argument entry.
Displays a complete listing of the specified RAS component: group profiles, user profiles or database configuration. Arguments <group_profile|user_profile|database> This argument represents your preference: to review a list of group profiles, a list of user profiles or the database settings. Example WG#show ras database<ENTER>
WG#show sa <p1|p2> [id]<ENTER> Effect Lists current phase one or phase two SA information, in some detail. If you add the “ID” of a specific phase-one SA or phase-two tunnel, the CLI will display details of the requested item.
Displays a complete list of all service groups. Arguments None Example WG#show service<ENTER> Display service group settings WG#show service <"name"><ENTER> Effect Displays the settings for a named service group, including port numbers and any associated protocols.
WG#show statistics show statistics ras [user_ID] show statistics p1sa [ID] show statistics p2sa [ID] Effect Displays statistics for RAS users, phase 1 SAs, or phase 2 SAs. Arguments None. Example WG#show statistics ras ras_user<ENTER> Show sysinfo command WG#show sysinfo<ENTER>
Example WG#show sysinfo<ENTER> Show sysupgrade command WG#show sysupgrade<ENTER> Effect Displays a chronological record of recent system software upgrades (including version number and date) installed in this WatchGuard appliance. Arguments None Example WG#show sysupgrade<ENTER> Show trace command Show tunnel_switch command WG#show tunnel_switch<ENTER>...
CHAPTER 5: Other Commands Show version command WG#show version<ENTER> Effect Displays the version number of WatchGuard operating software. Arguments None Example WG#show version<ENTER>