
1. Introduction

This document describes the command line interface (CLI) for managing NETGEAR ProSafe™ FVX538 and FVS 338 VPN routers running the TeamF1 VPN Platform.

1.1 Scope and Audience

This document is a Command Line Interface (CLI) reference for advanced users of NETGEAR ProSafe™ FVX538 and FVS 338 VPN Firewall routers running the TeamF1 VPN Platform. The CLI requires advanced knowledge about the configuration of the system and should be used only by those users who are familiar with CLI-based configuration.

1.2 Document Conventions

This document uses the following conventions:

  wan1Hostname - Command names and argument names are written in courier font.
  <primaryId> - Required arguments are enclosed in angle brackets (<>).
  [wan1Hostname] - Optional arguments are enclosed in square brackets ([]).

Note that the argument names in the angle brackets must be specified verbatim before specifying the argument values. For example, if a command specifies <primaryId> as the argument, which has the value "1", the argument would take the form "primaryId 1".

1.3 CLI Usage

1.3.1 Command Arguments

The CLI requires the argument names to be specified before argument values. The exact names are specified in the synopsis section of each command description. For example, to specify the interface device ID (ifDevId) for the ifShow command, the command should be executed as follows:

> ifShow ifDevId 0

where ifDevId is the argument name and 0 is the value for the argument.

1.3.2 Command Hierarchy

The CLI commands are grouped into a hierarchy of logical command groups. This hierarchy appears similar to a UNIX hierarchical directory structure in the CLI user interface. The available command groups appear similar to directories in a UNIX environment and are separated by forward slash (/) characters on the command line. The cd command can be used to navigate between the command groups. The pwd command prints the current location in the command hierarchy. The ls command lists the commands and command groups available at any level.

CLI Command Reference

1.3.3 Executing a Command

A command can be executed with an absolute path from root or using a relative path starting at the current level. For example:

> cd /netConf/lanSetup/lanStatic
> ifShow 2

and

> /netConf/lanSetup/lanStatic/ifShow 2

are equivalent.

1.3.4 Command Line Editing and History

The CLI user interface supports command line editing similar to a UNIX bash shell. Command line editing can be achieved using the left/right arrow keys to move to different parts of the command being edited. Emacs-style key bindings are also supported for common character navigation commands. Command history can also be navigated using the up/down arrow keys or with Emacs-style vertical navigation commands. Command completion is available using the <TAB> key.

1.3.5 Command Help

The help command provides a detailed description of CLI commands and the arguments for the commands. For help on any command, run help with the command name as the first argument. For example:

> help netConf/lanSetup/lanStatic/ifShow

prints the description of the ifShow command, along with the names of the arguments and their descriptions.

2. Command Reference

2.1 Global Commands

cd
This command is used to change to a different command group in CLI command hierarchy.
Synopsis: cd <group>
Arguments:
  <group> - Name of the group to change to.
Example: cd netConf/lanSetup

cls
This command is used to clear screen contents.
Synopsis: cls
Arguments: N/A
Example: cls

help
This command prints help text for a command.
Synopsis: help <command>
Arguments:
  command - name of the command for which help is being requested.
Example: help fw/mac/add

ls
This command prints the list of groups and commands available at the current command hierarchy level.
Synopsis: ls
Arguments: N/A
Example: ls

pwd
This command prints the current position in the command hierarchy level.
Synopsis: pwd
Arguments: N/A
Example: pwd

reboot
This command reboots the device.
Synopsis: reboot
Arguments: N/A
Example: reboot

2.2 Administrative Commands

admin/remoteMgmt/config
This command sets the secure HTTP server configuration.
Synopsis: config <status> <accessType> [startAddr] [endAddr] [port]
Arguments:
  status - remote management status
      0 - disable remote management
      1 - enable remote management
  accessType - Access Type
      0 - Everyone
      1 - Address Range
      2 - Only single PC
  startAddr - Starting address of Address Range
  endAddr - Ending Address of Address Range
  port - Port Number
Example: config status 1 accessType 1 startAddr 192.168.1.95 endAddr 192.168.1.99 port 443

admin/remoteMgmt/show
This command displays the current configuration of remote management.
Synopsis: show
Arguments: N/A
Example: admin/remoteMgmt/show

admin/resetConfig
This command resets the configuration to factory defaults.
Synopsis: resetConfig
Arguments: N/A
Example: admin/resetConfig

admin/saveConfig
This command saves the router's configuration to persistent storage.
Synopsis: saveConfig
Arguments: N/A
Example: admin/saveConfig

admin/snmp/sysInfo/config
This command configures system related MIBs.
Synopsis: config <sysContact> <sysLoc> <sysName>
Arguments:
  sysContact - system contact information
  sysLoc - system location
  sysName - system name
Example: admin/snmp/sysInfo/config sysContact netgear sysLoc netgear sysName netgear

admin/snmp/sysInfo/show
This command is used to display the current system configuration MIBs.
Synopsis: show
Arguments: N/A
Example: admin/snmp/sysInfo/show

admin/snmp/trap/add
This command adds a trap community.
Synopsis: add <community> <dst> <port>
Arguments:
  community - trap community name
  dst - destination IP address
  port - destination port
Example: admin/snmp/trap/add community trap dst 192.168.1.30 port 162

admin/snmp/trap/del
This command deletes a trap community.
Synopsis: del <snmpId>
Arguments:
  snmpId - id of trap community entry to be deleted.
Example: admin/snmp/trap/del snmpId 2

admin/snmp/trap/get
This command is used for displaying list of SNMP trap communities already configured in the system.
Synopsis: get
Arguments: N/A
Example: admin/snmp/trap/get

admin/timzone/get
This command is used to retrieve time zone information along with current local time.
Synopsis: get
Arguments: N/A
Example: admin/timzone/get

admin/timezone/save
This command saves the time zone information.
Synopsis: save <tz> <daylightsaving> <usedefaultservers> <primaryserver> <secondaryserver>
Arguments:
  tz - local timezone to be used. This is of form -630 for America and 530 for India.
  daylightsaving - choose to apply day light savings
      0 = do not apply day light savings
      1 = apply day light savings
  usedefaultservers - usage of default ntp servers
      0 = do not use default ntp servers.
      1 = use default ntp servers.
  primaryserver - primary ntp server to be used in case no default server is selected (FQDN or IP)
  secondaryserver - secondary ntp server to be used in case no default server is selected (FQDN or IP)
Example: admin/timezone/save tz 330 daylightsaving 0 daylightsaving 1 usedefaultservers 0 primaryserver 0.pool.ntp.org secondaryserver 76.89.22.11

admin/userdb/userAdd
This command adds admin and guest users.
Synopsis: admin/userdb/userAdd <adminUser> <adminPassword> <guestUser> <guestPassword>
Arguments:
  adminUser - admin user name
  adminPassword - admin password
  guestUser - guest user name
  guestPassword - guest password
Example: admin/userdb/userAdd adminUser Admin adminPassword passwd guestUser guest guestPassword pass

2.3 Firewall Commands

fw/mac/add
This command adds a source MAC filter to the table.
Synopsis: add <mac>
Arguments:
  mac - MAC Address (48 bits)
Example: fw/mac/add mac 00:01:02:03:04:05

fw/mac/delete
This command deletes a source MAC filter from the table.
Synopsis: delete <id>
Arguments:
  id - id of an existing MAC address.
Example: fw/mac/delete id 1

fw/mac/statusGet
This command displays the current status of the source MAC filter table.
Synopsis: statusGet
Arguments: N/A
Example: fw/mac/statusGet

fw/mac/statusSet
This command enables/disables the source MAC filter table.
Synopsis: statusSet <value>
Arguments:
      0 - Disable
      1 - Enable
Example: fw/mac/statusSet 1

fw/mac/show
This command displays all the source MAC filters.
Synopsis: show
Arguments: N/A
Example: fw/mac/show

fw/ptrgr/add
This command adds a port-triggering rule to the table.
Synopsis: add <triggerName> <trgrStatus> <proto> <matchPortStart> <matchPortEnd> <trgrPortStart> <trgrPortEnd>
Arguments:
  triggerName - Name of Port Triggering Rule.
  trgrStatus - Trigger Status
      0 - Disable
      1 - Enable
  proto - Protocol
      6 - TCP
      17 - UDP
  matchPortStart - start port number of outgoing port (1~65534)
  matchPortEnd - end port number of outgoing port (1~65534)
  trgrPortStart - start port number of trigger port (1~65534)
  trgrPortEnd - end port number of trigger port (1~65534)
Example: fw/ptrgr/add triggerName test trgrStatus 1 proto 17 matchPortStart 1000 matchPortEnd 5000 trgrPortStart 6000 trgrPortEnd 10000

fw/ptrgr/del
This command deletes the port triggering rule.
Synopsis: del <id>
Arguments:
  id - id of an existing port triggering rule.
Example: fw/ptrgr/del id 3

fw/ptrgr/disable
This command disables the port triggering rule.
Synopsis: disable <id>
Arguments:
  id - id of an existing port triggering rule.
Example: fw/ptrgr/disable id 1

fw/ptrgr/edit
This command edits an existing port triggering rule.
Synopsis: edit <id> <triggerName> <trgrStatus> <proto> <matchPortStart> <matchPortEnd> <trgrPortStart> <trgrPortEnd>
Arguments:
  id - id of an existing port triggering rule.
  triggerName - Name of Port Triggering Rule.
  trgrStatus - Trigger Status
      0 - Disable
      1 - Enable
  proto - Protocol
      6 - TCP
      17 - UDP
  matchPortStart - start port number of outgoing port (1~65534)
  matchPortEnd - end port number of outgoing port (1~65534)
  trgrPortStart - start port number of trigger port (1~65534)
  trgrPortEnd - end port number of trigger port (1~65534)
Example: fw/ptrgr/edit id 2 triggerName test-2 trgrStatus 1 proto 6 matchPortStart 1000 matchPortEnd 2000 trgrPortStart 3000 trgrPortEnd 10000

fw/ptrgr/enable
This command enables the port triggering rule.
Synopsis: enable <id>
Arguments:
  id - id of an existing port triggering rule.
Example: fw/ptrgr/enable id 1

fw/ptrgr/show
This command displays all the port triggering rules.
Synopsis: show
Arguments: N/A
Example: fw/ptrgr/show

fw/ptrgr/status
This command displays the status of the triggered rules.
Synopsis: status
Arguments: N/A
Example: fw/ptrgr/status

fw/rules/attackChecks/configure
This command enables attack checks such as dnsproxy, tcpflood, extping, and is also used to enable ipsec passthrough, pptp passthrough and l2tp passthrough.
Synopsis: configure <dnsproxy> <tcpflood> <extping> <ipsec> <pptp> <l2tp>
Arguments:
  dnsproxy - enable DNS proxy
      0 - disable DNS proxy
      1 - enable DNS proxy
  tcpflood - block syn flood
      0 - disable tcpflood
      1 - enable tcpflood
  extping - allow/block ping on external interface
      0 - disable external ping
      1 - enable external ping
  ipsec - allow IPsec passthrough
      0 - disable IPsec passthrough
      1 - enable IPsec passthrough
  pptp - allow pptp pass through
      0 - disable pptp passthrough
      1 - enable pptp passthrough
  l2tp - allow l2tp pass through
      0 - disable l2tp pass through
      1 - enable l2tp pass through
Example: fw/rules/attackChecks/configure dnsproxy 1 tcpflood 1 extping 1 ipsec 1 pptp 1 l2tp 1

fw/rules/attackChecks/status
This command displays the status of attack checks.
Synopsis: status

Arguments: N/A
Example: fw/rules/attackChecks/status

fw/rules/dmzWan/inbound/add
This command adds a rule to the inbound services table. When the box is operating as a NAT gateway, the dmzServer, dmzPort, publicAddrType tokens must be specified. In a router mode dmzAddrType must be specified.
Synopsis: add <status> <serviceName> <action> <schedule> <wanAddrType> [srcAddr1] [srcAddr2] <<dmzServer> [dmzPort] <publicAddrType> || <dmzAddrType>> [dstAddr1] [dstAddr2] [qos] [log]
Arguments:
  status - Status of the rule
      0 - disabled
      1 - enabled
  serviceName - service name
  action - The action to be taken for the traffic that matches this rule.
      1 - Block Always
      2 - Allow Always
      3 - Block By Schedule, otherwise allow
      4 - Allow by Schedule, otherwise block
  schedule - schedule identifier
      1 - Schedule 1
      2 - Schedule 2
      3 - Schedule 3
  wanAddrType - The WAN address types
      0 - Any Address
      1 - Single Address
      2 - Range Address
  srcAddr1 - source IP address in dotted notation
  srcAddr2 - source IP address in dotted notation
  dmzServer - The server on the DMZ to which the matched traffic has to be forwarded
  dmzPort - The server number of the DMZ Server on which the matched traffic has to be forwarded
  publicAddrType - The external (public) IP address in dotted notation
      11 - WAN1
      12 - WAN2
      1 - Other IP(For Aliases)
  dmzAddrType - The DMZ address types
      0 - Any Address
      1 - Single Address
      2 - Range Address
      3 - DMZ Group1
      4 - DMZ Group2
      5 - DMZ Group3
      6 - DMZ Group4
      7 - DMZ Group5
      8 - DMZ Group6
      9 - DMZ Group7
      10 - DMZ Group8
  dstAddr1 - destination IP address in dotted notation
  dstAddr2 - destination IP address in dotted notation
  qos - The QoS for this traffic
      0 - none (no quality of service)
      2 - 6 - qos parameter
  log - Log when traffic matches this rule
      0 - Never
      1 - Always
Example: fw/rules/dmzWan/inbound/add status 1 serviceName ftp action 2 schedule 1 wanAddrType 0 dmzServer 192.168.16.1 dmzPort 21 publicAddrType 11

fw/rules/dmzWan/inbound/delete
This is a command to delete a rule in the inbound services table.
Synopsis: delete <id>
Arguments:
  id - identifier for the rule

Example: fw/rules/dmzWan/inbound/delete id 1

fw/rules/dmzWan/inbound/disable
This command disables a rule in the inbound services table.
Synopsis: disable <id>
Arguments:
  id - identifier for the rule
Example: fw/rules/dmzWan/inbound/disable id 1

fw/rules/dmzWan/inbound/edit
This command edits a rule in the inbound services table. When the box is operating as a NAT gateway, the dmzServer, dmzPort, publicAddrType tokens must be specified. In a router mode dmzAddrType must be specified.
Synopsis: edit <id> <status> <serviceName> <action> <schedule> <wanAddrType> [srcAddr1] [srcAddr2] <<dmzServer> [dmzPort] <publicAddrType> || <dmzAddrType>> [dstAddr1] [dstAddr2] [qos] [log]
Arguments:
  id - identifier for the rule
  status - Status of the rule
      0 - disabled
      1 - enabled
  serviceName - service name
  action - The action to be taken for the traffic that matches this rule.
      1 - Block Always
      2 - Allow Always
      3 - Block By Schedule, otherwise allow
      4 - Allow by Schedule, otherwise block
  schedule - schedule identifier
      1 - Schedule 1
      2 - Schedule 2
      3 - Schedule 3
  wanAddrType - The WAN address types
      0 - Any Address
      1 - Single Address
      2 - Range Address
  srcAddr1 - source IP address in dotted notation
  srcAddr2 - source IP address in dotted notation
  dmzServer - The server on the DMZ to which the matched traffic has to be forwarded
  dmzPort - The server number of the dmzServer on which the matched traffic has to be forwarded
  publicAddrType - The external (public) IP address in dotted notation
      11 - WAN1
      12 - WAN2
      1 - Other IP(For Aliases)
  dmzAddrType - The DMZ address types
      0 - Any Address
      1 - Single Address
      2 - Range Address
      3 - DMZ Group1
      4 - DMZ Group2
      5 - DMZ Group3
      6 - DMZ Group4
      7 - DMZ Group5
      8 - DMZ Group6
      9 - DMZ Group7
      10 - DMZ Group8
  dstAddr1 - destination IP address in dotted notation
  dstAddr2 - destination IP address in dotted notation
  qos - The QoS for this traffic
      0 - none (no quality of service)
      2 - 6 - qos parameter
  log - Log when traffic matches this rule
      0 - Never
      1 - Always
Example: fw/rules/dmzWan/inbound/edit id 1 status 1 serviceName ftp action 1 schedule 1 wanAddrType 0 dmzServer 192.168.16.1 dmzPort 21 publicAddrType 11

fw/rules/dmzWan/inbound/enable
This command enables a rule in the inbound services table.
Synopsis: enable <id>
Arguments:
  id - identifier for the rule

Example: fw/rules/dmzWan/inbound/enable id 1

fw/rules/dmzWan/inbound/move
This command moves a rule in the inbound services table.
Synopsis: move <dstId> <srcId>
Arguments:
  dstId - id of the destination rule after which this rule has to be placed
  srcId - id of the rule that needs to be moved
Example: fw/rules/dmzWan/inbound/move dstId 3 srcId 1

fw/rules/dmzWan/inbound/show
This command shows all the rules in the inbound services table.
Synopsis: show
Arguments: N/A
Example: fw/rules/dmzWan/inbound/show

fw/rules/dmzWan/outbound/add
This command adds a rule to the outbound services table.
Synopsis: add <status> <serviceName> <action> <schedule> <dmzAddrType> [srcAddr1] [srcAddr2] <wanAddrType> [dstAddr1] [dstAddr2] [qos] [log]
Arguments:
  status - Status of the rule
      0 - disabled
      1 - enabled
  serviceName - service name
  action - The action to be taken for the traffic that matches this rule.
      1 - Block Always
      2 - Allow Always
      3 - Block By Schedule, otherwise allow
      4 - Allow by Schedule, otherwise block
  schedule - schedule identifier
      1 - Schedule 1
      2 - Schedule 2
      3 - Schedule 3
  dmzAddrType - The DMZ address types
      0 - Any Address
      1 - Single Address
      2 - Range Address
      3 - DMZ Group1
      4 - DMZ Group2
      5 - DMZ Group3
      6 - DMZ Group4
      7 - DMZ Group5
      8 - DMZ Group6
      9 - DMZ Group7
      10 - DMZ Group8
  srcAddr1 - source IP address in dotted notation
  srcAddr2 - source IP address in dotted notation
  wanAddrType - The WAN address types
      0 - Any Address
      1 - Single Address
      2 - Range Address
  dstAddr1 - destination IP address in dotted notation
  dstAddr2 - destination IP address in dotted notation
  qos - The QoS for this traffic
      0 - none (no quality of service)
      2 - 6 - qos parameter
  log - Log when traffic matches this rule
      0 - Never
      1 - Always
Example: fw/rules/dmzWan/outbound/add status 1 serviceName telnet action 2 schedule 1 dmzAddrType 0 wanAddrType 0

fw/rules/dmzWan/outbound/delete
This command deletes a rule in the outbound services table.
Synopsis: delete <id>
Arguments:
  id - identifier for the rule

Example: fw/rules/dmzWan/outbound/delete id 1

fw/rules/dmzWan/outbound/disable
This command disables a rule in the outbound services table.
Synopsis: disable <id>
Arguments:
  id - identifier for the rule
Example: fw/rules/dmzWan/outbound/disable id 1

fw/rules/dmzWan/outbound/edit
This command edits a rule in the outbound services table.
Synopsis: edit <id> <status> <serviceName> <action> <schedule> <dmzAddrType> [srcAddr1] [srcAddr2] <wanAddrType> [dstAddr1] [dstAddr2] [qos] [log]
Arguments:
  id - identifier for the rule
  status - Status of the rule
      0 - disabled
      1 - enabled
  serviceName - service name
  action - The action to be taken for the traffic that matches this rule.
      1 - Block Always
      2 - Allow Always
      3 - Block By Schedule, otherwise allow
      4 - Allow by Schedule, otherwise block
  schedule - schedule identifier
      1 - Schedule 1
      2 - Schedule 2
      3 - Schedule 3
  dmzAddrType - The DMZ address types
      0 - Any Address
      1 - Single Address
      2 - Range Address
      3 - DMZ Group1
      4 - DMZ Group2
      5 - DMZ Group3
      6 - DMZ Group4
      7 - DMZ Group5
      8 - DMZ Group6
      9 - DMZ Group7
      10 - DMZ Group8
  srcAddr1 - source IP address in dotted notation
  srcAddr2 - source IP address in dotted notation
  wanAddrType - The WAN address types
      0 - Any Address
      1 - Single Address
      2 - Range Address
  dstAddr1 - destination IP address in dotted notation
  dstAddr2 - destination IP address in dotted notation
  qos - The QoS for this traffic
      0 - none (no quality of service)
      2 - 6 - qos parameter
  log - Log when traffic matches this rule
      0 - Never
      1 - Always
Example: fw/rules/dmzWan/outbound/edit id 1 status 1 serviceName telnet action 1 schedule 1 dmzAddrType 0 wanAddrType 0

fw/rules/dmzWan/outbound/enable
This command enables a rule in the outbound services table.
Synopsis: enable <id>
Arguments:
  id - identifier for the rule
Example: fw/rules/dmzWan/outbound/enable id 1

fw/rules/dmzWan/outbound/move
This command moves a rule in the outbound services table.
Synopsis: move <dstId> <srcId>
Arguments:
  dstId - id of the destination rule after which this rule has to be placed
  srcId - id of the rule that needs to be moved

Example: fw/rules/dmzWan/outbound/move dstId 3 srcId 1

fw/rules/dmzWan/outbound/show
This command displays all the rules in the outbound services table.
Synopsis: show
Arguments: N/A
Example: fw/rules/dmzWan/outbound/show

fw/rules/lanDmz/inbound/add
This command adds a rule to the inbound LAN-DMZ rules table.
Synopsis: add <status> <serviceName> <action> <schedule> <dmzAddrType> [srcAddr1] [srcAddr2] <lanAddrType> [dstAddr1] [dstAddr2] [qos] [log]
Arguments:
  status - Status of the rule
      0 - disabled
      1 - enabled
  serviceName - service name
  action - The action to be taken for the traffic that matches this rule.
      1 - Block Always
      2 - Allow Always
      3 - Block By Schedule, otherwise allow
      4 - Allow by Schedule, otherwise block
  schedule - schedule identifier
      1 - Schedule 1
      2 - Schedule 2
      3 - Schedule 3
  dmzAddrType - The DMZ address types
      0 - Any Address
      1 - Single Address
      2 - Range Address
  srcAddr1 - source IP address in dotted notation
  srcAddr2 - source IP address in dotted notation
  lanAddrType - The LAN address types
      0 - Any Address
      1 - Single Address
      2 - Range Address
      3 - LAN Group1
      4 - LAN Group2
      5 - LAN Group3
      6 - LAN Group4
      7 - LAN Group5
      8 - LAN Group6
      9 - LAN Group7
      10 - LAN Group8
  dstAddr1 - destination IP address in dotted notation
  dstAddr2 - destination IP address in dotted notation
  qos - The QoS for this traffic
      0 - none (no quality of service)
      2 - 6 - qos parameter
  log - Log when traffic matches this rule
      0 - Never
      1 - Always
Example: fw/rules/lanDmz/inbound/add status 1 serviceName ftp action 2 schedule 1 dmzAddrType 0 lanAddrType 0

fw/rules/lanDmz/inbound/delete
This command deletes a rule in the inbound services table.
Synopsis: delete <id>
Arguments:
  id - identifier for the rule
Example: fw/rules/lanDmz/inbound/delete id 1

fw/rules/lanDmz/inbound/disable
This command disables a rule in the inbound services table.
Synopsis: disable <id>
Arguments:
  id - identifier for the rule
Example: fw/rules/lanDmz/inbound/disable id 1

fw/rules/lanDmz/inbound/edit
This command edits a rule in the inbound LAN-DMZ rules table.
Synopsis: edit <id> <status> <serviceName> <action> <schedule> <dmzAddrType> [srcAddr1] [srcAddr2] <lanAddrType> [dstAddr1] [dstAddr2] [qos] [log]
Arguments:
  id - identifier for the rule
  status - Status of the rule
      0 - disabled
      1 - enabled
  serviceName - service name
  action - The action to be taken for the traffic that matches this rule.
      1 - Block Always
      2 - Allow Always
      3 - Block By Schedule, otherwise allow
      4 - Allow by Schedule, otherwise block
  schedule - schedule identifier
      1 - Schedule 1
      2 - Schedule 2
      3 - Schedule 3
  dmzAddrType - The DMZ address types
      0 - Any Address
      1 - Single Address
      2 - Range Address
  srcAddr1 - source IP address in dotted notation
  srcAddr2 - source IP address in dotted notation
  lanAddrType - The LAN address types
      0 - Any Address
      1 - Single Address
      2 - Range Address
      3 - LAN Group1
      4 - LAN Group2
      5 - LAN Group3
      6 - LAN Group4
      7 - LAN Group5
      8 - LAN Group6
      9 - LAN Group7
      10 - LAN Group8
  dstAddr1 - destination IP address in dotted notation
  dstAddr2 - destination IP address in dotted notation
  qos - The QoS for this traffic
      0 - None (no quality of service)
      2 - 6 - qos parameter
  log - Log when traffic matches this rule
      0 - Never
      1 - Always
Example: fw/rules/lanDmz/inbound/edit id 1 status 1 serviceName ftp action 1 schedule 1 dmzAddrType 0 lanAddrType 0

fw/rules/lanDmz/inbound/enable
This command enables a rule in the inbound services table.
Synopsis: enable <id>
Arguments:
  id - identifier for the rule
Example: fw/rules/lanDmz/inbound/enable id 1

fw/rules/lanDmz/inbound/move
This command moves a rule in the inbound services table.
Synopsis: move <dstId> <srcId>
Arguments:
  dstId - id of the destination rule after which this rule has to be placed
  srcId - id of the rule that needs to be moved
Example: fw/rules/lanDmz/inbound/move dstId 3 srcId 1

fw/rules/lanDmz/inbound/show
This command shows all the rules in the inbound services table.
Synopsis: show
Arguments: N/A
Example: fw/rules/lanDmz/inbound/show

fw/rules/lanDmz/outbound/add
This command adds a rule to the outbound services table.
Synopsis: add <status> <serviceName> <action> <schedule> <lanAddrType> [srcAddr1] [srcAddr2] <dmzAddrType> [dstAddr1] [dstAddr2] [qos] [log]
Arguments:
  status - Status of the rule
      0 - disabled
      1 - enabled
  serviceName - service name
  action - The action to be taken for the traffic that matches this rule.
      1 - Block Always
      2 - Allow Always
      3 - Block By Schedule, otherwise allow
      4 - Allow by Schedule, otherwise block
  schedule - schedule identifier
      1 - Schedule 1
      2 - Schedule 2
      3 - Schedule 3
  lanAddrType - The LAN address types
      0 - Any Address
      1 - Single Address
      2 - Range Address
      3 - LAN Group1
      4 - LAN Group2
      5 - LAN Group3
      6 - LAN Group4
      7 - LAN Group5
      8 - LAN Group6
      9 - LAN Group7
      10 - LAN Group8
  srcAddr1 - source IP address in dotted notation
  srcAddr2 - source IP address in dotted notation
  dmzAddrType - The DMZ address types
      0 - Any Address
      1 - Single Address
      2 - Range Address
  dstAddr1 - destination IP address in dotted notation
  dstAddr2 - destination IP address in dotted notation
  qos - The QoS for this traffic
      0 - none (no quality of service)
      2 - 6 - qos parameter
  log - Log when traffic matches this rule
      0 - Never
      1 - Always
Example: fw/rules/lanDmz/outbound/add status 1 serviceName telnet action 2 schedule 1 lanAddrType 0 dmzAddrType 0

fw/rules/lanDmz/outbound/delete
This command deletes a rule in the outbound services table.
Synopsis: delete <id>
Arguments:
  id - identifier for the rule
Example: fw/rules/lanDmz/outbound/delete id 1

fw/rules/lanDmz/outbound/disable

This command disables a rule in the outbound services table.
Synopsis: disable <id>
Arguments:
  id - identifier for the rule
Example: fw/rules/lanDmz/outbound/disable id 1

fw/rules/lanDmz/outbound/edit
This command edits a rule in the outbound services table.
Synopsis: edit <id> <status> <serviceName> <action> <schedule> <lanAddrType> [srcAddr1] [srcAddr2] <dmzAddrType> [dstAddr1] [dstAddr2] [qos] [log]
Arguments:
  id - identifier for the rule
  status - Status of the rule
      0 - disabled
      1 - enabled
  serviceName - service name
  action - The action to be taken for the traffic that matches this rule.
      1 - Block Always
      2 - Allow Always
      3 - Block By Schedule, otherwise allow
      4 - Allow by Schedule, otherwise block
  schedule - schedule identifier
      1 - Schedule 1
      2 - Schedule 2
      3 - Schedule 3
  lanAddrType - The LAN address types
      0 - Any Address
      1 - Single Address
      2 - Range Address
      3 - LAN Group1
      4 - LAN Group2
      5 - LAN Group3
      6 - LAN Group4
      7 - LAN Group5
      8 - LAN Group6
      9 - LAN Group7
      10 - LAN Group8
  srcAddr1 - source IP address in dotted notation
  srcAddr2 - source IP address in dotted notation
  dmzAddrType - The DMZ address types
      0 - Any Address
      1 - Single Address
      2 - Range Address
  dstAddr1 - destination IP address in dotted notation
  dstAddr2 - destination IP address in dotted notation
  qos - The QoS for this traffic
      0 - none (no quality of service)
      2 - 6 - qos parameter
  log - Log when traffic matches this rule
      0 - Never
      1 - Always
Example: fw/rules/lanDmz/outbound/edit id 1 status 1 serviceName telnet action 1 schedule 1 lanAddrType 0 dmzAddrType 0

fw/rules/lanDmz/outbound/enable
This command enables a rule in the outbound services table.
Synopsis: enable <id>
Arguments:

  id - identifier for the rule
Example: fw/rules/lanDmz/outbound/enable id 1

fw/rules/lanDmz/outbound/move
This command moves a rule in the outbound services table.
Synopsis: move <dstId> <srcId>
Arguments:
  dstId - id of the destination rule after which this rule has to be placed
  srcId - id of the rule that needs to be moved
Example: fw/rules/lanDmz/outbound/move dstId 3 srcId 1

fw/rules/lanDmz/outbound/show
This command shows all the rules in the outbound services table.
Synopsis: show
Arguments: N/A
Example: fw/rules/lanDmz/outbound/show

fw/rules/lanWan/inbound/add
This is a command to add a rule to the inbound services table. When the box is operating as a NAT gateway, the lanServer, lanPort, publicAddrType tokens must be specified. In a router mode lanAddrType must be specified.
Synopsis: add <status> <serviceName> <action> <schedule> <wanAddrType> [srcAddr1] [srcAddr2] <<lanServer> [lanPort] <publicAddrType> || <lanAddrType>> [dstAddr1] [dstAddr2] [qos] [log]
Arguments:
  status - Status of the rule
      0 - disabled
      1 - enabled
  serviceName - service name
  action - The action to be taken for the traffic that matches this rule.
      1 - Block Always
      2 - Allow Always
      3 - Block By Schedule, otherwise allow
      4 - Allow by Schedule, otherwise block
  schedule - schedule identifier
      1 - Schedule 1
      2 - Schedule 2
      3 - Schedule 3
  wanAddrType - The WAN address types
      0 - Any Address
      1 - Single Address
      2 - Range Address
  srcAddr1 - source IP address in dotted notation
  srcAddr2 - source IP address in dotted notation
  lanServer - The server on the LAN to which the matched traffic has to be forwarded
  lanPort - The server number of the lanServer on which the matched traffic has to be forwarded
  publicAddrType - The external (public) IP address in dotted notation
      11 - WAN1
      12 - WAN2
      1 - Other IP(For Aliases)
  lanAddrType - The LAN address types
      0 - Any Address
      1 - Single Address
      2 - Range Address
      3 - LAN Group1
      4 - LAN Group2
      5 - LAN Group3
      6 - LAN Group4
      7 - LAN Group5
      8 - LAN Group6
      9 - LAN Group7
      10 - LAN Group8
  dstAddr1 - destination IP address in dotted notation
  dstAddr2 - destination IP address in dotted notation
  qos - The QoS for this traffic
      0 - None (no quality of service)
      2 - 6 - qos parameter
  log - Log when traffic matches this rule
      0 - Never
      1 - Always
Example: fw/rules/lanWan/inbound/add status 1 serviceName ftp action 2 schedule 1 wanAddrType 0 lanServer 192.168.16.1 lanPort 21 publicAddrType 11

fw/rules/lanWan/inbound/delete
This command deletes a rule in the inbound services table.
Synopsis: delete <id>
Arguments:
  id - identifier for the rule
Example: fw/rules/lanWan/inbound/delete id 1
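
Added example (not part of the NETGEAR/TeamF1 reference): a Python sketch that parses fw/rules/lanWan/inbound and fw/rules/dmzWan/inbound add/edit commands written in the name-value syntax of section 1.3.1, checks them against the documented value sets and the NAT-gateway versus router-mode argument forms, and flags enabled Allow Always rules that match any WAN address or do not switch logging on. The finding names, the either-or reading of "||" and the exposure policy are assumptions of this example.

```python
import ipaddress
import shlex

# Value sets copied from the argument tables in this reference.
ENUMS = {
    "status": {"0", "1"},
    "action": {"1", "2", "3", "4"},
    "schedule": {"1", "2", "3"},
    "wanAddrType": {"0", "1", "2"},
    "publicAddrType": {"11", "12", "1"},
    "log": {"0", "1"},
}
REQUIRED = ("status", "serviceName", "action", "schedule", "wanAddrType")


def parse_command(line):
    """Split 'path name value name value ...' into (path, {name: value})."""
    tokens = shlex.split(line)
    if not tokens:
        raise ValueError("empty command")
    path, rest = tokens[0], tokens[1:]
    if len(rest) % 2:
        raise ValueError("argument name without a value: " + rest[-1])
    args = {}
    for name, value in zip(rest[::2], rest[1::2]):
        if name in args:
            raise ValueError("argument given twice: " + name)
        args[name] = value
    return path, args


def audit_inbound_rule(line):
    """Return sorted finding codes for a lanWan/dmzWan inbound add or edit."""
    path, args = parse_command(line)
    parts = path.strip("/").split("/")
    if (len(parts) != 5 or parts[:2] != ["fw", "rules"]
            or parts[2] not in ("lanWan", "dmzWan")
            or parts[3] != "inbound" or parts[4] not in ("add", "edit")):
        raise ValueError("not an inbound add/edit command: " + path)
    zone = parts[2][:3]  # "lan" or "dmz"
    server, port, addr_type = zone + "Server", zone + "Port", zone + "AddrType"
    findings = set()

    # Arguments the synopsis marks as required; edit also needs the rule id.
    for name in REQUIRED + (("id",) if parts[4] == "edit" else ()):
        if name not in args:
            findings.add("missing:" + name)
    for name, allowed in ENUMS.items():
        if name in args and args[name] not in allowed:
            findings.add("bad-value:" + name)
    for name in ("srcAddr1", "srcAddr2", "dstAddr1", "dstAddr2", server):
        if name in args:
            try:
                ipaddress.IPv4Address(args[name])
            except ValueError:
                findings.add("bad-address:" + name)
    if port in args and not (args[port].isdecimal()
                             and 1 <= int(args[port]) <= 65535):
        findings.add("bad-value:" + port)

    # NAT gateway form: <zone>Server [<zone>Port] publicAddrType.
    # Router form: <zone>AddrType. Treating the "||" in the synopsis as
    # either-or is this example's reading of it.
    nat = any(name in args for name in (server, port, "publicAddrType"))
    routed = addr_type in args
    if nat and routed:
        findings.add("mixed-nat-and-router-arguments")
    elif nat:
        for name in (server, "publicAddrType"):
            if name not in args:
                findings.add("missing:" + name)
    elif not routed:
        findings.add("no-destination")

    # Exposure policy (an assumption of this example, not a device rule):
    # an enabled Allow Always rule should not match any WAN address and
    # should have logging switched on explicitly.
    if args.get("status") == "1" and args.get("action") == "2":
        if args.get("wanAddrType") == "0":
            findings.add("allow-always-from-any-wan-address")
        if args.get("log") != "1":
            findings.add("allow-rule-without-logging")
    return sorted(findings)


# First line: the example from this reference. The other two are constructed.
SAMPLES = [
    "fw/rules/lanWan/inbound/add status 1 serviceName ftp action 2 schedule 1 "
    "wanAddrType 0 lanServer 192.168.16.1 lanPort 21 publicAddrType 11",
    "fw/rules/lanWan/inbound/add status 1 serviceName ftp action 2 schedule 1 "
    "wanAddrType 2 srcAddr1 203.0.113.10 srcAddr2 203.0.113.20 "
    "lanServer 192.168.16.1 lanPort 21 publicAddrType 11 log 1",
    "fw/rules/dmzWan/inbound/edit status 1 serviceName ftp action 5 "
    "schedule 1 wanAddrType 0 dmzPort 21",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(audit_inbound_rule(sample) or "no findings", "<-", sample)
```
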

fw/rules/lanWan/inbound/disable
This command disables a rule in the inbound services table.
Synopsis: disable <id>
Arguments:
  id - identifier for the rule
Example: fw/rules/lanWan/inbound/disable id 1

fw/rules/lanWan/inbound/edit
This command edits a rule in the inbound services table. When the box is operating as a NAT gateway, the lanServer, lanPort, publicAddrType tokens must be specified. In a router mode lanAddrType must be specified.
Synopsis: edit <id> <status> <serviceName> <action> <schedule> <wanAddrType> [srcAddr1] [srcAddr2] <<lanServer> [lanPort] <publicAddrType> || <lanAddrType>> [dstAddr1] [dstAddr2] [qos] [log]
Arguments:
  id - identifier for the rule
  status - Status of the rule
      0 - disabled
      1 - enabled
  serviceName - service name
  action - The action to be taken for the traffic that matches this rule.
      1 - Block Always
      2 - Allow Always
      3 - Block By Schedule, otherwise allow
      4 - Allow by Schedule, otherwise block
  schedule - schedule identifier
      1 - Schedule 1
      2 - Schedule 2
      3 - Schedule 3
  wanAddrType - The WAN address types
      0 - Any Address
      1 - Single Address
      2 - Range Address
  srcAddr1 - source IP address in dotted notation
  srcAddr2 - source IP address in dotted notation
  lanServer - The server on the LAN to which the matched traffic has to be forwarded
  lanPort - The server number of the lanServer on which the matched traffic has to be forwarded
  publicAddrType - The external (public) IP address in dotted notation
      11 - WAN1
      12 - WAN2
      1 - Other IP(For Aliases)
  lanAddrType - The LAN address types
      0 - Any Address
      1 - Single Address
      2 - Range Address
      3 - LAN Group1
      4 - LAN Group2
      5 - LAN Group3
      6 - LAN Group4
      7 - LAN Group5
      8 - LAN Group6
      9 - LAN Group7
      10 - LAN Group8
  dstAddr1 - destination IP address in dotted notation
  dstAddr2 - destination IP address in dotted notation
  qos - The QoS for this traffic
      0 - none (no quality of service)
      2 - 6 - qos parameter
  log - Log when traffic matches this rule
      0 - Never
      1 - Always

Example: fw/rules/lanWan/inbound/edit id 1 status 1 serviceName ftp action 1 schedule 1 wanAddrType 0 lanServer 192.168.16.1 lanPort 21 publicAddrType 11

fw/rules/lanWan/inbound/enable
This command enables a rule in the inbound services table.
Synopsis: enable <id>
Arguments:
  id - identifier for the rule
Example: fw/rules/lanWan/inbound/enable id 1

fw/rules/lanWan/inbound/move
This command moves a rule in the inbound services table.
Synopsis: move <dstId> <srcId>
Arguments:
  dstId - id of the destination rule after which this rule has to be placed
  srcId - id of the rule that needs to be moved
Example: fw/rules/lanWan/inbound/move dstId 3 srcId 1

fw/rules/lanWan/inbound/show
This command shows all the rules in the inbound services table.
Synopsis: show
Arguments: N/A
Example: fw/rules/lanWan/inbound/show

fw/rules/lanWan/outbound/add
This command adds a rule to the outbound services table.
Synopsis: add <status> <serviceName> <action> <schedule> <lanAddrType> [srcAddr1] [srcAddr2] <wanAddrType> [dstAddr1] [dstAddr2] [qos] [log]
Arguments:
  status - Status of the rule
      0 - disabled
      1 - enabled
  serviceName - service name
  action - The action to be taken for the traffic that matches this rule
      1 - Block Always
      2 - Allow Always
      3 - Block By Schedule, otherwise allow
      4 - Allow by Schedule, otherwise block
  schedule - schedule identifier
      1 - Schedule 1
      2 - Schedule 2
      3 - Schedule 3
  lanAddrType - The LAN address types
      0 - Any Address
      1 - Single Address
      2 - Range Address
      3 - LAN Group1
      4 - LAN Group2
      5 - LAN Group3
      6 - LAN Group4
      7 - LAN Group5
      8 - LAN Group6
      9 - LAN Group7
      10 - LAN Group8
  srcAddr1 - source IP address in dotted notation
  srcAddr2 - source IP address in dotted notation
  wanAddrType - The WAN address types
      0 - Any Address
      1 - Single Address
      2 - Range Address
  dstAddr1 - destination IP address in dotted notation
  dstAddr2 - destination IP address in dotted notation
  qos - The QoS for this traffic
      0 - none (no quality of service)
      2-6 - qos parameter
  log - Log when traffic matches this rule
      0 - Never
      1 - Always

Example: fw/rules/lanWan/outbound/add status 1 serviceName telnet action 2 schedule 1 lanAddrType 0 wanAddrType 0

fw/rules/lanWan/outbound/defaultGet
This command displays the default policy for outbound traffic.
Synopsis: defaultGet
Arguments: N/A

Example: fw/rules/lanWan/outbound/defaultGet

fw/rules/lanWan/outbound/defaultSet
This command sets the default policy for the outbound traffic.
Synopsis: defaultSet <policy>
Arguments:
  policy - The default policy for the table.
      50 - DROP
      51 - ACCEPT
Example: fw/rules/lanWan/outbound/defaultSet policy 50

fw/rules/lanWan/outbound/delete
This command deletes a rule in the outbound services table.
Synopsis: delete <id>
Arguments:
  id - identifier for the rule
Example: fw/rules/lanWan/outbound/delete id 1

fw/rules/lanWan/outbound/disable
This command disables a rule in the outbound services table.

Synopsis: disable <id>
Arguments:
  id - identifier for the rule
Example: fw/rules/lanWan/outbound/disable id 1

fw/rules/lanWan/outbound/edit
This command edits a rule in the outbound services table.
Synopsis: edit <id> <status> <serviceName> <action> <schedule> <lanAddrType> [srcAddr1] [srcAddr2] <wanAddrType> [dstAddr1] [dstAddr2] [qos] [log]
Arguments:
  id - identifier for the rule
  status - Status of the rule
      0 - disabled
      1 - enabled
  serviceName - service name
  action - The action to be taken for the traffic that matches this rule.
      1 - Block Always
      2 - Allow Always
      3 - Block By Schedule, otherwise allow
      4 - Allow by Schedule, otherwise block
  schedule - schedule identifier
      1 - Schedule 1
      2 - Schedule 2
      3 - Schedule 3
  lanAddrType - The LAN address types
      0 - Any Address
      1 - Single Address
      2 - Range Address
      3 - LAN Group1
      4 - LAN Group2
      5 - LAN Group3
      6 - LAN Group4
      7 - LAN Group5
      8 - LAN Group6
      9 - LAN Group7
      10 - LAN Group8
  srcAddr1 - source IP address in dotted notation
  srcAddr2 - source IP address in dotted notation
  wanAddrType - The WAN address types
      0 - Any Address
      1 - Single Address
      2 - Range Address
  dstAddr1 - destination IP address in dotted notation
  dstAddr2 - destination IP address in dotted notation
  qos - The QoS for this traffic
      0 - none (no quality of service)
      2-6 - qos parameter
  log - Log when traffic matches this rule
      0 - Never
      1 - Always
Example: fw/rules/lanWan/outbound/edit id 1 status 1 serviceName telnet action 1 schedule 1 lanAddrType 0 wanAddrType 0

fw/rules/lanWan/outbound/enable
This command enables a rule in the outbound services table.
Synopsis: enable <id>
Arguments:
  id - identifier for the rule
Example: fw/rules/lanWan/outbound/enable id 1

fw/rules/lanWan/outbound/move
This command moves a rule in the outbound services table.
Synopsis: move <dstId> <srcId>
Arguments:
  dstId - id of the destination rule after which this rule has to be placed
  srcId - id of the rule that needs to be moved
Example: fw/rules/lanWan/outbound/move dstId 3 srcId 1

fw/rules/lanWan/outbound/show
This command displays all the rules in the outbound services table.

Synopsis: show
Arguments: N/A
Example: fw/rules/lanWan/outbound/show
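An added example (not part of the NETGEAR/TeamF1 reference): a Python checker that parses lanWan rule commands in the name/value syntax used above, validates them against the documented value tables, and flags enabled rules that pass traffic from any address or without logging. The finding codes, and the choice to treat an omitted log argument as "not logged", are assumptions of this example.

```python
import re

# Value sets copied from the argument tables in this reference.
ENUMS = {
    "status": {0, 1}, "action": {1, 2, 3, 4}, "schedule": {1, 2, 3},
    "wanAddrType": {0, 1, 2}, "lanAddrType": set(range(11)),
    "publicAddrType": {1, 11, 12}, "log": {0, 1}, "policy": {50, 51},
}
REQUIRED = {
    "inbound": ("status", "serviceName", "action", "schedule", "wanAddrType"),
    "outbound": ("status", "serviceName", "action", "schedule",
                 "lanAddrType", "wanAddrType"),
}
RULE_PATH = re.compile(r"^fw/rules/lanWan/(inbound|outbound)/(add|edit)$")
DEFAULT_SET = "fw/rules/lanWan/outbound/defaultSet"
ALLOWING = {"2", "3", "4"}  # every action except 1 (Block Always) passes traffic at some time
ANY = "0"                   # "Any Address" in both address-type tables


def parse_command(line):
    """Split '<path> name value name value ...' into (path, {name: value})."""
    tokens = line.split()
    if not tokens:
        raise ValueError("empty command line")
    path, rest = tokens[0], tokens[1:]
    if len(rest) % 2:
        raise ValueError("argument name without a value: " + rest[-1])
    args = {}
    for name, value in zip(rest[0::2], rest[1::2]):
        if name in args:
            raise ValueError("argument given twice: " + name)
        args[name] = value
    return path, args


def audit(line):
    """Return a list of finding codes for one rule command (empty list = clean)."""
    path, args = parse_command(line)
    findings = ["bad-value:" + name for name, allowed in ENUMS.items()
                if name in args
                and not (args[name].isdecimal() and int(args[name]) in allowed)]

    if path == DEFAULT_SET:
        if "policy" not in args:
            findings.append("missing:policy")
        elif args["policy"] == "51":  # 51 = ACCEPT
            findings.append("default-accept")
        return findings

    match = RULE_PATH.match(path)
    if not match:
        raise ValueError("not a lanWan add/edit/defaultSet command: " + path)
    direction, verb = match.groups()

    required = (("id",) if verb == "edit" else ()) + REQUIRED[direction]
    findings += ["missing:" + name for name in required if name not in args]
    # Inbound rules need a NAT target (lanServer + publicAddrType; lanPort is
    # optional in the synopsis) or, in router mode, lanAddrType.
    if (direction == "inbound" and "lanAddrType" not in args
            and not args.keys() >= {"lanServer", "publicAddrType"}):
        findings.append("missing:nat-or-router-target")

    if args.get("status") == "1" and args.get("action") in ALLOWING:
        if direction == "inbound" and args.get("wanAddrType") == ANY:
            findings.append("allow-from-any-wan")
        if (direction == "outbound" and args.get("lanAddrType") == ANY
                and args.get("wanAddrType") == ANY):
            findings.append("allow-any-to-any")
        # Assumption: an omitted log argument is treated like log 0, because
        # the reference does not state the default.
        if args.get("log") != "1":
            findings.append("allow-not-logged")
    return findings


# The first three commands are this reference's own examples; the rest are constructed.
SAMPLES = [
    "fw/rules/lanWan/inbound/add status 1 serviceName ftp action 2 schedule 1 "
    "wanAddrType 0 lanServer 192.168.16.1 lanPort 21 publicAddrType 11",
    "fw/rules/lanWan/inbound/edit id 1 status 1 serviceName ftp action 1 schedule 1 "
    "wanAddrType 0 lanServer 192.168.16.1 lanPort 21 publicAddrType 11",
    "fw/rules/lanWan/outbound/add status 1 serviceName telnet action 2 schedule 1 "
    "lanAddrType 0 wanAddrType 0",
    "fw/rules/lanWan/outbound/defaultSet policy 51",
    "fw/rules/lanWan/inbound/add status 1 serviceName ftp action 5 wanAddrType 0 log 1",
]

if __name__ == "__main__":
    for cmd in SAMPLES:
        print(audit(cmd) or ["ok"], "<-", cmd)
```

Run over a saved list of rule commands, the checker shows which enabled rules accept traffic from any address and which would leave no trace in the firewall log.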

fw/sched/change
This command modifies a firewall schedule.
Synopsis: change <id> <allWeek> <days> <allDay> <startHour> <startMin> <startMeridian> <endHour> <endMin> <endMeridian>
Arguments:
  id - Schedule identifier
      1 - Schedule 1
      2 - Schedule 2
      3 - Schedule 3
  allWeek - All week schedule status
      0 - disable
      1 - enable
  days - Specific days schedule status
      0 - disable
      1 - enable
  startHour - Start hour of the schedule
  startMin - Start minute of the schedule
  startMeridian - Start Meridian
      0 - AM
      1 - PM
  endHour - End hour of the schedule
  endMin - End minute of the schedule
  endMeridian - End Meridian
      0 - AM
      1 - PM
Example: fw/sched/change id 3 allWeek 1 days 0 allDay 0 startHour 6 startMin 20 startMeridian 1 endHour 7 endMin 30 endMeridian 1

fw/sched/show
This command displays all current schedules.

Synopsis: show
Arguments: N/A
Example: fw/sched/show

fw/svc/add
This command adds a firewall custom service.
Synopsis: add <service> <proto> <startPort> <endPort> <qos>
Arguments:
  service - Name of the Service
  proto - Protocol
      1 - ICMP
      6 - TCP
      17 - UDP
  startPort - Starting Port Number (0-65536)
  endPort - End Port Number (0-65536)
  qos - Quality of Service Parameters
      0 - none (no quality of service)
      2-6 - qos parameter
Example: fw/svc/add service test-5 proto 6 startPort 1000 endPort 2000 qos 2

fw/svc/customsvcshow
This command shows all the custom firewall services.
Synopsis: customsvcshow
Arguments: N/A
Example: fw/svc/customsvcshow

fw/svc/defaultsvcshow
This command displays all the default firewall services.
Synopsis: defaultsvcshow

Arguments: N/A
Example: fw/svc/defaultsvcshow

fw/svc/delete
This command deletes a custom firewall service.
Synopsis: delete <id>
Arguments:
  id - Id of an existing firewall service
Example: fw/svc/delete id 57

fw/svc/edit
This command will edit an existing firewall custom service.
Synopsis: edit <id> <service> <proto> <startPort> <endPort> <qos>
Arguments:
  id - Id of an existing service
  service - Name of the Service
  proto - Protocol
      1 - ICMP
      6 - TCP
      17 - UDP
  startPort - Starting Port Number (0-65536)
  endPort - End Port Number (0-65536)
  qos - Quality of Service
      0 - none (no quality of service)
      2-6 - qos parameter
Example: fw/svc/edit id 55 service test-6 proto 6 startPort 1000 endPort 2000 qos 3

fw/trendMicro/enforce/configure
This command is used to configure TrendMicro virus check enforcement.

Synopsis: configure <enfEnable> <serIp> <cliCommPort> <serHttpPort> <serRefRate> <cliRefRate>
Arguments:
  enfEnable - Enable or disable the Enforcement Rule.
      0 - disable
      1 - enable
  serIp - IP address of the TrendMicro server.
  cliCommPort - TrendMicro Client communication port.
  serHttpPort - TrendMicro server Port.
  serRefRate - Server refresh rate.
  cliRefRate - Client refresh rate.
Example: fw/trendMicro/enforce/configure enfEnable 1 serIp 40.0.0.1 cliCommPort 4000 serHttpPort 2000 serRefRate 100 cliRefRate 60

fw/trendMicro/enforce/get
This command displays TrendMicro virus check enforcement details.
Synopsis: get
Arguments: N/A
Example: fw/trendMicro/enforce/get

fw/trendMicro/hostList/add
This command adds a host in the host list.
Synopsis: add <hostExclu>
Arguments:
  hostExclu - Host IP address to be excluded
Example: fw/trendMicro/hostList/add hostExclu 40.0.0.1

fw/trendMicro/hostList/del
This command deletes an existing host from the host list.

Synopsis: del <hostId>
Arguments:
  hostId - Host identifier
Example: fw/trendMicro/hostList/del hostId 1

fw/trendMicro/hostList/get
This command displays the host list.
Synopsis: get
Arguments: N/A
Example: fw/trendMicro/hostList/get

fw/web/blockWebComp
This command configures the blocking of the specified Web Components.
Synopsis: blockWebComp <webproxy> <java> <activex> <cookie>
Arguments:
  webproxy - web component to be blocked
      0 - disable
      1 - enable
  java - web component to be blocked
      0 - disable
      1 - enable
  activex - web component to be blocked
      0 - disable
      1 - enable
  cookie - web component to be blocked
      0 - disable
      1 - enable
Example: fw/web/blockWebComp webproxy 1 java 1 activex 1 cookie 1

fw/web/keyword/add
This command adds a keyword to the blocked keyword list.

Synopsis: add keyword <value>
Arguments:
  keyword - Name of the keyword to be blocked
Example: fw/web/keyword/add keyword cricket

fw/web/keyword/blockGroup
This command applies a keyword blocking for a given LAN group.
Synopsis: blockGroup <groupName>
Arguments:
  groupName - name of the LAN group
Example: fw/web/keyword/blockGroup groupName Group1

fw/web/keyword/delete
This command deletes a keyword from the blocked list.
Synopsis: delete id <value>
Arguments:
  id - id of an existing blocked keyword
Example: fw/web/keyword/delete id 2

fw/web/keyword/flush
This command flushes the list of blocked keywords.
Synopsis: flush
Arguments: N/A
Example: fw/web/keyword/flush

fw/web/keyword/statusSet
This command enables/disables the keyword blocking.

Synopsis: statusSet <value>
Arguments:
  0 - disable
  1 - enable
Example: fw/web/keyword/statusSet 1

fw/web/keyword/statusGet
This command displays the current status of keyword blocking.
Synopsis: statusGet
Arguments: N/A
Example: fw/web/keyword/statusGet

fw/web/keyword/groupShow
This command displays the list of groups for which keyword blocking is enabled.
Synopsis: groupShow
Arguments: N/A
Example: fw/web/keyword/groupShow

fw/web/keyword/show
This command displays all the blocked keywords.
Synopsis: show
Arguments: N/A
Example: fw/web/keyword/show

fw/web/keyword/unblockGroup
This command disables keyword blocking for the given LAN group.
Synopsis: unblockGroup <groupName>
Arguments:
  groupName - name of the LAN group
Example: fw/web/keyword/unblockGroup groupName Group1

fw/web/status
This command displays the status of web filtering security checks.
Synopsis: status
Arguments: N/A
Example: fw/web/status

fw/web/trustedDomain/add
This command adds a domain to the trusted domain list.
Synopsis: add <trustedDomain>
Arguments:
  trustedDomain - Name of trusted web domain
Example: fw/web/trustedDomain/add trustedDomain www.cricketinfo.com

fw/web/trustedDomain/delete
This command deletes a trusted domain for the given id.
Synopsis: delete <id>
Arguments:
  id - Id of an existing trusted domain.
Example: fw/web/trustedDomain/delete id 2

fw/web/trustedDomain/flush
This command flushes all the trusted domains.
Synopsis: flush
Arguments: N/A
Example: fw/web/trustedDomain/flush

fw/web/trustedDomain/show
This command displays all the trusted domains.
Synopsis: show
Arguments: N/A
Example: fw/web/trustedDomain/show

2.4 Monitoring Commands

monitor/diag/nsLookup
This command displays the IP address of a specified domain name.
Synopsis: nsLookup <dns>
Arguments:
  dns - destination domain name
Example: monitor/diag/nsLookup dns www.teamf1.com

monitor/diag/ping
This command checks if a destination host can be reached.
Synopsis: ping <pingDst>
Arguments:
  pingDst - destination IP address

Example: monitor/diag/ping pingDst 192.168.1.16

monitor/diag/reboot
This command reboots the system.
Synopsis: reboot
Arguments: N/A
Example: monitor/diag/reboot

monitor/diag/routeDisplay
This command displays the IP routing table.
Synopsis: routeDisplay
Arguments: N/A
Example: monitor/diag/routeDisplay

monitor/diag/tcpdumpStart
This command captures the network packets on a specified interface.
Synopsis: tcpdumpStart <ifName>
Arguments:
  ifName - interface name
Example: monitor/diag/tcpdumpStart ifName eth0

monitor/diag/tcpdumpStop
This command stops tcpdump packet capture on a specified interface.
Synopsis: tcpdumpStop <ifName>
Arguments:
  ifName - interface name

Example: monitor/diag/tcpdumpStop ifName eth0

monitor/diag/traceRoute
This command traces out the route for a particular destination IP.
Synopsis: traceRoute <trDst>
Arguments:
  trDst - destination IP address
Example: monitor/diag/traceRoute trDst 192.168.1.16

monitor/firewallLogs/logger/start
This command logs alerts and attacks.
Synopsis: monitor/firewallLogs/logger/start <syslogStatus> <server> <facility> <logIdent> <errMsg> <denyPolicy> <allowPolicy> <contentFiltering> <dataInspection> <genralAttacks> <unavailablePolicies> <adminLogin> <configChanges> <accessStatics> <verbose> <synFlood> <pingOfDeath> <ipSpoofing> <loginFailure> <winNuke> <ipOptionAttack>
Arguments:
  syslogStatus - Syslog Server's current status
      0 - disable
      1 - enable
  server - Syslog Server's IP address
  facility - Facility of syslog server
  logIdent - Log Identifier
  errMsg - include or exclude error messages logs
      1 - include error messages
      0 - exclude error messages
  denyPolicy - include or exclude deny policy logs
      1 - include deny policy logs
      0 - exclude deny policy logs
  allowPolicy - include or exclude allow policy logs
      1 - include allow policy logs
      0 - exclude allow policy logs
  contentFiltering - include or exclude content filtering logs
      1 - include content filtering logs
      0 - exclude content filtering logs
  dataInspection - include or exclude data inspection logs
      1 - include data inspection logs
      0 - exclude data inspection logs
  genralAttacks - include or exclude general attacks logs
      1 - include general attacks logs
      0 - exclude general attacks logs
  unavailablePolicies - include or exclude unavailable policies logs
      1 - include unavailable policies logs
      0 - exclude unavailable policies logs
  adminLogin - include or exclude admin login logs
      1 - include admin login logs
      0 - exclude admin login logs
  configChanges - include or exclude configuration changes logs
      1 - include configuration changes logs
      0 - exclude configuration changes logs
  accessStatics - include or exclude access statistics logs
      1 - include access statistics logs
      0 - exclude access statistics logs
  verbose - include or exclude verbose logs
      1 - include verbose logs
      0 - exclude verbose logs
  synFlood - include or exclude syn flood attack logs
      1 - include syn flood attack logs
      0 - exclude syn flood attack logs
  pingOfDeath - include or exclude ping of death attack logs
      1 - include ping of death attack logs
      0 - exclude ping of death attack logs
  ipSpoofing - include or exclude ip spoofing attack logs
      1 - include ip spoofing attack logs
      0 - exclude ip spoofing attack logs
  loginFailure - include or exclude login failure logs
      1 - include login failure logs
      0 - exclude login failure logs
  winNuke - include or exclude win nuke attack logs
      1 - include win nuke attack logs
      0 - exclude win nuke attack logs
  ipOptionAttack - include or exclude ip option attack logs
      1 - include ip option attack logs
      0 - exclude ip option attack logs

Example: monitor/firewallLogs/logger/start syslogStatus 1 server 192.168.1.30 facility 1 errMsg 1 denyPolicy 1 allowPolicy 1 contentFiltering 0 dataInspection 0 generalAttacks 0 unavailablePolicies 1 adminLogin 0 configChanges 1 accessStatics 0 verbose 1 synFlood 1 pingOfDeath 1 ipSpoofing 0 loginFailure 1 winNuke 1 ipOptionAttack 0

monitor/firewallLogs/logEnable
This command disables keyword blocking for the given LAN group.
Synopsis: logEnable <lan2WanAccept> <lan2WanDrop> <wan2LanAccept> <wan2LanDrop> <lan2DmzAccept> <lan2DmzDrop> <dmz2LanAccept> <dmz2LanDrop> <dmz2WanAccept> <dmz2WanDrop> <wan2DmzAccept> <wan2DmzDrop>
Arguments:
  lan2WanAccept - Log packets accepted from LAN to WAN
  lan2WanDrop - Log packets dropped from LAN to WAN
  wan2LanAccept - Log packets accepted from LAN to WAN
  wan2LanDrop - Log packets dropped from LAN to WAN
  lan2DmzAccept - Log packets accepted from LAN to WAN
  lan2DmzDrop - Log packets dropped from LAN to WAN
  dmz2LanAccept - Log packets accepted from LAN to WAN
  dmz2LanDrop - Log packets dropped from LAN to WAN
  dmz2WanAccept - Log packets accepted from LAN to WAN
  dmz2WanDrop - Log packets dropped from LAN to WAN
  wan2DmzAccept - Log packets accepted from LAN to WAN
  wan2DmzDrop - Log packets dropped from LAN to WAN
Example: fw/web/keyword/unblockGroup groupName Group1

monitor/firewallLogs/logger/viewLog
This command displays the log messages.
Synopsis: viewLog
Arguments: N/A

Example: monitor/firewallLogs/logger/viewLog

monitor/firewallLogs/logger/clearLog
This command clears the log messages.
Synopsis: clearLog
Arguments: N/A
Example: monitor/firewallLogs/logger/clearLog

monitor/firewallLogs/logger/get
This command displays the log messages.
Synopsis: get
Arguments: N/A
Example: monitor/firewallLogs/logger/get

monitor/firewallLogs/logger/stop
This command stops the logger.
Synopsis: stop
Arguments: N/A
Example: monitor/firewallLogs/logger/stop

monitor/firewallLogs/logstatus
This command stops the logger.
Synopsis: stop
Arguments: N/A
Example: monitor/firewallLogs/logstatus

monitor/firewallLogs/mail/config
This command configures an SMTP client.
Synopsis: monitor/firewallLogs/mail/config <enable> <auth> <ident> <to> <from> [user] [password] <mailserver>
Arguments:
  enable - enable smtp client to send mail
      1 - enable
      0 - disable
  auth - authentication method with server
      n - no authentication
      p - plain authentication
      C - CRAM-MD5 authentication
  ident - respond to ident server
      1 - enable responding to ident query
      0 - disable responding to ident query
  to - recipient email address
  from - sender email address
  user - account name
  password - account password
  mailserver - IP address of email server
Example: monitor/firewallLogs/mail/config enable 1 auth p ident 0 to admin@domain.com from user@domain.com user eit password eit123 mailserver 192.168.1.16

monitor/firewallLogs/mail/get
This command displays the current smtp configuration.
Synopsis: get
Arguments: N/A

monitor/firewallLogs/cron/show
This command displays the current cron configuration.
Synopsis: show
Arguments: N/A

monitor/firewallLogs/cron/start
This command adds a cron job.
Synopsis: start <schedule> <day> <time> <meridiem>
Arguments:
  schedule - schedule of cron's jobs
      1 - hourly
      2 - daily
      3 - weekly
  day - day for running cron job
      0 - sunday
      1 - Monday
      6 - saturday
  time - time for running cron job
      1 - 1:00
      2 - 2:00
      12 - 12:00
  meridiem - meridian of cron job
      1 - a.m.
      2 - p.m.

monitor/firewallLogs/cron/stop
This command removes the cron job from cron.
Synopsis: stop
Arguments: N/A

monitor/trafficMtr/configure
This command configures traffic metering for the WAN side.
Synopsis: configure <wanId> <status> <direction> <limit> <extra> <restart> <hour> <minute> <meridian> <day> <email> <ctrRestart> <block> <blockAlert>

Arguments:
  wanId - WAN Identifier for the traffic meter
      1 - WAN1
      2 - WAN2
  status - The status of the traffic meter
      1 - Enabled
      0 - Disabled
  direction - The direction of the traffic meter.
      0 - No Limit
      1 - Download Only
      2 - Both Directions
  limit - The monthly limit for the meter
  extra - The monthly exceed limit for the meter
  restart - flag to restart the traffic counter
  ctrRestart - Restart Time
      1 - Restart Now
      0 - Restart at a given time
  hour - The restart hour 0-12
  minute - The restart minute 0-60
  meridian - The restart meridian 0-60
  day - The restart day 0-31
  email - flag to send email when the counter is restarted
  block - Block the traffic when the limit is reached.
      1 - blocking all traffic
      2 - Block all traffic except e-mail
  blockAlert - Send e-mail that the traffic has been blocked
Example: monitor/trafficMtr/configure wanId <value> status <value> direction <value> limit <value> extra <value> restart <value> hour <value> minute <value> meridian <value> day <value> email <value> ctrRestart <value> block <value> blockAlert <value>

monitor/trafficMtr/trafByProtoShow
This command displays traffic statistics by protocol.
Synopsis: trafByProtoShow <wanId>

Arguments:
  wanId - wan port identification number
      0 - wan1
      1 - wan2
Example: monitor/trafficMtr/trafByProtoShow wanId 1

monitor/trafficMtr/summary
This command displays traffic metering summary.
Synopsis: summary <wanId>
Arguments:
  wanId - WAN port identification number
      0 - WAN1
      1 - WAN2
Example: monitor/trafficMtr/summary wanId 1

monitor/trafficMtr/show
This command displays current traffic meter configuration for specified wan id.
Synopsis: show <wanId>
Arguments:
  wanId - wan port identification number
      0 - WAN1
      1 - WAN2
Example: monitor/trafficMtr/show wanId 1

monitor/vpnLogs/clear
This command clears the VPN log.
Synopsis: clear
Arguments: N/A

Example: monitor/vpnLogs/clear

monitor/vpnLogs/get
This command displays the VPN log.
Synopsis: get
Arguments: N/A
Example: monitor/vpnLogs/get

monitor/vpnLogs/refresh
This command refreshes the VPN log.
Synopsis: refresh
Arguments: N/A
Example: monitor/vpnLogs/refresh

2.5 Network Configuration Commands

netConf/dmzSetup/config
This command is used to configure the DMZ port.
Synopsis: config <status> <ipAddr> <mask>
Arguments:
  status - status of DMZ
      0 - Disable
      1 - Enable
  ipAddr - IP Address to be configured
  mask - Subnet mask
Example: netConf/dmzSetup/config status 1 ipAddr 90.0.0.10 mask 255.255.255.0

netConf/dmzSetup/show
The following command is used to display the current configuration of the DMZ port.
Arguments: N/A
Example: netConf/dmzSetup/show

netConf/lanGrps/add
This command adds a known host in the LAN to LAN groups.
Synopsis: add <mac> [hostname] [hostip] [groupid]
Arguments:
  mac - address of the network interface card of the LAN host.
  hostname - name of the LAN host.
  hostip - IP address of the LAN host.
  groupid - group id into which this host is grouped.
      0 - Default
      1 - Marketing
      2 - Sales
      3 - Wareshous
      4 - Support
      5 - Lab1
      6 - Lab2
      7 - Others
Example: netConf/lanGrps/add mac 00:fe:23:11:ef:2e hostname guestpc hostip 192.168.1.200 groupid 3

netConf/lanGrps/del
This command is used to remove any LAN host from LAN groups.
Synopsis: del <mac>
Arguments:
  mac - address of the network interface card of the LAN host
Example: netConf/lanGrps/del 00:fe:23:11:ef:2e

netConf/lanGrps/edit
This command edits a known host in a LAN group.
Synopsis: edit <mac> [hostname] [hostip] [groupid]
Arguments:
  mac - address of the network interface card of the LAN host.
  hostname - name of the LAN host.
  hostip - IP address of the LAN host.
  groupid - group id into which this host is grouped.
      0 - Default
      1 - Marketing
      2 - Sales
      3 - Wareshous
      4 - Support
      5 - Lab1
      6 - Lab2
      7 - Others
Example: netConf/lanGrps/edit mac 00:fe:23:11:ef:2e hostname guestpc hostip 192.168.1.200 groupid 3

netConf/lanGrps/get
This command is used to retrieve LAN host information.
Synopsis: get <mac>
Arguments:
  mac - address of the network interface card of the LAN host
Example: netConf/lanGrps/get mac 00:fe:23:11:ef:2e

netConf/lanGrps/getAdded
This command displays list of all nodes in configuration.
Synopsis: getAdded <mac>
Arguments:
  mac - address of the network interface card of the LAN host
Example: netConf/lanGrps/getAdded mac 00:fe:23:11:ef:2e

netConf/lanGrps/list
This command retrieves all the known and discovered hosts on the LAN.
Synopsis: list
Arguments: N/A
Example: netConf/lanGrps/list

netConf/lanSetup/dhcpd/config
This command is used to configure the DHCP server on the LAN interface.
Synopsis: config <interface> <status> <subnet> <mask> <rangeLow> <rangeHigh> <domain> <leaseTime> [wins]
Arguments:
  interface - Interface Id for DHCP server configuration
      2 - Interface Id for LAN
      3 - Interface Id for DMZ
  status - Status of DHCP server
      0 - Disable
      1 - (Not Supported)
      2 - Enable
  subnet - Subnet Address for DHCP server configuration
  mask - Network Mask for DHCP server configuration
  rangeLow - Starting Range of IP Address for DHCP server configuration
  rangeHigh - Ending Range of IP Address for DHCP server configuration
  domain - Domain Name Server for DHCP server configuration
  leaseTime - Lease Time of DHCP server configuration
  wins - WINS Server IP Address for DHCP server configuration
Example: netConf/lanSetup/dhcpd/config interface 2 status 2 subnet 192.168.1.0 mask 255.255.255.0 rangeLow 192.168.1.100 rangeHigh 192.168.1.250 domain www.netgear.com leaseTime 24

netConf/lanSetup/dhcpd/show
This command is used to display the current DHCP server configuration.
Synopsis: show <interface>
Arguments:
  interface - Interface Id for DHCP server configuration
      2 - Interface Id for LAN
      3 - Interface Id for DMZ
Example: netConf/lanSetup/dhcpd/show interface 2

netConf/lanSetup/lanStatic/ifConf
This command is used for LAN network interface configuration.
Synopsis: ifConf <ifDevId> <ipAddr> <subnetMask>
Arguments:
  ifDevId - Interface Id to configure
      2 - LAN
      3 - DMZ
  ipAddr - IP Address for static interface configuration
  subnetMask - Subnet Mask for static interface configuration
Example: netConf/lanSetup/lanStatic/ifConf ifDevId 2 ipAddr 192.168.1.1 subnetMask 255.255.255.0

netConf/lanSetup/lanStatic/ifDel
This command is used to disable the interface configuration.
Synopsis: ifDel <ifDevId>
Arguments:
  ifDevId - Interface Id to configure
      2 - LAN
      3 - DMZ
Example: netConf/lanSetup/lanStatic/ifDel ifDevId 3

netConf/lanSetup/lanStatic/ifShow
This command displays LAN network interface details.
Synopsis: ifShow <ifDevId>
Arguments:
  ifDevId - Interface Id to show LAN network interface details
      2 - LAN
      3 - DMZ
Example: netConf/lanSetup/lanStatic/ifShow ifDevId 2

netConf/lanSetup/lanStatic/ipAConf
This command is used for IP alias (multi home IP) configuration.
Synopsis: ipAConf <ipAIfDevId> <ipAIpAddr> <ipASMask> <ipAliasid>
Arguments:
  ipAIfDevId - Interface Id for configuring secondary IP
      2 - LAN
      3 - DMZ
  ipAIpAddr - Secondary IP Address for IP alias
  ipASMask - Subnet mask of an IP Alias
  ipAliasid - IP Alias id for an IP alias
Example: netConf/lanSetup/lanStatic/ipAConf ipAIfDevId 2 ipAIpAddr 176.16.1.0 ipASMask 255.255.255.0 ipAliasid 1

netConf/lanSetup/lanStatic/ipADel
This command is used to delete IP alias configuration.
Synopsis: ipADel <ipAliasIdnt>
Arguments:
  ipAliasIdnt - IP Alias list id
Example: netConf/lanSetup/lanStatic/ipADel ipAliasIdnt 1

netConf/lanSetup/lanStatic/ipALShow
This command is used to display the list of current IP alias configurations.
Synopsis: ipALShow
Arguments: N/A
Example: netConf/lanSetup/lanStatic/ipALShow

netConf/lanSetup/lanStatic/ipAShow
This command is used to display the current IP alias configuration.
Synopsis: ipAShow <ipAliasIdnt>
Arguments:
  ipAliasIdnt - IP Alias list id
Example: netConf/lanSetup/lanStatic/ipAShow ipAliasIdnt 1

netConf/routing/rip/conf
This command configures RIP (Routing Information Protocol).
Synopsis: conf <dir> <ver> <auth> [keyid1] [key1] [from1] [till1] [keyid2] [key2] [from2] [till2]
Arguments:
  dir - RIP direction
      0 - None
      1 - In
      2 - Out
      3 - Both
  ver - RIP version
      0 - Disabled
      1 - RIPv1
      2 - RIPv2 Bcast
      3 - RIPv2 Mcast
  auth - enable/disable RIP-2B/2M authentication
      0 - Disable
      1 - Enable
  keyid1 - a unique key identifier
  key1 - a 16-char key
  from1 - time from which key is valid
  till1 - time till which key is valid
  keyid2 - a unique key identifier
  key2 - a 16-char key
  from2 - time from which key is valid
  till2 - time till which key is valid

Example: netConf/routing/rip/conf dir 3 ver 2 auth 0

netConf/routing/rip/show
This command displays the current RIP configuration.
Synopsis: show
Arguments: N/A
Example: netConf/routing/rip/show

netConf/routing/static/add
This command adds a static route.
Synopsis: add <name> <active> <private> <dst> <mask> <gateway> <device> <metric>
Arguments:
  name - Name of the route
  active - Enable the route
      1 - Active
      0 - Inactive
  private - To add the route in the local or main table.
      1 - private
      0 - public
  dst - Destination IP Address
  mask - Network Mask
  gateway - Gateway
  device - Interface ID
      0 - WAN1
      1 - WAN2
      2 - LAN
      3 - DMZ
  metric - An integer which adds interface metric.
Example: netConf/routing/static/add name rt1 active 1 private 0 dst 192.168.1.0 mask 255.255.255.0 gateway 192.168.1.2 device 2 metric 3

netConf/routing/static/del
This command deletes a static route.
Synopsis: del <routeId>
Arguments:
  routeId - Id of the route to be deleted.
Example: netConf/routing/static/del routeId 1

netConf/routing/static/edit
This command edits an existing static route.
Synopsis: edit <routeId> <name> <active> <private> <dst> <mask> <gateway> <device> <metric>
Arguments:
  routeId - Id of the route to be edited.
  name - Name of the route
  active - To Enable or Disable the route.
  private - To add the route in the local or main table.
  dst - Destination IP Address.
  mask - Network Mask
  gateway - Gateway
  device - Interface ID
      0 - WAN1
      1 - WAN2
      2 - LAN
      3 - DMZ
  metric - An integer which adds interface metric
Example: netConf/routing/static/edit routeId 1 name siva active 1 private 0 dst 10.38.0.0 mask 255.255.0.0 gateway 192.168.1.2 device 2 metric 3

netConf/routing/static/get
This command displays the list of routes already configured in the system.
Synopsis: get [routeId]
Arguments:
  routeId - Id of the route to be displayed. If no arguments are given, it displays all the routes; otherwise it displays the route with the given routeId.
Example: netConf/routing/static/get routeId 1

netConf/wan/ddns/get
This command prints out the current Dynamic DNS configuration.
Synopsis: get
Arguments: N/A
Example: netConf/wan/ddns/get

netConf/wan/ddns/start
This command is used for configuring Dynamic DNS client.
Synopsis: start <primaryId> <mode> [wan1Service] [wan1Hostname] [wan1Username] [wan1Password] [wan1TimePeriod] [wan1Wildflag] [wan2Service] [wan2Hostname] [wan2Username] [wan2Password] [wan2TimePeriod] [wan2Wildflag]
Arguments:
  primaryId - WAN port to be configured, choose WAN1 or WAN2.
      0 - WAN1
      1 - WAN2
  mode - WAN mode, i.e. Auto-Failover, Load-Balancing or single port
      0 - Auto-Failover
      1 - Load-Balancing
      2 - Single port
  wan1Service - Dynamic DNS service provider for WAN1 port
      0 - DynDns.org
      1 - TZO.com
      2 - Oray.com
  wan1Hostname - Registered hostname or domain name of the host providing the above service, e.g. test.dyndns.org, for WAN1 port
  wan1Username - Registered username with DDNS service provider for WAN1 port
  wan1Password - Registered password with DDNS service provider for WAN1 port
  wan1TimePeriod - Time period for DDNS Update for WAN1 port
      0 - Disable
      1 - 30 days
  wan1Wildflag - Accept wildcards for DDNS name for WAN1 port.
      0 - on
      1 - off
  wan2Service - Dynamic DNS service provider for WAN2 port
      0 - DynDns.org
      1 - TZO.com
      2 - Oray.com
  wan2Hostname - Registered hostname or domain name of the host providing the above service for WAN2 port, e.g. test.dyndns.org
  wan2Username - Registered username with DDNS service for WAN2 port
  wan2Password - Registered password with DDNS service for WAN2 port
  wan2TimePeriod - Time period for DDNS update for WAN2 port
      0 - Disable
      1 - 30 days
  wan2Wildflag - Accept wildcards for DDNS name for WAN2 port.
      0 - on
      1 - off
Example: netConf/wan/ddns/start primaryId 1 mode 1 wan1Service 0 wan1Hostname test.dyndns.org wan1Username test wan1Password test wan1TimePeriod 1 wan1Wildflag 1 wan2Service 1 wan2Hostname test.MyNetGear.net wan2Username test@teamf1.com wan2Password G308693881151876 wan2TimePeriod 1 wan2Wildflag 0

netConf/wan/ddns/stop
This command is used to stop the Dynamic DNS client.
Synopsis: stop
Arguments: N/A
Example: netConf/wan/ddns/stop

netConf/wan/wanOption/configure
This command is used to stop the Dynamic DNS client.

Synopsis: Configure <wanId> <useDefaultMTU> <mtuSize> <portSpeed> <bandWith>
Arguments:
wanId  WAN port index
    0 - WAN1
    1 - WAN2
useDefaultMTU  default MTU to be used
    0 - user specified MTU to be used
    1 - default MTU to be used
mtuSize  MTU size
portSpeed  port speed
    0 - autosense
    1 - 10baseT half
    2 - 10baseT full
    3 - 100baseT half
    4 - 100baseT full
bandWith  bandwidth
Example: netConf/wan/wanOption/configure wanId 0 useDefaultMTU 0 mtuSize 1500 portSpeed 4 bandWidth

netConf/wan/wanMode/configure
Configures the WAN mode.
Synopsis: configure <nat> <loadManagement> <failureFind> <failureIp> <failTime> <failNumber> <primaryWan>
Arguments:
nat  Use NAT or classical routing.
    0 - Use classical routing
    1 - Use NAT
loadManagement  Type of load management
    0 - AutoRollover
    1 - Load balancing
    2 - Primary Port only
    3 - Dedicated Dialup
failureFind  Method for detecting WAN port failure
    0 - DNS lookup using configured DNS server
    1 - DNS lookup using specified DNS server
    2 - ping to specified IP
failureIp  IP address to be used for WAN port failure detection.
failTime  Detect WAN failure after specified seconds.
failNumber  Number of times failure is detected before confirming failure

primaryWan  Use this WAN port as primary load management
    0 - WAN1
    1 - WAN2
Example: netConf/wan/wanMode/configure nat 1 loadManagement 1 failureFind 2 failureIp 63.65.1.5 failTime 10 failNumber 5 primaryWan 0

netConf/wan/wanMode/show
Display the WAN mode configuration.
Synopsis: show
Arguments: N/A
Example: netConf/wan/wanMode/show

netConf/wan/wanSetup/configure
This command is used to configure a WAN port.
Synopsis: configure <wanId> <connectionMethod> <connectionType> <requiresLogin> <useIpDynamically> <ipAddr> <subnetMask> <gateway> <useDnsDynamically> <primaryDNS> <secondaryDNS> <accountName> <domainName> <loginServer> <login> <password> <idleTOType> <idleTimeOut> <myIp> <serverIp> <telephoneNum> <altTelephoneNum> <serialLineSpeed> <modemType>
Arguments:
wanId  WAN port identification number
    0 - WAN1
    1 - WAN2
connectionMethod  This argument describes the way the connection is established.
    0 - Automatic
    1 - Manual
connectionType  Type of connection or ISP to be configured
    1 - DHCP
    2 - STATIC
    3 - PPPOE
    4 - PPTP
    5 - BIG POND
    6 - DIAL UP

requiresLogin  Specify whether your ISP requires a login to establish a connection
    0 - No login required
    1 - Requires logging in
useIpDynamically  Specify whether ISP provides an IP address dynamically.
    0 - no
    1 - yes (ISP provides IP address dynamically)
ipAddr  IP address to be assigned to the WAN port. Specify only if useIpDynamically is 0
subnetMask  Subnet mask to be used for this WAN port. Specify only if useIpDynamically is 0
gateway  Gateway IP address to be used by this WAN port
useDnsDynamically  Use DNS IP addresses dynamically assigned by the ISP.
    0 - no: use specified DNS IP addresses
    1 - yes: use DNS IP address dynamically obtained from ISP
primaryDNS  Primary DNS server IP address to be used. Specify only if useDnsDynamically is 0
secondaryDNS  Secondary DNS server IP address to be used. Specify only if useDnsDynamically is 0
accountName  Account name if specified by the ISP
domainName  Domain name if specified by the ISP
loginServer  Login server provided by Bigpond ISP
login  Login name provided by the ISP
password  Password provided by the ISP
idleTOType  Specify a connect option
    0 - keep connected

    1 - Disconnect after specified minutes.
idleTimeOut  If idle for specified number of minutes, disconnect the WAN connection.
myIp  Local (WAN port) IP address provided by PPTP ISP.
serverIp  Server IP address provided by PPTP ISP.
telephoneNum  Telephone number to be dialed to connect to the ISP.
altTelephoneNum  Alternate telephone number provided by ISP
serialLineSpeed  Serial line baud rate to be used for dialup connection.
modemType  Index of supported modem type in case of dialup connection.
    0 - U.S Robotics 56K FAX EXT
    1 - 3Com U.S Robotics ISDN TA
    2 - Hayes Accura 56K FAX Modem 4703US
    3 - Hayes Accura 56K
    4 - Hayes Optima 336 V.34

Example: netConf/wan/wanSetup/configure wanId 0 connectionType 2 requiresLogin 0 useIpDynamically 0 ipAddr 192.168.1.225 subnetMask 255.255.255.0 gateway 192.168.1.2 useDnsDynamically 0 primaryDNS 192.168.1.16 secondaryDNS 192.168.1.24

netConf/wan/wanSetup/detect
Detects the connection type available on the specified WAN port.
Synopsis: detect <wanId>
Arguments:
wanId  WAN port identification number
    0 - WAN1
    1 - WAN2
Example: netConf/wan/wanSetup/detect wanId 0

netConf/wan/wanSetup/show
Display the current configuration of the WAN port.
Synopsis: show <wanId>
Arguments:
wanId  WAN port Id number
    0 - WAN1
    1 - WAN2
Example: netConf/wan/wanSetup/show wanId 0

netConf/wan/wanSetup/status
Show the current status of the specified WAN port.
Synopsis: status <wanId>
Arguments:
wanId  WAN port identification number
    0 - WAN1
    1 - WAN2

Example: netConf/wan/wanSetup/status wanId 0

2.6 VPN Commands

vpn/certificate/caDel
This command is used for deleting the CA certificate.
Synopsis: caDel <caId>
Arguments:
caId  CA certificate entry ID to be deleted.
Example: vpn/certificate/caDel caId 1

vpn/certificate/caGetAll
This command is used for displaying the list of CA certificates.
Synopsis: caGetAll
Arguments: N/A
Example: vpn/certificate/caGetAll

vpn/certificate/certDel
This command is used for deleting the active self certificate.
Synopsis: certDel <certId>
Arguments:
certId  Certificate entry ID to be deleted
Example: vpn/certificate/certDel certId 1

vpn/certificate/certGetAll
This command is used for displaying the active self certificate.

Synopsis: certGetAll
Arguments: N/A
Example: vpn/certificate/certGetAll

vpn/certificate/crlDel
This command is used for deleting the CRL entry.
Synopsis: crlDel <crlId>
Arguments:
crlId  CRL entry ID to be deleted
Example: vpn/certificate/crlDel crlId 1

vpn/certificate/crlGetAll
This command is used for displaying the Certificate Revocation List (CRL).
Synopsis: crlGetAll
Arguments: N/A
Example: vpn/certificate/crlGetAll

vpn/certificate/csrDel
This command is used for deleting the certificate request entry.
Synopsis: csrDel <csrId>
Arguments:
csrId  CSR entry ID to be deleted
Example: vpn/certificate/csrDel csrId 1

vpn/certificate/csrGen
This command is used for generating certificate requests, which are used to request certificates for IKE authentication of peers.
Synopsis: csrGen <csrName> <csrSubj> <hashAlgo> <signAlgo> <keyLen> [ipAddr] [domName] [emailId]
Arguments:
csrName  certificate request entry name
csrSubj  certificate request subject
hashAlgo  hash algorithm to be used
    1 - MD5
    2 - SHA1
signAlgo  signature algorithm to be used
    1 - RSA
keyLen  key length to be used in certificate
    512 - 512
    1024 - 1024
    2048 - 2048
ipAddr  gateway's IP; required when used for XAUTH
domName  domain name
emailId  email id
Example: vpn/certificate/csrGen csrName server csrSubj C=AU,ST=SomeState,O=InternetWidgitsPtyLtd hashAlgo 1 signAlgo 1 keyLen 512 ipAddr 192.168.1.107 domName www.x.com emailId server@x.com

vpn/certificate/csrGetAll
This command is used for displaying the list of certificate requests.
Synopsis: csrGetAll
Arguments: N/A
Example: vpn/certificate/csrGetAll

vpn/policies/ikePolicies/add
This command is used for adding an IKE policy.

Synopsis: add <name> <direction> <mode> <localIDType> <localID> <remoteIDType> <remoteID> <encrAlg> <authAlg> <authMeth> <authString> <dhGroup> <lifeTime> <xAuthStatus> <userName> <password>
Arguments:
name  IKE policy name
direction  IKE policy direction
    0 - Initiator
    1 - Responder
    2 - Both
mode  IKE policy mode
    0 - Main
    1 - Aggressive
localIDType  local tunnel ID type

    0 - Local WAN IP
    1 - FQDN
    2 - User-FQDN
    3 - DER ASN1 DN
localID  local tunnel ID
remoteIDType  remote tunnel ID type
    0 - Remote WAN IP
    1 - FQDN
    2 - User-FQDN
    3 - DER ASN1 DN
remoteID  remote tunnel ID
encrAlg  IKE encryption algorithm
    1 - DES
    2 - 3DES
    3 - AES128
    4 - AES192
    5 - AES256
authAlg  IKE hash algorithm
    Values:
    1 - MD5
    2 - SHA1
authMeth  IKE authentication type
    0 - Pre Shared key
    1 - RSA Signature
authString  IKE authentication data
dhGroup  IKE DH group
    1 - Group1
    2 - Group2
lifeTime  IKE SA lifetime in seconds
xAuthStatus  XAUTH client status

    0 - Disable
    1 - Enable
userName  XAUTH client username
password  XAUTH client password
Example: vpn/policies/ikePolicies/add name ikeP1 direction 2 mode 0 localIDType 0 localID 90.0.0.10 remoteIDType 0 remoteID 70.0.0.2 encrAlg 2 authAlg 1 authMeth 0 authString allowme dhGroup 1 lifeTime 3600 xAuthStatus 0 userName admin password pwd

vpn/policies/ikePolicies/del
This command is used for deleting an IKE policy by ID.
Synopsis: del <policyID>
Arguments:
policyID  IKE policy ID
Example: vpn/policies/ikePolicies/del policyID 1

vpn/policies/ikePolicies/edit
This command is used for editing an existing IKE policy.
Synopsis: edit <policyID> <name> <direction> <mode> <localIDType> <localID> <remoteIDType> <remoteID> <encrAlg> <authAlg> <authMeth> <authString> <dhGroup> <lifeTime> <xAuthStatus> <userName> <password>
Arguments:
policyID  IKE policy ID
name  IKE policy name
direction  IKE policy direction
    0 - Initiator
    1 - Responder
    2 - Both
mode  IKE policy mode
    0 - Main
    1 - Aggressive
localIDType  local tunnel ID type
    0 - Local Wan IP
    1 - Fqdn
    2 - User-FQDN

    3 - DER ASN1 DN
localID  local tunnel ID
remoteIDType  remote tunnel ID type
    0 - Remote WAN IP
    1 - Fqdn
    2 - User-FQDN
    3 - DER ASN1 DN
remoteID  remote tunnel ID
encrAlg  IKE encryption algorithm
    1 - DES
    2 - 3DES
    3 - AES128
    4 - AES192
    5 - AES256
authAlg  IKE hash algorithm
    1 - MD5
    2 - SHA1
authMeth  IKE authentication type
    0 - Pre Shared key
    1 - RSA Signature
authString  IKE authentication data
dhGroup  IKE DH group
    1 - Group1
    2 - Group2
lifeTime  IKE SA lifetime in seconds
xAuthStatus  XAuth client status
    0 - Disable
    1 - Enable
userName  Xauth client username
password  Xauth client password
Example: vpn/policies/ikePolicies/edit policyID 1 name ikeP2 direction 2 mode 0 localIDType 0 localID 80.0.0.10 remoteIDType 0 remoteID 60.0.0.2 encrAlg 2 authAlg 1 authMeth 0 authString TF1 dhGroup 1 lifeTime 100 xAuthStatus 0 userName admin password pwd

vpn/policies/ikePolicies/get
This command is used for displaying an IKE policy by ID.
Synopsis: get <policyID>
Arguments:
policyID  IKE policy ID

Example: vpn/policies/ikePolicies/get policyID 1

vpn/policies/ikePolicies/getAll
This command is used for displaying all the IKE policies.
Synopsis: getAll
Arguments: N/A
Example: vpn/policies/ikePolicies/getAll

vpn/policies/vpnPolicy/action
This command is used to connect or disconnect the VPN connection to the remote gateway.
Synopsis: action <vpnPolicyID> <action>
Arguments:
vpnPolicyID  VPN policy ID
action  VPN policy action
    1 - Connect
    0 - Disconnect
Example: vpn/policies/vpnPolicy/action vpnPolicyID 1 action 1

vpn/policies/vpnPolicy/apply
This command is used to disable/enable VPN policies.
Synopsis: apply <vpnPolicyID> <policyStatus>
Arguments:
vpnPolicyID  VPN policy ID
policyStatus  VPN policy status
    0 - Disable
    1 - Enable
Example: vpn/policies/vpnPolicy/apply vpnPolicyID 1 policyStatus 0

vpn/policies/vpnPolicy/autoAdd
This command is used for adding a VPN auto policy. A policy match will directly look up the security association database, and an IKE negotiation is triggered if it fails to find a security association.
Synopsis: autoAdd <name> <policyType> <localGw> <remoteEndType> <remoteEndData> <netBiosStatus> <localIPType> <localStartIP> <localEndIP> <localMask> <remoteIPType> <remoteStartIP> <remoteEndIP> <remoteMask> <saLifeTime> <saLifeByte> <pfsStatus> <pfsGroup> <ikePolicyID> <encrAlg> <intAlg>
Arguments:
name  VPN policy name
policyType  VPN policy Type
    1 - AutoPolicy
    2 - ManualPolicy
localGw  local gateway port
    0 - WAN1
    1 - WAN2
remoteEndType  remote tunnel-end type
    0 - IPAddress
    1 - FQDN
remoteEndData  remote tunnel IP or name
netBiosStatus  netbios status
    0 - Disable
    1 - Enable
localIPType  local LAN IP type
    0 - Any
    1 - Single
    2 - Range
    3 - Subnet
localStartIP  local LAN starting IP address of the address range
localEndIP  local LAN ending IP address of the address range
localMask  local LAN subnet mask
remoteIPType  remote LAN IP Type
    0 - Any
    1 - Single
    2 - Range
    3 - Subnet
remoteStartIP  remote LAN starting IP address of the address range
remoteEndIP  remote LAN ending IP address of the address range
remoteMask  remote LAN subnet mask
saLifeTime  SA lifetime in seconds
saLifeByte  SA lifetime in bytes

pfsStatus  PFS status
    0 - Disable
    1 - Enable
pfsGroup  PFS group
    1 - Group1
    2 - Group2
ikePolicyID  IKE policy ID
encrAlg  IPsec encryption algorithm
    0 - NULL
    1 - DES
    2 - 3DES
    3 - AES128
    4 - AES192
    5 - AES256
intAlg  ESP - integrity algorithm
    1 - MD5
    2 - SHA-1
Example: vpn/policies/vpnPolicy/autoAdd name autoP1 policyType 1 localGw 0 remoteEndType 0 remoteEndData 10.0.0.4 netBiosStatus 0 localIPType 3 localStartIP 90.0.0.2 localMask 255.255.255.255 remoteIPType 3 remoteStartIP 70.0.0.2 remoteMask 255.255.255.255 saLifeTime 3600 saLifeByte 1 pfsStatus 1 pfsGroup 2 ikePolicyID 1 encrAlg 1 intAlg 2

vpn/policies/vpnPolicy/autoEdit
This command is used for editing an existing VPN auto policy.
Synopsis: autoEdit <vpnPolicyID> <name> <policyType> <localGw> <remoteEndType> <remoteEndData> <netBiosStatus> <localIPType> <localStartIP> <localEndIP> <localMask> <remoteIPType> <remoteStartIP> <remoteEndIP> <remoteMask> <saLifeTime> <saLifeByte> <pfsStatus> <pfsGroup> <ikePolicyID> <encrAlg> <intAlg>
Arguments:
vpnPolicyID  VPN policy ID
name  VPN policy name
policyType  VPN policy type
    1 - AutoPolicy
    2 - ManualPolicy
localGw  local gateway port
    0 - WAN1
    1 - WAN2
remoteEndType  remote tunnel-end type

    0 - IPAddress
    1 - FQDN
remoteEndData  remote tunnel IP or name
netBiosStatus  netbios status
    0 - Disable
    1 - Enable
localIPType  local LAN IP type
    0 - Any
    1 - Single
    2 - Range
    3 - Subnet
localStartIP  local LAN starting IP address of the address range
localEndIP  local LAN ending IP address of the address range
localMask  local LAN subnet mask
remoteIPType  remote LAN IP Type
    0 - Any
    1 - Single
    2 - Range
    3 - Subnet
remoteStartIP  remote LAN starting IP address of the address range
remoteEndIP  remote LAN ending IP address of the address range
remoteMask  remote LAN subnet mask
saLifeTime  SA lifetime in seconds
saLifeByte  SA lifetime in bytes
pfsStatus  PFS status
    0 - Disable
    1 - Enable
pfsGroup  PFS group
    1 - Group1
    2 - Group2
ikePolicyID  IKE policy ID
encrAlg  IPsec encryption algorithm
    0 - NULL
    1 - DES
    2 - 3DES
    3 - AES128
    4 - AES192
    5 - AES256
intAlg  ESP - integrity algorithm
    1 - MD5
    2 - SHA1

Example: vpn/policies/vpnPolicy/autoEdit vpnPolicyID 1 name autoP2 policyType 1 localGw 0 remoteEndType 0 remoteEndData 11.0.0.4 netBiosStatus 0 localIPType 1 localStartIP 50.0.0.2 localEndIP 0.0.0.0 localMask 0.0.0.0 remoteIPType 1 remoteStartIP 40.0.0.2 remoteEndIP 0.0.0.0 remoteMask 0.0.0.0 saLifeTime 6000 saLifeByte 1 pfsStatus 1 pfsGroup 2 ikePolicyID 1 encrAlg 2 intAlg 1

vpn/policies/vpnPolicy/del
This command is used to delete a VPN policy.
Synopsis: del <vpnPolicyID>
Arguments:
vpnPolicyID  VPN policy ID
Example: vpn/policies/vpnPolicy/del vpnPolicyID 1

vpn/policies/vpnPolicy/get
This command is used for displaying a VPN policy.
Synopsis: get <vpnPolicyID>
Arguments:
vpnPolicyID  VPN policy ID
Example: vpn/policies/vpnPolicy/get vpnPolicyID 1

vpn/policies/vpnPolicy/getAll
This command is used for displaying all the VPN policies that are configured in the system.
Synopsis: getAll
Arguments: N/A
Example: vpn/policies/vpnPolicy/getAll

vpn/policies/vpnPolicy/manualAdd
This command is used for adding a VPN manual policy. A policy match will directly look up the security association database.

Synopsis: manualAdd <name> <policyType> <localGw> <remoteEndType> <remoteEndData> <netBiosStatus> <localIPType> <localStartIP> <localEndIP> <localMask> <remoteIPType> <remoteStartIP> <remoteEndIP> <remoteMask> <encrAlg> <intAlg> <espInSpi> <espOutSpi> <espInKey> <espOutKey> <intInKey> <intOutKey>
Arguments:
name  VPN policy name
policyType  VPN policy Type
    1 - AutoPolicy
    2 - ManualPolicy
localGw  local gateway port
    0 - WAN1
    1 - WAN2
remoteEndType  remote tunnel-end type
    0 - IPAddress
    1 - FQDN
remoteEndData  remote tunnel IP or name
netBiosStatus  netbios status
    0 - Disable
    1 - Enable
localIPType  local LAN IP type
    0 - Any
    1 - Single
    2 - Range
    3 - Subnet
localStartIP  local LAN starting IP address of the address range
localEndIP  local LAN ending IP address of the address range
localMask  local LAN subnet mask
remoteIPType  remote LAN IP Type
    0 - Any
    1 - Single
    2 - Range
    3 - Subnet
remoteStartIP  remote LAN starting IP address of the address range
remoteEndIP  remote LAN ending IP address of the address range
remoteMask  remote LAN subnet mask
encrAlg  IPsec encryption algorithm
    0 - NULL
    1 - DES
    2 - 3DES
    3 - AES128
    4 - AES192
    5 - AES256
intAlg  ESP - integrity algorithm

    1 - MD5
    2 - SHA1
espInSpi  ESP - inbound SPI value
espOutSpi  ESP - outbound SPI value
espInKey  ESP - inbound KEY value
espOutKey  ESP - outbound KEY value
intInKey  ESP - integrity - inbound KEY value
intOutKey  ESP - integrity - outbound KEY value
Example: vpn/policies/vpnPolicy/manualAdd name manP1 policyType 2 localGw 0 remoteEndType 0 remoteEndData 12.0.0.4 netBiosStatus 0 localIPType 1 localStartIP 50.0.0.2 localEndIP 0.0.0.0 localMask 0.0.0.0 remoteIPType 1 remoteStartIP 60.0.0.2 remoteEndIP 0.0.0.0 remoteMask 0.0.0.0 encrAlg 1 intAlg 1 espInSpi 0x1234 espOutSpi 0x1234 espInKey kamekame espOutKey kamekame intInKey kamekamekamekame intOutKey kamekamekamekame

vpn/policies/vpnPolicy/manualEdit
This command is used for editing an existing VPN manual policy.
Synopsis: manualEdit <vpnPolicyID> <name> <policyType> <localGw> <remoteEndType> <remoteEndData> <netBiosStatus> <localIPType> <localStartIP> <localEndIP> <localMask> <remoteIPType> <remoteStartIP> <remoteEndIP> <remoteMask> <encrAlg> <intAlg> <espInSpi> <espOutSpi> <espInKey> <espOutKey> <intInKey> <intOutKey>
Arguments:
vpnPolicyID  VPN policy ID
name  VPN policy name
policyType  VPN policy Type
    1 - AutoPolicy
    2 - ManualPolicy
localGw  local gateway port
    0 - WAN1
    1 - WAN2
remoteEndType  remote tunnel-end type
    0 - IPAddress
    1 - FQDN
remoteEndData  remote tunnel IP or name
netBiosStatus  netbios status
    0 - Disable

    1 - Enable
localIPType  local LAN IP type
    0 - Any
    1 - Single
    2 - Range
    3 - Subnet
localStartIP  local LAN starting IP address of the address range
localEndIP  local LAN ending IP address of the address range
localMask  local LAN subnet mask
remoteIPType  remote LAN IP Type
    0 - Any
    1 - Single
    2 - Range
    3 - Subnet
remoteStartIP  remote LAN starting IP address of the address range
remoteEndIP  remote LAN ending IP address of the address range
remoteMask  remote LAN subnet mask
encrAlg  IPsec encryption algorithm
    0 - NULL
    1 - DES
    2 - 3DES
    3 - AES128
    4 - AES192
    5 - AES256
intAlg  ESP - integrity algorithm
    1 - MD5
    2 - SHA1
espInSpi  ESP - inbound SPI value
espOutSpi  ESP - outbound SPI value
espInKey  ESP - inbound KEY value
espOutKey  ESP - outbound KEY value
intInKey  ESP - integrity - inbound KEY value
intOutKey  ESP - integrity - outbound KEY value
Example: vpn/policies/vpnPolicy/manualEdit vpnPolicyID 2 name manP2 policyType 2 localGw 0 remoteEndType 0 remoteEndData 13.0.0.4 netBiosStatus 0 localIPType 1 localStartIP 60.0.0.2 localEndIP 0.0.0.0 localMask 0.0.0.0 remoteIPType 1 remoteStartIP 70.0.0.2 remoteEndIP 0.0.0.0 remoteMask 0.0.0.0 encrAlg 1 intAlg 2 espInSpi 0x2345 espOutSpi 0x2345 espInKey myespinkey espOutKey myespoutkey intInKey myintinkey intOutKey myintoutkey

vpn/policies/vpnPolicy/status
This command is used for displaying the status of the VPN.
Synopsis: status
Arguments: N/A
Example: vpn/policies/vpnPolicy/status

vpn/xauth/radClient/config
This command is used for configuring the RADIUS client.
Synopsis: config <primStatus> <primIpAddr> <primSecPhrase> <primNasIdent> <secStatus> <secIpAddr> <secSecPhrase> <secNasIdent> <timeoutPeriod> <retry>
Arguments:
primStatus  Status of Primary Server
    0 = disable
    1 = enable
primIpAddr  Primary server's IP Address
primSecPhrase  Primary server's secret phrase
primNasIdent  Primary server's NAS identifier
secStatus  Secondary server's status
secIpAddr  Secondary server's IP address
secSecPhrase  Secondary server's secret phrase
secNasIdent  Secondary server's NAS Identifier
timeoutPeriod  Maximum timeout period in seconds before retry
retry  Maximum number of retries
Example: vpn/xauth/radClient/config primStatus 1 primIpAddr 192.168.1.30 primSecPhrase secretKey primNasIdent teamf1 secStatus 1 secIpAddr 192.168.1.16 secSecPhrase psk secNasIdent eit timeoutPeriod 5 retry 3

vpn/xauth/radClient/del
The following command is used to delete the current RADIUS client configuration.
Synopsis: del
Arguments: N/A
Example: vpn/xauth/radClient/del

vpn/xauth/radclient/show
The following command is used to display current RADIUS client configuration.
Synopsis: show
Arguments: N/A
Example: vpn/xauth/radClient/show

vpn/xauth/xauthServer/config
This command is used for adding an Xauth (extended authentication) server policy. The XAUTH server is the responder to the Xauth client. This command will result in adding both a VPN policy and an IKE policy. This is an extended authentication used at the end of IKE phase 1. This supports two modes of authenticating an Xauth client, which are system and RADIUS.
Synopsis: config <status> <mode> <ikeEncrAlg> <ikeAuthAlg> <authMeth> <authString> <dhGroup> <ikeLifeTime> <poolIP1> <poolIP2> <winsServer> <dnsServer> <pfsGroup> <authType> <localGw> <ipsecPfsGroup> <ipsecLifeTime> <ipsecLifeByte> <ipsecEncrAlg> <ipsecIntAlg>
Arguments:
status  XAUTH server status
    0 - Disable
    1 - Enable
mode  IKE exchange mode
    0 - Main
    1 - Aggressive
ikeEncrAlg  IKE encryption algorithm
    1 - DES
    2 - 3DES
    3 - AES128
    4 - AES192
    5 - AES256
ikeAuthAlg  IKE hash algorithm
    1 - MD5
    2 - SHA-1

authMeth  IKE authentication type
    0 - Pre-Shared key
    1 - RSA-Signature
authString  IKE authentication data
dhGroup  IKE DH group
    1 - Group1
    2 - Group2
ikeLifeTime  IKE SA lifetime
poolIP1  mode config - pool starting IP address
poolIP2  mode config - pool ending IP address
winsServer  mode config - WINS server IP
dnsServer  mode config - DNS server IP
pfsGroup  mode config - PFS group
    Values:
    1 - Group1
    2 - Group2
authType  mode config - authentication
    0 - System
    1 - Radius-CHAP
    2 - Radius-PAP
localGw  local gateway port
    0 - WAN1
    1 - WAN2
ipsecPfsGroup  IPsec - PFS group
    1 - Group1
    2 - Group2
ipsecLifeTime  IPsec - SA lifetime
ipsecLifeByte  IPsec - SA lifebyte
ipsecEncrAlg  IPsec encryption algorithm
    0 - NULL
    1 - DES
    2 - 3DES
    3 - AES128
    4 - AES192
    5 - AES256
ipsecIntAlg  ESP - integrity algorithm
    1 - MD5
    2 - SHA1

Example: vpn/xauth/xauthserver/config status 1 mode 0 ikeEncrAlg 2 ikeAuthAlg 1 authMeth 0 authString INDIA dhGroup 1 ikeLifeTime 3600 poolIP1 90.0.0.2 poolIP2 90.0.0.5 winsServer 10.0.0.1 dnsServer 20.0.0.1 pfsGroup 1 authType 0 localGw 0 ipsecPfsGroup 1 ipsecLifeTime 3600 ipsecLifeByte 1 ipsecEncrAlg 1 ipsecIntAlg 1

vpn/xauth/xauthServer/get
This command is used for displaying an XAUTH server configuration.
Synopsis: get
Arguments: N/A
Example: vpn/xauth/xauthServer/get

vpn/xauth/xauthUser/add
This command is used for adding an Xauth user to the user database.
Synopsis: add <userName> <passwd>
Arguments:
userName  Xauth user name
passwd  Xauth password
Example: vpn/xauth/xauthUser/add userName xauthuser passwd xauthPasswd

vpn/xauth/xauthUser/edit
This command is used for editing an existing entry from the Xauth user database.
Synopsis: edit <userName> <passwd> <xauthId>
Arguments:
userName  Xauth user name
passwd  Xauth password
xauthId  existing user ID

Example: vpn/xauth/xauthUser/edit userName newxauthuser passwd newpassword xauthId 1

vpn/xauth/xauthUser/delete
This command is used for deleting an Xauth user from the user database.
Synopsis: delete <xauthId>
Arguments:
xauthId  Xauth user ID
Example: vpn/xauth/xauthUser/delete xauthId 1

vpn/xauth/xauthUser/getAll
This command is used for displaying the Xauth users.
Synopsis: getAll
Arguments: N/A
Example: vpn/xauth/xauthUser/getAll
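The argument tables for ikePolicies, vpnPolicy, xauthServer and csrGen above accept codes for DES, NULL encryption, MD5, DH Group1 and 512-bit RSA keys, all weak by current standards. The following Python code is an added example, not part of the original reference or of the vendor's tooling: it parses command lines in the name-then-value form this CLI uses and lists such settings. The function names, the finding labels and the 2048-bit floor are assumptions of the example.

```python
"""Audit TeamF1-style CLI command lines for weak VPN crypto settings."""

# Codes flagged as weak, taken from the argument tables on this page.
WEAK_ENCR = {"0": "NULL", "1": "DES"}   # NULL = no encryption, DES = 56-bit key
WEAK_HASH = {"1": "MD5"}
WEAK_DH = {"1": "Group1"}               # IKE group 1 is 768-bit MODP

# Argument names (from the synopses on this page) that carry each kind of code.
ENCR_ARGS = {"encrAlg", "ikeEncrAlg", "ipsecEncrAlg"}
HASH_ARGS = {"authAlg", "intAlg", "ikeAuthAlg", "ipsecIntAlg", "hashAlgo"}
DH_ARGS = {"dhGroup", "pfsGroup", "ipsecPfsGroup"}
MIN_RSA_BITS = 2048  # assumption: audit floor, the largest keyLen csrGen offers


def parse_command(line):
    """Split '<group/command> name value name value ...' into (path, args)."""
    tokens = line.split()
    if not tokens:
        raise ValueError("empty command line")
    path, rest = tokens[0], tokens[1:]
    if len(rest) % 2:
        # The CLI requires every argument name to be followed by its value.
        raise ValueError(f"{path}: argument {rest[-1]!r} has no value")
    return path, dict(zip(rest[0::2], rest[1::2]))


def audit(line):
    """Return a list of 'argument=weak setting' findings for one command."""
    path, args = parse_command(line)
    # Example headings and examples differ in case (xauthServer/xauthserver).
    if not path.lower().startswith("vpn/"):
        return []
    findings = []
    pfs_off = args.get("pfsStatus") == "0"
    for name, value in args.items():
        if name in ENCR_ARGS and value in WEAK_ENCR:
            findings.append(f"{name}={WEAK_ENCR[value]}")
        elif name in HASH_ARGS and value in WEAK_HASH:
            findings.append(f"{name}={WEAK_HASH[value]}")
        elif name in DH_ARGS and value in WEAK_DH:
            # pfsGroup is irrelevant when the same command disables PFS.
            if not (name == "pfsGroup" and pfs_off):
                findings.append(f"{name}={WEAK_DH[value]}")
        elif name == "keyLen" and value.isdigit() and int(value) < MIN_RSA_BITS:
            findings.append(f"keyLen={value}")
    if pfs_off:
        findings.append("pfsStatus=Disable")
    # Aggressive mode (mode 1) with a pre-shared key (authMeth 0) lets an
    # observer capture material for offline guessing of the key.
    if args.get("mode") == "1" and args.get("authMeth") == "0":
        findings.append("mode=Aggressive+PSK")
    return findings


# Command lines copied from the examples on this page.
PAGE_IKE_ADD = (
    "vpn/policies/ikePolicies/add name ikeP1 direction 2 mode 0 localIDType 0 "
    "localID 90.0.0.10 remoteIDType 0 remoteID 70.0.0.2 encrAlg 2 authAlg 1 "
    "authMeth 0 authString allowme dhGroup 1 lifeTime 3600 xAuthStatus 0 "
    "userName admin password pwd"
)
PAGE_AUTO_ADD = (
    "vpn/policies/vpnPolicy/autoAdd name autoP1 policyType 1 localGw 0 "
    "remoteEndType 0 remoteEndData 10.0.0.4 netBiosStatus 0 localIPType 3 "
    "localStartIP 90.0.0.2 localMask 255.255.255.255 remoteIPType 3 "
    "remoteStartIP 70.0.0.2 remoteMask 255.255.255.255 saLifeTime 3600 "
    "saLifeByte 1 pfsStatus 1 pfsGroup 2 ikePolicyID 1 encrAlg 1 intAlg 2"
)
PAGE_CSR_GEN = (
    "vpn/certificate/csrGen csrName server csrSubj "
    "C=AU,ST=SomeState,O=InternetWidgitsPtyLtd hashAlgo 1 signAlgo 1 "
    "keyLen 512 ipAddr 192.168.1.107 domName www.x.com emailId server@x.com"
)
# Constructed for this example (not from the page): strong codes, weak mode.
CONSTRUCTED_AGGRESSIVE_PSK = (
    "vpn/policies/ikePolicies/add name demo mode 1 authMeth 0 "
    "encrAlg 5 authAlg 2 dhGroup 2"
)

if __name__ == "__main__":
    for cmd in (PAGE_IKE_ADD, PAGE_AUTO_ADD, PAGE_CSR_GEN,
                CONSTRUCTED_AGGRESSIVE_PSK):
        print(cmd.split()[0], "->", audit(cmd) or "no findings")
```

The audit does not flag 3DES, SHA1 or Group2; on this device they are the stronger of the listed choices, with AES and SHA1 preferred where the peer supports them.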

3. Command Hierarchy

Command Group                       Description
admin/                              Administrative commands
admin/remoteMgmt/                   Remote management commands
admin/snmp/                         SNMP commands
admin/snmp/sysInfo/                 SNMP System information commands
admin/snmp/trap/                    SNMP Trap commands
admin/timezone/                     Timezone configuration
admin/userdb/                       User database administration
fw/                                 Firewall commands

fw/groups/                          Firewall groups
fw/mac/                             Firewall source MAC Filter commands
fw/ptrgr/                           Firewall port triggering commands
fw/rules/                           Firewall rule configuration commands
fw/rules/attackChecks/              Firewall attack check configuration commands
fw/rules/dmzWan/                    Firewall DMZ/WAN configuration
fw/rules/dmzWan/inbound/            Firewall DMZ/WAN inbound configuration commands
fw/rules/dmzWan/outbound/           Firewall DMZ/WAN outbound configuration commands
fw/rules/lanDmz/                    Firewall LAN/DMZ configuration
fw/rules/lanDmz/outbound/           Firewall LAN/DMZ outbound configuration commands
fw/rules/lanWan/                    Firewall LAN/WAN configuration
fw/rules/lanWan/inbound/            Firewall LAN/WAN inbound configuration commands
fw/rules/lanWan/outbound/           Firewall LAN/WAN outbound configuration commands
fw/sched/                           Firewall schedules configuration commands
fw/svc/                             Firewall service configuration commands
fw/trendMicro/                      Trend micro anti-virus configuration commands
fw/trendMicro/enforce/              Trend micro anti-virus enforcement configuration commands
fw/trendMicro/hostList/             Host exclusion list configuration

fw/web/                             Firewall web configuration
fw/web/keyword/                     Firewall key word blocking configuration
fw/web/trustedDomain/               Firewall trusted domain configuration
monitor/                            Device monitoring commands
monitor/diag/                       Device diagnostic commands
monitor/firewallLogs/               Firewall log monitoring, configuration & viewing
monitor/firewallLogs/cron/          Firewall log cron job configuration
monitor/firewallLogs/logger/        Firewall logger configuration
monitor/firewallLogs/mail/          Firewall log email configuration
monitor/trafficMtr/                 Traffic metering configuration
monitor/vpnLogs/                    VPN Log monitoring configuration
netConf/                            Network configuration commands
netConf/dmzSetup/                   DMZ setup commands
netConf/lanGrps/                    LAN group configuration commands
netConf/lanSetup/                   LAN setup commands
netConf/lanSetup/dhcpd/             DHCP configuration commands
netConf/lanSetup/static/            Static LAN parameter configuration commands
netConf/routing/                    Routing configuration
netConf/routing/rip/                RIP configuration
netConf/routing/static/             Static route configuration
netConf/wan/                        WAN configuration commands
netConf/wan/ddns/                   DDNS configuration

netConf/wan/wanMode/                WAN mode configuration
netConf/wan/wanMode/wan1ProtoBind/  WAN1 protocol binding specification commands
netConf/wan/wanMode/wan2ProtoBind/  WAN2 protocol binding specification commands
netConf/wan/wanOption/              WAN option configuration
netConf/wan/wanSetup/               WAN setup commands
vpn/                                VPN commands
vpn/certificate/                    VPN Certificate configuration commands
vpn/policies/                       VPN policy configuration

vpn/policies/ikePolicies/           IKE policy addition, editing, display and removal
vpn/policies/vpnPolicy/             VPN policy addition, editing, display and removal
vpn/xauth/                          Xauth configuration of IKE
vpn/xauth/radClient/                Xauth configuration of IKE with RADIUS client
vpn/xauth/xauthUser/                Xauth user configuration
