SecurePlatform Shell

This section is a complete reference to the SecurePlatform shell commands. They are used to configure, administer and diagnose the system.

Note - All commands are case sensitive.

Related Topics

Command Shell

Management Commands

Documentation Commands

Date and Time Commands

System Commands

Snapshot Image Management

System Diagnostic Commands

Software Blade Commands

Network Diagnostics Commands

Network Configuration Commands

User and Administrator Commands

Command Shell

Command Set

To display a list of available commands, enter ? or help at the command prompt. Many commands provide short usage instructions by running the command with the parameter '--help', or with no parameters.

Command Line Editing

The SecurePlatform command shell uses the usual command line editing conventions. Scroll through previously entered commands with the Up and Down arrow keys; when you reach the command you want, edit it or press Enter to run it. The audit command displays the history of commands entered at the prompt during the current session (see audit):

Command Line Editing Keys

Key                  Action
Right Arrow / ^f     Move cursor right
Left Arrow / ^b      Move cursor left
Home / ^a            Move cursor to beginning of line
End / ^e             Move cursor to end of line
Backspace / ^h       Delete last character
^d                   Delete character under the cursor
^u                   Delete line
^w                   Delete word to the left
^k                   Delete from cursor to end of line
Up arrow / ^p        View previous command
Down arrow / ^n      View next command

Command Output

Some command output spans more than one screen. By default the command shell displays one screen at a time and prompts with -More-. Press any key to display the next screen.

The -More- paging can be turned on or off with the scroll command.

Management Commands

exit

Exit the current Mode:

  • In Standard Mode, exit the shell (logout of the SecurePlatform system)
  • In Expert Mode, exit to Standard Mode

Syntax

exit

expert

Switch from the restricted Standard Mode shell to Expert Mode.

Syntax

expert

Description

After entering the expert command, supply the Expert Mode password. Once the password is verified you are placed in Expert Mode.

passwd

passwd works in both modes. In Standard Mode it changes the login password of the current administrator. In Expert Mode it changes the Expert Mode password, which is also the boot loader password. The first time you switch to Expert Mode, the Expert Mode password is the Standard Mode password you set when you first logged in as admin; later changes to the admin password do not update the Expert Mode password, so that original password is still the one you enter at the first Expert Mode password change. After the Expert Mode password has been changed, the new password is required for all subsequent Expert Mode access. Because this password also protects the boot loader, choose one that is distinct from the administrator login password.

Syntax

passwd

Documentation Commands

help

List the available commands and their respective descriptions.

Syntax

help

or

?

Date and Time Commands

date

Show or set the system's date. Changing the date or time affects the hardware clock.

Syntax

date [MM-DD-YYYY]

Parameters

Date Parameters

Parameter

Description

MM-DD-YYYY

The date to be set, first two digits (MM) are the month [01..12], next two digits (DD) are the day of month [01..31], and last four digits (YYYY) are the year

time

Show or set the system's time. Changing the date or time affects the hardware clock.

Syntax

time [HH:MM]

Parameters

Time Parameters

Parameter

Description

HH:MM

The time to be set, first two digits (HH) are the hour [00..23], last two digits (MM) are the minute [00..59]

timezone

Show or set the system's time zone.

Syntax

timezone [-show | --help]

Parameters

Time Zone Parameters

Parameter

Description

(none)

If no parameters are entered, an interactive time zone selection menu is displayed

-show

show currently selected time zone

--help

show usage message

ntp

Configure and start the Network Time Protocol (NTP) polling client.

Syntax

ntp <MD5_secret> <interval> <server1> [<server2>[<server3>]]

ntp -n <interval> <server1> [<server2>[<server3>]]

Parameters

ntp Parameters

Parameter

Description

MD5_secret

Pre-shared secret (NTP symmetric key, MD5) used to authenticate the NTP server's replies; use -n when authentication is not required.

interval

Polling interval, in seconds.

server[1,2,3]

IP address or resolvable name of an NTP server.

Note - With -n the client accepts any reply that appears to come from the configured server, so an attacker who can spoof that address can move the system clock. Because the clock feeds certificate validity checks, log timestamps and scheduled backups, use the MD5 key wherever the server supports it. The secret is typed on the command line and therefore appears in the session's audit history (see audit).
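The following added example is not part of the Check Point documentation; it shows what the MD5_secret actually protects. An NTPv4 client request is built, the symmetric-key MAC that ntpd uses is appended (a 4-byte key id followed by MD5 over the key concatenated with the 48-byte header, RFC 5905 section 7.3), and verification is shown to reject a tampered packet, an unknown key id, a wrong key, and an unauthenticated packet. The key, key id and timestamp are constructed values; the verifier accepts only messages that carry a valid MAC, which is exactly the check that -n gives up.

```python
"""NTP symmetric-key (MD5) authentication, as configured by `ntp <MD5_secret> ...`."""
import hashlib
import hmac
import struct

# Constructed example key and key id. On the appliance the secret is the
# <MD5_secret> argument; the key id is whatever the server administrator assigned.
KEY_ID = 1
KEY = b"example-ntp-secret"

NTP_EPOCH_OFFSET = 2208988800  # seconds between 1900-01-01 and 1970-01-01
HEADER_LEN = 48                # RFC 5905 header without extension fields
MAC_LEN = 4 + 16               # key id + MD5 digest


def build_client_packet(unix_time: float) -> bytes:
    """Build a minimal NTPv4 client request whose transmit timestamp is unix_time."""
    li_vn_mode = (0 << 6) | (4 << 3) | 3       # leap=0, version=4, mode=3 (client)
    whole = int(unix_time)
    secs = whole + NTP_EPOCH_OFFSET
    frac = int((unix_time - whole) * (1 << 32)) & 0xFFFFFFFF
    return struct.pack(
        "!BBbbII4sQQQII",
        li_vn_mode, 0, 6, -20,  # stratum, poll, precision
        0, 0,                   # root delay, root dispersion
        b"\0\0\0\0",            # reference id
        0, 0, 0,                # reference, origin, receive timestamps
        secs, frac,             # transmit timestamp
    )


def mac(key_id: int, key: bytes, header: bytes) -> bytes:
    """Symmetric-key MAC: key id followed by MD5(key || header)."""
    return struct.pack("!I", key_id) + hashlib.md5(key + header).digest()


def sign(header: bytes, key_id: int = KEY_ID, key: bytes = KEY) -> bytes:
    """Append the MAC, as an authenticating NTP client or server does."""
    return header + mac(key_id, key, header)


def verify(message: bytes, keys: dict) -> bool:
    """Accept only messages carrying a valid MAC under a trusted key id.

    A bare 48-byte packet (what an unauthenticated -n client would accept)
    is rejected, as is a MAC made with a key id that is not in `keys`.
    """
    if len(message) != HEADER_LEN + MAC_LEN:
        return False
    header, tag = message[:HEADER_LEN], message[HEADER_LEN:]
    key = keys.get(struct.unpack("!I", tag[:4])[0])
    if key is None:
        return False
    expected = hashlib.md5(key + header).digest()
    return hmac.compare_digest(expected, tag[4:])   # constant-time comparison


def tamper(message: bytes, offset: int = 40) -> bytes:
    """Flip one bit (by default in the transmit timestamp) to simulate a forged reply."""
    buf = bytearray(message)
    buf[offset] ^= 0x01
    return bytes(buf)


if __name__ == "__main__":
    req = sign(build_client_packet(1700000000.5))
    print("authentic :", verify(req, {KEY_ID: KEY}))
    print("tampered  :", verify(tamper(req), {KEY_ID: KEY}))
    print("wrong key :", verify(req, {KEY_ID: b"other"}))
    print("no MAC    :", verify(req[:HEADER_LEN], {KEY_ID: KEY}))
```

MD5 is kept here because it is what the ntp command on this platform uses; the protection comes from the secrecy of the key, not from the strength of the hash, so the secret should be long, random and shared only with the time server.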

ntpstop

Stop polling the NTP server.

Syntax

ntpstop

ntpstart

Start polling the NTP server.

Syntax

ntpstart

System Commands

audit

Display or clear the commands entered in the shell during the current session. The history is not kept between sessions.

Syntax

audit setlines <number_of_lines>

audit show <number_of_lines>

audit clear

Parameters

Audit Parameters

Parameter

Description

setlines <number_of_lines>

Restrict the length of the command history that can be shown to <number_of_lines>.

show <number_of_lines>

Show the <number_of_lines> most recent commands entered.

clear

Clear the command history.

Note - Arguments are recorded verbatim, so passwords passed on the command line (for example to backup --scp, restore --scp, patch add scp or ntp) remain visible in the history until the session ends or audit clear is run.

backup

Back up the system configuration. The backup can also be copied to several SCP, FTP and TFTP servers for redundancy. Run by itself, without any flags, backup uses the default settings and performs a local backup.

Syntax

backup [-h] [-d] [-l] [--purge DAYS] [--sched [on hh:mm <-m DayOfMonth> | <-w DaysOfWeek>] | off]
       [--tftp <ServerIP> [-path <Path>] [<Filename>]]
       [--scp <ServerIP> <Username> <Password> [-path <Path>] [<Filename>]]
       [--ftp <ServerIP> <Username> <Password> [-path <Path>] [<Filename>]]
       [--file [-path <Path>] [<Filename>]]

Parameters

Backup Parameters

Parameter

Description

-h

Obtain usage

-d

Debug flag

-l

Also back up the Check Point Security Gateway logs (by default, logs are not backed up).

-p DAYS or --purge DAYS

Delete backup files older than DAYS days that were left by previous backups.

[--sched [on hh:mm <-m DayOfMonth> | <-w DaysOfWeek>] | off]

schedule interval at which backup is to take place

  • On - specify time and day of week, or day of month
  • Off - disable schedule

--tftp <ServerIP> [-path <Path>][<Filename>]

List of IP addresses of TFTP servers, to which the configuration will be backed up, and optionally the filename.

--scp <ServerIP> <Username> <Password>[-path <Path>] [<Filename>]

List of IP addresses of SCP servers, to which the configuration will be backed up, the username and password used to access the SCP Server, and optionally the filename.

--ftp <ServerIP> <Username> <Password> [-path <Path>] [<Filename>]

List of IP addresses of FTP servers, to which the configuration will be backed up, the username and password used to access the FTP Server, and optionally, the filename.

--file [-path <Path>]<Filename>

When the backup is performed locally, specify an optional filename

Note - If no Filename is given, the default name has the format backup_<hostname>.<domain-name>_<day of month>_<month>_<year>_<hour>_<minutes>.tgz, for example backup_gateway1.mydomain.com_13_11_2003_12_47.tgz

Examples

backup --file -path /tmp filename

Puts the backup file in the local /tmp directory and names it filename.

backup --tftp <ip1> -path tmp --tftp <ip2> -path var file1 --scp <ip3> username1 password1 -path /bin file2 --file file3 --scp <ip4> username2 password2 file4 --scp <ip5> username3 password3 -path mybackup

This single command saves the backup file on:

  1. the TFTP server ip1, in the tmp directory (under the TFTP server's default directory, usually /tftproot), with the default file name backup_SystemName_TimeStamp.tgz
  2. the TFTP server ip2, in the var directory (under the TFTP server's default directory, usually /tftproot), as file1
  3. the SCP server ip3, in /bin, as file2
  4. the local default directory (/var/CPbackup/backups), as file3
  5. the SCP server ip4, in username2's home directory, as file4
  6. the SCP server ip5, in ~username3/mybackup/, with the default backup file name

Note - The backup archive contains the complete system configuration, so protect it as carefully as the gateway itself. TFTP and FTP transfer it in clear text and TFTP has no authentication at all; SCP is the only encrypted option. The SCP and FTP passwords are given on the command line and therefore appear in the session's audit history (see audit).

reboot

Restart the system.

Syntax

reboot

patch

Apply an upgrade or hotfix file.

Note - See the Release Notes for information about when to replace the patch utility with a more recent version.

Syntax

patch add scp <ip_address> <patch_name> [password (in expert mode)]

patch add tftp <ip_address> <patch_name>

patch add cd <patch_name>

patch add <full_patch_path>

patch log

Parameters

Parameter

Description

add

install a new patch

log

list all patches installed

scp

install from SCP

cd

install from CD/DVD

tftp

install from a TFTP server

ip_address

IP address of the SCP or TFTP server that holds the patch

patch_name

the name of the patch file to be installed

password

password of the SCP user; this argument is accepted only in Expert Mode (otherwise it is prompted for)

full_patch_path

the full path for the patch file (for example, /var/tmp/mypatch.tgz)

restore

Restore the system configuration.

Syntax

restore [-h] [-d] [[--tftp <ServerIP> <Filename>] |
        [--scp <ServerIP> <Username> <Password> <Filename>] |
        [--ftp <ServerIP> <Username> <Password> <Filename>] |
        [--file <Filename>]]

Parameters

Parameter

Description

-h

obtain usage

-d

debug flag

--tftp <ServerIP> <Filename>

IP address of the TFTP server from which the configuration is restored, and the filename.

--scp <ServerIP> <Username> <Password> <Filename>

IP address of the SCP server from which the configuration is restored, the username and password used to access the SCP server, and the filename.

--ftp <ServerIP> <Username> <Password> <Filename>

IP address of the FTP server from which the configuration is restored, the username and password used to access the FTP server, and the filename.

--file <Filename>

Filename of a local backup package to restore.

Note - A package fetched over TFTP or FTP travels in clear text and could be altered in transit; prefer SCP, or a local file whose origin you have verified, since restore replaces the whole system configuration with the package contents.

When restore is run by itself, without any flags, a menu of options is displayed. The menu options provide the same functionality as the command line flags:

Choose one of the following:
-----------------------------------------------------------
[L]     Restore local backup package
[T]     Restore backup package from TFTP server
[S]     Restore backup package from SCP server
[V]     Restore backup package from FTP server
[R]     Remove local backup package
[Q]     Quit
-----------------------------------------------------------

Select the operation of your choice.

shutdown

Shut down the system.

Syntax

shutdown

ver

Display the SecurePlatform system's version.

Syntax

ver

Snapshot Image Management

Commands to take a snapshot of the entire system and to restore the system, from the snapshot, are available. The system can be restored at any time, and at boot time the administrator is given the option of booting from any of the available snapshots. This feature greatly reduces the risks of configuration changes.

The snapshot and revert commands can use a TFTP server, an SCP server or an FTP server to store snapshots. Alternatively, snapshots can be stored locally.

Note - The amount of time it takes to perform a snapshot or revert depends on the amount of data (for example, logs) that is stored or restored. For example, it may take between 90 to 120 minutes to perform a snapshot or revert for Security Management Server, Log Server, Multi-Domain Security Management, etc.

revert

Reboot the system from a snapshot file. The revert command, run by itself, without any additional flags, uses the default settings and reboots the system from a local snapshot.

Syntax

revert [-h] [-d] [[--tftp <ServerIP> <Filename>] |
       [--scp <ServerIP> <Username> <Password> <Filename>] |
       [--ftp <ServerIP> <Username> <Password> <Filename>] |
       [--file <Filename>]]

 

Parameters

Revert Parameters

Parameter

Description

-h

obtain usage

-d

debug flag

--tftp <ServerIP> <Filename>

IP address of the TFTP server from which the snapshot is fetched, and the filename of the snapshot.

--scp <ServerIP> <Username> <Password> <Filename>

IP address of the SCP server from which the snapshot is fetched, the username and password used to access the SCP server, and the filename of the snapshot.

--ftp <ServerIP> <Username> <Password> <Filename>

IP address of the FTP server from which the snapshot is fetched, the username and password used to access the FTP server, and the filename of the snapshot.

--file <Filename>

Filename of a locally stored snapshot to boot from.

The revert command functionality can also be accessed from the Snapshot image management boot option.

snapshot

Create a snapshot file. The snapshot command, run by itself, without any additional flags, uses the default settings and creates a local snapshot.

Syntax

snapshot [-h] [-d] [[--tftp <ServerIP> <Filename>] |
         [--scp <ServerIP> <Username> <Password> <Filename>] |
         [--ftp <ServerIP> <Username> <Password> <Filename>] |
         [--file <Filename>]]

Parameters

Snapshot Parameters

Parameter

Description

-h

obtain usage

-d

debug flag

--tftp <ServerIP> <Filename>

IP address of the TFTP server to which the snapshot is written, and the filename of the snapshot.

--scp <ServerIP> <Username> <Password> <Filename>

IP address of the SCP server to which the snapshot is written, the username and password used to access the SCP server, and the filename of the snapshot.

--ftp <ServerIP> <Username> <Password> <Filename>

IP address of the FTP server to which the snapshot is written, the username and password used to access the FTP server, and the filename of the snapshot.

--file <Filename>

Filename for a snapshot stored locally.

Note - A snapshot is an image of the whole system, including configuration and keys, so the transport and storage cautions given for backup apply to it as well.

System Diagnostic Commands

diag

Collect the system's diagnostic information (diag files) and upload it to a TFTP server.

Syntax

diag <log_file_name> tftp <tftp_host_ip_address>

Parameters

Diag Parameters

Parameter

Description

log_file_name

name of the diagnostic file to be sent

tftp

upload using TFTP (other upload methods may be added in the future)

tftp_host_ip_address

IP address of the TFTP server that receives the diagnostic information

Note - Diag files describe the configuration in detail, and TFTP sends them without encryption or authentication; upload them only to a server on a trusted network.

log

List the available log files, apply or remove log rotation limits on a log file, and display the most recent lines of a log.

Syntax

log --help

log list

log limit <log-index><max-size><backlog-copies>

log unlimit <log-index>

log show <log-index> [<lines>]

Parameters

Log Parameters

Parameter

Description

list

show the list of available log files

limit

apply log rotation parameters

unlimit

remove log size limitations

log-index

index of the log file in the list printed by log list

max-size

maximum size of the log file, in bytes, before it is rotated

backlog-copies

number of rotated copies of the log file to keep

lines

number of lines of the log to display

Note - Limits bound the disk space a busy or deliberately noisy log source can consume, which protects the appliance from filling its disk; too few backlog copies, however, discard evidence you may need for an investigation. Remove a limit with log unlimit only on logs you are certain cannot be flooded.
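The following added example is not from the original page or from Check Point; it is a small model of what log limit <log-index> <max-size> <backlog-copies> does to one file, so the effect of the two numbers is visible. The file name and the sizes used in demo() are constructed; the real rotation code on the appliance is not shown here.

```python
"""Model of `log limit <log-index> <max-size> <backlog-copies>` rotation."""
import os
import tempfile


def rotate_if_needed(path: str, max_size: int, backlog_copies: int) -> bool:
    """Rotate `path` once it has reached max_size bytes, keeping backlog_copies copies.

    Returns True when a rotation happened. Copies are named path.1 (newest) up to
    path.<backlog_copies> (oldest); the oldest copy is discarded on each rotation.
    """
    if max_size <= 0 or backlog_copies < 0:
        raise ValueError("max_size must be positive and backlog_copies non-negative")
    if not os.path.exists(path) or os.path.getsize(path) < max_size:
        return False
    oldest = f"{path}.{backlog_copies}"
    if backlog_copies and os.path.exists(oldest):
        os.remove(oldest)
    # Shift path.N -> path.N+1, highest index first, so nothing is overwritten.
    for n in range(backlog_copies - 1, 0, -1):
        src = f"{path}.{n}"
        if os.path.exists(src):
            os.replace(src, f"{path}.{n + 1}")
    if backlog_copies:
        os.replace(path, f"{path}.1")
    else:
        os.remove(path)  # zero copies: the full log is simply discarded
    open(path, "w").close()  # start a fresh, empty log in place
    return True


def demo(rounds: int = 4, chunk: int = 100, max_size: int = 100, copies: int = 2) -> dict:
    """Append `chunk` bytes `rounds` times under a limit; report the files left behind.

    With the defaults, every append fills the log to max_size, so each round
    rotates and only the newest `copies` rotated files survive.
    """
    workdir = tempfile.mkdtemp()           # constructed scratch directory
    log = os.path.join(workdir, "messages")
    for _ in range(rounds):
        with open(log, "a") as f:
            f.write("x" * chunk)
        rotate_if_needed(log, max_size, copies)
    return {name: os.path.getsize(os.path.join(workdir, name))
            for name in sorted(os.listdir(workdir))}


if __name__ == "__main__":
    for name, size in demo().items():
        print(f"{name:12s} {size} bytes")
```

Run with the defaults, four rounds of 100-byte appends under a 100-byte limit with two copies leave an empty messages plus messages.1 and messages.2 of 100 bytes each: the two oldest rounds are gone, which is the trade-off the Note above describes.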

top

Display the top 15 processes on the system and periodically update the display. Processes are ranked by raw CPU percentage.

Syntax

top

Software Blade Commands

For information about Software Blade commands, see the R76 Command Line Interface Reference Guide.

Network Diagnostics Commands

ping

Send ICMP ECHO_REQUEST packets to network hosts.

Syntax

ping [-dfnqrvR] [-c count] [-i wait] [-l preload] [-p pattern]
[-s packetsize]

Parameters

ping Parameters

Parameter

Description

-c count

Stop after sending (and receiving) count ECHO_RESPONSE packets.

-d

Set the SO_DEBUG option for the socket being used.

-f

Flood ping. Outputs packets as fast as they come back, or one hundred times per second, whichever is greater. For every ECHO_REQUEST sent, a period ''.'' is printed, while for every ECHO_REPLY received, a backspace is printed. This provides a rapid display of how many packets are being dropped. Only the super-user may use this option. This can place a very heavy load on a network and should be used with caution.

-i wait

Wait wait seconds between sending each packet. The default is one second between packets. This option is incompatible with the -f option.

-l preload

Preload: send preload packets as fast as possible before falling into the normal mode of behavior. Only the super-user may use this option.

-n

Numeric output only. No attempt will be made to lookup symbolic names for host addresses.

-p pattern

You may specify up to 16 ''pad'' bytes to fill out the packet you send. This is useful for diagnosing data-dependent problems in a network. For example, ''-p ff'' will direct the sent packet to be filled with a series of ones (''1'').

-q

Quiet output. Nothing is displayed except the summary lines at the time of startup and finish.

-R

Record route. Includes the RECORD_ROUTE option in the ECHO_REQUEST packet and displays the route buffer on returned packets. Note that the IP header is only large enough for nine such routes. Many hosts ignore or discard this option.

-r

Bypass the normal routing tables and send directly to a host on an attached network. If the host is not on a directly-attached network, an error is returned. This option can be used to ping a local host through an interface that has no route through it.

-s packetsize

Specifies the number of data bytes to be sent. The default is 56, which translates into 64 ICMP data bytes, when combined with the 8 bytes of ICMP header data.

-v

Verbose (detailed) output. Lists ICMP packets (other than ECHO_RESPONSE) that are received.

traceroute

Tracking the route a packet follows (or finding the miscreant gateway that is discarding your packets) can be difficult. Traceroute utilizes the IP protocol 'time to live' field and attempts to elicit an ICMP TIME_EXCEEDED response from each gateway along the path to a designated host.

Syntax

traceroute [ -dFInrvx ] [ -f first_ttl ] [ -g gateway ] [ -i iface ]
[ -m max_ttl ] [ -p port ] [ -q nqueries ] [ -s src_addr ] [ -t tos ]
[ -w waittime ] host [ packetlen ]

Parameters

traceroute Parameters

Parameter

Description

-f first_ttl

Set the initial time-to-live, used in the first outgoing probe packet.

-F

Set the "don't fragment" bit.

-d

Enable socket level debugging.

-g gateway

Specify a loose source route gateway (8 maximum).

-i iface

Specify a network interface from which to take the source IP address for outgoing probe packets. This is normally only useful on a multi-homed host. (See the -s flag for another way to do this.)

-I

Use ICMP ECHO instead of UDP datagrams.

-m max_ttl

Set the max time-to-live (maximum number of hops) used in outgoing probe packets. The default is 30 hops (the same default used for TCP connections).

-n

Print hop addresses numerically, rather than symbolically and numerically (saves a name server address-to-name lookup, for each gateway found on the path).

-p port

Set the base UDP port number used in probes (default is 33434). Traceroute hopes that nothing is listening on UDP ports base to base + nhops - 1 at the destination host (so an ICMP PORT_UNREACHABLE message will be returned to terminate the route tracing). If something is listening on a port in the default range, this option can be used to pick an unused port range.

-q nqueries

Number of queries to run.

-r

Bypass the normal routing tables and send directly to a host on an attached network. If the host is not on a directly-attached network, an error is returned. This option can be used to probe a local host through an interface that has no route through it.

-s src_addr

Use the following IP address (which usually is given as an IP number, not a hostname) as the source address in out-going probe packets. On multi-homed hosts (those with more than one IP address), this option can be used to force the source address to be something, other than the IP address of the interface that the probe packet is sent on. If the IP address is not one of this machine's interface addresses, an error is returned and nothing is sent. (See the -i flag for another way to do this.)

-t tos

Set the type-of-service in probe packets to the given value (default zero). The value must be a decimal integer in the range 0 to 255. This option can be used to see whether different types of service result in different paths. (If you are not running 4.4BSD this may be irrelevant, since the normal network services like telnet and ftp do not let you control the TOS.) Not all values of TOS are legal or meaningful; see the IP specification for definitions. Useful values are probably "-t 16" (low delay) and "-t 8" (high throughput).

-v

Verbose (detailed) output. Received ICMP packets other than TIME_EXCEEDED and UNREACHABLEs are listed.

-w waittime

Set the time (in seconds) to wait for a response to a probe (default is 5 seconds).

-x

Toggle checksums. Normally this prevents traceroute from calculating checksums. On some systems the operating system overwrites parts of the outgoing packet without recalculating the checksum; there the default is not to calculate checksums, and -x turns them on. Checksums are usually required for the last hop when using ICMP ECHO probes (-I).

netstat

Show network statistics.

Syntax

netstat [-veenNcCF] [<Af>] -r
netstat {-V|--version|-h|--help}

netstat [-vnNcaeol] [<Socket> ...]

netstat { [-veenNac] -i | [-cnNe] -M | -s }

Parameters

netstat Parameters

Parameter                Description
-r, --route              display routing table
-i, --interfaces         display interface table
-g, --groups             display multicast group memberships
-s, --statistics         display networking statistics (like SNMP)
-M, --masquerade         display masqueraded connections
-v, --verbose            be verbose (detailed)
-n, --numeric            do not resolve names
-N, --symbolic           resolve hardware names
-e, --extend             display other/more information
-p, --programs           display PID/program name for sockets
-c, --continuous         continuous listing
-l, --listening          display listening server sockets
-a, --all                display all sockets (default: connected)
-o, --timers             display timers
-F, --fib                display Forwarding Information Base (default)
-C, --cache              display routing cache instead of FIB
<Socket>                 type of socket, one of: {-t|--tcp} {-u|--udp} {-w|--raw} {-x|--unix} --ax25 --ipx --netrom
-A <AF>, --af <AF>       address family, one of: inet (DARPA Internet), inet6 (IPv6), ax25 (AMPR AX.25), netrom (AMPR NET/ROM), ipx (Novell IPX), ddp (Appletalk DDP)

A useful periodic check is netstat -anp, run in Expert Mode so that the owning process of every socket is shown: compare the listening sockets with the services you expect on the gateway (SSH, the WebUI port set with webui, and the Check Point daemons) and investigate anything else.

Network Configuration Commands

arp

arp manipulates the kernel's ARP cache in various ways. The primary options are clearing an address mapping entry and manually setting one up. For debugging purposes, the ARP program also allows a complete dump of the ARP cache.

Syntax

arp [-vn] [-H type] [-i if] -a [hostname]

arp [-v] [-i if] -d hostname [pub]

arp [-v] [-H type] [-i if] -s hostname hw_addr [temp]

arp [-v] [-H type] [-i if] -s hostname hw_addr [netmask nm] pub

arp [-v] [-H type] [-i if] -Ds hostname ifa [netmask nm] pub

arp [-vnD] [-H type] [-i if] -f [filename]

addarp

addarp adds a persistent ARP entry (one that survives a reboot).

Syntax

addarp <hostname> <hwaddr>

delarp

delarp removes an ARP entry created by addarp.

Syntax

delarp <hostname> <MAC>

Note - A persistent entry for the default gateway or a cluster peer prevents a forged ARP reply from redirecting that traffic (ARP spoofing), but it must be updated by hand whenever the hardware address changes, or connectivity to that host is lost.

Parameters

arp Parameters

Parameter                        Description
-v, --verbose                    Tell the user the details of what is going on.
-n, --numeric                    Show numerical addresses instead of trying to determine symbolic host, port or user names.
-H type, --hw-type type          When setting or reading the ARP cache, this optional parameter tells arp which class of entries it should check for. The default is ether (hardware code 0x01 for IEEE 802.3 10Mbps Ethernet). Other values might include network technologies such as ARCnet (arcnet), PROnet (pronet), AX.25 (ax25) and NET/ROM (netrom).
-a [hostname], --display [hostname]   Show the entries for the specified host. If no hostname is given, all entries are displayed.
-d hostname, --delete hostname   Remove any entry for the specified host. This can be used, for example, when the host is brought down.
-D, --use-device                 Use the hardware address of the interface ifa.
-i If, --device If               Select an interface. When dumping the ARP cache, only entries matching the specified interface are printed. When setting a permanent or temp ARP entry, this interface is associated with the entry. If this option is not used, the kernel guesses based on the routing table. For public entries, the specified interface is the one on which ARP requests are answered.
-f filename, --file filename     Similar to the -s option, except that the address information is taken from the file filename. The data file is very often /etc/ethers; if no filename is given, /etc/ethers is used.
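The following added example is not Check Point code. It parses the BSD-style output of arp -an and compares the live cache with the entries an administrator has pinned using addarp, flagging a gateway whose cached hardware address differs from the pinned one, a pinned host that is absent, and a pin that is not in effect. The sample output, the pinned table and the assumption that addarp entries appear with the PERM flag (as entries added with arp -s do) are constructed for the demonstration.

```python
"""Check the live ARP cache against hardware addresses pinned with addarp."""
import re

# net-tools `arp -an` prints one entry per line. Constructed sample output:
SAMPLE_ARP_OUTPUT = """\
? (10.1.1.1) at 00:50:56:a1:b2:c3 [ether] PERM on eth0
? (10.1.1.20) at 00:0c:29:11:22:33 [ether] on eth0
? (10.1.1.21) at <incomplete> on eth0
? (192.168.5.1) at 00:1b:21:de:ad:01 [ether] on eth1
"""

# What the administrator pinned with `addarp <hostname> <hwaddr>` (assumed values).
PINNED = {
    "10.1.1.1": "00:50:56:a1:b2:c3",     # default gateway, matches the cache
    "192.168.5.1": "00:1b:21:de:ad:02",  # pinned MAC differs from the cache above
}

ARP_LINE = re.compile(
    r"^\S+ \((?P<ip>[\d.]+)\) at (?P<mac>[0-9a-f:]{17}|<incomplete>)"
    r"(?: \[(?P<hwtype>\w+)\])?(?P<flags>(?: [A-Z]+)*) on (?P<dev>\S+)$",
    re.IGNORECASE,
)


def parse_arp(output: str) -> list:
    """Return one dict per cache entry; unparseable lines are skipped."""
    entries = []
    for line in output.splitlines():
        m = ARP_LINE.match(line.strip())
        if not m:
            continue
        entries.append({
            "ip": m["ip"],
            "mac": None if m["mac"] == "<incomplete>" else m["mac"].lower(),
            "permanent": "PERM" in m["flags"].split(),
            "dev": m["dev"],
        })
    return entries


def audit_pins(entries: list, pinned: dict) -> list:
    """Compare pinned IP->MAC mappings with the cache and return (ip, finding) pairs."""
    findings = []
    by_ip = {e["ip"]: e for e in entries}
    for ip, want in pinned.items():
        want = want.lower()
        e = by_ip.get(ip)
        if e is None:
            findings.append((ip, "pinned entry missing from cache"))
        elif e["mac"] != want:
            # The classic ARP-spoofing symptom: the gateway answers from another MAC.
            findings.append((ip, f"cache has {e['mac']}, pinned {want}"))
        elif not e["permanent"]:
            findings.append((ip, "entry not marked PERM; addarp pin not in effect"))
    return findings


if __name__ == "__main__":
    for ip, finding in audit_pins(parse_arp(SAMPLE_ARP_OUTPUT), PINNED):
        print(f"{ip}: {finding}")
```

On the appliance the input would come from arp -an in Expert Mode; the check is only meaningful for entries that were pinned, since a dynamic entry legitimately changes when hardware is replaced.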

hosts

Show, set or remove hostname to IP-address mappings.

Syntax

hosts add <IP-ADDRESS> <host1> [<host2> ...]

hosts remove <IP_ADDRESS> <host1> [<host2> ...]

hosts

Parameters

hosts Parameters

Parameter

Description

(none)

Running hosts with no parameters displays the current host name to IP address mappings.

add <IP-ADDRESS> <host1> [<host2> ...]

Map the given host names to IP-ADDRESS.

remove <IP_ADDRESS> <host1> [<host2> ...]

Remove the given host names from the mapping for IP_ADDRESS.

ifconfig

Show, configure or store network interfaces settings.

Syntax

ifconfig [-a] [-i] [-v] [-s] <interface> [[<AF>] <address>]
[add <address>[/<prefixlen>]]

[del <address>[/<prefixlen>]]

[[-]broadcast [<address>]] [[-]pointopoint [<address>]]

[netmask <address>] [dstaddr <address>] [tunnel <address>]

[outfill <NN>] [keepalive <NN>]

[hw <HW> <address>] [metric <NN>] [mtu <NN>]

[[-]trailers] [[-]arp] [[-]allmulti]

[multicast] [[-]promisc]

[mem_start <NN>] [io_addr <NN>] [irq <NN>] [media <type>]

[txqueuelen <NN>]

[[-]dynamic]

[up|down]

[--save]

ifconfig Parameters

Parameter

Description

interface

The name of the interface. This is usually a driver name, followed by a unit number, for example eth0 for the first Ethernet interface.

up

Causes the interface to be activated. It is implicitly specified if an address is assigned to the interface.

down

Causes the driver for this interface, to be shut down.

[-]arp

Enable or disable the use of the ARP protocol, on this interface.

[-]promisc

Enable or disable promiscuous mode on the interface. When enabled, the interface receives all packets on the network segment, not only those addressed to it; on a gateway this is normally wanted only while capturing traffic for diagnosis.

[-]allmulti

Enable or disable all-multicast mode. If selected, all multicast packets on the network will be received by the interface.

metric N

Sets the interface metric.

mtu N

Sets the Maximum Transfer Unit (MTU) of an interface.

dstaddr addr

Set the remote IP address for a point-to-point link (such as PPP). This keyword is obsolete; use the pointopoint keyword instead.

netmask addr

Set the IP network mask, for this interface. This value defaults to the usual class A, B or C network mask (as derived from the interface IP address), but it can be set to any value.

irq addr

Set the interrupt line used by this device. Not all devices can dynamically change their IRQ setting.

io_addr addr

Set the start address in I/O space for this device.

mem_start addr

Set the start address for shared memory used by this device. Only a few devices need this parameter set.

media type

Set the physical port, or medium type, to be used by the device. Not all devices can change this setting, and those that can vary in what values they support. Typical values for type are 10base2 (thin Ethernet), 10baseT (twisted-pair 10Mbps Ethernet), AUI (external transceiver) and so on. The special, medium type of auto can be used to tell the driver to auto-sense the media. Not all drivers support this feature.

[-]broadcast [addr]

If the address argument is given, set the protocol broadcast address for this interface. Otherwise, set (or clear) the IFF_BROADCAST flag for the interface.

[-]pointopoint [addr]

This keyword enables the point-to-point mode of an interface, meaning that it is a direct link between two machines, with nobody else listening on it. If the address argument is also given, set the protocol address of the other side of the link, just like the obsolete dstaddr keyword does. Otherwise, set or clear the IFF_POINTOPOINT flag for the interface.

hw class address

Set the hardware address of this interface, if the device driver supports this operation. The keyword must be followed by the name of the hardware class and the printable ASCII equivalent of the hardware address. Hardware classes currently supported include: ether (Ethernet), ax25 (AMPR AX.25), ARCnet and netrom (AMPR NET/ROM).

multicast

Set the multicast flag on the interface. This should not normally be needed, as the drivers set the flag correctly themselves.

Address

The IP address to be assigned to this interface.

txqueuelen length

Set the length of the transmit queue of the device. It is useful to set this to small values, for slower devices with a high latency (modem links, ISDN), to prevent fast bulk transfers from disturbing interactive traffic, like telnet, too much.

--save

Saves the interface IP configuration. Not available when UTM-1 is installed.

vconfig

Configure virtual LAN (802.1Q) interfaces.

Syntax

vconfig add [interface-name] [vlan_id]

vconfig rem [vlan-name]

Parameters

vconfig Parameters

Parameter

Description

interface-name

The name of the Ethernet interface that hosts the VLAN.

vlan_id

The identifier (0-4095) of the VLAN. VIDs 0 and 4095 are reserved by 802.1Q, so usable tags are 1 to 4094.

The remaining parameters belong to the vconfig subcommands set_flag, set_egress_map, set_ingress_map and set_name_type, which the syntax above does not list:

skb_priority

The priority in the socket buffer (sk_buff).

vlan_qos

The 3-bit priority field in the VLAN header.

name-type

One of:

  • VLAN_PLUS_VID (e.g. vlan0005)
  • VLAN_PLUS_VID_NO_PAD (e.g. vlan5)
  • DEV_PLUS_VID (e.g. eth0.0005)
  • DEV_PLUS_VID_NO_PAD (e.g. eth0.5)

bind-type

One of:

  • PER_DEVICE: allows VLAN 5 on eth0 and eth1 to be distinct interfaces
  • PER_KERNEL: forces VLAN 5 to be unique across all devices

flag-num

Either 0 or 1 (REORDER_HDR). If set, the VLAN device moves the Ethernet header around to make the frame look exactly like one from a real Ethernet device.

route

Show, configure or save the routing entries.

Syntax

route [-nNvee] [-FC] [<AF>] List kernel routing tables

route [-v] [-FC] {add|del|flush} ... Modify routing table for AF.

route {-h|--help} [<AF>] Detailed usage syntax for specified AF.

route {-V|--version} Display version/author and exit.

route --save

Parameters

route Parameters

Parameter                Description
-v, --verbose            be verbose (detailed)
-n, --numeric            do not resolve names
-N, --symbolic           resolve hardware names
-e, --extend             display other or more information
-F, --fib                display Forwarding Information Base (default)
-C, --cache              display routing cache instead of FIB
-A <AF>, --af <AF>       address family, one of: inet (DARPA Internet), inet6 (IPv6), ax25 (AMPR AX.25), netrom (AMPR NET/ROM), ipx (Novell IPX), ddp (Appletalk DDP)
--save                   save the routing configuration; routes added with route add are otherwise not kept across a reboot

hostname

Show or set the system's host name.

Syntax

hostname [--help]

hostname <host>

hostname <host> <external_ip_address>

Parameters

hostname Parameters

Parameter

Description

(none)

show the current host name

host

new host name

external_ip_address

IP address that the host name resolves to (the address of the interface to associate with the name)

--help

show usage message

domainname

Show or set the system's domain name.

Syntax

domainname [<domain>]

Parameters

domainname Parameters

Parameter

Description

(none)

show the current domain name

domain

set the domain name to domain

dns

Add, remove, or show the Domain Name resolving servers.

Syntax

dns [add|del <ip_of_nameserver>]

Parameters

dns Parameters

Parameter

Description

(none)

show the configured DNS servers

add <ip_of_nameserver>

add a new name server

del <ip_of_nameserver>

delete an existing name server

ip_of_nameserver

IP address of the name server

sysconfig

Interactive script to configure networking and security for the system.

Syntax

sysconfig

webui

Enable or disable the SecurePlatform WebUI (the HTTPS management interface) and set the port its web server listens on.

Syntax

webui enable [https_port]

webui disable

Parameters

webui parameters

Parameter

Description

enable [https_port]

enable the Web GUI on port https_port

disable

disable the Web GUI

User and Administrator Commands

adduser

adduser adds a SecurePlatform administrator. SecurePlatform supports RADIUS authentication for administrators; with -x the new administrator is authenticated by the named external method instead of a local password.

Syntax

adduser [-x EXTERNAL_AUTH] <user name>

deluser

deluser deletes a SecurePlatform administrator.

Syntax

deluser <user name>

showusers

showusers displays all SecurePlatform administrators.

Syntax

showusers

lockout

Enable, disable or show the automatic lockout of SecurePlatform administrators after repeated failed login attempts.

Syntax

lockout enable <attempts> <lock_period>

lockout disable

lockout show

Parameters

lockout Parameters

Parameter

Description

enable <attempts> <lock_period>

Activate lockout: after <attempts> unsuccessful login attempts the administrator account is locked for <lock_period> minutes.

disable

Disable the lockout feature.

show

Display the current settings of the lockout feature.

unlockuser

Unlock a locked administrator. (See lockout for more information about a locked administrator.)

Syntax

unlockuser <username>

checkuserlock

Display the lockout status of a SecurePlatform administrator (whether or not the administrator is locked out).

Syntax

checkuserlock <username>
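The following added example is not Check Point code; it models the semantics of lockout enable <attempts> <lock_period>, unlockuser and checkuserlock, with an injectable clock so the lock period can be exercised without waiting. The page does not say whether a successful login resets the failure counter; this model assumes it does. It also rejects a correct password while the account is locked, because a lock that admits the right password as soon as it is guessed would not slow an attacker down at all.

```python
"""Model of `lockout enable <attempts> <lock_period>`, `unlockuser` and `checkuserlock`."""
import time


class ManualClock:
    """Injectable clock (assumed helper) so tests can advance time explicitly."""

    def __init__(self, now: float = 0.0):
        self.now = now

    def advance(self, seconds: float) -> None:
        self.now += seconds

    def __call__(self) -> float:
        return self.now


class LockoutPolicy:
    def __init__(self, attempts: int, lock_period_minutes: int, clock=time.time):
        if attempts < 1 or lock_period_minutes < 1:
            raise ValueError("attempts and lock_period must both be at least 1")
        self.attempts = attempts
        self.lock_seconds = lock_period_minutes * 60
        self.clock = clock
        self._failures = {}      # user -> consecutive failed attempts
        self._locked_until = {}  # user -> epoch seconds when the lock expires

    def is_locked(self, user: str) -> bool:
        """checkuserlock <username>: True while the lock period is still running."""
        return self.clock() < self._locked_until.get(user, 0.0)

    def attempt(self, user: str, password_ok: bool) -> bool:
        """Process one login attempt; return True only if the login is accepted."""
        if self.is_locked(user):
            return False             # locked: even a correct password is refused
        if password_ok:
            self._failures[user] = 0  # assumption: a good login resets the counter
            return True
        n = self._failures.get(user, 0) + 1
        if n >= self.attempts:
            self._locked_until[user] = self.clock() + self.lock_seconds
            n = 0                     # a fresh window starts once the lock expires
        self._failures[user] = n
        return False

    def unlock(self, user: str) -> None:
        """unlockuser <username>: clear the lock and the failure counter."""
        self._failures.pop(user, None)
        self._locked_until.pop(user, None)


if __name__ == "__main__":
    clock = ManualClock(1000.0)
    policy = LockoutPolicy(attempts=3, lock_period_minutes=5, clock=clock)
    for _ in range(3):
        policy.attempt("admin", password_ok=False)
    print("locked after 3 failures:", policy.is_locked("admin"))
    print("correct password while locked accepted:", policy.attempt("admin", True))
    clock.advance(5 * 60)
    print("locked after 5 minutes:", policy.is_locked("admin"))
    print("correct password now accepted:", policy.attempt("admin", True))
```

Note that the lock is keyed on the account name, not the source address, so the real command protects against password guessing against a known administrator but also lets a remote attacker lock that administrator out deliberately; keep an out-of-band way (console access and unlockuser) to recover.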

 
©2013 Check Point Software Technologies Ltd. All rights reserved.