Using Command Line Reference

In This Section:

CLI Syntax

Running Clish Commands from Expert Mode

Supported Linux Commands

You can make changes to your appliance with the WebUI or the Command Line Interface (CLI). When using the CLI, note these aspects:

CLISH Auto-completion

All CLISH commands support auto-completion. Standard Check Point and native Linux commands can be used from the CLISH shell but do not support auto-completion. These are examples of the different commands:

CLI Syntax

The CLI commands are formatted according to these syntax rules.

Notation

Description

Text without brackets

Items you must type as shown

<Text inside angle brackets>

Placeholder for which you must supply a value

[Text inside square brackets]

Optional items

Vertical pipe (|)

Separator for mutually exclusive items; choose one

{Text inside curly brackets}

Set of required items; choose one

Ellipsis (…)

Multiple values or parameters can be entered

Running Clish Commands from Expert Mode

You can run clish commands from Expert mode.

Syntax

clish [ -A -i { -c Cmd | -f File -v} -h -C ]

Parameters

Parameter

Description

-c Cmd

Single command to execute

-f File

File to load commands from

-v

Verbose

-i

Ignore cmd failure in batch mode and continue

-A

Run as admin

-C

List available commands

-h

Help (this message)

Note - If the default shell you logged in with was clish, and then you logged in to expert from it, you cannot run clish from expert (running clish->expert->clish does not work, but expert->clish works).

Supported Linux Commands

These standard Linux commands are also supported by the Check Point Small and Medium Business Appliance CLI.

access-rule type outgoing

add access-rule type outgoing

Description

Adds a new firewall access rule to the outgoing (clear) traffic Rule Base.

Syntax

add access-rule type outgoing [ action <action> ] [ log <log> ] [ source <source> ] [ source-negate <source-negate> ] [ destination <destination> ] [ destination-negate <destination-negate> ] [ service <service> ] [ service-negate <service-negate> ] [ disabled <disabled> ] [ comment <comment> ] [ hours-range-enabled { true hours-range-from <hours-range-from> hours-range-to <hours-range-to> | false } ] [ { position <position> | position-above <position-above> | position-below <position-below> } ] [ name <name> ] [ { [ application-name <application-name> ] | [ application-id <application-id> ] } ] [ application-negate <application-negate> ] [ limit-application-download { true limit <limit> | false } ] [ limit-application-upload { true limit <limit> | false } ]

Parameters

Parameter

Description

action

The action taken when there is a match on the rule

Options: block, accept, ask, inform, block-inform

application-id

Applications or web sites that are accepted or blocked

application-name

Applications or web sites that are accepted or blocked

application-negate

If true, the rule accepts or blocks all applications but the selected application

Type: Boolean (true/false)

comment

Description of the rule

Type: A string that contains less than 257 characters, of this set: 0-9, a-z or , . - : () @

destination

Network object that is the target of the connection

destination-negate

If true, the destination is all traffic except what is defined in the destination field

Type: Boolean (true/false)

disabled

Indicates if the rule is disabled

Type: Boolean (true/false)

hours-range-enabled

If true, time is configured

Type: Boolean (true/false)

hours-range-from

Time in the format HH:MM

Type: A time format hh:mm

hours-range-to

Time in the format HH:MM

Type: A time format hh:mm

limit

Applications traffic upload limit (in kbps)

Type: A number with no fractional part (integer)

limit-application-download

If true, download is limited

Type: Boolean (true/false)

limit-application-upload

If true, upload is limited

Type: Boolean (true/false)

log

Defines which logging method to use: None - do not log, Log - Create log, Alert - log with alert, Account - account rule

Options: none, log, alert, account

name

name

Type: A string of alphanumeric characters without space between them

position

The order of the rule in comparison to other manual rules

Type: Decimal number

position-above

The order of the rule in comparison to other manual rules

Type: Decimal number

position-below

The order of the rule in comparison to other manual rules

Type: Decimal number

service

The network service object that the rule should match to

service-negate

If true, the service is everything except what is defined in the service field

Type: Boolean (true/false)

source

Network object or user group that initiates the connection

source-negate

If true, the source is all traffic except what is defined in the source field

Type: Boolean (true/false)

Example

add access-rule type outgoing action block log none source TEXT source-negate true destination TEXT destination-negate true service TEXT service-negate true disabled true comment "This is a comment." hours-range-enabled true hours-range-from 23:20 hours-range-to 23:20 position 2 name word application-name hasOne application-negate true limit-application-download true limit 200 limit-application-upload true limit 5

Output

Failure shows an appropriate error message.
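
An added example (not Check Point code): a Python pre-check that validates rule values against the parameter table above and renders one add access-rule type outgoing line, for instance when generating a batch file for clish -f. The function names, the object-name pattern and the sample object names are assumptions of this sketch; the application and limit keywords are left out.

```python
import re

# Allowed values copied from the parameter table above.
ACTIONS = {"block", "accept", "ask", "inform", "block-inform"}
LOG_METHODS = {"none", "log", "alert", "account"}
BOOLEAN_KEYS = ("source-negate", "destination-negate", "service-negate", "disabled")
# Keywords in the order the Syntax line gives them.
ORDER = ["action", "log", "source", "source-negate", "destination",
         "destination-negate", "service", "service-negate", "disabled", "comment"]
POSITION_KEYS = ("position", "position-above", "position-below")
HOURS_KEYS = ("hours-range-from", "hours-range-to")

NAME_RE = re.compile(r"[A-Za-z0-9]+")                     # alphanumeric, no spaces
TIME_RE = re.compile(r"(?:[01][0-9]|2[0-3]):[0-5][0-9]")  # hh:mm
# Assumption: the table lists "0-9, a-z or , . - : () @"; uppercase letters and
# spaces are accepted too because the page's own example comment contains them.
COMMENT_RE = re.compile(r"[0-9A-Za-z ,.\-:()@]{0,256}")
# Assumption: object names contain no spaces or quotes (the page gives no type).
OBJECT_RE = re.compile(r"[A-Za-z0-9_.\-]+")


def validate_rule(rule):
    """Return a list of problems in a dict of CLI keyword -> value."""
    errors = []
    known = set(ORDER) | set(POSITION_KEYS) | set(HOURS_KEYS) | {"name"}
    for key in sorted(set(rule) - known):
        errors.append(f"unknown keyword: {key}")
    if "action" in rule and rule["action"] not in ACTIONS:
        errors.append(f"action must be one of {sorted(ACTIONS)}")
    if "log" in rule and rule["log"] not in LOG_METHODS:
        errors.append(f"log must be one of {sorted(LOG_METHODS)}")
    for key in BOOLEAN_KEYS:
        if key in rule and not isinstance(rule[key], bool):
            errors.append(f"{key} must be true or false")
    for key in ("source", "destination", "service"):
        if key in rule and not OBJECT_RE.fullmatch(str(rule[key])):
            errors.append(f"{key} is not a plain object name")
    if "name" in rule and not NAME_RE.fullmatch(str(rule["name"])):
        errors.append("name must be alphanumeric with no spaces")
    if "comment" in rule and not COMMENT_RE.fullmatch(str(rule["comment"])):
        errors.append("comment must be under 257 characters from the documented set")
    hours = [k for k in HOURS_KEYS if k in rule]
    if len(hours) == 1:
        errors.append("hours-range-from and hours-range-to must be given together")
    for key in hours:
        if not TIME_RE.fullmatch(str(rule[key])):
            errors.append(f"{key} must be hh:mm")
    if sum(k in rule for k in POSITION_KEYS) > 1:
        errors.append("position, position-above and position-below are mutually exclusive")
    for key in POSITION_KEYS:
        if key in rule and not str(rule[key]).isdigit():
            errors.append(f"{key} must be a decimal number")
    return errors


def _fmt(key, value):
    if isinstance(value, bool):
        return "true" if value else "false"
    if key == "comment":
        return f'"{value}"'   # safe: the comment pattern excludes quote characters
    return str(value)


def render_add_outgoing(rule):
    """Validate, then render the command line; raise ValueError on any problem."""
    errors = validate_rule(rule)
    if errors:
        raise ValueError("; ".join(errors))
    words = ["add", "access-rule", "type", "outgoing"]
    for key in ORDER:
        if key in rule:
            words += [key, _fmt(key, rule[key])]
    if "hours-range-from" in rule:
        words += ["hours-range-enabled", "true",
                  "hours-range-from", rule["hours-range-from"],
                  "hours-range-to", rule["hours-range-to"]]
    for key in POSITION_KEYS:
        if key in rule:
            words += [key, str(rule[key])]
    if "name" in rule:
        words += ["name", rule["name"]]
    return " ".join(words)


# Constructed sample rule; the object names are placeholders.
SAMPLE_RULE = {
    "action": "block", "log": "log", "source": "LAN_Net",
    "destination": "Guest_Range", "service": "HTTPS",
    "comment": "Block guest range, work hours",
    "hours-range-from": "08:00", "hours-range-to": "18:00",
    "position": 2, "name": "blockGuest",
}

if __name__ == "__main__":
    print(render_add_outgoing(SAMPLE_RULE))
```

Rejecting quote characters in the comment keeps free text from closing the quoted value and appending further keywords to the generated line.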

delete access-rule type outgoing

Deletes an existing firewall access rule to the outgoing (clear) traffic Rule Base.

delete access-rule type outgoing

Description

Deletes an existing firewall access rule to the outgoing (clear) traffic Rule Base by rule position.

Syntax

delete access-rule type outgoing position <position>

Parameters

Parameter

Description

position

The order of the rule in comparison to other manual rules

Type: Decimal number

Example

delete access-rule type outgoing position 2

Output

Failure shows an appropriate error message.

delete access-rule type outgoing

Description

Deletes an existing firewall access rule to the outgoing (clear) traffic Rule Base by rule name.

Syntax

delete access-rule type outgoing name <name>

Parameters

Parameter

Description

name

name

Type: A string of alphanumeric characters without space between them

Example

delete access-rule type outgoing name word

Output

Failure shows an appropriate error message.

set access-rule type outgoing

Configures an existing firewall access rule to the outgoing (clear) traffic Rule Base.

set access-rule type outgoing

Description

Configures an existing firewall access rule to the outgoing (clear) traffic Rule Base by position.

Syntax

set access-rule type outgoing position <position> [ action <action> ] [ log <log> ] [ source <source> ] [ source-negate <source-negate> ] [ destination <destination> ] [ destination-negate <destination-negate> ] [ service <service> ] [ service-negate <service-negate> ] [ disabled <disabled> ] [ comment <comment> ] [ hours-range-enabled { true hours-range-from <hours-range-from> hours-range-to <hours-range-to> | false } ] [ { position <position> | position-above <position-above> | position-below <position-below> } ] [ name <name> ] [ { [ application-name <application-name> ] | [ application-id <application-id> ] } ] [ application-negate <application-negate> ] [ limit-application-download { true limit <limit> | false } ] [ limit-application-upload { true limit <limit> | false } ]

Parameters

Parameter

Description

action

The action taken when there is a match on the rule

Options: block, accept, ask, inform, block-inform

application-id

Applications or web sites that are accepted or blocked

application-name

Applications or web sites that are accepted or blocked

application-negate

If true, the rule accepts or blocks all applications but the selected application

Type: Boolean (true/false)

comment

Description of the rule

Type: A string that contains less than 257 characters, of this set: 0-9, a-z or , . - : () @

destination

Network object that is the target of the connection

destination-negate

If true, the destination is all traffic except what is defined in the destination field

Type: Boolean (true/false)

disabled

Indicates if the rule is disabled

Type: Boolean (true/false)

hours-range-enabled

If true, time is configured

Type: Boolean (true/false)

hours-range-from

Time in the format HH:MM

Type: A time format hh:mm

hours-range-to

Time in the format HH:MM

Type: A time format hh:mm

limit

Applications traffic upload limit (in kbps)

Type: A number with no fractional part (integer)

limit-application-download

If true, download is limited

Type: Boolean (true/false)

limit-application-upload

If true, upload is limited

Type: Boolean (true/false)

log

Defines which logging method to use: None - do not log, Log - Create log, Alert - log with alert, Account - account rule

Options: none, log, alert, account

name

name

Type: A string of alphanumeric characters without space between them

position

The order of the rule in comparison to other manual rules

Type: Decimal number

position-above

The order of the rule in comparison to other manual rules

Type: Decimal number

position-below

The order of the rule in comparison to other manual rules

Type: Decimal number

service

The network service object that the rule should match to

service-negate

If true, the service is everything except what is defined in the service field

Type: Boolean (true/false)

source

Network object or user group that initiates the connection

source-negate

If true, the source is all traffic except what is defined in the source field

Type: Boolean (true/false)

Example

set access-rule type outgoing position 2 action block log none source TEXT source-negate true destination TEXT destination-negate true service TEXT service-negate true disabled true comment "This is a comment." hours-range-enabled true hours-range-from 23:20 hours-range-to 23:20 position 2 name word application-name hasOne application-negate true limit-application-download true limit 100 limit-application-upload true limit 5

Output

Failure shows an appropriate error message.

set access-rule type outgoing

Description

Configures an existing firewall access rule to the outgoing (clear) traffic Rule Base by name.

Syntax

set access-rule type outgoing name <name> [ action <action> ] [ log <log> ] [ source <source> ] [ source-negate <source-negate> ] [ destination <destination> ] [ destination-negate <destination-negate> ] [ service <service> ] [ service-negate <service-negate> ] [ disabled <disabled> ] [ comment <comment> ] [ hours-range-enabled { true hours-range-from <hours-range-from> hours-range-to <hours-range-to> | false } ] [ { position <position> | position-above <position-above> | position-below <position-below> } ] [ name <name> ] [ { [ application-name <application-name> ] | [ application-id <application-id> ] } ] [ application-negate <application-negate> ] [ limit-application-download { true limit <limit> | false } ] [ limit-application-upload { true limit <limit> | false } ]

Parameters

Parameter

Description

action

The action taken when there is a match on the rule

Options: block, accept, ask, inform, block-inform

application-id

Applications or web sites that are accepted or blocked

application-name

Applications or web sites that are accepted or blocked

application-negate

If true, the rule accepts or blocks all applications but the selected application

Type: Boolean (true/false)

comment

Description of the rule

Type: A string that contains less than 257 characters, of this set: 0-9, a-z or , . - : () @

destination

Network object that is the target of the connection

destination-negate

If true, the destination is all traffic except what is defined in the destination field

Type: Boolean (true/false)

disabled

Indicates if the rule is disabled

Type: Boolean (true/false)

hours-range-enabled

If true, time is configured

Type: Boolean (true/false)

hours-range-from

Time in the format HH:MM

Type: A time format hh:mm

hours-range-to

Time in the format HH:MM

Type: A time format hh:mm

limit

Applications traffic upload limit (in kbps)

Type: A number with no fractional part (integer)

limit-application-download

If true, download is limited

Type: Boolean (true/false)

limit-application-upload

If true, upload is limited

Type: Boolean (true/false)

log

Defines which logging method to use: None - do not log, Log - Create log, Alert - log with alert, Account - account rule

Options: none, log, alert, account

name

name

Type: A string of alphanumeric characters without space between them

position

The order of the rule in comparison to other manual rules

Type: Decimal number

position-above

The order of the rule in comparison to other manual rules

Type: Decimal number

position-below

The order of the rule in comparison to other manual rules

Type: Decimal number

service

The network service object that the rule should match to

service-negate

If true, the service is everything except what is defined in the service field

Type: Boolean (true/false)

source

Network object or user group that initiates the connection

source-negate

If true, the source is all traffic except what is defined in the source field

Type: Boolean (true/false)

Example

set access-rule type outgoing name word action block log none source TEXT source-negate true destination TEXT destination-negate true service TEXT service-negate true disabled true comment "This is a comment." hours-range-enabled true hours-range-from 23:20 hours-range-to 23:20 position 2 name word application-name hasOne application-negate true limit-application-download true limit 100 limit-application-upload true limit 5

Output

Failure shows an appropriate error message.

show access-rule type outgoing

Shows firewall access rules of the outgoing (clear) traffic Rule Base.

show access-rule type outgoing

Description

Shows a firewall access rule in the outgoing (clear) traffic Rule Base according to name.

Syntax

show access-rule type outgoing name <name>

Parameters

Parameter

Description

name

name

Type: A string of alphanumeric characters without space between them

Example

show access-rule type outgoing name word

Output

Failure shows an appropriate error message.

show access-rule type outgoing

Description

Shows a firewall access rule in the outgoing (clear) traffic Rule Base according to position.

Syntax

show access-rule type outgoing position <position>

Parameters

Parameter

Description

position

The order of a manual rule in comparison to other manual rules

Type: Decimal number

Example

show access-rule type outgoing position 2

Output

Failure shows an appropriate error message.

access-rule type incoming-internal-and-vpn

add access-rule type incoming-internal-and-vpn

Description

Adds a new firewall access rule to the incoming/internal/VPN traffic Rule Base.

Syntax

add access-rule type incoming-internal-and-vpn [ action <action> ] [ log <log> ] [ source <source> ] [ source-negate <source-negate> ] [ destination <destination> ] [ destination-negate <destination-negate> ] [ service <service> ] [ service-negate <service-negate> ] [ disabled <disabled> ] [ comment <comment> ] [ hours-range-enabled { true hours-range-from <hours-range-from> hours-range-to <hours-range-to> | false } ] [ { position <position> | position-above <position-above> | position-below <position-below> } ] [ name <name> ] [ vpn <vpn> ]

Parameters

Parameter

Description

action

The action taken when there is a match on the rule

Options: block, accept, ask, inform, block-inform

comment

Description of the rule

Type: A string that contains less than 257 characters, of this set: 0-9, a-z or , . - : () @

destination

Network object that is the target of the connection

destination-negate

If true, the destination is all traffic except what is defined in the destination field

Type: Boolean (true/false)

disabled

Indicates if the rule is disabled

Type: Boolean (true/false)

hours-range-enabled

If true, time is configured

Type: Boolean (true/false)

hours-range-from

Time in the format HH:MM

Type: A time format hh:mm

hours-range-to

Time in the format HH:MM

Type: A time format hh:mm

log

Defines which logging method to use: None - do not log, Log - Create log, Alert - log with alert, Account - account rule

Options: none, log, alert, account

name

name

Type: A string of alphanumeric characters without space between them

position

The order of the rule in comparison to other manual rules

Type: Decimal number

position-above

The order of the rule in comparison to other manual rules

Type: Decimal number

position-below

The order of the rule in comparison to other manual rules

Type: Decimal number

service

The network service object that the rule should match to

service-negate

If true, the service is everything except what is defined in the service field

Type: Boolean (true/false)

source

Network object or user group that initiates the connection

source-negate

If true, the source is all traffic except what is defined in the source field

Type: Boolean (true/false)

vpn

Indicates if traffic is matched on encrypted traffic only or all traffic

Type: Boolean (true/false)

Example

add access-rule type incoming-internal-and-vpn action block log none source TEXT source-negate true destination TEXT destination-negate true service TEXT service-negate true disabled true comment "This is a comment." hours-range-enabled true hours-range-from 23:20 hours-range-to 23:20 position 2 name word vpn true

Output

Failure shows an appropriate error message.

delete access-rule type incoming-internal-and-vpn

Deletes an existing firewall access rule to the incoming/internal/VPN traffic Rule Base.

delete access-rule type incoming-internal-and-vpn

Description

Deletes an existing firewall access rule to the incoming/internal/VPN traffic Rule Base by rule name.

Syntax

delete access-rule type incoming-internal-and-vpn name <name>

Parameters

Parameter

Description

name

Name

Type: A string of alphanumeric characters without space between them

Example

delete access-rule type incoming-internal-and-vpn name word

Output

Failure shows an appropriate error message.

delete access-rule type incoming-internal-and-vpn

Description

Deletes an existing firewall access rule to the incoming/internal/VPN traffic Rule Base by rule position.

Syntax

delete access-rule type incoming-internal-and-vpn position <position>

Parameters

Parameter

Description

position

The order of the rule in comparison to other manual rules

Type: Decimal number

Example

delete access-rule type incoming-internal-and-vpn position 2

Output

Failure shows an appropriate error message.

set access-rule type incoming-internal-and-vpn

Configures an existing firewall access rule to the incoming/internal/VPN traffic Rule Base.

set access-rule type incoming-internal-and-vpn

Description

Configures an existing firewall access rule to the incoming/internal/VPN traffic Rule Base by position.

Syntax

set access-rule type incoming-internal-and-vpn position <position> [ action <action> ] [ log <log> ] [ source <source> ] [ source-negate <source-negate> ] [ destination <destination> ] [ destination-negate <destination-negate> ] [ service <service> ] [ service-negate <service-negate> ] [ disabled <disabled> ] [ comment <comment> ] [ hours-range-enabled { true hours-range-from <hours-range-from> hours-range-to <hours-range-to> | false } ] [ { position <position> | position-above <position-above> | position-below <position-below> } ] [ name <name> ] [ vpn <vpn> ]

Parameters

Parameter

Description

action

The action taken when there is a match on the rule

Options: block, accept, ask, inform, block-inform

comment

Description of the rule

Type: A string that contains less than 257 characters, of this set: 0-9, a-z or , . - : () @

destination

Network object that is the target of the connection

destination-negate

If true, the destination is all traffic except what is defined in the destination field

Type: Boolean (true/false)

disabled

Indicates if the rule is disabled

Type: Boolean (true/false)

hours-range-enabled

If true, time is configured

Type: Boolean (true/false)

hours-range-from

Time in the format HH:MM

Type: A time format hh:mm

hours-range-to

Time in the format HH:MM

Type: A time format hh:mm

log

Defines which logging method to use: None - do not log, Log - Create log, Alert - log with alert, Account - account rule

Options: none, log, alert, account

name

name

Type: A string of alphanumeric characters without space between them

position

The order of the rule in comparison to other manual rules

Type: Decimal number

position-above

The order of the rule in comparison to other manual rules

Type: Decimal number

position-below

The order of the rule in comparison to other manual rules

Type: Decimal number

service

The network service object that the rule should match to

service-negate

If true, the service is everything except what is defined in the service field

Type: Boolean (true/false)

source

Network object or user group that initiates the connection

source-negate

If true, the source is all traffic except what is defined in the source field

Type: Boolean (true/false)

vpn

Indicates if traffic is matched on encrypted traffic only or all traffic

Type: Boolean (true/false)

Example

set access-rule type incoming-internal-and-vpn position 2 action block log none source TEXT source-negate true destination TEXT destination-negate true service TEXT service-negate true disabled true comment "This is a comment." hours-range-enabled true hours-range-from 23:20 hours-range-to 23:20 position 2 name word vpn true

Output

Failure shows an appropriate error message.

set access-rule type incoming-internal-and-vpn

Description

Configures an existing firewall access rule to the incoming/internal/VPN traffic Rule Base by name.

Syntax

set access-rule type incoming-internal-and-vpn name <name> [ action <action> ] [ log <log> ] [ source <source> ] [ source-negate <source-negate> ] [ destination <destination> ] [ destination-negate <destination-negate> ] [ service <service> ] [ service-negate <service-negate> ] [ disabled <disabled> ] [ comment <comment> ] [ hours-range-enabled { true hours-range-from <hours-range-from> hours-range-to <hours-range-to> | false } ] [ { position <position> | position-above <position-above> | position-below <position-below> } ] [ name <name> ] [ vpn <vpn> ]

Parameters

Parameter

Description

action

The action taken when there is a match on the rule

Options: block, accept, ask, inform, block-inform

comment

Description of the rule

Type: A string that contains less than 257 characters, of this set: 0-9, a-z or , . - : () @

destination

Network object that is the target of the connection

destination-negate

If true, the destination is all traffic except what is defined in the destination field

Type: Boolean (true/false)

disabled

Indicates if the rule is disabled

Type: Boolean (true/false)

hours-range-enabled

If true, time is configured

Type: Boolean (true/false)

hours-range-from

Time in the format HH:MM

Type: A time format hh:mm

hours-range-to

Time in the format HH:MM

Type: A time format hh:mm

log

Defines which logging method to use: None - do not log, Log - Create log, Alert - log with alert, Account - account rule

Options: none, log, alert, account

name

name

Type: A string of alphanumeric characters without space between them

position

The order of the rule in comparison to other manual rules

Type: Decimal number

position-above

The order of the rule in comparison to other manual rules

Type: Decimal number

position-below

The order of the rule in comparison to other manual rules

Type: Decimal number

service

The network service object that the rule should match to

service-negate

If true, the service is everything except what is defined in the service field

Type: Boolean (true/false)

source

Network object or user group that initiates the connection

source-negate

If true, the source is all traffic except what is defined in the source field

Type: Boolean (true/false)

vpn

Indicates if traffic is matched on encrypted traffic only or all traffic

Type: Boolean (true/false)

Example

set access-rule type incoming-internal-and-vpn name word action block log none source TEXT source-negate true destination TEXT destination-negate true service TEXT service-negate true disabled true comment "This is a comment." hours-range-enabled true hours-range-from 23:20 hours-range-to 23:20 position 2 name word vpn true

Output

Failure shows an appropriate error message.

show access-rule type incoming-internal-and-vpn

Shows firewall access rules of the incoming/internal/VPN traffic Rule Base.

show access-rule type incoming-internal-and-vpn

Description

Shows a firewall access rule in the incoming/internal/VPN traffic Rule Base according to position.

Syntax

show access-rule type incoming-internal-and-vpn position <position>

Parameters

Parameter

Description

position

The order of a manual rule in comparison to other manual rules

Type: Decimal number

Example

show access-rule type incoming-internal-and-vpn position 2

Output

Failure shows an appropriate error message.

show access-rule type incoming-internal-and-vpn

Description

Shows a firewall access rule in the incoming/internal/VPN traffic Rule Base according to name.

Syntax

show access-rule type incoming-internal-and-vpn name <name>

Parameters

Parameter

Description

name

name

Type: A string of alphanumeric characters without space between them

Example

show access-rule type incoming-internal-and-vpn name word

Output

Failure shows an appropriate error message.

additional-hw-settings

set additional-hw-settings

Description

Configures various hardware settings.

Syntax

set additional-hw-settings [ reset-timeout <reset-timeout> ]

Parameters

Parameter

Description

reset-timeout

Indicates the amount of time (in seconds) that you need to press and hold the factory defaults button on the back panel to restore to the factory defaults image

Type: A number with no fractional part (integer)

Example

set additional-hw-settings reset-timeout 15

Output

Failure shows an appropriate error message.

show additional-hw-settings

Description

Shows advanced hardware-related settings.

Syntax

show additional-hw-settings

Parameters

Parameter

Description

n/a

 

Example

show additional-hw-settings

Output

Failure shows an appropriate error message.

ad-server

add ad-server

Description

Adds a new AD server object.

Syntax

add ad-server domain <domain> ipv4-address <ipv4-address> username <username> password <password> user-dn <user-dn> use-branch-path { true branch-path <branch-path> | false }

Parameters

Parameter

Description

branch-path

The branch of the domain to be used

Type: An LDAP DN

domain

Domain name

Type: Host name

ipv4-address

Domain controller IP address

password

The user’s password

Type: A string that contains alphanumeric and special characters

use-branch-path

Select only if you want to use only part of the user database defined in the Active Directory

Type: Boolean (true/false)

user-dn

FQDN of the user

Type: An LDAP DN

username

A user name with administrator privileges to communicate with the AD server

Type: A string that contains (0-9, a-z, - . @) up to 64 characters without spaces

Example

add ad-server domain myHost.com ipv4-address 192.168.1.1 username admin password a(&7Ba user-dn cn=John Doe,dc=example,dc=com use-branch-path true branch-path cn=John Doe,dc=example,dc=com

Output

Failure shows an appropriate error message.

delete ad-server

Description

Deletes an existing AD server object.

Syntax

delete ad-server <domain>

Parameters

Parameter

Description

domain

Domain name

Type: Host name

Example

delete ad-server myHost.com

Output

Failure shows an appropriate error message.

set ad-server

Description

Configures an existing AD server object.

Syntax

set ad-server <domain> [ ipv4-address <ipv4-address> ] [ username <username> ] [ password <password> ] [ user-dn <user-dn> ] [ use-branch-path { true [ branch-path <branch-path> ] | false } ]

Parameters

Parameter

Description

branch-path

The branch of the domain to be used

Type: An LDAP DN

domain

Domain name

Type: Host name

ipv4-address

Domain controller IP address

password

The user’s password

Type: A string that contains alphanumeric and special characters

use-branch-path

Select only if you want to use only part of the user database defined in the Active Directory

Type: Boolean (true/false)

user-dn

FQDN of the user

Type: An LDAP DN

username

A user name with administrator privileges to communicate with the AD server

Type: A string that contains (0-9, a-z, - . @) up to 64 characters without spaces

Example

set ad-server myHost.com ipv4-address 192.168.1.1 username admin password a(&7Ba user-dn cn=John Doe,dc=example,dc=com use-branch-path true branch-path cn=John Doe,dc=example,dc=com

Output

Failure shows an appropriate error message.

show ad-server

Description

Shows settings of a configured AD server object.

Syntax

show ad-server <domain>

Parameters

Parameter

Description

domain

Domain name

Type: Host name

Example

show ad-server myHost.com

Output

Failure shows an appropriate error message.

show ad-servers

Description

Shows settings of all configured AD server objects.

Syntax

show ad-servers

Parameters

Parameter

Description

n/a

 

Example

show ad-servers

Output

Failure shows an appropriate error message.

address-range

add address-range

Description

Adds a new IP address range object.

Syntax

add address-range name <name> start-ipv4 <start-ipv4> end-ipv4 <end-ipv4> [ dhcp-exclude-ip-addr <dhcp-exclude-ip-addr> ]

Parameters

Parameter

Description

dhcp-exclude-ip-addr

Indicates if the object’s IP address(es) is excluded from internal DHCP daemon

Options: on, off

end-ipv4

The end of the IP range

name

Network Object name

Type: String

start-ipv4

The beginning of the IP range

Example

add address-range name TEXT start-ipv4 192.168.1.1 end-ipv4 192.168.1.1 dhcp-exclude-ip-addr on

Output

Failure shows an appropriate error message.

delete address-range

Description

Deletes an existing address range object.

Syntax

delete address-range <name>

Parameters

Parameter

Description

name

Network Object name

Type: String

Example

delete address-range TEXT

Output

Failure shows an appropriate error message.

set address-range

Description

Configures an existing IP address range object.

Syntax

set address-range <name> [ name <name> ] [ start-ipv4 <start-ipv4> ] [ end-ipv4 <end-ipv4> ] [ dhcp-exclude-ip-addr <dhcp-exclude-ip-addr> ]

Parameters

Parameter

Description

dhcp-exclude-ip-addr

Indicates if the object’s IP address(es) is excluded from internal DHCP daemon

Options: on, off

end-ipv4

The end of the IP range

name

Network Object name

Type: String

start-ipv4

The beginning of the IP range

Example

set address-range TEXT name TEXT start-ipv4 192.168.1.1 end-ipv4 192.168.1.1 dhcp-exclude-ip-addr on

Output

Failure shows an appropriate error message.

show address-range

Description

Shows settings of a configured IP address range object.

Syntax

show address-range <name>

Parameters

Parameter

Description

name

Network Object name

Type: String

Example

show address-range TEXT

Output

Failure shows an appropriate error message.

show address-ranges

Description

Shows settings of all configured IP address range objects.

Syntax

show address-ranges

Parameters

Parameter

Description

n/a

 

Example

show address-ranges

Output

Failure shows an appropriate error message.

admin-access

add admin access

Description

Adds a specific IPv4 address or a network IPv4 address from which the administrator can remotely access the appliance.

Syntax

add admin-access-ipv4-address {single-ipv4-address|network-ipv4-address} <ip_addr> {subnet-mask <netmask>|mask-length <mask_length>}

Parameters

Parameter

Description

ip_addr

IPv4 address

mask_length

Interface mask length, a value between 1 and 32

netmask

Interface IPv4 address subnet mask

Return Value

0 on success, 1 on failure

Example

add admin-access-ipv4-address network-ipv4-address 1.1.1.1 subnet-mask 255.255.255.0

Output

Success shows OK. Failure shows an appropriate error message.

set admin-access

Description

Configures various parameters for administrator access to the device via web/SSH.

Syntax

set admin-access [ interfaces { Wireless access <access> | VPN access <access> | LAN access <access> | any access { allow | block } | WAN access <access> } ] [ web-access-port <web-access-port> ] [ ssh-access-port <ssh-access-port> ] [ support-weak-tls-version <support-weak-tls-version> ] [ allowed-ipv4-addresses <allowed-ipv4-addresses> ]

Parameters

Parameter

Description

access

Enable administrator access from the Internet (clear traffic from external interfaces)

Type: Boolean (true/false)

allowed-ipv4-addresses

Administrator access permissions policy for source IP addresses

Options: any, from-ip-list, any-except-internet

ssh-access-port

SSH Port

Type: Port number

support-weak-tls-version

For security reasons, it is highly recommended never to change this parameter’s value. When enabled, support for TLSv1.0 is added back to the administration portal to allow connectivity with old browsers (usually ones released prior to 2014). Changing the default of this parameter exposes the administration portal to attacks that use vulnerabilities like Heartbleed (CVE-2014-0160).

Type: Boolean (true/false)

web-access-port

Web Port (HTTPS)

Type: Port number

Example

set admin-access interfaces Wireless access true web-access-port 8080 ssh-access-port 8080 support-weak-tls-version true allowed-ipv4-addresses any

Output

Failure shows an appropriate error message.

show admin-access

Description

Shows settings of administrator access configuration.

Syntax

show admin-access

Parameters

Parameter

Description

n/a

 

Example

show admin-access

Output

Failure shows an appropriate error message.

admin-access-ip-addresses

show admin-access-ip-addresses

Description

Shows all the configured IP addresses that are permitted for administrator access to the appliance.

Syntax

show admin-access-ip-addresses

Parameters

Parameter

Description

n/a

 

Example

show admin-access-ip-addresses

Output

Failure shows an appropriate error message.

delete admin-access-ip-address-all

Description

Deletes all the reserved IP addresses for administrator access.

Syntax

delete admin-access-ip-address-all

Parameters

Parameter

Description

n/a

 

Example

delete admin-access-ip-address-all

Output

Failure shows an appropriate error message.

admin-access-ipv4-address

add admin-access-ipv4-address

Adds a specific IPv4 address or an IPv4 address network and mask from which the administrator can remotely access the appliance according to configuration.

add admin-access-ipv4-address

Description

Adds a specific IPv4 address from which the administrator can remotely access the appliance according to configuration.

Syntax

add admin-access-ipv4-address single-ipv4-address <single-ipv4-address>

Parameters

Parameter

Description

single-ipv4-address

IP address

Type: IP address

Example

add admin-access-ipv4-address single-ipv4-address 192.168.1.1

Output

Failure shows an appropriate error message.

add admin-access-ipv4-address

Description

Adds an IPv4 address network and mask from which the administrator can remotely access the appliance according to configuration.

Syntax

add admin-access-ipv4-address network-ipv4-address <network-ipv4-address> { subnet-mask <subnet-mask> | [ mask-length <mask-length> ] }

Parameters

Parameter

Description

mask-length

Subnet mask length

Type: A string that contains numbers only

network-ipv4-address

IP address

Type: IP address

subnet-mask

Subnet mask

Type: Subnet mask

Example

add admin-access-ipv4-address network-ipv4-address 192.168.1.1 subnet-mask 255.255.255.0

Output

Failure shows an appropriate error message.

delete admin-access-ipv4-address

Description

Deletes a specific IPv4 address or an IPv4 network and subnet from which the administrator can remotely access the appliance according to configuration.

Syntax

delete admin-access-ipv4-address <ipv4-address>

Parameters

Parameter

Description

ipv4-address

IP address

Type: IP address

Example

delete admin-access-ipv4-address 192.168.1.1

Output

Failure shows an appropriate error message.

show admin-access-ipv4-addresses

Description

Shows allowed IP addresses for admin access.

Syntax

show admin-access-ipv4-addresses

Parameters

Parameter

Description

n/a

 

Example

show admin-access-ipv4-addresses

Output

Failure shows an appropriate error message.

delete admin-access-ipv4-address-all

Description

Deletes all configured IPv4 addresses from which the administrator can remotely access the appliance according to configuration.

Syntax

delete admin-access-ipv4-address-all

Parameters

Parameter

Description

n/a

 

Example

delete admin-access-ipv4-address-all

Output

Failure shows an appropriate error message.
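How the admin-access commands above combine into a source-restricted configuration, as an added example (not Check Point's own code): the script validates a list of management sources and emits the clish lines with the allow-list entries first and the policy switch last. The function name, the max_hosts threshold, the strict host-bit check and the sample addresses are assumptions of this example; only the command syntax comes from this reference.

```python
import ipaddress

def admin_access_batch(sources, max_hosts=1024):
    """Return clish lines that restrict admin access to the given sources.

    sources: strings such as "192.0.2.10" or "198.51.100.0/24".
    Raises ValueError on a malformed, ambiguous or overly broad entry.
    max_hosts is a hypothetical ceiling chosen for this example.
    """
    lines = []
    for src in sources:
        if "/" not in src:
            ip = ipaddress.IPv4Address(src)  # raises on a malformed address
            lines.append(
                f"add admin-access-ipv4-address single-ipv4-address {ip}")
            continue
        # strict=True rejects entries with host bits set (e.g. 192.168.1.1/24),
        # which are ambiguous between "this host" and "this network".
        net = ipaddress.IPv4Network(src, strict=True)
        # The reference gives the mask length as 1 to 32; /0 is never valid.
        if net.prefixlen < 1 or net.num_addresses > max_hosts:
            raise ValueError(f"{src}: too broad for an admin allow-list")
        lines.append(
            "add admin-access-ipv4-address network-ipv4-address "
            f"{net.network_address} mask-length {net.prefixlen}")
    if not lines:
        raise ValueError("refusing to emit an empty allow-list")
    # Keep TLSv1.0 off on the administration portal (assumed to be the default).
    lines.append("set admin-access support-weak-tls-version false")
    # Switch the policy only after the entries exist, so the list is never
    # enforced while it is still empty.
    lines.append("set admin-access allowed-ipv4-addresses from-ip-list")
    lines.append("show admin-access-ipv4-addresses")
    return lines

if __name__ == "__main__":
    # Constructed sample sources (documentation address ranges).
    print("\n".join(admin_access_batch(["192.0.2.10", "198.51.100.0/24"])))
```

The emitted lines can be saved to a file and loaded from Expert mode with clish -f <file> -v, as described under Running Clish Commands from Expert Mode.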

administrator