add administrator

Description

Adds a new user who can access the administration web portal and SSH.

Syntax

add administrator username <username> [ password-hash <password-hash> ] permission <permission>

Parameters

Parameter

Description

password-hash

Virtual field used for calculating a hashed password

Type: An encrypted password

permission

The administrator role and permissions

Options: read-write, readonly, networking

username

Indicates the administrator user name

Type: A string that contains [A-Z], [0-9], and ’_’ characters

Example

add administrator username admin password-hash TZXPLs20bN0RA permission read-write

Output

Failure shows an appropriate error message.

delete administrator

Description

Deletes an existing defined administrator. The system will not allow deletion of the last administrator.

Syntax

delete administrator username <username>

Parameters

Parameter

Description

username

Indicates the administrator user name

Type: A string that contains [A-Z], [0-9], and ’_’ characters

Example

delete administrator username admin

Output

Failure shows an appropriate error message.

set administrator

Configures an existing user with administrator privileges.

set administrator

Description

Configures a new password for an existing administrator. You will be prompted to add a new password following this command (this command cannot be used in a script).

Syntax

set administrator username <username> password

Parameters

Parameter

Description

username

Indicates the administrator user name

Type: A string that contains [A-Z], [0-9], and ’_’ characters

Example

set administrator username admin password

Output

Failure shows an appropriate error message.

set administrator

Description

Configures an existing administrator’s permission level and password (by hash).

Syntax

set administrator username <username> permission <permission> [ password-hash <password-hash> ]

Parameters

Parameter

Description

password-hash

Virtual field used for calculating a hashed password

Type: An encrypted password

permission

The administrator role and permissions

Options: read-write, readonly, networking

username

Indicates the administrator user name

Type: A string that contains [A-Z], [0-9], and ’_’ characters

Example

set administrator username admin permission read-write password-hash TZXPLs20bN0RA

Output

Failure shows an appropriate error message.

set administrators

Configure users with administrator privileges through a RADIUS server.

set administrators

Description

Configures users with administrator privileges through a RADIUS server.

Syntax

set administrators radius-auth { true [ use-radius-groups { true radius-groups <radius-groups> | false } ] [ permission <permission> ] | false }

Parameters

Parameter

Description

permission

Administrators role

Options: read-write, readonly, networking

radius-auth

Administrators RADIUS authentication

Type: Boolean (true/false)

radius-groups

RADIUS groups for authentication. Example: RADIUS-group1, RADIUS-class2

Type: A string that contains [A-Z], [0-9], ’-’, ’@’, ’.’, ’_’, ’,’ and space characters

use-radius-groups

Use RADIUS groups for authentication

Type: Boolean (true/false)

Example

set administrators radius-auth true use-radius-groups true radius-groups My group permission read-write

Output

Failure shows an appropriate error message.

show administrator

Description

Shows settings of an existing user with administrator privileges.

Syntax

show administrator username <username>

Parameters

Parameter

Description

username

Indicates the administrator user name

Type: A string that contains [A-Z], [0-9], and ’_’ characters

Example

show administrator username admin

Output

Failure shows an appropriate error message.

show administrators

Shows settings of all users with administrator privileges.

show administrators

Description

Shows settings of all users with administrator privileges.

Syntax

show administrators

Parameters

Parameter

Description

n/a

 

Example

show administrators

Output

Failure shows an appropriate error message.

show administrators

Description

Shows advanced settings of all users with administrator privileges.

Syntax

show administrators advanced-settings

Parameters

Parameter

Description

n/a

 

Example

show administrators advanced-settings

Output

Failure shows an appropriate error message.

administrators radius-auth

show administrators radius-auth

Description

Shows RADIUS related settings for users with administrator privileges.

Syntax

show administrators radius-auth

Parameters

Parameter

Description

n/a

 

Example

show administrators radius-auth

Output

Failure shows an appropriate error message.

administrator session-settings

set administrator session-settings

Description

Configures session settings for administrators. The settings are global for all administrators.

Syntax

set administrator session-settings [ lockout-enable <lockout-enable> ] [ max-lockout-attempts <max-lockout-attempts> ] [ lock-period <lock-period> ] [ inactivity-timeout <inactivity-timeout> ] [ password-complexity-level <password-complexity-level> ] [ password-expiration-timeout <password-expiration-timeout> ]

Parameters

Parameter

Description

inactivity-timeout

Allowed web interface session idle time before automatic logout is executed (in minutes)

Type: A number with no fractional part (integer)

lock-period

Once locked out, the administrator will be unable to log in for this long

Type: A number with no fractional part (integer)

lockout-enable

Limit administrators login failure attempts

Options: on, off

max-lockout-attempts

The maximum number of consecutive login failure attempts before the administrator is locked out

Type: A number with no fractional part (integer)

password-complexity-level

Set of additional restrictions on administrator passwords, according to the selected mode

Options: low, high

password-expiration-timeout

Number of days before the administrator is required to change the password. Takes effect only if the password complexity level is set to ’high’

Type: A number with no fractional part (integer)

Example

set administrator session-settings lockout-enable on max-lockout-attempts 5 lock-period 5 inactivity-timeout 5 password-complexity-level low password-expiration-timeout 5

Output

Failure shows an appropriate error message.
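
The following is an added example, not part of the original reference or of the vendor's tooling: a Python check that parses `set administrator session-settings` lines from a change script and reports settings that weaken administrator login policy, including the case stated above where `password-expiration-timeout` is set but the complexity level is not `high`. Parameter names and option values are taken from this page; the function names, finding codes and the "later line wins" merge rule are assumptions of the example.

```python
import re
import shlex

# Names, option lists and integer types come from the reference above.
PREFIX = ["set", "administrator", "session-settings"]
OPTIONS = {
    "lockout-enable": ("on", "off"),
    "password-complexity-level": ("low", "high"),
}
INTEGERS = {
    "max-lockout-attempts",
    "lock-period",
    "inactivity-timeout",
    "password-expiration-timeout",
}

# The reference's own example, joined onto one line.
PAGE_EXAMPLE = (
    "set administrator session-settings lockout-enable on "
    "max-lockout-attempts 5 lock-period 5 inactivity-timeout 5 "
    "password-complexity-level low password-expiration-timeout 5"
)


def parse_session_settings(line):
    """Parse one CLI line into {parameter: value}.

    Returns None for any other command; raises ValueError for an unknown
    parameter, a missing value, or a value of the wrong type.
    """
    tokens = shlex.split(line)
    if tokens[:3] != PREFIX:
        return None
    rest = tokens[3:]
    if len(rest) % 2:
        raise ValueError(f"parameter without a value: {rest[-1]}")
    settings = {}
    for name, value in zip(rest[::2], rest[1::2]):
        if name in OPTIONS:
            if value not in OPTIONS[name]:
                raise ValueError(f"{name}: {value!r} not in {OPTIONS[name]}")
            settings[name] = value
        elif name in INTEGERS:
            if not re.fullmatch(r"-?[0-9]+", value):
                raise ValueError(f"{name}: {value!r} is not an integer")
            settings[name] = int(value)
        else:
            raise ValueError(f"unknown parameter: {name}")
    return settings


def effective_settings(lines):
    """Fold a command sequence into the resulting settings.

    Assumption: commands apply in order and a later value replaces an
    earlier one; parameters never mentioned stay out of the result.
    """
    merged = {}
    for line in lines:
        parsed = parse_session_settings(line)
        if parsed:
            merged.update(parsed)
    return merged


def audit(settings):
    """Return (code, message) findings for the resulting settings."""
    findings = []
    if settings.get("lockout-enable") == "off":
        findings.append(("LOCKOUT_OFF",
                         "failed administrator logins are not limited"))
    level = settings.get("password-complexity-level")
    if level == "low":
        findings.append(("LOW_COMPLEXITY",
                         "password-complexity-level is low"))
    # A level that these lines never set is unknown, so it is flagged too.
    if "password-expiration-timeout" in settings and level != "high":
        findings.append(("EXPIRATION_INACTIVE",
                         "password-expiration-timeout takes effect only "
                         "when password-complexity-level is high"))
    return findings


if __name__ == "__main__":
    # Constructed change script: the page's example, then a follow-up line.
    script = [
        PAGE_EXAMPLE,
        "set administrator session-settings password-complexity-level high",
    ]
    for label, lines in (("example only", script[:1]), ("with follow-up", script)):
        print(label, [code for code, _ in audit(effective_settings(lines))])
```
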

show administrator session-settings

Description

Shows session settings for users with administrator privileges.

Syntax

show administrator session-settings

Parameters

Parameter

Description

n/a

 

Example

show administrator session-settings

Output

Failure shows an appropriate error message.

show adsl statistics

Description

Shows statistics regarding the DSL internet connection (applicable on appliance models with DSL).

Syntax

show adsl statistics

Parameters

Parameter

Description

n/a

 

Example

show adsl statistics

Output

Failure shows an appropriate error message.

aggressive-aging

set aggressive-aging

Configures the behavior of the aggressive aging feature. Aggressive Aging is designed to optimize how the device handles a large number of connections by aggressively reducing the timeout of existing connections when necessary.

set aggressive-aging

Description

Configures aggressive aging default reduced timeouts.

Syntax

set aggressive-aging [ icmp-timeout <icmp-timeout> ] [ icmp-timeout-enable <icmp-timeout-enable> ] [ other-timeout <other-timeout> ] [ other-timeout-enable <other-timeout-enable> ] [ pending-timeout <pending-timeout> ] [ pending-timeout-enable <pending-timeout-enable> ] [ tcp-end-timeout <tcp-end-timeout> ] [ tcp-end-timeout-enable <tcp-end-timeout-enable> ] [ tcp-start-timeout <tcp-start-timeout> ] [ tcp-start-timeout-enable <tcp-start-timeout-enable> ] [ tcp-timeout <tcp-timeout> ] [ tcp-timeout-enable <tcp-timeout-enable> ] [ udp-timeout <udp-timeout> ] [ udp-timeout-enable <udp-timeout-enable> ] [ general <general> ] [ log <log> ] [ connt-limit-high-watermark-pct <connt-limit-high-watermark-pct> ] [ connt-mem-high-watermark-pct <connt-mem-high-watermark-pct> ] [ memory-conn-status <memory-conn-status> ]

Parameters

Parameter

Description

connt-limit-high-watermark-pct

Connection table percentage limit

Type: A number with no fractional part (integer)

connt-mem-high-watermark-pct

Memory consumption percentage limit

Type: A number with no fractional part (integer)

general

Enable aggressive aging of connections

Type: Boolean (true/false)

icmp-timeout

ICMP connections reduced timeout

Type: A number with no fractional part (integer)

icmp-timeout-enable

Enable reduced timeout for ICMP connections

Type: Boolean (true/false)

log

Tracking options for aggressive aging

Options: log, none

memory-conn-status

Choose when aggressive aging timeouts are enforced

Options: both, connections, memory

other-timeout

Other IP protocols reduced timeout

Type: A number with no fractional part (integer)

other-timeout-enable

Enable reduced timeout for non TCP/UDP/ICMP connections

Type: Boolean (true/false)

pending-timeout

Pending Data connections reduced timeout

Type: A number with no fractional part (integer)

pending-timeout-enable

Enable reduced timeout for non TCP/UDP/ICMP connections

Type: Boolean (true/false)

tcp-end-timeout

TCP termination reduced timeout

Type: A number with no fractional part (integer)

tcp-end-timeout-enable

Enable reduced timeout for TCP termination

Type: Boolean (true/false)

tcp-start-timeout

TCP handshake reduced timeout

Type: A number with no fractional part (integer)

tcp-start-timeout-enable

Enable reduced timeout for TCP handshake

Type: Boolean (true/false)

tcp-timeout

TCP session reduced timeout

Type: A number with no fractional part (integer)

tcp-timeout-enable

Enable reduced timeout for TCP session

Type: Boolean (true/false)

udp-timeout

UDP connections reduced timeout

Type: A number with no fractional part (integer)

udp-timeout-enable

Enable reduced timeout for UDP connections

Type: Boolean (true/false)

Example

set aggressive-aging icmp-timeout 30 icmp-timeout-enable true other-timeout 30 other-timeout-enable true pending-timeout 30 pending-timeout-enable true tcp-end-timeout 3600 tcp-end-timeout-enable true tcp-start-timeout 3600 tcp-start-timeout-enable true tcp-timeout 3600 tcp-timeout-enable true udp-timeout 3600 udp-timeout-enable true general true log log connt-limit-high-watermark-pct 80 connt-mem-high-watermark-pct 80 memory-conn-status both

Output

Failure shows an appropriate error message.

set aggressive-aging

Description

Configures aggressive aging advanced settings.

Syntax

set aggressive-aging advanced-settings connections [ other-timeout-enable <other-timeout-enable> ] [ connt-limit-high-watermark-pct <connt-limit-high-watermark-pct> ] [ tcp-start-timeout-enable <tcp-start-timeout-enable> ] [ icmp-timeout-enable <icmp-timeout-enable> ] [ general <general> ] [ tcp-timeout-enable <tcp-timeout-enable> ] [ tcp-timeout <tcp-timeout> ] [ tcp-start-timeout <tcp-start-timeout> ] [ udp-timeout-enable <udp-timeout-enable> ] [ udp-timeout <udp-timeout> ] [ pending-timeout-enable <pending-timeout-enable> ] [ log <log> ] [ connt-mem-high-watermark-pct <connt-mem-high-watermark-pct> ] [ tcp-end-timeout-enable <tcp-end-timeout-enable> ] [ icmp-timeout <icmp-timeout> ] [ tcp-end-timeout <tcp-end-timeout> ] [ memory-conn-status <memory-conn-status> ] [ pending-timeout <pending-timeout> ] [ other-timeout <other-timeout> ]

Parameters

Parameter

Description

n/a

 

Example

set aggressive-aging advanced-settings connections other-timeout-enable true connt-limit-high-watermark-pct -1000000 tcp-start-timeout-enable true icmp-timeout-enable true general true tcp-timeout-enable true tcp-timeout -1000000 tcp-start-timeout -1000000 udp-timeout-enable true udp-timeout -1000000 pending-timeout-enable true log log connt-mem-high-watermark-pct -1000000 tcp-end-timeout-enable true icmp-timeout -1000000 tcp-end-timeout -1000000 memory-conn-status both pending-timeout -1000000 other-timeout -1000000

Output

Failure shows an appropriate error message.

show aggressive-aging

Shows aggressive aging settings.

show aggressive-aging

Description

Shows aggressive aging settings.

Syntax

show aggressive-aging

Parameters

Parameter

Description

n/a

 

Example

show aggressive-aging

Output

Failure shows an appropriate error message.

show aggressive-aging

Description

Shows aggressive aging advanced settings.

Syntax

show aggressive-aging advanced-settings

Parameters

Parameter

Description

n/a

 

Example

show aggressive-aging advanced-settings

Output

Failure shows an appropriate error message.

antispam

set antispam

Configures policy for Anti-Spam blade.

set antispam

Description

Configures the policy for Anti-Spam blade.

Syntax

set antispam [ mode <mode> ] [ detection-method <detection-method> ] [ log <log> ] [ action-spam-email-content <action-spam-email-content> ] [ flag-subject-stamp <flag-subject-stamp> ] [ detect-mode <detect-mode> ] [ specify-suspected-spam-settings { true [ suspected-spam-log <suspected-spam-log> ] [ action-suspected-spam-email-content <action-suspected-spam-email-content> ] [ flag-suspected-spam-subject-stamp <flag-suspected-spam-subject-stamp> ] | false } ]

Parameters

Parameter

Description

action-spam-email-content

Action to be used upon spam detection in email content: block, flag-header, flag-subject

Options: block, flag-header, flag-subject

action-suspected-spam-email-content

Action to be used upon suspected spam detection in email content: block, flag-header, flag-subject

Options: block, flag-header, flag-subject

detect-mode

Detect-Only mode: on, off

Type: Boolean (true/false)

detection-method

Type of spam detection: either the sender’s IP address only, or both the sender’s IP address and content-based detection

Options: email-content, sender-ipaddr-reputation-only

flag-subject-stamp

Text to add to spam emails’ subject (depends on action chosen for detected spam)

Type: A string of alphanumeric characters with space between them

flag-suspected-spam-subject-stamp

Text to add to suspected spam emails subject (depends on action chosen for detected spam)

Type: A string of alphanumeric characters with space between them

log

Tracking options for spam emails: log, alert or none

Options: none, log, alert

mode

Anti-Spam blade mode: on, off

Options: on, off

specify-suspected-spam-settings

Handle suspected spam emails differently from spam emails

Type: Boolean (true/false)

suspected-spam-log

Tracking options for suspected spam emails: log, alert or none

Options: none, log, alert

Example

set antispam mode on detection-method email-content log none action-spam-email-content block flag-subject-stamp several words detect-mode true specify-suspected-spam-settings true suspected-spam-log none action-suspected-spam-email-content block flag-suspected-spam-subject-stamp several words

Output

Failure shows an appropriate error message.

set antispam

Description

Configures an advanced setting for the Anti-Spam blade.

Syntax

set antispam advanced-settings ip-rep-fail-open <ip-rep-fail-open>

Parameters

Parameter

Description

n/a

 

Example

set antispam advanced-settings ip-rep-fail-open true

Output

Failure shows an appropriate error message.

set antispam

Description

Configures an advanced setting for the Anti-Spam blade.

Syntax

set antispam advanced-settings email-size-scan <email-size-scan>

Parameters

Parameter

Description

n/a

 

Example

set antispam advanced-settings email-size-scan 1024

Output

Failure shows an appropriate error message.

set antispam

Description

Configures an advanced setting for the Anti-Spam blade.

Syntax

set antispam advanced-settings scan-outgoing <scan-outgoing>

Parameters

Parameter

Description

n/a

 

Example

set antispam advanced-settings scan-outgoing true

Output

Failure shows an appropriate error message.

set antispam

Description

Configures an advanced setting for the Anti-Spam blade.

Syntax

set antispam advanced-settings spam-engine-timeout <spam-engine-timeout>

Parameters

Parameter

Description

n/a

 

Example

set antispam advanced-settings spam-engine-timeout 15

Output

Failure shows an appropriate error message.

set antispam

Description

Configures an advanced setting for the Anti-Spam blade.

Syntax

set antispam advanced-settings allow-mail-track <allow-mail-track>

Parameters

Parameter

Description

n/a

 

Example

set antispam advanced-settings allow-mail-track none

Output

Failure shows an appropriate error message.

set antispam

Description

Configures an advanced setting for the Anti-Spam blade.

Syntax

set antispam advanced-settings transparent-proxy <transparent-proxy>

Parameters

Parameter

Description

n/a

 

Example

set antispam advanced-settings transparent-proxy true

Output

Failure shows an appropriate error message.

set antispam

Description

Configures an advanced setting for the Anti-Spam blade.

Syntax

set antispam advanced-settings ip-rep-timeout <ip-rep-timeout>

Parameters

Parameter

Description

n/a

 

Example

set antispam advanced-settings ip-rep-timeout 15

Output

Failure shows an appropriate error message.

set antispam

Description

Configures an advanced setting for the Anti-Spam blade.

Syntax

set antispam advanced-settings spam-engine-all-mail-track <spam-engine-all-mail-track>

Parameters

Parameter

Description

n/a

 

Example

set antispam advanced-settings spam-engine-all-mail-track none

Output

Failure shows an appropriate error message.

show antispam

Shows the configured policy for the Anti-Spam blade.

show antispam

Description

Shows the configured policy for the Anti-Spam blade.

Syntax

show antispam

Parameters

Parameter

Description

n/a

 

Example

show antispam

Output

Failure shows an appropriate error message.

show antispam

Description

Shows the advanced settings in the configured policy for the Anti-Spam blade.

Syntax

show antispam advanced-settings

Parameters

Parameter

Description

n/a

 

Example

show antispam advanced-settings

Output

Failure shows an appropriate error message.

antispam allowed-sender

add antispam allowed-sender

Adds a new Anti-Spam "allow" exception.

add antispam allowed-sender

Description

Adds a new Anti-Spam "allow" exception for a specific IP address.

Syntax

add antispam allowed-sender ipv4-addr <ipv4-addr>

Parameters

Parameter

Description

ipv4-addr

Anti-Spam allowed IP address

Type: IP address

Example

add antispam allowed-sender ipv4-addr 192.168.1.1

Output

Failure shows an appropriate error message.

add antispam allowed-sender

Description

Adds a new Anti-Spam "allow" exception for a sender email or domain.

Syntax

add antispam allowed-sender sender-or-domain <sender-or-domain>

Parameters

Parameter

Description

sender-or-domain

Anti-Spam allowed domain or sender

Type: A domain or email address

Example

add antispam allowed-sender sender-or-domain myEmail@mail.com

Output

Failure shows an appropriate error message.

delete antispam allowed-sender

Deletes an existing Anti-Spam “allow” exception.

delete antispam allowed-sender

Description

Deletes all existing Anti-Spam “allow” exceptions.

Syntax

delete antispam allowed-sender all

Parameters

Parameter

Description

n/a

 

Example

delete antispam allowed-sender all

Output

Failure shows an appropriate error message.

delete antispam allowed-sender

Description

Deletes an existing Anti-Spam “allow” exception for sender’s email or domain.

Syntax

delete antispam allowed-sender sender-or-domain <sender-or-domain>

Parameters

Parameter

Description

sender-or-domain

Anti-Spam allowed domain or sender

Type: A domain name or email address

Example

delete antispam allowed-sender sender-or-domain myEmail@mail.com

Output

Failure shows an appropriate error message.

delete antispam allowed-sender

Description

Deletes an existing Anti-Spam “allow” exception for a specific IPv4 address.

Syntax

delete antispam allowed-sender ipv4-addr <ipv4-addr>

Parameters

Parameter

Description

ipv4-addr

Anti-Spam allowed IP address

Type: IP address

Example

delete antispam allowed-sender ipv4-addr 192.168.1.1

Output

Failure shows an appropriate error message.

show antispam allowed-senders

Description

Shows the “allowed” exceptions for the Anti-Spam blade.

Syntax

show antispam allowed-senders

Parameters

Parameter

Description

n/a

 

Example

show antispam allowed-senders

Output

Failure shows an appropriate error message.

antispam blocked-sender

add antispam blocked-sender

Adds a new Anti-Spam "block" exception.

add antispam blocked-sender

Description

Adds a new Anti-Spam "block" exception for a specific IP address.

Syntax

add antispam blocked-sender ipv4-addr <ipv4-addr>

Parameters

Parameter

Description

ipv4-addr

Anti-Spam blocked IP address

Type: IP address

Example

add antispam blocked-sender ipv4-addr 192.168.1.1

Output

Failure shows an appropriate error message.

add antispam blocked-sender

Description

Adds a new Anti-Spam "block" exception for a sender email or domain.

Syntax

add antispam blocked-sender sender-or-domain <sender-or-domain>

Parameters

Parameter

Description

sender-or-domain

Anti-Spam blocked domain or sender

Type: A domain name or email address

Example

add antispam blocked-sender sender-or-domain myEmail@mail.com

Output

Failure shows an appropriate error message.

delete antispam blocked-sender

Deletes an existing Anti-Spam "block" exception.

delete antispam blocked-sender

Description

Deletes all existing Anti-Spam “block” exceptions.

Syntax

delete antispam blocked-sender all

Parameters

Parameter

Description

n/a

 

Example

delete antispam blocked-sender all

Output

Failure shows an appropriate error message.

delete antispam blocked-sender

Description

Deletes an existing Anti-Spam “block” exception for sender’s email or domain.

Syntax

delete antispam blocked-sender sender-or-domain <sender-or-domain>

Parameters

Parameter

Description

sender-or-domain

Anti-Spam blocked domain or sender

Type: A domain name or email address

Example

delete antispam blocked-sender sender-or-domain myEmail@mail.com

Output

Failure shows an appropriate error message.

delete antispam blocked-sender

Description

Deletes an existing Anti-Spam “block” exception for a specific IPv4 address.

Syntax

delete antispam blocked-sender ipv4-addr <ipv4-addr>

Parameters

Parameter

Description

ipv4-addr

Anti-Spam blocked IP address

Type: IP address

Example

delete antispam blocked-sender ipv4-addr 192.168.1.1

Output

Failure shows an appropriate error message.

show antispam blocked-senders

Description

Shows the “blocked” exceptions for the Anti-Spam blade.

Syntax

show antispam blocked-senders

Parameters

Parameter

Description

n/a

 

Example

show antispam blocked-senders

Output

Failure shows an appropriate error message.

application

add application

Adds a new custom application object (string or regular expression signature over URL).

add application

Description

Adds a new custom application object (string or regular expression signature over URL).

Syntax

add application application-name <application-name> category <category> [ regex-url <regex-url> ] application-url <application-url>

Parameters

Parameter

Description

application-name

Application name

Type: URL

application-url

Contains the URLs related to this application

category

The primary category for the application (the category which is the most relevant)

regex-url

Indicates if regular expressions are used instead of partial strings

Type: Boolean (true/false)

Example

add application application-name http://somehost.example.com category TEXT regex-url true application-url http://somehost.example.com

Output

Failure shows an appropriate error message.

add application

Description

Simplified method for adding a new custom application object (string over URL)

Syntax

add application-url <application-url>

Parameters

Parameter

Description

application-url

Application URL

Example

add application-url http://somehost.example.com

Output

Failure shows an appropriate error message.

delete application

Deletes an existing custom application object (string or regular expression signature over URL).

delete application

Description

Deletes an existing custom application object by application ID.

Syntax

delete application application-id <application-id>

Parameters

Parameter

Description

application-id

The ID of the application

Type: A number with no fractional part (integer)

Example

delete application application-id 1000000

Output

Failure shows an appropriate error message.

delete application

Description

Deletes an existing custom application object by application name.

Syntax

delete application application-name <application-name>

Parameters

Parameter

Description

application-name

Application name

Type: URL

Example

delete application application-name http://somehost.example.com

Output

Failure shows an appropriate error message.

find application

Description

Finds an application by name (or partial string) and shows further details about it.

Syntax

find application <application-name>

Parameters

Parameter

Description

application-name

Application or group name

Type: String

Example

find application TEXT

Output

Failure shows an appropriate error message.

set application

Configures an existing custom application object.

set application

Description

Adds a URL to an existing custom application object by name.

Syntax

set application application-name <application-name> add url <url>

Parameters

Parameter

Description

application-name

Application name

Type: URL

url

Application URL

Example

set application application-name http://somehost.example.com add url http://somehost.example.com

Output

Failure shows an appropriate error message.

set application

Description

Removes a URL from an existing custom application object by name.

Syntax

set application application-name <application-name> remove url <url>

Parameters

Parameter

Description

application-name

Application name

Type: URL

url

Application URL

Example

set application application-name http://somehost.example.com remove url http://somehost.example.com

Output

Failure shows an appropriate error message.

set application

Description

Adds a URL to an existing custom application object by ID.

Syntax

set application application-id <application-id> add url <url>

Parameters

Parameter

Description

application-id

The ID of the application

Type: A number with no fractional part (integer)

url

Application URL

Example

set application application-id 12345678 add url http://somehost.example.com

Output

Failure shows an appropriate error message.

set application

Description

Removes a URL from an existing custom application object by ID.

Syntax

set application application-id <application-id> remove url <url>

Parameters

Parameter

Description

application-id

The ID of the application

Type: A number with no fractional part (integer)

url

Application URL

Example

set application application-id 12345678 remove url http://somehost.example.com

Output

Failure shows an appropriate error message.

set application

Description

Adds a category to an existing custom application object by name.

Syntax

set application application-name <application-name> add category <category>

Parameters

Parameter

Description

application-name

Application name

Type: URL

category

Category name

Example

set application application-name http://somehost.example.com add category TEXT

Output

Failure shows an appropriate error message.

set application

Description

Removes a category from an existing custom application object by name.

Syntax

set application application-name <application-name> remove category <category>

Parameters

Parameter

Description

application-name

Application name

Type: URL

category

Category name

Example

set application application-name http://somehost.example.com remove category TEXT

Output

Failure shows an appropriate error message.

set application

Description

Adds a category to an existing custom application object by ID.

Syntax

set application application-id <application-id> add category <category>

Parameters

Parameter

Description

application-id

The ID of the application

Type: A number with no fractional part (integer)

category

Category name

Example

set application application-id 12345678 add category TEXT

Output

Failure shows an appropriate error message.

set application

Description

Removes a category from an existing custom application object by ID.

Syntax

set application application-id <application-id> remove category <category>

Parameters

Parameter

Description

application-id

The ID of the application

Type: A number with no fractional part (integer)

category

Category name

Example

set application application-id 12345678 remove category TEXT

Output

Failure shows an appropriate error message.

set application

Description

Configures an existing custom application by ID.

Syntax

set application application-id <application-id> [ category <category> ] [ regex-url <regex-url> ]

Parameters

Parameter

Description

application-id

The ID of the application

Type: A number with no fractional part (integer)

category

The primary category for the application (the category which is the most relevant)

regex-url

Indicates if regular expressions are used instead of partial strings

Type: Boolean (true/false)

Example

set application application-id 12345678 category TEXT regex-url true

Output

Failure shows an appropriate error message.

set application

Description

Configures an existing custom application by name.

Syntax

set application application-name <application-name> [ category <category> ] [ regex-url <regex-url> ]

Parameters

Parameter

Description

application-name

Application name

Type: URL

category

The primary category for the application (the category which is the most relevant)

regex-url

Indicates if regular expressions are used instead of partial strings

Type: Boolean (true/false)

Example

set application application-name http://somehost.example.com category TEXT regex-url true

Output

Failure shows an appropriate error message.

show application

Shows details for a specific application in the Application Control database.

show application

Description

Shows details for a specific application in the Application Control database by application name.

Syntax

show application application-name <application-name>

Parameters

Parameter

Description

application-name

Application or group name

Type: String

Example

show application application-name TEXT

Output

Failure shows an appropriate error message.

show application

Description

Shows details for a specific application in the Application Control database by application ID.

Syntax

show application application-id <application-id>

Parameters

Parameter

Description

application-id

The ID of the application or the group

Type: A number with no fractional part (integer)

Example

show application application-id 12345678

Output

Failure shows an appropriate error message.

show applications

Description

Shows details of all applications.

Syntax

show applications

Parameters

Parameter

Description

n/a

 

Example

show applications

Output

Failure shows an appropriate error message.

application-control

set application-control

Description

Configures the default policy for the Application Control and URL filtering blades.

Syntax

set application-control [ mode <mode> ] [ url-flitering-only <url-flitering-only> ] [ block-security-categories <block-security-categories> ] [ block-inappropriate-content <block-inappropriate-content> ] [ block-other-undesired-applications <block-other-undesired-applications> ] [ block-file-sharing-applications <block-file-sharing-applications> ] [ limit-bandwidth { true [ limit-upload { true set-limit <set-limit> | false } ] [ limit-download { true set-limit <set-limit> | false } ] | false } ]

Parameters

Parameter

Description

block-file-sharing-applications

Block file sharing using torrents and peer-to-peer applications

Type: Boolean (true/false)

block-inappropriate-content

Control content by blocking Internet access to websites with inappropriate content such as sex, violence, weapons, gambling, and alcohol

Type: Boolean (true/false)

block-other-undesired-applications

Manually add and block applications or categories of URLs to a group of undesired applications

Type: Boolean (true/false)

block-security-categories

Block applications and URLs that can be a security risk and are categorized as spyware, phishing, botnet, spam, anonymizer, or hacking

Type: Boolean (true/false)

limit-bandwidth

Indicates if applications that use a lot of bandwidth are limited (also used for QoS)

Type: Boolean (true/false)

limit-download

If true, traffic for downloading is limited to the value in maxLimitedDownload

Type: Boolean (true/false)

limit-upload

If true, traffic for uploading is limited to the value in maxLimitedDownload

Type: Boolean (true/false)

mode

Applications & URLs mode - true for on, false for off

Type: Boolean (true/false)

set-limit

The limit, in kbps, for downloading

Type: A number with no fractional part (integer)

url-flitering-only

Indicates if URL Filtering and detection only mode is enabled

Type: Boolean (true/false)

Example

set application-control mode true url-flitering-only true block-security-categories true block-inappropriate-content true block-other-undesired-applications true block-file-sharing-applications true limit-bandwidth true limit-upload true set-limit 5 limit-download true set-limit 100

Output

Failure shows an appropriate error message.

show application-control

Description

Shows the configured policy for the Application Control blade.

Syntax

show application-control

Parameters

Parameter

Description

n/a

 

Example

show application-control

Output

Failure shows an appropriate error message.

show application-control other-undesired-applications

Description

Shows the content of the custom “Other Undesired Applications” group. This group can be chosen to be blocked by default by the Application Control policy.

Syntax

show application-control other-undesired-applications

Parameters

Parameter

Description

n/a

 

Example

show application-control other-undesired-applications

Output

Failure shows an appropriate error message.

application-control-engine-settings

set application-control-engine-settings

Configures Application Control blade’s advanced engine settings.

set application-control-engine-settings

Description

Configures Application Control blade’s advanced engine settings.

Syntax

set application-control-engine-settings advanced-settings fail-mode <fail-mode>

Parameters

Parameter

Description

n/a

 

Example

set application-control-engine-settings advanced-settings fail-mode allow-all-requests

Output

Failure shows an appropriate error message.

set application-control-engine-settings

Description

Configures Application Control blade’s advanced engine settings.

Syntax

set application-control-engine-settings advanced-settings block-requests-when-web-service-unavailable <block-requests-when-web-service-unavailable>

Parameters

Parameter

Description

n/a

 

Example

set application-control-engine-settings advanced-settings block-requests-when-web-service-unavailable true

Output

Failure shows an appropriate error message.

set application-control-engine-settings

Description

Configures Application Control blade’s advanced engine settings.

Syntax

set application-control-engine-settings advanced-settings enforce-safe-search <enforce-safe-search>

Parameters

Parameter

Description

n/a

 

Example

set application-control-engine-settings advanced-settings enforce-safe-search true

Output

Failure shows an appropriate error message.

set application-control-engine-settings

Description

Configures Application Control blade’s advanced engine settings.

Syntax

set application-control-engine-settings advanced-settings web-site-categorization-mode <web-site-categorization-mode>

Parameters

Parameter

Description

n/a

 

Example

set application-control-engine-settings advanced-settings web-site-categorization-mode background

Output

Failure shows an appropriate error message.

set application-control-engine-settings

Description

Configures Application Control blade’s advanced engine settings.

Syntax

set application-control-engine-settings advanced-settings track-browse-time <track-browse-time>

Parameters

Parameter

Description

n/a

 

Example

set application-control-engine-settings advanced-settings track-browse-time true

Output

Failure shows an appropriate error message.

set application-control-engine-settings

Description

Configures Application Control blade’s advanced engine settings.

Syntax

set application-control-engine-settings advanced-settings http-referrer-identification <http-referrer-identification>

Parameters

Parameter

Description

n/a

 

Example

set application-control-engine-settings advanced-settings http-referrer-identification true

Output

Failure shows an appropriate error message.

set application-control-engine-settings

Description

Configures Application Control blade’s advanced engine settings.

Syntax

set application-control-engine-settings advanced-settings categorize-cached-and-translated-pages <categorize-cached-and-translated-pages>

Parameters

Parameter

Description

n/a

 

Example

set application-control-engine-settings advanced-settings categorize-cached-and-translated-pages true

Output

Failure shows an appropriate error message.

show application-control-engine-settings

Description

Shows advanced settings of the Application Control blade.

Syntax

show application-control-engine-settings advanced-settings

Parameters

Parameter

Description

n/a

 

Example

show application-control-engine-settings advanced-settings

Output

Failure shows an appropriate error message.

application-group

add application-group

Description

Adds a new group object for applications.

Syntax

add application-group name <name>

Parameters

Parameter

Description

name

Application group name

Type: A string that begins with a letter and contains up to 32 alphanumeric (0-9, a-z, _ - . &) characters without spaces

Example

add application-group name users

Output

Failure shows an appropriate error message.

delete application-group

Deletes an existing group object of applications.

delete application-group

Description

Deletes an existing group object of applications by group object name.

Syntax

delete application-group name <name>

Parameters

Parameter

Description

name

Application group name

Type: A string that begins with a letter and contains up to 32 alphanumeric (0-9, a-z, _ - . &) characters without spaces

Example

delete application-group name users

Output

Failure shows an appropriate error message.

delete application-group

Description

Deletes an existing group object of applications by group object ID.

Syntax

delete application-group application-group-id <application-group-id>

Parameters

Parameter

Description

application-group-id

The ID of the application group

Type: A number with no fractional part (integer)

Example

delete application-group application-group-id 12345678

Output

Failure shows an appropriate error message.

set application-group

Configures an existing application group object.

set application-group

Description

Adds an application to an existing application group object by application’s name.

Syntax

set application-group name <name> add application-name <application-name>

Parameters

Parameter

Description

application-name

Application or group name

name

Application group name

Type: A string that begins with a letter and contains up to 32 alphanumeric (0-9, a-z, _ - . &) characters without spaces

Example

set application-group name users add application-name hasMany

Output

Failure shows an appropriate error message.

set application-group

Description

Removes an application from an existing application group object by application’s name.

Syntax

set application-group name <name> remove application-name <application-name>

Parameters

Parameter

Description

application-name

Application or group name

name

Application group name

Type: A string that begins with a letter and contains up to 32 alphanumeric (0-9, a-z, _ - . &) characters without spaces

Example

set application-group name users remove application-name hasMany

Output

Failure shows an appropriate error message.

set application-group

Description

Adds an application to an existing application group object by application’s ID.

Syntax

set application-group name <name> add application-id <application-id>

Parameters

Parameter

Description

application-id

The ID of the application or the group

name

Application group name

Type: A string that begins with a letter and contains up to 32 alphanumeric (0-9, a-z, _ - . &) characters without spaces

Example

set application-group name users add application-id hasMany

Output

Failure shows an appropriate error message.

set application-group

Description

Removes an application from an existing application group object by application’s ID.

Syntax

set application-group name <name> remove application-id <application-id>

Parameters

Parameter

Description

application-id

The ID of the application or the group

name

Application group name

Type: A string that begins with a letter and contains up to 32 alphanumeric (0-9, a-z, _ - . &) characters without spaces

Example

set application-group name users remove application-id hasMany

Output

Failure shows an appropriate error message.

set application-group

Description

Adds an application to an existing application group object by application’s name using group object’s ID.

Syntax

set application-group application-group-id <application-group-id> add application-name <application-name>

Parameters

Parameter

Description

application-group-id

The ID of the application group

Type: A number with no fractional part (integer)

application-name

Application or group name

Example

set application-group application-group-id 12345678 add application-name hasMany

Output

Failure shows an appropriate error message.

set application-group

Description

Removes an application from an existing application group object by application’s name using group object’s ID.

Syntax

set application-group application-group-id <application-group-id> remove application-name <application-name>

Parameters

Parameter

Description

application-group-id

The ID of the application group

Type: A number with no fractional part (integer)

application-name

Application or group name

Example

set application-group application-group-id 12345678 remove application-name hasMany

Output

Failure shows an appropriate error message.

set application-group

Description

Adds an application to an existing application group object by application’s ID using group object’s ID.

Syntax

set application-group application-group-id <application-group-id> add application-id <application-id>

Parameters

Parameter

Description

application-group-id

The ID of the application group

Type: A number with no fractional part (integer)

application-id

The ID of the application or the group

Example

set application-group application-group-id 12345678 add application-id hasMany

Output

Failure shows an appropriate error message.

set application-group

Description

Removes an application from an existing application group object by application’s ID using group object’s ID.

Syntax

set application-group application-group-id <application-group-id> remove application-id <application-id>

Parameters

Parameter

Description

application-group-id

The ID of the application group

Type: A number with no fractional part (integer)

application-id

The ID of the application or the group

Example

set application-group application-group-id 12345678 remove application-id hasMany

Output

Failure shows an appropriate error message.

show application-group

Shows the configuration of the application group objects.

show application-group

Description

Shows the configuration of a specific application group object by ID.

Syntax

show application-group application-group-id <application-group-id>

Parameters

Parameter

Description

application-group-id

The ID of the application group

Type: A number with no fractional part (integer)

Example

show application-group application-group-id 12345678

Output

Failure shows an appropriate error message.

show application-group

Description

Shows the configuration of a specific application group object by name.

Syntax

show application-group name <name>

Parameters

Parameter

Description

name

Application group name

Type: A string that begins with a letter and contains up to 32 alphanumeric (0-9, a-z, _ - . &) characters without spaces

Example

show application-group name users

Output

Failure shows an appropriate error message.

show application-groups

Description

Shows the configuration of all application group objects.

Syntax

show application-groups

Parameters

Parameter

Description

n/a

 

Example

show application-groups

Output

Failure shows an appropriate error message.

antispoofing

set antispoofing

Description

Configures the activation of the IP address Anti-Spoofing feature.

Syntax

set antispoofing advanced-settings global-activation <global-activation>

Parameters

Parameter

Description

n/a

 

Example

set antispoofing advanced-settings global-activation true

Output

Failure shows an appropriate error message.

show antispoofing

Description

Shows the configuration for IP addresses Anti-Spoofing functionality.

Syntax

show antispoofing advanced-settings

Parameters

Parameter

Description

n/a

 

Example

show antispoofing advanced-settings

Output

Failure shows an appropriate error message.

backup settings

Description

Creates a backup file that contains the current settings for the appliance and saves them to a file. The file is saved to either a USB device or TFTP server. You can use these options when the backup file is created:

Syntax

backup settings to {usb|tftp server <serverIP>} [filename <filename>] [file-encryption {off|on password <pass>}] [backup-policy {on|off}] [add-comment <comment>]

Parameters

Parameter

Description

comment

Comment that is added to the file.

filename

Name of the backup file.

pass

Password for the file. Alphanumeric and special characters are allowed.

serverIP

IPv4 address of the TFTP server.

Return Value

0 on success, 1 on failure

Example

backup settings to usb file-encryption on password admin backup-policy on add-comment check_point_new_configuration

Output

Success prints OK. Failure shows an appropriate error message.

Comments

When saving the backup file to a USB device, the backup settings command fails if there are two USB devices connected to the appliance.
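An added example, not part of the vendor reference: a Python check that reviews a saved list of CLI commands for values of the application-control, antispoofing and backup settings parameters documented above. The sample lines, the address 192.0.2.10, the `review` function and the choice of which values count as findings are this example's assumptions; parameter names and values are the ones shown on this page.

```python
import shlex

# (command prefix, parameter, value that triggers a finding, note).
# Names and values come from the reference above; treating these
# particular values as findings is this example's assumption.
RULES = [
    ("set application-control-engine-settings advanced-settings",
     "fail-mode", "allow-all-requests",
     "engine fail-mode is allow-all-requests"),
    ("set application-control-engine-settings advanced-settings",
     "block-requests-when-web-service-unavailable", "false",
     "requests are not blocked when the web service is unavailable"),
    ("set application-control", "mode", "false",
     "Applications & URLs mode is off"),
    ("set application-control", "block-security-categories", "false",
     "security categories are not blocked"),
    ("set antispoofing advanced-settings", "global-activation", "false",
     "Anti-Spoofing global activation is off"),
]

# Constructed sample input, not taken from a real appliance.
SAMPLE = """\
set application-control mode true block-security-categories true
set application-control-engine-settings advanced-settings fail-mode allow-all-requests
set application-control-engine-settings advanced-settings block-requests-when-web-service-unavailable true
set antispoofing advanced-settings global-activation false
backup settings to tftp server 192.0.2.10 filename nightly file-encryption off
backup settings to usb file-encryption on password EXAMPLE-ONLY backup-policy on
"""


def tokenize(line):
    """Split one CLI line into tokens; fall back to whitespace on bad quoting."""
    try:
        return shlex.split(line)
    except ValueError:
        return line.split()


def pairs(tokens):
    """Read 'name value name value ...' into a dict (first occurrence wins)."""
    out = {}
    for name, value in zip(tokens[0::2], tokens[1::2]):
        out.setdefault(name, value.lower())
    return out


def review(text):
    """Return (line number, note) for every command line that matches a rule."""
    findings = []
    for number, raw in enumerate(text.splitlines(), start=1):
        tokens = tokenize(raw.strip())
        if not tokens or tokens[0].startswith("#"):
            continue
        # Compare whole tokens so "set application-control" never matches
        # "set application-control-engine-settings".
        for prefix, name, bad, note in RULES:
            head = prefix.split()
            if tokens[:len(head)] == head and pairs(tokens[len(head):]).get(name) == bad:
                findings.append((number, note))
        if tokens[:2] == ["backup", "settings"]:
            opts = pairs(tokens[2:])
            if opts.get("file-encryption") != "on":
                where = "a TFTP server" if opts.get("to") == "tftp" else "USB"
                findings.append((number, "backup to %s without file-encryption on" % where))
            elif "password" in opts:
                # The password value itself is never echoed into the report.
                findings.append((number, "backup password is stored in the command list"))
    return findings


if __name__ == "__main__":
    for number, note in review(SAMPLE):
        print("line %d: %s" % (number, note))
```

The report contains line numbers and notes only, so it can be shared without exposing the backup password.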

show backup settings

Description

Shows previous backup information of the appliance's settings.

show backup-settings-log shows the log file of previous backup settings operations.

Syntax

show backup-settings-{log|info {from tftp server <server> filename <file>|from usb filename <file>}}

Parameters

Parameter

Description

server

IP address or host name of the TFTP server

file

Name of backup file

Example

show backup-settings-log

show backup-settings-info from usb filename backup

Output

Success shows backup settings information. Failure shows an appropriate error message.

blade-update-schedule

set blade-update-schedule

Configures schedule for Software Blade updates.

set blade-update-schedule

Description

Configures schedule for Software Blade updates.

Syntax

set blade-update-schedule [ schedule-ips <schedule-ips> ] [ schedule-anti-bot <schedule-anti-bot> ] [ schedule-anti-virus <schedule-anti-virus> ] [ schedule-appi <schedule-appi> ] [ recurrence { daily time <time> | weekly day-of-week <day-of-week> time <time> | hourly hour-interval <hour-interval> | monthly day-of-month <day-of-month> time <time> } ]

Parameters

Parameter

Description

day-of-month

If the update occurs monthly, this is the day in which it occurs

Type: A number with no fractional part (integer)

day-of-week

If the update occurs weekly, this is the weekday in which it occurs

Options: sunday, monday, tuesday, wednesday, thursday, friday, saturday

hour-interval

If the update occurs hourly, this indicates the hour interval between each update

Type: A number with no fractional part (integer)

recurrence

The recurrence of the updates - hourly, daily, weekly or monthly

Type: Press TAB to see available options

schedule-anti-bot

Indicates if Anti-Bot blade is automatically updated according to configured schedule

Type: Boolean (true/false)

schedule-anti-virus

Indicates if Anti-Virus blade is automatically updated according to configured schedule

Type: Boolean (true/false)

schedule-appi

Indicates if Application Control blade is automatically updated according to configured schedule

Type: Boolean (true/false)

schedule-ips

Indicates if IPS blade is automatically updated according to configured schedule

Type: Boolean (true/false)

time

The hour of the update (Format: HH:MM in 24 hour clock)

Type: A time format hh:mm

Example

set blade-update-schedule schedule-ips true schedule-anti-bot true schedule-anti-virus true schedule-appi true recurrence daily time 23:20

Output

Failure shows an appropriate error message.

set blade-update-schedule

Description

Configures advanced settings for Software Blade updates.

Syntax

set blade-update-schedule advanced-settings max-num-of-retries <max-num-of-retries>

Parameters

Parameter

Description

n/a

 

Example

set blade-update-schedule advanced-settings max-num-of-retries 10

Output

Failure shows an appropriate error message.

set blade-update-schedule

Description

Configures advanced settings for Software Blade updates.

Syntax

set blade-update-schedule advanced-settings timeout-until-retry <timeout-until-retry>

Parameters

Parameter

Description

n/a

 

Example

set blade-update-schedule advanced-settings timeout-until-retry 10

Output

Failure shows an appropriate error message.

show blade-update-schedule

Shows the configuration of Software Blade updates schedule.

show blade-update-schedule

Description

Shows the configuration of Software Blade updates schedule.

Syntax

show blade-update-schedule

Parameters

Parameter

Description

n/a

 

Example

show blade-update-schedule

Output

Failure shows an appropriate error message.

show blade-update-schedule

Description

Shows advanced settings of Software Blade updates schedule.

Syntax

show blade-update-schedule advanced-settings

Parameters

Parameter

Description

n/a

 

Example

show blade-update-schedule advanced-settings

Output

Failure shows an appropriate error message.

bookmark

add bookmark

Description

Adds a new bookmark link that will appear for VPN remote access users in the SNX VPN remote access landing page.

Syntax

add bookmark label <label> url <url> [ tooltip <tooltip> ] [ type <type> ] [ is-global <is-global> ] [ user-name <user-name> ] [ password <password> ] [ screen-width <screen-width> ] [ screen-height <screen-height> ]

Parameters

Parameter

Description

is-global

Indicates if the bookmark will be displayed for all remote access users

Type: Boolean (true/false)

label

Text for the bookmark in the SSL Network Extender portal

Type: A string that contains less than 257 characters, of this set: 0-9, a-z or , . - : () @

password

The password for remote desktop connection

Type: A string that contains alphanumeric and special characters

screen-height

The height of the screen when the bookmark is remote desktop

Type: A number with no fractional part (integer)

screen-width

The width of the screen when the bookmark is remote desktop

Type: A number with no fractional part (integer)

tooltip

Tooltip for the bookmark in the SSL Network Extender portal

Type: A string that contains less than 257 characters, of this set: 0-9, a-z or , . - : () @

type

The type of the bookmark - link or remote desktop connection

Options: link, rdp

url

Bookmark URL - should start with http:// or https:// for a bookmark of type link

Type: URL

user-name

The user name for remote desktop connection

Type: A string that contains (0-9, a-z, - . @) up to 64 characters without spaces

Example

add bookmark label myLabel url http://www.checkpoint.com/ tooltip "This is a comment." type link is-global true user-name admin password a(&7Ba screen-width 1920 screen-height 1080

Output

Failure shows an appropriate error message.

delete bookmark

Deletes an existing bookmark link that appears in the SNX VPN remote access landing page.

delete bookmark

Description

Deletes an existing bookmark link by label.

Syntax

delete bookmark label <label>

Parameters

Parameter

Description

label

Text for the bookmark in the SSL Network Extender portal

Type: A string that contains less than 257 characters, of this set: 0-9, a-z or , . - : () @

Example

delete bookmark label myLabel

Output

Failure shows an appropriate error message.

delete bookmark

Description

Deletes all existing bookmark links.

Syntax

delete bookmark all

Parameters

Parameter

Description

n/a

 

Example

delete bookmark all

Output

Failure shows an appropriate error message.

set bookmark

Description

Configures an existing bookmark shown to users in the SNX landing page.

Syntax

set bookmark [ label <label> ] [ new-label <new-label> ] [ url <url> ] [ tooltip <tooltip> ] [ type <type> ] [ is-global <is-global> ] [ user-name <user-name> ] [ password <password> ] [ screen-width <screen-width> ] [ screen-height <screen-height> ]

Parameters

Parameter

Description

is-global

Indicates if the bookmark will be displayed for all remote access users

Type: Boolean (true/false)

label

Text for the bookmark in the SSL Network Extender portal

Type: A string that contains less than 257 characters, of this set: 0-9, a-z or , . - : () @

new-label

Text for the bookmark in the SSL Network Extender portal

Type: A string that contains less than 257 characters, of this set: 0-9, a-z or , . - : () @

password

The password for remote desktop connection

Type: A string that contains alphanumeric and special characters

screen-height

The height of the screen when the bookmark is remote desktop

Type: A number with no fractional part (integer)

screen-width

The width of the screen when the bookmark is remote desktop

Type: A number with no fractional part (integer)

tooltip

Tooltip for the bookmark in the SSL Network Extender portal

Type: A string that contains less than 257 characters, of this set: 0-9, a-z or , . - : () @

type

The type of the bookmark - link or remote desktop connection

Options: link, rdp

url

Bookmark URL - should start with http:// or https:// for a bookmark of type link

Type: URL

user-name

The user name for remote desktop connection

Type: A string that contains (0-9, a-z, - . @) up to 64 characters without spaces

Example

set bookmark label myLabel new-label myNewLabel url http://www.checkpoint.com/ tooltip myToolTip type link is-global true user-name admin password a(&7Ba screen-width 1920 screen-height 1080

Output

Failure shows an appropriate error message.

show bookmark

Description

Shows the configuration of a bookmark defined to be shown to users when connecting to the SNX portal using remote access VPN.

Syntax

show bookmark label <label>

Parameters

Parameter

Description

label

Text for the bookmark in the SSL Network Extender portal

Type: A string that contains less than 257 characters, of this set: 0-9, a-z or , . - : () @

Example

show bookmark label myLabel

Output

Failure shows an appropriate error message.

show bookmarks

Description

Shows all bookmarks defined to be shown to users when connecting to the SNX portal using remote access VPN.

Syntax

show bookmarks

Parameters

Parameter

Description

n/a

 

Example

show bookmarks

Output

Failure shows an appropriate error message.

bridge

add bridge

Description

Adds a new bridge.

Syntax

add bridge [ name <name> ]

Parameters

Parameter

Description

name

Bridge name

Type: A bridge name should be br0-9

Example

add bridge name br7

Output

Failure shows an appropriate error message.

delete bridge

Description

Deletes an existing bridge.

Syntax

delete bridge <name>

Parameters

Parameter

Description

name

Bridge name

Type: A bridge name should be br0-9

Example

delete bridge br7

Output

Failure shows an appropriate error message.

set bridge

Configures an existing bridge interface.

set bridge

Description

Configures an existing bridge interface.

Syntax

set bridge <name> stp <stp>

Parameters

Parameter

Description

name

Bridge name

Type: A bridge name should be br0-9

stp

Spanning Tree Protocol mode

Options: on, off

Example

set bridge br7 stp on

Output

Failure shows an appropriate error message.

set bridge

Description

Adds an existing network/interface to an existing bridge.

Syntax

set bridge <name> add member <member>

Parameters

Parameter

Description

member

Network name

name

Bridge name

Type: A bridge name should be br0-9

Example

set bridge br7 add member My_Network

Output

Failure shows an appropriate error message.

set bridge

Description

Removes an existing network/interface from an existing bridge.

Syntax

set bridge <name> remove member <member>

Parameters

Parameter

Description

member

Network name

name

Bridge name

Type: A bridge name should be br0-9

Example

set bridge br7 remove member My_Network

Output

Failure shows an appropriate error message.

show bridge

Description

Shows configuration and statistics of a defined bridge.

Syntax

show bridge <name>

Parameters

Parameter

Description

name

Bridge name

Type: A bridge name should be br0-9

Example

show bridge br7

Output

Failure shows an appropriate error message.

show bridges

Description

Shows details of all defined bridges.

Syntax

show bridges

Parameters

Parameter

Description

n/a

 

Example

show bridges

Output

Failure shows an appropriate error message.

show clock

Description

Shows current system date and time.

Syntax

show clock

Parameters

Parameter

Description

n/a

 

Example

show clock

Output

Success shows date and time. Failure shows an appropriate error message.

cloud-deployment

set cloud-deployment

Description

Configures different settings for zero-touch deployment. Command is relevant to preset files.

Syntax

set cloud-deployment [ cloud-url <cloud-url> ] [ gateway-name <gateway-name> ] [ template <template> ] [ container <container> ]

Parameters

Parameter

Description

cloud-url

The DNS or IP address through which the device will connect to the cloud service

Type: URL

container

Container

Type: String

gateway-name

The appliance name used to identify the gateway

Type: A string that contains [A-Z], [0-9] and ’-’ characters

template

Template

Type: String

Example

set cloud-deployment cloud-url http://www.checkpoint.com/ gateway-name My-appliance template TEXT container TEXT

Output

Failure shows an appropriate error message.

show cloud-deployment

Description

Shows the configuration of cloud management connection.

Syntax

show cloud-deployment

Parameters

Parameter

Description

n/a

 

Example

show cloud-deployment

Output

Failure shows an appropriate error message.

send cloud-report

Description

Force sending a report to Cloud Services.

Syntax

send cloud-report type <type>

Parameters

Parameter

Description

type

The report type

Options: top-last-hour, top-last-day, top-last-week, top-last-month, 3d

Example

send cloud-report type top-last-hour

Output

Failure shows an appropriate error message.

cloud-services

reconnect cloud-services

Description

Force a manual reconnection to Cloud Services.

Syntax

reconnect cloud-services

Parameters

Parameter

Description

n/a

 

Example

reconnect cloud-services

Output

Failure shows an appropriate error message.

set cloud-services

Configures settings for cloud/SMP management connection.

set cloud-services

Description

Configures settings for cloud/SMP management connection.

Syntax

set cloud-services [ { [ activation-key <activation-key> ] | [ [ service-center <service-center> ] [ gateway-id <gateway-id> ] [ registration-key <registration-key> ] ] } ] [ confirm-untrusted-certificate <confirm-untrusted-certificate> ] [ mode <mode> ]

Parameters

Parameter

Description

activation-key

A key received from the Cloud Services provider which is used to initialize the connection to the Cloud Services

Type: String

confirm-untrusted-certificate

Indicates if the service center URL is a trusted certificate

Type: Boolean (true/false)

gateway-id

Gateway id (in the format <gateway name>.<portal name>). This is not needed if an activation-key was configured.

Type: cloudGwName

mode

Indicates if the device is managed by a cloud service

Options: off, on

registration-key

Registration key that acts as a password when connecting to the cloud service for the first time. This is not needed if an activation-key was configured.

Type: A registration key

service-center

The DNS or IP address through which the device will connect to the cloud service for the first time. This is not needed if an activation-key was configured.

Type: URL

Example

set cloud-services activation-key TEXT confirm-untrusted-certificate true mode off

Output

Failure shows an appropriate error message.

set cloud-services

Description

Configures advanced settings for cloud/SMP management connection.

Syntax

set cloud-services advanced-settings cloud-management-configuration [ smp-login <smp-login> ] [ show-mgmt-server-details-on-login <show-mgmt-server-details-on-login> ]

Parameters

Parameter

Description

n/a

 

Example

set cloud-services advanced-settings cloud-management-configuration smp-login true show-mgmt-server-details-on-login true

Output

Failure shows an appropriate error message.

show cloud-services

Description

Shows advanced settings of cloud management connection.

Syntax

show cloud-services advanced-settings

Parameters

Parameter

Description

n/a

 

Example

show cloud-services advanced-settings

Output

Failure shows an appropriate error message.

show cloud-services connection-details

Description

Shows connection details for cloud management connection.

Syntax

show cloud-services connection-details

Parameters

Parameter

Description

n/a

 

Example

show cloud-services connection-details

Output

Failure shows an appropriate error message.

cloud-services-firmware-upgrade

set cloud-services-firmware-upgrade

Configures settings for the “firmware upgrade” Cloud Services.

set cloud-services-firmware-upgrade

Description

Configures settings for the “firmware upgrade” Cloud Services.

Syntax

set cloud-services-firmware-upgrade [ activate <activate> ] frequency { immediately-when-available | daily time <time> | monthly day-of-month <day-of-month> time <time> | weekly day-of-week <day-of-week> time <time> }

Parameters

Parameter

Description

activate

Enable auto firmware upgrades. Upgrades may occur immediately or be scheduled according to a predefined frequency

Type: Boolean (true/false)

day-of-month

Choose the desired day of the month

Type: A number with no fractional part (integer)

day-of-week

Choose the desired day of week

Options: sunday, monday, tuesday, wednesday, thursday, friday, saturday

frequency

Indicates the preferred time to perform upgrade once a new firmware is detected

Type: Press TAB to see available options

time

The hour of the upgrade (Format: HH:MM in 24 hour clock)

Type: A time format hh:mm

Example

set cloud-services-firmware-upgrade activate true frequency immediately-when-available

Output

Failure shows an appropriate error message.

set cloud-services-firmware-upgrade

Description

Configures advanced settings for the “firmware upgrade” Cloud Services.

Syntax

set cloud-services-firmware-upgrade advanced-settings max-num-of-retries <max-num-of-retries>

Parameters

Parameter

Description

n/a

 

Example

set cloud-services-firmware-upgrade advanced-settings max-num-of-retries 15

Output

Failure shows an appropriate error message.

set cloud-services-firmware-upgrade

Description

Configures advanced settings for the “firmware upgrade” Cloud Services.

Syntax

set cloud-services-firmware-upgrade advanced-settings timeout-until-retry <timeout-until-retry>

Parameters

Parameter

Description

n/a

 

Example

set cloud-services-firmware-upgrade advanced-settings timeout-until-retry 15

Output

Failure shows an appropriate error message.

show cloud-services-firmware-upgrade

Shows configuration of the "Firmware Upgrade" Cloud Services.

show cloud-services-firmware-upgrade

Description

Shows configuration of the “Firmware Upgrade” Cloud Services.

Syntax

show cloud-services-firmware-upgrade

Parameters

Parameter

Description

n/a

 

Example

show cloud-services-firmware-upgrade

Output

Failure shows an appropriate error message.

show cloud-services-firmware-upgrade

Description

Shows advanced settings of the “Firmware Upgrade” Cloud Services.

Syntax

show cloud-services-firmware-upgrade advanced-settings

Parameters

Parameter

Description

n/a

 

Example

show cloud-services-firmware-upgrade advanced-settings

Output

Failure shows an appropriate error message.

show cloud-services managed-blades

Description

Shows the blades currently managed by the cloud management.

Syntax

show cloud-services managed-blades

Parameters

Parameter

Description

n/a

 

Example

show cloud-services managed-blades

Output

Failure shows an appropriate error message.

show cloud-services managed-services

Description

Shows the services currently managed by the cloud management.

Syntax

show cloud-services managed-services

Parameters

Parameter

Description

n/a

 

Example

show cloud-services managed-services

Output

Failure shows an appropriate error message.

fetch cloud-services policy

Description

Fetch configuration now from your Cloud Services Security Management Server.

Syntax

fetch cloud-services policy

Parameters

Parameter

Description

n/a

 

Example

fetch cloud-services policy

Output

Failure shows an appropriate error message.

show cloud-services status

Description

Shows the current status of the cloud management connection.

Syntax

show cloud-services status

Parameters

Parameter

Description

n/a

 

Example

show cloud-services status

Output

Failure shows an appropriate error message.

show commands

Description

Shows all available CLI commands.

Syntax

show commands

Parameters

Parameter

Description

n/a

 

Example

show commands

Output

List of all available CLI commands.

cphaprob

Description

Defines and manages the critical cluster member properties of the appliance. When a critical process fails, the appliance is considered to have failed.

Syntax

cphaprob [-i[a]] [-d <device>] [-s {ok|init|problem}] [-f <file>] [-p] [register|unregister|report|list|state|if]

Parameters

Parameter

Description

register

Registers <appliance> as a critical process.

-a

Lists all devices in the cluster.

-d <device>

The name of the device as it appears in the output of cphaprob list.

-p

The configuration change is permanent and applies after the appliance reboots.

-t <timeout>

If <device> fails to contact ClusterXL in <timeout> seconds, <device> is considered to have failed.

To disable this parameter, enter the value 0.

-s

Status to be reported.

ok – <appliance> is alive

init – <appliance> is initializing

problem – <appliance> has failed

-f <file> register

Option to automatically register several appliances. The file defined in the <file> field should contain the list of appliances with these parameters:

  • <device>
  • <timeout>
  • Status

unregister

Unregisters <device> as a critical process.

report

Reports the status of the <device> to the gateway.

list

Displays the state of:

-i – Internal (as well as external) devices, such as interface check and High Availability initialization.

-e – External devices, such as devices registered by the user or outside the kernel. For example, fwd, sync, filter.

-ia – All devices, including those used for internal purposes, such as note initialization and load-balance configuration.

state

Displays the state of all the gateways in the High Availability configuration.

if

Displays the state of interfaces.

Example

cphaprob -d $process -t 0 -s ok -p register

Output

Success prints OK. Failure shows an appropriate error message.

These are some typical scenarios for the cphaprob command.

Argument

Description

cphaprob -d <device> -t <timeout(sec)> -s <ok|init|problem> [-p] register

Register <device> as a critical process, and add it to the list of devices that must be running for the cluster member to be considered active.

cphaprob -f <file> register

Register all the user defined critical devices listed in <file>.

cphaprob -d <device> [-p] unregister

Unregister a user defined <device> as a critical process. This means that this device is no longer considered critical.

cphaprob -a unregister

Unregister all the user defined <device>.

cphaprob -d <device> -s <ok|init|problem> report

Report the status of a user defined critical device to ClusterXL.

cphaprob [-i[a]] [-e] list

View the list of critical devices on a cluster member, and of all the other machines in the cluster.

cphaprob state

View the status of a cluster member, and of all the other members of the cluster.

cphaprob [-a] if

View the state of the cluster member interfaces and the virtual cluster interfaces.

Examples

cphaprob -d <device> -t <timeout(sec)> -s <ok|init|problem> [-p] register
cphaprob -f <file> register
cphaprob -d <device> [-p] unregister
cphaprob -a unregister
cphaprob -d <device> -s <ok|init|problem> report
cphaprob [-i[a]] [-e] list
cphaprob state
cphaprob [-a] if
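
The register, report and unregister scenarios above combined into one heartbeat script, as an added example that is not part of the original guide. The device name my_daemon, the environment variables and the health-check command passed after "run" are assumptions; only the cphaprob argument forms listed above are used.

```shell
#!/bin/sh
# Added example (not from the guide): keep a user-defined critical device
# reporting to ClusterXL with the cphaprob forms listed above.
# Assumptions: the DEVICE name, the environment variables, and the
# health-check command given on the command line.

CPHAPROB="${CPHAPROB:-cphaprob}"  # set CPHAPROB=echo to dry-run off the appliance
DEVICE="${DEVICE:-my_daemon}"     # hypothetical critical device name
TIMEOUT="${TIMEOUT:-30}"          # -t value in seconds; 0 disables the timeout
INTERVAL="${INTERVAL:-10}"        # seconds between status reports

# Only the three statuses accepted by -s are allowed through.
valid_status() {
    case "$1" in
        ok|init|problem) return 0 ;;
        *) return 1 ;;
    esac
}

# Reports must arrive more often than the timeout, or the device is
# considered failed even while healthy. A timeout of 0 disables the check.
timing_ok() {
    [ "$TIMEOUT" -eq 0 ] || [ "$INTERVAL" -lt "$TIMEOUT" ]
}

# -p is omitted on purpose: the table above describes -p as making the
# change permanent, which is not wanted for a device that is only
# reported on while this script runs.
register_device() {
    valid_status "$1" || return 2
    "$CPHAPROB" -d "$DEVICE" -t "$TIMEOUT" -s "$1" register
}

report_status() {
    valid_status "$1" || return 2
    "$CPHAPROB" -d "$DEVICE" -s "$1" report
}

unregister_device() {
    "$CPHAPROB" -d "$DEVICE" unregister
}

# Run the health-check command and map its exit code to a status.
health_to_status() {
    if "$@" >/dev/null 2>&1; then echo ok; else echo problem; fi
}

heartbeat_loop() {
    [ "$#" -gt 0 ] || { echo "usage: $0 run <health-check command>" >&2; return 2; }
    timing_ok || { echo "INTERVAL must be shorter than TIMEOUT" >&2; return 2; }
    register_device init || return 1
    # Unregister on shutdown so a stopped script does not leave a stale device.
    trap 'unregister_device; exit 0' INT TERM
    while :; do
        report_status "$(health_to_status "$@")" || echo "report failed" >&2
        sleep "$INTERVAL"
    done
}

# Start the loop only when invoked as: script run <health-check command>
if [ "${1:-}" = "run" ]; then
    shift
    heartbeat_loop "$@"
fi
```

Run cphaprob list afterwards to confirm the device appears, and cphaprob state to see the effect on the cluster member.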

cphastop

Description

Disables High Availability on the appliance. Running cphastop on an appliance that is a cluster member stops the appliance from passing traffic. State synchronization also stops.

Syntax

cphastop

Parameters

Parameter

Description

n/a

 

Return Value

0 on success, 1 on failure

Example

cphastop

Output

Success prints OK. Failure shows an appropriate error message.

cpinfo

Description

Creates a Check Point Support Information (CPinfo) file on a machine at the time of execution.

The file is saved to a USB drive or TFTP server.

The CPinfo output file enables Check Point's support engineers to analyze setups from a remote location.

Syntax

cpinfo {to-tftp <ipaddr>|to-usb}

Parameters

Parameter

Description

ipaddr

IPv4 address

Return Value

0 on success, 1 on failure

Example

cpinfo to-usb

Output

Success prints Creating cpinfo.txt file. Failure shows an appropriate error message.

cpstart

Start all Check Point processes and applications running on a machine.

Description

Starts firewall services.

Syntax

cpstart

Parameters

Parameter

Description

n/a

 

Return Value

0 on success, 1 on failure

Example

cpstart

Output

Success shows Starting CP products.... Failure shows an appropriate error message.

cpstat

Description

Shows Check Point statistics for applications.

Syntax

cpstat [-p <port>] [-s <SICname>] [-f <flavor>] [-o <polling>] [-c <count>] [-e <period>] [-x] [-j] [-d] application_flag <flag>

Parameters

Parameter

Description

-p <port>

Port number of the server. The default is the standard server port (18192).

-s <SICname>

Secure Internal Communication (SIC) name of the server.

-f <flavor>

The flavor of the output (as it appears in the configuration file). The default is the first flavor found in the configuration file.

-o <polling>

Polling interval (seconds) specifies the pace of the results.

The default is 0, meaning the results are shown only once.

-c <count>

Specifies how many times the results are shown. The default is 0, meaning the results are repeatedly shown.

-e <period>

Specifies the interval (seconds) over which 'statistical' OIDs are computed. Ignored for regular OIDs.

-x

XML output mode

-j

Json output mode

-d

Debug mode.

<flag>

The application whose statistics are displayed. One of the following:

fw — Firewall component of the Security Gateway

vpn — VPN component of the Security Gateway

fg — QoS (formerly FloodGate-1)

ha — ClusterXL (High Availability)

os — OS Status

mg — for the Security Management Server

persistency - for historical status values

polsrv

uas

svr

cpsemd

cpsead

asm

ls

ca

Return Value

0 on success, 1 on failure

Example

cpstat -c 3 -o 3 fw

Output

Success shows OK. Failure shows an appropriate error message.

The following flavors can be added to the application flags:

cpstop

Description

Stops firewall services and terminates all Check Point processes and applications running on the appliance.

Syntax

cpstop

Parameters

Parameter

Description

n/a

 

Return Value

0 on success, 1 on failure

Example

cpstop

Output

Success shows Uninstalling Security Policy.... Failure shows an appropriate error message.

cpwd_admin

Description

The cpwd_admin utility can be used to verify if a process is running and to stop and start a process if necessary.

Syntax

cpwd_admin {del <name>|detach <name>|list|kill|exist|start_monitor|stop_monitor|monitor_list}

Parameters

Parameter

Description

del

Deletes process

detach

Detaches process

list

Print status of processes

kill

Stops cpWatchDog

exist

Checks if cpWatchDog is running

start_monitor

cpwd starts monitoring this machine

stop_monitor

cpwd stops monitoring this machine

monitor_list

Displays list of monitoring processes

<name>

Name of process

Return Value

0 on success, 1 on failure

Example

cpwd_admin start_monitor

Output

Success shows OK. Failure shows an appropriate error message.

date

set date

Configures the device’s date and time.

set date

Description

Manually configure the device’s date.

Syntax

set date <date>

Parameters

Parameter

Description

date

Date in the format YYYY-MM-DD

Type: A date format yyyy-mm-dd

Example

set date 2000-01-01

Output

Failure shows an appropriate error message.

set date

Description

Manually configure the device’s time.

Syntax

set time <time>

Parameters

Parameter

Description

time

Time in the format HH:MM

Type: A time format hh:mm

Example

set time 23:20

Output

Failure shows an appropriate error message.

set date

Description

Manually configure the device’s time zone.

Syntax

set timezone <timezone>

Parameters

Parameter

Description

timezone

Timezone location

Example

set timezone GMT-11:00(Midway-Island)

Output

Failure shows an appropriate error message.

set date

Description

Configures whether the clock is adjusted automatically for daylight saving time.

Syntax

set timezone-dst automatic <timezone-dst automatic>

Parameters

Parameter

Description

timezone-dst automatic

Flag for automatic clock adjustment for daylight saving changes

Options: on, off

Example

set timezone-dst automatic on

Output

Failure shows an appropriate error message.

show date

Shows date and time.

show date

Description

Shows current date of the appliance.

Syntax

show date

Parameters

Parameter

Description

n/a

 

Example

show date

Output

Failure shows an appropriate error message.

show date

Description

Shows current time of the appliance.

Syntax

show time

Parameters

Parameter

Description

n/a

 

Example

show time

Output

Failure shows an appropriate error message.

show date

Description

Shows current time zone of the appliance.

Syntax

show timezone

Parameters

Parameter

Description

n/a

 

Example

show timezone

Output

Failure shows an appropriate error message.

show date

Description

Shows current daylight savings configuration of the appliance.

Syntax

show timezone-dst

Parameters

Parameter

Description

n/a

 

Example

show timezone-dst

Output

Failure shows an appropriate error message.

restore default-settings

Description

Restores the default settings of the appliance without affecting the software image. All the custom user settings for the appliance are deleted.

Syntax

restore default-settings [preserve-sic {yes|no}|preserve-license {yes|no}|force {yes|no}]

Parameters

Parameter

Description

preserve-sic

Select whether to preserve your current SIC settings.

preserve-license

Select whether to preserve your current license.

force

Skip the confirmation question.

Return Value

0 on success, 1 on failure

Example

restore default-settings preserve-sic yes

Output

n/a

Comments

The appliance automatically reboots after the default settings are restored.

dhcp-relay

set dhcp-relay

Description

Configures advanced settings for DHCP Relay functionality.

Syntax

set dhcp-relay advanced-settings use-internal-ip-addrs-as-source <use-internal-ip-addrs-as-source>

Parameters

Parameter

Description

n/a

 

Example

set dhcp-relay advanced-settings use-internal-ip-addrs-as-source true

Output

Failure shows an appropriate error message.

show dhcp-relay

Description

Shows advanced settings for DHCP relay.

Syntax

show dhcp-relay advanced-settings

Parameters

Parameter

Description

n/a

 

Example

show dhcp-relay advanced-settings

Output

Failure shows an appropriate error message.

show dhcp servers

Description

Shows configuration for all DHCP servers.

Syntax

show dhcp servers

Parameters

Parameter

Description

n/a

 

Example

show dhcp servers

Output

Failure shows an appropriate error message.

dhcp server interface

delete dhcp server interface

Description

Deletes the configured exclude range from the DHCP server settings of a specific network/interface.

Syntax

delete dhcp server interface <name> exclude-range

Parameters

Parameter

Description

name

Network name

Type: A string that contains [A-Z], [0-9], ’_’, ’.’, ’-’ and ’/’ characters

Example

delete dhcp server interface My_Network exclude-range

Output

Failure shows an appropriate error message.

set dhcp server interface

Configures DHCP server settings.

set dhcp server interface

Description

Configures a custom DHCP option.

Syntax

set dhcp server interface <cliName> custom-option name <custom-option name> type <type> tag <tag> data <data>

Parameters

Parameter

Description

cliName

cliName

Type: virtual

custom-option name

Set the name of the object

Type: A string that contains alphanumeric characters or hyphen

data

Set the desired value of the object

Type: String

tag

Select a unique tag for the object

Type: A number with no fractional part (integer)

type

Select the appropriate type to store your object

Options: string, int8, int16, int32, uint8, uint16, uint32, boolean, ipv4-address, ipv4-address-array, hex-string

Example

set dhcp server interface LAN1 custom-option name MyOption type string tag 43 data TEXT

Output

Failure shows an appropriate error message.

set dhcp server interface

Description

Configures whether a DHCP server is active on an existing network/interface.

Syntax

set dhcp server interface <name> { disable | enable }

Parameters

Parameter

Description

dhcp

Use DHCP Server with a specified IP address range

Options: off, on, relay

name

Network name

Type: A string that contains [A-Z], [0-9], ’_’, ’.’, ’-’ and ’/’ characters

Example

set dhcp server interface My_Network off

Output

Failure shows an appropriate error message.

set dhcp server interface

Description

Configures DHCP relay functionality on an existing network/interface.

Syntax

set dhcp server interface <name> relay relay-to <relay relay-to> { [ secondary <secondary> ] | [ relay-secondary <relay-secondary> ] }

Parameters

Parameter

Description

name

Network name

Type: A string that contains [A-Z], [0-9], ’_’, ’.’, ’-’ and ’/’ characters

relay relay-to

Enter the DHCP server IP address

Type: IP address

relay-secondary

This field is deprecated. Please use field ’secondary’

secondary

Enter the secondary DHCP server IP address

Type: IP address

Example

set dhcp server interface My_Network relay relay-to 192.168.1.1 secondary 192.168.1.1

Output

Failure shows an appropriate error message.

set dhcp server interface

Description

Configures an IP address pool for a DHCP server on an existing network/interface.

Syntax

set dhcp server interface <name> include-ip-pool <include-ip-pool>

Parameters

Parameter

Description

include-ip-pool

DHCP range

Type: A range of IP addresses

name

Network name

Type: A string that contains [A-Z], [0-9], ’_’, ’.’, ’-’ and ’/’ characters

Example

set dhcp server interface My_Network include-ip-pool 192.168.1.1-192.168.1.10

Output

Failure shows an appropriate error message.

set dhcp server interface

Description

Configures the default gateway provided by a DHCP server on an existing network/interface.

Syntax

set dhcp server interface <name> default-gateway <default-gateway>

Parameters

Parameter

Description

default-gateway

A virtual field calculated by the values of the fields: dhcpGwMode & dhcpGw

name

Network name

Type: A string that contains [A-Z], [0-9], ’_’, ’.’, ’-’ and ’/’ characters

Example

set dhcp server interface My_Network default-gateway auto

Output

Failure shows an appropriate error message.

set dhcp server interface

Description

Configures the WINS mode provided by a DHCP server on an existing network/interface.

Syntax

set dhcp server interface <name> wins-mode <wins-mode>

Parameters

Parameter

Description

name

Network name

Type: A string that contains [A-Z], [0-9], ’_’, ’.’, ’-’ and ’/’ characters

wins-mode

Configure the WINS Server

Example

set dhcp server interface My_Network wins-mode auto

Output

Failure shows an appropriate error message.

set dhcp server interface

Description

Configures the WINS servers IP addresses provided by a DHCP server on an existing network/interface.

Syntax

set dhcp server interface <name> wins primary <wins primary> [ secondary <secondary> ]

Parameters

Parameter

Description

name

Network name

Type: A string that contains [A-Z], [0-9], ’_’, ’.’, ’-’ and ’/’ characters

secondary

Configure the IP address for the second WINS server

wins primary

Configure the IP address for the first WINS server

Example

set dhcp server interface My_Network wins primary 192.168.1.1 secondary 192.168.1.1

Output

Failure shows an appropriate error message.

set dhcp server interface

Description

Configures the lease time used by a DHCP server on an existing network/interface.

Syntax

set dhcp server interface <name> lease-time <lease-time>

Parameters

Parameter

Description

lease-time

Configure the timeout in hours for a single device to retain a dynamically acquired IP address

name

Network name

Type: A string that contains [A-Z], [0-9], ’_’, ’.’, ’-’ and ’/’ characters

Example

set dhcp server interface My_Network lease-time 30

Output

Failure shows an appropriate error message.

set dhcp server interface

Description

Configures the domain used by a DHCP server on an existing network/interface.

Syntax

set dhcp server interface <name> domain <domain>

Parameters

Parameter

Description

domain

The domain name of the DHCP

name

Network name

Type: A string that contains [A-Z], [0-9], ’_’, ’.’, ’-’ and ’/’ characters

Example

set dhcp server interface My_Network domain myHost.com

Output

Failure shows an appropriate error message.

set dhcp server interface

Description

Configures the NTP servers used by a DHCP server on an existing network/interface.

Syntax

set dhcp server interface <name> ntp <ntp> [ secondary <secondary> ]

Parameters

Parameter

Description

name

Network name

Type: A string that contains [A-Z], [0-9], ’_’, ’.’, ’-’ and ’/’ characters

ntp

Configure the first NTP (Network Time Protocol) server to be distributed to DHCP client

secondary

Configure the second NTP (Network Time Protocol) server to be distributed to DHCP client

Example

set dhcp server interface My_Network ntp 192.168.1.1 secondary 192.168.1.1

Output

Failure shows an appropriate error message.

set dhcp server interface

Description

Configures the TFTP server used by a DHCP server on an existing network/interface.

Syntax

set dhcp server interface <name> tftp <tftp>

Parameters

Parameter

Description

name

Network name

Type: A string that contains [A-Z], [0-9], ’_’, ’.’, ’-’ and ’/’ characters

tftp

Configure TFTP server to be distributed to DHCP client

Example

set dhcp server interface My_Network tftp 192.168.1.1

Output

Failure shows an appropriate error message.

set dhcp server interface

Description

Configures the TFTP bootfile used by a DHCP server on an existing network/interface.

Syntax

set dhcp server interface <name> file <file>

Parameters

Parameter

Description

file

Configure TFTP bootfile to be distributed to DHCP client

name

Network name

Type: A string that contains [A-Z], [0-9], ’_’, ’.’, ’-’ and ’/’ characters

Example

set dhcp server interface My_Network file word

Output

Failure shows an appropriate error message.

set dhcp server interface

Description

Configures the Call Manager servers used by a DHCP server on an existing network/interface.

Syntax

set dhcp server interface <name> callmgr <callmgr> [ secondary <secondary> ]

Parameters

Parameter

Description

callmgr

Configure the first Call manager server to be distributed to DHCP client

name

Network name

Type: A string that contains [A-Z], [0-9], ’_’, ’.’, ’-’ and ’/’ characters

secondary

Configure the second Call manager server to be distributed to DHCP client

Example

set dhcp server interface My_Network callmgr 192.168.1.1 secondary 192.168.1.1

Output

Failure shows an appropriate error message.

set dhcp server interface

Description

Configures the X-Windows display manager server used by a DHCP server on an existing network/interface.

Syntax

set dhcp server interface <name> xwin-display-mgr <xwin-display-mgr>

Parameters

Parameter

Description

name

Network name

Type: A string that contains [A-Z], [0-9], ’_’, ’.’, ’-’ and ’/’ characters

xwin-display-mgr

Configure X-Windows display manager to be distributed to DHCP client

Example

set dhcp server interface My_Network xwin-display-mgr 192.168.1.1

Output

Failure shows an appropriate error message.

set dhcp server interface

Description

Configures the Avaya Manager server used by a DHCP server on an existing network/interface.

Syntax

set dhcp server interface <name> avaya-voip <avaya-voip>

Parameters

Parameter

Description

avaya-voip

Configure Avaya IP phone to be distributed to DHCP client

name

Network name

Type: A string that contains [A-Z], [0-9], ’_’, ’.’, ’-’ and ’/’ characters

Example

set dhcp server interface My_Network avaya-voip 192.168.1.1

Output

Failure shows an appropriate error message.

set dhcp server interface

Description

Configures the Nortel Manager server used by a DHCP server on an existing network/interface.

Syntax

set dhcp server interface <name> nortel-voip <nortel-voip>

Parameters

Parameter

Description

name

Network name

Type: A string that contains [A-Z], [0-9], ’_’, ’.’, ’-’ and ’/’ characters

nortel-voip

Configure Nortel IP phone to be distributed to DHCP client

Example

set dhcp server interface My_Network nortel-voip 192.168.1.1

Output

Failure shows an appropriate error message.

set dhcp server interface

Description

Configures the Thomson Manager server used by a DHCP server on an existing network/interface.

Syntax

set dhcp server interface <name> thomson-voip <thomson-voip>

Parameters

Parameter

Description

name

Network name

Type: A string that contains [A-Z], [0-9], ’_’, ’.’, ’-’ and ’/’ characters

thomson-voip

Configure Thomson IP phone to be distributed to DHCP client

Example

set dhcp server interface My_Network thomson-voip 192.168.1.1

Output

Failure shows an appropriate error message.

set dhcp server interface

Description

Configures the DNS servers provided by a DHCP server on an existing network/interface. In automatic mode the device will provide its own IP address when configured as DNS proxy, and the DNS servers it is configured with otherwise.

Syntax

set dhcp server interface <name> dns { none | manual [ primary <primary> ] [ secondary <secondary> ] [ tertiary <tertiary> ] | auto }

Parameters

Parameter

Description

dns

Configure the DNS Server

name

Network name

Type: A string that contains [A-Z], [0-9], ’_’, ’.’, ’-’ and ’/’ characters

primary

Configure the IP address for the first DNS server

secondary

Configure the IP address for the second DNS server

tertiary

Configure the IP address for the third DNS server

Example

set dhcp server interface My_Network dns none

Output

Failure shows an appropriate error message.

set dhcp server interface

Description

Configures the primary DNS server provided by a DHCP server on an existing network/interface in manual mode.

Syntax

set dhcp server interface <name> dns primary <dns primary>

Parameters

Parameter

Description

dns primary

Configure the IP address for the first DNS server

name

Network name

Type: A string that contains [A-Z], [0-9], ’_’, ’.’, ’-’ and ’/’ characters

Example

set dhcp server interface My_Network dns primary 192.168.1.1

Output

Failure shows an appropriate error message.

set dhcp server interface

Description

Configures the secondary DNS server provided by a DHCP server on an existing network/interface in manual mode.

Syntax

set dhcp server interface <name> dns secondary <dns secondary>

Parameters

Parameter

Description

dns secondary

Configure the IP address for the second DNS server

name

Network name

Type: A string that contains [A-Z], [0-9], ’_’, ’.’, ’-’ and ’/’ characters

Example

set dhcp server interface My_Network dns secondary 192.168.1.1

Output

Failure shows an appropriate error message.

set dhcp server interface

Description

Configures the tertiary DNS server provided by a DHCP server on an existing network/interface in manual mode.

Syntax

set dhcp server interface <name> dns tertiary <dns tertiary>

Parameters

Parameter

Description

dns tertiary

Configure the IP address for the third DNS server

name

Network name

Type: A string that contains [A-Z], [0-9], ’_’, ’.’, ’-’ and ’/’ characters

Example

set dhcp server interface My_Network dns tertiary 192.168.1.1

Output

Failure shows an appropriate error message.

set dhcp server interface

Description

Removes a custom DHCP option from a DHCP server on an existing network/interface.

Syntax

set dhcp server interface <name> remove custom-option <custom-option>

Parameters

Parameter

Description

custom-option

Set the name of the object

name

Network name

Type: A string that contains [A-Z], [0-9], ’_’, ’.’, ’-’ and ’/’ characters

Example

set dhcp server interface My_Network remove custom-option MyOption

Output

Failure shows an appropriate error message.

show dhcp server interface

Shows configuration of DHCP servers.

show dhcp server interface

Description

Shows the configuration of a DHCP server configured on a specific interface/network.

Syntax

show dhcp server interface <name>

Parameters

Parameter

Description

name

Network name

Type: A string that contains [A-Z], [0-9], ’_’, ’.’, ’-’ and ’/’ characters

Example

show dhcp server interface My_Network

Output

Failure shows an appropriate error message.

show dhcp server interface

Description

Shows the IP address pool of a DHCP server configured on a specific interface/network.

Syntax

show dhcp server interface <name> ip-pool

Parameters

Parameter

Description

name

Network name

Type: A string that contains [A-Z], [0-9], ’_’, ’.’, ’-’ and ’/’ characters

Example

show dhcp server interface My_Network ip-pool

Output

Failure shows an appropriate error message.

show diag

Description

Shows information about your appliance, such as the current firmware version and additional details.

Syntax

show diag

Parameters

Parameter

Description

n/a

 

Example

show diag

Output

Current system information.

show disk usage

Description

Shows the file system space used and space available.

Syntax

show disk-usage [-h|-m|-k]

Parameters

Parameter

Description

-h

Human readable (e.g. 1K 243M 2G)

-m

1024*1024 blocks

-k

1024 blocks

Example

show disk-usage -h

Output

Current file system space used and space available.

dns

delete dns

Deletes configured DNS settings.

delete dns

Description

Deletes configured primary DNS.

Syntax

delete dns [ primary ipv4-address ]

Parameters

Parameter

Description

n/a

 

Example

delete dns primary ipv4-address

Output

Failure shows an appropriate error message.

delete dns

Description

Deletes configured secondary DNS.

Syntax

delete dns [ secondary ipv4-address ]

Parameters

Parameter

Description

n/a

 

Example

delete dns secondary ipv4-address

Output

Failure shows an appropriate error message.

delete dns

Description

Deletes configured tertiary DNS.

Syntax

delete dns [ tertiary ipv4-address ]

Parameters

Parameter

Description

n/a

 

Example

delete dns tertiary ipv4-address

Output

Failure shows an appropriate error message.

delete dns

Description

Deletes configured domain name of the appliance.

Syntax

delete domainname

Parameters

Parameter

Description

n/a

 

Example

delete domainname

Output

Failure shows an appropriate error message.

set dns

Configures the DNS and domain settings for the device.

set dns

Description

Configures the DNS settings for the device.

Syntax

set dns [ primary ipv4-address <primary ipv4-address> ] [ secondary ipv4-address <secondary ipv4-address> ] [ tertiary ipv4-address <tertiary ipv4-address> ]

Parameters

Parameter

Description

primary ipv4-address

First global DNS IP address

Type: IP address

secondary ipv4-address

Second global DNS IP address

Type: IP address

tertiary ipv4-address

Third global DNS IP address

Type: IP address

Example

set dns primary ipv4-address 192.168.1.1 secondary ipv4-address 192.168.1.1 tertiary ipv4-address 192.168.1.1

Output

Failure shows an appropriate error message.

set dns

Description

Configures the DNS mode for the device. It can either use manually configured DNS servers or use the DNS servers provided to it by the ISP through the active internet connection.

Syntax

set dns mode <mode>

Parameters

Parameter

Description

mode

Status of appliance using global DNS servers

Options: global, internet

Example

set dns mode global

Output

Failure shows an appropriate error message.

set dns

Description

Configures the DNS proxy mode. DNS proxy allows treating the configured network objects as a hosts list which the device can translate from hostname to IP address for local networks.

Syntax

set dns proxy { on [ resolving <resolving> ] | off }

Parameters

Parameter

Description

proxy

Relay DNS requests from internal network clients to the DNS servers defined above

Type: Press TAB to see available options

resolving

Use network objects as a hosts list to translate names to their IP addresses

Options: on, off

Example

set dns proxy on resolving on

Output

Failure shows an appropriate error message.

set dns

Description

Configures the domain settings for the device.

Syntax

set domainname <domainname>

Parameters

Parameter

Description

domainname

Identification string that defines a realm of administrative autonomy, authority, or control in the Internet

Type: A FQDN

Example

set domainname somehost.example.com

Output

Failure shows an appropriate error message.

show dns

Shows configuration for DNS and domain name.

show dns

Description

Shows configuration for DNS.

Syntax

show dns

Parameters

Parameter

Description

n/a

 

Example

show dns

Output

Failure shows an appropriate error message.

show dns

Description

Shows configuration for domain name.

Syntax

show domainname

Parameters

Parameter

Description

n/a

 

Example

show domainname

Output

Failure shows an appropriate error message.

dsl

set dsl advanced-settings global-settings

Description

Set DSL configuration parameters.

Syntax

set dsl advanced-settings global-settings [ ginp <ginp> ] [ sra <sra> ]

Parameters

Parameter

Description

ginp

Enhanced Impulse Noise Protection

sra

Enables Seamless Rate Adaptation

Example

set dsl advanced-settings global-settings ginp downstream-and-upstream sra true

Output

N/A

set dsl advanced-settings standards

Description

Set DSL standard related configuration parameters.

Syntax

set dsl advanced-settings standards [ vdsl2 <true|false> ] [ dmt <true|false> ] [ adsl-lite <true|false> ] [ adsl2 <true|false> ] [ adsl2plus <true|false> ] [ t1413 <true|false> ] [ annex-m <true|false> ] [ annex-l <true|false> ] [ vdsl-8a <true|false> ] [ vdsl-8b <true|false> ] [ vdsl-8c <true|false> ] [ vdsl-8d <true|false> ] [ vdsl-12a <true|false> ] [ vdsl-12b <true|false> ] [ vdsl-17a <true|false> ] [ vdsl-us0 <true|false> ]

Parameters

Parameter

Description

vdsl2

Supports ITU G.993.2 VDSL2 standard.

dmt

Supports ITU G.992.1 ADSL (G.dmt) standard.

adsl-lite

Supports ITU G.992.2 ADSL Lite (G.lite) standard.

adsl2

Supports ITU G.992.3 ADSL2 standard.

adsl2plus

Supports ITU G.992.5 Annex M ADSL2+M standard.

t1413

Supports ANSI T1.413-1998 Issue 2 ADSL.

annex-m

In an Annex A appliance: Combined with supported ADSL2+ it specifies support for Annex M ADSL2+. In an Annex B appliance: Combined with supported ADSL2 it specifies support for Annex J ADSL2.

annex-l

Combined with enabled ADSL2 (G.992.3) specifies support for Annex L.

vdsl-8a

Supports VDSL Profile 8a.

vdsl-8b

Supports VDSL Profile 8b.

vdsl-8c

Supports VDSL Profile 8c.

vdsl-8d

Supports VDSL Profile 8d.

vdsl-12a

Supports VDSL Profile 12a.

vdsl-12b

Supports VDSL Profile 12b.

vdsl-17a

Supports VDSL Profile 17a.

vdsl-us0

Enables usage of first upstream band in VDSL2.

Example

set dsl advanced-settings standards adsl2plus false

Output

N/A

show dsl advanced-settings

Description

Show all DSL advanced settings parameters.

Syntax

show dsl advanced-settings

Parameters

Parameter

Description

n/a

 

Example

show dsl advanced-settings

Sample Output

show dsl advanced-settings

adsl2plus: true

vdsl-8d: true

vdsl-8c: true

vdsl-8b: true

annex-m: false

t1413: true

vdsl-17a: true

adsl-lite: true

vdsl2: true

annex-l: false

vdsl-12b: true

adsl2: true

dmt: true

ginp: disabled

sra: false

vdsl8a: true

vdsl-us0: true

vdsl-12a: true

show dsl statistics

Description

Show DSL statistics.

Syntax

show dsl statistics

Parameters

Parameter

Description

tpstc

Indicates the TPS-TC layer. Possible values: ATM, PTM.

mode

Indicates the negotiated DSL mode. Example for a value: VDSL Annex B.

status

Indicates the status of DSL connection synchronization. Example values: Showtime, G.994.

bitrate-up

Indicates the upstream DSL bit rate.

bitrate-down

Indicates the downstream DSL bit rate.

vendor

4 hex digits representing the vendor of the DSL chip in the peer DSLAM/MSAG (e.g. IFTN, BDCM) + 4 hex digits representing the vendor's firmware version.

power-up

Indicates the appliance transmission power (dBm).

hec-up

Indicates the number of HEC errors counted by the peer DSLAM/MSAG.

attn-up

Indicates the upstream attenuation (dB).

attn-down

Indicates the attenuation of the power from the peer DSLAM/MSAG to the appliance (dB).

rs-down

Indicates the number of RS words that were received by the appliance in the downstream.

rs-corrected-down

Indicates the number of RS words that were corrected by the appliance in the downstream.

rs-up

Indicates the number of RS words that were received by the peer DSLAM/MSAG in the upstream.

rs-corrected-up

Indicates the number of RS words that were corrected by the peer DSLAM/MSAG in the upstream.

hec-down

Indicates the number of HEC errors counted by the appliance.

total-cells-up

Indicates the number of 53-byte units (cells in the case of ATM) that were transmitted by the appliance.

total-cells-down

Indicates the number of 53-byte units (cells in the case of ATM) that were received by the appliance.

configured-sra

Indicates the seamless rate adaptation (SRA) that was configured in the appliance. Possible values: On, Off.

configured-trellis

Indicates whether trellis was enabled in the appliance configuration. Possible values: On, Off.

configured-ginp

Indicates the upstream/downstream on/off setting of the configured Enhanced Impulse Noise Protection (ginp). Possible values: Off/Off, Off/On, On/Off, On/On.

configured-bitswap

Indicates the upstream/downstream on/off for the Bit Swap configured in the appliance. Possible values: On, Off.

vectoring

Indicates the vectoring status. Possible values:

0: Vectoring Training State.

1: Showtime vectoring state, idle, not reporting errors.

2: Initial showtime vector mode state, transition to full vectoring when the peer sends a vectoring configuration message.

3: Vectoring state where error samples are being reported upon peer request.

4: Vectoring is disabled.

5: DSLAM/MSAG doesn’t support vectoring.

Example

show dsl statistics

Sample Output

show dsl statistics

snr-down: 8.7

configured-ginp: Off/Off

power-up: 7.6

rs-corrected-down: 421298

rs-corrected-up: 208

configured-sra: Off

rs-up: 1610329207

configured-trellis: On

total-cells-down: 2609810117

snr-up: 15.4

tpstc: PTM

bitrate-up: 5024

vectoring: 5 (DSLAM is not a vectored DSLAM)

vendor: IFTN:0xb206

status: Showtime

rs-down: 2127995393

mode: VDSL2 Annex B

hec-up: 0

bitrate-down: 48470

training: Showtime

power-down: 7.7

total-cells-up: 0

hec-down: 0

attn-down: 25.9

attn-up: 0.0

configured-bitswap: Off
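The counters described above can be reduced to a short line-health summary. The following is an added example, not part of the original guide: it parses the Sample Output shown above and derives the Reed-Solomon (RS) corrected-word ratio per direction. The function names are illustrative, and treating `Showtime` as the synchronized state is this example's assumption.

```python
import re

# Sample Output of `show dsl statistics`, copied from this page.
SAMPLE_OUTPUT = """\
show dsl statistics
snr-down: 8.7
configured-ginp: Off/Off
power-up: 7.6
rs-corrected-down: 421298
rs-corrected-up: 208
configured-sra: Off
rs-up: 1610329207
configured-trellis: On
total-cells-down: 2609810117
snr-up: 15.4
tpstc: PTM
bitrate-up: 5024
vectoring: 5 (DSLAM is not a vectored DSLAM)
vendor: IFTN:0xb206
status: Showtime
rs-down: 2127995393
mode: VDSL2 Annex B
hec-up: 0
bitrate-down: 48470
training: Showtime
power-down: 7.7
total-cells-up: 0
hec-down: 0
attn-down: 25.9
attn-up: 0.0
configured-bitswap: Off
"""


def parse_dsl_statistics(text):
    """Parse 'key: value' lines. Split on the first ': ' only, so values
    that contain a colon themselves (vendor: IFTN:0xb206) stay intact."""
    stats = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition(": ")
        if sep:  # skips the echoed command line and blank lines
            stats[key] = value
    return stats


def _int(stats, key):
    """Counter as int; a missing counter is treated as 0."""
    return int(stats.get(key, "0"))


def rs_corrected_ratio(stats, direction):
    """Share of received RS words that needed correction, or None when no
    words were counted (for example while the line is still training)."""
    total = _int(stats, f"rs-{direction}")
    if total == 0:
        return None
    return _int(stats, f"rs-corrected-{direction}") / total


def line_summary(stats):
    # The vectoring value carries a numeric code plus optional free text.
    code = re.match(r"\d+", stats.get("vectoring", ""))
    vendor_id, _, firmware = stats.get("vendor", "").partition(":")
    return {
        "in_sync": stats.get("status") == "Showtime",  # assumption, see lead-in
        "vectoring": int(code.group()) if code else None,
        "vendor_id": vendor_id or None,
        "vendor_fw": int(firmware, 16) if firmware else None,
        "hec_errors": _int(stats, "hec-up") + _int(stats, "hec-down"),
        "rs_ratio_down": rs_corrected_ratio(stats, "down"),
        "rs_ratio_up": rs_corrected_ratio(stats, "up"),
    }


if __name__ == "__main__":
    for name, value in line_summary(parse_dsl_statistics(SAMPLE_OUTPUT)).items():
        print(f"{name}: {value}")
```

Tracking the two ratios over time shows whether line noise is rising before HEC errors start to appear.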

dynamic-dns

set dynamic-dns

Configures a persistent domain name for the device.

set dynamic-dns

Description

Configures a persistent domain name for the device.

Syntax

set dynamic-dns { is_active } provider <provider> password <password> user <user> domain <domain>

Parameters

Parameter

Description

domain

The domain name (sometimes called host name) within your account that the device will use

Type: A FQDN

is-active

Is the DDNS service active

Type: Boolean (enable/disable)

password

The password of the account

Type: A string that contains alphanumeric and special characters

provider

Select the DDNS provider that you have already set up an account with

Options: no-ip.com, DynDns

user

The user name of the account

Type: DynDns provider: begins with a letter and has 2-25 alphanumeric characters. no-ip.com provider: length is 6-15 characters and contains only a-z, 0-9, -, _

Example

set dynamic-dns enable provider no-ip.com password a(&7Ba user myUser17

Output

Failure shows an appropriate error message.

set dynamic-dns

Description

Configure advanced settings for the DDNS service.

Syntax

set dynamic-dns advanced-settings iterations <iterations>

Parameters

Parameter

Description

n/a

 

Example

set dynamic-dns advanced-settings iterations 15

Output

Failure shows an appropriate error message.

show dynamic-dns

Shows configuration for DDNS service.

show dynamic-dns

Description

Shows configuration for DDNS service.

Syntax

show dynamic-dns

Parameters

Parameter

Description

n/a

 

Example

show dynamic-dns

Output

Failure shows an appropriate error message.

show dynamic-dns

Description

Shows advanced settings for DDNS service.

Syntax

show dynamic-dns advanced-settings

Parameters

Parameter

Description

n/a

 

Example

show dynamic-dns advanced-settings

Output

Failure shows an appropriate error message.

dynamic objects

Manages dynamic objects on the appliance. The dynamic_objects command specifies an IP address to which the dynamic object is resolved.

First, define the dynamic object in the SmartDashboard. Then create the same object with the CLI (-n argument). After the new object is created on the gateway with the CLI, you can use the dynamic_objects command to specify an IP address for the object.

Any change you make to the ranges of a dynamic object is applied to the object immediately. It is not necessary to reinstall the policy.

Description

Manages dynamic objects on the appliance.

Syntax

dynamic_objects -o <object> [-r <fromIP> <toIP> ...] [-a] [-d] [-l] [-n <object> ] [-c] [-do <object>]

Parameters

Parameter

Description

-o

Name of the dynamic object that is being configured.

-r

Defines the range of IP addresses that are being configured for this object.

-a

Adds range of IP addresses to the dynamic object.

-d

Deletes range of IP addresses from the dynamic object.

-l

Lists dynamic objects that are used on the appliance.

-n

Creates a new dynamic object.

-c

Compare the objects in the dynamic objects file and in objects.

-do

Deletes the dynamic object.

<object>

Name of dynamic object.

<fromIP>

Starting IPv4 address.

<toIP>

Ending IPv4 address.

Example

dynamic_objects -n sg80gw -r 190.160.1.1 190.160.1.40 -a

Output

Success shows Operation completed successfully. Failure shows an appropriate error message.

exit

Description

Exits from the shell.

Syntax

exit

Parameters

Parameter

Description

n/a

 

Return Value

None

Example

exit

Output

None

set expert password

Description

Sets the initial password or password hash for the expert shell

Syntax

set expert {password|password-hash} {<pass>|<pass_hash>}

Parameters

Parameter

Description

<pass>

Password using alphanumeric and special characters

<pass_hash>

Password MD5 string representation

Example

set expert password-hash $1$fGT7pGX6$oo9LUBJTkLOGKLhjRQ2rw1

Output

Success shows OK. Failure shows an appropriate error message.

Comments

To generate a password-hash, you can use this command on any Check Point SMB Appliance gateway (as an expert user).

cryptpw -a md5 <password string>
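Commands in this reference that carry credentials (`set expert password`, `set expert password-hash`, `set dynamic-dns ... password`) often end up in provisioning scripts. The following is an added example, not part of the original guide or of any Check Point tool: it lints such a script for plaintext passwords and checks that a `password-hash` value is a well-formed MD5-crypt string like the one in the Example above. The function names and the finding codes are illustrative, the sample script is constructed (it reuses Example values from this page), and one command per line is assumed.

```python
import re
import shlex

# MD5-crypt layout: $1$<salt, 1-8 chars>$<22-char digest>, both drawn from
# the crypt(3) alphabet "./0-9A-Za-z". The last digest character encodes
# only two bits, so it can only be one of "./01".
MD5_CRYPT_RE = re.compile(
    r"\$1\$([./0-9A-Za-z]{1,8})\$([./0-9A-Za-z]{21}[./01])"
)

# Constructed sample script. Lines 1 and 4 are Examples from this page,
# lines 2 and 3 are made up to trigger findings.
SAMPLE_SCRIPT = "\n".join([
    "set expert password-hash $1$fGT7pGX6$oo9LUBJTkLOGKLhjRQ2rw1",
    "set expert password Summer2024!",
    "set expert password-hash oo9LUBJTkLOGKLhjRQ2rw1",
    "set dynamic-dns enable provider no-ip.com password a(&7Ba user myUser17",
    "set dns mode global",
])


def parse_md5_crypt(value):
    """Return (salt, digest) for a well-formed MD5-crypt hash, else None."""
    match = MD5_CRYPT_RE.fullmatch(value)
    return (match.group(1), match.group(2)) if match else None


def _tokens(line):
    """Split a command line; fall back to whitespace splitting when the
    line contains an unbalanced quote (possible inside a password)."""
    try:
        return shlex.split(line)
    except ValueError:
        return line.split()


def _redact(tokens, index):
    """Rebuild the line with the secret replaced, so a finding can be
    logged without copying the credential into the report."""
    safe = list(tokens)
    safe[index] = "<redacted>"
    return " ".join(safe)


def lint_script(text):
    """Return a list of (line number, finding code, redacted line)."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        tok = _tokens(raw.strip())
        if len(tok) < 4 or tok[0] != "set":
            continue
        if tok[1] == "expert" and tok[2] == "password":
            findings.append((lineno, "plaintext-expert-password", _redact(tok, 3)))
        elif tok[1] == "expert" and tok[2] == "password-hash":
            # A value that is not a valid hash may be a pasted plaintext
            # password or a truncated hash; redact it either way.
            if parse_md5_crypt(tok[3]) is None:
                findings.append((lineno, "malformed-password-hash", _redact(tok, 3)))
        elif tok[1] == "dynamic-dns":
            # Parameters are keyword/value pairs; the value follows "password".
            for i in range(2, len(tok) - 1):
                if tok[i] == "password":
                    findings.append((lineno, "plaintext-ddns-password", _redact(tok, i + 1)))
                    break
    return findings


if __name__ == "__main__":
    for lineno, code, line in lint_script(SAMPLE_SCRIPT):
        print(f"line {lineno}: {code}: {line}")
```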

fetch policy

Description

Fetches a policy from the Security Management Server with IPv4 address <ip_addr> or from the local gateway.

Syntax

fetch policy {local|mgmt-ipv4-address <ip_addr>}

Parameters

Parameter

Description

ip_addr

IPv4 address of the Security Management Server.

Return Value

0 on success, 1 on failure

Example

fetch policy mgmt-ipv4-address 192.168.1.100

Output

Success shows Done. Failure shows an appropriate error message.

fw commands

The fw commands are used for working with various aspects of the firewall. All fw commands are executed on the Check Point Security Gateway. For more about the fw commands, see the Command Line Interface (CLI) Reference Guide.

fw commands can be found by typing fw [TAB] at a command line. For some of the CLI commands, you can enter the -h parameter to display all the relevant arguments and parameters. These commands are:

fw command

Explanation

fw accel [-h]

Turn acceleration on/off

fw activation [-h]

Activate license

fw avload [-h]

Load Anti-Virus signatures to kernel

fw ctl [args]

Control kernel

fw debug [-h]

Turn debug output on or off

fw fetch

Fetch last policy

fw fetchdefault [-h]

Fetch default policy

fw fetchlocal [-h]

Fetch local policy

fw monitor [-h]

Monitor Check Point Appliance traffic

fw pull_cert

Pull certificate from internal CA

fw sfwd

fw daemon

fw sic_init [-h]

Initialize SIC

fw sic_reset [-h]

Reset SIC

fw sic_test

Test SIC with management

fw stat [-h]

Display policy installation status of the gateway. (Command is provided for backward compatibility.)

fw tab [-h]

Display kernel-table content

fw unloadlocal

Unload local policy

fw ver [-k]

Display version

fw policy

set fw policy

Configures the default policy for the Firewall blade

set fw policy

Description

Configures the default policy for the Firewall blade.

Syntax

set fw policy [ mode <mode> ] [ track-allowed-traffic <track-allowed-traffic> ] [ track-blocked-traffic <track-blocked-traffic> ]

Parameters

Parameter

Description

mode

Current mode for firewall policy

track-allowed-traffic

Indicates if accepted connections are logged

Options: none, log

track-blocked-traffic

Indicates if blocked connections are logged

Options: none, log

Example

set fw policy mode off track-allowed-traffic none track-blocked-traffic none

Output

Failure shows an appropriate error message.

set fw policy

Description

Configures advanced settings for the default policy of the Firewall blade.

Syntax

set fw policy advanced-settings blocked-packets-action <blocked-packets-action>

Parameters

Parameter

Description

n/a

 

Example

set fw policy advanced-settings blocked-packets-action auto

Output

Failure shows an appropriate error message.

set fw policy

Description

Configures advanced settings for the default policy of the Firewall blade.

Syntax

set fw policy advanced-settings log-implied-rules <log-implied-rules>

Parameters

Parameter

Description

n/a

 

Example

set fw policy advanced-settings log-implied-rules true

Output

Failure shows an appropriate error message.

show fw policy

Shows the configured policy for the Firewall blade.

show fw policy

Description

Shows the configured policy for the Firewall blade.

Syntax

show fw policy

Parameters

Parameter

Description

n/a

 

Example

show fw policy

Output

Failure shows an appropriate error message.

show fw policy

Description

Shows advanced settings for the Firewall blade.

Syntax

show fw policy advanced-settings

Parameters

Parameter

Description

n/a

 

Example

show fw policy advanced-settings

Output

Failure shows an appropriate error message.

show fw policy

Description

Shows the configuration for customizable messages shown to users upon actions.

Syntax

show fw policy user-check { block | ask | accept }

Parameters

Parameter

Description

user-check

Activity message type

Type: Press TAB to see available options

Example

show fw policy user-check block

Output

Failure shows an appropriate error message.

set fw policy user-check accept

Description

Configures a customizable “accept” message shown to users upon match on browser based traffic.

Syntax

set fw policy user-check accept [ body <body> ] [ fallback-action <fallback-action> ] [ frequency <frequency> ] [ subject <subject> ] [ title <title> ]

Parameters

Parameter

Description

body

The informative text that appears in the APPI ’Accept’ user message

Type: A string that contains only printable characters

fallback-action

Indicates the action to take when an ’Accept’ user message cannot be displayed

Options: block, accept

frequency

Indicates how often the APPI ’Accept’ user message is presented to the same user

Options: day, week, month

subject

The subject of an APPI ’Accept’ user message

Type: A string that contains only printable characters

title

The title of an APPI ’Accept’ user message

Type: A string that contains only printable characters

Example

set fw policy user-check accept body My Network fallback-action block frequency day subject My Network title My Network

Output

Failure shows an appropriate error message.

set fw policy user-check ask

Description

Configures a customizable “ask” message shown to users upon match on browser based traffic.

Syntax

set fw policy user-check ask [ body <body> ] [ confirm-text <confirm-text> ] [ fallback-action <fallback-action> ] [ frequency <frequency> ] [ subject <subject> ] [ title <title> ] [ reason-displayed <reason-displayed> ]

Parameters

Parameter

Description

body

The informative text that appears in the APPI ’Ask’ user message

Type: A string that contains only printable characters

confirm-text

This text appears next to the ’ignore warning’ checkbox of an APPI ’Ask’ user message

Type: A string that contains only printable characters

fallback-action

The action that is performed when the ’Ask’ message cannot be shown

Options: block, accept

frequency

Indicates how often the APPI ’Ask’ user message is presented to the same user

Options: day, week, month

reason-displayed

Indicates if the user must enter a reason for ignoring this message in a designated text dialog

Type: Boolean (true/false)

subject

The subject of an APPI ’Ask’ user message

Type: A string that contains only printable characters

title

The title of an APPI ’Ask’ user message

Type: A string that contains only printable characters

Example

set fw policy user-check ask body My Network confirm-text My Network fallback-action block frequency day subject My Network title My Network reason-displayed true

Output

Failure shows an appropriate error message.

set fw policy user-check block

Description

Configures a customizable “block” message shown to users upon match on browser based traffic.

Syntax

set fw policy user-check block [ body <body> ] [ redirect-url <redirect-url> ] [ subject <subject> ] [ title <title> ] [ redirect-to-url <redirect-to-url> ]

Parameters

Parameter

Description

body

The informative text that appears in the APPI ’Block’ user message

Type: A string that contains only printable characters

redirect-to-url

Indicates if the user will be redirected to a custom URL in case of a ’Block’ action

Type: Boolean (true/false)

redirect-url

Indicates the URL to redirect the user to in case of a ’Block’ action. Redirection happens only if this functionality is turned on

Type: urlWithHttp

subject

The subject of an APPI ’Block’ user message

Type: A string that contains only printable characters

title

The title of an APPI ’Block’ user message

Type: A string that contains only printable characters

Example

set fw policy user-check block body My Network redirect-url urlWithHttp subject My Network title My Network redirect-to-url true

Output

Failure shows an appropriate error message.

global-radius-conf

set global-radius-conf

Description

Configures the NAS IP/IPv6 address for RADIUS server authentication.

The NAS IP/IPv6 address is the identifying IP address of the NAS that requests authentication of the user. It should be unique to the NAS within the scope of the RADIUS server.

Syntax

set global-radius-conf [ nas-ip-address <nas-ip-address> ] [ nasIPV6 <nasIPV6> ]

Parameters

Parameter

Description

nas-ip-address

NAS IP address

Type: IP address

nasIPV6

NAS IPv6 address

Type: ipv6addr

Example

set global-radius-conf nas-ip-address 192.168.1.1 nasIPV6 ipv6addr

Output

Failure shows an appropriate error message.

show global-radius-conf

Description

Shows the NAS IP/IPv6 address configured for RADIUS server authentication.

Syntax

show global-radius-conf

Parameters

Parameter

Description

n/a

 

Example

show global-radius-conf

Output

Failure shows an appropriate error message.

group

add group

Description

Adds a new group of network objects.

Syntax

add group name <name> [ comments <comments> ] [ member <member> ]

Parameters

Parameter

Description

comments

Comments and explanation about the Network Object group

Type: A string that contains less than 257 characters, of this set: 0-9, a-z or , . - : () @

member

An association field to the contained network objects

name

Network Object group name

Type: A string that begins with a letter and contains up to 32 alphanumeric (0-9, a-z, _ - .) characters without spaces

Example

add group name myObject_17 comments "This is a comment." member TEXT

Output

Failure shows an appropriate error message.

delete group

Description

Deletes an existing group object of network objects.

Syntax

delete group <name>

Parameters

Parameter

Description

name

Network Object group name

Type: A string that begins with a letter and contains up to 32 alphanumeric (0-9, a-z, _ - .) characters without spaces

Example

delete group myObject_17

Output

Failure shows an appropriate error message.

set group

Configures an existing network objects group.

set group

Description

Configures an existing network objects group.

Syntax

set group <name> [ new-name <new-name> ] [ comments <comments> ]

Parameters

Parameter

Description

comments

Comments and explanation about the Network Object group

Type: A string that contains less than 257 characters, of this set: 0-9, a-z or , . - : () @

name

Network Object group name

Type: A string that begins with a letter and contains up to 32 alphanumeric (0-9, a-z, _ - .) characters without spaces

new-name

Network Object group name

Type: A string that begins with a letter and contains up to 32 alphanumeric (0-9, a-z, _ - .) characters without spaces

Example

set group myObject_17 new-name myObject_17 comments "This is a comment."

Output

Failure shows an appropriate error message.

set group

Description

Removes all members from an existing network objects group.

Syntax

set group <name> remove-all members

Parameters

Parameter

Description

name

Network Object group name

Type: A string that begins with a letter and contains up to 32 alphanumeric (0-9, a-z, _ - .) characters without spaces

Example

set group myObject_17 remove-all members

Output

Failure shows an appropriate error message.

set group

Description

Adds an existing network object to an existing network objects group.

Syntax

set group <name> add member <member>

Parameters

Parameter

Description

member

Network Object name

name

Network Object group name

Type: A string that begins with a letter and contains up to 32 alphanumeric (0-9, a-z, _ - .) characters without spaces

Example

set group myObject_17 add member TEXT

Output

Failure shows an appropriate error message.

set group

Description

Removes an existing network object from an existing network objects group.

Syntax

set group <name> remove member <member>

Parameters

Parameter

Description

member

Network Object name

name

Network Object group name

Type: A string that begins with a letter and contains up to 32 alphanumeric (0-9, a-z, _ - .) characters without spaces

Example

set group myObject_17 remove member TEXT

Output

Failure shows an appropriate error message.

show group

Description

Shows the contents of a network object group.

Syntax

show group <name>

Parameters

Parameter

Description

name

Network Object group name

Type: A string that begins with a letter and contains up to 32 alphanumeric (0-9, a-z, _ - .) characters without spaces

Example

show group myObject_17

Output

Failure shows an appropriate error message.

show groups

Description

Shows the contents of all network object groups.

Syntax

show groups

Parameters

Parameter

Description

n/a

 

Example

show groups

Output

Failure shows an appropriate error message.

host

add host

Description

Adds a new network host object. The object can be used for resolving when the device acts as a DNS proxy, and the command also configures DHCP settings for the object (exclude/reserve IP address).

Syntax

add host name <name> [ dhcp-exclude-ip-addr { on [ dhcp-reserve-ip-addr-to-mac { on [ mac-addr <mac-addr> ] [ reserve-mac-address <reserve-mac-address> ] | off } ] [ mac-reserved-in-dhcp { on [ mac-addr <mac-addr> ] [ reserve-mac-address <reserve-mac-address> ] | off } ] | off } ] [ dns-resolving <dns-resolving> ] ipv4-address <ipv4-address>

Parameters

Parameter

Description

dhcp-exclude-ip-addr

Indicates if the object’s IP address(es) is excluded from internal DHCP daemon

Type: Press TAB to see available options

dhcp-reserve-ip-addr-to-mac

Indicates if the IP address is reserved in internal DHCP daemon

Type: Press TAB to see available options

dns-resolving

Indicates if the name of the server/network object will be used as a hostname for internal DNS service

Type: Boolean (true/false)

ipv4-address

The beginning of the IP range

mac-addr

MAC address of the Network Object

Type: MAC address

mac-reserved-in-dhcp

This field is deprecated. Please use field ’dhcp-reserve-ip-addr-to-mac’

name

Network Object name

Type: String

reserve-mac-address

This field is deprecated. Please use field ’mac-addr’

Example

add host name TEXT dhcp-exclude-ip-addr on dhcp-reserve-ip-addr-to-mac on mac-addr 00:1C:7F:21:05:BE reserve-mac-address 00:1C:7F:21:05:BE mac-reserved-in-dhcp on mac-addr 00:1C:7F:21:05:BE reserve-mac-address 00:1C:7F:21:05:BE dns-resolving true ipv4-address 192.168.1.1

Output

Failure shows an appropriate error message.

delete host

Description

Deletes an existing network host object.

Syntax

delete host <name>

Parameters

Parameter

Description

name

Network Object name

Type: String

Example

delete host TEXT

Output

Failure shows an appropriate error message.

set host

Description

Configures an existing network object/host.

Syntax

set host <name> [ name <name> ] [ dhcp-exclude-ip-addr { on [ dhcp-reserve-ip-addr-to-mac { on [ mac-addr <mac-addr> ] [ reserve-mac-address <reserve-mac-address> ] | off } ] [ mac-reserved-in-dhcp { on [ mac-addr <mac-addr> ] [ reserve-mac-address <reserve-mac-address> ] | off } ] | off } ] [ exclude-from-dhcp { on [ dhcp-reserve-ip-addr-to-mac { on [ mac-addr <mac-addr> ] [ reserve-mac-address <reserve-mac-address> ] | off } ] [ mac-reserved-in-dhcp { on [ mac-addr <mac-addr> ] [ reserve-mac-address <reserve-mac-address> ] | off } ] | off } ] [ dns-resolving <dns-resolving> ] [ ipv4-address <ipv4-address> ]

Parameters

Parameter

Description

dhcp-exclude-ip-addr

Indicates if the object’s IP address(es) is excluded from internal DHCP daemon

Type: Press TAB to see available options

dhcp-reserve-ip-addr-to-mac

Indicates if the IP address is reserved in internal DHCP daemon

Type: Press TAB to see available options

dns-resolving

Indicates if the name of the server/network object will be used as a hostname for internal DNS service

Type: Boolean (true/false)

exclude-from-dhcp

This field is deprecated. Please use field ’dhcp-reserve-ip-addr-to-mac’

ipv4-address

The beginning of the IP range

mac-addr

MAC address of the Network Object

Type: MAC address

mac-reserved-in-dhcp

This field is deprecated. Please use field ’dhcp-reserve-ip-addr-to-mac’

name

Network Object name

Type: String

reserve-mac-address

This field is deprecated. Please use field ’mac-addr’

Example

set host TEXT name TEXT dhcp-exclude-ip-addr on dhcp-reserve-ip-addr-to-mac on mac-addr 00:1C:7F:21:05:BE reserve-mac-address 00:1C:7F:21:05:BE mac-reserved-in-dhcp on mac-addr 00:1C:7F:21:05:BE reserve-mac-address 00:1C:7F:21:05:BE exclude-from-dhcp on dhcp-reserve-ip-addr-to-mac on mac-addr 00:1C:7F:21:05:BE reserve-mac-address 00:1C:7F:21:05:BE mac-reserved-in-dhcp on mac-addr 00:1C:7F:21:05:BE reserve-mac-address 00:1C:7F:21:05:BE dns-resolving true ipv4-address 192.168.1.1

Output

Failure shows an appropriate error message.

show host

Description

Shows the configuration of an existing network object.

Syntax

show host <name>

Parameters

Parameter

Description

name

Network Object name

Type: String

Example

show host TEXT

Output

Failure shows an appropriate error message.

show hosts

Description

Shows the configuration of all existing network objects.

Syntax

show hosts

Parameters

Parameter

Description

n/a

 

Example

show hosts

Output

Failure shows an appropriate error message.

hotspot

set hotspot

Configures hotspot settings.

set hotspot

Description

Configures hotspot settings.

Syntax

set hotspot [ require-auth <require-auth> ] [ auth-mode <auth-mode> ] [ allowed-group <allowed-group> ] [ timeout <timeout> ] [ portal-title <portal-title> ] [ portal-msg <portal-msg> ] [ show-terms-of-use <show-terms-of-use> ] [ terms-of-use <terms-of-use> ] [ redirect-after-auth <redirect-after-auth> ] [ redirect-after-auth-url <redirect-after-auth-url> ]

Parameters

Parameter

Description

allowed-group

Indicates the specific user group that can authenticate through the hotspot when auth-mode is set to allow-specific-group

Type: A string of alphanumeric characters without space between them

auth-mode

Allow access to a specific user group only or all users

Options: allow-all, allow-specific-group

portal-msg

The message shown in hotspot portal

Type: A string that contains only printable characters

portal-title

The title of the hotspot portal

Type: A string that contains only printable characters

redirect-after-auth

Indicates if, after the user accepts terms or authenticates in the hotspot portal, the user will be redirected to a configured external URL instead of the originally requested URL

Options: on, off

redirect-after-auth-url

Redirect the user to the following URL after the user accepts terms or authenticates in the hotspot portal

Type: urlWithHttp

require-auth

Indicates if user authentication is required

Type: Boolean (true/false)

show-terms-of-use

Indicates if a terms and conditions link will be shown in the hotspot portal

Options: on, off

terms-of-use

The text shown when users click the terms and conditions link in the hotspot portal

Type: A string that contains only printable characters

timeout

Time, in minutes, until the hotspot session expires

Type: A number with no fractional part (integer)

Example

set hotspot require-auth true auth-mode allow-all allowed-group word timeout 15 portal-title My Network portal-msg My Network show-terms-of-use on terms-of-use My Network redirect-after-auth on redirect-after-auth-url urlWithHttp

Output

Failure shows an appropriate error message.

set hotspot

Description

Adds an existing network object as an exception for hotspot portal.

Syntax

set hotspot add exception <exception>

Parameters

Parameter

Description

exception

Network object name

Example

set hotspot add exception TEXT

Output

Failure shows an appropriate error message.

set hotspot

Description

Removes an existing network object from being an exception to hotspot portal.

Syntax

set hotspot remove exception <exception>

Parameters

Parameter

Description

exception

Network object name

Example

set hotspot remove exception TEXT

Output

Failure shows an appropriate error message.

set hotspot

Description

Configures advanced hotspot settings.

Syntax

set hotspot advanced-settings activation <activation>

Parameters

Parameter

Description

n/a

 

Example

set hotspot advanced-settings activation on

Output

Failure shows an appropriate error message.

set hotspot

Description

Configures advanced hotspot settings.

Syntax

set hotspot advanced-settings prevent-simultaneous-login <prevent-simultaneous-login>

Parameters

Parameter

Description

n/a

 

Example

set hotspot advanced-settings prevent-simultaneous-login true

Output

Failure shows an appropriate error message.

show hotspot

Shows hotspot configuration.

show hotspot

Description

Shows hotspot configuration.

Syntax

show hotspot

Parameters

Parameter

Description

n/a

 

Example

show hotspot

Output

Failure shows an appropriate error message.

show hotspot

Description

Shows hotspot advanced settings configuration.

Syntax

show hotspot advanced-settings

Parameters

Parameter

Description

n/a

 

Example

show hotspot advanced-settings

Output

Failure shows an appropriate error message.

https-categorization

set https-categorization

Configures HTTPS categorization settings (categorization does not require a full SSL inspection mechanism).

set https-categorization

Description

Configures advanced HTTPS categorization settings.

Syntax

set https-categorization advanced-settings validate-cert-expiration <validate-cert-expiration>

Parameters

Parameter

Description

n/a

 

Example

set https-categorization advanced-settings validate-cert-expiration true

Output

Failure shows an appropriate error message.

set https-categorization

Description

Configures advanced HTTPS categorization settings.

Syntax

set https-categorization advanced-settings validate-unreachable-crl <validate-unreachable-crl>

Parameters

Parameter

Description

n/a

 

Example

set https-categorization advanced-settings validate-unreachable-crl true

Output

Failure shows an appropriate error message.

set https-categorization

Description

Configures advanced HTTPS categorization settings.

Syntax

set https-categorization advanced-settings validate-crl <validate-crl>

Parameters

Parameter

Description

n/a

 

Example

set https-categorization advanced-settings validate-crl true

Output

Failure shows an appropriate error message.

show https-categorization

Description

Shows the configuration for the HTTPS categorization feature.

Syntax

show https-categorization advanced-settings

Parameters

Parameter

Description

n/a

 

Example

show https-categorization advanced-settings

Output

Failure shows an appropriate error message.

interface

add interface

Adds a new virtual interface.

add interface

Description

Adds a new 802.1q tag-based VLAN over an existing physical interface.

Syntax

add interface <assignment> vlan <vlan>

Parameters

Parameter

Description

assignment

The switch or bridge which the object belongs to

Type: A string that contains [A-Z], [0-9], ’_’, ’.’, ’-’ and ’/’ characters

vlan

Enter a number that is the virtual identifier

Type: A number with no fractional part (integer)

Example

add interface My_Network vlan 12

Output

Failure shows an appropriate error message.

add interface

Description

Adds a new numbered/unnumbered Virtual Tunnel Interface (VTI) to be used for Route-based VPN purposes.

Syntax

add vpn tunnel <vpn tunnel> type { unnumbered peer <peer> internet-connection <internet-connection> | numbered local <local> remote <remote> peer <peer> }

Parameters

Parameter

Description

internet-connection

The local interface for unnumbered VTI

local

Enter the IP address of the interface

Type: IP address

peer

Remote peer name as defined in the VPN community. You must define the two peers in the VPN community before you can define the VTI. The Peer ID is an alpha-numeric character string.

Type: A string that begins with a letter and contains up to 32 alphanumeric (0-9, a-z, _ -) characters without spaces

remote

Defines the remote peer IPv4 address, used at the peer gateway’s point-to-point virtual interface (numbered VTI only)

Type: IP address

type

The type of VTI: a numbered VTI that uses specified, static IPv4 addresses for local and remote connections, or an unnumbered VTI that uses the interface and the remote peer name to get addresses

Type: Press TAB to see available options

vpn tunnel

A number identifying the Virtual Tunnel Interface (VTI)

Type: A number with no fractional part (integer)

Example

add vpn tunnel 12 type unnumbered peer site17 internet-connection My connection

Output

Failure shows an appropriate error message.

delete interface

Description

Deletes an existing virtual interface.

Syntax

delete interface <name>

Parameters

Parameter

Description

name

Network name

Type: A string that contains [A-Z], [0-9], ’_’, ’.’, ’-’ and ’/’ characters

Example

delete interface My_Network

Output

Failure shows an appropriate error message.

set interface

Configures local networks/interfaces.

set interface

Description

Configures local networks/interfaces.

Syntax

set interface <name> ipv4-address <ipv4-address> { subnet-mask <subnet-mask> default-gw <default-gw> [ dns-primary <dns-primary> [ dns-secondary <dns-secondary> [ dns-tertiary <dns-tertiary> ] ] ] | mask-length <mask-length> default-gw <default-gw> [ dns-primary <dns-primary> [ dns-secondary <dns-secondary> [ dns-tertiary <dns-tertiary> ] ] ] }

Parameters

Parameter

Description

default-gw

Default gateway

Type: IP address

dns-primary

First DNS server IP address

Type: IP address

dns-secondary

Second DNS server IP address

Type: IP address

dns-tertiary

Third DNS server IP address

Type: IP address

ipv4-address

The IP address

Type: IP address

mask-length

Subnet mask length

Type: A string that contains numbers only

name

Network name

Type: A string that contains [A-Z], [0-9], ’_’, ’.’, ’-’ and ’/’ characters

subnet-mask

Subnet mask

Type: Subnet mask

Example

set interface My_Network ipv4-address 192.168.1.1 subnet-mask 255.255.255.0 default-gw 192.168.1.1 dns-primary 192.168.1.1 dns-secondary 192.168.1.1 dns-tertiary 192.168.1.1

Output

Failure shows an appropriate error message.

set interface

Description

Configures IP address for local networks/interfaces.

Syntax

set interface <name> ipv4-address <ipv4-address> { mask-length <mask-length> | subnet-mask <subnet-mask> }

Parameters

Parameter

Description

ipv4-address

Enter the IP address of the interface

Type: IP address

mask-length

Represents the network’s mask length

Type: A string that contains numbers only

name

Network name

Type: A string that contains [A-Z], [0-9], ’_’, ’.’, ’-’ and ’/’ characters

subnet-mask

Enter the Subnet mask of the specified network

Type: A subnet mask, or 255.255.255.255

Example

set interface My_Network ipv4-address 192.168.1.1 mask-length 20

Output

Failure shows an appropriate error message.

set interface

Description

Configures a physical interface to be unassigned from existing networks.

Syntax

set interface <name> unassigned

Parameters

Parameter

Description

name

Network name

Type: A string that contains [A-Z], [0-9], ’_’, ’.’, ’-’ and ’/’ characters

Example

set interface LAN2 unassigned

Output

Failure shows an appropriate error message.

set interface

Description

Configures monitor mode on an existing local network/interface.

Syntax

set interface <name> monitor-mode

Parameters

Parameter

Description

name

Network name

Type: A string that contains [A-Z], [0-9], ’_’, ’.’, ’-’ and ’/’ characters

Example

set interface My_Network monitor-mode

Output

Failure shows an appropriate error message.

set interface

Description

Configures advanced settings on an existing local network/interface.

Syntax

set interface <name> [ mac-address-override <mac-address-override> ] [ exclude-from-dns-proxy <exclude-from-dns-proxy> ]

Parameters

Parameter

Description

exclude-from-dns-proxy

Exclude from DNS proxy

Options: on, off

mac-address-override

Override default MAC address

Type: MAC address

name

Network name

Type: A string that contains [A-Z], [0-9], ’_’, ’.’, ’-’ and ’/’ characters

Example

set interface My_Network mac-address-override 00:1C:7F:21:05:BE exclude-from-dns-proxy on

Output

Failure shows an appropriate error message.

set interface

Description

Configures networking settings on an existing local network/interface.

Syntax

set interface <name> [ auto-negotiation <auto-negotiation> ] [ mtu <mtu> ] [ link-speed <link-speed> ]

Parameters

Parameter

Description

auto-negotiation

Enable this option in order to manually configure the link speed of the interface.

Options: on, off

link-speed

Configure the link speed of the interface manually

Options: 10/full, 10/half, 100/full, 100/half

mtu

Configure the Maximum Transmission Unit size for an interface

Type: A number with no fractional part (integer)

name

Network name

Type: A string that contains [A-Z], [0-9], ’_’, ’.’, ’-’ and ’/’ characters

Example

set interface My_Network auto-negotiation on mtu 1460 link-speed 10/full

Output

Failure shows an appropriate error message.

set interface

Description

Enable/disable an existing local network/interface.

Syntax

set interface <name> state <state>

Parameters

Parameter

Description

name

Network name

Type: A string that contains [A-Z], [0-9], ’_’, ’.’, ’-’ and ’/’ characters

state

The mode of the network - enabled or disabled

Options: on, off

Example

set interface My_Network state on

Output

Failure shows an appropriate error message.

set interface

Description

Configures a description for an existing local network/interface.

Syntax

set interface <name> [ description <description> ]

Parameters

Parameter

Description

description

Description

Type: A string that contains less than 257 characters, of this set: 0-9, a-z or , . - : () @

name

Network name

Type: A string that contains [A-Z], [0-9], ’_’, ’.’, ’-’ and ’/’ characters

Example

set interface My_Network description "This is a comment."

Output

Failure shows an appropriate error message.

set interface

Description

Configures automatic access policy for an existing local network/interface. This feature is relevant when the device is locally managed.

Syntax

set interface <name> [ lan-access <lan-access> ] [ lan-access-track <lan-access-track> ]

Parameters

Parameter

Description

lan-access

Local networks will be accessible from this network once this option is enabled

Options: block, accept

lan-access-track

Traffic from this network to local networks will be logged once this option is enabled

Options: none, log

name

Network name

Type: A string that contains [A-Z], [0-9], ’_’, ’.’, ’-’ and ’/’ characters

Example

set interface My_Network lan-access block lan-access-track none

Output

Failure shows an appropriate error message.

set interface

Description

Configures hotspot functionality for an existing local network/interface.

Syntax

set interface <name> hotspot <hotspot>

Parameters

Parameter

Description

hotspot

Redirect users to the Hotspot portal before allowing access from this interface

Options: on, off

name

Network name

Type: A string that contains [A-Z], [0-9], ’_’, ’.’, ’-’ and ’/’ characters

Example

set interface My_Network hotspot on

Output

Failure shows an appropriate error message.

show interface

Description

Shows configuration and details of local networks.

Syntax

show interface <name> [ all ]

Parameters

Parameter

Description

name

Network name

Type: A string that contains [A-Z], [0-9], ’_’, ’.’, ’-’ and ’/’ characters

Example

show interface My_Network all

Output

Failure shows an appropriate error message.

show interfaces

Description

Shows the list of defined local networks.

Syntax

show interfaces

Parameters

Parameter

Description

n/a

 

Example

show interfaces

Output

Failure shows an appropriate error message.

show interfaces all

Description

Shows details of all defined local networks.

Syntax

show interfaces all

Parameters

Parameter

Description

n/a

 

Example

show interfaces all

Output

Failure shows an appropriate error message.

ips engine-settings

set ips engine-settings

set ips engine-settings

Description

Configures advanced IPS engine settings. This command configures if and when IPS will deactivate upon high resource consumption of the device.

Syntax

set ips engine-settings [ protection-scope <protection-scope> ] [ bypass-under-load { true [ bypass-track <bypass-track> ] [ gateway-load-thresholds [ cpu-usage-low-watermark <cpu-usage-low-watermark> ] [ cpu-usage-high-watermark <cpu-usage-high-watermark> ] [ memory-usage-low-watermark <memory-usage-low-watermark> ] [ memory-usage-high-watermark <memory-usage-high-watermark> ] [ threshold-detection-delay <threshold-detection-delay> ] ] | false } ]

Parameters

Parameter

Description

bypass-track

Indicates how the appliance will track events where the bypass mechanism is activated/deactivated

Options: none, log, alert

bypass-under-load

Indicates if the IPS engine will move to bypass mode if the appliance is under heavy load

Type: Boolean (true/false)

protection-scope

Indicates if the IPS blade will protect internal networks only or protect all networks (including external networks)

Options: protect-internal-hosts-only, perform-ips-inspection-on-all-traffic

Example

set ips engine-settings protection-scope protect-internal-hosts-only bypass-under-load true bypass-track none gateway-load-thresholds cpu-usage-low-watermark 75 cpu-usage-high-watermark 80 memory-usage-low-watermark 75 memory-usage-high-watermark 80 threshold-detection-delay 90

Output

Failure shows an appropriate error message.
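
An added example, not part of the vendor reference: a Python audit that replays a configuration script written in the syntax on this page and reports the effective settings in which IPS may go to bypass under load while bypass-track is none (or never set). It goes one step beyond this command and also reports interfaces where lan-access is accept while lan-access-track is none (see set interface). The sample script, the finding names and the watermark-order check are assumptions made for the example.

```python
import shlex

# Keywords below are the ones in the syntax lines on this page; each takes one value.
IPS_KEYS = {
    "protection-scope", "bypass-under-load", "bypass-track",
    "cpu-usage-low-watermark", "cpu-usage-high-watermark",
    "memory-usage-low-watermark", "memory-usage-high-watermark",
    "threshold-detection-delay",
}
LAN_KEYS = {"lan-access", "lan-access-track"}

# Constructed sample input, not an export from a real appliance.
SAMPLE_SCRIPT = """\
set ips engine-settings protection-scope protect-internal-hosts-only bypass-under-load true bypass-track none gateway-load-thresholds cpu-usage-low-watermark 75 cpu-usage-high-watermark 80 memory-usage-low-watermark 75 memory-usage-high-watermark 80 threshold-detection-delay 90
set interface Guest_Net lan-access accept lan-access-track none
set interface Office lan-access accept
set interface Office lan-access-track log
set interface Lab lan-access block lan-access-track none
set interface Guest_Net description "guest wifi"
"""


def tokenize(line):
    """Split a CLI line, honouring straight quotes; fall back to whitespace on bad quoting."""
    try:
        return shlex.split(line)
    except ValueError:
        return line.split()


def keyed_values(tokens, keys):
    """Collect `keyword value` pairs; bare keywords (gateway-load-thresholds) are skipped."""
    found = {}
    i = 0
    while i < len(tokens):
        if tokens[i] in keys and i + 1 < len(tokens):
            found[tokens[i]] = tokens[i + 1]
            i += 2
        else:
            i += 1
    return found


def audit(script):
    """Return (subject, finding) pairs for the settings in effect after every line is applied."""
    ips, interfaces = {}, {}
    for raw in script.splitlines():
        tokens = tokenize(raw.strip())
        if tokens[:3] == ["set", "ips", "engine-settings"]:
            # The advanced-settings form configures the legacy error page, not bypass.
            if tokens[3:4] != ["advanced-settings"]:
                ips.update(keyed_values(tokens[3:], IPS_KEYS))
        elif tokens[:2] == ["set", "interface"] and len(tokens) > 2:
            opts = interfaces.setdefault(tokens[2], {})
            opts.update(keyed_values(tokens[3:], LAN_KEYS))

    findings = []
    if ips.get("bypass-under-load") == "true":
        track = ips.get("bypass-track")
        if track == "none":
            # IPS can stop inspecting under load and nothing records that it did.
            findings.append(("ips", "bypass-untracked"))
        elif track is None:
            # The script never sets it; the effective value has to be read from the device.
            findings.append(("ips", "bypass-track-not-set"))
        for res in ("cpu", "memory"):
            low = ips.get(f"{res}-usage-low-watermark", "")
            high = ips.get(f"{res}-usage-high-watermark", "")
            # Assumption: a low watermark above the high one is a configuration mistake.
            if low.isdigit() and high.isdigit() and int(low) > int(high):
                findings.append(("ips", f"{res}-watermarks-inverted"))

    for name, opts in interfaces.items():
        # Access to local networks is allowed and that traffic is not logged.
        if opts.get("lan-access") == "accept" and opts.get("lan-access-track") == "none":
            findings.append((name, "lan-access-unlogged"))
    return findings


if __name__ == "__main__":
    for subject, finding in audit(SAMPLE_SCRIPT):
        print(f"{subject}: {finding}")
```

Settings are merged across lines before they are evaluated, so an option set in one command and changed by a later one is judged by its final value.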

set ips engine-settings

Description

Configures advanced IPS engine settings. This command configures a legacy error page shown in some legacy IPS HTTP protections.

Syntax

set ips engine-settings advanced-settings AboutConfigIPSErrorPageConfig [ status-code-desc <status-code-desc> ] [ show-error-code <show-error-code> ] [ logo-url <logo-url> ] [ send-detailed-status-code <send-detailed-status-code> ] [ enable-logo-url <enable-logo-url> ]

Parameters

Parameter

Description

n/a

 

Example

set ips engine-settings advanced-settings AboutConfigIPSErrorPageConfig status-code-desc "This is a comment." show-error-code true logo-url http://www.checkpoint.com/ send-detailed-status-code true enable-logo-url true

Output

Failure shows an appropriate error message.

set ips engine-settings

Description

Configures advanced IPS engine settings. This command configures a legacy error page shown in some legacy IPS HTTP protections.

Syntax

set ips engine-settings advanced-settings AboutConfigIPSErrorPage [ send-error-code <send-error-code> ] [ error-page-for-supported-web-protections <error-page-for-supported-web-protections> ] [ url <url> ]

Parameters

Parameter

Description

n/a

 

Example

set ips engine-settings advanced-settings AboutConfigIPSErrorPage send-error-code true error-page-for-supported-web-protections do-not-show url http://www.checkpoint.com/

Output

Failure shows an appropriate error message.

show ips engine-settings

Shows engine settings for the IPS blade.

show ips engine-settings

Description

Shows engine settings for the IPS blade.

Syntax

show ips engine-settings

Parameters

Parameter

Description

n/a

 

Example

show ips engine-settings

Output

Failure shows an appropriate error message.

show ips engine-settings

Description

Shows advanced engine settings for the IPS blade.

Syntax

show ips engine-settings advanced-settings

Parameters

Parameter

Description

n/a

 

Example

show ips engine-settings advanced-settings

Output

Failure shows an appropriate error message.

interface-loopback

add interface-loopback

Description

Adds a new loopback interface (a fixed interface in the system that is commonly used for dynamic routing purposes).

Syntax

add interface-loopback ipv4-address <ipv4-address> { mask-length <mask-length> | subnet-mask <subnet-mask> }

Parameters

Parameter

Description

ipv4-address

Enter the IP address of the interface

Type: IP address

mask-length

Represents the network’s mask length

Type: A string that contains numbers only

subnet-mask

Enter the Subnet mask of the specified network

Type: A subnet mask, or 255.255.255.255

Example

add interface-loopback ipv4-address 192.168.1.1 mask-length 20

Output

Failure shows an appropriate error message.

delete interface-loopback

Description

Deletes an existing configured loopback interface.

Syntax

delete interface-loopback <name>

Parameters

Parameter

Description

name

Network name

Type: A string that contains [A-Z], [0-9], ’_’, ’.’, ’-’ and ’/’ characters

Example

delete interface-loopback My_Network

Output

Failure shows an appropriate error message.

internet

set internet

Description

Configures advanced settings for internet connectivity.

Syntax

set internet advanced-settings reset-sierra-usb-on-lsi-event <reset-sierra-usb-on-lsi-event>

Parameters

Parameter

Description

n/a

 

Example

set internet advanced-settings reset-sierra-usb-on-lsi-event true

Output

Failure shows an appropriate error message.

show internet

Description

Shows advanced settings for the configured internet connectivity.

Syntax

show internet advanced-settings

Parameters

Parameter

Description

n/a

 

Example

show internet advanced-settings

Output

Failure shows an appropriate error message.

internet-connection

add internet-connection

Adds a new internet connection.

add internet-connection

Description

Adds a new internet connection using an existing physical interface (multiple internet connections can engage in High Availability/Load Sharing).

Syntax

WAN

For DHCP:

add internet-connection name <name> interface WAN type dhcp

Parameters

Parameter

Description

conn-test-timeout

Connection test timeout

Type: A number with no fractional part (integer)

interface

Interface name

Type: Press TAB to see available options

name

Connection name

Type: A string that contains [A-Z], [0-9], ’-’, ’@’, ’.’, ’_’ and space characters

type

Connection type

Type: Press TAB to see available options

vlan-id

VLAN ID

Type: A number with no fractional part (integer)

For Static:

add internet-connection name <name> interface WAN type static default-gw <default-gw> ipv4-address <ipv4-address> mask-length <mask-length>

add internet-connection name <name> interface WAN type static default-gw <default-gw> ipv4-address <ipv4-address> subnet-mask <subnet-mask> { dns-primary <dns-primary> dns-secondary <dns-secondary> dns-tertiary <dns-tertiary>} { use-connection-as-vlan vlan-id <vlan-id>} { conn-test-timeout <conn-test-timeout>}

Parameter

Description

conn-test-timeout

Connection test timeout

Type: A number with no fractional part (integer)

interface

Interface name

Type: Press TAB to see available options

default-gw

WAN default gateway (in the advanced section of PPTP and L2TP)

Type: IP address

dns-primary

First DNS server IP address

Type: IP address

dns-secondary

Second DNS server IP address

Type: IP address

dns-tertiary

Third DNS server IP address

Type: IP address

ipv4-address

IP address field (for static IP and bridge settings)

Type: IP address

mask-length

Subnet mask length

Type: A string that contains numbers only

name

Connection name

Type: A string that contains [A-Z], [0-9], ’-’, ’@’, ’.’, ’_’ and space characters

subnet-mask

Subnet mask

Type: A subnet mask, or 255.255.255.255

type

Connection type

Type: Press TAB to see available options

vlan-id

VLAN ID

Type: A number with no fractional part (integer)

For L2TP:

add internet-connection name <name> interface WAN type l2tp server <server> password-hash <password-hash>

add internet-connection name <name> interface WAN type l2tp server <server> password <password> username <username> { local-ipv4-address <local-ipv4-address> wan-ipv4-address <wan-ipv4-address> wan-mask-length <wan-mask-length> }

add internet-connection name <name> interface WAN type l2tp server <server> password <password> username <username> { local-ipv4-address <local-ipv4-address> wan-ipv4-address <wan-ipv4-address> wan-subnet-mask <wan-subnet-mask> default-gw <default-gw> } { is-unnumbered-pppoe <is-unnumbered-pppoe> local-ipv4-address <local-ipv4-address> }

Parameter

Description

conn-test-timeout

Connection test timeout

Type: A number with no fractional part (integer)

interface

Interface name

Type: Press TAB to see available options

default-gw

WAN default gateway (in the advanced section of PPTP and L2TP)

Type: IP address

is-unnumbered-pppoe

Unnumbered PPPoE lets you manage a range of IP addresses and dial only once

Type: Boolean (true/false)

local-ipv4-address

Local tunnel IP address or Auto for automatic

Type: An IP address, or 'auto'

name

Connection name

Type: A string that contains [A-Z], [0-9], ’-’, ’@’, ’.’, ’_’ and space characters

password

Password for PPP connection or cellular modem settings

Type: internetPassword

password-hash

The hash of the user password

Type: passwordHash

server

Server IP address

Type: IP address

type

Connection type

Type: Press TAB to see available options

username

User name for PPP connection or cellular modem settings

Type: A string that contains all printable characters except single or double quote-like characters. Usually <username>@<ISP>

vlan-id

VLAN ID

Type: A number with no fractional part (integer)

wan-ipv4-address

WAN IP address wrapper

Type: An IP address, or ’auto’

wan-mask-length

WAN subnet mask length

Type: A string that contains numbers only

wan-subnet-mask

WAN subnet mask (in the advanced section)

Type: Subnet mask

For PPPoE:

add internet-connection name <name> interface WAN type pppoe username <username> password-hash <password-hash>

add internet-connection name <name> interface WAN type pppoe username <username> password <password> { is-unnumbered-pppoe <is-unnumbered-pppoe> local-ipv4-address <local-ipv4-address> }

Parameter

Description

conn-test-timeout

Connection test timeout

Type: A number with no fractional part (integer)

interface

Interface name

Type: Press TAB to see available options

is-unnumbered-pppoe

Unnumbered PPPoE lets you manage a range of IP addresses and dial only once

Type: Boolean (true/false)

local-ipv4-address

Local tunnel IP address or Auto for automatic

Type: An IP address, or ’auto’

name

Connection name

Type: A string that contains [A-Z], [0-9], ’-’, ’@’, ’.’, ’_’ and space characters

password

Password for PPP connection or cellular modem settings

Type: internetPassword

password-hash

The hash of the user password

Type: passwordHash

type

Connection type

Type: Press TAB to see available options

username

User name for PPP connection or cellular modem settings

Type: A string that contains all printable characters except single or double quote-like characters. Usually <username>@<ISP>

vlan-id

VLAN ID

Type: A number with no fractional part (integer)

For PPTP:

add internet-connection name <name> interface WAN type pptp server <server> password-hash <password-hash>

add internet-connection name <name> interface WAN type pptp server <server> password <password> username <username> { local-ipv4-address <local-ipv4-address> wan-ipv4-address <wan-ipv4-address> wan-mask-length <wan-mask-length> }

add internet-connection name <name> interface WAN type pptp server <server> password <password> username <username> { local-ipv4-address <local-ipv4-address> wan-ipv4-address <wan-ipv4-address> wan-subnet-mask <wan-subnet-mask> default-gw <default-gw>} { is-unnumbered-pppoe <is-unnumbered-pppoe> local-ipv4-address <local-ipv4-address>}

Parameter

Description

conn-test-timeout

Connection test timeout

Type: A number with no fractional part (integer)

interface

Interface name

Type: Press TAB to see available options

default-gw

 

is-unnumbered-pppoe

Unnumbered PPPoE lets you manage a range of IP addresses and dial only once

Type: Boolean (true/false)

local-ipv4-address

Local tunnel IP address or Auto for automatic

Type: An IP address, or ’auto’

name

Connection name

Type: A string that contains [A-Z], [0-9], ’-’, ’@’, ’.’, ’_’ and space characters

password

Password for PPP connection or cellular modem settings

Type: internetPassword

password-hash

The hash of the user password

Type: passwordHash

server

Server IP address

Type: IP address

type

Connection type

Type: Press TAB to see available options

username

User name for PPP connection or cellular modem settings

Type: A string that contains all printable characters except single or double quote-like characters. Usually <username>@<ISP>

vlan-id

VLAN ID

Type: A number with no fractional part (integer)

wan-ipv4-address

WAN IP address wrapper

Type: An IP address, or ’auto’

wan-mask-length

WAN subnet mask length

Type: A string that contains numbers only

wan-subnet-mask

WAN subnet mask (in the advanced section)

Type: Subnet mask

ADSL

For EoA:

add internet-connection name <name> interface ADSL type eoa

Parameter

Description

conn-test-timeout

Connection test timeout

Type: A number with no fractional part (integer)

encapsulation

Encapsulation type for the ADSL connection

Options: llc, vcmux

interface

Interface name

Type: Press TAB to see available options

name

Connection name

Type: A string that contains [A-Z], [0-9], ’-’, ’@’, ’.’, ’_’ and space characters

standard

The ADSL standard to use

Options: multimode, t1413, glite, gdmt, adsl2, adsl2+

type

Connection type

Type: Press TAB to see available options

vci

VCI value for the ADSL connection

Type: A number between 0 and 65535

vpi

VPI value for the ADSL connection

Type: A number between 0 and 255

For PPPoA:

add internet-connection name <name> interface ADSL type pppoa username <username> password-hash <password-hash>

add internet-connection name <name> interface ADSL type pppoa username <username> password <password> { encapsulation <encapsulation> is-unnumbered-pppoe <is-unnumbered-pppoe> local-ipv4-address <local-ipv4-address> vci <vci> vpi <vpi> }

Parameter

Description

conn-test-timeout

Connection test timeout

Type: A number with no fractional part (integer)

encapsulation

Encapsulation type for the ADSL connection

Options: llc, vcmux

interface

Interface name

Type: Press TAB to see available options

is-unnumbered-pppoe

Unnumbered PPPoE lets you manage a range of IP addresses and dial only once

Type: Boolean (true/false)

local-ipv4-address

Local tunnel IP address or Auto for automatic

Type: An IP address, or ’auto’

name

Connection name

Type: A string that contains [A-Z], [0-9], ’-’, ’@’, ’.’, ’_’ and space characters

password

Password for PPP connection or cellular modem settings

Type: internetPassword

password-hash

The hash of the user password

Type: passwordHash

type

Connection type

Type: Press TAB to see available options

 

username

User name for PPP connection or cellular modem settings

Type: A string that contains all printable characters except single or double quote-like characters. Usually <username>@<ISP>

vci

VCI value for the ADSL connection

Type: A number between 0 and 65535

vpi

VPI value for the ADSL connection

Type: A number between 0 and 255

For PPPoE:

add internet-connection name <name> interface ADSL type pppoe username <username> password-hash <password-hash>

add internet-connection name <name> interface ADSL type pppoe username <username> password <password> { encapsulation <encapsulation> is-unnumbered-pppoe <is-unnumbered-pppoe> local-ipv4-address <local-ipv4-address> vci <vci> vpi <vpi>} { encapsulation <encapsulation> vci <vci> vpi <vpi>} { conn-test-timeout <conn-test-timeout> standard <standard>}

Parameter

Description

conn-test-timeout

Connection test timeout

Type: A number with no fractional part (integer)

encapsulation

Encapsulation type for the ADSL connection

Options: llc, vcmux

interface

Interface name

Type: Press TAB to see available options

is-unnumbered-pppoe

Unnumbered PPPoE lets you manage a range of IP addresses and dial only once

Type: Boolean (true/false)

local-ipv4-address

Local tunnel IP address or Auto for automatic

Type: An IP address, or ’auto’

name

Connection name

Type: A string that contains [A-Z], [0-9], ’-’, ’@’, ’.’, ’_’ and space characters

password

Password for PPP connection or cellular modem settings

Type: internetPassword

password-hash

The hash of the user password

Type: passwordHash

type

Connection type

Type: Press TAB to see available options

username

User name for PPP connection or cellular modem settings

Type: A string that contains all printable characters except single or double quote-like characters. Usually <username>@<ISP>

vci

VCI value for the ADSL connection

Type: A number between 0 and 65535

vpi

VPI value for the ADSL connection

Type: A number between 0 and 255

DSL

For IPoE-Dynamic:

add internet-connection name <name> interface DSL type ipoe-dynamic

Parameter

Description

conn-test-timeout

Connection test timeout

Type: A number with no fractional part (integer)

encapsulation

Encapsulation type for the ADSL connection

Options: llc, vcmux

interface

Interface name

Type: Press TAB to see available options

name

Connection name

Type: A string that contains [A-Z], [0-9], ’-’, ’@’, ’.’, ’_’ and space characters

type

Connection type

Type: Press TAB to see available options

vci

VCI value for the ADSL connection

Type: A number between 0 and 65535

vlan-id

VLAN ID

Type: A number with no fractional part (integer)

vpi

VPI value for the ADSL connection

Type: A number between 0 and 255

For IPoE-Static:

add internet-connection name <name> interface DSL type ipoe-static default-gw <default-gw> ipv4-address <ipv4-address> mask-length <mask-length>

add internet-connection name <name> interface DSL type ipoe-static default-gw <default-gw> ipv4-address <ipv4-address> subnet-mask <subnet-mask> { dns-primary <dns-primary> dns-secondary <dns-secondary> dns-tertiary <dns-tertiary> }

Parameter

Description

conn-test-timeout

Connection test timeout

Type: A number with no fractional part (integer)

default-gw

WAN default gateway (in the advanced section of PPTP and L2TP)

Type: IP address

dns-primary

First DNS server IP address

Type: IP address

dns-secondary

Second DNS server IP address

Type: IP address

dns-tertiary

Third DNS server IP address

Type: IP address

encapsulation

Encapsulation type for the ADSL connection

Options: llc, vcmux

interface

Interface name

Type: Press TAB to see available options

ipv4-address

IP address field (for static IP and bridge settings)

Type: IP address

mask-length

Subnet mask length

Type: A string that contains numbers only

name

Connection name

Type: A string that contains [A-Z], [0-9], ’-’, ’@’, ’.’, ’_’ and space characters

subnet-mask

Subnet mask

Type: A subnet mask, or 255.255.255.255

type

Connection type

Type: Press TAB to see available options

vci

VCI value for the ADSL connection

Type: A number between 0 and 65535

vlan-id

VLAN ID

Type: A number with no fractional part (integer)

vpi

VPI value for the ADSL connection

Type: A number between 0 and 255

For PPPoE:

add internet-connection name <name> interface DSL type pppoe username <username> password-hash <password-hash>

add internet-connection name <name> interface DSL type pppoe username <username> password <password> { encapsulation <encapsulation> is-unnumbered-pppoe <is-unnumbered-pppoe> local-ipv4-address <local-ipv4-address> vci <vci> vpi <vpi> } { encapsulation <encapsulation> vci <vci> vpi <vpi> } { use-connection-as-vlan vlan-id <vlan-id> } { conn-test-timeout <conn-test-timeout>}

Parameter

Description

conn-test-timeout

Connection test timeout

Type: A number with no fractional part (integer)

encapsulation

Encapsulation type for the ADSL connection

Options: llc, vcmux

interface

Interface name

Type: Press TAB to see available options

is-unnumbered-pppoe

Unnumbered PPPoE lets you manage a range of IP addresses and dial only once

Type: Boolean (true/false)

local-ipv4-address

Local tunnel IP address or Auto for automatic

Type: An IP address, or 'auto'

name

Connection name

Type: A string that contains [A-Z], [0-9], ’-’, ’@’, ’.’, ’_’ and space characters

password

Password for PPP connection or cellular modem settings

Type: internetPassword

password-hash

The hash of the user password

Type: passwordHash

type

Connection type

Type: Press TAB to see available options

username

User name for PPP connection or cellular modem settings

Type: A string that contains all printable characters except single or double quote-like characters. Usually <username>@<ISP>

 

vci

VCI value for the ADSL connection

Type: A number between 0 and 65535

vlan-id

VLAN ID

Type: A number with no fractional part (integer)

vpi

VPI value for the ADSL connection

Type: A number between 0 and 255

DMZ

For DHCP:

add internet-connection name <name> interface DMZ type dhcp

Parameter

Description

conn-test-timeout

Connection test timeout

Type: A number with no fractional part (integer)

interface

Interface name

Type: Press TAB to see available options

name

Connection name

Type: A string that contains [A-Z], [0-9], ’-’, ’@’, ’.’, ’_’ and space characters

type

Connection type

Type: Press TAB to see available options

vlan-id

VLAN ID

Type: A number with no fractional part (integer)

For Static:

add internet-connection name <name> interface DMZ type static default-gw <default-gw> ipv4-address <ipv4-address> mask-length <mask-length>

add internet-connection name <name> interface DMZ type static default-gw <default-gw> ipv4-address <ipv4-address> subnet-mask <subnet-mask> { dns-primary <dns-primary> dns-secondary <dns-secondary> dns-tertiary <dns-tertiary>} { use-connection-as-vlan vlan-id <vlan-id>} { conn-test-timeout <conn-test-timeout>}

Parameter

Description

conn-test-timeout

Connection test timeout

Type: A number with no fractional part (integer)

interface

Interface name

Type: Press TAB to see available options

default-gw

WAN default gateway (in the advanced section of PPTP and L2TP)

Type: IP address

dns-primary

First DNS server IP address

Type: IP address

dns-secondary

Second DNS server IP address

Type: IP address

dns-tertiary

Third DNS server IP address

Type: IP address

ipv4-address

IP address field (for static IP and bridge settings)

Type: IP address

mask-length

Subnet mask length

Type: A string that contains numbers only

name

Connection name

Type: A string that contains [A-Z], [0-9], ’-’, ’@’, ’.’, ’_’ and space characters

subnet-mask

Subnet mask

Type: A subnet mask, or 255.255.255.255

type

Connection type

Type: Press TAB to see available options

vlan-id

VLAN ID

Type: A number with no fractional part (integer)

For L2TP:

add internet-connection name <name> interface DMZ type l2tp server <server> password-hash <password-hash>

add internet-connection name <name> interface DMZ type l2tp server <server> password <password> username <username> { local-ipv4-address <local-ipv4-address> wan-ipv4-address <wan-ipv4-address> wan-mask-length <wan-mask-length>

add internet-connection name <name> interface DMZ type l2tp server <server> password <password> username <username> { local-ipv4-address <local-ipv4-address> wan-ipv4-address <wan-ipv4-address> wan-subnet-mask <wan-subnet-mask> default-gw <default-gw>} { is-unnumbered-pppoe <is-unnumbered-pppoe> local-ipv4-address <local-ipv4-address>}

Parameter

Description

conn-test-timeout

Connection test timeout

Type: A number with no fractional part (integer)

interface

Interface name

Type: Press TAB to see available options

default-gw

WAN default gateway (in the advanced section of PPTP and L2TP)

Type: IP address

is-unnumbered-pppoe

Unnumbered PPPoE lets you manage a range of IP addresses and dial only once

Type: Boolean (true/false)

local-ipv4-address

Local tunnel IP address or Auto for automatic

Type: An IP address, or ’auto’

name

Connection name

Type: A string that contains [A-Z], [0-9], ’-’, ’@’, ’.’, ’_’ and space characters

password

Password for PPP connection or cellular modem settings

Type: internetPassword

password-hash

The hash of the user password

Type: passwordHash

server

Server IP address

Type: IP address

type

Connection type

Type: Press TAB to see available options

username

User name for PPP connection or cellular modem settings

Type: A string that contains all printable characters except single or double quote-like characters. Usually <username>@<ISP>

vlan-id

VLAN ID

Type: A number with no fractional part (integer)

wan-ipv4-address

WAN IP address wrapper

Type: An IP address, or ’auto’

wan-mask-length

WAN subnet mask length

Type: A string that contains numbers only

wan-subnet-mask

WAN subnet mask (in the advanced section)

Type: Subnet mask

For PPPoE:

add internet-connection name <name> interface DMZ type pppoe username <username> password-hash <password-hash>

add internet-connection name <name> interface DMZ type pppoe username <username> password <password> { is-unnumbered-pppoe <is-unnumbered-pppoe> local-ipv4-address <local-ipv4-address>}

Parameter

Description

conn-test-timeout

Connection test timeout

Type: A number with no fractional part (integer)

interface

Interface name

Type: Press TAB to see available options

is-unnumbered-pppoe

Unnumbered PPPoE lets you manage a range of IP addresses and dial only once

Type: Boolean (true/false)

local-ipv4-address

Local tunnel IP address or Auto for automatic

Type: An IP address, or ’auto’

name

Connection name

Type: A string that contains [A-Z], [0-9], ’-’, ’@’, ’.’, ’_’ and space characters

password

Password for PPP connection or cellular modem settings

Type: internetPassword

password-hash

The hash of the user password

Type: passwordHash

type

Connection type

Type: Press TAB to see available options

username

User name for PPP connection or cellular modem settings

Type: A string that contains all printable characters except single or double quote-like characters. Usually <username>@<ISP>

vlan-id

VLAN ID

Type: A number with no fractional part (integer)

For PPTP:

add internet-connection name <name> interface DMZ type pptp server <server> password-hash <password-hash>

add internet-connection name <name> interface DMZ type pptp server <server> password <password> username <username> { local-ipv4-address <local-ipv4-address> wan-ipv4-address <wan-ipv4-address> wan-mask-length <wan-mask-length>

add internet-connection name <name> interface DMZ type pptp server <server> password <password> username <username> { local-ipv4-address <local-ipv4-address> wan-ipv4-address <wan-ipv4-address> wan-subnet-mask <wan-subnet-mask> default-gw <default-gw>} { is-unnumbered-pppoe <is-unnumbered-pppoe> local-ipv4-address <local-ipv4-address>}

Parameter

Description

conn-test-timeout

Connection test timeout

Type: A number with no fractional part (integer)

interface

Interface name

Type: Press TAB to see available options

default-gw

WAN default gateway (in the advanced section of PPTP and L2TP)

Type: IP address

dns-primary

First DNS server IP address

Type: IP address

dns-secondary

Second DNS server IP address

Type: IP address

dns-tertiary

Third DNS server IP address

Type: IP address

encapsulation

Encapsulation type for the ADSL connection

Options: llc, vcmux

ipv4-address

IP address field (for static IP and bridge settings)

Type: IP address

is-unnumbered-pppoe

Unnumbered PPPoE lets you manage a range of IP addresses and dial only once

Type: Boolean (true/false)

isVlan

isVlan

Type: Boolean (true/false)

local-ipv4-address

Local tunnel IP address or Auto for automatic

Type: An IP address, or ’auto’

mask-length

Subnet mask length

Type: A string that contains numbers only

name

Connection name

Type: A string that contains [A-Z], [0-9], ’-’, ’@’, ’.’, ’_’ and space characters

password

Password for PPP connection or cellular modem settings

Type: internetPassword

password-hash

The hash of the user password

Type: passwordHash

server

Server IP address

Type: IP address

standard

The ADSL standard to use

Options: multimode, t1413, glite, gdmt, adsl2, adsl2+

subnet-mask

Subnet mask

Type: A subnet mask, or 255.255.255.255

type

Connection type

Type: Press TAB to see available options

username

User name for PPP connection or cellular modem settings

Type: A string that contains all printable characters except single or double quote-like characters. Usually <username>@<ISP>

vci

VCI value for the ADSL connection

Type: A number between 0 and 65535

vlan-id

VLAN ID

Type: A number with no fractional part (integer)

vpi

VPI value for the ADSL connection

Type: A number between 0 and 255

wan-ipv4-address

WAN IP address wrapper

Type: An IP address, or ’auto’

wan-mask-length

WAN subnet mask length

Type: A string that contains numbers only

wan-subnet-mask

WAN subnet mask (in the advanced section)

Type: Subnet mask

Example

add internet-connection name My connection interface WAN true vlan-id -1000000 type static ipv4-address 192.168.1.1 subnet-mask 255.255.255.0 default-gw 192.168.1.1 dns-primary 192.168.1.1 dns-secondary 192.168.1.1 dns-tertiary 192.168.1.1 conn-test-timeout -1000000

Output

Failure shows an appropriate error message.

add internet-connection

Description

Adds a new internet connection using an external 3G/4G modem connected directly to the appliance (multiple internet connections can engage in High Availability/Load Sharing).

Syntax

USB:

add internet-connection name <name> type analog use-serial-port false number <number> { username <username> password-hash <password-hash> }

add internet-connection name <name> type analog use-serial-port false number <number> { username <username> password <password> }

add internet-connection name <name> type analog use-serial-port true number <number> { username <username> password-hash <password-hash> }

add internet-connection name <name> type analog use-serial-port true number <number> username <username> password <password> { flow-control <flow-control> port-speed <port-speed>} { conn-test-timeout <conn-test-timeout>}

add internet-connection name <name> type cellular number <number> { conn-test-timeout <conn-test-timeout> name <name>} { apn <apn> username <username> password-hash <password-hash> }

add internet-connection name <name> type cellular number <number> { conn-test-timeout <conn-test-timeout> name <name>} { apn <apn> username <username> password <password> }

Parameters

Parameter

Description

apn

APN (cellular modem settings)

Type: A string that contains [a-z], [0-9], ’-’ and ’.’ characters

conn-test-timeout

Connection test timeout

Type: A number with no fractional part (integer)

flow-control

Flow control (serial port settings)

Options: rts-cts, xon-xoff

name

Connection name

Type: A string that contains [A-Z], [0-9], ’-’, ’@’, ’.’, ’_’ and space characters

number

Dialed number of the cellular modem settings

Type: A sequence of numbers and #,* characters

password

Password for PPP connection or cellular modem settings

Type: internetPassword

password-hash

The hash of the user password

Type: passwordHash

port-speed

Port speed (serial port settings)

Options: 9600, 19200, 38400, 57600, 115200, 230400

type

Connection type

Type: Press TAB to see available options

use-serial-port

Use serial port

Type: Boolean (true/false)

username

User name for PPP connection or cellular modem settings

Type: A string that contains all printable characters except single or double quote-like characters. Usually <username>@<ISP>

Example

add internet-connection type analog use-serial-port true number 758996 username MyUsername@MyISP password internetPassword port-speed 9600 flow-control rts-cts conn-test-timeout 50 name My connection

Output

Failure shows an appropriate error message.

delete internet-connection

Deletes an existing internet connection or internet connection related configuration.

delete internet-connection

Description

Deletes an existing internet connection by name.

Syntax

delete internet-connection <name>

Parameters

Parameter

Description

name

Connection name

Type: A string that contains [A-Z], [0-9], ’-’, ’@’, ’.’, ’_’ and space characters

Example

delete internet-connection My connection

Output

Failure shows an appropriate error message.

delete internet-connection

Description

Deletes an existing internet connection’s ping servers, configured for connection health monitoring.

Syntax

delete internet-connection <name> probe-icmp-servers [ first ] [ second ] [ third ]

Parameters

Parameter

Description

name

Connection name

Type: A string that contains [A-Z], [0-9], ’-’, ’@’, ’.’, ’_’ and space characters

Example

delete internet-connection My connection probe-icmp-servers first second third

Output

Failure shows an appropriate error message.

delete internet-connections

Description

Deletes all existing internet connections.

Syntax

delete internet-connections

Parameters

Parameter

Description

n/a

 

Example

delete internet-connections

Output

Failure shows an appropriate error message.

set internet-connection

Configures internet connections settings.

set internet-connection

Description

Configures an existing internet connection.

Syntax

set internet-connection <name> [ auto-negotiation <auto-negotiation> ] [ link-speed <link-speed> ] [ mtu <mtu> ] [ mac-addr <mac-addr> ]

Parameters

Parameter

Description

auto-negotiation

Disable auto negotiation and manually define negotiation link speed

Options: on, off

link-speed

Link speed

Options: 100/full, 100/half, 10/full, 10/half

mac-addr

Default MAC address wrapper

Type: A MAC address or ’default’

mtu

MTU size. Select ’default’ for default value.

Type: A string of alphanumeric characters without space between them

name

Connection name

Type: A string that contains [A-Z], [0-9], ’-’, ’@’, ’.’, ’_’ and space characters

Example

set internet-connection My connection auto-negotiation on link-speed 100/full mtu word mac-addr 00:1C:7F:21:05:BE

Output

Failure shows an appropriate error message.

set internet-connection

Description

Configures advanced settings for an existing internet connection.

Syntax

set internet-connection <name> connect-on-demand <connect-on-demand>

Parameters

Parameter

Description

connect-on-demand

Holds the status of the connect on demand feature

Type: Boolean (true/false)

name

Connection name

Type: A string that contains [A-Z], [0-9], ’-’, ’@’, ’.’, ’_’ and space characters

Example

set internet-connection My connection connect-on-demand true

Output

Failure shows an appropriate error message.

set internet-connection

Description

Enable/Disable an existing internet connection.

Syntax

set internet-connection <name> { enable | disable }

Parameters

Parameter

Description

name

Connection name

Type: A string that contains [A-Z], [0-9], ’-’, ’@’, ’.’, ’_’ and space characters

state

Connection enabled/disabled

Type: Boolean (true/false)

Example

set internet-connection My connection true

Output

Failure shows an appropriate error message.

set internet-connection

Description

Configures advanced settings for an existing internet connection. Download bandwidth details allow QoS blade to run on this internet connection in locally/SMP managed mode and when managed using an LSM profile.

Syntax

set internet-connection <name> qos-download { true [ bandwidth <bandwidth> ]| false }

Parameters

Parameter

Description

bandwidth

ISP download bandwidth

Type: A number with no fractional part (integer)

name

Connection name

Type: A string that contains [A-Z], [0-9], ’-’, ’@’, ’.’, ’_’ and space characters

qos-download

Enable QoS (quality of service) restriction on inbound traffic (download)

Type: Boolean (true/false)

Example

set internet-connection My connection qos-download true bandwidth 100

Output

Failure shows an appropriate error message.

set internet-connection

Description

Configures advanced settings for an existing internet connection. Upload bandwidth details allow QoS blade to run on this internet connection in locally/SMP managed mode and when managed using an LSM profile.

Syntax

set internet-connection <name> qos-upload { true [ bandwidth <bandwidth> ] | false }

Parameters

Parameter

Description

bandwidth

ISP upload bandwidth

Type: A number with no fractional part (integer)

name

Connection name

Type: A string that contains [A-Z], [0-9], ’-’, ’@’, ’.’, ’_’ and space characters

qos-upload

Enable QoS (quality of service) restriction on outbound traffic (upload)

Type: Boolean (true/false)

Example

set internet-connection My connection qos-upload true bandwidth 5

Output

Failure shows an appropriate error message.

set internet-connection

Description

Configure hide NAT behavior on an existing internet connection. It is possible to disable hide-NAT from a specific internet connection.

Syntax

set internet-connection <name> disable-nat <disable-nat>

Parameters

Parameter

Description

disable-nat

Disable NAT (Network Address Translation) for traffic going through this Internet connection

Type: Boolean (true/false)

name

Connection name

Type: A string that contains [A-Z], [0-9], ’-’, ’@’, ’.’, ’_’ and space characters

Example

set internet-connection My connection disable-nat true

Output

Failure shows an appropriate error message.

set internet-connection

Description

Configures multiple ISP settings for an existing internet connection.

Syntax

set internet-connection <name> ha-priority <ha-priority> load-balancing-weight <load-balancing-weight>

Parameters

Parameter

Description

ha-priority

Priority of the connection in HA

Type: A number with no fractional part (integer)

load-balancing-weight

Internet connection weight for load balancing configuration

Type: A number with no fractional part (integer)

name

Connection name

Type: A string that contains [A-Z], [0-9], ’-’, ’@’, ’.’, ’_’ and space characters

Example

set internet-connection My connection ha-priority 2 load-balancing-weight 15

Output

Failure shows an appropriate error message.

set internet-connection

Description

Configures advanced settings for an existing internet connection. It is possible to remove a configured internet connection from being used as a default route, making it available for traffic through manual/dynamic routing rules.

Syntax

set internet-connection <name> route-traffic-through-default-gateway <route-traffic-through-default-gateway>

Parameters

Parameter

Description

name

Connection name

Type: A string that contains [A-Z], [0-9], ’-’, ’@’, ’.’, ’_’ and space characters

route-traffic-through-default-gateway

In order to route traffic through this connection you need to add specific routes through it

Type: Boolean (true/false)

Example

set internet-connection My connection route-traffic-through-default-gateway true

Output

Failure shows an appropriate error message.

set internet-connection

Description

Configures settings for an existing internet connection.

Syntax

set internet-connection <name> type { dhcp | pptp username <username> { password <password> | password-hash <password-hash> } [ local-ipv4-address <local-ipv4-address> ] [ is-unnumbered-pppoe <is-unnumbered-pppoe> ] server <server> [ local-ipv4-address <local-ipv4-address> ] [ wan-ipv4-address <wan-ipv4-address> { wan-subnet-mask <wan-subnet-mask> | wan-mask-length <wan-mask-length> } default-gw <default-gw> ] | static ipv4-address <ipv4-address> { subnet-mask <subnet-mask> | mask-length <mask-length> } default-gw <default-gw> [ dns-primary <dns-primary> ] [ dns-secondary <dns-secondary> ] [ dns-tertiary <dns-tertiary> ] | l2tp username <username> { password <password> | password-hash <password-hash> } [ local-ipv4-address <local-ipv4-address> ] [ is-unnumbered-pppoe <is-unnumbered-pppoe> ] server <server> [ local-ipv4-address <local-ipv4-address> ] [ wan-ipv4-address <wan-ipv4-address> { wan-subnet-mask <wan-subnet-mask> | wan-mask-length <wan-mask-length> } default-gw <default-gw> ] }

Parameters

Parameter

Description

default-gw

Default gateway

Type: IP address

dns-primary

First DNS server IP address

Type: IP address

dns-secondary

Second DNS server IP address

Type: IP address

dns-tertiary

Third DNS server IP address

Type: IP address

ipv4-address

IP address field (for static IP and bridge settings)

Type: IP address

is-unnumbered-pppoe

Unnumbered PPPoE lets you manage a range of IP addresses and dial only once.

Type: Boolean (true/false)

local-ipv4-address

Local tunnel IP address or Auto for automatic

Type: An IP address, or ’auto’

mask-length

Subnet mask length

Type: A string that contains numbers only

name

Connection name

Type: A string that contains [A-Z], [0-9], ’-’, ’@’, ’.’, ’_’ and space characters

password

Password for PPP connection or cellular modem settings

Type: internetPassword

password-hash

The hash of the user password

Type: passwordHash

server

Server IP address

Type: IP address

subnet-mask

Subnet mask

Type: A subnet mask, or 255.255.255.255

type

Connection type

Type: Press TAB to see available options

username

User name for PPP connection or cellular modem settings

Type: A string that contains all printable characters except single or double quote-like characters. Usually <username>@<ISP>

wan-ipv4-address

WAN IP address wrapper

Type: An IP address, or ’auto’

wan-mask-length

WAN subnet mask length

Type: A string that contains numbers only

wan-subnet-mask

WAN subnet mask (in the advanced section)

Type: Subnet mask

Example

set internet-connection My connection type dhcp

Output

Failure shows an appropriate error message.

set internet-connection

Description

Configures advanced settings for an existing internet connection.

Syntax

set internet-connection <name> type { pppoa username <username> { password <password> | password-hash <password-hash> } [ local-ipv4-address <local-ipv4-address> ] [ is-unnumbered-pppoe <is-unnumbered-pppoe> ] [ vpi <vpi> ] [ vci <vci> ] [ encapsulation <encapsulation> ] | eoa }

Parameters

Parameter

Description

encapsulation

Encapsulation type for the ADSL connection

Options: llc, vcmux

is-unnumbered-pppoe

Unnumbered PPPoE lets you manage a range of IP addresses and dial only once.

Type: Boolean (true/false)

local-ipv4-address

Local tunnel IP address or Auto for automatic

Type: An IP address, or ’auto’

name

Connection name

Type: A string that contains [A-Z], [0-9], ’-’, ’@’, ’.’, ’_’ and space characters

password

Password for PPP connection or cellular modem settings

Type: internetPassword

password-hash

The hash of the user password.

Type: passwordHash

type

Connection type

Type: Press TAB to see available options

username

User name for PPP connection or cellular modem settings

Type: A string that contains all printable characters except single or double quote-like characters. Usually <username>@<ISP>

vci

VCI value for the ADSL connection

Type: A number between 0 and 65535

vpi

VPI value for the ADSL connection

Type: A number between 0 and 255

Example

set internet-connection My connection type pppoe username MyUsername@MyISP password internetPassword local-ipv4-address auto is-unnumbered-pppoe true vpi 42 vci 42 encapsulation llc

Output

Failure shows an appropriate error message.

set internet-connection

Description

Configures advanced settings for an existing internet connection. This command is available only for hardware that contains a DSL port.

Syntax

set internet-connection <name> type { pppoa [ method <method> ] [ idle-time <idle-time> ] [ standard <standard> ] | eoa [ vpi <vpi> ] [ vci <vci> ] [ encapsulation <encapsulation> ] [ wan-ipv4-address <wan-ipv4-address> { wan-subnet-mask <wan-subnet-mask> | wan-mask-length <wan-mask-length> } default-gw <default-gw> ] [ standard <standard> ] }

Parameters

Parameter

Description

default-gw

WAN default gateway (in the advanced section of PPTP and L2TP)

Type: IP address

encapsulation

Encapsulation for the ADSL connection

Options: llc, vcmux

idle-time

Disconnect idle time

Type: A number with no fractional part (integer)

method

Authentication method

Options: auto, pap, chap

name

Connection name

Type: A string that contains [A-Z], [0-9], ’-’, ’@’, ’.’, ’_’ and space characters

standard

The ADSL standard to use

Options: multimode, t1413, glite, gdmt, adsl2, adsl2+

type

Connection type

Type: Press TAB to see available options

vci

VCI value for the ADSL connection

Type: A number between 0 and 65535

vpi

VPI value for the ADSL connection

Type: A number between 0 and 255

wan-ipv4-address

WAN IP address wrapper

Type: An IP address, or ’auto’

wan-mask-length

WAN subnet mask length

Type: A string that contains numbers only

wan-subnet-mask

WAN subnet mask (in the advanced section)

Type: Subnet mask

Example

set internet-connection My connection type pppoa method auto idle-time -1000000 standard multimode

Output

Failure shows an appropriate error message.

set internet-connection

Description

Configures advanced settings for an existing internet connection. This command is available only for hardware that contains a DSL port.

Syntax

set internet-connection <name> type { pppoe [ username <username> ] [ { password <password> | password-hash <password-hash> } ] [ [ { use-connection-as-vlan } vlan-id <vlan-id> ] ] [ local-ipv4-address <local-ipv4-address> ] [ is-unnumbered-pppoe <is-unnumbered-pppoe> ] [ vpi <vpi> ] [ vci <vci> ] [ encapsulation <encapsulation> ] [ method <method> ] [ idle-time <idle-time> ] [ standard <standard> ] | ipoe-dynamic [ { use-connection-as-vlan } vlan-id <vlan-id> ] [ vpi <vpi> ] [ vci <vci> ] [ encapsulation <encapsulation> ] | ipoe-static ipv4-address <ipv4-address> { subnet-mask <subnet-mask> | mask-length <mask-length> } default-gw <default-gw> [ dns-primary <dns-primary> ] [ dns-secondary <dns-secondary> ] [ dns-tertiary <dns-tertiary> ] [ { use-connection-as-vlan } vlan-id <vlan-id> ] [ vpi <vpi> ] [ vci <vci> ] [ encapsulation <encapsulation> ] }

Parameters

Parameter

Description

default-gw

Default gateway

Type: IP address

dns-primary

First DNS server IP address

Type: IP address

dns-secondary

Second DNS server IP address

Type: IP address

dns-tertiary

Third DNS server IP address

Type: IP address

encapsulation

Encapsulation type for the ADSL connection

Options: llc, vcmux

idle-time

Disconnect idle time

Type: A number with no fractional part (integer)

ipv4-address

IP address field (for static IP and bridge settings)

Type: IP address

is-unnumbered-pppoe

Unnumbered PPPoE lets you manage a range of IP addresses and dial only once

Type: Boolean (true/false)

isVlan

isVlan

Type: Boolean (true/false)

local-ipv4-address

Local tunnel IP address or Auto for automatic

Type: An IP address, or 'auto'

mask-length

Subnet mask length

Type: A string that contains numbers only

method

Authentication method

Options: auto, pap, chap

name

Connection name

Type: A string that contains [A-Z], [0-9], ’-’, ’@’, ’.’, ’_’ and space characters

password

Password for PPP connection or cellular modem settings

Type: internetPassword

password-hash

The hash of the user password

Type: passwordHash

standard

The ADSL standard to use

Options: multimode, t1413, glite, gdmt, adsl2, adsl2+

subnet-mask

Subnet mask

Type: A subnet mask, or 255.255.255.255

type

Connection type

Type: Press TAB to see available options

username

User name for PPP connection or cellular modem settings

Type: A string that contains all printable characters except single or double quote-like characters. Usually <username>@<ISP>

vci

VCI value for the ADSL connection

Type: A number between 0 and 65535

vlan-id

VLAN ID

Type: A number with no fractional part (integer)

vpi

VPI value for the ADSL connection

Type: A number between 0 and 255

Example

set internet-connection My connection type pppoe username MyUsername@MyISP password internetPassword true vlan-id -1000000 local-ipv4-address auto is-unnumbered-pppoe true vpi 42 vci 42 encapsulation llc method auto idle-time -1000000 standard multimode

Output

Failure shows an appropriate error message.

set internet-connection

Description

Configures settings for an existing internet connection.

Syntax

set internet-connection <name> type { cellular number <number> [ username <username> { password <password> | password-hash <password-hash> } ] [ apn <apn> ] }

Parameters

Parameter

Description

apn

APN (cellular modem settings)

Type: A string that contains [a-z], [0-9], ’-’ and ’.’ characters

name

Connection name

Type: A string that contains [A-Z], [0-9], ’-’, ’@’, ’.’, ’_’ and space characters

number

Dialed number of the cellular modem settings

Type: A sequence of numbers and #,* characters

password

Password for PPP connection or cellular modem settings

Type: internetPassword

password-hash

The hash of the user password

Type: passwordHash

type

Connection type

Type: Press TAB to see available options

username

User name for PPP connection or cellular modem settings

Type: A string that contains all printable characters except single or double quote-like characters. Usually <username>@<ISP>

Example

set internet-connection My connection type cellular number 758996 username MyUsername@MyISP password internetPassword apn my-apn

Output

Failure shows an appropriate error message.

set internet-connection

Description

Configures health monitoring settings for an existing internet connection.

Syntax

set internet-connection <name> probe-next-hop <probe-next-hop> [ probe-servers <probe-servers> ][ probing-method <probing-method> ]

Parameters

Parameter

Description

name

Connection name

Type: A string that contains [A-Z], [0-9], ’-’, ’@’, ’.’, ’_’ and space characters

probe-next-hop

Automatically detect loss of connectivity to the default gateway

Type: Boolean (true/false)

probe-servers

Monitor connection state by sending probe packets to one or more servers on the Internet

Type: Boolean (true/false)

probing-method

Connection probing method

Options: icmp, dns

Example

set internet-connection My connection probe-next-hop true probe-servers true probing-method icmp

Output

Failure shows an appropriate error message.

set internet-connection

Description

Configures health monitoring settings for an existing internet connection.

Syntax

set internet-connection <name> { probe-icmp-servers } first <first> [ second <second> ] [ third <third> ]

Parameters

Parameter

Description

first

First IP address for the probing method (when using connection monitoring)

Type: An IP address or host name

name

Connection name

Type: A string that contains [A-Z], [0-9], ’-’, ’@’, ’.’, ’_’ and space characters

probing-method

Connection probing method

Options: icmp, dns

second

Second IP address for the probing method (when using connection monitoring)

Type: An IP address or host name

third

Third IP address for the probing method (when using connection monitoring)

Type: An IP address or host name

Example

set internet-connection My connection icmp first myHost.com second myHost.com third myHost.com

Output

Failure shows an appropriate error message.

show internet-connection

Shows configuration and details of defined internet connections.

show internet-connection

Description

Shows configuration and details of a defined internet connection.

Syntax

show internet-connection <name>

Parameters

Parameter

Description

name

Connection name

Type: A string that contains [A-Z], [0-9], ’-’, ’@’, ’.’, ’_’ and space characters

Example

show internet-connection My connection

Output

Failure shows an appropriate error message.

show internet-connection

Description

Shows configured ping servers for health monitoring of a defined internet connection.

Syntax

show internet-connection <name> icmp-servers

Parameters

Parameter

Description

name

Connection name

Type: A string that contains [A-Z], [0-9], ’-’, ’@’, ’.’, ’_’ and space characters

Example

show internet-connection My connection icmp-servers

Output

Failure shows an appropriate error message.

show internet-connections

Description

Shows details and configuration of all internet connections.

Syntax

show internet-connections

Parameters

Parameter

Description

n/a

 

Example

show internet-connections

Output

Failure shows an appropriate error message.

show internet-connections table

Description

Shows details and configuration of all internet connections in a table.

Syntax

show internet-connections table

Parameters

Parameter

Description

n/a

 

Example

show internet-connections table

Output

Failure shows an appropriate error message.

internet mode

set internet mode

Description

Configures multiple ISP internet connections behavior. Determines whether traffic will be distributed automatically across the defined active Internet connections according to the configured load balancing weights or use the default High Availability behavior based on priorities of each internet connection.

Syntax

set internet mode { load-balancing | high-availability }

Parameters

Parameter

Description

lb-mode

The load balancing mode

Options: on, off

Example

set internet mode on

Output

Failure shows an appropriate error message.

show internet mode

Description

Shows multiple internet connections mode (High Availability or Load Sharing).

Syntax

show internet mode

Parameters

Parameter

Description

n/a

 

Example

show internet mode

Output

Failure shows an appropriate error message.

ip-fragments-params

set ip-fragments-params

Configures how the appliance handles IP fragments.

set ip-fragments-params

Description

Configures how the appliance handles IP fragments.

Syntax

set ip-fragments-params advanced-settings minsize <minsize>

Parameters

Parameter

Description

n/a

 

Example

set ip-fragments-params advanced-settings minsize 150

Output

Failure shows an appropriate error message.

set ip-fragments-params

Description

Configures how the appliance handles IP fragments.

Syntax

set ip-fragments-params advanced-settings config [ track <track> ] [ limit <limit> ] [ advanced-state <advanced-state> ] [ timeout <timeout> ] [ pkt-cap <pkt-cap> ]

Parameters

Parameter

Description

n/a

 

Example

set ip-fragments-params advanced-settings config track none limit 150 advanced-state forbid timeout 15 pkt-cap true

Output

Failure shows an appropriate error message.

show ip-fragments-params

Description

Shows configuration of IP fragments handling.

Syntax

show ip-fragments-params advanced-settings

Parameters

Parameter

Description

n/a

 

Example

show ip-fragments-params advanced-settings

Output

Failure shows an appropriate error message.

ipv6-state

set ipv6-state

Description

Enables the IPv6 mode of the appliance.

Syntax

set ipv6-state

Parameters

Parameter

Description

n/a

 

Example

set ipv6-state

Output

Failure shows an appropriate error message.

show ipv6-state

Description

Shows whether the IPv6 mode of the appliance is enabled or disabled.

Syntax

show ipv6-state

Parameters

Parameter

Description

n/a

 

Example

show ipv6-state

Output

Failure shows an appropriate error message.

license

fetch license

Description

Fetches a license from one of these locations:

Syntax

fetch license {local [file <file_name>]|usercenter|usb [file <file_name>]}

Parameters

Parameter

Description

file_name

Name of the file that contains the license

Return Value

0 on success, 1 on failure

Example

fetch license usb file LicenseFile.xml

Output

Success shows OK. Failure shows an appropriate error message.

show license

Description

Shows current license state.

Syntax

show license

Parameters

Parameter

Description

n/a

 

Example

show license

Output

Current license state

local-group

add local-group

Description

Adds a new group for user objects.

Syntax

add local-group name <name> [ comments <comments> ] [ remote-access-on <remote-access-on> ]

Parameters

Parameter

Description

comments

Comments

Type: A string that contains less than 257 characters, of this set: 0-9, a-z or , . - : () @

name

Local group name

Type: A string that begins with a letter and contains up to 32 alphanumeric (0-9, a-z, _ - .) characters without spaces

remote-access-on

Indicates if the user group has remote access permissions

Type: Boolean (true/false)

Example

add local-group name myObject_17 comments "This is a comment." remote-access-on true

Output

Failure shows an appropriate error message.

delete local-group

Deletes an existing group object for user objects.

delete local-group

Description

Deletes an existing group object for user objects by group object name.

Syntax

delete local-group name <name>

Parameters

Parameter

Description

name

Local group name

Type: A string that begins with a letter and contains up to 32 alphanumeric (0-9, a-z, _ - .) characters without spaces

Example

delete local-group name myObject_17

Output

Failure shows an appropriate error message.

delete local-group

Description

Deletes all existing group objects for user objects.

Syntax

delete local-group all

Parameters

Parameter

Description

n/a

 

Example

delete local-group all

Output

Failure shows an appropriate error message.

set local-group

Configures an existing user group object.

set local-group

Description

Configures an existing user group object.

Syntax

set local-group name <name> [ new-name <new-name> ] [ comments <comments> ] [ remote-access-on <remote-access-on> ]

Parameters

Parameter

Description

comments

Comments

Type: A string that contains less than 257 characters, of this set: 0-9, a-z or , . - : () @

name

Local group name

Type: A string that begins with a letter and contains up to 32 alphanumeric (0-9, a-z, _ - .) characters without spaces

new-name

Local group name

Type: A string that begins with a letter and contains up to 32 alphanumeric (0-9, a-z, _ - .) characters without spaces

remote-access-on

Indicates if the user group has remote access permissions

Type: Boolean (true/false)

Example

set local-group name myObject_17 new-name myObject_17 comments "This is a comment." remote-access-on true

Output

Failure shows an appropriate error message.

set local-group

Description

Adds a bookmark to be shown in the SNX landing page to an existing user group object. This is relevant only if users in this group have VPN remote access privileges.

Syntax

set local-group name <name> add bookmark label <bookmark label>

Parameters

Parameter

Description

bookmark label

Text for the bookmark in the SSL Network Extender portal

name

Local group name

Type: A string that begins with a letter and contains up to 32 alphanumeric (0-9, a-z, _ - .) characters without spaces

Example

set local-group name myObject_17 add bookmark label myLabel

Output

Failure shows an appropriate error message.

set local-group

Description

Removes a bookmark from being shown in the SNX landing page to an existing user group object. This is relevant only if users in this group have VPN remote access privileges.

Syntax

set local-group name <name> remove bookmark label <bookmark label>

Parameters

Parameter

Description

bookmark label

Text for the bookmark in the SSL Network Extender portal

name

Local group name

Type: A string that begins with a letter and contains up to 32 alphanumeric (0-9, a-z, _ - .) characters without spaces

Example

set local-group name myObject_17 remove bookmark label myLabel

Output

Failure shows an appropriate error message.

show local-group

Description

Shows the content of a user group object.

Syntax

show local-group name <name>

Parameters

Parameter

Description

name

Local group name

Type: A string that begins with a letter and contains up to 32 alphanumeric (0-9, a-z, _ - .) characters without spaces

Example

show local-group name myObject_17

Output

Failure shows an appropriate error message.

show local-groups

Description

Shows the content of all user group objects.

Syntax

show local-groups

Parameters

Parameter

Description

n/a

 

Example

show local-groups

Output

Failure shows an appropriate error message.

set local-group users

Configures an existing user group object.

set local-group users

Description

Adds a user to an existing user group object.

Syntax

set local-group users name <name> add user-name <user-name>

Parameters

Parameter

Description

name

Local group name

Type: A string that begins with a letter and contains up to 32 alphanumeric (0-9, a-z, _ - .) characters without spaces

user-name

User’s name in the local database

Example

set local-group users name myObject_17 add user-name admin

Output

Failure shows an appropriate error message.

set local-group users

Description

Removes a user from an existing user group object.

Syntax

set local-group users name <name> remove user-name <user-name>

Parameters

Parameter

Description

name

Local group name

Type: A string that begins with a letter and contains up to 32 alphanumeric (0-9, a-z, _ - .) characters without spaces

user-name

User’s name in the local database

Example

set local-group users name myObject_17 remove user-name admin

Output

Failure shows an appropriate error message.

local-user

add local-user

Description

Adds a new locally defined user object and configures its VPN remote access permissions.

Syntax

add local-user name <name> { password-hash <password-hash> | password <password> } [ comments <comments> ] [ remote-access-always-on <remote-access-always-on> ] [ is-temp-user { true expiration-date <expiration-date> [ expiration-time <expiration-time> ] | false } ]

Parameters

Parameter

Description

comments

Comments

Type: A string that contains less than 257 characters, of this set: 0-9, a-z or , . - : () @

expiration-date

Expiration date for a temporary user in format yyyy-mm-dd

Type: A date format yyyy-mm-dd

expiration-time

Expiration time for a temporary user in format HH:MM

Type: A time format hh:mm

is-temp-user

Indicates if the user entry is temporary

Type: Boolean (true/false)

name

User’s name in the local database

Type: A string that contains (0-9, a-z, - . @) up to 64 characters without spaces

password

User’s password in the local database

Type: A string that contains alphanumeric and special characters

password-hash

User’s hashed password (used for importing database)

Type: An encrypted password

remote-access-always-on

Always enable remote access permission for user

Type: Boolean (true/false)

Example

add local-user name admin password-hash TZXPLs20bN0RA comments "This is a comment." remote-access-always-on true is-temp-user true expiration-date 2000-01-01 expiration-time 23:20

Output

Failure shows an appropriate error message.
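The type constraints listed for add local-user can be checked offline before a provisioning script is pasted into the appliance. The following linter is an added example, not part of the original guide or the vendor's tooling; the function names are hypothetical, flagging a plaintext `password` is a policy choice of this example, and only the date is compared against today because the guide does not say what time applies when expiration-time is omitted.

```python
import re
import shlex
from datetime import date, datetime

# Type constraints copied from the parameter table for add local-user.
NAME_RE = re.compile(r"[0-9a-z.@-]{1,64}")
KNOWN = {"name", "password", "password-hash", "comments",
         "remote-access-always-on", "is-temp-user",
         "expiration-date", "expiration-time"}


def _parse(value, pattern, fmt):
    """Strictly parse a date or time; return None if the format is wrong."""
    if not re.fullmatch(pattern, value):
        return None
    try:
        return datetime.strptime(value, fmt)
    except ValueError:
        return None


def lint_add_local_user(line, today):
    """Return a list of findings for one command line; [] means clean."""
    try:
        # Manuals often typeset quotes as curly; normalise before splitting.
        tokens = shlex.split(line.replace("\u201c", '"').replace("\u201d", '"'))
    except ValueError as exc:
        return ["unparseable quoting: %s" % exc]
    if tokens[:2] != ["add", "local-user"]:
        return ["not an 'add local-user' command"]
    rest = tokens[2:]
    if len(rest) % 2:
        return ["parameter without a value: " + rest[-1]]
    args = dict(zip(rest[0::2], rest[1::2]))
    out = ["unknown parameter: " + k for k in args if k not in KNOWN]

    if not NAME_RE.fullmatch(args.get("name", "")):
        out.append("name missing or outside (0-9, a-z, - . @), max 64 chars")
    if ("password" in args) == ("password-hash" in args):
        out.append("exactly one of password / password-hash is required")
    elif "password" in args:
        # Example policy (assumption): keep cleartext secrets out of scripts.
        out.append("plaintext password in script; prefer password-hash")
    if len(args.get("comments", "")) >= 257:
        out.append("comments must be shorter than 257 characters")
    for key in ("remote-access-always-on", "is-temp-user"):
        if key in args and args[key] not in ("true", "false"):
            out.append(key + " must be true or false")

    temp = args.get("is-temp-user") == "true"
    if temp and "expiration-date" not in args:
        out.append("is-temp-user true requires expiration-date")
    if not temp and ("expiration-date" in args or "expiration-time" in args):
        out.append("expiration-* is only valid with is-temp-user true")
    if "expiration-date" in args:
        when = _parse(args["expiration-date"], r"\d{4}-\d{2}-\d{2}", "%Y-%m-%d")
        if when is None:
            out.append("expiration-date is not yyyy-mm-dd")
        elif when.date() < today:
            out.append("expiration-date %s is already in the past" % when.date())
    if "expiration-time" in args and _parse(
            args["expiration-time"], r"\d{2}:\d{2}", "%H:%M") is None:
        out.append("expiration-time is not HH:MM")
    return out


# Constructed sample script lines; the first is the example from this page.
SAMPLES = [
    'add local-user name admin password-hash TZXPLs20bN0RA comments '
    '"This is a comment." remote-access-always-on true is-temp-user true '
    'expiration-date 2000-01-01 expiration-time 23:20',
    'add local-user name Contractor_1 password Winter2024 is-temp-user true',
    'add local-user name j.doe@example.com password-hash CONSTRUCTEDHASH '
    'is-temp-user true expiration-date 2030-06-30',
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample[:40], "->", lint_add_local_user(sample, date.today()))
```

Run against the guide's own example, the linter reports that the temporary user's expiration date has already passed, so the account would be created in an expired state.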

delete local-user

Deletes an existing locally defined user object.

delete local-user

Description

Deletes an existing locally defined user object by user name.

Syntax

delete local-user name <name>

Parameters

Parameter

Description

name

User’s name in the local database

Type: A string that contains (0-9, a-z, - . @) up to 64 characters without spaces

Example

delete local-user name admin

Output

Failure shows an appropriate error message.

delete local-user

Description

Deletes all existing locally defined user objects.

Syntax

delete local-user all

Parameters

Parameter

Description

n/a

 

Example

delete local-user all

Output

Failure shows an appropriate error message.

set local-user

Configures an existing user object.

set local-user

Description

Configures an existing user object.

Syntax

set local-user name <name> [ new-name <new-name> ] [ { password-hash <password-hash> | password <password> } ] [ comments <comments> ] [ remote-access-always-on <remote-access-always-on> ] [ is-temp-user { true expiration-date <expiration-date> [ expiration-time <expiration-time> ] | false } ]

Parameters

Parameter

Description

comments

Comments

Type: A string that contains less than 257 characters, of this set: 0-9, a-z or , . - : () @

expiration-date

Expiration date for a temporary user in format yyyy-mm-dd

Type: A date format yyyy-mm-dd

expiration-time

Expiration time for a temporary user in format HH:MM

Type: A time format hh:mm

is-temp-user

Indicates if the user entry is temporary

Type: Boolean (true/false)

name

User’s name in the local database

Type: A string that contains (0-9, a-z, - . @) up to 64 characters without spaces

new-name

User’s name in the local database

Type: A string that contains (0-9, a-z, - . @) up to 64 characters without spaces

password

User’s password in the local database

Type: A string that contains alphanumeric and special characters

password-hash

User’s hashed password (used for importing database)

Type: An encrypted password

remote-access-always-on

Always enable remote access permission for user

Type: Boolean (true/false)

Example

set local-user name admin new-name admin password-hash TZXPLs20bN0RA comments "This is a comment." remote-access-always-on true is-temp-user true expiration-date 2000-01-01 expiration-time 23:20

Output

Failure shows an appropriate error message.

set local-user

Description

Adds a bookmark to be shown in the SNX landing page to an existing user. This is relevant only if the user has VPN remote access privileges.

Syntax

set local-user name <name> add bookmark label <bookmark label>

Parameters

Parameter

Description

bookmark label

Text for the bookmark in the SSL Network Extender portal

name

User’s name in the local database

Type: A string that contains (0-9, a-z, - . @) up to 64 characters without spaces

Example

set local-user name admin add bookmark label myLabel

Output

Failure shows an appropriate error message.

set local-user

Description

Removes a bookmark from being shown in the SNX landing page to an existing user. This is relevant only if the user has VPN remote access privileges.

Syntax

set local-user name <name> remove bookmark label <bookmark label>

Parameters

Parameter

Description

bookmark label

Text for the bookmark in the SSL Network Extender portal

name

User’s name in the local database

Type: A string that contains (0-9, a-z, - . @) up to 64 characters without spaces

Example

set local-user name admin remove bookmark label myLabel

Output

Failure shows an appropriate error message.

show local-user

Description

Shows the configuration of a locally defined user.

Syntax

show local-user name <name>

Parameters

Parameter

Description

name

User’s name in the local database

Type: A string that contains (0-9, a-z, - . @) up to 64 characters without spaces

Example

show local-user name admin

Output

Failure shows an appropriate error message.

show local-users

Description

Shows all locally defined users.

Syntax

show local-users

Parameters

Parameter

Description

n/a

 

Example

show local-users

Output

Failure shows an appropriate error message.

local-users expired

delete local-users expired

Description

Deletes all expired locally defined user objects from the database.

Syntax

delete local-users expired

Parameters

Parameter

Description

n/a

 

Example

delete local-users expired

Output

Failure shows an appropriate error message.

show local-users expired

Description

Shows all expired locally defined users.

Syntax

show local-users expired

Parameters

Parameter

Description

n/a

 

Example

show local-users expired

Output

Failure shows an appropriate error message.

show logs

Description

Shows system, kernel, and traffic logs.

Syntax

show logs {system|kernel|traffic}

Parameters

Parameter

Description

n/a

 

Example

show logs kernel

Output

Success shows log file. Failure shows an appropriate error message.

log-servers-configuration

set log-servers-configuration

Description

Configures external log servers for a locally managed device.

Syntax

set log-servers-configuration mgmt-server-ip-addr <mgmt-server-ip-addr> [ log-server-ip-addr <log-server-ip-addr> ] sic-name <sic-name> one-time-password <one-time-password> [ external-log-server-enable <external-log-server-enable> ]

Parameters

Parameter

Description

external-log-server-enable

Determines if an external log server is active

Type: Boolean (true/false)

log-server-ip-addr

This IP address is used if the log server is not located on the Security Management Server.

Type: IP address

mgmt-server-ip-addr

This IP address is used for establishing trusted communication between the Check Point Appliance and the log server.

Type: IP address

one-time-password

SIC one time password

Type: A string that contains alphanumeric and special characters

sic-name

Enter the SIC name of the log server object that was defined in SmartDashboard

Type: A SIC name

Example

set log-servers-configuration mgmt-server-ip-addr 192.168.1.1 log-server-ip-addr 192.168.1.1 sic-name QWEDFRGH4 one-time-password a(&7Ba external-log-server-enable true

Output

Failure shows an appropriate error message.

show log-servers-configuration

Description

Shows external log server configuration.

Syntax

show log-servers-configuration

Parameters

Parameter

Description

n/a

 

Example

show log-servers-configuration

Output

Failure shows an appropriate error message.

mac-filtering-list

add mac-filtering-list

Description

Add a MAC address to the list of addresses allowed to access LAN/DMZ networks.

Syntax

add mac-filtering-list mac <mac>

Parameters

Parameter

Description

mac

MAC address to allow

Type: MAC address

Example

add mac-filtering-list mac 00:1C:7F:21:05:BE

Output

Failure shows an appropriate error message.

delete mac-filtering-list

Description

Delete a MAC address from the list of addresses allowed to access LAN/DMZ networks.

Syntax

delete mac-filtering-list mac <mac>

Parameters

Parameter

Description

mac

MAC address to allow

Type: MAC address

Example

delete mac-filtering-list mac 00:1C:7F:21:05:BE

Output

Failure shows an appropriate error message.

show mac-filtering-list

Description

Show the MAC addresses that are allowed to access LAN/DMZ networks.

Syntax

show mac-filtering-list

Parameters

Parameter

Description

n/a

 

Example

show mac-filtering-list

Output

Failure shows an appropriate error message.

mac-filtering-settings

set mac-filtering-settings

Configure the settings for MAC filtering.

set mac-filtering-settings

Description

Configure the settings for MAC filtering.

Syntax

set mac-filtering-settings state <state>

Parameters

Parameter

Description

state

MAC filtering state

Options: on, off

Example

set mac-filtering-settings state on

Output

Failure shows an appropriate error message.

set mac-filtering-settings

Description

Configure the settings for MAC filtering.

Syntax

set mac-filtering-settings advanced-settings log-activation <log-activation>

Parameters

Parameter

Description

n/a

 

Example

set mac-filtering-settings advanced-settings log-activation on

Output

Failure shows an appropriate error message.

set mac-filtering-settings

Description

Configure the settings for MAC filtering.

Syntax

set mac-filtering-settings advanced-settings log-interval <log-interval>

Parameters

Parameter

Description

n/a

 

Example

set mac-filtering-settings advanced-settings log-interval -1000000

Output

Failure shows an appropriate error message.

show mac-filtering-settings

Show the settings for MAC filtering.

show mac-filtering-settings

Description

Show the settings for MAC filtering.

Syntax

show mac-filtering-settings

Parameters

Parameter

Description

n/a

 

Example

show mac-filtering-settings

Output

Failure shows an appropriate error message.

show mac-filtering-settings

Description

Show the advanced settings for MAC filtering.

Syntax

show mac-filtering-settings advanced-settings

Parameters

Parameter

Description

n/a

 

Example

show mac-filtering-settings advanced-settings

Output

Failure shows an appropriate error message.

monitor-mode-network

add monitor-mode-network

Description

Configuring “Monitor mode” over interfaces requires a mechanism to determine which are the local networks within the real topology. One of the options is a manual configuration of this topology using this command.

Syntax

add monitor-mode-network ipv4-address <ipv4-address> subnet-mask <subnet-mask>

Parameters

Parameter

Description

ipv4-address

Indicates a network IP address that will be recognized as Internal

Type: IP address

subnet-mask

Network subnet mask

Type: A subnet mask, or 255.255.255.255

Example

add monitor-mode-network ipv4-address 192.168.1.1 subnet-mask 255.255.255.0

Output

Failure shows an appropriate error message.

delete monitor-mode-network

Description

Deletes manually configured IP addresses that determine the local networks in monitor mode when not working in automatic detection mode.

Syntax

delete monitor-mode-network ipv4-address <ipv4-address>

Parameters

Parameter

Description

ipv4-address

Indicates a network IP address that will be recognized as Internal

Type: IP address

Example

delete monitor-mode-network ipv4-address 192.168.1.1

Output

Failure shows an appropriate error message.

set monitor-mode-network

Description

Configures IP addresses of networks that are manually recognized as local in the non-automatic mode of monitor mode interface inspection.

Syntax

set monitor-mode-network ipv4-address <ipv4-address> [ ipv4-address <ipv4-address> ] [ subnet-mask <subnet-mask> ]

Parameters

Parameter

Description

ipv4-address

Indicates a network IP address that will be recognized as Internal

Type: IP address

subnet-mask

Network subnet mask

Type: A subnet mask, or 255.255.255.255

Example

set monitor-mode-network ipv4-address 192.168.1.1 ipv4-address 192.168.1.1 subnet-mask 255.255.255.0

Output

Failure shows an appropriate error message.

show monitor-mode-networks

Description

Shows manually defined local networks for monitor mode configuration.

Syntax

show monitor-mode-networks

Parameters

Parameter

Description

n/a

 

Example

show monitor-mode-networks

Output

Failure shows an appropriate error message.

monitor-mode-configuration

set monitor-mode-configuration

Description

Configures mode of work for monitor mode interface inspection. Determines if locally managed networks will be automatically detected or manually configured.

Syntax

set monitor-mode-configuration [ use-defined-networks <use-defined-networks>]

Parameters

Parameter

Description

use-defined-networks

Indicates if user-defined internal networks are used for Monitor mode

Type: Boolean (true/false)

Example

set monitor-mode-configuration use-defined-networks true

Output

Failure shows an appropriate error message.

show monitor-mode-configuration

Description

Shows monitor mode configuration for interfaces.

Syntax

show monitor-mode-configuration

Parameters

Parameter

Description

n/a

 

Example

show monitor-mode-configuration

Output

Failure shows an appropriate error message.

message

set message

Description

Configures a banner message for the SSH administrator login.

Syntax

set message <type> { on | off } [ line ] [ msgvalue <msgvalue> ]

Parameters

Parameter

Description

msgvalue

Indicates the banner message text

Type: virtual

status

Indicates if a banner message for SSH login will appear

Type: Boolean (true/false)

type

Indicates the type of the message (only banner supported)

Options: motd, banner, caption

Example

set message motd true line msgvalue "My Banner message"

Output

Failure shows an appropriate error message.

show message

Shows the banner message for the SSH login.

show message

Description

Shows the banner message for the SSH login.

Syntax

show message <type>

Parameters

Parameter

Description

type

Indicates the type of the message (only banner supported)

Options: motd, banner, caption

Example

show message motd

Output

Failure shows an appropriate error message.

show memory-usage

Description

Shows the amount of memory that is being used.

Syntax

show memory-usage

Parameters

Parameter

Description

n/a

 

Example

show memory-usage

Output

Success shows used memory. Failure shows an appropriate error message.

nat

set nat

Configures general NAT policy settings.

set nat

Description

Configures if local networks will be hidden by default behind the external IP addresses of the gateway.

Syntax

set nat [ hide-internal-networks <hide-internal-networks> ]

Parameters

Parameter

Description

hide-internal-networks

Hide internal networks behind the Gateway’s external IP address

Type: Boolean (true/false)

Example

set nat hide-internal-networks true

Output

Failure shows an appropriate error message.

set nat

Description

Configures advanced NAT policy settings.

Syntax

set nat advanced-settings nat-destination-client-side <nat-destination-client-side>

Parameters

Parameter

Description

n/a

 

Example

set nat advanced-settings nat-destination-client-side true

Output

Failure shows an appropriate error message.

set nat