Open Frames Download Complete PDF Send Feedback Print This Page

Previous

Next

SecurePlatform Shell

In This Section:

Command Shell

Management Commands

Documentation Commands

Date and Time Commands

System Commands

Snapshot Image Management

System Diagnostic Commands

Software Blade Commands

Network Diagnostics Commands

Network Configuration Commands

User and Administrator Commands

This section includes a complete listing of the SecurePlatform shell commands. These commands are required for configuration, administration and diagnostics of various system aspects.

Note - All commands are case sensitive.

Command Shell

Command Set

To display a list of available commands, enter ? or help at the command prompt. Many commands provide short usage instructions by running the command with the parameter '--help', or with no parameters.

Command Line Editing

SecurePlatform Command Shell uses command line editing conventions. You can scroll through previously entered commands with the up or down arrow keys. When you reach a command you wish to use, you can edit it or click the Enter key to start it. The audit command is used to display history of commands entered at the command prompt (see audit):

Key

Command

Right Arrow/^f

Move cursor right

Left Arrow/^b

Move cursor left

Home/^a

Move cursor to beginning of line

End/^e

Move cursor to end of line

Backspace/^h

Delete last char

^d

Delete char on cursor

^u

Delete line

^w

Delete word to the left

^k

Delete from cursor to end of line

Up arrow/^p

View previous command

Down arrow/^n

View next command

Command Output

Some command output may be displayed on more than one screen. By default, the Command Shell will display one screen, and prompt: -More-.
Click any key to continue to display the rest of the command output.

The More functionality can be turned on or off, using the scroll command.

Management Commands

exit

Exit the current Mode:

  • In Standard Mode, exit the shell (logout of the SecurePlatform system)
  • In Expert Mode, exit to Standard Mode

Syntax

exit

Expert Mode

Switch from Standard Mode to Expert Mode.

Syntax

expert

Description

After entering the expert, command supply the expert password. After password verification, you will be transferred into expert mode.

passwd

Changing the password can be performed in both modes. Changing the password in Standard Mode changes the login password. Changing the password in Expert Mode changes the Expert Mode and Boot Loader password. During the first transfer to Expert Mode, you will be required to enter your Standard Mode password, i.e. you need to enter the first replacement password that you used when logging in as the admin user. Any sequential admin password change will not update the expert password that you must enter at the first-time expert user password change. Change the Expert Mode password. After the Expert Mode password is changed, the new password must be used to obtain Expert Mode access.

Syntax

passwd

Documentation Commands

help

List the available commands and their respective descriptions.

Syntax

help
or
?

Date and Time Commands

date

Show or set the system date. Changing the date or time affects the hardware clock.

Syntax

date [MM-DD-YYYY]

Parameters

Date Parameters

Parameter

Description

MM-DD-YYYY

The date to be set, first two digits (MM) are the month [01..12], next two digits (DD) are the day of month [01..31], and last four digits (YYYY) are the year

time

Show or set the system time. Changing the date or time affects the hardware clock.

Syntax

time [HH:MM]

Parameters

Time Parameters

Parameter

Description

HH:MM

The time to be set, first two digits (HH) are the hour [00..23], last two digits (MM) are the minute [00..59]

timezone

Set the system time zone.

Syntax

timezone [-show | --help]

Parameters

Time Zone Parameters

Parameter

Description

 

if no parameters are entered, an interactive mode of time zone selection is displayed

-show

show currently selected time zone

--help

show usage message

ntp

Configure and start the Network Time Protocol polling client.

Syntax

ntp <MD5_secret> <interval> <server1> [<server2>[<server3>]]

ntp -n <interval> <server1> [<server2>[<server3>]]

Parameters

ntp Parameters

Parameter

Description

MD5_secret

pre-shared secret used to authenticate against the NTP server; use "-n" when authentication is not required.

interval

polling interval, in seconds

server[1,2,3]

IP address or resolvable name of NTP server

ntpstop

Stop polling the NTP server.

Syntax

ntpstop

ntpstart

Start polling the NTP server.

Syntax

ntpstart

System Commands

audit

Display or edit commands, entered in the shell for a specific session. The audit is not kept between sessions.

Syntax

audit setlines <number_of_lines>
audit show <number_of_lines>
audit clear <number_of_lines>

Parameters

Audit Parameters

Parameter

Description

lines<number_of_lines>

restrict the length of the command history that can be shown to <number_of_lines>

show <number_of_lines>

show <number_of_lines> recent commands entered

clear

clear command history

backup

Backup the system configuration. You can also copy backup files to a number of scp and tftp servers for improved robustness of backup. The backup command, run by itself, without any additional flags, will use default backup settings and will perform a local backup.

Syntax

backup -hbackup [-h] [-d] [-l] [--purge DAYS] [--sched [on hh:mm <-m DayOfMonth> | <-w DaysOfWeek>] | off] 
[--tftp <ServerIP> [-path <Path>] [<Filename>]]
[--scp <ServerIP> <Username> <Password> [-path <Path>] [<Filename>]]
[--ftp <ServerIP> <Username> <Password> [-path <Path>] [<Filename>]]
[--file [-path <Path>] [<Filename>]]

Backup Parameters

Parameter

Description

-h

Obtain usage

-d

Debug flag

-l

Flag enables backup of the Check Point Security Gateway log (By default, logs are not backed up.)

-p or --purge

Delete old backups from previous backup attempts

[--sched [on hh:mm <-m DayOfMonth> | <-w DaysOfWeek>] | off]

schedule interval at which backup is to take place

  • On - specify time and day of week, or day of month
  • Off - disable schedule

--tftp <ServerIP> [-path <Path>][<Filename>]

List of IP addresses of TFTP servers, to which the configuration will be backed up, and optionally the filename.

--scp <ServerIP> <Username> <Password>[-path <Path>] [<Filename>]

List of IP addresses of SCP servers, to which the configuration will be backed up, the username and password used to access the SCP Server, and optionally the filename.

--ftp <ServerIP> <Username> <Password> [-path <Path>] [<Filename>]

List of IP addresses of FTP servers, to which the configuration will be backed up, the username and password used to access the FTP Server, and optionally, the filename.

--file [-path <Path>]<Filename>

When the backup is performed locally, specify an optional filename

Note - If a Filename is not specified, a default name will be provided with the following format: backup_hostname.domain-name_day of month_month_year_hour_minutes.tgz

For example: \backup_gateway1.mydomain.com_13_11_2003_12_47.tgz

Examples

backup –file –path /tmp filename 

Puts the backup file in (local) /tmp and names it filename

backup
–tftp <ip1> -path tmp
–tftp <ip2> -path var file1
–scp <ip3> username1 password1 –path /bin file2
–file file3
--scp <ip4> username2 password2 file4
--scp <ip5> username3 password3 –path mybackup

The backup file is saved on:

  1. tftp server with ip1, the backup file is saved in the tmp directory (under the tftp server default directory – usually /tftproot) with the default file name – backup_SystemName_TimaStamp.tgz
  2. tftp server with ip2 , the backup file is saved on var (under the tftp server default directory – usually /tftproot) as file1
  3. scp server with ip3 , the backup file is saved on /bin as file2
  4. locally on the default directory (/var/CPbackup/backups) as file3
  5. scp server with ip4 on the username2 home directory as file4
  6. scp server with ip5 on ~username3/mybackup/ with the default backup file name

reboot

Restart the system.

Syntax

reboot

patch

Apply an upgrade or hotfix file.

Note - See the Release Notes for information about when to replace the patch utility with a more recent version.

Syntax

patch add scp <ip_address> <patch_name> [password (in expert mode)]
patch add tftp <ip_address> <patch_name>
patch add cd <patch_name>
patch add <full_patch_path>
patch log

Parameters

Parameter

Description

add

install a new patch

log

list all patches installed

scp

install from SCP

cd

install from DVD

tftp

install from TFTP server

ip

IP address of the tftp server containing the patch

patch_name

the name of the patch to be installed

password

password, in expert mode

full_patch_path

the full path for the patch file (for example, /var/tmp/mypatch.tgz)

restore

Restore the system configuration.

Syntax

restore [-h] [-d][[--tftp <ServerIP> <Filename>] | 
[--scp <ServerIP> <Username> <Password> <Filename>] |
[--file <Filename>]]

Parameters

Parameter

Description

-h

obtain usage

-d

debug flag

--tftp <ServerIP> [<Filename>]

IP address of TFTP server, from which the configuration is restored, and the filename.

--scp <ServerIP> <Username> <Password> [<Filename>]

IP address of SCP server, from which the configuration is restored, the username and password used to access the SCP Server, and the filename.

--ftp <ServerIP> <Username> <Password> [-path <Pat>] [<Filename>]

List of IP addresses of FTP servers, to which the configuration will be backed up, the username and password used to access the FTP Server, and optionally, the filename.

--file <Filename>

Specify a filename for restore operation, performed locally.

When the restore command is executed by itself, without any additional flags, a menu of options is displayed. The options in the menu provide the same functionality, as the command line flags, for the restore command

Choose one of the following:
-----------------------------------------------------------
[L]     Restore local backup package
[T]     Restore backup package from TFTP server
[S]     Restore backup package from SCP server
[V]     Restore backup package from FTP server
[R]     Remove local backup package
[Q]     Quit
-----------------------------------------------------------

Select the operation of your choice.

shutdown

Shut down the system.

Syntax

shutdown

ver

Display the SecurePlatform system version.

Syntax

ver

Snapshot Image Management

Commands to take a snapshot of the entire system and to restore the system, from the snapshot, are available. The system can be restored at any time, and at boot time the administrator is given the option of booting from any of the available snapshots. This feature greatly reduces the risks of configuration changes.

The snapshot and revert commands can use an TFTP server, a SCP Server or and FTP server to store snapshots. Alternatively, snapshots can be stored locally.

Note - The amount of time it takes to perform a snapshot or revert depends on the amount of data (for example, logs) that is stored or restored. For example, it may take between 90 to 120 minutes to perform a snapshot or revert for Security Management Server, Log Server, Multi-Domain Security Management, etc.

Revert

Reboot the system from a snapshot file. The revert command, run by itself, without any additional flags, will use default backup settings, and will reboot the system from a local snapshot.

revert  [-h] [-d] [[--tftp <ServerIP> <Filename>]
[--scp <ServerIP> <Username> <Password> <Filename>
[--ftp <ServerIP> <Username> <Password> <Filename>
[--file <Filename>]]

Parameters

Revert Parameters

Parameter

Description

-h

obtain usage

-d

debug flag

--tftp <ServerIP> <Filename>

IP address of the TFTP server, from which the snapshot is rebooted, as well as the filename of the snapshot.

--scp <ServerIP> <Username> <Password> <Filename>

IP address of the SCP server, from which the snapshot is rebooted, the username and password used to access the SCP Server, and the filename of the snapshot.

--ftp <ServerIP> <Username> <Password> [-path <Pat>] [<Filename>]

List of IP addresses of FTP servers, to which the configuration will be backed up, the username and password used to access the FTP Server, and optionally, the filename.

--file <Filename>

When the snapshot is made locally, specify a filename

The revert command functionality can also be accessed from the Snapshot image management boot option.

Snapshot

This command creates a snapshot file. The snapshot command, run by itself, without any additional flags, will use default backup settings and will create a local snapshot.

Syntax

snapshot [-h] [-d] [[--tftp <ServerIP> <Filename>]
[--scp <ServerIP> <Username> <Password> <Filename>]
[--ftp <ServerIP> <Username> <Password> <Filename>
[--file <Filename>]]

Parameters

Snapshot Parameters

Parameter

Description

-h

obtain usage

-d

debug flag

--tftp <ServerIP> <Filename>

IP address of the TFTP server, from which the snapshot is made, as well as the filename of the snapshot.

--scp <ServerIP> <Username> <Password> <Filename>

IP address of the SCP server, from which the snapshot is made, the username and password used to access the SCP Server, and the filename of the snapshot.

--ftp <ServerIP> <Username> <Password> [-path <Pat>] [<Filename>]

List of IP addresses of FTP servers, to which the configuration will be backed up, the username and password used to access the FTP Server, and optionally, the filename.

--file <Filename>

When the snapshot is made locally, specify a filename

System Diagnostic Commands

diag

Display or send the system diagnostic information (diag files).

Syntax

diag <log_file_name> tftp <tftp_host_ip_address>

Parameters

Diag Parameters

Parameter

Description

log_file_name

name of the log file to be sent

tftp

use tftp to upload the diagnostic information (other upload methods can be added in the future)

tftp_host_ip_address

IP address of the host, that is to receive the diagnostic information

log

Shows the list of available log files, applies log rotation parameters, shows the index of the log file in the list, and selects the number of lines of the log to display.

Syntax

log --help
log list
log limit <log-index><max-size><backlog-copies>
log unlimit <log-index>
log show <log-index> [<lines>]

Parameters

Log Parameters

Parameter

Description

list

show the list of available log files

limit

apply log rotation parameters

unlimit

remove log size limitations

log-index

show the index of the log file, in the list

max-size

show the size of the log file, in bytes

backlog-copies

list the number of backlog copies of the log file

lines

select the number of lines of the log to display

top

Display the top 15 processes on the system and periodically updates this information. Raw CPU percentage is used to rank the processes.

Syntax

top

Software Blade Commands

For information about Software Blade commands, see the R77 Command Line Interface Reference Guide.

Network Diagnostics Commands

ping

Send ICMP ECHO_REQUEST packets to network hosts.

Syntax

ping [-dfnqrvR] [-c count] [-i wait] [-l preload] [-p pattern]
[-s packetsize]

Parameters

ping Parameters

Parameter

Description

-c count

Stop after sending (and receiving) count ECHO_RESPONSE packets.

-d

Set the SO_DEBUG option for the socket being used.

-f

Flood ping. Outputs packets as fast as they come back, or one hundred times per second, whichever is greater. For every ECHO_REQUEST sent, a period ''.'' is printed, while for every ECHO_REPLY received, a backspace is printed. This provides a rapid display of how many packets are being dropped. Only the super-user may use this option. This can place a very heavy load on a network and should be used with caution.

-i wait

Wait: wait i seconds between sending each packet. The default is to wait for one second between each packet. This option is incompatible with the -f option.

-l

Preload: if preload is specified, ping sends that many packets as fast as possible before falling into its normal mode of behavior. Only the super-user may use this option.

-n

Numeric output only. No attempt will be made to lookup symbolic names for host addresses.

-p pattern

You may specify up to 16 ''pad'' bytes to fill out the packet you send. This is useful for diagnosing data-dependent problems in a network. For example, ''-p ff'' will direct the sent packet to be filled with a series of ones (''1'').

-q

Quiet output. Nothing is displayed except the summary lines at the time of startup and finish.

-R

Record route. Includes the RECORD_ROUTE option in the ECHO_REQUEST packet and displays the route buffer on returned packets. Note that the IP header is only large enough for nine such routes. Many hosts ignore or discard this option.

-r

Bypass the normal routing tables and send directly to a host on an attached network. If the host is not on a directly-attached network, an error is returned. This option can be used to ping a local host through an interface that has no route through it.

-s packetsize

Specifies the number of data bytes to be sent. The default is 56, which translates into 64 ICMP data bytes, when combined with the 8 bytes of ICMP header data.

-v

Verbose (detailed) output. Lists ICMP packets (other than ECHO_RESPONSE) that are received.

traceroute

Tracking the route a packet follows (or finding the miscreant Security Gateway that is discarding your packets) can be difficult. Traceroute utilizes the IP protocol 'time to live' field and attempts to elicit an ICMP TIME_EXCEEDED response from each Security Gateway along the path to a designated host.

Syntax

traceroute [ -dFInrvx ] [ -f first_ttl ] [ -g gateway ] [ -i iface ]
[ -m max_ttl ] [ -p port ] [ -q nqueries ] [ -s src_addr ] [ -t tos ]
[ -w waittime ] host [ packetlen ]

Parameters

traceroute Parameters

Parameter

Description

-f first_ttl

Set the initial time-to-live, used in the first outgoing probe packet.

-F

Set the "don't fragment" bit.

-d

Enable socket level debugging.

-g

Security Gateway: specify a loose source route Security Gateway (8 maximum).

-i

iface: specify a network interface, to obtain the source IP address for outgoing probe packets. This is normally only useful on a multi-homed host. (See the -s flag for another way to do this.)

-I

Use ICMP ECHO instead of UDP datagrams.

-m max_ttl

Set the max time-to-live (maximum number of hops) used in outgoing probe packets. The default is 30 hops (the same default used for TCP connections).

-n

Print hop addresses numerically, rather than symbolically and numerically (saves a name server address-to-name lookup, for each Security Gateway found on the path).

-p port

Set the base UDP port number used in probes (default is 33434). Traceroute hopes that nothing is listening on UDP ports base to base + nhops - 1 at the destination host (so an ICMP PORT_UNREACHABLE message will be returned to terminate the route tracing). If something is listening on a port in the default range, this option can be used to pick an unused port range.

-q nqueries

Number of queries to run.

-r

Bypass the normal routing tables and send directly to a host on an attached network. If the host is not on a directly-attached network, an error is returned. This option can be used to ping a local host through an interface that has no route through it.

-s src_addr

Use the following IP address (which usually is given as an IP number, not a hostname) as the source address in out-going probe packets. On multi-homed hosts (those with more than one IP address), this option can be used to force the source address to be something, other than the IP address of the interface that the probe packet is sent on. If the IP address is not one of this computer interface addresses, an error is returned and nothing is sent. (See the -i flag for another way to do this.)

-t tos

Set the type-of-service in probe packets to the following value (default zero). The value must be a decimal integer in the range 0 to 255. This option can be used to see if different types-of-service result in different paths. (If you are not running 4.4bsd, this may be irapplicable, since the normal network services like telnet and ftp don't let you control the TOS. Not all values of TOS are legal or meaningful, see the IP spec for definitions. Useful values are probably "-t 16" (low delay) and "-t 8" (high throughput).

-v

Verbose (detailed) output. Received ICMP packets other than TIME_EXCEEDED and UNREACHABLEs are listed.

-w waittime

Set the time (in seconds) to wait for a response to a probe (default is 5 seconds).

-x

Toggle checksums. Normally, this prevents traceroute from calculating checksums. In some cases, the operating system can overwrite parts of the outgoing packet, but not recalculate the checksum (In some cases, the default is not to calculate checksums. Using -x causes checksums to be calculated). Checksums are usually required for the last hop, when using ICMP ECHO probes (-I).

netstat

Show network statistics.

Syntax

netstat [-veenNcCF] [<Af>] -r
netstat {-V|--version|-h|--help}
netstat [-vnNcaeol] [<Socket> ...]
netstat { [-veenNac] -i | [-cnNe] -M | -s }

Parameters

netstat Parameters

Parameter

Description

Extended Description

-r

route

display routing table

-i

interfaces

display interface table

-g

groups

display multicast group memberships

-s

statistics

display networking statistics (like SNMP)

-M

masquerade

display masqueraded connections

-v

verbose

be verbose (detailed)

-n

numeric

do not resolve names

-N

symbolic

resolve hardware names

-e

extend

display other/more information

-p

programs

display PID/Program name for sockets

-c

continuous

continuous listing

-l

listening

display listening server sockets

-a

all, listening

display all sockets (default: connected)

-o

timers

display timers

-F

fib

display Forwarding Information Base (default)

-C

cache

display routing cache, instead of FIB

<Socket>

 

Type of socket, may be one of the following: {-t|--tcp} {-u|--udp} {-w|--raw} {-x|--unix} --ax25 --ipx --netrom

-A <AF>,

af <AF>

Address family, may be one of the following: inet (DARPA Internet) inet6 (IPv6) ax25 (AMPR AX.25) netrom (AMPR NET/ROM) ipx (Novell IPX) ddp (Appletalk DDP)

Network Configuration Commands

arp

arp manipulates the kernel ARP cache in various ways. The primary options are clearing an address mapping entry and manually setting one up. For debugging purposes, the ARP program also allows a complete dump of the ARP cache.

Syntax

arp [-vn] [-H type] [-i if] -a [hostname]
arp [-v] [-i if] -d hostname [pub]
arp [-v] [-H type] [-i if] -s hostname hw_addr [temp]
arp [-v] [-H type] [-i if] -s hostname hw_addr [netmask nm] pub
arp [-v] [-H type] [-i if] -Ds hostname ifa [netmask nm] pub
arp [-vnD] [-H type] [-i if] -f [filename]

addarp

addarp adds a persistent ARP entry (one that will survive re-boot).

Syntax

addarp <hostname> <hwaddr>

delarp

delarp removes ARP entries created by addarp.

Syntax

delarp <hostname> <MAC>

Parameters

arp Parameters

Parameter

Description

Extended Description

-v

verbose

Tell the user the details of what is going on.

-n

numeric

shows numerical addresses instead of trying to determine symbolic host, port or user names.

-H type,

hw-type type

When setting, or reading the ARP cache, this optional parameter tells arp which class of entries it should check for. The default value of this parameter is ether (i.e. hardware code 0x01 for IEEE 802.3 10Mbps Ethernet). Other values might include network technologies such as ARCnet (arcnet), PROnet (pronet), AX.25 (ax25) and NET/ROM (netrom).

-a [hostname]

display [hostname]

Shows the entries of the specified hosts. If the hostname parameter is not used, all entries will be displayed.

-d hostname

delete hostname

Remove any entry for the specified host. This can be used if the indicated host is brought down, for example.

-D

use-device

Use the interface ifa hardware address.

-i If

device If

Select an interface. When dumping the ARP cache, only entries matching the specified interface will be printed. When setting a permanent, or temp ARP, entry this interface will be associated with the entry. If this option is not used, the kernel will guess, based on the routing table. For public entries, the specified interface is the interface, on which ARP requests will be answered.

-f filename

file filename

Similar to the -s option, only this time the address info is taken from file filename set up. The name of the data file is very often /etc/ethers. If no filename is specified /etc/ethers is used as default.

hosts

Show, set or remove hostname to IP-address mappings.

Syntax

hosts add <IP-ADDRESS> <host1> [<host2> ...]
hosts remove <IP_ADDRESS> <host1> [<host2> ...]
hosts

Parameters

hosts Parameters

hosts

Parameter

Description

 

Running hosts, with no parameters, displays the current host names to IP mappings.

add

IP-ADDRESS

IP address, to which hosts will be added.

host1, host2...

Hosts to be added.

remove

IP-ADDRESS

IP address, to which hosts will be removed.

host1, host2...

The name of the hosts to be removed.

ifconfig

Show, configure or store network interfaces settings.

Syntax

ifconfig [-a] [-i] [-v] [-s] <interface> [[<AF>] <address>] 
[add <address>[/<prefixlen>]]
[del <address>[/<prefixlen>]]
[[-]broadcast [<address>]]  [[-]pointopoint [<address>]]
[netmask <address>]  [dstaddr <address>]  [tunnel <address>]
[outfill <NN>] [keepalive <NN>]
[hw <HW> <address>]  [metric <NN>]  [mtu <NN>]
[[-]trailers]  [[-]arp]  [[-]allmulti]
[multicast]  [[-]promisc]
[mem_start <NN>]  [io_addr <NN>]  [irq <NN>]  [media <type>]
[txqueuelen <NN>]
[[-]dynamic]
[up|down]
[--save]

ifConfig Parameters

Parameter

Description

interface

The name of the interface. This is usually a driver name, followed by a unit number, for example eth0 for the first Ethernet interface.

up

Causes the interface to be activated. It is implicitly specified if an address is assigned to the interface.

down

Causes the driver for this interface, to be shut down.

[-]arp

Enable or disable the use of the ARP protocol, on this interface.

[-]promisc

Enable or disable the promiscuous mode of the interface. If selected, all packets on the network will be received by the interface.

[-]allmulti

Enable or disable all-multicast mode. If selected, all multicast packets on the network will be received by the interface.

metric N

Sets the interface metric.

mtu N

Sets the Maximum Transfer Unit (MTU) of an interface.

dstaddr addr

Set the remote IP address for a point-to-point link (such as PPP). This keyword is now obsolete; use the point-to-point keyword instead.

netmask addr

Set the IP network mask, for this interface. This value defaults to the usual class A, B or C network mask (as derived from the interface IP address), but it can be set to any value.

irq addr

Set the interrupt line used by this device. Not all devices can dynamically change their IRQ setting.

io_addr addr

Set the start address in I/O space for this device.

mem_start addr

Set the start address for shared memory used by this device. Only a few devices need this parameter set.

media type

Set the physical port, or medium type, to be used by the device. Not all devices can change this setting, and those that can vary in what values they support. Typical values for type are 10base2 (thin Ethernet), 10baseT (twisted-pair 10Mbps Ethernet), AUI (external transceiver) and so on. The special, medium type of auto can be used to tell the driver to auto-sense the media. Not all drivers support this feature.

[-]broadcast [addr]

If the address argument is given, set the protocol broadcast address for this interface. Otherwise, set (or clear) the IFF_BROADCAST flag for the interface.

[-]pointopoint [addr]

This keyword enables the point-to-point mode of an interface, meaning that it is a direct link between two computers, with nobody else listening on it. If the address argument is also given, set the protocol address of the other side of the link, just like the obsolete dstaddr keyword does. Otherwise, set or clear the IFF_POINTOPOINT flag for the interface.

hw class address

Set the hardware address of this interface, if the device driver supports this operation. The keyword must be followed by the name of the hardware class and the printable ASCII equivalent of the hardware address. Hardware classes currently supported include: ether (Ethernet), ax25 (AMPR AX.25), ARCnet and netrom (AMPR NET/ROM).

multicast

Set the multicast flag on the interface. This should not normally be needed, as the drivers set the flag correctly themselves.

Address

The IP address to be assigned to this interface.

txqueuelen length

Set the length of the transmit queue of the device. It is useful to set this to small values, for slower devices with a high latency (modem links, ISDN), to prevent fast bulk transfers from disturbing interactive traffic, like telnet, too much.

--save

Saves the interface IP configuration. Not available when
UTM-1 is installed.

vconfig

Configure virtual LAN interfaces.

Syntax

vconfig add [interface-name] [vlan_id]
vconfig rem [vlan-name]

Parameters

vconfig Parameters

Parameter

Description

interface-name

The name of the Ethernet card that hosts the VLAN.

vlan_id

The identifier (0-4095) of the VLAN.

skb_priority

The priority in the socket buffer (sk_buff).

vlan_qos

The 3 bit priority field in the VLAN header.

name-type

One of:

  • VLAN_PLUS_VID (e.g. vlan0005),
  • VLAN_PLUS_VID_NO_PAD (e.g. vlan5),
  • DEV_PLUS_VID (e.g. eth0.0005),
  • DEV_PLUS_VID_NO_PAD (e.g. eth0.5)

bind-type

One of:

  • PER_DEVICE # Allows vlan 5 on eth0 and eth1 to be unique
  • PER_KERNEL # Forces vlan 5 to be unique across all devices

flag-num

Either 0 or 1 (REORDER_HDR). If set, the VLAN device will move the Ethernet header around to make it look exactly like a real Ethernet device.

route

Show, configure or save the routing entries.

Syntax

route [-nNvee] [-FC] [<AF>] List kernel routing tables
route [-v] [-FC] {add|del|flush} ... Modify routing table for AF.
route {-h|--help} [<AF>] Detailed usage syntax for specified AF.
route {-V|--version} Display version/author and exit.
route --save

Parameters

route Parameters

Parameter

Description

Extended Description

-v

verbose

be verbose (detailed)

-n

numeric

do not resolve names

-N

symbolic

resolve hardware names

-e

extend

display other or more information

-F

fib

display Forwarding Information Base (default)

-C

cache

display routing cache, instead of FIB

-A <AF>

af <AF>

Address family, may be one of the following: inet (DARPA Internet) inet6 (IPv6) ax25 (AMPR AX.25)

netrom (AMPR NET/ROM) ipx (Novell IPX) ddp (Appletalk DDP)

 

save

 

Save the routing configuration

hostname

Show or set the system host name.

Syntax

hostname [--help]
hostname <host>
hostname <host> <external_ip_address>

Parameters

hostname Parameters

Parameter

Description

 

show host name

host

new host name

external_ip_address

IP address of the interface to be assigned

help

show usage message

domainname

Show or set the system domain name.

Syntax

domainname [<domain>]

Parameters

domainname Parameters

Parameter

Description

 

Show domainname

domain

Set domainname to domain

dns

Add, remove, or show the Domain Name resolving servers.

Syntax

dns [add|del <ip_of_nameserver>]

Parameters

dns Parameters

Parameter

Description

 

show DNS servers configured

add

add new nameserver

del

delete existing nameserver

<ip_of_nameserver>

IP address of the nameserver

sysconfig

Interactive script to configure networking and security for the system.

Syntax

sysconfig

webui

webui configures the port the SecurePlatform HTTPS web server uses for the management interface.

Syntax

webui enable [https_port]
webui disable

Parameters

webui parameters

Parameter

Description

enable [https_port]

enable the Web GUI on port https_port

disable

disable the Web GUI

User and Administrator Commands

adduser

adduser adds a SecurePlatform administrator. (SecurePlatform supports RADIUS authentication for SecurePlatform administrators.)

Syntax

adduser [-x EXTERNAL_AUTH] <user name>

deluser

deluser deletes a SecurePlatform administrator.

Syntax

deluser <user name>

showusers

showusers displays all SecurePlatform administrators.

Syntax

showusers

lockout

Lock out a SecurePlatform administrator.

Syntax

lockout enable <attempts> <lock_period>
lockout disable
lockout show

Parameters

lockout Parameters

Parameter

Description

enable attempts lock_period

Activate lockout after a specified number of unsuccessful attempts to login, and lock the account for lock_period minutes.

disable

Disable the lockout feature.

show

Display the current settings of the lockout feature.

unlockuser

Unlock a locked administrator. (See lockout for more information about a locked administrator.)

Syntax

unlockuser <username>

checkuserlock

Display the lockout status of a SecurePlatform administrator (whether or not the administrator is locked out).

Syntax

checkuserlock <username>

 
Top of Page ©2014 Check Point Software Technologies Ltd. All rights reserved. Download Complete PDF Send Feedback Print