'fwaccel ranges' and 'fwaccel6 ranges'

Description

These commands show the SecureXL loaded ranges:

The Security Gateway creates these ranges during the policy installation. The Firewall creates and offloads ranges to SecureXL when any of these features is enabled:

These ranges are related to matching of connections to SecureXL Drop Templates. These ranges represent the Source, Destination and Service columns of the Rule Base.

These ranges are not exactly the same as the Rule Base, because some objects cannot be represented as real (deterministic) IP addresses, for example, Domain objects and Dynamic objects. The Security Gateway converts such non-deterministic objects to the "Any" IP address.

In addition, implied rules are represented in these ranges, except for some specific implied rules.

You can use these commands for troubleshooting.

Syntax for IPv4

fwaccel [-i <SecureXL ID>] ranges
      -h
      -a
      -l
      -p <Range ID>
      -s <Range ID>

Syntax for IPv6

fwaccel6 ranges
      -h
      -a
      -l
      -p <Range ID>
      -s <Range ID>

Parameters

Parameter

Description

-i <SecureXL ID>

Specifies the SecureXL instance ID (for IPv4 only).

-h

Shows the applicable built-in usage.

-a or No Parameters

Shows the full information for all loaded ranges.

Note - In the list of SecureXL Drop Templates (output of the 'fwaccel templates -d' and 'fwaccel6 templates -d' commands), each Drop Template is assembled from range indexes. To see the mapping between a range index and the range itself, run the 'fwaccel ranges -a' command. This helps you better understand the practical ranges for Drop Templates and when it is appropriate to use them.

-l

Shows the list of loaded ranges:

  • 0 - Ranges of Rule Base source IP addresses
  • 1 - Ranges of Rule Base destination IP addresses
  • 2 - Ranges of Rule Base destination ports and protocols

-p <Range ID>

Shows the full information for the specified range.

-s <Range ID>

Shows the summary information for the specified range.

Example 1 - Show the list of ranges from a non-VSX Gateway

[Expert@MyGW:0]# fwaccel ranges -l

SecureXL device 0:

0 Rule base source ranges (ip):

1 Rule base destination ranges (ip):

2 Rule base dport ranges (port, proto):

[Expert@MyGW:0]#

Example 2 - Show the full information for all loaded ranges from a non-VSX Gateway

[Expert@MyGW:0]# fwaccel ranges

SecureXL device 0:

Rule base source ranges (ip):

(0) 0.0.0.0 - 192.168.204.0

(1) 192.168.204.1 - 192.168.204.1

(2) 192.168.204.2 - 192.168.204.39

(3) 192.168.204.40 - 192.168.204.40

(4) 192.168.204.41 - 192.168.254.39

(5) 192.168.254.40 - 192.168.254.40

(6) 192.168.254.41 - 255.255.255.255

Rule base destination ranges (ip):

(0) 0.0.0.0 - 192.168.204.0

(1) 192.168.204.1 - 192.168.204.1

(2) 192.168.204.2 - 192.168.204.39

(3) 192.168.204.40 - 192.168.204.40

(4) 192.168.204.41 - 192.168.254.39

(5) 192.168.254.40 - 192.168.254.40

(6) 192.168.254.41 - 255.255.255.255

Rule base dport ranges (port, proto):

(0) 0, 0 - 138, 6

(1) 139, 6 - 139, 6

(2) 140, 6 - 18189, 6

(3) 18190, 6 - 18190, 6

(4) 18191, 6 - 18191, 6

(5) 18192, 6 - 18192, 6

(6) 18193, 6 - 19008, 6

(7) 19009, 6 - 19009, 6

(8) 19010, 6 - 136, 17

(9) 137, 17 - 138, 17

(10) 139, 17 - 65535, 65535

[Expert@MyGW:0]#
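The following is an added example, not Check Point code: a small Python parser for saved 'fwaccel ranges' output that returns the range index containing a given IP address or "port, proto" pair, which is the lookup needed to read the range indexes in a Drop Template. The names SAMPLE, parse_ranges and range_index are hypothetical, and the (proto, port) ordering of the dport list is an assumption inferred from the output above.

```python
import ipaddress
import re
# Constructed input: the source and dport lists from Example 2 on this page.
SAMPLE = """\
SecureXL device 0:
Rule base source ranges (ip):
(0) 0.0.0.0 - 192.168.204.0
(1) 192.168.204.1 - 192.168.204.1
(2) 192.168.204.2 - 192.168.204.39
(3) 192.168.204.40 - 192.168.204.40
(4) 192.168.204.41 - 192.168.254.39
(5) 192.168.254.40 - 192.168.254.40
(6) 192.168.254.41 - 255.255.255.255
Rule base dport ranges (port, proto):
(0) 0, 0 - 138, 6
(1) 139, 6 - 139, 6
(2) 140, 6 - 18189, 6
(3) 18190, 6 - 18190, 6
(4) 18191, 6 - 18191, 6
(5) 18192, 6 - 18192, 6
(6) 18193, 6 - 19008, 6
(7) 19009, 6 - 19009, 6
(8) 19010, 6 - 136, 17
(9) 137, 17 - 138, 17
(10) 139, 17 - 65535, 65535
"""
ROW = re.compile(r"^\((\d+)\)\s+(.+?)\s+-\s+(.+)$")

def _key(text):
    # Assumption read off the sample: dport rows are ordered by (proto, port).
    if "," in text:
        port, proto = (int(x) for x in text.split(","))
        return (proto, port)
    return (int(ipaddress.ip_address(text.strip())),)

def parse_ranges(output):
    """Return {list name: [(index, low_key, high_key), ...]}."""
    tables, current = {}, None
    for line in map(str.strip, output.splitlines()):
        m = ROW.match(line)
        if m and current is not None:
            current.append((int(m[1]), _key(m[2]), _key(m[3])))
        elif line.endswith(":") and not line.startswith("SecureXL device"):
            current = tables.setdefault(line.rstrip(":"), [])
    return tables

def range_index(tables, list_name, value):  # index of the containing range, or None
    key = _key(value)
    return next((i for i, lo, hi in tables[list_name] if lo <= key <= hi), None)
```

With the sample above, `range_index(parse_ranges(SAMPLE), "Rule base dport ranges (port, proto)", "53, 17")` returns 8, because UDP port 53 falls inside the range that runs from 19010/TCP to 136/UDP. The parsed list lengths (7 and 11) match the 'Number of ranges' values that 'fwaccel ranges -s' reports in Example 4.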

Example 3 - Show the full information for the specified range from a non-VSX Gateway

[Expert@MyGW:0]# fwaccel ranges -p 0

SecureXL device 0:

Rule base source ranges (ip):

(0) 0.0.0.0 - 192.168.204.0

(1) 192.168.204.1 - 192.168.204.1

(2) 192.168.204.2 - 192.168.204.39

(3) 192.168.204.40 - 192.168.204.40

(4) 192.168.204.41 - 192.168.254.39

(5) 192.168.254.40 - 192.168.254.40

(6) 192.168.254.41 - 255.255.255.255

[Expert@MyGW:0]#

[Expert@MyGW:0]# fwaccel ranges -p 1

SecureXL device 0:

Rule base destination ranges (ip):

(0) 0.0.0.0 - 192.168.204.0

(1) 192.168.204.1 - 192.168.204.1

(2) 192.168.204.2 - 192.168.204.39

(3) 192.168.204.40 - 192.168.204.40

(4) 192.168.204.41 - 192.168.254.39

(5) 192.168.254.40 - 192.168.254.40

(6) 192.168.254.41 - 255.255.255.255

[Expert@MyGW:0]#

[Expert@MyGW:0]# fwaccel ranges -p 2

SecureXL device 0:

Rule base dport ranges (port, proto):

(0) 0, 0 - 138, 6

(1) 139, 6 - 139, 6

(2) 140, 6 - 18189, 6

(3) 18190, 6 - 18190, 6

(4) 18191, 6 - 18191, 6

(5) 18192, 6 - 18192, 6

(6) 18193, 6 - 19008, 6

(7) 19009, 6 - 19009, 6

(8) 19010, 6 - 136, 17

(9) 137, 17 - 138, 17

(10) 139, 17 - 65535, 65535

[Expert@MyGW:0]#

Example 4 - Show the summary information for the specified range from a non-VSX Gateway

[Expert@MyGW:0]# fwaccel ranges -s 0

SecureXL device 0:

List name "Rule base source ranges (ip):", ID 0, Number of ranges 7

[Expert@MyGW:0]#

[Expert@MyGW:0]# fwaccel ranges -s 1

SecureXL device 0:

List name "Rule base destination ranges (ip):", ID 1, Number of ranges 7

[Expert@MyGW:0]#

[Expert@MyGW:0]# fwaccel ranges -s 2

SecureXL device 0:

List name "Rule base dport ranges (port, proto):", ID 2, Number of ranges 11

[Expert@MyGW:0]#

Example 5 - Show the list of ranges from a VSX Gateway

[Expert@MyVSXGW:2]# vsenv 0

Context is set to Virtual Device VSX2_192.168.3.242 (ID 0).

[Expert@MyVSXGW:0]# fwaccel ranges -l

SecureXL device 0:

0 Anti spoofing ranges eth0:

1 Anti spoofing ranges eth1:

[Expert@MyVSXGW:0]# vsenv 1

Context is set to Virtual Device VS1 (ID 1).

[Expert@MyVSXGW:1]# fwaccel ranges -l

SecureXL device 0:

0 Anti spoofing ranges eth3:

1 Anti spoofing ranges eth2.52:

[Expert@MyVSXGW:1]# vsenv 2

Context is set to Virtual Device VS2 (ID 2).

[Expert@MyVSXGW:2]# fwaccel ranges -l

SecureXL device 0:

0 Anti spoofing ranges eth4:

1 Anti spoofing ranges eth2.53:

[Expert@MyVSXGW:2]#

Example 6 - Show the full information for all loaded ranges from a VSX Gateway

[Expert@MyVSXGW:2]# vsenv 0

Context is set to Virtual Device VSX2_192.168.3.242 (ID 0).

[Expert@MyVSXGW:0]# fwaccel ranges

SecureXL device 0:

Anti spoofing ranges eth0:

(0) 0.0.0.0 - 10.20.29.255

(1) 10.20.31.0 - 126.255.255.255

(2) 128.0.0.0 - 192.168.2.255

(3) 192.168.3.1 - 192.168.3.241

(4) 192.168.3.243 - 192.168.3.254

(5) 192.168.4.0 - 223.255.255.255

(6) 240.0.0.0 - 255.255.255.254

Anti spoofing ranges eth1:

(0) 10.20.30.1 - 10.20.30.241

(1) 10.20.30.243 - 10.20.30.254

[Expert@MyVSXGW:0]#

[Expert@MyVSXGW:1]# vsenv 1

Context is set to Virtual Device VS1 (ID 1).

[Expert@MyVSXGW:1]# fwaccel ranges

SecureXL device 0:

Anti spoofing ranges eth3:

(0) 40.50.60.0 - 40.50.60.255

(1) 192.168.196.17 - 192.168.196.17

(2) 192.168.196.19 - 192.168.196.30

Anti spoofing ranges eth2.52:

(0) 70.80.90.0 - 70.80.90.255

(1) 192.168.196.1 - 192.168.196.1

(2) 192.168.196.3 - 192.168.196.14

[Expert@MyVSXGW:1]#

[Expert@MyVSXGW:1]# vsenv 2

Context is set to Virtual Device VS2 (ID 2).

[Expert@MyVSXGW:2]# fwaccel ranges

SecureXL device 0:

Anti spoofing ranges eth4:

(0) 100.100.100.0 - 100.100.100.255

(1) 192.168.196.17 - 192.168.196.17

(2) 192.168.196.19 - 192.168.196.30

Anti spoofing ranges eth2.53:

(0) 192.168.196.1 - 192.168.196.1

(1) 192.168.196.3 - 192.168.196.14

(2) 200.200.200.0 - 200.200.200.255

[Expert@MyVSXGW:2]#

Example 7 - Show the summary information for the specified range from a VSX Gateway

[Expert@MyVSXGW:2]# vsenv 1

Context is set to Virtual Device VS1 (ID 1).

[Expert@MyVSXGW:1]#

[Expert@MyVSXGW:1]# fwaccel ranges -s 0

SecureXL device 0:

List name "Anti spoofing ranges eth3:", ID 0, Number of ranges 3

[Expert@MyVSXGW:1]#

[Expert@MyVSXGW:1]# fwaccel ranges -s 1

SecureXL device 0:

List name "Anti spoofing ranges eth2.52:", ID 1, Number of ranges 3

[Expert@MyVSXGW:1]#

[Expert@MyVSXGW:1]# fwaccel ranges -s 2

SecureXL device 0:

The requested range table is empty

[Expert@MyVSXGW:1]#

[Expert@MyVSXGW:1]# vsenv 2

Context is set to Virtual Device VS2 (ID 2).

[Expert@MyVSXGW:1]#

[Expert@MyVSXGW:2]# fwaccel ranges -s 0

SecureXL device 0:

List name "Anti spoofing ranges eth4:", ID 0, Number of ranges 3

[Expert@MyVSXGW:1]#

[Expert@MyVSXGW:2]# fwaccel ranges -s 1

SecureXL device 0:

List name "Anti spoofing ranges eth2.53:", ID 1, Number of ranges 3

[Expert@MyVSXGW:1]#

[Expert@MyVSXGW:2]# fwaccel ranges -s 2

SecureXL device 0:

The requested range table is empty

[Expert@MyVSXGW:2]#