Watchguard CLI User guide

WatchGuard®
Command Line Interface User Guide
WatchGuard Firebox Vclass 5.1
ii WatchGuard Vclass 5.1
Copyright
Copyright © 1998-2003 WatchGuard Technologies, Inc.
All rights reserved.
Notice to Users
Information in this document is subject to change and
revision without notice. This documentation and the software
described herein is subject to and may only be used and
copied as outlined in the Firebox System software end-user
license agreement. No part of this manual may be reproduced
by any means, electronic or mechanical, for any purpose
other than the purchaser’s personal use, without prior written
permission from WatchGuard Technologies, Inc.
TRADEMARK NOTES
WatchGuard and LiveSecurity are either trademarks or
registered trademarks of WatchGuard Technologies, Inc. in
the United States and other countries. Firebox, ServerLock,
DVCP, and Designing peace of mind are trademarks of
WatchGuard Technologies, Inc. All other trademarks or
trade names mentioned herein, if any, are the property of
their respective owners.
Part No: 1200016
WatchGuard Command Line Interface Guide iii
WatchGuard Technologies, Inc.
Firebox System Software
End-User License Agreement
WatchGuard Firebox System (WFS) End-User License
Agreement
IMPORTANT — READ CAREFULLY BEFORE
ACCESSING WATCHGUARD SOFTWARE:
This WFS End-User License Agreement (“AGREEMENT”)
is a legal agreement between you (either an individual or a
single entity) and WatchGuard Technologies, Inc.
(“WATCHGUARD”) for the WATCHGUARD WFS software
product identified above, which includes computer software
and may include associated media, printed materials, and on-
line or electronic documentation (“SOFTWARE
PRODUCT”). WATCHGUARD is willing to license the
SOFTWARE PRODUCT to you only on the condition that you
accept all of the terms contained in this Agreement. Please
read this Agreement carefully. By installing or using the
SOFTWARE PRODUCT you agree to be bound by the terms
of this Agreement. If you do not agree to the terms of this
AGREEMENT, WATCHGUARD will not license the
SOFTWARE PRODUCT to you, and you will not have any
rights in the SOFTWARE PRODUCT. In that case, promptly
return the SOFTWARE PRODUCT, along with proof of
payment, to the authorized dealer from whom you obtained
the SOFTWARE PRODUCT for a full refund of the price you
paid.
1. Ownership and License. The SOFTWARE PRODUCT is
protected by copyright laws and international copyright
treaties, as well as other intellectual property laws and
treaties. This is a license agreement and NOT an agreement
for sale. All title and copyrights in and to the SOFTWARE
PRODUCT (including but not limited to any images,
photographs, animations, video, audio, music, text, and
applets incorporated into the SOFTWARE PRODUCT), the
accompanying printed materials, and any copies of the
SOFTWARE PRODUCT are owned by WATCHGUARD or its
suppliers. Your rights to use the SOFTWARE PRODUCT are
as specified in this AGREEMENT, and WATCHGUARD
retains all rights not expressly granted to you in this
AGREEMENT. Nothing in this AGREEMENT constitutes a
waiver of our rights under U.S. copyright law or any other
law or treaty.
2. Permitted Uses. You are granted the following rights to
the SOFTWARE PRODUCT:
(A) You may install and use the SOFTWARE PRODUCT on
any single computer at any single location. If you wish to use
the SOFTWARE PRODUCT on a different computer, you
must erase the SOFTWARE PRODUCT from the first
computer on which you installed it before you install it onto
a second.
(B) To use the SOFTWARE PRODUCT on more than one
computer at once, you must license an additional copy of the
SOFTWARE PRODUCT for each additional computer on
which you want to use it.
(C) You may make a single copy of the SOFTWARE
PRODUCT for backup or archival purposes only.
3. Prohibited Uses. You may not, without express written
permission from WATCHGUARD:
(A) Use, copy, modify, merge or transfer copies of the
SOFTWARE PRODUCT or printed materials except as
provided in this AGREEMENT;
(B) Use any backup or archival copy of the SOFTWARE
PRODUCT (or allow someone else to use such a copy) for any
purpose other than to replace the original copy in the event it
is destroyed or becomes defective;
(C) Sublicense, lend, lease or rent the SOFTWARE
PRODUCT;
(D) Transfer this license to another party unless (i) the
transfer is permanent, (ii) the third party recipient agrees to
the terms of this AGREEMENT, and (iii) you do not retain
any copies of the SOFTWARE PRODUCT; or
(E) Reverse engineer, disassemble or decompile the
SOFTWARE PRODUCT.
4. Limited Warranty. WATCHGUARD makes the
following limited warranties for a period of ninety (90) days
from the date you obtained the SOFTWARE PRODUCT from
WatchGuard Technologies or an authorized dealer:
(A) Media. The disks and documentation will be free from
defects in materials and workmanship under normal use. If
the disks or documentation fail to conform to this warranty,
you may, as your sole and exclusive remedy, obtain a
replacement free of charge if you return the defective disk or
documentation to us with a dated proof of purchase.
(B) SOFTWARE PRODUCT. The SOFTWARE PRODUCT
will materially conform to the documentation that
accompanies it. If the SOFTWARE PRODUCT fails to
operate in accordance with this warranty, you may, as your
sole and exclusive remedy, return all of the SOFTWARE
PRODUCT and the documentation to the authorized dealer
from whom you obtained it, along with a dated proof of
purchase, specifying the problems, and they will provide you
with a new version of the SOFTWARE PRODUCT or a full
refund, at their election.
Disclaimer and Release. THE WARRANTIES,
OBLIGATIONS AND LIABILITIES OF WATCHGUARD,
AND YOUR REMEDIES, SET FORTH IN PARAGRAPHS
4, 4(A) AND 4(B) ABOVE ARE EXCLUSIVE AND IN
SUBSTITUTION FOR, AND YOU HEREBY WAIVE,
DISCLAIM AND RELEASE ANY AND ALL OTHER
WARRANTIES, OBLIGATIONS AND LIABILITIES OF
WATCHGUARD AND ALL OTHER RIGHTS, CLAIMS AND
REMEDIES YOU MAY HAVE AGAINST WATCHGUARD,
EXPRESS OR IMPLIED, ARISING BY LAW OR
OTHERWISE, WITH RESPECT TO ANY
NONCONFORMANCE OR DEFECT IN THE SOFTWARE
PRODUCT (INCLUDING, BUT NOT LIMITED TO, ANY
IMPLIED WARRANTY OF MERCHANTABILITY OR
FITNESS FOR A PARTICULAR PURPOSE, ANY
IMPLIED WARRANTY ARISING FROM COURSE OF
PERFORMANCE, COURSE OF DEALING, OR USAGE OF
TRADE, ANY WARRANTY OF NONINFRINGEMENT,
ANY WARRANTY THAT THIS SOFTWARE PRODUCT
WILL MEET YOUR REQUIREMENTS, ANY WARRANTY
OF UNINTERRUPTED OR ERROR-FREE OPERATION,
ANY OBLIGATION, LIABILITY, RIGHT, CLAIM OR
REMEDY IN TORT, WHETHER OR NOT ARISING FROM
THE NEGLIGENCE (WHETHER ACTIVE, PASSIVE OR
IMPUTED) OR FAULT OF WATCHGUARD AND ANY
OBLIGATION, LIABILITY, RIGHT, CLAIM OR REMEDY
FOR LOSS OR DAMAGE TO, OR CAUSED BY OR
CONTRIBUTED TO BY, THE SOFTWARE PRODUCT).
Limitation of Liability. WATCHGUARD’s liability (whether
in contract, tort, or otherwise; and notwithstanding any fault,
negligence, strict liability or product liability) with regard to
THE SOFTWARE Product will in no event exceed the
purchase price paid by you for such Product. IN NO EVENT
WILL WATCHGUARD BE LIABLE TO YOU OR ANY
THIRD PARTY, WHETHER ARISING IN CONTRACT
(INCLUDING WARRANTY), TORT (INCLUDING ACTIVE,
PASSIVE OR IMPUTED NEGLIGENCE AND STRICT
LIABILITY AND FAULT), FOR ANY INDIRECT, SPECIAL,
INCIDENTAL, OR CONSEQUENTIAL DAMAGES
(INCLUDING WITHOUT LIMITATION LOSS OF
BUSINESS PROFITS, BUSINESS INTERRUPTION, OR
LOSS OF BUSINESS INFORMATION) ARISING OUT OF
OR IN CONNECTION WITH THIS WARRANTY OR THE
USE OF OR INABILITY TO USE THE SOFTWARE
PRODUCT, EVEN IF WATCHGUARD HAS BEEN
ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
5. United States Government Restricted Rights. The
enclosed SOFTWARE PRODUCT and documentation are
provided with Restricted Rights. Use, duplication or
disclosure by the U.S. Government or any agency or
instrumentality thereof is subject to restrictions as set forth
in subdivision (c)(1)(ii) of the Rights in Technical Data and
Computer Software clause at DFARS 252.227-7013, or in
subdivision (c)(1) and (2) of the Commercial Computer
Software -- Restricted Rights Clause at 48 C.F.R. 52.227-19, as applicable. Manufacturer is WatchGuard
Technologies, Incorporated, 505 Fifth Avenue, Suite 500,
Seattle, WA 98104.
6. Export Controls. You agree not to directly or indirectly
transfer the SOFTWARE PRODUCT or documentation to
any country to which such transfer would be prohibited by the
U.S. Export Administration Act and the regulations issued
thereunder.
7. Termination. This license and your right to use the
SOFTWARE PRODUCT will automatically terminate if you
fail to comply with any provisions of this AGREEMENT,
destroy all copies of the SOFTWARE PRODUCT in your
possession, or voluntarily return the SOFTWARE PRODUCT
to WATCHGUARD. Upon termination you will destroy all
copies of the SOFTWARE PRODUCT and documentation
remaining in your control or possession.
8. Miscellaneous Provisions. This AGREEMENT will be
governed by and construed in accordance with the
substantive laws of Washington excluding the 1980 United
National Convention on Contracts for the International Sale
of Goods, as amended. This is the entire AGREEMENT
between us relating to the contents of this package, and
supersedes any prior purchase order, communications,
advertising or representations concerning the contents of this
package AND BY USING THE SOFTWARE PRODUCT
YOU AGREE TO THESE TERMS. No change or
modification of this AGREEMENT will be valid unless it is in
writing, and is signed by WATCHGUARD.
9. Canadian Transactions: If you obtained this
SOFTWARE PRODUCT in Canada, you agree to the
following:
The parties hereto have expressly required that the present
AGREEMENT and its Exhibits be drawn up in the English
language. / Les parties aux presentes ont expressement exige
que la presente conventions et ses Annexes soient redigees en
la langue anglaise.
Contents
Contents .......................................................................ix
CHAPTER 1 Using the Command Line Interface ..........1
Introducing the WatchGuard CLI .......................................1
CLI capabilities .............................................................2
CLI limitations ...............................................................3
CLI Guide text conventions ...............................................3
Getting started with the WatchGuard CLI ...........................5
Connecting to an appliance .............................................5
Logging into an appliance via a console connection .............6
Logging into an existing appliance via a network connection .7
Understanding the command prompt ................................8
Abbreviating commands and keywords ..............................8
Case sensitivity .............................................................9
Extending command lines ...............................................9
Typing arguments in a command ......................................9
Deleting text in the Command Line Interface ....................10
Using the CLI to add to or replace existing settings and policies ...........10
Grouping parameters in a command ...............................10
Reviewing the recently used commands ...........................11
Navigating through the CLI ........................................... 13
Common Navigation commands .................................... 14
Using keywords .......................................................... 15
Show command/argument (“name”) usage ...................... 16
Viewing context-sensitive online help ............................. 17
Logging out of the appliance ........................................ 18
Installing and configuring a WatchGuard appliance .......... 19
To log into a WatchGuard appliance for the first time: ........ 19
To assign network addresses to appliance interfaces .......... 20
To complete system configuration .................................. 20
To create and apply security policies ............................... 21
To remove/delete items from a WatchGuard database ....... 22
To save and apply your most recent changes .................... 22
To maintain an appliance .............................................. 22
To troubleshoot an appliance ........................................ 22
To restore an appliance to the factory-default state ........... 23
To review the most recent tasks (at any level) .................... 23
To get on-line help while working ................................... 24
CHAPTER 2 Administration Mode Commands .......... 25
Command syntax conventions used in this guide ............. 25
Administration mode commands .................................... 27
account command ...................................................... 28
downgrade command ................................................. 29
export command ........................................................ 30
flush command ........................................................... 31
ha_sync command ...................................................... 31
import command ........................................................ 32
operation_mode command .......................................... 35
passwd command ....................................................... 36
reboot command ........................................................ 37
restore default command ............................................. 38
shutdown command .................................................... 38
upgrade command ..................................................... 39
CHAPTER 3 Configuration Mode Commands .............41
Top-level configuration mode commands ........................41
abort command ..........................................................43
address command .......................................................43
certificate command ....................................................45
commit command .......................................................45
delete command .........................................................45
denial_of_service command ..........................................46
high_availability commands ...........................................47
ike command ..............................................................48
interface command ......................................................49
ipsec command ..........................................................49
license command ........................................................49
log command .............................................................50
nat command .............................................................54
no command ..............................................................56
policy command .........................................................57
qos command ............................................................60
ras command ..............................................................61
rename command .......................................................61
schedule command .....................................................62
service command ........................................................63
system command ........................................................64
trace command ...........................................................64
tenant command .........................................................65
tunnel_switch command ...............................................65
history command ........................................................66
Second level configuration mode commands ...................66
Level 2 certificate configuration commands ......................67
Level 2 High Availability configuration commands ..............72
Level 2 IKE configuration commands ...............................78
Level 2 interface configuration commands ........................82
Level 2 IPSec configuration commands ............................95
Level 2 Quality of Service (QoS) configuration commands .100
Level 2 Remote Access Service (RAS) configuration commands ........ 102
Level 2 System Configuration commands ...................... 107
Level 2 license commands (for upgraded or additional features) ........ 117
Level 2 tenant configuration commands ........................ 119
Level 3 configuration mode commands ......................... 122
Level 3 route configuration commands .......................... 122
Level 3 log configuration commands ............................ 124
CHAPTER 4 Debug Mode Commands ...................... 127
Debugging/troubleshooting commands ........................ 127
arp command .......................................................... 129
clear_logs ................................................................ 129
config_http command ............................................... 129
conn_idle_timeout command ...................................... 130
ha_instant_sync command .......................................... 130
hwdiag command ..................................................... 131
ifconfig command ..................................................... 131
importscreen command ............................................. 132
kernel_debug command ............................................ 133
netstat command ...................................................... 134
ping command ......................................................... 134
pppoe_config command ............................................ 135
radius_ping command ............................................... 135
rcinfo command ....................................................... 137
reboot command ...................................................... 137
rs_kdiag command .................................................... 138
set_dos_if command ................................................. 139
slink command ......................................................... 139
tcpdump command ................................................... 140
traceroute command ................................................. 140
verbose_trace command ............................................ 141
vinstall command ...................................................... 141
CHAPTER 5 Other Commands ...................................143
No command ...............................................................143
Rename command .......................................................143
Show command ...........................................................144
Show command general usage ....................................144
Show address command .............................................145
Show alarm command ................................................146
Show all_routes command ..........................................147
Show certificate command ..........................................147
Show CPM command .................................................148
Show denial_of_service command ................................148
Show diagnostics command ........................................148
Show DNS command .................................................148
Show IKE command ...................................................149
Show interface command ............................................150
Show IPSec command ................................................150
Show LDAP command ................................................151
Show license command ..............................................151
Show log command ...................................................152
Show mode command ...............................................152
Show NAT command .................................................153
Show NTP command .................................................153
Show policy command ...............................................154
Show QoS command .................................................154
Show RAS command ..................................................155
Show route command ................................................156
Show SA command ....................................................156
Show service command ..............................................157
Show SNMP command ...............................................158
Show statistics command ............................................158
Show sysinfo command ..............................................158
Show sysupgrade command ........................................159
Show trace command .................................................159
Show tunnel_switch command .....................................159
Show version command ..............................................160
Index ......................................................................... 161
CHAPTER 1 Using the Command Line Interface
Introducing the WatchGuard CLI
The WatchGuard CLI (Command Line Interface) offers the experienced network administrator an efficient way to set up and manage WatchGuard Firebox Vclass security appliances via a terminal application. As the CLI architecture utilizes a model implemented in many industry-standard routers, network administrators familiar with routers commonly deployed in network environments will find the WatchGuard CLI is both easy to learn and to use.
You can use the CLI to administer an appliance through a console port connection or through a network connection to any of the data interfaces via an SSH Client using protocol 2 or Telnet, once the appropriate firewall-access policies have been created and configured on the target appliance.
While the CLI replicates most of the functionality of the WatchGuard Vcontroller™ application, we strongly recommend that you familiarize yourself with the use of WatchGuard Vcontroller before attempting to use the CLI. Learning the WatchGuard Vcontroller, its terms and processes, and the underlying “flow” of appliance administration, will establish a solid competency with concepts and terms used extensively in the CLI.
We also recommend that you review the latest Release Notes for your WatchGuard security appliances and verify that the most current versions of WatchGuard and Java software are being used. Electronic copies may be obtained from the WatchGuard Technical Support web site (www.watchguard.com/support/). The Technical Support Group can also assist in verifying that you have all of the latest WatchGuard software.
CLI capabilities
The WatchGuard command line interface (CLI) provides you with simple, fast, command-line access to any local WatchGuard Firebox Vclass security appliance to perform most major administrative tasks, including rebooting, resetting appliance interface IP addresses, entering remote access user accounts, and managing policies, actions and proposals stored in the appliance database.
An almost-complete list of CLI setup and administration tasks includes the following:
• Configuring security appliance software
• Interface (port) management
• Viewing current system settings
• Inserting new security policies
• Editing or removing existing policies
• Reorganizing sort order of policies
• Configuring and using the High Availability feature
• Opening and reviewing current log files
• Displaying reports of tunnel and SA activities
• Restoring factory-default configurations
• Shutting down and restarting security appliances
CLI limitations
Please note that the WatchGuard CLI is not a complete replacement for the WatchGuard Vcontroller application, as you cannot do the following with the CLI:
• Set up probes that monitor the current activities of the security appliance
• Set up, activate, and review alarms that are triggered by a range of operational circumstances
• Import Certificate Revocation List (CRL) files or their contents
• Create “admin” access user accounts
• Create firewall-access internal user accounts
CLI Guide text conventions
To help you better use this guide, the following text conventions are used.
Control key
The symbol ^ represents the Control (CTRL) key and is usually used in combination with other text. For example, when you see the key combinations ^Z or Ctrl-Z, this means you should hold down the Control key while pressing the Z key. In the guide, these keys may be printed in capital letters, but “Ctrl+letter” functions are not case-sensitive.
Text strings
A text string is defined as a set of user-variable characters. Text strings (or, strings) are usually presented as example data, or the kind of thing one might type for a particular value. Such an example might be presented enclosed in quotation marks; however, you do not need to type quotes when entering a text string.
For example, we might say: set a user_profile name to “All_RAS_Users.” In this example, you could type your own user profile name (or string) in place of ALL_RAS_Users.
You should enclose a string in quotes in instances where the text entry includes spaces. For example, if entering a name like “Joan Smith,” with a space between the first and last name, you should enclose this entry in quotations to preserve it as a single entity.
For example:
WG(config)#address -group exec_staff
WG(config)#address -group "exec staff"
Carriage returns
Carriage returns are Enter key presses, and are represented by the <ENTER> or <CR> notation. Command examples may omit this notation for the sake of brevity.
Letter spaces
Space characters (entered by pressing the Space bar on the keyboard) are represented in a few instances in this Guide by the <sp> notation. In most cases, however, spaces are simply represented by actual spaces. For example, in:
WG(config)#address -group exec_staff
There is a single space between “address” and “-group,” and “group” and “exec_staff.”
Comments
Comments are presented as italicized text preceded by the “#” character.
# This is a sample comment.
More command-specific and argument-specific conventions are detailed in “Command syntax conventions used in this guide” on page 21.
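The quoting and comment conventions above matter because the appliance splits a line into arguments before it acts on them: `address -group exec staff` is four tokens, not three, while `"exec staff"` is one. The tokenizer below is an added example written for this guide, not WatchGuard code, and it implements only the rules stated here (whitespace separates arguments, a double-quoted string is one argument, `#` outside quotes begins a comment). The `parse_command` helper and its pairing of `-option value` are my assumption about the command shape, drawn from the `address -group exec_staff` example alone; real CLI commands may differ.

```python
"""Tokenizer for CLI lines following the guide's text conventions.

Added example (not from the WatchGuard guide). Sample lines in the test
and in main() are constructed from the guide's own examples.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


class CliSyntaxError(ValueError):
    """Raised for a line that cannot be tokenized, e.g. an unterminated quote."""


def tokenize(line: str) -> List[str]:
    """Split one CLI line into arguments.

    Rules (from the guide's "Text strings" and "Comments" conventions):
      * whitespace separates arguments;
      * a double-quoted string is a single argument and may contain spaces;
        the quotes themselves are not part of the value;
      * '#' outside quotes starts a comment that runs to end of line.
    An unterminated quote is reported as an error instead of being guessed at.
    """
    tokens: List[str] = []
    buf: List[str] = []
    in_quote = False
    have_token = False  # distinguishes "" (an empty argument) from no argument
    for ch in line:
        if in_quote:
            if ch == '"':
                in_quote = False
            else:
                buf.append(ch)
        elif ch == '"':
            in_quote = True
            have_token = True
        elif ch == "#":
            break  # comment: ignore the rest of the line
        elif ch.isspace():
            if have_token:
                tokens.append("".join(buf))
                buf.clear()
                have_token = False
        else:
            buf.append(ch)
            have_token = True
    if in_quote:
        raise CliSyntaxError(f"unterminated quoted string in: {line!r}")
    if have_token:
        tokens.append("".join(buf))
    return tokens


@dataclass
class Command:
    """Assumed command shape: name, '-option value' pairs, positional args."""
    name: str
    options: Dict[str, str] = field(default_factory=dict)
    positional: List[str] = field(default_factory=list)


def parse_command(line: str) -> Optional[Command]:
    """Tokenize a line and group '-option value' pairs (assumed shape).

    Returns None for a blank or comment-only line.
    """
    tokens = tokenize(line)
    if not tokens:
        return None
    cmd = Command(name=tokens[0])
    rest = tokens[1:]
    i = 0
    while i < len(rest):
        tok = rest[i]
        if tok.startswith("-") and len(tok) > 1:
            if i + 1 >= len(rest):
                raise CliSyntaxError(f"option {tok!r} has no value in: {line!r}")
            cmd.options[tok[1:]] = rest[i + 1]
            i += 2
        else:
            cmd.positional.append(tok)
            i += 1
    return cmd


if __name__ == "__main__":
    # Constructed sample lines, taken from the guide's examples.
    for sample in (
        'address -group exec_staff',
        'address -group "exec staff"',
        'address -group exec staff   # unquoted: "staff" becomes a 4th token',
        '# This is a sample comment.',
    ):
        print(f"{sample!r:60} -> {tokenize(sample)}")
```

Run it directly to see how the unquoted `exec staff` splits into two arguments, which is exactly the situation the guide tells you to avoid by quoting.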
Getting started with the WatchGuard CLI
Connecting to an appliance
The WatchGuard CLI can be used to perform pre-installation setup tasks, or to reconfigure or administer the appliance at any time. These comprise two distinct uses of the CLI, which in turn require different connections:
• To use the CLI in pre-installation setup or to do direct administration of a WatchGuard appliance, you can directly connect the appliance to your workstation by connecting a cable from the Console port on the front of the appliance to a serial port on your workstation. Your Vclass package includes an adapter for this purpose. After this connection is made, you can connect directly to the appliance via a terminal application.
• To use the CLI for administration after a WatchGuard appliance has been set up and configured, you can make use of existing network connections. All you need is (1) the IP address of a WatchGuard appliance data interface and (2) a currently active policy permitting CLI console (Telnet/SSH) access to the system through that interface. This may be done by means of the CLI or the WatchGuard Vcontroller, once configuration is complete.
NOTE
If you attempt to log into a functioning, fully configured WatchGuard appliance with the CLI, you must enter “admin” as the login (or “rsadmin” for legacy appliances), as the CLI will not permit use of any other “super admin” account names.
Logging into an appliance via a console connection
To log into a brand new “factory default” WatchGuard appliance by means of the CLI console and a console (serial port) connection, follow these steps:
1 Start any terminal application and open a new connection window.
2 Verify that the terminal has been set to VT100.
NOTE
If the terminal is not set to VT100, various functions may not work—^c will not break, ESC will not work and you’ll have problems with special characters.
Connection parameters include:
- 9600 bps
- 8 data bits
- No parity
- 1 stop bit
- Flow control: none
3 Press <ENTER> once after configuring the connection parameters.
The connection should be immediate, at which time a welcome message is displayed, followed by a WatchGuard “Login” prompt.