CLIguide

Appendix A: CLI Guide

This appendix contains a categorized listing of Command Line Interface (CLI) commands for SonicOS Enhanced firmware. Each command is described, and where appropriate, an example of usage is included.

This appendix contains the following sections:

“Text Conventions” section
“Editing and Completion Features” section
“Command Hierarchy” section
“SonicOS Enhanced Command Listing” section
“Configuring Site-to-Site VPN Using CLI” section
“SonicWALL NetExtender Windows Client CLI Commands” section
“SonicWALL NetExtender MAC and Linux Client CLI Commands” section

Input Data Format Specification

The table below describes the data formats acceptable for most commands. H represents one or more hexadecimal digit (0-9 and A-F). D represents one or more decimal digit.

Table 4
Input Data Formats
Data
Data Format

MAC Address

HH:HH:HH:HH:HH:HH

MAC Address

HHHH.HHHH.HHHH

IP Address

D.D.D.D

IP Address

0xHHHHHHHH

Integer Values

D

Integer Values

0xH

Integer Range

D-D

Text Conventions

Bold text indicates a command executed by interacting with the user interface.

Courier bold text indicates commands and text entered using the CLI.
Italic text indicates the first occurrence of a new term, as well as a book title, and also emphasized text. In this command summary, items presented in italics represent user-specified information.
Items within angle brackets (“< >”) are required information.
Items within square brackets (“[ ]”) are optional information.
Items separated by a “pipe” (“|”) are options. You can select any of them.
Note
Though a command string may be displayed on multiple lines in this guide, it must be entered on a single line with no carriage returns except at the end of the complete command.

Editing and Completion Features

You can use individual keys and control-key combinations to assist you with the CLI. The table below describes the key and control-key combination functions.

Table 5
Key Reference
Key(s)
Function

Tab

Completes the current word

?

Displays possible command completions

CTRL+A
Moves cursor to the beginning of the command line
CTRL+B
Moves cursor to the previous character
CTRL+C
Exits the Quick Start Wizard at any time
CTRL+E
Moves cursor to the end of the command line
CTRL+F
Moves cursor to the next character
CTRL+K
Erases characters from the cursor to the end of the line
CTRL+N
Displays the next command in the command history
CTRL+P
Displays the previous command in the com ­ mand history
CTRL+W
Erases the previous word
Left Arrow
Moves cursor to the previous character
Right Arrow
Moves the cursor to the next character
Up Arrow
Displays the previous command in the com ­ mand history
Down Arrow
Displays the next command in the command history

Most configuration commands require completing all fields in the command. For commands with several possible completing commands, the Tab or ? key display all options.

myDevice> show [TAB]

alerts
interface
network
tech-support
arp
log
processes
tsr
content-filter
memory
route
web-management
cpu
messages
security-
services
zone
device
nat
status
zones
gms
netstat
system
 

The Tab key can also be used to finish a command if the command is uniquely identified by user input.

myDevice> show al [TAB]

displays

myDevice> show alerts

Additionally, commands can be abbreviated as long as the partial commands are unique. The following text:

myDevice> sho int inf

is an acceptable abbreviation for
myDevice> show interface info

Command Hierarchy

The CLI configuration manager allows you to control hardware and firmware of the appliance through a discreet mode and submode system. The commands for the appliance fit into the logical hierarchy shown below.

To configure items in a submode, activate the submode by entering a command in the mode above it.

For example, to set the default LAN interface speed or duplex, you must first enter configure , then interface x0 lan . To return to the higher Configuration mode, simply enter end or finished .

Configuration Security

SonicWALL Internet Security appliances allow easy, flexible configuration without compromising the security of their configuration or your network.

Passwords

The SonicWALL CLI currently uses the administrator’s password to obtain access. SonicWALL devices are shipped with a default password of password . Setting passwords is important in order to access the SonicWALL and configure it over a network.

Factory Reset to Defaults

If you are unable to connect to your device over the network, you can use the command restore to reset the device to factory defaults during a serial configuration session.

Management Methods for the SonicWALL Network Security Appliance

You can configure the SonicWALL appliance using one of three methods:

Using a serial connection and the configuration manager
An IP address assignment is not necessary for appliance management.
A device must be managed while physically connected via a serial cable.
Web browser-based User Interface
In IP address must have been assigned to the appliance for management or use the default of 192.168.168.168.

Initiating a Management Session using the CLI

Serial Management and IP Address Assignment

Follow the steps below to initiate a management session via a serial connection and set an IP address for the device.

Note
The default terminal settings on the SonicWALL and modules is 80 columns by 25 lines. To ensure the best display and reduce the chance of graphic anomalies, use the same settings with the serial terminal software. The device terminal settings can be changed, if necessary. Use the standard ANSI setting on the serial terminal software.
1.
Attach the included null modem cable to the appliance port marked CONSOLE . Attach the other end of the null modem cable to a serial port on the configuring computer.
2.
Launch any terminal emulation application that communicates with the serial port connected to the appliance. Use these settings:
115,200 baud (9600 for TZ170)
8 data bits
no parity
1 stop bit
no flow control
3.
Press Enter/Return . Initial information is displayed followed by a DEVICE NAME> prompt.

 

Initiating an SSH Management Session via Ethernet

Note
This option works for customers administering a device that does not have a cable for console access to the CLI.

Follow the steps below to initiate an SSH management session through an Ethernet connection from a client to the appliance.

1.
Attach an Ethernet cable to the interface port marked XO . Attach the other end of the Ethernet cable to an Ethernet port on the configuring computer.
2.
Launch any terminal emulation application (such as PuTTY) that communicates via the Ethernet interface connected to the appliance.
3.
Within the emulation application, enter the IP destination address for the appliance and enter 22 as the port number.
4.
Select SSH as the connection type and open a connection.

Logging in to the SonicOS CLI

When the connection is established, log in to the security appliance:

1.
At the User prompt enter the Admin’s username. Only the admin user will be able to login from the CLI. The default Admin username is admin . The default can be changed.
2.
At the Password prompt, enter the Admin’s password. If an invalid or mismatched username or password is entered, the CLI prompt will return to User :, and a “CLI administrator login denied due to bad credentials” error message will be logged. There is no lockout facility on the CLI.

SonicOS Enhanced Command Listing

The following section displays all commands available for the SonicWALL:

“Top Level Commands” section
“Configure Level Commands” section
“LAN Interface Configuration” section
“WAN Interface Configuration” section
Table 6
Top Level Commands
Command
Description
backup
Backs-up device firmware settings
baud 9600
Sets system baud rate to 9600
baud 19200
Sets baud rate to 19200
baud 38400
Sets baud rate to 38400
baud 57600
Sets baud rate to 57600
baud 115200
Sets baud rate to 115200
baud save
Saves current baud rate setting
clear cp-stats
Clears CPU statistics
clear hw-stats
Clears hardware statistics
clear log
Clears messages from the logging buffer
clear pp-stats
Clears presentation protocol statistics
clear screen
Clears the console screen, leaving a single prompt line
clear ssh
Terminates a secure shell connection
clear ssh < int | hex >
Terminates a particular secure shell connection, specified by integer or hexidecimal input
clear ssh all
Terminates all incoming and outgoing secure shell connections
cls
Clears the console screen, leaving a single prompt line
configure
Enters the configuration level
exit
Causes exit from a submenu. If issued at the global level, returns to the login prompt
export preferences
Exports a preferences file using Z-modem pro ­ tocol
export preferences ftp
Exports a preferences file using FTP protocol
export trace all
Exports all native trace route provisioning data using Z-modem protocol
export trace all ftp
Exports all native trace route provisioning data using FTP protocol
export trace current
Exports currently running trace route data using Z-modem protocol
export trace current ftp
Exports currently running trace route data using FTP protocol
export trace last
Exports the most recent trace route data using Z-modem protocol
export trace last ftp
Exports the most recent trace route data using FTP protocol
export tsr
Exports TSR using Z-modem protocol
export tsr ftp
Exports TSR using FTP protocol
firmware boot current
Loads and executes current unit firmware
firmware boot current factory
Loads and executes default factory unit hardware
firmware boot uploaded
Runs uploaded firmware on the unit
firmware boot uploaded factory
Runs original factory installed firmware
firmware download current
Downloads currently running unit firmware
firmware download uploaded
Downloads currently uploaded unit firmware
firmware upload
Uploads updated unit firmware
help < command >
Displays the specified command and descrip ­ tion
import configuration
Imports current system configuration from the SonicWALL
import preferences
Imports preferences from the SonicWALL using Z-modem protocol
language-override
Overrides current unit language setting
language-override chinese
Overrides current unit language setting, resets to Chinese
language-override english
Overrides current unit language setting, resets to English
language-override french
Overrides current unit language setting, resets to French
language-override german
Overrides current unit language setting, resets to German
language-override italian
Overrides current unit language setting, resets to Italian
language-override japanese
Overrides current unit language setting, resets to Japanese
language-override spanish
Overrides current unit language setting, resets to Spanish
logout
Logs user out from the console
monitor
Defines, or redefines, a command and displays the output
no
Negates a command or set its defaults
nslookup < dotted-int | hex | ident >
Looks up the IP address of the given domain name from the configurable domain name servers
ping <dotted-int | hex | ident >
Sends ICMP packets to the destination IP address
remote-console
Executes a command without having to login
restart
Restarts the SonicWALL
restore
Restores the factory default settings on the SonicWALL
safemode
Boots OS in safemode to assist in trouble ­ shooting
show access-rules
Displays the configured firewall access rules
show address-group
Displays all defined address groups
show address-group < string | ident>
Displays system address groups specified by particular string or identifier input
show address-object
Displays all defined address objects
show address-object < string | ident>
Displays all defined address objects specified by particular string or identifier input
show alerts
Displays defined alerts
show all
Displays the configuration information from dif ­ ferent modules of the firewall
show arp
Displays currently known Address Resolution Protocol (ARP) entries
show ars all
Displays all Advanced Routing System (ARS) paths
show ars nsm
Displays all ARS paths being managed through Network Status Management (NSM)
show ars ospf
Displays ARS paths using Open Shortest Path First (OSPF) protocol
show ars rip
Displays all ARS paths using Routing Information Protocol (RIP)
show baud
Displays current baud rate
show buf-memzone
Displays current available space in buffer memory zone
show build-info
Displays current OS build information
show continuous core-work
Displays continuous core work resources
show continuous core-work < int| hex>
Displays continuous core work resources specified by particular integer or hexidecimal input
show continuous interface
Displays all currently selected continuous traffic interfaces
show continuous interface < match>
Displays currently selected continuous traffic interface, specified by an indentifier
show continuous system
Displays all continuous system traffic
show continuous system < int | hex>
Displays continuous system traffic specified by a particular integer or hexidecimal input
show core
Display CPU utility for a process
show core < int | hex>
Displays CPU utility for a process specified by an integer or hexidecimal input
show cp-stats
Display all CPU statistics
show cpu
Displays CPU and memory information
show cpu < string | ident>
Displays CPU and memory information, speci ­ fied by a particular string or identifier input
show device
Displays on the console the contents of the status section of the Technical Support Report (TSR)
show firmware
Displays active running unit firmware
show fpa
Displays all file command data
show gms
Displays Global Management System configuration
show ha
Displays current High Availability configuration
show hw-stats
Displays hardware statistics
show interface < match>
Displays interface data specified by a particular identifier input
show interface all
Displays the configuration of all interfaces
show interface info
Displays all interface status information
show interface info < int | hex>
Displays interface status information specified by a particular integer or hexidecimal input
show interface statistics
Displays all interface statistics
show interface statistics < match>
Displays interface statistics specified by a particular indentifier input
show language
Displays current language setting
show log
Displays all logs unit has in its memory
show log-categories
Displays all current unit log categories
show log-filters
Displays all current unit log filter settings
show mem-pools
Displays unit’s current memory pool block allocation
show memory
Displays system memory on the appliance
show memzone
Displays the status of virtual memory zones on the appliance
show messages
Displays all system messages
show multicore
Displays available multicore configuration and utilization status
show nat
Displays currently configured network address translation policies
show netstat
Displays the contents of the netstat table
show network
Displays current network configuration
show pp-stats
Displays all presentation protocol statistics
show processes
Displays information about active SonicOS processes
show processes < string | ident>
Displays SonicOS processes specified by a particular string or indentifier input
show route
Displays the complete routing table
show security-services
Displays the complete status of all security services on the SonicWALL, including license status, licenses available, licenses in use, and license expiration dates
show service
Displays all services associated with the appli ­ ance, along with protocol group and port details
show service-groups
Displays all service groups associated with the appliance, along with protocol group and port details
show service-groups < group-name>
Displays a specified service group associated with the appliance
show service < service-name>
Displays a service associated with the appli ­ ance, based on the specific service name input
show session
Displays current running session information
show sonicpoint
Displays SonicPoint network configuration
show sonicpoint sessions
Displays all SonicPoint session statistics
show sonicpoint status
Displays SonicPoint network availability
show ssh
Displays all incoming and outgoing secure shell connections to the unit
show sslvpn all
Displays all current SSL-VPN data connected to the unit
show sslvpn clientRoutes
Displays all client routes associated with current SSL-VPN connections to the unit shown on the client routes GUI page
show sslvpn clientRoutes < string | ident>
Displays client routes associated with current SSL-VPN connections to the unit, specified by the particular string or indentifier input
show sslvpn client Settings
Displays all current client settings associated with SSL-VPN connections to the unit shown on the client settings GUI page
show sslvpn connections
Displays all current SSL-VPN connections to the unit
show sslvpn portalSettings
Displays all current portal settings for SSL-VPN connections shown on the portal set ­ tings GUI page
show status
Displays current status of the appliance
show syslog
Displays all log activity, including connection sources and IP addresses
show system
Displays the appliance system status and configuration
show tech-support
Displays the contents of the TSR
show timeout
Displays maximum defined idle time duration
show tracelog all
Displays all available trace route data
show tracelog current
Displays currently running trace route data
show tracelog last
Displays most recently run trace route data
show tsr access-rules
Displays all defined access rules within the TSR
show tsr active-utm
Displays Technical Support Report listing active UTM units on the network
show tsr address-objects
Displays TSR of addresses listed within the object database
show tsr all
Displays all available TSR data
show tsr anti-spam
Displays TSR containing all anti-spam activity data
show tsr arp-cache
Displays TSR containing table relating IP addresses to corresponding MAC or physical addresses
show tsr av
Displays TSR data relating to anti-virus activity
show tsr buf-memzone
Displays TSR data relating to buffer memory zones
show tsr bwm-rules
Displays TSR listing currently configured bandwidth management rules
show tsr cache-check
Displays TSR data relating to cache searches
show tsr content-filtering
Displays TSR data relating to content filtering activity
show tsr db-trace
Displays TSR data relating to database trace routes
show tsr dhcp-client
Displays TSR data relating to DHCP client requests
show tsr dhcp-network-disk
Displays TSR data relating to DHCP requests between network and clients
show tsr dhcp-persistence
Displays TSR data relating the firewall’s ability to retain DHCP lease information
show tsr dhcp-relay
Displays TSR data relating to available DHCP relay information
show tsr dhcp-server
Displays TSR data relating to DHCP server connections
show tsr dhcp-server-stat
Displays TSR data relating DHCP server statistics
show tsr diag
Displays TSR data relating to system diagnostics
show tsr dynamic-dns
Displays TSR data relating to dynamic domain name server records
show tsr ethernet
Displays TSR data relating to Ethernet connections and availability
show tsr fdr
Displays TSR data relating to false discovery rate statistics
show tsr gav
Displays TSR data relating to Gateway Anti- virus statistics
show tsr gsc
Displays TSR data relating to Global Security Client statistics
show tsr guest-profile-objects
Displays TSR data relating to guest and profile data objects
show tsr h323
Displays TSR data relating to H.323 packet activity
show tsr ha
Displays TSR data relating to High Availability status
show tsr hypervisor
Displays TSR information relating to hypervisor data on multiple operating systems running on the host computer
show tsr idp
Displays TSR data relating to internet datagram protocol statistics
show tsr interfaces
Displays TSR data for all appliance interfaces
show tsr ip-helper
Displays TSR data relating to IP Helper configuration and settings
show tsr ip-reassembly
Displays TSR data relating to IP reassembly datagram statistics
show tsr ipsec
Displays TSR data relating to internet protocol security statistics
show tsr l2tp-client
Displays TSR data relating to Layer 2 Tunneling Protocol (L2TP) client statistics
show tsr l2tp-server
Displays the L2TP server section of the TSR
show tsr ldap
Displays the LDAP section of the TSR
show tsr license
Displays TSR data relating to appliance licensing info
show tsr log
Displays TSR data section with all log information
show tsr management
Displays TSR listing appliance management policies
show tsr mcast-igmp-config
Displays TSR listing Multicast and IGMP configurations
show tsr memzone
Displays TSR listing appliance memory zone allocations
show tsr mirror-state
Displays TSR data relating to database mirror state statistics
show tsr msn
Displays TSR data relating to the MSN messenger client
show tsr nat-policies
Displays TSR listing appliance’s current network address translation policies
show tsr network
Displays TSR data on current network configuration
show tsr objects
Displays TSR data on appliance’s object database
show tsr pki
Displays TSR data relating to current public key infrastructure certificates
show tsr pppoe-client
Displays TSR data relating to point-to-point- protocol over Ethernet system settings
show tsr pptp-client
Displays TSR data relating to point-to-point tunneling protocol client configuration
show tsr pref-status
Displays TSR listing appliance’s preferences status
show tsr product
Displays TSR data relating to the appliance product
show tsr qos
Displays TSR listing the appliance’s current Quality of Service resource reservations status
show tsr radius
Displays TSR data relating to RADIUS server status
show tsr route-policies
Displays TSR data relating to established system route policies
show tsr rtsp
Displays TSR data relating to Real Time Streaming Protocol statistics
show tsr schedule-objects
Displays TSR data relating to data objects scheduled for execution
show tsr service-objects
Displays the service object table subsection of the TSR
show tsr single-sign-on
Displays TSR data relating to single sign on authentication policies
show tsr sip
Displays TSR data relating to the appliance’s Session Initiation Protocol settings
show tsr snmp
Displays TSR data relating to Simple Network Management Protocol settings
show tsr sonicpoint
Displays TSR data relating to SonicPoint deployment
show tsr ssl-control
Displays TSR data relating to Secure Socket Layer control policies
show tsr stateful-stats
Displays TSR data detailing stateful packet inspection statistics
show tsr stateful-sync
Displays TSR data detailing appliance’s stateful synchronization configuration
show tsr status
Displays TSR data relating to current appliance status
show tsr time
Displays TSR data relating to appliance’s time policy configuration
show tsr timers
Displays the timers section of the TSR
show tsr update
Displays updated TSR
show tsr user-objects
Displays TSR data relating to currently defined user objects
show tsr users
Displays TSR data relating to currently configured user profiles
show tsr vx-net-stats
Displays TSR data relating to VX-Net statistics
show tsr wireless
(Available on UTM appliances with built in wireless interfaces)
Displays wireless interface section of the TSR
show tsr wlan-zone
Displays TSR data relating to managed wireless local area network zones
show tsr wlb
Displays TSR data relating to WLB platform statistics
show tsr zone-objects
Displays TSR data relating to currently defined zone objects
show vpn policy
Displays Virtual Private Network (VPN) policy configurations
show vpn policy < string | ident>
Displays VPN policies specified by a particular string or identifier input
show vpn sa
Displays current VPN security associations
show vpn sa detail
Displays detailed information on VPN security associations
show vpn sa summary
Displays a data summary on current VPN security associations
show vpn sa ike
Displays VPN security association Internet Key Exchange policies
show vpn sa ike detail
Displays detailed information on VPN security association Internet Key Exchange policies
show vpn sa ike summary
Displays a data summary on VPN security association Internet Key Exchange policies
show vpn sa ipsec
Displays VPN security associations connected with IPSec routing protocols
show vpn sa ipsec detail
Displays detailed information on VPN security associations connected with IPSec routing protocols
show vpn sa ipsec summary
Displays a data summary on VPN security associations connected with IPSec routing protocols
show vpn sa < string>
Displays a particular VPN security association, specified by a particular string input
show vpn sa < string> detail
Displays details on a VPN security association, specified by a particular string input
show vpn sa < string> summary
Displays a data summary on a security association, specified by a particular string input
show vpn sa < string> ike
Displays Internet Key Exchange data for a VPN security association, specified by a particular string input
show vpn sa < string> ike detail
Displays details for Internet Key Exchange data for a VPN security association, specified by a particular string input
show vpn sa < string> ike summary
Displays a summary for Internet Key Exchange data for a VPN security association, specified by a particular string input
show vpn sa < string> ipsec
Displays IPSec data for a VPN security association, specified by a particular string input
show vpn sa < string> ipsec detail
Displays details for IPSec data for a VPN security association, specified by a particular string input
show vpn sa < string> ipsec sum­mary
Displays a summary for IPSec data for a VPN security association, specified by a particular string input
show vpn sa < ident>
Displays VPN security associations, specified by a particular identifier input
show vpn sa < ident> detail
Displays details for a VPN security association, specified by a particular identifier input
show vpn sa < ident> summary
Displays a summary for VPN security associations, specified by a particular indentifier input
show vpn sa < ident> ike
Displays Internet Key Exchange data for a VPN security association, specified by a particular identifier
show vpn sa < ident> ike detail
Displays detailed Internet Key Exchange data for VPN security associations, specified by a particular identified input
show vpn sa < ident> ike summary
Displays a summary on Internet Key Exchange data for VPN security associations, specified by a particular identifier input
show vpn sa < ident> ipsec
Displays IPSec data for VPN security associations, specified by a particular identifier input
show vpn sa < ident> ipsec detail
Displays detailed IPSec data for VPN security associations, specified by a particular identifier input
show vpn sa < ident> ipsec summary
Displays a summary on IPSec data for VPN security associations, specified by a particular identifier input
show web-management
Displays web-management status and configuration data
show zone < lan | wan | dmz | wlan >
Displays all rules for a specified zone. For example, show zone <lan rules> displays all of the rules to and from the LAN zone
show zone all
Displays the configuration of all zones
show zones
Displays configurable zones on the appliance and interfaces associated with each zone
stacktrace
Runs report of the currently active stack frames
stacktrace < string | ident>
Runs report for a specific active set of stack frames, based on the particular string or identifier input
sync-prefs
Synchronizes preferences between appliances
synchronize-licenses
Synchronizes the SonicWALL licensing information with the mysonicwall.com backend
traceroute < dotted-int | hex | ident >
Displays router hops to destination, specified by dotted-integer, hexidecimal, or identifier input
Table 7
Configure Level Commands

 

Command
Description
ACCESS RULES SUB-COMMANNDS
 
 
access-rules < from-zone> < to-zone>
Allows configuration of access rules between one zone and another
< add> commands
 
 
action < allow| deny| dis­card>
Sets the action to allow, deny, or discard an access rule
advanced
Allows configuration of advanced access rule settings
[ no] allow-fragments
Allows/Disallows fragmented packets to be transferred
comment < comments>
Allows administrators to record comments related to this access rule
destination < address object>
Configures an address object destination for an access rule
info
Displays current access rule
[ no] logging
Enables/Disables access rule packet logging
maxconns < percentage>
Configures maximum number of connections in a pool
qos dscp < none| preserve| explicit| map> [< arg>]
Sets DSCP packet header markings
qoa 802.1p < none| preserve| explicit| map> [< arg>]
Sets 802.1p Ethernet packet header markings
[ no] reflexive
Creates/Removes a reflexive access rule
schedule < schedule object>
Configures the schedule object for an access rule
service < service object>
Configures the service object for an access rule
source < address object>
Configures an address object source for an access rule
tcptimeout < minutes>
Sets TCP timeout in minutes
udptimeout < seconds>
Sets UDP timeout in seconds
user < user object>
Configures the user object for an access rule
delete < index>
Deletes specified index of access rules
list [< index>]
Displays one access rule whose index matches the specified value input. If index is not available, all access rules in the current zone to zone context will display
< modify> commands
 
 
< index>
Modifies specific access rules index
action < allow| deny| dis­card>
Modifies an allow, deny, or discard action relating to a specific access rule
advanced
Modifies an advanced access rule
[ no] allow-fragments
Modifies whether fragmented packets are to be transferred
comment < comments>
Modifies comments related to access rules
destination < address object>
Modifies the destination address object for a specific access rule
info
Displays current or modifying access rule settings
[ no] logging
Modifies whether packet logging is enabled for a specific access rule
qos dscp < none| preserve| explicit| map> [< arg>]
Modifies DSCP packet header markings
qos 802.1p < none| preserve| explicit| map> [< arg>]
Modifies 802.1p Ethernet packet header markings
maxconns < percentage>
Modifies maximum number of connections in a pool
schedule < schedule object>
Modifies a schedule object connected to an access rule
service < service object>
Modifies the service object connected to an access rule
source < address object>
Modifies the source address object connected to an access rule
tcptimeout < minutes>
Modifies set TCP timeout limit in minutes
udptimeout < seconds>
Modifies set UDP timeout limit in seconds
user < user object>
Modifies the user-object connected with an access rule
show access-rules
Displays all currently configured access rules
ADDRESS GROUP/ADDRESS OBJECT SUB-COMMANDS
 
abort
Exits to top-level menu and cancels changes where needed
[ no] address-object < object name>
Configures or modifies an address object
[ no] address-group < group name>
Configures or modifies an address group
cancel
Cancel from menu without applying changes
end
Exits configuration mode
exit
Exits menu and applies changes
finished
Exits to top-level and applies changes where needed
host < ip address>
Configures the host IP address for the specific address object
info
Displays current address group configuration
network < subnet> < netmask>
Configures network subnet and netmask
range < begin-address> < end address>
Defines address range for the address group or address object
zone < zone name>
Configures a zone for the specified address object or group
ARP SUB-COMMAND
 
 
[ no ] arp < ip address > < MAC address > interface < lan | wan | dmz >[ perm ][ pub ]
Adds or removes arp entries for specified interface(s)
GMS SUB-COMMANDS
< gms>
algorithm < des-md5 | frd3- sha >
Sets GMS encryption and authentica ­ tion algorithm
[ no ] authentication-key < hex key >
Sets the 32-hex or 40-hex authentica ­ tion key to communicate with the GMS server
[ no ] behind-nat
Enables GMS behind a NAT device
bound-interface < x1 | x2 | x3 | x4 | x5 >
Binds a VPN policy to an interface
[ no ] enable
Enables GMS management on a Son ­ icWALL
encryption-key < hex key >
set the 16-hex/48-hex encryption key to communicate with the GMS server
end
Exits configuration menu
finished
Exits configuration mode to top menu
help < command >
Displays command and description
info
Displays current GMS configuration state
[ no ] nat-address < IP Address >
Sets the public NAT IP address that the GMS server resides behind
[ no ] over-vpn
Enables GMS server locally or over VPN
[ no ] send-heartbeat
Sends heart beat status messages only
[ no ] server < IP Address >
Sets the real IP address of the GMS server
[ no ] standby-management- sa
Enables the backup SA for GMS man ­ agement
syslog-port < uvalue | (default) >
Sets the syslog server port of the GMS server
HIGH AVAILABILITY SUB-COMMAND
 
 
ha < disable| enable>
Enables or disables the High Availability function
NAT SUB-COMMANDS
 
 
nat
Accesses sub-commands to configure NAT policies
< add> commands
 
 
orig-src < original source object>
Sets the original source object for this policy
trans-src < translated source object>
Sets the translated source object for this policy
orig-dst < original destination source object>
Sets the original destination source object for this policy
orig-svc < original service name>
Sets the original service name for this policy
trans-svc < translated service name>
Sets the translated service name for this policy
inbound-interface < inbound interface>
Sets the inbound interface for this policy
outbound-interface < outbound interface>
Sets the outbound interface for this policy
[ no] enable
Enables/Disables a NAT policy once it has been created
[ no] reflexive
Creates/Removes a reflexive NAT policy once it has been saved
comment < comments>
Allows administrator to leave comments relating to a NAT policy
info
Displays currently configured NAT element settings
< delete> commands
 
 
delete < item-number>
Deletes a specific NAT policy
< modify> commands
 
 
< item-number>
Allows modification of a specific NAT policy
[ no] enable
Enables/Disables a specific NAT policy
[ no] comment < comments>
Allows administrator to modify com ­ ments relating to a NAT policy
orig-src < original source object>
Modifies the original source object for this policy
trans-src < translated source object>
Modifies the translated source object for this policy
orig-dst < original destination address object>
Modifies the original destination address object for this policy
trans-dst < translated destination address object>
Modifies the translated destination- address object for this policy
orig-svc < original service name>
Modifies the name of the original service
trans-svc < translated service name>
Modifies the translated service name
inbound-interface < inbound interface>
Modifies the inbound interface for NAT
outbound-interface < outbound interface>
Modifies the outbound interface for NAT
info
Displays current object or modifying object
ROUTE SUB-COMMANDS
 
 
route ars-nsm
Configures the Advanced Routing Suite for the NSM module
route ars-ospf
Configures the Advanced Routing Suite for the OSPF module
route ars-rip
Configures the Advanced Routing Suite for the RIP module
SERVICE SUB-COMMANDS
 
 
service
Accesses sub-commands to configure individual services
< add> commands
 
 
< service name>
Allows configuration of a new service type to be associated to the appliance
< group name>
Allows configuration of a new service group name
[ no] service < service name>
Allows/Removes configuration of service type
ip-type < ip type>
Allows ip-type to be set for a particular service
port-begin < port>
Sets the start point for a service’s port range
port-end < port>
Sets the endpoint for a service’s port range
info
Allows additional values to be added for the specific service
subtype < x>
Sets the subtype for the selected ip-type
 
< delete> commands
 
 
< group name>
Deletes the specifically named service group
< service name>
Deletes the specifically named service type
< modify> commands
 
 
 
< service name>
Allows modification of a service name
< group name>
Modifies the name of a specified service group
ip-type < ip type>
Modifies the ip-type for this particular service
port-begin < port>
Modifies the start port for this range
port-end < port>
Modifies the end port for this range
[ no] service < service name}
Modifies/deletes specified service type
subtype < x>
Modifies the subtype for this specific ip-type
[ info]
Optional, displays service values for service name, protocol, and port range
 
 
 
SONICPOINT SUB-COMMANDS
 
< sonicpoint>
< string>
Configures a SonicPoint profile
 
sync
Synchronizes configured SonicPoints
country-code < US| CA>
Sets applicable country code for a SonicPoint
[ no] delete
Deletes an operational SonicPoint from a deployment
[ no] enable
Enables or disables a configured SonicPoint
end
Exits configuration mode
exit
Exits menu and applies changes
finished
Exits to top-level and applies changes where needed
info
Displays information on a specific SonicPoint
[ no] radio-a enable
Enables or disables 802.11a radio band wireless connections
radio-a acl allow < string>
Adds a specific MAC address to the Access Control List (ACL) to allow 802.11a radio band wireless connections to a SonicPoint
radio-a acl deny < string>
Adds a specific MAC address to the denied Access Control List, preventing 802.11a radio band wireless connections to a SonicPoint
[ no] radio-acl enable
Enables or disables the Access Control List feature on 802.11a radio
radio-a acl mode < deny| allow| disabled| enabled>
Sets Access Control List enforcement
radio-a acl object-handle < string>
Sets 802.11a radio ACL to allow list object handle
radio-a antenna-diversity < one| two| both>
Sets which antenna (left, right, or both) the SonicPoint uses to send and receive data
 
radio-a authtype < both| open| psk| shared>
Sets the method type for authentication to be both, open, WPA/PSK, or WEP- shared
radio-a beacon-interval < uvalue>
Sets the interval (in milliseconds) between broadcasts of the wireless beacon
radio-a channel < uvalue>
Sets the radio channel the SonicPoint will operate on
radio-a datarate < 6| 9| 12| 18| 24| 36| 48| 54| best>
Sets the data rate at which data is transmitted and received to either the best possible rate, or a specified rate
radio-a dtim < uvalue>
Sets 802.11a radio DTIM, which is the numbers of beacon frames that must occur before the radio sends buffered multicast frames
radio-a frag-thresh < uvalue>
Sets the number of bytes of fragmented data for the SonicPoint to allow
[ no] radio-a hide-ssid
Sets SSID to be broadcast as part of the wireless beacon, rather than as a separate broadcast
radio-a maxclients < uvalue>
Sets maximum number of clients that can the SonicPoint can support at one time
radio-a radio-mode < standard| turbo>
Sets radio mode to standard or turbo
radio-a rts-thresh < uvalue>
Sets the RTS threshold in bytes
radio-a sched-onoff < string>
Sets the on/off schedule string for 802.11a radio
radio-a sched-scan < string>
Sets a convenient time to schedule an Intrusion Detection Scan (IDS)
radio-a ssid < string>
Sets Service Set Identifier (SSID) identifying a particular SonicPoint
radio-a txpower < eighth| full| half| minimum| quarter>
Sets Transmit Power Control level strength
radio-a wep key-value < 1-4> < string>
Sets the 802.11a radio WEP key value for each encryption key slot
radio-a wep default-key < uvalue>
Sets the SonicPoint’s default WEP key index
radio-a wep key-mode < 64bit| 128bit| 152bit| none>
Sets WEP key mode, establishing character length of encryption
radio-a wep key-type < alpha| hex>
Sets type of WEP key for encryption
radio-a wpa cipher < aes| auto| tkip>
Sets the cipher type system used by the WPA to either AES, AUTO, or TKIP
 
radio-a wpa interval < uvalue>
Sets the length of time between re-keying the WPA key
radio-a wpa psk < string>
Sets WiFi Protected Access Pre-shared key passphrase
[ no] radio-g enable
Enables or disables 802.11g radio band wireless connections
[ no] radio-g acl enable
Enables or disables the Access Control List
radio-g acl allow < string>
Adds a specific MAC address to the Access Control List (ACL) to allow 802.11g radio band wireless connections to a SonicPoint
radio-g acl deny < string>
Adds a specific MAC address to the denied Access Control List, preventing 802.11g radio band wireless connections to a SonicPoint
radio-g acl mode < deny| allow| disabled| enabled>
Sets Access Control List enforcement
radio-g acl object-handle < string>
Sets 802.11g radio ACL to allow list object handle
radio-g antenna-diversity < one| two| both>
Sets which antenna the SonicPoint uses to send and receive data
radio-g authtype < both| open| psk| shared>
Sets the method type for authentication
 
radio-g beacon-interval < uvalue>
Sets the interval (in milliseconds) between broadcasts of the wireless beacon
radio-g channel < uvalue>
Sets the channel the radio will operate on
radio-g datarate < b1| b11| b2| b5| best| g1| g11| g12| g18| g2| g24| g36| g48| g5| g54| g6| g9| super108| super12| super18| super24| super36| super48| super72| super96>
Sets the data rate at which data is transmitted and received
radio-g dtim < uvalue>
Sets 802.11g radio DTIM, which is the numbers of beacon frames that must occur before the radio sends buffered multicast frames
radio-g frag-thresh < uvalue>
Sets the number of bytes of frag ­ mented data for the SonicPoint to allow
[ no] radio-g g-only
Allows only 802.11g clients to connect
[ no] radio-g hide-ssid
Sets SSID to be broadcast as part of the wireless beacon, rather than as a separate broadcast
radio-g maxclients < uvalue>
Sets maximum number of clients that can the SonicPoint can support at one time
 
radio-g ofdm-power < uvalue>
Sets the difference in radio transmit power allowed between 802.11g and 802.11b modes
[ no] radio-g preamble-long
Sets the length of the initial wireless communication when associating with the host
radio-g protection mode < always| none>
Sets the protection mode; None is the default
radio-g protection rate < 1| 2| 5| 11>
Sets the speed for CTS or RTS protection
radio-g protection type < cts-only| rts-cts>
Sets the protection type
radio-g radio-mode < b| g| super-g>
Sets radio mode. If super-g is selected, all clients must use access cards that support this mode
radio-g rts-thresh < uvalue>
Sets the RTS threshold in bytes
 
radio-g ssid < string>
Sets Service Set Identifier identifying a particular SonicPoint
radio-g sched-onoff < string>
Sets the on/off schedule string for 802.11g radio
radio-g sched-scan < string>
Sets a convenient time to schedule an Intrusion Detection Scan (IDS)
[ no] radio-g short-slot
Allows clients to disassociate and re-associate more quickly
radio-g txpower < eighth| full| half| minimum| quarter>
Sets Transmit Power Control strength
radius1 address < ip address>
Sets the IP address location of the RADIUS authentication server
radius1 port < port>
Sets the port for authentication through the RADIUS server
radius1 secret < string>
Sets the secret passcode for the RADIUS authentication server
radius2 address <ip address >
Sets the IP address for the backup RADIUS authentication server
radius 2 port < port>
Sets the port for authentication through the backup RADIUS server
radius2 secret < string>
Sets the secret passcode for the backup RADIUS authentication server
SSH SUB-COMMANDS
 
 
ssh enable <interface>
Enables SSH management for the specified interface
ssh genkey
Creates a new key to use with SSH
ssh port <port>
Assigns the SSH port or resets to the default port
ssh restore
Restores SSH management settings to defaults
ssh terminate
Stops all SSH sessions, disables all SSH management, and resets the port
SSL VPN SUB-COMMANDS
 
 
sslvpn client
Configures or modifies SSL VPN client settings
sslvpn portal
Configures or modifies SSL VPN portal settings
sslvpn settings
Configures or modifies SSL VPN settings
TIMEOUT SUB-COMMAND
 
 
timeout < minutes>
Sets login timeout in minutes
VPN SUB-COMMANDS
 
 
[ no] vpn < enable| disable> < policy name>
Enables or disables VPN for a specific policy
[ no] vpn policy < policy-name> [ preshared| manual| cert]
Enables or disables a specific VPN policy
VPN SUB-COMMANDS (PRE-SHARED SECRET)
 
 
abort
Exits to top-level menu and cancels changes where needed
[ no] advanced apply-nat < local| remote> < trans­lated address object>
Enable or disable translation of the local and/or remote networks communicating with this VPN tunnel
[ no] advanced auto-add-rule
Enables or disables the auto-add access rule
advanced bound-to interface <interface>
Binds VPN policy to specific interface
advanced bound-to zone <zone>
Binds VPN policy to a specific zone
[ no] advanced default-lan-gw <ip address>
Sets the default LAN domain gateway for VPN tunnel traffic
[ no] advanced keepalive
Enables or disables heartbeat messages between peers on this VPN tunnel
[ no] advanced management http
Enables or disables HTTP as the management method security association
[ no] advanced management https
Enables or disables HTTPS as the management method security association
 
[ no] advanced multicast
Enables IP multicasting traffic to pass through the VPN tunnel
[ no] advanced netbios
Enables or disables Windows Networking (NetBIOS) Broadcast
[ no] advanced use-xauth < group-name>
Configures or removes the specified user group for XAUTH users
[ no] advanced user-login http
Enables or disables required user login through HTTP
[ no] advanced user-login https
Enables or disables required user login through HTTPS
cancel
Cancel from menu without applying changes
end
Exits VPN configuration mode
exit
Exits menu and applies changes
finished
Exits to top-level and applies changes where needed
gw domain-name < domain name>
Sets the primary gateway domain name
gw ip-address < ip address>
Sets the primary gateway IP address
id local < domain-name| email address| ip-address| sonicwall-id> < our id>
Sets the name and IP address of the local connection
id remote < domain name| email address| ip-address| sonicwall-id> < their id>
Sets the name and IP address of the remote connection
info
Displays information on a specific VPN policy
network local < address-object> < address object string>| any| dhcp>
Sets a local network for the VPN tunnel, or configures the network to obtain IP addresses using DHCP
network remote < address- object< address object string>| any| dhcp>
Sets a specific VPN tunnel as the default route for all incoming Internet traffic
pre-shared-secret < string>
Established specified preshared secret
proposal ike [< main| aggres­sive| ikev2>] [ encr < des| triple-des| aes-128| aes-192| aes-256>] [ auth < md5| sha1>] [ dh < 1| 2| 5>] [ lifetime < seconds>]
Sets the desired IKE encryption suite configurations for VPN tunnel traffic
 
proposal ipsec [< esp| ah>] [ encr < des| triple-des| aes-128| aes-192| aes-256>] [ auth < md5| sha1>] [ dh < 1| 2| 5>] [ lifetime < seconds>]
Sets encryption settings for IPSec pro ­ posal
sec-gw domain-name < domain name>
Sets the secondary gateway domain name
sec-gw ip-address < ip address>
Sets the secondary gateway’s IP address
VPN SUB-COMMANDS (MANUAL KEY)
 
 
abort
Exits to top-level menu and cancels changes where needed
[ no] advanced apply-nat < local| remote> < trans­lated address object>
Enable or disable translation of the local and/or remote networks communicating with this VPN tunnel
[ no] advanced auto-add-rule
Enables or disables the auto-add access rule
advanced bound-to interface <interface>
Binds VPN policy to specific interface
advanced bound-to zone <zone>
Binds VPN policy to a specific zone
[ no] advanced keepalive
Enables or disables heartbeat messages between peers on this VPN tunnel
[ no] advanced management http
Enables or disables HTTP as the management method security association
[ no] advanced managment https
Enables or disables HTTPS as the management method security association
[ no] advanced multicast
Enables IP multicasting traffic to pass through the VPN tunnel
[ no] advanced netbios
Enables or disables Windows Networking (NetBIOS) Broadcast
[ no] advanced use-xauth < group name>
Configures or removes the specified user group for XAUTH users
[ no] advanced user-login http
Enables or disables required user login through HTTP
[ no] advanced user-login https
Enables or disables required user login through HTTPS
cancel
Cancel from menu without applying changes
end
Exits configuration mode
exit
Exits menu and applies changes
finished
Exits to top-level and applies changes where needed
gw domain-name < domain name>
Sets the primary gateway domain name
gw ip-address < ip address>
Sets the primary gateway IP address
info
Displays information on a specific VPN policy
network local <address object < address object string> | any>
Sets a local network for the VPN tunnel, or configures the network to obtain IP addresses using DHCP
network remote < address object < address object string> | any>
Sets a specific VPN tunnel as the default route for all incoming Internet traffic
 
proposal ipsec [< esp| ah>] [ encr < des| triple-des| aes-128| aes-192| aes-256>] [ auth < md5| sha1>] [ dh < 1| 2| 5>] [ lifetime < seconds>]
Sets encryption settings for IPSec proposal
sa [ in-spi < Incoming SPI>] [ out-spi < Outgoing SPI>] [ encr-key < Encryp­tion Key>] [ auth-key < Authentication Key>]
Sets hexidecimal incoming and outgoing Security Parameter Index (SPI) to allow the SonicWALL to uniquely identify all security associations
VPN SUB-COMMANDS (3rd PARTY CERTIFICATE)
 
abort
Exits to top-level menu and cancels changes where needed
[ no] advanced apply-nat
Enable or disable translation of the local and/or remote networks communicating with this VPN tunnel
[ no] advanced auto-add-rule
Enables or disables the auto-add access rule
advanced bound-to inter ­ face < interface>
Binds VPN policy to specific interface
advanced bound-to zone < zone>
Binds VPN policy to a specific zone
[no ] advanced default-lan-gw < ip address>
Sets the default LAN gateway for VPN tunnel traffic
[ no] advanced keepalive
Enables or disables heartbeat messages between peers on this VPN tunnel
[ no] advanced management http
Enables or disables HTTP as the management method security association
[ no] advanced managment https
Enables or disables HTTPS as the management method security association
[ no] advanced multicast
Enables IP multicasting traffic to pass through the VPN tunnel
[ no] advanced netbios
Enables or disables Windows Networking (NetBIOS) Broadcast
[ no] advanced ocsp < url>
Enables use of Online Certificate Status Protocol (OCSP) to check VPN certificate status and specifies the URL where to check the certificate status
[ no] advanced use-xauth < group name>
Configures or removes the specified user group for XAUTH users
[ no] advanced user-login http
Enables or disables required user login through HTTP
[ no] advanced user-login https
Enables or disables required user login through HTTPS
cancel
Cancel from menu without applying changes
 
cert < certname>
Selects a certificate for the SonicWALL
end
Exits configuration mode
exit
Exits menu and applies changes
finished
Exits to top-level and applies changes where needed
gw domain-name < domain name>
Sets the primary gateway domain name
gw ip-address < ip address>
Sets the primary gateway IP address
id remote < domain name | email address | distin­guished name> < peer-id>
Sets peer IKE ID type
info
Displays information on a specific VPN policy
network local < address object < address object string> | any>
Sets a local network for the VPN tunnel, or configures the network to obtain IP addresses using DHCP
network remote < address object < address object string> | any>
Sets a specific VPN tunnel as the default route for all incoming Internet traffic
proposal ike [< main| aggres­sive| ikev2>] [encr < des| triple-des| aes-128| aes-192| aes-256>] [ auth < md5| sha1>] [ dh < 1| 2| 5>] [ lifetime < seconds>]
Sets the desired IKE encryption suite configurations for VPN tunnel traffic
proposal ipsec [< esp| ah>] [ encr < des| triple-des| aes-128| aes-192| aes-256>] [ auth < md5| sha1>] [ dh < 1| 2| 5>] [ lifetime < seconds>]
Sets encryption settings for IPSec proposal
sec-gw domain-name < domain name>
Sets the secondary gateway domain name
sec-gw ip-address < ip address>
Sets the secondary gateway’s IP address
SSL VPN CLIENT SUB-COMMANDS
 
 
abort
Exits to top-level menu without applying changes
address < start ip address> < end ip address> < interface>
Sets the global IP address pool from which NetExtender clients are assigned an IP address
[ no] auto-update
Enables/Disables auto-update which assists users in updating their NetEx ­ tender client when a newer version is required to establish a connection
cache-username-password < username-only | pass­word-username | prohibit>
Sets the user name and password cache policy used for the NetExtender client
cancel
Exits from menu without applying changes
[ no] client-communicate
Enables/Disables traffic between hosts connecting to server with NetExtender
[ no] create-connection-profile
Enables/Disables NetExtender client’s ability to create a connection profiles
dns-domain < DNS domain name>
Sets the DNS domain which is the NetExtender client DNS-specific suffix
dns1 < ip address>
Sets the primary DNS server IP address to be used by all NetExtender clients
dns2 < ip address>
Sets the secondary DNS server IP address to be used by all NetExtender clients
end
Exits SSL VPN configuration mode
exit
Exits menu and applies changes
[ no] exit-after-discon­nect
Enables/Disables the forcing of a NetExtender client to exit after disconnecting from the server
finished
Exits to top-level and applies changes where needed
help
Displays available sub-commands for SSL VPN client configuration
info
Displays SSL VPN client settings
no
Inverts sense of a command
show
Invokes show commands
sslvpn-access < LAN| WAN| DMZ| WLAN>
Enables SSL VPN access on specified zone
[ no] uninstall-after-exit
Enables/Disables automatic uninstall of NetExtender clients after exit
user-domain < user domain name>
Sets the user domain to which all SSL VPN users belong
wins1 < ip address>
Sets the primary WINS server IP address
wins2 < ip address>
Sets the secondary WINS server IP address
SSL VPN PORTAL SUB-COMMANDS
 
 
abort
Exits to top-level menu without applying changes
[ no] auto-launch
Enables/Disables automatic launch of NetExtender after a user logs into the portal
banner-title < portal banner title name>
Sets the portal banner title that displays next to the logo on the portal home page
[ no] cache-control
Enables/Disables the use of some HTML META tags to tell browser to cache UI files in portal pages
cancel
Exits the menu without applying changes
custom logo < url>
Sets a customized logo to be used on the portal page. The URL entered must be valid and reachable by the unit.
[ no] default-logo
Enables/Disables the use of the default SonicWALL logo on the portal page
[ no] display-cert
Enables/Disables the display of the button to import the SSL VPN server certificate
end
Exits SSL VPN portal configuration
exit
Exits menu and applies changes
finished
Exits to top-level menu and applies changes
help
Displays available subcommands for SSL VPN portal settings
info
Displays current SSL VPN portal settings
no
Inverts sense of a command
show
Invokes show commands
site-title < portal site title name>
Sets the portal HTML page title that displays in the browser window’s title
SSL VPN ROUTE SUB-COMMANDS
 
 
abort
Exits to top-level menu without applying changes
add-routes < address object name>
Adds an address object as a client route entry
cancel
Exits from menu without applying changes
delete-routes < address object name>
Deletes specified SSL VPN client route entry, identified as an address object
end
Exits SSL VPN client routes configura ­ tion mode
exit
Exits menu and applies changes
finished
Exits to top-level menu and applies changes
help
Displays available subcommands for SSL VPN client routes settings
info
Displays current SSL VPN client routes settings
no
Inverts sense of a command
show
Invokes show commands
[ no] tunnel-all
Enables/Disables tunnel all mode which configures the NetExtender client to tunnel all traffic over the SSL VPN connection
WEB MANAGEMENT SUB-COMMANDS
 
 
[ no] web-management otp enable
Configures one-time password for VPN user access to the appliance
Table 8
LAN Interface Configuration

 

Command
 
Description
interface < x0 | x1 | x2 | x3 | x4 | x5 > [< lan | wan | dmz >]
Assigns zone and enters the configura ­ tion mode for the interface
 
auto
Sets the interface to auto negotiate
comment < string >
Adds comment as part of the port con ­ figuration
duplex < full | half >
Sets the interface duplex speed
end
Exits the configuration mode
finished
Exits configuration mode to the top menu
help < command >
Displays the command and description
[no] https-redirect enable
Enables or disables https redirect on the interface
info
Displays information about the inter ­ face
show interface all
Displays the configuration of all interfaces
[no] management <http|https|ping|snmmp|ss h> enable
Enables or disables specified manage ­ ment protocol on the interface
[no] user-login <http|https>
Configures user-login protocol for the interface
LAN MODE
Enters the LAN configuration mode
< lan >
end
Exits configuration mode
finished
Exits configuration mode to top menu level
help < command >
Displays the command and description
info
Displays information about the inter ­ face
ip < IP Address > netmask <mask>
Sets the IP address for the interface
name < interface name >
Sets the name for the interface
speed < 10 | 100 >
Sets the interface speed
Table 9
WAN Interface Configuration

 

Command
 
Description
< wan >
auto
Sets the interface to auto-negotiate
bandwidth-management enable
Enables bandwidth management
bandwidth-management size < uvalue >
Sets the bandwidth management size
comment < string >
Adds comment as part of the port con ­ figuration
duplex < full | half >
Sets the interface duplex speed
end
Exits the configuration mode
finished
Exits configuration mode to the top menu
fragment-packets
Enables/disables fragmentation of packets larger than the interface MTU
ignore-df-bit
Enables/disables ignoring the don’t fragment bit
help < command >
Displays the command and description
[ no] https-redirect enable
Enables or disables https redirect on the interface
info
Displays information about the inter ­ face
[ no] management < http| https| ping| snmmp| ssh> enable
Enables or disables specified manage ­ ment protocol on the interface
[ no] user-login < http| https>
Configures user-login protocol for the interface
mode < static | dhcp | pptp | l2tp | pppoe >
Sets the mode for the WAN interface and enters the mode configuration
Mode Static WAN Interface Configuration
 
 
[ no ] dns < IP Address >
Enters or removes IP address of DNS servers
end
Exits configuration mode
finished
Exits configuration mode to top menu
gateway < IP Address >
Sets or removes default gateway for the interface
help < command >
Displays help for given command
info
Displays IP information about the inter ­ face
[ no ] ip < IP Address >
Sets the IP address for the interface
Mode DHCP WAN Interface Configuration
 
 
end
Exits configuration mode
finished
Exits configuration mode to top menu
help < command >
Displays help for given command
info
Displays IP information about the inter ­ face
[ no ] hostname < string >
Sets the hostname for the interface
release
Releases IP address information
renew
Renews IP address information
Mode PPTP WAN Interface Configuration
 
 
[ no ] dynamic
Sets the SonicWALL to obtain the IP address dynamically
end
Exits configuration mode
finished
Exits configuration mode to top menu
help < command >
Displays help for given command
[ no ] hostname < string >
Clears/Sets PPTP hostname
[ no ] inactivity
Enables/disables the PPTP inactivity timer
timeout < uvalue >
Sets/Clears the PPTP inactivity timeout
info
Displays IP information about the inter ­ face
[ no ] ip < IP Address >
Sets/Clears the IP address for the interface
[ no ] password < quoted string >
Sets/Clears the PPTP password
[ no ] server ip <IP Address >
Sest/Clears the PPTP server IP address
start
 
stop
 
[ no ] username < string >
Sets/Clears the PPTP username
L2TP WAN Configura ­ tion Mode
 
 
[ no ] dynamic
Sets the SonicWALL to obtain the IP address dynamically
end
Exits configuration mode
finished
Exits configuration mode to top menu
help < command >
Displays help for given command
[ no ] hostname < string >
Clears/Sets L2TP hostname
[ no ] inactivity
Enables/disables the L2TP inactivity timer
timeout < uvalue >
Sets/Clears the L2TP inactivity timeout
 
info
Displays IP information about the inter ­ face
[ no ] ip < IP Address>
Sets/Clears the IP address for the interface
[ no ] password < quoted string >
Sets/Clears the L2TP password
[ no ] server ip < IP Address >
Sets/Clears the L2TP server IP address
start
 
stop
 
[ no ] username < string >
Sets/Clears the L2TP username
mtu < uvalue >
Sets the MTU of the interface
name < interface name >
Sets the name for the interface
speed < 10 | 100 >
Sets the interface speed
Other Interface Configuration
 
 
auto
Sets the interface to autonegotiate
comment < string >
Adds a comment as part of the force configuration
duplex < full | half >
Sets the interface duplex speed
end
Exits configuration mode
finished
Exits configuration mode to top menu
help < command >
Displays help for given command
info
Displays IP information about the inter ­ face
name < interface name >
Sets the name for the interface
speed < 10 | 100 >
Sets the interface to autonegotiate
[no] log categories [ all ]
Assigns/clears logging categories
Log Category Information
 
 
[ no ] all
Assigns/clears all logging categories
[ no ] attack
Assigns/clears attack logging category
[ no ] blocked-code
Assigns/clears blocked code logging category
[ no ] blocked-sites
Assigns/clears blocked sites logging category
[no ] connection
Assigns/clears connection logging cat ­ egory
[ no ] conn-traffic
Assigns/clears conn traffic logging cat ­ egory
[ no ] debug
Assigns/clears debug logging category
end
Exits configuration mode
finished
Exits configuration mode to top menu
help < command >
Displays help for given command
[ no ] icmp
Assigns/clears ICMP logging category
 
info
Displays IP information about the inter ­ face
[no ] lan-icmp
Assigns/clears LAN-ICMP logging cat ­ egory
[ no ] lan-tcp
Assigns/clears LAN-TCP logging cate ­ gory
[ no ] lan-udp
Assigns/clears LAN-UDP logging cate ­ gory
[ no ] maintenance
Assigns/clears maintenance logging category
[ no ] mgmt-80211b
Assigns/clears 80211b management logging category
[ no ] modem-debug
Assigns/clears modem debugging log ­ ging category
[ no ] sys-env
Assigns/clears sys env logging cate ­ gory
[ no ] sys-err
Assigns/clears sys error logging cate ­ gory
[ no ] tcp
Assigns/clears TCP logging category
[ no ] udp
Assigns/clears UDP logging category
[ no ] user-activity
Assign/clear user-activity logging cate ­ gory
[ no ] vpn-stat
Assigns/clears vpn-stat logging cate ­ gory
[ no ] vpn-tunnel-status
Assigns/clears vpn tunnel status log ­ ging category
[ no ] log filter-time <uvalue>
Assigns/clears log filter time
log ordering <choices> [ invert ]
Assign/clear ordering method when displaying log entries
name < string>
Sets/clears the firewall name
[ no ] route default < IP address >
Assigns clear default route
[ no ] route < Destination > < Netmask > < Gateway > [ metric < route metric >]
Assigns clear static routes
[ no ] web-management http enable < x0 | x1 | x2 | x3 | x4 | x5 >
Enables/disables HTTP web manage ­ ment
web-management http port < tcp port or 'default' >
Assigns the HTTP web management port or reset to default
[ no ] web-management https enable < x0 | x1 | x2 | x3 | x4 | x5 >
Enables/disables HTTPS web man ­ agement
web-management https port < tcp port or 'default' >
Assigns the HTTPS web management port or resets to default
web-management restore
Restores default web-management port and interface assignments
zone <wan|lan|dms>
Enters the zone configuration menu
 
end
Exits configuration mode
finished
Exits configuration mode to top menu
[ no ] intrazone-communica ­ tions
Enables/disables intra-zone communi ­ cations
auto
Sets the interface to autonegotiate
bandwidth-management enable
Enables bandwidth management
bandwidth-management size < uvalue >
Sets the bandwidth management size
comment < string >
Adds comment as part of the port con ­ figuration
duplex < full | half >
Sets the interface duplex speed
end
Exit the configuration mode
finished
Exit configuration mode to the top menu
fragment-packets
Enable/disable fragmentation of pack ­ ets larger than the interface MTU
ignore-df-bit
Enable/disable ignoring the don’t frag ­ ment bit
show zone all
Displays the configuration of all zones
[ no] sslvpn-access
Configures SSL VPN access on the zone
< guest services>
SUB-COMMANDS
 
 
abort
Exits to top-level menu and cancels changes where needed
bypass antivirus
Configures the zone’s bypass settings for anti-virus
bypass auth <string|iden ­ tifier
Configures the zone’s bypass authentication based on string or identifier input
custom enable
Enables custom authentication page settings
custom footer-text <string|identifier
Configures custom footer text for the authentication page
custom footer-type <text|url>
Configures custom footer text font for the authentication page
custom header-text <string|identifier>
Configures custom header text for the authentication page
custom header-type <text|url>
Configures custom header text font for the authentication page
deny <string|identifier>
Configures deny settings for access to the zone
enable
Enables WGS
end
Exits upon configuring WGS settings
exit
Exits menu and applies changes
finished
Exits to top-level menu and applies changes where needed
help
Displays help commands for this menu
info
Displays current WGS configuration state
maxguests <value>
Sets maximum guest limit for the zone at specified value
no
Inverts sense of a command
pass <string|identifier>
Allows traffic through zone from the specified network
post enable
Enables guests to be directed to a landing page post-authentication
post url <string|identi ­ fier>
Configures which URL guests are directed to after authentication
show
Invoke show commands
smtp-redirect <string|identifier>
Configures SMTP redirect settings for the zone

Configuring Site-to-Site VPN Using CLI

This section describes how to create a VPN policy using the Command Line Interface. The examples used are a SonicWALL TZ 170 appliance with SonicOS Enhanced 3.2 firmware. You can configure all of the parameters using the CLI, and enable the VPN without using the Web management interface.

Note
In this example, the VPN policy on the other end has already been created.

CLI Access

1.
Use a DB9 to RJ45 connector to connect the serial port of your PC to the console port of your TZ 170.
2.
Using a terminal emulator program, such as TerraTerm, use the following parameters:
115,200 baud (9600 for TZ 170)
8 bits
No parity
1 stop bit
No flow control
3.
You may need to hit return two to three times to get to a command prompt, which will look similar to the following:

TZ170>

If you have used any other CLI, such as Unix shell or Cisco IOS, this process should be relatively easy and similar. It has auto-complete so you do not have to type in the entire command.

4.
When a you need to make a configuration change, you should be in configure mode. To enter configure mode, type configure.

TZ170 > configure

(config[TZ170])>

The command prompt changes and adds the word config to distinguish it from the normal mode. Now you can configure all the settings, enable and disable the VPNs, and configure the firewall.

Configuration

In this example, a site-to-site VPN is configured between two TZ 170 appliance, with the following settings:

Local TZ 170 (home):
WAN IP: 10.50.31.150
LAN subnet: 192.168.61.0
Mask 255.255.255.0

Remote TZ 170 (office):
WAN IP: 10.50.31.104
LAN subnet: 192.168.15.0
Mask: 255.255.255.0

Authentication Method: IKE using a Pre-Shared Key
Phase 1 Exchange: Main Mode
Phase 1 Encryption: 3DES
Phase 1 Authentication SHA1
Phase 1 DH group: 2
Phase 1 Lifetime: 28800
Phase 2 Protocol: ESP
Phase 2 Encryption: 3DES
Phase 2 Authentication: SHA1
Phase 2 Lifetime: 28800
No PFS

1.
In configure mode, create an address object for the remote network, specifying the name , zone assignment , type , and address . In this example, we use the name OfficeLAN :

(config[TZ170]> address-object Office LAN
(config-address-object[OfficeLAN])>

Note
The prompt has changed to indicate the configuration mode for the address object.

(config-address-object[OfficeLAN])> zone VPN
(config-address-object[OfficeLAN])> network 192.168.15.0 255.255.255.0
(config-address-object[OfficeLAN])> finished

2.
To display the address object, type the command show address-object [name] :

TZ170 > show address-object OfficeLAN

The output will be similar to the following:

address-object OfficeLAN
network 192.168.15.0 255.255.255.0
zone VPN

3.
To create the VPN policy, type the command vpn policy [name] [authentication method]:

(config[TZ170])> vpn policy OfficeVPN pre-shared
(config-vpn[OfficeVPN])>

Note
The prompt has changed to indicate the configuration mode for the VPN policy. All the settings regarding this VPN will be entered here.
4.
Configure the Pre-Shared Key. In this example, the Pre-Shared Key is sonicwall:

(config-vpn[OfficeVPN])> pre-shared-secret sonicwall

5.
Configure the IPSec gateway:

(config-vpn[OfficeVPN])> gw ip-address 10.50.31.104

6.
Define the local and the remote networks:

(config-vpn[OfficeVPN])> network local address-object "LAN Primary Subnet"
(config-vpn[OfficeVPN])> network remote address-object "OfficeLAN"

7.
Configure the IKE and IPSec proposals:

(config-vpn[OfficeVPN])> proposal ike main encr triple-des auth sha1 dh 2 lifetime 28800
(config-vpn[OfficeVPN])> proposal ipsec esp encr triple-des auth sha1 dh no lifetime 28800

8.
In the Advanced tab in the UI configuration, enable keepalive on the VPN policy:

(config-vpn[OfficeVPN])> advanced keepalive

9.
To enable the VPN policy, use the command vpn enable “name” :

(config[TZ170])> vpn enable "OfficeVPN"

10.
Use the finished command to save the VPN policy and exit from the VPN configure mode:

(config-vpn[OfficeVPN])> finished
(config[TZ170])>

The configuration is complete.

Note
The command prompt goes back to the configure mode prompt.

Viewing VPN Configuration

Use the following steps to configure the VPN policies.

1.
To view a list of all the configured VPN policies, type the command show vpn policy. The output will be similar to the following:

(config[TZ170])> show vpn policy

Policy: WAN GroupVPN (Disabled)
Key Mode: Pre-shared
Pre Shared Secret: DE65AD2228EED75A

Proposals:
IKE: Aggressive Mode, 3DES SHA, DH Group 2, 28800 seconds
IPSEC: ESP, 3DES SHA, No PFS, 28800 seconds

Advanced:
Allow NetBIOS OFF, Allow Multicast OFF
Management: HTTP OFF, HTTPS OFF
Lan Default GW: 0.0.0.0
Require XAUTH: ON, User Group: Trusted Users

Client:
Cache XAUTH Settings: Never
Virtual Adapter Settings: None
Allow Connections To: Split Tunnels
Set Default Route OFF, Apply VPN Access Control List OFF
Require GSC OFF
Use Default Key OFF

Policy: OfficeVPN (Enabled)
Key Mode: Pre-shared
Primary GW: 10.50.31.104
Secondary GW: 0.0.0.0
Pre Shared Secret: sonicwall

IKE ID:
Local: IP Address
Peer: IP Address

Network:
Local: LAN Primary Subnet
Remote: OfficeLAN

Proposals:
IKE: Main Mode, 3DES SHA, DH Group 2, 28800 seconds
IPSEC: ESP, 3DES SHA, No PFS, 28800 seconds

Advanced:
Keepalive ON, Add Auto-Rule ON, Allow NetBIOS OFF
Allow Multicast OFF
Management: HTTP ON, HTTPS ON
User Login: HTTP ON, HTTPS ON
Lan Default GW: 0.0.0.0
Require XAUTH: OFF
Bound To: Zone WAN

2.
To view the configuration for a specific policy, specify the policy name in double quotes. For example:

(config[TZ170])> show vpn policy "OfficeVPN"

The output will be similar to the following:

Policy: OfficeVPN (Enabled)
Key Mode: Pre-shared
Primary GW: 10.50.31.104
Secondary GW: 0.0.0.0
Pre Shared Secret: sonicwall

IKE ID:
Local: IP Address
Peer: IP Address

Network:
Local: LAN Primary Subnet
Remote: OfficeLAN

Proposals:
IKE: Main Mode, 3DES SHA, DH Group 2, 28800 seconds
IPSEC: ESP, 3DES SHA, No PFS, 28800 seconds

Advanced:
Keepalive ON, Add Auto-Rule ON, Allow NetBIOS OFF
Allow Multicast OFF
Management: HTTP ON, HTTPS ON
User Login: HTTP ON, HTTPS ON
Lan Default GW: 0.0.0.0
Require XAUTH: OFF
Bound To: Zone WAN

3. Type the command show vpn sa “name” to see the active SA:

(config[TZ170])> show vpn sa "OfficeVPN"

Policy: OfficeVPN
IKE SAs

GW: 10.50.31.150:500 --> 10.50.31.104:500
Main Mode, 3DES SHA, DH Group 2, Responder
Cookie: 0x0ac298b6328a670b (I), 0x28d5eec544c63690 (R)
Lifetime: 28800 seconds (28783 seconds remaining)

IPsec SAs

GW: 10.50.31.150:500 --> 10.50.31.104:500
(192.168.61.0 - 192.168.61.255) --> (192.168.15.0 - 192.168.15.255)
ESP, 3DES SHA, In SPI 0xed63174f, Out SPI 0x5092a0b2
Lifetime: 28800 seconds (28783 seconds remaining)

SonicWALL NetExtender Windows Client CLI Commands

The following section includes commands for the NetExtender Windows Client CLI (NEClient.exe):

Usage: NECLI [OPTIONS]

connect [OPTIONS]

-s server
-u user name
-p password
-d domain name
-clientcertificatethumb thumb(when server need client
certificate)
-clientcertificatename name(when server need client
certificate)

disconnect
createprofile [OPTIONS]

-s server
-u user name(optional)
-p password(optional)
-d domain name

displayprofile [OPTIONS]

-s server(optional)
-d domain(optional)
-u username(optional)

deleteprofile [OPTIONS]

-s server
-d domain
-u username

showstatus
setproxy [OPTIONS]

-t 1 automatic detect setting; 2 configuration script; 3 proxy server
-s proxy address/URL of automatic configuration script
-o port
-u user name
-p password
-b bypass proxy
-save
queryproxy
reconnect
viewlog
-profile

servername: connect to server directly when password has been saved

Example:

NECLI -version

NECLI connect -s 10.103.62.208 -d LocalDomain -u admin -p
password

NECLI connect -s 10.103.62.208 -d LocalDomain -u admin -p
password - clientcertificatethumb
cf3d20378ba7f2d9a79c536e230a2495d4a46734

NECLI connect -s 10.103.62.208 -d LocalDomain -u admin -p
password - clientcertificatename "Admin"

NECLI disconnect

NECLI createprofile -s 10.103.62.208 -d LocalDomain -u admin

NECLI displayprofile -s 10.103.62.208

NECLI deleteprofile -s 10.103.62.208 -d LocalDomain -u admin

NECLI showstatus

NECLI -t 3 -s 10.103.62.201 -o 808 -u user1 -p password -b
10.103.62.101;10.103.62.102

NECLI queryproxy

NECLI viewlog

NECLI reconnect

NECLI -profile 10.103.62.208

SonicWALL NetExtender MAC and Linux Client CLI Commands

The following section includes the Mac and Linux CLI version, which is similar to the NetExtender Windows Client CLI in the previous section:

Usage: netExtender [OPTIONS] server[:port]

-u user
-p password
-d domain
-t timeout Login timeout in seconds, default is 30 sec.
-e encryption Encryption cipher to use. To see list use -e -h.
-m Use this option to not add remote routes.
-r filename Generate a diagnostic report.
-v Display NetExtender version information.
-h Display this usage information.

server: Specify the server either in FQDN or IP address.
The default port for server is 443 if not specified.

Example:

netExtender -u u1 -p p1 -d LocalDomain sslvpn.company.com
[root@linux]# netExtender -u demo sslvpn.demo.sonicwall.com
SUSE/Ubuntu compatibility mode off

User Access Authentication
Password:
Domain: Active Directory
Connecting to SSL-VPN Server "sslvpn.demo.sonicwall.com:443". . .
Connected.
Logging in...
Login successful.
Using SSL Encryption Cipher 'DHE-RSA-AES256-SHA'
Using new PPP frame encoding mechanism
You now have access to the following 5 remote networks:

192.168.150.0/255.255.255.0

192.168.151.0/255.255.255.0

192.168.152.0/255.255.255.0

192.168.153.0/255.255.255.0

192.168.158.0/255.255.255.0

NetExtender connected successfully. Type "Ctrl-c" to disconnect...
Disconnecting NetExtender...
Terminating pppd.......
SSL-VPN logging out...
SSL-VPN connection is terminated.
Exiting NetExtender client.