CLIguide

Appendix A: CLI Guide

This appendix contains a categorized listing of Command Line Interface (CLI) commands for SonicOS Enhanced firmware. Each command is described, and where appropriate, an example of usage is included.

This appendix contains the following sections:

•

“Text Conventions” section

•

“Editing and Completion Features” section

•

“Command Hierarchy” section

•

“SonicOS Enhanced Command Listing” section

•

“Configuring Site-to-Site VPN Using CLI” section

•

“ADTRAN NetExtender Windows Client CLI Commands” section

•

“ADTRAN NetExtender MAC and Linux Client CLI Commands” section

Input Data Format Specification

The table below describes the data formats acceptable for most commands. H represents one or more hexadecimal digit (0-9 and A-F). D represents one or more decimal digit.

Table 4

Input Data Formats

Data	Data Format
MAC Address	HH:HH:HH:HH:HH:HH
MAC Address	HHHH.HHHH.HHHH
IP Address	D.D.D.D
IP Address	0xHHHHHHHH
Integer Values	D
Integer Values	0xH
Integer Range	D-D

Text Conventions

Bold text indicates a command executed by interacting with the user interface.

Courier bold text indicates commands and text entered using the CLI.

Italic text indicates the first occurrence of a new term, as well as a book title, and also emphasized text. In this command summary, items presented in italics represent user-specified information.

Items within angle brackets (“< >”) are required information.

Items within square brackets (“[ ]”) are optional information.

Items separated by a “pipe” (“|”) are options. You can select any of them.

Note

Though a command string may be displayed on multiple lines in this guide, it must be entered on a single line with no carriage returns except at the end of the complete command.

Editing and Completion Features

You can use individual keys and control-key combinations to assist you with the CLI. The table below describes the key and control-key combination functions.

Table 5

Key Reference

Key(s)	Function
Tab	Completes the current word
?	Displays possible command completions
CTRL+A	Moves cursor to the beginning of the command line
CTRL+B	Moves cursor to the previous character
CTRL+C	Exits the Quick Start Wizard at any time
CTRL+E	Moves cursor to the end of the command line
CTRL+F	Moves cursor to the next character
CTRL+K	Erases characters from the cursor to the end of the line
CTRL+N	Displays the next command in the command history
CTRL+P	Displays the previous command in the com ­ mand history
CTRL+W	Erases the previous word
Left Arrow	Moves cursor to the previous character
Right Arrow	Moves the cursor to the next character
Up Arrow	Displays the previous command in the com ­ mand history
Down Arrow	Displays the next command in the command history

Most configuration commands require completing all fields in the command. For commands with several possible completing commands, the Tab or ? key display all options.

myDevice> show [TAB]

alerts	interface	network	tech-support
arp	log	processes	tsr
content-filter	memory	route	web-management
cpu	messages	security- services	zone
device	nat	status	zones
gms	netstat	system

The Tab key can also be used to finish a command if the command is uniquely identified by user input.

myDevice> show al [TAB]

displays

myDevice> show alerts

Additionally, commands can be abbreviated as long as the partial commands are unique. The following text:

myDevice> sho int inf

is an acceptable abbreviation for

myDevice> show interface info

Command Hierarchy

The CLI configuration manager allows you to control hardware and firmware of the appliance through a discreet mode and submode system. The commands for the appliance fit into the logical hierarchy shown below.

To configure items in a submode, activate the submode by entering a command in the mode above it.

For example, to set the default LAN interface speed or duplex, you must first enter configure , then interface x0 lan . To return to the higher Configuration mode, simply enter end or finished .

Configuration Security

ADTRAN Internet Security appliances allow easy, flexible configuration without compromising the security of their configuration or your network.

Passwords

The ADTRAN CLI currently uses the administrator’s password to obtain access. ADTRAN devices are shipped with a default password of password . Setting passwords is important in order to access the ADTRAN and configure it over a network.

Factory Reset to Defaults

If you are unable to connect to your device over the network, you can use the command restore to reset the device to factory defaults during a serial configuration session.

Management Methods for the firewall

You can configure the ADTRAN appliance using one of three methods:

•

Using a serial connection and the configuration manager

–

An IP address assignment is not necessary for appliance management.

–

A device must be managed while physically connected via a serial cable.

•

Web browser-based User Interface

–

In IP address must have been assigned to the appliance for management or use the default of 192.168.168.168.

Initiating a Management Session using the CLI

Serial Management and IP Address Assignment

Follow the steps below to initiate a management session via a serial connection and set an IP address for the device.

Note

The default terminal settings on the ADTRAN and modules is 80 columns by 25 lines. To ensure the best display and reduce the chance of graphic anomalies, use the same settings with the serial terminal software. The device terminal settings can be changed, if necessary. Use the standard ANSI setting on the serial terminal software.

1.	Attach the included null modem cable to the appliance port marked CONSOLE . Attach the other end of the null modem cable to a serial port on the configuring computer.

2.	Launch any terminal emulation application that communicates with the serial port connected to the appliance. Use these settings:

•

115,200 baud

•

8 data bits

•

no parity

•

1 stop bit

•

no flow control

3.	Press Enter/Return . Initial information is displayed followed by a DEVICE NAME> prompt.

 

Initiating an SSH Management Session via Ethernet

Note

This option works for customers administering a device that does not have a cable for console access to the CLI.

Follow the steps below to initiate an SSH management session through an Ethernet connection from a client to the appliance.

1.	Attach an Ethernet cable to the interface port marked XO . Attach the other end of the Ethernet cable to an Ethernet port on the configuring computer.

2.	Launch any terminal emulation application (such as PuTTY) that communicates via the Ethernet interface connected to the appliance.

3.	Within the emulation application, enter the IP destination address for the appliance and enter 22 as the port number.

4.	Select SSH as the connection type and open a connection.

Logging in to the SonicOS CLI

When the connection is established, log in to the security appliance:

1.	At the User prompt enter the Admin’s username. Only the admin user will be able to login from the CLI. The default Admin username is admin . The default can be changed.

2.	At the Password prompt, enter the Admin’s password. If an invalid or mismatched username or password is entered, the CLI prompt will return to User :, and a “CLI administrator login denied due to bad credentials” error message will be logged. There is no lockout facility on the CLI.

SonicOS Enhanced Command Listing

The following section displays all commands available for the ADTRAN:

•

“Top Level Commands” section

•

“Configure Level Commands” section

•

“LAN Interface Configuration” section

•

“WAN Interface Configuration” section

Table 6

Top Level Commands

Command	Description
backup	Backs-up device firmware settings
baud 9600	Sets system baud rate to 9600
baud 19200	Sets baud rate to 19200
baud 38400	Sets baud rate to 38400
baud 57600	Sets baud rate to 57600
baud 115200	Sets baud rate to 115200
baud save	Saves current baud rate setting
clear cp-stats	Clears CPU statistics
clear hw-stats	Clears hardware statistics
clear log	Clears messages from the logging buffer
clear pp-stats	Clears presentation protocol statistics
clear screen	Clears the console screen, leaving a single prompt line
clear ssh	Terminates a secure shell connection
clear ssh < int | hex >	Terminates a particular secure shell connection, specified by integer or hexidecimal input
clear ssh all	Terminates all incoming and outgoing secure shell connections
cls	Clears the console screen, leaving a single prompt line
configure	Enters the configuration level
exit	Causes exit from a submenu. If issued at the global level, returns to the login prompt
export preferences	Exports a preferences file using Z-modem pro ­ tocol
export preferences ftp	Exports a preferences file using FTP protocol
export trace all	Exports all native trace route provisioning data using Z-modem protocol
export trace all ftp	Exports all native trace route provisioning data using FTP protocol
export trace current	Exports currently running trace route data using Z-modem protocol
export trace current ftp	Exports currently running trace route data using FTP protocol
export trace last	Exports the most recent trace route data using Z-modem protocol
export trace last ftp	Exports the most recent trace route data using FTP protocol
export tsr	Exports TSR using Z-modem protocol
export tsr ftp	Exports TSR using FTP protocol
firmware boot current	Loads and executes current unit firmware
firmware boot current factory	Loads and executes default factory unit hardware
firmware boot uploaded	Runs uploaded firmware on the unit
firmware boot uploaded factory	Runs original factory installed firmware
firmware download current	Downloads currently running unit firmware
firmware download uploaded	Downloads currently uploaded unit firmware
firmware upload	Uploads updated unit firmware
help < command >	Displays the specified command and descrip ­ tion
import configuration	Imports current system configuration from the ADTRAN
import preferences	Imports preferences from the ADTRAN using Z-modem protocol
language-override	Overrides current unit language setting
language-override chinese	Overrides current unit language setting, resets to Chinese
language-override english	Overrides current unit language setting, resets to English
language-override french	Overrides current unit language setting, resets to French
language-override german	Overrides current unit language setting, resets to German
language-override italian	Overrides current unit language setting, resets to Italian
language-override japanese	Overrides current unit language setting, resets to Japanese
language-override spanish	Overrides current unit language setting, resets to Spanish
logout	Logs user out from the console
monitor	Defines, or redefines, a command and displays the output
no	Negates a command or set its defaults
nslookup < dotted-int | hex | ident >	Looks up the IP address of the given domain name from the configurable domain name servers
ping <dotted-int | hex | ident >	Sends ICMP packets to the destination IP address
remote-console	Executes a command without having to login
restart	Restarts the ADTRAN
restore	Restores the factory default settings on the ADTRAN
safemode	Boots OS in safemode to assist in trouble ­ shooting
show access-rules	Displays the configured firewall access rules
show address-group	Displays all defined address groups
show address-group <string | ident>	Displays system address groups specified by particular string or identifier input
show address-object	Displays all defined address objects
show address-object <string | ident>	Displays all defined address objects specified by particular string or identifier input
show alerts	Displays defined alerts
show all	Displays the configuration information from dif ­ ferent modules of the firewall
show arp	Displays currently known Address Resolution Protocol (ARP) entries
show ars all	Displays all Advanced Routing System (ARS) paths
show ars nsm	Displays all ARS paths being managed through Network Status Management (NSM)
show ars ospf	Displays ARS paths using Open Shortest Path First (OSPF) protocol
show ars rip	Displays all ARS paths using Routing Information Protocol (RIP)
show baud	Displays current baud rate
show buf-memzone	Displays current available space in buffer memory zone
show build-info	Displays current OS build information
show continuous core-work	Displays continuous core work resources
show continuous core-work <int| hex>	Displays continuous core work resources specified by particular integer or hexidecimal input
show continuous interface	Displays all currently selected continuous traffic interfaces
show continuous interface <match>	Displays currently selected continuous traffic interface, specified by an indentifier
show continuous system	Displays all continuous system traffic
show continuous system <int | hex>	Displays continuous system traffic specified by a particular integer or hexidecimal input
show core	Display CPU utility for a process
show core <int | hex>	Displays CPU utility for a process specified by an integer or hexidecimal input
show cp-stats	Display all CPU statistics
show cpu	Displays CPU and memory information
show cpu <string | ident>	Displays CPU and memory information, speci ­ fied by a particular string or identifier input
show device	Displays on the console the contents of the status section of the Technical Support Report (TSR)
show firmware	Displays active running unit firmware
show fpa	Displays all file command data
show gms	Displays Global Management System configuration
show ha	Displays current High Availability configuration
show hw-stats	Displays hardware statistics
show interface <match>	Displays interface data specified by a particular identifier input
show interface all	Displays the configuration of all interfaces
show interface info	Displays all interface status information
show interface info <int | hex>	Displays interface status information specified by a particular integer or hexidecimal input
show interface statistics	Displays all interface statistics
show interface statistics <match>	Displays interface statistics specified by a particular indentifier input
show language	Displays current language setting
show log	Displays all logs unit has in its memory
show log-categories	Displays all current unit log categories
show log-filters	Displays all current unit log filter settings
show mem-pools	Displays unit’s current memory pool block allocation
show memory	Displays system memory on the appliance
show memzone	Displays the status of virtual memory zones on the appliance
show messages	Displays all system messages
show multicore	Displays available multicore configuration and utilization status
show nat	Displays currently configured network address translation policies
show netstat	Displays the contents of the netstat table
show network	Displays current network configuration
show pp-stats	Displays all presentation protocol statistics
show processes	Displays information about active SonicOS processes
show processes <string | ident>	Displays SonicOS processes specified by a particular string or indentifier input
show route	Displays the complete routing table
show security-services	Displays the complete status of all security services on the ADTRAN, including license status, licenses available, licenses in use, and license expiration dates
show service	Displays all services associated with the appli ­ ance, along with protocol group and port details
show service-groups	Displays all service groups associated with the appliance, along with protocol group and port details
show service-groups <group-name>	Displays a specified service group associated with the appliance
show service <service-name>	Displays a service associated with the appli ­ ance, based on the specific service name input
show session	Displays current running session information
show ssh	Displays all incoming and outgoing secure shell connections to the unit
show sslvpn all	Displays all current SSL-VPN data connected to the unit
show sslvpn clientRoutes	Displays all client routes associated with current SSL-VPN connections to the unit shown on the client routes GUI page
show sslvpn clientRoutes <string | ident>	Displays client routes associated with current SSL-VPN connections to the unit, specified by the particular string or indentifier input
show sslvpn client Settings	Displays all current client settings associated with SSL-VPN connections to the unit shown on the client settings GUI page
show sslvpn connections	Displays all current SSL-VPN connections to the unit
show sslvpn portalSettings	Displays all current portal settings for SSL-VPN connections shown on the portal set ­ tings GUI page
show status	Displays current status of the appliance
show syslog	Displays all log activity, including connection sources and IP addresses
show system	Displays the appliance system status and configuration
show tech-support	Displays the contents of the TSR
show timeout	Displays maximum defined idle time duration
show tracelog all	Displays all available trace route data
show tracelog current	Displays currently running trace route data
show tracelog last	Displays most recently run trace route data
show tsr access-rules	Displays all defined access rules within the TSR
show tsr active-utm	Displays Technical Support Report listing active UTM units on the network
show tsr address-objects	Displays TSR of addresses listed within the object database
show tsr all	Displays all available TSR data
show tsr anti-spam	Displays TSR containing all anti-spam activity data
show tsr arp-cache	Displays TSR containing table relating IP addresses to corresponding MAC or physical addresses
show tsr av	Displays TSR data relating to anti-virus activity
show tsr buf-memzone	Displays TSR data relating to buffer memory zones
show tsr bwm-rules	Displays TSR listing currently configured bandwidth management rules
show tsr cache-check	Displays TSR data relating to cache searches
show tsr content-filtering	Displays TSR data relating to content filtering activity
show tsr db-trace	Displays TSR data relating to database trace routes
show tsr dhcp-client	Displays TSR data relating to DHCP client requests
show tsr dhcp-network-disk	Displays TSR data relating to DHCP requests between network and clients
show tsr dhcp-persistence	Displays TSR data relating the firewall’s ability to retain DHCP lease information
show tsr dhcp-relay	Displays TSR data relating to available DHCP relay information
show tsr dhcp-server	Displays TSR data relating to DHCP server connections
show tsr dhcp-server-stat	Displays TSR data relating DHCP server statistics
show tsr diag	Displays TSR data relating to system diagnostics
show tsr dynamic-dns	Displays TSR data relating to dynamic domain name server records
show tsr ethernet	Displays TSR data relating to Ethernet connections and availability
show tsr fdr	Displays TSR data relating to false discovery rate statistics
show tsr gav	Displays TSR data relating to Gateway Anti- virus statistics
show tsr gsc	Displays TSR data relating to Global Security Client statistics
show tsr guest-profile-objects	Displays TSR data relating to guest and profile data objects
show tsr h323	Displays TSR data relating to H.323 packet activity
show tsr ha	Displays TSR data relating to High Availability status
show tsr hypervisor	Displays TSR information relating to hypervisor data on multiple operating systems running on the host computer
show tsr idp	Displays TSR data relating to internet datagram protocol statistics
show tsr interfaces	Displays TSR data for all appliance interfaces
show tsr ip-helper	Displays TSR data relating to IP Helper configuration and settings
show tsr ip-reassembly	Displays TSR data relating to IP reassembly datagram statistics
show tsr ipsec	Displays TSR data relating to internet protocol security statistics
show tsr l2tp-client	Displays TSR data relating to Layer 2 Tunneling Protocol (L2TP) client statistics
show tsr l2tp-server	Displays the L2TP server section of the TSR
show tsr ldap	Displays the LDAP section of the TSR
show tsr license	Displays TSR data relating to appliance licensing info
show tsr log	Displays TSR data section with all log information
show tsr management	Displays TSR listing appliance management policies
show tsr mcast-igmp-config	Displays TSR listing Multicast and IGMP configurations
show tsr memzone	Displays TSR listing appliance memory zone allocations
show tsr mirror-state	Displays TSR data relating to database mirror state statistics
show tsr msn	Displays TSR data relating to the MSN messenger client
show tsr nat-policies	Displays TSR listing appliance’s current network address translation policies
show tsr network	Displays TSR data on current network configuration
show tsr objects	Displays TSR data on appliance’s object database
show tsr pki	Displays TSR data relating to current public key infrastructure certificates
show tsr pppoe-client	Displays TSR data relating to point-to-point- protocol over Ethernet system settings
show tsr pptp-client	Displays TSR data relating to point-to-point tunneling protocol client configuration
show tsr pref-status	Displays TSR listing appliance’s preferences status
show tsr product	Displays TSR data relating to the appliance product
show tsr qos	Displays TSR listing the appliance’s current Quality of Service resource reservations status
show tsr radius	Displays TSR data relating to RADIUS server status
show tsr route-policies	Displays TSR data relating to established system route policies
show tsr rtsp	Displays TSR data relating to Real Time Streaming Protocol statistics
show tsr schedule-objects	Displays TSR data relating to data objects scheduled for execution
show tsr service-objects	Displays the service object table subsection of the TSR
show tsr single-sign-on	Displays TSR data relating to single sign on authentication policies
show tsr sip	Displays TSR data relating to the appliance’s Session Initiation Protocol settings
show tsr snmp	Displays TSR data relating to Simple Network Management Protocol settings
show tsr ssl-control	Displays TSR data relating to Secure Socket Layer control policies
show tsr stateful-stats	Displays TSR data detailing stateful packet inspection statistics
show tsr stateful-sync	Displays TSR data detailing appliance’s stateful synchronization configuration
show tsr status	Displays TSR data relating to current appliance status
show tsr time	Displays TSR data relating to appliance’s time policy configuration
show tsr timers	Displays the timers section of the TSR
show tsr update	Displays updated TSR
show tsr user-objects	Displays TSR data relating to currently defined user objects
show tsr users	Displays TSR data relating to currently configured user profiles
show tsr vx-net-stats	Displays TSR data relating to VX-Net statistics
show tsr wireless (Available on UTM appliances with built in wireless interfaces)	Displays wireless interface section of the TSR
show tsr wlan-zone	Displays TSR data relating to managed wireless local area network zones
show tsr wlb	Displays TSR data relating to WLB platform statistics
show tsr zone-objects	Displays TSR data relating to currently defined zone objects
show vpn policy	Displays Virtual Private Network (VPN) policy configurations
show vpn policy <string | ident>	Displays VPN policies specified by a particular string or identifier input
show vpn sa	Displays current VPN security associations
show vpn sa detail	Displays detailed information on VPN security associations
show vpn sa summary	Displays a data summary on current VPN security associations
show vpn sa ike	Displays VPN security association Internet Key Exchange policies
show vpn sa ike detail	Displays detailed information on VPN security association Internet Key Exchange policies
show vpn sa ike summary	Displays a data summary on VPN security association Internet Key Exchange policies
show vpn sa ipsec	Displays VPN security associations connected with IPSec routing protocols
show vpn sa ipsec detail	Displays detailed information on VPN security associations connected with IPSec routing protocols
show vpn sa ipsec summary	Displays a data summary on VPN security associations connected with IPSec routing protocols
show vpn sa <string>	Displays a particular VPN security association, specified by a particular string input
show vpn sa <string> detail	Displays details on a VPN security association, specified by a particular string input
show vpn sa <string> summary	Displays a data summary on a security association, specified by a particular string input
show vpn sa <string> ike	Displays Internet Key Exchange data for a VPN security association, specified by a particular string input
show vpn sa <string> ike detail	Displays details for Internet Key Exchange data for a VPN security association, specified by a particular string input
show vpn sa <string> ike summary	Displays a summary for Internet Key Exchange data for a VPN security association, specified by a particular string input
show vpn sa <string> ipsec	Displays IPSec data for a VPN security association, specified by a particular string input
show vpn sa <string> ipsec detail	Displays details for IPSec data for a VPN security association, specified by a particular string input
show vpn sa <string> ipsec sum­mary	Displays a summary for IPSec data for a VPN security association, specified by a particular string input
show vpn sa <ident>	Displays VPN security associations, specified by a particular identifier input
show vpn sa <ident> detail	Displays details for a VPN security association, specified by a particular identifier input
show vpn sa <ident> summary	Displays a summary for VPN security associations, specified by a particular indentifier input
show vpn sa <ident> ike	Displays Internet Key Exchange data for a VPN security association, specified by a particular identifier
show vpn sa <ident> ike detail	Displays detailed Internet Key Exchange data for VPN security associations, specified by a particular identified input
show vpn sa <ident> ike summary	Displays a summary on Internet Key Exchange data for VPN security associations, specified by a particular identifier input
show vpn sa <ident> ipsec	Displays IPSec data for VPN security associations, specified by a particular identifier input
show vpn sa <ident> ipsec detail	Displays detailed IPSec data for VPN security associations, specified by a particular identifier input
show vpn sa <ident> ipsec summary	Displays a summary on IPSec data for VPN security associations, specified by a particular identifier input
show web-management	Displays web-management status and configuration data
show zone < lan | wan | dmz | wlan >	Displays all rules for a specified zone. For example, show zone <lan rules> displays all of the rules to and from the LAN zone
show zone all	Displays the configuration of all zones
show zones	Displays configurable zones on the appliance and interfaces associated with each zone
stacktrace	Runs report of the currently active stack frames
stacktrace <string | ident>	Runs report for a specific active set of stack frames, based on the particular string or identifier input
sync-prefs	Synchronizes preferences between appliances
synchronize-licenses	Synchronizes the ADTRAN licensing infor ­ mation with the NetVanta Security Portal account backend
traceroute < dotted-int | hex | ident >	Displays router hops to destination, specified by dotted-integer, hexidecimal, or identifier input

Table 7

Configure Level Commands

 

Command		Description
ACCESS RULES SUB-COMMANNDS
	access-rules <from-zone> <to-zone>	Allows configuration of access rules between one zone and another
< add> commands
	action <allow|deny|dis­card>	Sets the action to allow, deny, or discard an access rule
	advanced	Allows configuration of advanced access rule settings
	[ no] allow-fragments	Allows/Disallows fragmented packets to be transferred
	comment <comments>	Allows administrators to record comments related to this access rule
	destination <address object>	Configures an address object destination for an access rule
	info	Displays current access rule
	[ no] logging	Enables/Disables access rule packet logging
	maxconns <percentage>	Configures maximum number of connections in a pool
	qos dscp <none| preserve|explicit|map> [<arg>]	Sets DSCP packet header markings
	qoa 802.1p <none| preserve|explicit|map> [<arg>]	Sets 802.1p Ethernet packet header markings
	[ no] reflexive	Creates/Removes a reflexive access rule
	schedule <schedule object>	Configures the schedule object for an access rule
	service <service object>	Configures the service object for an access rule
	source <address object>	Configures an address object source for an access rule
	tcptimeout <minutes>	Sets TCP timeout in minutes
	udptimeout <seconds>	Sets UDP timeout in seconds
	user <user object>	Configures the user object for an access rule
	delete <index>	Deletes specified index of access rules
	list [<index>]	Displays one access rule whose index matches the specified value input. If index is not available, all access rules in the current zone to zone context will display
< modify> commands
	< index>	Modifies specific access rules index
	action <allow|deny|dis­card>	Modifies an allow, deny, or discard action relating to a specific access rule
	advanced	Modifies an advanced access rule
	[ no] allow-fragments	Modifies whether fragmented packets are to be transferred
	comment <comments>	Modifies comments related to access rules
	destination <address object>	Modifies the destination address object for a specific access rule
	info	Displays current or modifying access rule settings
	[ no] logging	Modifies whether packet logging is enabled for a specific access rule
	qos dscp <none| preserve|explicit|map> [<arg>]	Modifies DSCP packet header markings
	qos 802.1p <none| preserve|explicit|map> [<arg>]	Modifies 802.1p Ethernet packet header markings
	maxconns <percentage>	Modifies maximum number of connections in a pool
	schedule <schedule object>	Modifies a schedule object connected to an access rule
	service <service object>	Modifies the service object connected to an access rule
	source <address object>	Modifies the source address object connected to an access rule
	tcptimeout <minutes>	Modifies set TCP timeout limit in minutes
	udptimeout <seconds>	Modifies set UDP timeout limit in seconds
	user <user object>	Modifies the user-object connected with an access rule
	show access-rules	Displays all currently configured access rules
ADDRESS GROUP/ADDRESS OBJECT SUB-COMMANDS
	abort	Exits to top-level menu and cancels changes where needed
	[ no] address-object <object name>	Configures or modifies an address object
	[ no] address-group <group name>	Configures or modifies an address group
	cancel	Cancel from menu without applying changes
	end	Exits configuration mode
	exit	Exits menu and applies changes
	finished	Exits to top-level and applies changes where needed
	host <ip address>	Configures the host IP address for the specific address object
	info	Displays current address group configuration
	network <subnet> <netmask>	Configures network subnet and netmask
	range <begin-address> <end address>	Defines address range for the address group or address object
	zone <zone name>	Configures a zone for the specified address object or group
ARP SUB-COMMAND
	[ no ] arp < ip address > < MAC address > interface < lan | wan | dmz >[ perm ][ pub ]	Adds or removes arp entries for specified interface(s)
GMS SUB-COMMANDS
< gms>	algorithm < des-md5 | frd3- sha >	Sets GMS encryption and authentica ­ tion algorithm
	[ no ] authentication-key < hex key >	Sets the 32-hex or 40-hex authentica ­ tion key to communicate with the GMS server
	[ no ] behind-nat	Enables GMS behind a NAT device
	bound-interface < x1 | x2 | x3 | x4 | x5 >	Binds a VPN policy to an interface
	[ no ] enable	Enables GMS management on a ADTRAN
	encryption-key < hex key >	set the 16-hex/48-hex encryption key to communicate with the GMS server
	end	Exits configuration menu
	finished	Exits configuration mode to top menu
	help < command >	Displays command and description
	info	Displays current GMS configuration state
	[ no ] nat-address < IP Address >	Sets the public NAT IP address that the GMS server resides behind
	[ no ] over-vpn	Enables GMS server locally or over VPN
	[ no ] send-heartbeat	Sends heart beat status messages only
	[ no ] server < IP Address >	Sets the real IP address of the GMS server
	[ no ] standby-management- sa	Enables the backup SA for GMS man ­ agement
	syslog-port < uvalue | (default) >	Sets the syslog server port of the GMS server
HIGH AVAILABILITY SUB-COMMAND
	ha <disable|enable>	Enables or disables the High Availability function
NAT SUB-COMMANDS
	nat	Accesses sub-commands to configure NAT policies
< add> commands
	orig-src <original source object>	Sets the original source object for this policy
	trans-src <translated source object>	Sets the translated source object for this policy
	orig-dst <original destination source object>	Sets the original destination source object for this policy
	orig-svc <original service name>	Sets the original service name for this policy
	trans-svc <translated service name>	Sets the translated service name for this policy
	inbound-interface <inbound interface>	Sets the inbound interface for this policy
	outbound-interface <outbound interface>	Sets the outbound interface for this policy
	[ no] enable	Enables/Disables a NAT policy once it has been created
	[ no] reflexive	Creates/Removes a reflexive NAT policy once it has been saved
	comment <comments>	Allows administrator to leave comments relating to a NAT policy
	info	Displays currently configured NAT element settings
< delete> commands
	delete <item-number>	Deletes a specific NAT policy
< modify> commands
	< item-number>	Allows modification of a specific NAT policy
	[ no] enable	Enables/Disables a specific NAT policy
	[ no] comment <comments>	Allows administrator to modify com ­ ments relating to a NAT policy
	orig-src <original source object>	Modifies the original source object for this policy
	trans-src <translated source object>	Modifies the translated source object for this policy
	orig-dst <original destination address object>	Modifies the original destination address object for this policy
	trans-dst <translated destination address object>	Modifies the translated destination- address object for this policy
	orig-svc <original service name>	Modifies the name of the original service
	trans-svc <translated service name>	Modifies the translated service name
	inbound-interface <inbound interface>	Modifies the inbound interface for NAT
	outbound-interface <outbound interface>	Modifies the outbound interface for NAT
	info	Displays current object or modifying object
ROUTE SUB-COMMANDS
	route ars-nsm	Configures the Advanced Routing Suite for the NSM module
	route ars-ospf	Configures the Advanced Routing Suite for the OSPF module
	route ars-rip	Configures the Advanced Routing Suite for the RIP module
SERVICE SUB-COMMANDS
	service	Accesses sub-commands to configure individual services
< add> commands
	< service name>	Allows configuration of a new service type to be associated to the appliance
	< group name>	Allows configuration of a new service group name
	[ no] service <service name>	Allows/Removes configuration of service type
	ip-type <ip type>	Allows ip-type to be set for a particular service
	port-begin <port>	Sets the start point for a service’s port range
	port-end <port>	Sets the endpoint for a service’s port range
	info	Allows additional values to be added for the specific service
	subtype <x>	Sets the subtype for the selected ip-type
< delete> commands
	< group name>	Deletes the specifically named service group
	< service name>	Deletes the specifically named service type
< modify> commands
	< service name>	Allows modification of a service name
	< group name>	Modifies the name of a specified service group
	ip-type <ip type>	Modifies the ip-type for this particular service
	port-begin <port>	Modifies the start port for this range
	port-end <port>	Modifies the end port for this range
	[ no] service <service name}	Modifies/deletes specified service type
	subtype <x>	Modifies the subtype for this specific ip-type
	[ info]	Optional, displays service values for service name, protocol, and port range
SSH SUB-COMMANDS
	ssh enable <interface>	Enables SSH management for the specified interface
	ssh genkey	Creates a new key to use with SSH
	ssh port <port>	Assigns the SSH port or resets to the default port
	ssh restore	Restores SSH management settings to defaults
	ssh terminate	Stops all SSH sessions, disables all SSH management, and resets the port
SSL VPN SUB-COMMANDS
	sslvpn client	Configures or modifies SSL VPN client settings
	sslvpn portal	Configures or modifies SSL VPN portal settings
	sslvpn settings	Configures or modifies SSL VPN settings
TIMEOUT SUB-COMMAND
	timeout <minutes>	Sets login timeout in minutes
VPN SUB-COMMANDS
	[ no] vpn <enable|disable> <policy name>	Enables or disables VPN for a specific policy
	[ no] vpn policy <policy-name> [preshared| manual|cert]	Enables or disables a specific VPN policy
VPN SUB-COMMANDS (PRE-SHARED SECRET)
	abort	Exits to top-level menu and cancels changes where needed
	[ no] advanced apply-nat <local|remote> <trans­lated address object>	Enable or disable translation of the local and/or remote networks communicating with this VPN tunnel
	[ no] advanced auto-add-rule	Enables or disables the auto-add access rule
	advanced bound-to interface <interface>	Binds VPN policy to specific interface
	advanced bound-to zone <zone>	Binds VPN policy to a specific zone
	[ no] advanced default-lan-gw <ip address>	Sets the default LAN domain gateway for VPN tunnel traffic
	[ no] advanced keepalive	Enables or disables heartbeat messages between peers on this VPN tunnel
	[ no] advanced management http	Enables or disables HTTP as the management method security association
	[ no] advanced management https	Enables or disables HTTPS as the management method security association
	[ no] advanced multicast	Enables IP multicasting traffic to pass through the VPN tunnel
	[ no] advanced netbios	Enables or disables Windows Networking (NetBIOS) Broadcast
	[ no] advanced use-xauth <group-name>	Configures or removes the specified user group for XAUTH users
	[ no] advanced user-login http	Enables or disables required user login through HTTP
	[ no] advanced user-login https	Enables or disables required user login through HTTPS
	cancel	Cancel from menu without applying changes
	end	Exits VPN configuration mode
	exit	Exits menu and applies changes
	finished	Exits to top-level and applies changes where needed
	gw domain-name <domain name>	Sets the primary gateway domain name
	gw ip-address <ip address>	Sets the primary gateway IP address
	id local <domain-name|email address|ip-address|ADTRAN-id> <our id>	Sets the name and IP address of the local connection
	id remote <domain name|email address|ip-address|ADTRAN-id> <their id>	Sets the name and IP address of the remote connection
	info	Displays information on a specific VPN policy
	network local <address-object> <address object string>|any|dhcp>	Sets a local network for the VPN tunnel, or configures the network to obtain IP addresses using DHCP
	network remote <address- object<address object string>|any|dhcp>	Sets a specific VPN tunnel as the default route for all incoming Internet traffic
	pre-shared-secret <string>	Established specified preshared secret
	proposal ike [<main|aggres­sive|ikev2>] [encr <des|triple-des|aes-128|aes-192|aes-256>] [auth <md5|sha1>] [dh <1|2|5>] [lifetime <seconds>]	Sets the desired IKE encryption suite configurations for VPN tunnel traffic
	proposal ipsec [<esp|ah>] [encr <des|triple-des|aes-128|aes-192|aes-256>] [auth <md5|sha1>] [dh <1|2|5>] [lifetime <seconds>]	Sets encryption settings for IPSec pro ­ posal
	sec-gw domain-name <domain name>	Sets the secondary gateway domain name
	sec-gw ip-address <ip address>	Sets the secondary gateway’s IP address
VPN SUB-COMMANDS (MANUAL KEY)
	abort	Exits to top-level menu and cancels changes where needed
	[ no] advanced apply-nat <local|remote> <trans­lated address object>	Enable or disable translation of the local and/or remote networks communicating with this VPN tunnel
	[ no] advanced auto-add-rule	Enables or disables the auto-add access rule
	advanced bound-to interface <interface>	Binds VPN policy to specific interface
	advanced bound-to zone <zone>	Binds VPN policy to a specific zone
	[ no] advanced keepalive	Enables or disables heartbeat messages between peers on this VPN tunnel
	[ no] advanced management http	Enables or disables HTTP as the management method security association
	[ no] advanced managment https	Enables or disables HTTPS as the management method security association
	[ no] advanced multicast	Enables IP multicasting traffic to pass through the VPN tunnel
	[ no] advanced netbios	Enables or disables Windows Networking (NetBIOS) Broadcast
	[ no] advanced use-xauth <group name>	Configures or removes the specified user group for XAUTH users
	[ no] advanced user-login http	Enables or disables required user login through HTTP
	[ no] advanced user-login https	Enables or disables required user login through HTTPS
	cancel	Cancel from menu without applying changes
	end	Exits configuration mode
	exit	Exits menu and applies changes
	finished	Exits to top-level and applies changes where needed
	gw domain-name <domain name>	Sets the primary gateway domain name
	gw ip-address <ip address>	Sets the primary gateway IP address
	info	Displays information on a specific VPN policy
	network local <address object <address object string> | any>	Sets a local network for the VPN tunnel, or configures the network to obtain IP addresses using DHCP
	network remote <address object <address object string> | any>	Sets a specific VPN tunnel as the default route for all incoming Internet traffic
	proposal ipsec [<esp|ah>] [encr <des|triple-des|aes-128|aes-192|aes-256>] [auth <md5|sha1>] [dh <1|2|5>] [lifetime <seconds>]	Sets encryption settings for IPSec proposal
	sa [in-spi <Incoming SPI>] [out-spi <Outgoing SPI>] [encr-key <Encryp­tion Key>] [auth-key <Authentication Key>]	Sets hexidecimal incoming and outgoing Security Parameter Index (SPI) to allow the ADTRAN to uniquely identify all security associations
VPN SUB-COMMANDS (3rd PARTY CERTIFICATE)
	abort	Exits to top-level menu and cancels changes where needed
	[ no] advanced apply-nat	Enable or disable translation of the local and/or remote networks communicating with this VPN tunnel
	[ no] advanced auto-add-rule	Enables or disables the auto-add access rule
	advanced bound-to inter ­ face <interface>	Binds VPN policy to specific interface
	advanced bound-to zone <zone>	Binds VPN policy to a specific zone
	[no ] advanced default-lan-gw <ip address>	Sets the default LAN gateway for VPN tunnel traffic
	[ no] advanced keepalive	Enables or disables heartbeat messages between peers on this VPN tunnel
	[ no] advanced management http	Enables or disables HTTP as the management method security association
	[ no] advanced managment https	Enables or disables HTTPS as the management method security association
	[ no] advanced multicast	Enables IP multicasting traffic to pass through the VPN tunnel
	[ no] advanced netbios	Enables or disables Windows Networking (NetBIOS) Broadcast
	[ no] advanced ocsp <url>	Enables use of Online Certificate Status Protocol (OCSP) to check VPN certificate status and specifies the URL where to check the certificate status
	[ no] advanced use-xauth <group name>	Configures or removes the specified user group for XAUTH users
	[ no] advanced user-login http	Enables or disables required user login through HTTP
	[ no] advanced user-login https	Enables or disables required user login through HTTPS
	cancel	Cancel from menu without applying changes
	cert <certname>	Selects a certificate for the ADTRAN
	end	Exits configuration mode
	exit	Exits menu and applies changes
	finished	Exits to top-level and applies changes where needed
	gw domain-name <domain name>	Sets the primary gateway domain name
	gw ip-address <ip address>	Sets the primary gateway IP address
	id remote <domain name | email address | distin­guished name> <peer-id>	Sets peer IKE ID type
	info	Displays information on a specific VPN policy
	network local <address object <address object string> | any>	Sets a local network for the VPN tunnel, or configures the network to obtain IP addresses using DHCP
	network remote <address object <address object string> | any>	Sets a specific VPN tunnel as the default route for all incoming Internet traffic
	proposal ike [<main|aggres­sive|ikev2>] [encr <des|triple-des|aes-128|aes-192|aes-256>] [auth <md5|sha1>] [dh <1|2|5>] [lifetime <seconds>]	Sets the desired IKE encryption suite configurations for VPN tunnel traffic
	proposal ipsec [<esp|ah>] [encr <des|triple-des|aes-128|aes-192|aes-256>] [auth <md5|sha1>] [dh <1|2|5>] [lifetime <seconds>]	Sets encryption settings for IPSec proposal
	sec-gw domain-name <domain name>	Sets the secondary gateway domain name
	sec-gw ip-address <ip address>	Sets the secondary gateway’s IP address
SSL VPN CLIENT SUB-COMMANDS
	abort	Exits to top-level menu without applying changes
	address <start ip address> <end ip address> <interface>	Sets the global IP address pool from which NetExtender clients are assigned an IP address
	[ no] auto-update	Enables/Disables auto-update which assists users in updating their NetEx ­ tender client when a newer version is required to establish a connection
	cache-username-password <username-only | pass­word-username | prohibit>	Sets the user name and password cache policy used for the NetExtender client
	cancel	Exits from menu without applying changes
	[ no] client-communicate	Enables/Disables traffic between hosts connecting to server with NetExtender
	[ no] create-connection-profile	Enables/Disables NetExtender client’s ability to create a connection profiles
	dns-domain <DNS domain name>	Sets the DNS domain which is the NetExtender client DNS-specific suffix
	dns1 <ip address>	Sets the primary DNS server IP address to be used by all NetExtender clients
	dns2 <ip address>	Sets the secondary DNS server IP address to be used by all NetExtender clients
	end	Exits SSL VPN configuration mode
	exit	Exits menu and applies changes
	[ no] exit-after-discon­nect	Enables/Disables the forcing of a NetExtender client to exit after disconnecting from the server
	finished	Exits to top-level and applies changes where needed
	help	Displays available sub-commands for SSL VPN client configuration
	info	Displays SSL VPN client settings
	no	Inverts sense of a command
	show	Invokes show commands
	sslvpn-access <LAN|WAN|DMZ|WLAN>	Enables SSL VPN access on specified zone
	[ no] uninstall-after-exit	Enables/Disables automatic uninstall of NetExtender clients after exit
	user-domain <user domain name>	Sets the user domain to which all SSL VPN users belong
	wins1 <ip address>	Sets the primary WINS server IP address
	wins2 <ip address>	Sets the secondary WINS server IP address
SSL VPN PORTAL SUB-COMMANDS
	abort	Exits to top-level menu without applying changes
	[ no] auto-launch	Enables/Disables automatic launch of NetExtender after a user logs into the portal
	banner-title <portal banner title name>	Sets the portal banner title that displays next to the logo on the portal home page
	[ no] cache-control	Enables/Disables the use of some HTML META tags to tell browser to cache UI files in portal pages
	cancel	Exits the menu without applying changes
	custom logo <url>	Sets a customized logo to be used on the portal page. The URL entered must be valid and reachable by the unit.
	[ no] default-logo	Enables/Disables the use of the default ADTRAN logo on the portal page
	[ no] display-cert	Enables/Disables the display of the button to import the SSL VPN server certificate
	end	Exits SSL VPN portal configuration
	exit	Exits menu and applies changes
	finished	Exits to top-level menu and applies changes
	help	Displays available subcommands for SSL VPN portal settings
	info	Displays current SSL VPN portal settings
	no	Inverts sense of a command
	show	Invokes show commands
	site-title <portal site title name>	Sets the portal HTML page title that displays in the browser window’s title
SSL VPN ROUTE SUB-COMMANDS
	abort	Exits to top-level menu without applying changes
	add-routes <address object name>	Adds an address object as a client route entry
	cancel	Exits from menu without applying changes
	delete-routes <address object name>	Deletes specified SSL VPN client route entry, identified as an address object
	end	Exits SSL VPN client routes configura ­ tion mode
	exit	Exits menu and applies changes
	finished	Exits to top-level menu and applies changes
	help	Displays available subcommands for SSL VPN client routes settings
	info	Displays current SSL VPN client routes settings
	no	Inverts sense of a command
	show	Invokes show commands
	[ no] tunnel-all	Enables/Disables tunnel all mode which configures the NetExtender client to tunnel all traffic over the SSL VPN connection
WEB MANAGEMENT SUB-COMMANDS
	[ no] web-management otp enable	Configures one-time password for VPN user access to the appliance

Table 8

LAN Interface Configuration

 

Command		Description
interface < x0 | x1 | x2 | x3 | x4 | x5 > [< lan | wan | dmz >]		Assigns zone and enters the configura ­ tion mode for the interface
	auto	Sets the interface to auto negotiate
	comment < string >	Adds comment as part of the port con ­ figuration
	duplex < full | half >	Sets the interface duplex speed
	end	Exits the configuration mode
	finished	Exits configuration mode to the top menu
	help < command >	Displays the command and description
	[no] https-redirect enable	Enables or disables https redirect on the interface
	info	Displays information about the inter ­ face
	show interface all	Displays the configuration of all interfaces
	[no] management <http|https|ping|snmmp|ss h> enable	Enables or disables specified manage ­ ment protocol on the interface
	[no] user-login <http|https>	Configures user-login protocol for the interface
LAN MODE		Enters the LAN configuration mode
< lan >	end	Exits configuration mode
	finished	Exits configuration mode to top menu level
	help < command >	Displays the command and description
	info	Displays information about the inter ­ face
	ip < IP Address > netmask <mask>	Sets the IP address for the interface
name < interface name >		Sets the name for the interface
speed < 10 | 100 >		Sets the interface speed

Table 9

WAN Interface Configuration

 

Command		Description
< wan >	auto	Sets the interface to auto-negotiate
	bandwidth-management enable	Enables bandwidth management
	bandwidth-management size < uvalue >	Sets the bandwidth management size
	comment < string >	Adds comment as part of the port con ­ figuration
	duplex < full | half >	Sets the interface duplex speed
	end	Exits the configuration mode
	finished	Exits configuration mode to the top menu
	fragment-packets	Enables/disables fragmentation of packets larger than the interface MTU
	ignore-df-bit	Enables/disables ignoring the don’t fragment bit
	help < command >	Displays the command and description
	[ no] https-redirect enable	Enables or disables https redirect on the interface
	info	Displays information about the inter ­ face
	[ no] management <http|https|ping|snmmp| ssh> enable	Enables or disables specified manage ­ ment protocol on the interface
	[ no] user-login <http|https>	Configures user-login protocol for the interface
mode < static | dhcp | pptp | l2tp | pppoe >		Sets the mode for the WAN interface and enters the mode configuration
Mode Static WAN Interface Configuration
	[ no ] dns < IP Address >	Enters or removes IP address of DNS servers
	end	Exits configuration mode
	finished	Exits configuration mode to top menu
	gateway < IP Address >	Sets or removes default gateway for the interface
	help < command >	Displays help for given command
	info	Displays IP information about the inter ­ face
	[ no ] ip < IP Address >	Sets the IP address for the interface
Mode DHCP WAN Interface Configuration
	end	Exits configuration mode
	finished	Exits configuration mode to top menu
	help < command >	Displays help for given command
	info	Displays IP information about the inter ­ face
	[ no ] hostname < string >	Sets the hostname for the interface
	release	Releases IP address information
	renew	Renews IP address information
Mode PPTP WAN Interface Configuration
	[ no ] dynamic	Sets the ADTRAN to obtain the IP address dynamically
	end	Exits configuration mode
	finished	Exits configuration mode to top menu
	help < command >	Displays help for given command
	[ no ] hostname < string >	Clears/Sets PPTP hostname
	[ no ] inactivity	Enables/disables the PPTP inactivity timer
	timeout < uvalue >	Sets/Clears the PPTP inactivity timeout
	info	Displays IP information about the inter ­ face
	[ no ] ip < IP Address >	Sets/Clears the IP address for the interface
	[ no ] password < quoted string >	Sets/Clears the PPTP password
	[ no ] server ip <IP Address >	Sest/Clears the PPTP server IP address
	start
	stop
	[ no ] username < string >	Sets/Clears the PPTP username
L2TP WAN Configura ­ tion Mode
	[ no ] dynamic	Sets the ADTRAN to obtain the IP address dynamically
	end	Exits configuration mode
	finished	Exits configuration mode to top menu
	help < command >	Displays help for given command
	[ no ] hostname < string >	Clears/Sets L2TP hostname
	[ no ] inactivity	Enables/disables the L2TP inactivity timer
	timeout < uvalue >	Sets/Clears the L2TP inactivity timeout
	info	Displays IP information about the inter ­ face
	[ no ] ip < IP Address>	Sets/Clears the IP address for the interface
	[ no ] password < quoted string >	Sets/Clears the L2TP password
	[ no ] server ip < IP Address >	Sets/Clears the L2TP server IP address
	start
	stop
	[ no ] username < string >	Sets/Clears the L2TP username
	mtu < uvalue >	Sets the MTU of the interface
	name < interface name >	Sets the name for the interface
	speed < 10 | 100 >	Sets the interface speed
Other Interface Configuration
	auto	Sets the interface to autonegotiate
	comment < string >	Adds a comment as part of the force configuration
	duplex < full | half >	Sets the interface duplex speed
	end	Exits configuration mode
	finished	Exits configuration mode to top menu
	help < command >	Displays help for given command
	info	Displays IP information about the inter ­ face
	name < interface name >	Sets the name for the interface
	speed < 10 | 100 >	Sets the interface to autonegotiate
	[no] log categories [ all ]	Assigns/clears logging categories
Log Category Information
	[ no ] all	Assigns/clears all logging categories
	[ no ] attack	Assigns/clears attack logging category
	[ no ] blocked-code	Assigns/clears blocked code logging category
	[ no ] blocked-sites	Assigns/clears blocked sites logging category
	[no ] connection	Assigns/clears connection logging cat ­ egory
	[ no ] conn-traffic	Assigns/clears conn traffic logging cat ­ egory
	[ no ] debug	Assigns/clears debug logging category
	end	Exits configuration mode
	finished	Exits configuration mode to top menu
	help < command >	Displays help for given command
	[ no ] icmp	Assigns/clears ICMP logging category
	info	Displays IP information about the inter ­ face
	[no ] lan-icmp	Assigns/clears LAN-ICMP logging cat ­ egory
	[ no ] lan-tcp	Assigns/clears LAN-TCP logging cate ­ gory
	[ no ] lan-udp	Assigns/clears LAN-UDP logging cate ­ gory
	[ no ] maintenance	Assigns/clears maintenance logging category
	[ no ] mgmt-80211b	Assigns/clears 80211b management logging category
	[ no ] modem-debug	Assigns/clears modem debugging log ­ ging category
	[ no ] sys-env	Assigns/clears sys env logging cate ­ gory
	[ no ] sys-err	Assigns/clears sys error logging cate ­ gory
	[ no ] tcp	Assigns/clears TCP logging category
	[ no ] udp	Assigns/clears UDP logging category
	[ no ] user-activity	Assign/clear user-activity logging cate ­ gory
	[ no ] vpn-stat	Assigns/clears vpn-stat logging cate ­ gory
	[ no ] vpn-tunnel-status	Assigns/clears vpn tunnel status log ­ ging category
[ no ] log filter-time <uvalue>		Assigns/clears log filter time
log ordering <choices> [ invert ]		Assign/clear ordering method when displaying log entries
name < string>		Sets/clears the firewall name
[ no ] route default < IP address >		Assigns clear default route
[ no ] route < Destination > < Netmask > < Gateway > [ metric < route metric >]		Assigns clear static routes
[ no ] web-management http enable < x0 | x1 | x2 | x3 | x4 | x5 >		Enables/disables HTTP web manage ­ ment
web-management http port < tcp port or 'default' >		Assigns the HTTP web management port or reset to default
[ no ] web-management https enable < x0 | x1 | x2 | x3 | x4 | x5 >		Enables/disables HTTPS web man ­ agement
web-management https port < tcp port or 'default' >		Assigns the HTTPS web management port or resets to default
web-management restore		Restores default web-management port and interface assignments
zone <wan|lan|dmz>		Enters the zone configuration menu
	end	Exits configuration mode
	finished	Exits configuration mode to top menu
	[ no ] intrazone-communica ­ tions	Enables/disables intra-zone communi ­ cations
	auto	Sets the interface to autonegotiate
	bandwidth-management enable	Enables bandwidth management
	bandwidth-management size < uvalue >	Sets the bandwidth management size
	comment < string >	Adds comment as part of the port con ­ figuration
	duplex < full | half >	Sets the interface duplex speed
	end	Exit the configuration mode
	finished	Exit configuration mode to the top menu
	fragment-packets	Enable/disable fragmentation of pack ­ ets larger than the interface MTU
	ignore-df-bit	Enable/disable ignoring the don’t frag ­ ment bit
	show zone all	Displays the configuration of all zones
	[ no] sslvpn-access	Configures SSL VPN access on the zone
< guest services> SUB-COMMANDS
	abort	Exits to top-level menu and cancels changes where needed
	bypass antivirus	Configures the zone’s bypass settings for anti-virus
	bypass auth <string|iden ­ tifier	Configures the zone’s bypass authentication based on string or identifier input
	custom enable	Enables custom authentication page settings
	custom footer-text <string|identifier	Configures custom footer text for the authentication page
	custom footer-type <text|url>	Configures custom footer text font for the authentication page
	custom header-text <string|identifier>	Configures custom header text for the authentication page
	custom header-type <text|url>	Configures custom header text font for the authentication page
	deny <string|identifier>	Configures deny settings for access to the zone
	enable	Enables WGS
	end	Exits upon configuring WGS settings
	exit	Exits menu and applies changes
	finished	Exits to top-level menu and applies changes where needed
	help	Displays help commands for this menu
	info	Displays current WGS configuration state
	maxguests <value>	Sets maximum guest limit for the zone at specified value
	no	Inverts sense of a command
	pass <string|identifier>	Allows traffic through zone from the specified network
	post enable	Enables guests to be directed to a landing page post-authentication
	post url <string|identi ­ fier>	Configures which URL guests are directed to after authentication
	show	Invoke show commands
	smtp-redirect <string|identifier>	Configures SMTP redirect settings for the zone

Configuring Site-to-Site VPN Using CLI

This section describes how to create a VPN policy using the Command Line Interface. You can configure all of the parameters using the CLI, and enable the VPN without using the Web management interface.

Note

In this example, the VPN policy on the other end has already been created.

CLI Access

1.	Use a DB9 to RJ45 connector to connect the serial port of your PC to the console port of your firewall.

2.	Using a terminal emulator program, such as TerraTerm, use the following parameters:

•

115,200 baud

•

8 bits

•

No parity

•

1 stop bit

•

No flow control

3.	You may need to hit return two to three times to get to a command prompt, which will look similar to the following:

NetVanta2630>

If you have used any other CLI, such as Unix shell or Cisco IOS, this process should be relatively easy and similar. It has auto-complete so you do not have to type in the entire command.

4.	When a you need to make a configuration change, you should be in configure mode. To enter configure mode, type configure.

NetVanta2630 > configure

(config[NetVanta2630])>

The command prompt changes and adds the word config to distinguish it from the normal mode. Now you can configure all the settings, enable and disable the VPNs, and configure the firewall.

Configuration

In this example, a site-to-site VPN is configured between two NetVanta 2630 appliances, with the following settings:

Local NetVanta 2630 (home):
WAN IP: 10.50.31.150
LAN subnet: 192.168.61.0
Mask 255.255.255.0

Remote NetVanta 2630 (office):
WAN IP: 10.50.31.104
LAN subnet: 192.168.15.0
Mask: 255.255.255.0

Authentication Method: IKE using a Pre-Shared Key
Phase 1 Exchange: Main Mode
Phase 1 Encryption: 3DES
Phase 1 Authentication SHA1
Phase 1 DH group: 2
Phase 1 Lifetime: 28800
Phase 2 Protocol: ESP
Phase 2 Encryption: 3DES
Phase 2 Authentication: SHA1
Phase 2 Lifetime: 28800
No PFS

1.	In configure mode, create an address object for the remote network, specifying the name , zone assignment , type , and address . In this example, we use the name OfficeLAN :

(config[NetVanta2630]> address-object Office LAN
(config-address-object[OfficeLAN])>

Note

The prompt has changed to indicate the configuration mode for the address object.

(config-address-object[OfficeLAN])> zone VPN
(config-address-object[OfficeLAN])> network 192.168.15.0 255.255.255.0
(config-address-object[OfficeLAN])> finished

2.	To display the address object, type the command show address-object [name] :

NetVanta2630 > show address-object OfficeLAN

The output will be similar to the following:

address-object OfficeLAN
network 192.168.15.0 255.255.255.0
zone VPN

3.	To create the VPN policy, type the command vpn policy [name] [authentication method]:

(config[NetVanta2630])> vpn policy OfficeVPN pre-shared
(config-vpn[OfficeVPN])>

Note

The prompt has changed to indicate the configuration mode for the VPN policy. All the settings regarding this VPN will be entered here.

4.	Configure the Pre-Shared Key. In this example, the Pre-Shared Key is ADTRAN:

(config-vpn[OfficeVPN])> pre-shared-secret ADTRAN

5.	Configure the IPSec gateway:

(config-vpn[OfficeVPN])> gw ip-address 10.50.31.104

6.	Define the local and the remote networks:

(config-vpn[OfficeVPN])> network local address-object "LAN Primary Subnet"
(config-vpn[OfficeVPN])> network remote address-object "OfficeLAN"

7.	Configure the IKE and IPSec proposals:

(config-vpn[OfficeVPN])> proposal ike main encr triple-des auth sha1 dh 2 lifetime 28800
(config-vpn[OfficeVPN])> proposal ipsec esp encr triple-des auth sha1 dh no lifetime 28800

8.	In the Advanced tab in the UI configuration, enable keepalive on the VPN policy:

(config-vpn[OfficeVPN])> advanced keepalive

9.	To enable the VPN policy, use the command vpn enable “name” :

(config[NetVanta2630])> vpn enable "OfficeVPN"

10.	Use the finished command to save the VPN policy and exit from the VPN configure mode:

(config-vpn[OfficeVPN])> finished
(config[NetVanta2630])>

The configuration is complete.

Note

The command prompt goes back to the configure mode prompt.

Viewing VPN Configuration

Use the following steps to configure the VPN policies.

1.	To view a list of all the configured VPN policies, type the command show vpn policy. The output will be similar to the following:

(config[NetVanta2630])> show vpn policy

Policy: WAN GroupVPN (Disabled)
Key Mode: Pre-shared
Pre Shared Secret: DE65AD2228EED75A

Proposals:
IKE: Aggressive Mode, 3DES SHA, DH Group 2, 28800 seconds
IPSEC: ESP, 3DES SHA, No PFS, 28800 seconds

Advanced:
Allow NetBIOS OFF, Allow Multicast OFF
Management: HTTP OFF, HTTPS OFF
Lan Default GW: 0.0.0.0
Require XAUTH: ON, User Group: Trusted Users

Client:
Cache XAUTH Settings: Never
Virtual Adapter Settings: None
Allow Connections To: Split Tunnels
Set Default Route OFF, Apply VPN Access Control List OFF
Require GSC OFF
Use Default Key OFF

Policy: OfficeVPN (Enabled)
Key Mode: Pre-shared
Primary GW: 10.50.31.104
Secondary GW: 0.0.0.0
Pre Shared Secret: ADTRAN

IKE ID:
Local: IP Address
Peer: IP Address

Network:
Local: LAN Primary Subnet
Remote: OfficeLAN

Proposals:
IKE: Main Mode, 3DES SHA, DH Group 2, 28800 seconds
IPSEC: ESP, 3DES SHA, No PFS, 28800 seconds

Advanced:
Keepalive ON, Add Auto-Rule ON, Allow NetBIOS OFF
Allow Multicast OFF
Management: HTTP ON, HTTPS ON
User Login: HTTP ON, HTTPS ON
Lan Default GW: 0.0.0.0
Require XAUTH: OFF
Bound To: Zone WAN

2.	To view the configuration for a specific policy, specify the policy name in double quotes. For example:

(config[NetVanta2630])> show vpn policy "OfficeVPN"

The output will be similar to the following:

Policy: OfficeVPN (Enabled)
Key Mode: Pre-shared
Primary GW: 10.50.31.104
Secondary GW: 0.0.0.0
Pre Shared Secret: ADTRAN

IKE ID:
Local: IP Address
Peer: IP Address

Network:
Local: LAN Primary Subnet
Remote: OfficeLAN

Proposals:
IKE: Main Mode, 3DES SHA, DH Group 2, 28800 seconds
IPSEC: ESP, 3DES SHA, No PFS, 28800 seconds

Advanced:
Keepalive ON, Add Auto-Rule ON, Allow NetBIOS OFF
Allow Multicast OFF
Management: HTTP ON, HTTPS ON
User Login: HTTP ON, HTTPS ON
Lan Default GW: 0.0.0.0
Require XAUTH: OFF
Bound To: Zone WAN

3. Type the command show vpn sa “name” to see the active SA:

(config[NetVanta2630])> show vpn sa "OfficeVPN"

Policy: OfficeVPN
IKE SAs

GW: 10.50.31.150:500 --> 10.50.31.104:500
Main Mode, 3DES SHA, DH Group 2, Responder
Cookie: 0x0ac298b6328a670b (I), 0x28d5eec544c63690 (R)
Lifetime: 28800 seconds (28783 seconds remaining)

IPsec SAs

GW: 10.50.31.150:500 --> 10.50.31.104:500
(192.168.61.0 - 192.168.61.255) --> (192.168.15.0 - 192.168.15.255)
ESP, 3DES SHA, In SPI 0xed63174f, Out SPI 0x5092a0b2
Lifetime: 28800 seconds (28783 seconds remaining)

ADTRAN NetExtender Windows Client CLI Commands

The following section includes commands for the NetExtender Windows Client CLI (NEClient.exe):

Usage: NECLI [OPTIONS]

connect [OPTIONS]

-s server
-u user name
-p password
-d domain name
-clientcertificatethumb thumb(when server need client
certificate)
-clientcertificatename name(when server need client
certificate)

disconnect
createprofile [OPTIONS]

-s server
-u user name(optional)
-p password(optional)
-d domain name

displayprofile [OPTIONS]

-s server(optional)
-d domain(optional)
-u username(optional)

deleteprofile [OPTIONS]

-s server
-d domain
-u username

showstatus
setproxy [OPTIONS]

-t 1 automatic detect setting; 2 configuration script; 3 proxy server
-s proxy address/URL of automatic configuration script
-o port
-u user name
-p password
-b bypass proxy
-save
queryproxy
reconnect
viewlog
-profile

servername: connect to server directly when password has been saved

Example:

NECLI -version

NECLI connect -s 10.103.62.208 -d LocalDomain -u admin -p
password

NECLI connect -s 10.103.62.208 -d LocalDomain -u admin -p
password - clientcertificatethumb
cf3d20378ba7f2d9a79c536e230a2495d4a46734

NECLI connect -s 10.103.62.208 -d LocalDomain -u admin -p
password - clientcertificatename "Admin"

NECLI disconnect

NECLI createprofile -s 10.103.62.208 -d LocalDomain -u admin

NECLI displayprofile -s 10.103.62.208

NECLI deleteprofile -s 10.103.62.208 -d LocalDomain -u admin

NECLI showstatus

NECLI -t 3 -s 10.103.62.201 -o 808 -u user1 -p password -b
10.103.62.101;10.103.62.102

NECLI queryproxy

NECLI viewlog

NECLI reconnect

NECLI -profile 10.103.62.208

ADTRAN NetExtender MAC and Linux Client CLI Commands

The following section includes the Mac and Linux CLI version, which is similar to the NetExtender Windows Client CLI in the previous section:

Usage: netExtender [OPTIONS] server[:port]

-u user
-p password
-d domain
-t timeout Login timeout in seconds, default is 30 sec.
-e encryption Encryption cipher to use. To see list use -e -h.
-m Use this option to not add remote routes.
-r filename Generate a diagnostic report.
-v Display NetExtender version information.
-h Display this usage information.

server: Specify the server either in FQDN or IP address.
The default port for server is 443 if not specified.

Example:

netExtender -u u1 -p p1 -d LocalDomain sslvpn.company.com
[root@linux]# netExtender -u demo sslvpn.demo.adtran.com
SUSE/Ubuntu compatibility mode off

User Access Authentication
Password:
Domain: Active Directory
Connecting to SSL-VPN Server "sslvpn.demo.adtran.com:443". . .
Connected.
Logging in...
Login successful.
Using SSL Encryption Cipher 'DHE-RSA-AES256-SHA'
Using new PPP frame encoding mechanism
You now have access to the following 5 remote networks:

192.168.150.0/255.255.255.0

192.168.151.0/255.255.255.0

192.168.152.0/255.255.255.0

192.168.153.0/255.255.255.0

192.168.158.0/255.255.255.0

NetExtender connected successfully. Type "Ctrl-c" to disconnect...
Disconnecting NetExtender...
Terminating pppd.......
SSL-VPN logging out...
SSL-VPN connection is terminated.
Exiting NetExtender client.