CLIguide

CLIguide

Appendix A: CLI Guide

This appendix contains a categorized listing of Command Line Interface (CLI) commands for SonicOS Enhanced firmware. Each command is described, and where appropriate, an example of usage is included.

This appendix contains the following sections:

Input Data Format Specification

The table below describes the data formats acceptable for most commands. H represents one or more hexadecimal digit (0-9 and A-F). D represents one or more decimal digit.

Table 16:

Data Data Format

MAC Address

HH:HH:HH:HH:HH:HH

MAC Address

HHHH.HHHH.HHHH

IP Address

D.D.D.D

IP Address

0xHHHHHHHH

Integer Values

D

Integer Values

0xH

Integer Range

D-D

Input Data Formats

Text Conventions

Bold text indicates a command executed by interacting with the user interface.

Courier bold text indicates commands and text entered using the CLI.

Italic text indicates the first occurrence of a new term, as well as a book title, and also emphasized text. In this command summary, items presented in italics represent user-specified information.

Items within angle brackets (“< >”) are required information.

Items within square brackets (“[ ]”) are optional information.

Items separated by a “pipe” (“|”) are options. You can select any of them.

Note: Though a command string may be displayed on multiple lines in this guide, it must be entered on a single line with no carriage returns except at the end of the complete command.

Editing and Completion Features

You can use individual keys and control-key combinations to assist you with the CLI. The table below describes the key and control-key combination functions.

Table 17:

Key(s) Function

Tab

Completes the current word

?

Displays possible command completions

CTRL+A

Moves cursor to the beginning of the command line

CTRL+B

Moves cursor to the previous character

CTRL+C

Exits the Quick Start Wizard at any time

CTRL+E

Moves cursor to the end of the command line

CTRL+F

Moves cursor to the next character

CTRL+K

Erases characters from the cursor to the end of the line

CTRL+N

Displays the next command in the command history

CTRL+P

Displays the previous command in the command his­tory

CTRL+W

Erases the previous word

Left Arrow

Moves cursor to the previous character

Right Arrow

Moves the cursor to the next character

Up Arrow

Displays the previous command in the command his­tory

Down Arrow

Displays the next command in the command history

Key Reference

Most configuration commands require completing all fields in the command. For commands with several possible completing commands, the Tab or ? key display all options.

: : : : myDevice> show [TAB]

alerts

interface

network

tech-support

arp

log

processes

tsr

content-filter

memory

route

web-management

cpu

messages

security-services

zone

device

nat

status

zones

gms

netstat

system

The Tab key can also be used to finish a command if the command is uniquely identified by user input.

myDevice> show al [TAB]

displays

myDevice> show alerts

Additionally, commands can be abbreviated as long as the partial commands are unique. The following text:

myDevice> sho int inf

is an acceptable abbreviation for

myDevice> show interface info

Command Hierarchy

The CLI configuration manager allows you to control hardware and firmware of the appliance through a discreet mode and submode system. The commands for the appliance fit into the logical hierarchy shown below.

To configure items in a submode, activate the submode by entering a command in the mode above it.

For example, to set the default LAN interface speed or duplex, you must first enter configure, then interface x0 lan. To return to the higher Configuration mode, simply enter end or finished.

Configuration Security

SonicWALL Internet Security appliances allow easy, flexible configuration without compromising the security of their configuration or your network.

Passwords

The SonicWALL CLI currently uses the administrator’s password to obtain access. SonicWALL devices are shipped with a default password of password. Setting passwords is important in order to access the SonicWALL and configure it over a network.

Factory Reset to Defaults

If you are unable to connect to your device over the network, you can use the command restore to reset the device to factory defaults during a serial configuration session.

Management Methods for the SonicWALL Network Security Appliance

You can configure the SonicWALL appliance using one of three methods:

Initiating a Management Session using the CLI

Serial Management and IP Address Assignment

Follow the steps below to initiate a management session via a serial connection and set an IP address for the device.

Note: The default terminal settings on the SonicWALL and modules is 80 columns by 25 lines. To ensure the best display and reduce the chance of graphic anomalies, use the same settings with the serial terminal software. The device terminal settings can be changed, if necessary. Use the standard ANSI setting on the serial terminal software.

  1. Attach the included null modem cable to the appliance port marked CONSOLE. Attach the other end of the null modem cable to a serial port on the configuring computer.
  2. Launch any terminal emulation application that communicates with the serial port connected to the appliance. Use these settings:
  3. Press Enter/Return. Initial information is displayed followed by a DEVICE NAME> prompt.

Initiating an SSH Management Session via Ethernet

Note: This option works for customers administering a device that does not have a cable for console access to the CLI.

Follow the steps below to initiate an SSH management session through an Ethernet connection from a client to the appliance.

  1. Attach an Ethernet cable to the interface port marked XO. Attach the other end of the Ethernet cable to an Ethernet port on the configuring computer.
  2. Launch any terminal emulation application (such as PuTTY) that communicates via the Ethernet interface connected to the appliance.
  3. Within the emulation application, enter the IP destination address for the appliance and enter 22 as the port number.
  4. Select SSH as the connection type and open a connection.

Logging in to the SonicOS CLI

When the connection is established, log in to the security appliance:

  1. At the User prompt enter the Admin’s username. Only the admin user will be able to login from the CLI. The default Admin username is admin. The default can be changed.
  2. At the Password prompt, enter the Admin’s password. If an invalid or mismatched username or password is entered, the CLI prompt will return to User:, and a “CLI administrator login denied due to bad credentials” error message will be logged. There is no lockout facility on the CLI.

SonicOS Enhanced Command Listing

The following section displays all commands available for the SonicWALL:

Table 18:

Command Description

backup

Backs-up device firmware settings

baud 9600

Sets system baud rate to 9600

baud 19200

Sets baud rate to 19200

baud 38400

Sets baud rate to 38400

baud 57600

Sets baud rate to 57600

baud 115200

Sets baud rate to 115200

baud save

Saves current baud rate setting

clear cp-stats

Clears CPU statistics

clear hw-stats

Clears hardware statistics

clear log

Clears messages from the logging buffer

clear pp-stats

Clears presentation protocol statistics

clear screen

Clears the console screen, leaving a single prompt line

clear ssh

Terminates a secure shell connection

clear ssh <int | hex>

Terminates a particular secure shell connec­tion, specified by integer or hexidecimal input

clear ssh all

Terminates all incoming and outgoing secure shell connections

cls

Clears the console screen, leaving a single prompt line

configure

Enters the configuration level

exit

Causes exit from a submenu. If issued at the global level, returns to the login prompt

export preferences

Exports a preferences file using Z-modem protocol

export preferences ftp

Exports a preferences file using FTP protocol

export trace all

Exports all native trace route provisioning data using Z-modem protocol

export trace all ftp

Exports all native trace route provisioning data using FTP protocol

export trace current

Exports currently running trace route data using Z-modem protocol

export trace current ftp

Exports currently running trace route data using FTP protocol

export trace last

Exports the most recent trace route data using Z-modem protocol

export trace last ftp

Exports the most recent trace route data using FTP protocol

export tsr

Exports TSR using Z-modem protocol

export tsr ftp

Exports TSR using FTP protocol

firmware boot current

Loads and executes current unit firmware

firmware boot current factory

Loads and executes default factory unit hardware

firmware boot uploaded

Runs uploaded firmware on the unit

firmware boot uploaded factory

Runs original factory installed firmware

firmware download current

Downloads currently running unit firmware

firmware download uploaded

Downloads currently uploaded unit firmware

firmware upload

Uploads updated unit firmware

help <command>

Displays the specified command and description

import configuration

Imports current system configuration from the Son­icWALL

import preferences

Imports preferences from the SonicWALL using Z-modem protocol

language-override

Overrides current unit language setting

language-override chinese

Overrides current unit language setting, resets to Chi­nese

language-override english

Overrides current unit language setting, resets to English

language-override french

Overrides current unit language setting, resets to French

language-override german

Overrides current unit language setting, resets to Ger­man

language-override italian

Overrides current unit language setting, resets to Ital­ian

language-override japanese

Overrides current unit language setting, resets to Jap­anese

language-override spanish

Overrides current unit language setting, resets to Spanish

logout

Logs user out from the console

monitor

Defines, or redefines, a command and displays the output

no

Negates a command or set its defaults

nslookup <dotted-int | hex | ident>

Looks up the IP address of the given domain name from the configurable domain name servers

ping <dotted-int | hex | ident>

Sends ICMP packets to the destination IP address

remote-console

Executes a command without having to login

restart

Restarts the SonicWALL

restore

Restores the factory default settings on the Sonic­WALL

safemode

Boots OS in safemode to assist in troubleshooting

show access-rules

Displays the configured firewall access rules

show address-group

Displays all defined address groups

show address-group <string | ident>

Displays system address groups specified by particu­lar string or identifier input

show address-object

Displays all defined address objects

show address-object <string | ident>

Displays all defined address objects specified by par­ticular string or identifier input

show alerts

Displays defined alerts

show all

Displays the configuration information from differ­ent modules of the firewall

show arp

Displays currently known Address Resolution Proto­col (ARP) entries

show ars all

Displays all Advanced Routing System (ARS) paths

show ars nsm

Displays all ARS paths being managed through Net­work Status Management (NSM)

show ars ospf

Displays ARS paths using Open Shortest Path First (OSPF) protocol

show ars rip

Displays all ARS paths using Routing Informa­tion Protocol (RIP)

show baud

Displays current baud rate

show buf-memzone

Displays current available space in buffer memory zone

show build-info

Displays current OS build information

show continuous core-work

Displays continuous core work resources

show continuous core-work <int| hex>

Displays continuous core work resources specified by particular integer or hexidecimal input

show continuous interface

Displays all currently selected continuous traffic interfaces

show continuous interface <match>

Displays currently selected continuous traffic inter­face, specified by an indentifier

show continuous system

Displays all continuous system traffic

show continuous system <int | hex>

Displays continuous system traffic specified by a par­ticular integer or hexidecimal input

show core

Display CPU utility for a process

show core <int | hex>

Displays CPU utility for a process specified by an integer or hexidecimal input

show cp-stats

Display all CPU statistics

show cpu

Displays CPU and memory information

show cpu <string | ident>

Displays CPU and memory information, specified by a particular string or identifier input

show device

Displays on the console the contents of the status section of the Technical Support Report (TSR)

show firmware

Displays active running unit firmware

show fpa

Displays all file command data

show gms

Displays Global Management System configura­tion

show ha

Displays current High Availability configuration

show hw-stats

Displays hardware statistics

show interface <match>

Displays interface data specified by a particular identi­fier input

show interface all

Displays the configuration of all interfaces

show interface info

Displays all interface status information

show interface info <int | hex>

Displays interface status information specified by a particular integer or hexidecimal input

show interface statistics

Displays all interface statistics

show interface statistics <match>

Displays interface statistics specified by a particular indentifier input

show language

Displays current language setting

show log

Displays all logs unit has in its memory

show log-categories

Displays all current unit log categories

show log-filters

Displays all current unit log filter settings

show mem-pools

Displays unit’s current memory pool block alloca­tion

show memory

Displays system memory on the appliance

show memzone

Displays the status of virtual memory zones on the appliance

show messages

Displays all system messages

show multicore

Displays available multicore configuration and utiliza­tion status

show nat

Displays currently configured network address trans­lation policies

show netstat

Displays the contents of the netstat table

show network

Displays current network configuration

show pp-stats

Displays all presentation protocol statistics

show processes

Displays information about active SonicOS processes

show processes <string | ident>

Displays SonicOS processes specified by a particular string or indentifier input

show route

Displays the complete routing table

show security-services

Displays the complete status of all security services on the SonicWALL, including license status, licenses available, licenses in use, and license expiration dates

show service

Displays all services associated with the appliance, along with protocol group and port details

show service-groups

Displays all service groups associated with the appli­ance, along with protocol group and port details

show service-groups <group-name>

Displays a specified service group associated with the appliance

show service <service-name>

Displays a service associated with the appliance, based on the specific service name input

show session

Displays current running session information

show sonicpoint

Displays SonicPoint network configuration

show sonicpoint sessions

Displays all SonicPoint session statistics

show sonicpoint status

Displays SonicPoint network availability

show ssh

Displays all incoming and outgoing secure shell con­nections to the unit

show sslvpn all

Displays all current SSL-VPN data connected to the unit

show sslvpn clientRoutes

Displays all client routes associated with current SSL-VPN connections to the unit shown on the client routes GUI page

show sslvpn clientRoutes <string | ident>

Displays client routes associated with current SSL-VPN connections to the unit, specified by the partic­ular string or indentifier input

show sslvpn client Settings

Displays all current client settings associated with SSL-VPN connections to the unit shown on the cli­ent settings GUI page

show sslvpn connections

Displays all current SSL-VPN connections to the unit

show sslvpn portalSettings

Displays all current portal settings for SSL-VPN connections shown on the portal settings GUI page

show status

Displays current status of the appliance

show syslog

Displays all log activity, including connection sources and IP addresses

show system

Displays the appliance system status and configura­tion

show tech-support

Displays the contents of the TSR

show timeout

Displays maximum defined idle time duration

show tracelog all

Displays all available trace route data

show tracelog current

Displays currently running trace route data

show tracelog last

Displays most recently run trace route data

show tsr access-rules

Displays all defined access rules within the TSR

show tsr active-utm

Displays Technical Support Report listing active UTM units on the network

show tsr address-objects

Displays TSR of addresses listed within the object database

show tsr all

Displays all available TSR data

show tsr anti-spam

Displays TSR containing all anti-spam activity data

show tsr arp-cache

Displays TSR containing table relating IP addresses to corresponding MAC or physical addresses

show tsr av

Displays TSR data relating to anti-virus activity

show tsr buf-memzone

Displays TSR data relating to buffer memory zones

show tsr bwm-rules

Displays TSR listing currently configured bandwidth management rules

show tsr cache-check

Displays TSR data relating to cache searches

show tsr content-filtering

Displays TSR data relating to content filtering activity

show tsr db-trace

Displays TSR data relating to database trace routes

show tsr dhcp-client

Displays TSR data relating to DHCP client requests

show tsr dhcp-network-disk

Displays TSR data relating to DHCP requests between network and clients

show tsr dhcp-persistence

Displays TSR data relating the firewall’s ability to retain DHCP lease information

show tsr dhcp-relay

Displays TSR data relating to available DHCP relay information

show tsr dhcp-server

Displays TSR data relating to DHCP server connec­tions

show tsr dhcp-server-stat

Displays TSR data relating DHCP server statistics

show tsr diag

Displays TSR data relating to system diagnostics

show tsr dynamic-dns

Displays TSR data relating to dynamic domain name server records

show tsr ethernet

Displays TSR data relating to Ethernet connec­tions and availability

show tsr fdr

Displays TSR data relating to false discovery rate sta­tistics

show tsr gav

Displays TSR data relating to Gateway Anti-virus sta­tistics

show tsr gsc

Displays TSR data relating to Global Security Client statistics

show tsr guest-profile-objects

Displays TSR data relating to guest and profile data objects

show tsr h323

Displays TSR data relating to H.323 packet activity

show tsr ha

Displays TSR data relating to High Availability status

show tsr hypervisor

Displays TSR information relating to hypervisor data on multiple operating systems running on the host computer

show tsr idp

Displays TSR data relating to internet datagram protocol statistics

show tsr interfaces

Displays TSR data for all appliance interfaces

show tsr ip-helper

Displays TSR data relating to IP Helper configu­ration and settings

show tsr ip-reassembly

Displays TSR data relating to IP reassembly data­gram statistics

show tsr ipsec

Displays TSR data relating to internet protocol secu­rity statistics

show tsr l2tp-client

Displays TSR data relating to Layer 2 Tunneling Protocol (L2TP) client statistics

show tsr l2tp-server

Displays the L2TP server section of the TSR

show tsr ldap

Displays the LDAP section of the TSR

show tsr license

Displays TSR data relating to appliance licensing info

show tsr log

Displays TSR data section with all log informa­tion

show tsr management

Displays TSR listing appliance management policies

show tsr mcast-igmp-config

Displays TSR listing Multicast and IGMP configu­rations

show tsr memzone

Displays TSR listing appliance memory zone alloca­tions

show tsr mirror-state

Displays TSR data relating to database mirror state statistics

show tsr msn

Displays TSR data relating to the MSN messenger client

show tsr nat-policies

Displays TSR listing appliance’s current network address translation policies

show tsr network

Displays TSR data on current network configu­ration

show tsr objects

Displays TSR data on appliance’s object database

show tsr pki

Displays TSR data relating to current public key infra­structure certificates

show tsr pppoe-client

Displays TSR data relating to point-to-point- proto­col over Ethernet system settings

show tsr pptp-client

Displays TSR data relating to point-to-point tun­neling protocol client configuration

show tsr pref-status

Displays TSR listing appliance’s preferences status

show tsr product

Displays TSR data relating to the appliance product

show tsr qos

Displays TSR listing the appliance’s current Quality of Service resource reservations status

show tsr radius

Displays TSR data relating to RADIUS server status

show tsr route-policies

Displays TSR data relating to established system route policies

show tsr rtsp

Displays TSR data relating to Real Time Streaming Protocol statistics

show tsr schedule-objects

Displays TSR data relating to data objects scheduled for execution

show tsr service-objects

Displays the service object table subsection of the TSR

show tsr single-sign-on

Displays TSR data relating to single sign on authenti­cation policies

show tsr sip

Displays TSR data relating to the appliance’s Session Initiation Protocol settings

show tsr snmp

Displays TSR data relating to Simple Network Man­agement Protocol settings

show tsr sonicpoint

Displays TSR data relating to SonicPoint deployment

show tsr ssl-control

Displays TSR data relating to Secure Socket Layer control policies

show tsr stateful-stats

Displays TSR data detailing stateful packet inspection statistics

show tsr stateful-sync

Displays TSR data detailing appliance’s stateful synchronization configuration

show tsr status

Displays TSR data relating to current appliance status

show tsr time

Displays TSR data relating to appliance’s time policy configuration

show tsr timers

Displays the timers section of the TSR

show tsr update

Displays updated TSR

show tsr user-objects

Displays TSR data relating to currently defined user objects

show tsr users

Displays TSR data relating to currently config­ured user profiles

show tsr vx-net-stats

Displays TSR data relating to VX-Net statistics

show tsr wireless

(Available on UTM appliances with built in wireless interfaces)

Displays wireless interface section of the TSR

show tsr wlan-zone

Displays TSR data relating to managed wireless local area network zones

show tsr wlb

Displays TSR data relating to WLB platform statistics

show tsr zone-objects

Displays TSR data relating to currently defined zone objects

show vpn policy

Displays Virtual Private Network (VPN) policy con­figurations

show vpn policy <string | ident>

Displays VPN policies specified by a particular string or identifier input

show vpn sa

Displays current VPN security associations

show vpn sa detail

Displays detailed information on VPN security asso­ciations

show vpn sa summary

Displays a data summary on current VPN security associations

show vpn sa ike

Displays VPN security association Internet Key Exchange policies

show vpn sa ike detail

Displays detailed information on VPN security asso­ciation Internet Key Exchange policies

show vpn sa ike summary

Displays a data summary on VPN security association Internet Key Exchange policies

show vpn sa ipsec

Displays VPN security associations connected with IPSec routing protocols

show vpn sa ipsec detail

Displays detailed information on VPN security asso­ciations connected with IPSec routing protocols

show vpn sa ipsec summary

Displays a data summary on VPN security associa­tions connected with IPSec routing protocols

show vpn sa <string>

Displays a particular VPN security association, speci­fied by a particular string input

show vpn sa <string> detail

Displays details on a VPN security association, speci­fied by a particular string input

show vpn sa <string> summary

Displays a data summary on a security association, specified by a particular string input

show vpn sa <string> ike

Displays Internet Key Exchange data for a VPN security association, specified by a particular string input

show vpn sa <string> ike detail

Displays details for Internet Key Exchange data for a VPN security association, specified by a particular string input

show vpn sa <string> ike summary

Displays a summary for Internet Key Exchange data for a VPN security association, specified by a particu­lar string input

show vpn sa <string> ipsec

Displays IPSec data for a VPN security associa­tion, specified by a particular string input

show vpn sa <string> ipsec detail

Displays details for IPSec data for a VPN security association, specified by a particular string input

show vpn sa <string> ipsec summary

Displays a summary for IPSec data for a VPN secu­rity association, specified by a particular string input

show vpn sa <ident>

Displays VPN security associations, specified by a particular identifier input

show vpn sa <ident> detail

Displays details for a VPN security association, speci­fied by a particular identifier input

show vpn sa <ident> summary

Displays a summary for VPN security associa­tions, specified by a particular indentifier input

show vpn sa <ident> ike

Displays Internet Key Exchange data for a VPN security association, specified by a particular iden­tifier

show vpn sa <ident> ike detail

Displays detailed Internet Key Exchange data for VPN security associations, specified by a particular identified input

show vpn sa <ident> ike summary

Displays a summary on Internet Key Exchange data for VPN security associations, specified by a particu­lar identifier input

show vpn sa <ident> ipsec

Displays IPSec data for VPN security associa­tions, specified by a particular identifier input

show vpn sa <ident> ipsec detail

Displays detailed IPSec data for VPN security associ­ations, specified by a particular identifier input

show vpn sa <ident> ipsec summary

Displays a summary on IPSec data for VPN security associations, specified by a particular identifier input

show web-management

Displays web-management status and configura­tion data

show zone <lan | wan | dmz | wlan>

Displays all rules for a specified zone. For example, show zone <lan rules> displays all of the rules to and from the LAN zone

show zone all

Displays the configuration of all zones

show zones

Displays configurable zones on the appliance and interfaces associated with each zone

stacktrace

Runs report of the currently active stack frames

stacktrace <string | ident>

Runs report for a specific active set of stack frames, based on the particular string or identifier input

sync-prefs

Synchronizes preferences between appliances

synchronize-licenses

Synchronizes the SonicWALL licensing informa­tion with the mysonicwall.com backend

traceroute <dotted-int | hex | ident>

Displays router hops to destination, specified by dot­ted-integer, hexidecimal, or identifier input

Top Level Commands

Table 19: Configure Level Commands

Command Description

ACCESS RULES SUB-COMMANNDS

access-rules <from-zone> <to-zone>

Allows configuration of access rules between one zone and another

<add> commands

action <allow|deny|discard>

Sets the action to allow, deny, or discard an access rule

advanced

Allows configuration of advanced access rule settings

[no] allow-fragments

Allows/Disallows fragmented packets to be transferred

comment <comments>

Allows administrators to record com­ments related to this access rule

destination <address object>

Configures an address object destina­tion for an access rule

info

Displays current access rule

[no] logging

Enables/Disables access rule packet logging

maxconns <percentage>

Configures maximum number of connec­tions in a pool

qos dscp <none| preserve|explicit|map> [<arg>]

Sets DSCP packet header markings

qoa 802.1p <none| preserve|explicit|map> [<arg>]

Sets 802.1p Ethernet packet header mark­ings

[no] reflexive

Creates/Removes a reflexive access rule

schedule <schedule object>

Configures the schedule object for an access rule

service <service object>

Configures the service object for an access rule

source <address object>

Configures an address object source for an access rule

tcptimeout <minutes>

Sets TCP timeout in minutes

udptimeout <seconds>

Sets UDP timeout in seconds

user <user object>

Configures the user object for an access rule

delete <index>

Deletes specified index of access rules

list [<index>]

Displays one access rule whose index matches the specified value input. If index is not available, all access rules in the current zone to zone context will display

<modify> commands

<index>

Modifies specific access rules index

action <allow|deny|discard>

Modifies an allow, deny, or discard action relating to a specific access rule

advanced

Modifies an advanced access rule

[no] allow-fragments

Modifies whether fragmented packets are to be transferred

comment <comments>

Modifies comments related to access rules

destination <address object>

Modifies the destination address object for a specific access rule

info

Displays current or modifying access rule settings

[no] logging

Modifies whether packet logging is enabled for a specific access rule

qos dscp <none| preserve|explicit|map> [<arg>]

Modifies DSCP packet header markings

qos 802.1p <none| preserve|explicit|map> [<arg>]

Modifies 802.1p Ethernet packet header markings

maxconns <percentage>

Modifies maximum number of connec­tions in a pool

schedule <schedule object>

Modifies a schedule object connected to an access rule

service <service object>

Modifies the service object connected to an access rule

source <address object>

Modifies the source address object con­nected to an access rule

tcptimeout <minutes>

Modifies set TCP timeout limit in minutes

udptimeout <seconds>

Modifies set UDP timeout limit in sec­onds

user <user object>

Modifies the user-object connected with an access rule

show access-rules

Displays all currently configured access rules

ADDRESS GROUP/ADDRESS OBJECT SUB-COMMANDS

abort

Exits to top-level menu and cancels changes where needed

[no] address-object <object name>

Configures or modifies an address object

[no] address-group <group name>

Configures or modifies an address group

cancel

Cancel from menu without applying changes

end

Exits configuration mode

exit

Exits menu and applies changes

finished

Exits to top-level and applies changes where needed

host <ip address>

Configures the host IP address for the spe­cific address object

info

Displays current address group configu­ration

network <subnet> <netmask>

Configures network subnet and netmask

range <begin-address> <end address>

Defines address range for the address group or address object

zone <zone name>

Configures a zone for the specified address object or group

ARP SUB-COMMAND

[no] arp <ip address> <MAC address> interface <lan|wan|dmz>[perm][pub]

Adds or removes arp entries for specified interface(s)

GMS SUB-COMMANDS

<gms>

algorithm <des-md5|frd3-sha>

Sets GMS encryption and authentication algorithm

[no] authentication-key <hex key>

Sets the 32-hex or 40-hex authentication key to communicate with the GMS server

[no] behind-nat

Enables GMS behind a NAT device

bound-interface <x1|x2|x3|x4|x5>

Binds a VPN policy to an interface

[no] enable

Enables GMS management on a Sonic­WALL

encryption-key <hex key>

set the 16-hex/48-hex encryption key to communicate with the GMS server

end

Exits configuration menu

finished

Exits configuration mode to top menu

help <command>

Displays command and description

info

Displays current GMS configuration state

[no] nat-address <IP Address>

Sets the public NAT IP address that the GMS server resides behind

[no] over-vpn

Enables GMS server locally or over VPN

[no] send-heartbeat

Sends heart beat status messages only

[no] server <IP Address>

Sets the real IP address of the GMS server

[no] standby-management-sa

Enables the backup SA for GMS manage­ment

syslog-port <uvalue|(default)>

Sets the syslog server port of the GMS server

HIGH AVAILABILITY SUB-COMMAND

ha <disable|enable>

Enables or disables the High Availability function

NAT SUB-COMMANDS

nat

Accesses sub-commands to configure NAT policies

<add> commands

orig-src <original source object>

Sets the original source object for this policy

trans-src <translated source object>

Sets the translated source object for this pol­icy

orig-dst <original destination source object>

Sets the original destination source object for this policy

orig-svc <original service name>

Sets the original service name for this policy

trans-svc <translated service name>

Sets the translated service name for this pol­icy

inbound-interface <inbound interface>

Sets the inbound interface for this policy

outbound-interface <outbound inter­face>

Sets the outbound interface for this policy

[no] enable

Enables/Disables a NAT policy once it has been created

[no] reflexive

Creates/Removes a reflexive NAT policy once it has been saved

comment <comments>

Allows administrator to leave com­ments relating to a NAT policy

info

Displays currently configured NAT ele­ment settings

<delete> commands

delete <item-number>

Deletes a specific NAT policy

<modify> commands

<item-number>

Allows modification of a specific NAT pol­icy

[no] enable

Enables/Disables a specific NAT policy

[no] comment <comments>

Allows administrator to modify comments relating to a NAT policy

orig-src <original source object>

Modifies the original source object for this policy

trans-src <translated source object>

Modifies the translated source object for this policy

orig-dst <original destination address object>

Modifies the original destination address object for this policy

trans-dst <translated destination address object>

Modifies the translated destination-address object for this policy

orig-svc <original service name>

Modifies the name of the original service

trans-svc <translated service name>

Modifies the translated service name

inbound-interface <inbound interface>

Modifies the inbound interface for NAT

outbound-interface <outbound inter­face>

Modifies the outbound interface for NAT

info

Displays current object or modifying object

ROUTE SUB-COMMANDS

route ars-nsm

Configures the Advanced Routing Suite for the NSM module

route ars-ospf

Configures the Advanced Routing Suite for the OSPF module

route ars-rip

Configures the Advanced Routing Suite for the RIP module

SERVICE SUB-COMMANDS

service

Accesses sub-commands to configure indi­vidual services

<add> commands

<service name>

Allows configuration of a new service type to be associated to the appliance

<group name>

Allows configuration of a new service group name

[no] service <service name>

Allows/Removes configuration of service type

ip-type <ip type>

Allows ip-type to be set for a particular ser­vice

port-begin <port>

Sets the start point for a service’s port range

port-end <port>

Sets the endpoint for a service’s port range

info

Allows additional values to be added for the specific service

subtype <x>

Sets the subtype for the selected ip-type

<delete> commands

<group name>

Deletes the specifically named service group

<service name>

Deletes the specifically named service type

<modify> com­mands

<service name>

Allows modification of a service name

<group name>

Modifies the name of a specified service group

ip-type <ip type>

Modifies the ip-type for this particular ser­vice

port-begin <port>

Modifies the start port for this range

port-end <port>

Modifies the end port for this range

[no] service <service name}

Modifies/deletes specified service type

subtype <x>

Modifies the subtype for this specific ip-type

[info]

Optional, displays service values for service name, protocol, and port range

SONICPOINT SUB-COMMANDS

<sonicpoint>

<string>

Configures a SonicPoint profile

sync

Synchronizes configured SonicPoints

country-code <US|CA>

Sets applicable country code for a Son­icPoint

[no] delete

Deletes an operational SonicPoint from a deployment

[no] enable

Enables or disables a configured Son­icPoint

end

Exits configuration mode

exit

Exits menu and applies changes

finished

Exits to top-level and applies changes where needed

info

Displays information on a specific Son­icPoint

[no] radio-a enable

Enables or disables 802.11a radio band wire­less connections

radio-a acl allow <string>

Adds a specific MAC address to the Access Control List (ACL) to allow 802.11a radio band wireless connections to a Son­icPoint

radio-a acl deny <string>

Adds a specific MAC address to the denied Access Control List, preventing 802.11a radio band wireless connections to a SonicPoint

[no] radio-acl enable

Enables or disables the Access Control List feature on 802.11a radio

radio-a acl mode <deny|allow| disabled|enabled>

Sets Access Control List enforcement

radio-a acl object-handle <string>

Sets 802.11a radio ACL to allow list object handle

radio-a antenna-diversity <one|two|both>

Sets which antenna (left, right, or both) the SonicPoint uses to send and receive data

radio-a authtype <both|open|psk|shared>

Sets the method type for authentication to be both, open, WPA/PSK, or WEP-shared

radio-a beacon-interval <uvalue>

Sets the interval (in milliseconds) between broadcasts of the wireless beacon

radio-a channel <uvalue>

Sets the radio channel the SonicPoint will operate on

radio-a datarate <6|9|12|18|24|36|48|54| best>

Sets the data rate at which data is transmitted and received to either the best possible rate, or a specified rate

radio-a dtim <uvalue>

Sets 802.11a radio DTIM, which is the num­bers of beacon frames that must occur before the radio sends buffered multicast frames

radio-a frag-thresh <uvalue>

Sets the number of bytes of frag­mented data for the SonicPoint to allow

[no] radio-a hide-ssid

Sets SSID to be broadcast as part of the wireless beacon, rather than as a separate broadcast

radio-a maxclients <uvalue>

Sets maximum number of clients that can the SonicPoint can support at one time

radio-a radio-mode <standard|turbo>

Sets radio mode to standard or turbo

radio-a rts-thresh <uvalue>

Sets the RTS threshold in bytes

radio-a sched-onoff <string>

Sets the on/off schedule string for 802.11a radio

radio-a sched-scan <string>

Sets a convenient time to schedule an Intru­sion Detection Scan (IDS)

radio-a ssid <string>

Sets Service Set Identifier (SSID) identify­ing a particular SonicPoint

radio-a txpower <eighth|full|half| minimum|quarter>

Sets Transmit Power Control level strength

radio-a wep key-value <1-4> <string>

Sets the 802.11a radio WEP key value for each encryption key slot

radio-a wep default-key <uvalue>

Sets the SonicPoint’s default WEP key index

radio-a wep key-mode <64bit|128bit|152bit| none>

Sets WEP key mode, establishing character length of encryption

radio-a wep key-type <alpha|hex>

Sets type of WEP key for encryption

radio-a wpa cipher <aes|auto|tkip>

Sets the cipher type system used by the WPA to either AES, AUTO, or TKIP

radio-a wpa interval <uvalue>

Sets the length of time between re-key­ing the WPA key

radio-a wpa psk <string>

Sets WiFi Protected Access Pre-shared key passphrase

[no] radio-g enable

Enables or disables 802.11g radio band wire­less connections

[no] radio-g acl enable

Enables or disables the Access Control List

radio-g acl allow <string>

Adds a specific MAC address to the Access Control List (ACL) to allow 802.11g radio band wireless connections to a Son­icPoint

radio-g acl deny <string>

Adds a specific MAC address to the denied Access Control List, preventing 802.11g radio band wireless connections to a SonicPoint

radio-g acl mode <deny|allow| disabled|enabled>

Sets Access Control List enforcement

radio-g acl object-handle <string>

Sets 802.11g radio ACL to allow list object handle

radio-g antenna-diversity <one|two|both>

Sets which antenna the SonicPoint uses to send and receive data

radio-g authtype <both|open|psk|shared>

Sets the method type for authentication

radio-g beacon-interval <uvalue>

Sets the interval (in milliseconds) between broadcasts of the wireless beacon

radio-g channel <uvalue>

Sets the channel the radio will operate on

radio-g datarate <b1|b11|b2|b5|best|g1|g11|g12|g18|g2|g24|g36|g48| g5|g54|g6|g9|super108| super12|super18|super24| super36|super48|super72| super96>

Sets the data rate at which data is transmitted and received

radio-g dtim <uvalue>

Sets 802.11g radio DTIM, which is the num­bers of beacon frames that must occur before the radio sends buffered multicast frames

radio-g frag-thresh <uvalue>

Sets the number of bytes of fragmented data for the SonicPoint to allow

[no] radio-g g-only

Allows only 802.11g clients to connect

[no] radio-g hide-ssid

Sets SSID to be broadcast as part of the wireless beacon, rather than as a separate broadcast

radio-g maxclients <uvalue>

Sets maximum number of clients that can the SonicPoint can support at one time

radio-g ofdm-power <uvalue>

Sets the difference in radio transmit power allowed between 802.11g and 802.11b modes

[no] radio-g preamble-long

Sets the length of the initial wireless commu­nication when associating with the host

radio-g protection mode <always|none>

Sets the protection mode; None is the default

radio-g protection rate <1|2|5|11>

Sets the speed for CTS or RTS protec­tion

radio-g protection type <cts-only|rts-cts>

Sets the protection type

radio-g radio-mode <b|g|super-g>

Sets radio mode. If super-g is selected, all cli­ents must use access cards that support this mode

radio-g rts-thresh <uvalue>

Sets the RTS threshold in bytes

radio-g ssid <string>

Sets Service Set Identifier identifying a par­ticular SonicPoint

radio-g sched-onoff <string>

Sets the on/off schedule string for 802.11g radio

radio-g sched-scan <string>

Sets a convenient time to schedule an Intru­sion Detection Scan (IDS)

[no] radio-g short-slot

Allows clients to disassociate and re-associate more quickly

radio-g txpower <eighth|full|half| minimum|quarter>

Sets Transmit Power Control strength

radius1 address <ip address>

Sets the IP address location of the RADIUS authentication server

radius1 port <port>

Sets the port for authentication through the RADIUS server

radius1 secret <string>

Sets the secret passcode for the RADIUS authentication server

radius2 address <ip address>

Sets the IP address for the backup RADIUS authentication server

radius 2 port <port>

Sets the port for authentication through the backup RADIUS server

radius2 secret <string>

Sets the secret passcode for the backup RADIUS authentication server

SSH SUB-COMMANDS

ssh enable <interface>

Enables SSH management for the speci­fied interface

ssh genkey

Creates a new key to use with SSH

ssh port <port>

Assigns the SSH port or resets to the default port

ssh restore

Restores SSH management settings to defaults

ssh terminate

Stops all SSH sessions, disables all SSH man­agement, and resets the port

SSL VPN SUB-COMMANDS

sslvpn client

Configures or modifies SSL VPN client settings

sslvpn portal

Configures or modifies SSL VPN portal set­tings

sslvpn settings

Configures or modifies SSL VPN settings

TIMEOUT SUB-COMMAND

timeout <minutes>

Sets login timeout in minutes

VPN SUB-COMMANDS

[no] vpn <enable|disable> <policy name>

Enables or disables VPN for a specific pol­icy

[no] vpn policy <policy-name> [pre­shared| manual|cert]

Enables or disables a specific VPN policy

VPN SUB-COMMANDS (PRE-SHARED SECRET)

abort

Exits to top-level menu and cancels changes where needed

[no] advanced apply-nat <local|remote> <translated address object>

Enable or disable translation of the local and/or remote networks communicat­ing with this VPN tunnel

[no] advanced auto-add-rule

Enables or disables the auto-add access rule

advanced bound-to interface <inter­face>

Binds VPN policy to specific interface

advanced bound-to zone <zone>

Binds VPN policy to a specific zone

[no] advanced default-lan-gw <ip address>

Sets the default LAN domain gateway for VPN tunnel traffic

[no] advanced keepalive

Enables or disables heartbeat messages between peers on this VPN tunnel

[no] advanced management http

Enables or disables HTTP as the manage­ment method security association

[no] advanced management https

Enables or disables HTTPS as the manage­ment method security association

[no] advanced multicast

Enables IP multicasting traffic to pass through the VPN tunnel

[no] advanced netbios

Enables or disables Windows Network­ing (NetBIOS) Broadcast

[no] advanced use-xauth <group-name>

Configures or removes the specified user group for XAUTH users

[no] advanced user-login http

Enables or disables required user login through HTTP

[no] advanced user-login https

Enables or disables required user login through HTTPS

cancel

Cancel from menu without applying changes

end

Exits VPN configuration mode

exit

Exits menu and applies changes

finished

Exits to top-level and applies changes where needed

gw domain-name <domain name>

Sets the primary gateway domain name

gw ip-address <ip address>

Sets the primary gateway IP address

id local <domain-name|email address|ip-address|sonicwall-id> <our id>

Sets the name and IP address of the local connection

id remote <domain name|email address|ip-address|sonicwall-id> <their id>

Sets the name and IP address of the remote connection

info

Displays information on a specific VPN pol­icy

network local <address-object> <address object string>|any|dhcp>

Sets a local network for the VPN tunnel, or configures the network to obtain IP addresses using DHCP

network remote <address- object<address object string>|any|dhcp>

Sets a specific VPN tunnel as the default route for all incoming Internet traffic

pre-shared-secret <string>

Established specified preshared secret

proposal ike [<main|aggressive|ikev2>] [encr <des|triple-des|aes-128|aes-192|aes-256>] [auth <md5|sha1>] [dh <1|2|5>] [lifetime <seconds>]

Sets the desired IKE encryption suite con­figurations for VPN tunnel traffic

proposal ipsec [<esp|ah>] [encr <des|triple-des|aes-128|aes-192|aes-256>] [auth <md5|sha1>] [dh <1|2|5>] [lifetime <seconds>]

Sets encryption settings for IPSec proposal

sec-gw domain-name <domain name>

Sets the secondary gateway domain name

sec-gw ip-address <ip address>

Sets the secondary gateway’s IP address

VPN SUB-COMMANDS (MANUAL KEY)

abort

Exits to top-level menu and cancels changes where needed

[no] advanced apply-nat <local|remote> <translated address object>

Enable or disable translation of the local and/or remote networks communicat­ing with this VPN tunnel

[no] advanced auto-add-rule

Enables or disables the auto-add access rule

advanced bound-to interface <inter­face>

Binds VPN policy to specific interface

advanced bound-to zone <zone>

Binds VPN policy to a specific zone

[no] advanced keepalive

Enables or disables heartbeat messages between peers on this VPN tunnel

[no] advanced management http

Enables or disables HTTP as the manage­ment method security association

[no] advanced managment https

Enables or disables HTTPS as the manage­ment method security association

[no] advanced multicast

Enables IP multicasting traffic to pass through the VPN tunnel

[no] advanced netbios

Enables or disables Windows Network­ing (NetBIOS) Broadcast

[no] advanced use-xauth <group name>

Configures or removes the specified user group for XAUTH users

[no] advanced user-login http

Enables or disables required user login through HTTP

[no] advanced user-login https

Enables or disables required user login through HTTPS

cancel

Cancel from menu without applying changes

end

Exits configuration mode

exit

Exits menu and applies changes

finished

Exits to top-level and applies changes where needed

gw domain-name <domain name>

Sets the primary gateway domain name

gw ip-address <ip address>

Sets the primary gateway IP address

info

Displays information on a specific VPN pol­icy

network local <address object <address object string> | any>

Sets a local network for the VPN tunnel, or configures the network to obtain IP addresses using DHCP

network remote <address object <address object string> | any>

Sets a specific VPN tunnel as the default route for all incoming Internet traffic

proposal ipsec [<esp|ah>] [encr <des|triple-des|aes-128|aes-192|aes-256>] [auth <md5|sha1>] [dh <1|2|5>] [lifetime <seconds>]

Sets encryption settings for IPSec pro­posal

sa [in-spi <Incoming SPI>] [out-spi <Outgoing SPI>] [encr-key <Encryp­tion Key>] [auth-key <Authentication Key>]

Sets hexidecimal incoming and outgoing Security Parameter Index (SPI) to allow the SonicWALL to uniquely identify all secu­rity associations

VPN SUB-COMMANDS (3rd PARTY CERTIFICATE)

abort

Exits to top-level menu and cancels changes where needed

[no] advanced apply-nat

Enable or disable translation of the local and/or remote networks communicat­ing with this VPN tunnel

[no] advanced auto-add-rule

Enables or disables the auto-add access rule

advanced bound-to interface <inter­face>

Binds VPN policy to specific interface

advanced bound-to zone <zone>

Binds VPN policy to a specific zone

[no] advanced default-lan-gw <ip address>

Sets the default LAN gateway for VPN tun­nel traffic

[no] advanced keepalive

Enables or disables heartbeat messages between peers on this VPN tunnel

[no] advanced management http

Enables or disables HTTP as the manage­ment method security association

[no] advanced managment https

Enables or disables HTTPS as the manage­ment method security association

[no] advanced multicast

Enables IP multicasting traffic to pass through the VPN tunnel

[no] advanced netbios

Enables or disables Windows Network­ing (NetBIOS) Broadcast

[no] advanced ocsp <url>

Enables use of Online Certificate Status Protocol (OCSP) to check VPN certificate status and specifies the URL where to check the certificate status

[no] advanced use-xauth <group name>

Configures or removes the specified user group for XAUTH users

[no] advanced user-login http

Enables or disables required user login through HTTP

[no] advanced user-login https

Enables or disables required user login through HTTPS

cancel

Cancel from menu without applying changes

cert <certname>

Selects a certificate for the SonicWALL

end

Exits configuration mode

exit

Exits menu and applies changes

finished

Exits to top-level and applies changes where needed

gw domain-name <domain name>

Sets the primary gateway domain name

gw ip-address <ip address>

Sets the primary gateway IP address

id remote <domain name | email address | distinguished name> <peer-id>

Sets peer IKE ID type

info

Displays information on a specific VPN pol­icy

network local <address object <address object string> | any>

Sets a local network for the VPN tunnel, or configures the network to obtain IP addresses using DHCP

network remote <address object <address object string> | any>

Sets a specific VPN tunnel as the default route for all incoming Internet traffic

proposal ike [<main|aggressive|ikev2>] [encr <des|triple-des|aes-128|aes-192|aes-256>] [auth <md5|sha1>] [dh <1|2|5>] [lifetime <seconds>]

Sets the desired IKE encryption suite con­figurations for VPN tunnel traffic

proposal ipsec [<esp|ah>] [encr <des|triple-des|aes-128|aes-192|aes-256>] [auth <md5|sha1>] [dh <1|2|5>] [lifetime <seconds>]

Sets encryption settings for IPSec pro­posal

sec-gw domain-name <domain name>

Sets the secondary gateway domain name

sec-gw ip-address <ip address>

Sets the secondary gateway’s IP address

SSL VPN CLIENT SUB-COMMANDS

abort

Exits to top-level menu without applying changes

address <start ip address> <end ip address> <interface>

Sets the global IP address pool from which NetExtender clients are assigned an IP address

[no] auto-update

Enables/Disables auto-update which assists users in updating their NetExtender client when a newer version is required to establish a connection

cache-username-password <username-only | password-username | prohibit>

Sets the user name and password cache pol­icy used for the NetExtender client

cancel

Exits from menu without applying changes

[no] client-communicate

Enables/Disables traffic between hosts con­necting to server with NetExtender

[no] create-connection-profile

Enables/Disables NetExtender client’s abil­ity to create a connection profiles

dns-domain <DNS domain name>

Sets the DNS domain which is the NetEx­tender client DNS-specific suffix

dns1 <ip address>

Sets the primary DNS server IP address to be used by all NetExtender clients

dns2 <ip address>

Sets the secondary DNS server IP address to be used by all NetExtender clients

end

Exits SSL VPN configuration mode

exit

Exits menu and applies changes

[no] exit-after-disconnect

Enables/Disables the forcing of a NetEx­tender client to exit after disconnect­ing from the server

finished

Exits to top-level and applies changes where needed

help

Displays available sub-commands for SSL VPN client configuration

info

Displays SSL VPN client settings

no

Inverts sense of a command

show

Invokes show commands

sslvpn-access <LAN|WAN|DMZ|WLAN>

Enables SSL VPN access on specified zone

[no] uninstall-after-exit

Enables/Disables automatic uninstall of NetExtender clients after exit

user-domain <user domain name>

Sets the user domain to which all SSL VPN users belong

wins1 <ip address>

Sets the primary WINS server IP address

wins2 <ip address>

Sets the secondary WINS server IP address

SSL VPN PORTAL SUB-COMMANDS

abort

Exits to top-level menu without applying changes

[no] auto-launch

Enables/Disables automatic launch of NetExtender after a user logs into the portal

banner-title <portal banner title name>

Sets the portal banner title that displays next to the logo on the portal home page

[no] cache-control

Enables/Disables the use of some HTML META tags to tell browser to cache UI files in portal pages

cancel

Exits the menu without applying changes

custom logo <url>

Sets a customized logo to be used on the portal page. The URL entered must be valid and reachable by the unit.

[no] default-logo

Enables/Disables the use of the default SonicWALL logo on the portal page

[no] display-cert

Enables/Disables the display of the button to import the SSL VPN server certificate

end

Exits SSL VPN portal configuration

exit

Exits menu and applies changes

finished

Exits to top-level menu and applies changes

help

Displays available subcommands for SSL VPN portal settings

info

Displays current SSL VPN portal settings

no

Inverts sense of a command

show

Invokes show commands

site-title <portal site title name>

Sets the portal HTML page title that displays in the browser window’s title

SSL VPN ROUTE SUB-COMMANDS

abort

Exits to top-level menu without applying changes

add-routes <address object name>

Adds an address object as a client route entry

cancel

Exits from menu without applying changes

delete-routes <address object name>

Deletes specified SSL VPN client route entry, identified as an address object

end

Exits SSL VPN client routes configuration mode

exit

Exits menu and applies changes

finished

Exits to top-level menu and applies changes

help

Displays available subcommands for SSL VPN client routes settings

info

Displays current SSL VPN client routes set­tings

no

Inverts sense of a command

show

Invokes show commands

[no] tunnel-all

Enables/Disables tunnel all mode which configures the NetExtender client to tun­nel all traffic over the SSL VPN connection

WEB MANAGEMENT SUB-COMMANDS

[no] web-management otp enable

Configures one-time password for VPN user access to the appliance

Table 20: LAN Interface Configuration

Command   Description

interface <x0|x1|x2|x3|x4|x5> [<lan|wan|dmz>]

Assigns zone and enters the configuration mode for the interface

auto

Sets the interface to auto negotiate

comment <string>

Adds comment as part of the port configu­ration

duplex <full|half>

Sets the interface duplex speed

end

Exits the configuration mode

finished

Exits configuration mode to the top menu

help <command>

Displays the command and description

[no] https-redirect enable

Enables or disables https redirect on the interface

info

Displays information about the interface

show interface all

Displays the configuration of all inter­faces

[no] management <http|https|ping|snmmp|ssh> enable

Enables or disables specified management protocol on the interface

[no] user-login <http|https>

Configures user-login protocol for the inter­face

LAN MODE

Enters the LAN configuration mode

<lan>

end

Exits configuration mode

finished

Exits configuration mode to top menu level

help <command>

Displays the command and description

info

Displays information about the interface

ip <IP Address> netmask <mask>

Sets the IP address for the interface

name <interface name>

Sets the name for the interface

speed <10|100>

Sets the interface speed

Table 21: WAN Interface Configuration

Command   Description

<wan>

auto

Sets the interface to auto-negotiate

bandwidth-management enable

Enables bandwidth management

bandwidth-management size <uvalue>

Sets the bandwidth management size

comment <string>

Adds comment as part of the port configu­ration

duplex <full|half>

Sets the interface duplex speed

end

Exits the configuration mode

finished

Exits configuration mode to the top menu

fragment-packets

Enables/disables fragmentation of packets larger than the interface MTU

ignore-df-bit

Enables/disables ignoring the don’t frag­ment bit

help <command>

Displays the command and description

[no] https-redirect enable

Enables or disables https redirect on the interface

info

Displays information about the interface

[no] management <http|https|ping|snmmp| ssh> enable

Enables or disables specified management protocol on the interface

[no] user-login <http|https>

Configures user-login protocol for the inter­face

mode <static|dhcp|pptp|l2tp|pppoe>

Sets the mode for the WAN interface and enters the mode configuration

Mode Static WAN Interface Configura­tion

[no] dns <IP Address>

Enters or removes IP address of DNS serv­ers

end

Exits configuration mode

finished

Exits configuration mode to top menu

gateway <IP Address>

Sets or removes default gateway for the interface

help <command>

Displays help for given command

info

Displays IP information about the interface

[no] ip <IP Address>

Sets the IP address for the interface

Mode DHCP WAN Interface Configura­tion

end

Exits configuration mode

finished

Exits configuration mode to top menu

help <command>

Displays help for given command

info

Displays IP information about the interface

[no] hostname <string>

Sets the hostname for the interface

release

Releases IP address information

renew

Renews IP address information

Mode PPTP WAN Interface Configura­tion

[no] dynamic

Sets the SonicWALL to obtain the IP address dynamically

end

Exits configuration mode

finished

Exits configuration mode to top menu

help <command>

Displays help for given command

[no] hostname <string>

Clears/Sets PPTP hostname

[no] inactivity

Enables/disables the PPTP inactivity timer

timeout <uvalue>

Sets/Clears the PPTP inactivity timeout

info

Displays IP information about the interface

[no] ip <IP Address>

Sets/Clears the IP address for the interface

[no] password <quoted string>

Sets/Clears the PPTP password

[no] server ip <IP Address>

Sest/Clears the PPTP server IP address

start

stop

[no] username <string>

Sets/Clears the PPTP username

L2TP WAN Configuration Mode

[no] dynamic

Sets the SonicWALL to obtain the IP address dynamically

end

Exits configuration mode

finished

Exits configuration mode to top menu

help <command>

Displays help for given command

[no] hostname <string>

Clears/Sets L2TP hostname

[no] inactivity

Enables/disables the L2TP inactivity timer

timeout <uvalue>

Sets/Clears the L2TP inactivity timeout

info

Displays IP information about the interface

[no] ip <IP Address>

Sets/Clears the IP address for the interface

[no] password <quoted string>

Sets/Clears the L2TP password

[no] server ip <IP Address>

Sets/Clears the L2TP server IP address

start

stop

[no] username <string>

Sets/Clears the L2TP username

mtu <uvalue>

Sets the MTU of the interface

name <interface name>

Sets the name for the interface

speed <10|100>

Sets the interface speed

Other Interface Configuration

auto

Sets the interface to autonegotiate

comment <string>

Adds a comment as part of the force config­uration

duplex <full|half>

Sets the interface duplex speed

end

Exits configuration mode

finished

Exits configuration mode to top menu

help <command>

Displays help for given command

info

Displays IP information about the interface

name <interface name>

Sets the name for the interface

speed <10|100>

Sets the interface to autonegotiate

[no] log categories [all]

Assigns/clears logging categories

Log Category Infor­mation

[no] all

Assigns/clears all logging categories

[no] attack

Assigns/clears attack logging category

[no] blocked-code

Assigns/clears blocked code logging cate­gory

[no] blocked-sites

Assigns/clears blocked sites logging cate­gory

[no] connection

Assigns/clears connection logging category

[no] conn-traffic

Assigns/clears conn traffic logging category

[no] debug

Assigns/clears debug logging category

end

Exits configuration mode

finished

Exits configuration mode to top menu

help <command>

Displays help for given command

[no] icmp

Assigns/clears ICMP logging category

info

Displays IP information about the interface

[no] lan-icmp

Assigns/clears LAN-ICMP logging category

[no]lan-tcp

Assigns/clears LAN-TCP logging category

[no]lan-udp

Assigns/clears LAN-UDP logging category

[no]maintenance

Assigns/clears maintenance logging cate­gory

[no] mgmt-80211b

Assigns/clears 80211b management logging category

[no] modem-debug

Assigns/clears modem debugging logging category

[no] sys-env

Assigns/clears sys env logging category

[no] sys-err

Assigns/clears sys error logging category

[no] tcp

Assigns/clears TCP logging category

[no] udp

Assigns/clears UDP logging category

[no] user-activity

Assign/clear user-activity logging category

[no] vpn-stat

Assigns/clears vpn-stat logging category

[no] vpn-tunnel-status

Assigns/clears vpn tunnel status logging cat­egory

[no] log filter-time <uvalue>

Assigns/clears log filter time

log ordering <choices> [invert]

Assign/clear ordering method when display­ing log entries

name <string>

Sets/clears the firewall name

[no] route default <IP address>

Assigns clear default route

[no] route <Destination> <Netmask> <Gateway> [metric <route metric>]

Assigns clear static routes

[no] web-management http enable <x0 | x1 | x2 | x3 | x4 | x5>

Enables/disables HTTP web management

web-management http port <tcp port or 'default'>

Assigns the HTTP web management port or reset to default

[no] web-management https enable <x0 | x1 | x2 | x3 | x4 | x5>

Enables/disables HTTPS web management

web-management https port <tcp port or 'default'>

Assigns the HTTPS web management port or resets to default

web-management restore

Restores default web-management port and interface assignments

zone <wan|lan|dmz>

Enters the zone configuration menu

end

Exits configuration mode

finished

Exits configuration mode to top menu

[no] intrazone-communications

Enables/disables intra-zone communica­tions

auto

Sets the interface to autonegotiate

bandwidth-management enable

Enables bandwidth management

bandwidth-management size <uvalue>

Sets the bandwidth management size

comment <string>

Adds comment as part of the port configu­ration

duplex <full|half>

Sets the interface duplex speed

end

Exit the configuration mode

finished

Exit configuration mode to the top menu

fragment-packets

Enable/disable fragmentation of packets larger than the interface MTU

ignore-df-bit

Enable/disable ignoring the don’t fragment bit

show zone all

Displays the configuration of all zones

[no] sslvpn-access

Configures SSL VPN access on the zone

<guest services>

SUB-COMMANDS

abort

Exits to top-level menu and cancels changes where needed

bypass antivirus

Configures the zone’s bypass settings for anti-virus

bypass auth <string|identifier

Configures the zone’s bypass authentica­tion based on string or identifier input

custom enable

Enables custom authentication page settings

custom footer-text <string|identifier

Configures custom footer text for the authentication page

custom footer-type <text|url>

Configures custom footer text font for the authentication page

custom header-text <string|identifier>

Configures custom header text for the authentication page

custom header-type <text|url>

Configures custom header text font for the authentication page

deny <string|identifier>

Configures deny settings for access to the zone

enable

Enables WGS

end

Exits upon configuring WGS settings

exit

Exits menu and applies changes

finished

Exits to top-level menu and applies changes where needed

help

Displays help commands for this menu

info

Displays current WGS configuration state

maxguests <value>

Sets maximum guest limit for the zone at specified value

no

Inverts sense of a command

pass <string|identifier>

Allows traffic through zone from the speci­fied network

post enable

Enables guests to be directed to a landing page post-authentication

post url <string|identifier>

Configures which URL guests are directed to after authentication

show

Invoke show commands

smtp-redirect <string|identifier>

Configures SMTP redirect settings for the zone

Configuring Site-to-Site VPN Using CLI

This section describes how to create a VPN policy using the Command Line Interface. You can configure all of the parameters using the CLI, and enable the VPN without using the Web management interface.

Note: In this example, the VPN policy on the other end has already been created.

CLI Access

  1. Use a DB9 to RJ45 connector to connect the serial port of your PC to the console port of your firewall.
  2. Using a terminal emulator program, such as TerraTerm, use the following parameters:
  3. You may need to hit return two to three times to get to a command prompt, which will look similar to the following:

    4. TZ200>

    If you have used any other CLI, such as Unix shell or Cisco IOS, this process should be relatively easy and similar. It has auto-complete so you do not have to type in the entire command.

  4. When a you need to make a configuration change, you should be in configure mode. To enter configure mode, type configure.

TZ200 > configure

(config[TZ200])>

The command prompt changes and adds the word config to distinguish it from the normal mode. Now you can configure all the settings, enable and disable the VPNs, and configure the firewall.

Configuration

In this example, a site-to-site VPN is configured between two TZ 200 appliance, with the following settings:





















Local TZ 200 (home):WAN IP: 10.50.31.150LAN subnet: 192.168.61.0 Mask 255.255.255.0Remote TZ 200 (office):WAN IP: 10.50.31.104LAN subnet: 192.168.15.0Mask: 255.255.255.0Authentication Method: IKE using a Pre-Shared KeyPhase 1 Exchange: Main ModePhase 1 Encryption: 3DESPhase 1 Authentication SHA1Phase 1 DH group: 2Phase 1 Lifetime: 28800Phase 2 Protocol: ESPPhase 2 Encryption: 3DESPhase 2 Authentication: SHA1Phase 2 Lifetime: 28800No PFS

  1. In configure mode, create an address object for the remote network, specifying the name, zone assignment, type, and address. In this example, we use the name OfficeLAN:

    2. (config[TZ200]> address-object Office LAN(config-address-object[OfficeLAN])>

    Note: The prompt has changed to indicate the configuration mode for the address object.



    (config-address-object[OfficeLAN])> zone VPN(config-address-object[OfficeLAN])> network 192.168.15.0 255.255.255.0(config-address-object[OfficeLAN])> finished

  2. To display the address object, type the command show address-object [name]:

    3. TZ200 > show address-object OfficeLAN

    The output will be similar to the following:



    address-object OfficeLANnetwork 192.168.15.0 255.255.255.0zone VPN

  3. To create the VPN policy, type the command vpn policy [name] [authentication method]:

    4. (config[TZ200])> vpn policy OfficeVPN pre-shared(config-vpn[OfficeVPN])>

    Note: The prompt has changed to indicate the configuration mode for the VPN policy. All the settings regarding this VPN will be entered here.

  4. Configure the Pre-Shared Key. In this example, the Pre-Shared Key is sonicwall:

    5. (config-vpn[OfficeVPN])> pre-shared-secret sonicwall

  5. Configure the IPSec gateway:

    6. (config-vpn[OfficeVPN])> gw ip-address 10.50.31.104

  6. Define the local and the remote networks:

    7. (config-vpn[OfficeVPN])> network local address-object "LAN Primary Subnet"(config-vpn[OfficeVPN])> network remote address-object "OfficeLAN"

  7. Configure the IKE and IPSec proposals:

    8. (config-vpn[OfficeVPN])> proposal ike main encr triple-des auth sha1 dh 2 lifetime 28800(config-vpn[OfficeVPN])> proposal ipsec esp encr triple-des auth sha1 dh no lifetime 28800

  8. In the Advanced tab in the UI configuration, enable keepalive on the VPN policy:

    9. (config-vpn[OfficeVPN])> advanced keepalive

  9. To enable the VPN policy, use the command vpn enable “name” :

    10. (config[TZ200])> vpn enable "OfficeVPN"

  10. Use the finished command to save the VPN policy and exit from the VPN configure mode:

(config-vpn[OfficeVPN])> finished(config[TZ200])>

The configuration is complete.

Note: The command prompt goes back to the configure mode prompt.

Viewing VPN Configuration

Use the following steps to configure the VPN policies.

  1. To view a list of all the configured VPN policies, type the command show vpn policy. The output will be similar to the following:

    2. (config[TZ200])> show vpn policy



    Policy: WAN GroupVPN (Disabled)Key Mode: Pre-sharedPre Shared Secret: DE65AD2228EED75A



    Proposals:IKE: Aggressive Mode, 3DES SHA, DH Group 2, 28800 secondsIPSEC: ESP, 3DES SHA, No PFS, 28800 seconds





    Advanced:Allow NetBIOS OFF, Allow Multicast OFFManagement: HTTP OFF, HTTPS OFFLan Default GW: 0.0.0.0Require XAUTH: ON, User Group: Trusted Users







    Client:Cache XAUTH Settings: NeverVirtual Adapter Settings: NoneAllow Connections To: Split TunnelsSet Default Route OFF, Apply VPN Access Control List OFFRequire GSC OFFUse Default Key OFF





    Policy: OfficeVPN (Enabled)Key Mode: Pre-sharedPrimary GW: 10.50.31.104Secondary GW: 0.0.0.0Pre Shared Secret: sonicwall



    IKE ID:Local: IP AddressPeer: IP Address




    Network:Local: LAN Primary Subnet Remote: OfficeLAN



    Proposals:IKE: Main Mode, 3DES SHA, DH Group 2, 28800 secondsIPSEC: ESP, 3DES SHA, No PFS, 28800 seconds








    Advanced:Keepalive ON, Add Auto-Rule ON, Allow NetBIOS OFFAllow Multicast OFFManagement: HTTP ON, HTTPS ONUser Login: HTTP ON, HTTPS ONLan Default GW: 0.0.0.0Require XAUTH: OFFBound To: Zone WAN

  2. To view the configuration for a specific policy, specify the policy name in double quotes. For example:

(config[TZ200])> show vpn policy "OfficeVPN"

The output will be similar to the following:





Policy: OfficeVPN (Enabled)Key Mode: Pre-sharedPrimary GW: 10.50.31.104Secondary GW: 0.0.0.0Pre Shared Secret: sonicwall



IKE ID:Local: IP AddressPeer: IP Address



Network:Local: LAN Primary Subnet Remote: OfficeLAN



Proposals:IKE: Main Mode, 3DES SHA, DH Group 2, 28800 secondsIPSEC: ESP, 3DES SHA, No PFS, 28800 seconds








Advanced:Keepalive ON, Add Auto-Rule ON, Allow NetBIOS OFFAllow Multicast OFFManagement: HTTP ON, HTTPS ONUser Login: HTTP ON, HTTPS ONLan Default GW: 0.0.0.0Require XAUTH: OFFBound To: Zone WAN

3. Type the command show vpn sa “name” to see the active SA:

(config[TZ200])> show vpn sa "OfficeVPN"


Policy: OfficeVPNIKE SAs




GW: 10.50.31.150:500 --> 10.50.31.104:500Main Mode, 3DES SHA, DH Group 2, ResponderCookie: 0x0ac298b6328a670b (I), 0x28d5eec544c63690 (R)Lifetime: 28800 seconds (28783 seconds remaining)

IPsec SAs




GW: 10.50.31.150:500 --> 10.50.31.104:500(192.168.61.0 - 192.168.61.255) --> (192.168.15.0 - 192.168.15.255)ESP, 3DES SHA, In SPI 0xed63174f, Out SPI 0x5092a0b2Lifetime: 28800 seconds (28783 seconds remaining)

SonicWALL NetExtender Windows Client CLI Commands

The following section includes commands for the NetExtender Windows Client CLI (NEClient.exe):

Usage: NECLI [OPTIONS]

connect [OPTIONS]








-s server -u user name -p password -d domain name -clientcertificatethumb thumb(when server need client certificate) -clientcertificatename name(when server need client certificate)


disconnectcreateprofile [OPTIONS]




-s server -u user name(optional) -p password(optional) -d domain name

displayprofile [OPTIONS]



-s server(optional) -d domain(optional) -u username(optional)

deleteprofile [OPTIONS]



-s server -d domain -u username


showstatussetproxy [OPTIONS]











-t 1 automatic detect setting; 2 configuration script; 3 proxy server -s proxy address/URL of automatic configuration script -o port -u user name -p password -b bypass proxy -save queryproxy reconnect viewlog -profile

servername: connect to server directly when password has been saved

Example:

NECLI -version


NECLI connect -s 10.103.62.208 -d LocalDomain -u admin -p password



NECLI connect -s 10.103.62.208 -d LocalDomain -u admin -p password - clientcertificatethumb cf3d20378ba7f2d9a79c536e230a2495d4a46734


NECLI connect -s 10.103.62.208 -d LocalDomain -u admin -p password - clientcertificatename "Admin"

NECLI disconnect

NECLI createprofile -s 10.103.62.208 -d LocalDomain -u admin

NECLI displayprofile -s 10.103.62.208

NECLI deleteprofile -s 10.103.62.208 -d LocalDomain -u admin

NECLI showstatus


NECLI -t 3 -s 10.103.62.201 -o 808 -u user1 -p password -b 10.103.62.101;10.103.62.102

NECLI queryproxy

NECLI viewlog

NECLI reconnect

NECLI -profile 10.103.62.208

SonicWALL NetExtender MAC and Linux Client CLI Commands

The following section includes the Mac and Linux CLI version, which is similar to the NetExtender Windows Client CLI in the previous section:

Usage: netExtender [OPTIONS] server[:port]









-u user -p password -d domain -t timeout Login timeout in seconds, default is 30 sec. -e encryption Encryption cipher to use. To see list use -e -h. -m Use this option to not add remote routes. -r filename Generate a diagnostic report. -v Display NetExtender version information. -h Display this usage information.


server: Specify the server either in FQDN or IP address.The default port for server is 443 if not specified.

Example:



netExtender -u u1 -p p1 -d LocalDomain sslvpn.company.com [root@linux]# netExtender -u demo sslvpn.demo.sonicwall.com SUSE/Ubuntu compatibility mode off










User Access AuthenticationPassword: Domain: Active DirectoryConnecting to SSL-VPN Server "sslvpn.demo.sonicwall.com:443". . .Connected.Logging in...Login successful.Using SSL Encryption Cipher 'DHE-RSA-AES256-SHA'Using new PPP frame encoding mechanismYou now have access to the following 5 remote networks:

192.168.150.0/255.255.255.0

192.168.151.0/255.255.255.0

192.168.152.0/255.255.255.0

192.168.153.0/255.255.255.0

192.168.158.0/255.255.255.0






NetExtender connected successfully. Type "Ctrl-c" to disconnect...Disconnecting NetExtender...Terminating pppd.......SSL-VPN logging out...SSL-VPN connection is terminated.Exiting NetExtender client.