CLI Guide
This appendix contains a categorized listing of Command Line Interface (CLI) commands for SonicOS firmware. Each command is described, and where appropriate, an example of usage is included.
Topics:
• Input Data Format Specification
• Editing and Completion Features
• Management Methods for the SonicWALL Network Security Appliance
• Initiating a Management Session using the CLI
• Logging in to the SonicOS CLI
• Configuring Site-to-Site VPN Using CLI
• SonicWALL NetExtender Windows Client CLI Commands
• SonicWALL NetExtender MAC and Linux Client CLI Commands
Input Data Format Specification
The table below describes the data formats acceptable for most commands. H represents one or more hexadecimal digits (0-9 and A-F). D represents one or more decimal digits.
Bold text indicates a command executed by interacting with the user interface.
Courier bold text indicates commands and text entered using the CLI.
Italic text indicates the first occurrence of a new term, as well as a book title, and also emphasized text. In this command summary, items presented in italics represent user-specified information.
Items within angle brackets (“< >”) are required information.
Items within square brackets (“[ ]”) are optional information.
Items separated by a “pipe” (“|”) are options. You can select any of them.
Note Though a command string may be displayed on multiple lines in this guide, it must be entered on a single line with no carriage returns except at the end of the complete command.
Editing and Completion Features
You can use individual keys and control-key combinations to assist you with the CLI. The table below describes the key and control-key combination functions.
Most configuration commands require completing all fields in the command. For commands with several possible completing commands, the Tab or ? key displays all options.
myDevice> show [TAB]
The Tab key can also be used to finish a command if the command is uniquely identified by user input.
myDevice> show al [TAB]
displays
myDevice> show alerts
Additionally, commands can be abbreviated as long as the partial commands are unique. The following text:
myDevice> sho int inf
is an acceptable abbreviation for
myDevice> show interface info
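The unique-prefix rule described above can be modelled directly. This added Python example, which is not part of SonicOS or this guide, resolves abbreviated command words against a small constructed subset of the command tree and reports ambiguous or unknown words instead of guessing.

```python
# Added example (not SonicOS code): resolve the unique-prefix abbreviations the
# CLI accepts, e.g. "sho int inf" -> "show interface info", and detect ambiguity.
# COMMAND_TREE is a small constructed subset used only for illustration.
COMMAND_TREE = {
    "show": {
        "alerts": {},
        "address-object": {},
        "interface": {"info": {}, "statistics": {}},
        "vpn": {"policy": {}, "sa": {}},
    },
    "configure": {},
    "restore": {},
}


def complete_word(partial, candidates):
    """Return every candidate that starts with the partial word (Tab / ? behaviour)."""
    return sorted(c for c in candidates if c.startswith(partial))


def resolve_command(line, tree=COMMAND_TREE):
    """Expand each abbreviated word of a command line to its full form.

    Raises ValueError when a word matches nothing or more than one option,
    mirroring the rule that a partial command must be unique.
    """
    resolved, node = [], tree
    for word in line.split():
        matches = [word] if word in node else complete_word(word, node)
        if not matches:
            raise ValueError(f"unknown command word: {word!r}")
        if len(matches) > 1:
            raise ValueError(f"ambiguous {word!r}: {', '.join(matches)}")
        resolved.append(matches[0])
        node = node[matches[0]]
    return " ".join(resolved)
```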
The CLI configuration manager allows you to control hardware and firmware of the appliance through a discrete mode and submode system. The commands for the appliance fit into the logical hierarchy shown below.
To configure items in a submode, activate the submode by entering a command in the mode above it.
For example, to set the default LAN interface speed or duplex, you must first enter configure, then interface x0 lan. To return to the higher Configuration mode, simply enter end or finished.
SonicWALL Internet Security appliances allow easy, flexible configuration without compromising the security of their configuration or your network.
The SonicWALL CLI currently uses the administrator’s password to obtain access. SonicWALL devices are shipped with a default password of password. Setting passwords is important in order to access the SonicWALL and configure it over a network.
If you are unable to connect to your device over the network, you can use the command restore to reset the device to factory defaults during a serial configuration session.
Management Methods for the SonicWALL Network Security Appliance
You can configure the SonicWALL appliance using one of three methods:
• Using a serial connection and the configuration manager
– An IP address assignment is not necessary for appliance management.
– A device must be managed while physically connected via a serial cable.
• Web browser-based User Interface
– An IP address must have been assigned to the appliance for management, or use the default of 192.168.168.168.
Initiating a Management Session using the CLI
Serial Management and IP Address Assignment
Note The default terminal settings on the SonicWALL and modules are 80 columns by 25 lines. To ensure the best display and reduce the chance of graphic anomalies, use the same settings with the serial terminal software. The device terminal settings can be changed, if necessary. Use the standard ANSI setting on the serial terminal software.
Follow the steps below to initiate a management session via a serial connection and set an IP address for the device.
1. Attach the included null modem cable to the appliance port marked CONSOLE. Attach the other end of the null modem cable to a serial port on the configuring computer.
2. Launch any terminal emulation application that communicates with the serial port connected to the appliance. Use these settings:
• 115,200 baud
• 8 data bits
• no parity
• 1 stop bit
• no flow control
3. Press Enter/Return. Initial information is displayed followed by a DEVICE NAME> prompt.
Initiating an SSH Management Session via Ethernet
Note This option works for customers administering a device that does not have a cable for console access to the CLI.
Follow the steps below to initiate an SSH management session through an Ethernet connection from a client to the appliance.
1. Attach an Ethernet cable to the interface port marked X0. Attach the other end of the Ethernet cable to an Ethernet port on the configuring computer.
2. Launch any terminal emulation application (such as PuTTY) that communicates via the Ethernet interface connected to the appliance.
3. Within the emulation application, enter the IP destination address for the appliance and enter 22 as the port number.
4. Select SSH as the connection type and open a connection.
When the connection is established, log in to the security appliance:
1. At the User prompt enter the Admin’s username. Only the admin user will be able to log in from the CLI. The default Admin username is admin. The default can be changed.
2. At the Password prompt, enter the Admin’s password. If an invalid or mismatched username or password is entered, the CLI prompt will return to User:, and a “CLI administrator login denied due to bad credentials” error message will be logged. There is no lockout facility on the CLI.
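Because the CLI has no lockout, repeated bad credentials are only visible in the log. The following added Python example (not SonicOS code) counts the "CLI administrator login denied due to bad credentials" message per source address over a sliding window; the log lines and their key=value layout are constructed for the example, so LINE_RE must be adjusted to the real syslog format.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Added example, not SonicOS code. The CLI does not lock out after failures, so
# repeated denials have to be caught at the log layer. SAMPLE_LOG is constructed
# and only loosely follows a key=value syslog layout (an assumption).
DENIED_MSG = "CLI administrator login denied due to bad credentials"
LINE_RE = re.compile(
    r'time="(?P<ts>[^"]+)".*?src=(?P<src>\d+\.\d+\.\d+\.\d+).*?msg="(?P<msg>[^"]*)"'
)

SAMPLE_LOG = """\
time="2024-05-01 09:00:01" src=203.0.113.5 msg="CLI administrator login denied due to bad credentials"
time="2024-05-01 09:00:03" src=203.0.113.5 msg="CLI administrator login denied due to bad credentials"
time="2024-05-01 09:00:04" src=198.51.100.7 msg="CLI administrator login denied due to bad credentials"
time="2024-05-01 09:00:06" src=203.0.113.5 msg="CLI administrator login denied due to bad credentials"
time="2024-05-01 09:00:09" src=203.0.113.5 msg="CLI administrator login denied due to bad credentials"
time="2024-05-01 09:00:10" src=203.0.113.5 msg="CLI administrator login denied due to bad credentials"
time="2024-05-01 09:30:00" src=198.51.100.7 msg="CLI administrator login denied due to bad credentials"
"""


def find_bruteforce_sources(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return {src: time_of_first_alert} for sources with >= threshold denials in a window."""
    recent = defaultdict(deque)   # src -> denial timestamps still inside the window
    alerts = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m.group("msg") != DENIED_MSG:
            continue
        src = m.group("src")
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:   # evict denials that fell out of the window
            q.popleft()
        if len(q) >= threshold and src not in alerts:
            alerts[src] = ts
    return alerts
```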
The following sections display all commands available for the SonicWALL:
Configuring Site-to-Site VPN Using CLI
This section describes how to create a VPN policy using the Command Line Interface. You can configure all of the parameters using the CLI, and enable the VPN without using the Web management interface.
Note In this example, the VPN policy on the other end has already been created.
1. Use a DB9 to RJ45 connector to connect the serial port of your PC to the console port of your firewall.
2. Using a terminal emulator program, such as Tera Term, use the following parameters:
• 115,200 baud
• 8 bits
• No parity
• 1 stop bit
• No flow control
3. You may need to hit return two to three times to get to a command prompt, which will look similar to the following:
TZ200>
If you have used any other CLI, such as a Unix shell or Cisco IOS, this process should be relatively easy and similar. It has auto-complete so you do not have to type in the entire command.
4. When you need to make a configuration change, you should be in configure mode. To enter configure mode, type configure.
TZ200 > configure
(config[TZ200])>
The command prompt changes and adds the word config to distinguish it from the normal mode. Now you can configure all the settings, enable and disable the VPNs, and configure the firewall.
In this example, a site-to-site VPN is configured between two TZ 200 appliances, with the following settings:
Local TZ 200 (home):
WAN IP: 10.50.31.150
LAN subnet: 192.168.61.0
Mask: 255.255.255.0
Remote TZ 200 (office):
WAN IP: 10.50.31.104
LAN subnet: 192.168.15.0
Mask: 255.255.255.0
Authentication Method: IKE using a Pre-Shared Key
Phase 1 Exchange: Main Mode
Phase 1 Encryption: 3DES
Phase 1 Authentication: SHA1
Phase 1 DH group: 2
Phase 1 Lifetime: 28800
Phase 2 Protocol: ESP
Phase 2 Encryption: 3DES
Phase 2 Authentication: SHA1
Phase 2 Lifetime: 28800
No PFS
1. In configure mode, create an address object for the remote network, specifying the name, zone assignment, type, and address. In this example, we use the name OfficeLAN:
(config[TZ200])> address-object OfficeLAN
(config-address-object[OfficeLAN])>
Note The prompt has changed to indicate the configuration mode for the address object.
(config-address-object[OfficeLAN])> zone VPN
(config-address-object[OfficeLAN])> network 192.168.15.0 255.255.255.0
(config-address-object[OfficeLAN])> finished
2. To display the address object, type the command show address-object [name]:
TZ200 > show address-object OfficeLAN
The output will be similar to the following:
address-object OfficeLAN
network 192.168.15.0 255.255.255.0
zone VPN
3. To create the VPN policy, type the command vpn policy [name] [authentication method]:
(config[TZ200])> vpn policy OfficeVPN pre-shared
(config-vpn[OfficeVPN])>
Note The prompt has changed to indicate the configuration mode for the VPN policy. All the settings regarding this VPN will be entered here.
4. Configure the Pre-Shared Key. In this example, the Pre-Shared Key is sonicwall:
(config-vpn[OfficeVPN])> pre-shared-secret sonicwall
5. Configure the IPSec gateway:
(config-vpn[OfficeVPN])> gw ip-address 10.50.31.104
6. Define the local and the remote networks:
(config-vpn[OfficeVPN])> network local address-object "LAN Primary Subnet"
(config-vpn[OfficeVPN])> network remote address-object "OfficeLAN"
7. Configure the IKE and IPSec proposals:
(config-vpn[OfficeVPN])> proposal ike main encr triple-des auth sha1 dh 2 lifetime 28800
(config-vpn[OfficeVPN])> proposal ipsec esp encr triple-des auth sha1 dh no lifetime 28800
8. In the Advanced tab in the UI configuration, enable keepalive on the VPN policy:
(config-vpn[OfficeVPN])> advanced keepalive
9. To enable the VPN policy, use the command vpn enable "name":
(config[TZ200])> vpn enable "OfficeVPN"
10. Use the finished command to save the VPN policy and exit from the VPN configure mode:
(config-vpn[OfficeVPN])> finished
(config[TZ200])>
The configuration is complete.
Note The command prompt goes back to the configure mode prompt.
Use the following steps to view and verify the VPN policies.
1. To view a list of all the configured VPN policies, type the command show vpn policy. The output will be similar to the following:
(config[TZ200])> show vpn policy
Policy: WAN GroupVPN (Disabled)
Key Mode: Pre-shared
Pre Shared Secret: DE65AD2228EED75A
Proposals:
IKE: Aggressive Mode, 3DES SHA, DH Group 2, 28800 seconds
IPSEC: ESP, 3DES SHA, No PFS, 28800 seconds
Advanced:
Allow NetBIOS OFF, Allow Multicast OFF
Management: HTTP OFF, HTTPS OFF
Lan Default GW: 0.0.0.0
Require XAUTH: ON, User Group: Trusted Users
Client:
Cache XAUTH Settings: Never
Virtual Adapter Settings: None
Allow Connections To: Split Tunnels
Set Default Route OFF, Apply VPN Access Control List OFF
Require GSC OFF
Use Default Key OFF
Policy: OfficeVPN (Enabled)
Key Mode: Pre-shared
Primary GW: 10.50.31.104
Secondary GW: 0.0.0.0
Pre Shared Secret: sonicwall
IKE ID:
Local: IP Address
Peer: IP Address
Network:
Local: LAN Primary Subnet
Remote: OfficeLAN
Proposals:
IKE: Main Mode, 3DES SHA, DH Group 2, 28800 seconds
IPSEC: ESP, 3DES SHA, No PFS, 28800 seconds
Advanced:
Keepalive ON, Add Auto-Rule ON, Allow NetBIOS OFF
Allow Multicast OFF
Management: HTTP ON, HTTPS ON
User Login: HTTP ON, HTTPS ON
Lan Default GW: 0.0.0.0
Require XAUTH: OFF
Bound To: Zone WAN
2. To view the configuration for a specific policy, specify the policy name in double quotes. For example:
(config[TZ200])> show vpn policy "OfficeVPN"
The output will be similar to the following:
Policy: OfficeVPN (Enabled)
Key Mode: Pre-shared
Primary GW: 10.50.31.104
Secondary GW: 0.0.0.0
Pre Shared Secret: sonicwall
IKE ID:
Local: IP Address
Peer: IP Address
Network:
Local: LAN Primary Subnet
Remote: OfficeLAN
Proposals:
IKE: Main Mode, 3DES SHA, DH Group 2, 28800 seconds
IPSEC: ESP, 3DES SHA, No PFS, 28800 seconds
Advanced:
Keepalive ON, Add Auto-Rule ON, Allow NetBIOS OFF
Allow Multicast OFF
Management: HTTP ON, HTTPS ON
User Login: HTTP ON, HTTPS ON
Lan Default GW: 0.0.0.0
Require XAUTH: OFF
Bound To: Zone WAN
3. Type the command show vpn sa “name” to see the active SA:
(config[TZ200])> show vpn sa "OfficeVPN"
Policy: OfficeVPN
IKE SAs
GW: 10.50.31.150:500 --> 10.50.31.104:500
Main Mode, 3DES SHA, DH Group 2, Responder
Cookie: 0x0ac298b6328a670b (I), 0x28d5eec544c63690 (R)
Lifetime: 28800 seconds (28783 seconds remaining)
IPsec SAs
GW: 10.50.31.150:500 --> 10.50.31.104:500
(192.168.61.0 - 192.168.61.255) --> (192.168.15.0 - 192.168.15.255)
ESP, 3DES SHA, In SPI 0xed63174f, Out SPI 0x5092a0b2
Lifetime: 28800 seconds (28783 seconds remaining)
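The show vpn policy output is plain text, so it can be audited automatically. This added Python example, which is not part of SonicOS or this guide, parses that output into per-policy fields and flags the settings of the example policy that are weak by current standards: 3DES, DH group 2, no PFS, cleartext HTTP management over the tunnel, and the pre-shared key being printed in clear.

```python
import re

# Added example, not SonicOS code: parse the text that "show vpn policy" prints
# and flag settings a reviewer would question. SAMPLE is the OfficeVPN output
# from this guide, trimmed to the lines the audit reads.
SAMPLE = """\
Policy: OfficeVPN (Enabled)
Key Mode: Pre-shared
Primary GW: 10.50.31.104
Pre Shared Secret: sonicwall
Proposals:
IKE: Main Mode, 3DES SHA, DH Group 2, 28800 seconds
IPSEC: ESP, 3DES SHA, No PFS, 28800 seconds
Management: HTTP ON, HTTPS ON
Require XAUTH: OFF
"""
POLICY_RE = re.compile(r"^Policy: (?P<name>.+?) \((?P<state>Enabled|Disabled)\)$")


def parse_vpn_policies(text):
    """Split the command output into one {field: value} dict per policy."""
    policies, current = [], None
    for line in text.splitlines():
        m = POLICY_RE.match(line)
        if m:
            current = {"name": m.group("name"), "state": m.group("state")}
            policies.append(current)
        elif current is not None and ": " in line:  # keep "Key: value" lines only
            key, value = line.split(": ", 1)
            current[key.strip()] = value.strip()
    return policies


def audit_policy(policy):
    """Return a list of findings for one parsed policy (empty when none apply)."""
    findings = []
    ike, ipsec = policy.get("IKE", ""), policy.get("IPSEC", "")
    if "3DES" in ike or "3DES" in ipsec:
        findings.append("3DES: 64-bit block cipher, prefer AES")
    if re.search(r"DH Group [12]\b", ike):
        findings.append("DH group 2 is 1024-bit MODP, prefer group 14 or larger")
    if "No PFS" in ipsec:
        findings.append("PFS off: phase 2 keys are derived from the IKE SA only")
    if "Aggressive Mode" in ike and policy["state"] == "Enabled":
        findings.append("Aggressive Mode with a PSK: prefer Main Mode")
    if "HTTP ON" in policy.get("Management", ""):
        findings.append("cleartext HTTP management allowed over the tunnel")
    if "Pre Shared Secret" in policy:
        findings.append("PSK is printed in clear: handle this output as a secret")
    return findings
```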
SonicWALL NetExtender Windows Client CLI Commands
The following section includes commands for the NetExtender Windows Client CLI (NEClient.exe):
Usage: NECLI [OPTIONS]
connect [OPTIONS]
-s server
-u user name
-p password
-d domain name
-clientcertificatethumb thumb (when server needs client certificate)
-clientcertificatename name (when server needs client certificate)
disconnect
createprofile [OPTIONS]
-s server
-u user name(optional)
-p password(optional)
-d domain name
displayprofile [OPTIONS]
-s server(optional)
-d domain(optional)
-u username(optional)
deleteprofile [OPTIONS]
-s server
-d domain
-u username
showstatus
setproxy [OPTIONS]
-t 1 automatic detect setting; 2 configuration script; 3 proxy server
-s proxy address/URL of automatic configuration script
-o port
-u user name
-p password
-b bypass proxy
-save
queryproxy
reconnect
viewlog
-profile
servername: connect to server directly when password has been saved
Example:
NECLI -version
NECLI connect -s 10.103.62.208 -d LocalDomain -u admin -p password
NECLI connect -s 10.103.62.208 -d LocalDomain -u admin -p password -clientcertificatethumb cf3d20378ba7f2d9a79c536e230a2495d4a46734
NECLI connect -s 10.103.62.208 -d LocalDomain -u admin -p password -clientcertificatename "Admin"
NECLI disconnect
NECLI createprofile -s 10.103.62.208 -d LocalDomain -u admin
NECLI displayprofile -s 10.103.62.208
NECLI deleteprofile -s 10.103.62.208 -d LocalDomain -u admin
NECLI showstatus
NECLI setproxy -t 3 -s 10.103.62.201 -o 808 -u user1 -p password -b 10.103.62.101;10.103.62.102
NECLI queryproxy
NECLI viewlog
NECLI reconnect
NECLI -profile 10.103.62.208
SonicWALL NetExtender MAC and Linux Client CLI Commands
The following section describes the Mac and Linux CLI version, which is similar to the NetExtender Windows Client CLI in the previous section:
Usage: netExtender [OPTIONS] server[:port]
-u user
-p password
-d domain
-t timeout Login timeout in seconds, default is 30 sec.
-e encryption Encryption cipher to use. To see list use -e -h.
-m Use this option to not add remote routes.
-r filename Generate a diagnostic report.
-v Display NetExtender version information.
-h Display this usage information.
server: Specify the server either in FQDN or IP address.
The default port for server is 443 if not specified.
Example:
netExtender -u u1 -p p1 -d LocalDomain sslvpn.company.com
[root@linux]# netExtender -u demo sslvpn.demo.sonicwall.com
SUSE/Ubuntu compatibility mode off
User Access Authentication
Password:
Domain: Active Directory
Connecting to SSL-VPN Server "sslvpn.demo.sonicwall.com:443". . .
Connected.
Logging in...
Login successful.
Using SSL Encryption Cipher 'DHE-RSA-AES256-SHA'
Using new PPP frame encoding mechanism
You now have access to the following 5 remote networks:
192.168.150.0/255.255.255.0
192.168.151.0/255.255.255.0
192.168.152.0/255.255.255.0
192.168.153.0/255.255.255.0
192.168.158.0/255.255.255.0
NetExtender connected successfully. Type "Ctrl-c" to disconnect...
Disconnecting NetExtender...
Terminating pppd.......
SSL-VPN logging out...
SSL-VPN connection is terminated.
Exiting NetExtender client.