Quantum Spark 1500, 1600 AND 1800 Appliance Series: CLI Reference Guide

03 August 2021
QUANTUM SPARK 1500,

1600 AND 1800
APPLIANCE SERIES
R80.20.20
CLI Reference Guide

[Classification: Protected]
Check Point Copyright Notice
Check Point Copyright Notice
© 2021 Check Point Software Technologies Ltd.

All rights reserved. This product and related documentation are protected by copyright and distributed under
licensing restricting their use, copying, distribution, and decompilation. No part of this product or related
documentation may be reproduced in any form or by any means without prior written authorization of Check
Point. While every precaution has been taken in the preparation of this book, Check Point assumes no
responsibility for errors or omissions. This publication and features described herein are subject to change
without notice.

RESTRICTED RIGHTS LEGEND:
Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)
(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR
52.227-19.

TRADEMARKS:
Refer to the Copyright page for a list of our trademarks.
Refer to the Third Party copyright notices for a list of relevant copyrights and third-party licenses.
Quantum Spark 1500, 1600 and 1800 Appliance Series R80.20.20 CLI Reference Guide | 2
Important Information
Important Information
Latest Software
We recommend that you install the most recent software release to stay up-to-date with the
latest functional improvements, stability fixes, security enhancements and protection against
new and evolving attacks.
Certifications
For third party independent certification of Check Point products, see the Check Point
Certifications page.
Check Point R80.20.20
For more about this release, see the R80.20.20 home page.
Latest Version of this Document in English
Open the latest version of this document in a Web browser.
Download the latest version of this document in PDF format.
Feedback
Check Point is engaged in a continuous effort to improve its documentation.
Please help us by sending your comments.
Revision History
Date Description
03 August 2021 Updated "Configuring NetFlow" on page 651
02 May 2021 Updated "add internet-connection (physical interface)" on page 464
28 January 2021 First release of this document
Table of Contents
Table of Contents
Introduction 42
Using Command Line Reference 43
CLI Syntax 44
Running Gaia Clish Commands from Expert Mode 45
Supported Linux Commands 46
access-rule type outgoing 47
add access-rule type outgoing 47
delete access-rule type outgoing 50
set access-rule type outgoing 51
show access-rule type outgoing 54
access-rule type incoming-internal-and-vpn 55
add access-rule type incoming-internal-and-vpn 55
delete access-rule type incoming-internal-and-vpn 57
set access-rule type incoming-internal-and-vpn 58
show access-rule type incoming-internal-and-vpn 60
additional-hw-settings 61
set additional-hw-settings 61
show additional-hw-settings 62
additional-management-settings 63
set additional-management-settings 63
show additional-management-settings 64
ad-server 65
add ad-server 65
delete ad-server 66
set ad-server 67
show ad-server 68
show ad-servers 69
address-range 70
add address-range 70
delete address-range 71
set address-range 72
show address-range 73
show address-ranges 74
Table of Contents
admin-access 75
add admin access 75
set admin-access 76
show admin-access 77
admin-access-ip-addresses 78
show admin-access-ip-addresses 78
delete admin-access-ip-address-all 79
admin-access-ipv4-address 80
add admin-access-ipv4-address 80
delete admin-access-ipv4-address 83
show admin-access-ipv4-addresses 84
delete admin-access-ipv4-address-all 85
administrator 86
add administrator 86
delete administrator 87
set administrator 88
set administrators 90
set administrators 91
show administrator 92
show administrators 93
autogmt 96
set-autogmt 96
show-autogmt 96
administrators radius-auth 98
set administrators radius-auth 99
set administrators radius-auth (legacy mode) 100
show administrators radius-auth 101
administrators roles-settings 102
set administrators roles-settings 102
Table of Contents
show administrators roles-settings 102
administrator session-settings 104
set administrator session-settings 105
show administrator session-settings 106
show adsl statistics 107
aggressive-aging 108
set aggressive-aging 109
show aggressive-aging 113
antispam 116
set antispam 117
set antispam 118
set antispam 120
set antispam 121
set antispam 122
set antispam 123
set antispam 124
set antispam 125
set antispam 126
set antispam 127
show antispam 128
show antispam 129
show antispam 130
antispam allowed-sender 131
add antispam allowed-sender 132
delete antispam allowed-sender 135
show antispam allowed-senders 139
Table of Contents
antispam blocked-sender 140
add antispam blocked-sender 141
delete antispam blocked-sender 144
show antispam blocked-senders 148
application 149
add application 150
add application 151
add application 152
delete application 153
find application 156
set application 157
set application 158
set application 159
set application 160
set application 161
set application 162
set application 163
set application 164
set application 165
set application 166
set application 167
show application 168
show applications 171
application-control 172
set application-control 173
show application-control 175
Table of Contents
show application-control other-undesired-applications 176
application-control-engine-settings 177
set application-control-engine-settings 178
show application-control-engine-settings 186
application-group 187
add application-group 188
delete application-group 189
set application-group 192
show application-group 201
show application-groups 204
antispoofing 205
set antispoofing 206
show antispoofing 207
backup settings 208
show backup settings 209
blade-update-schedule 210
Table of Contents
set blade-update-schedule 211
show blade-update-schedule 216
bookmark 219
add bookmark 220
delete bookmark 221
delete bookmark 222
delete bookmark 223
set bookmark 224
show bookmark 226
show bookmarks 227
bridge 228
add bridge 229
delete bridge 230
set bridge 231
set bridge 232
set bridge 233
set bridge 234
show bridge 235
show bridges 236
show cellular-modem-status 237
show clock 238
cloud-deployment 239
set cloud-deployment 240
show cloud-deployment 241
cloud-notifications 242
set cloud-notification 243
show cloud-notifications 244
send cloud-report 245
cloud-services 246
reconnect cloud-services 247
Table of Contents
set cloud-services 248
show cloud-services 251
show cloud-services connection-details 252
cloud-services-firmware-upgrade 253
set cloud-services-firmware-upgrade 254
show cloud-services-firmware-upgrade 258
show cloud-service managed-blades 261
show cloud-services managed-services 262
fetch cloud-services policy 263
show cloud-services status 264
show commands 265
cphaprob 266
cphastop 269
cpinfo 270
cpstart 271
cpstat 272
cpstop 275
cpwd_admin 276
date 277
set date 278
set date 279
set date 280
set date 281
set date 282
show date 283
show date 284
show date 285
show date 286
Table of Contents
show date 287
restore default-settings 288
dhcp-bridge-settings 289
show dhcp-bridge-settings 289
set dhcp-bridge-settings 289
dhcp-relay 291
set dhcp-relay 292
show dhcp-relay 293
show dhcp servers 294
dhcp server interface 295
delete dhcp server interface 296
set dhcp server interface 297
show dhcp server interface 320
Table of Contents
show diag 323
show disk usage 324
dns 325
delete dns 326
delete dns 327
delete dns 328
delete dns 329
delete dns 330
set dns 331
set dns 332
set dns 333
set dns 334
set dns 335
show dns 336
show dns 337
show dns 338
dsl 339
set dsl advanced-settings global-settings 340
set dsl advanced-settings standards 341
show dsl advanced-setting 343
show dsl statistics 344
dynamic-dns 347
set dynamic-dns 348
set dynamic-dns 349
set dynamic-dns 350
show dynamic-dns 351
dynamic objects 354
exit 356
set expert password 357
fetch certificate 358
fetch policy 359
Table of Contents
fw commands 360
fw policy 361
set fw policy 362
set fw policy 363
set fw policy 364
set fw policy 365
show fw policy 366
show fw policy 367
show fw policy 368
show fw policy 369
set fw policy user-check accept 370
set fw policy user-check ask 371
set fw policy user-check block 372
set fw policy user-check block-device 373
set fw policy user-check block-infected-device 374
global-radius-conf 375
set global-radius-conf 376
show global-radius-conf 377
group 378
add group 379
delete group 380
set group 381
set group 382
set group 383
set group 384
set group 385
show group 386
show groups 387
host 388
add host 389
delete host 390
set host 391
show host 393
show hosts 394
hotspot 395
Table of Contents
set hotspot 396
set hotspot 397
set hotspot 399
set hotspot 400
set hotspot 401
set hotspot 402
show hotspot 403
show hotspot 404
show hotspot 405
https-categorization 406
set https-categorization 407
show https-categorization 411
interface 412
add interface 413
add interface 414
add interface 415
add interface-alias 416
delete interface 417
set interface 418
set interface 419
set interface 420
set interface 421
set interface 422
set interface 423
set interface 424
set interface 425
set interface 426
set interface 427
set interface 428
show interface 429
show interfaces 430
show interfaces all 431
Table of Contents
interface-alias 432
add interface-alias 432
delete interface-alias 433
set interface-alias 434
interface-bond 435
add interface-bond 435
delete interface-bond 436
set interface-bond 437
show interface-bond 440
show interfaces-bond 441
internal-certificates-conf 442
add internal-certificate 442
delete internal-certificate 442
show internal-certificate 443
show internal-certificates 443
ips engine-settings 445
set ips engine-settings 446
show ips engine-settings 450
interface-loopback 453
add interface-loopback 454
delete interface-loopback 455
internet 456
set internet 457
show internet 458
internet-advanced-settings 459
set internet-advanced-settings 459
show internet-advanced-settings 459
internet-connection 461
Table of Contents
add internet-connection 462
add internet-connection interface cellular 462
add internet-connection (physical interface) 464
WAN 464
ADSL 469
DSL 470
DMZ 473
add internet-connection (3G/4G modem) 483
delete internet-connection 485
delete internet-connection 486
deleter internet-connection 487
delete internet-connections 488
set internet-connection 489
set internet-connection interface DMZ 508
set internet-connection {name} type cellular 511
set internet-connection {name} type usb-cellular 512
show internet-connection 514
show internet-connection {name} type cellular 516
Table of Contents
show internet-connections 522
show internet-connections table 523
set iot-stats 524
show iot-stats 525
internet-connection-bond 526
delete internet-connection-bond 526
set internet-connection-bond 527
show internet-connection-bond 530
show internet-connections-bond 531
internet mode 532
set internet mode 533
show internet mode 534
ip-fragments-params 535
set ip-fragments-params 536
show ip-fragments-params 539
ipv6-state 540
set ipv6-state 541
show ipv6-state 542
ip-resolving 543
set ip-resolving 543
show ip-resolving 543
license 545
fetch license 546
show license 547
fetch license usercenter retry 547
local-group 548
add local-group 549
delete local-group 550
set local-group 553
Table of Contents
set local-group 554
set local-group 555
set local-group 556
show local-group 557
show local-groups 558
set local-group users 559
local-user 562
add local-user 563
delete local-user 564
set local-user 567
set local-user 568
set local-user 570
set local-user 571
show local-user 572
show local-users 573
local-users expired 574
delete local-users expired 575
show local-users expired 576
show logs 577
log-servers-configuration 578
set log-servers-configuration 579
show log-servers-configuration 580
maas 581
connect maas 581
set maas 582
show maas 583
mac-filtering-list 584
add mac-filtering-list 585
delete mac-filtering-list 586
show mac-filtering-list 587
mac-filtering-settings 588
Table of Contents
set mac-filtering settings 589
set mac-filtering-settings 590
show mac-filtering-settings 593
set mobile-settings 596
show mobile-settings 598
mobile-device 599
revoke mobile-device 599
mobile-settings 600
show mobile-settings 603
mobile-invitation 604
add mobile-invitation 604
show mobile-invitation 604
mobile-push-notification 605
show mobile-push-notification 605
monitor-mode-network 606
add monitor-mode-network 607
delete monitor-mode-network 608
set monitor-mode-network 609
show monitor-mode-networks 610
monitor-mode-configuration 611
set monitor-mode-configuration 612
show monitor-mode-configuration 613
message 614
set message 615
show message 616
show message 617
show memory usage 618
set misp-refresh-route 619
Table of Contents
nat 620
set nat 621
set nat 622
set nat 623
set nat 624
set nat 625
set nat 626
set nat 627
set nat 628
set nat 629
set nat 630
set nat 631
set nat 632
set nat 633
set nat 634
show nat 635
show nat 636
show nat 637
nat-rule 638
add nat-rule 639
delete nat-rule 641
set nat-rule 642
show nat-rule 644
show nat-rules 645
show nat-manual-rules 646
nat-rule position 647
delete nat-rule position 648
set nat-rule position 649
Configuring NetFlow 651
Introduction 651
Configuration Procedure for Centrally Managed 653
add netflow collector 653
delete netflow collector 654
set netflow collector 655
show netflow collector 657
Table of Contents
show netflow collectors 657
network 659
add network 660
delete network 661
set network 662
show network 663
show networks 664
show notifications-log 665
notifications-policy 666
set notifications-policy 667
show notifications-policy 670
show notifications-policy 671
ntp 672
set ntp 673
set ntp 674
set ntp 675
set ntp 676
set ntp 677
show ntp 678
show ntp active 679
ntp server 680
set ntp server 681
set ntp server 682
set ntp server 683
show ntp servers 684
os-settings 685
set os-settings 685
set os-settings 686
show os-settings 687
periodic backup 688
set periodic-backup 689
show periodic-backup 691
set property 692
Table of Contents
privacy settings 693
set privacy-settings advanced-settings 693
show privacy-settings advanced-settings 694
proxy 695
delete proxy 696
set proxy 697
set proxy 698
set proxy 699
show proxy 700
qos 701
set qos 702
set qos 703
set qos 704
set qos 705
set qos 706
show qos 707
show qos 708
show qos 709
qos delay-sensitive-service 710
set qos delay-sensitive-service 711
show qos delay-sensitive-services 714
qos guarantee-bandwidth-selected-services 715
set qos guarantee-bandwidth-selected-services 716
show qos guarantee-bandwidth-selected-services 719
qos-rule 720
add qos-rule 721
delete qos-rule 723
delete qos-rule 724
delete qos-rule 725
set qos-rule 726
set qos-rule 727
Table of Contents
set qos-rule 729
show qos-rule 731
show qos-rule 732
show qos-rule 733
show qos-rules 734
radius-server 735
delete radius-server 736
set radius-server 737
show radius-server 738
show radius-servers 739
reach-my-device 740
set reach-my-device 741
show reach-my-device 745
reboot 748
set remote-access users 749
show remote-access users radius-auth 750
set rest-api 751
show rest-api 752
generate report cloud-report 753
restore settings 754
show restore settings log 755
show revert log 756
revert to factory defaults 757
revert to saved image 758
report-settings 759
set report-settings 760
show report-settings 763
show rule hits 764
Table of Contents
show saved image 765
update security-blades 766
updatable-object 767
add updatable-object 767
delete updatable-object 768
show updatable-object 769
show updatable-objects 771
show updatable-objects-imported 772
security-management 773
connect security-management 774
set security-management 775
show security-management 778
serial-port 779
set serial-port 780
set serial-port 781
set serial-port 782
set serial-port 783
set serial-port-nine-pin 784
show serial-port 787
show serial-port-nine-pin 788
server 789
add server 790
delete server 792
show server 793
show servers 794
service-details 795
set device-details 796
show device-details 797
service-group 798
Table of Contents
add service-group 799
delete service-group 800
set service-group 801
show service-group 806
show service-groups 807
service-icmp 808
add service-icmp 809
delete service-icmp 810
set service-icmp 811
show service-icmp 812
add service-protocol 813
service-protocol 814
delete service-protocol 815
set service-protocol 816
show service-protocol 818
show services-protocol 819
set server server-access 820
set server server-nat-settings 822
set server server-network-settings 824
set server server-ports 825
service-system-default 828
set service-system-default Any_TCP 829
show service-system-default Any_TCP 831
set service-system-default Any_UDP 832
show service-system-default Any_UDP 834
set service-system-default CIFS 835
show service-system-default CIFS 837
set service-system-default Citrix 838
show service-system-default Citrix 840
set service-system-default Citrix firewall-settings 841
show service-system-default Citrix firewall-settings 842
Table of Contents
set service-system-default DHCP 843
show service-system-default DHCP 844
set service-system-default DNS_TCP 845
show service-system-default DNS_TCP 847
set service-system-default DNS_UDP 848
show service-system-default DNS_UDP 849
set service-system-default FTP 850
show service-system-default FTP 852
set service-system-default FTP firewall-settings 853
show service-system-default FTP firewall-settings 854
set service-system-default GRE 855
show service-system-default GRE 857
set service-system-default H323 858
show service-system-default H323 860
set service-system-default H323_RAS 861
show service-system-default H323_RAS 862
set service-system-default HTTP 863
show service-system-default HTTP 865
set service-system-default HTTPS 866
show service-system-default HTTPS 868
set service-system-default HTTP ips-settings 869
show service-system-default HTTP ips-settings 871
set service-system-default HTTPS url-filtering-settings 872
show service-system-default HTTPS url-filtering-settings 873
set service-system-default IIOP 874
show service-system-default IIOP 876
set service-system-default IMAP 877
show service-system-default IMAP 879
set service-system-default LDAP 880
show service-system-default LDAP 882
set service-system-default MGCP 883
show service-system-default MGCP 884
set service-system-default NetBIOSDatagram 885
show service-system-default NetBIOSDatagram 886
set service-system-default NetBIOSName 887
Table of Contents
show service-system-default NetBIOSName 888
set service-system-default NetShow 889
show service-system-default NetShow 891
set service-system-default NNTP 892
show service-system-default NNTP 894
set service-system-default POP3 895
show service-system-default POP3 897
set service-system-default PPTP_TCP 898
show service-system-default PPTP_TCP 900
set service-system-default PPTP_TCP ips-settings 901
show service-system-default PPTP_TCP ips-settings 902
set service-system-default RealAudio 903
show service-system-default RealAudio 905
set service-system-default RSH 906
show service-system-default RSH 908
set service-system-default RTSP 909
show service-system-default RTSP 911
set service-system-default SCCP 912
show service-system-default SCCP 914
set service-system-default SCCPS 915
show service-system-default SCCPS 917
set service-system-default SIP_TCP 918
show service-system-default SIP_TCP 920
set service-system-default SIP_UDP 921
show service-system-default SIP_UDP 922
set service-system-default SMTP 923
show service-system-default SMTP 925
set service-system-default SNMP 926
show service-system-default SNMP 927
set service-system-default SNMP firewall-settings 928
show service-system-default SNMP firewall-settings 929
set service-system-default SQLNet 930
show service-system-default SQLNet 932
set service-system-default SSH 933
show service-system-default SSH 935
Table of Contents
set service-system-default SSH ips-settings 936
show service-system-default SSH ips-settings 937
set service-system-default TELNET 938
show service-system-default TELNET 940
set service-system-default TFTP 941
show service-system-default TFTP 943
service-tcp 944
add service-tcp 945
set service-tcp 946
delete service-tcp 948
show service-tcp 949
show services-tcp 950
service-udp 951
add service-udp 952
delete service-udp 953
set service-udp 954
show service-udp 955
show services-udp 956
show services-icmp 957
shell/expert 958
set sic_init 959
sim 960
snmp 961
add snmp 962
add snmp 963
add snmp 964
delete snmp 965
delete snmp 966
delete snmp 967
delete snmp 968
set snmp 969
set snmp 970
set snmp 971
set snmp 972
set snmp 973
Table of Contents
set snmp 974
show snmp 975
show snmp 976
show snmp 977
show snmp 978
show snmp 979
show snmp 980
show snmp-general-all 981
snmp traps 982
set snmp traps 983
set snmp traps 984
set snmp traps 985
set snmp traps 986
set snmp-traps 987
set snmp-traps 988
set-snmp-traps 989
show snmp traps 990
delete snmp traps-receivers 991
show snmp traps receivers 992
show snmp traps enabled-traps 993
snmp user 994
delete snmp user 995
set snmp user 996
show snmp user 997
show snmp users 998
delete snmp users 999
show software version 1000
ssl-inspection advanced-settings 1001
set ssl-inspection advanced-settings 1002
show ssl-inspection advanced-settings 1004
ssl-inspection exception 1005
add ssl-inspection exception 1006
delete ssl-inspection exception 1008
Table of Contents
set ssl-inspection exception 1011
show ssl-inspection exception 1013
show ssl-inspection exceptions 1014
ssl-inspection policy 1015
set ssl-inspection policy 1016
set ssl-inspection policy https-categorization-only-mode 1018
set ssl-inspection policy inspect-https-protocol 1019
set ssl-inspection policy inspect-imaps-protocol 1020
show ssl-inspection policy 1021
delete ssl-network-extender 1022
stateful-inspection 1023
set stateful-inspection 1023
show stateful-inspection 1031
static-route 1033
add static-route 1034
add static-route 1034
set static-route 1036
delete static-route 1037
Table of Contents
delete static-routes 1038
show static-routes 1039
streaming-engine-settings 1040
set streaming-engine-settings 1041
show streaming-engine-settings 1045
switch 1048
add switch 1049
delete switch 1050
set switch 1051
set switch 1052
set switch 1053
show switch 1054
show switch 1055
show switch 1056
show switches 1057
syslog-server 1058
add syslog-server 1059
add-syslog-server protocol tls 1060
delete syslog-server 1061
set syslog-server 1064
show syslog-server 1067
show syslog-server all 1070
system-settings 1071
show system-settings is-custom-branding 1072
traceroute-max-ttl 1073
Table of Contents
threat-prevention-advanced 1074
set threat-prevention-advanced 1075
show threat-prevention-advanced 1076
threat-prevention anti-bot 1077
set threat-prevention anti-bot engine 1078
show threat-prevention anti-bot engine 1079
set threat-prevention anti-bot policy 1080
show threat-prevention anti-bot policy 1083
set threat-prevention anti-bot user-check ask 1086
show threat-prevention anti-bot user-check ask 1087
set threat-prevention anti-bot user-check block 1088
show threat-prevention anti-bot user-check block 1089
threat-prevention anti-virus 1090
set threat-prevention anti-virus engine 1091
show threat-prevention anti-virus engine 1092
add threat-prevention anti-virus file-type 1093
delete threat-prevention anti-virus file-type 1094
set threat-prevention anti-virus file-type 1095
show threat-prevention anti-virus file-type 1096
show threat-prevention anti-virus file-types 1097
delete threat-prevention anti-virus file-type custom 1098
set threat-prevention anti-virus policy 1099
show threat-prevention anti-virus policy 1106
Table of Contents
set threat-prevention anti-virus user-check ask 1109
show threat-prevention anti-virus user-check ask 1110
set threat-prevention anti-virus user-check block 1111
show threat-prevention anti-virus user-check block 1112
threat-prevention exception 1113
add threat-prevention exception 1114
delete threat-prevention exception 1116
set threat-prevention exception 1117
show threat-prevention exception 1119
delete threat-prevention exceptions 1120
show threat-prevention infected-hosts 1121
threat-prevention ips 1122
set threat-prevention ips custom-default-policy 1123
show threat-prevention ips custom-default-policy 1125
add threat-prevention ips network-exception 1126
delete threat-prevention ips network-exception 1129
set threat-prevention ips network-exception 1132
show threat-prevention ips network-exception 1135
set threat-prevention ips policy 1136
show threat-prevention ips policy 1137
find threat-prevention ips protection 1138
set threat-prevention ips protection-action-override 1139
show threat-prevention ips protection-action-override 1144
Table of Contents
threat-prevention-profile 1147
set threat-prevention policy 1147
threat-prevention policy 1148
set threat-prevention policy 1149
show threat-prevention policy 1150
threat-prevention threat-emulation additional-remote-emulator 1151
add threat-prevention threat-emulation additional-remote-emulator 1152
delete threat-prevention threat-emulation additional-remote-emulator 1153
set threat-prevention threat-emulation additional-remote-emulator 1156
show threat-prevention threat-emulation additional-remote-emulator 1157
set threat-prevention threat-emulation file-types-revert-actions-to-default 1160
threat-prevention threat-emulation 1161
set threat-prevention threat-emulation file-type 1162
show threat-prevention threat-emulation file-type 1163
show threat-prevention threat-emulation file-types 1164
set threat-prevention threat-emulation policy 1165
show threat-prevention threat-emulation policy 1169
threat-prevention whitelist 1172
add threat-prevention whitelist mail 1173
show threat-prevention whitelist files 1174
delete threat-prevention whitelist mail 1175
set threat-prevention whitelist mail 1176
show threat-prevention whitelist mail 1177
delete threat-prevention whitelist mails 1178
show threat-prevention whitelist mails 1179
add threat-prevention whitelist type-file 1180
delete threat-prevention whitelist type-file 1181
Table of Contents
add threat-prevention whitelist type-url 1184
delete threat-prevention whitelist type-url 1185
show threat-prevention whitelist urls 1188
update default-image from current-image 1189
ui-settings 1190
set ui-settings 1191
show ui-settings 1194
usb-modem-advanced 1197
add usb-modem-advanced 1198
delete usb-modem-advanced 1199
delete usb-modem-advanced-all 1200
set usb-modem-advanced 1201
show usb-modem-advanced 1202
show usb-modem-advanced table 1203
usb-modem-info 1204
show usb-modem-info 1205
show usb-modem-info-table 1206
usb-modem-watchdog 1207
set usb-modem-watchdog 1208
show usb-modem-watchdog 1211
set used-ad-group 1212
user-awareness 1215
set user-awareness 1216
Table of Contents
set user-awareness browser-based-authentication 1220
show user-awareness 1226
show user-awareness browser-based-authentication 1229
set user-management 1230
show upgrade log 1231
show used-ad-group bookmarks 1232
upgrade from usb or tftp server 1233
vpn 1234
vpn 1235
Managing the VPN Driver 1236
Launching TunnelUtil Tool 1237
Debugging VPN 1238
delete vpn 1239
set vpn 1240
set vpn 1241
set vpn 1245
set vpn 1246
set vpn 1247
set vpn 1248
set vpn 1249
set vpn 1250
set vpn 1251
set vpn 1252
set vpn 1253
set vpn 1254
set vpn 1255
Table of Contents
set vpn 1256
set vpn 1257
set vpn 1258
set vpn 1259
set vpn 1260
set vpn 1261
set vpn 1262
set vpn 1263
set vpn 1264
set vpn 1265
set vpn 1266
show vpn 1267
show vpn 1268
show vpn 1269
vpn remote-access 1270
set vpn remote-access 1271
Table of Contents
show vpn remote-access 1308
set vpn remote-access advanced 1313
show vpn remote-access advanced 1315
set vpn remote-access advanced enc-dom-obj manual 1316
vpn remote-access two-factor-authentication 1319
set vpn remote-access two-factor-authentication 1319
show vpn remote-access two-factor-authentication 1320
vpn site 1322
add vpn site 1323
delete vpn site 1330
Table of Contents
show vpn sites 1333
vpn site-to-site 1334
set vpn site-to-site 1335
Table of Contents
shows vpn site-to-site 1372
show vpn site-to-site 1373
shows vpn site-to-site 1374
set vpn site-to-site enc-dom manual 1375
vpn tunnel 1379
show vpn tunnel 1380
show vpn tunnels 1381
wlan 1382
delete wlan 1383
set wlan 1384
set wlan 1385
set wlan 1386
set wlan 1387
set wlan 1388
set wlan 1389
set wlan 1390
set wlan 1391
set wlan 1392
set wlan 1393
set wlan 1394
set wlan 1395
set wlan 1396
set wlan 1397
set wlan 1398
set wlan 1399
set wlan wireless advanced-settings protected-mgmt-frames 1400
show wlan 1401
show wlan 1402
Table of Contents
show wlan 1403
wlan radio 1404
set wlan radio 1405
set wlan radio 1406
set wlan radio 1407
set wlan radio 1408
set wlan radio 1409
set wlan radio 1410
set wlan radio 1411
show wlan radio 1412
show wlan statistics 1413
wlan vaps 1414
add wlan vap 1415
delete wlan vaps 1416
set wlan vap wireless advanced-settings protected-mgmt-frames 1417
set wlan vap 1418
show wlan vap wireless 1419
show wlan vaps 1420
show wlan vaps statistics 1421
zero-touch 1422
set zero-touch 1423
show zero-touch 1424
test zero-touch-request 1425
Introduction
Introduction
This guide contains all relevant CLI commands for the Quantum Spark Small and Medium Business (SMB)
appliance models:
n 1530
n 1550
n 1570
n 1590
n 1570R
n 1600
n 1800
Using Command Line Reference
Using Command Line Reference
You can make changes to your appliance with the WebUI or Command Line Interface (CLI). When using CLI
note these aspects:
n The CLI default shell (clish) covers all the operations that are supported from the WebUI. It also
supports auto-completion capabilities, similar to Gaia. For advanced operations that require direct
access to the file system (such as redirecting debug output to a file), log in to Expert mode.
n SSH to the appliance is supported and is enabled through the WebUI.
n You can enable login directly to expert mode. To do this:
l Login to Expert mode using the "Expert" password.
l Run the command bashUser on
l You will now always login directly to expert mode (this mode is not deleted during reboot)
l To turn this mode off, run the command bashUser off
n SCP to the appliance is supported but you need to enable direct login to Expert mode. Note that
SFTP that is commonly used by winSCP is not supported. For more information, see sk52763.
CLISH Auto-completion
All CLISH commands support auto-completion. Standard Check Point and native Linux commands can be
used from the CLISH shell but do not support auto-completion. These are examples of the different
commands:
n CLISH - fetch,set, show
n Standard Check Point - cphaprob,..., fw, vpn
n Native Linux - ping, tcpdump, traceroute
CLI Syntax
CLI Syntax
The CLI commands are formatted according to these syntax rules.
Notation Description
Text without brackets Items you must type as shown
<Text inside angle brackets> Placeholder for which you must supply a value
[Text inside square brackets] Optional items
Vertical pipe (|) Separator for mutually exclusive items; choose one
{Text inside curly brackets} Set of required items; choose one
Ellipsis (?) Multiple values or parameters can be entered
Running Gaia Clish Commands from Expert Mode
Running Gaia Clish Commands from Expert
Mode
You can run Gaia Clish commands from Expert mode.
Syntax
clish [ -A -i { -c Cmd | -f File -v} -h -C ]
Parameters
Parameter Description
-c Cmd Single command to execute
-f File File to load commands from
-v Verbose
-i Ignore cmd failure in batch mode and continue
-A Run as admin
-C List available commands
-h Help (this message)
Note - If the default shell, in which you logged in, was Gaia Clish, and then you logged in
to the Expert mode from it, you cannot run the clish command from the Expert mode
(running clish -> expert -> clish commands does not work, but running expert->
clish commands works).
Supported Linux Commands
Supported Linux Commands
These standard Linux commands are also supported by the Check Point Small and Medium Business
Appliance CLI.
n arp
n netstat
n nslookup
n ping
n resize
n sleep
n tcpdump
n top
n traceroute
n uptime
access-rule type outgoing
Relevant commands for outgoing access rule
add access-rule type outgoing
Description
Adds a new firewall access rule to the outgoing (clear) traffic Rule Base.
Syntax
add access-rule type outgoing [ action <action> ] [ log <log> ] [ source

<source> ] [ source-negate <source-negate>] [ destination <destination> ] [
destination-negate <destination-negate> ] [ service <service> ] [ service-
negate <service-negate> ] [ disabled <disabled> ] [ comment <comment> ] [
hours-range-enabled { true hours-range-from <hours-range-from> hours-range-
to <hours-range-to> | false } ] [ { position <position>| position-above
<position-above> | position-below <position-below> } ] [ name <name> ] [ {
[ application-name <application-name> ] | [ application-id <application-id>
] } ] [ application-negate <application-negate> ] [ limit-application-
download { true limit <limit> | false } ] [ limit-application-upload { true
limit <limit> | false } ]
Parameters
action The action taken when there is a match on the rule
Options: block, accept, ask, inform, block-inform
application-id Applications or web sites that are accepted or blocked
application-name Applications or web sites that are accepted or blocked
application- If true, the rule accepts or blocks all applications but the selected application
negate Type: Boolean (true/false)
comment Description of the rule
Type: A string that contains less than 257 characters, of this set: 0-9, a-z or , . - : ()
@
destination Network object that is the target of the connection
destination- If true, the destination is all traffic except what is defined in the destination field
disabled Indicates if the rule is disabled
Type: Boolean (true/false)
hours-range- If true, time is configured
enabled Type: Boolean (true/false)
hours-range-from Time in the format HH:MM
Type: A time format hh:mm
hours-range-to Time in the format HH:MM
limit Applications traffic upload limit (in kbps)
Type: A number with no fractional part (integer)
limit-application- If true, download is limited
download Type: Boolean (true/false)
limit-application- If true, upload is limited
upload Type: Boolean (true/false)
log Defines which logging method to use: None - do not log, Log - Create log, Alert - log
with alert, Account - account rule
Options: none, log, alert, account
name name
Type: A string of alphanumeric characters without space between them
position The order of the rule in comparison to other manual rules
Type: Decimal number
position-above The order of the rule in comparison to other manual rules
position-below The order of the rule in comparison to other manual rules
service The network service object that the rule should match to
service-negate If true, the service is everything except what is defined in the service field
source Network object or user group that initiates the connection
source-negate If true, the source is all traffic except what is defined in the source field
Example
add access-rule type outgoing action block log none source TEXT source-
negate true destination TEXT destination-negate true service TEXT service-
negate true disabled true comment "This is a comment." hours-range-enabled
true hours-range-from 23:20 hours-range-to 23:20 position 2 name word
application-name hasOne application-negate true limit-application-download
true limit 200 limit-application-upload true limit 5
delete access-rule type outgoing
delete access-rule type outgoing
Description
Deletes an existing firewall access rule to the outgoing (clear) traffic Rule Base by rule position or rule name.
Syntax
delete access-rule type outgoing position <position>
delete access-rule type outgoing name <name>
Parameters
name name
Example
delete access-rule type outgoing position 2
delete access-rule type outgoing name word
set access-rule type outgoing
Description
Configures an existing firewall access rule to the outgoing (clear) traffic Rule Base by position or name.
Syntax
set access-rule type outgoing position <position> [ action <action> ] [ log

<log>] [ source <source> ] [ source-negate <source-negate> ] [ destination
<destination> ] [ destination-negate <destination-negate> ] [ service
<service> ] [ service-negate <service-negate> ] [ disabled <disabled> ] [
comment <comment> ] [ hours-range-enabled { true hours-range-from <hours-
range-from> hours-range-to <hours-range-to> | false } ] [ { position
<position> | position-above <position-above> | position-below <position-
below> } ] [ name <name> ] [ { [ application-name <application-name> ] | [
application-id <application-id>] } ] [ application-negate <application-
negate> ] [ limit-application-download { true limit <limit> | false } ] [
limit-application-upload { true limit <limit> | false } ]
set access-rule type outgoing name <name>[ action <action> ] [ log <log> ]
[ source <source> ] [ source-negate <source-negate> ] [ destination
comment <comment> ] [ hours-range-enabled { true hours-range-from <hours-
below> } ] [ name <name> ] [ { [ application-name <application-name> ] | [
application-id <application-id> ] } ] [ application-negate <application-
negate> ] [ limit-application-download { true limit <limit> | false } ] [
limit-application-upload { true limit <limit> | false } ]
Parameters
application-id Applications or web sites that are accepted or blocked
application-name Applications or web sites that are accepted or blocked
application- If true, the rule accepts or blocks all applications but the selected application
@
hours-range-from Time in the format HH:MM
limit Applications traffic upload limit (in kbps)
limit-application- If true, download is limited
download Type: Boolean (true/false)
limit-application- If true, upload is limited
upload Type: Boolean (true/false)
name name
Example
set access-rule type outgoing position 2 action block log none source TEXT
source-negate true destination TEXT destination-negate true service TEXT
service-negate true disabled true comment "This is a comment." hours-range-
enabled true hours-range-from 23:20 hours-range-to 23:20 position 2 name
word application-name hasOne application-negate true limit-application-
download true limit 100 limit-application-upload true limit 5
set access-rule type outgoing name word action block log none source TEXT
source-negate true destination TEXT destination-negate true service TEXT
service-negate true disabled true comment "This is a comment." hours-range-
enabled true hours-range-from 23:20 hours-range-to 23:20 position 2 name
word application-name hasOne application-negate true limit-application-
download true limit 100 limit-application-upload true limit 5
show access-rule type outgoing
show access-rule type outgoing
Description
Shows a firewall access rule in the outgoing (clear) traffic Rule Base according to name or position.
Syntax
show access-rule type outgoing name <name>
show access-rule type outgoing position <position>
Parameters
name name
position The order of a manual rule in comparison to other manual rules
Example
show access-rule type outgoing position 2
show access-rule type outgoing name word
access-rule type incoming-internal-and-vpn
access-rule type incoming-internal-
and-vpn
Commands relevant for firewall access rule to the incoming/internal/VPN traffic Rule Base.
add access-rule type incoming-internal-and-vpn
Description
Adds a new firewall access rule to the incoming/internal/VPN traffic Rule Base.
Syntax
add access-rule type incoming-internal-and-vpn [ action <action> ] [ log

<log> ] [ source <source> ] [ source-negate <source-negate> ] [ destination
comment <comment>] [ hours-range-enabled { true hours-range-from <hours-
below>} ] [ name <name> ] [ vpn <vpn> ]
Parameters
Type: A string that contains less than 257 characters, of this set: 0-9, a-z or , . - : () @
hours-range- Time in the format HH:MM
from Type: A time format hh:mm
access-rule type incoming-internal-and-vpn
name name
vpn Indicates if traffic is matched on encrypted traffic only or all traffic
Example
add access-rule type incoming-internal-and-vpn action block log none source

TEXT source-negate true destination TEXT destination-negate true service
TEXT service-negate true disabled true comment "This is a comment." hours-
range-enabled true hours-range-from 23:20 hours-range-to 23:20 position 2
name word vpn true
delete access-rule type incoming-internal-and-vpn
delete access-rule type incoming-internal-and-
vpn
Description
Deletes an existing firewall access rule to the incoming/internal/VPN traffic Rule Base by rule name or rule
position.
Syntax
delete access-rule type incoming-internal-and-vpn name <name>
delete access-rule type incoming-internal-and-vpn position <position>
Parameters
name Name
Example
delete access-rule type incoming-internal-and-vpn name word
delete access-rule type incoming-internal-and-vpn position 2
set access-rule type incoming-internal-and-vpn
Description
Configures an existing firewall access rule to the incoming/internal/VPN traffic Rule Base by position or
name.
Syntax
set access-rule type incoming-internal-and-vpn position <position> [ action

<action>] [ log <log> ] [ source <source> ] [ source-negate <source-negate>
] [ destination <destination> ] [ destination-negate <destination-negate> ]
[ service <service> ] [ service-negate <service-negate> ] [ disabled
<disabled> ] [ comment <comment> ] [ hours-range-enabled { true hours-
range-from <hours-range-from> hours-range-to <hours-range-to> | false } ] [
{ position <position> | position-above <position-above> | position-below
<position-below> } ] [ name <name> ] [ vpn <vpn>]
set access-rule type incoming-internal-and-vpn name <name> [ action

<action> ] [ log <log> ] [ source <source> ] [ source-negate <source-
negate> ] [ destination <destination> ] [ destination-negate <destination-
negate>] [ service <service> ] [ service-negate <service-negate> ] [
disabled <disabled> ] [ comment <comment> ] [ hours-range-enabled { true
hours-range-from <hours-range-from> hours-range-to <hours-range-to> | false
} ] [ { position <position> | position-above <position-above> | position-
below <position-below> } ] [ name <name> ] [ vpn <vpn> ]
Parameters
hour-range-to Time in the format HH:MM
name name
Example
set access-rule type incoming-internal-and-vpn position 2 action block log

none source TEXT source-negate true destination TEXT destination-negate
true service TEXT service-negate true disabled true comment "This is a
comment." hours-range-enabled true hours-range-from 23:20 hours-range-to
23:20 position 2 name word vpn true
set access-rule type incoming-internal-and-vpn name word action block log

none source TEXT source-negate true destination TEXT destination-negate
true service TEXT service-negate true disabled true comment "This is a
comment." hours-range-enabled true hours-range-from 23:20 hours-range-to
23:20 position 2 name word vpn true
show access-rule type incoming-internal-and-vpn
show access-rule type incoming-internal-and-
vpn
Description
Shows a firewall access rule in the incoming/internal/VPN traffic Rule Base according to position or name..
Syntax
show access-rule type incoming-internal-and-vpn position <position>
show access-rule type incoming-internal-and-vpn name <name>
Parameters
position The order of a manual rule in comparison to other manual rules
name name
Example
show access-rule type incoming-internal-and-vpn position 2
show access-rule type incoming-internal-and-vpn name word
additional-hw-settings
additional-hw-settings
Relevant commands for additional hardware settings.
set additional-hw-settings
Description
Configures various hardware settings.
Syntax
set additional-hw-settings [ reset-timeout <reset-timeout> ]
Parameters
reset-timeout Indicates the amount of time (in seconds) that you need to press and hold the factory
defaults button on the back panel to restore to the factory defaults image
Example
set additional-hw-settings reset-timeout 15
show additional-hw-settings
Description
Shows advanced hardware related setings.
Syntax
Parameters
n/a
Example
additional-management-settings
additional-management-settings
Commands relevant for additional management settings.
set additional-management-settings
Description
Configure additional management settings.
Syntax
set additional-management-settings advanced-settings install-temporary-

policy-to-storage <advanced-settings install-temporary-policy-to-storage>
Parameters
advanced-settings Indicates whether the temporary policy installation files will be saved to the
install-temporary- storage partition
policy- Type: Boolean (true/false)
to-storage
Example
set additional-management-settings advanced-settings install-temporary-

policy-to-storage true
show additional-management-settings
Description
Show the additional management settings that were configured.
Syntax
Parameters
n/a
Example
ad-server
ad-server
Relevant commands for ad server
add ad-server
Description
Adds a new Active Directory server object.
Syntax
add ad-server domain <domain> ipv4-address <ipv4-address> username

<username> password <password> user-dn <user-dn> use-branch-path { true
branch-path <branch-path> | false }
When you fill the branch-path field, you can add multiple branches by chaining them into a single string with
a semi-colon separator between them: branch1path;branch2path;branch3path
Parameters
branch-path The branch of the domain to be used
Type: An LDAP DN
domain Domain name
Type: Host name
ipv4-address Domain controller IP address
password The user's password
Type: A string that contains alphanumeric and special characters
use-branch- Select only if you want to use only part of the user database defined in the Active
path Directory
user-dn FQDN of the user
Type: An LDAP DN
username A user name with administrator privileges to communicate with the AD server
Type: A string that contains (0-9, a-z, - . @) up to 64 characters without spaces
Example
add ad-server domain myHost.com ipv4-address 192.168.1.1 username admin

password a(&7Ba user-dn cn=John\ Doe,dc=example,dc=com use-branch-path true
branch-path cn=John\ Doe,dc=example,dc=com
delete ad-server
delete ad-server
Description
Deletes an existing Active Directory server object.
Syntax
delete ad-server <domain>
Parameters
domain Domain name
Type: Host name
Example
delete ad-server myHost.com
set ad-server
set ad-server
Description
Configures an existing Active Directory server object.
Syntax
set ad-server <domain> [ ipv4-address <ipv4-address> ] [ username

<username>
] [ password <password> ] [ user-dn <user-dn> ] [ use-branch-path { true [

branch-path <branch-path> ] | false } ]
When you fill the branch-path field, you can add multiple branches by chaining them into a single string with
a semi-colon separator between them: branch1path;branch2path;branch3path
Parameters
branch-path The branch of the domain to be used
Type: An LDAP DN
domain Domain name
Type: Host name
ipv4-address Domain controller IP address
password The user's password
use-branch- Select only if you want to use only part of the user database defined in the Active
path Directory
user-dn FQDN of the user
Type: An LDAP DN
username A user name with administrator privileges to communicate with the AD server
Example
set ad-server myHost.com ipv4-address 192.168.1.1 username admin password a

(&7Ba user-dn cn=John\ Doe,dc=example,dc=com use-branch-path true branch-
path cn=John\ Doe,dc=example,dc=com
show ad-server
show ad-server
Description
Shows settings of a configured Active Directory server object.
Syntax
show ad-server <domain>
Parameters
domain Domain name
Type: Host name
Example
show ad-server myHost.com
show ad-servers
show ad-servers
Description
Shows settings of all configured AD server objects.
Syntax
show ad-servers
Parameters
n/a
Example
show ad-servers
address-range
address-range
Relevant commands for address range.
add address-range
Description
Adds a new IP address range object.
Syntax
add address-range name <name> start-ipv4 <start-ipv4> end-ipv4 <end-ipv4> [

dhcp-exclude-ip-addr <dhcp-exclude-ip-addr> ]
Parameters
dhcp-exclude-ip-addr Indicates if the object's IP address(es) is excluded from internal DHCP daemon
Options: on, off
end-ipv4 The end of the IP range
name Network Object name
Type: String
start-ipv4 The beginning of the IP range
Example
add address-range name TEXT start-ipv4 192.168.1.1 end-ipv4 192.168.1.1

dhcp-exclude-ip-addr on
delete address-range
delete address-range
Description
Deletes an existing address range object.
Syntax
delete address-range <name>
Parameters
Type: String
Example
delete address-range TEXT
set address-range
set address-range
Description
Configures an existing IP address range object.
Syntax
set address-range <name> [ name <name> ] [ start-ipv4 <start-ipv4> ] [ end-

ipv4 <end-ipv4> ] [ dhcp-exclude-ip-addr <dhcp-exclude-ip-addr> ]
Parameters
Options: on, off
end-ipv4 The end of the IP range
Type: String
start-ipv4 The beginning of the IP range
Example
set address-range TEXT name TEXT start-ipv4 192.168.1.1 end-ipv4

192.168.1.1 dhcp-exclude-ip-addr on
show address-range
show address-range
Description
Shows settings of a configured IP address range object.
Syntax
show address-range <name>
Parameters
Type: String
Example
show address-range TEXT
show address-ranges
show address-ranges
Description
Shows settings of all configured IP address range objects.
Syntax
show address-ranges
Parameters
n/a
Example
show address-ranges
admin-access
admin-access
Relevant commands for admin access.
add admin access
Description
Adds a specific IPv4 address or a network IPv4 address from which the administrator can remotely access
the appliance.
Syntax
add admin-access-ipv4-address
{single-ipv4-address|network-ipv4-address} <ip_addr> {subnet-mask
<netmask>|mask-length <mask_length>}
Parameters
ip_addr IPv4 address
mask_length Interface mask length, a value between 1 - 32
netmask Interface IPv4 address subnet mask
Return Value
0 on success, 1 on failure
Example
add admin-access-ipv4-address network-ipv4-address 1.1.1.1 subnet-mask

255.255.255.0
set admin-access
set admin-access
Description
Configures various parameters for administrator access to the device via web/SSH.
Syntax
set admin-access [ interfaces { Wireless access <access> | VPN access

<access> | LAN access <access> | any access { allow | block } | WAN access
<access> } ] [ web-access-port <web-access-port> ] [ ssh-access-port <ssh-
access-port> ] [ support-weak-tls-version <support-weak-tls-version> ] [
allowed-ipv4-addresses <allowed-ipv4-addresses> ]
Parameters
access Enable administrator access from the Internet (clear traffic from external interfaces)
allowed-ipv4- Administrator access permissions policy for source IP addresses
addresses Options: any, from-ip-list, any-except-internet
ssh-access- SSH Port
port Type: Port number
support- For security reasons, it is highly recommended never to change this parameter's value.
weak-tls- Support of TLSv1.0 will be added back to the administration portal to allow connectivity
version with old browsers (usually ones released prior to 2014). Changing the default of this
parameter exposes the administration portal to attacks that use vulnerabilities like
Heartbleed (CVE-2014-0160).
web-access- Web Port (HTTPS)
Example
set admin-access interfaces Wireless access true web-access-port 8080 ssh-

access-port 8080 support-weak-tls-version true allowed-ipv4-addresses any
show admin-access
show admin-access
Description
Shows settings of administrator access configuration.
Syntax
show admin-access
Parameters
n/a
Example
show admin-access
admin-access-ip-addresses
admin-access-ip-addresses
Relevant commands for admin access IP addresses.
show admin-access-ip-addresses
Description
Show all the configured IP addresses that are permitted for administrator access to the appliance.
Syntax
Parameters
n/a
Example
delete admin-access-ip-address-all
Description
Delete all the reserved IP addresses for administrator access.
Syntax
Parameters
n/a
Example
admin-access-ipv4-address
admin-access-ipv4-address
Relevant commands for admin access IPv4 addresses.
Adds a specific IPv4 address or an IPv4 address network and mask from which the administrator can
remotely access the appliance according to configuration.
Description
Adds a specific IPv4 address from which the administrator can remotely access the appliance according to
configuration.
Syntax
add admin-access-ipv4-address single-ipv4-address <single-ipv4-address>
Parameters
single-ipv4-address IP address
Type: IP address
Example
add admin-access-ipv4-address single-ipv4-address 192.168.1.1
Description
Adds an IPv4 address network and mask from which the administrator can remotely access the appliance
according to configuration.
Syntax
add admin-access-ipv4-address network-ipv4-address <network-ipv4-address>{

subnet-mask <subnet-mask> | [ mask-length <mask-length> ] }
Parameters
mask-length Subnet mask length
Type: A string that contains numbers only
network-ipv4-address IP address
Type: IP address
subnet-mask Subnet mask
Type: Subnet mask
Example
add admin-access-ipv4-address network-ipv4-address 192.168.1.1 subnet-mask

255.255.255.0
delete admin-access-ipv4-address
delete admin-access-ipv4-address
Description
Deletes a specific IPv4 address or an IPv4 network and subnet from which the administrator can remotely
access the appliance according to configuration.
Syntax
delete admin-access-ipv4-address <ipv4-address>
Parameters
ipv4-address IP address
Type: IP address
Example
delete admin-access-ipv4-address 192.168.1.1
show admin-access-ipv4-addresses
Description
Shows allowed IP addresses for admin access.
Syntax
Parameters
n/a
Example
delete admin-access-ipv4-address-all
Description
Deletes all configured IPv4 addresses from which the administrator can remotely access the appliance
according to configuration.
Syntax
Parameters
n/a
Example
administrator
administrator
Relevant commands for admininstrators.
add administrator
Description
Adds a new user who can access the administration web portal and SSH.
Syntax
add administrator username <username> [ password-hash <password-hash> ]

permission <permission>
Parameters
password-hash Virtual field used for calculating a hashed password
Type: An encrypted password
permission The administrator role and permissions
Options: read-write, readonly, networking
username Indicates the administrator user name
Type: A string that contains [A-Z], [0-9], and '_' characters
Example
add administrator username admin password-hash TZXPLs20bN0RA permission

read-write
delete administrator
delete administrator
Description
Deletes an existing defined administrator. The system will not allow deletion of the last administrator.
Syntax
delete administrator username <username>
Parameters
Example
delete administrator username admin
set administrator
set administrator
Configures an existing user with administrator privileges.
set administrator
Description
Configures a new password for an existing administrator. You will be prompted to add a new password
following this command (this command cannot be used in a script).
Syntax
set administrator username <username> password
Parameters
Example
set administrator username admin password
set administrator
set administrator
Description
Configures an existing administrator's permission level and password (by hash).
Syntax
set administrator username <username> permission <permission> [ password-

hash <password-hash> ]
Parameters
password-hash Virtual field used for calculating a hashed password
permission The administrator role and permissions
Example
set administrator username admin permission read-write password-hash

TZXPLs20bN0RA
set administrators
set administrators
Configure users with administrator privileges through a RADIUS server.
set administrators
set administrators
Description
Configures users with administrator privileges through a RADIUS server.
Syntax
set administrators radius-auth { true [ use-radius-groups { true
radius-groups <radius-groups> | false } ] [ permission <permission> ] | false

}
Parameters
permission Administrators role
radius-auth Administrators RADIUS authentication
radius-groups RADIUS groups for authentication. Example: RADIUS-group1, RADIUS-class2
Type: A string that contains [A-Z], [0-9], '-', '@', '.', '_', ',' and space characters
use-radius-groups Use RADIUS groups for authentication
Example
set administrators radius-auth true use-radius-groups true radius-groups My

group permission read-write
show administrator
show administrator
Description
Shows settings of an existing user with administrator privileges.
Syntax
show administrator username <username>
Parameters
Example
show administrator username admin
show administrators
show administrators
Shows settings of all users with administrator privileges.
show administrators
show administrators
Description
Shows settings of all users with administrator privileges.
Syntax
show administrators
Parameters
n/a
Example
show administrators
show administrators
show administrators
Description
Shows advanced settings of all users with administrator privileges.
Syntax
show administrators advanced-settings
Parameters
n/a
Example
show administrators advanced-settings
show administrators
autogmt
AutoGMT allows the user to automatically determine the gateway’s location and time zone without user
input in the First Time Configuration Wizard.
set-autogmt
Description
Configure to automatically determine the gateway’s location and time zone without user input in the First
Time Configuration Wizard.
Note – In the "set privacy-settings advanced-settings" on page 693 command, the consent flags must be on
to enable this feature:
set privacy-settings advanced-settings customer-consent true location-service-
consent true
Syntax
set autogmt { on | off }
Parameters
n/a
Example
set autogmt on
show-autogmt
Description
Shows if the AutoGMT feature to automatically determine the gateway’s location and time zone is turned on
or off.
Syntax
show autogmt
show administrators
Parameters
n/a
Example
show autogmt
Output
Gateway-TG> show auto-timeZone

auto-timeZone:
administrators radius-auth
administrators radius-auth
Relevant commands for administrator radius authentication.
set administrators radius-auth
set administrators radius-auth
Description
Configure the administrator role on the RADIUS.
Syntax
set administrators radius-auth <enable/disable> use-radius-roles

<true|false>
Parameters
n/a
Example
set administrators radius-auth enable use-radius-roles true
set administrators radius-auth (legacy mode)
set administrators radius-auth (legacy mode)
Description
Use the default role for all RADIUS users.text.
Syntax
set administrators radius-auth <enable/disable> use-radius-roles false

permission <readonly/read-write/networking> [use-radius-groups <group_
name>]
Parameters
admin role n Read Only
n Read-Write
n Networking
group_name The name of the radius group
Example
set administrators radius-auth enable use-radius-roles false permission

networking [use-radius-groups <group_name>]
show administrators radius-auth
Description
Shows RADIUS related settings for users with administrator privileges.
Syntax
Parameters
n/a
Example
administrators roles-settings
Commands relevant for configuring administrator roles
set administrators roles-settings
Description
Configure settings for administrator roles.
Syntax
set administrators roles-settings customize-roles { true [roles-conf

<roles-conf> ] | false }
Parameters
customize- Customize administrators roles permissions
roles Type: Boolean (true/false)
roles-conf The configuration of administrator roles in base64 format. To get the right configuration,
contact Check Point Support.
Type: base64
Example
set administrators roles-settings customize-roles true roles-conf base64
show administrators roles-settings
Description
Show settings for administrator roles.
Syntax
Parameters
n/a
Example
administrator session-settings
administrator session-settings
Relevant commands for administrator session settings.
set administrator session-settings
set administrator session-settings
Description
Configures session settings for administrators. The settings are global for all administrators.
Syntax
set administrator session-settings [ lockout-enable <lockout-enable> ] [

max-lockout-attempts <max-lockout-attempts> ] [ lock-period <lock-period> ]
[ inactivity-timeout <inactivity-timeout> ] [ password-complexity-level
<password-complexity-level> ] [ password-expiration-timeout <password-
expiration-timeout> ]
Parameters
inactivity-timeout Allowed web interface session idle time before automatic logout is executed (in
minutes)
lock-period Once locked out, the administrator will be unable to login for this long
lockout-enable Limit administrators login failure attempts
Options: on, off
max-lockout- The maximum number of consecutive login failure attempts before the administrator
attempts is locked out
password- Set of additional restrictions on administrator passwords, according to the selected
complexity-level mode
Options: low, high
password- Number of days before administrator is required to change his password. Takes
expiration- effect only if password complexity level is set to 'high'
timeout Type: A number with no fractional part (integer)
Example
set administrator session-settings lockout-enable on max-lockout-attempts 5

lock-period 5 inactivity-timeout 5 password-complexity-level low password-
expiration-timeout 5
show administrator session-settings
Description
Shows session settings for users with administrator privileges.
Syntax
Parameters
n/a
Example
show adsl statistics
Description
Shows statistics regarding the DSL internet connection (applicable on appliance models with DSL).
Syntax
Parameters
n/a
Example
aggressive-aging
aggressive-aging
Relevant commands for aggressive aging.
set aggressive-aging
Configures aggressive aging feature's behavior. Aggressive Aging is designed to optimize how the device is
dealing with a large connection number by aggressively reducing the timeout of existing connections when
necessary.
Description
Configures aggressive aging default reduced timeouts.
Syntax
set aggressive-aging [ icmp-timeout <icmp-timeout> ] [ icmp-timeout-enable

<icmp-timeout-enable> ] [ other-timeout <other-timeout> ] [ other-timeout-
enable <other-timeout-enable> ] [ pending-timeout <pending-timeout> ] [
pending-timeout-enable <pending-timeout-enable> ] [ tcp-end-timeout <tcp-
end-timeout> ] [ tcp-end-timeout-enable <tcp-end-timeout-enable> ] [ tcp-
start-timeout <tcp-start-timeout> ] [ tcp-start-timeout-enable <tcp-start-
timeout-enable> ] [ tcp-timeout <tcp-timeout> ] [ tcp-timeout-enable <tcp-
timeout-enable> ] [ udp-timeout <udp-timeout> ] [ udp-timeout-enable <udp-
timeout-enable> ] [ general <general>] [ log <log> ] [ connt-limit-high-
watermark-pct <connt-limit-high-watermark-pct> ] [ connt-mem-high-
watermark-pct <connt-mem-high-watermark-pct> ] [ memory-conn-status
<memory-conn-status> ]
Parameters
connt-limit-high- watermark-pct Connection table percentage limit
connt-mem-high- watermark-pct Memory consumption percentage limit
general Enable aggressive aging of connections
icmp-timeout ICMP connections reduced timeout
icmp-timeout-enable Enable reduced timeout for ICMP connections
log Tracking options for aggressive aging
Options: log, none
memory-conn-status Choose when aggressive aging timeouts are enforced
Options: both, connections, memory
other-timeout Other IP protocols reduced timeout
other-timeout-enable Enable reduced timeout for non TCP/UDP/ICMP connections
pending-timeout Pending Data connections reduced timeout
pending-timeout- enable Enable reduced timeout for non TCP/UDP/ICMP connections
tcp-end-timeout TCP termination reduced timeout
tcp-end-timeout- enable Enable reduced timeout for TCP termination
tcp-start-timeout TCP handshake reduced timeout
tcp-start-timeout- enable Enable reduced timeout for TCP handshake
tcp-timeout TCP session reduced timeout
tcp-timeout-enable Enable reduced timeout for TCP session
udp-timeout UDP connections reduced timeout
udp-timeout-enable Enable reduced timeout for UDP connections
Example
set aggressive-aging icmp-timeout 30 icmp-timeout-enable true other-timeout

30 other-timeout-enable true pending-timeout 30 pending-timeout-enable true
tcp-end-timeout 3600 tcp-end-timeout-enable true tcp-start-timeout 3600
tcp-start-timeout-enable true tcp-timeout 3600 tcp-timeout-enable true udp-
timeout 3600 udp-timeout-enable true general true log log connt-limit-high-
watermark-pct 80 connt-mem-high-watermark-pct 80 memory-conn-status both
Description
Configures aggressive aging advanced settings.
Syntax
set aggressive-aging advanced-settings connections [ other-timeout-enable

<other-timeout-enable> ] [ connt-limit-high-watermark-pct <connt-limit-
high-watermark-pct> ] [ tcp-start-timeout-enable <tcp-start-timeout-enable>
] [ icmp-timeout-enable <icmp-timeout-enable> ] [ general <general> ] [
tcp-timeout-enable <tcp-timeout-enable> ] [ tcp-timeout <tcp-timeout> ] [
tcp-start-timeout <tcp-start-timeout> ] [ udp-timeout-enable <udp-timeout-
enable> ] [ udp-timeout <udp-timeout> ] [ pending-timeout-enable <pending-
timeout-enable>] [ log <log> ] [ connt-mem-high-watermark-pct <connt-mem-
high-watermark-pct> ] [ tcp-end-timeout-enable <tcp-end-timeout-enable> ] [
icmp-timeout <icmp-timeout> ] [ tcp-end-timeout <tcp-end-timeout> ] [
memory-conn-status <memory-conn-status> ] [ pending-timeout <pending-
timeout> ] [ other-timeout <other-timeout> ]
Parameters
n/a
Example
set aggressive-aging advanced-settings connections other-timeout-enable

true connt-limit-high-watermark-pct -1000000 tcp-start-timeout-enable true
icmp-timeout-enable true general true tcp-timeout-enable true tcp-timeout -
1000000 tcp-start-timeout -1000000 udp-timeout-enable true udp-timeout -
1000000 pending-timeout-enable true log log connt-mem-high-watermark-pct -
1000000 tcp-end-timeout-enable true icmp-timeout -1000000 tcp-end-timeout -
1000000 memory-conn-status both pending-timeout -1000000 other-timeout -
1000000
show aggressive-aging
Shows aggressive aging settings.
Description
Shows aggressive aging settings.
Syntax
Parameters
n/a
Example
Description
Shows aggressive aging advanced settings.
Syntax
show aggressive-aging advanced-settings
Parameters
n/a
Example
show aggressive-aging advanced-settings
antispam
antispam
Relevant commands for Anti-Spam Software Blade and settings.
set antispam
set antispam
Configures policy for Anti-Spam blade.
set antispam
set antispam
Description
Configures the policy for Anti-Spam blade.
Syntax
set antispam [ mode <mode> ] [ detection-method <detection-method> ] [ log

<log> ] [ action-spam-email-content <action-spam-email-content> ] [ flag-
subject-stamp <flag-subject-stamp> ] [ detect-mode <detect-mode> ] [
specify-suspected-spam-settings { true [ suspected-spam-log <suspected-
spam-log> ] [ action-suspected-spam-email-content <action-suspected-spam-
email-content> ] [ flag-suspected-spam-subject-stamp <flag-suspected-spam-
subject-stamp> ] | false } ]
Parameters
action-spam-email- Action to be used upon spam detection in email content: block, flag-header,
content flag-subject
Options: block, flag-header, flag-subject
action-suspected- spam- Action to be used upon suspected spam detection in email content: block,
email-content flag-header, flag-subject
Options: block, flag-header, flag-subject
detect-mode Detect-Only mode: on, off
detection-method Type of spam detection: Either Sender's IP address or both Sender's IP
address and content based detection
Options: email-content, sender-ipaddr-reputation-only
flag-subject-stamp Text to add to spam emails' subject (depends on action chosen for detected
spam)
Type: A string of alphanumeric characters with space between them
flag-suspected-spam- Text to add to suspected spam emails subject (depends on action chosen
subject-stamp for detected spam)
log Tracking options for spam emails: log, alert or none
Options: none, log, alert
mode Anti-Spam blade mode: on, off
Options: on, off
specify-suspected- spam- Handle suspected spam emails differently from spam emails
settings Type: Boolean (true/false)
set antispam
suspected-spam-log Tracking options for suspected spam emails: log, alert or none
Example
set antispam mode on detection-method email-content log none action-spam-

email-content block flag-subject-stamp several words detect-mode true
specify-suspected-spam-settings true suspected-spam-log none action-
suspected-spam-email-content block flag-suspected-spam-subject-stamp
several words
set antispam
set antispam
Description
Configures advanced setting for the Anti-Spam blade.
Syntax
set antispam advanced-settings ip-rep-fail-open <ip-rep-fail-open>
Parameters
n/a
Example
set antispam advanced-settings ip-rep-fail-open true
set antispam
set antispam
Description
Syntax
set antispam advanced-settings email-size-scan <email-size-scan>
Parameters
n/a
Example
set antispam advanced-settings email-size-scan 1024
set antispam
set antispam
Description
Syntax
set antispam advanced-settings scan-outgoing <scan-outgoing>
Parameters
n/a
Example
set antispam advanced-settings scan-outgoing true
set antispam
set antispam
Description
Syntax
set antispam advanced-settings spam-engine-timeout <spam-engine-timeout>
Parameters
n/a
Example
set antispam advanced-settings spam-engine-timeout 15
set antispam
set antispam
Description
Syntax
set antispam advanced-settings allow-mail-track <allow-mail-track>
Parameters
n/a
Example
set antispam advanced-settings allow-mail-track none
set antispam
set antispam
Description
Syntax
set antispam advanced-settings transparent-proxy <transparent-proxy>
Parameters
n/a
Example
set antispam advanced-settings transparent-proxy true
set antispam
set antispam
Description
Syntax
set antispam advanced-settings ip-rep-timeout <ip-rep-timeout>
Parameters
n/a
Example
set antispam advanced-settings ip-rep-timeout 15
set antispam
set antispam
Description
Syntax
set antispam advanced-settings spam-engine-all-mail-track
<spam-engine-all-mail-track>
Parameters
n/a
Example
set antispam advanced-settings spam-engine-all-mail-track none
show antispam
show antispam
Shows the configured policy for the Anti-Spam blade.
show antispam
show antispam
Description
Shows the configured policy for the Anti-Spam blade.
Syntax
show antispam
Parameters
n/a
Example
show antispam
show antispam
show antispam
Description
Shows the advanced settings in the configured policy for the Anti-Spam blade.
Syntax
show antispam advanced-settings
Parameters
n/a
Example
show antispam advanced-settings
antispam allowed-sender
antispam allowed-sender
add antispam allowed-sender
Adds a new Anti-Spam "allow" exception.
Description
Adds a new Anti-Spam "allow" exception for a specific IP address.
Syntax
add antispam allowed-sender ipv4-addr <ipv4-addr>
Parameters
ipv4-addr Anti-Spam allowed IP address
Type: IP address
Example
add antispam allowed-sender ipv4-addr 192.168.1.1
Description
Adds a new Anti-Spam "allow" exception for a sender email or domain.
Syntax
add antispam allowed-sender sender-or-domain <sender-or-domain>
Parameters
sender-or-domain Anti-Spam allowed domain or sender
Type: A domain or email address
Example
add antispam allowed-sender sender-or-domain myEmail@mail.com
delete antispam allowed-sender
Deletes an existing Anti-Spam "allow" exception.
Description
Deletes all existing Anti-Spam "allow" exceptions.
Syntax
delete antispam allowed-sender all
Parameters
n/a
Example
delete antispam allowed-sender all
Description
Deletes an existing Anti-Spam "allow" exception for sender's email or domain.
Syntax
delete antispam allowed-sender sender-or-domain <sender-or-domain>
Parameters
sender-or-domain Anti-Spam allowed domain or sender
Type: A domain name or email address
Example
delete antispam allowed-sender sender-or-domain myEmail@mail.com
Description
Deletes an existing Anti-Spam "allow" exception for a specific IPv4 address.
Syntax
delete antispam allowed-sender ipv4-addr <ipv4-addr>
Parameters
ipv4-addr Anti-Spam allowed IP address
Type: IP address
Example
delete antispam allowed-sender ipv4-addr 192.168.1.1
show antispam allowed-senders
Description
Shows the "allowed" exceptions for the Anti-Spam blade.
Syntax
Parameters
n/a
Example
antispam blocked-sender
antispam blocked-sender
add antispam blocked-sender
Adds a new Anti-Spam "block" exception.
Description
Adds a new Anti-Spam "block" exception for a specific IP address.
Syntax
add antispam blocked-sender ipv4-addr <ipv4-addr>
Parameters
ipv4-addr Anti-Spam blocked IP address
Type: IP address
Example
add antispam blocked-sender ipv4-addr 192.168.1.1
Description
Adds a new Anti-Spam "block" exception for a sender email or domain.
Syntax
add antispam blocked-sender sender-or-domain <sender-or-domain>
Parameters
sender-or-domain Anti-Spam blocked domain or sender
Example
add antispam blocked-sender sender-or-domain myEmail@mail.com
delete antispam blocked-sender
Deletes an existing Anti-Spam "block" exception.
Description
Deletes all existing Anti-Spam "block" exceptions.
Syntax
delete antispam blocked-sender all
Parameters
n/a
Example
delete antispam blocked-sender all
Description
Deletes an existing Anti-Spam "block" exception for sender's email or domain.
Syntax
delete antispam blocked-sender sender-or-domain <sender-or-domain>
Parameters
sender-or-domain Anti-Spam blocked domain or sender
Example
delete antispam blocked-sender sender-or-domain myEmail@mail.com
Description
Deletes an existing Anti-Spam "block" exception for a specific IPv4 address.
Syntax
delete antispam blocked-sender ipv4-addr <ipv4-addr>
Parameters
ipv4-addr Anti-Spam blocked IP address
Type: IP address
Example
delete antispam blocked-sender ipv4-addr 192.168.1.1
show antispam blocked-senders
Description
Shows the "blocked" exceptions for the Anti-Spam blade.
Syntax
Parameters
n/a
Example
application
application
Relevant commands for application.
add application
add application
Adds a new custom application object (string or regular expression signature over URL).
add application
add application
Description
Adds a new custom application object (string or regular expression signature over URL).
Syntax
add application application-name <application-name> category <category> [

regex-url <regex-url> ] application-url <application-url>
Parameters
application-name Application name
Type: URL
application-url Contains the URLs related to this application
category The primary category for the application (the category which is the most relevant)
regex-url Indicates if regular expressions are used instead of partial strings
Example
add application application-name http://somehost.example.com category TEXT

regex-url true application-url http://somehost.example.com
add application
add application
Description
Simplified method for adding a new custom application object (string over URL)
Syntax
add application-url <application-url>
Parameters
application-url Application URL
Example
add application-url http://somehost.example.com
delete application
delete application
Deletes an existing custom application object (string or regular expression signature over URL).
delete application
delete application
Description
Deletes an existing custom application object by application ID.
Syntax
delete application application-id <application-id>
Parameters
application-id The ID of the application
Example
delete application application-id 1000000
delete application
delete application
Description
Deletes an existing custom application object by application name.
Syntax
delete application application-name <application-name>
Parameters
Type: URL
Example
delete application application-name http://somehost.example.com
find application
find application
Description
Find an application by name (or partial string) to view further details regarding it.
Syntax
find application <application-name>
Parameters
application-name Application or group name
Type: String
Example
find application TEXT
set application
set application
Configures an existing custom application object.
set application
set application
Description
Adds a URL to an existing custom application object by name.
Syntax
set application application-name <application-name> add url <url>
Parameters
Type: URL
url Application URL
Example
set application application-name http://somehost.example.com add url

http://somehost.example.com
set application
set application
Description
Removes a URL from an existing custom application object by name.
Syntax
set application application-name <application-name>remove url <url>
Parameters
Type: URL
url Application URL
Example
set application application-name http://somehost.example.com remove url

set application
set application
Description
Adds a URL to an existing custom application object by ID.
Syntax
set application application-id <application-id> add url <url>
Parameters
url Application URL
Example
set application application-id 12345678 add url http://somehost.example.com
set application
set application
Description
Removes a URL from an existing custom application object by ID.
Syntax
set application application-id <application-id> remove url <url>
Parameters
url Application URL
Example
set application application-id 12345678 remove url

set application
set application
Description
Adds a category to an existing custom application object by name.
Syntax
set application application-name <application-name> add category <category>
Parameters
Type: URL
category Category name
Example
set application application-name http://somehost.example.com add category

TEXT
set application
set application
Description
Removes a category from an existing custom application object by name.
Syntax
set application application-name <application-name> remove category

<category>
Parameters
Type: URL
Example
set application application-name http://somehost.example.com remove

category TEXT
set application
set application
Description
Adds a category to an existing custom application object by ID.
Syntax
set application application-id <application-id> add category <category>
Parameters
Example
set application application-id 12345678 add category TEXT
set application
set application
Description
Removes a category from an existing custom application object by ID.
Syntax
set application application-id <application-id> remove category <category>
Parameters
Example
set application application-id 12345678 remove category TEXT
set application
set application
Description
Configures an existing custom application by ID.
Syntax
set application application-id <application-id> [ category <category> ] [

regex-url <regex-url> ]
Parameters
Example
set application application-id 12345678 category TEXT regex-url true
set application
set application
Description
Configures an existing custom application by name.
Syntax
set application application-name <application-name> [ category <category> ]

[ regex-url <regex-url>]
Parameters
Type: URL
Example
set application application-name http://somehost.example.com category TEXT

regex-url true
show application
show application
Shows details for a specific application in the Application Control database.
show application
show application
Description
Shows details for a specific application in the Application Control database by application name.
Syntax
show application application-name <application-name>
Parameters
Type: String
Example
show application application-name TEXT
show application
show application
Description
Shows details for a specific application in the Application Control database by application ID.
Syntax
show application application-id <application-id>
Parameters
application-id The ID of the application or the group
Example
show application application-id 12345678
show applications
show applications
Description
Shows details of all applications.
Syntax
show applications
Parameters
n/a
Example
show applications
application-control
application-control
set application-control
Description
Configures the default policy for the Application Control and URL filtering blades.
Syntax
set application-control [ mode <mode>] [ url-flitering-only <url-flitering-

only>] [ block-security-categories <block-security-categories>] [ block-
inappropriate-content <block-inappropriate-content> ] [ block-other-
undesired-applications <block-other-undesired-applications> ] [ block-file-
sharing-applications <block-file-sharing-applications> ] [ limit-bandwidth
{ true [ limit-upload { true set-limit <set-limit> | false } ] [ limit-
download { true set-limit <set-limit> | false } ] | false } ]
Parameters
block-file-sharing- Block file sharing using torrents and peer-to-peer applications
applications Type: Boolean (true/false)
block- Control content by blocking Internet access to websites with inappropriate content
inappropriate- such as sex, violence, weapons, gambling, and alcohol
content Type: Boolean (true/false)
block-other- Manually add and block applications or categories of URLs to a group of
undesired- undesired applications
applications Type: Boolean (true/false)
block-security- Block applications and URLs that can be a security risk and are categorized as
categories spyware, phishing, botnet, spam, anonymizer, or hacking
limit-bandwidth Indicates if applications that use a lot of bandwidth are limited (also used for QoS)
limit-download If true, traffic for downloading is limited to the value in maxLimitedDownload
limit-upload If true, traffic for uploading is limited to the value in maxLimitedDownload
mode Applications & URLs mode - true for on, false for off
set-limit The limit, in kbps, for downloading
url-flitering-only Indicates if enable URL Filtering and detection only mode is enabled
Example
set application-control mode true url-flitering-only true block-security-

categories true block-inappropriate-content true block-other-undesired-
applications true block-file-sharing-applications true limit-bandwidth true
limit-upload true set-limit 5 limit-download true set-limit 100
show application-control
Description
Shows the configured policy for the Application Control blade
Syntax
Parameters
n/a
Example
show application-control other-undesired-applications
show application-control other-undesired-
applications
Description
Shows the content of the custom "Other Undesired Applications" group. This group can be chosen to be
blocked by default by the Application Control policy.
Syntax
Parameters
n/a
Example
application-control-engine-settings
application-control-engine-settings
set application-control-engine-settings
Configures Application Control blade's advanced engine settings.
Description
Syntax
set application-control-engine-settings advanced-settings fail-mode <fail-

mode>
Parameters
n/a
Example
set application-control-engine-settings advanced-settings fail-mode allow-

all-requests
Description
Syntax
set application-control-engine-settings advanced-settings block-requests-

when-web-service-unavailable <block-requests-when-web-service-unavailable>
Parameters
n/a
Example
set application-control-engine-settings advanced-settings block-requests-

when-web-service-unavailable true
Description
Syntax
set application-control-engine-settings advanced-settings enforce-safe-

search <enforce-safe-search>
Parameters
n/a
Example
set application-control-engine-settings advanced-settings enforce-safe-

search true
Description
Syntax
set application-control-engine-settings advanced-settings web-site-

categorization-mode <web-site-categorization-mode>
Parameters
n/a
Example
set application-control-engine-settings advanced-settings web-site-

categorization-mode background
Description
Syntax
set application-control-engine-settings advanced-settings track-browse-time
<track-browse-time>
Parameters
n/a
Example
set application-control-engine-settings advanced-settings track-browse-time

true
Description
Syntax
set application-control-engine-settings advanced-settings http-referrer-

identification <http-referrer-identification>
Parameters
n/a
Example
set application-control-engine-settings advanced-settings http-referrer-

identification true
Description
Syntax
set application-control-engine-settings advanced-settings categorize-

cached-and-translated-pages <categorize-cached-and-translated-pages>
Parameters
n/a
Example
set application-control-engine-settings advanced-settings categorize-

cached-and-translated-pages true
show application-control-engine-settings
show application-control-engine-settings
Description
Shows advanced settings of the Application Control blade.
Syntax
show application-control-engine-settings advanced-settings
Parameters
n/a
Example
show application-control-engine-settings advanced-settings
application-group
application-group
add application-group
add application-group
Description
Adds a new group object for applications.
Syntax
add application-group name <name>
Parameters
name Application group name
Type: A string that begins with a letter and contain up to 32 alphanumeric (0-9, a-z, _ - .
&) characters without spaces
Example
add application-group name users
delete application-group
Deletes an existing group object of applications.
Description
Deletes an existing group object of applications by group object name.
Syntax
delete application-group name <name>
Parameters
Example
delete application-group name users
Description
Deletes an existing group object of applications by group object ID.
Syntax
delete application-group application-group-id <application-group-id>
Parameters
application-group-id The ID of the application group
Example
delete application-group application-group-id 12345678
set application-group
Configures an existing application group object.
Description
Adds an application to an existing application group object by application's name.
Syntax
set application-group name <name> add application-name <application-name>
Parameters
application- Application or group name
name
Example
set application-group name users add application-name hasMany
Description
Removes an application from an existing application group object by application's name.
Syntax
set application-group name <name> remove application-name <application-

name>
Parameters
application- Application or group name
name
Example
set application-group name users remove application-name hasMany
Description
Adds an application to an existing application group object by application's ID.
Syntax
set application-group name <name> add application-id <application-id>
Parameters
Example
set application-group name users add application-id hasMany
Description
Removes an application from an existing application group object by application's ID.
Syntax
set application-group name <name> remove application-id <application-id>
Parameters
Example
set application-group name users remove application-id hasMany
Description
Adds an application to an existing application group object by application's name using group object's ID.
Syntax
set application-group application-group-id <application-group-id> add

application-name <application-name>
Parameters
Example
set application-group application-group-id 12345678 add application-name

hasMany
Description
Removes an application from an existing application group object by application's name using group
object's ID.
Syntax
set application-group application-group-id <application-group-id> remove

application-name <application-name>
Parameters
Example
set application-group application-group-id 12345678 remove application-name

hasMany
Description
Adds an application to an existing application group object by application's ID using group object's ID.
Syntax
set application-group application-group-id <application-group-id> add

application-id <application-id>
Parameters
Example
set application-group application-group-id 12345678 add application-id

hasMany
Description
Removes an application from an existing application group object by application's ID using group object's
ID.
Syntax
set application-group application-group-id <application-group-id> remove

application-id <application-id>
Parameters
Example
set application-group application-group-id 12345678 remove application-id

hasMany
show application-group
shows the configuration of the Application group objects.
Description
Shows the configuration of a specific application group object by ID.
Syntax
show application-group application-group-id <application-group-id>
Parameters
Example
show application-group application-group-id 12345678
Description
Shows the configuration of a specific application group object by name.
Syntax
show application-group name <name>
Parameters
Example
show application-group name users
show application-groups
Description
Shows the configuration of all specific application group objects.
Syntax
Parameters
n/a
Example
antispoofing
antispoofing
set antispoofing
set antispoofing
Description
Configures the activation of the IP address Anti-Spoofing feature.
Syntax
set antispoofing advanced-settings global-activation <global-activation>
Parameters
n/a
Example
set antispoofing advanced-settings global-activation true
show antispoofing
show antispoofing
Description
Shows the configuration for IP addresses Anti-Spoofing functionality.
Syntax
show antispoofing advanced-settings
Parameters
n/a
Example
show antispoofing advanced-settings
backup settings
backup settings
Description
Creates a backup file that contains the current settings for the appliance and saves them to a file. The file is
saved to either a USB device or TFTP server. You can use these options when the backup file is created:
n Specific file name (The default file name contains the current image and a date and time stamp)
n Password encryption
n Backup policies
n Add a comment to the file
Syntax
backup settings to {usb|tftp server <serverIP>} [filename <filename>]

[file-encryption {off|on password <pass>}] [backup-policy {on|off}] [add-
comment <comment>]
Parameters
comment Comment that is added to the file.
filename Name of the backup file.
pass Password for the file. Alphanumeric and special characters are allowed.
serverIP IPv4 address of the TFTP server.
Return Value
Example
backup settings to usb file-encryption on password admin backup-policy on

add-comment check_point_new_configuration
Output
Success prints OK. Failure shows an appropriate error message.
Comments
When saving the backup file to a USB device, the backup settings command fails if there are two USB
devices connected to the appliance.
show backup settings
show backup settings
Description
Shows previous backup information of the appliance's settings.
show backup-settings-log shows the log file of previous backup settings operations.
Syntax
show backup-settings-{log|info {from tftp server <server> filename

<file>|from usb filename <file>}}
Parameters
server IP address or host name of the TFTP server
file Name of backup file
Example
show backup-settings-log
show backup-settings-info from usb filename backup
Output
Success shows backup settings information. Failure shows an appropriate error message.
blade-update-schedule
blade-update-schedule
set blade-update-schedule
Configures schedule for Software Blade updates.
Description
Configures schedule forSoftware Blades updates.
Syntax
set blade-update-schedule [ schedule-ips <schedule-ips> ] [ schedule-anti-

bot <schedule-anti-bot> ] [ schedule-anti-virus <schedule-anti-virus> ] [
schedule-appi <schedule-appi> ] [ recurrence { daily time <time>| weekly
day-of-week <day-of-week>time <time> | hourly hour-interval <hour-
interval> | monthly day-of-month <day-of-month> time <time> } ]
Parameters
day-of-month If the update occurs monthly, this is the day in which it occurs
day-of-week If the update occurs weekly, this is the weekday in which it occurs
Options: sunday, monday, tuesday, wednesday, thursday, friday, saturday
hour-interval If the update occurs hourly, this indicates the hour interval between each update
recurrence The recurrence of the updates - hourly, daily, weekly or monthly
Type: Press TAB to see available options
schedule-anti- Indicates if Anti-Bot blade is automatically updated according to configured
bot schedule
schedule-anti- Indicates if Anti-Virus blade is automatically updated according to configured
virus schedule
schedule-appi Indicates if Application Control blade is automatically updated according to
configured schedule
schedule-ips Indicates if IPS blade is automatically updated according to configured schedule
time The hour of the update (Format: HH:MM in 24 hour clock)
Example
set blade-update-schedule schedule-ips true schedule-anti-bot true

schedule-anti-virus true schedule-appi true recurrence daily time 23:20
Description
Configures advanced settings for Software Blade updates.
Syntax
set blade-update-schedule advanced-settings max-num-of-retries <max-num-of-

retries>
Parameters
n/a
Example
set blade-update-schedule advanced-settings max-num-of-retries 10
Description
Configures advanced settings for Software Blade updates.
Syntax
set blade-update-schedule advanced-settings timeout-until-retry <timeout-

until-retry>
Parameters
n/a
Example
set blade-update-schedule advanced-settings timeout-until-retry 10
show blade-update-schedule
Shows the configuration of Software Blade updates schedule.
Description
Shows the configuration of Software Blade updates schedule
Syntax
Parameters
n/a
Example
Description
Shows advanced settings of Software Blade updates schedule.
Syntax
show blade-update-schedule advanced-settings
Parameters
n/a
Example
show blade-update-schedule advanced-settings
bookmark
bookmark
add bookmark
add bookmark
Description
Adds a new bookmark link that will appear for VPN remote access users in the SNX VPN remote access
landing page.
Syntax
add bookmark label <label> url <url> [ tooltip <tooltip> ] [ type <type> ]
[ is-global <is-global> ] [ user-name <user-name> ] [ password <password> ]
[ screen-width <screen-width> ] [ screen-height <screen-height> ]
Parameters
is-global Indicates if the bookmark will be displayed for all remote access users
label Text for the bookmark in the SSL Network Extender portal
password The password for remote desktop connection
screen-height The height of the screen when the bookmark is remote desktop
screen-width The width of the screen when the bookmark is remote desktop
tooltip Tooltip for the bookmark in the SSL Network Extender portal
type The type of the bookmark - link or remote desktop connection
Options: link, rdp
url Bookmark URL - should start with http:// or https:// for a bookmark of type link

Type: URL
user-name The user name for remote desktop connection
Example
add bookmark label myLabel url http://www.checkpoint.com/ tooltip "This is

a comment." type link is-global true user-name admin password a(&7Ba
screen-width 1920 screen-height 1080
delete bookmark
delete bookmark
Deletes an existing bookmark link that appears in the SNX VPN remote access landing page.
delete bookmark
delete bookmark
Description
Deletes an existing bookmark link by label.
Syntax
delete bookmark label <label>
Parameters
Example
delete bookmark label myLabel
delete bookmark
delete bookmark
Description
Deletes all existing bookmark links.
Syntax
delete bookmark all
Parameters
n/a
Example
delete bookmark all
set bookmark
set bookmark
Description
Configures an existing bookmark shown to users in the SNX landing page.
Syntax
set bookmark [ label <label> ] [ new-label <new-label> ] [ url <url> ] [

tooltip <tooltip> ] [ type <type> ] [ is-global <is-global> ] [ user-name
<user-name> ] [ password <password> ] [ screen-width <screen-width> ] [
screen-height <screen-height> ]
Parameters
is-global Indicates if the bookmark will be displayed for all remote access users
new-label Text for the bookmark in the SSL Network Extender portal
password The password for remote desktop connection
screen-height The height of the screen when the bookmark is remote desktop
screen-width The width of the screen when the bookmark is remote desktop
tooltip Tooltip for the bookmark in the SSL Network Extender portal
type The type of the bookmark - link or remote desktop connection
Options: link, rdp
url Bookmark URL - should start with http:// or https:// for a bookmark of type link
Type: URL
user-name The user name for remote desktop connection
set bookmark
Example
set bookmark label myLabel new-label myNewLabel url

http://www.checkpoint.com/ tooltip myToolTip type link is-global true user-
name admin password a(&7Ba screen-width 1920 screen-height 1080
show bookmark
show bookmark
Description
Shows the configuration of a bookmark defined to be shown to users when connecting to the SNX portal
using remote access VPN.
Syntax
show bookmark label <label>
Parameters
Example
show bookmark label myLabel
show bookmarks
show bookmarks
Description
Shows all bookmarks defined to be shown to users when connecting to the SNX portal using remote access
VPN.
Syntax
show bookmarks
Parameters
n/a
Example
show bookmarks
bridge
bridge
add bridge
add bridge
Description
Adds a new bridge.
Syntax
add bridge [ name <name> ]
Parameters
name Bridge name
Type: A bridge name should be br0-9
Example
add bridge name br7
delete bridge
delete bridge
Description
Deletes an existing bridge.
Syntax
delete bridge <name>
Parameters
name Bridge name
Example
delete brdige br7
set bridge
set bridge
Configures an existing bridge interface.
set bridge
set bridge
Description
Configures an existing bridge interface.
Syntax
set bridge <name> stp <stp>
Parameters
name Bridge name
stp Spanning Tree Protocol mode
Options: on, off
Example
set bridge br7 stp on
set bridge
set bridge
Description
Adds an existing network/interface to an existing bridge.
Syntax
set bridge <name> add member <member>
Parameters
member Network name
name Bridge name
Example
set bridge br7 add member My_Network
set bridge
set bridge
Description
Removes an existing network/interface from an existing bridge.
Syntax
set bridge <name> remove member <member>
Parameters
member Network name
name Bridge name
Example
set bridge br7 remove member My_Network
show bridge
show bridge
Description
Shows configuration and statistics of a defined bridge.
Syntax
show bridge <name>
Parameters
name Bridge name
Example
show bridge br7
show bridges
show bridges
Description
Shows details of all defined bridges.
Syntax
show bridges
Parameters
n/a
Example
show bridges
show bridges
show cellular-modem-status
Description
Show the status of the cellular (LTE) modem..
Syntax
Parameters
N/A
Example
show clock
show clock
Description
Shows current system date and time.
Syntax
show clock
Parameters
n/a
Example
show clock
Output
Success shows date and time. Failure shows an appropriate error message.
cloud-deployment
cloud-deployment
set cloud-deployment
set cloud-deployment
Description
Configures different settings for zero-touch deployment. Command is relevant to preset files.
Syntax
set cloud-deployment [ cloud-url <cloud-url> ] [ gateway-name <gateway-

name>
] [ template <template> ] [ container <container> ]
Parameters
cloud-url The DNS or IP address through which the device will connect to the cloud service
Type: URL
container Container
Type: String
gateway-name The appliance name used to identify the gateway
Type: A string that contains [A-Z], [0-9] and '-' characters
template Template
Type: String
Example
set cloud-deployment cloud-url http://www.checkpoint.com/ gateway-name My-

appliance template TEXT container TEXT
show cloud-deployment
Description
Shows the configuration of cloud management connection.
Syntax
Parameters
n/a
Example
cloud-notifications
cloud-notifications
These commands are relevant for Cloud notifications
set cloud-notification
set cloud-notification
Description
Turn on/off a specific notification type.
Syntax
set cloud-notification <notification-type> mode <mode>
Parameters
notification-type Describes the notification type including:
n license-expired
n license-about-to-expire
n license-activated
n infected-device
n malicious-file-blocked
n malicious-file-downloaded
n firmware-upgrade-available
n new-device
n system-up
n unexpected-reboot
n primary-internet-up
n secondary-internet-up
n malicious-mail-blocked
n malicious-mail-received
n reconnected-device
mode Enable sending the chosen cloud notification type.
Example
set cloud-notification license-expired mode on
show cloud-notifications
Description
Show mode for all types of notifications
Syntax
Parameters
n/a
Example
send cloud-report
send cloud-report
Description
Force sending a report to Cloud Services.
Syntax
send cloud-report type <type>
Parameters
type The report type
Options: top-last-hour, top-last-day, top-last-week, top-last-month, 3d
Example
send cloud-report type top-last-hour
cloud-services
cloud-services
reconnect cloud-services
Description
Force a manual reconnection to Cloud Services.
Syntax
Parameters
n/a
Example
set cloud-services
set cloud-services
Configures settings for cloud/SMP management connection.
set cloud-services
set cloud-services
Description
Configures settings for cloud/SMP management connection.
Syntax
set cloud-services [ { [ activation-key <activation-key> ] | [ [ service-

center <service-center> ] [ gateway-id <gateway-id> ] [ registration-key
<registration-key> ] ] } ] [ confirm-untrusted-certificate <confirm-
untrusted-certificate> ] [ mode <mode> ]
Parameters
activation-key A key received from the Cloud Services provider which is used to initialize the
connection to the Cloud Services
Type: String
confirm- Is the service center URL is a trusted certificate
untrusted- Type: Boolean (true/false)
certificate
gateway-id Gateway id (in the format <gateway name>.<portal name>). This is not needed if an
activation-key was configured.
Type: cloudGwName
mode Indicates if the device is managed by a cloud service
Options: off, on
registration- Registration key that acts as a password when connecting to the cloud service for the
key first time. This is not needed if an activation-key was configured.
Type: A registration key
service-center The DNS or IP address through which the device will connect to the cloud service for
the first time. This is not needed if an activation-key was configured.
Type: URL
Example
set cloud-services activation-key TEXT confirm-untrusted-certificate true

mode off
set cloud-services
set cloud-services
Description
Configures advanced settings for cloud/SMP management connection.
Syntax
set cloud-services advanced-settings cloud-management-configuration [ smp-

login <smp-login> ] [ show-mgmt-server-details-on-login <show-mgmt-server-
details-on-login> ]
Parameters
n/a
Example
set cloud-services advanced-settings cloud-management-configuration smp-

login true show-mgmt-server-details-on-login true
show cloud-services
show cloud-services
Description
Shows advanced settings of cloud management connection.
Syntax
show cloud-services advanced-settings
Parameters
n/a
Example
show cloud-services advanced-settings
show cloud-services connection-details
Description
Shows connection details for cloud management connection.
Syntax
Parameters
n/a
Example
cloud-services-firmware-upgrade
cloud-services-firmware-upgrade
set cloud-services-firmware-upgrade
Configure settings for the "firmware upgrade" Cloud Services.
Description
Configures settings for the "firmware upgrade" Cloud Services.
Syntax
set cloud-services-firmware-upgrade [ activate <activate> ] frequency {

immediately-when-available | daily time <time> | monthly day-of-month <day-
of-month> time <time> | weekly day-of-week <day-of-week> time <time> }
Parameters
activate Enable auto firmware upgrades. Upgrades may occur immediately or be scheduled
according to a predefined frequency
day-of-month Choose the desired day of the month
day-of-week Choose the desired day of week
frequency Indicates the preferred time to perform upgrade once a new firmware is detected
time The hour of the upgrade (Format: HH:MM in 24 hour clock)
Example
set cloud-services-firmware-upgrade activate true frequency immediately-

when-available
Description
Configures advanced settings for the "firmware upgrade" Cloud Services.
Syntax
set cloud-services-firmware-upgrade advanced-settings max-num-of-retries
<max-num-of-retries>
Parameters
n/a
Example
set cloud-services-firmware-upgrade advanced-settings max-num-of-retries 15
Description
Configures advanced settings for the "firmware upgrade" Cloud Services.
Syntax
set cloud-services-firmware-upgrade advanced-settings timeout-until-retry
<timeout-until-retry>
Parameters
n/a
Example
set cloud-services-firmware-upgrade advanced-settings timeout-until-retry

15
show cloud-services-firmware-upgrade
Shows configuration of the "Firmware Upgrade" Cloud Services.
Description
Shows configuration of the "Firmware Upgrade" Cloud Services.
Syntax
Parameters
n/a
Example
Description
Shows advanced settings of the "Firmware Upgrade" Cloud Services.
Syntax
show cloud-services-firmware-upgrade advanced-settings
Parameters
n/a
Example
show cloud-services-firmware-upgrade advanced-settings
show cloud-service managed-blades
show cloud-service managed-
blades
Description
Shows the currently managed blades by the cloud management.
Syntax
show cloud-services managed-blades
Parameters
n/a
Example
show cloud-services managed-blades
show cloud-services managed-services
show cloud-services managed-
services
Description
Shows the currently managed services by the cloud management.
Syntax
Parameters
n/a
Example
fetch cloud-services policy
Description
Fetch configuration now from your Cloud Services Security Management Server.
Syntax
Parameters
n/a
Example
show cloud-services status
Description
Shows the current status of the cloud management connection.
Syntax
Parameters
n/a
Example
show commands
show commands
Description
Shows all available CLI commands.
Syntax
show commands
Parameters
n/a
Example
show commands
cphaprob
cphaprob
Description
Defines and manages the critical cluster member properties of the appliance. When a critical process fails,
the appliance is considered to have failed.
Syntax
cphaprob [-i[a]] [-d <device>] [-s {ok|init|problem}] [-f <file>] [-p]

[register|unregister|report|list|state|if]
Parameters
register Registers <appliance> as a critical process.
-a Lists all devices in the cluster.
-d <device> The name of the device as it appears in the output of the cphaprob list.
-p The configuration change is permanent and applies after the appliance reboots.
-t <timeout> If <device> fails to contact ClusterXL in <timeout> seconds, <device> is considered
to have failed.
To disable this parameter, enter the value 0.
-s Status to be reported.
ok - <appliance> is alive
init - <appliance> is initializing
problem - <appliance> has failed
-f <file> Option to automatically register several appliances. The file defined in the <file> field
register should contain the list of appliances with these parameters:
n <device>
n <timeout>
n Status
unregister Unregisters <device> as a critical process.
report Reports the status of the <device> to the gateway.
cphaprob
list Displays that state of:
-i - Internal (as well as external) devices, such as interface check and High
Availability initialization.
-e - External devices, such as devices registered by the user or outside the kernel.
For example, fwd, sync, filter.
-ia - All devices, including those used for internal purposes, such as note initialization
and load-balance configuration.
state Displays the state of all the gateways in the High Availability configuration.
if Displays the state of interfaces.
Example
cphaprob -d $process -t 0 -s ok -p register
Output
These are some typical scenarios for the cphaprob command.
Argument Description
cphaprob -d <device> -t Register <device> as a critical process, and add it to the list

<timeout(sec)> -s of devices that must be running for the cluster member to
<ok|init|problem> [-p] register be considered active.
cphaprob -f <file> register Register all the user defined critical devices listed in <file>.
cphaprob -d <device> [-p] Unregister a user defined <device> as a critical process.

unregister This means that this device is no longer considered critical.
cphaprob -a unregister Unregister all the user defined <device>.
cphaprob -d <device> -s Report the status of a user defined critical device to

<ok|init|problem> report ClusterXL.
cphaprob [-i[a]] [-e] list View the list of critical devices on a cluster member, and of

all the other machines in the cluster.
cphaprob state View the status of a cluster member, and of all the other

members of the cluster.
cphaprob [-a] if View the state of the cluster member interfaces and the

virtual cluster interfaces.
Examples
cphaprob
cphaprob -d <device> -t <timeout(sec)> -s <ok|init|problem> [-p] register

cphaprob -f <file> register
cphaprob -d <device> [-p] unregister
cphaprob -a unregister
cphaprob -d <device> -s <ok|init|problem> report
cphaprob [-i[a]] [-e] list
cphaprob state
cphaprob [-a] if
cphastop
cphastop
Description
Disables High Availability on the appliance. Running cphastopon an appliance that is a cluster member
stops the appliance from passing traffic. State synchronization also stops.
Syntax
cphastop
Parameters
n/a
Return Value
Example
cphastop
Output
cpinfo
cpinfo
Description
Creates a Check Point Support Information (CPinfo) file on a machine at the time of execution.
The files is saved to a USB drive or TFTP server.
The CPinfo output file enables Check Point's support engineers to analyze setups from a remote location.
Syntax
cpinfo {to-tftp <ipaddr>|to-usb}
Parameters
ipaddr IPv4 address
Return Value
Example
cpinfo to-usb
Output
Success prints Creating cpinfo.txt file. Failure shows an appropriate error message.
cpstart
cpstart
Start all Check Point processes and applications running on a machine.
Description
Starts firewall services.
Syntax
cpstart
Parameters
n/a
Return Value
Example
cpstart
Output
Success shows Starting CP products.... Failure shows an appropriate error message.
cpstat
cpstat
Description
Shows Check Point statistics for applications.
Syntax
cpstat [-p <port>] [-s <SICname>] [-f <flavor>] [-o <polling>] [-c <count>]
[-e <period>] [-x] [-j] [-d] application_flag <flag>
Parameters
-p <port> Port number of the server. The default is the standard server port (18192).
-s Secure Internal Communication (SIC) name of the server.
<SICname>
-f <flavor> The flavor of the output (as it appears in the configuration file). The default is the first
flavor found in the configuration file.
-o Polling interval (seconds) specifies the pace of the results.
<polling> The default is 0, meaning the results are shown only once.
-c <count> Specifies how many times the results are shown. The default is 0, meaning the results
are repeatedly shown.
-e <period> Specifies the interval (seconds) over which 'statistical' olds are computed. Ignored for
regular olds.
-x XML output mode
-j Json output mode
-d Debug mode.
cpstat
<flag> One of these applications is displayed:
One of the following:
fw- Firewall component of the Security Gateway
vpn- VPN component of the Security Gateway
fg- QoS (formerly FloodGate-1)
ha- ClusterXL (High Availability)
os- OS Status
mg- for the Security Management Server
persistency- for historical status values
polsrv
uas
svr
cpsemd
cpsead
asm
ls
ca
Return Value
Example
cpstat -c 3 -o 3 fw
Output
Success shows OK. Failure shows an appropriate error message.
The following flavors can be added to the application flags:
n fw- "default", "interfaces", "all", "policy", "perf", "hmem", "kmem", "inspect", "cookies", "chains",
"fragments", "totals", "ufp", "http", "ftp", "telnet", "rlogin", "smtp", "pop3", "sync"
n vpn- "default", "product", "IKE", "ipsec", "traffic", "compression", "accelerator", "nic", "statistics",
"watermarks", "all"
n fg- "all"
n ha- "default", "all"
n os- "default", "ifconfig", "routing", "memory", "old_memory", "cpu", "disk", "perf", "multi_cpu", "multi_
disk", "all", "average_cpu", "average_memory", "statistics"
n mg- "default"
n persistency- "product", "Tableconfig", "SourceConfig"
n polsrv- "default", "all"
n uas- "default"
n svr- "default"
cpstat
n cpsemd- "default"
n cpsead- "default"
n asm- "default", "WS"
n ls- "default"
n ca- "default", "crl", "cert", user", "all"
cpstop
cpstop
Description
Stops firewall services and terminates all Check Point processes and applications running on the appliance.
Syntax
cpstop
Parameters
n/a
Return Value
Example
cpstop
Output
Success shows Uninstalling Security Policy.... Failure shows an appropriate error message.
cpwd_admin
cpwd_admin
Description
The cpwd_admin utility can be used to verify if a process is running and to stop and start a process if
necessary.
Syntax
cpwd_admin {del <name>|detach <name>|list|kill|exist|start_monitor|stop_
monitor|
monitor_list}
Parameters
del Deletes process
detach Detaches process
list Print status of processes
kill Stops cpWatchDog
exist Checks if cpWatchDog is running
start_monitor cpwd starts monitoring this machine
stop_monitor cpwd stops monitoring this machine
monitor_list Displays list of monitoring processes
name Name of process
Return Value
Example
cpwd_admin start_monitor
Output
date
date
set date
set date
Configures the device's date and time.
set date
set date
Description
Manually configure the device's date.
Syntax
set date <date>
Parameters
date Date in the format YYYY-MM-DD
Type: A date format yyyy-mm-dd
Example
set date 2000-01-01
set date
set date
Description
Manually configure the device's time.
Syntax
set time <time>
Parameters
time Time in the format HH:MM
Example
set time 23:20
set date
set date
Description
Manually configure the device's time zone.
Syntax
set timezone <timezone>
Parameters
timezone Timezone location
Example
set timezone GMT-11:00(Midway-Island)
set date
set date
Description
Configures if the daylight savings will be changed automatically.
Syntax
set timezone-dst automatic <timezone-dst automatic>
Parameters
timezone-dst automatic Automatic adjustment clock for daylight saving changes flag
Options: on, off
Example
set timezone-dst automatic on
show date
show date
Shows date and time.
show date
show date
Description
Shows current date of the appliance.
Syntax
show date
Parameters
n/a
Example
show date
show date
show date
Description
Shows current time of the appliance.
Syntax
show time
Parameters
n/a
Example
show time
show date
show date
Description
Shows current time zone of the appliance.
Syntax
show timezone
Parameters
n/a
Example
show timezone
show date
show date
Description
Shows current daylight savings configuration of the appliance.
Syntax
show timezone-dst
Parameters
n/a
Example
show timezone-dst
restore default-settings
Description
Restores the default settings of the appliance without affecting the software image. All the custom user
settings for the appliance are deleted.
Syntax
restore default-settings [preserve-sic {yes|no}|preserve-license

{yes|no}|force {yes|no}]
Parameters
preserve-sic Select whether to preserve your current SIC settings.
preserve-license Select whether to preserve your current license.
force Skip the confirmation question.
Return Value
Example
restore default-settings preserve-sic yes
Comments
The appliance automatically reboots after the default settings are restored.
dhcp-bridge-settings
Delete this text and replace it with your own content.
show dhcp-bridge-settings
Description
Show the MAC address for the DHCP bridge.
Syntax
Parameters
n/a
Example
set dhcp-bridge-settings
Description
Configure the MAC address for the DHCP bridge from an internal (LAN) or external port (WAN, DMZ).
Syntax
set dhcp-bridge-settings mac-assignment <mac-assignment>
Parameters
mac- Indicates whether the MAC address for the DHCP bridge is taken from an internal
assignment (LAN) or external port (WAN, DMZ).
Options: use-internal-interfaces-mac, use-external-interfaces-mac
Example
set dhcp-bridge-settings mac-assignment use-internal-interfaces-mac
dhcp-relay
dhcp-relay
set dhcp-relay
set dhcp-relay
Description
Configures advanced settings for DHCP Relay functionality.
Syntax
set dhcp-relay advanced-settings use-internal-ip-addrs-as-source <use-

internal-ip-addrs-as-source>
Parameters
n/a
Example
set dhcp-relay advanced-settings use-internal-ip-addrs-as-source true
show dhcp-relay
show dhcp-relay
Description
Shows advanced settings for DHCP relay.
Syntax
show dhcp-relay advanced-settings
Parameters
n/a
Example
show dhcp-relay advanced-settings
show dhcp servers
show dhcp servers
Description
Shows configuration for all DHCP servers.
Syntax
show dhcp servers
Parameters
n/a
Example
show dhcp servers
dhcp server interface
dhcp server interface
delete dhcp server interface
delete dhcp server interface
Description
Deletes the configured exclude range from the DHCP server settings of a specific network/interface.
Syntax
delete dhcp server interface <name> exclude-range
Parameters
name Network name
Type: A string that contains [A-Z], [0-9], '_', '.', '-' and '/' characters
Example
delete dhcp server interface My_Network exclude-range
set dhcp server interface
Configures DHCP server settings.
Description
Configures a custom DHCP option.
Syntax
set dhcp server interface <cliName> custom-option name <custom-option name>

type <type> tag <tag> data <data>
Parameters
cliName cliName
Type: virtual
custom-option Set the name of the object
name Type: A string that contains alphanumeric characters or hyphen
data Set the desired value of the object
Type: String
tag Select a unique tag for the object
type Select the appropriate type to store your object
Options: string, int8, int16, int32, uint8, uint16, uint32, boolean, ipv4-address, ipv4-
address-array, hex-string
Example
set dhcp server interface LAN1 custom-option name MyOption type string tag
43 data TEXT
Description
Configures if a DHCP server is active or not on an existing network/interface.
Syntax
set dhcp server interface <name> { disable | enable }
Parameters
dhcp Use DHCP Server with a specified IP address range
Options: off, on, relay
name Network name
Example
set dhcp server interface My_Network off
Description
Configures DHCP relay functionality on an existing network/interface.
Syntax
set dhcp server interface <name> relay relay-to <relay relay-to> { [

secondary <secondary> ] | [ relay-secondary <relay-secondary> ] }
Parameters
name Network name
relay relay-to Enter the DHCP server IP address
Type: IP address
relay-secondary This field is deprecated. Please use field 'secondary'
secondary Enter the secondary DHCP server IP address
Type: IP address
Example
set dhcp server interface My_Network relay relay-to 192.168.1.1 secondary

192.168.1.1
Description
Configures an IP address pool for a DHCP server on an existing network/interface.
Syntax
set dhcp server interface <name> include-ip-pool <include-ip-pool>
Parameters
include-ip-pool DHCP range
Type: A range of IP addresses
name Network name
Example
set dhcp server interface My_Network include-ip-pool 192.168.1.1-

192.168.1.10
Description
Configures the default gateway provided by a DHCP server on an existing network/interface.
Syntax
set dhcp server interface <name> default-gateway <default-gateway>
Parameters
default-gateway A virtual field calculated by the values of the fields: dhcpGwMode & dhcpGw
name Network name
Example
set dhcp server interface My_Network default-gateway auto
Description
Configures the WINS mode provided by a DHCP server on an existing network/interface.
Syntax
set dhcp server interface <name> wins-mode <wins-mode>
Parameters
name Network name
wins-mode Configure the WINS Server
Example
set dhcp server interface My_Network wins-mode auto
Description
Configures the WINS servers IP addresses provided by a DHCP server on an existing network/interface.
Syntax
set dhcp server interface <name> wins primary <wins primary> [ secondary
<secondary> ]
Parameters
name Network name
secondary Configure the IP address for the second WINS server
wins primary Configure the IP address for the first WINS server
Example
set dhcp server interface My_Network wins primary 192.168.1.1 secondary

192.168.1.1
Description
Configures the lease time used by a DHCP server on an existing network/interface.
Syntax
set dhcp server interface <name> lease-time <lease-time>
Parameters
lease-time Configure the timeout in hours for a single device to retain a dynamically acquired IP
address
name Network name
Example
set dhcp server interface My_Network lease-time 30
Description
Configures the domain used by a DHCP server on an existing network/interface.
Syntax
set dhcp server interface <name> domain <domain>
Parameters
domain The domain name of the DHCP
name Network name
Example
set dhcp server interface My_Network domain myHost.com
Description
Configures the NTP servers used by a DHCP server on an existing network/interface.
Syntax
set dhcp server interface <name> ntp <ntp> [ secondary <secondary> ]
Parameters
name Network name
ntp Configure the first NTP (Network Time Protocol) server to be distributed to DHCP client
secondary Configure the second NTP (Network Time Protocol) server to be distributed to DHCP
client
Example
set dhcp server interface My_Network ntp 192.168.1.1 secondary 192.168.1.1
Description
Configures the TFTP server used by a DHCP server on an existing network/interface.
Syntax
set dhcp server interface <name> tftp <tftp>
Parameters
name Network name
tftp Configure TFTP server to be distributed to DHCP client
Example
set dhcp server interface My_Network tftp 192.168.1.1
Description
Configures the TFTP bootfile used by a DHCP server on an existing network/interface.
Syntax
set dhcp server interface <name> file <file>
Parameters
file Configure TFTP bootfile to be distributed to DHCP client
name Network name
Example
set dhcp server interface My_Network file word
Description
Configures the Call Manager servers used by a DHCP server on an existing network/interface.
Syntax
set dhcp server interface <name> callmgr <callmgr> [ secondary <secondary>

]
Parameters
callmgr Configure the first Call manager server to be distributed to DHCP client
name Network name
secondary Configure the second Call manager server to be distributed to DHCP client
Example
set dhcp server interface My_Network callmgr 192.168.1.1 secondary

192.168.1.1
Description
Configures the X-Windows display manager server used by a DHCP server on an existing
network/interface.
Syntax
set dhcp server interface <name> xwin-display-mgr <xwin-display-mgr>
Parameters
name Network name
xwin-display-mgr Configure X-Windows display manager to be distributed to DHCP client
Example
set dhcp server interface My_Network xwin-display-mgr 192.168.1.1
Description
Configures the Avaya Manager server used by a DHCP server on an existing network/interface.
Syntax
set dhcp server interface <name>avaya-voip <avaya-voip>
Parameters
avaya-voip Configure Avaya IP phone to be distributed to DHCP client
name Network name
Example
set dhcp server interface My_Network avaya-voip 192.168.1.1
Description
Configures the Nortel Manager server used by a DHCP server on an existing network/interface.
Syntax
set dhcp server interface <name> nortel-voip <nortel-voip>
Parameters
name Network name
nortel-voip Configure Nortel IP phone to be distributed to DHCP client
Example
set dhcp server interface My_Network nortel-voip 192.168.1.1
Description
Configures the Thomson Manager server used by a DHCP server on an existing network/interface.
Syntax
set dhcp server interface <name> thomson-voip <thomson-voip>
Parameters
name Network name
thomson-voip Configure Thomson IP phone to be distributed to DHCP client
Example
set dhcp server interface My_Network thomson-voip 192.168.1.1
Description
Configures the DNS servers provided by a DHCP server on an existing network/interface. In automatic
mode the device will provide its own IP address when configured as DNS proxy, and the DNS servers it is
configured with otherwise.
Syntax
set dhcp server interface <name> dns { none | manual [ primary <primary> ]
[ secondary <secondary> ] [ tertiary <tertiary> ] | auto }
Parameters
dns Configure the DNS Server
name Network name
primary Configure the IP address for the first DNS server
secondary Configure the IP address for the second DNS server
tertiary Configure the IP address for the third DNS server
Example
set dhcp server interface My_Network dns none
Description
Configures the primary DNS server provided by a DHCP server on an existing network/interface in manual
mode.
Syntax
set dhcp server interface <name> dns primary <dns primary>
Parameters
dns primary Configure the IP address for the first DNS server
name Network name
Example
set dhcp server interface My_Network dns primary 192.168.1.1
Description
Configures the secondary DNS server provided by a DHCP server on an existing network/interface in
manual mode.
Syntax
set dhcp server interface <name> dns secondary <dns secondary>
Parameters
dns secondary Configure the IP address for the second DNS server
name Network name
Example
set dhcp server interface My_Network dns secondary 192.168.1.1
Description
Configures the tertiary DNS server provided by a DHCP server on an existing network/interface in manual
mode.
Syntax
set dhcp server interface <name> dns tertiary <dns tertiary>
Parameters
dns tertiary Configure the IP address for the third DNS server
name Network name
Example
set dhcp server interface My_Network dns tertiary 192.168.1.1
Description
Removes a custom DHCP option from a DHCP server on an existing network/interface.
Syntax
set dhcp server interface <name> remove custom-option <custom-option>
Parameters
custom-option Set the name of the object
name Network name
Example
set dhcp server interface My_Network remove custom-option MyOption
show dhcp server interface
Shows configuration of DHCP servers.
Description
Shows the configuration of a DHCP server configured on a specific interface/network.
Syntax
show dhcp server interface <name>
Parameters
name Network name
Example
show dhcp server interface My_Network
Description
Shows the IP address pool of a DHCP server configured on a specific interface/network.
Syntax
show dhcp server interface <name> ip-pool
Parameters
name Network name
Example
show dhcp server interface My_Network ip-pool
show diag
show diag
Description
Shows information about your appliance, such as the current firmware version and additional details.
Syntax
show diag
Parameters
n/a
Example
show diag
Output
Current system information.
show disk usage
show disk usage
Description
Shows the file system space used and space available.
Syntax
show disk-usage [-h|-m|-k]
Parameters
-h Human readable (e.g. 1K 243M 2G)
-m 1024*1024 blocks
-k 1024 blocks
Example
show disk-usage-h
Output
Current file system space used and space available.
dns
dns
delete dns
delete dns
Deletes configured DNS settings.
delete dns
delete dns
Description
Deletes configured primary DNS.
Syntax
delete dns [ primary ipv4-address ]
Parameters
n/a
Example
delete dns primary ipv4-address
delete dns
delete dns
Description
Deletes configured secondary DNS.
Syntax
delete dns [ secondary ipv4-address ]
Parameters
n/a
Example
delete dns secondary ipv4-address
delete dns
delete dns
Description
Deletes configured tertiary DNS.
Syntax
delete dns [ tertiary ipv4-address ]
Parameters
n/a
Example
delete dns tertiary ipv4-address
delete dns
delete dns
Description
Deletes configured domain name of the appliance.
Syntax
delete domainname
Parameters
n/a
Example
delete domainname
set dns
set dns
Configures the DNS and domain settings for the device.
set dns
set dns
Description
Configures the DNS settings for the device.
Syntax
set dns [ primary ipv4-address <primary ipv4-address> ] [ secondary ipv4-

address <secondary ipv4-address> ] [ tertiary ipv4-address <tertiary ipv4-
address> ]
Parameters
primary ipv4-address First global DNS IP address
Type: IP address
secondary ipv4- address Second global DNS IP address
Type: IP address
tertiary ipv4-address Third global DNS IP address
Type: IP address
Example
set dns primary ipv4-address 192.168.1.1 secondary ipv4-address 192.168.1.1

tertiary ipv4-address 192.168.1.1
set dns
set dns
Description
Configures the DNS mode for the device. It can either use manually configured DNS servers or use the DNS
servers provided to him by the active internet connection from his ISP.
Syntax
set dns mode <mode>
Parameters
mode Status of appliance using global DNS servers
Options: global, internet
Example
set dns mode global
set dns
set dns
Description
Configures the DNS proxy mode. DNS proxy allows treating the configured network objects as a hosts list
which the device can translate from hostname to IP address for local networks.
Syntax
set dns proxy { on [ resolving <resolving> ] | off }
Parameters
proxy Relay DNS requests from internal network clients to the DNS servers defined above
resolving Use network objects as a hosts list to translate names to their IP addresses
Options: on, off
Example
set dns proxy on resolving on
set dns
set dns
Description
Configures the domain settings for the device.
Syntax
set domainname <domainname>
Parameters
domainname Identification string that defines a realm of administrative autonomy, authority, or
control in the Internet
Type: A FQDN
Example
set domainname somehost.example.com
show dns
show dns
Shows configuration for DNS and domain name.
show dns
show dns
Description
Shows configuration for DNS.
Syntax
show dns
Parameters
n/a
Example
show dns
show dns
show dns
Description
Shows configuration for domain name.
Syntax
show domainname
Parameters
n/a
Example
show domainname
dsl
dsl
set dsl advanced-settings global-settings
set dsl advanced-settings global-settings
Description
Set DSL configuration parameters.
Syntax
set dsl advanced-settings global-settings [ ginp <ginp> ] [ sra <sra> ]
Parameters
ginp Enhanced Impulse Noise Protection
sra Enables Seamless Rate Adaption
Example
set dsl advanced-settings global-settings ginp downstream-and-upstream sra

true
set dsl advanced-settings standards
Description
Set DSL standard related configuration parameters.
Syntax
set dsl advanced-settings standards [ vdsl2 <true|false> ] [ dmt <

true|false > ] [ adsl-lite < true|false > ] [ adsl2 < true|false > ] [
adsl2plus < true|false > ] [ t1413 < true|false > ] [ annex-m < true|false
> [ annex-l < true|false > ] [ vdsl-8a < true|false > ] [ vdsl-8b <
true|false > ] [ vdsl-8c < true|false > ] [ vdsl-8d < true|false > ] [
vdsl-12a < true|false >] [ vdsl-12b < true|false >] [ vdsl-17a < true|false
>] [ vdsl-us0 < true|false > ]
Parameters
vdsl2 Supports ITU G.993.2 VDSL2 standard.
dmt Supports ITU G.992.1 ADSL (G.dmt) standard.
adsl-lite Supports ITU G.992.2 ADSL Lite (G.lite) standard.
adsl2 Supports ITU G.992.3 ADSL2 standard.
adsl2plus Supports ITU G.992.5 Annex M ADSL2+M standard.
t1413 Supports ANSI T1.413-1998 Issue 2 ADSL.
annex-m In an Annex A appliance: Combined with supported ADSL2+ it specifies support for
Annex M ADSL2+. In an Annex B appliance: Combined with supported ADSL2 it
specifies support for Annex J ADSL2.
annex-l Combined with enabled ADSL2 (G.992.3) specifies support for Annex L.
vdsl-8a Supports VDSL Profile 8a.
vdsl-8b Supports VDSL Profile 8b.
vdsl-8c Supports VDSL Profile 8c.
vdsl-8d Supports VDSL Profile 8d.
vdsl-12b Supports VDSL Profile 12b.
vdsl-us0 Enables usage of first upstream band in VDSL2.
Example
set dsl advanced-settings standards adsl2plus false
show dsl advanced-setting
show dsl advanced-setting
Description
Show all DSL advanced settings parameters.
Syntax
show dsl advanced-settings
Parameters
n/a
Example
show dsl advanced-settings
Sample Output
adsl2plus: true
vdsl-8d: true
vdsl-8c: true
vdsl-8b: true
annex-m: false
t1413: true
vdsl-17a: true
adsl-lite: true
vdsl2: true
annex-l: false
vdsl-12b: true
adsl2: true
dmt: true
ginp: disabled
sra: false
vdsl8a: true
vdsl-us0: true
vdsl-12a: true
show dsl statistics
show dsl statistics
Description
Show DSL statistics.
Syntax
show dsl statistics
Parameters
tpstc Indicates the TPS-TC layer. Possible values: ATM, PTM.
mode Indicates the negotiated DSL mode. Example for a value: VDSL Annex B.
status Indicates the status of DSL connection synchronization. Example values: Showtime,
G.994.
bitrate-up Indicates the upstream DSL bit rate.
bitrate-down Indicates the downstream DSL bit rate.
vendor 4 hexa digits representing the vendor of the DSL chip in the peer DSLAM/MSAG (i.e.
IFTN, BDCM) + 4 hex digits representing the firmware version of the vendor.
power-up Indicates the appliance transmission power (dBm).
hec-up Indicates the number of HEC errors counted by the peer DSLAM/MSAG.
attn-up Indicates the upstream attenuation (dB).
attn-down Indicates the attenuation of the power from the peer DSLAM/MSAG to the appliance
(dB).
rs-down Indicates the number of RS words that were received by the appliance in the
downstream.
rs-corrected- Indicates the number of RS words that were corrected by the appliance in the
down downstream.
rs-up Indicates the number of RS words that were received by the peer DSLAM/MSAG in the
upstream.
rs-corrected- Indicates the number of RS words that were corrected by the peer DSLAM/MSAG in the
up upstream.
hec-up Indicates the number of HEC errors counted by the peer DSLAM/MSAG.
show dsl statistics
hec-down Indicates the number of HEC errors counted by the appliance.
total-cells-up Indicates the number of 53 bytes (cells in the case of ATM) that were transmitted by the
appliance.
total-cells- Indicates the number of 53 bytes (cells in the case of ATM) that were received by the
down appliance.
configured- Indicates the seamless rate adaptation (SRA) that was configured in the appliance.
sra Possible values: On, Off.
configured- Indicates whether trellis was enabled in the appliance configuration. Possible values:
trellis On, Off.
configured- Indicates the upstream/downstream on/off for the configured Enhanced Impulse
ginp response. Possible values: Off/Off, Off/On, On/Off, On/On
configured- Indicates the upstream/downstream on/off for the Bit Swap configured in the appliance.
bitswap Possible values: On, Off.
vectoring Indicates the vectoring status. Possible values:
0: Vectoring Training State.
1: Showtime vectoring state, idle, not reporting errors.
2: Initial showtime vector mode state, transition to full factoring when the peer sends a
vectoring configuration message.
3: Vectoring state where error samples are being reported upon peer request.
4: Vectoring is disabled.
5: DSLAM/MSAG doesn't support vectoring.
Example
show dsl statistics
show dsl statistics
Sample Output
snr-down: 8.7
configured-ginp: Off/Off
power-up: 7.6
rs-corrected-down: 421298
rs-corrected-up: 208
configured-sra: Off
rs-up: 1610329207
configured-trellis: On
total-cells-down: 2609810117
snr-up: 15.4
tpstc: PTM
bitrate-up: 5024
vectoring: 5 (DSLAM is not a vectored DSLAM)
vendor: IFTN:0xb206
status: Showtime
rs-down: 2127995393
mode: VDSL2 Annex B
hec-up: 0
bitrate-down: 48470
training: Showtime
power-down: 7.7
total-cells-up: 0
hec-down: 0
attn-down: 25.9
attn-up: 0.0
configured-bitswap: Off
dynamic-dns
dynamic-dns
set dynamic-dns
set dynamic-dns
Configures a persistent domain name for the device.
set dynamic-dns
set dynamic-dns
Description
Configures a persistent domain name for the device.
Syntax
set dynamic-dns { is_active } provider <provider> password <password> user
<user> domain <domain>
Parameters
domain The domain name (sometimes called host name) within your account that the device will
use
Type: A FQDN
is-active Is the DDNS service active
Type: Boolean (enable/disable)
password The password of the account
provider Select the DDNS provider that you have already set up an account with
Options: no-ip.com, DynDns
user The user name of the account
Type: DynDns provider: begins with a letter and have 2-25 alphanumeric char acters.
no-ip.com provider: length is 6-15 characters and contains only a-z, 0-9, -, _
Example
set dynamic-dns enable provider no-ip.com password a(&7Ba user myUser17
set dynamic-dns
set dynamic-dns
Description
Configure advanced settings for the DDNS service.
Syntax
set dynamic-dns advanced-settings iterations <iterations>
Parameters
n/a
Example
set dynamic-dns advanced-settings iterations 15
show dynamic-dns
show dynamic-dns
Shows configuration for DDNS service.
show dynamic-dns
show dynamic-dns
Description
Shows configuration for DDNS service.
Syntax
show dynamic-dns
Parameters
n/a
Example
show dynamic-dns
show dynamic-dns
show dynamic-dns
Description
Shows advanced settings for DDNS service.
Syntax
show dynamic-dns advanced-settings
Parameters
n/a
Example
show dynamic-dns advanced-settings
dynamic objects
dynamic objects
Manages dynamic objects on the appliance. The dynamic_objects command specifies an IP address to
which the dynamic object is resolved.
First, define the dynamic object in the SmartDashboard. Then create the same object with the CLI (-n
argument). After the new object is created on the gateway with the CLI, you can use the dynamic_objects
command to specify an IP address for the object.
Any change you make to dynamic objects' ranges are applied immediately to the objects. It is not necessary
to reinstall the policy.
Description
Manages dynamic objects on the appliance.
Syntax
dynamic_objects -o <object> [-r <fromIP> <toIP> ...] [-a] [-d] [-l] [-n
<object> ] [-c] [-do <object>]
Parameters
-o Name of the dynamic object that is being configured.
-r Defines the range of IP addresses that are being configured for this object.
-a Adds range of IP addresses to the dynamic object.
-d Deletes range of IP addresses from the dynamic object.
-l Lists dynamic objects that are used on the appliance.
-n Creates a new dynamic object.
-c Compare the objects in the dynamic objects file and in objects.
-do Deletes the dynamic object.
<object> Name of dynamic object.
<fromIP> Starting IPv4 address.
<toIP> Ending IPv4 address.
Example
dynamic_objects -n sg80gw -r 190.160.1.1 190.160.1.40 -a
dynamic objects
Output
Success shows Operation completed successfully. Failure shows an appropriate error message.
exit
exit
Description
Exits from the shell.
Syntax
exit
Parameters
n/a
Example
exit
set expert password
set expert password
Description
Sets the initial password or password hash for the expert shell
Syntax
set expert {password|password-hash} { <pass>| <pass_hash>}
Parameters
pass Password using alphanumeric and special characters
pass_hash Password MD5 string representation
Example
set expert password-hash $1$fGT7pGX6$oo9LUBJTkLOGKLhjRQ2rw1
Output
Comments
To generate a password-hash, you can use this command on any Check Point SMB Appliance gateway (as
an expert user).
cryptpw -a md5 <password string>
fetch certificate
fetch certificate
Description
Establishes a SIC connection with the Security Management Server and fetches the certificate. You fetch
the certificate from a specific appliance with the gateway-name parameter.
Syntax
fetch certificate mgmt-ipv4-address <ip_addr> [gateway-name <gw_name>]
Parameters
ip_addr Management IPv4 address
gw_name Appliance/Module name
Example
fetch certificate mgmt-ipv4-address 192.168.1.100 gateway-name SMB_

Appliance
Output
fetch policy
fetch policy
Description
Fetches a policy from the Security Management Server with IPv4 address <ip_addr> or from the local
gateway.
Syntax
fetch policy {local|mgmt-ipv4-address <ip_addr>}
Parameters
ip_addr IPv4 address of the Security Management Server.
Return Value
Example
fetch policy mgmt-ipv4-address 192.168.1.100
Output
Success shows Done. Failure shows an appropriate error message.
fw commands
fw commands
The fw commands are used for working with various aspects of the firewall. All fwcommands are executed
on the Check Point Security Gateway. For more about the fwcommands, see the Command Line Interface
(CLI) Reference Guide.
fw commands can be found by typing fw [TAB] at a command line. For some of the CLI commands, you
can enter the -h parameter to display all the relevant arguments and parameters. These commands are:
fw command Explanation
fw accel [-h] Turn acceleration on/off
fw activation Activate license
[-h]
fw avload [-h] Load Anti-Virussignatures to kernel
fw ctl [args] Control kernel
fw debug [-h] Turn debug output on or off
fw fetch Fetch last policy
fw fetchdefault Fetch default policy
[-h]
fw fetchlocal Fetch local policy
[-h]
fw monitor [-h] Monitor Check Point Appliance traffic
fw pull_cert Pull certificate from internal CA
fw sfwd fw daemon
fw sic_init [- Initialize SIC
h]
fw sic_reset [- Reset SIC
h]
fw sic_test Test SIC with management
fw stat [-h] Display policy installation status of the gateway. (Command is provided for

backward compatibility.)
fw tab [-h] Display kernel-table content
fw unloadlocal Unload local policy
fw ver [-k] Display version
fw policy
fw policy
set fw policy
set fw policy
Configures the default policy for the Firewall blade
set fw policy
set fw policy
Description
Configures the default policy for the Firewall blade.
Syntax
set fw policy [ mode <mode> ] [ track-allowed-traffic <track-allowed-

traffic>
] [ track-blocked-traffic <track-blocked-traffic> ]
Parameters
mode Current mode for firewall policy
track-allowed-traffic Indicates if accepted connections are logged
Options: none, log
track-blocked-traffic Indicates if blocked connections are logged
Options: none, log
Example
set fw policy mode off track-allowed-traffic none track-blocked-traffic

none
set fw policy
set fw policy
Description
Configures advanced settings for the default policy of the Firewall blade.
Syntax
set fw policy advanced-settings blocked-packets-action <blocked-packets-

action>
Parameters
n/a
Example
set fw policy advanced-settings blocked-packets-action auto
set fw policy
set fw policy
Description
Configures advanced settings for the default policy of the Firewall blade.
Syntax
set fw policy advanced-settings log-implied-rules <log-implied-rules>
Parameters
n/a
Example
set fw policy advanced-settings log-implied-rules true
show fw policy
show fw policy
Shows the configured policy for the Firewall blade.
show fw policy
show fw policy
Description
Shows the configured policy for the Firewall blade.
Syntax
show fw policy
Parameters
n/a
Example
show fw policy
show fw policy
show fw policy
Description
Shows advanced settings for the Firewall blade.
Syntax
show fw policy advanced-settings
Parameters
n/a
Example
show fw policy advanced-settings
show fw policy
show fw policy
Description
Shows the configuration for customizable messages shown to users upon actions.
Syntax
show fw policy user-check { block | ask | accept }
Parameters
user-check Activity message type
Example
show fw policy user-check block
set fw policy user-check accept
set fw policy user-check accept
Description
Configures a customizable "accept" message shown to users upon match on browser based traffic.
Syntax
set fw policy user-check accept [ body <body> ] [ fallback-action

<fallback-action> ] [ frequency <frequency> ] [ subject <subject> ] [ title
<title> ]
Parameters
body The informative text that appears in the APPI 'Accept' user message
Type: A string that contains only printable characters
fallback- Indicates the action to take when an 'Accept' user message cannot be displayed
action Options: block, accept
frequency Indicates how often is the APPI 'Accept' user message is being presented to the same
user
Options: day, week, month
subject The subject of an APPI 'Accept' user message
title The title of an APPI 'Accept' user message
Example
set fw policy user-check accept body My Network fallback-action block

frequency day subject My Network title My Network
set fw policy user-check ask
set fw policy user-check ask
Description
Configures a customizable "ask" message shown to users upon match on browser based traffic.
Syntax
set fw policy user-check ask [ body <body> ] [ confirm-text <confirm-text>
] [ fallback-action <fallback-action> ] [ frequency <frequency> ] [ subject

<subject> ] [ title <title> ] [ reason-displayed <reason-displayed> ]
Parameters
body The informative text that appears in the APPI 'Ask' user message
confirm-text This text appears next to the 'ignore warning' checkbox of an APPI 'Ask' user
message
fallback-action The action that is performed when the 'Ask' message cannot be shown
Options: block, accept
frequency Indicates how often is the APPI 'Ask' user message is being presented to the same
user
reason- Indicates if the user must enter a reason for ignoring this message in a designated
displayed text dialog
subject The subject of an APPI 'Ask' user message
title The title of an APPI 'Ask' user message
Example
set fw policy user-check ask body My Network confirm-text My Network

fallback-action block frequency day subject My Network title My Network
reason-displayed true
set fw policy user-check block
set fw policy user-check block
Description
Configures a customizable "block" message shown to users upon match on browser based traffic.
Syntax
set fw policy user-check block [ body <body> ] [ redirect-url <redirect-

url>
] [ subject <subject> ] [ title <title> ] [ redirect-to-url <redirect-to-url>]
Parameters
body The informative text that appears in the APPI 'Block' user message
redirect-to-url Indicates if the user will be redirected to a custom URL in case of a 'Block' action
redirect-url Indicates the URL to redirect the user in case of a 'Block' action if configured to do so.
The URL to redirect the user in case of a 'Block' action. Redirection happens only if this
functionality is turned on
Type: urlWithHttp
subject The subject of an APPI 'Block' user message
title The title of an APPI 'Block' user message
Example
set fw policy user-check block body My Network redirect-url urlWithHttp

subject My Network title My Network redirect-to-url true
set fw policy user-check block-device
set fw policy user-check block-
device
Description
User Check is a customizable message shown to users upon match, and allows to 'ask' the user for the
desired action. In this case, to block a particular device.
Syntax
set fw policy user-check block-device [ body <body> ] [ subject <subject> ]

[ title <title>
Parameters
body The informative text that appears in the 'Block Device' user message.
subject The subject of the 'Block Device' user message
title The title of the 'Block Device' user message
Example
set fw policy user-check block-device body My Network subject My Network

title My Network
set fw policy user-check block-infected-device
set fw policy user-check block-
infected-device
Description
User Check is a customizable message shown to users upon match, and allows to 'ask' the user for the
desired action. In this case, to block an infected device.
Syntax
set fw policy user-check block-infected-device [ body <body> ] [ subject

<subject> ] [ title <title> ]
Parameters
body The informative text that appears in the 'Block Infected Device' user message
subject The subject of the 'Block Infected Device' user message
title The title of the 'Block Infected Device' user message
Example
set fw policy user-check block-infected-device body My Network subject My

Network title My Network
global-radius-conf
global-radius-conf
set global-radius-conf
set global-radius-conf
Description
Configure the NAS IP\IPv6 address for RADIUS server authentication.
NAS IP\IPv6 address indicates the identifying IP Address of the NAS which is requesting authentication of
the user, and should be unique to the NAS within the scope of the RADIUS server.
Syntax
set global-radius-conf [ nas-ip-address <nas-ip-address> ] [ nasIPV6

<nasIPV6> ]
Parameters
nas-ip-address Nas ip address
Type: IP address
nasIPV6 nasIPV6
Type: ipv6addr
Example
set global-radius-conf nas-ip-address 192.168.1.1 nasIPV6 ipv6addr
show global-radius-conf
Description
Configure the NAS IP\IPv6 address for RADIUS server authentication.
Syntax
Parameters
n/a
Example
group
group
add group
add group
Description
Adds a new group of network objects.
Syntax
add group name <name> [ comments <comments> ] [ member <member> ]
Parameters
comments Comments and explanation about the Network Object group
member An association field to the contained network objects
name Network Object group name
Type: A string that begins with a letter and contain up to 32 alphanumeric (0-9, a-z, _ - .)
characters without spaces
Example
add group name myObject_17 comments "This is a comment." member TEXT
delete group
delete group
Description
Deletes an existing group object of network objects.
Syntax
delete group <name>
Parameters
Example
delete group myObject_17
set group
set group
Configures an existing network objects group.
set group
set group
Description
Configures an existing network objects group.
Syntax
set group <name> [ new-name <new-name> ] [ comments <comments> ]
Parameters
comments Comments and explanation about the Network Object group
new-name Network Object group name
Example
set group myObject_17 new-name myObject_17 comments "This is a comment."
set group
set group
Description
Removes all members from an existing network objects group.
Syntax
set group <name> remove-all members
Parameters
Example
set group myObject_17 remove-all members
set group
set group
Description
Adds an existing network object to an existing network objects group.
Syntax
set group <name> add member <member>
Parameters
member Network Object name
Example
set group myObject_17 add member TEXT
set group
set group
Description
Removes an existing network object from an existing network objects group.
Syntax
set group <name> remove member <member>
Parameters
member Network Object name
Example
set group myObject_17 remove member TEXT
show group
show group
Description
Shows the contents of a network object group.
Syntax
show group <name>
Parameters
Example
show group myObject_17
show groups
show groups
Description
Shows the contents of all network object groups.
Syntax
show groups
Parameters
n/a
Example
show groups
host
host
add host
add host
Description
Adds a new network host object that can be used for resolving when the device acts as a DNS proxy, and
also DHCP settings for this object (exclude/reserve IP address).
Syntax
add host name <name> [ dhcp-exclude-ip-addr { on [ dhcp-reserve-ip-addr-to-

mac { on [ mac-addr <mac-addr> ] [ reserve-mac-address <reserve-mac-
address> ] | off } ] [ mac-reserved-in-dhcp { on [ mac-addr <mac-addr> ] [
reserve-mac-address <reserve-mac-address> ] | off } ] | off } ] [ dns-
resolving <dns-resolving> ] ipv4-address <ipv4-address>
Parameters
dhcp-exclude-ip- Indicates if the object's IP address(es) is excluded from internal DHCP daemon
addr Type: Press TAB to see available options
dhcp-reserve-ip- Indicates if the IP address is reserved in internal DHCP daemon
addr- to-mac Type: Press TAB to see available options
dns-resolving Indicates if the name of the server/network object will be used as a hostname for
internal DNS service Type: Boolean (true/false)
ipv4-address The beginning of the IP range
mac-addr MAC address of the Network Object
Type: MAC address
mac-reserved-in- This field is deprecated. Please use field 'dhcp-reserve-ip-addr-to-mac'
dhcp
Type: String
reserve-mac- This field is deprecated. Please use field 'mac-addr'
address
Example
add host name TEXT dhcp-exclude-ip-addr on dhcp-reserve-ip-addr-to-mac on

mac-addr 00:1C:7F:21:05:BE reserve-mac-address 00:1C:7F:21:05:BE mac-
reserved-in-dhcp on mac-addr 00:1C:7F:21:05:BE reserve-mac-address
00:1C:7F:21:05:BE dns-resolving true ipv4-address 192.168.1.1
delete host
delete host
Description
Deletes an existing network host object.
Syntax
delete host <name>
Parameters
Type: String
Example
delete host TEXT
set host
set host
Description
Configures an existing network object/host.
Syntax
set host <name> [ name <name> ] [ dhcp-exclude-ip-addr { on [ dhcp-reserve-

ip-addr-to-mac { on [ mac-addr <mac-addr> ] [ reserve-mac-address <reserve-
mac-address> ] | off } ] [ mac-reserved-in-dhcp { on [ mac-addr <mac-addr>
] [ reserve-mac-address <reserve-mac-address> ] | off } ] | off } ] [
exclude-from-dhcp { on [ dhcp-reserve-ip-addr-to-mac { on [ mac-addr <mac-
addr>] [ reserve-mac-address <reserve-mac-address> ] | off } ] [ mac-
reserved-in-dhcp { on [ mac-addr <mac-addr> ] [ reserve-mac-address
<reserve-mac-address> ] | off } ] | off } ] [ dns-resolving <dns-
resolving>] [ ipv4-address <ipv4-address> ]
Parameters
dhcp-reserve-ip-addr- Indicates if the IP address is reserved in internal DHCP daemon
to-mac Type: Press TAB to see available options
dns-resolving Indicates if the name of the server/network object will be used as a hostname
for internal DNS service
exclude-from-dhcp This field is deprecated. Please use field 'dhcp-reserve-ip-addr-to-mac'
mac-addr MAC address of the Network Object
Type: MAC address
mac-reserved-in-dhcp This field is deprecated. Please use field 'dhcp-reserve-ip-addr-to-mac'
Type: String
reserve-mac-address This field is deprecated. Please use field 'mac-addr'
set host
Example
set host TEXT name TEXT dhcp-exclude-ip-addr on dhcp-reserve-ip-addr-to-mac

on mac-addr 00:1C:7F:21:05:BE reserve-mac-address 00:1C:7F:21:05:BE mac-
reserved-in-dhcp on mac-addr 00:1C:7F:21:05:BE reserve-mac-address
00:1C:7F:21:05:BE exclude-from-dhcp on dhcp-reserve-ip-addr-to-mac on mac-
addr 00:1C:7F:21:05:BE reserve-mac-address 00:1C:7F:21:05:BE mac-reserved-
in-dhcp on mac-addr 00:1C:7F:21:05:BE reserve-mac-address 00:1C:7F:21:05:BE
dns-resolving true ipv4-address 192.168.1.1
show host
show host
Description
Shows the configuration of an existing network object.
Syntax
show host <name>
Parameters
Type: String
Example
show host TEXT
show hosts
show hosts
Description
Shows the configuration of all existing network objects.
Syntax
show hosts
Parameters
n/a
Example
show hosts
hotspot
hotspot
set hotspot
set hotspot
Configures hotspot settings.
set hotspot
set hotspot
Description
Configures hotspot settings.
Syntax
set hotspot [ require-auth <require-auth> ] [ auth-mode <auth-mode> ] [

allowed-group <allowed-group> ] [ timeout <timeout> ] [ portal-title
<portal-title> ] [ portal-msg <portal-msg> ] [ show-terms-of-use <show-
terms-of-use> ] [ terms-of-use <terms-of-use> ] [ redirect-after-auth
<redirect-after-auth> ] [ redirect-after-auth-url <redirect-after-auth-url>
]
Parameters
allowed- Indicates the specific user group that can authenticate through the hotspot when auth-
group mode is set to allow-specific-group
auth-mode Allow access to a specific user group only or all users
Options: allow-all, allow-specific-group
portal-msg The message shown in hotspot portal
portal-title The title of the hotspot portal
redirect-after- Indicates if after the user accepts terms or authenticate in the hotspot portal the user will
auth be redirected to a configured external URL instead of the originally requested URL
Options: on, off
redirect-after- Redirect the user to the following URL after the user accepts terms or authenticate in
auth-url the hotspot portal
Type: urlWithHttp
require-auth Indicates if user authentication is required
show-terms- Indicates if a terms and conditions link will be shown in the hotspot portal
of-use Options: on, off
terms-of-use Indicates the When users will click the terms and conditions text shown in the hotspot
portal
timeout Time, in minutes, untill the hotspot session expires
set hotspot
Example
set hotspot require-auth true auth-mode allow-all allowed-group word

timeout 15 portal-title My Network portal-msg My Network show-terms-of-use
on terms-of-use My Network redirect-after-auth on redirect-after-auth-url
urlWithHttp
set hotspot
set hotspot
Description
Adds an existing network object as an exception for hotspot portal.
Syntax
set hotspot add exception <exception>
Parameters
exception Network object name
Example
set hotspot add exception TEXT
set hotspot
set hotspot
Description
Removes an existing network object from being an exception to hotspot portal.
Syntax
set hotspot remove exception <exception>
Parameters
exception Network object name
Example
set hotspot remove exception TEXT
set hotspot
set hotspot
Description
Configures advanced hotspot settings.
Syntax
set hotspot advanced-settings activation <activation>
Parameters
n/a
Example
set hotspot advanced-settings activation on
set hotspot
set hotspot
Description
Configures advanced hotspot settings.
Syntax
set hotspot advanced-settings prevent-simultaneous-login <prevent-

simultaneous-login>
Parameters
n/a
Example
set hotspot advanced-settings prevent-simultaneous-login true
show hotspot
show hotspot
Shows hotspot configuration.
show hotspot
show hotspot
Description
Shows hotspot configuration.
Syntax
show hotspot
Parameters
n/a
Example
show hotspot
show hotspot
show hotspot
Description
Shows hotspot advanced settings configuration.
Syntax
Shows hotspot advanced-settings
Parameters
n/a
Example
Shows hotspot advanced-settings
https-categorization
https-categorization
set https-categorization
Configures HTTPS categorization settings (categorization does not require a full SSL inspection
mechanism).
Description
Configures advanced HTTPS categorization settings.
Syntax
set https-categorization advanced-settings validate-cert-expiration

<validate-cert-expiration>
Parameters
n/a
Example
set https-categorization advanced-settings validate-cert-expiration true
Description
Syntax
set https-categorization advanced-settings validate-unreachable-crl

<validate-unreachable-crl>
Parameters
n/a
Example
set https-categorization advanced-settings validate-unreachable-crl true
Description
Syntax
set https-categorization advanced-settings validate-crl <validate-crl>
Parameters
n/a
Example
set https-categorization advanced-settings validate-crl true
show https-categorization
show https-categorization
Description
Shows configuration for HTTPS categorization feature.
Syntax
show https-categorization advanced-settings
Parameters
n/a
Example
show https-categorization advanced-settings
interface
interface
add interface
add interface
Adds a new virtual interface.
add interface
add interface
Description
Adds a new 802.1q tag-based VLAN over an existing physical interface.
Syntax
add interface <assignment> vlan <vlan>
Parameters
assignment The switch or bridge which the object belongs to
vlan Enter a number that is the virtual identifier
Example
add interface My_Network vlan 12
add interface
add interface
Description
Adds a new numbered/unnumbered Virtual Tunnel Interface (VTI) to be used for Route-based VPN
purposes.
Syntax
add vpn tunnel <vpn tunnel> type { unnumbered peer <peer> internet-
connection <internet-connection> | numbered local <local> remote <remote>
peer <peer> }
Parameters
internet- The local interface for unnumbered VTI
connection
local Enter the IP address of the interface
Type: IP address
peer Remote peer name as defined in the VPN community. You must define the two peers in
the VPN community before you can define the VTI. The Peer ID is an alpha-numeric
character string.
Type: A string that begins with a letter and contains up to 32 alphanumeric (0-9, a-z, _ -)
remote Defines the remote peer IPv4 address, used at the peer gateway's point-to-point virtual
interface (numbered VTI only)
Type: IP address
type The type of VTI: Numbered VTI that uses a specified, static IPv4 addresses for local and
remote connections, or unnumbered VTI that uses the interface and the remote peer
name to get addresses
vpn tunnel A number identifying the Virtual Tunnel Interface (VTI)
Example
add vpn tunnel 12 type unnumbered peer site17 internet-connection My

connection
add interface
add interface-alias
Description
Associate more than one IP address to a network interface.
Syntax
add interface-alias alias-physical-port <alias-physical-port> [ ipv4-

address <ipv4-address> ] [ {mask-length <mask-length. | subnet-mask
<subnet-mask> } ]
Parameters
alias-physical-port The physical port used by the alias network. Separate networks only
Type: A string that contains [A-Z], [0-9], ’_’, ’.’, ’-’ and ’/’ characters
ipv4-address Enter the IP address of the interface
Type: IP address
mask-length Represents the network’s mask length
subnet-mask The subnet mask of the specified network
Type: A subnet mask, or 255.255.255.255
Example
add interface-alias alias-physical-port My_Network ipv4-address 192.168.1.1

mask-length 20
delete interface
delete interface
Description
Deletes an existing virtual interface.
Syntax
delete interface <name>
Parameters
name Network name
Example
delete interface My_Network
set interface
set interface
Configures local networks/interfaces.
set interface
set interface
Description
Configures local networks/interfaces.
Syntax
set interface <name> ipv4-address <ipv4-address> { subnet-mask <subnet-

mask> default-gw <default-gw> [ dns-primary <dns-primary> [ dns-secondary
<dns-secondary> [ dns-tertiary <dns-tertiary> ] ] ] | mask-length <mask-
length> default-gw <default-gw> [ dns-primary <dns-primary> [ dns-secondary
<dns-secondary> [ dns-tertiary <dns-tertiary> ] ] ] }
Parameters
default-gw Default gateway
Type: IP address
dns-primary First DNS server IP address
Type: IP address
dns-secondary Second DNS server IP address
Type: IP address
dns-tertiary Third DNS server IP address
Type: IP address
ipv4-address The IP address
Type: IP address
name Network name
Type: Subnet mask
Example
set interface My_Network ipv4-address 192.168.1.100 subnet-mask

255.255.255.0 default-gw 192.168.1.1 dns-primary 192.168.1.1 dns-secondary
192.168.1.2 dns-tertiary 192.168.1.3
set interface
set interface
Description
Configures IP address for local networks/interfaces.
Syntax
set interface <name> ipv4-address <ipv4-address>{ mask-length <mask-length>

| subnet-mask <subnet-mask> }
Parameters
Type: IP address
mask-length Represents the network's mask length
name Network name
subnet-mask Enter the Subnet mask of the specified network
Example
set interface My_Network ipv4-address 192.168.1 mask-length 20
set interface
set interface
Description
Configures a physical interface to be unassigned from existing networks.
Syntax
set interface <name> unassigned
Parameters
name Network name
Example
set interface LAN2 unassigned
set interface
set interface
Description
Configures monitor mode on an existing local network/interface.
Syntax
set interface <name> monitor-mode
Parameters
name Network name
Example
set interface My_Network monitor-mode
set interface
set interface
Description
Configures advanced settings on an existing local network/interface.
Syntax
set interface <name>[ mac-address-override <mac-address-override> ] [

exclude-from-dns-proxy <exclude-from-dns-proxy> ]
Parameters
exclude-from-dns- proxy Exclude from DNS proxy
Options: on, off
mac-address-override Override default MAC address
Type: MAC address
name Network name
Example
set interface My_Network mac-address-override 00:1C:7F:21:05:BE exclude-

from-dns-proxy on
set interface
set interface
Description
Configures networking settings on an existing local network/interface.
Syntax
set interface <name> [ auto-negotiation <auto-negotiation> ] [ mtu <mtu> ]

[ link-speed <link-speed>]
Parameters
auto-negotiation Enable this option in order to manually configure the link speed of the interface.
Options: on, off
link-speed Configure the link speed of the interface manually
Options: 10/full, 10/half, 100/full, 100/half
mtu Configure the Maximum Transmission Unit size for an interface
name Network name
Example
set interface My_Network auto-negotiation on mtu 1460 link-speed 10/full
set interface
set interface
Description
Enable/disable an existing local network/interface.
Syntax
set interface <name> state <state>
Parameters
name Network name
state The mode of the network - enabled or disabled
Options: on, off
Example
set interface My_Network state on
set interface
set interface
Description
Configures a description for an existing local network/interface.
Syntax
set interface <name> [ description <description> ]
Parameters
description Description
name Network name
Example
set interface My_Network description "This is a comment."
set interface
set interface
Description
Configures automatic access policy for an existing local network/interface. This feature is relevant when the
device is locally managed.
Syntax
set interface <name> [ lan-access <lan-access> ] [ lan-access-track <lan-

access-track>
Parameters
lan-access Local networks will be accessible from this network once this option is enabled
lan-access-track Traffic from this network to local networks will be logged once this option is enabled
Options: none, log
name Network name
Example
set interface My_Network lan-access block lan-access-track none
set interface
set interface
Description
Configure hotspot functionality for an existing local network/interface.
Syntax
set interface <name> hotspot <hotspot>
Parameters
hotspot Redirect users to the Hotspot portal before allowing access from this interface
Options: on, off
name Network name
Example
set interface My_Network hotspot on
show interface
show interface
Description
Shows configuration and details of local networks.
Syntax
show interface <name> [ all ]
Parameters
name Network name
Example
show interface My_Network all
show interfaces
show interfaces
Description
Shows the list of defined local networks.
Syntax
show interfaces
Parameters
n/a
Example
show interfaces
show interfaces all
show interfaces all
Description
Shows details of all defined local networks.
Syntax
show interfaces all
Parameters
n/a
Example
show interfaces all
interface-alias
interface-alias
add interface-alias
Description
Associate more than one IP address to a network interface.
Syntax
add interface-alias alias-physical-port <alias-physical-port> [ ipv4-

address <ipv4-address> ] [ {mask-length <mask-length. | subnet-mask
<subnet-mask> } ]
Parameters
alias-physical-port The physical port used by the alias network. Separate networks only
Type: IP address
mask-length Represents the network’s mask length
subnet-mask The subnet mask of the specified network
Example
add interface-alias alias-physical-port My_Network ipv4-address 192.168.1.1

mask-length 20
delete interface-alias
delete interface-alias
Description
Delete one of multiple IP addresses associated to a network interface.
Syntax
delete interface-alias <name>
Parameters
name Network name
Example
delete interface-alias My_Network
set interface-alias
set interface-alias
Description
Configure the settings for an alias IP.
Syntax
set interface-alias <name> [ ipv4-address <ipv4-address> ] [ { mask-length

<mask-length> | subnet-mask <subnet-mask> } ] [ state <state> ]
Parameters
ipv4 address Enter the IP address of the interface Type: IP address
mask-length Represents the network’s mask length Type: A string that contains numbers only
name Network name
state The mode of the network - enabled or disabled Options: on, off
subnet-mask The subnet mask of the specified network Type: A subnet mask, or 255.255.255.255
Example
set interface-alias My_Network ipv4-address 192.168.1.1 mask-length 20

state on
interface-bond
interface-bond
add interface-bond
Description
Create a link aggregation (bond) between two or more interfaces (LAN).
Syntax
add interface-bond slave-port-1 <slave-port-1> slave-port-2 <slave-port-2>

[ bond-mode { xor [ bond-hash-policy <bond-hash-policy> ] [ bond-mii-
interval <bond-mii-interval> ] | round-robin [ bond-mii-interval <bond-mii-
interval> ] | master bond-master <bond-master> [ bond-mii-interval <bond-
mii-interval> ] | 8023ad [ bond-hash-policy <bond-hash-policy> ] [ bond-
mii-interval <bond-mii-interval> ] } ]
Parameters
bond-hash policy The bond hash policy
Options: layer2, layer2_3, layer3_4
bond-master The bond Master port
bond-mii-interval The bond MII interval
bond-mode The bond operation mode policy
slave-port-1 bondPort1
slave-port-2 bondPort2
Example
add interface-bond slave-port-1 My_Network slave-port-2 My_Network bond-

mode xor bond-hash-policy layer2 bond-mii-interval -1000000
delete interface-bond
delete interface-bond
Delete this text and replace it with your own content.
Description
Delete a link aggregation (bond) between two or more interfaces.
Syntax
delete interface <name>
Parameters
name Network name
Example
delete interface My_Network
set interface-bond
set interface-bond
Description
Configure the settings for an interface bond.
Syntax
set interface-bond <name> [ bond-mode <bond-mode> ] [ bond-master <bond-

master> ] [ bond-mii-interval <bond-mii-interval> ] [ bond-hash-policy
<bond-hash-policy> ]
Parameters
bond-hash-policy The bond hash policy
Options: layer2, layer2_3, layer3_4
Options: 8023ad, round-robin, xor, master
name Network name
Example
set interface-bond My_Network bond-mode 8023ad bond-master My_Network bond-

mii-interval -1000000 bond-hash-policy layer2
set interface-bond
set interface-bond
Description
Configure the settings for an internet bond (LAN).
Syntax
set interface-bond <name> add-member <add-member>
Parameters
add-member bondPort1
name Network name
Example
set interface-bond My_Network add-member My_Network
set interface-bond
set interface-bond
Description
Configure the settings for an interface bond (LAN).
Syntax
set interface-bond <name> remove-member <remove-member>
Parameters
name Network name
remove-member bondPort1
Example
set interface-bond My_Network remove-member My_Network
show interface-bond
show interface-bond
Description
Show the name of the interface in the bond (LAN).
Syntax
show interface-bond <name>
Parameters
name Network name
Example
show interface-bond <name>
show interfaces-bond
Description
Show the interfaces in the bond (LAN).
Syntax
Parameters
n/a
Example
internal-certificates-conf
Configure settings for internal certificates.
add internal-certificate
Description
Add an internal certificate.
Syntax
add internal-certificate certificate-name <certificate-name> p12-password

<p12-password> url <url> [ less secure <less-secure> ]
Parameters
certificate- Informal representation for the Certificate Type: String
name
Less-secure Allow connections to SSL sites without certificates. Only applied over SFTP.
P12- PKCS#12 Password, PKCS #12 defines an archive file format for storing many
password cryptography objects as a single file
Type: A registration key
url Download the certificate file from this URL. The URL format should be
(s)ftp://name:passwd@machine.domain:port/full_path_to_file
Type: ftpUrl
Example
add internal-certificate certificate-name TEXT p12-password QWEDFRGH4 url

ftpUrl less-secure true
delete internal-certificate
Description
Delete an internal certificate.
Syntax
delete internal-certificate name <name>
Parameters
name Name of the internal certificate
Type: String
Example
delete internal-certificate name TEXT
show internal-certificate
Description
Show an internal certificate.
Syntax
show internal-certificate name <name>
Parameters
name Name of the internal certificate
Type: String
Example
show internal-certificate name TEXT
show internal-certificates
Description
Show all internal certificates.
Syntax
Parameters
n/a
Example
ips engine-settings
ips engine-settings
set ips engine-settings
Description
Configures advanced IPS engine settings. This command configures if and when IPS will deactivate upon
high resource consumption of the device.
Syntax
set ips engine-settings [ protection-scope <protection-scope> ] [ bypass-

under-load { true [ bypass-track <bypass-track>] [ gateway-load-thresholds
[ cpu-usage-low-watermark <cpu-usage-low-watermark>] [ cpu-usage-high-
watermark <cpu-usage-high-watermark> ] [ memory-usage-low-watermark
<memory-usage-low-watermark> ] [ memory-usage-high-watermark <memory-usage-
high-watermark> ] [ threshold-detection-delay <threshold-detection-delay> ]
] | false } ]
Parameters
bypass-track Indicates how the appliance will track events where the bypass mechanism is
activated/deactivated
bypass- Indicates if the IPS engine will move to bypass mode if the appliance is under heavy
under-load load
protection- Indicates if the IPS blade will protect internal networks only or protect all networks
scope (including external networks)
Options: protect-internal-hosts-only, perform-ips-inspection-on-all-traffic
Example
set ips engine-settings protection-scope protect-internal-hosts-only

bypass-under-load true bypass-track none gateway-load-thresholds cpu-usage-
low-watermark 75 cpu-usage-high-watermark 80 memory-usage-low-watermark 75
memory-usage-high-watermark 80 threshold-detection-delay 90
Description
Configures advanced IPS engine settings. This command configures a legacy error page shown in some
legacy IPS HTTP protections.
Syntax
set ips engine-settings advanced-settings AboutConfigIPSErrorPageConfig [

status-code-desc <status-code-desc> ] [ show-error-code <show-error-code> ]
[ logo-url <logo-url> ] [ send-detailed-status-code <send-detailed-status-
code>
] [ enable-logo-url <enable-logo-url> ]
Parameters
n/a
Example
set ips engine-settings advanced-settings AboutConfigIPSErrorPageConfig

status-code-desc "This is a comment." show-error-code true logo-url
http://www.checkpoint.com/ send-detailed-status-code true enable-logo-url
true
Description
Configures advanced IPS engine settings. This command configures a legacy error page shown in some
legacy IPS HTTP protections.
Syntax
set ips engine-settings advanced-settings AboutConfigIPSErrorPage [ send-

error-code <send-error-code>] [ error-page-for-supported-web-protections
<error-page-for-supported-web-protections> ] [ url <url> ]
Parameters
n/a
Example
set ips engine-settings advanced-settings AboutConfigIPSErrorPage send-

error-code true error-page-for-supported-web-protections do-not-show url
http://www.checkpoint.com/
show ips engine-settings
Shows engine settings for the IPS blade.
Description
Shows engine settings for the IPS blade.
Syntax
Parameters
n/a
Example
Description
Shows advanced engine settings for the IPS blade.
Syntax
show ips engine-settings advanced-settings
Parameters
n/a
Example
show ips engine-settings advanced-settings
interface-loopback
interface-loopback
add interface-loopback
add interface-loopback
Description
Adds a new loopback interface (A fixed interface in the system that is commonly used for dynamic routing
purposes).
Syntax
add interface-loopback ipv4-address <ipv4-address> { mask-length <mask-

length> | subnet-mask <subnet-mask> }
Parameters
Type: IP address
mask-length Represents the network's mask length
subnet-mask Enter the Subnet mask of the specified network
Example
add interface-loopback ipv4-address 192.168.1.1 mask-length 20
delete interface-loopback
delete interface-loopback
Description
Deletes an existing configured loopback interface.
Syntax
delete interface-loopback <name>
Parameters
name Network name
Example
delete interface-loopback My_Network
internet
internet
set internet
set internet
Description
Configures advanced settings for internet connectivity.
Syntax
set internet advanced-settings reset-sierra-usb-on-lsi-event <reset-sierra-

usb-on-lsi-event>
Parameters
n/a
Example
set internet advanced-settings reset-sierra-usb-on-lsi-event true
show internet
show internet
Description
Shows advanced settings for configured internet
Syntax
show internet advanced-settings
Parameters
n/a
Example
show internet
internet-advanced-settings
set internet-advanced-settings
Description
Configure advanced global internet settings.
Syntax
set internet advanced-settings reset-sierra-usb-on-lsi-event <reset-sierra-

usb-on-lsi-event>
Parameters
reset-sierra-usb-on-lsi- Indicates whether Sierra type USB modems will be reset when they send an
event Invalid LSI signal
Example
set internet advanced-settings reset-sierra-usb-on-lsi-event true
show internet-advanced-settings
Description
Show internet advanced global settings.
Syntax
Parameters
n/a
show internet
Example
internet-connection
internet-connection
add internet-connection
Adds a new internet connection.
add internet-connection interface cellular
Description
Add a new cellular (LTE) internet connection.
Syntax
add internet-connection interface cellular [apn {VALUE}] [pin {VALUE}]

[apn-sim1-authentication-method {VALUE}] [apn-sim1-password {VALUE}] [apn-
sim2-username {VALUE}] [apn-sim2-authentication-method {VALUE}] [apn-sim2-
password {VALUE}] [apn-sim2-username {VALUE}][apn-sim2 {VALUE}] [pin-sim2
{VALUE}] [primary-sim {sim1 | sim2}] [disable-sim {sim1 | sim2 | none}]
[name {VALUE}]
Parameters
apn APN (Access Point Name) of SIM 1(optional).
pin PIN (Personal Identification Number) of SIM 1(optional).
apn-sim1- The APN authentication method provided by your cellular network carrier for
authentication-method SIM1.
Values:
n pap
n chap
n none
apn-sim1-password The APN password provided by your cellular network carrier for SIM1.
Password string. Maximum length of 15 characters. Required when apn-sim1-
authentication-method = pap or chap
apn-sim1-username The APN username provided by your cellular network carrier for SIM1.
Maximum length of 59 characters. Required when apn-sim1-authentication-
method = pap or chap
apn-sim2- The APN authentication method provided by your cellular network carrier for
authentication-method SIM2.
n pap
n chap
n none
Password string. Maximum length of 15 characters. Required when apn-sim2-
apn-sim2 APN (Access Point Name) of SIM 2 (optional).
pin-sim2 PIN number of SIM 2 (optional).
primary-sim The preferred SIM to use for the connection.
disable-sim Allows disabling of one of the SIM cards.
name The name of the internet connection.
sim1-carrier- Predefined configuration and firmware package required for specific cellular
configuation-package network carriers for SIM1.
configuation-package network carriers for SIM2.
Example
add internet-connection interface cellular apn sim1apn.com pin 1111 apn-

sim1-authentication-method pap apn-sim1-username my_sim1_username apn-sim1-
password my_sim1_password apn-sim2-authentication-method none apn-sim2
sim2apn.com pin-sim2 2222 disable-sim none primary-sim sim1 name Internet1
add internet-connection (physical interface)
Description
Adds a new internet connection using an existing physical interface (multiple internet connection can
engage in High Availability/Load Sharing).
WAN
Syntax for DHCP
add internet-connection name <name> interface WAN type dhcp
Parameters
conn-test-timeout Connection test timeout
interface Interface name
name Connection name
Type: A string that contains [A-Z], [0-9], '-', '@', '.', '_' and space characters
type Connection type
vlan-id VLAN ID
Syntax for Static IP
add internet-connection name <name> interface WAN type static default-gw

<default-gw> ipv4-address <ipv4-address> mask-length <mask-length>
add internet-connection name <name> interface WAN type static default-gw

<default-gw> ipv4-address <ipv4-address> subnet-mask <subnet-mask> { dns-
primary <dns-primary>dns-secondary <dns-secondary> dns-tertiary <dns-
tertiary>} { use-connection-as-vlan vlan-id <vlan-id>} { conn-test-timeout
<conn-test-timeout>}
Parameters
default-gw WAN default gateway (in the advanced section of PPTP and l2TP)
Type: IP address
Type: IP address
Type: IP address
Type: IP address
ipv4-address IP address field (for static IP and bridge settings)
Type: IP address
vlan-id VLAN ID
Syntax for L2TP
add internet-connection name <name> interface WAN type l2tp server <server>
password-hash <password-hash>
add internet-connection name <name> interface WAN type l2tp server <server>
password <password> username <username> { local-ipv4-address <local-ipv4-
address> wan-ipv4-address <wan-ipv4-address> wan-mask-length <wan-mask-
length>
add internet-connection name <name>interface WAN type l2tp server <server>

address> wan-ipv4-address <wan-ipv4-address> wan-subnet-mask <wan-mask-
length> default-gw <default-gw>} { is-unnumbered-pppoe <is-unnumbered-
pppoe>local-ipv4-address <local-ipv4-address>}
Parameters
conn-test- Connection test timeout
Type: IP address
is-unnumbered- Unnumbered PPPoE lets you manage a range of IP addresses and dial only once
pppoe Type: Boolean (true/false)
local-ipv4- Local tunnel IP address or Auto for automatic
address Type: An IP address, or 'auto'
password Password for PPP connection or cellular modem settings
Type: internetPassword
password-hash The hash of the user password
Type: passwordHash
server Server IP address
Type: IP address
username User name for PPP connection or cellular modem settings
Type: A string that contains all printable characters but a single or double quotelike
characters. Usually <username>@<ISP>
vlan-id VLAN ID
wan-ipv4- Wan IP address wrapper
wan-mask- WAN subnet mask length
length Type: A string that contains numbers only
wan-subnet- WAN subnet mask (in the advanced section)
mask Type: Subnet mask
Syntax for PPPoE
add internet-connection name < name> interface WAN type pppoe username
<username> password-hash <password-hash>
add internet-connection name <name> interface WAN type pppoe username

<username> password <password-hash> { is-unnumbered-pppoe <is-unnumbered-
pppoe> local-ipv4-address <local-ipv4-address> }
Parameters
Type: passwordHash
vlan-id VLAN ID
Syntax for PPTP
add internet-connection name <name> interface WAN type pptp server <server>
command_synadd internet-connection name <name> interface WAN type

pptpserver <server> password <password > username <username> { { local-
ipv4-address <local-ipv4-address> wan-ipv4-address <wan-ipv4-address> wan-
mask-length <wan-mask-length>tax
add internet-connection name <name> interface WAN type pptp server <server>
address> wan-ipv4-address <wan-ipv4-address> wan-subnet-mask <wan-subnet-
mask> default-gw <default-gw>} { is-unnumbered-pppoe <is-unnumbered-pppoe>
local-ipv4-address <local-ipv4-address>}
Parameters
default-gw
Type: passwordHash
Type: IP address
vlan-id VLAN ID
ADSL
Syntax for EoA
add internet-connection name <name> interface ADSL type eoa
Parameters
encapsulation Encapsulation type for the ADSL connection
Options: llc, vcmux
standard The ADSL standard to use
Options: multimode, t1413, glite, gdmt, adsl2, adsl2+
vci VCI value for the ADSL connection
Type: A number between 0 and 65535
vpi VPI value for the ADSL connection
Syntax for PPPoE
add internet-connection name <name> interface ADSL type pppoe username

add internet-connection name <name> interface ADSLtype pppoe username

<username> password <password> { encapsulation <encapsulation> is-
unnumbered-pppoe <is-unnumbered-pppoe> local-ipv4-address <local-ipv4-
address> vci <vci> vpi <vpi>} { encapsulation <encapsulation> vci <vci>
vpi <vpi>} { conn-test-timeout <conn-test-timeout> standard <standard>}
Parameters
Options: llc, vcmux
Type: passwordHash
DSL
Syntax for IPoE Dynamic
add internet-connection name <name> interface DSL type ipoe-dynamic
Parameters
Options: llc, vcmux
vlan-id VLAN ID
Syntax for IPoE Static
add internet-connection name <name> interface DSL type ipoe-staticdefault-

gw <default-gw> ipv4-address <ipv4-address> mask-length <mask-length>
add internet-connection name <name> interface DSL type ipoe-static default-

gw <default-gw> ipv4-address <ipv4-address> subnet-mask VALUE { dns-primary
<dns-primary> dns-secondary <dns-secondary> dns-tertiary <dns-tertiary> }
Parameters
Type: IP address
Type: IP address
Type: IP address
Type: IP address
Options: llc, vcmux
Type: IP address
vlan-id VLAN ID
Syntax for PPPoE
add internet-connection name <name> interface DSL type pppoe username

add internet-connection name <name> interface DSL type pppoe username

<username> password <password> { encapsulation <encapsulation> is-
unnumbered-pppoe <is-unnumbered-pppoe> local-ipv4-address <local-ipv4-
address> vci <vci> vpi <vpi> } { encapsulation <encapsulation> vci <vci>
vpi <vpi> } { use-connection-as-vlan vlan-id <vlan-id> } { conn-test-
timeout <conn-test-timeout>}
Parameters
Options: llc, vcmux
Type: passwordHash

vlan-id VLAN ID
DMZ
Syntax for SFP-DSL type ppoe
add internet-connection name interface DMZ dmz-connection sfp-dsl type

pppoe username <username> password <password>
Parameters
ls-unnumbered- Unnumbered PPPoE lets you manage a range of IP addresses and dial only once
ppoe Type: Boolean (true/false)
password Password for PPP connection settings
Type: passwordHash
username User name for PPP connection settings Type: A string that contains all printable
characters but a single or double quotelike characters. Usually
<username>@<ISP>
vci VCI value for the ADSL connection Type: A number between 0 and 65535
vpi VPI value for the ADSL connection Type: A number between 0 and 255
Example

pppoe username admin@isp password XXXXXX
Syntax for SFP-DSL type ipoe-dynamic

ipoe-dynamic
Parameters
Options:
n llc
n vcmux
Example

ipoe-dynamic
Syntax for SFP-DSL type ipoe-static
• add internet-connection name interface DMZ dmz-connection sfp-dsl type

ipoe-static default-gw ipv4-address < ipv4-address> mask-length < ipv4-
address>
• add internet-connection name interface DMZ dmz-connection sfp-dsl ipoe-

static default-gw ipv4-address < ipv4-address> subnet-mask VALUE { dns-
primary < dns-primary > dns-secondary < dns-secondary> dns-tertiary < dns-
tertiary >}
Parameters
Type: IP address
Type: IP address
Type: IP address
Type: IP address
Type: IP address
subnet-mask Subnet mask Type: A subnet mask, or 255.255.255.255
Example

ipoe-static default-gw ipv4-address 172.15.47.4 mask-length 255.255.255.
Syntax for DHCP
add internet-connection name <name> interface DMZ type dhcp
Parameters
vlan-id VLAN ID
Syntax for Static IP
add internet-connection name <name> interface DMZ type static default-gw

<default-gw> ipv4-address <ipv4-address> mask-length <mask-length>
add internet-connection name <name> interface DMZ type static default-gw

<default-gw> ipv4-address <ipv4-address> subnet-mask <subnet-mask> { dns-
primary <dns-primary> dns-secondary <dns-secondary> dns-tertiary <dns-
tertiary>} { use-connection-as-vlan vlan-id <vlan-id>} { conn-test-timeout
<conn-test-timeout>}
Parameters
Type: IP address
Type: IP address
Type: IP address
Type: IP address
Type: IP address
vlan-id VLAN ID
Syntax for L2TP
add internet-connection name <name> interface DMZ type l2tp server <server>
length>
address> wan-ipv4-address <wan-ipv4-address> wan-subnet-mask <wan-mask-
length> default-gw <default-gw>} { is-unnumbered-pppoe <is-unnumbered-
pppoe> local-ipv4-address <local-ipv4-address>}
Parameters
Type: IP address
Type: passwordHash
Type: IP address
vlan-id VLAN ID
Syntax for PPPoE
add internet-connection name <name> interface DMZ type pppoe username

<username> password-hash <password>
add internet-connection name <name> interface DMZ type pppoe username

<username> password <password>{ is-unnumbered-pppoe <is-unnumbered-pppoe>
Parameters
Type: passwordHash
vlan-id VLAN ID
Syntax for PPTP
add internet-connection name <name> interface DMZ type pptp server <server>
password <password> username <username> { { local-ipv4-address <local-ipv4-
length>
address> wan-ipv4-address <wan-ipv4-address> wan-subnet-mask <wan-subnet-
mask> default-gw <default-gw>} { is-unnumbered-pppoe <is-unnumbered-pppoe>
Parameters
Type: IP address
Type: IP address
Type: IP address
Type: IP address
Options: llc, vcmux
Type: IP address
isVlan isVlan
Type: passwordHash
Type: IP address
vlan-id VLAN ID
Example
add internet-connection name My connection interface WAN true vlan-id -

1000000 type static ipv4-address 192.168.1.1 subnet-mask 255.255.255.0
default-gw 192.168.1.1 dns-primary 192.168.1.1 dns-secondary 192.168.1.1
dns-tertiary 192.168.1.1 conn-test-timeout -1000000
add internet-connection (3G/4G modem)
Description
Adds a new internet connection using an external 3G/4G modem connected directly to the appliance
(multiple internet connection can engage in High Availability/Load Sharing).
Syntax
USB:
add internet-connection name <name> typeanalog use-serial-portfalse number
<number> { username <username> password-hash <password-hash>}
add internet-connection name <name> typeanalog use-serial-portfalse number

<number> { username <username> password <password> }
add internet-connection name <name> typeanalog use-serial-porttrue number

<number> { username <username> password-hash <password-hash> }
add internet-connection name <name> typeanalog use-serial-porttrue number

<number> username <username> password <password> { flow-control <flow-control>
port-speed <port-speed>} { conn-test-timeout <conn-test-timeout>}
add internet-connection name <name> typecellular number <number> { conn-test-

timeout <conn-test-timeout> } name <name>} { apn <apn> username <username>
password-hash <password-hash> }
add internet-connection name <name> typecellular number <number> { conn-test-

timeout <conn-test-timeout> name <name>} { apn <apn> username
<username>password <password> }
Parameters
apn APN (cellular modem settings)
Type: A string that contains [a-z], [0-9], '-' and '.' characters
flow-control Flow control (serial port settings)
Options: rts-cts, xon-xoff
number Dialed number of the cellular modem settings
Type: A sequence of numbers and #,* characters
password- The hash of the user password
hash Type: passwordHash
port-speed Port speed (serial port settings)
Options: 9600, 19200, 38400, 57600, 115200, 230400
use-serial- Use serial port
port Type: Boolean (true/false)
username User name for PPP connection settings
Example
add internet-connection type analog use-serial-port true number 758996

username MyUsername@MyISP password internetPassword port-speed 9600 flow-
control rts-cts conn-test-timeout 50 name My connection
delete internet-connection
Deletes an existing internet connection or internet connection related configuration.
Description
Deletes an existing internet connection by name.
Syntax
delete internet-connection <name>
Parameters
Example
delete internet-connection My connection
deleter internet-connection
deleter internet-connection
Description
Deletes an existing internet connection's ping servers, configured for connection health monitoring.
Syntax
delete internet-connection <name> probe-icmp-servers [ first ] [ second ] [

third ]
Parameters
Example
delete internet-connection My connection probe-icmp-servers first second

third
delete internet-connections
Description
Deletes all existing internet connections.
Syntax
Parameters
n/a
Example
set internet-connection
Configures internet connections settings.
Description
Configures an existing internet connection.
Syntax
set internet-connection <name>[ auto-negotiation <auto-negotiation> ] [

link-speed <link-speed> ] [ mtu <mtu>] [ mac-addr <mac-addr> ]
Parameters
auto-negotiation Disable auto negotiation and manually define negotiation link speed
Options: on, off
link-speed Link speed
Options: 100/full, 100/half, 10/full, 10/half
mac-addr Default mac address wrapper
Type: A MAC address or 'default'
mtu MTU size. Select 'default' for default value.
Example
set internet-connection My connection auto-negotiation on link-speed

100/full mtu word mac-addr 00:1C:7F:21:05:BE
Description
Configures advanced settings for an existing internet connection.
Syntax
set internet-connection <name> connect-on-demand <connect-on-demand>
Parameters
connect-on-demand Holds the status of the connect on demand feature
Example
set internet-connection My connection connect-on-demand true
Description
Enable/Disable an existing internet connection.
Syntax
set internet-connection <name> { enable | disable }
Parameters
state Connection enabled/disabled
Example
set internet-connection My connection true
Description
Configures advanced settings for an existing internet connection. Download bandwidth details allow QoS
blade to run on this internet connection in locally/SMP managed mode and when managed using an LSM
profile.
Syntax
set internet-connection <name> qos-download { true [ bandwidth <bandwidth>

]| false }
Parameters
bandwidth ISP download bandwidth
qos-download Enable QoS (quality of service) restriction on inbound traffic (download)
Example
set internet-connection My connection qos-download true bandwidth 100
Description
Configures advanced settings for an existing internet connection. Upload bandwidth details allow QoS blade
to run on this internet connection in locally/SMP managed mode and when managed using an LSM profile.
Syntax
set internet-connection <name> qos-upload { true [ bandwidth <bandwidth> ]

| false }
Parameters
bandwidth ISP upload bandwidth
qos-upload Enable QoS (quality of service) restriction on outbound traffic (upload)
Example
set internet-connection My connection qos-upload true bandwidth 5
Description
Configure hide NAT behavior on an existing internet connection. It is possible to disable hide-NAT from a
specific internet connection.
Syntax
set internet-connection <name> disable-nat <disable-nat>
Parameters
disable-nat Disable NAT(Network Address Translation) for traffic going through this Internet
connection
Example
set internet-connection My connection disable-nat true
Description
Configures multiple ISP settings for an existing internet connection.
Syntax
set internet-connection <name> ha-priority <ha-priority> load-balancing-

weight <load-balancing-weight>
Parameters
ha-priority Priority of the connection in HA
load-balancing-weight Internet connection weight for load balancing configuration
Example
set internet-connection My connection ha-priority 2 load-balancing-weight

15
Description
Configures advanced settings for an existing internet connection. It is possible to remove a configured
internet connection from being used as a default route, making it available for traffic through
manual/dynamic routing rules.
Syntax
set internet-connection <name> route-traffic-through-default-gateway

<route-traffic-through-default-gateway>
Parameters
Type: A string that contains [A-Z], [0-9], '-', '@', '.', '_' and space
characters
route-traffic-through- default- In order to route traffic through this connection you need to add specific
gateway routes through it
Example
set internet-connection My connection route-traffic-through-default-gateway

true
Description
Configures settings for an existing internet connection.
Syntax
set internet-connection <name>type { dhcp | pptp username <username> {

password <password> | password-hash <password-hash> } [ local-ipv4-address
<local-ipv4-address> ] [ is-unnumbered-pppoe <is-unnumbered-pppoe> ] server
<server> [ local-ipv4-address <local-ipv4-address> ] [ wan-ipv4-address
<wan-ipv4-address> { wan-subnet-mask <wan-subnet-mask> | wan-mask-length
<wan-mask-length> } default-gw <default-gw> ] | static ipv4-address <ipv4-
address> { subnet-mask <subnet-mask> | mask-length <mask-length> } default-
gw <default-gw> [ dns-primary <dns-primary> ] [ dns-secondary <dns-
secondary>] [ dns-tertiary <dns-tertiary> ] | l2tp username <username> {
password <password> | password-hash <password-hash> } [ local-ipv4-address
<local-ipv4-address>] [ is-unnumbered-pppoe <is-unnumbered-pppoe> ] server
<server>[ local-ipv4-address <local-ipv4-address> ] [ wan-ipv4-address
<wan-ipv4-address> { wan-subnet-mask <wan-subnet-mask> | wan-mask-length
<wan-mask-length> } default-gw <default-gw> ] }
Parameters
Type: IP address
Type: IP address
Type: IP address
Type: IP address
Type: IP address
is-unnumbered- Unnumbered PPoE lets you manage a range of IP addresses and dial only once.
Type: passwordHash
Type: IP address
Example
set internet-connection My connection type dhcp
Description
Configures advanced settings for an existing internet connection.
Syntax
set internet-connection <name> type { pppoa username <username> { password

<password> | password-hash <password-hash> } [ local-ipv4-addres <local-
ipv4-address> ] [ is-unnumbered-pppoe <is-unnumbered-pppoe> ] [ vpi <vpi> ]
[ vci <vci> ] [ encapsulation <encapsulation> ] | eoa }
Parameters
Options: llc, vcmux
is-unnumbered- Unnumbered PPPoE lets you manage a range of IP addresses and dial only once.
password-hash The hash of the user password.
Type: passwordHash
Type: A string that contains all printable characters but a single or double quotelike
Example
set internet-connection My connection type pppoe username MyUsername@MyISP

password internetPassword local-ipv4-address auto is-unnumbered-pppoe true
vpi 42 vci 42 encapsulation llc
Description
Configures advanced settings for an existing internet connection. This command is available only for
hardware that contains a DSL port.
Syntax
set internet-connection <name> type { pppoa [ method <method> ] [ idle-time

<idle-time> ] [ standard <standard> ] | eoa [ vpi <vpi> ] [ vci <vci> ] [
encapsulation <encapsulation> ] [ wan-ipv4-address <wan-ipv4-address> {
wan-subnet-mask <wan-subnet-mask> | wan-mask-length <wan-mask-length> }
default-gw <default-gw> ] [ standard <standard> ] }
Parameters
Type: IP address
encapsulation Encapsulation for the ADSL connection
Options: llc, vcmux
idle-time Disconnect idle time
method Authentication method
Options: auto, pap, chap
wan-ipv4-address Wan IP address wrapper
Type: An IP address, or 'auto'
wan-mask-length WAN subnet mask length
wan-subnet-mask WAN subnet mask (in the advanced section)
Type: Subnet mask
Example
set internet-connection My connection type pppoa method auto idle-time -

1000000 standard multimode
Description
Configures advanced settings for an existing internet connection. This command is available only for
hardware that contains a DSL port.
Syntax
set internet-connection <name> type { pppoe [ username <username> ] [ {

password <password> | password-hash <password-hash> } ] [ [ { use-
connection-as-vlan } vlan-id <vlan-id> ] ] [ local-ipv4-address <local-
ipv4-address> ] [ is-unnumbered-pppoe <is-unnumbered-pppoe> ] [ vpi <vpi> ]
[ vci <vci> ] [ encapsulation <encapsulation> ] [ method <method> ] [ idle-
time <idle-time> ] [ standard <standard> ] | ipoe-dynamic [ { use-
connection-as-vlan } vlan-id <vlan-id> ] [ vpi <vpi>] [ vci <vci> ] [
encapsulation <encapsulation> ] | ipoe-static ipv4-address <ipv4-address> {
subnet-mask <subnet-mask> | mask-length <mask-length> } default-gw
<default-gw>[ dns-primary <dns-primary>] [ dns-secondary <dns-secondary> ]
[ dns-tertiary <dns-tertiary> ] [ { use-connection-as-vlan } vlan-id <vlan-
id> ] [ vpi <vpi> ] [ vci <vci> ] [ encapsulation <encapsulation> ] }
Parameters
Type: IP address
Type: IP address
Type: IP address
Type: IP address
Options: llc, vcmux
idle-time Disconnect idle time
Type: IP address
is-unnumbered- Unnumbered PPPoE lets you manage a range of IP addresses and dial only
pppoe once
isVlan isVlan
local-ipv4-address Local tunnel IP address or Auto for automatic
Type: An IP address, or 'auto'
method Authentication method
Options: auto, pap, chap
Type: passwordHash
Type: A string that contains all printable characters but a single or double
quotelike
vlan-id VLAN ID
Example
set internet-connection My connection type pppoe username MyUsername@MyISP

password internetPassword true vlan-id -1000000 local-ipv4-address auto is-
unnumbered-pppoe true vpi 42 vci 42 encapsulation llc method auto idle-time
-1000000 standard multimode
Description
Configures settings for an existing internet connection.
Syntax
set internet-connection <name>type { cellular number <number> [ username

<username> { password <password> | password-hash <password-hash> } ] [ apn
<apn> ] }
Parameters
apn APN (cellular modem settings)
Type: A string that contains [a-z], [0-9], '-' and '.' characters
number Dialed number of the cellular modem settings
Type: A sequence of numbers and #,* characters
password- The hash of the user password
hash Type: passwordHash
Example
set internet-connection My connection type cellular number 758996 username

MyUsername@MyISP password internetPassword apn my-apn
Description
Configures health monitoring settings for an existing internet connection.
Syntax
set internet-connection <name> probe-next-hop <probe-next-hop> [ probe-

servers <probe-servers> ][ probing-method <probing-method> ]
Parameters
probe-next-hop Automatically detect loss of connectivity to the default gateway
probe-servers Monitor connection state by sending probe packets to one or more servers on the
Internet
probing- Connection probing method
method Options: icmp, dns
Example
set internet-connection My connection probe-next-hop true probe-servers

true probing-method icmp
Description
Configures health monitoring settings for an existing internet connection.
Syntax
set internet-connection < name> { probe-icmp-servers } first <first> [

second <second> ] [ third <third> ]
Parameters
first First IP address for the probing method (when using connection monitoring)
Type: An IP address or host name
probing-method Connection probing method
Options: icmp, dns
second Second IP address for the probing method (when using connection monitoring)
third Third IP address for the probing method (when using connection monitoring)
Example
set internet-connection My connection icmp first myHost.com second

myHost.com third myHost.com
set internet-connection interface DMZ
Description
Configure settings for an SFP DSL internet connection over the DMZ port in 1570 / 1590 appliances that do
not have an internal DSL port.
Syntax for SFP-DSL type ppoe
set internet-connection <internet-connection-name> dmz-connection sfp-dsl

type pppoe username <username> password <password>
Parameters
ls-unnumbered- Unnumbered PPPoE lets you manage a range of IP addresses and dial only once
ppoe Type: Boolean (true/false)
Type: passwordHash
username User name for PPP connection settings Type: A string that contains all printable
characters but a single or double quotelike characters. Usually
<username>@<ISP>
vci VCI value for the ADSL connection Type: A number between 0 and 65535
vpi VPI value for the ADSL connection Type: A number between 0 and 255
Example
set internet-connection name interface DMZ dmz-connection sfp-dsl type

pppoe username admin@isp password XXXXXX
Syntax for SFP-DSL type ipoe-dynamic
set internet-connection <internet-connection-name> dmz-connection sfp-dsl

type ipoe-dynamic
Parameters
Options:
n llc
n vcmux
Example

ipoe-dynamic
Syntax for SFP-DSL type ipoe-static
• set internet-connection <internet-connection-name> dmz-connection sfp-dsl

type ipoe-static default-gw < default-gw> ipv4-address < ipv4-address>
subnet-mask <subnet-mask>
• set internet-connection <internet-connection-name> dmz-connection sfp-dsl

ipoe-static default-gw ipv4-address < ipv4-address> subnet-mask VALUE {
dns-primary < dns-primary > dns-secondary < dns-secondary> dns-tertiary <
dns-tertiary >}
Parameters
Type: IP address
Type: IP address
Type: IP address
Type: IP address
Type: IP address
subnet-mask Subnet mask Type: A subnet mask, or 255.255.255.255
Example

ipoe-static default-gw ipv4-address 172.15.47.4 mask-length 255.255.255.
set internet-connection {name} type cellular
Description
Sets the LTE modem internet connection to a specific carrier.
Syntax
set internet-connection {name} type cellular
apn APN (Access Point Name) of SIM 1(optional).
pin PIN (Personal Identification Number) of SIM 1(optional).
apn-sim1-authentication- The APN authentication method provided by your cellular network
method
carrier for SIM1. Values:
n pap
n chap
n none
Password String. Maximum length of 15 characters. Required when apn-sim1-
apn-sim2-authentication- The APN authentication method provided by your cellular network carrier for
method SIM2.
n pap
n chap
n none
Password String. Maximum length of 15 characters. Required when apn-sim2-
apn-sim2 APN (Access Point Name) of SIM 2 (optional).
pin-sim2 PIN number of SIM 2 (optional).
primary-sim The preferred SIM to use for the connection.
disable-sim Allows disabling of one of the SIM cards.
name The name of the internet connection.
configuation-package - network carriers for SIM1.
configuation-package - network carriers for SIM2.
Example
set internet-connection Bezeq type cellular
set internet-connection {name} type usb-cellular
Description
Configure the settings for a new cellular interface (USB).
Syntax
set internet-connection {name} type usb-cellular
Parameters
apn The Access Point Name given to you by your cellular network carrier for SIM1.
password-hash The hash of the user password.
password Password for PPP connection or cellular modem settings.
initialization-string The initialization string for the cellular modem settings.
is-unnumbered- Unnumbered PPPoE lets you manage a range of IP addresses and dial only
pppoe once.
local-ipv4-address Local tunnel IP address or auto for automatic.
method Authentication method.
number Dialed number of the cellular modem settings.
username User name for PPP connection or cellular modem settings.
conn-test-timeout Connection test timeout.
name Connection name.
Example
set internet-connection Internet2 type usb-cellular
show internet-connection
Shows configuration and details of defined internet connections.
Description
Shows configuration and details of a defined internet connection.
Syntax
show internet-connection <name>
Parameters
Example
show internet-connection My connection
Description
Shows configured ping servers for health monitoring of defined internet connection.
Syntax
show internet-connection <name> icmp-servers
Parameters
Example
show internet-connection My connection icmp-servers
show internet-connection {name} type cellular
Description
Shows the carrier connection name for LTE internal modem.
Syntax
show internet-connection {name} type cellular
Parameters
sim1-carrier-configuation- Predefined configuration and firmware package required for specific
package - cellular network carriers for SIM1.
sim2-carrier-configuation- Predefined configuration and firmware package required for specific
package - cellular network carriers for SIM2.
Example
show internet-connection Internet1 type cellular
Output
> show internet-connection Internet1

high-availability-recovery-time:60
load-balancing-weight: 10
operator: Cellcom Cellcom
signal-strength: -61
bond-master:
username:
isVlan: false
conn-test-timeout:
local-tunnel-ip-assignment: automatic
subnet-mask: 255.255.255.240
alias-id: 0
mac-addr:
custom-mtu: true
access-point-security-type:
idle-time: 20
dns-primary: 194.90.0.13
apn-sim2-password:
dns-secondary: 212.143.0.13
probe-next-hop: true
dns-tertiary:
is-bond: false
lan-default-mac-address: 00:1C:7F:95:E8:26
username:
qos-download: false
third: dns.opendns.com
username:
number: *99#
pin-sim2:
second: b.resolvers.Level3.net
max-latency-allowed: 900
probing-window-size: 10
use-default-mac-addr: on
link-status: internet
type: cellular
wan-ip-address:
signal-strength-level: 5
local-tunnel-ip:
wan-ipv4-address: auto
initialization-string:
password:
first: dns.google.com
link-speed: 10/half
password-hash:
dns-tertiary-ipv6:
first-name: Google Public DNS
number: *99#
is-active: true
wan-subnet-mask:
is-unnumbered-pppoe: false
type: cellular
access-point-ssid:
prefix-length: 64
dns-secondary-ipv6:
type: pppoa
qos-upload: false
ipv6-address: ::
apn-sim2:
failover-after-ping-failure-percent:63
local-ipv4-address: auto
cellular-generation: 4g
bridge-name:
bridge-type: dhcp
interface-ipv6: WAN
type: usb-cellular
cluster-status: non-ha
interface: cellular
disable-sim: none
hostname-via-dhcp: false
ip-version: ipv4
inbound-bandwidth: 1000000
probing-method: icmp
mask-length: 28
ipv6-address:
state: true
type: pppoe
name: Internet1
primary-sim: sim1
wan-ip-assignment: automatic
country:
dns-primary-ipv6:
probingStatus: table: 0xf6dd0a48
username:
vci: 0
access-point-password:
status:
bond-id:
second-name: Level 3 Communications
connect-on-demand: false
access-point-signal-strength:
apn-sim1-authentication-method:none
route-traffic-through-default-gateway:true
use-serial-port: false
pin:
interface: cellular
server:
default-gw: 10.152.144.40
apn-sim1-username:
dmz-link-speed: 10/half
mtu: 1500
wan-default-mac-address: 00:1C:7F:95:E8:25
standard:
sim1-carrier-configuation-package:
bond-slaves:
access-point-wpa-password:
probe-servers: true
disable-nat: false
dmz-default-mac-address: 00:1C:7F:95:E8:27
apn:
bond-hash-policy: layer2
active-sim: sim2
default-gw:
auto-negotiation: on
ipv4-address: 10.152.144.39
apn-sim2-username:
ip-address: 10.152.144.39
password:
access-point-radio-type:
number: *99#
vlan-id: 0
failover-after-ping-failures: 1
apn-sim2-authentication-method:none
lan-link-speed:
linked-connection-id:
access-point-operation-mode:
wan-mask-length:
conn-duration: 3396
cellularRadioMode: on
password:
outbound-bandwidth: 1000000
status-type:
username:
type-ipv6: auto-obtain
wan-link-speed: 10/half
bond-mode: 802.3ad
password:
access-point-user-name:
mtu: 1500
apn-sim1-password:
ha-priority: 1
port-speed: 115200
type-ipv6: pppoe-ipv6
vpi: 0
encapsulation: llc
service-rovider:
third-name: OpenDNS
service-name:
mac-addr: default
dial: tone
bond-mii-interval: 100
password:
probing-frequency: 3
flow-control: rts-cts
method: auto
sim2-carrier-configuation-package:
linked-connection:
default-gw-ipv6:
show internet-connections
Description
Shows details and configuration of all internet connections.
Syntax
Parameters
n/a
Example
show internet-connections table
Description
Shows details and configuration of all internet connections in a table.
Syntax
Parameters
n/a
Example
set iot-stats
Description
Enable or disable IoT collecting statistics.
Syntax
set iot-stats [ mode <mode> ]
Parameters
mode Enable / Disable IoT collecting statistics.
Options:
n on
n off
Example
set iot-stats [ mode <mode> ] on
show iot-stats
Description
Show collected IoT statistics.
Syntax
show iot-stats
Parameters
n/a
Example
show iot-stats
Output
internet-connection-bond
internet-connection-bond
delete internet-connection-bond
Description
Delete a link aggregation (bond) between two or more interfaces (WAN).
Syntax
delete internet-connection-bond <name>
Parameters
Type: A string that contains [A-Z], [0-9], ’-’, ’@’, ’.’, ’_’ and space characters
Example
delete internet-connection-bond My connection
set internet-connection-bond
Description
Configure a link aggregation (bond) between two or more interfaces (WAN).
Syntax
set internet-connection-bond <name> [ bond-mode <bond-mode> ] [ bond-mii-

interval <bond-mii-interval> ] [ bond-hash-policy <bond-hash-policy> ] [
bond-master <bond-master> ]
Parameters
bond-hash-policy The bond hash policy
Options: layer2, layer2_3,layer3_4
Options: 802.3ad, round-robin, xor, high-availability
Example
set internet-connection-bond My connection bond-mode 802.3ad bond-master

My_Network bond-mii-interval -1000000 bond-hash-policy layer2
Description
Syntax
set internet-connection-bond <name> add-member <add-member>
Parameters
add-member bondPort1
Type: Type: A string that contains [A-Z], [0-9], ’_’, ’.’, ’-’ and ’/’ characters
Example
set internet-connection-bond My connection add-member My_Network
Description
Syntax
set internet-connection-bond <name> remove-member <remove-member>
Parameters
remove-member List of interfaces that are part of the WAN link aggregation (Bond)
Type: String
Example
set internet-connection-bond My connection remove-member My_Network
show internet-connection-bond
show internet-connection-bond
Description
Show the link aggregation (bond) between two or more interfaces. (WAN).
Syntax
show internet-connection-bond <name>
Parameters
Example
show internet-connection-bond My connection
show internet-connections-bond
Description
Show the link aggregations (bond) between two or more interfaces (WAN).
Syntax
Parameters
n/a
Example
internet mode
internet mode
set internet mode
set internet mode
Description
Configures multiple ISP internet connections behavior. Determines whether traffic will be distributed
automatically across the defined active Internet connections according to the configured load balancing
weights or use the default High Availability behavior based on priorities of each internet connection.
Syntax
set internet mode { load-balancing | high-availability }
Parameters
lb-mode The load balancing mode
Options: on, off
Example
set internet mode on
show internet mode
show internet mode
Description
Shows multiple internet connections mode (High Availability or Load Sharing.
Syntax
show internet mode
Parameters
n/a
Example
show internet mode
ip-fragments-params
ip-fragments-params
set ip-fragments-params
Configures how the appliance handles IP fragments.
Description
Syntax
set ip-fragments-params advanced-settings minsize <minsize>
Parameters
n/a
Example
set ip-fragments-params advanced-settings minsize 150
Description
Syntax
set ip-fragments-params advanced-settings config [ track <track> ] [ limit

<limit> ] [ advanced-state <advanced-state> ] [ timeout <timeout> ] [ pkt-
cap <pkt-cap> ]
Parameters
n/a
Example
set ip-fragments-params advanced-settings config track none limit 150

advanced-state forbid timeout 15 pkt-cap true
show ip-fragments-params
show ip-fragments-params
Description
Shows configuration of IP fragments handling.
Syntax
show ip-fragments-params advanced-settings
Parameters
n/a
Example
show ip-fragments-params advanced-settings
ipv6-state
ipv6-state
set ipv6-state
set ipv6-state
Description
Enable the IPv6 mode of the appliance.
Syntax
set ipv6-state
Parameters
n/a
Example
set ipv6-state
show ipv6-state
show ipv6-state
Description
Show if the IPv6 mode of the appliance is enabled or disabled.
Syntax
show ipv6-state
Parameters
n/a
Example
show ipv6-state
show ipv6-state
ip-resolving
set ip-resolving
Description
Configure IP Resolving settings.
Syntax
set ip-resolving [ mode <mode> ] [ ttl <ttl> ]
Parameters
mode Enable / Disable IP Resolving logs enrichment.
Options: on, off
ttl The time (in seconds) for which the hostname resolution will be used. Limited to a range
of 30-86400.
Example
set ip-resolving mode on ttl -3600
show ip-resolving
Description
Show IP Resolving.
Syntax
show ip-resolving
Parameters
n/a
show ipv6-state
Example
show ip-resolving
Output
Gateway-ID-5694FE55> show ip-resolving

mode: on
ttl: 1800
license
license
fetch license
fetch license
Description
Fetches a license from one of these locations:
n Local gateway - There is an option to specify the file name with the <file_name> parameter.
n User Center at Check Point
n USB device - There is an option to specify the file name with the <file_name> parameter.
Syntax
fetch license {local [file <file_name>]|usercenter|usb [file <file_name>]
Parameters
file_name Name of the file that contains the license
Return Value
Example
fetch license usb file LicenseFile.xml
Output
show license
show license
Description
Shows current license state.
Syntax
show license
Parameters
n/a
Example
show license
Output
Current license state
fetch license usercenter retry
Description
If the User Center is not available, the appliance tries to fetch the license in the background in defined
intervals (minutes).
Syntax
Parameters
n/a
Example
local-group
local-group
add local-group
add local-group
Description
Adds a new group for user objects.
Syntax
add local-group name <name> [ comments <comments> ] [ remote-access-on

<remote-access-on> ]
Parameters
comments Comments
name Local group name
remote- Indicates if the users group have remote access permissions
access-on Type: Boolean (true/false)
Example
add local-group name myObject_17 comments "This is a comment." remote-

access-on true
delete local-group
delete local-group
Deletes an existing group object for user objects.
delete local-group
delete local-group
Description
Deletes an existing group object for user objects by group object name.
Syntax
delete local-group name <name>
Parameters
Example
delete local-group name myObject_17
delete local-group
delete local-group
Description
Deletes all existing group objects for user objects.
Syntax
delete local-group all
Parameters
n/a
Example
delete local-group all
set local-group
set local-group
Configures an existing user group object.
set local-group
set local-group
Description
Syntax
set local-group name <name> [ new-name <new-name> ] [ comments <comments> ]

[ remote-access-on <remote-access-on> ]
Parameters
comments Comments
new-name Local group name
remote- Indicates if the users group have remote access permissions
access-on Type: Boolean (true/false)
Example
set local-group name myObject_17 new-name myObject_17 comments "This is a

comment." remote-access-on true
set local-group
set local-group
Description
Adds a bookmark to be shown in the SNX landing page to an existing user group object. This is relevant only
if users in this group have VPN remote access privileges.
Syntax
set local-group name <name> add bookmark label <bookmark label>
Parameters
bookmark Text for the bookmark in the SSL Network Extender portal
label
Example
set local-group name myObject_17 add bookmark label myLabel
set local-group
set local-group
Description
Removes a bookmark from being shown in the SNX landing page to an existing user group object. This is
relevant only if users in this group have VPN remote access privileges.
Syntax
set local-group name <name> remove bookmark label <bookmark label>
Parameters
bookmark Text for the bookmark in the SSL Network Extender portal
label
Example
set local-group name myObject_17 remove bookmark label myLabel
show local-group
show local-group
Description
Shows the content of a user group object.
Syntax
show local-group name <name>
Parameters
Example
show local-group name myObject_17
show local-groups
show local-groups
Description
Shows the content of all user group objects.
Syntax
show local-groups
Parameters
n/a
Example
show local-groups
set local-group users
Description
Adds a user to an existing user group object.
Syntax
set local-group users name <name> add user-name <user-name>
Parameters
user-name User's name in the local database
Example
set local-group users name myObject_17 add user-name admin
Description
Removes a user from an existing user group object.
Syntax
set local-group users name <name> remove user-name <user-name>
Parameters
user-name User's name in the local database
Example
set local-group users name myObject_17 remove user-name admin
local-user
local-user
add local-user
add local-user
Description
Adds a new locally defined user object and configure its VPN remote access permissions.
Syntax
add local-user name <name> [email <email>] [phone-number <phone-number>]{

password-hash <password-hash> | password <password> } [ comments <comments>
] [ remote-access-always-on <remote-access-always-on> ] [ is-temp-user {
true expiration-date <expiration-date> [ expiration-time <expiration-time>
] | false } ]
Parameters
comments Comments
Type: A string that contains less than 257 characters, of this set: 0-9, a-z or , .
- : () @
expiration-date Expiration date for a temporary user in format yyyy-mm-dd
expiration-time Expiration time for a temporary user in format HH:MM
is-temp-user Indicates if the user entry is temporary
name User's name in the local database
Type: A string that contains (0-9, a-z, - . @) up to 64 characters without
spaces
password User's password in the local database
password-hash User's hashed password (used for importing database)
remote-access-always- Always enable remote access permission for user
on Type: Boolean (true/false)
Example
add local-user name admin password-hash TZXPLs20bN0RA comments "This is a

comment." remote-access-always-on true is-temp-user true expiration-date
2000-01-01 expiration-time 23:20
delete local-user
delete local-user
Deletes an existing locally defined user object.
delete local-user
delete local-user
Description
Deletes an existing locally defined user object by user name.
Syntax
delete local-user name <name>
Parameters
Example
delete local-user name admin
delete local-user
delete local-user
Description
Deletes all existing locally defined user objects by user name.
Syntax
delete local-user all
Parameters
n/a
Example
delete local-user all
set local-user
set local-user
Configures an existing user object.
set local-user
set local-user
Description
Configures an existing user object.
Syntax
set local-user name <name> [ new-name <new-name> ] [ { password-hash

<password-hash> | password <password> } ] [ comments < comments> ] [
remote-access-always-on <remote-access-always-on> ] [ is-temp-user { true
expiration-date <expiration-date> [ expiration-time <expiration-time>] |
false } ]
Parameters
comments Comments
Type: A string that contains less than 257 characters, of this set: 0-9, a-z or , .
- : () @
expiration-date Expiration date for a temporary user in format yyyy-mm-dd
expiration-time Expiration time for a temporary user in format HH:MM
is-temp-user Indicates if the user entry is temporary
spaces
new-name User's name in the local database
spaces
password User's password in the local database
password-hash User's hashed password (used for importing database)
remote-access-always- Always enable remote access permission for user
on Type: Boolean (true/false)
set local-user
Example
set local-user name admin new-name admin password-hash TZXPLs20bN0RA

comments "This is a comment." remote-access-always-on true is-temp-user
true expiration-date 2000-01-01 expiration-time 23:20
set local-user
set local-user
Description
Adds a bookmark to be shown in the SNX landing page to an existing user. This is relevant only if the user
has VPN remote access privileges.
Syntax
set local-user name <name> add bookmark label <bookmark label>
Parameters
bookmark label Text for the bookmark in the SSL Network Extender portal
Example
set local-user name admin add bookmark label myLabel
set local-user
set local-user
Description
Removes a bookmark from being shown in the SNX landing page to an existing user. This is relevant only if
the user has VPN remote access privileges.
Syntax
set local-user name <name> remove bookmark label <bookmark label>
Parameters
Example
set local-user name admin remove bookmark label myLabel
show local-user
show local-user
Description
Shows the configuration of a locally defined user.
Syntax
show local-user name <name> email <email>] [phone-number <phone-number>]
Parameters
Example
show local-user name admin
Output
Gateway-TG> show local-user name CP

name: CP
remote-access-always-on: true
email: cp@gmail.com
phone-number: 972500000000
is-temp-user: false
expiration-date:
expiration-time:
remote-access-on: false
created-on:
comments:
ra-groups-counter: 0
password-hash:
$5$nfCF8gk4$uqEYANjh0atmPW5VG.jXFsTFja3s4CCfECNJFQcKT22
bookmarks:
show local-users
show local-users
Description
Shows all locally defined users.
Syntax
show local-users
Parameters
n/a
Example
show local-users
local-users expired
local-users expired
delete local-users expired
Description
Deletes all expired locally defined user objects from the database.
Syntax
Parameters
n/a
Example
show local-users expired
Description
Shows all expired locally defined users.
Syntax
Parameters
n.a
Example
show logs
show logs
Description
Shows system and kernel logs.
Syntax
show logs {system|kernel}
Parameters
n/a
Example
show logs kernel
log-servers-configuration
log-servers-configuration
set log-servers-configuration
set log-servers-configuration
Description
Configures external log servers for a locally managed device.
Syntax
set log-servers-configuration mgmt-server-ip-addr <mgmt-server-ip-addr> [

log-server-ip-addr < log-server-ip-addr> ] sic-name <sic-name>
one-time-password <one-time-password> [ external-log-server-enable <external-

log-server-enable> ]
Parameters
external-log- Determine if an external log server is active
server- enable Type: Boolean (true/false)
log-server-ip- This IP address is used if the log server is not located on the Security Management
addr Server.
Type: IP address
mgmt-server-ip- This IP address is used for establishing trusted communication between the Check
addr Point Appliance and the log server. Type: IP address
one-time- SIC one time password
password Type: A string that contains alphanumeric and special characters
sic-name Enter the SIC name of the log server object that was defined in SmartDashboard
Type: A SIC name
Example
set log-servers-configuration mgmt-server-ip-addr 192.168.1.1 log-server-

ip-addr 192.168.1.1 sic-name QWEDFRGH4 one-time-password a(&7Ba external-
log-server-enable true
show log-servers-configuration
Description
Shows external log server configuration.
Syntax
Parameters
n/a
Example
maas
maas
connect maas
Description
Connect to Management as a Service (MaaS) to manage policy, log analysis, and reporting log retention.
Syntax
connect maas auth-token <auth-token>
Parameters
auth-token Authentication token is used for connecting to MAAS
Type: base64
Example
connect maas auth-token base64
set maas
set maas
Description
Configure the settings for Management as a Service (MaaS).
Syntax
set maas mode <mode>
Parameters
mode Connection to MAAS mode
Options: enable, disable, stop-using
Example
set maas mode enable
show maas
show maas
Description
Show if connected to Management as a Service (MaaS).
Syntax
show maas
Parameters
n/a
Example
show maas
mac-filtering-list
mac-filtering-list
add mac-filtering-list
add mac-filtering-list
Description
Add a MAC address to the list of addresses allowed to access LAN/DMZ networks.
Syntax
add mac-filtering-list mac <mac>
Parameters
mac MAC address to allow
Type: MAC address
Example
add mac-filtering-list mac 00:1C:7F:21:05:BE
delete mac-filtering-list
delete mac-filtering-list
Description
Delete a MAC address from the list of addresses allowed to access LAN/DMZ networks.
Syntax
delete mac-filtering-list mac <mac>
Parameters
mac MAC address to allow
Type: MAC address
Example
delete mac-filtering-list mac 00:1C:7F:21:05:BE
show mac-filtering-list
Description
Show the MAC addresses that are allowed to access LAN/DMZ networks.
Syntax
Parameters
n/a
Example
mac-filtering-settings
mac-filtering-settings
set mac-filtering settings
Configure the settings for MAC filtering.
set mac-filtering-settings
set mac-filtering-settings
Description
Syntax
set mac-filtering-settings state <state>
Parameters
state MAC filtering state
Options: on, off
Example
set mac-filtering-settings state on
Description
Syntax
set mac-filtering-settings advanced-settings log-activation <log-

activation>
Parameters
n/a
Example
set mac-filtering-settings advanced-settings log-activation on
Description
Syntax
set mac-filtering-settings advanced-settings log-interval <log-interval>
Parameters
n/a
Example
set mac-filtering-settings advanced-settings log-interval -1000000
show mac-filtering-settings
Show the settings for MAC filtering.
Description
Show the settings for MAC filtering.
Syntax
Parameters
n/a
Example
Description
Show the advanced settings for MAC filtering.
Syntax
show mac-filtering-settings advanced-settings
Parameters
n/a
Example
show mac-filtering-settings advanced-settings
set mobile-settings
set mobile-settings
Description
Configure settings for a mobile device. In this case, for when the pairing code expires.
Syntax
set mobile-settings advanced-settings pairing-code-expiration <pairing-

code-expiration>
Parameters
n/a
Example
set mobile-settings advanced-settings pairing-code-expiration -1000000
set mobile-settings
set mobile-settings
Description
Configure settings for a mobile device.
Syntax
set mobile-settings advanced-settings not-cloud-server <not-cloud-server>
Parameters
n/a
Example
set mobile-settings advanced-settings not-cloud-server urlv6
show mobile-settings
Description
Show configured advanced settings for a mobile device.
Syntax
show mobile-settings advanced-settings
Parameters
n/a
Example
mobile-device
mobile-device
revoke mobile-device
Description
Remove mobile device from the list of associated devices.
Syntax
revoke mobile-device id <id>
Parameters
id id
Type: A number with no fractional part (Integer)
Example
revoke mobile-device id -1000000
mobile-settings
mobile-settings
These commands are relevant for mobile settings.
set mobile-settings
set mobile-settings
Description
Configure settings for a mobile device. In this case, for when the pairing code expires.
Syntax
set mobile-settings advanced-settings pairing-code-expiration <pairing-

code-expiration>
Parameters
pairing-code-expiration Number of hours until the pairing code expires.
Example
set mobile-settings advanced-settings pairing-code-expiration 1
set mobile-settings
set mobile-settings
Description
Configure settings for a mobile device.
Syntax
set mobile-settings advanced-settings not-cloud-server <not-cloud-server>
Parameters
not-cloud-server Notification server URL - URL for the cloud service that pushes the notifications.
Example
set mobile-settings advanced-settings not-cloud-server urlv6
Description
Show configured advanced settings for a mobile device.
Syntax
Parameters
n/a
Example
mobile-invitation
mobile-invitation
add mobile-invitation
Description
Invitation for a new mobile device.
Syntax
add mobile-invitation administrator name <administrator name>
Parameters
administrator name Administrator Name
Type: A string that contains [A-Z], [0-9], and ’_’ characters
Example
add mobile-invitation administrator name admin
show mobile-invitation
Description
Show which mobile devices are connected.
Syntax
show mobile-invitation id <id>
Parameters
id id
Type: A number with no fractional part (Integer)
Example
show mobile-invitation id -1000000
mobile-push-notification
mobile-push-notification
show mobile-push-notification
Description
Show mobile push notifications.
Syntax
show mobile-push-notifications
Parameters
n/a
Example
show mobile-push-notifications
monitor-mode-network
monitor-mode-network
add monitor-mode-network
add monitor-mode-network
Description
Configuring "Monitor mode" over interfaces requires a mechanism to determine which are the local
networks within the real topology. One of the options is a manual configuration of this topology using this
command.
Syntax
add monitor-mode-network ipv4-address <ipv4-address> subnet-mask <subnet-

mask>
Parameters
ipv4-address Indicates a network IP address that will be recognized as Internal
Type: IP address
subnet-mask Network subnet mask
Example
add monitor-mode-network ipv4-address 192.168.1.1 subnet-mask 255.255.255.0
delete monitor-mode-network
delete monitor-mode-network
Description
Deletes manually configured IP addresses that determine the local networks in monitor mode when not
working in automatic detection mode.
Syntax
delete monitor-mode-network ipv4-address <ipv4-address>
Parameters
Type: IP address
Example
delete monitor-mode-network ipv4-address 192.168.1.1
set monitor-mode-network
set monitor-mode-network
Description
Configures IP addresses of networks that are manually recognized as local in the non-automatic mode of
monitor mode interface inspection.
Syntax
set monitor-mode-network ipv4-address <ipv4-address> [ ipv4-address <ipv4-

address> ] [ subnet-mask <subnet-mask> ]
Parameters
Type: IP address
subnet-mask Network subnet mask
Example
set monitor-mode-network ipv4-address 192.168.1.1 ipv4-address 192.168.1.1

subnet-mask 255.255.255.0
show monitor-mode-networks
Description
Shows manually defined local networks for monitor mode configuration.
Syntax
Parameters
n/a
Example
monitor-mode-configuration
monitor-mode-configuration
set monitor-mode-configuration
set monitor-mode-configuration
Description
Configures mode of work for monitor mode interface inspection. Determines if locally managed networks will
be automatically detected or manually configured.
Syntax
set monitor-mode-configuration [ use-defined-networks <use-defined-

networks>]
Parameters
use-defined-networks Indicates if user-defined internal networks are used for Monitor mode
Example
set monitor-mode-configuration use-defined-networks true
show monitor-mode-configuration
Description
Shows monitor mode configuration for interfaces.
Syntax
Parameters
n/a
Example
message
message
set message
set message
Description
Configures a banner message for the SSH administrator login
Syntax
set message <type> { on | off } [ line ] [ msgvalue <msgvalue> ]
Parameters
msgvalue Indicates the banner messages text
Type: virtual
status Indicates if a banner message for SSH login will appear
type Indicates the type of the message (only banner supported)
Options: motd, banner, caption
Example
set message motd true line msgvalue "My Banner message"
show message
show message
Shows banner message for the ssh login.
show message
show message
Description
Shows banner message for the ssh login.
Syntax
show message <type>
Parameters
type Indicates the type of the message (only banner supported)
Options: motd, banner, caption
Example
show message motd
show memory usage
show memory usage
Description
Shows the amount of memory that is being used.
Syntax
show memory-usage
Parameters
n/a
Example
show memory-usage
Output
Success shows used memory. Failure shows an appropriate error message.
show memory usage
set misp-refresh-route
Description
Refresh multiple ISP routes.
Syntax
set misp-refresh-route mode <mode>
Parameters
mode Indicates whether acceleration will refresh routes in multiple ISP configurations.
Example
set misp-refresh-route mode true
nat
nat
set nat
set nat
Configures general NAT policy settings.
set nat
set nat
Description
Configures if local networks will be hidden by default behind the external IP addresses of the gateway.
Syntax
set nat [ hide-internal-networks <hide-internal-networks> ]
Parameters
hide-internal-networks Hide internal networks behind the Gateway's external IP address
Example
set nat hide-internal-networks true
set nat
set nat
Description
Configures advanced NAT policy settings.
Syntax
set nat advanced-settings nat-destination-client-side <nat-destination-

client-side>
Parameters
n/a
Example
set nat advanced-settings nat-destination-client-side true
set nat
set nat
Description
Syntax
set nat advanced-settings arp-proxy-merge <arp-proxy-merge>
Parameters
n/a
Example
set nat advanced-settings arp-proxy-merge true
set nat
set nat
Description
Syntax
set nat advanced-settings address-trans <address-trans>
Parameters
n/a
Example
set nat advanced-settings address-trans true
set nat
set nat
Description
Syntax
set nat advanced-settings nat-automatic-arp <nat-automatic-arp>
Parameters
n/a
Example
set nat advanced-settings nat-automatic-arp true
set nat
set nat
Description
Syntax
set nat advanced-settings nat-destination-client-side-manual
<nat-destination-client-side-manual>
Parameters
n/a
Example
set nat advanced-settings nat-destination-client-side-manual true
set nat
set nat
Description
Syntax
set nat advanced-settings nat-hash-size <nat-hash-size>
Parameters
n/a
Example
set nat advanced-settings nat-hash-size 1024
set nat
set nat
Description
Syntax
set nat advanced-settings nat-cache-num-entries <nat-cache-num-entries>
Parameters
n/a
Example
set nat advanced-settings nat-cache-num-entries 100
set nat
set nat
Description
Syntax
set nat advanced-settings nat-limit <nat-limit>
Parameters
n/a
Example
set nat advanced-settings nat-limit 100
set nat
set nat
Description
Syntax
set nat advanced-settings increase-hide-capacity <increase-hide-capacity>
Parameters
n/a
Example
set nat advanced-settings increase-hide-capacity true
set nat
set nat
Description
Syntax
set nat advanced-settings nat-cache-expiration <nat-cache-expiration>
Parameters
n/a
Example
set nat advanced-settings nat-cache-expiration 100
set nat
set nat
Description
Syntax
set nat advanced-settings perform-cluster-hide-fold <perform-cluster-hide-

fold>
Parameters
n/a
Example
set nat advanced-settings perform-cluster-hide-fold true
set nat
set nat
Description
Configures advanced IP-Pool NAT policy settings.
Syntax
set nat advanced-settings ip-pool-nat [ ip-pool-securemote <ip-pool-

securemote> ] [ ip-pool-log <ip-pool-log> ] [ ip-pool-per-interface <ip-
pool-per-interface> ] [ ip-pool-override-hide <ip-pool-override-hide> ] [
ip-pool-gw2Gw <ip-pool-gw2Gw> ] [ ip-pool-unused-return-interval <ip-pool-
unused-return-interval> ] [ log-ip-pool-allocation <log-ip-pool-allocation>
] [ ip-pool-mode <ip-pool-mode> ] [ ip-pool-alloc-per-destination <ip-pool-
alloc-per-destination> ]
Parameters
n/a
Example
set nat advanced-settings ip-pool-nat ip-pool-securemote true ip-pool-log

none ip-pool-per-interface true ip-pool-override-hide true ip-pool-gw2Gw
true ip-pool-unused-return-interval 100 log-ip-pool-allocation none ip-
pool-mode do-not-use-IP-pool-NAT ip-pool-alloc-per-destination true
show nat
show nat
Shows NAT policy.
show nat
show nat
Description
Shows NAT policy.
Syntax
show nat
Parameters
n/a
Example
show nat
show nat
show nat
Description
Shows advanced settings for NAT policy.
Syntax
show nat advanced-settings
Parameters
n/a
Example
show nat advanced-settings
nat-rule
nat-rule
add nat-rule
add nat-rule
Description
Adds a new manual NAT (translation of source/destination/service) rule to the NAT Rule Base.
Syntax
add nat-rule [ original-source <original-source> ] [ original-destination

<original-destination> ] [ original-service <original-service> ] [
translated-source <translated-source> ] [ translated-destination
<translated-destination> ] [ translated-service <translated-service> ] [
comment <comment> ] [ hide-sources <hide-sources> ] [ enable-arp-proxy
<enable-arp-proxy> ] [ { position <position> | position-above <position-
above> | position-below <position-below> } ] [ name <name> ]
Parameters
comment Comment for manual NAT rule
enable-arp- The gateway will reply to ARP requests sent to the original destination's IP address
proxy (Does not apply to IP ranges/networks) Type: Boolean (true/false)
hide-sources Hide multiple sources behind the translated source addresses
name name
original- Original destination of rule
destination
original- Original service of rule
service
original- Original source of rule
source
position- The order of the rule in comparison to other manual rules
above Type: Decimal number
below Type: Decimal number
add nat-rule
translated- Translated destination of rule
destination
translated- Translated service of rule
service
translated- Translated source of rule
source
Example
add nat-rule original-source TEXT original-destination TEXT original-

service TEXT translated-source TEXT translated-destination TEXT translated-
service TEXT comment "This is a comment." hide-sources true enable-arp-
proxy true position 2 name word
delete nat-rule
delete nat-rule
Description
Deletes a manually configured NAT rule by name.
Syntax
delete nat-rule name <name>
Parameters
name name
Example
delete nat-rule name word
set nat-rule
set nat-rule
Description
Configures an existing manual NAT rule by name.
Syntax
set nat-rule name <name> [ original-source <original-source> ] [ original-

destination <original-destination> ] [ original-service <original-service>]
[ translated-source <translated-source> ] [ translated-destination
<translated-destination> ] [ translated-service <translated-service> ] [
comment <comment>] [ hide-sources <hide-sources> ] [ enable-arp-proxy
<enable-arp-proxy> ] [ { position <position> | position-above <position-
above> | position-below <position-below> } ] [ name <name> ] [ disabled
<disabled> ]
Parameters
disabled Indicates if rule is disabled
proxy (Does not apply to IP ranges/networks)
name name
destination
service
source
set nat-rule
destination
service
source
Example
set nat-rule name word original-source TEXT original-destination TEXT

original-service TEXT translated-source TEXT translated-destination TEXT
translated-service TEXT comment "This is a comment." hide-sources true
enable-arp-proxy true position 2 name word disabled true
show nat-rule
show nat-rule
Description
Shows the name or position of a specific NAT rule. Includes auto-generated rules.
Syntax
show nat-rule name <name>
show nat-rule position <position>
Parameters
n/a
Example
show nat-rule name word
show nat-rules
show nat-rules
Description
Shows configuration of all manually and auto-generated NAT rules.
Syntax
show nat-rules
Parameters
n/a
Example
show nat-rules position 2
show nat-manual-rules
show nat-manual-rules
Description
Shows configuration of manual NAT rules by name or position.
Syntax
show nat-manual-rules name <name>
show nat-manual-rules <position>
Parameters
<name> Rule name
<position> Rule position
Example
show nat-rule name word
nat-rule position
nat-rule position
delete nat-rule position
delete nat-rule position
Description
Deletes a manually configured NAT rule by position.
Syntax
delete nat-rule position <position>
Parameters
Example
delete nat-rule position 2
set nat-rule position
Description
Configures an existing manual NAT rule by position
Syntax
set nat-rule position <position> [ original-source <original-source> ] [

original-destination <original-destination>] [ original-service <original-
service>] [ translated-source <translated-source> ] [ translated-
destination <translated-destination> ] [ translated-service <translated-
service> ] [ comment <comment> ] [ hide-sources <hide-sources> ] [ enable-
arp-proxy <enable-arp-proxy> ] [ { position <position> | position-above
<position-above> | position-below <position-below> } ] [ name <name> ] [
disabled <disabled> ]
Parameters
Type: A string that contains less than 257 characters, of this set: 0-9, a-z or , . -: () @
proxy (Does not apply to IP ranges/networks)
name name
destination
service
source
destination
service
source
Example
set nat-rule position 2 original-source TEXT original-destination TEXT

original-service TEXT translated-source TEXT translated-destination TEXT
translated-service TEXT comment "This is a comment." hide-sources true
enable-arp-proxy true position 2 name word disabled true
Configuring NetFlow
Introduction
NetFlow is an industry standard for traffic monitoring. Cisco developed this network protocol to collect
network traffic patterns and volume.
One host (the NetFlow Exporter) sends information about its network flows to a different host (the NetFlow
Collector).
A network flow is a unidirectional stream of packets that contain the same set of characteristics.
You can configure a Quantum Spark Appliance as an Exporter of NetFlow records for all the traffic that
passes through it.
The NetFlow Collector is a different external server, and you configure it separately.
NetFlow Export configuration is a list of collectors, to which the service sends records:
n To enable NetFlow, configure at minimum one NetFlow Collector.
n To disable NetFlow, remove all NetFlow Collectors from the Gaia Embedded configuration.
You can configure a maxumum of three NetFlow Collectors. Gaia Embedded sends the NetFlow records go
to all configured NetFlowCollectors. If you configure three NetFlow Collectors, Gaia Embedded sends each
NetFlow record three times.
Regardless of which NetFlow export format you configure, Gaia Embedded exports values as set of fields.
The fields
n Source IP address.
n Destination IP address.
n Source port.
n Destination port.
n Ingress physical interface index (defined by SNMP).
n Egress physical interface index (defined by SNMP).
n Packet count for this flow.
n Byte count for this flow.
n Start of flow timestamp (FIRST_SWITCHED).
n End of flow timestamp (LAST_SWITCHED).
n IP protocol number.
n TCP flags from the flow (TCP only).
Notes:
n The IP addresses and TCP/UDP ports the NetFlow reports are the ones, on
which the NetFlow expects to receive traffic.
Therefore, for NAT connections, the NetFlow reports one of the two directions of
the flow with the NATed address.
n NetFlow sends the connection records after the connections terminated.
If the connections are open for a long time, it can take time for the NetFlow to
sends the records.
Configuration Procedure for Centrally Managed
1. Configure the NetFlow Export settings in Gaia
a. Add the NetFlow Collector.
See "add netflow collector" below.
b. If needed, change the NetFlow Collector configuration.
See "set netflow collector" on page 655.
2. In ,SmartConsole configure the explicit Access Control rule
a. From the left navigation panel, click Security Policies.
b. Open the applicable policy.
c. In the top left corner, click Access Control > Policy.
d. Add an explicit rule for the traffic that you wish to export with NetFlow:
Services &
Destinatio
Source VPN Application Content Action Track
n
s
Source Destination *Any Applicable *Any Accept Log

Host or Host or service Accountin
Network Network objects g
objects objects
e. Publish the SmartConsole session.
f. Install the Access Control policy on the Quantum Spark Appliance object.
add netflow collector
Description
Adds a new NetFlow Collector object (you can configure up to three). The NetFlow records are exported to
each defined collector.
In addition, see "Configuring NetFlow" on page 651.
Syntax
add netflow collector ip <IPv4 Address of Collector> port <Destination Port

on Collector> [srcaddr <Source IPv4 Address>] export-format {Netflow_V5 |
Netflow_V9} is-enabled {true | false}
Parameters
ip <IPv4 Address of Specifies the destination IPv4 address of the NetFlow Collector, to which
Collector> Gaia Embedded sends the NetFlow packets.
Type: IP address
port <Destination Port on Specifies the destination UDP port number on the NetFlow Collector, on
Collector> which the collector listens.
Type: Port number
srcaddr <Source IPv4 Optional: Specifies the source IPv4 address of the NetFlow packets.
Address> This must be an IPv4 address of the local host.
The default is an IPv4 address of the network interface, from which Gaia
Embedded sends the NetFlow packets.
We recommend the default.
Type: IP address
export-format {Netflow_ The NetFlow protocol version to use:
V5 | Netflow_V9}
n Netflow_V5 - Protocol NetFlow v5
n Netflow_V9 - Protocol NetFlow v9 (default)
Each NetFlow protocol version has a different packet format.
is-enabled {true | false} Enables (true) and disables (false) the NetFlow Collector.
Example
add netflow collector ip 192.168.22.33 port 8080 export-format Netflow_V9

srcaddr 192.168.1.1 is-enabled true
delete netflow collector
Description
Deletes an existing NetFlow Collector.
Syntax
delete netflow collector ip [Press TAB to select the configured IPv4

Address of Collector] port [Press TAB to select the configured Destination
Port on Collector]
Parameters
ip <IPv4 Address of Collector> Selects the configured NetFlow Collector by its destination IPv4
address.
Type: IP address
port <Destination Port on Selects the configured NetFlow Collector by its destination UDP port
Collector> number.
Type: Port number
Example
delete netflow collector ip 192.168.22.33 port 8080
set netflow collector
Description
Configures an existing NetFlow Collector that you added with the "add netflow collector" on page 653
command.
Syntax
set netflow collector

for-ip [Press TAB to select the configured IPv4 Address of Collector]
for-port [Press TAB to select the configured Destination Port on
Collector]
ip <IPv4 Address of Collector> port <Destination Port on
Collector> export-format {Netflow_V5 | Netflow_V9} [srcaddr <Source IPv4
Address>] is-enabled {true | false}
Parameters
for-ip <IPv4 Address of Selects the configured NetFlow Collector by its destination IPv4 address.
Collector> Notes:
n If you configured only one NetFlow Collector, it is not
necessary to use the "for-ip" and the "for-port"
parameters.
n If you configured two or three NetFlow Collectors with
different IP addresses, use the "for-ip" parameter.
n If you configured two or three collectors with the same IPv4
address and different UDP ports, you must use the "for-
ip" and the "for-port" parameters to identify the
collectors.
Type: IP address
for-port <Destination Port Selects the configured NetFlow Collector by its destination UDP port
on Collector> number.
Type: Port number
ip <IPv4 Address of Specifies the destination IPv4 address of the NetFlow Collector, to which
Collector> Gaia Embedded sends the NetFlow packets.
Type: IP address
port <Destination Port on Specifies the destination UDP port number on the NetFlow Collector, on
Collector> which the collector listens.
Type: Port number
export-format {Netflow_ The NetFlow protocol version to use:
V5 | Netflow_V9}
n Netflow_V5 - Protocol NetFlow v5
n Netflow_V9 - Protocol NetFlow v9 (default)
Each NetFlow protocol version has a different packet format.
srcaddr <Source IPv4 Optional: Specifies the source IPv4 address of the NetFlow packets.
Address> This must be an IPv4 address of the local host.
The default is an IPv4 address of the network interface, from which Gaia
Embedded sends the NetFlow packets.
We recommend the default.
Type: IP address
is-enabled {true | false} Enables (true) and disables (false) the NetFlow Collector.
Example
set netflow collector for-ip 192.168.22.33 for-port 8080 ip 192.168.22.33

port 8080 export-format Netflow_V9 srcaddr 192.168.1.1 is-enabled true
show netflow collector
Description
Shows configuration of a specific NetFlow collector.
In addition, see:
n "show netflow collectors" below
n "Configuring NetFlow" on page 651
Syntax
show netflow collector ip [Press TAB to select the configured IPv4 Address
of Collector] port [Press TAB to select the configured Destination Port on
Collector]
Parameters
ip <IPv4 Address of Collector> Selects the configured NetFlow Collector by its destination IPv4
address.
Type: IP address
port <Destination Port on Selects the configured NetFlow Collector by its destination UDP port
Collector> number.
Type: Port number
Example
show netflow collector ip 192.168.22.33 port 8080
show netflow collectors
Description
Shows configuration of all NetFlow collectors.
In addition, see:
n "show netflow collector" above
n "Configuring NetFlow" on page 651
Syntax
Parameters
n/a
Example
network
network
add network
add network
Description
Adds a new network address range object (a network and a subnet mask).
Syntax
add network name <name> network-ipv4-address <network-ipv4-address> {

subnet-mask <subnet-mask> | mask-length <mask-length> }
Parameters
mask-length Mask length
Type: String
network-ipv4-address Network address
subnet-mask IP mask used in the related network
Example
add network name TEXT network-ipv4-address 172.16.10.0 subnet-mask

255.255.255.0
delete network
delete network
Description
Deletes an existing network address range object (a network and a subnet mask) by object name.
Syntax
delete network <name>
Parameters
Type: String
Example
delete network TEXT
set network
set network
Description
Configures an existing network with subnet.
Syntax
set network <name> [ name <name> ] [ network-ipv4-address <network-ipv4-

address> ] { [ subnet-mask <subnet-mask> ] | [ mask-length <mask-length> ]
}
Parameters
mask-length Mask length
Type: String
network-ipv4-address Network address
subnet-mask IP mask used in the related network
Example
set network TEXT name TEXT network-ipv4-address 172.16.10.0 subnet-mask

255.255.255.0
show network
show network
Description
Shows configuration of a specific IP address network object.
Syntax
show network <name>
Parameters
Type: String
Example
show network TEXT
show networks
show networks
Description
Shows configuration of all IP address network objects.
Syntax
show networks
Parameters
n/a
Example
show networks
show notifications-log
Description
Show the notification logs.
Syntax
Parameters
n/a
Example
notifications-policy
notifications-policy
These commands are relevant for notifications policy.
set notifications-policy
Description
Configure the policy for sending notifications to the user.
Syntax
set notifications-policy [ send-push-notifications <send-push-

notifications> ] [ send-detailed-push-notifications <send-detailed-push-
notifications> ]
set notifications-policy [send-cloud-notifications <send-cloud-notification>]
Parameters
send-detailed- Notification previews may contain information about your network. Turning it off
push- means that the security gateway removes this information from the push notification.
notifications Type: Boolean (true/false)
send-push- Indicates whether notifications are sent to mobile application
send-cloud- Enable sending cloud notifications.
Example
set notifications-policy send-push-notifications true send-detailed-push-

notifications true set notifications-policy send-cloud-notifications true
Description
Syntax
set notifications-policy advanced-settings limit-push-notifications <limit-

push-notifications>
Parameters
n/a
Example
set notifications-policy advanced-settings limit-push-notifications -

1000000
Description
Syntax
set notifications-policy advanced-settings send-push-notifications <send-

push-notifications>
Parameters
n/a
Example
set notifications-policy advanced-settings send-push-notifications true
show notifications-policy
Description
Show the policy for sending notifications to the user.
Syntax
Parameters
n/a
Example
Description
Show the policy for sending notifications to the user.
Syntax
show notifications-policy advanced-settings
Parameters
n/a
Example
show notifications-policy advanced settings
ntp
ntp
set ntp
set ntp
Configures NTP settings.
set ntp
set ntp
Description
Syntax
set ntp [ local-time-zone <local-time-zone> ] [ auto-adjust-daylight-saving

<auto-adjust-daylight-saving> ]
Parameters
auto-adjust-daylight- saving Auto daylight
Options: on, off
local-time-zone Region on earth that has a uniform standard time
Example
set ntp local-time-zone GMT-11:00(Midway-Island) auto-adjust-daylight-

saving on
set ntp
set ntp
Description
Enables/Disables NTP functionality.
Syntax
set ntp active <active>
Parameters
active Region on earth that has a uniform standard time
Options: on, off
Example
set ntp active on
set ntp
set ntp
Description
Syntax
set ntp interval <interval>
Parameters
interval Time interval (minutes) to update date and time settings from the NTP server
Example
set ntp interval 15
set ntp
set ntp
Description
Syntax
set ntp auth { on secret-id <secret-id> secret <secret> | off }
Parameters
auth Authentication with NTP servers flag
secret Key string for authentication with the NTP servers
secret-id Authentication key identifier
Type: A number with no fractional part. Values are between 4,503,599,627,370,495 to
4,503,599,627,370,495
Example
set ntp auth on secret-id 455397 secret a(&7Ba
show ntp
show ntp
Description
Shows NTP configuration.
Syntax
show ntp
Parameters
n/a
Example
show ntp
show ntp active
show ntp active
Description
Shows NTP activation status.
Syntax
show ntp active
Parameters
n/a
Example
show ntp active
ntp server
ntp server
set ntp server
set ntp server
Configures NTP server settings.
set ntp server
set ntp server
Description
Configures primary NTP server's IP address.
Syntax
set ntp server primary <primary>
Parameters
primary Primary NTP server
Example
set ntp server primary myHost.com
set ntp server
set ntp server
Description
Configures secondary NTP server's IP address.
Syntax
set ntp server secondary <secondary>
Parameters
secondary Secondary NTP server
Example
set ntp server secondary myHost.com
show ntp servers
show ntp servers
Description
Shows all defined NTP servers.
Syntax
show ntp servers
Parameters
n/a
Example
show ntp servers
os-settings
os-settings
set os-settings
Description
Enable net switch flow control.
Syntax
set os-settings advanced-settings enable-net-switch-flow-control enable-

net-switch-flow-control>
Parameters
n/a
Example
set os-settings advanced-settings enable-net-switch-flow-control true
set os-settings
set os-settings
Description
Disable automatic transfer of received Internet DHCP client options to internal LAN network DHCP servers.
Syntax
set os-settings advanced-settings disable-dhcp-options-transfer <disable-

dhcp-options-transfer>
Parameters
n/a
Example
set os-settings advanced-settings disable-dhcp-options-transfer true
show os-settings
show os-settings
Description
Show the advanced OS settings for disable DHCP transfer options, enable net switch flow control, and
enable automatic WiFi channel change.
Syntax
show os-settings advanced-settings
Parameters
n/a
Example
show os-settings advanced-settings
Output
Gateway-ID-7F95E7BF> show os-settings advanced-settings

disable-dhcp-options-transfer:false
enable-net-switch-flow-control:false
enable-automatic-wifi-channel-change:false
periodic backup
periodic backup
set periodic-backup
set periodic-backup
Description
Configures periodic backup to a remote FTP server.
Syntax
set periodic-backup [ mode <mode>] [ server-address <server-address> ] [

server-username <server-username> ] [ server-password <server-password> ] [
file-encryption { true [ encryption-password <encryption-password>] | false
} ] [ schedule { monthly [ day-of-month <day-of-month> ] | weekly [ day-of-
week <day-of-week> ] | daily } ] [ hour <hour> ]
Parameters
day-of-month Day of the month to backup
day-of-week Day of the week to backup
encryption-password Encryption password
file-encryption Choose whether to encrypt the backup data
hour Scheduled backup hour. The backup will be performed during this hour
mode Is periodic backup enabled
schedule Schedule the frequency of the periodic backup
server-address Backup server name or IPv4 address (FTP)
Type: backupUrl
server-password Backup server password
server-username Backup server username
set periodic-backup
Example
set periodic-backup mode true server-address backupUrl server-username

admin server-password a(&7Ba file-encryption true encryption-password a
(&7Ba schedule monthly day-of-month 2 hour 2
show periodic-backup
Description
Shows periodic backup configuration.
Syntax
Parameters
n/a
Example
set property
set property
Description
Disables or enables first time configuration (from the USB autoplay configuration or the WebUI).
Syntax
set property {USB_auto_configuration {always|once|off} | first-time-wizard

{always|once}}
Parameters
n/a
Example
n set property USB_auto_configuration off
n set property first-time-wizard off
privacy settings
privacy settings
set privacy-settings advanced-settings
Description
In Advanced Settings, select if the customer consents to sending diagnostic data to Check Point.
Syntax
set privacy-settings advanced-settings customer-consent <customer-consent>
Parameters
customer-consent Type: Boolean (true/false)
Example
set privacy-settings advanced-settings customer-consent true
show privacy-settings advanced-settings
Description
In Advanced Settings, show if the customer consents to sending diagnostic data.
Syntax
Parameters
n/a
Example
Sample Output
customer-consent: true
proxy
proxy
delete proxy
delete proxy
Description
Deletes configured proxy settings for the appliance.
Syntax
delete proxy
Parameters
n/a
Example
delete proxy
set proxy
set proxy
Configures proxy settings for connecting with Check Point update and license servers.
set proxy
set proxy
Description
Configures proxy settings for connecting with Check Point update and license servers, when the device is
located behind a proxy server.
Syntax
set proxy server <server> port <port>
Parameters
port The proxy port
Type: Port number
server The proxy Host name or IP address
Example
set proxy server myHost.com port 8080
set proxy
set proxy
Description
Enable/Disable proxy configuration for the device.
Syntax
set proxy { enable | disable }
Parameters
use-proxy A proxy server between the appliance and the Internet. This proxy server will be used
when the appliance?s internal processes must reach a Check Point server.
Example
set proxy true
show proxy
show proxy
Description
Shows proxy configuration.
Syntax
show proxy
Parameters
n/a
Example
show proxy
qos
qos
set qos
set qos
Configures QoS policy.
set qos
set qos
Description
Enables/Disables the QoS
Syntax
set qos mode <mode>
Parameters
mode Indicates if QoS blade is enabled
Example
set qos mode true
set qos
set qos
Description
Configures the default QoS policy.
Syntax
set qos default-policy [ limit-bandwidth-consuming-applications { true [

limit-upload-traffic <limit-upload-traffic>] [ upload-limit <upload-limit>
] [ limit-download-traffic <limit-download-traffic> ] [ download-limit
<download-limit> ] | false } ] [ guarantee-bandwidth-to-configured-traffic
<guarantee-bandwidth-to-configured-traffic> [ guarantee-bandwidth-
percentage <guarantee-bandwidth-percentage> ] [ guarantee-bandwidth-traffic
<guarantee-bandwidth-traffic> ] [ guarantee-bandwidth-on-services
<guarantee-bandwidth-on-services> ] ] [ ensure-low-latency-for-delay-
sensitive-services <ensure-low-latency-for-delay-sensitive-services> ]
Parameters
n/a
Example
set qos default-policy limit-bandwidth-consuming-applications true limit-

upload-traffic true upload-limit 5 limit-download-traffic true download-
limit 100 guarantee-bandwidth-to-configured-traffic on guarantee-bandwidth-
percentage 80 guarantee-bandwidth-traffic vpn guarantee-bandwidth-on-
services all ensure-low-latency-for-delay-sensitive-services on
set qos
set qos
Description
Configures advanced QoS settings.
Syntax
set qos low-latency-traffic maximum-percentage-of-bandwidth
<maximum-percentage-of-bandwidth>
Parameters
n/a
Example
set qos low-latency-traffic maximum-percentage-of-bandwidth 80
set qos
set qos
Description
Configures advanced QoS settings.
Syntax
set qos advanced-settings qos-logging <qos-logging>
Parameters
n/a
Example
set qos advanced-settings qos-logging true
show qos
show qos
Shows the policy of the QoS blade.
show qos
show qos
Description
Shows the policy of the QoS blade.
Syntax
show qos
Parameters
n/a
Example
show qos
show qos
show qos
Description
Shows advanced settings of the QoS blade.
Syntax
show qos advanced-settings
Parameters
n/a
Example
show qos advanced-settings
qos delay-sensitive-service
qos delay-sensitive-service
set qos delay-sensitive-service
Configures a default used group of services that are delay sensitive.
Description
Adds an existing service object to the default group of services that are delay sensitive.
Syntax
set qos delay-sensitive-service add service <service>
Parameters
service Service name
Example
set qos delay-sensitive-service add service TEXT
Description
Removes an existing service object from the default group of services that are delay sensitive.
Syntax
set qos delay-sensitive-service remove service <service>
Parameters
Example
set qos delay-sensitive-service remove service TEXT
show qos delay-sensitive-services
Description
Shows the group of services that are considered delay sensitive.
Syntax
Parameters
n/a
Example
qos guarantee-bandwidth-selected-services
qos guarantee-bandwidth-selected-
services
set qos guarantee-bandwidth-selected-services
Configures a default used group of services that will be guaranteed bandwidth according to QoS default
policy.
Description
Adds an existing service object to the default used group of services that will be guaranteed bandwidth
according to QoS default policy.
Syntax
set qos guarantee-bandwidth-selected-services add service <service>
Parameters
Example
set qos guarantee-bandwidth-selected-services add service TEXT
Description
Removes an existing service object from the default used group of services that will be guaranteed
bandwidth according to QoS default policy.
Syntax
set qos guarantee-bandwidth-selected-services remove service <service>
Parameters
Example
set qos guarantee-bandwidth-selected-services remove service TEXT
show qos guarantee-bandwidth-selected-services
show qos guarantee-bandwidth-selected-
services
Description
Shows the group of services that can be guaranteed bandwidth in the QoS default policy.
Syntax
Parameters
n/a
Example
qos-rule
qos-rule
add qos-rule
add qos-rule
Description
Adds a new bandwidth/latency control rule to the QoS Rule Base.
Syntax
add qos-rule [ source <source> ] [ destination <destination> ] [ service

<service> ] [ { [ low-latency-rule { normal [ limit-bandwidth <limit-
bandwidth> [ limit-percentage <limit-percentage> ] ] [ guarantee-bandwidth
<guarantee-bandwidth> [ guarantee-percentage <guarantee-percentage> ] ] |
low } ] | [ limit-bandwidth <limit-bandwidth> [ limit-percentage <limit-
percentage> ] ] [ guarantee-bandwidth <guarantee-bandwidth> [ guarantee-
percentage <guarantee-percentage> ] ] } ] [ weight <weight> ] [ log <log> ]
[ comment <comment> ] [ vpn <vpn> ] [ hours-range-enabled { true hours-
range-from <hours-range-from> hours-range-to <hours-range-to> | false } ] [
diffserv-mark { true diffserv-mark-val <diffserv-mark-val> | false } ] [
name <name> ] [ { position <position> | position-above <position-above> |
position-below <position-below> } ]
Parameters
diffserv-mark DiffServ Mark is a way to mark connections so a third party will handle it. To use this
option, your ISP or private WAN must support DiffServ
diffserv-mark- To mark packets that will be given priority on the public network according to their
val DSCP, select DiffServ Mark (1-63) and select a value. You can get the DSCP value
from your ISP or private WAN administrator
guarantee- If true, traffic guarantee is defined
bandwidth Type: Boolean (true/false)
guarantee- Traffic guarantee percentage
percentage Type: A number with no fractional part (integer)
add qos-rule
to Type: A time format hh:mm
limit- If true, traffic limit is defined
limit- Traffic limit percentage
log Defines which logging method to use: None - do not log, Log - Create log
Options: none, log
low-latency- The latency of the rule (low or normal)
rule Type: Press TAB to see available options
name name
weight Traffic weight, relative to the weights defined for other rules
Example
add qos-rule source TEXT destination TEXT service TEXT low-latency-rule

normal limit-bandwidth true limit-percentage 15 guarantee-bandwidth true
guarantee-percentage 30 weight 30 log none comment "This is a comment." vpn
true hours-range-enabled true hours-range-from 23:20 hours-range-to 23:20
diffserv-mark true diffserv-mark-val 5 name word position 2
delete qos-rule
delete qos-rule
Deletes an existing bandwidth/latency control rule in the QoS Rule Base.
delete qos-rule
delete qos-rule
Description
Deletes an existing bandwidth/latency control rule in the QoS Rule Base by idx.
Syntax
delete qos-rule idx <idx>
Parameters
idx The order of the rule in comparison to other manual rules
Example
delete qos-rule idx 3.141
delete qos-rule
delete qos-rule
Description
Deletes an existing bandwidth/latency control rule in the QoS Rule Base by name.
Syntax
delete qos-rule name <name>
Parameters
name name
Example
delete qos-rule name word
set qos-rule
set qos-rule
Configures an existing bandwidth/latency control rule within the QoS blade policy.
set qos-rule
set qos-rule
Description
Configures an existing bandwidth/latency control rule within the QoS blade policy by idx.
Syntax
set qos-rule idx <idx> [ source <source> ] [ destination <destination> ] [

service <service> ] [ { [ low-latency-rule { normal [ limit-bandwidth
<limit-bandwidth> [ limit-percentage <limit-percentage> ] ] [ guarantee-
bandwidth <guarantee-bandwidth> [ guarantee-percentage <guarantee-
percentage> ] ] | low } ] | [ limit-bandwidth <limit-bandwidth> [ limit-
percentage <limit-percentage> ] ] [ guarantee-bandwidth <guarantee-
bandwidth>[ guarantee-percentage <guarantee-percentage> ] ] } ] [ weight
<weight> ] [ log <log> ] [ comment <comment> ] [ vpn <vpn> ] [ hours-range-
enabled { true hours-range-from <hours-range-from> hours-range-to <hours-
range-to> | false } ] [ diffserv-mark { true diffserv-mark-val <diffserv-
mark-val> | false } ] [ name <name> ] [ { position <position> | position-
above <position-above> | position-below <position-below> } ] [ disabled
<disabled> ]
Parameters
set qos-rule
Options: none, log
name name
Example
set qos-rule idx 3.141 source TEXT destination TEXT service TEXT low-
latency-rule normal limit-bandwidth true limit-percentage 80 guarantee-
bandwidth true guarantee-percentage 80 weight 15 log none comment "This is
a comment." vpn true hours-range-enabled true hours-range-from 23:20 hours-
range-to 23:20 diffserv-mark true diffserv-mark-val 5 name word position 2
disabled true
set qos-rule
set qos-rule
Description
Configures an existing bandwidth/latency control rule within the QoS blade policy by name.
Syntax
set qos-rule name <name> [ source <source> ] [ destination <destination> ]

[ service <service> ] [ { [ low-latency-rule { normal [ limit-bandwidth
<limit-bandwidth> [ limit-percentage <limit-percentage> ] ] [ guarantee-
bandwidth <guarantee-bandwidth> [ guarantee-percentage <guarantee-
percentage> ] ] | low } ] | [ limit-bandwidth <limit-bandwidth> [ limit-
percentage <limit-percentage> ] ] [ guarantee-bandwidth <guarantee-
bandwidth> [ guarantee-percentage <guarantee-percentage> ] ] } ] [ weight
<weight> ] [ log <log> ] [ comment <comment> ] [ vpn <vpn> ] [ hours-range-
enabled { true hours-range-from <hours-range-from> hours-range-to <hours-
range-to> | false } ] [ diffserv-mark { true diffserv-mark-val <diffserv-
mark-val> | false } ] [ name <name> ] [ { position <position>| position-
above <position-above> | position-below <position-below>} ] [ disabled
<disabled> ]
Parameters
set qos-rule
Options: none, log
name name
Example
set qos-rule name word source TEXT destination TEXT service TEXT low-
latency-rule normal limit-bandwidth true limit-percentage 80 guarantee-
bandwidth true guarantee-percentage 80 weight 15 log none comment "This is
a comment." vpn true hours-range-enabled true hours-range-from 23:20 hours-
range-to 23:20 diffserv-mark true diffserv-mark-val 5 name word position 2
disabled true
show qos-rule
show qos-rule
Shows configuration of QoS (bandwidth/latency control) rules.
show qos-rule
show qos-rule
Description
Shows configuration of a QoS rule by ID.
Syntax
show qos-rule idx <idx>
Parameters
Example
show qos-rule idx 3.141 position 2
show qos-rule
show qos-rule
Description
Shows configuration of a QoS rule by name.
Syntax
show qos-rule name <name>
Parameters
name name
Example
show qos-rule name word position 2
show qos-rules
show qos-rules
Description
Shows configuration of a QoS rule by position.
Syntax
show qos-rules position <position>
Parameters
position The order of the generated rules in the QoS Rule Base
Example
show qos-rules position 2
radius-server
radius-server
delete radius-server
delete radius-server
Description
Deletes an existing configured RADIUS server.
Syntax
delete radius-server priority <priority>
Parameters
priority Priority of the choose tab, can be primary or secondary
Example
delete radius-server priority 1
set radius-server
set radius-server
Description
Configures RADIUS servers.
Syntax
set radius-server priority <priority> [ ipv4-address <ipv4-address> ] [

udp-port <udp-port> ] [ shared-secret <shared-secret> ] [ timeout
<timeout>]
Parameters
ipv4-address The IP address of the RADIUS server
Type: IP address
shared-secret Pre-shared secret between the RADIUS server and the Appliance
timeout A timeout value in seconds for communication with the RADIUS server
udp-port The port number through which the RADIUS server communicates with clients. The
default is 1812
Example
set radius-server priority 2 ipv4-address 192.168.1.1 udp-port 1812 shared-

secret a(&7Ba timeout 15
show radius-server
show radius-server
Description
Shows the configuration of a RADIUS server.
Syntax
show radius-server priority <priority>
Parameters
Example
show radius-server priority 1
show radius-servers
show radius-servers
Description
Shows the configuration of all RADIUS servers.
Syntax
show radius-servers
Parameters
n/a
Example
show radius-servers
reach-my-device
reach-my-device
set reach-my-device
set reach-my-device
Configures the "Reach my device" service, which enables connecting to the device's management portal
even when the device is behind NAT.
set reach-my-device
set reach-my-device
Description
Configures the "Reach my device" service, which enables connecting to the device's management portal
even when the device is behind NAT.
Syntax
set reach-my-device [ mode <mode> ] [ host-name <host-name> ] [ existing-

host-name { true validation-token <validation-token> | false } ]
Parameters
existing-host-name Register with an existing host name
host-name Gateway Host name (DNS Prefix)
mode Reach my device mode (on/off)
validation-token Gateway validation token
Example
set reach-my-device mode true host-name word existing-host-name true

validation-token word
set reach-my-device
set reach-my-device
Description
Configures advanced settings of the "Reach my device" service, which enables connecting to the device's
management portal even when the device is behind NAT.
Syntax
set reach-my-device advanced-settings ignore-ssl-cert <ignore-ssl-cert>
Parameters
n/a
Example
set reach-my-device advanced-settings ignore-ssl-cert true
set reach-my-device
set reach-my-device
Description
Configures advanced settings of the "Reach my device" service, which enables connecting to the device's
management portal even when the device is behind NAT.
Syntax
set reach-my-device advanced-settings reach-my-device-server-addr
<reach-my-device-server-addr>
Parameters
n/a
Example
set reach-my-device advanced-settings reach-my-device-server-addr

http://www.checkpoint.com/
show reach-my-device
Shows the configuration of "Reach My Device" cloud service.
Description
Shows the configuration of "Reach My Device" cloud service.
Syntax
Parameters
n/a
Example
Description
Shows advanced settings of "Reach My Device" cloud service.
Syntax
show reach-my-device advanced-settings
Parameters
n/a
Example
show reach-my-device advanced-settings
reboot
reboot
Description
Reboots the system.
Syntax
reboot
Parameters
n/a
Example
reboot
set remote-access users
set remote-access users
Description
Configures VPN remote access privileges to users defined in configured RADIUS servers.
Syntax
set remote-access users radius-auth { true [ use-radius-groups { true

radius-groups <radius-groups> | false } ] | false }
Parameters
radius-auth Remote users RADIUS authentication
radius-groups RADIUS groups for authentication. Example: RADIUS-group1, RADIUS-class2
Type: A string that contains [A-Z], [0-9], '-', '@', '.', '_', ',' and space characters
use-radius-groups Use RADIUS groups for authentication
Example
set remote-access users radius-auth true use-radius-groups true radius-

groups My group
show remote-access users radius-auth
show remote-access users radius-
auth
Description
Shows RADIUS-based users VPN remote access configuration.
Syntax
Parameters
n/a
Example
set rest-api
Description
Enable or disable REST API.
Syntax
set rest-api mode <mode>
Parameters
mode Indicates if REST API is enabled or not.
Example
set rest-api mode true
show rest-api
Description
Show enabled REST API.
Syntax
show rest-api
Parameters
n/a
Example
show rest-api
Output
Gateway-ID-7F95E42D> show rest-api

mode: on
Gateway-ID-7F95E42D> show stateful-inspection advanced-settings
tcp-end-timeout: 20
other-timeout: 60
icmp-reply: true
dpi-lan-dmz: true
tcp-timeout: 3600
udp-timeout: 40
other-reply: true
fw-allow-out-of-state-tcp: 0
fw-log-out-of-state-tcp: 0
udp-reply: true
traceroute-max-ttl: 29
allow-ipv6: false
icmp-errors: true
fw-drop-out-of-state-icmp: true
icmp-timeout: 30
dpi-lan-lan: false
tcp-start-timeout: 25
fw-log-out-of-state-icmp: 0
Gateway-ID-7F95E42D> show iot-stats
mode: off
generate report cloud-report
Description
Generate a cloud report.
Syntax
generate report type <type> {monthly, daily, weekly, hourly}
Parameters
type The report type
Options:
n monthly
n daily
n weekly
n hourly
Example
generate report type hourly
restore settings
restore settings
Description
Restores the appliance settings from a backup file. The backup file can be located on a USB device or on a
TFTP server.
Syntax
restore settings from {usb|tftp server <serverIP>} filename <file_name>
Parameters
file_name Name of the backup file.
serverIP IPv4 address of the TFTP server.
Example
restore settings from tftp server 1.1.1.1 filename sg80
Comments
The appliance automatically reboots after the settings are restored.
show restore settings log
show restore settings log
Description
Shows the log file of previous restore settings to default operations. You can display these restore settings
log files:
n restore-settings-log- Log file for restoring saved settings.
n restore-default-settings-log - Log file for restoring the default settings.
Syntax
show {restore-settings-log|restore-default-settings-log}
Parameters
n/a
Example
show restore-settings-log
Output
Success shows the restore settings log file. Failure shows an appropriate error message.
show revert log
show revert log
Description
Shows the log file of previous revert operations.
Syntax
show revert-log
Parameters
n/a
Example
show revert-log
Output
Success shows the revert log file. Failure shows an appropriate error message.
revert to factory defaults
revert to factory defaults
Description
Revert the appliance to the original factory defaults. This command deletes all data and software images
from the appliance.
Syntax
revert to factory-defaults
Parameters
n/a
Example
revert to factory-defaults
Output
Success shows a warning message. Enter yesto continue.
Failure shows an appropriate error message.
revert to saved image
revert to saved image
Description
Reverts the appliance to the previous software image.
Syntax
revert to previous-image
Parameters
n/a
Example
revert to previous-image
Output
report-settings
report-settings
set report-settings
set report-settings
Configure local reports settings.
set report-settings
set report-settings
Description
Configure advanced local reports settings.
Syntax
set report-settings advanced-settings centrally-max-period
<centrally-max-period>
Parameters
n/a
Example
set report-settings advanced-settings centrally-max-period report-period-

hour
set report-settings
set report-settings
Description
Configure advanced local reports settings.
Syntax
set report-settings advanced-settings locally-max-period
<locally-max-period>
Parameters
n/a
Example
set report-settings advanced-settings locally-max-period report-period-hour
show report-settings
show report-settings
Description
Shows report scheduling and creation configuration.
Syntax
show report-settings advanced-settings
Parameters
n/a
Example
show report-settings advanced-settings
show rule hits
show rule hits
Description
Shows the top firewall policy rule hits.
Syntax
show rule-hits [top <rule>]
Parameters
rule Number of rules in the security policy that are displayed.
Minimum value i
1
.
Return Value
0
on success,
1
on failure
Example
show rule-hits top 3
Output
Success shows number of hits per rule. Failure shows an appropriate error message.
show saved image
show saved image
Description
Shows information about the saved backup image.
Syntax
show saved-image
Parameters
n/a
Example
show saved-image
Output
Success shows information about the image. Failure shows an appropriate error message.
update security-blades
Description
Manually update Software Blades.
Syntax
update security-blades [ all ]
Parameters
n/a
Example
update security-blades all
updatable-object
add updatable-object
Description
Add an object to the list of updatable objects.
Syntax
add updatable-object name <name>
Parameters
name The name of the updatable object.
Type: String
Example
add updatable-object name Country
delete updatable-object
delete updatable-object
Description
Delete an object from the list of updatable objects.
Syntax
delete updatable-object name <name>
Parameters
Type: String
Example
delete updatable-object name Country
show updatable-object
Show the list of updatable objects.
Description
Show details of the updatable object by UI.
Syntax
show updatable-object uid <uid>
Parameters
uid The code name of the updatable object, as used in the Management Server.
Type: A string of alphanumeric characters without space between them.
Example
show updatable-object uid word
Output
uid: CP_GEO_IL
name: Israel
parent-uid: CP_GEO_ASIA
is-imported: true
Description
Show details of the updatable object by name.
Syntax
show updatable-object name <name>
Parameters
Type: String.
Example
show updatable-object name Country
Output
uid: CP_GEO_IL
name: Israel
is-imported: true
show updatable-objects
Description
Shows the list of all available updatable objects.
Syntax
Parameters
n/a
Example
Output
name: Africa
uuid: d00802e8-0570-4851-8900-0a7c2ca80a9a
is-imported: false
uid: CP_GEO_AFRICA
parent-uid:
name: Burkina Faso
uuid: 91dac46d-1d35-4f8c-b4a4-ac588325c9b7
is-imported: false
uid: CP_GEO_BF
parent-uid: CP_GEO_AFRICA
name: Burundi
uuid: e80e48ad-022b-4fec-88df-91164346513e
is-imported: false
uid: CP_GEO_BI
show updatable-objects-imported
Description
Shows a list of all the imported updatable objects.
Syntax
show updateable-objects-imported
Parameters
n/a
Example
Output
name: Benin
uuid: 96d9b816-3216-45c8-9446-c73380244bbd
is-imported: true
uid: CP_GEO_BJ
name: Chad
uuid: 11be095e-9343-47dc-aaed-2e2cb4ad2862
is-imported: true
uid: CP_GEO_TD
name: Japan
uuid: 3f615c4d-3d99-4b08-b4e1-cf6b3b2e73e1
is-imported: true
uid: CP_GEO_JP
security-management
security-management
connect security-management
connect security-management
Description
Configure first connection to the Security Management Server.
Syntax
connect security-management mgmt-addr <mgmt-addr> use-one-time-password

<use-one-time-password> local-override-mgmt-addr { true send-logs-to {
local-override-log-server-addr addr <addr> | local-override-mgmt-addr } |
false }
Parameters
addr The logs are sent to this address
local- Indicates if the management address used in the next manual fetch command will be
override- saved and continuously used instead of the address downloaded in the policy
mgmt-addr Type: Boolean (true/false)
mgmt-addr The IP address or hostname of the Security Management Server
send-logs-to Indicates from where the address of the log server is taken
use-one- Indicates whether to connect to the Security Management Server using a one time
time- password
password Type: Boolean (true/false)
Example
connect security-management mgmt-addr myHost.com use-one-time-password true

local-override-mgmt-addr true send-logs-to local-override-log-server-addr
addr myHost.com
set security-management
Configures settings to connect to a remote Security Management Server and log server.
Description
Configures a local override to the IP addresses of the Security Management Server and log server. This is
relevant when centrally managed.
Syntax
set security-management local-override-mgmt-addr { true mgmt-address <mgmt-

address> send-logs-to { local-override-log-server-addr addr <addr> | local-
override-mgmt-addr } | false }
Parameters
addr The logs are sent to this address
local- Indicates if the management address used in the next manual fetch command will be
override- saved and continuously used instead of the address downloaded in the policy
mgmt- addr Type: Boolean (true/false)
mgmt- IP address or hostname of the Security Management Server
address Type: An IP address or host name
send-logs-to Indicates from where the address of the log server is taken
Example
set security-management local-override-mgmt-addr true mgmt-address

myHost.com send-logs-to local-override-log-server-addr addr myHost.com
Description
Configures if the device is managed centrally or locally. In centrally managed appliances only the
networking configurations are available and the security policy comes from the remote Security
Management Server.
Syntax
set security-management mode <mode>
Parameters
mode Indicates whether the appliance is managed locally or centrally using a Check Point
Security Management Server.
Options: locally-managed, centrally-managed
Example
set security-management mode locally-managed
show security-management
Description
Shows settings of the Security Management Server.
Syntax
Parameters
n/a
Example
serial-port
serial-port
set serial-port
set serial-port
Configures the physical serial port settings.
set serial-port
set serial-port
Description
Configures the physical serial port data flow settings.
Syntax
set serial-port [ port-speed <port-speed> ] [ flow-control <flow-control> ]

[ disabled <disabled> ] [ mode <mode> ]
Parameters
disabled Indicates if the serial port is disabled
flow-control Indicates the method of data flow control to and from the serial port
mode Indicates if the serial port is used to connect to the appliance's console, a remote telnet
server or allow a remote telnet connection to the device connected to the serial port.
port-speed Indicates the port speed (Baud Rate) of the serial connection
Example
set serial-port port-speed 9600 flow-control rts-cts disabled on mode

console
set serial-port
set serial-port
Description
Configures the physical serial port as a relay to which incoming TELNET traffic on a configured port will be
redirected.
Syntax
set serial-port passive-mode [ tcp-port <tcp-port> ] [ allow-implicitly

<allow-implicitly>]
Parameters
n/a
Example
set serial-port passive-mode tcp-port 8080 allow-implicitly true
set serial-port
set serial-port
Description
Configures the physical serial port as a relay to outgoing connection to a remote TELNET server.
Syntax
set serial-port active-mode [ tcp-port <tcp-port> ] [ primary-server-

address
<primary-server-address> ] [ secondary-server-address <secondary-server-address>
]
Parameters
n/a
Example
set serial-port active-mode tcp-port 8080 primary-server-address myHost.com

secondary-server-address myHost.com
set serial-port-nine-pin
Description
Configure the settings for the 9 PIN serial port.
Syntax
set serial-port-nine-pin [ port-speed <port-speed> ] [ flow-control <flow-

control> ] [ disabled <disabled> ] [ mode <mode> ]
Parameters
disabled Indicates if the 9-PIN serial port is disabled
flow-control Indicates the method of data flow control to and from the 9 PIN serial port
mode Indicates if the 9 PIN serial port can be used by a remote telnet server or allow a remote
telnet connection to the device connected to the serial port.
port-speed Indicates the 9 PIN port speed (Baud Rate) of the serial connection
Example
set serial-port-nine-pin port-speed 9600 flow-control rts-cts disabled on

mode active
Description
Syntax
set serial-port-nine-pin passive-mode [ tcp-port <tcp-port> ] [ allow-

implicitly <allow-implicitly> ]
Parameters
n/a
Example
set serial-port-nine-pin passive-mode tcp-port 8080 allow-implicitly true
Description
Syntax
set serial-port-nine-pin active-mode [ tcp-port <tcp-port> ] [primary-

server-address <primary-server-address> ] [ secondary-server-address
<secondary-server-address> ]
Parameters
n/a
Example
set serial-port-nine-pin active-mode tcp-port 8080 primary-server-address

myHost.com secondary-server-address myHost.com
show serial-port
show serial-port
Description
Shows configuration for the serial port.
Syntax
show serial-port
Parameters
n/a
Example
show serial-port
show serial-port-nine-pin
Description
Show the settings for the 9 PIN serial port.
Syntax
Parameters
n/a
Example
server
server
add server
add server
Description
Adds a new server object. Server object are a way to define a network host object with its access and NAT
configuration, instead of creating manual rules for it.
Syntax
add server name <name> ipv4-address <ipv4-address> [ dhcp-exclude-ip-addr {

on [ dhcp-reserve-ip-addr-to-mac { on mac-addr <mac-addr> | off } ] | off }
] [ comments <comments> ] [ dns-resolving <dns-resolving> ] type { web-
server | ftp-server | citrix-server | pptp-server | mail-server | dns-
server | custom-server [ tcpProtocol <tcpProtocol> [ tcp-ports <tcp-ports>
] udpProtocol <udpProtocol> [ udp-ports <udp-ports> ] ] }
Parameters
comments Comments
dhcp-exclude- Indicates if the internal DHCP service will not distribute the configured IP address of
ip-addr this server/network object to anyone
dhcp-reserve-ip- Indicates if the internal DHCP service will distribute the configured IP address only to
addr-to-mac this server/network object according to its MAC address
internal DNS service
mac-addr MAC address of the server
Type: MAC address
name Server object name
Type: A string that begins with a letter and contain up to 32 alphanumeric (0-9, a-z, _
- .) characters without spaces
tcp-ports TCP ports for server of type 'other'
Type: Port range
tcpProtocol tcpProtocol
add server
udp-ports UDP ports for server of type 'other'
Type: Port range
udpProtocol udpProtocol
Example
add server name myObject_17 ipv4-address 192.168.1.1 dhcp-exclude-ip-addr

on dhcp-reserve-ip-addr-to-mac on mac-addr 00:1C:7F:21:05:BE comments "This
is a comment." dns-resolving true type web-server
delete server
delete server
Description
Deletes an existing server object.
Syntax
delete server <name>
Parameters
Example
delete server myObject_17
show server
show server
Description
Shows configuration of an existing server object.
Syntax
show server <name>
Parameters
Example
show server myObject_17
show servers
show servers
Description
Shows the configuration of all server objects.
Syntax
show servers
Parameters
n/a
Example
show servers
service-details
service-details
set device-details
set device-details
~~
Description
Configures the device's details.
Syntax
set device-details [ hostname <hostname> ] [ country <country> ]
Parameters
country The country where you are located. The country configured for the WLAN
Options: country
hostname The appliance name used to identify the gateway.
Type: A string that contains [A-Z], [0-9] and '-' characters
Example
set device-details hostname My-appliance country albania
show device-details
show device-details
Description
Shows configuration of basic device details.
Syntax
show device-details
Parameters
n/a
Example
show device-details
service-group
service-group
add service-group
add service-group
Description
Adds a new group for service objects.
Syntax
add service-group name <name> [ comments <comments> ] [ member <member> ]
Parameters
comments Comments and explanation about the Service Group
member An association field for the contained services
name Service Group name
Example
add service-group name myObject_17 comments "This is a comment." member

TEXT
delete service-group
delete service-group
Description
Deletes an existing group object for service objects by object name.
Syntax
delete service-group <name>
Parameters
Example
delete service-group myObject_17
set service-group
set service-group
Configures an existing service objects group.
set service-group
set service-group
Description
Configures an existing service objects group.
Syntax
set service-group <name> [ new-name <new-name> ] [ comments <comments> ]
Parameters
comments Comments and explanation about the Service Group
new-name Service Group name
Example
set service-group myObject_17 new-name myObject_17 comments "This is a

comment."
set service-group
set service-group
Description
Removes all service objects from an existing service objects group.
Syntax
set service-group <name> remove-all members
Parameters
Example
set service-group myObject_17 remove-all members
set service-group
set service-group
Description
Adds an existing service object to an existing service objects group.
Syntax
set service-group <name> add member <member>
Parameters
member Service name
Example
set service-group myObject_17 add member TEXT
set service-group
set service-group
Description
Removes an existing service object from an existing service objects group.
Syntax
set service-group <name> remove member <member>
Parameters
member Service name
Example
set service-group myObject_17 remove member TEXT
show service-group
show service-group
Description
Shows the content of a service object group.
Syntax
show service-group <name>
Parameters
Example
show service-group myObject_17
show service-groups
show service-groups
Description
Shows the content of all service object groups.
Syntax
show service-groups
Parameters
n/a
Example
show service-groups
service-icmp
service-icmp
add service-icmp
add service-icmp
Description
Adds a new ICMP-type service object.
Syntax
add service-icmp name <name> icmp-code <icmp-code> icmp-type <icmp-type> [

comments <comments>]
Parameters
comments Comments and explanation about the service
icmp-code ICMP code
icmp-type ICMP message type
name Service name
Type: String
Example
add service-icmp name TEXT icmp-code 2 icmp-type 5 comments "This is a

comment."
delete service-icmp
delete service-icmp
Description
Deletes an existing ICMP-type service object by name.
Syntax
delete service-icmp <name>
Parameters
name Service name
Type: String
Example
delete service-icmp TEXT
set service-icmp
set service-icmp
Description
Configures an existing ICMP-type service object.
Syntax
set service-icmp <name>[ name <name> ] [ icmp-code <icmp-code> ] [ icmp-

type <icmp-type> ] [ comments <comments> ]
Parameters
icmp-code ICMP code
icmp-type ICMP message type
name Service name
Type: String
Example
set service-icmp TEXT name TEXT icmp-code 2 icmp-type 5 comments "This is a

comment."
show service-icmp
show service-icmp
Description
Shows the configuration of a specific ICMP-type service object.
Syntax
show service-icmp <name>
Parameters
name Service name
Type: String
Example
show service-icmp TEXT
add service-protocol
add service-protocol
Description
Adds a new non-TCP/UDP service object (a different IP protocol than 6 or 17).
Syntax
add service-protocol name <name> ip-protocol <ip-protocol> [ comments

<comments>]
Parameters
ip-protocol IP Protocol number
name Service name
Type: String
Example
add service-protocol name TEXT ip-protocol 50 comments "This is a comment."
service-protocol
service-protocol
delete service-protocol
delete service-protocol
Description
Deletes a non-TCP/UDP service object by name.
Syntax
delete service-protocol <name>
Parameters
name Service name
Type: String
Example
delete service-protocol TEXT
set service-protocol
Description
Configures an existing non-TCP/UDP service object.
Syntax
set service-protocol <name> [ name <name>] [ ip-protocol <ip-protocol> ] [

comments <comments> ] [ session-timeout <session-timeout> ] [ accept-
replies
<accept-replies> ] [ sync-connections-on-cluster <sync-connections-on-cluster>
] [ match <match> ] [ aggressive-aging-enable <aggressive-aging-enable> ] [
aggressive-aging-timeout <aggressive-aging-timeout> ]
Parameters
accept-replies Specifies if service replies are to be accepted
aggressive- Enable to manage the connections table capacity and memory consumption of the
aging- enable firewall to increase durability and stability
aggressive- Time (in seconds) before the aggressive aging times out
aging-timeout
ip-protocol IP Protocol number
match INSPECT expression that searches for a pattern in a packet, only relevant for services
of type 'other'
name Service name
Type: String
session- Time (in seconds) before the session times out
timeout
sync- Enables state-synchronized High Availability or Load Sharingon a ClusterXL or
connections- OPSEC-certified cluster. Of the services allowed by the Rule Base, only those with
on- cluster synchronize connections on cluster will be synchronized as they pass through the
cluster
Example
set service-protocol TEXT name TEXT ip-protocol 50 comments "This is a

comment." session-timeout 15 accept-replies true sync-connections-on-
cluster true match TEXT aggressive-aging-enable true aggressive-aging-
timeout 15
show service-protocol
show service-protocol
Description
Shows the configuration of a specific non-TCP/UDP service object.
Syntax
show service-protocol <name>
Parameters
name Service name
Type: String
Example
show service-protocol TEXT
show services-protocol
Description
Shows the configuration of all non-TCP/UDP service objects.
Syntax
Parameters
n/a
Example
set server server-access
Description
Configures an existing server object. A server object is a network object with predefined access and NAT
configurations.
Syntax
set server server-access <name> [ access-zones { blocked [ trusted-zone-lan

<trusted-zone-lan> ] [ trusted-zone-vpn-users <trusted-zone-vpn-users> ] [
trusted-zone-trusted-wireless-networks <trusted-zone-trusted-wireless-
networks> ] [ trusted-zone-dmz <trusted-zone-dmz> ] [ trusted-zone-vpn-
sites <trusted-zone-vpn-sites> ] | allowed } ] [ allow-ping-to-server
<allow-ping-to-server> ] [ log-blocked-connections <log-blocked-
connections> ] [ log-accepted-connections <log-accepted-connections> ]
Parameters
access-zones Zones the server is accessible from by default (accept all by default, accept only from
configured zones, or define no server-specific default access policy). Manual policy
rules will override this policy.
allow-ping-to- Indicates if default access policy will work on ICMP traffic as well as defined ports.
server This option will not work on multiple ports hidden behind the gateway.
log-accepted- Indicates if connections that are accepted by the default access policy to the server
connections are logged
Options: none, log
log-blocked- Indicates if connections that are blocked by the default access policy to the server are
connections logged
Options: none, log
Type: A string that begins with a letter and contain up to 32 alphanumeric (0-9, a-z, _ -
.) characters without spaces
trusted-zone- Indicates if traffic from the DMZ network to the server is allowed or blocked by default
dmz Options: blocked, allowed
trusted-zone- Indicates if traffic from Physical internal networks (LAN ports) to the server is allowed
lan or blocked by default
Options: blocked, allowed
trusted-zone- Indicates if traffic from trusted wireless networks to the server is allowed or blocked by
trusted- default
wireless- Options: blocked, allowed
networks
trusted-zone- Indicates if encrypted traffic from remote VPN sites to the server is allowed or blocked
vpn-sites by default
trusted-zone- Indicates if encrypted traffic from VPN remote access users to the server is allowed or
vpn- users blocked by default
Example
set server server-access myObject_17 access-zones blocked trusted-zone-lan

blocked trusted-zone-vpn-users blocked trusted-zone-trusted-wireless-
networks blocked trusted-zone-dmz blocked trusted-zone-vpn-sites blocked
allow-ping-to-server true log-blocked-connections none log-accepted-
connections none
set server server-nat-settings
Description
Configures NAT settings on an existing server object.
Syntax
set server server-nat-settings <name> [ nat-settings { static-nat [ static-

nat-ipv4-address <static-nat-ipv4-address> ] [ static-nat-for-outgoing-
traffic <static-nat-for-outgoing-traffic> ] | port-forwarding } ] [ port-
address-translation <port-address-translation> ] [ port-address-
translation-external <port-address-translation-external-port> ] [ force-
source-hide-nat <force-source-hide-nat > ]
Parameters
force-source-hide- Allow access from internal networks to the external IP address of the server via
nat local switch
Type: A string that begins with a letter and contain up to 32 alphanumeric (0-9, a-
z, _ - .) characters without spaces
nat-settings Indicates the general NAT settings configured (no NAT, hide behind the
gateway's external IP address or use a different external IP address)
port-address- For servers with a single port, indicates if the external port is not the same as the
translation internal port.
port-address- For servers with a single port, indicates the external port that is used to forward
translation-external- traffic to the server
static-nat-for- indicates if outgoing traffic from the server using static NAT will be hidden behind
outgoing-traffic the configured external IP address without a port change
static-nat-ipv4- For servers using static NAT, the external IP address used to forward traffic to
address the server
Type: IP address
Example
set server server-nat-settings myObject_17 nat-settings static-nat static-

nat-ipv4-address 192.168.1.1 static-nat-for-outgoing-traffic true port-
address-translation true port-address-translation-external-port 8080 force-
source-hide-nat true
set server server-network-settings
set server server-network-settings
Description
Configures network settings on an existing server object.
Syntax
set server server-network-settings <name> [ name <name> ] [ dhcp-exclude-

ip-addr { on [ dhcp-reserve-ip-addr-to-mac { on mac-addr <mac-addr> | off }
] | off } ] [ comments <comments> ] [ dns-resolving <dns-resolving> ] [
ipv4-address <ipv4-address> ]
Parameters
comments Comments
dhcp-exclude- Indicates if the internal DHCP service will not distribute the configured IP address of
ip-addr this server/network object to anyone
dhcp-reserve-ip- Indicates if the internal DHCP service will distribute the configured IP address only to
addr- to-mac this server/network object according to its MAC address
internal DNS service
mac-addr MAC address of the server
Type: MAC address
Type: A string that begins with a letter and contain up to 32 alphanumeric (0-9, a-z, _
- .) characters without spaces
Example
set server server-network-settings myObject_17 name myObject_17 dhcp-

exclude-ip-addr on dhcp-reserve-ip-addr-to-mac on mac-addr
00:1C:7F:21:05:BE comments "This is a comment." dns-resolving true ipv4-
address 192.168.1.1
set server server-ports
Description
Configures an existing server object.
Syntax
set server server-ports <name> [ web-server { true service-http { true [

service-http-ports <service-http-ports> ] | false } service-https { true [
service-https-ports <service-https-ports> ] | false } | false } ] [ mail-
server { true service-smtp { true [ service-smtp-ports <service-smtp-ports>
] | false } service-pop3 { true [ service-pop3-ports <service-pop3-ports> ]
| false } service-imap { true [ service-imap-ports <service-imap-ports> ] |
false } | false } ] [ dns-server { true service-dns { true [ service-dns-
ports <service-dns-ports> ] | false } | false } ] [ ftp-server { true
service-ftp { true [ service-ftp-ports <service-ftp-ports> ] | false } |
false } ] [ citrix-server { true service-citrix { true [ service-citrix-
ports <service-citrix-ports> ] | false } | false } ] [ pptp-server { true
service-pptp-selected { true [ service-pptp-ports <service-pptp-ports> ] |
false } | false } ] [ custom-server { true [ tcpProtocol <tcpProtocol> [
tcp-ports <tcp-ports> ] udpProtocol <udpProtocol> [ udp-ports <udp-ports> ]
] | false } ]
Parameters
citrix-server Indicates a Citrix server (for each type we provide default but configurable ports)
custom-server Server type custom
dns-server Indicates a DNS server (for each type we provide default but configurable ports
ftp-server Indicates a FTP server (for each type we provide default but configurable ports)
mail-server Indicates a mail server (for each type we provide default but configurable ports)
Type: A string that begins with a letter and contain up to 32 alphanumeric (0-9, a-z, _ -
.) characters without spaces
pptp-server Indicates a PPTP server (for each type we provide default but configurable ports)
service-citrix Indicates if ports are defined for Citrix (for a Citrix server)
service-citrix- Configured ports for Citrix (for a Citrix server)
ports
service-dns Indicates if ports are defined for DNS (for a DNS server)
service-dns- Configured ports for DNS (for a DNS server)
ports
service-ftp Indicates if ports are defined for FTP (for a FTP server)
service-ftp- Configured ports for FTP (for a FTP server)
ports
service-http Indicates if ports are defined for HTTP (for a web server)
service-http- Configured ports for HTTP (for a web server)
ports
service-https Indicates if ports are defined for HTTPS (for a web server)
service-https- Configured ports for HTTPS (for a web server)
ports
service-imap Indicates if ports are defined for IMAP (for a mail server)
service-imap- Configured ports for IMAP (for a web server)
ports
service-pop3 Indicates if ports are defined for POP3 (for a mail server)
service-pop3- Configured ports for POP3 (for a web server)
ports
service-pptp- Configured ports for PPTP (for a PPTP server)
ports
service-pptp- Indicates if ports are defined for PPTP (for a PPTP server)
selected
service-smtp Indicates if ports are defined for SMTP (for a mail server)
service-smtp- Configured ports for SMTP (for a web server)
ports
tcp-ports TCP ports for server of type 'other'
Type: Port range
tcpProtocol tcpProtocol
udp-ports UDP ports for server of type 'other'
Type: Port range
udpProtocol udpProtocol
web-server Indicates a web server (for each type we provide default but configurable ports)
Example
set server server-ports myObject_17 web-server true service-http true

service-http-ports 8080-8090 service-https true service-https-ports 8080-
8090 mail-server true service-smtp true service-smtp-ports 8080-8090
service-pop3 true service-pop3-ports 8080-8090 service-imap true service-
imap-ports 8080-8090 dns-server true service-dns true service-dns-ports
8080-8090 ftp-server true service-ftp true service-ftp-ports 8080-8090
citrix-server true service-citrix true service-citrix-ports 8080-8090 pptp-
server true service-pptp-selected true service-pptp-ports 8080-8090 custom-
server true tcpProtocol true tcp-ports 8080-8090 udpProtocol true udp-ports
8080-8090
service-system-default
service-system-default
set service-system-default Any_TCP
Description
Configures settings of the built-in Any_TCP service object.
Syntax
set service-system-default Any_TCP [ port <port> ] [ session-timeout

<session-timeout> ] [ use-source-port { false | true [ source-port <source-
port> ] } ] [ keep-connections-open-after-policy-installation <keep-
connections-open-after-policy-installation> ] [ sync-connections-on-cluster
<sync-connections-on-cluster> ] [ sync-delay-enable <sync-delay-enable> ] [
delay-sync-interval <delay-sync-interval> ] [ aggressive-aging-enable
<aggressive-aging-enable> ] [ aggressive-aging-timeout <aggressive-aging-
timeout>]
Parameters
aging-timeout
delay-sync- Time (in seconds) after connection initiation to start synchronizing connections
interval
keep- True to keep connections open after policy has been installed, even if they are not
connections- allowed under the new policy
open-after-
policy-
installation
port Destination ports (a comma separated list of ports/ranges)
Type: Port range
timeout
source-port Source port
sync- Enables state-synchronized High Availability or Load Sharing on a ClusterXL or
connections- OPSEC-certified cluster. Of the services allowed by the Rule BaseRule Base, only
on- cluster those with synchronize connections on cluster will be synchronized as they pass
through the cluster.
sync-delay- True to delay connections synchronization.
enable
use-source- Use source port
port
Example
set service-system-default Any_TCP port 8080-8090 session-timeout 15 use-

source-port false source-port 8080 keep-connections-open-after-policy-
installation true sync-connections-on-cluster true sync-delay-enable true
delay-sync-interval 15 aggressive-aging-enable true aggressive-aging-
timeout 15
show service-system-default Any_TCP
Description
Shows the settings of the built-in Any_TCP service object.
Syntax
Parameters
n/a
Example
set service-system-default Any_UDP
Description
Configures settings of the built-in Any_UDP service object.
Syntax
set service-system-default Any_UDP [ port <port> ] [ session-timeout

<session-timeout> ] [ use-source-port { false | true [ source-port <source-
port> ] } ] [ keep-connections-open-after-policy-installation <keep-
connections-open-after-policy-installation> ] [ sync-connections-on-cluster
<sync-connections-on-cluster> ] [ aggressive-aging-enable <aggressive-
aging-enable> ] [ aggressive-aging-timeout <aggressive-aging-timeout> ] [
accept-replies <accept-replies> ]
Parameters
aging-timeout
open-after-
policy-
installation
Type: Port range
timeout
on- cluster synchronize connections on cluster will be synchronized as they pass through the
cluster.
use-source- Use source port.
port
Example
set service-system-default Any_UDP port 8080-8090 session-timeout 15 use-

source-port false source-port 8080 keep-connections-open-after-policy-
installation true sync-connections-on-cluster true aggressive-aging-enable
true aggressive-aging-timeout 15 accept-replies true
show service-system-default Any_UDP
Description
Shows the settings of the built-in Any_UDP service object.
Syntax
Parameters
n/a
Example
set service-system-default CIFS
Description
Configures settings of the built-in CIFS service object.
Syntax
set service-system-default CIFS [ port <port> ] [ disable-inspection

<disable-inspection>] [ session-timeout <session-timeout> ] [ use-source-
port { false | true [ source-port <source-port> ] } ] [ keep-connections-
open-after-policy-installation <keep-connections-open-after-policy-
installation> ] [ sync-connections-on-cluster <sync-connections-on-cluster>
] [ sync-delay-enable <sync-delay-enable> ] [ delay-sync-interval <delay-
sync-interval> ] [ aggressive-aging-enable <aggressive-aging-enable> ] [
Parameters
aging-enable firewall to increase durability and stability
aging-timeout
interval
disable- Disable deep inspection of traffic matching this service
inspection Type: Boolean (true/false)
open-after-
policy-
installation
Type: Port range
timeout
on-cluster synchronize connections on cluster will be synchronized as they pass through the
cluster.
enable
port
Example
set service-system-default CIFS port 8080-8090 disable-inspection true

session-timeout 15 use-source-port false source-port 8080 keep-connections-
open-after-policy-installation true sync-connections-on-cluster true sync-
delay-enable true delay-sync-interval 15 aggressive-aging-enable true
aggressive-aging-timeout 15
show service-system-default CIFS
Description
Shows the settings of the built-in CIFS service object.
Syntax
Parameters
n/a
Example
set service-system-default Citrix
Description
Configures settings of the built-in Citrix service object.
Syntax
set service-system-default Citrix [ port <port> ] [ disable-inspection

<disable-inspection> ] [ session-timeout <session-timeout> ] [ use-source-
] [ sync-delay-enable <sync-delay-enable>] [ delay-sync-interval <delay-
Parameters
aging-timeout
interval
open-after-
policy-
installation
Type: Port range
timeout
cluster.
enable
port
Example
set service-system-default Citrix port 8080-8090 disable-inspection true

show service-system-default Citrix
Description
Shows the settings of the built-in Citrix service object.
Syntax
Parameters
n/a
Example
set service-system-default Citrix firewall-settings
set service-system-default Citrix firewall-
settings
Description
Configures firewall inspection settings of the built-in Citrix service object.
Syntax
set service-system-default Citrix firewall-settings [ protocol-support

<protocol-support> ]
Parameters
protocol- Which protocol to support on the configured ports. The default port 1494 is commonly
support used by two different protocols - Winframe or Citrix ICA
Options: PROTO_TYPE.WIN_FRAME, PROTO_TYPE.CITRIX_ICA
Example
set service-system-default Citrix firewall-settings protocol-support PROTO_

TYPE.WIN_FRAME
show service-system-default Citrix firewall-settings
show service-system-default Citrix firewall-
settings
Description
Shows the inspection settings of the built-in Citrix service object.
Syntax
Parameters
n/a
Example
set service-system-default DHCP
set service-system-default DHCP
Description
Configures settings of the built-in DHCP service object.
Syntax
set service-system-default DHCP [ port <port> ] [ disable-inspection

port { false | true [ source-port <source-port> ] } ] [ accept-replies
<accept-replies> ]
Parameters
disable-inspection Disable deep inspection of traffic matching this service
Type: Port range
session-timeout Time (in seconds) before the session times out
use-source-port Use source port
Example
set service-system-default DHCP port 8080-8090 disable-inspection true

session-timeout 15 use-source-port false source-port 8080 accept-replies
true
show service-system-default DHCP
Description
Shows the settings of the built-in DHCP service object.
Syntax
Parameters
n/a
Example
set service-system-default DNS_TCP
Description
Configures settings of the built-in DNS_TCP service object.
Syntax
set service-system-default DNS_TCP [ port <port> ] [ disable-inspection

Parameters
aging-timeout
interval
open-after-
policy-
installation
Type: Port range
timeout
cluster.
enable
port
Example
set service-system-default DNS_TCP port 8080-8090 disable-inspection true

show service-system-default DNS_TCP
Description
Shows the settings of the built-in DNS_TCP service object.
Syntax
Parameters
n/a
Example
set service-system-default DNS_UDP
set service-system-default DNS_UDP
Description
Configures settings of the built-in DNS_UDP service object.
Syntax
set service-system-default DNS_UDP [ port <port> ] [ disable-inspection

<accept-replies> ]
Parameters
accept-replies Specifies if service replies are to be accepted.
disable-inspection Disable deep inspection of traffic matching this service.
port Destination ports (a comma separated list of ports/ranges).
Type: Port range
session-timeout Time (in seconds) before the session times out.
source-port Source port.
use-source-port Use source port.
Example
set service-system-default DNS_UDP port 8080-8090 disable-inspection true

true
show service-system-default DNS_UDP
Description
Shows the settings of the built-in DNS_UDP service object.
Syntax
Parameters
n/a
Example
set service-system-default FTP
Description
Configures settings of the built-in FTP service object.
Syntax
set service-system-default FTP [ port <port> ] [ disable-inspection

Parameters
aging-enable firewall to increase durability and stability.
aggressive- Time (in seconds) before the aggressive aging times out.
aging-timeout
delay-sync- Time (in seconds) after connection initiation to start synchronizing connections.
interval
disable- Disable deep inspection of traffic matching this service.
connections- allowed under the new policy.
open-after-
policy-
installation
Type: Port range
session- Time (in seconds) before the session times out.
timeout
cluster.
enable
port
Example
set service-system-default FTP port 8080-8090 disable-inspection true

show service-system-default FTP
Description
Shows the settings of the built-in FTP service object.
Syntax
Parameters
n/a
Example
set service-system-default FTP firewall-settings
set service-system-default FTP firewall-settings
Description
Configures firewall inspection settings of the built-in FTP service object.
Syntax
set service-system-default FTP firewall-settings [ mode <mode> ]
Parameters
mode FTP connection mode (allowed values are 'Any', 'Active' or 'Passive').
Options: any, active, passive
Example
set service-system-default FTP firewall-settings mode any
show service-system-default FTP firewall-settings
show service-system-default FTP firewall-
settings
Description
Shows the inspection settings of the built-in FTP service object.
Syntax
Parameters
n/a
Example
set service-system-default GRE
Description
Configures settings of the built-in GRE service object.
Syntax
set service-system-default GRE [ ip-protocol <ip-protocol> ] [ disable-

inspection <disable-inspection> ] [ session-timeout <session-timeout>] [
accept-replies <accept-replies> ] [ match <match> ] [ keep-connections-
] [ aggressive-aging-enable <aggressive-aging-enable> ] [ aggressive-aging-
timeout <aggressive-aging-timeout> ]
Parameters
aging-timeout
ip-protocol IP Protocol number.
open-after-
policy-
installation
match INSPECT expression that searches for a pattern in a packet, only relevant for services
of type 'other'.
timeout
cluster.
Example
set service-system-default GRE ip-protocol 15 disable-inspection true

session-timeout 15 accept-replies true match TEXT keep-connections-open-
after-policy-installation true sync-connections-on-cluster true aggressive-
aging-enable true aggressive-aging-timeout 15
show service-system-default GRE
Description
Shows the settings of the built-in GRE service object.
Syntax
Parameters
n/a
Example
set service-system-default H323
Description
Configures settings of the built-in H323 service object.
Syntax
set service-system-default H323 [ port <port> ] [ disable-inspection

sync-interval> ]
Parameters
interval
open-after-
policy-
installation
Type: Port range
timeout
cluster.
enable
port
Example
set service-system-default H323 port 8080-8090 disable-inspection true

delay-enable true delay-sync-interval 15
show service-system-default H323
Description
Shows the settings of the built-in H323 service object.
Syntax
Parameters
n/a
Example
set service-system-default H323_RAS
set service-system-default H323_RAS
Description
Configures settings of the built-in H323_RAS service object.
Syntax
set service-system-default H323_RAS [ port <port> ] [ disable-inspection

<accept-replies> ]
Parameters
disable-inspection Disable deep inspection of traffic matching this service.
Type: Port range
session-timeout Time (in seconds) before the session times out.
use-source-port Use source port.
Example
set service-system-default H323_RAS port 8080-8090 disable-inspection true

true
show service-system-default H323_RAS
Description
Shows the settings of the built-in H323_RAS service object.
Syntax
Parameters
n/a
Example
set service-system-default HTTP
Description
Configures settings of the built-in HTTP service object.
Syntax
set service-system-default HTTP [ port <port> ] [ disable-inspection

Parameters
aging-timeout
interval
open-after-
policy-
installation
Type: Port range
timeout
cluster.
enable
port
Example
set service-system-default HTTP port 8080-8090 disable-inspection true

show service-system-default HTTP
Description
Shows the settings of the built-in HTTP service object.
Syntax
Parameters
n/a
Example
set service-system-default HTTPS
Description
Configures settings of the built-in HTTPS service object.
Syntax
set service-system-default HTTPS [ port <port> ] [ disable-inspection

Parameters
aging-timeout
interval
open-after-
policy-
installation
Type: Port range
timeout
cluster.
enable
port
Example
set service-system-default HTTPS port 8080-8090 disable-inspection true

session-timeout 15 use-source-port false source-port 8080 >keep-
connections-open-after-policy-installation true sync-connections-on-cluster
true sync-delay-enable true delay-sync-interval 15 aggressive-aging-enable
true aggressive-aging-timeout 15
show service-system-default HTTPS
Description
Shows the settings of the built-in HTTPS service object.
Syntax
Parameters
n/a
Example
set service-system-default HTTP ips-settings
Description
Configures IPS settings of the built-in HTTP service object.
Syntax
set service-system-default HTTP ips-settings [ non-standard-ports-action

<non-standard-ports-action>] [ non-standard-ports-track <non-standard-
ports-track> ] [ parser-failure-action <parser-failure-action> ] [ parser-
failure-track <parser-failure-track> ] [ strict-request <strict-request> ]
[ strict-response <strict-response> ] [ split-url <split-url> ] [ no-colon
<no-colon> ] [ tab-as-seperator <tab-as-seperator>] [ duplicate-content-
length <duplicate-content-length> ] [ duplicate-host <duplicate-host> ] [
responses <responses> ] [ invalid-chunk <invalid-chunk> ] [ empty-value
<empty-value> ] [ post <post>] [ recursive-url <recursive-url> ] [
trailing-whitespaces <trailing-whitespaces> ]
Parameters
duplicate- True to block duplicate Content-Length' header with same value.
content-length Type: Boolean (true/false)
duplicate-host True to block duplicate 'Host' header with same value.
empty-value True to block HTTP header with empty value.
invalid-chunk True if invalid chunk.
no-colon True to block HTTP header with no colon.
non-standard- Select action for connection over non standard ports (allowed values are 'Accept' and
ports-action 'Block').
non-standard- Select track option for connection over non standard ports (allowed values are 'log',
ports-track 'alert' and 'don't log') .
parser-failure- Select action for when the parser fails (allowed values are 'Accept' and 'Block').
action Options: block, accept
parser-failure- Select track option for when the parser fails (allowed values are 'log', 'alert' and 'don't
track log').
post True to block requests with 'POST' method and without 'Content-Type' header.
recursive-url True to block HTTP requests with recursive URL encoding.
responses True to block responses with both 'Content-Length' and 'Transfer-Encoding'headers.
split-url True to split the URL between the query and fragment sections instructs the HTTP
protections to inspect the query and fragment sections separately.
strict-request True to enforce strict HTTP request parsing.
strict-response True to enforce strict HTTP response parsing.
tab-as- True to block HTTP traffic with 'tab' character as a separator.
seperator Type: Boolean (true/false)
trailing- True to block request header names with trailing whitespaces.
whitespaces Type: Boolean (true/false)
Example
set service-system-default HTTP ips-settings non-standard-ports-action

block non-standard-ports-track none parser-failure-action block parser-
failure-track none strict-request true strict-response true split-url true
no-colon true tab-as-seperator true duplicate-content-length true
duplicate-host true responses true invalid-chunk true empty-value true post
true recursive-url true trailing-whitespaces true
show service-system-default HTTP ips-settings
Description
Shows the inspection settings of the built-in HTTP service object.
Syntax
Parameters
n/a
Example
set service-system-default HTTPS url-filtering-settings
set service-system-default HTTPS url-filtering-
settings
Description
Configures URL filtering over HTTPS. Enables categorization over HTTPS even without full SSL inspection.
Syntax
set service-system-default HTTPS url-filtering-settings [ categorize-https-

sites <categorize-https-sites> ]
Parameters
categorize-https-sites Categorize HTTPS sites by their certificate CN.
Example
set service-system-default HTTPS url-filtering-settings categorize-https-

sites true
show service-system-default HTTPS url-filtering-settings
show service-system-default HTTPS url-
filtering-settings
Description
Shows the configuration of URL filtering categorization option over HTTPS.
Syntax
Parameters
n/a
Example
set service-system-default IIOP
Description
Configures settings of the built-in IIOP service object.
Syntax
set service-system-default IIOP [ port <port> ] [ disable-inspection

Parameters
aging-timeout
interval
open-after-
policy-
installation
Type: Port range
timeout
cluster.
enable
port
Example
set service-system-default IIOP port 8080-8090 disable-inspection true

show service-system-default IIOP
Description
Shows the settings of the built-in IIOP service object.
Syntax
Parameters
n/a
Example
set service-system-default IMAP
Description
Configures settings of the built-in IMAP service object.
Syntax
set service-system-default IMAP [ port <port> ] [ disable-inspection

Parameters
aging-timeout
interval
open-after-
policy-
installation
Type: Port range
timeout
cluster
sync-delay- True to delay connections synchronization
enable
port
Example
set service-system-default IMAP port 8080-8090 disable-inspection true

show service-system-default IMAP
Description
Shows the settings of the built-in IMAP service object.
Syntax
Parameters
n/a
Example
set service-system-default LDAP
Description
Configures settings of the built-in LDAP service object.
Syntax
set service-system-default LDAP [ port <port> ] [ disable-inspection

Parameters
aging-timeout
interval
open-after-
policy-
installation
Type: Port range
timeout
cluster
enable
port
Example
set service-system-default LDAP port 8080-8090 disable-inspection true

show service-system-default LDAP
Description
Shows the settings of the built-in LDAP service object.
Syntax
Parameters
n/a
Example
set service-system-default MGCP
set service-system-default MGCP
Description
Configures settings of the built-in MGCP service object.
Syntax
set service-system-default MGCP [ port <port> ] [ disable-inspection

port { false | true [ source-port <source-port>] } ] [ accept-replies
<accept-replies> ]
Parameters
Type: Port range
Example
set service-system-default MGCP port 8080-8090 disable-inspection true

true
show service-system-default MGCP
Description
Shows the settings of the built-in MGCP service object.
Syntax
Parameters
n/a
Example
set service-system-default NetBIOSDatagram
set service-system-default NetBIOSDatagram
Description
Configures settings of the built-in NetBiosDatagram service object.
Syntax
set service-system-default NetBIOSDatagram [ port <port> ] [ disable-

inspection <disable-inspection> ] [ session-timeout <session-timeout> ] [
use-source-port { false | true [ source-port <source-port> ] } ] [ accept-
replies <accept-replies> ]
Parameters
Type: Port range
Example
set service-system-default NetBIOSDatagram port 8080-8090 disable-

inspection true session-timeout 15 use-source-port false source-port 8080
accept-replies true
show service-system-default NetBIOSDatagram
Description
Shows the settings of the built-in NetBiosDatagram service object.
Syntax
Parameters
n/a
Example
set service-system-default NetBIOSName
set service-system-default NetBIOSName
Description
Configures settings of the built-in NetBiosName service object.
Syntax
set service-system-default NetBIOSName [ port <port> ] [ disable-inspection

<accept-replies>]
Parameters
Type: Port range
Example
set service-system-default NetBIOSName port 8080-8090 disable-inspection

true session-timeout 15 use-source-port false source-port 8080 accept-
replies true
show service-system-default NetBIOSName
Description
Shows the settings of the built-in NetBiosName service object.
Syntax
Parameters
n/a
Example
set service-system-default NetShow
Description
Configures settings of the built-in NetShow service object.
Syntax
set service-system-default NetShow [ port <port> ] [ disable-inspection

Parameters
aging-timeout
interval
open-after-
policy-
installation
Type: Port range
timeout
cluster
enable
port
Example
set service-system-default NetShow port 8080-8090 disable-inspection true

show service-system-default NetShow
Description
Shows the settings of the built-in NetShow service object.
Syntax
Parameters
n/a
Example
set service-system-default NNTP
Description
Configures settings of the built-in NNTP service object.
Syntax
set service-system-default NNTP [ port <port> ] [ disable-inspection

Parameters
aging-timeout
interval
open-after-
policy-
installation
Type: Port range
timeout
cluster
enable
port
Example
set service-system-default NNTP port 8080-8090 disable-inspection true

show service-system-default NNTP
Description
Shows the settings of the built-in NNTP service object.
Syntax
Parameters
n/a
Example
set service-system-default POP3
Description
Configures settings of the built-in POP3 service object.
Syntax
set service-system-default POP3 [ port <port> ] [ disable-inspection

Parameters
aging-timeout
interval
open-after-
policy-
installation
Type: Port range
timeout
cluster
enable
port
Example
set service-system-default POP3 port 8080-8090 disable-inspection true

show service-system-default POP3
Description
Shows the settings of the built-in POP3 service object.
Syntax
Parameters
n/a
Example
set service-system-default PPTP_TCP
Description
Configures settings of the built-in PPTP_TCP service object.
Syntax
set service-system-default PPTP_TCP [ port <port> ] [ disable-inspection

Parameters
aging-timeout
interval
open-after-
policy-
installation
Type: Port range
timeout
cluster
enable
port
Example
set service-system-default PPTP_TCP port 8080-8090 disable-inspection true

show service-system-default PPTP_TCP
Description
Shows the settings of the built-in PPTP_TCP service object.
Syntax
Parameters
n/a
Example
set service-system-default PPTP_TCP ips-settings
set service-system-default PPTP_TCP ips-
settings
Description
Configures additional inspection settings of the built-in PPTP_TCP service object.
Syntax
set service-system-default PPTP_TCP ips-settings [ action <action> ] [

track
<track> ] [ strict <strict> ]
Parameters
action Select action for PPTP connections (allowed values are 'Accept' and 'Block')
strict True to enforce strict PPTP parsing
track Select track option for PPTP connections (allowed values are 'log', 'alert' and 'don't log')
Example
set service-system-default PPTP_TCP ips-settings action block track none

strict true
show service-system-default PPTP_TCP ips-settings
show service-system-default PPTP_TCP ips-
settings
Description
Shows the inspection settings of the built-in Any_TCP service object.
Syntax
Parameters
n/a
Example
set service-system-default RealAudio
Description
Configures settings of the built-in RealAudio service object.
Syntax
set service-system-default RealAudio [ port <port> ] [ disable-inspection

Parameters
aging-timeout
interval
open-after-
policy-
installation
Type: Port range
timeout
cluster
enable
port
Example
set service-system-default RealAudio port 8080-8090 disable-inspection true

show service-system-default RealAudio
Description
Shows the settings of the built-in RealAudio service object.
Syntax
Parameters
n/a
Example
set service-system-default RSH
Description
Configures settings of the built-in RSH service object.
Syntax
set service-system-default RSH [ port <port> ] [ disable-inspection

Parameters
aging-timeout
interval
open-after-
policy-
installation
Type: Port range
timeout
cluster
enable
port
Example
set service-system-default RSH port 8080-8090 disable-inspection true

show service-system-default RSH
Description
Shows the settings of the built-in RSH service object.
Syntax
Parameters
n/a
Example
set service-system-default RTSP
Description
Configures settings of the built-in RTSP service object.
Syntax
set service-system-default RTSP [ port <port> ] [ disable-inspection

Parameters
aging-timeout
interval
open-after-
policy-
installation
Type: Port range
timeout
cluster
enable
port
Example
set service-system-default RTSP port 8080-8090 disable-inspection true

show service-system-default RTSP
Description
Shows the settings of the built-in RTSP service object.
Syntax
Parameters
n/a
Example
set service-system-default SCCP
Description
Configures settings of the built-in SCCP service object.
Syntax
set service-system-default SCCP [ port <port> ] [ disable-inspection

Parameters
aging-timeout
interval
open-after-
policy-
installation
Type: Port range
timeout
cluster
enable
port
Example
set service-system-default SCCP port 8080-8090 disable-inspection true

show service-system-default SCCP
Description
Shows the settings of the built-in SCCP service object.
Syntax
Parameters
n/a
Example
set service-system-default SCCPS
Description
Configures settings of the built-in SCCPS service object.
Syntax
set service-system-default SCCPS [ port <port> ] [ disable-inspection

Parameters
aging-timeout
interval
open-after-
policy-
installation
Type: Port range
timeout
cluster
enable
port
Example
set service-system-default SCCPS port 8080-8090 disable-inspection true

show service-system-default SCCPS
Description
Shows the settings of the built-in SCCPS service object.
Syntax
Parameters
n/a
Example
set service-system-default SIP_TCP
Description
Configures settings of the built-in SIP_TCP service object.
Syntax
set service-system-default SIP_TCP [ port <port> ] [ disable-inspection

Parameters
aging-timeout
interval
open-after-
policy-
installation
Type: Port range
timeout
cluster
enable
port
Example
set service-system-default SIP_TCP port 8080-8090 disable-inspection true

show service-system-default SIP_TCP
Description
Shows the settings of the built-in SIP_TCP service object.
Syntax
Parameters
n/a
Example
set service-system-default SIP_UDP
set service-system-default SIP_UDP
Description
Configures settings of the built-in SIP_UDP service object.
Syntax
set service-system-default SIP_UDP [ port <port> ] [ disable-inspection

<accept-replies> ]
Parameters
Type: Port range
Example
set service-system-default SIP_UDP port 8080-8090 disable-inspection true

true
show service-system-default SIP_UDP
Description
Shows the settings of the built-in SIP_UDP service object.
Syntax
Parameters
n/a
Example
set service-system-default SMTP
Description
Configures settings of the built-in SMTP service object.
Syntax
set service-system-default SMTP [ port <port> ] [ disable-inspection

Parameters
aging-timeout
interval
open-after-
policy-
installation
Type: Port range
timeout
cluster
enable
port
Example
set service-system-default SMTP port 8080-8090 disable-inspection true

show service-system-default SMTP
Description
Shows the settings of the built-in SMTP service object.
Syntax
Parameters
n/a
Example
set service-system-default SNMP
set service-system-default SNMP
Description
Configures settings of the built-in SNMP service object.
Syntax
set service-system-default SNMP [ port <port> ] [ disable-inspection

<accept-replies> ]
Parameters
Type: Port range
Example
set service-system-default SNMP port 8080-8090 disable-inspection true

true
show service-system-default SNMP
Description
Shows the settings of the built-in SNMP service object.
Syntax
Parameters
n/a
Example
set service-system-default SNMP firewall-settings
set service-system-default SNMP firewall-
settings
Description
Additional configuration for SNMP service
Syntax
set service-system-default SNMP firewall-settings [ read-only <read-only> ]
Parameters
read-only True to enforce read-only mode
Example
set service-system-default SNMP firewall-settings read-only true
show service-system-default SNMP firewall-settings
show service-system-default SNMP firewall-
settings
Description
Shows the inspection settings of the built-in SNMP service object.
Syntax
Parameters
n/a
Example
set service-system-default SQLNet
Description
Configures settings of the built-in SQLNet service object.
Syntax
set service-system-default SQLNet [ port <port> ] [ disable-inspection

Parameters
aging-timeout
interval
open-after-
policy-
installation
Type: Port range
timeout
cluster
enable
port
Example
set service-system-default SQLNet port 8080-8090 disable-inspection true

show service-system-default SQLNet
Description
Shows the settings of the built-in SQLNet service object.
Syntax
Parameters
n/a
Example
set service-system-default SSH
Description
Configures settings of the built-in SSH service object.
Syntax
set service-system-default SSH [ port <port> ] [ disable-inspection

<disable-inspection> ] [ session-timeout <session-timeout>] [ use-source-
Parameters
aging-timeout
interval
open-after-
policy-
installation
Type: Port range
timeout
cluster
enable
port
Example
set service-system-default SSH port 8080-8090 disable-inspection true

show service-system-default SSH
Description
Shows the settings of the built-in SSH service object.
Syntax
Parameters
n/a
Example
set service-system-default SSH ips-settings
set service-system-default SSH ips-settings
Description
Configures additional inspection settings of the built-in SSH service object.
Syntax
set service-system-default SSH ips-settings [ block-version <block-version>
Parameters
block-version True to enforce blocking of version 1.x
Example
set service-system-default SSH ips-settings block-version true
show service-system-default SSH ips-settings
Description
Shows the inspection settings of the built-in SSH service object.
Syntax
Parameters
n/a
Example
set service-system-default TELNET
Description
Configures settings of the built-in TELNET service object.
Syntax
set service-system-default TELNET [ port <port> ] [ disable-inspection

Parameters
aging-timeout
interval
open-after-
policy-
installation
Type: Port range
timeout
cluster
enable
port
Example
set service-system-default TELNET port 8080-8090 disable-inspection true

show service-system-default TELNET
Description
Shows the settings of the built-in TELNET service object.
Syntax
Parameters
n/a
Example
set service-system-default TFTP
Description
Configures settings of the built-in TFTP service object.
Syntax
set service-system-default TFTP [ port <port> ] [ disable-inspection

<disable-inspection> ] [ accept-replies <accept-replies> ] [ session-
timeout <session-timeout> ] [ use-source-port { false | true [ source-port
<source-port> ] } ] [ keep-connections-open-after-policy-installation
<keep-connections-open-after-policy-installation> ] [ sync-connections-on-
cluster <sync-connections-on-cluster> ]
Parameters
open-after-
policy-
installation
Type: Port range
timeout
cluster
port
Example
set service-system-default TFTP port 8080-8090 disable-inspection true

accept-replies true session-timeout 15 use-source-port false source-port
8080 keep-connections-open-after-policy-installation true sync-connections-
on-cluster true
show service-system-default TFTP
Description
Shows the settings of the built-in TFTP service object.
Syntax
Parameters
n/a
Example
service-tcp
service-tcp
add service-tcp
add service-tcp
Description
Adds a new TCP service object with configurable ports.
Syntax
add service-tcp name <name> port <port> [ comments <comments> ]
Parameters
name Service name
Type: String
Type: Port range
Example
add service-tcp name TEXT port 8080-8090 comments "This is a comment."
set service-tcp
set service-tcp
Description
Configures an existing TCP service object.
Syntax
set service-tcp <name> [ name <name> ] [ port <port> ] [ comments

<comments> ] [ session-timeout <session-timeout>] [ sync-connections-on-
cluster <sync-connections-on-cluster>] [ sync-delay-enable <sync-delay-
enable> ] [ delay-sync-interval
<delay-sync-interval> ] [ aggressive-aging-enable <aggressive-aging-enable>
] [ aggressive-aging-timeout <aggressive-aging-timeout> ] [ use-source-port {
false | true source-port <source-port>} ]
Parameters
aging-timeout
interval
name Service name
Type: String
Type: Port range
timeout
cluster
set service-tcp
enable
port
Example
set service-tcp TEXT name TEXT port 8080-8090 comments "This is a comment."
session-timeout 15 sync-connections-on-cluster true sync-delay-enable true
delay-sync-interval 15 aggressive-aging-enable true aggressive-aging-
timeout 15 use-source-port false source-port 8080
delete service-tcp
delete service-tcp
Description
Deletes a TCP service object by name.
Syntax
delete service-tcp <name>
Parameters
name Service name
Type: String
Example
delete service-tcp TEXT
show service-tcp
show service-tcp
Description
Shows the configuration of a specific TCP service object.
Syntax
show service-tcp <name>
Parameters
name Service name
Type: String
Example
show service-tcp TEXT
show services-tcp
show services-tcp
Description
Shows the configuration of all TCP service objects.
Syntax
show services-tcp
Parameters
n/a
Example
show services-tcp
service-udp
service-udp
add service-udp
add service-udp
Description
Adds a new UDP service object with configurable ports.
Syntax
add service-udp name <name> port <port> [ comments <comments> ]
Parameters
name Service name
Type: String
Type: Port range
Example
add service-udp name TEXT port 8080-8090 comments "This is a comment."
delete service-udp
delete service-udp
Description
Deletes a UDP service object by name.
Syntax
delete service-udp <name>
Parameters
name Service name
Type: String
Example
delete service-udp TEXT
set service-udp
set service-udp
Description
Configures an existing UDP service object
Syntax
set service-udp <name> [ name <name> ] [ port <port> ] [ comments

<comments> ] [ session-timeout <session-timeout> ] [ accept-replies
<accept-replies> ] [ sync-connections-on-cluster <sync-connections-on-
cluster> ] [ aggressive-aging-enable <aggressive-aging- enable> ] [
Parameters
aging-timeout
name Service name
Type: String
Type: Port range
timeout
cluster
Example
set service-udp TEXT name TEXT port 8080-8090 comments "This is a comment."
session-timeout 15 accept-replies true sync-connections-on-cluster true
aggressive-aging-enable true aggressive-aging-timeout 15
show service-udp
show service-udp
Description
Shows the configuration of a specific UDP service object
Syntax
show service-udp <name>
Parameters
name Service name
Type: String
Example
show service-udp TEXT
show services-udp
show services-udp
Description
Shows the configuration of all UDP service objects.
Syntax
show services-udp
Parameters
n/a
Example
show services-udp
show services-icmp
show services-icmp
Description
Shows the configuration of all ICMP-type service objects.
Syntax
show services-icmp
Parameters
n/a
Example
show services-icmp
shell/expert
shell/expert
The shelland expertcommands switch between the shell and expert modes.
Description
Changes to expert mode.
Syntax
shell
expert
Parameters
n/a
Example
shell
Comments
Use the cpshell command to start cpshell.
set sic_init
set sic_init
Description
Sets the SIC password.
Syntax
set sic_init password <pass>
Parameters
pass One-time password, as specified by the Security Management Server administrator.
Example
set sic_init password verySecurePassword
sim
sim
Description
SecureXL Implementation Module commands
Parameters
ver get the version
if get the interface list
tab [-s] [name] print the table content (-s for summary)
ranges print the range content
tab -d templates print only templates in drop state
dbg <options> set the sim debug flags
affinity get/set affinity options
nonaccel [-s|-c] <name(s)> set or clear interface(s) as not accelerated
feature <feature> {on | off} enable/disable features
tmplquota <options> configure template quota feature
hlqos <options> configure Heavy-Load CPU QOS feature
snmp
snmp
add snmp
add snmp
Adds SNMP trap receiver and SNMP users to the SNMP configuration.
add snmp
add snmp
Description
Adds a new SNMP trap receiver IP address to be used by the SNMP agent.
Syntax
add snmp traps-receiver <traps-receiver> version { v2 community <community>

| v3 user <user> }
Parameters
community Community name of the receivers trap, public is default for version2 users
traps-receiver Receivers IP address that the trap associated with
Type: IP address
user SNMP version3 Defined user
version SNMP Version, options are: v2 or v3
Example
add snmp traps-receiver 192.168.1.1 version v2 community word
add snmp
add snmp
Description
Adds a new user to be used by SNMPv3 protocol.
Syntax
add snmp user <user> security-level { true auth-pass-type <auth-pass-type>

auth-pass-phrase <auth-pass-phrase> privacy-pass-type <privacy-pass-type>
privacy-pass-phrase <privacy-pass-phrase> | false auth-pass-type <auth-
pass-type> auth-pass-phrase <auth-pass-phrase> }
Parameters
auth-pass-phrase Authentication password for the SNMP version3 user
auth-pass-type Authentication protocol type for the version3 user, options are: MD5 or SHA1
Options: MD5, SHA1
privacy-pass-phrase Privacy password chosen by the version3 user in case privacy is set
privacy-pass-type Privacy protocol type for the version3 user, options are: AES or DES
Options: AES, DES
security-level Does Privacy protocol for this version3 user was set in the security level
user version3 user name
Example
add snmp user admin security-level true auth-pass-type MD5 auth-pass-phrase

a(&7Ba privacy-pass-type AES privacy-pass-phrase a(&7Ba
delete snmp
delete snmp
Deletes SNMP trap receivers and SNMP users.
delete snmp
delete snmp
Description
Deletes an existing SNMP trap receiver by IP address.
Syntax
delete snmp traps-receiver <traps-receiver>
Parameters
traps-receiver Receivers IP address that the trap associated with
Type: IP address
Example
delete snmp traps-receiver 192.168.1.1
delete snmp
delete snmp
Description
Deletes a configured SNMP contact.
Syntax
delete snmp contact
Parameters
n/a
Example
delete snmp contact
delete snmp
delete snmp
Description
Deletes a configured SNMP location.
Syntax
delete snmp location
Parameters
n/a
Example
delete snmp location
set snmp
set snmp
Configures SNMP settings.
set snmp
set snmp
escription
Configures SNMP agent settings.
Syntax
set snmp agent <agent> [ agent-version <agent-version> ] [ community

<community> ] [ contact <contact> ] [ location <location> ]
Parameters
agent Is SNMP option enabled or disabled, disabled is the default
agent-version Is the defined SNMP version is version3 only
community Community name of the SNMP, public is the default
contact System contact name, maximum length is 128
location System location name
Example
set snmp agent true agent-version true community word contact myContact
location myLocation
set snmp
set snmp
Description
Configures SNMP agent settings.
Syntax
set snmp agent-version <agent-version> [ agent <agent> ] [ community

<community> ] [ contact <contact> ] [ location <location> ]
Parameters
Example
set snmp agent-version true agent true community word contact myContact
location myLocation
set snmp
set snmp
Description
Configures SNMP community settings.
Syntax
set snmp community <community> [ agent <agent> ] [ agent-version <agent-

version> ] [ contact <contact> ] [ location <location> ]
Parameters
Example
set snmp community word agent true agent-version true contact myContact
location myLocation
set snmp
set snmp
Description
Configures SNMP contact settings.
Syntax
set snmp contact <contact> [ agent <agent> ] [ agent-version <agent-

version>
] [ community <community> ] [ location <location> ]
Parameters
Example
set snmp contact myContact agent true agent-version true community word
location myLocation
set snmp
set snmp
Description
Configures SNMP location settings.
Syntax
set snmp location <location>[ agent <agent> ] [ agent-version <agent-

version> ] [ community <community> ] [ contact <contact> ]
Parameters
Example
set snmp location myLocation agent true agent-version true community word
contact myContact
show snmp
show snmp
Shows SNMP configuration.
show snmp
show snmp
Description
Shows SNMP agent configuration.
Syntax
show snmp agent
Parameters
n/a
Example
show snmp agent
show snmp
show snmp
Description
Shows SNMP agent version configuration.
Syntax
show snmp agent-version
Parameters
n/a
Example
show snmp agent-version
show snmp
show snmp
Description
Shows SNMP community configuration.
Syntax
show snmp community
Parameters
n/a
Example
show snmp community
show snmp
show snmp
Description
Shows SNMP contact configuration.
Syntax
show snmp contact
Parameters
n/a
Example
show snmp contact
show snmp
show snmp
Description
Shows SNMP location configuration.
Syntax
show snmp location
Parameters
n/a
Example
show snmp location
show snmp-general-all
Description
Shows SNMP configuration.
Syntax
Parameters
n/a
Example
snmp traps
snmp traps
set snmp traps
set snmp traps
Configures, enables or disables traps from the list, the enabled traps are sent to the trap receivers.
set snmp traps
set snmp traps
Description
Enable/Disable SNMP traps functionality.
Syntax
set snmp traps { enable | disable }
Parameters
snmpTrapsEnable snmpTrapsEnable
Example
set snmp traps true
set snmp traps
set snmp traps
Description
Configures an existing SNMP trap.
Syntax
set snmp traps trap-name <trap-name> [ enable <enable> ] [ severity

<severity> ] [ repetitions <repetitions> ] [ repetitions-delay
<repetitions-delay> ] [ threshold <threshold> ]
Parameters
enable Enable or disable whether a trap is sent for the specific event
repetitions Repetitions on trap sending times between 0 - 10, optional field
repetitions-delay Wait time (in seconds) between sending each trap, optional field
severity Trap hazardous level, optional field, severity of the trap between 1 - 4
threshold The mathematical value associated with the thresholds
trap-name Trap event name
Options: trap-name
Example
set snmp traps trap-name interface-disconnected enable true severity 15

repetitions 15 repetitions-delay 15 threshold 15
set snmp traps
set snmp traps
Description
Configures an existing SNMP trap receiver.
Syntax
set snmp traps receiver <receiver> version { v2 [ community <community> ] |

v3 [ user <user> ] }
Parameters
community Community name of the receivers trap, public is default for version2 users
receiver Receivers IP address that the trap associated with
Type: IP address
user SNMP version3 Defined user
version SNMP Version, options are: v2 or v3
Example
set snmp traps receiver 192.168.1.1 version v2 community word
set snmp-traps
set snmp-traps
Description
Configure, enable or disable traps from the list, the enabled traps are sent to the trap receivers.
Syntax
set snmp traps { enable | disable }
Parameters
snmpTrapsEnable snmpTrapsEnable
Example
set snmp traps true
set snmp-traps
set snmp-traps
Description
Configure, enable or disable traps from the list, the enabled traps are sent to the trap receivers.
Syntax
set snmp traps trap-name <trap-name> [ enable <enable> ] [ severity

<severity> ] [ repetitions <repetitions> ] [ repetitions-delay
<repetitions-delay> ] [ threshold <threshold> ]
Parameters
enable Enable or disable whether a trap is sent for the specific event.
repetitions Repetitions on trap sending times between 0 - 10, optional field.
Type: A number with no fractional part (integer).
repetitions-delay Wait time (in seconds) between sending each trap, optional field.
severity Trap hazardous level, optional field, severity of the trap between 1 - 4.
threshold The mathematical value associated with the thresholds.
trap-name Trap event name.
Options: trap-name
Example
set snmp traps trap-name interface-disconnected enable true severity -

1000000 repetitions -1000000 repetitions-delay -1000000 threshold -1000000
set-snmp-traps
set-snmp-traps
Description
Configured destinations to receive traps sent by the SNMP agent. A trap is how the SNMP agent notifies the
administrator that something is wrong.
Syntax
set snmp traps receiver <receiver> version { v2 [ community <community> ] |

v3 [ user <user> ] }
Parameters
community Community name of the receivers trap, public is default for version2 users.
receiver Receivers IP address that the trap is associated with.
Type: IP address
user SNMP version3 Defined user.
version SNMP Version, options are: v2 or v3.
Example
set snmp traps receiver 192.168.1.1 version v2 community word
show snmp traps
show snmp traps
Description
Shows SNMP traps status.
Syntax
show snmp traps status
Parameters
n/a
Example
show snmp traps status
delete snmp traps-receivers
delete snmp traps-receivers
Description
Deletes all configured SNMP trap receivers.
Syntax
delete snmp traps-receivers all
Parameters
n/a
Example
delete snmp traps-receivers all
show snmp traps receivers
Description
Shows all SNMP trap receivers.
Syntax
Parameters
n/a
Example
show snmp traps enabled-traps
Description
Shows all SNMP traps.
Syntax
Parameters
n/a
Example
snmp user
snmp user
delete snmp user
delete snmp user
Description
Deletes a configured SNMP user by name.
Syntax
delete snmp user <user-name>
Parameters
user-name version3 user name
Example
delete snmp user admin
set snmp user
set snmp user
Description
Configures an existing SNMP user.
Syntax
set snmp user <user-name> security-level { true [ auth-pass-type <auth-

pass-type> ] [ auth-pass-phrase <auth-pass-phrase> ] [ privacy-pass-type
<privacy-pass-type> ] [ privacy-pass-phrase <privacy-pass-phrase> ] | false
[ auth-pass-type <auth-pass-type> ] [ auth-pass-phrase <auth-pass-phrase> ]
}
Parameters
auth-pass-phrase Authentication password for the SNMP version3 user
auth-pass-type Authentication protocol type for the version3 user, options are: MD5 or SHA1
Options: MD5, SHA1
privacy-pass-phrase Privacy password chosen by the version3 user in case privacy is set
privacy-pass-type Privacy protocol type for the version3 user, options are: AES or DES
Options: AES, DES
security-level Does Privacy protocol for this version3 user was set in the security level
Example
set snmp user admin security-level true auth-pass-type MD5 auth-pass-phrase

a(&7Ba privacy-pass-type AES privacy-pass-phrase a(&7Ba
show snmp user
show snmp user
Description
Shows the configuration of SNMP user.
Syntax
show snmp user <user-name>
Parameters
Example
show snmp user admin
show snmp users
show snmp users
Description
Shows the configuration of all SNMP users.
Syntax
show snmp users
Parameters
n/a
Example
show snmp users
delete snmp users
delete snmp users
Description
Deletes all configured SNMP users.
Syntax
delete snmp users all
Parameters
n/a
Example
delete snmp users all
show software version
show software version
Description
Shows the version of the current software.
Syntax
show software-version | ver
Parameters
n/a
Example
show software-version
Output
Success shows the software version of the appliance. Failure shows an appropriate error message.
ssl-inspection advanced-settings
ssl-inspection advanced-settings
set ssl-inspection advanced-settings
Description
Configure advanced settings for SSL Inspection.
Syntax
set ssl-inspection advanced-settings [ bypass-well-known-update-services

<bypass-well-known-update-services> ] [ validate-crl <validate-crl> ] [
validate-cert-expiration <validate-cert-expiration> ] [ validate-
unreachable-crl <validate-unreachable-crl> ] [ track-validation-errors
<track-validation-errors> ] [ retrieve-intermediate-ca-certificate
<retrieve-intermediate-ca-certificate> ] [ log-empty-ssl-connections <log-
empty-ssl-connections> ] [ additional-https-ports <additional-https-ports>
] [ validate-untrusted-certificates <validate-untrusted-certificates>]
Parameters
additional-https-ports Additional HTTPS ports for ssl inspection (a comma separated list
ofports/ranges)
Type: Port range
bypass-well-known- Bypass HTTPS Inspection of traffic to well known software update services
update-services Type: Boolean (true/false)
log-empty-ssl- Log connections that were terminated by the client before data was sent - might
connections indicate the client did not install CA certificate
retrieve-intermediate- Indicates if the SSL inspection mechanism will perform it's validations on all
ca-certificate intermidate CA certificates in the certificate chain
track-validation-errors Choose if the SSL Inspection validations are tracked
validate-cert- Indicates if the SSL inspection mechanism will drop connections that present an
expiration expired certificate
validate-crl Indicates if the SSL inspection mechanism will drop connections that present a
revoked certificate
validate-unreachable- Indicates if the SSL inspection mechanism will drop connections that present a
crl certificate with an unreachable CRL
validate-untrusted- Indicates if the SSL inspection mechanism will drop connections that present an
certificates untrusted server certificate
Example
set ssl-inspection advanced-settings bypass-well-known-update-services true

validate-crl true validate-cert-expiration true validate-unreachable-crl
true track-validation-errors none retrieve-intermediate-ca-certificate true
log-empty-ssl-connections true additional-https-ports 8080-8090 validate-
untrusted-certificates true
show ssl-inspection advanced-settings
Description
Show advanced settings for SSL Inspection.
Syntax
Parameters
n/a
Example
ssl-inspection exception
ssl-inspection exception
add ssl-inspection exception
Description
Add a new exception to bypass SSL Inspection policy for specific traffic.
Syntax
add ssl-inspection exception [ source <source> ] [ source-negate <source-

negate> ] [ destination <destination> ] [ destination-negate <destination-
negate> ] [ service <service> ] [ service-negate <service-negate> ] [ { [
category-name <category-name> ] | [ category-id <category-id> ] } ] [
category-negate <category-negate> ] [ comment <comment> ] [ track <track> ]
[ disabled <disabled> ]
Parameters
category-id Application or custom application name
category-name Application or custom application name
category-negate If true, the category is all traffic except what is defined in the category field
@
disabled Indicates if the exception is disabled
service The network service object that the exception should match to
track The action taken when there is a match on the rule
Example
add ssl-inspection exception source TEXT source-negate true destination

TEXT destination-negate true service TEXT service-negate true category-name
TEXT category-negate true comment This is a comment. track none disabled
true
delete ssl-inspection exception
Delete an existing SSL Inspection policy exception.
Description
Syntax
delete ssl-inspection exception position <position>
Parameters
position The index of exception
Example
delete ssl-inspection exception position 2
Description
Syntax
delete ssl-inspection exception all
Parameters
n/a
Example
delete ssl-inspection exception all
set ssl-inspection exception
Description
Configure an existing SSL Inspection policy exception.
Syntax
set ssl-inspection exception position <position> [ source <source>
] [ source-negate <source-negate> ] [ destination <destination> ] [

destination-negate <destination-negate> ] [ service <service> ] [
service-negate <service-negate> ] [ { [ category-name <category-name> ] |
[ category-id <category-id> ] } ] [ category-negate <category-negate> ] [
comment <comment> ] [ track <track> ] [ disabled <disabled> ]
Parameters
category-id Application or custom application name
category-name Application or custom application name
category-negate If true, the category is all traffic except what is defined in the category field
@
disabled Indicates if the exception is disabled
service The network service object that the exception should match to
track The action taken when there is a match on the rule
Example
set ssl-inspection exception position 2 source TEXT source-negate true

destination TEXT destination-negate true service TEXT service-negate true
category-name TEXT category-negate true comment "This is a comment." track
none disabled true
show ssl-inspection exception
show ssl-inspection exception
Description
Show the configuration of a specific SSL Inspection policy exception.
Syntax
show ssl-inspection exception position <position> position <position>
Parameters
Example
show ssl-inspection exception position 2 position 2
show ssl-inspection exceptions
show ssl-inspection exceptions
Description
Show all configured SSL Inspection policy exceptions.
Syntax
show ssl-inspection exceptions position <position>
Parameters
Example
show ssl-inspection exceptions position 2
ssl-inspection policy
ssl-inspection policy
set ssl-inspection policy
Description
Configure SSL Inspection policy.
Syntax
set ssl-inspection policy [ mode <mode> ] [ log-policy-bypass-traffic <log-

policy-bypass-traffic> ] [ log-inspected-traffic <log-inspected-traffic> ]
[ bypass-health-category-traffic <bypass-health-category-traffic> ] [
bypass-government-and-military-category-traffic <bypass-government-and-
military-category-] [ bypass-banking-category-traffic <bypass-banking-
category-traffic>] [ bypass-other-categories-traffic <bypass-other-
categories-traffic> ] [ bypass-streaming-category-traffic <bypass-
streaming-category-traffic> ] [ bypass-trusted-wireless-ssl-inspection
<bypass-trusted-wireless-ssl-inspection> ] [ bypass-untrusted-wireless-ssl-
inspection <bypass-untrusted-wireless-ssl-inspection> ] [ bypass-well-
known-update-services <bypass-well-known-update-services> ]
Parameters
bypass-banking-category- Bypass banking category traffic
traffic Type: Boolean (true/false)
bypass-government-and- Bypass government category traffic
military-category-traffic Type: Boolean (true/false)
bypass-health-category- Bypass health category traffic
bypass-other-categories- Bypass other categories traffic
bypass-streaming- Bypass streaming category traffic
category-traffic Type: Boolean (true/false)
bypass-trusted-wireless- Bypass SSL inspection on trusted wireless networks
ssl-inspection Type: Boolean (true/false)
bypass-untrusted- Bypass SSL inspection on untrusted wireless networks
wireless-ssl-inspection Type: Boolean (true/false)
bypass-well-known- Bypass HTTPS Inspection of traffic to well known software update services
update-services Type: Boolean (true/false)
log-inspected-traffic Generates an SSL inspection log. You can see the logs of the security
policy that is enforced on SSL traffic without enabling this feature.
log-policy-bypass-traffic Generate an SSL bypass log for SSL traffic that was not inspected by SSL
inspection
mode Indicates if SSL inspection feature is active
Example
set ssl-inspection policy mode true log-policy-bypass-traffic true log-

inspected-traffic true bypass-health-category-traffic true bypass-
government-and-military-category-traffic true bypass-banking-category-
traffic true bypass-other-categories-traffic true bypass-streaming-
category-traffic true bypass-trusted-wireless-ssl-inspection true bypass-
untrusted-wireless-ssl-inspection true bypass-well-known-update-services
true
set ssl-inspection policy https-categorization-only-mode
set ssl-inspection policy https-categorization-
only-mode
Description
Allow URL filtering for HTTPS sites and applications based on server's certificate without activating SSL
traffic inspection.
Syntax
set ssl-inspection policy https-categorization-only-mode { on }
Parameters
https-categorization-only-mode HTTPS categorization only cane be enabled via HTTPS service
Example
set ssl-inspection policy https-categorization-only-mode true
set ssl-inspection policy inspect-https-protocol
set ssl-inspection policy inspect-https-protocol
Description
Enable SSL Inspection policy to inspect HTTPS protocol. Note- SSL Inspection must be enabled first.
Syntax
set ssl-inspection policy inspect-https-protocol { true | false }
Parameters
true/false true - Enabled
false - Disabled
Example
set ssl-inspection policy inspect-https-protocol true
set ssl-inspection policy inspect-imaps-protocol
set ssl-inspection policy inspect-imaps-protocol
Description
Enable SSL Inspection policy to inspect IMAPS protocol. Note- SSL Inspection must be enabled first.
Syntax
set ssl-inspection policy inspect-imaps-protocol { true | false }
Parameters
true/false true - Enabled
false - Disabled
Example
set ssl-inspection policy inspect-imaps-protocol true
show ssl-inspection policy
Description
Show SSL Inspection policy.
Syntax
Parameters
n/a
Example
delete ssl-network-extender
Description
Forces a manual deletion of the SSL network extender, thus forcing the gateway to re-download the latest
version of the extender from the cloud.
Syntax
Parameters
n/a
Example
stateful-inspection
Set and show results of stateful inspection.
set stateful-inspection
Description
Configure stateful inspection advanced settings.
Description
Syntax
set stateful-inspection advanced-settings tcp-end-timeout <tcp-end-timeout>
Parameters
n/a
Example
set stateful-inspection advanced-settings tcp-end-timeout -1000
Description
Syntax
set stateful-inspection advanced-settings other-timeout <other-timeout>
Parameters
n/a
Example
set stateful-inspection advanced-settings other-timeout -1000
Description
Syntax
set stateful-inspection advanced-settings icmp-reply <icmp-reply>
Parameters
n/a
Example
set stateful-inspection advanced-settings icmp-reply true
Description
Syntax
set stateful-inspection advanced-settings dpi-lan-dmz <dpi-lan-dmz>
Parameters
n/a
Example
set stateful-inspection advanced-settings dpi-lan-dmz true
Description
Syntax
set stateful-inspection advanced-settings tcp-timeout <tcp-timeout>
Parameters
n/a
Example
set stateful-inspection advanced-settings tcp-timeout -1000
Description
Syntax
set stateful-inspection advanced-settings udp-timeout <udp-timeout>
Parameters
n/a
Example
set stateful-inspection advanced-settings udp-timeout -1000
Description
Syntax
set stateful-inspection advanced-settings other-reply <other-reply>
Parameters
n/a
Example
set stateful-inspection advanced-settings other-reply true
Description
Syntax
set stateful-inspection advanced-settings fw-allow-out-of-state-tcp <fw-

allow-out-of-state-tcp>
Parameters
n/a
Example
set stateful-inspection advanced-settings fw-allow-out-of-state-tcp -1000
Description
Syntax
set stateful-inspection advanced-settings fw-log-out-of-state-tcp <fw-log-

out-of-state-tcp>
Parameters
n/a
Example
set stateful-inspection advanced-settings fw-log-out-of-state-tcp -10000
Description
Syntax
set stateful-inspection advanced-settings udp-reply <udp-reply>
Parameters
n/a
Example
set stateful-inspection advanced-settings udp-reply true
Description
Syntax
set stateful-inspection advanced-settings allow-ipv6 <allow-ipv6>
Parameters
n/a
Example
set stateful-inspection advanced-settings allow-ipv6 true
Description
Syntax
set stateful-inspection advanced-settings icmp-errors <icmp-errors>
Parameters
n/a
Example
set stateful-inspection advanced-settings icmp-errors true
Description
Syntax
set stateful-inspection advanced-settings fw-drop-out-of-state-icmp <fw-

drop-out-of-state-icmp>
Parameters
n/a
Example
set stateful-inspection advanced-settings fw-drop-out-of-state-icmp true
Description
Syntax
set stateful-inspection advanced-settings icmp-timeout <icmp-timeout>
Parameters
n/a
Example
set stateful-inspection advanced-settings icmp-timeout -10000
Description
Syntax
set stateful-inspection advanced-settings dpi-lan-lan <dpi-lan-lan>
Parameters
n/a
Example
set stateful-inspection advanced-settings dpi-lan-lan true
Description
Configure stateful inspections advanced settings.
Syntax
set stateful-inspection advanced-settings tcp-start-timeout <tcp-start-

timeout>
Parameters
n/a
Example
set stateful-inspection advanced-settings tcp-start-timeout -1000
Description
Syntax
set stateful-inspection advanced-settings fw-log-out-of-state-icmp <fw-log-

out-of-state-icmp>
Parameters
n/a
Example
set stateful-inspection advanced-settings fw-log-out-of-state-icmp -10000
show stateful-inspection
Description
Show stateful inspection advanced settings.
Syntax
show stateful-inspection advanced-settings
Parameters
n/a
Example
show stateful-inspection advanced-settings
Output
static-route
static-route
add static-route
add static-route
Description
Adds a new manually configured routing rule.
Syntax
add static-route [ source <source> ] [ service <service> ] [ destination

<destination> ] [ nexthop gateway { logical <logical> | ipv4-address <ipv4-
address> } ] [ metric <metric> ]
Parameters
destination IP address and subnet length of the destination of the packet in the format
IP/subnet. e.g. 192.168.0.0/16
Type: An IP address with a mask length
metric Metric
service Route service name
Type: String
source IP address and subnet length of the source of the packet in the format IP/subnet. e.g.
192.168.1.0/24
Example
add static-route source 172.15.47.0/24 service TEXT destination

172.15.47.0/24 nexthop gateway logical My_Network metric 10
add static-route
Description
Add static route monitoring.
Syntax
add static-route [ source ] [ service ] [ destination ] [ nexthop gateway

monitored-ip <Monitored IP Address> {on | off} monitored-ip-option {fail-
all | fail-any | off} { logical | ipv4-address } ] [ metric ]
add static-route
Parameters
destination IP address and subnet length of the destination of the packet in the format IP/subnet
e.g. 192.168.0.0/16.
metric Metric Type: A number with no fractional part (integer)
Type: String
192.168.1.0/24
monitored-ip Remote IPv4 address to monitor for the next hop gateway.
Up to three unique addresses can be added here (in separate commands). The address
is followed by "on" or "off": "on" means this address is being added, while "off" removes
it.
monitored-ip- The failure condition and flavor for the configured monitored IP address(es).
option Options:
n fail-all - - Fails the next hop gateway when all monitored IP addresses become
unreachable. Restores the next hop.
n fail_any- Fails the next hop gateway when one of the monitored IP addresses
becomes unreachable.
n off
Example
add static-route service HTTP nexthop gateway monitored-ip 172.15.47.0 on

monitored-ip-option fail-all logical internet
set static-route
set static-route
Description
Configures an existing manually configured route rule.
Syntax
set static-route <id> [ source <source> ] [ service <service> ] [

destination <destination> ] [ nexthop gateway { logical <logical> |
ipv4-address <ipv4-address> } ] [ metric <metric> ] [ disabled <disabled> ]
Parameters
destination IP address and subnet length of the destination of the packet in the format IP/subnet.
e.g. 192.168.0.0/16
disabled Is rule disabled
id id
metric Metric
Type: String
192.168.1.0/24
Example
set static-route 15 source 172.15.47.0/24 service TEXT destination

172.15.47.0/24 nexthop gateway logical My_Network metric 15 disabled true
delete static-route
delete static-route
Description
Deletes a manually defined routing rule.
Syntax
delete static-route <id>
Parameters
id The rule order as shown in "show static-routes"
Example
delete static-route 3
delete static-routes
Description
Deletes all manually defined static routing rules.
Syntax
Parameters
n/a
Example
show static-routes
show static-routes
Description
Shows all static routes.
Syntax
show static-routes
Parameters
n/a
Example
show static-routes
streaming-engine-settings
streaming-engine-settings
set streaming-engine-settings
Configures the streaming engine settings.
Description
Syntax
set streaming-engine-settings [ tcp-block-out-of-win-mon-only <tcp-block-

out-of-win-mon-only> ] [ tcp-block-out-of-win-track <tcp-block-out-of-win-
track> ] [ tcp-block-retrans-err-mon-only <tcp-block-retrans-err-mon-only>
] [ tcp-block-retrans-err-track <tcp-block-retrans-err-track> ] [ tcp-
block-syn-retrans-mon-only <tcp-block-syn-retrans-mon-only> ] [ tcp-block-
syn-retrans-track <tcp-block-syn-retrans-track> ] [ tcp-block-urg-bit-mon-
only <tcp-block-urg-bit-mon-only> ] [ tcp-block-urg-bit-track <tcp-block-
urg-bit-track> ] [ tcp-hold-timeout-mon-only <tcp-hold-timeout-mon-only> ]
[ tcp-hold-timeout-track <tcp-hold-timeout-track> ] [ tcp-invalid-checksum-
mon-only <tcp-invalid-checksum-mon-only> ] [ tcp-invalid-checksum-track
<tcp-invalid-checksum-track> ] [ tcp-segment-limit-mon-only <tcp-segment-
limit-mon-only> ] [ tcp-segment-limit-track <tcp-segment-limit-track>
Parameters
tcp-block-out-of-win-mon-only TCP Out of Sequence activation mode
Options: prevent, detect
tcp-block-out-of-win-track TCP Out of Sequence tracking
tcp-block-retrans-err-mon-only TCP Invalid Retransmission activation mode
tcp-block-retrans-err-track TCP Invalid Retransmission tracking
tcp-block-syn-retrans-mon- only TCP SYN Modified Retransmission activation mode
tcp-block-syn-retrans-track TCP SYN Modified Retransmission tracking
tcp-block-urg-bit-mon-only TCP Urgent Data Enforcement activation mode
tcp-block-urg-bit-track TCP Urgent Data Enforcement tracking
tcp-hold-timeout-mon-only Stream Inspection Timeout activation mode
tcp-hold-timeout-track Stream Inspection Timeout tracking
tcp-invalid-checksum- mon-only TCP Invalid Checksum activation mode
tcp-invalid-checksum-track TCP Invalid Checksum tracking
tcp-segment-limit-mon-only TCP Segment Limit Enforcement activation mode
tcp-segment-limit-track TCP Segment Limit Enforcement tracking
Example
set streaming-engine-settings tcp-block-out-of-win-mon-only prevent tcp-

block-out-of-win-track none tcp-block-retrans-err-mon-only prevent tcp-
block-retrans-err-track none tcp-block-syn-retrans-mon-only prevent tcp-
block-syn-retrans-track none tcp-block-urg-bit-mon-only prevent tcp-block-
urg-bit-track none tcp-hold-timeout-mon-only prevent tcp-hold-timeout-track
none tcp-invalid-checksum-mon-only prevent tcp-invalid-checksum-track none
tcp-segment-limit-mon-only prevent tcp-segment-limit-track none
Description
Syntax
set streaming-engine-settings advanced-settings tcp-streaming-engine-

setting-form [ tcp-block-urg-bit-track <tcp-block-urg-bit-track> ] [ tcp-
block-retrans-err-track <tcp-block-retrans-err-track> ] [ tcp-block-syn-
retrans-track <tcp-block-syn-retrans-track> ] [ tcp-invalid-checksum-track
<tcp-invalid-checksum-track> ] [ tcp-block-out-of-win-mon-only <tcp-block-
out-of-win-mon-only> ] [ tcp-block-out-of-win-track <tcp-block-out-of-win-
track> ] [ tcp-block-retrans-err-mon-only <tcp-block-retrans-err-mon-only>
] [ tcp-block-syn-retrans-mon-only <tcp-block-syn-retrans-mon-only>] [ tcp-
invalid-checksum-mon-only <tcp-invalid-checksum-mon-only> ] [ tcp-segment-
limit-track <tcp-segment-limit-track> ] [ tcp-block-urg-bit-mon-only <tcp-
block-urg-bit-mon-only> ] [ tcp-segment-limit-mon-only <tcp-segment-limit-
mon-only> ] [ tcp-hold-timeout-mon-only <tcp-hold-timeout-mon-only> ] [
tcp-hold-timeout-track <tcp-hold-timeout-track>]
Parameters
n/a
Example
set streaming-engine-settings advanced-settings tcp-streaming-engine-

setting-form tcp-block-urg-bit-track none tcp-block-retrans-err-track none
tcp-block-syn-retrans-track none tcp-invalid-checksum-track none tcp-block-
out-of-win-mon-only prevent tcp-block-out-of-win-track none tcp-block-
retrans-err-mon-only prevent tcp-block-syn-retrans-mon-only prevent tcp-
invalid-checksum-mon-only prevent tcp-segment-limit-track none tcp-block-
urg-bit-mon-only prevent tcp-segment-limit-mon-only prevent tcp-hold-
timeout-mon-only prevent tcp-hold-timeout-track none
show streaming-engine-settings
Shows streaming engine settings.
Description
Shows streaming engine settings.
Syntax
Parameters
n/a
Example
Description
Shows streaming engine advanced settings.
Syntax
show streaming-engine-settings advanced-settings
Parameters
n/a
Example
show streaming-engine-settings advanced-settings
switch
switch
add switch
add switch
Description
Adds a new Port-based VLAN switch object. The physical LAN ports can take part in a "switch" object which
passes traffic between those ports in the hardware level (traffic doesn't undergo inspection as it is not routed
between those ports). In essence the "switch" combines physical LAN ports into a single network.
Syntax
add switch name <name>
Parameters
name Name
Type: A switch name should be LAN[1-8]_Switch
Example
add switch name LAN2_Switch
delete switch
delete switch
Description
Deletes a defined port-based VLAN switch object by name.
Syntax
delete switch <name>
Parameters
name Name
Example
delete switch LAN2_Switch
set switch
set switch
Configures an existing port-based VLAN (switch).
set switch
set switch
Description
Add a physical port to an existing port-based VLAN (switch).
Syntax
set switch <name> add port <port>
Parameters
name Name
port Name
Example
set switch LAN2_Switch add port LAN4
set switch
set switch
Description
Removes a physical port from an existing port-based VLAN (switch).
Syntax
set switch <name> remove port <port>
Parameters
name Name
port Name
Example
set switch LAN2_Switch remove port LAN4
show switch
show switch
Shows port-based VLAN (switch) configuration.
show switch
show switch
Description
Shows port-based VLAN (switch) configuration.
Syntax
show switch <name>
Parameters
name Name
Example
show switch LAN2_Switch
show switch
show switch
Description
Shows ports within a configured port-based VLAN (switch) configuration.
Syntax
show switch <name> ports
Parameters
name Name
Example
show switch LAN2_Switch ports
show switches
show switches
Description
Shows all port-based VLANs (switches).
Syntax
show switches
Parameters
n/a
Example
show switches
syslog-server
syslog-server
add syslog-server
add syslog-server
Description
Adds a new external syslog server. The appliance can send its syslog information to multiple syslog servers
and can also be configured to relay its security logs to external syslog servers.
Syntax
add syslog-server ipv4-address <ipv4-address> [ port <port> ] [ enabled

<enabled> ] name <name> [ sent-logs <sent-logs> ]
Parameters
enabled Determine if an external System Log Server is active
ipv4-address The desired external System Log Server IP address
Type: IP address
name System Log Server name
port Port in the external System Log Server that receives the logs (default is 514)
Type: Port number
sent-logs Determine which logs types will be sent to the System Log Server
Options: system-logs, security-logs, system-and-security-logs
Example
add syslog-server ipv4-address 192.168.1.1 port 8080 enabled true name

several words sent-logs system-logs
add-syslog-server protocol tls
add-syslog-server protocol tls
Description
Adds a new external syslog server for the TLS protocol.
Syntax
add syslog-server protocol tls
Parameters
n/a
Example
add syslog-server protocol tls
delete syslog-server
Deletes a configured external syslog server.
Description
Deletes a configured external syslog server by IP address.
Syntax
delete syslog-server ipv4-address <ipv4-address>
Parameters
Type: IP address
Example
delete syslog-server ipv4-address 192.168.1.1
Description
Deletes a configured external syslog server by name.
Syntax
delete syslog-server name <name>
Parameters
Example
delete syslog-server name syslog_server_name
set syslog-server
set syslog-server
Configure an existing syslog server's settings.
set syslog-server
set syslog-server
Description
Configure an existing syslog server's settings by IP address.
Syntax
set syslog-server ipv4-address <ipv4-address> [ ipv4-address <ipv4-address>
] [ enabled <enabled> ] [ name <name> ] [ port <port> ] [ sent-logs <sent-

logs> ]
Parameters
Type: IP address
Type: Port number
Example
set syslog-server ipv4-address 192.168.1.1 ipv4-address 192.168.1.1 enabled

true name several words port 8080 sent-logs system-logs
set syslog-server
set syslog-server
Description
Configure an existing syslog server's settings by name.
Syntax
set syslog-server name <name> [ ipv4-address <ipv4-address> ] [ enabled

<enabled> ] [ name <name> ] [ port <port> ] [ sent-logs <sent-logs> ]
Parameters
Type: IP address
Type: Port number
Example
set syslog-server name several words ipv4-address 192.168.1.1 enabled true

name several words port 8080 sent-logs system-logs
show syslog-server
show syslog-server
Shows configuration of external syslog servers.
show syslog-server
show syslog-server
Description
Shows configuration of an external syslog server by IP address.
Syntax
show syslog-server ipv4-address <ipv4-address>
Parameters
Type: IP address
Example
show syslog-server ipv4-address 192.168.1.1
show syslog-server
show syslog-server
Description
Shows configuration of an external syslog server by name.
Syntax
show syslog-server name <name>
Parameters
Example
show syslog-server name several words
show syslog-server all
Description
Shows configuration of all external syslog servers.
Syntax
Parameters
n/a
Example
system-settings
Relevant commands for system settings.
show system-settings is-custom-branding
Description
Shows whether white labeling has been enabled and the appliance has been customized with a particular
brand.
Syntax
Parameters
n/a
Example
traceroute-max-ttl
traceroute-max-ttl
Description
The maximal value for TTL field for a packet to be considered as a traceroute
Syntax
set stateful_inspection advanced-settings traceroute-max-ttl <value>
Parameters
value Integer between 0 and 64.
Default: 29
Example
set stateful_inspection advanced-settings traceroute-max-ttl 0
threat-prevention-advanced
threat-prevention-advanced
set threat-prevention-advanced
set threat-prevention-advanced
Description
Configures advanced settings for Threat Prevention blades.
Syntax
set threat-prevention-advanced advanced-settings file-inspection-size-kb

<file-inspection-size-kb>
Parameters
n/a
Example
set threat-prevention-advanced advanced-settings file-inspection-size-kb

15000
show threat-prevention-advanced
show threat-prevention-advanced
Description
Shows advanced settings for the Threat Prevention blades.
Syntax
show threat-prevention-advanced advanced-settings
Parameters
n/a
Example
show threat-prevention-advanced advanced-settings
threat-prevention anti-bot
threat-prevention anti-bot
set threat-prevention anti-bot engine
set threat-prevention anti-bot engine
Description
Configures the engine settings of the <tp_bot> blade.
Syntax
set threat-prevention anti-bot engine [ malicious-activity <malicious-

activity> ] [ reputation-domains <reputation-domains> ] [ reputation-ips
<reputation-ips> ] [ reputation-urls <reputation-urls> ] [ unusual-activity
<unusual-activity>]
Parameters
malicious- Indicates if the action upon detecting malicious activity will be according to the policy
activity settings or a manually configured specific action
Options: ask, prevent, detect, inactive, policy-action
reputation- Indicates if the action upon detecting attempted access to domains with a bad
domains reputation will be according to the policy or a manually configured specific action
reputation-ips Indicates if the action upon detecting attempted access to IP addresses with a bad
reputation will be according to the policy or a manually configured specific action
reputation- Indicates if the action upon detecting attempted access to URLs with a bad reputation
urls will be according to the policy or a manually configured specific action
unusual- Indicates if the action upon detecting unusual activity will be according to the policy or a
activity manually configured specific action
Example
set threat-prevention anti-bot engine malicious-activity ask reputation-

domains ask reputation-ips ask reputation-urls ask unusual-activity ask
show threat-prevention anti-bot engine
Description
Shows the engine settings of the Anti-Bot blade.
Syntax
Parameters
n/a
Example
set threat-prevention anti-bot policy
Configures the policy of the Anti-Bot blade.
Description
Configures the policy of the Anti-Bot blade.
Syntax
set threat-prevention anti-bot policy [ mode <mode> ] [ detect-mode

<detect-mode> ]
Parameters
detect-mode Indicates if the Anti-Bot blade is set to 'Detect Only' mode
mode Indicates if the Anti-Bot blade is active
Example
set threat-prevention anti-bot policy mode true detect-mode true
Description
Configures advanced settings of the Anti-Bot blade.
Syntax
set threat-prevention anti-bot policy advanced-settings res-class-mode

<res-class-mode>
Parameters
n/a
Example
set threat-prevention anti-bot policy advanced-settings res-class-mode rs-

hold
show threat-prevention anti-bot policy
Shows the policy of the Anti-Bot blade.
Description
Shows the policy of the Anti-Bot blade.
Syntax
Parameters
n/a
Example
Description
Shows the advanced settings of the Anti-Bot blade.
Syntax
show threat-prevention anti-bot policy advanced-settings
Parameters
n/a
Example
show threat-prevention anti-bot policy advanced-settings
set threat-prevention anti-bot user-check ask
set threat-prevention anti-bot user-check ask
Description
Syntax
set threat-prevention anti-bot user-check ask [ body <body> ] [ activity-

text <activity-text> ] [ fallback-action <fallback-action> ] [ frequency
<frequency> ] [ subject <subject> ] [ title <title> ] [ reason-displayed
<reason-displayed> ]
Parameters
activity-text This text appears next to the 'ignore warning' checkbox of an Anti-Bot 'Ask' user
message
body The informative text that appears in the Anti-Bot 'Ask' user message
fallback-action Indicates the action to take when an 'Ask' user message cannot be displayed
frequency Indicates how often is the Anti-Bot 'Ask' user message is being presented to the same
user
subject The subject of an Anti-Bot 'Ask' user message
title The title of an Anti-Bot 'Ask' user message
Example
set threat-prevention anti-bot user-check ask body My Network activity-text

My Network fallback-action block frequency day subject My Network title My
Network reason-displayed true
show threat-prevention anti-bot user-check ask
Description
Shows the settings of the customizable "ask" message shown to users upon match on browser based traffic.
Syntax
Parameters
n/a
Example
set threat-prevention anti-bot user-check block
set threat-prevention anti-bot user-check block
Description
Syntax
set threat-prevention anti-bot user-check block [ body <body> ] [ redirect-

url <redirect-url> ] [ subject <subject> ] [ title <title> ] [ redirect-to-
url <redirect-to-url> ]
Parameters
body The informative text that appears in the Anti-Bot 'Block' user message
Type: urlWithHttp
subject The subject of an Anti-Bot 'Block' user message
title The title of an Anti-Bot 'Block' user message
Example
set threat-prevention anti-bot user-check block body My Network redirect-

url urlWithHttp subject My Network title My Network redirect-to-url true
show threat-prevention anti-bot user-check block
show threat-prevention anti-bot user-check
block
Description
Shows the settings of the customizable "block" message shown to users upon Anti-Bot match on browser
based traffic.
Syntax
Parameters
n/a
Example
threat-prevention anti-virus
threat-prevention anti-virus
set threat-prevention anti-virus engine
set threat-prevention anti-virus engine
Description
Configures the engine settings of the Anti-Virus blade
Syntax
set threat-prevention anti-virus engine [ urls-with-malware <urls-with-

malware> ] [ viruses <viruses> ]
Parameters
urls-with- Indicates if the action upon detecting access to and from URLs with a bad reputation will
malware be according to the policy or a manually configured specific action
viruses Indicates if the action upon detecting viruses will be according to the policy or a
manually configured specific action
Example
set threat-prevention anti-virus engine urls-with-malware ask viruses ask
show threat-prevention anti-virus engine
Description
Shows the engine settings of the Anti-Virus blade.
Syntax
Parameters
n/a
Example
add threat-prevention anti-virus file-type
add threat-prevention anti-virus file-type
Description
Adds a new custom file type according to extension, to be handled by the Anti-Virus file type handling
mechanism. An action for the Anti-Virus blade is also configured for this new custom file type.
Syntax
add threat-prevention anti-virus file-type extension <extension> [ action

<action> ] [ description <description> ]
Parameters
action Indicates the action when the file type is detected
Options: block, pass, scan
description The file description
extension File extension that represents this file type
Example
add threat-prevention anti-virus file-type extension "This is a comment."

action block description This is a comment.
delete threat-prevention anti-virus file-type
Description
Deletes a manually configured custom file type according to extension.
Syntax
delete threat-prevention anti-virus file-type extension <extension>
Parameters
Example
delete threat-prevention anti-virus file-type extension pdf
set threat-prevention anti-virus file-type
set threat-prevention anti-virus file-type
Description
Configure a specific action of the Anti-Virus blade for a specific file extension.
Syntax
set threat-prevention anti-virus file-type extension <extension> [ action

Parameters
Options: block, pass, scan
Example
set threat-prevention anti-virus file-type extension pdf action block

description "This is a comment."
show threat-prevention anti-virus file-type
show threat-prevention anti-virus file-type
Description
Shows the Anti-Virus blade configuration for a specific file type.
Syntax
show threat-prevention anti-virus file-type extension <extension>
Parameters
Example
show threat-prevention anti-virus file-type extension pdf
show threat-prevention anti-virus file-types
Description
Shows the Anti-Virus blade configuration for all defined file types.
Syntax
Parameters
n/a
Example
delete threat-prevention anti-virus file-type custom
custom
Description
Deletes all manually configured custom file types.
Syntax
delete threat-prevention anti-virus file-type custom all
Parameters
n/a
Example
delete threat-prevention anti-virus file-type custom all
set threat-prevention anti-virus policy
Configures the policy of the Anti-Virus blade.
Description
Configures the policy of the Anti-Virus blade.
Syntax
set threat-prevention anti-virus policy [ mode <mode> ] [ detect-mod

<detect-mode> ] [ scope <scope> [ interfaces <interfaces> ] ] [ protocol-
http <protocol-http> ] [ protocol-mail <protocol-mail> ] [ protocol-ftp
<protocol-ftp> ] [ file-types-policy <file-types-policy> ]
Parameters
detect-mode Indicates if the Anti-Virus blade is set to 'Detect Only' mode
file-types- Indicates the file types that are inspected by the Anti-Virus blade: malware (known to
policy contain malware), all (all file types), specific (configured file families)
Options: malware, all-types, specific-families
interfaces Indicates the source zones for inspected incoming files: External, External and DMZ or
all interfaces
Options: all, external, external-dmz
mode Indicates if the Anti-Virus blade is active
protocol-ftp Indicates if Anti-Virus inspection will be performed on FTP traffic
protocol-http Indicates if Anti-Virus inspection will be performed on all configured ports of HTTP traffic
protocol-mail Indicates if Anti-Virus inspection will be performed on mail traffic (SMTP and POP3)
scope Indicates the source of scanned filed: Scan incoming files, or scan both incoming and
outgoing files
Options: incoming, incoming-and-outgoing
Example
set threat-prevention anti-virus policy mode true detect-mode true scope

incoming interfaces all protocol-http true protocol-mail true protocol-ftp
true file-types-policy malware
Description
Configures advanced settings of the Anti-Virus blade.
Syntax
set threat-prevention anti-virus policy advanced-settings priority-scanning

<priority-scanning>
Parameters
n/a
Example
set threat-prevention anti-virus policy advanced-settings priority-scanning

true
Description
Syntax
set threat-prevention anti-virus policy advanced-settings file-scan-size-kb

<file-scan-size-kb>
Parameters
n/a
Example
set threat-prevention anti-virus policy advanced-settings file-scan-size-kb

15000
Description
Syntax
set threat-prevention anti-virus policy advanced-settings max-nesting-level

<max-nesting-level>
Parameters
n/a
Example
set threat-prevention anti-virus policy advanced-settings max-nesting-level

2
Description
Syntax
set threat-prevention anti-virus policy advanced-settings action-when-

nesting-level-exceeded <action-when-nesting-level-exceeded>
Parameters
n/a
Example
set threat-prevention anti-virus policy advanced-settings action-when-

nesting-level-exceeded allow
Description
Syntax
set threat-prevention anti-virus policy advanced-settings res-class-mode

<res-class-mode>
Parameters
n/a
Example
set threat-prevention anti-virus policy advanced-settings res-class-mode

rs-hold
show threat-prevention anti-virus policy
Shows the policy for the Anti-Virus blade.
Description
Shows the policy for the Anti-Virus blade.
Syntax
Parameters
n/a
Example
Description
Shows advanced settings for the Anti-Virus blade.
Syntax
show threat-prevention anti-virus policy advanced-settings
Parameters
n/a
Example
show threat-prevention anti-virus policy advanced-settings
set threat-prevention anti-virus user-check ask
set threat-prevention anti-virus user-check ask
Description
Syntax
set threat-prevention anti-virus user-check ask [ body <body>] [ activity-

text <activity-text> ] [ fallback-action <fallback-action> ] [ frequency
<frequency> ] [ subject <subject>] [ title <title> ] [ reason-displayed
<reason-displayed> ]
Parameters
activity-text This text appears next to the 'ignore warning' checkbox of an Anti-Virus 'Ask' user
message
body The informative text that appears in the Anti-Virus 'Ask' user message
fallback-action Indicates the action to take when an 'Ask' user message cannot be displayed
frequency Indicates how often is the Anti-Virus 'Ask' user message is being presented to the
same user
subject The subject of an Anti-Virus 'Ask' user message
title The title of an Anti-Virus 'Ask' user message
Example
set threat-prevention anti-virus user-check ask body My Network activity-

text My Network fallback-action block frequency day subject My Network
title My Network reason-displayed true
show threat-prevention anti-virus user-check ask
show threat-prevention anti-virus user-check
ask
Description
Shows the settings of the customizable "ask" message shown to users upon Anti-Virus match on browser
based traffic.
Syntax
Parameters
n/a
Example
set threat-prevention anti-virus user-check block
set threat-prevention anti-virus user-check
block
Description
Syntax
set threat-prevention anti-virus user-check block [ body <body> ] [

redirect-url <redirect-url> ] [ subject <subject> ] [ title <title> ] [
redirect-to-url <redirect-to-url> ]
Parameters
body The informative text that appears in the Anti-Virus 'Block' user message
Type: urlWithHttp
subject The subject of an Anti-Virus 'Block' user message
title The title of an Anti-Virus 'Block' user message
Example
set threat-prevention anti-virus user-check block body My Network redirect-

url urlWithHttp subject My Network title My Network redirect-to-url true
show threat-prevention anti-virus user-check block
show threat-prevention anti-virus user-check
block
Description
Shows the settings of the customizable "block" message shown to users upon Anti-Virus match on browser
based traffic.
Syntax
Parameters
n/a
Example
threat-prevention exception
threat-prevention exception
add threat-prevention exception
Description
Adds a new exception rule for Threat Preventionmalware protection.
Syntax
add threat-prevention exception [ destination <destination> ] [

destination-negate <destination-negate> ] [ service <service> ] [ service-
negate <service-negate> ] [ source <source> ] [ source-negate
<source-negate> ] [ { protection-name <protection-name> | [ protection-code
<protection-code> ] | [ blade <blade> ] } ] [ action <action> ] [ log <log>
] [ comment <comment> ]
Parameters
Options: ask, prevent, detect, inactive
blade The blade to which the exception applies: Anti-Virus, Anti-Bot or both
Options: any, any-av, any-ab, any-ips
comment Additional description for the exception
log The logging method used when there is a match on the rule: None - do not log, Log -
Create log, Alert - log with alert
protection- Indicates if the exception rule will be matched a specific IPS protection
code
name
service Type of network service that is under exception
service- If true, the service is everything except what is defined in the service field
source IP address, network object or user group that the exception applies to
source negate If true, the source is all traffic except what is defined in the source field
Example
add threat-prevention exception destination TEXT destination-negate true

service TEXT service-negate true source TEXT source-negate true protection-
name word action ask log none comment This is a comment.
delete threat-prevention exception
delete threat-prevention exception
Description
Deletes an existing malware exception rule by name.
Syntax
delete threat-prevention exception name <name>
Parameters
name The name of the exception
Example
delete threat-prevention exception name word
set threat-prevention exception
Description
Configures an existing exception rule for the Threat Prevention malware exceptions.
Syntax
set threat-prevention exception <position> [ destination <destination>

] [ destination-negate <destination-negate> ] [ service <service> ] [
service-negate <service-negate> ] [ source <source> ] [ source-negate
<source-negate> ] [ { protection-name <protection-name> | [ protection-code
<protection-code> ] | [ blade <blade> ] } ] [ action <action> ] [ log <log>
] [ comment <comment> ]
Parameters
Options: ask, prevent, detect, inactive
blade The blade to which the exception applies: Anti-Virus, Anti-Bot or both
Options: any, any-av, any-ab, any-ips
comment Additional description for the exception
Type: A string that contains less than 257 characters, of this set: 0-9, a-z or , . -: () @
log The logging method used when there is a match on the rule: None - do not log, Log -
Create log, Alert - log with alert
position The order of the rule in comparison to other rules
code
name
service- If true, the service is everything except what is defined in the service field
source IP address, network object or user group that the exception applies to
Example
set threat-prevention exception 2 destination TEXT destination-negate true

service TEXT service-negate true source TEXT source-negate true protection-
name word action ask log none comment This is a comment.
show threat-prevention exception
show threat-prevention exception
Description
Shows the configuration of a specific malware exception rule by name.
Syntax
show threat-prevention exception name <name>
show threat-prevention exception position <position>
Parameters
name The name of the exception
position The order of the rule in comparison to other rules
Example
show threat-prevention exception name word
delete threat-prevention exceptions
delete threat-prevention exceptions
Description
Deletes all existing malware exception rules for Anti-Virus, Anti-Bot and Threat Emulation (where
applicable).
Syntax
delete threat-prevention exceptions all
Parameters
n/a
Example
delete threat-prevention exceptions all
show threat-prevention infected-hosts
show threat-prevention infected-
hosts
Description
Shows a list of infected hosts detected by Threat Prevention blades.
Syntax
Parameters
n/a
Example
threat-prevention ips
threat-prevention ips
set threat-prevention ips custom-default-policy
Description
Configures the default policy of the IPS blade.
Syntax
set threat-prevention ips custom-default-policy [ server-protections

<server-protections> ] [ client-protections <client-protections> ] [
disable-by-confidence-level <disable-by-confidence-level > ] [ disable-
confidence-level-below-or-equal <disable-confidence-level-below-or-equal> ]
[ disable-by-severity <disable-by-severity> ] [ disable-severity-below-or-
equal <disable-severity-below-or-equal> ] [ disable-by-performance-impact
<disable-by-performance-impact> ] [ disable-performance-impact-above-or-
equal <disable-performance-impact-above-or-equal> ] [ disable-protocol-
anomalies <disable-protocol-anomalies>]
Parameters
client-protections Indicates if Client protections are active by default
disable-by-confidence- Indicates if protections will be deactivated if their confidence level is below
level or equal configured level Type: Boolean (true/false)
disable-by-performance- Indicates if protections will be deactivated if their performance impact is
impact above or equal configured level Type: Boolean (true/false)
disable-by-severity Indicates if protections will be deactivated if their severity is below or equal
configured level
disable-confidence-level- If configured, protections will be deactivated according to this confidence
below -or-equal level
Options: Low, Medium-low, Medium, Medium-high, High
disable-performance- If configured, protections will be deactivated according to this performance
impact -above-or-equal impact level
Options: Very-low, Low, Medium, High
disable-protocol- Do not activate protocol anomaly detection signatures
anomalies Type: Boolean (true/false)
disable-severity-below-or If configured, protections will be deactivated according to this severity level
-equal Options: Low, Medium, High, Critical
server-protections Indicates if Server protections are active by default
Example
set threat-prevention ips custom-default-policy server-protections true

client-protections true disable-by-confidence-level true disable-
confidence-level-below-or-equal Low disable-by-severity true disable-
severity-below-or-equal Low disable-by-performance-impact true disable-
performance-impact-above-or-equal Very-low disable-protocol-anomalies true
show threat-prevention ips custom-default-policy
show threat-prevention ips custom-default-
policy
Description
Shows the configuration of a custom IPS policy.
Syntax
Parameters
n/a
Example
add threat-prevention ips network-exception
Adds a new exception rule for the IPS blade.
Description
Adds a new exception rule for the IPS blade. To create exceptions for specific protections use protection
name.
Syntax
add threat-prevention ips network-exception protection-name <protection-

name> [ destination <destination> ] [ destination-negate <destination-
negate> ] [ service <service> ] [ service-negate <service-negate> ] [
source <source> ] [ source-negate <source-negate> ] [ comment <comment> ]
Parameters
comment Comment on the IPS Network exception
@
protection-name Indicates if the exception rule will be matched on all IPS protections or a specific
one
source-negate If true, the service is everything except what is defined in the service field
Example
add threat-prevention ips network-exception protection-name word

source TEXT source-negate true comment "This is a comment."
Description
Adds a new exception rule for the IPS blade. To create exceptions for specific protections use protection
code.
Syntax
add threat-prevention ips network-exception [ protection-code <protection-

code> ] [ destination <destination> ] [ destination-negate <destination-
negate> ] [ service <service> ] [ service-negate <service-negate> ] [
source <source> ] [ source-negate <source-negate> ] [ comment <comment> ]
Parameters
@
protection-code Indicates if the exception rule will be matched on all IPS protections or a specific
one
Example
add threat-prevention ips network-exception protection-code 123435

delete threat-prevention ips network-exception
Deletes exception rules to bypass IPS protections for specific traffic.
Description
Deletes an existing exception rule for the IPS blade by position.
Syntax
delete threat-prevention ips network-exception position <position>
Parameters
position The order of the rule in the Rule Base
Example
delete threat-prevention ips network-exception position 2
Description
Deletes all existing exception rules for the IPS blade.
Syntax
delete threat-prevention ips network-exception all
Parameters
n/a
Example
delete threat-prevention ips network-exception all
set threat-prevention ips network-exception
Configure exception rules to bypass IPS protections for specific traffic.
Description
Configure an existing exception rule to the IPS blade by position for a specific protection by protection ID
(Code).
Syntax
set threat-prevention ips network-exception position <position> [

protection-code <protection-code> ] [ destination <destination> ] [
destination-negate <destination-negate> ] [ service <service> ] [
service-negate <service-negate> ] [ source <source> ] [ source-negate <source-

negate> ] [ comment <comment> ]
Parameters
Type: A string that contains less than 257 characters, of this set: 0-9, a-z or , . -: ()
@
protection-code Indicates if the exception rule will be matched on all IPS protections or a specific
one
Example
set threat-prevention ips network-exception position 2 protection-code

12345678 destination TEXT destination-negate true service TEXT service-
negate true source TEXT source-negate true comment "This is a comment."
Description
Configure an existing exception rule to the IPS blade by position for a specific protection by protection
name.
Syntax
set threat-prevention ips network-exception position <position> protection-

name <protection-name> [ destination <destination> ] [ destination-negate
<destination-negate> ] [ service <service>] [ service-negate <service-
negate> ] [ source <source> ] [ source-negate <source-negate> ] [ comment
<comment> ]
Parameters
@
protection-name Indicates if the exception rule will be matched on all IPS protections or a specific
one
Example
set threat-prevention ips network-exception position 2 protection-name word

show threat-prevention ips network-exception
show threat-prevention ips network-exception
Description
Shows the configuration of an IPS exception rule by position
Syntax
show threat-prevention ips network-exception position <position>
Parameters
Example
show threat-prevention ips network-exception position 2
set threat-prevention ips policy
set threat-prevention ips policy
Description
Configures general settings in the policy of the IPS blade.
Syntax
set threat-prevention ips policy [ mode <mode> ] [ log <log> ] [ default-

policy <default-policy> ] [ detect-mode <detect-mode> ]
Parameters
default-policy The type of policy used for IPS - strict, typical or custom
detect-mode Indicates if the default policy of IPS is to only logs events and not block them
log Indicates the tracking level for IPS - none, block or alert
mode Indicates if IPS blade is active
Example
set threat-prevention ips policy mode true log none default-policy word
detect-mode true
show threat-prevention ips policy
Description
Shows the policy of the IPS blade.
Syntax
Parameters
n/a
Example
find threat-prevention ips protection
find threat-prevention ips protection
Description
Find an IPS protection by name (or partial string) to view further details regarding it.
Syntax
find threat-prevention ips protection <name>
Parameters
name The name of the IPS topic
Example
find threat-prevention ips protection word
set threat-prevention ips protection-action-override
set threat-prevention ips protection-action-
override
Configures actions to override the IPS policy for a specific IPS protection.
Description
Enable/Disable an action override for a specific IPS protection by protection ID (code).
Syntax
set threat-prevention ips protection-action-override protection-code

<protection-code> [ action <action> ] [ track <track> ]
Parameters
action Indicates the manually configured action for this protection
protection- The IPS topic the override belongs to. Every override belongs to a single topic
code Type: A number with no fractional part. Values are between 4,503,599,627,370,495 to
4,503,599,627,370,495
track Indicates the manually configured tracking option for this protection
Example

12345678 action prevent track none
Description
Configures an action override for a specific IPS protection by name.
Syntax
set threat-prevention ips protection-action-override protection-name

<protection-name> [ action <action> ] [ track <track> ]
Parameters
action Indicates the manually configured action for this protection
protection-name The name of the IPS topic
track Indicates the manually configured tracking option for this protection
Example
set threat-prevention ips protection-action-override protection-name word

action prevent track none
Description
Configures an action override for a specific IPS protection by protection ID (code).
Syntax

<protection-code> override-policy-action <override-policy-action>
Parameters
override- Indicates if the action upon detection will be according to the general IPS policy or
policy-action manually configured for this protection
4,503,599,627,370,495
Example

12345678 override-policy-action true
Description
Enable/Disable an action override for a specific IPS protection by name.
Syntax
set threat-prevention ips protection-action-override protection-name

<protection-name> override-policy-action <override-policy-action>
Parameters
override- Indicates if the action upon detection will be according to the general IPS policy or
policy-action manually configured for this protection
protection- The name of the IPS topic
name Type: A string of alphanumeric characters without space between them
Example
set threat-prevention ips protection-action-override protection-name word

override-policy-action true
show threat-prevention ips protection-action-override
show threat-prevention ips protection-action-
override
Shows action overrides for specific IPS protections.
Description
Shows action overrides for a specific IPS protection by protection ID (code).
Syntax
show threat-prevention ips protection-action-override protection-code

<protection-code>
Parameters
4,503,599,627,370,495
Example
show threat-prevention ips protection-action-override protection-code

12345678
Description
Shows action overrides for a specific IPS protection by protection name.
Syntax
show threat-prevention ips protection-action-override protection-name

<protection-name>
Parameters
protection-name The name of the IPS topic
Example
show threat-prevention ips protection-action-override protection-name word
threat-prevention-profile
Commands relevant for the Unified Threat Prevention profile.
set threat-prevention policy
Description
Configures the policy for the Threat Prevention blades Anti-Virus, Anti-Bot and Threat Emulation (where
applicable).
Syntax
set threat-prevention policy [ track <track> ] [ profile <profile> ]
set threat-prevention policy advanced-settings fail-mode <fail-mode>
set threat-prevention policy advanced-settings block-requests-when-the-web-

service-is-<block-requests-when-the-web-service-is-unavailable>
Parameters
profile Unified policy profile
track Tracking options for Threat Prevention protections: None - do not log, Log -Create log,
Alert - log with alert
Example
set threat-prevention policy high-confidence ask medium-confidence ask low-

confidence ask performance-impact low track none
set threat-prevention policy advanced-settings fail-mode allow-all-requests

service-is true
threat-prevention policy
threat-prevention policy
Shows commands relevant to Threat Prevention policy.
Description
Configures the policy for the Threat Prevention blades Anti-Virus, Anti-Bot and Threat Emulation (where
applicable).
Syntax
set threat-prevention policy [ track <track> ] [ profile <profile> ]
set threat-prevention policy advanced-settings fail-mode <fail-mode>

service-is-<block-requests-when-the-web-service-is-unavailable>
Parameters
profile Unified policy profile
track Tracking options for Threat Prevention protections: None - do not log, Log -Create log,
Alert - log with alert
Example
set threat-prevention policy high-confidence ask medium-confidence ask low-

confidence ask performance-impact low track none
set threat-prevention policy advanced-settings fail-mode allow-all-requests

service-is true
show threat-prevention policy
Description
Shows the configuration for the Threat Prevention policy shared by the Anti-Bot, Anti-Virus and Threat
Emulation (where applicable) blades.
Syntax
show threat-prevention policy advanced-settings
Parameters
n/a
Example
show threat-prevention policy advanced-settings
threat-prevention threat-emulation additional-remote-emulator
threat-prevention threat-emulation
additional-remote-emulator
add threat-prevention threat-emulation additional-remote-emulator
add threat-prevention threat-emulation
Description
Add a gateway to the threat emulation list of additional (private) emulation gateways.
Syntax
add threat-prevention threat-emulation additional-remote-emulator ip-

address <ip-address> name <name>
Parameters
ip-address Remote emulation gateway IP address
Type: IP address
name Remote emulation gateway name
Example
add threat-prevention threat-emulation additional-remote-emulator ip-

address 192.168.1.1 name several words
delete threat-prevention threat-emulation additional-remote-emulator
delete threat-prevention threat-emulation
Delete a gateway from the threat emulation list of additional (private) emulation gateways.
delete threat-prevention threat-emulation additional-remote-
emulator
Description
Syntax
delete threat-prevention threat-emulation additional-remote-emulator ip-

address <ip-address>
Parameters
Type: IP address
Example
delete threat-prevention threat-emulation additional-remote-emulator ip-

address 192.168.1.1
delete threat-prevention threat-emulation additional-remote-
emulator
Description
Syntax
delete threat-prevention threat-emulation additional-remote-emulator name

<name>
Parameters
Example
delete threat-prevention threat-emulation additional-remote-emulator name

several words
set threat-prevention threat-emulation additional-remote-emulator
set threat-prevention threat-emulation
Description
Configure a gateway as an additional (private) emulation gateway.
Syntax
set threat-prevention threat-emulation additional-remote-emulator name

<name> [ ip-address <ip-address> ] [ name <name> ]
Parameters
Type: IP address
Example
textset threat-prevention threat-emulation additional-remote-emulator name

several words ip-address 192.168.1.1 name several words
show threat-prevention threat-emulation additional-remote-emulator
show threat-prevention threat-emulation
Show all gateways that are configured as additional (private) emulation gateways.
show threat-prevention threat-emulation additional-remote-
emulator
Description
Syntax
Parameters
n/a
Example
show threat-prevention threat-emulation additional-remote-
emulator
Description
Syntax
show threat-prevention threat-emulation additional-remote-emulator name <name>
Parameters
Example
show threat-prevention threat-emulation additional-remote-emulator name

several words
set threat-prevention threat-emulation file-types-revert-actions-to-default
set threat-prevention threat-
emulation file-types-revert-actions-
to-default
Description
Reverts all actions on specific file types to their default value in the factory settings.
Syntax
Parameters
n/a
Example
set threat-prevention threat-emulation file-type
set threat-prevention threat-emulation file-type
Description
Configures an override action for a specific file type by the Threat Emulation blade (where applicable).
Syntax
set threat-prevention threat-emulation file-type <extension> [ action

Parameters
Options: bypass, inspect
Example
set threat-prevention threat-emulation file-type word action bypass

description "This is a comment."
show threat-prevention threat-emulation file-type
show threat-prevention threat-emulation file-
type
Description
Shows the Threat Emulation (where applicable) configuration for a specific file type.
Syntax
show threat-prevention threat-emulation file-type <extension>
Parameters
Example
show threat-prevention threat-emulation file-type word
show threat-prevention threat-emulation file-types
show threat-prevention threat-emulation file-
types
Description
Shows the Threat Emulation (where applicable) configuration for all specific file types.
Syntax
Parameters
n/a
Example
set threat-prevention threat-emulation policy
Configures a policy specific to the Threat Emulation blade (where applicable).
Description
Configures policy settings for the Threat Emulation blade (where applicable).
Syntax
set threat-prevention threat-emulation policy [ mode <mode> ] [ detect-mode

<detect-mode> ] [ scope <scope> ] [ interfaces <interfaces>
] [ protocol-http <protocol-http> ] [ protocol-mail <protocol-mail> ] [

connection-handling-mode-http <connection-handling-mode-http> ] [ connection-
handling-mode-smtp <connection-handling-mode-smtp> ]
Parameters
connection- Indicates the strictness mode of the Threat Emulation engine over HTTP: Back-ground
handling- - connections are allowed while the file emulation runs (if needed), Hold - connections
mode-http are blocked until the file emulation is completed
Options: background, hold
connection- Indicates the strictness mode of the Threat Emulation engine over SMTP: Back-ground
handling- - connections are allowed while the file emulation runs (if needed), Hold - connections
mode-smtp are blocked until the file emulation is completed
Options: background, hold
detect-mode Indicates if the Threat Emulation blade is set to 'Detect Only' mode
interfaces Indicates the source zones for inspected incoming files: External, External and DMZ or
all interfaces
Options: all, external, external-dmz
mode Indicates if the Threat Emulation blade is active
protocol-http Indicates if file emulation will be performed on all configured ports of HTTP traffic
protocol-mail Indicates if file emulation will be performed on mail traffic (SMTP)
scope Indicates the source of scanned file: scan incoming files, or scan both incoming and
outgoing files
Options: incoming, incoming-and-outgoing
Example
set threat-prevention threat-emulation policy mode true detect-mode true

scope incoming interfaces all protocol-http true protocol-mail true
connection-handling-mode-http background connection-handling-mode-smtp
background
Description
Configures advanced settings for the Threat Emulation blade (where applicable).
Syntax
set threat-prevention threat-emulation policy advanced-settings connection-

handling-mode-smtp <connection-handling-mode-smtp>
Parameters
n/a
Example
set threat-prevention threat-emulation policy advanced-settings connection-

handling-mode-smtp background
show threat-prevention threat-emulation policy
Shows the policy of the Threat Emulation policy.
Description
Shows the policy of the Threat Emulation policy.
Syntax
Parameters
n/a
Example
Description
Shows advanced settings of the Threat Emulation policy.
Syntax
show threat-prevention threat-emulation policy advanced-settings
Parameters
n/a
Example
show threat-prevention threat-emulation policy advanced-settings
threat-prevention whitelist
threat-prevention whitelist
add threat-prevention whitelist mail
add threat-prevention whitelist mail
Description
Adds a new excluded mail addresses for the Threat Emulation blade (where applicable).
Syntax
add threat-prevention whitelist mail email-address <email-address> [ type

<type> ]
Parameters
email-address The email address of the recipient or sender
Type: Email address
type The type of the email address - recipient, sender or both
Options: recipient, sender, both
Example
add threat-prevention whitelist mail email-address MyEmail@mail.com type

recipient
show threat-prevention whitelist files
Description
Shows the list of whitelist files (md5sum) for the Threat Prevention blades.
Syntax
Parameters
n/a
Example
delete threat-prevention whitelist mail
delete threat-prevention whitelist mail
Description
Deletes an excluded mail address for the Threat Emulation blade (where applicable).
Syntax
delete threat-prevention whitelist mail <email-address>
Parameters
Type: Email address
Example
delete threat-prevention whitelist mail MyEmail@mail.com
set threat-prevention whitelist mail
set threat-prevention whitelist mail
Description
Configures excluded mail addresses for the Threat Emulation blade (where applicable).
Syntax
set threat-prevention whitelist mail <email-address>type <type>
Parameters
Type: Email address
type The type of the email address - recipient, sender or both
Options: recipient, sender, both
Example
set threat-prevention whitelist mail MyEmail@mail.com type recipient
show threat-prevention whitelist mail
show threat-prevention whitelist mail
Description
Shows the setting for a whitelist email address set for the Threat Prevention blades.
Syntax
show threat-prevention whitelist mail <email-address>
Parameters
Type: Email address
Example
show threat-prevention whitelist mail MyEmail@mail.com
delete threat-prevention whitelist mails
delete threat-prevention whitelist mails
Description
Deletes all excluded mail addresses for the Threat Emulation blade (where applicable).
Syntax
delete threat-prevention whitelist mails all
Parameters
n/a
Example
delete threat-prevention whitelist mails all
show threat-prevention whitelist mails
Description
Shows the whitelist email addresses set for the Threat Prevention blades.
Syntax
Parameters
n/a
Example
add threat-prevention whitelist type-file
add threat-prevention whitelist type-file
Description
Adds a new excluded file for Threat Prevention blades according to md5.
Syntax
add threat-prevention whitelist type-file md5 <md5>
Parameters
md5 MD5 encryption for the file in the whitelist
Type: MD5 checksum of a file. Contains only [a-f] and [0-9] characters and of exact
length of 32
Example
add threat-prevention whitelist type-file md5

d41d8cd98f00b204e9800998ecf8427e
delete threat-prevention whitelist type-file
Deletes excluded files for Threat Prevention blades.
Description
Removes an excluded file for Threat Prevention blades by md5.
Syntax
delete threat-prevention whitelist type-file md5 <md5>
Parameters
md5 MD5 encryption for the file in the whitelist
Type: MD5 checksum of a file. Contains only [a-f] and [0-9] characters and of exact
length of 32
Example
delete threat-prevention whitelist type-file md5

d41d8cd98f00b204e9800998ecf8427e
Description
Removes all excluded files for Threat Prevention blades.
Syntax
delete threat-prevention whitelist type-file all
Parameters
n/a
Example
delete threat-prevention whitelist type-file all
add threat-prevention whitelist type-url
add threat-prevention whitelist type-url
Description
Adds a new excluded URL for Threat Prevention blades.
Syntax
add threat-prevention whitelist type-url url <url>
Parameters
url URL
Type: URL
Example
add threat-prevention whitelist type-url url http://somehost.example.com
delete threat-prevention whitelist type-url
Deletes excluded URLs for Threat Prevention blades.
Description
Removes an excluded URL for Threat Prevention blades.
Syntax
delete threat-prevention whitelist type-url url <url>
Parameters
url URL
Type: URL
Example
delete threat-prevention whitelist type-url url http://somehost.example.com
Description
Removes all excluded URLs for Threat Prevention blades.
Syntax
delete threat-prevention whitelist type-url all
Parameters
n/a
Example
delete threat-prevention whitelist type-url all
show threat-prevention whitelist urls
Description
Shows the whitelist URLs set for the Threat Prevention blades.
Syntax
Parameters
n/a
Example
update default-image from current-
image
Description
Update default image from currently running image.
Syntax
update default-image from current-image preserve-settings <yes | no> [force

<yes | no>]
Parameters
preserve-settings Yes - Preserve your current settings
No – Do not preserve your current settings
force Yes- Confirm before rebooting
No – Execute immediately
Example
update default-image from current-image preserve-settings yes force yes
Output
The system will now reboot.

During this boot, default image will be updated from current image.
Save settings as part of the image: yes
Save license as part of the image: yes
Save SIC as part of the image: yes
Are you sure you want to continue(yes/no)?
ui-settings
ui-settings
set ui-settings
set ui-settings
Configures customizations that can be done for the administration portal.
set ui-settings
set ui-settings
Description
Configure a custom logo that will appear in the administration portal. The logo can be reached through a
URL.
Syntax
set ui-settings [ use-custom-webui-logo <use-custom-webui-logo> ] [ custom-

webui-logo-url <custom-webui-logo-url> ]
Parameters
custom- Clicking the company logo in the web interface opens this URL
webui-logo- Type: urlWithHttp
url
use-custom- The company logo is displayed on the appliance's web interface and on its login page.
webui- logo The customized logo should follow the size restrictions in order to be displayed properly.
Example
set ui-settings use-custom-webui-logo true custom-webui-logo-url

urlWithHttp
set ui-settings
set ui-settings
Description
Configures customizations that can be done for the administration portal.
Syntax
set ui-settings advanced-settings AboutConfigCustomLogos [ custom-webui-

logo-url <custom-webui-logo-url> ] [ use-custom-webui-logo <use-custom-
webui-logo> ]
Parameters
n/a
Example
set ui-settings advanced-settings AboutConfigCustomLogos custom-webui-logo-

url urlWithHttp use-custom-webui-logo true
show ui-settings
show ui-settings
Shows web interface settings and customizations.
show ui-settings
show ui-settings
Description
Shows web interface settings and customizations.
Syntax
show ui-settings
Parameters
n/a
Example
show ui-settings
show ui-settings
show ui-settings
Description
Shows web Interface advanced settings.
Syntax
show ui-settings advanced-settings
Parameters
n/a
Example
show ui-settings advanced-settings
usb-modem-advanced
usb-modem-advanced
add usb-modem-advanced
add usb-modem-advanced
Description
Add a USB modem advanced entry.
Syntax
add usb-modem-advanced field-name <field-name> field-value <field-value>is-

any-device <is-any-device> vendor-id <vendor-id> product-id <product-id>
Parameters
field-name Name
Type: A string that contains [a-z], [A-Z], [0-9], '_'
field-value Value
Type: A string that contains [a-z], [A-Z], [0-9], '_', '.', ',', '-', '/', '@', '+', ',', ':', '='
is-any-device Does paramter apply to all devices
product-id Product ID
Type: A hexadecimal string
vendor-id Vendor ID
Example
add usb-modem-advanced field-name usb_advanced_config_name field-value usb_

advanced_config_value is-any-device true vendor-id 7AA1 product-id 7AA1
delete usb-modem-advanced
delete usb-modem-advanced
Description
Delete an existing USB modem advanced entry.
Syntax
delete usb-modem-advanced <id>
Parameters
id id
Example
delete usb-modem-advanced -1000000
delete usb-modem-advanced-all
Description
Delete all existing USB modem advanced entries.
Syntax
Parameters
n/a
Example
set usb-modem-advanced
set usb-modem-advanced
Description
Configure a USB modem advanced entry.
Syntax
set usb-modem-advanced <id> [ field-name <field-name> ] [ field-value

<field-value> ] [ is-any-device <is-any-device> ] [ vendor-id <vendor-id> ]
[ product-id <product-id>
Parameters
field-name Name
Type: A string that contains [a-z], [A-Z], [0-9], '_'
field-value Value
Type: A string that contains [a-z], [A-Z], [0-9], '_', '.', ',', '-', '/', '@', '+', ',', ':', '='
id id
is-any-device Does parameter apply to all devices
product-id Product ID
vendor-id Vendor ID
Type: A hexa decimal string
Example
set usb-modem-advanced -1000000 field-name usb_advanced_config_name field-

value usb_advanced_config_value is-any-device true vendor-id 7AA1 product-
id 7AA1
show usb-modem-advanced
Description
Show existing USB modem advanced entries.
Syntax
Parameters
n/a
Example
show usb-modem-advanced table
Description
Show the existing USB modem advanced entries in a table.
Syntax
Parameters
n/a
Example
usb-modem-info
usb-modem-info
show usb-modem-info
show usb-modem-info
Description
Show existing USB modem information.
Syntax
show usb-modem-info
Parameters
n/a
Example
show usb-modem-info
show usb-modem-info-table
show usb-modem-info-table
Description
Show existing USB modem information in a table.
Syntax
show usb-modem-info table
Parameters
n/a
Example
show usb-modem-info table
usb-modem-watchdog
usb-modem-watchdog
set usb-modem-watchdog
Configures the internet probing (if probing is enabled) to automatically detect and fix 3G/4G internet
connectivity problems.
Description
Syntax
set usb-modem-watchdog advanced-settings interval <interval>
Parameters
n/a
Example
set usb-modem-watchdog advanced-settings interval 10
Description
Syntax
set usb-modem-watchdog advanced-settings mode <mode>
Parameters
n/a
Example
set usb-modem-watchdog advanced-settings mode off
show usb-modem-watchdog
show usb-modem-watchdog
Description
Shows configuration for additional health monitoring functionality to USB modems.
Syntax
show usb-modem-watchdog advanced-settings
Parameters
n/a
Example
show usb-modem-watchdog advanced-settings
set used-ad-group
set used-ad-group
Configures settings of a user group defined in the AD server.
set used-ad-group
set used-ad-group
Description
Adds a bookmark to be shown in the SNX landing page to user group defined in the AD server. This is
relevant only if the user group is defined with VPN remote access privileges.
Syntax
set used-ad-group name <name>add bookmark label <bookmark label>
Parameters
name Group name
Type: Active Directory group name
Example
set used-ad-group name my AD group add bookmark label myLabel
set used-ad-group
set used-ad-group
Description
Removes a bookmark from being shown in the SNX landing page to user group defined in the AD server.
This is relevant only if the user group is defined with VPN remote access privileges.
Syntax
set used-ad-group name <name> remove bookmark label <bookmark label>
Parameters
name Group name
Example
set used-ad-group name my AD group remove bookmark label myLabel
user-awareness
user-awareness
set user-awareness
set user-awareness
Configures settings for the User Awareness blade.
set user-awareness
set user-awareness
Description
Configures the activation mode and user identification methods for the User Awareness blade.
Syntax
set user-awareness [ mode <mode>] [ ad-queries-mode <ad-queries-mode> ] [

browser-based-authentication-mode <browser-based-authentication-mode> ]
Parameters
ad-queries-mode Indicates if User Awareness seamlessly queries the AD (Active Directory)
servers to get user information
browser-based- Indicates if User Awareness uses a portal to identify locally defined users or
authentication- mode as a backup to other identification methods
mode User Awareness mode - true for on, false for off
Example
set user-awareness mode true ad-queries-mode true browser-based-

authentication-mode true
set user-awareness
set user-awareness
Description
Configures advanced settings for the User Awareness blade.
Syntax
set user-awareness advanced-settings association-timeout <association-

timeout>
Parameters
n/a
Example
set user-awareness advanced-settings association-timeout 10
set user-awareness
set user-awareness
Description
Syntax
set user-awareness advanced-settings assume-single-user <assume-single-

user>
Parameters
n/a
Example
set user-awareness advanced-settings assume-single-user true
set user-awareness browser-based-authentication
set user-awareness browser-based-
authentication
Configures settings for browser-based authentication (captive portal) by the User Awareness blade.
Description
Configures settings for browser-based authentication (captive portal) by the User Awareness blade.
Syntax
set user-awareness browser-based-authentication [ redirect-upon-

destinations { manually-defined [ redirect-upon-destination-internet
<redirect-upon-destination-internet> ] [ redirect-upon-destinations-net-
objs <redirect-upon-destinations-net-objs> ] | all } ] [ block-
unauthenticated-non-web-traffic <block-unauthenticated-non-web-traffic> ] [
require-user-agreement <require-user-agreement> ] [ agreement-text
<agreement-text> ] [ portal-address <portal-address> ] [ session-timeout
<session-timeout> ] [ log-out-on-portal-close <log-out-on-portal-close> ]
Parameters
agreement-text The conditions shown to the users to agree to
block-unauthenticated- When true, users using non-HTTP traffic are forced to login first through
non-web-traffic Browser-Based Authentication
log-out-on-portal-close When true, the user is forced to keep the portal window open to remain logged
in
portal-address Use the auto option unless you want to redirect to a manually configured URL
Type: String
Enter "<auto>" for default
redirect-upon- When choosing redirect to manually defined destinations - indicates if the
destination-internet destinations include the internet (external interfaces)
redirect-upon- Browser based authentication will only be shown to unidentified users on traffic
destinations to these configured destinations
redirect-upon- When choosing redirect to manually defined destinations - indicates if the
destinations-net-objs destinations include a manual list of network objects
require-user- Indicates if users must agree to the legal conditions
agreement Type: Boolean (true/false)
session-timeout Session timeout duration, in minutes, for browser-based authentication
Type: A number with no fractional part (integer) Units should be entered in
minutes
Example
set user-awareness browser-based-authentication redirect-upon-destinations

manually-defined redirect-upon-destination-internet true redirect-upon-
destinations-net-o true block-unauthenticated-non-web-traffic true require-
user-agreement true agreement-text My Network portal-address TEXT session-
timeout 10 log-out-on-portal-close true
Description
Configures network objects to be used in the User Awareness blade.
Syntax
set user-awareness browser-based-authentication add net-obj <net-obj>
Parameters
net-obj Network object name
Example
set user-awareness browser-based-authentication add net-obj TEXT
Description
Syntax
set user-awareness browser-based-authentication remove net-obj <net-obj>
Parameters
net-obj Network object name
Example
set user-awareness browser-based-authentication remove net-obj TEXT
Description
Syntax
set user-awareness browser-based-authentication remove-all net-objs
Parameters
n/a
Example
set user-awareness browser-based-authentication remove-all net-objs
show user-awareness
show user-awareness
Shows the configuration of the User Awareness blade.
show user-awareness
show user-awareness
Description
Shows the configuration of the User Awareness blade.
Syntax
show user-awareness
Parameters
n/a
Example
show user-awareness
show user-awareness
show user-awareness
Description
Shows advanced settings of the User Awareness blade.
Syntax
show user-awareness advanced-settings
Parameters
n/a
Example
show user-awareness advanced-settings
show user-awareness browser-based-authentication
Description
Shows the browser-based authentication configuration of the User Awareness blade.
Syntax
Parameters
n/a
Example
set user-management
set user-management
Description
Syntax
set user-management advanced-settings auto-delete-expired-local-users

<auto-delete-expired-local-users>
Parameters
n/a
Example
set user-management advanced-settings auto-delete-expired-local-users true
show upgrade log
show upgrade log
Description
Shows upgrade log files.
Syntax
show upgrade-log
Parameters
n/a
Example
show upgrade-log
show used-ad-group bookmarks
show used-ad-group bookmarks
Description
Show bookmarks configured to a user group defined in AD.
Syntax
show used-ad-group bookmarks name <name>
Parameters
name Group name
Example
show used-ad-group bookmarks name my AD group
upgrade from usb or tftp server
upgrade from usb or tftp server
Description
Upgrades the software image from a file on a USB drive or TFTP server.
Syntax
upgrade from {usb [file <usb_file>]|tftp server <server> filename <tftp_

file>}
Parameters
usb_file Name of software image file on USB drive.
server Host name or IP address of TFTP server.
tftp_file Name of software image file on TFTP server.
Example
upgrade from tftp server my-tftp-server filename my-new-software
vpn
vpn
vpn
vpn
The vpncommand manages the VPN driver and helps to debug the VPN.
Managing the VPN Driver
Managing the VPN Driver
Description
Installs the VPN kernel (vpnk) and connects to the firewall kernel (fwk), attaching the VPN driver to the
Firewall driver.
Syntax
vpn drv <on|off>
Parameters
on|off Starts or stops the VPN kernel
Return Value
Example
vpn drv on
Output
Launching TunnelUtil Tool
Launching TunnelUtil Tool
Description
Launches the VPN TunnelUtil tool to:
n List IKE and IPSec SAs
n Delete IKE and IPSec SAs
Syntax
vpn tunnelutil
Parameters
n/a
Return Value
Example
vpn tunnelutil
Output
Success launches VPN TunnelUtil tool. Failure shows an appropriate error message.
Debugging VPN
Debugging VPN
Description
Contains multiple utilities for troubleshooting VPN issues.
Syntax
vpn debug {on [TOPIC=level]|off} [ikeon|ikeoff] [trunc [TOPIC=level]]

[mon|moff]
Parameters
on|off Writes debugging information t
$FWDIR/log/sfwd.elg
[TOPIC=level] Sets level of debugging for a particular topic.
This argument can only be used afte
on
o
trunc
.
ikeon|ikeoff Writes IKE packet information int
$FWDIR/log/ike.elg
trunc Writes bot
sfwd.elg
an
ike.elg
, but first clears the files
mon|moff Writes raw IKE packets t
$FWDIR/log/ikemonitor.snoop
Return Value
0
on success,
1
on failure
Example
vpn debug on
delete vpn
delete vpn
Description
Delete a configured Virtual Tunnel Interface (VTI) by tunnel ID.
Syntax
delete vpn tunnel <tunnel>
Parameters
tunnel A number identifying the Virtual Tunnel Interface (VTI)
Example
delete vpn tunnel 12
set vpn
set vpn
Configures existing remote VPN sites.
set vpn
set vpn
Description
Configures existing remote VPN sites.
Syntax
set vpn site <site> [ enabled <enabled> ] [ remote-site-enc-dom-type

<remote-site-enc-dom-type> ] [ enc-profile <enc-profile> ] [ phase1-reneg-
interval <phase1-reneg-interval> ] [ phase2-reneg-interval <phase2-reneg-
interval> ] [ enable-perfect-forward-secrecy { true [ phase2-dh <phase2-dh>
] | false } ] [ is-check-point-site { true [ enable-permanent-vpn-tunnel
<enable-permanent-vpn-tunnel> ] | false } ] [ disable-nat <disable-nat> ] [
aggressive-mode-enabled { true aggressive-mode-DH-group <aggressive-mode-
DH-group> | false } ] [ { aggressive-mode-enable-peer-id { true aggressive-
mode-peer-id-type <aggressive-mode-peer-id-type> aggressive-mode-peer-id
<aggressive-mode-peer-id> | false } | aggressive-mode-enable-gateway-id {
true aggressive-mode-gateway-id-type <aggressive-mode-gateway-id-type>
aggressive-mode-gateway-id <aggressive-mode-gateway-id> | false } } ] [
enc-method <enc-method> ] [ use-trusted-ca <use-trusted-ca> ] [ match-cert-
ip <match-cert-ip> ] [ match-cert-dn { true match-cert-dn-string <match-
cert-dn-string> | false } ] [ match-cert-e-mail { true match-cert-e-mail-
string <match-cert-e-mail-string> | false } ] [ link-selection-probing-
method <link-selection-probing-method> ] [ name <name>] [ remote-site-link-
selection <remote-site-link-selection> ] [ remote-site-host-name <remote-
site-host-name> ] [ remote-site-ip-address <remote-site-ip-address> ] [ is-
site-behind-static-nat <is-site-behind-static-nat> ] [ static-nat-ip
<static-nat-ip> ] [ auth-method { preshared-secret password <password> |
certificate } ] [ link-selection-primary-addr <link-selection-primary-
addr>]
Parameters
aggressive- Determine the strength of the key when aggressive mode is enabled
mode-DH-group
aggressive- Indicates if gateway ID matching will be used. This adds a layer of security to
mode- enable- aggressive mode
gateway-id Type: Boolean (true/false)
aggressive- Indicates if peer ID matching will be used. This adds a layer of security to aggressive
mode- enable- mode
peer-id Type: Boolean (true/false)
aggressive- Indicates if Aggressive mode, a less secure negotiation protocol compared to main
mode-enabled mode, is used. It is less recommended if the remote site supports IPSec main mode
set vpn
aggressive- The gateway ID that will be used for matching when configured to
mode-gateway-id Type: vpnAggressiveModePeerId
aggressive- Indicates the type of gateway ID that will be used for matching when configured
mode- gateway- Options: domain-name, user-name
id-type
aggressive- The peer ID that will be used for matching when configured to
mode-peer-id Type: vpnAggressiveModePeerId
aggressive- Indicates the type of peer ID that will be used for matching when configured
mode-peer-id- Options: domain-name, user-name
type
auth-method Indicates the type of authentication used when connecting to the remote site
disable-nat Disable NAT for traffic to/from the remote site. Useful when one of the internal
networks contains a server Type: Boolean (true/false)
enable-perfect- Ensures that a session key will not be compromised if one of the (long-term)
forward-secrecy private keys is compromised in the future. Type: Boolean (true/false)
enable- VPN Tunnels are constantly kept active and as a result, make it easier to recognize
permanent-vpn- malfunctions and connectivity problems
tunnel Type: Boolean (true/false)
enabled Indicates whether or not the remote site is enabled
enc-method Indicates which encryption method is used
Options: ike-v1, ike-v2, prefer-ike-v2
enc-profile Encryption profile (one of predefined profiles or custom)
Type: virtual
is-check-point- Enable if the remote site is connected through a Check Point Security Gateway
site Type: Boolean (true/false)
is-site-behind- When connection type is IP address, this indicates if it is behind static NAT
static-nat
link-selection- Specifies The primary IP address for the link selection
primary-addr Type: A string of alphanumeric characters without space between them
link-selection- The type of probing used for link selection when multiple IP addresses are
probing-method configured for the remote site
Options: ongoing, one-time
match-cert-dn Indicates if certificate matching should match the DN string in the certificate to the
configured DN string Type: Boolean (true/false)
set vpn
match-cert-dn- Indicates the configured DN string for certificate matching
string Type: String
match-cert-e-mail Indicates if certificate matching should match the E-mail string in the certificate to
the configured E-mail string
match-cert-e- Indicates the configured E-mail string for certificate matching
mail-string Type: Email address
match-cert-ip Indicates if certificate matching should match IP address in the certificate to the
site's IP address
name Site name
Type: A string that begins with a letter and contains up to 32 alphanumeric (0-9, a-z,
_ -) characters without spaces
password Preshared secret (minimum 6 characters) to be used when authentication method is
configured as such
Type: vpnPassword
phase1-reneg- The period, in minutes, between each IKE SA renegotiation
interval Type: A number with no fractional part (integer)
phase2-dh Determine the strength of the key used for the IPsec (Phase 2) key exchange
process. The higher the group number, the stronger and more secure the key is.
phase2-reneg- The period, in seconds, between each IPSec SA renegotiation
remote-site-enc- The method of defining the remote site's encryption domain
dom-type Options: manually-defined-enc-dom, route-all-traffic-to-site, route-based-vpn, enc-
dom-hidden-behind-remote-site
remote-site-host- Indicates the remote site's host name when the link selection method is configured
name as such
remote-site-ip- Indicates the remote site's single IP address when the link selection method is
address configured as such
remote-site-link- Indicates the method of determining the destination IP address/s of the remote site
selection Options: ip-address, host-name, high-availability, load-sharing, connection-
initiated-only-from-remote-site
site Site name
static-nat-ip Indicates an external routable IP address via static NAT used by the remote site,
when configured as such
set vpn
use-trusted-ca Indicates if a specific trusted CA is used for matching the remote site's certificate or
all configured trusted CAs
Example
set vpn site site17 enabled true remote-site-enc-dom-type manually-defined-

enc-dom enc-profile custom phase1-reneg-interval 15 phase2-reneg-interval
15 enable-perfect-forward-secrecy true phase2-dh word is-check-point-site
true enable-permanent-vpn-tunnel true disable-nat true aggressive-mode-
enabled true aggressive-mode-DH-group word aggressive-mode-enable-peer-id
true aggressive-mode-peer-id-type domain-name aggressive-mode-peer-id
vpnAggressiveModePeerId enc-method ike-v1 use-trusted-ca TEXT match-cert-ip
true match-cert-dn true match-cert-dn-string TEXT match-cert-e-mail true
match-cert-e-mail-string MyEmail@mail.com link-selection-probing-method
ongoing name site17 remote-site-link-selection ip-address remote-site-host-
name myHost.com remote-site-ip-address 192.168.1.1 is-site-behind-static-
nat true static-nat-ip 192.168.1.1 auth-method preshared-secret password
vpnPassword link-selection-primary-addr word
set vpn
set vpn
Description
Adds network objects to the encryption domain of existing remote VPN sites.
Syntax
set vpn site <site> add remote-site-enc-dom-network-obj <remote-site-enc-

dom-network-obj>
Parameters
remote-site- Network Object name
enc-dom-
network-obj
site Site name
Type: A string that begins with a letter and contains up to 32 alphanumeric (0-9, a-z, _
-) characters without spaces
Example
set vpn site site17 add remote-site-enc-dom-network-obj TEXT
set vpn
set vpn
Description
Removes all network objects from the encyryption domain of existing remote VPN sites.
Syntax
set vpn site <site> remove-all remote-site-enc-dom-network-obj
<remote-site-enc-dom-network-obj>
Parameters
enc-dom-
network-obj
site Site name
Example
set vpn site site17 remove-all remote-site-enc-dom-network-obj TEXT
set vpn
set vpn
Description
Removes network objects from the encryption domain of existing remote VPN sites.
Syntax
set vpn site <site> remove remote-site-enc-dom-network-obj <remote-site-

enc-dom-network-obj>
Parameters
enc-dom-
network-obj
site Site name
Example
set vpn site site17 remove remote-site-enc-dom-network-obj TEXT
set vpn
set vpn
Description
Adds IP addresses to an existing remote VPN site. This allows High Availability or Load Sharing between
the remote links using the link selection functionality.
Syntax
set vpn site <site> add link-selection-multiple-addrs addr <link-selection-

multiple-addrs addr>
Parameters
link-selection- IP address
multiple-
addrs addr
site Site name
Example
set vpn site site17 add link-selection-multiple-addrs addr 192.168.1.1
set vpn
set vpn
Description
Removes all IP addresses from an existing remote VPN site configured with multiple links.
Syntax
set vpn site <site>remove-all link-selection-multiple-addrs addr <link-

selection-multiple-addrs addr>
Parameters
multiple-
addrs addr
site Site name
Example
set vpn site site17 remove-all link-selection-multiple-addrs addr

192.168.1.1
set vpn
set vpn
Description
Removes IP addresses from an existing remote VPN site. This allows High Availability or Load Sharing
between the remote links using the link selection functionality.
Syntax
set vpn site <site> remove link-selection-multiple-addrs addr <link-

selection-multiple-addrs addr>
Parameters
multiple-
addrs addr
site Site name
Example
set vpn site site17 remove link-selection-multiple-addrs addr 192.168.1.1
set vpn
set vpn
Description
Adds a phase 1 encryption algorithm to an existing remote VPN site configured with a custom encryption
suite.
Syntax
set vpn site <site> add custom-enc-phase1-enc <custom-enc-phase1-enc>
Parameters
custom-enc- Encryption algorithm preferences for phase1 in the VPN encryption algorithm, which
phase1-enc sets the base for phase2
site Site name
Example
set vpn site site17 add custom-enc-phase1-enc word
set vpn
set vpn
Description
Removes all phase 1 encryption algorithm from an existing remote VPN site configured with a custom
encryption suite.
Syntax
set vpn site <site> remove-all custom-enc-phase1-enc <custom-enc-phase1-

enc>
Parameters
site Site name
Example
set vpn site site17 remove-all custom-enc-phase1-enc word
set vpn
set vpn
Description
Removes a phase 1 encryption algorithm from an existing remote VPN site configured with a custom
encryption suite
Syntax
set vpn site <site> remove custom-enc-phase1-enc <custom-enc-phase1-enc>
Parameters
site Site name
Example
set vpn site site17 remove custom-enc-phase1-enc word
set vpn
set vpn
Description
Adds a phase 1 authentication algorithm to an existing remote VPN site configured with a custom encryption
suite.
Syntax
set vpn site <site> add custom-enc-phase1-auth <custom-enc-phase1-auth>
Parameters
custom-enc- Authentication algorithm used for encryption validation
phase1-auth
site Site name
Example
set vpn site site17 add custom-enc-phase1-auth word
set vpn
set vpn
Description
Removes all phase 1 authentication algorithms from an existing remote VPN site configured with a custom
encryption suite.
Syntax
set vpn site <site> remove-all custom-enc-phase1-auth <custom-enc-phase1-

auth>
Parameters
phase1-auth
site Site name
Example
set vpn site site17 remove-all custom-enc-phase1-auth word
set vpn
set vpn
Description
Removes a phase 1 authentication algorithm from an existing remote VPN site configured with a custom
encryption suite.
Syntax
set vpn site <site> remove custom-enc-phase1-auth <custom-enc-phase1-auth>
Parameters
phase1-auth
site Site name
Example
set vpn site site17 remove custom-enc-phase1-auth word
set vpn
set vpn
Description
Adds a Diffie-Hellman group to an existing remote VPN site configured with a custom encryption suite.
Syntax
set vpn site <site> add custom-enc-phase1-dh-group <custom-enc-phase1-dh-

group>
Parameters
custom-enc- VPN Diffie-Hellman key exchange encryption level
phase1-dh-group
site Site name
Type: A string that begins with a letter and contains up to 32 alphanumeric (0-9,
a-z, _ -) characters without spaces
Example
set vpn site site17 add custom-enc-phase1-dh-group word
set vpn
set vpn
Description
Removes all Diffie-Hellman groups from an existing remote VPN site configured with a custom encryption
suite.
Syntax
set vpn site <site> remove-all custom-enc-phase1-dh-group <custom-enc-

phase1-dh-group>
Parameters
phase1-dh-group
site Site name
Example
set vpn site site17 remove-all custom-enc-phase1-dh-group word
set vpn
set vpn
Description
Removes an Diffie-Hellman group from an existing remote VPN site configured with a custom encryption
suite.
Syntax
set vpn site <site> remove custom-enc-phase1-dh-group <custom-enc-phase1-

dh-group>
Parameters
phase1-dh-group
site Site name
Example
set vpn site site17 remove custom-enc-phase1-dh-group word
set vpn
set vpn
Description
Adds a phase 2 encryption algorithm to an existing remote VPN site configured with a custom encryption
suite.
Syntax
set vpn site <site> add custom-enc-phase2-enc <custom-enc-phase2-enc>
Parameters
custom-enc- Encryption algorithm preferences for phase2 in the VPN encryption algorithm
phase2-enc
site Site name
Example
set vpn site site17 add custom-enc-phase2-enc word
set vpn
set vpn
Description
Removes all phase 2 encryption algorithms from an existing remote VPN site configured with a custom
encryption suite.
Syntax
set vpn site <site> remove-all custom-enc-phase2-enc <custom-enc-phase2-

enc>
Parameters
phase2-enc
site Site name
Example
set vpn site site17 remove-all custom-enc-phase2-enc word
set vpn
set vpn
Description
Removes a phase 2 encryption algorithm from an existing remote VPN site configured with a custom
encryption suite.
Syntax
set vpn site <site> remove custom-enc-phase2-enc <custom-enc-phase2-enc>
Parameters
phase2-enc
site Site name
Example
set vpn site site17 remove custom-enc-phase2-enc word
set vpn
set vpn
Description
Adds a phase 2 authentication algorithm to an existing remote VPN site configured with a custom encryption
suite.
Syntax
set vpn site <site> add custom-enc-phase2-auth <custom-enc-phase2-auth>
Parameters
phase2-auth
site Site name
Example
set vpn site site17 add custom-enc-phase2-auth word
set vpn
set vpn
Description
Removes all phase 2 authentication algorithms from an existing remote VPN site configured with a custom
encryption suite.
Syntax
set vpn site <site> remove-all custom-enc-phase2-auth <custom-enc-phase2-

auth>
Parameters
phase2-auth
site Site name
Example
set vpn site site17 remove-all custom-enc-phase2-auth word
set vpn
set vpn
Description
Removes a phase 2 authentication algorithm from an existing remote VPN site configured with a custom
encryption suite.
Syntax
set vpn site <site> remove custom-enc-phase2-auth <custom-enc-phase2-auth>
Parameters
phase2-auth
site Site name
Example
set vpn site site17 remove custom-enc-phase2-auth word
set vpn
set vpn
Description
Configures an existing Virtual Tunnel Interface (VTI) for route based VPN.
Syntax
set vpn tunnel <tunnel> type { unnumbered [ peer <peer> ] [ internet-

connection <internet-connection> ] | numbered [ local <local> ] [ remote
<remote> ] [ peer <peer> ] }
Parameters
internet- The local interface for unnumbered VTI
connection
local Enter the IP address of the interface
Type: IP address
peer Remote peer name as defined in the VPN community. You must define the two peers in
the VPN community before you can define the VTI. The Peer ID is an alpha-numeric
character string.
remote Defines the remote peer IPv4 address, used at the peer gateway's point-to-point virtual
interface (numbered VTI only)
Type: IP address
type The type of VTI: Numbered VTI that uses a specified, static IPv4 addresses for local and
remote connections, or unnumbered VTI that uses the interface and the remote peer
name to get addresses
Example
set vpn tunnel 15 type unnumbered peer site17 internet-connection My

connection
show vpn
show vpn
Shows VPN site to site configuration.
show vpn
show vpn
Description
Shows the configuration of a remote VPN site.
Syntax
show vpn site <site>
Parameters
site Site name
Example
show vpn site site17
show vpn
show vpn
Description
Shows the configuration of a Virtual Tunnel Interface (VTI) used for route-based VPN.
Syntax
show vpn tunnel <tunnel>
Parameters
Example
show vpn tunnel 12
vpn remote-access
vpn remote-access
set vpn remote-access
Configures settings for VPN remote access (Client to server VPN).
Description
Configures settings for VPN remote access.
Syntax
set vpn remote-access [ default-access-to-lan <default-access-to-lan>
] [ mode <mode> ] [ track <track> ] [ mobile-client <mobile-client> ] [

sslvpn-client <sslvpn-client> ] [ l2tp-vpn-client <l2tp-vpn-client> ] [ l2tp-
pre-shared-key <l2tp-pre-shared-key> ]
Parameters
default-access-to- Allow traffic from Remote Access clients (by default)
lan Options: block, accept
l2tp-pre-shared-key L2TP Pre-Shared Key
l2tp-vpn-client Enable VPN remote access clients to connect via native VPN client (L2TP)
mobile-client Enable VPN remote access mobile clients to connect via Check Point Mobile VPN
client
mode Enable VPN Remote Access
sslvpn-client Enable VPN remote access clients to connect via SSL VPN
track Log traffic from Remote Access clients (by default)
Options: none, log
Example
set vpn remote-access default-access-to-lan block mode true track none

mobile-client true sslvpn-client true l2tp-vpn-client true l2tp-pre-shared-
key word
Description
Configures advanced settings for VPN remote access.
Syntax
set vpn remote-access advanced-settings enc-dns-traffic <enc-dns-traffic>
Parameters
n/a
Example
set vpn remote-access advanced-settings enc-dns-traffic true
Description
Syntax
set vpn remote-access advanced-settings verify-gateway-cert <verify-

gateway-cert>
Parameters
n/a
Example
set vpn remote-access advanced-settings verify-gateway-cert true
Description
Syntax
set vpn remote-access advanced-settings update-topo-startup <update-topo-

startup>
Parameters
n/a
Example
set vpn remote-access advanced-settings update-topo-startup true
Description
Syntax
set vpn remote-access advanced-settings keep-alive-time <keep-alive-time>
Parameters
n/a
Example
set vpn remote-access advanced-settings keep-alive-time 15
Description
Syntax
set vpn remote-access advanced-settings endpoint-vpn-user-re-auth-timeout

<endpoint-vpn-user-re-auth-timeout>
Parameters
n/a
Example
set vpn remote-access advanced-settings endpoint-vpn-user-re-auth-timeout

15
Description
Syntax
set vpn remote-access advanced-settings ike-over-tcp <ike-over-tcp>
Parameters
n/a
Example
set vpn remote-access advanced-settings ike-over-tcp true
Description
Syntax
set vpn remote-access advanced-settings is-udp-enc-active <is-udp-enc-

active>
Parameters
n/a
Example
set vpn remote-access advanced-settings is-udp-enc-active true
Description
Syntax
set vpn remote-access advanced-settings radius-retransmit-timeout <radius-

retransmit-timeout>
Parameters
n/a
Example
set vpn remote-access advanced-settings radius-retransmit-timeout 15
Description
Syntax
set vpn remote-access advanced-settings om-method-radius <om-method-radius>
Parameters
n/a
Example
set vpn remote-access advanced-settings om-method-radius true
Description
Syntax
set vpn remote-access advanced-settings snx-uninstall-on-disconnect <snx-

uninstall-on-disconnect>
Parameters
n/a
Example
set vpn remote-access advanced-settings snx-uninstall-on-disconnect ask-

user
Description
Syntax
set vpn remote-access advanced-settings snx-keep-alive-timeout <snx-keep-

alive-timeout>
Parameters
n/a
Example
set vpn remote-access advanced-settings snx-keep-alive-timeout 15
Description
Syntax
set vpn remote-access advanced-settings snx-min-tls <snx-min-tls>
Parameters
n/a
Example
set vpn remote-access advanced-settings snx-min-tls tls-1-0
Description
Syntax
set vpn remote-access advanced-settings snx-encryption-enable-3des <snx-

encryption-enable-3des>
Parameters
n/a
Example
set vpn remote-access advanced-settings snx-encryption-enable-3des true
Description
Syntax
set vpn remote-access advanced-settings update-topo <update-topo>
Parameters
n/a
Example
set vpn remote-access advanced-settings update-topo 15
Description
Syntax
set vpn remote-access advanced-settings use-limited-auth-timeout <use-

limited-auth-timeout>
Parameters
n/a
Example
set vpn remote-access advanced-settings use-limited-auth-timeout true
Description
Syntax
set vpn remote-access advanced-settings auth-timeout-limit <auth-timeout-

limit>
Parameters
n/a
Example
set vpn remote-access advanced-settings auth-timeout-limit 15
Description
Syntax
set vpn remote-access advanced-settings om-enable-with-multiple-if <om-

enable-with-multiple-if>
Parameters
n/a
Example
set vpn remote-access advanced-settings om-enable-with-multiple-if true
Description
Syntax
set vpn remote-access advanced-settings disconnect-enc-domain <disconnect-

enc-domain>
Parameters
n/a
Example
set vpn remote-access advanced-settings disconnect-enc-domain true
Description
Syntax
set vpn remote-access advanced-settings enable-back-conn <enable-back-conn>
Parameters
n/a
Example
set vpn remote-access advanced-settings enable-back-conn true
Description
Syntax
set vpn remote-access advanced-settings allow-update-topo <allow-update-

topo>
Parameters
n/a
Example
set vpn remote-access advanced-settings allow-update-topo true
Description
Syntax
set vpn remote-access advanced-settings snx-encryption-enable-rc4 <snx-

encryption-enable-rc4>
Parameters
n/a
Example
set vpn remote-access advanced-settings snx-encryption-enable-rc4 true
Description
Syntax
set vpn remote-access advanced-settings ike-ip-comp-support <ike-ip-comp-

support>
Parameters
n/a
Example
set vpn remote-access advanced-settings ike-ip-comp-support true
Description
Syntax
set vpn remote-access advanced-settings enc-method <enc-method>
Parameters
n/a
Example
set vpn remote-access advanced-settings enc-method ike-v1
Description
Syntax
set vpn remote-access advanced-settings snx-upgrade <snx-upgrade>
Parameters
n/a
Example
set vpn remote-access advanced-settings snx-upgrade ask-user
Description
Syntax
set vpn remote-access advanced-settings ike-support-crash-recovery <ike-

support-crash-recovery>
Parameters
n/a
Example
set vpn remote-access advanced-settings ike-support-crash-recovery true
Description
Syntax
set vpn remote-access advanced-settings allow-clear-traffic-while-

disconnected <allow-clear-traffic-while-disconnected>
Parameters
n/a
Example
set vpn remote-access advanced-settings allow-clear-traffic-while-

disconnected true
Description
Syntax
set vpn remote-access advanced-settings allow-caching-passwords-on-client

<allow-caching-passwords-on-client>
Parameters
n/a
Example
set vpn remote-access advanced-settings allow-caching-passwords-on-client

true
Description
Syntax
set vpn remote-access advanced-settings prevent-ip-pool-nat <prevent-ip-

pool-nat>
Parameters
n/a
Example
set vpn remote-access advanced-settings prevent-ip-pool-nat true
Description
Syntax
set vpn remote-access advanced-settings disable-office-mode <disable-

office-mode>
Parameters
n/a
Example
set vpn remote-access advanced-settings disable-office-mode true
Description
Syntax
set vpn remote-access advanced-settings snx-user-re-auth-timeout <snx-user-

re-auth-timeout>
Parameters
n/a
Example
set vpn remote-access advanced-settings snx-user-re-auth-timeout 15
Description
Syntax
set vpn remote-access advanced-settings allow-simultaneous-login <allow-

simultaneous-login>
Parameters
n/a
Example
set vpn remote-access advanced-settings allow-simultaneous-login true
Description
Syntax
set vpn remote-access advanced-settings port [ visitor-mode-port <visitor-

mode-port> ] [ reserve-port-443 <reserve-port-443> ]
Parameters
n/a
Example
set vpn remote-access advanced-settings port visitor-mode-port 8080

reserve-port-443 true
Description
Syntax
set vpn remote-access advanced-settings office-mode [ om-perform-

antispoofing <om-perform-antispoofing> ] [ single-om-per-site <single-om-
per-site> ]
Parameters
n/a
Example
set vpn remote-access advanced-settings office-mode om-perform-antispoofing

true single-om-per-site true
Description
Syntax
set vpn remote-access advanced-settings visitor-mode [ enable-visitor-mode-

all <enable-visitor-mode-all> ] [ visitor-mode-interface <visitor-mode-
interface>]
Parameters
n/a
Example
set vpn remote-access advanced-settings visitor-mode enable-visitor-mode-

all all visitor-mode-interface 192.168.1.1
Description
Enable/Disable two-factor authentication for VPN remote access.
Syntax
set vpn remote-access use-two-factor-authentication { true | false }
Parameters
n/a
Example
set vpn remote-access use-two-factor-authentication true
Description
Enable/Disable two-factor authentication for VPN remote access.
Syntax
set vpn remote-access use-two-factor-authentication { true | false }
Parameters
n/a
Example
set vpn remote-access use-two-factor-authentication true
show vpn remote-access
Shows configuration of remote access VPN.
Description
Syntax
Parameters
n/a
Example
Output
> show vpn remote-access

mode: false
default-access-to-lan: accept
track: log
use-two-factor-authentication:true
mobile-client: true
sslvpn-client: false
l2tp-vpn-client: false
l2tp-pre-shared-key:
Description
Shows advanced settings of remote access VPN.
Syntax
show vpn remote-access advanced-settings
Parameters
n/a
Example
show vpn remote-access advanced-settings
Description
Syntax
Parameters
n/a
Example
Output

mode: false
track: log
mobile-client: true
Description
Syntax
Parameters
n/a
Example
Output

mode: false
track: log
mobile-client: true
set vpn remote-access advanced
Description
Syntax
set vpn remote-access advanced [ om-network-ip <om-network-ip> ] [ om-

subnet-mask <om-subnet-mask> ] [ default-route-through-this-gateway
<default-route-through-this-gateway> ] [ enc-dom <enc-dom> ] [
use-this-gateway-as-dns-server <use-this-gateway-as-dns-server> ] [ dns-

primary <dns-primary> ] [ dns-secondary <dns-secondary> ] [ dns-tertiary <dns-
tertiary> ] [ dns-domain-mode <dns-domain-mode> ] [ domain-name <domain-name>
]
Parameters
default-route- Indicates if Internet traffic from connected clients will be routed first through this
through- this- gateway
gateway Type: Boolean (true/false)
dns-domain-mode Indicates if remote access clients use the domain name configured under DNS
network settings of the device, or a manually configured domain name
dns-primary Configure manually office mode first DNS
Type: IP address
dns-secondary Configure manually office mode second DNS
Type: IP address
dns-tertiary Configure manually office mode third DNS
Type: IP address
domain-name Manual configuration of the domain used by remote access clients
Type: A FQDN
enc-dom Indicates if the encryption domain for remote access clients is calculated
automatically or manually configured
Options: manual, auto
om-network-ip Office Mode - Allocate IP addresses from the following network
Type: Network address
om-subnet-mask Subnet for allocating IP addresses of incoming remote access connections (Office
Mode)
Type: Subnet mask
use-this-gateway- Indicates if the remote access clients will use this gateway as a DNS server.
as- dns-server Applicable only when encryption domain is calculated automatically
Example
set vpn remote-access advanced om-network-ip 172.16.10.0 om-subnet-mask

255.255.255.0 default-route-through-this-gateway true enc-dom manual use-
this-gateway-as-dns-server true dns-primary 192.168.1.1 dns-secondary
192.168.1.1 dns-tertiary 192.168.1.1 dns-domain-mode true domain-name
somehost.example.com
show vpn remote-access advanced
Description
Shows advanced settings of remote access VPN.
Syntax
Parameters
n/a
Example
set vpn remote-access advanced enc-dom-obj manual
set vpn remote-access advanced enc-dom-obj
manual
Configures manual encryption domain for VPN remote access users.
Description
Adds a network object to the manual encryption domain of VPN remote access.
Syntax
set vpn remote-access advanced enc-dom-obj manual add name <name>
Parameters
Example
set vpn remote-access advanced enc-dom-obj manual add name TEXT
Description
Removes a network object from the manual encryption domain of VPN remote access.
Syntax
set vpn remote-access advanced enc-dom-obj manual remove name <name>
Parameters
Example
set vpn remote-access advanced enc-dom-obj manual remove name TEXT
vpn remote-access two-factor-
authentication
set vpn remote-access two-factor-
authentication
Description
Configure two-factor authentication for VPN Remote Access.
Syntax
set vpn remote-access two-factor-authentication [ use-sms <use-sms> [ sms-

provider <sms-provider> ] [ sms-dynamicid-url <sms-dynamicid-url> ]
[ sms-provider-username <sms-provider-username> ] [ sms-provider-password
<sms-provider-password> ] [ sms-api-id <sms-api-id> ] [ sms-message<sms-
message> ]
[ one-time-password-length <one-time-password-length> ] [ one-time-
password-expiration
<one-time-password-expiration> ] [ one-time-password-retries
<one-time-password-retries> ] [ default-country-code <default-country-code>
]
Parameters
default-country- The default country code for phone numbers that do not include a country code.
code Type: A number with no fractional part (integer).
one-time- The amount of time users have to enter the one time password before it expires
password- (in minutes).
expiration Type: A number with no fractional part (integer)
one-time- Number of characters used in the one time password.
password-length Type: A number with no fractional part (integer).
one-time- The number of times users can attempt to enter the one time password before the
password-retries entire authentication process restarts.
sms-api-id The API ID required by the SMS provider.
sms-dynamicid-url The DynamicID URL when sending SMS message using a user defined SMS
provider.
Type: urlDynamicId
sms-message The SMS message that will be sent to the user.
Type: String
sms-provider Indicates which provider will send the SMS messages.
Options: check-point, external
sms-provider- The password required by the SMS provider.
password Type: extendedPassword
sms-provider- The username required by the SMS provider
username Type: A string that contains (0-9, a-z, - . @) up to 64 characters without spaces.
use-email Indicates whether sending email messages is enabled Type: Boolean (true/false)
use-sms Indicates whether sending SMS messages is enabled.
Example
set vpn remote-access two-factor-authentication use-sms true sms-provider

check-point sms-dynamicid-url urlDynamicId sms-provider-username admin
sms-provider-password extendedPassword sms-api-id word sms-message TEXT
one-time-password-length 8
one-time-password-expiration 5 one-time-password-retries 3 default-country-
code 8
show vpn remote-access two-factor-
authentication
Description
Show two-factor authentication for VPN Remote Access settings.
Syntax
show vpn remote-access two-factor-authentication
Parameters
n/a
Example
Output

use-sms: true
sms-provider: external
sms-dynamicid-url: https:asdf.com
sms-provider-username: asdf
sms-provider-password:
sms-api-id:
sms-message: Hello World
use-email: false
email-provider: external
email-dynamicid-path:
email-api-id:
email-message:
one-time-password-length: 6
one-time-password-expiration: 5
one-time-password-retires: 3
default-country-code:
vpn site
vpn site
add vpn site
add vpn site
Description
Adds a new remote VPN site for VPN site-to-site.
add vpn site
Syntax
add vpn site
add vpn site name <name> remote-site-link-selection { host-name remote-

site-host-name <remote-site-host-name> auth-method { preshared-secret
password <password> [ enabled <enabled> ] [ remote-site-enc-dom-type
<remote-site-enc-dom-type> ] [ enc-profile <enc-profile> ] [ phase1-reneg-
interval <phase1-reneg-interval> ] [ phase2-reneg-interval <phase2-reneg-
interval> ] [ enable-perfect-forward-secrecy { true [ phase2-dh <phase2-dh>
] | false } ] [ is-check-point-site { true [ enable-permanent-vpn-tunnel
<enable-permanent-vpn-tunnel> ] | false } ] [ disable-nat <disable-nat> ] [
DH-group> [ { aggressive-mode-enable-peer-id { true aggressive-mode-peer-
id-type <aggressive-mode-peer-id-type> aggressive-mode-peer-id <aggressive-
mode-peer-id> | false } | aggressive-mode-enable-gateway-id { true
aggressive-mode-gateway-id-type <aggressive-mode-gateway-id-type>
aggressive-mode-gateway-id <aggressive-mode-gateway-id> | false } } ] |
false } ] [ enc-method <enc-method> ] [ use-trusted-ca <use-trusted-ca> ] [
match-cert-ip <match-cert-ip> ] [ match-cert-dn { true match-cert-dn-string
<match-cert-dn-string>| false } ] [ match-cert-e-mail { true match-cert-e-
mail-string <match-cert-e-mail-string> | false } ] [ link-selection-
probing-method <link-selection-probing-method> ] | certificate [ enabled
<enabled> ] [ remote-site-enc-dom-type <remote-site-enc-dom-type> ] [ enc-
profile <enc-profile> ] [ phase1-reneg-interval <phase1-reneg-interval> ] [
phase2-reneg-interval <phase2-reneg-interval> ] [ enable-perfect-forward-
secrecy { true [ phase2-dh <phase2-dh> ] | false } ] [ is-check-point-site
{ true [ enable-permanent-vpn-tunnel <enable-permanent-vpn-tunnel> ] |
false } ] [ disable-nat <disable-nat> ] [ aggressive-mode-enabled { true
aggressive-mode-DH-group <aggressive-mode-DH-group> [ { aggressive-mode-
enable-peer-id { true aggressive-mode-peer-id-type <aggressive-mode-peer-
id-type> aggressive-mode-peer-id <aggressive-mode-peer-id> | false } |
aggressive-mode-enable-gateway-id { true aggressive-mode-gateway-id-type
<aggressive-mode-gateway-id-type> aggressive-mode-gateway-id <aggressive-
mode-gateway-id> | false } } ] | false } ] [ enc-method <enc-method> ] [
use-trusted-ca <use-trusted-ca>] [ match-cert-ip <match-cert-ip> ] [ match-
cert-dn { true match-cert-dn-string <match-cert-dn-string> | false } ] [
match-cert-e-mail { true match-cert-e-mail-string <match-cert-e-mail-
string> | false } ] [ link-selection-probing-method <link-selection-
probing-method> ] } | ip-address remote-site-ip-address <remote-site-ip-
address> is-site-behind-static-nat { true static-nat-ip <static-nat-ip>
auth-method { preshared-secret password <password> [ enabled <enabled> ] [
remote-site-enc-dom-type <remote-site-enc-dom-type> ] [ enc-profile <enc-
profile> ] [ phase1-reneg-interval <phase1-reneg-interval> ] [ phase2-
reneg-interval <phase2-reneg-interval> ] [ enable-perfect-forward-secrecy {
true [ phase2-dh <phase2-dh> ] | false } ] [ is-check-point-site { true [
enable-permanent-vpn-tunnel <enable-permanent-vpn-tunnel> ] | false } ] [
disable-nat <disable-nat> ] [ aggressive-mode-enabled { true aggressive-
mode-DH-group <aggressive-mode-DH-group> [ { aggressive-mode-enable-peer-id
{ true aggressive-mode-peer-id-type <aggressive-mode-peer-id-type>
aggressive-mode-peer-id <aggressive-mode-peer-id> | false } | aggressive-
mode-enable-gateway-id { true aggressive-mode-gateway-id-type <aggressive-
mode-gateway-id-type> aggressive-mode-gateway-id <aggressive-mode-gateway-
id> | false } } ] | false } ] [ enc-method <enc-method> ] [ use-trusted-ca
<use-trusted-ca> ] [ match-cert-ip <match-cert-ip> ] [ match-cert-dn { true
match-cert-dn-string <match-cert-dn-string> | false } ] [ match-cert-e-mail
{ true match-cert-e-mail-string <match-cert-e-mail-string> | false } ] [
link-selection-probing-method <link-selection-probing-method> ] |
certificate [ enabled <enabled> ] [ remote-site-enc-dom-type <remote-site-
enc-dom-type> ] [ enc-profile <enc-profile> ] [ phase1-reneg-interval
<phase1-reneg-interval> ] [ phase2-reneg-interval <phase2-reneg-interval> ]
[ enable-perfect-forward-secrecy { true [ phase2-dh <phase2-dh> ] | false }
] [ is-check-point-site { true [ enable-permanent-vpn-tunnel <enable-
permanent-vpn-tunnel> ] | false } ] [ disable-nat <disable-nat>] [
DH-group> [ { aggressive-mode-enable-peer-id { true aggressive-mode-peer-
add vpn site
Parameters
aggressive-mode- determine the strength of the key when aggressive mode is enabled
DH-group
aggressive-mode- Indicates if gateway ID matching will be used. This adds a layer of security to
enable-gateway-id aggressive mode
aggressive-mode- Indicates if peer ID matching will be used. This adds a layer of security to
enable-peer-id aggressive mode
aggressive-mode- main mode, is used. It is less recommended if the remote site supports IPSec main
enabled mode
aggressive-mode- The gateway ID that will be used for matching when configured to
gateway-id Type: vpnAggressiveModePeerId
aggressive-mode- Indicates the type of gateway ID that will be used for matching when configured
gateway-id-type Options: domain-name, user-name
aggressive-mode- The peer ID that will be used for matching when configured to
peer-id Type: vpnAggressiveModePeerId
aggressive-mode- Indicates the type of peer ID that will be used for matching when configured
peer-id-type Options: domain-name, user-name
auth-method Indicates the type of authentication used when connecting to the remote site
disable-nat Disable NAT for traffic to/from the remote site. Useful when one of the internal
networks contains a server
enable-perfect- Ensures that a session key will not be compromised if one of the (long-term)
forward-secrecy private keys is compromised in the future.
enable- VPN Tunnels are constantly kept active and as a result, make it easier to recognize
permanent- vpn- malfunctions and connectivity problems Type: Boolean (true/false)
tunnel
enabled Indicates whether or not the remote site is enabled
enc-method Indicates which encryption method is used
Options: ike-v1, ike-v2, prefer-ike-v2
add vpn site
enc-profile Encryption profile (one of predefined profiles or custom)
Type: virtual
is-check-point-site Enable if the remote site is connected through a Check Point Security Gateway
is-site-behind- Indicates if the remote site is behind static NAT
static- nat Type: Boolean (true/false)
multiple-addrs
addr
link-selection- The type of probing used for link selection when multiple IP addresses are
probing- method configured for the remote site
Options: ongoing, one-time
match-cert-dn Indicates if certificate matching should match the DN string in the certificate to the
configured DN string
match-cert-dn- Indicates the configured DN string for certificate matching
string Type: String
match-cert-e-mail Indicates if certificate matching should match the E-mail string in the certificate to
the configured E-mail string
match-cert-e-mail- Indicates the configured E-mail string for certificate matching
string Type: Email address
match-cert-ip Indicates if certificate matching should match IP address in the certificate to the
site's IP address
name Site name
Type: A string that begins with a letter and contains up to 32 alphanumeric (0-9, a-
z, _ -) characters without spaces
password Preshared secret (minimum 6 characters) to be used when authentication method
is configured as such
Type: vpnPassword
phase1-reneg- The period, in minutes, between each IKE SA renegotiation
phase2-dh Determine the strength of the key used for the IPsec (Phase 2) key exchange
process. The higher the group number, the stronger and more secure the key is.
phase2-reneg- The period, in seconds, between each IPSec SA renegotiation
add vpn site
remote-site-enc- The method of defining the remote site's encryption domain
dom- type Options: manually-defined-enc-dom, route-all-traffic-to-site, route-based-vpn, enc-
dom-hidden-behind-remote-site
remote-site-host- Indicates the host name of the remote site
name Type: An IP address or host name
remote-site-ip- Indicates the IP address of the remote site
address Type: IP address
remote-site-link- Indicates the method of determining the destination IP address/s of the remote site
selection Type: Press TAB to see available options
static-nat-ip Indicates an external routable IP address via static NAT used by the remote site
Type: IP address
use-trusted-ca Indicates if a specific trusted CA is used for matching the remote site's certificate or
all configured trusted CAs
add vpn site
Example
add vpn site name site17 remote-site-link-selection host-name remote-site-

host-name myHost.com auth-method preshared-secret password vpnPassword
enabled true remote-site-enc-dom-type manually-defined-enc-dom enc-profile
custom phase1-reneg-interval 15 phase2-reneg-interval 15 enable-perfect-
forward-secrecy true phase2-dh word is-check-point-site true enable-
permanent-vpn-tunnel true disable-nat true aggressive-mode-enabled true
aggressive-mode-DH-group word aggressive-mode-enable-peer-id true
aggressive-mode-peer-id-type domain-name aggressive-mode-peer-id
ongoing enabled true remote-site-enc-dom-type manually-defined-enc-dom enc-
profile custom phase1-reneg-interval 15 phase2-reneg-interval 15 enable-
perfect-forward-secrecy true phase2-dh word is-check-point-site true
enable-permanent-vpn-tunnel true disable-nat true aggressive-mode-enabled
true aggressive-mode-DH-group word aggressive-mode-enable-peer-id true
aggressive-mode-peer-id-type domain-name aggressive-mode-peer-id
ongoing auth-method preshared-secret password vpnPassword enabled true
remote-site-enc-dom-type manually-defined-enc-dom enc-profile custom
phase1-reneg-interval 15 phase2-reneg-interval 15 enable-perfect-forward-
secrecy true phase2-dh word is-check-point-site true enable-permanent-vpn-
tunnel true disable-nat true aggressive-mode-enabled true aggressive-mode-
DH-group word aggressive-mode-enable-peer-id true aggressive-mode-peer-id-
type domain-name aggressive-mode-peer-id vpnAggressiveModePeerId enc-method
ike-v1 use-trusted-ca TEXT match-cert-ip true match-cert-dn true match-
cert-dn-string TEXT match-cert-e-mail true match-cert-e-mail-string
MyEmail@mail.com link-selection-probing-method ongoing enabled true remote-
site-enc-dom-type manually-defined-enc-dom enc-profile custom phase1-reneg-
interval 15 phase2-reneg-interval 15 enable-perfect-forward-secrecy true
phase2-dh word is-check-point-site true enable-permanent-vpn-tunnel true
disable-nat true aggressive-mode-enabled true aggressive-mode-DH-group word
aggressive-mode-enable-peer-id true aggressive-mode-peer-id-type domain-
name aggressive-mode-peer-id vpnAggressiveModePeerId enc-method ike-v1 use-
trusted-ca TEXT match-cert-ip true match-cert-dn true match-cert-dn-string
TEXT match-cert-e-mail true match-cert-e-mail-string MyEmail@mail.com link-
selection-probing-method ongoing
delete vpn site
delete vpn site
Delete VPN sites.
delete vpn site
delete vpn site
Description
Delete an existing VPN site by name.
Syntax
delete vpn site name <name>
Parameters
name Site name
Example
delete vpn site name site17
delete vpn site
delete vpn site
Description
Delete all existing VPN sites.
Syntax
delete vpn site all
Parameters
n/a
Example
delete vpn site all
show vpn sites
show vpn sites
Description
Show all configured remote VPN sites.
Syntax
show vpn sites
Parameters
n/a
Example
show vpn sites
vpn site-to-site
vpn site-to-site
set vpn site-to-site
Configure global settings for VPN site to site.
Description
Configure global settings for VPN site to site.
Syntax
set vpn site-to-site [ mode <mode> ] [ default-access-to-lan <default-

access-to-lan> ] [ track <track> ] [ local-encryption-domain <local-
encryption-domain> ] [ manual-source-ip-address <manual-source-ip-address>
] [ source-ip-address-selection <source-ip-address-selection> ] [ outgoing-
interface-selection <outgoing-interface-selection> ] [ use-dpd-responder-
mode <use-dpd-responder-mode> ] [ tunnel-health-monitor-mode <tunnel-
health-monitor-mode>]
Parameters
default-access-to- Allow traffic from remote sites (by default)?A? ?I
lan Options: block, accept
local-encryption- Indicates if the local encryption domain is configured manually or determined
domain automatically using the local networks
Options: auto, manual
manual-source-ip- A manually configured source IP address to be used (if configured to) for VPN
address tunnels
Type: IP address
mode Indicates whether or not VPN site to site is active
outgoing- Indicates the method according to which the outgoing interface selection for VPN
interface-selection traffic is chosen
Options: routing-table, route-based-probing
source-ip- Select whether the source IP address is chosen automatically according to the
address-selection outgoing interface or manually configured
Options: automatically, manually
track The default Logging setting for traffic from remote sites
Options: none, log
tunnel-health- VPN tunnel monitor mechanism, can work with permanent tunnel or with DPD
monitor-mode mode
Options: tunnel-test, dpd
use-dpd- Once checked DPD responder mode will be enabled, otherwise permanent tunnel
responder-mode based on DPD mode will be enabled
Example
set vpn site-to-site mode true default-access-to-lan block track none

local-encryption-domain auto manual-source-ip-address 192.168.1.1 source-
ip-address-selection automatically outgoing-interface-selection routing-
table use-dpd-responder-mode true tunnel-health-monitor-mode tunnel-test
Description
Configure advanced settings for VPN site to site.
Syntax
set vpn site-to-site advanced-settings sync-sa-with-other-cluster-members

<sync-sa-with-other-cluster-members>
Parameters
n/a
Example
set vpn site-to-site advanced-settings sync-sa-with-other-cluster-members

15
Description
Syntax
set vpn site-to-site advanced-settings keep-dont-fragment-flag-on-packet

<keep-dont-fragment-flag-on-packet>
Parameters
n/a
Example
set vpn site-to-site advanced-settings keep-dont-fragment-flag-on-packet

true
Description
Syntax
set vpn site-to-site advanced-settings delete-ipsec-sas-on-ikes-delete

<delete-ipsec-sas-on-ikes-delete>
Parameters
n/a
Example
set vpn site-to-site advanced-settings delete-ipsec-sas-on-ikes-delete true
Description
Syntax
set vpn site-to-site advanced-settings period-after-crl-not-valid <period-

after-crl-not-valid>
Parameters
n/a
Example
set vpn site-to-site advanced-settings period-after-crl-not-valid 2
Description
Syntax
set vpn site-to-site advanced-settings log-notification-for-administrative-

actions <log-notification-for-administrative-actions>
Parameters
n/a
Example
set vpn site-to-site advanced-settings log-notification-for-administrative-

actions none
Description
Syntax
set vpn site-to-site advanced-settings udp-encapsulation-for-firewalls-and-

proxies <udp-encapsulation-for-firewalls-and-proxies>
Parameters
n/a
Example
set vpn site-to-site advanced-settings udp-encapsulation-for-firewalls-and-

proxies true
Description
Syntax
set vpn site-to-site advanced-settings copy-diff-serv-from-ipsec-packet

<copy-diff-serv-from-ipsec-packet>
Parameters
n/a
Example
set vpn site-to-site advanced-settings copy-diff-serv-from-ipsec-packet

true
Description
Syntax
set vpn site-to-site advanced-settings log-vpn-successful-key-exchange

<log-vpn-successful-key-exchange>
Parameters
n/a
Example
set vpn site-to-site advanced-settings log-vpn-successful-key-exchange none
Description
Syntax
set vpn site-to-site advanced-settings dpd-triggers-new-ike-negotiation

<dpd-triggers-new-ike-negotiation>
Parameters
n/a
Example
set vpn site-to-site advanced-settings dpd-triggers-new-ike-negotiation

true
Description
Syntax
set vpn site-to-site advanced-settings log-vpn-packet-handling-errors <log-

vpn-packet-handling-errors>
Parameters
n/a
Example
set vpn site-to-site advanced-settings log-vpn-packet-handling-errors none
Description
Syntax
set vpn site-to-site advanced-settings keep-ikesa-keys <keep-ikesa-keys>
Parameters
n/a
Example
set vpn site-to-site advanced-settings keep-ikesa-keys do-not-keep
Description
Syntax
set vpn site-to-site advanced-settings permanent-tunnel-up-track

<permanent-tunnel-up-track>
Parameters
n/a
Example
set vpn site-to-site advanced-settings permanent-tunnel-up-track none
Description
Syntax
set vpn site-to-site advanced-settings tunnel-test-from-internal <tunnel-

test-from-internal>
Parameters
n/a
Example
set vpn site-to-site advanced-settings tunnel-test-from-internal true
Description
Syntax
set vpn site-to-site advanced-settings vpn-tunnel-sharing <vpn-tunnel-

sharing>
Parameters
n/a
Example
set vpn site-to-site advanced-settings vpn-tunnel-sharing hosts
Description
Syntax
set vpn site-to-site advanced-settings vpn-configuration-and-key-exchange-

errors <vpn-configuration-and-key-exchange-errors>
Parameters
n/a
Example
set vpn site-to-site advanced-settings vpn-configuration-and-key-exchange-

errors none
Description
Syntax
set vpn site-to-site advanced-settings reply-from-same-ip <reply-from-same-

ip>
Parameters
n/a
Example
set vpn site-to-site advanced-settings reply-from-same-ip true
Description
Syntax
set vpn site-to-site advanced-settings no-local-dns-encrypt <no-local-dns-

encrypt>
Parameters
n/a
Example
set vpn site-to-site advanced-settings no-local-dns-encrypt true
Description
Syntax
set vpn site-to-site advanced-settings is-admin-access-agnostic <is-admin-

access-agnostic>
Parameters
n/a
Example
set vpn site-to-site advanced-settings is-admin-access-agnostic true
Description
Syntax
set vpn site-to-site advanced-settings period-before-crl-valid <period-

before-crl-valid>
Parameters
n/a
Example
set vpn site-to-site advanced-settings period-before-crl-valid 5
Description
Syntax
set vpn site-to-site advanced-settings maximum-concurrent-vpn-tunnels

<maximum-concurrent-vpn-tunnels>
Parameters
n/a
Example
set vpn site-to-site advanced-settings maximum-concurrent-vpn-tunnels 5
Description
Syntax
set vpn site-to-site advanced-settings limit-open-sas <limit-open-sas>
Parameters
n/a
Example
set vpn site-to-site advanced-settings limit-open-sas 5
Description
Syntax
set vpn site-to-site advanced-settings permanent-tunnel-down-track

<permanent-tunnel-down-track>
Parameters
n/a
Example
set vpn site-to-site advanced-settings permanent-tunnel-down-track none
Description
Syntax
set vpn site-to-site advanced-settings enable-link-selection <enable-link-

selection>
Parameters
n/a
Example
set vpn site-to-site advanced-settings enable-link-selection true
Description
Syntax
set vpn site-to-site advanced-settings check-validity-of-ipsec-reply-

packets <check-validity-of-ipsec-reply-packets>
Parameters
n/a
Example
set vpn site-to-site advanced-settings check-validity-of-ipsec-reply-

packets true
Description
Syntax
set vpn site-to-site advanced-settings ike-dos-protection-unknown-sites

<ike-dos-protection-unknown-sites>
Parameters
n/a
Example
set vpn site-to-site advanced-settings ike-dos-protection-unknown-sites

none
Description
Syntax
set vpn site-to-site advanced-settings ike-dos-protection-known-sites <ike-

dos-protection-known-sites>
Parameters
n/a
Example
set vpn site-to-site advanced-settings ike-dos-protection-known-sites none
Description
Syntax
set vpn site-to-site advanced-settings maximum-concurrent-ike-negotiations

<maximum-concurrent-ike-negotiations>
Parameters
n/a
Example
set vpn site-to-site advanced-settings maximum-concurrent-ike-negotiations

20
Description
Syntax
set vpn site-to-site advanced-settings log-vpn-outgoing-link <log-vpn-

outgoing-link>
Parameters
n/a
Example
set vpn site-to-site advanced-settings log-vpn-outgoing-link none
Description
Syntax
set vpn site-to-site advanced-settings delete-ike-sas-from-a-dead-peer

<delete-ike-sas-from-a-dead-peer>
Parameters
n/a
Example
set vpn site-to-site advanced-settings delete-ike-sas-from-a-dead-peer true
Description
Syntax
set vpn site-to-site advanced-settings timeout-for-an-rdp-packet-reply

<timeout-for-an-rdp-packet-reply>
Parameters
n/a
Example
set vpn site-to-site advanced-settings timeout-for-an-rdp-packet-reply 15
Description
Syntax
set vpn site-to-site advanced-settings perform-ike-using-cluster-ip

<perform-ike-using-cluster-ip>
Parameters
n/a
Example
set vpn site-to-site advanced-settings perform-ike-using-cluster-ip true
Description
Syntax
set vpn site-to-site advanced-settings reply-from-incoming-interface

<reply-from-incoming-interface>
Parameters
n/a
Example
set vpn site-to-site advanced-settings reply-from-incoming-interface true
Description
Syntax
set vpn site-to-site advanced-settings ike-use-largest-possible-subnets

<ike-use-largest-possible-subnets>
Parameters
n/a
Example
set vpn site-to-site advanced-settings ike-use-largest-possible-subnets

true
Description
Syntax
set vpn site-to-site advanced-settings copy-diff-serv-to-ipsec-packet

<copy-diff-serv-to-ipsec-packet>
Parameters
n/a
Example
set vpn site-to-site advanced-settings copy-diff-serv-to-ipsec-packet true
shows vpn site-to-site
Shows configuration of site-to-site VPN.
show vpn site-to-site
Description
Shows configuration of site-to-site VPN.
Syntax
Parameters
n/a
Example
Description
Shows advanced settings of site-to-site VPN.
Syntax
show vpn site-to-site advanced-settings
Parameters
n/a
Example
show vpn site-to-site advanced-settings
set vpn site-to-site enc-dom manual
Configures manually the local encryption domain for site-to-site VPN
Description
Adds a network object to the local encryption domain for site-to-site VPN.
Syntax
set vpn site-to-site enc-dom manual add name <name>
Parameters
Example
set vpn site-to-site enc-dom manual add name TEXT
Description
Removes all network objects from the local encryption domain for site-to-site VPN.
Syntax
set vpn site-to-site enc-dom manual remove-all name <name>
Parameters
Example
set vpn site-to-site enc-dom manual remove-all name TEXT
Description
Removes a network object from the local encryption domain for site-to-site VPN.
Syntax
set vpn site-to-site enc-dom manual remove name <name>
Parameters
Example
set vpn site-to-site enc-dom manual remove name TEXT
vpn tunnel
vpn tunnel
show vpn tunnel
show vpn tunnel
Description
Shows all IKE (Internet Key Exchange) and IPSec (Internet Protocol Security) SAs (Security Associations)
for the VPN tunnel.
Syntax
show vpn-tunnel-info
Parameters
n/a
Example
show vpn-tunnel-info
show vpn tunnels
show vpn tunnels
Description
Shows all Virtual Tunnel Interfaces (VTIs).
Syntax
show vpn tunnels
Parameters
n/a
Example
show vpn tunnels
wlan
wlan
delete wlan
delete wlan
Description
Delete an existing wireless Virtual Access Point (VAP) by SSID.
Syntax
delete wlan vap <vap>
Parameters
vap The name of the Virtual Access Point
Example
delete wlan vap My_Network
set wlan
set wlan
Configures a virtual access point (VAP) wireless network in appliance models that contain wireless options).
set wlan
set wlan
Description
Turn on/off the first wireless network (VAP) that was created.
Syntax
set wlan { on | off }
Parameters
mode The mode of the Virtual Access Point
Options: on, off
Example
set wlan on
set wlan
set wlan
Description
Configures the SSID of the first wireless network that was created.
Syntax
set wlan ssid <ssid>
Parameters
ssid Wireless network name (SSID)
Type: A string that contains [A-Z], [0-9], '_', '.', '-' and space characters
Example
set wlan ssid My wireless
set wlan
set wlan
Description
Configures the first wireless network that was created.
Syntax
set wlan security-type <security-type>
Parameters
security-type Security Type
Options: none, WEP, WPA2, WPA/WPA2
Example
set wlan security-type none
set wlan
set wlan
Description
Syntax
set wlan wpa-auth-type password <password> [ hotspot <hotspot > ]
Parameters
n/a
Example
set wlan wpa-auth-type password gTd&3(gha_ hotspot on
set wlan
set wlan
Description
Syntax
set wlan wpa-auth-type { radius [ hotspot <hotspot > ] }
Parameters
hotspot The Hotspot of the Virtual Access Point
Options: on, off
wpa-auth-type Wireless protected access authentication
Example
set wlan wpa-auth-type radius hotspot on
set wlan
set wlan
Description
Syntax
set wlan wpa-encryption-type <wpa-encryption-type>
Parameters
wpa-encryption-type Wireless protected access encryption type
Options: Auto, CCMP-AES, TKIP
Example
set wlan wpa-encryption-type Auto
set wlan
set wlan
Description
Syntax
set wlan assignment <assignment>
Parameters
assignment The network assigned to the virtual access point
Example
set wlan assignment My_Network
set wlan
set wlan
Description
Enable/Disable an existing wireless network (VAP).
Syntax
set wlan vap <vap>{ enable | disable }
Parameters
mode The mode of the Virtual Access Point
Options: on, off
Example
set wlan vap My_Network on
set wlan
set wlan
Description
Configures the SSID of an existing wireless network (VAP).
Syntax
set wlan vap <vap> ssid <ssid>
Parameters
Example
set wlan vap My_Network ssid My wireless
set wlan
set wlan
Description
Configures an existing wireless network (VAP).
Syntax
set wlan vap <vap> security-type <security-type>
Parameters
security-type Security Type
Options: none, WEP, WPA2, WPA/WPA2
Example
set wlan vap My_Network security-type none
set wlan
set wlan
Description
Syntax
set wlan vap <vap> wpa-auth-type password <password> [ hotspot <hotspot > ]
Parameters
Example
set wlan vap My_Network wpa-auth-type password gTd&3(gha_ hotspot on
set wlan
set wlan
Description
Syntax
set wlan vap <vap> wpa-auth-type { radius [ hotspot <hotspot >] }
Parameters
hotspot The Hotspot of the Virtual Access Point
Options: on, off
wpa-auth-type Wireless protected access authentication
Example
set wlan vap My_Network wpa-auth-type radius hotspot on
set wlan
set wlan
Description
Syntax
set wlan vap <vap> wpa-encryption-type <wpa-encryption-type>
Parameters
wpa-encryption-type Wireless protected access encryption type
Options: Auto, CCMP-AES, TKIP
Example
set wlan vap My_Network wpa-encryption-type Auto
set wlan
set wlan
Description
Syntax
set wlan vap <vap> assignment <assignment>
Parameters
assignment The network assigned to the virtual access point
Example
set wlan vap My_Network assignment My_Network
set wlan
set wlan
Description
Syntax
set wlan vap <vap> advanced-settings [ hide-ssid <hide-ssid> ] [ station-

to-station <station-to-station> ] [ wds <wds> ]
Parameters
Example
set wlan vap My_Network advanced-settings hide-ssid on station-to-station

allow wds on
set wlan wireless advanced-settings protected-mgmt-frames
set wlan wireless advanced-settings protected-
mgmt-frames
Description
Enable or disable protection of 802.11 management frames (refers to the main wireless access point).
Syntax
set wlan <main-wireless-name>advanced-settings protected-mgmt-frames { on |

off }
Parameters
main-wireless-name Name of the main wireless access point
Type Press TAB to see available options
on/off on - Enabled
off - Disabled
Example
set wlan NANCY-wireless advanced-settings protected-mgmt-frames off
show wlan
show wlan
Shows configuration for wireless networks (relevant to hardware models with wireless).
show wlan
show wlan
Description
Shows configuration for a virtual access point (VAP or wireless network).
Syntax
show wlan vap <vap>
Parameters
Example
show wlan vap My_Network
show wlan
show wlan
Description
Shows configuration of the wireless radio.
Syntax
text
show wlan
Parameters
n/a
Example
show wlan
wlan radio
wlan radio
set wlan radio
set wlan radio
Configures the radio settings of wireless antennas (in appliance models that contain wireless options).
set wlan radio
set wlan radio
Description
Configures the radio settings of wireless antennas.
Syntax
set wlan radio [ country <country> ] [ operation-mode <operation-mode> ] [

channel <channel> ] [ channel-width <channel-width> ]
Parameters
channel Channel
Options: channel
channel-width Channel width
Options: auto, 20, 40, 80
country Country
Options: country
operation-mode Operation mode
Options: 11b, 11g, 11bg, 11n, 11ng, 11ac, 11nac
Example
set wlan radio country albania operation-mode 11b channel auto channel-
width auto
set wlan radio
set wlan radio
Description
Configures the radio settings of wireless antennas per band (in wireless models that contain a concurrent
dual band option using two radio antennas).
Syntax
set wlan radio band <band> [ country <country> ] [ operation-mode

<operation-mode> ] [ channel <channel> ] [ channel-width <channel-width> ]
Parameters
band type
Options: 5GHz, 2.4GHz
channel Channel
Options: channel
channel-width Channel width
Options: auto, 20, 40, 80
country Country
Options: country
operation-mode Operation mode
Options: 11b, 11g, 11bg, 11n, 11ng, 11ac, 11nac
Example
set wlan radio band 5GHz country albania operation-mode 11b channel auto
channel-width auto
set wlan radio
set wlan radio
Description
Enable/Disable the wireless radio.
Syntax
set wlan radio { off | on }
Parameters
mode Wireless radio mode
Options: off, on
Example
set wlan radio off
set wlan radio
set wlan radio
Description
Enable/Disable the wireless radio per band (in wireless models that contain a concurrent dual band option
using two radio antennas).
Syntax
set wlan radio band <band> { off | on }
Parameters
band type
mode Wireless radio mode
Options: off, on
Example
set wlan radio band 5GHz off
set wlan radio
set wlan radio
Description
Configures advanced radio settings for the wireless radio.
Syntax
set wlan radio advanced-settings [ transmitter-power <transmitter-power> ]

[ guard-interval <guard-interval> ] [ antenna <antenna> ]
Parameters
n/a
Example
set wlan radio advanced-settings transmitter-power minimum guard-interval

short antenna auto
set wlan radio
set wlan radio
Description
Configures advanced radio settings for the wireless radio per band (in wireless models that contain a
concurrent dual band option using two radio antennas).
Syntax
set wlan radio band <band> advanced-settings [ transmitter-power

<transmitter-power> ] [ guard-interval <guard-interval> ] [ antenna
<antenna>]
Parameters
band type
Example
set wlan radio band 5GHz advanced-settings transmitter-power minimum guard-

interval short antenna auto
show wlan radio
show wlan radio
Description
Shows configuration of the wireless radio.
Syntax
show wlan radio
Parameters
n/a
Example
show wlan radio
show wlan statistics
Description
Shows statistics of the wireless radio.
Syntax
Parameters
n/a
Example
wlan vaps
wlan vaps
add wlan vap
add wlan vap
Description
Adds a new wireless network (Virtual Access Point or VAP) to an available wireless radio. In hardware
models were dual antennas are available, during configuration of a wireless network the specific band for
the network must be selected (2.4Ghz/5Ghz).
Syntax
add wlan vap ssid <ssid> band <band>
Parameters
band Wireless radio transmitter
Example
add wlan vap ssid My wireless band 5GHz
delete wlan vaps
delete wlan vaps
Description
Delete all existing wireless Virtual Access Points (VAP).
Syntax
delete wlan vaps
Parameters
n/a
Example
delete wlan vaps
set wlan vap wireless advanced-settings protected-mgmt-frames
set wlan vap wireless advanced-settings
protected-mgmt-frames
Description
Enable or disable protection of 802.11 management frames
Syntax
set wlan vap <wireless-name> advanced-settings protected-mgmt-frames { on |

off }
Parameters
wireless-name Name of the wireless network
Type Press TAB to see available options
on/off on - Enabled
off - Disabled
Example
set wlan vap cp7f7e5168 advanced-settings protected-mgmt-frames off
set wlan vap
set wlan vap
Description
Use MAC address as wireless password.
Syntax
set wlan vap <vap> wpa-auth-type password-set-as-mac-with-prefix <prefix>
Parameters
vap Name of the VAP that is being edited.
prefix The authentication type is password-set-as-mac-with-prefix.
Example
set wlan vap Guest1 wpa-auth-type password-set-as-mac-with-prefix aaa
show wlan vap wireless
show wlan vap wireless
Description
Show wlan vap wireless networks for which 802.11w is enabled
Syntax
show wlan vap <wireless-name>
Parameters
<wireless-name> Name of the wireless network
Example
show wlan vap MyWiFi
show wlan vaps
show wlan vaps
Description
Shows all Virtual Access points (VAPs or wireless network).
Syntax
show wlan vaps
Parameters
n/a
Example
show wlan vaps
show wlan vaps statistics
Description
Shows statistics per Virtual Access Point.
Syntax
Parameters
n/a
Example
zero-touch
zero-touch
set zero-touch
set zero-touch
Description
Configure parameters for the ZeroTouch service.
Syntax
set zero-touch [ cloud-url <cloud-url> ] [ verify-certificate <verify-

certificate> ] [ mode <mode> ]
Parameters
cloud-url The DNS or IP address of the cloud service.
Default: zerotouch.checkpoint.com
Type: URL or IP address
mode When the mode is set to on, the appliance will constantly try to fetch configuration from
the Zero Touch server if the First Time Configuration Wizard is not started.
Options: on, off
Default: on
verify- When verify-certificate is set to on, the appliance will verify the SSL certificate of the
certificate Zero Touch server. You are advised NOT to change this value.
Options: on, off
Default: on
Example
set zero-touch cloud-url <url> verify-certificate on mode on
show zero-touch
show zero-touch
Description
Show the parameters configured for the Zero Touch service.
Syntax
show zero-touch
Parameters
n/a
Example
show zero-touch
test zero-touch-request
test zero-touch-request
Description
Test the procedure of receiving configuration from the Zero Touch server. If the command is executed
without parameters, the gateway will connect to the Zero Touch server and display the received
configuration without enforcing it. There is an option to store the configuration in the /storage/zt_
cfg.clish file.
Syntax
test zero-touch-request [save-config-as file ]
Parameters
Optional Parameter Description
save-configuration-as file Save received configuration to the /storage/zt_cfg.clish file.
Example
test zero-touch-request test zero-touch-request save-config-as file

Quantum Spark 1500, 1600 AND 1800 Appliance Series: CLI Reference Guide

Uploaded by

Document Informationclick to expand document information

Document Informationclick to expand document information

Copyright:

Available Formats

Quantum Spark 1500, 1600 AND 1800 Appliance Series: CLI Reference Guide

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Quantum Spark 1500, 1600 AND 1800 Appliance Series: CLI Reference Guide

Uploaded by

Copyright:

Available Formats

03 August 2021

QUANTUM SPARK 1500,

CLI Reference Guide

clish [ -A -i { -c Cmd | -f File -v} -h -C ]

add access-rule type outgoing [ action <action> ] [ log <log> ] [ source

delete access-rule type outgoing position <position>

delete access-rule type outgoing name <name>

delete access-rule type outgoing position 2

delete access-rule type outgoing name word

set access-rule type outgoing position <position> [ action <action> ] [ log

show access-rule type outgoing name <name>

show access-rule type outgoing position <position>

show access-rule type outgoing position 2

show access-rule type outgoing name word

add access-rule type incoming-internal-and-vpn [ action <action> ] [ log

add access-rule type incoming-internal-and-vpn action block log none source

delete access-rule type incoming-internal-and-vpn name <name>

delete access-rule type incoming-internal-and-vpn position <position>

delete access-rule type incoming-internal-and-vpn name word

delete access-rule type incoming-internal-and-vpn position 2

set access-rule type incoming-internal-and-vpn position <position> [ action

set access-rule type incoming-internal-and-vpn name <name> [ action

set access-rule type incoming-internal-and-vpn position 2 action block log

set access-rule type incoming-internal-and-vpn name word action block log

show access-rule type incoming-internal-and-vpn position <position>

show access-rule type incoming-internal-and-vpn name <name>

show access-rule type incoming-internal-and-vpn position 2

show access-rule type incoming-internal-and-vpn name word

set additional-hw-settings [ reset-timeout <reset-timeout> ]

set additional-hw-settings reset-timeout 15

set additional-management-settings advanced-settings install-temporary-

set additional-management-settings advanced-settings install-temporary-

add ad-server domain <domain> ipv4-address <ipv4-address> username

add ad-server domain myHost.com ipv4-address 192.168.1.1 username admin

delete ad-server <domain>

delete ad-server myHost.com

set ad-server <domain> [ ipv4-address <ipv4-address> ] [ username

] [ password <password> ] [ user-dn <user-dn> ] [ use-branch-path { true [

set ad-server myHost.com ipv4-address 192.168.1.1 username admin password a

show ad-server <domain>

show ad-server myHost.com

add address-range name <name> start-ipv4 <start-ipv4> end-ipv4 <end-ipv4> [

add address-range name TEXT start-ipv4 192.168.1.1 end-ipv4 192.168.1.1

delete address-range <name>

delete address-range TEXT

set address-range <name> [ name <name> ] [ start-ipv4 <start-ipv4> ] [ end-

set address-range TEXT name TEXT start-ipv4 192.168.1.1 end-ipv4

show address-range <name>

show address-range TEXT

add admin-access-ipv4-address network-ipv4-address 1.1.1.1 subnet-mask

set admin-access [ interfaces { Wireless access <access> | VPN access

set admin-access interfaces Wireless access true web-access-port 8080 ssh-

add admin-access-ipv4-address single-ipv4-address <single-ipv4-address>

add admin-access-ipv4-address single-ipv4-address 192.168.1.1

add admin-access-ipv4-address network-ipv4-address <network-ipv4-address>{

add admin-access-ipv4-address network-ipv4-address 192.168.1.1 subnet-mask

delete admin-access-ipv4-address <ipv4-address>