CLI Commands [USG Series] - Overview of Helpful CLI Commands for USG Series

This article gives you an overview of helpful CLI commands that are available on the device but not yet integrated into the web interface. Which commands are available from firmware 4.33 - WK30 or later can be found here:

CLI Command Firmware Support

Note: All CLI commands need to be entered via SSH. Some of them are only accepted after you have first entered configuration mode with the following command:

"configure terminal"

For more information on the subject, you may check the full CLI reference guide of the device you are using via: 

CLI Documentation Full

Flash is full (100% Flash Usage)

"debug system _disk-cleanup"

In some rare conditions, it could be that the Flash is full (100%). To clean it up, you can run the above command.

FAN Speed Check / Temperature Check

"debug hardware"
"fan-get"

If you want to see FAN Speed or temperature information, you can use the debug hardware features.

Increase Console Level Output

"debug kernel console-level 8"

This is mainly used for deep debugging cases.

Check interface statistics

This command is useful when you need to see detailed statistics on a per-interface basis:

"debug interface ifconfig"

To match the interface names shown by the above command with the interface names used by the USG/ATP (e.g. wan1, lan1), use:

"debug interface show mapping"

Check interface traffic

This command is extremely useful to see what particular traffic is going in and out of an interface:

"packet-trace interface [NAME OF INTERFACE] port [PORT-NUMBER]"
"packet-trace interface [NAME OF INTERFACE] ip-proto [NAME OF IP-PROTOCOL]"

The first command is used when tracing a specific port, the second one when tracing a specific IP protocol. Some examples:

This would trace incoming and outgoing IKE packets (port 500) on wan1, which is useful e.g. for VPN debugging:

"packet-trace interface wan1 port 500"

This would trace all ICMP traffic on lan1, e.g. pings coming in and going out at the LAN interface. This is useful for checking all kinds of firewall behaviour, for example whether a VPN properly pushes traffic into the remote LAN:

"packet-trace interface lan1 ip-proto icmp"

Unlocking Lock-out users (too often wrong password entered)

If you enter a wrong password too often (by default 5 times), the IP address you are trying to log in to the USG from will be blocked for 30 minutes. To undo this, you may enter the following commands.

This will show you a list of the IP addresses which are currently locked out of the USG:

"show lockout-users"

After entering the config mode via "configure terminal", use this to unlock a specific IP Address (marked as W.X.Y.Z)

"unlock lockout-users <W.X.Y.Z>"

Locked out due to firewall misconfiguration:

Let's imagine you created a firewall rule and locked yourself out of the device by accident. The following procedure will help you delete this rule:

"show secure-policy"

The above command lists the firewall rules on your device, sorted by rule number ("secure-policy rule: 1 - x"). Now enter configuration mode to get the privileges to delete the troublesome rule, and delete it by its number (replace rule-number with the number from the list):

"configure terminal"
"secure-policy delete rule-number"

Locked out due to activating "Authenticate Client Certificates":

If you activated this checkbox and cannot access the web interface anymore:


Please login via SSH or console port and use:

"configure terminal"
"no ip http secure-server auth-client"
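The packet-trace commands and the three lockout-recovery procedures above are each a short sequence of CLI lines with one value filled in (an interface name, a port, an IP address, a rule number). The following is an added example, not part of the original article and not Zyxel's code: a small Python helper that builds exactly those command sequences from the page, but validates every value first so that a malformed or hostile input (for instance an "IP address" carrying extra text) can never be spliced into a CLI line. The transport is a hypothetical callback, so the script only dry-runs and prints what would be sent; the interface-name pattern and the ip-proto allowlist are assumptions that you may need to widen for your device.

```python
"""Build and dry-run the USG/ATP CLI sequences from the article.

Added example (not Zyxel's code). Assumptions: the commands as written on the
page, a conservative interface-name pattern, a small ip-proto allowlist, and a
hypothetical send() callback in place of a real SSH session.
"""
import ipaddress
import re
from typing import Callable, List, Optional

# Interface names on USG/ATP devices look like wan1, lan1, opt ... (assumption:
# letters followed by optional digits covers your device). Anything else is
# rejected so no separators or extra words can end up in the CLI line.
_IFACE_RE = re.compile(r"^[a-z]+[0-9]*$")
_IP_PROTOS = {"icmp", "tcp", "udp", "esp", "ah", "gre"}  # assumed allowlist


def packet_trace_cmd(iface: str, *, port: Optional[int] = None,
                     ip_proto: Optional[str] = None) -> str:
    """Return one 'packet-trace' line in either of the two forms from the article.

    Exactly one of port= or ip_proto= must be given.
    """
    if not _IFACE_RE.match(iface):
        raise ValueError(f"suspicious interface name: {iface!r}")
    if (port is None) == (ip_proto is None):
        raise ValueError("give exactly one of port= or ip_proto=")
    if port is not None:
        if not 1 <= port <= 65535:
            raise ValueError(f"port out of range: {port}")
        return f"packet-trace interface {iface} port {port}"
    if ip_proto not in _IP_PROTOS:
        raise ValueError(f"unknown ip-proto: {ip_proto!r}")
    return f"packet-trace interface {iface} ip-proto {ip_proto}"


def unlock_ip_cmds(addr: str) -> List[str]:
    """Commands to unlock one locked-out client address (config mode first).

    ipaddress.ip_address() raises ValueError for anything that is not a bare
    IPv4/IPv6 address, e.g. '192.0.2.10 extra'.
    """
    ip = ipaddress.ip_address(addr)
    return ["configure terminal", f"unlock lockout-users {ip}"]


def delete_rule_cmds(rule_number: int) -> List[str]:
    """Commands to delete one secure-policy rule by the number shown in 'show secure-policy'."""
    if isinstance(rule_number, bool) or not isinstance(rule_number, int) or rule_number < 1:
        raise ValueError("rule number must be a positive integer")
    return ["configure terminal", f"secure-policy delete {rule_number}"]


# Recovery after enabling 'Authenticate Client Certificates' by mistake.
DISABLE_CLIENT_CERT_AUTH = ["configure terminal", "no ip http secure-server auth-client"]


def run(lines: List[str], send: Callable[[str], None]) -> int:
    """Hand each CLI line to the transport callback; returns the number of lines sent."""
    for line in lines:
        send(line)
    return len(lines)


if __name__ == "__main__":
    # Dry run: collect the lines instead of sending them to a device.
    sent: List[str] = []
    run(unlock_ip_cmds("192.0.2.10"), sent.append)   # constructed sample address
    run(delete_rule_cmds(3), sent.append)            # constructed sample rule number
    run(DISABLE_CLIENT_CERT_AUTH, sent.append)
    sent.append(packet_trace_cmd("wan1", port=500))
    sent.append(packet_trace_cmd("lan1", ip_proto="icmp"))
    print("\n".join(sent))
```

To use it against a real device, replace the dry-run callback with one that writes each line to an interactive SSH session; keeping the validation in front of that step is the point of the example.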

Show interface statistics

A fairly generic but still underestimated command: use it to show a small table with basic information about every interface:

"show interface all"
