This article gives you an overview of helpful and amazing CLI commands, available but not yet integrated within the web interface. (commands are available from 4.33 - WK30 or later) can be found here:
Note: All CLI commands need to be entered by "SSH". Some of them need to be executed via the following mode before the command will be accepted.
| "configure terminal" |
For more information on the subject, you may check the full CLI reference guide of the device you are using via:
Flash is full (100% Flash Usage)
| "debug system _disk-cleanup" |
In some rare conditions, it could be that the Flash is full (100%). To clean it up, you can run the above command.
FAN Speed Check / Temperature Check
|
"debug hardware" "fan-get" |
If you want to see FAN Speed or temperature information, you can use the debug hardware features.
Increase Console Level Output
| "debug kernel console-level 8" |
Is mainly used for deep debugging cases.
Check interface statistics
This command is useful when you need to see detailed statistics on an interface basis.
| "debug interface ifconfig" |
| "debug interface show mapping" |
Check interface traffic
This command is extremely useful to see what particular traffic is going in and out of an interface:
| "packet-trace interface [NAME OF INTERFACE] port [PORT-NUMBER]" |
| "packet-trace interface [NAME OF INTERFACE] ip-proto [NAME OF IP-PROTOCOL]" |
The first command is to be used when scanning for a port, the latter one when scanning for ip-protocols - below some examples:
This would scan incoming IKE Port 500 packets on WAN1 - useful for VPN debugging e.g.
| "packet-trace interface wan1 port 500" |
This would scan on lan1 for any ICMP-related traffic, e.g. PINGs coming in and out at the LAN interface - useful for checking all kinds of firewall applications, if a VPN properly pushes traffic into the remote LAN, etc.:
| "packet-trace interface lan1 ip-proto icmp" |
Unlocking Lock-out users (too often wrong password entered)
If you enter a wrong password, by default 5 times, the IP address you are trying to enter the USG from will be blocked for 30 minutes. To undo this, you may enter the following commands:
This will show you a list of IP addresses which are currently blocked out of the USG
| "show lockout-users" |
After entering the config mode via "configure terminal", use this to unlock a specific IP Address (marked as W.X.Y.Z)
| "unlock lockout-users <W.X.Y.Z>" |
Locked out due to firewall misconfiguration:
Let´s imagine you created a firewall rule and locked yourself out of the device by accident. The following procedure will help you to delete this rule:
| "show secure-policy" |
The above command will give you an output about the firewall rules on your devices story by numbers:
"secure-policy rule: 1 - x". Now use the following to get privileges to delete the troublesome rule and the delete command:
| "configure terminal" |
| "secure-policy delete rule-number" |
Locked out due to activating "Authenticate Client Certificates:
If you activated this checkbox and can not access the web interface anymore:
Please login via SSH or console port and use:
| "configure terminal" |
| "no ip http secure-server auth-client" |
Show interface statistics
A fairly generic command, but still underestimated, use this command to show a small table showing basic interface information:
| "show interface all" |
Comments
0 comments
Please sign in to leave a comment.