This article gives you an overview of helpful and amazing CLI commands, available but not yet integrated within the web interface. (commands are available from 4.33 - WK30 or later) can be found here:
Note: All CLI commands need to be entered by "SSH". Some of them need to be executed via the following mode before the command will be accepted.
For more information on the subject, you may check the full CLI reference guide of the device you are using via: CLI Documentation Full
Flash is full (100% Flash Usage)
debug system _disk-cleanup
In some rare conditions it could be that the Flash is full (100%). To clean it up, you can run the above command.
FAN Speed Check / Temperature Check
If you want to see FAN Speed or temperature information, you can use the debug hardware features.
Increase Console level Output
debug kernel console-level 8
Is mainly used for deep debugging cases.
Check interface statistics
This command is useful when you need to see detailed statistics on an interface basis.
debug interface ifconfig
debug interface show mapping
Check interface traffic
This command is extremely useful to see what particular traffic is going in and out of an interface:
packet-trace interface [NAME OF INTERFACE] port [PORT-NUMBER]
packet-trace interface [NAME OF INTERFACE] ip-proto [NAME OF IP-PROTOCOL]
The first command is to be used when scanning for a port, the latter one when scanning for ip-protocols - below some examples:
This would scan incoming IKE Port 500 packets on WAN1 - useful for VPN debugging e.g.
packet-trace interface wan1 port 500
This would scan on lan1 for any ICMP related traffic, e.g. PINGs coming in and out at the LAN interface - useful for checking all kind of firewall applications, if a VPN properly pushes traffic into the remote LAN etc.:
packet-trace interface lan1 ip-proto icmp
Unlocking Lock-out users (too often wrong password entered)
If you enter too often a wrong password, by default 5 times, the IP address you are trying to enter the USG from will be blocked for 30 minutes. To undo this, you may enter the following commands:
This will show you a list of IP addresses which are currently blocked out of the USG
show lock-out users
After entering the config-mode via "configure terminal", use this to unlock a specific IP Address (marked as W.X.Y.Z)
unlock lock-out users <W.X.Y.Z>
Locked out due to firewall misconfiguration:
Let´s imagine you created a firewall rule and locked yourself out of the device by accident. The following procedure will help you too delete this rule:
The above command will give oyu an output about the firewall rules on your devices sorty by numbers:
"secure-policy rule: 1 - x". Now use the following to get priviliges to delete the troublesome rule and the delete command:
secure-policy delete rule-number
Locked out due to activating "Authenticate Client Certificates:
If you activated this checkbox and can not access the web interface anymore:
Please login via SSH or console port and use:
no ip http secure-server auth-client
Show interface statistics
A fairly generic command, but still underestimated, use this command to show a small table showing basic interface information:
show interface all
Please sign in to leave a comment.