This article gives you an overview of helpful CLI commands that are available but not yet integrated into the web interface (the commands are available from 4.33 - WK30 or later).
Note: All CLI commands must be entered via SSH. Some of them need to be executed via the following mode before the command will be accepted.
For more information on the subject, you may check the full CLI reference guide of the device you are using via:
Flash is full (100% Flash Usage)
|"debug system _disk-cleanup"|
In rare conditions the flash can become full (100%). To clean it up, run the above command.
Fan Speed Check / Temperature Check
If you want to see fan speed or temperature information, you can use the debug hardware features.
Increase Console Level Output
|"debug kernel console-level 8"|
This is mainly used for deep debugging cases.
Check interface statistics
These commands are useful when you need to see detailed statistics on a per-interface basis.
|"debug interface ifconfig"|
|"debug interface show mapping"|
Check interface traffic
This command is extremely useful for seeing exactly what traffic is going in and out of an interface:
|"packet-trace interface [NAME OF INTERFACE] port [PORT-NUMBER]"|
|"packet-trace interface [NAME OF INTERFACE] ip-proto [NAME OF IP-PROTOCOL]"|
Use the first command when scanning for a port and the second when scanning for an IP protocol. Some examples follow:
This would scan incoming IKE port 500 packets on WAN1, which is useful for VPN debugging, for example:
|"packet-trace interface wan1 port 500"|
This would scan lan1 for any ICMP-related traffic, e.g. pings coming in and out at the LAN interface. It is useful for checking all kinds of firewall applications, whether a VPN properly pushes traffic into the remote LAN, etc.:
|"packet-trace interface lan1 ip-proto icmp"|
Unlocking locked-out users (wrong password entered too often)
If you enter a wrong password 5 times (the default), the IP address from which you are trying to access the USG will be blocked for 30 minutes. To undo this, you may enter the following commands:
This will show you a list of IP addresses which are currently blocked out of the USG
After entering the config mode via "configure terminal", use this to unlock a specific IP address (marked as W.X.Y.Z)
|"unlock lockout-users <W.X.Y.Z>"|
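Before unlocking an address it is worth checking why it was blocked. The following is an added example, not part of the original article or the vendor's tooling: it applies the defaults stated above (5 failures, 30 minutes) to constructed login records and only proposes an unlock for a blocked IP that tried a single username. The log layout, the consecutive-failure counting and the single-username heuristic are assumptions of this example.

```python
from datetime import datetime, timedelta

# Defaults stated in the article: 5 wrong passwords -> source IP blocked 30 minutes.
MAX_FAILURES = 5
LOCKOUT = timedelta(minutes=30)

# Constructed sample; "<time> <result> <user> <source-ip>" is an assumed layout, not the device's log format.
SAMPLE_LOG = """\
2024-05-01T09:00:05 FAIL admin 192.0.2.10
2024-05-01T09:00:15 FAIL admin 192.0.2.10
2024-05-01T09:00:25 FAIL admin 192.0.2.10
2024-05-01T09:00:35 FAIL admin 192.0.2.10
2024-05-01T09:00:45 FAIL admin 192.0.2.10
2024-05-01T09:05:00 FAIL admin 203.0.113.5
2024-05-01T09:05:20 OK admin 203.0.113.5
2024-05-01T09:10:01 FAIL root 198.51.100.7
2024-05-01T09:10:02 FAIL admin 198.51.100.7
2024-05-01T09:10:03 FAIL support 198.51.100.7
2024-05-01T09:10:04 FAIL test 198.51.100.7
2024-05-01T09:10:05 FAIL guest 198.51.100.7
"""

def active_lockouts(log_text, now):
    """Return {ip: (blocked_until, usernames_tried)} for IPs still blocked at `now`.
    Assumption (not stated by the article): failures count consecutively per
    source IP and a successful login resets the counter."""
    streak, users, blocked = {}, {}, {}
    for line in filter(str.strip, log_text.splitlines()):
        ts, result, user, ip = line.split()
        when = datetime.fromisoformat(ts)
        if result == "OK":
            streak[ip], users[ip] = 0, set()
            continue
        streak[ip] = streak.get(ip, 0) + 1
        users.setdefault(ip, set()).add(user)
        if streak[ip] >= MAX_FAILURES:
            blocked[ip] = (when + LOCKOUT, sorted(users[ip]))
            streak[ip], users[ip] = 0, set()
    return {ip: v for ip, v in blocked.items() if v[0] > now}

def unlock_candidates(active):
    """Unlock commands for blocked IPs that tried only one username (example heuristic)."""
    return [f"unlock lockout-users {ip}"
            for ip, (_until, tried) in sorted(active.items()) if len(tried) == 1]

if __name__ == "__main__":
    active = active_lockouts(SAMPLE_LOG, datetime.fromisoformat("2024-05-01T09:20:00"))
    print(active, unlock_candidates(active))
```

In the sample, 192.0.2.10 looks like an administrator mistyping one password, while 198.51.100.7 cycled through five account names and is better left blocked.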
Locked out due to firewall misconfiguration:
Let's imagine you created a firewall rule and accidentally locked yourself out of the device. The following procedure will help you to delete this rule:
The above command will give you an output of the firewall rules on your device, sorted by number:
"secure-policy rule: 1 - x". Now use the following to get the privileges to delete the troublesome rule, followed by the delete command:
|"secure-policy delete rule-number"|
Locked out due to activating "Authenticate Client Certificates":
If you activated this checkbox and cannot access the web interface anymore:
Please log in via SSH or the console port and use:
|"no ip http secure-server auth-client"|
Show interface statistics
A fairly generic but still underestimated command. Use it to show a small table with basic interface information:
|"show interface all"|