CLI via Console Cable [Zyxel Devices] - Console to Access the Serial Port & Use Debug level 8 [Putty & TeraTerm]

This article provides a guide on using the Command Line Interface (CLI) via a console cable with the USG FLEX, which is also applicable for ATP and VPN Firewall models. The procedure can be similarly applied to switches, demonstrated here with the XGS-Switch, as well as professional access points such as the WAX510D. It covers selecting the appropriate console cable, logging in, and accessing the console through applications like PuTTY and TeraTerm. Additionally, it includes instructions on accessing the Web GUI CLI and using the `debug kernel console-level 8` command to troubleshoot reboot and crash issues effectively.

CLI (Command Line Interface): The Command Line Interface is a text-based interface used to interact with devices. It is a management interface that can be reached in several ways, including SSH and a serial cable/console cable connection. The CLI is popular among developers and system administrators for its speed, precision, and flexibility.

COM Port (Communication Port): A COM port is a serial communication interface on a computer, commonly used for connecting peripheral devices like mice, modems, or other hardware. Through COM ports, data is transmitted one bit at a time, often using the RS-232 standard. COM ports are still essential in embedded systems, robotics, and legacy hardware communication.

Console Cable: A console cable is a specialized cable used to connect directly to a network device's console port (usually a router, switch, or firewall) to configure or troubleshoot it. It typically has a serial connector on one end (often RS-232 or USB) and an RJ-45 connector on the other, enabling communication between the device and a computer running a terminal emulator (e.g., PuTTY). This direct connection is essential for initial setup or recovery, as it allows access to the device’s Command Line Interface (CLI) even if network connections are not yet configured.

Software

You can use terminal console software such as PuTTY or TeraTerm. In this tutorial, we will use PuTTY for SSH and TeraTerm for the console connection.

Disclaimer: We have no affiliation with either PuTTY or TeraTerm and showcase the use of these programs for demonstration and learning purposes - use of these applications happens at your own risk.

Console Cable

  • USB-to-RS232
  • RJ-45-to-RS232
  • USB Type-C-to-RJ-45
  • USB-to-TTL

In general, all our firewalls support RJ-45-to-RS232 and USB or USB Type-C-to-RJ-45 cables, depending on the model. Certain switch models feature RS232, USB Type-C-to-RJ-45, or USB-to-TTL connectors. For access points, a USB-to-TTL connector is typically used. However, please consult the specific documentation for your device to confirm compatibility and requirements.

For USG FLEX H Series

Default console parameter applicable to all devices
  • Speed: 115200 bps
  • Data Bits : 8
  • Parity : None
  • Stop Bit : 1
  • Flow Control : Off
  • LAN1 Interface: 192.168.168.1/24
  • RJ-45 to DB-9 Rollover Cable -> Change Console Cable pin-out to general 

* USG FLEX H Console Cable is not compatible with ATP/USG FLEX Series Console cable

Now that the hardware side of things is clarified, let's move back to the software side.

Cable driver

You might have to install additional drivers packaged with the USB-to-RS232 cable or install generic drivers for the application. Once this is done, you can in most cases see a "COM" interface listed in your Device Manager.

Once this is done, download TeraTerm using the above-listed link and install the application.

Connecting with TeraTerm

On TeraTerm, you will be prompted to choose the input - select the serial input and select the COM interface listed previously in the Device Manager. Then make sure to open the menu Setup > Serial port.

In this menu, you can set different things regarding the serial port communication. We are, however, only interested in the speed; the rest stays as per default:

Default console parameter applicable to all devices
  • Speed: 115200 bps
  • Data Bits : 8
  • Parity : None
  • Stop Bit : 1
  • Flow Control : Off
  • LAN1 Interface: 192.168.168.1/24
  • RJ-45 to DB-9 Rollover Cable -> Change Console Cable pin-out to general 

The speed is measured in baud and is also referred to as the baud rate. A lot of our switches have a default baud rate of 9600, while all firewalls in our portfolio and access points have a baud rate of 115200. Choose 115200 and click on "New Setting" to save the settings; then, back in the console window (the black screen), press any key to reinitialize communication with the new baud rate. You can then enter your firewall's username and password (the password will not show any characters as you type, so simply carry on typing and press "Enter" once you are done). Afterwards, you should be logged into the unit, which will show via


You can start entering different CLI commands, which can be read within the CLI reference guide, available via https://download.zyxel.com.

CLI-access via Console Cable (using PuTTY)

Download PuTTY via the above link and start the application. In the Hostname field, enter the IP address of the firewall (usually the LAN1 interface, which by default is 192.168.1.1). Leave the port at 22, leave the access method at SSH (the default), and confirm by clicking the "Open" button.

  • Open Session -> Logging and adjust the logging settings to get an output of the commands you enter. If you have not changed the certificate of the firewall, you will most likely receive this warning message.

The reason for this is that the firewall uses self-created key fingerprints as well as self-signed certificates. This is no reason for concern; click "Yes", "Accept", or similar to proceed. You should then be able to log in with the admin username and the password of the admin account (by default 1234), and a successful login is again shown by this line:

You can start entering different CLI commands, which can be read within the CLI reference guide, available via https://download.zyxel.com.

CLI-access via Web GUI (Web Interface)

Many devices, especially our firewall portfolio, now also allow you to access the command line interface via a web browser. For this, log onto the unit and click the leftmost icon in the top icon bar.

This enables you to access the device's CLI without any additional software.

What devices will these methods work on?

These methods of accessing the CLI will work on nearly all of our professional devices, meaning the NWA/WAC/WAX-Series for access points, (X)GS1350/1900/1920/1930/2210/2220/3800/4600 for switches, and nearly our entire current ZyWall/USG/USG FLEX/ATP/VPN portfolio. For most devices, the predecessor models will also work fine via CLI.

Please note: Due to a missing console connection on the AP, the AP CLI's accessibility is limited to SSH.

What can I do with the CLI?

The CLI will allow for more detailed analysis and debugging via relevant commands. But it also offers some nice quick things to check, such as packet-traces, firmware versions of different partitions, showing the currently applied configuration etc., among many other commands. You can see a list of helpful commands right here: Overview of Helpful CLI Commands for USG Series (Best Practice)

Debug the Firewall after Reboot/Crash Issues

For high-level debugging cases, you can log your console output to a text file in a few easy steps. This section also helps you set up long-term debugging on Zyxel firewalls.

Enter the commands you need, then enter the following command for detailed debug logs:

debug kernel console-level 8
  • Leave the session open until you have logged the respective traffic (in this example, we unfortunately had no issues happening, therefore no log is created). After you have captured or reproduced the issue and the debug logs have been generated, you can analyze them and close the PuTTY session.
  • Now you can open the text file you have created; it will show you all entered commands and results.
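
A session log captured over several days is long, so the following added example (not part of the original article and not Zyxel code) scans one for fatal kernel messages and for the point where the device restarted. It assumes the console prints Linux-style `[seconds.micros]` uptime stamps; the sample lines are constructed.

```python
import re
from collections import deque

# Assumed line shape: Linux printk prefix "[  seconds.micros] message".
PRINTK = re.compile(r"^\[\s*(\d+\.\d+)\]\s*(.*)$")
# Messages the Linux kernel prints on fatal faults.
FATAL = re.compile(r"Kernel panic|Oops|BUG:|Unable to handle kernel|soft lockup")

def triage(lines, context=2):
    """Return events found in a captured console log.

    'fatal'  : a line matching FATAL.
    'reboot' : the uptime stamp dropped, i.e. the device restarted
               between this line and the previous stamped line.
    Each event carries its 1-based line number and the lines before it.
    """
    events, last_uptime = [], None
    history = deque(maxlen=context)  # bounded, so multi-day logs stay cheap
    for number, raw in enumerate(lines, start=1):
        line = raw.rstrip("\r\n")
        stamped = PRINTK.match(line)
        if stamped:
            uptime = float(stamped.group(1))
            if last_uptime is not None and uptime < last_uptime:
                events.append({"kind": "reboot", "line": number,
                               "uptime_before": last_uptime,
                               "context": list(history)})
            last_uptime = uptime
        if FATAL.search(line):
            events.append({"kind": "fatal", "line": number,
                           "text": line, "context": list(history)})
        history.append(line)
    return events

# Constructed sample, not output from a real device.
SAMPLE = """\
Router> debug kernel console-level 8
[ 8123.104512] eth2: link up
[ 8150.990001] Unable to handle kernel NULL pointer dereference
[ 8150.990140] Kernel panic - not syncing: Fatal exception
[    0.000000] Booting Linux
[    1.250311] console enabled
Router> show version
""".splitlines()

if __name__ == "__main__":
    for event in triage(SAMPLE):
        print(event["kind"], "at line", event["line"], "after:", event["context"])
```

To use it on a real capture, pass the open log file instead of `SAMPLE`, for example `triage(open("putty.log", errors="replace"))`, where the file name is a placeholder.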
     