This article shows how to use the CLI/Command line interface via console cable using USG FLEX, a VPN firewall, an XGS-Switch or even a professional access point like a WAX510D. It shows what console cable to use, how to login and gain console access via Putty & TeraTerm, access Web GUI CLI, and how to use the debug level 8 command [debug kernel console-level 8] for troubleshooting reboot/crash issues/problem.
The command-line interface is a management interface that can be reached via several ways, including SSH and serial cable/console cable connection. This guide will give you great insight into how to access your Zyxel device's CLI (Command Line Interface).
Table of Content
1) Using the Console Cable
1.1 The Software
You can either use a terminal console software such as PuTTY or TeraTerm. In this tutorial, we will use puTTY for SSH and TeraTerm for console connection.
Disclaimer: We have no affiliation with neither puTTY nor TeraTerm and showcase the use of these programs for demonstration and learning purposes - use of these applications happen at your own risk.
- puTTY - https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html
- TeraTerm - https://ttssh2.osdn.jp/index.html.en
1.2 CLI-access via Console Cable (using TeraTerm)
Use a USB-to-RS232 connector-cable (also known as "serial connection" or "SUB-D 9-pol") and connect to your PC as well as to the router - the serial cable should look like this
Some of our smaller firewalls have an RJ-45 console connection instead of the RS232-connection and have console cables within the packaging content:
Below you can see a picture of both an RS232 console port, mostly prominent on professional firewall and switch hardware, as well as the RJ-45 on our small business routers (such as a USG20W, e.g.):
For USG FLEX H Series
Default console parameter
Speed: 115200 bps
Data Bits : 8
Parity : None
Stop Bit : 1
Flow Control : Off
LAN1 Interface: 192.168.168.1/24
RJ-45 to DB-9 Rollover Cable -> Change Console Cable pin-out to general
* USG FLEX H Console Cable is not compatible with ATP/USG FLEX Series Console cable
Now that the hardware side of things is clarified, let's move back to the software side.
Eventually, you might have to install additional drivers packaged with the USB-to-RS232 cable or install generic drivers for the application. Once this is done, within your device manager, in most cases, you can see a "COM" interface listed:
Once this is done, download TeraTerm using the above-listed link and install the application.
On TeraTerm, you will be prompted to choose the input - select the serial input and select the COM interface listed previously in the device manager:
Make then sure to enter the menu
Setup > Serial port
In this menu, you can set different things regarding the serial port communication. We are, however, only interested in the speed; the rest stays as per default:
The speed is measured in baud, and the speed is also referred to as baud rate. A lot of our switches have a default baud rate of 9600, while all firewalls out of our portfolio and access points have a baud rate of 115200. Choose 115200 and click on "New Setting" to save the settings, and back in the Console menu (the black screen), press any button to reinitialize communication with the new baud rate. You then can enter your firewalls username and password (password will not show any character when you type in, so simply carry on typing and press "Enter" once you are done). Afterwards, you should be logged into the unit, which will show via
You can start entering different CLI commands, which can be read within the CLI reference guide, available via https://download.zyxel.com.
1.2 CLI-access via Console Cable (using PuTTY)
Download puTTY via the above link and start the application. In the Hostname field, enter the IP-Address of the Firewall (usually the LAN1 interface, which by default is 192.168.1.1). Leave the port as 22 and also as an access method, leave SSH as it is by default and confirm by clicking on the "Open"-Button:
Open Session -> Logging and adjust the logging settings to get an output of our entered commands:
You will most likely if the certificate of the firewall has not been changed by you, receive this warning message:
The reason for this is that the firewall uses self-created key fingerprints as well as self-signed certificates. But this is no reason for concern; allow to proceed by clicking "Yes", "Accept", or similar and proceed. You then should be able to log in as admin-username and the password of the admin account (by default 1234) and should be again showing successful login by seeing this line:
As before, you now can proceed to type in different CLI commands.
1.3 CLI-access via Web GUI (Web Interface)
Many devices, especially our firewall portfolio, now also allow you to access the command line interface via a web browser. For this, log onto the unit, and click on the very left icon at the top icon bar:
This enables you to access the device' CLI without any additional software needed.
1.4 What devices will these methods work on?
These methods of accessing the CLI will work on nearly all of our professional devices, meaning NWA/WAC/WAX-Series on Access points, (X)GS1350/1900/1920/1930/2210/2220/3800/4600 for switches and nearly our entire current ZyWall/USG/USG FLEX/ATP/VPN-portfolio. For most devices, also their predecessor counterparts will work fine via CLI.
Please note: Due to a missing console connection on the AP, the AP CLI's accessibility is limited to SSH.
1.5 What can I do with the CLI?
The CLI will allow for more detailed analysis and debugging via relevant commands. But it also offers some nice quick things to check, such as packet-traces, firmware versions of different partitions, showing the currently applied configuration etc., among many other commands. You can see a list of helpful commands right here: Overview of Helpful CLI Commands for USG Series (Best Practice)
2) Debug the Firewall after Reboot/Crash Issues
For high level debugging cases, you can, in very easy steps, log your console Output in a text file, guided by screenshots. This section also helps you to create long-term debugging on Zyxel-Firewalls.
Enter your respective commands, enter the following command for high profile debug logs:
debug kernel console-level 8
Leave the session open until you have logged the respective traffic (in this example, we unfortunately had no issues happening, therefore no log is created)
After you have captured / reproduced the issue and the debug logs have been generated, you can analyze/investigate and close the PuTTY-session:
Now you can access the text-file, which you have created and it will show you all entered commands and results: