Evil_TTL> show | s

Command Modes Overview


There are several command modes supported by WatchGuard XTM series devices. Since I have only an XTM 5 Series at my disposal, I will give a brief overview of these modes followed by examples.

The following diagram shows every command mode available as of the date this article was first published.

Command-Modes-Overview.png

Main Command Mode

The Main command mode is the default command mode of the WatchGuard CLI. In Main mode, you can:

  • Modify some higher level configuration settings
  • See system logs
  • Enter the Configuration command mode
  • Restore or upgrade the software image
  • Shut down or reboot the WatchGuard device

Example:

WG#?
Privilege commands:
  arp               Manipulate the system ARP cache
  backup            Backup previous software release or configuration
  cert-request      Certificate request
  checksum          The checksum of all the packages installed on appliance
  clock             Manage the system clock
  configure         Enter configuration mode
  debug-cli         Configure debugging options
  diagnose          Display internal diagnostic information
  dnslookup         Look up domain name
  exit              Exit from the EXEC
  export            Export information to external platform
  fips              FIPS mode setting
  help              Description of the interactive help system
  history           Display the command history list with line numbers
  import            Import information from external platform
  mgmt-user-unlock  Unlock a locked management account
  no                Negate a command or set its defaults
  password          Change the current administrator's password
  ping              Send echo messages
  policy-check      Policy check
  reboot            Reboot system
  restore           Appliance software image
  show              Show running system information
  shutdown          Shutdown this WatchGuard appliance
  sync              Sync info from live security server
  sysinfo           Display system information
  tcpdump           Dump traffic on a network
  traceroute        Trace route to destination
  upgrade           Upgrade software release with dl file
  usb               USB drive
  vpn-tunnel        Encrypted virtual connection
  who               Show who is logged on

WG# 

Configuration Command Mode

The Configuration command mode is used to configure system and network settings for the XTM device. To get access to the Configuration command mode, open the CLI in the Main command mode, then use the configure command. You can use Configuration mode to perform these functions:

  • Manage the logging performed by the XTM device
  • Configure global network settings
  • Enter Interface, Link-Aggregation, and Policy command modes
  • Enter VLAN and Bridge command modes

Example:

WG#configure
WG(config)#?
Configure commands:
  auth-setting             Authentication settings
  bridge                   Local area network settings
  cluster                  Firecluster
  ddns                     Dynamic DNS service
  default-packet-handling  Default packet handling
  exit                     Exit from configure mode
  global-setting           Global settings
  help                     Description of the interactive help system
  history                  Display the command history list with line numbers
  interface                Select an interface to configure
  ip                       Internet protocol
  log-setting              Log setting
  managed-client           Configure this firebox as a managed client
  network-mode             WatchGuard security appliance system mode
  no                       Negate a command or set its defaults
  ntp                      Network Time Protocol
  policy                   Enter policy configuration mode
  show                     Show running system information
  signature-update         Signature update configuration
  snat                     Configure SNAT.
  snmp                     Simple Network Management Protocol
  static-arp               Static arp binding
  system                   System properties
  v6                       Configure the ipv6
  vlan                     Virtual Local Area Network (VLAN)
  vpn-setting              Vpn setting
  web-server-cert          Web Server Certificate

WG(config)#

Interface Command Mode

Interface command mode is used to configure the Ethernet interfaces of the WatchGuard device. To get access to Interface command mode, open the CLI in Configuration command mode, then use the interface command. You can use Interface command mode to perform these functions on a single interface:

  • Configure the IP address and addressing options for the interface
  • Configure the interface as a gateway
  • Control MTU and link speed preferences
  • Configure the interface as a DHCP server or DHCP relay
  • Configure the interface for QoS

Example:

WG(config)#interface FastEthernet 0
WG(config/if-fe0)#?
External interface configuration commands:
  dhcp            Ip address negotiated via dhcp
  enable          Enable/Disable current physical interface
  exit            Exit from interface configuration mode
  help            Description of the interactive help system
  history         Display the command history list with line numbers
  ip              Internet protocol
  link-speed      Link operation speed property
  mac-ip-binding  Static MAC/IP binding in arp table
  mtu             Set the interface maximum transmission unit (MTU)
  name            Name of the entity
  no              Negate a command or set its defaults
  pppoe           Point-to-point protocol over ethernet
  qos             Quality of service be sure to enable settings by the command global-setting
  secondary       Secondary ip address
  show            Show running system information
  type            Network interface type
  v6              Configure the ipv6 interface
  vpn-pmtu        Pmtu settings for ipsecapplicable to external only

WG(config/if-fe0)#

Link Aggregation Command Mode

This command mode is available for XTM 25/25-W/26/26-W, 3 Series, 5 Series, 8 Series, 1050 and 2050 devices starting with Fireware XTM v11.7.

Link Aggregation command mode is used to configure link aggregation interfaces on the WatchGuard device. A link aggregation interface can include one or more Ethernet interfaces. To get access to Link Aggregation command mode, open the CLI in Configuration command mode, then use the link-aggregation command. You can use Link Aggregation command mode to perform these functions on a single link aggregation interface:

  • Add and remove link aggregation member interfaces
  • Configure the link aggregation interface mode
  • Configure the IP address and addressing options for the link aggregation interface
  • Configure the link aggregation interface as a gateway
  • Control link speed
  • Configure the link aggregation interface as a DHCP server or DHCP relay

Policy Command Mode

Policy command mode is used to configure policies. To get access to Policy command mode, open the CLI in the Configuration command mode, then use the policy command. You can use Policy mode to perform these functions:

  • Create and modify rules and schedules
  • Manage user accounts
  • Define users, groups, and aliases for use in policies
  • Control branch office VPN gateways and tunnels
  • Configure branch office and mobile user VPN policies

Example:

WG(config)#policy
WG(config/policy)#?
Policy configuration commands:
  alias               Alias configuration
  apply               Commit configure
  auth-server         Authentication server
  auth-user-group     Authorized user and group
  bovpn-gateway       Configure Bovpn gateway
  bovpn-tunnel        Configure Bovpn tunnel
  dynamic-nat         Dynamic NAT
  exit                Exit from policy configuration mode
  help                Description of the interactive help system
  history             Display the command history list with line numbers
  mvpn-ipsec          Mobile user Virtual Private Network
  mvpn-rule           Muvpn rule
  no                  Negate a command or set its defaults
  one-to-one-nat      One to one NAT
  policy-type         Policy service type
  pptp                Point to Point Tunneling Protocol
  proposal            Proposal configuration
  rule                Policy rule specification
  schedule            Schedule for use in the application of policies
  show                Show running system information
  sslvpn              Secure Sockets Layer Virtual Private Network
  traffic-management  Traffic management
  user-group          Authorized user group
  users               User information

WG(config/policy)#
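
Because the prompt changes with the command mode (WG#, WG(config)#, WG(config/if-fe0)#, WG(config/policy)#), a saved CLI session can be labelled with the mode each command ran in, which helps when reviewing administrator sessions. The Python script below is an added example, not part of the original article or of WatchGuard's tooling; the review list and the sample session are constructed assumptions.

```python
import re

# Prompt shapes shown in the article: WG#  WG(config)#  WG(config/if-fe0)#  WG(config/policy)#
PROMPT = re.compile(r"^WG(?:\((?P<path>[^)]*)\))?#\s*(?P<cmd>.*)$")

def mode_of(path):
    """Map the text inside the prompt's parentheses to a command mode name."""
    if path in (None, "config"):
        return "configuration" if path else "main"
    sub = path.partition("/")[2]
    if sub.startswith("if-"):
        return "interface"
    return "policy" if sub == "policy" else "other:" + path

# Assumed review list: commands from the article's help listings that change
# device state and deserve a second look in a session review.
REVIEW = {
    "main": {"reboot", "shutdown", "restore", "upgrade", "password", "import"},
    "policy": {"apply", "rule", "users"},
}

def parse_session(text):
    """Return (mode, command) for every prompt line that carries a command."""
    out = []
    for line in text.splitlines():
        m = PROMPT.match(line.strip())
        if m and m.group("cmd") and m.group("cmd") != "?":
            out.append((mode_of(m.group("path")), m.group("cmd").strip()))
    return out

def flagged(entries):
    """Entries whose first word is on the review list for the mode it ran in."""
    return [(mode, cmd) for mode, cmd in entries
            if cmd.split()[0] in REVIEW.get(mode, set())]

# Constructed sample session (not a capture from a real device)
SAMPLE = """\
WG#configure
WG(config)#interface FastEthernet 0
WG(config/if-fe0)#exit
WG(config)#policy
WG(config/policy)#apply
WG(config/policy)#exit
WG(config)#exit
WG#reboot
"""

if __name__ == "__main__":
    for mode, cmd in flagged(parse_session(SAMPLE)):
        print(f"review: {mode:8} {cmd}")
```

Help output and empty prompts are skipped, so the full text of a logged session can be passed in unchanged.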
By privilege15