There are several command modes supported by WatchGuard XTM series devices. Since I have only an XTM 5 Series at my disposal, I will give a brief overview of these modes, followed by examples.
The following diagram represents every command mode available as of the date when this article was first published.
Main Command Mode
The Main command mode is the default command mode of the WatchGuard CLI. In Main mode, you can:
- Modify some higher level configuration settings
- See system logs
- Enter the Configuration command mode
- Restore or upgrade the software image
- Shut down or reboot the WatchGuard device
Example:
WG#?
Privilege commands:
  arp               Manipulate the system ARP cache
  backup            Backup previous software release or configuration
  cert-request      Certificate request
  checksum          The checksum of all the packages installed on appliance
  clock             Manage the system clock
  configure         Enter configuration mode
  debug-cli         Configure debugging options
  diagnose          Display internal diagnostic information
  dnslookup         Look up domain name
  exit              Exit from the EXEC
  export            Export information to external platform
  fips              FIPS mode setting
  help              Description of the interactive help system
  history           Display the command history list with line numbers
  import            Import information from external platform
  mgmt-user-unlock  Unlock a locked management account
  no                Negate a command or set its defaults
  password          Change the current administrator's password
  ping              Send echo messages
  policy-check      Policy check
  reboot            Reboot system
  restore           Appliance software image
  show              Show running system information
  shutdown          Shutdown this WatchGuard appliance
  sync              Sync info from live security server
  sysinfo           Display system information
  tcpdump           Dump traffic on a network
  traceroute        Trace route to destination
  upgrade           Upgrade software release with dl file
  usb               USB drive
  vpn-tunnel        Encrypted virtual connection
  who               Show who is logged on
WG#
Configuration Command Mode
The Configuration command mode is used to configure system and network settings for the XTM device. To get access to the Configuration command mode, open the CLI in the Main command mode, then use the configure command. You can use Configuration mode to perform these functions:
- Manage the logging performed by the XTM device
- Configure global network settings
- Enter Interface, Link-Aggregation, and Policy command modes
- Enter VLAN and Bridge command modes
Example:
WG#configure
WG(config)#?
Configure commands:
  auth-setting             Authentication settings
  bridge                   Local area network settings
  cluster                  Firecluster
  ddns                     Dynamic DNS service
  default-packet-handling  Default packet handling
  exit                     Exit from configure mode
  global-setting           Global settings
  help                     Description of the interactive help system
  history                  Display the command history list with line numbers
  interface                Select an interface to configure
  ip                       Internet protocol
  log-setting              Log setting
  managed-client           Configure this firebox as a managed client
  network-mode             WatchGuard security appliance system mode
  no                       Negate a command or set its defaults
  ntp                      Network Time Protocol
  policy                   Enter policy configuration mode
  show                     Show running system information
  signature-update         Signature update configuration
  snat                     Configure SNAT.
  snmp                     Simple Network Management Protocol
  static-arp               Static arp binding
  system                   System properties
  v6                       Configure the ipv6
  vlan                     Virtual Local Area Network (VLAN)
  vpn-setting              Vpn setting
  web-server-cert          Web Server Certificate
WG(config)#
Interface Command Mode
Interface command mode is used to configure the Ethernet interfaces of the WatchGuard device. To get access to Interface command mode, open the CLI in Configuration command mode, then use the interface command. You can use Interface command mode to perform these functions on a single interface:
- Configure the IP address and addressing options for the interface
- Configure the interface as a gateway
- Control MTU and link speed preferences
- Configure the interface as a DHCP server or DHCP relay
- Configure the interface for QoS
Example:
WG(config)#interface FastEthernet 0
WG(config/if-fe0)#?
External interface configuration commands:
  dhcp            Ip address negotiated via dhcp
  enable          Enable/Disable current physical interface
  exit            Exit from interface configuration mode
  help            Description of the interactive help system
  history         Display the command history list with line numbers
  ip              Internet protocol
  link-speed      Link operation speed property
  mac-ip-binding  Static MAC/IP binding in arp table
  mtu             Set the interface maximum transmission unit (MTU)
  name            Name of the entity
  no              Negate a command or set its defaults
  pppoe           Point-to-point protocol over ethernet
  qos             Quality of service, be sure to enable settings by the command global-setting
  secondary       Secondary ip address
  show            Show running system information
  type            Network interface type
  v6              Configure the ipv6 interface
  vpn-pmtu        Pmtu settings for ipsec, applicable to external only
WG(config/if-fe0)#
Link Aggregation Command Mode
This command mode is available for XTM 25/25-W/26/26-W, 3 Series, 5 Series, 8 Series, 1050 and 2050 devices starting with Fireware XTM v11.7.
Link Aggregation command mode is used to configure link aggregation interfaces on the WatchGuard device. A link aggregation interface can include one or more Ethernet interfaces. To get access to Link Aggregation command mode, open the CLI in Configuration command mode, then use the link-aggregation command. You can use Link Aggregation command mode to perform these functions on a single link aggregation interface:
- Add and remove link aggregation member interfaces
- Configure the link aggregation interface mode
- Configure the IP address and addressing options for the link aggregation interface
- Configure the link aggregation interface as a gateway
- Control link speed
- Configure the link aggregation interface as a DHCP server or DHCP relay
Policy Command Mode
Policy command mode is used to configure policies. To get access to Policy command mode, open the CLI in the Configuration command mode, then use the policy command. You can use Policy mode to perform these functions:
- Create and modify rules and schedules
- Manage user accounts
- Define users, groups, and aliases for use in policies
- Control branch office VPN gateways and tunnels
- Configure branch office and mobile user VPN policies
Example:
WG(config)#policy
WG(config/policy)#?
Policy configuration commands:
  alias               Alias configuration
  apply               Commit configure
  auth-server         Authentication server
  auth-user-group     Authorized user and group
  bovpn-gateway       Configure Bovpn gateway
  bovpn-tunnel        Configure Bovpn tunnel
  dynamic-nat         Dynamic NAT
  exit                Exit from policy configuration mode
  help                Description of the interactive help system
  history             Display the command history list with line numbers
  mvpn-ipsec          Mobile user Virtual Private Network
  mvpn-rule           Muvpn rule
  no                  Negate a command or set its defaults
  one-to-one-nat      One to one NAT
  policy-type         Policy service type
  pptp                Point to Point Tunneling Protocol
  proposal            Proposal configuration
  rule                Policy rule specification
  schedule            Schedule for use in the application of policies
  show                Show running system information
  sslvpn              Secure Sockets Layer Virtual Private Network
  traffic-management  Traffic management
  user-group          Authorized user group
  users               User information
WG(config/policy)#
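Because each command mode has its own prompt, a saved CLI session can be audited by reading the prompts alone. The following Python sketch is an added example, not code from WatchGuard or from the original article; it maps each prompt shown above to its mode and flags state-changing commands taken from the help listings. The function names, the choice of flagged commands and the sample session are assumptions made for illustration.

```python
import re

# Prompt shapes as shown in the examples on this page:
#   WG#   WG(config)#   WG(config/if-fe0)#   WG(config/policy)#
PROMPT = re.compile(r"^[\w-]+(?:\((?P<path>[^)]*)\))?#\s*(?P<cmd>.*)$")
MODES = {None: "Main", "config": "Configuration", "config/policy": "Policy"}

# State-changing commands named in the page's help listings, per mode.
SENSITIVE = {"Main": {"reboot", "shutdown", "restore", "upgrade"}, "Policy": {"apply"}}

def mode_of(path):
    """Map the parenthesised part of a prompt to a command mode name."""
    if path in MODES:
        return MODES[path]
    # The Link Aggregation prompt is not shown on the page, so it is not guessed.
    return "Interface" if path.startswith("config/if-") else "Unknown"

def audit(transcript):
    """Return (mode, command, flagged) for each command typed in a session."""
    events = []
    for line in transcript.splitlines():
        m = PROMPT.match(line.strip())
        if not m or not m.group("cmd").strip():
            continue  # help output, empty prompt, or other device output
        cmd = m.group("cmd").strip()
        mode = mode_of(m.group("path"))
        flagged = cmd.split()[0] in SENSITIVE.get(mode, set())
        events.append((mode, cmd, flagged))
    return events

# Constructed sample session (not captured from a real device).
SAMPLE = """\
WG#configure
WG(config)#policy
WG(config/policy)#?
Policy configuration commands:
apply Commit configure
WG(config/policy)#apply
WG(config/policy)#exit
WG(config)#interface FastEthernet 0
WG(config/if-fe0)#exit
WG(config)#exit
WG#reboot
"""

if __name__ == "__main__":
    for mode, cmd, flagged in audit(SAMPLE):
        print("!" if flagged else " ", f"{mode:<13}", cmd)
```

A command is flagged only in the mode where the page lists it, so the same word typed at a different prompt is recorded but not marked.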