HP X Unified Security Platform Series Guida Utente Pagina 1

http://www.3com.com/Part Number TECHD-178 Rev B01Published April 20073Com® X Family Command Line Interface ReferenceX5 (25-user license) – 3CRTPX5-25-

Chapter 1. X Family Startup Configuration2 X Family CLI Reference V 2.5.1LSM provides HTTP and HTTPS (secure management) access. This access requires

Chapter 3. Command Reference92 X Family CLI Reference V 2.5.1servershows the persistent configuration of ssh, telnet, http, and https servers on

showX Family CLI Reference V 2.5.1 93filter-actionshows the filter actions.filter-serviceshows the configuration of the filtering service.ma

Chapter 3. Command Reference94 X Family CLI Reference V 2.5.1show filter numberThe show filter command shows filter data for a specific filter.

showX Family CLI Reference V 2.5.1 95show healthThe show health command shows memory, disk usage, temperature, and thresholds of the device.

Chapter 3. Command Reference96 X Family CLI Reference V 2.5.1show high-availabilityThe show high-availability command shows the status of failo

showX Family CLI Reference V 2.5.1 97 TX Unicast Pkts 0 TX Multicast Pkts 0 TX Broadcast Pkts 0 TX Total Pkts

Chapter 3. Command Reference98 X Family CLI Reference V 2.5.1show status of a mgmt Ethernet portUse show interface mgmtEthernet to show the st

showX Family CLI Reference V 2.5.1 99Common show log command flagsThe different X family logs have a number of command flags that are common

Chapter 3. Command Reference100 X Family CLI Reference V 2.5.1-status < PASS | FAIL > displays only records with pass or fail status.-ip i

showX Family CLI Reference V 2.5.1 101vpndisplays a log of VPN sessions, events, and alerts.-module module-namedisplays records according to

Configuration CategoriesX Family CLI Reference V 2.5.1 3Timekeeping Options Timekeeping Options NTP or CMOS clocktime zonedaylight saving t

Chapter 3. Command Reference102 X Family CLI Reference V 2.5.1protocol-mixdisplays protocol specific statistics broken down by layer.reassemblyd

showX Family CLI Reference V 2.5.1 103tier-statsdisplays general statistics with percentages for tier performance. • Tier 1 — Hardware tier.

Chapter 3. Command Reference104 X Family CLI Reference V 2.5.1Bad TCP flags = 0Bad UDP total len = 0Bad ICMP total len

showX Family CLI Reference V 2.5.1 105show np engine parser statisticsUse show np engine with the parse parameter to view the network proces

Chapter 3. Command Reference106 X Family CLI Reference V 2.5.1show np fast pattern processor statisticsUse show np with the fpp parameter to vie

showX Family CLI Reference V 2.5.1 107show np linx statisticsUse show np linx to view the network processor linx statistics.hostname# show n

Chapter 3. Command Reference108 X Family CLI Reference V 2.5.1Frag 001 = 0Frag 011 = 0Frag 100 = 0Frag 10

showX Family CLI Reference V 2.5.1 109Flows pulled up = 0Flows max active = 0Frags max active

Chapter 3. Command Reference110 X Family CLI Reference V 2.5.1Blocks discarded ROB = 0RSP LPORTs and Schedulers: blksLeft

showX Family CLI Reference V 2.5.1 111show np xslcounters valuesUse show np xslcounters values to view the network processor xslcounter valu

Chapter 1. X Family Startup Configuration4 X Family CLI Reference V 2.5.1Initiating the Setup WizardWhen the Setup Wizard runs, the following screen

Chapter 3. Command Reference112 X Family CLI Reference V 2.5.1show ramdiskThe show ramdisk command displays information on the RAM disk of the d

showX Family CLI Reference V 2.5.1 113/ramLog/log/audit/audit.log 30 11 FALSE 37 21 1.76 0.03 0.

Chapter 3. Command Reference114 X Family CLI Reference V 2.5.1show routing tableUse show routing table to view the routing table.hostname# show

showX Family CLI Reference V 2.5.1 115show smsThe show sms command indicates if the device is under the control of an SMS. If it is under SM

Chapter 3. Command Reference116 X Family CLI Reference V 2.5.1show tseThe show tse command displays information about the Threat Suppression Eng

showX Family CLI Reference V 2.5.1 117-------------------------------- ------------- -------------------- -------- -------- ----------------

Chapter 3. Command Reference118 X Family CLI Reference V 2.5.1Logged In: 0:00:55show web-filter category [url]Use the show web-filter categ

traffic-captureX Family CLI Reference V 2.5.1 119-Fspecifies that the packet not be fragmented. This stops the traceroute from being fragmen

Chapter 3. Command Reference120 X Family CLI Reference V 2.5.1filethe name of the file that you want to export.listlists all the traffic capture

whoX Family CLI Reference V 2.5.1 121The -syntax option adds syntax information to the command tree.view tree (command hierarchy)Use tree to

Super-User DataX Family CLI Reference V 2.5.1 5ExampleThere are three security levels for specifying user names and passwords: Level 0: Use

Chapter 3. Command Reference122 X Family CLI Reference V 2.5.1whoamiaccess: global; allThe whoami command lists the username, access role, and

4X Family CLI Reference V 2.5.1 123NavigationDescribes the X family Command Line Interface. This chapter details how to log in, issue comman

Chapter 4. Navigation124 X Family CLI Reference V 2.5.1NavigationThe X family Command Line Interface offers the following features:• Command Typ

NavigationX Family CLI Reference V 2.5.1 125Command HintsOn each command level, you can view the hierarchical commands available at that lev

Chapter 4. Navigation126 X Family CLI Reference V 2.5.1Command HelpAt the CLI prompt, you can access the help topics for commands. At the prompt

NavigationX Family CLI Reference V 2.5.1 127To see edit keys, type help edit:hostname# help editAvailable editing keystrokesDelete current c

Chapter 4. Navigation128 X Family CLI Reference V 2.5.1An alias that defines an entire command string can only be used to replace that command s

Console SettingsX Family CLI Reference V 2.5.1 129Tip: For best viewing, be sure to set your terminal software’s row and column settings to

Chapter 4. Navigation130 X Family CLI Reference V 2.5.1

X Family CLI Reference V 2.5.1 131Index! 28Aaccount security 4action sets 22, 87additional configuration 16address groups 26alert sink 40, 93alia

Chapter 1. X Family Startup Configuration6 X Family CLI Reference V 2.5.1my-b1rthday mybirthday (must contain numeric)myd*g’snam3 mydogsnam3 (must co

Index132 X Family CLI Reference V 2.5.1Iimages 29infrastructure protection 60, 91, 111interface 26ethernet 50, 90, 96external virtual 51GRE vi

IndexX Family CLI Reference V 2.5.1 133Ttech support viiitemperature 95terminal setup wizard 2, 20account security 4configuration settings 2NMS 1

Index134 X Family CLI Reference V 2.5.1

Host ConfigurationX Family CLI Reference V 2.5.1 7ExampleIn this example, the password is presented in italics. In the actual dialog, the p

Chapter 1. X Family Startup Configuration8 X Family CLI Reference V 2.5.1Time ZoneThe time zone option calculates and shows the local time. System lo

Network Deployment ConfigurationX Family CLI Reference V 2.5.1 9Enter [A]ccept, [C]hange, or [E]xit without saving [C]: ANetwork Deployment

Chapter 1. X Family Startup Configuration10 X Family CLI Reference V 2.5.1Virtual interfaces:Id Type Mode IP Address Subnet Mask NAT 1

Assigning Zones to Virtual InterfacesX Family CLI Reference V 2.5.1 11Security zones: # Zone name Ports 1 LAN None 2 V

3Com Corporation 350 Campus Drive Marlborough, MA 01752-3064Copyright © 2005–2007, 3Com Corporation. All rights reserved. No part of this documentati

Chapter 1. X Family Startup Configuration12 X Family CLI Reference V 2.5.1Would you like to configure DNS? <Y,[N]>:yWould you like to use the D

Enabling SMS ConfigurationX Family CLI Reference V 2.5.1 13Would you like to enable web filtering (license required) and set up firewall ru

Chapter 1. X Family Startup Configuration14 X Family CLI Reference V 2.5.1When the SMS is on a different site than the device, a potential misconfigu

Web, CLI, and SNMP Server OptionsX Family CLI Reference V 2.5.1 15Default Server SettingsThe default settings of the Web, CLI, and SNMP ser

Chapter 1. X Family Startup Configuration16 X Family CLI Reference V 2.5.1Enable the SNMP agent ('No' disables SMS and NMS access)? [Yes]:y

Additional ConfigurationX Family CLI Reference V 2.5.1 17ExampleIn this example, the X family device was originally configured in Routed mo

Chapter 1. X Family Startup Configuration18 X Family CLI Reference V 2.5.1Line SpeedThe line speed setting for port. A valid entry will meet the foll

Additional ConfigurationX Family CLI Reference V 2.5.1 19TO email addressThe TO email address is the email address to which alert notificat

Chapter 1. X Family Startup Configuration20 X Family CLI Reference V 2.5.1Enter email server IP address []: 1.2.3.4Enter period (in minutes) that ema

2X Family CLI Reference V 2.5.1 21Command ReferenceDescriptions and usage of CLI commands.OverviewThe following tables list the CLI commands

X Family CLI Reference V 2.5.1 iiiContentsContents iiiAbout This Guide vWelcome to the X Family CLI vTarget Audience viConventions viRela

Chapter 3 Command Reference22 X Family CLI Reference V 2.5.1Action Sets conf t notify-contact 58conf t default-alert-sink 40show action-sets 87sh

X Family CLI Reference V 2.5.1 23Web Filtering conf t web-filtering 78show conf web-filtering 92show conf web-filtering filter-service 93sho

Chapter 3 Command Reference24 X Family CLI Reference V 2.5.1Reports show tse 116show firewall monitor 94show firewall rules counters 94Table 2–6:

X Family CLI Reference V 2.5.1 25show conf default-alert-sink 89Configuration: Syslog Servers conf t remote-syslog 62show conf remote-syslog

Chapter 3 Command Reference26 X Family CLI Reference V 2.5.1Configuration: IP Interfaces conf t interface virtual 51show conf interface virtual 9

X Family CLI Reference V 2.5.1 27Privilege Groups conf t authentication privilege-groups36show conf authentication privilege-group89RADIUS c

Chapter 3. Command Reference28 X Family CLI Reference V 2.5.1!access: global; allThe ! command executes a command in the history buffer. Use !!

bootX Family CLI Reference V 2.5.1 29delete an aliasEnter the alias command with an existing alias and no other parameters to delete that al

Chapter 3. Command Reference30 X Family CLI Reference V 2.5.1Using the boot commandview available boot imagesEnter boot list-image to list all a

clearX Family CLI Reference V 2.5.1 31clearaccess: global; super, adminThe clear command resets logs or hardware interfaces. The command re

iv X Family CLI Reference V 2.5.1! 28alias 28boot 29bugreport 30clear 31cls 33configure 33debug 81exit 81halt 82help 82high-availabilit

Chapter 3. Command Reference32 X Family CLI Reference V 2.5.1log [alert | audit | block | firewallblock | firewallsession | packet-trace | syste

clsX Family CLI Reference V 2.5.1 33hostname# clear interfacereset the card in slot nEnter the clear interface command and a slot number to

Chapter 3. Command Reference34 X Family CLI Reference V 2.5.1conf t action-set action-set-name threshold threshold-periodThe configure terminal

configureX Family CLI Reference V 2.5.1 35renamerenames the action set.web-blockblocks web requests from quarantined hosts.web-pagecreates a

Chapter 3. Command Reference36 X Family CLI Reference V 2.5.1delete an IP address groupUse configure terminal address-group remove to delete an

configureX Family CLI Reference V 2.5.1 37user-authentication < enable | disable >enables or disables RADIUS for user authentication.v

Chapter 3. Command Reference38 X Family CLI Reference V 2.5.1conf t category-settingsThe configure terminal category-settings command enables an

configureX Family CLI Reference V 2.5.1 39timezonesets the timezone for the device.Using conf t clockset the system dateUse configure termin

Chapter 3. Command Reference40 X Family CLI Reference V 2.5.1aggregate-alertsenables aggregation of connection flood alerts. Use no aggregate-al

configureX Family CLI Reference V 2.5.1 41set email notification server domain name Use configure terminal default-alert-sink domain to set

X Family CLI Reference V 2.5.1 vAbout This GuideExplains who this guide is intended for, how the information is organized, where information updates c

Chapter 3. Command Reference42 X Family CLI Reference V 2.5.1broadcastenables a central VPN DHCP relay agent that will broadcast DHCP requests r

configureX Family CLI Reference V 2.5.1 43mapping a static DHCP entryUse configure terminal dhcp-server static-map add to map a static DHCP

Chapter 3. Command Reference44 X Family CLI Reference V 2.5.1conf t filterThe configure filter command configures a filter’s state and category

configureX Family CLI Reference V 2.5.1 45all resetremoves all user changes to all filters’ configuration and resets all filters to the defa

Chapter 3. Command Reference46 X Family CLI Reference V 2.5.1remove iddeletes a firewall rule.update idupdates or creates a firewall with the sp

configureX Family CLI Reference V 2.5.1 47hostname# conf t firewall rule update 10 permit LAN WAN telnetupdate source and destination addres

Chapter 3. Command Reference48 X Family CLI Reference V 2.5.1conf t firewall serviceUse configure terminal firewall service to configure the ser

configureX Family CLI Reference V 2.5.1 49add a service to a service groupUse configure terminal firewall service-group add-service to add a

Chapter 3. Command Reference50 X Family CLI Reference V 2.5.1id id-numberconfigures an ID number that will be used when a MAC address conflict o

configureX Family CLI Reference V 2.5.1 51turn auto negotiation on for a Ethernet portUse configure terminal interface ethernet negotiate to

About This Guidevi X Family CLI Reference V 2.5.1Target AudienceThis guide is intended for super-users and administrators who manage one or more X fam

Chapter 3. Command Reference52 X Family CLI Reference V 2.5.1ha-mgmt-ip ipsets the virtual IP address that is used to manage the device in a hig

configureX Family CLI Reference V 2.5.1 53zone < add | remove > zone-nameadds a security zone to (or removes it from) this virtual int

Chapter 3. Command Reference54 X Family CLI Reference V 2.5.1zone < add | remove > zone-nameadds a security zone to (or removes it from) t

configureX Family CLI Reference V 2.5.1 55zone < add | remove > zone-nameadds a security zone to (or removes it from) this virtual int

Chapter 3. Command Reference56 X Family CLI Reference V 2.5.1modify username [password password] [privilege-group group-name]modifies an existin

configureX Family CLI Reference V 2.5.1 57oam | no oamenables or disables gathering of OAM information.policy | no policyenables or disables

Chapter 3. Command Reference58 X Family CLI Reference V 2.5.1before a problem occurs. A critical threshold should be set to a value to warn you

configureX Family CLI Reference V 2.5.1 59duration minutesinterval at which the X family device will check with the time server.enableturns

Chapter 3. Command Reference60 X Family CLI Reference V 2.5.1add-pair [in name | out name]adds a security zone pairing to a profile.deletedelete

configureX Family CLI Reference V 2.5.1 61app-limit creates an apply-only restriction for Application Protection and Infrastructure Protecti

ConventionsX Family CLI Reference V 2.5.1 viiTypefaceThis guide uses the following typographical conventions:bold used for commands or parameters, wh

Chapter 3. Command Reference62 X Family CLI Reference V 2.5.1sync-interval < alert | audit | block | firewallblock | firewallsession | sys |

configureX Family CLI Reference V 2.5.1 63Using conf t remote-syslogdesignate a system to receive remote syslog messages Use configure termi

Chapter 3. Command Reference64 X Family CLI Reference V 2.5.1enable PIM-DMUse configure terminal routing to globally enable PIM-DM.hostname# con

configureX Family CLI Reference V 2.5.1 65enable technical support diagnostic accessUse configure terminal service-access to enable technica

Chapter 3. Command Reference66 X Family CLI Reference V 2.5.1hostname# conf t session timeout 25hostname# show sessionCurrent Session SettingsTe

configureX Family CLI Reference V 2.5.1 67enable remote deploymentUse conf t sms remote-deploy to enable configuration of the device by a re

Chapter 3. Command Reference68 X Family CLI Reference V 2.5.1add usernameadds a user account to the system. You can add the password and role fo

configureX Family CLI Reference V 2.5.1 69disabledisables the account when expire-period is reached. A super-user must re-enable the account

Chapter 3. Command Reference70 X Family CLI Reference V 2.5.1user remove usernameremoves a user account.Using conf t useradd a new userUse confi

configureX Family CLI Reference V 2.5.1 71locks out an account for three minutesUse cft user option lockout-period to set the number of minu

About This Guideviii X Family CLI Reference V 2.5.1NoteNotes tell you about information that might not be obvious or that does not relate directly to

Chapter 3. Command Reference72 X Family CLI Reference V 2.5.1auto-connect-phase2 < enable | disable >enables phase 2 auto-connect. Use aut

configureX Family CLI Reference V 2.5.1 73phase1-lifetime < 600–999999 >selects the length of time in seconds you want the Security As

Chapter 3. Command Reference74 X Family CLI Reference V 2.5.1name an IKE proposal and enter its contextUse configure terminal vpn ike proposal t

configureX Family CLI Reference V 2.5.1 75keyselects and configures the keying mode. Some options are only valid on the High Encryption agen

Chapter 3. Command Reference76 X Family CLI Reference V 2.5.1remote < default-route | dhcp | group group-name | subnet ip netmask netmask | r

configureX Family CLI Reference V 2.5.1 77addresses < radius | group name | none >configures how L2TP addresses are assigned. Either s

Chapter 3. Command Reference78 X Family CLI Reference V 2.5.1disabledisables the PPTP server. dns < relay | server-ip-1 [server-ip-2] >con

configureX Family CLI Reference V 2.5.1 79filter-action < block | log | block-and-log >specifies the actions that occur when a web req

Chapter 3. Command Reference80 X Family CLI Reference V 2.5.1conf t zoneUse the configure terminal zone command to create and configure security

debugX Family CLI Reference V 2.5.1 81debugaccess: super userMost debug commands should only be used when you are instructed to do so by te

1X Family CLI Reference V 2.5.1 1X Family Startup ConfigurationThe X family device is a high-speed, comprehensive security system. This sect

Chapter 3. Command Reference82 X Family CLI Reference V 2.5.1hostname#haltaccess: local; super-user, adminThe halt command shuts down the devic

historyX Family CLI Reference V 2.5.1 83force standbyforces the device into Standby state.historyaccess: global; allThe history command dis

Chapter 3. Command Reference84 X Family CLI Reference V 2.5.1hostname# logoutpingaccess: global; allThe ping command tests whether you can reac

quarantineX Family CLI Reference V 2.5.1 85quarantineaccess: global; allThe quarantine command displays a list of quarantined hosts, and is

Chapter 3. Command Reference86 X Family CLI Reference V 2.5.1nowinstructs the device to reboot immediately. Using rebootreboot the deviceUse the

showX Family CLI Reference V 2.5.1 87show action-setsThe show action-sets command lists the action sets.hostname# show action-setsAction Set

Chapter 3. Command Reference88 X Family CLI Reference V 2.5.1SLT1 Management Processor Simplex Active No Info No InfoSLT3 Port H

showX Family CLI Reference V 2.5.1 89Show configuration commands can be used to feed configuration information back to the console. Without

Chapter 3. Command Reference90 X Family CLI Reference V 2.5.1algshows the application layer gateway (ALG).alg sipshow the Session Initiation Pro

showX Family CLI Reference V 2.5.1 91settingsshows the persistent configuration settings for MDI-detection and the Ethernet polling interval