system

The system command allows configuration of a range of system parameters.

The components and their parameters configurable via system are described in the sections below:

airgap

Allows you to view airgap status and turn airgap functionality on and off.

Syntax

Description

[enable]

Use to enable airgap functionality.

[disable]

Use to disable airgap functionality.

[show]

Displays the current airgap configuration.

appliance_access

Allows you to override or bypass the configured device access settings and allow access to all the XG Firewall services.

Syntax

Description

[disable]

Disables appliance access. Disable is the default setting.

[enable]

Enables appliance access.

[show]

Displays the current appliance access status.

application_classification

Once application classification is enabled, traffic is categorized on the basis of application, and is displayed on the Admin Console. Once application classification is enabled, you can enable microapp discovery, which identifies and classifies microapps used within web browsers. If application classification is disabled, traffic categorization is based on port numbers.

Syntax

Description

[off] [on] [show] microapp-discovery [off] [on] [show]

If application classification is enabled, traffic is categorized on the basis of application. Once application classification is enabled, you can enable microapp discovery, which identifies and classifies microapps used within web browsers.

If application classification is disabled then traffic is classified based on port number.

Default: on

auth

Sets authentication parameters for use with STAS, terminal services, thin client, and maximum live user settings.

Syntax

Description

cta [add] [delete] [IP-Address]

CTA is used in the configuration of STAS authentication.

When entering commands where IP-Address is specified you need to type the IP address.

max-live-users [set] [numerical value] [show]

For max live users the available values are 8192-32768.

Using the command show will display the currently configured values.

thin-client [add] [delete] [citrix-ip] [IP-Address] [show]

Thin client is used for authentication within a Citrix environment.

auto-reboot-on-hang

Auto reboot on hang determines how the system behaves if the kernel goes into a hung state.

Syntax

Description

[disable] [enable] [show]

Default: enabled.

bridge

Allows setting of various parameters for bridged interfaces.

Syntax

Description

bypass-firewall-policy [unknown-network-traffic] [allow] [drop] [show] [dynamic] [static]

Use the bypass-firewall-policy command to configure a policy for non-routable traffic for which no security policy is applied.

static-entry [add] [delete] [show] [interface] [bridge name] [Port] [macaddr] [MAC Address] [priority] [dynamic] [static]

Use the static-entry command for configuring static MAC addresses in bridge mode. The bridge forwarding table stores all the MAC addresses learned by the bridge and is used to determine where to forward packets.

max_bridge_members [reset] [set] [limit] [numerical value] [show]

Use the max_bridge_members command to set the maximum number of interfaces allowed for a bridged interface. Available values are 2-256.

captcha_authentication_global

Allows you to enable or disable CAPTCHA for administrators signing in to the web admin console and for local and guest users signing in to the user portal using the WAN or VPN interfaces.

If you use this command to disable the CAPTCHA, it will override the VPN-specific setting. We recommend having this setting enabled, and only disabling the CAPTCHA for VPN users using the VPN specific command, captcha_authentication_VPN.

Signing in from a LAN interface doesn't require a CAPTCHA.

Syntax

Description

[disable] [enable] [show] for [webadminconsole] [userportal]

Default: Enabled

captcha_authentication_VPN

Allows you to enable or disable CAPTCHA for administrators signing in to the web admin console and for local and guest users signing in to the user portal.

Administrators signing in to the web admin console, and local and guest users signing in to the user portal from the WAN or VPN zones must enter a CAPTCHA. Local users are registered on XG Firewall and not on an external authentication server, such as an AD server.

The CAPTCHA doesn't show on XG 85, XG 85w devices, and on Cyberoam devices upgraded to XG Firewall.

Syntax

Description

[disable] [enable] [show] for [webadminconsole] [userportal]

Default: Disabled

If you configured a site-to-site IPsec connection with remote subnet set to Any, the CAPTCHA applies to all these tunnels. To make sure the CAPTCHA doesn't apply to specific remote hosts or networks, add these to an IPsec route. For <mytunnel>, select from the names of the original IPsec connections shown on the command-line interface.

Examples of commands to add a remote host or network are as follows:

Remote host: console> system ipsec_route add host <50.50.50.1> tunnelname <mytunnel>

Remote network: console> system ipsec_route add net <10.10.10.0/255.255.255.0> tunnelname <mytunnel>

cellular_wan

Allows you to enable or disable the cellular WAN and view any Wi-Fi modem information if connected. The cellular WAN menu will be available in web admin console once cellular WAN has been enabled from CLI.

Syntax

Description

[disable] [enable] query [serialport] [serial port number] [ATcommand] [command string] set [disconnect-on-systemdown] [off] [on] modem-setup-delay [numerical value]

When using the modem-setup-delay command, the numerical value is the number of seconds that you wish to delay the modem coming online.

When using AT commands all valid AT commands are accepted.

custom-feature

Allows you to add top users to generated PDF reports.

Syntax

Description

[disable] [enable] [show]

You can enable or disable this feature and show the current setting.

dhcp

XG Firewall supports configuration of DHCP options, as defined in RFC 2132. DHCP options allow you to specify additional DHCP parameters in the form of pre-defined, vendor-specific information that is stored in the options field of a DHCP message. When the DHCP message is sent to clients on the network, it provides vendor-specific configuration and service information. Appendix A provides a list of DHCP options by RFC-assigned option number.

Syntax

Description

conf-generation-method [new] [old] [show]

Use conf-generation-method to assign the method of generating configuration messages. Default: old.

dhcp-relay-refresh-interval [set] [seconds] [numerical value] [show]

Use dhcp-relay-refresh-interval to set the time in seconds between refresh packets. Available values: 10-1000. Default: 10.

dhcp-options [add] [optioncode] [numerical value] [delete] [optionname] [binding] [add] [delete] [dhcpname] [show]

Use dhcp-options to assign properties from the DHCP server to the clients. Example: Set a DNS server address.

lease-over-IPSec [disable] [enable] [show]

Use lease-over-IPSec to specify how DHCP leases should be handled for IPsec connections. Default: disable.

one-lease-per-client [disable] [enable] [show]

Default: disable

send-dhcp-nak [disable] [enable] [show]

Default: enable

static-entry-scope [disable] [enable] [show]

Default: network

dhcpv6

XG Firewall supports configuration of DHCPv6 options, as defined in RFC 3315. DHCPv6 options allow you to specify additional DHCPv6 parameters in the form of pre-defined, vendor-specific information that is stored in the options field of a DHCPv6 message. When the DHCPv6 message is sent to clients on the network, it provides vendor-specific configuration and service information. Appendix B provides a list of DHCPv6 options by RFC-assigned option number.

Syntax

Description

dhcpv6-options [add] [optioncode] [numerical value] [delete] [optionname] [list] [binding] [add] [delete] [dhcpname] [show]

Available values for optioncode: 1-65535.

discover-mode

Use this command to configure discover mode on one or more interfaces.

Syntax

Description

tap [add] [delete] [Port] [show]

Add and delete discover mode for the specified ports or show current ports that have discover mode configured.

diagnostics

Diagnostics allows you to view and set various system parameters for troubleshooting purposes.

Syntax

Description

ctr-log-lines [numerical value] [traceroute] [traceroute6]

Set the number of lines to display in the Consolidated Troubleshooting Report (CTR) log file. Available values for ctr-log-lines: 250-10000. Default: 1000.

purge-old-log

Use purge-old-log to purge all rotated log files.

subsystems [Access-Server] [Bwm] [CSC] [IM] [IPSEngine] [LoggingDaemon] [Msyncd] [POPIMAPDaemon] [Pktcapd] [SMTPD] [SSLVPN] [SSLVPN-RPD] [WebProxy] [Wifiauthd]

When using subsystems, configure each subsystem individually. Configuration options include: debug, purge-logs and purge-oldlogs.

show [cpu] [interrupts] [syslog] [version-info] [ctr-log-lines] [memory] [sysmsg] [disk] [subsystem-info] [uptime]

Use diagnostics to view the current status of various systems such as cpu and memory usage.

utilities [arp] [bandwidthmonitor] [connections] [dnslookup] [dnslookup6] [drop-packet-capture] [netconf] [netconf6] [ping] [ping6] [process-monitor] [route] [route6] [traceroute] [traceroute6]

Utilities provides a number of systems to help with troubleshooting.

dos-config

Use dos-config to configure denial of service (DoS) policies and rules. You can enable flood protection for ICMP/TCP/UDP/IP packet types by configuring the maximum packets per second to be allowed per source, destination or globally. If the traffic exceeds the limit then the device considers it an attack.

DOS policy configuration:

Syntax

Description

add [dos-policy] [policy_name] [string] [ICMP-Flood] [IP-Flood] [SYN-Flood] [UDP-Flood] [numerical value] [pps] [global] [per-dst] [per-src]

Value options 1-10000 packets per second.

Using per-src: Configures packets per second (pps) allowed from a single source, above which the device will drop the packets. The limit is applicable to individual source requests per user/IP address.

Using per-dst: Configures packets per second (pps) allowed to a single destination. The limit is applicable to individual destination requests per user/IP address.

Using global: Apply the limit on the entire network traffic regardless of source/destination requests.

With per-src option configured, if the source rate is 2500 packets/second and the network consists of 100 users then each user is allowed a packet rate of 2500 packets per second. With global option selected, if limit configured is 2500 packets/second and the network consists of 100 users then only 2500 packets/second are allowed to the entire traffic coming from all the users.
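To make the per-src, per-dst and global semantics concrete, here is an added Python model (not Sophos code) that counts packets in fixed one-second windows (the exact window accounting used by the firewall is an assumption) and drops packets above the configured pps limit; it reproduces the 2500 pps / 100 users figures from the text and adds one mixed case where a single noisy host exceeds the limit.

```python
from collections import defaultdict
from typing import Iterable, Tuple

SCOPES = ("per-src", "per-dst", "global")


class FloodLimiter:
    """Count packets per one-second window (assumed model), keyed by source,
    destination or nothing (global); packets above limit_pps are dropped."""

    def __init__(self, limit_pps: int, scope: str) -> None:
        if not 1 <= limit_pps <= 10000:          # value range stated in the reference
            raise ValueError("pps limit must be 1-10000")
        if scope not in SCOPES:
            raise ValueError(f"scope must be one of {SCOPES}")
        self.limit = limit_pps
        self.scope = scope
        self.seen = defaultdict(int)             # (second, key) -> packets counted

    def _key(self, src: str, dst: str):
        if self.scope == "per-src":
            return src
        if self.scope == "per-dst":
            return dst
        return None                              # global: one bucket for all traffic

    def accept(self, ts: float, src: str, dst: str) -> bool:
        """True if the packet is within the limit, False if it is dropped."""
        bucket = (int(ts), self._key(src, dst))
        self.seen[bucket] += 1
        return self.seen[bucket] <= self.limit


def run(scope: str, limit_pps: int, packets: Iterable[Tuple[float, str, str]]) -> Tuple[int, int]:
    """Feed (timestamp, src, dst) packets through a limiter; return (accepted, dropped)."""
    lim = FloodLimiter(limit_pps, scope)
    accepted = dropped = 0
    for ts, src, dst in packets:
        if lim.accept(ts, src, dst):
            accepted += 1
        else:
            dropped += 1
    return accepted, dropped


def uniform_flood(users: int, pps_each: int, dst: str = "10.0.0.1"):
    """Constructed traffic (not a capture): `users` hosts each send `pps_each`
    packets within one second to the same destination."""
    for u in range(users):
        src = f"192.168.1.{u + 1}"
        for i in range(pps_each):
            yield (i / pps_each, src, dst)


def worked_example() -> dict:
    """The 2500 pps / 100 users comparison from the text, plus one mixed case."""
    results = {scope: run(scope, 2500, uniform_flood(100, 2500)) for scope in SCOPES}
    # 99 hosts at 100 pps plus one host at 6000 pps: per-src trims only the noisy host.
    noisy = [(i / 6000, "192.168.9.9", "10.0.0.1") for i in range(6000)]
    results["per-src-mixed"] = run("per-src", 2500, list(uniform_flood(99, 100)) + noisy)
    return results


if __name__ == "__main__":
    for scope, (ok, drop) in worked_example().items():
        print(f"{scope:14s} accepted={ok:6d} dropped={drop:6d}")
```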

DOS rule configuration:

Syntax

Description

add [dos-rule] [rule_name] [rule_name] [srcip] [ipaddress] [dstip] [ipaddress] [netmask] [netmask value] [protocol] [icmp] [ip] [tcp] [udp] [rule-position] [position number] [src-interface] [interfacename] [src-zone] [DMZ] [LAN] [WAN] [VPN] [WiFi] [custom zone] [dos-policy] [policy name]

You can create a DOS rule to apply to all packet types or specific packet types within one command.

To delete a DOS rule or policy:

Syntax

Description

delete [dos-policy] [dos-rule] [dos-policy] [rule-name] [policy-name] [string]

When specifying the string this should be the name of your dos rule or policy.

To flush or view DOS rules and policies the following options are available:

Syntax

Description

flush [dos-rules] show [dos-rules] [dos-policies] [rule-name] [policy-name] [string]

When specifying a string this should be your policy or rule name.

filesystem

The filesystem command enables you to enforce disk write permissions for the report partition.

Syntax

Description

enforce-disk-write [partition-name] [report] [enable] [disable] [show]

Enable or disable disk write permissions or show the current status. Default: enabled.

firewall-acceleration

Use firewall-acceleration to enable an advanced data-path architecture that allows faster processing of data packets for known traffic.

Syntax

Description

[disable] [enable] [show]

Enable or disable firewall acceleration or show the current configuration. Default: enabled.

fsck-on-nextboot

Check the file system integrity of all the partitions. Turning this option on forces a file system integrity check on the next device restart. If the device goes into failsafe mode, this check is turned on automatically. The device can go into failsafe mode for the following reasons:

  • Unable to start config, report or signature database.
  • Unable to apply migration.
  • Unable to find the deployment mode.

Syntax

Description

[off] [on] [show]

Turn integrity checking on or off for the next restart or show the current configuration. Default: off.

gre

Using gre you can configure, delete, set TTL and status for gre tunnels. You can also view route details like tunnel name, local gateway network and netmask and remote gateway network and netmask.

Syntax

Description

route [add] [del] [ipaddress] [network/netmask] [tunnelname][local-gw] [WAN Address] [remote-gw] [remote WAN ipaddress] [local-ip] [ipaddress] [remote-ip] [ipaddress] [show]

tunnel [add] [name] [tunnelname] [local-gw] [port] [remote-gw] [ipaddress/netmask] [local-ip] [ipaddress] [remote-ip] [ipaddress] [del] [ALL] [name] [local-gw] [Port] [remote-gw] [network/netmask]

When using route to add or delete a host, type the IP address. Example: 192.168.0.1

When adding or deleting a network, type both the network and the subnet mask. Example: 192.168.0.0/255.255.255.0

For name, type the tunnel name.

When using tunnel to add or delete a new tunnel, tunnelname should be the name you want to give to the tunnel.

ha

Allows configuration of certain HA parameters.

Syntax

Description

auxiliary_system_traffic_through_dedicated_link [all] [none] [only_dynamic_interface] [show] load-balancing [on] [off] [show]

Use auxiliary_system_traffic_through_dedicated_link to configure routing for system traffic sent by the auxiliary. Default: pass all traffic over the dedicated link.

Load balancing can be turned on or off and will balance traffic between the appliances.

Show will display the current HA configuration.

ipsec_route

Provides options for configuring IPsec routing.

Syntax

Description

add [host] [ipaddress] [tunnelname] [string]

del [net] [ipaddress/netmask] [tunnelname] [ipaddress/netmask] [tunnelname] [string] [show]

Add or delete IPsec routes by host or network or show the current routes configured.

link_failover

You can configure a vpn as a backup link. When configured, whenever the primary link fails, traffic will be sent through the vpn connection.

Syntax

Description

add [primarylink] [portname] [backuplink] [vpn] [gre] [tunnel] [tunnelname] [monitor PING host] [monitor TCP host] [ipaddress] [portnumber]

Failover can be configured to use a VPN or GRE tunnel. When using TCP host monitoring you must also specify the TCP port to be monitored. The monitoring port is not required when using ping monitoring.

restart

Restart XG Firewall.

Syntax

Description

[all]

Restarts XG Firewall. If configured in HA this will cause a failover.

route_precedence

Sets routing precedence. By default, route lookup precedence is:

  1. Policy
  2. VPN
  3. Static

Syntax

Description

set [sdwan_policyroute] [static] [vpn] [show]

When setting route precedence with more than one option, the first option entered takes the highest priority. Use show to display the current configuration.

shutdown

Shut down XG Firewall. There are no further options to use with this command.

system_modules

Load or unload the following system modules:

  • dns
  • h323
  • irc
  • pptp
  • sip
  • tftp

By default system modules are loaded.

Syntax

Description

dns [load] [unload]

DNS: The dns module learns the subdomains of non-local DNS traffic.

h323 [load] [unload]

H323: The H.323 standard provides a foundation for audio, video, and data communications across IP-based networks, including the internet.

pptp [load] [unload]

PPTP: Point to Point Tunneling Protocol is a network protocol that enables secure transfer of data from a remote client to a private server, creating a point to point VPN tunnel using a TCP/IP based network.

irc [load] [unload] [port] [portname] [default]

IRC: Internet Relay Chat is a multi-user, multi-channel chatting system based on a client-server model. A single server links with many other servers to make up an IRC network, which transports messages from one user (client) to another. In this manner, people from all over the world can talk to each other live and simultaneously. DoS attacks are very common as it is an open network and with no control on file sharing, performance is affected.

sip [load] [unload] [portname] [default]

SIP: Session Initiation Protocol is a signaling protocol which enables the controlling of media communications such as VoIP. The protocol is generally used for maintaining unicast and multicast sessions consisting of several media systems. SIP is a text based and TCP/IP supported application layer protocol.

tftp [load] [unload] [portname] [default] [show]

TFTP: Trivial File Transfer Protocol is a simple form of the file transfer protocol (FTP). TFTP uses the user datagram protocol (UDP) and provides no security features.

usb-setup-delay

Manage the waiting period for detecting the readiness of the USB drive.

Use this option when you're using firewall provisioning or zero touch configuration to set up the firewall.

Syntax

Description

set [number] [show]

Set the value in seconds that you wish to wait before USB devices are detected.

Available values are: 1-15. The default is 3.

vlan-tag

Set VLAN tags for VLAN traffic passing through XG Firewall.

Syntax

Description

set [interface] [interfacename] [vlanid] [number]

reset [interface] [interfacename] [reset]

Use these commands to set and reset VLAN IDs for an interface or to show the current configuration.

Available VLAN IDs: 0-4094.

Note: From SFOS 18.0 you can configure all VLAN tagging, including for bridge interfaces, from the web admin console. If you have previously configured VLAN tags for a bridge interface from the CLI, we recommend you delete the configuration and set the tags in the web admin console instead.

wireless-controller

The wireless-controller settings let you configure parameters for attached access points including enabling troubleshooting features.

Syntax

Description

ap_localdebuglevel [get] [set] [number]

global [ap_autoaccept] [value] [ap_debuglevel] [number] [log_level] [number] [radius_accounting_start_delay] [number] [show] [stay_online] [number] [store_bss_stats] [number] [tunnel_id_offset] [number]

Use the ap_localdebuglevel and ap_debuglevel commands to configure the debugging level the device will use when logging.

The level parameter must be from 0 (lowest) to 15 (highest).

You can view the current debug level using the get parameter.

The log_level parameter configures the logging level the device will use. When an event is logged, it is printed into the corresponding log if the log level of the message is equal or higher than the configured log level. The level parameter must be from 0 (lowest) to 7 (highest).

The radius_accounting_start_delay parameter sets the delay to start the 802.1x accounting for the Wi-Fi client. You can set the delay depending on the DHCP response time. You can set a value from 0 to 60 seconds. This allows the Wi-Fi client to receive the IP address first and then start the accounting. The Wi-Fi SSO uses the framed IP address from the accounting start message and allows the user to sign in to XG Firewall.

Available values for ap_autoaccept, stay_online and store_bss_stats are, 0 (off) or 1 (on).

The tunnel_id_offset parameter value must be from 0 (lowest) to 65535 (highest).

remote_pktcap [disable] [enable] [show] [AP serial number]

The remote_pktcap command captures packets on access points when a packet capture is running. To start packet capturing, the value of the ap_debuglevel parameter must be equal to or greater than 4.

set_channel_width [Wi-Fi interface name] [band] [Wi-Fi band] [channel_width] [number]

You can choose Wi-Fi band 2.5GHz or 5GHz.

Available channel widths are: 20 and 40 for 2.5GHz, and 20, 40, or 80 for 5GHz.