Check Point 600 1100 1200R Cli Guide PDF

Check Point 600, 1100, and 1200R Appliance
Command Line Interface

R77.20
Reference Guide
June 17, 2015
Classification: [Protected]
Contents
add access-rule type incoming-internal-and-vpn . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
add access-rule type outgoing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
add ad-server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
add address-range . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
add admin-access-ipv4-address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
add administrator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
add antispam allowed-sender . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
add antispam blocked-sender . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
add application . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
add application-group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
add bridge . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
add group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
add host . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
add interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
add interface-loopback . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
add internet-connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
add local-group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
add local-user . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
add nat-rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
add netflow collector . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
add network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
add qos-rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
add server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
add service-group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
add service-icmp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
add service-protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
add service-tcp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
add service-udp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
add snmp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
add static-route . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
add switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Command Line Interface Reference Guide R77.20 Embedded | 1

add threat-prevention anti-virus file-type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
add threat-prevention exception . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
add threat-prevention ips network-exception . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
add threat-prevention whitelist type-file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
add threat-prevention whitelist type-url . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
add vpn site . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
add wlan vap . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
connect security-management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
delete access-rule type incoming-internal-and-vpn . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
delete access-rule type outgoing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
delete ad-server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
delete address-range . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
delete admin-access-ipv4-address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
delete administrator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
delete aggressive-aging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
delete antispam allowed-sender . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
delete antispam blocked-sender . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
delete application . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
delete application-group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
delete bridge . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
delete dhcp server interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
delete dns . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
delete group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
delete host . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
delete interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
delete interface-loopback . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
delete internet-connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
delete internet-connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
delete local-group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
delete local-user . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
delete nat-rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
delete nat-rule position . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
delete netflow collector . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56

delete network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
delete proxy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
delete qos-rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
delete radius-server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
delete server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
delete service-group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
delete service-icmp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
delete service-protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
delete service-tcp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
delete service-udp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
delete snmp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
delete snmp traps-receivers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
delete snmp users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
delete static-route . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
delete static-routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
delete streaming-engine-settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
delete switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
delete threat-prevention anti-virus file-type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
delete threat-prevention anti-virus file-type custom . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
delete threat-prevention exception . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
delete threat-prevention exception position . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
delete threat-prevention exceptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
delete threat-prevention ips network-exception . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
delete threat-prevention whitelist type-file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
delete threat-prevention whitelist type-url . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
delete ui-settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
delete vpn . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
delete vpn site . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
delete wlan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
delete wlan vaps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
fetch cloud-services policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
find application . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
find threat-prevention ips protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68

reconnect cloud-services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
send cloud-report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
set access-rule type incoming-internal-and-vpn . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
set access-rule type outgoing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
set ad-server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
set additional-hw-settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
set address-range . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
set admin-access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
set administrator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
set administrator session-settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
set administrators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
set aggressive-aging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
set antispam . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
set application . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
set application-control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
set application-group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
set bridge . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
set cloud-deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
set cloud-services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
set date . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
set device-details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
set dhcp server interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
set dhcp-relay . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
set dns . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
set dynamic-dns . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
set fw policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
set fw policy user-check accept . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
set fw policy user-check ask . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
set fw policy user-check block . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
set group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
set host . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
set hotspot . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
set https-categorization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110

set interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
set internet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
set internet mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
set internet-connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
set ip-fragments-params . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
set ips engine-settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122
set local-group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
set local-group users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
set local-user . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
set log-servers-configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
set loginMessages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126
set nat . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126
set nat-rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129
set nat-rule position . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
set netflow collector . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
set network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
set ntp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132
set ntp server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
set proxy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134
set qos . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
set qos delay-sensitive-service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
set qos guarantee-bandwidth-selected-services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
set qos-rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
set radius-server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141
set reach-my-device . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142
set remote-access users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143
set security-management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143
set serial-port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143
set server server-access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
set server server-nat-settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145
set server server-network-settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146
set server server-ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
set service-group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148

set service-icmp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150
set service-protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150
set service-tcp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151
set service-udp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152
set snmp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153
set snmp traps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154
set static-route . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155
set streaming-engine-settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156
set switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
set threat-prevention anti-bot engine . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158
set threat-prevention anti-bot policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159
set threat-prevention anti-bot user-check ask . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160
set threat-prevention anti-bot user-check block . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160
set threat-prevention anti-virus engine . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161
set threat-prevention anti-virus file-type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161
set threat-prevention anti-virus policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162
set threat-prevention anti-virus user-check ask . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164
set threat-prevention anti-virus user-check block . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164
set threat-prevention exception . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165
set threat-prevention exception position . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165
set threat-prevention ips custom-default-policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166
set threat-prevention ips network-exception . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167
set threat-prevention ips policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168
set threat-prevention ips protection-action-override . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169
set threat-prevention policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170
set threat-prevention-advanced . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172
set ui-settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172
set usb-modem-watchdog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173
set user-awareness . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173
set user-awareness browser-based-authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174
set vpn . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176
set vpn remote-access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187
set vpn remote-access advanced . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195

set vpn remote-access advanced enc-dom-obj manual . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196
set vpn site-to-site . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196
set vpn site-to-site enc-dom manual . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204
set wlan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205
set wlan radio . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210
show access-rule type incoming-internal-and-vpn . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211
show access-rule type outgoing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212
show access-rules type incoming-internal-and-vpn . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213
show access-rules type outgoing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213
show ad-server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214
show ad-servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214
show additional-hw-settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214
show address-range . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214
show address-ranges . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215
show admin-access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215
show admin-access-ipv4-addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215
show administrator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215
show administrator session-settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216
show administrators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216
show administrators radius-auth . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216
show adsl statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216
show aggressive-aging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217
show antispam . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217
show antispam allowed-senders . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218
show antispam blocked-senders . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218
show application . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218
show application-control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 219
show application-control other-undesired-applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 219
show application-group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 219
show application-groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220
show applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220
show bridge . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220
show bridges . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221

show cloud-deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221
show cloud-services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221
show cloud-services connection-details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221
show cloud-services managed-blades . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222
show cloud-services managed-services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222
show cloud-services status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222
show date . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222
show device-details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 223
show dhcp server interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 223
show dhcp servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 224
show dhcp servers table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 224
show dhcp-relay . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225
show dns . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225
show dynamic-dns . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226
show fw policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226
show group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226
show groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227
show host . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227
show hosts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227
show hotspot . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228
show https-categorization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228
show interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228
show interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229
show interfaces all . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229
show interfaces table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229
show internet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229
show internet mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230
show internet-connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230
show internet-connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230
show internet-connections table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231
show ip-fragments-params . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231
show ips engine-settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231
show local-group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232

show local-groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232
show local-user . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232
show local-users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233
show log-servers-configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233
show loginMessages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233
show nat . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234
show nat-rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234
show nat-rule position . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 235
show nat-rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 235
show netflow collector . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 235
show netflow collectors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236
show network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236
show networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236
show ntp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236
show ntp active . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237
show ntp servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237
show proxy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237
show qos . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237
show qos delay-sensitive-services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 238
show qos guarantee-bandwidth-selected-services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 238
show qos-rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 238
show qos-rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 239
show radius-server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 239
show radius-servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 240
show reach-my-device . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 240
show remote-access users radius-auth . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 240
show security-management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241
show serial-port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241
show server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241
show servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241
show service-group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 242
show service-groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 242
show service-icmp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 242

show service-protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 242
show service-tcp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 243
show service-udp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 243
show services-icmp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 243
show services-protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 244
show services-tcp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 244
show services-udp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 244
show snmp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 244
show snmp traps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 246
show snmp traps enabled-traps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 246
show snmp traps receivers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 246
show snmp users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247
show snmp-general-all . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247
show static-routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247
show static-routes table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247
show streaming-engine-settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247
show switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 248
show switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249
show threat-prevention anti-bot engine . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249
show threat-prevention anti-bot policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249
show threat-prevention anti-bot user-check ask . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 250
show threat-prevention anti-bot user-check block . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 250
show threat-prevention anti-virus engine . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 250
show threat-prevention anti-virus file-type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 250
show threat-prevention anti-virus file-types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251
show threat-prevention anti-virus policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251
show threat-prevention anti-virus user-check ask . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251
show threat-prevention anti-virus user-check block . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 252
show threat-prevention exception . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 252
show threat-prevention exception position . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 252
show threat-prevention exceptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 252
show threat-prevention infected-hosts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 253
show threat-prevention ips custom-default-policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 253

show threat-prevention ips network-exception . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 253
show threat-prevention ips network-exceptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254
show threat-prevention ips policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254
show threat-prevention ips protection-action-override . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254
show threat-prevention policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 255
show threat-prevention whitelist files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 255
show threat-prevention whitelist urls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 256
show threat-prevention-advanced . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 256
show ui-settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 256
show usb-modem-watchdog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 257
show user-awareness . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 257
show user-awareness browser-based-authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 257
show vpn . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 258
show vpn remote-access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 258
show vpn remote-access advanced . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 259
show vpn site-to-site . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 259
show vpn sites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 260
show vpn tunnels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 260
show wlan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 260
show wlan radio . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261
show wlan statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261
show wlan vaps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261
show wlan vaps statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 262
update security-blades . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 262

add access-rule type incoming-internal-and-vpn
Description Firewall rule base
Syntax add access-rule type incoming-internal-and-vpn [ action <action> ] [ log

<log> ] [ source <source> ] [ source-negate <source-negate> ] [ destination
<destination> ] [ destination-negate <destination-negate> ] [ service
<service> ] [ service-negate <service-negate> ] [ disabled <disabled>
] [ comment <comment> ] [ hours-range-enabled { true hours-range-from
<hours-range-from> hours-range-to <hours-range-to> | false } ] [ { position
<position> | position-above <position-above> | position-below <position-below>
} ] [ name <name> ] [ vpn <vpn> ]
Parameters
Parameter Description
The action taken when there is a match on the rule
action
Options: block, accept, ask, inform, block-inform
Description of the rule
comment Type: A string that contains less than 257 characters, of this set: 0-9, a-z or , . -
: () @
destination Network object that is the target of the connection
If true, the destination is all traffic except what is defined in the destination field
destination-negate
Type: Boolean (true/false)
Indicates if the rule is disabled
disabled
If true, time is configured
hours-range-enabled
Time in the format HH:MM
hours-range-from
Type: A time format hh:mm
hours-range-to
Defines which logging method to use: None - do not log, Log - Create log, Alert
log - log with alert, Account - account rule
Options: none, log, alert, account
name
name
Type: A string of alphanumeric characters without space between them
The order of the rule in comparison to other manual rules
position
Type: Decimal number
position-above
position-below
service The network service object that the rule should match to
If true, the service is everything except what is defined in the service field
service-negate
source Network object or user group that initiates the connection
If true, the source is all traffic except what is defined in the source field
source-negate
Indicates if traffic is matched on encrypted traffic only or all traffic
vpn
Example add access-rule type incoming-internal-and-vpn action block log none

source TEXT source-negate true destination TEXT destination-negate true
service TEXT service-negate true disabled true comment This is a comment.
hours-range-enabled true hours-range-from 23:20 hours-range-to 23:20 position
2 name word vpn true
Output Failure shows an appropriate error message.

add access-rule type outgoing
Syntax add access-rule type outgoing [ action <action> ] [ log <log> ] [ source
<source> ] [ source-negate <source-negate> ] [ destination <destination>
] [ destination-negate <destination-negate> ] [ service <service> ] [
service-negate <service-negate> ] [ disabled <disabled> ] [ comment
<comment> ] [ hours-range-enabled { true hours-range-from <hours-range-from>
hours-range-to <hours-range-to> | false } ] [ { position <position> |
position-above <position-above> | position-below <position-below> } ] [
name <name> ] [ { [ application-name <application-name> ] | [ application-id
<application-id> ] } ] [ application-negate <application-negate>
] [ limit-application-download { true limit <limit> | false } ] [
limit-application-upload { true limit <limit> | false } ]
Parameters
action
application-id Applications or web sites that are accepted or blocked
application-name Applications or web sites that are accepted or blocked
If true, the rule accepts or blocks all applications but the selected application
application-negate
: () @
destination-negate
disabled
hours-range-enabled
hours-range-from
hours-range-to
Applications traffic upload limit (in kbps)
limit
Type: A number with no fractional part (integer)
If true, download is limited
limit-application-
download
If true, upload is limited
limit-application-
upload
name
name
position
position-above
position-below
service-negate

source-negate
Example add access-rule type outgoing action block log none source TEXT
source-negate true destination TEXT destination-negate true service
TEXT service-negate true disabled true comment This is a comment.
hours-range-enabled true hours-range-from 23:20 hours-range-to 23:20
position 2 name word application-name hasOne application-negate true
limit-application-download true limit -1000000 limit-application-upload true
limit -1000000
add ad-server
Description Active directory server object
Syntax add ad-server domain <domain> ipv4-address <ipv4-address> username

<username> password <password> user-dn <user-dn> use-branch-path { true
branch-path <branch-path> | false }
Parameters
The branch of the domain to be used
branch-path
Type: An LDAP DN
Domain name
domain
Type: Host name
ipv4-address Domain controller IP address
The user’s password
password
Type: A string that contains alphanumeric and special characters
Select only if you want to use only part of the user database defined in the Active
use-branch-path Directory
FQDN of the user
user-dn
Type: An LDAP DN
A user name with administrator privileges to communicate with the AD server
username
Type: A string that contains (0-9, a-z, - . @) up to 64 characters without spaces
Example add ad-server domain myHost.com ipv4-address 192.168.1.1 username admin

password a(ˆ
&7Ba user-dn cn=John Doe,dc=example,dc=com use-branch-path true
branch-path cn=John Doe,dc=example,dc=com
add address-range
Description Address range object
Syntax add address-range name <name> start-ipv4 <start-ipv4> end-ipv4 <end-ipv4> [

dhcp-exclude-ip-addr <dhcp-exclude-ip-addr> ]

Parameters

Indicates if the object’s IP address(es) is excluded from internal DHCP daemon
dhcp-exclude-ip-addr
Options: on, off
end-ipv4 The end of the IP range
Network Object name
name
Type: String
start-ipv4 The beginning of the IP range
Example add address-range name TEXT start-ipv4 192.168.1.1 end-ipv4 192.168.1.1

dhcp-exclude-ip-addr on
add admin-access-ipv4-address
Administrator access IP addresses
Description Administrator access IP addresses
Syntax add admin-access-ipv4-address single-ipv4-address <single-ipv4-address>
Parameters
IP address
single-ipv4-address
Type: IP address
Example add admin-access-ipv4-address single-ipv4-address 192.168.1.1
Syntax add admin-access-ipv4-address network-ipv4-address <network-ipv4-address> {

subnet-mask <subnet-mask> | [ mask-length <mask-length> ] }
Parameters
Subnet mask length
mask-length
Type: A string that contains numbers only
IP address
network-ipv4-address
Type: IP address
Subnet mask
subnet-mask
Type: Subnet mask
Example add admin-access-ipv4-address network-ipv4-address 192.168.1.1 subnet-mask

255.255.255.0

add administrator
Description Configured administrator for the appliance
Syntax add administrator username <username> [ password-hash <password-hash> ]

permission <permission>
Parameters
Virtual field used for calculating a hashed password
password-hash
Type: An encrypted password
Indicates if the administrator has read-only permissions
permission
Options: read-write, readonly
Indicates the administrator user name
username
Type: A string that contains [A-Z], [0-9], and ’_’ characters
Example add administrator username admin password-hash TZXPLs20bN0RA permission

read-write
add antispam allowed-sender
List of allowed IP addresses, email addresses (senders) and domains for Anti-Spam blade

Description List of allowed IP addresses, email addresses (senders) and domains for Anti-Spam blade
Syntax add antispam allowed-sender ipv4-addr <ipv4-addr>
Parameters
Anti-Spam allowed IP address
ipv4-addr
Type: IP address
Example add antispam allowed-sender ipv4-addr 192.168.1.1


Syntax add antispam allowed-sender sender-or-domain <sender-or-domain>
Parameters

Anti-Spam allowed domain or sender
sender-or-domain
Type: A domain name or email address
Example add antispam allowed-sender sender-or-domain myEmail@mail.com
add antispam blocked-sender
List of blocked IP addresses, email addresses (senders) and domains for Anti-Spam blade

Description List of blocked IP addresses, email addresses (senders) and domains for Anti-Spam blade
Syntax add antispam blocked-sender ipv4-addr <ipv4-addr>
Parameters
Anti-Spam blocked IP address
ipv4-addr
Type: IP address
Example add antispam blocked-sender ipv4-addr 192.168.1.1

Syntax add antispam blocked-sender sender-or-domain <sender-or-domain>
Parameters
Anti-Spam blocked domain or sender
sender-or-domain
Example add antispam blocked-sender sender-or-domain myEmail@mail.com
add application
Database of user-defined URLs

add application
Description Database of user-defined URLs
Syntax add application application-name <application-name> category <category> [

regex-url <regex-url> ] application-url <application-url>
Parameters
Application name
application-name
Type: URL
application-url Contains the URLs related to this application
The primary category for the application (the category which is the most rele-
category
vant)
Indicates if regular expressions are used instead of partial strings
regex-url
Example add application application-name http://somehost.example.com category TEXT

regex-url true application-url http://somehost.example.com
add application
Syntax add application-url <application-url>
Parameters
application-url Application URL
Example add application-url http://somehost.example.com
add application-group
Description User defined application group
Syntax add application-group name <name>
Parameters
Application group name
name Type: A string that begins with a letter and contain up to 32 alphanumeric (0-9,
a-z, _ - . &) characters without spaces
Example add application-group name users

add bridge
Description Bridge configured in the device
Syntax add bridge [ name <name> ]
Parameters
Bridge name
name
Type: A bridge name can be br0-9
Example add bridge name br7
add group
Description Network Objects Group model
Syntax add group name <name> [ comments <comments> ] [ member <member> ]
Parameters
Comments and explanation about the Network Object group
comments Type: A string that contains less than 257 characters, of this set: 0-9, a-z or , . -
: () @
member An association field to the contained network objects
Network Object group name
a-z, _ - .) characters without spaces
Example add group name myObject_17 comments This is a comment. member TEXT
add host
Syntax add host name <name> [ dhcp-exclude-ip-addr { on [ dhcp-reserve-ip-addr-to-mac

{ on mac-addr <mac-addr> | off } ] | off } ] [ dns-resolving <dns-resolving> ]
ipv4-address <ipv4-address>
Parameters
Type: Press TAB to see available options
Indicates if the IP address is reserved in internal DHCP daemon
dhcp-reserve-ip-addr-
to-mac

Indicates if the name of the server/network object will be used as a hostname
dns-resolving for internal DNS service
ipv4-address The beginning of the IP range
MAC address of the Network Object
mac-addr
Type: MAC address
Network Object name
name
Type: String
Example add host name TEXT dhcp-exclude-ip-addr on dhcp-reserve-ip-addr-to-mac on

mac-addr 00:1C:7F:21:05:BE dns-resolving true ipv4-address 192.168.1.1
add interface
Local network
add interface
Description Local network
Syntax add interface <assignment> vlan <vlan>
Parameters
The switch or bridge which the object belongs to
assignment
Type: A string that contains [A-Z], [0-9], ’_’, ’.’, ’-’ and ’/’ characters
Enter a number that is the virtual identifier
vlan
Example add interface My_Network vlan -1000000
add interface
Syntax add vpn tunnel <vpn tunnel> type { unnumbered peer <peer>
internet-connection <internet-connection> | numbered local <local> remote
<remote> peer <peer> }
Parameters
internet-connection The local interface for unnumbered VTI
Enter the IP address of the interface
local
Type: IP address

Remote peer name as defined in the VPN community. You must define the two
peers in the VPN community before you can define the VTI. The Peer ID is an
peer alpha-numeric character string.
Type: A string that begins with a letter and contains up to 32 alphanumeric (0-9,
a-z, _ -) characters without spaces
Defines the remote peer IPv4 address, used at the peer gateway’s point-to-point
remote virtual interface (numbered VTI only)
Type: IP address
The type of VTI: Numbered VTI that uses a specified, static IPv4 addresses for
local and remote connections, or unnumbered VTI that uses the interface and
type
the remote peer name to get addresses
A number identifying the Virtual Tunnel Interface (VTI)
vpn tunnel
Example add vpn tunnel -1000000 type unnumbered peer site17 internet-connection My
connection
add interface-loopback
Syntax add interface-loopback ipv4-address <ipv4-address> { mask-length

<mask-length> | subnet-mask <subnet-mask> }
Parameters
ipv4-address
Type: IP address
Represents the network’s mask length
mask-length
Enter the Subnet mask of the specified network
subnet-mask
Type: A subnet mask, or 255.255.255.255
Example add interface-loopback ipv4-address 192.168.1.1 mask-length 20
add internet-connection
Internet Connection
Description Internet Connection
Syntax add internet-connection [ name <name> ]
interface {

WAN [ { use-connection-as-vlan } vlan-id <vlan-id> ] type { static
ipv4-address <ipv4-address> { subnet-mask <subnet-mask> | mask-length
<mask-length> } default-gw <default-gw> [ dns-primary <dns-primary>
] [ dns-secondary <dns-secondary> ] [ dns-tertiary <dns-tertiary>
] | l2tp username <username> { password <password> | password-hash
<password-hash> } server <server> [ local-ipv4-address <local-ipv4-address>
] [ wan-ipv4-address <wan-ipv4-address> { wan-subnet-mask <wan-subnet-mask>
| wan-mask-length <wan-mask-length> } default-gw <default-gw> ] | dhcp
| pppoe username <username> { password <password> | password-hash
<password-hash> } | pptp username <username> { password <password> |
password-hash <password-hash> } server <server> [ local-ipv4-address
<local-ipv4-address> ] [ wan-ipv4-address <wan-ipv4-address> {
wan-subnet-mask <wan-subnet-mask> | wan-mask-length <wan-mask-length> }
default-gw <default-gw> ] } [ conn-test-timeout <conn-test-timeout> ] |
ADSL type { pppoa username <username> { password <password> | password-hash
<password-hash> } | pppoe username <username> { password <password>
| password-hash <password-hash> } | eoa } [ conn-test-timeout
<conn-test-timeout> ] |
DMZ [ { use-connection-as-vlan } vlan-id <vlan-id> ] type { static
ipv4-address <ipv4-address> { subnet-mask <subnet-mask> | mask-length
<mask-length> } default-gw <default-gw> [ dns-primary <dns-primary>
] [ dns-secondary <dns-secondary> ] [ dns-tertiary <dns-tertiary>
] | l2tp username <username> { password <password> | password-hash
<password-hash> } server <server> [ local-ipv4-address <local-ipv4-address>
] [ wan-ipv4-address <wan-ipv4-address> { wan-subnet-mask <wan-subnet-mask>
| wan-mask-length <wan-mask-length> } default-gw <default-gw> ] | dhcp
| pppoe username <username> { password <password> | password-hash
<password-hash> } | pptp username <username> { password <password> |
password-hash <password-hash> } server <server> [ local-ipv4-address
<local-ipv4-address> ] [ wan-ipv4-address <wan-ipv4-address> {
wan-subnet-mask <wan-subnet-mask> | wan-mask-length <wan-mask-length> }
default-gw <default-gw> ] } [ conn-test-timeout <conn-test-timeout> ]
Parameters
Connection test timeout
conn-test-timeout
WAN default gateway (in the advanced section of PPTP and l2TP)
default-gw
Type: IP address
First DNS server IP address
dns-primary
Type: IP address
Second DNS server IP address
dns-secondary
Type: IP address
Third DNS server IP address
dns-tertiary
Type: IP address
Interface name
interface
IP address field(for static ip and bridge settings)
ipv4-address
Type: IP address
isVlan
isVlan
Local tunnel IP address or Auto for automatic
local-ipv4-address
Type: An IP address, or ’auto’
Subnet mask length
mask-length

Connection name
name
Type: A string that contains [A-Z], [0-9], ’-’, ’@’, ’.’, ’_’ and space characters
Password for PPP connection or cellular modem settings
password
Type: internetPassword
The hash of the user password
password-hash
Type: passwordHash
Server IP address
server
Type: IP address
Subnet mask
subnet-mask
Connection type
type
User name for PPP connection or cellular modem settings
username Type: A string that contains all printable characters but a single or double quote-
like characters. Usually <username>@<ISP>
VLAN ID
vlan-id
Wan IP address wrapper
wan-ipv4-address
WAN subnet mask length
wan-mask-length
WAN subnet mask(in the advanced section)
wan-subnet-mask
Type: Subnet mask
Example add internet-connection name My connection interface WAN true vlan-id

-1000000 type static ipv4-address 192.168.1.1 subnet-mask 255.255.255.0
default-gw 192.168.1.1 dns-primary 192.168.1.1 dns-secondary 192.168.1.1
dns-tertiary 192.168.1.1 conn-test-timeout -1000000
Syntax add internet-connection type { cellular number <number> [ username

<username> { password <password> | password-hash <password-hash> } ] [ apn
<apn> ] [ conn-test-timeout <conn-test-timeout> ] }
Parameters
APN (cellular modem settings)
apn
Type: A string that contains [a-z], [0-9], ’-’ and ’.’ characters
Connection test timeout
conn-test-timeout
Dialed number of the cellular modem settings
number
Type: A sequence of numbers and #,* characters
password
password-hash
Type: passwordHash
Connection type
type

Example add internet-connection type cellular number 758996 username
MyUsername@MyISP password internetPassword apn my-apn conn-test-timeout
-1000000
add local-group
Description Local Users Group
Syntax add local-group name <name> [ comments <comments> ] [ remote-access-on

<remote-access-on> ]
Parameters
Comments
: () @
Local group name
Indicates if the users group have remote access permissions
remote-access-on
Example add local-group name myObject_17 comments This is a comment.

remote-access-on true
add local-user
Description Configure a local database of users
Syntax add local-user name <name> { password-hash <password-hash> |

password <password> } [ comments <comments> ] [ remote-access-always-on
<remote-access-always-on> ] [ is-temp-user { true expiration-date
<expiration-date> [ expiration-time <expiration-time> ] | false } ]
Parameters
Comments
: () @
Expiration date for a temporary user in format yyyy-mm-dd
expiration-date
Type: A date format yyyy-mm-dd
Expiration time for a temporary user in format HH:MM
expiration-time
Indicates if the user entry is temporary
is-temp-user
User’s name in the local database
name
User’s password in the local database
password

User’s hashed password (used for importing database)
password-hash
Always enable remote access permission for user
remote-access-
always-on
Example add local-user name admin password-hash TZXPLs20bN0RA comments This is

a comment. remote-access-always-on true is-temp-user true expiration-date
2000-01-01 expiration-time 23:20
add nat-rule
Description Manual NAT rules
Syntax add nat-rule [ original-source <original-source> ] [ original-destination

<original-destination> ] [ original-service <original-service> ] [
translated-source <translated-source> ] [ translated-destination
<translated-destination> ] [ translated-service <translated-service> ] [
comment <comment> ] [ hide-sources <hide-sources> ] [ enable-arp-proxy
<enable-arp-proxy> ] [ { position <position> | position-above <position-above>
| position-below <position-below> } ] [ name <name> ]
Parameters
Comment for manual NAT rule
: () @
The gateway will reply to ARP requests sent to the original destination’s IP ad-
enable-arp-proxy dress (Does not apply to IP ranges/networks)
Hide multiple sources behind the translated source addresses
hide-sources
name
name
original-destination Original destination of rule
original-service Original service of rule
original-source Original source of rule
position
position-above
position-below
translated-destination Translated destination of rule
translated-service Translated service of rule
translated-source Translated source of rule
Example add nat-rule original-source TEXT original-destination TEXT

original-service TEXT translated-source TEXT translated-destination TEXT
translated-service TEXT comment This is a comment. hide-sources true
enable-arp-proxy true position 2 name word

add netflow collector
Description Netflow object table
Syntax add netflow collector ip <ip> port <port> export-format <export-format> [

srcaddr <srcaddr> ] is-enabled <is-enabled>
Parameters
Export format
export-format
Options: Netflow_V9, Netflow_V5
IP address
ip
Type: IP address
Indicates if netflow is enabled
is-enabled
UDP port
port
Type: Port number
Source IP address
srcaddr
Type: IP address
Example add netflow collector ip 192.168.1.1 port 8080 export-format Netflow_V9

srcaddr 192.168.1.1 is-enabled true
add network
Syntax add network name <name> network-ipv4-address <network-ipv4-address> {

subnet-mask <subnet-mask> | mask-length <mask-length> }
Parameters
mask-length Mask length
Network Object name
name
Type: String
network-ipv4-address Network address
subnet-mask IP mask used in the related network
Example add network name TEXT network-ipv4-address 172.16.10.0 subnet-mask

255.255.255.0
add qos-rule
Description QoS rule base rule configuration
Syntax add qos-rule [ source <source> ] [ destination <destination> ] [

service <service> ] [ { [ low-latency-rule { normal [ limit-bandwidth

<limit-bandwidth> [ limit-percentage <limit-percentage> ] ] [
guarantee-bandwidth <guarantee-bandwidth> [ guarantee-percentage
<guarantee-percentage> ] ] | low } ] | [ limit-bandwidth <limit-bandwidth>
[ limit-percentage <limit-percentage> ] ] [ guarantee-bandwidth
<guarantee-bandwidth> [ guarantee-percentage <guarantee-percentage> ] ] }
] [ weight <weight> ] [ log <log> ] [ comment <comment> ] [ vpn <vpn> ] [
hours-range-enabled { true hours-range-from <hours-range-from> hours-range-to
<hours-range-to> | false } ] [ diffserv-mark { true diffserv-mark-val
<diffserv-mark-val> | false } ] [ name <name> ] [ { position <position> |
position-above <position-above> | position-below <position-below> } ]
Parameters
: () @
DiffServ Mark is a way to mark connections so a third party will handle it. To use
diffserv-mark this option, your ISP or private WAN must support DiffServ
To mark packets that will be given priority on the public network according to
their DSCP, select DiffServ Mark (1-63) and select a value. You can get the
diffserv-mark-val
DSCP value from your ISP or private WAN administrator
If true, traffic guarantee is defined
guarantee-bandwidth
Traffic guarantee percentage
guarantee-percentage
hours-range-enabled
hours-range-from
hours-range-to
If true, traffic limit is defined
limit-bandwidth
Traffic limit percentage
limit-percentage
Defines which logging method to use: None - do not log, Log - Create log
log
Options: none, log
The latency of the rule (low or normal)
low-latency-rule
name
name
position
position-above
position-below
vpn
Traffic weight, relative to the weights defined for other rules
weight
Example add qos-rule source TEXT destination TEXT service TEXT low-latency-rule
normal limit-bandwidth true limit-percentage -1000000 guarantee-bandwidth

true guarantee-percentage -1000000 weight -1000000 log none comment This
is a comment. vpn true hours-range-enabled true hours-range-from 23:20
hours-range-to 23:20 diffserv-mark true diffserv-mark-val -1000000 name word
position 2
add server
Description Server network object
Syntax add server name <name> ipv4-address <ipv4-address> [ dhcp-exclude-ip-addr

{ on [ dhcp-reserve-ip-addr-to-mac { on mac-addr <mac-addr> | off } ] |
off } ] [ comments <comments> ] [ dns-resolving <dns-resolving> ] type
{ web-server | ftp-server | citrix-server | pptp-server | mail-server |
dns-server | custom-server [ tcpProtocol <tcpProtocol> [ tcp-ports <tcp-ports>
] udpProtocol <udpProtocol> [ udp-ports <udp-ports> ] ] }
Parameters
Comments
: () @
Indicates if the internal DHCP service will not distribute the configured IP ad-
dhcp-exclude-ip-addr dress of this server/network object to anyone
Indicates if the internal DHCP service will distribute the configured IP address
dhcp-reserve-ip-addr- only to this server/network object according to its MAC address
to-mac Type: Press TAB to see available options
MAC address of the server
mac-addr
Type: MAC address
Server object name
TCP ports for server of type ’other’
tcp-ports
Type: Port range
tcpProtocol
tcpProtocol
UDP ports for server of type ’other’
udp-ports
Type: Port range
udpProtocol
udpProtocol
Example add server name myObject_17 ipv4-address 192.168.1.1 dhcp-exclude-ip-addr

on dhcp-reserve-ip-addr-to-mac on mac-addr 00:1C:7F:21:05:BE comments This is
a comment. dns-resolving true type web-server

add service-group
Description A group of services
Syntax add service-group name <name> [ comments <comments> ] [ member <member> ]
Parameters
Comments and explanation about the Service Group
: () @
member An association field for the contained services
Service Group name
Example add service-group name myObject_17 comments This is a comment. member TEXT
add service-icmp
Description Service objects
Syntax add service-icmp name <name> icmp-code <icmp-code> icmp-type <icmp-type> [

comments <comments> ]
Parameters
Comments and explanation about the service
: () @
ICMP code
icmp-code
ICMP message type
icmp-type
Service name
name
Type: String
Example add service-icmp name TEXT icmp-code -1000000 icmp-type -1000000 comments
This is a comment.
add service-protocol

Syntax add service-protocol name <name> ip-protocol <ip-protocol> [ comments
<comments> ]
Parameters

: () @
IP Protocol number
ip-protocol
Service name
name
Type: String
Example add service-protocol name TEXT ip-protocol -1000000 comments This is a

comment.
add service-tcp
Syntax add service-tcp name <name> port <port> [ comments <comments> ]
Parameters
: () @
Service name
name
Type: String
Destination ports (a comma separated list of ports/ranges)
port
Type: Port range
Example add service-tcp name TEXT port 8080-8090 comments This is a comment.
add service-udp
Syntax add service-udp name <name> port <port> [ comments <comments> ]
Parameters
: () @
Service name
name
Type: String
port
Type: Port range
Example add service-udp name TEXT port 8080-8090 comments This is a comment.

add snmp
Configured destinations to receive traps sent by the SNMP agent, a trap is an SNMP agent’s way of notifying the
manager that something is wrong
add snmp
Description Configured destinations to receive traps sent by the SNMP agent, a trap is an SNMP agent’s way of
notifying the manager that something is wrong
Syntax add snmp traps-receiver <traps-receiver> version { v2 community <community>

| v3 user <user> }
Parameters
Community name of the receivers trap, public is default for version2 users
community
Receivers IP address that the trap associated with
traps-receiver
Type: IP address
user SNMP version3 Defined users
SNMP Version number, options are: v2 or v3
version
Example add snmp traps-receiver 192.168.1.1 version v2 community word
add snmp
Description SNMP version3 user configuration options for: security level, authentication settings and passwords
Syntax add snmp user <user> security-level { true auth-pass-type <auth-pass-type>

auth-pass-phrase <auth-pass-phrase> privacy-pass-type <privacy-pass-type>
privacy-pass-phrase <privacy-pass-phrase> | false auth-pass-type
<auth-pass-type> auth-pass-phrase <auth-pass-phrase> }
Parameters
Authentication password for the SNMP version3 user
auth-pass-phrase
Authentication protocol type for the version3 user, options are: MD5 or SHA1
auth-pass-type
Options: MD5, SHA1
Privacy password chosen by the version3 user in case privacy is set
privacy-pass-phrase
Privacy protocol type for the version3 user, options are: AES or DES
privacy-pass-type
Options: AES, DES
Does Privacy protocol for this version3 user was set in the security level
security-level
version3 user name
user

Example add snmp user admin security-level true auth-pass-type MD5 auth-pass-phrase
a(ˆ
&7Ba privacy-pass-type AES privacy-pass-phrase a(ˆ
&7Ba
add static-route
Description Static routes
Syntax add static-route [ source <source> ] [ service <service> ] [ destination

<destination> ] [ nexthop gateway { logical <logical> | ipv4-address
<ipv4-address> } ] [ metric <metric> ]
Parameters
IP address and subnet length of the destination of the packet in the format
destination IP/subnet. e.g. 192.168.0.0/16
Type: An IP address with a mask length
Metric
metric
Route service name
service
Type: String
IP address and subnet length of the source of the packet in the format IP/subnet.
source e.g. 192.168.1.0/24
Example add static-route source 172.15.47.0/24 service TEXT destination

172.15.47.0/24 nexthop gateway logical My_Network metric -1000000
add switch
Description Switch
Syntax add switch name <name>
Parameters
Name
name
Type: A switch name can be LAN[1-8]_Switch
Example add switch name LAN2_Switch
add threat-prevention anti-virus file-type
Description Manage Anti-Virus policy per file type

Syntax add threat-prevention anti-virus file-type extension <extension> [ action
<action> ] [ description <description> ]
Parameters
Indicates the action when the file type is detected
action
Options: block, pass, scan
The file description
description Type: A string that contains less than 257 characters, of this set: 0-9, a-z or , . -
: () @
File extension that represents this file type
extension Type: A string that contains less than 257 characters, of this set: 0-9, a-z or , . -
: () @
Example add threat-prevention anti-virus file-type extension This is a comment.

action block description This is a comment.
add threat-prevention exception
Description Malware exceptions
Syntax add threat-prevention exception [ comment <comment> ] [ scope <scope> ]

protection <protection> action <action> log <log> [ name <name> ]
Parameters
action
Options: ask, prevent, detect, inactive
Additional description for the exception
: () @
The logging method used when there is a match on the rule: None - do not log,
log Log - Create log, Alert - log with alert
Options: none, log, alert
The name of the exception
name
The blade to which the exception applies: Anti-Virus and Anti-Bot (malware),
protection Anti-Virus (antivirus) or Anti-Bot (antibot)
Options: any, any-ab, any-av
scope IP address, network object or user group that the exception applies to
Example add threat-prevention exception comment This is a comment. scope TEXT

protection any action ask log none name word
add threat-prevention ips network-exception
Configure exception rules to bypass IPS protections for specific traffic

Description Configure exception rules to bypass IPS protections for specific traffic
Syntax add threat-prevention ips network-exception protection-name

<protection-name> [ destination <destination> ] [ destination-negate
<destination-negate> ] [ service <service> ] [ service-negate <service-negate>
] [ source <source> ] [ source-negate <source-negate> ] [ comment <comment> ]
Parameters
Comment on the IPS Network exception
: () @
destination-negate
protection-name Indicates if the exception rule will be matched on all IPS protections or a specific
one
service Type of network service that is under exception
service-negate
source-negate
Example add threat-prevention ips network-exception protection-name word

destination TEXT destination-negate true service TEXT service-negate true
source TEXT source-negate true comment This is a comment.

Syntax add threat-prevention ips network-exception [ protection-code

<protection-code> ] [ destination <destination> ] [ destination-negate
<destination-negate> ] [ service <service> ] [ service-negate <service-negate>
] [ source <source> ] [ source-negate <source-negate> ] [ comment <comment> ]
Parameters
: () @
destination-negate
protection-code Indicates if the exception rule will be matched on all IPS protections or a specific
one
service-negate
source-negate

Example add threat-prevention ips network-exception protection-code -1000000
destination TEXT destination-negate true service TEXT service-negate true
add threat-prevention whitelist type-file
Description Threat prevention whitelist file
Syntax add threat-prevention whitelist type-file md5 <md5>

Parameters
MD5 encryption for the file in the whitelist
md5 Type: MD5 checksum of a file. Contains only [a-f] and [0-9] characters and of
exact length of 32
Example add threat-prevention whitelist type-file md5 d41d8cd98f00b204e9800998ecf8427e
add threat-prevention whitelist type-url
Description Threat Prevention whitelist URL
Syntax add threat-prevention whitelist type-url url <url>
Parameters
URL
url
Type: URL
Example add threat-prevention whitelist type-url url http://somehost.example.com
add vpn site
Description Configure remote VPN sites

Syntax add vpn site name <name>
remote-site-link-selection {
host-name remote-site-host-name <remote-site-host-name> auth-method

{ preshared-secret password <password> [ enabled <enabled>
] [ remote-site-enc-dom-type <remote-site-enc-dom-type>
] [ enc-profile <enc-profile> ] [ phase1-reneg-interval
<phase1-reneg-interval> ] [ phase2-reneg-interval <phase2-reneg-interval>

] [ enable-perfect-forward-secrecy { true [ phase2-dh <phase2-dh> ] |
false } ] [ is-check-point-site { true [ enable-permanent-vpn-tunnel
<enable-permanent-vpn-tunnel> ] | false } ] [ disable-nat <disable-nat>
] [ aggressive-mode-enabled { true aggressive-mode-DH-group
<aggressive-mode-DH-group> [ { aggressive-mode-enable-peer-id {
true aggressive-mode-peer-id-type <aggressive-mode-peer-id-type>
aggressive-mode-peer-id <aggressive-mode-peer-id> | false } |
aggressive-mode-enable-gateway-id { true aggressive-mode-gateway-id-type
<aggressive-mode-gateway-id-type> aggressive-mode-gateway-id
<aggressive-mode-gateway-id> | false } } ] | false } ] [ enc-method
<enc-method> ] [ use-trusted-ca <use-trusted-ca> ] [ match-cert-ip
<match-cert-ip> ] [ match-cert-dn { true match-cert-dn-string
<match-cert-dn-string> | false } ] [ match-cert-e-mail { true
match-cert-e-mail-string <match-cert-e-mail-string> | false } ]
[ link-selection-probing-method <link-selection-probing-method>
] | certificate [ enabled <enabled> ] [ remote-site-enc-dom-type
<remote-site-enc-dom-type> ] [ enc-profile <enc-profile> ] [
phase1-reneg-interval <phase1-reneg-interval> ] [ phase2-reneg-interval
<phase2-reneg-interval> ] [ enable-perfect-forward-secrecy { true
[ phase2-dh <phase2-dh> ] | false } ] [ is-check-point-site { true
[ enable-permanent-vpn-tunnel <enable-permanent-vpn-tunnel> ] |
false } ] [ disable-nat <disable-nat> ] [ aggressive-mode-enabled
{ true aggressive-mode-DH-group <aggressive-mode-DH-group> [ {
aggressive-mode-enable-peer-id { true aggressive-mode-peer-id-type
<aggressive-mode-peer-id-type> aggressive-mode-peer-id
<aggressive-mode-peer-id> | false } | aggressive-mode-enable-gateway-id
{ true aggressive-mode-gateway-id-type <aggressive-mode-gateway-id-type>
aggressive-mode-gateway-id <aggressive-mode-gateway-id> | false
} } ] | false } ] [ enc-method <enc-method> ] [ use-trusted-ca
<use-trusted-ca> ] [ match-cert-ip <match-cert-ip> ] [ match-cert-dn { true
match-cert-dn-string <match-cert-dn-string> | false } ] [ match-cert-e-mail
{ true match-cert-e-mail-string <match-cert-e-mail-string> | false } ] [
link-selection-probing-method <link-selection-probing-method> ] } |
ip-address remote-site-ip-address <remote-site-ip-address> is-site-behind-static-nat
{ true static-nat-ip <static-nat-ip> auth-method { preshared-secret
password <password> [ enabled <enabled> ] [ remote-site-enc-dom-type
{ true match-cert-e-mail-string <match-cert-e-mail-string> | false
} ] [ link-selection-probing-method <link-selection-probing-method>

{ true match-cert-e-mail-string <match-cert-e-mail-string> | false }
] [ link-selection-probing-method <link-selection-probing-method> ] }
| false auth-method { preshared-secret password <password> [ enabled
<enabled> ] [ remote-site-enc-dom-type <remote-site-enc-dom-type>
link-selection-probing-method <link-selection-probing-method> ] } } |
load-sharing link-selection-multiple-addrs addr <link-selection-multiple-addrs
addr> auth-method { preshared-secret password <password> [ enabled

high-availability link-selection-multiple-addrs addr <link-selection-multiple-addrs
addr> auth-method { preshared-secret password <password> [ enabled

connection-initiated-only-from-remote-site auth-method { preshared-secret
password <password> [ enabled <enabled> ] [ remote-site-enc-dom-type
{ true match-cert-e-mail-string <match-cert-e-mail-string> | false
} ] [ link-selection-probing-method <link-selection-probing-method>
link-selection-probing-method <link-selection-probing-method> ] }
Parameters

aggressive-mode-DH- determine the strength of the key when aggressive mode is enabled
group
Indicates if gateway ID matching will be used. This adds a layer of security to
aggressive-mode- aggressive mode
enable-gateway-id Type: Boolean (true/false)
Indicates if peer ID matching will be used. This adds a layer of security to
enable-peer-id Type: Boolean (true/false)
Indicates if Aggressive mode, a less secure negotiation protocol compared to
main mode, is used. It is less recommended if the remote site supports IPSec
aggressive-mode-
main mode
enabled
The gateway ID that will be used for matching when configured to
aggressive-mode-
Type: vpnAggressiveModePeerId
gateway-id
Indicates the type of gateway ID that will be used for matching when configured
aggressive-mode-
Options: domain-name, user-name
gateway-id-type
The peer ID that will be used for matching when configured to
aggressive-mode-
peer-id
Indicates the type of peer ID that will be used for matching when configured
aggressive-mode-
peer-id-type
Indicates the type of authentication used when connecting to the remote site
auth-method
Disable NAT for traffic to/from the remote site. Useful when one of the internal
disable-nat networks contains a server
Ensures that a session key will not be compromised if one of the (long-term)
enable-perfect- private keys is compromised in the future.
forward-secrecy Type: Boolean (true/false)
VPN Tunnels are constantly kept active and as a result, make it easier to recog-
enable-permanent- nize malfunctions and connectivity problems
vpn-tunnel Type: Boolean (true/false)
Indicates whether or not the remote site is enabled
enabled
Indicates which encryption method is used
enc-method
Options: ike-v1, ike-v2, prefer-ike-v2
Encryption profile (one of predefined profiles or custom)
enc-profile
Type: virtual
Enable if the remote site is connected through a Check Point Security Gateway
is-check-point-site
Indicates if the remote site is behind static NAT
is-site-behind-static-
nat
link-selection-multiple- IP address
addrs addr
The type of probing used for link selection when multiple IP addresses are con-
link-selection-probing- figured for the remote site
method Options: ongoing, one-time
Indicates if certificate matching should match the DN string in the certificate to
match-cert-dn the configured DN string
Indicates the configured DN string for certificate matching
match-cert-dn-string
Type: String
Indicates if certificate matching should match the E-mail string in the certificate
match-cert-e-mail to the configured E-mail string

Indicates the configured E-mail string for certificate matching
match-cert-e-mail-
Type: Email address
string
Indicates if certificate matching should match IP address in the certificate to the
match-cert-ip site’s IP address
Site name
name Type: A string that begins with a letter and contains up to 32 alphanumeric (0-9,
Preshared secret (minimum 6 characters) to be used when authentication
password method is configured as such
Type: vpnPassword
The period, in minutes, between each IKE SA renegotiation
phase1-reneg-interval
Determine the strength of the key used for the IPsec (Phase 2) key exchange
phase2-dh process. The higher the group number, the stronger and more secure the key
is.
The period, in seconds, between each IPSec SA renegotiation
The method of defining the remote site’s encryption domain
remote-site-enc-dom- Options: manually-defined-enc-dom, route-all-traffic-to-site, route-based-vpn,
type enc-dom-hidden-behind-remote-site
Indicates the host name of the remote site
remote-site-host-
Type: An IP address or host name
name
Indicates the IP address of the remote site
remote-site-ip-
Type: IP address
address
Indicates the method of determining the destination IP address/s of the remote
remote-site-link- site
selection Type: Press TAB to see available options
Indicates an external routable IP address via static NAT used by the remote site
static-nat-ip
Type: IP address
Indicates if a specific trusted CA is used for matching the remote site’s certificate
use-trusted-ca
or all configured trusted CAs
Example add vpn site name site17 remote-site-link-selection host-name

remote-site-host-name myHost.com auth-method preshared-secret password
vpnPassword enabled true remote-site-enc-dom-type manually-defined-enc-dom
enc-profile virtual phase1-reneg-interval -1000000 phase2-reneg-interval
-1000000 enable-perfect-forward-secrecy true phase2-dh word
is-check-point-site true enable-permanent-vpn-tunnel true disable-nat
true aggressive-mode-enabled true aggressive-mode-DH-group word
aggressive-mode-enable-peer-id true aggressive-mode-peer-id-type domain-name
aggressive-mode-peer-id vpnAggressiveModePeerId enc-method ike-v1
use-trusted-ca TEXT match-cert-ip true match-cert-dn true match-cert-dn-string
TEXT match-cert-e-mail true match-cert-e-mail-string MyEmail@mail.com
link-selection-probing-method ongoing enabled true remote-site-enc-dom-type
manually-defined-enc-dom enc-profile virtual phase1-reneg-interval
-1000000 phase2-reneg-interval -1000000 enable-perfect-forward-secrecy
true phase2-dh word is-check-point-site true enable-permanent-vpn-tunnel
true disable-nat true aggressive-mode-enabled true aggressive-mode-DH-group
word aggressive-mode-enable-peer-id true aggressive-mode-peer-id-type
domain-name aggressive-mode-peer-id vpnAggressiveModePeerId enc-method
ike-v1 use-trusted-ca TEXT match-cert-ip true match-cert-dn true
match-cert-dn-string TEXT match-cert-e-mail true match-cert-e-mail-string
MyEmail@mail.com link-selection-probing-method ongoing auth-method
preshared-secret password vpnPassword enabled true remote-site-enc-dom-type

domain-name aggressive-mode-peer-id vpnAggressiveModePeerId enc-method ike-v1
link-selection-probing-method ongoing enabled true remote-site-enc-dom-type
link-selection-probing-method ongoing
add wlan vap
Description Virtual Access Point
Syntax add wlan vap ssid <ssid>
Parameters
Wireless network name (SSID)
ssid
Type: A string that contains [A-Z], [0-9], ’_’, ’.’, ’-’ and space characters
Example add wlan vap ssid My wireless
connect security-management
Description Security management settings
Syntax connect security-management mgmt-addr <mgmt-addr> use-one-time-password

<use-one-time-password> local-override-mgmt-addr { true send-logs-to {
local-override-log-server-addr addr <addr> | local-override-mgmt-addr } |
false }
Parameters
The logs are sent to this address
addr
Indicates if the management address used in the next manual fetch command
will be saved and continuously used instead of the address downloaded in the
local-override-mgmt-
policy
addr

The IP address or hostname of the security management server
mgmt-addr
Indicates from where the address of the log server is taken
send-logs-to
Indicates whether to connect to the security management server using a one
use-one-time- time password
password Type: Boolean (true/false)
Example connect security-management mgmt-addr myHost.com use-one-time-password true

local-override-mgmt-addr true send-logs-to local-override-log-server-addr addr
myHost.com
delete access-rule type incoming-internal-and-vpn
Firewall rule base

Syntax delete access-rule type incoming-internal-and-vpn name <name>
Parameters
name
name
Example delete access-rule type incoming-internal-and-vpn name word


Syntax delete access-rule type incoming-internal-and-vpn position <position>

Parameters
position
Example delete access-rule type incoming-internal-and-vpn position 2

delete access-rule type outgoing
Firewall rule base

Syntax delete access-rule type outgoing position <position>
Parameters
position
Example delete access-rule type outgoing position 2

Syntax delete access-rule type outgoing name <name>
Parameters
name
name
Example delete access-rule type outgoing name word

delete ad-server
Syntax delete ad-server <domain>
Parameters
Domain name
domain
Type: Host name
Example delete ad-server myHost.com

delete address-range
Syntax delete address-range <name>
Parameters
Network Object name
name
Type: String
Example delete address-range TEXT
delete admin-access-ipv4-address
Syntax delete admin-access-ipv4-address <ipv4-address>
Parameters
IP address
ipv4-address
Type: IP address
Example delete admin-access-ipv4-address 192.168.1.1
delete administrator

Syntax delete administrator username <username>
Parameters
username
Example delete administrator username admin
delete aggressive-aging
Description Connections aggressive aging

Syntax delete aggressive-aging
Parameters There are no parameters
Example delete aggressive-aging
delete antispam allowed-sender
List of allowed IP addresses, email addresses (senders) and domains for Anti-Spam blade

Syntax delete antispam allowed-sender all
Example delete antispam allowed-sender all

Syntax delete antispam allowed-sender sender-or-domain <sender-or-domain>
Parameters
Anti-Spam allowed domain or sender
sender-or-domain
Example delete antispam allowed-sender sender-or-domain myEmail@mail.com

Syntax delete antispam allowed-sender ipv4-addr <ipv4-addr>
Parameters
Anti-Spam allowed IP address
ipv4-addr
Type: IP address
Example delete antispam allowed-sender ipv4-addr 192.168.1.1

delete antispam blocked-sender
List of blocked IP addresses, email addresses (senders) and domains for Anti-Spam blade

Syntax delete antispam blocked-sender all
Example delete antispam blocked-sender all

Syntax delete antispam blocked-sender sender-or-domain <sender-or-domain>
Parameters
Anti-Spam blocked domain or sender
sender-or-domain
Example delete antispam blocked-sender sender-or-domain myEmail@mail.com

Syntax delete antispam blocked-sender ipv4-addr <ipv4-addr>
Parameters
Anti-Spam blocked IP address
ipv4-addr
Type: IP address
Example delete antispam blocked-sender ipv4-addr 192.168.1.1

delete application
delete application
Syntax delete application application-id <application-id>
Parameters
The ID of the application
application-id
Example delete application application-id -1000000
delete application
Syntax delete application application-name <application-name>
Parameters
Application name
application-name
Type: URL
Example delete application application-name http://somehost.example.com
delete application-group
User defined application group
Syntax delete application-group name <name>
Parameters

Example delete application-group name users
Syntax delete application-group application-group-id <application-group-id>
Parameters
The ID of the application group
application-group-id
Example delete application-group application-group-id -1000000
delete bridge
Syntax delete bridge <name>
Parameters
Bridge name
name
Example delete bridge br7
delete dhcp server interface
Syntax delete dhcp server interface <name> exclude-range
Parameters
Network name
name
Example delete dhcp server interface My_Network exclude-range

delete dns
Configure DNS and Domain settings for the device
delete dns
Description Configure DNS and Domain settings for the device
Syntax delete dns [ primary ipv4-address ]
Example delete dns primary ipv4-address
delete dns
Syntax delete dns [ secondary ipv4-address ]
Example delete dns secondary ipv4-address
delete dns
Syntax delete dns [ tertiary ipv4-address ]
Example delete dns tertiary ipv4-address
delete dns
Syntax delete domainname
Example delete domainname

delete group
Syntax delete group <name>
Parameters
Example delete group myObject_17
delete host
Syntax delete host <name>
Parameters
Network Object name
name
Type: String
Example delete host TEXT
delete interface
Syntax delete interface <name>
Parameters
Network name
name
Example delete interface My_Network

delete interface-loopback
Syntax delete interface-loopback <name>
Parameters
Network name
name
Example delete interface-loopback My_Network
delete internet-connection
Internet Connection
Syntax delete internet-connection <name>
Parameters
Connection name
name
Example delete internet-connection My connection
Syntax delete internet-connection <name> probe-icmp-servers [ first ] [ second ] [

third ]
Parameters
Connection name
name
Example delete internet-connection My connection probe-icmp-servers first second

third

delete internet-connections
Syntax delete internet-connections
Example delete internet-connections
delete local-group
Local Users Group
delete local-group
Syntax delete local-group name <name>
Parameters
Local group name
Example delete local-group name myObject_17
delete local-group
Syntax delete local-group all
Example delete local-group all
delete local-user
Configure a local database of users

delete local-user
Syntax delete local-user name <name>
Parameters
name
Example delete local-user name admin
delete local-user
Syntax delete local-user all
Example delete local-user all
delete nat-rule
Syntax delete nat-rule name <name>
Parameters
name
name
Example delete nat-rule name word

delete nat-rule position
Syntax delete nat-rule position <position>
Parameters
position

Example delete nat-rule position 2
delete netflow collector
Syntax delete netflow collector ip <ip> port <port>
Parameters
IP address
ip
Type: IP address
UDP port
port
Type: Port number
Example delete netflow collector ip 192.168.1.1 port 8080
delete network
Syntax delete network <name>

Parameters
Network Object name
name
Type: String
Example delete network TEXT
delete proxy
Description Configure proxy settings for connecting with Check Point update and license servers
Syntax delete proxy
Example delete proxy

delete qos-rule
QoS rule base rule configuration
delete qos-rule
Syntax delete qos-rule idx <idx>
Parameters
idx
Example delete qos-rule idx 3.141
delete qos-rule
Syntax delete qos-rule name <name>
Parameters
name
name
Example delete qos-rule name word

delete radius-server
Description Users RADIUS server
Syntax delete radius-server priority <priority>
Parameters
Priority of the choose tab, can be primary or secondary
priority
Example delete radius-server priority -1000000

delete server
Syntax delete server <name>
Parameters
Server object name
Example delete server myObject_17
delete service-group
Syntax delete service-group <name>
Parameters
Service Group name
Example delete service-group myObject_17
delete service-icmp
Syntax delete service-icmp <name>
Parameters
Service name
name
Type: String
Example delete service-icmp TEXT

delete service-protocol
Syntax delete service-protocol <name>
Parameters
Service name
name
Type: String
Example delete service-protocol TEXT
delete service-tcp
Syntax delete service-tcp <name>
Parameters
Service name
name
Type: String
Example delete service-tcp TEXT
delete service-udp
Syntax delete service-udp <name>
Parameters
Service name
name
Type: String
Example delete service-udp TEXT

delete snmp
Configured destinations to receive traps sent by the SNMP agent, a trap is an SNMP agent’s way of notifying the
manager that something is wrong
delete snmp
Syntax delete snmp traps-receiver <traps-receiver>
Parameters
traps-receiver
Type: IP address
Example delete snmp traps-receiver 192.168.1.1
delete snmp
Syntax delete snmp user <user>

Parameters
version3 user name
user
Example delete snmp user admin
delete snmp
Description SNMP general configuration options
Syntax delete snmp contact
Example delete snmp contact
delete snmp

Syntax delete snmp location
Example delete snmp location
delete snmp traps-receivers
Syntax delete snmp traps-receivers all
Example delete snmp traps-receivers all
delete snmp users
Syntax delete snmp users all
Example delete snmp users all
delete static-route
Syntax delete static-route <id>
Parameters
id
id
Example delete static-route -1000000

delete static-routes

Syntax delete static-routes
Example delete static-routes
delete streaming-engine-settings
Description Streaming engine settings
Syntax delete streaming-engine-settings

Example delete streaming-engine-settings
delete switch
Description Switch
Syntax delete switch <name>
Parameters
Name
name
Example delete switch LAN2_Switch
delete threat-prevention anti-virus file-type
Syntax delete threat-prevention anti-virus file-type extension <extension>
Parameters
: () @
Example delete threat-prevention anti-virus file-type extension This is a comment.

delete threat-prevention anti-virus file-type custom
Syntax delete threat-prevention anti-virus file-type custom all
Example delete threat-prevention anti-virus file-type custom all
delete threat-prevention exception
Syntax delete threat-prevention exception name <name>
Parameters
name
Example delete threat-prevention exception name word
delete threat-prevention exception position
Syntax delete threat-prevention exception position <position>
Parameters
The order of the rule in comparison to other rules
position
Example delete threat-prevention exception position 2

delete threat-prevention exceptions

Syntax delete threat-prevention exceptions all
Example delete threat-prevention exceptions all

delete threat-prevention ips network-exception

Syntax delete threat-prevention ips network-exception position <position>
Parameters
The order of the rule in the rule base
position
Example delete threat-prevention ips network-exception position 2

Syntax delete threat-prevention ips network-exception all

Example delete threat-prevention ips network-exception all
delete threat-prevention whitelist type-file
Threat prevention whitelist file

Syntax delete threat-prevention whitelist type-file md5 <md5>
Parameters
MD5 encryption for the file in the whitelist
md5 Type: MD5 checksum of a file. Contains only [a-f] and [0-9] characters and of
exact length of 32

Example delete threat-prevention whitelist type-file md5 d41d8cd98f00b204e9800998ecf8427e

Syntax delete threat-prevention whitelist type-file all
Example delete threat-prevention whitelist type-file all
delete threat-prevention whitelist type-url
Threat Prevention whitelist URL

Syntax delete threat-prevention whitelist type-url url <url>
Parameters
URL
url
Type: URL
Example delete threat-prevention whitelist type-url url http://somehost.example.com

Syntax delete threat-prevention whitelist type-url all
Example delete threat-prevention whitelist type-url all
delete ui-settings
Description Web Interface Settings and Customizations

Syntax delete ui-settings
Example delete ui-settings
delete vpn
Syntax delete vpn tunnel <tunnel>
Parameters
tunnel
Example delete vpn tunnel -1000000
delete vpn site
Configure remote VPN sites
delete vpn site

Syntax delete vpn site name <name>
Parameters
Site name
Example delete vpn site name site17
delete vpn site

Syntax delete vpn site all

Example delete vpn site all
delete wlan
Syntax delete wlan vap <vap>
Parameters
The name of the Virtual Access Point
vap
Example delete wlan vap My_Network

delete wlan vaps

Syntax delete wlan vaps
Example delete wlan vaps
fetch cloud-services policy
Description Cloud Services

Syntax fetch cloud-services policy
Example fetch cloud-services policy
find application
Description Application
Syntax find application <application-name>
Parameters

Application or group name
application-name
Type: String
Example find application TEXT
find threat-prevention ips protection
Description IPS topic view
Syntax find threat-prevention ips protection <name>

Parameters
The name of the IPS topic
name
Example find threat-prevention ips protection word
reconnect cloud-services

Syntax reconnect cloud-services
Example reconnect cloud-services
send cloud-report
Description Cloud report
Syntax send cloud-report type <type>
Parameters
The report type
type
Options: top-last-hour, top-last-day, top-last-week, top-last-month, 3d
Example send cloud-report type top-last-hour

set access-rule type incoming-internal-and-vpn
Firewall rule base

Syntax set access-rule type incoming-internal-and-vpn position <position> [ action

<action> ] [ log <log> ] [ source <source> ] [ source-negate <source-negate>
] [ destination <destination> ] [ destination-negate <destination-negate> ] [
service <service> ] [ service-negate <service-negate> ] [ disabled <disabled>
Parameters
action
: () @
destination-negate
disabled
hours-range-enabled
hours-range-from
hours-range-to
name
name
position
position-above
position-below
service-negate
source-negate
vpn
Example set access-rule type incoming-internal-and-vpn position 2 action block

log none source TEXT source-negate true destination TEXT destination-negate

true service TEXT service-negate true disabled true comment This is a comment.

Syntax set access-rule type incoming-internal-and-vpn name <name> [ action <action>

] [ log <log> ] [ source <source> ] [ source-negate <source-negate> ] [
destination <destination> ] [ destination-negate <destination-negate> ] [
Parameters
action
: () @
destination-negate
disabled
hours-range-enabled
hours-range-from
hours-range-to
name
name
position
position-above
position-below
service-negate
source-negate
vpn
Example set access-rule type incoming-internal-and-vpn name word action block log

none source TEXT source-negate true destination TEXT destination-negate true
set access-rule type outgoing
Firewall rule base

Syntax set access-rule type outgoing position <position> [ action <action>

] [ log <log> ] [ source <source> ] [ source-negate <source-negate> ] [
destination <destination> ] [ destination-negate <destination-negate> ] [
<hours-range-from> hours-range-to <hours-range-to> | false } ] [ {
position <position> | position-above <position-above> | position-below
<position-below> } ] [ name <name> ] [ { [ application-name <application-name>
] | [ application-id <application-id> ] } ] [ application-negate
<application-negate> ] [ limit-application-download { true limit <limit> |
false } ] [ limit-application-upload { true limit <limit> | false } ]
Parameters
action
application-negate
: () @
destination-negate
disabled
hours-range-enabled
hours-range-from
hours-range-to
limit
limit-application-
download

limit-application-
upload
name
name
position
position-above
position-below
service-negate
source-negate
Example set access-rule type outgoing position 2 action block log none
source TEXT source-negate true destination TEXT destination-negate true
limit -1000000

Syntax set access-rule type outgoing name <name> [ action <action> ] [ log
<log> ] [ source <source> ] [ source-negate <source-negate> ] [ destination
<destination> ] [ destination-negate <destination-negate> ] [ service
<service> ] [ service-negate <service-negate> ] [ disabled <disabled>
<hours-range-from> hours-range-to <hours-range-to> | false } ] [ {
position <position> | position-above <position-above> | position-below
<position-below> } ] [ name <name> ] [ { [ application-name <application-name>
] | [ application-id <application-id> ] } ] [ application-negate
<application-negate> ] [ limit-application-download { true limit <limit> |
false } ] [ limit-application-upload { true limit <limit> | false } ]
Parameters
action
application-negate

: () @
destination-negate
disabled
hours-range-enabled
hours-range-from
hours-range-to
limit
limit-application-
download
limit-application-
upload
name
name
position
position-above
position-below
service-negate
source-negate
Example set access-rule type outgoing name word action block log none source
TEXT source-negate true destination TEXT destination-negate true service
TEXT service-negate true disabled true comment This is a comment.
limit -1000000
set ad-server
Syntax set ad-server <domain> [ ipv4-address <ipv4-address> ] [ username <username>

] [ password <password> ] [ user-dn <user-dn> ] [ use-branch-path { true [
branch-path <branch-path> ] | false } ]

Parameters
The branch of the domain to be used
branch-path
Type: An LDAP DN
Domain name
domain
Type: Host name
ipv4-address Domain controller IP address
The user’s password
password
Select only if you want to use only part of the user database defined in the Active
use-branch-path Directory
FQDN of the user
user-dn
Type: An LDAP DN
A user name with administrator privileges to communicate with the AD server
username
Example set ad-server myHost.com ipv4-address 192.168.1.1 username admin password

a(ˆ
&7Ba user-dn cn=John Doe,dc=example,dc=com use-branch-path true branch-path
cn=John Doe,dc=example,dc=com
set additional-hw-settings
Description Additional hardware and operating system settings
Syntax set additional-hw-settings [ reset-timeout <reset-timeout> ]
Parameters
Indicates the amount of time (in seconds) that you need to press and hold the
reset-timeout factory defaults button on the back panel to restore to the factory defaults image
Example set additional-hw-settings reset-timeout -1000000
set address-range
Syntax set address-range <name> [ name <name> ] [ start-ipv4 <start-ipv4> ] [

end-ipv4 <end-ipv4> ] [ dhcp-exclude-ip-addr <dhcp-exclude-ip-addr> ]
Parameters
Options: on, off
end-ipv4 The end of the IP range

Network Object name
name
Type: String
start-ipv4 The beginning of the IP range
Example set address-range TEXT name TEXT start-ipv4 192.168.1.1 end-ipv4

192.168.1.1 dhcp-exclude-ip-addr on
set admin-access
Description Administrator access
Syntax set admin-access [ interfaces { Wireless access <access> | VPN access

<access> | LAN access <access> | any access { allow | block } | WAN access
<access> } ] [ web-access-port <web-access-port> ] [ ssh-access-port
<ssh-access-port> ] [ allowed-ipv4-addresses <allowed-ipv4-addresses> ]
Parameters
Enable administrator access from the Internet (clear traffic from external inter-
access faces)
Administrator access permissions policy for source IP addresses
allowed-ipv4-
Options: any, from-ip-list, any-except-internet
addresses
SSH Port
ssh-access-port
Type: Port number
Web Port (HTTPS)
web-access-port
Type: Port number
Example set admin-access interfaces Wireless access true web-access-port 8080

ssh-access-port 8080 allowed-ipv4-addresses any
set administrator
Configured administrator for the appliance
set administrator
Syntax set administrator username <username> password
Parameters
username

Example set administrator username admin password
set administrator
Syntax set administrator username <username> permission <permission> [

password-hash <password-hash> ]
Parameters
password-hash
permission
username
Example set administrator username admin permission read-write password-hash

TZXPLs20bN0RA
set administrator
Syntax set administrator username <username> password-hash <password-hash> [

permission <permission> ]
Parameters
password-hash
permission
username
Example set administrator username admin password-hash TZXPLs20bN0RA permission

read-write
set administrator session-settings
Description Limit administrators login failure attempts for before locking out for a defined period of time
Syntax set administrator session-settings [ lockout-enable <lockout-enable> ] [
max-lockout-attempts <max-lockout-attempts> ] [ lock-period <lock-period> ] [
inactivity-timeout <inactivity-timeout> ]

Parameters
Allowed web interface session idle time before automatic logout is executed (in
inactivity-timeout minutes)
Once locked out, the administrator will be unable to login for this long
lock-period
Limit administrators login failure attempts
lockout-enable
Options: on, off
The maximum number of consecutive login failure attempts before the adminis-
max-lockout-attempts trator is locked out
Example set administrator session-settings lockout-enable on max-lockout-attempts

-1000000 lock-period -1000000 inactivity-timeout -1000000
set administrators
Description Administrators RADIUS authentication
Syntax set administrators radius-auth { true [ use-radius-groups { true

radius-groups <radius-groups> | false } ] [ permission <permission> ] | false
}
Parameters
Administrators role
permission
Administrators RADIUS authentication
radius-auth
RADIUS groups for authentication. Example: RADIUS-group1, RADIUS-class2
radius-groups
Type: A string that contains [A-Z], [0-9], ’-’, ’@’, ’.’, ’_’, ’,’ and space characters
Use RADIUS groups for authentication
use-radius-groups
Example set administrators radius-auth true use-radius-groups true radius-groups My

group permission read-write
set aggressive-aging
Connections aggressive aging

Syntax set aggressive-aging [ icmp-timeout <icmp-timeout> ] [ icmp-timeout-enable
<icmp-timeout-enable> ] [ other-timeout <other-timeout> ] [
other-timeout-enable <other-timeout-enable> ] [ pending-timeout
<pending-timeout> ] [ pending-timeout-enable <pending-timeout-enable>
] [ tcp-end-timeout <tcp-end-timeout> ] [ tcp-end-timeout-enable
<tcp-end-timeout-enable> ] [ tcp-start-timeout <tcp-start-timeout> ]
[ tcp-start-timeout-enable <tcp-start-timeout-enable> ] [ tcp-timeout
<tcp-timeout> ] [ tcp-timeout-enable <tcp-timeout-enable> ] [
udp-timeout <udp-timeout> ] [ udp-timeout-enable <udp-timeout-enable>
] [ general <general> ] [ log <log> ] [ connt-limit-high-watermark-pct
<connt-limit-high-watermark-pct> ] [ connt-mem-high-watermark-pct
<connt-mem-high-watermark-pct> ] [ memory-conn-status <memory-conn-status> ]
Parameters
Connection table percentage limit
connt-limit-high-
watermark-pct
Memory consumption percentage limit
connt-mem-high-
watermark-pct
Enable aggressive aging of connections
general
ICMP connections reduced timeout
icmp-timeout
Enable reduced timeout for ICMP connections
icmp-timeout-enable
Tracking options for aggressive aging
log
Options: log, none
Choose when aggressive aging timeouts are enforced
memory-conn-status
Options: both, connections, memory
Other IP protocols reduced timeout
other-timeout
Enable reduced timeout for non TCP/UDP/ICMP connections
other-timeout-enable
Pending Data connections reduced timeout
pending-timeout
Enable reduced timeout for non TCP/UDP/ICMP connections
pending-timeout-
enable
TCP termination reduced timeout
tcp-end-timeout
Enable reduced timeout for TCP termination
tcp-end-timeout-
enable
TCP handshake reduced timeout
tcp-start-timeout
Enable reduced timeout for TCP handshake
tcp-start-timeout-
enable
TCP session reduced timeout
tcp-timeout
Enable reduced timeout for TCP session
tcp-timeout-enable
UDP connections reduced timeout
udp-timeout
Enable reduced timeout for UDP connections
udp-timeout-enable
Example set aggressive-aging icmp-timeout -1000000 icmp-timeout-enable true

other-timeout -1000000 other-timeout-enable true pending-timeout -1000000

pending-timeout-enable true tcp-end-timeout -1000000 tcp-end-timeout-enable
true tcp-start-timeout -1000000 tcp-start-timeout-enable true tcp-timeout
-1000000 tcp-timeout-enable true udp-timeout -1000000 udp-timeout-enable
true general true log log connt-limit-high-watermark-pct -1000000
connt-mem-high-watermark-pct -1000000 memory-conn-status both
Syntax set aggressive-aging advanced-settings connections [ other-timeout-enable

<other-timeout-enable> ] [ connt-limit-high-watermark-pct <connt-limit-high-watermark-pct
] [ tcp-start-timeout-enable <tcp-start-timeout-enable> ] [
icmp-timeout-enable <icmp-timeout-enable> ] [ general <general>
] [ tcp-timeout-enable <tcp-timeout-enable> ] [ tcp-timeout
<tcp-timeout> ] [ tcp-start-timeout <tcp-start-timeout> ] [
udp-timeout-enable <udp-timeout-enable> ] [ udp-timeout <udp-timeout>
] [ pending-timeout-enable <pending-timeout-enable> ] [ log <log>
] [ connt-mem-high-watermark-pct <connt-mem-high-watermark-pct> ]
[ tcp-end-timeout-enable <tcp-end-timeout-enable> ] [ icmp-timeout
<icmp-timeout> ] [ tcp-end-timeout <tcp-end-timeout> ] [ memory-conn-status
<memory-conn-status> ] [ pending-timeout <pending-timeout> ] [ other-timeout
<other-timeout> ]
Example set aggressive-aging advanced-settings connections other-timeout-enable

true connt-limit-high-watermark-pct -1000000 tcp-start-timeout-enable true
icmp-timeout-enable true general true tcp-timeout-enable true tcp-timeout
-1000000 tcp-start-timeout -1000000 udp-timeout-enable true udp-timeout
-1000000 pending-timeout-enable true log log connt-mem-high-watermark-pct
-1000000 tcp-end-timeout-enable true icmp-timeout -1000000 tcp-end-timeout
-1000000 memory-conn-status both pending-timeout -1000000 other-timeout
-1000000
set antispam
Policy for Anti-Spam blade
set antispam
Description Policy for Anti-Spam blade
Syntax set antispam [ mode <mode> ] [ detection-method <detection-method> ] [

log <log> ] [ action-spam-email-content <action-spam-email-content> ] [
flag-subject-stamp <flag-subject-stamp> ] [ detect-mode <detect-mode> ]
Parameters

Action to be used upon spam detection in email content: block, flag-header,
action-spam-email- flag-subject
content Options: block, flag-header, flag-subject
Detect-Only mode: on, off
detect-mode
Type of spam detection: either Sender’s IP address or both Sender’s IP address
detection-method and content based detection
Options: email-content, sender-ipaddr-reputation-only
Text to add to spam e-mails subject (depends on action chosen for detected
flag-subject-stamp spam)
Tracking options: log, alert or none
log
Anti-Spam blade mode: on, off
mode
Options: on, off
Example set antispam mode on detection-method email-content log none

action-spam-email-content block flag-subject-stamp word detect-mode true
set antispam
Syntax set antispam advanced-settings ip-rep-fail-open <ip-rep-fail-open>
Example set antispam advanced-settings ip-rep-fail-open true
set antispam
Syntax set antispam advanced-settings email-size-scan <email-size-scan>
Example set antispam advanced-settings email-size-scan -1000000
set antispam
Syntax set antispam advanced-settings allow-mail-track <allow-mail-track>
Example set antispam advanced-settings allow-mail-track none

set antispam
Syntax set antispam advanced-settings transparent-proxy <transparent-proxy>
Example set antispam advanced-settings transparent-proxy true
set antispam
Syntax set antispam advanced-settings ip-rep-timeout <ip-rep-timeout>
Example set antispam advanced-settings ip-rep-timeout -1000000

set antispam
Syntax set antispam advanced-settings spam-engine-timeout <spam-engine-timeout>
Example set antispam advanced-settings spam-engine-timeout -1000000

set antispam
Syntax set antispam advanced-settings spam-engine-all-mail-track

<spam-engine-all-mail-track>
Example set antispam advanced-settings spam-engine-all-mail-track none
set application

set application
Syntax set application application-name <application-name> add url <url>
Parameters
Application name
application-name
Type: URL
url Application URL
Example set application application-name http://somehost.example.com add url

http://somehost.example.com
set application
Syntax set application application-name <application-name> remove url <url>
Parameters
Application name
application-name
Type: URL
url Application URL
Example set application application-name http://somehost.example.com remove url

http://somehost.example.com
set application
Syntax set application application-id <application-id> add url <url>
Parameters
application-id
url Application URL
Example set application application-id -1000000 add url http://somehost.example.com

set application
Syntax set application application-id <application-id> remove url <url>
Parameters
application-id
url Application URL
Example set application application-id -1000000 remove url http://somehost.example.com
set application
Syntax set application application-name <application-name> add category <category>
Parameters
Application name
application-name
Type: URL
category Category name
Example set application application-name http://somehost.example.com add category

TEXT
set application
Syntax set application application-name <application-name> remove category

<category>
Parameters
Application name
application-name
Type: URL
Example set application application-name http://somehost.example.com remove

category TEXT

set application
Syntax set application application-id <application-id> add category <category>
Parameters
application-id
Example set application application-id -1000000 add category TEXT
set application
Syntax set application application-id <application-id> remove category <category>
Parameters
application-id
Example set application application-id -1000000 remove category TEXT
set application
Syntax set application application-id <application-id> [ category <category> ] [

regex-url <regex-url> ]
Parameters
application-id
category
vant)
regex-url
Example set application application-id -1000000 category TEXT regex-url true

set application
Syntax set application application-name <application-name> [ category <category> ]

[ regex-url <regex-url> ]
Parameters
Application name
application-name
Type: URL
category
vant)
regex-url
Example set application application-name http://somehost.example.com category TEXT

regex-url true
set application-control
Description Default APPI policy and configuration
Syntax set application-control [ mode <mode> ] [ block-security-categories

<block-security-categories> ] [ block-inappropriate-content
<block-inappropriate-content> ] [ block-other-undesired-applications
<block-other-undesired-applications> ] [ block-file-sharing-applications
<block-file-sharing-applications> ] [ limit-bandwidth { true [ limit-upload
{ true set-limit <set-limit> | false } ] [ limit-download { true set-limit
<set-limit> | false } ] | false } ]
Parameters
Block file sharing using torrents and peer-to-peer applications
block-file-sharing-
applications
Control content by blocking Internet access to websites with inappropriate con-
block-inappropriate- tent such as sex, violence, weapons, gambling, and alcohol
content Type: Boolean (true/false)
Manually add and block applications or categories of URLs to a group of unde-
block-other-undesired- sired applications
applications Type: Boolean (true/false)
Block applications and URLs that can be a security risk and are categorized as
block-security- spyware, phishing, botnet, spam, anonymizer, or hacking
categories Type: Boolean (true/false)
Indicates if applications that use a lot of bandwidth are limited (also used for
limit-bandwidth QoS)
If true, traffic for downloading is limited to the value in maxLimitedDownload
limit-download
If true, traffic for uploading is limited to the value in maxLimitedDownload
limit-upload
Applications & URLs mode - true for on, false for off
mode

The limit, in kbps, for downloading
set-limit
Example set application-control mode true block-security-categories true

block-inappropriate-content true block-other-undesired-applications true
block-file-sharing-applications true limit-bandwidth true limit-upload true
set-limit -1000000 limit-download true set-limit -1000000
set application-group
Syntax set application-group name <name> add application-name <application-name>

Parameters
application-name Application or group name
Example set application-group name users add application-name hasMany
Syntax set application-group name <name> remove application-name <application-name>

Parameters
Example set application-group name users remove application-name hasMany

Syntax set application-group name <name> add application-id <application-id>
Parameters
application-id The ID of the application or the group
Example set application-group name users add application-id hasMany
Syntax set application-group name <name> remove application-id <application-id>
Parameters
Example set application-group name users remove application-id hasMany
Syntax set application-group application-group-id <application-group-id> add

application-name <application-name>
Parameters
Example set application-group application-group-id -1000000 add application-name

hasMany

Syntax set application-group application-group-id <application-group-id> remove

application-name <application-name>
Parameters
Example set application-group application-group-id -1000000 remove application-name

hasMany
Syntax set application-group application-group-id <application-group-id> add

application-id <application-id>
Parameters
Example set application-group application-group-id -1000000 add application-id

hasMany
Syntax set application-group application-group-id <application-group-id> remove

application-id <application-id>
Parameters
Example set application-group application-group-id -1000000 remove application-id

hasMany

set bridge
Bridge configured in the device
set bridge
Syntax set bridge <name> stp <stp>
Parameters
Bridge name
name
Spanning Tree Protocol mode
stp
Options: on, off
Example set bridge br7 stp on
set bridge
Syntax set bridge <name> add member <member>
Parameters
member Network name
Bridge name
name
Example set bridge br7 add member My_Network
set bridge
Syntax set bridge <name> remove member <member>
Parameters
member Network name
Bridge name
name
Example set bridge br7 remove member My_Network


set cloud-deployment
Description Cloud Deployment Settings
Syntax set cloud-deployment [ cloud-url <cloud-url> ] [ gateway-name <gateway-name>

] [ template <template> ] [ container <container> ]
Parameters
The DNS or IP address through which the device will connect to the cloud ser-
cloud-url vice
Type: URL
Container
container
Type: String
The appliance name used to identify the gateway
gateway-name
Type: A string that contains [A-Z], [0-9] and ’-’ characters
Template
template
Type: String
Example set cloud-deployment cloud-url http://www.checkpoint.com/ gateway-name

My-appliance template TEXT container TEXT
set cloud-services
Cloud Services
set cloud-services
Syntax set cloud-services [ { [ activation-key <activation-key> ] | [

[ service-center <service-center> ] [ gateway-id <gateway-id> ] [
registration-key <registration-key> ] ] } ] [ confirm-untrusted-certificate
<confirm-untrusted-certificate> ] [ mode <mode> ]
Parameters
A key received from the Cloud Services provider which is used to initialize the
activation-key connection to the Cloud Services
Type: String
Is the service center URL is a trusted certificate
confirm-untrusted-
certificate
Gateway id (in the format <gateway name>.<portal name>). This is not needed
gateway-id if an activation-key was configured.
Indicates if the device is managed by a cloud service
mode
Options: off, on
Registration key that acts as a password when connecting to the cloud service
registration-key for the first time. This is not needed if an activation-key was configured.
Type: A registration key

The DNS or IP address through which the device will connect to the cloud ser-
service-center vice for the first time. This is not needed if an activation-key was configured.
Type: URL
Example set cloud-services activation-key TEXT confirm-untrusted-certificate true

mode off
set cloud-services
Syntax set cloud-services advanced-settings cloud-management-configuration

[ smp-login <smp-login> ] [ show-mgmt-server-details-on-login
<show-mgmt-server-details-on-login> ]
Example set cloud-services advanced-settings cloud-management-configuration

smp-login true show-mgmt-server-details-on-login true
set date
Manual time
set date
Description Manual time
Syntax set date <date>
Parameters
Date in the format YYYY-MM-DD
date
Example set date 2000-01-01
set date
Syntax set time <time>
Parameters

time
Example set time 23:20
set date
Syntax set timezone <timezone>
Parameters
timezone Timezone location
Example set timezone GMT-11:00(Midway-Island)
set date
Syntax set timezone-dst automatic <timezone-dst automatic>
Parameters
Automatic adjustment clock for daylight saving changes flag
timezone-dst auto-
Options: on, off
matic
Example set timezone-dst automatic on
set device-details
Description Device details
Syntax set device-details [ hostname <hostname> ] [ country <country> ]

Parameters
The country where you are located. The country configured for the WLAN
country
Options: country
The appliance name used to identify the gateway.
hostname
Type: A string that contains [A-Z], [0-9] and ’-’ characters

Example set device-details hostname My-appliance country albania
set dhcp server interface
DHCP custom option

Description DHCP custom option
Syntax set dhcp server interface <cliName> custom-option name <custom-option name>
type <type> tag <tag> data <data>
Parameters
cliName
cliName
Type: virtual
Set the name of the object
custom-option name
Type: A string that contains alphanumeric characters or hyphen
Set the desired value of the object
data
Type: String
Select a unique tag for the object
tag
Select the appropriate type to store your object
type Options: string, int8, int16, int32, uint8, uint16, uint32, boolean, ipv4-address,
ipv4-address-array, hex-string
Example set dhcp server interface virtual custom-option name MyOption type string
tag -1000000 data TEXT

Syntax set dhcp server interface <name> { disable | enable }
Parameters
Use DHCP Server with a specified IP address range
dhcp
Options: off, on, relay
Network name
name
Example set dhcp server interface My_Network off

Syntax set dhcp server interface <name> relay relay-to <relay relay-to> [ secondary
<secondary> ]
Parameters
Network name
name
Enter the DHCP server IP address
relay relay-to
Type: IP address
Enter the secondary DHCP server IP address
secondary
Type: IP address
Example set dhcp server interface My_Network relay relay-to 192.168.1.1 secondary
192.168.1.1

Syntax set dhcp server interface <name> include-ip-pool <include-ip-pool>
Parameters
DHCP range
include-ip-pool
Type: A range of IP addresses
Network name
name
Example set dhcp server interface My_Network include-ip-pool 192.168.1.1-192.168.1.10

Syntax set dhcp server interface <name> exclude-ip-pool <exclude-ip-pool>
Parameters
DHCP exclude range (IPv4 address range format)
exclude-ip-pool
Type: A range of IP addresses
Network name
name
Example set dhcp server interface My_Network exclude-ip-pool 192.168.1.1-192.168.1.10

Syntax set dhcp server interface <name> default-gateway <default-gateway>
Parameters
default-gateway A virtual field calculated by the values of the fields: dhcpGwMode & dhcpGw
Network name
name
Example set dhcp server interface My_Network default-gateway auto

Syntax set dhcp server interface <name> wins-mode <wins-mode>
Parameters
Network name
name
wins-mode Configure the WINS Server
Example set dhcp server interface My_Network wins-mode auto

Syntax set dhcp server interface <name> wins primary <wins primary> [ secondary
<secondary> ]
Parameters
Network name
name
secondary Configure the IP address for the second WINS server
wins primary Configure the IP address for the first WINS server
Example set dhcp server interface My_Network wins primary 192.168.1.1 secondary
192.168.1.1

Syntax set dhcp server interface <name> lease-time <lease-time>
Parameters
Configure the timeout in hours for a single device to retain a dynamically ac-
lease-time
quired IP address
Network name
name
Example set dhcp server interface My_Network lease-time -1000000

Syntax set dhcp server interface <name> domain <domain>
Parameters
domain The domain name of the DHCP
Network name
name
Example set dhcp server interface My_Network domain myHost.com

Syntax set dhcp server interface <name> ntp <ntp> [ secondary <secondary> ]
Parameters
Network name
name
ntp Configure the first NTP (Network Time Protocol) server to be distributed to
DHCP client
secondary Configure the second NTP (Network Time Protocol) server to be distributed to
DHCP client
Example set dhcp server interface My_Network ntp 192.168.1.1 secondary 192.168.1.1

Syntax set dhcp server interface <name> tftp <tftp>
Parameters
Network name
name
tftp Configure TFTP server to be distributed to DHCP client
Example set dhcp server interface My_Network tftp 192.168.1.1

Syntax set dhcp server interface <name> file <file>
Parameters
file Configure TFTP bootfile to be distributed to DHCP client
Network name
name
Example set dhcp server interface My_Network file word

Syntax set dhcp server interface <name> callmgr <callmgr> [ secondary <secondary> ]
Parameters
callmgr Configure the first Call manager server to be distributed to DHCP client
Network name
name
secondary Configure the second Call manager server to be distributed to DHCP client
Example set dhcp server interface My_Network callmgr 192.168.1.1 secondary

192.168.1.1

Syntax set dhcp server interface <name> xwin-display-mgr <xwin-display-mgr>
Parameters
Network name
name
xwin-display-mgr Configure X-Windows display manager to be distributed to DHCP client
Example set dhcp server interface My_Network xwin-display-mgr 192.168.1.1

Syntax set dhcp server interface <name> avaya-voip <avaya-voip>
Parameters
avaya-voip Configure Avaya IP phone to be distributed to DHCP client
Network name
name
Example set dhcp server interface My_Network avaya-voip TEXT

Syntax set dhcp server interface <name> nortel-voip <nortel-voip>
Parameters
Network name
name
nortel-voip Configure Nortel IP phone to be distributed to DHCP client
Example set dhcp server interface My_Network nortel-voip TEXT


Syntax set dhcp server interface <name> thomson-voip <thomson-voip>

Parameters
Network name
name
thomson-voip Configure Thomson IP phone to be distributed to DHCP client
Example set dhcp server interface My_Network thomson-voip TEXT

Syntax set dhcp server interface <name> dns <dns>
Parameters
dns Configure the DNS Server
Network name
name
Example set dhcp server interface My_Network dns auto

Syntax set dhcp server interface <name> dns primary <dns primary>
Parameters
dns primary Configure the IP address for the first DNS server
Network name
name
Example set dhcp server interface My_Network dns primary 192.168.1.1

Syntax set dhcp server interface <name> dns secondary <dns secondary>
Parameters
dns secondary Configure the IP address for the second DNS server

Network name
name
Example set dhcp server interface My_Network dns secondary 192.168.1.1

Syntax set dhcp server interface <name> dns tertiary <dns tertiary>
Parameters
dns tertiary Configure the IP address for the third DNS server
Network name
name
Example set dhcp server interface My_Network dns tertiary 192.168.1.1

Syntax set dhcp server interface <name> remove custom-option <custom-option>
Parameters
custom-option Set the name of the object
Network name
name
Example set dhcp server interface My_Network remove custom-option MyOption
set dhcp-relay
Description DHCP Relay advanced options
Syntax set dhcp-relay advanced-settings use-internal-ip-addrs-as-source

<use-internal-ip-addrs-as-source>
Example set dhcp-relay advanced-settings use-internal-ip-addrs-as-source true

set dns
set dns
Syntax set dns [ primary ipv4-address <primary ipv4-address> ] [ secondary

ipv4-address <secondary ipv4-address> ] [ tertiary ipv4-address <tertiary
ipv4-address> ]
Parameters
First global DNS IP address
primary ipv4-address
Type: IP address
Second global DNS IP address
secondary ipv4-
Type: IP address
address
Third global DNS IP address
tertiary ipv4-address
Type: IP address
Example set dns primary ipv4-address 192.168.1.1 secondary ipv4-address 192.168.1.1

tertiary ipv4-address 192.168.1.1
set dns
Syntax set dns mode <mode>
Parameters
Status of appliance using global DNS servers
mode
Options: global, internet
Example set dns mode global
set dns
Syntax set dns proxy { on [ resolving <resolving> ] | off }
Parameters
Relay DNS requests from internal network clients to the DNS servers defined
proxy above

Use network objects as a hosts list to translate names to their IP addresses
resolving
Options: on, off
Example set dns proxy on resolving on
set dns
Syntax set domainname <domainname>
Parameters
Identification string that defines a realm of administrative autonomy, authority, or
domainname control in the Internet
Type: A FQDN
Example set domainname somehost.example.com
set dynamic-dns
Configure a persistent domain name for the device
set dynamic-dns
Description Configure a persistent domain name for the device
Syntax set dynamic-dns { enable } provider <provider> password <password> user

<user> domain <domain>
Parameters
The domain name (sometimes called host name) within your account that the
domain device will use
Type: A FQDN
Is the DDNS service active
is-active
The password of the account
password
Select the DDNS provider that you have already set up an account with
provider
Options: no-ip.com, DynDns
The user name of the account
Type: DynDns provider: begins with a letter and have 2-25 alphanumeric char-
user
acters. no-ip.com provider: length is 6-15 characters and contains only a-z, 0-9,
-, _
Example set dynamic-dns true provider no-ip.com password a(ˆ

&7Ba user myUser17

domain somehost.example.com
set dynamic-dns
Syntax set dynamic-dns { disable }
Parameters
Is the DDNS service active
is-active
Example set dynamic-dns true
set dynamic-dns
Syntax set dynamic-dns provider <provider> [ password <password> ] [ user <user> ]

[ domain <domain> ]
Parameters
The domain name (sometimes called host name) within your account that the
domain device will use
Type: A FQDN
The password of the account
password
Select the DDNS provider that you have already set up an account with
provider
Options: no-ip.com, DynDns
The user name of the account
Type: DynDns provider: begins with a letter and have 2-25 alphanumeric char-
user
acters. no-ip.com provider: length is 6-15 characters and contains only a-z, 0-9,
-, _
Example set dynamic-dns provider no-ip.com password a(ˆ

&7Ba user myUser17 domain
somehost.example.com
set fw policy
Default policy for firewall blade

set fw policy
Description Default policy for firewall blade
Syntax set fw policy [ mode <mode> ] [ track-allowed-traffic <track-allowed-traffic>

] [ track-blocked-traffic <track-blocked-traffic> ]
Parameters
mode Current mode for firewall policy
Indicates if accepted connections are logged
track-allowed-traffic
Options: none, log
Indicates if blocked connections are logged
track-blocked-traffic
Options: none, log
Example set fw policy mode off track-allowed-traffic none track-blocked-traffic

none
set fw policy
Description The activation modes for firewall
Syntax set fw policy add name <name>
Parameters
name Service or service group name
Example set fw policy add name TEXT
set fw policy
Description The activation modes for firewall
Syntax set fw policy remove name <name>
Parameters
name Service or service group name
Example set fw policy remove name TEXT

set fw policy user-check accept
Description User Check is a customizable message shown to users upon match, and allows to ’ask’ the user for
the desired action
Syntax set fw policy user-check accept [ body <body> ] [ fallback-action

<fallback-action> ] [ frequency <frequency> ] [ subject <subject> ] [ title
<title> ]
Parameters
The informative text that appears in the APPI ’Accept’ user message
body
Type: A string that contains only printable characters
Indicates the action to take when an ’Accept’ user message cannot be displayed
fallback-action
Options: block, accept
Indicates how often is the APPI ’Accept’ user message is being presented to the
frequency same user
Options: day, week, month
The subject of an APPI ’Accept’ user message
subject
The title of an APPI ’Accept’ user message
title
Example set fw policy user-check accept body My Network fallback-action block

frequency day subject My Network title My Network
set fw policy user-check ask
the desired action
Syntax set fw policy user-check ask [ body <body> ] [ confirm-text <confirm-text>

] [ fallback-action <fallback-action> ] [ frequency <frequency> ] [ subject
<subject> ] [ title <title> ] [ reason-displayed <reason-displayed> ]
Parameters
The informative text that appears in the APPI ’Ask’ user message
body
This text appears next to the ’ignore warning’ checkbox of an APPI ’Ask’ user
confirm-text message
The action that is performed when the ’Ask’ message cannot be shown
fallback-action
Indicates how often is the APPI ’Ask’ user message is being presented to the
frequency same user
Indicates if the user must enter a reason for ignoring this message in a desig-
reason-displayed nated text dialog
The subject of an APPI ’Ask’ user message
subject
The title of an APPI ’Ask’ user message
title

Example set fw policy user-check ask body My Network confirm-text My Network
fallback-action block frequency day subject My Network title My Network
reason-displayed true
set fw policy user-check block
the desired action
Syntax set fw policy user-check block [ body <body> ] [ redirect-url <redirect-url>

] [ subject <subject> ] [ title <title> ] [ redirect-to-url <redirect-to-url>
]
Parameters
The informative text that appears in the APPI ’Block’ user message
body
Indicates if the user will be redirected to a custom URL in case of a ’Block’ action
redirect-to-url
Indicates the URL to redirect the user in case of a ’Block’ action if configured
to do so. The URL to redirect the user in case of a ’Block’ action. Redirection
redirect-url
happens only if this functionality is turned on
Type: urlWithHttp
The subject of an APPI ’Block’ user message
subject
The title of an APPI ’Block’ user message
title
Example set fw policy user-check block body My Network redirect-url urlWithHttp

subject My Network title My Network redirect-to-url true
set group
Network Objects Group model
set group
Syntax set group <name> [ new-name <new-name> ] [ comments <comments> ]
Parameters
Comments and explanation about the Network Object group
: () @

new-name Type: A string that begins with a letter and contain up to 32 alphanumeric (0-9,
Example set group myObject_17 new-name myObject_17 comments This is a comment.
set group
Syntax set group <name> remove-all members
Parameters
Example set group myObject_17 remove-all members
set group
Syntax set group <name> add member <member>
Parameters
member Network Object name
Example set group myObject_17 add member TEXT
set group
Syntax set group <name> remove member <member>
Parameters

member Network Object name
Example set group myObject_17 remove member TEXT
set host
Syntax set host <name> [ name <name> ] [ dhcp-exclude-ip-addr { on [

dhcp-reserve-ip-addr-to-mac { on mac-addr <mac-addr> | off } ] | off } ] [
dns-resolving <dns-resolving> ] [ ipv4-address <ipv4-address> ]
Parameters
Indicates if the IP address is reserved in internal DHCP daemon
dhcp-reserve-ip-addr-
to-mac
MAC address of the Network Object
mac-addr
Type: MAC address
Network Object name
name
Type: String
Example set host TEXT name TEXT dhcp-exclude-ip-addr on dhcp-reserve-ip-addr-to-mac

on mac-addr 00:1C:7F:21:05:BE dns-resolving true ipv4-address 192.168.1.1
set hotspot
Hotspot settings
set hotspot
Description Hotspot settings
Syntax set hotspot [ require-auth <require-auth> ] [ auth-mode <auth-mode> ]
[ allowed-group <allowed-group> ] [ timeout <timeout> ] [ portal-title
<portal-title> ] [ portal-msg <portal-msg> ] [ show-terms-of-use
<show-terms-of-use> ] [ terms-of-use <terms-of-use> ]

Parameters
Indicates the specific user group that can authenticate through the hotspot when
allowed-group auth-mode is set to allow-specific-group
Allow access to a specific user group only or all users
auth-mode
Options: allow-all, allow-specific-group
The message shown in hotspot portal
portal-msg
The title of the hotspot portal
portal-title
Indicates if user authentication is required
require-auth
Indicates if a terms and conditions link will be shown in the hotspot portal
show-terms-of-use
Options: on, off
Indicates the When users will click the terms and conditions text shown in the
terms-of-use hotspot portal
Time, in minutes, untill the hotspot session expires
timeout
Example set hotspot require-auth true auth-mode allow-all allowed-group

word timeout -1000000 portal-title My Network portal-msg My Network
show-terms-of-use on terms-of-use My Network
set hotspot
Syntax set hotspot add exception <exception>
Parameters
exception Network object name
Example set hotspot add exception TEXT
set hotspot
Syntax set hotspot remove exception <exception>
Parameters
exception Network object name
Example set hotspot remove exception TEXT


set hotspot
Syntax set hotspot advanced-settings activation <activation>
Example set hotspot advanced-settings activation on
set https-categorization
HTTPS categorization
Description HTTPS categorization
Syntax set https-categorization advanced-settings validate-cert-expiration

<validate-cert-expiration>
Example set https-categorization advanced-settings validate-cert-expiration true
Syntax set https-categorization advanced-settings validate-unreachable-crl

<validate-unreachable-crl>
Example set https-categorization advanced-settings validate-unreachable-crl true
Syntax set https-categorization advanced-settings validate-crl <validate-crl>
Example set https-categorization advanced-settings validate-crl true

set interface
Local network
set interface
Syntax set interface <name> ipv4-address <ipv4-address> { subnet-mask <subnet-mask>

default-gw <default-gw> [ dns-primary <dns-primary> [ dns-secondary
<dns-secondary> [ dns-tertiary <dns-tertiary> ] ] ] | mask-length
<mask-length> default-gw <default-gw> [ dns-primary <dns-primary> [
dns-secondary <dns-secondary> [ dns-tertiary <dns-tertiary> ] ] ] }
Parameters
Default gateway
default-gw
Type: IP address
dns-primary
Type: IP address
dns-secondary
Type: IP address
dns-tertiary
Type: IP address
The IP address
ipv4-address
Type: IP address
Subnet mask length
mask-length
Network name
name
Subnet mask
subnet-mask
Type: Subnet mask
Example set interface My_Network ipv4-address 192.168.1.1 subnet-mask 255.255.255.0

default-gw 192.168.1.1 dns-primary 192.168.1.1 dns-secondary 192.168.1.1
dns-tertiary 192.168.1.1
set interface
Syntax set interface <name> ipv4-address <ipv4-address> { mask-length <mask-length>

| subnet-mask <subnet-mask> }
Parameters
ipv4-address
Type: IP address
Represents the network’s mask length
mask-length
Network name
name
Enter the Subnet mask of the specified network
subnet-mask

Example set interface My_Network ipv4-address 192.168.1.1 mask-length 20
set interface
Syntax set interface <name> unassigned
Parameters
Network name
name
Example set interface My_Network unassigned
set interface
Syntax set interface <name> [ auto-negotiation <auto-negotiation> ] [ mtu <mtu> ] [

link-speed <link-speed> ]
Parameters
Enable this option in order to manually configure the link speed of the interface.
auto-negotiation
Options: on, off
Configure the link speed of the interface manually
link-speed
Options: 10/full, 10/half, 100/full, 100/half
Configure the Maximum Transmission Unit size for an interface
mtu
Network name
name
Example set interface My_Network auto-negotiation on mtu -1000000 link-speed

10/full
set interface
Syntax set interface <name> state <state>
Parameters
Network name
name
The mode of the network - enabled or disabled
state
Options: on, off

Example set interface My_Network state on
set interface
Syntax set interface <name> description <description>
Parameters
Description
: () @
Network name
name
Example set interface My_Network description This is a comment.
set interface
Syntax set interface <name> [ lan-access <lan-access> ] [ lan-access-track
<lan-access-track> ]
Parameters
Local networks will be accessible from this network once this option is enabled
lan-access
Traffic from this network to local networks will be logged once this option is
lan-access-track enabled
Options: none, log
Network name
name
Example set interface My_Network lan-access block lan-access-track none
set internet
Description Global settings that affect all internet connections
Syntax set internet advanced-settings reset-sierra-usb-on-lsi-event

<reset-sierra-usb-on-lsi-event>
Example set internet advanced-settings reset-sierra-usb-on-lsi-event true

set internet mode
Description Traffic will be distributed automatically across the defined Internet connections according to the con-
figured load balancing weights
Syntax set internet mode { load-balancing | high-availability }
Parameters
The load balancing mode
lb-mode
Options: on, off
Example set internet mode on
set internet-connection
Internet Connection
Syntax set internet-connection <name> [ auto-negotiation <auto-negotiation> ] [

link-speed <link-speed> ] [ mtu <mtu> ] [ mac-addr <mac-addr> ] [ vpi <vpi> ]
[ vci <vci> ] [ standard <standard> ] [ encapsulation <encapsulation> ]
Parameters
Disable auto negotiation and manually define negotiation link speed
auto-negotiation
Options: on, off
Encapsulation type for the ADSL connection
encapsulation
Options: llc, vcmux
Link speed
link-speed
Options: 100/full, 100/half, 10/full, 10/half
Default mac address wrapper
mac-addr
Type: A MAC address or ’default’
MTU size. Select ’default’ for default value.
mtu
Connection name
name
The ADSL standard to use
standard
Options: multimode, t1413, glite, gdmt, adsl2, adsl2+
VCI value for the ADSL connection
vci
Type: A number between 0 and 65535
VPI value for the ADSL connection
vpi
Type: A number between 0 and 4095

Example set internet-connection My connection auto-negotiation on link-speed
100/full mtu word mac-addr 00:1C:7F:21:05:BE vpi 42 vci 42 standard multimode
encapsulation llc
Syntax set internet-connection <name> connect-on-demand <connect-on-demand>
Parameters
Holds the status of the connect on demand feature
connect-on-demand
Connection name
name
Example set internet-connection My connection connect-on-demand true
Syntax set internet-connection <name> { enable | disable }
Parameters
Connection name
name
Connection enabled/disabled
state
Example set internet-connection My connection true
Syntax set internet-connection <name> qos-download { true [ bandwidth <bandwidth> ]

| false }
Parameters
ISP download bandwidth
bandwidth
Connection name
name

Enable QoS(quality of service) restriction on inbound traffic(download)
qos-download
Example set internet-connection My connection qos-download true bandwidth -1000000
Syntax set internet-connection <name> qos-upload { true [ bandwidth <bandwidth> ] |

false }
Parameters
ISP upload bandwidth
bandwidth
Connection name
name
Enable QoS(quality of service) restriction on outbound traffic(upload)
qos-upload
Example set internet-connection My connection qos-upload true bandwidth -1000000
Syntax set internet-connection <name> ha-priority <ha-priority>

load-balancing-weight <load-balancing-weight>
Parameters
Priority of the connection in HA
ha-priority
Internet connection weight for load balancing configuration
load-balancing-weight
Connection name
name
Example set internet-connection My connection ha-priority -1000000

load-balancing-weight -1000000

Syntax set internet-connection <name> route-traffic-through-default-gateway
<route-traffic-through-default-gateway>
Parameters
Connection name
name
In order to route traffic through this connection you need to add specific routes
route-traffic-through- through it
default-gateway Type: Boolean (true/false)
Example set internet-connection My connection route-traffic-through-default-gateway

true
Syntax set internet-connection <name> type { static ipv4-address <ipv4-address>

{ subnet-mask <subnet-mask> | mask-length <mask-length> } default-gw
<default-gw> [ dns-primary <dns-primary> ] [ dns-secondary <dns-secondary>
] [ dns-tertiary <dns-tertiary> ] | pppoe username <username> {
password <password> | password-hash <password-hash> } | pptp username
<username> { password <password> | password-hash <password-hash> } server
<server> [ local-ipv4-address <local-ipv4-address> ] [ wan-ipv4-address
<wan-ipv4-address> { wan-subnet-mask <wan-subnet-mask> | wan-mask-length
<wan-mask-length> } default-gw <default-gw> ] | l2tp username <username>
{ password <password> | password-hash <password-hash> } server <server>
[ local-ipv4-address <local-ipv4-address> ] [ wan-ipv4-address
<wan-ipv4-address> { wan-subnet-mask <wan-subnet-mask> | wan-mask-length
<wan-mask-length> } default-gw <default-gw> ] }
Parameters
default-gw
Type: IP address
dns-primary
Type: IP address
dns-secondary
Type: IP address
dns-tertiary
Type: IP address
IP address field(for static ip and bridge settings)
ipv4-address
Type: IP address
local-ipv4-address
Subnet mask length
mask-length
Connection name
name
password
password-hash
Type: passwordHash

Server IP address
server
Type: IP address
Subnet mask
subnet-mask
Connection type
type
wan-ipv4-address
wan-mask-length
wan-subnet-mask
Type: Subnet mask
Example set internet-connection My connection type static ipv4-address 192.168.1.1

subnet-mask 255.255.255.0 default-gw 192.168.1.1 dns-primary 192.168.1.1
dns-secondary 192.168.1.1 dns-tertiary 192.168.1.1
Syntax set internet-connection <name> type { pppoe [ local-ipv4-address

<local-ipv4-address> ] [ method <method> ] [ idle-time <idle-time> ] }
Parameters
Disconnect idle time
idle-time
local-ipv4-address
Authentication method
method
Options: auto, pap, chap
Connection name
name
Connection type
type
Example set internet-connection My connection type pppoe local-ipv4-address auto

method auto idle-time -1000000
Syntax set internet-connection <name> type { pppoa username <username> { password
<password> | password-hash <password-hash> } | eoa }
Parameters

Connection name
name
password
password-hash
Type: passwordHash
Connection type
type
Example set internet-connection My connection type pppoa username MyUsername@MyISP

password internetPassword
Syntax set internet-connection <name> type { pppoa local-ipv4-address

<local-ipv4-address> [ method <method> ] [ idle-time <idle-time> ] | eoa [
wan-ipv4-address <wan-ipv4-address> { wan-subnet-mask <wan-subnet-mask> |
wan-mask-length <wan-mask-length> } default-gw <default-gw> ] }
Parameters
default-gw
Type: IP address
Disconnect idle time
idle-time
local-ipv4-address
Authentication method
method
Options: auto, pap, chap
Connection name
name
Connection type
type
wan-ipv4-address
wan-mask-length
wan-subnet-mask
Type: Subnet mask
Example set internet-connection My connection type pppoa local-ipv4-address auto

method auto idle-time -1000000

Syntax set internet-connection <name> type { cellular number <number> [ username
<username> { password <password> | password-hash <password-hash> } ] [ apn
<apn> ] }
Parameters
APN (cellular modem settings)
apn
Type: A string that contains [a-z], [0-9], ’-’ and ’.’ characters
Connection name
name
Dialed number of the cellular modem settings
number
Type: A sequence of numbers and #,* characters
password
password-hash
Type: passwordHash
Connection type
type
Example set internet-connection My connection type cellular number 758996 username

MyUsername@MyISP password internetPassword apn my-apn
Syntax set internet-connection <name> probe-next-hop <probe-next-hop> [

probe-servers <probe-servers> ]
Parameters
Connection name
name
Automatically detect loss of connectivity to the default gateway
probe-next-hop
Monitor connection state by sending probe packets to one or more servers on
probe-servers the Internet
Example set internet-connection My connection probe-next-hop true probe-servers

true
Syntax set internet-connection <name> probe-next-hop <probe-next-hop> [

probing-method <probing-method> ]

Parameters
Connection name
name
Automatically detect loss of connectivity to the default gateway
probe-next-hop
Connection probing method
probing-method
Options: icmp, dns
Example set internet-connection My connection probe-next-hop true probing-method

icmp
Syntax set internet-connection <name> { probe-icmp-servers } first <first> [ second

<second> ] [ third <third> ]
Parameters
First IP address for the probing method(when using connection monitoring)
first
Connection name
name
Connection probing method
probing-method
Options: icmp, dns
Second IP address for the probing method(when using connection monitoring)
second
Third IP address for the probing method(when using connection monitoring)
third
Example set internet-connection My connection icmp first myHost.com second

myHost.com third myHost.com
set ip-fragments-params
IP fragments parameters
Description IP fragments parameters
Syntax set ip-fragments-params advanced-settings minsize <minsize>
Example set ip-fragments-params advanced-settings minsize -1000000

Syntax set ip-fragments-params advanced-settings config [ track <track> ] [ limit

<limit> ] [ advanced-state <advanced-state> ] [ timeout <timeout> ] [ pkt-cap
<pkt-cap> ]
Example set ip-fragments-params advanced-settings config track none limit -1000000

advanced-state forbid timeout -1000000 pkt-cap true
set ips engine-settings
IPS engine settings

Description IPS engine settings
Syntax set ips engine-settings [ protection-scope <protection-scope>

] [ bypass-under-load { true [ bypass-track <bypass-track> ] [
gateway-load-thresholds [ cpu-usage-low-watermark <cpu-usage-low-watermark>
] [ cpu-usage-high-watermark <cpu-usage-high-watermark> ] [
memory-usage-low-watermark <memory-usage-low-watermark> ] [
memory-usage-high-watermark <memory-usage-high-watermark> ] [
threshold-detection-delay <threshold-detection-delay> ] ] | false } ]
Parameters
Indicates how the appliance will track events where the bypass mechanism is
bypass-track activated/deactivated
Indicates if the IPS engine will move to bypass mode if the appliance is under
bypass-under-load heavy load
Indicates if the IPS blade will protect internal networks only or protect all net-
protection-scope works (including external networks)
Options: protect-internal-hosts-only, perform-ips-inspection-on-all-traffic
Example set ips engine-settings protection-scope protect-internal-hosts-only

bypass-under-load true bypass-track none gateway-load-thresholds
cpu-usage-low-watermark -1000000 cpu-usage-high-watermark -1000000
memory-usage-low-watermark -1000000 memory-usage-high-watermark -1000000
threshold-detection-delay -1000000

Syntax set ips engine-settings advanced-settings AboutConfigIPSErrorPageConfig [

status-code-desc <status-code-desc> ] [ show-error-code <show-error-code> ] [
logo-url <logo-url> ] [ send-detailed-status-code <send-detailed-status-code>
] [ enable-logo-url <enable-logo-url> ]
Example set ips engine-settings advanced-settings AboutConfigIPSErrorPageConfig

status-code-desc This is a comment. show-error-code true logo-url
http://www.checkpoint.com/ send-detailed-status-code true enable-logo-url true

Syntax set ips engine-settings advanced-settings AboutConfigIPSErrorPage [
send-error-code <send-error-code> ] [ error-page-for-supported-web-protections
<error-page-for-supported-web-protections> ] [ url <url> ]

Example set ips engine-settings advanced-settings AboutConfigIPSErrorPage
send-error-code true error-page-for-supported-web-protections do-not-show url
http://www.checkpoint.com/
set local-group
Syntax set local-group name <name> [ new-name <new-name> ] [ comments <comments> ]

[ remote-access-on <remote-access-on> ]
Parameters
Comments
: () @
Local group name
Local group name
Indicates if the users group have remote access permissions
remote-access-on
Example set local-group name myObject_17 new-name myObject_17 comments This is a

comment. remote-access-on true

set local-group users
Local Users Group

Syntax set local-group users name <name> add user-name <user-name>
Parameters
Local group name
user-name User’s name in the local database
Example set local-group users name myObject_17 add user-name admin

Syntax set local-group users name <name> remove user-name <user-name>
Parameters
Local group name
user-name User’s name in the local database
Example set local-group users name myObject_17 remove user-name admin
set local-user
Syntax set local-user name <name> [ new-name <new-name> ] [ { password-hash

<password-hash> | password <password> } ] [ comments <comments> ] [
remote-access-always-on <remote-access-always-on> ] [ is-temp-user { true
expiration-date <expiration-date> [ expiration-time <expiration-time> ] |
false } ]

Parameters
Comments
: () @
Expiration date for a temporary user in format yyyy-mm-dd
expiration-date
Expiration time for a temporary user in format HH:MM
expiration-time
Indicates if the user entry is temporary
is-temp-user
name
new-name
User’s password in the local database
password
User’s hashed password (used for importing database)
password-hash
Always enable remote access permission for user
remote-access-
always-on
Example set local-user name admin new-name admin password-hash TZXPLs20bN0RA

comments This is a comment. remote-access-always-on true is-temp-user true
expiration-date 2000-01-01 expiration-time 23:20
set log-servers-configuration
Description Log servers configuration
Syntax set log-servers-configuration mgmt-server-ip-addr <mgmt-server-ip-addr>

[ log-server-ip-addr <log-server-ip-addr> ] sic-name <sic-name>
one-time-password <one-time-password> [ external-log-server-enable
<external-log-server-enable> ]
Parameters
Determine if an external log server is active
external-log-server-
enable
This IP address is used if the log server is not located on the Security Manage-
log-server-ip-addr ment Server.
Type: IP address
This IP address is used for establishing trusted communication between the
mgmt-server-ip-addr Check Point Appliance and the log server.
Type: IP address
SIC one time password
one-time-password
Enter the SIC name of the log server object that was defined in SmartDashboard
sic-name
Type: A SIC name
Example set log-servers-configuration mgmt-server-ip-addr 192.168.1.1

log-server-ip-addr 192.168.1.1 sic-name QWEDFRGH4 one-time-password a(ˆ
&7Ba

external-log-server-enable true
set loginMessages
Description loginMessages
Syntax set loginMessages <type> { on | off } [ line ] [ message <message> ]
Parameters
enabled
enabled
message
message
Type: virtual
type
type
Options: motd, banner, caption
Example set loginMessages motd true line message virtual
set nat
NAT global
set nat
Description NAT global
Syntax set nat [ hide-internal-networks <hide-internal-networks> ]
Parameters
Hide internal networks behind the Gateway’s external IP address
hide-internal-networks
Example set nat hide-internal-networks true

set nat
Syntax set nat advanced-settings nat-destination-client-side <nat-destination-client-side>
Example set nat advanced-settings nat-destination-client-side true

set nat
Syntax set nat advanced-settings arp-proxy-merge <arp-proxy-merge>
Example set nat advanced-settings arp-proxy-merge true
set nat
Syntax set nat advanced-settings address-trans <address-trans>
Example set nat advanced-settings address-trans true
set nat
Syntax set nat advanced-settings nat-automatic-arp <nat-automatic-arp>
Example set nat advanced-settings nat-automatic-arp true
set nat
Syntax set nat advanced-settings nat-destination-client-side-manual

<nat-destination-client-side-manual>
Example set nat advanced-settings nat-destination-client-side-manual true

set nat
Syntax set nat advanced-settings nat-hash-size <nat-hash-size>
Example set nat advanced-settings nat-hash-size -1000000
set nat
Syntax set nat advanced-settings nat-cache-num-entries <nat-cache-num-entries>
Example set nat advanced-settings nat-cache-num-entries -1000000
set nat
Syntax set nat advanced-settings nat-limit <nat-limit>
Example set nat advanced-settings nat-limit -1000000
set nat
Syntax set nat advanced-settings increase-hide-capacity <increase-hide-capacity>
Example set nat advanced-settings increase-hide-capacity true
set nat
Syntax set nat advanced-settings nat-cache-expiration <nat-cache-expiration>
Example set nat advanced-settings nat-cache-expiration -1000000

set nat
Syntax set nat advanced-settings perform-cluster-hide-fold <perform-cluster-hide-fold>
Example set nat advanced-settings perform-cluster-hide-fold true
set nat
Syntax set nat advanced-settings ip-pool-nat [ ip-pool-securemote

<ip-pool-securemote> ] [ ip-pool-log <ip-pool-log> ] [ ip-pool-per-interface
<ip-pool-per-interface> ] [ ip-pool-override-hide <ip-pool-override-hide>
] [ ip-pool-gw2Gw <ip-pool-gw2Gw> ] [ ip-pool-unused-return-interval
<ip-pool-unused-return-interval> ] [ log-ip-pool-allocation
<log-ip-pool-allocation> ] [ ip-pool-mode <ip-pool-mode> ] [
ip-pool-alloc-per-destination <ip-pool-alloc-per-destination> ]
Example set nat advanced-settings ip-pool-nat ip-pool-securemote true ip-pool-log

none ip-pool-per-interface true ip-pool-override-hide true ip-pool-gw2Gw
true ip-pool-unused-return-interval -1000000 log-ip-pool-allocation none
ip-pool-mode do-not-use-IP-pool-NAT ip-pool-alloc-per-destination true
set nat-rule
Syntax set nat-rule name <name> [ original-source <original-source> ]

[ original-destination <original-destination> ] [ original-service
<original-service> ] [ translated-source <translated-source> ] [
translated-destination <translated-destination> ] [ translated-service
<translated-service> ] [ comment <comment> ] [ hide-sources <hide-sources> ] [
enable-arp-proxy <enable-arp-proxy> ] [ { position <position> | position-above
<position-above> | position-below <position-below> } ] [ name <name> ] [
disabled <disabled> ]
Parameters
: () @
Indicates if rule is disabled
disabled

hide-sources
name
name
position
position-above
position-below
Example set nat-rule name word original-source TEXT original-destination TEXT

enable-arp-proxy true position 2 name word disabled true
set nat-rule position
Syntax set nat-rule position <position> [ original-source <original-source>

] [ original-destination <original-destination> ] [ original-service
<original-service> ] [ translated-source <translated-source> ] [
translated-destination <translated-destination> ] [ translated-service
<translated-service> ] [ comment <comment> ] [ hide-sources <hide-sources> ] [
enable-arp-proxy <enable-arp-proxy> ] [ { position <position> | position-above
<position-above> | position-below <position-below> } ] [ name <name> ] [
Parameters
: () @
disabled
hide-sources
name
name

position
position-above
position-below
Example set nat-rule position 2 original-source TEXT original-destination TEXT

enable-arp-proxy true position 2 name word disabled true
set netflow collector
Syntax set netflow collector for-ip <for-ip> for-port <for-port> [ ip <ip> ] [ port
<port> ] [ export-format <export-format> ] [ srcaddr <srcaddr> ] [ is-enabled
<is-enabled> ]
Parameters
Export format
export-format
Options: Netflow_V9, Netflow_V5
IP address
for-ip
Type: IP address
UDP port
for-port
Type: Port number
IP address
ip
Type: IP address
Indicates if netflow is enabled
is-enabled
UDP port
port
Type: Port number
Source IP address
srcaddr
Type: IP address
Example set netflow collector for-ip 192.168.1.1 for-port 8080 ip 192.168.1.1 port
8080 export-format Netflow_V9 srcaddr 192.168.1.1 is-enabled true
set network

Syntax set network <name> [ name <name> ] [ network-ipv4-address
<network-ipv4-address> ] { [ subnet-mask <subnet-mask> ] | [ mask-length
<mask-length> ] }
Parameters
mask-length Mask length
Network Object name
name
Type: String
network-ipv4-address Network address
subnet-mask IP mask used in the related network
Example set network TEXT name TEXT network-ipv4-address 172.16.10.0 subnet-mask

255.255.255.0
set ntp
NTP
set ntp
Description NTP
Syntax set ntp [ local-time-zone <local-time-zone> ] [ auto-adjust-daylight-saving
<auto-adjust-daylight-saving> ]
Parameters
Auto daylight
auto-adjust-daylight-
Options: on, off
saving
local-time-zone Region on earth that has a uniform standard time
Example set ntp local-time-zone GMT-11:00(Midway-Island) auto-adjust-daylight-saving

on
set ntp
Description NTP
Syntax set ntp active <active>
Parameters
Region on earth that has a uniform standard time
active
Options: on, off

Example set ntp active on
set ntp
Description NTP
Syntax set ntp interval <interval>
Parameters
Time interval (minutes) to update date and time settings from the NTP server
interval
Example set ntp interval -1000000
set ntp
Description NTP
Syntax set ntp auth { on secret-id <secret-id> secret <secret> | off }
Parameters
Authentication with NTP servers flag
auth
Key string for authentication with the NTP servers
secret
Authentication key identifier
secret-id Type: A number with no fractional part. Values are between -
4,503,599,627,370,495 to 4,503,599,627,370,495
Example set ntp auth on secret-id -1000000 secret a(ˆ

&7Ba
set ntp server
NTP
set ntp server

Description NTP
Syntax set ntp server primary <primary>
Parameters

Primary NTP server
primary
Example set ntp server primary myHost.com
set ntp server

Description NTP
Syntax set ntp server secondary <secondary>
Parameters
Secondary NTP server
secondary
Example set ntp server secondary myHost.com
set proxy
Configure proxy settings for connecting with Check Point update and license servers
set proxy
Syntax set proxy server <server> port <port>
Parameters
The proxy port
port
Type: Port number
The proxy Host name or IP address
server
Example set proxy server myHost.com port 8080
set proxy
Syntax set proxy { enable | disable }

Parameters

A proxy server between the appliance and the Internet. This proxy server will
be used when the applianceŠs internal processes must reach a Check Point
use-proxy
server.
Example set proxy true
set qos
QoS blade basic configuration
set qos
Description QoS blade basic configuration
Syntax set qos mode <mode>

Parameters
Indicates if QoS blade is enabled
mode
Example set qos mode true

set qos
Syntax set qos default-policy [ limit-bandwidth-consuming-applications { true [
limit-upload-traffic <limit-upload-traffic> ] [ upload-limit <upload-limit>
] [ limit-download-traffic <limit-download-traffic> ] [ download-limit
<download-limit> ] | false } ] [ guarantee-bandwidth-to-configured-traffic
<guarantee-bandwidth-to-configured-traffic> [ guarantee-bandwidth-percentage
<guarantee-bandwidth-percentage> ] [ guarantee-bandwidth-traffic
<guarantee-bandwidth-traffic> ] [ guarantee-bandwidth-on-services
<guarantee-bandwidth-on-services> ] ] [ ensure-low-latency-for-delay-sensitive-services
<ensure-low-latency-for-delay-sensitive-services> ]
Example set qos default-policy limit-bandwidth-consuming-applications true
limit-upload-traffic true upload-limit -1000000 limit-download-traffic
true download-limit -1000000 guarantee-bandwidth-to-configured-traffic on
guarantee-bandwidth-percentage -1000000 guarantee-bandwidth-traffic vpn
guarantee-bandwidth-on-services all ensure-low-latency-for-delay-sensitive-services
on

set qos
Syntax set qos low-latency-traffic maximum-percentage-of-bandwidth

<maximum-percentage-of-bandwidth>
Example set qos low-latency-traffic maximum-percentage-of-bandwidth -1000000
set qos
Syntax set qos advanced-settings qos-logging <qos-logging>

Example set qos advanced-settings qos-logging true
set qos delay-sensitive-service
A group of services

Syntax set qos delay-sensitive-service add service <service>
Parameters
service Service name
Example set qos delay-sensitive-service add service TEXT

Syntax set qos delay-sensitive-service remove service <service>
Parameters

Example set qos delay-sensitive-service remove service TEXT
set qos guarantee-bandwidth-selected-services
A group of services

Syntax set qos guarantee-bandwidth-selected-services add service <service>
Parameters
Example set qos guarantee-bandwidth-selected-services add service TEXT

Syntax set qos guarantee-bandwidth-selected-services remove service <service>
Parameters
Example set qos guarantee-bandwidth-selected-services remove service TEXT

set qos-rule
set qos-rule
Syntax set qos-rule idx <idx> [ source <source> ] [ destination <destination>
] [ service <service> ] [ { [ low-latency-rule { normal [ limit-bandwidth

Parameters
: () @
diffserv-mark-val
disabled
guarantee-bandwidth
hours-range-enabled
hours-range-from
hours-range-to
idx
limit-bandwidth
limit-percentage
log
Options: none, log
low-latency-rule
name
name
position
position-above
position-below
vpn
weight

Example set qos-rule idx 3.141 source TEXT destination TEXT service TEXT
low-latency-rule normal limit-bandwidth true limit-percentage -1000000
guarantee-bandwidth true guarantee-percentage -1000000 weight -1000000
log none comment This is a comment. vpn true hours-range-enabled
true hours-range-from 23:20 hours-range-to 23:20 diffserv-mark true
diffserv-mark-val -1000000 name word position 2 disabled true
set qos-rule
Syntax set qos-rule name <name> [ source <source> ] [ destination <destination>

] [ service <service> ] [ { [ low-latency-rule { normal [ limit-bandwidth
Parameters
: () @
diffserv-mark-val
disabled
guarantee-bandwidth
hours-range-enabled
hours-range-from
hours-range-to
limit-bandwidth
limit-percentage
log
Options: none, log

low-latency-rule
name
name
position
position-above
position-below
vpn
weight
Example set qos-rule name word source TEXT destination TEXT service TEXT
low-latency-rule normal limit-bandwidth true limit-percentage -1000000
guarantee-bandwidth true guarantee-percentage -1000000 weight -1000000
log none comment This is a comment. vpn true hours-range-enabled
true hours-range-from 23:20 hours-range-to 23:20 diffserv-mark true
diffserv-mark-val -1000000 name word position 2 disabled true
set radius-server
Syntax set radius-server priority <priority> [ ipv4-address <ipv4-address> ] [

udp-port <udp-port> ] [ shared-secret <shared-secret> ] [ timeout <timeout>
]
Parameters
The IP address of the RADIUS server
ipv4-address
Type: IP address
priority
Pre-shared secret between the RADIUS server and the Appliance
shared-secret
A timeout value in seconds for communication with the RADIUS server
timeout
The port number through which the RADIUS server communicates with clients.
udp-port The default is 1812
Example set radius-server priority -1000000 ipv4-address 192.168.1.1 udp-port

-1000000 shared-secret a(ˆ
&7Ba timeout -1000000

set reach-my-device
Reach My Device
set reach-my-device
Description Reach My Device
Syntax set reach-my-device mode <mode>
Parameters
Reach my device mode - true for on, false for off
mode
Example set reach-my-device mode true
set reach-my-device
Syntax set reach-my-device host-name <host-name> [ existing-host-name

<existing-host-name> ]
Parameters
claimOccupiedName
existing-host-name
Gateway Host name (DNS Prefix)
host-name
Example set reach-my-device host-name word existing-host-name true

set reach-my-device
Syntax set reach-my-device advanced-settings ignore-ssl-cert <ignore-ssl-cert>
Example set reach-my-device advanced-settings ignore-ssl-cert true
set reach-my-device

Syntax set reach-my-device advanced-settings reach-my-device-server-addr
<reach-my-device-server-addr>
Example set reach-my-device advanced-settings reach-my-device-server-addr

http://www.checkpoint.com/
set remote-access users
Description VPN Remote Access
Syntax set remote-access users radius-auth { true [ use-radius-groups { true

radius-groups <radius-groups> | false } ] | false }
Parameters
Remote users RADIUS authentication
radius-auth
RADIUS groups for authentication. Example: RADIUS-group1, RADIUS-class2
radius-groups
Type: A string that contains [A-Z], [0-9], ’-’, ’@’, ’.’, ’_’, ’,’ and space characters
Use RADIUS groups for authentication
use-radius-groups
Example set remote-access users radius-auth true use-radius-groups true

radius-groups My group
set security-management
Syntax set security-management mode <mode>
Parameters
Indicates whether the appliance is managed locally or centrally using a Check
mode Point management server
Options: locally-managed, centrally-managed
Example set security-management mode locally-managed
set serial-port
Serial port

set serial-port
Description Serial port
Syntax set serial-port [ port-speed <port-speed> ] [ flow-control <flow-control> ]

[ disabled <disabled> ] [ mode <mode> ]
Parameters
disabled Indicates if the serial port is disabled
flow-control Indicates the method of data flow control to and from the serial port
Indicates if the serial port is used to connect to the appliance’s console, a remote
mode telnet server or allow a remote telnet connection to the device connected to the
serial port.
port-speed Indicates the port speed (Baud Rate) of the serial connection
Example set serial-port port-speed 9600 flow-control rts-cts disabled on mode

console
set serial-port
Syntax set serial-port passive-mode [ tcp-port <tcp-port> ] [ allow-implicitly

<allow-implicitly> ]
Example set serial-port passive-mode tcp-port 8080 allow-implicitly true
set serial-port
Syntax set serial-port active-mode [ tcp-port <tcp-port> ] [ primary-server-address
<primary-server-address> ] [ secondary-server-address <secondary-server-address>
]
Example set serial-port active-mode tcp-port 8080 primary-server-address myHost.com

secondary-server-address myHost.com
set server server-access

Syntax set server server-access <name> [ access-zones { blocked [
trusted-zone-lan <trusted-zone-lan> ] [ trusted-zone-vpn-users
<trusted-zone-vpn-users> ] [ trusted-zone-trusted-wireless-networks
<trusted-zone-trusted-wireless-networks> ] [ trusted-zone-dmz
<trusted-zone-dmz> ] [ trusted-zone-vpn-sites <trusted-zone-vpn-sites>
] | allowed } ] [ allow-ping-to-server <allow-ping-to-server> ] [
log-blocked-connections <log-blocked-connections> ] [ log-accepted-connections
<log-accepted-connections> ]
Parameters
Zones the server is accessible from by default (accept all by default, accept
only from configured zones, or define no server-specific default access policy).
access-zones
Manual policy rules will override this policy.
indicates of default access policy will work on ICMP traffic as well as defined
allow-ping-to-server ports. This option will not work on multiple ports hidden behind the gateway.
Indicates if connections that are accepted by the default access policy to the
log-accepted- server are logged
connections Options: none, log
Indicates if connections that are blocked by the default access policy to the
log-blocked- server are logged
connections Options: none, log
Server object name
Indicates if traffic from the DMZ network to the server is allowed or blocked by
trusted-zone-dmz default
Options: blocked, allowed
Indicates if traffic from Physical internal networks (LAN ports) to the server is
trusted-zone-lan allowed or blocked by default
Indicates if traffic from trusted wireless networks to the server is allowed or
trusted-zone-trusted- blocked by default
wireless-networks Options: blocked, allowed
Indicates if encrypted traffic from remote VPN sites to the server is allowed or
trusted-zone-vpn-sites blocked by default
Indicates if encrypted traffic from VPN remote access users to the server is
trusted-zone-vpn- allowed or blocked by default
users Options: blocked, allowed
Example set server server-access myObject_17 access-zones blocked trusted-zone-lan

blocked trusted-zone-vpn-users blocked trusted-zone-trusted-wireless-networks
blocked trusted-zone-dmz blocked trusted-zone-vpn-sites blocked
allow-ping-to-server true log-blocked-connections none log-accepted-connections
none
set server server-nat-settings

Syntax set server server-nat-settings <name> [ nat-settings { static-nat [
static-nat-ipv4-address <static-nat-ipv4-address> ] [ static-nat-for-outgoing-traffic
<static-nat-for-outgoing-traffic> ] | port-forwarding } ] [
port-address-translation <port-address-translation> ] [ port-address-translation-external
<port-address-translation-external-port> ] [ force-source-hide-nat
<force-source-hide-nat > ]
Parameters
Allow access from internal networks to the external IP address of the server via
force-source-hide-nat local switch
Server object name
Indicates the general NAT settings configured (no NAT, hide behind the gate-
nat-settings way’s external IP address or use a different external IP address)
For servers with a single port, indicates if the external port is not the same as
port-address- the internal port.
translation Type: Boolean (true/false)
For servers with a single port, indicates the external port that is used to forward
port-address- traffic to the server
translation-external- Type: Port number
port
indicates if outgoing traffic from the server using static NAT will be hidden behind
static-nat-for- the configured external IP address without a port change
outgoing-traffic Type: Boolean (true/false)
For servers using static NAT, the external IP address used to forward traffic to
static-nat-ipv4- the server
address Type: IP address
Example set server server-nat-settings myObject_17 nat-settings static-nat

static-nat-ipv4-address 192.168.1.1 static-nat-for-outgoing-traffic true
port-address-translation true port-address-translation-external-port 8080
force-source-hide-nat true
set server server-network-settings
Syntax set server server-network-settings <name> [ name <name> ] [

dhcp-exclude-ip-addr { on [ dhcp-reserve-ip-addr-to-mac { on mac-addr
<mac-addr> | off } ] | off } ] [ comments <comments> ] [ dns-resolving
<dns-resolving> ] [ ipv4-address <ipv4-address> ]
Parameters
Comments
: () @

Indicates if the internal DHCP service will not distribute the configured IP ad-
dhcp-exclude-ip-addr dress of this server/network object to anyone
Indicates if the internal DHCP service will distribute the configured IP address
dhcp-reserve-ip-addr- only to this server/network object according to its MAC address
to-mac Type: Press TAB to see available options
MAC address of the server
mac-addr
Type: MAC address
Server object name
Example set server server-network-settings myObject_17 name myObject_17

dhcp-exclude-ip-addr on dhcp-reserve-ip-addr-to-mac on mac-addr
00:1C:7F:21:05:BE comments This is a comment. dns-resolving true ipv4-address
192.168.1.1
set server server-ports
Syntax set server server-ports <name> [ web-server { true service-http { true

[ service-http-ports <service-http-ports> ] | false } service-https {
true [ service-https-ports <service-https-ports> ] | false } | false
} ] [ mail-server { true service-smtp { true [ service-smtp-ports
<service-smtp-ports> ] | false } service-pop3 { true [ service-pop3-ports
<service-pop3-ports> ] | false } service-imap { true [ service-imap-ports
<service-imap-ports> ] | false } | false } ] [ dns-server { true service-dns
{ true [ service-dns-porst <service-dns-porst> ] | false } | false } ] [
ftp-server { true service-ftp { true [ service-ftp-ports <service-ftp-ports>
] | false } | false } ] [ citrix-server { true service-citrix { true [
service-citrix-ports <service-citrix-ports> ] | false } | false } ] [
pptp-server { true service-pptp-selected { true [ service-pptp-ports
<service-pptp-ports> ] | false } | false } ] [ custom-server { true [
tcpProtocol <tcpProtocol> [ tcp-ports <tcp-ports> ] udpProtocol <udpProtocol>
[ udp-ports <udp-ports> ] ] | false } ]
Parameters
citrix-server Indicates a Citrix server (for each type we provide default but configurable ports)
custom-server Server type custom
dns-server Indicates a DNS server (for each type we provide default but configurable ports)
ftp-server Indicates a FTP server (for each type we provide default but configurable ports)
mail-server Indicates a mail server (for each type we provide default but configurable ports)
Server object name

Indicates a PPTP server (for each type we provide default but configurable
pptp-server
ports)
service-citrix Indicates if ports are defined for Citrix (for a Citrix server)
service-citrix-ports Configured ports for Citrix (for a Citrix server)
service-dns Indicates if ports are defined for DNS (for a DNS server)
service-dns-porst Configured ports for DNS (for a DNS server)
service-ftp Indicates if ports are defined for FTP (for a FTP server)
service-ftp-ports Configured ports for FTP (for a FTP server)
service-http Indicates if ports are defined for HTTP (for a web server)
service-http-ports Configured ports for HTTP (for a web server)
service-https Indicates if ports are defined for HTTPS (for a web server)
service-https-ports Configured ports for HTTPS (for a web server)
service-imap Indicates if ports are defined for IMAP (for a mail server)
service-imap-ports Configured ports for IMAP (for a web server)
service-pop3 Indicates if ports are defined for POP3 (for a mail server)
service-pop3-ports Configured ports for POP3 (for a web server)
service-pptp-ports Configured ports for PPTP (for a PPTP server)
service-pptp-selected Indicates if ports are defined for PPTP (for a PPTP server)
service-smtp Indicates if ports are defined for SMTP (for a mail server)
service-smtp-ports Configured ports for SMTP (for a web server)
TCP ports for server of type ’other’
tcp-ports
Type: Port range
tcpProtocol
tcpProtocol
UDP ports for server of type ’other’
udp-ports
Type: Port range
udpProtocol
udpProtocol
web-server Indicates a web server (for each type we provide default but configurable ports)
Example set server server-ports myObject_17 web-server true service-http true

service-http-ports 8080-8090 service-https true service-https-ports 8080-8090
mail-server true service-smtp true service-smtp-ports 8080-8090 service-pop3
true service-pop3-ports 8080-8090 service-imap true service-imap-ports
8080-8090 dns-server true service-dns true service-dns-porst 8080-8090
ftp-server true service-ftp true service-ftp-ports 8080-8090 citrix-server
true service-citrix true service-citrix-ports 8080-8090 pptp-server true
service-pptp-selected true service-pptp-ports 8080-8090 custom-server true
tcpProtocol true tcp-ports 8080-8090 udpProtocol true udp-ports 8080-8090
set service-group
A group of services
set service-group
Syntax set service-group <name> [ new-name <new-name> ] [ comments <comments> ]
Parameters

Comments and explanation about the Service Group
: () @
Service Group name
Service Group name
Example set service-group myObject_17 new-name myObject_17 comments This is a

comment.
set service-group
Syntax set service-group <name> remove-all members
Parameters
Service Group name
Example set service-group myObject_17 remove-all members
set service-group
Syntax set service-group <name> add member <member>
Parameters
member Service name
Service Group name
Example set service-group myObject_17 add member TEXT

set service-group

Syntax set service-group <name> remove member <member>
Parameters
member Service name
Service Group name
Example set service-group myObject_17 remove member TEXT
set service-icmp
Syntax set service-icmp <name> [ name <name> ] [ icmp-code <icmp-code> ] [

icmp-type <icmp-type> ] [ comments <comments> ]
Parameters
: () @
ICMP code
icmp-code
ICMP message type
icmp-type
Service name
name
Type: String
Example set service-icmp TEXT name TEXT icmp-code -1000000 icmp-type -1000000
comments This is a comment.
set service-protocol
Syntax set service-protocol <name> [ name <name> ] [ ip-protocol <ip-protocol> ] [

comments <comments> ] [ session-timeout <session-timeout> ] [ accept-replies
<accept-replies> ] [ sync-connections-on-cluster <sync-connections-on-cluster>
] [ match <match> ] [ aggressive-aging-enable <aggressive-aging-enable> ] [
aggressive-aging-timeout <aggressive-aging-timeout> ]
Parameters
accept-replies Specifies if service replies are to be accepted

Enable to manage the connections table capacity and memory consumption of
aggressive-aging-
the firewall to increase durability and stability
enable
aggressive-aging- Time (in seconds) before the aggressive aging times out
timeout
: () @
IP Protocol number
ip-protocol
INSPECT expression that searches for a pattern in a packet, only relevant for
match
services of type ’other’
Service name
name
Type: String
session-timeout Time (in seconds) before the session times out
Enables state-synchronized High Availability or Load Sharing on a ClusterXL
or OPSEC-certified cluster. Of the services allowed by the rule base, only
sync-connections-on-
those with synchronize connections on cluster will be synchronized as they pass
cluster
through the cluster
Example set service-protocol TEXT name TEXT ip-protocol -1000000 comments

This is a comment. session-timeout -1000000 accept-replies true
sync-connections-on-cluster true match TEXT aggressive-aging-enable true
aggressive-aging-timeout -1000000
set service-tcp
Syntax set service-tcp <name> [ name <name> ] [ port <port> ] [

comments <comments> ] [ session-timeout <session-timeout> ] [
sync-connections-on-cluster <sync-connections-on-cluster> ] [
sync-delay-enable <sync-delay-enable> ] [ delay-sync-interval
<delay-sync-interval> ] [ aggressive-aging-enable <aggressive-aging-enable>
] [ aggressive-aging-timeout <aggressive-aging-timeout> ] [ use-source-port {
false | true source-port <source-port> } ]
Parameters
aggressive-aging-
enable
timeout
: () @
delay-sync-interval Time (in seconds) after connection initiation to start synchronizing connections
Service name
name
Type: String
port
Type: Port range

source-port Source port
cluster
through the cluster
sync-delay-enable True to delay connections synchronization
use-source-port Use source port
Example set service-tcp TEXT name TEXT port 8080-8090 comments This is a
comment. session-timeout -1000000 sync-connections-on-cluster true
sync-delay-enable true delay-sync-interval -1000000 aggressive-aging-enable
true aggressive-aging-timeout -1000000 use-source-port false source-port 8080
set service-udp
Syntax set service-udp <name> [ name <name> ] [ port <port> ] [ comments <comments>
] [ session-timeout <session-timeout> ] [ accept-replies <accept-replies>
] [ sync-connections-on-cluster <sync-connections-on-cluster> ] [
aggressive-aging-enable <aggressive-aging-enable> ] [ aggressive-aging-timeout
<aggressive-aging-timeout> ]
Parameters
accept-replies Specifies if service replies are to be accepted
aggressive-aging-
enable
timeout
: () @
Service name
name
Type: String
port
Type: Port range
cluster
through the cluster
Example set service-udp TEXT name TEXT port 8080-8090 comments This is a comment.
session-timeout -1000000 accept-replies true sync-connections-on-cluster true
aggressive-aging-enable true aggressive-aging-timeout -1000000

set snmp
SNMP version3 user configuration options for: security level, authentication settings and passwords
set snmp
Syntax set snmp user <user> security-level { true [ auth-pass-type

<auth-pass-type> ] [ auth-pass-phrase <auth-pass-phrase> ] [ privacy-pass-type
<privacy-pass-type> ] [ privacy-pass-phrase <privacy-pass-phrase> ] | false [
auth-pass-type <auth-pass-type> ] [ auth-pass-phrase <auth-pass-phrase> ] }
Parameters
Authentication password for the SNMP version3 user
auth-pass-phrase
Authentication protocol type for the version3 user, options are: MD5 or SHA1
auth-pass-type
Options: MD5, SHA1
Privacy password chosen by the version3 user in case privacy is set
privacy-pass-phrase
Privacy protocol type for the version3 user, options are: AES or DES
privacy-pass-type
Options: AES, DES
Does Privacy protocol for this version3 user was set in the security level
security-level
version3 user name
user
Example set snmp user admin security-level true auth-pass-type MD5 auth-pass-phrase
a(ˆ
&7Ba privacy-pass-type AES privacy-pass-phrase a(ˆ
&7Ba
set snmp
Syntax set snmp [ agent <agent> ] [ agent-version <agent-version> ] [ community

<community> ] [ contact <contact> ] [ location <location> ]
Parameters
Is SNMP option enabled or disabled, disabled is the default
agent
Is the defined SNMP version is version3 only
agent-version
Community name of the SNMP, public is the default
community
System contact name, maximum length is 128
contact Type: A string that contains less than 257 characters, of this set: 0-9, a-z or , . -
: () @
System location name
location Type: A string that contains less than 257 characters, of this set: 0-9, a-z or , . -
: () @

Example set snmp agent true agent-version true community word contact This is a
comment. location This is a comment.
set snmp traps
Configure, enable or disable traps from the list, the enabled traps are sent to the trap receivers
set snmp traps

Description Configure, enable or disable traps from the list, the enabled traps are sent to the trap receivers
Syntax set snmp traps { enable | disable }

Parameters
snmpTrapsEnable
snmpTrapsEnable
Example set snmp traps true
set snmp traps

Syntax set snmp traps trap-name <trap-name> [ enable <enable> ] [ severity
<severity> ] [ repetitions <repetitions> ] [ repetitions-delay
<repetitions-delay> ] [ threshold <threshold> ]
Parameters
Enable or disable whether a trap is sent for the specific event
enable
Repetitions on trap sending times between 0 - 10, optional field
repetitions
Wait time (in seconds) between sending each trap, optional field
repetitions-delay
Trap hazardous level, optional field, severity of the trap between 1 - 4
severity
The mathematical value associated with the thresholds
threshold
Trap event name
trap-name
Options: trap-name
Example set snmp traps trap-name interface-disconnected enable true severity

-1000000 repetitions -1000000 repetitions-delay -1000000 threshold -1000000

set snmp traps
Syntax set snmp traps receiver <receiver> version { v2 [ community <community> ] |

v3 [ user <user> ] }
Parameters
Community name of the receivers trap, public is default for version2 users
community
receiver
Type: IP address
user SNMP version3 Defined users
SNMP Version number, options are: v2 or v3
version
Example set snmp traps receiver 192.168.1.1 version v2 community word
set static-route
Syntax set static-route <id> [ source <source> ] [ service <service> ] [

destination <destination> ] [ nexthop gateway { logical <logical> |
ipv4-address <ipv4-address> } ] [ metric <metric> ] [ disabled <disabled> ]
Parameters
IP address and subnet length of the destination of the packet in the format
destination IP/subnet. e.g. 192.168.0.0/16
Is rule disabled
disabled
id
id
Metric
metric
Route service name
service
Type: String
IP address and subnet length of the source of the packet in the format IP/subnet.
source e.g. 192.168.1.0/24
Example set static-route -1000000 source 172.15.47.0/24 service TEXT destination

172.15.47.0/24 nexthop gateway logical My_Network metric -1000000 disabled
true

set streaming-engine-settings
Streaming engine settings
Syntax set streaming-engine-settings [ tcp-block-out-of-win-mon-only

<tcp-block-out-of-win-mon-only> ] [ tcp-block-out-of-win-track
<tcp-block-out-of-win-track> ] [ tcp-block-retrans-err-mon-only
<tcp-block-retrans-err-mon-only> ] [ tcp-block-retrans-err-track
<tcp-block-retrans-err-track> ] [ tcp-block-syn-retrans-mon-only
<tcp-block-syn-retrans-mon-only> ] [ tcp-block-syn-retrans-track
<tcp-block-syn-retrans-track> ] [ tcp-block-urg-bit-mon-only
<tcp-block-urg-bit-mon-only> ] [ tcp-block-urg-bit-track <tcp-block-urg-bit-track>
] [ tcp-hold-timeout-mon-only <tcp-hold-timeout-mon-only> ] [
tcp-hold-timeout-track <tcp-hold-timeout-track> ] [ tcp-invalid-checksum-mon-only
<tcp-invalid-checksum-mon-only> ] [ tcp-invalid-checksum-track
<tcp-invalid-checksum-track> ] [ tcp-segment-limit-mon-only
<tcp-segment-limit-mon-only> ] [ tcp-segment-limit-track <tcp-segment-limit-track>
]
Parameters
TCP Out of Sequence activation mode
tcp-block-out-of-win-
Options: prevent, detect
mon-only
TCP Out of Sequence tracking
tcp-block-out-of-win-
track
TCP Invalid Retransmission activation mode
tcp-block-retrans-err-
mon-only
TCP Invalid Retransmission tracking
tcp-block-retrans-err-
track
TCP SYN Modified Retransmission activation mode
tcp-block-syn-retrans-
mon-only
TCP SYN Modified Retransmission tracking
tcp-block-syn-retrans-
track
TCP Urgent Data Enforcement activation mode
tcp-block-urg-bit-mon-
only
TCP Urgent Data Enforcement tracking
tcp-block-urg-bit-track
Stream Inspection Timeout activation mode
tcp-hold-timeout-mon-
only
Stream Inspection Timeout tracking
tcp-hold-timeout-track
TCP Invalid Checksum activation mode
tcp-invalid-checksum-
mon-only
TCP Invalid Checksum tracking
tcp-invalid-checksum-
track

TCP Segment Limit Enforcement activation mode
tcp-segment-limit-
mon-only
TCP Segment Limit Enforcement tracking
tcp-segment-limit-
track
Example set streaming-engine-settings tcp-block-out-of-win-mon-only prevent

tcp-block-out-of-win-track none tcp-block-retrans-err-mon-only prevent
tcp-block-retrans-err-track none tcp-block-syn-retrans-mon-only
prevent tcp-block-syn-retrans-track none tcp-block-urg-bit-mon-only
prevent tcp-block-urg-bit-track none tcp-hold-timeout-mon-only prevent
tcp-hold-timeout-track none tcp-invalid-checksum-mon-only prevent
tcp-invalid-checksum-track none tcp-segment-limit-mon-only prevent
tcp-segment-limit-track none
Syntax set streaming-engine-settings advanced-settings tcp-streaming-engine-setting-form

[ tcp-block-urg-bit-track <tcp-block-urg-bit-track> ] [ tcp-block-retrans-err-track
<tcp-block-retrans-err-track> ] [ tcp-block-syn-retrans-track
<tcp-block-syn-retrans-track> ] [ tcp-invalid-checksum-track
<tcp-invalid-checksum-track> ] [ tcp-block-out-of-win-mon-only
<tcp-block-out-of-win-mon-only> ] [ tcp-block-out-of-win-track
<tcp-block-out-of-win-track> ] [ tcp-block-retrans-err-mon-only
<tcp-block-retrans-err-mon-only> ] [ tcp-block-syn-retrans-mon-only
<tcp-block-syn-retrans-mon-only> ] [ tcp-invalid-checksum-mon-only
<tcp-invalid-checksum-mon-only> ] [ tcp-segment-limit-track
<tcp-segment-limit-track> ] [ tcp-block-urg-bit-mon-only <tcp-block-urg-bit-mon-only>
] [ tcp-segment-limit-mon-only <tcp-segment-limit-mon-only> ]
[ tcp-hold-timeout-mon-only <tcp-hold-timeout-mon-only> ] [
tcp-hold-timeout-track <tcp-hold-timeout-track> ]
Example set streaming-engine-settings advanced-settings tcp-streaming-engine-setting-form

tcp-block-urg-bit-track none tcp-block-retrans-err-track none
tcp-block-syn-retrans-track none tcp-invalid-checksum-track none
tcp-block-out-of-win-mon-only prevent tcp-block-out-of-win-track none
tcp-block-retrans-err-mon-only prevent tcp-block-syn-retrans-mon-only
prevent tcp-invalid-checksum-mon-only prevent tcp-segment-limit-track
none tcp-block-urg-bit-mon-only prevent tcp-segment-limit-mon-only prevent
tcp-hold-timeout-mon-only prevent tcp-hold-timeout-track none
set switch
Switch

set switch
Description Switch
Syntax set switch <name> add port <port>
Parameters
Name
name
port Name
Example set switch LAN2_Switch add port My_Network
set switch
Description Switch
Syntax set switch <name> remove port <port>
Parameters
Name
name
port Name
Example set switch LAN2_Switch remove port My_Network
set threat-prevention anti-bot engine
Description Anti-Bot engine
Syntax set threat-prevention anti-bot engine [ malicious-activity

<malicious-activity> ] [ reputation-domains <reputation-domains> ] [
reputation-ips <reputation-ips> ] [ reputation-urls <reputation-urls> ] [
unusual-activity <unusual-activity> ]
Parameters
Indicates if the action upon detecting malicious activity will be according to the
malicious-activity policy settings or a manually configured specific action
Options: ask, prevent, detect, inactive, policy-action
Indicates if the action upon detecting attempted access to domains with a bad
reputation-domains reputation will be according to the policy or a manually configured specific action
Indicates if the action upon detecting attempted access to IP addresses with a
bad reputation will be according to the policy or a manually configured specific
reputation-ips
action

Indicates if the action upon detecting attempted access to URLs with a bad
reputation-urls reputation will be according to the policy or a manually configured specific action
Indicates if the action upon detecting unusual activity will be according to the
unusual-activity policy or a manually configured specific action
Example set threat-prevention anti-bot engine malicious-activity ask

reputation-domains ask reputation-ips ask reputation-urls ask unusual-activity
ask
set threat-prevention anti-bot policy
Threat Prevention Anti-Bot policy

Description Threat Prevention Anti-Bot policy
Syntax set threat-prevention anti-bot policy [ mode <mode> ] [ detect-mode

<detect-mode> ]
Parameters
Indicates if the Anti-Bot blade is set to ’Detect Only’ mode
detect-mode
Indicates if the Anti-Bot blade is active
mode
Example set threat-prevention anti-bot policy mode true detect-mode true

Syntax set threat-prevention anti-bot policy advanced-settings res-class-mode

<res-class-mode>
Example set threat-prevention anti-bot policy advanced-settings res-class-mode

rs-hold

set threat-prevention anti-bot user-check ask
the desired action
Syntax set threat-prevention anti-bot user-check ask [ body <body> ] [

activity-text <activity-text> ] [ fallback-action <fallback-action> ]
[ frequency <frequency> ] [ subject <subject> ] [ title <title> ] [
reason-displayed <reason-displayed> ]
Parameters
This text appears next to the ’ignore warning’ checkbox of an Anti-Bot ’Ask’ user
activity-text message
The informative text that appears in the Anti-Bot ’Ask’ user message
body
Indicates the action to take when an ’Ask’ user message cannot be displayed
fallback-action
Indicates how often is the Anti-Bot ’Ask’ user message is being presented to the
frequency same user
The subject of an Anti-Bot ’Ask’ user message
subject
The title of an Anti-Bot ’Ask’ user message
title
Example set threat-prevention anti-bot user-check ask body My Network activity-text

My Network fallback-action block frequency day subject My Network title My
Network reason-displayed true
set threat-prevention anti-bot user-check block
the desired action
Syntax set threat-prevention anti-bot user-check block [ body <body> ] [

redirect-url <redirect-url> ] [ subject <subject> ] [ title <title> ] [
redirect-to-url <redirect-to-url> ]
Parameters
The informative text that appears in the Anti-Bot ’Block’ user message
body
redirect-to-url
redirect-url
Type: urlWithHttp

The subject of an Anti-Bot ’Block’ user message
subject
The title of an Anti-Bot ’Block’ user message
title
Example set threat-prevention anti-bot user-check block body My Network

redirect-url urlWithHttp subject My Network title My Network redirect-to-url
true
set threat-prevention anti-virus engine
Description Anti-Virus engine
Syntax set threat-prevention anti-virus engine [ urls-with-malware

<urls-with-malware> ] [ viruses <viruses> ]
Parameters
Indicates if the action upon detecting access to and from URLs with a bad rep-
urls-with-malware utation will be according to the policy or a manually configured specific action
Indicates if the action upon detecting viruses will be according to the policy or a
viruses manually configured specific action
Example set threat-prevention anti-virus engine urls-with-malware ask viruses ask
set threat-prevention anti-virus file-type
Syntax set threat-prevention anti-virus file-type extension <extension> [ action

<action> ] [ description <description> ]
Parameters
Indicates the action when the file type is detected
action
Options: block, pass, scan
The file description
: () @
: () @
Example set threat-prevention anti-virus file-type extension This is a comment.

action block description This is a comment.

set threat-prevention anti-virus policy
Threat Prevention Anti-Virus policy

Description Threat Prevention Anti-Virus policy
Syntax set threat-prevention anti-virus policy [ mode <mode> ] [ detect-mode

<detect-mode> ] [ scope <scope> [ interfaces <interfaces> ] ] [ protocol-http
<protocol-http> ] [ protocol-mail <protocol-mail> ] [ protocol-ftp
<protocol-ftp> ] [ file-types-policy <file-types-policy> ]
Parameters
Indicates if the Anti-Virus blade is set to ’Detect Only’ mode
detect-mode
Indicates the file types that are inspected by the Anti-Virus blade: malware
file-types-policy (known to contain malware), all (all file types), specific (configured file families)
Options: malware, all-types, specific-families
Indicates the source zones for inspected incoming files: External, External and
interfaces DMZ or all interfaces
Options: all, external, external-dmz
Indicates if the Anti-Virus blade is active
mode
Indicates if Anti-Virus inspection will be performed on FTP traffic
protocol-ftp
Indicates if Anti-Virus inspection will be performed on all configured ports of
protocol-http HTTP traffic
Indicates if Anti-Virus inspection will be performed on mail traffic (SMTP and
protocol-mail POP3)
Indicates the source of scanned filed: Scan incoming files, or scan both incom-
scope ing and outgoing files
Options: incoming, incoming-and-outgoing
Example set threat-prevention anti-virus policy mode true detect-mode true scope
incoming interfaces all protocol-http true protocol-mail true protocol-ftp
true file-types-policy malware

Syntax set threat-prevention anti-virus policy advanced-settings priority-scanning

<priority-scanning>

Example set threat-prevention anti-virus policy advanced-settings priority-scanning
true

Syntax set threat-prevention anti-virus policy advanced-settings file-scan-size-kb
<file-scan-size-kb>
Example set threat-prevention anti-virus policy advanced-settings file-scan-size-kb
-1000000

Syntax set threat-prevention anti-virus policy advanced-settings max-nesting-level
<max-nesting-level>
Example set threat-prevention anti-virus policy advanced-settings max-nesting-level
-1000000

Syntax set threat-prevention anti-virus policy advanced-settings
action-when-nesting-level-exceeded <action-when-nesting-level-exceeded>
Example set threat-prevention anti-virus policy advanced-settings
action-when-nesting-level-exceeded allow

Syntax set threat-prevention anti-virus policy advanced-settings res-class-mode
<res-class-mode>
Example set threat-prevention anti-virus policy advanced-settings res-class-mode
rs-hold

set threat-prevention anti-virus user-check ask
the desired action
Syntax set threat-prevention anti-virus user-check ask [ body <body> ] [

activity-text <activity-text> ] [ fallback-action <fallback-action> ]
[ frequency <frequency> ] [ subject <subject> ] [ title <title> ] [
reason-displayed <reason-displayed> ]
Parameters
This text appears next to the ’ignore warning’ checkbox of an Anti-Virus ’Ask’
activity-text user message
The informative text that appears in the Anti-Virus ’Ask’ user message
body
Indicates the action to take when an ’Ask’ user message cannot be displayed
fallback-action
Indicates how often is the Anti-Virus ’Ask’ user message is being presented to
frequency the same user
The subject of an Anti-Virus ’Ask’ user message
subject
The title of an Anti-Virus ’Ask’ user message
title
Example set threat-prevention anti-virus user-check ask body My Network

activity-text My Network fallback-action block frequency day subject My
Network title My Network reason-displayed true
set threat-prevention anti-virus user-check block
the desired action
Syntax set threat-prevention anti-virus user-check block [ body <body> ] [

redirect-url <redirect-url> ] [ subject <subject> ] [ title <title> ] [
redirect-to-url <redirect-to-url> ]
Parameters
The informative text that appears in the Anti-Virus ’Block’ user message
body
redirect-to-url
redirect-url
Type: urlWithHttp

The subject of an Anti-Virus ’Block’ user message
subject
The title of an Anti-Virus ’Block’ user message
title
Example set threat-prevention anti-virus user-check block body My Network

redirect-url urlWithHttp subject My Network title My Network redirect-to-url
true
set threat-prevention exception
Syntax set threat-prevention exception name <name> [ comment <comment> ] [ scope

<scope> ] [ protection <protection> ] [ action <action> ] [ log <log> ] [
new-name <new-name> ]
Parameters
action
: () @
name
new-name
Example set threat-prevention exception name word comment This is a comment. scope
TEXT protection any action ask log none new-name word
set threat-prevention exception position

Syntax set threat-prevention exception position <position> [ comment <comment> ] [
scope <scope> ] [ protection <protection> ] [ action <action> ] [ log <log> ]
[ new-name <new-name> ]
Parameters

action
: () @
new-name
position
Example set threat-prevention exception position 2 comment This is a comment.

scope TEXT protection any action ask log none new-name word
set threat-prevention ips custom-default-policy
Description Configure the custom default policy if chosen as custom
Syntax set threat-prevention ips custom-default-policy [ server-protections

<server-protections> ] [ client-protections <client-protections> ]
[ disable-by-confidence-level <disable-by-confidence-level > ] [
disable-confidence-level-below-or-equal <disable-confidence-level-below-or-equal>
] [ disable-by-severity <disable-by-severity> ] [ disable-severity-below-or-equal
<disable-severity-below-or-equal> ] [ disable-by-performance-impact
<disable-by-performance-impact> ] [ disable-performance-impact-above-or-equal
<disable-performance-impact-above-or-equal> ] [ disable-protocol-anomalies
<disable-protocol-anomalies> ]
Parameters
Indicates if Client protections are active by default
client-protections
Indicates if protections will be deactivated if their confidence level is below or
disable-by- equal configured level
confidence-level Type: Boolean (true/false)
Indicates if protections will be deactivated if their performance impact is above
disable-by- or equal configured level
performance-impact Type: Boolean (true/false)
Indicates if protections will be deactivated if their severity is below or equal con-
disable-by-severity figured level
If configured, protections will be deactivated according to this confidence level
disable-confidence-
Options: Low, Medium-low, Medium, Medium-high, High
level-below-or-equal

If configured, protections will be deactivated according to this performance im-
disable-performance- pact level
impact-above-or-equal Options: Very-low, Low, Medium, High
Do not activate protocol anomaly detection signatures
disable-protocol-
anomalies
If configured, protections will be deactivated according to this severity level
disable-severity-
Options: Low, Medium, High, Critical
below-or-equal
Indicates if Server protections are active by default
server-protections
Example set threat-prevention ips custom-default-policy server-protections

true client-protections true disable-by-confidence-level true
disable-confidence-level-below-or-equal Low disable-by-severity true
disable-severity-below-or-equal Low disable-by-performance-impact true
disable-performance-impact-above-or-equal Very-low disable-protocol-anomalies
true
set threat-prevention ips network-exception

Syntax set threat-prevention ips network-exception position <position>

[ protection-code <protection-code> ] [ destination <destination> ]
[ destination-negate <destination-negate> ] [ service <service> ] [
service-negate <service-negate> ] [ source <source> ] [ source-negate
<source-negate> ] [ comment <comment> ]
Parameters
: () @
destination-negate
position
protection-code Indicates if the exception rule will be matched on all IPS protections or a specific
one
service-negate
source-negate

Example set threat-prevention ips network-exception position 2 protection-code
-1000000 destination TEXT destination-negate true service TEXT service-negate
true source TEXT source-negate true comment This is a comment.

Syntax set threat-prevention ips network-exception position <position>

protection-name <protection-name> [ destination <destination> ] [
destination-negate <destination-negate> ] [ service <service> ] [
service-negate <service-negate> ] [ source <source> ] [ source-negate
<source-negate> ] [ comment <comment> ]
Parameters
: () @
destination-negate
position
protection-name Indicates if the exception rule will be matched on all IPS protections or a specific
one
service-negate
source-negate
Example set threat-prevention ips network-exception position 2 protection-name

word destination TEXT destination-negate true service TEXT service-negate true
set threat-prevention ips policy
Description Threat Prevention IPS global policy
Syntax set threat-prevention ips policy [ mode <mode> ] [ log <log> ] [

default-policy <default-policy> ] [ detect-mode <detect-mode> ]
Parameters
default-policy The type of policy used for IPS - strict, typical or custom
Indicates if the default policy of IPS is to only logs events and not block them
detect-mode

Indicates the tracking level for IPS - none, block or alert
log
Indicates if IPS blade is active
mode
Example set threat-prevention ips policy mode true log none default-policy word
detect-mode true
set threat-prevention ips protection-action-override
IPS topic view

Syntax set threat-prevention ips protection-action-override protection-code

<protection-code> [ action <action> ] [ track <track> ]
Parameters
action Indicates the manually configured action for this protection
The IPS topic the override belongs to. Every override belongs to a single topic
protection-code Type: A number with no fractional part. Values are between -
4,503,599,627,370,495 to 4,503,599,627,370,495
track Indicates the manually configured tracking option for this protection
Example set threat-prevention ips protection-action-override protection-code

-1000000 action prevent track none

Syntax set threat-prevention ips protection-action-override protection-name

<protection-name> [ action <action> ] [ track <track> ]
Parameters
action Indicates the manually configured action for this protection
protection-name
track Indicates the manually configured tracking option for this protection
Example set threat-prevention ips protection-action-override protection-name word

action prevent track none


Syntax set threat-prevention ips protection-action-override protection-code

<protection-code> override-policy-action <override-policy-action>
Parameters
Indicates if the action upon detection will be according to the general IPS policy
override-policy-action or manually configured for this protection
4,503,599,627,370,495 to 4,503,599,627,370,495
Example set threat-prevention ips protection-action-override protection-code

-1000000 override-policy-action true

Syntax set threat-prevention ips protection-action-override protection-name

<protection-name> override-policy-action <override-policy-action>
Parameters
Indicates if the action upon detection will be according to the general IPS policy
override-policy-action or manually configured for this protection
protection-name
Example set threat-prevention ips protection-action-override protection-name word

override-policy-action true
set threat-prevention policy
Policy for Threat Prevention, shared by Anti-Virus and Anti-Bot

Description Policy for Threat Prevention, shared by Anti-Virus and Anti-Bot

Syntax set threat-prevention policy [ high-confidence <high-confidence> ] [
medium-confidence <medium-confidence> ] [ low-confidence <low-confidence> ]
[ performance-impact <performance-impact> ] [ track <track> ]
Parameters
Indicates the default action for Threat Prevention protections with a high confi-
high-confidence dence level
Indicates the default action for Threat Prevention protections with a low confi-
low-confidence dence level
Indicates the default action for Threat Prevention protections with a medium
medium-confidence confidence level
Indicates the allowed performance impact of active Threat Prevention protec-
performance-impact tions by default
Options: low, medium, high
Tracking options for Threat Prevention protections: None - do not log, Log -
track Create log, Alert - log with alert
Example set threat-prevention policy high-confidence ask medium-confidence ask

low-confidence ask performance-impact low track none

Syntax set threat-prevention policy advanced-settings fail-mode <fail-mode>
Example set threat-prevention policy advanced-settings fail-mode allow-all-requests

Syntax set threat-prevention policy advanced-settings block-requests-when-the-web-service-is-u

<block-requests-when-the-web-service-is-unavailable>
Example set threat-prevention policy advanced-settings block-requests-when-the-web-service-is-

true

set threat-prevention-advanced
Description Advanced settings for Threat Prevention
Syntax set threat-prevention-advanced advanced-settings file-inspection-size-kb

<file-inspection-size-kb>
Example set threat-prevention-advanced advanced-settings file-inspection-size-kb

-1000000
set ui-settings
Web Interface Settings and Customizations
set ui-settings
Syntax set ui-settings [ use-custom-webui-logo <use-custom-webui-logo> ] [

custom-webui-logo-url <custom-webui-logo-url> ]
Parameters
Clicking the company logo in the web interface opens this URL
custom-webui-logo-url
Type: urlWithHttp
The company logo is displayed on the appliance’s web interface and on its log-
in page. The customized logo should follow the size restrictions in order to be
use-custom-webui-
displayed properly.
logo
Example set ui-settings use-custom-webui-logo true custom-webui-logo-url

urlWithHttp
set ui-settings
Syntax set ui-settings advanced-settings AboutConfigCustomLogos [

custom-webui-logo-url <custom-webui-logo-url> ] [ use-custom-webui-logo
<use-custom-webui-logo> ]
Example set ui-settings advanced-settings AboutConfigCustomLogos

custom-webui-logo-url urlWithHttp use-custom-webui-logo true

set usb-modem-watchdog
Uses the internet probing (if probing is enabled) to automatically detect and fix 3G/4G internet connectivity prob-
lems
Description Uses the internet probing (if probing is enabled) to automatically detect and fix 3G/4G internet con-
nectivity problems
Syntax set usb-modem-watchdog advanced-settings interval <interval>
Example set usb-modem-watchdog advanced-settings interval -1000000
nectivity problems
Syntax set usb-modem-watchdog advanced-settings mode <mode>
Example set usb-modem-watchdog advanced-settings mode off
set user-awareness
User awareness configuration table
set user-awareness
Description User awareness configuration table
Syntax set user-awareness [ mode <mode> ] [ ad-queries-mode <ad-queries-mode> ] [

browser-based-authentication-mode <browser-based-authentication-mode> ]
Parameters
Indicates if user awareness seamlessly queries the AD (Active Directory)
ad-queries-mode servers to get user information
Indicates if user awareness uses a portal to identify locally defined users or as
browser-based- a backup to other identification methods
authentication-mode Type: Boolean (true/false)
User awareness mode - true for on, false for off
mode

Example set user-awareness mode true ad-queries-mode true browser-based-authentication-mode
true
set user-awareness
Syntax set user-awareness advanced-settings association-timeout

<association-timeout>
Example set user-awareness advanced-settings association-timeout -1000000
set user-awareness
Syntax set user-awareness advanced-settings assume-single-user <assume-single-user>
Example set user-awareness advanced-settings assume-single-user true
set user-awareness browser-based-authentication

Syntax set user-awareness browser-based-authentication [ redirect-upon-destinations

{ manually-defined [ redirect-upon-destination-internet <redirect-upon-destination-intern
] [ redirect-upon-destinations-net-objs <redirect-upon-destinations-net-objs>
] | all } ] [ block-unauthenticated-non-web-traffic <block-unauthenticated-non-web-traffi
] [ require-user-agreement <require-user-agreement> ] [ agreement-text
<agreement-text> ] [ portal-address <portal-address> ] [ session-timeout
<session-timeout> ] [ log-out-on-portal-close <log-out-on-portal-close> ]
Parameters
The conditions shown to the users to agree to
agreement-text
When true, users using non-HTTP traffic are forced to login first through
block- Browser-Based Authentication
unauthenticated- Type: Boolean (true/false)
non-web-traffic

When true, the user is forced to keep the portal window open to remain logged
log-out-on-portal- in
close Type: Boolean (true/false)
Use the auto option unless you want to redirect to a manually configured URL
portal-address Type: String
Enter "<auto>" for default
When choosing redirect to manually defined destinations - indicates if the desti-
redirect-upon- nations include the internet (external interfaces)
destination-internet Type: Boolean (true/false)
Browser based authentication will only be shown to unidentified users on traffic
redirect-upon- to these configured destinations
destinations Type: Press TAB to see available options
When choosing redirect to manually defined destinations - indicates if the desti-
redirect-upon- nations include a manual list of network objects
destinations-net-objs Type: Boolean (true/false)
Indicates if users must agree to the legal conditions
require-user-
agreement
Session timeout duration, in minutes, for browser-based authentication
session-timeout Type: A number with no fractional part (integer)
Units should be entered in minutes
Example set user-awareness browser-based-authentication redirect-upon-destinations

manually-defined redirect-upon-destination-internet true redirect-upon-destinations-net-o
true block-unauthenticated-non-web-traffic true require-user-agreement
true agreement-text My Network portal-address TEXT session-timeout -1000000
log-out-on-portal-close true

Syntax set user-awareness browser-based-authentication add net-obj <net-obj>

Parameters
net-obj Network object name
Example set user-awareness browser-based-authentication add net-obj TEXT

Syntax set user-awareness browser-based-authentication remove net-obj <net-obj>
Parameters
net-obj Network object name

Example set user-awareness browser-based-authentication remove net-obj TEXT

Syntax set user-awareness browser-based-authentication remove-all net-objs
Example set user-awareness browser-based-authentication remove-all net-objs
set vpn
set vpn
Syntax set vpn site <site> [ enabled <enabled> ] [ remote-site-enc-dom-type

<phase2-reneg-interval> ] [ enable-perfect-forward-secrecy { true [
phase2-dh <phase2-dh> ] | false } ] [ is-check-point-site { true [
enable-permanent-vpn-tunnel <enable-permanent-vpn-tunnel> ] | false
} ] [ disable-nat <disable-nat> ] [ aggressive-mode-enabled { true
aggressive-mode-DH-group <aggressive-mode-DH-group> | false } ] [ {
<aggressive-mode-peer-id-type> aggressive-mode-peer-id <aggressive-mode-peer-id>
| false } | aggressive-mode-enable-gateway-id { true aggressive-mode-gateway-id-type
<aggressive-mode-gateway-id> | false } } ] [ enc-method <enc-method> ]
[ use-trusted-ca <use-trusted-ca> ] [ match-cert-ip <match-cert-ip> ] [
match-cert-dn { true match-cert-dn-string <match-cert-dn-string> | false } ]
[ match-cert-e-mail { true match-cert-e-mail-string <match-cert-e-mail-string>
| false } ] [ link-selection-probing-method <link-selection-probing-method>
] [ name <name> ] [ remote-site-link-selection <remote-site-link-selection>
] [ remote-site-host-name <remote-site-host-name> ] [ remote-site-ip-address
<remote-site-ip-address> ] [ is-site-behind-static-nat <is-site-behind-static-nat>
] [ static-nat-ip <static-nat-ip> ] [ auth-method { preshared-secret
password <password> | certificate } ] [ link-selection-primary-addr
<link-selection-primary-addr> ]
Parameters
aggressive-mode-DH- determine the strength of the key when aggressive mode is enabled
group

Indicates if gateway ID matching will be used. This adds a layer of security to
enable-gateway-id Type: Boolean (true/false)
Indicates if peer ID matching will be used. This adds a layer of security to
enable-peer-id Type: Boolean (true/false)
Indicates if Aggressive mode, a less secure negotiation protocol compared to
main mode, is used. It is less recommended if the remote site supports IPSec
aggressive-mode-
main mode
enabled
The gateway ID that will be used for matching when configured to
aggressive-mode-
gateway-id
Indicates the type of gateway ID that will be used for matching when configured
aggressive-mode-
gateway-id-type
The peer ID that will be used for matching when configured to
aggressive-mode-
peer-id
Indicates the type of peer ID that will be used for matching when configured
aggressive-mode-
peer-id-type
Indicates the type of authentication used when connecting to the remote site
auth-method
Disable NAT for traffic to/from the remote site. Useful when one of the internal
disable-nat networks contains a server
Ensures that a session key will not be compromised if one of the (long-term)
enable-perfect- private keys is compromised in the future.
forward-secrecy Type: Boolean (true/false)
VPN Tunnels are constantly kept active and as a result, make it easier to recog-
enable-permanent- nize malfunctions and connectivity problems
vpn-tunnel Type: Boolean (true/false)
Indicates whether or not the remote site is enabled
enabled
Indicates which encryption method is used
enc-method
Options: ike-v1, ike-v2, prefer-ike-v2
Encryption profile (one of predefined profiles or custom)
enc-profile
Type: virtual
Enable if the remote site is connected through a Check Point Security Gateway
is-check-point-site
is-site-behind-static- When connection type is IP address, this indicates if it is behind static NAT
nat
Specifies The primary IP address for the link selection
link-selection-primary-
addr
The type of probing used for link selection when multiple IP addresses are con-
link-selection-probing- figured for the remote site
method Options: ongoing, one-time
Indicates if certificate matching should match the DN string in the certificate to
match-cert-dn the configured DN string
Indicates the configured DN string for certificate matching
match-cert-dn-string
Type: String
Indicates if certificate matching should match the E-mail string in the certificate
match-cert-e-mail to the configured E-mail string
Indicates the configured E-mail string for certificate matching
match-cert-e-mail-
Type: Email address
string

Indicates if certificate matching should match IP address in the certificate to the
match-cert-ip site’s IP address
Site name
Preshared secret (minimum 6 characters) to be used when authentication
password method is configured as such
Type: vpnPassword
The period, in minutes, between each IKE SA renegotiation
Determine the strength of the key used for the IPsec (Phase 2) key exchange
phase2-dh process. The higher the group number, the stronger and more secure the key
is.
The period, in seconds, between each IPSec SA renegotiation
The method of defining the remote site’s encryption domain
remote-site-enc-dom- Options: manually-defined-enc-dom, route-all-traffic-to-site, route-based-vpn,
type enc-dom-hidden-behind-remote-site
remote-site-host- Indicates the remote site’s host name when the link selection method is config-
name ured as such
Indicates the remote site’s single IP address when the link selection method is
remote-site-ip-
configured as such
address
Indicates the method of determining the destination IP address/s of the remote
site
remote-site-link-
Options: ip-address, host-name, high-availability, load-sharing, connection-
selection
initiated-only-from-remote-site
Site name
site Type: A string that begins with a letter and contains up to 32 alphanumeric (0-9,
Indicates an external routable IP address via static NAT used by the remote site,
static-nat-ip
when configured as such
Indicates if a specific trusted CA is used for matching the remote site’s certificate
use-trusted-ca
or all configured trusted CAs
Example set vpn site site17 enabled true remote-site-enc-dom-type

link-selection-probing-method ongoing name site17 remote-site-link-selection
ip-address remote-site-host-name myHost.com remote-site-ip-address 192.168.1.1
is-site-behind-static-nat true static-nat-ip 192.168.1.1 auth-method
preshared-secret password vpnPassword link-selection-primary-addr word
set vpn
Syntax set vpn site <site> add remote-site-enc-dom-network-obj <remote-site-enc-dom-network-ob

Parameters
remote-site-enc-dom- Network Object name
network-obj
Site name
Example set vpn site site17 add remote-site-enc-dom-network-obj TEXT
set vpn
Syntax set vpn site <site> remove-all remote-site-enc-dom-network-obj

<remote-site-enc-dom-network-obj>
Parameters
network-obj
Site name
Example set vpn site site17 remove-all remote-site-enc-dom-network-obj TEXT
set vpn
Syntax set vpn site <site> remove remote-site-enc-dom-network-obj

<remote-site-enc-dom-network-obj>
Parameters
network-obj
Site name
Example set vpn site site17 remove remote-site-enc-dom-network-obj TEXT

set vpn
Syntax set vpn site <site> add link-selection-multiple-addrs addr

<link-selection-multiple-addrs addr>
Parameters
addrs addr
Site name
Example set vpn site site17 add link-selection-multiple-addrs addr 192.168.1.1
set vpn
Syntax set vpn site <site> remove-all link-selection-multiple-addrs addr
Parameters
addrs addr
Site name
Example set vpn site site17 remove-all link-selection-multiple-addrs addr

192.168.1.1
set vpn
Syntax set vpn site <site> remove link-selection-multiple-addrs addr

Parameters
addrs addr
Site name

Example set vpn site site17 remove link-selection-multiple-addrs addr 192.168.1.1
set vpn
Syntax set vpn site <site> add custom-enc-phase1-enc <custom-enc-phase1-enc>
Parameters
Encryption algorithm preferences for phase1 in the VPN encryption algorithm,
custom-enc-phase1-
which sets the base for phase2
enc
Site name
Example set vpn site site17 add custom-enc-phase1-enc word
set vpn
Syntax set vpn site <site> remove-all custom-enc-phase1-enc <custom-enc-phase1-enc>
Parameters
custom-enc-phase1-
enc
Site name
Example set vpn site site17 remove-all custom-enc-phase1-enc word
set vpn
Syntax set vpn site <site> remove custom-enc-phase1-enc <custom-enc-phase1-enc>
Parameters
custom-enc-phase1-
enc

Site name
Example set vpn site site17 remove custom-enc-phase1-enc word
set vpn
Syntax set vpn site <site> add custom-enc-phase1-auth <custom-enc-phase1-auth>
Parameters
custom-enc-phase1- Authentication algorithm used for encryption validation
auth
Site name
Example set vpn site site17 add custom-enc-phase1-auth word
set vpn
Syntax set vpn site <site> remove-all custom-enc-phase1-auth <custom-enc-phase1-auth>
Parameters
auth
Site name
Example set vpn site site17 remove-all custom-enc-phase1-auth word
set vpn
Syntax set vpn site <site> remove custom-enc-phase1-auth <custom-enc-phase1-auth>
Parameters

auth
Site name
Example set vpn site site17 remove custom-enc-phase1-auth word
set vpn
Syntax set vpn site <site> add custom-enc-phase1-dh-group <custom-enc-phase1-dh-group>
Parameters
custom-enc-phase1- VPN Diffie-Hellman key exchange encryption level
dh-group
Site name
Example set vpn site site17 add custom-enc-phase1-dh-group word
set vpn
Syntax set vpn site <site> remove-all custom-enc-phase1-dh-group

<custom-enc-phase1-dh-group>
Parameters
dh-group
Site name
Example set vpn site site17 remove-all custom-enc-phase1-dh-group word
set vpn

Syntax set vpn site <site> remove custom-enc-phase1-dh-group <custom-enc-phase1-dh-group>
Parameters
dh-group
Site name
Example set vpn site site17 remove custom-enc-phase1-dh-group word
set vpn
Syntax set vpn site <site> add custom-enc-phase2-enc <custom-enc-phase2-enc>
Parameters
custom-enc-phase2- Encryption algorithm preferences for phase2 in the VPN encryption algorithm
enc
Site name
Example set vpn site site17 add custom-enc-phase2-enc word
set vpn
Syntax set vpn site <site> remove-all custom-enc-phase2-enc <custom-enc-phase2-enc>
Parameters
enc
Site name
Example set vpn site site17 remove-all custom-enc-phase2-enc word

set vpn
Syntax set vpn site <site> remove custom-enc-phase2-enc <custom-enc-phase2-enc>
Parameters
enc
Site name
Example set vpn site site17 remove custom-enc-phase2-enc word
set vpn
Syntax set vpn site <site> add custom-enc-phase2-auth <custom-enc-phase2-auth>
Parameters
auth
Site name
Example set vpn site site17 add custom-enc-phase2-auth word
set vpn
Syntax set vpn site <site> remove-all custom-enc-phase2-auth <custom-enc-phase2-auth>
Parameters
auth
Site name
Example set vpn site site17 remove-all custom-enc-phase2-auth word

set vpn
Syntax set vpn site <site> remove custom-enc-phase2-auth <custom-enc-phase2-auth>
Parameters
auth
Site name
Example set vpn site site17 remove custom-enc-phase2-auth word
set vpn
Syntax set vpn tunnel <tunnel> type { unnumbered [ peer <peer> ] [

internet-connection <internet-connection> ] | numbered [ local <local> ] [
remote <remote> ] [ peer <peer> ] }
Parameters
internet-connection The local interface for unnumbered VTI
local
Type: IP address
Remote peer name as defined in the VPN community. You must define the two
peers in the VPN community before you can define the VTI. The Peer ID is an
peer alpha-numeric character string.
Type: A string that begins with a letter and contains up to 32 alphanumeric (0-9,
Defines the remote peer IPv4 address, used at the peer gateway’s point-to-point
remote virtual interface (numbered VTI only)
Type: IP address
tunnel
The type of VTI: Numbered VTI that uses a specified, static IPv4 addresses for
local and remote connections, or unnumbered VTI that uses the interface and
type
the remote peer name to get addresses
Example set vpn tunnel -1000000 type unnumbered peer site17 internet-connection My
connection

set vpn remote-access
VPN Remote Access

Syntax set vpn remote-access [ default-access-to-lan <default-access-to-lan>

] [ mode <mode> ] [ track <track> ] [ mobile-client <mobile-client> ] [
sslvpn-client <sslvpn-client> ] [ l2tp-vpn-client <l2tp-vpn-client> ] [
l2tp-pre-shared-key <l2tp-pre-shared-key> ]
Parameters
Allow traffic from Remote Access clients (by default)
default-access-to-lan
L2TP Pre-Shared Key
l2tp-pre-shared-key
Enable VPN remote access clients to connect via native VPN client (L2TP)
l2tp-vpn-client
Enable VPN remote access mobile clients to connect via Check Point Mobile
mobile-client VPN client
Enable VPN Remote Access
mode
Enable VPN remote access clients to connect via SSL VPN
sslvpn-client
Log traffic from Remote Access clients (by default)
track
Options: none, log
Example set vpn remote-access default-access-to-lan block mode true track none
mobile-client true sslvpn-client true l2tp-vpn-client true l2tp-pre-shared-key
word

Syntax set vpn remote-access advanced-settings allow-caching-passwords-on-client

<allow-caching-passwords-on-client>
Example set vpn remote-access advanced-settings allow-caching-passwords-on-client

true


Syntax set vpn remote-access advanced-settings enc-dns-traffic <enc-dns-traffic>
Example set vpn remote-access advanced-settings enc-dns-traffic true

Syntax set vpn remote-access advanced-settings verify-gateway-cert
<verify-gateway-cert>
Example set vpn remote-access advanced-settings verify-gateway-cert true

Syntax set vpn remote-access advanced-settings update-topo-startup
<update-topo-startup>
Example set vpn remote-access advanced-settings update-topo-startup true

Syntax set vpn remote-access advanced-settings keep-alive-time <keep-alive-time>
Example set vpn remote-access advanced-settings keep-alive-time -1000000

Syntax set vpn remote-access advanced-settings endpoint-vpn-user-re-auth-timeout
<endpoint-vpn-user-re-auth-timeout>
Example set vpn remote-access advanced-settings endpoint-vpn-user-re-auth-timeout
-1000000

Syntax set vpn remote-access advanced-settings ike-over-tcp <ike-over-tcp>
Example set vpn remote-access advanced-settings ike-over-tcp true

Syntax set vpn remote-access advanced-settings is-udp-enc-active

<is-udp-enc-active>

Example set vpn remote-access advanced-settings is-udp-enc-active true

Syntax set vpn remote-access advanced-settings om-method-radius <om-method-radius>

Example set vpn remote-access advanced-settings om-method-radius true

Syntax set vpn remote-access advanced-settings snx-uninstall-on-disconnect

<snx-uninstall-on-disconnect>
Example set vpn remote-access advanced-settings snx-uninstall-on-disconnect

ask-user

Syntax set vpn remote-access advanced-settings snx-keep-alive-timeout

<snx-keep-alive-timeout>
Example set vpn remote-access advanced-settings snx-keep-alive-timeout -1000000

Syntax set vpn remote-access advanced-settings update-topo <update-topo>

Example set vpn remote-access advanced-settings update-topo -1000000

Syntax set vpn remote-access advanced-settings use-limited-auth-timeout

<use-limited-auth-timeout>
Example set vpn remote-access advanced-settings use-limited-auth-timeout true

Syntax set vpn remote-access advanced-settings auth-timeout-limit

<auth-timeout-limit>
Example set vpn remote-access advanced-settings auth-timeout-limit -1000000


Syntax set vpn remote-access advanced-settings ike-support-crash-recovery

<ike-support-crash-recovery>
Example set vpn remote-access advanced-settings ike-support-crash-recovery true

Syntax set vpn remote-access advanced-settings enc-method <enc-method>

Example set vpn remote-access advanced-settings enc-method ike-v1

Syntax set vpn remote-access advanced-settings snx-user-re-auth-timeout

<snx-user-re-auth-timeout>
Example set vpn remote-access advanced-settings snx-user-re-auth-timeout -1000000

Syntax set vpn remote-access advanced-settings allow-update-topo

<allow-update-topo>
Example set vpn remote-access advanced-settings allow-update-topo true


Syntax set vpn remote-access advanced-settings om-enable-with-multiple-if

<om-enable-with-multiple-if>
Example set vpn remote-access advanced-settings om-enable-with-multiple-if true

Syntax set vpn remote-access advanced-settings snx-encryption-enable-rc4

<snx-encryption-enable-rc4>
Example set vpn remote-access advanced-settings snx-encryption-enable-rc4 true

Syntax set vpn remote-access advanced-settings disconnect-enc-domain
<disconnect-enc-domain>
Example set vpn remote-access advanced-settings disconnect-enc-domain true

Syntax set vpn remote-access advanced-settings ike-ip-comp-support

<ike-ip-comp-support>
Example set vpn remote-access advanced-settings ike-ip-comp-support true

Syntax set vpn remote-access advanced-settings snx-upgrade <snx-upgrade>
Example set vpn remote-access advanced-settings snx-upgrade ask-user

Syntax set vpn remote-access advanced-settings enable-back-conn <enable-back-conn>
Example set vpn remote-access advanced-settings enable-back-conn true


Syntax set vpn remote-access advanced-settings allow-clear-traffic-while-disconnected

<allow-clear-traffic-while-disconnected>
Example set vpn remote-access advanced-settings allow-clear-traffic-while-disconnected

true

Syntax set vpn remote-access advanced-settings prevent-ip-pool-nat

<prevent-ip-pool-nat>
Example set vpn remote-access advanced-settings prevent-ip-pool-nat true


Syntax set vpn remote-access advanced-settings disable-office-mode

<disable-office-mode>
Example set vpn remote-access advanced-settings disable-office-mode true

Syntax set vpn remote-access advanced-settings allow-simultaneous-login

<allow-simultaneous-login>
Example set vpn remote-access advanced-settings allow-simultaneous-login true

Syntax set vpn remote-access advanced-settings port [ visitor-mode-port
<visitor-mode-port> ] [ reserve-port-443 <reserve-port-443> ]
Example set vpn remote-access advanced-settings port visitor-mode-port 8080

reserve-port-443 true

Syntax set vpn remote-access advanced-settings office-mode [ single-om-per-site

<single-om-per-site> ] [ om-perform-antispoofing <om-perform-antispoofing> ]
Example set vpn remote-access advanced-settings office-mode single-om-per-site true

om-perform-antispoofing true

Syntax set vpn remote-access advanced-settings visitor-mode [ enable-visitor-mode-all

<enable-visitor-mode-all> ] [ visitor-mode-interface <visitor-mode-interface>
]
Example set vpn remote-access advanced-settings visitor-mode enable-visitor-mode-all

all visitor-mode-interface 192.168.1.1
set vpn remote-access advanced
Syntax set vpn remote-access advanced [ om-network-ip <om-network-ip> ] [

om-subnet-mask <om-subnet-mask> ] [ default-route-through-this-gateway
<default-route-through-this-gateway> ] [ enc-dom <enc-dom> ] [
use-this-gateway-as-dns-server <use-this-gateway-as-dns-server> ] [
dns-primary <dns-primary> ] [ dns-secondary <dns-secondary> ] [ dns-tertiary
<dns-tertiary> ] [ dns-domain-mode <dns-domain-mode> ] [ domain-name
<domain-name> ]
Parameters
Indicates if Internet traffic from connected clients will be routed first through this
default-route-through- gateway
this-gateway Type: Boolean (true/false)
Indicates if remote access clients use the domain name configured under DNS
dns-domain-mode network settings of the device, or a manually configured domain name
Configure manually office mode first DNS
dns-primary
Type: IP address
Configure manually office mode second DNS
dns-secondary
Type: IP address
Configure manually office mode third DNS
dns-tertiary
Type: IP address
Manual configuration of the domain used by remote access clients
domain-name
Type: A FQDN
Indicates if the encryption domain for remote access clients is calculated auto-
enc-dom matically or manually configured
Options: manual, auto
Office Mode - Allocate IP addresses from the following network
om-network-ip
Type: Network address
Subnet for allocating IP addresses of incoming remote access connections (Of-
om-subnet-mask fice Mode)
Type: Subnet mask
Indicates if the remote access clients will use this gateway as a DNS server.
use-this-gateway-as- Appliacable only when encryption domain is calculated automatically
dns-server Type: Boolean (true/false)
Example set vpn remote-access advanced om-network-ip 172.16.10.0 om-subnet-mask

255.255.255.0 default-route-through-this-gateway true enc-dom manual
use-this-gateway-as-dns-server true dns-primary 192.168.1.1 dns-secondary
192.168.1.1 dns-tertiary 192.168.1.1 dns-domain-mode true domain-name
somehost.example.com
set vpn remote-access advanced enc-dom-obj manual
VPN Remote Access

Syntax set vpn remote-access advanced enc-dom-obj manual add name <name>
Parameters
name Network Object name
Example set vpn remote-access advanced enc-dom-obj manual add name TEXT

Syntax set vpn remote-access advanced enc-dom-obj manual remove name <name>
Parameters
Example set vpn remote-access advanced enc-dom-obj manual remove name TEXT
set vpn site-to-site
VPN Global

Description VPN Global

Syntax set vpn site-to-site [ mode <mode> ] [ default-access-to-lan
<default-access-to-lan> ] [ track <track> ] [ local-encryption-domain
<local-encryption-domain> ] [ manual-source-ip-address <manual-source-ip-address>
] [ sourceIpSelection <sourceIpSelection> ] [ outgoing-interface-selection
<outgoing-interface-selection> ]
Parameters
default-access-to-lan Allow traffic from remote sites (by default)âĂİ
Indicates if the local encryption domain is configured manually or determined
local-encryption- automatically using the local networks
domain Options: auto, manual
A manually configured source IP address to be used (if configured to) for VPN
manual-source-ip- tunnels
address Type: IP address
Indicates whether or not VPN site to site is active
mode
Indicates the method according to which the outgoing interface selection for
outgoing-interface- VPN traffic is chosen
selection Options: routing-table, route-based-probing
sourceIpSelection
sourceIpSelection
Options: automatically, manually
The default Logging setting for traffic from remote sites
track
Options: none, log
Example set vpn site-to-site mode true default-access-to-lan block track

none local-encryption-domain auto manual-source-ip-address 192.168.1.1
sourceIpSelection automatically outgoing-interface-selection routing-table

Syntax set vpn site-to-site advanced-settings sync-sa-with-other-cluster-members
<sync-sa-with-other-cluster-members>
Example set vpn site-to-site advanced-settings sync-sa-with-other-cluster-members
-1000000

Syntax set vpn site-to-site advanced-settings keep-dont-fragment-flag-on-packet
<keep-dont-fragment-flag-on-packet>
Example set vpn site-to-site advanced-settings keep-dont-fragment-flag-on-packet
true


Syntax set vpn site-to-site advanced-settings period-after-crl-not-valid

<period-after-crl-not-valid>
Example set vpn site-to-site advanced-settings period-after-crl-not-valid -1000000

Syntax set vpn site-to-site advanced-settings log-notification-for-administrative-actions

<log-notification-for-administrative-actions>
Example set vpn site-to-site advanced-settings log-notification-for-administrative-actions

none

Syntax set vpn site-to-site advanced-settings udp-encapsulation-for-firewalls-and-proxies

<udp-encapsulation-for-firewalls-and-proxies>
Example set vpn site-to-site advanced-settings udp-encapsulation-for-firewalls-and-proxies

true

Syntax set vpn site-to-site advanced-settings copy-diff-serv-from-ipsec-packet

<copy-diff-serv-from-ipsec-packet>
Example set vpn site-to-site advanced-settings copy-diff-serv-from-ipsec-packet

true

Syntax set vpn site-to-site advanced-settings permanent-tunnel-up-track

<permanent-tunnel-up-track>
Example set vpn site-to-site advanced-settings permanent-tunnel-up-track none

Syntax set vpn site-to-site advanced-settings vpn-tunnel-sharing

<vpn-tunnel-sharing>
Example set vpn site-to-site advanced-settings vpn-tunnel-sharing hosts

Syntax set vpn site-to-site advanced-settings vpn-configuration-and-key-exchange-errors
<vpn-configuration-and-key-exchange-errors>
Example set vpn site-to-site advanced-settings vpn-configuration-and-key-exchange-errors

none

Syntax set vpn site-to-site advanced-settings is-admin-access-agnostic

<is-admin-access-agnostic>
Example set vpn site-to-site advanced-settings is-admin-access-agnostic true

Syntax set vpn site-to-site advanced-settings reply-from-incoming-interface

<reply-from-incoming-interface>
Example set vpn site-to-site advanced-settings reply-from-incoming-interface true

Syntax set vpn site-to-site advanced-settings log-vpn-packet-handling-errors

<log-vpn-packet-handling-errors>
Example set vpn site-to-site advanced-settings log-vpn-packet-handling-errors none

Syntax set vpn site-to-site advanced-settings check-validity-of-ipsec-reply-packets
<check-validity-of-ipsec-reply-packets>
Example set vpn site-to-site advanced-settings check-validity-of-ipsec-reply-packets

true

Syntax set vpn site-to-site advanced-settings ike-dos-protection-unknown-sites

<ike-dos-protection-unknown-sites>
Example set vpn site-to-site advanced-settings ike-dos-protection-unknown-sites

none

Syntax set vpn site-to-site advanced-settings permanent-tunnel-down-track

<permanent-tunnel-down-track>
Example set vpn site-to-site advanced-settings permanent-tunnel-down-track none

Syntax set vpn site-to-site advanced-settings ike-dos-protection-known-sites

<ike-dos-protection-known-sites>
Example set vpn site-to-site advanced-settings ike-dos-protection-known-sites none

Syntax set vpn site-to-site advanced-settings maximum-concurrent-ike-negotiations
<maximum-concurrent-ike-negotiations>
Example set vpn site-to-site advanced-settings maximum-concurrent-ike-negotiations

-1000000

Syntax set vpn site-to-site advanced-settings log-vpn-outgoing-link

<log-vpn-outgoing-link>
Example set vpn site-to-site advanced-settings log-vpn-outgoing-link none

Syntax set vpn site-to-site advanced-settings reply-from-same-ip

<reply-from-same-ip>
Example set vpn site-to-site advanced-settings reply-from-same-ip true

Syntax set vpn site-to-site advanced-settings period-before-crl-valid

<period-before-crl-valid>
Example set vpn site-to-site advanced-settings period-before-crl-valid -1000000

Syntax set vpn site-to-site advanced-settings enable-link-selection
<enable-link-selection>
Example set vpn site-to-site advanced-settings enable-link-selection true

Syntax set vpn site-to-site advanced-settings log-vpn-successful-key-exchange

<log-vpn-successful-key-exchange>
Example set vpn site-to-site advanced-settings log-vpn-successful-key-exchange none

Syntax set vpn site-to-site advanced-settings limit-open-sas <limit-open-sas>
Example set vpn site-to-site advanced-settings limit-open-sas -1000000

Syntax set vpn site-to-site advanced-settings timeout-for-an-rdp-packet-reply

<timeout-for-an-rdp-packet-reply>

Example set vpn site-to-site advanced-settings timeout-for-an-rdp-packet-reply
-1000000

Syntax set vpn site-to-site advanced-settings perform-ike-using-cluster-ip
<perform-ike-using-cluster-ip>
Example set vpn site-to-site advanced-settings perform-ike-using-cluster-ip true

Syntax set vpn site-to-site advanced-settings maximum-concurrent-vpn-tunnels

<maximum-concurrent-vpn-tunnels>
Example set vpn site-to-site advanced-settings maximum-concurrent-vpn-tunnels

-1000000

Syntax set vpn site-to-site advanced-settings ike-use-largest-possible-subnets

<ike-use-largest-possible-subnets>
Example set vpn site-to-site advanced-settings ike-use-largest-possible-subnets

true

Syntax set vpn site-to-site advanced-settings copy-diff-serv-to-ipsec-packet
<copy-diff-serv-to-ipsec-packet>
Example set vpn site-to-site advanced-settings copy-diff-serv-to-ipsec-packet true
set vpn site-to-site enc-dom manual
VPN Global

Syntax set vpn site-to-site enc-dom manual add name <name>
Parameters
Example set vpn site-to-site enc-dom manual add name TEXT

Syntax set vpn site-to-site enc-dom manual remove-all name <name>
Parameters

Example set vpn site-to-site enc-dom manual remove-all name TEXT

Syntax set vpn site-to-site enc-dom manual remove name <name>
Parameters
Example set vpn site-to-site enc-dom manual remove name TEXT
set wlan
Virtual Access Point
set wlan
Syntax set wlan { enable | disable }
Parameters
The mode of the Virtual Access Point
mode
Options: on, off
Example set wlan on
set wlan
Syntax set wlan ssid <ssid>
Parameters

ssid
Example set wlan ssid My wireless
set wlan
Syntax set wlan security-type <security-type>

Parameters
Security Type
security-type
Options: none, WEP, WPA2, WPA/WPA2
Example set wlan security-type none
set wlan
Syntax set wlan wpa-auth-type password <password> [ hotspot <hotspot > ]
Example set wlan wpa-auth-type password gTd&3(gha_ hotspot on
set wlan
Syntax set wlan wpa-auth-type { radius [ hotspot <hotspot > ] }
Parameters
The Hotspot of the Virtual Access Point
hotspot
Options: on, off
Wireless protected access authentication
wpa-auth-type
Example set wlan wpa-auth-type radius hotspot on

set wlan
Syntax set wlan wpa-encryption-type <wpa-encryption-type>
Parameters
Wireless protected access encryption type
wpa-encryption-type
Options: Auto, CCMP-AES, TKIP
Example set wlan wpa-encryption-type Auto
set wlan
Syntax set wlan assignment <assignment>
Parameters
The network assigned to the virtual access point
assignment
Example set wlan assignment My_Network
set wlan
Syntax set wlan advanced-settings [ hide-ssid <hide-ssid> ] [ station-to-station

<station-to-station> ] [ wds <wds> ]
Example set wlan advanced-settings hide-ssid on station-to-station allow wds on
set wlan
Syntax set wlan vap <vap> { enable | disable }
Parameters
The mode of the Virtual Access Point
mode
Options: on, off
vap

Example set wlan vap My_Network on
set wlan
Syntax set wlan vap <vap> ssid <ssid>
Parameters
ssid
vap
Example set wlan vap My_Network ssid My wireless
set wlan
Syntax set wlan vap <vap> security-type <security-type>
Parameters
Security Type
security-type
Options: none, WEP, WPA2, WPA/WPA2
vap
Example set wlan vap My_Network security-type none
set wlan
Syntax set wlan vap <vap> wpa-auth-type password <password> [ hotspot <hotspot > ]
Parameters
vap
Example set wlan vap My_Network wpa-auth-type password gTd&3(gha_ hotspot on

set wlan
Syntax set wlan vap <vap> wpa-auth-type { radius [ hotspot <hotspot > ] }
Parameters
The Hotspot of the Virtual Access Point
hotspot
Options: on, off
vap
Wireless protected access authentication
wpa-auth-type
Example set wlan vap My_Network wpa-auth-type radius hotspot on
set wlan
Syntax set wlan vap <vap> wpa-encryption-type <wpa-encryption-type>

Parameters
vap
Wireless protected access encryption type
wpa-encryption-type
Options: Auto, CCMP-AES, TKIP
Example set wlan vap My_Network wpa-encryption-type Auto
set wlan
Syntax set wlan vap <vap> assignment <assignment>
Parameters
The network assigned to the virtual access point
assignment
vap
Example set wlan vap My_Network assignment My_Network

set wlan
Syntax set wlan vap <vap> advanced-settings [ hide-ssid <hide-ssid> ] [

station-to-station <station-to-station> ] [ wds <wds> ]
Parameters
vap
Example set wlan vap My_Network advanced-settings hide-ssid on station-to-station

allow wds on
set wlan radio
Wireless networks
set wlan radio

Description Wireless networks
Syntax set wlan radio [ country <country> ] [ operation-mode <operation-mode> ]

[ channel <channel> ] [ channel-width <channel-width> ] [ transmitter-power
<transmitter-power> ]
Parameters
Channel
channel
Options: auto, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14
Channel width
channel-width
Options: auto, 20
Country
country
Options: country
Operation mode
operation-mode
Options: 11b, 11g, 11bg, 11n, 11ng
Controls the range of the wireless access point. Lower power can help reduce
transmitter-power interference to nearby access points
Options: minimum, eighth, quarter, half, full
Example set wlan radio country albania operation-mode 11b channel auto
channel-width auto transmitter-power minimum
set wlan radio


Syntax set wlan radio { off | on }
Parameters
Wireless radio mode
mode
Options: off, on
Example set wlan radio off
set wlan radio

Syntax set wlan radio advanced-settings transmitter-power <transmitter-power>
Example set wlan radio advanced-settings transmitter-power minimum
set wlan radio

Syntax set wlan radio advanced-settings antenna <antenna>
Example set wlan radio advanced-settings antenna auto
set wlan radio

Syntax set wlan radio advanced-settings guard-interval <guard-interval>
Example set wlan radio advanced-settings guard-interval short
show access-rule type incoming-internal-and-vpn
Access rule

Description Access rule
Syntax show access-rule type incoming-internal-and-vpn position <position> position

<position>
Parameters
The order of a manual rule in comparison to other manual rules
position
Example show access-rule type incoming-internal-and-vpn position 2 position 2

Syntax show access-rule type incoming-internal-and-vpn name <name> position

<position>
Parameters
name
name
position
Example show access-rule type incoming-internal-and-vpn name word position 2
show access-rule type outgoing
Access rule

Syntax show access-rule type outgoing name <name> position <position>
Parameters
name
name
position

Example show access-rule type outgoing name word position 2

Syntax show access-rule type outgoing position <position> position <position>
Parameters
position
Example show access-rule type outgoing position 2 position 2
show access-rules type incoming-internal-and-vpn
Syntax show access-rules type incoming-internal-and-vpn position <position>
Parameters
position
Example show access-rules type incoming-internal-and-vpn position 2
show access-rules type outgoing
Syntax show access-rules type outgoing position <position>
Parameters
position
Example show access-rules type outgoing position 2

show ad-server
Syntax show ad-server <domain>
Parameters
Domain name
domain
Type: Host name
Example show ad-server myHost.com
show ad-servers
Syntax show ad-servers
Example show ad-servers
show additional-hw-settings
Description Additional hardware and operating system settings
Syntax show additional-hw-settings
Example show additional-hw-settings
show address-range
Syntax show address-range <name>
Parameters
Network Object name
name
Type: String

Example show address-range TEXT
show address-ranges
Syntax show address-ranges
Example show address-ranges
show admin-access
Description Administrator access
Syntax show admin-access
Example show admin-access
show admin-access-ipv4-addresses
Syntax show admin-access-ipv4-addresses
Example show admin-access-ipv4-addresses
show administrator
Syntax show administrator username <username>
Parameters
username

Example show administrator username admin
show administrator session-settings
Description Limit administrators login failure attempts for before locking out for a defined period of time
Syntax show administrator session-settings
Example show administrator session-settings
show administrators
Syntax show administrators
Example show administrators
show administrators radius-auth
Description Administrators RADIUS authentication
Syntax show administrators radius-auth
Example show administrators radius-auth
show adsl statistics
Description ADSL information
Syntax show adsl statistics
Example show adsl statistics

show aggressive-aging
Connections aggressive aging
Syntax show aggressive-aging
Example show aggressive-aging
Syntax show aggressive-aging advanced-settings
Example show aggressive-aging advanced-settings
show antispam
Policy for Anti-Spam blade
show antispam
Syntax show antispam
Example show antispam
show antispam
Syntax show antispam advanced-settings
Example show antispam advanced-settings

show antispam allowed-senders
Syntax show antispam allowed-senders
Example show antispam allowed-senders
show antispam blocked-senders
Syntax show antispam blocked-senders
Example show antispam blocked-senders
show application
Application
show application
Syntax show application application-name <application-name>
Parameters
Application or group name
application-name
Type: String
Example show application application-name TEXT
show application
Syntax show application application-id <application-id>
Parameters

The ID of the application or the group
application-id
Example show application application-id -1000000
show application-control
Description Default APPI policy and configuration
Syntax show application-control
Example show application-control
show application-control other-undesired-applications
Syntax show application-control other-undesired-applications
Example show application-control other-undesired-applications
show application-group
Syntax show application-group application-group-id <application-group-id>
Parameters
Example show application-group application-group-id -1000000


Syntax show application-group name <name>
Parameters
Example show application-group name users
show application-groups
Syntax show application-groups
Example show application-groups
show applications
Syntax show applications
Example show applications
show bridge
Syntax show bridge <name>
Parameters
Bridge name
name

Example show bridge br7
show bridges
Syntax show bridges
Example show bridges
show cloud-deployment
Description Cloud Deployment Settings
Syntax show cloud-deployment
Example show cloud-deployment
show cloud-services
Syntax show cloud-services advanced-settings
Example show cloud-services advanced-settings
show cloud-services connection-details
Syntax show cloud-services connection-details
Example show cloud-services connection-details

show cloud-services managed-blades
Description Table for activation status of a blade
Syntax show cloud-services managed-blades
Example show cloud-services managed-blades
show cloud-services managed-services
Description Cloud services managed by the provider
Syntax show cloud-services managed-services
Example show cloud-services managed-services
show cloud-services status
Description Status of current connection to the cloud services provider
Syntax show cloud-services status

Example show cloud-services status
show date
Manual time
show date
Syntax show date
Example show date

show date
Syntax show time
Example show time
show date
Syntax show timezone
Example show timezone

show date
Syntax show timezone-dst
Example show timezone-dst

show device-details
Description Device details
Syntax show device-details
Example show device-details
show dhcp server interface
Local network

Syntax show dhcp server interface <name>
Parameters
Network name
name
Example show dhcp server interface My_Network

Syntax show dhcp server interface <name> ip-pool
Parameters
Network name
name
Example show dhcp server interface My_Network ip-pool

show dhcp servers

Syntax show dhcp servers
Example show dhcp servers
show dhcp servers table

Syntax show dhcp servers table
Example show dhcp servers table

show dhcp-relay
Description DHCP Relay advanced options
Syntax show dhcp-relay advanced-settings
Example show dhcp-relay advanced-settings
show dns
show dns
Syntax show dns
Example show dns
show dns
Syntax show dns [ primary ipv4-address ] [ secondary ipv4-address ] [ tertiary

ipv4-address ] [ mode ] [ proxy ]
Example show dns primary ipv4-address secondary ipv4-address tertiary ipv4-address

mode proxy
show dns
Syntax show domainname
Example show domainname

show dynamic-dns
Syntax show dynamic-dns
Example show dynamic-dns
show fw policy
Default policy for firewall blade
show fw policy
Description Default policy for firewall blade
Syntax show fw policy
Example show fw policy
show fw policy
the desired action
Syntax show fw policy user-check { block | ask | accept }
Parameters
Activity message type
user-check
Example show fw policy user-check block

show group

Syntax show group <name>
Parameters

Example show group myObject_17
show groups
Syntax show groups
Example show groups
show host
Syntax show host <name>
Parameters
Network Object name
name
Type: String
Example show host TEXT
show hosts
Syntax show hosts
Example show hosts

show hotspot
Hotspot settings
show hotspot
Syntax show hotspot
Example show hotspot
show hotspot
Syntax show hotspot advanced-settings
Example show hotspot advanced-settings
show https-categorization
Syntax show https-categorization advanced-settings
Example show https-categorization advanced-settings
show interface

Syntax show interface <name> [ all ]
Parameters
Network name
name
Example show interface My_Network all

show interfaces
Syntax show interfaces
Example show interfaces
show interfaces all
Syntax show interfaces all
Example show interfaces all
show interfaces table
Syntax show interfaces table
Example show interfaces table
show internet
Description Global settings that affect all internet connections
Syntax show internet advanced-settings
Example show internet advanced-settings

show internet mode
Description Traffic will be distributed automatically across the defined Internet connections according to the con-
figured load balancing weights
Syntax show internet mode
Example show internet mode
show internet-connection
Internet Connection
Syntax show internet-connection <name>
Parameters
Connection name
name
Example show internet-connection My connection
Syntax show internet-connection <name> icmp-servers
Parameters
Connection name
name
Example show internet-connection My connection icmp-servers

show internet-connections

Syntax show internet-connections
Example show internet-connections
show internet-connections table
Syntax show internet-connections table

Example show internet-connections table
show ip-fragments-params
Syntax show ip-fragments-params advanced-settings
Example show ip-fragments-params advanced-settings
show ips engine-settings
IPS engine settings

Syntax show ips engine-settings
Example show ips engine-settings

Syntax show ips engine-settings advanced-settings
Example show ips engine-settings advanced-settings
show local-group
Syntax show local-group name <name>
Parameters
Local group name
Example show local-group name myObject_17
show local-groups
Syntax show local-groups
Example show local-groups
show local-user
Syntax show local-user name <name>
Parameters
name

Example show local-user name admin
show local-users
Syntax show local-users
Example show local-users
show log-servers-configuration
Description Log servers configuration
Syntax show log-servers-configuration
Example show log-servers-configuration
show loginMessages
loginMessages
show loginMessages
Syntax show loginMessages <type>
Parameters
type
type
Example show loginMessages motd

show loginMessages

Syntax show loginMessages <type> [ enabled ]
Parameters
type
type
Example show loginMessages motd enabled
show nat
NAT global
show nat
Syntax show nat
Example show nat
show nat
Syntax show nat advanced-settings
Example show nat advanced-settings
show nat-rule
Syntax show nat-rule name <name> position <position>
Parameters
name
name
position

Example show nat-rule name word position 2
show nat-rule position
Syntax show nat-rule position <position> position <position>
Parameters
position
Example show nat-rule position 2 position 2
show nat-rules
Syntax show nat-rules position <position>
Parameters
position
Example show nat-rules position 2
show netflow collector
Syntax show netflow collector ip <ip> port <port>
Parameters
IP address
ip
Type: IP address
UDP port
port
Type: Port number
Example show netflow collector ip 192.168.1.1 port 8080

show netflow collectors
Syntax show netflow collectors
Example show netflow collectors
show network
Syntax show network <name>
Parameters
Network Object name
name
Type: String
Example show network TEXT

show networks

Syntax show networks
Example show networks
show ntp
Description NTP
Syntax show ntp
Example show ntp

show ntp active
Description NTP
Syntax show ntp active
Example show ntp active
show ntp servers
Description NTP
Syntax show ntp servers
Example show ntp servers
show proxy
Syntax show proxy

Example show proxy
show qos
QoS blade basic configuration
show qos
Syntax show qos
Example show qos

show qos
Syntax show qos advanced-settings
Example show qos advanced-settings
show qos delay-sensitive-services
Syntax show qos delay-sensitive-services
Example show qos delay-sensitive-services
show qos guarantee-bandwidth-selected-services
Syntax show qos guarantee-bandwidth-selected-services
Example show qos guarantee-bandwidth-selected-services
show qos-rule
show qos-rule
Syntax show qos-rule idx <idx> position <position>
Parameters
idx
position

Example show qos-rule idx 3.141 position 2
show qos-rule
Syntax show qos-rule name <name> position <position>
Parameters
name
name
position
Example show qos-rule name word position 2
show qos-rules
Description View for QoS rule base

Syntax show qos-rules position <position>
Parameters
position
Example show qos-rules position 2
show radius-server
Syntax show radius-server priority <priority>
Parameters
priority
Example show radius-server priority -1000000

show radius-servers
Syntax show radius-servers
Example show radius-servers
show reach-my-device
Reach My Device
Syntax show reach-my-device
Example show reach-my-device
Syntax show reach-my-device advanced-settings
Example show reach-my-device advanced-settings
show remote-access users radius-auth
Syntax show remote-access users radius-auth
Example show remote-access users radius-auth

show security-management
Syntax show security-management
Example show security-management
show serial-port
Syntax show serial-port
Example show serial-port
show server
Syntax show server <name>

Parameters
Server object name
Example show server myObject_17
show servers
Syntax show servers
Example show servers

show service-group
Syntax show service-group <name>
Parameters
Service Group name
Example show service-group myObject_17
show service-groups
Syntax show service-groups
Example show service-groups

show service-icmp
Syntax show service-icmp <name>
Parameters
Service name
name
Type: String
Example show service-icmp TEXT

show service-protocol

Syntax show service-protocol <name>
Parameters

Service name
name
Type: String
Example show service-protocol TEXT
show service-tcp
Syntax show service-tcp <name>
Parameters
Service name
name
Type: String
Example show service-tcp TEXT
show service-udp
Syntax show service-udp <name>
Parameters
Service name
name
Type: String
Example show service-udp TEXT
show services-icmp
Syntax show services-icmp
Example show services-icmp

show services-protocol
Syntax show services-protocol
Example show services-protocol
show services-tcp
Syntax show services-tcp
Example show services-tcp
show services-udp
Syntax show services-udp

Example show services-udp
show snmp
SNMP version3 user configuration options for: security level, authentication settings and passwords
show snmp
Syntax show snmp user <user>
Parameters
version3 user name
user

Example show snmp user admin
show snmp
Syntax show snmp agent
Example show snmp agent
show snmp
Syntax show snmp agent-version
Example show snmp agent-version
show snmp
Syntax show snmp community
Example show snmp community
show snmp
Syntax show snmp contact
Example show snmp contact

show snmp
Syntax show snmp location
Example show snmp location
show snmp traps
Syntax show snmp traps status
Example show snmp traps status
show snmp traps enabled-traps
Syntax show snmp traps enabled-traps
Example show snmp traps enabled-traps
show snmp traps receivers
Syntax show snmp traps receivers
Example show snmp traps receivers

show snmp users
Syntax show snmp users
Example show snmp users
show snmp-general-all
Syntax show snmp-general-all

Example show snmp-general-all
show static-routes
Syntax show static-routes
Example show static-routes
show static-routes table
Syntax show static-routes table

Example show static-routes table
show streaming-engine-settings
Streaming engine settings

Syntax show streaming-engine-settings
Example show streaming-engine-settings
Syntax show streaming-engine-settings advanced-settings
Example show streaming-engine-settings advanced-settings

show switch
Switch
show switch
Description Switch
Syntax show switch <name>
Parameters
Name
name
Example show switch LAN2_Switch
show switch
Description Switch
Syntax show switch <name> ports
Parameters
Name
name

Example show switch LAN2_Switch ports
show switches
Description Switch
Syntax show switches
Example show switches
show threat-prevention anti-bot engine
Description Anti-Bot engine

Syntax show threat-prevention anti-bot engine
Example show threat-prevention anti-bot engine
show threat-prevention anti-bot policy
Threat Prevention Anti-Bot policy

Syntax show threat-prevention anti-bot policy
Example show threat-prevention anti-bot policy

Syntax show threat-prevention anti-bot policy advanced-settings
Example show threat-prevention anti-bot policy advanced-settings

show threat-prevention anti-bot user-check ask
the desired action
Syntax show threat-prevention anti-bot user-check ask
Example show threat-prevention anti-bot user-check ask
show threat-prevention anti-bot user-check block
the desired action
Syntax show threat-prevention anti-bot user-check block
Example show threat-prevention anti-bot user-check block

show threat-prevention anti-virus engine
Description Anti-Virus engine
Syntax show threat-prevention anti-virus engine
Example show threat-prevention anti-virus engine
show threat-prevention anti-virus file-type
Syntax show threat-prevention anti-virus file-type extension <extension>
Parameters
: () @
Example show threat-prevention anti-virus file-type extension This is a comment.

show threat-prevention anti-virus file-types

Syntax show threat-prevention anti-virus file-types
Example show threat-prevention anti-virus file-types
show threat-prevention anti-virus policy
Threat Prevention Anti-Virus policy

Syntax show threat-prevention anti-virus policy
Example show threat-prevention anti-virus policy

Syntax show threat-prevention anti-virus policy advanced-settings
Example show threat-prevention anti-virus policy advanced-settings
show threat-prevention anti-virus user-check ask
the desired action
Syntax show threat-prevention anti-virus user-check ask
Example show threat-prevention anti-virus user-check ask

show threat-prevention anti-virus user-check block
the desired action
Syntax show threat-prevention anti-virus user-check block
Example show threat-prevention anti-virus user-check block
show threat-prevention exception
Syntax show threat-prevention exception name <name> position <position>
Parameters
name
position
Example show threat-prevention exception name word position 2
show threat-prevention exception position

Syntax show threat-prevention exception position <position> position <position>
Parameters
position
Example show threat-prevention exception position 2 position 2
show threat-prevention exceptions
Syntax show threat-prevention exceptions position <position>

Parameters
position
Example show threat-prevention exceptions position 2
show threat-prevention infected-hosts
Description Infected host
Syntax show threat-prevention infected-hosts
Example show threat-prevention infected-hosts
show threat-prevention ips custom-default-policy
Description Configure the custom default policy if chosen as custom
Syntax show threat-prevention ips custom-default-policy

Example show threat-prevention ips custom-default-policy
show threat-prevention ips network-exception
Syntax show threat-prevention ips network-exception position <position> position

<position>
Parameters
position
Example show threat-prevention ips network-exception position 2 position 2

show threat-prevention ips network-exceptions
Syntax show threat-prevention ips network-exceptions position <position>
Parameters
position
Example show threat-prevention ips network-exceptions position 2
show threat-prevention ips policy
Description Threat Prevention IPS global policy

Syntax show threat-prevention ips policy
Example show threat-prevention ips policy
show threat-prevention ips protection-action-override
IPS topic view

Syntax show threat-prevention ips protection-action-override protection-code

<protection-code>
Parameters
4,503,599,627,370,495 to 4,503,599,627,370,495
Example show threat-prevention ips protection-action-override protection-code

-1000000

Syntax show threat-prevention ips protection-action-override protection-name

<protection-name>
Parameters
protection-name
Example show threat-prevention ips protection-action-override protection-name word

show threat-prevention policy
Policy for Threat Prevention, shared by Anti-Virus and Anti-Bot

Syntax show threat-prevention policy
Example show threat-prevention policy

Syntax show threat-prevention policy advanced-settings
Example show threat-prevention policy advanced-settings
show threat-prevention whitelist files

Syntax show threat-prevention whitelist files
Example show threat-prevention whitelist files

show threat-prevention whitelist urls
Syntax show threat-prevention whitelist urls
Example show threat-prevention whitelist urls
show threat-prevention-advanced
Description Advanced settings for Threat Prevention
Syntax show threat-prevention-advanced advanced-settings
Example show threat-prevention-advanced advanced-settings
show ui-settings
Web Interface Settings and Customizations
show ui-settings
Syntax show ui-settings
Example show ui-settings
show ui-settings
Syntax show ui-settings advanced-settings
Example show ui-settings advanced-settings

show usb-modem-watchdog
nectivity problems
Syntax show usb-modem-watchdog advanced-settings
Example show usb-modem-watchdog advanced-settings
show user-awareness
show user-awareness
Syntax show user-awareness
Example show user-awareness
show user-awareness
Syntax show user-awareness advanced-settings
Example show user-awareness advanced-settings
show user-awareness browser-based-authentication
Syntax show user-awareness browser-based-authentication
Example show user-awareness browser-based-authentication

show vpn
show vpn
Syntax show vpn site <site>
Parameters
Site name
Example show vpn site site17
show vpn
Syntax show vpn tunnel <tunnel>
Parameters
tunnel
Example show vpn tunnel -1000000
show vpn remote-access
VPN Remote Access

Syntax show vpn remote-access
Example show vpn remote-access

Syntax show vpn remote-access advanced-settings
Example show vpn remote-access advanced-settings
show vpn remote-access advanced
Syntax show vpn remote-access advanced
Example show vpn remote-access advanced
show vpn site-to-site
VPN Global

Syntax show vpn site-to-site
Example show vpn site-to-site


Syntax show vpn site-to-site advanced-settings

Example show vpn site-to-site advanced-settings

show vpn sites
Syntax show vpn sites
Example show vpn sites
show vpn tunnels
Syntax show vpn tunnels
Example show vpn tunnels
show wlan
Virtual Access Point
show wlan
Syntax show wlan vap <vap>
Parameters
vap
Example show wlan vap My_Network

show wlan
Syntax show wlan
Example show wlan

show wlan radio
Wireless networks
show wlan radio

Syntax show wlan radio
Example show wlan radio
show wlan radio

Syntax show wlan radio advanced-settings
Example show wlan radio advanced-settings
show wlan statistics
Description Wireless statistics

Syntax show wlan statistics
Example show wlan statistics
show wlan vaps

Syntax show wlan vaps
Example show wlan vaps

show wlan vaps statistics
Description Wireless statistics per vap
Syntax show wlan vaps statistics
Example show wlan vaps statistics
update security-blades
Description Blade update status
Syntax update security-blades [ all ]
Example update security-blades all

Check Point 600 1100 1200R Cli Guide PDF

Загружено:

Сведения о документе

Оригинальное название

Авторское право

Доступные форматы

Поделиться этим документом

Поделиться или встроить документ

Параметры публикации

Этот документ был вам полезен?

Это неприемлемый материал?

Авторское право:

Доступные форматы

Check Point 600 1100 1200R Cli Guide PDF

Загружено:

Авторское право:

Доступные форматы

Check Point 600, 1100, and 1200R Appliance

Command Line Interface

June 17, 2015

add access-rule type incoming-internal-and-vpn . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12

add access-rule type outgoing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

add antispam allowed-sender . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

add antispam blocked-sender . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

add netflow collector . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

Command Line Interface Reference Guide R77.20 Embedded | 1

add threat-prevention exception . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34

add threat-prevention ips network-exception . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34

add threat-prevention whitelist type-file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36

add threat-prevention whitelist type-url . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36

add vpn site . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36

add wlan vap . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43

delete access-rule type incoming-internal-and-vpn . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44

delete access-rule type outgoing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45

delete antispam allowed-sender . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47

delete antispam blocked-sender . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48

delete dhcp server interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50

delete nat-rule position . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55

delete netflow collector . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56

Command Line Interface Reference Guide R77.20 Embedded | 2

delete snmp traps-receivers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61

delete snmp users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61

delete threat-prevention anti-virus file-type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62

delete threat-prevention anti-virus file-type custom . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63

delete threat-prevention exception . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63

delete threat-prevention exception position . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63

delete threat-prevention exceptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63

delete threat-prevention ips network-exception . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64

delete threat-prevention whitelist type-file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64

delete threat-prevention whitelist type-url . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65

delete vpn site . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66

delete wlan vaps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67

fetch cloud-services policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67

find threat-prevention ips protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68

Command Line Interface Reference Guide R77.20 Embedded | 3

set access-rule type incoming-internal-and-vpn . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69

set access-rule type outgoing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71

set administrator session-settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76

set dhcp server interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93

set dhcp-relay . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100

set dns . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101

set dynamic-dns . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102

set fw policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103

set fw policy user-check accept . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105

set fw policy user-check ask . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105

set fw policy user-check block . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106

set group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106

set host . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108

set hotspot . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108

set https-categorization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110

Command Line Interface Reference Guide R77.20 Embedded | 4

set internet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113

set internet mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114

set internet-connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114

set ip-fragments-params . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121

set ips engine-settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122

set local-group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123

set local-group users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124

set local-user . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124

set log-servers-configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125