!! Create user with specific role
set user <username> roles <role name>        !!  Default roles are adminRole & monitorRole

!! Create custom roles
add rba role <username> domain-type System readonly-features <comma-separated-list-of-RO-commands> readwrite-features <comma-separated-list-of-RW-commands>

Example of creating a role:

add rba role SomeRole domain-type System readonly-features vpn,ospf,rba readwrite-features tag,revert,fcd

Notes:

  • All of these are performed via clish. DON'T FORGET TO SAVE (`save config`), or the change is lost on reboot.


fw fetch <CMA/MGMT IP>   !! Fetch policy from management server (run from gateway)
fwm load <policy-name> <gateway-name>  !! Push policy from management server to gateway (run on management server). add '-v<#>' to load a repository version


clish -s -c "set static-route <ip>/<cidr> nexthop gateway address <gateway> on"
clish -s -c "set static-route default nexthop gateway address <gateway> on"


Pre-IPSO 6.2
voyager -e 0 <port>    !! No Encryption (plaintext HTTP; admin credentials and session traffic are exposed on the network)
voyager -e 128 <port>  !! 128-bit SSL Encryption

IPSO 6.2+
set voyager ssl-port <port>


useradd -u 0 -g 0 -o -s /bin/bash <username>    !! Creates a second UID 0 (root-equivalent) account; -o permits the duplicate UID. Audit/remove when no longer needed.


cp_conf admin get    !! View current administrators
cp_conf admin add <user> <passw> <r|w>    !! Add user with read-only (r) or write (w) permissions. The password is passed on the command line, so it lands in shell history and is visible in the process list while running.
cp_conf admin del <admin1> <admin2> ...   !! Delete user(s)

cp_conf client get   !! View currently defined GUI clients
cp_conf client add <ip/netmask> !! Add a GUI client
cp_conf client del <GUI Client 1> <GUI Client 2> ... !! Delete GUI client(s)
cp_conf client createlist <GUI Client 1> <GUI Client 2>...  !! Add new GUI clients list


Delete the lock file from one of the following possible locations:

  • $FWDIR/tmp
  • $FWDIR/log

Notes:

  • This should only be done if a user still shows as locked even though they are logged out. Do NOT perform this while a user is actually logged in.


// Capturing log fields into AWK variables (each action block extracts one field from the line)
RuleNum             - { rule = substr($0, match($0, /rule=[0-9]+/)+5, RLENGTH-5) };
Origin                    - { orig = substr($0, match($0, /orig=[0-9.]+/)+5, RLENGTH-5) };
Protocol               - { proto = substr($0, match($0, /proto=[0-9a-zA-Z]+/)+6, RLENGTH-6) };
DstPort                 - { port = substr($0, match($0, /service=[0-9]+/)+8, RLENGTH-8) };
SrcIP                      - { srcip = substr($0, match($0, /src=[0-9.]+/)+4, RLENGTH-4) };
DstIP                     - { dstip = substr($0, match($0, /dst=[0-9.]+/)+4, RLENGTH-4) };
xSrc                  - { xsrc = substr($0, match($0, /xlatesrc=[0-9.]+/)+9, RLENGTH-9) };
NatRule                - { natrule = substr($0, match($0, /NAT_rulenum=[0-9]+/)+12, RLENGTH-12) };

// Example - The following counts the protocols and ports hitting a specific rule (note: the LEA log format may have changed since this was written, so do not rely on it completely)
grep 'orig=<ip> ' <log-filename> | grep 'rule=<rule#> ' | awk '{ proto = substr($0, match($0, /proto=[0-9a-zA-Z]+/)+6, RLENGTH-6) }; { port = substr($0, match($0, /service=[0-9]+/)+8, RLENGTH-8) }; {print proto " " port};'  | sort | uniq -c | sort -nr | awk 'BEGIN {print "\nHits\tProto\tPort";}{print $1"\t"$2"\t"$3}'

Notes:

  • The LEA log field order and positions may have changed since this was created; the commands may need modification before they work.
  • Useful for parsing LEA logs and looking for hits on specific rules.


webui enable <port>
webui disable


fwha_vmac_global_param_enabled 1        !! Enable Until Reboot
fwha_vmac_global_param_enabled 0        !! Disable (default)

vi $FWDIR/boot/modules/fwkern.conf        !! Enable Permanently (add the following line to the file)
fwha_vmac_global_param_enabled=1

Notes:

  • This is useful so that the MAC addresses of the VIPs do not change on cluster failover. It may correct issues with switches holding on to the old VIP MAC address.
