clish -s -c "add arpproxy address <ip> macaddress <vip mac>"
clish -s -c "delete arpproxy address <ip>"

[ # ]

netstat -rn | grep instance    // Look for the 2 non "default" tables
netstat -rn | egrep 'instance|iCSU'    // View PBR table
clish -s 'show aclrules'    // View ACLs
clish -s 'show acl'    // View interfaces ACLs are configured for

[ # ]

clish
  add pbr table <table_name>
  set pbr table <table_name> default route enable
  set pbr table <table_name> default nexthop gateway address <default_nexthop_ip>
  add acl <acl_name>
  set acl <acl_name> ininterface <ifname>
  set acl <acl_name> outinterface <ifname>
  add aclrule <acl_name> position 1
  set aclrule <acl_name> position 1 action pbr pbr_table <table_name> srcaddr <src_address_with_CIDR> destaddr <dst_address_with_CIDR> srcport 0-65535 destport 0-65535 protocol any tcp_estab no tos any dstfield none qspec none
  save config
  exit

Notes:

  • <table_name> and <acl_name> can be anything you want
  • In ACL, use 0.0.0.0/0 for "any"

[ # ]

!! Change IP
clish -s -c "add interface <if name> address <new ip address>/<cidr>"
clish -s -c "delete interface <if name> address <old ip address>"

!! Remove logical interface
clish -s -c "delete interface <if name>"

!! Delete interface (Will disable VRRP monitoring)
clish -s -c "set interface <if name> disable"
clish -s -c "set interface <if name> logical-name <if name>"
clish -s -c "delete interface <if name> address <old ip address>"

!! Set interface speed
clish -s -c "set interface <physical-interface> speed 100M duplex full active on"

!! Create Interface with VRRP - Example
clish
  add interface eth-s1p2 vlanid 141 address 172.1.1.3/24 logical-name eth-s1p2c23 enable
  set vrrp interface eth-s1p2c23 monitored-circuit vrid 127 monitored-interface eth-s1p2c0 on
  set vrrp interface eth-s1p2c23 monitored-circuit vrid 127 hello-interval 1
  set vrrp interface eth-s1p2c23 monitored-circuit vrid 127 priority 90
  set vrrp interface eth-s1p2c23 monitored-circuit vrid 127 backup-address 172.1.1.1 on
  set vrrp interface eth-s1p2c23 monitored-circuit vrid 127 monitored-interface eth-s1p2c0 priority-delta 10
  set vrrp interface eth-s1p2c23 monitored-circuit vrid 127 monitored-interface eth-s1p1c0 on
  set vrrp interface eth-s1p2c23 monitored-circuit vrid 127 monitored-interface eth-s1p1c0 priority-delta 10
  save config
  exit

[ # ]

fwpolicy.exe /RB: <policy-name> connect <ip> <username>  !! SmartDashboard
CPlgv.exe connect <ip> <username>  !! SmartView Tracker
provider.exe connect <ip> <username>  !! Provider-1

Notes:

  • 'cd' into the application's directory first
  • This applies to versions R55 up to (but not including) R80

[ # ]

snmp-server location <location-information>
snmp-server contact <contact-information>
snmp-server host <interface> <ip> trap community <community-string>    !! Device only sends traps, no polling
snmp-server host <interface> <ip> poll community <community-string>    !! Device is only polled, no traps
snmp-server enable traps

Notes:

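  • You can leave off 'poll' and 'trap' to allow both
  • The community string works as a shared password and SNMPv1/v2c sends it in cleartext, so use a non-default value and point the host entries only at your management stations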

Documentation

[ # ]

tcpdump -nni [interface] host [ip]
tcpdump -nni [interface] net [ip]/[cidr]
tcpdump -nni [interface] host [ip] and port [port]
tcpdump -nni [interface] vlan [vlan #] and host [ip]
tcpdump -w [file].cap -s 1514 -nni [interface] host [src] and host [dst]        !! -s 1514 captures the entire packet (up to 1514 bytes) into the file, payload included - treat the .cap as sensitive
tcpdump -r [file].cap                    !! Read back and display the capture from the file
tcpdump -nni [interface] host [ip] &      !! & symbol puts capture in the background
tcpdump -nni [interface] \(host [ip] or host [ip]\) and \(host [ip] or host [ip]\)
tcpdump -nni [interface] ip proto 112      !! IP protocol 112 = VRRP

fw monitor -e 'accept src=[ip] or dst=[ip] ;'    !! net ip/CIDR ??
fw monitor -e "accept (src=192.168.11.1 and dst=10.10.10.1) or (src=10.10.10.1 and dst=192.168.11.1);"

[ # ]

exec nsrp vsd-group <group ID> mode master

Notes:

  • Performed on the standby/backup firewall

[ # ]

  • fxp1 - Control link - Enables sync of config
  • fxp0 - Management interface - Can be used for OOB
  • fab# - Data link - Session sync (packets known as "real-time object" or RTO), transit traffic link for active/active, fragmentation not supported, jumbo frames supported
  • reth - Each reth is a logical interface containing 1 physical interface from each firewall

Redundancy Group 0 is always the routing engine; Group 1 is what has been configured for failover, such as the interfaces

[ # ]

set cli pager off
set cli config-output-format set

Notes:

  • The set commands in the output may not be listed in order, so the output cannot be relied on as-is when applying it to a blank configuration

[ # ]