Lucent VPN Firewall Bricks® 350, 1000, 1100 with Encryption Accelerator Cards
FIPS 140-2 Non-Proprietary Security Policy
Level 2 Validation
Version 6.2
January 27, 2005

© Copyright 2005 Lucent Technologies, Inc. This document may be freely reproduced and distributed whole and intact including this Copyright Notice.

Non-Proprietary Security Policy    Page 2 of 74

Table of Contents

1 INTRODUCTION  4
1.1 PURPOSE  4
1.2 REFERENCES  4
1.3 TERMINOLOGY  4
1.4 DOCUMENT ORGANIZATION  4
2 THE BRICK 350, BRICK 1000, AND BRICK 1100 VPN FIREWALLS WITH ENCRYPTION ACCELERATOR CARDS  6
2.1 THE CRYPTOGRAPHIC MODULE  7
2.2 MODULE INTERFACES  9
2.3 ROLES AND SERVICES  22
2.3.1 Crypto Officer Services  22
2.3.2 User Services  63
2.4 PHYSICAL SECURITY  63
  Brick 350 Module:  63
  Brick 1000 Module:  64
  Brick 1100 Module:  64
2.5 CRYPTOGRAPHIC KEY MANAGEMENT  68
2.6 SELF-TESTS  70
3 SECURE OPERATION OF THE BRICK 350, BRICK 1000, AND BRICK 1100 VPN FIREWALLS WITH ENCRYPTION ACCELERATOR CARDS  71
3.1 INITIAL SETUP  71
3.2 MODULE INITIALIZATION AND CONFIGURATION  71
3.3 IPSEC REQUIREMENTS AND CRYPTOGRAPHIC ALGORITHMS  72
3.4 REMOTE ACCESS  72

1 Introduction

1.1 Purpose

This is the non-proprietary Cryptographic Module Security Policy for the Brick 350, Brick 1000, and Brick 1100. This security policy describes how the Brick 350, Brick 1000, and Brick 1100 (Hardware Version: Brick 350, Brick 1000, and Brick 1100; Encryption Accelerator Card v2: Hardware Version 1.0, Board Version 1, EAC v2 Firmware version: 7.1; Firmware Version: Lucent LVF 7.2.292) meet the security requirements of FIPS 140-2, and how to operate the Bricks in a secure FIPS 140-2 mode. This policy was prepared as part of the Level 2 FIPS 140-2 validation of the Brick 350, Brick 1000, and Brick 1100 VPN Firewalls.
FIPS 140-2 (Federal Information Processing Standards Publication 140-2 -- Security Requirements for Cryptographic Modules) details the U.S. Government requirements for cryptographic modules. More information about the FIPS 140-2 standard and validation program is available on the NIST website at http://csrc.nist.gov/cryptval/.

1.2 References

This document deals only with operations and capabilities of the Brick 350, Brick 1000, and Brick 1100 in the technical terms of a FIPS 140-2 cryptographic module security policy. More information is available on the Brick 350, Brick 1000, and Brick 1100, and the entire Brick series, from the following sources:

· The Lucent Technologies website contains information on the full line of products at http://www.lucent.com. The Lucent product descriptions can be found at: http://www.lucent.com/products/subcategory/0,,CTID+2017-STID+10080-LOCL+1,00.html
· For answers to technical or sales related questions please refer to the contacts listed on the Lucent Technologies website at http://www.lucent.com/support/access.html.
· The NIST Validated Modules website (http://csrc.nist.gov/cryptval) contains contact information for answers to technical or sales-related questions for the module.

1.3 Terminology

In this document, the Brick 350, Brick 1000, and Brick 1100 as a group are referred to as the Module(s) or module(s). When referring to a specific Brick, the module is referred to as the Brick 350 module, the Brick 1000 module, or the Brick 1100 module.

1.4 Document Organization

The Security Policy document is part of the FIPS 140-2 Submission Package. In addition to this document, the Submission Package contains:

· Vendor Evidence document
· Finite State Machine
· Module Software Listing
· Other supporting documentation as additional references

This document provides an overview of the Brick 350, Brick 1000, and Brick 1100 modules and explains the secure configuration and operation of the modules.
This introduction section is followed by Section 2, which details the general features and functionality of the Brick 350, Brick 1000, and Brick 1100 modules. Section 3 specifically addresses the required configuration for the FIPS mode of operation.

This Security Policy and other Validation Submission Documentation was produced by Corsec Security, Inc. under contract to Lucent Technologies, Inc. With the exception of this Non-Proprietary Security Policy, the FIPS 140-2 Validation Submission Documentation is Lucent-proprietary and is releasable only under appropriate non-disclosure agreements. For access to these documents, please contact Lucent Technologies, Inc.

2 The Brick 350, Brick 1000, and Brick 1100 VPN Firewalls with Encryption Accelerator Cards

The VPN Firewall Brick is a high-speed packet-processing appliance, oriented towards providing security functions. The module is offered in several models, providing different physical interface combinations as well as different capacity and throughput ratings. The module is Intel Pentium based, using a PCI bus backplane, so its speed and capacity scale with standard components and have a minimum growth predictable according to Moore's Law. The Brick product line provides LAN-level Ethernet interfaces, in both 10/100 copper and Gigabit fiber ports.

In the larger modules (Brick 1000 and Brick 1100), the fan is the only continuously moving part, allowing the module to have an extremely long hardware mean time between failures (MTBF), greater than 7 years. Within the module, local policy and configuration data are only stored on a solid-state Non-Volatile Random Access Memory (NVRAM) disk. The module does not run as an application on top of a commercial operating system; rather, it runs as the kernel of a small, highly application-specific operating system, designed for small embedded security applications.
VPN Firewall Bricks incorporate these features:

· Packet Forwarding: Bridging and Routing
· IEEE 802.1q VLAN Tag Support
· Virtual Firewalls & Stateful Packet Filtering
· Application Filters
· Virtual Private Networking (VPN) & Network Address Translation (NAT)
· User Authentication
· Quality of Service/Bandwidth Management
· Denial of Service Protection
· Brick Partitions
· Brick Failover/Redundancy & State Sharing
· Dynamic Address Support
· Logging

The same software binary image ("tvpc.Z") runs on all modules, so all features discussed are available on all module platforms. The binary images are identical across all platforms, regardless of the Brick's model number or configuration setup. Bricks are available in a variety of hardware models; the models differ solely in throughput, capacity, and physical interface types.

This Security Policy applies to the following FIPS 140-2 Level 2 validated Modules:

Brick 350 Module: For enterprise-class demands of large corporate facilities.

· VPN Firewall Brick® Model 350 Basic [8-10/100 Ethernet Ports, Internal AC Power Supply, Internal Floppy Drive]
· VPN Firewall Brick® Model 350 VPN [8-10/100 Ethernet Ports, Installed Encryption Accelerator Card (EAC) v2, Internal AC Power Supply, Internal Floppy Drive]

Brick 1000 Module: For service providers offering advanced security services packages.

· VPN Firewall Brick® Model 1000 (5/4) [5-10/100 Ethernet Ports/4-Gigabit Fiber Ports, Dual Internal AC Power Supply, Internal Floppy Drive]
· VPN Firewall Brick® Model 1000 (3/4) [3-10/100 Ethernet Ports/4-Gigabit Fiber Ports, Installed Encryption Accelerator Card (EAC) v2, Dual Internal AC Power Supply, Internal Floppy Drive]

Brick 1100 Module: For service providers offering advanced security services packages.
· VPN Firewall Brick® Model 1100 (7/4) [7-10/100 Ethernet Ports/4-Gigabit Fiber Ports, 3 Installed Encryption Accelerator Cards v2, Dual Internal AC Power Supply, Internal Floppy Drive]

2.1 The Cryptographic Module

Figure 1 - The Brick 350 Module
Figure 2 - The Brick 1000 Module
Figure 3 - The Brick 1100 Module

The Brick 350, Brick 1000, and Brick 1100 modules are multiple-chip standalone cryptographic modules. The cryptographic boundary is defined as the front, right, left, top, and bottom sides of the case; all portions of the rear of the case that are not designed to accommodate a network module or power supply; and the inverse of the three-dimensional space within the case that would be occupied by any installed power supply or network module that does not perform approved services. The cryptographic boundary includes the connection apparatus between the network modules and power supplies and the motherboard that hosts the network modules and power supplies, but the boundary does not include the power supplies and network modules themselves. In other words, the cryptographic boundary encompasses all hardware components within the case of the module except any installed network modules and power supplies. All of the functionality discussed in this document is provided by components within this cryptographic boundary.

The Brick 1000 module requires that a special opacity shield be installed on the top portion of the rear of the module, covering the top row of ventilation holes along the rear of the chassis (as shown in Figure 4) in order to operate in FIPS-approved mode. The shield completely covers the ventilation holes on the top of the rear panel of the Brick 1000 module. To apply, remove the three pan-head screws from the rear of the chassis and attach the opacity shield to the chassis, using the three flat-head screws that are supplied with the FIPS kit. Figure 4 demonstrates the proper application of the shield.
Figure 4 - Brick 1000 Opacity Shield Application

2.2 Module Interfaces

Features such as tunneling, data encryption, and termination of Remote Access Wide Area Networks (WANs) via Internet Protocol Security (IPSec) make the Lucent VPN Firewall Brick an ideal platform for building virtual private networks. The interfaces for the module are located on the front and rear panels of the modules as shown in the following figures.

Figure 5 - Brick 350 Physical Interfaces
Figure 6 - Brick 1000 Physical Interfaces
Figure 7 - Brick 1100 Physical Interfaces

The physical interfaces include a power switch, a keyboard port, a monitor port, and a console port (RS-232 serial connector) on the backplane for local system access (on the Brick 350, the port labeled "Serial Port" is the Console Port), Ethernet ports (Ether0 and Ether1 for the Brick 350, Ether0 for the Brick 1000, and Ether0 and Ether7 for the Brick 1100), and the Network Module connection interfaces on the motherboard.

The module's status interfaces are located on the front and rear panels. These LEDs provide overall status of the module's operation. Figure 8, Figure 9, and Figure 10 show the front panel LEDs of the Brick 350, Brick 1000, and Brick 1100 modules. Figure 11, Figure 12, and Figure 13 show the rear panel LEDs of the Brick 350, Brick 1000, and Brick 1100 modules. Table 1 and Table 2 provide descriptions for the front panel LEDs, Table 3 and Table 4 provide descriptions for the rear panel LEDs, and Table 5 provides a description of the modules' audible buzzer.
Front Panel LEDs:

Figure 8 - Brick 350 Front Panel LEDs (labels: Power LED, FD Activity LED, EA Activity LED)
Figure 9 - Brick 1000 Front Panel LEDs (Model 1000 - Front View, Cover Open; labels: Disk Activity LED, Power LED, Fault Indicator LED, Floppy Activity LED)
Figure 10 - Brick 1100 Front Panel LEDs (Model 1100 - Front View, Cover Open; labels: Disk Activity LED, Power LED, Fault Indicator LED, Floppy Activity LED)

Table 1 - Brick 350 Front Panel LEDs and Descriptions (LED: Indication: Description)

Power
  Solid: Power is supplied to the module
  Off: The module is not powered on
FD Act
  Intermittent: The flash disk is in use
  Off: The flash disk is not in use
EA Act
  Blinking: Encryption Accelerator Card is in use
  Solid: Encryption Accelerator Card failed while LED was blinking in the ON state
  Off: If Encryption Accelerator Card is installed, either the EAC is not currently in use or the EAC failed while LED was blinking in the OFF state
Floppy Drive
  On: The floppy drive is reading a diskette
  Off: The floppy drive is not in use

Table 2 - Brick 1000 and Brick 1100 Front Panel LEDs and Descriptions (LED: Indicator: Description)

Power
  Green: Power is supplied to the module
  Off: The module is not powered on
Floppy Drive
  On: The floppy drive is reading a diskette
  Off: The floppy drive is not in use
Disk Activity
  Amber: The flash disk is in use
  Off: The flash disk is not in use
Fault (Power Supply)
  Orange: Power supply failure
  Off: The power supplies are on and functioning

Rear Panel LEDs:

Figure 11 - Brick 350 Rear Panel LEDs (Model 350; labels: Ether1 LEDs, Ether0 LEDs)
Figure 12 - Brick 1000 Rear Panel LEDs
Figure 13 - Brick 1100 Rear Panel LEDs

Table 3 - Brick 350 Rear Panel LEDs and Descriptions (LED: Indicator: Description)

Motherboard Ether0
  Left: Off: Port connected at 10Mbps
  Left: On: Port connected at 100Mbps
  Right: On: Port is on
  Right: Intermittent: Data being transferred
Motherboard Ether1
  Left: Off: Port connected at 10Mbps
  Left: Green: Port connected at 100Mbps
  Left: Yellow: Port connected at 1000Mbps
  Right: On: Port is on
  Right: Intermittent: Data being transferred

Table 4 - Brick 1000 and Brick 1100 Rear Panel LEDs and Descriptions (LED: Indicator: Description)

Encryption Accelerator (LED)
  Blinking: Encryption Accelerator Card is in use
  Solid: Encryption Accelerator Card failed while LED was blinking in the ON state
  Off: If Encryption Accelerator Card is installed, either the EAC is not currently in use or the EAC failed while LED was blinking in the OFF state
Motherboard Ether0
  Left: Off, Right: On: Good connection at 10Mbps
  Left: On, Right: On: Good connection at 100Mbps
  Left: Off, Right: Off: No connection
  Left: Off, Right: Intermittent: Data being transferred at 10Mbps
  Left: On, Right: Intermittent: Data being transferred at 100Mbps
Motherboard Ether7 (Brick 1100)
  Left: Off, Right: On: Good connection at 10Mbps
  Left: On, Right: On: Good connection at 100Mbps
  Left: Off, Right: Off: No connection
  Left: Off, Right: Intermittent: Data being transferred at 10Mbps
  Left: On, Right: Intermittent: Data being transferred at 100Mbps

Table 5 - Brick 350, Brick 1000, and Brick 1100 Module Audible Description (Audible Indicator: Description)

Sustained alarm: A power supply has failed
Beep: OS image has successfully been loaded by floppy
Buzzer Off: Alarm Cut Off Switch is enabled or the module is powered off

All of these physical interfaces are separated into the logical interfaces from FIPS 140-2 as described in the following tables (FIPS 140-2 Logical Interface: Brick Module Physical Interfaces):

Table 6 - Brick 1100 Module FIPS 140-2 Logical Interfaces

Data Input Interface: Network Module Interface, Ethernet Ports, Console Port, Floppy Drive, PS/2 Keyboard Port
Data Output Interface: Network Module Interface, Ethernet Ports, SVGA Video Port, Console Port
Control Input Interface: Network Module Interface, Ethernet Ports, Power Switch, Alarm Cut Off Switch, PS/2 Keyboard Port, Console Port
Status Output Interface: Network Module Interface, Ethernet Ports, SVGA Video Port, Ethernet Port LEDs, Encryption Acceleration Card LED, Power LED, Disk Activity LED, Fault Status Indicator LED, Floppy Drive LED, Buzzer
Power Interface: Motherboard
Disabled / Non-functional: Parallel Port, Mouse Port, USB Port #1, USB Port #2

Table 7 - Brick 1000 Module FIPS 140-2 Logical Interfaces

Data Input Interface: Network Module Interface, Ethernet Port, Console Port, Floppy Drive, PS/2 Keyboard Port
Data Output Interface: Network Module Interface, Ethernet Port, SVGA Video Port, Console Port
Control Input Interface: Network Module Interface, Ethernet Port, Power Switch, Power Supply Alarm Reset Button, PS/2 Keyboard Port, Console Port
Status Output Interface: Network Module Interface, Ethernet Port, SVGA Video Port, Ethernet Port LEDs, Encryption Acceleration Card LED, Power LED, Disk Activity LED, Fault Status Indicator LED, Floppy Drive LED, Buzzer
Power Interface: Motherboard
Disabled / Non-functional: USB Port #1, USB Port #2, Serial Port, Parallel Port, Monitor Port #2 (Motherboard), Sound Ports, Mouse Port

Table 8 - Brick 350 Module FIPS 140-2 Logical Interfaces

Data Input Interface: Network Module Interface, Ethernet Ports, Serial Port, Floppy Drive, PS/2 Keyboard Port
Data Output Interface: Network Module Interface, Ethernet Ports, SVGA Video Port
Control Input Interface: Network Module Interface, Ethernet Ports, Power Button, PS/2 Keyboard Port
Status Output Interface: Network Module Interface, Ethernet Ports, SVGA Video Port, Ethernet Port LEDs, Flash Disk Activity LED, Power LED, Floppy Drive LED, Buzzer
Power Interface: Motherboard
Disabled / Non-functional: Parallel Port, USB Port #1, USB Port #2, USB Port #3

2.3 Roles and Services

Authentication is role-based. The two roles allowed in a FIPS 140-2 Level 2 approved mode of operation are the Crypto Officer role and the User role. The Crypto Officer (via the Lucent Security Management Server [LSMS]) generates a digital certificate which is then loaded into the module at initialization. This certificate is then used during a Secure Sockets Layer (SSL)-like protocol to authenticate the Crypto Officer to the module during all future authentication attempts. Users authenticate to the module using a shared secret Hashed Message Authentication Code - Secure Hash Algorithm (HMAC-SHA-1) key. This authentication is per packet via verification of an HMAC.

The Crypto Officer communicates with the Module through an encrypted session that is established using the Crypto Officer Session Keys (DES or 3DES, NIST FIPS PUB 46-3, and HMAC, NIST PUB 198) and authenticates to the Module using a digital certificate. VPN functionality is available via the User Role. VPN clients authenticate to the Module per (network-layer) packet using a shared secret HMAC-SHA-1 key configured by the Crypto Officer. The Crypto Officer may also authenticate to the cryptographic module via the local console port using a password (which is hashed locally) in order to perform a small number of maintenance activities.

2.3.1 Crypto Officer Services

The Crypto Officer is responsible for the configuration and management of the Module. The Crypto Officer first provides an initial configuration for the Module and then is able to access the Module over an encrypted session. Through this session, the Crypto Officer can perform full management of the Module, including loading IPSec Security Associations (SAs) onto the Module for Users.
During the initial configuration of the Module, the Crypto Officer generates a disk using the LSMS and this information is then loaded onto the Module over the Module's floppy disk drive. The files on this disk include the following configuration information:

· Crypto Officer certificate containing the Crypto Officer Certificate Authority (CA) Digital Signature Algorithm (DSA) public key
· DSA key pair for the module (the public key is contained in a certificate generated by the Crypto Officer)
· Diffie-Hellman (DH) public parameters
· IP address of the LSMS
· Domain Name Server (DNS) Host Name given to identify the Module

The Module's public key (of the DSA key pair loaded onto the Module) is contained in a certificate generated by the LSMS CA. Each Module is given such a unique certificate, and this is used during the Crypto Officer handshake protocol to authenticate the Module to the Crypto Officer. Additionally, the Crypto Officer possesses a certificate, to allow the Module to authenticate the Crypto Officer. Collectively, these certificates provide a mutual authentication between the Crypto Officer and every Module, so an intruder cannot masquerade as either the Crypto Officer or a Module.

Once the Module has been initialized, the Crypto Officer may begin management of the Module through a Triple Data Encryption Standard (3DES) encrypted IP session. The Module provides the Crypto Officer role exclusively to the LSMS after the initial configuration is completed. Digital certificates are used to authenticate the Crypto Officer to the Module and the Module to the Crypto Officer, and a Diffie-Hellman key agreement is performed to negotiate encrypted session keys (HMAC SHA-1 and 3DES keys). After the encrypted session is established, the Crypto Officer accesses the Module's services through this session. Through an encrypted session, the Crypto Officer configures the module for use by IPSec clients.
The Crypto Officer loads IPSec SAs onto the module over the encrypted session, including any IPSec SA session keys. As part of these SAs, the Crypto Officer configures the shared secret HMAC keys used to authenticate the User to the module.

An operator assuming the Crypto Officer role performs all administrative functions listed below, which are services that are embedded within the LSMS and activated from Application Programming Interface (API) calls to the Module. Each entry gives the LSMS Function, the Service Call, and its Description. Unless stated otherwise in the entry, the Service Output is the same for every call: if the returned value is equal to the exact length of the issued command, then the command executed successfully; if the returned value is equal to any value other than the exact length of the issued command, then the command did not execute successfully.

Writing Commands...

[BTABLE] "begin tableload": Prepare the brick to download a full policy definition including both all of the individual rule policies and the brick configuration (routes, interfaces, VLANs, etc).
[BATABLE] "begin tableadd": make a copy of the current brick zone table configuration in preparation for loading the initial (post-boot) policy for contacting the LSMS to download the initial policy. The reason for the copy is so that we do not lose state information in the event that we just transitioned from the standby to the active.
[BLOAD] "begin load": Clears out any loading state from a zone in preparation for loading a new zone policy.
[STABLE] "sign table": saves full policy signer information (e.g. administrator name, date).
[SDOMAIN] "sign domain": saves domain (zone) signer information (e.g. administrator name, date).
[ALOAD] "abort load": change brick state to "aborted" for use by the "read load state" command.
[ETABLE] "end tableload": signals the end of a full load (prerequisite "begin tableload"). This causes the brick to verify the signatures on the load.
[ELOAD] "end load": signals the end of a policy (prerequisite "begin load"). This causes the brick to verify the signatures on the policy.
[SWITCH] "switch over": make the pending full policy or individual zone policy active. (prerequisite begin load or begin tableload).
[ATABLE] "add table": add an entry to the zone assignment table (prerequisite "begin tableload").
(none) "adm cert": passes the public certificate for the administrator signing this particular object. (prerequisite, begin load or tableload).
(none) "adm pk": passes the signing administrator's public key. (prerequisite, begin load or tableload).
(none) "data cert": pass the public certificate (i.e. the signature) of the object (full load or individual zone load). (prerequisite, begin load or tableload).
[AETHTYP] "add ethertype": add an entry to the list of ethertype non-ip protocols allowed to pass through the firewall (prerequisite, begin tableload).
[SETHTYP] "switch ethertype": activate the pending list of ethertype non-ip protocols allowed to pass (prerequisite, begin tableload).
[ADSAP] "add dsap": add an entry to the list of dsap non-ip protocols allowed to pass through the firewall (prerequisite, begin tableload).
[SDSAP] "switch dsap": activate the pending list of dsap non-ip protocols allowed to pass (prerequisite, begin tableload).
[AROUTE] "add route": add an entry to the pending IP static routing table. (prerequisite, begin tableload).
[APROXY] "add proxy": add an entry to the pending reflection proxy table. (prerequisite, begin tableload).
[ADPROXY] "add dynamic proxy": add an entry to the *active* reflection proxy table. (This is an old command that is no longer used in LVF version 7.2.292.) Service Output: [This function cannot be used in the FIPS mode of operation.]
[DDPROXY] "delete dynamic proxy": delete an entry from the *active* reflection proxy table. (Never used.)
[ARULE] "add rule": adds a pending rule to the loading domain. (prerequisite, begin load).
[ADRULE] "add dynamic rule": adds an active rule to the specified domain. (Never used.)
[DDRULE] "delete dynamic rule": does nothing. Service Output: Does nothing.
[AMASK] "add mask": adds a pending dependency mask to the specified domain. (prerequisite, begin load).
[ADMASK] "add dynamic mask": adds an active dependency mask to the specified domain.
[AHOST] "add hostgrp": adds a pending host group entry to the specified domain. (prerequisite, begin load).
[ADHOST] "add dynamic hostgrp": adds an active host group entry to the specified domain.
[DDHOST] "delete dynamic hostgrp": deletes a host group entry from the specified domain. (Host group entry must have been loaded with an add dynamic hostgroup.)
[ASRV] "add srvgrp": adds a pending service group entry to the specified domain. (prerequisite, begin load).
[ADSRV] "add dynamic srvgrp": adds an active service group entry to the specified domain. (Not used.)
[SCOMM] "set comm": sets file descriptor and address of the connection to the audit server.
[DISABLE] "disable firewall": turns off packet processing for packets not originating on the firewall or destined to the firewall.
[RENABLE] "reenable firewall": undoes "disable firewall". ... firewall or destined to the firewall.
length of the issued command, then the command executed successfully; if the returned value is equal to any value other than the exact length of the issued command, then the command did not execute successfully. [RFRSHMAC] "refresh mac marks all of the MAC if the returned value table" table entries as stale so is equal to the exact that they can move if length of the issued necessary. Any command, then the sessions that have a command executed pointer to this entry successfully; if the have to be rerouted the returned value is next time a packet equal to any value comes through that other than the exact requires the MAC entry. length of the issued command, then the command did not execute successfully. [RFRSHARP] "refresh arp attempts to refresh all of if the returned value table" the entries in the ARP is equal to the exact table. length of the issued command, then the command executed successfully; if the returned value is equal to any value other than the exact length of the issued command, then the command did not execute successfully. Page 35 of 74 Writing Commands... LSMS Function Service Call Description Service Output This is an old command [This function cannot [SETAUTH] "set auth" that is no longer used in be used in the FIPS LVF version 7.2.292. mode of operation.] [LDTYPE] "set ldtype" sets load type so that if the returned value when a switchover is equal to the exact occurs, the brick knows length of the issued what to do. command, then the command executed successfully; if the returned value is equal to any value other than the exact length of the issued command, then the command did not execute successfully. sets the load state for [This function cannot use by the "read load be used in the FIPS "write load state". (This is an old mode of operation.] 
[WLSTATE] state" command that is no longer used in LVF version 7.2.292) [BOOTFREEZE] "zb" prevent the brick from if the returned value rebooting in the event is equal to the exact that a fatal error occurs length of the issued (aka a "panic"). This command, then the allows critical command executed information to be successfully; if the retained on the screen returned value is long enough to read it. equal to any value other than the exact length of the issued command, then the command did not execute successfully. Page 36 of 74 Writing Commands... LSMS Function Service Call Description Service Output [REBOOT] "zr" force the brick to if the returned value reboot. is equal to the exact length of the issued command, then the command executed successfully; if the returned value is equal to any value other than the exact length of the issued command, then the command did not execute successfully. This is an old command [This function cannot [REDIRECT] "redirect" that is no longer used in be used in the FIPS LVF version 7.2.292. mode of operation.] [AIPSEC] "add ipsec" add a pending Security if the returned value Association to the is equal to the exact specified zone. length of the issued (prerequisite begin command, then the load). command executed successfully; if the returned value is equal to any value other than the exact length of the issued command, then the command did not execute successfully. Page 37 of 74 Writing Commands... LSMS Function Service Call Description Service Output [ADIPSEC] "add dynamic add an active Security if the returned value ipsec" Association to the is equal to the exact specified zone. length of the issued command, then the command executed successfully; if the returned value is equal to any value other than the exact length of the issued command, then the command did not execute successfully. [DDIPSEC] "delete delete an active Security if the returned value dynamic Association to the is equal to the exact ipsec" specified zone. 
length of the issued command, then the command executed successfully; if the returned value is equal to any value other than the exact length of the issued command, then the command did not execute successfully. [TRCTRACE] "trace" prints general debug if the returned value trace help (disabled in is equal to the exact production). length of the issued command, then the command executed successfully; if the returned value is equal to any value other than the exact length of the issued command, then the command did not execute successfully. Page 38 of 74 Writing Commands... LSMS Function Service Call Description Service Output [TRCDUMP] "trace dump" Prints a specific table if the returned value (disabled in production). is equal to the exact length of the issued command, then the command executed successfully; if the returned value is equal to any value other than the exact length of the issued command, then the command did not execute successfully. [TRCLEVEL] "trace level" sets trace levels if the returned value (disabled in production). is equal to the exact length of the issued command, then the command executed successfully; if the returned value is equal to any value other than the exact length of the issued command, then the command did not execute successfully. [TRCENABLE] "trace enable" enables specific tracing if the returned value (disabled in production). is equal to the exact length of the issued command, then the command executed successfully; if the returned value is equal to any value other than the exact length of the issued command, then the command did not execute successfully. Page 39 of 74 Writing Commands... LSMS Function Service Call Description Service Output [TRCHELP] "trace help" prints general or Displays control specific debug trace status information help. 
about how to use the trace functions [DUMPENABLE] "dump enable" causes a stack dump to if the returned value be generated if the is equal to the exact current thread length of the issued terminates. command, then the command executed successfully; if the returned value is equal to any value other than the exact length of the issued command, then the command did not execute successfully. [ARPSRVRS] "arp servers" causes the brick to if the returned value generate ARPs for any is equal to the exact local management length of the issued addresses (i.e. LSMS). command, then the command executed successfully; if the returned value is equal to any value other than the exact length of the issued command, then the command did not execute successfully. Page 40 of 74 Writing Commands... LSMS Function Service Call Description Service Output [ADDAUDFIL] "add audit create an audit msg if the returned value filter" trace filter. is equal to the exact length of the issued command, then the command executed successfully; if the returned value is equal to any value other than the exact length of the issued command, then the command did not execute successfully. [MODAUDFIL] "mod audit modify an audit msg if the returned value filter" trace filter. is equal to the exact length of the issued command, then the command executed successfully; if the returned value is equal to any value other than the exact length of the issued command, then the command did not execute successfully. [DELAUDFIL] "delete audit delete an audit msg if the returned value filter" trace filter. is equal to the exact length of the issued command, then the command executed successfully; if the returned value is equal to any value other than the exact length of the issued command, then the command did not execute successfully. Page 41 of 74 Writing Commands... LSMS Function Service Call Description Service Output [SETAUDFIL] "set audit enable/disable an audit Enables or disables an filter" msg trace filter. 
audit msg trace filter. If the returned value is equal to the exact length of the issued command, then the command executed successfully; if the returned value is equal to any value other than the exact length of the issued command, then the command did not execute successfully. [SETARPFILTER] "set arp filter" enable/disable arp Enable/disable ARP filters. filters. If the returned value is equal to the exact length of the issued command, then the command executed successfully; if the returned value is equal to any value other than the exact length of the issued command, then the command did not execute successfully. Page 42 of 74 Writing Commands... LSMS Function Service Call Description Service Output [SETNONIPFILTER] set nonip enable/disable non-IP Enable/Disable non- filter" filters. IP filters. If the returned value is equal to the exact length of the issued command, then the command executed successfully; if the returned value is equal to any value other than the exact length of the issued command, then the command did not execute successfully. [ADDPKTFIL] "add packet create a packet trace If the returned value filter" filter is equal to the exact length of the issued command, then the command executed successfully; if the returned value is equal to any value other than the exact length of the issued command, then the command did not execute successfully. Page 43 of 74 Writing Commands... LSMS Function Service Call Description Service Output [MODPKTFIL] "mod packet modifies a packet trace If the returned value filter" filter is equal to the exact length of the issued command, then the command executed successfully; if the returned value is equal to any value other than the exact length of the issued command, then the command did not execute successfully. 
[DELPKTFIL] "delete packet deletes a packet trace If the returned value filter" filter is equal to the exact length of the issued command, then the command executed successfully; if the returned value is equal to any value other than the exact length of the issued command, then the command did not execute successfully. [SETPKTFIL] "set packet enables/disables a If the returned value filter" packet trace filter is equal to the exact length of the issued command, then the command executed successfully; if the returned value is equal to any value other than the exact length of the issued command, then the command did not execute successfully. Page 44 of 74 Writing Commands... LSMS Function Service Call Description Service Output [SETTHROTTLE] "set throttle" sets the size of the If the returned value window over which is equal to the exact error messages get length of the issued throttled. ("throttled" command, then the means to have the command executed message rate reduced to successfully; if the a particular level.) returned value is equal to any value other than the exact length of the issued command, then the command did not execute successfully. "what are you" causes the brick to Displays status [WWHATAREU] identify itself information about the brick on screen [DSESS] "delete deletes an entry from if the returned value session" the session cache. is equal to the exact length of the issued command, then the command executed successfully; if the returned value is equal to any value other than the exact length of the issued command, then the command did not execute successfully. Page 45 of 74 Writing Commands... LSMS Function Service Call Description Service Output [CONFIG] "config" implements a number of Displays subcommands to configuration modify or display: information for - Intelligent Cache description of Management Policy. subcommands. - MAC move and starcast zone If a subcommand is matching policy. 
issued, then if the - UDP encapsulation returned value is policy equal to the exact - redundant LSMS length of the issued rehome policy command, then the - SLA probes command executed - the current (write) successfully; if the command tracing returned value is setting equal to any value - also allows for other than the exact removal of cache length of the issued entries based upon the command, then the tag that command did not associates them with a execute successfully. particular dynamic host group or IPSec tunnel. [SMINOSCFG] "switch move a couple of brick- if the returned value minos" wide configuration is equal to the exact settings from pending to length of the issued active (starcast zone command, then the matching & mac command executed moves). successfully; if the returned value is equal to any value other than the exact length of the issued command, then the command did not execute successfully. Page 46 of 74 Writing Commands... LSMS Function Service Call Description Service Output [WFAILOVER] "write display failover info or if the returned value failover" cause failover to is equal to the exact standby. length of the issued command, then the command executed successfully; if the returned value is equal to any value other than the exact length of the issued command, then the command did not execute successfully. Displays status output failover information. [CANFAILOVER] "can failover" examines the state of if the returned value the standby to determine is equal to the exact if it can take over all of length of the issued the processing without command, then the losing anything (i.e. no command executed interfaces have failed). successfully; if the returned value is equal to any value other than the exact length of the issued command, then the command did not execute successfully. Page 47 of 74 Writing Commands... 
LSMS Function Service Call Description Service Output [SETSFD] "set file set the file descriptor if the returned value descriptor" associated with an is equal to the exact active remote console. length of the issued command, then the command executed successfully; if the returned value is equal to any value other than the exact length of the issued command, then the command did not execute successfully. [SETTRACEFLAG] "set trace flag" The flag controls if the returned value whether or not certain is equal to the exact messages (such as those length of the issued generated using the command, then the trace audit command) command executed get displayed on the successfully; if the console. returned value is equal to any value other than the exact length of the issued command, then the command did not execute successfully. [EFILEDOWN] "exit force the thread that if the returned value fdownload" waits for the active is equal to the exact brick to send it length of the issued messages to quite so command, then the this brick can go active. command executed successfully; if the returned value is equal to any value other than the exact length of the issued command, then the command did not execute successfully. Page 48 of 74 Writing Commands... LSMS Function Service Call Description Service Output [PORTTBL] "add add interface if the returned value interface" information to the is equal to the exact pending table length of the issued (prerequisite begin command, then the tableload). command executed successfully; if the returned value is equal to any value other than the exact length of the issued command, then the command did not execute successfully. [VIPTBL] "add vlanip" add information about a if the returned value VLAN (prerequisite is equal to the exact begin tableload). 
length of the issued command, then the command executed successfully; if the returned value is equal to any value other than the exact length of the issued command, then the command did not execute successfully. [PARTITION] "add partition" adds a brick partition to if the returned value the pending table. is equal to the exact (prerequisite begin length of the issued tableload). command, then the command executed successfully; if the returned value is equal to any value other than the exact length of the issued command, then the command did not execute successfully. Page 49 of 74 Writing Commands... LSMS Function Service Call Description Service Output [SETTIMEOFFSET] "set sets the time offset if the returned value timeoffset" between the LSMS and is equal to the exact the brick. length of the issued command, then the command executed successfully; if the returned value is equal to any value other than the exact length of the issued command, then the command did not execute successfully. Page 50 of 74 Writing Commands... LSMS Function Service Call Description Service Output [WTTCMDS] "ctrl a collection of tts - display the stack of commands" commands that display the currently executing information about the thread amount of memory free, ttS - display the stacks of number of packets all of the threads. processed, etc. ttx - display a summary of memory usage ttd - exists in the API, but does nothing. ttp - displays per thread statistics and current state ttD - redisplays the last panic dump since the brick rebooted (if any) ttr - reboot the brick ttm - another memory usage summary ttq - display the mac table tta - enable copying audit messages to the console as well as the LSMS ttb - toggle the "enable fastpkt" flag (fastpkt is a fast packet processing algorithm for TCP and UDP) ttE and ttP - make the brick print out usage statistics every 30 seconds. ttc - displays session cache statistics tt? 
- tt command help ttF - display syn flood table ttf - display list of files attached to thread #6. Page 51 of 74 Writing Commands... LSMS Function Service Call Description Service Output [WBOOTDELAY] "set change the default if the returned value bootdelay" internal delay from the is equal to the exact time the brick boots length of the issued until the time it can command, then the become active. command executed successfully; if the returned value is equal to any value other than the exact length of the issued command, then the command did not execute successfully. [WADDAPPFILTER] "add appfilter" add an entry to the if the returned value pending application is equal to the exact filter policy length of the issued (prerequisite begin command, then the load). command executed successfully; if the returned value is equal to any value other than the exact length of the issued command, then the command did not execute successfully. [WPING] "ping" sends out pings. Display status output ping information [WTRACEROUTE] "traceroute" does traceroute. Display status output traceroute information Page 52 of 74 Writing Commands... LSMS Function Service Call Description Service Output [WWAITFOREAC] "wait for eac" waits for the EACv2 to if the returned value be downloaded and is equal to the exact available. length of the issued command, then the command executed successfully; if the returned value is equal to any value other than the exact length of the issued command, then the command did not execute successfully. [ADDAGGREGATE] "add adds link aggregation if the returned value aggregate" information to the is equal to the exact pending brick config length of the issued table (prerequisite command, then the (begin tableload). command executed successfully; if the returned value is equal to any value other than the exact length of the issued command, then the command did not execute successfully. 
[ADDPPPOE] "add pppoe" adds Point to Point if the returned value Protocol over Ethernet is equal to the exact (PPPoE) information to length of the issued the pending brick config command, then the table. (prerequisite command executed (begin tableload). successfully; if the returned value is equal to any value other than the exact length of the issued command, then the command did not execute successfully. Page 53 of 74 Writing Commands... LSMS Function Service Call Description Service Output [DISPLAYPPPOE] "display displays current PPPoE Displays current pppoe" state. PPPoE state [TRACEPPPOE] "trace pppoe" enables the brick to if the returned value print PPPoE negotiation is equal to the exact messages. length of the issued command, then the command executed successfully; if the returned value is equal to any value other than the exact length of the issued command, then the command did not execute successfully. [DISPLAYNONIP] "display displays the current Displays current non- nonip" non-IP protocols to IP protocols allowed allow through the brick. with module [INSTALLAGGREGATES] "instaggr" activates the currently if the returned value pending link is equal to the exact aggregation set without length of the issued deleting the pending set. command, then the command executed successfully; if the returned value is equal to any value other than the exact length of the issued command, then the command did not execute successfully. Table 9 - LSMS Writing Commands Reading Commands... LSMS Function Service Call Description Service Output [RRULES] "read rules" read the rules for a Displays rules for a particular zone. particular zone. Page 54 of 74 Reading Commands... LSMS Function Service Call Description Service Output [RTABLE] "read table" read the zone assignment Displays table table entries. entries for zone assignment. [RCACHE] "read cache" read the session cache Displays session entries or some summary cache info for a zone. entries/summary information for a zone. 
[RCONFIG] "read config read information about the Display data" defined management configuration servers. information about defined management servers. [RKEYWRD] "read keyword" read keywords from the Displays keywords inferno.ini configuration from inferno.ini file. configuration file [RTIME] "read time" the current timestamp. Displays the current timestamp. [RUPTIME] "read uptime" read the number of seconds Displays the since the brick number of seconds booted/became active. since the module booted/became active. [REPORTICM] "report icm" read information about the Displays status state of the Intelligent information about Cache Management the state of the feature. Intelligent Cache Management. [RDOMINF] "read dominfo" read information about the Displays policy's signer. information about policy's signer. [RTBLINF] "read tblinfo" read information about the Displays brick config's signer. information about module's configuration signer. This is an old command [This function that is no longer used in cannot be used in [RLSTATE] "read load state" LVF version 7.2.292 the FIPS mode of operation.] Page 55 of 74 Reading Commands... LSMS Function Service Call Description Service Output [RPINGSTAT] "read ping stat" read whether or not the Displays ping status audit channel seems information. healthy. [RSAS] "read sas" read some information Displays SA about the SAs for a zone. information for a (e.g. SPIs, host addresses, zone. algorithms. *NOT* keys). [REXPORT] "get export" read whether or not this Displays status brick is restricted to 56 bit information on encryption. whether module is restricted to 56 bit encryption. [RSWVERSION] "get read the current software Displays current sw_version" version. software version. [RMAC] "read mac" read entries from the MAC Displays entries table. from MAC table. [RARP] "read arp" read entries from the ARP Displays entries table. from ARP table. 
[RAUDFIL] "read audit read entries from the audit Displays entries filter" trace filter table. from audit trace filter table. [RPKTFIL] "read packet read entries from the Displays entries filter" packet trace filter table. from the packet trace filter table. [RHSTGRPS] "read read entries from the host Displays entries hostgroups" group table for a zone. from the host group table for a zone. [RSRVGRPS] "read read entries from the Displays entries servicegroups" service group table for a from the service zone. group table for a zone. [RROUTES] "read routes" read the list of static routes. Displays the list of static routes. [MHASH] "match hash" determine whether the hash Displays whether of a string matches a the hash of a string reference hash. matches a reference hash. [RWHATAREU] "what are you" reads the brick's name and Displays module's a couple of other useful name, version, and pieces of information. other useful information about the module. Page 56 of 74 Reading Commands... LSMS Function Service Call Description Service Output [RCOUNTDYNSAS] "count dynamic displays the number of Displays number of sas" SA's loaded via the "add SAs loaded via the dynamic ipsec" command "add dynamic on this zone. ipsec" command on the zone. [RMINOS] "read minos" displays information about Displays the MAC move feature and information on the starcast zone matching MAC move feature policy. and the starcast zone matching policy. [RACTIVITY] "read activity" reads information about Displays whether whether the brick is ready module is ready to to transition from standby transition from to active. standby to active. [RFAILOVER] "read failover" displays failover Displays failover information. status. [RDTHROTTLE] "read throttle" displays the current error Displays current message throttling interval. error message throttling interval. [RFILEDOWN] "read waits for file transfer Displays file fdownload" information from the active transfer information to the standby. 
from active to standby. [RSTTIMER] "read stickiness reads how long the brick Displays how long timer" (LSMS should wait before trying to the module should redundancy) go back to the higher wait before trying priority LSMS. to get back to the higher priority LSMS. [READ] "read" reads information about the Displays current current configuration for: configuration - UDP encapsulation policy information for: - NAT table policy - UDP - SLA probes encapsulation policy - NAT table policy - SLA probes [RVLANS] "read vlans" reads information about the Displays VLAN VLAN configuration. configuration information. Page 57 of 74 Reading Commands... LSMS Function Service Call Description Service Output [RPARTITIONS] "read partitions" reads information about the Displays partition partition configuration. configuration information. [RLASTHOMEDLSMS] "read lastlsms" reads what LSMS was last Displays what connected. LSMS was last connected. [RDEC64] "read decode64" reads the result of decoding Displays result of base 64 encoded input back decoding base 64 into its original form. information. [RENC64] "read encode64" reads the result of encoding Displays result of base 64 arbitrary byte encoding base 64 streams. information. [RCONTACT] "read audit reads whether or not the Displays whether or contact" audit channel is active. not the audit channel is active. [RRANDOM] "get random reads some pseudo random Sends back a bytes" bytes. Used during the pseudo random initialization of flash. number to be used. [DHCP] "dhcp" displays current DHCP Displays current client state. DHCP client state. [RMODELNUMBER] "read model" displays the model number Displays the of this brick. module's model number. [VPN] "vpn" disabled on this version of N/A the brick. 
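Three rules recur through the writing and reading command tables (Tables 9 and 10): the success indicator is a returned value equal to the exact length of the issued command and any other value means the command did not execute; several legacy commands cannot be used in the FIPS mode of operation; and the pending-table "add ..." commands list "begin tableload" or "begin load" as a prerequisite before a "switch ..." command activates the pending set. The following is an added example written for this page in Python, not Lucent LSMS or Brick firmware code, showing how a management-side client can enforce all three before a pending table is activated. The send() transport callable, the framing (the bare command text as one message), the fake Brick, and the command arguments are assumptions made for illustration.

```python
"""Added example for this page (not Lucent LSMS or Brick code): management-side
checks for the LSMS write/read commands. Transport framing, the fake Brick and
the command arguments are assumptions made for illustration."""
from typing import Callable, List, Optional, Set, Tuple

# Commands the tables mark "cannot be used in the FIPS mode of operation".
FIPS_EXCLUDED = frozenset({
    "add dynamic proxy", "set auth", "write load state", "redirect", "read load state",
})

# Prerequisites stated in the descriptions of the pending-table write commands
# (a subset of Table 9): "begin tableload" for brick configuration tables,
# "begin load" for zone policy objects.
PREREQUISITE = {
    "add ethertype": "begin tableload", "switch ethertype": "begin tableload",
    "add dsap": "begin tableload", "switch dsap": "begin tableload",
    "add route": "begin tableload", "add proxy": "begin tableload",
    "add interface": "begin tableload", "add vlanip": "begin tableload",
    "add partition": "begin tableload", "add aggregate": "begin tableload",
    "add pppoe": "begin tableload",
    "add rule": "begin load", "add mask": "begin load", "add hostgrp": "begin load",
    "add srvgrp": "begin load", "add ipsec": "begin load", "add appfilter": "begin load",
}
BEGIN_COMMANDS = frozenset({"begin tableload", "begin load"})
# Longest names first: a multi-word name must win over any shorter name it begins with.
KNOWN = sorted(FIPS_EXCLUDED | set(PREREQUISITE) | BEGIN_COMMANDS, key=len, reverse=True)


class CommandError(Exception):
    """Raised when a command is refused locally or not acknowledged by the Brick."""


def acknowledged(command: bytes, returned: int) -> bool:
    """Success criterion from Tables 9 and 10: the returned value must equal the
    exact length of the issued command; any other value means it did not execute."""
    return returned == len(command)


def command_name(line: str) -> str:
    """Strip arguments from a command line, returning the known command name."""
    line = line.strip()
    for name in KNOWN:
        if line == name or line.startswith(name + " "):
            return name
    return line  # unknown command: treat the whole line as its name


class LoadSession:
    """Issues commands in order, refusing FIPS-excluded commands, enforcing the
    begin tableload / begin load prerequisites, and checking every acknowledgement.
    The first failure aborts the load, so a half-loaded pending table is never
    activated by a following "switch ..." command."""

    def __init__(self, send: Callable[[bytes], int], fips_mode: bool = True) -> None:
        self.send = send                      # transport: returns the Brick's returned value
        self.fips_mode = fips_mode
        self.begun: Set[str] = set()          # begin commands acknowledged so far
        self.log: List[Tuple[str, int, bool]] = []  # (command, returned value, acknowledged)

    def issue(self, line: str) -> int:
        name = command_name(line)
        if self.fips_mode and name in FIPS_EXCLUDED:
            raise CommandError(f"{name!r} cannot be used in the FIPS mode of operation")
        prereq = PREREQUISITE.get(name)
        if prereq is not None and prereq not in self.begun:
            raise CommandError(f"{name!r} requires {prereq!r} first")
        wire = line.strip().encode("ascii")   # assumed framing: the bare command text
        returned = self.send(wire)
        ok = acknowledged(wire, returned)
        self.log.append((line, returned, ok))
        if not ok:
            raise CommandError(f"{name!r}: returned {returned}, expected {len(wire)}")
        if name in BEGIN_COMMANDS:
            self.begun.add(name)
        return returned

    def load(self, lines: List[str]) -> bool:
        """Run a whole load; True only if every command was acknowledged."""
        try:
            for line in lines:
                self.issue(line)
        except CommandError:
            return False
        return True


def make_fake_brick(fail_on: Optional[str] = None) -> Callable[[bytes], int]:
    """Constructed stand-in for a Brick: acknowledges each command with its exact
    length, except a command starting with fail_on, which is answered with 0."""
    def send(wire: bytes) -> int:
        if fail_on is not None and wire.decode("ascii").startswith(fail_on):
            return 0
        return len(wire)
    return send


if __name__ == "__main__":
    session = LoadSession(make_fake_brick(fail_on="switch ethertype"))
    # Constructed command sequence; the argument syntax is illustrative only.
    print(session.load(["begin tableload", "add ethertype 0x0806", "switch ethertype"]))
    for entry in session.log:
        print(entry)
```

The log keeps the raw returned value alongside the verdict, which is what an operator needs when a load is aborted: a returned value of zero or of a different length is the only failure signal the tables define, so the client must compare against the exact byte count it sent rather than treat any non-zero reply as success.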
Table 10 - LSMS Reading Commands

The console/serial/keyboard/monitor ports provide a CLI which offers the Crypto Officer the following services. Each row gives the service input, its description, and the service output. Placeholders in angle brackets stand for arguments; square brackets mark optional arguments.

"bootstrap": allows the CO to reload the certificate and initialization information into the brick via the serial port (keyboard). Output: bootstraps the module.

"help": prints the list of commands. Output: displays the list of commands and their system usage.

"help <command>": prints help for <command>. Output: displays the usage of <command>.

"logout": logout from the remote port. Output: closes down the CLI.

"initialize flash": initializes the flash configuration. Output: initializes the flash configuration.

"ping <ip address> [options]": sends an ICMP ping packet and prints response times. Output: sends an ICMP ping to the specified IP address.

"repeat": repeat the previous command. Output: attempts to execute the previous command entered by keyboard.

"refresh <table>": refresh the brick's mac or arp table. Output: displays "<table> table cleared" if successful; displays "Error -> refresh, missing table argument" if unsuccessful.

"display arptable": display the contents of the arp table. Output: displays the IP Address, MAC Address, VlanID, Status, and Refcnt of each entry, and the total number of arp entries.

"display configuration": prints the inferno.ini file. Output: displays the contents of the inferno.ini file.

"display dhcp": display DHCP configuration information. Output: displays the DHCP server IP, DHCP gateway IP, time until the lease expires, time until lease renewal, and DNS server(s).

"display encapsulation <zone>": display UDP encapsulation information for the zone. Output: displays the UDP encapsulation information for <zone>.

"display failover": display failover status. Output: displays failover status if enabled; displays "Failover feature not enabled" if disabled.

"display files <...>": print the names of the files. Output: displays the size, date, and names of the files for the given argument.

"display hostgroups <zone>": display a zone's hostgroup definitions. Output: displays a table with Host Name, Typ, TmOut, TagValue, and IP Address / Range for all entries in <zone>.

"display icm": display ICM information. Output: displays current ICM information.

"display interfacestatus [<interface>]": display information about an interface's NIC. Output: displays the Interface, Root, I/F, MAC, Link, Speed, and Mode for all the interfaces on the NIC.

"display lsms": print the current LSMS connected (or the last one). Output: displays "Last LSMS was <...>".

"display mactable [<interface>]": display the MAC table for the specified interface. Output: displays a table with entries for IF, MAC, Address, Status, VLAN, and Refcnt for all mac table entries, and the total number of mac table entries.

"display mempools": print information on the 5 memory pools of the brick. Output: displays information on the memory pools of the brick in a table as Pool, Max-Size, Cur-Size, Peak, Arena-Sz, and In-Use.

"display nat <zone>": print information about the NAT tables for a zone. Output: displays a table with entries for Name, RefCt, Pre-NAT list, and Post-NAT list.

"display partitions": print partition information. Output: displays partition and VLAN ID.

"display policy <zone>": prints the ruleset for the specified zone. Output: displays a table with entries for Rule#, Source, Destination, Service, A, D, SM, DM, PM, DEP, and VPN; displays the load date, sign date, and LSMS administrator for the policy.

"display pppoe": display pppoe information. Output: displays pppoe information for #, Vlan, States, Address, MTU, DNS1, and DNS2.

"display remoteconsole": display information about the remote console. Output: displays "User is connected through remote console."

"display routes [<interface>]": display routing information for an interface. Output: displays routing information for an interface.

"display sa <zone>": display a zone's current security associations. Output: displays SPI, User Name, Source, Destination, Prot, AH, ESP, TEP, and Sec/Kbytes for the current SAs.

"display servicegroups <zone>": display a zone's servicegroup definitions. Output: displays Service, Name, Definitions, and App Mon for <zone>.

"display sessions <zone> [<ip address>]": prints the zone's session cache, optionally filtered by an IP address. Output: displays Source, Destination, Service, AVE, Rule#, FWD-PKT/B, and REV-PKT/B for <zone>.

"display slamon <zone>": displays the list of SLA probes and some statistics about each one (#send, #received, max round trip delay). Output: displays #send, #received, and max round trip delay for the entries in <zone>, if they exist.

"display time": print the brick's current time in GMT. Output: displays "the current time is