4.6. Command-line interface (CLI)

In UserGate, you can define the basic settings of the device using the command-line interface (CLI). Using the CLI, network administrators can run diagnostic commands such as ping, nslookup, and traceroute, configure network interfaces and zones, and reboot or shut down the device.

The CLI is especially useful for network diagnostics, or when the web console is temporarily unavailable, e.g. because an interface has been given an invalid IP address or because web console access is not permitted from the zone you are connecting from.

You can connect to the CLI locally through the VGA and keyboard ports (if the UserGate appliance has them) or through a serial port, or remotely via SSH.

To connect to the CLI using a monitor and a keyboard, perform the following steps:

Step 1. Connect a monitor and a keyboard to UserGate
Connect a monitor to the VGA (or HDMI) port and a keyboard to a USB port.

Step 2. Log in to the CLI
Log in to the CLI using the username and password of the Full Administrator (Admin by default). If UserGate has not been initialized yet, use the following credentials to access the CLI: Admin/utm. Change this default password as soon as the device is initialized: anyone who can reach the CLI with it has full administrator rights.

To connect to the CLI using a serial port, perform the following steps:

Step 1. Connect to UserGate
Connect your PC to UserGate with a null-modem (serial console) cable or a USB-to-serial adapter.

Step 2. Run the terminal
Run any terminal program that supports serial connections, e.g. PuTTY on Windows or minicom on Linux. Open a new serial connection with the following parameters: 115200 8N1 (115200 baud, 8 data bits, no parity, 1 stop bit).

Step 3. Log in to the CLI
Log in to the CLI using the username and password of the Full Administrator (Admin by default). If UserGate has not been initialized yet, use the following credentials to access the CLI: Admin/utm

To connect to the CLI remotely via SSH, perform the following steps:

Step 1. Enable CLI access (SSH) for the selected zone
Enable access to the CLI via SSH for the zone through which you are going to connect. TCP port 2200 will be opened on the interfaces of that zone. Enable it only for a management zone you trust: the CLI grants full administrator rights to anyone who can authenticate.

Step 2. Run an SSH client
Run an SSH client on your PC, e.g. the ssh command on Linux or PuTTY on Windows. Use the UserGate address as the host, 2200 as the port, and the Full Administrator credentials (Admin by default) as the username and password. On Linux, the connection command looks like this:

ssh Admin@IP-UserGate -p 2200

On the first connection the client shows the device's SSH host key fingerprint; confirm it through a trusted channel (e.g. the serial console) before accepting it, since an attacker on the path could otherwise intercept the administrator session.

Step 3. Log in to the CLI
Log in to the CLI using the password of the user you specified in the previous step. If UserGate has not been initialized yet, use the following credentials to access the CLI: Admin/utm

Once you have successfully logged in to the CLI, enter help to view the full list of supported commands. To view a detailed description of a command, use the following syntax:
help command
For example, to view a detailed description of the iface command used to configure network interfaces, type:
help iface

The following commands are supported:

help

Displays the full list of available commands

exit, quit, Ctrl+D

Log out of the CLI

backup

A set of commands for viewing, deleting, and restoring the automatically created configuration backups.

backup list -- shows the list of existing backups.

backup restore -name NAME -- restores the backup named NAME.

backup delete -name NAME -- deletes the selected backup.

cache ldap-clear

Clears the LDAP cache.

code-change-control

A set of commands for viewing and configuring the action taken on an unauthorized change to the executable code. The code integrity check runs every time UserGate boots.

code-change-control show -- displays the current mode. By default, tracking of unauthorized changes to the executable code is disabled.

code-change-control set log -- activates tracking of unauthorized changes to the executable code. When a change is detected, UserGate records the details in the event log. This option requires setting a password, which is then needed to switch to another tracking mode.

code-change-control set block -- activates tracking of unauthorized changes to the executable code. This option requires setting a password, which is then needed to switch to another tracking mode. When a change is detected, UserGate records the details in the event log and also creates a firewall block rule that prohibits all transit traffic through UserGate. This firewall rule can be disabled only after tracking of unauthorized changes has been deactivated.

code-change-control set off -- deactivates tracking of unauthorized changes to the executable code. Requires the password that was set when tracking was activated.

config-change-control

A set of commands for viewing and configuring the action taken on an unauthorized configuration change. Before activating this control, the administrator should complete the UserGate configuration according to company requirements and then freeze it by setting the mode to log or block. From that point, any configuration change is recorded in the event log (log mode) or recorded and transit traffic is blocked (block mode). The configuration integrity check runs every few minutes.

config-change-control show -- shows the current mode. The default value is off.

config-change-control set log -- records unauthorized configuration changes in the event log. Requires setting a password, which is then needed to change this setting.

config-change-control set block -- blocks traffic in addition to logging. If UserGate detects any configuration change, it creates a firewall rule that blocks all transit traffic. To disable or remove this firewall rule, the administrator has to disable config-change-control (set it to off).

config-change-control set off -- turns config-change-control off. Requires the password that was set earlier.
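The two change-control commands above share one mechanism: a baseline is frozen at activation, a periodic check compares the current state against it, and a password set at activation gates every mode switch, including the only path that lifts the block rule. The following Python model, added here as an illustration and not UserGate's own code, shows that logic end to end; the class name ChangeControl, the BLOCK_RULE text, the snapshot callback and the sample configuration are assumptions of this example.

```python
# Added illustration of the change-control mechanism described above; a model,
# not UserGate's own implementation. ChangeControl, BLOCK_RULE, the snapshot
# callback and the sample configuration are assumptions of this example.
import hashlib
import hmac
import secrets

BLOCK_RULE = "deny transit any -> any (change-control)"  # hypothetical rule text


def digest_snapshot(items):
    """Hash a {name: bytes} mapping in canonical (sorted, length-delimited) order."""
    h = hashlib.sha256()
    for name in sorted(items):
        data = items[name]
        h.update(name.encode("utf-8") + b"\0" + len(data).to_bytes(8, "big") + data)
    return h.hexdigest()


class ChangeControl:
    """Freezes a baseline and acts on drift in 'log' or 'block' mode."""

    def __init__(self, snapshot):
        self.snapshot = snapshot          # callable returning {name: bytes}
        self.mode = "off"
        self.baseline = None
        self._salt = None
        self._pw_hash = None
        self.events = []                  # stands in for the event log
        self.firewall_rules = []          # stands in for the firewall rule list

    def show(self):
        return self.mode

    def _password_ok(self, password):
        if self._pw_hash is None:
            return False
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), self._salt, 100_000)
        return hmac.compare_digest(candidate, self._pw_hash)

    def set(self, mode, password):
        if mode not in ("off", "log", "block"):
            raise ValueError("mode must be off, log or block")
        if mode == "off":
            if self.mode == "off":
                return
            if not self._password_ok(password):
                raise PermissionError("password set at activation is required")
            # Deactivation is the only path that removes the block rule.
            self.mode, self.baseline, self._pw_hash, self._salt = "off", None, None, None
            self.firewall_rules = [r for r in self.firewall_rules if r != BLOCK_RULE]
            return
        if self.mode == "off":
            # Activation: set the password and freeze the current state as the baseline.
            self._salt = secrets.token_bytes(16)
            self._pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), self._salt, 100_000)
            self.baseline = digest_snapshot(self.snapshot())
        elif not self._password_ok(password):
            raise PermissionError("password set at activation is required")
        self.mode = mode

    def check(self):
        """One integrity check (at boot for code, every few minutes for config). True on drift."""
        if self.mode == "off":
            return False
        current = digest_snapshot(self.snapshot())
        if current == self.baseline:
            return False
        self.events.append("unauthorized change: baseline %s..., current %s..."
                           % (self.baseline[:12], current[:12]))
        if self.mode == "block" and BLOCK_RULE not in self.firewall_rules:
            self.firewall_rules.insert(0, BLOCK_RULE)   # first rule wins: all transit dropped
        return True


def demo():
    """Freeze, drift, block, failed deactivation, successful deactivation."""
    config = {"zones.conf": b"Trusted,Untrusted",          # constructed sample config
              "firewall.conf": b"allow Trusted -> Untrusted"}
    cc = ChangeControl(lambda: dict(config))
    cc.set("block", "s3cret-phrase")
    clean = cc.check()                                     # matches baseline: False
    config["firewall.conf"] = b"allow any -> any"          # an unauthorized edit
    drift = cc.check()                                     # detected: True
    blocked = BLOCK_RULE in cc.firewall_rules              # block rule installed
    try:
        cc.set("off", "wrong")
        wrong_pw_rejected = False
    except PermissionError:
        wrong_pw_rejected = True
    cc.set("off", "s3cret-phrase")                         # lifts the rule
    return {"clean": clean, "drift": drift, "blocked": blocked,
            "wrong_pw_rejected": wrong_pw_rejected,
            "rules_after_off": len(cc.firewall_rules), "events": len(cc.events),
            "mode": cc.show()}


if __name__ == "__main__":
    print(demo())
```

The baseline is a single digest over a canonical ordering of the tracked items, so renaming, reordering or truncating an item all register as drift; the password is stored only as a salted PBKDF2 hash and compared in constant time, which is what makes the "set off" gate meaningful rather than a formality.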

date

Returns the server's local time

gateway

A set of commands for viewing and configuring gateway parameters. Type gateway help for more details.

iface

A set of commands for viewing and configuring network interface parameters. Type iface help for more details.

license

Show current license information

netcheck

Checks connectivity to a specified web site. Usage:

netcheck [-t TIMEOUT] [-d] URL

Available options:

-t -- maximum request timeout in seconds

-d -- fetch the response body as well; if not set, only the headers are fetched.

node

A set of commands for viewing and configuring cluster's nodes. Type "node help" for more details.

nslookup

Resolves the specified host name and returns its IP address

ping

Pings the specified host

proxy

A set of commands for viewing and configuring the HTTP/HTTPS proxy server. The following parameters can be changed:

  • add_via_enabled (boolean) -- add the Via HTTP header to proxied requests. Disabled by default, which is the recommended value.

  • add_forwarded_enabled (boolean) -- add the client-forwarding HTTP header (Forwarded / X-Forwarded-For) to proxied requests. Disabled by default, which is the recommended value. Both headers disclose the presence of the proxy and internal client addresses to the destination web server, which is why they are left off.

  • http_connection_timeout -- the maximum time to wait for a connection to the web server to be established. Default: 20 seconds.

  • http_loading_timeout -- the maximum time to wait for data from the web server. Default: 60 seconds.

  • proxy_host_rfc -- whether to accept HTTP/1.1 requests that do not carry the Host header. Accepting them contradicts the RFC, which requires Host in HTTP/1.1, but is needed for compatibility with certain programs. Default: strict (observe the RFC).

  • fmode_enabled (boolean) -- activates fast content loading. It may be incompatible with certain websites. Disabled by default.

  • icap_wait_timeout -- the time in seconds UserGate waits for a response from an ICAP server. If no response arrives within this time and a "Resend and Ignore" rule is in effect, UserGate delivers the data to the user unmodified; if a "Resend" rule is in effect, UserGate does not deliver the data. Default: 10 seconds.

  • smode_enabled (boolean) -- enables SYN proxy mode. Disabled by default.

  • legacy_ssl_enabled (boolean) -- disables decryption of TLSv1.3. When enabled, UserGate supports TLSv1.0 through TLSv1.2 only; when disabled, TLSv1.0 through TLSv1.3 are all supported. Disabled by default.

Changing the default values is not recommended. Type proxy help for more details.

radmin

A set of commands for viewing and configuring remote access for the UserGate technical support team to the UserGate nodes. Type "radmin help" for more details.

radmin_e

A set of commands for viewing and configuring remote access for the UserGate technical support team to the UserGate appliance when it is in a hung state. Type "radmin help" for more details.

reboot

Reboot the UserGate server

route

Create, edit, delete routes

shutdown

Shuts down the UserGate server

telemetry

A set of commands for viewing and configuring telemetry mode. Telemetry sends anonymous statistical data to the UserGate team for analysis and product improvement, such as the popularity of web resources, uncategorized websites, virus attacks, IDPS events, and malware activity. Telemetry is enabled by default; disable it if your policy does not allow this data to leave the network.

telemetry show -- shows current status

telemetry set -enabled true -- enables telemetry

telemetry set -enabled false -- disables telemetry

traceroute

Trace a connection up to the specified host

usersession

Terminates a specific user's session (forces the user to log out).

usersession terminate -ipv4 IP_ADDRESS -- terminates the session of the client with the given IP address

webaccess

A set of commands for viewing and configuring the web console's authentication mode. You can use this command to revert from X.509 certificate authentication to login and password authentication, e.g. when the administrator certificate has been lost and the web console is no longer reachable.

zone

A set of commands for viewing and configuring zone parameters. Type zone help for more details.