In UserGate, you can define basic settings of the device using the command-line interface, or CLI. Using CLI, network administrators can run various diagnostic commands, such as ping, nslookup and traceroute, configure network interfaces and zones as well as reboot/shut down the device.
CLI is especially useful for network diagnostics or when the web console is temporarily unavailable, e.g. due to an invalid IP address or access control zone.
You can connect to CLI physically, through standard VGA/keyboard ports (if they are available on UserGate) or a serial port, or remotely via SSH.
To connect to CLI using a monitor and a keyboard, perform the following steps:
| Name | Description |
|---|---|
| Step 1. Connect a monitor and a keyboard to UserGate | Connect a monitor to VGA (HDMI) and a keyboard to USB. |
| Step 2. Log in to CLI | Log in to CLI using the username and password of the Full Administrator (Admin by default). If UserGate has not been initialized yet, use the following credentials to access CLI: Admin/utm |
To connect to CLI using a serial port, perform the following steps:
| Name | Description |
|---|---|
| Step 1. Connect to UserGate | Connect your PC to UserGate by means of a special cable for serial ports or a USB-Serial adapter. |
| Step 2. Run the terminal | Run any software terminal supporting serial port connections, e.g. PuTTY for Windows or minicom for Linux. Establish a new serial port connection using the following connection parameters: 115200 8n1 |
| Step 3. Log in to CLI | Log in to CLI using the username and password of the Full Administrator (Admin by default). If UserGate has not been initialized yet, use the following credentials to access CLI: Admin/utm |
To connect to CLI remotely via SSH, perform the following steps:
| Name | Description |
|---|---|
| Step 1. Enable access to CLI (by SSH) for the selected zone | Enable access to CLI via the SSH protocol for the zone through which you are going to access CLI. The TCP 2200 port will be opened. |
| Step 2. Run an SSH terminal | Run an SSH terminal on your PC, e.g. ssh for Linux or PuTTY for Windows. Specify the UserGate address as the address, 2200 as the connection port, and the Full Administrator credentials as the username and password (Admin by default). In Linux, the connection command should look like this: ssh Admin@IP-UserGate -p 2200 |
| Step 3. Log in to CLI | Log in to CLI using the password of the user you specified in the previous step. If UserGate has not been initialized yet, use the following credentials to access CLI: Admin/utm |
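As an added example (not part of the UserGate documentation), the shell helper below wraps the SSH connection from Step 2 so that it proceeds only when a host key for the CLI listener has already been pinned. The function names and the dedicated known_hosts path are assumptions; the lookup relies on OpenSSH recording keys for non-default ports as [host]:port.

```shell
#!/bin/sh
# Added example, not UserGate code. Helper names and the known_hosts path
# are assumptions; port 2200 and the Admin login come from the page.
UG_PORT=2200
UG_USER=Admin

# Print the pinned "keytype key" for host:port from an unhashed known_hosts
# file and return 0, or return 1 when nothing is pinned. OpenSSH writes
# entries for non-default ports as "[host]:port", so a bare "host" entry
# (port 22) does not cover the CLI listener.
ug_pinned_key() {
    host=$1; file=$2; port=${3:-$UG_PORT}
    [ -r "$file" ] || return 1
    awk -v want="[$host]:$port" '
        NF == 0 || $1 ~ /^#/ { next }   # blank lines and comments
        $1 ~ /^@/            { next }   # @revoked / @cert-authority markers
        {
            n = split($1, names, ",")   # field 1 is a comma-separated host list
            for (i = 1; i <= n; i++)
                if (names[i] == want) { print $2, $3; found = 1 }
        }
        END { exit(found ? 0 : 1) }
    ' "$file"
}

# Open the CLI session only when a key is already pinned, and make ssh fail
# on an unknown or changed key instead of prompting to accept it.
ug_cli_connect() {
    host=$1; file=${2:-$HOME/.ssh/known_hosts_usergate}
    if ! ug_pinned_key "$host" "$file" >/dev/null; then
        echo "no pinned key for [$host]:$UG_PORT in $file, not connecting" >&2
        return 1
    fi
    ssh -p "$UG_PORT" \
        -o StrictHostKeyChecking=yes \
        -o UserKnownHostsFile="$file" \
        "$UG_USER@$host"
}
```

Populate the dedicated file once with a key whose fingerprint has been verified out of band; hashed known_hosts entries are not matched by this lookup.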
Once you have successfully logged in to CLI, you can view the full list of supported commands by entering help. To view a detailed description of a command, use the following syntax:
help command
For example, if you want to view a detailed description of the iface command for configuring network interfaces, type the following:
help iface
The following commands are supported:
| Name | Description |
|---|---|
| help | Displays the full list of available commands. |
| exit | Logs out of CLI. |
| backup | A set of commands for viewing, deleting and restoring automatically created configuration backups. backup list -- shows the list of existing backups; backup restore -name NAME -- restores the backup named NAME; backup delete -name NAME -- deletes the selected backup. |
| cache ldap-clear | Clears the LDAP cache. |
| code-change-control | A set of commands for viewing and configuring the action taken on an unauthorized code change. The code integrity check runs every time UserGate is booted. code-change-control show -- displays the current working mode. By default, tracking of unauthorized changes to the executable code is disabled. code-change-control set log -- activates tracking of unauthorized changes to the executable code. When a change is detected, UserGate records the change details in the event log. This option requires setting a password that will be used for switching to another tracking mode. code-change-control set block -- activates tracking of unauthorized changes to the executable code. This option requires setting a password that will be used for switching to another tracking mode. When a change is detected, UserGate records the change details in the event log and also creates a block rule for the firewall in order to prohibit any transit traffic through UserGate. This firewall rule can be disabled only after tracking of unauthorized changes has been deactivated. code-change-control set off -- deactivates tracking of unauthorized changes to the executable code. Requires entering the password that was set when tracking of unauthorized changes was activated. |
| config-change-control | A set of commands for viewing and configuring the action taken on an unauthorized configuration change. Before activating this control, the administrator should complete the configuration of UserGate in accordance with company requirements and then freeze the configuration (set the mode to log or block). Any subsequent change to the configuration is then either recorded in the event log, or recorded in the log and followed by blocking of transit traffic. The configuration integrity check runs every few minutes. config-change-control show -- shows the current configuration. The default value is off. config-change-control set log -- sets the action to logging unauthorized configuration changes to the event log. Requires setting a password for changing this setting. config-change-control set block -- sets the action to blocking traffic. If UserGate finds any configuration change, it creates a firewall rule which blocks all transit traffic. To disable or remove this firewall rule, the administrator has to disable config-change-control (set it to off). config-change-control set off -- sets config-change-control to off. Requires entering the password that was set before. |
| date | Returns the server's local time. |
| gateway | A set of commands for viewing and configuring gateway parameters. Type gateway help for more details. |
| iface | A set of commands for viewing and configuring network interface parameters. Type iface help for more details. |
| license | Shows the current license information. |
| netcheck | Checks connectivity to a specific website. Usage: netcheck [-t TIMEOUT] [-d] URL. Available options: -t -- maximum request timeout in seconds; -d -- request payload data (if not set, only headers are fetched). |
| node | A set of commands for viewing and configuring the cluster's nodes. Type "node help" for more details. |
| nslookup | Returns the IP address of the specified host. |
| ping | Pings the specified host. |
| proxy | A set of commands for viewing and configuring the HTTP/S proxy server. The administrator can configure the following settings: add Via to the HTTP headers (default is false, which is the recommended value); add X-Forwarded-For to the HTTP headers (default is false, which is the recommended value); HTTP connection timeout, the maximum waiting time for establishing a connection to a web server (default is 20 seconds); HTTP loading timeout, the maximum waiting time for data from a web server (default is 60 seconds). Check proxy help for more information. |
| proxy | A set of commands for viewing and configuring proxy server parameters. Allows you to set parameters such as adding the HTTP headers "via" and "forward," as well as the timeouts for connecting to websites and loading content. add_via_enabled -- adds the HTTP header "via." Disabled by default. add_forwarded_enabled -- adds the HTTP header "forwarded." Disabled by default. http_connection_timeout -- the wait time allocated to the HTTP connection. By default: 20 seconds. http_loading_timeout -- the wait time allocated to loading HTTP content. By default: 60 seconds. proxy_host_rfc -- extends the use of the HTTP PROXY 1.1 protocol to requests that do not indicate the "host" parameter. This mode contradicts the RFC, but is required for compatibility with certain programs. By default the value "strict" (observe RFC) is set. fmode_enabled (boolean) -- activates fast content loading. It may not be compatible with certain websites. Disabled by default. icap_wait_timeout -- the time in seconds the UserGate server will wait for a response from an ICAP server. If a response is not received from the server within the allocated time and the Resend and Ignore rule is in effect, UserGate will send data to the user without modification. If the Resend rule is in effect, UserGate will not send the data to the user. The default value is ten seconds. smode_enabled (boolean) -- enables SYN Proxy mode. Disabled by default. legacy_ssl_enabled (boolean) -- disables support for decryption of the TLSv1.3 protocol. If this mode is enabled, UserGate will support the protocols TLSv1.0-TLSv1.2. If the mode is disabled, all of TLSv1.0-TLSv1.3 will be supported. Disabled by default. Changing the default value is not recommended. See proxy help for more detailed information. |
| radmin | A set of commands for viewing and configuring remote access for the UserGate technical support team to the UserGate nodes. Type "radmin help" for more details. |
| radmin_e | A set of commands for viewing and configuring remote access for the UserGate technical support team to UserGate in case the appliance is in a hung state. Type "radmin help" for more details. |
| reboot | Reboots the UserGate server. |
| route | Creates, edits and deletes routes. |
| shutdown | Shuts down the UserGate server. |
| telemetry | A set of commands for viewing and configuring telemetry mode. Telemetry makes it possible to send anonymous statistical data to the UserGate team for analysis and product improvement. This data includes information such as the popularity of Web resources, uncategorized websites, virus attacks, IDPS events, and malware activity. Telemetry is enabled by default. telemetry show -- shows the current status; telemetry set -enabled true -- enables telemetry; telemetry set -enabled false -- disables telemetry. |
| traceroute | Traces a connection up to the specified host. |
| usersession | Drops a specific user's session (forces the user to log out). usersession terminate -ipv4 IP_ADDRESS -- terminates the session using the IP address of the client. |
| webaccess | A set of commands for viewing and configuring the web console's authentication mode. You can use this command to revert from the X.509 certificate mode to the Login and password mode. |
| zone | A set of commands for viewing and configuring zone parameters. Type zone help for more details. |