system discard-session-if-engine-error enable
Enable interrupting session in case of Anti-Virus engine error.
system discard-session-if-engine-error disable
Disable interrupting session in case of Anti-Virus engine error.
show system discard-session-if-engine-error
Show enabled/disabled status of session interruption in case of Anti-Virus engine error.
Example output:
ngfw> show system discard-session-if-engine-error
{
"ngfw-system:system": {
"discard-session-if-engine-error": {
"enable": true
}
}
}
system siem
Go to SIEM system configuration submenu.
system siem> enable
Enable export of events to SIEM system.
system siem> no enable
Disable export of events to SIEM system. By default, event export to a SIEM system is disabled.
system user-logs-address <address>
Set IPv4 address of SIEM system collector.
system user-logs-protocol (tcp|udp|tls|https)
Set SIEM system connection protocol.
show system user-logs-address
Show IP address of SIEM system collector.
Example output:
ngfw> show system user-logs-address
user-logs-address 10.0.0.2:7890
show system user-logs-protocol
Show SIEM system connection protocol.
show system status-user-logs-server
Show SIEM system connection status.
Example output:
ngfw> show system status-user-logs-server
{
"ngfw-system:system": {
"siem": {
"state": "notconnect"
}
}
}
system siem-local-storage
Go to configuration submenu for local storage of CEF messages.
system siem-local-storage> state <state>
Set state of local recording of CEF messages.
Possible states:
enabled - local recording is enabled.
enabled-if-failed-to-send - local recording is enabled if the log cannot be sent to the server for log-entry-lifetime.
Example:
ngfw> system siem-local-storage> state enabled-if-failed-to-send
system siem-local-storage> [no] log-entry-lifetime <lifetime>
Set the time limit for trying to send the log to the SIEM system server, in minutes. If the recording status is enabled-if-failed-to-send and the log has not been sent to the SIEM system server within the specified time, the sending is considered failed and the log is recorded locally.
Example:
ngfw> system siem-local-storage> log-entry-lifetime 86400
Set default value:
ngfw> system siem-local-storage> no log-entry-lifetime
system siem-local-storage> [no] directory-size <size>
Set maximum size of event log storage directory, in bytes. When current size exceeds this value, some older files are deleted.
Example:
ngfw> system siem-local-storage> directory-size 1000000000
Set default value:
ngfw> system siem-local-storage> no directory-size
show system siem-local-storage
Show configuration of local recording of CEF messages. This command outputs data in JSON format.
Example output:
ngfw> show system siem-local-storage
{
"ngfw-siem-local-storage:siem-local-storage": {
"settings": {
"state": "disabled",
"log-entry-lifetime": 0
}
}
}
show system security-events-files [<file_regex>]
Show names and sizes in bytes of files to which CEF messages were saved, optionally filtered by file name. Regular expressions can be used in the filter.
Examples:
Show all files:
ngfw> show system security-events-files
cef-logs-overflow-2025-02-03-16-00_0.log 536 bytes
/var/security-events/cef-logs-2025-02-03-16-00_0.log 536 bytes
Show files with name containing overflow:
ngfw> show system security-events-files overflow
cef-logs-overflow-2025-02-03-16-00_0.log 536 bytes
show system security-events [file <file_regex>] [filter <log_regex>]
Show locally saved CEF messages, optionally filtered by file name and log text.
Examples:
Show all logs from all files:
ngfw> show system security-events
./failed-to-send/cef-logs-overflow-2025-02-03-15-00_0.log:CEF:0|Kaspersky|NGFW|...
./failed-to-send/cef-logs-overflow-2025-02-03-15-00_0.log:CEF:0|Kaspersky|NGFW|...
./cef-logs-2025-02-03-15-00_0.log:CEF:0|Kaspersky|NGFW|...
Show logs from files with name containing cef-logs-2025:
ngfw> show system security-events file cef-logs-2025
./cef-logs-2025-02-03-15-00_0.log:CEF:0|Kaspersky|NGFW|...
Show messages containing 15:23:46:
ngfw> show system security-events filter 15:23:46
./failed-to-send/cef-logs-overflow-2025-02-03-15-00_0.log:CEF:0|Kaspersky|NGFW|1.0.0.0|Firewall|Session start|Unknown|rt=2025-02-23T15:23:46 dtz=+03:00...
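Added example, not part of the Kaspersky documentation: a Python parser for the <file>:CEF:... lines printed by show system security-events, handling escaped | and = characters and setting aside truncated records. The sample lines are constructed (the src, dst and msg fields are assumptions), and treating files under failed-to-send/ as undelivered events is an assumption based on the example paths above.

```python
import re

# Constructed sample shaped like the output shown above; the second event and
# the src/dst/msg extension fields are assumptions made for this example.
SAMPLE = r"""
./failed-to-send/cef-logs-overflow-2025-02-03-15-00_0.log:CEF:0|Kaspersky|NGFW|1.0.0.0|Firewall|Session start|Unknown|rt=2025-02-23T15:23:46 dtz=+03:00 src=10.0.0.5 dst=192.0.2.10
./cef-logs-2025-02-03-15-00_0.log:CEF:0|Kaspersky|NGFW|1.0.0.0|Firewall|Rule \| match|Unknown|rt=2025-02-23T15:24:01 dtz=+03:00 msg=user\=admin logged in
./cef-logs-2025-02-03-15-00_0.log:CEF:0|Kaspersky|NGFW|...
"""

HEADER = "version vendor product device_version event_class_id name severity".split()
EXT_KEY = re.compile(r"(?:^|\s)(\w+)=")  # key at start or after whitespace

def split_header(record):
    """Split on unescaped '|' into the 7 header fields plus the extension."""
    parts, cur, i = [], [], 0
    while i < len(record) and len(parts) < len(HEADER):
        ch = record[i]
        if ch == "\\" and record[i + 1:i + 2] in ("\\", "|"):
            cur.append(record[i + 1])  # \| and \\ are literal characters
            i += 2
            continue
        if ch == "|":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    if len(parts) < len(HEADER):
        raise ValueError("truncated CEF header")
    return parts, record[i:]

def parse_extension(ext):
    """Parse 'k=v k2=v2' pairs; values may contain spaces and escaped '='."""
    hits = list(EXT_KEY.finditer(ext))
    out = {}
    for m, nxt in zip(hits, hits[1:] + [None]):
        raw = ext[m.end():nxt.start() if nxt else len(ext)]
        out[m.group(1)] = re.sub(r"\\([\\=])", r"\1", raw).rstrip()
    return out

def parse_output(text):
    """Return (events, skipped): one dict per '<file>:CEF:...' line."""
    events, skipped = [], []
    for line in text.splitlines():
        path, sep, rest = line.strip().partition(":CEF:")
        if not sep:
            continue
        try:
            fields, ext = split_header(rest)
        except ValueError:
            skipped.append(line)  # truncated record: keep for manual review
            continue
        events.append(dict(zip(HEADER, fields), file=path, ext=parse_extension(ext)))
    return events, skipped

def unsent(events):
    # Assumption: failed-to-send/ holds events not delivered to the SIEM.
    return [e for e in events if "/failed-to-send/" in e["file"]]
```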
clear system security-events-files [<file_regex>]
Delete files into which CEF messages were saved, optionally filtered by file name.
Examples:
Delete all files:
ngfw> clear system security-events-files
Deleted 2 files
Delete files with name containing overflow:
ngfw> clear system security-events-files overflow
Deleted 1 file
system packet-tracer enable
Enable packet logging.
system packet-tracer disable
Disable packet logging.
show system packet-tracer
Show status of packet logging subsystem.
system hostname <hostname>
Set hostname.
Example:
system hostname ngfw
show system hostname
Show current hostname.
system timezone <timezone-id>
Change system time zone by specifying new time zone ID. You can use the show system timezone-list command to output the IDs of the existing timezones.
Example:
system timezone Europe/Moscow
show system timezone
Show current system time zone.
show system timezone-list [(<offset>|<text1>)] [<text2>] ...
Show list of all time zones optionally filtered by offset in hours (or in HH:MM format) and/or a fragment of time zone name (description). You can specify only one offset and any number of filters by time zone name (description).
Examples:
show system timezone-list 3 europe
show system timezone-list -4
show system timezone-list 5:30
show system timezone-list africa
system reboot
Restart Kaspersky NGFW device.
system password
Change the root user password.
system shutdown
Shut down Kaspersky NGFW device.
system integrity-check
Run Kaspersky NGFW integrity check.
Example:
ngfw> system integrity-check
[========================================] 100.0%
Integrity check passed successfully
system shell
Go to the operating system shell.
system factory-reset
Factory reset of Kaspersky NGFW device with user confirmation. As a result, the current firmware version is loaded with the factory configuration and all data modified since the current firmware version was installed is reset (including database updates).
system factory-reset force
Factory reset of Kaspersky NGFW device without user confirmation. As a result, the current firmware version is loaded with the factory configuration and all data modified since the current firmware version was installed is reset (including database updates).
show system info
List system information of the Kaspersky NGFW device.
Example output:
ngfw> show system info
{
"ngfw-system:system": {
"info": {
"version": "1.0.0.0",
"debug": true,
"device-model": "KX-8",
"hostname": "NGFW",
"uptime": "0d, 0h, 3min",
"last-reboot": "Thu Jul 11 12:20:58 2024 MSK",
"system-time": "Thu Jul 11 12:21:44 2024 MSK"
}
}
}
show system databases-info
List the version (release date) of databases for each component.
Example output:
ngfw> show system databases-info
{
"ngfw-system:system": {
"databases-info": {
"status": "ok",
"components-versions": [
{
"name": "APU",
"version": "2025-06-02T07:48Z",
"description": "Antiphishing URLs for URL reputation checker"
},
{
"name": "APUD",
"version": "2024-11-27T11:54Z",
"description": "Antiphishing domains for DNS security"
},
{
"name": "CASB",
"version": "2025-06-02T09:29Z",
"description": "Signatures for DPI"
},
{
"name": "CDB2",
"version": "2025-06-02T07:56Z",
"description": "Certificate reputation DB"
},
{
"name": "EMU64L",
"version": "2025-06-02T12:35Z",
"description": "Emulator for Object AV"
},
{
"name": "IDSNGFW",
"version": "2025-03-20T10:58Z",
"description": "Signatures for IDPS"
},
{
"name": "KDB64L",
"version": "2025-06-02T12:35Z",
"description": "AV signatures for Object AV"
},
{
"name": "KDSCRL",
"version": "2021-09-27T11:12Z",
"description": "Kaspersky Digital Signature Certificate Revocation List"
},
{
"name": "KSN",
"version": "2025-06-02T07:34Z",
"description": "KSN configuration file"
},
{
"name": "UDSFW",
"version": "2024-09-11T07:51Z",
"description": "Hashes of malware for stream AV"
},
{
"name": "Updater",
"version": "2025-05-28T06:59Z",
"description": "Updater configuration file"
},
{
"name": "WA",
"version": "2025-06-02T07:02Z",
"description": "AV engine and SSL/TLS exclusions configuration file"
},
{
"name": "WCCE",
"version": "",
"description": "Web Categories for Web Control"
},
{
"name": "WMDF",
"version": "2024-11-27T11:56Z",
"description": "Malware domains for DNS security"
},
{
"name": "WMUF",
"version": "2025-06-02T07:49Z",
"description": "Malware URLs for URL reputation checker"
},
{
"name": "WMUFIP",
"version": "2024-11-27T11:24Z",
"description": "Malware IP for DNS security"
}
]
}
}
}
show system databases-status
Show service information for Anti-Virus databases.
Example output:
ngfw> show system databases-status
{
"ngfw-system:system": {
"databases-status": {
"last-successfull-update-time": 1748934471,
"release-time": 1748932080,
"build-time": 1748924568,
"primary-index-time": 1748934600,
"state": 4,
"load-result": 0,
"record-count": 27534375
}
}
}
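Added example, not part of the Kaspersky documentation, covering the show system databases-info and show system databases-status outputs above: a Python check that lists components with an empty or old release date and computes the time since the last successful update. The 30-day threshold is an arbitrary choice for the demo, and reading the *-time fields as Unix epoch seconds is an assumption.

```python
import json
from datetime import datetime, timedelta, timezone

# Trimmed copies of the example outputs on this page (4 of 16 components kept).
DATABASES_INFO = """
{"ngfw-system:system": {"databases-info": {"status": "ok", "components-versions": [
  {"name": "APU", "version": "2025-06-02T07:48Z", "description": "Antiphishing URLs for URL reputation checker"},
  {"name": "IDSNGFW", "version": "2025-03-20T10:58Z", "description": "Signatures for IDPS"},
  {"name": "KDSCRL", "version": "2021-09-27T11:12Z", "description": "Kaspersky Digital Signature Certificate Revocation List"},
  {"name": "WCCE", "version": "", "description": "Web Categories for Web Control"}
]}}}
"""
DATABASES_STATUS = """
{"ngfw-system:system": {"databases-status": {
  "last-successfull-update-time": 1748934471, "release-time": 1748932080,
  "state": 4, "load-result": 0}}}
"""


def stale_components(info_json, now, max_age):
    """Return [(name, age_in_days or None)] for components older than max_age.

    None marks a component that reports an empty version string.
    """
    info = json.loads(info_json)["ngfw-system:system"]["databases-info"]
    findings = []
    for comp in info["components-versions"]:
        if not comp["version"]:
            findings.append((comp["name"], None))
            continue
        released = datetime.strptime(comp["version"], "%Y-%m-%dT%H:%MZ")
        age = now - released.replace(tzinfo=timezone.utc)
        if age > max_age:  # tune per component: some may update rarely
            findings.append((comp["name"], age.days))
    return findings


def seconds_since_update(status_json, now):
    """Seconds since the last successful update.

    Assumption: the *-time fields are Unix epoch seconds (UTC).
    """
    status = json.loads(status_json)["ngfw-system:system"]["databases-status"]
    last = datetime.fromtimestamp(status["last-successfull-update-time"],
                                  tz=timezone.utc)
    return (now - last).total_seconds()


if __name__ == "__main__":
    now = datetime(2025, 6, 3, 12, 0, tzinfo=timezone.utc)  # fixed for the demo
    for name, days in stale_components(DATABASES_INFO, now, timedelta(days=30)):
        print(name, "no version reported" if days is None else f"{days} days old")
    print("last update", seconds_since_update(DATABASES_STATUS, now), "s ago")
```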
show system status
List information about the status of the key processes of the Kaspersky NGFW device. The JSON output indicates the general status of the device (the device-status field) and the statuses of individual processes (the services-statuses field).
Example output:
ngfw> show system status
{
"ngfw-system:system": {
"status": {
"device-status": "ok",
"services-statuses": [
{
"name": "security engines",
"status": "active"
},
{
"name": "syslog-ng@default",
"status": "active"
},
{
"name": "dumping",
"status": "inactive"
},
{
"name": "vpp",
"status": "active"
},
{
"name": "ngfw-snmp",
"status": "active"
},
{
"name": "dbus",
"status": "active"
},
{
"name": "snmpd",
"status": "inactive(admin)"
},
{
"name": "chrony",
"status": "active"
},
{
"name": "ngfw-status",
"status": "active"
},
{
"name": "getty@tty1",
"status": "active"
},
{
"name": "knbe-agent",
"status": "active"
},
{
"name": "systemd-logind",
"status": "active"
},
{
"name": "systemd-networkd",
"status": "active"
},
{
"name": "sshd",
"status": "active"
},
{
"name": "systemd-journald",
"status": "active"
},
{
"name": "systemd-resolved",
"status": "active"
},
{
"name": "systemd-udevd",
"status": "active"
},
{
"name": "auditd",
"status": "active"
}
]
}
}
}
[no] system account ban-settings enable
Enable (or disable, if no) temporary blocking of password authentication for user accounts that failed several authentication attempts in a row.
system account ban-settings threshold <threshold>
Set number of failed password authentication attempts after which blocking is enforced.
system account ban-settings duration <duration>
Set blocking duration in seconds.
show system account
Show the configuration of the user account control system.
[no] system ssh tcp-keep-alive
Enable (or disable, if no) the sending of TCP keepalive messages for SSH sessions.
system ssh client-alive-interval <interval>
Set ClientAliveInterval for SSH.
system ssh client-alive-count-max <count>
Set ClientAliveCountMax for SSH.
[no] system ssh password-auth
Enable (or disable, if no) password authentication over SSH.
show system ssh
Show SSH configuration.
system ntp enable
Enable synchronization with time servers.
no system ntp enable
Disable synchronization with time servers.
show system ntp enable
Show time servers synchronization status.
Example output:
ngfw> show system ntp enable
{
"ngfw-ntp:chrony": {
"enable": false
}
}
system ntp add (server|pool) <address> [prefer] [key [id <key-id>] [type (md5|sha1|sha256)] [value <key-value>]]
Add new time servers. Arguments:
server adds a single time server.
pool adds a pool of time servers.
address specifies an IPv4 address or domain name of a single server or server pool name.
prefer makes the new server top-priority.
key [id <key-id>] [type (md5|sha1|sha256)] [value <key-value>] adds a new authentication key to server. If the key you need already exists, you can use it by specifying only id <key-id>.
id <key-id> is the unique identification number of an existing or new key.
type (md5|sha1|sha256) is the type of a new authentication key. By default, md5.
value is the new key itself, from 6 to 16 characters.
Example commands:
system ntp add pool pool.ntp.org
system ntp add server 1.2.3.5 prefer
system ntp add server 1.2.3.6 key id 1
system ntp add server 1.2.3.7 prefer key id 2 value ABCDEFGH
system ntp add server 1.2.3.8 prefer key id 3 type sha1 value ABCDEFGH
Add server pool:
system ntp add pool pool.ntp.org server 1.2.3.4 prefer key id 1
no system ntp add <address>
Remove configured time server.
system ntp add-key id <key-id> [type (md5|sha1|sha256)] value <key-value>
Add new authentication key. Subsequently, this key can be used when adding a time server using the system ntp add command. Arguments:
id <key-id> is the unique identification number of the key.
type (md5|sha1|sha256) is the type of authentication key. By default, md5.
value is the key itself, from 6 to 16 characters.
system ntp replace key id <key-id> [type (md5|sha1|sha256)] value <key-value>
Replace authentication key with the specified ID, if it exists. Arguments:
id <key-id> is the unique identification number of the key.
type (md5|sha1|sha256) is the type of authentication key. By default, md5.
value is the key itself, from 6 to 16 characters.
no system ntp key <key-id>
Delete authentication key with the specified identification number. Trying to delete a key that is used by some time servers results in an error.
system ntp vrf <vrf-name>
Use virtual router (Virtual Routing and Forwarding; VRF) <vrf-name> for the route to configured time servers.
no system ntp vrf
Use the default Management routing and forwarding table for the route to configured time servers.
show system ntp vrf
Show the name of the used virtual router (Virtual Routing and Forwarding; VRF).
Example output:
ngfw> show system ntp vrf
Management
show system ntp servers
Output information about configured time servers.
Example output:
ngfw> show system ntp servers
{
"ngfw-ntp:chrony": {
"ntp-server": [
{
"address": "1.2.3.4",
"preferred": false,
"server-type": "server"
},
{
"address": "5.6.7.8",
"preferred": true,
"server-type": "server"
},
{
"address": "8.9.10.11",
"preferred": false,
"server-type": "server",
"key-number": 1
}
]
}
}
show system ntp synced-server
Output information about the time server with which the system is currently synchronized.
Example output:
Reference ID : C16A5D74 (vigil.intelfx.name)
Stratum : 3
Ref time (UTC) : Mon Feb 10 06:47:58 2025
System time : 0.000000043 seconds slow of NTP time
Last offset : -0.000079599 seconds
RMS offset : 0.000144497 seconds
Frequency : 13.838 ppm slow
Residual freq : -0.023 ppm
Skew : 0.555 ppm
Root delay : 0.004848466 seconds
Root dispersion : 0.000670573 seconds
Update interval : 1.2 seconds
Leap status : Normal
show system time
Display the current time in the local time zone.
Example output for the Europe/Moscow time zone:
Mon Feb 10 06:45:38 2025 MSK
Example output for the Asia/Chita time zone:
Mon Feb 10 12:45:38 2025 +09
show system ntp short-diagnostics
Show brief diagnostic information from chrony.
Example output:
MS Name/IP address Stratum Poll Reach LastRx Last sample
===============================================================================
^- prod-ntp-4.ntp1.ps5.cano> 2 10 377 989 +184us[ +94us] +/- 24ms
^- prod-ntp-3.ntp4.ps5.cano> 2 10 377 96 +254us[ +254us] +/- 23ms
^- prod-ntp-5.ntp1.ps5.cano> 2 10 377 1007 +4946us[+4857us] +/- 29ms
^- alphyn.canonical.com 2 10 377 1034 +5973us[+5884us] +/- 86ms
^+ 51.250.110.169 2 10 377 90 +5865us[+5865us] +/- 14ms
^- time.cloudflare.com 3 9 377 36 -1442us[-1442us] +/- 20ms
^- time.cloudflare.com 3 10 377 396 -1253us[-1253us] +/- 20ms
^* cdn.edge-2.msk.i6p.eu 3 9 377 399 -280us[ -286us] +/- 7564us
show system ntp diagnostics
Show full diagnostic information from chrony.
Example output:
{
"ngfw-ntp:chrony": {
"diagnostics": [
{
"pool-name": "pool.ntp.org",
"servers": [
{
"address": "51.250.53.172",
"sync-status": "NotCombined",
"stratum": 2,
"reach": 17,
"last-rx": 34,
"last-sample": "+853µs[+745µs] +/- 36ms"
},
{
"address": "91.201.254.110",
"sync-status": "Combined",
"stratum": 2,
"reach": 17,
"last-rx": 34,
"last-sample": "-45µs[-147µs] +/- 6454µs"
},
{
"address": "89.109.251.22",
"sync-status": "CurrentBest",
"stratum": 1,
"reach": 17,
"last-rx": 34,
"last-sample": "+1204µs[+1093µs] +/- 3497µs"
},
{
"address": "51.250.110.169",
"sync-status": "Combined",
"stratum": 2,
"reach": 17,
"last-rx": 34,
"last-sample": "+548µs[+443µs] +/- 8140µs"
}
]
},
{
"sync-status": "Combined",
"address": "10.3.0.222",
"stratum": 3,
"reach": 17,
"last-rx": 34,
"last-sample": "-1035µs[-1134µs] +/- 2948µs"
}
]
}
}
system services
Go to system service configuration submenu.
system services> enable
Enable system service settings.
system services> no enable
Disable system service settings.
system services> vrf <vrf-name>
Use virtual router (Virtual Routing and Forwarding; VRF) <vrf-name> for the route to system services.
system services> no vrf
Use the default routing table for the route to system services.
show system services settings
Show system service settings.
Example output:
ngfw> show system services settings
{
"ngfw-system:system": {
"services": {
"enable": true,
"vrf-name": "Management"
}
}
}
show system restricted
Run a restricted command line mode check and show its results. The results of the check do not affect the current command line mode.
Example output:
{ "restrictedMode": false, "firstBootPassed": true, "deviceReady": true }
where:
restrictedMode indicates whether restricted command line mode is enabled. This mode is available during the initialization of Kaspersky NGFW and in case of initialization errors. In this mode, only a small subset of commands is available.
firstBootPassed indicates whether the first start of Kaspersky NGFW was completed.
deviceReady indicates whether the device is ready.
show system last-ksc-policy-sync-time
Show last successful synchronization time of policy from the Open Single Management Platform. The time is in the local time zone.
Example output:
ngfw> show system last-ksc-policy-sync-time
Wed Mar 19 18:14:46 2025 MSK
show system idps traffic-dump-files <regex>
Show the names of files in which traffic dumps were saved after triggered IDPS signatures, and the size of the files in bytes; can be filtered by file name using a regular expression.
Example output:
ngfw> show system idps traffic-dump-files
idps-traffic-dump-57600550-33d86c30-3ee0-4df9-aa55-0328d3995de0-1749248417.pcap 128 bytes 2025-06-06 23:20:17
idps-traffic-dump-57600550-075d9079-0fc4-4dcf-92de-2a047372bbf7-1749248400.pcap 128 bytes 2025-06-06 23:20:00
ngfw> show system idps traffic-dump-files .*4df9.*
idps-traffic-dump-57600550-33d86c30-3ee0-4df9-aa55-0328d3995de0-1749248417.pcap 128 bytes 2025-06-06 23:20:17
clear system idps traffic-dump-files <regex>
Delete files in which traffic dumps were saved after triggered IDPS signatures; can be filtered by file name using a regular expression.
Example output:
ngfw> clear system idps traffic-dump-files .*
Deleted 2 files