Managing Kaspersky NGFW using the command line

Command line mode

After logging in to Kaspersky NGFW using the console and starting the command line, only one of the following modes is available, depending on the current state of the device:

• The Limited access mode offers a limited set of commands for basic diagnostics and startup.
• The Full access mode offers the full set of commands for managing the solution.

The mode in which the command line is started depends on the current status of the device:

• If the status is OK, the full operating mode of Kaspersky NGFW is initiated.
• If the status is not OK, the limited mode of Kaspersky NGFW is initiated.
• If the status is Initialization, the command line does not start. Instead, the user gets a Service is not ready message.

Switching between access modes is not automatic. If the status of the device changes while the device is working (for example, the device goes from Initialization to OK), to gain access to a new set of commands, you need to exit the current session and re-authorize.

Commands and utilities

You can manage Kaspersky NGFW on the command line. You can use the following commands:

• bfd – a family of commands for configuring the Bidirectional Forwarding Detection (BFD) protocol
• bgp – a family of commands for configuring the Border Gateway Protocol (hereinafter BGP)
• bond – a family of commands for configuring and viewing aggregated interfaces
• bridge – a family of commands for configuring L2 bridges
• config – a family of commands for managing the configuration
• counters – a family of commands for viewing event counters
• decrypt – a family of commands for configuring traffic decryption rules
• dhcp-relay – a family of commands for configuring DHCP relay servers
• domain-object – a family of commands for configuring objects that are collections of domain names
• dpi – a family of commands for managing the DPI subsystem
• explicit-proxy – a family of commands for configuring the HTTP proxy server of NGFW
• failover – a family of commands for configuring a high-availability cluster
• health – a command that displays the status of system components
• interface – a family of commands for configuring and viewing interfaces
• ip-reassembly – a family of commands for configuring the processing of fragmented IP packets
• ip route – a family of commands for configuring IP routes
• knbe-agent – a family of commands for managing the agent responsible for synchronizing with the orchestrator
• ksc-server – a family of commands for configuring the Open Single Management Platform (OSMP) connection
• ksn – a family of commands for configuring Kaspersky Security Network (KSN)
• licensing – a family of commands for managing the license
• log – a family of commands for managing the logging system
• mf – a family of commands for configuring traffic filtering by MAC address
• nat – a family of commands for configuring NAT/NAPT translation rules
• object – a family of commands for configuring network objects
• ospf – a family of commands for configuring the OSPF protocol
• pcapdump – a family of commands for configuring, starting, stopping, and viewing the results of capturing local packets passing through Kaspersky NGFW
• pf session – a family of commands for displaying and clearing the table of sessions
• pf – a family of commands for configuring security rules
• proxy – a family of commands for configuring the proxy server connection
• quit – a command for exiting the command line
• routing – a family of commands for configuring routing filters
• security-events-toggle – a family of commands for configuring security event logging
• security – a family of commands for configuring scanning and analysis of the contents of network traffic
• send-net-unreachable – a family of commands for configuring the sending of an ICMP message if the route for the incoming packet is unknown
• service – a family of commands for configuring services
• snmp – a family of commands for configuring SNMP monitoring
• software-updater – a family of commands for the firmware update task
• stat – a family of commands for configuring and viewing interface statistics settings
• system - a family of system commands
• tech-support-info - command for gathering technical information on a Kaspersky NGFW instance for Technical Support in case of an incident
• timeouts – a family of commands for configuring the session closing timeout for various network protocols
• tls – a family of commands for managing the TLS/SSL encryption protocols
• updater – a family of commands for the database update task
• user-awareness – a family of commands for configuring the User awareness functionality
• utils – a family of commands for running utilities
• vrf – a family of commands for configuring virtual routers (VRF-Lite)
• zone – a family of commands for configuring and viewing data plane zones

A full description of the command line commands is given in the Managing Kaspersky NGFW using the command line document.

You can also use the following command line utilities and their options to diagnose and troubleshoot Kaspersky NGFW:

• ping is a utility for checking the connection quality in TCP/IP networks.

  You can use the ping utility to set the maximum transmission unit (MTU) size and control the DF flag.

• curl is a utility for making HTTP requests.
• nslookup is a utility for troubleshooting DNS.
• traceroute is a utility for determining data routes in TCP/IP networks.
• tcpdump is a packet capture utility.
• packet-tracer is a utility for logging packets transiting data plane interfaces.

These diagnostic utilities are available on all interfaces of Kaspersky NGFW. For detailed information on how to use these utilities, refer to the corresponding documentation.

Page top