Command Line

Section 1: iShield NGCLI Configuration

The iShield NGCLI is the last resort for initial configuration and recovery in the event that the iShield WebUI cannot be accessed due a configuration mishap, or if the iShield device certificate has not been renewed.

The purpose of this section and the iShield LAB is not to teach the agent how to navigate the entirety of the iShield NGCLI. Unfortunately, we will not have applications for all permutations of the iShield configuration in this LAB environment, and thus cannot provide a LAB environment to address every possible scenario that the iShield NGCLI could assist a technician in solving.

The goal of this LAB is to introduce the agent to the iShield NGCLI and provide a base understanding pertaining to the critical features of the firewall that any advanced iShield support agent will need to navigate as more complex issues arise.

The following will be covered as part of the iShield NGCLI Platinum training and are considered to be Core Skills that all technicians must master in order to achieve Platinum Certification.

General Features and Navigation:

1. Certificate Management

2. Ping

3. Show

4. Save

5. Reload/Full-Reload

6. Reset-Factory-Config

Configuration and Management

1. IP Module

2. Connection Module

3. DNSMASQ-Server Module

4. Hostname

5. Route

6. NAT

7. Policies

8. Identities

9. Proxy

10. Remote-Management

Automation and Templating

1. How to “automate” a task.

2. How to store a template and deploy a template.

3. How to generate custom commands and execute them successfully.

4. How to interpret errors.

General Features and Navigation:

1. Certificate Management

Command: certificate info

Example Output:

iShieldNG* > certificate info

- Certificate:

- Version: 3 (0x2)

- Serial Number:

- Signature Algorithm: sha256WithRSAEncryption

- Issuer: C = ZA, ST = Gauteng, L = Randburg, O = CloudGroup

- Not Before: Sep 20 22:02:16 2023 GMT

- Not After : Dec 19 22:02:16 2023 GMT

- Signature Algorithm: sha256WithRSAEncryption

- Verification: OK

Command: certificate download

Example Output: 

certificate download

* Device already has a valid certificate

2. Ping
   
   

Ping overview:

The ping command is similar to the ping command that you would use in standard Linux and Windows Operating Systems, however, there are minor differences in the requirements to successfully execute a ping command.

The below output lists the switches that must be used in order to execute a ping from the NGCLI.

 ping

-------------------------

-connection <connection id>      Ping using connection <connection id> (optional)

-count <count>                   How many packets to send (default:3) (optional)

-timeout <timeout>               Packet timeout in ms (default:800) (optional)

-host <hostname/IP>              Hostname / IP to ping

-------------------------

The only requirement to successfully execute a ping is to specify the “ping” command along with the “-host” switch and finally the host you would like to ping. i.e. “8.8.8.8”.

The final command would look like this:

Command: ping -host 8.8.8.8

The result should look like this if the ping is successful.

ping -host 8.8.8.8

(due to unsaved config changes connection routing might not work as expected, save & reload to be sure.)

PING '8.8.8.8' (with 36 bytes payload)

64 bytes from 8.8.8.8: icmp_seq=0 ttl=57 time=2ms

64 bytes from 8.8.8.8: icmp_seq=1 ttl=57 time=3ms

64 bytes from 8.8.8.8: icmp_seq=2 ttl=57 time=3ms

--- 8.8.8.8 ping statistics ---

3 packets transmitted, 3 received, 0% packet loss, time 8ms

rtt min/avg/max = 2.00/2.67/3.00 ms

3. Show

The “show” command does not need much of an introduction and will be quite simple to use once you start regularly navigating the NGCLI. Executing “show” in the NGCLI will show you the current iShield configuration file.

This is useful in cases where you do not want to continuously flip between multiple screens in order to identify the current configuration of the iShield or a particular module within the iShield configuration.

Executing the show command when editing a specific module, will clip an excerpt of the configuration related to that module to the display as opposed to outputting the entire configuration file.

Below is an example of the clipped configuration visible when editing interfaces using the IP module in the NGCLI.

 show

! Configuration (clipped and not entire config)

ip interface ether1

 description InternetConnection

 mode static

 designation WAN

 ipv4 10.0.2.2 netmask 255.255.255.0

ip interface ether2

 description LocalAreaNetwork

 mode static

 designation LAN

 ipv4 10.0.0.1 netmask 255.255.255.0

ip interface ether3 vlan 20

 mode static

 designation LAN

ip interface ether3 vlan 10

 mode

 designation WAN

ip interface ether3

 description WAN Failover

 mode

 designation LAN

4. Save

The “save” command saves the current configuration and the changes that have been made to the firewall.

5. Reload/Full-Reload

The “reload” and “full-reload” commands are used to apply changes to modules by restarting the services associated with running these modules. A “reload” also listed in the WebUI as a “soft-reload” will reload only the modules that you have made adjustments to. 

In most cases, this would not have an impact on the network, unless changes have been made to the network configuration or routing of the iShield.

A “full-reload” will reload all iShield modules, regardless of where changes have been made. This will have an impact on the network, you can expect anywhere from one, to three minutes of down time.

6. Reset-Factory-Config

This command is quite simple, yet very effective.

Executing the command “reset-factory-config” will reset the iShield configuration to factory defaults. We will test this command at the end of the iShield LAB today.

I do not recommend executing this remotely, unless you have hands on site.

Configuration and Management

1. IP Module

The IP module will be used to configure the physical interfaces of the iShield. This will be necessary in cases where access to the iShield WebUI and NGCLI are not possible by normal means.

In order to get an iShield online, the last resort would be to connect a screen and a keyboard to the device. Doing this will prompt the technician to log in using their standard admin credentials.

Once access has been granted, the NGCLI can be used to navigate through the iShield configuration and changes can be applied to the IP module to get the iShield up and running again.

Initial Command: ip interface <ethernet interface>

Available Commands in IP Module:

description <description>       Interface description

ipv4 <ip> netmask <subnet>      Add ipv4 address

mode <static|dhcp>              Interface IP assignment mode

designation <LAN/WAN>           Is this interface connected to the WAN or LAN

show                            Show system parameters / config

2. Connection Module

Initial Command: connection <connection id>

name <connection name>                        Connections Name (eg, adsl, 3g)

interface <interface>                         Interface connection is outbound on (Required)

type <static|dhcp|dhcp6|pppoe>                Connection Type

testType <ICMP/HTTP>                          Which test type should be conducted on this connection

testFrequency <seconds>                       How often connection is tested (default every 10 seconds)

testAddress <list of test addresses>          IPs/Hostnames to ping test for testing (space seperated)

testICMPtimeout <milliseconds>                Timeout per ping in milliseconds (default: 800)

testICMPpackets <# of packets>                Test packets to be sent per test address (default:3)

testICMPfailurePercentage <# percentage>      Percentage of dropped packets before connection is marked down (default:50%)

testICMPinterval <milliseconds>               The interval in milliseconds to wait before pinging the next test host (default: 100)

show                                          Show system parameters / config

3. Hostname

Initial Command: hostname <elected hostname>

4. Route

Initial Command: route dst <dst/cidr>

src <CIDR>                               Routing based on source CIDR notation

weight <0-255>                           Route weight

connection <connection ID>               Connection used for routing

failover-connection <connection ID>      Secondary connection used for routing

gateway <gateway>

5. Identities

Creating identities can be quite cumbersome, however, this process can be “scripted” based on a set of commands that can be copied and pasted into the iShield NGCLI.

Initial Command: identity <identity name>

Add Devices: devices <mac address>

6. Proxy

The iShield proxy has a vast set of options that can be used to configure/manipulate the proxy and how certain traffic is handled. This LAB will cover the core features of the iShield proxy and show you how and when to apply certain rules.

• https-exclusion-list <condition> <criteria>            HTTPS exclusion matching rule

• https-cert-error-whitelist <condition> <criteria>      HTTPS certificate error exclusion matching rule

• proxy-bypass-list <condition> <criteria>               Proxy Bypass matching rule (hosts will skip interception)

7. Remote-Management

webui-restrict-trusted-sources <true/false>         Restrict WebUI to trusted sources only

webui-trusted-source <CIDR network range/mask>      WebUI trusted source network range

ssh-restrict-trusted-sources <true/false>           Restrict SSH to trusted sources only

ssh-trusted-source <CIDR network range/mask>        SSH trusted source network range

allow-vendor-access <true/false>                    Allow vendor remote support acccess

webui-http-port <port number, default 80>           WebUI HTTP listening port

webui-https-port <port number, default 443>         WebUI HTTPS listening port

ssh-port <port number, default 22>                  SSH CLI listening port