The iShield NGCLI is the last resort for initial configuration and for recovery when the iShield WebUI cannot be accessed, whether because of a configuration mishap or because the iShield device certificate has not been renewed.
The purpose of this section and the iShield LAB is not to teach the agent every part of the iShield NGCLI. The LAB environment cannot reproduce every permutation of the iShield configuration, so it cannot cover every scenario in which the NGCLI would assist a technician.
The goal of this LAB is to introduce the agent to the iShield NGCLI and provide a base understanding pertaining to the critical features of the firewall that any advanced iShield support agent will need to navigate as more complex issues arise.
The following will be covered as part of the iShield NGCLI Platinum training and are considered to be Core Skills that all technicians must master in order to achieve Platinum Certification.
General Features and Navigation:
Certificate Management
Ping
Show
Save
Reload/Full-Reload
Reset-Factory-Config
Configuration and Management
IP Module
Connection Module
DNSMASQ-Server Module
Hostname
Route
NAT
Policies
Identities
Proxy
Remote-Management
Automation and Templating
How to “automate” a task.
How to store a template and deploy a template.
How to generate custom commands and execute them successfully.
How to interpret errors.
General Features and Navigation:
Certificate Management
Command: certificate info
Example Output:
iShieldNG* > certificate info
- Certificate:
- Version: 3 (0x2)
- Serial Number:
- Signature Algorithm: sha256WithRSAEncryption
- Issuer: C = ZA, ST = Gauteng, L = Randburg, O = CloudGroup
- Not Before: Sep 20 22:02:16 2023 GMT
- Not After : Dec 19 22:02:16 2023 GMT
- Signature Algorithm: sha256WithRSAEncryption
- Verification: OK
Command: certificate download
Example Output:
certificate download
* Device already has a valid certificate
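The following is an added example and not part of the iShield material: a small Python check that reads the text of `certificate info` (as printed above) and reports whether the device certificate is expired or close to expiry, so a technician can run `certificate download` before the WebUI becomes unreachable. It assumes the validity dates are printed in the same format as `openssl x509 -text` (which the output above matches); the 14-day warning threshold is a choice of this example.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of the `certificate info` output shown above.
SAMPLE_CERT_INFO = """\
iShieldNG* > certificate info
- Certificate:
- Version: 3 (0x2)
- Serial Number:
- Signature Algorithm: sha256WithRSAEncryption
- Issuer: C = ZA, ST = Gauteng, L = Randburg, O = CloudGroup
- Not Before: Sep 20 22:02:16 2023 GMT
- Not After : Dec 19 22:02:16 2023 GMT
- Signature Algorithm: sha256WithRSAEncryption
- Verification: OK
"""

# Assumed: the NGCLI prints validity dates the way `openssl x509 -text` does.
_DATE_FMT = "%b %d %H:%M:%S %Y GMT"


def parse_certificate_info(text):
    """Return {field: value} for every 'Field: value' line in the output.

    The leading '- ' bullet is dropped; the first ':' splits field from value,
    so the ':' characters inside the timestamps are left alone.
    """
    fields = {}
    for raw in text.splitlines():
        line = raw.strip().lstrip("- ").strip()
        if ":" not in line:
            continue  # prompt line or free text
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return fields


def certificate_status(text, now, warn_days=14):
    """Classify the device certificate relative to `now`.

    `now` is a UTC-aware datetime or an ISO 8601 string in UTC
    ("2023-12-01T00:00:00"); it is a parameter rather than datetime.now() so a
    fleet report is reproducible. Returns (status, days_remaining) where status
    is 'invalid' (Verification not OK), 'not-yet-valid', 'expired',
    'expiring' (fewer than warn_days left, an assumed threshold) or 'ok'.
    """
    if isinstance(now, str):
        now = datetime.fromisoformat(now).replace(tzinfo=timezone.utc)
    info = parse_certificate_info(text)
    not_before = datetime.strptime(info["Not Before"], _DATE_FMT).replace(tzinfo=timezone.utc)
    not_after = datetime.strptime(info["Not After"], _DATE_FMT).replace(tzinfo=timezone.utc)
    days_remaining = (not_after - now).days  # negative once the certificate has expired
    if info.get("Verification") != "OK":
        return "invalid", days_remaining
    if now < not_before:
        return "not-yet-valid", days_remaining  # usually a wrong clock on the device
    if now >= not_after:
        return "expired", days_remaining
    if not_after - now < timedelta(days=warn_days):
        return "expiring", days_remaining
    return "ok", days_remaining


if __name__ == "__main__":
    status, days = certificate_status(SAMPLE_CERT_INFO, datetime.now(timezone.utc))
    print(f"device certificate: {status} ({days} days remaining)")
```

Run it against the saved output of `certificate info` from each device; anything reported as expiring or expired is a device that will need the NGCLI rather than the WebUI if left alone.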
Ping
Ping overview:
The ping command is similar to the ping command in standard Linux and Windows operating systems; however, there are minor differences in what is required to execute it successfully.
The output below lists the switches available when executing a ping from the NGCLI. Only -host is required.
ping
-------------------------
-connection <connection id> Ping using connection <connection id> (optional)
-count <count> How many packets to send (default:3) (optional)
-timeout <timeout> Packet timeout in ms (default:800) (optional)
-host <hostname/IP> Hostname / IP to ping
-------------------------
The only requirement to execute a ping is the “ping” command followed by the “-host” switch and the host you would like to ping, e.g. “8.8.8.8”.
The final command would look like this:
Command: ping -host 8.8.8.8
The result should look like this if the ping is successful. The bracketed warning on the second line appears when the running configuration has unsaved changes; in that state a ping that depends on connection routing (for example one using the -connection switch) may not behave as it will after a save and reload.
ping -host 8.8.8.8
(due to unsaved config changes connection routing might not work as expected, save & reload to be sure.)
PING '8.8.8.8' (with 36 bytes payload)
64 bytes from 8.8.8.8: icmp_seq=0 ttl=57 time=2ms
64 bytes from 8.8.8.8: icmp_seq=1 ttl=57 time=3ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=57 time=3ms
--- 8.8.8.8 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 8ms
rtt min/avg/max = 2.00/2.67/3.00 ms
Show
The “show” command does not need much of an introduction and will be quite simple to use once you start regularly navigating the NGCLI. Executing “show” in the NGCLI will show you the current iShield configuration file.
This is useful in cases where you do not want to continuously flip between multiple screens in order to identify the current configuration of the iShield or a particular module within the iShield configuration.
Executing the show command while editing a specific module clips the excerpt of the configuration related to that module to the display, as opposed to outputting the entire configuration file.
Below is an example of the clipped configuration visible when editing interfaces using the IP module in the NGCLI.
show
! Configuration (clipped and not entire config)
ip interface ether1
description InternetConnection
mode static
designation WAN
ipv4 10.0.2.2 netmask 255.255.255.0
ip interface ether2
description LocalAreaNetwork
mode static
designation LAN
ipv4 10.0.0.1 netmask 255.255.255.0
ip interface ether3 vlan 20
mode static
designation LAN
ip interface ether3 vlan 10
mode
designation WAN
ip interface ether3
description WAN Failover
mode
designation LAN
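Added example (not from the iShield material): a Python parser for the clipped `show` excerpt above, with the sanity checks worth running before you `save` and `reload`: every interface has a mode of static or dhcp and a LAN/WAN designation, a static interface carries a valid ipv4/netmask pair, a description that says WAN does not sit on a LAN-designated port (a heuristic), and no two interfaces have overlapping subnets. The sample text is the excerpt above; the parser keys off the `ip interface` lines rather than indentation, so it works on pasted output.

```python
import ipaddress
import re

# Constructed excerpt in the shape of the clipped `show` output above.
SAMPLE_SHOW = """\
! Configuration (clipped and not entire config)
ip interface ether1
description InternetConnection
mode static
designation WAN
ipv4 10.0.2.2 netmask 255.255.255.0
ip interface ether2
description LocalAreaNetwork
mode static
designation LAN
ipv4 10.0.0.1 netmask 255.255.255.0
ip interface ether3 vlan 20
mode static
designation LAN
ip interface ether3 vlan 10
mode
designation WAN
ip interface ether3
description WAN Failover
mode
designation LAN
"""

_ATTRIBUTES = ("description", "mode", "designation")


def parse_interfaces(text):
    """Split the excerpt into one dict per `ip interface` block, in config order.

    Blocks are delimited by the `ip interface ...` line itself, so the parser
    does not depend on indentation (which copy/paste tends to lose).
    """
    interfaces = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue  # blank or comment line
        if line.startswith("ip interface "):
            current = {"name": line[len("ip interface "):].strip(), "description": "",
                       "mode": "", "designation": "", "ipv4": "", "netmask": ""}
            interfaces.append(current)
            continue
        if current is None:
            continue  # attribute before any block header: nothing to attach it to
        key, _, value = line.partition(" ")
        value = value.strip()
        if key == "ipv4":
            parts = value.split()  # "ipv4 <ip> netmask <subnet>"
            current["ipv4"] = parts[0] if parts else ""
            if len(parts) >= 3 and parts[1] == "netmask":
                current["netmask"] = parts[2]
        elif key in _ATTRIBUTES:
            current[key] = value  # an empty value (bare "mode") is kept as ""
    return interfaces


def check_interfaces(interfaces):
    """Return [(interface name, problem)] for anything to fix before `save`."""
    problems = []
    networks = []  # (name, IPv4Network) for the overlap check
    for itf in interfaces:
        name = itf["name"]
        if itf["mode"] not in ("static", "dhcp"):
            problems.append((name, "mode must be static or dhcp"))
        if itf["designation"] not in ("LAN", "WAN"):
            problems.append((name, "designation must be LAN or WAN"))
        if itf["mode"] == "static":
            if not itf["ipv4"] or not itf["netmask"]:
                problems.append((name, "static mode needs 'ipv4 <ip> netmask <subnet>'"))
            else:
                try:
                    net = ipaddress.IPv4Interface(f"{itf['ipv4']}/{itf['netmask']}").network
                    networks.append((name, net))
                except ValueError:
                    problems.append((name, "ipv4/netmask is not a valid IPv4 address"))
        # Heuristic: a description naming WAN on a LAN-designated port (or vice
        # versa) is usually a mistake; routing follows the designation, not the text.
        for label in ("LAN", "WAN"):
            if re.search(rf"\b{label}\b", itf["description"].upper()) \
                    and itf["designation"] and itf["designation"] != label:
                problems.append((name, f"description mentions {label} but designation is {itf['designation']}"))
    # Two interfaces in overlapping subnets leave the firewall with ambiguous routes.
    for i, (name_a, net_a) in enumerate(networks):
        for name_b, net_b in networks[i + 1:]:
            if net_a.overlaps(net_b):
                problems.append((name_a, f"subnet {net_a} overlaps {name_b} ({net_b})"))
    return problems


def check_config(text):
    """Parse and check in one call; returns the problem list."""
    return check_interfaces(parse_interfaces(text))


if __name__ == "__main__":
    for name, problem in check_config(SAMPLE_SHOW):
        print(f"{name}: {problem}")
```

On the excerpt above this flags ether3 vlan 20 (static with no address), ether3 vlan 10 and ether3 (no mode), and the WAN Failover description on a LAN-designated port; ether1 and ether2 pass.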
Save
The “save” command saves the current configuration and the changes that have been made to the firewall.
Reload/Full-Reload
The “reload” and “full-reload” commands apply changes to modules by restarting the services associated with those modules. A “reload”, listed in the WebUI as a “soft-reload”, reloads only the modules you have changed.
In most cases this will not affect the network, unless the changes touch the network configuration or routing of the iShield.
A “full-reload” reloads all iShield modules, regardless of where changes have been made. This will affect the network; expect anywhere from one to three minutes of downtime.
Reset-Factory-Config
This command is simple, but drastic.
Executing the command “reset-factory-config” resets the iShield configuration to factory defaults. We will test this command at the end of the iShield LAB today.
I do not recommend executing it remotely unless you have hands on site: the addressing and remote-management settings you are connected through are part of the configuration that is reset.
Configuration and Management
IP Module
The IP module is used to configure the physical interfaces of the iShield. This is necessary when the iShield WebUI and NGCLI cannot be reached over the network by normal means.
In that case the last resort for getting an iShield online is to connect a screen and a keyboard to the device. The technician is then prompted to log in using their standard admin credentials.
Once logged in, the NGCLI can be used to navigate the iShield configuration, and changes can be applied in the IP module to get the iShield up and running again.
Initial Command: ip interface <ethernet interface>
Available Commands in IP Module:
description <description> Interface description
ipv4 <ip> netmask <subnet> Add ipv4 address
mode <static|dhcp> Interface IP assignment mode
designation <LAN/WAN> Is this interface connected to the WAN or LAN
show Show system parameters / config
Connection Module
Initial Command: connection <connection id>
name <connection name> Connections Name (eg, adsl, 3g)
interface <interface> Interface connection is outbound on (Required)
type <static|dhcp|dhcp6|pppoe> Connection Type
testType <ICMP/HTTP> Which test type should be conducted on this connection
testFrequency <seconds> How often connection is tested (default every 10 seconds)
testAddress <list of test addresses> IPs/Hostnames to ping test for testing (space separated)
testICMPtimeout <milliseconds> Timeout per ping in milliseconds (default: 800)
testICMPpackets <# of packets> Test packets to be sent per test address (default:3)
testICMPfailurePercentage <# percentage> Percentage of dropped packets before connection is marked down (default:50%)
testICMPinterval <milliseconds> The interval in milliseconds to wait before pinging the next test host (default: 100)
show Show system parameters / config
Hostname
Initial Command: hostname <new hostname>
Route
Initial Command: route dst <dst/cidr>
src <CIDR> Routing based on source CIDR notation
weight <0-255> Route weight
connection <connection ID> Connection used for routing
failover-connection <connection ID> Secondary connection used for routing
gateway <gateway>
Identities
Creating identities can be quite cumbersome; however, the process can be “scripted” as a set of commands that are copied and pasted into the iShield NGCLI.
Initial Command: identity <identity name>
Add Devices: devices <mac address>
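An added example of that scripting, not from the iShield material: a Python generator that turns a device inventory into `identity <name>` / `devices <mac>` lines ready to paste. The inventory is constructed. The assumptions are one `devices` line per MAC under its `identity` line (the page gives only those two command forms, not how the NGCLI leaves an identity again), and the name rule, which keeps a name to a single token so that a crafted name in an imported spreadsheet cannot inject a second command such as `reset-factory-config` into the pasted block. Paste the output, then `save`.

```python
import re

# Constructed inventory: identity name -> MAC addresses in the mixed formats
# that switch, DHCP-server and spreadsheet exports tend to produce.
INVENTORY = {
    "finance-laptops": ["00:1A:2B:3C:4D:5E", "00-1a-2b-3c-4d-5f", "001A.2B3C.4D60"],
    "printer-floor2": ["a4:5e:60:12:34:56"],
}

# An identity name becomes the rest of an `identity` command line, so it must be
# one token of plain characters: no spaces, quotes or newlines that could smuggle
# a second command into the pasted block (assumed rule, stricter than needed).
_NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.-]{0,63}")


def normalise_mac(mac):
    """Return the MAC as aa:bb:cc:dd:ee:ff, or raise ValueError.

    Accepts colon, dash, dot and space separated forms; rejects anything that
    is not exactly 12 hex digits and rejects multicast/broadcast addresses
    (low bit of the first octet set), which can never identify a device.
    """
    digits = re.sub(r"[:.\-\s]", "", mac)
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"malformed MAC address: {mac!r}")
    if int(digits[:2], 16) & 1:
        raise ValueError(f"multicast/broadcast MAC cannot be a device: {mac!r}")
    digits = digits.lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def inventory_errors(inventory):
    """Return a list of problems; empty means the inventory can become commands."""
    errors = []
    owner_of = {}
    for name, macs in inventory.items():
        if not _NAME_RE.fullmatch(name):
            errors.append(f"identity name {name!r} is not a single safe token")
        for mac in macs:
            try:
                norm = normalise_mac(mac)
            except ValueError as exc:
                errors.append(str(exc))
                continue
            owner = owner_of.setdefault(norm, name)
            if owner != name:
                errors.append(f"{norm} is listed under both {owner!r} and {name!r}")
    return errors


def identity_commands(inventory):
    """Return the NGCLI lines to paste, or raise before emitting anything.

    Validating the whole inventory first means a bad row cannot leave the
    firewall with half the identities applied.
    """
    errors = inventory_errors(inventory)
    if errors:
        raise ValueError("; ".join(errors))
    lines = []
    for name, macs in inventory.items():
        lines.append(f"identity {name}")
        emitted = set()
        for mac in macs:
            norm = normalise_mac(mac)
            if norm not in emitted:  # the same MAC twice in one identity is harmless, skip it
                emitted.add(norm)
                lines.append(f"devices {norm}")
    return lines


if __name__ == "__main__":
    print("\n".join(identity_commands(INVENTORY)))
```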
Proxy
The iShield proxy has a vast set of options that can be used to configure/manipulate the proxy and how certain traffic is handled. This LAB will cover the core features of the iShield proxy and show you how and when to apply certain rules.
https-exclusion-list <condition> <criteria> HTTPS exclusion matching rule
https-cert-error-whitelist <condition> <criteria> HTTPS certificate error exclusion matching rule
proxy-bypass-list <condition> <criteria> Proxy Bypass matching rule (hosts will skip interception)
Remote-Management
webui-restrict-trusted-sources <true/false> Restrict WebUI to trusted sources only
webui-trusted-source <CIDR network range/mask> WebUI trusted source network range
ssh-restrict-trusted-sources <true/false> Restrict SSH to trusted sources only
ssh-trusted-source <CIDR network range/mask> SSH trusted source network range
allow-vendor-access <true/false> Allow vendor remote support access
webui-http-port <port number, default 80> WebUI HTTP listening port
webui-https-port <port number, default 443> WebUI HTTPS listening port
ssh-port <port number, default 22> SSH CLI listening port
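Added example, not from the iShield material: a Python check to run on a remote-management command template before it is pasted. The configuration mishap this page opens with, losing the WebUI and needing the NGCLI, is easy to cause here: enabling `webui-restrict-trusted-sources` or `ssh-restrict-trusted-sources` with a trusted source list that does not include the network you are connecting from locks you out of both at once, while a trusted source of 0.0.0.0/0 (or no restriction) leaves the management ports open to anyone who can reach them. The command names and value forms are the ones listed above; the one-command-per-line template, the constructed template, the operator address and the last-line-wins rule for single-valued commands are assumptions of the example.

```python
import ipaddress

# Constructed template: a "tighten remote access" change as an operator might
# paste it. The flaw: the SSH allow-list omits the management network the
# operator is connecting from (192.168.50.0/24), so it would lock them out.
TEMPLATE = """\
webui-restrict-trusted-sources true
webui-trusted-source 10.0.0.0/24
webui-trusted-source 192.168.50.0/24
ssh-restrict-trusted-sources true
ssh-trusted-source 10.0.0.0/24
allow-vendor-access false
webui-https-port 8443
ssh-port 22
"""


def parse_template(text):
    """Collect `command value` lines into {command: [values]}.

    Repeatable commands such as webui-trusted-source keep every value; for
    single-valued commands the last occurrence is taken to win (assumed to
    match how the CLI applies a later line over an earlier one).
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue  # blank line or comment
        cmd, _, value = line.partition(" ")
        settings.setdefault(cmd, []).append(value.strip())
    return settings


def check_remote_management(text, operator_ip):
    """Return a list of findings; an empty list means the template is safe to paste and `save`.

    operator_ip is the address the technician's session will come from after
    the change (for an on-site console session it can be any LAN address).
    """
    settings = parse_template(text)
    operator = ipaddress.ip_address(operator_ip)
    findings = []
    for svc in ("webui", "ssh"):
        restrict = settings.get(f"{svc}-restrict-trusted-sources", ["false"])[-1].lower() == "true"
        trusted = []
        for cidr in settings.get(f"{svc}-trusted-source", []):
            try:
                trusted.append(ipaddress.ip_network(cidr, strict=False))
            except ValueError:
                findings.append(f"{svc}: {cidr!r} is not a valid CIDR range")
        if not restrict:
            findings.append(f"{svc}: reachable from any source ({svc}-restrict-trusted-sources is not true)")
            continue
        if not trusted:
            findings.append(f"{svc}: restriction enabled with no trusted source, nobody can reach it")
            continue
        if any(net.prefixlen == 0 for net in trusted):
            findings.append(f"{svc}: a trusted source of /0 admits every address, the restriction is meaningless")
        if not any(operator in net for net in trusted):
            findings.append(f"{svc}: operator address {operator_ip} is outside every trusted source (lockout)")
    if settings.get("allow-vendor-access", ["false"])[-1].lower() == "true":
        findings.append("allow-vendor-access true: vendor remote support can reach the device")
    return findings


if __name__ == "__main__":
    for finding in check_remote_management(TEMPLATE, "192.168.50.10") or ["no findings"]:
        print(finding)
```

Run with the address you will actually connect from; for a remote session that is the address the iShield sees, not the workstation's private address behind another NAT. Fix every finding, paste the template, `save`, and confirm a fresh SSH or WebUI login works before closing the session that made the change.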