Reference Manual Command Line Interface (CLI) Industrial Ethernet Firewall EAGLE One RM CLI EAGLE One Technische Unterstützung Release 5.3 09/2013 https://hirschmann-support.belden.eu.com The naming of copyrighted trademarks in this manual, even when not specially indicated, should not be taken to mean that these names may be considered as free in the sense of the trademark and tradename protection law and hence that they may be freely used by anyone. © 2013 Hirschmann Automation and Control GmbH Manuals and software are protected by copyright. All rights reserved. The copying, reproduction, translation, conversion into any electronic medium or machine scannable form is not permitted, either in whole or in part. An exception is the preparation of a backup copy of the software for your own use. For devices with embedded software, the end-user license agreement on the enclosed CD/DVD applies. The performance features described here are binding only if they have been expressly agreed when the contract was made. This document was produced by Hirschmann Automation and Control GmbH according to the best of the company's knowledge. Hirschmann reserves the right to change the contents of this document without prior notice. Hirschmann can give no guarantee in respect of the correctness or accuracy of the information in this document. Hirschmann can accept no responsibility for damages, resulting from the use of the network components or the associated operating software. In addition, we refer to the conditions of use specified in the license contract. You can get the latest version of this manual on the Internet at the Hirschmann product site (www.hirschmann.com). Printed in Germany Hirschmann Automation and Control GmbH Stuttgarter Str. 45-51 72654 Neckartenzlingen Germany Tel.: +49 1805 141538 09/2013 – 13.11.13 Contents Contents About this Manual 5 Key 7 1 Introduction 8 1.1 Industrial Ethernet Firewall 9 1.1.1 Application areas 9 1.1.2 Operating Modes 9 1.2 User interfaces 11 1.3 Command Line Interface 12 2 Access to CLI 13 2.1 Preparing the data connection 14 2.2 CLI via SSH (Secure Shell) 15 2.3 CLI via the V.24 port 19 3 Using the CLI 23 3.1 Mode-based command hierarchy 24 3.2 Executing the commands 30 3.2.1 Syntax analysis 30 3.2.2 Command tree 30 3.2.3 Structure of a command 31 3.3 Properties of the CLI 35 3.3.1 Input prompt 35 3.3.2 Key combinations 36 3.3.3 Data entry elements 38 3.3.4 Line length 39 4 Examples 43 4.1 Change timeout default setting 44 4.2 Login Banner 49 4.3 Saving the Configuration 51 RM CLI EAGLE One Release 5.3 09/2013 3 Contents 5 Maintenance 53 5.1 Service Shell 54 A Readers’ Comments 57 B Index 59 C Further Support 61 RM CLI EAGLE One 4 Release 5.3 09/2013 About this Manual About this Manual The “Command Line Interface” reference manual contains detailed information on using the Command Line Interface to operate the individual functions of the device. The “Configuration“ user manual contains the information you need to start operating the device. It takes you step by step from the first startup operation through to the basic settings for operation in your environment. The “GUI Graphical User Interface” reference manual contains detailed information on using the graphical user interface to operate the individual functions of the device. The “Installation” user manual contains a device description, safety instructions, a description of the display, and the other information that you need to install the device. The Industrial HiVision Network Management Software provides you with additional options for smooth configuration and monitoring: Simultaneous configuration of multiple devices Graphical user interface with network layout Auto-topology discovery Event log Event handling Client/server structure Browser interface ActiveX control for SCADA integration SNMP/OPC gateway. RM CLI EAGLE One Release 5.3 09/2013 5 About this Manual RM CLI EAGLE One 6 Release 5.3 09/2013 Key Key The designations used in this manual have the following meanings: List Work step Subheading Link Cross-reference with link Note: A note emphasizes an important fact or draws your attention to a dependency. Courier ASCII representation in user interface RM CLI EAGLE One Release 5.3 09/2013 7 Introduction 1 Introduction RM CLI EAGLE One 8 Release 5.3 09/2013 Introduction 1.1 Industrial Ethernet Firewall 1.1 Industrial Ethernet Firewall 1.1.1 Application areas The EAGLE One industrial firewall/VPN system helps provide for the authentication, security and confidentiality of communication within production networks, but also beyond company boundaries. The EAGLE One devices support the following network modes: Transparent mode Router mode PPPoE mode 1.1.2 Operating Modes This device helps you protect the internal network (1 INTERN port) from external influences (2 EXTERN port). These influences can include deliberate attacks or unauthorized access attempts, as well as interfering network events such as overloads. State on delivery On delivery, the device works in the Transparent Mode. In this mode, no network settings (e.g., for subnetworks) are required for operation. The firewall is preconfigured so that the IP traffic from the internal network is possible; however, traffic from the external network to the internal network is not possible. Thus, the default settings already support security against attacks from the external network. RM CLI EAGLE One Release 5.3 09/2013 9 Introduction 1.1 Industrial Ethernet Firewall Modes Transparent mode In transparent mode, the Firewall transmits on level 2 of the ISO/OSI layer model. The IP address ranges before and after the Firewall are located in the same sub-network. The Firewall also allows you to access the device in the delivery state without configuring the IP address. To do this, use the address 192.168.1.1/24. Router Mode In router mode, the Firewall transmits on level 3 of the ISO/OSI layer model. The IP address ranges before and after the Firewall are located in different subnetworks. You will find a detailed description of the IP configuration in the “Configuration” user manual of the EAGLE One. PPPoE mode In the PPPoE mode, the device works like in the router mode. However, the device uses the PPPoE protocol on the 2 EXTERN. This enables Internet connections via a DSL modem, for example. RM CLI EAGLE One 10 Release 5.3 09/2013 Introduction 1.2 User interfaces 1.2 User interfaces The device provides you 3 user interfaces, which you can access through different interfaces: System monitor via the V.24 interface (out-of-band) Command Line Interface (CLI) via the V.24 connection (out-of-band) or via SSH (in-band) Graphical user interface (GUI) via Ethernet (in-band). RM CLI EAGLE One Release 5.3 09/2013 11 Introduction 1.3 Command Line Interface 1.3 Command Line Interface The Command Line Interface enables you to use the functions of the device through a local or remote connection. This supports you with a secure administration of the firewall via V.24 or via the Secure Shell (SSH) protocol. In addition, you have the option of defining rules which support you in securing the access and administration. The Command Line Interface provides IT specialists with a familiar environment for configuring IT devices. As an experienced user or administrator, you have knowledge about the basics and about using secure shell (SSH) connections. The “Command Line Interface” reference manual gives you step-by-step information on using the Command Line Interface (CLI) and its commands. The commands in the Command Line Interface of the EAGLE One Firewall can be divided into the following areas: Authentication Delete Copy Denial of Service Device Status Interface Logging NAT (Network Address Translation) Network Packet Filter Profiles Signal contact SNMP Trap (Simple Network Management Protocol) SNTP (Simple Network Time Protocol) Users Display Serviceshell RM CLI EAGLE One 12 Release 5.3 09/2013 Access to CLI 2 Access to CLI RM CLI EAGLE One Release 5.3 09/2013 13 Access to CLI 2.1 Preparing the data connection 2.1 Preparing the data connection You find information about your EAGLE One Industrial Ethernet Firewall device in the User Manual "Installation". Information for configuring your EAGLE One Industrial Ethernet Firewall can be found in the “Configuration” user manual. Connect your Firewall with the network. Set the network parameters appropriately for the data connection to be successful. You can access the user interface of the Command Line Interface with the freeware program PuTTY. This program is located on the product CD. Install PuTTY on your computer. RM CLI EAGLE One 14 Release 5.3 09/2013 Access to CLI 2.2 CLI via SSH (Secure Shell) 2.2 CLI via SSH (Secure Shell) Start the PuTTY program on your computer. PuTTY appears with the login screen. Figure 1: PuTTY input screen In the Host Name (or IP address) input field you enter the IP address of your device. The IP address (a.b.c.d) consists of 4 decimal numbers with values from 0 to 255. The 4 decimal numbers are separated by points. RM CLI EAGLE One Release 5.3 09/2013 15 Access to CLI 2.2 CLI via SSH (Secure Shell) To select a connection type, click on SSH under Connection type. After selecting and setting the required parameters, the device enables you to set up the data connection via SSH. Click “Open” to set up the data connection to your device. Depending on the device and the time at which SSH was configured, setting up the connection takes up to a minute.