SFCTL
Description
Get or set ASQ module parameters. Warning: this command uses some advanced functions of the firewall. It must be used very carefully and with a very good understanding of what it does. Some commands can cut current network connections.
Command
sfctl

Opt  Arg                    Description
-e                          set module state
                              1 = enable
                              0 = disable
-T                          top alike mode
-f                          force operation
-v                          verbose mode
-n                          disable the reverse object lookup
-O   level                  optimize ruleset at level
                              0 = none
                              1 = skip rules
-F   modifier               flush one of the following
                              addrlist    = flush address list
                              assoc       = flush SCTP assoc information
                              filter      = flush filter rules
                              state       = flush state information
                              etherstate  = flush all ether state information
                              count       = flush count rule
                              stat        = flush statistics
                              fpstat      = flush fastpath statistics
                              pof         = flush os signature list (pof)
                              qosq        = flush qos queues
                              host        = flush host (see -H hstate=...)
                              sipr        = flush the sip requests
                              sip         = flush the sip register table
                              ipstate     = flush flows managed by ipstate
                              fpstate     = flush fastpath state
                              hproperties = flush hostproperties
                              all         = all the above
-b   t,o,a[,to]             manage blacklist entry
                              t  = BlackList|WhiteList...
                              o  = add or delete
                              a  = string identifier or '*'
                              to = timeout
-C   configdir              load and activate an ASQ configuration
-R   rulefile               load a filter rule file and activate it
-c                          commit filter rules even if equal to old ones
-P   rulefile               load finger printing rule file and activate it
-Q                          load QoS queues config and activate it
-q                          set QoS state
                              1 = enable
                              0 = disable
-s   modifier               dump one of the following
                              addrlist   = show address list
                              assoc      = show SCTP association table content
                              conn       = show connection table content
                              connstat   = show TCP conn stats per state
                              count      = show count rule
                              etherstate = show Ethernet connection table content
                              filter     = show current filter rules
                              fpstat     = show fastpath statistics
                              fpstate    = show fastpath state table
                              global     = show if statistics
                              ha         = show ha cluster info
                              host       = show host table content
                              if         = show interface information
                              ioctl      = show ioctl statistics
                              ipstate    = show flows managed by ipstate
                              limit      = show ASQ limits
                              log        = show last log message
                              mem        = show memory stats
                              nat        = show current nat rules
                              natpool    = show reserved nat ports
                              pof        = show os signature list (pof)
                              protaddr   = show protected address list
                              qos        = show QoS rule
                              revrt      = show reverse router table
                              route      = show route information
                              rulestat   = show rulesmatch
                              sip        = show sip register table (nat)
                              sipr       = show sip request table
                              stat       = show statistics
                              state      = show state table content
                              table      = show filter tables content
                              user       = show user table content
                              all        = all the above
-l   modifier               write a log entry
                              count = log count rule
                              stat  = log statistics
                              all   = all the above
-H   type=modifier          modify output. type can be
                              host      = display information for host
                              shost     = display information for client
                              dhost     = display information for server
                              port      = display information for port
                              sport     = display information for source
                              dport     = display information for
                              plugin    = display information associated
                              iface     = display information associated
                              siface    = display information associated
                              diface    = display information associated
                              proto     = display information associated
                              section   = filter information for show
                              state     = display information according
                              hstate    = display information for host
                              htype     = display information for host
                              sigid     = display information for host
                              ctype     = display connections of a given
                              qid       = display connections of a given
                              rtname    = display connections of a given
                              auth      = display users authenticated
                              name      = display user table for a given
                              conn      = all to flush all connections
                              rule      = filter the connections by the
                              natrule   = filter the connections by the
                              macaddr   = display information for mac
                              iptype    = display information by IP type
                              cpu       = display information by CPU
                              bytes     = display connections with total
                              lastuse   = display connections used within
                              bandwidth = display host with a total
                              hostrep   = display host with reputation
                              maxcount  = limit number of elements returned by -s
                              geo       = geo location filter
                              iprep     = iprep filter
-A   <key>[=<val>][,<key>[=<val>][, ...]];[...]
                            manually add/update authenticated user(s)
                              address    = user address
                              name       = user name
                              domain     = user domain
                              group      = group membership ("g_a,g_b")
                              timeout    = timeout
                              multiuser  = address is multi-user (no value)
                              authmethod = authentication method
                              admin      = user is an admin (no value)
                              sslvpn     = user has access to sslvpn (no value)
                              sslrdr     = user has access to sslrdr (no value)
                              openvpn    = user has access to openvpn (no value)
                              sponsoring = user has the rights to sponsor (no value)
-a   <key>[=<val>][,<key>[=<val>][, ...]];[...]
                            manually remove authenticated user(s)
                              name    = user name
                              domain  = user domain
                              address = user address
                              all     = all authenticated users (no value)
-r   old,new                rename a user domain
-t   op,val                 manually add/remove objects from filter tables (experimental)
                              name = name of the table
                              op   = add or del
                              val  = addresses separated by comma
-B   op,host,conn,assoc     backup operation
                              op    = backup or restore
                              host  = host filename
                              conn  = conn filename
                              assoc = assoc filename
-h   modifier               HA ethernet mode
                              active  = set as active mode
                              passive = set as passive mode
                              show    = display current mode
                              swap    = do a swap
                              bulk    = send a bulk update to peer
                              <local IP>,<peer IP>,mtu = configure HA sync in IPS
-o   filename               write output data to filename (works only with -s)
-i   source                 data source (works only with -s)
                              asq = use ASQ data (default)
-p   <key>[=<val>][,<key>[=<val>][, ...]];[...]
                            manually add or tweak a host
                              addr      = mandatory address of the host
                              if        = interface name
                              state     = desired state
                              mac       = MAC address
                              geo       = geo IP ("eu:fr")
                              iprep     = IP reputation ("botnet,spam")
                              hostrep   = host reputation
                              dns       = DNS cache
                              nogeo     = remove geo IP from host (no value)
                              noiprep   = remove IP reputation from host (no value)
                              nohostrep = remove reputation from host (no value)
                              nodns     = remove DNS cache from host (no value)
--libxo params              pass params to libxo; see the libxo manual for the possible
                            parameters: http://juniper.github.io/libxo/libxo-manual.html#option-keywords
                              color       = Enable colors/effects for display styles (TEXT, HTML)
                              colors=xxxx = Adjust color output values
                              dtrt        = Enable "Do The Right Thing" mode
                              flush       = Flush after every libxo function call
                              flush-line  = Flush after every line (line-buffered)
                              html        = Emit HTML output
                              indent=xx   = Set the indentation level
                              info        = Add info attributes (HTML)
                              json        = Emit JSON output
                              keys        = Emit the key attribute for keys (XML)
                              log-gettext = Log (via stderr) each gettext(3) string lookup
                              log-syslog  = Log (via stderr) each syslog message (via xo_syslog)
                              no-humanize = Ignore the {h:} modifier (TEXT, HTML)
                              no-locale   = Do not initialize the locale setting
                              no-retain   = Prevent retaining formatting information
                              no-top      = Do not emit a top set of braces (JSON)
                              not-first   = Pretend the 1st output item was not 1st (JSON)
                              pretty      = Emit pretty-printed output
                              retain      = Force retaining formatting information
                              text        = Emit TEXT output
                              underscores = Replace XML-friendly "-"s with JSON friendly "_"s
                              units       = Add the 'units' (XML) or 'data-units' (HTML) attribute
                              warn        = Emit warnings when libxo detects bad calls
                              warn-xml    = Emit warnings in XML
                              xml         = Emit XML output
                              xpath       = Add XPath expressions (HTML)
Results
Example
U2504C099999999999>sfctl -s host
Host (ASQ):
host            if        state     packet   bytes               throughput
10.1.20.249     in        active    0.00 p   0.00 B   1.26MB     0.00 b/s   0.00 b/s
10.1.20.10      in        active    0.00 p   0.00 B   490KB      0.00 b/s   12.2Kb/s
10.1.20.103     in        active    0.00 p   0.00 B   2.13KB     0.00 b/s   984 b/s
10.1.20.254     in        active    5.00 p   320 B    400 B      0.00 b/s   0.00 b/s
10.1.20.251     in        active    0.00 p   0.00 B   8.75KB     0.00 b/s   0.00 b/s
204.13.248.112  learning  learning  /        /                   /
10.1.4.50       in        active    0.00 p   0.00 B   80.4KB     0.00 b/s   0.00 b/s
10.1.204.11     in        active    0.00 p   0.00 B   189KB      0.00 b/s   2.69Kb/s
10.1.20.101     in        active    0.00 p   0.00 B   2.13KB     0.00 b/s   16.0 b/s
10.1.6.1        in        active    51.0 p   15.7KB   6.86KB     3.38Kb/s   4.11Kb/s
10.1.20.102     in        active    0.00 p   0.00 B   2.13KB     0.00 b/s   16.0 b/s
10.1.5.1        in        active    0.00 p   0.00 B   328KB      0.00 b/s   7.25Kb/s
U2504C099999999999>
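The host table above is what an operator reviews when checking which hosts the ASQ has learned and which are moving traffic. The following parser, added here as an example and not part of sfctl or the Stormshield documentation, turns that text output into records so that hosts above a throughput threshold or still without counters can be listed from a script. It assumes the column layout shown above and that K/M/G prefixes are decimal multiples; the sample input is constructed from the page's own example rows.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample input: header plus rows copied from the page's
# "sfctl -s host" example (the real output is read from the firewall).
SAMPLE_OUTPUT = """\
host if state packet bytes throughput
10.1.20.249 in active 0.00 p 0.00 B 1.26MB 0.00 b/s 0.00 b/s
10.1.20.10 in active 0.00 p 0.00 B 490KB 0.00 b/s 12.2Kb/s
10.1.20.254 in active 5.00 p 320 B 400 B 0.00 b/s 0.00 b/s
204.13.248.112 learning learning / / /
10.1.6.1 in active 51.0 p 15.7KB 6.86KB 3.38Kb/s 4.11Kb/s
"""

# Assumption: K/M/G are decimal multiples (sfctl does not say which).
_MULT = {"": 1.0, "K": 1e3, "M": 1e6, "G": 1e9}
# One measured value: number, optional space, optional prefix, unit.
_VALUE = re.compile(r"(\d+(?:\.\d+)?)\s?([KMG]?)(p|B|b/s)")


@dataclass
class HostEntry:
    host: str
    iface: str
    state: str
    packets: Optional[float]                 # None when shown as "/"
    bytes_: Optional[Tuple[float, float]]    # the two byte columns
    bps: Optional[Tuple[float, float]]       # the two throughput columns


def parse_host_table(text: str) -> List[HostEntry]:
    """Parse the text form of 'sfctl -s host' into HostEntry records."""
    entries = []
    for line in text.splitlines():
        parts = line.split(None, 3)
        if len(parts) < 4 or parts[0] == "host":
            continue  # blank, prompt or header line
        host, iface, state, rest = parts
        if rest.strip() == "/ / /":          # learning host, no counters yet
            entries.append(HostEntry(host, iface, state, None, None, None))
            continue
        vals = [float(n) * _MULT[p] for n, p, _ in _VALUE.findall(rest)]
        if len(vals) != 5:                   # packet, 2 x bytes, 2 x b/s
            raise ValueError(f"unexpected row layout: {line!r}")
        entries.append(HostEntry(host, iface, state, vals[0],
                                 (vals[1], vals[2]), (vals[3], vals[4])))
    return entries


def hosts_above_throughput(entries: List[HostEntry], min_bps: float) -> List[str]:
    """Hosts whose larger throughput figure is at least min_bps."""
    return [e.host for e in entries if e.bps and max(e.bps) >= min_bps]


def unmeasured_hosts(entries: List[HostEntry]) -> List[str]:
    """Hosts the ASQ has not finished learning (counters shown as '/')."""
    return [e.host for e in entries if e.bps is None]
```

Feed it the captured output of `sfctl -s host` (for example via `sfctl -s host -o filename`) to get the same records from a live table.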