SFCTL

Description

Get or set ASQ module parameters. Warning: this command uses advanced functions of the firewall. Use it with great care and only with a thorough understanding of what each option does; some commands cut existing network connections.

Command

sfctl
Opt  Arg            Description
-e                  set module state
                    1 = enable
                    0 = disable
-T                  top alike mode
-f                  force operation
-v                  verbose mode
-n                  disable the reverse object lookup
-O   level          optimize ruleset at level
                    0 = none
                    1 = skip rules
-F   modifier       flush one of the following
                    addrlist = flush address list
                    assoc = flush SCTP assoc information
                    filter = flush filter rules
                    state = flush state information
                    etherstate = flush all ether state information
                    count = flush count rule
                    stat = flush statistics
                    fpstat = flush fastpath statistics
                    pof = flush os signature list (pof)
                    qosq = flush qos queues
                    host = flush host (see -H hstate=...)
                    sipr = flush the sip requests
                    sip = flush the sip register table
                    ipstate = flush flows managed by ipstate
                    fpstate = flush fastpath state
                    hproperties = flush hostproperties
                    all = all the above
-b   t,o,a[,to]     manage blacklist entry
                    t = BlackList|WhiteList...
                    o = add or delete
                    a = string identifier or '*'
                    to = timeout
-C   configdir      load and activate an ASQ configuration
-R   rulefile       load a filter rule file and activate it
-c                  commit filter rules even if equal to old ones
-P   rulefile       load finger printing rule file and activate it
-Q                  load QoS queues config and activate it
-q                  set QoS state
                    1 = enable
                    0 = disable
-s   modifier       dump one of the following
                    addrlist = show address list
                    assoc = show SCTP association table content
                    conn = show connection table content
                    connstat = show TCP conn stats per state
                    count = show count rule
                    etherstate = show Ethernet connection table content
                    filter = show current filter rules
                    fpstat = show fastpath statistics
                    fpstate = show fastpath state table
                    global = show if statistics
                    ha = show ha cluster info
                    host = show host table content
                    if = show interface information
                    ioctl = show ioctl statistics
                    ipstate = show flows managed by ipstate
                    limit = show ASQ limits
                    log = show last log message
                    mem = show memory stats
                    nat = show current nat rules
                    natpool = show reserved nat ports
                    pof = show os signature list (pof)
                    protaddr = show protected address list
                    qos = show QoS rule
                    revrt = show reverse router table
                    route = show route information
                    rulestat = show rulesmatch
                    sip = show sip register table (nat)
                    sipr = show sip request table
                    stat = show statistics
                    state = show state table content
                    table = show filter tables content
                    user = show user table content
                    all = all the above
-l   modifier       write a log entry
                    count = log count rule
                    stat = log statistics
                    all = all the above
-H   type=modifier  modify output. type can be
                    host = display information for host
                    shost = display information for client
                    dhost = display information for server
                    port = display information for port
                    sport = display information for source
                    dport = display information for
                    plugin = display information associated
                    iface = display information associated
                    siface = display information associated
                    diface = display information associated
                    proto = display information associated
                    section = filter information for show
                    state = display information according
                    hstate = display information for host
                    htype = display information for host
                    sigid = display information for host
                    ctype = display connections of a given
                    qid = display connections of a given
                    rtname = display connections of a given
                    auth = display users authenticated
                    name = display user table for a given
                    conn = all to flush all connections
                    rule = filter the connections by the
                    natrule = filter the connections by the
                    macaddr = display information for mac
                    iptype = display information by IP type
                    cpu = display information by CPU
                    bytes = display connections with total
                    lastuse = display connections used within
                    bandwidth = display host with a total
                    hostrep = display host with reputation
                    maxcount = limit number of elements returned by -s
                    geo = geo location filter
                    iprep = iprep filter
-A   <key>[=<val>]
     [,<key>[=<val>]
     [, ...]];[...] manually add/update authenticated user(s)
                    address = user address
                    name = user name
                    domain = user domain
                    group = group membership ("g_a,g_b")
                    timeout = timeout
                    multiuser = address is multi-user (no value)
                    authmethod = authentication method
                    admin = user is an admin (no value)
                    sslvpn = user has access to sslvpn (no value)
                    sslrdr = user has access to sslrdr (no value)
                    openvpn = user has access to openvpn (no value)
                    sponsoring = user has the rights to sponsor (no value)
-a   <key>[=<val>]
     [,<key>[=<val>]
     [, ...]];[...] manually remove authenticated user(s)
                    name = user name
                    domain = user domain
                    address = user address
                    all = all authenticated user (no value)
-r old,new          rename a user domain
-t   name,op,val    manually add/remove objects from filter tables (experimental)
                    name = name of the table
                    op = add or del
                    val = addresses separated by comma
-B   op,host,conn,assoc backup operation
                    op = backup or restore
                    host = host filename
                    conn = conn filename
                    assoc = assoc filename
-h   modifier       HA ethernet mode
                    active = set as active mode
                    passive = set as passive mode
                    show = display current mode
                    swap = do a swap
                    bulk = send a bulk update to peer
                    <local IP>,<peer IP>,mtu = configure HA sync in IPS
-o   filename       write output data to filename (works only with -s)
-i   source         data source (works only with -s)
                    asq = use ASQ data (default)
-p   <key>[=<val>]
     [,<key>[=<val>]
     [, ...]];[...] manually add or tweak a host
                    addr = mandatory address of the host
                    if = interface name
                    state = desired state
                    mac = MAC address
                    geo = geo IP ("eu:fr")
                    iprep = IP reputation ("botnet,spam")
                    hostrep = host reputation
                    dns = DNS cache
                    nogeo = remove geo IP from host (no value)
                    noiprep = remove IP reputation from host (no value)
                    nohostrep = remove reputation from host (no value)
                    nodns = remove DNS cache from host (no value)
--libxo params      Pass params to libxo; see the libxo manual for the possible parameters: http://juniper.github.io/libxo/libxo-manual.html#option-keywords.
                    color = Enable colors/effects for display styles (TEXT, HTML)
                    colors=xxxx = Adjust color output values
                    dtrt = Enable "Do The Right Thing" mode
                    flush = Flush after every libxo function call
                    flush-line = Flush after every line (line-buffered)
                    html = Emit HTML output
                    indent=xx = Set the indentation level
                    info = Add info attributes (HTML)
                    json = Emit JSON output
                    keys = Emit the key attribute for keys (XML)
                    log-gettext = Log (via stderr) each gettext(3) string lookup
                    log-syslog = Log (via stderr) each syslog message (via xo_syslog)
                    no-humanize = Ignore the {h:} modifier (TEXT, HTML)
                    no-locale = Do not initialize the locale setting
                    no-retain = Prevent retaining formatting information
                    no-top = Do not emit a top set of braces (JSON)
                    not-first = Pretend the 1st output item was not 1st (JSON)
                    pretty = Emit pretty-printed output
                    retain = Force retaining formatting information
                    text = Emit TEXT output
                    underscores = Replace XML-friendly "-"s with JSON friendly "_"s
                    units = Add the 'units' (XML) or 'data-units' (HTML) attribute
                    warn = Emit warnings when libxo detects bad calls
                    warn-xml = Emit warnings in XML
                    xml = Emit XML output
                    xpath = Add XPath expressions (HTML)

Results

Example

U2504C099999999999>sfctl -s host
Host (ASQ):
host             if        state     packet   bytes             throughput
10.1.20.249      in        active    0.00 p   0.00 B   1.26MB   0.00 b/s   0.00 b/s
10.1.20.10       in        active    0.00 p   0.00 B   490KB    0.00 b/s   12.2Kb/s
10.1.20.103      in        active    0.00 p   0.00 B   2.13KB   0.00 b/s   984 b/s
10.1.20.254      in        active    5.00 p   320 B    400 B    0.00 b/s   0.00 b/s
10.1.20.251      in        active    0.00 p   0.00 B   8.75KB   0.00 b/s   0.00 b/s
204.13.248.112   learning  learning  /        /                 /
10.1.4.50        in        active    0.00 p   0.00 B   80.4KB   0.00 b/s   0.00 b/s
10.1.204.11      in        active    0.00 p   0.00 B   189KB    0.00 b/s   2.69Kb/s
10.1.20.101      in        active    0.00 p   0.00 B   2.13KB   0.00 b/s   16.0 b/s
10.1.6.1         in        active    51.0 p   15.7KB   6.86KB   3.38Kb/s   4.11Kb/s
10.1.20.102      in        active    0.00 p   0.00 B   2.13KB   0.00 b/s   16.0 b/s
10.1.5.1         in        active    0.00 p   0.00 B   328KB    0.00 b/s   7.25Kb/s
U2504C099999999999>
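The host table is plain text and awkward to script against: the unit is sometimes a separate token ("984 b/s") and sometimes attached to the number ("12.2Kb/s"), and learning hosts print "/" placeholders instead of counters. The POSIX shell script below is an added example, not part of this page or of Stormshield's sfctl. It normalizes the rows and pulls out hosts by ASQ state or with non-zero throughput. SAMPLE_HOST_TABLE is a constructed copy of the output above so the script runs offline, and the function names normalize_rows, hosts_in_state and hosts_with_traffic are this example's own. On an appliance you would pipe the live command in (sfctl -s host | hosts_in_state learning); the -H type=modifier filters and --libxo json listed above are the native alternatives when you are on the box itself.

```shell
#!/bin/sh
# Added example (not from the sfctl page or Stormshield): post-process the
# text output of `sfctl -s host`. SAMPLE_HOST_TABLE is a constructed copy of
# the page's example so the script runs offline; on an appliance, pipe the
# live command in instead:  sfctl -s host | hosts_in_state learning

SAMPLE_HOST_TABLE='Host (ASQ):
host if state packet bytes throughput
10.1.20.249 in active 0.00 p 0.00 B 1.26MB 0.00 b/s 0.00 b/s
10.1.20.10 in active 0.00 p 0.00 B 490KB 0.00 b/s 12.2Kb/s
10.1.20.103 in active 0.00 p 0.00 B 2.13KB 0.00 b/s 984 b/s
10.1.20.254 in active 5.00 p 320 B 400 B 0.00 b/s 0.00 b/s
204.13.248.112 learning learning / / /
10.1.6.1 in active 51.0 p 15.7KB 6.86KB 3.38Kb/s 4.11Kb/s
10.1.5.1 in active 0.00 p 0.00 B 328KB 0.00 b/s 7.25Kb/s'

# normalize_rows: glue a unit to its number ("984 b/s" -> "984b/s") so that
# every active row has the same field count whether sfctl printed "0.00 b/s"
# or "12.2Kb/s". Works on the single-spaced sample and on aligned output.
normalize_rows() {
    sed -E -e 's/([0-9]) (p|B|b\/s) /\1\2 /g' -e 's/([0-9]) (b\/s)$/\1\2/'
}

# hosts_in_state STATE: print the host column of every row whose state
# (3rd field) equals STATE. The "Host (ASQ):" and column header lines are skipped.
hosts_in_state() {
    awk -v want="$1" 'NR > 2 && $3 == want { print $1 }'
}

# hosts_with_traffic: hosts whose inbound or outbound throughput (fields 7
# and 8 after normalization) is non-zero. Learning hosts print "/" placeholders
# and have fewer fields, so the NF check drops them instead of misreading them.
hosts_with_traffic() {
    normalize_rows |
        awk 'NR > 2 && NF == 8 && ($7 !~ /^0(\.0+)?b\/s$/ || $8 !~ /^0(\.0+)?b\/s$/) { print $1 }'
}

# Usage with the constructed sample.
printf '%s\n' "$SAMPLE_HOST_TABLE" | hosts_in_state learning
printf '%s\n' "$SAMPLE_HOST_TABLE" | hosts_with_traffic
```

The learning check is the one worth running regularly: a host that stays in the learning state is one ASQ has not yet classified, and on the sample it is the only external address in the table.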