acpfctrl

To view information and settings for the firewall module (acpf), use the acpfctrl utility.

List of all acpfctrl options:

[root@HQ-NG1:~]# acpfctrl
use: acpfctrl [acceptor addrinfo appid arp asdwnl audit auth bacl bal blockpage bridge cache clone contentid device dfbit
               flex forward forward6 fwd icmplog inbound ips landingpage l2tp lproto monitor nattable noping ppp param parp
               plugdebug quarantine realm report resume route rxqueue scada shaping sip sizes sslice slot source srvport
               start stop suspend sync term tune urlcat version]
   acceptor      Acceptor info
                 call with argument 'count' to get acceptor statistics
   addrinfo      Addrinfo cache 
   appid         Appid information, configuration and parameters
   arp           ARP request interface matching
   asyncdownload Configure asynchronous downloads 
   audit         Audit log control
   auth          Authentication control ;user-addr mapping
   bacl          Box access control list
   bal           Balance handling and management
   blockpage     Manage and display blocking page
   bridge        Bridging group manipulation
   cache         Cache control
   cacheadd      Add entry to scan cache
   clone         Clone packet to other host via UDP
   contentid     Change ContentId settings
   crashreport   Report a summary of useful informations in case of a crash or oops.
   device        Show device information
   dfbit         Global clearing of DF bit for vpn tunnels
   flex          Flex setup and information
   forward       Turn forwarding on/off
   forward6      Turn ipv6 forwarding on/off
   fwd           Passthru forwarding (Generic Forwarders)
   icmplog       Log ICMP messages
   inbound       Inbound info
   ips           IPS control
   l2tp          L2TP device handling
   landingpage   Manage landing page rules
   lproto        Locally handled IP Protocols
   monitor       Monitoring (packet capture) information and parameters
   nattable      Plugin nattables
   noping        Non local ECHO handled IPs
   noping6       Non local icmp6 ECHO handled IPs
   ppp           Port protocol protection info
   param         ACPF parameters
   parp          Proxy ARP control
   plugdebug     Plugin debuglevel
   quarantine    Quarantine Groups
   realm         Device realm assignment
   report        Set packet drop reporting
   resume        Acpf wakeup call
   route         DstIP srcIP inDev
   rxqueue       Manage rx queue number and filter for network cards with 82598 and 82599 chipset.
   scada         SCADA related settings
   shaping       Traffic shaping
   sip           SIP call table
   sizes         Show struct size info
   slot          Slot info
   source        Source info
   srvport       Service to Port Mapping
   sslice        Sslice and AV scanning configuration 
   start         Load module, caches and rules
   stat          Slot statistics
   stop          Save caches and unload module
   suspend       Seconds put to sleep for n seconds
   sync          TF sync control
   term          Terminate slots
   trafficstat   Show some traffic statistics
   tune          Tuning control
   urlcat        urlcat info and parameters
   user          user information
   vrf           virtual routing and forwarding
   webmsg        web access syslog forwarding

Options

start

Starts the acpf module and imports the Forwarding Firewall rules and access cache.

stop

Stops the acpf module. The firewall is stopped. Rules and the access cache are saved.

parp show

Displays all proxy ARP entries for the firewall.

[root@ash:/var/phion/logs]# acpfctrl parp show
           noext 10.0.10.208/4 MVPN

noping show

Displays all IP addresses that are set to noping.

bacl show

Displays all box access control list entries.

lproto show

Displays the locally handled IP protocols.

realm show

Displays the device realm assignment. The following realms are available:

• 0unknown
• 1intern
• 2dmz
• 3extern
• 4persvpn
• 5fwvpn
• 6iptun
• 7usr

device

Displays information about all devices for debugging.

Example 1:

[root@HQ-NG1:~]# acpfctrl device show
lo               index=1 realm=opsys
                 port=unknown base=00000000 irq=0 dma=0
                 state=XOFF START
                 mtu=3500 type=LOOPBACK
                 mac=00:00:00:00:00:00 brd=00:00:00:00:00:00 num_mc=0
                 flags=UP LOOPBACK
                 features=SG/IO NO-CSUM HIGH-DMA FRAGLIST
                 refcnt=21 watchtime=0
                 last_rx=1.9656e+06 secs last_tx=1.9656e+06 secs
                 rx=0/0 tx=0/0 rx-err=0 tx-err=0 colls=0

eth0             index=2 realm=intern
                 port=unknown base=00000000 irq=0 dma=0
                 state=XOFF START
                 mtu=1500 type=ETHER
                 mac=00:0c:29:22:84:70 brd=ff:ff:ff:ff:ff:ff num_mc=1
                 flags=UP BROADCAST
                 features=HW-CSUM HIGH-DMA HW-VLAN-TX HW-VLAN-RX HW-VLAN-FILTER
                 refcnt=44 watchtime=5000
                 last_rx=1.9656e+06 secs last_tx=1.96809e+06 secs
                 rx=1569875/1420438899 tx=656119/161707104 rx-err=0 tx-err=0 colls=0

sync

Prints the sync state of the system to the standard output.

[root@HQ-NG1:~]# acpfctrl sync show
Mode:            OFF
Cookie:          cb014880
SyncNumber:      1
Server:          VIRT1
Partner:         DOWN
Source:          10.0.10.88:689
Destination:     0.0.0.0:689
KeyIndex:        0
Key1:            00000000000000000000000000000000
Key2:          00000000000000000000000000000000
A Unsynced       0
A Synced         0
A Unsynced Close 0
A Synced Close   0
P Synced         0
P Synced Close   0
A SIP Unsynced       0
A SIP Synced         0
A SIP Unsynced Close 0
A SIP Synced Close   0
P SIP Synced         0
P SIP Synced Close   0

plugdebug

Dumps debug messages of a specified plugin to the appliance firewall log.

• acpfctrl plugdebug <plugin name> 1 – Enables the dumping of debug messages.
• acpfctrl plugdebug <plugin name> 0 – Disables the dumping of debug messages.

The output for the plugdebug parameter is used by Barracuda Networks Technical Support.

param

Displays the parameter settings for the appliance.

version

Displays the acpf version.

[root@chefix:~]# acpfctrl version
PhionVersionString R-3.2_V-3.2.0.1 Nov  8 2005 18:53:18

tune kernel

Checks the Use Kernel Ruleset parameter in the operational settings of the general firewall configuration and displays the status.

• acpfctrl tune kernel on – Temporarily enables the Use Kernel Ruleset function until reboot.
• acpfctrl tune kernel off – Temporary disables the Use Kernel Ruleset function until reboot.

tune vpnbypass

To properly use tcpdump to troubleshoot or monitor VPN traffic, all VPN traffic must be handled by one CPU. Only use this option temporarily because disabling vpnbypass considerably reduces the performance of the VPN service.

• acpfctrl tune vpnbypass on – VPN traffic is handled by multiple CPUs.(default)
• acpfctrl tune vpnbypass off – VPN traffic is handled by a single CPU, allowing tcpdump to show all VPN traffic.

vrf

The partial command vrf provides a subset of more vrf-related commands:

acpfctrl vrf create   [vrfname] [vrfid] – Creates a VR instance with the given name and ID.

acpfctrl vrf delete   [vrfname] – Deletes a VR instance with the given name.

acpfctrl vrf exec     [vrfname] [cmd] (restricted to acpfctrl commands) – Executes a shell command in the context of the named VR instance.

acpfctrl vrf identify [pid] – Shows the VR instance a user is connected to via the CLI.

acpfctrl vrf event – In case there are events available for the VR instance, this will produce a list.

acpfctrl vrf show – Lists all VR instances configured on the box.