To view information and settings for the firewall module (acpf), use the acpfctrl utility.
List of all acpfctrl options:
[root@HQ-NG1:~]# acpfctrl
use: acpfctrl [acceptor addrinfo appid arp asdwnl audit auth bacl bal blockpage bridge cache clone contentid device dfbit
flex forward forward6 fwd icmplog inbound ips landingpage l2tp lproto monitor nattable noping ppp param parp
plugdebug quarantine realm report resume route rxqueue scada shaping sip sizes sslice slot source srvport
start stop suspend sync term tune urlcat version]
acceptor Acceptor info
call with argument 'count' to get acceptor statistics
addrinfo Addrinfo cache
appid Appid information, configuration and parameters
arp ARP request interface matching
asyncdownload Configure asynchronous downloads
audit Audit log control
auth Authentication control ;user-addr mapping
bacl Box access control list
bal Balance handling and management
blockpage Manage and display blocking page
bridge Bridging group manipulation
cache Cache control
cacheadd Add entry to scan cache
clone Clone packet to other host via UDP
contentid Change ContentId settings
crashreport Report a summary of useful informations in case of a crash or oops.
device Show device information
dfbit Global clearing of DF bit for vpn tunnels
flex Flex setup and information
forward Turn forwarding on/off
forward6 Turn ipv6 forwarding on/off
fwd Passthru forwarding (Generic Forwarders)
icmplog Log ICMP messages
inbound Inbound info
ips IPS control
l2tp L2TP device handling
landingpage Manage landing page rules
lproto Locally handled IP Protocols
monitor Monitoring (packet capture) information and parameters
nattable Plugin nattables
noping Non local ECHO handled IPs
noping6 Non local icmp6 ECHO handled IPs
ppp Port protocol protection info
param ACPF parameters
parp Proxy ARP control
plugdebug Plugin debuglevel
quarantine Quarantine Groups
realm Device realm assignment
report Set packet drop reporting
resume Acpf wakeup call
route DstIP srcIP inDev
rxqueue Manage rx queue number and filter for network cards with 82598 and 82599 chipset.
scada SCADA related settings
shaping Traffic shaping
sip SIP call table
sizes Show struct size info
slot Slot info
source Source info
srvport Service to Port Mapping
sslice Sslice and AV scanning configuration
start Load module, caches and rules
stat Slot statistics
stop Save caches and unload module
suspend Seconds put to sleep for n seconds
sync TF sync control
term Terminate slots
trafficstat Show some traffic statistics
tune Tuning control
urlcat urlcat info and parameters
user user information
vrf virtual routing and forwarding
webmsg web access syslog forwarding
Options
start
Starts the acpf module and imports the Forwarding Firewall rules and access cache.
stop
Stops the acpf module. The firewall is stopped. Rules and the access cache are saved.
parp show
Displays all proxy ARP entries for the firewall.
[root@ash:/var/phion/logs]# acpfctrl parp show
noext 10.0.10.208/4 MVPN
noping show
Displays all IP addresses that are set to noping.
bacl show
Displays all box access control list entries.
lproto show
Displays the locally handled IP protocols.
realm show
Displays the device realm assignment. The following realms are available:
- 0 unknown
- 1 intern
- 2 dmz
- 3 extern
- 4 persvpn
- 5 fwvpn
- 6 iptun
- 7 usr
device
Displays information about all devices for debugging.
Example 1:
[root@HQ-NG1:~]# acpfctrl device show
lo index=1 realm=opsys
port=unknown base=00000000 irq=0 dma=0
state=XOFF START
mtu=3500 type=LOOPBACK
mac=00:00:00:00:00:00 brd=00:00:00:00:00:00 num_mc=0
flags=UP LOOPBACK
features=SG/IO NO-CSUM HIGH-DMA FRAGLIST
refcnt=21 watchtime=0
last_rx=1.9656e+06 secs last_tx=1.9656e+06 secs
rx=0/0 tx=0/0 rx-err=0 tx-err=0 colls=0
eth0 index=2 realm=intern
port=unknown base=00000000 irq=0 dma=0
state=XOFF START
mtu=1500 type=ETHER
mac=00:0c:29:22:84:70 brd=ff:ff:ff:ff:ff:ff num_mc=1
flags=UP BROADCAST
features=HW-CSUM HIGH-DMA HW-VLAN-TX HW-VLAN-RX HW-VLAN-FILTER
refcnt=44 watchtime=5000
last_rx=1.9656e+06 secs last_tx=1.96809e+06 secs
rx=1569875/1420438899 tx=656119/161707104 rx-err=0 tx-err=0 colls=0
sync
Prints the sync state of the system to the standard output.
[root@HQ-NG1:~]# acpfctrl sync show
Mode: OFF
Cookie: cb014880
SyncNumber: 1
Server: VIRT1
Partner: DOWN
Source: 10.0.10.88:689
Destination: 0.0.0.0:689
KeyIndex: 0
Key1: 00000000000000000000000000000000
Key2: 00000000000000000000000000000000
A Unsynced 0
A Synced 0
A Unsynced Close 0
A Synced Close 0
P Synced 0
P Synced Close 0
A SIP Unsynced 0
A SIP Synced 0
A SIP Unsynced Close 0
A SIP Synced Close 0
P SIP Synced 0
P SIP Synced Close 0
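The sync output above is the kind of thing worth checking continuously rather than only when troubleshooting: a unit whose Mode is OFF or whose Partner is DOWN is not replicating its session table. The following is an added example, not Barracuda's own tooling; it reads `acpfctrl sync show` output and flags those conditions. Field names follow the sample output shown on this page; the healthy sample values and the reading of all-zero Key1/Key2 as "no sync key configured" are assumptions.

```shell
#!/bin/sh
# Added example, not Barracuda's tooling: flag HA sync problems in the output
# of `acpfctrl sync show`, using the field names shown on this page. Assumed:
# "Mode: OFF", "Partner: DOWN" or a 0.0.0.0 Destination mean sessions are not
# replicated; all-zero Key1/Key2 mean no sync key.  Use: acpfctrl sync show | sync_health

# field NAME TEXT: print the value of the first "NAME: value" line in TEXT
field() { printf '%s\n' "$2" | sed -n "s/^$1: *//p" | head -n 1; }

# sync_health: read `acpfctrl sync show` output on stdin, print one
# "WARN ..." line per finding; return 0 when nothing is found, 1 otherwise.
sync_health() {
    out=$(cat); rc=0
    mode=$(field Mode "$out")
    partner=$(field Partner "$out")
    dest=$(field Destination "$out")
    key1=$(field Key1 "$out")
    key2=$(field Key2 "$out")
    if [ "$mode" = "OFF" ]; then
        echo "WARN Mode is OFF: firewall sessions are not replicated to the partner"; rc=1
    fi
    if [ "$partner" = "DOWN" ]; then
        echo "WARN Partner is DOWN: no peer is receiving session updates"; rc=1
    fi
    case "$dest" in
        0.0.0.0:*|"") echo "WARN no sync Destination configured (${dest:-missing})"; rc=1 ;;
    esac
    # assumption: a key consisting only of zeros means no sync key is configured
    case "$key1$key2" in
        *[!0]*) ;;
        *) echo "WARN Key1/Key2 are all zero: sync traffic uses no key"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample: the relevant lines of the sync output shown on this page.
SAMPLE_UNSYNCED='Mode: OFF
Partner: DOWN
Destination: 0.0.0.0:689
Key1: 00000000000000000000000000000000
Key2: 00000000000000000000000000000000'

# Constructed healthy sample (assumed field values) for comparison.
SAMPLE_SYNCED='Mode: ON
Partner: UP
Destination: 10.0.10.89:689
Key1: 0123456789abcdef0123456789abcdef
Key2: fedcba9876543210fedcba9876543210'
```

Run against the page's sample, the check reports four findings and exits non-zero; against the constructed healthy sample it prints nothing and exits zero.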
plugdebug
Dumps debug messages of a specified plugin to the appliance firewall log.
- acpfctrl plugdebug <plugin name> 1 – Enables the dumping of debug messages.
- acpfctrl plugdebug <plugin name> 0 – Disables the dumping of debug messages.
The output for the plugdebug parameter is used by Barracuda Networks Technical Support.
param
Displays the parameter settings for the appliance.
version
Displays the acpf version.
[root@chefix:~]# acpfctrl version
PhionVersionString R-3.2_V-3.2.0.1 Nov 8 2005 18:53:18
tune kernel
Checks the Use Kernel Ruleset parameter in the operational settings of the general firewall configuration and displays the status.
- acpfctrl tune kernel on – Temporarily enables the Use Kernel Ruleset function until reboot.
- acpfctrl tune kernel off – Temporarily disables the Use Kernel Ruleset function until reboot.
tune vpnbypass
To properly use tcpdump to troubleshoot or monitor VPN traffic, all VPN traffic must be handled by one CPU. Only use this option temporarily because disabling vpnbypass considerably reduces the performance of the VPN service.
- acpfctrl tune vpnbypass on – VPN traffic is handled by multiple CPUs (default).
- acpfctrl tune vpnbypass off – VPN traffic is handled by a single CPU, allowing tcpdump to show all VPN traffic.
vrf
The vrf command provides the following VRF-related subcommands:
acpfctrl vrf create [vrfname] [vrfid] – Creates a VR instance with the given name and ID.
acpfctrl vrf delete [vrfname] – Deletes a VR instance with the given name.
acpfctrl vrf exec [vrfname] [cmd] (restricted to acpfctrl commands) – Executes a shell command in the context of the named VR instance.
acpfctrl vrf identify [pid] – Shows the VR instance a user is connected to via the CLI.
acpfctrl vrf event – Lists the events available for the VR instance, if there are any.
acpfctrl vrf show – Lists all VR instances configured on the box.