Tipping Point - Commands PDF

The clear command is used to reset device configurations, clear counters, logs, and other data. It can clear interfaces, connection tables, policy counters, log files, NP statistics, RAM disk stats, rate-limited streams, and more. The boot command manages boot images by listing, removing, or rolling back images. The compact-flash command formats or mounts the compact flash card. The conf t action-set command configures action sets for blocking, permitting, quarantining, or rate limiting traffic and applies secondary actions like notifications or packet tracing.

Uploaded by Mario Chelas

| Command | Subcommand | Description | Usage |
|---|---|---|---|
| clear | configuration | Resets the device configuration settings to the factory defaults. Use the -echo option to echo the command when it is executed. | `clear configuration` |
| clear | connection-table | Use the blocks option to clear all connection table block entries. Use the trusts option to clear all trust table entries. | `clear connection-table blocks`; `clear connection-table trusts` |
| clear | counter interface | Clears interface counters. | `clear counter interface` |
| clear | counter policy | Clears policy counters. | `clear counter policy` |
| clear | interface | Clears the interface. When used without options, it resets all interfaces. | `clear interface`; `clear interface ethernet <port>` |
| clear | log | Clears log files. When used without options, it erases all entries in all logs. | `clear log`; `clear log alert`; `clear log audit`; `clear log block`; `clear log packet-trace`; `clear log quarantine`; `clear log system` |
| clear | np | Clears np statistical information. rule-stats clears rule statistics. softlinx clears Softlinx-related statistics. tier-stats clears tier statistics. | `clear np rule-stats`; `clear np softlinx`; `clear np tier-stats` |
| clear | ramdisk stats | Clears RAM disk statistics. | `clear ramdisk stats` |
| clear | rate-limit-streams | Clears rate-limited streams from the data table. | `clear rate-limit streams` |
| boot | list-image | Shows a list of all available boot images. | `boot list-image` |
| boot | remove-image | Removes a boot image from the device's hard disk. The image is identified by version number. CAUTION: Removing a boot image permanently erases it. | `boot remove-image <version>` |
| boot | rollback | Rolls the boot image back to the next most recent valid boot image. This command can be used to revert the operating system to a previous version. | `boot rollback` |
| compact-flash | format | Formats the compact flash card. | `compact-flash format` |
| compact-flash | mount | Manually mounts the inserted compact flash card. | `compact-flash mount` |
| compact-flash | unmount | Unmounts the compact flash card so that the user can remove it. | `compact-flash unmount` |
| conf t action-set | allowed-dest | Adds or removes a quarantine allowed destination. | `conf t action-set <action set name> allowed-dest <destination address> add`; `conf t action-set <action set name> allowed-dest <destination address> remove` |
| conf t action-set | apply-only | Adds or removes a CIDR from the quarantine apply-only list. | `conf t action-set <action set name> apply-only <CIDR> add`; `conf t action-set <action set name> apply-only <CIDR> remove` |
| conf t action-set | block | Creates or modifies an action set that blocks traffic. The following secondary actions can be added: quarantine: host IP address is placed into quarantine. Use no quarantine to remove the address from quarantine. reset-both: TCP reset on the source and destination. reset-destination: TCP reset on the destination. reset-source: TCP reset on the source. reset-none: no TCP reset. | `conf t action-set <action set name> quarantine`; `conf t action-set <action set name> no quarantine`; `conf t action-set <action set name> block reset-both`; `conf t action-set <action set name> block reset-destination`; `conf t action-set <action set name> block reset-none`; `conf t action-set <action set name> block reset-source` |
| conf t action-set | delete | Deletes the named action set. | `conf t action-set <action set name> delete` |
| conf t action-set | http-block | Blocks http requests from quarantined hosts. | `conf t action-set <action set name> http-block` |
| conf t action-set | http-page | Creates a web page to display when a quarantined host makes a web request. | `conf t action-set <action set name> http-page [-show-name <name of page>] [-show-desc <description of page>] [-custom-text <content of page>]` |
| conf t action-set | http-redirect | Redirects http requests from a quarantined host to a specified URL. | `conf t action-set <action set name> http-redirect <url>` |
| conf t action-set | non-http-block | Blocks non-http requests from quarantine hosts. Permit non-http requests with no non-http-block. | `conf t action-set <action set name> non-http-block` |
| conf t action-set | notify-contact | Adds or removes a notification contact from an action set. | `conf t action-set <action set name> notify-contact add <contact name>`; `conf t action-set <action set name> notify-contact remove <contact name>` |
| conf t action-set | packet-trace | Enables and sets packet trace settings. Set a priority (high, medium, or low) with the -priority option and the number of bytes to capture (64-1600) with the -capture-size option. Use no packet-trace to disable packet tracing. | `conf t action-set <action set name> packet-trace [-priority <priority>] [-capture-size <bytes>]`; `conf t action-set <action set name> no packet-trace` |
| conf t action-set | permit | Creates or modifies an action set that permits traffic. Use the quarantine command to quarantine permitted traffic and no quarantine to stop quarantining permitted traffic. | `conf t action-set <action set name> permit`; `conf t action-set <action set name> permit quarantine`; `conf t action-set <action set name> permit no quarantine` |
| conf t action-set | rate-limit | Creates or modifies an action set that rate-limits traffic. Enter the desired threshold in Kbps. | `conf t action-set <action set name> rate-limit <threshold>` |
| conf t action-set | rename | Renames the action set. | `conf t action-set <action set name> rename <new action set name>` |
| conf t action-set | threshold | Sets the quarantine threshold in seconds (1-10000). | `conf t action-set threshold <seconds>` |
| conf t action-set | threshold-period | Sets the quarantine threshold period in minutes (1-60). | `conf t action-set threshold-period <minutes>` |
| conf t action-set | trust | Creates or modifies a trust action set. | `conf t action-set <action set name> trust` |
| conf t action-set | whitelist | Creates a whitelist of trusted IP addresses by using the add or remove subcommands. | `conf t action-set <action set name> whitelist add <IP address>`; `conf t action-set <action set name> whitelist remove <IP address>` |
| conf t authentication remote | enable | Enables remote authentication. | `conf t authentication remote enable` |
| conf t authentication remote | disable | Disables remote authentication. | `conf t authentication remote disable` |
| conf t authentication remote | timeout | Sets the remote authentication server timeout. The value should be greater than the timeout configured on the SMS. | `conf t authentication remote timeout <seconds>` |
| conf t category-settings | enable | Enables a filter category and assigns the named action set to the category. Enable the filter category for a specific profile with the -profile option. | `conf t category-settings [-profile <profile name>] <filter category> enable -action-set <action set>` |
| conf t category-settings | disable | Disables the filter category. | `conf t category-settings [-profile <profile name>] <filter category> disable` |
| conf t clock | date | Sets the date. | `conf t clock date <YYYY-MM-DD>` |
| conf t clock | dst | Enables or disables Daylight Savings Time. | `conf t clock dst`; `conf t clock no dst` |
| conf t clock | time | Sets the time according to the 24-hour clock. For example, to set the clock to 3:30 PM, enter 15:30. | `conf t clock time <HH:MM:SS>` |
| conf t clock | timezone | Sets the time zone. For a list of available time zones, use the command show timezones. | `conf t clock timezone <time zone>` |
| conf t compact-flash | operation-mode authenticate | Sets the device to require authentication when a compact flash card is inserted. | `conf t compact-flash operation-mode authenticate` |

| Command | Subcommand | Description | Usage |
|---|---|---|---|
| conf t compact-flash | operation-mode auto-mount | Sets the device to automatically mount compact flash cards when inserted. | `conf t compact-flash operation-mode auto-mount` |
| conf t default-alert-sink options | domain | Defines the domain name of the email notification server. | `conf t default-alert-sink domain <domain name>` |
| conf t default-alert-sink options | from | Defines the email address for the IPS device. This must be a valid email user name on the notification server. | `conf t default-alert-sink from <email address>` |
| conf t default-alert-sink options | no | Removes the default email destination. | `conf t no default-alert-sink` |
| conf t default-alert-sink options | period | Defines the default period of time in which the TippingPoint device accumulates notifications before sending an aggregate notification email. | `conf t default-alert-sink period <minutes>` |
| conf t default-alert-sink options | server | Defines the IP address of the email notification server. | `conf t default-alert-sink server <IP address>` |
| conf t default-alert-sink options | to | Defines the email address of the alert recipient. This must be a valid email address. | `conf t default-alert-sink to <email address>` |
| conf t filter | adaptive-config | Enables or disables adaptive filtering. Apply the change to a specific security profile with the -profile option. | `conf t filter <filter number> [-profile <profile name>] adaptive-config`; `conf t filter <filter number> no adaptive-config` |
| conf t filter | add-exception | Creates and adds an exception to a filter, identified by source or destination IP address. Apply the change to a specific security profile with the -profile option. | `conf t filter <filter number> [-profile <profile name>] add-exception <source IP address> <destination IP address>` |
| conf t filter | delete-copy | Deletes a copy of the filter. Apply the change to a specific security profile with the -profile option. | `conf t filter <filter number> [-profile <profile name>] delete-copy` |
| conf t filter | disable | Disables a filter. Apply the change to a specific security profile with the -profile option. | `conf t filter <filter number> [-profile <profile name>] disable` |
| conf t filter | enable | Enables a filter. Apply the change to a specific security profile with the -profile option. Apply the change to a specific action set with the -action-set option. | `conf t filter <filter number> [-profile <profile name>] -action-set <action set name> enable` |
| conf t filter | remove-exception | Removes an exception from a filter. Apply the change to a specific profile with the -profile option. | `conf t filter <filter number> [-profile <profile name>] remove-exception` |
| conf t filter | reset | Resets filters to the default values. | `conf t filter <filter number> reset`; `conf t filter all reset` |
| conf t filter | threshold | Sets the port scan and host sweep filter threshold. | `conf t filter threshold` |
| conf t filter | timeout | Sets the port scan and host sweep filter timeout. | `conf t filter timeout` |
| conf t filter | use-category | Sets a filter to use the default action set of its category and removes any previous overrides. Apply the change to a specific profile with the -profile option. | `conf t filter <filter number> [-profile <profile name>] use-category` |
| conf t high-availability | disable | Disables transparent HA. | `conf t high-availability disable` |
| conf t high-availability | enable | Enables transparent HA. | `conf t high-availability enable` |
| conf t high-availability | partner | Sets the IP address and serial number of the partner device. Use no partner to clear the address. | `conf t high-availability partner <IP address> <serial number>`; `conf t high-availability no partner` |
| conf t high-availability | l2fb | Sets the means by which the device goes into Layer-2 Fallback (L2FB). hardware: The hardware ZPHA relays are used for L2FB. When the device enters and exits L2FB, a brief link transition occurs. This is the default option. Hardware L2FB is recommended, unless link transitions will cause network failover issues. software: No link transition occurs when the device enters and exits L2FB. | `conf t high-availability l2fb hardware`; `conf t high-availability l2fb software` |
| conf t host | dns | Sets the DNS server. The secondary server is optional. | `conf t host dns <domain name> <primary server> [<secondary server>]` |
| conf t host | fips-mode | Enables or disables FIPS mode. crypto: Only FIPS-approved cryptographic algorithms are allowed, but some FIPS 140-2 requirements are not enforced. full: Only FIPS-approved cryptographic algorithms are allowed, and all FIPS 140-2 requirements are enforced. disable: Non-FIPS-approved cryptographic algorithms are allowed. For more information about FIPS, see fips on page 71. | `conf t host fips-mode crypto`; `conf t host fips-mode full`; `conf t host fips-mode disable` |
| conf t host | ip-filter | Permits or denies communications with the management port from specified IP addresses. Management port IP setting defaults to permit any IP. Use this subcommand to limit management port access to designated IP addresses. | `conf t host ip-filter deny <IP address>`; `conf t host ip-filter permit <IP address>` |
| conf t host | location | Sets a text string that identifies the location of the device. The string is restricted to 63 characters. | `conf t host location <location>` |
| conf t host | name | Sets a text string that identifies the name of the device. The string is restricted to 63 characters. | `conf t host name <name>` |
| conf t inspection-bypass options | add | Adds an inspection bypass rule. See conf t inspection-bypass add on page 38. | `conf t inspection-bypass add` |
| conf t inspection-bypass options | clear-stats | Clears statistics associated with an inspection bypass rule. | `conf t inspection-bypass clear-stats <rule_ID>` |
| conf t inspection-bypass options | enable | Enables an inspection bypass rule. | `conf t inspection-bypass enable <rule_ID>` |
| conf t inspection-bypass options | disable | Disables an inspection bypass rule. | `conf t inspection-bypass disable <rule_ID>` |
| conf t inspection-bypass options | remove | Removes an inspection bypass rule. | `conf t inspection-bypass remove <rule_ID>` |
| conf t inspection-bypass add options | -eth | EthType. You can also use the strings ip or !ip. | `conf t inspection-bypass add -eth <EthType>` |
| conf t inspection-bypass add options | -ports | The port or ports to which the rule is applied. For more information, see ports on page 39. | `conf t inspection-bypass add -ports <value> -<option>` |
| conf t inspection-bypass add options | -gre | Specifies GRE tunneling traffic. Default value is any. You may also specify present or absent. | `conf t inspection-bypass add -gre <value>` |

| Command | Subcommand | Description | Usage |
|---|---|---|---|
| conf t inspection-bypass add options | -mipv4 | Specifies mobile IPv4 tunneling traffic. Default value is any. You may also specify present or absent. | `conf t inspection-bypass add -mipv4 <value>` |
| conf t inspection-bypass add options | -ipv6in4 | Specifies IPv6 6-in-4 tunneling traffic. Default value is any. You may also specify present or absent. | `conf t inspection-bypass add -ipv6in4 <value>` |
| conf t inspection-bypass add options | -vlan | Numeric value or range specifying the permitted VLAN IDs. | `conf t inspection-bypass add -vlan <value>` |
| conf t inspection-bypass add options | -mpls | Numeric value or range specifying the permitted MPLS IDs. | `conf t inspection-bypass add -mpls <value>` |
| conf t inspection-bypass add options | -ip-proto | IP protocol value. For more information, see ip-proto on page 40. | `conf t inspection-bypass add -ip-proto <value>` |
| conf t inspection-bypass add options | -ip-saddr | Source CIDR specification. Enter in the form xxx.xxx.xxx.xxx/xx. | `conf t inspection-bypass add -ip-saddr <CIDR range>` |
| conf t inspection-bypass add options | -ip-daddr | Destination CIDR specification. Enter in the form xxx.xxx.xxx.xxx/xx. | `conf t inspection-bypass add -ip-daddr <CIDR range>` |
| conf t inspection-bypass add options | -upd-sport | UPD source port. | `conf t inspection-bypass add -upd-sport <value>` |
| conf t inspection-bypass add options | -upd-dport | UPD destination port. | `conf t inspection-bypass add -upd-dport <value>` |
| conf t inspection-bypass add options | -tcp-sport | TCP source port. | `conf t inspection-bypass add -tcp-sport` |
| conf t inspection-bypass add options | -tcp-dport | TCP destination port. | `conf t inspection-bypass add -tcp-dport` |
| conf t interface ethernet | duplex | Sets the duplex speed to half or full. | `conf t interface ethernet <port> duplex half`; `conf t interface ethernet <port> duplex full` |
| conf t interface ethernet | linespeed | Sets the line speed. You can set the speed to 10, 100, 1000, or 10000. | `conf t interface ethernet <port> linespeed <speed>` |
| conf t interface ethernet | negotiate | Enables or disables auto-negotiate. | `conf t interface ethernet <port> negotiate`; `conf t interface ethernet <port> no negotiate` |
| conf t interface ethernet | shutdown | Shuts down the port. Use no shutdown to reactivate the port after a shutdown command or after configuration has changed. | `conf t interface ethernet <port> negotiate`; `conf t interface ethernet <port> no negotiate` |
| conf t interface mgmtEthernet | duplex | Sets the duplex speed to half or full. | `conf t interface mgmtEthernet duplex half`; `conf t interface mgmtEthernet full` |
| conf t interface mgmtEthernet | ip | Sets the IP address for the management ethernet port. The address can be IPv4 or IPv6. Use CIDR notation to set the subnet mask. The default mask is used when the user specifies a non-CIDR IP address. | `conf t interface mgmtEthernet ip <IP address>` |
| conf t interface mgmtEthernet | ipv6 | Enables or disables IPv6 support on the management port. | `conf t interface mgmtEthernet ipv6` |
| conf t interface mgmtEthernet | ipv6auto | Enables or disables automatic IPv6 configuration, which allows the device to get an IPv6 address automatically from the subnet router. | `conf t interface mgmtEthernet ipv6auto` |
| conf t interface mgmtEthernet | linespeed | Sets the line speed. You can set the speed to 10, 100, or 1000. | `conf t interface mgmtEthernet linespeed <speed>` |
| conf t interface mgmtEthernet | negotiate | Enables or disables auto-negotiate. | `conf t interface mgmtEthernet negotiate`; `conf t interface mgmtEthernet no negotiate` |
| conf t interface mgmtEthernet | physical-port | Specifies the physical port. | `conf t interface mgmtEthernet physical-port <port>` |
| conf t interface mgmtEthernet | route | Sets or removes the default route for the management ethernet port. | `conf t interface mgmtEthernet route <destination> <gateway IP address or CIDR>`; `conf t interface mgmtEthernet no route <destination>` |
| conf t interface mgmtEthernet | vlan | Specifies the VLAN ID. | `conf t interface mgmtEthernet vlan <vlan ID>` |
| conf t interface settings | detect-mdi | Enables or disables MDI detection. | `conf t interface settings detect-mdi enable`; `conf t interface settings detect-mdi disable` |
| conf t interface settings | mdi-mode | Sets the MDI mode to mdi or mdix. The default setting is mdix. The mdi setting has no effect if auto-negotiation is enabled, detect-mdix is enabled, or the port media is fiber. | `conf t interface settings mdi-mode mdi`; `conf t interface settings mdi-mode mdix` |
| conf t lcd-keypad | backlight | Sets the intensity of the backlighting in a range from 1 (dimmest) to 100 (brightest). | `conf t lcd-keypad backlight <number>` |
| conf t lcd-keypad | contrast | Sets the contrast in a range from 1 to 50. | `conf t lcd-keypad contrast <number>` |
| conf t lcd-keypad | disable | Disables the LCD keypad. | `conf t lcd-keypad disable` |
| conf t lcd-keypad | enable | Enables the LCD keypad. | `conf t lcd-keypad enable` |
| conf t monitor | disable power-supply | Disables power supply monitoring. | `conf t monitor disable power-supply` |
| conf t monitor | enable power-supply | Enables power supply monitoring. If any power supplies experience an interruption, the system logs a critical message in the system log and sends a notification to the SMS if the device is under SMS management. | `conf t monitor enable power-supply` |
| conf t monitor | threshold | Sets threshold values for disk usage, memory, and temperature values. Disk and memory thresholds are expressed in percentages, and temperature thresholds are expressed in degrees Celsius. The major threshold value must be set at a value less than the critical threshold value and allow time to react before a problem occurs. The critical threshold value should generate a warning before a problem causes damage. | `conf t monitor threshold disk -major <60-100> -critical <60-100>`; `conf t monitor threshold memory -major <60-100> -critical <60-100>`; `conf t monitor threshold temperature -major <40-80> -critical <40-80>` |
| conf t named-ip modify | add | Adds a new named IP address to the system. | `conf t named-ip add <IP address> <name>` |
| conf t named-ip modify | delete | Removes a name. | `conf t named-ip remove <name>` |
| conf t named-ip modify | rename | Renames a named IP address. | `conf t named-ip rename <old name> <new name>` |
| conf t nms | community | Sets the NMS community string. The string is limited to 31 characters. | `conf t nms community <string>` |
| conf t nms | trap-destination | Adds or removes an NMS trap IP address. You can also specify a port number with the -port option. For SNMPv3, the following options are also available: -user -password -engine -des | `conf t nms trap-destination add <IP address> -port <port number>`; `conf t nms trap-destination remove <IP address>`; `conf t nms trap destination add <IP address> port <port number> -user <user ID> -password <password> -engine <engine> -des <destination>` |
| conf t port | add | Adds a protocol to a port. | `conf t port <protocol> add <segment> <port>` |
| conf t port | delete | Removes a protocol from a port. | `conf t port <protocol> remove <segment> <port>` |

| Command | Subcommand | Description | Usage |
|---|---|---|---|
| conf t profile | add-pair | Adds a port pairing to a profile. | `conf t profile <profile name> add-pair <port pair>` |
| conf t profile | delete | Deletes an existing profile. | `conf t profile <profile name> delete` |
| conf t profile | description | Enters a description string for the profile. | `conf t profile <profile name> description "<description>"` |
| conf t profile | deployment | Sets the deployment mode. Deployment modes offer increased flexibility for filter settings. TippingPoint provides recommended settings customized for different deployment types, including Core, Edge, or Perimeter. Use show deployment-choices to see your options. | `conf t profile deployment core`; `conf t profile deployment edge`; `conf t profile deployment perimeter`; `conf t profile deployment default` |
| conf t profile | remove-pair | Removes a port pairing from a profile. | `conf t profile <profile name> remove-pair <port pair>` |
| conf t profile | rename | Renames a profile. | `conf t profile <profile name> rename <new profile name>` |
| conf t profile | security | Creates a security profile. You can add a description string with the -description option. | `conf t profile <profile name> security`; `conf t profile <profile name> security -description "<description>"` |
| conf t profile | traffic-mgmt | Creates a traffic management profile. You can add a description string with the -description option. | `conf t profile <profile name> traffic-mgmt`; `conf t profile <profile name> traffic-mgmt -description "<description>"` |
| conf t protection-settings | app-except | Adds or removes a global exception for Application Protection and Infrastructure Protection filters. | `conf t protection-settings app-except add <source IP address> <destination IP address> -profile <profile name>`; `conf t protection-settings app-except remove <source IP address> <destination IP address> -profile <profile name>` |
| conf t protection-settings | app-limit | Adds or removes an apply-only restriction for Application Protection and Infrastructure Protection filters. | `conf t protection-settings app-limit add <source IP address> <destination IP address> -profile <profile name>`; `conf t protection-settings app-limit remove <source IP address> <destination IP address> -profile <profile name>` |
| conf t protection-settings | dns-except | Adds or removes a DNS exception for Application Protection and Infrastructure Protection filters. | `conf t protection-settings app-except add <DNS> -profile <profile name>`; `conf t protection-settings app-except remove <DNS> -profile <profile name>` |
| conf t protection-settings | ip-except | Adds or removes an IP address exception for Application Protection and Infrastructure Protection filters. This exception applies to source and destination IP addresses. | `conf t protection-settings app-except add <IP address> -profile <profile name>`; `conf t protection-settings app-except remove <IP address> -profile <profile name>` |
| conf t protection-settings | perf-limit | Adds or removes an apply-only restriction for Performance Protection filters. | `conf t protection-settings perf-limit add <source IP address> <destination IP address> -profile <profile name>`; `conf t protection-settings perf-limit remove <source IP address> <destination IP address> -profile <profile name>` |
| conf t ramdisk | force-sync | Immediately synchronizes the RAM disk with the hard disk. You can synchronize all files, or specify alert, audit, block, or sys. | `conf t ramdisk force-sync all`; `conf t ramdisk force-sync <file>` |
| conf t ramdisk | sync-interval | Sets the synchronization interval in seconds. With a value of zero (0), all writes are immediately written to the hard disk. With a value of -1, the file is written to the hard disk when a conf t ramdisk force-sync command is executed, the device is rebooted or halted, or when the device enters high availability fallback mode. You must specify alert, audit, block, or sys. | `conf t ramdisk sync-interval <file>` |
| conf t remote-syslog | audit | Enables or disables remote syslog for the Audit log. | `conf t remote-syslog audit <IP address> -port <port>`; `conf t remote-syslog no audit` |
| conf t remote-syslog | delete | Deletes a remote syslog collector. | `conf t remote-syslog delete <IP address> -port <port>` |
| conf t remote-syslog | rfc-format | Enables or disables RFC format on the remote syslog. | `conf t remote-syslog rfc-format enable`; `conf t remote-syslog rfc-format disable` |
| conf t remote-syslog | quarantine | Enables or disables remote syslog for the Quarantine log. | `conf t remote-syslog quarantine enable`; `conf t remote-syslog quarantine disable` |
| conf t remote-syslog | system | Enables or disables remote syslog for the System log. | `conf t remote-syslog system <IP address> -port <port>`; `conf t remote-syslog no system` |
| conf t remote-syslog | update | Creates or updates a remote syslog collector. A collector is specified by IP address and port. You also have the option to include a delimiter and facility numbers for alert messages, block messages, and misuse/abuse messages. Facility numbers may be any number from 0-31 inclusive. Delimiter options include tab, comma, semicolon, and bar. | `conf t remote-syslog update <IP address> -port <port> -alert-facility <number>`; `conf t remote-syslog update <IP address> -port <port> -block-facility <number>`; `conf t remote-syslog update <IP address> -port <port> -misuse-facility <number>`; `conf t remote-syslog update <IP address> -port <port> -delimiter <character>` |
| conf t reputation | action-when-pending | The action that the IPS takes on traffic coming from the specified IP address while the IP reputation filter is caching the address. The default action is permit. | `conf t reputation action-when-pending [-profile <security profile name>] permit`; `conf t reputation action-when-pending drop [-profile <security profile name>] permit` |
| conf t reputation | check-dest-address | Enables or disables action on the traffic destination IP address. | `conf t reputation check-dest-address [-profile <security profile name>] enable`; `conf t reputation check-dest-address [-profile <security profile name>] disable` |
| conf t reputation | check-source-address | Enables or disables action on the traffic source IP address. | `conf t reputation check-source-address [-profile <security profile name>] enable`; `conf t reputation check-source-address [-profile <security profile name>] disable` |
| conf t reputation | filter | Configures reputation filters and maps a security profile to a reputation group. delete-copy: deletes a filter. disable: disables a filter without deleting it. enable: enables a filter and maps it to a reputation group. The -threshold option sets a reputation filter threshold based on the IP reputation information maintained by the TippingPoint TMC. Entries that exceed the TMC-set threshold are acted upon by the IPS. | `conf t reputation filter <group name> [-profile <security profile name>] delete-copy`; `conf t reputation filter <group name> [-profile <security profile name>] disable`; `conf t reputation filter <reputation group name> [-profile <security profile name>] enable [-threshold <number>] -action-set <action set name>` |
| conf t reputation group | add-domain | Adds a domain to a reputation group. | `conf t reputation group add-domain <name> <domain>` |
| conf t reputation group | add-ip | Adds an IP address to a reputation group. | `conf t reputation group add-ip <name> <domain>` |
| conf t reputation group | create | Creates an IP reputation group. | `conf t reputation group create <name> [-description description of option]` |
| conf t reputation group | delete | Deletes an IP reputation group. | `conf t reputation group delete <name>` |
| conf t reputation group | remove-domain | Removes a domain from a reputation group. | `conf t reputation group remove-domain <name> <domain>` |
| conf t reputation group | remove-ip | Removes an IP address from a reputation group. | `conf t reputation group remove-ip <name> <domain>` |
| conf t reputation group | rename | Renames an IP reputation group. | `conf t reputation group rename <old name> <new name>` |
Command Subcommand Description Usage
Sets the intrinsic network high availability (fallback) option for the
segment. If the segment is set to block, all traffic through that segment is conf t segment <segment name> high-availability block
high-availability
denied in the fallback state. If the segment is set to permit, then all traffic conf t segment <segment name> high-availability permit
is permitted in the fallback state.
Configures the Link-Down Synchronization mode and timeout length. The
following modes are available: hub: ensures the partner port is
conf t segment <segment name> link-down hub
unaffected when the link goes down breaker: requires both the port and
link-down conf t segment <segment name> link-down breaker -timeout <seconds>
its partner to be manually restarted when the link goes down wire:
conf t segment <segment name> link-down wire -timeout <seconds>
conf t segment automatically restarts the partner port when the link comes back up Valid
range of timeout is 0 to 240 seconds.
Defines a name for the segment with a maximum of 32 characters. Set the
name to "" to remove the name from the segment. Names must conform
name to the following rules: Can only contain letters A-Z and a-z, digits 0-9, conf t segment <segment name> name "<segment name>"
single spaces, periods (.), underscores (_), and dashes (-) Must include
at least one non-digit character Cannot begin or end with spaces
physical-ports Specifies the physical ports. conf t interface mgmtEthernet physical-port <port a> <port b>
restart Restarts a segment. conf t segment <segment number> restart
browser-check Enables and disables browser checking. conf t server browser-check conf t server no browser-check
Enables and disables HTTP. You must reboot the device after changing
http conf t server http conf t server no http
HTTP settings.
conf t server Enables and disables HTTPS. You must reboot the device after changing
https conf t server https conf t server no https
HTTPS settings.
ssh Enables and disables SSH. conf t server ssh conf t server no ssh
telnet Enables and disables telnet. conf t server telnet conf t server no telnet
columns Sets the column width of the terminal session. conf t session columns <number of columns>
more Enables or disables page-by-page output. conf t session more conf t session no more
rows Sets the row height of the session. conf t session rows <number of rows>
conf t session
Sets the inactivity timeout. The -persist option applies the this value to
timeout conf t session timeout <minutes> conf t session timeout <minutes> -persist
future sessions for all users as well as the current session.
wraparound Enables or disables text-wrapping for long text lines. conf t session wraparound conf t session no wraparound
[no options] Enables SMS management. conf t sms
ip Sets the IP address and port of the SMS that will manage the IPS. conf t sms ip <IP address> -port <port>
Enables or disables restriction of SMS management to a specified IP
must-be-ip conf t sms must-be-ip <IP address or CIDR> conf t sms no must-be-ip
conf t sms address. Only the SMS with this IP can manage the device.
no Disables SMS management. conf t no sms
v2 Enables or disables SNMP v2 communication. conf t sms v2 conf t sms no v2
v3 Enables or disables SNMP v3 communication. conf t sms v3 conf t sms no v3
[no options] Enables SNTP. conf t sntp
duration Sets the interval at which the IPS will check with the time server. A zero value will cause time to be checked once on boot. conf t sntp duration <minutes>
no Disables SNTP. conf t no sntp
conf t sntp offset If the difference between the new time and the current time is equal to or greater than the offset, the new time is accepted by the IPS. A zero value will force time to change every time the IPS checks. conf t sntp offset <seconds>
port Identifies the port to use for the time server. conf t sntp port <port>
primary Sets or removes the IP address of your primary SNTP time server. conf t sntp primary <IP address> conf t sntp no primary
retries Sets the number of retries that the device attempts before declaring the SNTP connection is lost. conf t sntp retries <number>
secondary Sets or removes the IP address of your secondary SNTP time server. conf t sntp secondary <IP address> conf t sntp no secondary
timeout Sets the number of seconds that the device waits before declaring the SNTP connection is lost. conf t sntp timeout <seconds>
icmp Creates an ICMP traffic management filter. You can also specify the ICMP type, or use any to apply the filter to all types. conf t traffic-mgmt icmp [-type <ICMP type>] <filter name> [-profile <profile name>] [-srcaddr <source IP address>] [-destaddr <destination IP address>]
icmp6 Creates an ICMPv6 traffic management filter. You can also specify the ICMPv6 type, or use any to apply the filter to all types. conf t traffic-mgmt icmp6 [-type <ICMPv6 type>] <filter name> [-profile <profile name>] [-srcaddr <source IP address>] [-destaddr <destination IP address>]
conf t traffic-mgmt ip Creates an IP traffic management filter. You can also specify whether IP fragments are filtered with the -ip-frag-only or -no-ip-frag-only options. conf t traffic-mgmt ip [-ip-frag-only] <filter name> [-profile <profile name>] [-srcaddr <source IP address>] [-destaddr <destination IP address>] conf t traffic-mgmt ip [-no-ip-frag-only] <filter name> [-profile <profile name>] [-srcaddr <source IP address>] [-destaddr <destination IP address>]
ip6 Creates an IPv6 traffic management filter. You can also specify whether IP fragments are filtered with the -ip-frag-only or -no-ip-frag-only options. conf t traffic-mgmt ip6 [-ip-frag-only] <filter name> [-profile <profile name>] [-srcaddr <source IP address>] [-destaddr <destination IP address>] conf t traffic-mgmt ip6 [-no-ip-frag-only] <filter name> [-profile <profile name>] [-srcaddr <source IP address>] [-destaddr <destination IP address>]
tcp Creates a TCP traffic management filter. You can also specify the TCP source and destination ports. conf t traffic-mgmt tcp [-srcport <TCP port>] [-destport <TCP port>] <filter name> [-profile <profile name>] [-srcaddr <source IP address>] [-destaddr <destination IP address>]
conf t traffic-mgmt
udp Creates a UDP traffic management filter. You can also specify the UDP source and destination ports. conf t traffic-mgmt udp [-srcport <UDP port>] [-destport <UDP port>] <filter name> [-profile <profile name>] [-srcaddr <source IP address>] [-destaddr <destination IP address>]
allow Permits all traffic that fits the named filter. conf t traffic-mgmt <filter name> [-profile <profile>] allow
block Blocks all traffic that fits the named filter. conf t traffic-mgmt <filter name> [-profile <profile>] block
delete Deletes the named filter. conf t traffic-mgmt <filter name> [-profile <profile>] delete
position Changes the priority of the filter. conf t traffic-mgmt <filter name> [-profile <profile>] position <number>
conf t traffic-mgmt
rate-limit Rate-limits and applies the named action set to all traffic that fits the filter. conf t traffic-mgmt <filter name> [-profile <profile>] rate-limit <action set name>
rename Renames the filter. conf t traffic-mgmt <filter name> [-profile <profile>] rename
trust Enables trust of all packets that match the filter. conf t traffic-mgmt <filter name> [-profile <profile>] trust
adaptive-filter Sets the adaptive filter mode to automatic or manual. conf t tse adaptive-filter mode automatic conf t tse adaptive-filter mode manual
afc-severity Sets the severity of messages logged by the Adaptive Filter Configuration (AFC). Options include: critical, error, warning, info. conf t tse afc-severity <severity>
asymmetric-network Enables or disables asymmetric mode for the TSE. Use asymmetric mode if your network uses asymmetric routing. conf t tse asymmetric-network enable conf t tse asymmetric-network disable
congestion Enables or disables notification when traffic congestion reaches a defined threshold. conf t tse congestion notify enable -threshold <threshold> conf t tse congestion notify disable
connection-table Sets the timeout for the connection tables. non-tcp-timeout: Defines the timeout for non-TCP connections. The range is 30 to 1800 seconds. timeout: Defines the global connection table timeout. The range is 30 to 1800 seconds. trust-timeout: Defines the timeout for the trust table. The range is 30 to 1800 seconds. conf t tse connection-table non-tcp-timeout <seconds> conf t tse connection-table timeout <seconds> conf t tse connection-table trust-timeout <seconds>
gzip-compression Enables or disables GZIP decompression. conf t tse gzip-compression enable conf t tse gzip-compression disable
conf t tse http-encoded-resp Specifies inspection of encoded HTTP responses. accelerated: Hardware acceleration is used to detect and decode encoded HTTP responses. inspect: Enables strict detection and decoding of HTTP responses. ignore: The device does not detect or decode HTTP responses. conf t tse http-encoded-resp accelerated conf t tse http-encoded-resp inspect conf t tse http-encoded-resp ignore
ids-mode Enables or disables IDS mode. When enabled, IDS mode configures the device to operate in a manner similar to an Intrusion Detection System (IDS). Performance protection is disabled. Adaptive Filtering mode is set to Manual. Filters currently set to Block are not switched to Permit, and Block filters can still be set. NOTE: IDS mode will be disabled if you manually enable performance protection or set Adaptive Filtering mode to Automatic. conf t tse ids-mode enable conf t tse ids-mode disable
logging-mode Sets the logging mode: conditional: Improves performance by turning off alert/block logging when the device experiences a specified amount of congestion. This feature is enabled by default. The -threshold setting defines the percentage of packet loss that turns off logging. The -period setting sets the length of time logging remains off. unconditional: The device always logs alerts and blocks, even if traffic is dropped under high load. conf t tse logging-mode conditional -threshold <percentage> -period <seconds> conf t tse logging-mode unconditional
quarantine Sets the quarantine duration. The range is 1 to 1440 minutes. conf t tse quarantine <minutes>
add Adds a user. Requires the following options: name: Login name. Maximum of 31 characters. role: Privilege level. Privileges may be operator, administrator, or super-user. password: Password. Maximum 32 characters. If you do not create a password, you will be asked if you want to do so. -tech-support: Enables the Technical Support Landing Page when the user logs into the LSM. (TippingPoint 10 only) conf t user add <username> -password <password> -role <role>
conf t user
enable Enables a user account that has been disabled due to lockout or expiration. conf t user enable <username>
modify Modifies the named user. Requires one or more of the following options: role: Privilege level. Privileges may be operator, administrator, or super-user. password: Password. Maximum 32 characters. -tech-support: Enables the Technical Support Landing Page when the user logs into the LSM. (TippingPoint 10 only) conf t user modify <username> -password <password> -role <role>
remove Removes a user login. conf t user remove <username>
attempt-action Specifies the action to take when the maximum number of login attempts is reached. disable: Requires a super-user to re-enable the user. lockout: Prevents the user from logging in for the lockout-period. notify: Posts a notification to the audit log. conf t user option attempt-action disable conf t user option attempt-action lockout
conf t user options expire-action Specifies the action to take when a user account expires. disable: Disables the account. expire: Expires the account. notify: Audits the expiration to the audit log. conf t user option expire-action disable conf t user option expire-action expire conf t user option expire-action notify
expire-period Sets the number of days before a password expires. Valid values are 0, 10, 20, 30, 45, 90, 332, and 365. With a value of 0, passwords do not expire. conf t user option expire-period <value>
lockout-period Sets the number of minutes that a user is locked out after the maximum number of unsuccessful login attempts. conf t user option lockout-period <value>
conf t user options max-attempts Sets the maximum number of login attempts that are permitted before the action specified in attempt-action takes place. Valid values are integers between 1 and 10, inclusive. conf t user option max-attempts <value>
security-level Sets the security level for user names and passwords. Valid values are integers between 0 and 2 inclusive. See Security Levels on page 64. conf t user options
add-row Configures the physical port, VLAN ID, and CIDR associated with a virtual port. Leaving an option blank sets the value to any. conf t virtual-port <port name> add-row -port-list <physical port> -vlan-list <VLAN ID> -cidr-list <CIDR address>
create Creates a virtual port and assigns a name. The maximum number of characters is 32. Spaces are not allowed. Use the -description option to add a description. conf t virtual-port <name> create [-description "<description>"] <zones>
conf t virtual-port delete Deletes a virtual port. conf t virtual-port <name> delete
description Enters a description of the virtual ports. conf t virtual-port <name> description "<description>"
remove-row Removes the physical port, VLAN, and CIDR associated with a virtual port, resetting its values to any. conf t virtual-port <port name> remove-row
rename Changes the name of the virtual ports. conf t virtual-port <name> rename <new name>
zones Sets the physical port list and VLAN list for a virtual port. conf t virtual-port <name> zones <VLAN range>
delete Deletes a virtual segment. conf t virtual-segment <incoming virtual port> <outgoing virtual port> delete
conf t virtual-segment position Sets the precedence of a virtual segment. Assigning a position of 1 gives the segment topmost precedence. conf t virtual-segment <incoming virtual port> <outgoing virtual port> [-position <position in list>]
update Creates, moves, or edits a virtual segment. conf t virtual-segment <incoming virtual port> <outgoing virtual port> update
dp-ps Lists all processes. debug information dp-ps
debug information ticks Lists the number of processes currently running in the control and data planes, the maximum CPU usage, and the average CPU usage. The following options provide more information: -details: Provides a more detailed list of processes and CPU usage. -tiers: Lists processes and CPU usage by tier. debug information ticks
clear-caches Clears the reputation caches. debug reputation clear-cache
debug reputation lookup Looks up an address in the reputation database. debug reputation lookup <IP address>
show-cache-stats Shows the reputation cache statistics. debug reputation show-cache-stats
debug best-effort-mode enable Enables Best Effort mode. debug np best-effort enable [-queue-latency <microseconds>] [-recover-percent <percent>]
disable Disables Best Effort mode. debug np best-effort disable
-queue-latency Defines the latency threshold at which Best Effort mode is entered. The default is 1000 microseconds. debug np best-effort enable -queue-latency <microseconds>
debug np best-effort options -recover-percent Defines the recovery percentage at which Best Effort mode is exited. The default is 20%; if the latency threshold is 1000 microseconds, the device exits Best Effort mode when latency drops to 200 microseconds (20% of 1000). debug np best-effort enable -recover-percent <percent>
list Returns a list of all traffic captures currently saved on the IPS. debug traffic-capture list
remove Removes a saved traffic capture. Use the -f flag to force the removal of the file when a traffic capture is in progress. debug traffic-capture remove <traffic capture filename> debug traffic-capture remove -f <traffic capture filename>
debug traffic-capture start Initiates a traffic capture. This subcommand can be used in conjunction with the options or with an expression. debug traffic-capture start [-c <number of packets>] [-C <file size>] [-i <virtual segment>] [-w <file>] <expression>
stop If only one traffic capture is currently in progress, terminates the traffic capture in progress. If two or more traffic captures are currently in progress, you must specify a filename. debug traffic-capture stop debug traffic-capture stop <filename>
stop-all Stops traffic captures currently in progress. debug traffic-capture stop-all
-c Defines the number of packets at which the traffic capture will stop. The default is 100. debug traffic-capture start -c <number of packets>
-C Defines the capture file size at which the traffic capture will stop. The size is defined in bytes. The default is 100000. debug traffic-capture start -C <file size>
debug traffic-capture start options -i Sets the virtual segment on which the traffic will be captured. The default is all defined virtual segments. The segment should be defined with the syntax 1A-1B. debug traffic-capture start -i <virtual segment> <expression>
-w Defines a name for the traffic capture file. Do not include an extension; the TOS will automatically append one. The default file name is the date and time at which the traffic capture was initiated, in the format YYYYMMDD-HHMMSS.pcap. debug traffic-capture start -w <file>
auth delete Reboots the device and wipes out the user database. Use the -add and -password options to create a new default super user. If you do not specify a username and password, you will be forced to create one via the serial port terminal when the device reboots. -add: Defines the new default super-user name. -password: Creates a password for the user. If you specify an asterisk (*) for the password, you will be prompted for the password. fips auth delete fips auth delete -add <user name> -password <password>
fips keys Manages generated keys and SSL keys. You must specify two options for managing SSL keys. The first option specifies what to do with the generated keys: keep: Saves the keys when the box is rebooted. generate: Generates a new key on reboot. delete: Deletes the generated keys on reboot. The second option specifies the action for the authorized SSL key that was originally obtained with the device. This option does not take effect until after a reboot. keep: Saves the key. delete: Deletes the default key. restore-default: Restores the default key. fips keys <keep/generate/delete> <keep/delete/restore-default>
restore-ssl Restores the default SSL key. fips restore-ssl
force The fallback option forces the TippingPoint into fallback or Intrinsic Network High Availability (INHA) mode. The normal option causes the TippingPoint to return to normal (non-INHA) operation. high-availability force fallback high-availability force normal
high-availability zero-power Forces a ZPHA module into one of two modes: normal: traffic passes through the IPS. bypass: traffic bypasses the IPS. With no options specified, this command affects the external ZPHA module. Use the -segment option to set the mode of a Smart ZPHA module. A ZPHA module may be one of the following: An external module connected to the device through the ZPHA interface. A Smart ZPHA module on the 2500N, 5100N, or 6100N. high-availability zero-power bypass-ips [-segment <segment name>] high-availability zero-power no bypass-ips [-segment <segment name>] high-availability zero-power bypass-ips [-all] high-availability zero-power no bypass-ips [-all]
-q Suppresses statistics. ping <IP address> <packet count> -q
-v Returns verbose results. ping <IP address> <packet count> -v
ping
-4 IPv4 traffic only. ping <IP address> <packet count> -4
-6 IPv6 traffic only. ping <IP address> <packet count> -6
add Adds an IP address to the quarantine list. You can also enter an action set that will apply to all traffic from that IP address. quarantine add <IP address> <action set name>
empty Flushes the quarantine list of all IP addresses. quarantine empty
quarantine list Displays a list of quarantined IP addresses. You can filter the addresses with the filter subcommand and an IP string, and you can use * as a wildcard, as in 100.*.*.*. quarantine list quarantine list filter <IP address>
remove Removes an IP address from the quarantine list. quarantine remove <IP address>
email-default Configures the default email contact. setup email-default
ethernet-port Configures the ethernet ports. setup ethernet-port
host Configures the management port. setup host
setup servers Configures Web, CLI, and SNMP servers. setup servers
sms Restricts SMS to a specified IP address. setup sms
time Configures time management. setup time
vlan-translation Configures VLAN translation. setup vlan-translation
action-sets Displays all action sets with their settings and contacts. show action-set
arp Displays the link level ARP table. show arp
autodv Displays the state of the automatic DV feature. show autodv
clock Displays the time and timezone for the internal clock. show clock show clock -details
compact-flash Displays whether the compact flash is mounted, and if so, its model number, serial number, revision number, capacity, operation mode, and mount status. show compact-flash
default-alert-sink Displays the to and from addresses and SMTP settings for the default alert sink. show default-alert-sink
default-gateway Displays the IP address of the default gateway. show default-gateway
show subcommands deployment-choices Displays the deployment modes available for the device. show deployment-choices
dns Displays the DNS that the device is using. show dns
filter Displays the filter information. Specify the filter by number. show filter <number>
fips Displays FIPS and key information. Use the -details option for more information. show fips show fips -details
health Displays the disk space, memory usage, power supply status, temperature, fans, I2C bus timeouts, and voltage of the device. show health disk-space show health fans show health i2c-bus show health memory show health power-supply show health temperature show health voltage
high-availability Displays the current HA status. show high-availability
host Displays the host management port configurable options and the current settings. Use the -details option for more information. show host show host -details
inspection-bypass Displays the inspection bypass rules. show inspection-bypass show inspection-bypass -details
interface Displays network interface data. Specify one of the following: mgmtEthernet: Management interface. ethernet: Port specifier (1A, 1B, etc.) show interface mgmtEthernet show interface ethernet
license Shows the license status for the TOS, Digital Vaccine, and IP Reputation. show license
log Displays a log file. Only users with super-user privileges can view the audit log. show log alert show log audit show log block show log quarantine show log summary show log system
mfg-info Displays manufacturing information, including the device serial number and MAC address. show mfg-info
np Displays the network processor statistic sets. show np engine show np engine filter show np engine packet show np engine parse show np engine reputation dns show np engine reputation ip show np engine rule show np general show np general statistics show np protocol-mix show np reassembly show np reassembly ip show np reassembly tcp show np rule-stats show np softlinx
show subcommands policy counters Displays the counters for Total, Invalid, Alert, and Blocked. show policy counters
profile Displays detailed information about a named profile. Enclose the name of the profile in quotes "". show profile "<profile name>"
protection-settings Displays category settings. show protection-settings -profile <profile name>
ramdisk Displays the RAM disk status. show ramdisk files show ramdisk stats
rate-limit-speeds Displays all valid rate limit speeds. show rate-limit-speeds
reputation Displays the reputation groups and filters. show reputation show reputation filter <filter name> show reputation groups
routes Displays the configured routes. show routes
server Displays the servers running on the device. show servers
service-access Displays the status of service access to the device. show service-access
session Displays the current session settings. show session
sms Indicates whether an SMS is managing the device and displays information about the SMS. show sms
sntp Displays the current SNTP settings. show sntp
timezones Displays the available timezones. show timezones
traffic-mgmt Displays all traffic management filters defined in a traffic management profile. You must specify the profile by name unless there is only one profile on the device. show traffic-mgmt -profile <profile name>
tse Displays information and settings regarding the Threat Suppression Engine. show tse adaptive-filter top-ten show tse connection-table blocks show tse connection-table timeout show tse connection-table trusts show tse rate-limit streams
user Displays the user login accounts on the TippingPoint device. show user show user -details
version Displays the version of the TOS software running on the IPS device. show version
virtual-port Displays information about a virtual port. show virtual-port <port number>
virtual-segments Displays all of the virtual segments configured on the device. show virtual-segments
action-set Lists all action sets that have been defined for this device. You can also view a single action set by specifying the action set name. show conf action-set show conf action-set <action set name>
authentication Displays the remote authentication configuration. show conf authentication
autodv Shows configuration settings for the automatic update service for Digital Vaccine packages. show conf autodv
category-settings Shows configuration settings for filter categories. You can also view the settings for a single profile by specifying the profile name. show conf category-settings show conf category-settings -profile <profile name>
show configuration clock Shows timezone and daylight saving time settings. show conf clock
compact-flash Shows the compact flash operation mode. show conf compact-flash
default-alert-sink Shows the default email address to which attack alerts will be directed. show conf default-alert-sink
default-gateway Shows the device default gateway. show conf default-gateway
email-rate-limit Shows the maximum number of email notifications the system will send every minute. The minimum is 1; the maximum is 35. show conf email-rate-limit
filter Shows the filter data for a specific filter, identified by filter number. show conf filter <number>
high-availability Shows high availability configuration settings. show conf high-availability
host Shows the host name and location. show conf host
inspection-bypass Shows the current inspection bypass rule configuration. show conf inspection-bypass
interface When used without qualifiers, shows configuration of all ports. ethernet shows Ethernet port information. Without options, this subcommand shows the status of all Ethernet ports. Use port specifiers (1A, 2A, etc.), to view the status of a single port. mgmtEthernet shows Management Ethernet port information. settings shows the persistent configuration settings for MDI-detection. show conf interface show conf interface ethernet show conf interface mgmtEthernet show conf interface settings
lcd-keypad Shows the configuration setting for the LCD keypad. show conf lcd-keypad
log Shows log configuration. show conf log show conf log audit-log
monitor Shows the persistent configuration of monitor thresholds. show conf monitor
nms Shows the NMS settings. show conf nms
notify-contacts Shows the notification contacts and settings. show conf notify-contacts
port Shows the configuration of all ports on the IPS. show conf port
profile Lists all profiles that have been configured on the device. You can view an individual profile by including the profile name. show conf profile show conf profile <profile name>
protection-settings Shows the protection settings. You can also view the settings for a single profile by specifying the profile name. show conf protection-settings show conf protection-settings -profile <profile name>
show configuration ramdisk Shows the RAM disk configuration. show conf ramdisk
remote-syslog Shows the remote syslog configuration and the IP address of the remote log. show conf remote-syslog
reputation Shows the configuration of reputation filters and groups, and of the IP Reputation feature. show conf reputation show conf reputation group show conf reputation filter
segment Shows the segment configuration. You can view an individual segment by including the segment name. show conf segment show conf segment <segment name>
server Shows the device server configuration. show conf server
service-access Shows whether service access is enabled or disabled. show conf service-access
session Shows the session timeout settings. Use show session to view the current session configuration. show conf session
sms Shows if SMS is enabled and other SMS configuration settings. show conf sms
sntp Shows the SNTP configuration. show conf sntp
traffic-mgmt Shows the traffic management configuration. show conf traffic-mgmt
tse Shows the TSE information, including connection table timeout, asymmetric network setting, adaptive aggregation threshold, adaptive filter mode, and IDS mode. show conf tse
user Shows user options. Use the -details option to view additional information. show conf user show conf user -details
virtual-port Shows virtual port configuration. To show the configuration of a specific virtual port, specify the virtual port name. show conf virtual-port show conf virtual-port <virtual port name>
virtual-segments Shows the configuration of the virtual segments. show conf virtual-segments
vlan-translation Shows the VLAN translation configuration. show conf vlan-translation
create Creates a snapshot with the given name. snapshot create <snapshot name>
list Lists all snapshots saved on the device. snapshot list
remove Deletes the named snapshot. snapshot remove <snapshot name>
snapshot
restore Replaces the current configuration settings with the settings in the named snapshot. This process may take some time and will require a reboot of the device. snapshot restore <snapshot name>
-include-reputation When this flag is included in the command, the snapshot will include the files from the Reputation DV package in the snapshot. snapshot create -include-reputation
-include-manual-entries When this flag is included in the command, the snapshot will include the user-defined IP and DNS reputation entries in the snapshot. snapshot create -include-manual-entries
snapshot options -include-network When this flag is included in the command, the snapshot will include management port configuration information. snapshot create -include-network
-exclude-network When this flag is included with the snapshot restore command, the snapshot excludes management port configuration information during the restore process. snap
