NSX CLI Guide
Associated Commands:
CLI Description | Command |
---|---|
Clear IDS Engine Event stats. | `clear edgeids events stats` |
Delete all TLS inspection cached certificates. | `clear tls-inspection cached-certificates` |
Delete TLS inspection cached certificates. | `clear tls-inspection cached-certificates <certificate-id-string-arg>` |
Clear all TLS inspection error stats. | `clear tls-inspection errors` |
Clear all TLS inspection traffic stats. | `clear tls-inspection traffic-stats` |
Writes IDPS filter specific statistics to `/var/log/nsx-idps/filter_stats.txt`. | `dump ids filter stats` |
Display NSX DPI Lib Log Level. | `get dpi lib-dfw logging-level all` |
Display NSX DPI Log Level. | `get dpi logging-level` |
Display NSX DPI Statistics. | `get dpi stats` |
Get IDS Event Engine config stats. | `get edgeids event-config stats` |
Get IDS Engine Event stats. | `get edgeids events stats` |
Display the specified firewall address set for the logical router interface. | `get firewall <dpd-uuid-firewall-port-arg> addrset name <string-arg>` |
Display all the firewall address sets for the logical router interface. | `get firewall <dpd-uuid-firewall-port-arg> addrset sets` |
Display the specified firewall attribute set for the logical router interface. | `get firewall <dpd-uuid-firewall-port-arg> attrset name <string-arg>` |
Display all the firewall attribute sets for the logical router interface. | `get firewall <dpd-uuid-firewall-port-arg> attrset sets` |
Display the firewall connections on the specified logical router interface. | `get firewall <dpd-uuid-firewall-port-arg> connection` |
Display the firewall connection count. | `get firewall <dpd-uuid-firewall-port-arg> connection count` |
Display the firewall connections on the specified logical router interface. | `get firewall <dpd-uuid-firewall-port-arg> connection raw` |
Display the state of the firewall connections. | `get firewall <dpd-uuid-firewall-port-arg> connection state` |
Display firewall interface statistics for the specified logical router interface. | `get firewall <dpd-uuid-firewall-port-arg> interface stats` |
Display the active/standby configuration for the firewall on the specified logical router interface. | `get firewall <dpd-uuid-firewall-port-arg> sync config` |
Display the firewall synchronization statistics. | `get firewall <dpd-uuid-firewall-port-arg> sync stats` |
Display the fixed timeouts for connection events. | `get firewall <dpd-uuid-firewall-port-arg> timeouts` |
Display specific firewall L7 profile information on given Logical Router UUID. | `get firewall <dpd-uuid-lrouter-port-arg> l7-profile <uuid-string-arg>` |
Display specific firewall L7 profile entry stats information on given Logical Router UUID. | `get firewall <dpd-uuid-lrouter-port-arg> l7-profile <uuid-string-arg> stats` |
Display all firewall L7 profiles information on given Logical Router UUID. | `get firewall <dpd-uuid-lrouter-port-arg> l7-profiles` |
Display all firewall L7 profile entry stats information on given Logical Router UUID. | `get firewall <dpd-uuid-lrouter-port-arg> l7-profiles stats` |
Display IKE policy for the specified logical router interface. | `get firewall <uuid> ike policy [<rule-id>]` |
Display firewall rules with expanded address sets for the specified logical router interface. | `get firewall <uuid> ruleset [type <rule-type>] rules [<ruleset-detail>]` |
Display firewall rule statistics for the specified logical router interface. | `get firewall <uuid> ruleset [type <rule-type>] stats` |
Display firewall address sets. | `get firewall <vif-uuid-arg> addrsets` |
Display firewall fqdn attribute of profiles. | `get firewall <vif-uuid-arg> fqdn` |
Display firewall attribute profiles. | `get firewall <vif-uuid-arg> profile` |
Display firewall rules. | `get firewall <vif-uuid-arg> ruleset rules` |
Display the logical router or switch interfaces which have firewall rules. | `get firewall [logical-switch <uuid>] interfaces` |
Display firewall addresses for the specified address set. | `get firewall addrset name <uuid-arg>` |
Display firewall address sets for the available virtual interface. | `get firewall addrset sets` |
Display the state of the firewall connections in the VRF context. | `get firewall connection state` |
Display firewall fqdn attribute of profiles. | `get firewall context-profile <context-profile-id-arg> fqdn` |
Display firewall fqdn attribute of profiles. | `get firewall context-profiles` |
Display firewall exclude interfaces. | `get firewall exclude` |
Display the firewall exclusion list. | `get firewall exclude-list` |
Display firewall exclusions. | `get firewall exclusion` |
Display firewall interface statistics for the specified logical router interface in the VRF context. | `get firewall interface stats` |
Display the logical router or switch interfaces which have firewall rules. | `get firewall interfaces` |
Display sync configuration for logical router interfaces with firewall rules. | `get firewall interfaces sync` |
Display firewall ipfix containers. | `get firewall ipfix-containers` |
Display firewall ipfix filters. | `get firewall ipfix-filters` |
Display firewall ipfix profile configuration. | `get firewall ipfix-profiles` |
Display firewall ipfix statistics. | `get firewall ipfix-stats` |
Display specific firewall L7 profile information based on UUID. | `get firewall l7-profile <uuid-string-arg>` |
Display specific firewall L7 profile entry stats information based on UUID. | `get firewall l7-profile <uuid-string-arg> stats` |
Display all firewall L7 profiles information. | `get firewall l7-profiles` |
Display all firewall L7 profile entry stats information. | `get firewall l7-profiles stats` |
Display the contents of the DFW packet log file. | `get firewall packetlog` |
Display last lines of the DFW packet log file. | `get firewall packetlog last <line-count-arg>` |
Display firewall rule statistics. | `get firewall rule-stats` |
Display total firewall rule statistics. | `get firewall rule-stats total` |
Display the summary of firewall rules. | `get firewall rules` |
Display the firewall status. | `get firewall status` |
Display the firewall summary. | `get firewall summary` |
Display the active/standby configuration for the firewall on the specified logical router interface. | `get firewall sync config` |
Display the firewall synchronization statistics in the VRF context. | `get firewall sync stats` |
Display firewall threshold alarms. | `get firewall threshold-alarms` |
Display firewall thresholds. | `get firewall thresholds` |
Display firewall VIFs. | `get firewall vifs` |
Display firewall vsipioctl fqdn entries with no debug. | `get firewall vsipioctl <vsip_commands> [<vsip_param>]` |
Display NSX IDS Engine Fast Log setting. | `get ids engine alertlog` |
Display IDS Engine Fast Log setting. | `get ids engine fastlog` |
Displays all IDS global stats. | `get ids engine global stats` |
Displays the IDS logging level. | `get ids engine logging-level` |
Display NSX IDS Engine Log Level. | `get ids engine logging-level` |
Displays the IDS profiles. | `get ids engine profiles` |
Display NSX IDS Engine Profiles. | `get ids engine profiles` |
Displays the IDS profiles for the specified signature. | `get ids engine profiles signature <ids-sig-id-arg>` |
Display NSX IDS Engine Profile statistics. | `get ids engine profilestats <profile-id>` |
Display NSX IDS Engine Profile status. | `get ids engine profilestatus <profile-id>` |
Display NSX IDS Engine Rules. | `get ids engine rules` |
Get Signature Action for a particular RuleID, ProfileID, SignID. | `get ids engine signaction <rule-id> <profile-id> <sign-id>` |
Checks for membership and action for a signature-profile pair. | `get ids engine signature <ids-sig-id-arg> profile <context-profile-id-arg> membership` |
Display NSX IDS Engine global statistics. | `get ids engine stats` |
Displays the IDS Enable/Disable Status. | `get ids engine status` |
Display NSX IDS Engine Status. | `get ids engine status` |
Get IDS Event Engine queue stats. | `get ids events queue stats` |
Get IDS Event Engine stats. | `get ids events stats` |
Display NSX IDPS filter specific statistics. | `get ids filter stats <filtername-arg>` |
Display NSX IDS Log Level. | `get ids logging-level` |
Display NSX IDS Profiles. | `get ids profiles` |
Display NSX IDS Rules. | `get ids rules` |
Display NSX IDS Status. | `get ids status` |
Display information about Service Insertion. | `get service-insertion` |
Display information about Service Insertion. | `get service-insertion <dpd-uuid-service-insertion-arg>` |
Display information about NS Service Insertion BFD control status. | `get service-insertion bfd-ctrl` |
Display information about Service Insertion flow programming table. | `get service-insertion flow-prog-table` |
Display information about Service Insertion failed SPI. | `get service-insertion spi-fail-table` |
Display information about EW Service Insertion VRF to interface mapping. | `get service-insertion vrf-to-intf` |
Display spoof guard config for a host switch and dvport. | `get spoof-guard config <hs-name-arg> <dvport-id-arg>` |
Displays Spoof Guard config for a logical port. | `get spoof-guard config <logical-port>` |
Display spoof guard stats for a host switch and dvport. | `get spoof-guard stats <hs-name-arg> <dvport-id-arg>` |
Displays Spoof Guard stats for a logical port. | `get spoof-guard stats <logical-port>` |
Display spoof guard whitelist for a host switch and dvport. | `get spoof-guard whitelist <hs-name-arg> <dvport-id-arg>` |
Displays Spoof Guard whitelist for a logical port. | `get spoof-guard whitelist <logical-port>` |
Display TLS inspection information. | `get tls-inspection` |
Display TLS inspection action profile details. | `get tls-inspection action-profile <uuid-string-arg>` |
Display TLS inspection action profile information. | `get tls-inspection action-profiles` |
Display TLS inspection bypassed sites and the reason. | `get tls-inspection bypassed-sites lr-uuid <uuid>` |
Display TLS inspection bypassed sites and the reason. | `get tls-inspection bypassed-sites sr-uuid <uuid>` |
Display TLS inspection CA bundle details. | `get tls-inspection ca-bundle <uuid-string-arg>` |
Display TLS inspection CA bundle information. | `get tls-inspection ca-bundles` |
Show TLS Inspection Cached Certificate Details. | `get tls-inspection cached-certificate <certificate-id-string-arg>` |
Display TLS inspection cached certificates. | `get tls-inspection cached-certificates` |
Show TLS Inspection Certificate Details. | `get tls-inspection certificate <tls-certificate-id-arg>` |
Display TLS inspection CRL information. | `get tls-inspection crls` |
Display revoked certs of a TLS inspection CRL matching a serial number. | `get tls-inspection crls <crl-uuid> certificate-serial-number <certificate-serial-number>` |
Display revoked certs of a TLS inspection CRL of an issuer. | `get tls-inspection crls <crl-uuid> issuer <issuer-SHA256>` |
Display the revoked cert of a TLS inspection CRL that matches the issuer hash and serial number. | `get tls-inspection crls <crl-uuid> issuer <issuer-SHA256> certificate-serial-number <certificate-serial-number>` |
Display the revoked cert of a TLS inspection CRL that matches the public key hash. | `get tls-inspection crls <crl-uuid> public-key-hash <public-key-hash>` |
Display the revoked cert of a TLS inspection CRL that matches the subject SHA256 hash. | `get tls-inspection crls <crl-uuid> subject <subject-SHA256>` |
Display the revoked cert of a TLS inspection CRL that matches the subject and public key hash. | `get tls-inspection crls <crl-uuid> subject <subject-SHA256> public-key-hash <public-key-hash>` |
Display revoked certs of a TLS inspection CRL. | `get tls-inspection crls <uuid-string-arg>` |
Display TLS inspection global error stats associated with the routers. | `get tls-inspection errors` |
Display TLS inspection error stats associated with the routers. | `get tls-inspection errors lr-uuid <uuid>` |
Display TLS inspection error stats associated with the routers. | `get tls-inspection errors sr-uuid <uuid>` |
Display TLS inspection logging levels. | `get tls-inspection logging-level` |
Display TLS inspection rule stats associated with the routers. | `get tls-inspection rule-stats <lr-uuid\|sr-uuid>` |
Display TLS inspection rule stats associated with the routers. | `get tls-inspection rule-stats <lr-uuid\|sr-uuid> [<rule-id>]` |
Display TLS inspection rules brief associated with the routers. | `get tls-inspection rules brief <lr-uuid\|sr-uuid>` |
Display TLS inspection rules brief associated with the routers. | `get tls-inspection rules brief <lr-uuid\|sr-uuid> [<rule-id>]` |
Display TLS inspection status information. | `get tls-inspection status` |
Display TLS inspection traffic stats associated with the routers. | `get tls-inspection traffic-stats lr-uuid <uuid>` |
Display TLS inspection traffic stats associated with the routers. | `get tls-inspection traffic-stats sr-uuid <uuid>` |
Display reputation and category info about URL. | `get url-classification <url-string-arg>` |
Configure NSX DPI Lib Log Level. | `set dpi lib-dfw logging-level <dpi-lib-log-level-arg>` |
Configure NSX DPI Log Level. | `set dpi logging-level <dpi-log-level-arg>` |
Set the peer configuration for active/standby configuration. This configuration happens automatically when firewall rules are added to an active/standby logical router via the NSX Manager web interface or API. This command should be used for advanced configuration or troubleshooting only. If you manually configure the active/standby peer on an edge node, you must also configure its peer. | `set firewall <dpd-uuid-firewall-port-arg> local-ip <ip-address> sync-peer <nsxa-uuid-lrouter-port-arg> sync-peer-ip <ip-address>` |
Set the firewall synchronization mode for active/standby configuration. This configuration happens automatically when firewall rules are added to an active/standby logical router via the NSX Manager web interface or API. This command should be used for advanced configuration or troubleshooting only. If you manually configure the active/standby sync, you must correctly configure both edge nodes in the active/standby configuration. One node must be configured as primary and one as secondary. One node must be configured as active, and one as passive. | `set firewall <dpd-uuid-firewall-port-arg> sync-rank <fw-primary-arg> sync-mode <fw-active-arg>` |
Configure NSX IDS Engine Fast Log. | `set ids engine alertlog <ids-eng-alertlog-arg>` |
Configure IDS Engine Fast Log. | `set ids engine fastlog <ids-eng-fastlog-arg>` |
Configure NSX IDS Engine Log Level. | `set ids engine logging-level <ids-eng-log-level-arg>` |
Sets the IDS logging level. | `set ids engine logging-level <ids-logging-level-arg>` |
Clear IDS Event Engine stats. | `set ids events stats clear` |
Configure NSX IDS Log Level. | `set ids logging-level <ids-log-level-arg>` |
Set TLS inspection logging level for all destinations. | `set tls-inspection logging-level <edge-service-logging-level-arg>` |
Set TLS inspection logging level for a destination. | `set tls-inspection logging-level <edge-service-logging-level-arg> destination <dest-arg>` |
Start firewall synchronization for the logical router interface. Synchronization happens automatically, but you can optionally start a bulk sync to more quickly synchronize a new or restarted standby router. The sync must be started from the primary router. | `start firewall <dpd-uuid-firewall-port-arg> bulk-sync` |
Stop firewall bulk synchronization for the logical router interface. | `stop firewall <dpd-uuid-firewall-port-arg> bulk-sync` |