NSX CLI Guide
Associated Commands:
| CLI Description | Command |
|---|---|
| Clear IDS Engine Event stats. | `clear edgeids events stats` |
| Delete all TLS inspection cached certificates. | `clear tls-inspection cached-certificates` |
| Delete TLS inspection cached certificates. | `clear tls-inspection cached-certificates <certificate-id-string-arg>` |
| Clear all TLS inspection error stats. | `clear tls-inspection errors` |
| Clear all TLS inspection traffic stats. | `clear tls-inspection traffic-stats` |
| Get IDS Event Engine config stats. | `get edgeids event-config stats` |
| Get IDS Engine Event stats. | `get edgeids events stats` |
| Display the specified firewall address set for the logical router interface. | `get firewall <dpd-uuid-firewall-port-arg> addrset name <string-arg>` |
| Display all the firewall address sets for the logical router interface. | `get firewall <dpd-uuid-firewall-port-arg> addrset sets` |
| Display the specified firewall attribute set for the logical router interface. | `get firewall <dpd-uuid-firewall-port-arg> attrset name <string-arg>` |
| Display all the firewall attribute sets for the logical router interface. | `get firewall <dpd-uuid-firewall-port-arg> attrset sets` |
| Display the firewall connections on the specified logical router interface. | `get firewall <dpd-uuid-firewall-port-arg> connection` |
| Display the firewall connection count. | `get firewall <dpd-uuid-firewall-port-arg> connection count` |
| Display the firewall connections on the specified logical router interface. | `get firewall <dpd-uuid-firewall-port-arg> connection raw` |
| Display the state of the firewall connections. | `get firewall <dpd-uuid-firewall-port-arg> connection state` |
| Display firewall interface statistics for the specified logical router interface. | `get firewall <dpd-uuid-firewall-port-arg> interface stats` |
| Display the active/standby configuration for the firewall on the specified logical router interface. | `get firewall <dpd-uuid-firewall-port-arg> sync config` |
| Display the firewall synchronization statistics. | `get firewall <dpd-uuid-firewall-port-arg> sync stats` |
| Display the fixed timeouts for connection events. | `get firewall <dpd-uuid-firewall-port-arg> timeouts` |
| Display specific firewall L7 profile information on given Logical Router UUID. | `get firewall <dpd-uuid-lrouter-port-arg> l7-profile <uuid-string-arg>` |
| Display specific firewall L7 profile entry stats information on given Logical Router UUID. | `get firewall <dpd-uuid-lrouter-port-arg> l7-profile <uuid-string-arg> stats` |
| Display all firewall L7 profiles information on given Logical Router UUID. | `get firewall <dpd-uuid-lrouter-port-arg> l7-profiles` |
| Display all firewall L7 profile entry stats information on given Logical Router UUID. | `get firewall <dpd-uuid-lrouter-port-arg> l7-profiles stats` |
| Display IKE policy for the specified logical router interface. | `get firewall <uuid> ike policy [<rule-id>]` |
| Display firewall rules with expanded address sets for the specified logical router interface. | `get firewall <uuid> ruleset [type <rule-type>] rules [<ruleset-detail>]` |
| Display firewall rule statistics for the specified logical router interface. | `get firewall <uuid> ruleset [type <rule-type>] stats` |
| Display firewall address sets. | `get firewall <vif-uuid-arg> addrsets` |
| Display firewall fqdn attribute of profiles. | `get firewall <vif-uuid-arg> fqdn` |
| Display firewall attribute profiles. | `get firewall <vif-uuid-arg> profile` |
| Display firewall rules. | `get firewall <vif-uuid-arg> ruleset rules` |
| Display the logical router or switch interfaces which have firewall rules. | `get firewall [logical-switch <uuid>] interfaces` |
| Display firewall addresses for the specified address set. | `get firewall addrset name <uuid-arg>` |
| Display firewall address sets for the available virtual interface. | `get firewall addrset sets` |
| Display the state of the firewall connections in the VRF context. | `get firewall connection state` |
| Display firewall fqdn attribute of profiles. | `get firewall context-profile <context-profile-id-arg> fqdn` |
| Display firewall fqdn attribute of profiles. | `get firewall context-profiles` |
| Display firewall exclude interfaces. | `get firewall exclude` |
| Display the firewall exclusion list under manager mode; for exclusion list members under policy mode, please use the API for now. | `get firewall exclude-list` |
| Display firewall exclusions. | `get firewall exclusion` |
| Display firewall interface statistics for the specified logical router interface in the VRF context. | `get firewall interface stats` |
| Display the logical router or switch interfaces which have firewall rules. | `get firewall interfaces` |
| Display sync configuration for logical router interfaces with firewall rules. | `get firewall interfaces sync` |
| Display firewall ipfix containers. | `get firewall ipfix-containers` |
| Display firewall ipfix filters. | `get firewall ipfix-filters` |
| Display firewall ipfix profile configuration. | `get firewall ipfix-profiles` |
| Display firewall ipfix statistics. | `get firewall ipfix-stats` |
| Display specific firewall L7 profile information based on UUID. | `get firewall l7-profile <uuid-string-arg>` |
| Display specific firewall L7 profile entry stats information based on UUID. | `get firewall l7-profile <uuid-string-arg> stats` |
| Display all firewall L7 profiles information. | `get firewall l7-profiles` |
| Display all firewall L7 profile entry stats information. | `get firewall l7-profiles stats` |
| Display the contents of the DFW packet log file. | `get firewall packetlog` |
| Display last lines of the DFW packet log file. | `get firewall packetlog last <line-count-arg>` |
| Display firewall rule statistics. | `get firewall rule-stats` |
| Display total firewall rule statistics. | `get firewall rule-stats total` |
| Display the summary of firewall rules. | `get firewall rules` |
| Display the firewall status. | `get firewall status` |
| Display the firewall summary. | `get firewall summary` |
| Display the active/standby configuration for the firewall on the specified logical router interface. | `get firewall sync config` |
| Display the firewall synchronization statistics in the VRF context. | `get firewall sync stats` |
| Display firewall threshold alarms. | `get firewall threshold-alarms` |
| Display firewall thresholds. | `get firewall thresholds` |
| Display firewall VIFs. | `get firewall vifs` |
| Display firewall vsipioctl fqdn entries with no debug. | `get firewall vsipioctl <vsip_commands> [<vsip_param>]` |
| Display NSX IDS Engine Fast Log setting. | `get ids engine alertlog` |
| Display IDS Engine Fast Log setting. | `get ids engine fastlog` |
| Displays all IDS global stats. | `get ids engine global stats` |
| Displays the IDS logging level. | `get ids engine logging-level` |
| Display NSX IDS Engine Log Level. | `get ids engine logging-level` |
| Displays the IDS profiles. | `get ids engine profiles` |
| Display NSX IDS Engine Profiles. | `get ids engine profiles` |
| Displays the IDS profiles for the specified signature. | `get ids engine profiles signature <ids-sig-id-arg>` |
| Display NSX IDS Engine Profile statistics. | `get ids engine profilestats <profile-id>` |
| Display NSX IDS Engine Profile status. | `get ids engine profilestatus <profile-id>` |
| Display NSX IDS Engine Rules. | `get ids engine rules` |
| Get Signature Action for a particular RuleID, ProfileID, SignID. | `get ids engine signaction <rule-id> <profile-id> <sign-id>` |
| Checks for membership and action for a signature-profile pair. | `get ids engine signature <ids-sig-id-arg> profile <context-profile-id-arg> membership` |
| Display NSX IDS Engine global statistics. | `get ids engine stats` |
| Displays the IDS Enable/Disable Status. | `get ids engine status` |
| Display NSX IDS Engine Status. | `get ids engine status` |
| Get IDS Event Engine stats. | `get ids events stats` |
| Display NSX IDS Log Level. | `get ids logging-level` |
| Display NSX IDS Profiles. | `get ids profiles` |
| Display NSX IDS Rules. | `get ids rules` |
| Display NSX IDS Status. | `get ids status` |
| Display information about Service Insertion. | `get service-insertion` |
| Display information about Service Insertion. | `get service-insertion <dpd-uuid-service-insertion-arg>` |
| Display information about NS Service Insertion BFD control status. | `get service-insertion bfd-ctrl` |
| Display information about Service Insertion flow programming table. | `get service-insertion flow-prog-table` |
| Display information about Service Insertion failed SPI. | `get service-insertion spi-fail-table` |
| Display information about EW Service Insertion VRF to interface mapping. | `get service-insertion vrf-to-intf` |
| Display spoof guard config for a host switch and dvport. | `get spoof-guard config <hs-name-arg> <dvport-id-arg>` |
| Displays Spoof Guard config for a logical port. | `get spoof-guard config <logical-port>` |
| Display spoof guard stats for a host switch and dvport. | `get spoof-guard stats <hs-name-arg> <dvport-id-arg>` |
| Displays Spoof Guard stats for a logical port. | `get spoof-guard stats <logical-port>` |
| Display spoof guard whitelist for a host switch and dvport. | `get spoof-guard whitelist <hs-name-arg> <dvport-id-arg>` |
| Displays Spoof Guard whitelist for a logical port. | `get spoof-guard whitelist <logical-port>` |
| Display TLS inspection information. | `get tls-inspection` |
| Display TLS inspection action profile details. | `get tls-inspection action-profile <uuid-string-arg>` |
| Display TLS inspection action profile information. | `get tls-inspection action-profiles` |
| Display TLS inspection bypassed sites and the reason. | `get tls-inspection bypassed-sites lr-uuid <uuid>` |
| Display TLS inspection bypassed sites and the reason. | `get tls-inspection bypassed-sites sr-uuid <uuid>` |
| Display TLS inspection CA bundle details. | `get tls-inspection ca-bundle <uuid-string-arg>` |
| Display TLS inspection CA bundle information. | `get tls-inspection ca-bundles` |
| Show TLS Inspection Cached Certificate Details. | `get tls-inspection cached-certificate <certificate-id-string-arg>` |
| Display TLS inspection cached certificates. | `get tls-inspection cached-certificates` |
| Show TLS Inspection Certificate Details. | `get tls-inspection certificate <tls-certificate-id-arg>` |
| Display TLS inspection CRL information. | `get tls-inspection crls` |
| Display revoked certs of a TLS inspection CRL matching a serial number. | `get tls-inspection crls <crl-uuid> certificate-serial-number <certificate-serial-number>` |
| Display revoked certs of a TLS inspection CRL of an issuer. | `get tls-inspection crls <crl-uuid> issuer <issuer-SHA256>` |
| Display the revoked cert of a TLS inspection CRL that matches the issuer hash and serial number. | `get tls-inspection crls <crl-uuid> issuer <issuer-SHA256> certificate-serial-number <certificate-serial-number>` |
| Display the revoked cert of a TLS inspection CRL that matches the public key hash. | `get tls-inspection crls <crl-uuid> public-key-hash <public-key-hash>` |
| Display the revoked cert of a TLS inspection CRL that matches the subject SHA256 hash. | `get tls-inspection crls <crl-uuid> subject <subject-SHA256>` |
| Display the revoked cert of a TLS inspection CRL that matches the subject and public key hash. | `get tls-inspection crls <crl-uuid> subject <subject-SHA256> public-key-hash <public-key-hash>` |
| Display revoked certs of a TLS inspection CRL. | `get tls-inspection crls <uuid-string-arg>` |
| Display TLS inspection global error stats associated with the routers. | `get tls-inspection errors` |
| Display TLS inspection error stats associated with the routers. | `get tls-inspection errors lr-uuid <uuid>` |
| Display TLS inspection error stats associated with the routers. | `get tls-inspection errors sr-uuid <uuid>` |
| Display TLS inspection logging levels. | `get tls-inspection logging-level` |
| Display TLS inspection rule stats associated with the routers. | `get tls-inspection rule-stats <lr-uuid\|sr-uuid>` |
| Display TLS inspection rule stats associated with the routers. | `get tls-inspection rule-stats <lr-uuid\|sr-uuid> [<rule-id>]` |
| Display TLS inspection rules brief associated with the routers. | `get tls-inspection rules brief <lr-uuid\|sr-uuid>` |
| Display TLS inspection rules brief associated with the routers. | `get tls-inspection rules brief <lr-uuid\|sr-uuid> [<rule-id>]` |
| Display TLS inspection status information. | `get tls-inspection status` |
| Display TLS inspection traffic stats associated with the routers. | `get tls-inspection traffic-stats lr-uuid <uuid>` |
| Display TLS inspection traffic stats associated with the routers. | `get tls-inspection traffic-stats sr-uuid <uuid>` |
| Display reputation and category info about URL. | `get url-classification <url-string-arg>` |
| Set the peer configuration for active/standby configuration. This configuration happens automatically when firewall rules are added to an active/standby logical router via the NSX Manager web interface or API. This command should be used for advanced configuration or troubleshooting only. If you manually configure the active/standby peer on an edge node, you must also configure its peer. | `set firewall <dpd-uuid-firewall-port-arg> local-ip <ip-address> sync-peer <nsxa-uuid-lrouter-port-arg> sync-peer-ip <ip-address>` |
| Set the firewall synchronization mode for active/standby configuration. This configuration happens automatically when firewall rules are added to an active/standby logical router via the NSX Manager web interface or API. This command should be used for advanced configuration or troubleshooting only. If you manually configure the active/standby sync, you must correctly configure both edge nodes in the active/standby configuration. One node must be configured as primary and one as secondary. One node must be configured as active, and one as passive. | `set firewall <dpd-uuid-firewall-port-arg> sync-rank <fw-primary-arg> sync-mode <fw-active-arg>` |
| Configure NSX IDS Engine Fast Log. | `set ids engine alertlog <ids-eng-alertlog-arg>` |
| Configure IDS Engine Fast Log. | `set ids engine fastlog <ids-eng-fastlog-arg>` |
| Configure NSX IDS Engine Log Level. | `set ids engine logging-level <ids-eng-log-level-arg>` |
| Sets the IDS logging level. | `set ids engine logging-level <ids-logging-level-arg>` |
| Clear IDS Event Engine stats. | `set ids events stats clear` |
| Configure NSX IDS Log Level. | `set ids logging-level <ids-log-level-arg>` |
| Set TLS inspection logging level for all destinations. | `set tls-inspection logging-level <edge-service-logging-level-arg>` |
| Set TLS inspection logging level for a destination. | `set tls-inspection logging-level <edge-service-logging-level-arg> destination <dest-arg>` |
| Start firewall synchronization for the logical router interface. Synchronization happens automatically, but you can optionally start a bulk sync to more quickly synchronize a new or restarted standby router. The sync must be started from the primary router. | `start firewall <dpd-uuid-firewall-port-arg> bulk-sync` |
| Stop firewall bulk synchronization for the logical router interface. | `stop firewall <dpd-uuid-firewall-port-arg> bulk-sync` |