🔐 Credentials: stored in Vaultwarden/Bitwarden. Only references are kept here.
get system status
get hardware nic
diagnose sys top 5 3
Log & Report → Forward Traffic.
show firewall policy
show firewall vip
show firewall ippool
# General status
get vpn ipsec status
diagnose vpn tunnel list
# IKE debugging (enable → reproduce → disable)
diagnose debug reset
diagnose debug application ike -1
diagnose debug enable
# ...
diagnose debug disable
Monitor → SSL-VPN.
get router info routing-table all
diagnose sniffer packet any 'host <IP> and (udp port 500 or 4500)' 4 0 a
# TFTP
execute backup config tftp <HOSTNAME>.conf <IP_TFTP>
# SCP (if enabled)
execute backup config scp <USER>@<HOST>:/ruta/<HOSTNAME>.conf <PASSWORD_OPCIONAL>
Also upload the file to the customer's page (Firewall → Archivos).
# Flow trace to find the policy applied to a flow
diagnose debug flow filter addr <SRC_OR_DST_IP>
diagnose debug flow show function-name enable
# Debug output must be enabled or the trace prints nothing
diagnose debug enable
diagnose debug flow trace start 200
# ...
diagnose debug flow trace stop
diagnose debug disable
exec ping-options and execute ping.
config firewall address
edit IOC-<IP>
set subnet <IP> 255.255.255.255
next
end
config firewall policy
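# edit 0 creates a new policy at the end of the list; policies match top-down,
# so move it above any allow policy that would match first (move <id> before <id>)
edit 0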
set name "Block IOC"
set srcintf "lan"
set dstintf "wan1"
set srcaddr "all"
set dstaddr "IOC-<IP>"
set action deny
set schedule always
set service ALL
next
end
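
The IOC block above, generalized to a list of addresses, as an added example that is not part of the original cheat sheet: a Python helper that validates each IOC and emits the IOC-<IP> address objects, one address group and a single deny policy. The function name, the group name IOC-BLOCKLIST, the internal-range filter and `set logtraffic all` are assumptions of this example; the sample addresses are constructed.

```python
import ipaddress

# Ranges that should never appear as a WAN-side IOC; a hit usually means a typo.
INTERNAL = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4")]

def build_ioc_block(iocs, group="IOC-BLOCKLIST", srcintf="lan", dstintf="wan1",
                    with_policy=True):
    """Return (fortios_cli_text, rejected) for a list of IOC IPv4 strings."""
    accepted, rejected = [], []
    for raw in iocs:
        try:
            ip = ipaddress.IPv4Address(raw.strip())
        except ValueError:
            rejected.append((raw, "not an IPv4 address"))
            continue
        if any(ip in net for net in INTERNAL):
            rejected.append((raw, "internal or reserved range"))
        elif ip not in accepted:          # drop duplicates, keep input order
            accepted.append(ip)
    if not accepted:
        return "", rejected
    out = ["config firewall address"]
    for ip in accepted:                   # same IOC-<IP> /32 objects as the page
        out += [f'edit "IOC-{ip}"', f"set subnet {ip} 255.255.255.255", "next"]
    members = " ".join(f'"IOC-{ip}"' for ip in accepted)
    # "set member" replaces the group's contents with this run's list.
    out += ["end", "config firewall addrgrp", f'edit "{group}"',
            f"set member {members}", "next", "end"]
    if with_policy:                       # emit once: "edit 0" always creates a new policy
        out += ["config firewall policy", "edit 0", 'set name "Block IOC"',
                f'set srcintf "{srcintf}"', f'set dstintf "{dstintf}"',
                'set srcaddr "all"', f'set dstaddr "{group}"', "set action deny",
                "set schedule always", "set service ALL", "set logtraffic all",
                "next", "end"]
    return "\n".join(out) + "\n", rejected

if __name__ == "__main__":
    # Constructed sample input: documentation ranges plus two bad entries.
    sample = ["203.0.113.10", "198.51.100.7", "203.0.113.10",
              "192.168.1.1", "evil.example"]
    cli, bad = build_ioc_block(sample)
    print(cli)
    for value, reason in bad:
        print(f"# skipped {value}: {reason}")
```

On later runs call it with with_policy=False so only the objects and the group are refreshed; the deny policy already references the group.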