Watchguard tcp dump options

About TCP Dump Argumentlogo-small

When you run the TCP dump task, you must specify the interface on which to run the task. You an also include expressions in the task arguments to filter for specific traffic.

To specify the interface, you include the -i argument and the interface name and number.

For example:

– i eth1 — Physical interface #1

-i ath1 — Wireless interface #1

-i br1 — Bridge interface #1

-i la1 — Link aggregation interface #1

To build an expression to filter the traffic from the interface you specify, you can use any of the standard TCP dump keywords and operators. Some of the common keywords and operators are:

host — Only include traffic to or from the specified host IP address.

net — Only show traffic to or from the IP addresses in the specified subnet. For example, for, type 10.0.1.

port — Only show traffic with either a source or destination of the specified port.

portrange — Only show traffic from the specified range of ports.

ip proto — Only show traffic from the specified protocol. For example, for ESP packets, type 50.

src or dst — Use with the keywords host or port to specify the source or destination.

tcp or udp — Use with the keywords port or portrange to specify the protocol.

and / or — Use to combine expressions.

For a complete list of the available keywords, see the PCAP-Filter manpage at

Examples of TCP dump arguments:

-i eth1 host and dst port 80
Show only traffic on interface eth1, to or from with destination port 80.

-i eth0 tcp port 25
Show only traffic on interface eth0, to or from TCP port 25.

-i vlan1024
Show only traffic tagged with VLAN 1024.

-i eth0 udp port 500 or ip proto 50
Show all UDP port 500 or ESP packets for the eth0 interface.

-i eth2 src and dst
Show all traffic from to on the eth2 interface.

Hits: 1827

HP A-Series comware cli

enter config mode:

show running-config:
disp cur

set ntp:
ntp-service enable
ntp-service unicast-peer

check ntp:
disp ntp-service stat

Clock status: synchronized
Clock stratum: 5
System peer:
Local mode: sym_active
Reference clock ID:
Leap indicator: 00
Clock jitter: 0.000198 s
Stability: 0.000 pps
Clock precision: 2^-17
Root delay: 6.37817 ms
Root dispersion: 6.54602 ms
Reference time: db84e749.fba8a28a Thu, Sep 15 2016 9:24:25.983

save config:
s s f (save safely force)

show saved-config:
disp sav

exit terminal:


more examples here

Hits: 123

Factory Reset M-series

To reset a Firebox M200 or M300 to factory-default settings:Openlogo-small

Hits: 931

Recommended Watchguard Firecluster IP addresses

logo-smallSelect IP Addresses for Cluster Interfaces

We recommend you make a table with the network addresses you plan to use for the cluster interfaces and interface for management IP address. To avoid conflict with routeable IP addresses, we recommend you allocate a dedicated private subnet to each cluster interface, or use link-local IP addresses that begin with 169.254. If you use link-local IP addresses, you might find it useful to define your cluster interface IP addresses like this:

169.254.<interface number>.<member number>/24 

The FireCluster setup wizard asks you to configure these settings individually for each cluster member. If you plan the interfaces and IP addresses in advance, it is easier to configure these interfaces with the wizard. For example, your table could look something like this:

Interface # and IP addresses for a FireCluster
Interface # IP address for Member 1 IP address for Member 2
Primary cluster interface 5
Backup cluster interface 6
Management interface 1

Hits: 190

Watchguard XTM HTTPS Deep Inspection with Active Directory

On the XTM:

Create FW CSR via Firebox Sytem Manager, use type Proxy Authority

On the Domain Controller:

– Upgrade DC Cert authority to issue sha-256 certs link

– Export root and intermediate certs type Base64

– Import FW CSR via http://DC-ip/certsrv, type subordinate ca

– Export FW Cert type Base64

On the XTM:

– First import root then intermediate certs type IPSEC, Web Server, Other

– Then import FW Cert type Proxy Authority


Create https proxy policy in Policy Manager

Content Inspection: Enable deep inspection, do not Allow SSLv3, action inspect

Domain Names: None matched: Inspect

Test to find out if the firewall issues the right certs in your browser:















Hits: 117


DNS Lookup using DIGdigging-a-hole

Here is how you do DNS lookups from your *nix host…

Host record:

$ dig +noall +answer

; <<>> DiG 9.8.3-P1 <<>> +noall +answer

;; global options: +cmd 1315 IN A


Reverse lookup:

$ dig -x +noall +answer

; <<>> DiG 9.8.3-P1 <<>> -x +noall +answer

;; global options: +cmd 3599 IN PTR 3599 IN PTR


All records:

$ dig -t ANY +noall +answer

;; Truncated, retrying in TCP mode.

; <<>> DiG 9.8.3-P1 <<>> -t ANY +noall +answer

;; global options: +cmd 3599 IN A 3599 IN NS 3599 IN NS 3599 IN NS 3599 IN SOA 2016102504 10800 3600 604800 3600 3599 IN MX 10 3599 IN TXT “v=spf1 a mx ip4: ?all” 3599 IN NSEC3PARAM 1 0 10 BEEF


Mail records only:

$ dig -t MX +noall +answer

; <<>> DiG 9.8.3-P1 <<>> -t MX +noall +answer

;; global options: +cmd 3599 IN MX 10


Use specific nameserver:

$ dig @ +noall +answer

; <<>> DiG 9.8.3-P1 <<>> @ +noall +answer

; (1 server found)

;; global options: +cmd 3599 IN A



Hits: 9

Let's use bash shortcuts

Command Editing Shortcuts

  • Ctrl + a – go to the start of the command line
  • Ctrl + e – go to the end of the command line
  • Ctrl + k – delete from cursor to the end of the command line
  • Ctrl + u – delete from cursor to the start of the command line
  • Ctrl + w – delete from cursor to start of word (i.e. delete backwards one word)
  • Ctrl + y – paste word or text that was cut using one of the deletion shortcuts (such as the one above) after the cursor
  • Ctrl + xx – move between start of command line and current cursor position (and back again)
  • Alt + b – move backward one word (or go to start of word the cursor is currently on)
  • Alt + f – move forward one word (or go to end of word the cursor is currently on)
  • Alt + d – delete to end of word starting at cursor (whole word if cursor is at the beginning of word)
  • Alt + c – capitalize to end of word starting at cursor (whole word if cursor is at the beginning of word)
  • Alt + u – make uppercase from cursor to end of word
  • Alt + l – make lowercase from cursor to end of word
  • Alt + t – swap current word with previous
  • Ctrl + f – move forward one character
  • Ctrl + b – move backward one character
  • Ctrl + d – delete character under the cursor
  • Ctrl + h – delete character before the cursor
  • Ctrl + t – swap character under cursor with the previous one

Hits: 7