Airshell (airsh) Command Reference

You can deploy and configure Airwall Gateways that have a console port, and Linux Airwall Servers, with the Airshell (airsh) command-line interface. It provides tab completion, inline help, and the ability to deploy and configure directly without going into diagnostic mode.

Get started

Connect a computer to the console port on the back of the Airwall or Conductor hardware, and use a terminal (macOS, Linux) or terminal emulator (Windows) to open the console. See the platform guide for your Airwall for specific connection instructions.

To access Airwall Gateways with airsh remotely, see Set up Remote Access to Airshell via SSH.

At the console:
  • v2.2.8 and later: log in with name: airsh, and no password
  • v2.2.5 and earlier: log in with name: airsh, and password: airsh.
You can then enter commands at the airsh» prompt.
Advantech Note: To configure an Advantech machine, you can put it into diagnostic mode. See Put an Airwall Gateway into diagnostic mode.

No Default Password in v2.2.8 and later

Starting with v2.2.8, the Airshell console default login has no default password. If you are concerned about securing physical access to Airshell, set a password by entering conf password and following the prompts to set and confirm a new password. Keep this password in a secure location, as it cannot be recovered. This password is only for Airshell physical console access and is not used when you access Airshell remotely.

CAUTION: If this password is lost, you will need to do a factory reset to clear the password.
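
The console login rules above can be checked across a fleet. The following is an added example, not part of the Airwall documentation or product: it classifies devices by firmware version and by whether a custom console password has been recorded. The inventory layout, device names, and the custom_password field are assumptions.

```python
import re

def parse_version(text):
    """Turn 'v2.2.8' or '2.2.10' into a comparable tuple such as (2, 2, 8)."""
    match = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not match:
        raise ValueError(f"unrecognized firmware version: {text!r}")
    return tuple(int(part) for part in match.groups())

def console_finding(firmware, custom_password):
    """Classify the physical-console login state of one device.

    custom_password is an assumed inventory field: True when an operator
    recorded setting their own console password (for example with conf password).
    """
    version = parse_version(firmware)  # tuples compare numerically: 2.2.10 > 2.2.8
    if custom_password:
        return "ok"
    if version >= (2, 2, 8):
        return "no-password"        # default login has no password
    if version <= (2, 2, 5):
        return "default-password"   # default login uses the documented password
    return "unknown"                # the page states no default for these versions

def audit(inventory):
    """Return {device name: finding} for every device that needs attention."""
    findings = {}
    for device in inventory:
        result = console_finding(device["firmware"], device["custom_password"])
        if result != "ok":
            findings[device["name"]] = result
    return findings

# Constructed sample inventory; names and fields are hypothetical.
SAMPLE_INVENTORY = [
    {"name": "gw-plant-01", "firmware": "v2.2.10", "custom_password": False},
    {"name": "gw-plant-02", "firmware": "v2.2.10", "custom_password": True},
    {"name": "gw-lab-07", "firmware": "2.2.3", "custom_password": False},
    {"name": "gw-lab-08", "firmware": "2.2.6", "custom_password": False},
]

if __name__ == "__main__":
    for name, finding in audit(SAMPLE_INVENTORY).items():
        print(f"{name}: {finding}")
```

Devices reported as no-password or default-password are candidates for conf password if physical console access is a concern.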

Common Commands

help [command]
Show help for the specified command.
help [tree]
List available commands. Use help tree to list available commands with their options.
setup-ui
Open the setup wizard to set up an Airwall Gateway. See Configure an Airwall Gateway with the airsh Setup Wizard.
conf network
v2.2.10 and later – Configure port groups, see Configure Port Groups with Airshell. For example: to modify port group (pg) 2 with an IP of 192.168.1.1/24, enter:
conf net modify pg=2 ip=192.168.1.1/24

v2.2.8 and earlier – Set up static IP addresses.

conf net list

Display a list of port groups and their configured options.

ping
Test network connectivity
status
See Airwall status:
  • Hostname – Shows the Airwall Gateway's identity used when it connects to the Conductor. You use this name to confirm the provisioning request from the Airwall Gateway.
  • HIT – The Host Identity Tag is a hash of the Airwall Gateway's Host Identity, the public key identifier. This IPv6-like identifier is used for secure communication.
  • LSI – The Local Scoped Identifier is a shortened IPv4 version of the HIT, used for secure communication.
  • Device cert. – Present indicates the presence of a device certificate, which means the Airwall Gateway has been provisioned by the Conductor.
  • Device key – Present indicates the presence of the device identity private key.
  • Keystore – Indicates where the device identity private key is stored: TPM, Operating System, or file-based keystore.
  • Annunciator – Displays the status of the annunciator. On some models this affects LEDs and/or LCD display.
  • Run mode – Indicates the mode the Airwall Gateway is running in:
    • Protected – Normal operation mode.
    • Transparent – Running with non-encrypted bridging.
    • Diagnostic – In diagnostic mode.
    • Factory reset – In factory reset mode.
    • HA primary/secondary/active – Indicates the High Availability role of the Airwall Gateway.
  • Conductor – See status of the connection to the Conductor. For more details, see status conductor below.
  • IP address – Shows the active IP addresses for this Airwall Gateway. An IP address displayed in green indicates it has been selected as active.
status conductor
Shows the status of the Airwall Edge Service's connection to the Conductor. Disconnected indicates the Airwall Edge Service is not connected to the Conductor.
Note: For Airwall Agents and Servers that support it, if Disconnected mode is On, you can still access resources on the Airwall secure network, and your Airwall Agent or Server will reconnect at intervals for configuration and trust policy updates. If you want to reconnect manually, use conductor sync.
conductor set
Set or remove a Conductor IP address or URL and port (optional). For example: conductor set my-conductor.tempered or just conductor set to remove.
conductor sync
If an Airwall Agent or Server is set to Disconnected mode on the Conductor, this command manually reconnects to retrieve any changes to configuration or trust policies. In Disconnected mode, you can still access resources on the Airwall secure network. See Syncing an Airwall Agent or Server in disconnected mode.
diag
Put the Airwall Gateway in diagnostic mode
factory-reset [keep-networking|clear-identity]
Reset Airwall Gateway back to factory default settings.
  • Use the keep-networking option to preserve the network configuration.
  • Use clear-identity to remove the device identity and licensing, and to re-license the Airwall Gateway.
If you want to preserve the network configuration, use the keep-networking option:
airsh» factory-reset keep-networking
exit or quit
Exit Airshell
history
See the history of commands entered into Airshell. Enter history clear to delete history.
color on|off
Turn on or off color on the text output from the serial console.
reboot
Restart the Airwall Gateway.
shutdown
Shut down the Airwall Gateway.

Configuration Commands

activate [activation_code]
Activate a profile, and optionally, enter an activation code to connect an Airwall Gateway to the Conductor. For example:
airsh» activate 8z130f85eed9
Entering an activation code means the Airwall Edge Service can connect to the Conductor without an administrator needing to provision it.
conf
Configure an Airwall Gateway or Conductor. You can configure these settings:
  • conf conductor URL|IP_address – Set Conductor URL. Same as conductor set above.
  • conf name – prior to provisioning, configure the Airwall name shown in the Conductor.
  • conf cell [apn=auto|<apn>] [carrier=auto|<carrier>] [mode=3g|4g][pin=<code>][auth=none|pap|chap|both] [user=<user>] [pw=<password>][ip-type=<default,ipv4,ipv6,ipv4v6>] [roaming=<0|1>] – Get or set cellular modem configuration. Supported cellular carriers are: "AT&T", "Bell", "GCI", "Generic", "Rogers", "T-Mobile", "Telus", "VTel", and "Verizon". See also – U.S. Cellular Carrier Certifications
    • When you set the carrier to “auto”, the Airwall Gateway looks up the operator ID from the SIM card.
    • If your carrier name is not listed, use “Generic”.
    • When you set the APN to “auto”, the Airwall Gateway uses a default APN from the detected or specified carrier, or you can specify the APN provided to you.
  • conf cell2 [apn=auto|<apn>] [carrier=auto|<carrier>] [mode=3g|4g][pin=<code>][auth=none|pap|chap|both] [user=<user>] [pw=<password>][ip-type=<default,ipv4,ipv6,ipv4v6>] [roaming=<0|1>] – Get or set second cellular modem configuration.
  • conf network
    v2.2.10 and later – Configure port groups, see Configure Port Groups with Airshell. For example: to modify port group (pg) 2 with an IP of 192.168.1.1/24, enter:
    conf net modify pg=2 ip=192.168.1.1/24

    v2.2.8 and earlier – Set up static IP addresses.

  • conf password [delete] – Set (or delete) the password for the current Airshell user. Use conf password delete to remove the password. (conf password delete is not available remotely.)
  • conf ssh on|off|status – Enable, disable, or see the status of remote log in through SSH. See Set up Remote Access to Airshell via SSH for full details.
  • conf ssh-key add ssh_public_key – Add or remove public SSH keys you use to log in remotely. See Set up Remote Access to Airshell via SSH for full details.
  • conf ssh-key remove – Remove the public SSH key you use to log in remotely. See Set up Remote Access to Airshell via SSH for full details.
  • conf wifi – On Wi-Fi-enabled Airwall Gateways, walks you through the steps to configure a Wi-Fi connection.
setup-ui
v2.2.10 and later – Open the setup wizard to set up an Airwall Gateway. See Configure an Airwall Gateway with the airsh Setup Wizard.

Diagnostic commands

conductor ping
Checks name resolution and performs TLS connection attempt with every configured Conductor URI.
conductor status
Show Conductor settings and status.
conductor set
Set or remove a Conductor IP address or URL and port (optional). For example: conductor set my-conductor.tempered or just conductor set to remove.
diag
Put the Airwall Gateway in diag mode.
diag_report
Get a diagnostic report.
firmware-upgrade
Update the Airwall Gateway firmware from a file hosted on a reachable file server.
network-restart
Restart the network interfaces on the Airwall Gateway.
nmap [overlay_port_group] [Scan Type(s)] [Options] {target specification}
Map your network for discovery or security audits. For more information, see Do network discovery and security audits in Airshell (nmap).
policy [ -v | clear]
Show HIP policy information. Only valid on Airwall Edge Services.
  • -v – Show additional columns.
  • clear – Clear HIP policy cache.

Here are the columns in the output:

  • PGID = Ingress port group ID
  • IP SRC/DST = source/destination IP address
  • AGE = seconds since last matching packet
  • Additional columns shown with -v:
    • PEER_HIT – HIT of incoming (ingress) peer
    • MAC SRC/DST – source/destination Ethernet address
    • VLAN = 802.1Q VLAN ID
    • ETH = EtherType
    • PKTS = Total packets
    • BYTES = Total bytes (including Ethernet headers)

Actions:

  • TX_PG <id> = Transmit to port group.
  • TX_LSI <hit> = Transmit to peer.
  • DROP = Drop due to policy.

ping IP_address [-I interface ]
Ping the IP address, optionally with the interface specified with -I.
rpc
Send a JSON-RPC message.
time
Query or set the time.
table [TABLE] [ --OPTION=ARG[,ARG]... | KEY=VALUE ]...
Query a status table. These tables show the real-time internal state of Airwall Gateways and a Conductor. All of these tables are included when you run a diagnostic report. For more information and all options, see Airshell table command.

Common Options:

  • --select COL[,COL]... – Display only the specified columns.

KEY=VALUE

Allows you to filter the results by a value in one of the columns of the table. KEY is the column name, and VALUE is the value to filter on. For example, to return only rows with the value of ESTABLISHED in the state column, enter:
table hip_assoc state=ESTABLISHED 

TABLE

These are the available tables. For descriptions, see Airshell table command.

Conductor tables:

file_descriptors, m2_connections, m2_denied, m2_allowed, map_connection

Airwall Gateway tables:

file_descriptors, map_connection, hip_proto, hip_assoc_events,
policy_engine, encrypt_engine, decrypt_engine, reader, writer, io_worker, 
worker, decrypt_sadb, encrypt_sadb, hip_assoc, peers, jet_ip4_relay, jet_engine

Status Commands

license
Display open source license information
log [follow | status [hip|ebm2]hep]
Show the latest lines of the system log, or rate limiting details.
  • follow – Follow the log output until you quit with CTRL+C
  • status [hip|ebm2] – Show rate limiting details for HIP or ebm2 traffic.
status [<option>]
Display the status of the Airwall Gateway, including the installed cellular firmware package. With an option, displays the status of one of the following:
  • cell – Get Cellular information
  • conductor – Get the status of connection to the Conductor
  • dnscache [flush | flush <pattern>] – For Airwall Gateways, dumps or flushes the entire DNS cache, or specific entries. For example, flush dnscache example.com or flush dnscache *.example.net
  • hip – Get HIP state
  • hipvars – Get additional HIP state
  • linkmanager – Get Linkmanager status.
  • macs – Get the MAC addresses for all of the network interfaces on this Airwall Gateway.
  • network – Get network information
  • peers – Get a list of peer Airwall Edge Services
  • ps – Get the running processes on this Airwall Gateway.
  • relays – Get relay probe information
  • routes – Get routing tables
  • threads – Reports CPU and memory usage of threads of major services running on an Airwall secure network.
  • tunnels – Get a list of tunnels on this Airwall Gateway
  • wifi – Get Wi-Fi information