Airshell Common Commands

For Airwall Gateways that have a console port, you can deploy and configure the Airwall Gateway with the Airshell (airsh) command-line interface. You can deploy & configure an Airwall Gateway directly without going into diagnostic mode.

Connect a computer to the console port on the back of the Airwall Gateway or Conductor hardware, and use a terminal (macOS, Linux) or terminal emulator (Windows) to open the console. See the platform guide for your Airwall Gateway for specific connection instructions.

At the console:

  • v2.2.8 and later: log in with name: airsh, and no password
  • v2.2.5 and earlier: log in with name: airsh, and password: airsh.

You can then enter commands at the airsh» prompt.

For the full reference of command-line commands, see Airshell Command Line.

No Default Password in v2.2.8 and later

Starting with v2.2.8, the Airshell console default login has no default password. If you are concerned about securing physical access to Airshell, set a password by entering conf password and following the prompts to set and confirm a new password. Keep this password in a secure location, as it cannot be recovered. This password is only for Airshell physical console access and is not used when you access Airshell remotely.

CAUTION: If this password is lost, you will need to do a factory reset to clear the password.

Common Airwall Gateway Commands

help [command]
Show help for the specified command.
help treeghe
List available commands. Use help tree to list available commands with their options.
Open the setup wizard to set up an Airwall Gateway. See Configure an Airwall Gateway with the airsh Setup Wizard.
conf network
v2.2.10 and later – Configure port groups, see Configure Port Groups with Airshell. For example: to modify port group (pg) 2 with an IP of, enter:
conf net modify pg=2 ip=

v2.2.8 and earlier – Set up static IP addresses.

conf net list

Display a list of port groups and their configured options.

Test network connectivity
See Airwall status:
  • Hostname – Shows the Airwall Gateway's identity used when it connects to the Conductor. You use this name to confirm the provisioning request from the Airwall Gateway.
  • HIT – The Host Identity Tag is a hash of the Airwall Gateway's Host Identity, the public key identifier. This IPv6-like identifier is used for secure communication.
  • LSI –The Local Scoped Identifier is a shortened IPv4 version of the HIT, used for secure communication.
  • Device cert. – Present indicates the presence of a device certificate, which means the Airwall Gateway has been provisioned by the Conductor.
  • Device key – Present indicates the presence of the device identity private key.
  • Keystore – Indicates where the device identity private key is stored: TPM, Operating System, or file-based keystore.
  • Annunciator – Displays the status of the annunciator. On some models this affects LEDs and/or LCD display.
  • Run mode – Indicates the mode the Airwall Gateway is running in:
    • Protected – Normal operation mode.
    • Transparent – Running with non-encrypted bridging.
    • Diagnostic – In diagnostic mode.
    • Factory reset – In factory reset mode.
    • HA primary/secondary/active – Indicates the High Availability role of the Airwall Gateway.
  • Conductor – See status of the connection to the Conductor. For more details, see status conductor below.
  • IP address – Shows the active IP addresses for this Airwall Gateway. An IP address displayed in green indicates it has been selected as active.
status conductor
Shows the status of the Airwall Edge Service's connection to the Conductor. Disconnected indicates the Airwall Edge Service is not connected to the Conductor.
Note: For Airwall Agents and Servers that support it, if Disconnected mode is On, you can still access resources on the Airwall secure network, and your Airwall Agent or Server will reconnect at intervals for configuration and trust policy updates. If you want to reconnect manually, use conductor sync.
conductor set
Set or remove a Conductor IP address or URL and port (optional). For example: conductor set my-conductor.tempered or just conductor set to remove.
conductor sync
If an Airwall Agent or Server is set to Disconnected mode on the Conductor, this command manually reconnects to retrieve any changes to configuration or trust policies. In Disconnected mode, you can still access resources on the Airwall secure network. See Sync an Airwall Agent or Server in Disconnected Mode.
Put the Airwall Gateway in diagnostic mode
Reset Airwall Gateway back to factory default settings. If you want to preserve the network configuration, use the keep-networking option:
airsh>> factory-reset keep-networking
exit or quit
Exit Airshell
See the history of commands entered into Airshell. Enter history clear to delete history.
color on|off
Turn on or off color on the text output from the serial console.
Restart the Airwall Gateway.
Shut down the Airwall Gateway.