HP TippingPoint Next Generation Firewall Series CLI Reference Guide


HP TippingPoint

Security Management System

CLI Reference

Version 4.0

Abstract

This information describes HP TippingPoint Security Management System (SMS) high and low level commands, and contains information for using the SMS command line interface. This information is for system administrators, technicians, and maintenance personnel responsible for installing, configuring, and maintaining HP TippingPoint SMS appliances and associated devices.


Part Number: 5998-5015

August 2013

Legal and notice information

© Copyright 2011–2013 Hewlett-Packard Development Company, L.P.

Hewlett-Packard Company makes no warranty of any kind with regard to this material, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. Hewlett-Packard shall not be liable for errors contained herein or for incidental or consequential damages in connection with the furnishing, performance, or use of this material.

This document contains proprietary information, which is protected by copyright. No part of this document may be photocopied, reproduced, or translated into another language without the prior written consent of Hewlett-Packard. The information is provided “as is” without warranty of any kind and is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.

TippingPoint®, the TippingPoint logo, and Digital Vaccine® are registered trademarks of Hewlett-Packard. All other company and product names may be trademarks of their respective holders. All rights reserved. This document contains confidential information, trade secrets or both, which are the property of Hewlett-Packard. No part of this documentation may be reproduced in any form or by any means or used to make any derivative work (such as translation, transformation, or adaptation) without written permission from Hewlett-Packard or one of its subsidiaries.

UNIX® is a registered trademark of The Open Group.

Security Management System CLI Reference

Publication Part Number: 5998-5015

Product Part Number: JC679A

Table of Contents

About This Guide, page v
    Target Audience, page v
    Related Documentation, page v
    Document Conventions, page vi
        Typefaces, page vi
        Document Messages, page vii
    Customer Support, page viii
        Contact Information, page viii

1 Using the Command Line Interface, page 1
    Overview, page 1
    Usage, page 1
        Command Types, page 1
        Remote Paths, page 2
            FTP, page 2
            HTTP and HTTPS, page 3
            NFS, page 3
            SMB (Samba), page 3
    The help Command, page 3

2 SMS Command Reference, page 5
    clear, page 5
    cls, page 5
    console, page 5
    date, page 5
    delete, page 5
    diags, page 5
    dir, page 6
    dns, page 6
    exit, page 6
    factoryreset, page 6
    fips-mode, page 6
    ftp, page 7
    get, page 7
    help, page 7
    ifconfig, page 8
    ipconfig, page 8
    kbdcfg, page 8
    key, page 9
    list, page 9
    mgmtsettings, page 9
    monitor, page 9
    more, page 9
    nic, page 9
    nicsettings, page 10
    notify, page 10
    ntp, page 10
    password, page 10
    ping, page 11
    ping6, page 12
    quit, page 12
    reboot, page 12
    resolve, page 12
    restart, page 13
    reverse, page 13
    routes, page 13
    scp, page 13
    service-access, page 13
    set, page 14
    setup, page 14
    shutdown, page 14
    snmp, page 14
    snmp-request, page 15
    snmp-trap, page 15
    snmpget, page 16
    snmpwalk, page 16
    ssh, page 16
    time, page 16
    touch, page 17
    traceroute, page 17
    update, page 18
    users, page 18
    version, page 19
    vi, page 19
    view, page 20
    web, page 20
    who, page 20

3 SMS Attributes and Objects, page 21
    Attribute Types, page 21
    cli, page 21
    ctl, page 22
    db, page 23
    dns, page 24
    high availability, page 25
    health, page 26
    kbd, page 28
    license, page 29
    logs, page 30
    net, page 30
    ntp, page 32
    pkg, page 33
    pwd, page 35
    radius, page 36
    route, page 37
    route6, page 38
    smtp, page 38
    snmp, page 38
    svc, page 44
    sw, page 46
    sys, page 46
    time, page 46

List of Tables

About This Guide, page v

1 Using the Command Line Interface, page 1
    Table 1-1 - Help Commands, page 4

2 SMS Command Reference, page 5
    Table 2-1 - Help Options, page 8
    Table 2-2 - Security Levels, page 11
    Table 2-3 - ping Options, page 11
    Table 2-4 - ping6 Options, page 12
    Table 2-5 - traceroute Options, page 17
    Table 2-6 - vi Options, page 19

3 SMS Attributes and Objects, page 21
    Table 3-1 - CLI Attribute Types, page 21
    Table 3-2 - cli Attributes, page 21
    Table 3-3 - ctl Attributes, page 22
    Table 3-4 - db Attributes, page 23
    Table 3-5 - dns Attributes, page 24
    Table 3-6 - HA Attributes, page 25
    Table 3-7 - health Attributes, page 26
    Table 3-8 - kbd Attributes, page 28
    Table 3-9 - license Attributes, page 29
    Table 3-10 - logs Attributes, page 30
    Table 3-11 - net Attributes, page 31
    Table 3-12 - ntp Attributes, page 33
    Table 3-13 - pkg Attributes, page 34
    Table 3-14 - pwd Attributes, page 35
    Table 3-15 - radius Attributes, page 36
    Table 3-16 - route Attributes, page 37
    Table 3-17 - route6 Attributes, page 38
    Table 3-18 - smtp Attributes, page 38
    Table 3-19 - snmp-request Attributes, page 39
    Table 3-20 - snmp-trap Attributes, page 40
    Table 3-21 - svc Attributes, page 44
    Table 3-22 - sw Attributes, page 46
    Table 3-23 - sys Attributes, page 46
    Table 3-24 - time Attributes, page 47


About This Guide

The Security Management System CLI Reference provides information about using the SMS command line interface to configure the HP TippingPoint Security Management System (SMS). This guide includes an SMS command reference as well as reference information about attributes and objects used by the SMS.

This section covers the following topics:

Target Audience, page v

Related Documentation, page v

Document Conventions, page vi

Customer Support, page viii

Target Audience

The intended audience includes technicians and maintenance personnel responsible for installing, configuring, and maintaining HP TippingPoint security systems and associated hardware. Users should be familiar with networking concepts as well as the following standards and protocols:

• TCP/IP

• UDP

• ICMP

• Ethernet

• Simple Network Time Protocol (SNTP)

• Simple Mail Transfer Protocol (SMTP)

• Simple Network Management Protocol (SNMP)

Related Documentation

Access the documentation at http://www.hp.com/support/manuals. For the most recent updates for your products, check the HP Networking Support web site at http://www.hp.com/networking/support.


Document Conventions

This guide uses the following document conventions.

Typefaces, page vi

Document Messages, page vii

Typefaces

HP TippingPoint publications use the following typographic conventions for structuring information:

Document Typographic Conventions

Convention                      Element

Medium blue text                Cross-reference links and e-mail addresses.

Medium blue, underlined text    Website addresses.

Bold font                       • Key names.
                                • Text typed into a GUI element, such as into a box.
                                • GUI elements that are clicked or selected, such as menu and list items, buttons, and check boxes. Example: Click OK to accept.

Italics font                    Text emphasis, important terms, variables, and publication titles.

Monospace font                  • File and directory names.
                                • System output.
                                • Code.
                                • Text typed at the command-line.

Monospace, italic font          • Code variables.
                                • Command-line variables.

Monospace, bold font            Emphasis of file and directory names, system output, code, and text typed at the command line.


Document Messages

Document messages are special text that is emphasized by format and typeface. This guide contains the following types of messages:

• Warning

• Caution

• Note

• Tip

WARNING! Warning notes alert you to potential danger of bodily harm or other potential harmful consequences.

CAUTION: Caution notes provide information to help minimize risk, for example, when a failure to follow directions could result in damage to equipment or loss of data.

NOTE: Notes provide additional information to explain a concept or complete a task. Notes of specific importance in clarifying information or instructions are denoted as such.

IMPORTANT: Another type of note that provides clarifying information or specific instructions.

TIP: Tips provide helpful hints and shortcuts, such as suggestions about how you can perform a task more easily or more efficiently.


Customer Support

HP TippingPoint is committed to providing quality customer support to all customers. Each customer receives a customized support agreement that provides detailed support contact information. When you need technical support, refer to your support agreement or use the following information to contact Customer Support.

Before You Contact Support

For a quick and efficient resolution of your problem, take a moment to gather the following basic information before you contact HP TippingPoint customer support:

Information                      Find It Here...

Your customer number             Customer Support Agreement or the shipping invoice that came with the appliance.

SMS serial number                Bottom of the SMS server chassis, or use the SMS CLI key command.

SMS version number               In the SMS client, on the Admin screen, or in the Updates area of the SMS dashboard.

TOS version number               In the SMS client, on the Devices screen (an entry for each device).

DV Toolkit version number        In the SMS client, on the Profiles (DV Toolkit Packages) screen.

Managed device serial numbers    Local Security Manager Dashboard or the shipping invoice that came with the appliance.

Contact Information

For additional information or assistance, contact the HP Networking Support: http://www.hp.com/networking/support

Before contacting HP, collect the following information:

• Product model names and numbers

• Technical support registration number (if applicable)

• Product serial numbers

• Error messages

• Operating system type and revision level

• Detailed questions

Contact an HP Authorized Reseller

For the name of the nearest HP authorized reseller, see the contact HP worldwide website: http://www.hp.com/country/us/en/wwcontact.html


1 Using the Command Line Interface

The command line interface (CLI) can be used to configure many aspects of the SMS. It includes wizards, high level commands, and low level commands.

Overview

This chapter explains how to use the SMS CLI.

NOTE: To use the SMS CLI, you must be logged in with an account that has SuperUser rights.

This section includes the following topics:

• "Usage" on page 1

• "The help Command" on page 3

Usage

Most SMS commands consist of the following elements:

command — the name of the command you want to issue

object — the name of a collection of related attributes (attribs)

attrib — the name of a data variable or parameter on which you want to run the command

[=value] — optional syntax you can use with the set command and other writable commands to define the value of the attrib you specify. If you do not use this syntax, the system goes into interactive mode and prompts you for the value. See "Command Types" on page 1 for more information about interactive commands.

NOTE: To clear the value of any attribute, type a period (.) after the equal sign (=) or when prompted.

These elements are case-sensitive. You can use any of the following syntax forms to run an SMS command:

command

command object

command object.attrib

command object.attrib=value

Other SMS commands use a syntax similar to standard UNIX commands, as shown in the following example:

command -option value

Command Types

SMS commands are either read, write, or read and write. In addition, commands are either interactive, non-interactive, or might support both options.

• Interactive commands — automatically prompt you for attribute values if you use the appropriate syntax. Interactive commands also provide you with the current values of their attributes.

• Non-interactive commands — are either read-only or require you to specify the values you want to set.

For example, the get command is non-interactive because it is read-only. As another example, the date command is non-interactive. If you want to set the date, you must type date value.


Interactive Mode Syntax

You can use any of the following syntax options to initiate an interactive CLI command:

• command —

If you type the command name, the CLI prompts you to set values for all attribs associated with that command.

• command object —

If you specify the object of a particular command, the CLI prompts you to set values for all attribs associated with that object.

• command object.attrib —

If you specify an object and attribute of a particular command, the CLI prompts you to set the value of the attribute you specified.

Example

Following is an example of the set command in interactive mode. Items in bold are typed by the user. Items in brackets ([ ]) indicate the current value of the attribute specified.

Set All System Information Using Interactive Mode

1. Type the following command: set sys

The system returns prompts for information. Default values are listed in brackets. To use the default value, press Enter.

2. The system prompts you to set the value for the contact attribute:

System contact (sys.contact=[Customer Contact]) = Brit

3. Type a value for the location attribute and press Enter:

System location (sys.location=[First floor lab]) =

4. Type a value for the name attribute and press Enter:

System name (sys.name=[sms25]) =

5. The system returns the following confirmation message:

Result: Success

System contact (sys.contact ) = Brit

System location (sys.location ) = First floor lab

System name (sys.name ) = sms25

System serial number (sys.serialNum) = X-SMA-ST-SMS25-0001
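The syntax forms in "Usage" and the prompt format in the set sys example above are easy to get wrong when the CLI is driven from a script (for example through an expect-style session over the console) rather than typed by hand. The following Python helpers are an added example, not code from this guide or from HP: they classify a command line into the documented forms, say whether the CLI would drop into interactive mode, parse a prompt line back into its object.attrib name and bracketed current value, and apply the Enter-keeps and period-clears rules. The prompt transcript is constructed from the example above; the regular expressions and function names are this example's own assumptions about the prompt layout, not a documented interface.

```python
import re

# Interactive prompts in the guide look like:
#   System contact (sys.contact=[Customer Contact]) =
# Assumption of this example: label, object.attrib and bracketed current value
# always appear in that layout.
PROMPT_RE = re.compile(
    r"^(?P<label>.+?) \((?P<attrib>[A-Za-z0-9_]+\.[A-Za-z0-9_]+)=\[(?P<current>.*)\]\) =\s*$"
)

# Attribute-style syntax: command [object[.attrib][=value]]
# Note: commands such as 'date value' take a bare value; this regex reads it as
# an object name, so callers must know which commands use which style.
ATTRIB_SYNTAX_RE = re.compile(
    r"^(?P<cmd>\S+)(?:\s+(?P<obj>[A-Za-z0-9_-]+)(?:\.(?P<attr>[A-Za-z0-9_-]+))?(?:=(?P<val>.*))?)?$"
)

CLEAR_TOKEN = "."  # a lone period clears an attribute, at the prompt or after '='


def parse_command(line):
    """Classify one SMS command line into its elements.

    Returns a dict saying which form was used and whether the CLI would
    enter interactive mode (attribute syntax with no '=value').
    """
    line = line.strip()
    tokens = line.split()
    if len(tokens) > 1 and tokens[1].startswith("-"):
        # UNIX-style form: command -option value ...
        return {"command": tokens[0], "style": "unix", "args": tokens[1:],
                "interactive": False}
    m = ATTRIB_SYNTAX_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised SMS command syntax: {line!r}")
    cmd, obj, attr, val = m.group("cmd", "obj", "attr", "val")
    if val is None:
        # No '=value': the CLI prompts for every attrib in scope.
        scope = "attrib" if attr else "object" if obj else "all"
    else:
        scope = "none"
    return {"command": cmd, "style": "attrib", "object": obj, "attrib": attr,
            "value": None if val == CLEAR_TOKEN else val,
            "clear": val == CLEAR_TOKEN,
            "interactive": val is None, "prompt_scope": scope}


def parse_prompt(line):
    """Extract (object.attrib, current_value) from an interactive prompt line."""
    m = PROMPT_RE.match(line.rstrip("\n"))
    if not m:
        raise ValueError(f"not an SMS prompt: {line!r}")
    return m.group("attrib"), m.group("current")


def answer_prompt(current, typed):
    """Apply the documented rules: Enter keeps the current value, '.' clears it."""
    if typed == "":
        return current
    if typed == CLEAR_TOKEN:
        return None
    return typed


def run_interactive_set(prompt_lines, typed_answers):
    """Walk a captured prompt transcript and return the resulting attrib values.

    typed_answers maps object.attrib -> what the operator types; attribs not
    in the map are answered with Enter (keep the current value).
    """
    result = {}
    for line in prompt_lines:
        attrib, current = parse_prompt(line)
        result[attrib] = answer_prompt(current, typed_answers.get(attrib, ""))
    return result


# Constructed transcript, copied from the 'set sys' example in this chapter.
EXAMPLE_PROMPTS = [
    "System contact (sys.contact=[Customer Contact]) = ",
    "System location (sys.location=[First floor lab]) = ",
    "System name (sys.name=[sms25]) = ",
]

if __name__ == "__main__":
    print(parse_command("set sys.contact=Brit"))
    print(parse_command("set sys"))
    print(run_interactive_set(EXAMPLE_PROMPTS, {"sys.contact": "Brit"}))
```

Feeding the example transcript with only sys.contact answered reproduces the confirmation shown in step 5: contact becomes Brit and the other two attribs keep their bracketed defaults.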

Remote Paths

Several commands accept remote paths as input. The remote paths specify a resource on an external server that can be accessed by the SMS server. Remote files that can be specified as input to an operation may be accessed using the HTTP, HTTPS, FTP, NFS, or SMB (Samba) protocols.

Remote directories that are used for saving SMS-based files to a remote server can be accessed through the NFS or SMB protocols. Files are always mounted with read-only access. Directories are mounted read-only when possible.

Remote paths are specified as a single string value. The details for each protocol are listed in the following sections. In each example, items in italics are variables. When using the path syntax, you must replace them with the appropriate values for your paths. Items in brackets ([ ]) are optional.

FTP

You can use the following formats for the FTP protocol:

• Complete specification: ftp://[username:password@]server[:port]/directory/filename

• Anonymous FTP: ftp://server/directory/filename

• Specifying a user name and password: ftp://username:password@server/directory/filename

• FTP Examples: ftp://10.11.12.13/pub/sms-0.0-0.500.pkg

ftp://steve:password@10.11.12.13/pub/sms-0.0-0.500.pkg

2 Using the Command Line Interface

HTTP and HTTPS

You can use the following format for the HTTP and HTTPS protocols:

• Complete specification: http://[username:password@]server[:port]/directory/filename

or https://[username:password@]server[:port]/directory/filename

• HTTP Example: http://www.servername.com:8000/files/sms-0.0-0.500.pkg

NFS

You can use the following formats for the NFS protocol:

• Remote directory specification—server:/exportedDirectory

• Remote file specification—server:/exportedDirectory/filename

• NFS Example: nfsserver.domain.com:/public/upgrades/sms-0.0-0.500.pkg

SMB (Samba)

You can use the following formats for the SMB protocol:

• Remote file specification:

//server/sharename/directory/filename

• Complete specification:

//server/sharename[/directory][/filename] [-o option-list]

Options can be provided to the SMB mount operation by appending them to the end of the mount point value, and using a space character to separate the values. Options might include the username, password, and workgroup. Options can be joined together using a comma as a separator.

• SMB Example:

//winbox/pub/sms.pkg -o workgroup=mydomn,username=steve,password=ps111
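The formats above carry the credentials inside the path string itself (the username:password@ part of a URL, or the username= and password= items in the SMB option list), so the password ends up in CLI history and in anything that logs the command. The following Python is an added example and is not part of the HP documentation or the SMS software: it splits each of the documented formats into its parts, flags paths that embed a password or use a clear-text protocol, and masks the password for display. The class and function names are this example's own, and the sample paths are constructed from the formats above with placeholder passwords ("secret", "ps111").

```python
import re
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import unquote, urlsplit


@dataclass
class RemotePath:
    """One parsed SMS remote path (field names are this example's own)."""
    protocol: str                     # ftp, http, https, nfs or smb
    server: str
    path: str                         # the /directory[/filename] part
    port: Optional[int] = None
    username: Optional[str] = None
    password: Optional[str] = None
    share: Optional[str] = None       # SMB only
    options: dict = field(default_factory=dict)   # SMB -o option-list


def parse_remote_path(value: str) -> RemotePath:
    """Split a remote path string into its components.

    Accepts the documented shapes: ftp://, http://, https://,
    server:/export[/file] (NFS) and //server/share[...] [-o opts] (SMB).
    Anything else raises ValueError instead of being guessed at.
    """
    value = value.strip()
    if value.lower().startswith(("ftp://", "http://", "https://")):
        u = urlsplit(value)
        if not u.hostname or not u.path:
            raise ValueError("URL form needs a server and a /directory/filename")
        return RemotePath(protocol=u.scheme.lower(), server=u.hostname, path=u.path,
                          port=u.port,
                          username=unquote(u.username) if u.username else None,
                          password=unquote(u.password) if u.password else None)
    if value.startswith("//"):
        # SMB: //server/sharename[/directory][/filename] [-o option-list]
        spec, _, opt_text = value.partition(" -o ")
        parts = spec[2:].split("/")
        if len(parts) < 2 or not parts[0] or not parts[1]:
            raise ValueError("SMB form needs //server/sharename")
        options = {}
        for item in filter(None, opt_text.split(",")):
            key, _, val = item.partition("=")
            options[key.strip()] = val.strip()
        return RemotePath(protocol="smb", server=parts[0], share=parts[1],
                          path="/" + "/".join(parts[2:]),
                          username=options.get("username"),
                          password=options.get("password"), options=options)
    m = re.fullmatch(r"([^/:\s]+):(/\S*)", value)
    if m:
        return RemotePath(protocol="nfs", server=m.group(1), path=m.group(2))
    raise ValueError(f"unrecognised remote path: {value!r}")


# user:password@ in a URL, and password=... in an SMB option list
_URL_PASSWORD = re.compile(r"^(\w+://[^:/@\s]+:)[^@/\s]*@")
_SMB_PASSWORD = re.compile(r"(password=)[^,\s]*")


def redact_credentials(value: str) -> str:
    """Mask an inline password so the path can be logged or displayed safely."""
    value = _URL_PASSWORD.sub(r"\1***@", value)
    return _SMB_PASSWORD.sub(r"\1***", value)


def credential_warnings(rp: RemotePath) -> list:
    """Return the reasons a practitioner should think twice about this path."""
    warnings = []
    if rp.password is not None:
        warnings.append("password is embedded in the path string and will be kept "
                        "in CLI history and in any log that records the command")
    if rp.protocol in ("ftp", "http") and rp.username:
        warnings.append(f"{rp.protocol} transmits the user name and password in the clear")
    return warnings


if __name__ == "__main__":
    # Constructed sample paths following the formats documented above.
    for sample in ("ftp://steve:secret@10.11.12.13/pub/sms-0.0-0.500.pkg",
                   "http://www.servername.com:8000/files/sms-0.0-0.500.pkg",
                   "nfsserver.domain.com:/public/upgrades/sms-0.0-0.500.pkg",
                   "//winbox/pub/sms.pkg -o workgroup=mydomn,username=steve,password=ps111"):
        parsed = parse_remote_path(sample)
        print(redact_credentials(sample), "->", parsed.protocol, parsed.server, parsed.path)
        for w in credential_warnings(parsed):
            print("   warning:", w)
```

The SMB branch accepts the whole -o option-list, so a path written exactly like the SMB example above parses with share pub, file /sms.pkg and the three options as a dictionary, and the password found there is reported the same way as one embedded in an FTP URL. Where a transfer can be done with scp (which prompts for the password) or with anonymous FTP from a host you control, the warnings do not apply.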

The help Command

The help command returns documentation about the specified command, object, or attribute.

Syntax

help
help --full
help --attribs
help object.attrib
help --cmds
help cmd
help --objs
help object
help --background
help background
help --topic
help topic

Description

The help command is a non-interactive, read command that returns documentation about a command, object, or attribute that you specify.

NOTE: In the help command syntax, you can use the question mark (?) interchangeably with the word "help." For example, you could type the following to view documentation about all commands:

? --cmds

Security Management System CLI Reference 3

Objects and Attributes

The following objects and attributes can be used with the help command:

Table 1-1 Help Commands

Command            Description
help --full        Lists all commands, objects, and attributes
help --attribs     Lists all attributes
help --objs        Lists all objects, or collections of attributes
help --cmds        Lists all commands
help --background  Lists background topics

Example

To see documentation about the sys object, type help sys. The system returns the following results:

sys: System information
System information can be viewed and updated using the "sys" object.
Read-write: name, contact, location
Read-only: serialNum


2 SMS Command Reference

This chapter describes the SMS commands and the options available for each command.

NOTE: To use the SMS CLI, you must be logged in with an account that has SuperUser rights.

clear

Clears the screen.

Usage clear

Aliases cls

cls

Clears the screen.

Usage cls

Aliases clear

console

The console command shows a list of messages that have been sent to the console since the last reboot.

Usage console

date

Displays and sets the system time. Without a parameter, date returns the current system date and time. The parameter allows a new date to be specified.

Usage date [MMDDhhmm[[CC]YY][.ss]]

Related Objects time

delete

Deletes user files. User files are archived and exported files generated from the database contents.

Usage delete file [...]

Related Commands dir, view, vi

diags

Runs diagnostic tests and checks system health. The --force option runs diagnostics without prompting for confirmation. Tests are run for the system, database, network, TMC, and password, and the status of each is reported. For TMC, the connection to the TMC and to the package server is tested.


Usage diags [--force]

dir

Returns a listing of files contained in the user directory.

Usage dir

Related Commands delete, view, vi

dns

The dns command interactively prompts for the DNS (Domain Name System) settings used to resolve host names to IP addresses. To clear server values, use a period (.). The dns object contains the default domain name, the DNS search list, and the DNS server information.

Usage dns

Related Commands nic, ntp

Related Objects dns

exit

Closes the session.

Usage exit

Aliases quit, Ctrl-D

factoryreset

This interactive command resets the system to the factory defaults. The SMS version is not changed; however, all other system settings are restored to the factory defaults and all data is lost. You MUST reboot the SMS for this command to complete.

The factoryreset command also resets the system's network settings. You cannot access the system over the network after the reboot completes. VGA console or serial port access is required to reconfigure networking.

Usage factoryreset

Related Command setup

fips-mode

Used to configure the SMS into one of three levels of FIPS operation:

• Disabled – When placed into this mode, no additional FIPS compliance actions/restrictions are activated in the SMS.

• Crypto – When the SMS is placed into Crypto mode, the SSH terminal negotiates connections using only FIPS 140-2 approved algorithms. This mode affects only the SSH terminal connections to the SMS.

• Full – When placed into this mode, the SMS functions in a manner compliant with the FIPS 140-2 publication specified by the National Institute of Standards and Technology. The SMS automatically reboots when placed into full FIPS mode or when full FIPS mode is disabled.

Usage fips-mode

Caveats

Full FIPS mode is not available for vSMS. Transitioning the SMS to operate in Full FIPS mode implements changes to core elements of the SMS server, reboots the SMS, and requires you to upload a new SMS key package. A transition to Full FIPS mode does the following:

• Deletes all SMS users.

• Removes all SMS backup and device snapshots stored on the SMS server.

• Deletes all custom responder actions.

• Regenerates SSH server and HTTPS web security keys.

For more information about FIPS mode, see the SMS User Guide.

ftp

The FTP (File Transfer Protocol) client is used to move files to and from the user directory for the SMS server.

The contents of the user directory can be listed with the dir command. Files can be viewed with the view command, and deleted with the delete command.

Usage ftp [hostName|hostAddress]

After starting the ftp client, issue the command lcd /tmp.

Caveats

The dir/delete/view commands all operate over the contents of the user directory (/tmp). The cd or change-directory command is disabled from the shell for reasons of security. In order for the ftp program to see, and have access to the contents of the user directory, it is important to first change the local directory with the command lcd /tmp. After this point, files can be copied both to and from the SMS server.

Related Commands dir, view, delete, vi

get

Retrieves the value of one or more attribs or a list of attribs contained within an object.

Usage get <attrib|object> [...]

The get command can use any read-write or read-only attribute. See ” SMS Attributes and Objects ” on page 21 for a list of attribs.

Related Commands list, set

help

Returns background information on various topics and command syntax.

Usage help [--full | --attribs | --cmds | --objs | --background | topic]

Alias

?

Table 2-1 Help Options

Option        Description
--full        Lists all commands, objects and attribs.
--attribs     Lists all attribs.
--objs        Lists all objects (collections of attribs).
--cmds        Lists all commands (default).
--background  Lists background topics.

ifconfig

Displays the network settings for the box. ifconfig is an alias for the command get net, which displays the values of the attribs contained in the net object. To change the values, use the set net command. See ” net ” on page 30.

Usage ifconfig

Aliases get net, ipconfig

Related Objects net

ipconfig

Displays the network settings for the box. ipconfig is an alias for the command get net, which displays the values of the attribs contained in the net object. To change the values, use the set net command. See ” net ” on page 30.

Usage ipconfig

Aliases get net, ifconfig

Related Objects net

kbdcfg

Loads the kernel keymap for the console. This is useful if the console is using a non-QWERTY keyboard.

This command leads you through the configuration of a new keyboard layout.

WARNING!

Do not use this option if you are using a standard QWERTY keyboard. Setting your keyboard layout to a value with which you are not familiar could render your system inaccessible.

See Also kbd.layout (attrib)


key

The key command is used to update the license key for the server.

Usage key

Aliases license

Related Objects license

list

Lists the objects or the attribs contained in an object.

Usage list [object | object.attrib] [...]

If no arguments are specified, list will return all defined objects. If an object is specified, list will return all attribs contained within the object. If an attribute is specified, list will confirm the attribute by listing the attribute in the response.

Related Objects

See ” SMS Attributes and Objects ” on page 21 for a list of objects and attribs you can use with the list

command.

See Also get, set

mgmtsettings

The host management options provide prompts to configure IPv4 and IPv6 management addresses, along with the DNS server.

Usage mgmtsettings

Related Objects net

monitor

Shows utilization and uptime information every 5 seconds (by default).

Usage monitor [delay] where delay is the number of seconds between polls.

Related Objects health

more

Command to list output one screen at a time.

nic

Ethernet 10/100/1000Mbps interface management. Interactively prompts for configuration of the SMS server network settings. The bottom-most (NIC1) is enabled by default and is the recommended connection to the management network.


Usage nic

Related Commands dns, ntp

nicsettings

Interactive command that prompts you for the SMS NIC configuration settings. It is available through the CLI and the OBE. If you want to change any of the NIC settings individually, the SMS provides options for setting auto-negotiation, port speed, and duplex mode.

Example sms110 SMS=> nicsettings

The Ethernet NIC used for the network management interface is configurable. Please verify the port configuration of the network device that this SMS is connected to before making changes. These values may be changed at a later time with the 'set net' command.

Host autoneg: yes

Host speed: 1000

System duplex: full

Enter: [A]ccept, [C]hange, or [E]xit without saving? <[A],C,E>:

Related Objects net

notify

The notify command is used to manage the SMS notification service. The command interactively prompts for SMTP e-mail addresses and SNMPv1 traps to a remote trap server.

Usage notify

Related Objects smtp, snmp

Related Commands snmp

ntp

The ntp command is used to manage the NTP (Network Time Protocol) client that synchronizes the SMS server time with a list of specified servers. NTP is enabled by default and is configured with a list of Stratum 1 servers available on the Internet. The list of servers can be customized to installation requirements. The SMS server can also act as an NTP server for your devices. The agent can be disabled, but the server cannot. To clear server values, use a period (.).

Usage ntp

Related Objects svc

Related Commands snmp

password

Changes the password for the current user.


The security level determines the restrictions applied to user names and passwords. The default setting is Level 2. The levels are as follows:

Table 2-2 Security Levels

Level    Description
Level 0  User names cannot contain spaces. Passwords are unrestricted.
Level 1  User names must be at least 6 characters long, without spaces. Passwords must be at least 8 characters long.
Level 2  Passwords must meet the Level 1 restrictions and the following:
         • Must contain at least two alphabetic characters.
         • Must contain at least one numeric character.
         • Must contain at least one non-alphanumeric character (examples include ! ? $ * #).

NOTE: Do not use spaces in the password.

Usage password
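The three levels in Table 2-2 can be checked offline before an account is created with the users command, which avoids discovering at the prompt that a chosen password is rejected. The following Python is an added example, not HP code: the function names and the wording of the returned messages are this example's own. It treats the note about spaces in passwords as a Level 1 and Level 2 rule, because the table states that Level 0 passwords are unrestricted.

```python
def check_credentials(username: str, password: str, level: int = 2) -> list:
    """Return the rules the pair violates at the given level ([] means accepted).

    level 0, 1 or 2 as in Table 2-2; the SMS default is 2.
    """
    if level not in (0, 1, 2):
        raise ValueError("level must be 0, 1 or 2")
    problems = []
    # Level 0: user names cannot contain spaces; passwords are otherwise unrestricted.
    if any(c.isspace() for c in username):
        problems.append("user name contains whitespace")
    if level >= 1:
        # Level 1 adds the minimum lengths.
        if len(username) < 6:
            problems.append("user name shorter than 6 characters")
        if len(password) < 8:
            problems.append("password shorter than 8 characters")
        # The note under the table: no spaces in the password. Applied from
        # Level 1 up in this example, since Level 0 passwords are unrestricted.
        if any(c.isspace() for c in password):
            problems.append("password contains whitespace")
    if level >= 2:
        # Level 2 adds the character-class rules on top of Level 1.
        if sum(c.isalpha() for c in password) < 2:
            problems.append("password needs at least two alphabetic characters")
        if not any(c.isdigit() for c in password):
            problems.append("password needs at least one numeric character")
        if not any(not c.isalnum() and not c.isspace() for c in password):
            problems.append("password needs at least one non-alphanumeric character")
    return problems


def strongest_level(username: str, password: str) -> int:
    """Highest security level at which the pair is accepted, or -1 if none."""
    best = -1
    for level in (0, 1, 2):
        if check_credentials(username, password, level):
            break
        best = level
    return best


if __name__ == "__main__":
    # Constructed sample pairs; none of these are real accounts.
    for user, pw in (("operator", "Tr0ub4dor!"), ("bob", "short"), ("operator", "letmeinplease")):
        print(user, "accepted up to level", strongest_level(user, pw),
              "; at level 2:", check_credentials(user, pw, 2) or "ok")
```

Running the block with the constructed pairs shows the expected behaviour: a name of at least six characters with a ten-character password containing letters, a digit and punctuation is accepted at Level 2, while a long all-letter password stops at Level 1 because it lacks the numeric and non-alphanumeric characters.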

ping

Checks network connectivity by sending an ICMP echo request to the specified destination, and then checking for an echoed response.

Usage ping [-options] hostNameOrAddress

Table 2-3 ping Options

Option         Description
-c count       Stop after sending count packets.
-i wait        Wait wait seconds between sending each packet. The default is to wait for one second between each packet.
-n             Numeric output only. No attempt will be made to look up symbolic names for host addresses.
-q             Quiet output. Nothing is displayed except the summary lines at startup time and when finished.
-r             Bypass the normal routing tables and send directly to a host on an attached network. If the host is not on a directly-attached network, an error is returned. This option can be used to ping a local host through an interface that has no route through it.
-s packetsize  Specifies the number of data bytes to be sent. The default is 56, which translates into 64 ICMP data bytes when combined with the 8 bytes of ICMP header data.
-v             Verbose output.


ping6

Checks network connectivity by sending an ICMP echo request to the specified IPv6 destination, and then checking for an echoed response.

Usage ping6 [-options] hostNameOrAddress

Table 2-4 ping6 Options

Option         Description
-c count       Stop after sending count packets.
-I interface   Specifies the interface; for example, eth0.
-i wait        Wait wait seconds between sending each packet. The default is to wait for one second between each packet.
-n             Numeric output only. No attempt will be made to look up symbolic names for host addresses.
-q             Quiet output. Nothing is displayed except the summary lines at startup time and when finished.
-r             Bypass the normal routing tables and send directly to a host on an attached network. If the host is not on a directly-attached network, an error is returned. This option can be used to ping a local host through an interface that has no route through it.
-s packetsize  Specifies the number of data bytes to be sent. The default is 56, which translates into 64 ICMP data bytes when combined with the 8 bytes of ICMP header data.
-v             Verbose output.

quit

Closes the session.

Usage quit

Aliases exit, Ctrl-D

reboot

Reboot the system. The --force option will reboot the system without prompting for confirmation. The cancel option aborts an in-progress reboot.

Usage reboot [--force] [cancel]

resolve

Resolves a hostname to an IP address using the DNS settings. If the name cannot be resolved, it is returned as-is.

Usage resolve <hostname>


See Also reverse

restart

Restarts the network stack. The --force option restarts the network stack without a confirmation prompt.

Usage restart [--force]

reverse

Performs a reverse-lookup on an IP address or a relative hostname using the DNS settings. If the value cannot be resolved, it is returned as-is.

Usage reverse <ip-address|hostname>

See Also resolve

routes

Route options allow static routes to be added or deleted for the network management interface.

Usage routes

See Also nic (cmd), net (object)

NOTE: Whether or not static route entries are included in routing tables depends on several topology factors. These include network specificity, metrics, and whether the next hop IP is on the associated interface. Other routing types, redistributions, and firewall rules also impact static route entries in the routing tables.

scp

Secure Copy is a remote file copy program that allows a file to be securely copied to or from the SMS CLI.

The scp command is only supported when run from the CLI.

Usage scp

To copy a file using scp, you must supply values to the following prompts:

Enter file transfer mode [G]et or [P]ut <G,[P]>:

Enter scp server IP address or host name:

Enter fully qualified remote file name:

Enter local directory or file name: [/]:

Enter login id:

Enter password:

See Also logs (object), delete (cmd), dir (cmd)

service-access

Enables or disables service access to the SMS. When service access is enabled, the SMS version, serial number, and salt are displayed.

Usage service-access


See Also pwd (object)

set

Assigns values to one or more attribs or to a list of attribs contained within an object. The list may be one or more attribute names, object names, or attrib=value pairs. To accept the current or default value, press Enter. To clear a String or IP Address value, enter a period (.) and then press Enter.

The set command can use any read-write or write-only attribute. See ” SMS Attributes and Objects ” on page 21 for more information.

Usage set <attrib|object|attrib=value> [...]

Related Commands list, get

setup

Initial setup wizard for providing essential configuration settings for the SMS server. Non-essential values can be configured with other commands.

The setup command is automatically invoked with the first CLI login session. It is repeated with each new login session until the entire setup procedure is completed. To repeat the procedure, execute the setup command at any time. The setup procedure prompts you to enter the following information:

• Network type (IPv4 default): IPv[4], IPv[6], or [B]oth <4,6,B>

• Management IPv4 Address

• Network Mask

• IPv4 Default Gateway (optional)

• Management IPv6 Address

• IPv6 Default Route (optional)

• DNS Server-1 (optional)

Usage setup

shutdown

Shuts down and powers off the system. To restart the system, physically press the POWER button on the front of the unit. The --force option shuts down the system without prompting for confirmation. The cancel option aborts an in-progress shutdown operation.

Usage shutdown [--force] [cancel]

snmp

The snmp command is used to manage the SNMP (Simple Network Management Protocol) values.

Usage snmp


snmp-request

The snmp-request command is used to manage the SNMP (Simple Network Management Protocol) request agent. When enabled, the SMS agent responds to the SNMP system request. This command prompts you to enable the SNMP request agent and enter the following information:

Enter the SNMP version: V[2], V[3], or [B]oth <2,3,[B]>:

Enter community string []:

Enter User Name []:

Enter Auth Protocol (None, MD5, or SHA): []:

Enter Auth Key: ********************************

Confirm Key: ********************************

Enter Privacy Protocol (None, AES-128, AES-192, AES-256, DES or Triple_DES): []:

Enter Priv Key: ********************************

Confirm Key: ********************************

Version: Both

Community String:

User Name:

Auth Protocol:

Privacy Protocol:

Usage snmp-request

See Also snmp, snmp-trap

snmp-trap

The snmp-trap command is used to manage the SNMP (Simple Network Management Protocol) traps. The SMS sends SNMP traps to NMS destinations. This command prompts you to enable configuration for an NMS trap destination and enter the following information:

Commands: [A]dd [D]elete [V]ersion [C]ommunity [P]ort [E]ngine

[U]ser Au[T]hProto Auth[K]ey P[R]ivProto Pr[I]vKey

[L]ist [?]help [Q]uit

Command? <A,D,V,C,P,E,U,T,K,R,I,[L],?,Q>: a

Add=> Enter trap destination address []: 192.168.1.1

Add=> Enter SNMP version: v[2] or v[3] <2,3>: 3

Add=> Enter port number [162]:

Add=> Enter Engine ID []:

Add=> Enter User Name []:

Enter Auth Protocol (None, MD5, or SHA): []:

Enter Auth Key: ********************************

Add=> Confirm Key: ********************************

Enter Privacy Protocol (None, AES-128, AES-192, AES-256, DES or Triple_DES): []:

Enter Priv Key: ********************************

Add=> Confirm Key: ********************************

IP Address: 192.168.1.1

Version: v3

Port: 162

Engine ID:

User Name:

Auth Protocol:

Privacy Protocol:

Usage snmp-trap


See Also snmp, snmp-request

snmpget

snmpget will request a single OID from the specified agent.

Usage snmpget hostNameOrAddress communityName OID

Example (IPv6) snmpget -v 2c -c public udp6:[fc01:a63:1:0:214:22ff:fe1e:1d87] system.sysName.0

Example (IPv4) snmpget -v 2c -c public 10.99.1.110 system.sysName.0

See Also snmpwalk

snmpwalk

snmpwalk traverses the SNMP MIB of the agent running at the specified address. If the OID is not provided, the walk begins at the first OID; if the community name is not provided, the walk uses public; and if hostNameOrAddress is not provided, the walk uses localhost.

Usage snmpwalk [hostNameOrAddress [communityName [OID]]]

Example (IPv6) snmpwalk -v 2c -c public udp6:[fc01:a63:1:0:214:22ff:fe1e:1d87] system

Example (IPv4) snmpwalk -v 2c -c public 10.99.1.110 system

Example (SNMPv3) snmpwalk -v 3 -u user -l authPriv -a SHA -A authKey -x AES -X privKey 192.168.1.1 system

See Also snmpget

ssh

The ssh command enables the user to log into a remote machine and execute remote commands from within the SMS CLI. The communications between two hosts is encrypted and secure.

For more information, refer to external ssh documentation, such as the UNIX man pages.

Usage ssh [-1246AaCfgKkMNnqsTtVvXxYyZ] [-b bind_address] [-c cipher_spec] [-D [bind_address:]port] [-e escape_char] [-F configfile] [-i identity_file] [-L [bind_address:]port:host:hostport] [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port] [-R [bind_address:]port:host:hostport] [-S ctl_path] [-w local_tun[:remote_tun]] [user@]hostname [command]

time

The time command runs the specified program command with the given arguments. When the command finishes, time writes a message to standard output giving timing statistics about this program run. These statistics consist of the elapsed real time between invocation and termination, the user CPU time, and the system CPU time.

For information about the time object, see ” time ” on page 46.

Usage time <command> [arguments...]


touch

Creates user files, which are archived files generated from database content.

Usage touch file [...]

See Also delete, dir, view, vi

traceroute

This program attempts to trace the route an IP packet would follow to a remote host by launching UDP probe packets with a small ttl (time to live) then listening for an ICMP time exceeded reply from a gateway.

Probes start with a ttl of one and increase by one until we get an ICMP port unreachable (which means we got to the host) or hit a max (which defaults to 30 hops and can be changed with the -m flag). Three probes (change with the -q flag) are sent at each ttl setting and a line is printed showing the ttl, address of the gateway and round trip time of each probe. If the probe answers come from different gateways, the address of each responding system is printed. If there is no response within a five second timeout interval (changed with the -w flag), an asterisk (*) is printed for that probe.

For IPv4 (-4 flag) or IPv6 (-6 flag) tracerouting can be forced using the appropriate flag. By default, the program tries to resolve the name given and automatically choose the appropriate protocol. If resolving a host name returns both IPv4 and IPv6 addresses, traceroute uses IPv4.

Usage traceroute [-dFInrvx] [-f first_ttl] [-g gateway] [-i iface] [-m max_ttl] [-p port] [-q queries] [-s src_addr] [-t tos] [-w waittime] [-z pausemsecs] host

Table 2-5 traceroute Options

Option         Description
-4             Force IPv4 tracerouting.
-6             Force IPv6 tracerouting.
-f first_ttl   Set the initial time-to-live used in the first outgoing probe packet.
-F             Set the don't fragment bit.
-d             Enable socket level debugging.
-g gateway     Specify a loose source route gateway (8 maximum).
-i iface       Specify a network interface to obtain the source IP address for outgoing probe packets. This is normally only useful on a multi-homed host. (See the -s flag for another way to do this.)
-I             Use ICMP ECHO instead of UDP datagrams.
-m max_ttl     Set the max time-to-live (max number of hops) used in outgoing probe packets. The default is 30 hops (the same default used for TCP connections).
-n             Print hop addresses numerically rather than symbolically and numerically (saves a nameserver address-to-name lookup for each gateway found on the path).
-p port        Set the base UDP port number used in probes (default is 33434). Traceroute hopes that nothing is listening on UDP ports base to base + nhops - 1 at the destination host (so an ICMP PORT_UNREACHABLE message will be returned to terminate the route tracing). If something is listening on a port in the default range, this option can be used to pick an unused port range.
-r             Bypass the normal routing tables and send directly to a host on an attached network. If the host is not on a directly-attached network, an error is returned. This option can be used to ping a local host through an interface that has no route through it (e.g., after the interface was dropped by routed).
-s src_addr    Use the specified IP address as the source address in outgoing probe packets. This is usually given as an IP address, not a hostname. On multi-homed hosts with more than one IP address, this option can force the source address to be a different IP address than the interface from which the probe packet is sent. If the IP address is not one of the host's interface addresses, an error is returned and nothing is sent.
-t tos         Set the type-of-service in probe packets to the following value (default zero). The value must be a decimal integer in the range 0 to 255. This option can be used to see if different types-of-service result in different paths. (If you are not running 4.4bsd, this may be academic since the normal network services like telnet and ftp don't let you control the TOS.) Not all values of TOS are legal or meaningful; see the IP spec for definitions. Useful values are probably '-t 16' (low delay) and '-t 8' (high throughput).
-v             Use verbose output. Received ICMP packets other than TIME_EXCEEDED and UNREACHABLE values are listed.
-w waittime    Set the time (in seconds) to wait for a response to a probe (default five seconds).
-z pausemsecs  Set the time (in milliseconds) to pause between probes.

update

This command leads you through upgrading SMS server software:

1. Acquire the latest upgrade package from the TMC website.

2. Save it to a local HTTP or FTP server that can be accessed by the SMS server.

3. Provide the URL to this downloaded file.

After the package is transferred and installed, the update procedure prompts for a reboot.

Usage update

See Also ctl.upgrade-source (attrib)

users

Lists and manages the SMS user accounts. You can create new users and assign or change passwords, roles, disable settings, and force password changes.

Usage users

Related Objects pwd

version

Displays the system and component versions.

Usage version

Related Objects sw

vi

vi is a text editor that is comparable to Vi. It can be used to edit all kinds of plain text. It is especially useful for editing programs. While running vi, a lot of help can be obtained from the on-line help system, with the :help command.

Usage vi [options] [file ...]

Caveats

/tmp and its contents are the only files and directories that the SuperUser account has permission to modify. When accessing files you must specify the complete path name (for example: vi /tmp/FileName.txt). After seven days without modification, files in this directory are removed.

Options

The options may be given in any order, before or after filenames. Options without an argument can be combined after a single dash.

Table 2-6 vi Options

Option     Description
+[num]     For the first file the cursor will be positioned on line num. If num is missing, the cursor will be positioned on the last line.
+/{pat}    For the first file the cursor will be positioned on the first occurrence of {pat}. See ":help search-pattern" for the available search patterns.
-h         Give a bit of help about the command line arguments and options. After this, Vi exits.
-m         Modifying files is disabled. Resets the write option, so that writing files is not possible.
-n         No swap file will be used. Recovery after a crash will be impossible. Handy if you want to edit a file on a very slow medium (e.g. floppy). Can also be done with :set uc=0. Can be undone with :set uc=200.
-R         Read-only mode. The read-only option will be set. You can still edit the buffer, but will be prevented from accidentally overwriting a file. If you do want to overwrite a file, add an exclamation mark to the Ex command, as in :w!. The -R option also implies the -n option. The read-only option can be reset with :set noro. See :help 'read-only'.
-r {file}  Recovery mode. The swap file is used to recover a crashed editing session. The swap file is a file with the same filename as the text file with .swp appended. See :help recovery.
--         Denotes the end of the options. Arguments after this will be handled as a file name. This can be used to edit a filename that starts with a dash (-).
--help     Give a help message and exit, just like -h.
--version  Print version information and exit.

See Also ftp, dir, delete, view

view

Command to view the contents of a file in the user directory. Internal help is available by typing a question mark (?).

See Also delete, dir, ftp, vi

web

HTTP/HTTPS (Hyper-Text Transfer Protocol) management. Interactively prompts for configuration of web server settings. The HTTP and HTTPS services can be separately enabled through the web command. Additionally, a single password can be assigned to the content to limit access to reports, archived data, documentation and client downloads. The user name used for access is web and the password is assigned with the web command.

The HTTP protocol is not secure and transmits data and passwords in the clear. It is recommended that HTTP be disabled.

Usage web

See Also snmp

who

Displays a list of CLI users, showing where and when each user's session originated.

Usage who

See Also health.who


3 SMS Attributes and Objects

This chapter describes each object and attribute used by the SMS CLI. For more detailed information about each element, see the individual commands described in ” SMS Command Reference ” on page 5.

NOTE: To use the SMS CLI, you must be logged in with an account that has SuperUser rights.

Attribute Types

The following table describes each type of attribute (attrib) that you can view or edit in the CLI.

Table 3-1 CLI Attribute Types

Type        Definition
Bool        Boolean. Value can be true or false.
String [#]  String. Can have a maximum size of #.
Password    String. Uses asterisks (*) to mask the value as it is entered.
IPaddr      IP address. Uses dotted notation.
Name [#]    String. Can contain alphanumeric characters with a maximum size of #.

cli

Collection of CLI-related attribs. The attribs are used to adjust CLI behavior, including the inactivity timeout value.

Table 3-2 cli Attributes

cli.sessionTimeout
  Description: Attribute used to control the auto-logout time. By adjusting the value, you can control the number of minutes before the CLI automatically logs out due to inactivity. Set the value to 0 to disable the timeout function.
  Type: Int
  Access: read-write
  Range: 0-3200
  Example: set cli.sessionTimeout=30


ctl

Collection of system control operations. The attribs contained in ctl can be used to reboot or shutdown the system, or access the upgrade capability. See "Remote Paths" on page 2 for more information about entering path names for attribs that require them.

Table 3-3 ctl Attributes

ctl.power-off
Setting the ctl.power-off attrib to the value of true will cause the system to shut down and power off. To restart the system, it is necessary to physically press the Power button on the front panel of the box.
Type: Bool. Access: write-only. Range: 0.

ctl.reboot
Setting the ctl.reboot attrib to the value of true will cause the system to reboot. The operation will be immediate, with no warning given to other users using the client or the CLI.
Type: Bool. Access: write-only. Range: 0.

ctl.reboot-needed
Returns the state of the system, indicating whether there are pending configuration settings that require a reboot to apply those changes.
Type: Bool. Access: read-only. Range: 0.

ctl.pre-upgrade-cleanup
Performs any system cleanup necessary for an SMS upgrade. Updates that the upgrade can occur. This command is also run automatically when an SMS upgrade is requested. The upgrade will fail if this command fails.
Type: Bool. Access: write-only. Range: 0.

ctl.upgrade-source
Setting the ctl.upgrade-source attrib to a string representing a URL will cause the system to retrieve and apply the update package to the system. Normally, a reboot will be required for the update to become effective. The URL can reference the http, https or ftp protocols.
Type: String. Access: write-only. Range: 5-128.
Example: set ctl.upgrade-source=http://www.tippingpoint.com/SMS-UPDATE-1.0.pkg

ctl.patch-releasenotes
Used to display the release notes for the currently installed Patch.
NOTE: This attribute is used by the UI to retrieve release notes and is of little interest to general CLI users.
Type: String. Access: read-only. Range: 5-128.

ctl.patch-restart
Used to display the restart flag for the currently installed Patch.
NOTE: This attribute is used by the UI to retrieve the restart flag and is of little interest to general CLI users.
Type: String. Access: read-only. Range: 5-128.

ctl.patch-rollback
Used to roll back to the previous patch version. Displays true if the currently installed Patch can be rolled back, else false. If set to the version of the currently installed Patch, it rolls that Patch back to either the previously installed Patch or to no Patch if it was the first Patch installed.
NOTE: This attribute is used by the UI to retrieve this value and is of little interest to general CLI users.
Type: String. Access: read-write. Range: 5-128.

ctl.patch-source
Used by the UI for installing Patches. Similar to set ctl.upgrade-source, this takes a path or URL to the Patch package file, then validates and installs that Patch.
Type: String. Access: write-only. Range: 5-128.

ctl.previous-patchversion
Used to display the version of the Patch previous to this one, for example the Patch a rollback would install, or None if there is no previous Patch.
Type: String. Access: read-only. Range: 5-128.

sw.patch-version
Used to display the version number of the currently installed Patch, or None if no patch is installed.
Type: String. Access: read-only. Range: 5-128.

db

Collection of database control operations. The attribs contained in db can be used to backup, restore or re-initialize the system database. See "Remote Paths" on page 2 for more information about entering path names for attribs that require them.

On startup, the sequence performed is (1) if requested, backup the database, (2) if requested, restore the database, (3) if requested, reinit the database, (4) if needed, migrate the database. Therefore, within a single restart, a current database can be saved to a remote system, and a new database can replace the old one. To clear a current value, set the attribute to a period (.).

Related Commands database

Table 3-4 db Attributes

db.attackCount
Displays the number of attack records stored in the database.
Type: Int. Access: read-only. Range: 0.

db.backup
Setting the db.backup attrib to yes creates a local database backup with default options. This file can be downloaded from the Exports and Archives link on the SMS Server home page.
Type: Bool. Access: write-only.

db.check
Verifies the integrity of the database.
Type: Bool. Access: read-write.

db.clear-export
Deletes files in the export directory.
Type: Bool. Access: read-write.

db.export-files
Files to be saved and transported to a remote system can be stored in the export directory. To transfer the entire contents of the export directory, this attrib must be provided with the name of a Samba (SMB) mount point. The destination mount point must be writable by the SMS server. SMB can be secured by providing an access list on the server that prevents all machines except for the SMS server from accessing it. The export directory can be cleared by setting the db.clear-export attrib.
Type: String. Access: write-only. Range: 4-132.
Example: set db.export-files=server:/export/directory

db.initTime
The time that the database was re-initialized.
Type: String. Access: read-only. Range: 0-32.

db.reinit
Setting the db.reinit attrib to true will schedule the database to be cleared upon system startup the next time the system is rebooted.
Type: Bool. Access: read-write. Range: 0.

dns

The dns object contains default domain name, DNS search list and DNS server information.

Related Objects nic, ntp

Table 3-5 dns Attributes

dns.domain
Default DNS domain used to resolve hostnames. If a fully-qualified hostname is not provided, the domain is appended to the hostname and the result is passed for resolution.
Type: Name. Access: read-write. Range: 2-64.

dns.search
DNS domain search list used to resolve hostnames. If a fully-qualified hostname is not provided, each member of the search list is appended to the hostname and the result is passed for resolution.
Type: String. Access: read-write. Range: 2-128.

dns.server1, dns.server2, dns.server3
Attribs used to specify name resolution servers. The value must be a dotted IP address, and the first entry (dns.server1) will be assigned a preferred role. To clear this value, use a period (.).
Type: IPaddr. Access: read-write. Range: 7-15.

high availability

Collection of system High Availability (HA) attribs. The attribs are used to retrieve HA information.

Table 3-6 HA Attributes

ha.status
Attribute returning the status of HA. The status messages include the following:
• Disabled: High Availability is not configured.
• Enabled.
• Error: The system could not determine local status.
• Error: Unable to communicate with peer.
• Error: Peer system state is invalid.
• Error: Configuration out of sync with peer.
• Error: Peer system failure.
• Configured: Synchronization required.
• Configured: Attempting synchronization.
• Configured: Synchronizing.
• Degraded: Peer takeover pending.
• Degraded: Unable to communicate with peer.
• Degraded: Synchronization required.
• Degraded: Peer system failure.
Type: String. Access: read-only.

ha.disable
Attribute that disables HA.
Type: String. Access: write-only. Range: 1-1024.

ha.configured
Attribute returning the status of the HA configuration.
Access: read-only.

ha.ports-enabled
Attribute returning the status of the HA ports. By default, HA ports are open. To disable, use set ha.ports-enable = no.
NOTE: If any of your SMS devices are currently configured for HA, the HA ports on those systems cannot be disabled. If the HA ports are disabled, that SMS can not be used in an HA configuration.
Type: String. Access: read-write.

ha.cluster-info
Attribute returning the detailed status for the Passive and Active systems in the SMS HA cluster.
Access: read-only.

health

Collection of system health-related attribs. The attribs are used to retrieve system health information, including utilization values, and system uptime statistics.

Table 3-7 health Attributes

health.cpu-util
Attribute returning the CPU (Processor) utilization. 0% represents a near-idle system, and 100% is fully-utilized.
Type: String. Access: read-only. Range: 2-4.

health.db-valid
Attribute reporting the status of the database. If true, then the database is considered valid and fully operational; if false, the system should be restarted, and other corrective steps taken.
Type: String. Access: read-only. Range: 1-32.

health.diskIo
Disk I/O statistics:
• blocks-read
• blocks-written
Type: String. Access: read-only. Range: 0-128.

health.disk-util
Attribute returning the disk system utilization. As disk utilization approaches 100%, database management operations should be performed to reduce disk usage.
Type: String. Access: read-only. Range: 2-4.

health.loadAvg
CPU load statistics:
• load-avg-1min
• load-avg-5min
• load-avg-15min
• runnable-processes/total-processes
• current-pid
Type: String. Access: read-only. Range: 0-128.

health.memInfo
Physical memory statistics:
• total
• used
• free
• shared
• buffers
• cached
Type: String. Access: read-only. Range: 0-128.

health.mem-util
Attribute returning the memory (RAM) utilization. 0% represents a near-idle system, and 100% is fully-utilized.
Type: String. Access: read-only. Range: 2-4.

health.RAID
Attribute returning the status of the physical disks in your RAID configuration. Only SMS platforms that have RAID configured will show output.
Access: read-only.

health.net-valid
Attribute reporting the status of the communication paths. Checks to see if the network is configured and enabled. If enabled, checks the status of the gateway, DNS, and NTP.
Type: String. Access: read-only. Range: 0-128.

health.port-health
Attribute returning Port Statistics of the SMS. This information corresponds to the Port Statistics table on the Port Health screen (SMS Health) in the UI, with all 12 numbers printed in a single line. The first six numbers are for the primary port and the second six numbers are for the secondary port. Each set of numbers corresponds to the following table headings:
• total input bytes
• total output bytes
• total input discards
• total output discards
• total input errors
• total output errors
Type: String. Access: read-only.

health.swapInfo
Swap memory statistics:
• total
• used
• free
Type: String. Access: read-only. Range: 0-128.

health.swapIo
Swap I/O statistics:
• blocks-read
• blocks-written
Type: String. Access: read-only. Range: 0-128.

health.sys-valid
Attribute reporting the status of the SMS server application. If true, then the system is considered valid and fully operational; if false, the system should be restarted, and other corrective steps taken.
Type: String. Access: read-only. Range: 1-32.

health.temperature
Attribute returning the temperature of the SMS (in degrees Celsius). This information corresponds to the SMS Health Statistics table in the UI.
NOTE: The number is displayed with no indication for Celsius.
Type: String. Access: read-only. Range: 1-3.

health.tmc-valid
Attribute reporting the status of the communication paths to the TMC and each of the configured devices. The message will indicate the nature of the problem. Usually, the problem can be addressed by confirming that the network settings permit the SMS to communicate with https://tmc.tippingpoint.com, available through the Internet. See also diags. If the SMS cannot establish a TMC connection, see the error messages in the SMS User Guide.
Access: read-only.

health.uptime
Attribute reporting the amount of time since the last system boot.
Type: String. Access: read-only. Range: 2-56.

health.who
Attribute reporting a list of currently logged-in users. Pipe (|) characters are used in place of carriage-return characters.
Type: String. Access: read-only. Range: 0-1024.
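The following Python, added here and not part of the original guide, parses the health.port-health and health.who output formats described above into structures a monitoring job can act on. The sample strings are constructed, not captured from an SMS.

```python
from typing import Dict, List

# Column headings of the Port Statistics table, in the order health.port-health prints them.
PORT_FIELDS = (
    "total_input_bytes", "total_output_bytes",
    "total_input_discards", "total_output_discards",
    "total_input_errors", "total_output_errors",
)


def parse_port_health(line: str) -> Dict[str, Dict[str, int]]:
    """Split the 12-number health.port-health line into primary and secondary port counters."""
    tokens = line.split()
    if len(tokens) != 12:
        raise ValueError(f"expected 12 numbers, got {len(tokens)}")
    values = [int(t) for t in tokens]   # raises ValueError on a non-numeric token
    return {
        "primary": dict(zip(PORT_FIELDS, values[:6])),
        "secondary": dict(zip(PORT_FIELDS, values[6:])),
    }


def port_problems(stats: Dict[str, Dict[str, int]]) -> List[str]:
    """Return the non-zero discard and error counters as 'port.counter' names."""
    return [
        f"{port}.{name}"
        for port, counters in stats.items()
        for name, value in counters.items()
        if name.endswith(("discards", "errors")) and value
    ]


def parse_who(value: str) -> List[str]:
    """Split health.who, which uses '|' in place of carriage returns, into one entry per login."""
    return [entry.strip() for entry in value.split("|") if entry.strip()]


# Constructed sample output; not captured from a real SMS.
SAMPLE_PORT_HEALTH = "1048576 524288 0 0 0 3 2048 1024 1 0 0 0"
SAMPLE_WHO = "superuser pts/0 2013-08-01 10:02 (10.0.0.7)|admin ttyS0 2013-08-01 09:55"

if __name__ == "__main__":
    stats = parse_port_health(SAMPLE_PORT_HEALTH)
    print(port_problems(stats))   # ['primary.total_output_errors', 'secondary.total_input_discards']
    print(parse_who(SAMPLE_WHO))
```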

kbd

Keyboard related attribute.

WARNING!

Do not use this option if you are using a standard QWERTY keyboard. Setting your keyboard layout to a value with which you are not familiar could render your system inaccessible.

Related Command kbdcfg

Table 3-8 kbd Attributes

kbd.layout
Specifies the console keyboard layout.
Usage: set kbd.layout=<keyboard designation>
Example setting: fr for French keyboard layout.
The default setting is kbd.layout=us
Type: String. Access: read-write. Range: 0-64.

The following console keyboard layouts are available:

license

License information for the SMS server. The license is used to control the number of managed devices supported by the server.

Related Command key

Table 3-9 license Attributes

license.count
Returns the number of devices that the license key permits for this server.
Type: Int. Access: read-only. Range: 0-1000.

license.date
Returns the date that the current license key was installed.
Type: String. Access: read-only. Range: 0-32.

license.desc
Returns the license key description.
Type: String. Access: read-only. Range: 0-64.

license.key
Sets or returns the current SMS server license key.
Type: String. Access: read-write. Range: 32.

license.reset
Resets the current SMS server license key.

logs

Collection of log-related attribs. The attribs are used to manage log files that are used for troubleshooting.

The logs zip file, sms_logs.zip, is managed in the /mgmt/client/tmp directory. This is the standard location for cli data files and also allows access from the Exports and Archives link on the SMS web page.

Creating a new logs zip file overwrites the old one.

Related Objects scp

Table 3-10 logs Attributes

set logs.create=yes
Creates the logs zip file sms_logs.zip.
Type: Bool. Access: write-only. Range: 0.

set logs.del=yes
Deletes the zip file.
Type: Bool. Access: write-only. Range: 0.

set logs.create-peer=yes
Attribute used to create a compressed file containing the HA peer SMS log files. This file can be downloaded from the Exports and Archives link on the SMS server home page. Only the latest compressed file is retained.
NOTE: This attribute can be used only when HA has been configured.
Type: String. Access: write-only. Range: 0.

get logs.info
If the zip file exists, lists the name, size, date and time of creation.
Type: String. Access: read-only. Range: 0-1024.

net

Collection of network-related attribs. The attribs are used to configure the two Ethernet 10/100/1000 interfaces for access to the local network.

Unless identified as a net-only attrib, each attrib listed as net.* below can use the prefix net to specify the correct Ethernet 10/100/1000 interface.

Example

To change the IP address and gateway for the SMS server, you must complete the following:

1. Change the IP address by entering the command: set net.ipaddr = smsip4addr OR set net.ipaddr6 = smsip6addr, where smsip4addr is the new IPv4 address and smsip6addr is the new IPv6 address.

2. Change the gateway by entering the command: set net.gateway = ipv4gateway OR set net.gateway6 = ipv6gateway, where ipv4gateway is the IP address of the new gateway and ipv6gateway is the IPv6 address of the new IPv6 gateway.

3. Restart the network stack by entering the command: set net.restart = yes

The system prompts you to confirm that you want to restart the network stack. Your changes are applied when the network stack is restarted.

NOTE: You must issue the set net.restart=yes command when you modify the IP address or gateway using the set net command. Changes to these attributes do not take effect until you issue this command. A reboot (reboot command) should be done after you issue the above command.

For information on set net, see "set" on page 14.

Related Commands ifconfig, ipconfig, mgmtsettings

Related Objects dns

Table 3-11 net Attributes

net.autoneg
Attribute used to view, and enable/disable, auto-negotiation for the Ethernet 10/100/1000 interface. Valid values are: yes or no.
Type: Bool. Access: read-write. Range: 0.

net.duplex
Attribute used to view and change the duplex setting for the Ethernet 10/100/1000 interface. Valid values are: half or full.
Type: String. Access: read-write. Range: 4.

net.gateway
Attribute used to provide the gateway (default route) value. To clear this value, use a period (.). Applies only to the net object. The network interface must be restarted (net.restart) for the setting to take effect. See "Example" on page 30.
Type: IPaddr. Access: read-write. Range: 0.

net.gateway6
Attribute used to provide the IPv6 gateway value. To clear this value, use a period (.). Applies only to the net object. The network interface must be restarted (net.restart) for the setting to take effect. See "Example" on page 30.
Type: IPaddr. Access: read-write. Range: 0.

net.hwaddr
Attribute used to return the Hardware / MAC (Media Access Control) address for the Ethernet 10/100/1000 interface.
Type: String. Access: read-only. Range: 17.

net.ifc-enable
Attrib used to enable/disable the NIC. Normally, this should not be done. To enable the NIC set the value to true; to disable it, set the value to false.
Type: Bool. Access: read-write. Range: 0.

net.ipaddr
Attribute used to view and change the IP address for the Ethernet 10/100/1000 interface. To clear this value, use a period (.). Applies only to the net object. The network interface must be restarted (net.restart) for the setting to take effect. When you employ this command, the CLI may not reflect the change with a confirmation message. See "Example" on page 30.
Type: IPaddr. Access: read-write. Range: 0.

net.ipaddr6
Attribute used to view and change the IPv6 address. To clear this value, use a period (.). Applies only to the net object. The network interface must be restarted (net.restart) for the setting to take effect. When you employ this command, the CLI may not reflect the change with a confirmation message. See "Example" on page 30.
NOTE: The IP address uses IPv6 notation.
Type: IPaddr. Access: read-write. Range: 0.

net.mask
Attribute used to provide the subnet mask value. To clear this value, use a period (.).
Type: IPaddr. Access: read-write. Range: 0.

net.mtu
Attribute used to view the MTU (Maximum Transmission Unit) for the SMS Ethernet 10/100/1000 interface.
Type: Bool. Access: read-only.

net.ready
Returns "true" if the primary network interface is configured and ready.
Type: Bool. Access: read-only. Range: 0.

net.restart
Attribute used to restart the Ethernet 10/100/1000 interface with the current network settings. Set to true to restart immediately. (false has no effect.)
Warning: restarting the network interface may cause connections to be lost, including SMS client sessions and remote CLI sessions. Applies only to the net object.
Type: Bool. Access: write-only. Range: 0.

net.scope-link
Attribute used to return the IPv6 Scope Link address for the Ethernet 10/100/1000 interface. See "net" on page 30 and the associated net.ipaddr6 attribute. See also "ifconfig" on page 8 and "ipconfig" on page 8.
Type: String. Access: read-only. Range: 0.

ntp

Collection of NTP (Network Time Protocol) settings used to synchronize the system time with a remote time server. NTP allows machines within a network to be synchronized on a common time.

Related Objects svc, snmp


Table 3-12 ntp Attributes

ntp.server1, ntp.server2, ntp.server3
Attribs used to specify a list of NTP time servers. The value may be a dotted IP address or a hostname. The first entry (ntp.server1) will be assigned the preferred time server role. The preferred time server is also used as a step ticker, which adjusts the time immediately upon system boot. To clear this value, use a period (.).
Type: IPaddr. Access: read-write. Range: 0.

ntp.auth-enable
Attrib used to enable/disable NTP authentication. It allows the NTP client to verify that the server is known and trusted and not an intruder intending to masquerade as that server. Only NTP V3 (symmetric key) authentication is supported. To enable NTP authentication, set the value to yes, and provide a key ID and key value with the ntp.auth-keyId and ntp.auth-keyValue attribs. To disable it, set the value to no.
Type: Bool. Access: read-write. Range: 0.
Example: set ntp.auth-enable=yes

ntp.auth-keyId
The ID of the key used to authenticate the NTP server if NTP authentication is enabled. The ID has to exist in /etc/ntp/keys before you set this value. To clear this value, use a period (.).
Type: Int. Access: read-write. Range: 1-65535.
Example: set ntp.auth-keyId=1

ntp.auth-keyValue
The value of the key used to authenticate the NTP server if NTP authentication is enabled. The key has to exist in /etc/ntp/keys before you set this value. To clear this value, use a period (.).
Type: String. Access: read-write. Range: 1-255.
Example: set ntp.auth-keyValue=test

pkg

Collection of attribs used to control package management.

Related Object tmc (object)

Table 3-13 pkg Attributes

pkg.auto-download
Attrib used to control whether new packages available at the TMC are automatically downloaded. Email will be generated to notify the administrator of the action (if configured).
Type: Bool. Access: read-write. Range: 0.

pkg.auto-install
Attrib used to control whether the SMS database is updated with the newly downloaded package.
Type: Bool. Access: read-write. Range: 0.

pkg.dv-activate
Attrib used to activate a DV package.
Type: String. Access: write-only.

pkg.dv-delete
Attrib used to delete a DV package.
Type: String. Access: write-only.

pkg.dv-import
Attrib used to import a DV package to the SMS using a URL.
Type: String. Access: write-only.

pkg.dv-info
Attrib used to list all of the DV packages installed on the SMS.
Type: String. Access: read-only.

pkg.auto-distrib
Attrib used to control whether the new package will be distributed to the managed devices.
Type: Bool. Access: read-write.

pkg.tmc-poll-rate
Attrib used to control the frequency of the check for new TMC packages. The SMS polls the Threat Management Center (TMC) at regular intervals (factory default is 30 minutes). Communication is attempted over TCP port 4043 to the host tmc.tippingpoint.com. A follow-up request that pulls the file may be made to another server using port 443.
The poll rate can be adjusted by providing the pkg.tmc-poll-rate attrib with a new value and then rebooting the SMS. Assigning the attrib the value of '0' disables polling. (This setting may be desirable when the SMS is behind a firewall which prevents outbound communication with the TMC.)
Type: Int. Access: read-write. Range: 0-9999.

pkg.proxy-tmc
Attrib used to control whether an HTTP proxy server is used to make TMC connections.
Type: Bool. Access: read-write. Range: 0.

pkg.tmc-proxy-host
Attrib used to control which proxy server to use to make TMC connections.
Type: String. Access: read-write. Range: 1-128.

pkg.tmc-proxy-port
Attrib used to control which proxy server port to use to make TMC connections.
Type: Int. Access: read-write. Range: 1-65535.

pkg.proxy-tmc-authenticate
Attrib used to control whether authentication is required with the HTTP proxy server.
Type: Bool. Access: read-write. Range: 0.

pwd

Collection of password-related attribs. The attribs are used to confirm the SuperUser password and enable the service mode used by support personnel. For information about managing users including user groups, passwords, and security levels, see the “Administration” chapter in the SMS User Guide.

Related Command users

Table 3-14 pwd Attributes

pwd.group-adduser
Used to add a user to a user group.
Type: String. Access: write-only.

pwd.group-deluser
Used to remove a user from a user group.
Type: String. Access: write-only.

pwd.group-list
Used to list all groups, or groups with users.
Type: String. Access: read-only.

pwd.level
Attribute used to set the security level for the password.
Type: Int. Access: read-write.

pwd.service-enable
Used to enable/disable the service mode password for the system. To protect customer security, the service mode is deactivated at the factory. To enable the service mode account, the customer must log in with an account that has SuperUser rights and set this attrib to yes. After service mode is enabled, a service professional can log in to the system with a secret one-time password. To disable service mode, set the attrib to no. To clear this value, use a period (.).
Type: Bool. Access: read-write. Range: 0.
Example: set pwd.service-enable=false

pwd.user-add
Used to add a user and specify the user's default user group. User names must comply with the rules defined by pwd.level. You must also specify a user group in the form of ?usergroup=username.
Type: String. Access: write-only.
Example: set pwd.user-add?superuser=johnsmith

pwd.user-age
Attribute used to set the maximum age for a password.
Type: Int. Access: read-write.

pwd.user-del
Used to delete a user.
Type: String. Access: write-only.

pwd.user-desc
Attribute used to describe the user account.
Type: String. Access: read-write.

pwd.user-email
Attribute used for the user account email address.
Type: Email. Access: read-write.

pwd.user-expires
Attribute used to enable password expiration.
Type: Bool. Access: read-write.

pwd.user-expiredays
Attribute used to set the number of days after which to check the account for expiration.
Type: String. Access: read-only.

pwd.user-force-pwd
Attribute used to force a user to change their password at next login.
Type: Bool. Access: read-write.

pwd.user-pager
Attribute used to include the user account pager number.
Type: String. Access: read-write.

pwd.user-phone
Attribute used to include the user account phone number.
Type: String. Access: read-write.

pwd.user-pwd
Attribute used for the user account password.
Type: String. Access: read-only.

pwd.user-state
Attribute for the state of the user ID.
Type: String. Access: read-only.

pwd.user-verify
Attribute used to identify the user.
Type: String. Access: read-write.

pwd.web
Used to assign a password to the HTTP/HTTPS-accessible content. This single password allows access to the user manuals, the client software, reports, and archived attack data. The default is pwd.web=yes. To permit unrestricted access to the web server, set the value to "no".
Type: Password. Access: write-only. Range: 8-32.

radius

Collection of radius-related attribs. The attribs are used to enable and configure RADIUS for the SMS. For more information on RADIUS, see the “Administration” chapter in the SMS User Guide.

Table 3-15 radius Attributes

radius.enable
Attribute used to enable/disable RADIUS.
Type: Bool. Access: read-write.

Primary RADIUS Server

radius1.secret
Attrib used to enter the RADIUS secret set by the RADIUS server administrator. This entry is used by each RADIUS client, including the SMS server.
Type: String. Access: read-write.

radius1.server
Attrib used to set the IP address of the RADIUS server.
Type: IPaddr. Access: read-write. Range: 0.

radius1.port
Attrib used to set the port on the RADIUS server that listens for authentication requests.
Type: Int. Access: read-write. Range: 1-65535.

radius1.timeout
Attrib used to set the maximum timeout period in seconds.
Type: Int. Access: read-write. Range: 1-300.

radius1.auth
Attrib to set the authentication method (PAP, CHAP, MSCHAP, MSCHAP2, EAPMD5).
Type: String. Access: read-write.

Backup RADIUS Server

radius2.secret
Attrib used to enter the RADIUS secret set by the RADIUS server administrator. This entry is used by each RADIUS client, including the SMS server.
Type: String. Access: read-write.

radius2.server
Attrib used to set the IP address of the RADIUS server.
Type: IPaddr. Access: read-write. Range: 0.

radius2.port
Attrib used to set the port on the RADIUS server that listens for authentication requests.
Type: Int. Access: read-write. Range: 1-65535.

radius2.timeout
Attrib used to set the maximum timeout period in seconds.
Type: Int. Access: read-write. Range: 1-300.

radius2.auth
Attrib to set the authentication method (PAP, CHAP, MSCHAP, MSCHAP2, EAPMD5).
Type: String. Access: read-write.

route

Collection of network-related attribs. The attribs are used to configure the Ethernet 10/100/1000 interface for access to the local network.

Usage route.add <destination> <mask> <gateway>
route.del <destination> <mask> <gateway>

Related Objects route6, net

Related Commands ifconfig, ipconfig, routes

Table 3-16 route Attributes

route.add
Attribute used to add a static route to the IP routing table.
Usage: route.add <destination> <mask> <gateway>
Type: IPaddrs. Access: write-only. Range: 0.

route.del
Attribute used to delete a static route from the IP routing table.
Usage: route.del <destination> <mask> <gateway>
Type: IPaddrs. Access: write-only. Range: 0.

route.info
Attribute used to list all routes in the IP routing table.
Type: String. Access: read-only. Range: 0-1024.

route6

Collection of attribs used to add, delete and display IPv6 static routes for the management interface.

Usage route6.add <destination> <next hop>
route6.del <destination> <next hop>

Related Objects route, net

Related Commands ifconfig, ipconfig

Table 3-17 route6 Attributes

route6.add
Attribute used to add a static route to the IPv6 routing table.
Usage: route6.add <destination> <next hop>
Type: IPaddrs. Access: write-only. Range: 0.

route6.del
Attribute used to delete a static route from the IPv6 routing table.
Usage: route6.del <destination> <next hop>
Type: IPaddrs. Access: write-only. Range: 0.

route6.info
Attribute used to list all routes in the IPv6 routing table.
Type: String. Access: read-only. Range: 0-1024.

smtp

Collection of SMTP (Simple Mail Transfer Protocol)-related attribs. The attribs are used to configure the smtp service.

Table 3-18 smtp Attributes

smtp.send-mail
Sends a mail message from the SMS. Other SMTP configuration settings are required to successfully send mail.
Type: String. Access: write-only.

smtp.notify-list
List of e-mail addresses used to deliver notification messages when a notifiable event occurs. The list should be one or more e-mail addresses separated by commas or semicolons.
Type: Email. Access: read-write.

snmp

Collection of SNMP (Simple Network Management Protocol)-related attribs. The attribs are used to configure the SNMP trap service and the SMS SNMP request agent. For SNMP requests, see "snmp-request Attributes" on page 39. For SNMP traps, see "snmp-trap Attributes" on page 40.

Related Objects svc

Related Commands snmp-request, snmp-trap


Table 3-19 snmp-request Attributes

snmp.request-auth-key
Attrib used to specify the authentication key for the SNMP request agent. When enabled, the SMS responds to the SNMP system request.
Type: String. Access: write-only.
Example: set snmp.request-auth-key=mykey

snmp.request-auth-proto
Attrib used to specify the authentication protocol for the SNMP request agent. When enabled, the SMS responds to the SNMP system request. Valid protocol values are: None, MD5, and SHA.
Type: String. Access: read-write.
Example: set snmp.request-auth-proto=MD5

snmp.request-community
Attrib used to specify the community string for the SNMP request agent. When enabled, the SMS responds to the SNMP system request.
Type: String. Access: read-write.
Example: set snmp.request-community=public

snmp.request-enable
Attrib used to enable/disable the SMS SNMP request agent. When enabled, the SMS responds to SNMP system requests.
Type: Bool. Access: read-write.
Example: set snmp.request-enable=true

snmp.request-engine
Attrib used to specify the engine ID for the SNMP request agent. When enabled, the SMS responds to the SNMP system request.
Type: String. Access: read-write.
Example: set snmp.request-engine=012345

snmp.request-priv-key
Attrib used to specify the privacy key for the SNMP request agent. When enabled, the SMS responds to the SNMP system request.
Type: String. Access: write-only.
Example: set snmp.request-priv-key=mykey

snmp.request-priv-proto
Attrib used to specify the privacy protocol for the SNMP request agent. When enabled, the SMS responds to the SNMP system request. Valid protocol values are:
• None
• AES-128
• AES-192
• AES-256
• DES
• Triple_DES
Type: String. Access: read-write.
Example: set snmp.request-priv-proto=AES-128

snmp.request-user
Attrib used to specify the user name for the SNMP request agent. When enabled, the SMS responds to the SNMP system request.
Type: String. Access: read-write.
Example: set snmp.request-user=myuser

snmp.request-version
Attrib used to change the version for the SNMP request agent. When enabled, the SMS responds to the SNMP system request. Valid version values are: v2 or v3.
Type: String. Access: write-only.
Example: set snmp.request-version=v2

Table 3-20 snmp-trap Attributes

Attribute: snmp.trap-add
Type: String   Access: write-only
Attrib used to add a new SNMP trap destination. An IP address and SNMP version uniquely identify a destination. The IP address must be specified. The SNMP version is optional and can be specified when separated by a comma.
Examples:
set snmp.trap-add=1.1.1.1
set snmp.trap-add=1.1.1.1,v3

Attribute: snmp.trap-auth-key
Type: String   Access: write-only
Attrib used to specify the authentication key for an SNMP trap destination. The IP address must be specified. The SNMP version is optional and can be specified when separated by a comma.
Examples:
set snmp.trap-auth-key?1.1.1.1=mykey
set snmp.trap-auth-key?1.1.1.1,v3=mykey

Table 3-20 snmp-trap Attributes (continued)

Attribute: snmp.trap-auth-proto
Type: String   Access: read-write
Attrib used to specify the authentication protocol for an SNMP trap destination. The IP address must be specified. The SNMP version is optional and can be specified when separated by a comma.
Valid protocol values are: None, MD5, and SHA.
Examples:
set snmp.trap-auth-proto?1.1.1.1=MD5
set snmp.trap-auth-proto?1.1.1.1,v3=MD5

Attribute: snmp.trap-community
Type: String   Access: read-write
Attrib used to specify the community string for an SNMP trap destination. The IP address must be specified. The SNMP version is optional and can be specified when separated by a comma.
Examples:
set snmp.trap-community?1.1.1.1=public
set snmp.trap-community?1.1.1.1,v2=public

Attribute: snmp.trap-del
Type: String   Access: write-only
Attrib used to remove an SNMP trap destination. The IP address must be specified. The SNMP version is optional and can be specified when separated by a comma.
Examples:
set snmp.trap-del=1.1.1.1
set snmp.trap-del=1.1.1.1,v3

Attribute: snmp.trap-engine
Type: String   Access: read-write
Attrib used to specify the engine ID for an SNMP trap destination. The IP address must be specified. The SNMP version is optional and can be specified when separated by a comma.
Examples:
set snmp.trap-engine?1.1.1.1=012345
set snmp.trap-engine?1.1.1.1,v3=012345

Attribute: snmp.trap-info
Type: String   Access: read-only
Attrib used to list the SNMP trap destinations.
Example: get snmp.trap-info

Table 3-20 snmp-trap Attributes (continued)

Attribute: snmp.trap-port
Type: Int   Access: read-write
Attrib used to specify the port for an SNMP trap destination. The IP address must be specified. The SNMP version is optional and can be specified when separated by a comma.
Examples:
set snmp.trap-port?1.1.1.1=162
set snmp.trap-port?1.1.1.1,v2=162

Attribute: snmp.trap-priv-key
Type: String   Access: write-only
Attrib used to specify the privacy key for an SNMP trap destination. The IP address must be specified. The SNMP version is optional and can be specified when separated by a comma.
Examples:
set snmp.trap-priv-key?1.1.1.1=mykey
set snmp.trap-priv-key?1.1.1.1,v3=mykey

Attribute: snmp.trap-priv-proto
Type: String   Access: read-write
Attrib used to specify the privacy protocol for an SNMP trap destination. The IP address must be specified. The SNMP version is optional and can be specified when separated by a comma.
Valid protocol values are:
• None
• AES-128
• AES-192
• AES-256
• DES
• Triple_DES
Examples:
set snmp.trap-priv-proto?1.1.1.1=AES-128
set snmp.trap-priv-proto?1.1.1.1,v3=AES-128

Table 3-20 snmp-trap Attributes (continued)

Attribute: snmp.trap-user
Type: String   Access: read-write
Attrib used to specify the user name for an SNMP trap destination. The IP address must be specified. The SNMP version is optional and can be specified when separated by a comma.
Examples:
set snmp.trap-user?1.1.1.1=testuser
set snmp.trap-user?1.1.1.1,v3=testuser

Attribute: snmp.trap-version
Type: String   Access: write-only
Attrib used to change the version for an SNMP trap destination. The IP address must be specified. The SNMP version is optional and can be specified when separated by a comma.
Valid version values are: v2 or v3.
Examples:
set snmp.trap-version?1.1.1.1=v3
set snmp.trap-version?1.1.1.1,v2=v3
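Tables 3-19 and 3-20 give the value sets and the attr?ip[,version]=value destination syntax, but not an end-to-end sequence. The following script is an added example and is not part of this guide or of the SMS software: it builds the set snmp.request-* and set snmp.trap-* command batch from a short Python description, enforces the value sets the tables list (and the SNMPv3 rule that privacy needs authentication), and then flags the cleartext v2 and weak-algorithm choices a reviewer would question. The user names and keys are placeholders; nothing here connects to an appliance, the output is pasted into the CLI by hand.

```python
"""Build an SMS SNMP command batch from Tables 3-19 and 3-20.

Added example, not code from the HP manual or the SMS. It produces the
`set snmp.request-*` and `set snmp.trap-*?ip,version=value` commands the
tables document, enforcing the value sets they list, and then flags the
cleartext (v2) and weak-algorithm (MD5/DES/3DES) choices a reviewer would
question. Nothing here talks to an appliance; paste the output into the CLI.
"""
import ipaddress

AUTH_PROTOS = {"None", "MD5", "SHA"}                                   # Table 3-19/3-20
PRIV_PROTOS = {"None", "AES-128", "AES-192", "AES-256", "DES", "Triple_DES"}
VERSIONS = {"v2", "v3"}
WEAK = {"MD5", "DES", "Triple_DES"}  # reviewer policy, not from the manual


def _check(value, allowed, what):
    if value not in allowed:
        raise ValueError(f"{what} must be one of {sorted(allowed)}, got {value!r}")
    return value


def trap_key(ip, version):
    """The `ip,version` key that identifies one trap destination (the SMS also accepts a bare ip)."""
    ipaddress.ip_address(ip)  # ValueError on a malformed address
    return f"{ip},{_check(version, VERSIONS, 'SNMP version')}"


def _security_commands(prefix, key, version, community, user, auth_proto, auth_key,
                       priv_proto, priv_key, engine):
    """Shared v2/v3 parameter commands. `key` is "" for the request agent, "?ip,version" for a trap."""
    if version == "v2":
        if not community:
            raise ValueError("v2 requires a community string")
        return [f"set {prefix}-community{key}={community}"]
    if not user:
        raise ValueError("v3 requires a user name")
    _check(auth_proto, AUTH_PROTOS, f"{prefix}-auth-proto")
    _check(priv_proto, PRIV_PROTOS, f"{prefix}-priv-proto")
    if priv_proto != "None" and auth_proto == "None":
        raise ValueError("SNMPv3 has no noAuthPriv level: privacy requires authentication")
    cmds = [f"set {prefix}-user{key}={user}", f"set {prefix}-auth-proto{key}={auth_proto}"]
    if auth_proto != "None":
        if not auth_key:
            raise ValueError("auth protocol set but no auth key")
        cmds.append(f"set {prefix}-auth-key{key}={auth_key}")
    cmds.append(f"set {prefix}-priv-proto{key}={priv_proto}")
    if priv_proto != "None":
        if not priv_key:
            raise ValueError("privacy protocol set but no privacy key")
        cmds.append(f"set {prefix}-priv-key{key}={priv_key}")
    if engine:
        cmds.append(f"set {prefix}-engine{key}={engine}")
    return cmds


def request_agent_commands(version, community=None, user=None, auth_proto="None",
                           auth_key=None, priv_proto="None", priv_key=None, engine=None):
    """Configure and enable the SMS SNMP request agent (Table 3-19)."""
    _check(version, VERSIONS, "snmp.request-version")
    cmds = [f"set snmp.request-version={version}"]
    cmds += _security_commands("snmp.request", "", version, community, user,
                               auth_proto, auth_key, priv_proto, priv_key, engine)
    cmds.append("set snmp.request-enable=true")
    return cmds


def trap_destination_commands(ip, version, port=162, community=None, user=None, auth_proto="None",
                              auth_key=None, priv_proto="None", priv_key=None, engine=None):
    """Add one trap destination and set its parameters (Table 3-20)."""
    if not 1 <= int(port) <= 65535:
        raise ValueError(f"bad UDP port {port!r}")
    key = trap_key(ip, version)
    cmds = [f"set snmp.trap-add={key}", f"set snmp.trap-port?{key}={int(port)}"]
    cmds += _security_commands("snmp.trap", f"?{key}", version, community, user,
                               auth_proto, auth_key, priv_proto, priv_key, engine)
    return cmds


def weak_settings(cmds):
    """Warnings for choices a reviewer would push back on in a generated batch."""
    warnings = []
    for cmd in cmds:
        attr, _, value = cmd[len("set "):].partition("=")
        name = attr.split("?", 1)[0]
        if (name.endswith("-version") and value == "v2") or (name == "snmp.trap-add" and value.endswith(",v2")):
            warnings.append(f"{attr}: SNMPv2c carries the community string in cleartext; use v3 authPriv")
        if name.endswith(("-auth-proto", "-priv-proto")) and value in WEAK:
            warnings.append(f"{attr}: {value} is weak; prefer SHA and AES")
        if name.endswith("-priv-proto") and value == "None":
            warnings.append(f"{attr}: no privacy; SNMP payloads travel in cleartext")
    return warnings


if __name__ == "__main__":
    batch = request_agent_commands("v3", user="myuser", auth_proto="SHA", auth_key="mykey",
                                   priv_proto="AES-128", priv_key="mykey", engine="012345")
    batch += trap_destination_commands("1.1.1.1", "v3", user="testuser", auth_proto="SHA",
                                       auth_key="mykey", priv_proto="AES-128", priv_key="mykey")
    print("\n".join(batch))
    for w in weak_settings(trap_destination_commands("1.1.1.1", "v2", community="public")):
        print("WARNING:", w)
```

The batch sets the version first and enables the agent last, so a half-applied paste never leaves the agent answering with default parameters; the auth-key and priv-key attributes are write-only on the SMS, so the generated batch is the only record of what was set and should be handled like any other credential file.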


svc

Collection of attribs used to enable various services that execute within the system. While the system implements an internal firewall to protect against attacks, further security can be implemented by disabling unneeded services.

Related Commands

ntp, snmp, pwd

Table 3-21 svc Attributes

Attribute: svc.fips-enable
Type: Bool   Access: read-write   Range: 0
Attribute used to enable/disable SMS FIPS mode. In this mode, only FIPS 140-2 approved cryptographic algorithms are used when allowing SSH connections.
NOTE: FIPS mode cannot be enabled if SSH has not been enabled. Also, disabling SSH automatically disables FIPS mode.
Example: set svc.fips-enable=yes

Attribute: svc.http-enable
Type: Bool   Access: read-write   Range: 0
Attribute used to enable/disable the HTTP (HTTP protocol) service.
The HTTP service is used to download the SMS client during the installation process and download other files. The service is configured to prevent CGI and other active server processing. Once the client is downloaded, the service can be disabled until an updated client is available. HTTP and HTTPS can be enabled separately.
To enable HTTP, set the svc.http-enable attrib to true. To disable, set to false.
Example: set svc.http-enable=true

Attribute: svc.https-enable
Type: Bool   Access: read-write   Range: 0
Attribute used to enable/disable the HTTPS (Secure HTTP protocol) service.
The HTTPS service is used to download the SMS client during the installation process. The service is configured to prevent CGI and other active server processing. Once the client is downloaded, the service can be disabled until an updated client is available.
To enable HTTPS, set the svc.https-enable attrib to true. To disable, set to false.

Attribute: svc.ping-enable
Type: Bool   Access: read-write   Range: 0
Attribute used to enable/disable incoming ping support. Responding to pings can be considered a security weakness for systems. When disabled, the SMS will not respond to ICMP Echo Requests.
Example: set svc.ping-enable=true


Table 3-21 svc Attributes (continued)

Attribute: svc.ntp-enable
Type: Bool   Access: read-write   Range: 0
Attrib used to enable/disable the NTP (Network Time Protocol) client. The NTP client can be used to synchronize system time with a list of remote time servers.
To enable the NTP client, set the value to true and provide a list of servers with the ntp.server1 (...) attribs. To disable, set the value to false.
Example: set svc.ntp-enable=true

Attribute: svc.snmp-enable
Type: Bool   Access: read-write   Range: 0
Attribute used to enable/disable the SNMP (Simple Network Management Protocol) agent. The SNMP service provides limited, read-only management support to a remote SNMP manager. To enable SNMP, set the svc.snmp-enable attrib to true. To disable, set to false. The community name for get requests can be set with the snmp.get-community attrib.
Example: set svc.snmp-enable=true

Attribute: svc.ssh-enable
Type: Bool   Access: read-write   Range: 0
Attribute used to enable/disable the SSH (Secure Shell) service. The SSH service is used to provide secured, remote CLI (Command Line Interface) access to the system. If SSH is disabled, the CLI can still be accessed by connecting a terminal or a keyboard/monitor to the chassis. The SMS server supports SSH protocol version 2.
To enable SSH, set the svc.ssh-enable attrib to true. To disable, set to false.
Example: set svc.ssh-enable=true

Attribute: svc.telnet-enable
Type: Bool   Access: read-write   Range: 0
Attribute used to enable/disable the Telnet service. The Telnet service is used to provide remote CLI (Command Line Interface) access to the system. If Telnet is disabled, the CLI can still be accessed by connecting a terminal or a keyboard/monitor to the chassis, or by using the SSH service. Telnet carries the login session, including the password, in cleartext; leave it disabled and use SSH unless there is a specific need for it.
To enable Telnet, set the svc.telnet-enable attrib to true. To disable, set to false.
Example: set svc.telnet-enable=true
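The svc attributes are independent toggles, but Table 3-21 states two dependencies between them (FIPS mode can only be enabled while SSH is enabled, and disabling SSH disables FIPS), and turning off both SSH and Telnet leaves only console access. The following script is an added example, not part of this guide or of the SMS software: it orders a hardening change so those rules hold and so the cleartext Telnet path is removed only after SSH is up. It assumes, as a convenience for the example and not as something the guide documents, that get svc.* output can be read as svc.<name>-enable=<true|false> lines mirroring the set syntax; the sample output embedded in it is constructed, not captured from a device.

```python
"""Order `set svc.*-enable` commands for an SMS hardening change (Table 3-21).

Added example, not code from the HP manual or the SMS. It takes the current
service state and a desired state and emits the commands in an order that
respects the two rules the table states (FIPS mode can only be enabled while
SSH is enabled; disabling SSH also disables FIPS) and that never removes the
cleartext Telnet path before the SSH path is up. It also refuses a plan that
leaves no remote CLI at all unless the caller accepts console-only access.
Assumption, not from the manual: `get svc.*` output is parsed here as
`svc.<name>-enable=<true|false>` lines, mirroring the `set` syntax.
"""

SERVICES = ("fips", "http", "https", "ping", "ntp", "snmp", "ssh", "telnet")

# A reviewer's starting baseline: SSH (with FIPS-approved crypto) and NTP on,
# HTTPS kept for the client download, everything cleartext or unneeded off.
HARDENED = {"ssh": True, "fips": True, "ntp": True, "https": True,
            "http": False, "telnet": False, "ping": False, "snmp": False}

# Constructed sample of what the parser expects; not captured from a device.
SAMPLE_GET_OUTPUT = """\
svc.fips-enable=false
svc.http-enable=true
svc.https-enable=true
svc.ping-enable=true
svc.ntp-enable=true
svc.snmp-enable=true
svc.ssh-enable=false
svc.telnet-enable=true
"""


def parse_svc_state(lines):
    """Turn `svc.<name>-enable=<value>` lines into {name: bool}; other lines are ignored."""
    state = {}
    for line in lines:
        attr, sep, value = line.strip().partition("=")
        if not sep or not attr.startswith("svc.") or not attr.endswith("-enable"):
            continue
        name = attr[len("svc."):-len("-enable")]
        if name in SERVICES:
            state[name] = value.strip().lower() in ("true", "yes", "1")
    return state


def plan_changes(current, desired, allow_console_only=False):
    """Return the ordered commands that move `current` to `desired`, or raise ValueError."""
    final = {**current, **desired}
    # Disabling SSH drops FIPS mode as a side effect (table NOTE); say so explicitly.
    if final.get("ssh") is False and current.get("fips") and not desired.get("fips"):
        final["fips"] = False
    if final.get("fips") and not final.get("ssh"):
        raise ValueError("FIPS mode requires SSH to be enabled")
    if not final.get("ssh") and not final.get("telnet") and not allow_console_only:
        raise ValueError("SSH and Telnet would both be off; only the console would remain")

    cmds = []

    def want(name, value):
        if current.get(name) != value:
            cmds.append(f"set svc.{name}-enable={'true' if value else 'false'}")

    if final.get("ssh"):                 # 1. secure path up first; FIPS depends on it
        want("ssh", True)
    if "fips" in final:                  # 2. FIPS only after SSH
        want("fips", final["fips"])
    others = [s for s in SERVICES if s not in ("ssh", "fips", "telnet")]
    for name in others:                  # 3. remaining enables ...
        if final.get(name) is True:
            want(name, True)
    for name in others:                  # ... then disables
        if final.get(name) is False:
            want(name, False)
    if "telnet" in final:                # 4. cleartext CLI last, once SSH is known good
        want("telnet", final["telnet"])
    if final.get("ssh") is False:        # 5. SSH off last (takes FIPS with it)
        want("ssh", False)
    return cmds


if __name__ == "__main__":
    current = parse_svc_state(SAMPLE_GET_OUTPUT.splitlines())
    print("\n".join(plan_changes(current, HARDENED)))
```

Run against the sample state, the plan enables SSH, then FIPS, then disables HTTP, ping and SNMP, and only then Telnet. In practice, verify the SSH login from a second session before pasting the Telnet line, since the console is the only fallback once both remote paths are down.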


sw

Collection of software versioning attribs. The attribs are used to report the system software version, and to list the software packages and their individual versions.

Table 3-22 sw Attributes

Attribute: sw.components
Type: String   Access: read-only   Range: 0-1024
Returns a list of installed software packages and their versions.

Attribute: sw.version
Type: String   Access: read-only   Range: 1-32
Attribute returning the system software version.

sys

Collection of system-related attribs. The attribs retain system values, including the system name, location and contact.

Table 3-23 sys Attributes

Attribute: sys.contact
Type: String   Access: read-write   Range: 0-64
Attribute holding the system contact. Normally, this field contains the name and/or address of the administrator of this system.

Attribute: sys.location
Type: String   Access: read-write   Range: 0-64
Attribute holding the system location. Normally, this field contains the physical location of the system.

Attribute: sys.model
Type: String   Access: read-only   Range: 1-32
Attribute returning the model of the SMS. Provide this model in interactions with support staff.

Attribute: sys.name
Type: Name   Access: read-write   Range: 1-32
Attribute holding the system name. The system name must be set. It will be used in system prompts.

Attribute: sys.platform
Type: String   Access: read-only   Range: 1-32
Attribute returning the platform name. Provide this platform name in interactions with support professionals.

Attribute: sys.serialNum
Type: String   Access: read-only   Range: 20
Attribute returning the unique SMS system serial number. Provide this serial number in interactions with support professionals.

time

Collection of system time attribs. The attribs are used to configure the local time zone and the current system time.

See Also ntp


Table 3-24 time Attributes

Attribute: time.dateTime
Type: String   Access: read-only   Range: 32
Displays the current system time in a readable format.

Attribute: time.setTime
Type: String   Access: read-write   Range: 32
Displays and sets the current system time. The date and time is specified in the format:
[MMDDhhmm[[CC]YY][.ss]]

Attribute: time.setTimeZone
Type: String   Access: read-write   Range: 2-48
Displays and sets the current local time zone. Time zones can be represented in several forms. For example, US Eastern Time can be represented as either of the following:
• EST5EDT
• America/New_York
The first format is the preferred format: a three-letter zone, followed by a time offset from GMT, and another three-letter zone for daylight saving time.
Examples:
set time.setTimeZone=America/New_York
set time.setTimeZone=CST6CDT
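The time.setTime format has three optional parts, and a mistyped value silently sets the wrong date on the appliance, which in turn skews every log timestamp the SMS records. The following script is an added example, not part of this guide or of the SMS software: it expands [MMDDhhmm[[CC]YY][.ss]] into a datetime, rejecting impossible dates, and tells the two accepted time zone spellings apart (the preferred POSIX form such as EST5EDT and the IANA Area/Location form). Two rules in it are assumptions the guide does not state: a missing year keeps the current year, and a two-digit year follows the date(1) convention (69-99 means 1969-1999, 00-68 means 2000-2068). Zone names are checked for shape only; whether a given name exists is a matter for the appliance's own zone database.

```python
"""Parse time.setTime values and classify time.setTimeZone strings (Table 3-24).

Added example, not code from the HP manual or the SMS. `parse_set_time`
expands the documented `[MMDDhhmm[[CC]YY][.ss]]` format into a datetime and
rejects impossible dates; `classify_time_zone` tells the two spellings the
table accepts apart: the preferred POSIX form (EST5EDT) and the IANA
Area/Location form (America/New_York). Two rules are assumptions the manual
does not state: a missing year keeps the current year, and a two-digit year
follows the date(1) convention (69-99 -> 1969-1999, 00-68 -> 2000-2068).
Zone names are checked syntactically only.
"""
import re
from datetime import datetime

# MMDDhhmm, then an optional CCYY or YY, then an optional .ss
_SET_TIME = re.compile(r"^(\d{2})(\d{2})(\d{2})(\d{2})(\d{4}|\d{2})?(?:\.(\d{2}))?$")
# POSIX TZ: std zone letters, offset hours[:mm[:ss]] from GMT, optional DST zone letters
_POSIX_TZ = re.compile(r"^([A-Za-z]{3,})([+-]?\d{1,2}(?::\d{2}){0,2})([A-Za-z]{3,})?$")
# IANA: Area/Location (possibly Area/Region/Location), no spaces
_IANA_TZ = re.compile(r"^[A-Za-z]+(?:/[A-Za-z0-9_+-]+)*$")


def parse_set_time(value, default_year=None):
    """Return the datetime a `set time.setTime=<value>` argument denotes."""
    m = _SET_TIME.match(value)
    if not m:
        raise ValueError(f"{value!r} is not in the form MMDDhhmm[[CC]YY][.ss]")
    month, day, hour, minute, year, second = m.groups()
    if year is None:
        # assumption: no year given keeps the current (or caller-supplied) year
        y = default_year if default_year is not None else datetime.now().year
    elif len(year) == 4:
        y = int(year)
    else:
        yy = int(year)
        y = 1900 + yy if yy >= 69 else 2000 + yy  # assumption: date(1) two-digit-year rule
    # datetime() itself rejects month 13, Feb 30, hour 24, minute 61 and so on
    return datetime(y, int(month), int(day), int(hour), int(minute), int(second or 0))


def classify_time_zone(value):
    """Return 'posix' or 'iana' for an acceptable value, else raise ValueError."""
    if not 2 <= len(value) <= 48:              # Range column of the table
        raise ValueError("time.setTimeZone takes 2 to 48 characters")
    m = _POSIX_TZ.match(value)
    if m:
        hours = abs(int(m.group(2).split(":")[0]))
        if hours > 24:
            raise ValueError(f"offset {m.group(2)} is more than 24 hours from GMT")
        return "posix"
    if _IANA_TZ.match(value):
        return "iana"
    raise ValueError(f"{value!r} is neither a POSIX TZ string nor an Area/Location name")


if __name__ == "__main__":
    print(parse_set_time("081514302013.45"))
    for tz in ("EST5EDT", "CST6CDT", "America/New_York"):
        print(tz, classify_time_zone(tz))
```

Where NTP is available, prefer svc.ntp-enable with the ntp.server attribs over setting the clock by hand; the parser is for checking a manual value before it is applied, not a substitute for synchronized time.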
