
Forcepoint Appliances Command Line Interface (CLI) Guide
V Series, X Series, & Virtual Appliances
v8.4.x

2018, Forcepoint
All rights reserved.
10900-A Stonelake Blvd, Quarry Oaks 1, Suite 350, Austin TX 78759
Published 2018

Forcepoint and the FORCEPOINT logo are trademarks of Forcepoint. Raytheon is a registered trademark of Raytheon Company. All other trademarks used in this document are the property of their respective owners.

This document may not, in whole or in part, be copied, photocopied, reproduced, translated, or reduced to any electronic medium or machine-readable form without prior consent in writing from Forcepoint. Every effort has been made to ensure the accuracy of this manual. However, Forcepoint makes no warranties with respect to this documentation and disclaims any implied warranties of merchantability and fitness for a particular purpose. Forcepoint shall not be liable for any error or for incidental or consequential damages in connection with the furnishing, performance, or use of this manual or the examples herein. The information in this documentation is subject to change without notice.

Contents

Topic 1  Forcepoint Appliances Command Line Interface
    Conventions
        Logon and authentication
        CLI modes and account privileges
        Basic account management
        Command syntax
        Help for CLI commands
    System configuration
        Time and date
        Host name and description
        User certificates
        Filestore definition and file save commands
        Appliance interface configuration
        Appliance vswitch configuration
        Content Gateway Decryption Port Mirroring (DPM)
        Static routes
        Appliance status
        SNMP monitoring (polling)
        SNMP traps and queries
        Module-specific commands
        Email module commands
        Linux settings
    Maintenance and support
        Starting and stopping services
        Module status and version details
        Setting the Web policy mode
        Appliance hotfixes and upgrades
        Backup and restore
        Collecting a configuration summary for analysis
        Log files
    Diagnose
Topic 2  Copyrights and Trademarks
    Trademarks
    Other acknowledgments


Topic 1  Forcepoint Appliances Command Line Interface

CLI Guide Forcepoint Appliances v8.4.x

The command line interface (CLI) is a text-based user interface for configuring, monitoring, and troubleshooting Forcepoint Appliances. For more information about Forcepoint Appliances, see the Forcepoint Appliances Getting Started Guide.

This guide describes the syntax and usage of each CLI command, including:
- Conventions
- System configuration
- Maintenance and support
- Diagnose

Use the Forcepoint Appliances API to write scripts to execute configuration changes and perform updates across multiple appliances.

Forcepoint Appliances Copyrights and Trademarks statements are included in this document.

Conventions

Administrators who are new to the appliance CLI may benefit from these quick summaries:
- Logon and authentication
- CLI modes and account privileges
- Basic account management
- Command syntax
- Help for CLI commands

Logon and authentication

There are several ways to connect to the CLI. Once connected, log on to the CLI with the admin credentials. The password is set initially during firstboot and can be changed in the CLI.

Connection via SSH is available on all Forcepoint Appliances platforms. When SSH access is enabled (default), connect to the CLI using a terminal emulator and SSH. On a Windows system, use PuTTY or similar. On a Mac system, use Terminal. Connect to the appliance management interface IP address (interface C) on port 22.

On V Series or X Series appliances you can also access the CLI in these ways:
- Use the Virtual Console feature of the integrated DELL Remote Access Controller (iDRAC).
- Attach a keyboard and monitor directly to the appliance.
- Connect directly via the serial port or a KVM.

On a VMware virtual appliance, in addition to SSH you can access the CLI via the vSphere Client.

Note: Your logon session terminates automatically after 15 minutes of inactivity.

CLI modes and account privileges

By default, only the admin account is enabled on each appliance. This is the account whose password you set during the firstboot process.

Three working modes (sometimes called contexts) are supported by the Command Line Interface (CLI) and are available to every person logged on as admin.

Mode name   Description
view        The default mode. Used for displaying status and settings.
config      The mode required for changing settings and enabling/disabling options.
diagnose    The mode used to perform troubleshooting. It provides support for system and network test commands.

Immediately after logon, an admin is always in the view mode.

To move from view to the config mode, enter config on the command line. The admin password is required for this mode switch.

To move from view to the diagnose mode, enter diagnose on the command line.

To return to the view mode from config or diagnose, enter exit on the command line.

You cannot move from config directly to diagnose or vice versa.

Tip: In order to toggle more easily between diagnose and config modes, an admin may choose to open two sessions (diagnose mode and config mode) at the same time.

- Only one person logged in as admin can work in config mode at a time.
- If needed, a person logged in as admin who is working in the view mode can use the following command to immediately bump the admin who is working in the config mode:

      clear session --config

  This moves the administrator who had been working in config mode back into the view mode.

A person logged in as admin has full privileges in the view, config, and diagnose modes. While working in the config mode, an admin can optionally enable two accounts:
- The audit account is for colleagues who need to view settings. This account can work only in the view mode and can use only show and exit commands.
- The tech-support account is for use by Forcepoint technicians to provide technical support.

Basic account management

A person who is logged in as admin and working in the config mode can view, enable, and disable the audit account status and can change the password for the admin and audit accounts. An admin user can also display, create, modify, or delete a user account.

Configure accounts

Action:  Change the password for the admin account.
Syntax:  set account admin --password
Details: You are prompted to enter the current password, and then prompted to enter and confirm the new password.
         Note that the admin password is first set when you run the firstboot script.
         The password must be 8 to 15 characters in length and it must include:
         - At least one uppercase character
         - At least one lowercase character
         - At least one number
         - At least one character in the set: !#%&'()* ,-./; [email protected][] { }
         Exclude all of the following:
         - The special characters: space : \ "
         - The previous 3 passwords for the account
         - The device’s hostname
         - The user name of any appliance service account (admin, root, tech-support, audit)
         - Common appliance- or company-related names

Action:  See if the audit account is enabled or disabled.
Syntax:  show account audit --status
Details: The audit account is disabled by default.

Action:  Enable or disable the audit account.
Syntax:  set account audit --status <enabled|disabled>
Details: The --status and --password parameters cannot be used at the same time.
         When enabling the audit account for the first time, also set a password.
         The password must be 8 to 15 characters in length and it must include:
         - At least one uppercase character
         - At least one lowercase character
         - At least one number
         - At least one character in the set: !#%&'()* ,-./; [email protected][] { }
         Exclude all of the following:
         - The special characters: space : \ "
         - The previous 3 passwords for the account
         - The device’s hostname
         - The user name of any appliance service account (admin, root, tech-support, audit)
         - Common appliance- or company-related names.

Action:  Set or change the audit account password.
Syntax:  set account audit --password
Details: You are prompted to enter the password.

Action:  Enable or disable remote CLI access via SSH.
Syntax:  set access ssh --status <enabled|disabled>
Details: SSH status is enabled or disabled for all active accounts.
         Valid users include admin, audit, and tech-support. There is no access via SSH for the root user, as this is a reserved internal account.

Action:  Display whether remote CLI access via SSH is enabled or disabled.
Syntax:  show access ssh --status

Action:  Display the admin account email address.
Syntax:  show account email

Action:  Define an email address to use for admin account password recovery.
Syntax:  set account email --address <address>
Details: A temporary password is sent to this email address when you request automated password recovery help.
         You must also define an SMTP server. (See next command.)
         Technical Support can also manually issue a temporary password if you provide the security code you see in the appliance iDRAC console.

Action:  Send a test email using the email/SMTP configuration.
Syntax:  send test email

Action:  Display the SMTP server settings used with the admin email address to facilitate password recovery.
Syntax:  show account smtp
Details: Displays:
         - Server IP address or hostname
         - Server port
         - Server user name
         - Server password

Action:  Define an SMTP server for use during admin account password recovery.
Syntax:  set account smtp --host <location> --port <port> --user <name>
Details: Password recovery requires you to define:
         1. An SMTP server
         2. A valid email address to receive a temporary password
         The host location can be either the SMTP server’s IPv4 address or its hostname.
         The SMTP port is optional (set to 25, by default).
         The user is the account to use to connect to the SMTP server.
         Example:
         (config)# set account smtp --host 10.0.0.25 --port 25 --user smtpuser

Action:  Delete the password recovery email address.
Syntax:  delete account email

Action:  Delete SMTP settings.
Syntax:  delete account smtp

Action:  For admin account password recovery, enter Ctrl P at the console logon prompt. The old password will be overwritten as soon as the admin types “yes” in the confirmation dialog box.
Details: If you have lost or forgotten your admin password, you can either:
         - Have a temporary password sent to the email address configured on the appliance.
         - Contact Technical Support to receive a temporary password by providing the security code displayed on the console.
         Use the temporary password to log on to the appliance. You will be prompted to set a new password.
         The password must be 8 to 15 characters in length and it must include:
         - At least one uppercase character
         - At least one lowercase character
         - At least one number
         - At least one character in the set: !#%&'()* ,-./; [email protected][] { }
         Exclude all of the following:
         - The special characters: space : \ "
         - The previous 3 passwords for the account
         - The device’s hostname
         - The user name of any appliance service account (admin, root, tech-supp
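
The following Python check is an added example, not part of the Forcepoint guide or product: it applies the password rules listed above for the admin and audit accounts to a candidate password before it is typed at the CLI prompt. Assumptions: the symbol set holds only the characters legible on this page, names are matched as case-insensitive substrings, and `check_password`, `banned_names` and the sample hostname are hypothetical; the previous-3-passwords rule is left to the appliance, since checking it locally would mean retaining old passwords.

```python
import re

# Symbols legible in this page's damaged character-set listing (assumption:
# the appliance's full set may contain more characters than these).
LEGIBLE_SYMBOLS = set("!#%&'()*,-./;[]{}")
# Characters the guide excludes: space, colon, backslash, double quote.
EXCLUDED_CHARS = set(' :\\"')
# Service account names listed in the guide.
SERVICE_ACCOUNTS = ("admin", "root", "tech-support", "audit")


def check_password(candidate, hostname, banned_names=()):
    """Return the list of rules the candidate violates (empty list = pass).

    banned_names stands in for the guide's "common appliance- or
    company-related names", which the guide does not enumerate.
    The previous-3-passwords rule is not checked here.
    """
    problems = []
    if not 8 <= len(candidate) <= 15:
        problems.append("length must be 8 to 15 characters")
    if not re.search(r"[A-Z]", candidate):
        problems.append("needs an uppercase character")
    if not re.search(r"[a-z]", candidate):
        problems.append("needs a lowercase character")
    if not re.search(r"[0-9]", candidate):
        problems.append("needs a number")
    if not LEGIBLE_SYMBOLS & set(candidate):
        problems.append("needs a character from the symbol set")
    bad = sorted(EXCLUDED_CHARS & set(candidate))
    if bad:
        problems.append("contains excluded character(s): " + repr("".join(bad)))
    # Assumption: names are matched as case-insensitive substrings, which is
    # at least as strict as an exact-match reading of the rule.
    lowered = candidate.lower()
    for name in (hostname, *SERVICE_ACCOUNTS, *banned_names):
        if name and name.lower() in lowered:
            problems.append("contains excluded name: " + name)
    return problems


if __name__ == "__main__":
    # Constructed sample values; "fp-app01" is a made-up hostname.
    for pw in ("Str0ng-Pass", "Admin:2018", "Fp-App01#xY"):
        print(repr(pw), check_password(pw, hostname="fp-app01") or "OK")
```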