Symantec Integrated Secure Gateway 2.1
Integrated Secure Gateway 2.1
Table of Contents
ISG Required Ports, Protocols, and Services
ISG Security Best Practices
About Integrated Secure Gateway
    About Licensing ISG Applications
    About Network Interfaces for Applications and Appliances
    About Application Serial Numbers and License IDs
    First Steps
    Manage Applications
    Manage Images
    Manage Licenses
    Upgrade Instructions
    Platform and Performance Reference
    Troubleshooting
Command Line Overview
    Command Usage Conventions
    Typographical Conventions
    Command Prompts
    Edit Previously Entered Commands
    Standard Mode Commands
        enable
        exit
        show
    Enable Mode Commands
        applications
        authentication
        clock
        configure
        diagnostics
        diagnostic-systems
        disable
        display-level
        event-log
        exit
        halt
        health-monitoring
            health-monitoring metric
            health-monitoring view
        history
        images
        installed-systems
        ip
        licensing
        login-banner
        logout
        ntp
        password-policy
        pcap
        ping
        proxy-settings
        restart
        restore-defaults
        send
        show
        shutdown
        smtp
        snmp
        ssh-console
        ssl
            ssl create
            ssl delete
            ssl edit
            ssl inline
            ssl view
        traceroute
        upload
    Configure Mode Commands
        acl
        appliance-name
        applications
            applications attach-console
            applications create
            applications delete
            applications edit
            applications start
            applications stop
            applications view
        authentication
        clock
        diagnostic-systems
        dns
        event-log
        exit
        halt
        health-monitoring
            health-monitoring metric
            health-monitoring view
        images
            images delete
            images load
            images view
        installed-systems
        interface
        ipv6
        licensing
        login-banner
        ntp
        password-policy
        pcap
        proxy-settings
        restart
        restore-defaults
        show
        shutdown
        smtp
        snmp
            snmp agent
            snmp community
            snmp notify
            snmp system
            snmp target
            snmp usm local
            snmp usm remote
            snmp vacm group access
            snmp vacm group member
        ssh-console
        ssl
            ssl create
            ssl delete
            ssl edit
            ssl inline
            ssl view
        timezone
        upload
    ISG CLI Error Message Reference
Documentation Legal Notice
ISG Required Ports, Protocols, and Services
Inbound Connections
Outbound Connections
ISG Security Best Practices
• Most attacks exploit known vulnerabilities. Make sure your ISG appliance is updated with the latest available software version.
• Ensure that the primary administrator account (admin) details are known only to a select few administrators.
Set the primary admin password to use twelve or more characters, and include a mix of case and special characters. Save the details in a secure location.
• Set a unique enable password, different from the password of the built-in admin account.
Set the enable password to use twelve or more characters, and include a mix of case and special characters. Save the details in a secure location.
• Make sure that every ISG administrator has their own account.
• Do not share admin accounts.
• Wherever possible, use LDAPS (Secure LDAP) authentication or AD. LDAPS and AD are more secure than local authentication or standard LDAP or RADIUS authentication.
• Set the ISG Audit Log to remote output syslog.
ISG sends all audit records to the syslog. Enable remote syslog so that you can detect abnormal behavior as quickly as possible.
• Enable all email and other alerts.
Direct emails and other alerts to addresses and services that can be viewed by multiple administrators.
• Review system logs regularly.
Administrators must examine the system frequently. Specifically, review the System logs for errors, anomalies, or unexpected events, and review the Audit logs for unauthorized access attempts or suspicious activities.
• Set max failed attempts for authentication.
Set a limit for the number of failed access attempts on any external authentication service you are using.
• Use SNMPv3 for system activity reporting.
Earlier versions of SNMP do not support authentication or security features.
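The following Python script is an added example and is not part of the Symantec ISG documentation. It shows two checks an administrator might script when applying the practices above: a test that a candidate admin or enable password meets the stated policy (twelve or more characters, mixed case, at least one special character), and a review of remotely collected audit records for bursts of failed logins from a single source, which is the kind of unauthorized access attempt the audit-log review is meant to catch. The syslog line layout, the isg-audit tag, the event names and the sample records are constructed for the example; the real ISG audit format is not shown on this page.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Policy stated in the best practices above: twelve or more characters with a
# mix of case and at least one special (non-alphanumeric) character.
MIN_PASSWORD_LENGTH = 12


def password_meets_policy(password: str) -> bool:
    """True if a candidate admin or enable password satisfies the stated policy."""
    return (
        len(password) >= MIN_PASSWORD_LENGTH
        and any(c.islower() for c in password)
        and any(c.isupper() for c in password)
        and any(not c.isalnum() for c in password)
    )


# Constructed, hypothetical record layout: a syslog-style prefix followed by
# key=value fields. The real ISG audit format is not shown on this page.
AUDIT_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ isg-audit: "
    r"event=(?P<event>\S+) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_audit_line(line: str, year: int = 2020):
    """Parse one constructed audit line; return None for lines that do not match."""
    m = AUDIT_LINE.match(line)
    if m is None:
        return None
    # Classic syslog timestamps carry no year, so the caller supplies one.
    stamp = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": stamp, "event": m["event"], "user": m["user"], "src": m["src"]}


def failed_login_bursts(lines, max_failures=5, window=timedelta(minutes=10)):
    """Map each source address that produced more than max_failures failed
    logins inside any sliding window of the given length to the largest burst seen."""
    failures = defaultdict(list)
    for line in lines:
        rec = parse_audit_line(line)
        if rec is not None and rec["event"] == "login-failed":
            failures[rec["src"]].append(rec["ts"])

    flagged = {}
    for src, stamps in failures.items():
        stamps.sort()
        start = 0
        for end, current in enumerate(stamps):
            # Slide the window start forward until it is within range of the newest stamp.
            while current - stamps[start] > window:
                start += 1
            burst = end - start + 1
            if burst > max_failures:
                flagged[src] = max(flagged.get(src, 0), burst)
    return flagged


# Constructed sample records: six rapid failures from one address, then one
# ordinary failure followed by a success from another.
SAMPLE_AUDIT_LOG = [
    "Jun 15 21:10:52 isg01 isg-audit: event=login-failed user=admin src=198.51.100.7",
    "Jun 15 21:11:03 isg01 isg-audit: event=login-failed user=admin src=198.51.100.7",
    "Jun 15 21:11:20 isg01 isg-audit: event=login-failed user=root src=198.51.100.7",
    "Jun 15 21:11:41 isg01 isg-audit: event=login-failed user=admin src=198.51.100.7",
    "Jun 15 21:12:05 isg01 isg-audit: event=login-failed user=admin src=198.51.100.7",
    "Jun 15 21:12:30 isg01 isg-audit: event=login-failed user=admin src=198.51.100.7",
    "Jun 15 21:14:10 isg01 isg-audit: event=login-failed user=alice src=203.0.113.5",
    "Jun 15 21:14:25 isg01 isg-audit: event=login-ok user=alice src=203.0.113.5",
]

if __name__ == "__main__":
    for candidate in ("Tr0ub4dor&3xample!", "NoSpecialChars123", "short1!"):
        verdict = "ok" if password_meets_policy(candidate) else "rejected"
        print(f"{candidate!r}: {verdict}")
    for src, burst in failed_login_bursts(SAMPLE_AUDIT_LOG).items():
        print(f"{src}: {burst} failed logins within 10 minutes")
```

The burst threshold and window are parameters so they can be aligned with whatever limit is configured on the external authentication service; a source that trips the detector here is one that the remote syslog collector should already be alerting on.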
First Steps
Perform the initial configuration steps.
1. 0:0
2. 2:0
3. 2:1
4. 2:2
5. 2:3
You can connect to the command line interface or the Web interface to perform additional management
tasks.
To connect to the command line interface, open the following location from your SSH appliance: 192.0.2.0
To connect to the Web management interface, go to the following location with your web browser:
https://192.0.2.0:8082/
NOTE
The line "To connect to the Web management interface, go to the following location
with your web browser: https://192.0.2.0:8082/ " in the output is erroneous. The SSP
appliance does not offer a web console of its own, and must be configured via the CLI.
(config)# images
(config-images)# load application_location_URL
Manage Applications
View application information, attach the serial console to running applications, and edit existing applications.
Create Applications
1. Connect to the ISG via SSH.
2. Access the CLI and enter configuration mode.
3. Create the application:
(config)# applications
(config-applications)# create sg sg_name model model_name license-id license_id image-id image_id
ok
For information on the different license types available for your appliance, see Platform and Performance Reference.
Edit Applications
1. Connect to the ISG via SSH.
2. Access the CLI and enter enable mode.
3. Stop the application that you want to edit:
(config-applications)# stop application_name
NOTE
To edit an existing application, your application must be in a Created or Stopped state.
4. Edit the application:
(config-applications)# edit application_name model_type | image-id image_id
The following example shows how to view the application configuration, stop the application, and change the model from a
C2L to a C2S:
(config-applications)# view SG1
Remove Applications
1. Connect to the ISG via SSH.
2. Access the CLI and enter configuration mode.
3. Remove the application:
(config-applications)# delete application_name
Manage Images
Install Images
1. Connect to the ISG via SSH.
2. Access the CLI and enter configuration mode.
3. Install the image:
(config-images)# load image_url
Remove Images
NOTE
You can only delete images when they are not in use.
1. Connect to the ISG via SSH.
2. Access the CLI and enter configuration mode.
3. Remove the image:
(config-images)# delete image_id
Manage Licenses
Perform administrative tasks for your application licenses.
Install Licenses
Before installing your license, ensure you have your license ID available. For information on locating your license ID, see
About Application Serial Numbers and License IDs.
1. Connect to the ISG via SSH.
2. Access the CLI and enter enable mode.
3. Install the license:
# licensing load id license_id username username password password
If the license loaded successfully, the CLI displays the message License update was successful for license id license_id.
Update Licenses
To update a license installed in an application running on ISG:
1. Connect to the ISG via SSH.
2. Access the CLI and enter enable mode.
3. Load the updated license into the ISG license inventory with one of the following commands:
# licensing load id license_id
# licensing inline passphrase passphrase
If the license loaded successfully, the CLI displays the message License update was successful for license id license_id.
4. From the ISG CLI, stop and restart the application:
(config)# applications
(config-applications)# stop application_name
(config-applications)# start application_name
5. Verify the license updated by comparing license contents for the ISG and the applications that run on it:
a. Retrieve the license contents from the ISG CLI:
# licensing view id license_id
b. In the ProxySG CLI, retrieve the license contents for the ProxySG applications:
> show licenses
c. Compare the ISG license contents to the application license contents and ensure they match.
Upgrade Instructions
Perform the following steps to upgrade the ISG via the ISG command line.
IMPORTANT
Downgrading to ISG 1.67.5.3 is not supported.
1. Stop all existing applications by running the following command for each application:
(config-applications)# stop application_name
4. (Only if upgrading from ISG 1.67.5.3) Previously existing applications are put into the Created state and do not have
an associated default image. To associate a default image with the applications, do the following:
a) Load an application image onto the ISG:
(config-images)# load application_location_URL
b) Retrieve and record the image ID:
(config-images)# view
Image ID Type Version Release ID In Use
sg-6.7.5.3-250069 SG 6.7.5.3 250069 0
c) Assign the image ID to each of the existing applications:
(config-applications)# edit application_name image-id image_ID
5. Start each application and verify that each starts properly and contains all previously existing data.
6. (Only if upgrading from ISG 1.67.5.3) Delete the previous ISG 1.67.5.3 image:
a) Locate the ISG 1.67.5.3 image:
# installed-systems view
1. Version : 2.2.1.1, Release ID : 253965, Locked : false, Booted : true
Platform and Performance Reference
The following table lists the total resources available on the SSP appliance model and the resources from that total that are available for virtual applications.

SSP Model   Resources Available for Applications      Total Resources on the SSP Platform
            vCPUs   RAM (GB)   Disk                   vCPUs   RAM (GB)   Disk

The following table lists the resources required for each application model and the number of instances of that model that can fit on the various SSP appliance models.

Application   Resource Requirements Per Application Model          Number of Model Instances Supported Per SSP Appliance
Model         vCPU   RAM (GB)   Disk (GB)   Connection Count     S410-10   S410-20   S410-30   S410-40
C2S           2      12         1x200       15,000               2         4         4         8
C2M           2      16         1x200       20,000               2         4         4         8
C2L           2      20         1x200       25,000               1         4         4         8
C4S           4      20         1x200       25,000               1         4         4         8
C4M           4      24         1x200       37,500               1         3         4         8
C4L           4      32         1x200       50,000               1         2         4         8
C8S           8      32         2x200       50,000               1         2         2         4
C8M           8      64         2x200       100,000              0         1         2         4
C8L           8      80         2x200       125,000              0         1         2         4
C16XS         16     32         2x200       50,000               1         2         2         4
C16S          16     80         2x200       125,000              0         1         2         4
C16M          16     128        4x200       200,000              0         0         1         2
C16L          16     160        4x200       250,000              0         0         1         2

The following table lists the recommended configurations for maximum performance per SSP appliance model.

SSP Model   Application Model   Instance Count   Total vCPU   Total RAM (GB)   Total Disk (GB)   Total Connections
S410-10     C16XS               1                16           32               400               50,000
S410-20     C16XS               2                32           64               800               100,000
S410-30     C24S                2                48           160              800               250,000
S410-40     C16S                4                64           320              1,600             500,000
Troubleshooting
Licensing Issues
If you experience issues when licensing your applications, reinstall the license. See Manage Licenses.
If the issue persists, contact Broadcom support: https://support.broadcom.com/contact-support.html.
Typographical Conventions
The following typographical conventions are used for command syntax:
Command Prompts
The CLI has three major modes—standard, privileged (enable), and configure.
• Standard mode: Initial mode; use to monitor the service. Prompt: >
• Privileged (enable) mode: View, manage, and change the appliance settings. Prompt: #
• Config mode: Configuration mode, used to configure a service. Prompt: (config)#
Certain configuration commands also have modes that change the command prompt. For example:
• authentication configuration mode: (config-authentication)# prompt
• health monitoring mode: (config-health-monitoring)# prompt
• NTP configuration mode: (config-ntp)# prompt
• SSL configuration mode: (config-ssl)# prompt
To exit the current mode, type exit; you may need to type exit multiple times to return to the desired mode.
Edit Previously Entered Commands
Display a previously entered command                Press the up arrow until the command you want is displayed
Scroll down through the command history             Press the down arrow
Move the cursor to the left                         Press the left arrow
Move the cursor to the beginning of the line        Press Ctrl+A
Move the cursor to the right                        Press the right arrow
Insert characters                                   Position the cursor and start typing
Delete the character to the left of the cursor      Press Backspace
Delete all characters on the line                   Press Ctrl+U
Cancel the current command                          Press Ctrl+C
View the history of all commands since last boot    See history.
NOTE
If the arrow keys aren't working, make sure your remote login utility is emulating VT100 arrows. You may need to
enable this option in your client.
enable
Enter the elevated privilege mode, known as enable mode. You will be prompted to enter the enable password.
Syntax
>enable
Notes
• When enable mode is turned on, the prompt changes from > to # .
• To return to standard mode, use the disable command.
exit
Exit from the current mode.
For example, if you are in configuration mode, exit returns you to enable mode. If you are in configure-applications
mode, exit returns you to configure mode. If you are in standard mode, exit closes the session.
Syntax
> exit
Notes
You can use this command in any mode.
show
Display information about the system and settings.
Syntax
> show ?
Examples
> show clock
UTC time : 2020-06-15 21:10:52+00:00 UTC
Local time : 2020-06-15 21:10:52+00:00 UTC
Timezone : UTC
applications
Lists the applications currently available on the ISG and attaches a terminal console to an application.
Syntax
# applications ?
Example
# applications view proxysg1
NAME VCPU MEMORY MODEL STATUS
proxysg1 2 12 GB C2S Starting
authentication
Define authentication realms and local users.
Syntax
# authentication ?
create local-user-list <name> | realm name <name>
    Create a new local user list, user name, or realm.
delete local-user-list <name> | realm name <name>
    Delete a local user list, user name, or realm.
edit local-user-list <name> | realm name <name> view
    Edit local user lists and user names, or view realms.
Examples
# authentication create realm name local
# authentication edit realm local view
Realm name: local
Default group: none
Display name: LocalRealm
Local user list: UserListA
Realm type: none
# authentication delete realm name local
ok
clock
Manually set the time and date of the appliance in Coordinated Universal Time (UTC).
Syntax
# clock day <value> | hour <value> | minute <value> | month <value> | second <value> | year <value>
Notes
• Each value must be entered as a separate command.
• If you are using an NTP server, you do not need to manually set the clock.
Examples
# clock day 2
# clock month 9
# clock year 2020
configure
A command to enter a mode in which CLI commands are available for changing the configuration of the software and
appliance.
Syntax
# configure
Notes
• When in configure mode, the command prompt changes to: (config)#
• Type ? to see a list of CLI commands available in configure mode.
• Type exit to disable configure mode. The command prompt changes to: #
diagnostics
Provide access to the appliance or submit troubleshooting information to Broadcom Support to help diagnose hardware or
software issues.
Syntax
# diagnostics ?
heartbeat disable | enable | view | send
    Enable or disable the sending of heartbeat data to Broadcom; view the current heartbeat report or configuration; send the report to Broadcom.
service-info send [<service_request_number> | password <password>] | plugins <plugin_name> | url <url> | [username <username>]
    Generate and upload the service diagnostics to Broadcom or to a server that you specify. If you are sending diagnostics to your own server, a service request (SR) number is not required.
diagnostic-systems
Manage diagnostic images installed on the system. Up to six images can be installed on the system. If your system
already has six images installed and you add another image, the oldest unlocked image will be replaced with the new
image, unless you have designated a particular image to be replaced.
Syntax
# diagnostic-systems ?
load <URL>
    Download and install a diagnostic image on the system. <URL> is the path to an image on a web server that the appliance can reach. Example: http://webserver.mycompany.com/images/diag.bcs
lock <image#>
    Lock a diagnostic image to protect it from accidental deletion.
replace <image#>
    Designate which image will be replaced next (if the system already has six installed images and you load another image). If you do not specify an image to be replaced, the oldest unlocked image on the system is replaced.
unlock <image#>
    Unlock a diagnostic image that you no longer want to protect from deletion. You must unlock a locked image before you can remove it.
unset-replace
    Unset the image to be replaced next. When no replacement image is designated, the oldest unlocked image is replaced when you load a seventh image.
view
    Show a list of installed diagnostic images along with their image numbers, software versions, release IDs, whether each image is locked or unlocked, whether it has ever been booted, its creation date/time, and its boot date/time. The summary at the bottom of the list indicates which image number is the current running system, the default system to run the next time the appliance is restarted, and the image number that will be replaced next.
Examples
# diagnostic-systems load http://webserver.mycompany.com/images/diag.bcs
disable
Return to standard mode.
Syntax
# disable
Notes
When enable mode is turned off, the prompt changes from # to >.
display-level
Set the depth of the configuration that is shown by the show full-configuration and show running-configuration
commands. For example, if the display-level is set to 1 , only top-level configuration nodes and their values are shown. If it
is set to 2 , then top-level nodes and their child nodes are shown, and so on. By default, the entire configuration is shown.
Syntax
# display-level [level <n>]
Examples
# display-level 1
event-log
Manage syslog settings. The syslog feature gives administrators a way to centrally log and analyze events on the
system. This command is available in both the enable and config modes.
Syntax
# event-log ?
level <value>
    Set the highest severity number that is forwarded to the syslog server; messages with a higher number (that is, less severe) are suppressed. For example, setting the level to 3 forwards messages with levels 0-3 and suppresses messages with levels 4-7. <value> can be one of the following:
    • 0 Emergency: system is unusable
    • 1 Alert: action must be taken immediately
    • 2 Critical: critical conditions
    • 3 Error: error conditions
    • 4 Warning: warning conditions
    • 5 Notice: normal but significant condition
    • 6 Informational: informational messages
    • 7 Debug: debug-level messages
log-size <value>
    Set the maximum size in MB for the event log.
syslog add host <host> [port <port>]
    Configure a syslog server, where <host> is the host name or IP address of the syslog server. Optionally, specify a custom port, where <port> is the port number.
syslog add tls host <host> [port <port>]
    Configure a syslog server using TLS, where <host> is the host name or IP address of the syslog server. Optionally, specify a custom port, where <port> is the port number.
syslog add udp host <host> [port <port>]
    Configure a syslog server using UDP, where <host> is the host name or IP address of the syslog server. Optionally, specify a custom port, where <port> is the port number.
syslog remove host <host>
    Remove a configured syslog server by specifying its <host>.
syslog clear
    Remove all configured syslog servers.
view
    View syslog settings.
Notes
• You can add multiple syslog servers.
• The sub-commands listed above can be entered at the enable prompt, in event-log configuration mode (at the (config-event-log) prompt), or in configuration mode (at the (config) prompt).
• Only the tls form protects events in transit. UDP syslog is neither encrypted nor authenticated, so anyone on the path can read or forge events; use tls where the collector supports it, and keep the syslog path on a management network.
Examples
# event-log syslog add udp host 203.0.113.17
Added syslog server host 203.0.113.17:514.
# event-log view
Log level: 5 (notice)
Remote syslog servers:
203.0.113.17:514
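The level rule above is a plain severity comparison on each message. The following is an added example, not ISG code, that applies it to syslog-formatted lines: it reads the <PRI> prefix, derives the severity, and keeps only messages at or below the configured level. The sample lines are constructed for the example.

```python
"""Added example (not ISG code): apply an event-log style severity threshold
to syslog lines. Sample lines below are constructed."""
import re

# RFC 5424 severities, numbered exactly as in the event-log level table.
SEVERITY_NAMES = {
    0: "emergency", 1: "alert", 2: "critical", 3: "error",
    4: "warning", 5: "notice", 6: "informational", 7: "debug",
}

# A syslog line starts with "<PRI>", where PRI = facility * 8 + severity.
_PRI_RE = re.compile(r"^<(\d{1,3})>")


def parse_pri(line):
    """Return (facility, severity) from the leading <PRI> of a syslog line,
    or None if the line has no valid PRI (valid range is 0-191)."""
    m = _PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:
        return None
    return divmod(pri, 8)   # (facility, severity)


def is_forwarded(line, level):
    """True when the message's severity number is <= the configured level.
    With level 3, severities 0-3 pass and 4-7 are suppressed, matching the
    example in the event-log table. Lines without a parsable PRI are kept,
    so a malformed line is never dropped silently."""
    parsed = parse_pri(line)
    if parsed is None:
        return True
    _facility, severity = parsed
    return severity <= level


def filter_lines(lines, level):
    return [ln for ln in lines if is_forwarded(ln, level)]


# Constructed sample lines (facility 4 = auth) with severities 2, 3, 4, 6, 7.
SAMPLE_LINES = [
    "<34>1 2020-06-15T21:10:52Z isg1 auth - - - ssh login failed for admin",  # 4*8+2 critical
    "<35>1 2020-06-15T21:10:53Z isg1 auth - - - password policy violation",   # error
    "<36>1 2020-06-15T21:10:54Z isg1 auth - - - session idle timeout",        # warning
    "<38>1 2020-06-15T21:10:55Z isg1 auth - - - user admin logged in",        # informational
    "<39>1 2020-06-15T21:10:56Z isg1 auth - - - kex negotiation details",     # debug
]

if __name__ == "__main__":
    for level in (3, 5):
        kept = filter_lines(SAMPLE_LINES, level)
        print(f"level {level} ({SEVERITY_NAMES[level]}): {len(kept)} of {len(SAMPLE_LINES)} forwarded")
        for ln in kept:
            _, sev = parse_pri(ln)
            print(f"  [{SEVERITY_NAMES[sev]}] {ln}")
```

Run it to see that level 3 forwards only the critical and error lines while level 5 (the default shown by event-log view above) also passes the warning; raising the level to 7 is what you would need before the debug line reaches the collector.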
exit
Exit from the current mode.
For example, if you are in configuration mode, exit returns you to enable mode. If you are in configure-applications
mode, exit returns you to configure mode. If you are in standard mode, exit closes the session.
Syntax
> exit
Notes
You can use this command in any mode.
halt
Halts the operating system and stops all CPUs. Once the system is cleanly halted, you can power down the appliance.
Syntax
# halt
Notes
The halt and shutdown commands are similar; the only difference is that shutdown disconnects the power via the CLI
command.
health-monitoring
View Health Monitoring (HM) events and status, and view and change HM settings. This command is available in both the
enable and config modes.
Syntax
# health-monitoring ?
health-monitoring metric
The health monitoring system tracks CPU utilization (cpu-util ), memory utilization (memory-util ), and license-
server statuses. Use the health-monitoring view settings command to see a list of metrics tracked on your
system.
Syntax
# health-monitoring metric ?
Notes
• There are four possible thresholds, although no metric has all four:
  – high-warning-threshold—If the metric is equal to or exceeds this threshold, the metric goes into a Warning state.
  – high-critical-threshold—If the metric is equal to or exceeds this threshold, the metric goes into a Critical state.
  – low-warning-threshold—If the metric is less than or equal to this threshold, the metric goes into a Warning state.
  – low-critical-threshold—If the metric is less than or equal to this threshold, the metric goes into a Critical state.
  Each metric has either the high pair or the low pair of thresholds, not both.
  When a threshold is crossed and the metric transitions to a new state (for example, from OK to Warning, or from Warning to Critical), you can have the system send a notification email, syslog alert, or SNMP trap.
• You will need to configure SMTP settings to send email notifications, event-log settings to send alerts to a syslog
server, and SNMP trap targets and vacm groups to send SNMP traps.
Examples
# health-monitoring metric memory-util high-warning-threshold 75
# health-monitoring metric memory-util email enabled
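The threshold comparisons and state transitions described in the notes above, as an added example that is not ISG code: a small monitor classifies each sample and records an event only when the state changes, which is the moment a notification would be sent. The memory-util warning threshold is the one from the example commands; the critical threshold and the sample values are constructed.

```python
"""Added example (not ISG code): health-monitoring threshold evaluation and
state-transition events. Threshold and sample values are constructed."""

OK, WARNING, CRITICAL = "OK", "Warning", "Critical"


def evaluate(value, thresholds):
    """Classify one sample.

    thresholds holds either the high pair (high-warning-threshold,
    high-critical-threshold) or the low pair, never both, matching the note
    above. High thresholds trip when value >= threshold, low thresholds when
    value <= threshold. Critical is tested first so that a value past both
    thresholds lands in Critical rather than Warning."""
    if "high-warning-threshold" in thresholds or "high-critical-threshold" in thresholds:
        if value >= thresholds.get("high-critical-threshold", float("inf")):
            return CRITICAL
        if value >= thresholds.get("high-warning-threshold", float("inf")):
            return WARNING
        return OK
    if value <= thresholds.get("low-critical-threshold", float("-inf")):
        return CRITICAL
    if value <= thresholds.get("low-warning-threshold", float("-inf")):
        return WARNING
    return OK


class MetricMonitor:
    """Tracks one metric and records an event only when its state changes,
    which is when the ISG would send the configured notification."""

    def __init__(self, name, thresholds, notify=("log",)):
        self.name = name
        self.thresholds = thresholds
        self.notify = tuple(notify)
        self.state = OK
        self.events = []   # (metric, old_state, new_state, value)

    def sample(self, value):
        new_state = evaluate(value, self.thresholds)
        if new_state != self.state:
            self.events.append((self.name, self.state, new_state, value))
            self.state = new_state
        return self.state


def run_samples(monitor, values):
    """Feed a sequence of samples and return the transitions recorded."""
    for value in values:
        monitor.sample(value)
    return monitor.events


if __name__ == "__main__":
    # Warning threshold from the example above; critical threshold and the
    # sample series are constructed for this demonstration.
    mem = MetricMonitor("memory-util",
                        {"high-warning-threshold": 75, "high-critical-threshold": 90},
                        notify=("log", "email"))
    for metric, old, new, value in run_samples(mem, [14, 60, 75, 80, 92, 70, 20]):
        print(f"{metric}: {old} -> {new} at {value}% (notify via {', '.join(mem.notify)})")
```

Note that the sample at exactly 75 already produces the OK to Warning event, and that the later samples at 80 and 20 produce nothing because the state does not change; this is why health-monitoring view events shows far fewer rows than there were checks.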
health-monitoring view
The view command in the health monitoring system is used for showing the event history and metric settings.
Syntax
# health-monitoring view ?
current
    View the current state of all metrics. The output lists each metric, when the health monitoring system last checked it, the current state (OK, Warning, Critical) and the current value (for example, 28%).
events [metric <metric_name> | all] [duration <value>d | h | m]
    Show the event history for all metrics or for one metric, for the specified duration. An event is an occasion where the metric crossed a configured threshold and changed state (for example, from OK to Warning, or from Warning to Critical).
    • The metric and duration parameters are optional.
    • If the metric parameter is omitted, all is assumed.
    • If the duration parameter is omitted, 24h is assumed.
    • The d, h, or m suffix indicates days, hours, or minutes, respectively.
settings
    Show the configured threshold settings and alert type (Log, Email, SNMP Trap) for each metric.
Examples
# health-monitoring view current
Health Monitoring current state of all metrics:
Last Check           | Metric Name                     | State
---------------------+---------------------------------+-------------------------
2017-11-06 23:22:02  | CPU Utilization                 | OK - 2.63%
2017-11-06 23:22:01  | Memory Utilization              | OK - 18416/128786MB 14%
2017-11-06 23:22:01  | RAID casma_raid Working Members | OK
history
Specify how far back in the command history previously-entered commands can be retrieved. For example, with a
history size of 5 , the previous five commands can be retrieved. Each time you press the up arrow, a previously-entered
command is displayed.
Syntax
# history <size>
Notes
When using the up arrow to retrieve previously-entered commands that use passwords, password values are obscured
with asterisks.
images
Lists the application images on the ISG.
Syntax
# images ?
view [<image_id> | sg]
    Display all images, a specific image, or all ProxySG images.
Example
# images view
installed-systems
Manage images installed on the system. Up to six images can be installed on the system. If your system already has six
images installed and you add another image, the oldest unlocked image will be replaced with the new image, unless you
have designated a particular image to be replaced.
CAUTION
Only customers with a valid support contract can upgrade to major releases. If your support contract has expired, the image installation will fail. Note that you can still upgrade to maintenance releases for the current version.
Syntax
# installed-systems ?
load <URL>
    Download and install an image on the system. <URL> is the path to an image on a web server that the appliance can reach. Example: http://webserver.mycompany.com/images/542386.bcs
    Image loading will fail if the appliance does not have a license installed or if your support contract has expired.
lock <image#>
    Lock an image to protect it from accidental deletion.
replace <image#>
    Designate which image will be replaced next (if the system already has six installed images and you load another image). If you do not specify an image to be replaced, the oldest unlocked image on the system is replaced.
unlock <image#>
    Unlock an image that you no longer want to protect from deletion. You must unlock a locked image before you can remove it.
unset-replace
    Unset the image to be replaced next. When no replacement image is designated, the oldest unlocked image is replaced when you load a seventh image.
view
    Show a list of installed images along with their image numbers, software versions, release IDs, whether each image is locked or unlocked, whether it has ever been booted, its creation date/time, and its boot date/time. The summary at the bottom of the list indicates which image number is the current running system, the default system to run the next time the appliance is restarted, and the image number that will be replaced next.
Examples
# installed-systems view
1. Version : 1.67.5.3, Release ID : 250229, Locked : true, Booted : true
BuildType : Debug, CreationTime : 2020-04-14T01:08:08+0000, BootTime : 2020-06-22T15:54:43.810+0000
DisplayName : ISG 1.67.5.3, Release ID: 250229
Default system to run on next hardware restart: 1
Current running system: 1
System to replace next: None
ip
Configure the default gateway, IPv6 neighbors, ARP table entries, and static routes.
Syntax
(config)# ip ?
arp <IP_address> <MAC_address>
    Add a static entry to the IPv4 Address Resolution Protocol (ARP) table, mapping the specified IP address to the MAC address. For IPv6, use neighbor.
default-gateway <IP_address>
    Change the IP address of the default gateway.
neighbor <IPv6_address> <MAC_address>
    Configure a static IPv6 neighbor entry (the IPv6 equivalent of a static ARP entry). Both the IPv6 address and the hardware MAC address must be provided.
route <IP_address> [/<prefix>] [<subnet_mask>] [device-name <interface>] [metric <value>]
    Specify a static route. For deployments where the default gateway does not route traffic to all segments of the network, you can define additional routes. A typical use for the route table is when the SMTP or DNS servers are located on an internal network.
    The route metric is used by routing protocols to determine whether one route should be chosen over another. With all else being equal, lower metrics are given preference when choosing routes. The specific metric values you assign are arbitrary, but they should be relative to routing priority. For example, a route you want to assign high priority could have a metric value of 5 and a lower priority route could have a metric value of 10 or 20.
Examples
(config)# ip arp 1.1.1.1 01:23:45:67:89:ab
(config)# ip route 10.64.0.0/16 10.63.158.213 device-name 0:0 metric 10
(config)# ip route 2001:db8::/32 2001:0db8:0000:0000:0000:ff00:0042:8329 metric 20
(config)# ip route 10.63.0.0 255.255.0.0 10.63.158.213 metric 30
(config)# ip neighbor 2001:db8::ff00:42:8329 01:23:45:67:89:ac
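To make the prefix-and-metric reasoning concrete, the following added example (not ISG code) parses the route forms used above into a table and selects a route for a destination: longest matching prefix first, then lowest metric. The two routes marked constructed are added to force an equal-prefix tie and a more-specific prefix with a worse metric; the selection order is standard routing behaviour and is not something this page states for the ISG.

```python
"""Added example (not ISG code): parse 'ip route' forms and pick a route by
longest prefix, then lowest metric. Two constructed routes are included."""
import ipaddress
from dataclasses import dataclass
from typing import Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


@dataclass(frozen=True)
class Route:
    network: IPNetwork
    gateway: IPAddress
    device: str = ""
    metric: int = 0


def parse_route(text):
    """Parse the two forms accepted by 'ip route':
         <prefix>/<len> <gateway> [device-name <if>] [metric <n>]
         <address> <mask> <gateway> [device-name <if>] [metric <n>]"""
    toks = text.split()
    if toks[:2] == ["ip", "route"]:
        toks = toks[2:]
    if "/" in toks[0]:
        net_text, rest = toks[0], toks[1:]
    else:                                   # dotted-mask form
        net_text, rest = f"{toks[0]}/{toks[1]}", toks[2:]
    gateway, rest = ipaddress.ip_address(rest[0]), rest[1:]
    device, metric = "", 0
    while rest:
        key, val, rest = rest[0], rest[1], rest[2:]
        if key == "device-name":
            device = val
        elif key == "metric":
            metric = int(val)
        else:
            raise ValueError(f"unknown option {key!r} in {text!r}")
    return Route(ipaddress.ip_network(net_text, strict=False), gateway, device, metric)


def select_route(routes, destination):
    """Longest matching prefix wins; among equal prefixes, the lowest metric."""
    dst = ipaddress.ip_address(destination)
    candidates = [r for r in routes
                  if r.network.version == dst.version and dst in r.network]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.network.prefixlen, r.metric))


# The routes from the examples above, plus two constructed ones that create a
# more-specific prefix with a worse metric and an equal prefix with a better one.
EXAMPLE_ROUTE_TEXT = [
    "ip route 10.64.0.0/16 10.63.158.213 device-name 0:0 metric 10",
    "ip route 2001:db8::/32 2001:0db8:0000:0000:0000:ff00:0042:8329 metric 20",
    "ip route 10.63.0.0 255.255.0.0 10.63.158.213 metric 30",
    "ip route 10.64.5.0/24 10.63.158.1 metric 50",   # constructed
    "ip route 10.64.0.0/16 10.63.158.2 metric 5",    # constructed
]


def example_table():
    return [parse_route(t) for t in EXAMPLE_ROUTE_TEXT]


if __name__ == "__main__":
    table = example_table()
    for dst in ["10.64.5.9", "10.64.200.1", "10.63.1.1", "2001:db8::1", "192.0.2.1"]:
        r = select_route(table, dst)
        print(dst, "->", "no route" if r is None else
              f"{r.network} via {r.gateway} metric {r.metric}")
```

The output shows the point of the metric text above: 10.64.5.9 follows the /24 even though its metric (50) is the worst in the table, because prefix length is compared before metric, while 10.64.200.1 goes to the metric-5 gateway because the two /16 routes tie on prefix.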
licensing
Configure licensing for applications on the ISG.
Syntax
# licensing ?
view-node-locked
    View how many applications were created with the node-locked license and how many are currently using it. Only running applications (In-Use) count against the license limit; created applications that are not running do not count.
Notes
After loading the license, you must restart the application that is using the license.
Examples
# licensing 0000990000 username Admin password *******
License update was successful for license id 0000990000
# licensing view-node-locked
Node Locked License ID: 0000990000
Application Type: SG
Model: C2S
Limit: 1
In-Use (0):
login-banner
Configure a banner message to appear before users log in to the appliance. The message will appear before users log in
to the CLI (via serial console and SSH). This feature meets the security technical implementation guideline STIG V-3013.
Messages can contain up to 2,047 characters and can be defined using multi-byte UTF-8 characters.
Syntax
# login-banner ?
Examples
# login-banner inline message
Enter the login banner message below and end it with a Ctrl+D
This is a banner message.
ok
# login-banner enable
# login-banner view message
This is a banner message.
# login-banner view status
Login banner is enabled.
logout
Log out the current user. The management session is ended.
Syntax
# logout
ntp
Configure Network Time Protocol (NTP) settings used to keep the appliance's clock synchronized.
Syntax
# ntp ?
password-policy
View the current password rules.
Syntax
# password-policy ?
Examples
# password-policy view
min-uppercase: 0
min-groups: 4
prohibit-whitespace: true
min-special: 1
min-digits: 1
min-length: 8
min-lowercase: 0
prohibit-common-words: No dictionary defined
pcap
Capture packets that are sent to and/or from the appliance. The captured data can be imported into a packet analysis tool
such as Wireshark. This command is available in both the enable and config modes.
Syntax
# pcap ?
Notes
• Before enabling packet capture, you can optionally restrict which packets are captured by filtering on direction (in or out) or on interface (for example, only packets sent out of the 1:0 NIC).
• After capture is turned on, the system creates a .dmp file in tcpdump format and starts capturing packets into it.
• Packets are captured until capturing is disabled with the pcap stop command or until 30 minutes have elapsed, whichever comes first.
• A capture can contain credentials and other sensitive traffic. The transfer example below uses FTP, which sends both the login and the file in clear text, so move captures only across a trusted management network and delete them from the destination once the investigation is finished.
Examples
# pcap start
# pcap stop
# pcap transfer ftp://example.com/john_files/test.dmp john.smith ******
ping
Generate pings to test connectivity with another device on the network. If the device answers the pings, a message such as "5 packets transmitted, 5 received, 0% packet loss, time 3007ms" is displayed. If the appliance cannot reach the other device, the system displays a message such as "5 packets transmitted, 0 received, 100% packet loss, time 13999ms".
Syntax
# ping [ipv4 | ipv6] [source <source_ip_address>] [size <packet_size>] [dont-fragment] [repeat <ping_count>] <ip_address> | <hostname>
Examples
# ping repeat 3 size 50 cnn.com
PING cnn.com (198.51.100.122) 50(78) bytes of data.
58 bytes from www.cnn.com (198.51.100.122): icmp_seq=1 ttl=115 time=63.2 ms
58 bytes from www.cnn.com (198.51.100.122): icmp_seq=2 ttl=115 time=62.8 ms
58 bytes from www.cnn.com (198.51.100.122): icmp_seq=3 ttl=115 time=62.9 ms
--- cnn.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2066ms
rtt min/avg/max/mdev = 62.880/63.022/63.268/0.338 ms
# ping 203.0.113.17
PING 203.0.113.17 (203.0.113.17) 100(128) bytes of data.
--- 203.0.113.17 ping statistics ---
5 packets transmitted, 0 received, 100% packet loss, time 13999ms
proxy-settings
View the explicit proxy settings used when the appliance is on a network that requires its outbound connections to go through an explicit proxy service.
Syntax
# proxy-settings ?
Examples
# proxy-settings view
enabled:true
host :10.10.12.11
port no:8008
username:becky
restart
Reboots the system and restarts services such as image, licensing, subscription, SNMP, and health monitoring. You will
need to restart the system after upgrading to a new image or changing the running image on the appliance.
Syntax
# restart
restore-defaults
Restore system to factory default settings. This process deletes all data on the appliance.
Syntax
# restore-defaults factory-defaults ?
Examples
# restore-defaults factory-defaults
Restoring box to factory state. This will delete all customer data and shutdown the system. Do you want to
proceed (yes/no): y
send
Send one or all users a message to their terminal. The message will be shown in the CLI session of any logged-in user.
Syntax
# send <user> | all <message>
Notes
The user must be logged on to receive the message.
Examples
# send all "This is an important message."
#
Message from admin@ISG at 2020-07-07 15:09:36...
This is an important message.
show
Display information about the system and settings.
Syntax
# show ?
Examples
# show clock
UTC time : 2020-06-15 21:10:52+00:00 UTC
Local time : 2020-06-15 21:10:52+00:00 UTC
Timezone : UTC
shutdown
Shuts down the operating system, stops all CPUs, and sends a signal to the power supply unit to disconnect the main
power. With this command (as compared to the halt command), you don’t have to press the power switch to power down
the appliance. This command is used to prepare physical appliances for transport.
Syntax
# shutdown
smtp
Configure destination addresses and view Simple Mail Transfer Protocol (SMTP) settings.
Syntax
# smtp ?
destination-addresses add <email_address> | clear | delete <email_address>
    Add email addresses to which the appliance sends alerts and other messages. You can configure multiple email addresses, but they must be added one at a time. The delete parameter removes a specific email address; the clear parameter deletes all configured destination email addresses.
view
    Show the SMTP settings that are currently configured.
Examples
# smtp destination-addresses add tom.jones@example.com
# smtp view
smtp
gateway 203.0.113.17
from-address mary.johnson@test.com
destination-addresses
destination tom.jones@example.com
snmp
Regenerate or view the engine ID for the Simple Network Management Protocol (SNMP) agent.
Syntax
# snmp ?
agent engine-id regenerate | view
    Regenerate the engine ID for the Simple Network Management Protocol (SNMP) agent by setting it to its default value, or view the current engine ID.
ssh-console
Configure the SSH console, including cipher suites, HMACs, key-exchange algorithms, and keys.
Syntax
# ssh-console ?
ciphers add <cipher> | demote <cipher> | promote <cipher> | remove <cipher> | reset | set <cipher_list> | view
    Configure the ciphers used by the appliance:
    • add—Add a new cipher suite to the current list
    • demote—Demote a cipher suite within the list of ciphers
    • promote—Promote a cipher suite within the list of ciphers
    • remove—Remove a cipher suite from the list
    • reset—Reset the list of cipher suites to the default list
    • set—Set the list of cipher suites in the specified order, where <cipher_list> is a comma-separated list
    • view—View the list of cipher suites currently accepted by the appliance
Examples
# ssh-console ciphers add 3des-cbc
ok
Notes
• The example adds 3des-cbc only to show the syntax. 3DES is a 64-bit-block cipher and CBC-mode SSH ciphers have known weaknesses, so current OpenSSH clients disable both by default. In practice, use view to audit the list and remove to drop legacy suites, and keep modern AEAD suites such as aes256-gcm@openssh.com or chacha20-poly1305@openssh.com at the top of the order with promote if the appliance offers them.
ssl
Configure Secure Sockets Layer (SSL) settings. This command is available in both the enable and config modes.
Syntax
# ssl ?
Examples
Add a certificate from a Certificate Authority; the certificate name in this example is ca1 .
# ssl inline ca-certificate ca1 content
Enter the certificate below and end it with a Ctrl-D
-----BEGIN CERTIFICATE-----
...
CSqGSIb3DQEBBQUAA4IBAQCmI+pLumWXIAiznvq+zU/3/PTHwzcVcwJdK+ngWbHa
-----END CERTIFICATE-----
<Ctrl-D>
CA certificate ca1 is added successfully.
ssl create
Create SSL keyrings, CA Certificate Lists (CCLs), signing requests, self-signed certificates, and ssl-contexts.
Syntax
# ssl create ?
Examples
ssl delete
Delete SSL certificates, lists, keyrings, and signing-requests.
Syntax
# ssl delete ?
Examples
# ssl delete signing-request sslkey
ssl edit
Edit CA certificate lists (CCLs), Certificate Revocation Lists (CRLs), or SSL contexts.
Syntax
# ssl edit ccl <ccl_name> <action>
# ssl edit crl <crl_name> <action>
# ssl edit ssl-context <context_id> <action>
Examples
# ssl edit ccl browser-trusted add esignit.org
ok
# ssl edit ccl view
Name: browser-trusted
FIPS compliant: no
Certificates:
1st_Data_Digital
A-Trust-Qual-02
A-Trust-Root-05
A-Trust-nQual-03
AC1_Raiz_Mtin
ACA_ROOT
ACCV_ACCVRAIZ1
ACEDICOM_Root
..
ssl inline
Import SSL keyrings, signing requests, and certificates.
Syntax
# ssl inline ?
ca-certificate <certificate_name> content
    Import a Certificate Authority (CA) certificate from terminal input by pasting the certificate content.
certificate <keyring_id>
    Import a certificate into the specified keyring by pasting the certificate content.
crl <crl_name>
    Import a Certificate Revocation List (CRL) from terminal input by pasting the CRL content.
keyring <keyring_id>
    Install a keyring. Keyrings are containers for SSL certificates on the appliance, and can be used to manage self-signed or CA-signed certificates. You will be prompted to paste the keyring content. A keyring contains the private key, so whatever you paste also ends up in the terminal scrollback and in any session recording; clear those afterwards.
signing-request <keyring_id>
    Install a request for a signed certificate associated with the specified keyring. You will be prompted to paste the signing request content.
Examples
Add a certificate from a Certificate Authority; the certificate name in this example is ca1 .
# ssl inline ca-certificate ca1 content
Enter the certificate below and end it with a Ctrl-D
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
<Ctrl-D>
CA certificate ca1 is added successfully.
ssl view
View certificate and keyring details and signing request confirmations.
Syntax
# ssl view ?
keyring <keyring_id>
    Show details about the specified keyring, including its certificate and any signing requests.
signing-request <keyring_id>
    View the certificate request for the specified keyring.
ssl-context <context_id>
    View the SSL context configuration.
Examples
To view the certificate details for the ca1 certificate:
# ssl view ca-certificate ca1
Issuer: /C=US/ST=California/L=Sunnyvale/O=Blue Coat/OU=Development/CN=ca.bluecoat/
emailAddress=eric.chi@bluecoat.com
Subject: /C=US/ST=California/L=Sunnyvale/O=Blue Coat/OU=Development/CN=ca.bluecoat/
emailAddress=eric.chi@bluecoat.com
Valid From: Jan 13 01:32:40 2015 GMT
Valid Until: Jan 10 01:32:40 2025 GMT
Fingerprint: DB:AF:B1:82:EF:0C:9F:AD:84:F7:D8:35:0A:AA:0B:5D:93:DA:77:A5
traceroute
Determines the path that an IP packet takes to travel from the appliance to a destination host.
Syntax
# traceroute [ipv4 | ipv6] [source <source_ip_address>] [size <packet_size>] [timeout <seconds>] [probe-count <number_of_times_to_probe>] [min-ttl <minimum_ttl_value>] [max-ttl <maximum_ttl_value>] [dont-fragment] <ip_address> | <hostname>
Examples
# traceroute size 50 timeout 4 cnn.com
1: 10.131.16.1 (10.131.16.1) 4.486ms
2: 172.16.131.66 (172.16.131.66) 0.486ms
3: 199.91.135.130 (199.91.135.130) 7.546ms asymm 4
4: 70.102.68.162 (70.102.68.162) 2.057ms
5: be1.br02.plalca01.integra.net (209.63.100.118) 20.784ms asymm 8
6: te-3-3.car2.SanJose2.Level3.net (4.59.4.29) 20.381ms asymm 7
7: no reply
8: no reply
upload
Upload the third-party attributions zip file to an FTP site.
Syntax
# upload ATTRIBUTIONS <full_url/filename> <username> <password>
Notes
ATTRIBUTIONS must be in uppercase.
Examples
# upload ATTRIBUTIONS ftp://exampleftp.com/attributions.zip mary ******
To enter configure mode, type configure at the enable prompt (# ). The prompt will change to (config)# . To see a list
of commands available in configure mode, type help or ? at the (config)# prompt.
The following commands are available in configure mode.
acl
Create firewall rules—access control lists—for accessing services on the appliance.
Syntax
(config)# acl ?
Notes
• The sub-commands listed above can be entered either in acl configuration mode (at the (config-acl) prompt) or in configuration mode (at the (config) prompt).
• To remove a rule, enter no rule followed by the rule definition.
• Up to 1000 ACL rules can be entered in the access control list.
• The access control list applies only to incoming connections. Connections originating from the appliance are not subject to the access control list.
• Changes take effect immediately after a rule is added or removed. It is not necessary to reboot.
• Existing connections that were allowed by an access control list rule are not affected when that rule is removed.
• The access list is not interface specific; the list applies to all interfaces.
Examples
(config)# acl
(config-acl)# rule 10.167.9.0/24 Management
(config-acl)# rule 10.167.9.129 255.255.255.0 SNMP
(config-acl)# no rule 10.167.9.0/24 Management
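The rules above are matched per source network and service. The following added example (not ISG code) parses both rule forms shown, CIDR and address plus mask, and evaluates incoming connections against them. It treats a connection as allowed only when a rule matches; what the ISG does with an empty list is not stated on this page, and the 1000-rule limit and no rule removal are modelled from the notes above. The connection data is constructed.

```python
"""Added example (not ISG code): evaluate ISG-style ACL rules against
incoming connections. Rules are the two from the example; connections are
constructed."""
import ipaddress


def parse_rule(text):
    """Parse 'rule 10.167.9.0/24 Management' or
    'rule 10.167.9.129 255.255.255.0 SNMP' into (network, service).

    strict=False masks off host bits, so 10.167.9.129/255.255.255.0 becomes
    10.167.9.0/24; that is the network the second example rule permits."""
    parts = text.split()
    if parts and parts[0] == "rule":
        parts = parts[1:]
    if len(parts) == 2:
        net_text, service = parts
    elif len(parts) == 3:
        net_text, service = f"{parts[0]}/{parts[1]}", parts[2]
    else:
        raise ValueError(f"cannot parse rule: {text!r}")
    return ipaddress.ip_network(net_text, strict=False), service


class AccessControlList:
    MAX_RULES = 1000   # limit stated in the notes above

    def __init__(self):
        self.rules = []   # list of (network, service); order does not matter

    def add(self, text):
        rule = parse_rule(text)
        if rule in self.rules:
            return
        if len(self.rules) >= self.MAX_RULES:
            raise OverflowError("access control list is full")
        self.rules.append(rule)

    def remove(self, text):
        """Equivalent of 'no rule <definition>'."""
        self.rules.remove(parse_rule(text))

    def allows(self, src, service):
        """True when some rule's network contains src for that service.
        Only incoming connections should be checked here: the notes say
        connections originating from the appliance are never evaluated.
        Unmatched connections are denied in this example (assumption)."""
        addr = ipaddress.ip_address(src)
        return any(addr.version == net.version and addr in net and svc == service
                   for net, svc in self.rules)


if __name__ == "__main__":
    acl = AccessControlList()
    acl.add("rule 10.167.9.0/24 Management")
    acl.add("rule 10.167.9.129 255.255.255.0 SNMP")
    # Constructed connection attempts: (source address, service).
    for src, svc in [("10.167.9.40", "Management"), ("10.167.10.5", "Management"),
                     ("10.167.9.200", "SNMP"), ("10.167.9.40", "SSH")]:
        print(f"{src:>14} -> {svc:<10} {'allow' if acl.allows(src, svc) else 'deny'}")
    acl.remove("rule 10.167.9.0/24 Management")
    print("after 'no rule':", acl.allows("10.167.9.40", "Management"))
```

Note what the second rule actually grants: because the mask form is normalised to its network, SNMP is opened to the whole 10.167.9.0/24, not just to 10.167.9.129. If a single-host exception was intended, the rule needs a /32 (or 255.255.255.255) mask.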
appliance-name
Set the name for the system.
Syntax
(config)# appliance-name <appliance_name>
Examples
(config)# appliance-name ISG1
ISG1(config)#
applications
Used to manage the applications running on ISG.
Syntax
(config)# applications
(config-applications)# ?
applications attach-console
Attaches a terminal console to an application.
Syntax
where:
• force is used to recover the serial console.
Example
(config-applications)# attach-console proxysg1
ok
applications create
Creates an application on the ISG.
Syntax
(config-applications)# create ?
Example
(config-applications)# create sg proxysg1 model C4L license-id 0123456789 image-id sg-7.2.2.1-253750
ok
applications delete
Deletes an application.
Syntax
(config-applications)# delete <app_name>
Example
(config-applications)# delete proxysg1
ok
applications edit
Edit the configuration for an existing application.
Syntax
(config-applications)# edit ?
Notes
The application must have the status Created or Stopped to be edited. To view the status of your applications, see
applications view.
Example
The following is an example of how to change the model type for a ProxySG application.
(config-applications)# edit proxysg1 model C2M
ok
applications start
Starts an application.
Syntax
(config-applications)# start <app_name>
Example
(config-applications)# start proxysg1
ok
applications stop
Stops an application.
Syntax
(config-applications)# stop <app_name>
Example
(config-applications)# stop proxysg1
ok
applications view
Displays information on the ProxySG application.
Syntax
(config-applications)# view ?
Notes
The ProxySG applications can have the following statuses:
• Created—The application was created.
• Starting—The application is starting.
• Running—The application has successfully started.
• Failed—The application did not successfully start.
• Stopped—The application was stopped.
Example
The following is an example of viewing a specific ProxySG application.
authentication
Define authentication realms, local users, and security settings.
Syntax
(config)# authentication ?
admin-realm
    Select the admin realm name. Users must be part of the admin realm to be authenticated for SSH or UI access.
create local-user-list <name> | realm name <name>
    Create a new local user list, user name, or realm.
delete local-user-list <name> | realm name <name>
    Delete a local user list, user name, or realm.
edit local-user-list <name> | realm <realm_name>
    Edit a local user list or realm settings.
enable-password
    Change the password for entering enable (privileged) mode.
management inactivity-timeout <seconds>
    Specify the number of seconds a session can be inactive before it is terminated. By default, this is 1800 seconds.
management max-concurrent-logins <value>
    Set the maximum number of concurrent logins per user. By default, the number of concurrent administrative logins is unlimited.
management password-history <value>
    Set the number of password hashes to maintain for each user. This is used to check whether a password has already been used when a password is changed.
Examples
(config)# authentication create realm name local
(config-authentication)# edit realm local
(config-realm-local)# authentication enable-password
Enter current password: *****
Enter new password: *****
Confirm new password: *****
ok
clock
Manually set the time and date of the appliance in Coordinated Universal Time (UTC).
Syntax
# clock day <value> | hour <value> | minute <value> | month <value> | second <value> | year <value>
Notes
• Each value must be entered as a separate command.
• If you are using an NTP server, you do not need to manually set the clock.
Examples
# clock day 2
# clock month 9
# clock year 2020
diagnostic-systems
Manage diagnostic images installed on the system. Up to six images can be installed on the system. If your system
already has six images installed and you add another image, the oldest unlocked image will be replaced with the new
image, unless you have designated a particular image to be replaced.
Syntax
(config)# diagnostic-systems ?
Examples
(config)# diagnostic-systems load http://webserver.mycompany.com/images/diag.bcs
dns
Configure servers and domains for the domain name system (DNS).
Syntax
(config)# dns ?
Notes
• To clear these settings, use the no command. For example, no dns name-server.
• To view the current settings, type show full-configuration dns.
Examples
(config)# dns name-server 10.2.2.10 10.2.2.11
event-log
Manage syslog settings. The syslog feature gives administrators a way to centrally log and analyze events on the
system. This command is available in both the enable and config modes.
Syntax
(config)# event-log
(config-event-log)# ?
level <value>
    Set the level that determines which messages are sent to the syslog server; messages with a higher level number are suppressed. For example, setting the level to 3 allows messages with levels 0 - 3 and suppresses messages with levels 4 - 7. <value> can be one of the following:
    • 0 Emergency: system is unusable
    • 1 Alert: action must be taken immediately
    • 2 Critical: critical conditions
    • 3 Error: error conditions
    • 4 Warning: warning conditions
    • 5 Notice: normal but significant condition
    • 6 Informational: informational messages
    • 7 Debug: debug-level messages
log-size <value>
    Set the maximum size in MB for the event-log.
syslog add host <host> [port <port>]
    Configure a syslog server, where <host> is the host name or IP address of the syslog server. Optionally, you can also specify a custom port, where <port> is the port number.
syslog add tls host <host> [port <port>]
    Configure a syslog server using TLS, where <host> is the host name or IP address of the syslog server. Optionally, you can also specify a custom port, where <port> is the port number.
syslog add udp host <host> [port <port>]
    Configure a syslog server using UDP, where <host> is the host name or IP address of the syslog server. Optionally, you can also specify a custom port, where <port> is the port number.
syslog remove host <host>
    Remove a configured syslog server by specifying the <host>.
syslog clear
    Removes all configured syslog servers.
view
    View syslog settings.
Notes
• You can add multiple syslog servers.
• The sub-commands listed above can either be entered in the enable prompt, event-log configuration mode (at the
(config-event-log) prompt), or in configuration mode (at the (config) prompt).
Examples
(config)# event-log
(config-event-log)# syslog add udp host 203.0.113.17
Added syslog server host 203.0.113.17:514.
(config-event-log)# view
Log level: 5 (notice)
Remote syslog servers:
203.0.113.17:514
exit
Exit from the current mode.
For example, if you are in configuration mode, exit returns you to enable mode. If you are in configure-applications
mode, exit returns you to configure mode. If you are in standard mode, exit closes the session.
Syntax
> exit
Notes
You can use this command in any mode.
halt
Halts the operating system and stops all CPUs. Once the system is cleanly halted, you can power down the appliance.
Syntax
(config)# halt
Notes
The halt and shutdown commands are similar; the only difference is that shutdown also disconnects the power, so the appliance does not have to be powered down by hand after the command completes.
health-monitoring
View Health Monitoring (HM) events and status, and view and change HM settings. This command is available in both the
enable and config modes.
Syntax
(config)# health-monitoring
(config-health-monitoring)# ?
health-monitoring metric
The health monitoring system tracks CPU utilization (cpu-util), memory utilization (memory-util), and license-server statuses. Use the health-monitoring view settings command to see a list of metrics tracked on your system.
Syntax
(config-health-monitoring)# metric ?
Notes
• There are four possible thresholds that you can set, although no metric has all four:
– high-warning-threshold—If the metric is equal to or exceeds this threshold, the metric goes into a Warning state.
– high-critical-threshold—If the metric is equal to or exceeds this threshold, the metric goes into a Critical state.
– low-warning-threshold—If the metric is less than or equal to this threshold, the metric goes into a Warning state.
– low-critical-threshold—If the metric is less than or equal to this threshold, the metric goes into a Critical state.
Each metric has either the high thresholds or the low thresholds, not both.
When a threshold is exceeded and the metric transitions to a new state (for example, from OK to Warning, or from Warning to Critical), you can have the system send a notification email, syslog alert, or SNMP trap.
• You will need to configure SMTP settings to send email notifications, event-log settings to send alerts to a syslog server, and SNMP trap targets and vacm groups to send SNMP traps.
Examples
(config-health-monitoring)# metric memory-util high-warning-threshold 75
(config-health-monitoring)# metric memory-util email enabled
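The threshold and state-transition rules described above, as an added Python example that is not ISG code: each metric carries either the high pair or the low pair of thresholds, a sample that moves the metric to a new state produces one notification per enabled channel, and a sample that leaves it in the same state produces none. The Metric class, its field names and the message text are this example's own.

```python
"""Health-monitoring threshold evaluation as described above (added example, not ISG code)."""
from dataclasses import dataclass
from typing import Optional

OK, WARNING, CRITICAL = "OK", "Warning", "Critical"


@dataclass
class Metric:
    """One monitored metric with either high or low thresholds (never both)."""
    name: str
    high_warning: Optional[float] = None   # high-warning-threshold
    high_critical: Optional[float] = None  # high-critical-threshold
    low_warning: Optional[float] = None    # low-warning-threshold
    low_critical: Optional[float] = None   # low-critical-threshold
    # Notification channels enabled for this metric (constructed flags; on the
    # appliance they are switched on with e.g. "metric memory-util email enabled").
    email: bool = False
    syslog: bool = False
    snmp_trap: bool = False
    state: str = OK

    def __post_init__(self) -> None:
        has_high = self.high_warning is not None or self.high_critical is not None
        has_low = self.low_warning is not None or self.low_critical is not None
        if has_high and has_low:
            raise ValueError(f"{self.name}: a metric has either high or low thresholds, not both")

    def evaluate(self, value: float) -> str:
        """State for a single sample; the Critical threshold is tested first so it wins."""
        if self.high_critical is not None and value >= self.high_critical:
            return CRITICAL  # equal to or exceeds -> Critical
        if self.high_warning is not None and value >= self.high_warning:
            return WARNING   # equal to or exceeds -> Warning
        if self.low_critical is not None and value <= self.low_critical:
            return CRITICAL  # less than or equal -> Critical
        if self.low_warning is not None and value <= self.low_warning:
            return WARNING   # less than or equal -> Warning
        return OK

    def check(self, value: float) -> list:
        """Apply one sample and return the notifications a state change triggers.

        Staying in the same state (even while above a threshold) sends nothing;
        a transition sends one message per enabled channel.
        """
        new_state = self.evaluate(value)
        if new_state == self.state:
            return []
        old_state, self.state = self.state, new_state
        event = f"{self.name}: {old_state} -> {new_state} (value {value})"
        channels = [("email", self.email), ("syslog", self.syslog), ("snmp-trap", self.snmp_trap)]
        return [f"{channel}: {event}" for channel, enabled in channels if enabled]


def run_samples(metric: Metric, samples: list) -> list:
    """Feed a series of samples and collect every notification in order."""
    notifications = []
    for value in samples:
        notifications.extend(metric.check(value))
    return notifications


if __name__ == "__main__":
    # Mirrors the example above: memory-util high-warning-threshold 75 with email enabled.
    mem = Metric("memory-util", high_warning=75, high_critical=90, email=True, syslog=True)
    for line in run_samples(mem, [40, 75, 80, 92, 30]):
        print(line)
```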
health-monitoring view
The view command in the health monitoring system is used for showing the event history and metric settings.
Syntax
(config-health-monitoring)# view ?
current
    View the current state of all metrics. The output lists each metric, when the health monitoring system last checked it, the current state (OK, Warning, Critical) and the current value (for example, 28%).
events [metric <metric_name> | all] [duration <value> d | h | m]
    Shows the event history for all metrics or for one metric, for the specified duration. An event is an occasion where the metric exceeded a configured threshold and changed state (for example, from OK to Warning, Warning to Critical).
    • The metric and duration parameters are optional.
    • If the metric parameter is omitted, all is assumed.
    • If the duration parameter is omitted, 24h is assumed.
    • The d, h, or m suffix is used to indicate days, hours, or minutes, respectively.
settings
    Shows the configured threshold settings and alert type (Log, Email, SNMP Trap) for each metric.
Examples
(config-health-monitoring)# view current
Health Monitoring current state of all metrics:
Last Check | Metric Name | State
-----------------------------+--------------------------------------------------
images
Used to manage application images on the ISG.
Syntax
(config)# images
(config-images)# ?
images delete
Deletes an application image.
NOTE
You can only delete images when they are not in use.
Syntax
(config-images)# delete <image_id>
Example
(config-images)# delete sg-7.2.2.1-253750
images load
Download an application image onto the ISG.
Syntax
(config-images)# load <image_url> [force]
where force forces the specified image to load, even if an image is already loaded on the ISG.
Example
(config-images)# load https://example.com/system.bcsi
images view
Displays all application images that have been downloaded onto the ISG.
Syntax
(config-images)# view [<image_id> | sg]
Example
(config-images)# view sg-7.2.2.1-253750
installed-systems
Manage images installed on the system. Up to six images can be installed on the system. If your system already has six
images installed and you add another image, the oldest unlocked image will be replaced with the new image, unless you
have designated a particular image to be replaced.
CAUTION
Only customers with a valid support contract can upgrade to major releases. If your support contract has expired, the image installation will fail. Note that you can still upgrade to maintenance releases for the current version.
Syntax
(config)# installed-systems ?
load <URL>
    Download and install an image on the system. <URL> is the path to an image on a web server that the appliance has access to. Example: http://webserver.mycompany.com/images/542386.bcs
    Image loading will fail if the appliance does not have a license installed or if your support contract has expired.
lock <image#>
    Lock an image to protect it from accidental deletion.
replace <image#>
    Designate which image will be replaced next (if the system already has six installed images and you load another image). If you do not specify an image to be replaced, the oldest unlocked image on the system will be replaced.
unlock <image#>
    Unlock an image that you no longer want to protect from deletion. You have to unlock a locked image before you can remove it.
unset-replace
    Unset the image to be replaced next. When a replacement image is not designated, the oldest image will be replaced when you load a seventh image.
view
    Show a list of installed images along with their image numbers, software versions, release IDs, whether the image is locked or unlocked, whether it has ever been booted, creation date/time, and boot date/time. The summary at the bottom of the list indicates which image number is the current running system, the default system to run the next time the appliance is restarted, and the image number that will be replaced next.
Examples
(config)# installed-systems view
1. Version : 1.67.5.3, Release ID : 250229, Locked : true, Booted : true
BuildType : Debug, CreationTime : 2020-04-14T01:08:08+0000, BootTime : 2020-06-22T15:54:43.810+0000
DisplayName : ISG 1.67.5.3, Release ID: 250229
Default system to run on next hardware restart: 1
Current running system: 1
System to replace next: None
interface
Configure the interface settings (such as IP address) on the appliance.
Syntax
(config)# interface <interface_number> ?
Notes
• The sub-commands listed above can either be entered in interface configuration mode (for example, at the (config-interface-1:0) prompt) or in configuration mode (at the (config) prompt).
• Use the show full-configuration command in interface configuration mode to display the interface settings. (See example below.)
Examples
(config)# interface 0:0
(config-interface-0:0)# ip-address 203.0.113.17 255.255.248.0
ok
(config-interface-0:0)# show full-configuration
interface 0:0
description "management interface"
enable
speed auto
duplex auto
mtu-size 1500
ip-address 203.0.113.17 255.255.248.0
ipv6
Enable or disable support for IPv6 networking. Once enabled, IPv6 support is available in configuration sections
for Packet Captures, Backups, Failover, Ping, Traceroute, SNMPWALK, syslog, and in networking and interface
configuration.
Syntax
(config)# ipv6 [enable|disable]
Examples
(config)# ipv6 enable
(config)# show full-configuration ipv6
ipv6 enable
(config)# exit
#show running-config ipv6
ipv6 enable
licensing
Configure licensing for applications on the ISG.
Syntax
(config)# licensing ?
Notes
After loading the license, you must restart the application that is using the license.
Examples
(config)# licensing load id 0000990000 username Admin password *******
License update was successful for license id 0000990000
(config-licensing)# view-node-locked
Node Locked License ID: 0000990000
Application Type: SG
Model: C2S
Limit: 1
In-Use (0):
login-banner
Configure a banner message to appear before users log in to the appliance. The message will appear before users log in
to the CLI (via serial console and SSH). This feature meets the security technical implementation guideline STIG V-3013.
Messages can contain up to 2,047 characters and can be defined using multi-byte UTF-8 characters.
Syntax
(config)# login-banner ?
Examples
(config)# login-banner inline message
Enter the login banner message below and end it with a Ctrl+D
This is a banner message.
ok
(config)# login-banner enable
(config)# login-banner view message
This is a banner message.
(config)# login-banner view status
Login banner is enabled.
ntp
Configure Network Time Protocol (NTP) settings. Use NTP to synchronize the time on the appliance with another server
or reference time source. You can configure up to 10 NTP servers.
Syntax
(config)# ntp ?
disable
    Stops the NTP service on the appliance. The NTP service is configured to not start when the appliance is rebooted.
enable
    Starts the NTP service on the appliance. The NTP service is configured to start automatically when the appliance is rebooted. At least one NTP server must be defined in order to enable the NTP service.
server <hostname_or_IP_address>
    Domain name or IP address of the NTP server. The default NTP servers are ntp.bluecoat.com and ntp2.bluecoat.com.
symmetric-key key-id <value 1-65534> algorithm <sha1> [encrypted-secret <value> | secret <string>]
    If your NTP server supports symmetric-key authentication, enter the key with this series of commands. Only SHA1 is supported in this release. Defer to your NTP provider's instructions on whether to use an encrypted secret or an unencrypted one.
update-now
    Forces the NTP service to update the appliance's clock.
Notes
• Type ntp to enter NTP configuration mode. The prompt will display as (config-ntp)#.
• Use the no server command in the NTP configuration mode to remove a configured server. (See example below.)
• Use the show full-configuration command in the NTP configuration mode to display the NTP settings. (See
example below.)
Examples
(config)# ntp server ntp1.net.symantec.com
(config)# ntp enabled
(config)# ntp
(config-ntp)# show full-configuration
ntp
enabled
server ntp.bluecoat.com
server ntp2.bluecoat.com
(config-ntp)# no server ntp2.net.symantec.com
password-policy
Configure password rules for administrative users. For example, you can require that the password contain at least one
uppercase letter, one number, and one special character. By default, the password length and prohibit-common-words
rules are defined. The default minimum password length is six characters.
Syntax
(config)# password-policy ?
min-digits <value>
    Set the minimum number of digits required in a password. Range: 0–255. By setting this rule to 0 (the default), numbers are not required in a password.
min-groups <value>
    Set the minimum number of password rules (min-digits, min-lowercase, min-special, min-uppercase) that must be met. Range: 0–4. By setting this rule to 0 (the default), the password does not have to meet a minimum number of rules. For example, if you set the min-digits and min-special rules, you would set min-groups to 2. Note: min-length is not counted as a rule for the purposes of the min-groups command.
min-length <value>
    Set the minimum number of characters required in a password. Range: 0–255. The default password length is 6, but the password can have any length.
min-lowercase <value>
    Set the minimum number of lowercase letters required in a password. Range: 0–255. By setting this rule to 0 (the default), lowercase letters are not required in a password.
min-special <value>
    Set the minimum number of special characters (symbols) required in a password. Range: 0–255. By setting this rule to 0 (the default), special characters are not required in a password. Here are some supported examples of special characters: !"#$%&'()*+,-./:<=>?@^_`{|}
    Tildes (~), semi-colons (;) and square brackets ([ ]) are not supported.
min-uppercase <value>
    Set the minimum number of uppercase letters required in a password. Range: 0–255. By setting this rule to 0 (the default), uppercase letters are not required in a password.
prohibit-common-words builtin
    Don't allow common dictionary words to be specified in passwords.
prohibit-whitespace true | false
    Enable/disable rejection of white space in passwords. Default=false.
view
    Show current password rules.
Notes
• The sub-commands listed above can either be entered in password-policy configuration mode (at the (config-password-policy) prompt) or in configuration mode (at the (config) prompt).
• Use the show password-policy-configuration command to display the password policy settings.
• To remove a rule, type no before the rule command. For example: no min-lowercase
• If you configure multiple password policy rules but don't configure the min-groups command, the rules will not take effect; only the min-length rule will be enforced.
Examples
To require a password to have at least 8 characters, and have at least one number, one symbol, and one uppercase letter,
set the following rules:
(config)# password-policy
(config-password-policy)# min-length 8
(config-password-policy)# min-digits 1
(config-password-policy)# min-special 1
(config-password-policy)# min-uppercase 1
(config-password-policy)# min-groups 3
(config)# show password-policy-configuration
min-uppercase: 1
min-groups: 3
prohibit-whitespace: false
min-special: 1
min-digits: 1
min-length: 8
min-lowercase: 0
prohibit-common-words: No dictionary defined
After these rules are configured and a user tries to specify "test" for the user password, the following message will appear:
(config local-user-list john_jones)# password test
Please enter a valid password.
Password must contain at least 1 uppercase characters.
Password must contain at least 1 special characters.
Password must contain at least 1 digit characters.
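A checker for the rules above, as an added Python example that is not ISG code: it enforces min-length, prohibit-whitespace and prohibit-common-words unconditionally, applies the character-class rules only when min-groups is set (as the notes warn), and builds the policy from sub-commands as typed at the (config-password-policy)# prompt. The PasswordPolicy class, policy_from_cli, the stand-in COMMON_WORDS set and the exact message wording are assumptions of this example; the special-character set is the one the table lists.

```python
"""Password checker for the password-policy rules described above (added example, not ISG code)."""
from dataclasses import dataclass

# Special characters the table lists as supported; ~ ; [ and ] are not supported.
SPECIAL_CHARS = set("!\"#$%&'()*+,-./:<=>?@^_`{|}")
# Constructed stand-in for the appliance's built-in common-word dictionary.
COMMON_WORDS = {"password", "letmein", "welcome", "qwerty"}


@dataclass
class PasswordPolicy:
    min_length: int = 6                 # default rule, always enforced
    min_digits: int = 0
    min_special: int = 0
    min_uppercase: int = 0
    min_lowercase: int = 0
    min_groups: int = 0                 # 0 (default): the class rules are not enforced
    prohibit_common_words: bool = True  # default rule
    prohibit_whitespace: bool = False

    def check(self, password: str) -> list:
        """Return the violations for `password`; an empty list means it is accepted."""
        errors = []
        if len(password) < self.min_length:
            errors.append(f"Password must contain at least {self.min_length} characters.")
        if self.prohibit_whitespace and any(c.isspace() for c in password):
            errors.append("Password must not contain white space.")
        if self.prohibit_common_words and password.lower() in COMMON_WORDS:
            errors.append("Password must not be a common dictionary word.")
        # min-groups: at least this many of the configured class rules must be met.
        # With min-groups 0 the class rules are ignored (only min-length applies),
        # as the notes above warn. The order mirrors the sample output on the page.
        if self.min_groups > 0:
            rules = [
                ("uppercase", self.min_uppercase, sum(c.isupper() for c in password)),
                ("special", self.min_special, sum(c in SPECIAL_CHARS for c in password)),
                ("digit", self.min_digits, sum(c.isdigit() for c in password)),
                ("lowercase", self.min_lowercase, sum(c.islower() for c in password)),
            ]
            configured = [r for r in rules if r[1] > 0]
            unmet = [(name, need) for name, need, have in configured if have < need]
            if len(configured) - len(unmet) < self.min_groups:
                # Assumption: every unmet rule is reported, as in the sample output.
                for name, need in unmet:
                    errors.append(f"Password must contain at least {need} {name} characters.")
        return errors


def policy_from_cli(commands: list) -> PasswordPolicy:
    """Build a policy from sub-commands as typed at the (config-password-policy)# prompt.

    Supports the rule commands in the table above and the "no <rule>" form,
    which restores that rule's default.
    """
    policy = PasswordPolicy()
    defaults = PasswordPolicy()
    for line in commands:
        parts = line.split()
        if not parts:
            continue
        negate = parts[0] == "no"
        if negate:
            parts = parts[1:]
        key = parts[0].replace("-", "_")
        if key.startswith("min_") and hasattr(policy, key):
            value = getattr(defaults, key) if negate else int(parts[1])
            limit = 4 if key == "min_groups" else 255
            if not 0 <= value <= limit:
                raise ValueError(f"{parts[0]}: value must be in the range 0-{limit}")
            setattr(policy, key, value)
        elif key == "prohibit_whitespace":
            policy.prohibit_whitespace = (not negate) and parts[1] == "true"
        elif key == "prohibit_common_words":
            policy.prohibit_common_words = not negate
        else:
            raise ValueError(f"unknown password-policy rule: {line}")
    return policy


if __name__ == "__main__":
    # The rules from the example above, then the rejected password "test".
    policy = policy_from_cli(["min-length 8", "min-digits 1", "min-special 1",
                              "min-uppercase 1", "min-groups 3"])
    for message in policy.check("test"):
        print(message)
```

Unlike the sample output above, this checker also reports the min-length violation for "test"; the appliance's output shows only the unmet character-class rules.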
pcap
Capture packets that are sent to and/or from the appliance. The captured data can be imported into a packet analysis tool
such as Wireshark. This command is available in both the enable and config modes.
Syntax
(config)# pcap ?
Notes
• Before enabling packet capture, you can optionally restrict the packets that are captured by filtering by direction (in or out) or by interface (for example, just packets sent out of the 1:0 NIC).
• After capture is turned on, the system will create a .dmp file in TCPDump format and start capturing packets into this file.
• Packets are captured until capturing is disabled with the pcap stop command, or after 30 minutes, whichever comes first.
Examples
(config)# pcap filter direction in
(config)# pcap start
(config)# pcap stop
(config)# pcap transfer ftp://example.com/john_files/test.dmp john.smith ******
proxy-settings
Configure settings for the HTTP proxy server in situations where your network requires this appliance to connect through
a proxy to access Internet resources.
Syntax
(config)# proxy-settings ?
Notes
You can enter all the subcommands in one line, or enter each command on a separate line.
Examples
(config)# proxy-settings enable host 10.10.12.11
(config)# proxy-settings enable
(config)# proxy-settings host 10.10.12.11
(config)# proxy-settings port 8008
(config)# proxy-settings view
enabled:true
host :10.10.12.11
port no:8008
username:becky
restart
Reboots the system and restarts services such as image, licensing, subscription, SNMP, and health monitoring. You will
need to restart the system after upgrading to a new image or changing the running image on the appliance.
Syntax
(config)# restart
restore-defaults
Restore system to factory default settings. This process deletes all data on the appliance.
Syntax
(config)# restore-defaults factory-defaults ?
Examples
(config)# restore-defaults factory-defaults
Restoring box to factory state. This will delete all customer data and shutdown the system. Do you want to
proceed (yes/no): y
show
Display information about the system and settings.
Syntax
(config)# show ?
Examples
(config)# show cpu debug 60
CPU 0: 0.4 us, 1.0 sy, 0.0 ni, 98.6 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st
CPU 1: 0.4 us, 0.5 sy, 0.0 ni, 99.1 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st
CPU 2: 0.7 us, 0.6 sy, 0.0 ni, 98.6 id, 0.1 wa, 0.0 hi, 0.0 si, 0.0 st
shutdown
Shuts down the operating system, stops all CPUs, and sends a signal to the power supply unit to disconnect the main
power. With this command (as compared to the halt command), you don’t have to press the power switch to power down
the appliance. This command is used to prepare physical appliances for transport.
Syntax
(config)# shutdown
smtp
Configure Simple Mail Transfer Protocol (SMTP) settings, including destination email addresses, the from email address,
and the SMTP gateway.
Syntax
(config)# smtp ?
destination-addresses add <email_address> | clear | delete <email_address>
    Add email addresses to which the appliance sends alerts and other messages. You can configure multiple email addresses, but they must be added one at a time. The delete parameter removes a specific email address; the clear parameter deletes all configured destination email addresses.
from-address <email_address>
    Set the from-address that appears on emails generated by the system.
gateway <SMTP_gateway>
    Set the SMTP gateway through which the appliance sends alerts and other messages (the example below uses an IP address).
view
    Show SMTP settings that are currently configured.
Examples
(config)# smtp destination-addresses add tom.jones@example.com
(config)# smtp from-address mary.johnson@test.com
(config)# smtp gateway 203.0.113.17
(config)# smtp view
smtp
gateway 203.0.113.17
from-address mary.johnson@test.com
destination-addresses
destination tom.jones@example.com
snmp
Configure Simple Network Management Protocol (SNMP).
Syntax
(config)# snmp ?
snmp agent
When an SNMP manager polls a device for information, the SNMP agent on the device responds to the queries.
Syntax
(config)# snmp agent ?
engine-id from-mac-address <MAC_address>
    Construct an engine ID for the agent from a specified MAC address.
engine-id from-text <ASCII_string>
    Construct an engine ID for the agent from a specified ASCII string. The maximum string length is 27 characters.
engine-id other <hex_bytes_string>
    Construct an engine ID for the agent from a string of colon-separated hex bytes.
engine-id regenerate
    Regenerate the engine ID for the SNMP agent by setting the ID to its default value.
engine-id view
    View the current engine ID for the agent.
max-message-size <value>
    The maximum length of SNMP message the agent can send or receive. Range: 484-214748364. Default=50000.
version v1 | v2c | v3
    SNMP protocol version used by the agent.
Examples
(config)# snmp agent enabled
(config)# snmp agent version v3
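The three engine-id constructions in the table above, as an added Python example that is not ISG code; because SNMPv3 key localization (RFC 3414) takes the agent's engine ID as input, managers must learn the new value after any engine-id change or regenerate. Assumed here: the RFC 3411 SnmpEngineID layout (a 4-byte enterprise number with the top bit set, a format byte, then up to 27 bytes of variable data, which matches the table's 27-character from-text limit), that the other form supplies the variable part, and a placeholder ENTERPRISE_ID because the appliance's enterprise number is not given on this page.

```python
"""SNMP engine ID construction for the engine-id forms listed above (added example, not ISG code)."""
import re

# Placeholder: the appliance's real IANA enterprise number is not given on this page.
ENTERPRISE_ID = 12345
# RFC 3411 format indicators for the variable part of an engine ID.
FORMAT_MAC, FORMAT_TEXT, FORMAT_OCTETS = 3, 4, 5
MAX_VARIABLE_LEN = 27  # 32-byte maximum minus the 5-byte header; matches the table's limit


def _header(fmt: int) -> bytes:
    """4-byte enterprise number with the top bit set (RFC 3411 layout), then the format byte."""
    return (ENTERPRISE_ID | 0x80000000).to_bytes(4, "big") + bytes([fmt])


def engine_id_from_mac(mac: str) -> bytes:
    """engine-id from-mac-address: header + the six MAC octets (colon or dash separated)."""
    octets = re.split(r"[:-]", mac.strip())
    if len(octets) != 6 or not all(re.fullmatch(r"[0-9A-Fa-f]{2}", o) for o in octets):
        raise ValueError(f"not a MAC address: {mac!r}")
    return _header(FORMAT_MAC) + bytes(int(o, 16) for o in octets)


def engine_id_from_text(text: str) -> bytes:
    """engine-id from-text: header + 1..27 ASCII characters."""
    data = text.encode("ascii")
    if not 1 <= len(data) <= MAX_VARIABLE_LEN:
        raise ValueError(f"text must be 1-{MAX_VARIABLE_LEN} characters, got {len(data)}")
    return _header(FORMAT_TEXT) + data


def engine_id_other(hex_bytes: str) -> bytes:
    """engine-id other: colon-separated hex bytes used as the variable part (assumption)."""
    data = bytes.fromhex(hex_bytes.replace(":", ""))
    if not 1 <= len(data) <= MAX_VARIABLE_LEN:
        raise ValueError(f"expected 1-{MAX_VARIABLE_LEN} bytes, got {len(data)}")
    return _header(FORMAT_OCTETS) + data


def to_colon_hex(engine_id: bytes) -> str:
    """Render an engine ID the way colon-separated hex input is written."""
    return ":".join(f"{b:02x}" for b in engine_id)


def parse_engine_id(engine_id: bytes) -> dict:
    """Split an RFC 3411-style engine ID into enterprise number, format and payload."""
    if not 5 <= len(engine_id) <= 32 or not engine_id[0] & 0x80:
        raise ValueError("not an RFC 3411 format engine ID")
    enterprise = int.from_bytes(engine_id[:4], "big") & 0x7FFFFFFF
    return {"enterprise": enterprise, "format": engine_id[4], "payload": engine_id[5:]}


def is_valid_engine_id(engine_id: bytes) -> bool:
    """True when the bytes form a well-formed RFC 3411 engine ID (length and top bit)."""
    try:
        parse_engine_id(engine_id)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample inputs, one per form.
    for eid in (engine_id_from_mac("00:11:22:aa:bb:cc"),
                engine_id_from_text("isg-lab-1"),
                engine_id_other("de:ad:be:ef")):
        print(to_colon_hex(eid), parse_engine_id(eid))
```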
snmp community
Define community strings for SNMP v1/v2. The community string acts as a password for accessing statistics on the
device. Equipment usually ships with a read-only community string set to public but network managers typically change
the community string to a customized value. Each system that polls your appliance could potentially have a different
community string.
NOTE
SNMP community strings are used only by devices that support SNMPv1 and SNMPv2c protocol. SNMPv3 uses
username/password authentication, along with an encryption key.
Syntax
(config)# snmp community <string>
After defining the community string, the command prompt changes, indicating the community string. For example, for a community string public, the prompt looks as follows: (config-community-public)#
The following sub-commands are available in community string configuration mode.
name <name>
    Necessary only when the community string is not the same as the index.
sec-name string <value>
    Initially set to the value of 'index.'
target-tag <
    Limit access for this community to the specified target(s).
Examples
(config)# snmp community public
(config-community-public)# target-tag v1target
snmp notify
Configure targets that will receive notifications.
Syntax
(config)# snmp notify <list_name> tag <tag_value> [type inform | trap]
Notes
• The tag list is used for grouping entries in the target address table, and contains a list of tag values that are used to
select target addresses to be used for a particular operation.
• The default notification type is trap.
Examples
(config)# snmp notify std_v1_trap tag tagtest
(config)# snmp notify std_v3_inform type inform
snmp system
Configure SNMP system settings to identify the contact name, location, and fully-qualified domain name of the appliance.
Syntax
(config)# snmp system ?
contact <name>
    The name of the person managing the appliance; <name> can be up to 256 characters long and must be enclosed in quotation marks if spaces are used.
location <place>
    The physical location of the appliance (room, floor, building), where <place> can be up to 256 characters long and must be enclosed in quotation marks if spaces are used.
name <fqdn>
    The appliance's fully-qualified domain name for SNMPv1, where <fqdn> can be up to 256 characters long and must be enclosed in quotation marks if spaces are used.
Examples
(config)# snmp system contact "Gail Jellison"
(config)# snmp system location "building B, 1st floor"
snmp target
Create new SNMP targets to determine where SNMP notifications should be sent.
Syntax
(config)# snmp target <target_name> ?
engine-id <engine_id>
    An SNMP Engine ID identifies an SNMP engine that will receive trap and inform notifications. The default Engine ID for a remote SNMP user is LocalSnmpId, the SNMP agent's own SNMP Engine. If you omit this parameter, the remote user will use this default LocalSnmpId Engine ID. To specify a different remote SNMP engine with which this user can communicate, specify the 24-digit hexadecimal Engine ID of a remote SNMP engine. Needed only if this target can receive v3 informs.
ip <IP_address>
    IP address of a remote IP host, in dotted-decimal format.
usm user-name <string>
    Define a user for the target. Additionally, you will be prompted to supply the following:
    • Value for 'snmp target <target_name> ip': the IP address for the target
    • Value for 'sec-level': the security level for the user
snmp usm
Syntax
(config)# snmp usm local user <user_name>
After defining the local user name, the command prompt changes, indicating you are in configuration mode for the local
user. You can then define authentication and/or privacy keys that a management system can use to access the appliance.
auth [md5 | sha {key <key> | password <password>}]
    Specify either the MD5 or SHA hash algorithm and enter an authentication key or password for the user (8-32 characters).
priv [aes | des {key <key> | password <password>}]
    Specify either the AES or DES encryption algorithm and enter the privacy key or password (8-32 characters).
Examples
(config)# snmp usm local user altman
(config-user-altman)# auth md5 password Gquw4321
(config-user-altman)# priv aes password Gquw4321
Syntax
(config)# snmp usm remote <engine_id>
snmp vacm group access
Syntax
(config)# snmp vacm group <group_name> access {usm | v1 | v2c} {auth-no-priv | auth-priv | no-auth-no-priv}
After defining the access rights for the group, the command prompt changes, indicating the security level. For example:
(config-access-v1/auth-no-priv)#
You then need to specify the name of the MIB view for each type of access.
notify-view <MIB_view>
    Specify the name of the MIB view of the SNMP context authorizing notify access.
read-view <MIB_view>
    Specify the name of the MIB view of the SNMP context authorizing read access. Note that SNMPv1 is not permitted in read-view.
write-view <MIB_view>
    Specify the name of the MIB view of the SNMP context authorizing write access. Note that write-view is not implemented in all products.
Examples
(config)# snmp vacm group cas-group-v2c access v2c auth-no-priv
(config-access-v1/auth-no-priv)# read-view cas-view
snmp vacm group member
Syntax
(config)# snmp vacm group <group_name> member <member_name> {sec-model usm | v1 | v2c}
Examples
(config)# snmp vacm group cas-group-2vc member member1 sec-model v2c
(config)# snmp vacm group cas-group-2vc member member2 sec-model v2c
Notes
After defining members, you can define the access rights for the group. See snmp vacm group access.
ssh-console
Configure the SSH console, including cipher suites, HMACs, key-exchange algorithms, and keys.
Syntax
(config)# ssh-console ?
ciphers add <cipher> | demote <cipher> | promote <cipher> | remove <cipher> | reset | set <cipher_list> | view
    Configure the ciphers used by the appliance:
    • add —Add a new cipher suite to the current list
    • demote —Demote a cipher suite within the list of ciphers
    • promote —Promote a cipher suite within the list of ciphers
    • remove —Remove a cipher suite from the list of ciphers
    • reset —Reset the list of cipher suites to the default list
    • set —Set the list of cipher suites in the specified order, where <cipher_list> is a comma-separated list
    • view —View the list of cipher suites currently accepted by the appliance
key-exchange-algorithms add <algorithm> | demote <algorithm> | promote <algorithm> | remove <algorithm> | reset | set <algorithm_list> | view
    Configure the key-exchange algorithms used by the appliance:
    • add —Add a key-exchange algorithm to the list of algorithms
    • demote —Demote a key-exchange algorithm within the list of algorithms
    • promote —Promote a key-exchange algorithm within the list of algorithms
    • remove —Remove a key-exchange algorithm from the list of algorithms
    • reset —Reset the list of key-exchange algorithms to the default list
    • set —Set the list of key-exchange algorithms to be used by the appliance in the specified order, where <algorithm_list> is a comma-separated list
    • view —View the list of key-exchange algorithms currently accepted by the appliance
Examples
(config)# ssh-console ciphers add 3des-cbc
ok
ssl
Configure Secure Sockets Layer (SSL) settings. This command is available in both the enable and config modes.
Syntax
(config)# ssl ?
Notes
• The sub-commands listed above can either be entered in SSL configuration mode (at the (config-ssl) prompt) or in configuration mode (at the (config) prompt).
• Use the show full-configuration ssl command in configure mode to display basic SSL settings, and (config-ssl-view)# ? to view specific keyrings, CA Certificate Lists, Certificates, and Certificate Signing Requests.
Examples
Add a certificate from a Certificate Authority; the certificate name in this example is ca1.
(config)# ssl
(config-ssl)# inline ca-certificate ca1 content
Enter the certificate below and end it with a Ctrl-D
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
<Ctrl-D>
CA certificate ca1 is added successfully.
ssl create
Create SSL keyrings, CA Certificate Lists (CCLs), signing requests, self-signed certificates, and ssl-contexts.
Syntax
(config)# ssl create ?
Examples
(config)# ssl create keyring sslkey algorithm rsa length 3072 showable no
(config-ssl)# create signing-request sslkey
Value for '' (<Country Code>): US
Value for '' (<State or Province Name (full name)>): CA
Value for '' (<Locality Name (eg city)>): Mountain View
Value for '' (<Organization Name (eg company)>): Symantec
Value for '' (<Organizational Unit Name (eg section)>): Marketing
Value for '' (<Common Name (eg server FQDN or YOUR name)>): symantec.com
Value for '' (<Email address>): jsmith@test.com
ssl delete
Delete SSL certificates, lists, keyrings, and signing-requests.
Syntax
(config)# ssl delete ?
Examples
(config)# ssl
(config-ssl)# delete signing-request sslkey
ssl edit
Edit CA certificate lists (CCLs), Certificate Revocation Lists (CRLs), or SSL contexts.
Syntax
(config)# ssl edit ccl <ccl_name> [<action>]
(config)# ssl edit crl <crl_name> [<action>]
(config)# ssl edit ssl-context <context_id> [<action>]
Examples
(config-ssl)# edit ccl browser-trusted
(config-ccl-browser-trusted)# add esignit.org
ok
(config-ccl-browser-trusted)# view
Name: browser-trusted
FIPS compliant: no
Certificates:
1st_Data_Digital
A-Trust-Qual-02
A-Trust-Root-05
A-Trust-nQual-03
AC1_Raiz_Mtin
ACA_ROOT
ACCV_ACCVRAIZ1
ACEDICOM_Root
..
ssl inline
Import SSL keyrings, signing requests, and certificates.
Syntax
(config)# ssl inline ?
ca-certificate <certificate_name> content   Import a Certificate Authority (CA) certificate from terminal input by pasting the certificate content.
certificate <keyring_id>                    Import a certificate into the specified keyring by pasting the certificate content.
crl <crl_name>                              Import a Certificate Revocation List (CRL) from terminal input by pasting the certificate content.
keyring <keyring_id>                        Install a keyring. Keyrings are containers for SSL certificates on the appliance, and can be used to manage self-signed or CA-signed certificates. You will be prompted to paste the keyring content.
signing-request <keyring_id>                Install a request for a signed certificate associated with the specified keyring. You will be prompted to paste the signing request content.
Examples
Add a certificate from a Certificate Authority; the certificate name in this example is ca1.
(config)# ssl
(config-ssl)# inline ca-certificate ca1 content
Enter the certificate below and end it with a Ctrl-D
-----BEGIN CERTIFICATE-----
(PEM certificate body omitted)
-----END CERTIFICATE-----
<Ctrl-D>
CA certificate ca1 is added successfully.
ssl view
View certificate and keyring details and signing request confirmations.
Syntax
(config)# ssl view ?
Examples
To view the certificate details for the ca1 certificate:
(config-ssl)# view ca-certificate ca1
Issuer: /C=US/ST=California/L=Sunnyvale/O=Blue Coat/OU=Development/CN=ca.bluecoat/
emailAddress=eric.chi@bluecoat.com
Subject: /C=US/ST=California/L=Sunnyvale/O=Blue Coat/OU=Development/CN=ca.bluecoat/
emailAddress=eric.chi@bluecoat.com
Valid From: Jan 13 01:32:40 2015 GMT
Valid Until: Jan 10 01:32:40 2025 GMT
Fingerprint: DB:AF:B1:82:EF:0C:9F:AD:84:F7:D8:35:0A:AA:0B:5D:93:DA:77:A5
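Added pre-import check, not part of the ISG CLI or this guide: before pasting a CA certificate with ssl inline, compute the SHA-1 fingerprint in the colon-separated form that ssl view ca-certificate prints and read the validity window from the certificate, so both can be compared with what the appliance reports after import. All function names are assumptions, and the sample certificate is a constructed, structurally minimal stand-in (not a real CA) that reuses the dates from the ca1 example.

```python
import base64
import hashlib
import re
from datetime import datetime, timezone
# Added pre-import check, not part of the ISG CLI: the SHA-1 fingerprint in the
# colon-separated form `ssl view ca-certificate` prints, plus the validity window.
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def pem_to_der(pem: str) -> bytes:  # strip the PEM armor, base64-decode the body
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode("".join(m.group(1).split()))

def fingerprint(der: bytes) -> str:  # same format as the `ssl view` Fingerprint line
    return ":".join(f"{b:02X}" for b in hashlib.sha1(der).digest())

def _tlv(buf: bytes, pos: int):  # one DER tag/length/value -> (tag, value, next pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def validity(der: bytes):  # (not_before, not_after) as UTC datetimes
    _, cert, _ = _tlv(der, 0)              # Certificate ::= SEQUENCE
    _, tbs, _ = _tlv(cert, 0)              # tbsCertificate ::= SEQUENCE
    tag, _, pos = _tlv(tbs, 0)             # [0] EXPLICIT version, absent in v1 certs
    if tag != 0xA0:
        pos = 0
    for _ in range(3):                     # skip serialNumber, signature, issuer
        _, _, pos = _tlv(tbs, pos)
    _, val, _ = _tlv(tbs, pos)             # validity ::= SEQUENCE { notBefore, notAfter }
    out, p = [], 0
    for _ in range(2):
        tag, t, p = _tlv(val, p)           # 0x17 UTCTime (YY), 0x18 GeneralizedTime (YYYY)
        fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
        out.append(datetime.strptime(t.decode("ascii"), fmt).replace(tzinfo=timezone.utc))
    return out[0], out[1]

def _der(tag: int, body: bytes) -> bytes:  # short-form DER encoder, sample only (<128 B)
    return bytes([tag, len(body)]) + body

# Constructed sample, not a real CA: a v3 tbsCertificate holding only the fields up to
# validity, with the dates from the `ssl view ca-certificate ca1` example above.
SAMPLE_TBS = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") +
                  _der(0x30, b"") + _der(0x30, b"") +
                  _der(0x30, _der(0x17, b"150113013240Z") + _der(0x17, b"250110013240Z")))
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n" +
              base64.encodebytes(_der(0x30, SAMPLE_TBS)).decode() + "-----END CERTIFICATE-----\n")
```

A mismatch between fingerprint(pem_to_der(...)) and the Fingerprint line shown by ssl view means the pasted content is not the certificate you checked locally.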
timezone
Set the time zone where the appliance is located or choose the Coordinated Universal Time (UTC) time standard.
Syntax
(config)# timezone [<area>/<location> | UTC | GMT]
Examples
To select UTC as the time standard (instead of setting a time zone):
(config)# timezone UTC
America
Antarctica
Arctic
Asia
Atlantic
Australia
Europe
Indian
Pacific
UTC
GMT
all
current
(config)# show timezone Antarctica
Antarctica/McMurdo
Antarctica/Rothera
Antarctica/Palmer
Antarctica/Mawson
Antarctica/Davis
Antarctica/Casey
Antarctica/Vostok
Antarctica/DumontDUrville
Antarctica/Syowa
Antarctica/Troll
Antarctica/Macquarie
(config)# timezone set Antarctica/Davis
upload
Upload the third-party attributions zip file to an FTP site.
Syntax
(config)# upload ATTRIBUTIONS <full_url/filename> <username> <password>
Notes
ATTRIBUTIONS must be in uppercase.
Examples
(config)# upload ATTRIBUTIONS ftp://exampleftp.com/attributions.zip mary ******
Error: operation failed: Active console session exists already for this domain
Cause: This error occurs when another session is attached to the serial console of the application you are trying to attach to.
Solution: Recover the serial console with the force parameter. See applications attach-console.

Error: Hardware platform has insufficient memory or CPUs to create application
Cause: This error occurs when attempting to create an application where the size of the application model exceeds the memory capabilities of the SSP appliance. For example, running a C24L model on an SSP-S410-10 appliance would result in this error message because a C24L requires 256 GB of RAM and an SSP-S410-10 appliance only has 48 GB of RAM.
Solution: Review the requirements for your model type and appliance and create an application with a model that adheres to the requirements for your appliance.

Error: failed to get domain 'sgos'
Error: Domain not found: no domain with matching name 'sgos'
Cause: This error occurs when attempting to use the attach-console command immediately after starting an application. The ISG has not had enough time to start up the application yet.
Solution: Wait a couple of seconds for the ISG to start the application and try the attach-console command again.

Error: Invalid command, current application status does not allow attach-console
Cause: This error occurs when attempting to use the attach-console command when the application you are attempting to attach to is in neither the Healthy nor the Unhealthy state. For example, if you recently created the application, the status of the application might be Created.
Solution: Use the following command to view the application status:
localhost(config-applications)# view

Error: Invalid license id: 1234567890
Cause: This error occurs when you enter an invalid license ID during application creation.
Solution: Review the license ID you received in your welcome letter and ensure it is entered correctly.

Error: Insufficient disk space for application
Cause: This error occurs when you attempt to create other applications and do not have enough disk space to support them.
Solution: Delete any unnecessary existing applications or consider upgrading your application model and/or SSP appliance to allow for more applications.

Error: Use edit to modify an existing application
Cause: This error occurs when you attempt to use the create command to change values for an existing application.
Solution: Use the following command to change the values of existing applications:
localhost(config-applications)# edit application_name model model_type

Error: Invalid serial number associated with this SG-VA instance. Metadata Provider failed to provide a valid serial number.
Cause: This error occurs when you attempt to license a ProxySG application and the ISG either is unable to provide the serial number or the number is invalid.
Solution: You cannot manually change the serial number and must delete the application and create a new one.

License management cannot be performed using this CLI.
Cause: This error occurs when you attempt to manage the ProxySG application license from the ProxySG CLI.
Solution: Make changes to the ProxySG application license from the ISG CLI and restart the ISG for the changes to take effect.