
Integrated Secure Gateway 2.1

Table of Contents
ISG Required Ports, Protocols, and Services...................................................................................6
ISG Security Best Practices............................................................................................................... 8
About Integrated Secure Gateway................................................................................................... 10
About Licensing ISG Applications............................................................................................................................... 10
About Network Interfaces for Applications and Appliances..................................................................................... 10
About Application Serial Numbers and License IDs..................................................................................................11
First Steps....................................................................................................................................................................... 11
Manage Applications......................................................................................................................................................13
Manage Images...............................................................................................................................................................15
Manage Licenses............................................................................................................................................................16
Upgrade Instructions..................................................................................................................................................... 17
Platform and Performance Reference..........................................................................................................................18
Troubleshooting..............................................................................................................................................................19
Command Line Overview.................................................................................................................. 20
Command Usage Conventions..................................................................................................................................... 20
Typographical Conventions...........................................................................................................................................20
Command Prompts........................................................................................................................................................ 20
Edit Previously Entered Commands............................................................................................................................ 21
Standard Mode Commands...........................................................................................................................................21
enable........................................................................................................................................................................ 21
exit............................................................................................................................................................................. 22
show.......................................................................................................................................................................... 22
Enable Mode Commands.............................................................................................................................................. 23
applications................................................................................................................................................................23
authentication............................................................................................................................................................ 24
clock...........................................................................................................................................................................24
configure.................................................................................................................................................................... 25
diagnostics.................................................................................................................................................................25
diagnostic-systems.................................................................................................................................................... 25
disable....................................................................................................................................................................... 26
display-level............................................................................................................................................................... 26
event-log.................................................................................................................................................................... 27
exit............................................................................................................................................................................. 28
halt............................................................................................................................................................................. 28
health-monitoring....................................................................................................................................................... 28
health-monitoring metric.....................................................................................................................................28


health-monitoring view....................................................................................................................................... 30
history........................................................................................................................................................................ 31
images....................................................................................................................................................................... 32
installed-systems....................................................................................................................................................... 32
ip................................................................................................................................................................................ 33
licensing.....................................................................................................................................................................34
login-banner...............................................................................................................................................................35
logout......................................................................................................................................................................... 35
ntp.............................................................................................................................................................................. 36
password-policy......................................................................................................................................................... 36
pcap........................................................................................................................................................................... 36
ping............................................................................................................................................................................ 37
proxy-settings............................................................................................................................................................ 38
restart.........................................................................................................................................................................38
restore-defaults..........................................................................................................................................................38
send........................................................................................................................................................................... 38
show.......................................................................................................................................................................... 39
shutdown................................................................................................................................................................... 40
smtp........................................................................................................................................................................... 41
snmp.......................................................................................................................................................................... 41
ssh-console................................................................................................................................................................41
ssl.............................................................................................................................................................................. 43
ssl create............................................................................................................................................................44
ssl delete............................................................................................................................................................ 45
ssl edit................................................................................................................................................................ 45
ssl inline............................................................................................................................................................. 46
ssl view...............................................................................................................................................................47
traceroute...................................................................................................................................................................48
upload........................................................................................................................................................................ 49
Configure Mode Commands......................................................................................................................................... 49
acl.............................................................................................................................................................................. 50
appliance-name......................................................................................................................................................... 50
applications................................................................................................................................................................51
applications attach-console................................................................................................................................51
applications create............................................................................................................................................. 51
applications delete............................................................................................................................................. 52
applications edit................................................................................................................................................. 52
applications start................................................................................................................................................ 53
applications stop................................................................................................................................................ 53
applications view................................................................................................................................................ 53


authentication............................................................................................................................................................ 54
clock...........................................................................................................................................................................54
diagnostic-systems.................................................................................................................................................... 55
dns............................................................................................................................................................................. 56
event-log.................................................................................................................................................................... 56
exit............................................................................................................................................................................. 57
halt............................................................................................................................................................................. 57
health-monitoring....................................................................................................................................................... 58
health-monitoring metric.....................................................................................................................................58
health-monitoring view....................................................................................................................................... 60
images....................................................................................................................................................................... 61
images delete.....................................................................................................................................................61
images load........................................................................................................................................................61
images view....................................................................................................................................................... 62
installed-systems....................................................................................................................................................... 62
interface..................................................................................................................................................................... 63
ipv6............................................................................................................................................................................ 64
licensing.....................................................................................................................................................................64
login-banner...............................................................................................................................................................65
ntp.............................................................................................................................................................................. 66
password-policy......................................................................................................................................................... 67
pcap........................................................................................................................................................................... 69
proxy-settings............................................................................................................................................................ 69
restart.........................................................................................................................................................................70
restore-defaults..........................................................................................................................................................70
show.......................................................................................................................................................................... 71
shutdown................................................................................................................................................................... 72
smtp........................................................................................................................................................................... 72
snmp.......................................................................................................................................................................... 73
snmp agent........................................................................................................................................................ 73
snmp community................................................................................................................................................ 74
snmp notify.........................................................................................................................................................74
snmp system...................................................................................................................................................... 75
snmp target........................................................................................................................................................ 75
snmp usm local..................................................................................................................................................76
snmp usm remote.............................................................................................................................................. 77
snmp vacm group access..................................................................................................................................77
snmp vacm group member................................................................................................................................77
ssh-console................................................................................................................................................................78
ssl.............................................................................................................................................................................. 79


ssl create............................................................................................................................................................80
ssl delete............................................................................................................................................................ 81
ssl edit................................................................................................................................................................ 82
ssl inline............................................................................................................................................................. 83
ssl view...............................................................................................................................................................84
timezone.................................................................................................................................................................... 85
upload........................................................................................................................................................................ 86
ISG CLI Error Message Reference............................................................................................................................... 86
Documentation Legal Notice............................................................................................................ 88


ISG Required Ports, Protocols, and Services


Depending on your ISG appliance configuration, you must open certain ports and protocols on your firewalls for the
appliance to function as intended, to use enabled features, or to allow connectivity to various components and data
centers. This topic documents basic configurations and some commonly used options.

Inbound Connections

Component | Default Port | Protocol | Configurable | Source | Description
SSH | 22 | TCP | No | SSH client | SSH management of the appliance
SNMP | 161 | UDP | No | SNMP client | SNMP monitoring

Outbound Connections

Component | Default Port | Protocol | Configurable | Source | Description
DNS | 53 | TCP/UDP | No | DNS server | Port used by your DNS server
HTTP | 443 | TCP | No | Depends on the service | Provides access to various HTTPS services. See the full list in URLs/IPs for Symantec Services.
NTP | 123 | UDP | Yes | NTP server | Periodic time update from default or configured NTP servers
RADIUS | 1812, 1813 | TCP | Yes | RADIUS server | RADIUS authentication
SMTP | N/A | TCP | Yes | SMTP server | Email notifications
SNMP | 162 | UDP | No | Trap receiver | Send SNMP traps
Syslog | 514 | UDP | No | Syslog server | Syslog uploads to remote server
Syslog | 6514 | TCP | No | Syslog server | Syslog uploads to remote server


URLs/IPs for Symantec Services

Service | URL | Protocol | Port | Function
Symantec Certificate Authority | abrca.bluecoat.com | HTTP | 80 | A Blue Coat/Symantec service that responds to CSR requests by returning a signed certificate. This is used when renewing or initially requesting a certificate.
Symantec Heartbeat Server | subscription.es.bluecoat.com/heartbeat/post | HTTPS | 443 | ISG emits a heartbeat to the Blue Coat/Symantec heartbeat server on the following occasions: appliance bootup, daily, and after a system failure. Using the information contained in the heartbeat messages, Symantec is able to provide better, faster support to its users.
Symantec Network Protection (Blue Coat) Licensing | device-services.es.bluecoat.com | HTTPS | 443 | URLs used by the appliance to manage the appliance license (applicable to licenses without birth certificates).
Symantec Network Protection (Blue Coat) Licensing | bto-services.es.bluecoat.com | HTTPS | 443 | URL for managing the virtual appliance license, and to perform software image update checks for all versions of ISG (applicable to licenses with birth certificates).
Symantec Support | upload.bluecoat.com | HTTPS | 443 | A web form for submitting files to Symantec Support.
NTP | ntp.bluecoat.com, ntp2.bluecoat.com (ISG can also accept configuration of other NTP servers) | UDP | 123 | Synchronize the appliance clock with a verified time reference server.
Trust Package Updates | appliance.bluecoat.com | HTTP | 80 | Download trust packages (CA certificate update packages) from Symantec.


ISG Security Best Practices


Your ISG appliance hosts your network security applications, so it is important that you manage it in a secure fashion.
The items listed here represent best-effort security considerations. Consult the security requirements of your organization
when deploying ISG in your environment.

Physical Location and Networking


• Secure the physical location where ISG is deployed.
Make sure that access is limited to a few top-level administrators. Wherever possible, monitor their access.
• Configure management access to the appliance.
Secure the setup console via serial connection to the appliance. The serial console password must be at least
eight characters in length and contain at least three character types (upper-case letters, lower-case letters, numeric
characters, and special characters).
• Secure any serial console servers attached to ISG.
If the ISG appliance is connected to a serial console server, be aware of who can remotely connect to the server and
the CLI, and treat those types of remote management tools with the same or greater care as you do for other methods
of connecting to the appliance.
• Avoid deploying ISG with a direct connection to the Internet.
Wherever possible, ISG should be behind a firewall, proxy, and/or other security appliance to protect it from
Internet-based attacks.
• Configure the management interfaces on the appliance in unique, non-congruent subnets.
Configuring the interfaces in this way reduces the vectors available to an attacker.
• Ensure that your network infrastructure is prepared for the connections to and from your ISG appliance.
See ISG Required Ports, Protocols, and Services for a list of URLs and ports used by ISG.
• Use the ssl-context CLI command to configure device connection security.
An SSL context is a collection of ciphers, protocol versions, trusted certificates, and other TLS options. The ssl-context
CLI command enables you to configure a global SSL context that applies to all devices, or to assign a context on a
per-device basis.
• Use only high-strength security ciphers and protocols.
Regardless of the default values, Symantec encourages ISG administrators to be aware of the security landscape, and
only use ciphers and protocols that are known to be highly secure.
• Do not rely on the self-signed certificate.
Replace the built-in self-signed certificate with one signed by a public Certificate Authority (CA) or your organization’s
private CA before deploying your ISG appliance. This certificate should be generated with a 2048-bit or higher RSA
key, and should use the SHA2 hashing algorithm.

Administering and Monitoring the Appliance


• Strengthen default password policy.
Change the default password policy to make it stronger. Consider the following best practices:
• Require that passwords have a minimum of eight characters.
• Do not allow easily guessed passwords, such as 12345678, or common words.
• Require that all passwords contain characters from at least three character classes: letters (upper and lower case),
numbers, and special or meta characters. (Do not use colons.)
• Maintain security patches.

8
Integrated Secure Gateway 2.1

Most attacks exploit known vulnerabilities. Make sure your ISG appliance is updated with the latest available software
version.
• Ensure that the primary administrator account (admin) details are known only to a select few administrators.
Set the primary admin password to use twelve or more characters, and include a mix of case and special characters.
Save the details in a secure location.
• Set a unique enable password, different from the password of the built-in admin account.
Set the enable password to use twelve or more characters, and include a mix of case and special characters. Save the
details in a secure location.
• Make sure that every ISG administrator has their own account.
• Do not share admin accounts.
Wherever possible, use LDAPS (Secure LDAP) authentication or AD. LDAPS and AD are more secure than local
authentication or standard LDAP or RADIUS authentication.
• Set the ISG Audit Log to remote output syslog.
ISG sends all audit records to the syslog. Enable remote syslog so that you can detect an abnormal behavior as
quickly as possible.
• Enable all email and other alerts.
Direct emails and other alerts to addresses and services that can be viewed by multiple administrators.
• Review system logs regularly.
Administrators must examine the system frequently. Specifically, review the System logs for errors, anomalies, or
unexpected events, and review the Audit logs for unauthorized access attempts or suspicious activities.
• Set max failed attempts for authentication.
Set a limit for the number of failed access attempts on any external authentication service you are using.
• Use SNMPv3 for system activity reporting.
Earlier versions of SNMP do not support authentication or security features.
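The serial console rule above (eight characters, three of four character classes) and the password-policy and admin/enable rules in this list can be checked before a password is set. The following Python validator is an added example, not part of the ISG product or this guide; the list of easily guessed values it carries is a constructed placeholder, since the guide names only 12345678 and "common words".

```python
# Validator for the password rules stated in the ISG security best practices.
# Added example; not ISG code. Thresholds are the ones the guide gives:
# eight characters for the console/default policy, twelve for admin and enable.
CONSOLE_MIN_LENGTH = 8
PRIVILEGED_MIN_LENGTH = 12
MIN_CHARACTER_CLASSES = 3

# Constructed blacklist for illustration; extend it with your organization's
# own list of banned values and common words.
EASILY_GUESSED = {"12345678", "password", "admin", "qwerty", "symantec"}


def character_classes(password: str) -> set:
    """Return the character classes present: upper, lower, digit, special."""
    classes = set()
    for ch in password:
        if ch.isupper():
            classes.add("upper")
        elif ch.islower():
            classes.add("lower")
        elif ch.isdigit():
            classes.add("digit")
        else:
            # Anything else (punctuation, space, meta characters) counts as special.
            classes.add("special")
    return classes


def check_password(password: str, *, privileged: bool = False) -> list:
    """Return a list of policy violations; an empty list means the password passes.

    privileged=True applies the stricter rule for the built-in admin account
    and the enable password: twelve or more characters with a mix of case and
    at least one special character.
    """
    problems = []
    min_length = PRIVILEGED_MIN_LENGTH if privileged else CONSOLE_MIN_LENGTH
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")

    # The guide excludes colons from passwords.
    if ":" in password:
        problems.append("contains a colon")

    classes = character_classes(password)
    if len(classes) < MIN_CHARACTER_CLASSES:
        problems.append(
            f"uses {len(classes)} character class(es); {MIN_CHARACTER_CLASSES} required"
        )

    if privileged:
        if not {"upper", "lower"} <= classes:
            problems.append("privileged passwords need both upper- and lower-case letters")
        if "special" not in classes:
            problems.append("privileged passwords need a special character")

    # Reject blacklisted values and passwords that merely embed one.
    lowered = password.lower()
    if any(word in lowered for word in EASILY_GUESSED):
        problems.append("matches an easily guessed value")

    return problems


def is_compliant(password: str, *, privileged: bool = False) -> bool:
    """Convenience wrapper: True when check_password reports no violations."""
    return not check_password(password, privileged=privileged)


if __name__ == "__main__":
    for candidate, priv in [("12345678", False), ("Tr0ub4dor&3", False),
                            ("Tr0ub4dor&3", True), ("Correct#Horse42Battery", True)]:
        print(candidate, "privileged" if priv else "console",
              check_password(candidate, privileged=priv) or "OK")
```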


About Integrated Secure Gateway


The Integrated Secure Gateway (ISG) is the software on the Symantec Security Platform (SSP) appliance used to
deploy applications.
Use the ISG command line interface (CLI) to perform the following tasks:
• Connect the SSP appliance to your network
• Connect to the ISG serial console
• Create and run one or more applications
• License applications
The SSP is not a licensed product and only the applications it runs require licenses. For information on licensing, see
About Licensing ISG Applications.

Limitations in Integrated Secure Gateway


Currently, ProxySG applications running on ISG do not support SG Redundancy Protocol (SGRP).

About Licensing ISG Applications


Licensing for applications on SSP is managed by ISG (the host) rather than the application itself.
Licenses for applications are managed solely via the ISG command line interface (CLI). License management from within
the application (such as the ProxySG CLI) is disabled.
IMPORTANT
If you make changes to the license, you must restart the application for the changes to take effect.
There are two sub-types of licenses:
• Enterprise: A single license ID that can be used for multiple applications, appliances, and virtual appliances. For
example, you could simultaneously use the same license ID for a ProxySG application on ISG and a ProxySG VA
running on AWS. Each instance or appliance using the license can be a different size. Purchase this license by the
number of cores that you will use across all instances and appliances.
• Node-locked: A single license ID that can be used for fixed applications running on a single ISG. This license
dictates the size, model, and number of applications you can have running simultaneously. All applications must be the
same model; for example, you could purchase a license for two C2S models, but not one C2S and one C2M. This type of
license is perpetual as opposed to a subscription.
NOTE
For ProxySG applications, only Secure Web Gateway (SWG)-Edition and Advanced Reverse Proxy (ARP)
licenses are available. As Proxy-Edition licenses are not available, ProxySG applications running on ISG cannot
be used in Application Delivery Network (ADN) deployments.

About Network Interfaces for Applications and Appliances


The virtual network interface for applications running on ISG is mapped 1-to-1 with the physical network interface of the
SSP appliance; for example, if the interface for the application is defined as 0:0, then that interface is mapped to the 0:0
physical interface.


About Application Serial Numbers and License IDs


About Application License IDs
ISG uses application license IDs to identify application license files (which applications on the SSP appliance use). These
license IDs are specific to a particular application type and have the same format as serial numbers. When you create
applications, you must provide a valid license ID that has a corresponding license file installed in the license inventory of
the SSP appliance.

About Application Serial Numbers


Each running application has a serial number, and the application license ID is the application's serial number.

About Appliance Serial Numbers


In addition to the application license IDs and application serial numbers of the applications running on ISG, the SSP
appliance also has a unique serial number.

Which ID or Number Do I Use for Creating Applications?


If you purchased an Enterprise license for use on an ISG-hosted application, use the license ID of the Enterprise license
when installing the license file and creating the application. Enterprise licenses arrive separately from your appliance.
For Node-locked licenses, the license is an add-on that is associated with the appliance. The license ID for a Node-locked
license is the same value as the appliance serial number of the SSP appliance. You can use the show version
command in the ISG CLI to view the SSP appliance serial number.
For information on license types, see About Licensing ISG Applications.

First Steps
Perform the initial configuration steps.

Set Up the Console


Before you set up and configure the appliance, ensure you have performed all steps in the Symantec Security Platform
Quick Start Guide.
1. Use SSH to connect to the ISG console and when prompted, enter 2.
Welcome to the Symantec S410 Series Appliance Serial Console
Version: ISG 2.1, Release id: 255099
-------------------------- MENU ---------------------------
1) Command Line Interface
2) Setup console
-----------------------------------------------------------
Enter option: 2
2. Enter the number of the interface you want to configure the ISG IP address for and enter the required network
information when prompted.
Please enter the IP addresses for the S410 Appliance

The following interfaces are available for configuration:

1. 0:0
2. 2:0

3. 2:1
4. 2:2
5. 2:3

Enter interface number to configure 1


IP address: ip_address
IP subnet mask: subnet_mask
IP gateway: ip_gateway
DNS server: dns_server_ip_address

Would you like to change any of them? Y/N N


3. When prompted, enter the password you want to use for accessing the ISG console and enter the password again to
confirm it.
4. When prompted, enter the password you want to use for accessing enable mode in the ISG CLI and enter the
password again to confirm it.
5. (Optional) Enter Y to secure the serial port and create a setup password. If you don't want to secure the serial port,
enter N. For more information, see "Securing the Serial Port" in the SGOS Administration Guide.
6. Verify the appliance has been successfully configured by connecting to the appliance's CLI via SSH. The following
uses an example value for the IP address:
The S410 Appliance has been successfully configured.

You can connect to the command line interface or the Web interface to perform additional management
tasks.

To connect to the command line interface, open the following location from your SSH appliance: 192.0.2.0

To connect to the Web management interface, go to the following location with your web browser:
https://192.0.2.0:8082/

NOTE
The line "To connect to the Web management interface, go to the following location
with your web browser: https://192.0.2.0:8082/ " in the output is erroneous. The SSP
appliance does not offer a web console of its own, and must be configured via the CLI.

Install the Application License


Before installing your license, ensure you have your license ID available. For information on locating your license ID, see
About Application Serial Numbers and License IDs.
1. Connect to the ISG via SSH.
2. To access the CLI, enter 1.
3. Enter enable mode:
enable
Password:
#
4. Type the command:
# licensing load id license_id username username password password
If the license loaded successfully, the CLI displays the message License update was successful for license id license_id.

Install an Application Image


Before you create and start an application, load the application image onto the ISG. ISG is the platform on which
an application runs.
1. From the appliance serial console, enter configuration mode:
# config
2. Load the application image:

(config)# images
(config-images)# load application_location_URL

Create a ProxySG Application


To run the ProxySG application you must first create it.
1. From the ISG CLI, in configuration mode, create the ProxySG application:
(config)# applications
(config-applications)# create sg sg_name model model_name license-id license_id image-id image_id
ok
For information on the different license types available for your appliance, see Platform and Performance Reference.
2. Start your application:
(config-applications)# start application_name
ok

Manage Applications
View application information, attach the serial console to running applications, and edit existing applications.

Create Applications
1. Connect to the ISG via SSH.
2. Access the CLI and enter configuration mode.
3. Create the application:
(config)# applications
(config-applications)# create sg sg_name model model_name license-id license_id image-id image_id
ok
For information on the different license types available for your appliance, see Platform and Performance Reference.

Edit Applications
1. Connect to the ISG via SSH.
2. Access the CLI and enter enable mode.
3. Stop the application that you want to edit:
(config-applications)# stop application_name
NOTE
To edit an existing application, your application must be in a Created or Stopped state.
4. Edit the application:
(config-applications)# edit application_name model model_type | image-id image_id

The following example shows how to view the application configuration, stop the application, and change the model from a
C2L to a C2S:
(config-applications)# view SG1
NAME TYPE VCPU MEMORY MODEL STATUS LICENSE ID IMAGE ID
-------------------------------------------------------------------------
SG1 SG 2 20 GB C2L Running 000090007 sg-6.7.5.6-252532
(config-applications)# stop SG1
ok
(config-applications)# edit SG1 model C2S
ok

Start and Stop Applications


1. Connect to the ISG via SSH.
2. Access the CLI and enter configuration mode.
3. Do one of the following:
– Start an application:
(config-applications)# start application_name
– Stop an application:
(config-applications)# stop application_name

Remove Applications
1. Connect to the ISG via SSH.
2. Access the CLI and enter configuration mode.
3. Remove the application:
(config-applications)# delete application_name

View Application Information


To view application information, such as license IDs, image IDs, and other properties that are associated with your
applications, use the applications view command (in either enable or configuration mode). For example:
(config-applications)# view
NAME TYPE VCPU MEMORY MODEL STATUS LICENSE ID IMAGE ID
-------------------------------------------------------------------------
SG1 SG 2 20 GB C2L Running 000090007 sg-6.7.5.6-252532
SG2 SG 2 20 GB C2L Running 000090007 sg-6.7.5.6-252532
SG3 SG 2 20 GB C2L Running 000090007 sg-6.7.5.6-252532
(config-applications)# view SG1
NAME TYPE VCPU MEMORY MODEL STATUS LICENSE ID IMAGE ID
-------------------------------------------------------------------------
SG1 SG 2 20 GB C2L Running 000090007 sg-6.7.5.6-252532

Connect to the Application Serial Console


From an application serial console, you can access the application's command line to perform tasks, such as initial
configuration.
1. Connect to the ISG via SSH.
2. Access the CLI and enter configuration mode.
3. Access the application's serial console:
(config-applications)# attach-console application_name

The following is an example output of the command:
(config-applications)# attach-console SG1
Connected to domain sgos
Escape character is ^]
System starting up...

In MP mode; two processors active


Executing image: Version: SGOS 6.7.5.3, Release id: 249936 64-bit, gdb, optimized
Manufacturing MBR on directory-3 - Slot 3 (KVM VirtIO Disk N/A N/A)
This is a new system.

Press "enter" three times to activate the serial console

******************* CONFIGURATION ALERT *******************


System entering configuration wizard for the following reasons:
- Cannot find a network adapter configured with an IP address and subnet.
- The console password or 'enable' password is not set.
******************* CONFIGURATION ALERT *******************

--------------- CONFIGURATION START ------------------


Welcome to the Blue Coat SG-VA Series configuration wizard.
This appliance's serial number: 0000990007
---------------------------------------------------------------------
You can get field help by entering a question mark ? in the fields.
You can move backwards through the steps by pressing the UP arrow.
You can exit the wizard without saving your entries by pressing ESC.
---------------------------------------------------------------------
Step 1: How do you plan to configure this appliance?
a) Through a manual setup
b) Through a Director-managed setup
Your choice: []

Manage Images

Install Images
1. Connect to the ISG via SSH.
2. Access the CLI and enter configuration mode.
3. Install the image:
(config-images)# load image_url

View Image Information


1. Connect to the ISG via SSH.
2. Access the CLI and enter either enable or configuration mode.
3. Do one of the following:
– View all downloaded images:
(config-images)# view
– View a specific image:
(config-images)# view image_id
– View all Content Analysis images:
(config-images)# view cas
– View all ProxySG images:
(config-images)# view sg

Remove Images
NOTE
You can only delete images when they are not in use.
1. Connect to the ISG via SSH.
2. Access the CLI and enter configuration mode.
3. Remove the image:
(config-images)# delete image_id

Manage Licenses
Perform administrative tasks for your application licenses.

Install Licenses
Before installing your license, ensure you have your license ID available. For information on locating your license ID, see
About Application Serial Numbers and License IDs.
1. Connect to the ISG via SSH.
2. Access the CLI and enter enable mode.
3. Install the license:
# licensing load id license_id username username password password
If the license loaded successfully, the CLI displays the message License update was successful for license id license_id.

Update Licenses
To update a license installed in an application running on ISG:
1. Connect to the ISG via SSH.
2. Access the CLI and enter enable mode.
3. Load the updated license into the ISG license inventory with one of the following commands:
# licensing load id license_id
# licensing inline passphrase passphrase
If the license loaded successfully, the CLI displays the message License update was successful for license id license_id.
4. From the ISG CLI, stop and restart the application:
(config)# applications
(config-applications)# stop application_name
(config-applications)# start application_name
5. Verify the license updated by comparing license contents for the ISG and the applications that run on it:
a. Retrieve the license contents from the ISG CLI:
# licensing view id license_id
b. In the ProxySG CLI, retrieve the license contents for the ProxySG applications:
> show licenses
c. Compare the ISG license contents to the application license contents and ensure they match.

Remove Licenses from ISG


1. Connect to the ISG via SSH.
2. Access the CLI and enter enable mode.
3. Remove the license:
# licensing delete id license_id

View Installed Licenses


1. Connect to the ISG via SSH.
2. Access the CLI and enter enable mode.
3. Do one of the following:
– View all licenses:
# licensing view
– View a specific license:
# licensing view [id license_id]
– View the node-locked license:
# licensing view-node-locked

Upgrade Instructions
Perform the following steps to upgrade the ISG via the ISG command line.
IMPORTANT
Downgrading to ISG 1.67.5.3 is not supported.
1. Stop all existing applications by running the following command for each application:
(config-applications)# stop application_name
2. Load the ISG image that you want to upgrade to:
# installed-systems load image_location_URL
3. Restart the ISG:
# restart

4. (Only if upgrading from ISG 1.67.5.3) Previously existing applications are put into the Created state and do not have
an associated default image. To associate a default image with the applications, do the following:
a) Load an application image onto the ISG:
(config-images)# load application_location_URL
b) Retrieve and record the image ID:
(config-images)# view
Image ID Type Version Release ID In Use
sg-6.7.5.3-250069 SG 6.7.5.3 250069 0
c) Assign the image ID to each of the existing applications:
(config-applications)# edit application_name image-id image_ID

5. Start each application and verify that each starts properly and contains all previously existing data.
6. (Only if upgrading from ISG 1.67.5.3) Delete the previous ISG 1.67.5.3 image:
a) Locate the ISG 1.67.5.3 image:
# installed-systems view
1. Version : 2.2.1.1, Release ID : 253965, Locked : false, Booted : true
BuildType : CreationTime : 2020-08-17T13:38:42+0000, BootTime : 2020-08-26T02:00:03.348+0000
DisplayName : ISG 2.2.1.1, Release ID: 253965
2. Version : 1.67.5.3, Release ID : 251920, Locked : false, Booted : true
BuildType : CreationTime : 2020-06-16T13:03:11+0000, BootTime : 2020-08-25T22:53:20.352+0000
DisplayName : ISG 1.67.5.3, Release ID: 251920
Default system to run on next hardware restart: 1
Current running system: 1
System to replace next: None
b) Delete the ISG 1.67.5.3 image (in this example, the image is labeled 2):
# installed-systems delete 2

Platform and Performance Reference


Table 1: Total Physical Resources for the Appliance and Virtual Resources Available for Applications

The following table lists the total resources available on the SSP appliance model and the resources from that total that
are available for virtual applications.

            Resources Available for Applications     Total Resources on the SSP Platform
SSP Model   vCPUs   RAM (GB)   Disk                  vCPUs   RAM (GB)   Disk
S410-10     16      32         400 GB                20      48         2x480 GB
S410-20     32      80         800 GB                40      96         2x960 GB
S410-30     48      160        800 GB                64      192        2x960 GB
S410-40     64      320        1.6 TB                80      384        2x1.9 TB

Table 2: Application Models and Fit Per Appliance Model

The following table lists the resources required for each application model and the number of instances of that model that
can fit on the various SSP appliance models.
                    Resource Requirements Per Application Model           Number of Model Instances Supported Per SSP Appliance
Application Model   vCPU   RAM (GB)   Disk (GB)   Connection Count       S410-10   S410-20   S410-30   S410-40
C2S                 2      12         1x200       15,000                 2         4         4         8
C2M                 2      16         1x200       20,000                 2         4         4         8
C2L                 2      20         1x200       25,000                 1         4         4         8
C4S                 4      20         1x200       25,000                 1         4         4         8
C4M                 4      24         1x200       37,500                 1         3         4         8
C4L                 4      32         1x200       50,000                 1         2         4         8
C8S                 8      32         2x200       50,000                 1         2         2         4
C8M                 8      64         2x200       100,000                0         1         2         4
C8L                 8      80         2x200       125,000                0         1         2         4
C16XS               16     32         2x200       50,000                 1         2         2         4
C16S                16     80         2x200       125,000                0         1         2         4
C16M                16     128        4x200       200,000                0         0         1         2
C16L                16     160        4x200       250,000                0         0         1         2
C24S                24     80         2x200       125,000                0         1         2         2
C24M                24     160        4x200       250,000                0         0         1         2
C24L                24     256        8x200       375,000                0         0         0         1

Table 3: Max Performance Deployment

The following table lists the recommended configurations for maximum performance per SSP appliance model.
SSP Model   Application Model   Instance Count   Total vCPU   Total RAM (GB)   Total Disk (GB)   Total Connections
S410-10     C16XS               1                16           32               400               50,000
S410-20     C16XS               2                32           64               800               100,000
S410-30     C24S                2                48           160              800               250,000
S410-40     C16S                4                64           320              1,600             500,000
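
The following is an added capacity-planning example (not part of this guide and not an ISG tool): it encodes Table 1 and Table 2 above as data, derives the per-model instance counts from the available vCPU, RAM and disk, and checks whether a proposed mix of application models fits an appliance (mixing models is only permitted under an Enterprise license, since a Node-locked license requires all applications to be the same model). It assumes resource use is additive and that the "available for applications" figures in Table 1 already exclude what the ISG host reserves for itself.

```python
"""Capacity check for placing ProxySG application models on an SSP appliance.

Added example; not Broadcom code. The figures below are copied from
Table 1 and Table 2 of the ISG 2.1 guide. Assumption (not stated in the
guide): applications consume vCPU, RAM and disk additively, and the
"available for applications" numbers already exclude the ISG host's share.
"""

# Table 1, "Resources Available for Applications": (vCPUs, RAM GB, disk GB).
SSP_AVAILABLE = {
    "S410-10": (16, 32, 400),
    "S410-20": (32, 80, 800),
    "S410-30": (48, 160, 800),
    "S410-40": (64, 320, 1600),
}
SSP_ORDER = ("S410-10", "S410-20", "S410-30", "S410-40")

# Table 2: (vCPU, RAM GB, total disk GB, connections,
#           documented instance counts per SSP model, in SSP_ORDER).
# Disk is the product of the "NxM" column, e.g. 2x200 -> 400.
APP_MODELS = {
    "C2S":   (2, 12, 200, 15_000, (2, 4, 4, 8)),
    "C2M":   (2, 16, 200, 20_000, (2, 4, 4, 8)),
    "C2L":   (2, 20, 200, 25_000, (1, 4, 4, 8)),
    "C4S":   (4, 20, 200, 25_000, (1, 4, 4, 8)),
    "C4M":   (4, 24, 200, 37_500, (1, 3, 4, 8)),
    "C4L":   (4, 32, 200, 50_000, (1, 2, 4, 8)),
    "C8S":   (8, 32, 400, 50_000, (1, 2, 2, 4)),
    "C8M":   (8, 64, 400, 100_000, (0, 1, 2, 4)),
    "C8L":   (8, 80, 400, 125_000, (0, 1, 2, 4)),
    "C16XS": (16, 32, 400, 50_000, (1, 2, 2, 4)),
    "C16S":  (16, 80, 400, 125_000, (0, 1, 2, 4)),
    "C16M":  (16, 128, 800, 200_000, (0, 0, 1, 2)),
    "C16L":  (16, 160, 800, 250_000, (0, 0, 1, 2)),
    "C24S":  (24, 80, 400, 125_000, (0, 1, 2, 2)),
    "C24M":  (24, 160, 800, 250_000, (0, 0, 1, 2)),
    "C24L":  (24, 256, 1600, 375_000, (0, 0, 0, 1)),
}


def max_instances(ssp: str, model: str) -> int:
    """Instances of one model that fit: the tightest of vCPU, RAM and disk."""
    available = SSP_AVAILABLE[ssp]
    required = APP_MODELS[model][:3]
    return min(have // need for have, need in zip(available, required))


def table2_mismatches() -> list:
    """Cross-check the derived counts against the documented Table 2 values.

    Returns a list of (ssp, model, derived, documented) tuples; empty means
    every documented count is explained by plain resource division.
    """
    mismatches = []
    for model, (_, _, _, _, documented) in APP_MODELS.items():
        for ssp, expected in zip(SSP_ORDER, documented):
            derived = max_instances(ssp, model)
            if derived != expected:
                mismatches.append((ssp, model, derived, expected))
    return mismatches


def deployment_totals(models) -> tuple:
    """Sum (vCPU, RAM GB, disk GB, connections) over a list of model names."""
    totals = [0, 0, 0, 0]
    for model in models:
        for i, value in enumerate(APP_MODELS[model][:4]):
            totals[i] += value
    return tuple(totals)


def fits(ssp: str, models) -> bool:
    """True if a (possibly mixed) set of applications fits within the
    appliance's resources available for applications.

    Mixed models are only valid with an Enterprise license; a Node-locked
    license requires every application on the ISG to be the same model.
    """
    vcpu, ram, disk, _ = deployment_totals(models)
    return all(used <= have
               for used, have in zip((vcpu, ram, disk), SSP_AVAILABLE[ssp]))


if __name__ == "__main__":
    print("Table 2 mismatches:", table2_mismatches())
    # One C4M plus one C2S needs 36 GB RAM, more than the S410-10's 32 GB.
    print("S410-10 C4M + C2S fits:", fits("S410-10", ["C4M", "C2S"]))
    # Table 3's S410-40 maximum: four C16S use the whole appliance.
    print("S410-40 4 x C16S totals:", deployment_totals(["C16S"] * 4))
```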

Troubleshooting

Licensing Issues
If you experience issues when licensing your applications, reinstall the license. See Manage Licenses.
If the issue persists, contact Broadcom support: https://support.broadcom.com/contact-support.html.

Command Line Overview


The command-line interface (CLI) provides an interface for managing applications running on ISG.
To configure ISG applications, see the supporting documentation for the ProxySG application.

Command Usage Conventions


A few basic conventions apply to commands:
• Commands are case sensitive—that is, you must enter them in lowercase characters. Some parameters must be
entered in uppercase.
• A command can be abbreviated by entering the minimum number of characters required to uniquely distinguish it from
other commands. For example, instead of typing event-log you can type ev and press spacebar or Tab to complete
the command.
• Command syntax can be verified by typing a ? after the command. For example:
# event-log ?
Possible completions:
level Set event log level
log-size Set event log level
syslog Specify syslog configuration
view View the event log configuration
• To issue multiple commands from a single command line, separate the commands with a semicolon (;). The
semicolon is the equivalent of pressing the Enter key. For example:
# show version;show timezones
• To negate a command or set it to its default, type no before the command. For example:
# no history
• You can edit previously entered commands.

Typographical Conventions
The following typographical conventions are used for command syntax:

Convention                    Meaning                                                        Example
Boldface in monospace font    Commands                                                       configure
[Square brackets]             Optional arguments in a command line                           restore-defaults factory-defaults [halt|shutdown] [force]
<angle brackets in italics>   Required arguments for which you will supply a value           display-level <value>
Pipe character ( | )          The "or" symbol in a command line; choose one of the options   consent-banner show-banner true | false
                              separated by the | symbol

Command Prompts
The CLI has three major modes—standard, privileged (enable), and configure.

• Standard mode: Initial mode; use to monitor the service. Prompt: >
• Privileged (enable) mode: View, manage, and change the appliance settings. Prompt: #
• Config mode: Configuration mode, used to configure a service. Prompt: (config)#
Certain configuration commands also have modes that change the command prompt. For example:
• authentication configuration mode: (config-authentication)# prompt
• health monitoring mode: (config-health-monitoring)# prompt
• NTP configuration mode: (config-ntp)# prompt
• SSL configuration mode: (config-ssl)# prompt
To exit out of the current mode, type exit; you may need to type exit multiple times to return to the desired mode.

Edit Previously Entered Commands


If you make a typing mistake in your command, you don't need to retype it—you can redisplay the command and edit it.
This capability is available when logged in to the appliance via SSH, but not via a direct console serial connection.

Display a previously entered command Press up arrow until the command you want is displayed
Scroll down through the command history Press down arrow
Move cursor to the left Press left arrow
Move cursor to the beginning of the line Press Ctrl+A
Move cursor to the right Press right arrow
Insert characters Position cursor and start typing
Delete character to the left of cursor Press Backspace
Delete all characters on the line Press Ctrl+U
Cancel current command Press Ctrl+C
View the history of all commands since last boot See history.

NOTE
If the arrow keys aren't working, make sure your remote login utility is emulating VT100 arrows. You may need to
enable this option in your client.

Standard Mode Commands


The following commands are available in standard mode, the mode after logging in to the CLI. The > prompt indicates
standard mode.
To see a list of commands available in standard mode, type help or ? at the > prompt.

enable
Enter the elevated privilege mode, known as enable mode. You will be prompted to enter the enable password.

Syntax
>enable

Notes
• When enable mode is turned on, the prompt changes from > to # .
• To return to standard mode, use the disable command.

exit
Exit from the current mode.
For example, if you are in configuration mode, exit returns you to enable mode. If you are in configure-applications
mode, exit returns you to configure mode. If you are in standard mode, exit closes the session.

Syntax
> exit

Notes
You can use this command in any mode.

show
Display information about the system and settings.

Syntax
> show ?

appliance-identifier Display the unique identifier for the ISG appliance.
applications Display the applications available on the appliance.
authentication Display the security parameters for the appliance.
BLUECOAT-INFO-MIB Display MIB entries for the appliance type, software version, and
appliance serial number.
BLUECOAT-SG-HEALTHMONITOR-MIB Display MIB entries for the appliance health monitor.
cli Display CLI-related settings, such as complete-on-space, idle-
timeout, and history.
clock Display current date and time (local and UTC) and timezone.
cpu [all | extended | debug <interval_in_seconds> | all extended | extended all] Display the average utilization for the system's processor, where:
• all displays the average utilization of each processing core
available on the system.
• extended displays the average CPU utilization over intervals
of 1, 5, 30, and 60 seconds.
• debug <interval_in_seconds> displays the
verbose average utilization of each processing core available
on the system over the specified interval of seconds.
– us —user
– sy —system
– ni —nice
– id —idle
– wa —IO-wait
– hi —hardware interrupt
– si —software interrupt
– st —stolen time
• all extended | extended all displays average CPU utilization trends over 1, 5, 30, and 60 second intervals
for each processing core available on the system.
hardware-configuration Display system hardware configuration information, such as serial number, memory, CPUs, cores, storage, NICs.
health-monitoring Display health-monitoring settings.
history Display a list of previously-entered CLI commands.
HOST-RESOURCE-MIB Display MIB entries for the host resource.
IF-MIB Display MIB entries for externally visible network interfaces.
jobs Display the list of jobs currently running in the background.
licenses Displays the list of currently installed license files.
login-banner message | status Show the currently defined login banner message and feature
status (enabled vs. disabled).
notification Display notifications.
password-policy-configuration Display current settings for password policy, such as minimum
password length.
pcap Displays packet capture information.
raid Display RAID configuration information.
restconf-state Display statistics about RESTCONF.
running-config Display current configuration.
SNMP-FRAMEWORK-MIB Display MIB entries for the SNMP framework.
SNMP-MPD-MIB Display MIB entries for the SNMP MPD.
SNMP-TARGET-MIB Display MIB entries for the SNMP target.
SNMP-USER-BASED-MIB Display MIB entries for the user-based SM.
SNMPv2-MIB Display MIB entries for SNMPv2.
ssh-console Displays the configuration of the SSH console.
ssl ca-certificate | certificate | keypair | Display certificate details.
keyring | signing-request
timezone List supported timezones.
version List the software version and release ID, appliance serial number,
and the MAC address.

Examples
> show clock
UTC time : 2020-06-15 21:10:52+00:00 UTC
Local time : 2020-06-15 21:10:52+00:00 UTC
Timezone : UTC

Enable Mode Commands


The following commands are available in enable mode. Enable is a privileged mode that requires its own password.
To enter enable mode, type enable at the standard command prompt (> ) and enter the password. The prompt will
change to #. To see a list of commands available in enable mode, type help or ? at the # prompt.

applications
List the applications currently available on the ISG and attach a terminal console to an application.

Syntax
# applications ?

attach-console Attaches a terminal console to an application.
view Displays all applications that have been created on the ISG.

Example
# applications view proxysg1
NAME VCPU MEMORY MODEL STATUS
proxysg1 2 12 GB C2S Starting

authentication
Define authentication realms and local users.

Syntax
# authentication ?

create local-user-list <name> | realm name <name> Create a new local user list, user name, or realm.
delete local-user-list <name> | realm name <name> Delete a local user list, user name, or realm.
edit local-user-list <name> | realm name <name> view Edit local user lists and user names, or view realms.

Examples
# authentication create realm name local
# authentication edit realm local view
Realm name: local
Default group: none
Display name: LocalRealm
Local user list: UserListA
Realm type: none
# authentication delete realm name local
ok

clock
Manually set the time and date of the appliance in Coordinated Universal Time (UTC).

Syntax
# clock day <value> | hour <value> | minute <value> | month <value> | second <value> | year <value>

Notes
• Each value must be entered as a separate command.
• If you are using an NTP server, you do not need to manually set the clock.

Examples
# clock day 2
# clock month 9
# clock year 2020

configure
A command to enter a mode in which CLI commands are available for changing the configuration of the software and
appliance.

Syntax
# configure

Notes
• When in configure mode, the command prompt changes to: (config)#
• Type ? to see a list of CLI commands available in configure mode.
• Type exit to disable configure mode. The command prompt changes to: #

diagnostics
Provide access to the appliance or submit troubleshooting information to Broadcom Support to help diagnose hardware or
software issues.

Syntax
# diagnostics ?

heartbeat disable | enable | view | send Enable/disable the sending of heartbeat data to Broadcom; view current heartbeat report or configuration; send report to Broadcom.
service-info send [<service_request_number> | password <password>] | plugins <plugin_name> | url <url> | [username <username>] Generate and upload the service diagnostics to Broadcom or a server that you specify. If you are sending diagnostics to your own server, a service request (SR) number is not required.

diagnostic-systems
Manage diagnostic images installed on the system. Up to six images can be installed on the system. If your system
already has six images installed and you add another image, the oldest unlocked image will be replaced with the new
image, unless you have designated a particular image to be replaced.

Syntax
# diagnostic-systems ?

cancel Cancel the download process of an image that is currently downloading.
delete <image#> Delete an image from the system. Use the diagnostic-systems view command to identify the image
number to delete. You cannot remove a locked image or the current running image.
load <URL> Download and install a diagnostic image on the system. <URL>
is the path to an image on a web server that the appliance has
access to. Example: http://webserver.mycompany.com/images/
diag.bcs
lock <image#> Lock a diagnostic image to protect it from accidental deletion.
replace <image#> Designate which image will be replaced next (if the system already
has six installed images and you load another image). If you do
not specify an image to be replaced, the oldest unlocked image on
the system will be replaced.
unlock <image#> Unlock a diagnostic image that you no longer want to protect
from deletion. You have to unlock a locked image before you can
remove it.
unset-replace Unset image to be replaced next. When a replacement image is
not designated, the oldest image will be replaced when you load a
seventh image.
view Show a list of installed diagnostic images along with their image
numbers, software versions, release IDs, whether the image is
locked or unlocked, whether it has ever been booted, creation
date/time, and boot date/time. The summary at the bottom of the
list indicates which image number is the current running system,
the default system to run the next time the appliance is restarted,
and the image number that will be replaced next.

Examples
# diagnostic-systems load http://webserver.mycompany.com/images/diag.bcs

disable
Return to standard mode.

Syntax
# disable

Notes
When enable mode is turned off, the prompt changes from # to >.

display-level
Set the depth of the configuration that is shown by the show full-configuration and show running-configuration
commands. For example, if the display-level is set to 1, only top-level configuration nodes and their values are shown. If it
is set to 2, then top-level nodes and their child nodes are shown, and so on. By default, the entire configuration is shown.

Syntax
# display-level [level <n>]

Examples
# display-level 1

event-log
Manage syslog settings. The syslog feature gives administrators a way to centrally log and analyze events on the
system. This command is available in both the enable and config modes.

Syntax
# event-log ?

level <value> Set the level to specify which messages to suppress to the syslog
server.
For example, setting the level to 3 allows messages with levels 0
- 3 and suppresses messages with levels 4 - 7. <value> can be
one of the following:
• 0 Emergency: system is unusable
• 1 Alert: action must be taken immediately
• 2 Critical: critical conditions
• 3 Error: error conditions
• 4 Warning: warning conditions
• 5 Notice: normal but significant condition
• 6 Informational: informational messages
• 7 Debug: debug-level messages
log-size <value> Set the maximum size in MB for the event-log.
syslog add host <host> [port <port>] Configure a syslog server where <host> is the host name or IP
address of the syslog server. Optionally, you can also specify a
custom port, where <port> is the port number.
syslog add tls host <host> [port <port>] Configure a syslog server using tls where <host> is the host
name or IP address of the syslog server. Optionally, you can also
specify a custom port, where <port> is the port number.
syslog add udp host <host> [port <port>] Configure a syslog server using UDP where <host> is the host
name or IP address of the syslog server. Optionally, you can also
specify a custom port, where <port> is the port number.
syslog remove host <host> Remove a configured syslog server by specifying the <host>.
syslog clear Removes all configured syslog servers.
view View syslog settings.

Notes
• You can add multiple syslog servers.
• The sub-commands listed above can either be entered in the enable prompt, event-log configuration mode (at the
(config-event-log) prompt), or in configuration mode (at the (config) prompt).

Examples
# event-log syslog add udp host 203.0.113.17
Added syslog server host 203.0.113.17:514.
# event-log view
Log level: 5 (notice)
Remote syslog servers:
203.0.113.17:514

exit
Exit from the current mode.
For example, if you are in configuration mode, exit returns you to enable mode. If you are in configure-applications
mode, exit returns you to configure mode. If you are in standard mode, exit closes the session.

Syntax
> exit

Notes
You can use this command in any mode.

halt
Halts the operating system and stops all CPUs. Once the system is cleanly halted, you can power down the appliance.

Syntax
# halt

Notes
The halt and shutdown commands are similar; the only difference is that shutdown disconnects the power via the CLI
command.

health-monitoring
View Health Monitoring (HM) events and status, and view and change HM settings. This command is available in both the
enable and config modes.

Syntax
# health-monitoring ?

clear-history Clear the entire event history.
metric Set parameters for metrics.
view Show health status and metric settings.

health-monitoring metric
The health monitoring system tracks CPU utilization (cpu-util), memory utilization (memory-util), and license-server
statuses. Use the health-monitoring view settings command to see a list of metrics tracked on your system.

Syntax
# health-monitoring metric ?

cpu-util CPU utilization thresholds.
email enable | disable Enable or disable email notification when CPU utilization reaches a critical or warning
threshold.
high-critical-threshold 0-100 Set the percentage that constitutes the high critical threshold.
high-warning-threshold 0-100 Set the percentage that constitutes the high warning threshold.
log enable | disable Enable or disable logging when CPU utilization reaches a critical or warning threshold.
Default: enable
trap enable | disable Enable or disable SNMP trap when CPU utilization reaches a critical or warning threshold.
license-server-communication-status Communication status with the license server. Set the number of days without
communication with the license server.
email enable | disable Enable or disable email notification when the license server communication status reaches a
critical or warning threshold.
low-critical-threshold 0-7 Set the number of days that constitutes the low critical threshold.
low-warning-threshold 0-7 Set the number of days that constitutes the low warning threshold. Default: 6
log enable | disable Enable or disable logging when the license server communication status reaches a critical or
warning threshold. Default: enable
trap enable | disable Enable or disable SNMP trap when the license server communication status reaches a critical or
warning threshold.
license-validation-status License validation status. Set the number of days without license validation.
email enable | disable Enable or disable email notification when the license validation status reaches a critical or
warning threshold.
low-critical-threshold 0-30 Set the number of days that constitutes the low critical threshold.
low-warning-threshold 0-30 Set the number of days that constitutes the low warning threshold. Default: 30
log enable | disable Enable or disable logging when the license validation status reaches a critical or warning
threshold. Default: enable
trap enable | disable Enable or disable SNMP trap when the license validation status reaches a critical or warning
threshold.
memory-util Memory utilization thresholds.
email enable | disable Enable or disable email notification when memory utilization reaches a critical or warning
threshold.
high-critical-threshold 0-100 Set the percentage that constitutes the high critical threshold. Default: 90
high-warning-threshold 0-100 Set the percentage that constitutes the high warning threshold. Default: 80
log enable | disable Enable or disable logging when memory utilization reaches a critical or warning threshold.
Default: enable
trap enable | disable Enable or disable SNMP trap when memory utilization reaches a critical or warning threshold.
raid-status-casma-raid RAID monitoring thresholds.
email enable | disable Enable or disable email notification when the RAID status reaches a critical or warning
threshold.
log enable | disable Enable or disable logging when the RAID status reaches a critical or warning threshold.
Default: enable
trap enable | disable Enable or disable SNMP trap when the RAID status reaches a critical or warning threshold.

Notes
• There are four possible thresholds that you can set, although no metric has all four:
– high-warning-threshold—If the metric is equal to or exceeds this threshold, the metric goes into a Warning state.
– high-critical-threshold—If the metric is equal to or exceeds this threshold, the metric goes into a Critical state.
– low-warning-threshold—If the metric is less than or equal to this threshold, the metric goes into a Warning state.
– low-critical-threshold—If the metric is less than or equal to this threshold, the metric goes into a Critical state.
Each metric has either high thresholds or low thresholds, not both.
When a threshold is crossed and the metric transitions to a new state (for example, from OK to Warning, or from Warning to
Critical), you can have the system send a notification email, syslog alert, or SNMP trap.
• You must configure SMTP settings to send email notifications, event-log settings to send alerts to a syslog server, and
SNMP trap targets and vacm groups to send SNMP traps.

Examples
# health-monitoring metric memory-util high-warning-threshold 75
# health-monitoring metric memory-util email enable
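The threshold and state-transition rules described in the notes above, modelled in Python as an added example. This is
not ISG code and the appliance's own implementation is not shown on this page; the Metric class, its field names, the
scenario functions and the sample values are assumptions constructed for the example. The comparisons (high thresholds
fire at greater-or-equal, low thresholds at less-or-equal), the rule that a metric has either high or low thresholds,
and the fact that a notification is sent only when the state changes follow the notes. Defaults mirror the table:
logging on, email and trap off unless enabled.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

OK, WARNING, CRITICAL = "OK", "Warning", "Critical"


@dataclass
class Metric:
    """One monitored metric. A metric has either high thresholds or low
    thresholds (never both), as the notes state. Names are assumptions."""
    name: str
    high_warning: Optional[float] = None
    high_critical: Optional[float] = None
    low_warning: Optional[float] = None
    low_critical: Optional[float] = None
    # Alert channels, mirroring the log / email / trap sub-commands.
    # Documented default: log enabled. Email and trap are assumed off.
    log: bool = True
    email: bool = False
    trap: bool = False
    state: str = OK
    notifications: List[Tuple[str, str, str]] = field(default_factory=list)

    def classify(self, value: float) -> str:
        """High thresholds fire at >=, low thresholds at <=.
        Critical is checked before Warning so the more severe state wins."""
        if self.high_critical is not None and value >= self.high_critical:
            return CRITICAL
        if self.high_warning is not None and value >= self.high_warning:
            return WARNING
        if self.low_critical is not None and value <= self.low_critical:
            return CRITICAL
        if self.low_warning is not None and value <= self.low_warning:
            return WARNING
        return OK

    def evaluate(self, value: float) -> str:
        """Classify one sample and queue one notification per enabled channel,
        but only when the state actually changes (OK -> Warning,
        Warning -> Critical, and back down again)."""
        new_state = self.classify(value)
        if new_state != self.state:
            channels = (("log", self.log), ("email", self.email), ("trap", self.trap))
            for channel, enabled in channels:
                if enabled:
                    self.notifications.append((channel, self.state, new_state))
            self.state = new_state
        return new_state


def run_memory_scenario() -> dict:
    """memory-util with the documented defaults (warning 80, critical 90)
    and email notification enabled, fed a constructed sample sequence."""
    mem = Metric("memory-util", high_warning=80, high_critical=90, email=True)
    samples = [14, 82, 85, 93, 70]  # constructed percentages
    states = [mem.evaluate(v) for v in samples]
    return {"states": states, "notifications": mem.notifications}


def run_low_threshold_scenario() -> dict:
    """A low-threshold metric (license-server-communication-status has a
    documented low-warning default of 6) with SNMP traps instead of logging.
    The sample values are constructed, not from a real appliance."""
    lic = Metric("license-server-communication-status",
                 low_warning=6, low_critical=2, log=False, trap=True)
    samples = [7, 6, 2, 7]
    states = [lic.evaluate(v) for v in samples]
    return {"states": states, "notifications": lic.notifications}


if __name__ == "__main__":
    for scenario in (run_memory_scenario, run_low_threshold_scenario):
        result = scenario()
        print(scenario.__name__, result["states"])
        for channel, old, new in result["notifications"]:
            print(f"  {channel}: {old} -> {new}")
```

Running the memory scenario shows that the second sample at 85% produces no second alert: the metric is already in Warning, so nothing is sent until it crosses into Critical, which is why a flapping value close to a threshold is what generates alert noise rather than a value that stays high.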

health-monitoring view
The view command in the health monitoring system is used for showing the event history and metric settings.

Syntax
health-monitoring view ?

current View the current state of all metrics. The output lists each metric,
when the health monitoring system last checked it, the current
state (OK, Warning, Critical) and the current value (for example,
28%).
events [metric <metric_name> | all] [duration <value> d | h | m] Shows the event history for all metrics or for one
metric, for the specified duration. An event is an occasion where the metric exceeded a configured threshold and
changed state (for example, from OK to Warning, Warning to Critical).
• The metric and duration parameters are optional.
• If the metric parameter is omitted, all is assumed.
• If the duration parameter is omitted, 24h is assumed.
• The d, h, or m suffix indicates days, hours, or minutes, respectively.

settings Shows the configured threshold settings and alert type (Log,
Email, SNMP Trap) for each metric.

Examples
# health-monitoring view current
Health Monitoring current state of all metrics:
Last Check | Metric Name | State
-----------------------------+--------------------------------------------------
2017-11-06 23:22:02 | CPU Utilization | OK - 2.63%
-----------------------------+--------------------------------------------------
2017-11-06 23:22:01 | Memory Utilization | OK - 18416/128786MB 14%
-----------------------------+--------------------------------------------------
2017-11-06 23:22:01 | RAID casma_raid Working Members | OK
-----------------------------+--------------------------------------------------

history
Specify how far back in the command history previously-entered commands can be retrieved. For example, with a
history size of 5 , the previous five commands can be retrieved. Each time you press the up arrow, a previously-entered
command is displayed.

Syntax
# history <size>

Notes
When using the up arrow to retrieve previously-entered commands that use passwords, password values are obscured
with asterisks.

images
Lists the application images on the ISG.

Syntax
# images ?

view [<image_id> | sg] Displays either all images, a specific image, or all ProxySG
images.

Example
# images view

Image ID Type Version Release ID In Use
sg-7.2.2.1-253750 SG 7.2.2.1 253750 0
localhost(config-images)# view sg-7.2.2.1-253750
Image ID: sg-7.2.2.1-253750
Type: SG
Version: 7.2.2.1
Release ID: 253750
Build Type: Debug
Build Time: 2020-08-31T08:13:21+0000
Capabilities: gdb_enable
Checksum: 52822953c3ccd3c12124fb887c0a0d343a92e270a26329082366575039178334
Applications: exappname

installed-systems
Manage images installed on the system. Up to six images can be installed on the system. If your system already has six
images installed and you add another image, the oldest unlocked image will be replaced with the new image, unless you
have designated a particular image to be replaced.
CAUTION
Only customers with a valid support contract can upgrade to major releases. If your support contract has
expired, the image installation will fail. Note that you can still upgrade to maintenance releases for the current
version.

Syntax
# installed-systems ?

cancel Cancel the download process of an image that is currently downloading.
default <image#> Specify the image that will be run the next time the system is restarted. Use the installed-systems
view command to identify the image number.
delete <image#> Delete an image from the system. Use the installed-systems view command to identify the image number
to delete. You cannot remove a locked image or the current running image.
load <URL> Download and install an image on the system. <URL> is the path
to an image on a web server that the appliance has access to.
Example: http://webserver.mycompany.com/images/542386.bcs
Image loading will fail if the appliance does not have a license
installed or if your support contract has expired.
lock <image#> Lock an image to protect it from accidental deletion.
replace <image#> Designate which image will be replaced next (if the system already
has six installed images and you load another image). If you do
not specify an image to be replaced, the oldest unlocked image on
the system will be replaced.
unlock <image#> Unlock an image that you no longer want to protect from deletion.
You have to unlock a locked image before you can remove it.
unset-replace Unset image to be replaced next. When a replacement image is
not designated, the oldest image will be replaced when you load a
seventh image.
view Show a list of installed images along with their image numbers,
software versions, release IDs, whether the image is locked
or unlocked, whether it has ever been booted, creation date/
time, and boot date/time. The summary at the bottom of the list
indicates which image number is the current running system, the
default system to run the next time the appliance is restarted, and
the image number that will be replaced next.

Examples
# installed-systems view
1. Version : 1.67.5.3, Release ID : 250229, Locked : true, Booted : true
BuildType : Debug, CreationTime : 2020-04-14T01:08:08+0000, BootTime : 2020-06-22T15:54:43.810+0000
DisplayName : ISG 1.67.5.3, Release ID: 250229
Default system to run on next hardware restart: 1
Current running system: 1
System to replace next: None

ip
Configure the gateway, IPv6 neighbors, ARP table entries, and static routes.

Syntax
(config)# ip ?

arp <IP address> <MAC address> Add a static IPv4 or IPv6 address to the Address Resolution
Protocol (ARP) table, correlating the specified MAC address to the
IP address.
default-gateway <IP_address> Change the IP address of the default gateway.
neighbor <IPv6_address> <MAC_address> Configure static IPv6 neighbor entries (similar to a static ARP entry for IPv4).
The IPv6 address and the hardware MAC address must be provided.
route <IP_address> [/<prefix>] [<subnet_mask>] [device-name <interface>] [metric <value>] Specify the static route. For
deployments where the default gateway does not route traffic to all segments of the network, you can define additional
routes. A typical use for the route table is when the SMTP or DNS servers are located on an internal network.
The route metric is used by routing protocols to determine whether one route should be chosen over another. With all else
being equal, lower metrics are given preference when choosing routes. The specific metric values you assign are arbitrary,
but they should have values relative to routing priority. For example, a route you want to assign high priority could have
a metric value of 5 and a lower priority route could have a metric value of 10 or 20.

Examples
(config)# ip arp 1.1.1.1 01:23:45:67:89:ab
(config)# ip route 10.64.0.0/16 10.63.158.213 device-name 0:0 metric 10
(config)# ip route 2001:db8::/32 2001:0db8:0000:0000:0000:ff00:0042:8329 metric 20
(config)# ip route 10.63.0.0 255.255.0.0 10.63.158.213 metric 30
(config)# ip neighbor 2001:db8::ff00:42:8329 01:23:45:67:89:ac
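Static-route selection as an added example, not part of the original document or the ISG product: it parses the three
route forms used in the examples above (CIDR prefix, address plus subnet mask, optional device-name and metric) and
chooses a route for a destination by longest prefix match, using the metric only to break ties between routes of equal
prefix length, which is the "all else being equal, lower metrics win" rule the description gives. The parse_route and
select_route names, the assumption that a destination written without a /prefix is followed by a subnet mask, the
treatment of a missing metric as 0, and the two extra constructed routes are not from the page.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass
class Route:
    network: Network
    gateway: str
    device: Optional[str] = None
    metric: int = 0  # assumption: a route with no metric keyword is treated as metric 0


def parse_route(args: str) -> Route:
    """Parse the arguments of an 'ip route' command in the forms used above:
    '<dest>/<prefix> <gateway> ...' or '<dest> <mask> <gateway> ...',
    optionally followed by 'device-name <interface>' and 'metric <value>'."""
    tokens = args.split()
    dest = tokens.pop(0)
    if "/" in dest:
        network = ipaddress.ip_network(dest, strict=False)
    else:
        # Assumption: a destination without /prefix is followed by a dotted subnet mask.
        mask = tokens.pop(0)
        network = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
    gateway = str(ipaddress.ip_address(tokens.pop(0)))  # normalises the long IPv6 form
    device: Optional[str] = None
    metric = 0
    while tokens:
        keyword = tokens.pop(0)
        if keyword == "device-name":
            device = tokens.pop(0)
        elif keyword == "metric":
            metric = int(tokens.pop(0))
        else:
            raise ValueError(f"unexpected token {keyword!r}")
    return Route(network, gateway, device, metric)


def select_route(routes: List[Route], destination: str) -> Optional[Route]:
    """Longest prefix match; among routes of equal prefix length the lowest metric wins."""
    addr = ipaddress.ip_address(destination)
    candidates = [r for r in routes
                  if r.network.version == addr.version and addr in r.network]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.network.prefixlen, r.metric))


# The three routes from the examples above plus two constructed ones that
# exercise the tie-breaking rules.
ROUTE_TABLE = [parse_route(a) for a in (
    "10.64.0.0/16 10.63.158.213 device-name 0:0 metric 10",
    "2001:db8::/32 2001:0db8:0000:0000:0000:ff00:0042:8329 metric 20",
    "10.63.0.0 255.255.0.0 10.63.158.213 metric 30",
    "10.64.1.0/24 10.63.158.214 metric 50",   # constructed: more specific, worse metric
    "10.64.0.0/16 10.63.158.215 metric 5",    # constructed: same prefix, better metric
)]


if __name__ == "__main__":
    for dest in ("10.64.1.7", "10.64.9.9", "10.63.4.4", "2001:db8:1::1", "192.0.2.1"):
        route = select_route(ROUTE_TABLE, dest)
        print(dest, "->", "no route" if route is None
              else f"{route.gateway} (metric {route.metric})")
```

The two constructed routes make the point of the metric text concrete: a more specific /24 wins over a /16 even with a worse metric, and the metric only decides between the two /16 entries that cover the same prefix.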

licensing
Configure licensing for applications on the ISG.

Syntax
# licensing ?

delete id <license_id> Deletes a license from the local inventory.
It is possible to delete a license that an application is currently using. Deleting a license in use will prevent the
application from starting. If the application is running when its license is deleted, the application will continue to
run until it is stopped or the ISG is restarted. In such cases, reinstall the license before stopping the application or
restarting the appliance.
edit id <license_id> label <label> Edit the label associated with this license, such as to tag a license
with user-specific information.
inline passphrase <passphrase> Loads a new license that was downloaded from myBroadcom,
where <passphrase> is the passphrase you entered when you
downloaded the license.
load id <license_id> username <username> password <password> Loads the license from the backend of the ISG, where:
• <license_id> is the license ID or serial number of the application
• <username> is your myBroadcom username
• <password> is your myBroadcom password
For licenses that you have already loaded and need to be
updated, you can retrieve updates without providing your
myBroadcom username and password.
view [id <license_id>] View either all license IDs/serial numbers or a specific one installed in the appliance's local
inventory.
view-node-locked View how many applications were created with the node-locked
license and how many are currently using it.
Only running applications (In-Use ) count against the license
limit; created applications that are not running do not count.

Notes
After loading the license, you must restart the application that is using the license.

Examples
# licensing load id 0000990000 username Admin password *******
License update was successful for license id 0000990000
# licensing view-node-locked
Node Locked License ID: 0000990000
Application Type: SG
Model: C2S
Limit: 1
In-Use (0):

login-banner
Configure a banner message to appear before users log in to the appliance. The message will appear before users log in
to the CLI (via serial console and SSH). This feature meets the security technical implementation guideline STIG V-3013.
Messages can contain up to 2,047 characters and can be defined using multi-byte UTF-8 characters.

Syntax
# login-banner ?

disable Disable the login banner message.
enable Enable the login banner message. (You cannot enable the feature until you define the message.)
inline message Define the login banner message. You will be prompted to enter
the message text and press Ctrl-D when finished.
view message | status Show the currently defined message and feature status (enabled
vs. disabled).

Examples
# login-banner inline message
Enter the login banner message below and end it with a Ctrl+D
This is a banner message.
ok
# login-banner enable
# login-banner view message
This is a banner message.
# login-banner view status
Login banner is enabled.

logout
Log out the current user. The management session is ended.

Syntax
# logout

ntp
Update the appliance's clock.

Syntax
# ntp ?

update-now Forces the NTP service to update the appliance's clock.

password-policy
View the current password rules.

Syntax
# password-policy ?

view Show current password rules.

Examples
# password-policy view
min-uppercase: 0
min-groups: 4
prohibit-whitespace: true
min-special: 1
min-digits: 1
min-length: 8
min-lowercase: 0
prohibit-common-words: No dictionary defined
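A checker for the rules that password-policy view displays, as an added example that is not ISG code: it parses the
exact output shown above into a policy dictionary and reports which rules a candidate password violates, so a proposed
administrator password can be tested off-box before it is set. The interpretation of min-groups as the number of
distinct character classes required, the definition of "special" as ASCII punctuation, and the optional word list used
for prohibit-common-words (the page shows no dictionary defined) are assumptions.

```python
import string
from typing import Dict, List, Optional, Set, Union

# Output of 'password-policy view' exactly as shown above.
SAMPLE_VIEW_OUTPUT = """\
min-uppercase: 0
min-groups: 4
prohibit-whitespace: true
min-special: 1
min-digits: 1
min-length: 8
min-lowercase: 0
prohibit-common-words: No dictionary defined
"""

SPECIAL = set(string.punctuation)  # assumption: "special" means ASCII punctuation

Policy = Dict[str, Union[int, bool, str]]


def parse_policy_view(output: str) -> Policy:
    """Turn the 'rule: value' lines into ints, bools, or the raw text."""
    policy: Policy = {}
    for line in output.strip().splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if value.isdigit():
            policy[key] = int(value)
        elif value in ("true", "false"):
            policy[key] = value == "true"
        else:
            policy[key] = value  # e.g. "No dictionary defined"
    return policy


def check_password(pw: str, policy: Policy,
                   common_words: Optional[Set[str]] = None) -> List[str]:
    """Return the names of the rules the password violates (empty means it passes)."""
    upper = sum(c.isupper() for c in pw)
    lower = sum(c.islower() for c in pw)
    digits = sum(c.isdigit() for c in pw)
    special = sum(c in SPECIAL for c in pw)
    # assumption: min-groups counts how many of the four classes are present
    groups = sum(1 for n in (upper, lower, digits, special) if n)
    violations: List[str] = []
    if len(pw) < policy["min-length"]:
        violations.append("min-length")
    if upper < policy["min-uppercase"]:
        violations.append("min-uppercase")
    if lower < policy["min-lowercase"]:
        violations.append("min-lowercase")
    if digits < policy["min-digits"]:
        violations.append("min-digits")
    if special < policy["min-special"]:
        violations.append("min-special")
    if groups < policy["min-groups"]:
        violations.append("min-groups")
    if policy["prohibit-whitespace"] and any(c.isspace() for c in pw):
        violations.append("prohibit-whitespace")
    # Only meaningful when a dictionary exists; the page shows none defined.
    if common_words and pw.lower() in common_words:
        violations.append("prohibit-common-words")
    return violations


POLICY = parse_policy_view(SAMPLE_VIEW_OUTPUT)

if __name__ == "__main__":
    for candidate in ("Tr0ub4dor&3x", "abcdefg1!", "Ab1!", "Abc def1!"):
        print(repr(candidate), check_password(candidate, POLICY) or "ok")
```

Note that min-uppercase and min-lowercase are both 0 in the displayed policy, yet min-groups 4 still forces an upper-case and a lower-case character, because all four classes must be present; the checker reproduces that interaction rather than treating each rule in isolation.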

pcap
Capture packets that are sent to and/or from the appliance. The captured data can be imported into a packet analysis tool
such as Wireshark. This command is available in both the enable and config modes.

Syntax
# pcap ?

start Start capturing packets.
stop Stop capturing packets.
transfer <full_url/filename> <username> <password> Copy captured data to an FTP site. While not necessary, Symantec
recommends that you use pcap stop before using this command.
view View the status of the capture.

Notes
• Before enabling packet capture, you can optionally restrict the packets that are captured by filtering by direction (in or
out) or filtering by interface (for example, just packets sent out of the 1:0 NIC).
• After capture is turned on, the system will create a .dmp file in TCPDump format and start capturing packets into this
file.
• Packets are captured until capturing is disabled with the pcap stop command, or after 30 minutes, whichever comes
first.

Examples
# pcap start
# pcap stop
# pcap transfer ftp://example.com/john_files/test.dmp john.smith ******

ping
Generate pings to test connectivity with another device on the network. If the device answers the pings, a message
displays such as 5 packets transmitted, 5 received, 0% packet loss, time 3007ms . If the appliance
is unable to connect with the other device, the system displays a message such as 5 packets transmitted, 0
received, 100% packet loss, time 13999ms .

Syntax
# ping [ipv4 | ipv6] [source <source_ip_address>] [size <packet_size>] [dont-fragment] [repeat <ping_count>]
<ip_address> | <hostname>

dont-fragment Set the dont-fragment flag on the ping packets.
ipv4 | ipv6 Explicitly force an IPv4 or IPv6 ping.
When an IP version isn't specified, the program will try to
resolve the name given, and choose the appropriate protocol
automatically. If resolving a host name returns both IPv4 and IPv6
addresses, ping will use IPv4.
repeat <ping_count> The number of ping packets to send. The default is 5 .
size <packet_size> The size of the ping packets (in bytes). The default is 100 bytes.
source <source_ip_address> The source IP address to put in the ping packet.
<ip_address> | <hostname> The destination to ping. This is the only required ping parameter.

Examples
# ping repeat 3 size 50 cnn.com
PING cnn.com (198.51.100.122) 50(78) bytes of data.
58 bytes from www.cnn.com (198.51.100.122): icmp_seq=1 ttl=115 time=63.2 ms
58 bytes from www.cnn.com (198.51.100.122): icmp_seq=2 ttl=115 time=62.8 ms
58 bytes from www.cnn.com (198.51.100.122): icmp_seq=3 ttl=115 time=62.9 ms
--- cnn.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2066ms
rtt min/avg/max/mdev = 62.880/63.022/63.268/0.338 ms
# ping 203.0.113.17
PING 203.0.113.17 (203.0.113.17) 100(128) bytes of data.
--- 203.0.113.17 ping statistics ---
5 packets transmitted, 0 received, 100% packet loss, time 13999ms

proxy-settings
View the settings for when the appliance is on a network that is required to be configured with an explicit proxy service.

Syntax
# proxy-settings ?

view View the HTTP proxy config settings.

Examples
# proxy-settings view
enabled:true
host :10.10.12.11
port no:8008
username:becky

restart
Reboots the system and restarts services such as image, licensing, subscription, SNMP, and health monitoring. You will
need to restart the system after upgrading to a new image or changing the running image on the appliance.

Syntax
# restart

restore-defaults
Restore system to factory default settings. This process deletes all data on the appliance.

Syntax
# restore-defaults factory-defaults ?

force The user is not prompted to confirm the action.
halt After the system is restored to factory defaults, the operating system is halted and CPUs are stopped.
shutdown After the system is restored to factory defaults, the operating
system is halted, CPUs are stopped, and the appliance is powered
off.

Examples
# restore-defaults factory-defaults
Restoring box to factory state. This will delete all customer data and shutdown the system. Do you want to
proceed (yes/no): y

send
Send one or all users a message to their terminal. The message will be shown in the CLI session of any logged-in user.

Syntax
# send <user> | all <message>

Notes
The user must be logged on to receive the message.

Examples
# send all "This is an important message."
#
Message from admin@ISG at 2020-07-07 15:09:36...
This is an important message.

show
Display information about the system and settings.

Syntax
# show ?

appliance-identifier Display the unique identifier for the ISG appliance.
applications Display the applications available on the appliance.
authentication Display the security parameters for the appliance.
BLUECOAT-INFO-MIB Display MIB entries for the appliance type, software version, and
appliance serial number.
BLUECOAT-SG-HEALTHMONITOR-MIB Display MIB entries for the appliance health monitor.
cli Display CLI-related settings, such as complete-on-space, idle-
timeout, and history.
clock Display current date and time (local and UTC) and timezone.
cpu [all | extended | debug <interval_in_seconds> | all extended | extended all] Display the average utilization for
the system's processor, where:
• all displays the average utilization of each processing core
available on the system.
• extended displays the average CPU utilization over intervals
of 1, 5, 30, and 60 seconds.
• debug <interval_in_seconds> displays the
verbose average utilization of each processing core available
on the system over the specified interval of seconds.
– us —user
– sy —system
– ni —nice
– id —idle
– wa —IO-wait
– hi —hardware interrupt
– si —software interrupt
– st —stolen time
• all extended | extended all displays average
CPU utilization trends over 1, 5, 30, and 60 second intervals
for each processing core available on the system.

hardware-configuration Display system hardware configuration information, such as serial number, memory, CPUs, cores,
storage, NICs.
health-monitoring Display health-monitoring settings.
history Display a list of previously-entered CLI commands.
HOST-RESOURCE-MIB Display MIB entries for the host resource.
IF-MIB Display MIB entries for externally visible network interfaces.
jobs Display the list of jobs currently running in the background.
licenses Displays the list of currently installed license files.
login-banner message | status Show the currently defined login banner message and feature
status (enabled vs. disabled).
notification Display notifications.
parser dump [<command_prefix>] Display all possible commands. When a command prefix is
provided, the command only displays possible commands for that
prefix. For example, parser dump health-monitoring
displays all possible commands for health-monitoring .
password-policy-configuration Display current settings for password policy, such as minimum
password length.
pcap Displays packet capture information.
raid Display RAID configuration information.
restconf-state Display statistics about RESTCONF.
running-config Display current configuration.
SNMP-FRAMEWORK-MIB Display MIB entries for the SNMP framework.
SNMP-MPD-MIB Display MIB entries for the SNMP MPD.
SNMP-TARGET-MIB Display MIB entries for the SNMP target.
SNMP-USER-BASED-MIB Display MIB entries for the user-based SM.
SNMPv2-MIB Display MIB entries for SNMPv2.
ssh-console Displays the configuration of the SSH console.
ssl ca-certificate | certificate | keypair | Display certificate details.
keyring | signing-request
timezone List supported timezones.
version List the software version and release ID, appliance serial number,
and the MAC address.

Examples
# show clock
UTC time : 2020-06-15 21:10:52+00:00 UTC
Local time : 2020-06-15 21:10:52+00:00 UTC
Timezone : UTC

shutdown
Shuts down the operating system, stops all CPUs, and sends a signal to the power supply unit to disconnect the main
power. With this command (as compared to the halt command), you don’t have to press the power switch to power down
the appliance. This command is used to prepare physical appliances for transport.

Syntax
# shutdown

smtp
Configure destination addresses and view settings for Simple Mail Transfer Protocol (SMTP) settings.

Syntax
# smtp ?

destination-addresses add <email_address> | clear | delete <email_address> Add email addresses to which the appliance
sends alerts and other messages. You can configure multiple email addresses, but they must be added one at a time. The
delete parameter removes a specific email address; the clear parameter deletes all configured destination email
addresses.
view Show SMTP settings that are currently configured.

Examples
# smtp destination-addresses add tom.jones@example.com
# smtp view
smtp
gateway 203.0.113.17
from-address mary.johnson@test.com
destination-addresses
destination tom.jones@example.com

snmp
Regenerate or view the engine ID for the Simple Network Management Protocol (SNMP) agent.

Syntax
# snmp ?

agent engine-id regenerate | view Regenerate the engine ID for the Simple Network Management Protocol (SNMP) agent by
setting it to its default value, or view the current engine ID.

ssh-console
Configure the SSH console, including cipher suites, HMACs, key-exchange algorithms, and keys.

Syntax
# ssh-console ?

ciphers add <cipher> | demote <cipher> | promote <cipher> | remove <cipher> | reset | set <cipher_list> | view Configure
the ciphers used by the appliance:
• add —Add a new cipher suite to the current list
• demote —Demote a cipher suite within the list of ciphers
• promote —Promote a cipher suite within the list of ciphers
• reset —Reset the list of cipher suites to the default list
• set —Set the list of cipher suites in the specified order, where <cipher_list> is a comma-separated list
• view —View the list of cipher suites currently accepted by the appliance

delete <key_name> Delete the specified user key.
generate host-keypair Regenerate the keypair for the host. After entering the command, you will be prompted to type y or n
to confirm regeneration.
hmacs add <HMAC> | demote <HMAC> | promote <HMAC> | remove <HMAC> | reset | set <HMAC_list> | view Configure the HMACs
used by the appliance:
• add —Add an HMAC to the list
• demote —Demote an HMAC within the list
• promote —Promote an HMAC within the list
• remove —Remove an HMAC from the list
• reset —Reset the list of HMACs to the default list
• set —Set the list of HMACs to be used by the appliance in the specified order, where <HMAC_list> is a comma-separated
list
• view —View the list of HMACs currently accepted by the appliance

inline <key_name> Import the specified user key.
key-exchange-algorithms add <algorithm> | demote <algorithm> | promote <algorithm> | remove <algorithm> | reset | set
<algorithm_list> | view Configure the key-exchange algorithms used by the appliance:
• add —Add a key-exchange algorithm to the list of algorithms
• demote —Demote a key-exchange algorithm within the list of algorithms
• promote —Promote a key-exchange algorithm within the list of algorithms
• remove —Remove a key-exchange algorithm from the list of algorithms
• reset —Reset the list of key-exchange algorithms to the default list
• set —Set the list of key-exchange algorithms to be used by the appliance in the specified order, where
<algorithm_list> is a comma-separated list
• view —View the list of key-exchange algorithms currently accepted by the appliance

public-key-authentication enable | disable Enable or disable public-key authentication on the appliance.
view [ciphers | client-keys | defaults | hmacs | host-public-key | key-exchange-algorithms] View the SSH console
configuration.

Examples
# ssh-console ciphers add 3des-cbc
ok

ssl
Configure Secure Socket Layer (SSL) settings. This command is available in both the enable and config modes.

Syntax
# ssl ?

create ccl | certificate | crl | keyring | signing-request | ssl-context Create SSL objects.
delete ca-certificate | ccl | certificate | crl | keyring | signing-request | ssl-context Delete SSL objects.
edit ccl | crl | ssl-context Edit the appliance's current SSL settings.
inline ca-certificate | certificate | crl | keyring | signing-request Import SSL keyrings, CA certificate lists, signing
requests, and certificates.
regenerate certificate <keyring-id> subject <subject> [alternatives-names] [force] Regenerate an existing CA certificate
and provide new subject and alternative name data. force is optional, and will overwrite an existing certificate without
confirmation.
trust-package [auto-update | download-now | update-interval | url] Manage the list of trusted CA certificates provided by
Symantec, how frequently to update it, and from where.
view [ca-certificate | ccl | certificate | keypair | keyring | signing-request | ssl-context] View available SSL objects.

Examples
Add a certificate from a Certificate Authority; the certificate name in this example is ca1.
# ssl inline ca-certificate ca1 content
Enter the certificate below and end it with a Ctrl-D
-----BEGIN CERTIFICATE-----
MIIEDTCCAvWgAwIBAgIJAIk7y/gggzO8MA0GCSqGSIb3DQEBBQUAMIGcMQswCQYD
VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTESMBAGA1UEBwwJU3Vubnl2YWxl
MRIwEAYDVQQKDAlCbHVlIENvYXQxFDASBgNVBAsMC0RldmVsb3BtZW50MRQwEgYD
VQQDDAtjYS5ibHVlY29hdDEkMCIGCSqGSIb3DQEJARYVZXJpYy5jaGlAYmx1ZWNv
YXQuY29tMB4XDTE1MDExMzAxMzI0MFoXDTI1MDExMDAxMzI0MFowgZwxCzAJBgNV
BAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRIwEAYDVQQHDAlTdW5ueXZhbGUx
EjAQBgNVBAoMCUJsdWUgQ29hdDEUMBIGA1UECwwLRGV2ZWxvcG1lbnQxFDASBgNV
BAMMC2NhLmJsdWVjb2F0MSQwIgYJKoZIhvcNAQkBFhVlcmljLmNoaUBibHVlY29h
dC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCysxBQYApdEvNc
Nv6e7ELUtYRvnixueKceQM1y28Lj17lMPng6Dghs3ZKF/VPXw+lEsc+LG11a75d9
WziSsv7u4nKjt2Y2nPC4jE8jzgI7Fej26B6//bePh91v/+bJRwNSYR9z6wNa0cQt
prx8e6SvUbq7MkuE6vC9paqBqz4TQL0vyVHaWZXxodRLJaKGsZmq1yn1ogxjBT9+
Mj3HdmzVVRPQ5jNNjV6oKppGOrqpFkzOwcjpKWufOgk850kjsB2mOBE4QDHbJhtg
UtLMSGLaj2hmb58v6JdDROn4T3piZEDzAPl/4N9aOfbliF2nrdRNi2n5d8Q2JaXH
hXPGBGrVAgMBAAGjUDBOMB0GA1UdDgQWBBTCph9yrG16afTN6vaZJDTT2iv6xDAf
BgNVHSMEGDAWgBTCph9yrG16afTN6vaZJDTT2iv6xDAMBgNVHRMEBTADAQH/MA0G
CSqGSIb3DQEBBQUAA4IBAQCmI+pLumWXIAiznvq+zU/3/PTHwzcVcwJdK+ngWbHa
-----END CERTIFICATE-----
<Ctrl-D>
CA certificate ca1 is added successfully.

To view the certificate details for the ca1 certificate:
# ssl view ca-certificate ca1
Issuer: /C=US/ST=California/L=Sunnyvale/O=Blue Coat/OU=Development/CN=ca.bluecoat/
emailAddress=eric.chi@bluecoat.com
Subject: /C=US/ST=California/L=Sunnyvale/O=Blue Coat/OU=Development/CN=ca.bluecoat/
emailAddress=eric.chi@bluecoat.com
Valid From: Jan 13 01:32:40 2015 GMT
Valid Until: Jan 10 01:32:40 2025 GMT
Fingerprint: DB:AF:B1:82:EF:0C:9F:AD:84:F7:D8:35:0A:AA:0B:5D:93:DA:77:A5
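A parser for the ssl view ca-certificate output, as an added example that is not ISG code: it reads the field layout
shown above (Issuer, Subject, Valid From, Valid Until, Fingerprint), including the line wrap inside the distinguished
names, and reports whether the CA certificate is expired or inside a warning window at a given reference time. The
function names, the 30-day warning window, and the reference dates passed in are assumptions; the sample output is the
text shown on this page. Checking Issuer against Subject also shows that ca1 is a self-signed root, which is the kind
of certificate a CA certificate list is normally expected to hold.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict

# Output of 'ssl view ca-certificate ca1' exactly as shown above, including
# the line wrap after the trailing '/' of the Issuer and Subject fields.
SAMPLE_VIEW_OUTPUT = """\
Issuer: /C=US/ST=California/L=Sunnyvale/O=Blue Coat/OU=Development/CN=ca.bluecoat/
emailAddress=eric.chi@bluecoat.com
Subject: /C=US/ST=California/L=Sunnyvale/O=Blue Coat/OU=Development/CN=ca.bluecoat/
emailAddress=eric.chi@bluecoat.com
Valid From: Jan 13 01:32:40 2015 GMT
Valid Until: Jan 10 01:32:40 2025 GMT
Fingerprint: DB:AF:B1:82:EF:0C:9F:AD:84:F7:D8:35:0A:AA:0B:5D:93:DA:77:A5
"""

DATE_FMT = "%b %d %H:%M:%S %Y GMT"  # the date form used in the output


def parse_ca_view(output: str) -> Dict[str, object]:
    """Collect 'Field: value' lines; a line without ': ' continues the
    previous field (the wrapped DN). Validity dates become aware datetimes."""
    fields: Dict[str, str] = {}
    last_key = None
    for line in output.splitlines():
        if ": " in line:
            key, _, value = line.partition(": ")
            fields[key] = value.strip()
            last_key = key
        elif last_key is not None and line.strip():
            fields[last_key] += line.strip()
    parsed: Dict[str, object] = dict(fields)
    for key in ("Valid From", "Valid Until"):
        parsed[key] = datetime.strptime(fields[key], DATE_FMT).replace(tzinfo=timezone.utc)
    return parsed


def parse_dn(dn: str) -> Dict[str, str]:
    """Split '/C=US/ST=.../CN=...' into attribute -> value."""
    return dict(part.split("=", 1) for part in dn.strip("/").split("/") if "=" in part)


def is_self_signed(info: Dict[str, object]) -> bool:
    """A self-signed (root) certificate has identical Issuer and Subject."""
    return info["Issuer"] == info["Subject"]


def assess(info: Dict[str, object], now: datetime, warn_days: int = 30) -> str:
    """Classify validity at the reference time 'now' (must be timezone-aware)."""
    if now < info["Valid From"]:
        return "not-yet-valid"
    if now >= info["Valid Until"]:
        return "expired"
    if info["Valid Until"] - now <= timedelta(days=warn_days):
        return "expiring"
    return "valid"


if __name__ == "__main__":
    info = parse_ca_view(SAMPLE_VIEW_OUTPUT)
    print("CN:", parse_dn(info["Subject"])["CN"], "self-signed:", is_self_signed(info))
    for when in (datetime(2020, 6, 1, tzinfo=timezone.utc),
                 datetime(2024, 12, 20, tzinfo=timezone.utc),
                 datetime(2025, 2, 1, tzinfo=timezone.utc)):
        print(when.date(), assess(info, when))
```

The same routine can be run over the output for every name returned by ssl view ca-certificate to find CA entries that have silently expired, which is the usual cause of TLS trust failures after an appliance has been in service for years.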

ssl create
Create SSL keyrings, CA Certificate Lists (CCLs), signing requests, self-signed certificates, and ssl-contexts.

Syntax
# ssl create ?

ccl Create a CA Certificate List (CCL).
certificate <keyring_id> Create a self-signed certificate associated with the specified
keyring. You will be prompted to define values for each of the
certificate fields (country, state, and so forth).
crl <CRL_name> path <URL> Create a Certificate Revocation List (CRL).
keyring <key_ring_id> algorithm rsa length <key_length> showable [yes | no] Create a keyring. Keyrings are containers for
SSL certificates and their associated public and private keys on the appliance, and can be used to manage self-signed or
CA-signed certificates. For RSA keys, key length values are 2048, 3072, 4096. Default = 2048.
signing-request <keyring_id> Create a request for a signed certificate associated with the
specified keyring. You will be prompted to define values for each
of the certificate fields (country, state, etc).
ssl-context <context_id> ccl <CCL_name> cipher-suites <cipher_list> keyring <keyring_name> protocols <protocols_list>
Create SSL context configuration.

Examples
# ssl create keyring sslkey algorithm rsa length 3072 showable no
# ssl create signing-request sslkey
Value for '' (<Country Code>): US
Value for '' (<State or Province Name (full name)>): CA
Value for '' (<Locality Name (eg city)>): Mountain View
Value for '' (<Organization Name (eg company)>): Symantec
Value for '' (<Organizational Unit Name (eg section)>): Marketing
Value for '' (<Common Name (eg server FQDN or YOUR name)>): symantec.com
Value for '' (<Email address>): jsmith@test.com

ssl delete
Delete SSL certificates, lists, keyrings, and signing-requests.

Syntax
# ssl delete ?

ca-certificate <certificate_name>
    Delete CA certificate.
ccl <CCL_name>
    Delete a CA Certificate List (CCL).
certificate <keyring_id>
    Delete the certificate that's in the specified keyring.
crl <CRL_name>
    Delete a Certificate Revocation List (CRL).
keyring <keyring_id>
    Delete the specified keyring.
signing-request <keyring_id>
    Delete the certificate request for the specified keyring.
ssl-context <context_id>
    Delete the specified SSL context.

Examples
# ssl delete signing-request sslkey

ssl edit
Edit CA certificate lists (CCLs), Certificate Revocation Lists (CRLs), or SSL contexts.

Syntax
# ssl edit ccl <ccl_name> <action>

add
    Add a certificate by name to the selected CA certificate list.
remove
    Remove a certificate from the selected CA certificate list.
reset
    Empty the selected CA certificate list.
set
    Set the contents of the selected CA certificate list.
view
    View the certificates in the selected CA certificate list.

Syntax
# ssl edit crl <crl_name> <action>

add
    Add a certificate by name to the selected CRL.
remove
    Remove a certificate from the selected CRL.
reset
    Empty the certificate list for this CRL.
set
    Set the CRL.
view
    View the certificates in the selected CRL.

Syntax
# ssl edit ssl-context <context_id> <action>

ccl
    Set the CCL for the SSL context.
cipher-suites
    SSL context cipher suite configuration.
keyring
    Set the keyring for the SSL context.
protocols
    Set SSL context protocols.
view
    View the SSL context configuration.

Examples
# ssl edit ccl browser-trusted add esignit.org
ok
# ssl edit ccl browser-trusted view
Name: browser-trusted
FIPS compliant: no
Certificates:
1st_Data_Digital
A-Trust-Qual-02
A-Trust-Root-05
A-Trust-nQual-03
AC1_Raiz_Mtin
ACA_ROOT
ACCV_ACCVRAIZ1
ACEDICOM_Root
..

ssl inline
Import SSL keyrings, signing requests, and certificates.

Syntax
# ssl inline ?

ca-certificate <certificate_name> content
    Import a Certificate Authority (CA) certificate from terminal input by pasting the certificate content.
certificate <keyring_id>
    Import a certificate into the specified keyring by pasting the certificate content.
crl <crl_name>
    Import a Certificate Revocation List (CRL) from terminal input by pasting the certificate content.
keyring <keyring_id>
    Install a keyring. Keyrings are containers for SSL certificates on the appliance, and can be used to manage
    self-signed or CA-signed certificates. You will be prompted to paste the keyring content.
signing-request <keyring_id>
    Install a request for a signed certificate associated with the specified keyring. You will be prompted to paste
    the signing request content.

Examples
Add a certificate from a Certificate Authority; the certificate name in this example is ca1.

# ssl inline ca-certificate ca1 content
Enter the certificate below and end it with a Ctrl-D
-----BEGIN CERTIFICATE-----
MIIEDTCCAvWgAwIBAgIJAIk7y/gggzO8MA0GCSqGSIb3DQEBBQUAMIGcMQswCQYD
-----END CERTIFICATE-----
<Ctrl-D>
CA certificate ca1 is added successfully.

To view the certificate details for the ca1 certificate:

# ssl view ca-certificate ca1
Issuer: /C=US/ST=California/L=Sunnyvale/O=Blue Coat/OU=Development/CN=ca.bluecoat/
emailAddress=eric.chi@bluecoat.com
Subject: /C=US/ST=California/L=Sunnyvale/O=Blue Coat/OU=Development/CN=ca.bluecoat/
emailAddress=eric.chi@bluecoat.com
Valid From: Jan 13 01:32:40 2015 GMT
Valid Until: Jan 10 01:32:40 2025 GMT
Fingerprint: DB:AF:B1:82:EF:0C:9F:AD:84:F7:D8:35:0A:AA:0B:5D:93:DA:77:A5

ssl view
View certificate and keyring details and signing request confirmations.

Syntax
# ssl view ?

ca-certificate <certificate_name> [verbose]
    Show CA certificate and content.
ccl <ca_certificate_list_name>
    View the details for a specific CA Certificate List.
certificate <keyring_id>
    Show the certificate that's in the specified keyring.
crl <CRL_name>
    Show CRL content.
keypair <keyring_id>
    Show the RSA private key for the specified keyring. If the keyring was created with the "showable no" option, the
    key will not be displayed.
keyring <keyring_id>
    Show details about the specified keyring, including its certificate and any signing requests.
signing-request <keyring_id>
    View certificate request for the specified keyring.
ssl-context <context_id>
    View SSL context configuration.

Examples
To view the certificate details for the ca1 certificate:
# ssl view ca-certificate ca1
Issuer: /C=US/ST=California/L=Sunnyvale/O=Blue Coat/OU=Development/CN=ca.bluecoat/
emailAddress=eric.chi@bluecoat.com
Subject: /C=US/ST=California/L=Sunnyvale/O=Blue Coat/OU=Development/CN=ca.bluecoat/
emailAddress=eric.chi@bluecoat.com
Valid From: Jan 13 01:32:40 2015 GMT
Valid Until: Jan 10 01:32:40 2025 GMT
Fingerprint: DB:AF:B1:82:EF:0C:9F:AD:84:F7:D8:35:0A:AA:0B:5D:93:DA:77:A5

To show information about a keyring, in this case called sslkey:

# ssl view keyring sslkey
Keyring ID: sslkey
Private key showability: no-show
Signing request: absent
Certificate: present
Certificate subject: /C=us/ST=ca/L=pa/O=symantec/OU=marketing/CN=symantec.com/emailAddress=test@test.com
Certificate issuer: /C=us/ST=ca/L=pa/O=symantec/OU=marketing/CN=symantec.com/emailAddress=test@test.com
Certificate valid from: Jul 21 05:17:51 2017 GMT
Certificate valid to: Jul 21 05:17:51 2017 GMT
Certificate thumbprint: D7:3A:40:69:1A:D1:C2:77:95:B0:0F:DB:97:55:DE:02:BB:A9:54:00

To view the CA certificates contained in the CA certificate list, bluecoat-licensing:

# ssl view ccl bluecoat-licensing
Name: bluecoat-licensing
FIPS compliant: no
Certificates: BC_Engineering_CA

To view the default SSL context:

# ssl view ssl-context default
Name: default
Keyring: default
CCL: browser-trusted
Protocols: tlsv1.2 tlsv1.1 tlsv1
Cipher suites: ecdhe-rsa-aes256-sha dhe-rsa-aes256-sha aes256-sha256 aes256-sha ecdhe-rsa-aes128-gcm-sha256
ecdhe-rsa-aes128-sha256 ecdhe-rsa-aes128-sha dhe-rsa-aes128-sha aes128-sha256 aes128-sha
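The default context shown above still offers tlsv1 and tlsv1.1 and a number of suites that either lack forward secrecy or use SHA-1 HMACs in CBC mode. The following script is an added example, not ISG code: it parses the output of ssl view ssl-context and reports which protocols and suites a reviewer would remove with ssl edit ssl-context <context_id> protocols and cipher-suites. The classification rules (ecdhe-/dhe- prefix for forward secrecy, gcm/ccm/chacha20 for AEAD, a trailing -sha for SHA-1) are assumptions about the OpenSSL-style names the appliance prints.

```python
"""Audit 'ssl view ssl-context' output for legacy protocols and weak cipher suites.
Added example for this page, not ISG code. Suite classification is based on
OpenSSL-style suite names as printed by the appliance (an assumption)."""
import re

# Constructed input: the 'ssl view ssl-context default' listing shown on this page.
SAMPLE_OUTPUT = """\
Name: default
Keyring: default
CCL: browser-trusted
Protocols: tlsv1.2 tlsv1.1 tlsv1
Cipher suites: ecdhe-rsa-aes256-sha dhe-rsa-aes256-sha aes256-sha256 aes256-sha ecdhe-rsa-aes128-gcm-sha256
ecdhe-rsa-aes128-sha256 ecdhe-rsa-aes128-sha dhe-rsa-aes128-sha aes128-sha256 aes128-sha
"""

LEGACY_PROTOCOLS = {"sslv2", "sslv3", "tlsv1", "tlsv1.1"}
KEY_LINE = re.compile(r"^([A-Za-z][A-Za-z ]*):\s*(.*)$")


def parse_ssl_context(text):
    """Return the listing as a dict. A value may wrap onto following lines that
    carry no 'Key:' prefix (the cipher suite list does), so append those."""
    ctx, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = KEY_LINE.match(line)
        if m:
            current = m.group(1)
            ctx[current] = m.group(2).strip()
        elif current is not None:
            ctx[current] += " " + line.strip()
    ctx["Protocols"] = ctx.get("Protocols", "").split()
    ctx["Cipher suites"] = ctx.get("Cipher suites", "").split()
    return ctx


def classify_cipher(name):
    """Properties a reviewer cares about, derived from the suite name."""
    return {
        "forward_secrecy": name.startswith(("ecdhe-", "dhe-")),
        "aead": any(tag in name for tag in ("gcm", "ccm", "chacha20")),
        "sha1_mac": name.endswith("-sha"),
    }


def audit_ssl_context(text):
    """Split the context into what to keep and what to drop, with reasons."""
    ctx = parse_ssl_context(text)
    legacy = [p for p in ctx["Protocols"] if p in LEGACY_PROTOCOLS]
    strong, weak = [], []
    for suite in ctx["Cipher suites"]:
        props = classify_cipher(suite)
        if props["forward_secrecy"] and props["aead"]:
            strong.append(suite)
            continue
        reasons = []
        if not props["forward_secrecy"]:
            reasons.append("no forward secrecy")
        if props["sha1_mac"]:
            reasons.append("SHA-1 HMAC")
        if not props["aead"]:
            reasons.append("CBC mode, no AEAD")
        weak.append((suite, ", ".join(reasons)))
    return {
        "name": ctx.get("Name"),
        "legacy_protocols": legacy,
        "weak_suites": weak,
        "strong_suites": strong,
    }


if __name__ == "__main__":
    report = audit_ssl_context(SAMPLE_OUTPUT)
    print(f"SSL context {report['name']}:")
    print("  legacy protocols to remove:", " ".join(report["legacy_protocols"]) or "none")
    for suite, why in report["weak_suites"]:
        print(f"  drop {suite}: {why}")
    print("  keep:", " ".join(report["strong_suites"]) or "none")
```

Run against the listing above it keeps only ecdhe-rsa-aes128-gcm-sha256 and flags tlsv1.1 and tlsv1; paste the output of your own ssl view ssl-context into SAMPLE_OUTPUT to audit a different context.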

traceroute
Determines the path that an IP packet takes to travel from the appliance to a destination host.

Syntax
# traceroute ipv4 | ipv6 source <source_ip_address> size <packet_size> timeout <seconds> probe-count
<number_of_times_to_probe> min-ttl <minimum_ttl_value> max-ttl <maximum_ttl_value> dont-fragment <ip_address> | <hostname>

dont-fragment
    Set the dont-fragment flag on the probe packets.
ipv4 | ipv6
    Explicitly force an IPv4 or IPv6 traceroute. When an IP version isn't specified, the program will try to resolve
    the name given, and choose the appropriate protocol automatically. If resolving a host name returns both IPv4 and
    IPv6 addresses, traceroute will use IPv4.
max-ttl <maximum_ttl_value>
    The largest time to live (TTL) value that can be used (default=30).
min-ttl <minimum_ttl_value>
    TTL value for the first probes (default=1).
probe-count <number_of_times_to_probe>
    The number of probes to be sent at each TTL level (default=3).
size <packet_size>
    Size of the traceroute packets, in bytes (default=100 bytes).
source <source_ip_address>
    The source IP address to put in the traceroute packets.
timeout <seconds>
    Number of seconds to wait for a response to a probe packet (default=3).
<ip_address> | <hostname>
    The destination to trace the route of. This is the only required traceroute parameter. The IP address can be IPv4
    or IPv6.

Examples
# traceroute size 50 timeout 4 cnn.com
1: 10.131.16.1 (10.131.16.1) 4.486ms
2: 172.16.131.66 (172.16.131.66) 0.486ms
3: 199.91.135.130 (199.91.135.130) 7.546ms asymm 4
4: 70.102.68.162 (70.102.68.162) 2.057ms
5: be1.br02.plalca01.integra.net (209.63.100.118) 20.784ms asymm 8
6: te-3-3.car2.SanJose2.Level3.net (4.59.4.29) 20.381ms asymm 7
7: no reply
8: no reply

upload
Upload the third-party attributions zip file to an FTP site.

Syntax
# upload ATTRIBUTIONS <full_url/filename> <username> <password>

Notes
ATTRIBUTIONS must be in uppercase.

Examples
# upload ATTRIBUTIONS ftp://exampleftp.com/attributions.zip mary ******

Configure Mode Commands


This mode offers commands that change the configuration of the ISG.

To enter configure mode, type configure at the enable prompt (#). The prompt will change to (config)#. To see a list
of commands available in configure mode, type help or ? at the (config)# prompt.
The following commands are available in configure mode.

acl
Create firewall rules—access control lists—for accessing services on the appliance.

Syntax
(config)# acl ?

disable
    Disable the user-defined access control list. This command is useful when locked out of the interface with a
    misconfigured access list.
enable
    Enable the user-defined access control list.
rule <source IP> <service>
    Define the IP addresses (individual, range, or subnet) that are allowed to access an appliance service (such as
    Management or SNMP).

Notes
• The sub-commands listed above can either be entered in acl configuration mode (at the config-acl prompt) or in
configuration mode (at the config prompt).
• To remove a rule, enter no rule followed by the rule definition.
• Up to 1000 ACL rules can be entered in the access control list.
• The access control list only applies to incoming connections. Connections originating from the appliance are not
subject to the access control list.
• Changes take effect immediately after a new rule is added or removed. It's not necessary to reboot.
• Existing connections that are allowed under an access control list are not affected when the rule is removed.
• The access list is not interface specific; the list applies to all interfaces.

Examples
(config)# acl
(config-acl)# rule 10.167.9.0/24 Management
(config-acl)# rule 10.167.9.129 255.255.255.0 SNMP
(config-acl)# no rule 10.167.9.0/24 Management
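To see how rules like the ones in this session are evaluated against an incoming connection, here is an added example (not ISG code) that models the documented behaviour: a per-service allow-list that accepts a single address, a CIDR subnet or an address plus netmask, the 1000-rule limit, and removal with no rule. Two points the page leaves unstated are treated as assumptions and marked in the code: with the list enabled, a connection that matches no rule is denied, and a disabled list imposes no restriction.

```python
"""Evaluate ISG-style 'acl rule <source IP> <service>' entries against incoming
connections. Added example for this page, not ISG code. Assumptions: with the
list enabled, anything not matched by a rule is denied; a disabled list (the
lock-out escape hatch) imposes no restriction."""
import ipaddress

MAX_RULES = 1000  # from the page: up to 1000 ACL rules


class ServiceAcl:
    def __init__(self):
        self.enabled = False
        self.rules = []  # (ip_network, service) in the order entered

    @staticmethod
    def _parse_source(tokens):
        """Source forms used on the page: a single address, a CIDR subnet, or
        'address netmask' (10.167.9.129 255.255.255.0 means 10.167.9.0/24)."""
        if len(tokens) == 2:
            return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False)
        if len(tokens) == 1:
            return ipaddress.ip_network(tokens[0], strict=False)
        raise ValueError(f"unrecognised source specification: {' '.join(tokens)}")

    def enable(self):
        self.enabled = True

    def disable(self):
        """Equivalent of 'acl disable': recovery when a bad rule locks you out."""
        self.enabled = False

    def rule(self, *args):
        """rule <source IP> <service>: everything before the last token is the source."""
        *source, service = args
        if len(self.rules) >= MAX_RULES:
            raise ValueError("access control list is full")
        self.rules.append((self._parse_source(source), service))

    def no_rule(self, *args):
        """no rule <source IP> <service>: remove a rule by its definition; returns how many matched."""
        *source, service = args
        target = (self._parse_source(source), service)
        before = len(self.rules)
        self.rules = [r for r in self.rules if r != target]
        return before - len(self.rules)

    def is_allowed(self, client_ip, service):
        """Decision for an incoming connection to an appliance service."""
        if not self.enabled:
            return True  # assumption: disabled list means no restriction
        client = ipaddress.ip_address(client_ip)
        return any(client in net and svc == service for net, svc in self.rules)


def demo():
    """Replay the page's example session and return the decisions."""
    acl = ServiceAcl()
    acl.rule("10.167.9.0/24", "Management")
    acl.rule("10.167.9.129", "255.255.255.0", "SNMP")
    acl.enable()
    decisions = {
        "mgmt from 10.167.9.5": acl.is_allowed("10.167.9.5", "Management"),
        "snmp from 10.167.9.200": acl.is_allowed("10.167.9.200", "SNMP"),
        "mgmt from 10.167.10.5": acl.is_allowed("10.167.10.5", "Management"),
        "snmp from 198.51.100.9": acl.is_allowed("198.51.100.9", "SNMP"),
    }
    acl.no_rule("10.167.9.0/24", "Management")
    decisions["mgmt from 10.167.9.5 after no rule"] = acl.is_allowed("10.167.9.5", "Management")
    return decisions


if __name__ == "__main__":
    for what, allowed in demo().items():
        print(f"{what}: {'allow' if allowed else 'deny'}")
```

Note that the netmask form is normalised to its network (10.167.9.129 255.255.255.0 becomes 10.167.9.0/24), which is why a later no rule 10.167.9.0/24 SNMP removes it; check the appliance's own view of the rule before relying on that equivalence.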

appliance-name
Set the name for the system.

Syntax
(config)# appliance-name <appliance_name>

Examples
(config)# appliance-name ISG1
ISG1(config)#

applications
Used to manage the applications running on ISG.

Syntax
(config)# applications
(config-applications)# ?

attach-console
    Attaches a terminal console to an application. See applications attach-console.
create
    Creates an application. See applications create.
delete
    Deletes an application. See applications delete.
edit
    Edit the configuration for an existing application. See applications edit.
start
    Starts an application. See applications start.
stop
    Stops an application. See applications stop.
view
    Displays all applications that have been created on the ISG. See applications view.

applications attach-console
Attaches a terminal console to an application.

Syntax

(config-applications)# attach-console application_name [force]

where:
• force is used to recover the serial console.

Example
(config-applications)# attach-console proxysg1
ok

applications create
Creates an application on the ISG.

Syntax
(config-applications)# create ?

sg sg_name model model_type license-id license_id image-id image_id
    Creates a ProxySG application where:
    • sg_name is the name of the ProxySG application
    • model_type is the model type you purchased for the application; see the ISG Administration & Deployment Guide
      for a full list of available model types
    • license_id is the license ID or serial number of the application
    • image_id is the ID of the application image that you want to use to create the application.

Example
create sg proxysg1 model C4L license-id 0123456789 image-id sg-7.2.2.1-253750
ok

applications delete
Deletes an application.

Syntax
(config-applications)# delete app_name

Example
(config-applications)# delete proxysg1
ok

applications edit
Edit the configuration for an existing application.

Syntax
(config-applications)# edit ?

app_name model model_type | image-id image_id
    Where:
    • app_name is the name of the application you want to edit
    • model_type is the model type you want to assign to the application; see the ISG Administration & Deployment
      Guide for a full list of available model types
    • image_id is the application image you want the application to use.

Notes
The application must have the status Created or Stopped to be edited. To view the status of your applications, see
applications view.

Example
The following is an example of how to change the model type for a ProxySG application.
(config-applications)# edit proxysg1 model C2M
ok

applications start
Starts an application.

Syntax
(config-applications)# start app_name

Example
(config-applications)# start proxysg1
ok

applications stop
Stops an application.

Syntax
(config-applications)# stop app_name

Example
(config-applications)# stop proxysg1
ok

applications view
Displays information on the ProxySG application.

Syntax
(config-applications)# view ?

sg_name The name of the ProxySG application.

Notes
The ProxySG applications can have the following statuses:
• Created—The application was created.
• Starting—The application is starting.
• Running—The application has successfully started.
• Failed—The application did not successfully start.
• Stopped—The application was stopped.

Example
The following is an example of viewing a specific ProxySG application.

(config-applications)# view proxysg1
NAME VCPU MEMORY MODEL STATUS
proxysg1 2 12 GB C2S Starting

The following is an example of viewing all applications.

(config-applications)# view
NAME VCPU MEMORY MODEL STATUS
proxysg1 2 12 GB C2S Running
proxysg2 2 12 GB C8S Created

authentication
Define authentication realms, local users, and security settings.

Syntax
(config)# authentication ?

admin-realm
    Select the admin realm name. Users must be part of the admin-realm to be authenticated for SSH or UI access.
create local-user-list <name> | realm name <name>
    Create a new local user list, user name, or realm.
delete local-user-list <name> | realm name <name>
    Delete a local user list, user name, or realm.
edit local-user-list <name> | realm <realm_name>
    Edit a local user list or realm settings.
enable-password
    Change the password for entering enable (privileged) mode.
management inactivity-timeout <second>
    Specify the number of seconds a session can be inactive before it is terminated. By default, this is 1800
    seconds.
management max-concurrent-logins <value>
    Set the maximum number of concurrent logins per user. By default, the number of concurrent administrative logins
    is unlimited.
management password-history <value>
    Set the number of password hashes to maintain for each user. This is used to check whether a password has been
    used when changing a password.

Examples
(config)# authentication create realm name local
(config-authentication)# edit realm local
(config-realm-local)# authentication enable-password
Enter current password: *****
Enter new password: *****
Confirm new password: *****
ok

clock
Manually set the time and date of the appliance in Coordinated Universal Time (UTC).

Syntax
# clock day <value> | hour <value> | minute <value> | month <value> | second <value> | year <value>

Notes
• Each value must be entered as a separate command.
• If you are using an NTP server, you do not need to manually set the clock.

Examples
# clock day 2
# clock month 9
# clock year 2020

diagnostic-systems
Manage diagnostic images installed on the system. Up to six images can be installed on the system. If your system
already has six images installed and you add another image, the oldest unlocked image will be replaced with the new
image, unless you have designated a particular image to be replaced.

Syntax
(config)# diagnostic-systems ?

cancel
    Cancel the download process of an image that is currently downloading.
delete <image#>
    Delete an image from the system. Use the diagnostic-systems view command to identify the image number to delete.
    You cannot remove a locked image or the current running image.
load <URL>
    Download and install a diagnostic image on the system. <URL> is the path to an image on a web server that the
    appliance has access to. Example: http://webserver.mycompany.com/images/diag.bcs
lock <image#>
    Lock a diagnostic image to protect it from accidental deletion.
replace <image#>
    Designate which image will be replaced next (if the system already has six installed images and you load another
    image). If you do not specify an image to be replaced, the oldest unlocked image on the system will be replaced.
unlock <image#>
    Unlock a diagnostic image that you no longer want to protect from deletion. You have to unlock a locked image
    before you can remove it.
unset-replace
    Unset image to be replaced next. When a replacement image is not designated, the oldest image will be replaced
    when you load a seventh image.
view
    Show a list of installed diagnostic images along with their image numbers, software versions, release IDs, whether
    the image is locked or unlocked, whether it has ever been booted, creation date/time, and boot date/time. The
    summary at the bottom of the list indicates which image number is the current running system, the default system
    to run the next time the appliance is restarted, and the image number that will be replaced next.

Examples
(config)# diagnostic-systems load http://webserver.mycompany.com/images/diag.bcs

dns
Configure servers and domains for the domain name system (DNS).

Syntax
(config)# dns ?

name-server <IP_address>
    IP address of a DNS server. Enter one or more IP addresses, each separated by a space.
domain-list <domain> <domain> ...
    A list of DNS domain names of which this appliance will consider itself to be a member. DNS queries which use a
    short name will append these domains, in turn, until a match is found.

Notes
• To clear these settings, use the no command. For example, no dns name-server.
• To view the current settings, type show full-configuration dns.

Examples
(config)# dns name-server 10.2.2.10 10.2.2.11

event-log
Manage syslog settings. The syslog feature gives administrators a way to centrally log and analyze events on the
system. This command is available in both the enable and config modes.

Syntax
(config)# event-log
(config-event-log)# ?

level <value>
    Set the level that determines which messages are forwarded to the syslog server; messages with a higher (less
    severe) level are suppressed. For example, setting the level to 3 allows messages with levels 0 - 3 and
    suppresses messages with levels 4 - 7. <value> can be one of the following:
    • 0 Emergency: system is unusable
    • 1 Alert: action must be taken immediately
    • 2 Critical: critical conditions
    • 3 Error: error conditions
    • 4 Warning: warning conditions
    • 5 Notice: normal but significant condition
    • 6 Informational: informational messages
    • 7 Debug: debug-level messages
log-size <value>
    Set the maximum size in MB for the event-log.
syslog add host <host> [port <port>]
    Configure a syslog server where <host> is the host name or IP address of the syslog server. Optionally, you can
    also specify a custom port, where <port> is the port number.
syslog add tls host <host> [port <port>]
    Configure a syslog server using TLS where <host> is the host name or IP address of the syslog server. Optionally,
    you can also specify a custom port, where <port> is the port number.
syslog add udp host <host> [port <port>]
    Configure a syslog server using UDP where <host> is the host name or IP address of the syslog server. Optionally,
    you can also specify a custom port, where <port> is the port number.
syslog remove host <host>
    Remove a configured syslog server by specifying the <host>.
syslog clear
    Removes all configured syslog servers.
view
    View syslog settings.

Notes
• You can add multiple syslog servers.
• The sub-commands listed above can be entered at the enable prompt, in event-log configuration mode (at the
(config-event-log) prompt), or in configuration mode (at the (config) prompt).

Examples
(config)# event-log
(config-event-log)# syslog add udp host 203.0.113.17
Added syslog server host 203.0.113.17:514.
(config-event-log)# view
Log level: 5 (notice)
Remote syslog servers:
203.0.113.17:514
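The level rule above is easy to get backwards (a lower number forwards fewer messages). The following script, an added example and not ISG code, decodes the <PRI> header of syslog messages into facility and severity and applies the rule the way the page describes it, so a level change can be checked against a sample of real traffic before it is set. The messages are constructed, with PRI = facility * 8 + severity; level 5 is taken from the view output above.

```python
"""Apply the ISG event-log 'level' rule to syslog messages: level N forwards
severities 0..N and suppresses N+1..7. Added example for this page, not ISG
code; the sample messages are constructed, with PRI = facility * 8 + severity."""
import re

SEVERITY_NAMES = ("emergency", "alert", "critical", "error",
                  "warning", "notice", "informational", "debug")
DEFAULT_LEVEL = 5  # the 'view' output on this page shows 'Log level: 5 (notice)'

# Constructed RFC 3164-style messages (facility.severity noted per line).
SAMPLE_MESSAGES = [
    "<14>Nov  6 23:22:01 ISG1 hm: CPU Utilization OK - 2.63%",                 # user.info
    "<12>Nov  6 23:22:02 ISG1 hm: Memory Utilization Warning - 80%",           # user.warning
    "<10>Nov  6 23:22:03 ISG1 hm: RAID casma_raid Critical - member lost",     # user.critical
    "<38>Nov  6 23:23:00 ISG1 sshd: login failed for admin from 203.0.113.5",  # auth.info
    "<11>Nov  6 23:24:00 ISG1 license: validation failed",                     # user.error
]

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


def decode_pri(message):
    """Return (facility, severity, rest) from the <PRI> header of a syslog line."""
    m = PRI_RE.match(message)
    if not m:
        raise ValueError(f"missing <PRI> header: {message!r}")
    pri = int(m.group(1))
    if pri > 191:  # 23 facilities * 8 + 7 is the largest valid PRI
        raise ValueError(f"PRI out of range: {pri}")
    return pri // 8, pri % 8, m.group(2)


def forwarded(messages, level=DEFAULT_LEVEL):
    """Messages the appliance would send to the syslog server at this log level."""
    if not 0 <= level <= 7:
        raise ValueError("level must be 0-7")
    return [m for m in messages if decode_pri(m)[1] <= level]


def summarize(messages, level=DEFAULT_LEVEL):
    """Forwarded/suppressed counts per severity name: a quick sanity check of a
    level change before applying it on the appliance."""
    counts = {name: {"forwarded": 0, "suppressed": 0} for name in SEVERITY_NAMES}
    for m in messages:
        _, severity, _ = decode_pri(m)
        bucket = "forwarded" if severity <= level else "suppressed"
        counts[SEVERITY_NAMES[severity]][bucket] += 1
    return counts


if __name__ == "__main__":
    for level in (3, DEFAULT_LEVEL):
        kept = forwarded(SAMPLE_MESSAGES, level)
        print(f"level {level} ({SEVERITY_NAMES[level]}): {len(kept)} of {len(SAMPLE_MESSAGES)} forwarded")
        for m in kept:
            print("   ", m)
```

At level 3 only the critical and error messages reach the server; the failed-login line is informational and would be dropped, which is worth knowing before lowering the level on an appliance whose syslog feed is used for detection.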

exit
Exit from the current mode.
For example, if you are in configuration mode, exit returns you to enable mode. If you are in configure-applications
mode, exit returns you to configure mode. If you are in standard mode, exit closes the session.

Syntax
> exit

Notes
You can use this command in any mode.

halt
Halts the operating system and stops all CPUs. Once the system is cleanly halted, you can power down the appliance.

Syntax
(config)# halt

Notes
The halt and shutdown commands are similar; the only difference is that shutdown disconnects the power via the CLI
command.

health-monitoring
View Health Monitoring (HM) events and status, and view and change HM settings. This command is available in both the
enable and config modes.

Syntax
(config)# health-monitoring
(config-health-monitoring)# ?

clear-history
    Clear the entire event history.
history-duration
    Sets the number of days that the HM framework is to store its history of events.
    • It takes one argument, an integer representing the number of days.
    • Default value is 30.
    • Once per day, the HM framework clears the event history of all events older than the specified number of days.
metric
    Set parameters for metrics.
view
    Show health status and metric settings.

health-monitoring metric
The health monitoring system tracks CPU utilization (cpu-util), memory utilization (memory-util), and license-server
statuses. Use the health-monitoring view settings command to see a list of metrics tracked on your system.

Syntax
(config-health-monitoring)# metric ?

cpu-util
    CPU utilization thresholds.
    email enable | disable
        Enable or disable email notification when CPU utilization reaches a critical or warning threshold.
    high-critical-threshold 0-100
        Set the percentage that constitutes the high critical threshold.
    high-warning-threshold 0-100
        Set the percentage that constitutes the high warning threshold.
    log enable | disable
        Enable or disable logging when CPU utilization reaches a critical or warning threshold. Default: enable
    trap enable | disable
        Enable or disable SNMP trap when CPU utilization reaches a critical or warning threshold.
license-server-communication-status
    Communication status with the license server. Set the number of days without communication with the license
    server.
    email enable | disable
        Enable or disable email notification when the license server communication status reaches a critical or
        warning threshold.
    low-critical-threshold 0-7
        Set the number of days that constitutes the low critical threshold.
    low-warning-threshold 0-7
        Set the number of days that constitutes the low warning threshold. Default: 6
    log enable | disable
        Enable or disable logging when the license server communication status reaches a critical or warning
        threshold. Default: enable
    trap enable | disable
        Enable or disable SNMP trap when license server communication status reaches a critical or warning threshold.
license-validation-status
    License validation status. Set the number of days without license validation.
    email enable | disable
        Enable or disable email notification when the license server communication status reaches a critical or
        warning threshold.
    low-critical-threshold 0-30
        Set the number of days that constitutes the low critical threshold.
    low-warning-threshold 0-30
        Set the number of days that constitutes the low warning threshold. Default: 30
    log enable | disable
        Enable or disable logging when the license server communication status reaches a critical or warning
        threshold. Default: enable
    trap enable | disable
        Enable or disable SNMP trap when license validation status reaches a critical or warning threshold.
memory-util
    Memory utilization thresholds.
    email enable | disable
        Enable or disable email notification when memory utilization reaches a critical or warning threshold.
    high-critical-threshold 0-100
        Set the percentage that constitutes the high critical threshold. Default: 90
    low-warning-threshold 0-100
        Set the percentage that constitutes the low warning threshold. Default: 80
    log enable | disable
        Enable or disable logging when memory utilization reaches a critical or warning threshold. Default: enable
    trap enable | disable
        Enable or disable SNMP trap when memory utilization reaches a critical or warning threshold.
raid-status-casma-raid
    RAID monitoring thresholds.
    email enable | disable
        Enable or disable email notification when the RAID status reaches a critical or warning threshold.
    log enable | disable
        Enable or disable logging when the RAID status reaches a critical or warning threshold. Default: enable
    trap enable | disable
        Enable or disable SNMP trap when the RAID status reaches a critical or warning threshold.

Notes
• There are four possible thresholds that you can set, although no setting has all four:
– high-warning-threshold—If the metric is equal to or exceeds this threshold, the metric goes into a Warning state.
– high-critical-threshold—If the metric is equal to or exceeds this threshold, the metric goes into a Critical state.
– low-warning-threshold—If the metric is less than or equal to this threshold, the metric goes into a Warning state.
– low-critical-threshold—If the metric is less than or equal to this threshold, the metric goes into a Critical state.
A given metric has either the high thresholds or the low thresholds.
When a threshold is exceeded and the metric transitions to a new state (for example, from OK to Warning, or from
Warning to Critical), you can have the system send a notification email, syslog alert, or SNMP trap.
• You will need to configure SMTP settings to send email notifications, event-log settings to send alerts to a syslog
server, and SNMP trap targets and vacm groups to send SNMP traps.

Examples
(config-health-monitoring)# metric memory-util high-warning-threshold 75
(config-health-monitoring)# metric memory-util email enable
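The threshold and notification rules in the Notes above, written out as a small state machine: an added example for this page, not ISG code. High thresholds fire when the value is greater than or equal to them, low thresholds when it is less than or equal, Critical is checked before Warning, and a notification is produced only on a state change, which is what makes a metric that hovers above a threshold alert once rather than on every check. The memory-util thresholds follow the example session above; the low-critical value used for the license-server metric is a constructed sample, since the page gives no default for it.

```python
"""Threshold state machine for the health-monitoring metrics described above.
Added example for this page, not ISG code. The license metric's low-critical
value used below is a constructed sample (the page gives no default)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

OK, WARNING, CRITICAL = "OK", "Warning", "Critical"


def parse_duration(text):
    """Duration as accepted by 'view events ... duration <value> d|h|m'."""
    units = {"d": timedelta(days=1), "h": timedelta(hours=1), "m": timedelta(minutes=1)}
    return int(text[:-1]) * units[text[-1]]


@dataclass
class Metric:
    name: str
    high_warning: Optional[float] = None
    high_critical: Optional[float] = None
    low_warning: Optional[float] = None
    low_critical: Optional[float] = None
    log: bool = True      # page: logging defaults to enable
    email: bool = False
    trap: bool = False
    state: str = OK
    value: Optional[float] = None
    events: List[Tuple[datetime, str, str, float]] = field(default_factory=list)

    def evaluate(self, value):
        """State for a value; critical thresholds are checked first."""
        if self.high_critical is not None and value >= self.high_critical:
            return CRITICAL
        if self.low_critical is not None and value <= self.low_critical:
            return CRITICAL
        if self.high_warning is not None and value >= self.high_warning:
            return WARNING
        if self.low_warning is not None and value <= self.low_warning:
            return WARNING
        return OK

    def check(self, value, now):
        """Record a sample; on a state change store an event and return the
        notification channels (log, email, trap) enabled for this metric."""
        new_state = self.evaluate(value)
        channels = []
        if new_state != self.state:
            self.events.append((now, self.state, new_state, value))
            channels = [n for n, on in (("log", self.log), ("email", self.email), ("trap", self.trap)) if on]
        self.state, self.value = new_state, value
        return new_state, channels

    def events_since(self, now, duration="24h"):
        """Equivalent of 'view events metric <name> duration <value>'."""
        cutoff = now - parse_duration(duration)
        return [e for e in self.events if e[0] >= cutoff]


def demo():
    """Replay a memory-util history with the thresholds from the page's example."""
    mem = Metric("memory-util", high_warning=75, high_critical=90, email=True)
    t0 = datetime(2017, 11, 6, 23, 0, 0)
    trace = []
    for minute, pct in enumerate((70, 80, 82, 95, 50)):
        state, channels = mem.check(pct, t0 + timedelta(minutes=minute))
        trace.append((pct, state, channels))
    now = t0 + timedelta(minutes=4)
    return {"metric": mem, "trace": trace, "events_last_2m": mem.events_since(now, "2m")}


if __name__ == "__main__":
    result = demo()
    for pct, state, channels in result["trace"]:
        note = f"-> notify via {', '.join(channels)}" if channels else ""
        print(f"memory-util {pct:>3}%  state={state:<8} {note}")
    print("events in last 2m:", len(result["events_last_2m"]))
```

The 82% sample produces no notification because the state is still Warning; only the transitions at 80%, 95% and back to 50% are recorded, matching the "changed state" definition of an event in the view command's description.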

health-monitoring view
The view command in the health monitoring system is used for showing the event history and metric settings.

Syntax
(config-health-monitoring)# view ?

current
    View the current state of all metrics. The output lists each metric, when the health monitoring system last
    checked it, the current state (OK, Warning, Critical) and the current value (for example, 28%).
events [metric <metric_name> | all] [duration <value> d | h | m]
    Shows the event history for all metrics or for one metric, for the specified duration. An event is an occasion
    where the metric exceeded a configured threshold and changed state (for example, from OK to Warning, Warning to
    Critical).
    • The metric and duration parameters are optional.
    • If the metric parameter is omitted, 'all' is assumed.
    • If the duration parameter is omitted, "24h" is assumed.
    • The d, h, or m suffix is used to indicate days, hours, or minutes, respectively.
settings
    Shows the configured threshold settings and alert type (Log, Email, SNMP Trap) for each metric.

Examples
(config-health-monitoring)# view current
Health Monitoring current state of all metrics:
Last Check                   | Metric Name                       | State
-----------------------------+-----------------------------------+--------------------------
2017-11-06 23:22:02          | CPU Utilization                   | OK - 2.63%
-----------------------------+-----------------------------------+--------------------------
2017-11-06 23:22:01          | Memory Utilization                | OK - 18416/128786MB 14%
-----------------------------+-----------------------------------+--------------------------
2017-11-06 23:22:01          | RAID casma_raid Working Members   | OK
-----------------------------+-----------------------------------+--------------------------

images
Used to manage application images on the ISG.

Syntax
(config)# images
(config-images)# ?

delete
    Delete an application image. See images delete.
load
    Load an application image onto the ISG. See images load.
view
    Displays all application images that have been downloaded onto the ISG. See images view.

images delete
Deletes an application image.
NOTE
You can only delete images when they are not in use.

Syntax
(config-images)# delete <image_id>

Example
(config-images)# delete sg-7.2.2.1-253750

images load
Download an application image onto the ISG.

Syntax
(config-images)# load <image_url> [force]

where force forces the specified image to load, even if an image is already loaded on the ISG.

Example
(config-images)# load https://example.com/system.bcsi

images view
Displays all application images that have been downloaded onto the ISG.

Syntax
(config-images)# view [<image_id> | sg]

<image_id>
    The image ID of the application image you want to view.
sg
    Displays all ProxySG images.

Example
(config-images)# view sg-7.2.2.1-253750

Image ID            Type  Version   Release ID  In Use
sg-7.2.2.1-253750   SG    7.2.2.1   253750      0

localhost(config-images)# view sg-7.2.2.1-253750
Image ID: sg-7.2.2.1-253750
Type: SG
Version: 7.2.2.1
Release ID: 253750
Build Type: Debug
Build Time: 2020-08-31T08:13:21+0000
Capabilities: gdb_enable
Checksum: 52822953c3ccd3c12124fb887c0a0d343a92e270a26329082366575039178334
Applications: exappname

installed-systems
Manage images installed on the system. Up to six images can be installed on the system. If your system already has six
images installed and you add another image, the oldest unlocked image will be replaced with the new image, unless you
have designated a particular image to be replaced.
CAUTION
Only customers with a valid support contract can upgrade to major releases. If your support contract has
expired, the image installation will fail. Note that you can still upgrade to maintenance releases for the current
version.

Syntax
(config)# installed-systems ?

cancel
    Cancel the download process of an image that is currently downloading.
default <image#>
    Specify the image that will be run the next time the system is restarted. Use the installed-systems view command
    to identify the image number.
delete <image#>
    Delete an image from the system. Use the installed-systems view command to identify the image number to delete.
    You cannot remove a locked image or the current running image.
load <URL>
    Download and install an image on the system. <URL> is the path to an image on a web server that the appliance
    has access to. Example: http://webserver.mycompany.com/images/542386.bcs
    Image loading will fail if the appliance does not have a license installed or if your support contract has
    expired.
lock <image#>
    Lock an image to protect it from accidental deletion.
replace <image#>
    Designate which image will be replaced next (if the system already has six installed images and you load another
    image). If you do not specify an image to be replaced, the oldest unlocked image on the system will be replaced.
unlock <image#>
    Unlock an image that you no longer want to protect from deletion. You have to unlock a locked image before you
    can remove it.
unset-replace
    Unset image to be replaced next. When a replacement image is not designated, the oldest image will be replaced
    when you load a seventh image.
view
    Show a list of installed images along with their image numbers, software versions, release IDs, whether the image
    is locked or unlocked, whether it has ever been booted, creation date/time, and boot date/time. The summary at
    the bottom of the list indicates which image number is the current running system, the default system to run the
    next time the appliance is restarted, and the image number that will be replaced next.

Examples
(config)# installed-systems view
1. Version : 1.67.5.3, Release ID : 250229, Locked : true, Booted : true
BuildType : Debug, CreationTime : 2020-04-14T01:08:08+0000, BootTime : 2020-06-22T15:54:43.810+0000
DisplayName : ISG 1.67.5.3, Release ID: 250229
Default system to run on next hardware restart: 1
Current running system: 1
System to replace next: None

interface
Configure the interface settings (such as IP address) on the appliance.

Syntax
(config)# interface <interface_number> ?

description <text>
    Description of the interface; enclose in quotes if the description contains spaces.
disable
    Disable the interface.
enable
    Enable the interface.
ip-address <ip_address>
    Set the static IP address of the interface.
mtu-size <size>
    Specify the Maximum Transmission Unit (MTU) size (default=1500 bytes).
speed <speed>
    Set the speed of the interface (for example, 1gb, 10gb, 100mb). The default setting is auto.

Notes
• The sub-commands listed above can be entered either in interface configuration mode (for example, at the (config-interface-1:0) prompt) or in configuration mode (at the (config) prompt).
• Use the show full-configuration command in interface configuration mode to display the interface settings. (See example below.)

Examples
(config)# interface 0:0
(config-interface-0:0)# ip-address 203.0.113.17 255.255.248.0
ok
(config-interface-0:0)# show full-configuration
interface 0:0
description "management interface"
enable
speed auto
duplex auto
mtu-size 1500
ip-address 203.0.113.17 255.255.248.0

ipv6
Enable or disable support for IPv6 networking. Once enabled, IPv6 support is available in configuration sections
for Packet Captures, Backups, Failover, Ping, Traceroute, SNMPWALK, syslog, and in networking and interface
configuration.

Syntax
(config)# ipv6 [enable|disable]

Examples
(config)# ipv6 enable
(config)# show full-configuration ipv6
ipv6 enable
(config)# exit
# show running-config ipv6
ipv6 enable

licensing
Configure licensing for applications on the ISG.

Syntax
(config)#licensing ?

delete id <license_id>
    Deletes a license from the local inventory. It is possible to delete a license that an application is currently using. Deleting a license in use will prevent the application from starting. If the application is running when its license is deleted, the application will continue to run until it is stopped or the ISG is restarted. In such cases, reinstall the license before stopping the application or restarting the appliance.
edit id <license_id> label <label>
    Edit the label associated with this license, such as to tag a license with user-specific information.
inline passphrase <passphrase>
    Loads a new license that was downloaded from myBroadcom, where <passphrase> is the passphrase you entered when you downloaded the license.
load id <license_id> username <username> password <password>
    Loads the license from the backend of the ISG, where:
    • <license_id> is the license ID or serial number of the application
    • <username> is your myBroadcom username
    • <password> is your myBroadcom password
    For licenses that you have already loaded and need to be updated, you can retrieve updates without providing your myBroadcom username and password.
view [id <license_id>]
    View either all license IDs/serial numbers or a specific one installed in the appliance's local inventory.
view-node-locked
    View how many applications were created with the node-locked license and how many are currently using it. Only running applications (In-Use) count against the license limit; created applications that are not running do not count.

Notes
After loading the license, you must restart the application that is using the license.

Examples
(config)# licensing load id 0000990000 username Admin password *******
License update was successful for license id 0000990000
(config-licensing)# view-node-locked
Node Locked License ID: 0000990000
Application Type: SG
Model: C2S
Limit: 1
In-Use (0):

login-banner
Configure a banner message to appear before users log in to the appliance. The message will appear before users log in
to the CLI (via serial console and SSH). This feature meets the security technical implementation guideline STIG V-3013.
Messages can contain up to 2,047 characters and can be defined using multi-byte UTF-8 characters.

Syntax
(config)# login-banner ?

disable
    Disable the login banner message.
enable
    Enable the login banner message. (You cannot enable the feature until you define the message.)
inline message
    Define the login banner message. You will be prompted to enter the message text and press Ctrl-D when finished.
view message | status
    Show the currently defined message and feature status (enabled vs. disabled).

Examples
(config)# login-banner inline message
Enter the login banner message below and end it with a Ctrl+D
This is a banner message.
ok
(config)# login-banner enable
(config)# login-banner view message
This is a banner message.
(config)# login-banner view status
Login banner is enabled.

ntp
Configure Network Time Protocol (NTP) settings. Use NTP to synchronize the time on the appliance with another server
or reference time source. You can configure up to 10 NTP servers.

Syntax
(config)# ntp ?

disable
    Stops the NTP service on the appliance. The NTP service is configured to not start when the appliance is rebooted.
enable
    Starts the NTP service on the appliance. The NTP service is configured to start automatically when the appliance is rebooted. At least one NTP server must be defined in order to enable the NTP service.
server <hostname_or_IP_address>
    Domain name or IP address of the NTP server. The default NTP servers are ntp.bluecoat.com and ntp2.bluecoat.com.
symmetric-key key-id <value 1-65534> algorithm <sha1> [encrypted-secret <value> | secret <string>]
    If your NTP server supports symmetric-key authentication, enter the key with this series of commands. Only SHA1 is supported in this release. Defer to your NTP provider's instructions on whether to use an encrypted secret or an unencrypted one.
update-now
    Forces the NTP service to update the appliance's clock.

Notes
• Type ntp to enter NTP configuration mode. The prompt will display as (config-ntp)#.
• Use the no server command in NTP configuration mode to remove a configured server. (See example below.)
• Use the show full-configuration command in NTP configuration mode to display the NTP settings. (See example below.)

Examples
(config)# ntp server ntp1.net.symantec.com
(config)# ntp enabled
(config)# ntp
(config-ntp)# show full-configuration
ntp
enabled
server ntp.bluecoat.com
server ntp2.bluecoat.com
(config-ntp)# no server ntp2.net.symantec.com

To view the current configuration:
# show running-config ntp
ntp
enable
symmetric-key 1 algorithm sha1
symmetric-key 1 encrypted-secret $AES256-
CBC$4dQX+DOtMmVWdhtM4PG/+g==$gFDz7v2vfOM0A1D+qjzLPB5jqfqsEZhdoYx8EslIvkY=$kKZd4y09r3hNnlhziLwArw==
$eR4tJbJSB7309qcDCQ+jmLnCXUhfz7gQAcwvHdwFyEKfZUx5QqyKptrQiGGjjRwveM5UXcmem43v65eZan/
WGzBow8YjdwLZNOcoN87xhdN456EWJ8wsKsmd/60dhzVoMu5k3PQS1nQbCtmAn1BreBsrh2L/9zaJFl8C1HrdV5AYZpNokiakrMjxvw01ZAwxsagCflqqr2
+iwXROzUKMoWO4PJj05SF3idHMz2NwecIoXby3nA2e/WY0u/8UhqJauZ/+d1vr5H/8O9VClASR4PL0Nrx2Vi0wjG25WYwuZNe+hQ==
server ntp.bluecoat.com
server ntp2.bluecoat.com
server symmetric-key
!

password-policy
Configure password rules for administrative users. For example, you can require that the password contain at least one
uppercase letter, one number, and one special character. By default, the password length and prohibit-common-words
rules are defined. The default minimum password length is six characters.

Syntax
(config)# password-policy ?

min-digits <value>
    Set the minimum number of digits required in a password. Range: 0–255. By setting this rule to 0 (the default), numbers are not required in a password.
min-groups <value>
    Set the minimum number of password rules (min-digits, min-lowercase, min-special, min-uppercase) that must be met. Range: 0–4. By setting this rule to 0 (the default), the password does not have to meet a minimum number of rules. For example, if you set the min-digits and min-special rules, you would set min-groups to 2. Note: min-length is not counted as a rule for the purposes of the min-groups command.
min-length <value>
    Set the minimum number of characters required in a password. Range: 0–255. The default minimum length is 6; the policy imposes no maximum length.
min-lowercase <value>
    Set the minimum number of lowercase letters required in a password. Range: 0–255. By setting this rule to 0 (the default), lowercase letters are not required in a password.

min-special <value>
    Set the minimum number of special characters (symbols) required in a password. Range: 0–255. By setting this rule to 0 (the default), special characters are not required in a password. Supported special characters include: !"#$%&'()*+,-./:<=>?@^_`{|}
    Tildes (~), semicolons (;), and square brackets ([ ]) are not supported.
min-uppercase <value>
    Set the minimum number of uppercase letters required in a password. Range: 0–255. By setting this rule to 0 (the default), uppercase letters are not required in a password.
prohibit-common-words builtin
    Don't allow common dictionary words to be specified in passwords.
prohibit-whitespace true | false
    Enable/disable rejection of white space in passwords. Default=false.
view
    Show current password rules.

Notes
• The sub-commands listed above can be entered either in password-policy configuration mode (at the (config-password-policy) prompt) or in configuration mode (at the (config) prompt).
• Use the show password-policy-configuration command to display the password policy settings.
• To remove a rule, type no before the rule command. For example: no min-lowercase
• If you configure multiple password policy rules but don't configure the min-groups command, the rules will not take effect; only the min-length rule will be enforced.

Examples
To require a password to have at least 8 characters, and have at least one number, one symbol, and one uppercase letter,
set the following rules:
(config)# password-policy
(config-password-policy)# min-length 8
(config-password-policy)# min-digits 1
(config-password-policy)# min-special 1
(config-password-policy)# min-uppercase 1
(config-password-policy)# min-groups 3
(config)# show password-policy-configuration
min-uppercase: 1
min-groups: 3
prohibit-whitespace: false
min-special: 1
min-digits: 1
min-length: 8
min-lowercase: 0
prohibit-common-words: No dictionary defined

After these rules are configured and a user tries to specify "test" for the user password, the following message will appear:
(config local-user-list john_jones)# password test
Please enter a valid password.
Password must contain at least 1 uppercase characters.
Password must contain at least 1 special characters.
Password must contain at least 1 digit characters.
Password matches 0 of 3 character rules, but 3 are required.
Password must be at least 8 characters in length.
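
The rules above, modelled in Python as an added example (this is not ISG code): min-length is always enforced, the four character rules only count through min-groups, and the special-character set is the one the page lists. The message wording follows the page's quoted output; whether the appliance also reports a failing rule when enough other rules are met is not stated, so this model reports rule failures only when fewer than min-groups rules are met (an assumption).

```python
"""Offline model of the ISG password-policy rules (added example, not ISG code).

Semantics taken from the reference text:
  * min-length is always enforced, even when min-groups is 0;
  * min-digits / min-lowercase / min-special / min-uppercase take effect only
    when min-groups is greater than 0, and a rule set to 0 is "not configured";
  * prohibit-whitespace rejects any white space;
  * the supported special characters are the ones the page lists; ~ ; [ ] are not.
Assumption: per-rule failure messages are shown only when fewer than min-groups
rules are satisfied (the page shows that case and no other).
"""
from dataclasses import dataclass
from typing import List

SUPPORTED_SPECIAL = set('!"#$%&\'()*+,-./:<=>?@^_`{|}')   # from the min-special entry
UNSUPPORTED_SPECIAL = set("~;[]")                            # rejected per the same entry


@dataclass
class PasswordPolicy:
    min_length: int = 6          # default minimum length stated on the page
    min_digits: int = 0
    min_lowercase: int = 0
    min_special: int = 0
    min_uppercase: int = 0
    min_groups: int = 0          # 0 (default): character rules are not enforced
    prohibit_whitespace: bool = False

    def check(self, password: str) -> List[str]:
        """Return the list of violations; an empty list means the password is accepted."""
        errors: List[str] = []

        if any(ch in UNSUPPORTED_SPECIAL for ch in password):
            errors.append("Password contains an unsupported character (~ ; [ ]).")
        if self.prohibit_whitespace and any(ch.isspace() for ch in password):
            errors.append("Password must not contain white space.")

        # One "character rule" per class; a threshold of 0 means the rule is not configured.
        # The order follows the appliance output quoted on the page.
        rules = [
            ("uppercase", self.min_uppercase, sum(c.isupper() for c in password)),
            ("special", self.min_special, sum(c in SUPPORTED_SPECIAL for c in password)),
            ("digit", self.min_digits, sum(c.isdigit() for c in password)),
            ("lowercase", self.min_lowercase, sum(c.islower() for c in password)),
        ]
        if self.min_groups > 0:
            failed: List[str] = []
            matched = 0
            for name, needed, have in rules:
                if needed == 0:
                    continue
                if have >= needed:
                    matched += 1
                else:
                    failed.append(f"Password must contain at least {needed} {name} characters.")
            if matched < self.min_groups:
                errors.extend(failed)
                errors.append(
                    f"Password matches {matched} of {self.min_groups} character rules, "
                    f"but {self.min_groups} are required."
                )

        # min-length is not a "group" and is enforced regardless of min-groups.
        if len(password) < self.min_length:
            errors.append(f"Password must be at least {self.min_length} characters in length.")
        return errors


# The policy configured in the page's example: 8 chars, 1 digit, 1 symbol, 1 uppercase, 3 groups.
EXAMPLE_POLICY = PasswordPolicy(
    min_length=8, min_digits=1, min_special=1, min_uppercase=1, min_groups=3
)


def demo() -> None:
    # Constructed candidate passwords; "test" is the one the page's example rejects.
    for candidate in ("test", "Tr0ub4dor&3x"):
        problems = EXAMPLE_POLICY.check(candidate)
        print(f"{candidate!r}: {'accepted' if not problems else 'rejected'}")
        for line in problems:
            print("  " + line)


if __name__ == "__main__":
    demo()
```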

pcap
Capture packets that are sent to and/or from the appliance. The captured data can be imported into a packet analysis tool
such as Wireshark. This command is available in both the enable and config modes.

Syntax
(config)# pcap ?

filter direction [both | in | out]
    Filter packets by direction.
filter expression host <host_or_IP_address> | port <port_number>
    Filter packets by hostname or an IPv4 or IPv6 address, or by a specific port.
filter interface <nic>
    Filter packets by interface number (0:0, 1:0, 1:1).
limit capsize | count | snapshot-length
    Set limits on what the pcap captures: the maximum size of the capture file in MB, the number of packets to capture, or the snapshot length in bytes.
start
    Start capturing packets.
stop
    Stop capturing packets.
transfer <full_url/filename> <username> <password>
    Copy captured data to an FTP site. While not necessary, Symantec recommends that you use pcap stop before using this command.
view
    View the status of the capture.

Notes
• Before enabling packet capture, you can optionally restrict the packets that are captured by filtering by direction (in or out) or by interface (for example, just packets sent out of the 1:0 NIC).
• After capture is turned on, the system creates a .dmp file in TCPDump format and starts capturing packets into this file.
• Packets are captured until capturing is disabled with the pcap stop command, or after 30 minutes, whichever comes first.

Examples
(config)# pcap filter direction in
(config)# pcap start
(config)# pcap stop
(config)# pcap transfer ftp://example.com/john_files/test.dmp john.smith ******

proxy-settings
Configure settings for the HTTP proxy server in situations where your network requires this appliance to connect through
a proxy to access Internet resources.

Syntax
(config)# proxy-settings ?

disable
    Turn the proxy settings off.
enable
    Turn the proxy settings on.
host <hostname_or_IP_address>
    Configure the HTTP proxy host name or IPv4/IPv6 address.
password <string>
    Enter the password for the HTTP proxy server.
port <value>
    Define the port number of the HTTP proxy server (0-65535).
username <string>
    Enter the user name for the HTTP proxy server.
view
    View the HTTP proxy config settings.

Notes
You can enter all the subcommands in one line, or enter each command on a separate line.

Examples
(config)# proxy-settings enable host 10.10.12.11
(config)# proxy-settings enable
(config)# proxy-settings host 10.10.12.11
(config)# proxy-settings port 8008
(config)# proxy-settings view
enabled:true
host :10.10.12.11
port no:8008
username:becky

restart
Reboots the system and restarts services such as image, licensing, subscription, SNMP, and health monitoring. You will
need to restart the system after upgrading to a new image or changing the running image on the appliance.

Syntax
(config)# restart

restore-defaults
Restore system to factory default settings. This process deletes all data on the appliance.

Syntax
(config)# restore-defaults factory-defaults ?

force
    The user is not prompted to confirm the action.
halt
    After the system is restored to factory defaults, the operating system is halted and CPUs are stopped.
shutdown
    After the system is restored to factory defaults, the operating system is halted, CPUs are stopped, and the appliance is powered off.

Examples
(config)# restore-defaults factory-defaults
Restoring box to factory state. This will delete all customer data and shutdown the system. Do you want to
proceed (yes/no): y

show
Display information about the system and settings.

Syntax
(config)# show ?

appliance-identifier
    Display the unique identifier for the ISG appliance.
clock
    Display current date and time (local and UTC) and timezone.
configuration commit changes
    Display committed configuration changes.
configuration rollback changes
    Display configuration changes that were rolled back.
cpu [all | extended | debug <interval_in_seconds> | all extended | extended all]
    Display the average utilization for the system's processor, where:
    • all displays the average utilization of each processing core available on the system.
    • extended displays the average CPU utilization over intervals of 1, 5, 30, and 60 seconds.
    • debug <interval_in_seconds> displays the verbose average utilization of each processing core available on the system over the specified interval of seconds, with the following fields:
      – us: user
      – sy: system
      – ni: nice
      – id: idle
      – wa: IO-wait
      – hi: hardware interrupt
      – si: software interrupt
      – st: stolen time
    • all extended | extended all displays average CPU utilization trends over 1, 5, 30, and 60 second intervals for each processing core available on the system.
full-configuration
    Display the current configuration. This displays the same output as the show running-configuration command in standard/enable mode.
hardware-configuration
    Display system hardware configuration information, such as serial number, memory, CPUs, cores, storage, and NICs.
history
    Display a list of previously entered CLI commands.
licenses
    Display the list of currently installed license files.
login-banner message | status
    Show the currently defined login banner message and feature status (enabled vs. disabled).
parser dump [<command_prefix>]
    Display all possible commands. When a command prefix is provided, the command only displays possible commands for that prefix. For example, parser dump health-monitoring displays all possible commands for health-monitoring.

password-policy-configuration
    Display current settings for password policy, such as minimum password length.
pcap
    Display packet capture information.
raid
    Display RAID configuration information.
ssh-console
    Display the configuration of the SSH console.
ssl ca-certificate | certificate | keypair | keyring | signing-request
    Display certificate details.
timezone
    List supported timezones.
version
    List the software version and release ID, appliance serial number, and the MAC address.

Examples
(config)# show cpu debug 60
CPU 0: 0.4 us, 1.0 sy, 0.0 ni, 98.6 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st
CPU 1: 0.4 us, 0.5 sy, 0.0 ni, 99.1 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st
CPU 2: 0.7 us, 0.6 sy, 0.0 ni, 98.6 id, 0.1 wa, 0.0 hi, 0.0 si, 0.0 st

shutdown
Shuts down the operating system, stops all CPUs, and sends a signal to the power supply unit to disconnect the main
power. With this command (as compared to the halt command), you don’t have to press the power switch to power down
the appliance. This command is used to prepare physical appliances for transport.

Syntax
(config)# shutdown

smtp
Configure Simple Mail Transfer Protocol (SMTP) settings, including destination email addresses, the from email address,
and the SMTP gateway.

Syntax
(config)# smtp ?

destination-addresses add <email_address> | clear | delete <email_address>
    Add email addresses to which the appliance sends alerts and other messages. You can configure multiple email addresses, but they must be added one at a time. The delete parameter removes a specific email address; the clear parameter deletes all configured destination email addresses.
from address <email_address>
    Set the from-address that appears on emails generated by the system.
gateway <SMTP_gateway>
    Set the SMTP gateway through which the appliance sends alerts and other messages.
view
    Show SMTP settings that are currently configured.

Examples
(config)# smtp destination-addresses add tom.jones@example.com
(config)# smtp from-address mary.johnson@test.com
(config)# smtp gateway 203.0.113.17
(config)# smtp view
smtp
gateway 203.0.113.17
from-address mary.johnson@test.com
destination-addresses
destination tom.jones@example.com

snmp
Configure Simple Network Management Protocol (SNMP).

Syntax
(config)# snmp ?

agent
    Configure the SNMP agent. When an SNMP manager polls a device for information, the SNMP agent on the device responds to the queries. See snmp agent.
community
    Define the community strings for SNMP v1/v2c. See snmp community.
notify
    Configure targets who will receive notifications. See snmp notify.
system
    System configuration (contact, location, name). See snmp system.
target
    Create new SNMP targets to determine where SNMPv3 notifications should be sent. See snmp target.
usm local
    Define an SNMP local user entry. See snmp usm local.
usm remote
    Define a user or a management system that receives notification of SNMPv3 traps and informs. See snmp usm remote.
vacm
    Configure the view-based access control model. See snmp vacm group member and snmp vacm group access.

snmp agent
When an SNMP manager polls a device for information, the SNMP agent on the device responds to the queries.

Syntax
(config)# snmp agent ?

disabled
    Disable the agent.
enabled
    Enable the agent.
engine-id from-ip <IP_address>
    Construct an engine ID for the agent from a specified IP address.

engine-id from-mac-address <MAC_address>
    Construct an engine ID for the agent from a specified MAC address.
engine-id from-text <ASCII_string>
    Construct an engine ID for the agent from a specified ASCII string. The maximum string length is 27 characters.
engine-id other <hex_bytes_string>
    Construct an engine ID for the agent from a string of colon-separated hex bytes.
engine-id regenerate
    Regenerate the engine ID for the SNMP agent by setting the ID to its default value.
engine-id view
    View the current engine ID for the agent.
max-message-size <value>
    The maximum length of SNMP message the agent can send or receive. Range: 484-214748364. Default=50000.
version v1 | v2c | v3
    SNMP protocol version used by the agent.

Examples
(config)# snmp agent enabled
(config)# snmp agent version v3
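
The engine-id sub-commands above name the SNMPv3 engine ID formats of RFC 3411 (IPv4, IPv6, MAC address, text, octets); the Python below is an added example, not ISG code, that builds and decodes engine IDs in those formats so an administrator can check what an agent or trap target advertises. It assumes a placeholder enterprise number (the page does not state the appliance's) and treats other as the RFC's octet format; the 27-character text limit follows from the 32-byte maximum less the 5-byte header.

```python
"""Build and decode RFC 3411 SNMPv3 engine IDs (added example, not ISG code).

Layout (RFC 3411, section 5): 4 bytes = enterprise number with the high bit
set, 1 format byte, then 1..27 bytes of format-specific payload; 5..32 bytes
in total. ENTERPRISE is a placeholder; the appliance's real value is not stated.
"""
import ipaddress
from typing import Dict

ENTERPRISE = 99999                        # PLACEHOLDER, not the vendor's real enterprise number
MAX_ENGINE_ID_LEN = 32
MAX_PAYLOAD_LEN = MAX_ENGINE_ID_LEN - 5   # 27, matching the page's from-text limit

FMT_IPV4, FMT_IPV6, FMT_MAC, FMT_TEXT, FMT_OCTETS = 1, 2, 3, 4, 5
FORMAT_NAMES = {FMT_IPV4: "ipv4", FMT_IPV6: "ipv6", FMT_MAC: "mac",
                FMT_TEXT: "text", FMT_OCTETS: "octets"}


def _header(fmt: int) -> bytes:
    """Enterprise number with bit 31 set (RFC 3411 layout marker) plus the format byte."""
    return ((1 << 31) | ENTERPRISE).to_bytes(4, "big") + bytes([fmt])


def _with_payload(fmt: int, payload: bytes) -> bytes:
    if not 1 <= len(payload) <= MAX_PAYLOAD_LEN:
        raise ValueError(f"payload must be 1..{MAX_PAYLOAD_LEN} bytes, got {len(payload)}")
    return _header(fmt) + payload


def engine_id_from_ip(address: str) -> bytes:
    """engine-id from-ip: IPv4 (format 1) or IPv6 (format 2) payload."""
    ip = ipaddress.ip_address(address)
    return _with_payload(FMT_IPV4 if ip.version == 4 else FMT_IPV6, ip.packed)


def engine_id_from_mac(mac: str) -> bytes:
    """engine-id from-mac-address: the six MAC octets (format 3)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("a MAC address is exactly 6 bytes")
    return _with_payload(FMT_MAC, octets)


def engine_id_from_text(text: str) -> bytes:
    """engine-id from-text: ASCII payload (format 4), at most 27 characters."""
    return _with_payload(FMT_TEXT, text.encode("ascii"))


def engine_id_other(hex_bytes: str) -> bytes:
    """engine-id other: colon-separated hex bytes; modelled as RFC 3411 format 5 (assumption)."""
    return _with_payload(FMT_OCTETS, bytes(int(b, 16) for b in hex_bytes.split(":")))


def to_colon_hex(eid: bytes) -> str:
    return ":".join(f"{b:02x}" for b in eid)


def decode_engine_id(eid: bytes) -> Dict[str, object]:
    """Split an engine ID into enterprise number, format name and payload.

    Raises ValueError for lengths outside 5..32 and for the pre-RFC 3411 layout
    (high bit clear), which this decoder does not handle.
    """
    if not 5 <= len(eid) <= MAX_ENGINE_ID_LEN:
        raise ValueError(f"engine ID length {len(eid)} is outside 5..32")
    if not eid[0] & 0x80:
        raise ValueError("RFC 1910-style engine ID (high bit clear) is not supported")
    enterprise = int.from_bytes(eid[:4], "big") & 0x7FFFFFFF
    fmt, payload = eid[4], eid[5:]
    if fmt in (FMT_IPV4, FMT_IPV6):
        value = str(ipaddress.ip_address(payload))   # raises if the length is wrong
    elif fmt == FMT_TEXT:
        value = payload.decode("ascii")
    else:  # MAC, octets and enterprise-specific (>= 128) formats are shown as hex
        value = to_colon_hex(payload)
    return {"enterprise": enterprise,
            "format": FORMAT_NAMES.get(fmt, f"enterprise-specific({fmt})"),
            "value": value}


if __name__ == "__main__":
    # Constructed sample inputs, using documentation addresses.
    for eid in (engine_id_from_ip("203.0.113.17"),
                engine_id_from_mac("00:d0:83:12:34:56"),
                engine_id_from_text("isg-mgmt-1")):
        print(to_colon_hex(eid), decode_engine_id(eid))
```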

snmp community
Define community strings for SNMP v1/v2. The community string acts as a password for accessing statistics on the
device. Equipment usually ships with a read-only community string set to public but network managers typically change
the community string to a customized value. Each system that polls your appliance could potentially have a different
community string.
NOTE
SNMP community strings are used only by devices that support SNMPv1 and SNMPv2c protocol. SNMPv3 uses
username/password authentication, along with an encryption key.

Syntax
(config)# snmp community <string>

After defining the community string, the command prompt changes, indicating the community string. For example, for a community string public, the prompt looks as follows: (config-community-public)#
The following sub-commands are available in community string configuration mode.

name <name>
    Necessary only when the community string is not the same as the index.
sec-name string <value>
    Initially set to the value of 'index'.
target-tag <tag_value>
    Limit access for this community to the specified target(s).

Examples
(config)# snmp community public
(config-community-public)# target-tag v1target

snmp notify
Configure targets that will receive notifications.

Syntax
(config)# snmp notify <list_name> tag <tag_value> [type inform | trap]

Notes
• The tag list is used for grouping entries in the target address table, and contains a list of tag values that are used to
select target addresses to be used for a particular operation.
• The default notification type is trap.

Examples
(config)# snmp notify std_v1_trap tag tagtest
(config)# snmp notify std_v3_inform type inform

snmp system
Configure SNMP system settings to identify the contact name, location, and fully-qualified domain name of the appliance.

Syntax
(config)# snmp system ?

contact <name>
    The name of the person managing the appliance; <name> can be up to 256 characters long and must be enclosed in quotation marks if spaces are used.
location <place>
    The physical location of the appliance (room, floor, building), where <place> can be up to 256 characters long and must be enclosed in quotation marks if spaces are used.
name <fqdn>
    The appliance's fully-qualified domain name for SNMPv1, where <fqdn> can be up to 256 characters long and must be enclosed in quotation marks if spaces are used.

Examples
(config)# snmp system contact "Gail Jellison"
(config)# snmp system location "building B, 1st floor"

snmp target
Create new SNMP targets to determine where SNMP notifications should be sent.

Syntax
(config)# snmp target <target_name> ?

engine-id <engine_id>
    An SNMP Engine ID identifies an SNMP engine that will receive trap and inform notifications. The default Engine ID for a remote SNMP user is LocalSnmpId, the SNMP agent's own SNMP engine. If you omit this parameter, the remote user will use this default LocalSnmpId Engine ID. To specify a different remote SNMP engine with which this user can communicate, specify the 24-digit hexadecimal Engine ID of a remote SNMP engine. Needed only if this target can receive v3 informs.
ip <IP_address>
    IP address of a remote IP host, in dotted-decimal format.

retries <value>
    Number of times the appliance should attempt to re-transmit an inform message when it does not receive a response. Valid range: 1-10. Default=3.
tag <tag_value>
    List of tag values used to select target address.
timeout <seconds>
    Maximum round trip time for communications between the appliance and the SNMP target address, in seconds. Needed only if this target can receive v3 informs.
udp-port <port>
    UDP port number. Default=162.
usm sec-level auth-no-priv | auth-priv | no-auth-no-priv user-name <user_name>
    User-based SNMPv3 parameters to be used for sending traps or informs. Where:
    • auth-no-priv: The connection is secured with a passphrase and authentication but no encryption.
    • auth-priv: The connection is secured with both authentication and encryption.
    • no-auth-no-priv: The connection uses a simple passphrase (known as a shared secret) to secure the communication.
usm user-name <string>
    Define a user for the target. Additionally, you will be prompted to supply the following:
    • Value for 'snmp target <target_name> ip': IP address for the target
    • Value for 'sec-level': The security level for the user
v1
    SNMPv1 parameters type. This command has all the subsets of the snmp target command.
v2c
    SNMPv2 community parameters type. This command has all the subsets of the snmp target command.

snmp usm local
Define an SNMPv3 local user entry.

Syntax
(config)# snmp usm local user <user_name>

After defining the local user name, the command prompt changes, indicating you are in configuration mode for the local
user. You can then define authentication and/or privacy keys that a management system can use to access the appliance.

auth [md5 | sha {key <key> | password <password>}]
    Specify either the MD5 or SHA hash algorithm and enter an authentication key or password for the user (8-32 characters).
priv [aes | des {key <key> | password <password>}]
    Specify either the AES or DES encryption algorithm and enter the privacy key or password (8-32 characters).

Examples
(config)# snmp usm local user altman
(config-user-altman)# auth md5 password Gquw4321
(config-user-altman)# priv aes password Gquw4321

snmp usm remote
Define the remote engine ID that receives the notification of SNMPv3 traps and informs.

Syntax
(config)# snmp usm remote <engine_id>

snmp vacm group access
Define access for an SNMP group. Each group is defined by a name, a security model (and level), and a set of views that specifies which types of MIB data that access group can read or write.

Syntax
(config)# snmp vacm group <group_name> access {usm | v1 | v2c} {auth-no-priv | auth-priv | no-auth-no-priv}

auth-no-priv
    A connection that is secured with a passphrase and authentication but no encryption.
auth-priv
    A connection that is secured with both authentication and encryption.
no-auth-no-priv
    A connection that uses a simple passphrase (known as a shared secret) to secure the communication.

After defining the access rights for the group, the command prompt changes, indicating the security level. For example:
(config-access-v1/auth-no-priv)#
You then need to specify the name of the MIB view for each type of access.

notify-view <MIB_view>
    Specify the name of the MIB view of the SNMP context authorizing notify access.
read-view <MIB_view>
    Specify the name of the MIB view of the SNMP context authorizing read access. Note that SNMPv1 is not permitted in read-view.
write-view <MIB_view>
    Specify the name of the MIB view of the SNMP context authorizing write access. Note that write-view is not implemented in all products.

Examples
(config)# snmp vacm group cas-group-v2c access v2c auth-no-priv
(config-access-v1/auth-no-priv)# read-view cas-view

snmp vacm group member
Define an SNMP access group member for a defined set of access rights.

Syntax
(config)# snmp vacm group <group_name> member <member_name> {sec-model usm | v1 | v2c}

Examples
(config)# snmp vacm group cas-group-2vc member member1 sec-model v2c
(config)# snmp vacm group cas-group-2vc member member2 sec-model v2c

Notes
After defining members, you can define the access rights for the group. See snmp vacm group access.

ssh-console
Configure the SSH console, including cipher suites, HMACs, key-exchange algorithms, and keys.

Syntax
(config)# ssh-console ?

ciphers add <cipher> | demote <cipher> | promote <cipher> | remove <cipher> | reset | set <cipher_list> | view
    Configure the ciphers used by the appliance:
    • add: Add a new cipher suite to the current list
    • demote: Demote a cipher suite within the list of ciphers
    • promote: Promote a cipher suite within the list of ciphers
    • remove: Remove a cipher suite from the list of ciphers
    • reset: Reset the list of cipher suites to the default list
    • set: Set the list of cipher suites in the specified order, where <cipher_list> is a comma-separated list
    • view: View the list of cipher suites currently accepted by the appliance

delete <key_name>
    Delete the specified user key.
generate host-keypair
    Regenerate the keypair for the host. After entering the command, you will be prompted to type y or n to confirm regeneration.
hmacs add <HMAC> | demote <HMAC> | promote <HMAC> | remove <HMAC> | reset | set <HMAC_list> | view
    Configure the HMACs used by the appliance:
    • add: Add an HMAC to the list
    • demote: Demote an HMAC within the list
    • promote: Promote an HMAC within the list
    • remove: Remove an HMAC from the list
    • reset: Reset the list of HMACs to the default list
    • set: Set the list of HMACs to be used by the appliance in the specified order, where <HMAC_list> is a comma-separated list
    • view: View the list of HMACs currently accepted by the appliance
inline <key_name>
    Import the specified user key.

key-exchange-algorithms add <algorithm> | demote <algorithm> | promote <algorithm> | remove <algorithm> | reset | set <algorithm_list> | view
    Configure the key-exchange algorithms used by the appliance:
    • add: Add a key-exchange algorithm to the list of algorithms
    • demote: Demote a key-exchange algorithm within the list of algorithms
    • promote: Promote a key-exchange algorithm within the list of algorithms
    • remove: Remove a key-exchange algorithm from the list of algorithms
    • reset: Reset the list of key-exchange algorithms to the default list
    • set: Set the list of key-exchange algorithms to be used by the appliance in the specified order, where <algorithm_list> is a comma-separated list
    • view: View the list of key-exchange algorithms currently accepted by the appliance
public-key-authentication enable | disable
    Enable or disable public-key authentication on the appliance.
view [ciphers | client-keys | defaults | hmacs | host-public-key | key-exchange-algorithms]
    View the SSH console configuration.

Examples
(config)# ssh-console ciphers add 3des-cbc
ok

ssl
Configure Secure Socket Layer (SSL) settings. This command is available in both the enable and config modes.

Syntax
(config)# ssl ?

create ccl | certificate | crl | keyring | signing-request | ssl-context
    Create SSL objects.
delete ca-certificate | ccl | certificate | crl | keyring | signing-request | ssl-context
    Delete SSL objects.
edit ccl | crl | ssl-context
    Edit the appliance's current SSL settings.
inline ca-certificate | certificate | crl | keyring | signing-request
    Import SSL keyrings, CA certificate lists, signing requests, and certificates.
regenerate certificate <keyring-id> subject <subject> [alternatives-names] [force]
    Regenerate an existing CA certificate and provide new subject and alternative name data. force is optional, and will overwrite an existing certificate without confirmation.
trust-package [auto-update | download-now | update-interval | url]
    Manage the list of trusted CA certificates provided by Symantec, how frequently to update it, and from where.
view [ca-certificate | ccl | certificate | keypair | keyring | signing-request | ssl-context]
    View available SSL objects.


Notes
• The sub-commands listed above can be entered either in SSL configuration mode (at the (config-ssl) prompt) or in configuration mode (at the (config) prompt).
• Use the show full-configuration ssl command in configure mode to display basic SSL settings, and (config-ssl-view)# ? to view specific keyrings, CA Certificate Lists, Certificates, and Certificate Signing Requests.

Examples
Add a certificate from a Certificate Authority; the certificate name in this example is ca1 .
(config)# ssl
(config-ssl)# inline ca-certificate ca1 content
Enter the certificate below and end it with a Ctrl-D
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
<Ctrl-D>
CA certificate ca1 is added successfully.

To view the certificate details for the ca1 certificate:


(config-ssl)# view ca-certificate ca1
Issuer: /C=US/ST=California/L=Sunnyvale/O=Blue Coat/OU=Development/CN=ca.bluecoat/
emailAddress=eric.chi@bluecoat.com
Subject: /C=US/ST=California/L=Sunnyvale/O=Blue Coat/OU=Development/CN=ca.bluecoat/
emailAddress=eric.chi@bluecoat.com
Valid From: Jan 13 01:32:40 2015 GMT
Valid Until: Jan 10 01:32:40 2025 GMT
Fingerprint: DB:AF:B1:82:EF:0C:9F:AD:84:F7:D8:35:0A:AA:0B:5D:93:DA:77:A5

ssl create
Create SSL keyrings, CA Certificate Lists (CCLs), signing requests, self-signed certificates, and ssl-contexts.

Syntax
(config)# ssl create ?

ccl
    Create a CA Certificate List (CCL).
certificate <keyring_id>
    Create a self-signed certificate associated with the specified keyring. You will be prompted to define values for each of the certificate fields (country, state, and so forth).
crl <CRL_name> path <URL>
    Create a Certificate Revocation List (CRL).
keyring <key_ring_id> algorithm rsa length <key_length> showable [yes | no]
    Create a keyring. Keyrings are containers for SSL certificates and their associated public and private keys on the appliance, and can be used to manage self-signed or CA-signed certificates. For RSA keys, key length values are 2048, 3072, 4096. Default = 2048.
signing-request <keyring_id>
    Create a request for a signed certificate associated with the specified keyring. You will be prompted to define values for each of the certificate fields (country, state, etc).
ssl-context <context_id> ccl <CCL_name> cipher-suites <cipher_list> keyring <keyring_name> protocols <protocols_list>
    Create SSL context configuration.

Examples

(config)# ssl create keyring sslkey algorithm rsa length 3072 showable no
(config-ssl)# create signing-request sslkey
Value for '' (<Country Code>): US
Value for '' (<State or Province Name (full name)>): CA
Value for '' (<Locality Name (eg city)>): Mountain View
Value for '' (<Organization Name (eg company)>): Symantec
Value for '' (<Organizational Unit Name (eg section)>): Marketing
Value for '' (<Common Name (eg server FQDN or YOUR name)>): symantec.com
Value for '' (<Email address>): jsmith@test.com

ssl delete
Delete SSL certificates, lists, keyrings, and signing-requests.

Syntax
(config)# ssl delete ?

ca-certificate <certificate_name>
    Delete a CA certificate.
ccl <CCL_name>
    Delete a CA Certificate List (CCL).
certificate <keyring_id>
    Delete the certificate that's in the specified keyring.
crl <CRL_name>
    Delete a Certificate Revocation List (CRL).
keyring <keyring_id>
    Delete the specified keyring.
signing-request <keyring_id>
    Delete the certificate request for the specified keyring.
ssl-context <context_id>
    Delete the specified SSL context.


Examples
(config)# ssl
(config-ssl)# delete signing-request sslkey

ssl edit
Edit CA certificate lists (CCLs), Certificate Revocation Lists (CRLs), or SSL contexts.

Syntax
(config)# ssl edit ccl <ccl_name> [<action>]

add
    Add a certificate by name to the selected CA certificate list.
remove
    Remove a certificate from the selected CA certificate list.
reset
    Empty the selected CA certificate list.
set
    Set the certificates in the selected CA certificate list.
view
    View the certificates in the selected CA certificate list.

Syntax
(config)# ssl edit crl <crl_name> [<action>]

add
    Add a certificate by name to the selected CRL.
remove
    Remove a certificate from the selected CRL.
reset
    Empty the certificate list for this CRL.
set
    Set the CRL.
view
    View the certificates in the selected CRL.

Syntax
(config)# ssl edit ssl-context <context_id> [<action>]

ccl
    Set the CCL for the SSL context.
cipher-suites
    Configure the cipher suites for the SSL context.
keyring
    Set the keyring for the SSL context.
protocols
    Set the SSL context protocols.
view
    View the SSL context configuration.

Examples
(config-ssl)# edit ccl browser-trusted
(config-ccl-browser-trusted)# add esignit.org
ok
(config-ccl-browser-trusted)# view
Name: browser-trusted
FIPS compliant: no
Certificates:
1st_Data_Digital
A-Trust-Qual-02
A-Trust-Root-05
A-Trust-nQual-03
AC1_Raiz_Mtin
ACA_ROOT
ACCV_ACCVRAIZ1
ACEDICOM_Root
..

ssl inline
Import SSL keyrings, signing requests, and certificates.

Syntax
(config)# ssl inline ?

ca-certificate <certificate_name> content
    Import a Certificate Authority (CA) certificate from terminal input by pasting the certificate content.
certificate <keyring_id>
    Import a certificate into the specified keyring by pasting the certificate content.
crl <crl_name>
    Import a Certificate Revocation List (CRL) from terminal input by pasting the CRL content.
keyring <keyring_id>
    Install a keyring. Keyrings are containers for SSL certificates on the appliance, and can be used to manage self-signed or CA-signed certificates. You will be prompted to paste the keyring content.
signing-request <keyring_id>
    Install a request for a signed certificate associated with the specified keyring. You will be prompted to paste the signing request content.

Examples
Add a certificate from a Certificate Authority; the certificate name in this example is ca1 .
(config)# ssl
(config-ssl)# inline ca-certificate ca1 content
Enter the certificate below and end it with a Ctrl-D
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
<Ctrl-D>
CA certificate ca1 is added successfully.

To view the certificate details for the ca1 certificate:


(config-ssl)# view ca-certificate ca1
Issuer: /C=US/ST=California/L=Sunnyvale/O=Blue Coat/OU=Development/CN=ca.bluecoat/
emailAddress=eric.chi@bluecoat.com
Subject: /C=US/ST=California/L=Sunnyvale/O=Blue Coat/OU=Development/CN=ca.bluecoat/
emailAddress=eric.chi@bluecoat.com
Valid From: Jan 13 01:32:40 2015 GMT
Valid Until: Jan 10 01:32:40 2025 GMT
Fingerprint: DB:AF:B1:82:EF:0C:9F:AD:84:F7:D8:35:0A:AA:0B:5D:93:DA:77:A5

ssl view
View certificate and keyring details and signing request confirmations.

Syntax
(config)# ssl view ?

ca-certificate <certificate_name> [verbose]
    Show CA certificate and content.
ccl <ca_certificate_list_name>
    View the details for a specific CA Certificate List.
certificate <keyring_id>
    Show the certificate that's in the specified keyring.
crl <CRL_name>
    Show CRL content.
keypair <keyring_id>
    Show the RSA private key for the specified keyring. If the keyring was created with the "showable no" option, the key will not be displayed.
keyring <keyring_id>
    Show details about the specified keyring, including its certificate and any signing requests.
signing-request <keyring_id>
    View the certificate request for the specified keyring.
ssl-context <context_id>
    View SSL context configuration.

Examples
To view the certificate details for the ca1 certificate:
(config-ssl)# view ca-certificate ca1
Issuer: /C=US/ST=California/L=Sunnyvale/O=Blue Coat/OU=Development/CN=ca.bluecoat/
emailAddress=eric.chi@bluecoat.com
Subject: /C=US/ST=California/L=Sunnyvale/O=Blue Coat/OU=Development/CN=ca.bluecoat/
emailAddress=eric.chi@bluecoat.com
Valid From: Jan 13 01:32:40 2015 GMT
Valid Until: Jan 10 01:32:40 2025 GMT
Fingerprint: DB:AF:B1:82:EF:0C:9F:AD:84:F7:D8:35:0A:AA:0B:5D:93:DA:77:A5

To show information about a keyring, in this case called sslkey :


(config-ssl)# view keyring sslkey
Keyring ID: sslkey
Private key showability: no-show
Signing request: absent
Certificate: present
Certificate subject: /C=us/ST=ca/L=pa/O=symantec/OU=marketing/CN=symantec.com/emailAddress=test@test.com
Certificate issuer: /C=us/ST=ca/L=pa/O=symantec/OU=marketing/CN=symantec.com/emailAddress=test@test.com
Certificate valid from: Jul 21 05:17:51 2017 GMT
Certificate valid to: Jul 21 05:17:51 2017 GMT
Certificate thumbprint: D7:3A:40:69:1A:D1:C2:77:95:B0:0F:DB:97:55:DE:02:BB:A9:54:00

To view the CA certificates contained in the CA certificate list, bluecoat-licensing :


(config-ssl)# view ccl bluecoat-licensing
Name: bluecoat-licensing
FIPS compliant: no
Certificates:BC_Engineering_CA

To view the default SSL context:


(config-ssl)# view ssl-context default
Name: default
Keyring: default
CCL: browser-trusted
Protocols: tlsv1.2 tlsv1.1 tlsv1
Cipher suites: ecdhe-rsa-aes256-sha dhe-rsa-aes256-sha aes256-sha256 aes256-sha ecdhe-rsa-aes128-gcm-sha256
ecdhe-rsa-aes128-sha256 ecdhe-rsa-aes128-sha dhe-rsa-aes128-sha aes128-sha256 aes128-sha
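
As an added example (not part of the ISG documentation or product), the following script parses the text that view ssl-context and view ca-certificate print, as shown in the examples above, and reports settings an administrator would want to revisit with ssl edit ssl-context: protocols below TLS 1.2, cipher suites without an ECDHE/DHE key exchange, SHA-1 MAC suites, and how long the CA certificate remains valid. The sample output is a constructed copy of the page's examples, and which settings count as weak is this example's own assumption, not ISG policy.

```python
# Added example (not ISG code): audit the text that `view ssl-context` and
# `view ca-certificate` print. The samples are constructed copies of the page's
# examples; which settings count as weak is this example's own assumption.
import re
from datetime import datetime, timezone

SSL_CONTEXT_OUTPUT = """\
Name: default
Keyring: default
CCL: browser-trusted
Protocols: tlsv1.2 tlsv1.1 tlsv1
Cipher suites: ecdhe-rsa-aes256-sha dhe-rsa-aes256-sha aes256-sha256 aes256-sha ecdhe-rsa-aes128-gcm-sha256
ecdhe-rsa-aes128-sha256 ecdhe-rsa-aes128-sha dhe-rsa-aes128-sha aes128-sha256 aes128-sha
"""

CA_CERT_OUTPUT = """\
Issuer: /C=US/ST=California/L=Sunnyvale/O=Blue Coat/OU=Development/CN=ca.bluecoat
Subject: /C=US/ST=California/L=Sunnyvale/O=Blue Coat/OU=Development/CN=ca.bluecoat
Valid From: Jan 13 01:32:40 2015 GMT
Valid Until: Jan 10 01:32:40 2025 GMT
Fingerprint: DB:AF:B1:82:EF:0C:9F:AD:84:F7:D8:35:0A:AA:0B:5D:93:DA:77:A5
"""

FIELD_RE = re.compile(r"^([A-Za-z ]+):\s*(.*)$")
WEAK_PROTOCOLS = {"sslv3", "tlsv1", "tlsv1.1"}  # assumption: TLS 1.2 is the floor


def parse_fields(text):
    """'Field: value' lines into a dict; a line without a field name (the CLI
    wraps long cipher lists) is appended to the previous field's value."""
    fields, last = {}, None
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            last = m.group(1)
            fields[last] = m.group(2).strip()
        elif last is not None and line.strip():
            fields[last] += " " + line.strip()
    return fields


def audit_ssl_context(text):
    """List the weak protocols and cipher suites an SSL context enables."""
    f = parse_fields(text)
    suites = f.get("Cipher suites", "").split()
    return {
        "weak_protocols": [p for p in f.get("Protocols", "").split() if p in WEAK_PROTOCOLS],
        # no ecdhe-/dhe- prefix means a static RSA key exchange: no forward secrecy
        "no_forward_secrecy": [s for s in suites if not s.startswith(("ecdhe-", "dhe-"))],
        # a bare "-sha" suffix (rather than -sha256) is an HMAC-SHA1 suite
        "sha1_mac": [s for s in suites if s.endswith("-sha")],
    }


def certificate_days_left(text, now):
    """Days until 'Valid Until' for a `view ca-certificate` listing; negative once expired."""
    until = datetime.strptime(parse_fields(text)["Valid Until"], "%b %d %H:%M:%S %Y GMT")
    return (until.replace(tzinfo=timezone.utc) - now).days


if __name__ == "__main__":
    print(audit_ssl_context(SSL_CONTEXT_OUTPUT))
    print(certificate_days_left(CA_CERT_OUTPUT, datetime.now(timezone.utc)))
```

Run against the page's default context, it flags tlsv1.1 and tlsv1 plus the four static-RSA and six SHA-1 suites, which is the list to trim when creating a hardened ssl-context with ssl create ssl-context.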

timezone
Set the time zone where the appliance is located or choose the Coordinated Universal Time (UTC) time standard.

Syntax
(config)# timezone [<area>/<location> | UTC | GMT]

show timezone current
    Display the currently configured timezone.
show timezone
    Display the available timezone areas.
show timezone <area>
    Display the full list of timezones in a specific area.
show timezone <value>
    Display the current time to see the local time in a specific timezone.

Examples
To select UTC as the time standard (instead of setting a time zone):
(config)# timezone UTC

To set an Antarctica time zone:


(config)# show timezone
Africa
America
Antarctica
Arctic
Asia
Atlantic
Australia
Europe
Indian
Pacific
UTC
GMT
all
current
(config)# show timezone Antarctica
Antarctica/McMurdo
Antarctica/Rothera
Antarctica/Palmer
Antarctica/Mawson
Antarctica/Davis
Antarctica/Casey
Antarctica/Vostok
Antarctica/DumontDUrville
Antarctica/Syowa
Antarctica/Troll
Antarctica/Macquarie
(config)# timezone set Antarctica/Davis

upload
Upload the third-party attributions zip file to an FTP site.

Syntax
(config)# upload ATTRIBUTIONS <full_url/filename> <username> <password>

Notes
ATTRIBUTIONS must be in uppercase.

Examples
(config)# upload ATTRIBUTIONS ftp://exampleftp.com/attributions.zip mary ******

ISG CLI Error Message Reference


This topic contains information on what ISG command line interface (CLI) error messages mean and how to resolve them.

Table 4: ISG CLI Error Messages

Error message: Error: operation failed: Active console session exists already for this domain
Meaning: This error occurs when another session is already attached to the serial console of the application you are trying to attach to.
Solution: Recover the serial console with the force parameter. See applications attach-console.

Error message: Error: Hardware platform has insufficient memory or CPUs to create application
Meaning: This error occurs when attempting to create an application where the size of the application model exceeds the memory capabilities of the SSP appliance. For example, running a C24L model on an SSP-S410-10 appliance would result in this error message because a C24L requires 256 GB of RAM and an SSP-S410-10 appliance only has 48 GB of RAM.
Solution: Review the requirements for your model type and appliance and create an application with a model that adheres to the requirements for your appliance.

Error message: Error: failed to get domain 'sgos'
    or: Error: Domain not found: no domain with matching name 'sgos'
Meaning: This error occurs when attempting to use the attach-console command immediately after starting an application. The ISG has not had enough time to start up the application yet.
Solution: Wait a couple of seconds for the ISG to start the application and try the attach-console command again.

Error message: Error: Invalid command, current application status does not allow attach-console
Meaning: This error occurs when attempting to use the attach-console command while the application you are attempting to attach to is in neither the Healthy nor the Unhealthy state. For example, if you recently created the application, its status might be Created.
Solution: Use the following command to view the application status:
    localhost(config-applications)# view

Error message: Error: Invalid license id: 1234567890
Meaning: This error occurs when you enter an invalid license ID during application creation.
Solution: Review the license ID you received in your welcome letter and ensure it is entered correctly.

Error message: Error: Insufficient disk space for application
Meaning: This error occurs when you attempt to create other applications and do not have enough disk space to support them.
Solution: Delete any unnecessary existing applications or consider upgrading your application model and/or SSP appliance to allow for more applications.

Error message: Error: Use edit to modify an existing application
Meaning: This error occurs when you attempt to use the create command to change values for an existing application.
Solution: Use the following command to change the values of existing applications:
    localhost(config-applications)# edit application_name model model_type

Error message: Error: Invalid serial number associated with this SG-VA instance. Metadata Provider failed to provide a valid serial number.
Meaning: This error occurs when you attempt to license a ProxySG application and the ISG either is unable to provide the serial number or the number is invalid.
Solution: You cannot manually change the serial number; you must delete the application and create a new one.

Error message: License management cannot be performed using this CLI.
Meaning: This error occurs when you attempt to manage the ProxySG application license from the ProxySG CLI.
Solution: Make changes to the ProxySG application license from the ISG CLI and restart the ISG for the changes to take effect.


Documentation Legal Notice


This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred
to as the “Documentation”) is for your informational purposes only and is subject to change or withdrawal by Broadcom
at any time. This Documentation is proprietary information of Broadcom and may not be copied, transferred, reproduced,
disclosed, modified or duplicated, in whole or in part, without the prior written consent of Broadcom.
If you are a licensed user of the software product(s) addressed in the Documentation, you may print or otherwise make
available a reasonable number of copies of the Documentation for internal use by you and your employees in connection
with that software, provided that all Broadcom copyright notices and legends are affixed to each reproduced copy.
The right to print or otherwise make available copies of the Documentation is limited to the period during which the
applicable license for such software remains in full force and effect. Should the license terminate for any reason, it is your
responsibility to certify in writing to Broadcom that all copies and partial copies of the Documentation have been returned
to Broadcom or destroyed.
TO THE EXTENT PERMITTED BY APPLICABLE LAW, BROADCOM PROVIDES THIS DOCUMENTATION “AS
IS” WITHOUT WARRANTY OF ANY KIND, INCLUDING WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NONINFRINGEMENT. IN NO EVENT WILL
BROADCOM BE LIABLE TO YOU OR ANY THIRD PARTY FOR ANY LOSS OR DAMAGE, DIRECT OR INDIRECT,
FROM THE USE OF THIS DOCUMENTATION, INCLUDING WITHOUT LIMITATION, LOST PROFITS, LOST
INVESTMENT, BUSINESS INTERRUPTION, GOODWILL, OR LOST DATA, EVEN IF BROADCOM IS EXPRESSLY
ADVISED IN ADVANCE OF THE POSSIBILITY OF SUCH LOSS OR DAMAGE.
The use of any software product referenced in the Documentation is governed by the applicable license agreement and
such license agreement is not modified in any way by the terms of this notice.
The manufacturer of this Documentation is Broadcom Inc.
Provided with “Restricted Rights.” Use, duplication or disclosure by the United States Government is subject to the
restrictions set forth in FAR Sections 12.212, 52.227-14, and 52.227-19(c)(1) - (2) and DFARS Section 252.227-7014(b)
(3), as applicable, or their successors.
Copyright © 2005-2022 Broadcom. All Rights Reserved. The term “Broadcom” refers to Broadcom Inc. and/or its
subsidiaries. All trademarks, trade names, service marks, and logos referenced herein belong to their respective
companies.
