
HP TippingPoint Next Generation Firewall Series CLI Reference Guide


Contents

1. Security Management System CLI Reference

    route6
    Collection of attribs used to add, delete and display IPv6 static routes for the management interface.
    Usage: route6 add <destination> <next hop>
           route6 del <destination> <next hop>
    Related Objects: route, net
    Related Commands: ifconfig, ipconfig

    Table 3-17 route6 Attributes
    route6 add   (IPaddrs, write only)  Adds a static route to the IPv6 routing table.
                                        Usage: route6 add <destination> <next hop>
    route6 del   (IPaddrs, write only)  Deletes a static route from the IPv6 routing table.
                                        Usage: route6 del <destination> <next hop>
    route6 info  (read only)            Lists all routes in the IPv6 routing table.

    smtp
    Collection of SMTP (Simple Mail Transfer Protocol) related attribs. The attribs are used to configure the smtp service.

    Table 3-18 smtp Attributes
    smtp send mail    (write only)  Sends a mail message from the SMS. The other SMTP configuration settings must already be in place for the message to be delivered.
    smtp notify list  (read write)  List of e-mail addresses used to deliver notification messages when a notifiable event occurs. The list is one or more e-mail addresses separated by commas or semicolons.

    snmp
    Collection of SNMP (Simple Network Management Protocol) related attribs.
2. ha configured    (read only)   Returns the status of the HA configuration.
    ha ports enabled  (read write)  Returns the status of the HA ports. By default the HA ports are open. To disable them, use: set ha ports enable no
                                    NOTE: If any of your SMS devices are currently configured for HA, the HA ports on those systems cannot be disabled. If the HA ports are disabled, that SMS cannot be used in an HA configuration.
    ha cluster info   (read only)   Returns the detailed status of the Passive and Active systems in the SMS HA cluster.

    health
    Collection of system health related attribs. The attribs are used to retrieve system health information, including utilization values and system uptime statistics.

    Table 3-7 health Attributes
    health cpu util   (read only)  CPU (processor) utilization: 0 represents a near-idle system and 100 a fully utilized one.
    health db valid   (read only)  Status of the database. If true, the database is considered valid and fully operational; if false, the system should be restarted and other corrective steps taken.
    health diskIo     (read only)  Disk I/O statistics: blocks read, blocks written.
    health disk util  (read only)  Disk system utilization. As disk utilization approaches 100, database management operations shou
3. Probes start with a ttl of one and increase by one until we get an ICMP "port unreachable" (which means we got to the host) or hit a maximum (which defaults to 30 hops and can be changed with the -m flag). Three probes (changed with the -q flag) are sent at each ttl setting, and a line is printed showing the ttl, the address of the gateway and the round-trip time of each probe. If the probe answers come from different gateways, the address of each responding system is printed. If there is no response within a five-second timeout interval (changed with the -w flag), an asterisk is printed for that probe.

    IPv4 (-4 flag) or IPv6 (-6 flag) tracerouting can be forced using the appropriate flag. By default the program tries to resolve the name given and automatically chooses the appropriate protocol. If resolving a host name returns both IPv4 and IPv6 addresses, traceroute uses IPv4.

    Usage: traceroute [-dFInrvx] [-f first_ttl] [-g gateway] [-i iface] [-m max_ttl] [-p port] [-q queries] [-s src_addr] [-t tos] [-w waittime] [-z pausemsecs] host

    Table 2-5 traceroute Options
    -4            Force IPv4 tracerouting.
    -6            Force IPv6 tracerouting.
    -f first_ttl  Set the initial time-to-live used in the first outgoing probe packet.
    -F            Set the "don't fragment" bit.
    -d            Enable socket-level debugging.
    -g gateway    Specify a loose source route gateway (8 maximum).
    -i iface      Specify a network interface to obtain the source IP address for outgoing probe packets. This is normally only usef
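The output format just described (one line per ttl with the responding gateway and a round-trip time per probe, an asterisk for a probe that timed out, and a second gateway printed inline when a later probe is answered by a different system) is easy to mis-read in bulk. The following Python is an added example, not part of this guide or of the SMS product: it parses that format into hops and flags the two things a security engineer looks for first, ttls that never answer (a filtering device or ICMP rate limiting) and ttls answered by more than one gateway (a load-balanced path). The sample output is constructed and uses documentation address ranges.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Added example: parser for the traceroute output format described in the
# guide. Not SMS code. SAMPLE_OUTPUT below is constructed for illustration.

Probe = Tuple[Optional[str], Optional[float]]   # (gateway address, rtt in ms); (None, None) = timed out


@dataclass
class Hop:
    ttl: int
    probes: List[Probe]

    def gateways(self) -> List[str]:
        """Distinct responding gateways, in order of first appearance."""
        seen: List[str] = []
        for addr, _ in self.probes:
            if addr is not None and addr not in seen:
                seen.append(addr)
        return seen


# One token per match: a timeout marker, a "name (address)" pair, or "<rtt> ms".
_TOKEN = re.compile(
    r"\*"
    r"|(?P<name>\S+)\s+\((?P<addr>[^)]+)\)"
    r"|(?P<rtt>\d+(?:\.\d+)?)\s+ms"
)
_HOP_LINE = re.compile(r"\s*(\d+)\s+(.*)")


def parse_traceroute(text: str) -> List[Hop]:
    hops: List[Hop] = []
    for line in text.splitlines():
        m = _HOP_LINE.fullmatch(line)
        if not m:                      # the "traceroute to host ..." banner, blank lines
            continue
        ttl, rest = int(m.group(1)), m.group(2)
        probes: List[Probe] = []
        current: Optional[str] = None  # gateway that the following RTTs belong to
        for tok in _TOKEN.finditer(rest):
            if tok.group(0) == "*":
                probes.append((None, None))
            elif tok.group("addr"):
                current = tok.group("addr")   # a different responder on this ttl
            else:
                probes.append((current, float(tok.group("rtt"))))
        hops.append(Hop(ttl, probes))
    return hops


def silent_hops(hops: List[Hop]) -> List[int]:
    """ttls at which every probe timed out (a filtering device, or ICMP rate limiting)."""
    return [h.ttl for h in hops if h.probes and all(a is None for a, _ in h.probes)]


def multipath_hops(hops: List[Hop]) -> List[int]:
    """ttls answered by more than one gateway, i.e. a load-balanced path."""
    return [h.ttl for h in hops if len(h.gateways()) > 1]


def reached(hops: List[Hop], target: str) -> bool:
    """True if the last hop that answered at all is the target address."""
    for h in reversed(hops):
        gws = h.gateways()
        if gws:
            return target in gws
    return False


SAMPLE_OUTPUT = """traceroute to example.net (203.0.113.10), 30 hops max, 60 byte packets
 1  gw.lab (192.0.2.1)  0.423 ms  0.371 ms  0.350 ms
 2  * * *
 3  198.51.100.1 (198.51.100.1)  1.201 ms 198.51.100.2 (198.51.100.2)  1.455 ms  1.398 ms
 4  203.0.113.10 (203.0.113.10)  2.010 ms  1.990 ms  2.101 ms
"""

if __name__ == "__main__":
    hops = parse_traceroute(SAMPLE_OUTPUT)
    for h in hops:
        print(h.ttl, h.probes)
    print("silent:", silent_hops(hops), "multipath:", multipath_hops(hops),
          "reached target:", reached(hops, "203.0.113.10"))
```

A hop that is silent but followed by hops that answer is normal (the device simply does not send ICMP time-exceeded); a run of silent hops up to the maximum, with reached() false, is the case that needs a second look.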
4. The set command can use any read write or write only attribute. See SMS Attributes and Objects for more information.
    Usage: set <attrib | object attrib> <value>
    Related Commands: list, get

    setup
    Initial setup wizard for providing the essential configuration settings for the SMS server. Non-essential values can be configured with other commands. The setup command is automatically invoked with the first CLI login session. It is repeated with each new login session until the entire setup procedure has been completed. To repeat the procedure, execute the setup command at any time.
    The setup procedure prompts you to enter the following information:
    - Network type: IPv4 (default), IPv6, or Both <4|6|B>
    - Management IPv4 Address
    - Network Mask
    - IPv4 Default Gateway (optional)
    - Management IPv6 Address
    - IPv6 Default Route (optional)
    - DNS Server (optional)
    Usage: setup

    shutdown
    Shuts down and powers off the system. To restart the system, physically press the POWER button on the front of the unit. The force option shuts the system down without prompting for confirmation. The cancel option aborts an in-progress shutdown operation.
    Usage: shutdown [force | cancel]

    snmp
    The snmp command is used to manage the SNMP (Simple Network Management Protocol) values.
    Usage: snmp

    snmp request
    The snmp request command is used to manage the SNMP (Simple Network Management Protocol) reque
6. Command Types
    SMS commands are either read, write, or read and write. In addition, commands are either interactive, non-interactive, or may support both modes.
    - Interactive commands automatically prompt you for attribute values if you use the appropriate syntax. Interactive commands also show you the current values of their attributes.
    - Non-interactive commands are either read only or require you to specify the values you want to set. For example, the get command is non-interactive because it is read only. As another example, the date command is non-interactive: if you want to set the date, you must type date <value>.

    Interactive Mode Syntax
    You can use any of the following syntax options to initiate an interactive CLI command:
    - command: If you type only the command name, the CLI prompts you to set values for all attribs associated with that command.
    - command object: If you specify the object of a particular command, the CLI prompts you to set values for all attribs associated with that object.
    - command object attrib: If you specify an object and an attribute of a particular command, the CLI prompts you to set the value of the attribute you specified.

    Example
    Following is an example of the set command in interactive mode. Items in bold are typed by the user. Items in brackets indicate the current value of the attribute specified.
    Set All System Information Using
7. Related Objects: smtp, snmp
    Related Commands: snmp

    ntp
    The ntp command is used to manage the NTP (Network Time Protocol) client that synchronizes the SMS server time with a list of specified servers. NTP is enabled by default and is configured with a list of Stratum 1 servers available on the Internet. The list of servers can be customized to installation requirements. The SMS server can also act as an NTP server for your devices. The agent can be disabled, but the server cannot. To clear server values, use a period.
    Usage: ntp
    Related Objects: svc
    Related Commands: snmp

    password
    Changes the password for the current user.
    The security level sets the restrictions for entering user names and passwords. The default setting is 2, from the following options:

    Table 2-2 Security Levels
    Level 0  User names cannot contain spaces. Passwords are unrestricted.
    Level 1  User names must be at least 6 characters long, without spaces. Passwords must be at least 8 characters long.
    Level 2  Passwords must meet the Level 1 restrictions and the following:
             - Must contain at least two alphabetic characters
             - Must contain at least one numeric character
             - Must contain at least one non-alphanumeric character (examples include ...)
    NOTE: Do not use spaces in the password.
    Usage: password

    ping
    Checks network connectivity by sending an ICMP request to the specified destination and then che
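As an added example (not SMS code), the following Python encodes the Level 0/1/2 rules from Table 2-2 so that an operator can pre-check a user name and password before creating the account. Two points the table leaves open are taken as assumptions: the note about spaces is applied at levels 1 and 2 only, since Level 0 passwords are unrestricted, and any character that is neither a letter nor a digit counts as non-alphanumeric (the table's own examples were lost in extraction).

```python
from typing import List

# Added example: checker for the SMS security levels in Table 2-2. Not SMS
# code; it only encodes the rules the table states.
# Assumptions: the "no spaces" note applies at levels 1 and 2 (level 0
# passwords are unrestricted), and any character that is not a letter or
# digit counts as non-alphanumeric.

DEFAULT_LEVEL = 2   # the guide's default setting


def _check_level(level: int) -> None:
    if level not in (0, 1, 2):
        raise ValueError(f"security level must be 0, 1 or 2, not {level}")


def check_username(name: str, level: int = DEFAULT_LEVEL) -> List[str]:
    """Return the list of rule violations (empty means the name is acceptable)."""
    _check_level(level)
    problems: List[str] = []
    if not name:
        problems.append("user name is empty")
    if " " in name:
        problems.append("user name must not contain spaces")        # every level
    if level >= 1 and len(name) < 6:
        problems.append("user name must be at least 6 characters")  # levels 1 and 2
    return problems


def check_password(password: str, level: int = DEFAULT_LEVEL) -> List[str]:
    """Return the list of rule violations for the given level."""
    _check_level(level)
    problems: List[str] = []
    if level == 0:
        return problems            # "Passwords are unrestricted"
    if " " in password:
        problems.append("password must not contain spaces")
    if len(password) < 8:
        problems.append("password must be at least 8 characters")
    if level >= 2:
        alpha = sum(1 for c in password if c.isalpha())
        digits = sum(1 for c in password if c.isdigit())
        special = sum(1 for c in password if not c.isalnum() and not c.isspace())
        if alpha < 2:
            problems.append("password must contain at least two alphabetic characters")
        if digits < 1:
            problems.append("password must contain at least one numeric character")
        if special < 1:
            problems.append("password must contain at least one non-alphanumeric character")
    return problems


def acceptable(name: str, password: str, level: int = DEFAULT_LEVEL) -> bool:
    """True when both the user name and the password pass for this level."""
    return not check_username(name, level) and not check_password(password, level)


if __name__ == "__main__":
    for user, pw in (("johnsmith", "Tr0ub4dor&3"), ("jo", "password")):
        print(user, check_username(user), check_password(pw))
```

The Level 2 rules are a composition policy: a password that satisfies every rule can still be short and predictable, so treat the checker as a floor, not as an assurance of strength.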
8. swapInfo    (read only)          Swap memory statistics: total, used, free.
    swapIo      (read only)          Swap I/O statistics: blocks read, blocks written.
    sys valid   (String, read only)  Status of the SMS server application. If true, the system is considered valid and fully operational; if false, the system should be restarted and other corrective steps taken.
    temperature (String, read only)  Temperature of the SMS in degrees Celsius. This information corresponds to the SMS Health Statistics table in the UI. NOTE: The number is displayed with no indication that it is Celsius.
    tmc valid   (read only)          Status of the communication paths to the TMC and to each of the configured devices. The message indicates the nature of the problem. Usually the problem can be addressed by confirming that the network settings permit the SMS to communicate with https://tmc.tippingpoint.com, available through the Internet. See also diags. If the SMS cannot establish a TMC connection, see the error messages in the SMS User Guide.

    Table 3-7 health Attributes (continued)
    health uptime  (read only)  Amount of time since the last system boot.
    health who     (read only)  List of currently logged-in users. Pipe characters are used in place of carriage-return charac
9. (continued) AES-192, AES-256, DES, Triple_DES. DES is a 56-bit cipher; prefer one of the AES options.
    Examples: set snmp trap priv proto 1.1.1.1 AES-128
              set snmp trap priv proto 1.1.1.1,v3 AES-128
    (read write)

    Table 3-20 snmp trap Attributes (continued)
    snmp trap user     (read write)  Specifies the user name for an SNMP trap destination. The IP address must be specified. The SNMP version is optional and can be specified when separated by a comma.
                                     Examples: set snmp trap user 1.1.1.1 testuser
                                               set snmp trap user 1.1.1.1,v3 testuser
    snmp trap version  (write only)  Changes the version for an SNMP trap destination. The IP address must be specified. The SNMP version is optional and can be specified when separated by a comma. Valid version values are v2 or v3.
                                     Examples: set snmp trap version 1.1.1.1 v3
                                               set snmp trap version 1.1.1.1,v2 v3

    svc
    Collection of attribs used to enable the various services that execute within the system. While the system implements an internal firewall to protect against attacks, further security can be implemented by disabling unneeded services.
    Related Commands: ntp, snmp, pwd

    Table 3-21 svc Attributes
    svc fips enable  (read write)  Enables or disables SMS FIPS mode. In this mode only FIPS 140-2 approved cryptographic algorithms are used when allowing SSH connections. NOTE: FIPS mode cannot be
10. About This Guide
    The Security Management System CLI Reference provides information about using the SMS command line interface to configure the HP TippingPoint Security Management System (SMS). This guide includes an SMS command reference as well as reference information about the attributes and objects used by the SMS.
    This section covers the following topics:
    - Target Audience
    - Related Documentation
    - Document Conventions
    - Customer Support

    Target Audience
    The intended aud
11. The attribs are used to configure the SNMP trap service and the SMS SNMP request agent. For SNMP requests, see snmp request Attributes (Table 3-19). For SNMP traps, see snmp trap Attributes (Table 3-20).
    Related Objects: svc
    Related Commands: snmp request, snmp trap

    Table 3-19 snmp request Attributes
    snmp request auth key    (String, write only)  Specifies the authentication key for the SNMP request agent. When enabled, the SMS responds to SNMP system requests.
                                                   Example: set snmp request auth key mykey
    snmp request auth proto  (read write)          Specifies the authentication protocol for the SNMP request agent. Valid protocol values are None, MD5 and SHA.
                                                   Example: set snmp request auth proto MD5
    snmp request community   (read write)          Specifies the community string for the SNMP request agent. For SNMPv2c the community string is the only credential and travels in clear text, so do not leave it at a well-known value such as public.
                                                   Example: set snmp request community public
    snmp request enable      (read write)          Enables or disables the SMS SNMP request agent. When enabled, the SMS responds to SNMP system requests.
                                                   Example: set snmp request enable true
    snmp request engine      (read write)          Specifies the engine ID for the SNMP request agent.
                                                   Example: set snmp request
12. address than the interface from which the probe packet is sent. If the IP address is not one of the host's interface addresses, an error is returned and nothing is sent.
    -t tos        Set the type of service in probe packets to the given value (default zero). The value must be a decimal integer in the range 0 to 255. This option can be used to see if different types of service result in different paths. (If you are not running 4.4BSD this may be academic, since the normal network services like telnet and ftp don't let you control the TOS.) Not all values of TOS are legal or meaningful; see the IP specification for definitions. Useful values are probably -t 16 (low delay) and -t 8 (high throughput).
    -v            Verbose output. Received ICMP packets other than TIME_EXCEEDED and UNREACHABLE are listed.
    -w waittime   Set the time (in seconds) to wait for a response to a probe (default five seconds).
    -z pausemsecs Set the time (in milliseconds) to pause between probes.

    update
    This command leads you through upgrading the SMS server software.
    1. Acquire the latest upgrade package from the TMC website.
    2. Save it to a local HTTP or FTP server that can be accessed by the SMS server.
    3. Provide the URL of this downloaded file.
    After the package is transferred and installed, the update procedure prompts for a reboot. Plain HTTP and FTP provide neither confidentiality nor integrity in transit, so host the package on a server you control and expose it only to the SMS.
    Usage: update
    Aliases: ctl upgrade source

    user
    Lists and manages the SMS user accounts. You can create new users and assign or change passwords, roles, di
13. boot. To clear this value, use a period.
    ntp auth enable    (read write)  Enables or disables NTP authentication. It allows the NTP client to verify that the server is known and trusted and not an intruder intending to masquerade as that server. Only NTP v3 symmetric-key authentication is supported. To enable NTP authentication, set the value to yes; a key ID and key value must also be provided with the ntp auth keyId and ntp auth keyValue attribs. To disable it, set the value to no.
                                     Example: set ntp auth enable yes
    ntp auth keyId     (read write)  The ID of the key used to authenticate the NTP server when NTP authentication is enabled. The ID has to exist in /etc/ntp.keys before you set this value. To clear this value, use a period.
                                     Example: set ntp auth keyId 1
    ntp auth keyValue  (read write)  The value of the key used to authenticate the NTP server when NTP authentication is enabled. The key has to exist in /etc/ntp.keys before you set this value. To clear this value, use a period.
                                     Example: set ntp auth keyValue test

    pkg
    Collection of attribs used to control package management.
    Related Object: tmc

    Table 3-13 pkg Attributes
    pkg auto download  (read write)  Controls whether new packages available at the TMC are automatically downloaded. Email will be generated to notify the admin
14. enabled if SSH has not been enabled. Also, disabling SSH automatically disables FIPS mode.
                                   Example: set svc fips enable yes
    svc http enable   (read write)  Enables or disables the HTTP service. The HTTP service is used to download the SMS client during the installation process and to download other files. The service is configured to prevent CGI and other active server processing. Once the client is downloaded, the service can be disabled until an updated client is available. HTTP and HTTPS can be enabled separately. To enable HTTP, set the svc http enable attrib to true; to disable it, set it to false. Because plain HTTP gives the downloaded client no integrity protection, prefer HTTPS for the download and leave HTTP disabled.
                                   Example: set svc http enable true
    svc https enable  (read write)  Enables or disables the HTTPS (Secure HTTP) service. The HTTPS service is used to download the SMS client during the installation process. The service is configured to prevent CGI and other active server processing. Once the client is downloaded, the service can be disabled until an updated client is available. To enable HTTPS, set the svc https enable attrib to true; to disable it, set it to false.
    svc ping enable   (read write)  Enables or disables incoming ping support. Responding to pings can be considered a security weakness for systems. When disabled, the SMS will not respond to ICMP Echo Requests.
                                   Example: set svc ping enable true

    Table 3-21 svc Attr
16. get, help
    - Full: When placed into this mode, the SMS functions in a manner compliant with the FIPS 140-2 publication specified by the National Institute of Standards and Technology. The SMS automatically reboots when placed into full FIPS mode or when full FIPS mode is disabled.
    Usage: fips mode
    Caveats: Full FIPS mode is not available for vSMS. Transitioning the SMS to operate in Full FIPS mode changes core elements of the SMS server, reboots the SMS, and requires you to upload a new SMS key package. A transition to Full FIPS mode does the following:
    - Deletes all SMS users
    - Removes all SMS backups and device snapshots stored on the SMS server
    - Deletes all custom responder actions
    - Regenerates the SSH server and HTTPS web security keys
    For more information about FIPS mode, see the SMS User Guide.

    ftp
    The FTP (File Transfer Protocol) client is used to move files to and from the user directory of the SMS server. The contents of the user directory can be listed with the dir command. Files can be viewed with the view command and deleted with the delete command.
    Usage: ftp <hostName | hostAddress>
    After starting the ftp client, issue the command lcd tmp.
    Caveats: The dir, delete and view commands all operate on the contents of the user directory (tmp). The cd (change directory) command is disabled from the shell for reasons of security. In order for the ftp program to see and have access to the contents of the user dir
17. set the attrib to no. To clear this value, use a period.
                                            Example: set pwd service enable false   (read write)
    pwd user add    (write only)            Adds a user and specifies the user's default user group. User names must comply with the rules defined by pwd level. You must also specify a user group, in the form usergroup username. Choose the least privileged group the account's duties require.
                                            Example: set pwd user add superuser johnsmith
    pwd user age    (read write)            Sets the maximum age for a password.
    pwd user del    (write only)            Deletes a user.
    pwd user desc   (read write)            Describes the user account.
    pwd user email  (read write)            The user account email address.

    Table 3-14 pwd Attributes (continued)
    pwd user expires     (Bool, read write)    Enables password expiration.
    pwd user expiredays  (String, read only)   The number of days after which the account is checked for expiration.
    pwd user force pwd   (Bool, read write)    Forces a user to change their password at next login.
    pwd user pager       (String, read write)  The user account pager number.
    pwd user phone       (String, read write)  The user account phone number.
    pwd user pwd         (String, read only)   The user account password.
    pwd user state       (Str                  The state of the user ID.
18. sms_logs.zip   (write only)
    set logs del yes          (write only)  Deletes the zip file.
    set logs create peer yes  (write only)  Creates a compressed file containing the HA peer SMS log files. This file can be downloaded from the Exports and Archives link on the SMS server home page. Only the latest compressed file is retained. NOTE: This attribute can be used only when HA has been configured.
    get logs info             (read only)   If the zip file exists, lists its name, size, and date and time of creation.

    net
    Collection of network related attribs. The attribs are used to configure the two Ethernet 10/100/1000 interfaces for access to the local network. Unless identified as a net-only attrib, each attrib listed as net below can use the prefix net to specify the correct Ethernet 10/100/1000 interface.
    Example: To change the IP address and gateway for the SMS server, you must complete the following:
    1. Change the IP address by entering the command set net ipaddr <smsip4addr> OR set net ipaddr6 <smsip6addr>, where smsip4addr is the new IPv4 address and smsip6addr is the new IPv6 address.
    2. Change the gateway by entering the command set net gateway <ipv4gateway> OR set net gateway6 <ipv6gateway>, where ipv4gateway is the IPv4 address of the new gateway and ipv6gateway is the IPv6 address of the new IPv6 gateway.
    3. Restart the network stack by entering the command set net restart yes. The system prompts you to confirm that you wa
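Both the route6 add attribute (section 1) and the three-step address change above take addresses that the CLI applies as given; the restart in step 3 is where a typo turns into a lost management session. The following Python is an added example, not SMS code: it produces the exact command lines for the procedure and for route6 add only after checking that the gateway is on-link for the new address and that a route's next hop is a unicast IPv6 address of the same family as the destination. The prefix length is an assumption supplied by the caller, since the procedure itself does not change the mask (the setup wizard sets it); the addresses in the usage lines are constructed from documentation ranges.

```python
import ipaddress
from typing import List

# Added example: pre-flight checks for the "set net ..." procedure and for
# "route6 add". Not SMS code. The prefix length is supplied by the caller
# (assumption: it is the mask already configured on the interface).


def plan_mgmt_change(new_addr: str, gateway: str, prefixlen: int) -> List[str]:
    """Return the three SMS CLI lines, or raise ValueError if the change would strand the interface."""
    ip = ipaddress.ip_address(new_addr)
    gw = ipaddress.ip_address(gateway)
    if ip.version != gw.version:
        raise ValueError("address and gateway must be the same IP version")
    net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
    if gw not in net:
        raise ValueError(f"gateway {gw} is not on-link for {net}; the restart would strand the interface")
    if gw == ip:
        raise ValueError("gateway must differ from the interface address")
    if ip.version == 4:
        # A /31 or /32 has no separate network/broadcast address to collide with.
        if net.prefixlen < 31 and ip in (net.network_address, net.broadcast_address):
            raise ValueError(f"{ip} is the network or broadcast address of {net}")
        return [f"set net ipaddr {ip}", f"set net gateway {gw}", "set net restart yes"]
    return [f"set net ipaddr6 {ip}", f"set net gateway6 {gw}", "set net restart yes"]


def route6_add_cmd(destination: str, next_hop: str) -> str:
    """Return the 'route6 add' line, or raise ValueError for a malformed route."""
    dest = ipaddress.ip_network(destination, strict=True)   # rejects a prefix with host bits set
    nh = ipaddress.ip_address(next_hop)
    if dest.version != 6 or nh.version != 6:
        raise ValueError("route6 takes an IPv6 destination and an IPv6 next hop")
    if nh.is_multicast or nh.is_unspecified:
        raise ValueError(f"{nh} cannot be a next hop")
    return f"route6 add {dest} {nh}"


def is_safe_mgmt_change(new_addr: str, gateway: str, prefixlen: int) -> bool:
    try:
        plan_mgmt_change(new_addr, gateway, prefixlen)
        return True
    except ValueError:
        return False


def is_valid_route6(destination: str, next_hop: str) -> bool:
    try:
        route6_add_cmd(destination, next_hop)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed inputs using documentation address ranges.
    for line in plan_mgmt_change("192.0.2.20", "192.0.2.1", 24):
        print(line)
    print(route6_add_cmd("2001:db8:1::/48", "2001:db8::1"))
```

Run the planner from the workstation, paste the lines it prints into the SMS CLI in that order, and keep a console or out-of-band path available for the restart in case the new address is wrong for reasons the checks cannot see (a VLAN mismatch, for instance).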
19. (keymap names, continued) ua utf ws cz lat2 prog fr_CH latini ro_win ua ws cz us qwertz ar ru uk de gr pc ru cp1251 unicode de latin1 u ru ms us de atini nodeadkeys huio1 ru yawerty us acentos de_CH latini yi rul wangbe defkeymap 11 heb ru wangbe2 defkeymap_V1 0 11 phonetic ru3 windowkeys dk is latini rud

    license
    License information for the SMS server. The license is used to control the number of managed devices supported by the server.
    Related Command: key

    Table 3-9 license Attributes
    license ...  (read only)   Returns the number of devices that the license key permits for this server.
    license ...  (read only)   Returns the date that the current license key was installed.
    license ...  (read only)   Returns the license key description.
    license ...  (read write)  Sets or returns the current SMS server license key.
    license ...                Resets the current SMS server license key.

    logs
    Collection of log related attribs. The attribs are used to manage the log files that are used for troubleshooting. The logs zip file, sms_logs.zip, is managed in the /mgmt/client/tmp directory. This is the standard location for CLI data files and also allows access from the Exports and Archives link on the SMS web page. Creating a new logs zip file overwrites the old one.
    Related Objects: scp

    Table 3-10 logs Attributes
    set logs create yes  Creates the logs zip file
20. use the following information to contact Customer Support.

    Before You Contact Support
    For a quick and efficient resolution of your problem, take a moment to gather some basic information before you contact HP TippingPoint customer support.

    Information                    Find It Here
    Your customer number           Customer Support Agreement, or the shipping invoice that came with the appliance
    SMS serial number              Bottom of the SMS server chassis, or use the SMS CLI key command
    SMS version number             In the SMS client, on the Admin screen or in the Updates area of the SMS dashboard
    TOS version number             In the SMS client, on the Devices screen (an entry for each device)
    DV Toolkit version number      In the SMS client, on the Profiles > DV Toolkit Packages screen
    Managed device serial numbers  Local Security Manager Dashboard, or the shipping invoice that came with the appliance

    Contact Information
    For additional information or assistance, contact HP Networking Support: http://www.hp.com/networking/support
    Before contacting HP, collect the following information: product model names and numbers; technical support registration number (if applicable); product serial numbers; error messages; operating system type and revision level; detailed questions.

    Contact an HP Authorized Reseller
    For the name of the nearest HP authorized reseller, see the Contact HP worldwide website: http://www.hp.com/country/us/en/wwcontact.h
21. using the path syntax, you must replace them with the appropriate values for your paths. Items in brackets are optional.

    FTP
    You can use the following formats for the FTP protocol:
    - Complete specification: ftp://[username:password@]server[:port]/directory/filename
    - Anonymous FTP: ftp://server/directory/filename
    - Specifying a user name and password: ftp://username:password@server/directory/filename
    FTP Examples:
      ftp://10.11.12.13/pub/sms-0.0.0.500.pkg
      ftp://steve:password@10.11.12.13/pub/sms-0.0.0.500.pkg
    A user name and password embedded in the path are visible wherever the command line is echoed or logged; prefer anonymous FTP or a dedicated read-only account for package transfers.

    HTTP and HTTPS
    You can use the following format for the HTTP and HTTPS protocols:
    - Complete specification: http://[username:password@]server[:port]/directory/filename or https://[username:password@]server[:port]/directory/filename
    HTTP Example:
      http://www.servername.com:8000/files/sms-0.0.0.500.pkg

    NFS
    You can use the following formats for the NFS protocol:
    - Remote directory specification: server:/exportedDirectory
    - Remote file specification: server:/exportedDirectory/filename
    NFS Example:
      nfsserver.domain.com:/public/upgrades/sms-0.0.0.500.pkg

    SMB (Samba)
    You can use the following formats for the SMB protocol:
    - Remote file specification: //server/sharename/directory/filename
    - Complete specification: //server/sharename/directory/filename -o option_list
    Options can be provided to the SMB mount operation by appending them to the end of the mo
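The following Python is an added example, not SMS code: a parser for the four remote-path formats listed above that returns the scheme, host, credentials, port, path and SMB mount options, together with a redaction helper for the credential-carrying forms. It assumes the SMB option list follows the path after whitespace, as in the complete SMB specification shown; the paths in the usage lines are constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import unquote, urlsplit

# Added example: parser for the SMS remote-path formats (ftp/http/https URL,
# NFS "server:/export/path", SMB "//server/share/path [-o options]").
# Not SMS code. Assumption: SMB options follow the path after whitespace.


@dataclass
class RemotePath:
    scheme: str                      # ftp, http, https, nfs or smb
    host: str
    path: str
    user: Optional[str] = None
    password: Optional[str] = None
    port: Optional[int] = None
    options: Optional[str] = None    # SMB mount options, if any


_SMB = re.compile(r"//([^/\s]+)/(\S+?)(?:\s+-o\s+(\S+))?")
_NFS = re.compile(r"([^:/\s]+):(/\S*)")


def parse_remote_path(spec: str) -> RemotePath:
    spec = spec.strip()
    if spec.startswith("//"):                        # SMB: //server/share/dir/file [-o opts]
        m = _SMB.fullmatch(spec)
        if not m:
            raise ValueError(f"malformed SMB path: {spec}")
        return RemotePath("smb", m.group(1), "/" + m.group(2), options=m.group(3))
    if "://" in spec:                                 # ftp/http/https URLs
        u = urlsplit(spec)
        if u.scheme not in ("ftp", "http", "https"):
            raise ValueError(f"unsupported scheme: {u.scheme}")
        if not u.hostname or not u.path or u.path == "/":
            raise ValueError(f"URL needs a host and a file path: {spec}")
        return RemotePath(
            u.scheme, u.hostname, u.path,
            user=unquote(u.username) if u.username else None,
            password=unquote(u.password) if u.password else None,
            port=u.port,                              # .port raises ValueError on a bad port
        )
    m = _NFS.fullmatch(spec)                          # NFS: server:/exported/dir[/file]
    if m:
        return RemotePath("nfs", m.group(1), m.group(2))
    raise ValueError(f"unrecognised remote path: {spec}")


def is_valid_remote_path(spec: str) -> bool:
    try:
        parse_remote_path(spec)
        return True
    except ValueError:
        return False


# "scheme://user:password@" with the password replaced; a URL without
# credentials is left untouched (a "/" before the "@" breaks the match).
_CRED = re.compile(r"^([a-z]+://[^:/@\s]+:)[^@/\s]*@")


def redact(spec: str) -> str:
    """Mask an embedded password before the spec goes into a log, ticket or chat."""
    return _CRED.sub(r"\1***@", spec)


if __name__ == "__main__":
    # Constructed sample paths.
    for s in ("ftp://steve:password@10.11.12.13/pub/sms-0.0.0.500.pkg",
              "nfsserver.domain.com:/public/upgrades/sms-0.0.0.500.pkg",
              "//fileserver/upgrades/sms/sms-0.0.0.500.pkg -o ro,sec=ntlmv2"):
        print(redact(s), "->", parse_remote_path(s))
```

Call redact() before a remote path is written anywhere persistent; the parser itself keeps the password so that the transfer can be performed, which is the only place it belongs.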
22. set snmp trap add 1.1.1.1
              set snmp trap add 1.1.1.1,v3
    (write only)
    snmp trap auth key    (write only)  Specifies the authentication key for an SNMP trap destination. The IP address must be specified. The SNMP version is optional and can be specified when separated by a comma.
                                        Examples: set snmp trap auth key 1.1.1.1 mykey
                                                  set snmp trap auth key 1.1.1.1,v3 mykey

    Table 3-20 snmp trap Attributes (continued)
    snmp trap auth proto  (read write)  Specifies the authentication protocol for an SNMP trap destination. The IP address must be specified. The SNMP version is optional and can be specified when separated by a comma. Valid protocol values are None, MD5 and SHA.
                                        Examples: set snmp trap auth proto 1.1.1.1 MD5
                                                  set snmp trap auth proto 1.1.1.1,v3 MD5
    snmp trap community   (read write)  Specifies the community string for an SNMP trap destination. The IP address must be specified. The SNMP version is optional and can be specified when separated by a comma.
                                        Examples: set snmp trap community 1.1.1.1 public
                                                  set snmp trap community 1.1.1.1,v2 public
    snmp trap del         (write only)  Removes an SNMP trap destination. The IP address must be specified. The SNMP version is optional and can be specified when separated by a comma.
                                        Examples: set snmp trap del 1.1.1.1
                                                  set snmp trap del 1
23. set snmp trap del 1.1.1.1,v3
    snmp trap engine  (read write)  Specifies the engine ID for an SNMP trap destination. The IP address must be specified. The SNMP version is optional and can be specified when separated by a comma.
                                    Examples: set snmp trap engine 1.1.1.1 012345
                                              set snmp trap engine 1.1.1.1,v3 012345
    snmp trap info    (read only)   Lists the SNMP trap destinations.
                                    Example: get snmp trap info

    Table 3-20 snmp trap Attributes (continued)
    snmp trap port        (read write)  Specifies the port for an SNMP trap destination. The IP address must be specified. The SNMP version is optional and can be specified when separated by a comma.
                                        Examples: set snmp trap port 1.1.1.1 162
                                                  set snmp trap port 1.1.1.1,v2 162
    snmp trap priv key    (write only)  Specifies the privacy key for an SNMP trap destination. The IP address must be specified. The SNMP version is optional and can be specified when separated by a comma.
                                        Examples: set snmp trap priv key 1.1.1.1 mykey
                                                  set snmp trap priv key 1.1.1.1,v3 mykey
    snmp trap priv proto                Specifies the privacy protocol for an SNMP trap destination. The IP address must be specified. The SNMP version is optional and can be specified when separated by a comma. Valid protocol values are None, AES-128, AES-
24. HP TippingPoint Security Management System CLI Reference
    Version 4.0

    Abstract
    This information describes the HP TippingPoint Security Management System (SMS) high-level and low-level commands and contains information for using the SMS command line interface. This information is for system administrators, technicians and maintenance personnel responsible for installing, configuring and maintaining HP TippingPoint SMS appliances and associated devices.

    Part Number 5998-5015, August 2013

    Legal and notice information
    Copyright 2011-2013 Hewlett-Packard Development Company, L.P.
    Hewlett-Packard Company makes no warranty of any kind with regard to this material, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. Hewlett-Packard shall not be liable for errors contained herein or for incidental or consequential damages in connection with the furnishing, performance, or use of this material. This document contains proprietary information, which is protected by copyright. No part of this document may be photocopied, reproduced, or translated into another language without the prior written consent of Hewlett-Packard. The information is provided "as is" without warranty of any kind and is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Noth
Interactive Mode

1. Type the following command: set sys
   The system returns prompts for information. Default values are listed in brackets. To use the default value, press Enter.
2. The system prompts you to set the value for the contact attribute:
   System contact (sys.contact) [Customer Contact]: Brit
3. Type a value for the location attribute and press Enter:
   System location (sys.location): First floor lab
4. Type a value for the name attribute and press Enter:
   System name (sys.name): sms25
5. The system returns the following confirmation message:
   Result: Success
   X-SMA-ST-SMS25-0001
   System contact (sys.contact): Brit
   System location (sys.location): First floor lab
   System name (sys.name): sms25
   System serial number (sys.serialNum)

Remote Paths (FTP)

Several commands accept remote paths as input. The remote paths specify a resource on an external server that can be accessed by the SMS server. Remote files that can be specified as input to an operation may be accessed using the HTTP, HTTPS, FTP, NFS, or SMB (Samba) protocols. Remote directories that are used for saving SMS-based files to a remote server can be accessed through the NFS or SMB protocols. Files are always mounted with read-only access. Directories are mounted read-only when possible. Remote paths are specified as a single string value. The details for each protocol are listed in the following sections. In each example, items in italics are variables. When
ssh

The ssh command enables the user to log into a remote machine and execute remote commands from within the SMS CLI. The communications between the two hosts are encrypted and secure. For more information, refer to external ssh documentation such as the UNIX man pages.

Usage: ssh [-1246AaCfgKkMNnqsTtVvxXYy] [-b bind_address] [-c cipher_spec] [-D [bind_address:]port] [-e escape_char] [-F configfile] [-i identity_file] [-L [bind_address:]port:host:hostport] [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port] [-R [bind_address:]port:host:hostport] [-S ctl_path] [-w local_tun[:remote_tun]] [user@]hostname [command]

time

The time command runs the specified program command with the given arguments. When the command finishes, time writes a message to standard output giving timing statistics about this program run. These statistics consist of the elapsed real time between invocation and termination, the user CPU time, and the system CPU time. For information about the time object, see "time" on page 46.

Usage: time <command> [arguments]

touch

Creates user files, which are archived files generated from database content.

Usage: touch file
See Also: delete, dir, view, vi

traceroute

This program attempts to trace the route an IP packet would follow to a remote host by launching UDP probe packets with a small TTL (time to live), then listening for an ICMP "time exceeded" reply from a gateway.
Backup RADIUS Server

radius2.secret (read-write): Attrib used to enter the RADIUS secret set by the RADIUS server administrator. This entry is used by each RADIUS client, including the SMS server.
radius2.server (IPaddr, read-write): Attrib used to set the IP address of the RADIUS server.
radius2.port (Int, read-write): Attrib used to set the port on the RADIUS server that listens for authentication requests.
radius2.timeout (read-write): Attrib used to set the maximum timeout period in seconds.
radius2 (read-write): Attrib to set the authentication method: PAP, CHAP, MSCHAP, MSCHAP2, EAPMD5.

route

Collection of network-related attribs. The attribs are used to configure the Ethernet 10/100/1000 interface for access to the local network.

Usage: route add
       route add <destination> <mask> <gateway>
       route del <destination> <mask> <gateway>
Related Objects: route6, net
Related Commands: ifconfig, ipconfig, routes

Table 3-16 route Attributes

route.add (IPaddrs, write-only): Attribute used to add a static route to the IP routing table.
    Usage: route add <destination> <mask> <gateway>
route.del (IPaddrs, write-only): Attribute used to delete a static route from the IP routing table.
    Usage: route del <destination> <mask> <gateway>
route.info (read-only): Attribute used to list all routes in the IP routing table.
...ary network interface is configured and ready (read-only).

net.restart (write-only): Attribute used to restart the Ethernet 10/100/1000 interface with the current network settings. Set to true to restart immediately; false has no effect.
    Warning: restarting the network interface may cause connections to be lost, including SMS client sessions and remote CLI sessions. Applies only to the net object.
net.scope.link (read-only): Attribute used to return the IPv6 Scope Link address for the Ethernet 10/100/1000 interface. See "net" on page 30 and the associated net.ipaddr attribute. See also "ifconfig" on page 8 and "ipconfig" on page 8.
net.autoneg (read-write): Attribute used to view and enable/disable auto-negotiation for the Ethernet 10/100/1000 interface. Valid values are yes or no.

ntp

Collection of NTP (Network Time Protocol) settings used to synchronize the system time with a remote time server. NTP allows machines within a network to be synchronized on a common time.

Related Objects: svc, snmp

Table 3-12 ntp Attributes

ntp.server1, ntp.server2, ntp.server3 (read-write): Attribs used to specify a list of NTP time servers. The value may be a dotted IP address or a hostname. The first entry (ntp.server1) will be assigned the preferred time server role. The preferred time server is also used as a step-ticker, which adjusts the time immediately upon system
...ation and uptime information every 5 seconds by default.

Usage: monitor [delay], where delay is the number of seconds between polls.
Related Objects: health

more

Command to list output one screen at a time.

nic

Ethernet 10/100/1000Mbps interface management. Interactively prompts for configuration of the SMS server network settings. The bottom-most NIC (1) is enabled by default and is the recommended connection to the management network.

Usage: nic
Related Commands: dns, ntp

nicsettings

Interactive command that prompts you for the SMS NIC configuration settings; it is available through the CLI and OBE. If you want to make changes individually to any of the NIC settings, the SMS provides options for setting auto-negotiation, port speed, and duplex mode.

Example:

sms110(SMS)> nicsettings
The Ethernet NIC used for the network management interface is configurable. Please verify the port configuration of the network device that this SMS is connected to before making changes. These values may be changed at a later time with the set net command.
Host autoneg: yes
Host speed: 1000
System duplex: full
Enter A(ccept), C(hange), or E(xit without saving) <A|C|E>:

Related Objects: net

notify

The notify command is used to manage the SMS notification service. The command interactively prompts for SMTP e-mail addresses and SNMPv1 traps to a remote trap server.

Usage: notify
...cking on an echoed response.

Usage: ping [options] hostNameOrAddress

Table 2-3 ping Options

- Stop after sending count packets.
- Wait wait seconds between sending each packet. The default is to wait for one second between each packet.
- Numeric output only. No attempt will be made to look up symbolic names for host addresses.
- Quiet output. Nothing is displayed except the summary lines at startup time and when finished.
- Bypass the normal routing tables and send directly to a host on an attached network. If the host is not on a directly attached network, an error is returned. This option can be used to ping a local host through an interface that has no route through it.
- packetsize: Specifies the number of data bytes to be sent. The default is 56, which translates into 64 ICMP data bytes when combined with the 8 bytes of ICMP header data.
- Verbose output.

ping6

Checks network connectivity by sending an ICMP request to the specified IPv6 destination and then checking on an echoed response.

Usage: ping6 [options] hostNameOrAddress

Table 2-4 ping6 Options

- Stop after sending count packets.
- Specifies the interface, for example eth0.
- Wait wait seconds between sending each packet. The default is to wait for one second between each packet.
- Numeric output only. No attempt will be made to look up symbolic names for host addresse
...command. Additionally, a single password can be assigned to the content to limit access to reports, archived data, documentation, and client downloads. The user name used for access is "web", and the password is assigned with the web command. The HTTP protocol is not secure and transmits data and passwords in the clear. It is recommended that HTTP be disabled.

Usage: web
See Also: snmp

who

Displays a list of CLI users, and where and when the users originated.

Usage: who
See Also: health

3 SMS Attributes and Objects

This chapter describes each object and attribute used by the SMS CLI. For more detailed information about each element, see the individual commands described in "SMS Command Reference" on page 5.

NOTE: To use the SMS CLI, you must be logged in with an account that has SuperUser rights.

Attribute Types

The following table describes each type of attribute (attrib) that you can view or edit in the CLI.

Table 3-1 CLI Attribute Types

Bool: Boolean. Value can be true or false.
String: String. Can have a maximum size of
Password: String. Uses asterisks to mask out the value as it is entered.
IPaddr: IP address. Uses dotted notation.
Name: String. Can contain alphanumeric characters, with a maximum size of

cli

Collection of CLI-related attribs. The attribs are used to adjust CLI behavior, including the inactivity timeout value.
...e CLI (Command Line Interface) access to the system. If Telnet is disabled, the CLI can still be accessed by connecting a terminal or a keyboard/monitor to the chassis, or by using the SSH service. To enable Telnet, set the svc.telnet.enable attrib to true. To disable, set to false.
    Example: set svc.telnet.enable true

sw

Collection of software versioning attribs. The attribs are used to report the system software version and to list the software packages and their individual versions.

Table 3-22 sw Attributes

sw.components (read-only): Returns a list of installed software packages and their versions.
sw.version (read-only): Attribute returning the system software version.

sys

Collection of system-related attribs. The attribs retain system values, including the system name, location, and contact.

Table 3-23 sys Attributes

sys.contact (read-write): Attribute holding the system contact. Normally this field contains the name and/or address of the administrator of this system.
sys.location (read-write): Attribute holding the system location. Normally this field contains the physical location of the system.
(read-only): Attribute returning the model of the SMS. Provide this model in interactions with support staff.
(read-write): Attribute holding the system name. The system name must be set. It wi
Table 3-2 cli Attributes

cli.sessionTimeout (read-write): Attribute used to control the auto-logout time. By adjusting the value, you can control the number of minutes before the CLI will automatically log out due to inactivity. Set the value to 0 to disable the timeout function.
    Example: set cli.sessionTimeout 30

ctl

Collection of system control operations. The attribs contained in ctl can be used to reboot or shut down the system, or to access the upgrade capability. See "Remote Paths" on page 2 for more information about entering path names for attribs that require them.

Table 3-3 ctl Attributes

ctl.power.off (write-only): Setting the ctl.power.off attrib to the value of true will cause the system to shut down and power off. To restart the system, it is necessary to physically press the Power button on the front panel of the box.
ctl.reboot (write-only): Setting the ctl.reboot attrib to the value of true will cause the system to reboot. The operation will be immediate, with no warning given to other users using the client or the CLI.
ctl.reboot.needed (read-only): Returns the state of the system, indicating whether there are pending configuration settings that require a reboot to apply those changes.
ctl.pre.upgrade.cleanup (write-only): Performs any system cleanup necessary for an SMS upgrade. Updates that the upgrade can occ
...ectory, it is important to first change the local directory with the command "lcd /tmp". After this point, files can be copied both to and from the SMS server.

Related Commands: dir, view, delete, vi

get

Retrieves the value of one or more attribs, or a list of attribs contained within an object.

Usage: get <attrib|object>

The get command can use any read-write or read-only attribute. See "SMS Attributes and Objects" on page 21 for a list of attribs.

Related Commands: list, set

help

Returns background information on various topics and command syntax.

Usage: help [full | attribs | cmds | objs | background <topic>]
Alias: ?

Table 2-1 Help Options

full: Lists all commands, objects, and attribs.
attribs: Lists all attribs.
objs: Lists all objects (collections of attribs).
cmds: Lists all commands (default).
background: Lists background topics.

ifconfig

Displays the network settings for the box. ifconfig is an alias for the command "get net", which displays the values of the attribs contained in the net object. To change the values, use the set net command. See "net" on page 30.

Usage: ifconfig
Aliases: get net, ipconfig
Related Objects: net

ipconfig

Displays the network settings for the box. ipconfig is an alias for the command "get net", which displays the values of the attribs contained in the net object. To c
...engine 012345

snmp.request.priv.key (write-only): Attrib used to specify the privacy key for the SNMP request agent. When enabled, the SMS responds to the SNMP system request.
    Example: set snmp.request.priv.key mykey

Table 3-19 snmp.request Attributes (continued)

snmp.request.priv.proto (String, read-write): Attrib used to specify the privacy protocol for the SNMP request agent. When enabled, the SMS responds to the SNMP system request. Valid protocol values are: None, AES-128, AES-192, AES-256, DES, Triple_DES.
    Example: set snmp.request.priv.proto AES-128
snmp.request.user (read-write): Attrib used to specify the user name for the SNMP request agent. When enabled, the SMS responds to the SNMP system request.
    Example: set snmp.request.user myuser
snmp.request.version: Attrib used to change the version for the SNMP request agent. When enabled, the SMS responds to the SNMP system request. Valid version values are v2 or v3.
    Example: set snmp.request.version v2

Table 3-20 snmp.trap Attributes

snmp.trap.add: Attrib used to add a new SNMP trap destination. An IP address and SNMP version uniquely identify a destination. The IP address must be specified. The SNMP version is optional and can be specified when separated by a comma.
    Examples: set snmp.trap.add 1
...ery after a crash will be impossible. Handy if you want to edit a file on a very slow medium (e.g. floppy). Can also be done with ":set uc 0". Can be undone with ":set uc 200".

-R: Read-only mode. The 'readonly' option will be set. You can still edit the buffer, but will be prevented from accidentally overwriting a file. If you do want to overwrite a file, add an exclamation mark to the Ex command, as in ":w!". The -R option also implies the -n option (see above). The 'readonly' option can be reset with ":set noro". See ":help 'readonly'".

-r: Recovery mode. The swap file is used to recover a crashed editing session. The swap file is a file with the same filename as the text file with ".swp" appended. See ":help recovery".

Table 2-6 vi Options (continued)

--: Denotes the end of the options. Arguments after this will be handled as a file name. This can be used to edit a filename that starts with a dash.
--help: Give a help message and exit, just like -h.
--version: Print version information and exit.

See Also: ftp, dir, delete, view

view

Command to view the contents of the directory. Internal help is available by typing a question mark.

See Also: delete, dir, ftp, vi

web

HTTP/HTTPS (Hyper Text Transfer Protocol) management. Interactively prompts for configuration of web server settings. The HTTP and HTTPS services can be separately enabled through the web
...f files contained in the user directory.

Usage: dir
Related Commands: delete, view, vi

dns

The dns command interactively prompts for DNS (Domain Name Service) settings used to resolve host names to IP address values. To clear server values, use a period. The dns object contains the default domain name, DNS search list, and DNS server information.

Usage: dns
Related Commands: nic, ntp
Related Objects: dns

exit

Closes the session.

Usage: exit
Aliases: quit, Ctrl-D

factoryreset

This command is an interactive command that resets the system to the factory defaults. The SMS version is not changed; however, all other system settings are restored to the factory defaults and all data is lost. You MUST reboot the SMS for this command to complete. The factory reset command also resets the system network settings. You CAN NOT access the system via networking after the reboot is completed. A VGA console or serial port access is required to reconfigure networking.

Usage: factoryreset
Related Command: setup

fips-mode

Used to configure the SMS into one of three levels of FIPS operation:

- Disabled: When placed into this mode, no additional FIPS compliance actions/restrictions are activated in the SMS.
- Crypto: When the SMS is placed into Crypto mode, the SSH terminal negotiates connections using only FIPS 140-2 approved algorithms. This mode affects only the SSH terminal connections for the SMS.
...fault options. This file can be downloaded from the Exports and Archives link from the SMS Server home page.

db.check (read-write): Verifies the integrity of the database.
db.clear.export (read-write): Deletes files in the export directory.

Table 3-4 db Attributes (continued)

db.export.files (write-only): Files to be saved and transported to a remote system can be stored in the export directory. To transfer the entire contents of the export directory, this attrib must be provided with the name of a Samba (SMB) mount point. The destination mount point must be writable by the SMS server. SMB can be secured by providing an access list on the server that prevents all machines except for the SMS server from accessing it. The export directory can be cleared by setting the db.clear.export attrib.
    Example: set db.export.files //server/export/directory
db.initTime (read-only): The time that the database was (re)initialized.
db.reinit (read-write): Setting the db.reinit attrib to true will schedule the database to be cleared upon system startup, the next time the system is rebooted.

dns

The dns object contains the default domain name, DNS search list, and DNS server information.

Related Objects: nic, ntp

Table 3-5 dns Attributes

dns.domain (read-write): Default DNS domain used to resolve hostnames. If a fully qualified hos
...hange the values, use the set net command. See "net" on page 30.

Usage: ipconfig
Aliases: get net, ifconfig
Related Objects: net

kbdcfg

Loads the kernel keymap for the console. This is useful if the console is using a non-QWERTY keyboard. This command leads you through the configuration of a new keyboard layout.

WARNING: Do not use this option if you are using a standard QWERTY keyboard. Setting your keyboard layout to a value with which you are not familiar could render your system inaccessible.

See Also: kbd.layout attrib

key

The key command is used to update the license key for the server.

Usage: key
Aliases: license
Related Objects: license

list

Lists the objects or the attribs contained in an object.

Usage: list [object | object.attrib]

If no arguments are specified, list will return all defined objects. If an object is specified, list will return all attribs contained within the object. If an attribute is specified, list will confirm the attribute by listing the attribute in the response.

Related Objects: See "SMS Attributes and Objects" on page 21 for a list of objects and attribs you can use with the list command.
See Also: get, set

mgmtsettings

The host management options provide prompts to configure IPv4 and IPv6 management addresses along with the DNS server.

Usage: mgmtsettings
Related Objects: net

monitor

Shows utiliz
Table 3-21 svc Attributes

svc.ntp.enable (read-write): Attrib used to enable/disable the NTP (Network Time Protocol) client. The NTP client can be used to synchronize system time with a list of remote time servers. To enable the NTP client, set the value to true; a list of servers should be provided with the ntp.server attribs. To disable, the value should be set to false.
    Example: set svc.ntp.enable true
svc.snmp.enable (read-write): Attribute used to enable/disable the SNMP (Simple Network Management Protocol) agent. The SNMP service provides limited read-only management support to a remote SNMP manager. To enable SNMP, set the svc.snmp.enable attrib to true. To disable, set to false. The community name for get requests can be set with the snmp.get.community attrib.
    Example: set svc.snmp.enable true
svc.ssh.enable (read-write): Attribute used to enable/disable the SSH (Secure Shell) service. The SSH service is used to provide secured remote CLI (Command Line Interface) access to the system. If SSH is disabled, the CLI can still be accessed by connecting a terminal or a keyboard/monitor to the chassis. The SMS server supports SSH protocol version 2. To enable SSH, set the svc.ssh.enable attrib to true. To disable, set to false.
    Example: set svc.ssh.enable true
svc.telnet.enable (read-write): Attribute used to enable/disable the Telnet service. The Telnet service is used to provide remot
...ience includes technicians and maintenance personnel responsible for installing, configuring, and maintaining HP TippingPoint security systems and associated hardware. Users should be familiar with networking concepts as well as the following standards and protocols:

- TCP/IP
- UDP
- ICMP
- Ethernet
- Simple Network Time Protocol (SNTP)
- Simple Mail Transport Protocol (SMTP)
- Simple Network Management Protocol (SNMP)

Related Documentation

Access the documentation at http://www.hp.com/support/manuals. For the most recent updates for your products, check the HP Networking Support web site at http://www.hp.com/networkin

Document Conventions

This guide uses the following document conventions:

- Typefaces (page vi)
- Document Messages (page vii)

Typefaces

HP TippingPoint publications use the following typographic conventions for structuring information.

Document Typographic Conventions

Medium blue text: Cross-reference links and e-mail addresses.
Medium blue, underlined text: Website addresses.
Bold font: Key names; text typed into a GUI element, such as into a box; GUI elements that are clicked or selected, such as menu and list items, buttons, and check boxes. Example: Click OK to accept.
Italics font: Text emphasis, important terms, variables, and publication titles.
Monospace font: File and directory names; system output; code; text
...ing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.

TippingPoint, the TippingPoint logo, and Digital Vaccine are registered trademarks of Hewlett-Packard. All other company and product names may be trademarks of their respective holders. All rights reserved. This document contains confidential information, trade secrets, or both, which are the property of Hewlett-Packard. No part of this documentation may be reproduced in any form or by any means or used to make any derivative work (such as translation, transformation, or adaptation) without written permission from Hewlett-Packard or one of its subsidiaries.

UNIX is a registered trademark of The Open Group.

Publication Part Number: 5998-5015
Product Part Number: JC679A

Table of Contents

About (v)
  Target Audience (v)
  Related Documentation (v)
  Document Conventions (vi)
    Typefaces (vi)
    Document Messages (vii)
  Customer Support (viii)
  Contents (viii)
1 Using the Command Line Interface
...ing (read-only).
user.verify (String, read-write): Attribute used to identify the user.
web (Password, write-only): Used to assign a password to the HTTP/HTTPS-accessible content. This single password allows access to the user manuals, the client software, reports, and archived attack data. The default is pwd.web yes. To permit unrestricted access to the web server, set the value to a

radius

Collection of RADIUS-related attribs. The attribs are used to enable and configure RADIUS for the SMS. For more information on RADIUS, see the Administration chapter in the SMS User Guide.

Table 3-15 radius Attributes

radius.enable (read-write): Attribute used to enable/disable RADIUS.

Primary RADIUS Server

radius1.secret (read-write): Attrib used to enter the RADIUS secret set by the RADIUS server administrator. This entry is used by each RADIUS client, including the SMS server.
radius1.server (read-write): Attrib used to set the IP address of the RADIUS server.
radius1.port (read-write): Attrib used to set the port on the RADIUS server that listens for authentication requests.
radius1.timeout (read-write): Attrib used to set the maximum timeout period in seconds.

Table 3-15 radius Attributes (continued)

radius1 (read-write): Attrib to set the authentication method: PAP, CHAP, MSCHAP, MSCHAP2, EAPMD5.

B
...ions.
tmc.proxy.port (read-write, 1-65535): Attrib used to control which proxy server port to use to make TMC connections.
proxy.tmc.authenticate (read-write): Attrib used to control whether authentication is required with the HTTP proxy server.

pwd

Collection of password-related attribs. The attribs are used to confirm the SuperUser password and enable the service mode used by support personnel. For information about managing users, including user groups, passwords, and security levels, see the Administration chapter in the SMS User Guide.

Related Command: users

Table 3-14 pwd Attributes

pwd.group.adduser (write-only): Used to add a user to a user group.
pwd.group.deluser (write-only): Used to remove a user from a user group.
pwd.group.list (read-only): Used to list all groups, or groups with users.
pwd.level (read-write): Attribute used to set the security level for the password.
pwd.service.enable: Used to enable/disable the service mode password for the system. To protect customer security, the service mode is deactivated at the factory. To enable the service mode account, the customer must log in with an account that has SuperUser rights and set this attrib to yes. After service mode is enabled, a service professional can log in to the system with a secret one-time password. To disable service mode
...istrator of the action, if configured.
pkg.auto.install (read-write): Attrib used to control whether the SMS database is updated with the newly downloaded package.
pkg.dv.activate (write-only): Attrib used to activate a DV package.
pkg.dv.delete (write-only): Attrib used to delete a DV package.
pkg.dv.import (write-only): Attrib used to import a DV package to the SMS using a URL.
pkg.dv.info (read-only): Attrib used to list all of the DV packages installed on the SMS.
pkg.auto.distrib (read-write): Attrib used to control whether the new package will be distributed to the managed devices.
pkg.tmc.poll.rate (read-write): Attrib used to control the frequency of the check for new TMC packages. The SMS polls the Threat Management Center (TMC) at regular intervals; the factory default is 30 minutes. Communication is attempted over TCP port 4043 to the host tmc.tippingpoint.com. A follow-up request that pulls the file may be made to another server using port 443. The poll rate can be adjusted by providing the pkg.tmc.poll.rate attrib with a new value and then rebooting the SMS. Assigning the attrib the value of 0 disables polling. This setting may be desirable when the SMS is behind a firewall which prevents outbound communication with the TMC.
pkg.proxy.tmc (read-write): Attrib used to control whether an HTTP proxy server is used to make TMC connections.
pkg.tmc.proxy.host (read-write, 1-128): Attrib used to control which proxy server to use to make TMC connect
...ld be performed to reduce disk usage.
health.loadAvg (read-only): CPU load statistics: load avg 1min, load avg 5min, load avg 15min, runnable processes, total processes, current pid.
health.memInfo (read-only): Physical memory statistics: total, used, free, shared, buffers, cached.
health.mem.util (read-only): Attribute returning the memory (RAM) utilization. 0 represents a near-idle system and 100 is fully utilized.
health.RAID (read-only): Attribute returns the status of the physical disks in your RAID configuration. Only SMS platforms that have RAID configured will show output.
health.net.valid (read-only): Attribute reporting the status of the communication paths. Checks to see if the network is configured and enabled. If enabled, checks the status of the gateway, DNS, and NTP.

Table 3-7 health Attributes (continued)

health.port.health (read-only): Attribute returning Port Statistics of the SMS. This information corresponds to the Port Statistics table on the Port Health screen (SMS Health) in the UI, with all 12 numbers printed in a single line. The first six numbers are for the primary port and the second six numbers are for the secondary port. Each set of numbers corresponds to the following table headings: total input bytes, total output bytes, total input discards, total output discards, total input errors, total output errors.
...ll be used in system prompts.
sys.platform (read-only): Attribute returning the platform name. Provide this model number in interactions with support professionals.
sys.serialNum (read-only): Attribute returning the unique PRODUCT system serial number. Provide this serial number in interactions with support professionals.

time

Collection of system time attribs. The attribs are used to configure the local time zone and the current system time.

See Also: ntp

Table 3-24 time Attributes

time.dateTime (read-only): Displays the current system time in a readable format.
time.setTime (read-write): Displays and sets the current system time. The date and time are specified in the format MMDDhhmm[[CC]YY][.ss].
time.setTimeZone (read-write): Displays and sets the current local time zone. Time zones can be represented in several forms. For example, US Eastern Time can be represented as either of the following:
    - EST5EDT
    - America/Newark
  The first format is the preferred format: a three-letter zone, followed by a time offset from GMT, and another three-letter zone for the daylight savings time.
    Examples: set time.setTimeZone America/New_York
              set time.setTimeZone CST6CDT
llowing results:

  sys  System information. System information can be viewed and updated using the sys object.
       Read-write: name, contact, location
       Read-only: serialNum

2 SMS Command Reference

This chapter describes the SMS commands and the options available for each command.

NOTE: To use the SMS CLI, you must be logged in with an account that has SuperUser rights.

clear
  Clears the screen.
  Usage: clear
  Aliases: cls

cls
  Clears the screen.
  Usage: cls
  Aliases: clear

console
  The console command shows a list of messages that have been sent to the console since the last reboot.
  Usage: console

date
  Displays and sets the system time. Without a parameter, date will return the current system date and time. The parameter allows a new date to be specified.
  Usage: date [MMDDhhmm[[CC]YY][.ss]]
  Related Objects: time

delete
  Deletes user files. User files are archived and exported files generated from the database contents.
  Usage: delete file
  Related Commands: dir, view, vi

diags
  Runs diagnostics tests and checks system health. The force option will run diagnostics without prompting for confirmation. Runs tests for the system, database, network, tmc and password, and provides status. For tmc, tests the connection to the tmc and the package server.
  Usage: diags [force]

dir
  Returns a listing o
n the Hardware (MAC, Media Access Control) address for the Ethernet 10/100/1000 interface (read-only).
  ifc.enable  Attrib used to enable/disable the NIC (read-write). Normally this should not be done. To enable the NIC, set the value to true; to disable, the value should be set to false.
  Attribute used to view and change the IP address for the Ethernet 10/100/1000 interface (read-write). To clear this value, use a period. Applies only to the net object. The network interface must be restarted (net.restart) for the setting to take effect. When you employ this command, the CLI may not reflect the change with a confirmation message. See Example on page 30.

Table 3-11 net Attributes (continued)
  net.ipaddr  Attribute used to view and change the IPv4 address (IPaddr, read-write). To clear this value, use a period. Applies only to the net object. The network interface must be restarted (net.restart) for the setting to take effect. When you employ this command, the CLI may not reflect the change with a confirmation message. See Example on page 30.
              NOTE: The IP address uses IPv4 notation.
  Attribute used to provide the subnet mask value (IPaddr, read-write). To clear this value, use a period.
  Attribute used to view the MTU (Maximum Transmission Unit) for the SMS Ethernet 10/100/1000 interface (read-only).
  (Bool, read-only) Returns true if the prim
neral cli users.
  ctl.patch.source            Used by the UI for installing Patches (write-only). Similar to set ctl.upgrade.source, this takes a path or URL to the Patch package file, then validates and installs that Patch.
  ctl.previous.patch.version  Used to display the version of the Patch previous to this (read-only), for example the Patch a rollback would install, or None if there is no previous Patch.
  ctl.sw.patch.version        Used to display the version number of the currently installed Patch (read-only), or None if no patch is installed.

db
Collection of database control operations. The attribs contained in db can be used to backup, restore or re-initialize the system database. See Remote Paths on page 2 for more information about entering path names for attribs that require them. On startup, the sequence performed is:
  1. if requested, backup the database
  2. if requested, restore the database
  3. if requested, reinit the database
  4. if needed, migrate the database
Therefore, within a single restart, a current database can be saved to a remote system and a new database can replace the old one. To clear a current value, set the attribute to a period.
Related Commands: database

Table 3-4 db Attributes
  db.attackCount  Displays the number of attack records stored in the database (read-only).
  db.backup       Setting the db.backup attrib to yes creates a local database backup (write-only) with de
network management interface.
  Usage: routes
  See Also: nic cmd, net object
  NOTE: Whether or not static route entries are included in routing tables depends on several topology factors. These include network specificity, metrics and whether the next hop IP is on the associated interface. Other routing types, redistributions and firewall rules also impact static route entries in the routing tables.

scp
  Secure Copy is a remote file copy program that allows a file to be securely copied to or from the SMS CLI. The scp command is only supported when run from the CLI.
  Usage: scp
  To copy a file using scp, you must supply values to the following prompts:
    Enter file transfer mode (G)et or (P)ut <G/P>
    Enter scp server IP address or host name
    Enter fully qualified remote file name
    Enter local directory or file name
    Enter login id
    Enter password
  See Also: logs object, delete cmd, dir cmd

service access
  Enables or disables service access to the SMS. The SMS version, serial number and salt is displayed when enabling.
  Usage: service access
  See Also: pwd object

set
  Assigns values to one or more attribs, or to a list of attribs contained within an object. The list may be one or more attribute names, object names or attrib/object pairs. To accept the current or default value, type the return key. To clear a String or IP Address value, enter a period and then the return key.
nt to restart the network stack. Your changes are applied when the network stack is restarted.

NOTE: You must issue the set net.restart=yes command when you modify the IP address or gateway using the set net command. Changes to these attributes do not take effect until you issue this command. A reboot (reboot command) should be done after you issue the above command. For information on set net, see set on page 14.
Related Commands: ifconfig, ipconfig, mgmtsettings
Related Objects: dns

Table 3-11 net Attributes
  net.autoneg  Attribute used to view and enable/disable auto-negotiation for the Ethernet 10/100/1000 interface (read-write). Valid values are yes or no.
  Attribute used to view and change the duplex setting for the Ethernet 10/100/1000 interface (read-write). Valid values are half or full.
  gateway      Attribute used to provide the gateway (default route) value (read-write). To clear this value, use a period. Applies only to the net object. The network interface must be restarted (net.restart) for the setting to take effect. See Example on page 30.
  gateway6     Attribute used to provide the IPv6 gateway value (IPaddr, read-write). To clear this value, use a period. Applies only to the net object. The network interface must be restarted (net.restart) for the setting to take effect. See Example on page 30.
  hwaddr       Attribute used to retur
s
  Quiet output. Nothing is displayed except the summary lines at startup time and when finished.
  Bypass the normal routing tables and send directly to a host on an attached network. If the host is not on a directly attached network, an error is returned. This option can be used to ping a local host through an interface that has no route through it.
  packetsize  Specifies the number of data bytes to be sent. The default is 56, which translates into 64 ICMP data bytes when combined with the 8 bytes of ICMP header data.
  Verbose output.

quit
  Closes the session.
  Usage: quit
  Aliases: exit, Ctrl-D

reboot
  Reboot the system. The force option will reboot the system without prompting for confirmation. The cancel option aborts an in-progress reboot.
  Usage: reboot [force|cancel]

resolve
  Resolves a hostname to an IP address using the DNS settings. If the name cannot be resolved, it is returned as is.
  Usage: resolve <hostname>
  See Also: reverse

restart
  Restarts the network stack. The force option restarts the network stack without a confirmation prompt.
  Usage: restart [force]

reverse
  Performs a reverse lookup on an IP address or a relative hostname using the DNS settings. If the value cannot be resolved, it is returned as is.
  Usage: reverse <ip address|hostname>
  See Also: resolve

routes
  Route options allow static routes to be added or deleted for the
sable settings and force password changes.
  Usage: users
  Related Object: pwd

version
  Displays the system and component versions.
  Usage: version
  Related Objects: sw

vi
  vi is a text editor that is comparable to Vi. It can be used to edit all kinds of plain text. It is especially useful for editing programs. While running vi, a lot of help can be obtained from the on-line help system with the :help command.
  Usage: vi [options] [file]
  Caveats: /tmp and its contents are the only files and directories that the SuperUser account has permission to modify. When accessing files, you must specify the complete path name, for example vi /tmp/FileName.txt. After seven days without modification, files in this directory are removed.
  Options: The options may be given in any order, before or after filenames. Options without an argument can be combined after a single dash.

Table 2-6 vi Options
  For the first file, the cursor will be positioned on line num. If num is missing, the cursor will be positioned on the last line.
  For the first file, the cursor will be positioned on the first occurrence of pat. See :help search-pattern for the available search patterns.
  Give a bit of help about the command line arguments and options. After this, Vi exits.
  Modifying files is disabled.
  Resets the write option so that writing files is not possible.
  No swap file will be used.
  Recov
st agent. When enabled, the SMS agent responds to the SNMP system request. This command prompts you to enable the SNMP request agent and enter the following information:
    Enter the SNMP version (V)2, (V)3 or (B)oth <2/3/B>
    Enter community string
    Enter User Name
    Enter Auth Protocol (None, MD5 or SHA)
    Enter Auth Key ********************************
    Confirm Key ********************************
    Enter Privacy Protocol (None, AES 128, AES 192, AES 256, DES or Triple_DES)
    Enter Priv Key ********************************
    Confirm Key ********************************
  Summary columns: Version (Both), Community String, User Name, Auth Protocol, Privacy Protocol
  Usage: snmp request
  See Also: snmp, snmp trap

snmp trap
  The snmp trap command is used to manage the SNMP (Simple Network Management Protocol) traps. The SMS sends SNMP traps to NMS destinations. This command prompts you to enable configuration for an NMS trap destination and enter the following information:
    Commands: (A)dd (D)elete (V)ersion (C)ommunity (P)ort (E)ngine (U)ser Au(T)hProto Auth(K)ey P(R)ivProto Pr(I)vKey (L)ist help (Q)uit
    Command <A/D/V/C/P/E/U/T/K/R/I/L/Q>: a
    Add> Enter trap destination address: 192.168.1.1
    Add> Enter SNMP version (v)2 or (v)3 <2/3>: 3
    Add> Enter port number: 162
    Add> Enter Engine ID:
    Add> Enter User Name:
    Enter Auth Protocol (None, MD5 or SHA):
    Enter A
ters.

kbd
  Keyboard related attribute.
  WARNING: Do not use this option if you are using a standard QWERTY keyboard. Setting your keyboard layout to a value with which you are not familiar could render your system inaccessible.
  Related Command: kbdcfg

Table 3-8 kbd Attributes
  kbd.layout  Specifies the console keyboard layout (read-write).
              Usage: set kbd.layout=<keyboard designation>
              Example: setting fr for French keyboard layout. The default setting is kbd.layout=us.

The following console keyboard layouts are available. This procedure will lead you through setting the layout for your keyboard. The following layouts are available:

ANST dvorak dvorak 1 it ibm se fi lat6 appl key dvorak r Ita se 1r209 azerty emacs jp106 se lat backspace emacs2 keypad se latini be latini es la latini sg bg cp1251 es cp850 he sg latini bg cp855 et lt baltic sg latini 1k450 bg_bds cp1251 et nodeadkeys 1t 14 sk prog qwerty bg_bds utf euro mk sk prog qwertz bg_pho cp1251 eurol mk cp1251 sk qwerty bg_pho utf8 euro2 mk utf sk qwertz br abnt fi mkO slovene br abnt2 fi latini nl sr cy br latini abnt2 fi lating nl2 sw latin1 br latini us fi old no tr_f latins by fr no latini tr_g latin5 Ef fr latino pci10o tralt croat fr latini pl trf ctrl fr lating pl2 tra EZ fr old pt ua cz cp1250 fr pc pt latin1 ua utf cz lat2 fr_CH pt lating
tml

1 Using the Command Line Interface

The command line interface (CLI) can be used to configure many aspects of the SMS. It includes wizards, high-level commands and low-level commands.

Overview

This chapter explains how to use the SMS CLI.

NOTE: To use the SMS CLI, you must be logged in with an account that has SuperUser rights.

This section includes the following topics:
  Usage on page 1
  The help Command on page 3

Usage

Most SMS commands consist of the following elements:
  command  the name of the command you want to issue
  object   the name of a collection of related attributes (attribs)
  attrib   the name of a data variable or parameter on which you want to run the command
  value    optional syntax you can use with the set command and other writable commands to define the value of the attrib you specify. If you do not use this syntax, the system goes into interactive mode and prompts you for the value. See Command Types on page 1 for more information about interactive commands.

NOTE: To clear the value of any attribute, type a period after the equal sign or when prompted.

These elements are case sensitive. You can use any of the following syntax to run an SMS command:
  command
  command object
  command object.attrib
  command object.attrib=value

Other SMS commands use a syntax similar to standard UNIX commands, as shown in the following example:
  command option value
tname is not provided, the domain is appended to the hostname and the result is passed for resolution.
  DNS domain search list used to resolve hostnames (read-write). If a fully qualified hostname is not provided, each member of the search list is appended to the hostname and the result is passed for resolution.
  server1, server2, server3  Attribs used to specify name resolution servers (IPaddr, read-write). The value must be a dotted IP address, and the first entry (dns.server1) will be assigned a preferred role. To clear this value, use a period.

high availability
Collection of system High Availability (HA) attribs. The attribs are used to retrieve HA information.

Table 3-6 HA Attributes
  ha.status   Attribute returning the status of HA (read-only). The status messages include the following:
                Disabled: High Availability is not configured
                Enabled
                Error: The system could not determine local status
                Error: Unable to communicate with peer
                Error: Peer system state is invalid
                Error: Configuration out of sync with peer
                Error: Peer system failure
                Configured: Synchronization required
                Configured: Attempting synchronization
                Configured: Synchronizing
                Degraded: Peer takeover pending
                Degraded: Unable to communicate with peer
                Degraded: Synchronization required
                Degraded: Peer system failure
  ha.disable  Attribute that disables HA (write-only).
typed at the command line.
  Monospace italic font  Code variables; command line variables.
  Monospace bold font    Emphasis of file and directory names, system output, code and text typed at the command line (vi).

Document Messages

Document messages are special text that is emphasized by format and typeface. This guide contains the following types of messages:
  Warning
  Caution
  Note
  Tip

WARNING: Warning notes alert you to potential danger of bodily harm or other potential harmful consequences.

CAUTION: Caution notes provide information to help minimize risk, for example when a failure to follow directions could result in damage to equipment or loss of data.

NOTE: Notes provide additional information to explain a concept or complete a task. Notes of specific importance in clarifying information or instructions are denoted as such.

IMPORTANT: Another type of note that provides clarifying information or specific instructions.

TIP: Tips provide helpful hints and shortcuts, such as suggestions about how you can perform a task more easily or more efficiently.

Customer Support

HP TippingPoint is committed to providing quality customer support to all customers. Each customer receives a customized support agreement that provides detailed support contact information. When you need technical support, refer to your support agreement or
List of Tables

1 Using the Command Line Interface ........ 1
  Table 1-1 Help Commands ........ 4
2 SMS Command Reference ........ 5
  Table 2-1 Help Options ........ 8
  Table 2-2 Security Levels ........ 11
  Table 2-3 ping Options ........ 11
  Table 2-4 Gigs Options ........ 12
  Table 2-5 traceroute Options ........ 17
  Table 2-6 vi Options ........ 19
3 SMS Attributes and Objects ........ 21
  Table 3-1 CLI Attribute Types ........ 21
  Table 3-2 cli Attributes ........ 21
  Table 3-3 ctl Attributes ........ 22
  Table 3-4 db Attributes ........ 23
  Table 3-5 dns Attributes ........ 24
  Table 3-6 HA Attributes ........ 25
  Table 3-7 health Attributes ........ 26
  Table 3-8 kbd Attributes ........ 28
  Table 3-9 license Attributes ........ 29
  Table 3-10
  Table 3-11
  Table 3-12
  Table 3-13
  Table 3-14
  Table 3-15
ul on a multi-homed host. See the -s flag for another way to do this.
  Use ICMP ECHO instead of UDP datagrams.
  Set the max time-to-live (max number of hops) used in outgoing probe packets. The default is 30 hops (the same default used for TCP connections).
  Print hop addresses numerically rather than symbolically and numerically (saves a nameserver address-to-name lookup for each gateway found on the path).

Table 2-5 traceroute Options (continued)
  Set the base UDP port number used in probes (default is 33434). Traceroute hopes that nothing is listening on UDP ports base to base+nhops-1 at the destination host, so an ICMP PORT_UNREACHABLE message will be returned to terminate the route tracing. If something is listening on a port in the default range, this option can be used to pick an unused port range.
  Bypass the normal routing tables and send directly to a host on an attached network. If the host is not on a directly attached network, an error is returned. This option can be used to ping a local host through an interface that has no route through it, e.g. after the interface was dropped by routed.
  Use the specified IP address as the source address in outgoing probe packets. This is usually given as an IP address, not a hostname. On multi-homed hosts (with more than one IP address), this option can force the source address to be a different IP

users
unt point value, and using a space character to separate the values. Options might include the username, password and workgroup. Options can be joined together using a comma as a separator.
  SMB Example: //winbox/pub/sms.pkg -o workgroup=mydomn,username=steve,password=ps111

The help Command

The help command returns documentation about the specified command, object or attribute.

Syntax:
  help
  help full
  help attribs
  help object.attrib
  help cmds
  help cmd
  help objs
  help object
  help background
  help background topic
  help topic

Description: The help command is a non-interactive read command that returns documentation about a command, object or attribute that you specify.

NOTE: In the help command syntax, you can use the question mark (?) interchangeably with the word help. For example, you could type the following to view documentation about all commands: ? cmds

Objects and Attributes

The following objects and attributes can be used with the help command.

Table 1-1 Help Commands
  help full        Lists all commands, objects and attributes
  help attribs     Lists all attributes
  help objs        Lists all objects (or collections of attributes)
  help cmds        Lists all commands
  help background  Lists background topics

Example: To see documentation about the sys object, type help sys. The system returns the fo
ur. This command is also run automatically when an SMS upgrade is requested. The upgrade will fail if this command fails.
  ctl.upgrade.source      Setting the ctl.upgrade.source attrib to a string representing a URL will cause the system to retrieve and apply the update package to the system (write-only). Normally a reboot will be required for the update to become effective. The URL can reference the http, https or ftp protocols.
                          Example: set ctl.upgrade.source=http://www.tippingpoint.com/SMS_UPDATE_1_0.pkg
  ctl.patch.releasenotes  Used to display the release notes for the currently installed Patch (read-only).
                          NOTE: This attribute is used by the UI to retrieve release notes and is of little interest to general cli users.
  ctl.patch.restart       Used to display the restart flag for the currently installed Patch (read-only).
                          NOTE: This attribute is used by the UI to retrieve the restart flag and is of little interest to general cli users.

Table 3-3 ctl Attributes (continued)
  ctl.patch.rollback      Used to roll back to the previous patch version (read-write). Displays true if the currently installed Patch can be rolled back, else false. If set to the version of the currently installed Patch, it rolls it back to either the previously installed Patch, or no Patch if it was the first Patch installed.
                          NOTE: This attribute is used by the UI to retrieve this value and is of little interest to ge
uth Key: ********************************
    Add> Confirm Key: ********************************
    Enter Privacy Protocol (None, AES 128, AES 192, AES 256, DES or Triple_DES):
    Enter Priv Key: ********************************
    Add> Confirm Key: ********************************
    IP Address   Version  Port  Engine ID  User Name  Auth Protocol  Privacy Protocol
    192.168.1.1  v3       162
  Usage: snmp trap
  See Also: snmp, snmp request

snmpget
  snmpget will request a single OID from the specified agent.
  Usage: snmpget hostNameOrAddress communityName OID
  Example (IPv6): snmpget -v 2c -c public udp6:[fc01:a63:1:0:214:22ff:fe1e:1d87] system.sysName.0
  Example (IPv4): snmpget -v 2c -c public 10.99.1.110 system.sysName.0
  See Also: snmpwalk

snmpwalk
  snmpwalk will traverse the SNMP MIB of the agent running at the specified address. If the OID is not provided, the walk will begin at the first OID; if the community name is not provided, walk will use public; and if the hostNameOrAddress is not provided, walk will use localhost.
  Usage: snmpwalk hostNameOrAddress communityName OID
  Example (IPv6): snmpwalk -v 2c -c public udp6:[fc01:a63:1:0:214:22ff:fe1e:1d87] system
  Example (IPv4): snmpwalk -v 2c -c public 10.99.1.110 system
  Example (SNMPv3): snmpwalk -v 3 -u user -l authPriv -a SHA -A authKey -x AES -X privKey 192.168.1.1 system
  See Also: snmpget

ssh

time