Forcepoint NGFW Engine commands

There are commands that can be run on the command line on Firewall, Layer 2 Firewall, IPS engines, or Master NGFW Engines.

Note: Using the Management Client is the recommended configuration method, as most of the same tasks can be done through it.
Note: All command line tools that are available for single NGFW Engines are also available for Virtual NGFW Engines that have the same role. However, there is no direct access to the command line of Virtual NGFW Engines. Commands to Virtual NGFW Engines must be sent from the command line of the Master NGFW Engine using the se-virtual-engine command.

Some commands are only available when the NGFW Engine is in the Firewall (FW), Layer 2 Firewall (L2FW), or IPS engine (IPS) role.

Table 1. Forcepoint NGFW command line tools

Each entry gives the command syntax, the engine roles in which the command is available (Role), and a description.

sg-blacklist show [-v] [-f FILENAME] |
             add [[-i FILENAME] | [src IP_ADDRESS/MASK] [src6 IPv6_ADDRESS/PREFIX] [dst IP_ADDRESS/MASK] [dst6 IPv6_ADDRESS/PREFIX] [proto {tcp|udp|icmp|NUM}] [srcport PORT{-PORT}] [dstport PORT{-PORT}] [duration NUM] [ve VIRTUAL_ENGINE_ID]] |
             del [[-i FILENAME] | [src IP_ADDRESS/MASK] [src6 IPv6_ADDRESS/PREFIX] [dst IP_ADDRESS/MASK] [dst6 IPv6_ADDRESS/PREFIX] [proto {tcp|udp|icmp|NUM}] [srcport PORT{-PORT}] [dstport PORT{-PORT}] [duration NUM] [ve VIRTUAL_ENGINE_ID]] |
             iddel NODE_ID ID |
             flush

Role: FW, L2FW, IPS

Used to view, add, or delete active blacklist entries.

The blacklist is applied as defined in Access Rules.

show shows the current active blacklist entries in the format: engine node ID | blacklist entry ID | (internal) | entry creation time | (internal) | address and port match | originally set duration | (internal) | (internal). Use the -f option to specify a storage file to view (/data/blacklist/db_<number>). The -v option adds the operation's details to the output.

add creates a blacklist entry. Enter the parameters or use the -i option to import parameters from a file.

del deletes the first matching blacklist entry. Enter the parameters or use the -i option to import parameters from a file.

iddel removes one specific blacklist entry on one specific NGFW Engine. NODE_ID is the ID of the NGFW Engine; ID is the blacklist entry's ID (as shown by the show command).

flush deletes all blacklist entries.

Add/Del Parameters:

Enter at least one parameter. The default value is used for the parameters that you omit. You can also save parameters in a text file; each line in the file is read as one blacklist entry.

src defines the source IP address and netmask to match. Matches any IP address by default.

src6 defines the source IPv6 and prefix length to match. Matches any IPv6 address by default.

dst defines the destination IP address and netmask to match. Matches any IP address by default.

dst6 defines the destination IPv6 address and prefix length to match. Matches any IPv6 address by default.

proto defines the protocol to match by name or protocol number. Matches all IP traffic by default.

srcport defines the TCP/UDP source port or range to match. Matches any port by default.

dstport defines the TCP/UDP destination port or range to match. Matches any port by default.

duration defines in seconds how long the entry is kept. The default is 0, which cuts the current connections but does not keep the entry.

ve specifies the Virtual NGFW Engine on which the blacklist entry is created or deleted.

Examples:

sg-blacklist add src 192.168.0.2/32 proto tcp dstport 80 duration 60

sg-blacklist add -i myblacklist.txt

sg-blacklist del dst 192.168.1.0/24 proto 47
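The following helper script is an added example and is not part of the Forcepoint documentation or the engine's own tooling. It covers the two workflows described above: preparing an import file for sg-blacklist add -i from a plain list of addresses (validating each IPv4 address or network so a typo cannot silently become a different match), and picking NODE_ID / ID pairs out of sg-blacklist show output for sg-blacklist iddel. Two things are assumptions the page does not confirm: that the -i file takes one entry per line in the same src/proto/dstport/duration syntax as the command line, and that show separates the documented fields with "|". The sample show output below is constructed only in the documented field order, not copied from a real engine.

```shell
#!/bin/sh
# Added example: a helper script for sg-blacklist, not part of the Forcepoint
# documentation or the engine's own tooling.
# Assumptions not confirmed by the page: the "-i FILENAME" file takes one
# entry per line in the same "src ... proto ... dstport ... duration ..."
# syntax as the command line, and "show" separates the documented fields
# with "|".

# Return 0 if $1 is a well-formed IPv4 address with an optional /PREFIX (0-32).
valid_cidr4() {
    addr=${1%/*}
    prefix=${1#*/}
    [ "$prefix" = "$1" ] && prefix=32               # no "/": a single host
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    # digits and dots only; no leading, trailing or doubled dots
    case "$addr" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    # split on dots and require exactly four octets in 0-255
    old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Read addresses from stdin (one per line; blank lines and "#" comments are
# ignored) and print one blacklist entry per line that blocks TCP to port $1
# for $2 seconds. Invalid addresses are reported on stderr and skipped;
# the return code is 1 if anything was skipped, 2 if port/duration are bad.
blacklist_lines() {
    port=$1; duration=$2; skipped=0
    case "$port" in ''|*[!0-9]*) printf 'invalid port: %s\n' "$port" >&2; return 2 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { printf 'invalid port: %s\n' "$port" >&2; return 2; }
    case "$duration" in ''|*[!0-9]*) printf 'invalid duration: %s\n' "$duration" >&2; return 2 ;; esac
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        if valid_cidr4 "$line"; then
            case "$line" in */*) cidr=$line ;; *) cidr=$line/32 ;; esac
            printf 'src %s proto tcp dstport %s duration %s\n' "$cidr" "$port" "$duration"
        else
            printf 'skipping invalid address: %s\n' "$line" >&2
            skipped=1
        fi
    done
    return $skipped
}

# Read "sg-blacklist show" output from stdin and print "NODE_ID ID" for every
# entry whose address-and-port field contains $1, ready for
# "sg-blacklist iddel NODE_ID ID". Field positions follow the order in the
# show description: node ID, entry ID, (internal), creation time, (internal),
# address and port match, duration, (internal), (internal).
entries_matching() {
    awk -F'|' -v pat="$1" '
        NF >= 7 && index($6, pat) > 0 {
            gsub(/^[ \t]+|[ \t]+$/, "", $1)
            gsub(/^[ \t]+|[ \t]+$/, "", $2)
            print $1, $2
        }'
}

# Constructed sample input (not real data): hosts to block on TCP/80 for 600 s.
# On the engine: blacklist_lines 80 600 < hosts.txt > myblacklist.txt
#                sg-blacklist add -i myblacklist.txt
printf '10.0.0.5\n# comments and blank lines are ignored\n\n192.0.2.0/24\n' | blacklist_lines 80 600

# Constructed sample "show" output in the documented field order only; the
# real rendering of the individual fields is not shown on the page.
sample_show='1 | 17 | - | 2024-05-01 10:00:00 | - | src 10.0.0.5/32 proto tcp dstport 80 | 600 | - | -
2 | 18 | - | 2024-05-01 10:00:00 | - | src 10.0.0.5/32 proto tcp dstport 80 | 600 | - | -
1 | 19 | - | 2024-05-01 10:02:00 | - | src 192.0.2.0/24 proto tcp dstport 80 | 600 | - | -'
# Prints one "NODE_ID ID" pair per node holding the entry (here 1 17 and 2 18),
# each usable as: sg-blacklist iddel NODE_ID ID
printf '%s\n' "$sample_show" | entries_matching '10.0.0.5/32'
```

The matching in entries_matching is a substring match, so pass the full address with its mask (10.0.0.5/32 rather than 10.0.0.5) to avoid also selecting entries such as 10.0.0.50/32. Because an entry exists separately on every node, one iddel per printed pair is needed; sg-blacklist del with the same parameters removes only the first match.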

sg-bootconfig [--primary-console=tty0|ttyS PORT,SPEED] [--secondary-console=[tty0|ttyS PORT,SPEED]] [--flavor=up|smp] [--initrd=yes|no] [--crashdump=yes|no|Y@X] [--append=kernel options] [--help] apply

Role: FW, L2FW, IPS

Used to edit boot command parameters for future bootups.

--primary-console defines the terminal settings for the primary console.

--secondary-console defines the terminal settings for the secondary console.

--flavor defines whether the kernel is uniprocessor or multiprocessor.

--initrd defines whether Ramdisk is enabled or disabled.

--crashdump defines whether the kernel crash dump is enabled or disabled. In the Y@X form, Y is the amount of memory allocated to the crash dump kernel; the default is 24M. X must always be 16M.

--append defines any other boot options to add to the configuration.

--help shows usage information.

apply applies the specified configuration options.

sg-clear-all [--help] [--flash-defaults] [--dry-run] [--on-boot] [--reboot | --shutdown] [--fast | --wipe <number>] [--debug | --verbose]

Role: FW, L2FW, IPS

This command restores the factory default settings on the NGFW Engine.

[--help] shows usage information.

[--flash-defaults] assumes that the NGFW Engine has a flash data partition and a RAM spool partition.

[--dry-run] exits without shutting down or restarting when command execution finishes.

[--on-boot] indicates that NGFW Engine is starting up. This option is not intended to be used in normal command line usage.

[--reboot] makes the NGFW Engine always restart when command execution finishes.

[--shutdown] makes the NGFW Engine always shut down when command execution finishes.

[--fast] runs a minimal, non-interactive clear for testing purposes.

[--wipe <number>] globally specifies the number of times to wipe partitions.

[--debug] shows full debug messages during command execution.

[--verbose] shows additional informational messages during command execution.

Note: If you run the command without specifying any options, the NGFW Engine requests confirmation before restarting. When the NGFW Engine restarts, you are prompted to select the system restore options.

After using this command, you can reconfigure the NGFW Engine using the sg-reconfigure command.

sg-cluster [-v <Virtual NGFW Engine ID>] [status [-c SECONDS]] [versions] [online] [lock-online] [offline] [lock-offline] [standby] [safe-offline] [force-online] [move]

Role: FW, L2FW, IPS

Shows or changes the status of the node.

-v (Master NGFW Engine only) specifies the ID of the Virtual NGFW Engine on which to execute the command.

status shows cluster status. When -c SECONDS is used, the status is shown continuously with the specified number of seconds between updates.

versions shows the NGFW Engine software versions of the nodes in the cluster.

online sends the node online.

lock-online sends the node online and keeps it online, even if another process tries to change its state.

offline sends the node offline.

lock-offline sends the node offline and keeps it offline, even if another process tries to change its state.

standby sets an active node to standby.

safe-offline sets the node to offline only if there is another online node.

force-online sets the node online regardless of state or any limitations. Also sets all other nodes offline.

move (Master NGFW Engine only) moves the specified Virtual NGFW Engine to this node.

sg-contact-mgmt

Role: FW, L2FW, IPS

Used for establishing a trust relationship with the Management Server as part of NGFW Engine installation or reconfiguration (see sg-reconfigure).

The NGFW Engine contacts the Management Server using the one-time password created when the NGFW Engine's initial configuration is saved.

sg-diagnostics [-s|-u] -f <facility_number>

Role: FW, L2FW, IPS

Enables or disables diagnostics for the specified facility. When enabled, diagnostic information for the specified facility is included in the log data.

-f <facility_number> specifies the facility for which to enable diagnostics. Use the sg-logger -s command to get a list of facility numbers.

-s enables diagnostics.

-u disables diagnostics.

When you run the command without -s or -u, the output shows the current value for the specified facility.

sg-dynamic-routing [start] [stop] [restart] [force-reload] [backup <file>] [restore <file>] [sample-config] [route-table] [info]

Role: FW

start starts the Quagga routing suite.

stop stops the Quagga routing suite and flushes all routes made by zebra.

restart restarts the Quagga routing suite.

force-reload forces reload of the saved configuration.

backup backs up the current configuration to a compressed file.

restore restores the configuration from the specified file.

sample-config creates a basic configuration for Quagga.

route-table prints the current routing table.

info shows the help information for the sg-dynamic-routing command, and detailed information about Quagga suite configuration with vtysh.

sg-ipsec -d [-u <username[@domain]> | -si <session id> | -ck <ike cookie> | -tri <transform id> | -ri <remote ip> | -ci <connection id>]

Role: FW

Deletes VPN-related information (use the vpntool command to view the information). Option -d (for delete) is mandatory.

-u deletes the VPN session of the named VPN client user. You can enter the user account in the form <user_name@domain> if there are several user storage locations (LDAP domains).

-si deletes the VPN session of a VPN client user based on session identifier.

-ck deletes the IKE SA (Phase one security association) based on IKE cookie.

-tri deletes the IPSEC SAs (Phase two security associations) for both communication directions based on transform identifier.

-ri deletes all SAs related to a remote IP address in site-to-site VPNs.

-ci deletes all SAs related to a connection identifier in site-to-site VPNs.

sg-log-view
    -h | --help
    -c CONFIGURATION_FILE
    -C | --show-configuration
    -N | --show-field-names
    -A | --alerts
    -o {list|table|json|json-pretty} | --output-format {list|table|json|json-pretty}
    -f | --follow
    -t TABLE_FIELDS [TABLE_FIELDS ...] | --table-fields TABLE_FIELDS [TABLE_FIELDS ...]
    -a ADD_TABLE_FIELDS [ADD_TABLE_FIELDS ...] | --add-table-fields ADD_TABLE_FIELDS [ADD_TABLE_FIELDS ...]
    -r REMOVE_TABLE_FIELDS [REMOVE_TABLE_FIELDS ...] | --remove-table-fields REMOVE_TABLE_FIELDS [REMOVE_TABLE_FIELDS ...]
    -I | --add-event-id-table-field
    -i EVENT_IDS [EVENT_IDS ...] | --event-ids EVENT_IDS [EVENT_IDS ...]
    -s START_DATE | --start-date START_DATE
    -e END_DATE | --end-date END_DATE
    -F FILTERS [FILTERS ...] | --filters FILTERS [FILTERS ...]
    --input-file-format {binary|json}
    --log-files [LOG_FILES [LOG_FILES ...]]
    --timestamp-type {date|integer}
    -S | --show-log-counter

Role: FW, L2FW, IPS

Allows you to browse log and alert entries on the command line of the NGFW Engine, provided that you have saved copies of the most recent log and alert entries locally on the NGFW Engine.

-h | --help shows usage information.

-c specifies a configuration file for viewing stored log entries. If you do not specify a configuration file in this command, the LOG_VIEW_CONF environment variable specifies the configuration file. If no configuration file is specified in the LOG_VIEW_CONF variable, the default configuration is used.

-C | --show-configuration shows the active configuration.

-N | --show-field-names shows all available log field names.

-A | --alerts shows alert entries instead of log entries.

-o | --output-format specifies the output format for log entries. The default is table.

-f | --follow shows log entries in real time as they are generated.

-t | --table-fields shows the specified fields in a table view. You can specify the width and position of the field in the table using numbers and semicolons. For example, situation:40:3.

-a | --add-table-fields adds the specified fields to the table view. You can specify the width and position of the field in the table using numbers and semicolons. For example, situation:40:3.

-r | --remove-table-fields removes the specified fields from the table view.

-I | --add-event-id-table-field adds event_id as the first log field in the table view.

-i | --event-ids shows details about the specified events (event ids) in a list view.

-s | --start-date shows log entries starting from the specified date.

-e | --end-date shows log entries ending on the specified date.

-F | --filters specifies log filters as either a simple filter string or a complete JSON filter string.

--input-file-format specifies the input log file format. The default is binary.

--log-files specifies the log files to show. If you do not specify a log file, all available log files found in the specified log directories are shown.

--timestamp-type shows timestamp values as dates or integers. The default is date.

-S | --show-log-counter shows log counters in table and list views.

sg-logger -f FACILITY_NUMBER -t TYPE_NUMBER [-e EVENT_NUMBER] [-i "INFO_STRING"] [-s] [-h]

Role: FW, L2FW, IPS

Used in scripts to create log messages with the specified properties.

-f defines the facility for the log message.

-t defines the type for the log message.

-e defines the log event for the log message. The default is 0 (H2A_LOG_EVENT_UNDEFINED).

-i defines the information string for the log message.

-s dumps information about option numbers to stdout.

-h shows usage information.

sg-raid [-status] [-add] [-re-add] [-force] [-help]

Role: FW, L2FW, IPS

Configures a new hard drive.

This command is only for Forcepoint NGFW appliances that support RAID (Redundant Array of Independent Disks) and have two hard drives.

-status shows the status of the hard drive.

-add adds a new empty hard drive. Use -add -force if you want to add a hard drive that already contains data and you want to overwrite it.

-re-add adds a hard drive that is already partitioned. This command prompts for the drive and partition for each degraded array. Use -re-add -force if you want to check all arrays.

-help shows usage information.

sg-reconfigure [--maybe-contact] [--no-shutdown] [--stop-autocontact]

Role: FW, L2FW, IPS

Starts the NGFW Configuration Wizard. Used for reconfiguring the node manually.

CAUTION:
This script also has parameters that are for the internal use of the NGFW Engine only. Do not use this script with any parameters other than the ones listed here.

--maybe-contact contacts the Management Server if requested. This option is only available on Firewalls.

--no-shutdown allows you to make limited configuration changes on the node without shutting it down. Some changes might not be applied until the node is rebooted.

--stop-autocontact (unconfigured Forcepoint NGFW appliances with valid POS codes only) prevents the NGFW Engine from contacting the installation server for plug-and-play configuration when it reboots.

sg-selftest [-d] [-h]

Role: FW

Runs cryptography tests on the NGFW Engine.

-d runs the tests in debug mode.

-h shows usage information.

sg-status [-l] [-h]

Role: FW, L2FW, IPS

Shows information about the NGFW Engine status.

-l shows all available information about NGFW Engine status.

-h shows usage information.

sg-toggle-active SHA1 SIZE | --force [--debug]

Role: FW, L2FW, IPS

Switches the NGFW Engine between the active and the inactive partition.

This change takes effect when you reboot the NGFW Engine.

You can use this command, for example, if you have upgraded an NGFW Engine and want to switch back to the earlier NGFW Engine version. When you upgrade the NGFW Engine, the active partition is switched. The earlier configuration remains on the inactive partition. To see the currently active (and inactive) partition, see the directory listing of /var/run/stonegate (ls -l /var/run/stonegate).

The SHA1 option is used to verify the signature of the inactive partition before changing it to active. If you downgrade the NGFW Engine, check the checksum and the size of the earlier upgrade package by extracting the signature and size files from the sg_engine_[version.build]_i386.zip file.

--debug reboots the NGFW Engine with the debug kernel.

--force switches the active configuration without first verifying the signature of the inactive partition.
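Added example, not part of the Forcepoint documentation: a small pre-flight helper for the downgrade procedure described above. The page says to take the checksum and size from the signature and size files extracted from sg_engine_[version.build]_i386.zip before running sg-toggle-active SHA1 SIZE; this script reads those two extracted files, checks that they really contain one 40-hex-digit SHA1 and one decimal byte count, records the current partition listing from /var/run/stonegate, and prints the resulting command for review instead of running it. The names of the two files inside the archive are not given on the page, so their paths after extraction are taken as arguments (an assumption).

```shell
#!/bin/sh
# Added example, not part of the Forcepoint documentation or tooling.
# Validates the SHA1 and SIZE values for "sg-toggle-active SHA1 SIZE" before
# they are used, so a truncated or mis-copied value is caught before the
# partition switch rather than on the next reboot.
# Assumption: the signature and size files have already been extracted from
# sg_engine_[version.build]_i386.zip; their names are not on the page, so
# their paths are passed in.

# Print the first whitespace-delimited token of the first non-empty line of
# file $1 (accepts a bare value as well as a "<digest>  <name>" layout).
first_token() {
    awk 'NF { print $1; exit }' "$1"
}

# Return 0 if $1 is a 40-character hexadecimal string.
is_sha1() {
    printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{40}$'
}

# Return 0 if $1 is a non-empty decimal number.
is_size() {
    printf '%s' "$1" | grep -Eq '^[0-9]+$'
}

# Record which partition is active before the switch. The page gives
# /var/run/stonegate as the place to look; off the engine this just notes
# that the directory is absent.
show_active_partition() {
    ls -l /var/run/stonegate 2>/dev/null || echo "/var/run/stonegate not present (not running on an NGFW Engine)"
}

# Read signature file $1 and size file $2 and print the command line
# "sg-toggle-active SHA1 SIZE". Prints nothing and returns 1 (bad digest)
# or 2 (bad size) if either value fails validation.
toggle_command() {
    sha1=$(first_token "$1")
    size=$(first_token "$2")
    if ! is_sha1 "$sha1"; then
        printf 'signature file %s does not hold a SHA1 digest: "%s"\n' "$1" "$sha1" >&2
        return 1
    fi
    if ! is_size "$size"; then
        printf 'size file %s does not hold a byte count: "%s"\n' "$2" "$size" >&2
        return 2
    fi
    printf 'sg-toggle-active %s %s\n' "$sha1" "$size"
}

# Usage on the engine after extracting the two files (names assumed):
#   show_active_partition
#   toggle_command ./signature ./size      # review the printed command, then run it
```

Keeping the print-and-review step rather than executing the command directly gives the operator a chance to compare the values against the listing of /var/run/stonegate and the package they extracted; --force skips exactly this verification, so it should remain the exception.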

sg-upgrade

Role: FW

Upgrades the node by rebooting from the installation DVD.

Alternatively, the node can be upgraded remotely using the Management Client.

sg-version

Role: FW, L2FW, IPS

Shows the software version and build number for the node.

se-virtual-engine
    -l | --list
    -v <Virtual NGFW Engine ID>
    -e | --enter
    -E "<command [options]>"
    -h | --help

Role: FW (Master NGFW Engine only)

Used to send commands to Virtual Firewalls from the command line of the Master NGFW Engine.

All commands that can be used for the Firewall role can also be used for Virtual Firewalls.

-l or --list lists the active Virtual NGFW Engines.

-v specifies the ID of the Virtual NGFW Engine on which to execute the command.

-e or --enter enters the command shell for the Virtual NGFW Engine specified with the -v option. To exit the command shell, type exit.

-E executes the specified command on the Virtual NGFW Engine specified with the -v option.

-h or --help shows usage information.

sginfo [-f] [-d] [-s] [-p] [--] [--help]

Role: FW, L2FW, IPS

Gathers system information you can send to Forcepoint Technical Support.

Use this command only when instructed to do so by Forcepoint Technical Support.

-f forces sgInfo even if the configuration is encrypted.

-d includes core dumps in the sgInfo file.

-s includes slapcat output in the sgInfo file.

-p includes passwords in the sgInfo file (by default passwords are erased from the output).

-- creates the sgInfo file without showing the progress.

--help shows usage information.

The following table lists some general Linux operating system commands that can be useful in running your NGFW Engines. Some commands can be stopped by pressing Ctrl+C.

Table 2. General command line tools on NGFW Engines

dmesg
Shows system logs and other information. Use the -h option to see usage.

halt
Shuts down the system.

ip
Shows IP address information. Type the command without options to see usage. Example: type ip addr for basic information about all interfaces.

ping
Tests connectivity with ICMP echo requests. Type the command without options to see usage.

ps
Reports the status of running processes.

reboot
Reboots the system.

scp
Secure copy. Type the command without options to see usage.

sftp
Secure FTP. Type the command without options to see usage.

ssh
SSH client (for opening a terminal connection to other hosts). Type the command without options to see usage.

tcpdump
Gives information about network traffic. Use the -h option to see usage. You can also analyze network traffic by creating tcpdump files from the Management Client with the Traffic Capture feature.

top
Shows the top CPU processes taking most processor time. Use the -h option to see usage.

traceroute
Traces the route packets take to the specified destination. Type the command without options to see usage.

vpntool
Shows VPN information and allows you to issue some basic commands. Type the command without options to see usage.