Security Management Center commands
SMC commands include commands for the Management Server, Log Server, and Web Portal Server.
In Windows, the command line tools are *.bat script files. In Linux, the files are *.sh scripts. Commands are found in the following locations:
- For SMC installations on Linux or Windows, commands are found in the <installation directory>/bin directory.
- For the SMC Appliance, general SMC commands are found in the /usr/local/forcepoint/smc/bin directory.
- Commands that are specific to the SMC Appliance are found in the /usr/bin directory.
On the SMC Appliance, commands must be run with elevated permissions using sudo. A list of available sudo commands can be found by running sudo -l at the command line.
Commands that require parameters must be run through the command line (cmd.exe in Windows). Commands that do not require parameters can alternatively be run through a graphical user interface, and can be added as shortcuts during installation.
Command | Description |
---|---|
ambr-crl
(SMC Appliance only) [-a ADD|--add=ADD][-d DELETE|--delete=DELETE] [-q|--query][-i IMPORT_CRL|--import=IMPORT_CRL] [-v][-l <log file path>] [-h|--help] |
Fetches the certificate revocation lists (CRLs) for the CA certificates used by the appliance maintenance and bug remediation (AMBR) utilities. -a ADD, --add=ADD adds a CRL distribution point URL in the form of http://<url>. -d DELETE, --delete=DELETE deletes a CRL distribution point URL. -q, --query lists CRL distribution points. -i IMPORT_CRL, --import=IMPORT_CRL imports a CRL from a file. -v increases the verbosity of the command. You can repeat this command up to two times (-vv or -v -v) to further increase the verbosity. -l <log file path> specifies the path to a log file. -h, --help shows information about the command. |
ambr-decrypt
(SMC Appliance only) |
Decrypts an ambr patch; not normally used by administrators. ambr-install automatically decrypts patches. |
ambr-install <patch>
(SMC Appliance only) [-F|--force][-r|--skip-revocation] [--no-backup][--no-snapshot] [--no-prompt] [-v][-l <log file path>] [-h|--help] |
Installs an ambr patch that has been loaded on the system. You can install multiple patches with a space between each patch name. -F, --force forces the reinstallation of the patch or patches. -r, --skip-revocation skips the certificate revocation checks. --no-backup does not create a configuration backup. --no-snapshot does not create a recovery snapshot. --no-prompt does not prompt before restarting. -v increases the verbosity of the command. You can repeat this command up to two times to further increase the verbosity. -l <log file path> specifies the path to a log file. -h, --help shows information about the command. |
ambr-load <patch>
(SMC Appliance only) [-f IN_FILES|--file=IN_FILES][-r|--skip-revocation] [-v] [-l <log file path>][-h|--help] |
Loads an ambr patch onto the system from either the patch server or from the local file system. A loaded patch means that the file is copied to the local file system, but not installed. You can load multiple patches with a space between each patch name. -f IN_FILES, --file=IN_FILES specifies the local file to load. -r, --skip-revocation skips the certificate revocation checks. -v increases the verbosity of the command. You can repeat this command up to two times to further increase the verbosity. -l <log file path> specifies the path to a log file. -h, --help shows information about the command. |
ambr-query
(SMC Appliance only) [-c|--clean] [-u|--update] [-a|--all] [-j|--json] [-i INFO|--info=INFO <patch>] [-L <log file path>] [-v] [-h|--help] |
Shows patch information including:
-u, --update updates the remote patch list from a web server. -c, --clean cleans the remote patch cache. -a, --all shows all local and remote patches. -j, --json formats output as JSON. -i INFO, --info=INFO <patch> shows detailed information about the patch. You can get information about multiple patches in one command by separating the patch names with a space. -v increases the verbosity of the command. You can repeat this command up to two times to further increase the verbosity. -L <log file path> specifies the path to the file where log messages are written. -h, --help shows information about the command. |
ambr-unload <patch>
(SMC Appliance only) [-a|--all][-v] [-l <log file path>][-h|--help] |
Unloads an ambr patch from the system. The command deletes the patch file if it has not been installed, but it does not uninstall the patch. You can unload multiple patches with a space between each patch name. -a, --all unloads all loaded patches. -v increases the verbosity of the command. You can repeat this command up to two times to further increase the verbosity. -l <log file path> specifies the path to a log file. -h, --help shows information about the command. |
ambr-verify
(SMC Appliance only) |
Verifies the signature of a patch file; not normally used by administrators. ambr-install automatically verifies patches. |
cloudDiscoveryCLI (Requires installation of the Cloud Discovery Tool) |
Processes log data exported from the SMC to produce a summary report about cloud application usage. To use exported log data with the Cloud Discovery Tool, the data must be in Short CSV format. |
sgArchiveExport [host=<Management Server Address[\Domain]>] [login=<login name>] [pass=<password>] [format=<exporter format: CSV or XML>] i=<input files and/or directories> [o=<output file name>] [f=<filter file name>] [e=<filter expression>] [-h|-help|-?] [-v] |
Shows and exports logs from archive. Supports CEF, LEEF, and ESM formats in addition to CSV and XML. This command is only available on the Log Server. The operation checks permissions for the supplied administrator account from the Management Server to prevent unauthorized access to the logs. Enclose details in double quotes if they contain spaces. host specifies the address of the Management Server. If the parameter is not defined, the loopback address (localhost) is used. login defines the user name for the account that is used for this operation. If this parameter is not defined, the user name root is used. pass defines the password for the user account. format defines the file format for the output file. If this parameter is not defined, the XML format is used. i defines the source from which the logs are exported. Can be a folder or a file. The processing recurses into subfolders. o defines the destination file where the logs are exported. If this parameter is not defined, the output is shown on screen. f defines a file that contains the filtering criteria you want to use for filtering the log data. You can export log filters individually in the Management Client through the filter's right-click menu. e allows you to enter a filter expression manually (using the same syntax as exported filter files). -h, -help, or -? shows information about using the script. -v shows verbose output on the command execution. Example (exports logs from one full day to a file using a filter): sgArchiveExport login=admin pass=abc123 i=C:\Program Files\Forcepoint\SMC\data\archive\firewall\year2011\month12\.\sgB.day01\ f=C:\Program Files\Forcepoint\SMC\export\MyExportedFilter.flp format=CSV o=MyExportedLogs.csv |
sgBackupLogSrv [pwd=<password>] [path=<destpath>] [nodiskcheck] [comment=<comment>] [nofsstorage] [-h|--help] |
Note: For the SMC Appliance, use the smca-backup command.
Creates a backup of Log Server configuration data. The backup file is stored in the <installation directory>/backups/ directory. Twice the size of the log database is required on the destination drive. Otherwise, the operation fails. pwd enables encryption. path defines the destination path. nodiskcheck ignores the free disk check before creating the backup. comment allows you to enter a comment for the backup. The maximum length of a comment is 60 characters. nofsstorage creates a backup only of the Log Server configuration without the log data. -h or --help shows information about using the script. Also see sgRestoreLogBackup. |
sgBackupMgtSrv [pwd=<password>] [path=<destpath>] [nodiskcheck] [comment=<comment>] [-h|--help] |
Note: For the SMC Appliance, use the smca-backup command.
Creates a complete backup of the Management Server (including both the local configuration and the stored information in the configuration database). The backup file is stored in the <installation directory>/backups/ directory. Twice the size of the Management Server database is required on the destination drive. Otherwise, the operation fails. pwd enables encryption. path defines the destination path. nodiskcheck ignores the free disk check before creating the backup. comment allows you to enter a comment for the backup. The maximum length of a comment is 60 characters. -h or --help shows information about using the script. Also see sgRestoreMgtBackup and sgRecoverMgtDatabase. |
sgCertifyLogSrv [host=<Management Server Address[\Domain]>] |
Contacts the Management Server and creates a certificate for the Log Server to allow secure communications with other SMC components. Renewing an existing certificate does not require changing the configuration of any other SMC components. host specifies the address of the Management Server. If the parameter is not defined, the loopback address (localhost) is used. Domain specifies the administrative Domain the Log Server belongs to if the system is divided into administrative Domains. If the Domain is not specified, the Shared Domain is used. Stop the Log Server before running this command. Restart the server after running this command. |
sgCertifyMgtSrv
[login=<login name>] [pass=<password>] [standby-server=<name of additional Management Server>] [active-server=<IP address of active Management Server>] [-nodisplay] [-h|-help|-?] |
Creates a certificate for the Management Server to allow secure communications between the SMC components. Renewing an existing certificate does not require changes on any other SMC components. In an environment with only one Management Server, or to certify the active Management Server, stop the Management Server before running the sgCertifyMgtSrv command. Run the command without parameters. Restart the Management Server after running this command. To certify an additional Management Server, stop the additional Management Server before running the sgCertifyMgtSrv command. The active Management Server must be running when you run this command. The management database is replicated to the additional Management Server during the certification. The additional Management Server must have a connection to the active Management Server when you run this command. [login=<login name>] defines the user name for the account that is used for this operation. If this parameter is not defined, the user name root is used. [pass=<password>] defines the password for the user account. [standby-server] specifies the name of the additional Management Server to be certified. [active-server] specifies the IP address of the active Management Server. -nodisplay sets a text-only console. -h, -help, or -? shows information about using the script. |
sgCertifyWebPortalSrv [host=<Management Server Address[\Domain]>] |
Contacts the Management Server and creates a certificate for the Web Portal Server to allow secure communications with other SMC components. Renewing an existing certificate does not require changing the configuration of any other SMC components. host specifies the address of the Management Server. If the parameter is not defined, the loopback address (localhost) is used. Domain specifies the administrative Domain the Web Portal Server belongs to if the system is divided into administrative Domains. If the Domain is not specified, the Shared Domain is used. Stop the Web Portal Server before running this command. Restart the server after running this command. |
sgChangeMgtIPOnLogSrv <IP address> |
Changes the Management Server's IP address in the Log Server's local configuration to the IP address you give as a parameter. Use this command if you change the Management Server's IP address. Restart the Log Server service after running this command. |
sgChangeMgtIPOnMgtSrv <IP address> |
Changes the Management Server's IP address in the local configuration to the IP address you give as a parameter. Use this command if you change the Management Server's IP address. Restart the Management Server service after running this command. |
sgClient | Starts a locally installed Management Client. |
sgCreateAdmin |
Creates an unrestricted (superuser) administrator account. The Management Server must be stopped before running this command. |
sgExport
[host=<Management Server Address[\Domain]>] [login=<login name>] [pass=<password>] file=<file path and name> [type=<all|nw|ips|sv|rb|al|vpn>] [name=<element name 1, element name 2, ...>] [recursion] [-system] [-h|-help|-?] |
Exports elements stored on the Management Server to an XML file. Enclose details in double quotes if they contain spaces. host specifies the address of the Management Server. If the parameter is not defined, the loopback address (localhost) is used. Domain specifies the administrative Domain for this operation if the system is divided into administrative Domains. If the Domain is not specified, the Shared Domain is used. login defines the user name for the account that is used for this operation. If this parameter is not defined, the user name root is used. pass defines the password for the user account. file defines the name and location of the export .zip file.
type specifies which types of elements are included in the export file:
name allows you to specify by name the elements that you want to export. recursion includes referenced elements in the export, for example, the network elements used in a policy that you export. -system includes any system elements that are referenced by the other elements in the export. -h, -help, or -? shows information about using the script. |
sgHA [host=<Management Server Address[\Domain]>] [login=<login name>] [pass=<password>] [master=<Management Server used as master server for the operation>] [-set-active] [-set-standby] [-check] [-retry] [-force] [-restart] [-h|-help|-?] |
Controls active and standby Management Servers. If you want to perform a full database synchronization, use the sgOnlineReplication command. host specifies the address of the Management Server. If the parameter is not defined, the loopback address (localhost) is used. Domain specifies the administrative Domain for this operation if the system is divided into administrative Domains. If the Domain is not specified, the Shared Domain is used. login defines the user name for the account that is used for this operation. If this parameter is not defined, the user name root is used. pass defines the password for the user account. master defines the Management Server used as a master Management Server for the operation. -set-active activates and locks all administrative Domains. -set-standby deactivates and unlocks all administrative Domains. -check checks that the Management Server's database is in sync with the master Management Server. -retry retries replication if this has been stopped due to a recoverable error. -force enforces the operation even if all Management Servers are not in sync.
Note: This option can cause instability if used carelessly.
-restart restarts the specified Management Server. -h, -help, or -? shows information about using the script. |
sgImport [host=<Management Server Address[\Domain]>] [login=<login name>] [pass=<password>] file=<file path and name> [-replace_all] [-h|-help|-?] |
Imports Management Server database elements from an XML file. When importing, existing (non-default) elements are overwritten if both the name and type match. host specifies the address of the Management Server. If the parameter is not defined, the loopback address (localhost) is used. Domain specifies the administrative Domain for this operation if the system is divided into administrative Domains. If the Domain is not specified, the Shared Domain is used. login defines the user name for the account that is used for this operation. If this parameter is not defined, the user name root is used. pass defines the password for the user account. file defines the .zip file whose contents you want to import. -replace_all ignores all conflicts by replacing all existing elements with new ones. -h, -help, or -? shows information about using the script. |
sgImportExportUser
[-h|-help|-?] |
Imports and exports a list of Users and User Groups in an LDIF file from/to a Management Server's internal LDAP database. To import User Groups, all User Groups in the LDIF file must be directly under the stonegate top-level group (dc=stonegate). CAUTION: The user information in the export file is stored as plaintext. Handle the file securely.
host specifies the address of the Management Server. If the parameter is not defined, the loopback address (localhost) is used. Domain specifies the administrative Domain for this operation if the system is divided into administrative Domains. If the Domain is not specified, the Shared Domain is used. login defines the user name for the account that is used for this operation. If this parameter is not defined, the user name root is used. pass defines the password for the user account. action defines whether users are imported or exported. file defines the file that is used for the operation. Example: sgImportExportUser login=admin pass=abc123 action=export file=c:\temp\exportedusers.ldif -h, -help, or -? shows information about using the script. |
sgInfo SG_ROOT_DIR FILENAME [fast=<timestamp>] [list] [hprof=none|limited|all] [-nolog] [-client] [-h|-help|-?] |
Creates a .zip file that contains copies of configuration files and the system trace files. The resulting .zip file is stored in the logged on user's home directory. The file location is shown on the last line of screen output. Provide the generated file to support for troubleshooting purposes. Note: On the SMC Appliance, you must always specify the path to the directory in which the .zip file is stored. The directory must be accessible from the account that you use to log on to the command line of the SMC Appliance.
SG_ROOT_DIR SMC installation directory. FILENAME name of output file. fast collects only traces that changed after the specified time stamp. Enter the time stamp in milliseconds or in the format yyyy-MM-dd HH:mm:ss. No other information is collected, except for threaddumps. [list] only lists files. It does not create a .zip file or generate threaddumps. hprof defines whether hprof memory dump files are included.
-nolog extended Log Server information is not collected. -client collects traces only from the Management Client. -h, -help, or -? shows information about using the script. |
sgOnlineReplication [active-server=<name of active Management Server>] [-nodisplay] [-h|-help|-?] |
Replicates the Management Server's database from the active Management Server to an additional Management Server. Stop the Management Server to which the database is replicated before running this command. Restart the Management Server after running this command. Use this script to replicate the database only in the following cases:
CAUTION: This script also has parameters that are for the internal use of the Management Server only. Do not use this script with any parameters other than the ones listed here.
active-server specifies the IP address of the active Management Server from which the Management database is replicated. -nodisplay sets a text-only console. -h, -help, or -? shows information about using the script. |
sgReinitializeLogServer | Creates a Log Server configuration if the configuration file has been lost. Note: This script is located in <installation directory>/bin/install. |
sgRestoreArchive <ARCHIVE_DIR> |
Restores logs from archive files to the Log Server. This command is available only on the Log Server. ARCHIVE_DIR is the number of the archive directory (0–31) from where the logs will be restored. By default, only archive directory 0 is defined. The archive directories can be defined in the <installation directory>/data/LogServerConfiguration.txt file: ARCHIVE_DIR_xx=PATH. |
sgRestoreLogBackup [-pwd=<password>] [-backup=<backup file name>] [-nodiskcheck] [-overwrite-syslog-template] [-h|-help] |
Restores the Log Server (logs or configuration files) from a backup file in the <installation directory>/backups/ directory. -pwd defines a password for encrypted backup. -backup defines a name for the backup file. -nodiskcheck ignores the free disk check before backup restoration. -overwrite-syslog-template overwrites a syslog template file if found in the backup. -h or -help shows information about using the script. |
sgRestoreMgtBackup [-pwd=<password>] [-backup=<backup file name>] [-import-license <license file name>] [-nodiskcheck] [-h|-help] |
Restores the Management Server (database or configuration files) from a backup file in the <installation directory>/backups/ directory. -pwd defines a password for encrypted backup. -backup defines a name for the backup file. -import-license specifies a license file to import during the backup restoration. -nodiskcheck ignores the free disk check before backup restoration. -h or -help shows information about using the script. |
sgRevert |
Reverts to the previous installation saved during the upgrade process. The previous installation can be restored at any time, even after a successful upgrade. Note: This script is located in <installation directory>/bin/uninstall. |
sgShowFingerPrint | Shows the CA certificate's fingerprint on the Management Server. |
sgStartLogSrv | Starts the Log Server and its database. |
sgStartMgtDatabase |
Starts the Management Server's database. There is usually no need to use this script. |
sgStartMgtSrv | Starts the Management Server and its database. |
sgStartWebPortalSrv | Starts the Web Portal Server. |
sgStopLogSrv | Stops the Log Server. |
sgStopMgtSrv | Stops the Management Server and its database. |
sgStopMgtDatabase |
Stops the Management Server's database. There is usually no need to use this script. |
sgStopWebPortalSrv | Stops the Web Portal Server. |
sgStopRemoteMgtSrv [host=<Management Server address[\Domain]>] [login=<login name>] [pass=<password>] [-h|-help|-?] |
Stops the Management Server service when run without arguments. To stop a remote Management Server service, provide the arguments to connect to the Management Server. host is the Management Server's host name if not localhost. login is an SMC administrator account for the logon. pass is the password for the administrator account. -h, -help, or -? shows information about using the script. |
sgTextBrowser
[host=<Management Server address[\Domain]>] [login=<login name>][pass=<password>] [format=<CSV|XML>][o=<output file>] [f=<filter file>][e=<filter expression>] [m=<current|stored>][limit=<maximum number of unique records to fetch>] [-h|-help|-?] |
Shows or exports current or stored logs. This command is available on the Log Server. Enclose the file and filter names in double quotes if they contain spaces. host defines the address of the Management Server used for checking the logon information. If this parameter is not defined, the Management Server is expected to be on the same host where the script is run. If Domains are in use, you can specify the Domain the Log Server belongs to. If the Domain is not specified, the Shared Domain is used. login defines the user name for the account that is used for this export. If this parameter is not defined, the user name root is used. pass defines the password for the user account used for this operation. format defines the file format for the output file. If this parameter is not defined, the XML format is used. o defines the destination output file where the logs will be exported. If this parameter is not defined, the output is shown on screen. f defines the exported filter file that you want to use for filtering the log data. e defines the filter that you want to use for filtering the log data. Type the name as shown in the Management Client. m defines whether you want to view or export logs as they arrive on the Log Server (current) or logs stored in the active storage directory (stored). If this option is not defined, the current logs are used. limit defines the maximum number of unique records to be fetched. The default value is unlimited. -h, -help, or -? shows information about using the script. |
smca-agent (SMC Appliance only) |
Used by the SMC to exchange configuration data between the SMC and the operating system; not normally used by administrators. The agent configures the NTP and SNMP daemons and sets the logon and SSH banners. |
smca-backup (SMC Appliance only) [-pwd <password>] [-comment <comment>] [-nodiskcheck] [-nofsstorage] [-path <destination>] [-log] [-mgt] [-h|--help] |
Creates a configuration backup of the SMC Appliance operating system and includes an SMC backup. -pwd <password> enables the encryption of the backup file and sets the password. -comment <comment> adds a comment to the backup file name. -nodiskcheck turns off the available disk space check. -nofsstorage excludes the log files for the Log Server from the backup. -path <destination> specifies a path for backup file storage. The default directory for backups is /usr/local/forcepoint/smc/backups. -log creates a Log Server backup. -mgt creates a Management Server backup. -h, --help shows information about the command. Also see sgRestoreLogBackup and sgRestoreMgtBackup. |
smca-cifs (SMC Appliance only) [add] [remove] [-n <name>] [-s //<server>/<share>] [-u <username>] [-p <password>] [-d <domain>] |
Configures the mounting of remote CIFS file shares on the SMC Appliance. add adds the CIFS share. remove removes the CIFS share. Use with the name option. -n <name> specifies the name of the share. -s //<server>/<share> specifies the server or IP address of the share. -u <username> specifies the user name to authenticate with the CIFS server to get access to the share. -p <password> specifies the password on remote system. -d <domain> specifies the domain of the share. |
smca-restore (SMC Appliance only) [-pwd <password>] [-nodiskcheck] [-backup <filename>] [-nosmca] [-smcaonly] [-overwrite-syslog-template] [-h|-help] |
Restores a backup on the SMC Appliance. -pwd <password> specifies the password for decrypting an encrypted backup file. -nodiskcheck turns off the available disk space check. -backup <filename> specifies the backup file name. If you do not specify the backup file name, you are prompted to select the backup file. [-nosmca] restores the Management Server or Log Server backup without restoring the SMC Appliance configuration. [-smcaonly] restores the SMC Appliance configuration without restoring the Management Server or Log Server backup. -overwrite-syslog-template overwrites any existing syslog templates in the log backup file. -h, --help shows information about the command. |
smca-rsync (SMC Appliance only) [add] [modify] [remove] [enable] [disable] [list] [run] [-t task_id] [-i <source directory>] [-o <destination directory>] [-m <mode>] [-h|-help] |
Configures automated backup tasks. Typically used with the smca-cifs command to move backups off the appliance. add adds a backup task. You can specify existing source and destination directories. If not specified, the default is /usr/local/forcepoint/smc/backups/. modify changes an existing backup task by its task ID. All attributes can be changed, except for the task ID. To change an attribute, use the appropriate option with a new value. remove removes an existing backup task by its task ID. enable enables an existing backup task by its task ID. disable disables an existing backup task by its task ID. list provides a list of all configured backup tasks. run runs all enabled backup tasks. -t task_id specifies the task ID. Use the list command to view the task IDs. -i <source directory> specifies the directory where the backups are stored when they are created. If omitted, the source directory defaults to the SMC backups directory /usr/local/forcepoint/smc/backups/. -o <destination directory> specifies the remote location to store the backups. -m <mode> specifies the rsync mode. You can indicate whether rsync appends or mirrors the source directory to the destination directory. Appending the directory means that existing files in the destination directory, that are not in the source directory or are newer than those files in the source directory, are not changed. If omitted, the mode defaults to append. -h, --help shows information about the command. |
smca-system (SMC Appliance only) [toggle] [toggle-vcdrom] [mirror [-n <name>]] [snapshot [-C|--create] [-R|--restore] [-D, --delete] [-n <name>]] [serial-number] [fingerprint] [toggle-console] [bootloader-password [-s|--set] [-r|--remove]] [netconfig] [log-view [<filename>]] [fips-config] [-f] [-h|-help] |
Manages recovery snapshots, alternate partition mirroring, and changing system partition boot preference. toggle restarts the appliance to the alternate partition. toggle-vcdrom sets the appliance's default boot option to the vcdrom. mirror mirrors the active system to the alternate system. -n <name> specifies the name of the snapshot used for mirror operations.
snapshot manages recovery snapshots.
[serial-number] shows the hardware serial number for the SMC Appliance. [fingerprint] shows the fingerprint for the CA used by the Management Client. toggle-console enables or disables the serial console on the SMC Appliance. bootloader-password manages the bootloader password for the SMC Appliance.
netconfig sets up network-related configuration, such as IPv6 configuration. log-view <filename> shows the contents of the specified log file in the SMC Appliance log data directory /var/log or in any of the subdirectories of /var/log. log-view -l shows a list of all available log files. fips-config modifies the SMC Appliance configuration to support FIPS certification. -f forces the procedure, does not prompt for any confirmation.
-h, --help shows information about the command. |
smca-user (SMC Appliance only) |
This utility is used by the SMC Appliance to keep user accounts in sync between the SMC and the operating system; not normally used by administrators. |
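
Several commands in the table take the account or backup password as a command-line parameter (pass=, pwd=, -pwd=, -pwd <password>, -p <password>), so the value ends up in clear text wherever command lines are recorded, such as shell history or process auditing. The following is an added example, not part of the SMC tooling: a Python filter that masks those parameters before command lines are stored or forwarded. The sample history, the mask string, and the two accepted quoting forms (pass="a b" and "pass=a b") are assumptions made for illustration.

```python
import re

MASK = "********"
# A token is a run of non-space characters; "double-quoted" parts may hold spaces.
TOKEN = re.compile(r'(?:"[^"]*"|\S)+')

# Password parameters as documented in the command table above.
# kv: the secret follows '=' in the same argument; flag: the secret is the next argument.
RULES = {}
for _cmd in ("sgArchiveExport", "sgCertifyMgtSrv", "sgExport", "sgHA", "sgImport",
             "sgImportExportUser", "sgStopRemoteMgtSrv", "sgTextBrowser"):
    RULES[_cmd.lower()] = {"kv": {"pass"}, "flag": set()}
for _cmd in ("sgBackupLogSrv", "sgBackupMgtSrv"):
    RULES[_cmd.lower()] = {"kv": {"pwd"}, "flag": set()}
for _cmd in ("sgRestoreLogBackup", "sgRestoreMgtBackup"):
    RULES[_cmd.lower()] = {"kv": {"-pwd"}, "flag": set()}
for _cmd in ("smca-backup", "smca-restore"):
    RULES[_cmd.lower()] = {"kv": set(), "flag": {"-pwd"}}
RULES["smca-cifs"] = {"kv": set(), "flag": {"-p"}}


def _command_name(token):
    """Reduce a token such as "C:\\...\\bin\\sgExport.bat" to 'sgexport'."""
    name = re.split(r"[\\/]", token.strip('"'))[-1].lower()
    return re.sub(r"\.(sh|bat)$", "", name)


def redact(cmdline):
    """Return (command line with password values masked, number of values masked).

    Lines that do not invoke a listed command are returned unchanged. In a
    redacted line, runs of whitespace are normalised to single spaces.
    """
    tokens = TOKEN.findall(cmdline)
    # Skip wrappers such as sudo: the first token naming a listed command wins.
    start = next((i for i, t in enumerate(tokens) if _command_name(t) in RULES), None)
    if start is None:
        return cmdline, 0
    rule = RULES[_command_name(tokens[start])]
    out, hits, mask_next = tokens[:start + 1], 0, False
    for tok in tokens[start + 1:]:
        key, sep, _ = tok.lstrip('"').partition("=")
        if mask_next:                      # value of a preceding -pwd / -p flag
            out.append(MASK)
            hits, mask_next = hits + 1, False
        elif sep and key.lower() in rule["kv"]:
            out.append(f"{key}={MASK}")
            hits += 1
        else:
            out.append(tok)
            mask_next = tok in rule["flag"]
    return " ".join(out), hits


def scan(lines):
    """Return (line number, redacted line) for every line that carried a password."""
    findings = []
    for number, line in enumerate(lines, 1):
        clean, hits = redact(line)
        if hits:
            findings.append((number, clean))
    return findings


# Constructed sample input: command lines as they might appear in a shell history.
SAMPLE_HISTORY = [
    "sgArchiveExport login=admin pass=abc123 format=CSV o=MyExportedLogs.csv",
    "sudo smca-backup -pwd Backup-Pw1 -comment weekly -mgt",
    "sudo /usr/local/forcepoint/smc/bin/sgRestoreMgtBackup.sh -pwd=Backup-Pw1 -nodiskcheck",
    'sgBackupMgtSrv.bat "pwd=two words" comment=weekly',
    'sudo smca-cifs add -n offsite -s //fs01.example/smc -u svc-backup -p "two words"',
    "sudo smca-rsync list",
    "ls -p /tmp",
]

if __name__ == "__main__":
    for number, clean in scan(SAMPLE_HISTORY):
        print(f"line {number}: {clean}")
```
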