Forcepoint NGFW Engine commands

There are commands that can be run on the command line on Firewall, Layer 2 Firewall, IPS engines, or Master NGFW Engines.

Note: Using the Management Client is the recommended configuration method, as most of the same tasks can be done through it.
Note: All command line tools that are available for single NGFW Engines are also available for Virtual NGFW Engines that have the same role. However, there is no direct access to the command line of Virtual NGFW Engines. Commands to Virtual NGFW Engines must be sent from the command line of the Master NGFW Engine using the se-virtual-engine command.
Table 1. Forcepoint NGFW command line tools
Each entry gives the command syntax, the engine roles on which the command is available, and a description.

sg-blacklist
    show [-v] [-f FILENAME] |
    add [ [-i FILENAME] |
          [src IP_ADDRESS/MASK] [src6 IPv6_ADDRESS/PREFIX]
          [dst IP_ADDRESS/MASK] [dst6 IPv6_ADDRESS/PREFIX]
          [proto {tcp|udp|icmp|NUM}] [srcport PORT{-PORT}] [dstport PORT{-PORT}]
          [duration NUM] ] |
    del [ [-i FILENAME] |
          [src IP_ADDRESS/MASK] [src6 IPv6_ADDRESS/PREFIX]
          [dst IP_ADDRESS/MASK] [dst6 IPv6_ADDRESS/PREFIX]
          [proto {tcp|udp|icmp|NUM}] [srcport PORT{-PORT}] [dstport PORT{-PORT}]
          [duration NUM] ] |
    iddel NODE_ID ID |
    flush

Engine role: Firewall, Layer 2 Firewall, IPS

Used to view, add, or delete active blacklist entries.

The blacklist is applied as defined in Access Rules.

show displays the current active blacklist entries in the format: engine node ID | blacklist entry ID | (internal) | entry creation time | (internal) | address and port match | originally set duration | (internal) | (internal). Use the -f option to specify a storage file to view (/data/blacklist/db_<number>). The -v option adds the operation's details to the output.

add creates a blacklist entry. Enter the parameters or use the -i option to import parameters from a file.

del deletes the first matching blacklist entry. Enter the parameters or use the -i option to import parameters from a file.

iddel removes one specific blacklist entry on one specific engine. NODE_ID is the engine's ID, ID is the blacklist entry's ID (as shown by the show command).

flush deletes all blacklist entries.

Add/Del Parameters:

Enter at least one parameter. The default value is used for the parameters that you omit. You can also save parameters in a text file; each line in the file is read as one blacklist entry.

src defines the source IP address and netmask to match. Matches any IP address by default.

src6 defines the source IPv6 and prefix length to match. Matches any IPv6 address by default.

dst defines the destination IP address and netmask to match. Matches any IP address by default.

dst6 defines the destination IPv6 address and prefix length to match. Matches any IPv6 address by default.

proto defines the protocol to match by name or protocol number. Matches all IP traffic by default.

srcport defines the TCP/UDP source port or range to match. Matches any port by default.

dstport defines the TCP/UDP destination port or range to match. Matches any port by default.

duration defines in seconds how long the entry is kept. The default is 0, which cuts current connections but does not keep the entry.

Examples:
    sg-blacklist add src 192.168.0.2/32 proto tcp dstport 80 duration 60
    sg-blacklist add -i myblacklist.txt
    sg-blacklist del dst 192.168.1.0/24 proto 47
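Because a parameter file is read one entry per line and a malformed line is easy to overlook, it helps to check the file before importing it. The following script is an added example, not part of the Forcepoint documentation: it validates each line against the add/del parameters listed above, using a constructed sample file and a hypothetical file name, and only calls sg-blacklist add -i when the tool is present on the host.

```shell
# Added example, not part of the Forcepoint documentation: check a parameter
# file before handing it to "sg-blacklist add -i FILE". Each line holds the
# parameters of one entry, written as they would follow "sg-blacklist add".

# Validate one entry line. Returns 0 if every keyword is a documented add/del
# parameter with a well-formed value, 1 otherwise (reason printed on stderr).
validate_blacklist_line() {
    set -- $1                      # split the line into keyword/value tokens
    [ $# -gt 0 ] || { echo "empty entry" >&2; return 1; }
    while [ $# -gt 0 ]; do
        key=$1; val=$2
        [ -n "$val" ] || { echo "missing value for '$key'" >&2; return 1; }
        case $key in
            src|dst)         # IPv4 address with mask length, e.g. 192.168.0.2/32
                pat='^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$' ;;
            src6|dst6)       # IPv6 address with prefix length, e.g. 2001:db8::/32
                pat='^[0-9A-Fa-f:]+/([0-9]|[1-9][0-9]|1[01][0-9]|12[0-8])$' ;;
            proto)           # tcp, udp, icmp or a protocol number
                pat='^(tcp|udp|icmp|[0-9]{1,3})$' ;;
            srcport|dstport) # single port or PORT-PORT range
                pat='^[0-9]{1,5}(-[0-9]{1,5})?$' ;;
            duration)        # seconds; 0 (the default) only cuts current connections
                pat='^[0-9]+$' ;;
            *) echo "unknown parameter '$key'" >&2; return 1 ;;
        esac
        echo "$val" | grep -Eq "$pat" || { echo "bad value '$val' for '$key'" >&2; return 1; }
        shift 2
    done
    return 0
}

# Validate a whole import file; returns 0 only if every line is acceptable.
validate_blacklist_file() {
    rc=0
    while IFS= read -r entry || [ -n "$entry" ]; do
        validate_blacklist_line "$entry" || { echo "rejected: $entry" >&2; rc=1; }
    done < "$1"
    return $rc
}

# Constructed sample file (not a real blacklist) to demonstrate the checks.
tmp=${TMPDIR:-/tmp}/myblacklist.$$
printf '%s\n' \
    'src 192.168.0.2/32 proto tcp dstport 80 duration 60' \
    'dst6 2001:db8::/32 proto udp srcport 1024-65535 duration 300' \
    > "$tmp"
if validate_blacklist_file "$tmp" && command -v sg-blacklist >/dev/null 2>&1; then
    sg-blacklist add -i "$tmp"     # only runs on an engine where the tool exists
fi
rm -f "$tmp"
```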

sg-bootconfig
    [--primary-console=tty0|ttyS PORT,SPEED]
    [--secondary-console=[tty0|ttyS PORT,SPEED]]
    [--flavor=up|smp] [--initrd=yes|no] [--crashdump=yes|no|Y@X]
    [--append=kernel options] [--help]
    apply

Engine role: Firewall, Layer 2 Firewall, IPS

Used to edit boot command parameters for future bootups.

--primary-console defines the terminal settings for the primary console.

--secondary-console defines the terminal settings for the secondary console.

--flavor defines whether the kernel is uniprocessor or multiprocessor.

--initrd defines whether Ramdisk is enabled or disabled.

--crashdump defines whether kernel crashdump is enabled or disabled, and how much memory is allocated to the crash dump kernel (Y). The default is 24M. X must always be 16M.

--append defines any other boot options to add to the configuration.

--help displays usage information.

apply applies the specified configuration options.

sg-clear-all
    [--help] [--flash-defaults] [--dry-run] [--on-boot]
    [--reboot | --shutdown] [--fast | --wipe <number>]
    [--debug | --verbose]

Engine role: Firewall, Layer 2 Firewall, IPS

This command restores the factory default settings on the engine.

[--help] displays usage information.

[--flash-defaults] assumes that the engine has a flash data partition and a RAM spool partition.

[--dry-run] exits without shutting down or restarting when command execution finishes.

[--on-boot] indicates that the engine is starting up. This option is not intended for normal command line use.

[--reboot] always restarts the engine when command execution finishes.

[--shutdown] always shuts down the engine when command execution finishes.

[--fast] runs a minimal, non-interactive clear for testing purposes.

[--wipe <number>] globally specifies the number of times to wipe partitions.

[--debug] shows full debug messages during command execution.

[--verbose] shows additional informational messages during command execution.

Note: If you run the command without specifying any options, the engine requests confirmation before restarting. When the engine restarts, you are prompted to select the system restore options.

After using this command, you can reconfigure the engine using the sg-reconfigure command.

sg-cluster [-v <virtual engine ID>]
    [status [-c SECONDS]] [versions] [online] [lock-online] [offline]
    [lock-offline] [standby] [safe-offline] [force-offline]

Engine role: Firewall, Layer 2 Firewall, IPS

Used to display or change the status of the node.

-v (Master NGFW Engine only) specifies the ID of the Virtual NGFW Engine on which to execute the command.

status displays cluster status. When -c SECONDS is used, the status is shown continuously with the specified number of seconds between updates.

version displays the engine software versions of the nodes in the cluster.

online sends the node online.

lock-online sends the node online and keeps it online, even if another process tries to change its state.

offline sends the node offline.

lock-offline sends the node offline and keeps it offline, even if another process tries to change its state.

standby sets an active node to standby.

safe-offline sets the node to offline only if there is another online node.

force-offline sets the node online regardless of state or any limitations. Also sets all other nodes offline.

sg-contact-mgmt

Engine role: Firewall, Layer 2 Firewall, IPS

Used for establishing a trust relationship with the Management Server as part of engine installation or reconfiguration (see sg-reconfigure).

The engine contacts the Management Server using the one-time password created when the engine's initial configuration is saved.

sg-dynamic-routing
    [start] [stop] [restart] [force-reload] [backup <file>] [restore <file>]
    [sample-config] [route-table] [info]

Engine role: Firewall

start starts the Quagga routing suite.

stop stops the Quagga routing suite and flushes all routes made by zebra.

restart restarts the Quagga routing suite.

force-reload forces reload of the saved configuration.

backup backs up the current configuration to a compressed file.

restore restores the configuration from the specified file.

sample-config creates a basic configuration for Quagga.

route-table prints the current routing table.

info displays the help information for the sg-dynamic-routing command, and detailed information about Quagga suite configuration with vtysh.

sg-ipsec -d
    [-u <username[@domain]> | -si <session id> | -ck <ike cookie> |
     -tri <transform id> | -ri <remote ip> | -ci <connection id>]

Engine role: Firewall

Deletes VPN-related information (use the vpntool command to view the information). Option -d (for delete) is mandatory.

-u deletes the VPN session of the named VPN client user. You can enter the user account in the form <user_name@domain> if there are several user storage locations (LDAP domains).

-si deletes the VPN session of a VPN client user based on session identifier.

-ck deletes the IKE SA (Phase one security association) based on IKE cookie.

-tri deletes the IPSEC SAs (Phase two security associations) for both communication directions based on transform identifier.

-ri deletes all SAs related to a remote IP address in site-to-site VPNs.

-ci deletes all SAs related to a connection identifier in site-to-site VPNs.

sg-logger -f FACILITY_NUMBER -t TYPE_NUMBER [-e EVENT_NUMBER] [-i "INFO_STRING"] [-s] [-h]

Engine role: Firewall, Layer 2 Firewall, IPS

Used in scripts to create log messages with the specified properties.

-f defines the facility for the log message.

-t defines the type for the log message.

-e defines the log event for the log message. The default is 0 (H2A_LOG_EVENT_UNDEFINED).

-i defines the information string for the log message.

-s dumps information about option numbers to stdout.

-h displays usage information.

sg-raid [-status] [-add] [-re-add] [-force] [-help]

Engine role: Firewall, Layer 2 Firewall, IPS

Configures a new hard drive.

This command is only for Forcepoint NGFW appliances that support RAID (Redundant Array of Independent Disks) and have two hard drives.

-status displays the status of the hard drive.

-add adds a new empty hard drive. Use -add -force if you want to add a hard drive that already contains data and you want to overwrite it.

-re-add adds a hard drive that is already partitioned. This command prompts for the drive and partition for each degraded array. Use -re-add -force if you want to check all arrays.

-help displays usage information.

sg-reconfigure [--maybe-contact] [--no-shutdown] [--stop-autocontact]

Engine role: Firewall, Layer 2 Firewall, IPS

Starts the NGFW Initial Configuration Wizard. Used for reconfiguring the node manually.

CAUTION:
This script also has parameters that are for the internal use of the engine only. Do not use this script with any parameters other than the ones listed here.

--maybe-contact contacts the Management Server if requested. This option is only available on firewall engines.

--no-shutdown allows you to make limited configuration changes on the node without shutting it down. Some changes might not be applied until the node is rebooted.

--stop-autocontact (unconfigured Forcepoint NGFW appliances with valid POS codes only) prevents the engine from contacting the installation server for plug-and-play configuration when it reboots.

sg-selftest [-d] [-h]

Engine role: Firewall

Runs cryptography tests on the engine.

-d runs the tests in debug mode.

-h displays usage information.

sg-status [-l] [-h]

Engine role: Firewall, Layer 2 Firewall, IPS

Displays information about the engine's status.

-l displays all available information about engine status.

-h displays usage information.

sg-toggle-active SHA1 SIZE | --force [--debug]

Engine role: Firewall, Layer 2 Firewall, IPS

Switches the engine between the active and the inactive partition.

This change takes effect when you reboot the engine.

You can use this command, for example, if you have upgraded an engine and want to switch back to the earlier engine version. When you upgrade the engine, the active partition is switched. The earlier configuration remains on the inactive partition. To see the currently active (and inactive) partition, see the directory listing of /var/run/stonegate (ls -l /var/run/stonegate).

The SHA1 option is used to verify the signature of the inactive partition before changing it to active. If you downgrade the engine, check the checksum and the size of the earlier upgrade package by extracting the signature and size files from the sg_engine_[version.build]_i386.zip file.

--debug reboots the engine with the debug kernel.

--force switches the active configuration without first verifying the signature of the inactive partition.

sg-upgrade

Engine role: Firewall

Upgrades the node by rebooting from the installation DVD.

Alternatively, the node can be upgraded remotely using the Management Client.

sg-version

Engine role: Firewall, Layer 2 Firewall, IPS

Displays the software version and build number for the node.

se-virtual-engine
    -l | --list
    -v <virtual engine ID>
    -e | --enter
    -E "<command [options]>"
    -h | --help

Engine role: Firewall (Master NGFW Engine only)

Used to send commands to Virtual Firewalls from the command line of the Master NGFW Engine.

All commands that can be used for the Firewall role can also be used for Virtual Firewalls.

-l or --list lists the active Virtual NGFW Engines.

-v specifies the ID of the Virtual NGFW Engine on which to execute the command.

-e or --enter enters the command shell for the Virtual NGFW Engine specified with the -v option. To exit the command shell, type exit.

-E executes the specified command on the Virtual NGFW Engine specified with the -v option.

-h or --help displays usage information.

sginfo [-f] [-d] [-s] [-p] [--] [--help]

Engine role: Firewall, Layer 2 Firewall, IPS

Gathers system information you can send to Forcepoint support.

Use this command only when instructed to do so by Forcepoint support.

-f forces sgInfo even if the configuration is encrypted.

-d includes core dumps in the sgInfo file.

-s includes slapcat output in the sgInfo file.

-p includes passwords in the sgInfo file (by default passwords are erased from the output).

-- creates the sgInfo file without displaying the progress.

--help displays usage information.

The following table lists some general Linux operating system commands that can be useful in running your engines. Some commands can be stopped by pressing Ctrl+C.

Table 2. General command line tools on engines
Each entry gives the command and a description.

dmesg
Shows system logs and other information. Use the -h option to see usage.

halt
Shuts down the system.

ip
Displays IP address information. Type the command without options to see usage. Example: type ip addr for basic information about all interfaces.

ping
Tests connectivity with ICMP echo requests. Type the command without options to see usage.

ps
Reports the status of running processes.

reboot
Reboots the system.

scp
Secure copy. Type the command without options to see usage.

sftp
Secure FTP. Type the command without options to see usage.

ssh
SSH client (for opening a terminal connection to other hosts). Type the command without options to see usage.

tcpdump
Gives information about network traffic. Use the -h option to see usage. You can also analyze network traffic by creating tcpdump files from the Management Client with the Traffic Capture feature.

top
Displays the processes that are taking the most processor time. Use the -h option to see usage.

traceroute
Traces the route packets take to the specified destination. Type the command without options to see usage.

vpntool
Displays VPN information and allows you to issue some basic commands. Type the command without options to see usage.