Forcepoint NGFW Engine commands
The following commands can be run on the command line of Firewall, Layer 2 Firewall, IPS, or Master NGFW Engines.
Command | Engine role | Description |
---|---|---|
sg-blacklist show [-v] [-f FILENAME] \| add [ [-i FILENAME] \| [src IP_ADDRESS/MASK] [src6 IPv6_ADDRESS/PREFIX] [dst IP_ADDRESS/MASK] [dst6 IPv6_ADDRESS/PREFIX] [proto {tcp\|udp\|icmp\|NUM}] [srcport PORT{-PORT}] [dstport PORT{-PORT}] [duration NUM] ] \| del [ [-i FILENAME] \| [src IP_ADDRESS/MASK] [src6 IPv6_ADDRESS/PREFIX] [dst IP_ADDRESS/MASK] [dst6 IPv6_ADDRESS/PREFIX] [proto {tcp\|udp\|icmp\|NUM}] [srcport PORT{-PORT}] [dstport PORT{-PORT}] [duration NUM] ] \| iddel NODE_ID ID \| flush | Firewall, Layer 2 Firewall, IPS | Used to view, add, or delete active blacklist entries. The blacklist is applied as defined in Access Rules. show displays the current active blacklist entries in the format: engine node ID \| blacklist entry ID \| (internal) \| entry creation time \| (internal) \| address and port match \| originally set duration \| (internal) \| (internal). Use the -f option to specify a storage file to view (/data/blacklist/db_<number>). The -v option adds details of the operation to the output. add creates a blacklist entry. Enter the parameters or use the -i option to import parameters from a file. del deletes the first matching blacklist entry. Enter the parameters or use the -i option to import parameters from a file. iddel removes one specific blacklist entry on one specific engine. NODE_ID is the engine's ID, ID is the blacklist entry's ID (as shown by the show command). flush deletes all blacklist entries. Add/Del parameters: enter at least one parameter. The default value is used for the parameters that you omit. You can also save parameters in a text file; each line in the file is read as one blacklist entry. src defines the source IP address and netmask to match. Matches any IP address by default. src6 defines the source IPv6 address and prefix length to match. Matches any IPv6 address by default. dst defines the destination IP address and netmask to match. Matches any IP address by default. dst6 defines the destination IPv6 address and prefix length to match. Matches any IPv6 address by default. proto defines the protocol to match by name or protocol number. Matches all IP traffic by default. srcport defines the TCP/UDP source port or range to match. Matches any port by default. dstport defines the TCP/UDP destination port or range to match. Matches any port by default. duration defines in seconds how long the entry is kept. The default is 0, which cuts current connections but does not keep the entry. Examples: sg-blacklist add src 192.168.0.2/32 proto tcp dstport 80 duration 60; sg-blacklist add -i myblacklist.txt; sg-blacklist del dst 192.168.1.0/24 proto 47 |
sg-bootconfig [--primary-console=tty0\|ttyS PORT,SPEED] [--secondary-console=[tty0\|ttyS PORT,SPEED]] [--flavor=up\|smp] [--initrd=yes\|no] [--crashdump=yes\|no\|Y@X] [--append=kernel options] [--help] apply | Firewall, Layer 2 Firewall, IPS | Used to edit boot command parameters for future bootups. --primary-console defines the terminal settings for the primary console. --secondary-console defines the terminal settings for the secondary console. --flavor defines whether the kernel is uniprocessor or multiprocessor. --initrd defines whether Ramdisk is enabled or disabled. --crashdump defines whether kernel crashdump is enabled or disabled, and how much memory is allocated to the crash dump kernel (Y). The default is 24M. X must always be 16M. --append defines any other boot options to add to the configuration. --help displays usage information. apply applies the specified configuration options. |
sg-clear-all [--help] [--flash-defaults] [--dry-run] [--on-boot] [--reboot \| --shutdown] [--fast \| --wipe <number>] [--debug \| --verbose] | Firewall, Layer 2 Firewall, IPS | This command restores the factory default settings on the engine. --help displays usage information. --flash-defaults assumes that the engine has a flash data partition and a RAM spool partition. --dry-run exits without shutting down or restarting when command execution finishes. --on-boot indicates that the engine is starting up. This option is not intended to be used in normal command line usage. --reboot: the engine always restarts when command execution finishes. --shutdown: the engine always shuts down when command execution finishes. --fast runs a minimal, non-interactive clear for testing purposes. --wipe <number> globally specifies the number of times to wipe partitions. --debug shows full debug messages during command execution. --verbose shows additional informational messages during command execution. Note: If you run the command without specifying any options, the engine requests confirmation before restarting. When the engine restarts, you are prompted to select the system restore options. After using this command, you can reconfigure the engine using the sg-reconfigure command. |
sg-cluster [-v <virtual engine ID>] [status [-c SECONDS]] [versions] [online] [lock-online] [offline] [lock-offline] [standby] [safe-offline] [force-offline] | Firewall, Layer 2 Firewall, IPS | Used to display or change the status of the node. -v (Master NGFW Engine only) specifies the ID of the Virtual NGFW Engine on which to execute the command. status displays cluster status. When -c SECONDS is used, the status is shown continuously with the specified number of seconds between updates. versions displays the engine software versions of the nodes in the cluster. online sends the node online. lock-online sends the node online and keeps it online, even if another process tries to change its state. offline sends the node offline. lock-offline sends the node offline and keeps it offline, even if another process tries to change its state. standby sets an active node to standby. safe-offline sets the node to offline only if there is another online node. force-offline sets the node online regardless of state or any limitations. Also sets all other nodes offline. |
sg-contact-mgmt | Firewall, Layer 2 Firewall, IPS | Used for establishing a trust relationship with the Management Server as part of engine installation or reconfiguration (see sg-reconfigure). The engine contacts the Management Server using the one-time password created when the engine's initial configuration is saved. |
sg-dynamic-routing [start] [stop] [restart] [force-reload] [backup <file>] [restore <file>] [sample-config] [route-table] [info] | Firewall | start starts the Quagga routing suite. stop stops the Quagga routing suite and flushes all routes made by zebra. restart restarts the Quagga routing suite. force-reload forces a reload of the saved configuration. backup backs up the current configuration to a compressed file. restore restores the configuration from the specified file. sample-config creates a basic configuration for Quagga. route-table prints the current routing table. info displays the help information for the sg-dynamic-routing command, and detailed information about Quagga suite configuration with vtysh. |
sg-ipsec -d [-u <username[@domain]> \| -si <session id> \| -ck <ike cookie> \| -tri <transform id> \| -ri <remote ip> \| -ci <connection id>] | Firewall | Deletes VPN-related information (use the vpntool command to view the information). Option -d (for delete) is mandatory. -u deletes the VPN session of the named VPN client user. You can enter the user account in the form <user_name@domain> if there are several user storage locations (LDAP domains). -si deletes the VPN session of a VPN client user based on the session identifier. -ck deletes the IKE SA (Phase one security association) based on the IKE cookie. -tri deletes the IPSEC SAs (Phase two security associations) for both communication directions based on the transform identifier. -ri deletes all SAs related to a remote IP address in site-to-site VPNs. -ci deletes all SAs related to a connection identifier in site-to-site VPNs. |
sg-logger -f FACILITY_NUMBER -t TYPE_NUMBER [-e EVENT_NUMBER] [-i "INFO_STRING"] [-s] [-h] | Firewall, Layer 2 Firewall, IPS | Used in scripts to create log messages with the specified properties. -f defines the facility for the log message. -t defines the type for the log message. -e defines the log event for the log message. The default is 0 (H2A_LOG_EVENT_UNDEFINED). -i defines the information string for the log message. -s dumps information about option numbers to stdout. -h displays usage information. |
sg-raid [-status] [-add] [-re-add] [-force] [-help] | Firewall, Layer 2 Firewall, IPS | Configures a new hard drive. This command is only for Forcepoint NGFW appliances that support RAID (Redundant Array of Independent Disks) and have two hard drives. -status displays the status of the hard drive. -add adds a new empty hard drive. Use -add -force if you want to add a hard drive that already contains data and you want to overwrite it. -re-add adds a hard drive that is already partitioned. This command prompts for the drive and partition for each degraded array. Use -re-add -force if you want to check all arrays. -help displays usage information. |
sg-reconfigure [--maybe-contact] [--no-shutdown] [--stop-autocontact] | Firewall, Layer 2 Firewall, IPS | Starts the NGFW Initial Configuration Wizard. Used for reconfiguring the node manually. CAUTION: This script also has parameters that are for the internal use of the engine only. Do not use this script with any parameters other than the ones listed here. --maybe-contact contacts the Management Server if requested. This option is only available on firewall engines. --no-shutdown allows you to make limited configuration changes on the node without shutting it down. Some changes might not be applied until the node is rebooted. --stop-autocontact (unconfigured Forcepoint NGFW appliances with valid POS codes only) prevents the engine from contacting the installation server for plug-and-play configuration when it reboots. |
sg-selftest [-d] [-h] | Firewall | Runs cryptography tests on the engine. -d runs the tests in debug mode. -h displays usage information. |
sg-status [-l] [-h] | Firewall, Layer 2 Firewall, IPS | Displays information about the engine's status. -l displays all available information about engine status. -h displays usage information. |
sg-toggle-active SHA1 SIZE \| --force [--debug] | Firewall, Layer 2 Firewall, IPS | Switches the engine between the active and the inactive partition. This change takes effect when you reboot the engine. You can use this command, for example, if you have upgraded an engine and want to switch back to the earlier engine version. When you upgrade the engine, the active partition is switched. The earlier configuration remains on the inactive partition. To see the currently active (and inactive) partition, see the directory listing of /var/run/stonegate (ls -l /var/run/stonegate). The SHA1 option is used to verify the signature of the inactive partition before changing it to active. If you downgrade the engine, check the checksum and the size of the earlier upgrade package by extracting the signature and size files from the sg_engine_[version.build]_i386.zip file. --debug reboots the engine with the debug kernel. --force switches the active configuration without first verifying the signature of the inactive partition. |
sg-upgrade | Firewall | Upgrades the node by rebooting from the installation DVD. Alternatively, the node can be upgraded remotely using the Management Client. |
sg-version | Firewall, Layer 2 Firewall, IPS | Displays the software version and build number for the node. |
sg-virtual-engine -l \| --list -v <virtual engine ID> -e \| --enter -E "<command [options]>" -h \| --help | Firewall (Master NGFW Engine only) | Used to send commands to Virtual Firewalls from the command line of the Master NGFW Engine. All commands that can be used for the Firewall role can also be used for Virtual Firewalls. -l or --list lists the active Virtual NGFW Engines. -v specifies the ID of the Virtual NGFW Engine on which to execute the command. -e or --enter enters the command shell for the Virtual NGFW Engine specified with the -v option. To exit the command shell, type exit. -E executes the specified command on the Virtual NGFW Engine specified with the -v option. -h or --help displays usage information. |
sginfo [-f] [-d] [-s] [-p] [--] [--help] | Firewall, Layer 2 Firewall, IPS | Gathers system information you can send to Forcepoint support. Use this command only when instructed to do so by Forcepoint support. -f forces sgInfo even if the configuration is encrypted. -d includes core dumps in the sgInfo file. -s includes slapcat output in the sgInfo file. -p includes passwords in the sgInfo file (by default passwords are erased from the output). -- creates the sgInfo file without displaying the progress. --help displays usage information. |
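As an added example (not part of the Forcepoint reference), the POSIX shell helper below builds the import file consumed by sg-blacklist add -i FILE from a list of offending source addresses. It assumes each line of the file carries the same keyword/value parameters as the command-line form, and it rejects the default duration of 0, which only cuts current connections without keeping an entry.

```shell
#!/bin/sh
# Added example, not Forcepoint code. Assumes an "sg-blacklist add -i" file
# holds one entry per line using the command-line keywords (src/src6/proto/
# dstport/duration), as the reference describes.

# make_blacklist_file OUTFILE DURATION DSTPORT IP...
# Writes one entry per source address that blocks TCP to DSTPORT for
# DURATION seconds. Prints the number of entries written; returns 1 on
# bad input. Addresses that are neither IPv4 nor IPv6 are skipped.
make_blacklist_file() {
    out=$1; dur=$2; port=$3; shift 3
    # duration 0 would only cut existing connections and not keep the entry
    case $dur in
        ''|*[!0-9]*|0) echo "duration must be a positive integer" >&2; return 1 ;;
    esac
    case $port in
        ''|*[!0-9]*) echo "dstport must be numeric" >&2; return 1 ;;
    esac
    : > "$out"
    n=0
    for ip in "$@"; do
        case $ip in
            *:*)     line="src6 $ip/128" ;;   # host prefix for IPv6
            *.*.*.*) line="src $ip/32" ;;     # host mask for IPv4
            *) echo "skipping unrecognised address: $ip" >&2; continue ;;
        esac
        printf '%s proto tcp dstport %s duration %s\n' "$line" "$port" "$dur" >> "$out"
        n=$((n + 1))
    done
    echo "$n"
}

# Usage on the engine (constructed addresses from documentation ranges):
#   make_blacklist_file /tmp/bl.txt 600 80 192.0.2.10 2001:db8::5 \
#     && sg-blacklist add -i /tmp/bl.txt
```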
The following table lists some general Linux operating system commands that can be useful in running your engines. Some commands can be stopped by pressing Ctrl+C.
Command | Description |
---|---|
dmesg | Shows system logs and other information. Use the -h option to see usage. |
halt | Shuts down the system. |
ip | Displays IP address information. Type the command without options to see usage. Example: type ip addr for basic information about all interfaces. |
ping | Tests connectivity with ICMP echo requests. Type the command without options to see usage. |
ps | Reports the status of running processes. |
reboot | Reboots the system. |
scp | Secure copy. Type the command without options to see usage. |
sftp | Secure FTP. Type the command without options to see usage. |
ssh | SSH client (for opening a terminal connection to other hosts). Type the command without options to see usage. |
tcpdump | Gives information about network traffic. Use the -h option to see usage. You can also analyze network traffic by creating tcpdump files from the Management Client with the Traffic Capture feature. |
top | Displays the processes taking the most processor time. Use the -h option to see usage. |
traceroute | Traces the route packets take to the specified destination. Type the command without options to see usage. |
vpntool | Displays VPN information and allows you to issue some basic commands. Type the command without options to see usage. |