HP TippingPoint Security Management System CLI Reference
Version 4.0

Abstract
This information describes HP TippingPoint Security Management System (SMS) high and low level commands, and contains information for using the SMS command line interface. This information is for system administrators, technicians, and maintenance personnel responsible for installing, configuring, and maintaining HP TippingPoint SMS appliances and associated devices.
Legal and notice information
© Copyright 2011–2013 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company makes no warranty of any kind with regard to this material, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. Hewlett-Packard shall not be liable for errors contained herein or for incidental or consequential damages in connection with the furnishing, performance, or use of this material.
About This Guide
The Security Management System CLI Reference provides information about using the SMS command line interface to configure the HP TippingPoint Security Management System (SMS). This guide includes an SMS command reference as well as reference information about attributes and objects used by the SMS.
Document Conventions
This guide uses the following document conventions.
• Typefaces, page vi
• Document Messages, page vii

Typefaces
HP TippingPoint publications use the following typographic conventions for structuring information:

Document Typographic Conventions
Convention | Element
Medium blue text | Cross-reference links and e-mail addresses.
Medium blue, underlined text | Website addresses.
Bold font | Key names; text typed into a GUI element, such as into a box.
Document Messages
Document messages are special text that is emphasized by format and typeface. This guide contains the following types of messages:
• Warning
• Caution
• Note
• Tip

WARNING! Warning notes alert you to potential danger of bodily harm or other potential harmful consequences.
CAUTION: Caution notes provide information to help minimize risk, for example, when a failure to follow directions could result in damage to equipment or loss of data.
Customer Support
HP TippingPoint is committed to providing quality customer support to all customers. Each customer receives a customized support agreement that provides detailed support contact information. When you need technical support, refer to your support agreement or use the following information to contact Customer Support.
1 Using the Command Line Interface
The command line interface (CLI) can be used to configure many aspects of the SMS. It includes wizards, high level commands, and low level commands.

Overview
This chapter explains how to use the SMS CLI.

NOTE: To use the SMS CLI, you must be logged in with an account that has SuperUser rights.
Interactive Mode Syntax
You can use any of the following syntax options to initiate an interactive CLI command:
• command — If you type the command name, the CLI prompts you to set values for all attribs associated with that command.
• command object — If you specify the object of a particular command, the CLI prompts you to set values for all attribs associated with that object.
• command object.
HTTP and HTTPS
You can use the following format for the HTTP and HTTPS protocols:
• Complete specification: http://[username:password@]server[:port]/directory/filename or https://[username:password@]server[:port]/directory/filename
• HTTP example: http://www.servername.com:8000/files/sms-0.0-0.500.pkg

NFS
You can use the following formats for the NFS protocol:
• Remote directory specification — server:/exportedDirectory
• Remote file specification — server:/exportedDirectory/filename
• NFS example: nfsserver.
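The remote-path forms above are the inputs an administrator types for package uploads and exports, and the HTTP(S) form permits a password inside the URL. The following parser, written for this guide as an added example and not part of the SMS software, checks a spec against exactly the documented forms and returns the pieces (protocol, server, optional port, path, user name) while reporting only whether a password was embedded, never the password itself; redact_credentials() produces a version that is safe to write to a log or a console transcript. The host names and credentials in the sample specs are constructed; only the first HTTP example is the guide's own.

```python
"""Parse and redact the remote-path formats used for SMS package and file
transfers. Added example written for this guide, not SMS code; it implements
only the formats the Remote Paths section states."""
import re
from urllib.parse import urlsplit, unquote

# NFS form from the guide: server:/exportedDirectory[/filename].
# The negative lookahead keeps "scheme://host" URLs out of this branch.
_NFS_RE = re.compile(r"^(?P<server>[A-Za-z0-9][A-Za-z0-9.\-]*):(?P<path>/(?!/)\S*)$")


def parse_remote_path(spec):
    """Return a dict describing an HTTP, HTTPS or NFS remote path.
    Raises ValueError when the spec matches none of the documented forms."""
    if spec.startswith(("http://", "https://")):
        parts = urlsplit(spec)
        # parts.port itself raises ValueError if the optional [:port] is not numeric
        if not parts.hostname or len(parts.path) < 2:
            raise ValueError("HTTP(S) spec needs a server and /directory/filename")
        return {
            "protocol": parts.scheme,
            "server": parts.hostname,
            "port": parts.port,  # None when [:port] is absent
            "path": parts.path,
            "username": unquote(parts.username) if parts.username else None,
            # The guide's form allows username:password@ in the URL. Only a flag
            # is returned, never the secret, so callers can warn without echoing it.
            "has_embedded_password": parts.password is not None,
        }
    m = _NFS_RE.match(spec)
    if m:
        # The guide gives server:/exportedDirectory and
        # server:/exportedDirectory/filename; the two cannot be told apart
        # syntactically, so only the path is returned.
        return {"protocol": "nfs", "server": m.group("server"), "port": None,
                "path": m.group("path"), "username": None,
                "has_embedded_password": False}
    raise ValueError(f"unrecognized remote path: {spec!r}")


def redact_credentials(spec):
    """Return the spec with an embedded password replaced by '***', so the
    value can be written to a log or shown on a console safely."""
    if not spec.startswith(("http://", "https://")):
        return spec
    parts = urlsplit(spec)
    if parts.password is None:
        return spec
    host = parts.hostname or ""
    if parts.port is not None:
        host = f"{host}:{parts.port}"
    netloc = f"{parts.username or ''}:***@{host}"
    return parts._replace(netloc=netloc).geturl()


if __name__ == "__main__":
    # Constructed sample specs; the first is the guide's own HTTP example.
    for s in ("http://www.servername.com:8000/files/sms-0.0-0.500.pkg",
              "https://admin:s3cret@pkg.example.com:8443/dir/file.pkg",
              "nfsserver.example.com:/exports/sms/sms.pkg"):
        info = parse_remote_path(s)
        print(redact_credentials(s), "->", info["protocol"], info["server"], info["path"])
```

Run the module directly to see the three sample specs parsed and printed in redacted form; the has_embedded_password flag is the value to alert on when a transfer spec is recorded anywhere outside the session that uses it.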
Objects and Attributes
The following objects and attributes can be used with the help command:

Table 1-1 Help Commands
Command | Description
help --full | Lists all commands, objects, and attributes
help --attribs | Lists all attributes
help --objs | Lists all objects, or collections of attributes
help --cmds | Lists all commands
help --background | Lists background topics

Example
To see documentation about the sys object, type help sys.
2 SMS Command Reference
This chapter describes the SMS commands and the options available for each command.

NOTE: To use the SMS CLI, you must be logged in with an account that has SuperUser rights.

clear
Clears the screen.
Usage: clear
Aliases: cls

cls
Clears the screen.
Usage: cls
Aliases: clear

console
The console command shows a list of messages that have been sent to the console since the last reboot.
Usage: console

date
Displays and sets the system time.
Usage: diags [--force]

dir
Returns a listing of files contained in the user directory.
Usage: dir
Related Commands: delete, view, vi

dns
The dns command interactively prompts for DNS (Domain Name Service) settings used to resolve host names to IP address values. To clear server values, use a period (.). The dns object contains the default domain name, DNS search list, and DNS server information.
Usage: dns
Related Commands: nic, ntp
Related Objects: dns

exit
Closes the session.
• Full – When placed into this mode, the SMS functions in a manner compliant with the FIPS 140-2 publication specified by the National Institute of Standards and Technology. The SMS automatically reboots when placed into full FIPS mode or when full FIPS mode is disabled.
Usage: fips-mode

Caveats
Full FIPS mode is not available for vSMS. Transitioning the SMS to operate in Full FIPS mode implements changes to core elements of the SMS server, reboots the SMS, and requires you to upload a new SMS key package.
Table 2-1 Help Options
Option | Description
--full | Lists all commands, objects and attribs.
--attribs | Lists all attribs.
--objs | Lists all objects (collections of attribs).
--cmds | Lists all commands (default).
--background | Lists background topics.

ifconfig
Displays the network settings for the box. ifconfig is an alias for the command get net, which displays the values of the attribs contained in the net object. To change the values, use the set net command. See "net" on page 30.
key
The key command is used to update the license key for the server.
Usage: key
Aliases: license
Related Objects: license

list
Lists the objects or the attribs contained in an object.
Usage: list [object | object.attrib] [...]
If no arguments are specified, list will return all defined objects. If an object is specified, list will return all attribs contained within the object. If an attribute is specified, list will confirm the attribute by listing the attribute in the response.
Usage: nic
Related Commands: dns, ntp

nicsettings
Interactive command that prompts you for the SMS NIC configuration settings; it is available through the CLI and the OBE. If you want to make changes individually to any of the NIC settings, the SMS provides options for setting auto negotiation, port speed, and duplex mode.
Example
sms110 SMS=> nicsettings
The Ethernet NIC used for the network management interface is configurable.
The security level and restrictions for entering user names and passwords. The default setting is 2 from the following options:

Table 2-2 Security Levels
Level | Description
Level 0 | User names cannot have spaces in them. Passwords are unrestricted.
Level 1 | User names must be at least 6 characters long without spaces. Passwords must be at least 8 characters long.
Level 2 | Passwords must meet Level 1 restrictions and the following:
• Must contain at least two alphabetic characters.
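The levels in Table 2-2 are easy to misread as a single pass/fail, so this added checker (written for this guide, not SMS code) applies the rules exactly as the table states them and returns the list of rules a candidate user name or password violates, which is what an administrator needs when a value is rejected. Two gaps in the table are handled as labelled assumptions: the guide's Level 2 bullet list is cut off after its first item, so only that item is enforced, and Level 2 states no user-name rule, so Level 1's user-name rule is assumed to carry over. The sample names and passwords are constructed.

```python
"""Check user names and passwords against the three SMS security levels as
Table 2-2 states them. Added example for this guide, not SMS code.
Assumptions: only the first (and only visible) Level 2 bullet is enforced, and
Level 2 user names are checked with the Level 1 user-name rule."""


def check_username(name, level):
    """Return the list of user-name rules violated at the given level."""
    problems = []
    if " " in name:
        # Level 0 and Level 1 both forbid spaces; Level 2 is assumed the same
        problems.append("user name must not contain spaces")
    if level >= 1 and len(name) < 6:
        problems.append("user name must be at least 6 characters")
    return problems


def check_password(password, level):
    """Return the list of password rules violated at the given level."""
    problems = []
    # Level 0: passwords are unrestricted
    if level >= 1 and len(password) < 8:
        problems.append("password must be at least 8 characters")
    if level >= 2 and sum(1 for c in password if c.isalpha()) < 2:
        problems.append("password must contain at least two alphabetic characters")
    return problems


def check_credentials(name, password, level=2):
    """Combine both checks; level defaults to 2, the guide's default setting.
    An empty list means the pair is acceptable at that level."""
    if level not in (0, 1, 2):
        raise ValueError("security level must be 0, 1 or 2")
    return check_username(name, level) + check_password(password, level)


if __name__ == "__main__":
    # Constructed samples: one acceptable pair and one rejected at each level
    for name, pw, lvl in (("opsadm", "ab345678", 2), ("ops admin", "x", 0),
                          ("ops", "short", 1), ("opsadm", "12345678", 2)):
        print(f"level {lvl} {name!r}/{'*' * len(pw)}: {check_credentials(name, pw, lvl) or 'ok'}")
```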
ping6
Checks network connectivity by sending an ICMP request to the specified IPv6 destination, and then checking for an echoed response.
Usage: ping6 [-options] hostNameOrAddress

Table 2-4 ping6 Options
Option | Description
-c count | Stop after sending count packets.
-I | Specifies the interface; for example eth0.
-i wait | Wait wait seconds between sending each packet. The default is to wait one second between each packet.
-n | Numeric output only.
See Also: reverse

restart
Restarts the network stack. The --force option restarts the network stack without a confirmation prompt.
Usage: restart [--force]

reverse
Performs a reverse lookup on an IP address or a relative hostname using the DNS settings. If the value cannot be resolved, it is returned as-is.
Usage: reverse
See Also: resolve

routes
Route options allow static routes to be added or deleted for the network management interface.
See Also: pwd (object)

set
Assigns values to one or more attribs or to a list of attribs contained within an object. The list may be one or more attribute names, object names, or attrib/object pairs. To accept the current or default value, press the return key. To clear a String or IP Address value, enter a period (.) and then press the return key. The set command can use any read-write or write-only attribute. See "SMS Attributes and Objects" on page 21 for more information.
snmp-request
The snmp-request command is used to manage the SNMP (Simple Network Management Protocol) request agent. When enabled, the SMS agent responds to the SNMP system request.
See Also: snmp, snmp-request

snmpget
snmpget will request a single OID from the specified agent.
Usage: snmpget hostNameOrAddress communityName OID
Example (IPv6): snmpget -v 2c -c public udp6:[fc01:a63:1:0:214:22ff:fe1e:1d87] system.sysName.0
Example (IPv4): snmpget -v 2c -c public 10.99.1.110 system.sysName.0
See Also: snmpwalk

snmpwalk
snmpwalk will traverse the SNMP MIB of the agent running at the specified address.
touch
Creates user files, which are archived files generated from database content.
Usage: touch file [...]
See Also: delete, dir, view, vi

traceroute
This program attempts to trace the route an IP packet would follow to a remote host by launching UDP probe packets with a small ttl (time to live) and then listening for an ICMP time exceeded reply from a gateway.
Table 2-5 traceroute Options
Option | Description
-p | Set the base UDP port number used in probes (default is 33434). Traceroute hopes that nothing is listening on UDP ports base to base + nhops - 1 at the destination host (so an ICMP PORT_UNREACHABLE message will be returned to terminate the route tracing). If something is listening on a port in the default range, this option can be used to pick an unused port range.
Related Object: pwd

version
Displays the system and component versions.
Usage: version
Related Objects: sw

vi
vi is a text editor that is comparable to Vi. It can be used to edit all kinds of plain text. It is especially useful for editing programs. While running vi, a lot of help can be obtained from the on-line help system, with the :help command.
Usage: vi [options] [file ...]

Caveats
/tmp and its contents are the only files and directories that the SuperUser account has permission to modify.
Table 2-6 vi Options
Option | Description
-- | Denotes the end of the options. Arguments after this will be handled as a file name. This can be used to edit a filename that starts with a dash (-).
--help | Give a help message and exit, just like -h.
--version | Print version information and exit.
See Also: ftp, dir, delete, view

view
Command to view the contents of the directory. Internal help is available by typing a question mark (?).
3 SMS Attributes and Objects
This chapter describes each object and attribute used by the SMS CLI. For more detailed information about each element, see the individual commands described in "SMS Command Reference" on page 5.

NOTE: To use the SMS CLI, you must be logged in with an account that has SuperUser rights.

Attribute Types
The following table describes each type of attribute (attrib) that you can view or edit in the CLI.

Table 3-1 CLI Attribute Types
Type | Definition
Bool | Boolean.
ctl
Collection of system control operations. The attribs contained in ctl can be used to reboot or shutdown the system, or access the upgrade capability. See "Remote Paths" on page 2 for more information about entering path names for attribs that require them.

Table 3-3 ctl Attributes
ctl.power-off
  Setting the ctl.power-off attrib to the value of true will cause the system to shutdown and power-off.
Table 3-3 ctl Attributes (continued)
ctl.patch-rollback
  Used to roll back to the previous patch version. Displays true if the currently installed Patch can be rolled back, else false. If set to the version of the currently installed Patch, it rolls it back, to either the previously installed Patch or no Patch if it was the first Patch installed.
Table 3-4 db Attributes
db.export-files
  Files to be saved and transported to a remote system can be stored in the export directory. To transfer the entire contents of the export directory, this attrib must be provided with the name of a Samba (SMB) mount point. The destination mount point must be writable by the SMS server.
  Type: String. Access: write-only. Range: 4-132.
high availability
Collection of system High Availability (HA) attribs. The attribs are used to retrieve HA information.

Table 3-6 HA Attributes
ha.status
  Attribute returning the status of HA. The status messages include the following:
  • Disabled: High Availability is not configured.
  • Enabled.
  • Error: The system could not determine local status.
  • Error: Unable to communicate with peer.
  Type: String. Access: read-only.
health
Collection of system health-related attribs. The attribs are used to retrieve system health information, including utilization values and system uptime statistics.

Table 3-7 health Attributes
health.cpu-util
  Attribute returning the CPU (Processor) utilization. 0% represents a near-idle system, and 100% is fully utilized.
  Type: String. Access: read-only. Range: 2-4.
health.db-valid
  Attribute reporting the status of the database.
Table 3-7 health Attributes (continued)
health.port-health
  Attribute returning Port Statistics of the SMS. This information corresponds to the Port Statistics table on the Port Health screen (SMS Health) in the UI, with all 12 numbers printed on a single line. The first six numbers are for the primary port and the second six numbers are for the secondary port.
Table 3-7 health Attributes (continued)
health.uptime
  Attribute reporting the amount of time since the last system boot.
  Type: String. Access: read-only. Range: 2-56.
health.who
  Attribute reporting a list of currently logged-in users. Pipe (|) characters are used in place of carriage-return characters.
  Type: String. Access: read-only. Range: 0-1024.

kbd
Keyboard related attribute.
WARNING! Do not use this option if you are using a standard QWERTY keyboard.
The following console keyboard layouts are available:

license
License information for the SMS server. The license is used to control the number of managed devices supported by the server.
Related Command: key

Table 3-9 license Attributes
license.count
  Returns the number of devices that the license key permits for this server.
  Type: Int. Access: read-only.
license.date
  Returns the date that the current license key was installed.
  Type: String. Access: read-only.
license.
logs
Collection of log-related attribs. The attribs are used to manage log files that are used for troubleshooting. The logs zip file, sms_logs.zip, is managed in the /mgmt/client/tmp directory. This is the standard location for CLI data files and also allows access from the Exports and Archives link on the SMS web page. Creating a new logs zip file overwrites the old one.
Related Objects: scp

Table 3-10 logs Attributes
set logs.
NOTE: You must issue the set net.restart=yes command when you modify the IP address or gateway using the set net command. Changes to these attributes do not take effect until you issue this command. A reboot (reboot command) should be done after you issue the above command. For information on set net, see "set" on page 14.
Related Commands: ifconfig, ipconfig, mgmtsettings
Related Objects: dns

Table 3-11 net Attributes
net.
Table 3-11 net Attributes (continued)
net.ipaddr6
  Attribute used to view and change the IPv6 address. To clear this value, use a period (.). Applies only to the net object. The network interface must be restarted (net.restart) for the setting to take effect. When you employ this command, the CLI may not reflect the change with a confirmation message. See "Example" on page 30.
  NOTE: The IP address uses IPv6 notation.
  Type: IPaddr. Access: read-write. Range: 0.
net.
Table 3-12 ntp Attributes
ntp.server1, ntp.server2, ntp.server3
  Attribs used to specify a list of NTP time servers. The value may be a dotted IP address or a hostname. The first entry (ntp.server1) will be assigned the preferred time server role. The preferred time server is also used as a step ticker, which adjusts the time immediately upon system boot. To clear this value, use a period (.).
  Type: IPaddr. Access: read-write. Range: 0.
ntp.
Table 3-13 pkg Attributes
auto-download
  Attrib used to control whether new packages available at the TMC are automatically downloaded. Email will be generated to notify the administrator of the action (if configured).
  Type: Bool. Access: read-write. Range: 0.
auto-install
  Attrib used to control whether the SMS database is updated with the newly downloaded package.
  Type: Bool. Access: read-write. Range: 0.
dv-activate
  Attrib used to activate a DV package.
pwd
Collection of password-related attribs. The attribs are used to confirm the SuperUser password and enable the service mode used by support personnel. For information about managing users including user groups, passwords, and security levels, see the "Administration" chapter in the SMS User Guide.
Related Command: users

Table 3-14 pwd Attributes
pwd.group-adduser
  Used to add a user to a user group.
  Type: String. Access: write-only.
pwd.
Table 3-14 pwd Attributes (continued)
pwd.user-expires
  Attribute used to enable password expiration.
  Type: Bool. Access: read-write.
pwd.user-expiredays
  Attribute used to set the number of days to check the account for expiration.
  Type: String. Access: read-only.
pwd.user-force-pwd
  Attribute used to force a user to change their password at next login.
  Type: Bool. Access: read-write.
pwd.user-pager
  Attribute used to include the user account pager number.
  Type: String. Access: read-write.
pwd.
Table 3-15 radius Attributes
radius1.auth
  Attrib to set the authentication method (PAP, CHAP, MSCHAP, MSCHAP2, EAPMD5).
  Type: String. Access: read-write.

Backup RADIUS Server
radius2.secret
  Attrib used to enter the RADIUS secret set by the RADIUS server administrator. This entry is used by each RADIUS client, including the SMS server.
  Type: String.
radius2.server
  Attrib used to set the IP address of the RADIUS server.
  Type: IPaddr.
radius2.
route6
Collection of attribs used to add, delete and display IPv6 static routes for the management interface.
Usage: route6.add, route6.del
Related Objects: route, net
Related Commands: ifconfig, ipconfig

Table 3-17 route6 Attributes
route6.add
  Attribute used to add a static route to the IP routing table.
  Type: IPaddrs. Access: write-only. Range: 0.
Usage: route6.
Table 3-19 snmp-request Attributes
snmp.request-auth-key
  Attrib used to specify the authentication key for the SNMP request agent. When enabled, the SMS responds to the SNMP system request.
  Type: String. Access: write-only.
  Example: set snmp.request-auth-key=mykey
snmp.request-auth-proto
  Attrib used to specify the authentication protocol for the SNMP request agent. When enabled, the SMS responds to the SNMP system request.
Table 3-19 snmp-request Attributes (continued)
snmp.request-priv-proto
  Attrib used to specify the privacy protocol for the SNMP request agent. When enabled, the SMS responds to the SNMP system request. Valid protocol values are:
  • None
  • AES-128
  • AES-192
  • AES-256
  • DES
  • Triple_DES
  Type: String. Access: read-write.
  Example: set snmp.request-priv-proto=AES-128
snmp.request-user
  Attrib used to specify the user name for the SNMP request agent.
Table 3-20 snmp-trap Attributes
snmp.trap-auth-proto
  Attrib used to specify the authentication key for an SNMP trap destination. The IP address must be specified. The SNMP version is optional and can be specified when separated by a comma. Valid protocol values are: None, MD5, and SHA.
  Type: String. Access: read-write.
  Examples:
  set snmp.trap-auth-proto?1.1.1.1=MD5
  set snmp.trap-auth-proto?1.1.1.1,v3=MD5
snmp.
Table 3-20 snmp-trap Attributes (continued)
snmp.trap-port
  Attrib used to specify the port for an SNMP trap destination. The IP address must be specified. The SNMP version is optional and can be specified when separated by a comma.
  Type: Int. Access: read-write.
  Examples:
  set snmp.trap-port?1.1.1.1=162
  set snmp.trap-port?1.1.1.1,v2=162
snmp.trap-priv-key
  Attrib used to specify the privacy key for an SNMP trap destination. The IP address must be specified.
Table 3-20 snmp-trap Attributes (continued)
snmp.trap-user
  Attrib used to specify the user name for an SNMP trap destination. The IP address must be specified. The SNMP version is optional and can be specified when separated by a comma.
  Type: String. Access: read-write.
  Examples:
  set snmp.trap-user?1.1.1.1=testuser
  set snmp.trap-user?1.1.1.1,v3=testuser
snmp.trap-version
  Attrib used to change the version for an SNMP trap destination. The IP address must be specified.
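The snmp-request attributes in Table 3-19 are plain set name=value assignments, while the snmp-trap attributes in Table 3-20 carry a destination address and an optional version after a question mark (set attr?ip[,vN]=value). The following parser, added here for this guide and not part of the SMS software, recognises both shapes from the guide's own examples, validates the destination with the standard ipaddress module, checks protocol values against the lists the two tables give, and range-checks trap ports. Its weak-choice warning for a protocol of None or DES is this example's own guidance, not a rule the guide states; only v2 and v3 appear in the guide's examples, so accepting v1 through v3 is an assumption. The sample commands are the guide's examples plus constructed invalid ones.

```python
"""Parse and validate SMS 'set snmp.*' commands for the request agent
(Table 3-19) and trap destinations (Table 3-20). Added example for this
guide, not SMS code. Grammar taken from the guide's examples:
    set snmp.request-<attr>=<value>
    set snmp.trap-<attr>?<ip>[,<version>]=<value>
"""
import ipaddress
import re

_SET_RE = re.compile(
    r"^\s*set\s+(?P<attr>snmp\.[a-z0-9-]+)"
    r"(?:\?(?P<dest>[^,=\s]+)(?:,(?P<ver>v[123]))?)?"  # v1 accepted by assumption; guide shows v2/v3
    r"\s*=\s*(?P<value>\S+)\s*$"
)

# Value lists exactly as Tables 3-19 and 3-20 give them
ALLOWED = {
    "snmp.request-priv-proto": {"None", "AES-128", "AES-192", "AES-256", "DES", "Triple_DES"},
    "snmp.trap-auth-proto": {"None", "MD5", "SHA"},
}
# This example's own list: no protection at all, or 56-bit single DES
WEAK = {"None", "DES"}


def parse_snmp_set(line):
    """Split one command into its parts; raises ValueError on malformed input
    or an unparsable destination address."""
    m = _SET_RE.match(line)
    if not m:
        raise ValueError(f"not a recognised snmp set command: {line!r}")
    attr, dest, ver, value = m.group("attr", "dest", "ver", "value")
    if attr.startswith("snmp.trap-") and dest is None:
        raise ValueError("trap attributes require ?<ip address> after the name")
    if dest is not None:
        ipaddress.ip_address(dest)  # raises ValueError for e.g. 999.1.1.1
    return {"attribute": attr, "destination": dest, "version": ver, "value": value}


def validate_snmp_set(parsed):
    """Return a list of problems with a parsed command (empty = acceptable)."""
    problems = []
    attr, value = parsed["attribute"], parsed["value"]
    if attr in ALLOWED and value not in ALLOWED[attr]:
        problems.append(f"{value!r} is not a valid value for {attr}")
    if attr == "snmp.trap-port":
        if not value.isdigit() or not 1 <= int(value) <= 65535:
            problems.append("trap port must be an integer 1-65535")
    if attr.endswith(("-auth-proto", "-priv-proto")) and value in WEAK:
        problems.append(f"{attr}={value} gives weak or no protection")
    return problems


if __name__ == "__main__":
    # The guide's examples, followed by constructed invalid commands
    samples = ("set snmp.request-priv-proto=AES-128",
               "set snmp.trap-port?1.1.1.1,v2=162",
               "set snmp.trap-auth-proto?1.1.1.1,v3= MD5",
               "set snmp.request-priv-proto=DES",
               "set snmp.trap-port?1.1.1.1=70000",
               "set snmp.trap-user?999.1.1.1=testuser")
    for s in samples:
        try:
            print(s, "->", validate_snmp_set(parse_snmp_set(s)) or "ok")
        except ValueError as e:
            print(s, "-> rejected:", e)
```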
svc
Collection of attribs used to enable various services that execute within the system. While the system implements an internal firewall to protect against attacks, further security can be implemented by disabling unneeded services.
Related Commands: ntp, snmp, pwd

Table 3-21 svc Attributes
svc.fips-enable
  Attribute used to enable/disable SMS FIPS mode. In this mode, only FIPS 140-2 approved cryptographic algorithms are used when allowing SSH connections.
Table 3-21 svc Attributes (continued)
svc.ntp-enable
  Attrib used to enable/disable the NTP (Network Time Protocol) client. The NTP client can be used to synchronize system time with a list of remote time servers. To enable the NTP client, set the value to true and provide a list of servers with the ntp.server1 (...) attribs. To disable it, set the value to false.
  Type: Bool. Access: read-write. Range: 0.
  Example: set svc.ntp-enable=true
svc.
sw
Collection of software versioning attribs. The attribs are used to report the system software version, and to list the software packages and their individual versions.

Table 3-22 sw Attributes
sw.components
  Returns a list of installed software packages and their versions.
  Type: String. Access: read-only. Range: 0-1024.
sw.version
  Attribute returning the system software version.
  Type: String. Access: read-only. Range: 1-32.

sys
Collection of system-related attribs.
Table 3-24 time Attributes
time.dateTime
  Displays the current system time in a readable format.
  Type: String. Access: read-only. Range: 32.
time.setTime
  Displays and sets the current system time. The date and time are specified in the format: [MMDDhhmm[[CC]YY][.ss]]
  Type: String. Access: read-write. Range: 32.
time.setTimeZone
  Displays and sets the current local time zone. Time zones can be represented in several forms.
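The time.setTime format [MMDDhhmm[[CC]YY][.ss]] has two optional parts, which makes a mistyped value easy to accept silently. This added example (written for this guide, not SMS code) parses the format into a datetime, rejecting anything that is not 8, 10 or 12 digits with an optional two-digit seconds suffix or that names an impossible date, and formats a datetime back into the full 12-digit form for a round trip. Two details the guide does not state are labelled assumptions: a value with no year uses the current year, and a two-digit YY is expanded the way the Unix date command does (69-99 as 19YY, 00-68 as 20YY).

```python
"""Parse and produce the [MMDDhhmm[[CC]YY][.ss]] value used by time.setTime.
Added example for this guide, not SMS code."""
import re
from datetime import datetime

# 8 digits (MMDDhhmm), 10 (+YY) or 12 (+CCYY), then optional ".ss"
_TIME_RE = re.compile(r"^(?P<main>\d{8}|\d{10}|\d{12})(?:\.(?P<ss>\d{2}))?$")


def parse_set_time(value, now=None):
    """Return the datetime a setTime value denotes; raises ValueError if the
    value does not fit the format or names an impossible date or time.
    `now` supplies the year when the value omits one (assumption: current year)."""
    m = _TIME_RE.match(value)
    if not m:
        raise ValueError(f"expected MMDDhhmm[[CC]YY][.ss], got {value!r}")
    main = m.group("main")
    month, day, hour, minute = (int(main[i:i + 2]) for i in range(0, 8, 2))
    tail = main[8:]
    if tail == "":
        year = (now or datetime.now()).year
    elif len(tail) == 2:
        # Assumed two-digit year rule, as the Unix date(1) command applies it
        yy = int(tail)
        year = 1900 + yy if yy >= 69 else 2000 + yy
    else:
        year = int(tail)
    second = int(m.group("ss") or 0)
    # datetime() enforces month/day/hour/minute/second ranges for us
    return datetime(year, month, day, hour, minute, second)


def format_set_time(dt):
    """Render a datetime in the unambiguous full form MMDDhhmmCCYY.ss."""
    return dt.strftime("%m%d%H%M%Y.%S")


if __name__ == "__main__":
    # Constructed sample values covering each optional part
    for v in ("12311830", "0102030413", "010203042013.59", "0102030499", "13010000"):
        try:
            print(v, "->", parse_set_time(v, now=datetime(2013, 6, 1)).isoformat())
        except ValueError as e:
            print(v, "-> rejected:", e)
```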