Deployment and Installation Center
Websense TRITON Enterprise v7.6.x

Data Security Protector CLI

A command-line interpreter (also known as a command-line shell) is a computer program that reads lines of text entered by a user and interprets them in the context of a given operating system or programming language.
Command-line interpreters allow users to issue various commands in a very efficient way. This requires the user to know the names of the commands and their parameters, and the syntax of the language that is interpreted.
The CLI can be used after initial installation to modify the settings configured by the wizard as well as configure other protector parameters. Log in using the admin or root user (other users can also be defined). Note that admin users are limited and not all Linux shell commands are available to them.
Connect to port 22 with the SSH tool of your choice and use the credentials you set to access the protector CLI. It is impossible to access the protector using SSH before running the wizard for the first time, as it has irrelevant default network settings.
* For admin users, use the help command to view a list of all available commands.
* All commands can be run with the help option to view detailed help about that command. For example: iface help
* The CLI shell implements auto-complete for command names using the TAB key. For example, typing i+TAB will display: iface info (all the commands that start with i)
* Abbreviations are not accepted in the CLI; it is necessary to type the entire word. The TAB button can be used to complete partially typed commands.
* Some command output may exceed the length of the screen. Once the screen is full, the CLI will prompt –more-. Use the spacebar to display the next screen.
Websense1# exit
Websense1 login:
This command displays all available commands with a small description for each. The list of available commands depends on the user's profile. All commands support the help argument. When used, the command displays a help message relevant to that command.
Websense1# dns help
dns: Configure or show DNS server(s)
Usage: dns [list | delall]
       dns [{add | del} <ipaddr>]
Opens the Websense Protector Installation Wizard. The user can also run wizard securecomm to go directly to the registration stage of the Wizard, where Data Security Manager details are entered.
Reboots the protector. The protector is shut down and restarted immediately after the command is executed.
Websense1# version
This is Websense Content Protector 7.5.1.009, Policy Engine 7.5.1.9 (Appliance 7.5.1.009)
Sets or displays the date of the protector. By default, the command displays the current date. Otherwise, the argument is used to set the date of the protector.
date is also a native Linux command. Root users can access the CLI command by running it with its full path: /opt/websense/neti/bin/date.
If the -d option is given, the date is displayed or set using an all-digit format (mm/dd/yyyy, for example: 02/21/2006). Otherwise, a dd-mmm-yyyy format is used.
dd is the day of the month [01 to 31]
mmm is the month in abbreviated 3-letter format [Jan, Feb, Mar, etc.]
yyyy is the year [2006, 2007]
Websense1# date
21-Feb-2006
time is also a native Linux command. Root users can access the CLI command by running it with its full path: /opt/websense/neti/bin/time.
-u sets the time in UTC
-h displays a short usage message
HH:MM:SS
HH is the hour [00 to 24]
MM is the minutes [00 to 59]
SS is the seconds [00 to 59]
N/A
In the event that minutes and/or seconds are not entered, they are considered 00.
list: displays a complete list of time zones that can be set in the Websense Protector
show: displays the time zone set in the Websense Protector (default option)
set timezone: sets the time zone. The set command must be followed by the name of the time zone to be selected, as listed using the list command. Note that the names of the time zones are case-sensitive.
info { cpu | memory | network | diag | uptime | hardware | features}
info stats [reset]
Root users must access the CLI command by running it with its full path: /opt/websense/neti/bin/info.
cpu: displays the protector's CPU usage information.
memory: displays the protector memory usage information.
network: displays the protector's network settings including hostname, domain name, IP address and routing table.
diag: creates a diagnostic file to be used by Websense technical services.
uptime: displays the amount of time the protector has been up and operational.
features: lists all the possible features available on this protector and what they can do (monitor or block)
hardware: displays hardware information including which network cards are installed.
stats: displays traffic statistics for each protocol being monitored; this is useful to verify the operational status of the Protector.
stats reset: resets all statistics counters to zero.
Websense1# info cpu
Processor 1: 1.3% loaded (98.7% idle)
Websense1# info memory
Free physical memory 8.7%
debug stats [-d] [-i interval | -n count]
This command allows a user to collect statistics about network behavior over time. It does so by running info stats at specified intervals for a given number of times. The collected statistics are saved in a CSV file for easy manipulation and analysis in spreadsheet tools such as Microsoft Excel. The resulting file is saved as opt/pa/log/collect_stats.csv.gz
-d: delete previously recorded statistics information file, if one exists
interval: the interval in seconds between two runs that take a snapshot of the statistics.
count: how many times the statistics snapshot should be taken.
The default interval is every 60 seconds. The default number is 1440 (which is the equivalent of 24 hours of statistics when the default interval of 60 is selected).
list: displays a list of DNS servers in the protector
delall: deletes all DNS servers set in the protector
add: adds a DNS server specified by its IP address to the protector
del: deletes the DNS server denoted by the specified IP address
list: displays a list of configured default domain names in the protector
delall: deletes all default domain names set in the protector
add: adds a default domain name specified by domain to the protector
Use the -m switch to set a domain as main. The main domain is the domain that the protector is actually a member of. Without the -m switch, a 'search domain' is created. For the protector to resolve a domain, this domain is searched as well. There may be many 'search domains' but only one main domain.
del: deletes the default domain name denoted by domain from the protector
gateway ipaddr
gateway [list | delete]
By default, displays the current defined gateway. Using the parameters, it is possible to set or delete the default gateway of the protector.
ipaddr: when given, the ipaddr is used as a default gateway for the protector.
list: shows the configured default gateway.
delete: deletes the defined default gateway.
name: if given, the host name is set to the name given. Otherwise, the host name is displayed.
iface [list]
iface ifname [ip ipaddr] [prefix prefix] [bcast bcastaddr] [speed speed] [duplex duplex] [mgmt] [enable|disable] [descr description]
Configures and displays the protector's network interface information. When invoked without arguments or with the list option, the command displays a list of all available interfaces in the system. When invoked with only an interface name, the command shows detailed information about that interface. Any other invocation method configures the interface denoted in ifname.
Note:
When using this command to configure the management interface, we recommend you use a console connection to the protector (and not a remote SSH connection). Using the latter may terminate the session to the protector. In addition, if the IP address is changed, it may be required to re-establish secure communication with the Websense Data Security Server (by re-running the configuration wizard).
ip: the IP address denoted by ipaddr is assigned to the interface. This option is valid only for the management interface. When setting ip, the prefix and bcast options must also be set
prefix: network mask of the interface. For example: 24 (will assign 255.255.255.0 mask to the interface)
bcast: broadcast address of the interface. For example: for an interface with the IP address 192.168.1.1/24, the broadcast address is usually 192.168.1.255.
speed: interface link speed. Available speeds: auto, 10, 100, 1000
duplex: interface link duplex. Available duplex options: auto, half, full
mgmt: sets the interface as the management interface of the protector. The previously defined management interface can no longer be used for management purposes.
enable, disable: enables or disables the interface (default is enable)
descr: assigns a short description for the interface. Note that if the description contains spaces, it must be enclosed within quotation marks ("").
Websense1# iface eth0 ip 10.100.16.20 prefix 24 bcast 10.100.16.255 mgmt enable
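Because ip must be set together with prefix and bcast, and a wrong value on the management interface can cut off the session, the broadcast address can be derived and checked before the command is typed. The following is an added example, not part of the Websense documentation; it is meant to run in a POSIX shell on an admin workstation, and its function names are hypothetical.

```shell
#!/bin/sh
# Added example: derive the broadcast address for an ip/prefix pair and only
# print the iface command when the supplied bcast matches. Function names
# are hypothetical; this runs on an admin workstation, not in the CLI.

# Dotted-quad IPv4 -> 32-bit integer; fails on malformed input.
ip_to_int() {
    case "$1" in ''|*[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in 0?*|????*) return 1 ;; esac   # no leading zeros
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Broadcast address of the network containing ip ($1) with prefix ($2).
# Prefixes 31 and 32 are rejected: they have no separate broadcast address.
bcast_for() {
    n=$(ip_to_int "$1") || return 1
    case "$2" in ''|*[!0-9]*|0?*) return 1 ;; esac
    [ "$2" -ge 1 ] && [ "$2" -le 30 ] || return 1
    host_bits=$(( (1 << (32 - $2)) - 1 ))
    int_to_ip $(( n | host_bits ))
}

# Usage: iface_cmd ifname ip prefix bcast
iface_cmd() {
    want=$(bcast_for "$2" "$3") || { echo "invalid ip or prefix" >&2; return 1; }
    [ "$4" = "$want" ] || { echo "bcast for $2/$3 should be $want" >&2; return 1; }
    echo "iface $1 ip $2 prefix $3 bcast $4"
}

# The page's own example values pass the check:
iface_cmd eth0 10.100.16.20 24 10.100.16.255
```

Append mgmt, enable or the other options to the printed line as needed before entering it at the protector prompt.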
route list
route add {destination network | destination ip} {via ip | dev device}
route del {destination network | destination ip} {via ip | dev device}
Adds or deletes route entries in the protector. When adding or deleting routes to networks, use the x.x.x.x/prefix format. For example: 192.168.1.0/24.
list: displays the routing table of the Protector
add: adds a route to a network or IP
del: deletes a route to a network or IP
user add {username} profile {profile} pwd {password}
user del {username}
user mod {username} [profile {profile}] [pwd {new password}]
user list
The user command allows you to define additional users who can access the system. Each user has a profile that defines the operations available to users. Available profiles:
admin: all commands are allowed
netadmin: only networking related commands are allowed
policyadmin: only the policy command is allowed
add: add a user with the given profile and password
del: delete a user
mod: modify a user's profile and/or password
list: display a list of all defined users and their profiles
Note 
Websense recommends that you test the filter using a tcpdump command before setting the filter to ensure that the filter expression is recognized by the protector.
filter [show | set rule | delete]
show: displays the current active filters - monitored networks
set: defines a list of monitored networks
delete: deletes previously set filter rules
Sets the protector to monitor all TCP traffic to/from 10.0.0.1 and ignore all other hosts in the network. If VLAN is used, it should be listed first in the filter (vlan and tcp, not tcp and vlan).
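The pre-flight test recommended above can be scripted so that a misplaced vlan keyword or a syntax error is caught before the filter is set. This is an added example, not from the Websense documentation; the function names, the sample expressions and the default interface name eth0 are assumptions.

```shell
#!/bin/sh
# Added example: pre-flight check for a protector filter expression.
# Function names and the sample expressions are constructed for illustration.

# Succeeds when the expression has no vlan primitive or starts with it.
# libpcap shifts its decoding offsets after the first vlan keyword, so
# "tcp and vlan" and "vlan and tcp" match different traffic.
# Simple textual check: parenthesised expressions are not analysed.
vlan_first() {
    case "$1" in
        vlan|vlan\ *)        return 0 ;;
        *\ vlan|*\ vlan\ *)  return 1 ;;
        *)                   return 0 ;;
    esac
}

# Usage: check_filter 'expression' [interface]
# Returns 0 if usable, 1 vlan misplaced, 2 tcpdump missing, 3 syntax rejected.
check_filter() {
    vlan_first "$1" || { echo "vlan must be listed first: $1" >&2; return 1; }
    command -v tcpdump >/dev/null 2>&1 || { echo "tcpdump not found" >&2; return 2; }
    # -d compiles the expression and prints the BPF program without capturing.
    tcpdump -d -i "${2:-eth0}" "$1" >/dev/null 2>&1 \
        || { echo "tcpdump rejected: $1" >&2; return 3; }
}

# e.g. check_filter 'tcp and host 10.0.0.1' eth1   (as root on the protector)
```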
Configuring NTP support
The protector includes an NTP package that contains an NTPD service and a set of related utilities. The service is turned off by default. Enabling the NTP service is simple, but requires very customer-dependent configuration settings. Thus, the following procedure is a general description of the steps that should be executed in order to enable the service.
The NTP service requires root user permissions.
1. Perform an initial time synchronization. This can be done manually via the protector's Wizard, or by using the 'ntpdate' utility.
2. From the command line, type chkconfig ntpd on|off to start/not start the service each time the protector machine is started.
3. Type service ntpd start|stop|restart to explicitly start/stop/restart the service.
4. Type ntpq -p to verify the synchronization is correct.
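The verification in the last step can be automated by parsing the ntpq -p peer table: the line marked with * is the peer ntpd has selected, and its offset column is in milliseconds. This is an added example, not from the Websense documentation; the function name, the 100 ms default threshold and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: decide from `ntpq -p` output whether ntpd has selected a
# system peer and whether the clock offset is acceptable.
# SAMPLE is constructed output, not captured from a protector.
SAMPLE='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*ntp1.example.   192.0.2.10       2 u   35   64  377    1.204   -0.731   0.112
+ntp2.example.   192.0.2.11       2 u   40   64  377    1.510    2.045   0.340
 ntp3.example.   .INIT.          16 u    -   64    0    0.000    0.000   0.000'

# Reads ntpq -p output on stdin; $1 is the largest acceptable offset in ms
# (default 100). Prints "OK <peer> <offset>" or a reason, and returns
# non-zero when the clock cannot be considered synchronized.
ntp_sync_status() {
    awk -v max="${1:-100}" '
        /^\*/ {                      # "*" tally code = selected system peer
            peer = substr($1, 2); reach = $7; off = $9 + 0
            abs = (off < 0) ? -off : off
            found = 1
        }
        END {
            if (!found)       { print "NO_SYS_PEER"; exit 1 }
            if (reach == "0") { print "UNREACHABLE " peer; exit 1 }
            if (abs > max)    { print "OFFSET_TOO_LARGE " peer " " off; exit 1 }
            print "OK " peer " " off
        }'
}

# On the protector, as root, the procedure above becomes:
#   ntpdate <ntp-server>        # placeholder: your site's time source
#   chkconfig ntpd on
#   service ntpd start
#   ntpq -p | ntp_sync_status 50

# Stand-alone demonstration on the constructed sample:
printf '%s\n' "$SAMPLE" | ntp_sync_status 50
```

Right after the service starts, NO_SYS_PEER is expected for the first few polling intervals while ntpd is still selecting a peer.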

