Command	Description	Parameters
arp	Displays the kernel ARP table for the selected module.	None.
cache-user-names	Applies to the Web module only. Use it to turn on, off, or query the status of caching of user names resolved from IP addresses by Content Gateway. Cached entries are valid for 10 minutes.	[Action]: Enter enable to turn on user name caching. Enter disable to turn off user name caching. Enter status to display the status of user name caching.
content-line -r	Applies to the Content Gateway module only. Use it to display the current value of a configuration variable in Content Gateway's records.config file.	[Variable Name]: Enter the name of the configuration variable for which you want to retrieve a value. Example: proxy.config.vmap.enabled This variable returns "0" or "1". "0" indicates that the virtual IP manager is disabled; "1" indicates that it is enabled. For a complete list of valid configuration variables, click the link Content Gateway variables and navigate to the records.config topic. [You may be asked for credentials if you have not logged on to the proxy console earlier in the session.]
content-line -s	Applies to the Content Gateway module only. Use it to set the value of a configuration variable in Content Gateway's records.config file. With this command, you can make changes to Content Gateway variables without restarting the proxy. To activate the changes, run content_line -x (see below).	[Variable Name]: Enter the name of the variable you want to modify. [Value]: Enter the value you want to supply the variable. Example: Enter the variable name proxy.config.arm.enabled and the value "1" or "0". This enables or disables the ARM, which is used for transparent proxy caching, IP spoofing, and ARM security. For a complete list of valid configuration variables, click the link records.config. [You may be asked for credentials if you have not logged on to the proxy console earlier in the session.]
content-line -x	Applies to the Content Gateway module only. Use it to read and apply the values of all configuration variables in Content Gateway's records.config file. If you have used content_line -s to change the setting of any variables in the file records.config, you can activate your changes immediately (without restarting the proxy) by running this command.	None.
debugging reset	Reset the debugging level to factory status.	None.
debugging status	Show the debugging level status.	None.
dig -t mx	Applies to the Email module only. This command returns information on the specified MX server.	[Domain name]: enter the domain name of the MX server you want to query.
dig -t txt	Applies to the Email module only. This command returns the SPF information from the specified server.	[Domain name]: enter the domain name of the server you want to query for SPF records.
dig -x	Applies to the Email module only. This command returns the PTR information for the specified IP address.	[IP address]: enter the IP address for the server you want to query for PTR information.
directory-agent-service	Applies to the Web module only. This command disables and enables the directory agent service.	[Action]: Enter enable to enable the directory agent service. Enter disable to disable the directory agent service.
email-subscription-reset	Applies to the Email module with the Email Hybrid module only. This command clears all TRITON AP-EMAIL subscription information. After the command is run, the user must re-enter the subscription key. Note: If the network is unreachable, the command takes 30 minutes to timeout.	None
email shell debug module	Applies to the Email module only. Debugs the specified TRITON AP-EMAIL module. You must click Stop to end the debug session.	[Expression]: Enter the name of the module you want to debug. Click the information icon for examples. Separate multiple entries with a comma. Examples: filter event all, config_daemon event all
ethtool	Displays the current Ethernet card settings of the specified network interface (NIC) device. This includes: Supported ports Supported link modes Auto-negotiation support Advertised link modes Advertised auto-negotiation Speed Duplex Port PHYAD Transceiver Auto-negotiation setting Wake-on support Wake-on status Link detection Use ethtool to verify local network connectivity. For example, if the ping command fails, use this to determine if you are using the right IP address.	None.
ethtool -k	Displays offload parameters, including checksum, for the selected network interface (NIC) device. This can be used to investigate a variety of problems. For example, if your NIC settings are right, but you are having duplex issues, you know you need to change your duplex settings.	None.
ifconfig	Use to troubleshoot network interface issues. Helps you identify IP issues and check subnets and network interfaces. Displays status information about the specified network interface (NIC), including but not limited to: IP and broadcast address subnet mask number of packets received and transmitted number of bytes received and transmitted	[Interface]: Enter the NIC for which you want settings. Click the information icon for valid NIC values. Enter all to display all interface status. Example: eth0 or eth1
maillog download	Applies to the Email module only. Downloads the specified maillog file.	[File name]: Enter the file name for the mail log you want to download.
maillog show	Applies to the Email module only. Displays all available maillog file names, along with starting and ending timestamps and file size.	None.
multiplexer	Enables and disables the Multiplexer service that supports SIEM integrations. See Administrator Help for the Web module. Multiplexer service will not run on a Filtering only appliance. Instead it transparently uses the Multiplexer service running on the Policy source machine.	[Action]: Enter enable to enable the Multiplexer service. Enter disable to disable the Multiplexer service.
nc -uvz	The netcat (nc) utility. Attempts to read and write data across a network using user datagram protocol (UDP) to the specified server. Use it for functional tests of components and verification of connectivity. Use it to check data going across a UDP network. If you are having problems loading a Web page, or are getting a block, this command can help determine the problem. If you see a reset coming from the proxy, you can determine which DOM/module it is coming from. -u Run netcat in UDP mode -v Run netcat in verbose mode. -z Run netcat in zero I/O mode (used for scanning).	[Destination]: Enter the IP address of the server with which you want to communicate. [Port]: Enter the port number of that server.
nc -vz	The netcat (nc) utility. Attempts to read and write data across a network using transmission control protocol (TCP) to the specified server. Use it for functional tests of components and verification of connectivity. -v Run netcat in verbose mode. -z Run netcat in zero I/O mode (used for scanning)	[Destination]: Enter the IP address of the server with which you want to communicate. [Port]: Enter the port number of that server.
netstat -neatup	Displays a list of open sockets on the selected module, appended with the process column. -n Displays active TCP connections. However, addresses and port numbers are expressed numerically, and no attempt is made to determine names. -e Displays ethernet statistics, such as the number of bytes and packets sent and received. -a Displays all active TCP connections and the TCP and UDP ports on which the computer is listening. -t Indicates which open ports are using TCP. -u Indicates which open ports are using UDP. -p Limits display of statistics or state of all sockets to those applicable to protocol.	None.
netstat -ng	Displays multicast group membership information about the selected module. -n Displays active TCP connections. However, addresses and port numbers are expressed numerically, and no attempt is made to determine names. -g Shows the multicast group memberships for all interfaces.	None.
netstat - nItup	Use one of the netstat commands if you are having network connection and routing issues. netstat -nItup displays the following: the amount of traffic in your network. all active TCP connections and the TCP and UDP ports on which the computer is listening. Addresses and port numbers are expressed numerically, and no attempt is made to determine names. Ethernet statistics, such as the number of bytes and packets sent and received. -n Displays active TCP connections and the ports they use when they connect. (This is useful if, for example, Filtering Service is not filtering. You can look at the connection the module is using here. If it is not the IP and port of the Filtering Service machine, you have found the source of the problem.) -I Shows the state of a particular interface, such as eth0 or eth1. -t Indicates which open ports are using TCP. -u Indicates which open ports are using UDP. -p Limits display of statistics or state of all sockets to those applicable to protocol.	None.
netstat -s	Displays summary statistics for each protocol on the selected module. By default, statistics are shown for the IP, ICMP, TCP, UDP, and TCPEXT protocols. This includes such things as: IP - the number of packets received, forwarded, and discarded for each protocol. ICPM - the number of messages received, failed, sent. TCP - the number of active and passive connection openings and failed connection attempts. UDP - the number of packets received and set. TCPEXT - statistics about SYN cookies, ACKs, packets received and queued, retransmits, and DSACKs. This is just a sampling. Many more statistics are shown.	None.
nslookup	Use this for DNS resolution problems. For example, if a particular Web site is not loading, perform an nslookup on it to view its IP address. nslookup lets you query DNS servers to find DNS details, including IP addresses of a particular computer, MX records for a domain, and the DNS servers of a domain.	[Host]: Enter the hostname (for example myintranet.com) or IP address of the host for which you want DNS information. [DNS server]: Enter the hostname or IP address of the DNS server for the appliance.
pem settings download	Applies to the Email module only. Downloads Personal Email Manager configuration settings, log files, and end-user personal Always Block/Permit files.	None.
ping, ping6	Checks that a hostname or IP address exists, can accept requests from the selected module, and that DNS is resolving. Use this to test connectivity to another host— for example, the TRITON AP-DATA server or TRITON Manager machine—and determine response time. Use ping for IPv4 addresses, and ping6 for IPv6 addresses. Note: ping6 is not supported in the TRITON AP-WEB module.	[Destination]: Enter the hostname (for example myintranet.com) or IP address of the host you want to test.
ping -I, ping6 -I	Checks that a network interface can communicate with a hostname or IP address and that DNS is resolving. Use this to test connectivity to another host— for example, the TRITON AP-DATA server or TRITON Manager machine—from one of the appliance NICs. Use ping for IPv4 addresses, and ping6 for IPv6 addresses. Note: ping6 -I is not supported in the TRITON AP-WEB module.	[Interface]: Enter the name of the NIC you want to test. Click the information icon for valid NIC values. Example: eth0 [Destination]: Enter the hostname or IP address of the host you want to test.
policy-broker-token	Pertains only to the Web module. Use this command to retrieve the Policy Broker token for this appliance. This may be needed to configure support for Remote Filtering. See the Websense Technical Library for more information.	None.
print-bypass	This command applies only to the Content Gateway module. When Content Gateway is in transparent proxy caching mode, use this command to see which source and destination IPs the proxy is bypassing. If sites are not loading correctly, this helps you identify if a site is loading from your cache or going directly to the site for download. All entries in the source and destination bypass tables for the proxy are printed to the output console. For more information on source and destination bypass, see the Configuration Files > bypass.config section of the Content Gateway manager Help system.	None.
proxy-net-check	This command applies only to the Content Gateway module. Use it to display diagnostics for Content Gateway, such as: interface status connection to DNS name servers connection to Policy Server gateway packet loss ping statistics for various modules Internet connectivity filtering status This command is useful for investigating latency issues, outages, or filtering problems, among other things.	None.
route -A inet6 -n	Display the contents of the selected module's kernel IP routing table IPv6 entries in numeric format. This is useful in complex network environments—for example, those with proxy chaining—to see if the environment is set up properly.	None.
route -n	Display the contents of the selected module's kernel IP routing table in numeric format. This is useful in complex network environments—for example, those with proxy chaining—to see if the environment is set up properly.	None.
route add	This command applies only to the Content Gateway module. This command supports all of the add route parameters that are supported on the Configuration > Routing page of the V-Series manager. In addition, this command supports the ability to specify the maximum segment size (MSS).	[Route type]: Enter the route type. The host route is for routing to individual hosts. The net route is for an entire network or subnet. [Target]: Enter the target network address or host IP address for the route. [Netmask]: Enter the netmask for the for the target network or host. [Gateway]: Enter the IP address of the next hop router. [Interface]: Enter the appliance interface to use for this route. [Mss]: Enter the maximum segment size to use for this route. Expressed in octets.
state-server	Applies to the Web module when the appliance is configured as a Full policy source or User directory and filtering system. In multiple Filtering Service deployments, Websense State Server is required for proper application of time-based filtering actions (Quota, Confirm, Password Override, and Account Override). See Policy Server, Filtering Service, and State Server in Administrator Help for the Web module.	[Action]: Enter enable to enable the state server service. Enter disable to disable the state server service.
sysctl-tcp-timestamps	Pertains only to the Content Gateway module. View or change the setting for TCP time stamps. Edit this setting if you are experiencing performance problems with specific Web sites that do not properly support TCP time stamps. The operating system sets this kernel setting during installation. If the setting was changed and you are experiencing site latency with other sites—those that work best with TCP time stamps— return the setting to its default value and consider routing traffic to the problematic sites around the proxy. Be sure to choose a setting that works well for the sites that are most important to you. The setting affects the use of time stamps by the kernel for all TCP connections.	[Value]: Enter "0" to disable the current time stamp setting, and restore it to its default. Enter "1" to re-enable a custom setting. Enter "view" to view the current setting.
sysctl-tcp-window-scaling	Pertains only to the Content Gateway module. View or change the setting for TCP window scaling. Edit this setting if you are experiencing performance problems with specific Web sites that do not properly support TCP windows scaling. The operating system sets this kernel setting during installation. If the setting was changed and you are experiencing site latency with other sites—those that work best with TCP windows scaling— return the setting to its default value and consider routing traffic to the problematic sites around the proxy. Be sure to choose a setting that works well for the sites that are most important to you. The setting affects the use of windows scaling by the kernel for all TCP connections.	[Value]: Enter "0" to disable the current window scaling setting, and restore it to its default. Enter "1" to re-enable a custom setting. Enter "view" to view the current setting.
tcpdump	Use for any Web traffic issues to get packet captures—for example, if a site will not load or if you are having authentication problems. tcpdump intercepts and displays packets being transmitted or received by the specified network interface. Use the Expression field to select which packets are displayed. The output from tcpdump can help you determine whether all routing is occurring properly, to and from the interface. The output is verbose; it displays the data of each package in both hex and ASCII; and it includes a link-level header on each line. Note: If you do not stop the tcpdump command manually, 10,000 packets are captured, the maximum allowed.	[Interface]: Enter the name of the NIC you are debugging. Click the information icon for valid NIC values. Example: eth0 [Expression]: Enter a boolean expression that filters the packets to those of interest. Click the information icon for examples. Example 1: To capture all TCP traffic to and from the proxy on port 8080, enter this expression: tcp port 8080 Example 2: To capture all TCP traffic to the site google.com, enter this expression: tcp and dst host google.com Example 3: To capture all TCP traffic from a specific end-user machine, enter this expression: tcp and src host user.websense.com Note: You can enter a hostname if it is resolvable by a DNS server, but the output uses IP addresses either way.
tcpdump -w	Use this to dump traffic (raw packets) from the specified NIC to a file. To download the file, click the link, Download output file for last command, after running the command. This link is under the console output window. Websense Technical Support may request this file on occasion.	[Interface]: Enter the name of the appliance NIC you are debugging. Click the information icon for valid NIC values. [Expression]: Enter a boolean expression that filters the packets to those of interest. Click the information icon for examples. Enter all to capture all packets. Note: You can enter a host name if it is resolvable by a DNS server, but the output uses IP addresses either way.
top -bn1	Displays all operating system tasks that are currently running on the selected module. Use this to help troubleshoot CPU and memory issues. -b Run in batch mode. -n Update the display for a number of iterations, then exit. -1 Do not display idle processes.	None.
traceroute, traceroute6	Use this to determine the route taken by packets across a network to a particular host. If some machines are not getting filtered or blocked, or if traffic is not even getting to the appliance, this shows the devices (or hops) that are between the machines that may be blocking access to the host. Use tcpdump to get a packet capture from each device. If you are having latency issues, traceroute can also help identify the causes. Use traceroute for IPv4 addresses, and traceroute6 for IPv6 addresses. Note: traceroute is of limited utility if an IP address is being spoofed. Note: traceroute6 is not supported in the TRITON AP-WEB module.	[Destination]: Enter the hostname or IP address of the host destination you are investigating
user-group-ip-precedence	Applies to the Web module only. Use this command to change the precedence of identification attributes applied to: filtering policy, Delegated Administrator (DA) role identification, protocol policy, and quota time available. By default, the precedence attributes are, in descending order: User > Computer > Network > Group > Domain When user-group-ip-precedence is enabled, the precedence order is: User > Group > Domain > Computer > Network	[Action]: Enter enable to modify the precedence order to: User > Group > Domain > Computer > Network Enter disable (default) to set the precedence order to: User > Computer > Network > Group > Domain Enter status to display the current setting. WARNING: Changing the state of user-group-ip-precedence causes Filtering Service to stop and restart.
wget	Use to initiate a non-interactive download of files from the Web, so you can diagnose connectivity issues. Use wget, for example, if you have configured the proxy, but cannot access the Web. wget simulates the proxy going out and retrieving the Web site. This command supports HTTP, HTTPS, and FTP protocols.	[URL]: Enter the URL of the Web site from which you want to download files.
wget-proxy	Use to test connectivity between the specified URL and the proxy (file download not supported). Use wget, for example, if you have configured the proxy, but cannot access the Web. wget simulates the proxy going out and retrieving the Web site. This command supports HTTP, HTTPS, and FTP protocols.	[URL]: Enter the URL of the Web site to which you want to test connectivity. [Proxy IP]: Enter the proxy IP address. This is the IP address of the P1 interface on most appliance configurations. [Port]: Enter the port on which the proxy expects this traffic. 8080 is configured for HTTP by default. 8070 is configured for HTTPS by default. [User name]: Enter the user name of the client, if required for authentication. [Password]: Enter the password of the client, if required for authentication. Enter 'none' in both fields if user name and password are not applicable.