Go to the table of contents Go to the previous page You are at the end of the document
Data Security Protector CLI
Data Security Protector CLI
Deployment and Installation Center | Data Security Solutions | Version 7.7.x
A command-line interpreter (also known as a command-line shell) is a computer program that reads lines of text entered by a user and interprets them in the context of a given operating system or programming language.
Command-line interpreters allow users to issue various commands in a very efficient way. This requires the user to know the names of the commands and their parameters, and the syntax of the language that is interpreted.
This chapter describes the command line interpreter (CLI) for the Linux-based Data Security Protector.
The CLI can be used after initial installation to modify the settings configured by the wizard as well as configure other protector parameters. Log in using the admin or root user (other users can also be defined). Note that admin users are limited and not all Linux shell commands are available to them.
Accessing the CLI
Access the CLI through a direct terminal or via a serial port console.
If using a serial port console, configure your terminal application, such as HyperTerminal or TeraTerm, as follows:
19200 baud, 8 data bits, no parity, 1 stop bit, no flow control.
In addition, the protector allows access via SSH connection.
Connect to port 22 with the SSH tool of your choice and use the credentials you set to access the protector CLI. It is impossible to access the protector using SSH before running the wizard for the first time, as it has irrelevant default network settings.
Command-line reference
Following are general guidelines to using the CLI.
For admin users, use the help command to view a list of all available commands
All commands can be run with the help option to view detailed help about that command. For example: iface help
The CLI shell implements auto-complete for command names using the TAB key. For example, typing i+TAB will display: iface info (all the commands that start with i)
Some commands' output may exceed the height of the screen. Use your terminal software to scroll back and view all output.
Exit the command line interface
Show CLI help messages
Accessing the basic configuration wizard
Opens the Websense Protector Installation Wizard. The user can also run wizard securecomm to go directly to the registration stage of the Wizard, where Data Security Manager details are entered.
Rebooting the protector
Turning off the protector
Showing the Websense Protector version
Setting or showing the system date
date is also a native Linux command. Root users can access the CLI command by running it with its full path: /opt/websense/neti/bin/date.
If the -d option is given, the date is displayed or set using an all digit format (mm/dd/yyyy, for example: 02/21/2006). Otherwise, a dd-mmm-yyyy format is used. dd is the day of the month [01 to 31] mmm is the month in abbreviated 3-letter format [Jan, Feb, Mar, etc.] yyyy is the year [2006, 2007]
Setting or showing the system time
time is also a native Linux command. Root users can access the CLI command by running it with its full path: /opt/websense/neti/bin/time.
-u sets the time in UTC
-h displays a short usage message HH:MM:SS HH is the hour [00 to 24]
MM is the minutes [00 to 59]
SS is the seconds [00 to 59]
Modify or show system time zone
list: displays a complete list of time zones that can be set in the Websense Protector show: displays the time zone set in the Websense Protector (default option) set timezone: sets the time zone. The set command must be followed by the name of the time zone to be selected, as listed using the list command. Note that the names of the time zones are case-sensitive.
Viewing protector information
Root users must access the CLI command by running it with its full path: /opt/websense/neti/bin/info.
cpu: displays the protector's CPU usage information.
memory: displays the protector memory usage information.
network: displays the protector's network settings including hostname, domain name, IP address and routing table.
diag: creates a diagnostic file to be used by Websense technical services.
uptime: displays the amount of time the protector has been up and operational.
features: lists all the possible features available on this protector and what they can do (monitor or block)
hardware: displays hardware information including which network cards are installed.
stats: displays traffic statistics for each protocol being monitored; this is useful to verify the operational status of the Protector.
stats reset: resets all statistics counters to zero.
Collecting statistics
debug stats [-d] [-i interval | -n count]
This command allows a user to collect statistics about network behavior over time. It does so by running info stats at specified intervals for a given number of times. The collected statistics are saved in a CSV file for easy manipulation and analysis in spreadsheet tools such as Microsoft Excel. The resulting file is saved as opt/pa/log/collect_stats.csv.gz
-d: delete previously recorded statistics information file, if one exists interval: the interval in seconds between two runs that take a snapshot of the statistics.
count: how many times the statistics snapshot should be taken.
Configure or show the DNS server(s)
list: displays a list of DNS servers in the protector
delall: deletes all DNS servers set in the protector
add: adds a DNS server specified by its IP address to the protector
del: deletes the DNS server denoted by the specified IP address
Configure or show the default domain name(s)
list: displays a list of configured default domain names in the protector
delall: deletes all default domain names set in the protector
add: adds a default domain name specified by domain to the protector
Use the -m switch to set a domain as main. The main domain is the domain that the protector is actually is a member of. Without the –m switch a 'search domain' is created. For the protector to resolve a domain this domain is searched as well. There may be many 'search domains' but only one main domain.
del: deletes the default domain name denoted by domain from the protector
Configure or show the default gateway
gateway ipaddr
gateway [list | delete]
ipaddr: when given, the ipaddr is used as a default gateway for the protector.
list: shows the configured default gateway.
delete: deletes the defined default gateway.
Configure or show the host name
name: if given, the host name is set to the name given. Otherwise, the host name is displayed.
Configure or show interface information
Configures and displays the protector's network interface information. When invoked without arguments or with the list option, the command displays a list of all available interfaces in the system. When invoked with only an interface name, the command shows detailed information about that interface. Any other invocation method configures the interface denoted in ifname.
ip: the IP address denoted by ipaddr is assigned to the interface. This option is valid only for the management interface. When setting ip, the prefix and bcast options must also be set
prefix: network mask of the interface. For example: 24 (will assign mask to the interface)
bcast: broadcast address of the interface. For example: for an interface with the IP address, the broadcast address is usually
speed: interface link speed. Available speeds: auto, 10, 100, 1000
duplex: interface link duplex. Available duplex options: auto, half, full
mgmt: sets the interface as the management interface of the protector. The previously defined management interface can no longer be used for management purposes.
enable, disable: enables or disables the interface (default is enable)
descr: assigns a short description for the interface. Note that if the description contains spaces, it must be enclosed within quotation marks ("").
Add or delete routing information
list: displays the routing table of the Protector
add: adds a route to a network or IP
del: deletes a route to a network or IP
Manage users
The user command allows you to define additional users who can access the system. Each user has a profile that defines the operations available to users. Available profiles:
admin: all commands are allowed
netadmin: only networking related commands are allowed
policyadmin: only the policy command is allowed
add: add a user with the given profile and password
del: delete a user
mod: modify a user's profile and/or password
list: display a list of all defined users and their profiles
Filtering monitored networks
You can use the Websense Management Interface to define which networks are monitored by the protector.
This CLI command enables advanced filtering of monitored networks.
filter [show | set rule | delete]
show: displays the current active filters - monitored networks
set: defines a list of monitored networks
delete: deletes previously set filter rules
Configuring NTP support
The protector includes an NTP package which contains a NTPD service and a set of related utilities.The service is turned off by default. Enabling the NTP service is simple, but requires very customer-dependent configuration settings. Thus, the following procedure is a general description of the steps that should be executed in order to enable the service.
The NTP service requires root user permissions.
For further NTP configuration details, refer to: http://en.linuxreviews.org/NTP_-_Howto_make_the_clock_show_the_correct_time, or http://doc.ntp.org/4.2.2/, and many other sites on the Web.
From the command line, type chkconfig ntpd on|off to start/not start the service each time the protector machine is started.
Type service ntpd start|stop|restart to explicitly start/stop/restart the service.
Type ntpq -p to verify the synchronization is correct.

Go to the table of contents Go to the previous page You are at the end of the document
Data Security Protector CLI
Copyright 2016 Forcepoint LLC. All rights reserved.