CLI Guide
Revision F
McAfee Network Security Platform 8.2
COPYRIGHT
Copyright © 2015 McAfee, Inc., 2821 Mission College Boulevard, Santa Clara, CA 95054, 1.888.847.8766, www.intelsecurity.com
TRADEMARK ATTRIBUTIONS
Intel and the Intel logo are registered trademarks of the Intel Corporation in the US and/or other countries. McAfee and the McAfee logo, McAfee Active
Protection, McAfee DeepSAFE, ePolicy Orchestrator, McAfee ePO, McAfee EMM, McAfee Evader, Foundscore, Foundstone, Global Threat Intelligence,
McAfee LiveSafe, Policy Lab, McAfee QuickClean, Safe Eyes, McAfee SECURE, McAfee Shredder, SiteAdvisor, McAfee Stinger, McAfee TechMaster, McAfee
Total Protection, TrustedSource, VirusScan are registered trademarks or trademarks of McAfee, Inc. or its subsidiaries in the US and other countries.
Other marks and brands may be claimed as the property of others.
LICENSE INFORMATION
License Agreement
NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS
FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU
HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR
SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A
FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET
FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF
PURCHASE FOR A FULL REFUND.
Contents

Preface . . . . . . . . 13
About this guide . . . . . . . . 13
Audience . . . . . . . . 13
Conventions . . . . . . . . 13
Find product documentation . . . . . . . . 14

1 Introduction . . . . . . . . 15
About McAfee Network Security Sensor . . . . . . . . 15
Issuing CLI commands . . . . . . . . 15
Issuing a command via the console . . . . . . . . 15
factorydefaults . . . . . . . . 16
Issuing a command via ssh . . . . . . . . 17
Logging onto the Sensor via an ssh client . . . . . . . . 18
Auto-complete . . . . . . . . 18
CLI syntax . . . . . . . . 18
Command sequence . . . . . . . . 18
Mandatory commands . . . . . . . . 18
Granular access control for CLI commands . . . . . . . . 19
adduser WORD . . . . . . . . 20
commands . . . . . . . . 20
deleteuser WORD . . . . . . . . 20
deleteallusers . . . . . . . . 21
lockuser WORD . . . . . . . . 21
passwd . . . . . . . . 21
userpasswd WORD . . . . . . . . 21
userlist . . . . . . . . 22
userrole WORD . . . . . . . . 22
unlockuser WORD . . . . . . . . 22
whoami . . . . . . . . 23
Role and CLI command matrix . . . . . . . . 23
Logon to the CLI . . . . . . . . 28
Meaning of "?" . . . . . . . . 28

2 IPS CLI Commands - Normal Mode . . . . . . . . 31
accelerate-ftp . . . . . . . . 35
accelerate-ftp status . . . . . . . . 35
arp delete . . . . . . . . 35
arp dump . . . . . . . . 36
arp flush . . . . . . . . 36
arp spoof . . . . . . . . 37
auditlogupload . . . . . . . . 37
checkmanagerconnectivity . . . . . . . . 38
clrstat . . . . . . . . 39
clrtsstats . . . . . . . . 39
commands . . . . . . . . 39
console eventlog . . . . . . . . 39
debug . . . . . . . . 40
deinstall . . . . . . . . 40
deletemgrsecintf . . . . . . . . 40
deletesignatures . . . . . . . . 41
disconnectalertandpktlogchannels . . . . . . . . 41
dnsprotect . . . . . . . . 42
downloadstatus . . . . . . . . 43
exit . . . . . . . . 44
exportsensorcerts . . . . . . . . 44
factorydefaults . . . . . . . . 45
failovermode forward-peer-stp . . . . . . . . 46
fwdump acl . . . . . . . . 47
guest-portal . . . . . . . . 47
help . . . . . . . . 48
host-vlan . . . . . . . . 48
importsensorcerts . . . . . . . . 49
increasemgmtprocessing . . . . . . . . 49
ipreassembly timeout forward . . . . . . . . 49
latency-monitor . . . . . . . . 50
latency-monitor enable action . . . . . . . . 51
latency-monitor restore-inline . . . . . . . . 51
latency-monitor sensitivity-level . . . . . . . . 52
loadconfiguration . . . . . . . . 52
loadimage . . . . . . . . 53
loadsavedimage . . . . . . . . 53
logmacstat . . . . . . . . 54
lognpumacstat . . . . . . . . 54
logstat . . . . . . . . 54
macstat . . . . . . . . 55
npumacstat . . . . . . . . 55
ntbastat . . . . . . . . 56
ping . . . . . . . . 57
quit . . . . . . . . 58
raidrepair . . . . . . . . 58
reboot . . . . . . . . 59
reconnectalertandpktlogchannels . . . . . . . . 60
rescuedisk . . . . . . . . 60
resetconfig . . . . . . . . 61
secureerase . . . . . . . . 61
sensor perf-debug . . . . . . . . 62
sensor perf-debug off . . . . . . . . 62
sensor perf-debug status . . . . . . . . 62
sensor-datapath-stat-analysis log . . . . . . . . 63
sensor-datapath-stat-analysis show . . . . . . . . 63
sensordroppktevent . . . . . . . . 64
set . . . . . . . . 64
set auditlog . . . . . . . . 65
set autorecovery . . . . . . . . 65
set auxport . . . . . . . . 66
set console timeout . . . . . . . . 66
set debugmode passwd . . . . . . . . 66
set dospreventionseverity . . . . . . . . 67
set dnsprotect . . . . . . . . 67
set flowvolumelimit enable <threshold> . . . . . . . . 68
set flowvolumelimit disable . . . . . . . . 68
set gigfailopen disable . . . . . . . . 69
set gigfailopendelay . . . . . . . . 69
set intfport id disable-auto . . . . . . . . 69
set intfport id enable-auto duplex . . . . . . . . 70
set intfport id flowcontrol . . . . . . . . 70
set intfport id speed duplex . . . . . . . . 71
set ipssimulation disable . . . . . . . . 71
set l2f-unknown-udp . . . . . . . . 72
set manager alertport . . . . . . . . 72
set manager alertport_RSA-2048-bit . . . . . . . . 72
set manager installsensorport . . . . . . . . 73
set manager installsensorport_RSA-2048-bit . . . . . . . . 73
set manager ip . . . . . . . . 74
set manager logport . . . . . . . . 74
set manager logport_RSA-2048-bit . . . . . . . . 75
set manager secondary ip . . . . . . . . 75
set mgmtport auto . . . . . . . . 76
set mgmtport mtu . . . . . . . . 76
set mgmtport speed and duplex . . . . . . . . 77
set mnsconfig . . . . . . . . 77
set mnsconfig radiusLB . . . . . . . . 78
set nmsuserwriteaccess . . . . . . . . 78
set outofcontext acllookup . . . . . . . . 78
set parsetunneledtraffic . . . . . . . . 79
set portsettletime . . . . . . . . 79
set previous256byteslogging . . . . . . . . 80
set scpserver ip . . . . . . . . 80
set sensor gateway . . . . . . . . 80
set sensor gateway-ipv6 . . . . . . . . 81
set sensor ip . . . . . . . . 81
set sensor ipv6 . . . . . . . . 82
set sensor name . . . . . . . . 83
set sensor sharedsecretkey . . . . . . . . 83
set sessionlimit timeout . . . . . . . . 84
set sshaccesscontrol . . . . . . . . 84
set sshinactivetimeout . . . . . . . . 85
set sshlog . . . . . . . . 85
set syncookietcpreset . . . . . . . . 85
set tacacsauthorization . . . . . . . . 86
set tcpudpchecksumerror drop . . . . . . . . 86
set tcpudpchecksumerror forward . . . . . . . . 87
set tftpserver ip . . . . . . . . 87
set threshold-udp-dos-forward-action . . . . . . . . 88
set userconfigvolumedosthreshold . . . . . . . . 88
set vlanbasedrecon . . . . . . . . 89
setfailopencfg restore-inline . . . . . . . . 89
set-sensor-load . . . . . . . . 91
setup . . . . . . . . 91
How to change your password . . . . . . . . 92
How to set the Sensor name . . . . . . . . 92
Configuration of the Sensor setup . . . . . . . . 92
Setting the Sensor subnet mask . . . . . . . . 93
How to set the Manager IP address . . . . . . . . 94
How to set the Sensor default gateway . . . . . . . . 94
How to set the management port configuration . . . . . . . . 94
How to set the shared secret key on the Sensor . . . . . . . . 94
show . . . . . . . . 94
show acl stats . . . . . . . . 98
show arp spoof status . . . . . . . . 98
show auditlog . . . . . . . . 99
show auditlog status . . . . . . . . 100
show autorecovery status . . . . . . . . 100
show auxport status . . . . . . . . 101
show botnet-alertstats . . . . . . . . 101
show console timeout . . . . . . . . 102
show coppersfpserialnumbers . . . . . . . . 102
show dnsprotect . . . . . . . . 102
show dnsprotectstat . . . . . . . . 103
show dospreventionprofile . . . . . . . . 103
show dospreventionseverity . . . . . . . . 104
show dxl status . . . . . . . . 105
show eventlog . . . . . . . . 106
showfailopencfg . . . . . . . . 106
show failover-status . . . . . . . . 106
show flows . . . . . . . . 107
show flowvolumelimit config . . . . . . . . 108
show gam engine stats . . . . . . . . 108
show gigfailopendelay . . . . . . . . 109
show gti config . . . . . . . . 109
show gti stats ip . . . . . . . . 110
show inactiveuserslock status . . . . . . . . 110
show inlinepktdropstat . . . . . . . . 110
show ingress-egress stat . . . . . . . . 113
show intfport . . . . . . . . 113
show ipssimulation status . . . . . . . . 116
show l2f-unknown-udp status . . . . . . . . 116
show l7ae status . . . . . . . . 116
show l7ddosstat . . . . . . . . 117
show layer2 forward . . . . . . . . 117
show layer2 forward intfport . . . . . . . . 118
show layer2 mode . . . . . . . . 119
show malwareenginestats . . . . . . . . 119
show malwarefilestats . . . . . . . . 123
show mem-usage . . . . . . . . 124
show mgmtport . . . . . . . . 126
show mnsconfig . . . . . . . . 128
show netstat . . . . . . . . 128
show nmsuserwriteaccess status . . . . . . . . 130
show outofcontext acllookup . . . . . . . . 130
show parsetunneledtraffic status . . . . . . . . 130
show pktcapture status . . . . . . . . 131
show pluggable-module . . . . . . . . 131
show portsettletime . . . . . . . . 132
show powersupply . . . . . . . . 132
show previous256byteslogging status . . . . . . . . 132
show raid status . . . . . . . . 133
show rescueimages . . . . . . . . 133
show savedalertinfo . . . . . . . . 134
show savedimages . . . . . . . . 134
show sensordroppktevent status . . . . . . . . 135
show sensor-load . . . . . . . . 136
show sessionlimit timeout . . . . . . . . 136
show sshaccesscontrol status . . . . . . . . 136
show sshinactivetimeout . . . . . . . . 137
show sshlog status . . . . . . . . 137
show ssl config . . . . . . . . 137
show ssl stats . . . . . . . . 138
show syncookietcpreset . . . . . . . . 139
show syslog statistics . . . . . . . . 139
show tacacs . . . . . . . . 140
show tcpipstats . . . . . . . . 140
show tcpudpchecksumerror . . . . . . . . 141
show threshold-udp-dos-forward-action status . . . . . . . . 141
show tiestats . . . . . . . . 142
show userconfigvolumedosthreshold . . . . . . . . 142
show userInfo stats . . . . . . . . 143
show vlanbasedrecon status . . . . . . . . 143
shutdown . . . . . . . . 144
snmpv2support . . . . . . . . 145
sshaccesscontrol . . . . . . . . 145
sshaccesscontrol resetlist . . . . . . . . 146
sshd disable . . . . . . . . 146
sshd enable . . . . . . . . 147
sshlogupload WORD . . . . . . . . 147
status . . . . . . . . 149
traceupload . . . . . . . . 150
vlanbridgestp . . . . . . . . 151
watchdog . . . . . . . . 152

3 IPS CLI Commands - Debug Mode . . . . . . . . 153
40to10conversion . . . . . . . . 155
aclstat . . . . . . . . 156
allow intfport id connector . . . . . . . . 156
arp static . . . . . . . . 157
clearactiveflows . . . . . . . . 157
clrconnlimithost . . . . . . . . 158
datapathstat . . . . . . . . 158
disable . . . . . . . . 160
dossampling . . . . . . . . 160
dossampling status . . . . . . . . 161
downloadgamupdate . . . . . . . . 161
dumpdebuglog . . . . . . . . 161
dumpDeviceConfigSettings . . . . . . . . 162
dumpDeviceProfileStats . . . . . . . . 162
dumpDeviceTableByAllIP . . . . . . . . 163
dumpDeviceTableByAllMAC . . . . . . . . 164
dumpDevProfTableEntry . . . . . . . . 164
dumpDevProfTableToLog . . . . . . . . 164
dumpdgastats . . . . . . . . 164
flashcheck . . . . . . . . 165
getauthstats . . . . . . . . 165
getccstats . . . . . . . . 166
getcestats . . . . . . . . 170
getmdrinfo . . . . . . . . 171
getplstats . . . . . . . . 171
getsastats . . . . . . . . 173
getscstats . . . . . . . . 174
ipfragstats . . . . . . . . 175
ipreassembly timeout millisecond . . . . . . . . 176
layer2 mode . . . . . . . . 176
l7dpstat . . . . . . . . 177
l7show . . . . . . . . 178
logShowCfg . . . . . . . . 179
maidstat . . . . . . . . 180
matdChnstate WORD . . . . . . . . 181
mobileDbg delete . . . . . . . . 181
mobileDbg print . . . . . . . . 181
nsmChanState WORD . . . . . . . . 182
perf . . . . . . . . 182
pptsetprioritytrafficratio . . . . . . . . 182
reset debugmode passwd . . . . . . . . 182
resetalertstats . . . . . . . . 183
reset ratelimitstats . . . . . . . . 183
rspstat . . . . . . . . 183
sensor perf-debug show . . . . . . . . 184
sensor perf-debug upload-protoStats . . . . . . . . 185
set aidlog . . . . . . . . 185
set amchannelencryption . . . . . . . . 185
set inline drop packet log . . . . . . . . 185
set inline traffic prioritization . . . . . . . . 186
set intfport id . . . . . . . . 186
set ipfrag . . . . . . . . 187
set ipsforunknownudp . . . . . . . . 187
set l3 . . . . . . . . 187
set l7 . . . . . . . . 187
set l7ddosresponse . . . . . . . . 188
set loglevel . . . . . . . . 188
set loglevel dos . . . . . . . . 188
set loglevel dp WORD . . . . . . . . 188
set loglevel mgmnt . . . . . . . . 189
set ma wakeup port . . . . . . . . 189
set malware split session parsing . . . . . . . . 189
set malwareEngine . . . . . . . . 190
set mgmtprocessrestart . . . . . . . . 190
set recon . . . . . . . . 191
show 40to10conversion status . . . . . . . . 191
show aidlog status . . . . . . . . 192
show all datapath error-counters . . . . . . . . 192
show amchannelencryption status . . . . . . . . 198
show attack count . . . . . . . . 199
show botnet-usage . . . . . . . . 199
show connlimithost . . . . . . . . 200
show connlimitstat . . . . . . . . 201
show datapath processunits . . . . . . . . 201
show doscfg . . . . . . . . 201
show eccerrors . . . . . . . . 202
show fe stat . . . . . . . . 202
show feature status . . . . . . . . 203
show feswitch port . . . . . . . . 204
show gam scan stats . . . . . . . . 204
show gmac . . . . . . . . 205
show inline traffic prioritization status . . . . . . . . 205
show ipsforunknownudp status . . . . . . . . 206
show ipfrag status . . . . . . . . 206
show layer2 portlevel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show l3 status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show l7 status
show l7dcap-usage
show l7ddosresponse status
show l7ddosstat
show layer2 reason
show malwareEngine status
show malwareclientstats
show malwareserverstats
show matd channel
show mgmtcfg
show mem-usage
show mgmtnetstats
show mgmtprocessrestart status
show pktcapture status
show prioritytraffic ratio
show ratelimit drops
show ratelimit markstats
show ratelimitstats
show recon status
show respport r1
show saved alerts
show saved packets
show sbcfg
show sensor health
show startup stats
show static-arp
show statistics alerts
show statistics icmp
show statistics ipfrag
show statistics l4
show statistics tcp
show statistics udp
show tempcounterstatus
show wb stats
show xff-usage
switch matd channel
tustat
unknownapktocloud
4 NTBA CLI commands 257
backup resume
backup suspend
clear antimalware cache
commands
deinstall
deletemgrsecintf
deletesignatures
download antimalware updates
downloadgamupdate
exit
factorydefaults
flowforward collector
help
host-vlan
installdb
installntba
loadimage
nslookup
passwd
ping
quit
reboot
resetconfig
resetpasswd
scan
service list
service restart
service start
service status
service stop
set antimalware cache
set antimalware encryption
set console timeout
set dbdisksize
set flow-fw
set endpointintelligence demo
set endpointintelligence alertinterval
set htf delta-period
set htf max-deltas
set manager alertport
set manager installsensorport
set manager ip
set manager secondary ip
set mgmtport auto
set mgmtport speed and duplex
set sensor gateway
set sensor ip
set sensor name
set sensor sharedsecretkey
set store-url-type
set tftpserver ip
setup
show
show aggstats
show anomaly
show antimalware encryption status
show antimalware scandetails
show antimalware status
show backupstats
show cachestats
show dbstats
show disk-usage
show endpointintelligence details
show endpointintelligence summary
show exporters
show fingerprinting stats
show forensic-db details
show flowforwardinfo
show host-vlan
show htf
show intfport
show gam engine stats
show gam scan stats
show l7dcapstats
show mem-usage
show mgmtport
show netstat
show nfcstats
show pktrecvstats
show route
show store-url-type
show tsstats
shutdown
status
tcpdump sec
traceupload
unknown-interfaces-flows
watchdog
Index
Preface
This guide provides the information you need to configure, use, and maintain your McAfee product.
Contents
About this guide
Find product documentation
About this guide
This information describes the guide's target audience, the typographical conventions and icons used
in this guide, and how the guide is organized.
Audience
McAfee documentation is carefully researched and written for the target audience.
The information in this guide is intended primarily for:
• Administrators — People who implement and enforce the company's security program.
• Users — People who use the computer where the software is running and can access some or all of its features.
Conventions
This guide uses these typographical conventions and icons.
Book title, term, emphasis: Title of a book, chapter, or topic; a new term; emphasis.
Bold: Text that is strongly emphasized.
User input, code, message: Commands and other text that the user types; a code sample; a displayed message.
Interface text: Words from the product interface like options, menus, buttons, and dialog boxes.
Hypertext blue: A link to a topic or to an external website.
Note: Additional information, like an alternate method of accessing an option.
Tip: Suggestions and recommendations.
Important/Caution: Valuable advice to protect your computer system, software installation, network, business, or data.
Warning: Critical advice to prevent bodily harm when using a hardware product.
Find product documentation
After a product is released, information about the product is entered into the McAfee online Knowledge
Center.
Task
1 Go to the Knowledge Center tab of the McAfee ServicePortal at http://support.mcafee.com.
2 In the Knowledge Base pane, click a content source:
• Product Documentation to find user documentation
• Technical Articles to find KnowledgeBase articles
3 Select Do not clear my filters.
4 Enter a product, select a version, then click Search to display a list of documents.
1 Introduction
This section gives a basic overview of McAfee® Network Security Sensor and McAfee® Network Threat
Behavior Analysis Appliance.
Contents
About McAfee® Network Security Sensor
Issuing CLI commands
CLI syntax
Granular access control for CLI commands
Logon to the CLI
Meaning of "?"
About McAfee® Network Security Sensor
A McAfee® Network Security Sensor is a content-processing appliance built for accurate detection and
prevention of intrusions, misuse, and distributed denial of service (DDoS) attacks. McAfee® Network
Security Sensor (Sensor) is specifically designed to handle traffic at wire speed, to inspect and detect
intrusions with a high degree of accuracy, and to be flexible enough to adapt to the security needs of any
enterprise environment.
When deployed at key network access points, a Sensor provides real-time traffic monitoring to detect
malicious activity and respond to the malicious activity as configured by the administrator.
Sensors are configured and managed using McAfee® Network Security Manager (Manager). The
process of configuring a Sensor and establishing communication with the Manager is described in later
chapters of this guide.
Issuing CLI commands
You can issue CLI commands locally, from the Sensor Console, or remotely, via ssh.
Issuing a command via the console
When the documentation indicates that you must perform an operation "on the Sensor," it signifies that
you must perform the operation from the command line of a console host connecting to the Sensor. For
example, when you first configure a Sensor, you must do so from the console.
For more information on setting up a console, refer to the respective Sensor Guide.
When you are successfully connected to the Sensor, you will see the login prompt.
factorydefaults
Wipes all settings, certificates, and signatures from the Sensor, returning it to its blank, pre-configured
state. This command does not appear when you type ? or commands, and auto-complete does not apply to
it; you must type the command in full to execute it. Per Table 1-1, only the Read/Write and Admin roles
can run it.
This command has no parameters.
You are warned that the operation will clear the Sensor and you must confirm the action. The warning
is given because the Sensor returns to its clean, pre-configured state, so all current configuration
settings, including the trust relationship with the Manager, are lost; after the reboot you must repeat
the initial setup and re-establish trust with the Manager before the Sensor is managed again.
Syntax:
factorydefaults
On executing the command, the following messages are displayed for an NTBA Appliance:
Are you sure you want to reset NTBA to factory defaults?
WARNING: All existing configuration and data will be lost.
Please enter Y to confirm: y
Step 1 of 3: Removing trust with Network Security Manager
Network Security Manager trust is removed.
Step 2 of 3: Resetting the NTBA database to factory defaults. This will take few minutes.
Stopping all services.
Formatting NTBA database partitions. This will take several minutes depending on the disk size.
Creating fresh databases.
Resetting NTBA configurations.
The NTBA configuration and signature files are reset to default.
Step 3 of 3: Rebooting the NTBA appliance. After the reboot, log in to complete the NTBA setup.
Broadcast message from root (Thu Feb 27 11:57:26 2014):
The system is going down for reboot NOW!
Applicable to:
M-series and NS-series, and NTBA Appliances.
Errors while running factorydefaults
The following errors might occur while you run this command. The progress messages of the step in
which each group of errors can occur are listed alongside them, in the order the command prints them:
• An error occurred while stopping the database events. Restart the appliance or VM and rerun factorydefaults.
• An error occurred while trying to disable database events. Restart the appliance or VM and rerun factorydefaults.
• An error occurred while stopping the database processes. Restart the appliance or VM and rerun factorydefaults.
• An error occurred while disabling the database processes. Restart the appliance or VM and rerun factorydefaults.
• The NTBA database service is still up. Sending a termination signal.
• The NTBA database service is still up. Sending a kill signal.
• The NTBA database service can't be stopped. Restart the appliance or VM and rerun factorydefaults.
• Formatting the NTBA database partitions. This will take several minutes depending on the disk size.
• Dropping NTBA databases failed. Restart the appliance or VM and rerun factorydefaults.
• Formatting NTBA database partitions failed. Restart the appliance or VM and rerun factorydefaults.
• Creating fresh databases
• Mounting NTBA database partitions failed. Restart the appliance or VM and rerun factorydefaults.
• Installing the NTBA database engine failed. Restart the appliance or VM and rerun factorydefaults.
• Installing the NTBA databases failed. Restart the appliance or VM and rerun factorydefaults.
• Resetting NTBA configurations
• Verifying software image on the appliance or VM failed. Load the correct NTBA software image and rerun factorydefaults.
• Extracting the tar file failed. Load the correct NTBA software image and rerun factorydefaults.
• Checking consistency of software image on the appliance or VM failed. Load the correct NTBA software image and rerun factorydefaults.
• Retrieving package from the software image failed. Load the correct NTBA software image and rerun factorydefaults.
• NTBA configuration and signature files are reset to default.
Issuing a command via ssh
You can administer a Sensor remotely from a command prompt via ssh. To do so, you must ensure
the ssh daemon on the Sensor is started (the default). If it is stopped, you can start it from the console
using the CLI command sshd enable.
Only 5 sshd sessions can be open concurrently on a Sensor.
Logging onto the Sensor via an ssh client
Task
1 Open an ssh client session to log on to the Sensor.
2 At the login prompt, enter the default username admin and password admin123. The number of
login attempts to the Sensor from a client on a single connection is set to 3, after which the
connection is closed.
The number of login attempts can differ based on the ssh client that you are using: you get 3 login
attempts with certain clients (for example, PuTTY release 0.54 or 0.56) and 4 login attempts with
others (for example, PuTTY release 0.58 or Linux ssh clients).
Auto-complete
The CLI provides an auto-complete feature. To auto-complete a command, press TAB after typing a
few characters of a valid command and then press ENTER. For example, typing expo and pressing
TAB would result in the CLI auto-completing the entry with the command exportsensorcerts.
If the partially-entered text matches multiple options, the CLI displays all available matching
commands.
CLI syntax
You issue commands at the command prompt as shown.
<command> <value>
• Values that you must enter are enclosed in angle brackets (< >).
• Optional keywords or values are enclosed in square brackets ([ ]).
• Options are shown separated by a line (|).
• Variables are indicated by italics.
Do not type the < or [ ] symbols.
Command sequence
Some operations require that you first specify a network value before you issue a command. For
example, you must specify a TFTP server IP address before you issue a loadimage command. See the
instructions on performing the operation for the correct sequence.
Mandatory commands
There are certain commands that must be executed on the Sensor before the Sensor is fully
operational. The remaining commands in this chapter are optional and will assume default values for
their parameters unless they are executed with other specific parameter values.
These are the required commands:
• set sensor name
• set sensor ip/ipv6
• set manager ip
• set sensor sharedsecretkey
• If the Sensor is on a different network than the Manager, you also need the set sensor gateway
(or set sensor gateway-ipv6) command.
Per Table 1-1, set sensor name requires the Read/Write or Admin role; the other required commands
are also available to the Maintainer role.
Granular access control for CLI commands
McAfee Network Security Platform supports creation of multiple user accounts for the Sensor. Each
account is associated with a role, and the role of a user determines the CLI commands he or she can
run.
The following Sensor user roles are supported:
• Admin: access to all commands.
• Read and Write: access to all commands, except the ones available only to the administrator.
• Read Only: access to all show commands.
• Updater: access to update Sensor images and signature files.
• Maintainer: access to update Sensor images and signature files, and also to add a Sensor to a specific
Manager.
The debug commands can be accessed by admins or by users with read and write access.
You can authenticate users by using either TACACS+ or RADIUS servers. For a TACACS+ user to
obtain granular access control, authorization must be enabled on the Sensor (set tacacsauthorization
in Table 1-1); if it is not, the user is given Admin access. The role is assigned in the TACACS+ server
configuration. If no role is configured in the TACACS+ server, Admin access is given; if a role other
than the allowed roles is assigned, Read-Only access is given. Note that both fail-open cases
(authorization disabled on the Sensor, or no role attribute returned by the server) grant Admin, so
verify the Sensor setting and the server configuration together when you enable TACACS+.
Users authenticated by a RADIUS server are assigned the Admin role by default; role-based user
logins cannot be created through the RADIUS server.
The following is an example of the TACACS+ server configuration file:
user=user1 {
................
................
service = intrushell {
role = "RO-Access"
}
}
The allowed role strings in the TACACS+ configuration file are:
• "Updater"
• "RW-Access"
• "Maintainer"
• "Admin-Access"
• "RO-Access"
McAfee recommends that you configure either TACACS+/RADIUS users or local users on the Sensor,
not both. If both are required, ensure that users with the same name are not present on both the
Sensor and the TACACS+/RADIUS servers.
adduser WORD
Use this command to add a new user in the default role (Read Only). The admin can later change the
user's role using the userrole command.
A maximum of 100 users can be added.
Syntax:
adduser WORD
where WORD is the user name. Consider the following when specifying a user name:
• The length of a user name can be 1-25 characters.
• The user name can contain letters, digits, and a few special characters.
• The special characters that you can use are dot (.), hyphen (-), and underscore (_).
• The user name must begin with a letter, and is case-sensitive.
• The user logs on with the password assigned by the admin (see userpasswd). The admin can assign
passwords with no restrictions.
Applicable to:
M-series and NS-series Sensors.
commands
Displays all CLI commands supported for the current user role.
This command has no parameters.
Syntax:
commands
Applicable to:
M-series and NS-series, and NTBA Appliances.
deleteuser WORD
Deletes an existing user.
If the user is currently logged in, you cannot delete the account until the user logs off.
Syntax:
deleteuser WORD
where WORD is the user name to be deleted.
Applicable to:
M-series and NS-series Sensors.
deleteallusers
Deletes all existing users.
If a user is currently logged in, that account cannot be deleted until the user logs off.
Syntax:
deleteallusers
Applicable to:
M-series and NS-series Sensors.
lockuser WORD
Locks out any user created by the admin.
Syntax:
lockuser WORD
where WORD is the user name.
Note the following:
• The user admin cannot be locked using this command.
• Locked users cannot log on until they are unlocked using the unlockuser command.
Applicable to:
M-series and NS-series Sensors.
passwd
Changes the password of the currently logged-in user. A password must contain at least 8 characters
and can consist of any alphanumeric character or symbol. This command applies to the admin as well
as to non-admin users.
You are asked to enter the current password before setting a new one.
Syntax:
passwd
Applicable to:
M-series and NS-series Sensors.
userpasswd WORD
Use this command to assign or reset the password of an existing user.
Syntax:
userpasswd WORD
where WORD is the user name for which the password is to be assigned or reset.
Once the password is reset, the admin must inform the user of the new password.
The password supplied by the admin is not validated for strength or minimum length, so the
8-character minimum that passwd enforces does not apply here. Choose an initial password that would
pass that check anyway, and have the user change it with passwd at first logon.
Applicable to:
M-series and NS-series Sensors.
userlist
Displays the list of existing users created by admin and the roles assigned to them. The currently
locked users are also displayed.
The locked users, when displayed, are marked with an asterisk (*).
Syntax:
userlist
If a user account gets locked due to logon failure, the locked status is displayed after the next logon
attempt.
Applicable to:
M-series and NS-series Sensors.
userrole WORD
Changes the role of an existing user.
Syntax:
userrole WORD <admin|readwrite|readonly|updater|maintainer>
where WORD stands for the user name for whom the role is to be changed.
Applicable to:
M-series and NS-series Sensors.
unlockuser WORD
Unlocks a user account that is locked because of multiple authentication failures.
Syntax:
unlockuser WORD
where WORD is the user name to be unlocked.
Three successive logon failures lock a user account. The admin can then unlock the account using
this command; once unlocked, the user can continue to use the same password.
The userpasswd command can also be used to unlock a user account. In that case, however, the user
receives a new password.
Applicable to:
M-series and NS-series Sensors.
whoami
Displays the name of the user who is currently logged in.
Syntax:
whoami
Applicable to:
M-series and NS-series Sensors.
Role and CLI command matrix
The following table shows the different CLI commands and their availability for different roles.
Table 1-1
Role and CLI command matrix
Command Name
Updater Maintainer ReadOnly ReadWrite Admin
adduser
N
N
N
N
Y
accelerate-ftp
N
N
N
N
Y
accelerate-ftp status
N
N
N
N
Y
arp delete
N
N
N
Y
Y
arp dump
N
N
Y
Y
Y
arp flush
N
N
N
Y
Y
arp spoof
N
N
N
Y
Y
auditlogupload
N
N
Y
Y
Y
checkmanagerconnectivity
N
N
N
N
Y
clrstat
N
N
N
Y
Y
clrtsstats
N
N
N
N
Y
commands
Y
Y
Y
Y
Y
console eventlog (on|off|status)
N
N
N
N
Y
debug
N
N
N
Y
Y
deinstall
N
Y
N
Y
Y
deleteallusers
N
N
N
N
Y
deletemgrsecintf
N
Y
N
Y
Y
deletesignatures
N
N
N
Y
Y
deleteuser
N
N
N
N
Y
disconnectalertandpktlogchannels
N
Y
N
Y
Y
dnsprotect
N
N
N
Y
Y
dnsprotect (add|delete)
N
N
N
Y
Y
dnsprotect resetlist
N
N
N
Y
Y
downloadstatus
Y
Y
Y
Y
Y
exit
Y
Y
Y
Y
Y
McAfee Network Security Platform 8.2
CLI Guide
23
1
Introduction
Granular access control for CLI commands
Table 1-1
24
Role and CLI command matrix (continued)
Command Name
Updater Maintainer ReadOnly ReadWrite Admin
exportsensorcerts
N
N
Y
Y
Y
factorydefaults
N
N
N
Y
Y
failovermode forward-peer-stp
(enable|disable)
N
N
N
Y
Y
fwdump acl
N
N
N
N
Y
guest-portal
N
N
N
Y
Y
help
Y
Y
Y
Y
Y
host-vlan
N
N
Y
Y
Y
Importsensorcerts
N
N
N
Y
Y
increasemgmtprocessing
N
N
N
Y
Y
ipreassembly timeout forward
N
N
N
Y
Y
latency-monitor
N
N
N
Y
Y
layer2 mode
N
N
N
Y
Y
loadconfiguration
N
Y
N
Y
Y
loadimage
Y
Y
N
Y
Y
loadsavedimage
N
N
N
Y
Y
lockuser
N
N
N
N
Y
logmacstat
N
N
Y
Y
Y
lognpumacstat
N
N
N
Y
Y
logstat
N
N
Y
Y
Y
macstat
N
N
Y
Y
Y
npumacstat
N
N
Y
Y
Y
ntbastat
N
N
N
N
Y
passwd
Y
Y
Y
Y
Y
ping
Y
Y
Y
Y
Y
quit
Y
Y
Y
Y
Y
raidrepair
N
N
Y
Y
Y
reboot
Y
Y
N
Y
Y
reconnectalertandpktlogchannels
N
Y
N
Y
Y
rescuedisk
N
N
N
Y
Y
resetconfig
N
N
N
Y
Y
secureerase
N
N
N
Y
Y
sensor-datapath-stat-analysis log
N
N
N
N
Y
sensor-datapath-stat-analysis show
N
N
N
N
Y
sensordroppktevent
N
N
N
Y
Y
set auditlog
N
N
N
Y
Y
set autorecovery
N
N
N
Y
Y
set auxport (enable|disable)
N
N
N
Y
Y
set console timeout
N
N
N
Y
Y
McAfee Network Security Platform 8.2
CLI Guide
1
Introduction
Granular access control for CLI commands
Table 1-1
Role and CLI command matrix (continued)
Command Name
Updater Maintainer ReadOnly ReadWrite Admin
set debugmode passwd
N
N
N
N
Y
set dnsprotect
N
N
N
Y
Y
set flowvolumelimit disable
N
N
N
Y
Y
set flowvolumelimit enable
<threshold>
N
N
N
Y
Y
set gigfailopen disable
N
N
N
Y
Y
set gigfailopendelay
N
N
N
Y
Y
set intfport id disable-auto
N
N
N
Y
Y
set intfport id enable-auto-duplex
N
N
N
Y
Y
set intfport id flowcontrol
N
N
N
Y
Y
set intfport id speed duplex
N
N
N
Y
Y
set ipssimulation (enable|disable)
N
N
N
Y
Y
set l2f-unknown-udp
N
N
N
N
Y
set manager alertport
N
N
N
Y
Y
set manager alertport_RSA-2048-bit
N
N
N
Y
Y
set manager installsensorport
N
N
N
Y
Y
set manager
installsensorport_RSA-2048-bit
N
N
N
Y
Y
set manager ip
N
Y
N
Y
Y
set manager logport
N
N
N
Y
Y
set manager logport_RSA-2048-bit
N
N
N
Y
Y
set manager secondary ip
N
Y
N
Y
Y
set mgmtport auto
N
N
N
Y
Y
set mgmtport mtu
N
N
N
Y
Y
set mgmtport speed
N
N
N
Y
Y
set mnsconfig radiusLB
N
N
N
N
Y
set nmsuserwriteaccess
N
N
N
Y
Y
set parsetunneledtraffc
N
N
N
Y
Y
set previous256byteslogging (enable |
disable)
N
N
N
Y
Y
set scpserver ip
Y
Y
N
Y
Y
set sensor gateway
N
Y
N
Y
Y
set sensor gateway-ipv6
N
Y
N
Y
Y
set sensor ip/ipv6
N
Y
N
Y
Y
set sensor name
N
N
N
Y
Y
set sensor sharedsecretkey
N
Y
N
Y
Y
set sensor-load
N
N
N
Y
Y
set sessionlimit timeout
N
N
N
N
Y
set sshinactivetimeout
N
N
N
Y
Y
set ssshaccesscontrol
N
N
N
Y
Y
McAfee Network Security Platform 8.2
CLI Guide
25
1
Introduction
Granular access control for CLI commands
Table 1-1
26
Role and CLI command matrix (continued)
Command Name
Updater Maintainer ReadOnly ReadWrite Admin
set sshlog
N
N
N
N
Y
set syncookietcpreset (on|off)
N
N
N
Y
Y
set tacacsauthorization
N
N
N
Y
Y
set tcpudpchecksumerror drop
N
N
N
Y
Y
set tcpudpchecksumerror forward
N
N
N
Y
Y
set tftpserver ip
Y
Y
N
Y
Y
set threshold-udp-dos-forward-action
N
N
N
N
Y
set unknownprotoscandepth disable
N
N
N
Y
Y
set unknownprotoscandepth enable
<num>
N
N
N
Y
Y
set unknownprotoscandepth enable
entire-flow
N
N
N
Y
Y
set userconfigvolumdosthreshold
N
N
N
Y
Y
set vlanbasedrecon
N
N
N
N
Y
setfailopencfg restore-inline
N
N
N
N
Y
setup
N
N
N
Y
Y
show
Y
Y
Y
Y
Y
show acl stats
N
N
Y
Y
Y
show arp spoof status
N
N
Y
Y
Y
show auditlog
N
N
Y
Y
Y
show auditlog status
N
N
Y
Y
Y
show autorecovery status
N
N
Y
Y
Y
show auxport status
N
N
Y
Y
Y
show console timeout
N
N
Y
Y
Y
show coppersfpserialnumbers
N
N
Y
Y
Y
show dnsprotect
N
N
Y
Y
Y
show dnsprotectstat
N
N
Y
Y
Y
show dospreventionprofile
N
N
Y
Y
Y
show dospreventionseverity
N
N
Y
Y
Y
show dxl status
N
N
N
N
Y
show eventlog
N
N
Y
Y
Y
show failover-status
N
N
Y
Y
Y
show flows
N
N
Y
Y
Y
show flowvolumelimit config
N
N
Y
Y
Y
show gam engine stats
N
N
N
N
Y
show gigfailopendelay
N
N
Y
Y
Y
show gti config
N
N
Y
Y
Y
show gti stats ip
N
N
N
N
Y
show inactiveuserslock status
N
N
N
N
Y
McAfee Network Security Platform 8.2
CLI Guide
1
Introduction
Granular access control for CLI commands
Table 1-1
Role and CLI command matrix (continued)
Command Name
Updater Maintainer ReadOnly ReadWrite Admin
show host-vlan                                 N        N           Y         Y          Y
show inlinepktdropstat                         N        N           Y         Y          Y
show intfport                                  N        N           Y         Y          Y
show ipssimulation status                      N        N           Y         Y          Y
show l2f-unknown-udp status                    N        N           N         N          Y
show l7ae status                               N        N           N         N          Y
show layer2                                    N        N           Y         Y          Y
show layer2 mode                               N        N           Y         Y          Y
show malwarefilestats                          N        N           N         N          Y
show mgmtport                                  N        N           Y         Y          Y
show mnsconfig                                 N        N           N         N          Y
show netstat                                   N        N           Y         Y          Y
show nmsuserwriteaccess status                 N        N           N         N          Y
show parsetunneledtraffic status               N        N           Y         Y          Y
show pluggable-module                          N        N           Y         Y          Y
show portsettletime                            N        N           Y         Y          Y
show powersupply                               N        N           Y         Y          Y
show previous256byteslogging status            N        N           Y         Y          Y
show raid status                               N        N           N         Y          Y
show rescueimages                              N        N           Y         Y          Y
show savedalertinfo                            N        N           Y         Y          Y
show savedimages                               N        N           N         Y          Y
show sensordroppktevent status                 N        N           Y         Y          Y
show sensor-load                               N        N           Y         Y          Y
show sessionlimit timeout                      N        N           N         N          Y
show sshaccesscontrol status                   N        N           Y         Y          Y
show sshinactivetimeout                        N        N           Y         Y          Y
show sshlog status                             N        N           N         N          Y
show ssl config                                N        N           Y         Y          Y
show ssl stats                                 N        N           Y         Y          Y
show syncookietcpreset                         N        N           Y         Y          Y
show syslog statistics                         N        N           Y         Y          Y
show tacacs                                    N        N           Y         Y          Y
show tcpipstats                                N        N           Y         Y          Y
show tcpudpchecksumerror                       N        N           Y         Y          Y
show threshold-udp-dos-forward-action status   N        N           N         N          Y
show userconfigvolumedosthreshold              N        N           Y         Y          Y
show userInfo stats                            Y        Y           Y         Y          Y
show vlanbasedrecon status                     N        N           N         N          Y
showfailopencfg                                N        N           N         N          Y
shutdown                                       N        N           N         Y          Y
snmpv2support                                  N        N           N         N          Y
sshaccesscontrol                               N        N           N         Y          Y
sshaccesscontrol resetlist                     N        N           N         Y          Y
sshd disable                                   N        N           N         Y          Y
sshd enable                                    N        N           N         Y          Y
sshlogupload WORD                              N        N           N         N          Y
status                                         Y        Y           Y         Y          Y
traceupload                                    N        N           Y         Y          Y
unlockuser                                     N        N           N         N          Y
userlist                                       N        N           N         N          Y
userpasswd                                     N        N           N         N          Y
userrole                                       N        N           N         N          Y
vlanbridgestp                                  N        N           N         Y          Y
watchdog                                       N        N           N         Y          Y
whoami                                         Y        Y           Y         Y          Y
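Table 1-1 is the data a reviewer needs when checking that Sensor accounts hold no more privilege than their job requires, but in the flattened form above it is awkward to query by hand. The following Python is an added example, not part of the McAfee guide or product. It parses the table exactly as the extraction presents it (a command name, occasionally wrapped onto two lines, followed by five Y/N lines in the order Updater, Maintainer, ReadOnly, ReadWrite, Admin) and answers the questions an auditor asks: which commands a given role can run, which are Admin-only, and whether any row breaks the nesting of the roles that the table otherwise shows. SAMPLE_MATRIX is a constructed excerpt of the rows above; page headers and footers must be stripped before a full extraction is fed to it.

```python
"""Parse the flattened role/CLI-command matrix (Table 1-1) and audit it.

Added example; not part of the McAfee CLI Guide. Input is the text as the
PDF extraction leaves it: a command name on one line (sometimes wrapped
onto two), followed by five Y/N lines in the column order
Updater, Maintainer, ReadOnly, ReadWrite, Admin.
"""
from __future__ import annotations

ROLES = ("Updater", "Maintainer", "ReadOnly", "ReadWrite", "Admin")

# Constructed excerpt of Table 1-1, in the flattened form seen on the page.
SAMPLE_MATRIX = """\
show dxl status
N
N
N
N
Y
show eventlog
N
N
Y
Y
Y
show raid status
N
N
N
Y
Y
show threshold-udp-dos-forward-action
status
N
N
N
N
Y
shutdown
N
N
N
Y
Y
userpasswd
N
N
N
N
Y
whoami
Y
Y
Y
Y
Y
"""


def parse_matrix(text: str) -> dict[str, dict[str, bool]]:
    """Return {command: {role: allowed}} from the flattened table text."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    matrix: dict[str, dict[str, bool]] = {}
    i = 0
    while i < len(lines):
        name_parts = []
        # A command name is any line that is not a bare Y/N flag; a name
        # wrapped by the PDF layout continues until the first flag line.
        while i < len(lines) and lines[i] not in ("Y", "N"):
            name_parts.append(lines[i])
            i += 1
        flags = lines[i:i + len(ROLES)]
        if (not name_parts or len(flags) != len(ROLES)
                or any(f not in ("Y", "N") for f in flags)):
            raise ValueError(f"malformed row near line {i}: {name_parts!r} {flags!r}")
        matrix[" ".join(name_parts)] = {r: f == "Y" for r, f in zip(ROLES, flags)}
        i += len(ROLES)
    return matrix


def commands_for(matrix: dict[str, dict[str, bool]], role: str) -> list[str]:
    """Commands the given role may run, sorted."""
    return sorted(c for c, perms in matrix.items() if perms[role])


def admin_only(matrix: dict[str, dict[str, bool]]) -> list[str]:
    """Commands that only the Admin role may run (user and key management live here)."""
    return sorted(c for c, p in matrix.items()
                  if p["Admin"] and not any(p[r] for r in ROLES[:-1]))


def hierarchy_violations(matrix: dict[str, dict[str, bool]]) -> list[tuple[str, str, str]]:
    """Rows where a lower role can run a command the next higher role cannot.

    In the guide's table the roles nest (Updater within Maintainer within
    ReadOnly within ReadWrite within Admin); a row breaking that ordering
    deserves a second look before roles are handed out.
    """
    bad = []
    for cmd, p in matrix.items():
        for lower, higher in zip(ROLES, ROLES[1:]):
            if p[lower] and not p[higher]:
                bad.append((cmd, lower, higher))
    return bad


if __name__ == "__main__":
    m = parse_matrix(SAMPLE_MATRIX)
    for role in ROLES:
        print(f"{role:<10} {len(commands_for(m, role))} commands")
    print("Admin-only:", admin_only(m))
    print("Hierarchy violations:", hierarchy_violations(m))
```

Run it against the full table after removing the repeated page headers; the functions return plain lists, so the same checks drop into a CI job that diffs the role matrix between guide revisions.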
Logon to the CLI
Before you can enter CLI commands, you must first log on to the Sensor with a valid user name (the default user name is admin) and password (the default password is admin123).
McAfee strongly recommends that you change this password using the passwd command during your first interaction with the Sensor. The default credentials are published in this guide, so until they are changed anyone who can reach the Sensor console or management port can log on as admin.
To log off, type exit.
Debug mode
Log on to the Sensor with a valid user name (the default user name is admin) and password (the default password is admin123). At the command prompt, type debug to log on to debug mode. You can now run the debug mode commands.
To log off, type exit.
Meaning of "?"
? displays the next possible command string that you can enter.
Syntax:
?
? shows the next word you can type. If you execute ? in conjunction with the set command, for example, McAfee Network Security Platform displays a list of all options available with the set command.
2
IPS CLI Commands - Normal Mode
This section details the commands that can be run in Normal mode. In this mode, you can't run the
Debug mode commands.
Contents
accelerate-ftp
accelerate-ftp status
arp delete
arp dump
arp flush
arp spoof
auditlogupload
checkmanagerconnectivity
clrstat
clrtsstats
commands
console eventlog
debug
deinstall
deletemgrsecintf
deletesignatures
disconnectalertandpktlogchannels
dnsprotect
downloadstatus
exit
exportsensorcerts
factorydefaults
failovermode forward-peer-stp
fwdump acl
guest-portal
help
host-vlan
importsensorcerts
increasemgmtprocessing
ipreassembly timeout forward
latency-monitor
latency-monitor enable action
latency-monitor restore-inline
latency-monitor sensitivity-level
loadconfiguration
loadimage
loadsavedimage
logmacstat
lognpumacstat
logstat
macstat
npumacstat
ntbastat
ping
quit
raidrepair
reboot
reconnectalertandpktlogchannels
rescuedisk
resetconfig
secureerase
sensor perf-debug
sensor perf-debug off
sensor perf-debug status
sensor-datapath-stat-analysis log
sensor-datapath-stat-analysis show
sensordroppktevent
set
set auditlog
set autorecovery
set auxport
set console timeout
set debugmode passwd
set dnsprotect
set flowvolumelimit enable <threshold>
set flowvolumelimit disable
set gigfailopen disable
set gigfailopendelay
set intfport id disable-auto
set intfport id enable-auto duplex
set intfport id flowcontrol
set intfport id speed duplex
set ipssimulation disable
set l2f-unknown-udp
set manager alertport
set manager alertport_RSA-2048-bit
set manager installsensorport
set manager installsensorport_RSA-2048-bit
set manager ip
set manager logport
set manager logport_RSA-2048-bit
set manager secondary ip
set mgmtport auto
set mgmtport mtu
set mgmtport speed and duplex
set mnsconfig
set mnsconfig radiusLB
set nmsuserwriteaccess
set outofcontext acllookup
set parsetunneledtraffic
set portsettletime
set previous256byteslogging
set scpserver ip
set sensor gateway
set sensor gateway-ipv6
set sensor ip
set sensor ipv6
set sensor name
set sensor sharedsecretkey
set sessionlimit timeout
set sshaccesscontrol
set sshinactivetimeout
set sshlog
set syncookietcpreset
set tacacsauthorization
set tcpudpchecksumerror drop
set tcpudpchecksumerror forward
set tftpserver ip
set threshold-udp-dos-forward-action
set userconfigvolumedosthreshold
set vlanbasedrecon
setfailopencfg restore-inline
set-sensor-load
setup
show
show acl stats
show arp spoof status
show auditlog
show auditlog status
show autorecovery status
show auxport status
show botnet-alertstats
show console timeout
show coppersfpserialnumbers
show dnsprotect
show dnsprotectstat
show dospreventionprofile
show dospreventionseverity
show dxl status
show eventlog
showfailopencfg
show failover-status
show flows
show flowvolumelimit config
show gam engine stats
show gigfailopendelay
show gti config
show gti stats ip
show inactiveuserslock status
show inlinepktdropstat
show ingress-egress stat
show intfport
show ipssimulation status
show l2f-unknown-udp status
show l7ae status
show l7ddosstat
show layer2 forward
show layer2 forward intfport
show layer2 mode
show malwareenginestats
show malwarefilestats
show mem-usage
show mgmtport
show mnsconfig
show netstat
show nmsuserwriteaccess status
show outofcontext acllookup
show parsetunneledtraffic status
show pktcapture status
show pluggable-module
show portsettletime
show powersupply
show previous256byteslogging status
show raid status
show rescueimages
show savedalertinfo
show savedimages
show sensordroppktevent status
show sensor-load
show sessionlimit timeout
show sshaccesscontrol status
show sshinactivetimeout
show sshlog status
show ssl config
show ssl stats
show syncookietcpreset
show syslog statistics
show tacacs
show tcpipstats
show tcpudpchecksumerror
show threshold-udp-dos-forward-action status
show tiestats
show userconfigvolumedosthreshold
show userInfo stats
show vlanbasedrecon status
shutdown
snmpv2support
sshaccesscontrol
sshaccesscontrol resetlist
sshd disable
sshd enable
sshlogupload WORD
status
traceupload
vlanbridgestp
watchdog
accelerate-ftp
Enables or disables the fast forward FTP data flows feature for the inbound or the outbound direction.
Syntax:
accelerate-ftp (inbound | outbound) (enable | disable)
Default Value:
It is disabled by default.
Example:
intruShell@john-3050> accelerate-ftp inbound enable
intruShell@john-3050> accelerate-ftp outbound enable
intruShell@john-3050> accelerate-ftp inbound disable
intruShell@john-3050> accelerate-ftp outbound disable
Applicable to:
M-series and NS-series Sensors.
accelerate-ftp status
Displays the fast forward ftp data flows feature status.
Syntax:
accelerate-ftp status
Sample output:
intruShell@john> accelerate-ftp status
FTP acceleration inbound : ENABLED
FTP acceleration outbound : DISABLED
Applicable to:
M-series and NS-series Sensors.
arp delete
Removes a single MAC/IP address association from the ARP table. It is used in conjunction with the Network Security Platform ARP spoofing detection feature. This command might also be used where a machine on the network has been replaced with new hardware, so that the old MAC address is no longer associated with its IP address.
Syntax:
arp delete <IP address>
Parameter   Description
IP address  A 32-bit IPv4 address in dotted-decimal form (X.X.X.X), where each X is a number from 0 to 255.
Example:
The following example shows that the IP address 209.165.202.255 is removed from the ARP table.
arp delete 209.165.202.255
Applicable to: M-series, NS-series, and Virtual IPS Sensors. For Virtual Security System instances,
this command is available in debug mode.
See also
arp dump on page 36
arp flush on page 36
arp spoof on page 37
arp dump
Dumps the contents of the current MAC/IP address mapping table in the database to a debug file. This
command is used for debugging purposes. Use with the logstat (on page 56) command to provide a
diagnostic trace to supply to Technical Support. It is used in conjunction with the Network Security
Platform ARP spoofing detection feature.
This command has no parameters.
Syntax:
arp dump
Applicable to: M-series, NS-series, and Virtual IPS Sensors. For Virtual Security System instances,
this command is available in debug mode.
See also
logstat on page 54
arp delete on page 35
arp flush on page 36
arp spoof on page 37
arp flush
Deletes the contents of the MAC/IP addresses mapping table. It is used in conjunction with the
Network Security Platform ARP spoofing detection feature.
This command has no parameters.
Syntax:
arp flush
Applicable to: M-series, NS-series, and Virtual IPS Sensors. For Virtual Security System instances,
this command is available in debug mode.
See also
arp delete on page 35
arp dump on page 36
arp spoof on page 37
arp spoof
Enables or disables the ARP spoofing detection. It is used in conjunction with the Network Security
Platform ARP spoofing detection feature.
Syntax:
arp spoof <enable | disable>
Parameter   Description
enable      Enables ARP spoofing detection.
disable     Disables ARP spoofing detection.
Default Value:
It is disabled by default.
Applicable to: M-series, NS-series, and Virtual IPS Sensors. For Virtual Security System instances,
this command is available in debug mode.
See also
arp delete on page 35
arp dump on page 36
arp flush on page 36
auditlogupload
Uploads the audit log file to the configured TFTP/SCP server. This file can contain a maximum of 5000 recent audit events.
Syntax:
auditupload WORD
auditlogupload tftp WORD
auditlogupload scp WORD
where WORD stands for the name of the audit log file to be uploaded.
Note the following:
• When uploading an audit log file to the SCP server, you are prompted for the SCP server credentials (username and password). The command succeeds only on providing the correct SCP server credentials.
• When uploading to the SCP server the pathname of the file should be absolute; when uploading to the TFTP server the pathname of the file should be relative to /tftpboot.
• If no filename is specified, the default filename is created in the specified path on the SCP server. The default file name for the audit log is audit_<sensor_timestamp>_<sensor_name>.log.
• Before executing this command (uploading to the TFTP server), make sure that the file is created on the TFTP server with write permissions for everyone.
• The functionality of auditlogupload tftp WORD is the same as auditupload WORD.
• TFTP carries the file without authentication or encryption, and the world-writable target file it requires can be overwritten by anyone who can reach the server. Because the audit log records administrative actions on the Sensor, prefer the scp form, which authenticates to the server, unless the TFTP server is confined to the management network.
Applicable to:
M-series and NS-series Sensors.
checkmanagerconnectivity
This command checks the connectivity between the Sensor and the Manager and displays the
following status information:
•
Alert channel
•
Packet log channel
•
Authentication channel
For any of the above, if the status is displayed as down, it additionally displays the steps for
troubleshooting the connectivity.
Syntax:
checkmanagerconnectivity
Sample Output:
intruShell@john> checkmanagerconnectivity
[Manager Trust]
Trust Established : Yes
[Manager Communications]
IP Connection : Pass
Alert Channel : down
Log Channel : up
Authentication Channel : up
Applicable to:
M-series and NS-series Sensors.
Troubleshooting tips:
• Re-initialize both the alert and log channels by executing disconnectalertandpktlogchannels and then reconnectalertandpktlogchannels at the CLI.
• If the issue persists, capture the packets on the Sensor's management port and also on the Manager for further analysis.
clrstat
This command clears all the statistics counters in the Sensor.
Syntax:
clrstat
Applicable to:
M-series and NS-series Sensors.
clrtsstats
This command clears all the statistics counters in the Sensor.
Syntax:
clrtsstats
Applicable to:
M-series and NS-series Sensors.
commands
Displays all CLI commands supported for the current user role.
This command has no parameters.
Syntax:
commands
Applicable to:
M-series and NS-series Sensors, and NTBA Appliances.
console eventlog
Enables or disables logging for console events. The status option displays if logging is on or off.
Syntax:
console eventlog on
console eventlog off
console eventlog status
Sample output:
intruShell@john-3050> console eventlog status
console logging = off
Applicable to:
M-series and NS-series Sensors.
debug
Enables you to log on to debug mode.
Syntax:
debug
Applicable to:
M-series and NS-series Sensors, and NTBA Appliances.
deinstall
Clears the Manager-Sensor trust data (the certificate and the shared key value). Every time you delete
a Sensor from the Manager, you must issue this command on the Sensor to clear the established trust
relationship before reconfiguring the Sensor.
This command has no parameters.
Syntax:
deinstall
On executing the command, the following messages are displayed:
deinstall the sensor and remove the trust with the manager ?
Please enter Y to confirm: Y
If you enter Y, the Manager/Sensor trust is removed. By pressing N, the Manager/Sensor trust remains
intact and you come out of the deinstall prompt.
Pressing Y displays the following message:
deinstall in progress ...
this will take a couple of seconds, please check status on CLI
Applicable to:
M-series and NS-series Sensors, and NTBA Appliances.
deletemgrsecintf
Clears the IP address of a Manager's secondary NIC.
This command has no parameters.
Syntax:
deletemgrsecintf
On executing the command, the following messages are displayed:
Please enter Y to confirm: y
Managers secondary intf IPaddr doesn't exist.
Deleting managers secondary interface had some Warnings/Errors.
Applicable to:
M-series and NS-series Sensors, and NTBA Appliances.
See also
set manager ip on page 74
set manager secondary ip on page 75
deletesignatures
Deletes signatures on the Sensor and reboots the Sensor. When you execute this command, the
signatures are deleted and then the Sensor is restarted automatically. Before executing the command,
you are prompted whether both the tasks should be performed.
This command has no parameters.
Syntax:
deletesignatures
On executing the command, the following messages are displayed:
Delete the signatures and reboot the sensor ?
Please enter Y to confirm: y
deleting the signatures and rebooting the sensor
signatures deleted
Broadcast message from root (Fri Mar 28 05:15:54 2014):
The system is going down for reboot NOW!
Applicable to:
M-series and NS-series Sensors, and NTBA Appliances.
disconnectalertandpktlogchannels
Removes the alert and log channels between the Sensor and the Manager without deleting the trust
keys. This command breaks the communication with the Manager without disturbing the configured
trust information.
This command has no parameters.
Syntax:
disconnectalertandpktlogchannels
On executing the command, the following message is displayed:
this will take a couple of seconds , please check status on CLI
Applicable to:
M-series and NS-series Sensors.
See also
reconnectalertandpktlogchannels on page 60
dnsprotect
Adds a DNS spoof protection IP address to the Protected Server List (PSL), deletes an existing DNS spoof protection IP address (IPv4 or IPv6) from the PSL, or resets the list (IPv4, IPv6, or both). DNS spoof protection is not applied to IPv6 packets that carry a routing header.
Syntax:
Use the following syntax to add or delete a DNS spoof protection IP address:
dnsprotect <add | delete> <ipv4 | ipv6> <IP address>
Use the following syntax to reset the list:
dnsprotect resetlist <ipv4 | ipv6 | all>
Parameter   Description
add         Adds a new DNS spoof protection IP address.
delete      Deletes an existing DNS spoof protection IP address.
resetlist   Resets the list of DNS spoof protection IP addresses.
ipv4        The address that follows is an IPv4 address (protection applies to IPv4 packets).
ipv6        The address that follows is an IPv6 address (protection applies to IPv6 packets).
all         With resetlist, resets both the IPv4 and the IPv6 lists.
IP address  The address of the DNS server to protect: with ipv4, a 32-bit dotted-decimal address (X.X.X.X, where each X is a number from 0 to 255); with ipv6, an IPv6 address.
Example:
The following example adds an IPv4 DNS spoof protection address:
dnsprotect add ipv4 157.125.202.255
The following example resets the DNS spoof protection list for both IPv4 and IPv6 addresses:
dnsprotect resetlist all
Applicable to:
M-series and NS-series Sensors.
downloadstatus
Displays the status of various download and upload operations: signature, software image, certificate, and DoS profile downloads (from Manager to Sensor), and DoS profile and debug trace uploads (from Sensor to Manager).
For each operation it also lists the number of times the operation was performed, the status of the previous attempt (including the cause of failure when the operation failed), and the time of the last execution.
This command has no parameters.
Syntax:
downloadstatus
Sample Output:
intruShell@john> downloadstatus
[Download Status]
Signatures Downloaded : 12
Last Signature Download Status : good
Last Signature Download Time (UTC) : 0:19:40, 3/31/2014
Last Signature Download Type : SIGSET + POLICY
Certificates Downloaded : 0
DAT Files Downloaded : 3
Last DAT File Download Status : good
Last DAT File Download Time (UTC) : 23:30:45, 3/30/2014
Software Upgrades : 0
DoS Profile Downloads from Manager : 0
DoS Profile Uploads to Manager : 0
Diagnostic Trace Requests : 0
Guest Portal SSL Cert Downloads from Manager : 0
Guest Portal SSL CSR Uploads to Manager : 0
IBAC AD file Downloads from Manager : 0
IBAC AD file Uploads to Manager : 0
Offline downloads to sensor : 0
Device Profile update count : 0
User Id Acl Bulk File download count : 0
Applicable to:
M-series and NS-series Sensors.
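The sample outputs of checkmanagerconnectivity and downloadstatus share one layout: bracketed section headers followed by "Key : value" lines. The following Python is an added example, not code from the McAfee guide or product. It parses that layout (captured, for instance, from an SSH session to the Sensor) and turns it into findings a monitoring job could alert on: a channel that is not up, an IP connection or trust check that did not pass, or a last signature/DAT download whose status is not good. The two sample strings are constructed from the guide's sample output; the DAT download status of failed is made up to exercise the failure path, and the remediation hints restate the guide's own troubleshooting tips.

```python
"""Parse Sensor CLI status output and flag problems.

Added example, not from the McAfee CLI Guide. Works on the text printed by
checkmanagerconnectivity and downloadstatus and returns findings a
monitoring job could alert on. Sample outputs are constructed.
"""
from __future__ import annotations

import re

# "[Section]" header and "Key : value" line, as seen in the guide's output.
SECTION_RE = re.compile(r"^\s*\[(?P<name>[^\]]+)\]\s*$")
KV_RE = re.compile(r"^\s*(?P<key>[^:\[\]]+?)\s*:\s*(?P<value>.*?)\s*$")

# Constructed from the guide's checkmanagerconnectivity sample (alert channel down).
SAMPLE_CONNECTIVITY = """\
intruShell@john> checkmanagerconnectivity
[Manager Trust]
Trust Established : Yes
[Manager Communications]
IP Connection : Pass
Alert Channel : down
Log Channel : up
Authentication Channel : up
"""

# Constructed from the guide's downloadstatus sample; the DAT status is made up.
SAMPLE_DOWNLOAD = """\
intruShell@john> downloadstatus
[Download Status]
Signatures Downloaded : 12
Last Signature Download Status : good
Last Signature Download Time (UTC) : 0:19:40, 3/31/2014
Last Signature Download Type : SIGSET + POLICY
Certificates Downloaded : 0
DAT Files Downloaded : 3
Last DAT File Download Status : failed
Last DAT File Download Time (UTC) : 23:30:45, 3/30/2014
"""

CHANNELS = ("Alert Channel", "Log Channel", "Authentication Channel")


def parse_kv_sections(text: str) -> dict[str, dict[str, str]]:
    """Return {section: {key: value}}; lines before any header go under ''.

    The echoed prompt line has no ':' and is ignored. Only the first ':' splits
    key from value, so timestamps such as '0:19:40, 3/31/2014' survive intact.
    """
    sections: dict[str, dict[str, str]] = {"": {}}
    current = ""
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name")
            sections.setdefault(current, {})
            continue
        m = KV_RE.match(line)
        if m:
            sections[current][m.group("key")] = m.group("value")
    return sections


def manager_connectivity_findings(text: str) -> list[str]:
    """Findings from checkmanagerconnectivity output; empty list means healthy."""
    s = parse_kv_sections(text)
    trust = s.get("Manager Trust", {})
    comms = s.get("Manager Communications", {})
    findings = []
    if trust.get("Trust Established", "").lower() != "yes":
        findings.append("trust with the Manager is not established")
    if comms.get("IP Connection", "").lower() != "pass":
        findings.append("IP connection to the Manager did not pass")
    down = [c for c in CHANNELS if comms.get(c, "").lower() != "up"]
    if down:
        findings.append("channels down: " + ", ".join(down)
                        + " (try disconnectalertandpktlogchannels then"
                        " reconnectalertandpktlogchannels)")
    return findings


def download_findings(text: str) -> list[str]:
    """Findings from downloadstatus output: failed or never-run content updates."""
    s = parse_kv_sections(text).get("Download Status", {})
    findings = []
    for what in ("Signature", "DAT File"):
        status = s.get(f"Last {what} Download Status", "")
        if status and status.lower() != "good":
            findings.append(f"last {what} download status is {status!r}")
    if s.get("Signatures Downloaded", "0") == "0":
        findings.append("no signature set has ever been downloaded")
    return findings


if __name__ == "__main__":
    for f in manager_connectivity_findings(SAMPLE_CONNECTIVITY) + download_findings(SAMPLE_DOWNLOAD):
        print("FINDING:", f)
```

Both finding functions return plain lists, so a scheduled job can run the two commands over SSH, feed the captured text in, and raise a ticket on any non-empty result rather than having an operator read the Sensor output by eye.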
exit
Exits the CLI.
This command has no parameters.
Syntax:
exit
Applicable to:
M-series and NS-series Sensors, and NTBA Appliances.
exportsensorcerts
Writes the Sensor certificates to an external flash device. This command exports the certificates that establish trust between the Sensor and the Manager: the Manager public key, the Sensor private key, and the Sensor public key. Because the export contains the Sensor private key, whoever holds the flash device holds the key material on which the Sensor's trust with the Manager rests; keep it under the same controls as the Sensor itself and erase it once the certificates have been imported on the target.
This command does not apply to I-1200 and I-1400 Sensors. This command has no parameters.
Syntax:
exportsensorcerts
On executing the command, the following messages are displayed:
This will delete all the data from Flash and reformat. Proceed?
Please enter Y to confirm:
Applicable to:
M-series and NS-series Sensors.
See also
importsensorcerts on page 49
show ssl config on page 137
show ssl stats on page 138
factorydefaults
Wipes all settings, certificates, and signatures, from the Sensor, clearing it to blank settings. This
command does not appear when you type ? or commands, nor does the auto-complete function apply
to this command. You must type the command in full to execute it.
This command has no parameters.
You are warned that the operation will clear the Sensor and you must confirm the action. The warning
occurs since the Sensor returns to its clean, pre-configured state, thus losing all current configuration
settings.
Syntax:
factorydefaults
On executing the command the following messages are displayed for an NTBA Appliance:
Are you sure you want to reset NTBA to factory defaults?
WARNING: All existing configuration and data will be lost.
Please enter Y to confirm: y
Step 1 of 3: Removing trust with Network Security Manager
Network Security Manager trust is removed.
Step 2 of 3: Resetting the NTBA database to factory defaults. This will take few
minutes.
Stopping all services.
Formatting NTBA database partitions. This will take several minutes depending on the
disk size.
Creating fresh databases.
Resetting NTBA configurations.
The NTBA configuration and signature files are reset to default.
Step 3 of 3: Rebooting the NTBA appliance. After the reboot, log in to complete the
NTBA setup.
Broadcast message from root (Thu Feb 27 11:57:26 2014):
The system is going down for reboot NOW!
Applicable to:
M-series and NS-series Sensors, and NTBA Appliances.
Errors while running factorydefaults
The following error and progress messages might appear while you run this command:
• An error occurred while stopping the database events. Restart the appliance or VM and rerun factorydefaults.
• An error occurred while trying to disable database events. Restart the appliance or VM and rerun factorydefaults.
• An error occurred while stopping the database processes. Restart the appliance or VM and rerun factorydefaults.
• An error occurred while disabling the database processes. Restart the appliance or VM and rerun factorydefaults.
• The NTBA database service is still up. Sending a termination signal.
• The NTBA database service is still up. Sending a kill signal.
• The NTBA database service can't be stopped. Restart the appliance or VM and rerun factorydefaults.
• Formatting the NTBA database partitions. This will take several minutes depending on the disk size.
• Dropping NTBA databases failed. Restart the appliance or VM and rerun factorydefaults.
• Formatting NTBA database partitions failed. Restart the appliance or VM and rerun factorydefaults.
• Creating fresh databases
• Mounting NTBA database partitions failed. Restart the appliance or VM and rerun factorydefaults.
• Installing the NTBA database engine failed. Restart the appliance or VM and rerun factorydefaults.
• Installing the NTBA databases failed. Restart the appliance or VM and rerun factorydefaults.
• Resetting NTBA configurations
• Verifying software image on the appliance or VM failed. Load the correct NTBA software image and rerun factorydefaults.
• Extracting the tar file failed. Load the correct NTBA software image and rerun factorydefaults.
• Checking consistency of software image on the appliance or VM failed. Load the correct NTBA software image and rerun factorydefaults.
• Retrieving package from the software image failed. Load the correct NTBA software image and rerun factorydefaults.
• NTBA configuration and signature files are reset to default.
failovermode forward-peer-stp
Configures the forwarding of the STP packets to the remote standby Sensor during a Sensor failover.
When the active Sensor fails or is temporarily shut down, the STP packets get forwarded to the
standby Sensor via the failover link.
Syntax:
failovermode forward-peer-stp <enable | disable>
Parameter   Description
enable      Enables the forwarding of STP packets to the remote standby Sensor.
disable     Disables the forwarding of STP packets to the remote standby Sensor.
Applicable to:
M-series and NS-series Sensors.
fwdump acl
Displays the configured firewall rules.
Syntax:
fwdump acl (0 | 1) (fileName | NULL)
Example:
intruShell@john-3050> fwdump acl 0 NULL
Dumping FW Table @ Index 0 into (null)
intruShell@john-3050> fwdump acl 1 NULL
Dumping FW Table @ Index 1 into (null)
intruShell@john-3050> fwdump acl 1 test
Dumping FW Table @ Index 1 into test
Applicable to:
M-series and NS-series Sensors.
guest-portal
Installs, de-installs, starts, stops, or shows the status of the guest portal web server on the Sensor.
Syntax:
guest-portal <install | de-install | start | stop | status>
Parameter   Description
install     Installs the guest portal web server on the Sensor.
de-install  De-installs the guest portal web server on the Sensor.
start       Starts the guest portal web server on the Sensor.
stop        Stops the guest portal web server on the Sensor.
status      Displays the status of the guest portal web server on the Sensor.
Example:
The following example shows the guest-portal command used for stopping the web server on the
Sensor.
guest-portal stop
Applicable to:
M-series Sensors only.
help
Provides a description of the interactive help system.
This command has no parameters.
Syntax:
help
Sample Output:
intruShell@john> help or ntbaSensor@vNTBA> help
If nothing matches, the help list will be empty and you must backup until entering a
'?' shows the available options.
Two styles of help are provided:
1. Full help is available when you are ready to enter a command argument (e.g.
'set ?') and describes each possible argument.
2. Partial help is provided when an abbreviated argument is entered and you want to
know what arguments match the input (e.g. 'set em?'.)
Applicable to:
M-series and NS-series Sensors, and NTBA Appliances.
host-vlan
Enables or disables host-vlan.
Syntax:
host-vlan <enable | disable>
Parameter
Description
enable
enables host vlan
disable
disables host vlan
Applicable to:
M-series and NS-series Sensors, and NTBA Appliances.
See also
show host-vlan on page 314
importsensorcerts
Imports Sensor certificates from an external flash. This command imports the certificates, which
establish trust between the Sensor and the Manager. These certificates include the Manager public
key, Sensor private key, and Sensor public key.
This command does not apply to I-1200 and I-1400 Sensors. This command has no parameters.
Syntax:
importsensorcerts
Applicable to:
M-series and NS-series Sensors.
See also
exportsensorcerts on page 44
show ssl config on page 137
show ssl stats on page 138
increasemgmtprocessing
This command increases the Sensor management path processing capability and can be used with
advanced malware protection.
Syntax:
increasemgmtprocessing <enable|disable|status>
Sample output:
intruShell@jake> increasemgmtprocessing enable
Configuration data updated successfully, please reboot the sensor
intruShell@jake> increasemgmtprocessing status
Current increasemgmtprocessing status: Disabled
Updated increasemgmtprocessing status: Disabled
Applicable to:
M-series Sensors only.
ipreassembly timeout forward
The Sensor receives fragmented packets and holds the fragments until all of them arrive or the fragment timer expires. When the timer expires (the default value is 2 minutes), the fragments are dropped.
This command configures the Sensor to forward such fragments instead of dropping them. Fragments forwarded this way were never reassembled, so the Sensor could not inspect the payload they carry; enable this only where dropping incomplete fragment sets is known to break legitimate traffic.
Syntax:
ipreassembly timeout forward <enable|disable>
This configuration is persisted across Sensor reboots.
Parameter   Description
enable      Forwards fragments whose reassembly timer has expired instead of dropping them.
disable     Drops fragments whose reassembly timer has expired (the default behavior).
ipreassembly timeout forward status
Displays the status of the ipreassembly timeout forward (enabled or disabled).
Sample Output:
intruShell@john> ipreassembly timeout forward enable
IP Reassembly timeout forward : ENABLED
IPv4 Reassembly timeout frag forward count : 0
IPv6 Reassembly timeout frag forward count : 0
Applicable to:
M-series and NS-series Sensors.
latency-monitor
Disables the latency monitoring feature or displays the status of latency monitoring feature.
Syntax:
latency-monitor <disable | status>
Default Value:
Latency monitoring feature is disabled by default. If disabled, latency monitoring feature does not
generate any alert nor forward the traffic to layer2 when high latency is observed.
latency-monitor status
If latency monitoring is enabled, the following information is displayed.
•
latency monitoring status (enable or disable)
•
configured action (alert-only or layer2-forward)
Sample Output:
intruShell@john> latency-monitor status
latency monitor : Enable
action : alert
restore inline from layer2 : disable
sensitivity Level : low
Unknown-protocol Packets Forwarded Percentage : 0.000000
Unknown-protocol Packets Forwarded Count : 0
Percentage of Packets Forwarded under Latency : 0.000000
Applicable to:
M-series and NS-series Sensors.
latency-monitor enable action
Enables latency monitoring feature in the Sensor and also specifies the action to be performed if high
latency is observed in the Sensor.
The following actions can be specified in this command:
• alert-only: generates an alert when high latency is observed in the Sensor.
• put-in-layer2: generates an alert and also forwards the traffic at layer 2.
The generated alerts can be seen in the status tab in the Manager.
Syntax:
latency-monitor enable action <alert-only | put-in-layer2>
This command must be executed with a parameter value; otherwise, the command is treated as invalid.
If the put-in-layer2 action is configured, layer2 mode must be set to on; otherwise the put-in-layer2 action is not executed. While the Sensor is in layer 2, traffic passes through without inspection, so this action trades detection for availability; alert-only keeps inspection in place.
Example:
latency-monitor enable action alert-only
Applicable to:
M-series and NS-series Sensors.
See also
latency-monitor on page 50
layer2 mode on page 176
latency-monitor restore-inline
When a high latency is observed on the Sensor and the latency monitor is configured, the Sensor
remains in layer 2 until a layer 2 deassert is invoked or a Sensor reboots. This command allows the
Sensor to come out of layer2 mode without layer 2 deassert. The Sensor restores to inline from layer
2 if the following conditions are met:
•
The latency monitor has put the Sensor in layer2 mode.
•
The Sensor is in good health. If the Sensor is in bad health, a deassert cannot be performed and
the Sensor reboots.
•
The configured time has elapsed since the Sensor went into layer 2 because of latency. The default time to trigger an automatic layer 2 deassert is 10 minutes.
If the latency continues to exist after the Sensor is restored to inline mode, the Sensor behaves as per
the current setting of the latency monitor.
Syntax:
latency-monitor restore-inline enable <10-60>
latency-monitor restore-inline disable
Parameter   Description
<10-60>     The time, in minutes, after which the Sensor is restored inline from layer 2. It is counted from the time the Sensor moved into the layer 2 state because of high latency.
The latency-monitor status command displays the current status of the latency monitor feature, as
well as the current status of the restore-inline feature of the latency monitor.
Applicable to:
M-series and NS-series Sensors.
latency-monitor sensitivity-level
Configures the sensitivity level for latency management.
Syntax:
latency-monitor sensitivity-level high
latency-monitor sensitivity-level medium
latency-monitor sensitivity-level low
Applicable to:
M-series and NS-series Sensors.
loadconfiguration
Loads the Sensor configuration from the configured TFTP/SCP server. The TFTP/SCP server IP address is specified on the Sensor. When the Sensor is added to the Manager, the configuration type should be specified as offline.
Syntax:
loadconfiguration WORD
loadconfiguration tftp WORD
loadconfiguration scp WORD
where WORD stands for the name of the configuration file on the TFTP/SCP server.
Note the following:
•
When loading Sensor configuration from the SCP server, you are prompted for the SCP server
credentials (username and password). The command succeeds only on providing the correct SCP
server credentials.
•
When loading Sensor configuration from the SCP server the pathname of the file should be
absolute; when loading from the configured TFTP server the pathname of the file should be relative
to /tftpboot.
•
The functionality of loadconfiguration tftp WORD is the same as loadconfiguration WORD.
Applicable to:
M-series and NS-series Sensors.
loadimage
Loads a Sensor image file from the configured TFTP/SCP server.
Syntax:
loadimage WORD
loadimage tftp WORD
loadimage scp WORD
where WORD stands for the name of the image file on the TFTP/SCP server.
Note the following:
•
When loading a Sensor image file from the SCP server, you are prompted for the SCP server
credentials (username and password). The command succeeds only on providing the correct SCP
server credentials.
•
When loading a Sensor image file from the SCP server the pathname of the file should be absolute;
when loading from the TFTP server the pathname of the file should be relative to /tftpboot.
•
The functionality of loadimage tftp WORD is the same as loadimage WORD.
•
TFTP provides no authentication or integrity protection for the transfer, so an image loaded over
TFTP is only as trustworthy as the TFTP server and the network path to it. Use the scp form where
possible.
Applicable to:
M-series and NS-series Sensors.
See also
set tftpserver ip on page 87
loadsavedimage
Loads the Sensor image of the specified version (WORD) from the archive on the SSD and makes it the
next bootable image. If this is an image downgrade, you must issue the resetconfig command.
Syntax:
loadsavedimage WORD
Applicable to:
NS-series Sensors only.
logmacstat
Prints the MAC statistics counted by the Sensor NPU to the Sensor log file. This command is used only
for troubleshooting purposes in conjunction with Technical Support.
This command has no parameters.
Syntax:
logmacstat
Applicable to:
I-3000 and I-4010 Sensors only.
See also
logstat on page 54
lognpumacstat on page 54
macstat on page 55
npumacstat on page 55
traceupload on page 150
lognpumacstat
Prints the MAC statistics at the switch to the Sensor log file. This command is used only for
troubleshooting purposes in conjunction with Technical Support.
This command has no parameters.
Syntax:
lognpumacstat
See also
logstat on page 54
logmacstat on page 54
macstat on page 55
npumacstat on page 55
traceupload on page 150
logstat
Logs certain internal statistics of the Sensor which you can supply to Technical Support using the
Manager's Diagnostics Trace feature. This command is used only for troubleshooting purposes in
conjunction with the Technical Support.
Syntax:
logstat <all | datapath | mgmt | dos>
Parameter
Description
all
displays all the debug statistics
datapath
displays the debug statistics for datapath
mgmt
displays the debug statistics for management processor
dos
displays the debug statistics for dos
Sample Output:
intruShell@john> logstat all
Logstat run:0
Mgmt debug statistics logged
Applicable to:
M-series and NS-series Sensors.
See also
traceupload on page 150
logmacstat on page 54
macstat on page 55
npumacstat on page 55
macstat
Prints the MAC statistics counted by the Sensor NPU to the console. This command is used only for
troubleshooting purposes in conjunction with Technical Support.
This command has no parameters.
Syntax:
macstat
Applicable to:
I-3000 and I-4010 Sensors only.
See also
logstat on page 54
logmacstat on page 54
lognpumacstat on page 54
npumacstat on page 55
npumacstat
Prints the MAC statistics at the switch to the console. This command is used only for troubleshooting
purposes in conjunction with Technical Support.
This command has no parameters.
Syntax:
npumacstat
See also
logstat on page 54
logmacstat on page 54
lognpumacstat on page 54
macstat on page 55
ntbastat
Displays the Sensor datapath statistics related to NTBA.
Syntax:
ntbastat [<0-128>] [<0-128>]
Sample Output:
intruShell@john> ntbastat 15 15
Total netflows created : 0
Templates created : 0
TCP netflows created : 0
UDP netflows created : 0
ICMP netflows created : 0
Total netflows sent : 0
Templates sent : 0
Netflows sent via ring buffer : 0
Total active netflows : 0
Total free netflow buffers : 1000
Multiple netflows count : 0
Total Dcap L7 fields counts : 0
In case of netflow errors, you can see these details:
Total netflows not sent : 0
Erroneous netflows deleted and not sent : 0
Netflows deleted due to other errors and not sent : 0
Applicable to:
M-series and NS-series Sensors.
ping
Sends ICMP echo requests from the Sensor to a network host. You can specify either an IPv4 or an IPv6
address. The command returns a response with the following values:
Value
Description
icmp_seq
sequence number of the echo request, starting at 1
ttl
time-to-live value carried in the echo reply; it is decremented by one at each router hop between the
host and the Sensor
time taken
the round-trip time for that echo request
packets transmitted
number of echo requests sent during the ping
packets received
number of echo replies received during the ping
packet loss
percentage of echo requests that received no reply during the execution of the command
rtt min/avg/max
minimum, average and maximum round-trip time across the ping cycle
Syntax:
ping <A.B.C.D | A:B:C:D:E:F:G:H> [-c <1-100>]
Parameter
Description
<A.B.C.D>
denotes the 32-bit IPv4 address written as four eight-bit numbers separated by
periods. Each number (A, B, C or D) is between 0 and 255.
<A:B:C:D:E:F:G:H> denotes the 128-bit IPv6 address written as eight groups of four hexadecimal
digits, separated by colons. Each group (A, B, C, D and so on) is a value between
0000 and FFFF.
-c <1-100>
denotes the number of echo requests to send. This is optional; if it is omitted, a single
request is sent.
Sample Output:
•
For a Sensor, the output is as shown:
intruShell@NSP4050> ping 172.16.100.100
PING 172.16.100.100 with 32[60] bytes of data
40 bytes from host 172.16.100.100: icmp_seq=1 ttl=64 time taken 0.30 msec
--- 172.16.100.100 ping statistics --- 1 packets transmitted, 1 received, 0% packet
loss, time 0.30ms
rtt min/avg/max = 0.30/0.30/0.30 msec
•
For an NTBA Appliance the output is as shown:
ntbaSensor@vNTBA> ping 172.16.100.100
host 172.16.100.100 is alive
•
For a Sensor, when multiple echo requests are sent with -c, the output is as shown:
intruShell@NSP4050> ping 172.16.100.100 -c 3
PING 172.16.100.100 with 32[60] bytes of data
40 bytes from host 172.16.100.100: icmp_seq=1 ttl=64 time taken 0.41 msec
40 bytes from host 172.16.100.100: icmp_seq=2 ttl=64 time taken 0.20 msec
40 bytes from host 172.16.100.100: icmp_seq=3 ttl=64 time taken 0.19 msec
--- 172.16.100.100 ping statistics --- 3 packets transmitted, 3 received, 0% packet
loss, time 0.80ms
rtt min/avg/max = 0.19/0.26/0.41 msec
Example:
The following command pings an IPv6 address written as eight groups of four hexadecimal digits.
ping 2001:0db8:8a2e:0000:0000:0000:0000:0111
Applicable to:
M-series and NS-series, and NTBA Appliances.
quit
Exits the command line interface.
This command has no parameters.
Syntax:
quit
Applicable to:
M-series and NS-series, and NTBA Appliances.
raidrepair
Repairs the RAID1 component SSD exhibiting a fault.
Specify current to repair the faulty SSD in place. If it cannot be repaired, replace the faulty SSD and
specify new to restore RAID1 by synchronizing the replacement SSD with the healthy SSD.
ssd0 or ssd1 identifies the SSD being repaired (current) or the new replacement (new).
SSD0 is located in the upper bay of the chassis and SSD1 in the lower bay.
RAID is not supported on NS7x00 Sensors.
Syntax:
raidrepair <new|current> <ssd0|ssd1>
Applicable to:
NS-series (NS9300, NS9200, and NS9100) Sensors only.
reboot
Reboots the device. You must confirm that you want to reboot the device. If hitless reboot is currently
available for the device, then you are prompted to enter 'h' for hitless and 'y' for a full reboot. Use the
status command to know if the hitless reboot option is currently available for the device.
In case of a full reboot, all the processes of a device are restarted. So, there is a break in the device's
function until it comes up again. In case of hitless reboot, only the required processes are restarted. For
more information on hitless reboot, see McAfee Network Security Platform IPS Administration Guide.
Syntax:
reboot
On executing the command the following messages are displayed:
•
For Sensor, the output is as shown:
intruShell@john> reboot
Please enter Y to confirm: y
rebooting the Sensor...
Broadcast message from root (Fri Mar 29 05:45:14 2014):
The system is going down for reboot NOW!
•
For an NTBA Appliance, the output is as shown:
ntbaSensor@vNTBA> reboot
Please enter Y to confirm: y
rebooting the NTBA Appliance ...
Broadcast message from root (Fri Mar 28 06:30:14 2014):
The system is going down for reboot NOW!
Applicable to:
M-series and NS-series, and NTBA Appliances.
reconnectalertandpktlogchannels
Re-establishes the alert and packet log channel connection between the Sensor and Manager after it
has been broken by the disconnectalertandpktlogchannels command. The connection can only be
re-established while the trust between the Sensor and Manager is intact. For example, deinstall breaks
trust as well as disconnecting the alert and packet log channels; once the certificates establishing trust
between the Sensor and Manager have been cleared, issuing reconnectalertandpktlogchannels does
not re-establish connectivity.
This command has no parameters.
Syntax:
reconnectalertandpktlogchannels
On executing the command, the following message is displayed:
this will take a couple of seconds , please check status on CLI
Applicable to:
M-series and NS-series Sensors.
See also
disconnectalertandpktlogchannels on page 41
deinstall on page 260
rescuedisk
The rescuedisk command must be executed only during an actual Sensor rescue procedure. This
command reformats the SSD and loads the specified rescue image from the internal flash device onto
the SSD. This becomes the next bootable image.
Do not execute this command when the Sensor is in good health.
Syntax:
rescuedisk <rescue image>
You can find the rescue images using show rescueimages command.
Sample Output:
WARNING ... THIS COMMAND WILL REFORMAT YOUR SSD ..?
Please enter Y to confirm:
Applicable to:
M-series and NS-series Sensors.
For M-series Sensors, you can execute this command only after inserting an external flash drive into the
Sensor at the time it boots up. In normal mode, executing this command displays a "There is no
matched command" error.
resetconfig
Resets all configuration values to their defaults. It deletes or resets values as described in the
following table. This command causes an automatic reboot of the Sensor. You must confirm that you
want to reboot the Sensor.
Deleted Values
• Manager address (and secondary interface's IP address, if configured). This can be an IPv4 or IPv6
address.
• Certificates establishing trust between Sensor and Manager (shared key value)
• Signatures
• TFTP server IP address (IPv4 or IPv6 address)
• SCP server IP address (IPv4 or IPv6 address)
• DoS profile files (learned DoS behavior)
• SSL Key
• Exception Object
• ACL
• Advanced Setting
Values Reset to Defaults
• Monitoring and Response port settings
• Management port settings
• Manager Alert port value
• Manager Log port value
• Manager Install port value
This command has no parameters.
Syntax:
resetconfig
Applicable to:
M-series and NS-Series Sensors.
secureerase
The secureerase command ensures that all data stored on the internal flash is erased and made
inaccessible by reformatting the internal flash and rewriting it with random data.
This command has no parameters.
Syntax:
secureerase
The following prompt appears to confirm the erase.
WARNING: This command will erase all content and make the sensor inaccessible.
You must install a new image(via netboot or external rescueflash) to
reuse this sensor again.
Do you really want to proceed? Enter 'y' to proceed or 'n' to stop:
If you enter Y, the data erase continues.
Applicable to:
M-series and NS-series Sensors.
sensor perf-debug
Activates the performance debugging on the Sensor for a specified time.
Syntax:
sensor perf-debug <time in minutes>
Parameter
Description
<time in minutes>
denotes the number of minutes for which performance debugging stays active on the Sensor.
Applicable to:
M-series and NS-series Sensors.
sensor perf-debug off
Deactivates performance debugging on the Sensor. This command does not clear the temporary
performance debug statistics that were created; it only turns off debugging, and the Sensor switches
back to normal processing mode.
This command has no parameters.
Syntax:
sensor perf-debug off
Applicable to:
M-series and NS-series Sensors.
sensor perf-debug status
Displays the status of the performance debug.
This command has no parameters.
Syntax:
sensor perf-debug status
Sample Output:
intruShell@john> sensor perf-debug status
perf-debug status : on
Applicable to:
M-series and NS-series Sensors.
sensor-datapath-stat-analysis log
Logs the analysis of various Sensor datapath statistics into the Sensor log file.
Syntax:
sensor-datapath-stat-analysis log
Applicable to:
M-series and NS-series Sensors.
sensor-datapath-stat-analysis show
Displays the analysis of various Sensor datapath statistics.
Syntax:
sensor-datapath-stat-analysis show
Sample Output:
intruShell@john> sensor-datapath-stat-analysis show
Total pkts received :32130
Total TCP pkts :29682
Total UDP pkts :2430
Total non TCP/UDP pkts :18
Total fragments :0
Total duplicate fragments :0
Total attack detected :7
Total alert generated :8
Total alerts dropped without response :0
Total alerts dropped because of filter setting :0
Total logs sent :9
Total pkts matching L3/L4 UDS :0
Policy Ruleset on Sensor :Default Inline IPS
**Analysis of the statistics**
Attack dropped without response action :0.0000%
Attack dropped because of filter setting :0.0000%
Traffic detected with attack :0.0218%
Fragmented traffic :0.0000%
TCP Traffic :92.3810%
UDP Traffic :7.5630%
Non TCP/UDP Traffic :0.0560%
Traffic matching L3/L4 UDS :0.0000%
Count of fragments is ZERO
Percentage of logs to alerts sent :112.5000%
Snort signature support enabled
Applicable to:
M-series and NS-series Sensors.
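The analysis block in the sample output above is derived from the raw counters that precede it. The following Python is an added example, not Sensor code and not part of this guide: it parses the sample output quoted above (embedded here as a constructed string so it runs offline) and recomputes each percentage from the counters, so a copy of the output pasted from a Sensor can be checked for consistency. The choice of denominators (packet ratios over total packets received, dropped alerts over attacks detected, logs over alerts generated) is an assumption inferred from the numbers on the page.

```python
import re

# Constructed sample: the `sensor-datapath-stat-analysis show` output quoted in
# this guide, embedded so the example runs without a Sensor.
SAMPLE_OUTPUT = """\
Total pkts received :32130
Total TCP pkts :29682
Total UDP pkts :2430
Total non TCP/UDP pkts :18
Total fragments :0
Total duplicate fragments :0
Total attack detected :7
Total alert generated :8
Total alerts dropped without response :0
Total alerts dropped because of filter setting :0
Total logs sent :9
Total pkts matching L3/L4 UDS :0
Policy Ruleset on Sensor :Default Inline IPS
**Analysis of the statistics**
Attack dropped without response action :0.0000%
Attack dropped because of filter setting :0.0000%
Traffic detected with attack :0.0218%
Fragmented traffic :0.0000%
TCP Traffic :92.3810%
UDP Traffic :7.5630%
Non TCP/UDP Traffic :0.0560%
Traffic matching L3/L4 UDS :0.0000%
Count of fragments is ZERO
Percentage of logs to alerts sent :112.5000%
Snort signature support enabled
"""

LINE_RE = re.compile(r"^(?P<name>[^:]+?)\s*:\s*(?P<value>.+?)\s*$")

def parse_stats(text):
    """Split the CLI output into integer counters, the Sensor's own percentage
    lines, and everything else (banner, free-text notes, the ruleset name),
    so that nothing is silently dropped."""
    counters, percentages, notes = {}, {}, []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            notes.append(line.strip())
            continue
        name, value = m.group("name"), m.group("value")
        if value.endswith("%"):
            percentages[name] = float(value[:-1])
        elif value.isdigit():
            counters[name] = int(value)
        else:
            notes.append(f"{name}: {value}")
    return counters, percentages, notes

def pct(numerator, denominator):
    """Percentage with a zero-safe denominator (a Sensor with no attacks yet)."""
    return 0.0 if denominator == 0 else 100.0 * numerator / denominator

def recompute_analysis(counters):
    """Derive the analysis block from the raw counters.  Denominators are an
    assumption inferred from the numbers on the page."""
    total = counters["Total pkts received"]
    attacks = counters["Total attack detected"]
    alerts = counters["Total alert generated"]
    return {
        "Attack dropped without response action": pct(counters["Total alerts dropped without response"], attacks),
        "Attack dropped because of filter setting": pct(counters["Total alerts dropped because of filter setting"], attacks),
        "Traffic detected with attack": pct(attacks, total),
        "Fragmented traffic": pct(counters["Total fragments"], total),
        "TCP Traffic": pct(counters["Total TCP pkts"], total),
        "UDP Traffic": pct(counters["Total UDP pkts"], total),
        "Non TCP/UDP Traffic": pct(counters["Total non TCP/UDP pkts"], total),
        "Traffic matching L3/L4 UDS": pct(counters["Total pkts matching L3/L4 UDS"], total),
        "Percentage of logs to alerts sent": pct(counters["Total logs sent"], alerts),
    }

def check_analysis(text, tolerance=0.0001):
    """Return (name, printed, recomputed) for every analysis line whose printed
    percentage disagrees with the counters; an empty list means consistent.
    The Sensor prints four decimals, so the tolerance absorbs its rounding."""
    counters, printed, _ = parse_stats(text)
    mismatches = []
    for name, value in recompute_analysis(counters).items():
        if name not in printed:
            mismatches.append((name, None, round(value, 4)))
        elif abs(printed[name] - value) > tolerance:
            mismatches.append((name, printed[name], round(value, 4)))
    return mismatches

if __name__ == "__main__":
    print(check_analysis(SAMPLE_OUTPUT))   # [] for the output quoted in the guide
```

Run against the page's own sample the check reports no mismatches; a line that does not follow from the counters (for example a percentage edited in a pasted support log) comes back as a tuple naming the line, the printed value and the recomputed one.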
sensordroppktevent
Enables or disables the monitoring of Sensor load. Whenever the Sensor is overloaded and drops a
large number of packets, a system fault is raised in the Manager.
Syntax:
sensordroppktevent <disable | enable>
Parameter Description
<disable>
disables the monitoring of Sensor load.
<enable>
enables the monitoring of Sensor load. When Sensor load monitoring is enabled, a critical fault
"Sensor Dropping Packets Internally" is displayed in the Manager's System Health page if the Sensor
drops packets continuously for 9 seconds or more. If the packet drop continues, another system fault
is generated after every minute. Network Security Platform raises subsequent faults only if the
packet loss is continuously present for the entire minute.
Default Value:
Disabled
Applicable to:
M-series, NS-series, and Virtual IPS Sensors. For Virtual Security System instances, this command is
available in debug mode.
See also
show sensordroppktevent status on page 135
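The fault timing described under <enable> can be modelled to see when faults would be raised for a given drop pattern. The following Python is an added example, not Sensor code: it takes a constructed per-second series of "packets dropped this second" values and returns the seconds at which a fault would fire, using the 9-second initial threshold and the one-minute repeat from the description. That the repeat interval is measured from the previous fault, and that any second without drops ends the run, are assumptions.

```python
# Added example (not Sensor code): when would "Sensor Dropping Packets
# Internally" faults fire for a given per-second drop pattern?

INITIAL_FAULT_SECONDS = 9    # guide: continuous drops for 9 seconds or more
REPEAT_FAULT_SECONDS = 60    # guide: a further fault after every full minute of drops

def drop_faults(drops_per_second, initial=INITIAL_FAULT_SECONDS, repeat=REPEAT_FAULT_SECONDS):
    """Return the 1-based second offsets at which a fault would be raised.

    drops_per_second: iterable of per-second values, truthy when the Sensor
    dropped packets during that second (bool flags or raw drop counts).
    Assumptions: the repeat interval is measured from the previous fault, and
    any second without drops ends the run, so after a gap a fresh 9-second run
    is needed before the minute-by-minute faults resume.
    """
    faults = []
    run = 0                 # seconds in the current uninterrupted run of drops
    last_fault_run = None   # run length at which the most recent fault fired
    for second, dropped in enumerate(drops_per_second, start=1):
        if not dropped:
            run, last_fault_run = 0, None
            continue
        run += 1
        if last_fault_run is None:
            if run >= initial:                      # first fault of this run
                faults.append(second)
                last_fault_run = run
        elif run - last_fault_run >= repeat:        # a full minute since the last fault
            faults.append(second)
            last_fault_run = run
    return faults

def series(*segments):
    """Build a constructed per-second series from (seconds, dropped) segments,
    e.g. series((8, True), (1, False), (9, True))."""
    out = []
    for seconds, dropped in segments:
        out.extend([dropped] * seconds)
    return out

if __name__ == "__main__":
    # 39 s of drops, one clean second, then 9 s of drops: faults at 9 and 49,
    # but none at 69 because the loss was not continuous for the whole minute.
    print(drop_faults(series((39, True), (1, False), (9, True))))
```

The last scenario is the one worth noticing operationally: a single clean second resets the minute, so intermittent loss produces far fewer faults than sustained loss of the same total size.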
set
The set command is used to configure the Sensor's name and network information.
Syntax:
set <command> <value>
The set commands and their values are described individually.
set auditlog
Configures the audit log feature on the Sensor.
Syntax:
set auditlog <enable | disable>
where: <enable> allows the audit log feature to record system events.
<disable> stops the audit log feature from recording system events.
Default Value:
enable
Example:
set auditlog enable
Applicable to:
M-series and NS-series Sensors.
See also
auditlogupload on page 37
show auditlog on page 99
show auditlog status on page 100
set autorecovery
Enables or disables the auto recovery feature when layer2 mode is enabled. You can execute this
command only if layer2 mode is on. When layer2 mode is off, auto recovery is always disabled.
You can disable the auto recovery feature for debugging purposes. With auto recovery disabled, the
Sensor does not perform auto recovery and remains in layer2.
SSL decryption is not supported if auto recovery is enabled.
Syntax:
set autorecovery <enable|disable>
If you disable auto recovery, it remains disabled even after disabling and re-enabling layer2 mode. To
view the status of auto recovery, execute the show autorecovery status command.
Default Value:
enable
Applicable to:
M-Series and NS-Series Sensors.
Auto-recovery is supported on M-3050, M-4050, M-6050, and M-8000 Sensors. On Sensor models
M-1250, M-1450, M-2850, M-2950, auto-recovery is supported only for certain modules. Auto-recovery
is not applicable for Virtual IPS Sensors.
See also
show autorecovery status on page 100
layer2 mode on page 176
set auxport
Configures the auxiliary port status.
Syntax:
set auxport enable
set auxport disable
Applicable to:
M-series and NS-series Sensors.
set console timeout
Specifies the number of minutes of inactivity that may pass before the console connection times out.
Syntax:
set console timeout <0-1440>
Parameter
Description
<0-1440>
an integer between 0 (never) and 1440 (24 hours). A value of 0 disables the timeout, so an idle
console session never expires; keep a non-zero value on production Sensors.
Example:
set console timeout 60
Default Value:
15 (15 minutes)
Applicable to:
M-series and NS-series Sensors.
set debugmode passwd
Configures the CLI Debug mode password.
Syntax:
set debugmode passwd
On executing the command, the following messages are displayed:
Please enter new password:
Please Re-enter new password:
Password successfully changed
Example:
intruShell@john> set debugmode passwd
Please enter new password:
Please Re-enter new password:
Password successfully changed
Applicable to:
M-series and NS-series Sensors.
set dospreventionseverity
Sets the severity for the specified denial-of-service profile. Increasing the DoS prevention severity
increases the number of DoS packets dropped.
Syntax:
set dospreventionseverity <dos-measure-name> <inbound | outbound> <0-200>
Parameter
Description
<dos-measure-name> the DoS measure to adjust, one of: tcp-syn, tcp-syn-ack, tcp-fin, tcp-rst, udp,
icmp-echo, icmp-echo-reply, icmp-non-echo-reply, ip-fragment, non-tcp-udp-icmp
<inbound>
sets the direction to inbound
<outbound>
sets the direction to outbound
<0-200>
sets the DoS prevention severity
Example:
set dospreventionseverity tcp-syn-ack outbound 100
Default Value:
30
Applicable to:
M-Series and NS-Series Sensors.
See also
show dospreventionseverity on page 104
show dospreventionprofile on page 103
set dnsprotect
Sets the DNS protection mode.
Syntax:
set dnsprotect <inbound | inbound-outbound | ip-based | off | outbound>
Parameter
Description
<inbound>
sets the DNS protection mode to 'inbound'
<inbound-outbound>
sets the DNS protection mode to 'inbound-outbound'
<ip-based>
sets the DNS protection mode to 'ip-based'
<off>
turns off the DNS protection mode
<outbound>
sets the DNS protection mode to 'outbound'
Applicable to:
M-series and NS-series Sensors.
set flowvolumelimit enable <threshold>
This command reports connections with a high volume of data transfer, for both inbound and outbound
connections. Once a threshold for the flow volume is configured, connections whose data transfer
exceeds the configured threshold are reported using the alert "Flow with high volume has been
detected". Use this command to enable the flow volume limit for both the inbound and outbound
directions.
Syntax:
set flowvolumelimit enable <threshold>
Parameter:
Parameter
Description
threshold
The valid range of values for flow volume limit is from 1 to 8192 MB.
Applicable to:
M-series and NS-series Sensors.
set flowvolumelimit disable
Use this command to disable the flow volume limit for both inbound and outbound direction.
Syntax:
set flowvolumelimit disable
Applicable to:
M-series and NS-series Sensors.
set gigfailopen disable
When this command is executed, the external fail-open kit does not enter bypass mode when the link
goes down, and the setting persists across Sensor reboots. To enable bypass mode again, run
set gigfailopendelay 0.
Syntax:
set gigfailopen disable
Applicable to:
M-series and NS-series Sensors.
set gigfailopendelay
Sets the number of seconds to delay before fail-open kicks in when a gigabit channel loses its link. To
display the set value, use the show gigfailopendelay command.
Syntax:
set gigfailopendelay <0-60>
Parameter Description
<0-60>
sets the number of seconds to delay. It is an integer between 0 (no delay) and 60 (60
seconds).
Default Value:
0 (0 second)
Example:
set gigfailopendelay 10
Applicable to:
M-series and NS-series Sensors.
set intfport id disable-auto
Disables auto-negotiation of speed and duplex setting on the specified fast ethernet monitoring port.
Syntax:
set intfport id <port> disable-auto
Parameter Description
<port>
a valid ethernet monitoring port on the Sensor: 1A | 1B | 2A | 2B | 3A | 3B, on which
auto-negotiation is already enabled.
Example:
set intfport id 1A disable-auto
Applicable to:
I-1200 and I-2700 Sensors only.
See also
set intfport id enable-auto duplex on page 70
set intfport id enable-auto duplex
Enables auto-negotiation of speed and the duplex setting on the specified fast ethernet monitoring
port.
Syntax:
set intfport id <port> enable-auto <10|100> duplex <full|half>
Parameter Description
<port>
a valid ethernet monitoring port on the Sensor: 1A | 1B | 2A | 2B | 3A | 3B
<10|100>
sets the speed on the fast ethernet monitoring port. The speed value can be either
10 or 100.
<full | half> sets the duplex setting on the fast ethernet monitoring port: 'half' for half duplex
and 'full' for full duplex.
Example:
set intfport id 1A enable-auto 100 duplex full
Applicable to:
I-1200 and I-2700 Sensors only.
See also
set intfport id disable-auto on page 69
set intfport id flowcontrol
Manually enables or disables flow control on the specified gigabit ethernet monitoring port.
Syntax:
set intfport id <port> flowcontrol <on | off>
Parameter Description
<port>
a valid gigabit ethernet monitoring port on the Sensor
• Valid port numbers for M-series are: 1A | 1B | 2A | 2B | 3A | 3B| 4A | 4B | 5A | 5B |
6A | 6B | 7A | 7B | 8A | 8B | all
• Valid port numbers for NS-series are: G0/1 | G0/2 | G1/1 | G1/2 | G1/3 | G1/4 | G1/5
| G1/6 | G1/7 | G1/8 | G1/9 | G1/10 | G1/11 | G1/12 | G2/1 | G2/2 | G2/3 | G2/4 |
G2/5 | G2/6 | G2/7 | G2/8 | G2/9 | G2/10 | G2/11 | G2/12 | G3/1 | G3/2 | G3/3 |
G3/4 | G3/5 | G3/6 | G3/7 | G3/8
<on>
enables the flow control on the gigabit ethernet monitoring port.
<off>
disables the flow control on the gigabit ethernet monitoring port.
Example:
set intfport id 1A flowcontrol on
Applicable to:
I-2700, I-3000, I-4000, and I-4010 Sensors only.
See also
show intfport on page 113
set intfport id speed duplex
Manually enables or disables speed and duplex setting on the specified fast ethernet monitoring port.
Syntax:
set intfport id <port> speed <10 | 100> duplex <half | full>
Parameter Description
<port>
a valid ethernet monitoring port on the Sensor
<10 | 100> sets the speed on the ethernet monitoring port. The speed value can be either 10 or
100.
<half | full> sets the duplex setting on the ethernet monitoring port: 'half' for half duplex and
'full' for full duplex.
Example:
set intfport id 1A speed 100 duplex full
Applicable to:
I-1200 and I-1400 Sensors only.
See also
show intfport on page 113
set ipssimulation disable
Disables Simulated Blocking. For more information, see Network Security Platform IPS Administration
Guide.
If Simulated Blocking was enabled from the command line interface, disable it with this command
before an upgrade. You can then manage the same feature from the Manager interface instead.
Syntax
set ipssimulation disable
Applicable to:
M-series and NS-series Sensors.
set l2f-unknown-udp
When enabled, this command forwards UDP traffic with source and destination port numbers above
1024 without processing it. Forwarding this unknown UDP traffic at layer 2 reduces latency and network
congestion, but the forwarded traffic is not inspected, so enable it only where that is acceptable. By
default, the command is disabled.
Syntax:
set l2f-unknown-udp <enable | disable>
set manager alertport
Specifies the port on which the Manager listens to the Sensor alerts. You can assign any unassigned
port for this communication.
If the Sensor and the Manager are separated by a firewall, you must make sure to open the specified
port on the firewall. If your Sensor is already installed, deinstall the Sensor before changing this
parameter.
Syntax:
set manager alertport <0 - 10000>
Parameter
Description
<0-10000>
the port number ranging from integer values 0 to 10000.
On executing the command, the following messages are displayed
•
When Sensor is installed:
sensor is already installed, please do a deinstall before changing this parameter
•
When Sensor is deinstalled:
Missing manager alert port, default 8502 used
Default Value:
Default port number is 8502.
Applicable to:
M-series and NS-series, and NTBA Appliances.
set manager alertport_RSA-2048-bit
Specifies the port on which the Manager listens to the Sensor alerts when the Manager and Sensor
use 2048-bit encryption. You can assign any unassigned port for this communication.
If the Sensor and the Manager are separated by a firewall, you must make sure to open the specified
port on the firewall. If your Sensor is already installed, deinstall the Sensor before changing this
parameter.
Syntax:
set manager alertport_RSA-2048-bit <0 - 10000>
Parameter
Description
<0-10000>
the port number ranging from integer values 0 to 10,000.
Default Value:
Default port number is 8507.
Applicable to:
M-series Sensors
set manager installsensorport
Specifies the port which the Manager uses to exchange configuration information with the Sensor.
You can assign any unassigned port for this communication.
If the Sensor and the Manager are separated by a firewall, you must make sure to open the specified
port on the firewall. If your Sensor is already installed, deinstall the Sensor before changing this
parameter.
Syntax:
set manager installsensorport <0 - 10000>
Parameter
Description
<0-10000>
the port number ranges from integer values 0 to 10000.
On executing the command, the following messages are displayed
•
When Sensor is installed:
sensor is already installed, please do a deinstall before changing this parameter
•
When Sensor is deinstalled:
Missing manager Install Sensor Port, default 8501 used
Default Value:
Default port number is 8501.
Applicable to:
M-series and NS-series, and NTBA Appliances.
set manager installsensorport_RSA-2048-bit
Specifies the port which the Manager uses to exchange configuration information with the Sensor
when using 2048 bit encryption. You can assign any unassigned port for this communication.
If the Sensor and the Manager are separated by a firewall, you must make sure to open the specified
port on the firewall. Also, if your Sensor is already installed, deinstall the Sensor before changing this
parameter.
Syntax:
set manager installsensorport_RSA-2048-bit <0 - 10000>
Parameter
Description
<0-10000>
the port number ranges from integer values 0 to 10,000.
Default Value:
Default port number is 8506.
Applicable to:
M-series Sensors
set manager ip
Specifies the IPv4 or IPv6 address of the Manager server's primary interface.
Syntax:
set manager ip <A.B.C.D |A:B:C:D:E:F:G:H>
Parameter
Description
<A.B.C.D>
a 32-bit address written as four eight-bit numbers separated by periods. A, B, C
or D represents an eight-bit number between 0 and 255.
<A:B:C:D:E:F:G:H> a 128-bit address written as eight groups of four hexadecimal digits,
separated by colons. Each group (A, B, C, D and so on) is a value between
0000 and FFFF.
Example:
set manager ip 192.34.2.8
Or
set manager ip 2001:0db8:8a2e:0000:0000:0000:0000:0111
A single run of one or more consecutive all-zero groups may be replaced with two colons (::), for
example 2001:0db8:8a2e::0111.
Applicable to:
M-series and NS-series, and NTBA Appliances.
See also
set manager secondary ip on page 75
set manager logport
Specifies the port on which the Manager listens for packet logs from the Sensor. You can assign any
unassigned port for this communication.
If the Sensor and the Manager are separated by a firewall, you must make sure to open the specified
port on the firewall. If your Sensor is already installed, deinstall the Sensor before changing this
parameter.
Syntax:
set manager logport <0 - 10000>
Parameter
Description
<0-10000>
the port number ranging from integer values 0 to 10,000.
On executing the command, the following messages are displayed
•
When Sensor is installed:
sensor is already installed, please do a deinstall before changing this parameter
•
When Sensor is deinstalled:
Missing manager log port, default 8503 used
Default Value:
Default port number is: 8503
Applicable to:
M-series and NS-series Sensors.
set manager logport_RSA-2048-bit
Specifies the port on which the Manager listens for packet logs from the Sensor when the Manager
and Sensor use 2048-bit encryption. You can assign any unassigned port for this communication.
If the Sensor and the Manager are separated by a firewall, you must make sure to open the specified
port on the firewall. If your Sensor is already installed, deinstall the Sensor before changing this
parameter.
Syntax:
set manager logport_RSA-2048-bit <0 - 10000>
Parameter
Description
<0-10000>
the port number ranging from integer values 0 to 10,000.
Default Value:
Default port number is: 8508
Applicable to:
M-series Sensors
set manager secondary ip
Specifies an IPv4 or IPv6 address for the Manager server's secondary interface.
Syntax:
set manager secondary ip <A.B.C.D | A:B:C:D:E:F:G:H>
Parameter           Description
<A.B.C.D>           a 32-bit address written as four eight-bit numbers separated by periods. A, B, C, or D represents an eight-bit number between 0 and 255.
<A:B:C:D:E:F:G:H>   a 128-bit address written as eight groups of four hexadecimal digits, separated by colons. Each group (A, B, C, D, and so on) is a hexadecimal number between 0000 and FFFF.
Example:
set manager secondary ip 192.34.2.8
Or
set manager secondary ip 2001:0db8:8a2e:0000:0000:0000:0000:0111
If one or more four-digit groups are 0000, the zeros may be omitted and replaced with two colons (::).
Applicable to:
M-series and NS-series, and NTBA Appliances.
See also
deletemgrsecintf on page 40
set manager ip on page 74
set mgmtport auto
Configures the Management port to auto-negotiate the connection between the Sensor and the
network device.
This command has no parameters.
Syntax:
set mgmtport auto
Default Value:
By default, the Management port is set to auto (auto-negotiate).
Applicable to:
M-series and NS-series, and NTBA Appliances.
See also
set mgmtport speed and duplex on page 77
set mgmtport mtu
Configures the management port interface Max Transmission Unit (MTU).
Syntax:
set mgmtport mtu <1000-1500>
Sample Output:
intruShell@john> set mgmtport mtu 1250
MTU set to 1250 for mgmt port
Example:
intruShell@john> set mgmtport mtu 1000
Applicable to:
M-series Sensors.
set mgmtport speed and duplex
Configures the management port to match the speed of the network device connecting to the Sensor
and to run in full- or half-duplex mode.
Syntax:
set mgmtport <speed <10 | 100> duplex <full | half>>
Parameter     Description
<10|100>      sets the speed on the Ethernet management port. The speed value can be either 10 or 100 Mbps. To set the speed to 1000 Mbps, use the set mgmtport auto command.
<half|full>   sets the duplex setting on the Ethernet management port. Set the value half for half duplex and full for full duplex.
Default Value:
By default, the management port is set to auto (auto-negotiate).
Applicable to:
M-series and NS-series, and NTBA Appliances.
See also
set mgmtport auto on page 76
set mnsconfig
Sensors deployed in mobile networks monitor subscriber traffic and the RADIUS accounting traffic that
flows from the GGSN to the Internet gateway and to the RADIUS servers. Each mobile device in the
network has an IP address. The Sensor parses the RADIUS accounting exchanged between the GGSN and
the RADIUS server and builds an association between IP addresses and subscriber mobile identity details
such as phone number, IMSI number, and APN. The Sensor also associates attacks detected in the
Internet traffic with the mobile subscriber identity data and includes that data in the alerts sent to the
Manager. The following commands enable monitoring of RADIUS accounting traffic in mobile networks.
• This feature is disabled by default.
• Mobile entries are not persisted across a Sensor reboot.
Syntax:
set mnsconfig on
Enables capturing and tagging of mobile subscriber data in the alerts sent to the Manager.
set mnsconfig off
Disables capturing and tagging of mobile subscriber data in the alerts sent to the Manager.
For more information, see the McAfee Network Security Platform IPS Administration Guide.
Applicable to:
M-series and NS-series Sensors.
set mnsconfig radiusLB
This command enables or disables RADIUS traffic load balancing on the Sensor.
Because all RADIUS packets exchanged over UDP between the GGSN and the RADIUS server use fixed
source and destination ports, the Sensor could miss parsing RADIUS accounting traffic at high data
rates. Enabling this option prevents that scenario.
Syntax:
set mnsconfig radiusLB on
Enables RADIUS traffic load balancing.
set mnsconfig radiusLB off
Disables RADIUS traffic load balancing.
Applicable to:
M-series and NS-series Sensors.
set nmsuserwriteaccess
Configures read-write access for third-party NMS users.
Syntax:
set nmsuserwriteaccess <enable|disable>
Parameter   Description
enable      Enables read-write access for third-party NMS users
disable     Disables read-write access for third-party NMS users
When enabled, this command grants restricted read-write access to the Host Quarantine Group section
of the MIB tree. This restricted read-write access is made available to all configured third-party NMS
users.
For more information, see the McAfee Network Security Platform IPS Administration Guide.
Applicable to:
M-series and NS-series Sensors.
set outofcontext acllookup
Use this command to enable/disable ACL lookup on out-of-order packets.
Syntax:
set outofcontext acllookup <enable|disable>
Applicable to:
M-series and NS-series Sensors.
set parsetunneledtraffic
Use the set parsetunneledtraffic command to enable or disable parsing of tunneled traffic. See show
parsetunneledtraffic status for the current tunneling configuration of the Sensor.
For more details on how tunneled traffic is handled, see the McAfee Network Security Platform IPS
Administration Guide.
Syntax:
set parsetunneledtraffic <enable|disable>
Parameter   Description
<enable>    enables the parsing of tunneled traffic
<disable>   disables the parsing of tunneled traffic
Applicable to: M-series, NS-series, and Virtual IPS Sensors. For Virtual Security System instances,
this command is available in debug mode.
See also
show parsetunneledtraffic status on page 130
set portsettletime
The Sensor enables inline port pairs to act as a true 'wire.' This means that when one port in a pair is
DOWN, its peer will also be brought DOWN, and vice versa, when one is UP, its peer will also be
brought UP (contingent upon the status of the device to which it is connected). This is achieved via the
set portsettletime command, which enables you to specify the "settle time" for the ports. When a
port is enabled and is not UP for a duration equal to the port settling time, then the port is considered
DOWN.
Since different switches take different amounts of time to negotiate, you must configure this value to
a time period appropriate for your network. This value applies to all ports in the Sensor. Wire mode
functionality is not enforced during the port settle time.
Syntax:
set portsettletime <seconds>
Parameter   Description
<seconds>   indicates the number of seconds, between 0 and 300
Default Value:
The default value is 30, meaning 30 seconds.
Applicable to:
M-series and NS-series Sensors.
See also
show portsettletime on page 132
set previous256byteslogging
Configures the Sensor to log the previous 256 bytes of packet data. For this configuration to take
effect, the Sensor must be rebooted.
Syntax:
set previous256byteslogging <enable|disable>
Parameter   Description
enable      Enables previous 256 bytes logging
disable     Disables previous 256 bytes logging
When previous 256 bytes logging is configured on the Sensor and Capture 128 Bytes of Attack Data Prior to
Attack is enabled (IPS Settings | Policies | IPS Policies | Edit Attack Details for Attack | Logging) on the Manager,
the previous 256 bytes of packet data are logged.
Because 256 bytes packet logging requires more memory on the Sensor, it reduces the number of
supported flows by 10% on M-series Sensors and 24% on I-series Sensors.
Applicable to:
M-series and NS-series Sensors.
set scpserver ip
Specifies the IPv4 or IPv6 address of your SCP server.
Syntax:
set scpserver ip <A.B.C.D | A:B:C:D:E:F:G:H>
Parameter           Description
<A.B.C.D>           Indicates a 32-bit address written as four eight-bit numbers separated by periods. A, B, C, or D represents an eight-bit number between 0 and 255.
<A:B:C:D:E:F:G:H>   Indicates a 128-bit address written as eight groups of four hexadecimal digits, separated by colons. Each group (A, B, C, D, and so on) is a hexadecimal number between 0000 and FFFF.
Applicable to:
M-series and NS-series Sensors.
set sensor gateway
Specifies the IPv4 address of the gateway that the Sensor uses to reach the Manager server.
Syntax:
set sensor gateway <A.B.C.D>
Parameter   Description
<A.B.C.D>   a 32-bit address written as four eight-bit numbers separated by periods. A, B, C, or D represents an eight-bit number between 0 and 255.
Sample Output:
• For a Sensor, the output is as shown:
intruShell@john> set sensor gateway 10.213.174.201
sensor gateway = 10.213.174.201
• For an NTBA Appliance, the output is as shown:
ntbaSensor@vNTBA> set sensor gateway 192.34.2.8
sensor gateway = 192.34.2.8
Example:
set sensor gateway 192.34.2.8
Applicable to:
M-series and NS-series, and NTBA Appliances.
set sensor gateway-ipv6
Specifies the IPv6 address of the gateway that the Sensor uses to reach the Manager server.
Syntax:
set sensor gateway-ipv6 <A:B:C:D:E:F:G:H>
Parameter           Description
<A:B:C:D:E:F:G:H>   a 128-bit address written as eight groups of four hexadecimal digits, separated by colons. Each group (A, B, C, D, and so on) is a hexadecimal number between 0000 and FFFF.
Example:
set sensor gateway-ipv6 2001:0db8:8a2e:0000:0000:0000:0000:0111
If one or more four-digit groups are 0000, the zeros may be omitted and replaced with two colons (::).
For example, set sensor gateway-ipv6 2001:0db8:8a2e::0111
Applicable to:
M-series and NS-series Sensors.
set sensor ip
Specifies the Sensor's IPv4 address and subnet mask. Changing the Sensor IP requires a Sensor
reboot for the changes to take effect. See the reboot command for instructions on how to reboot the
Sensor.
Syntax:
set sensor ip <A.B.C.D E.F.G.H>
Parameter           Description
<A.B.C.D E.F.G.H>   indicates an IPv4 address followed by a netmask. The netmask strips the host ID from the IP address, leaving only the network ID. Each netmask consists of binary ones (decimal 255) to mask the network ID and binary zeroes (decimal 0) to retain the host ID of the IP address (for example, the default netmask for a Class C address is 255.255.255.0).
Sample Output:
• For a Sensor, the output is as shown:
intruShell@john> set sensor ip 10.213.168.169 255.255.255.0
Sensor IP is already set, new IP will take effect after a reboot
sensor ipv4 = 10.213.168.169, sensor subnet mask = 255.255.255.0
• For an NTBA Appliance, the output is as shown:
ntbaSensor@NTBA_210> set sensor ip 10.213.171.210 255.255.255.0
Sensor IP is already set, new IP will take effect after a reboot
sensor ipv4 = 10.213.171.210, sensor subnet mask = 255.255.255.0
Example:
set sensor ip 192.34.2.8 255.255.0.0
Applicable to:
M-series and NS-series, and NTBA Appliances.
set sensor ipv6
Sets the Sensor's IPv6 address and subnet mask.
Syntax:
set sensor ipv6 <A:B:C:D:E:F:G:H/I>
Parameter             Description
<A:B:C:D:E:F:G:H/I>   indicates a 128-bit address written as eight groups of four hexadecimal digits, separated by colons. Each group (A, B, C, D, and so on) is a hexadecimal number between 0000 and FFFF. This is followed by a prefix length I with a value between 0 and 128.
Example:
set sensor ipv6 2001:0db8:8a2e:0000:0000:0000:0000:0111/64
If one or more four-digit groups are 0000, the zeros may be omitted and replaced with two colons (::).
Example: set sensor ipv6 2001:0db8:8a2e::0111/64
Applicable to:
M-series and NS-series Sensors.
set sensor name
Sets the name of the Sensor. This name is used to identify the Sensor to the Manager and to identify
the Sensor to the admin in the Manager interface. The name you use here in the CLI to identify the
Sensor must match the name you use in the Manager interface or the Manager and Sensor will be
unable to communicate.
Syntax:
set sensor name <WORD>
Parameter   Description
<WORD>      indicates a case-sensitive character string of up to 25 characters. The string can include hyphens, underscores, and periods, and must begin with a letter.
Sample Output:
On executing the command, the following messages are displayed:
• When the Sensor is installed:
sensor is already installed, please do a deinstall before changing this parameter
• When the Sensor is deinstalled:
• intruShell@john> set sensor name admin
sensor name = admin
• ntbaSensor@NTBA_210> set sensor name vNTBA
sensor name = vNTBA
Example:
set sensor name SanJose_Sensor1
Applicable to:
M-series and NS-series, and NTBA Appliances.
set sensor sharedsecretkey
Specifies the shared secret key value that the Manager and Sensor will use to establish a trust
relationship.
Type the command as shown in the Syntax below. The Sensor prompts you for a secret key value. The
value you enter is not shown. You will be prompted to type the value a second time to verify that the
two entries match.
The sharedsecretkey value you use here in the CLI to identify the Sensor must match the one you use in
the Manager interface or the Manager and Sensor will be unable to communicate. If you want to change
the value, you must change the value in the CLI as well as the manager interface.
Syntax:
set sensor sharedsecretkey
At the Sensor's prompt for a secret key value, enter a case-sensitive character string between 8 and
25 characters of any ASCII text.
Sample Output:
On executing the command, the following messages are displayed:
• When the Sensor is installed:
sensor is already installed, please do a deinstall before changing this parameter
• When the Sensor is deinstalled:
• intruShell@john> set sensor sharedsecretkey
Please enter shared secret key:
Please Re-enter shared secret key:
This will take a couple of seconds, please check status on CLI
• ntbaSensor@vNTBA> set sensor sharedsecretkey
Please enter shared secret key:
Please Re-enter shared secret key:
This will take a couple of seconds, please check status on CLI
Applicable to:
M-series and NS-series, and NTBA Appliances.
set sessionlimit timeout
Use this command to set a time limit for a user session.
Syntax:
set sessionlimit timeout <0-24>
The valid range of values for a session is 0 to 24 hours.
If the session time limit is set to 9 hours, for example, the session is automatically closed once the
user has worked in the session for 9 hours.
If the parameter is set to 0, the session does not time out unless the user closes the session.
The session timeout setting is saved and remains the same when the Sensor comes up the next time.
The timeout value set applies to all users.
Applicable to:
M-series and NS-series Sensors.
set sshaccesscontrol
You can configure ACLs to restrict SSH access to the Sensor from a network, for secure usage. The
set sshaccesscontrol command enables or disables this SSH access control on the Sensor.
Syntax:
set sshaccesscontrol <enable | disable>
When sshaccesscontrol is enabled and the network list is displayed as any/any, the default access is
provided to the entire network.
Default Value:
SSH access control is disabled by default, so SSH access is allowed from all networks.
Applicable to:
M-series and NS-series Sensors.
set sshinactivetimeout
Configures the CLI SSH session inactivity timeout in seconds.
Syntax:
set sshinactivetimeout <30-300>
The valid range of values for the timeout is 30 to 300 seconds.
If the inactive time limit is set to 35 seconds, for example, the session is automatically closed once the
user has been inactive in the session for 35 seconds.
The inactive timeout setting is saved and remains the same when the Sensor comes up the next time.
The timeout value set applies to all users.
Applicable to:
M-series and NS-series Sensors.
set sshlog
Use this command to enable or disable SSH logging (writing into the log files).
Syntax:
set sshlog <enable/disable>
Default Value:
disabled
Applicable to:
M-series and NS-series Sensors.
set syncookietcpreset
Enables or disables the TCP reset setting.
Syntax:
set syncookietcpreset <on | off >
Sample output:
• intruShell@john> set syncookietcpreset on
value on
• intruShell@john> set syncookietcpreset off
value off
Applicable to:
M-series and NS-series Sensors.
set tacacsauthorization
The TACACS+ authorization feature authorizes access to the Sensor CLI by matching the service name
in the TACACS+ server with the service name on the Sensor. Sensor CLI access is given only when
there is a matching service name.
The TACACS+ user is allowed to log in to the Sensor CLI using their credentials, and the session is
created using a unique Sensor-generated UID, whether authorization is enabled or disabled. Any local
database file created for TACACS+ users on the Sensor is not persisted; after a reboot, the database
entries are created as and when the TACACS+ users log in.
The audit log has all the operations performed by the TACACS+ user tagged to the user name.
For more information, see the McAfee Network Security Platform IPS Administration Guide. Refer to KB
articles KB58269 and KB58299.
The set tacacsauthorization command is used to set the TACACS+ authorization feature.
Syntax:
set tacacsauthorization <enable|disable>
Parameter   Description
<enable>    Enables the TACACS+ authorization feature
<disable>   Disables the TACACS+ authorization feature
Default Value:
Disabled
Applicable to:
M-series and NS-series Sensors.
See also
show tacacs on page 140
set tcpudpchecksumerror drop
The Sensor re-computes TCP and UDP header checksums to determine if their corresponding packets
have been corrupted. If the checksum fails, the packet is dropped. This is standard Sensor behavior.
This command has no parameters.
Syntax:
set tcpudpchecksumerror drop
Applicable to:
M-series and NS-series Sensors.
See also
set tcpudpchecksumerror forward on page 87
show tcpudpchecksumerror on page 141
set tcpudpchecksumerror forward
Prevents the Sensor from dropping TCP/UDP/ICMP checksum error packets. The Sensor recomputes
TCP, UDP, and ICMP header checksums to determine whether the corresponding packets have been
corrupted. If the checksum fails, the packet is dropped; this is standard Sensor behavior.
The set tcpudpchecksumerror forward command overrides the check. It is useful where the Sensor
is located on segments on which the IP options Loose Source Record Routing (LSRR) or Strict Source
Routing are enabled, which produce valid traffic with invalid checksums that the Sensor would
otherwise drop.
This command has no parameters.
Syntax:
set tcpudpchecksumerror forward
Default Value:
This feature is disabled by default: the Sensor is set to drop packets with invalid checksums (that is,
set tcpudpchecksumerror drop is in effect).
Applicable to:
M-series and NS-series Sensors.
See also
set tcpudpchecksumerror drop on page 86
show tcpudpchecksumerror on page 141
set tftpserver ip
Specifies the IPv4 or IPv6 address of your TFTP server.
Syntax:
set tftpserver ip <A.B.C.D | A:B:C:D:E:F:G:H>
Parameter           Description
<A.B.C.D>           indicates a 32-bit address written as four eight-bit numbers separated by periods. A, B, C, or D represents an eight-bit number between 0 and 255.
<A:B:C:D:E:F:G:H>   indicates a 128-bit address written as eight groups of four hexadecimal digits, separated by colons. Each group (A, B, C, D, and so on) is a hexadecimal number between 0000 and FFFF.
Sample Output:
• For a Sensor, the output is as shown:
intruShell@john> set tftpserver ip 192.34.5.12
TFTP Server IP = 192.34.5.12
• For an NTBA Appliance, the output is as shown:
ntbaSensor@vNTBA> set tftpserver ip 192.34.2.54
TFTP Server IP = 192.34.2.54
Example:
set tftpserver ip 192.34.2.54
Or
set tftpserver ip 2001:0db8:8a2e:0000:0000:0000:0000:0111
If one or more four-digit groups are 0000, the zeros may be omitted and replaced with two colons (::).
Applicable to:
M-series and NS-series, and NTBA Appliances.
set threshold-udp-dos-forward-action
When a particular DoS attack crosses the threshold limit, the UDP traffic is forwarded without
processing. Any UDP traffic within the threshold limit is processed. By default, this setting is
disabled.
The threshold limit for the DoS attacks can be configured in the Manager under Policy | Intrusion Prevention
| Advanced | Default IPS Attack Settings. For more information, see the section DoS attack detection mechanism
in the chapter Denial-of-Service attacks of the McAfee Network Security Platform IPS Administration Guide.
Syntax:
set threshold-udp-dos-forward-action <enable | disable>
set userconfigvolumedosthreshold
Sets a DoS threshold for alerting on volume for a particular packet type.
Syntax:
set userconfigvolumedosthreshold <dos-measure-name> <direction>
Parameter            Description
<dos-measure-name>   indicates the DoS measure name: one of 'tcp-syn', 'tcp-syn-ack', 'tcp-fin', 'tcp-rst', 'udp', 'icmp-echo', 'icmp-echo-reply', 'icmp-non-echo-reply', 'ip-fragment', 'non-tcp-udp-icmp'
<direction>          indicates the direction. It can be 'inbound' or 'outbound'
Example:
set userconfigvolumedosthreshold tcp-syn outbound
Applicable to:
M-series and NS-series Sensors.
See also
show userconfigvolumedosthreshold on page 142
set vlanbasedrecon
Network Security Platform supports VLAN-based reconnaissance attack detection. By default, this
option is disabled. When this option is enabled, reconnaissance attack detection is done on both the
VLAN and the VIDS.
McAfee recommends that you enable this option only if you want reconnaissance attack detection
to be done on a VLAN basis.
This option is supported on both I-series and M-series Sensors.
Syntax:
set vlanbasedrecon <enable|disable>
Parameter   Description
enable      Enables VLAN-based reconnaissance detection.
disable     Disables VLAN-based reconnaissance detection.
Applicable to:
M-series and NS-series Sensors.
setfailopencfg restore-inline
Sensor port pairs deployed in inline fail-open mode (that is, connected to external passive fail-open
kits) and port pairs with built-in fail-open support are disabled when they go into bypass mode due to
external network link-down events. You can configure the Sensor to periodically restore all such port
pairs from bypass to inline mode using the setfailopencfg restore-inline command.
This feature is not supported for active fail-open kits.
When enabled, the Sensor attempts to restore a port pair from bypass to inline mode periodically
according to the configured interval. This restore operation can be enabled only when the Sensor is in
good health.
setfailopencfg restore-inline
Configures the Sensor to periodically restore the port pairs from bypass to inline mode.
Syntax:
setfailopencfg restore-inline <enable|disable>
Default Value:
Disabled
Applicable to:
M-series and NS-series Sensors.
setfailopencfg restore-inline-interval
Configures the time interval to restore port from bypass to inline mode.
Syntax:
setfailopencfg restore-inline-interval <5-60 minutes>
Parameter      Description
5-60 minutes   Time interval (in minutes) at which the Sensor attempts to restore a port pair from bypass to inline. Default is 5 minutes.
Applicable to:
M-series and NS-series Sensors.
setfailopencfg internal/external-failopen bypass/inline
Configures the behavior of the port pair after Sensor reboots.
Syntax:
setfailopencfg internal/external-failopen bypass/inline
Parameter   Description
inline      If the Sensor has a link down and is rebooted (setfailopencfg restore-inline is disabled, or enabled but not triggered at the time of reboot), the port pair restores itself to the inline state (by getting enabled and coming up).
bypass      The port pairs stay in the bypass mode (by staying disabled and not coming up).
This configuration is persisted across Sensor reboots.
For the port pairs to be restored from bypass to inline mode, the following conditions should be met:
• The operating mode is inline fail-open (fail-open support is built in or passive fail-open kits are connected).
• If a passive fail-open kit is used, the kit is connected to the Sensor.
• The port pair went into the bypass mode due to a monitoring port link down or a missing cable.
When this feature is enabled or you change the time interval, the Sensor checks and attempts to
restore the port pairs to the inline mode immediately. Consider the following scenarios.
Scenario 1: Change of time interval
The feature is enabled at 11:00 with the default time interval of 5 minutes; at 11:03 the port link goes
down for a few milliseconds and is then restored. At 11:04 the time interval is changed to 10 minutes;
the Sensor checks the port pair and restores the port pair to the inline mode at 11:14. Subsequently,
the Sensor checks the port pairs every 10 minutes (unless the time interval is changed again), that is,
the next attempt to restore from bypass to inline mode takes place at 11:24.
Scenario 2: Feature enabled/disabled
The feature is enabled at 11:00 with the default time interval of 5 minutes; at 11:03 the port link goes
down for a few milliseconds and is then restored. At 11:04 the feature is disabled. At 11:05 the port
pair is admin down. The feature is enabled at 11:07; the Sensor checks the port pair but restores the
port pair to the inline mode at 11:12.
If you manually disable the port's administrative status, the port remains in the bypass mode even
though this feature is enabled.
The Sensor sends a notification to the Manager with a revised timestamp for every failed attempt to
restore a port pair from bypass to the inline mode (typically due to link negotiation failure with peer
devices). If the restore from bypass to inline succeeds, the Manager clears any prior (bypass)
notifications for that port pair.
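The two scenarios above describe a timer that restarts whenever the feature is enabled or the interval changes. The following Python model is an added example, not McAfee code, that replays the events of Scenario 1 and Scenario 2 minute by minute under that reading; it assumes (an interpretation of the scenarios, not documented product behavior) that the first restore attempt on a bypassed port pair is due one full interval after the most recent enable or interval change, and it does not model the admin-down step of Scenario 2. The class and function names are hypothetical.

```python
"""Added example: a constructed model of the setfailopencfg restore-inline timer.
Assumption (not the product's implementation): enabling the feature or changing
the interval restarts the timer, and the first restore attempt on a bypassed
port pair is due one full interval after that event, then every interval."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


def hm(text: str) -> int:
    """Clock text such as '11.03' or '11:03' -> minutes since midnight."""
    hours, minutes = text.replace(".", ":").split(":")
    return int(hours) * 60 + int(minutes)


def fmt(minute: int) -> str:
    """Minutes since midnight -> 'HH:MM'."""
    return f"{minute // 60:02d}:{minute % 60:02d}"


@dataclass
class RestoreInlineModel:
    enabled: bool = False
    interval: int = 5                  # minutes; the command accepts 5-60
    in_bypass: bool = False
    timer_base: Optional[int] = None   # minute at which the attempt timer was (re)started
    log: List[str] = field(default_factory=list)

    def _restart_timer(self, now: int) -> None:
        # Enable or interval change: the Sensor checks the port pair at once and
        # the first restore attempt is scheduled one full interval later.
        self.timer_base = now
        self.log.append(f"{fmt(now)} checked; next attempt at {fmt(now + self.interval)}")

    def apply(self, now: int, action: str, arg: Optional[int] = None) -> None:
        """Apply one CLI or link event at minute `now`."""
        if action == "enable":                 # setfailopencfg restore-inline enable
            self.enabled = True
            self._restart_timer(now)
        elif action == "disable":              # setfailopencfg restore-inline disable
            self.enabled = False
            self.timer_base = None
        elif action == "interval":             # setfailopencfg restore-inline-interval <5-60>
            if arg is None or not 5 <= arg <= 60:
                raise ValueError("restore-inline-interval must be 5-60 minutes")
            self.interval = arg
            if self.enabled:
                self._restart_timer(now)
        elif action == "link_flap":
            # A link-down event, however brief, leaves the fail-open pair in bypass.
            self.in_bypass = True
            self.log.append(f"{fmt(now)} link down; port pair in bypass")
        else:
            raise ValueError(f"unknown action {action!r}")

    def tick(self, now: int) -> Optional[str]:
        """Run the periodic timer for one minute; report 'restored' or 'checked' on an attempt."""
        if not self.enabled or self.timer_base is None:
            return None
        elapsed = now - self.timer_base
        if elapsed <= 0 or elapsed % self.interval:
            return None
        if self.in_bypass:
            self.in_bypass = False
            self.log.append(f"{fmt(now)} restored port pair to inline")
            return "restored"
        self.log.append(f"{fmt(now)} checked; port pair already inline")
        return "checked"


Event = Tuple[str, str, Optional[int]]   # (clock, action, argument)


def simulate(events: List[Event], start: str, end: str) -> Dict[str, List[str]]:
    """Replay events minute by minute from start to end; return attempt times by outcome."""
    model = RestoreInlineModel()
    by_minute: Dict[int, List[Tuple[str, Optional[int]]]] = {}
    for clock, action, arg in events:
        by_minute.setdefault(hm(clock), []).append((action, arg))
    result: Dict[str, List[str]] = {"restored": [], "checked": []}
    for now in range(hm(start), hm(end) + 1):
        for action, arg in by_minute.get(now, []):
            model.apply(now, action, arg)
        outcome = model.tick(now)
        if outcome:
            result[outcome].append(fmt(now))
    return result


# Constructed event lists following Scenario 1 and Scenario 2 above.
SCENARIO_1: List[Event] = [("11.00", "enable", None), ("11.03", "link_flap", None),
                           ("11.04", "interval", 10)]
SCENARIO_2: List[Event] = [("11.00", "enable", None), ("11.03", "link_flap", None),
                           ("11.04", "disable", None), ("11.07", "enable", None)]

if __name__ == "__main__":
    for name, events in (("Scenario 1", SCENARIO_1), ("Scenario 2", SCENARIO_2)):
        # Scenario 1 restores at 11:14 and checks again at 11:24; Scenario 2 restores at 11:12
        print(name, simulate(events, "11.00", "11.30"))
```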
set-sensor-load
This command enables or disables collection of the following information:
• average load (traffic) seen across all processing elements
• maximum load (traffic) seen on a single processing element
Syntax:
set sensor-load <on | off>
Parameter   Description
<on>        enables the sensor-load feature.
<off>       disables the sensor-load feature.
Applicable to:
M-series and NS-series Sensors.
setup
This command is used to set up Sensor parameters. You are required to run this command when you
newly set up your Sensor or after resetting the Sensor by using the factorydefaults command.
This command has no parameters.
Syntax:
setup
When you enter this command, you are prompted to enter the following:
• Current password
• New password
• Sensor name
• IP Type (IPV4=1 or IPV6=2 or BOTH=3)
• Sensor IP (IPv4 or IPv6 address or BOTH)
• Sensor subnet mask (IP address)
• Manager primary IP (IPv4 or IPv6 address or BOTH)
• Manager secondary IP (IPv4 or IPv6 address or BOTH)
• Sensor default gateway (IPv4 or IPv6 address or BOTH)
• Management port configuration choice (a/m)
• Shared secret key
If you press Enter at a prompt, your current setting is kept as the default.
Applicable to:
M-series and NS-series Sensors.
How to change your password
You will be prompted to enter your password when you first logon after entering the setup command.
1. Type setup at the prompt.
2. Enter your current password.
3. Enter your new password.
Pressing Enter retains your current password. If you enter a new password, you are asked to
confirm it.
If the two password entries do not match, or the password is shorter than the minimum length of
8 characters, you are returned to the prompt.
How to set the Sensor name
After you have entered the password, you are prompted to enter your Sensor name. Your default
Sensor name is displayed in the [ ] brackets.
Please enter the Sensor name [Sensor_name]:
Configuration of the Sensor setup
You can configure the Sensor setup depending on the type of IP address:
• IPv4
• IPv6
• Both IPv4 and IPv6
Configuring the Sensor setup for IPv4 address:
You are prompted if you enter the IP Type as 1. Your default Sensor IPv4 address is displayed in the
[ ] brackets. The following prompts are displayed.
Please enter the Sensor IP ( A.B.C.D ) [ Sensor_IPv4address ]:
Please enter the Sensor subnet mask ( A.B.C.D ) [Sensor_subnet_mask_IPaddress]:
Please enter the Manager primary IPv4 address ( A.B.C.D ) [ Manager_IPaddress ]:
**You can set the Manager secondary IP in case the Manager has two interfaces**
Press Y to configure Manager secondary IP address [ N ]:
If you type Y, the following prompt appears.
Please enter the Manager secondary IPv4 ( A.B.C.D ) [ Manager_IPaddress ]:
Please enter the Sensor default gateway ( A.B.C.D ) [ Sensor_gateway_IPv4 address ]:
Please enter management port configuration choice(a/m) [port_configuration_selected]:
• a: signifies auto configured
• m: signifies manually configured
Press Y to set shared secret key now or N to exit [Y]:
Please enter shared secret key:
Configuring the Sensor setup for IPv6 address:
You are prompted if you enter the IP Type as 2. Your default Sensor IPv6 address is displayed in the
[ ] brackets. The following prompts are displayed.
Please enter the Sensor IPV6 address/ subnet prefix length mask ( A:B:.C:D:E:F:G:H/I ) [IPV6 address/subnet]:
Please enter the Manager primary IPV6 address ( A:B:C:D:E:F:G:H ) [ Manager_IPaddress ]:
**You can set the Manager secondary IP in case the Manager has two interfaces**
Please enter the Manager secondary IPv6 address ( A:B:C:D:E:F:G:H ) [ Manager_IPaddress ]:
Please enter the Sensor default IPv6 gateway ( A:B:C:D:E:F:G:H ) [ Sensor_gateway_IPv6 address ]:
Please enter management port configuration choice(a/m) [port_configuration_selected]:
• a: signifies auto configured
• m: signifies manually configured
Press Y to set shared secret key now or N to exit [Y]:
Please enter shared secret key:
Configuring the Sensor setup for both IPv4 and IPv6 address:
You are prompted if you enter the IP Type as 3. Your default Sensor IPv4 address is displayed in the
[ ] brackets. The following prompts are displayed.
Please enter the Sensor IP ( A.B.C.D ) [ Sensor_IPv4address ]:
Please enter the Sensor subnet mask ( A.B.C.D ) [Sensor_subnet_mask_IPaddress]:
Please enter the Sensor IPV6 address/ subnet prefix length mask ( A:B:.C:D:E:F:G:H/I ) [IPV6 address/subnet]:
Please enter the Manager primary IPv4 address or IPV6 address ( A.B.C.D or A:B:C:D:E:F:G:H ) [ Manager_IPaddress ]:
**You can set the Manager secondary IP in case the Manager has two interfaces**
Please enter the Manager secondary IPv4 or IPv6 address ( A.B.C.D or A:B:C:D:E:F:G:H ) [ Manager_IPaddress ]:
Please enter the Sensor default gateway ( A.B.C.D ) [ Sensor_gateway_IPv4 address ]:
Please enter the Sensor default IPv6 gateway ( A:B:C:D:E:F:G:H ) [ Sensor_gateway_IPv6 address ]:
Please enter management port configuration choice(a/m) [port_configuration_selected]:
• a: signifies auto configured
• m: signifies manually configured
Press Y to set shared secret key now or N to exit [Y]:
Please enter shared secret key:
Setting the Sensor subnet mask
You are prompted to enter the Sensor subnet mask. Your default Sensor subnet mask IP address is
displayed in the [ ] brackets.
Please enter the Sensor subnet mask ( A.B.C.D ) [Sensor_subnet_mask_IPaddress]:
How to set the Manager IP address
You are prompted to set the Manager IP address. If your Manager has two NIC cards, then you will be
required to set the second NIC card IP address. Your default Manager IP address is displayed in the []
brackets. You can set both IPv4 and IPv6 addresses for primary and secondary Managers.
Please enter the Manager primary IPv4 address ( A.B.C.D or A:B:C:D:E:F:G:H ) [ Manager_IPaddress ]:
Please enter the Manager primary IPv6 address ( A.B.C.D or A:B:C:D:E:F:G:H ) [ Manager_IPaddress ]:
**You can set the Manager secondary IP in case the Manager has two interfaces**
Press Y to configure Manager secondary IP address [ N ]:
Please enter the Manager secondary IPv4 or IPv6 address ( A.B.C.D or A:B:C:D:E:F:G:H ) [ Manager_IPaddress ]:
How to set the Sensor default gateway
You are prompted to set the Sensor's default gateway IP address. Your default Sensor's gateway IP
address is displayed in the [ ] brackets. You can set both IPv4 and IPv6 addresses in the Sensor
default gateway.
Please enter the Sensor default gateway ( A.B.C.D ) [ Sensor_gateway_IPv4 address ]:
Please enter the Sensor default IPv6 gateway ( A:B:C:D:E:F:G:H ) [ Sensor_gateway_IPv6 address ]:
How to set the management port configuration
You are prompted to set the status of the management port:
• a: auto configured
• m: manually configured
Please enter management port configuration choice(a/m) [port_configuration_selected]:
How to set the shared secret key on the Sensor
Setting the shared secret key on the Sensor is the final step in the setup command.
Enter a shared secret key and reconfirm at the prompt.
Press Y to set shared secret key now or N to exit [Y]:
Please enter shared secret key:
show
Shows all the current configuration settings on the Sensor, such as model, installed software version, IP address, and Manager details.
This command has no parameters.
Syntax:
show
Information displayed by the show command includes:
[Sensor Info]
• Date
• System Uptime
• System Type
• Software Version
• MGMT Ethernet Port
• System serial number (displays the primary, secondary and master/system serial numbers separately in case of NS9300)
[Sensor Network Config]
• IP Address
• Netmask
• Default Gateway
• Default TFTP server
[Manager Config]
• Manager IP addr
• Install TCP Port
• Alert TCP Port
[Peer Manager Config]
• Manager IP addr
• Install TCP Port
• Alert TCP Port
Sample Output:
• For a Sensor, the output is as shown:
intruShell@john> show
[Sensor Info]
System Name : M6050
Date : 2/6/2015 - 9:23:18 UTC
System Uptime : 6 days 23 hrs 10 min 13 secs
System Type : M-6050
Serial Number : J021834009
Software Version : 8.2.2.98
Hardware Version : 1.30
MGMT Ethernet port : auto negotiated
MGMT port Link Status : link up
[Sensor Network Config]
IP Address : 10.213.174.202
Netmask : 255.255.255.0
Default Gateway : 10.213.174.201
SSH Remote Logins : enabled
[Manager Config]
Manager IP addr : 10.213.169.178 (primary intf)
Install TCP Port : 8506
Alert TCP Port : 8507
Logging TCP Port : 8508
• For an NTBA Appliance, the output is as shown:
ntbaSensor@vNTBA> show
[Sensor Info]
System Name : vNTBA
Date : Fri Mar 28 08:55:26 2014
System Uptime : 02 hrs 24 min 54 secs
System Type : T-200VM
Serial Number : T0020140324185515
Software Version : 8.1.3.6
MGMT Ethernet port : speed = 10 mbps, full duplex, link up
[Sensor Network Config]
IP Address : 1.1.1.1
Netmask : 255.255.255.0
Default Gateway : 1.1.1.5
Default TFTP server : 1.2.3.4
[Manager Config]
Manager IP addr : 1.1.1.2 (primary intf)
Install TCP Port : 8501
Alert TCP Port : 8502
• For an NS9300 Sensor, the output is as shown:
intruShell@KAM9300> show
[Sensor Info]
System Name : KAM9300
Date : 1/28/2015 - 8:34:53 UTC
System Uptime : 6 days 22 hrs 03 min 43 secs
System Type : IPS-NS9300
System Serial Number : J073350027
NS9300 P Serial Number : J071328008
NS9300 S Serial Number : J064227B70
Software Version : 8.1.5.71
Hardware Version : 1.10
MGMT Ethernet port : auto negotiated
MGMT port Link Status : link up
[Sensor Network Config]
IP Address : 1.1.1.1
Netmask : 255.255.255.0
Default Gateway : 1.1.1.5
Default SCPserver : 1.2.3.4
SSH Remote Logins : enabled
[Manager Config]
Manager IP addr : 1.1.1.2 (primary intf)
Install TCP Port : 8506
Alert TCP Port : 8507
Logging TCP Port : 8508
Applicable to:
M-series and NS-series, and NTBA Appliances.
show acl stats
Displays statistics about the ACL logs configured on the Sensor.
This command has no parameters.
Syntax:
show acl stats
Information displayed by the show acl stats command includes:
• Number of ACL log entries received
• Number of suppressed ACL log entries
• Number of ACL log entries sent to the server
• Number of Firewall ACL logs sent through the Manager
• (M-series Sensors only) Number of Firewall ACL logs sent directly by the Sensor
Sample Output:
intruShell@john> show acl stats
[Acl Alerts]
Received : 164
Suppressed : 0
Sent : 164
Sent Direct : 0
Stateless ACL Fwd count : 20
Applicable to:
M-series and NS-series Sensors.
show arp spoof status
Displays whether the ARP spoofing detection feature is currently enabled or disabled.
This command has no parameters.
Syntax:
show arp spoof status
Sample Output:
intruShell@Sensor-6050> show arp spoof status
ArpSpoofDetection : Enabled
Applicable to: M-series, NS-series, and Virtual IPS Sensors. For Virtual Security System instances,
this command is available in debug mode.
See also
arp delete on page 35
arp dump on page 36
arp flush on page 36
arp spoof on page 37
show auditlog
Displays the system events in audit log based on user input. It displays the following information:
• Date and time of the system event.
• User login details (login success/failure, user name, host IP and port number).
• Name of the executed CLI commands (with the parameters that were used).
Syntax:
show auditlog <[2-50] | all>
where:
[2-50] indicates the number of most recent audit log events to display; all displays every event. The command must be executed with a parameter value; otherwise, it is treated as invalid.
Sample Output:
intruShell@john> show auditlog all
Jan 28 09:51:49 2014:EXEC CMD : disable user - admin
Jan 28 09:52:22 2014:EXEC CMD : show auditlog all user - admin
Jan 28 09:52:35 2014:EXEC CMD : show auditlog 3 user - admin
Example:
To display the recent 20 events: show auditlog 20
To display all events: show auditlog all
Applicable to:
M-series and NS-series Sensors.
See also
auditlogupload on page 37
show auditlog status on page 100
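As an added example (not code from the guide): a Python parser for audit log lines in the layout shown above, which separates read-only show commands from state-changing ones and groups commands by CLI user. The echoed prompt line, the user operator1 and the two extra entries are constructed; login entries are left unparsed because their exact layout is not shown here.

```python
import re
from datetime import datetime

# Layout of the "show auditlog all" sample output in the guide, e.g.
#   "Jan 28 09:52:22 2014:EXEC CMD : show auditlog all user - admin"
AUDIT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+\d{4}):"
    r"(?P<event>[A-Z][A-Z ]*?)\s*:\s*(?P<detail>.*?)\s+user\s+-\s+(?P<user>\S+)\s*$"
)
# Echoed CLI prompt, e.g. "intruShell@john> show auditlog all"
PROMPT_RE = re.compile(r"^\S+@\S+>")

# Constructed sample: the three lines from the guide plus two added entries.
SAMPLE_AUDITLOG = """\
intruShell@john> show auditlog all
Jan 28 09:51:49 2014:EXEC CMD : disable user - admin
Jan 28 09:52:22 2014:EXEC CMD : show auditlog all user - admin
Jan 28 09:52:35 2014:EXEC CMD : show auditlog 3 user - admin
Jan 28 09:58:10 2014:EXEC CMD : arp flush user - operator1
Jan 28 10:01:44 2014:EXEC CMD : show flows user - operator1
"""


def parse_auditlog(text):
    """Return (events, unparsed): events are dicts with time/event/detail/user.

    Login success/failure entries are recorded by the Sensor too, but their
    layout is not shown in the guide, so any such line ends up in `unparsed`.
    """
    events, unparsed = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or PROMPT_RE.match(line):
            continue
        m = AUDIT_RE.match(line)
        if not m:
            unparsed.append(line)
            continue
        events.append({
            "time": datetime.strptime(m.group("ts"), "%b %d %H:%M:%S %Y"),
            "event": m.group("event").strip(),
            "detail": m.group("detail").strip(),
            "user": m.group("user"),
        })
    return events, unparsed


def is_read_only(command):
    """'show...' commands (including showfailopencfg) only report state."""
    return command.split()[0].lower().startswith("show")


def state_changes(events):
    """EXEC CMD entries that alter Sensor state: the ones worth reviewing."""
    return [e for e in events
            if e["event"] == "EXEC CMD" and not is_read_only(e["detail"])]


def commands_by_user(events):
    """Group executed commands by the CLI user that ran them."""
    summary = {}
    for e in events:
        summary.setdefault(e["user"], []).append(e["detail"])
    return summary


if __name__ == "__main__":
    evts, bad = parse_auditlog(SAMPLE_AUDITLOG)
    for e in state_changes(evts):
        print("%s %-10s %s" % (e["time"].isoformat(), e["user"], e["detail"]))
    print("unparsed lines:", len(bad))
```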
show auditlog status
Displays whether the audit log feature is enabled or disabled.
Syntax:
show auditlog status
Sample Output:
intruShell@john> show auditlog status
Audit Logging : Enabled
Default Value:
enabled
Applicable to:
M-series and NS-series Sensors.
See also
show auditlog on page 99
show autorecovery status
On data path errors, the Sensor goes into layer 2 mode and tries to auto-recover. During a data path error, the auto-recovery feature restarts the data path threads without interrupting traffic.
The Sensor must be in good health and in layer 2 mode to perform auto-recovery.
If the recovery is successful, the Sensor comes out of layer 2 mode. If the recovery is not successful, the Sensor remains in layer 2 mode.
Syntax:
show autorecovery status
This command has no parameters.
By executing the show autorecovery status command, the following status information is displayed.
Status                      Description
Auto-recovery enabled       The status of auto-recovery, On or Off. When layer 2 is enabled, this status is displayed as On.
Auto-recovery attempts      Number of auto-recovery attempts made since the last reboot.
Last Auto-recovery status   • Not applicable - no auto recovery is attempted
                            • Success - successful auto recovery
                            • Failure - failure in auto recovery
                            • In Progress - auto recovery in progress
Last Auto-recover time      The time when the Sensor came out of layer 2 mode due to a successful auto-recovery.
Applicable to:
M-series and NS-series Sensors.
Notes:
• Auto-recovery is supported on M-3050, M-4050, M-6050, and M-8000 Sensors. On Sensor models M-1250, M-1450, M-2850, M-2950, auto-recovery is supported only for certain modules.
• Auto-recovery is supported on Virtual IPS Sensors. However, a Virtual IPS Sensor cannot depend on its software to go to layer2 during recovery. So, the traffic is interrupted until all applications are restarted and the Sensor is back to GOOD health.
See also
layer2 mode on page 176
show auxport status
Displays the auxiliary port configuration status.
Syntax:
show auxport status
Sample Output:
intruShell@john> show auxport status
Aux Port : Enabled
Applicable to:
M-series and NS-series Sensors.
show botnet-alertstats
Displays the statistics related to advanced botnet detection by a Sensor.
This command has no parameters.
Syntax:
show botnet-alertstats
Information displayed by the show botnet-alertstats command includes:
• The count of domains, IP addresses, and URLs detected based on the callback detectors.
• The count of DGA bots detected.
• The count of suspected DGA command and control servers detected.
• The count of communications from your network to DGA command and control servers.
• The count of activities monitored for FFSN.
• The count of communications from your network to the flux agents of FFSN.
• The count of command and control domains detected based on heuristics such as protocol anomalies and DNS response failures.
Sample Output:
Callback detector matches : 306
DGA Zombie detected : 5
DGA CnC Server Suspects detected : 25
DGA Zombie to CnC Server callbacks detected : 50
Ip Flux botnet activity detected : 30
IP Flux agent callback detected : 60
Other Zero day botnets detected : 25
Applicable to:
M-series, NS-series, and Virtual IPS Sensors.
show console timeout
Displays the SSH CLI console timeout in minutes.
Syntax:
show console timeout
Sample output:
intruShell@john> show console timeout
Console timeout : 15 mins
Applicable to:
M-series and NS-series Sensors.
show coppersfpserialnumbers
Displays the serial numbers of all copper ports having copper SFPs.
This command has no parameters.
Syntax:
show coppersfpserialnumbers
Applicable to:
M-series and NS-series Sensors.
show dnsprotect
Displays the added DNS Spoof protection IP addresses (IPv4, IPv6 or, both) from the Protected Server
List (PSL) and the DNS Protection Status.
Syntax:
show dnsprotect <ipv4/ipv6/all>
Parameter   Description
<ipv4>      indicates the list of DNS Spoof protection IP addresses for IPv4
<ipv6>      indicates the list of DNS Spoof protection IP addresses for IPv6
<all>       indicates the list of DNS Spoof protection IP addresses for both IPv4 and IPv6
Sample Output:
intruShell@john> show dnsprotect all
[DNS Protection is enabled for inbound connections]
No IPv4 addresses are configured for DNS Protection.
No IPv6 addresses are configured for DNS Protection.
Applicable to:
M-series and NS-series Sensors.
show dnsprotectstat
Displays the DNS Protection Statistics.
This command has no parameters.
Syntax:
show dnsprotectstat
Applicable to:
M-series and NS-series Sensors.
show dospreventionprofile
Displays the specified denial-of-service (DoS) prevention profile information for the Sensor. The profile is identified by two arguments: a DoS measure name and a traffic direction. This command also displays the DoS prevention profile information for different measures.
Syntax:
show dospreventionprofile <dos-measure-name> <inbound | outbound>
Parameter            Description
<dos-measure-name>   indicates the DoS measure name: one of 'tcp-syn', 'tcp-syn-ack', 'tcp-fin', 'tcp-rst', 'udp',
                     'icmp-echo', 'icmp-echo-reply', 'icmp-non-echo-reply', 'ip-fragment', 'non-tcp-udp-icmp'
<direction>          indicates the direction. It can be 'inbound' or 'outbound'
show dospreventionprofile intfport (1A|1B|2A|2B|3A|3B|4A|4B|5A|5B|6A|6B|7A|7B|8A|8B|
9A|9B|10A|10B|11A|11B|12A|12B|13A|13B|14A|14B) (tcp-syn|tcp-syn-ack|tcp-fin|tcp-rst|
udp|icmp-echo|icmp-echo-reply|icmp-non-echo-echoreply|ip-fragment|non-tcp-udp-icmp)
(inbound|outbound)
Sample Output:
IntruShell@john> show dospreventionprofile tcp-syn inbound
packet type: TCP-SYN IN (0), profile stage: still learning (0)
long-term average rate=0.000(pkts/s), last_rate=0.000(pkts/s) no attack in progress
each line: bin_index, IP_prefix/prefix_len, AS, LT, ST, ltR(ate), stR(ate)
AS(%) -- percentage of the IP address space this bin occupies
LT(%) -- percentage of long-term traffic that falls into this bin
ST(%) -- percentage of short-term traffic that falls into this bin
ltRate -- long-term average traffic rate (in pkts/s) for this bin
stRate -- short-term traffic rate (in pkts/s) for this bin
0: 0.0.0.0/2 AS=25.000% LT=25.000% ST=25.00% ltR=0.000 stR=0.000
1: 128.0.0.0/2 AS=25.000% LT=25.000% ST=25.00% ltR=0.000 stR=0.000
2: 64.0.0.0/2 AS=25.000% LT=25.000% ST=25.00% ltR=0.000 stR=0.000
Example:
show dospreventionprofile tcp-syn inbound
Information displayed by the show dospreventionprofile command includes:
•
The Sensor's dos profile
•
The traffic direction protected by the profile
Applicable to:
M-series and NS-series Sensors.
show dospreventionprofile intfport is supported only on M-3050, M-4050, M-6050, M-8000, and
M-4030, M-6030, M-8030 Sensors.
See also
set dospreventionseverity on page 67
show dospreventionseverity on page 104
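As an added example (not code from the guide): a Python parser for the show dospreventionprofile output layout shown above (header, rate line and per-bin rows) that checks address-space coverage, compares last_rate against the long-term average, and flags bins whose short-term traffic share has jumped well above their learned long-term share. The guide only shows a profile that is still learning with all-zero rates, so the stage label "learned (1)", the numbers and the thresholds below are constructed.

```python
import re

# Line layouts taken from the guide's "show dospreventionprofile tcp-syn inbound" output.
HEADER_RE = re.compile(
    r"packet type:\s*(?P<ptype>.+?)\s*\(\d+\),\s*profile stage:\s*(?P<stage>.+?)\s*\(\d+\)")
RATE_RE = re.compile(
    r"long-term average rate=(?P<lt>[\d.]+)\(pkts/s\),\s*last_rate=(?P<last>[\d.]+)\(pkts/s\)")
BIN_RE = re.compile(
    r"^(?P<idx>\d+):\s+(?P<prefix>\S+)\s+AS=(?P<as_>[\d.]+)%\s+LT=(?P<lt>[\d.]+)%"
    r"\s+ST=(?P<st>[\d.]+)%\s+ltR=(?P<ltr>[\d.]+)\s+stR=(?P<str_>[\d.]+)$")

# Constructed sample. The stage label "learned (1)" is hypothetical (the guide only
# shows "still learning (0)"); the figures are chosen so that the LT and ST columns
# each sum to 100% and the per-bin rates match the totals on the rate line.
SAMPLE_PROFILE = """\
packet type: TCP-SYN IN (0), profile stage: learned (1)
long-term average rate=120.000(pkts/s), last_rate=905.000(pkts/s) no attack in progress
each line: bin_index, IP_prefix/prefix_len, AS, LT, ST, ltR(ate), stR(ate)
0: 0.0.0.0/2 AS=25.000% LT=30.000% ST=4.00% ltR=36.000 stR=36.200
1: 128.0.0.0/2 AS=25.000% LT=25.000% ST=88.00% ltR=30.000 stR=796.400
2: 64.0.0.0/2 AS=25.000% LT=25.000% ST=5.00% ltR=30.000 stR=45.250
3: 192.0.0.0/2 AS=25.000% LT=20.000% ST=3.00% ltR=24.000 stR=27.150
"""


def parse_profile(text):
    """Parse the header, the rate line and the per-bin rows into a dict."""
    prof = {"packet_type": None, "stage": None, "lt_rate": 0.0, "last_rate": 0.0, "bins": []}
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.search(line)
        if m:
            prof["packet_type"], prof["stage"] = m.group("ptype"), m.group("stage")
            continue
        m = RATE_RE.search(line)
        if m:
            prof["lt_rate"], prof["last_rate"] = float(m.group("lt")), float(m.group("last"))
            continue
        m = BIN_RE.match(line)
        if m:
            prof["bins"].append({
                "index": int(m.group("idx")), "prefix": m.group("prefix"),
                "as_pct": float(m.group("as_")), "lt_pct": float(m.group("lt")),
                "st_pct": float(m.group("st")), "lt_rate": float(m.group("ltr")),
                "st_rate": float(m.group("str_")),
            })
    return prof


def covers_address_space(prof, tolerance=0.5):
    """The AS column of all bins should add up to 100% of the address space."""
    return abs(sum(b["as_pct"] for b in prof["bins"]) - 100.0) <= tolerance


def skewed_bins(prof, ratio=3.0, min_st_pct=10.0):
    """Bins whose short-term share is at least `ratio` times their long-term share."""
    return [b for b in prof["bins"]
            if b["st_pct"] >= min_st_pct and b["st_pct"] >= ratio * b["lt_pct"]]


def rate_surge(prof, factor=5.0):
    """True when last_rate is at least `factor` times the long-term average."""
    return prof["lt_rate"] > 0 and prof["last_rate"] >= factor * prof["lt_rate"]


def assess(text):
    """Return (profile, notes); an empty notes list means nothing stood out."""
    prof = parse_profile(text)
    notes = []
    if "learning" in (prof["stage"] or ""):
        notes.append("profile still learning; the long-term baseline is not yet meaningful")
    if not covers_address_space(prof):
        notes.append("bins shown do not cover the whole address space")
    if rate_surge(prof):
        notes.append("last_rate %.1f pkts/s vs long-term %.1f pkts/s"
                     % (prof["last_rate"], prof["lt_rate"]))
    for b in skewed_bins(prof):
        notes.append("bin %d (%s): ST=%.1f%% vs LT=%.1f%%, stR=%.1f pkts/s"
                     % (b["index"], b["prefix"], b["st_pct"], b["lt_pct"], b["st_rate"]))
    return prof, notes


if __name__ == "__main__":
    for note in assess(SAMPLE_PROFILE)[1]:
        print(note)
```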
show dospreventionseverity
Displays the severity for a specified denial-of-service profile. This command also displays the DOS
prevention severity information for different measures.
Syntax:
show dospreventionseverity <dos-measure-name> <inbound | outbound>
Parameter            Description
<dos-measure-name>   indicates the DoS measure name: one of 'tcp-syn', 'tcp-syn-ack', 'tcp-fin', 'tcp-rst', 'udp',
                     'icmp-echo', 'icmp-echo-reply', 'icmp-non-echo-reply', 'ip-fragment', 'non-tcp-udp-icmp'
<direction>          indicates the direction. It can be 'inbound' or 'outbound'
show dospreventionseverity intfport (1A|1B|2A|2B|3A|3B|4A|4B|5A|5B|6A|6B|7A|7B|8A|8B|
9A|9B|10A|10B|11A|11B|12A|12B|13A|13B|14A|14B) (tcp-syn|tcp-syn-ack|tcp-fin|tcp-rst|
udp|icmp-echo|icmp-echo-reply|icmp-non-echo-echoreply|ip-fragment|non-tcp-udp-icmp)
(inbound|outbound)
Sample Output:
intruShell@Sensor-6050> show dospreventionseverity tcp-syn-ack outbound
DOS Prevention Severity for tcp-syn-ack outbound is 30
Example:
show dospreventionseverity tcp-syn-ack outbound
Applicable to:
M-3050, M-4050, M-6050, M-8000, and M-4030, M-6030, M-8030 and NS-series Sensors.
See also
set dospreventionseverity on page 67
show dospreventionprofile on page 103
show dxl status
Displays the status of Data Exchange Layer for that device.
Sample output
Configuration Status : Enabled
Status : Running
Version : 1.0.0.1070
Connection Status : Connected
Certificate Status : Present
McAfee Agent
Mode : Managed
Status : Running
Version : 5.0.0.2710
Wakeup Port : 0
McAfee ePO
IP|Name : 10.213.169.206 | Business Unit-EPO
McAfee ePO activity time : 2014-11-13 09:39:10
Applicable to:
NS-series and Virtual IPS Sensors.
show eventlog
Displays the logged Sensor events.
Syntax:
show eventlog <2-50 | all>
Sample Output:
intruShell@john> show eventlog 2
Sep 27 10:16:05 2013: %LINK-STATUS: Interface port 5A changed state to DOWN
Sep 27 10:16:05 2013: %LINK-STATUS: Interface port 5B changed state to DOWN
Applicable to:
M-series and NS-series Sensors.
showfailopencfg
Displays the current fail-open configuration.
Syntax:
showfailopencfg
Sample Output:
intruShell@john> showfailopencfg
External Passive Failopen Configuration : INLINE
Periodically Restore Inline-Failopen : DISABLED
Restore Inline-Failopen interval : 5 minutes
Applicable to:
M-series and NS-series Sensors.
show failover-status
Shows whether failover is enabled on the Sensor, the status of the peer Sensor, forward peer STP, and
the fail-open action of the Sensor.
Syntax:
show failover-status
Information displayed by the show failover-status command includes:
• Failover Enabled: The command returns one of:
  • YES: if failover is enabled
  • NO: if failover is disabled
  • UNKNOWN: if it is not explicitly set
• Peer Status: Shows if failover is enabled, and also whether the peer Sensor is UP or DOWN.
• Forward Peer STP: Displays whether failovermode forward-peer-stp is set to enabled or disabled. Forward STP can be enabled only on M-3050, M-4050, M-6050, and M-8000 Sensors.
• Fail-open Action: Shows if the monitoring port for fail-open is enabled or disabled. When you enable fail-open on a failover pair, the same monitoring ports are enabled for fail-open on both the primary and secondary Sensors.
Applicable to:
M-series and NS-series Sensors.
show flows
Shows how many flows exist in the current traffic.
This command has no parameters.
Syntax:
show flows
Information displayed by the show flows command is as follows:
• Total TCBs
• Total TCP flows created
• Total free TCBs
• Total abandoned TCP handshakes
• Total active TCP flows
• syncookie inbound status
• Total TCP flows in timewait
• syncookie outbound status
• Total active UDP flows
• Total syn cookie proxy connections
• Total flows in SYN state
• Total dequote flows count
Sample Output:
intruShell@john> show flows
Total TCBs = 88612
Total free TCBs = 88609
Total active TCP flows = 3
Total TCP flows in timewait = 0
Total active UDP flows = 20
Total flows in SYN state = 1
Total TCP flows created = 15944
Total abandoned TCP handshakes = 302
syncookie inbound status = Inactive
syncookie outbound status = Inactive
Total syn cookie proxy connections = 0
Total dequote flows count = 20
Applicable to:
M-series and NS-series Sensors.
show flowvolumelimit config
This command displays the flow volume limit configuration.
Syntax:
show flowvolumelimit config
Sample Output:
intruShell@john> show flowvolumelimit config
flow volume threshold is 40MB.
Applicable to:
M-series and NS-series Sensors.
show gam engine stats
Syntax
show gam engine stats
Sample output
Local GAM Engine Statistics:
---------------------------
Engine Status: Initialized
Gateway Anti-Malware Engine Version: 7001.1302.1842
Gateway Anti-Malware DAT Version: 3186
Anti-Malware Engine Version: 5600
Anti-virus DAT Version: 7612
Last Update time: 11/5/2014 - 8:16:49 UTC
Last Successful Update time: 11/5/2014 - 8:16:49 UTC
Total number of Scan Threads: 5
Total Full update success count: 0
Total Full update failure count: 0
Total Incr update success count: 0
Total Incr update failure count: 0
Total NSM Full update success count: 0
Total NSM Full update failure count: 0
Total config issue update failure count: 0
(config issue - Trust/DNS/Proxy config issues)
show gigfailopendelay
Shows the current delay before fail-open operation takes effect on a Sensor with a Gigabit Fail-open
kit installed.
This command has no parameters.
Syntax:
show gigfailopendelay
Sample Output:
intruShell@john> show gigfailopendelay
Failopen delay : 600 seconds
Applicable to:
M-series and NS-series Sensors.
See also
set gigfailopendelay on page 69
show gti config
Displays the GTI server configuration information.
This command has no parameters.
Syntax:
show gti config
Sample output:
Primary Nameserver IP : 10.1.1.1
Secondary Nameserver IP :
Timeout : 6
[IP reputation configuration]
GTI proxy is disabled
Applicable to:
M-series and NS-series Sensors.
show gti stats ip
Displays the statistics of the IP sent to the GTI server.
This command has no parameters.
Syntax:
show gti stats ip
Sample output:
GTI server connection status is ok
[GTI Query Statistics]
Query sent count :0
Query received count :0
Applicable to:
M-series and NS-series Sensors.
show inactiveuserslock status
Displays the configuration status for locking inactive CLI users other than the Admin user.
Syntax:
show inactiveuserslock status
Sample Output:
intruShell@john> show inactiveuserslock status
Inactive Users Locking : Disabled
Applicable to:
M-series and NS-series Sensors.
show inlinepktdropstat
Displays how many monitored packets have been dropped by a port in inline mode.
Syntax:
show inlinepktdropstat <port>
Parameter   Description
<port>      Sets the port for which the statistics are to be displayed. The command takes a single argument, the port for which to show statistics.
            • Valid port numbers for M-series are: 1A | 1B | 2A | 2B | 3A | 3B | 4A | 4B | 5A | 5B | 6A | 6B | 7A | 7B | 8A | 8B | all
            • Valid port numbers for NS-series are: G0/1 | G0/2 | G1/1 | G1/2 | G1/3 | G1/4 | G1/5 | G1/6 | G1/7 | G1/8 | G1/9 | G1/10 | G1/11 | G1/12 | G2/1 | G2/2 | G2/3 | G2/4 | G2/5 | G2/6 | G2/7 | G2/8 | G2/9 | G2/10 | G2/11 | G2/12 | G3/1 | G3/2 | G3/3 | G3/4 | G3/5 | G3/6 | G3/7 | G3/8 | all
Information displayed by the show inlinepktdropstat command includes the count for each of the
following categories:
• IP checksum errors
• TCP checksum errors
• UDP checksum errors
• ICMP checksum errors
• ACL-related packets dropped
• Out-Of-Context/Bad packets dropped
• Sensor cold-start-related packets dropped
• Off/HdrLen error packets dropped
• Dropped attack packets (that is, blocked packets)
• IP reassembly timeout packets dropped
• TCP Out-Of-Order timeout packets dropped
• Dropped packets containing TCP protocol errors
• Dropped packets containing UDP protocol errors
• Dropped packets containing ICMP protocol errors
• Dropped packets containing IP protocol errors
• Packets dropped due to the Sensor being out of resources
• Dropped packets containing CRC errors
• Dropped IP-spoofed packets
• ICMPv6 checksum error drop count
• IPv6 reassembly timeout drop count
• ICMPv6 protocol error drop count
• IPv6 protocol error drop count
• Host Quarantine IPv4 packet drop count
• Host Quarantine IPv6 packet drop count
• Other Layer-2 error packets dropped
• IP sanity check packets dropped
• IPv6 sanity check packets dropped
• Total IP No Credit packets dropped
• Total Inline Forward dropped (available only when all ports are selected, that is, when show inlinepktdropstat all is executed)
Sample Output:
intruShell@john> show inlinepktdropstat 5B
IP Checksum Error Drop Count : 0
TCP Checksum Error Drop Count : 0
UDP Checksum Error Drop Count : 0
ICMP Checksum Error Drop Count : 0
ICMPv6 Checksum Error Drop Count : 0
ACL Drop Count : 0
Out-Of-Context/Bad Packet Drop Count : 0
Cold Start Drop Count : 0
Off/HdrLen Error Drop Count : 0
Attack Packet Drop Count : 0
IP Reassembly Timeout Drop Count : 0
IPv6 Reassembly Timeout Drop Count : 0
TCP Out-Of-Order Timeout Drop Count : 0
TCP Protocol Error Drop Count : 0
UDP Protocol Error Drop Count : 0
ICMP Protocol Error Drop Count : 0
ICMPv6 Protocol Error Drop Count : 0
IP Protocol Error Drop Count : 0
IPv6 Protocol Error Drop Count : 0
System Out-of-Resource Drop Count : 0
Host Quarantine IPv4 Packet Drop Count : 0
Host Quarantine IPv6 Packet Drop Count : 0
Conn Limiting Packet Drop Count : 0
DoS Attack Packets Dropped : 0
Stateless ACL Drop Count : 0
Total CRC Error Packets Dropped : 0
Total Other Layer-2 Error Packets Dropped : 0
Total IP Spoofed Packets dropped : 0
Total IP No Credit Packets dropped : 0
Example:
show inlinepktdropstat 2A
Applicable to:
M-series and NS-series Sensors.
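As an added example serving both the show flows and the show inlinepktdropstat outputs above (not code from the guide): a Python parser for their name = value and name : value counter lines, with a TCB-exhaustion and half-open-backlog check for show flows, and a diff of two show inlinepktdropstat snapshots that groups grown counters into enforcement (the Sensor blocked something) versus link-health counters. The sample values, the status word Active and the thresholds are constructed.

```python
import re

# Counter line layouts from the guide's sample outputs:
#   show flows:             "Total free TCBs = 88609"
#   show inlinepktdropstat: "Attack Packet Drop Count : 0"
COUNTER_RE = re.compile(r"^\s*(?P<name>[^=:]+?)\s*[=:]\s*(?P<value>.+?)\s*$")

# show inlinepktdropstat counters that reflect policy enforcement vs. link/resource health.
ENFORCEMENT = {
    "Attack Packet Drop Count", "DoS Attack Packets Dropped", "ACL Drop Count",
    "Stateless ACL Drop Count", "Conn Limiting Packet Drop Count",
    "Host Quarantine IPv4 Packet Drop Count", "Host Quarantine IPv6 Packet Drop Count",
    "Total IP Spoofed Packets dropped",
}
HEALTH = {
    "Total CRC Error Packets Dropped", "Total Other Layer-2 Error Packets Dropped",
    "System Out-of-Resource Drop Count", "Total IP No Credit Packets dropped",
}

# Constructed samples: a SYN-backlog-heavy 'show flows' (the status word "Active" is
# assumed; the guide only shows "Inactive") and two drop-counter snapshots of port 5B.
SAMPLE_FLOWS = """\
intruShell@john> show flows
Total TCBs = 88612
Total free TCBs = 6200
Total active TCP flows = 82412
Total TCP flows in timewait = 0
Total active UDP flows = 20
Total flows in SYN state = 70100
Total TCP flows created = 215944
Total abandoned TCP handshakes = 69302
syncookie inbound status = Active
syncookie outbound status = Inactive
Total syn cookie proxy connections = 68000
Total dequote flows count = 20
"""
DROPS_BEFORE = """\
intruShell@john> show inlinepktdropstat 5B
IP Checksum Error Drop Count : 0
Attack Packet Drop Count : 120
DoS Attack Packets Dropped : 0
Total CRC Error Packets Dropped : 3
Total IP Spoofed Packets dropped : 0
"""
DROPS_AFTER = """\
intruShell@john> show inlinepktdropstat 5B
IP Checksum Error Drop Count : 2
Attack Packet Drop Count : 180
DoS Attack Packets Dropped : 4500
Total CRC Error Packets Dropped : 3
Total IP Spoofed Packets dropped : 0
"""


def parse_counters(text):
    """Map counter names to ints (numeric values) or strings (status words)."""
    out = {}
    for line in text.splitlines():
        m = COUNTER_RE.match(line)
        if m:
            value = m.group("value")
            out[m.group("name")] = int(value) if value.isdigit() else value
    return out


def flow_health(flows, min_free_pct=10.0, max_syn_pct=25.0, min_syn_flows=1000):
    """TCB exhaustion and half-open backlog checks on 'show flows' counters."""
    total, free = flows["Total TCBs"], flows["Total free TCBs"]
    active, syn = flows["Total active TCP flows"], flows["Total flows in SYN state"]
    free_pct = 100.0 * free / total if total else 0.0
    syn_pct = 100.0 * syn / active if active else 0.0
    findings = []
    if free_pct < min_free_pct:
        findings.append("only %.1f%% of TCBs free" % free_pct)
    # The absolute floor keeps tiny counts (e.g. 1 SYN flow out of 3) from alerting.
    if syn >= min_syn_flows and syn_pct > max_syn_pct:
        findings.append("%.1f%% of active TCP flows are in SYN state" % syn_pct)
    for direction in ("inbound", "outbound"):
        if flows.get("syncookie %s status" % direction, "Inactive") != "Inactive":
            findings.append("%s SYN cookie proxy engaged" % direction)
    return {"free_pct": free_pct, "syn_pct": syn_pct, "findings": findings}


def drop_deltas(before, after):
    """Counters that grew between two 'show inlinepktdropstat <port>' snapshots."""
    deltas = {}
    for name, value in after.items():
        prev = before.get(name, 0)
        if isinstance(value, int) and isinstance(prev, int) and value > prev:
            deltas[name] = value - prev
    return deltas


def classify(deltas):
    """Split grown counters into enforcement, health and other groups."""
    groups = {"enforcement": {}, "health": {}, "other": {}}
    for name, delta in deltas.items():
        key = "enforcement" if name in ENFORCEMENT else "health" if name in HEALTH else "other"
        groups[key][name] = delta
    return groups
```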
show ingress-egress stat
This command applies only to Virtual Security System instances, that is, to the security appliances installed on hypervisors through the integration with Intel® Security Controller.
For Virtual Security System instances, the show intfport command is not available; instead, use show ingress-egress stat to view the number of packets received, forwarded, and dropped by the Virtual Security System instance.
Syntax:
show ingress-egress stat
This command has no parameters.
Sample Output:
Total Packets Received
Total Packets Sent
Total Packets Dropped
Applicable to:
Virtual Security System instances.
show intfport
Shows the status of the specified Sensor port. Specifying a non-existent port results in an error; for example, specifying port 3B on an I-4000 causes the command to fail. Port letters must be capitalized when typing the command; for example, 1a is treated as invalid.
Syntax:
show intfport <port>
Parameter   Description
<port>      Sets the port for which the status is to be displayed.
            • Valid port numbers for M-series are: 1A | 1B | 2A | 2B | 3A | 3B | 4A | 4B | 5A | 5B | 6A | 6B | 7A | 7B | 8A | 8B | WORD | all
            • Valid port numbers for NS-series are: G0/1 | G0/2 | G1/1 | G1/2 | G1/3 | G1/4 | G1/5 | G1/6 | G1/7 | G1/8 | G1/9 | G1/10 | G1/11 | G1/12 | G2/1 | G2/2 | G2/3 | G2/4 | G2/5 | G2/6 | G2/7 | G2/8 | G2/9 | G2/10 | G2/11 | G2/12 | G3/1 | G3/2 | G3/3 | G3/4 | G3/5 | G3/6 | G3/7 | G3/8 | WORD | all
Information displayed by the show intfport command includes:
• Whether the port's administrative status is enabled or disabled
• The Sensor's operational status
• The Sensor's operating mode
• Whether full duplex mode is enabled
• The port's configured traffic direction (inside or outside)
• The speed of the 10/100 ports, if applicable
• The speed of the Gigabit ports, if applicable
• The peer port's supported link modes
• The peer port's negotiated duplex and speed
• The auto-negotiation configuration (I-2700 Sensors only)
• Total packets received
• Total packets sent
• Total CRC errors received
• Total CRC errors sent
• Whether or not flow control is on (this applies only to Sensor gigabit ports)
Sample Output:
• For Sensors, the output is as shown:
intruShell@john> show intfport 2A
Displaying port 2A
Administrative Status : ENABLED
Operational Status : UP
Operating Mode : INLINE_FAIL_CLOSED
Duplex : FULL
Port Connected to : OUTSIDE
Port Speed : 1 GBPS-AUTONEG
Peer port
supported link modes :
10baseT/Half 10baseT/Full
100baseT/Half 100baseT/Full
1000baseT/Half 1000baseT/Full
Actual negotiated Duplex: FULL
Actual negotiated Speed : 1 GBPS
Additional Porttype Info:
Total Packets Received : 403
Total Packets Sent : 24130
Total CRC Errors Rcvd : 0
Total Other Errors Rcvd : 0
Total CRC Errors Sent : 0
Total Other Errors Sent : 0
Flow Control Status : OFF
• For NTBA, the output is as shown:
ntbaSensor@NTBA_210> show intfport 1
Administrative status : Enabled
Link status : Up
Port speed : Auto, 1000 Mbps
Duplex : Auto, Full
Total packets received : 27416335
Total packets sent : 291
Total CRC errors received : 0
Total other errors received : 0
Total CRC errors sent : 0
Total other errors sent : 0
IP Address : 17.68.26.27
MAC Address : 00:1B:21:44:77:48
Mapped to ethernet port : eth2
Applicable to: M-series, NS-series, Virtual IPS Sensors, and NTBA Appliances. The command does
not apply to Virtual Security System instances; use the show ingress-egress stat command
instead.
show ipssimulation status
Displays simulated blocking status when enabled in command line interface. However, this command
does not display the status of the ipssimulation if it is enabled or disabled from Manager.
Syntax:
show ipssimulation status
Sample Output:
intruShell@john> show ipssimulation status
ipssimulation CLI Modification Status : Disabled from CLI
Applicable to:
M-series and NS-series Sensors.
show l2f-unknown-udp status
Displays the status of the unknown UDP traffic forwarding.
Syntax:
show l2f-unknown-udp status
Sample Output:
intruShell@john> show l2f-unknown-udp status
Layer 2 forward unknown UDP : enabled
show l7ae status
Displays the layer7 application analysis configuration.
Syntax:
show l7ae status
Sample Output:
intruShell@john> show l7ae status
IS Attack Detection status: Good
Applicable to:
M-series and NS-series Sensors.
show l7ddosstat
Displays the various layer 7 DDOS related statistics.
Syntax
show l7ddosstat
Sample output
IntruDbg#> show l7ddosstat
[L7 DDOS Stats]
L7ddos active http connections : 10000
L7ddos Drop Count : 1426
L7ddos Slow Connections closed : 0
L7ddos Challenge Sent Count : 2
L7ddos Challenge Valid Count : 1
L7ddos Challenge Failed Count : 0
Applicable to:
M-series and NS-series Sensors.
show layer2 forward
Shows all the TCP, UDP ports and the VLAN IDs that are enabled for layer2 forwarding.
Syntax:
show layer2 forward <all|tcp|udp|vlan>
Parameter   Description
<all>       Shows all the port numbers (TCP, UDP) and VLAN IDs that are enabled for layer 2 forwarding.
<tcp>       Shows all the TCP port numbers that are enabled for layer 2 forwarding.
<udp>       Shows all the UDP port numbers that are enabled for layer 2 forwarding.
<vlan>      Shows all the VLAN IDs that are enabled for layer 2 forwarding.
Sample Output:
intruShell@john> show layer2 forward all
TCP ports: 50
UDP ports:
VLAN Ids:
All :
1A-1B :
2A-2B :
3A-3B :
4A-4B :
5A-5B :
6A-6B :
7A-7B :
8A-8B :
9A-9B :
10A-10B :
Example:
show layer2 forward all shows all the port numbers (TCP, UDP) and VLAN IDs that are enabled for layer 2 forwarding.
Applicable to:
M-series and NS-series Sensors.
This command is not applicable for M-1250/M-1450 Sensor.
show layer2 forward intfport
Displays the layer2 forward statistics for the configured scanning exception rules.
Syntax:
show layer2 forward intfport <port>
Parameter   Description
<port>      Sets the port for which the status is to be displayed.
            • Valid port numbers for M-series are: 1A | 1B | 2A | 2B | 3A | 3B | 4A | 4B | 5A | 5B | 6A | 6B | 7A | 7B | 8A | 8B | all
            • Valid port numbers for NS-series are: G0/1 | G0/2 | G1/1 | G1/2 | G1/3 | G1/4 | G1/5 | G1/6 | G1/7 | G1/8 | G1/9 | G1/10 | G1/11 | G1/12 | G2/1 | G2/2 | G2/3 | G2/4 | G2/5 | G2/6 | G2/7 | G2/8 | G2/9 | G2/10 | G2/11 | G2/12 | G3/1 | G3/2 | G3/3 | G3/4 | G3/5 | G3/6 | G3/7 | G3/8 | all
Sample Output:
intruShell@john> show layer2 forward intfport 2A
Layer2 forward packets : 0
Applicable to:
M-series and NS-series Sensors.
show layer2 mode
Displays all the Layer 2 Passthru feature settings. Layer 2 Passthru is configured within the Manager
user interface; some of its settings can also be configured through the CLI.
This command has no parameters.
Syntax:
show layer2 mode
Information displayed by the show layer2 mode command includes:
• Status of the Layer 2 Passthru feature (whether it is on or off)
• The set duration
• The set threshold
• The number of occurrences that have occurred within the previous duration
Sample Output:
intruShell@john> show layer2 mode
Mode : on
Duration : 10 minutes
Threshold : 1
Occurrences : 0
Applicable to:
M-series and NS-series Sensors.
See also
layer2 mode on page 176
show malwareenginestats
Displays the malware engine statistics.
This command has no parameters.
Syntax:
show malwareenginestats
Sample Output:
intruShell@ns9100doc> show malwareenginestats
MALWARE STATISTICS FOR PDF_JS EMULATOR ENGINE:
-------------------------------------------------
Number of files sent: 3
Number of response received: 1
Number of files ignored: 0
Number of files with malware score Clean: 2
Number of alerts with malware score Very Low: 0
Number of alerts with malware score Low: 0
Number of alerts with malware score Medium: 0
Number of alerts with malware score High: 1
Number of alerts with malware score Very High: 0
Total number of alerts sent: 0
Total number of attacks blocked: 1
Total number of TCP resets sent: 1
MALWARE STATISTICS FOR FLASH ENGINE:
-------------------------------------------------
Number of files sent: 489
Number of response received: 356
Number of files ignored: 133
Number of files with malware score Clean: 197
Number of alerts with malware score Very Low: 0
Number of alerts with malware score Low: 0
Number of alerts with malware score Medium: 73
Number of alerts with malware score High: 142
Number of alerts with malware score Very High: 0
Total number of alerts sent: 215
Total number of attacks blocked: 215
Total number of TCP resets sent: 215
MALWARE STATISTICS FOR Mobile Cloud ENGINE:
-------------------------------------------------
Number of files sent: 461
Number of response received: 325
Number of files ignored: 136
Number of files with malware score Clean: 256
Number of alerts with malware score Very Low: 0
Number of alerts with malware score Low: 0
Number of alerts with malware score Medium: 54
Number of alerts with malware score High: 87
Number of alerts with malware score Very High: 0
Total number of alerts sent: 295
Total number of attacks blocked: 295
Total number of TCP resets sent: 295
MALWARE STATISTICS FOR Gateway Anti-Malware ENGINE:
-------------------------------------------------
Number of files sent: 368
Number of response received: 223
Number of files ignored: 145
Number of files with malware score Clean: 237
Number of alerts with malware score Very Low: 0
Number of alerts with malware score Low: 0
Number of alerts with malware score Medium: 54
Number of alerts with malware score High: 113
Number of alerts with malware score Very High: 0
Total number of alerts sent: 0
Total number of attacks blocked: 0
Total number of TCP resets sent: 0
MALWARE STATISTICS FOR GTI FILE Reputation ENGINE:
-------------------------------------------------
Number of files sent: 0
Number of response received: 0
Number of files ignored: 0
Number of files with malware score Clean: 0
Number of alerts with malware score Very Low: 0
Number of alerts with malware score Low: 0
Number of alerts with malware score Medium: 0
Number of alerts with malware score High: 0
Number of alerts with malware score Very High: 0
Number of alerts with malware score Unknown: 0
Total number of alerts sent: 0
Total number of attacks blocked: 0
Total number of TCP resets sent: 0
MALWARE STATISTICS FOR FILE SAVE ENGINE:
-------------------------------------------------
Number of files sent: 207
Number of response received: 90
Number of files ignored: 117
MALWARE STATISTICS FOR BLACKLIST ENGINE:
-------------------------------------------------
Number of files sent: 27954
Number of response received: 24226
Number of files ignored: 3728
Number of alerts with malware score Very High: 24226
Total number of alerts sent: 24226
Total number of attacks blocked: 0
Total number of TCP resets: 0
MALWARE STATISTICS FOR MCAFEE CLOUD ENGINE:
-------------------------------------------------
Number of files request: 20
Number of files submitted successfully to NSM: 20
MALWARE STATISTICS FOR Advanced Threat Detection ENGINE:
-------------------------------------------------
Number of files sent: 27954
Number of response received: 0
Number of files ignored: 27954
Number of alerts with malware score Very Low: 0
Number of alerts with malware score Low: 0
Number of alerts with malware score Medium: 0
Number of alerts with malware score High: 0
Number of alerts with malware score Very High: 0
Total number of alerts sent: 0
Total number of attacks blocked: 0
Total number of TCP resets sent: 0
Applicable to:
M-series and NS-series Sensors. The MALWARE STATISTICS FOR MCAFEE CLOUD ENGINE section applies
only to NS-series Sensors running on a version greater than 8.2.5.
show malwarefilestats
Displays the malware file statistics.
This command has no parameters.
Syntax:
show malwarefilestats
Sample Output:
intruShell@john> show malwarefilestats
MALWARE STATISTICS FOR PE (EXE,DLL,SYS,COM,etc.) Files:
Number of files sent: 2
Number of response Received: 2
Number of files ignored: 0
MALWARE STATISTICS FOR MS Office Files:
-----------------------------------------------------------
Number of files sent: 11355
Number of response Received: 9403
Number of files ignored: 1952
MALWARE STATISTICS FOR PDF Files:
-----------------------------------------------------------
Number of files sent: 0
Number of response Received: 0
Number of files ignored: 0
MALWARE STATISTICS FOR Compressed (Zip,RAR) Files:
-----------------------------------------------------------
Number of files sent: 15987
Number of response Received: 14601
Number of files ignored: 1386
MALWARE STATISTICS FOR APK Files:
-----------------------------------------------------------
Number of files sent: 118
Number of response Received: 94
Number of files ignored: 24
MALWARE STATISTICS FOR JAR Files:
-----------------------------------------------------------
Number of files sent: 466
Number of response Received: 399
Number of files ignored: 67
MALWARE STATISTICS FOR Flash Files:
-----------------------------------------------------------
Number of files sent: 31
Number of response Received: 27
Number of files ignored: 4
Applicable to:
M-series and NS-series Sensors.
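Both show malwareenginestats and show malwarefilestats print the same block layout: a "MALWARE STATISTICS FOR <name>:" header, a dashed separator, then "counter: value" lines. The following parser is an added example for collecting those counters from a scheduled CLI capture; it is not code from this guide or from the product. The SAMPLE text is constructed in the guide's layout (including a separator fused to the next line, as some captures produce), and the 0.5 ignore-ratio threshold is an assumption chosen for illustration.

```python
"""Parser for the block-structured output of the Sensor's malware statistics
commands (show malwareenginestats and show malwarefilestats).

Added example; not code from the McAfee CLI guide or the product. SAMPLE is
a constructed excerpt in the same layout as the guide's sample output.
"""
import re
from collections import OrderedDict

# Constructed sample (not captured from a real Sensor).
SAMPLE = """\
MALWARE STATISTICS FOR FLASH ENGINE:
-------------------------------------------------
Number of files sent: 489
Number of response received: 356
Number of files ignored: 133
Number of files with malware score Clean: 197
Number of alerts with malware score Medium: 73
Number of alerts with malware score High: 142
Total number of alerts sent: 215
Total number of attacks blocked: 215
Total number of TCP resets sent: 215
MALWARE STATISTICS FOR Advanced Threat Detection ENGINE:
-------------------------------------------------Number of files sent: 27954
Number of response received: 0
Number of files ignored: 27954
Total number of alerts sent: 0
"""

HEADER = re.compile(r"^MALWARE STATISTICS FOR (.+?):$")
COUNTER = re.compile(r"^([A-Za-z][^:]*?)\s*:\s*(\d+)$")
ALERT_BUCKET = "Number of alerts with malware score "


def parse_malware_stats(text):
    """Return an ordered mapping {section: {counter: int}}."""
    sections = OrderedDict()
    current = None
    for raw in text.splitlines():
        # Some captures fuse the dashed separator with the next counter line,
        # so strip a leading run of dashes before matching.
        line = raw.strip().lstrip("-").strip()
        if not line:
            continue
        m = HEADER.match(line)
        if m:
            current = m.group(1).strip()
            sections[current] = OrderedDict()
            continue
        m = COUNTER.match(line)
        if m and current is not None:
            sections[current][m.group(1).strip()] = int(m.group(2))
    return sections


def summarize(counters):
    """Derive the figures worth charting from one section's counters."""
    sent = counters.get("Number of files sent", 0)
    ignored = counters.get("Number of files ignored", 0)
    alerts_by_score = {k[len(ALERT_BUCKET):]: v
                       for k, v in counters.items() if k.startswith(ALERT_BUCKET)}
    return {
        "sent": sent,
        "responded": counters.get("Number of response received", 0),
        "ignored": ignored,
        # Share of submitted files the engine never scanned.
        "ignore_ratio": (ignored / sent) if sent else 0.0,
        "alerts_by_score": alerts_by_score,
        "alerts_sent": counters.get("Total number of alerts sent", 0),
        "blocked": counters.get("Total number of attacks blocked", 0),
    }


def engines_ignoring_traffic(sections, max_ignore_ratio=0.5):
    """Names of engines that ignored more than max_ignore_ratio of the files
    sent to them; an engine at 1.0 is effectively not inspecting anything.
    The 0.5 default is an assumed threshold, not a product value."""
    flagged = []
    for name, counters in sections.items():
        s = summarize(counters)
        if s["sent"] > 0 and s["ignore_ratio"] > max_ignore_ratio:
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    stats = parse_malware_stats(SAMPLE)
    for name, counters in stats.items():
        print(name, summarize(counters))
    print("engines to investigate:", engines_ignoring_traffic(stats))
```

An engine whose ignore ratio sits near 1.0 (in the guide's own sample, the Advanced Threat Detection engine ignored every file sent to it) is worth a ticket: the Sensor is submitting files but getting no verdicts back, so that layer of inspection is not actually running.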
show mem-usage
This command displays the system memory usage details of the device.
This command has no parameters.
Syntax:
show mem-usage
The show mem-usage command also gives the average percentage usage (Avg.) and the maximum
percentage usage (Max.) of each resource listed in the output on all the processing elements.
The L7Dcap counter descriptions are as follows:
• Avg. Used L7 Dcap Alert Buffers across all PEs — Average percentage of L7Dcap buffers used from the total buffers across all the Processing Engines in the Sensor
• Max. Used L7 Dcap Alert Buffers on a single PE — Percentage of L7Dcap buffer used from the maximum buffers that a single Processing Engine manages
• Avg. Used L7 Dcap flows across all PEs — Average percentage of L7Dcap flows used from the value configured in the Manager across all the Processing Engines in the Sensor
• Max. Used L7 Dcap flows on a single PE — Percentage of L7Dcap flows used from the maximum value that a single Processing Engine manages
Sample Output:
• For Sensors, the output is as shown:
Avg. Used TCP and UDP Flows across all PEs : 0%
Max. Used TCP and UDP Flows on a single PE : 0%
Avg. Used Fragmented IP Flows across all PEs : 0%
Max. Used Fragmented IP Flows on a single PE : 0%
Avg. Used ICMP Flows across all PEs : 0%
Max. Used ICMP Flows on a single PE : 0%
Avg. Used SSL Flows across all PEs : 0%
Max. Used SSL Flows on a single PE : 0%
Avg. Used Fragment Reassembly Buffers across all PEs : 0%
Max. Used Fragment Reassembly Buffers on a single PE : 0%
Avg. Used Packet Buffers across all PEs : 0%
Max. Used Packet Buffers on a single PE : 0%
Avg. Used Attack Marker Nodes across all PEs : 0%
Max. Used Attack Marker Nodes on a single PE : 0%
Avg. Used Shell Marker Nodes across all PEs : 0%
Max. Used Shell Marker Nodes on a single PE : 0%
Avg. Used L7 Dcap Alert Buffers across all PEs : 0%
Max. Used L7 Dcap Alert Buffers on a single PE : 0%
Avg. Used L7 Dcap flows across all PEs : 0%
Max. Used L7 Dcap flows on a single PE : 0%
Avg Attacks received across all PEs : 0%
• For an NTBA Appliance, the output is as shown:
ntbaSensor@vNTBA> show mem-usage
total used free shared buffers cached
Mem: 12046 727 11319 0 18 476
Swap: 11727 0 11727
Total: 23774 727 23047
Applicable to:
M-series and NS-series, and NTBA Appliances.
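The two output layouts above (the Sensor's "Avg./Max. Used ... : N%" lines and the NTBA Appliance's Mem/Swap/Total table) are easy to poll and alert on. The following is an added example, not code from this guide or the product, that parses both and flags the per-PE maxima over a threshold; both samples are constructed, and the 85% threshold is an assumption chosen for illustration.

```python
"""Threshold checks over show mem-usage output, covering both layouts the
guide shows: the Sensor's "Avg./Max. Used ... : N%" lines and the NTBA
Appliance's Mem/Swap/Total table.

Added example; not code from the McAfee CLI guide or the product. Both
samples below are constructed in the layouts the guide documents.
"""
import re

# Constructed Sensor sample: one counter deliberately high.
SENSOR_SAMPLE = """\
Avg. Used TCP and UDP Flows across all PEs : 41%
Max. Used TCP and UDP Flows on a single PE : 63%
Avg. Used Packet Buffers across all PEs : 70%
Max. Used Packet Buffers on a single PE : 92%
Avg. Used L7 Dcap flows across all PEs : 0%
Max. Used L7 Dcap flows on a single PE : 0%
Avg Attacks received across all PEs : 0%
"""

# Constructed NTBA sample in the layout the guide shows.
NTBA_SAMPLE = """\
ntbaSensor@vNTBA> show mem-usage
total used free shared buffers cached
Mem: 12046 727 11319 0 18 476
Swap: 11727 0 11727
Total: 23774 727 23047
"""

PERCENT_LINE = re.compile(r"^(.*?)\s*:\s*(\d+)%$")
TABLE_ROW = re.compile(r"^(Mem|Swap|Total):\s+(\d+)\s+(\d+)\s+(\d+)")


def parse_sensor_mem_usage(text):
    """Map each Sensor counter name to its integer percentage."""
    usage = {}
    for raw in text.splitlines():
        m = PERCENT_LINE.match(raw.strip())
        if m:
            usage[m.group(1).strip()] = int(m.group(2))
    return usage


def parse_ntba_mem_usage(text):
    """Map Mem/Swap/Total rows to total, used, free and a used percentage."""
    rows = {}
    for raw in text.splitlines():
        m = TABLE_ROW.match(raw.strip())
        if m:
            total, used, free = int(m.group(2)), int(m.group(3)), int(m.group(4))
            rows[m.group(1)] = {
                "total": total, "used": used, "free": free,
                "used_pct": round(100.0 * used / total, 1) if total else 0.0,
            }
    return rows


def over_threshold(percentages, threshold=85, prefix="Max."):
    """Counter names at or above threshold. Checking the per-PE maximum
    (prefix "Max.") catches a single saturated processing element that the
    average across all PEs would hide. 85 is an assumed threshold."""
    return sorted(name for name, pct in percentages.items()
                  if name.startswith(prefix) and pct >= threshold)


if __name__ == "__main__":
    sensor = parse_sensor_mem_usage(SENSOR_SAMPLE)
    print("sensor counters over threshold:", over_threshold(sensor))
    ntba = parse_ntba_mem_usage(NTBA_SAMPLE)
    print("NTBA memory used: %.1f%%" % ntba["Mem"]["used_pct"])
```

Alerting on the "Max." lines rather than the "Avg." lines matters because a flow table exhausted on one processing element means that element is already dropping or bypassing sessions, even when the Sensor-wide average still looks healthy.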
show mgmtport
Shows all the current configuration settings for the Sensor Management port.
This command has no parameters.
Syntax:
show mgmtport
Information displayed by the show mgmtport command includes:
• The Sensor's Management port value (1000Mbps, 100Mbps, 10Mbps, or auto-negotiate)
• The Sensor's Management port link status (what speed the two devices settled upon—typically the highest common setting)
• What mode has been settled upon
• The link status
• The capabilities of the Management port (possible values are: 1000baseTx-FD, 100baseTx-FD, 100baseTx-HD, 10base-T-FD, 10base-T-HD)
• What the Management port is advertising its capabilities as (possible values are: 1000baseTx-FD, 100baseTx-FD, 100baseTx-HD, 10base-T-FD, 10base-T-HD)
• The characteristics of its link partner (possible values are: 1000baseTx-FD, 100baseTx-FD, 100baseTx-HD, 10base-T-FD, 10base-T-HD)
Sample Output:
• For a Sensor, the output is as shown:
intruShell@john> show mgmtport
MGMT Ethernet port : auto negotiated
Settings for MGMT port :
Supported link modes: 10baseT/Half 10baseT/Full
100baseT/Half 100baseT/Full
1000baseT/Half 1000baseT/Full
Advertised link modes: 10baseT/Half 10baseT/Full
100baseT/Half 100baseT/Full
1000baseT/Half 1000baseT/Full
Advertised auto-negotiation: Yes
Speed: 100Mb/s
Duplex: Full
Auto-negotiation: on
Wake-on: d
Link detected: yes
eth0 Link encap:Ethernet HWaddr 00:06:92:2B:69:40
inet addr:10.213.174.202 Bcast:10.213.174.255 Mask:255.255.255.0
inet6 addr: fe80::206:92ff:fe2b:6940/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:3072499 errors:0 dropped:0 overruns:0 frame:0
TX packets:333882 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:255473849 (243.6 Mb) TX bytes:38758684 (36.9 Mb)
Interrupt:24
• For NTBA, the output is as shown:
ntbaSensor@NTBA_210> show mgmtport
Link status : Up
Port speed : Auto, 1000 Mbps
Duplex : Auto, Full
Total packets received : 15176
Total packets sent : 14356
Total CRC errors received : 0
Total other errors received : 0
Total CRC errors sent : 0
Total other errors sent : 0
IP Address : 10.213.171.210
MAC Address : 00:24:E8:46:46:D6
Mapped to ethernet port : eth4
Applicable to:
M-series and NS-series, and NTBA Appliances.
See also
set mgmtport auto on page 76
set mgmtport speed and duplex on page 77
show mnsconfig
Displays the status of mobile network security (enabled or disabled).
Syntax
show mnsconfig
Sample output
intruShell@Sensor-6050> show mnsconfig
Mobile network security status : Disabled
Radius Load balancing config : Disabled
Applicable to:
M-series and NS-series Sensors.
show netstat
This command displays the management port netstat output.
This command has no parameters.
Syntax:
show netstat
Sample Output:
• For a Sensor, the output is as shown in Figure 2-1 (show netstat command output for Sensors).
• For an NTBA Appliance, the output is as shown in Figure 2-2 (show netstat command output for NTBA).
Applicable to:
M-series and NS-series, and NTBA Appliances.
show nmsuserwriteaccess status
Displays the current SNMP restricted read-write access status (enabled or disabled).
Syntax:
show nmsuserwriteaccess status
Sample Output:
intruShell@john> show nmsuserwriteaccess status
NMS User Write Access Status : Enabled
Applicable to:
M-series and NS-series Sensors.
show outofcontext acllookup
This command displays whether ACL lookup is enabled or disabled on out-of-order packets.
Syntax:
show outofcontext acllookup
Sample Output:
intruDB > show outofcontext acllookup
OOC Acl Lookup Status : Disabled
Applicable to:
M-series and NS-series Sensors.
show parsetunneledtraffic status
Parsing of tunneled traffic by I-series Sensors is enabled by default. However, when you upgrade the
Sensor software to 5.1.5.x, tunneling gets disabled. To find the current status of the tunneling
configuration, use the show parsetunneledtraffic status CLI command.
This command has no parameters.
To enable or disable the tunneling configuration of a Sensor, use the set parsetunneledtraffic
command. For more information, see the McAfee Network Security Platform IPS Administration Guide.
Syntax:
show parsetunneledtraffic status
Sample Output:
intruShell@john> show parsetunneledtraffic status
Tunneling Status : Enabled
Applicable to:
M-series, NS-series, and Virtual IPS Sensors. For Virtual Security System instances, this command is
available in debug mode.
See also
set parsetunneledtraffic on page 79
show pktcapture status
Displays the packet capture status and configuration.
Syntax:
show pktcapture status
Sample Output:
IntruDbg#> show pktcapture status
Packet Capture Status :Not Running
Packet Capture Mode :PORT
Packet Capture Port Number :Not Configured
Packet Capture Rule Set File Status :Not Present
Total Packet Capture Count :0
Packet Capture Duration remaining :0 Sec
Applicable to:
M-series and NS-series Sensors.
show pluggable-module
Displays the status of the pluggable module(s) inserted into the specified slot(s) located within the
chassis front panel.
Syntax:
show pluggable-module (g1|g2|g5|g6|all)
Sample output:
intruShell@NS9300-Bohol2> show pluggable-module g2
[Port Module G2 ]
Module System Type : 8-port SFP+
Supported Speeds : 10Gbps/1Gbps
Module Status : Active
Total Ports : 8
Applicable to:
NS-series Sensors only.
show portsettletime
Shows the configured portsettletime.
This command has no parameters.
Syntax:
show portsettletime
Sample Output:
intruShell@john> show portsettletime
Port settle delay : 30 seconds
Applicable to:
M-series and NS-series Sensors.
See also
set portsettletime on page 79
show powersupply
Displays the Sensor power supply information.
Syntax:
show powersupply
Sample Output:
intruShell@john> show powersupply
Power Supply (A) : Present
Power Supply (B) : Absent
Applicable to:
M-series and NS-series Sensors.
show previous256byteslogging status
Displays the status of the previous 256 bytes logging feature; whether enabled or disabled.
Syntax
show previous256byteslogging status
Sample output
intruShell@Sensor-6050> show previous256byteslogging status
Logging of previous 256bytes is disabled.
Applicable to:
M-series and NS-series Sensors.
show raid status
Displays the operation status of both SSDs in Network Security Platform operating in RAID1 mode.
RAID is not supported on NS7x00 Sensors.
Syntax:
show raid status
Sample output:
intruShell@NS9300-Bohol2> show raid status
SSD 0 STATUS : good
SSD 1 STATUS : good
NS9300 Secondary SSD 0 STATUS : good
NS9300 Secondary SSD 1 STATUS : good
Applicable to:
NS-series (NS9300, NS9200, and NS9100) Sensors only.
show rescueimages
Displays version numbers of a list of up to five Sensor images currently archived in the internal flash
device.
Syntax:
show rescueimages
Sample output:
intruShell@NS9300-Bohol2> show rescueimages
NS9300P
NS9300S
Applicable to:
NS-series Sensors only.
show savedalertinfo
In the event that connectivity between the Sensor and the Manager is interrupted, the Sensor saves
alert data internally. This data is sent to the Manager when connectivity is re-established and the
internal information is deleted. This command shows the number of alerts and packet logs that have
been saved within the Sensor.
Information displayed by the show savedalertinfo command includes:
• Whether a file of saved alerts exists (if connectivity between Sensor and Manager is currently established, no file will exist)
• Number of saved alerts and their size
• Whether a file of saved packet logs exists
• Number of saved packet logs and their size
This command has no parameters.
Syntax:
show savedalertinfo
Sample Output:
intruShell@john> show savedalertinfo
Saved Alert Status : Alerts = 456, Size = 81168
Saved Packet Status : No Saved File
Applicable to:
M-series and NS-series Sensors.
show savedimages
Displays version numbers of a list of up to ten Sensor images currently archived in the SSD.
Syntax:
show savedimages
Applicable to:
NS-series Sensors only.
Sample output:
intruShell@NS9300-Bohol2> show savedimages
NS9300P
7.1.44.227
7.1.44.231
7.1.44.232
7.1.44.234
7.1.5.30
7.1.5.32
7.1.5.33
7.1.5.38
7.1.5.39
7.1.5.40
NS9300S
7.1.44.190
7.1.44.227
7.1.44.231
7.1.44.232
7.1.44.234
7.1.5.32
7.1.5.33
7.1.5.38
7.1.5.39
7.1.5.40
show sensordroppktevent status
Displays whether the option to generate a system fault in the Manager (whenever the Sensor is
overloaded and drops a large number of packets) is enabled or disabled.
This command has no parameters.
Syntax:
show sensordroppktevent status
Applicable to:
I-3000 and I-4010 Sensors only.
In case of Virtual Security System instances, this command is available in debug mode.
See also
sensordroppktevent on page 64
show sensor-load
The show sensor-load command shows the following information:
• Average load (traffic) seen across all processing elements
• Maximum load (traffic) seen on a single processing element
Syntax:
show sensor-load
Sample Output:
On executing the command, one of the following messages is displayed:
• When Sensor-load calculation is ON:
intruShell@john> show sensor-load
Average load across all PEs : 0% (approx.)
Maximum load on a single PE : 0% (approx.)
• When Sensor-load calculation is OFF:
Sensor-load calculation switched 'OFF'. Please use 'set sensor-load on' to switch
'ON' the calculation.
Applicable to:
M-series and NS-series Sensors.
See also
set sensor-load on page 91
show sessionlimit timeout
This command is used to display the session limit timeout set previously using the set sessionlimit
timeout command.
Syntax:
show sessionlimit timeout
Sample Output:
intruShell@john> show sessionlimit timeout
sessionlimit timeout : 2hours
Applicable to:
M-series and NS-series Sensors.
show sshaccesscontrol status
Displays the SSH access control configuration status and settings.
Syntax:
show sshaccesscontrol status
Sample Output:
intruShell@john> show sshaccesscontrol status
[SSH AccessControl is Disabled]
[SSH Accesscontrol Network list]
Network : any/any
Applicable to:
M-series and NS-series Sensors.
show sshinactivetimeout
Displays the CLI SSH session inactivity timeout.
Syntax:
show sshinactivetimeout
Sample Output:
intruShell@john> show sshinactivetimeout
SSH inactive timeout : 300 sec
Applicable to:
M-series and NS-series Sensors.
show sshlog status
Use this command to display the current SSH logging status.
Syntax:
show sshlog status
Sample Output:
intruShell@john> show sshlog status
SSH Logging : Enabled
Applicable to:
M-series and NS-series Sensors.
show ssl config
Shows the configuration details for SSL on the Sensor.
This command has no parameters.
Information displayed by the show ssl config command includes:
• Whether SSL will be enabled the next time the Sensor reboots, and how many SSL flows will be supported
• Whether SSL decryption is currently active and how many SSL flows are supported
• How long the session is kept alive after the connection associated with that session ends (default is 5 minutes)
• Whether or not packet logging is enabled for attacks detected in an SSL tunnel
• Whether or not SSL decryption keys are present on the Sensor
• The number of SSL decryption keys present
This command does not apply to I-1200, I-1400, M-1250, and M-1450 Sensors.
Syntax:
show ssl config
Sample Output:
intruShell@john> show ssl config
[SSL Decryption Support]
Requested : yes (25000 flows)
Supported : yes (25000 flows)
SSL Session Lifetime : 5 min
SSL Pkt Logging : disabled
[SSL Decryption Keys]
Present : no
Applicable to:
M-series and NS-series Sensors.
See also
importsensorcerts on page 49
exportsensorcerts on page 44
show ssl stats on page 138
show ssl stats
Shows SSL decryption statistics for the Sensor. This command has no parameters.
Information displayed by the show ssl stats command includes:
• The names of any certificates loaded into the Manager, and how many times they have been used in sessions since the Sensor was last rebooted.
• The number of certificates passed for which the Sensor had no matching certificates.
Syntax:
show ssl stats
Applicable to:
M-series and NS-series Sensors.
This command does not apply to I-1200, I-1400, M-1250, and M-1450 Sensors.
See also
importsensorcerts on page 49
exportsensorcerts on page 44
show ssl config on page 137
show syncookietcpreset
Displays whether the Sensor sends a TCP reset when a TCP three-way handshake (3WH) times out while SYN cookie protection is active.
Syntax:
show syncookietcpreset
Sample Output:
intruShell@john> show syncookietcpreset
SynCookie TCP RESET setting : Enabled
Applicable to:
M-series and NS-series Sensors.
show syslog statistics
Displays the number of alerts detected by the Sensor (received from Sensor analysis), the number of
alerts the Sensor sent to the syslog server, and the number of alerts the Sensor did not send to the
syslog server, that is, the suppressed alerts.
Syntax:
show syslog statistics
Sample Output:
intruShell@john> show syslog statistics
[syslog Alert]
Received : 34062
Sent : 15451
Suppressed : 18611
Applicable to:
M-series Sensors only.
show tacacs
Shows the current TACACS+ configuration for the Sensor.
Information displayed by the show tacacs command includes:
• Whether TACACS+ remote authentication for Sensor CLI users is enabled (on)
• Whether encryption of the TACACS+ traffic is enabled
• Whether the TACACS+ authorization feature is enabled
• The IP address of the configured TACACS+ server(s), if any
This command has no parameters.
Syntax:
show tacacs
Sample Output:
intruShell@john> show tacacs
[TACACS+ Config]
Authentication : Enable
Traffic Encryption : Enable
Authorization : Enabled
Server 1 IP : 10.213.172.87
Applicable to:
M-series and NS-series Sensors.
See also
set tacacsauthorization on page 86
show tcpipstats
The show tcpipstats command reports TCP/IP statistics for traffic flowing through the entire Sensor.
The show tcpipstats command displays the count for each of the following categories:
• TCP packets
• TCP resets
• UDP packets
• ICMP packets received
• IP fragments
• ICMP unreachables sent
This command has no parameters.
Syntax:
show tcpipstats
Sample Output:
intruShell@john> show tcpipstats
TCP Packets : 4202310216
UDP Packets : 163289410
IP Fragments : 163554316
TCP Resets : 0
ICMP Packets Received : 78340266
ICMP Unreachables Sent : 0
Applicable to:
M-series and NS-series Sensors.
show tcpudpchecksumerror
The Sensor recomputes TCP/UDP/ICMP header checksums to determine and show if their
corresponding packets have been corrupted.
This command has no parameters.
Syntax:
show tcpudpchecksumerror
Sample Output:
intruShell@john> show tcpudpchecksumerror
tcpudpicmpchecksumerror : Forward
Applicable to:
M-series and NS-series Sensors.
See also
set tcpudpchecksumerror forward on page 87
set tcpudpchecksumerror drop on page 86
show threshold-udp-dos-forward-action status
Displays whether the option to forward UDP traffic without parsing (once the DoS threshold limit is
exceeded) is enabled or not.
Syntax:
show threshold-udp-dos-forward-action status
Sample Output:
intruShell@john> show threshold-udp-dos-forward-action status
Threshold UDP DoS forward action : enabled
show tiestats
Displays the total requests and responses to file reputation requests and number of file reputation
responses per source, the sources being Enterprise score, Advanced Threat Defense, and Global
Threat Intelligence.
Sample output
[TIE Statistics]
***Total file reputation requests and responses***
Total file reputation requests : 0
Successful file reputation requests : 0
McAfee File Reputation handled requests : 0
Total file reputation responses : 0
Successful file reputation responses : 0
***Number of file reputation responses per source***
Total responses from GTI : 0
Total responses from Enterprise : 0
Total responses from ATD : 0
show userconfigvolumedosthreshold
Displays the specified user-defined DoS threshold for alerting on volume for a particular packet type.
Syntax:
show userconfigvolumedosthreshold <dos-measure-name> <direction>
Parameter           Description
<dos-measure-name>  Indicates the DoS measure name: one of 'tcp-syn', 'tcp-syn-ack', 'tcp-fin', 'tcp-rst', 'udp', 'icmp-echo', 'icmp-echo-reply', 'icmp-non-echo-reply', 'ip-fragment', 'non-tcp-udp-icmp'
<direction>         Indicates the direction. It can be 'inbound' or 'outbound'
Sample Output:
intruShell@Sensor-6050> show userconfigvolumedosthreshold icmp-echo-reply inbound
User did not configure threshold for icmp-echo-reply inbound
Example:
show userconfigvolumedosthreshold icmp-echo-reply inbound returns one of the following responses:
• The threshold value configured using set userconfigvolumedosthreshold icmp-echo-reply inbound
• Or, if the threshold was not configured, the message User did not configure threshold for icmp-echo-reply inbound
Applicable to:
M-series and NS-series Sensors.
show userInfo stats
Displays the user, group, and MLC related statistics.
Syntax:
show userInfo stats
Sample Output:
intruShell@john> show userInfo stats
[User Info Stats]
Bulk File download count : 2
Incr File download count : 0
User Info count : 1
Group Info count : 0
IP Info count : 0
Applicable to:
M-series and NS-series Sensors.
show vlanbasedrecon status
Displays the status of VLAN based reconnaissance.
The Manager Threat Analyzer displays VLAN ID in reconnaissance alert messages.
Figure 2-3 Alerts View-Threat Analyzer
The VLAN ID is included in fault notifications and reports.
In case of a fail-over pair, the feature has to be enabled on both the Sensors.
For more information, see the McAfee Network Security Platform Manager Administration Guide, and
McAfee Network Security Platform IPS Administration Guide.
Syntax:
show vlanbasedrecon status
Sample Output:
intruShell@john> show vlanbasedrecon status
Vlan Based Reconnaissance attack detection disabled
Applicable to:
M-series and NS-series Sensors.
shutdown
Halts the Sensor so you can turn it off. You can turn off the Sensor manually after a minute (for
example, unplug the I-4010). The Sensor does not turn off automatically. You must confirm that you
want to shut down the Sensor.
This command has no parameters.
Syntax:
shutdown
Applicable to:
M-series and NS-series, and NTBA Appliances.
See also
reboot on page 59
snmpv2support
You can obtain access to the read-only components of the Network Security Platform MIBs using SNMP
v2.
Configure the NMS IP address on the Manager. See the McAfee Network Security Platform IPS
Administration Guide.
Syntax:
snmpv2support enable <CommunityString>
This command enables SNMP v2 support.
Parameter        Description
CommunityString  The SNMP community string to authenticate access to MIB objects and functions.
snmpv2support disable
This command disables SNMP v2 support.
snmpv2support status
This command displays the status of SNMP v2 support (enabled or disabled).
Applicable to:
M-series and NS-series Sensors.
sshaccesscontrol
Configures SSH access to the Sensor from a specific host or network.
Syntax:
sshaccesscontrol <add|delete> <A.B.C.D> <E.F.G.H>
where:
• A.B.C.D is the IP address of a host or network.
• E.F.G.H is the subnet mask.
• <add> adds a host or network to the list of those allowed ssh access.
• <delete> removes a host or network from the list, so it is denied ssh access.
Parameter  Description
<add>      Adds a host or network that is configured for ssh access
<delete>   Deletes a host or network that is configured for ssh access
Example:
To provide ssh access to a specific host:
sshaccesscontrol add 158.15.130.90 255.255.255.255
To provide ssh access to a network:
sshaccesscontrol add 158.15.130.0 255.255.255.0
To remove ssh access to a specific host:
sshaccesscontrol delete 158.15.130.90 255.255.255.255
To remove ssh access to a network:
sshaccesscontrol delete 158.15.130.0 255.255.255.0
Applicable to:
M-series and NS-series Sensors.
See also
set sshaccesscontrol on page 84
sshaccesscontrol resetlist on page 146
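Because a mistyped sshaccesscontrol entry can lock administrators out of the CLI, it helps to replay a planned add/delete sequence against a model of the list and check which management hosts it would still admit. The following is an added example, not code from this guide or the product: it mirrors only the <add|delete> <A.B.C.D> <E.F.G.H> syntax documented above and the "any/any" form seen in the show sshaccesscontrol status output; the command sequence is constructed.

```python
"""Model of the sshaccesscontrol allowlist so an administrator can verify,
before applying changes, which hosts the resulting list permits to open SSH
sessions to the Sensor's CLI.

Added example; not code from the McAfee CLI guide or the product. It mirrors
only the <add|delete> <A.B.C.D> <E.F.G.H> syntax the guide documents.
"""
import ipaddress

# Constructed command sequence in the guide's syntax (not from a real Sensor).
COMMANDS = [
    "sshaccesscontrol add 158.15.130.0 255.255.255.0",
    "sshaccesscontrol add 10.0.0.5 255.255.255.255",
    "sshaccesscontrol delete 10.0.0.5 255.255.255.255",
]


def parse_entry(address, mask):
    """Turn '<A.B.C.D> <E.F.G.H>' into an IPv4 network.

    ipaddress rejects a non-contiguous mask and, with strict=True, an
    address that has host bits set under the mask (for example
    158.15.130.90 with 255.255.255.0), which is how typos surface."""
    return ipaddress.ip_network("%s/%s" % (address, mask), strict=True)


def apply_commands(commands, allowlist=None):
    """Replay add/delete commands against a list of networks.

    Returns (allowlist, errors); malformed entries are reported rather than
    silently dropped, since a rejected 'add' can lock an admin out."""
    allowlist = list(allowlist or [])
    errors = []
    for cmd in commands:
        parts = cmd.split()
        if len(parts) != 4 or parts[0] != "sshaccesscontrol":
            errors.append("unrecognised command: %s" % cmd)
            continue
        action, address, mask = parts[1], parts[2], parts[3]
        try:
            net = parse_entry(address, mask)
        except ValueError as exc:
            errors.append("%s: %s" % (cmd, exc))
            continue
        if action == "add" and net not in allowlist:
            allowlist.append(net)
        elif action == "delete" and net in allowlist:
            allowlist.remove(net)
        elif action not in ("add", "delete"):
            errors.append("unknown action in: %s" % cmd)
    return allowlist, errors


def is_permitted(allowlist, host, access_control_enabled=True):
    """True if host may open an SSH session.

    With access control disabled the Sensor reports 'Network : any/any'
    (see the show sshaccesscontrol status sample); model that as allow-all."""
    if not access_control_enabled:
        return True
    addr = ipaddress.ip_address(host)
    return any(addr in net for net in allowlist)


def render(allowlist):
    """List entries in the '<address>/<mask>' style of show sshaccesscontrol status."""
    return ["%s/%s" % (net.network_address, net.netmask) for net in allowlist]


if __name__ == "__main__":
    nets, problems = apply_commands(COMMANDS)
    print("allowlist:", render(nets))
    print("problems:", problems)
    for host in ("158.15.130.90", "10.0.0.5"):
        print(host, "permitted" if is_permitted(nets, host) else "denied")
```

Run the planned sequence through apply_commands first and confirm is_permitted returns True for the jump host you will use to reach the Sensor; if the model rejects an entry for host bits or a bad mask, the Sensor's own list will not contain what you expected either.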
sshaccesscontrol resetlist
Deletes the entire list of hosts or networks that are configured for ssh access.
Syntax:
sshaccesscontrol resetlist
Applicable to:
M-series and NS-series Sensors.
See also
sshaccesscontrol on page 145
sshd disable
Stops the SSH daemon (sshd), preventing remote administration of the Sensor. With sshd stopped,
you can interact with the Sensor only via the Console.
This command has no parameters.
Syntax:
sshd disable
Default Value:
The SSH daemon is enabled by default.
Applicable to:
M-series and NS-series Sensors.
See also
sshd enable on page 147
sshd enable
Starts the SSH daemon (sshd), which enables remote administration of the Sensor from any host that the sshaccesscontrol list permits.
This command has no parameters.
Syntax:
sshd enable
Default Value:
The SSH daemon is enabled by default.
After the SSH daemon is started, you can log on to the Sensor remotely using either of the following:
ssh admin@<Sensor IP address>
or
ssh -l admin <Sensor IP address>
You are prompted for the admin password. After you log on, you can use the CLI exactly as you would from the Console.
• You cannot use remote administration to configure the Sensor initially; you must configure the Sensor (including its IP address) for the first time from the Console.
• You can have up to five concurrent SSH sessions.
Applicable to:
M-series and NS-series Sensors.
See also
sshd disable on page 146
sshlogupload WORD
Use this command to upload the SSH log file to the TFTP Server.
Ensure the following before using this command:
• The TFTP server IP address is set using the command set tftpserver ip <server_ip>.
• A file with the corresponding file name already exists on the TFTP server with write permissions for all.
The file uploaded to the TFTP server is a TAR archive containing one or more gzipped files:
• Untar the archive with tar -xvf <filename> to get the individual gzipped files.
• Unzip each file with gunzip <zipped_file> to view it.
Syntax:
sshlogupload <filename>
A sample SSH log message is displayed below:
Sep 16 09:09:52 localhost kernel: SSHD_DROP:IN=eth0 OUT= MAC=00:06:92:25:9d:80:00:0b:bf:a1:b7:fc:08:00 SRC=172.16.232.47 DST=172.16.199.89 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=4286 DF PROTO=TCP SPT=2821 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Log Message Fields  Description
SSHD_DROP  Log prefix: the packet was dropped by the Sensor's SSH access control, for example a connection attempt to port 22 from a host that is not on the sshaccesscontrol list.
IN=eth0  Interface the packet was received on. Empty for locally generated packets.
OUT=  Interface the packet was sent to. Empty for locally received packets.
MAC=00:06:92:25:9d:80:00:0b:bf:a1:b7:fc:08:00  The MAC field consists of 14 colon-separated bytes and reads as:
  Dest MAC = 00:06:92:25:9d:80 (the destination MAC address)
  Src MAC = 00:0b:bf:a1:b7:fc (the source MAC address)
  Type = 08:00 (Ethernet frame carrying an IPv4 datagram)
SRC=172.16.232.47  The source IP address
DST=172.16.199.89  The destination IP address
LEN=48  The total length of the IP packet in bytes
TOS=0x00  The Type of Service "Type" field
PREC=0x00  The Type of Service "Precedence" field
TTL=127  The remaining Time To Live, 127 hops
ID=4286  The IP identification field, shared by all fragments of a fragmented datagram
DF  Don't Fragment flag
PROTO=TCP  The protocol name
SPT=2821  The source port
DPT=22  The destination port
WINDOW=65535  The TCP receive window size advertised in the segment (not the "Window Scale" option)
RES=0x00  The reserved bits
SYN  The synchronize flag, set only during TCP connection establishment
URGP=0  The TCP urgent pointer value
Applicable to:
M-series and NS-series Sensors.
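The following is an added example, not code from the McAfee guide or the product: it parses SSHD_DROP lines in the format shown above into their fields and checks each dropped source against an sshaccesscontrol-style allow list of (address, mask) entries, so that a drop from a source you believe is permitted stands out. The log lines and the allow list are constructed for the example; the function names are mine.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in the SSHD_DROP format (not a real Sensor log).
# The first three are drop events; the last is an unrelated sshd message that
# the parser must ignore.
SAMPLE_SSH_LOG = """\
Sep 16 09:09:52 localhost kernel: SSHD_DROP:IN=eth0 OUT= MAC=00:06:92:25:9d:80:00:0b:bf:a1:b7:fc:08:00 SRC=172.16.232.47 DST=172.16.199.89 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=4286 DF PROTO=TCP SPT=2821 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Sep 16 09:09:55 localhost kernel: SSHD_DROP:IN=eth0 OUT= MAC=00:06:92:25:9d:80:00:0b:bf:a1:b7:fc:08:00 SRC=172.16.232.47 DST=172.16.199.89 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=4287 DF PROTO=TCP SPT=2822 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Sep 16 09:10:03 localhost kernel: SSHD_DROP:IN=eth0 OUT= MAC=00:06:92:25:9d:80:00:0b:bf:a1:b7:fc:08:00 SRC=158.15.130.90 DST=172.16.199.89 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=9001 DF PROTO=TCP SPT=51022 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Sep 16 09:10:10 localhost sshd[1234]: Accepted password for admin from 158.15.130.91 port 51023 ssh2
"""

# Assumed allow list, as built with "sshaccesscontrol add <addr> <mask>".
SSH_ALLOW_LIST = [("158.15.130.0", "255.255.255.0")]

PREFIX_RE = re.compile(r"kernel: (\w+):")
KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_sshd_drop(line):
    """Parse one SSHD_DROP line into a dict of its key=value fields.

    Bare flag tokens (DF, SYN, ...) are collected under FLAGS, and the
    14-byte MAC field is split into destination MAC, source MAC and EtherType.
    Returns None for lines that are not SSHD_DROP records.
    """
    m = PREFIX_RE.search(line)
    if not m or m.group(1) != "SSHD_DROP":
        return None
    body = line[m.end():]
    fields = dict(KV_RE.findall(body))
    fields["FLAGS"] = [tok for tok in body.split() if "=" not in tok]
    mac = fields.get("MAC", "")
    if mac.count(":") == 13:
        fields["DST_MAC"] = mac[:17]
        fields["SRC_MAC"] = mac[18:35]
        fields["ETHERTYPE"] = mac[36:]
    return fields


def allowed_by_acl(src_ip, allow_list=SSH_ALLOW_LIST):
    """Emulate the sshaccesscontrol check: the source must fall inside at
    least one (address, mask) entry. A 255.255.255.255 mask is one host."""
    ip = ipaddress.ip_address(src_ip)
    return any(
        ip in ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        for addr, mask in allow_list
    )


def summarize_drops(log_text, allow_list=SSH_ALLOW_LIST):
    """Count SSHD_DROP events per source address and list drops whose source
    is on the allow list; those indicate the list on the Sensor differs from
    the one you expect, or that a mask was entered too narrowly."""
    per_source = Counter()
    unexpected = []
    for line in log_text.splitlines():
        f = parse_sshd_drop(line)
        if f is None:
            continue
        per_source[f["SRC"]] += 1
        if allowed_by_acl(f["SRC"], allow_list):
            unexpected.append((f["SRC"], f["SPT"], f["DPT"]))
    return per_source, unexpected


if __name__ == "__main__":
    drops, odd = summarize_drops(SAMPLE_SSH_LOG)
    for src, n in drops.most_common():
        print(f"{src:>16}  {n} dropped SSH attempt(s)")
    for src, spt, dpt in odd:
        print(f"drop from allowed source {src}:{spt} -> port {dpt}; verify the allow list")
```

Run it against the untarred and gunzipped file obtained with sshlogupload; repeated drops from one source are the expected signature of a scan or brute-force attempt against port 22, while drops from an address on your own allow list are worth comparing against `sshaccesscontrol` on the Sensor.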
status
Shows Sensor system status, such as System Health, Manager communication, signature set details,
total number of alerts detected, and total number of alerts sent to the Manager.
This command has no parameters.
Syntax:
status
Sample Output:
For Sensor, the output is as shown:
intruShell@john> status
[Sensor]
System Initialized : yes
System Health Status : good
Layer 2 Status : normal (IDS/IPS)
Installation Status : complete
IPv6 Status : Parse and Detect Attacks
Reboot Status : Not Required
Guest Portal Status : up
Hitless Reboot : Not-Available
Last Reboot reason : reboot issued from CLI
[Signature Status]
Present : yes
Version : 8.6.0.6
Power up signature : good
Geo Location database : Present
DAT file : Present
Version : 318.0
[Manager Communications]
Trust Established : yes (RSA 1024-bit or 2048-bit)
Alert Channel : up
Log Channel : up
Authentication Channel : up
Last Error : None
Alerts Sent : 961
Logs Sent : 974
[Alerts Detected]
Signature : 4246 Alerts Suppressed : 3483
Scan : 0 Denial of Service : 2
Malware : 0
[McAfee NTBA Communication]
Status : up
IP : 10.213.174.132
Port : 8505
[McAfee MATD Communication]
Status : up
IP : 10.213.174.134
Port : 8506
The same status output appears on an NTBA Appliance.
If trust cannot be established between the Sensor and the Manager because the shared secret keys do not match, Last Error displays the message Alert Channel - Install Keys Mismatch. In that case, check the shared secret key on the Manager and set the same key on the Sensor using the set sensor sharedsecretkey command.
Applicable to:
M-series and NS-series, and NTBA Appliances.
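As an added example (not part of the McAfee guide), the following parses the sectioned `status` output into a dictionary and applies the checks a monitoring job would make on it: Manager trust, the three channels, reboot state, health, and the key-mismatch error described above. The sample output is constructed in the shape of the sample shown in this section, with the Manager trust failure inserted; the function names are mine.

```python
import re

# Constructed "status" output modelled on the sample above, edited so that
# trust with the Manager has failed with the key-mismatch error the text
# describes. It is not output from a real Sensor.
SAMPLE_STATUS = """\
[Sensor]
System Initialized : yes
System Health Status : good
Layer 2 Status : normal (IDS/IPS)
Installation Status : complete
Reboot Status : Not Required
Last Reboot reason : reboot issued from CLI
[Signature Status]
Present : yes
Version : 8.6.0.6
[Manager Communications]
Trust Established : no
Alert Channel : down
Log Channel : down
Authentication Channel : up
Last Error : Alert Channel - Install Keys Mismatch
Alerts Sent : 0
Logs Sent : 0
[Alerts Detected]
Signature : 4246 Alerts Suppressed : 3483
Scan : 0 Denial of Service : 2
Malware : 0
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")


def _pairs(line):
    """Split 'A : x B : y' into [(A, x), (B, y)]. Two-column lines are
    separated only by a space, so the value of every pair but the last is
    its first token; the [Alerts Detected] block uses numbers, so this holds."""
    parts = line.split(" : ")
    if len(parts) < 2:
        return []
    pairs, key = [], parts[0].strip()
    for middle in parts[1:-1]:
        value, _, next_key = middle.strip().partition(" ")
        pairs.append((key, value))
        key = next_key
    pairs.append((key, parts[-1].strip()))
    return pairs


def parse_status(text):
    """Parse the sectioned output into {section: {name: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = sections.setdefault(m.group(1), {})
        elif current is not None:
            current.update(_pairs(line))
    return sections


def check_status(sections):
    """Return the findings a monitoring job should raise for this output."""
    findings = []
    sensor = sections.get("Sensor", {})
    mgr = sections.get("Manager Communications", {})
    if sensor.get("System Health Status", "").lower() != "good":
        findings.append(f"health: {sensor.get('System Health Status', 'missing')}")
    if sensor.get("Reboot Status", "").lower() != "not required":
        findings.append(f"reboot: {sensor.get('Reboot Status', 'missing')}")
    if not mgr.get("Trust Established", "").startswith("yes"):
        findings.append("manager trust not established")
    for chan in ("Alert Channel", "Log Channel", "Authentication Channel"):
        if mgr.get(chan, "").lower() != "up":
            findings.append(f"{chan.lower()} {mgr.get(chan, 'missing')}")
    err = mgr.get("Last Error", "None")
    if err != "None":
        hint = ""
        if "Install Keys Mismatch" in err:
            hint = (" (shared secret mismatch: check the key on the Manager and"
                    " set it on the Sensor with 'set sensor sharedsecretkey')")
        findings.append(f"last error: {err}{hint}")
    return findings


if __name__ == "__main__":
    for finding in check_status(parse_status(SAMPLE_STATUS)):
        print("FINDING:", finding)
```

Feed it the text captured from an SSH session that runs `status`; a Sensor that is healthy reports no findings, and the key-mismatch case produces the trust, channel and Last Error findings together, which is the pattern to look for before touching the shared secret.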
traceupload
Uploads an encoded diagnostic trace file to the configured TFTP server, from which you can send it to
the McAfee Technical Support for diagnosing a problem with the Sensor. A trace upload facility is also
available in the Manager interface.
Syntax:
traceupload WORD
where WORD stands for the file name to which the trace must be written.
Note the following:
• Before executing this command, configure the TFTP server on the Sensor or NTBA Appliance by running the set tftpserver ip command.
• When loading a trace file from the configured TFTP server, the path name of the file is relative to /tftpboot.
• Before executing this command (uploading to the TFTP server), ensure that the file already exists on the TFTP server with write permissions for everyone. Because the file must be world-writable and TFTP is unauthenticated, use a TFTP server on a protected management network and remove the file once it has been sent to Support.
As part of traceupload, additional information is collected using logstat. Collecting these logs from the Sensor therefore takes extra time, around 10-30 minutes depending on the Sensor model.
On executing the command the following messages are displayed:
Please enter Y to confirm: y
Uploading trace file to TFTP server
Trace file uploaded successfully to TFTP server.
Sample Output:
For an NTBA Appliance, the output is as shown:
ntbaSensor@vNTBA> traceupload ntbaTraceFile
Make sure the file ntbaTraceFile exists on the server with 'WRITE' permission for
everyone. If it doesn't exist, then create an empty ntbaTraceFile file with 'WORLD
WRITE' permissions.
Please enter Y to confirm: y
Uploading trace file to TFTP server
Trace file uploaded successfully to TFTP server.
Applicable to:
M-series and NS-series, and NTBA Appliances.
See also
logstat on page 54
vlanbridgestp
Controls VLAN bridging of Spanning Tree Protocol (STP) packets.
Syntax:
vlanbridgestp <enable|disable|drop>
Parameter  Description
enable  enables VLAN bridging of STP packets
disable  disables VLAN bridging of STP packets
drop  drops STP packets
Applicable to:
M-series and NS-series Sensors.
watchdog
The watchdog process reboots the device whenever an unrecoverable failure is detected.
Syntax:
watchdog <on | off | status>
Parameter  Description
on  enables the watchdog
off  disables the watchdog. Use it when a Sensor reboots continuously because of a repeated system failure.
status  displays the status of the watchdog process ('on' or 'off')
Sample Output:
•
For Sensor, the output is as shown:
intruShell@john> watchdog status
watchdog = off
•
For an NTBA Appliance, the output is as shown:
ntbaSensor@vNTBA> watchdog status
watchdog = on
Applicable to:
M-series and NS-series, and NTBA Appliances.
3
IPS CLI Commands - Debug Mode
This section details the commands that can be run in Debug mode.
Log on to the Sensor with a valid user name (the default user is admin) and password (the default password is admin123). At the command prompt, type debug to enter debug mode. Change the default password before the Sensor is put into service; debug mode exposes the diagnostic and low-level configuration commands that follow.
At the command prompt, type disable to leave debug mode. To log off, type exit.
In debug mode, you can run both the normal mode and the debug mode commands.
Contents
40to10conversion
aclstat
allow intfport id connector
arp static
clearactiveflows
clrconnlimithost
datapathstat
disable
dossampling
dossampling status
downloadgamupdate
dumpdebuglog
dumpDeviceConfigSettings
dumpDeviceProfileStats
dumpDeviceTableByAllIP
dumpDeviceTableByAllMAC
dumpDevProfTableEntry
dumpDevProfTableToLog
dumpdgastats
flashcheck
getauthstats
getccstats
getcestats
getmdrinfo
getplstats
getsastats
getscstats
ipfragstats
ipreassembly timeout millisecond
layer2 mode
l7dpstat
l7show
logShowCfg
maidstat
matdChnstate WORD
mobileDbg delete
mobileDbg print
nsmChanState WORD
perf
pptsetprioritytrafficratio
reset debugmode passwd
resetalertstats
reset ratelimitstats
rspstat
sensor perf-debug show
sensor perf-debug upload-protoStats
set aidlog
set amchannelencryption
set inline drop packet log
set inline traffic prioritization
set intfport id
set ipfrag
set ipsforunknownudp
set l3
set l7
set l7ddosresponse
set loglevel
set loglevel dos
set loglevel dp WORD
set loglevel mgmnt
set ma wakeup port
set malware split session parsing
set malwareEngine
set mgmtprocessrestart
set recon
show 40to10conversion status
show aidlog status
show all datapath error-counters
show amchannelencryption status
show attack count
show botnet-usage
show connlimithost
show connlimitstat
show datapath processunits
show doscfg
show eccerrors
show fe stat
show feature status
show feswitch port
show gam scan stats
show gmac
show inline traffic prioritization status
show ipsforunknownudp status
show ipfrag status
show layer2 portlevel
show l3 status
show l7 status
show l7dcap-usage
show l7ddosresponse status
show l7ddosstat
show layer2 reason
show malwareEngine status
show malwareclientstats
show malwareserverstats
show matd channel
show mgmtcfg
show mem-usage
show mgmtnetstats
show mgmtprocessrestart status
show pktcapture status
show prioritytraffic ratio
show ratelimit drops
show ratelimit markstats
show ratelimitstats
show recon status
show respport r1
show saved alerts
show saved packets
show sbcfg
show sensor health
show startup stats
show static-arp
show statistics alerts
show statistics icmp
show statistics ipfrag
show statistics l4
show statistics tcp
show statistics udp
show tempcounterstatus
show wb stats
show xff-usage
switch matd channel
tustat
unknownapktocloud
40to10conversion
Use this command to convert G0 ports (G0/1 and G0/2) on NS9x00 Sensors to run in 10 Gigabit
Ethernet mode instead of the 40 Gigabit Ethernet mode.
This configuration persists across Sensor reboots.
A separate adaptor is needed to convert QSFP interface into a SFP+ interface. Contact Support for more
information.
Syntax:
40to10conversion <enable|disable>
Applicable to:
NS9100 and NS9200 Sensors.
aclstat
This command shows ACL statistics for each datapath.
Syntax:
aclstat
Sample Output:
IntruDbg#> aclstat
datapath 19 :
Total number of packets: 0
TCP ACL Drop count: 0
TCP ACL Deny count: 0
TCP ACL Ignore count: 0
IPRF ACL Deny count: 0
IPRF ACL Reject count: 0
IPRF ACL Ignore count: 0
UDP ACL Deny count: 0
UDP ACL Ignore count: 0
ICMP Deny count: 0
ICMP Ignore count: 0
Other IP Deny count: 0
Other IP Ignore count: 0
Applicable to:
M-series and NS-series Sensors.
allow intfport id connector
Configures the supported SFP vendor for the monitoring ports.
Syntax:
allow intfport id <port> connector (all-vendors|mcafee-only)
Parameter Description
<port>
• Valid port numbers for M-series are: 1A | 1B | 2A | 2B | 3A | 3B| 4A | 4B | 5A | 5B |
6A | 6B | 7A | 7B | 8A | 8B
• Valid port numbers for NS-series are: G0/1 | G0/2 | G1/1 | G1/2 | G1/3 | G1/4 | G1/5
| G1/6 | G1/7 | G1/8 | G1/9 | G1/10 | G1/11 | G1/12 | G2/1 | G2/2 | G2/3 | G2/4 |
G2/5 | G2/6 | G2/7 | G2/8 | G2/9 | G2/10 | G2/11 | G2/12
Example:
allow intfport id 2B connector mcafee-only
allow intfport id 7B connector all-vendors
Applicable to:
M-series and NS-series Sensors.
arp static
Configures the static ARP entries.
Syntax:
arp static-add A.B.C.D A:B:C:D:E:F <port>
arp static-delete A.B.C.D <port>
Parameter Description
<port>
• Valid port numbers for M-series are: 1A | 1B | 2A | 2B | 3A | 3B| 4A | 4B | 5A | 5B |
6A | 6B | 7A | 7B | 8A | 8B
• Valid port numbers for NS-series are: G0/1 | G0/2 | G1/1 | G1/2 | G1/3 | G1/4 | G1/5
| G1/6 | G1/7 | G1/8 | G1/9 | G1/10 | G1/11 | G1/12 | G2/1 | G2/2 | G2/3 | G2/4 |
G2/5 | G2/6 | G2/7 | G2/8 | G2/9 | G2/10 | G2/11 | G2/12
Example:
arp static-add 1.1.1.9 00:0C:29:A0:C6:5F 1A
arp static-delete 209.165.202.255
Applicable to:
M-series, NS-series, Virtual IPS Sensors, and Virtual Security System instances.
clearactiveflows
Clears the existing active TCP and UDP flows using the following sequence of actions:
1 Configures the Sensor to layer2 mode.
2 Clears the existing TCP and UDP flows.
3 Configures the Sensor back to normal mode.
Syntax:
clearactiveflows
clrconnlimithost
Clears Connection Limiting host table.
Syntax:
clrconnlimithost
Applicable to:
M-series and NS-series Sensors.
datapathstat
This command shows datapath statistics and details for all parameters. You can enter a single
parameter to fetch the details.
Syntax:
datapath core <core_number|all> parameter <param|all>
Parameter  Description
core_number  A value between 0 and 31, or all.
param  One of the counters below, or all:
  datapath-cache-errors  datapath cache errors
  dp-rx-fcs-error-cnt  received FCS error count
  dp-tx-fcs-error-cnt  transmitted FCS error count
  fifo-dumm  fifo dumm
  fifo-inuse-or-double-rx-free-errors  FIFO in use or double receive-free errors
  fifo-inuse-or-double-tx-free-errors  FIFO in use or double transmit-free errors
  free-fifo  free FIFO
  free-tx-buf  free transmit buffer
  get-rx-buf-failed  get receive buffer failed
  get-tx-buf  get transmit buffer
  get-tx-buf-failed  get transmit buffer failed
  ip-checksum-err-pkt-count  IP checksum error packet count
  rx-bad  bad frames received
  rx-buf-added  receive buffers added
  rx-bytes  bytes received
  rx-cnt  receive count
  rx-descriptors-avail  receive descriptors available
  rx-empty  empty receives
  rx-frames  frames received
  rx-high-watermark-cnt  receive high watermark count
  rx-low-watermark-cnt  receive low watermark count
  rx-retry  receive retries
  rx-too-big  too-big frames received
  sensor-load  Sensor load
  tcp-checksum-err-pkt-count  TCP checksum error packet count
  tx-bytes  bytes transmitted
  tx-cnt  transmit count
  tx-done  transmit done
  tx-frames  frames transmitted
  tx-full-cnt  transmit full count
  tx-pending-cnt  transmit pending count
  udp-checksum-err-pkt-count  UDP checksum error packet count
Sample Output:
IntruDbg#> datapath core all parameter all
core 1
Tx frames: 0
Tx bytes: 0
Rx frames: 0
Rx bytes: 0
Rx bad: 0
Rx empty: 0
Rx retry: 0
Rx too big: 0
free fifo: 0
IP checksum err pkt count: 0
TCP checksum err pkt count: 0
UDP checksum err pkt count: 0
rx descriptors avail: 0
rx low watermark cnt: 0
rx high watermark cnt: 0
free tx buf: 0
tx done: 0
get tx buf: 0
get tx buf failed: 0
get rx buf failed: 0
tx dcnt: 0
rx dcnt: 0
rx buf added: 0
datapath cache errors: 0
fifo dumm: 0
Tx full cnt: 0
Tx pending cnt: 0
Fifo inuse/double Tx free errors: 0
Fifo inuse/double Rx free errors: 0
dp-rx-fcs-error-cnt: 0
dp-tx-fcs-error-cnt: 0
sensor-load: 0
Applicable to:
M-series and NS-series Sensors.
disable
Disables debug mode and switches back to normal CLI mode.
Syntax:
disable
Applicable to:
M-series and NS-series Sensors.
dossampling
By default, sub-sampling of UDP traffic is enabled, so the packet count reported in DoS alerts is lower than the actual attack volume. Use this command to disable or enable sub-sampling per direction.
Syntax:
dossampling <enable|disable> <inbound|outbound>
Example:
dossampling enable inbound
dossampling enable outbound
dossampling disable inbound
dossampling disable outbound
Applicable to:
M-series and NS-series Sensors.
dossampling status
Displays the status of dossampling (enabled or disabled).
Syntax:
dossampling status
Sample Output:
IntruDbg#> dossampling status
sub-sampling enabled in inbound direction
sub-sampling enabled in outbound direction
Applicable to:
M-series and NS-series Sensors.
downloadgamupdate
Syntax
downloadgamupdate
Sample output
Full Gam Update Request sent
dumpdebuglog
The dumpdebuglog command filters the sensor.log file for log messages that are coming from a
particular specified module. It displays logs based on number of lines or all logs.
Syntax:
dumpdebuglog <SupportedModuleName> <1-1000 | running>
where
<SupportedModuleName> is one of: cli, controlChannel, correlationEng, intfw, logging, logNode, packetLog, snmpAgent, systemCtrl, ivSensor, monitor, ssl, sig, authgw, sgap, sm, tsproc, nacfo, nacpolicy, deviceProfile, sofa, qvm, rad, or artemis.
<1-1000 | running>: a number prints that many of the latest log lines from the specified module; running prints all log lines from the module.
Applicable to:
M-series and NS-series Sensors.
dumpDeviceConfigSettings
This command displays the configuration of Device Profiling that has been enabled on the Sensor such
as timers, technique, and VIDS level configuration, if any.
Syntax:
dumpDeviceConfigSettings
Sample Output:
Global Settings:
deviceInactivityTimer:60
deviceReprofileTimer:5
deviceProfileEnableAtSensor:1
detectionTechniquesAtSensor:7
Per Vids Settings:
Vids Id:0 Per Vids Configuration:0
Vids Id:1 Per Vids Configuration:3
Vids Id:2 Per Vids Configuration:3
In this output:
• deviceInactivityTimer is the Host Inactivity Timer set in the Manager, in minutes.
• deviceReprofileTimer is the Profile Expiration Timer set in the Manager, in minutes.
• deviceProfileEnableAtSensor: 1 indicates enabled, 0 indicates disabled.
• detectionTechniquesAtSensor indicates which fingerprinting techniques are enabled on the Sensor. The value is a bit mask (DHCP = 1, TCP = 2, HTTP = 4), which gives the 7 possible combinations:
  1 DHCP
  2 TCP
  3 DHCP+TCP
  4 HTTP
  5 DHCP+HTTP
  6 TCP+HTTP
  7 DHCP+TCP+HTTP
The Per Vids Configuration values indicate the direction in which profiling is applied (0: neither direction):
• 1 indicates inbound.
• 2 indicates outbound.
• 3 indicates inbound and outbound.
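The following added example (not code from the McAfee guide) parses dumpDeviceConfigSettings output and decodes the two numeric fields as bit masks, which is the reading implied by the seven technique combinations listed above; the sample output is constructed in the shape of the one shown, and the function names are mine.

```python
import re

# Constructed sample in the shape of the dumpDeviceConfigSettings output above
# (not captured from a real Sensor).
SAMPLE_DEVICE_CONFIG = """\
Global Settings:
deviceInactivityTimer:60
deviceReprofileTimer:5
deviceProfileEnableAtSensor:1
detectionTechniquesAtSensor:7
Per Vids Settings:
Vids Id:0 Per Vids Configuration:0
Vids Id:1 Per Vids Configuration:3
Vids Id:2 Per Vids Configuration:1
"""

# Bit values inferred from the listed combinations (1 DHCP, 2 TCP, 4 HTTP).
TECHNIQUE_BITS = {1: "DHCP", 2: "TCP", 4: "HTTP"}
# Per-VIDS direction bits (1 inbound, 2 outbound, 3 both).
DIRECTION_BITS = {1: "inbound", 2: "outbound"}

VIDS_RE = re.compile(r"Vids Id:(\d+) Per Vids Configuration:(\d+)")


def decode_bits(value, names):
    """Expand a bit-mask integer into the names of its set bits, low bit first."""
    return [name for bit, name in sorted(names.items()) if value & bit]


def parse_device_config(text):
    """Return (global_settings, per_vids) from the command output."""
    global_settings, per_vids = {}, {}
    for line in text.splitlines():
        m = VIDS_RE.match(line)
        if m:
            per_vids[int(m.group(1))] = int(m.group(2))
        elif ":" in line and not line.endswith(":"):  # skip the section titles
            key, value = line.split(":", 1)
            value = value.strip()
            global_settings[key.strip()] = int(value) if value.isdigit() else value
    return global_settings, per_vids


def describe(text):
    """Decode the raw numbers into the settings as the Manager presents them."""
    g, v = parse_device_config(text)
    return {
        "enabled": g.get("deviceProfileEnableAtSensor") == 1,
        "inactivity_minutes": g.get("deviceInactivityTimer"),
        "reprofile_minutes": g.get("deviceReprofileTimer"),
        "techniques": decode_bits(g.get("detectionTechniquesAtSensor", 0), TECHNIQUE_BITS),
        "vids": {vid: decode_bits(cfg, DIRECTION_BITS) for vid, cfg in v.items()},
    }


if __name__ == "__main__":
    for key, val in describe(SAMPLE_DEVICE_CONFIG).items():
        print(f"{key}: {val}")
```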
dumpDeviceProfileStats
This command displays statistics about all the various types of events.
Syntax:
dumpDeviceProfileStats
Sample output:
Device Table Statistics:
Total no of devices in the table:15000
Total no of IP Addresses in the table:15000
Total no of MAC Addresses in the table:0
Total no of devices in the inactive list:0
Event Statistics:
Total no of Device Update Events Sent:0
Total no of Device Inactivate Events Sent:0
Total no of Mac Only Delete Events Sent:0
Total no of Device Events Sent to Rng Buf:0
Total no of Device Events Rejected(Because of Rng Buf Full):0
Total no of Device Events Received by Response Task:0
Total no of Device Events Sent to SBC:0
Current no of Device Events in Ring Buffer:0
Other Statistics:
Total no of dhcp fingerprinting failed:0
Total no of tcp fingerprinting failed:24335
Total no of instances when sending ctrl msgs failed:0
Total no of dhcp fingerprinting succeeded:0
Total no of tcp fingerprinting succeeded:170498
Total no of http fingerprinting succeeded:130
Total no of instances when sending ctrl msgs succeeded:170628
Total no of instances when request for new device node failed:0
Total no of instances when device Type or device Id changed with higher confidence:0
Total no of instances when os Type or os Id changed with higher confidence:98
Total no of instances when IP-MAC associations have changed:0
value = 0 = 0x0
dumpDeviceTableByAllIP
This command displays a list of all devices, that have been profiled, segregated by their IP address.
This command needs to be executed in the lm 3 mode to prevent a crash caused by excessive entries.
Syntax:
dumpDeviceTableByAllIP
Sample Output:
dumpDeviceTableByAllMAC
This command displays a list of all devices, that have been profiled, segregated by their MAC address.
This command needs to be executed in the lm 3 mode to prevent a crash caused by excessive entries.
Syntax:
dumpDeviceTableByAllMAC
Sample Output:
Total no of MAC Addresses in the table:0
Total no of device in the table:14994
dumpDevProfTableEntry
Displays the specific Device Profile Table entry.
Syntax:
dumpDevProfTableEntry (ip | mac ) WORD
dumpDevProfTableToLog
Logs the Device Profile Table data into the Sensor log file.
Syntax:
dumpDevProfTableToLog (ip| mac | all | stats)
dumpdgastats
Dumps data about bots and C&C servers suspected of using a domain generation algorithm (DGA) to a debug file. This command exists for debugging; use it to provide diagnostic data to McAfee Technical Support.
This command has no parameters.
Syntax:
dumpdgastats
Applicable to:
M-series, NS-series, and Virtual IPS Sensors.
flashcheck
Performs the flash consistency check.
Syntax:
flashcheck
On executing the command, the following messages are displayed:
Checking Flash may take more than 15 minutes and Sensor will go into Layer2 during
command execution.
Please enter Y to confirm: Y
Checking Flash....
Flash check successful. No errors in Flash
Applicable to:
M-series Sensors only.
getauthstats
Displays authentication details like logged user stats and web server status. This command has no
parameters.
Syntax:
getauthstats
Sample Output:
IntruDbg#> getauthstats
sgap Status = up.
Web Server Status = up.
Web Server Certificate Status = default
auth channel = up
peer auth channel = down
rxUnknownMsgTypeCount = 0.
rxUnknownISMMsgTypeCount = 0.
rxUnknownPeerMsgTypeCount = 0.
policyGetCount = 0.
policyUpdateCount = 0.
usrAuthCount = 0.
usrAuthSuccessCount = 0.
usrAuthFailCount = 0.
usrSelfRegCount = 0.
usrSelfRegSuccessCount = 0.
usrSelfRegFailCount = 0.
usrDisableCount = 0.
hostHealthCount = 0.
peerUsrDisableCount = 0.
reqISMPendingCount = 0.
reqISMTimeoutCount = 0.
reqPeerPendingCount = 0.
reqPeerTimeoutCount = 0.
authReqPendingCount = 0.
Applicable to:
M-series and NS-series Sensors.
getccstats
The getccstats command displays the statistics of the Sensor control channel module.
Syntax:
getccstats
Sample Output:
IntruDbg#> getccstats
sigfile tables = accessible.
manager-sensor trust = established.
sensor installation = complete
alert channel = up
peer alert channel = down
throttleThreshold = 1.
throttleInterval = 0.
throttleAction = 1.
failoverAction = 2.
failoverStatus = 3.
peerStatus = 5.
fail-open Action = 2.
rxSysEvCount = 14.
putSysEvUnCount = 0.
rxSysEvDecodeUnCount = 8.
txSysEvCount = 14.
rxSigAlertCount = 0.
rxScanAlertCount = 0.
rxDosAlertCount = 0.
rxTSMaliciousAlertCount = 0.
txAlertCount-Primary = 0.
txAlertCount-Secondary = 0.
txPerfAlertCount-Primary = 13.
txPerfAlertCount-Secondary = 0.
txAppIdStatsAlertCount-Primary = 0.
txAppIdStatsAlertCount-Secondary = 0.
throttleCount = 0.
copyPortDropCount = 0.
unknownPortInStandbyDropCount = 0.
rxAlertDecodeUnCount = 0.
rxCorrFlagReAlertCountt = 0.
rxScanFilterReAlertCount = 0.
rxShellCodeAlertCount = 0.
sslConflictAlertCount = 0.
sslConflictTimeCount = 0.
rxAlertFromCECount = 0.
txAlertToCECount = 0.
AlertsInRngBufPriCount = 0.
AlertsInRngBufSecCount = 0.
PutAlertInRngBufUnCount = 0.
ScanCorrAlertLogSubNodeThrottleOnCount = 0.
ScanCorrAlertLogNodeFlowOffCount = 0.
ScanCorrAlertLogSubNodeAddCount = 0.
ScanCorrAlertLogSubNodeAddFailedCount = 0.
ScanCorrAlertLogNodeAddCount = 0.
ScanCorrAlertLogNodeAddFailedCount = 0.
ScanCorrLogIdZeroCount = 0.
ScanCorrLogIdNonZeroCount = 0.
DummyAddLogNodeAddCount = 0.
DummyAddAlertLogNodeAddFailedCount = 0.
DummyAddLogSubNodeAddCount = 0.
DummyAddAlertLogSubNodeAddFailedCount = 0.
DummyAddLogSubNodeThrottleOnCount = 0.
DummyAddLogSubNodeThrottleOffCount = 0.
DummyAddLogNodeFlowOffCount = 0.
DummyFoundLogSubNodeThrottleOnCount = 0.
DummyFoundLogSubNodeThrottleOffCount = 0.
DummyFoundLogNodeFlowOffCount = 0.
DummyFoundLogNodeAlreadyThrottledCount = 0.
DummyFoundLogNodeCopyPortOffCount = 0.
AddLogNodeAddCount = 0.
AddLogNodeAddFailedCount = 0.
AddLogSubNodeAddCount = 0.
AddLogSubNodeAddFailedCount = 0.
AddLogSubNodeThrottleOnCount = 0.
AddLogSubNodeThrottleOffCount = 0.
AddLogNodeFlowOffCount = 0.
FoundLogSubNodeThrottleOnCount = 0.
FoundLogSubNodeThrottleOffCount = 0.
FoundLogNodeAlreadyThrottledCount = 0.
FoundLogNodeFlowOffCount = 0.
FoundLogNodeWasOrigDummyNodeCount = 0.
FoundLogSubNodeWasOrigDummyNodeCountNowThrottled = 0.
FoundLogSubNodeWasOrigDummyNodeCountNowNotThrottled = 0.
aclAlertThrottleMaxIpPair = 10.
aclAlertThrottleInterval = 120.
aclAlertThrottleAction = 1.
aclAlertThrottleThreshold = 5.
aclAlertDirectToSyslog = 2.
rxAclAlertCount = 0.
aclThrottleCount = 0.
txAclAlertCount = 0.
ezAlertThrottleMaxIpPair = 10.
ezAlertThrottleInterval = 120.
ezAlertThrottleAction = 1.
ezAlertThrottleThreshold = 5.
ezAlertDirectToSyslog = 0.
rxEzAlertCount = 0.
ezThrottleCount = 0.
txEzAlertCount = 0.
LogIdNodeListCount = 0.
GrpIdNodeListCount = 0.
LogIdListPtr = 0.
LogIdBlockPtr = 0.
LogIdSubListPtr = 0.
LogIdSubBlockPtr = 0.
LogIdHTPtr = 0.
GrpIdListPtr = 0.
GrpIdBlockPtr = 0.
GrpIdHTPtr = 0.
RxCorrSigAlertFromCECount = 0.
DatapathAlertSBFloodOnCount = 0.
RxSigAlertWithPLCount = 0.
RxPSAlertWithPLCount = 0.
RxHSAlertWithPLCount = 0.
TxPLlistDropMsgCount = 0.
TxPLlistSendMsgCount = 0.
fwdChangePLModeReqCount = 0.
fwdDelPLMsgCount = 0.
RxUnknown MsgId Count = 0.
Reboot/Wrap Count = 2015.
PL Reboot/Wrap Count = 2015.
purgeCnt0 = 0.
purgeCnt1 = 0.
AlertsInRngBufPriCount = 0.
AlertsInRngBufSecCount = 0.
PutAlertInRngBufUnCount = 0.
osfpUpdateMsgRxCnt = 0.
osfpInactivateMsgRxCnt = 0.
osfpMacOnlyDelMsgRxCnt = 0.
osfpUpdateMsgTxCnt = 0.
osfpInactivateMsgTxCnt = 0.
osfpMacOnlyDelMsgTxCnt = 0.
osfpBulkUpdateMsgRxCnt = 0.
osfpBulkInactivateMsgRxCnt = 0.
osfpBulkUpdateMsgTxCnt[EMS_PRIMARY] = 0.
osfpBulkUpdateMsgTxCnt[EMS_SECONDARY] = 0.
osfpBulkInactivateMsgTxCnt[EMS_PRIMARY] = 0.
osfpBulkInactivateMsgTxCnt[EMS_SECONDARY] = 0
Applicable to:
M-series and NS-series Sensors.
getcestats
The getcestats command displays the statistics of the Sensor correlation engine module.
Syntax:
getcestats
Sample Output:
IntruDbg#> getcestats
rxCount = 1, txCount = 0, unCount = 0,
reCount = 0.
sigAlertRxCount = 0, sigAlertTxCount = 0.
sigAlertReCount = 0, sigAlertPlMarkDelCount = 0.
RxUnknown MsgId Count = 0.
RxPLModeChangeReqCount: 0, rstCorrPktLogging Flag = 0.
packetLogSentCCCount = 0,
packetLogDropPLMsgCount = 0.
corrSigAlertTxCount = 0.
scanAlertTxCount = 0.
sweepAlertTxCount = 0.
scanRxCount = 0, scanAlertCount = 0.
sweepRxCount = 0, sweepAlertCount = 0.
osfpRxCount = 0, osfpAlertCount = 0.
bfRxCount = 0, bfAlertCount = 0.
svcRxCount = 0, svcAlertCount = 0.
genCorrRxCount = 0, genCorrAlertCount = 0.
Applicable to:
M-series and NS-series Sensors.
getmdrinfo
This command shows Manager Disaster Recovery (MDR) information like number of managers and IP
address details. This command has no parameters.
Syntax:
getmdrinfo
Sample Output:
IntruDbg#> getmdrinfo
No Of Managers = 1.
Active Ems Ip Address = 172.16.229.189.
Ems Priority = standalone
Ems HA Status = active
Ems HA Mode = standalone
Applicable to:
M-series and NS-series Sensors.
getplstats
The getplstats command displays the statistics of the Sensor packet channel module.
Syntax:
getplstats
Sample Output:
IntruDbg#> getplstats
sigfile tables : accessible.
log channel = up
peer log channel = down
rxLogCount = 0.
txLogCount-Primary = 0.
txLogCount-Secondary = 0.
rxLogDecodeUnCount = 0.
rxZeroLenLogCount = 0.
sslConflictLogCount = 0.
sslConflictTimeCount = 0.
DeleteLogIdMsgCount = 0.
ToBeDeletedLogIdNodeCount = 0.
LogNodeDeletedCount = 0.
DeleteGrpIdMsgCount = 0.
ToBeDeletedGrpIdNodeCount = 0.
LogNodeThrottleOnCount = 0.
LogNodeNotFlowCount = 0.
PktReCount = 0.
CopyPortNodeCount = 0.
DecodeSubLogMissed = 0.
DecodeLogMissed = 0.
DeleteLogMissed = 0.
DecAlreadyDelLogIdNodeCount = 0.
DecAlreadyExpLogIdNodeCount = 0.
DecScanCorrLogIdNodeCount = 0.
DecodeGrpMissed = 0.
DeleteGrpMissed = 0.
DecAlreadyDelGrpIdNodeCount = 0.
DecAlreadyExpGrpIdNodeCount = 0.
NumSavePacketLogs = 0.
NumSavePacketLogsSent = 0.
NumSavePacketLogsReCount = 0.
NumSavePacketLogsRlCount = 0.
RxDelPLMsgCount = 0.
RxSendPLMsgCount = 0.
ModeChangeReqSentCount = 0.
Current Mode = 0.
RxUnknown MsgId Count = 0.
numXLLogCreateCount = 0.
numXLLogDeleteCount = 0.
purgeCnt0 = 0.
purgeCnt1 = 0.
LogsInRngBufPriCount = 0.
LogsInRngBufSecCount = 0.
PutLogInRgBufUnCount = 0.
Applicable to:
M-series and NS-series Sensors.
getsastats
The getsastats command displays the statistics of the SNMP subagent.
Syntax:
getsastats
Sample Output:
IntruDbg#> getsastats
swImageVersion = 8.0.3.1.
hwVersion = 1.10.
serial number = S025250127.
signature set version = 8.6.0.6.
system type = M-1450.
Recvd datapaths and dos Init Done message from system controller.
Sent SNMP ready message to control channel.
Sigfile flag = 0
Number of datapaths = 8.
Connection to datapath 0 is ok.
Connection to datapath 1 is ok.
Connection to datapath 2 is ok.
Connection to datapath 3 is ok.
Connection to datapath 4 is ok.
Connection to datapath 5 is ok.
Connection to datapath 6 is ok.
Connection to datapath 7 is ok.
DOS connection status is ok.
IPv6 Status DISABLED
GTI Proxy Host 0.0.0.0
GTI Proxy Port 0
GTI Proxy Username ""
UsrIdAclfileDwnldCnt = 0
UsrIdAclIncrUpdtCnt = 0
osfpPersistMsgTxCount = 108
Applicable to:
M-series and NS-series Sensors.
getscstats
The getscstats command displays the statistics of the Sensor system controller.
Syntax:
getscstats
Sample Output:
IntruDbg#> getscstats
sysctrl ready to send INIT_ACKs to datapaths and dos
Acld Sigfile flag reset.
initial sigfile applied msg : received from datapaths and dos.
dos has sent INIT_DONE.
datapath 0 has sent INIT_DONE.
datapath 1 has sent INIT_DONE.
datapath 2 has sent INIT_DONE.
datapath 3 has sent INIT_DONE.
datapath 4 has sent INIT_DONE.
datapath 5 has sent INIT_DONE.
datapath 6 has sent INIT_DONE.
datapath 7 has sent INIT_DONE.
dos has sent READY.
datapath 0 has sent READY.
datapath 1 has sent READY.
datapath 2 has sent READY.
datapath 3 has sent READY.
datapath 4 has sent READY.
datapath 5 has sent READY.
datapath 6 has sent READY.
datapath 7 has sent READY.
Prefix 8.0.4E22.0.0
Applicable to:
M-series and NS-series Sensors.
ipfragstats
Displays IP fragment statistics, such as the number of IP fragments received or dropped. This
command has no parameters.
Syntax:
ipfragstats
Sample Output:
IntruDbg#> ipfragstats
datapath 56 :
Total number of IP Fragments received: 4172481
Total number of IP Flows: 3606080
Number of Duplicate fragments: 564254
Fwd Overlap old data packets: 5358
Number of Fragments dropped: 0
Fragments dropped for invalid options: 0
Number of Flows TimedOut: 3605366
Backward Overlap old data packets: 0
Fwd Overlap new data packets: 0
Backward Overlap new data packets: 0
Num Flows dropped for invalid checksum: 0
Error getting fifo buffers: 0
Number of Invalid Fragments: 0
Error getting Reassembled lists: 0
Number of fragments recvd after timeOut: 0
Number of jumbo frags forwaded: 0
Number of jumbo frags constructed: 0
Fragment requests submitted to DM: 3608227
Fragment DM operations completed: 3608227
Last fragment requests submitted to DM: 0
Last fragment DM operations completed: 0
DM invoked fragCB with NULL args: 0
DM invoked lastFragCB with NULL args: 0
Num fragment flows force freed: 0
Applicable to:
M-series and NS-series Sensors.
ipreassembly timeout millisecond
Configures the IP Fragmentation reassembly timeout period in milliseconds.
Syntax:
ipreassembly timeout millisecond (0 | <250-30000>)
Example:
ipreassembly timeout millisecond 0
ipreassembly timeout millisecond 300
Applicable to:
M-series and NS-series Sensors.
layer2 mode
Configures the Layer 2 mode.
Syntax:
layer2 mode <assert | deassert | deassert-all | off | on>
Parameter
Description
assert
Forces the Sensor into Layer 2 Passthru Mode (also known as L2 Mode). This helps in
troubleshooting network issues. When this command is used, the Sensor stays in L2 Mode
until one of two events occurs: the Sensor reboots, or the layer2 mode deassert command is
issued.
deassert
Forces the Sensor out of Layer 2 Passthru Mode. It is used to re-establish IPS processing
after a layer2 mode assert command is issued. This command should not be used to force a
Sensor out of L2 Mode if L2 Mode was triggered by a Sensor software failure; using the
command in this manner triggers a Sensor reboot.
off
Resets the layer 2 mode configuration. If an error occurs in the higher layer processing of
the collection subsystem, the Sensor reboots immediately instead of entering Layer 2 mode.
This command is issued when the Sensor is already forwarding traffic in Layer 2 mode; the
Sensor then reboots immediately, attempting to recover full detection functionality.
on
Enables the Layer 2 mode feature. If a failure occurs in the higher layer processing of the
collection subsystem, the Sensor is configured to forward all traffic at Layer 2. This
command does not force the Sensor to start forwarding traffic in Layer 2 mode immediately.
Default Value:
on
Examples:
The following command resets the layer 2 mode configuration.
IntruDbg#> layer2 mode off
IntruDbg#> layer2 mode deassert-all
Global level L2 config is set to assert. Hence L2 config can not be modified. To
modify L2 config, global level L2 needs to be deasserted.
Applicable to:
NS-series Sensors.
l7dpstat
The l7loadskipstat command displays the statistics of packets for which the scanning was skipped due
to load.
Syntax:
l7dpstat
Sample Output:
IntruDbg#> l7dpstat
datapath 0:
l7DatapathInstCnt: 7173
l7PriDatapathInstCnt: 0
l7DatapathPktCnt: 2115
l7PriDatapathPktCnt: 0
l3LoopCnt: 76426667
datapath 1:
l7DatapathInstCnt: 143
l7PriDatapathInstCnt: 0
l7DatapathPktCnt: 9
l7PriDatapathPktCnt: 0
l3LoopCnt: 2248470949
Applicable to:
M-series and NS-series Sensors.
l7show
This command shows layer 7 processing statistics for all datapaths.
Syntax:
l7show
Sample Output:
IntruDbg#> l7show
datapath 37 :
Total packets received: 37501712
pkt total: 0
Byte total: 0
Max extra binary scan pkts per monitored pkt: 0
Protocol for max extra binary scan pkts count: 0
datapath 38 :
Total packets received: 26998825
pkt total: 0
Byte total: 0
Max extra binary scan pkts per monitored pkt: 0
Protocol for max extra binary scan pkts count: 0
Applicable to:
M-series and NS-series Sensors.
logShowCfg
Displays the management module message log level.
Syntax:
logShowCfg
Sample Output:
IntruDbg#> logShowCfg
Logging is ON, mode: send to syslog
controlChannel (id = 0) : level = 0 (emergency)
correlationEng (id = 1) : level = 0 (emergency)
packetLog (id = 2) : level = 0 (emergency)
snmpAgent (id = 3) : level = 0 (emergency)
systemCtrl (id = 4) : level = 0 (emergency)
ivSensor (id = 5) : level = 0 (emergency)
cli (id = 6) : level = 0 (emergency)
monitor (id = 7) : level = 0 (emergency)
ssl (id = 8) : level = 0 (emergency)
sig (id = 9) : level = 0 (emergency)
logging (id = 10) : level = 0 (emergency)
logNode (id = 11) : level = 0 (emergency)
authgw (id = 13) : level = 0 (emergency)
sgap (id = 14) : level = 0 (emergency)
radm (id = 15) : level = 0 (emergency)
qvm (id = 16) : level = 0 (emergency)
radi (id = 17) : level = 0 (emergency)
artemis (id = 18) : level = 0 (emergency)
intfw (id = 19) : level = 0 (emergency)
tsproc (id = 20) : level = 0 (emergency)
rm (id = 22) : level = 0 (emergency)
deviceProfile (id = 24) : level = 0 (emergency)
sofa (id = 25) : level = 0 (emergency)
Applicable to:
M-series and NS-series Sensors.
maidstat
This command displays multi-attack ID (botnet) statistics.
Syntax:
maidstat
Sample Output:
IntruDbg#> maidstat
Core id range is not selected, Displaying ALL Regular MAID Component Attack IDs
Processed = 0
Known Bot Component Attack IDs Processed = 0
Zero Day Component Attack IDs Processed = 0
Nested Component Attack IDs Processed = 0
Nested Alert Processed= 0
Regular MAID Alerts Raised = 0
Known Bot Alerts Raised = 0
Zero Day Alerts Raised = 0
Regular MAID Alerts Not Sent = 0
Known Bot Alerts Not Sent = 0
Zero Day Alerts Not Sent = 0
Number of Component Attack IDs Over Threshold Met = 0
Number of Component Attack IDs Over Threshold Not Met = 0
Regular MAID Correlation Un-Success = 0
Known Bot Correlation Un-Success = 0
Zero Day Correlation Un-Success = 0
Zero Day TS Bad Reputation Heuristic = 0
Zero Day TS Good Reputation Ignored = 0
MAID Component Alert sent = 0
Next AND Stage Transition = 0
Out Of Order AND Stage = 0
MAID Correlation Tracked For Destination = 0
Hosts State Info Free Buffers = 2000 (2000)
Correlation AID State Free Buffers = 10000 (10000)
Component AID State Free Buffers = 50000 (50000)
Peer Hosts Info Free Buffers = 80000 (80000)
Zero Day AID State Free Buffers = 6000 (6000)
Zero Day Component AID State Free Buffers = 30000 (30000)
Hosts State Info Buffer Allocation Failed = 0
Correlation AID State Buffer Allocation Failed = 0
Component AID State Buffer Allocation Failed = 0
Peer Hosts Info Buffer Allocation Failed = 0
Zero Day AID State Buffer Allocation Failed = 0
Zero Day Component AID State Buffer Allocation Failed = 0
MAID Table Lookup Failed = 0
MAID Total Memory Used = 8980000
Applicable to:
M-series and NS-series Sensors.
matdChnstate WORD
Configures the Sensor-ATD server channel status.
Syntax:
matdChnstate WORD
Applicable to:
M-series and NS-series Sensors.
mobileDbg delete
Clears the mobile entries: IP, Phone, IMSI and APN.
Syntax:
mobileDbg delete
mobileDbg print
Displays the mobile entries: IP, Phone, IMSI and APN.
Syntax:
mobileDbg print
nsmChanState WORD
Use this command to view, enable, or disable the state of the SSL channel between the Sensor and
the Manager. This command applies to the SSL channels of both the primary and the secondary
Manager.
Syntax:
nsmChanState <on|off|status>
Example:
IntruDbg#> nsmChanState status
nsmChan is On
Applicable to:
M-series and NS-series Sensors.
perf
Displays the total count of watermark-exceeded events in the DoS processor.
Syntax:
perf
pptsetprioritytrafficratio
Sets the ratio by which high-priority traffic is given preference over normal-priority traffic
during packet processing.
Syntax:
pptsetprioritytrafficratio
The default value is 3; in this case, for every 3 packets processed from the high-priority packet
queue, only one packet is processed from the normal-priority packet queue.
You can set the ratio to a value from 1 to 5, where 1 gives the least preference to high-priority
traffic and 5 gives the most.
Applicable to:
M-series and NS-series Sensors.
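The weighted scheduling that the ratio describes, modelled as an added example (not McAfee code, and not how the Sensor implements its queues): each round drains up to `ratio` packets from the high-priority queue and then one from the normal-priority queue. The queue contents and the assumption that an empty queue is simply skipped rather than waited on are constructed for the illustration.

```python
"""Weighted round-robin between a high- and a normal-priority packet queue.

Added example modelling the pptsetprioritytrafficratio semantics: a ratio
of N means N high-priority packets are processed for every normal-priority
packet. Packet labels and queue lengths below are constructed; the rule
that an empty queue is skipped rather than waited on is an assumption.
"""
from collections import deque


def schedule(high, normal, ratio):
    """Return the order in which packets from the two queues are processed.

    `high` and `normal` are sequences of packet labels. Each round takes up
    to `ratio` packets from the high-priority queue, then one from the
    normal-priority queue, until both queues are empty.
    """
    if not 1 <= ratio <= 5:  # the documented configurable range
        raise ValueError("ratio must be between 1 and 5")
    hq, nq = deque(high), deque(normal)
    order = []
    while hq or nq:
        for _ in range(ratio):
            if not hq:          # assumption: do not idle on an empty queue
                break
            order.append(hq.popleft())
        if nq:
            order.append(nq.popleft())
    return order


def high_share(ratio, rounds=100):
    """Fraction of processed packets taken from the high-priority queue while
    both queues stay backlogged (a constructed steady-state load)."""
    order = schedule(["H"] * (ratio * rounds), ["N"] * rounds, ratio)
    return order.count("H") / len(order)


if __name__ == "__main__":
    # Constructed queues: four high-priority and two normal-priority packets.
    print(schedule(["H1", "H2", "H3", "H4"], ["N1", "N2"], 3))
    for r in range(1, 6):
        print(f"ratio {r}: high-priority share under backlog = {high_share(r):.2f}")
```

Under sustained backlog the high-priority share is ratio/(ratio+1), so the default of 3 gives normal-priority traffic one quarter of the processing slots; a ratio of 1 alternates the queues evenly.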
reset debugmode passwd
Resets the password for entering into the debug mode.
This command can be executed only from debug mode.
Syntax:
reset debugmode passwd
Applicable to:
M-series and NS-series Sensors.
resetalertstats
Resets the statistics of the alert channel.
Syntax:
resetalertstats
Sample Output:
IntruDbg#> resetalertstats
Alert and Log statistics reset to zero
Applicable to:
M-series and NS-series Sensors.
reset ratelimitstats
Resets the ratelimiting statistics.
Syntax:
reset ratelimitstats (1A|1B|2A|2B|3A|3B|4A|4B|5A|5B|6A|6B|7A|7B|8A|8B|9A|9B|10A|10B|
11A|11B|12A|12B|13A|13B|14A|14B|all)
Applicable to:
M-series Sensors only.
rspstat
Displays the datapath attack response related statistics. This command has no parameters.
Syntax:
rspstat
Sample Output:
IntruDbg#> rspstat
datapath 19 :
Number of TCP RST's sent: 0
Number of ICMP Msg's sent: 0
Number of VIDS's : 0
Number of Common AttackIds: 912865040
Number of Attacks dropped: 0
Number of packets received with Invalid VIDS Id: 0
Number of packets received with Invalid AttackId: 0
Count of out of list errors: 0
Number of Failover Packets freed: 0
Number of Attack Packets freed: 0
Number of Attacks received: 0
Number of packets received from PRPT: 0
Packets freed due to 'block' policy: 0
Number of packets forwarded inline: 0
Number of alerts with NO_RESP action: 0
Number of System events received: 0
Number of alerts suppressed by filters: 0
Number of attacks throttled: 0
Number of ARP packets received: 0
Number of 'dropAlerts Only' throttled: 0
TCP attacks dropped due to blocking: 0
UDP attacks dropped due to blocking: 0
ARP attacks dropped due to blocking: 0
IP attacks dropped due to blocking: 0
Applicable to:
M-series and NS-series Sensors.
sensor perf-debug show
Displays the top 5 protocol statistics as observed by the Sensor. The traffic details on the Sensor are
based on the sensor perf-debug time settings.
Syntax:
sensor perf-debug show
Sample Output:
IntruDbg#> sensor perf-debug show
No traffic detected on sensor
Applicable to:
M-series and NS-series Sensors.
sensor perf-debug upload-protoStats
Uploads the datapath protocol statistics to the management module.
Syntax:
show perf-debug upload-protoStats
Applicable to:
M-series and NS-series Sensors.
set aidlog
Logs the details for a specific attack ID. A maximum of 3 logs are added for an attack ID. These logs
are generated at /tftpboot/aidlog/.
Syntax:
set aidlog <off> <enable <WORD> | disable <WORD>>
Where <WORD> is the attack ID.
Parameter
Description
<off>
Turns off further logging for all enabled attack IDs but retains the existing logs.
<enable>
Turns on logging for the given attack ID.
<disable>
Turns off logging for the given attack ID.
The aidlog can be enabled for only 4 attacks at a time.
Applicable to:
M-series and NS-series Sensors.
set amchannelencryption
Configures the anti-malware channel encryption status.
Syntax:
set amchannelencryption <on | off>
Applicable to:
M-series and NS-series Sensors.
set inline drop packet log
Configures the maximum value of dropped packet information to be logged in the Sensor log file.
Syntax:
set inline drop packet log <0-255>
Sample Output:
IntruDbg#> set inline drop packet log 200
set inline drop packet log 200
Applicable to:
M-series and NS-series Sensors.
set inline traffic prioritization
Inline traffic prioritization gives preference to inline traffic over SPAN traffic during periods of
heavy load in the network. It is enabled by default, but can be configured through the CLI. You can
also view its status using this command.
Syntax:
set inline traffic prioritization <enable | disable>
Applicable to:
M-series, NS-series, and Virtual IPS Sensors.
set intfport id
Sets the adminstatus, operatingmode, flowcontrol, speed and duplex on the specified gigabit ethernet
monitoring port.
It is not mandatory to use all the parameters for this command.
Syntax:
set intfport id <port> <adminstatus up | adminstatus down> <ifo | ifc | tap| span>
<gig | auto>
Parameter
Description
<port>
A valid ethernet monitoring port on the Sensor.
• Valid port numbers for M-series are: 1A | 1B | 2A | 2B | 3A | 3B | 4A | 4B | 5A | 5B | 6A | 6B | 7A | 7B | 8A | 8B
• Valid port numbers for NS-series are: G0/1 | G0/2 | G1/1 | G1/2 | G1/3 | G1/4 | G1/5 | G1/6 | G1/7 | G1/8 | G1/9 | G1/10 | G1/11 | G1/12 | G2/1 | G2/2 | G2/3 | G2/4 | G2/5 | G2/6 | G2/7 | G2/8 | G2/9 | G2/10 | G2/11 | G2/12 | G3/1 | G3/2 | G3/3 | G3/4 | G3/5 | G3/6 | G3/7 | G3/8
<ifo | ifc | tap | span>
Changes the operating mode: in-line fail-open (ifo), in-line fail-close (ifc), tap, or span.
<gig | auto>
Sets the port speed to gigabit (gig) or to auto-negotiation (auto).
Example:
set intfport id 4B auto
Applicable to:
M-series and NS-series Sensors.
set ipfrag
Enables or disables IP fragment reassembly processing on datapaths.
Syntax:
set ipfrag <on | off>
Applicable to:
M-series and NS-series Sensors.
set ipsforunknownudp
Configures the status of IPS processing for unknown UDP packets.
Syntax:
set ipsforunknownudp <enable | disable>
Applicable to:
M-series and NS-series Sensors.
set l3
Enables or disables the layer 3 packet processing on datapaths.
This setting must be reconfigured after the Sensor is rebooted.
Syntax:
set l3 <on | off>
Applicable to:
M-series and NS-series Sensors.
set l7
Enables or disables layer 7 packet processing and attack detection on datapaths.
This setting must be reconfigured after the Sensor is rebooted.
Syntax:
set l7 <on | off>
Applicable to:
M-series and NS-series Sensors.
set l7ddosresponse
Configures the Layer 7 DDoS response status.
Syntax:
set l7ddosresponse <enable | disable>
Applicable to:
M-series and NS-series Sensors.
set loglevel
Assigns the log level for modules at each Sensor processing unit.
Syntax:
set loglevel <all | dos | dp | mgmt>
Applicable to:
M-series and NS-series Sensors.
set loglevel dos
Sets the DOS module message log level.
Syntax:
set loglevel dos (all | <0-21>) <0-16>
On executing the command, the following message is displayed:
IntruDbg#> set loglevel dos all 1
WARNING!!!: Changing the log level can adversely affect sensor performance. This
should be used selectively under guidance from Support or Development.
Excessive logging can result in sensor reboot.
Please enter Y to set loglevel now: Y
Applicable to:
M-series and NS-series Sensors.
set loglevel dp WORD
Sets the sibyte module message log level.
Syntax:
set loglevel dp WORD (all | <0-67>) <0-16>
On executing the command, the following message is displayed:
IntruDbg#> set loglevel dp WORD all 10
WARNING!!!: Changing the log level can adversely affect sensor performance. This
should be used selectively under guidance from Support or Development.
Excessive logging can result in sensor reboot.
Please enter Y to set loglevel now: Y
Applicable to:
M-series and NS-series Sensors.
set loglevel mgmt
Sets the management module message log level.
Syntax:
set loglevel mgmt (all | <0-12>) <0-15>
On executing the command, the following message is displayed:
IntruDbg#> set loglevel mgmt 5 15
WARNING!!!: Changing the log level can adversely affect sensor performance. This
should be used selectively under guidance from Support or Development.
Excessive logging can result in sensor reboot.
Please enter Y to set loglevel now: Y
Applicable to:
M-series and NS-series Sensors.
set ma wakeup port
Enables you to set the wake-up port for McAfee Agent.
Syntax:
set ma wakeup port [<1-65536>]
set malware split session parsing
This command enables or disables malware inspection of files that are downloaded as many segments.
Syntax:
set malware split session parsing <on | off>
Applicable to:
M-series and NS-series Sensors.
set malwareEngine
Use this command to enable or disable the following malware engines for Advanced Malware inspection.
Syntax:
set malwareEngine <pdf|flash|gti|gam|atd|mapk> <enable|disable>
Parameter
Description
<pdf|flash|gti|gam|atd|mapk>
The malware engine you wish to enable or disable:
• PDF/Flash Analysis
• Advanced Threat Defense
• GTI File Reputation
• McAfee Cloud
• Gateway Anti-Malware (GAM)
enable
Enables the malware engine.
disable
Disables the malware engine.
Sample Output:
IntruDbg#> set malwareEngine pdf enable
Successfully set pdf engine state to enable
Applicable to:
M-series and NS-series Sensors.
set mgmtprocessrestart
The Sensor often reboots due to crashes in the management module processes, causing downtime.
Using this command, you can enable the restart of the management module processes, which restores
the Sensor to normal functionality without going through the complete reboot cycle.
If any of the following four processes crashes or is killed, the system tries to restart them
automatically:
• Zebra (individual process; takes approximately 3-5 seconds)
• Process group: if any one of the control channel, correlation engine, or pktlog processes goes
down, all three are stopped and restarted in the following sequence:
  • Correlation Engine (process group; takes approximately 15-20 seconds)
  • Packet Log Channel (process group)
  • Control Channel (process group)
Syntax:
set mgmtprocessrestart enable
Use this command to enable the restart of the management module processes.
set mgmtprocessrestart disable
Use this command to disable the restart of the management module processes.
In case of a Control Channel group restart, the Alert and PktLog channels flap at the Manager. The
reason for this flap is unknown to the Manager, because the process that maintains the means of
communication (the alert channel) to the Manager is itself being restarted. These flaps are not
logged in the Sensor's events.log file.
• The process restart is visible only in the Sensor's default logs, not on the CLI.
• If a process crashes or is killed more than 3 times in an hour, the Sensor performs an
auto-recovery or a warm reboot, depending on the configuration.
• Not applicable to I-series Sensor models.
• This feature is enabled by default.
• For debugging management issues, you can leave the watchdog off; the Sensor then remains in
bad health and does not try to recover.
Applicable to:
M-series and NS-series Sensors.
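The restart policy described above, written out as an added example (not McAfee code, and not the Sensor's actual watchdog): Zebra restarts on its own, a crash of any process in the control channel/correlation engine/pktlog group restarts all three in the documented sequence, more than 3 crashes of one process within an hour escalates to a reboot, and a disabled watchdog takes no action. The process names, the `on_crash` interface, and the choice to clear the crash history after a reboot decision are assumptions made for the illustration.

```python
"""Recovery policy for management-module process crashes.

Added example modelling the behaviour documented for set
mgmtprocessrestart. Process names, the on_crash() interface and the
clearing of crash history after a reboot decision are assumptions.
"""
from collections import defaultdict, deque

# Processes restarted together, and the documented restart sequence.
PROCESS_GROUP = frozenset({"control channel", "correlation engine", "pktlog"})
GROUP_RESTART_ORDER = ("correlation engine", "pktlog", "control channel")
INDIVIDUAL = frozenset({"zebra"})       # restarted on its own

CRASH_WINDOW_SECONDS = 3600             # "more than 3 times in an hour"
MAX_CRASHES_PER_WINDOW = 3


class MgmtProcessWatchdog:
    """Decide the recovery action for each management-process crash."""

    def __init__(self, enabled=True):
        self.enabled = enabled          # set mgmtprocessrestart enable/disable
        self._history = defaultdict(deque)  # process -> crash timestamps (s)

    def on_crash(self, process, now):
        """Return (action, processes) for a crash of `process` at time `now`.

        action is "none" (watchdog off, Sensor stays in bad health),
        "restart" (with the processes to restart, in order) or "reboot"
        (auto-recovery or warm reboot, per configuration).
        """
        if process not in PROCESS_GROUP and process not in INDIVIDUAL:
            raise ValueError(f"not a watched management process: {process}")
        if not self.enabled:
            return ("none", ())

        hist = self._history[process]
        hist.append(now)
        # Drop crashes that fell out of the sliding one-hour window.
        while hist and now - hist[0] >= CRASH_WINDOW_SECONDS:
            hist.popleft()
        if len(hist) > MAX_CRASHES_PER_WINDOW:
            hist.clear()                # assumption: history resets on reboot
            return ("reboot", ())

        if process in INDIVIDUAL:
            return ("restart", (process,))
        return ("restart", GROUP_RESTART_ORDER)


if __name__ == "__main__":
    # Constructed crash timeline: a pktlog crash pulls the whole group down,
    # and a fourth correlation-engine crash inside an hour forces a reboot.
    wd = MgmtProcessWatchdog()
    print(wd.on_crash("zebra", 0))
    print(wd.on_crash("pktlog", 10))
    for t in (100, 200, 300, 400):
        print(t, wd.on_crash("correlation engine", t))
```

Because the channel flap during a Control Channel group restart is invisible at the Manager, a monitoring rule that alerts on alert-channel flaps should be correlated with the Sensor's default logs before treating the flap as a connectivity fault.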
set recon
Enables or disables reconnaissance attacks detection.
This setting must be reconfigured after the Sensor is rebooted.
Syntax:
set recon <on | off>
Applicable to:
M-series and NS-series Sensors.
show 40to10conversion status
This CLI command displays the status of the G0 ports (G0/1 and G0/2) on NS9x00 Sensors.
Syntax:
show 40to10conversion status
Sample Output:
IntruDbg#> show 40to10conversion status
40to10 conversion is DISABLED ret(0)
Applicable to:
NS9100 and NS9200 Sensors.
show aidlog status
Displays the status of the attack ID logging.
Syntax:
show aidlog status
Sample Output:
IntruDbg#> show aidlog status
Attack id log : On
Applicable to:
M-series and NS-series Sensors.
show all datapath error-counters
Displays the various error counters in the datapath packet processing.
Syntax:
show all datapath error-counters
Sample Output:
IntruDbg#> show all datapath error-counters
Error Counter From Datapath id: 0
========================================================
Error Counter of L3 Task
========================================================
l3CheckAndTriggerPktDelayCnt :0
ipOffsetLenIndxErrCnt :0
udpOffsetLenIndxErrCnt :0
icmpCksumErrCnt :0
tcpOffsetLenIndxErrCnt :0
tcpRstErrCount :0
tcpIllegalPktErrCount :0
tcpInvalidStateErrCount :0
tcpWindowErrCount :0
tcpNoFlowErrCount :0
l7PsErrCount :0
numFOPktsSentError :0
numErrSendingPktToPME :0
l3FFPipeAddErrors :0
sslErrorDecRxPkt :0
binDectErrorDecRxPkt :0
ipOffsetLenIndxErrMMCnt :0
ipv6OffsetLenIndxErrCnt :0
ipv6OffsetLenIndxErrMMCnt :0
iprfErrCount :0
iprfOffsetLenIndxErrCnt :0
tcpErrCount :0
tcpPawsErrCount :0
tcpNoFlowErrFFMatchedFlag :0
udpErrCount :0
udpNoFlowErrCount :0
udpProbeErrCnt :0
tcpSensorDestinedErrCnt :0
tcpIprfSensorDestinedErrCnt :0
fbdToFpgaErrorCount :0
icmpErrCount :0
otherIPErrCount :0
otherIPv6ErrCount :0
cSegDataLenErrCnt :0
icmpv6CksumErrCnt :0
icmpv6ErrCount :0
arpErrPktCount :0
fbdSendErrors :0
fbdPktInitErrorCount :0
icmpNoFlowErrCount :0
icmpv6NoFlowErrCount :0
vlanBrConfigErrorCount :0
vlanBrMappingErrorCount :0
========================================================
Error Counter of Response Task
=========================================================
numStatSendError :0
acrbCorrelateErrorCnt :0
numStatLogIdError :0
numStatLogFlowIdError :0
numStatLogSendError :0
numErrCreateLogId :0
numStatErrorDeleteLogId :0
alert_buf_alloc_err :0
alert_buf_getSemErr :0
alert_buf_retSemErr :0
alert_msgSemErr :0
l7Dcap_buf_alloc_error :0
numStatRngBufFull :0
l7_dcap_rngBuf_errors :0
cb_inactive_errors :0
numStatListsError :0
numErrSetTcpTask :0
========================================================
Error Counter of SSLtask
=========================================================
sslPktNoContextErrors :0
ssl_decrypt_v2MasterErrs :0
ssl_decrypt_v3PreMasterErrs :0
dssl_cryptoErr :0
dssl_otherErrs :0
ssl_error :0
pkbufSaeCrtError :0
pkbufSaeDestErrors :0
pkbufSaeFragErrors :0
pkbufSendCryptErrors :0
pkbufSendRsaErrors :0
sessionFreeErr :0
ssl_type_error :0
========================================================
Error Counter of Scan Task
=========================================================
ScanGetFifoErrors :0
========================================================
Error Counter of L7 Task
=========================================================
l7UnhandledErrorCount :0
eofPktErr :0
l7CntrHardwarePMEPacketErrorCt :0
l7CntrBScanErrors :0
l7CntrPMEDequoteErrorCt :0
l7RcvRbInPipeErrors :0
AtdtCntrResponseModuleErrorsOnAttackRaise:0
ddAllocErr :0
dequoteErrNoFree :0
========================================================
Error Counter of TcpUdpTask
=========================================================
tu4NacDirectIndexErrorCount :0
hqCtrlPktErrorCount :0
AclClientConnectionErr :0
AclClientMsgErrCount :0
nacHttpRedirectErrorCount :0
tcpConnAckPAWSErrCounter :0
tcpConnAckWinErrCounter :0
tcpConnAckWin0ErrCounter :0
tcpCBArrayIdxErr :0
tuErrorSendEOFCount :0
tuErrorSendEOFSemCount :0
tuEofFlowBufFlowIdErrCnt :0
========================================================
Error Counter of TlvTask
=========================================================
BadEccErrort :0
CorEccErrort :0
xff_buf_alloc_err :0
ipChkSumErrorDropCount :0
tcpChkSumErrorDropCount :0
udpChkSumErrorDropCount :0
icmpChkSumErrorDropCount :0
icmpv6ChkSumErrorDropCount :0
offHdrLenErrorDropCount :0
tcpProtocolErrorCount :0
udpProtocolErrorCount :0
icmpProtocolErrorCount :0
icmpv6ProtocolErrorCount :0
ipProtocolErrorCount :0
ipv6ProtocolErrorCount :0
L3L4ErrorDropCount :0
========================================================
Error Counter of hscan
=========================================================
ivHsConsumeTokenErrors :0
ivHsMakeStatePoolErrors :0
ivHsNonStreamNoDbErrors :0
resFromMgmtHashErr :0
resFromMgmtTimerErr :0
resFromMgmtErrorMgmt :0
resFromMgmtErrorArtemis :0
rstErr :0
TkdtCntrHwarePMResultErrors :0
========================================================
Error Counter of sw-pm
=========================================================
g_numErrsSendingPktsToMSPM :0
g_numErrsSendingPktsToPCRE :0
g_pendingAllocErrs :0
g_ErrorExtPendingList1 :0
g_ErrorExtPendingList2 :0
g_ErrorExtPendingList3 :0
g_ErrorExtPendingList4 :0
========================================================
Error Counter of IvCrpto
=========================================================
ivCrypto_rsaCommandErrs :0
ivCrypto_rsaPkcsErrs :0
ivCrypto_desLengthErrs :0
ivCrypto_desCommandErrs :0
ivCrypto_arc4CommandErrs :0
ivCrypto_aesLengthErrs :0
ivCrypto_aesCommandErrs :0
ivRemoteCryptoBadContextErrors :0
ivRemoteCryptoCtxInitFailedErrors :0
ivRemoteCryptoErrorsWhileCreating :0
ivRemoteCryptoErrorsWhileSending :0
ivRemoteCryptoCertMatchErrors :0
ivRemoteCryptoOpenCallCntWrapErrors :0
========================================================
Error Counter of IPFragTask
=========================================================
ip6CopyErrCount :0
ip6defragErrCount :0
dmIP6FragCallbackError :0
dmIP6LastFragCallbackError :0
ipCopyErrCount :0
ipdefragErrCount :0
numStatFifoError :0
numStatFragBuffersError :0
dmFragCallbackError :0
dmLastFragCallbackError :0
icmpFragErrCnt :0
sgapRspPktErrCnt :0
sgapReqPktErrCnt :0
sgapRSTPktErrCnt :0
========================================================
Error Counter of BDecode
=========================================================
smbGenericErrorMultipleHdrs :0
========================================================
Error Counter of IFSF
=========================================================
IFSFErr :0
========================================================
Error Counter of connLimiting
=========================================================
connRspRstErrCnt :0
connRspHostQErrCnt :0
putConnRefErrCnt[0] :0
putConnRefErrCnt[1] :0
Applicable to:
M-series and NS-series Sensors.
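A parser for the output format shown above, as an added example (not McAfee code): it groups the counters by datapath and task, lists every counter that is non-zero, and compares two snapshots so that a counter that is growing between polls stands out from one that is merely non-zero since boot. The sample text is an abbreviated, constructed rendering of the format, and its non-zero values are invented.

```python
"""Parse `show all datapath error-counters` output and flag error growth.

Added example, not McAfee code. SAMPLE_OUTPUT is a constructed, shortened
text in the same layout as the command's output; its non-zero values are
invented for the illustration.
"""
import re

SAMPLE_OUTPUT = """\
Error Counter From Datapath id: 0
========================================================
Error Counter of L3 Task
========================================================
icmpCksumErrCnt                                 :0
tcpNoFlowErrCount                               :1287
========================================================
Error Counter of IPFragTask
=========================================================
ipdefragErrCount                                :0
putConnRefErrCnt[0]                             :0
Error Counter From Datapath id: 1
========================================================
Error Counter of L3 Task
========================================================
tcpNoFlowErrCount                               :0
AtdtCntrResponseModuleErrorsOnAttackRaise:4
"""

DATAPATH_RE = re.compile(r"^Error Counter From Datapath id:\s*(\d+)\s*$")
TASK_RE = re.compile(r"^Error Counter of (.+?)\s*$")
# Counter names contain no spaces; the colon may or may not be padded.
COUNTER_RE = re.compile(r"^(\S+?)\s*:\s*(\d+)\s*$")


def parse_error_counters(text):
    """Return {datapath_id: {task_name: {counter_name: value}}}."""
    result = {}
    datapath = task = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) == {"="}:      # blank or "====" separator
            continue
        m = DATAPATH_RE.match(line)
        if m:
            datapath = int(m.group(1))
            result.setdefault(datapath, {})
            task = None
            continue
        m = TASK_RE.match(line)
        if m and datapath is not None:
            task = m.group(1)
            result[datapath].setdefault(task, {})
            continue
        m = COUNTER_RE.match(line)
        if m and datapath is not None and task is not None:
            result[datapath][task][m.group(1)] = int(m.group(2))
    return result


def nonzero_counters(parsed):
    """List (datapath, task, counter, value) for every counter above zero."""
    return [(dp, task, name, value)
            for dp, tasks in sorted(parsed.items())
            for task, counters in tasks.items()
            for name, value in counters.items()
            if value]


def diff_counters(before, after):
    """Counters that grew between two snapshots: (datapath, task, counter, delta)."""
    return [(dp, task, name, value - before.get(dp, {}).get(task, {}).get(name, 0))
            for dp, tasks in sorted(after.items())
            for task, counters in tasks.items()
            for name, value in counters.items()
            if value > before.get(dp, {}).get(task, {}).get(name, 0)]


if __name__ == "__main__":
    snapshot = parse_error_counters(SAMPLE_OUTPUT)
    for hit in nonzero_counters(snapshot):
        print("non-zero:", hit)
    # Constructed second poll in which one counter has advanced.
    later = parse_error_counters(SAMPLE_OUTPUT.replace(":1287", ":1300"))
    for hit in diff_counters(snapshot, later):
        print("growing:", hit)
```

Polling the command on a schedule and feeding the two snapshots to `diff_counters` turns a static wall of counters into a rate, which is what a health check actually needs: a large but stable value after months of uptime is far less interesting than a small one that climbed since the last poll.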
show amchannelencryption status
Displays the anti-malware channel encryption status.
Syntax:
show amchannelencryption status
Sample Output:
IntruDbg#> show amchannelencryption status
AntiMalware Channel Encryption status disabled
Applicable to:
M-series and NS-series Sensors.
show attack count
Displays the total number of attacks detected in a datapath.
Syntax:
show attack count
Sample Output:
IntruDbg#> show attack count
Datapath 0 :
Total attacks detected = 6963
Datapath 1 :
Total attacks detected = 1674303
Applicable to:
M-series and NS-series Sensors.
show botnet-usage
Displays botnet usage and statistics.
Syntax:
show botnet-usage
Sample output:
IntruDbg#> show botnet-usage
DAT File Status :Present
DAT File version : 778.0
Total IPv4 URL Entries : 0
Total IPv4 URL Entries Successful LookUps : 0
Total IPv6 URL Entries : 0
Total IPv6 URL Entries Successful LookUps : 0
Total URL Entries : 1414
Total URL Entries Successful LookUps : 0
Total Domain Entries : 1783
Total Domain Entries Successful LookUps : 0
Total Failed LookUps(False+/-) : 0
Total Bot IPv4 Seen : 0
Total Bot IPv6 Seen : 0
Total Entries Allocated : 720000
Total Entries Used : 115092
Total Entries Skipped(Same Domain Multiple URI) : 221
Total Entries Upgraded(Whole Domain Upgraded) : 0
Total DNS Domain Black Entries Successful Lookups : 5
Total DNS Failed Lookups : 3
Total DNS Resp Parse Succ : 0
Total DNS Resp Parse Failure : 0
Total DNS Resp Domains extracted successfully : 0
Total DNS Resp parsing forced complete : 0
Total DNS Resp A records extracted successfully : 0
Total DNS Resp AAAA records extracted successfully : 0
Total DNS Resp A records extraction failures : 0
Total DNS Resp AAAA records extraction failures : 0
Total exception matches found : 5
Total DAT black domain entries : 1316
DNS Sinkhole IP : 0x7f000001
DNS Sinkhole TTL (min) : 1
Applicable to:
M-series, NS-series, and Virtual IPS Sensors.
show connlimithost
Displays the Connection Limiting host table statistics.
Syntax:
show connlimithost
Sample Output:
IntruDbg#> show connlimithost
[connLimiting HostTbl Stats]
Max Host Cnt : 131072
Current Host Cnt : 0
Applicable to:
M-series and NS-series Sensors.
show connlimitstat
Displays the Connection Limiting statistics.
Syntax:
show connlimitstat
Sample Output:
IntruDbg#> show connlimitstat
[connLimiting Stats]
Blocked Connection Cnt : 0
TCP RST Connection Cnt : 0
Quarantine Cnt : 0
Alert Cnt : 0
Applicable to:
M-series and NS-series Sensors.
show datapath processunits
Displays the number of process units in a datapath.
Syntax:
show datapath processunits
Sample Output:
IntruDbg#> show datapath processunits
Datapath 0:
Process unit count 1
Process priority unit count 0
Datapath 1:
Process unit count 0
Process priority unit count 0
Applicable to:
M-series and NS-series Sensors.
show doscfg
This command displays the front-end configuration.
Syntax:
show doscfg
Sample Output:
IntruDbg#> show doscfg
Layer2 assert
INTF PORT 0
AdminStatus UP
OperatingMode INLINE_FAIL_CLOSED
Duplex : FULL
InOutType INSIDE
Mdix setting : DISABLED
10/100 Port Speed : NOT APPLICABLE
GigSpeedConfig AUTONEG
Applicable to:
M-series and NS-series Sensors.
show eccerrors
Displays the number of ECC errors.
Syntax:
show eccerrors
show fe stat
The show fe stat command provides the statistics of the frontend processor.
Syntax:
show fe stat
Sample Output:
IntruDbg#> show fe stat
No credit to forward a packet inline, Packets dropped count: 0
No credit to forward a packet to datapath, Packets dropped count: 0
Total IPV6 Packets count: 0
Total MPLS Packets count: 0
Total Double VLAN Packets count: 0
Total No feSwitch Tag Packets count: 0
The packet CRC error, Packets dropped count: 0
The packet Tx Abort error count: 0
The packet Tx Underrun error count: 0
RGmac Free Credit counter is 128
RGmac Tx0 Bucket is 32
RGmac Free In Descriptors is 9999 (10000)
RGmac Tx Descriptors is 0
RGmac Rx Pkt Counter is 42
RGmac Rx FCS Error Counter is 0
RGmac Rx Len Error Counter is 0
RGmac Tx Pkt Counter is 42
RGmac Tx FCS Error Counter is 0
show feature status
This CLI command displays the enable/disable status of the following features:
• HTTP Response Scanning
• Web Server Protection
• NTBA
• Malware Detection
• Heuristic Web Application
• IP Reputation
• L7 Data Collection
• Device Profiling
• X-Forwarded-For
• IPS Simulation
• Advanced Botnet Detection
• SSL Decryption
• Advanced Traffic Detection
• GTI Server
Syntax:
show feature status
Sample Output:
IntruDbg#> show feature status
HTTP Response Scanning : Disabled
NTBA : Disabled
Heuristic Web Application : Disabled
L7 Data Collection : Disabled
X-Forwarded-For : Disabled
Advanced Botnet Detection : Disabled
Advanced Traffic Detection : Disabled
Web Server Protection : Disabled
IP Reputation : Disabled
Device Profiling : Disabled
IPS Simulation : Disabled
Malware Detection : Disabled
SSL Decryption : Disabled
GTI Server : Enabled
Applicable to:
M-series and NS-series Sensors.
show feswitch port
The show feswitch port command displays the front-end switch statistics for different network
processors.
Syntax:
show feswitch port <a1 | a2 | b1 | c1>
Sample Output:
IntruDbg#> show feswitch port a1
Total Packets Received : 42
Total Packets Sent : 42
Total CRC Errors Received : 0
Total CRC Errros Sent : 0
Total Other Errors Received : 0
Total Other Errors Sent : 0
Applicable to:
M-series Sensors only.
show gam scan stats
Syntax:
show gam scan stats
Sample Output:
Local GAM Scan Statistics:
--------------------------
Total scan requested: 2
Total scan submitted to GAM: 2
Total Successful Scans: 2
Total Scan Failures: 0
Total scan misc error count: 0
Total scan req skipped due to filesize mismatch: 0
Total scan req skipped due to timeout in Queue : 0
show gmac
This command displays the gmac statistics.
Syntax:
show gmac
Sample Output:
IntruDbg#> show gmac
RGmac Free Credit counter is 128
RGmac Tx0 Bucket is 32
RGmac Free In Descriptors is 9999 (10000)
RGmac Tx Descriptors is 0
RGmac Rx Pkt Counter is 42
RGmac Rx FCS Error Counter is 0
RGmac Rx Len Error Counter is 0
RGmac Tx Pkt Counter is 42
RGmac Tx FCS Error Counter is 0
Applicable to:
M-series Sensors only.
show inline traffic prioritization status
Inline traffic prioritization gives preference to inline traffic over SPAN traffic during periods of heavy
load in the network. It is enabled by default, but can be configured through the CLI. You can view its
status using this command.
Syntax:
show inline traffic prioritization status
Sample Output:
Inline Traffic Prioritization Status enabled
Applicable to:
M-series, NS-series, and Virtual IPS Sensors.
show ipsforunknownudp status
Displays the configuration status of IPS processing for unknown UDP packets.
Syntax:
show ipsforunknownudp status
Sample Output:
IntruDbg#> show ipsforunknownudp status
IPS for Unknown UDP is enabled
Applicable to:
M-series and NS-series Sensors.
show ipfrag status
Displays the IP fragment reassembly processing status.
Syntax:
show ipfrag status
Sample Output:
IntruDbg#> show ipfrag status
IP Fragment processing enabled
Applicable to:
M-series and NS-series Sensors.
show layer2 portlevel
This command displays the layer 2 configuration for each Sensor port pair.
Syntax:
show layer2 portlevel
Sample Output:
IntruDbg#> show layer2 portlevel
Currently no port pair have layer2 config enabled
Applicable to:
NS-series Sensors.
show l3 status
Displays the layer 3 packet processing status on datapaths.
Syntax:
show l3 status
Sample Output:
IntruDbg#> show l3 status
Layer3 processing enabled
Applicable to:
M-series and NS-series Sensors.
show l7 status
Displays the layer 7 protocol parsing and attack detection status on datapaths.
Syntax:
show l7 status
Sample Output:
IntruDbg#> show l7 status
Layer7 processing enabled
Applicable to:
M-series and NS-series Sensors.
show l7dcap-usage
Syntax:
show l7dcap-usage
Information displayed by the show l7dcap-usage command includes:
• Layer-7 Dcap Buffers Allocated at Initialization
• Layer-7 Dcap Alert Buffers Allocate Error
• Layer-7 Dcap Buffers Available now
• Layer-7 Dcap Regular Alerts Sent
• Layer-7 Dcap Buffers Allocated Errors
• Layer-7 Dcap Special Alerts sent
• Layer-7 Dcap Alert Buffers Allocated
• Layer-7 Dcap Context End Alerts Sent
• Layer-7 Dcap Alert Buffers Available
• Layer-7 Dcap CB InActive when DCAP Called
Sample Output:
IntruDbg#> show l7dcap-usage
Layer-7 Dcap Buffers Allocated at Init 5600
Layer-7 Dcap Buffers Available now 5565
Layer-7 Dcap Buffers Alloc Errors 0
Layer-7 Dcap Alert Buffers Allocated 16384
Layer-7 Dcap Alert Buffers Available 16384
Layer-7 Dcap Alert Buffers Allocate Error 0
Layer-7 Dcap Regular Alert's Sent 0
Layer-7 Dcap Special Alert's sent 0
Layer-7 Dcap Context End Alert's Sent 0
Layer-7 Dcap CB InActive when DCAP Called 0
Layer-7 Dcap Ring Buffer Errors 0
Alert Ring Buffer Full Cnt 0
Num Alerts Dropped at Sensors 0
Layer-7 Dcap Fifo Check Seen 0
Applicable to:
M-series and NS-series Sensors.
show l7ddosresponse status
This command displays whether layer 7 DDoS response is enabled or disabled. Layer 7 DDoS response
is enabled by default. When enabled, the Sensor drops packets for the server-based DDoS function
(when the maximum number of simultaneous connections to the web server exceeds the threshold) and
applies quarantine for the client-based DDoS function (when the maximum URL request rate exceeds
the threshold).
Syntax:
show l7ddosresponse status
Sample Output:
IntruDbg#> show l7ddosresponse status
L7ddos Response Status enabled
Applicable to:
M-series and NS-series Sensors.
show l7ddosstat
Displays the layer 7 DDoS-related statistics.
Syntax:
show l7ddosstat
Sample Output:
IntruDbg#> show l7ddosstat
[L7 DDOS Stats]
L7ddos active http connections : 10000
L7ddos Drop Count : 1426
L7ddos Slow Connections closed : 0
L7ddos Challenge Sent Count : 2
L7ddos Challenge Valid Count : 1
L7ddos Challenge Failed Count : 0
Applicable to:
M-series and NS-series Sensors.
show layer2 reason
This command displays why the Sensor moved to layer 2 mode.
Syntax:
show layer2 reason
Sample Output:
IntruDbg#> show layer2 reason
Layer2 reason: assert
The Sensor goes into layer 2 mode while active flows are being cleared.
Applicable to:
M-series and NS-series Sensors.
show malwareEngine status
Displays the status of the following malware engines:
• GTI File Reputation
• Advanced Threat Defense
• PDF/Flash Analysis
• McAfee Cloud
• Gateway Anti-Malware (GAM)
Syntax:
show malwareEngine status
Sample Output:
IntruDbg#> show malwareEngine status
PDF Engine : Enable
GTI Engine : Enable
GAM Engine : Enable
ATD Engine : Enable
Flash Engine : Enable
Mobile APK Engine : Enable
Applicable to:
M-series and NS-series Sensors.
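Added example, not code from the guide or the product: a small Python check that parses the name : state lines produced by show feature status and show malwareEngine status and compares them against an operator-defined baseline, so that drift such as IPS Simulation being enabled on a Sensor that is expected to block is caught. The two sample outputs and EXPECTED_BASELINE are constructed for this example (the baseline is a hypothetical operator policy, not a McAfee default).

```python
import re
from typing import Dict, List

# Constructed sample modelled on the show feature status output above; not captured
# from a device. IPS Simulation is deliberately Enabled here to show a drift finding.
SAMPLE_FEATURE_STATUS = """\
IntruDbg#> show feature status
HTTP Response Scanning : Disabled
NTBA : Disabled
IPS Simulation : Enabled
Malware Detection : Disabled
SSL Decryption : Disabled
GTI Server : Enabled
"""

# Constructed sample modelled on show malwareEngine status; note that this command
# prints "Enable"/"Disable" rather than "Enabled"/"Disabled".
SAMPLE_ENGINE_STATUS = """\
IntruDbg#> show malwareEngine status
PDF Engine : Enable
GTI Engine : Enable
GAM Engine : Disable
"""

# One "<name> : <state>" line; the optional trailing "d" accepts both spellings.
STATUS_RE = re.compile(r"^(?P<name>[^:]+?)\s*:\s*(?P<state>Enabled?|Disabled?)\s*$")


def parse_status(text: str) -> Dict[str, bool]:
    """Map each feature or engine name to True (enabled) or False (disabled).

    Lines that do not fit the pattern (the CLI prompt, blank lines) are ignored.
    """
    result: Dict[str, bool] = {}
    for line in text.splitlines():
        m = STATUS_RE.match(line.strip())
        if m:
            result[m.group("name")] = m.group("state").startswith("Enable")
    return result


# Hypothetical baseline for a blocking inline Sensor (constructed for this example).
EXPECTED_BASELINE: Dict[str, bool] = {
    "IPS Simulation": False,   # simulation mode alerts only and does not block
    "Malware Detection": True,
    "GTI Server": True,
}


def check_drift(observed: Dict[str, bool], baseline: Dict[str, bool]) -> List[str]:
    """Return one message per baseline entry that is missing or differs from the Sensor."""
    drift: List[str] = []
    for name, want in baseline.items():
        if name not in observed:
            drift.append(f"{name}: not reported by the Sensor")
        elif observed[name] != want:
            seen = "Enabled" if observed[name] else "Disabled"
            expected = "Enabled" if want else "Disabled"
            drift.append(f"{name}: observed {seen}, expected {expected}")
    return drift


if __name__ == "__main__":
    for msg in check_drift(parse_status(SAMPLE_FEATURE_STATUS), EXPECTED_BASELINE):
        print("DRIFT", msg)
    print("engines:", parse_status(SAMPLE_ENGINE_STATUS))
```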
show malwareclientstats
Displays the malware client statistics in all scan engines for all supported file types.
Syntax:
show malwareclientstats
Sample Output:
IntruDbg#> show malwareclientstats
Core id range is not selected, Displaying ALL
----------------------------------
SOFA CLIENT FILE-ENGINE STATISTICS:
----------------------------------
SOFA CLIENT FILE TYPE PDF Files (3) STATISTICS:
----------------------------------
Dcap Start Cnt: 1
Dcap End Cnt: 2
Dcap End-At-Offset Cnt: 0
New-File-Dwnld Pkt Cnt: 1
File-Data Pkt Cnt: 457
Scan-Req Pkt Cnt: 1
Error-Out Pkt Cnt: 1
New-File-Dwnld-Rsp Pkt Cnt: 0
Scan-Rsp Pkt Cnt: 1
Error-In Pkt Cnt: 0
Session Timer Allocated: 1
Session Timer Freed: 1
Session Timer Triggered: 0
Scan Timer Allocated: 0
Scan Timer Freed: 0
Scan Timer Triggered: 0
Pkt-Hold Timer Allocated: 1
Pkt-Hold Timer Freed: 1
Pkt-Hold Timer Triggered: 1
SOFA CLIENT STATISTICS PDF_JS EMULATOR ENGINE FOR FILE TYPE PDF Files (3):
Scan Req Cnt: 1
Scan Rsp Cnt: 1
Scan Rsp Rcvd Within Pkt-Hold Tmr: 0
Scan Rsp Rcvd Within Scan Tmr: 0
Scan Rsp Rcvd Within Sess Tmr : 1
Scan Rsp Discarded: 0
Error Result Cnt : 0
L7-DCAP Copy Cnt: 0
L7-DCAP Copy Error Cnt: 0
Resp-Action Block: 4
Resp-Action No-Block: 0
Resp-Action Alert: 4
Resp-Action No-Alert: 0
Resp-Action TCP-Reset: 4
Resp-Action No-TCP-Reset : 0
Clean Files: 0
Malware Score Very-Low: 0
Malware Score Low: 0
Malware Score Medium: 2
Malware Score High: 0
Malware Score Very-High: 2
Malware Score Unknown: 0
SOFA CLIENT STATISTICS FLASH ENGINE FOR FILE TYPE PDF Files (3):
Scan Req Cnt: 0
Scan Rsp Cnt: 0
Scan Rsp Rcvd Within Pkt-Hold Tmr: 0
Scan Rsp Rcvd Within Scan Tmr: 0
Scan Rsp Rcvd Within Sess Tmr : 0
Scan Rsp Discarded: 0
Error Result Cnt : 0
L7-DCAP Copy Cnt: 0
L7-DCAP Copy Error Cnt: 0
Resp-Action Block: 0
Resp-Action No-Block: 0
Resp-Action Alert: 0
Resp-Action No-Alert: 0
Resp-Action TCP-Reset: 0
Resp-Action No-TCP-Reset : 0
Clean Files: 0
Malware Score Very-Low: 0
Malware Score Low: 0
Malware Score Medium: 0
Malware Score High: 0
Malware Score Very-High: 0
Malware Score Unknown: 0
SOFA CLIENT STATISTICS Mobile Cloud ENGINE FOR FILE TYPE PDF Files (3):
Scan Req Cnt: 0
Scan Rsp Cnt: 0
Scan Rsp Rcvd Within Pkt-Hold Tmr: 0
Scan Rsp Rcvd Within Scan Tmr: 0
Scan Rsp Rcvd Within Sess Tmr : 0
Scan Rsp Discarded: 0
Error Result Cnt : 0
L7-DCAP Copy Cnt: 0
L7-DCAP Copy Error Cnt: 0
Resp-Action Block: 0
Resp-Action No-Block: 0
Resp-Action Alert: 0
Resp-Action No-Alert: 0
Resp-Action TCP-Reset: 0
Resp-Action No-TCP-Reset : 0
Clean Files: 0
Malware Score Very-Low: 0
Malware Score Low: 0
Malware Score Medium: 0
Malware Score High: 0
Malware Score Very-High: 0
Malware Score Unknown: 0
SOFA CLIENT STATISTICS Gateway Anti-Malware ENGINE AND FILE TYPE PDF Files (3):
Scan Req Cnt: 0
Scan Rsp Cnt: 0
Scan Rsp Rcvd Within Pkt-Hold Tmr: 0
Scan Rsp Rcvd Within Scan Tmr: 0
Scan Rsp Rcvd Within Sess Tmr : 0
Scan Rsp Discarded: 0
Error Result Cnt : 0
L7-DCAP Copy Cnt: 0
L7-DCAP Copy Error Cnt: 0
Resp-Action Block: 0
Resp-Action No-Block: 0
Resp-Action Alert: 0
Resp-Action No-Alert: 0
Resp-Action TCP-Reset: 0
Resp-Action No-TCP-Reset : 0
Clean Files: 0
Malware Score Very-Low: 0
Malware Score Low: 0
Malware Score Medium: 0
Malware Score High: 0
Malware Score Very-High: 0
Malware Score Unknown: 0
SOFA CLIENT STATISTICS GTI File Reputation ENGINE AND FILE TYPE PDF Files (3):
Scan Req Cnt: 0
Scan Rsp Cnt: 0
Scan Rsp Rcvd Within Pkt-Hold Tmr: 0
Scan Rsp Rcvd Within Scan Tmr: 0
Scan Rsp Rcvd Within Sess Tmr: 0
Scan Rsp Discarded: 0
Error Result Cnt: 0
L7-DCAP Copy Cnt: 0
L7-DCAP Copy Error Cnt: 0
Resp-Action Block: 0
Resp-Action No-Block: 0
Resp-Action Alert: 0
Resp-Action No-Alert: 0
Resp-Action TCP-Reset: 0
Resp-Action No-TCP-Reset: 0
Clean Files: 0
Malware Score Very-Low: 0
Malware Score Low: 0
Malware Score Medium: 0
Malware Score High: 0
Malware Score Very-High: 0
Malware Score Unknown: 0
SOFA CLIENT STATISTICS FILE SAVE ENGINE AND FILE TYPE PDF Files (3):
Scan Req Cnt: 1
Scan Rsp Cnt: 1
Scan Rsp Rcvd Within Pkt-Hold Tmr: 0
Scan Rsp Rcvd Within Scan Tmr: 0
Scan Rsp Rcvd Within Sess Tmr: 1
Scan Rsp Discarded: 0
Error Result Cnt: 0
L7-DCAP Copy Cnt: 0
L7-DCAP Copy Error Cnt: 0
Resp-Action Block: 0
Resp-Action No-Block: 0
Resp-Action Alert: 0
Resp-Action No-Alert: 0
Resp-Action TCP-Reset: 0
Resp-Action No-TCP-Reset: 0
Clean Files: 0
Malware Score Very-Low: 0
Malware Score Low: 0
Malware Score Medium: 0
Malware Score High: 0
Malware Score Very-High: 0
Malware Score Unknown: 0
SOFA CLIENT STATISTICS BLACKLIST ENGINE AND FILE TYPE PDF Files (3):
Scan Req Cnt: 0
Scan Rsp Cnt: 0
Scan Rsp Rcvd Within Pkt-Hold Tmr: 0
Scan Rsp Rcvd Within Scan Tmr: 0
Scan Rsp Rcvd Within Sess Tmr: 0
Scan Rsp Discarded: 0
Error Result Cnt: 0
L7-DCAP Copy Cnt: 0
L7-DCAP Copy Error Cnt: 0
Resp-Action Block: 0
Resp-Action No-Block: 0
Resp-Action Alert: 0
Resp-Action No-Alert: 0
Resp-Action TCP-Reset: 0
Resp-Action No-TCP-Reset: 0
Clean Files: 0
Malware Score Very-Low: 0
Malware Score Low: 0
Malware Score Medium: 0
Malware Score High: 0
Malware Score Very-High: 0
Malware Score Unknown: 0
SOFA CLIENT STATISTICS Advanced Threat Detection ENGINE AND FILE TYPE PDF Files (3):
Scan Req Cnt: 0
Scan Rsp Cnt: 0
Scan Rsp Rcvd Within Pkt-Hold Tmr: 0
Scan Rsp Rcvd Within Scan Tmr: 0
Scan Rsp Rcvd Within Sess Tmr: 0
Scan Rsp Discarded: 0
Error Result Cnt: 0
L7-DCAP Copy Cnt: 0
L7-DCAP Copy Error Cnt: 0
Resp-Action Block: 0
Resp-Action No-Block: 0
Resp-Action Alert: 0
Resp-Action No-Alert: 0
Resp-Action TCP-Reset: 0
Resp-Action No-TCP-Reset: 0
Clean Files: 0
Malware Score Very-Low: 0
Malware Score Low: 0
Malware Score Medium: 0
Malware Score High: 0
Malware Score Very-High: 0
Malware Score Unknown: 0
SOFA CLIENT STATISTICS Anti-Malware Engine (on Advanced Threat Defense ENGINE) AND
FILE TYPE PDF Files (3):
Scan Req Cnt: 0
Scan Rsp Cnt: 0
Scan Rsp Rcvd Within Pkt-Hold Tmr: 0
Scan Rsp Rcvd Within Scan Tmr: 0
Scan Rsp Rcvd Within Sess Tmr: 0
Scan Rsp Discarded: 0
Error Result Cnt: 0
L7-DCAP Copy Cnt: 0
L7-DCAP Copy Error Cnt: 0
Resp-Action Block: 0
Resp-Action No-Block: 0
Resp-Action Alert: 0
Resp-Action No-Alert: 0
Resp-Action TCP-Reset: 0
Resp-Action No-TCP-Reset: 0
Clean Files: 0
Malware Score Very-Low: 0
Malware Score Low: 0
Malware Score Medium: 0
Malware Score High: 0
Malware Score Very-High: 0
Malware Score Unknown: 0
Applicable to:
M-series and NS-series Sensors.
show malwareserverstats
Displays the malware server statistics in all scan engines for all supported file types.
Syntax:
show malwareserverstats
Sample Output:
IntruDbg#> show malwareserverstats
Packet Holder Statistics:
------------------------
Pkt Hldr Alloc Cnt: 3502.
Pkt Hldr Free Cnt: 3499.
Pkt Hldr Alloc Error Cnt: 0.
Packet Holder Error Statistics:
------------------------------
Pkt hlder buf in Use and allocated again: 0.
Pkt hlder buf double frees: 0.
Write Holder Statistics:
-----------------------
Write Hldr Alloc Cnt: 5.
Write Hldr Free Cnt: 5.
Write Hldr Alloc Error Cnt: 0.
Session Node Statistics:
-----------------------
Session Node Alloc Cnt: 1.
Session Node Free Cnt: 1.
Session Close Cnt: 1.
Session Node Alloc Error Cnt: 0.
FileManager Node Statistics:
---------------------------
FM Node Alloc Cnt: 1.
FM Node Free Cnt: 1.
FM Alloc Err Cnt: 0.
FM Free Error Cnt: 0.
Session Timer Statistics:
------------------------
Session Timer Add Cnt: 1.
Session Timer Delete Cnt: 1.
Session Timer Trigger Cnt: 0.
Session Timer Reupdate Trigger Cnt: 0.
Ctrl Msg Session Timer Cnt: 0.
Session Timer Add Error Cnt: 0.
Scan Timer Statistics:
----------------------
Scan Timer Add Cnt: 1.
Scan Timer Delete Cnt: 1.
Scan Timer Trigger Cnt: 0.
Ctrl Msg Scan Timer Cnt: 0.
Scan Timer Add Error Cnt: 0.
SOFA Thread Load Statistics:
----------------------------
Server Thread Load: 0.
External Write Load: 0.
Internal Write Load: 0.
PDF-JS Scan Load: 0.
NSM Write Load: 0.
File Upload to NSM Load: 0.
Flash Scan Thread Load: 0.
SOFA Control Message Statistics:
-------------------------------
Ctrl Msg via Socket Pkt Cnt: 435.
Ctrl Msg Pkt Processed by SOFA-Server: 437.
Ctrl Msg Read Error Cnt: 0.
Ctrl Msg Sigfile Parse Msg Cnt: 1.
SOFA Protocol Statistics:
------------------------
Sibyte to SBC Pkt Read Cnt: 461.
Sibyte to SBC Pkt Processed by SOFA-Server: 461.
Sibyte to SBC Pkt Read Discard Cnt: 0.
Sofa-Protocol New File Dwnld Req Pkt Cnt: 1.
Sofa-Protocol File Data Pkt Cnt: 457.
Sofa-Protocol Scan Req Pkt Cnt: 2.
Sofa-Protocol Error Msg In Pkt Cnt: 1.
Sofa-Protocol Pkt seq num mismatch cnt: 0.
Sofa-Protocol New File Dwnld Rsp Pkt Cnt: 0.
Sofa-Protocol Error Msg Out Pkt Cnt: 0.
Sofa-Protocol Scan Rsp Pkt Cnt: 3.
Scan Rsp File Info Pkt Cnt: 1.
Multi-Flow New File Dwnld Req Pkt Cnt: 0.
Multi-Flow File Data Pkt Cnt: 0.
Multi-Flow Scan Req Pkt Cnt: 0.
Multi-Flow Error Msg In Pkt Cnt: 0.
Multi-Flow Md5 Calculated cnt: 0.
Multi-Flow Error Msg Out Pkt Cnt: 0.
Multi-Flow Scan Rsp Pkt Cnt: 0.
Multi-Flow Scan Rsp File Info Pkt Cnt: 0.
UDF Statistics:
--------------
UDF Scan-Q Add Cnt: 0.
Scan Rsp UDF Pkt Cnt: 0.
GTI File Reputation Statistics:
------------------
File Reputation Scan-Q Add Cnt: 0.
Ctrl Msg Artemis Rslt Cnt: 0.
Scan Rsp Artemis Pkt Cnt: 0.
PDF-JS Emulator Statistics:
--------------------------
PDF-JS Emulator Scan-Q Add Cnt: 1.
PDF-JS Emulator Scan-DQ Cnt: 1.
PDF-JS Emulator Scan Discard Cnt: 0.
PDF-JS Emulator Scan Skip Cnt: 0.
Pdf JS Cache hit Cnt: 0.
Ctrl Msg PDF-JS Emulator Rslt Cnt: 1.
Scan Rsp PDF-JS Emulator Pkt Cnt: 1.
Flash Engine Statistics:
--------------------------
Flash Analyzer Scan-Q Add Cnt: 0.
Flash Analyzer Scan-Q Skip Cnt(due to heavy load): 0.
Flash Analyzer Scan Discard Cnt: 0.
Flash Cache hit Cnt: 0.
Ctrl Msg Flash Analyzer Rslt Cnt: 0.
Scan Rsp Flash Analyzer Pkt Cnt: 0.
Err Rsp Flash Analyzer Pkt Cnt: 0.
Mobile Cloud Engine Statistics:
--------------------------
Mcafee Cloud Scan-Q Add Cnt: 0.
Mcafee Cloud Scan Discard Cnt: 0.
Mcafee Cloud Cache hit Cnt: 0.
Mcafee Cloud Ctrl Msg Rslt Cnt: 0.
Mcafee Cloud Scan Rsp Pkt Cnt: 0.
File Save Statistics:
--------------------
File Save Q Add Cnt: 1.
File Save DQ Cnt: 1.
File Save Discard Cnt: 0.
Ctrl Msg File Save Rslt Cnt: 1.
Scan Rsp File Save Pkt Cnt: 1.
Gateway Anti Malware Statistics:
-------------------------------
Scan-Q Add Cnt: 0.
Scan Rsp Pkt Cnt: 0.
Advanced Threat Defense Dynamic Analysis Statistics:
--------------------------------
Scan-Q Add Cnt: 0.
Scan Rsp Pkt Cnt: 0.
NTBA and Advanced Threat Defense Protocol Statistics:
--------------------------------
Status Query Pkt Cnt: 0 0
New Dwnld Req Pkt Cnt: 0 0
File Data Pkt Cnt: 0 0
Scan Req Pkt Cnt: 0 0
Error Msg Out Pkt Cnt: 0 0
Error Msg Out Pkt Err Cnt: 0 0
New Dwnld Rsp Pkt Cnt: 0 0
Scan Rsp Pkt Cnt: 0 0
Error Msg In Pkt Cnt: 0 0
Status Query Pkt Error Cnt: 0 0
New Dwnld Req Pkt Error Cnt: 0 0
File Data Pkt Error Cnt: 0 0
Scan Req Pkt Error Cnt: 0 0
NTBA and Advanced Threat Defense Channel Statistics:
---------------------------------
Callback Pkt Cnt: 0.
Ctrl Msg NTBA/Advanced Threat Defense Pkt Cnt: 0.
Pkt Buf Alloc Cnt: 2604.
Pkt Buf Free Cnt: 2601.
Pkt Buf Alloc Fail Cnt: 0.
Pkt Buf Free Fail Cnt: 0.
Pkt Buf Malloc Cnt due to Large Pkt : 0.
Pkt Null Exception: 0.
Rcv Buf Null Cnt: 0.
Wrong Channel Cfg: 0.
SSL Pkt Rcv Err: 0 0
Keep Alive Send Err Cnt: 0 0
Keep Alive Miss Cnt: 0 0
Keep Alive Sent Cnt: 0 0
Keep Alive Response Cnt: 0 0
Channel Initialization Attempt Cnt: 0 0
NSM Protocol Statistics:
---------------------------------
MD5 Hash Query Pkt Cnt: 1
MD5 Hash Query Error Pkt Cnt: 0
New Dwnld Req Pkt Cnt: 1
New Dwnld Req Error Pkt Cnt: 0
File Data Pkt Cnt: 473
File Data Error Pkt Cnt: 0
End of File Pkt Cnt: 1
End of File Error Pkt Cnt: 0
New Dwnld Response Pkt Cnt: 1
New Dwnld Error Response Pkt Cnt: 0
MD5 Hash Query Response Pkt Cnt: 1
Malware Cache Statistics:
---------------------------------
Cache Utilization %: 0.00 %
Cache Nodes utilized: 0
Cache Nodes Total available: 50000
# of times cache purged: 0
MD5 of last file extracted: 5d2d58437f1cde7e3823f0fb8d1f33
[McAfee NTBA Communication]
Status: down
Down Reason: By Configuration
[McAfee Advanced Threat Defense Communication]
Status: down
Down Reason: By Configuration
[McAfee SOFA Primary NSM Communication]
Status: Up
[McAfee SOFA MDR NSM Communication]
Status: Down
Down Reason: Error obtaining channel status
Applicable to:
M-series and NS-series Sensors.
show matd channel
Displays the channel used by Sensor to communicate with Advanced Threat Defense.
By default, the SSL channel is used. You can switch between the TCP and SSL channels to send files for
scanning.
For the TCP channel, make sure that listening port 8506 is configured on Advanced Threat Defense. From
an ATD appliance, execute the set nsp-tcp-channel CLI command to enable or disable the TCP channel.
Syntax:
show matd channel
Sample output:
IntruDbg#> show matd channel
MATD NSP channel type:SSL
IntruDbg#> show matd channel
MATD NSP channel type:TCP
Applicable to:
M-series and NS-series Sensors.
show mgmtcfg
This command displays various management (control path) configurations. Details include information
about ports, packet logging, alert throttle, layer configuration, TACACS, ACL, NTP, latency monitor, and
GTI proxy. This command has no parameters.
Syntax:
show mgmtcfg
Sample Output:
IntruDbg#> show mgmtcfg
FAILOVERGRP CFG
FailoverAction DISABLED
PeerIPaddr 0
HeartbeatTime 5
HeartbeatRetryCnt 3
FailoverMode STANDALONE
FailopenAction DISABLED
INTF PORT 0
EnableInternalTap TRUE
INTF PORT 1
EnableInternalTap TRUE
INTF PORT 2
EnableInternalTap TRUE
INTF PORT 3
EnableInternalTap TRUE
INTF PORT 4
EnableInternalTap TRUE
INTF PORT 5
EnableInternalTap TRUE
INTF PORT 6
EnableInternalTap TRUE
INTF PORT 7
EnableInternalTap TRUE
INTF PORT 8
EnableInternalTap TRUE
INTF PORT 9
EnableInternalTap TRUE
INTF PORT 10
EnableInternalTap TRUE
INTF PORT 11
EnableInternalTap TRUE
INTF PORT 12
EnableInternalTap TRUE
INTF PORT 13
EnableInternalTap TRUE
INTF PORT 14
EnableInternalTap TRUE
INTF PORT 15
EnableInternalTap TRUE
Packet Logging CFG
ServerIP 10.213.169.178
ServerPort 8503
Encryption ENABLED
ServerV6IP
Alert Throttle CFG
Threshold 1
Interval 120
Action ENABLED
Global Threshold 10
LAYER2 CFG
Mode ENABLED
Duration 10
Threshold 1
OccurrenceCnt 0
FirstTimeIdx 0
LastTimeIdx 0
OccurrenceTime[0] 0
OccurrenceTime[1] 0
OccurrenceTime[2] 0
OccurrenceTime[3] 0
OccurrenceTime[4] 0
OccurrenceTime[5] 0
OccurrenceTime[6] 0
OccurrenceTime[7] 0
OccurrenceTime[8] 0
OccurrenceTime[9] 0
RebootCount 0
TACACS CFG
Authentication Disabled
Traffic Encryption Enabled
Authorization Disabled
ACL CFG
Alert Throttle MaxIp Pair 10
Alert Throttle Interval 120
Alert Throttle Action Enabled
Alert Throttle Threshold 5
Alert Direct to Syslog 1
NMS CFG
NMS User Write Access Status : Disabled
No NMS IPv4 Addresses are configured.
No NMS IPv6 Addresses are configured.
No NMS User's are configured.
MPE CFG
[Configured MPE details]
MPE Server IP address = 0.0.0.0
MPE Anonymous Port = 8443
MPE Listen Port = 8445
MPE Trusted Port = 8444
MPE Anonymous URI = /nac/certrequest
MPE Trusted URI = /nac/engine
MPE Connection Failure Timeout = 32
MNAC Agent GUID Port = 8444
MNAC OS Capability = 0
MNAC TTL Config = 131074
EZ-LOG-ALERT-THROTTLE CFG
Max IP Pair 10
Throttle Interval 120
Throttle Action Enabled
Throttle Threshold 5
Alert Direct to Syslog 1
SGAP CFG
Auth channel timeout 50
PERFPRMANCE ALERT CFG
Perf Alert Status 1
Perf Alert Parameters 60000000
Perf Alert Duration 3
THRESHOLD BASED ALARM CFG
Alarm Status 1
Alarm Duration 1
Number of Alarm Entries 1
Alarm Index : 3
Alarm Sample Type : 2
Alarm Raising Threshold : 90
Alarm Falling Threshold : 70
Alarm Startup Type : 1
Alarm Description : High Utilization
Alarm Sample Type Index : 0 0 0 0 0 0 0 0
MISCELLANEOUS CFG
Console Timeout = 15
SSH Inactive Timeout = 300
Management Intf MTU = 1500
Aux Port Status = Enabled
Auditlog Status = Disabled
Auditlogtomgr Status = Disabled
Mgmt Autorecovery Status = Enabled
Host Persistence Config 1
Artemis Threshold Config 1
Pdf Cache = Enabled
Flash Cache = Enabled
Msas Cache = Enabled
Miscellaneous Flags 2
SCP CFG
SCP IPv4 = 10.213.173.1
NTP CFG
NTP Server1 IPv4 0.0.0.0
NTP Server1 IPv6 = ::
POLL 6
AUTH DISABLE
NTP Server2 IPv4 0.0.0.0
NTP Server2 IPv6 = ::
POLL 6
AUTH DISABLE
LATENCY MONITOR CFG
Latency monitor restore inline from layer2 : Disabled
GTI Proxy CFG
GTI Proxy Host = 0.0.0.0
GTI Proxy Port = 0
GTI Proxy Username = ""
GTI Proxy Host Type = 1
NTBA CFG
IP Address type = 4
Server IPv4 = 0.0.0.0
Server Port = 8505
Connection config = 2
Channel Encryption = 0
MATD CFG
IP Address type = 4
Server IPv4 = 0.0.0.0
Server Port = 8505
Connection config = 2
Channel Encryption = 0
MATD Profile/User Name = nsp
MATD Profile/User Id = 2
RADIUS CFG
Authentication Disabled
Primary RADIUS Server IPv4 Address: 0.0.0.0
Primary RADIUS Server Authentication Port: 1812
Primary RADIUS Server Accounting Port: 1813
Primary RADIUS Server Connection Timeout: 6
Backup RADIUS Server IPv4 Address: 0.0.0.0
Backup RADIUS Server Authentication Port: 1812
Backup RADIUS Server Accounting Port: 1813
Backup RADIUS Server Connection Timeout: 6
Applicable to:
M-series and NS-series Sensors.
show mem-usage
This command displays the system memory usage details of the device.
This command has no parameters.
Syntax:
show mem-usage
For each flow table and buffer pool, the show mem-usage command reports the average percentage
used across all processing elements (Avg.) and the maximum percentage used on any single processing
element (Max.).
Sample Output:
IntruDbg#> show mem-usage
Avg. Used TCP and UDP Flows across all PEs : 98%
Max. Used TCP and UDP Flows on a single PE : 100%
Avg. Used Fragmented IP Flows across all PEs : 3%
Max. Used Fragmented IP Flows on a single PE : 3%
Avg. Used ICMP Flows across all PEs : 0%
Max. Used ICMP Flows on a single PE : 0%
Avg. Used SSL Flows across all PEs : 0%
Max. Used SSL Flows on a single PE : 0%
Avg. Used Fragment Reassembly Buffers across all PEs : 3%
Max. Used Fragment Reassembly Buffers on a single PE : 3%
Avg. Used Packet Buffers across all PEs : 0%
Max. Used Packet Buffers on a single PE : 1%
Avg. Used Attack Marker Nodes across all PEs : 13%
Max. Used Attack Marker Nodes on a single PE : 14%
Avg. Used Shell Marker Nodes across all PEs : 34%
Max. Used Shell Marker Nodes on a single PE : 38%
Avg. Used L7 Dcap Alert Buffers across all PEs : 0%
Max. Used L7 Dcap Alert Buffers on a single PE : 0%
Avg. Used L7 Dcap flows across all PEs : 0%
Max. Used L7 Dcap flows on a single PE : 0%
Applicable to:
M-series and NS-series Sensors, and NTBA Appliances.
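Added example, not the guide's own code: a Python parser for the Avg./Max. pairs in show mem-usage output that flags any resource close to exhaustion, checking the single-PE maximum separately because one saturated PE can be hidden behind a healthy average. The sample text and the 80%/90% thresholds are constructed assumptions for this example.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample modelled on the show mem-usage output above; not captured from a device.
SAMPLE_MEM_USAGE = """\
IntruDbg#> show mem-usage
Avg. Used TCP and UDP Flows across all PEs : 98%
Max. Used TCP and UDP Flows on a single PE : 100%
Avg. Used Fragmented IP Flows across all PEs : 3%
Max. Used Fragmented IP Flows on a single PE : 3%
Avg. Used Packet Buffers across all PEs : 0%
Max. Used Packet Buffers on a single PE : 1%
Avg. Used Shell Marker Nodes across all PEs : 34%
Max. Used Shell Marker Nodes on a single PE : 38%
"""

# "Avg. Used <resource> across all PEs : N%" or "Max. Used <resource> on a single PE : N%"
LINE_RE = re.compile(
    r"^(?P<kind>Avg|Max)\. Used (?P<resource>.+?) "
    r"(?:across all PEs|on a single PE)\s*:\s*(?P<pct>\d+)%\s*$"
)


def parse_mem_usage(text: str) -> Dict[str, Dict[str, int]]:
    """Return {resource: {"avg": pct, "max": pct}}; non-matching lines (prompt, blanks) are skipped."""
    usage: Dict[str, Dict[str, int]] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        entry = usage.setdefault(m.group("resource"), {})
        entry[m.group("kind").lower()] = int(m.group("pct"))
    return usage


def find_exhausted(
    usage: Dict[str, Dict[str, int]], max_threshold: int = 90, avg_threshold: int = 80
) -> List[Tuple[str, str, int]]:
    """List (resource, "max"|"avg", pct) for resources at or above a threshold.

    The per-PE maximum is checked first: flows are distributed across PEs, so a
    single PE at 100% is already out of room even when the fleet average is low.
    """
    findings: List[Tuple[str, str, int]] = []
    for resource, vals in sorted(usage.items()):
        if vals.get("max", 0) >= max_threshold:
            findings.append((resource, "max", vals["max"]))
        elif vals.get("avg", 0) >= avg_threshold:
            findings.append((resource, "avg", vals["avg"]))
    return findings


if __name__ == "__main__":
    for resource, kind, pct in find_exhausted(parse_mem_usage(SAMPLE_MEM_USAGE)):
        print(f"WARNING {resource}: {kind} usage {pct}%")
```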
show mgmtnetstats
This command displays the network statistics on IP, ICMP, TCP, UDP, IPV6, and SNMP.
Syntax:
show mgmtnetstats
Sample Output:
IntruDbg#> show mgmtnetstats
Ip:
398030 total packets received
8246 with invalid addresses
0 forwarded
0 incoming packets discarded
353329 incoming packets delivered
376126 requests sent out
Icmp:
5230 ICMP messages received
0 input ICMP message failed.
ICMP input histogram:
destination unreachable: 5228
echo requests: 2
5232 ICMP messages sent
0 ICMP messages failed
ICMP output histogram:
destination unreachable: 5230
echo replies: 2
Tcp:
1442 active connections openings
953 passive connection openings
0 failed connection attempts
21 connection resets received
110 connections established
103212 segments received
108050 segments send out
63 segments retransmited
0 bad segments received.
52 resets sent
Udp:
239034 packets received
5230 packets to unknown port received.
622 packet receive errors
262844 packets sent
TcpExt:
2 packets pruned from receive queue because of socket buffer overrun
ArpFilter: 0
941 TCP sockets finished time wait in fast timer
3470 delayed acks sent
Quick ack mode was activated 41 times
10 times the listen queue of a socket overflowed
10 SYNs to LISTEN sockets ignored
125 packets directly queued to recvmsg prequeue.
911341 packets directly received from backlog
63345 packets directly received from prequeue
29939 packets header predicted
719 packets header predicted and directly queued to user
TCPPureAcks: 3686
TCPHPAcks: 37362
TCPRenoRecovery: 0
TCPSackRecovery: 0
TCPSACKReneging: 0
TCPFACKReorder: 0
TCPSACKReorder: 0
TCPRenoReorder: 0
TCPTSReorder: 0
TCPFullUndo: 0
TCPPartialUndo: 0
TCPDSACKUndo: 0
TCPLossUndo: 1
TCPLoss: 0
TCPLostRetransmit: 0
TCPRenoFailures: 0
TCPSackFailures: 0
TCPLossFailures: 0
TCPFastRetrans: 0
TCPForwardRetrans: 0
TCPSlowStartRetrans: 0
TCPTimeouts: 32
TCPRenoRecoveryFail: 0
TCPSackRecoveryFail: 0
TCPSchedulerFailed: 0
TCPRcvCollapsed: 129
TCPDSACKOldSent: 0
TCPDSACKOfoSent: 0
TCPDSACKRecv: 0
TCPDSACKOfoRecv: 0
TCPAbortOnSyn: 0
TCPAbortOnData: 0
TCPAbortOnClose: 9
TCPAbortOnMemory: 0
TCPAbortOnTimeout: 5
TCPAbortOnLinger: 0
TCPAbortFailed: 0
TCPMemoryPressures: 0
Ipv6:
Ip6InReceives:0
Ip6InHdrErrors:0
Ip6InTooBigErrors:0
Ip6InNoRoutes:0
Ip6InAddrErrors:0
Ip6InUnknownProtos:0
Ip6InTruncatedPkts:0
Ip6InDiscards:0
Ip6InDelivers:0
Ip6OutForwDatagrams:0
Ip6OutRequests:24
Ip6OutDiscards:0
Ip6OutNoRoutes:0
Ip6ReasmTimeout:0
Ip6ReasmReqds:0
Ip6ReasmOKs:0
Ip6ReasmFails:0
Ip6FragOKs:0
Ip6FragFails:0
Ip6FragCreates:0
Ip6InMcastPkts:0
Ip6OutMcastPkts:24
Icmp6InMsgs:0
Icmp6InErrors:0
Icmp6InDestUnreachs:0
Icmp6InPktTooBigs:0
Icmp6InTimeExcds:0
Icmp6InParmProblems:0
Icmp6InEchos:0
Icmp6InEchoReplies:0
Icmp6InGroupMembQueries:0
Icmp6InGroupMembResponses:0
Icmp6InGroupMembReductions:0
Icmp6InRouterSolicits:0
Icmp6InRouterAdvertisements:0
Icmp6InNeighborSolicits:0
Icmp6InNeighborAdvertisements:0
Icmp6InRedirects:0
Icmp6OutMsgs:24
Icmp6OutDestUnreachs:0
Icmp6OutPktTooBigs:0
Icmp6OutTimeExcds:0
Icmp6OutParmProblems:0
Icmp6OutEchoReplies:0
Icmp6OutRouterSolicits:9
Icmp6OutNeighborSolicits:9
Icmp6OutNeighborAdvertisements:0
Icmp6OutRedirects:0
Icmp6OutGroupMembResponses:0
Icmp6OutGroupMembReductions:0
Udp6InDatagrams:0
Udp6NoPorts:0
Udp6InErrors:0
Udp6OutDatagrams:0
snmp:
snmpInPkts: 3753
snmpOutPkts: 1854
snmpInBadVersions: 0
snmpInBadCommunityNames: 0
snmpInBadCommunityUses: 0
snmpInASNParseErrs: 0
snmpInTooBigs: 0
snmpInNoSuchNames: 0
snmpInBadValues: 0
snmpInReadOnlys: 0
snmpInGenErrs: 0
snmpInTotalReqVars: 7109
snmpInTotalSetVars: 336
snmpInGetRequests: 1195
snmpInGetNexts: 65
snmpInSetRequests: 62
snmpInGetResponses: 0
snmpInTraps: 0
snmpOutTooBigs: 0
snmpOutNoSuchNames: 5
snmpOutBadValues: 0
snmpOutGenErrs: 0
snmpOutGetRequests: 0
snmpOutGetNexts: 0
snmpOutSetRequests: 0
snmpOutGetResponses: 1854
snmpOutTraps: 0
snmpEnableAuthenTraps: 2
snmpSilentDrops: 0
snmpProxyDrops: 0
Applicable to:
M-series and NS-series Sensors.
show mgmtprocessrestart status
Displays the status of set mgmtprocessrestart (enabled or disabled).
Syntax:
show mgmtprocessrestart status
Sample Output:
IntruDbg#> show mgmtprocessrestart status
[Management Process-Restart settings]
Mgmt Process-restart configuration : Enabled
Applicable to:
M-series and NS-series Sensors.
show pktcapture status
Displays the packet capture status and configuration.
Syntax:
show pktcapture status
Sample Output:
IntruDbg#> show pktcapture status
Packet Capture Status :Not Running
Packet Capture Mode :PORT
Packet Capture Port Number :Not Configured
Packet Capture Rule Set File Status :Not Present
Total Packet Capture Count :0
Packet Capture Duration remaining :0 Sec
Applicable to:
M-series and NS-series Sensors.
show prioritytraffic ratio
Displays the ratio in which high priority traffic is given preference compared to normal priority traffic
during packet processing.
Syntax:
show prioritytraffic ratio
Sample Output:
IntruDbg#> show prioritytraffic ratio
Priority Traffic Ratio: 3
The above sample indicates that for every 3 packets processed from the high priority packet queue,
only one packet is processed from the normal priority packet queue. The default value while setting
the priority traffic ratio is 3.
Applicable to:
M-series and NS-series Sensors.
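As an added illustration that is not part of the guide, the following Python models the scheduling the ratio describes: for every ratio high-priority packets, one normal-priority packet is processed. It assumes (the guide does not say) that when one queue is empty the other keeps being served, and it reports the share of normal-priority packets processed, which shows how a large ratio starves normal-priority traffic under sustained high-priority load:

```python
from collections import deque
from typing import Deque, List


def schedule(high: List[str], normal: List[str], ratio: int = 3) -> List[str]:
    """Return the order in which queued packets are processed.

    Models the guide's description: for every `ratio` packets taken from the
    high-priority queue, one packet is taken from the normal-priority queue.
    Assumption (not stated in the guide): when one queue is empty the
    scheduler does not idle but keeps draining the other queue.
    """
    if ratio < 1:
        raise ValueError("ratio must be >= 1")
    hq: Deque[str] = deque(high)
    nq: Deque[str] = deque(normal)
    order: List[str] = []
    while hq or nq:
        # Serve up to `ratio` high-priority packets...
        for _ in range(ratio):
            if not hq:
                break
            order.append(hq.popleft())
        # ...then exactly one normal-priority packet, if one is waiting.
        if nq:
            order.append(nq.popleft())
    return order


def normal_share(order: List[str], window: int) -> float:
    """Fraction of the first `window` processed packets that were
    normal-priority (constructed packet names starting with 'N')."""
    head = order[:window]
    if not head:
        return 0.0
    return sum(1 for p in head if p.startswith("N")) / len(head)


def sustained_load_share(ratio: int, window: int) -> float:
    """Share of normal-priority traffic when neither queue runs dry.

    With ratio r the steady-state share is 1 / (r + 1): the default ratio
    of 3 leaves normal traffic one packet in four.
    """
    high = [f"H{i}" for i in range(window)]      # constructed sample packets
    normal = [f"N{i}" for i in range(window)]
    return normal_share(schedule(high, normal, ratio), window)


if __name__ == "__main__":
    print(schedule(["H1", "H2", "H3", "H4", "H5"], ["N1", "N2"]))
    for r in (1, 3, 9):
        print(f"ratio {r}: normal-priority share under load = "
              f"{sustained_load_share(r, 1000):.3f}")
```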
show ratelimit drops
Displays the number of packets and bytes dropped. This command has no parameters.
The counts displayed by this command are only estimates done by the Sensor software, and not the
actual count. The actual packet drops are done by the Sensor hardware.
For I-1200 and I-1400 Sensors, rate limiting is done in the software. Therefore, these counters are the
actual packet drop counters for these models.
Syntax:
show ratelimit drops <port_num | all>
Sample Output:
IntruDbg#> show ratelimit drops all
Queue Number Total Dropped Packets Dropped Packet Bytes Count
000000000001 00000000000000003200 0000000000000000000000000
000000000002 00000000000004000000 0000000000000000000000000
000000000003 00000000000000009000 0000000000000000000000000
000000000004 00000000000000000000 0000000000000000000000000
000000000005 00000000000000006890 0000000000000000000000000
000000000006 00000000000000004330 0000000000000000000000000
000000000007 00000000000000000709 0000000000000000000000000
000000000008 00000000000000005600 0000000000000000000000000
Applicable to:
M-series Sensors only.
show ratelimit markstats
Displays the number of packets and bytes placed into the QoS queue. This command has no
parameters.
The queue numbers displayed in the output of this command are the QoS profile queues. The marked
packet statistics indicate how many packets and bytes were placed in each QoS queue. They count only
the packets and bytes placed in the queue, not the drops. Drops are calculated by the Sensor once the
queue exceeds its configured limit.
Syntax:
show ratelimit markstats <port_num | all>
Sample Output:
IntruDbg#> show ratelimit markstats all
Queue Number Total Marked Packets Marked Packet Bytes Count
000000000001 00000000000000000000 0000000000000000000000000
000000000002 00000000000000000000 0000000000000000000000000
000000000003 00000000000000000000 0000000000000000000000000
000000000004 00000000000000000000 0000000000000000000000000
000000000005 00000000000000000000 0000000000000000000000000
000000000006 00000000000000000000 0000000000000000000000000
000000000007 00000000000000000000 0000000000000000000000000
000000000008 00000000000000000000 0000000000000000000000000
Applicable to:
M-series Sensors only.
show ratelimitstats
Displays the QoS profile queues and their statistics, listed by queue number. This command has no
parameters.
Syntax:
show ratelimitstats <port_num | all>
Sample Output:
IntruDbg#> show ratelimitstats all
Queue Number Total Marked Packets Marked Packet Bytes Count
000000000001 00000000000000000456 0000000000000000000000000
000000000002 00000000000000000000 0000000000000000000000000
000000000003 00000000000000090000 0000000000000000000000000
000000000004 00000000000000005000 0000000000000000000000000
000000000005 00000000000000000390 0000000000000000000000000
000000000006 00000000000000001000 0000000000000000000000000
000000000007 00000000000000005000 0000000000000000000000000
000000000008 00000000000000007896 0000000000000000000000000
show recon status
Displays reconnaissance attack detection status.
This setting should be reconfigured if the Sensor is rebooted.
Syntax:
show recon status
Sample Output:
IntruDbg#> show recon status
Reconnaissance attack detection enabled
Applicable to:
M-series and NS-series Sensors.
show respport r1
Shows all the current configuration settings for the Sensor Response port.
This command has no parameters.
Syntax:
show respport r1
Information displayed includes:
• The Sensor's Response port value (1000Mbps, 100Mbps, 10Mbps, or auto-negotiate)
• The Sensor's Response port link status (what speed the two devices settled upon—typically the
highest common setting)
• What mode has been settled upon
• The link status
• Statistics for the Response port
Sample Output:
intruShell@john> show respport r1
Response Ethernet port : auto negotiated
Settings for MGMT port :
Supported link modes: 100baseT/Full
                      1000baseT/Full
                      10000baseT/Full
Advertised link modes: 100baseT/Full
                       1000baseT/Full
                       10000baseT/Full
Advertised pause frame use: No
Advertised auto-negotiation: Yes
Speed: Unknown!
Duplex: Unknown! (255)
Auto-negotiation: on
Link detected: no
eth1 Link encap:Ethernet HWaddr 00:1E:67:58:9E:3F
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
Response Port Statistics
Total Packets Sent : 0
show saved alerts
Displays the total number and size of alerts that are saved.
Syntax:
show saved alerts
Sample Output:
IntruDbg#> show saved alerts
Saved Alert Status :Alerts = 455, Size = 80990
Applicable to:
M-series and NS-series Sensors.
show saved packets
Displays the total number of packets that are saved.
Syntax:
show saved packets
Sample Output:
IntruDbg#> show saved packets
Saved Packet Status : No Saved File
Applicable to:
M-series and NS-series Sensors.
show sbcfg
Displays the various datapath configuration settings. This command has no parameters.
Syntax:
show sbcfg
Sample Output:
IntruDbg#> show sbcfg
IP CFG
IPFragmentTimer 30
OverlapOption OLD_DATA
TTLConfigMode NO_TTL_CHECKING
TTLThreshold 32
TTLResetValue 32
SmallestFragmentSize 256
SmallestFragmentThreshold 10000
IP Fragment Reassembly ENABLE
IPV6OverlapOption OLD_DATA
IPV6SmallestFragmentSize 48
IPV6SmallestFragmentThreshold 10000
TCP CFG
SupportedUDPFlows 800000
TCBInactivityTimer 10
TCPSegmentTimer 60
TCP2MSLTimer 10
InactiveFlowRstEnabled 2
DropReTxTCPEnabled 2
ColdStartTime 60
ColdStartDropAction FORWARD_FLOWS
NormalizationOnOffOption OFF
TcpOverlapOption NEW_DATA
SynAckPermittedOption 1
TCPOptionThreshold 100
DropOnPAWSFail ENABLE
TimeStampEchoMatchFail ENABLE
DropMD5Option ENABLE
UnsolicitedUDPPktsTimeout 60
SynProxyEnable DISABLE
AckScanDiscardTime 15
HalfOpenConnResetEnable RST_3WH_DISABLE
OutOfContextTcpPktEnable PERMIT_OUT_OF_ORDER
synCookieConfig Inbound-DISABLE Outbound-DISABLE
synCookieInboundThreshold 102400
synCookieOutboundThreshold 102400
synCookieMss 536
Tcpudpicmpchecksumerror Drop
flow volume threshold is 0MB.
DNSRedirectConfig disabled
Syn Cookie TCP Reset Send Enable status : Enabled (1)
DNS sinkhole TTL 720
DNS sinkhole IP 127.0.0.1
Oversubscription value: 0
BackendLimit Value: 0x1c2002d
INTF PORT 67
OperatingMode INLINE_FAIL_OPEN
FullDuplex ENABLED
InOutType OUTSIDE
Monitoring Port IP - 0.0.0.0
Monitoring Port Netmask - 0.0.0.0
Monitoring Port Gateway - 0.0.0.0
Monitoring Port Vlan ID - 0
Monitoring Port NBAD Config Status - 0
Monitoring Port AppId Stats Alert Config Status - 0
ALERT THROTTLE CFG
CorrelationTime 5
PKTLOG CFG
MaxPktsPerFlow 1000
DOS CFG
DosPktLogging DISABLED
FAILOVER CFG
FailoverAction DISABLED
FailoverMode FAILOVER_MODE_STANDALONE
SSL CFG
SessionCacheLifetime 5
SupportAction 0
PktLogging DISABLED
ResponseProcEnable DISABLED
ACL Log Alert CFG
Alert Logging Disabled
DNSPROTECTION IPV4 CFG
No IPv4 DNS Protection IP's are configured
DNSPROTECTION IPV6 CFG
No IPv6 DNS Protection IP's are configured
SENSOR LOAD CFG
Sensor Load Computation is set to off
TUNNELING CFG
Tunneling is disabled
OVERSUBSCRIPTION CFG
Oversubscription level 0
IPS SIMULATION CFG
Ips Simulation is disabled
PKTDROP SYSEVENT CFG
PktDrop sysevent is disabled
IP REASSEMBLY TIMEOUT FORWARD CFG
IP Reassembly timeout forward is disabled
IP Reassembly timeout in milli second is 0
BDD threshold value : 20
LDPENDING CFG
LDPENDING CFG is set to actual-load
Miscellaneous CFG
Misc Flags 256
Mon Port Ping Status : Disabled
IBAC Host Auth Status : Enabled
Sibyte Smpt Load Balancing Status : Disabled
IPS for Unknown UDP is enabled
EZ-LOG-ALERT CFG
EzAlertLogging 5
NBAD CFG
NBAD Sensor IP Address 12.1.1.11
NBAD Sensor Port 9996
NBAD IPS Primary Mon Port Id 34
NBAD IPS Secondary Mon Port Id 2
NBAD OS Finger Printing Status 0
NBAD App Finger Printing Status 0
NBAD SSL Flow Data Capture Status 0
NBAD TCP Capture Config : Enabled
NBAD UDP Capture Config : Enabled
NBAD ICMP Capture Config : Enabled
Miscellaneous CFG
TAPA Protocol Config : 0
Latency Monitor Status : 0
Artemis Detection Mode : 1
Malware UD Detection Mode : 1
GTIfilelookup timeout : 6
Overwrite GZIP : 0
Unknown Proto Scan Depth : 256
NAC DHCP Pxe Config : 39321602
L7 DCap Percent Flows : Configured-5, Used-20
L7 DCap Buffer Size : 1500
Misc Flags 256
Mon Port Ping Status : Disabled
IBAC Host Auth Status : Enabled
Unknown Proto Scandepth Status : Enabled
Sibyte Smpt Load Balancing Status : Disabled
AppId Stats Alert Status : Enabled
MPE Additional CFG
Number of Additional MPE IP Addresses 0
NAC host tracking configuration
NAC host tracking disabled
Dxl Config
EPO IP4 0.0.0.0
EPO IP6 ::
EPO IP TYPE 4
EPO PORT 8443
EPO Action 2
DXL Enable/Disable 2
MATD CFG
IP Address type = 4
Server IPv4 = 10.213.17x.xxx
MATD Profile/User Name = nsp
MATD Profile/User Id = 2
Applicable to:
M-series and NS-series Sensors
show sensor health
Displays the Sensor health information.
Syntax:
show sensor health
Sample Output:
IntruDbg#> show sensor health
bootflag = off
sensor health = good
health of control channel = good
health of correlation engine = good
health of snmp master agent = good
health of snmp sub agent = good
health of packet log = good
health of system controller = good
health of CLI = good
health of Log Main = good
health of Log Task = good
health of SGAP = good
health of AuthGw = good
health of ACLDaemon = good
health of TrustedSource = good
health of BCM = good
Applicable to:
M-series and NS-series Sensors.
show startup stats
Displays the startup initialization information.
Syntax:
show startup stats
Sample Output:
IntruDbg#> show startup stats
Controller ready to send INIT_ACKs to datapaths and dos.
initial READY msg : received from datapaths and dos.
dos has sent INIT_DONE.
datapath0 has sent INIT_DONE.
datapath1 has sent INIT_DONE.
dos has sent READY.
datapath0 has sent READY.
datapath1 has sent READY.
Applicable to:
M-series and NS-series Sensors.
show static-arp
Displays the static ARP entries.
Syntax:
show static-arp
Sample Output:
IntruDbg#> show static-arp
No of Arp Entry in The Cache is: 0
Dump of ARP Cache Entries completed!
Applicable to:
M-series and NS-series Sensors.
show statistics alerts
Displays the alert statistics (signature alerts, reconnaissance alerts and ACL logs) that are sent to the
Manager.
Syntax:
show statistics alerts
Sample Output:
IntruDbg#> show statistics alerts
Datapath 12 :
Signature alerts sent to mgmt = 249895
Reconnaissance alerts sent to mgmt = 5456257
ACL Logs sent to mgmt = 0
Datapath 13 :
Signature alerts sent to mgmt = 252880
Reconnaissance alerts sent to mgmt = 5660890
ACL Logs sent to mgmt = 0
Applicable to:
M-series and NS-series Sensors.
show statistics icmp
Displays the ICMP statistics. It includes the following information.
• ICMP echo request packets
• ICMP total packets
• ICMP echo reply packets
• ICMP dropped under load
• ICMP unsol(icited) reply packets
• ICMP other packets
• ICMP dropped checksum error.
Syntax:
show statistics icmp
Sample Output:
IntruDbg#> show statistics icmp
Datapath36
ICMP Echo Request packets: 154207
ICMP Echo Reply packets: 0
ICMP Unsol. Reply packets: 0
ICMP Other packets: 536697
ICMP Total Packets processed: 690904, 0
ICMP Dropped under load: 0
ICMP Dropped w/cksum error: 59053
Datapath37
ICMP Echo Request packets: 391658
ICMP Echo Reply packets: 98
ICMP Unsol. Reply packets: 0
ICMP Other packets: 1186879
ICMP Total Packets processed: 1578635, 0
ICMP Dropped under load: 0
ICMP Dropped w/cksum error: 50956
Applicable to:
M-series and NS-series Sensors.
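Per-datapath counters like these are easiest to act on once parsed, so the following Python, an added example rather than anything from the guide, turns the Datapath blocks into a dictionary and flags datapaths whose checksum-error drop rate exceeds a threshold; the threshold value and the constructed sample text are assumptions. It also accepts the "Datapath 12 :" and "key: = value" forms used by the other show statistics commands in this chapter.

```python
import re
from typing import Dict, List, Optional

# Constructed sample in the shape of the guide's "show statistics icmp" output.
SAMPLE_ICMP = """\
IntruDbg#> show statistics icmp
Datapath36
ICMP Echo Request packets: 154207
ICMP Echo Reply packets: 0
ICMP Unsol. Reply packets: 0
ICMP Other packets: 536697
ICMP Total Packets processed: 690904, 0
ICMP Dropped under load: 0
ICMP Dropped w/cksum error: 59053
Datapath37
ICMP Echo Request packets: 391658
ICMP Echo Reply packets: 98
ICMP Unsol. Reply packets: 0
ICMP Other packets: 1186879
ICMP Total Packets processed: 1578635, 0
ICMP Dropped under load: 0
ICMP Dropped w/cksum error: 50956
"""

# "Datapath36", "Datapath 12 :" and "datapath 44 :" all start a datapath block.
_DATAPATH_RE = re.compile(r"^\s*datapath\s*(\d+)\s*:?\s*$", re.IGNORECASE)
# "key: value", "key: = value" and "key: value1, value2" (the first number is kept).
_COUNTER_RE = re.compile(r"^\s*(.+?)\s*:\s*=?\s*(-?\d+)")


def parse_datapath_stats(text: str) -> Dict[str, Dict[str, int]]:
    """Map 'DatapathNN' -> {counter name: first integer value}."""
    stats: Dict[str, Dict[str, int]] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        m = _DATAPATH_RE.match(line)
        if m:
            current = f"Datapath{m.group(1)}"
            stats[current] = {}
            continue
        if current is None:
            continue  # prompt line or text before the first datapath block
        m = _COUNTER_RE.match(line)
        if m:
            stats[current][m.group(1)] = int(m.group(2))
    return stats


def ratio(stats: Dict[str, Dict[str, int]], numerator: str,
          denominator: str) -> Dict[str, float]:
    """numerator / denominator per datapath; 0.0 when the denominator is missing or zero."""
    out: Dict[str, float] = {}
    for dp, counters in stats.items():
        total = counters.get(denominator, 0)
        out[dp] = counters.get(numerator, 0) / total if total else 0.0
    return out


def checksum_error_ratio(stats: Dict[str, Dict[str, int]]) -> Dict[str, float]:
    """Share of processed ICMP packets dropped for a bad checksum, per datapath."""
    return ratio(stats, "ICMP Dropped w/cksum error", "ICMP Total Packets processed")


def flag_datapaths(stats: Dict[str, Dict[str, int]], numerator: str,
                   denominator: str, threshold: float) -> List[str]:
    """Datapaths whose numerator/denominator ratio is at or above threshold."""
    return sorted(dp for dp, r in ratio(stats, numerator, denominator).items()
                  if r >= threshold)


if __name__ == "__main__":
    parsed = parse_datapath_stats(SAMPLE_ICMP)
    for dp, r in checksum_error_ratio(parsed).items():
        print(f"{dp}: checksum-error drop rate {r:.1%}")
    # 5% is an assumed alerting threshold, not a value from the guide.
    print("above threshold:", flag_datapaths(
        parsed, "ICMP Dropped w/cksum error", "ICMP Total Packets processed", 0.05))
```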
show statistics ipfrag
Displays the IP fragment statistics in a data path. It includes the following information.
• Total number of IP fragments received
• Total number of IP flows
• Number of duplicate fragments
• Number of fragments dropped
• Fragments dropped for invalid options
• Number of flows timeout
• Number of flows dropped for invalid checksum
• Number of invalid fragments
• Error getting reassembled lists
• Number of fragments received after timeout.
Syntax:
show statistics ipfrag
Sample Output:
IntruDbg#> show statistics ipfrag
datapath 44 :
Total number of IP Fragments received: 2738083
Total number of IP Flows: 2363420
Number of Duplicate fragments: 372877
Number of Fragments dropped: 0
Fragments dropped for invalid options: 0
Number of Flows TimedOut: 2363174
Num Flows dropped for invalid checksum: 0
Error getting data buffers: 0
Number of Invalid Fragments: 0
Error getting Reassembled lists: 0
Number of fragments recvd after timeOut: 0
datapath 45 :
Total number of IP Fragments received: 2702704
Total number of IP Flows: 2331529
Number of Duplicate fragments: 369732
Number of Fragments dropped: 0
Fragments dropped for invalid options: 0
Number of Flows TimedOut: 2331267
Num Flows dropped for invalid checksum: 0
Error getting data buffers: 0
Number of Invalid Fragments: 0
Error getting Reassembled lists: 0
Number of fragments recvd after timeOut: 0
Applicable to:
M-series and NS-series Sensors.
show statistics l4
Displays the layer 4 statistics. It includes the following information.
• Total layer 4 flow blocks
• Total active UDP flows
• Total SYN flow blocks
• Total flows in SYN state
• Total active TCP flows
• Total free TCBs
• Total inactive TCP flows
• Total created flows
• Total TCP in timewait
• Total timeout flows
Syntax:
show statistics l4
Sample Output:
IntruDbg#> show statistics l4
Datapath 46 :
Total Layer4 flow blocks: = 24097
Total SYN flow blocks: = 11670
Total active TCP flows: = 22515
Total inactive TCP flows: = 0
Total TCP in timewait: = 143
Total active udp flows: = 1434
Total flows in SYN state: = 687
Total free TCBs: = 0
Total created flows: = 5798921
Total timedout flows: = 2460478
Datapath 47 :
Total Layer4 flow blocks: = 24097
Total SYN flow blocks: = 11670
Total active TCP flows: = 22539
Total inactive TCP flows: = 0
Total TCP in timewait: = 121
Total active udp flows: = 1437
Total flows in SYN state: = 666
Total free TCBs: = 0
Total created flows: = 5824819
Total timedout flows: = 2430180
Applicable to:
M-series and NS-series Sensors.
show statistics tcp
Displays the TCP statistics of a datapath for an ID range. It includes the following information.
• TCP total packets
• TCP drop count
• TCP error count.
Syntax:
show statistics tcp
Sample Output:
IntruDbg#> show statistics tcp
Id range is not selected, Displaying ALL
Datapath 12 :
TCP total packets = 5103671, 57258772
TCP drop count = 32494
TCP error count = 0
Datapath 13 :
TCP total packets = 6370552, 52346671
TCP drop count = 50846
TCP error count = 0
Applicable to:
M-series and NS-series Sensors.
show statistics udp
Displays the UDP statistics. It includes the following information.
• UDP Total packets
• UDP Dropped packets
• UDP TimedOut UDP Resp(onse) packets
• UDP ACL Deny count
Syntax:
show statistics udp
Sample Output:
IntruDbg#> show statistics udp
Id range is not selected, Displaying ALL
Datapath21
UDP Total packets: 10341384, 99820895
UDP Dropped packets: 0
UDP TimedOut UDP Resp. packets: 0
UDP ACL Deny count: 0
Datapath22
UDP Total packets: 11333650, 126239382
UDP Dropped packets: 0
UDP TimedOut UDP Resp. packets: 0
UDP ACL Deny count: 0
Applicable to:
M-series and NS-series Sensors.
show tempcounterstatus
The show tempcounterstatus command displays the status of the temperature counters.
Syntax:
show tempcounterstatus
Sample Output:
IntruDbg#> show tempcounterstatus
INLET temperature counters
inlet exceeded alert: 0
inlet dropped below alert: 0
inlet exceeded critical: 0
inlet dropped below critical: 0
P1 temperature counters
P1 exceeded warning: 0
P1 dropped below warning: 0
P1 exceeded alert: 0
P1 dropped below alert: 0
P1 exceeded critical: 0
P1 dropped below critical: 0
Applicable to:
M-series only.
show wb stats
Shows the status of the updated and total entries in the whitelist and the blacklist while using custom
fingerprints.
Syntax:
show wb stats
Sample output:
IntruDbg#> show wb stats
[WB Info Stats]
-------------------
WB bulk file download count : 2
WB bulk download success count : 2
WB bulk download failure count : 0
WB incr file download count : 7
WB incr download success count : 7
WB incr download failure count : 0
Total Manager WB hash count : 17
Total Manager white hash count : 0
Total Manager black hash count : 17
Total cache WB hash count : 0
show xff-usage
Displays the XFF usage details.
Syntax:
show xff-usage
Sample Output:
IntruDbg#> show xff-usage
XFF Buffers Allocated at Init 379264
XFF Buffers Available Now 379264
XFF Buffers Alloc Error 0
XFF Header Seen 0
XFF BAD IP's Received 0
XFF BAD IPv4 Received 0
XFF BAD IPv6 Received 0
XFF Good IPv4 Received 0
XFF Good IPv6 Received 0
XFF IPv4 Seen in Attack Packets 0
XFF IPv6 Seen in Attack Packets 0
Applicable to:
M-series and NS-series Sensors.
switch matd channel
Selects the SSL or TCP channel used to send files to Advanced Threat Defense for scanning. By default,
the Sensor uses the SSL channel to communicate with Advanced Threat Defense.
For TCP channel communication, make sure that listening port 8506 is configured on Advanced Threat
Defense. On ATD, run the set nsp-tcp-channel CLI command to enable or disable the TCP channel.
Syntax:
switch matd channel <tcp | ssl>
Sample output:
IntruDbg#> switch matd channel tcp
IntruDbg#> switch matd channel ssl
Applicable to:
M-series and NS-series Sensors.
tustat
This command shows TCP and UDP statistics for all datapaths.
Syntax:
tustat
Sample Output:
IntruDbg#> tustat
total TCBs: = 0
total SYN TCBS: = 0
total active TCP flows: = 0
total inactive TCP flows: = 0
total tcp in timewait: = 0
total active udp flows: = 0
total flows in SYN state: = 0
total free TCBs: = -1
total created flows: = 0
total timedout flows: = 0
Applicable to:
M-series and NS-series Sensors.
unknownapktocloud
Use this command to view, enable or disable the upload of unknown mobile .apk files to the Manager.
If disabled, the Sensor will not generate unknown mobile .apk alerts.
Syntax:
unknownapktocloud <on|off|status>
Sample Output:
intruDBg#> unknownapktocloud status
unknownapktocloud = on
Applicable to:
M-series and NS-series Sensors.
4 NTBA CLI commands
You can use the NTBA command line interface commands to configure the NTBA Appliance. Some of
the commands are common to both NTBA Appliance and the Sensor.
Contents
backup resume
backup suspend
clear antimalware cache
commands
deinstall
deletemgrsecintf
deletesignatures
download antimalware updates
downloadgamupdate
exit
factorydefaults
flowforward collector
help
host-vlan
installdb
installntba
loadimage
nslookup
passwd
ping
quit
reboot
resetconfig
resetpasswd
scan
service list
service restart
service start
service status
service stop
set antimalware cache
set antimalware encryption
set console timeout
set dbdisksize
set flow-fw
set endpointintelligence demo
set endpointintelligence alertinterval
set htf delta-period
set htf max-deltas
set manager alertport
set manager installsensorport
set manager ip
set manager secondary ip
set mgmtport auto
set mgmtport speed and duplex
set sensor gateway
set sensor ip
set sensor name
set sensor sharedsecretkey
set store-url-type
set tftpserver ip
setup
show
show aggstats
show anomaly
show antimalware encryption status
show antimalware scandetails
show antimalware status
show backupstats
show cachestats
show dbstats
show disk-usage
show endpointintelligence details
show endpointintelligence summary
show exporters
show fingerprinting stats
show forensic-db details
show flowforwardinfo
show host-vlan
show htf
show intfport
show gam engine stats
show gam scan stats
show l7dcapstats
show mem-usage
show mgmtport
show netstat
show nfcstats
show pktrecvstats
show route
show store-url-type
show tsstats
shutdown
status
tcpdump sec
traceupload
unknown-interfaces-flows
watchdog
backup resume
Resumes processing activities related to external storage backup.
Syntax:
backup resume
Applicable to:
NTBA Appliances only.
backup suspend
Suspends/halts the backup process until resumed.
Syntax:
backup suspend
Applicable to:
NTBA Appliances only.
clear antimalware cache
Clears the antimalware cache.
Syntax:
clear antimalware cache
Sample Output:
ntbaSensor@vNTBA> clear antimalware cache
It will take 5 to 10 seconds to clear the cache
commands
Displays all CLI commands supported for the current user role.
This command has no parameters.
Syntax:
commands
Applicable to:
M-series and NS-series, and NTBA Appliances.
deinstall
Clears the Manager-Sensor trust data (the certificate and the shared key value). Every time you delete
a Sensor from the Manager, you must issue this command on the Sensor to clear the established trust
relationship before reconfiguring the Sensor.
This command has no parameters.
Syntax:
deinstall
On executing the command, the following messages are displayed:
Initiating to deinstall and will remove trust with the configured Manager.
Closed communication channels with Network Security Manager.
Stopping all services.
Removing anomaly profiles.
Resetting the Endpoint Intelligence Agent related configurations.
Executable classifications are removed.
Endpoint Intelligence Agent certificate files are removed.
Whitelist and blacklist sync information is reset to default.
ePolicy Orchestrator credentials are removed.
The Service manager is informed to load the configurations.
Restarting services. This will take few minutes.
The Manager trust is removed. Wait for the services to start. After the services are
up, establish trust with the Manager.
Applicable to:
M-series and NS-series, and NTBA Appliances.
Errors while running deinstall
The following errors might occur while you run this command:
• Error: Database migration is in progress. You can run deinstall only after migration.
• Error: The system can't verify if the IPS Sensor is installed. Reboot the appliance or VM and rerun
deinstall.
• NTBA is deinstalled and so you can establish trust with the Manager.
• Error: An exception occurred. Reboot the appliance or VM and rerun deinstall.
• Error: The system can't communicate with the Service manager to load configurations. Reboot the
appliance or VM and rerun deinstall.
• Error: The system can't communicate with the Service manager to restart services. Run service
restart all.
• Error: An exception occurred while restarting the services. Run service restart all.
deletemgrsecintf
Clears the IP address of a Manager's secondary NIC.
This command has no parameters.
Syntax:
deletemgrsecintf
On executing the command, the following messages are displayed:
Please enter Y to confirm: y
Managers secondary intf IPaddr doesn't exist.
Deleting managers secondary interface had some Warnings/Errors.
Applicable to:
M-series and NS-series, and NTBA Appliances.
See also
set manager ip on page 74
set manager secondary ip on page 75
deletesignatures
Deletes signatures on the Sensor and reboots the Sensor. When you execute this command, the
signatures are deleted and then the Sensor is restarted automatically. Before executing the command,
you are prompted whether both the tasks should be performed.
This command has no parameters.
Syntax:
deletesignatures
On executing the command, the following messages are displayed:
Delete the signatures and reboot the sensor ?
Please enter Y to confirm: y
deleting the signatures and rebooting the sensor
signatures deleted
Broadcast message from root (Fri Mar 28 05:15:54 2014):
The system is going down for reboot NOW!
Applicable to:
M-series and NS-series, and NTBA Appliances.
download antimalware updates
This command is used to download the antimalware updates. Make sure you are connected to the
Internet to download and update antimalware software and updates.
Syntax:
download antimalware updates
Sample Output:
On executing the command, the following messages are displayed
• If already running:
ntbaSensor@vNTBA> download antimalware updates
Downloading the antimalware updates.
Antimalware update is in progress.
• If not running:
ntbaSensor@vNTBA> download antimalware updates
Downloading the antimalware updates.
Initiated to download the antimalware update download. Run show antimalware status
to see the results.
Errors while running download antimalware updates:
The following errors might occur while you run this command:
Error: Detached from shared memory
Error: An exception occurred while downloading the antimalware updates. In the
Manager, check the system events for root cause.
downloadgamupdate
Syntax:
downloadgamupdate
Sample output:
Full Gam Update Request sent
exit
Exits the CLI.
This command has no parameters.
Syntax:
exit
Applicable to:
M-series and NS-series, and NTBA Appliances.
factorydefaults
Wipes all settings, certificates, and signatures, from the Sensor, clearing it to blank settings. This
command does not appear when you type ? or commands, nor does the auto-complete function apply
to this command. You must type the command in full to execute it.
This command has no parameters.
You are warned that the operation will clear the Sensor and you must confirm the action. The warning
occurs since the Sensor returns to its clean, pre-configured state, thus losing all current configuration
settings.
Syntax:
factorydefaults
On executing the command the following messages are displayed for an NTBA Appliance:
Are you sure you want to reset NTBA to factory defaults?
WARNING: All existing configuration and data will be lost.
Please enter Y to confirm: y
Step 1 of 3: Removing trust with Network Security Manager
Network Security Manager trust is removed.
Step 2 of 3: Resetting the NTBA database to factory defaults. This will take few
minutes.
Stopping all services.
Formatting NTBA database partitions. This will take several minutes depending on the
disk size.
Creating fresh databases.
Resetting NTBA configurations.
The NTBA configuration and signature files are reset to default.
Step 3 of 3: Rebooting the NTBA appliance. After the reboot, log in to complete the
NTBA setup.
Broadcast message from root (Thu Feb 27 11:57:26 2014):
The system is going down for reboot NOW!
Applicable to:
M-series and NS-series, and NTBA Appliances.
Errors while running factorydefaults
The following errors might occur while you run this command:
• An error occurred while stopping the database events. Restart the appliance or VM and rerun
factorydefaults.
• An error occurred while trying to disable database events. Restart the appliance or VM and rerun
factorydefaults.
• An error occurred while stopping the database processes. Restart the appliance or VM and rerun
factorydefaults.
• An error occurred while disabling the database processes. Restart the appliance or VM and rerun
factorydefaults.
• The NTBA database service is still up. Sending a termination signal.
• The NTBA database service is still up. Sending a kill signal.
• The NTBA database service can't be stopped. Restart the appliance or VM and rerun factorydefaults.
• Formatting the NTBA database partitions. This will take several minutes depending on the disk size.
• Dropping NTBA databases failed. Restart the appliance or VM and rerun factorydefaults.
• Formatting NTBA database partitions failed. Restart the appliance or VM and rerun factorydefaults.
• Creating fresh databases
• Mounting NTBA database partitions failed. Restart the appliance or VM and rerun factorydefaults.
• Installing the NTBA database engine failed. Restart the appliance or VM and rerun factorydefaults.
• Installing the NTBA databases failed. Restart the appliance or VM and rerun factorydefaults.
• Resetting NTBA configurations
• Verifying software image on the appliance or VM failed. Load the correct NTBA software image and
rerun factorydefaults.
• Extracting the tar file failed. Load the correct NTBA software image and rerun factorydefaults.
• Checking consistency of software image on the appliance or VM failed. Load the correct NTBA
software image and rerun factorydefaults.
• Retrieving package from the software image failed. Load the correct NTBA software image and rerun
factorydefaults.
• NTBA configuration and signature files are reset to default.
flowforward collector
Adds or removes a flow forwarding destination entry for a particular IP address and port.
Syntax:
flowforward collector <add | delete> ip <A.B.C.D> port <1-65535>
Run the show flowforwardinfo command to check if the change has taken effect.
Sample Output:
ntbaSensor@vNTBA> flowforward collector add ip 1.1.1.8 port 2565
[flow forward Info]
Flow forward IP : 1.1.1.8
Flow forward Port : 2565
Flow forwarding mode : BLIND
You can add a maximum of 5 flow forward collectors.
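As an added example (not McAfee code), the following POSIX shell script performs the pre-flight checks this section implies before an operator types the add command: a dotted-quad IPv4 address, a port in 1-65535, and the limit of 5 collectors. The current collector count is a constructed input; an operator would normally take it from the show flowforwardinfo output.

```shell
#!/bin/sh
# Added example (not McAfee code): validate a
#   flowforward collector add ip <A.B.C.D> port <1-65535>
# request before it is typed at the NTBA CLI.

MAX_COLLECTORS=5   # the guide's limit on flow forward collectors

# valid_ipv4 A.B.C.D -> exit 0 only for four dotted decimal octets in 0-255
valid_ipv4() {
    _ip=$1
    case "$_ip" in
        ""|.*|*.|*[!0-9.]*) return 1 ;;    # empty, leading/trailing dot, non-digit
    esac
    _old_ifs=$IFS
    IFS=.
    set -- $_ip
    IFS=$_old_ifs
    [ $# -eq 4 ] || return 1
    for _octet in "$@"; do
        [ -n "$_octet" ] || return 1        # rejects "1..2.3"
        [ "$_octet" -le 255 ] || return 1
    done
    return 0
}

# valid_port N -> exit 0 only for an integer in 1-65535
valid_port() {
    case "$1" in
        ""|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# check_collector_add IP PORT CURRENT_COUNT
# Prints a verdict and returns 0 only when the add would be accepted.
check_collector_add() {
    _addr=$1 _port=$2 _count=$3
    if ! valid_ipv4 "$_addr"; then
        echo "reject: '$_addr' is not a dotted-quad IPv4 address"
        return 1
    fi
    if ! valid_port "$_port"; then
        echo "reject: port '$_port' is outside 1-65535"
        return 1
    fi
    if [ "$_count" -ge "$MAX_COLLECTORS" ]; then
        echo "reject: $_count collectors already configured (maximum $MAX_COLLECTORS)"
        return 1
    fi
    echo "ok: flowforward collector add ip $_addr port $_port"
    return 0
}

# Constructed usage: the guide's sample collector, with no collectors configured yet.
check_collector_add 1.1.1.8 2565 0
```

The address check deliberately rejects a trailing dot and empty octets, because shell field splitting silently drops a trailing empty field and would otherwise let "1.1.1.8." through.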
help
Provides a description of the interactive help system.
This command has no parameters.
Syntax:
help
Sample Output:
intruShell@john> help or ntbaSensor@vNTBA> help
If nothing matches, the help list will be empty and you must backup until entering a '?' shows the available options.
Two styles of help are provided:
1. Full help is available when you are ready to enter a command argument (e.g. 'set ?') and describes each possible argument.
2. Partial help is provided when an abbreviated argument is entered and you want to know what arguments match the input (e.g. 'set em?'.)
Applicable to:
M-series and NS-series, and NTBA Appliances.
host-vlan
Enables or disables host-vlan.
Syntax:
host-vlan <enable | disable>
Parameter   Description
enable      enables host vlan
disable     disables host vlan
Applicable to:
M-series and NS-series, and NTBA Appliances.
See also
show host-vlan on page 314
installdb
This command is used to reinstall the NTBA NetFlow database and the configuration database. This command backs up your current database configuration and restores it once the database is recreated.
• If the database is up while you run this command, the trust connection between the Manager and NTBA remains intact.
• If the database is down while you run this command, the trust connection is removed and you need to re-establish the trust between the Manager and NTBA.
Syntax:
installdb
On executing the command, the following messages are displayed:
Scenario 1: Database is up
Are you sure you want to reinstall the NTBA database ?
WARNING: All existing data will be lost.
Please enter Y to confirm: y
Starting installdb...
Step 1/7: Stopping all services
Step 2/7: Stopping all database processes
Step 3/7: Backing up configurations
Step 4/7: Formatting NTBA database partition. This will take several minutes depending on the disk size.
Step 5/7: Creating fresh databases
Step 6/7: Restoring configurations
Step 7/7: Starting services. This will take few minutes.
NTBA database reinstallation successfully completed.
Scenario 2: Database is down
Are you sure you want to reinstall the NTBA Database ?
WARNING: All existing data will be lost.
Please enter Y to confirm: y
Starting installdb...
Step 1/7: Stopping all services
Step 2/7: Stopping all database processes
Step 3/7: Backing up configurations
Database is down. Configuration was not backed up.
Network Security Manager trust is removed.
Step 4/7: Formatting NTBA database partition. This will take several minutes depending on the disk size.
Step 5/7: Creating fresh databases
Step 6/7: Restoring configurations
Step 7/7: Starting services. This will take few minutes.
IMPORTANT: Re-establish trust with Network Security Manager after the services are up. Go to the Manager console and update configuration for the NTBA appliance so that the system can function.
NTBA database reinstallation successfully completed.
ntbaSensor@NTBA_VM>
At the prompt, run the set sensor sharedsecretkey command to establish trust between the Manager and NTBA and to receive the latest configuration from the Manager.
After installdb is executed successfully, a system reboot and a configuration push from the Manager are not required. If you wish to reset the configuration to defaults, run the resetconfig command.
installntba
Installs the NTBA Appliance. You can use this command only after inserting a CD, DVD, or USB drive.
Syntax:
installntba
On executing the command, the following messages are displayed:
Initiating to format system hard disk and install NTBA!
WARNING: This will delete all existing data.
Please enter Y to confirm:
If you enter Y, you will see:
Creating Linux disk partitions for installation . . .
Formatting Linux disk partitions . . .
Installing boot loader...
Loading the NTBA image . . .
Creating NTBA database disk partitions . . .
Creating labels . . .
Formatting NTBA database disk partitions . . .
NTBA is successfully installed.
Remove the CD or USB key and reboot the system.
Errors while running installntba
The following errors might occur while you run this command:
Installation failed: Hard disk for database is not found. Add a hard disk and rerun installntba.
Installation failed: Hard disk for NTBA is not found. Add a hard disk and rerun installntba.
Installation failed: An error occurred while creating Linux disk partitions for NTBA. Check /temp/install_errors.log and rerun installntba.
Installation failed: An error occurred while formatting Linux disk partitions for NTBA. Check /temp/install_errors.log and rerun installntba.
Installation failed: An error occurred while installing the boot loader. Check /temp/install_errors.log and rerun installntba.
Installation failed: An error occurred while loading the NTBA installation image. Check /temp/install_errors.log and rerun installntba.
Installation failed: An error occurred while creating disk partitions and labels for the NTBA database. Check /temp/install_errors.log and rerun installntba.
Installation failed: An error occurred while formatting the disk partitions for the NTBA database. Check /temp/install_errors.log and rerun installntba.
If an error occurs during installation and the installation fails, check the install_errors.log file and fix the error. Then rerun installntba to install NTBA.
loadimage
This command is used to install or upgrade the NTBA software on a physical or virtual NTBA Appliance.
Syntax:
loadimage <image path>
Sample Output:
ntbaSensor@vNTBA> loadimage NTBA/8.0.5.9/ntbasensorImage.T-200VM.opt.unsigned
Downloading NTBA/8.0.5.9/ntbasensorImage.T-200VM.opt.unsigned from TFTP Server
Image NTBA/8.0.5.9/ntbasensorImage.T-200VM.opt.unsigned downloaded successfully
Verifying the NTBA software image:
NTBA configuration is backed up.
NTBA configuration policy is not found. So NTBA configuration can't be backed up.
NTBA software image is found.
Verifying the NTBA software image security:
NTBA software image security check passed
NTBA software package check passed
Database will be upgraded from 8.0 to 8.1.
Loading NTBA software image
The NTBA software image is loaded. Reboot the NTBA appliance.
Errors while running loadimage
The following errors might occur while you run this command:
Before loading the image, set the TFTP server IP address. Execute set tftpserver ip.
An error occurred while downloading NTBA/8.0.5.9/ntbasensorImage.T-200VM.opt.unsigned from 10.213.173.1
An error occurred while downloading NTBA/8.0.5.9/ntbasensorImage.T-200VM.opt.unsigned from 10.213.173.1. Check the connectivity.
Verifying NTBA software image:
Error: Unzipping the NTBA combined image [image + signature file] failed.
Load the correct NTBA software image and retry loading the image.
Error: NTBA combined image [image + signature file] missing files.
Load the correct NTBA software image and rerun loadimage.
Verifying NTBA software image security:
Error: NTBA software image security check failed.
Load the correct NTBA software image and rerun loadimage.
Error: Make sure to load signed image as NTBA accepts only signed image.
Error: NTBA software package security check failed.
Load the correct NTBA software image and rerun factorydefault.
Error: The NTBA software image loaded is not compatible.
Physical appliance image must be loaded into physical appliance and VM image must be loaded into virtual NTBA.
Error: Downgrading virtual machine software is not permitted.
Load supported VM software image.
Error: Trying to load and found incompatible appliance software image.
Load compatible appliance software image.
Verify the appliance model and the loaded NTBA software image.
Error: Virtual machine is configured with $totalMem GB, which is lesser than the required minimum memory of $minMem GB.
The configured number of ethernet ports is $totalNetworkPorts, which is not as per the supported configuration of $numPort.
Error: Configured hard disk size for NTBA database is $totalDbDiskSizeInGB GB, which is lesser than the required minimum database disk space of $dbDiskSizeInGB GB.
Error: Configured hard disk size for NBA disk is $totalNtbaDiskSizeInGB GB , which is lesser than the required minimum disk space of $ntbaDiskSizeInGB GB.
Warning: Attempting to downgrade the NTBA appliance database version from $cur_ver to $db_schema. This requires reinstalling the NTBA database.
Error: Current NTBA version not supported for migration. Consider upgrade to supported version $min_ver. Attempting database migration $cur_ver to $db_schema.
Loading NTBA software image:
Error: An exception occurred while extracting the NTBA software image. Load the correct NTBA software image and rerun loadimage.
Error: An exception occurred while extracting the boot package. Load the correct NTBA software image and rerun loadimage.
Error: The system can't find the NTBA software image.
Load the correct NTBA software image and rerun loadimage.
nslookup
Displays the nslookup query result for the given host name.
Syntax:
nslookup WORD
Where WORD is the host name for which the nslookup query result must be displayed.
Sample Output:
ntbaSensor@vNTBA> nslookup google.com
Server: 10.213.154.101
Address 1: 10.213.154.101
Name: google.com
Address 1: 74.125.227.166 dfw06s32-in-f6.1e100.net
Address 2: 74.125.227.168 dfw06s32-in-f8.1e100.net
Address 3: 74.125.227.160 dfw06s32-in-f0.1e100.net
Address 4: 74.125.227.174 dfw06s32-in-f14.1e100.net
Address 5: 74.125.227.165 dfw06s32-in-f5.1e100.net
Address 6: 74.125.227.161 dfw06s32-in-f1.1e100.net
Address 7: 74.125.227.167 dfw06s32-in-f7.1e100.net
Address 8: 74.125.227.162 dfw06s32-in-f2.1e100.net
Address 9: 74.125.227.169 dfw06s32-in-f9.1e100.net
Address 10: 74.125.227.164 dfw06s32-in-f4.1e100.net
Address 11: 74.125.227.163 dfw06s32-in-f3.1e100.net
Address 12: 2607:f8b0:4000:804::1003 dfw06s32-in-x03.1e100.net
passwd
Changes the logon password for the Sensor. It prompts for the old password and then prompts for a
new password. A password must contain at least eight characters and can consist of any alphanumeric
character or symbol.
This command has no parameters.
Syntax:
passwd
Sample Output:
ntbaSensor@vNTBA> passwd
Please enter old password:xxxxxxxx
Please enter new password:
Please Re-enter new password:
Password successfully changed
Applicable to:
M-series and NS-series, and NTBA Appliances.
ping
Pings a network host. You can specify either the IPv4 or IPv6 address here. This command pings the
Sensor and returns a response with the following values:
Value                 Description
icmp_seq              number of times pinged to the Sensor
ttl                   number of hops between the source and destination
time taken            the average time taken by the Sensor to respond to the ping
packets transmitted   number of packets transmitted during the ping
packets received      number of packets received during the ping
packet loss           number of packets lost during the execution of the command
rtt min/avg/max       minimum, average and maximum time taken for a round trip in a ping cycle
Syntax:
ping <A.B.C.D | A:B:C:D:E:F:G:H> [-c <1-100>]
Parameter            Description
<A.B.C.D>            denotes the 32-bit IPv4 address written as four eight-bit numbers separated by periods. Each number (A, B, C or D) is an eight-bit number between 0-255.
<A:B:C:D:E:F:G:H>    denotes the 128-bit IPv6 address written as eight groups of four hexadecimal digits, separated by colons. Each group (A, B, C, D, etc.) is a hexadecimal number between 0000-FFFF.
-c <1-100>           denotes the number of times to ping the Sensor. This is optional and can be used if the Sensor needs to be pinged multiple times.
Sample Output:
• For Sensor, the output is as shown:
intruShell@NSP4050> ping 172.16.100.100
PING 172.16.100.100 with 32[60] bytes of data
40 bytes from host 172.16.100.100: icmp_seq=1 ttl=64 time taken 0.30 msec
--- 172.16.100.100 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0.30ms
rtt min/avg/max = 0.30/0.30/0.30 msec
• For an NTBA Appliance the output is as shown:
ntbaSensor@vNTBA> ping 172.16.100.100
host 172.16.100.100 is alive
• For Sensor, when it is pinged multiple times the output is as shown:
intruShell@NSP4050> ping 172.16.100.100 -c 3
PING 172.16.100.100 with 32[60] bytes of data
40 bytes from host 172.16.100.100: icmp_seq=1 ttl=64 time taken 0.41 msec
40 bytes from host 172.16.100.100: icmp_seq=2 ttl=64 time taken 0.20 msec
40 bytes from host 172.16.100.100: icmp_seq=3 ttl=64 time taken 0.19 msec
--- 172.16.100.100 ping statistics --- 3 packets transmitted, 3 received, 0% packet loss, time 0.80ms
rtt min/avg/max = 0.19/0.26/0.41 msec
Example:
The following command pings a 128-bit IPv6 address written as eight groups of four hexadecimal digits.
ping 2001:0db8:8a2e:0000:0000:0000:0000:0111
Applicable to:
M-series and NS-series, and NTBA Appliances.
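The script below is an added example, not McAfee code: it normalizes the two output formats shown above (the Sensor's statistics line and the NTBA Appliance's "host ... is alive" line) into one verdict, so a monitoring job can treat both device types alike. The sample outputs are constructed copies of the ones in this section, and the MAX_LOSS threshold is an assumed parameter.

```shell
#!/bin/sh
# Added example (not McAfee code): turn the two ping output formats shown in
# this section into one reachability verdict that a monitoring job can act on.

# Constructed samples, copied from the guide's sample outputs (the statistics
# line is one line, as the Sensor prints it).
SENSOR_PING='PING 172.16.100.100 with 32[60] bytes of data
40 bytes from host 172.16.100.100: icmp_seq=1 ttl=64 time taken 0.41 msec
40 bytes from host 172.16.100.100: icmp_seq=2 ttl=64 time taken 0.20 msec
40 bytes from host 172.16.100.100: icmp_seq=3 ttl=64 time taken 0.19 msec
--- 172.16.100.100 ping statistics --- 3 packets transmitted, 3 received, 0% packet loss, time 0.80ms
rtt min/avg/max = 0.19/0.26/0.41 msec'

NTBA_PING='host 172.16.100.100 is alive'

# ping_verdict TEXT [MAX_LOSS]
# Prints "reachable <loss%>", "degraded <loss%>" or "unreachable <loss%>".
# Returns 0 for reachable, 2 for degraded (loss above MAX_LOSS, default 0 percent,
# an assumed threshold) and 1 for unreachable or unparseable output.
ping_verdict() {
    printf '%s\n' "$1" | awk -v max_loss="${2:-0}" '
        # NTBA Appliance format: a single "host X is alive" line, no statistics
        /^host .* is alive$/ { seen = 1; loss = 0 }
        # Sensor format: take the "N% packet loss" figure from the statistics line
        /packets transmitted/ {
            seen = 1
            for (i = 1; i <= NF; i++)
                if ($i ~ /^[0-9]+%$/) loss = substr($i, 1, length($i) - 1) + 0
        }
        END {
            if (!seen)           { print "unreachable 100";   exit 1 }
            if (loss >= 100)     { print "unreachable " loss; exit 1 }
            if (loss > max_loss) { print "degraded " loss;    exit 2 }
            print "reachable " loss
        }'
}

ping_verdict "$SENSOR_PING"
ping_verdict "$NTBA_PING"
```

Because the NTBA format carries no counters, a single "is alive" line is treated as zero loss; anything that matches neither format (for example a resolver error) is reported as unreachable rather than silently passing.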
quit
Exits the command line interface.
This command has no parameters.
Syntax:
quit
Applicable to:
M-series and NS-series, and NTBA Appliances.
reboot
Reboots the device. You must confirm that you want to reboot the device. If hitless reboot is currently available for the device, you are prompted to enter 'h' for a hitless reboot or 'y' for a full reboot. Use the status command to check whether the hitless reboot option is currently available for the device.
In a full reboot, all processes of the device are restarted, so the device's function is interrupted until it comes up again. In a hitless reboot, only the required processes are restarted. For more information on hitless reboot, see the McAfee Network Security Platform IPS Administration Guide.
Syntax:
reboot
On executing the command the following messages are displayed:
• For Sensor, the output is as shown:
intruShell@john> reboot
Please enter Y to confirm: y
rebooting the Sensor...
Broadcast message from root (Fri Mar 29 05:45:14 2014):
The system is going down for reboot NOW!
• For an NTBA Appliance, the output is as shown:
ntbaSensor@vNTBA> reboot
Please enter Y to confirm: y
rebooting the NTBA Appliance ...
Broadcast message from root (Fri Mar 28 06:30:14 2014):
The system is going down for reboot NOW!
Applicable to:
M-series and NS-series, and NTBA Appliances.
resetconfig
This command resets the NTBA configuration to the factory default values. Use it to clear all user-defined configurations and return to the defaults.
Syntax:
resetconfig
This command resets the configurations related to host fingerprinting, database pruning, anti-malware settings, proxy settings, and de-duplication. It also removes the anomaly profiles, signature files, and external storage configurations. The command breaks the Manager trust and, after it completes successfully, asks you to re-establish trust with the Manager. It does not remove the exporter and interface details from the configuration.
On executing the command, the following messages are displayed:
Are you sure you want to reset the NTBA appliance configuration?
WARNING: All existing configuration will be lost and reset to defaults.
Please enter Y to confirm: y
If you enter Y, you will see:
Step 1 of 4: Checking if database migration is in progress
Database migration is not in progress. Continue with resetconfig.
Step 2 of 4: Removing trust with Network Security Manager
Step 3 of 4: Resetting NTBA configurations
Stopping all services
The configuration for the NTBA database is reset to default.
The configuration for NTBA services is reset to default.
Anomaly profile data is removed.
Signature files are removed.
External storage configuration is removed.
Anti-Malware cache and DAT files are removed.
Miscellaneous configuration files are removed.
Executable classifications are removed.
Endpoint Intelligence Agent certificate files are removed.
Whitelist and blacklist sync information is reset to default.
ePolicy Orchestrator credentials are removed.
Step 4 of 4: Restarting all services
Configuration for NTBA appliance is reset to defaults.
IMPORTANT: Re-establish trust with Network Security Manager after the services are up. Go to the Manager console and update configuration for the NTBA appliance so that the system can function.
Errors while running resetconfig
The following errors might occur while you reset the NTBA configuration:
Step 1 of 4: Checking if database migration is in progress
Database migration is not in progress. Continue with resetconfig.
Step 2 of 4: Removing trust with Network Security Manager
Network Security Manager trust is not removed. After resetconfig, run deinstall and re-establish the trust.
Step 3 of 4: Resetting NTBA configurations
Stopping all services
An error occurred while stopping the database events. Restart the appliance or VM and rerun resetconfig.
An error occurred while disabling database events. Restart the appliance or VM and rerun resetconfig.
An error occurred while generating disable-database processes script. Restart the appliance or VM and rerun resetconfig.
An error occurred while disabling database processes. Restart the appliance or VM and rerun resetconfig.
The NTBA database is down and so configuration can't be reset to default. Restart all services and once they are up, run resetconfig.
An error occurred while accessing the configuration database. Restart the appliance or VM and rerun resetconfig.
An error occurred while backing up the current configuration. Restart the appliance or VM and rerun resetconfig.
An error occurred while restoring internal configuration. Run deinstall and re-establish trust with Network Security Manager.
An error occurred while removing the configuration backup. This error can be ignored. So resetconfig will continue.
The configuration for the NTBA database is reset to default.
Verifying the software image failed on the appliance or VM. Load the correct NTBA software image and rerun resetconfig.
Extracting from a tar file failed. Load the correct NTBA software image and rerun resetconfig.
Checking consistency of software image failed on the appliance or VM. Load the correct NTBA software image and rerun resetconfig.
Retrieving the package from the software image failed. Load the correct NTBA software image and rerun resetconfig.
The configuration for NTBA services is reset to default.
Anomaly profile data is removed.
Signature files are removed.
External storage configuration is removed.
Anti-Malware cache and DAT files are removed.
Miscellaneous configuration files are removed.
An error occurred while clearing the classification for executables.
Executable classifications are removed.
Endpoint Intelligence Agent certificate files are removed.
Whitelist and blacklist sync information is reset to default.
ePolicy Orchestrator credentials are removed.
Step 4 of 4: Restarting all services
An error occurred while sending a signal to the Service manager to use the latest configuration. Run service restart all.
An error occurred while sending a signal to the Service manager to restart services. Run service restart all.
An error occurred while restarting services. Run service restart all.
Configuration for the NTBA appliance is reset to default.
resetpasswd
Changes the logon password for the NTBA Appliance. You can use this command only after inserting the NTBA CD.
Syntax:
resetpasswd
On executing the command, the following messages are displayed:
Are you sure you want to reset admin password to default?
Please enter Y to confirm.
If you enter Y, you will see
Resetting admin password to default . . .
Reset admin password to default completed,
please reboot the NTBA Appliance and remove the NTBA CD.
scan
Scans the IP address and provides information about host name, operating system, services running,
device type, and MAC address.
Syntax:
scan ip <ip_address>
Sample Output:
ntbaSensor@vNTBA> scan ip 10.213.171.222
Starting Nmap 6.25 ( http://nmap.org ) at 2014-03-28 06:57 UTC
Nmap scan report for 10.213.171.222
Host is up (0.000025s latency).
Not shown: 995 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.0 (protocol 2.0)
111/tcp open rpcbind 2-4 (RPC #100000)
443/tcp open ssl/https?
3306/tcp open mysql MySQL (unauthorized)
9876/tcp open sd?
1 service unrecognized despite returning data. If you know the service/version, please
submit the following fingerprint at http://www.insecure.org/cgi-bin/
servicefp-submit.cgi :
SF-Port443-TCP:V=6.25%T=SSL%I=7%D=3/28%Time=53351D6F%P=x86_64-unknown-linu
SF:x-gnu%r(GetRequest,6F,"HTTP/1\.0\x20501\x20Not\x20Implemented\r\nConten
SF:t-Length:\x2033\r\nContent-Type:\x20text/plain\r\n\r\nDownload\x20hook\
SF:x20is\x20not\x20implemented\.")%r(FourOhFourRequest,6F,"HTTP/1\.0\x2050
SF:1\x20Not\x20Implemented\r\nContent-Length:\x2033\r\nContent-Type:\x20te
SF:xt/plain\r\n\r\nDownload\x20hook\x20is\x20not\x20implemented\.");
No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=6.25%E=4%D=3/28%OT=22%CT=1%CU=35842%PV=Y%DS=0%DC=L%G=Y%TM=53351DF
OS:7%P=x86_64-unknown-linux-gnu)SEQ(SP=CF%GCD=1%ISR=D0%TI=Z%CI=Z%II=I%TS=A)
OS:OPS(O1=M400CST11NWA%O2=M400CST11NWA%O3=M400CNNT11NWA%O4=M400CST11NWA%O5=
OS:M400CST11NWA%O6=M400CST11)WIN(W1=8000%W2=8000%W3=8000%W4=8000%W5=8000%W6
OS:=8000)ECN(R=Y%DF=Y%T=40%W=8018%O=M400CNNSNWA%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=
OS:O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=Y%DF=Y%T=40%W=8000%S=O%A=S+%F=AS%O=M400C
OS:ST11NWA%RD=0%Q=)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%
OS:T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD
OS:=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL
OS:=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)
Network Distance: 0 hops
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 149.18 seconds
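The following is an added example, not McAfee or Nmap code: it reads the PORT STATE SERVICE VERSION table that scan ip prints, builds an open-port inventory, and reports any open port that is not in an expected baseline for the host. The scan output is a constructed copy of the sample above, and the baseline of 22/tcp and 443/tcp is an assumption.

```shell
#!/bin/sh
# Added example (not McAfee or Nmap code): build an open-port inventory from the
# "PORT STATE SERVICE VERSION" table that scan ip prints, and diff it against
# the ports you expect on that host.

# Constructed sample: the port table from the guide's scan ip output above.
SCAN_OUTPUT='Nmap scan report for 10.213.171.222
Host is up (0.000025s latency).
Not shown: 995 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.0 (protocol 2.0)
111/tcp open rpcbind 2-4 (RPC #100000)
443/tcp open ssl/https?
3306/tcp open mysql MySQL (unauthorized)
9876/tcp open sd?
Network Distance: 0 hops'

# open_ports TEXT -> one "port/proto service version..." line per open port
open_ports() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" {
            line = $1 " " $3
            for (i = 4; i <= NF; i++) line = line " " $i
            print line
        }'
}

# unexpected_ports TEXT BASELINE
# BASELINE is a space-separated list such as "22/tcp 443/tcp" (an assumed
# per-host allow list). Prints every open port that is not in it and returns 1
# when at least one was found, so it can gate a monitoring job.
unexpected_ports() {
    printf '%s\n' "$1" | awk -v base=" $2 " '
        $1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" && index(base, " " $1 " ") == 0 {
            print $1, $3
            n++
        }
        END { exit (n > 0) }'
}

# open_port_count TEXT -> number of open ports in the scan
open_port_count() {
    open_ports "$1" | wc -l | tr -d ' '
}

# Constructed usage: only SSH and HTTPS are expected on this host, so rpcbind,
# mysql and the unidentified port 9876 are reported.
unexpected_ports "$SCAN_OUTPUT" "22/tcp 443/tcp" || echo "unexpected open ports found"
```

Matching on the "port/proto" token and the literal state "open" keeps the banner text (which Nmap may wrap or leave as a fingerprint block) out of the inventory, so the SF: and OS: lines in the sample never produce a false entry.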
service list
Lists all the available services.
Syntax:
service list
Sample Output:
ntbaSensor@vNTBA> service list
[Services List]
NetflowProcessor
AntiMalwareService
DeviceProfiler
EpIntelligenceServer
service restart
Restarts all services or the specified service. To get the list of all services, run the service list
command.
This command takes all or <service_name> as its parameter.
Syntax:
service restart all
service restart <service_name>
Sample Output:
ntbaSensor@vNTBA> service restart all
Service command execution in progress. Please check status using "service status <service-name>" or status command after some time.
service start
Starts all services or the specified service. To get the list of all services, run the service list
command.
This command takes all or <service_name> as its parameter.
Syntax:
service start all
service start <service_name>
For example, if the service user display name is NetflowProcessor, the command is service start
NetflowProcessor.
Sample Output:
ntbaSensor@NTBA_210> service start NetflowProcessor
Service command execution in progress. Please check status using "service status <service-name>" or status command after some time.
service status
Shows the status of all services or the specific service. To get the list of all services, run the service
list command.
This command takes all or <service_name> as its parameter.
Syntax:
To get the status of all services, run:
service status
service status all
To get the status of a specific service, run:
service status <service_name>
For example, if the service user display name is NetflowProcessor, the command is service status
NetflowProcessor.
Sample Output:
• For a particular service:
ntbaSensor@vNTBA> service status NetflowProcessor
[Services Status]
NetflowProcessor : Running
• For all services:
ntbaSensor@vNTBA> service status all
[Services Status]
NetflowProcessor : Running
AntiMalwareService : Running
DeviceProfiler : Disabled
EpIntelligenceServer : Running
The service status values are:
• Running — The service is running properly.
• Not Running — The service is not running because of an issue, for example a service crash.
• Stopped — This status appears for a service after you run the service stop command for it.
• Disabled — This status depends on the Manager configuration set by the administrator. It appears only for the DeviceProfiler service.
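As an added example, not McAfee code, the script below parses service status all output and maps each of the four status values above to an action, so that Disabled (a Manager-side setting) is not mistaken for a failure while Stopped and Not Running are reported. The sample output is a constructed copy of the one in this section, and the suggested follow-up commands are the service start command documented on this page.

```shell
#!/bin/sh
# Added example (not McAfee code): parse "service status all" output and report the
# services that need attention, mapping each of the four documented status values
# to an action.

# Constructed sample: the guide's "service status all" output.
STATUS_ALL='[Services Status]
NetflowProcessor : Running
AntiMalwareService : Running
DeviceProfiler : Disabled
EpIntelligenceServer : Running'

# service_actions TEXT
# Prints "<service> <status> -> <action>" for every service that is not Running.
# Disabled is a Manager-side configuration choice, so it is listed but not counted
# as a failure; Stopped was requested by an operator and can simply be started again;
# Not Running means the service died and should be looked at before a restart.
# Returns 1 when at least one service is Stopped, Not Running or in an unknown state.
service_actions() {
    printf '%s\n' "$1" | awk -F' : ' '
        NF != 2 || $2 == "Running" { next }
        $2 == "Disabled"    { print $1, $2, "-> no action (disabled in the Manager)"; next }
        $2 == "Stopped"     { print $1, $2, "-> run: service start " $1; n++; next }
        $2 == "Not Running" { print $1, $2, "-> investigate, then: service start " $1; n++; next }
                            { print $1, $2, "-> unknown status, check manually"; n++ }
        END { exit (n > 0) }'
}

# unhealthy_count TEXT -> number of services that are Stopped or Not Running
unhealthy_count() {
    printf '%s\n' "$1" | awk -F' : ' '
        NF == 2 && ($2 == "Stopped" || $2 == "Not Running") { n++ }
        END { print n + 0 }'
}

service_actions "$STATUS_ALL" || echo "one or more services need attention"
```

Splitting on the literal " : " separator rather than on whitespace is what keeps the two-word status "Not Running" intact as a single field.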
service stop
Stops all services or the specified service. To get the list of all services, run the service list
command.
This command takes all or <service_name> as its parameter.
Syntax:
service stop all
service stop <service_name>
For example, if the service user display name is NetflowProcessor, the command is service stop
NetflowProcessor.
Sample Output:
ntbaSensor@NTBA_210> service stop NetflowProcessor
Service command execution in progress. Please check status using "service status <service-name>" or status command after some time.
set antimalware cache
Allows you to enable or disable the antimalware cache.
Syntax:
set antimalware cache <enable/disable>
set antimalware encryption
Enables or disables encryption on the antimalware channel.
Syntax:
set antimalware encryption <on|off>
Sample Output:
ntbaSensor@vNTBA> set antimalware encryption on
Strong encryption on the antimalware channel. Restart the antimalware service for
changes to take effect.
ntbaSensor@vNTBA> set antimalware encryption off
Weak encryption on the antimalware channel. Restart the antimalware service for
changes to take effect.
Applicable to:
NTBA Appliances
set console timeout
Specifies the number of minutes of inactivity that may pass before the console connection times out.
Syntax:
set console timeout <0 - 1440>
Parameter   Description
<0-1440>    an integer between 0 (never) and 1440 (24 hours)
Example:
set console timeout 60
Default Value:
15 (15 minutes)
Applicable to:
M-series and NS-series Sensors.
set dbdisksize
Specifies the percentage of disk size that can be allocated to the NetFlow and forensic databases. The allowed range is 20-80%.
Syntax:
set dbdisksize netflow <20-80>
set dbdisksize forensic <20-80>
Sample Output:
ntbaSensor@vNTBA> set dbdisksize netflow 60
Setting database disk size...
Database disk size is set. Restarting netflow service...
ntbaSensor@vNTBA> set dbdisksize forensic 40
Setting database disk size...
Database disk size is set. Restarting forensic service...
set flow-fw
Forwards a copy of the NetFlow information from the NTBA Appliance to a third party device.
Syntax:
set flow-fw ip <A.B.C.D> port <1-65535>
Parameter    Description
<A.B.C.D>    A 32-bit address written as four eight-bit numbers separated by periods. A, B, C or D represents an eight-bit number between 0-255.
<1-65535>    Port number range
This command is applicable only to NTBA Appliances. It forwards NetFlow information that the NTBA Appliance receives from third-party network devices such as Cisco routers. NetFlow information received by the NTBA Appliance from Network Security Sensors is proprietary and is not forwarded when this command is executed.
set endpointintelligence demo
Enables or disables endpoint intelligence demo mode.
Syntax:
set endpointintelligence demo <enable/disable>
Sample Output:
• Enable endpoint intelligence demo mode:
ntbaSensor@vNTBA> set endpointintelligence demo enable
Setting endpoint intelligence in demo mode.
Demo handler is created.
Configuration file for certificates is created.
NTBA private key is created and copied.
Endpoint key is created and self signed.
ePolicy Orchestrator certificate is copied.
Endpoint certificate files are created.
Uploading endpoint certificates to tftp server 10.213.173.1 ...
Uploading eiahostcert.p12 ...
Transfer Successful
Uploading CA certificates to tftp server 10.213.173.1 ...
Uploading ntbacacert.pem ...
Transfer Successful
Endpoint intelligence is set in demo mode.
• Disable endpoint intelligence demo mode:
ntbaSensor@vNTBA> set endpointintelligence demo disable
Setting endpoint intelligence in demo mode.
Demo file is removed.
ePolicy Orchestrator demo certificates are removed.
Demo certificates are removed.
Private key is removed.
Endpoint certificate is removed.
Demo mode is disabled for endpoint intelligence.
Errors while running set endpointintelligence demo
The following errors might occur while you run this command:
Error: The system failed to remove the demo handler.
Error: The system failed to clean up the ePolicy Orchestrator demo certificates.
Error: The system failed to clean up the endpoint intelligence demo certificates.
Error: The system failed to clean up the private key.
Error: The system failed to clean up the endpoint certificate.
Error: The TFTP server IP address is not set. Run set tftp server ip to set the IP address.
Error: The system failed to create the demo handler.
Error: The system failed to create the configuration file required to create the certificates.
Error: The system failed to create the NTBA private key.
Error: The system failed to copy the NTBA private key.
Error: The system failed to create the endpoint key.
Error: The system failed to self sign the endpoint private key.
Error: The system failed to copy the ePolicy Orchestrator certificate.
Error: The system failed to create the endpoint certificate files.
The certificate files upload process failed or timed out.
Make sure that you have a file $SRCFILENAME with correct permissions.
If the full path name doesn't work, try path name relative to /tftpboot.
Timeouts may occur when the network is congested.
Error: The system failed to upload the endpoint certificate file.
The certificate files upload process failed or timed out.
Make sure that you have a file $SRCFILENAME with correct permissions.
If the full path name doesn't work, try path name relative to /tftpboot.
Timeouts may occur when the network is congested.
Error: The system failed to upload the endpoint certificate file.
Error: The system failed to upload the CA certificate file.
set endpointintelligence alertinterval
Configures the interval after which a throttled alert is raised again. By default, it is 7 days.
Syntax:
set endpointintelligence alertinterval <0-30>
Set the interval to zero to disable alert throttling.
Sample Output:
Setting the endpoint intelligence alert interval
Alert throttle interval is set to 1.
If you wish to disable alert throttling, set the interval to 0.
• If EIS is enabled and you disable alert throttling:
ntbaSensor@vNTBA> set endpointintelligence alertinterval 0
Alert throttle interval was set to 0. Continue with the cleanup.
Stopping endpoint intelligence services
Resetting the alert throttle for all executables
Removing alert throttling files
Restarting endpoint intelligence services. This will take few minutes.
• If EIS is disabled and you disable alert throttling:
ntbaSensor@vNTBA> set endpointintelligence alertinterval 0
Setting endpoint intelligence alert interval.
Alert throttle interval set to 0.
Errors while running set endpointintelligence alertinterval
The following errors might occur while you run this command:
Error: The system can't find alert statistics. From the Manager console, go to Setup | Enable Integration, enable EIA integration and configure the settings.
Error: An exception occurred while resetting the alert throttle for executables. Try to set the alert interval.
Error: The system can't communicate with the Service manager. Restart the endpoint intelligence services.
Error: An exception occurred while restarting endpoint intelligence services. Run the endpoint intelligence services.
Error: An exception occurred while setting the alert throttle interval. Set the alert throttle interval again.
set htf delta-period
Specifies the duration (in minutes) of the htf delta period.
Syntax:
set htf delta-period WORD
Parameter   Description
WORD        the number of minutes, an integer between 0 and 1440
Example:
set htf delta-period 180
Run the show htf CLI command to check if the change has taken effect.
set htf max-deltas
Specifies the maximum number of htf delta periods.
Syntax:
set htf max-deltas <1-100>
Parameter   Description
<1-100>     an integer between 1 and 100
Example:
set htf max-deltas 100
set manager alertport
Specifies the port on which the Manager listens for Sensor alerts. You can assign any unassigned
port for this communication.
If the Sensor and the Manager are separated by a firewall, make sure that the specified port is open
on the firewall. If the Sensor is already installed, deinstall the Sensor before changing this
parameter.
Syntax:
set manager alertport <0 - 10000>
Parameter   Description
<0-10000>   an integer port number from 0 to 10000
On executing the command, the following messages are displayed:
• When the Sensor is installed:
sensor is already installed, please do a deinstall before changing this parameter
• When the Sensor is deinstalled:
Missing manager alert port, default 8502 used
Default Value:
Default port number is 8502.
Applicable to:
M-series and NS-series, and NTBA Appliances.
set manager installsensorport
Specifies the port which the Manager uses to exchange configuration information with the Sensor
when using 2048 bit encryption. You can assign any unassigned port for this communication.
Syntax:
set manager installsensorport <0 - 10000>
Parameter   Description
<0-10000>   an integer port number from 0 to 10000
On executing the command, the following messages are displayed:
• When the Sensor is installed:
sensor is already installed, please do a deinstall before changing this parameter
• When the Sensor is deinstalled:
Missing manager Install Sensor Port, default 8501 used
Default Value:
Default port number is 8501.
Applicable to:
M-series and NS-series, and NTBA Appliances.
set manager ip
Specifies the IPv4 or IPv6 address of the Manager server's primary interface.
Syntax:
set manager ip <A.B.C.D |A:B:C:D:E:F:G:H>
Parameter           Description
<A.B.C.D>           a 32-bit address written as four eight-bit numbers separated by periods. A, B, C
                    and D each represent an eight-bit number between 0 and 255.
<A:B:C:D:E:F:G:H>   a 128-bit address written as eight groups of four hexadecimal digits, separated
                    by colons. Each group (A, B, C, D, etc.) represents a hexadecimal number between
                    0000 and FFFF.
Example:
set manager ip 192.34.2.8
Or
set manager ip 2001:0db8:8a2e:0000:0000:0000:0000:0111
If one or more consecutive four-digit groups are 0000, that run of zeros may be omitted and replaced with two colons (::).
Applicable to:
M-series and NS-series, and NTBA Appliances.
See also
set manager secondary ip on page 75
set manager secondary ip
Specifies an IPv4 or IPv6 address for the Manager server's secondary interface.
Syntax:
set manager secondary ip <A.B.C.D | A:B:C:D:E:F:G:H>
Parameter           Description
<A.B.C.D>           a 32-bit address written as four eight-bit numbers separated by periods. A, B, C
                    and D each represent an eight-bit number between 0 and 255.
<A:B:C:D:E:F:G:H>   a 128-bit address written as eight groups of four hexadecimal digits, separated
                    by colons. Each group (A, B, C, D, etc.) represents a hexadecimal number between
                    0000 and FFFF.
Example:
set manager secondary ip 192.34.2.8
Or
set manager secondary ip 2001:0db8:8a2e:0000:0000:0000:0000:0111
If one or more consecutive four-digit groups are 0000, that run of zeros may be omitted and replaced with two colons (::).
Applicable to:
M-series and NS-series, and NTBA Appliances.
See also
deletemgrsecintf on page 40
set manager ip on page 74
set mgmtport auto
Configures the Management port to auto-negotiate the connection between the Sensor and the
network device.
This command has no parameters.
Syntax:
set mgmtport auto
Default Value:
By default, the Management port is set to auto (auto-negotiate).
Applicable to:
M-series and NS-series, and NTBA Appliances.
See also
set mgmtport speed and duplex on page 77
set mgmtport speed and duplex
Configures the management port to match the speed of the network device connecting to the Sensor
and to run in full- or half-duplex mode.
Syntax:
set mgmtport <speed <10 | 100> duplex <full | half>>
Parameter     Description
<10|100>      sets the speed on the Ethernet management port. The speed value can be either 10 or
              100 Mbps. To set the speed to 1000 Mbps, use the set mgmtport auto command.
<half|full>   sets the duplex setting on the Ethernet management port. Set the value half for half
              duplex and full for full duplex.
Default Value:
By default, the management port is set to auto (auto-negotiate).
Applicable to:
M-series and NS-series, and NTBA Appliances.
See also
set mgmtport auto on page 76
set sensor gateway
Specifies the IPv4 address of the gateway for the Manager server.
Syntax:
set sensor gateway <A.B.C.D>
Parameter   Description
<A.B.C.D>   a 32-bit address written as four eight-bit numbers separated by periods. A, B, C and D
            each represent an eight-bit number between 0 and 255.
Sample Output:
• For a Sensor, the output is as shown:
intruShell@john> set sensor gateway 10.213.174.201
sensor gateway = 10.213.174.201
• For an NTBA Appliance, the output is as shown:
ntbaSensor@vNTBA> set sensor gateway 192.34.2.8
sensor gateway = 192.34.2.8
Example:
set sensor gateway 192.34.2.8
Applicable to:
M-series and NS-series, and NTBA Appliances.
set sensor ip
Specifies the Sensor's IPv4 address and subnet mask. Changing the Sensor IP requires a Sensor
reboot for the changes to take effect. See the reboot command for instructions on how to reboot the
Sensor.
Syntax:
set sensor ip <A.B.C.D E.F.G.H>
Parameter            Description
<A.B.C.D E.F.G.H>    indicates an IPv4 address followed by a netmask. The netmask strips the host ID
                     from the IP address, leaving only the network ID. Each netmask consists of binary
                     ones (decimal 255) to mask the network ID and binary zeroes (decimal 0) to retain
                     the host ID of the IP address (for example, the default netmask for a Class C
                     address is 255.255.255.0).
Sample Output:
• For a Sensor, the output is as shown:
intruShell@john> set sensor ip 10.213.168.169 255.255.255.0
Sensor IP is already set, new IP will take effect after a reboot
sensor ipv4 = 10.213.168.169, sensor subnet mask = 255.255.255.0
• For an NTBA Appliance, the output is as shown:
ntbaSensor@NTBA_210> set sensor ip 10.213.171.210 255.255.255.0
Sensor IP is already set, new IP will take effect after a reboot
sensor ipv4 = 10.213.171.210, sensor subnet mask = 255.255.255.0
Example:
set sensor ip 192.34.2.8 255.255.0.0
Applicable to:
M-series and NS-series, and NTBA Appliances.
set sensor name
Sets the name of the Sensor. This name is used to identify the Sensor to the Manager and to identify
the Sensor to the admin in the Manager interface. The name you use here in the CLI to identify the
Sensor must match the name you use in the Manager interface or the Manager and Sensor will be
unable to communicate.
Syntax:
set sensor name <WORD>
Parameter   Description
<WORD>      a case-sensitive character string of up to 25 characters. The string can include
            hyphens, underscores, and periods, and must begin with a letter.
Sample Output:
On executing the command, the following messages are displayed:
• When the Sensor is installed:
sensor is already installed, please do a deinstall before changing this parameter
• When the Sensor is deinstalled:
intruShell@john> set sensor name admin
sensor name = admin
ntbaSensor@NTBA_210> set sensor name vNTBA
sensor name = vNTBA
Example:
set sensor name SanJose_Sensor1
Applicable to:
M-series and NS-series, and NTBA Appliances.
set sensor sharedsecretkey
Specifies the shared secret key value that the Manager and Sensor use to establish a trust
relationship.
Type the command as shown in the Syntax below. The Sensor prompts you for a secret key value. The
value you enter is not shown. You are prompted to type the value a second time to verify that the
two entries match.
The sharedsecretkey value you use here in the CLI to identify the Sensor must match the one you use in
the Manager interface, or the Manager and Sensor will be unable to communicate. If you want to change
the value, you must change it in the CLI as well as in the Manager interface.
Syntax:
set sensor sharedsecretkey
At the Sensor's prompt for a secret key value, enter a case-sensitive character string between 8 and
25 characters of any ASCII text.
Sample Output:
On executing the command, the following messages are displayed:
• When the Sensor is installed:
sensor is already installed, please do a deinstall before changing this parameter
• When the Sensor is deinstalled:
intruShell@john> set sensor sharedsecretkey
Please enter shared secret key:
Please Re-enter shared secret key:
This will take a couple of seconds, please check status on CLI
ntbaSensor@vNTBA> set sensor sharedsecretkey
Please enter shared secret key:
Please Re-enter shared secret key:
This will take a couple of seconds, please check status on CLI
Applicable to:
M-series and NS-series, and NTBA Appliances.
set store-url-type
Sets whether the NTBA Appliance captures only the domain name or the full path from a URL.
Example: for domain-name, http://abc.com; for full-url, http://abc.com/image.html.
Syntax:
set store-url-type <domain-name | full-url>
Parameter     Description
domain-name   capture only the domain name information from the URL
full-url      capture full path information from the URL
When the NTBA Appliance is configured to store full URL (set store-url-type full-url), the performance
might drop by 25-30 percent.
set tftpserver ip
Specifies the IPv4 or IPv6 address of your TFTP server.
Syntax:
set tftpserver ip <A.B.C.D | A:B:C:D:E:F:G:H>
Parameter           Description
<A.B.C.D>           indicates a 32-bit address written as four eight-bit numbers separated by
                    periods. A, B, C and D each represent an eight-bit number between 0 and 255.
<A:B:C:D:E:F:G:H>   indicates a 128-bit address written as eight groups of four hexadecimal digits,
                    separated by colons. Each group (A, B, C, D, etc.) represents a hexadecimal
                    number between 0000 and FFFF.
Sample Output:
• For a Sensor, the output is as shown:
intruShell@john> set tftpserver ip 192.34.5.12
TFTP Server IP = 192.34.5.12
• For an NTBA Appliance, the output is as shown:
ntbaSensor@vNTBA> set tftpserver ip 192.34.2.54
TFTP Server IP = 192.34.2.54
Example:
set tftpserver ip 192.34.2.54
Or
set tftpserver ip 2001:0db8:8a2e:0000:0000:0000:0000:0111
If one or more consecutive four-digit groups are 0000, that run of zeros may be omitted and replaced with two colons (::).
Applicable to:
M-series and NS-series, and NTBA Appliances.
setup
This command is used to set up Sensor parameters. You must run this command when you first set up
your Sensor or after resetting the Sensor with the factory defaults command.
This command has no parameters.
Syntax:
setup
When you enter this command, you are prompted to enter the following:
• Current password
• New password
• Sensor name
• IP Type (IPV4=1 or IPV6=2 or BOTH=3)
The IP Type prompt is applicable only for IPS. It is not applicable for NTBA.
• Sensor IP (IPv4 or IPv6 address or BOTH)
• Sensor subnet mask (IP address)
• Manager primary IP (IPv4 or IPv6 address or BOTH)
• Manager secondary IP (IPv4 or IPv6 address or BOTH)
• Sensor default gateway (IPv4 or IPv6 address or BOTH)
• Management port configuration choice (a/m)
• Shared secret key
If you press Enter, your current settings are taken as default.
Sample Output:
ntbaSensor@NTBA_210> setup
**Press ESC key or CTRL-C at any prompt to abort the setup**
Please enter the current password before starting setup:
Please enter the new password [current password]:
Please confirm the new password:
Password successfully changed
Please enter the sensor name [NTBA_210]:
Please enter the sensor IP(A.B.C.D) [10.213.171.210]:
Please enter the sensor subnet mask(A.B.C.D) [255.255.255.0]:
Please enter the manager primary IPv4 address(A.B.C.D) [10.213.171.215]:
**You can set the Manager secondary IP in case the manager has two interfaces**
Press Y to configure manager secondary IP address [N]: n
Please enter the sensor default gateway(A.B.C.D) [10.213.171.252]:
Please enter management port configuration choice(a/m) [Auto]: a
Sensor configuration is almost complete. The final step is to establish a secure
management channel (trust) between the sensor and its Manager.
This is accomplished by a secret key that is shared by the Manager and this sensor.
Please ensure that a shared secret key has already been defined on the Manager for
this sensor...
Press Y to set shared secret key now or N to exit [Y]: y
Please enter shared secret key:
Please re-enter the shared secret key:
This will take a couple of seconds, please check status on CLI
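The constraints this chapter gives for the answers to these prompts (the rules documented under set sensor name, set sensor ip, set manager ip, set sensor gateway and set sensor sharedsecretkey) can be checked before a provisioning script feeds them to the appliance. The following Python is an added example, not code from the McAfee guide or the NTBA product: every function name is hypothetical, the on-subnet gateway rule is an added sanity check the guide does not state, and the sample answers are constructed from the setup transcript above with a made-up secret.

```python
# Added example, not from the McAfee CLI Guide or the NTBA product: checks the
# answers a provisioning script would give to the "setup" prompts against the
# constraints this chapter documents for set sensor name, set sensor ip,
# set manager ip, set sensor gateway and set sensor sharedsecretkey. All names
# are hypothetical; the on-subnet gateway rule is an added sanity check.
import ipaddress
import re

# set sensor name: case-sensitive, up to 25 characters, may contain hyphens,
# underscores and periods, must begin with a letter (the guide's own examples,
# such as SanJose_Sensor1 and NTBA_210, also contain digits).
SENSOR_NAME_RE = re.compile(r"[A-Za-z][A-Za-z0-9._-]{0,24}")


def check_sensor_name(name: str) -> str:
    if not SENSOR_NAME_RE.fullmatch(name):
        raise ValueError(f"invalid sensor name {name!r}")
    return name


def check_shared_secret(secret: str) -> int:
    """set sensor sharedsecretkey: 8 to 25 characters of ASCII text; returns the length."""
    if not (8 <= len(secret) <= 25) or not secret.isascii():
        raise ValueError("shared secret key must be 8-25 ASCII characters")
    return len(secret)


def check_manager_ip(address: str) -> str:
    """set manager ip: IPv4 (A.B.C.D) or IPv6 (A:B:C:D:E:F:G:H).

    Returns the canonical text; for IPv6 this applies the guide's "::" rule, so
    2001:0db8:8a2e:0000:0000:0000:0000:0111 becomes 2001:db8:8a2e::111.
    """
    return ipaddress.ip_address(address).compressed   # ValueError if neither form


def check_sensor_ip(address: str, netmask: str) -> dict:
    """set sensor ip <A.B.C.D E.F.G.H>: IPv4 address followed by a dotted netmask.

    The netmask's binary ones select the network ID and its binary zeroes keep
    the host ID, so it must be one run of ones followed by zeroes; a mask such
    as 255.0.255.0 is rejected.
    """
    ip = int(ipaddress.IPv4Address(address))
    mask = int(ipaddress.IPv4Address(netmask))
    host_bits = ~mask & 0xFFFFFFFF                    # the zero part of the mask
    if host_bits & (host_bits + 1):                   # not of the form 0...01...1
        raise ValueError(f"netmask {netmask} is not contiguous")
    return {
        "network_id": str(ipaddress.IPv4Address(ip & mask)),
        "host_id": ip & host_bits,
        "prefix_len": 32 - host_bits.bit_length(),
    }


def check_gateway(gateway: str, address: str, netmask: str) -> str:
    """set sensor gateway <A.B.C.D>: IPv4, and (added check) on the sensor's own network."""
    sensor_net = check_sensor_ip(address, netmask)["network_id"]
    if check_sensor_ip(gateway, netmask)["network_id"] != sensor_net:
        raise ValueError(f"gateway {gateway} is not on the sensor's network")
    return str(ipaddress.IPv4Address(gateway))


def validate_setup_answers(answers: dict) -> dict:
    """Run every check over one set of setup answers.

    Returns {"ok": bool, "errors": [...], "values": {...}} so a script can refuse
    to start the interactive setup when any answer would be rejected.
    """
    checks = {
        "sensor_name": lambda: check_sensor_name(answers["sensor_name"]),
        "shared_secret_length": lambda: check_shared_secret(answers["shared_secret"]),
        "manager_ip": lambda: check_manager_ip(answers["manager_ip"]),
        "sensor_network": lambda: check_sensor_ip(answers["sensor_ip"], answers["netmask"]),
        "gateway": lambda: check_gateway(answers["gateway"], answers["sensor_ip"],
                                         answers["netmask"]),
    }
    values, errors = {}, []
    for field, check in checks.items():
        try:
            values[field] = check()
        except (ValueError, KeyError) as exc:
            errors.append(f"{field}: {exc}")
    return {"ok": not errors, "errors": errors, "values": values}


# Constructed answers, taken from the setup transcript above; the secret is made up.
SAMPLE_ANSWERS = {
    "sensor_name": "NTBA_210",
    "sensor_ip": "10.213.171.210",
    "netmask": "255.255.255.0",
    "manager_ip": "10.213.171.215",
    "gateway": "10.213.171.252",
    "shared_secret": "example-secret-123",
}
```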
show
Shows all the current configuration settings on the Sensor, such as model, installed software version, IP
address, and Manager details.
This command has no parameters.
Syntax:
show
Information displayed by the show command includes:
[Sensor Info]
• Date
• System Uptime
• System Type
• Software Version
• MGMT Ethernet Port
• System serial number (displays the primary, secondary and master/system serial numbers
separately in case of NS9300)
[Sensor Network Config]
• IP Address
• Netmask
• Default Gateway
• Default TFTP server
[Manager Config]
• Manager IP addr
• Install TCP Port
• Alert TCP Port
[Peer Manager Config]
• Manager IP addr
• Install TCP Port
• Alert TCP Port
Sample Output:
• For a Sensor, the output is as shown:
intruShell@john> show
[Sensor Info]
System Name : M6050
Date : 2/6/2015 - 9:23:18 UTC
System Uptime : 6 days 23 hrs 10 min 13 secs
System Type : M-6050
Serial Number : J021834009
Software Version : 8.2.2.98
Hardware Version : 1.30
MGMT Ethernet port : auto negotiated
MGMT port Link Status : link up
[Sensor Network Config]
IP Address : 10.213.174.202
Netmask : 255.255.255.0
Default Gateway : 10.213.174.201
SSH Remote Logins : enabled
[Manager Config]
Manager IP addr : 10.213.169.178 (primary intf)
Install TCP Port : 8506
Alert TCP Port : 8507
Logging TCP Port : 8508
• For an NTBA Appliance, the output is as shown:
ntbaSensor@vNTBA> show
[Sensor Info]
System Name : vNTBA
Date : Fri Mar 28 08:55:26 2014
System Uptime : 02 hrs 24 min 54 secs
System Type : T-200VM
Serial Number : T0020140324185515
Software Version : 8.1.3.6
MGMT Ethernet port : speed = 10 mbps, full duplex, link up
[Sensor Network Config]
IP Address : 1.1.1.1
Netmask : 255.255.255.0
Default Gateway : 1.1.1.5
Default TFTP server : 1.2.3.4
[Manager Config]
Manager IP addr : 1.1.1.2 (primary intf)
Install TCP Port : 8501
Alert TCP Port : 8502
• For an NS9300 Sensor, the output is as shown:
intruShell@KAM9300> show
[Sensor Info]
System Name : KAM9300
Date : 1/28/2015 - 8:34:53 UTC
System Uptime : 6 days 22 hrs 03 min 43 secs
System Type : IPS-NS9300
System Serial Number : J073350027
NS9300 P Serial Number : J071328008
NS9300 S Serial Number : J064227B70
Software Version : 8.1.5.71
Hardware Version : 1.10
MGMT Ethernet port : auto negotiated
MGMT port Link Status : link up
[Sensor Network Config]
IP Address : 1.1.1.1
Netmask : 255.255.255.0
Default Gateway : 1.1.1.5
Default SCPserver : 1.2.3.4
SSH Remote Logins : enabled
[Manager Config]
Manager IP addr : 1.1.1.2 (primary intf)
Install TCP Port : 8506
Alert TCP Port : 8507
Logging TCP Port : 8508
Applicable to:
M-series and NS-series, and NTBA Appliances.
show aggstats
Displays aggregator statistics.
Syntax:
show aggstats
Sample Output:
ntbaSensor@vNTBA> show aggstats
[Aggregation module stats]
aggregator - mode : 1
aggregator - running flag : 1
aggregator - stop flag : 0
aggregator - thread stage : 11
aggregator - number of peers : 2
aggregator - peer component nodes :
1.0.0.0
10.213.173.174
aggregator - thread start timestamp : Mon Sep 30 14:54:58 2013
aggregator - latest packet processing timestamp : Tue Oct 1 10:27:32 2013
aggregation self - running flag : 1
aggregation self - stop flag : 0
aggregation self - thread stage : 15
aggregation self - thread start timestamp : Mon Sep 30 14:54:58 2013
aggregation self - latest run timestamp : Tue Oct 1 10:27:19 2013
aggregation committer - running flag : 1
aggregation committer - stop flag : 0
aggregation committer - thread stage : 2
aggregation committer - thread start timestamp : Mon Sep 30 14:54:58 2013
aggregation committer - latest run timestamp : Tue Oct 1 10:27:34 2013
component - mode : 0
component - running flag : 0
component - stop flag : 0
component - thread stage : 51
component - aggregator ip : 0.0.0.0
component - thread start timestamp : Not applicable
component - latest packet processing timestamp : Not applicable
Num of Sensor_Traffic monitor data processed : 2786
Num of Top_HTF monitor data processed : 3245
Num of Top_Src_Host monitor data processed : 3246
Num of Top_Dst_Host monitor data processed : 0
Num of Top_Hosts monitor data processed : 0
Num of Top_Ext_Hosts monitor data processed : 3246
Num of Zones monitor data processed : 3246
Num of Top_Services monitor data processed : 3246
Num of Top_Applications monitor data processed : 3173
Num of New_Hosts monitor data processed : 3251
Num of New_Services monitor data processed : 3251
Num of New_Apps monitor data processed : 3251
Num of Top_Files monitor data processed : 0
Num of Top_URLs monitor data processed : 2093
Num of Interface_Summary monitor data processed : 3251
show anomaly
Displays statistics of host-level and zone-level anomaly profiles created.
Syntax:
show anomaly
Sample Output:
ntbaSensor@vNTBA> show anomaly
[anomaly info]
[zone anomaly status:]
[0] Zone id: 112, mode: DETECTION
[1] Zone id: 113, mode: DETECTION
[2] Zone id: 109, mode: DETECTION
[Host anomaly status:]
Number of Host Profiles maintained: 869
Number of hosts in DETECTION mode: 486
show antimalware encryption status
Displays encryption status on the antimalware channel.
Syntax:
show antimalware encryption status
Sample Output:
ntbaSensor@vNTBA> show antimalware encryption status
Strong encryption on the antimalware channel.
ntbaSensor@vNTBA> show antimalware encryption status
Weak encryption on the antimalware channel.
Applicable to:
NTBA Appliances
show antimalware scandetails
Displays the antimalware scanning details for IPS Sensors.
Syntax:
show antimalware scandetails
Sample Output:
ntbaSensor@vNTBA> show antimalware scandetails
[Antimalware Scanning details for IPS Sensors]
--------- IPS Sensor [1] ---------------------------------------------
IPS Sensor IP : 172.16.230.36
TotalPktsReceived : 652
TotalPktsSent : 652
LastPktRecvdTime : Thu Sep 12 13:22:52 2013
LastPktSentTime : Thu Sep 12 13:22:52 2013
Successful scan counts : 0
Session Handle Null counts : 0
Internal Error Counts : 0
Unknown command received from IPS : 0
File String NULL : 0
File Data NULL : 0
Unknown File : 0
Out of Order Packets : 0
Scan Failed : 0
Md5 Mismatch : 0
Max Load on Workers : 0
Memory allocation Failure : 0
File Transfer Timeout : 0
New File Count : 0
Shared Memory Allocation Failed Count : 0
Scan Response Sent : 0
Scan Request Received : 0
Scan Requests Timedout : 0
LastKeepAliveRecvdTime : Thu Sep 12 13:22:52 2013
LastKeepAliveSentTime : Thu Sep 12 13:22:52 2013
KeepAliveReceivedCount : 651
KeepAliveSentCount : 651
Md5 of Last File Downloaded From IPS : 86aa4dd53cfeefb17a722485b98b20af
show antimalware status
Displays the anti-malware engine status (initialized or uninitialized), the anti-malware engine and
DAT versions, the last update time, the last update status and its details, the total scan requests
received, the successful scans, and the failure count. It also displays cache statistics for scanned
files: the number of entries in the cache, the hit count (how many times the same file was sent to the
NTBA Appliance), the last access time, and the last update time.
Syntax:
show antimalware status
Sample Output:
ntbaSensor@vNTBA> show antimalware status
[AntiMalware Engine Status]
Current Engine Status : Anti-Malware Engine Initialized
Gateway Antimalware Engine Version : 7001.1302.1842
Gateway Antimalware Dat Version : 3185
Antivirus Dat Version : 7195
Antivirus Engine Version : 5600
[AntiMalware Update Status]
Last Update Time : Thu Sep 12 12:11:49 2014
Last Update Status : Download Updates Success
Last Update Status Details : Success
[AntiMalware Scan Summary]
Total Scan Requests : 10
Total Successful scans : 9
Total Scan Failures : 1
[AntiMalware Cache Stats]
Number of Entries in Cache : 0
Hit Count : 0
Last Access Time :
Last Update Time :
Cache Look up : Enabled
The Current Engine Status might display any of the following statuses depending on the action
performed:
Action                                                             Status Description
Engine will be initialized whenever IPS service is coming up.      Anti-Malware Engine Initializing
If engine fails to initialize                                      NTBA failed to initialize Anti-Malware Engine because
                                                                   Anti-Malware signatures are not available. Please try
                                                                   "download antimalware updates" command.
When successfully initialized                                      Anti-Malware Engine Initialized
NTBA failed to initialize the downloaded anti-malware signatures   NTBA failed to initialize the downloaded Anti-Malware
                                                                   signatures
The following table lists the different statuses that can be displayed by Last Update Status and the
corresponding Last Update Status Details depending on the action:
Last Update Status                        Last Update Status Details
Download Updates Failed                   • Update Request Not Valid
                                          • Request Blocked by Export Compliance
                                          • Protocol Version Not Supported
                                          • Internal Server Error
                                          • No Node Groups Found
Download Updates In Progress              • Sending Update Request
                                          • Parsing Response
                                          • Downloading Dat and Engine Files
                                          • Validating Downloaded Engine
Download Updates Failed                   • Sending Update Request Failed
                                          • Could not get Version
                                          • Get Url List Failed
                                          • Internal Error
                                          • Failed to Download Dat and engine Files
                                          • Validating Downloaded Engine Failed
Download Updates Success                  Nothing To Update
Download Updates Completed                Success
Update Dats In Progress                   Applying Dats and Engine
Update Dats Completed                     Success
Update Dats Failed                        • Internal Error
                                          • Failed to set Configuration Variables
                                          • Failed to set Dat/Engine Version
Setting Configuration Variables
Setting Dat/Engine Version
Copying Downloaded Files to Slot          Copying Downloaded Files to Slot
Copying Downloaded Files to Slot Failed   Copying Downloaded Files to Slot Failed
Removing Old Dats from the slot           Removing Old Dats from the slot
Removing Old Dats from the slot Failed    Removing Old Dats from the slot Failed
Getting current slot                      Getting current slot
Getting current slot Failed               Getting current slot Failed
Setting Last Update Time                  Setting Last Update Time
Setting Update Version                    Setting Update Version
Setting Update Version Failed             Setting Update Version Failed
show backupstats
Displays backup processing status, success/error counters, and current configuration summary.
Syntax:
show backupstats
Sample Output:
ntbaSensor@vNTBA> show backupstats
[BackUp Stats]
Start Time : Fri May 25 10:44:25 2012
Available External Storage : 99 %
Backup Status : OK
Files Consolidated : 1
Files Zipped : 1
Files BackedUp : 1
ConvFiles Dropped : 0
Last Zip Time : Sat May 26 10:16:54 2012
Last Remote Copy Time : Sat May 26 10:17:54 2012
[BackUp Config]
Server :172.16.233.204
Share Path :NTBA-Backup
Protocol :CIFS
Storage Interval:1 Hrs
Storage Limit :99 %
Include L7 data :1
show cachestats
Displays cache statistics for the NetFlow processor.
Syntax:
show cachestats
Sample Output:
ntbaSensor@vNTBA> show cachestats
[Cache Stats Info for NetflowProcessor]
Cache Name : nf_conversation_cache
Node Size : 920
Max Nodes : 2000000
Current Allocs : 2074
Total Allocs : 403094
Total Frees : 401020
Failed Allocs : 0
Max Allocs : 2854
Cache Name : netflow_data_cache
Node Size : 1856
Max Nodes : 600000
Current Allocs : 17302
Total Allocs : 1966740
Total Frees : 1949438
Failed Allocs : 0
Max Allocs : 17303
Cache Name : netflow_src_cache
Node Size : 80
Max Nodes : 5000000
Current Allocs : 2972
Total Allocs : 555853
Total Frees : 552881
Failed Allocs : 0
Max Allocs : 3901
Cache Name : netflow_pkt_cache
Node Size : 1552
Max Nodes : 524288
Current Allocs : 0
Total Allocs : 1060375
Total Frees : 1060375
Failed Allocs : 0
Max Allocs : 240
Cache Name : db_update_cache
Node Size : 8884936
Max Nodes : 65
Current Allocs : 1
Total Allocs : 14135
Total Frees : 14134
Failed Allocs : 0
Max Allocs : 6
Cache Name : traffic_summary_cache
Node Size : 160
Max Nodes : 1700000
Current Allocs : 1948
Total Allocs : 163662
Total Frees : 161714
Failed Allocs : 0
Max Allocs : 16415
[Cache Stats Info for EIS]
Cache Name : nia_sock_cache
Node Size : 112
Max Nodes : 50000
Current Allocs : 31
Total Allocs : 10572
Total Frees : 10541
Failed Allocs : 0
Max Allocs : 35
Cache Name : nia_pkt_cache
Node Size : 3016
Max Nodes : 500000
Current Allocs : 30834
Total Allocs : 74565540
Total Frees : 74534706
Failed Allocs : 0
Max Allocs : 30835
Cache Name : nia_metadata_cache
Node Size : 5720
Max Nodes : 500000
Current Allocs : 3262
Total Allocs : 270668
Total Frees : 267406
Failed Allocs : 0
Max Allocs : 3263
Cache Name : wb_entry
Node Size : 20
Max Nodes : 100000
Current Allocs : 0
Total Allocs : 0
Total Frees : 0
Failed Allocs : 0
Max Allocs : 0
show dbstats
Displays statistics of the database such as its status, disk size, total records and so on.
Syntax:
show dbstats
Sample Output:
ntbaSensor@vNTBA> show dbstats
[Database information]
Database status : Up
Database uptime : 7 days 19 hrs 37 min 25 secs
Total records inserted into database : 0
Average records per second : 0
Average data log files per second : 0
Database growth rate: 2%
Netflow database disk ratio: 30%
Forensic database disk ratio: 70%
Netflow database disk size : 75594.02M
Forensic database disk size : 176386.05M
Netflow database size: 147.3G
Forensic database size: 6.9M
show disk-usage
Displays disk usage per partition for all disk drives. This is equivalent to the df -h command in Linux.
Syntax:
show disk-usage
Sample Output:
show endpointintelligence details
Displays the number of executables processed after reboot, network connection summary, blacklist
and whitelist update details, EIA alert details, and packet processing statistics.
Syntax:
show endpointintelligence details
Sample Output:
ntbaSensor@vNTBA> show endpointintelligence details
[Endpoint Intelligence demo]
Endpoint Intelligence demo mode : Disabled
[Endpoint executables since reboot]
Total executables : 52
Total high and very high malware confidence executables : Programs: 0
Total medium malware confidence executables : Programs: 0
Total auto-classified white executables : 40
Total auto-classified black executables : 0
Total unclassified executables : 15
[Network connections summary]
Total connections by all endpoints : 16201
Total connections by blacklisted executables : 17
Total connections by unclassified executables : 127
Total connections by whitelisted executables : 14751
Total connections by high & very high malware confidence executables: 10
Total connections by medium malware confidence executables : 0
Total connections by low & very low malware confidence executables : 15166
Total connections by unknown malware confidence executables : 135
Total connections by cert whitelisted executables : 16
Total connections by GTI whitelisted executables : 3319
Total connections by GTI blacklisted executables : 0
Total connections by Raptor blacklisted executables : 5
[Whitelist and Blacklist]
Last Whitelist and Blacklist update time :
Total user blacklisted executables : 10
Total user whitelisted executables : 0
GTI whitelisted executable events to NSM : 0
GTI blacklisted executable events to NSM : 0
Cert whitelisted executable events to NSM : 0
[Endpoint Intelligence alerts]
Alert throttling interval (in days) : 0
Total alerts : 33
Very High confidence malicious data file alerts : 0
Very High confidence malware alerts : 16
High confidence malware alerts : 0
Medium confidence malware alerts : 0
Blacklisted executable alerts : 17
Unclassified executable alerts : 0
Whitelisted executable alerts : 0
Throttled Alerts : 0
Alerts dropped due to high-load : 0
[Packet processing stats]
Total packets received : 178
Total packets sent : 2
Total metadata flows : 177
Total Sysinfo packets received : 1
Total keepalives received : 2
Total keepalives sent : 2
Total malformed packets : 0
Total unsupported packets : 0
Total packet send failures due to session not available : 0
Total connections : 1
Total active connections : 1
Total connection timeouts : 0
Total sessions : 1
Total session failures : 0
Total session failures due to timeouts : 0
show endpointintelligence summary
Displays summarized data for active endpoint connections, connectivity status of ePO, and certificate
status.
Syntax:
show endpointintelligence summary
Sample Output:
ntbaSensor@vNTBA> show endpointintelligence summary
[Endpoint Configuration and Status]
Endpoint Intelligence Service : Running
ePO Server IP : 172.16.233.6
Last ePO connection attempt : 2013-09-24 14:17:59
Last ePO connection status : Success
ePO certificate : Downloaded at 2013-09-24 14:17:59
Alert throttling : Enabled
GTI file reputation server : Not reachable
[Endpoint connections]
Total active endpoint connections : 22
Total packets received : 16884
Field: Endpoint Intelligence Service
Values:
• Running
• Not Running
• Stopped
• Disabled
Field: Last ePO connection status
Values: Success or Failed
Field: Alert throttling
Values: Enabled or Disabled
Field: GTI file reputation server
Values: Reachable or Not reachable
Field: ePO certificate
Values:
• If the ePO certificate is available, it is displayed as Downloaded along with the time it was downloaded
• If the ePO certificate is not available, it is displayed as Failed along with the reason for the failure within parentheses
show exporters
This command displays exporter details like IP address, type, and interface count.
Syntax:
show exporters
Sample Output:
ntbaSensor@NTBA_210> show exporters
[Exporter details]
------------------
Exporter name : M-2750-254
Exporter type : IPS sensor
Exporter IP : 10.1.1.10
Packets received : 210706
Last packet received time: 2014-11-04 12:48:41
Flow data records : 421412
Template records : 4458
Interface count : 2
show fingerprinting stats
Shows statistics related to active device profiling. The statistics are collected or reset once the Device
Profiler service is started or stopped.
Syntax:
show fingerprinting stats
The fingerprinting statistics include:
• Fingerprinting Service Enabled: Describes whether the user has enabled or disabled the service. Values are "Yes" or "No".
• Service Start Time: Indicates when the service should be started.
• Schedule Type: Indicates whether the schedule was configured by the user or by NTBA.
• Next Scan Schedule: Shows the next scheduled scan time.
• Total Results Sent to Manager: The number of device profile results sent to the Manager through the alert channel.
• Total Current Running Scan Count: The number of scans currently in progress.
• Total number of Hosts Scanned: The number of hosts scanned whose results are stored in the database.
• Total Scan Failures: The number of scan failures.
• Total Passive Info Host Count Received From Manager: The number of hosts the Manager sent as the preferred list of IP addresses to be scanned.
• Total Number of Hosts Excluded From Scan: The total number of hosts excluded from scanning.
• Total Internal Host: The total number of hosts to be considered for scanning.
• Total Active FP Host: The total number of hosts for which active scan results are available in the database.
• Total Host with no FP: The total number of hosts for which active scan results are not available in the database.
[Last Scan Run Details]
• Last Scan Time: Indicates the time of the last scan.
• Total Number of Hosts Scanned: The total number of hosts scanned.
• Total Number of Hosts UP: The total number of hosts that are up.
• Total Number of Hosts DOWN: The total number of hosts that are down.
• Total Results sent to Manager: The total number of results sent to the Manager.
Sample Output:
ntbaSensor@vNTBA> show fingerprinting stats
[Host FingerPrinting Stats]
[ Note: All Stats Will be Reset Once Host FingerPrinting Service Restarts ]
FingerPrinting Service Enabled : NO
Service Start Time : 2014-03-28 06:57 UTC
Schedule Type : 0
Next Scan Schedule : 0
Total Alerts Sent to NSM : 20
Total Current Running Scan Count : 3000
Total Number of Hosts Scanned : 400000
Total Scan Failures : 10
Total Passive Info Host Count Received From NSM : 0
[ Last Scan Run Details ]
Last Scan Time : 2014-03-28 10:57 UTC
Total Number of Hosts Scanned : 2000
Total Number of Hosts UP : 164
Total Number of Hosts DOWN : 20
Total Results Sent to NSM : 140
show forensic-db details
Displays basic forensic data collection information like data and profile collection time, and context
details.
Syntax:
show forensic-db details
Sample Output:
[Forensic database details]
Forensic status : Enabled
Context data collection interval : Before attack: 20 mins | After attack: 20 mins
Alert source : Network Security Sensor & NTBA
Last context data collection time : 2014-07-31 03:41:00
Last service profile collection time : 2014-07-31 04:01:00
Last executable profile collection time : 2014-07-31 04:01:00
IPS alert rate per second : 0 for the last 10 minutes
NTBA alert rate per second : 0 for the last 10 minutes
Average context records per alert : 9.00 for the last 10 minutes
Attack context stored in database for : Last 2 days
show flowforwardinfo
Displays flow forwarding configurations.
Syntax:
show flowforwardinfo
Sample Output:
ntbaSensor@vNTBA> show flowforwardinfo
[flow forward Info]
Flow forward IP : 1.1.1.8
Flow forward Port : 2565
Flow forwarding mode : BLIND
show host-vlan
Shows whether host-vlan is enabled or disabled.
This command has no parameters.
Syntax:
show host-vlan
Sample Output:
ntbaSensor@vNTBA> show host_vlan
[HOST VLAN settings]
HOST VLAN : enabled
Applicable to:
M-series and NS-series, and NTBA Appliances.
See also
host-vlan on page 48
set htf delta-period on page 285
show htf
Displays the htf configuration of delta period, learning period, max deltas, and htf filter.
Syntax:
show htf
Sample Output:
ntbaSensor@vNTBA> show htf
[HTF settings]
HTF delta period : 180 minutes
HTF Filter IP List :
show intfport
Shows the status of the specified Sensor port. Specifying a non-existent port results in an error; for example, specifying port 3B on an I-4000 causes the command to fail. Capitalize the port letter when typing the command; for example, 1a is treated as an invalid command.
Syntax:
show intfport <port>
Parameter Description
<port>: Sets the port for which the status is to be displayed.
• Valid port numbers for M-series are: 1A | 1B | 2A | 2B | 3A | 3B | 4A | 4B | 5A | 5B | 6A | 6B | 7A | 7B | 8A | 8B | WORD | all
• Valid port numbers for NS-series are: G0/1 | G0/2 | G1/1 | G1/2 | G1/3 | G1/4 | G1/5 | G1/6 | G1/7 | G1/8 | G1/9 | G1/10 | G1/11 | G1/12 | G2/1 | G2/2 | G2/3 | G2/4 | G2/5 | G2/6 | G2/7 | G2/8 | G2/9 | G2/10 | G2/11 | G2/12 | G3/1 | G3/2 | G3/3 | G3/4 | G3/5 | G3/6 | G3/7 | G3/8 | WORD | all
Information displayed by the show intfport command includes:
• Whether the port's administrative status is enabled or disabled
• The Sensor's operational status
• The Sensor's operating mode
• Whether full duplex mode is enabled
• The port's configured traffic direction (inside or outside)
• The speed of the 10/100 ports, if applicable
• The speed of the Gigabit ports, if applicable
• The peer port's supported link modes
• The peer port's negotiated duplex and speed
• The auto-negotiation configuration (I-2700 Sensors only)
• Total packets received
• Total packets sent
• Total CRC errors received
• Total CRC errors sent
• Whether or not flow control is on (this applies only to Sensor gigabit ports)
Sample Output:
• For Sensors, the output is as shown
intruShell@john> show intfport 2A
Displaying port 2A
Administrative Status : ENABLED
Operational Status : UP
Operating Mode : INLINE_FAIL_CLOSED
Duplex : FULL
Port Connected to : OUTSIDE
Port Speed : 1 GBPS-AUTONEG
Peer port
supported link modes :
10baseT/Half 10baseT/Full
100baseT/Half 100baseT/Full
1000baseT/Half 1000baseT/Full
Actual negotiated Duplex: FULL
Actual negotiated Speed : 1 GBPS
Additional Porttype Info:
Total Packets Received : 403
Total Packets Sent : 24130
Total CRC Errors Rcvd : 0
Total Other Errors Rcvd : 0
Total CRC Errors Sent : 0
Total Other Errors Sent : 0
Flow Control Status : OFF
• For NTBA, the output is as shown
ntbaSensor@NTBA_210> show intfport 1
Administrative status : Enabled
Link status : Up
Port speed : Auto, 1000 Mbps
Duplex : Auto, Full
Total packets received : 27416335
Total packets sent : 291
Total CRC errors received : 0
Total other errors received : 0
Total CRC errors sent : 0
Total other errors sent : 0
IP Address : 17.68.26.27
MAC Address : 00:1B:21:44:77:48
Mapped to ethernet port : eth2
Applicable to: M-series, NS-series, Virtual IPS Sensors, and NTBA Appliances. The command does
not apply to Virtual Security System instances; use the show ingress-egress stat command
instead.
show gam engine stats
Syntax:
show gam engine stats
Sample Output:
Local GAM Engine Statistics:
---------------------------
Engine Status: Initialized
Gateway Anti-Malware Engine Version: 7001.1302.1842
Gateway Anti-Malware DAT Version: 3186
Anti-Malware Engine Version: 5600
Anti-virus DAT Version: 7612
Last Update time: 11/5/2014 - 8:16:49 UTC
Last Successful Update time: 11/5/2014 - 8:16:49 UTC
Total number of Scan Threads: 5
Total Full update success count: 0
Total Full update failure count: 0
Total Incr update success count: 0
Total Incr update failure count: 0
Total NSM Full update success count: 0
Total NSM Full update failure count: 0
Total config issue update failure count: 0
(config issue - Trust/DNS/Proxy config issues)
show gam scan stats
Syntax:
show gam scan stats
Sample Output:
Local GAM Scan Statistics:
-------------------------
Total scan requested: 2
Total scan submitted to GAM: 2
Total Successful Scans: 2
Total Scan Failures: 0
Total scan misc error count: 0
Total scan req skipped due to filesize mismatch: 0
Total scan req skipped due to timeout in Queue : 0
show l7dcapstats
Displays statistics for Layer 7 captured data.
Syntax:
show l7dcapstats
Sample Output:
ntbaSensor@Demo-NTBA> show l7dcapstats
[Layer7 Data Capture Statistics]
------------------------------
Total Dcap HTTP URI Count : 66709
Total Dcap HTTP Domain Name Count : 65588
Total Dcap AttackId Count : 19
Total Dcap AppId Count : 158018
Total Forensics Attack Id Count : 7113
Total Forensics Victim Direction Count : 7113
Total File Type : 31416
Total File Hash : 31416
show mem-usage
This command displays the system memory usage details of the device.
This command has no parameters.
Syntax:
show mem-usage
The show mem-usage command also gives the average percentage usage (Avg.) and the maximum
percentage usage (Max.) of these entities on all the processing elements.
The L7Dcap counter descriptions are as follows:
• Avg. Used L7 Dcap Alert Buffers across all PEs: Average percentage of L7Dcap buffers used from the total buffers across all the Processing Engines in the Sensor
• Max. Used L7 Dcap Alert Buffers on a single PE: Percentage of L7Dcap buffers used from the maximum buffers that a single Processing Engine manages
• Avg. Used L7 Dcap flows across all PEs: Average percentage of L7Dcap flows used from the value configured in the Manager across all the Processing Engines in the Sensor
• Max. Used L7 Dcap flows on a single PE: Percentage of L7Dcap flows used from the maximum value that a single Processing Engine manages
Sample Output:
• For Sensors, the output is as shown
Avg. Used TCP and UDP Flows across all PEs : 0%
Max. Used TCP and UDP Flows on a single PE : 0%
Avg. Used Fragmented IP Flows across all PEs : 0%
Max. Used Fragmented IP Flows on a single PE : 0%
Avg. Used ICMP Flows across all PEs : 0%
Max. Used ICMP Flows on a single PE : 0%
Avg. Used SSL Flows across all PEs : 0%
Max. Used SSL Flows on a single PE : 0%
Avg. Used Fragment Reassembly Buffers across all PEs : 0%
Max. Used Fragment Reassembly Buffers on a single PE : 0%
Avg. Used Packet Buffers across all PEs : 0%
Max. Used Packet Buffers on a single PE : 0%
Avg. Used Attack Marker Nodes across all PEs : 0%
Max. Used Attack Marker Nodes on a single PE : 0%
Avg. Used Shell Marker Nodes across all PEs : 0%
Max. Used Shell Marker Nodes on a single PE : 0%
Avg. Used L7 Dcap Alert Buffers across all PEs : 0%
Max. Used L7 Dcap Alert Buffers on a single PE : 0%
Avg. Used L7 Dcap flows across all PEs : 0%
Max. Used L7 Dcap flows on a single PE : 0%
Avg Attacks received across all PEs : 0%
• For an NTBA Appliance, the output is as shown
ntbaSensor@vNTBA> show mem-usage
total used free shared buffers cached
Mem: 12046 727 11319 0 18 476
Swap: 11727 0 11727
Total: 23774 727 23047
Applicable to:
M-series and NS-series, and NTBA Appliances.
show mgmtport
Shows all the current configuration settings for the Sensor Management port.
This command has no parameters.
Syntax:
show mgmtport
Information displayed by the show mgmtport command includes:
• The Sensor's Management port value (1000Mbps, 100Mbps, 10Mbps, or auto-negotiate)
• The Sensor's Management port link status (the speed the two devices settled upon, typically the highest common setting)
• What mode has been settled upon
• The link status
• The capabilities of the Management port (possible values are: 1000baseTx-FD, 100baseTx-FD, 100baseTx-HD, 10base-T-FD, 10base-T-HD)
• What the Management port is advertising its capabilities as (possible values are: 1000baseTx-FD, 100baseTx-FD, 100baseTx-HD, 10base-T-FD, 10base-T-HD)
• The characteristics of its link partner (possible values are: 1000baseTx-FD, 100baseTx-FD, 100baseTx-HD, 10base-T-FD, 10base-T-HD)
Sample Output:
• For Sensor, the output is as shown
intruShell@john> show mgmtport
MGMT Ethernet port : auto negotiated
Settings for MGMT port :
Supported link modes: 10baseT/Half 10baseT/Full
100baseT/Half 100baseT/Full
1000baseT/Half 1000baseT/Full
Advertised link modes: 10baseT/Half 10baseT/Full
100baseT/Half 100baseT/Full
1000baseT/Half 1000baseT/Full
Advertised auto-negotiation: Yes
Speed: 100Mb/s
Duplex: Full
Auto-negotiation: on
Wake-on: d
Link detected: yes
eth0 Link encap:Ethernet HWaddr 00:06:92:2B:69:40
inet addr:10.213.174.202 Bcast:10.213.174.255 Mask:255.255.255.0
inet6 addr: fe80::206:92ff:fe2b:6940/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:3072499 errors:0 dropped:0 overruns:0 frame:0
TX packets:333882 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:255473849 (243.6 Mb) TX bytes:38758684 (36.9 Mb)
Interrupt:24
• For NTBA, the output is as shown
ntbaSensor@NTBA_210> show mgmtport
Link status : Up
Port speed : Auto, 1000 Mbps
Duplex : Auto, Full
Total packets received : 15176
Total packets sent : 14356
Total CRC errors received : 0
Total other errors received : 0
Total CRC errors sent : 0
Total other errors sent : 0
IP Address : 10.213.171.210
MAC Address : 00:24:E8:46:46:D6
Mapped to ethernet port : eth4
Applicable to:
M-series and NS-series, and NTBA Appliances.
See also
set mgmtport auto on page 76
set mgmtport speed and duplex on page 77
show netstat
This command displays the management port netstat output.
This command has no parameters.
Syntax:
show netstat
Sample Output:
• For Sensor, the output is as shown:
Figure 4-1 show netstat command output for Sensors
• For an NTBA Appliance, the output is as shown:
Figure 4-2 show netstat command output for NTBA
Applicable to:
M-series and NS-series, and NTBA Appliances.
show nfcstats
Displays the flow collector statistics. Check the output to verify if the packets are being processed
correctly by NTBA.
Syntax:
show nfcstats
Sample Output:
ntbaSensor@vNTBA> show nfcstats
[Netflow-Collector Statistics]
-------------------------------
Total packets received : 1047496
Total flow data records received : 2291170
Total v10 flow data records : 20000
Total v9 flow data records : 2091170
Total v5 flow data records : 0
IPS flow data records : 2091170
Total Templates : 2467
V10 Templates : 2000
IPS templates : 467
Total TCP conversations : 240259
Total UDP conversations : 86656
Total ICMP conversations : 74702
Total L7 URL count : 20842
Total L7 FILE count : 12
Internal Hosts : 823
[Netflow Processing Stats]
Duplicate flow data records : 0
Flows excluded by User Config : 0
L7 data excluded by User Config : 0
Flows getting processed : 2824
Flows processed in last minute : 3107
Coalesced Conversations count : 318593
Template Cache : 1
Throttled flow data records : 0
Write index : 0
Remove index : 0
Nba read index : 0
Recon read index : 0
Htf read index : 0
Anomaly read index : 0
[Packet Parsing and Preprocessing Errors]
Erroneous flow data records : 0
Pkts from unconfigured exporter : 0
Pkts with invalid netflow version : 0
Pkts with IP version other than 4 : 0
Unidirectional flow in ips pkt : 760371
Needs dedup count : 0
Update nxthop failed : 0
Functional buf insert failed : 0
Invalid L7 data length : 0
Invalid templates : 0
Flows ignored after max host limit : 0
Flows ignored for not-enough memory : 0
Flows ignored for external traffic : 187
Flows ignored for non-match template: 1444
Misc preprocessing error : 0
[Netflow-Collector Incoming Load Stats]
Last netflow seen time : Mon Sep 30 04:41:42 2013
Incoming flows per sec for last 10 minutes : 7
Incoming flows for last 10 minutes :
Flows for last 0 - 1 minute : 4432
Flows for last 1 - 2 minute : 0
Flows for last 2 - 3 minute : 0
Flows for last 3 - 4 minute : 0
Flows for last 4 - 5 minute : 0
Flows for last 5 - 6 minute : 0
Flows for last 6 - 7 minute : 0
Flows for last 7 - 8 minute : 0
Flows for last 8 - 9 minute : 0
Flows for last 9 -10 minute : 0
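The guide says to check this output to verify that NTBA is processing packets correctly, but it does not say how to do that at scale. The following is an added example, not code from the guide or from McAfee: it parses the bracketed "[Section]" / "Counter : value" layout shown above into a dictionary, lists the non-zero counters in the error section, and applies two checks a defender would schedule: a constructed watch list of error counters that point at a data-source or configuration problem (an exporter NTBA does not know about, unparseable NetFlow, templates that do not match), and a liveness check that fires when the collector has seen packets before but no flows arrived in the last 10 minutes. The sample input is a trimmed copy of the output printed above; the watch list and section names are assumptions taken from that output.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample input: a trimmed copy of the "show nfcstats" output
# printed in this guide (not live appliance data).
SAMPLE_NFCSTATS = """\
ntbaSensor@vNTBA> show nfcstats
[Netflow-Collector Statistics]
-------------------------------
Total packets received : 1047496
Total flow data records received : 2291170
Total Templates : 2467
Internal Hosts : 823
[Netflow Processing Stats]
Duplicate flow data records : 0
Throttled flow data records : 0
Flows processed in last minute : 3107
[Packet Parsing and Preprocessing Errors]
Erroneous flow data records : 0
Pkts from unconfigured exporter : 0
Pkts with invalid netflow version : 0
Unidirectional flow in ips pkt : 760371
Invalid templates : 0
Flows ignored for external traffic : 187
Flows ignored for non-match template: 1444
Misc preprocessing error : 0
[Netflow-Collector Incoming Load Stats]
Last netflow seen time : Mon Sep 30 04:41:42 2013
Incoming flows per sec for last 10 minutes : 7
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")
KV_RE = re.compile(r"^(?P<key>[^:]+?)\s*:\s*(?P<value>.*)$")

ERROR_SECTION = "Packet Parsing and Preprocessing Errors"
LOAD_SECTION = "Netflow-Collector Incoming Load Stats"
STATS_SECTION = "Netflow-Collector Statistics"

# Constructed watch list (assumption): counters that indicate a data-source or
# configuration problem when non-zero. Which of the other counters matter is
# a per-deployment judgement.
WATCH = (
    "Pkts from unconfigured exporter",
    "Pkts with invalid netflow version",
    "Invalid templates",
    "Erroneous flow data records",
    "Misc preprocessing error",
    "Flows ignored for non-match template",
)


def parse_sections(text: str) -> Dict[str, Dict[str, str]]:
    """Split '[Section]' blocks into {section: {counter: value string}}.
    The prompt line, '----' separators and lines without a colon are skipped."""
    sections: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = {}
            continue
        m = KV_RE.match(line)
        if m and current is not None:
            sections[current][m.group("key").strip()] = m.group("value").strip()
    return sections


def as_int(value: Optional[str]) -> Optional[int]:
    """Counters are plain integers; timestamps and empty values give None."""
    return int(value) if value is not None and value.isdigit() else None


def nonzero_error_counters(sections: Dict[str, Dict[str, str]]) -> List[Tuple[str, int]]:
    """Every non-zero counter in the error section, in display order."""
    out: List[Tuple[str, int]] = []
    for name, value in sections.get(ERROR_SECTION, {}).items():
        n = as_int(value)
        if n:
            out.append((name, n))
    return out


def watch_findings(sections: Dict[str, Dict[str, str]]) -> List[str]:
    """Only the watch-listed counters, formatted for a log line or ticket."""
    errors = sections.get(ERROR_SECTION, {})
    return [f"{name} = {errors[name]}" for name in WATCH if as_int(errors.get(name))]


def collector_idle(sections: Dict[str, Dict[str, str]]) -> bool:
    """True when the collector received packets in the past but no flows in the
    last 10 minutes: exporters stopped sending or the path to them changed."""
    stats = sections.get(STATS_SECTION, {})
    load = sections.get(LOAD_SECTION, {})
    seen_before = (as_int(stats.get("Total packets received")) or 0) > 0
    rate = as_int(load.get("Incoming flows per sec for last 10 minutes")) or 0
    return seen_before and rate == 0


if __name__ == "__main__":
    parsed = parse_sections(SAMPLE_NFCSTATS)
    for finding in watch_findings(parsed):
        print("WATCH:", finding)
    print("collector idle:", collector_idle(parsed))
```

On the sample above, the only watch-listed counter that is non-zero is the template mismatch (1444 flows ignored), while the larger "Unidirectional flow in ips pkt" count is reported by nonzero_error_counters but not treated as a finding, since the guide does not say it is an error condition. Feed the function the text captured from the CLI session (for example, over SSH) and diff two snapshots to see which counters are still moving.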
show pktrecvstats
Displays the statistics of the packets received by NTBA.
Syntax:
show pktrecvstats
Sample Output:
ntbaSensor@vNTBA> show pktrecvstats
[Pktrecv Info]
Start Time : Sat Sep 21 14:25:43 2013
Last Packet Recv Time : Never
Packets observed : 0
Packets Read : 0
Pktrecv socket mode : 0
Number of Restarts : 0
Netflow Listen Port : 9996
Thread status : PROCESSING_PKT
show route
This command is used to show routes configured in the NTBA Appliance using Manager interface.
Syntax:
show route
Sample Output:
ntbaSensor@vNTBA> show route
network 10.10.210.0 netmask 255.255.255.0 gateway 192.168.0.251 port 1
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.213.173.0 0.0.0.0 255.255.255.0 U 0 0 0 mgmt
10.10.210.0 0.0.0.0 255.255.255.0 U 0 0 0 4
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 mgmt
22.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 2
0.0.0.0 10.213.173.252 0.0.0.0 UG 0 0 0 mgmt
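The output above mixes a Manager-configured route line with the kernel routing table, and a change in either (a new default gateway, a gatewayed route through a next hop nobody configured) is something to notice on a monitoring appliance. The following is an added example, not code from the guide or from McAfee: it parses both parts of the output shown above, returns the default route, and flags gatewayed routes whose next hop is not on an operator-supplied allow-list or whose default route does not leave through the management interface. The sample input is the output printed above; the allow-list, the interface name "mgmt" and the column names are assumptions taken from that output.

```python
from typing import Dict, List, Optional, Set

# Constructed sample input: the "show route" output printed in this guide
# (Manager-configured route line, then the kernel routing table).
SAMPLE_ROUTE = """\
ntbaSensor@vNTBA> show route
network 10.10.210.0 netmask 255.255.255.0 gateway 192.168.0.251 port 1
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.213.173.0 0.0.0.0 255.255.255.0 U 0 0 0 mgmt
10.10.210.0 0.0.0.0 255.255.255.0 U 0 0 0 4
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 mgmt
22.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 2
0.0.0.0 10.213.173.252 0.0.0.0 UG 0 0 0 mgmt
"""

# Column names as printed in the kernel table header above (assumption).
COLUMNS = ["Destination", "Gateway", "Genmask", "Flags", "Metric", "Ref", "Use", "Iface"]


def parse_configured_routes(text: str) -> List[Dict[str, str]]:
    """The 'network X netmask Y gateway Z port N' lines set through the Manager."""
    routes: List[Dict[str, str]] = []
    for line in text.splitlines():
        p = line.split()
        if len(p) == 8 and p[0::2] == ["network", "netmask", "gateway", "port"]:
            routes.append({"network": p[1], "netmask": p[3], "gateway": p[5], "port": p[7]})
    return routes


def parse_kernel_routes(text: str) -> List[Dict[str, str]]:
    """Rows of the kernel table; parsing starts after the column header line,
    so the prompt and the Manager route line are never mistaken for rows."""
    rows: List[Dict[str, str]] = []
    in_table = False
    for line in text.splitlines():
        p = line.split()
        if p[:1] == ["Destination"]:
            in_table = True
            continue
        if in_table and len(p) == len(COLUMNS):
            rows.append(dict(zip(COLUMNS, p)))
    return rows


def default_route(rows: List[Dict[str, str]]) -> Optional[Dict[str, str]]:
    """The 0.0.0.0 route with the gateway flag set, or None if there is none."""
    for r in rows:
        if r["Destination"] == "0.0.0.0" and "G" in r["Flags"]:
            return r
    return None


def gateway_findings(rows: List[Dict[str, str]], allowed_gateways: Set[str],
                     mgmt_iface: str = "mgmt") -> List[str]:
    """Flag gatewayed routes through an unexpected next hop, a missing default
    route, and a default route that does not leave via the management interface.
    The allow-list and interface name are operator inputs (constructed here)."""
    findings: List[str] = []
    for r in rows:
        if "G" in r["Flags"] and r["Gateway"] not in allowed_gateways:
            findings.append(f"route {r['Destination']}/{r['Genmask']} via unexpected "
                            f"gateway {r['Gateway']} ({r['Iface']})")
    d = default_route(rows)
    if d is None:
        findings.append("no default route")
    elif d["Iface"] != mgmt_iface:
        findings.append(f"default route leaves via {d['Iface']}, not {mgmt_iface}")
    return findings


if __name__ == "__main__":
    kernel = parse_kernel_routes(SAMPLE_ROUTE)
    print("configured via Manager:", parse_configured_routes(SAMPLE_ROUTE))
    print("default route:", default_route(kernel))
    print("findings:", gateway_findings(kernel, {"10.213.173.252"}))
```

Store the parsed rows from a known-good session and compare later captures against them; a diff of the row list is a cheap way to catch a routing change on the appliance that was not made through the Manager.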
show store-url-type
This command displays the current settings of the URL. The setting can be either ONLY-DOMAIN or
FULL-URL.
Syntax:
show store-url-type
Sample Output:
ntbaSensor@vNTBA> show store-url-type
[store url type]
Url Store Type : ONLY-DOMAIN
show tsstats
Displays statistics for GTI-related lookups.
Syntax:
show tsstats
Sample Output:
ntbaSensor@vNTBA> show tsstats
[Trusted-Source Stats]
Trusted Source Activate Failed : 0
Trusted Source NetConfigInternal Failed : 0
Trusted Source NetConfigSetting Failed : 0
Trusted Source NetLookup Failed : 0
Trusted Source DB Download Failed : 0
Trusted Source DB Load Failed : 0
Trusted Source Create Attribute Failed count : 0
Trusted Source Create Url Failed count : 0
Trusted Source Ip Cache Insert Failed count : 2559
Trusted Source Parse Url Failed count : 0
Trusted Source Create Category Failed count : 0
Trusted Source Remove Category Failed count : 0
Trusted Source Category to Array Failed count : 0
Trusted Source Category to String Failed count : 0
Trusted Source Rate Ip Failed count : 23046
Trusted Source Rate Url Failed count : 6
Trusted Source NTBA DB Ip Updates Failed count : 0
Trusted Source NTBA DB Url Failed count : 2939
Trusted Source Conversation Drop count : 5188
Trusted Source Urls Drop count : 12157
Trusted Source Conversation Send Drop count : 0
Trusted Source Urls Send Drop count : 0
Trusted Source Number of Ip's Updated : 56848
Trusted Source Number of Ips Loaded from File : 0
Trusted Source Number of Entries in Cache : 2025
Trusted Source Lookup drops due to configuration : 732359
Trusted Source Total Conv Request Count : 30894
Trusted Source Successful Connection Lookup count : 0
Trusted Source Total Url Request Count : 19313
Trusted Source Successful Url Lookup count : 7144
Trusted Source Conversation Cachehit Count : 121992
Trusted Source Conversation Cache Busy Count : 28
Trusted Source Rate cache Lookup Time : 0
Time Of Day In Seconds : 1380516471
shutdown
Halts the Sensor so you can turn it off. You can turn off the Sensor manually after a minute (for
example, unplug the I-4010). The Sensor does not turn off automatically. You must confirm that you
want to shut down the Sensor.
This command has no parameters.
Syntax:
shutdown
Applicable to:
M-series and NS-series, and NTBA Appliances.
See also
reboot on page 59
status
Shows Sensor system status, such as System Health, Manager communication, signature set details,
total number of alerts detected, and total number of alerts sent to the Manager.
This command has no parameters.
Syntax:
status
Sample Output:
For Sensor, the output is as shown:
intruShell@john> status
[Sensor]
System Initialized : yes
System Health Status : good
Layer 2 Status : normal (IDS/IPS)
Installation Status : complete
IPv6 Status : Parse and Detect Attacks
Reboot Status : Not Required
Guest Portal Status : up
Hitless Reboot : Not-Available
Last Reboot reason : reboot issued from CLI
[Signature Status]
Present : yes
Version : 8.6.0.6
Power up signature : good
Geo Location database : Present
DAT file : Present
Version : 318.0
[Manager Communications]
Trust Established : yes (RSA 1024-bit or 2048-bit)
Alert Channel : up
Log Channel : up
Authentication Channel : up
Last Error : None
Alerts Sent : 961
Logs Sent : 974
[Alerts Detected]
Signature : 4246 Alerts Suppressed : 3483
Scan : 0 Denial of Service : 2
Malware : 0
[McAfee NTBA Communication]
Status : up
IP : 10.213.174.132
Port : 8505
[McAfee MATD Communication]
Status : up
IP : 10.213.174.134
Port : 8506
The same status output also appears on an NTBA Appliance.
If trust cannot be established between the Sensor and the Manager because the shared secret keys do not match, Last Error displays the message Alert Channel - Install Keys Mismatch. In that case, check the shared secret key on the Manager and set the same key on the Sensor using the set sensor sharedsecretkey command.
Applicable to:
M-series and NS-series, and NTBA Appliances.
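The status output is where a broken Sensor-to-Manager trust relationship shows up first (Trust Established, the three channels, and the Last Error line the guide describes). The following is an added example, not code from the guide or from McAfee: it checks a captured status output against the healthy values shown above, reports every line that deviates, and maps the one failure the guide documents (the key mismatch message) to the documented fix. The sample is constructed from the output above with the trust lines changed to that failure; the expected-value table is an assumption taken from the healthy sample.

```python
import re
from typing import Dict, List

# Constructed sample modeled on the "status" output in this guide, with the
# trust-related lines altered to the shared-secret mismatch the text describes.
# It is not a capture from a real Sensor.
SAMPLE_STATUS = """\
intruShell@john> status
[Sensor]
System Initialized : yes
System Health Status : good
Layer 2 Status : normal (IDS/IPS)
Reboot Status : Not Required
[Signature Status]
Present : yes
Version : 8.6.0.6
[Manager Communications]
Trust Established : no
Alert Channel : down
Log Channel : up
Authentication Channel : up
Last Error : Alert Channel - Install Keys Mismatch
Alerts Sent : 961
"""

# Healthy values taken from the guide's sample (assumption). A value passes
# when the printed line starts with it, so "yes (RSA 1024-bit or 2048-bit)"
# still matches "yes".
EXPECTED: Dict[str, str] = {
    "System Initialized": "yes",
    "System Health Status": "good",
    "Reboot Status": "Not Required",
    "Present": "yes",
    "Trust Established": "yes",
    "Alert Channel": "up",
    "Log Channel": "up",
    "Authentication Channel": "up",
}


def field(text: str, name: str) -> str:
    """Value printed after '<name> :' on its own line, or '' when absent.
    Anchoring at line start keeps 'Alert Channel' from matching inside the
    'Last Error : Alert Channel - ...' line."""
    m = re.search(rf"^\s*{re.escape(name)}\s*:\s*(.*?)\s*$", text, re.MULTILINE)
    return m.group(1) if m else ""


def status_findings(text: str) -> List[str]:
    """Every expected field that is missing or not in its healthy state,
    plus the Last Error line when it is anything other than None."""
    findings: List[str] = []
    for name, want in EXPECTED.items():
        got = field(text, name)
        if not got.lower().startswith(want.lower()):
            findings.append(f"{name}: expected '{want}', got '{got or '<missing>'}'")
    last_error = field(text, "Last Error")
    if last_error and last_error != "None":
        findings.append(f"Last Error: {last_error}")
    return findings


def remediation(findings: List[str]) -> str:
    """The one failure the guide documents maps to its documented fix;
    anything else is handed to a human."""
    if not findings:
        return "OK"
    if any("Install Keys Mismatch" in f for f in findings):
        return ("shared secret mismatch: check the key on the Manager and set it on "
                "the Sensor with 'set sensor sharedsecretkey'")
    return "investigate: " + "; ".join(findings)


if __name__ == "__main__":
    found = status_findings(SAMPLE_STATUS)
    for f in found:
        print("FINDING:", f)
    print(remediation(found))
```

Run it over the output of a scheduled status capture; a finding on Trust Established or a channel that is down means the Manager has stopped receiving alerts or logs from that Sensor, which is worth an alert of its own.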
tcpdump sec
Displays a tcpdump capture for the specified duration in seconds; optionally, tcpdump arguments can be placed after the duration value.
Syntax:
tcpdump sec <1-30> WORD WORD …
Sample Output:
ntbaSensor@vNTBA> tcpdump sec 5
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
Examples:
tcpdump sec 5
tcpdump sec 5 -i eth4 dst host A.B.C.D
Applicable to:
NTBA Appliances only.
traceupload
Uploads an encoded diagnostic trace file to the configured TFTP server, from which you can send it to
the McAfee Technical Support for diagnosing a problem with the Sensor. A trace upload facility is also
available in the Manager interface.
Syntax:
traceupload WORD
where WORD is the name of the file to which the trace is written.
Note the following:
• Before executing this command, configure the TFTP server on the NTBA Appliance by running the set tftpserver ip command.
• When loading a trace file from the configured TFTP server, the pathname of the file must be relative to /tftpboot.
• Before executing this command (uploading to the TFTP server), ensure that the file has been created on the TFTP server with write permissions for everyone.
As part of traceupload, additional information is collected using logstat. Collecting these logs from the Sensor therefore takes additional time, around 10-30 minutes depending on the Sensor model.
On executing the command the following messages are displayed:
Please enter Y to confirm: y
Uploading trace file to TFTP server
Trace file uploaded successfully to TFTP server.
Sample Output:
For an NTBA Appliance, the output is as shown:
ntbaSensor@vNTBA> traceupload ntbaTraceFile
Make sure the file ntbaTraceFile exists on the server with 'WRITE' permission for
everyone. If it doesn't exist, then create an empty ntbaTraceFile file with 'WORLD
WRITE' permissions.
Please enter Y to confirm: y
Uploading trace file to TFTP server
Trace file uploaded successfully to TFTP server.
Applicable to:
M-series and NS-series, and NTBA Appliances.
See also
logstat on page 54
unknown-interfaces-flows
Accepts or rejects flows sent to the NTBA Appliance from unknown interfaces. Only unknown interfaces of known exporters are affected.
Syntax:
unknown-interfaces-flows <accept> | <reject> | <status>
Parameter Description
<accept>: NTBA accepts flows from an unknown interface
<reject>: NTBA rejects flows from an unknown interface
<status>: Displays the status of the unknown interface flows (accepted or rejected)
If SNMP is not configured, NTBA cannot discover interfaces and does not accept any flows from a router
unless this command is set to accept. You also need to configure proper CIDR ranges in inside and
outside zones. If not configured, all endpoints are treated as inside by NTBA.
Sample Output:
• For Sensor, the output is as shown:
intruShell@john> unknown-interfaces-flows accept
Accepted
• For an NTBA Appliance, the output is as shown:
ntbaSensor@vNTBA> unknown-interfaces-flows accept
ntbaSensor@vNTBA> unknown-interfaces-flows status
interface status: Reject
Applicable to:
NTBA Appliances only.
watchdog
The watchdog process reboots the device whenever an unrecoverable failure is detected in the device.
Syntax:
watchdog <on | off | status>
Parameter Description
<on>: Enables the watchdog
<off>: Disables the watchdog. Use it when a Sensor reboots continuously due to repeated system failure.
<status>: Displays the status of the watchdog process ('on' or 'off')
Sample Output:
• For Sensor, the output is as shown:
intruShell@john> watchdog status
watchdog = off
• For an NTBA Appliance, the output is as shown:
ntbaSensor@vNTBA> watchdog status
watchdog = on
Applicable to:
M-series and NS-series, and NTBA Appliances.
Index
A
about this guide 13
C
CLI command matrix 23
CLI commands issue 15
auto-complete 18
console 15
mandatory commands 18
ssh 17
CLI logon 28
CLI syntax 18
command sequence 18
conventions and icons used in this guide 13
D
default gateway; Sensor 94
documentation
audience for this guide 13
product-specific, finding 14
typographical conventions and icons 13
F
factorydefaults 67
G
granular access control 19
I
IP address; Manager 94
M
management port configuration; Sensor 94
McAfee ServicePortal, accessing 14
P
password; Sensor 92
S
Sensor
about 15
Sensor logon; ssh 18
Sensor name 92
Sensor; NTBA 15
ServicePortal, finding product documentation 14
setup command 91
setup; Sensor 92
shared secret key; Sensor 94
subnet mask; Sensor 93
T
technical support, finding product information 14