Secure SD-WAN Manager commands

Secure SD-WAN Manager commands include commands for the Management Server, Log Server, and Web Portal Server.

In Windows, the command line tools are *.bat script files. In Linux, the files are *.sh scripts. Commands are found in the following locations:

For Secure SD-WAN Manager installations on Linux or Windows, commands are found in the <installation directory>/bin directory.

Commands that require parameters must be run through the command line (cmd.exe in Windows). Commands that do not require parameters can alternatively be run through a graphical user interface, and can be added as shortcuts during installation.

CAUTION:

login and password parameters are optional. Giving them as command-line parameters can pose a security vulnerability. Do not enter logon and password information unless explicitly prompted to do so by a command line tool.

Table 1. Secure SD-WAN Manager commands
Command	Description
`revert`	Reverts to the previous installation saved during the upgrade process. The previous installation can be restored at any time, even after a successful upgrade. Note: This script is located in <installation directory>/bin/uninstall.
`sgActivateWebswing` `[host=<Management Server Address[\Domain>]` `login=<login name>` `pass=<password>` `port=<port number>` `mgtserver=<name>` `enable=<true\|false>` `hostname=<host name>` `listening_address=<IP address>` `https=<true\|false>` `generate_logs=<true\|false>` `use_ssl=<true\|false>` `https_validity=<number of days>` `public_key_output=<path>`	Configures Secure SD-WAN Manager Web Access to run the Management Client in a web browser. `Host` specifies the address of the Management Server. If the parameter is not defined, the loopback address (localhost) is used. `login` defines the user name for the account that is used for this operation. If this parameter is not defined, the user name root is used. `pass` defines the password for the user account. `port` specifies the port number of the Secure SD-WAN Manager Web Access service on the Management Server. The default is 8085. `mgtserver` specifies the name of the Management Server element. The default is Management Server. `enable` specifies whether Secure SD-WAN Manager Web Access is enabled (true) or disabled (false). The default is true. `hostname` specifies the host name of the Secure SD-WAN Manager Web Access service. `listening_address` specifies the listening IP address of the Secure SD-WAN Manager Web Access service if the server has several addresses. If not specified, requests to any of this server's IP addresses are allowed. `https` specifies whether HTTPS is enabled for the Secure SD-WAN Manager Web Access service. If true, the public key is returned in the output. The default is true. `generate_logs` specifies whether to log all file load events in Combined Log format in a file on the server for further analysis with external web statistics software. The default is false. `use_ssl` specifies whether SSL is used to track sessions in your web application. If SSL connections are managed by a proxy or a hardware accelerator they must populate the SSL request headers. The default is false. `https_validity` specifies the number of days for which the self-signed certificate for HTTPS is valid. The default is 365. `public_key_output` specifies the path for the HTTPS public key.
`sgArchiveExport` `[host=<Management Server Address[\Domain>]` `[login=<login name>]` `[pass=<password>]` `[format=<exporter format: CSV or XML>]` `i=<input files and/or directories>` `[o=<output file name>]` `[f=<filter file name>]` `[e=<filter expression>]` `[-h\|-help\|-?]` `[-v]`	Shows and exports logs from archive. Supports CEF, LEEF, and ESM formats in addition to CSV and XML. This command is only available on the Log Server. The operation checks permissions for the supplied administrator account from the Management Server to prevent unauthorized access to the logs. Enclose details in double quotes if they contain spaces. `Host` specifies the address of the Management Server. If the parameter is not defined, the loopback address (localhost) is used. `login` defines the user name for the account that is used for this operation. If this parameter is not defined, the user name root is used. `pass` defines the password for the user account. `format` defines the file format for the output file. If this parameter is not defined, the XML format is used. `i` defines the source from which the logs are exported. Can be a folder or a file. The processing recurses into subfolders. `o` defines the destination file where the logs are exported. If this parameter is not defined, the output is shown on screen. `f` defines a file that contains the filtering criteria you want to use for filtering the log data. You can export log filters individually in the Management Client through Tools > Save for Command Line Tools in the filter's right-click menu. `e` allows you to enter a filter expression manually (using the same syntax as exported filter files). `-h`, `-help`, or `-?` shows information about using the script. `-v` shows verbose output on the command execution. Example (exports logs from one full day to a file using a filter): `sgArchiveExport login=admin pass=abc123 i=`C:\Program Files\Forcepoint\SDWAN Manager`\data\archive\firewall\year2011\month12\.\sgB.day01\ f=`C:\Program Files\Forcepoint\SDWAN Manager`\export\MyExportedFilter.flp format=CSV o=MyExportedLogs.csv`
`sgBackupLogSrv` `[-pwd=<password>]` `[-path=<destpath>]` `[-nodiskcheck]` `[-comment=<comment>]` `[-nofsstorage]` `[-h\|--help]`	Creates a backup of Log Server configuration data. The backup file is stored in the <installation directory>/backups/ directory. Twice the size of the log database is required on the destination drive. Otherwise, the operation fails. `pwd` enables encryption. `path` defines the destination path. `nodiskcheck` ignores the free disk check before creating the backup. `comment` allows you to enter a comment for the backup. The maximum length of a comment is 60 characters. `nofsstorage` creates a backup only of the Log Server configuration without the log data. `-h` or `--help` shows information about using the script. Also see `sgRestoreLogBackup`.
`sgBackupMgtSrv` `[pwd=<password>]` `[path=<destpath>]` `[nodiskcheck]` `[comment=<comment>]` `[-h\|--help]`	Creates a complete backup of the Management Server (including both the local configuration and the stored information in the configuration database). The backup file is stored in the <installation directory>/backups/ directory. Twice the size of the Management Server database is required on the destination drive. Otherwise, the operation fails. `pwd` enables encryption. `path` defines the destination path. `nodiskcheck` ignores the free disk check before creating the backup. `comment` allows you to enter a comment for the backup. The maximum length of a comment is 60 characters. `-h` or `--help` shows information about using the script. Also see `sgRestoreMgtBackup` and `sgRecoverMgtDatabase`.
`sgCertifyLogSrv` `[host=<Management Server Address[\Domain]>`	Contacts the Management Server and creates a certificate for the Log Server to allow secure communications with other Secure SD-WAN Manager components. Renewing an existing certificate does not require changing the configuration of any other Secure SD-WAN Manager components. `host` specifies the address of the Management Server. If the parameter is not defined, the loopback address (localhost) is used. `Domain` specifies the administrative Domain the Log Server belongs to if the system is divided into administrative Domains. If the Domain is not specified, the Shared Domain is used. Stop the Log Server before running this command. Restart the server after running this command.
`sgCertifyMgtSrv` `[login=<login name>]` `[pass=<password>]` `[standby-server=<name of additional Management Server>]` `[active-server=<IP address of active Management Server>]` `[mode=ext-pki-init` `[dn=<Subject DN>` `dns=<SubjectAltName DNS>` `key-size=<256\|384\|521>` `csr-out=<path>` `crt-in=<path>` `ca-file=<path>]]` `[-nodisplay]` `[-h\|-help\|-?]`	Creates a certificate for the Management Server to allow secure communications between the Secure SD-WAN Manager components. Renewing an existing certificate does not require changes on any other Secure SD-WAN Manager components. In an environment with only one Management Server, or to certify the active Management Server, stop the Management Server before running the `sgCertifyMgtSrv` command. Run the command without parameters. Restart the Management Server after running this command. To certify an additional Management Server, stop the additional Management Server before running the `sgCertifyMgtSrv` command. The active Management Server must be running when you run this command. The management database is replicated to the additional Management Server during the certification. The additional Management Server must have a connection to the active Management Server when you run this command. `[login=<login name>]` defines the user name for the account that is used for this operation. If this parameter is not defined, the user name root is used. `[pass=<password>]` defines the password for the user account. `[standby-server]` specifies the name of the additional Management Server to be certified. `[active-server]` specifies the IP address of the active Management Server. `[mode=ext-pki-init]` enables commands for external certificate management. `[dn]` specifies the Subject DN to use in the certificate request for the Management Server. `[dns]` specifies the SubjectAltName DNS value to use in the certificate request for the Management Server. `[key-size]` specifies the key size to use in the certificate request for the Management Server. `[csr-out]` specifies the output path where the certificate request is saved. `[crt-in]` specifies the input path for importing a certificate in PEM format. `[ca-file]` specifies the input path for importing a CA file in PEM format. `-nodisplay` sets a text-only console. `-h`, `-help`, or `-?` shows information about using the script.
`sgCertifyWebPortalSrv` `[host=<Management Server Address[\Domain]>]`	Contacts the Management Server and creates a certificate for the Web Portal Server to allow secure communications with other Secure SD-WAN Manager components. Renewing an existing certificate does not require changing the configuration of any other Secure SD-WAN Manager components. `host` specifies the address of the Management Server. If the parameter is not defined, the loopback address (localhost) is used. `Domain` specifies the administrative Domain the Web Portal Server belongs to if the system is divided into administrative Domains. If the Domain is not specified, the Shared Domain is used. Stop the Web Portal Server before running this command. Restart the server after running this command.
`sgChangeMgtIPOnLogSrv <IP address>`	Changes the Management Server's IP address in the Log Server's local configuration to the IP address you give as a parameter. Use this command if you change the Management Server's IP address. Restart the Log Server service after running this command.
`sgChangeMgtIPOnMgtSrv <IP address>`	Changes the Management Server's IP address in the local configuration to the IP address you give as a parameter. Use this command if you change the Management Server's IP address. Restart the Management Server service after running this command.
`sgClient`	Starts a locally installed Management Client.
`sgCreateAdmin`	Creates an unrestricted (superuser) administrator account. The Management Server must be stopped before running this command.
`sgExport` `[host=<Management Server Address[\Domain]>]` `[login=<login name>]` `[pass=password]` `file=<file path and name>` `[type=<all\|nw\|ips\|sv\|rb\|al\|vpn>` `[name=<element name 1, element name 2, ...>]` `[recursion]` `[-system]` `[-h\|-help\|-?]`	Exports elements stored on the Management Server to an XML file. Enclose details in double quotes if they contain spaces. `host` specifies the address of the Management Server. If the parameter is not defined, the loopback address (localhost) is used. `Domain` specifies the administrative Domain for this operation if the system is divided into administrative Domains. If the Domain is not specified, the Shared Domain is used. `login` defines the user name for the account that is used for this operation. If this parameter is not defined, the user name root is used. `pass` defines the password for the user account. `file` defines the name and location of the export .zip file. `type` specifies which types of elements are included in the export file: `all` for all exportable elements `nw` for network elements `ips` for IPS elements `sv` for services `rb` for security policies `al` for alerts `vpn` for VPN elements. `name` allows you to specify by name the elements that you want to export. `recursion` includes referenced elements in the export, for example, the network elements used in a policy that you export. `-system` includes any system elements that are referenced by the other elements in the export. `-h`, `-help`, or `-?` shows information about using the script.
`sgHA` `[host=<Management Server Address[\Domain]>]` `[login=<login name>]` `[pass=<password>]` `[master=<Management Server used as master server for the operation>]` `[-set-active]` `[-set-standby]` `[-check]` `[-retry]` `[-force]` `[-restart]` `[-h\|-help\|-?]`	Controls active and standby Management Servers. If you want to perform a full database synchronization, use the `sgOnlineReplication` command. `host` specifies the address of the Management Server. If the parameter is not defined, the loopback address (localhost) is used. `Domain` specifies the administrative Domain for this operation if the system is divided into administrative Domains. If the Domain is not specified, the Shared Domain is used. `login` defines the user name for the account that is used for this operation. If this parameter is not defined, the user name root is used. `pass` defines the password for the user account. `master` defines the Management Server used as a master Management Server for the operation. `-set-active` activates and locks all administrative Domains. `-set-standby` deactivates and unlocks all administrative Domains. `-check` checks that the Management Server's database is in sync with the master Management Server. `-retry` retries replication if this has been stopped due to a recoverable error. `-force` enforces the operation even if all Management Servers are not in sync. Note: This option can cause instability if used carelessly. `-restart` restarts the specified Management Server. `-h`, `-help`, or `-?` shows information about using the script.
`sgImport` `[host=<Management Server Address[\Domain]>]` `[login=<login name>]` `[pass=<password>]` `file=<file path and name>` `[-replace_all]` `[-h\|-help\|-?]`	Imports Management Server database elements from an XML file. When importing, existing (non-default) elements are overwritten if both the name and type match. `host` specifies the address of the Management Server. If the parameter is not defined, the loopback address (localhost) is used. `Domain` specifies the administrative Domain for this operation if the system is divided into administrative Domains. If the Domain is not specified, the Shared Domain is used. `login` defines the user name for the account that is used for this operation. If this parameter is not defined, the user name root is used. `pass` defines the password for the user account. `file` defines the .zip file whose contents you want to import. `-replace_all` ignores all conflicts by replacing all existing elements with new ones. `-h`, `-help`, or `-?` shows information about using the script.
`sgImportExportUser` `[host=<<Management Server Address[\Domain]>>]` `[login=<login name>]` `[pass=password]` `action=<import\|export>` `file=<file path and name>` `[-h\|-help\|-?]`	Imports and exports a list of Users and User Groups in an LDIF file from or to a Management Server's internal LDAP database. To import User Groups, all User Groups in the LDIF file must be directly under the stonegate top-level group (dc=stonegate). CAUTION: The user information in the export file is stored as plaintext. Handle the file securely. `host` specifies the address of the Management Server. If the parameter is not defined, the loopback address (localhost) is used. `Domain` specifies the administrative Domain for this operation if the system is divided into administrative Domains. If the Domain is not specified, the Shared Domain is used. `login` defines the user name for the account that is used for this operation. If this parameter is not defined, the user name `root` is used. `pass` defines the password for the user account. `action` defines whether users are imported or exported. `file` defines the file that is used for the operation. Example: `sgImportExportUser login=admin pass=abc123 action=export file=c:\temp\exportedusers.ldif` `-h`, `-help`, or `-?` shows information about using the script.
`sgInfo` `SG_ROOT_DIR` `FILENAME` `[fast=<timestamp>]` `[list]` `[hprof=none\|limited\|all]` `[-nolog]` `[-client]` `[-h\|-help\|-?]`	Creates a .zip file that contains copies of configuration files and the system trace files. The resulting .zip file is stored in the logged on user's home directory. The file location is shown on the last line of screen output. Provide the generated file to support for troubleshooting purposes. Note: On the Appliance, you must always specify the path to the directory in which the .zip file is stored. The directory must be accessible from the account that you use to log on to the command line of the Appliance. `SG_ROOT_DIR` Secure SD-WAN Manager installation directory. `FILENAME` name of output file. `fast` collects only traces that changed after the specified time stamp. Enter the time stamp in milliseconds or in the format yyyy-MM-dd HH:mm:ss. No other information is collected, except for threaddumps. `[list]` only lists files. It does not create a .zip file or generate threaddumps. `hprof` defines whether hprof memory dump files are included. `none` does not include hprof memory dump files. `limited` includes only hprof memory dump files that are created with makeheap. `all` includes memory dump files that are created with makeheap and java_pid. `-nolog` extended Log Server information is not collected. `-client` collects traces only from the Management Client. `-h`, `-help`, or `-?` shows information about using the script.
`sgOnlineReplication` `[active-server=<name of active Management Server>]` `[-nodisplay]` `[-h\|-help\|-?]`	Replicates the Management Server's database from the active Management Server to an additional Management Server. Stop the Management Server to which the database is replicated before running this command. Restart the Management Server after running this command. Use this script to replicate the database only in the following cases: The additional Management Server's configuration has been corrupted. In new Secure SD-WAN Manager installations if the automatic database replication between the Management Servers has not succeeded. Otherwise, synchronize the database through the Management Client. CAUTION: This script also has parameters that are for the internal use of the Management Server only. Do not use this script with any parameters other than the ones listed here. `active-server` specifies the IP address of the active Management Server from which the Management database is replicated. `-nodisplay` sets a text-only console. `-h`, `-help`, or `-?` shows information about using the script.
`sgReinitializeLogServer`	Creates a Log Server configuration if the configuration file has been lost. Note: This script is located in <installation directory>/bin/install.
`sgRestoreArchive <ARCHIVE_DIR>`	Restores logs from archive files to the Log Server. This command is available only on the Log Server. `ARCHIVE_DIR` is the number of the archive directory (0–31) from where the logs will be restored. By default, only archive directory 0 is defined. The archive directories can be defined in the <installation directory>/data/LogServerConfiguration.txt file: `ARCHIVE_DIR_ xx=PATH`.
`sgRestoreLogBackup` `[-pwd=<password>]` `[-backup=<backup file name>]` `[-nodiskcheck]` `[-overwrite-syslog-template]` `[-h\|-help]`	Restores the Log Server (logs or configuration files) from a backup file in the <installation directory>/backups/ directory. `-pwd` defines a password for encrypted backup. `-backup` defines a name for the backup file. `-nodiskcheck` ignores the free disk check before backup restoration. `-overwrite-syslog-template` overwrites a syslog template file if found in the backup. `-h` or `-help` shows information about using the script.
`sgRestoreMgtBackup` `[-pwd=<password>]` `[-backup=<backup file name>]` `[-import-license <license file name>]` `[-nodiskcheck]` `[-h\|-help]`	Restores the Management Server (database or configuration files) from a backup file in the <installation directory>/backups/ directory. `-pwd` defines a password for encrypted backup. `-backup` defines a name for the backup file. `-import-license` specifies a license file to import during the backup restoration. `-nodiskcheck` ignores the free disk check before backup restoration. `-h` or `-help` shows information about using the script.
`sgShowFingerPrint`	Shows the CA certificate's fingerprint on the Management Server.
`sgStartLogSrv`	Starts the Log Server and its database.
`sgStartMgtDatabase`	Starts the Management Server's database. There is usually no need to use this script.
`sgStartMgtSrv`	Starts the Management Server and its database.
`sgStartWebPortalSrv`	Starts the Web Portal Server.
`sgStopLogSrv`	Stops the Log Server.
`sgStopMgtSrv`	Stops the Management Server and its database.
`sgStopMgtDatabase`	Stops the Management Server's database. There is usually no need to use this script.
`sgStopWebPortalSrv`	Stops the Web Portal Server.
`sgStopRemoteMgtSrv` `[host=<Management Server address[\Domain]>]` `[login=<login name>]` `[pass=<password>]` `[-h\|-help\|-?]`	Stops the Management Server service when run without arguments. To stop a remote Management Server service, provide the arguments to connect to the Management Server. `host` is the Management Server's host name if not localhost. `login` is an Secure SD-WAN Manager administrator account for the logon. `pass` is the password for the administrator account. `-h`, `-help`, or `-?` shows information about using the script.
`sgTextBrowser` `[host=<Management Server address[\Domain]>]` `[login=<login name>]` `[pass=<password>]` `[format=<CSV\|XML>]` `[o=<output file>]` `[f=<filter file>]` `[e=<filter expression>]` `[m=<current\|stored>]` `[limit=<maximum number of unique records to fetch>]` `[-h\|-help\|-?]`	Shows or exports current or stored logs. This command is available on the Log Server. Enclose the file and filter names in double quotes if they contain spaces. `host` defines the address of the Management Server used for checking the logon information. If this parameter is not defined, Management Server is expected to be on the same host where the script is run. If Domains are in use, you can specify the Domain the Log Server belongs to. If `domain` is not specified, the Shared Domain is used. `login` defines the user name for the account that is used for this export. If this parameter is not defined, the user name root is used. `pass` defines the password for the user account used for this operation. `format` defines the file format for the output file. If this parameter is not defined, the XML format is used. `o` defines the destination output file where the logs will be exported. If this parameter is not defined, the output is shown on screen. `f` defines the exported filter file that you want to use for filtering the log data. `e` defines the filter that you want to use for filtering the log data. Type the name as shown in the Management Client. `m` defines whether you want to view or export logs as they arrive on the Log Server (current) or logs stored in the active storage directory (stored). If this option is not defined, the current logs are used. `limit` defines the maximum number of unique records to be fetched. The default value is unlimited. `-h`, `-help`, or `-?` shows information about using the script.