Secure SD-WAN Manager commands

Secure SD-WAN Manager commands include commands for the Management Server, Log Server, and Web Portal Server.

In Windows, the command line tools are *.bat script files. In Linux, the files are *.sh scripts. Commands are found in the following locations:

  • For Secure SD-WAN Manager installations on Linux or Windows, commands are found in the <installation directory>/bin directory.

Commands that require parameters must be run through the command line (cmd.exe in Windows). Commands that do not require parameters can alternatively be run through a graphical user interface, and can be added as shortcuts during installation.

CAUTION:
login and password parameters are optional. Giving them as command-line parameters can pose a security vulnerability. Do not enter logon and password information unless explicitly prompted to do so by a command line tool.
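The caution above is also the reason to check whether credentials have already been recorded: a pass= value typed on the command line is written to the shell history and is visible to other local users in the process list while the command runs. The following shell script is an added example, not one of the product's own tools. It scans a history file for sg* command lines that carry a pass= or -pwd= argument and reports them with the secret redacted; the history file and its lines are constructed for the example.

```shell
#!/bin/sh
# Added example (not part of Secure SD-WAN Manager): report sg* commands in a
# shell history file that were given a password on the command line.

# Print "<line number>:<command>" for every history line that runs an sg*
# tool with a pass= or -pwd= argument. The secret itself is replaced with
# <redacted> so the report does not expose it a second time.
find_cli_password_leaks() {
    grep -n -E '(^|[[:space:]/])sg[A-Za-z]+(\.sh)?[[:space:]](.*[[:space:]])?-?(pass|pwd)=' "$1" \
        | sed -E 's/([[:space:]]-?(pass|pwd)=)[^[:space:]]+/\1<redacted>/g'
}

# Number of offending lines; 0 means the history file is clean.
count_cli_password_leaks() {
    find_cli_password_leaks "$1" | wc -l | tr -d ' \t'
}

# Demonstration on a constructed history file (sample lines, not real
# credentials). On a real host point the function at ~/.bash_history or the
# history file of the account that runs the tools.
hist=$(mktemp)
cat > "$hist" <<'EOF'
sgBackupMgtSrv path=/backups comment=nightly
sgArchiveExport login=admin pass=abc123 i=/var/archive o=out.csv
ls -la
./sgBackupLogSrv.sh -pwd=Sup3rSecret -path=/backups
EOF
echo "$(count_cli_password_leaks "$hist") history line(s) carry a password:"
find_cli_password_leaks "$hist"
rm -f "$hist"
```

The report keeps the login= value so the affected account can be identified and rotated, and redacts only the secret. A clean result does not prove nothing leaked (history may be disabled or truncated), so the check complements, rather than replaces, the practice of letting the tool prompt for the password.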
Table 1. Secure SD-WAN Manager commands
Command Description
revert

Reverts to the previous installation saved during the upgrade process.

The previous installation can be restored at any time, even after a successful upgrade.

Note: This script is located in <installation directory>/bin/uninstall.

sgActivateWebswing

[host=<Management Server Address[\Domain]>]

login=<login name>

pass=<password>

port=<port number>

mgtserver=<name>

enable=<true|false>

hostname=<host name>

listening_address=<IP address>

https=<true|false>

generate_logs=<true|false>

use_ssl=<true|false>

https_validity=<number of days>

public_key_output=<path>

Configures Secure SD-WAN Manager Web Access to run the Management Client in a web browser.

host specifies the address of the Management Server. If the parameter is not defined, the loopback address (localhost) is used.

login defines the user name for the account that is used for this operation. If this parameter is not defined, the user name root is used.

pass defines the password for the user account.

port specifies the port number of the Secure SD-WAN Manager Web Access service on the Management Server. The default is 8085.

mgtserver specifies the name of the Management Server element. The default is Management Server.

enable specifies whether Secure SD-WAN Manager Web Access is enabled (true) or disabled (false). The default is true.

hostname specifies the host name of the Secure SD-WAN Manager Web Access service.

listening_address specifies the listening IP address of the Secure SD-WAN Manager Web Access service if the server has several addresses. If not specified, requests to any of this server's IP addresses are allowed.

https specifies whether HTTPS is enabled for the Secure SD-WAN Manager Web Access service. If true, the public key is returned in the output. The default is true.

generate_logs specifies whether to log all file load events in Combined Log format in a file on the server for further analysis with external web statistics software. The default is false.

use_ssl specifies whether SSL is used to track sessions in your web application. If SSL connections are managed by a proxy or a hardware accelerator they must populate the SSL request headers. The default is false.

https_validity specifies the number of days for which the self-signed certificate for HTTPS is valid. The default is 365.

public_key_output specifies the path for the HTTPS public key.

sgArchiveExport

[host=<Management Server Address[\Domain]>]

[login=<login name>]

[pass=<password>]

[format=<exporter format: CSV or XML>]

i=<input files and/or directories>

[o=<output file name>]

[f=<filter file name>]

[e=<filter expression>]

[-h|-help|-?]

[-v]

Shows and exports logs from archive. Supports CEF, LEEF, and ESM formats in addition to CSV and XML.

This command is only available on the Log Server. The operation checks permissions for the supplied administrator account from the Management Server to prevent unauthorized access to the logs.

Enclose details in double quotes if they contain spaces.

host specifies the address of the Management Server. If the parameter is not defined, the loopback address (localhost) is used.

login defines the user name for the account that is used for this operation. If this parameter is not defined, the user name root is used.

pass defines the password for the user account.

format defines the file format for the output file. If this parameter is not defined, the XML format is used.

i defines the source from which the logs are exported. Can be a folder or a file. The processing recurses into subfolders.

o defines the destination file where the logs are exported. If this parameter is not defined, the output is shown on screen.

f defines a file that contains the filtering criteria you want to use for filtering the log data. You can export log filters individually in the Management Client through Tools > Save for Command Line Tools in the filter's right-click menu.

e allows you to enter a filter expression manually (using the same syntax as exported filter files).

-h, -help, or -? shows information about using the script.

-v shows verbose output on the command execution.

Example (exports logs from one full day to a file using a filter; the paths contain spaces, so their values are enclosed in double quotes): sgArchiveExport login=admin pass=abc123 i="C:\Program Files\Forcepoint\SDWAN Manager\data\archive\firewall\year2011\month12\.\sgB.day01" f="C:\Program Files\Forcepoint\SDWAN Manager\export\MyExportedFilter.flp" format=CSV o=MyExportedLogs.csv

sgBackupLogSrv

[-pwd=<password>]

[-path=<destpath>]

[-nodiskcheck]

[-comment=<comment>]

[-nofsstorage]

[-h|--help]

Creates a backup of Log Server configuration data.

The backup file is stored in the <installation directory>/backups/ directory.

Twice the size of the log database is required on the destination drive. Otherwise, the operation fails.

pwd enables encryption.

path defines the destination path.

nodiskcheck ignores the free disk check before creating the backup.

comment allows you to enter a comment for the backup. The maximum length of a comment is 60 characters.

nofsstorage creates a backup only of the Log Server configuration without the log data.

-h or --help shows information about using the script.

Also see sgRestoreLogBackup.

sgBackupMgtSrv

[pwd=<password>]

[path=<destpath>]

[nodiskcheck]

[comment=<comment>]

[-h|--help]

Creates a complete backup of the Management Server (including both the local configuration and the stored information in the configuration database). The backup file is stored in the <installation directory>/backups/ directory.

Twice the size of the Management Server database is required on the destination drive. Otherwise, the operation fails.

pwd enables encryption.

path defines the destination path.

nodiskcheck ignores the free disk check before creating the backup.

comment allows you to enter a comment for the backup. The maximum length of a comment is 60 characters.

-h or --help shows information about using the script.

Also see sgRestoreMgtBackup and sgRecoverMgtDatabase.
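Both sgBackupLogSrv and sgBackupMgtSrv fail when the destination drive has less than twice the size of the database, and -nodiskcheck only skips the tool's own check rather than removing the need. The script below is an added example, not part of the product, that performs the same free-space test beforehand so a scheduled backup job can stop early with a clear message. The database and backup directory paths are placeholders; substitute the data and backups directories under your <installation directory>.

```shell
#!/bin/sh
# Added example (not part of Secure SD-WAN Manager): pre-check that the
# backup destination has at least twice the size of the database, the
# requirement stated for sgBackupLogSrv and sgBackupMgtSrv.

# Size of a directory tree in kilobytes (du -sk is POSIX).
dir_size_kb() {
    du -sk "$1" | awk '{ print $1 }'
}

# Free space in kilobytes on the filesystem that holds the given path.
# df -P prints the POSIX portable format, where column 4 is "Available".
free_space_kb() {
    df -Pk "$1" | awk 'NR == 2 { print $4 }'
}

# Return 0 when avail_kb covers factor * size_kb, else 1. The factor
# defaults to 2, the figure given in the command reference.
space_sufficient() {
    size_kb="$1"; avail_kb="$2"; factor="${3:-2}"
    [ "$avail_kb" -ge $((size_kb * factor)) ]
}

# Convenience wrapper taking the database directory and the backup destination.
backup_space_ok() {
    space_sufficient "$(dir_size_kb "$1")" "$(free_space_kb "$2")"
}

# Demonstration with placeholder paths (not the product's real layout);
# override them through the environment to test a real installation.
DB_DIR="${SG_DB_DIR:-/opt/sdwan-manager/data}"             # placeholder
BACKUP_DIR="${SG_BACKUP_DIR:-/opt/sdwan-manager/backups}"  # placeholder
if [ -d "$DB_DIR" ] && [ -d "$BACKUP_DIR" ]; then
    if backup_space_ok "$DB_DIR" "$BACKUP_DIR"; then
        echo "enough free space on $BACKUP_DIR for a backup of $DB_DIR"
    else
        echo "not enough free space on $BACKUP_DIR; the backup would fail" >&2
    fi
fi
```

Run backup_space_ok before the backup command in a cron or scheduler wrapper and abort when it returns non-zero; the same function works for the Log Server by pointing it at the log database directory.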

sgCertifyLogSrv

[host=<Management Server Address[\Domain]>]

Contacts the Management Server and creates a certificate for the Log Server to allow secure communications with other Secure SD-WAN Manager components. Renewing an existing certificate does not require changing the configuration of any other Secure SD-WAN Manager components.

host specifies the address of the Management Server. If the parameter is not defined, the loopback address (localhost) is used.

Domain specifies the administrative Domain the Log Server belongs to if the system is divided into administrative Domains. If the Domain is not specified, the Shared Domain is used.

Stop the Log Server before running this command. Restart the server after running this command.

sgCertifyMgtSrv

[login=<login name>]

[pass=<password>]

[standby-server=<name of additional Management Server>]

[active-server=<IP address of active Management Server>]

[mode=ext-pki-init

[dn=<Subject DN>

dns=<SubjectAltName DNS>

key-size=<256|384|521>

csr-out=<path>

crt-in=<path>

ca-file=<path>]]

[-nodisplay]

[-h|-help|-?]

Creates a certificate for the Management Server to allow secure communications between the Secure SD-WAN Manager components. Renewing an existing certificate does not require changes on any other Secure SD-WAN Manager components.

In an environment with only one Management Server, or to certify the active Management Server, stop the Management Server before running the sgCertifyMgtSrv command. Run the command without parameters. Restart the Management Server after running this command.

To certify an additional Management Server, stop the additional Management Server before running the sgCertifyMgtSrv command. The active Management Server must be running when you run this command. The management database is replicated to the additional Management Server during the certification. The additional Management Server must have a connection to the active Management Server when you run this command.

login defines the user name for the account that is used for this operation. If this parameter is not defined, the user name root is used.

pass defines the password for the user account.

standby-server specifies the name of the additional Management Server to be certified.

active-server specifies the IP address of the active Management Server.

mode=ext-pki-init enables the external certificate management options (dn, dns, key-size, csr-out, crt-in, and ca-file).

dn specifies the Subject DN to use in the certificate request for the Management Server.

dns specifies the SubjectAltName DNS value to use in the certificate request for the Management Server.

key-size specifies the key size to use in the certificate request for the Management Server.

csr-out specifies the output path where the certificate request is saved.

crt-in specifies the input path for importing a certificate in PEM format.

ca-file specifies the input path for importing a CA file in PEM format.

-nodisplay sets a text-only console.

-h, -help, or -? shows information about using the script.

sgCertifyWebPortalSrv

[host=<Management Server Address[\Domain]>]

Contacts the Management Server and creates a certificate for the Web Portal Server to allow secure communications with other Secure SD-WAN Manager components. Renewing an existing certificate does not require changing the configuration of any other Secure SD-WAN Manager components.

host specifies the address of the Management Server. If the parameter is not defined, the loopback address (localhost) is used.

Domain specifies the administrative Domain the Web Portal Server belongs to if the system is divided into administrative Domains. If the Domain is not specified, the Shared Domain is used.

Stop the Web Portal Server before running this command. Restart the server after running this command.

sgChangeMgtIPOnLogSrv <IP address>

Changes the Management Server's IP address in the Log Server's local configuration to the IP address you give as a parameter.

Use this command if you change the Management Server's IP address. Restart the Log Server service after running this command.

sgChangeMgtIPOnMgtSrv <IP address>

Changes the Management Server's IP address in the local configuration to the IP address you give as a parameter.

Use this command if you change the Management Server's IP address. Restart the Management Server service after running this command.

sgClient

Starts a locally installed Management Client.

sgCreateAdmin

Creates an unrestricted (superuser) administrator account.

The Management Server must be stopped before running this command.

sgExport

[host=<Management Server Address[\Domain]>]

[login=<login name>]

[pass=<password>]

file=<file path and name>

[type=<all|nw|ips|sv|rb|al|vpn>]

[name=<element name 1, element name 2, ...>]

[recursion]

[-system]

[-h|-help|-?]

Exports elements stored on the Management Server to an XML file.

Enclose details in double quotes if they contain spaces.

host specifies the address of the Management Server. If the parameter is not defined, the loopback address (localhost) is used.

Domain specifies the administrative Domain for this operation if the system is divided into administrative Domains. If the Domain is not specified, the Shared Domain is used.

login defines the user name for the account that is used for this operation. If this parameter is not defined, the user name root is used.

pass defines the password for the user account.

file defines the name and location of the export .zip file.

type specifies which types of elements are included in the export file:
  • all for all exportable elements
  • nw for network elements
  • ips for IPS elements
  • sv for services
  • rb for security policies
  • al for alerts
  • vpn for VPN elements.

name allows you to specify by name the elements that you want to export.

recursion includes referenced elements in the export, for example, the network elements used in a policy that you export.

-system includes any system elements that are referenced by the other elements in the export.

-h, -help, or -? shows information about using the script.

sgHA

[host=<Management Server Address[\Domain]>]

[login=<login name>]

[pass=<password>]

[master=<Management Server used as master server for the operation>]

[-set-active]

[-set-standby]

[-check]

[-retry]

[-force]

[-restart]

[-h|-help|-?]

Controls active and standby Management Servers.

If you want to perform a full database synchronization, use the sgOnlineReplication command.

host specifies the address of the Management Server. If the parameter is not defined, the loopback address (localhost) is used.

Domain specifies the administrative Domain for this operation if the system is divided into administrative Domains. If the Domain is not specified, the Shared Domain is used.

login defines the user name for the account that is used for this operation. If this parameter is not defined, the user name root is used.

pass defines the password for the user account.

master defines the Management Server used as a master Management Server for the operation.

-set-active activates and locks all administrative Domains.

-set-standby deactivates and unlocks all administrative Domains.

-check checks that the Management Server's database is in sync with the master Management Server.

-retry retries replication if this has been stopped due to a recoverable error.

-force enforces the operation even if all Management Servers are not in sync.
Note: This option can cause instability if used carelessly.

-restart restarts the specified Management Server.

-h, -help, or -? shows information about using the script.

sgImport

[host=<Management Server Address[\Domain]>]

[login=<login name>]

[pass=<password>]

file=<file path and name>

[-replace_all]

[-h|-help|-?]

Imports Management Server database elements from an XML file.

When importing, existing (non-default) elements are overwritten if both the name and type match.

host specifies the address of the Management Server. If the parameter is not defined, the loopback address (localhost) is used.

Domain specifies the administrative Domain for this operation if the system is divided into administrative Domains. If the Domain is not specified, the Shared Domain is used.

login defines the user name for the account that is used for this operation. If this parameter is not defined, the user name root is used.

pass defines the password for the user account.

file defines the .zip file whose contents you want to import.

-replace_all ignores all conflicts by replacing all existing elements with new ones.

-h, -help, or -? shows information about using the script.

sgImportExportUser

[host=<Management Server Address[\Domain]>]

[login=<login name>]

[pass=<password>]

action=<import|export>

file=<file path and name>

[-h|-help|-?]

Imports and exports a list of Users and User Groups in an LDIF file from or to a Management Server's internal LDAP database.

To import User Groups, all User Groups in the LDIF file must be directly under the stonegate top-level group (dc=stonegate).

CAUTION:
The user information in the export file is stored as plaintext. Handle the file securely.

host specifies the address of the Management Server. If the parameter is not defined, the loopback address (localhost) is used.

Domain specifies the administrative Domain for this operation if the system is divided into administrative Domains. If the Domain is not specified, the Shared Domain is used.

login defines the user name for the account that is used for this operation. If this parameter is not defined, the user name root is used.

pass defines the password for the user account.

action defines whether users are imported or exported.

file defines the file that is used for the operation.

Example: sgImportExportUser login=admin pass=abc123 action=export file=c:\temp\exportedusers.ldif

-h, -help, or -? shows information about using the script.
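Two practical checks follow from the sgImportExportUser description: the exported LDIF is plaintext and must be protected, and a file to be imported must keep its entries under dc=stonegate with User Groups directly beneath it. The shell script below is an added example, not part of the product. It restricts an export file to its owner, lists entries whose dn is outside dc=stonegate, and prints the nesting depth of every entry so that a group that is not a direct child of the base stands out. It assumes plain "dn:" lines (base64 "dn::" lines are skipped) and no backslash-escaped commas inside attribute values; the LDIF content is constructed for the example.

```shell
#!/bin/sh
# Added example (not part of sgImportExportUser): handle the plaintext LDIF
# export securely and sanity-check an LDIF before importing it.

# Extract the distinguished names from an LDIF file, one per line.
# Base64-encoded "dn::" lines are skipped (assumption: exports use plain dn:).
ldif_dns() {
    sed -n '/^dn::/!s/^dn:[[:space:]]*//p' "$1"
}

# Print entries whose dn does not end in dc=stonegate; prints nothing when
# every entry is under the expected base.
ldif_dns_outside_base() {
    ldif_dns "$1" | grep -v -i -E '(^|,)[[:space:]]*dc=stonegate[[:space:]]*$' || true
}

# Print "<depth> <dn>", where depth counts the RDNs above the base entry:
# 0 = dc=stonegate itself, 1 = a direct child (where User Groups must be),
# 2 or more = nested below a child. Commas are counted, so escaped commas
# inside values would be over-counted (assumption noted above).
ldif_entry_depths() {
    ldif_dns "$1" | awk '{ n = gsub(/,/, ","); print n, $0 }'
}

# Restrict a plaintext export to its owner and confirm the resulting mode.
secure_export_file() {
    chmod 600 "$1" && [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ]
}

# Demonstration on a constructed LDIF (sample entries, not a real export).
# For a real export, set "umask 077" first so the file is created private,
# then run sgImportExportUser action=export file=... without login= and
# pass= on the command line, as the CAUTION at the top of the reference advises.
ldif=$(mktemp)
cat > "$ldif" <<'EOF'
dn: dc=stonegate
objectClass: top

dn: cn=Admins,dc=stonegate
objectClass: top

dn: cn=alice,cn=Admins,dc=stonegate
objectClass: top

dn: cn=stray,dc=other
objectClass: top
EOF
secure_export_file "$ldif" && echo "permissions restricted on $ldif"
echo "entries outside dc=stonegate:"; ldif_dns_outside_base "$ldif"
echo "entry depths:"; ldif_entry_depths "$ldif"
rm -f "$ldif"
```

On the sample, cn=stray,dc=other is reported as outside the base and cn=alice shows depth 2; whether a depth-2 entry is a user inside a group or a nested group depends on the schema of the export, which the reference does not describe, so the depth listing is a review aid rather than a pass/fail test.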

sgInfo

SG_ROOT_DIR

FILENAME

[fast=<timestamp>]

[list]

[hprof=none|limited|all]

[-nolog]

[-client]

[-h|-help|-?]

Creates a .zip file that contains copies of configuration files and the system trace files.

The resulting .zip file is stored in the logged on user's home directory. The file location is shown on the last line of screen output. Provide the generated file to support for troubleshooting purposes.

Note: On the Appliance, you must always specify the path to the directory in which the .zip file is stored. The directory must be accessible from the account that you use to log on to the command line of the Appliance.

SG_ROOT_DIR is the Secure SD-WAN Manager installation directory.

FILENAME is the name of the output file.

fast collects only traces that changed after the specified time stamp. Enter the time stamp in milliseconds or in the format yyyy-MM-dd HH:mm:ss. No other information is collected, except for threaddumps.

list only lists the files. It does not create a .zip file or generate threaddumps.

hprof defines whether hprof memory dump files are included.
  • none does not include hprof memory dump files.
  • limited includes only hprof memory dump files that are created with makeheap.
  • all includes memory dump files that are created with makeheap and java_pid.

-nolog skips the collection of extended Log Server information.

-client collects traces only from the Management Client.

-h, -help, or -? shows information about using the script.

sgOnlineReplication

[active-server=<name of active Management Server>]

[-nodisplay]

[-h|-help|-?]

Replicates the Management Server's database from the active Management Server to an additional Management Server.

Stop the Management Server to which the database is replicated before running this command. Restart the Management Server after running this command.

Use this script to replicate the database only in the following cases:
  • The additional Management Server's configuration has been corrupted.
  • In new Secure SD-WAN Manager installations if the automatic database replication between the Management Servers has not succeeded.
Otherwise, synchronize the database through the Management Client.
CAUTION:
This script also has parameters that are for the internal use of the Management Server only. Do not use this script with any parameters other than the ones listed here.

active-server specifies the IP address of the active Management Server from which the Management database is replicated.

-nodisplay sets a text-only console.

-h, -help, or -? shows information about using the script.

sgReinitializeLogServer

Creates a Log Server configuration if the configuration file has been lost.

Note: This script is located in <installation directory>/bin/install.

sgRestoreArchive <ARCHIVE_DIR>

Restores logs from archive files to the Log Server.

This command is available only on the Log Server.

ARCHIVE_DIR is the number of the archive directory (0–31) from which the logs are restored. By default, only archive directory 0 is defined. The archive directories are defined in the <installation directory>/data/LogServerConfiguration.txt file as ARCHIVE_DIR_xx=PATH.
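Because sgRestoreArchive takes only the index and resolves the path from LogServerConfiguration.txt, a wrong or stale ARCHIVE_DIR_xx definition is found only when the restore runs. The shell script below is an added example, not part of the product: it reads the ARCHIVE_DIR_xx=PATH lines from a configuration file, checks that each index is within 0–31 and that each path exists, and returns non-zero when any definition is unusable. It assumes the file is a KEY=VALUE text file whose other keys can be ignored, and the sample configuration is constructed for the example.

```shell
#!/bin/sh
# Added example (not part of Secure SD-WAN Manager): list and validate the
# ARCHIVE_DIR_xx=PATH definitions that sgRestoreArchive relies on.

# Print "<index> <path>" for every ARCHIVE_DIR_xx=PATH line. Carriage returns
# are stripped first so a file edited on Windows is parsed the same way.
archive_dirs() {
    tr -d '\r' < "$1" \
        | sed -n 's/^[[:space:]]*ARCHIVE_DIR_\([0-9][0-9]*\)[[:space:]]*=[[:space:]]*\(.*\)$/\1 \2/p'
}

# Report problems with the definitions and return 0 only when every archive
# directory is in range, has a path, and that path exists on this host.
check_archive_dirs() {
    archive_dirs "$1" | (
        status=0; n=0
        while read -r idx path; do
            n=$((n + 1))
            if [ "$idx" -gt 31 ]; then
                echo "ARCHIVE_DIR_$idx: index must be between 0 and 31"; status=1
            elif [ -z "$path" ]; then
                echo "ARCHIVE_DIR_$idx: empty path"; status=1
            elif [ ! -d "$path" ]; then
                echo "ARCHIVE_DIR_$idx: directory $path does not exist"; status=1
            fi
        done
        if [ "$n" -eq 0 ]; then
            echo "no ARCHIVE_DIR_xx entries found"; status=1
        fi
        exit "$status"
    )
}

# Demonstration on a constructed configuration (not a real product file).
cfg=$(mktemp)
cat > "$cfg" <<'EOF'
# constructed sample in the ARCHIVE_DIR_xx=PATH form
ARCHIVE_DIR_0=/tmp
ARCHIVE_DIR_1=/var/lib/archive-placeholder-that-does-not-exist
ARCHIVE_DIR_40=/tmp
OTHER_SETTING=ignored
EOF
echo "defined archive directories:"; archive_dirs "$cfg"
if check_archive_dirs "$cfg"; then
    echo "all archive directories are usable"
else
    echo "fix the definitions above before running sgRestoreArchive" >&2
fi
rm -f "$cfg"
```

Point the script at the real <installation directory>/data/LogServerConfiguration.txt on the Log Server; the index it prints for a valid entry is the value to pass to sgRestoreArchive.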

sgRestoreLogBackup

[-pwd=<password>]

[-backup=<backup file name>]

[-nodiskcheck]

[-overwrite-syslog-template]

[-h|-help]

Restores the Log Server (logs or configuration files) from a backup file in the <installation directory>/backups/ directory.

-pwd defines the password for an encrypted backup.

-backup defines a name for the backup file.

-nodiskcheck ignores the free disk check before backup restoration.

-overwrite-syslog-template overwrites a syslog template file if found in the backup.

-h or -help shows information about using the script.

sgRestoreMgtBackup

[-pwd=<password>]

[-backup=<backup file name>]

[-import-license <license file name>]

[-nodiskcheck]

[-h|-help]

Restores the Management Server (database or configuration files) from a backup file in the <installation directory>/backups/ directory.

-pwd defines the password for an encrypted backup.

-backup defines a name for the backup file.

-import-license specifies a license file to import during the backup restoration.

-nodiskcheck ignores the free disk check before backup restoration.

-h or -help shows information about using the script.

sgShowFingerPrint

Shows the CA certificate's fingerprint on the Management Server.

sgStartLogSrv

Starts the Log Server and its database.

sgStartMgtDatabase

Starts the Management Server's database.

There is usually no need to use this script.

sgStartMgtSrv

Starts the Management Server and its database.

sgStartWebPortalSrv

Starts the Web Portal Server.

sgStopLogSrv

Stops the Log Server.

sgStopMgtSrv

Stops the Management Server and its database.

sgStopMgtDatabase

Stops the Management Server's database.

There is usually no need to use this script.

sgStopWebPortalSrv

Stops the Web Portal Server.

sgStopRemoteMgtSrv

[host=<Management Server address[\Domain]>]

[login=<login name>]

[pass=<password>]

[-h|-help|-?]

Stops the Management Server service when run without arguments.

To stop a remote Management Server service, provide the arguments to connect to the Management Server.

host is the Management Server's host name if not localhost.

login is a Secure SD-WAN Manager administrator account for the logon.

pass is the password for the administrator account.

-h, -help, or -? shows information about using the script.

sgTextBrowser

[host=<Management Server address[\Domain]>]

[login=<login name>]

[pass=<password>]

[format=<CSV|XML>]

[o=<output file>]

[f=<filter file>]

[e=<filter expression>]

[m=<current|stored>]

[limit=<maximum number of unique records to fetch>]

[-h|-help|-?]

Shows or exports current or stored logs.

This command is available on the Log Server.

Enclose the file and filter names in double quotes if they contain spaces.

host defines the address of the Management Server used for checking the logon information. If this parameter is not defined, the Management Server is expected to be on the same host where the script is run. If Domains are in use, you can specify the Domain the Log Server belongs to. If the Domain is not specified, the Shared Domain is used.

login defines the user name for the account that is used for this export. If this parameter is not defined, the user name root is used.

pass defines the password for the user account used for this operation.

format defines the file format for the output file. If this parameter is not defined, the XML format is used.

o defines the destination output file where the logs will be exported. If this parameter is not defined, the output is shown on screen.

f defines the exported filter file that you want to use for filtering the log data.

e defines the filter that you want to use for filtering the log data. Type the name as shown in the Management Client.

m defines whether you want to view or export logs as they arrive on the Log Server (current) or logs stored in the active storage directory (stored). If this option is not defined, the current logs are used.

limit defines the maximum number of unique records to be fetched. The default value is unlimited.

-h, -help, or -? shows information about using the script.