Security Management Center commands

SMC commands include commands for the Management Server, Log Server, and Web Portal Server.

In Windows, the command line tools are *.bat script files. In Linux, the files are *.sh scripts. Commands are found in the following locations:

  • For SMC installations on Linux or Windows, commands are found in the <installation directory>/bin directory.
  • For the SMC Appliance, general SMC commands are found in the /usr/local/forcepoint/smc/bin directory.
  • Commands that are specific to the SMC Appliance are found in the /usr/bin directory.

If you enabled the restricted shell when you installed the SMC Appliance, only a limited set of commands is available. These commands include patching utilities, appliance maintenance, service handling, and other basic functionality. To show the list of allowed commands, enter ?.

Note: When the restricted shell is enabled, all administrator accounts that you create in the SMC automatically use the restricted shell.

On the SMC Appliance, some commands must be run with elevated permissions using sudo. Commands in the restricted shell automatically prompt you to enter the password when required. A list of available sudo commands can be found by running sudo -l at the command line.

Note: Only administrators who have SMC Appliance Superuser administrator permissions can log on to the SMC Appliance command line.

Commands that require parameters must be run through the command line (cmd.exe in Windows). Commands that do not require parameters can alternatively be run through a graphical user interface, and can be added as shortcuts during installation.

CAUTION:
login and password parameters are optional. Giving them as command-line parameters can pose a security vulnerability. Do not enter logon and password information unless explicitly prompted to do so by a command line tool.
Table 1. Security Management Center commands
Command Description
ambr-crl

(SMC Appliance only)

[-a ADD|--add=ADD]

[-d DELETE|--delete=DELETE]

[-q|--query]

[-i IMPORT_CRL|--import=IMPORT_CRL]

[-v]

[-l <log file path>]

[-h|--help]

Fetches the certificate revocation lists (CRLs) for the CA certificates used by the appliance maintenance and bug remediation (AMBR) utilities.

-a ADD, --add=ADD adds a CRL distribution point URL in the form of http://<url>.

-d DELETE, --delete=DELETE deletes a CRL distribution point URL.

-q, --query lists CRL distribution points.

-i IMPORT_CRL, --import=IMPORT_CRL imports a CRL from a file.

-v increases the verbosity of the command. You can repeat this command up to two times (-vv or -v -v) to further increase the verbosity.

-l <log file path> specifies the path to a log file.

-h, --help shows information about the command.

ambr-decrypt

(SMC Appliance only)

Decrypts an ambr patch; not normally used by administrators. ambr-install automatically decrypts patches.

ambr-install <patch>

(SMC Appliance only)

[-F|--force]

[-r|--skip-revocation]

[--no-backup]

[--no-snapshot]

[--no-prompt]

[-v]

[-l <log file path>]

[-h|--help]

Installs an ambr patch that has been loaded on the system.

You can install multiple patches with a space between each patch name.

-F, --force forces the reinstallation of the patch or patches.

-r, --skip-revocation skips the certificate revocation checks.

--no-backup does not create a configuration backup.

--no-snapshot does not create a recovery snapshot.

--no-prompt does not prompt before restarting.

-v increases the verbosity of the command. You can repeat this command up to two times to further increase the verbosity.

-l <log file path> specifies the path to a log file.

-h, --help shows information about the command.

ambr-load <patch>

(SMC Appliance only)

[-f IN_FILES|--file=IN_FILES]

[-r|--skip-revocation]

[-v]

[-l <log file path>]

[-h|--help]

Loads an ambr patch onto the system from either the patch server or from the local file system. A loaded patch means that the file is copied to the local file system, but not installed.

You can load multiple patches with a space between each patch name.

-f IN_FILES, --file=IN_FILES specifies the local file to load.

-r, --skip-revocation skips the certificate revocation checks.

-v increases the verbosity of the command. You can repeat this command up to two times to further increase the verbosity.

-l <log file path> specifies the path to a log file.

-h, --help shows information about the command.

ambr-query

(SMC Appliance only)

[-c|--clean]

[-u|--update]

[-a|--all]

[-j|--json]

[-i INFO|--info=INFO <patch>]

[-L <log file path>]

[-v]

[-h|--help]

Shows patch information including:
  • What is loaded or installed on the system
  • A list of available updates from the patch server
  • Detailed information about a specific patch

-u , --update updates the remote patch list from a web server .

-c, --clean cleans the remote patch cache.

-a, --all shows all local and remote patches.

-j, --json formats output as JSON.

-i INFO, --info=INFO <patch> shows detailed information about the patch. You can get information about multiple patches in one command by separating the patch names with a space.

-v increases the verbosity of the command. You can repeat this command up to two times to further increase the verbosity.

-L <log file path> specifies the path to the file where log messages are written.

-h, --help shows information about the command.

ambr-unload <patch>

(SMC Appliance only)

[-a|--all]

[-v]

[-l <log file path>]

[-h|--help]

Unloads an ambr patch from the system. The command deletes the patch file if it has not been installed, but it does not uninstall the patch.

You can unload multiple patches with a space between each patch name.

-a, --all unloads all loaded patches.

-v increases the verbosity of the command. You can repeat this command up to two times to further increase the verbosity.

-l <log file path> specifies the path to a log file.

-h, --help shows information about the command.

ambr-verify

(SMC Appliance only)

Verifies the signature of a patch file; not normally used by administrators. ambr-install automatically verifies patches.

revert

Reverts to the previous installation saved during the upgrade process.

The previous installation can be restored at any time, even after a successful upgrade.

Note: This script is located in <installation directory>/bin/uninstall.

sgActivateWebswing

[host=<Management Server Address[\Domain>]

login=<login name>

pass=<password>

port=<port number>

mgtserver=<name>

enable=<true|false>

hostname=<host name>

listening_address=<IP address>

https=<true|false>

generate_logs=<true|false>

use_ssl=<true|false>

https_validity=<number of days>

public_key_output=<path>

Configures SMC Web Access to run the Management Client in a web browser.

Host specifies the address of the Management Server. If the parameter is not defined, the loopback address (localhost) is used.

login defines the user name for the account that is used for this operation. If this parameter is not defined, the user name root is used.

pass defines the password for the user account.

port specifies the port number of the SMC Web Access service on the Management Server. The default is 8085.

mgtserver specifies the name of the Management Server element. The default is Management Server.

enable specifies whether SMC Web Access is enabled (true) or disabled (false). The default is true.

hostname specifies the host name of the SMC Web Access service.

listening_address specifies the listening IP address of the SMC Web Access service if the server has several addresses. If not specified, requests to any of this server's IP addresses are allowed.

https specifies whether HTTPS is enabled for the SMC Web Access service. If true, the public key is returned in the output. The default is true.

generate_logs specifies whether to log all file load events in Combined Log format in a file on the server for further analysis with external web statistics software. The default is false.

use_ssl specifies whether SSL is used to track sessions in your web application. If SSL connections are managed by a proxy or a hardware accelerator they must populate the SSL request headers. The default is false.

https_validity specifies the number of days for which the self-signed certificate for HTTPS is valid. The default is 365.

public_key_output specifies the path for the HTTPS public key.

sgArchiveExport

[host=<Management Server Address[\Domain>]

[login=<login name>]

[pass=<password>]

[format=<exporter format: CSV, XML, or JSON>]

i=<input files and/or directories>

[o=<output file name>]

[f=<filter file name>]

[e=<filter expression>]

[-h|-help|-?]

[-v]

Shows and exports logs from archive. Supports CEF, LEEF, and ESM formats in addition to CSV, XML, and JSON.

This command is only available on the Log Server. The operation checks permissions for the supplied administrator account from the Management Server to prevent unauthorized access to the logs.

Enclose details in double quotes if they contain spaces.

Host specifies the address of the Management Server. If the parameter is not defined, the loopback address (localhost) is used.

login defines the user name for the account that is used for this operation. If this parameter is not defined, the user name root is used.

pass defines the password for the user account.

format defines the file format for the output file. If this parameter is not defined, the XML format is used.

i defines the source from which the logs are exported. Can be a folder or a file. The processing recurses into subfolders.

o defines the destination file where the logs are exported. If this parameter is not defined, the output is shown on screen.

f defines a file that contains the filtering criteria you want to use for filtering the log data. You can export log filters individually in the Management Client through Tools > Save for Command Line Tools in the filter's right-click menu.

e allows you to enter a filter expression manually (using the same syntax as exported filter files).

-h, -help, or -? shows information about using the script.

-v shows verbose output on the command execution.

Example (exports logs from one full day to a file using a filter): sgArchiveExport login=admin pass=abc123 i=C:\Program Files\Forcepoint\SMC\data\archive\firewall\year2011\month12\.\sgB.day01\ f=C:\Program Files\Forcepoint\SMC\export\MyExportedFilter.flp format=CSV o=MyExportedLogs.csv

sgBackupLogSrv

[-pwd=<password>]

[-path=<destpath>]

[-nodiskcheck]

[-comment=<comment>]

[-nofsstorage]

[-h|--help]

Note: For the SMC Appliance, use the smca-backup command.

Creates a backup of Log Server configuration data.

The backup file is stored in the <installation directory>/backups/ directory.

Twice the size of the log database is required on the destination drive. Otherwise, the operation fails.

pwd enables encryption.

path defines the destination path.

nodiskcheck ignores the free disk check before creating the backup.

comment allows you to enter a comment for the backup. The maximum length of a comment is 60 characters.

nofsstorage creates a backup only of the Log Server configuration without the log data.

-h or --help shows information about using the script.

Also see sgRestoreLogBackup.

sgBackupMgtSrv

[pwd=<password>]

[path=<destpath>]

[nodiskcheck]

[comment=<comment>]

[-h|--help]

Note: For the SMC Appliance, use the smca-backup command.

Creates a complete backup of the Management Server (including both the local configuration and the stored information in the configuration database). The backup file is stored in the <installation directory>/backups/ directory.

Twice the size of the Management Server database is required on the destination drive. Otherwise, the operation fails.

pwd enables encryption.

path defines the destination path.

nodiskcheck ignores the free disk check before creating the backup.

comment allows you to enter a comment for the backup. The maximum length of a comment is 60 characters.

-h or --help shows information about using the script.

Also see sgRestoreMgtBackup and sgRecoverMgtDatabase.

sgCertifyLogSrv

[host=<Management Server Address[\Domain]>

Contacts the Management Server and creates a certificate for the Log Server to allow secure communications with other SMC components. Renewing an existing certificate does not require changing the configuration of any other SMC components.

host specifies the address of the Management Server. If the parameter is not defined, the loopback address (localhost) is used.

Domain specifies the administrative Domain the Log Server belongs to if the system is divided into administrative Domains. If the Domain is not specified, the Shared Domain is used.

Stop the Log Server before running this command. Restart the server after running this command.

sgCertifyMgtSrv

[login=<login name>]

[pass=<password>]

[standby-server=<name of additional Management Server>]

[active-server=<IP address of active Management Server>]

[mode=ext-pki-init

[dn=<Subject DN>

dns=<SubjectAltName DNS>

key-size=<256|384|521>

csr-out=<path>

crt-in=<path>

ca-file=<path>]]

[-nodisplay]

[-h|-help|-?]

Creates a certificate for the Management Server to allow secure communications between the SMC components. Renewing an existing certificate does not require changes on any other SMC components.

In an environment with only one Management Server, or to certify the active Management Server, stop the Management Server before running the sgCertifyMgtSrv command. Run the command without parameters. Restart the Management Server after running this command.

To certify an additional Management Server, stop the additional Management Server before running the sgCertifyMgtSrv command. The active Management Server must be running when you run this command. The management database is replicated to the additional Management Server during the certification. The additional Management Server must have a connection to the active Management Server when you run this command.

[login=<login name>] defines the user name for the account that is used for this operation. If this parameter is not defined, the user name root is used.

[pass=<password>] defines the password for the user account.

[standby-server] specifies the name of the additional Management Server to be certified.

[active-server] specifies the IP address of the active Management Server.

[mode=ext-pki-init] enables commands for external certificate management.

[dn] specifies the Subject DN to use in the certificate request for the Management Server.

[dns] specifies the SubjectAltName DNS value to use in the certificate request for the Management Server.

[key-size] specifies the key size to use in the certificate request for the Management Server.

[csr-out] specifies the output path where the certificate request is saved.

[crt-in] specifies the input path for importing a certificate in PEM format.

[ca-file] specifies the input path for importing a CA file in PEM format.

-nodisplay sets a text-only console.

-h, -help, or -? shows information about using the script.

sgCertifyWebPortalSrv

[host=<Management Server Address[\Domain]>]

Contacts the Management Server and creates a certificate for the Web Portal Server to allow secure communications with other SMC components. Renewing an existing certificate does not require changing the configuration of any other SMC components.

host specifies the address of the Management Server. If the parameter is not defined, the loopback address (localhost) is used.

Domain specifies the administrative Domain the Web Portal Server belongs to if the system is divided into administrative Domains. If the Domain is not specified, the Shared Domain is used.

Stop the Web Portal Server before running this command. Restart the server after running this command.

sgChangeMgtIPOnLogSrv <IP address>

Changes the Management Server's IP address in the Log Server's local configuration to the IP address you give as a parameter.

Use this command if you change the Management Server's IP address. Restart the Log Server service after running this command.

sgChangeMgtIPOnMgtSrv <IP address>

Changes the Management Server's IP address in the local configuration to the IP address you give as a parameter.

Use this command if you change the Management Server's IP address. Restart the Management Server service after running this command.

sgClient Starts a locally installed Management Client.
sgCreateAdmin

Creates an unrestricted (superuser) administrator account.

The Management Server must be stopped before running this command.

sgExport

[host=<Management Server Address[\Domain]>]

[login=<login name>]

[pass=password]

file=<file path and name>

[type=<all|nw|ips|sv|rb|al|vpn>

[name=<element name 1, element name 2, ...>]

[recursion]

[-system]

[-h|-help|-?]

Exports elements stored on the Management Server to an XML file.

Enclose details in double quotes if they contain spaces.

host specifies the address of the Management Server. If the parameter is not defined, the loopback address (localhost) is used.

Domain specifies the administrative Domain for this operation if the system is divided into administrative Domains. If the Domain is not specified, the Shared Domain is used.

login defines the user name for the account that is used for this operation. If this parameter is not defined, the user name root is used.

pass defines the password for the user account.

file defines the name and location of the export .zip file.

type specifies which types of elements are included in the export file:
  • all for all exportable elements
  • nw for network elements
  • ips for IPS elements
  • sv for services
  • rb for security policies
  • al for alerts
  • vpn for VPN elements.

name allows you to specify by name the elements that you want to export.

recursion includes referenced elements in the export, for example, the network elements used in a policy that you export.

-system includes any system elements that are referenced by the other elements in the export.

-h, -help, or -? shows information about using the script.

sgHA

[host=<Management Server Address[\Domain]>]

[login=<login name>]

[pass=<password>]

[master=<Management Server used as master server for the operation>]

[-set-active]

[-set-standby]

[-check]

[-retry]

[-force]

[-restart]

[-h|-help|-?]

Controls active and standby Management Servers.

If you want to perform a full database synchronization, use the sgOnlineReplication command.

host specifies the address of the Management Server. If the parameter is not defined, the loopback address (localhost) is used.

Domain specifies the administrative Domain for this operation if the system is divided into administrative Domains. If the Domain is not specified, the Shared Domain is used.

login defines the user name for the account that is used for this operation. If this parameter is not defined, the user name root is used.

pass defines the password for the user account.

master defines the Management Server used as a master Management Server for the operation.

-set-active activates and locks all administrative Domains.

-set-standby deactivates and unlocks all administrative Domains.

-check checks that the Management Server's database is in sync with the master Management Server.

-retry retries replication if this has been stopped due to a recoverable error.

-force enforces the operation even if all Management Servers are not in sync.
Note: This option can cause instability if used carelessly.

-restart restarts the specified Management Server.

-h, -help, or -? shows information about using the script.

sgImport

[host=<Management Server Address[\Domain]>]

[login=<login name>]

[pass=<password>]

file=<file path and name>

[-replace_all]

[-h|-help|-?]

Imports Management Server database elements from an XML file.

When importing, existing (non-default) elements are overwritten if both the name and type match.

host specifies the address of the Management Server. If the parameter is not defined, the loopback address (localhost) is used.

Domain specifies the administrative Domain for this operation if the system is divided into administrative Domains. If the Domain is not specified, the Shared Domain is used.

login defines the user name for the account that is used for this operation. If this parameter is not defined, the user name root is used.

pass defines the password for the user account.

file defines the .zip file whose contents you want to import.

-replace_all ignores all conflicts by replacing all existing elements with new ones.

-h, -help, or -? shows information about using the script.

sgImportExportUser

[host=<<Management Server Address[\Domain]>>]

[login=<login name>]

[pass=password]

action=<import|export>

file=<file path and name>

[-h|-help|-?]

Imports and exports a list of Users and User Groups in an LDIF file from or to a Management Server's internal LDAP database.

To import User Groups, all User Groups in the LDIF file must be directly under the stonegate top-level group (dc=stonegate).

CAUTION:
The user information in the export file is stored as plaintext. Handle the file securely.

host specifies the address of the Management Server. If the parameter is not defined, the loopback address (localhost) is used.

Domain specifies the administrative Domain for this operation if the system is divided into administrative Domains. If the Domain is not specified, the Shared Domain is used.

login defines the user name for the account that is used for this operation. If this parameter is not defined, the user name root is used.

pass defines the password for the user account.

action defines whether users are imported or exported.

file defines the file that is used for the operation.

Example: sgImportExportUser login=admin pass=abc123 action=export file=c:\temp\exportedusers.ldif

-h, -help, or -? shows information about using the script.

sgInfo

SG_ROOT_DIR

FILENAME

[fast=<timestamp>]

[list]

[hprof=none|limited|all]

[-nolog]

[-client]

[-h|-help|-?]

Creates a .zip file that contains copies of configuration files and the system trace files.

The resulting .zip file is stored in the logged on user's home directory. The file location is shown on the last line of screen output. Provide the generated file to support for troubleshooting purposes.

Note: On the SMC Appliance, you must always specify the path to the directory in which the .zip file is stored. The directory must be accessible from the account that you use to log on to the command line of the SMC Appliance.

SG_ROOT_DIR SMC installation directory.

FILENAME name of output file.

fast collects only traces that changed after the specified time stamp. Enter the time stamp in milliseconds or in the format yyyy-MM-dd HH:mm:ss. No other information is collected, except for threaddumps.

[list] only lists files. It does not create a .zip file or generate threaddumps.

hprof defines whether hprof memory dump files are included.
  • none does not include hprof memory dump files.
  • limited includes only hprof memory dump files that are created with makeheap.
  • all includes memory dump files that are created with makeheap and java_pid.

-nolog extended Log Server information is not collected.

-client collects traces only from the Management Client.

-h, -help, or -? shows information about using the script.

sgOnlineReplication

[active-server=<name of active Management Server>]

[-nodisplay]

[-h|-help|-?]

Replicates the Management Server's database from the active Management Server to an additional Management Server.

Stop the Management Server to which the database is replicated before running this command. Restart the Management Server after running this command.

Use this script to replicate the database only in the following cases:
  • The additional Management Server's configuration has been corrupted.
  • In new SMC installations if the automatic database replication between the Management Servers has not succeeded.
Otherwise, synchronize the database through the Management Client.
CAUTION:
This script also has parameters that are for the internal use of the Management Server only. Do not use this script with any parameters other than the ones listed here.

active-server specifies the IP address of the active Management Server from which the Management database is replicated.

-nodisplay sets a text-only console.

-h, -help, or -? shows information about using the script.

sgReinitializeLogServer Creates a Log Server configuration if the configuration file has been lost.
Note: This script is located in <installation directory>/bin/install.
sgRestoreArchive <ARCHIVE_DIR>

Restores logs from archive files to the Log Server.

This command is available only on the Log Server.

ARCHIVE_DIR is the number of the archive directory (0–31) from where the logs will be restored. By default, only archive directory 0 is defined. The archive directories can be defined in the <installation directory>/data/LogServerConfiguration.txt file: ARCHIVE_DIR_ xx=PATH.

sgRestoreLogBackup

[-pwd=<password>]

[-backup=<backup file name>]

[-nodiskcheck]

[-overwrite-syslog-template]

[-h|-help]

Restores the Log Server (logs or configuration files) from a backup file in the <installation directory>/backups/ directory.

-pwd defines a password for encrypted backup.

-backup defines a name for the backup file.

-nodiskcheck ignores the free disk check before backup restoration.

-overwrite-syslog-template overwrites a syslog template file if found in the backup.

-h or -help shows information about using the script.

sgRestoreMgtBackup

[-pwd=<password>]

[-backup=<backup file name>]

[-import-license <license file name>]

[-nodiskcheck]

[-h|-help]

Restores the Management Server (database or configuration files) from a backup file in the <installation directory>/backups/ directory.

-pwd defines a password for encrypted backup.

-backup defines a name for the backup file.

-import-license specifies a license file to import during the backup restoration.

-nodiskcheck ignores the free disk check before backup restoration.

-h or -help shows information about using the script.

sgShowFingerPrint

[-server]

Shows the CA certificate's fingerprint on the Management Server.

-server displays Management Server Certificate Fingerprint.

sgStartLogSrv Starts the Log Server and its database.
sgStartMgtDatabase

Starts the Management Server's database.

There is usually no need to use this script.

sgStartMgtSrv Starts the Management Server and its database.
sgStartWebPortalSrv Starts the Web Portal Server.
sgStopLogSrv Stops the Log Server.
sgStopMgtSrv Stops the Management Server and its database.
sgStopMgtDatabase

Stops the Management Server's database.

There is usually no need to use this script.

sgStopWebPortalSrv Stops the Web Portal Server.

sgStopRemoteMgtSrv

[host=<Management Server address[\Domain]>]

[login=<login name>]

[pass=<password>]

[-h|-help|-?]

Stops the Management Server service when run without arguments.

To stop a remote Management Server service, provide the arguments to connect to the Management Server.

host is the Management Server's host name if not localhost.

login is an SMC administrator account for the logon.

pass is the password for the administrator account.

-h, -help, or -? shows information about using the script.

sgTextBrowser

[host=<Management Server address[\Domain]>]

[login=<login name>]

[pass=<password>]

[format=<CSV|XML|JSON>]

[o=<output file>]

[f=<filter file>]

[e=<filter expression>]

[m=<current|stored>]

[limit=<maximum number of unique records to fetch>]

[-h|-help|-?]

Shows or exports current or stored logs.

This command is available on the Log Server.

Enclose the file and filter names in double quotes if they contain spaces.

host defines the address of the Management Server used for checking the logon information. If this parameter is not defined, Management Server is expected to be on the same host where the script is run. If Domains are in use, you can specify the Domain the Log Server belongs to. If domain is not specified, the Shared Domain is used.

login defines the user name for the account that is used for this export. If this parameter is not defined, the user name root is used.

pass defines the password for the user account used for this operation.

format defines the file format for the output file. If this parameter is not defined, the XML format is used.

o defines the destination output file where the logs will be exported. If this parameter is not defined, the output is shown on screen.

f defines the exported filter file that you want to use for filtering the log data.

e defines the filter that you want to use for filtering the log data. Type the name as shown in the Management Client.

m defines whether you want to view or export logs as they arrive on the Log Server (current) or logs stored in the active storage directory (stored). If this option is not defined, the current logs are used.

limit defines the maximum number of unique records to be fetched. The default value is unlimited.

-h, -help, or -? shows information about using the script.

smca-agent

(SMC Appliance only)

SMC uses it to exchange configuration data between SMC and the operating system; not normally used by administrators. The agent configures the NTP and SNMP daemons and sets the logon and SSH banners.

smca-backup

(SMC Appliance only)

[-pwd <password>]

[-comment <comment>]

[-nodiskcheck]

[-nofsstorage]

[-path <destination>]

[-log]

[-mgt]

[-h|--help]

Creates a configuration backup of the SMC Appliance operating system and includes an SMC backup.

-pwd <password> enables the encryption of the backup file and sets the password.

-comment <comment> adds a comment to the backup file name.

-nodiskcheck turns off the available disk space check.

-nofsstorage excludes the log files for the Log Server from the backup.

-path <destination> specifies a path for backup file storage. The default directory for backups is /usr/local/forcepoint/smc/backups.

-log creates a Log Server backup.

-mgt creates a Management Server backup.

-h, --help shows information about the command.

Also see sgRestoreLogBackup and sgRestoreMgtBackup.

smca-backup-remove

(SMC Appliance only)

[-f|--file]

[--force]

[--age <days>]

[--log]

[--mgt]

[-h|--help]

Removes old SMC Appliance backup files.

-f,--file specifies the backup file to be removed.

--force forces backup file delete without confirmation.

[--age <days>] remove any backups older than the specified number of days. The default is 30 days.

[--log] removes Log Server backups.

[--mgt] removes Management Server backups.

-h, --help shows information about the command.

smca-cifs

(SMC Appliance only)

[add]

[remove]

[-n <name>]

[-s //<server>/<share>]

[-u <username>]

[-p <password>]

[-d <domain>]

Configures the mounting of remote CIFS file shares on the SMC Appliance.

add adds the CIFS share.

remove removes the CIFS share. Use with the name option.

-n <name> specifies the name of the share.

-s //<server>/<share> specifies the server or IP address of the share.

-u <username> specifies the user name to authenticate with the CIFS server to get access to the share.

-p <password> specifies the password on remote system.

-d <domain> specifies the domain of the share.

smca-restore

(SMC Appliance only)

[-pwd <password>]

[-nodiskcheck]

[-backup <filename>]

[-nosmca]

[-smcaonly]

[-overwrite-syslog-template]

[-h|-help]

Restores a backup on the SMC Appliance.

-pwd <password> specifies the password for decrypting an encrypted backup file.

-nodiskcheck turns off the available disk space check.

-backup <filename> specifies the backup file name. If you do not specify the backup file name, you are prompted to select the backup file.

[-nosmca] restores the Management Server or Log Server backup without restoring the SMC Appliance configuration

[-smcaonly] restores the SMC Appliance configuration without restoring the Management Server or Log Server backup.

-overwrite-syslog-template overwrites any existing syslog templates in the log backup file.

-h, --help shows information about the command.

smca-rsync

(SMC Appliance only)

[add]

[modify]

[remove]

[enable]

[disable]

[list]

[run]

[-t task_id]

[-i <source directory>]

[-o <destination directory>]

[-m <mode>]

[-h|-help]

Configures automated backup tasks. Typically used with the smca-cifs command to move backups off the appliance.

add adds a backup task. You can specify an existing source and destination directories. If not specified, the default is /usr/local/forcepoint/smc/backups/.

modify changes an existing backup task by its task ID. All attributes can be changed, except for the task ID. To change an attribute, use the appropriate option with a new value.

remove removes an existing backup task by its task ID.

enable enables an existing backup task by its task ID.

disable disables an existing backup task by its task ID.

list provides a list of all configured backup tasks.

run runs all enabled backup tasks.

-t task_id specifies the task ID. Use the list command to view the task IDs.

-i <source directory> specifies the directory where the backups are stored when they are created. If omitted, the source directory defaults to the SMC backups directory /usr/local/forcepoint/smc/backups/.

-o <destination directory> specifies the remote location to store the backups.

-m <mode> specifies the rsync mode. You can indicate whether rsync appends or mirrors the source directory to the destination directory. Appending the directory means that existing files in the destination directory, that are not in the source directory or are newer than those files in the source directory, are not changed. If omitted, the mode defaults to append.

-h, --help shows information about the command.

smca-system

(SMC Appliance only)

[toggle]

[toggle-vcdrom]

[mirror [-n <name>]]

[snapshot [-C|--create] [-R|--restore] [-D, --delete] [-n <name>]]

[serial-number]

[fingerprint]

[toggle-console]

[bootloader-password [-s|--set] [-r|--remove]]

[netconfig]

[log-view [<filename>]]

[fips-config]

[file-remove [filename] [-h] [-l] [--autoremove] [-a <age>] [--no-prompt]]

[-f]

[-h|-help]

Manages recovery snapshots, alternate partition mirroring, and changing system partition boot preference.

toggle restarts the appliance to the alternate partition.

toggle-vcdrom sets the appliance's default boot option to the vcdrom.

mirror mirrors the active system to the alternate system. -n <name> specifies the name of the snapshot used for mirror operations.

snapshot manages recovery snapshots.
  • -C, --create creates a snapshot.
  • -D, --delete deletes the snapshot.
  • -R, --restore restores the snapshot.
  • -n <name> specifies the name of the snapshot used for snapshot operations.

[serial-number] shows the hardware serial number for the SMC Appliance.

[fingerprint] shows the CA certificate fingerprint. If an external CA is configured, shows the Management Server certificate fingerprint instead.

toggle-console enables or disables the serial console on the SMC Appliance.

bootloader-password manages the bootloader password for the SMC Appliance.
  • -s, --set sets or changes the bootloader password.
  • -r, --remove removes the bootloader password.

netconfig sets up network-related configuration, such as IPv6 configuration.

log-view <filename> shows the contents of the specified log file in the SMC Appliance log data directory /var/log or in any of the subdirectories of /var/log. log-view -l shows a list of all available log files.

fips-config modifies the SMC Appliance configuration to support FIPS certification.

file-remove deletes the specified SMC files from the SMC Appliance.
  • filename specifies the file to remove. This command can remove files in the following directories:
    • <SMC_DATA_DIR>/storage
    • <SMC_DATA_DIR>/mgtserver
    • <SMC_DATA_DIR>/SGInfo
    • <SMC_DATA_DIR>/TrafficCapture
    • <SMC_DATA_DIR>/datamgtserver/webswing/users
  • -h, --help shows information about the remove command.
  • -l, --list lists the files that can be deleted.
  • --autoremove removes Web Swing files that are older than the number of days that are specified in the -a <age>, --age <age> option.
  • -a <age>, --age <age> specifies the age of Web Swing files to remove with the --autoremove option. The default is 30 days.
  • --no-prompt deletes the selected files without prompting for confirmation.

-f forces the procedure, does not prompt for any confirmation.

-h, --help shows information about the command.

smca-user

(SMC Appliance only)

This utility is used by the SMC Appliance to keep user accounts in sync between the SMC and the operating system; not normally used by administrators.