The Profense™ command-line interface is used for initial network configuration and basic network administrative tasks. The rest of the administration is performed using the Profense™ web-based management interface.
This section provides information about the command-line interface (CLI) of Profense™ web application firewalls and how to use the CLI.
The Profense™ CLI is available at the console and via SSH.
Make sure a screen and a keyboard are properly attached to the system before accessing the CLI at the console.
Profense™/i386 (ttyC0)
login:
To login, enter your username and password.
Note: The first time you log in to the CLI, use the default username "operator" and the default password "profense". This should be changed using the set password command.
If the login is successful, you enter the CLI and are presented with a welcome greeting.
If SSH is enabled in the web-based administration interface, the system can be accessed on port 22 on the same IP addresses the web-based management interface is bound to (see Section 4.2, “Role” for details).
Connect using an SSH client such as PuTTY and follow the login procedure above.
This section provides a detailed description of all available CLI commands.
To display a list of available interfaces use the show interfaces command.
psh> show interfaces
em0: Intel PRO/1000MT (82545EM) (00:0c:29:5c:42:82, UP/LINK)
em1: Intel PRO/1000MT (82545EM) (00:0c:29:5c:42:84, UP/LINK)
To display information about an interface use the show interface interface_alias command.
psh> show interface em0
ip: 192.168.0.10
netmask: 255.255.255.0
desc: DMZ interface
To display the configured default gateway use the show gateway command.
psh> show gateway
gateway: 192.168.0.1
To display information about the configured hostname use the show hostname command.
psh> show hostname
hostname: Profense™.lab.armorlogic.com
To display information about the configured routes and other routing information use the show routes command.
psh> show routes
Routing tables

Internet:
Destination        Gateway            Flags  Refs   Use    Mtu  Interface
default            192.168.0.1        UGS       0   113      -  em0
127/8              127.0.0.1          UGRS      0     0  33224  lo0
127.0.0.1          127.0.0.1          UH        3 40391  33224  lo0
192.168.0/24       link#1             UC        5     0      -  em0
192.168.0.1        8:0:2b:c3:7f:da    UHLc      2   277      -  em0
192.168.0.9        0:30:5:47:63:34    UHLc      1 15616      -  em0
192.168.0.11       0:d:60:76:7:5f     UHLc      0   553      -  em0
192.168.0.55       0:c:29:5c:42:84    UHLc      0  1512      -  lo0
192.168.0.93       0:d:60:60:2:e9     UHLc      7 81599      -  em0
224/4              127.0.0.1          URS       0     0  33224  lo0
To display the current Profense™ version use the show version command.
psh> show version
version: Profense™ 1.6.2-release-i386
To configure the default gateway use the set gateway ip_address command.
psh> set gateway 192.168.0.1
To configure the IP address and netmask of an interface use the set interface interface_alias ip ip_address netmask netmask command.
psh> set interface em0 ip 192.168.0.10 netmask 255.255.255.0
To configure the console operator password use the set password command.
psh> set password
Changing local password for operator.
Old password:
New password:
Retype new password:
To run configured auto-backup (either FTP or SCP), use the system backup run command. This command can be used to force the backup to run on-demand.
psh> system backup run
backup started in the background
To remove all cached HTTP resources, use the system cache flush command. This command can be used to flush all locally cached documents.
psh> system cache flush
flushing document cache in the background
To send an ICMP ECHO request to a given IP address, use the system ping ip_address command. This command can be useful for troubleshooting network connectivity issues.
psh> system ping 192.168.0.1
PING 192.168.0.1 (192.168.0.1): 56 data bytes
64 bytes from 192.168.0.1: icmp_seq=0 ttl=255 time=1.666 ms
64 bytes from 192.168.0.1: icmp_seq=1 ttl=255 time=0.523 ms
64 bytes from 192.168.0.1: icmp_seq=2 ttl=255 time=0.462 ms
64 bytes from 192.168.0.1: icmp_seq=3 ttl=255 time=0.506 ms
64 bytes from 192.168.0.1: icmp_seq=4 ttl=255 time=0.421 ms
--- 192.168.0.1 ping statistics ---
5 packets transmitted, 5 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.421/0.715/1.666/0.477 ms
To force an immediate check for newly available updates, use the system updates fetch command.
psh> system updates fetch
fetch started in the background
To display pending updates, use the system updates query pending command.
psh> system updates query pending
AL-PF-1.2.4-i386, Performance improvements and feature updates
To display installed updates, use the system updates query installed command.
psh> system updates query installed
AL-PF-1.2.2-i386, Cache module configuration update
AL-PF-1.2.3-i386, Stability/security updates and improvements
To install a pending update, use the system updates install update_id command.
psh> system updates install AL-PF-1.2.4-i386
done
To display the system status use the system status command.
psh> system status
application server (as): OK (pid: 5958)
management interface (mi): OK (pid: 1768)
core components (cc): OK (pid: 7058)
rule daemon (rd): OK (pid: 20772)
sync daemon (sd): OK (pid: 2620)
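As an added example (not part of the Profense™ manual or product), the following Python script parses captured text of the system status and show interfaces outputs in the form shown above, as an operator might collect them over SSH, and returns the component aliases that would need a system restart and the interfaces that are not UP/LINK. The sample outputs are constructed; the FAILED state and the DOWN flag are assumptions about how a failed component or a down interface would be reported, since the manual only shows the healthy case.

```python
import re
from typing import List, NamedTuple, Optional

# Constructed sample of `psh> system status` output, modelled on the manual's
# example; "FAILED" for core components is an assumed failure marker (the
# manual only shows the healthy "OK (pid: N)" form).
SAMPLE_STATUS = """\
application server (as): OK (pid: 5958)
management interface (mi): OK (pid: 1768)
core components (cc): FAILED
rule daemon (rd): OK (pid: 20772)
sync daemon (sd): OK (pid: 2620)
"""

# Constructed sample of `psh> show interfaces` output; the "DOWN" flag on em1
# is an assumption about how a down interface would be reported.
SAMPLE_INTERFACES = """\
em0: Intel PRO/1000MT (82545EM) (00:0c:29:5c:42:82, UP/LINK)
em1: Intel PRO/1000MT (82545EM) (00:0c:29:5c:42:84, DOWN)
"""

STATUS_RE = re.compile(
    r"^(?P<name>[^()]+?) \((?P<alias>\w+)\): (?P<state>\S+)"
    r"(?: \(pid: (?P<pid>\d+)\))?$"
)
IFACE_RE = re.compile(
    r"^(?P<alias>\w+): (?P<desc>.+) \((?P<mac>[0-9a-f:]{17}), (?P<flags>[A-Z/]+)\)$"
)


class Component(NamedTuple):
    name: str
    alias: str  # short name accepted by `system restart <alias>`
    state: str
    pid: Optional[int]


def parse_status(text: str) -> List[Component]:
    """Parse `system status` output into one Component per line."""
    comps = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = STATUS_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised status line: {line!r}")
        pid = int(m["pid"]) if m["pid"] else None
        comps.append(Component(m["name"], m["alias"], m["state"], pid))
    return comps


def unhealthy(text: str) -> List[str]:
    """Aliases of components not reported OK, i.e. the arguments you would
    pass to `system restart <alias>`."""
    return [c.alias for c in parse_status(text) if c.state != "OK"]


def interfaces_down(text: str) -> List[str]:
    """Aliases of interfaces whose flags do not include both UP and LINK."""
    down = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = IFACE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised interface line: {line!r}")
        flags = set(m["flags"].split("/"))
        if not {"UP", "LINK"} <= flags:
            down.append(m["alias"])
    return down


if __name__ == "__main__":
    print("components to restart:", unhealthy(SAMPLE_STATUS))
    print("interfaces down:", interfaces_down(SAMPLE_INTERFACES))
```

Both parsers raise on a line they do not recognise rather than silently skipping it, so a change in the appliance's output format surfaces as an error in the monitoring job instead of a false "all healthy" result.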
To restart system components use the system restart component command.
Available components (with the alias used on the command line) are:
Application server (as)
Management interface (mi)
Core components (cc)
Rule daemon (rd)
Synchronization daemon (sd)
psh> system restart as
done
To reboot the system use the system reboot command.
psh> system reboot
To view the status of, enable and disable remote support (Section 2.9, “Remote support”) use the system remotesupport command.
To see the current status of remote support (i.e. whether requests from Armorlogic are being redirected from port 80 to port 22) enter system remotesupport status.
When remote support is enabled:
psh> system remotesupport status
Current remote support setting: Enabled
pf Status: Enabled for 0 days 00:00:11
Debug: Urgent
pass in inet proto tcp from 130.226.138.37 to any port = ssh flags S/SA keep state
rdr inet proto tcp from 130.226.138.37 to any port = www -> 127.0.0.1 port 22
When remote support is disabled (default):
psh> system remotesupport status
Current remote support setting: Disabled
pf Status: Disabled for 0 days 00:00:05
Debug: Urgent
To enable remote support (i.e. redirecting of requests from Armorlogic from port 80 to port 22) enter system remotesupport enable. While enabled, the pf rules shown in the status output admit TCP connections to the SSH port from 130.226.138.37 and redirect that host's port 80 connections to the local SSH daemon on port 22; disable remote support again as soon as the support session is over.
psh> system remotesupport enable
pf enabled
remote support set
Current remote support setting: Enabled
pf Status: Enabled for 0 days 00:00:00
Debug: Urgent
pass in inet proto tcp from 130.226.138.37 to any port = ssh flags S/SA keep state
rdr inet proto tcp from 130.226.138.37 to any port = www -> 127.0.0.1 port 22
To disable remote support (i.e. stop redirecting requests from Armorlogic from port 80 to port 22) enter system remotesupport disable.
psh> system remotesupport disable
pf disabled
remote support set
Current remote support setting: Disabled
pf Status: Disabled for 0 days 00:00:00
Debug: Urgent
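As an added example (not part of the Profense™ manual or product), the following Python script audits captured system remotesupport status output of the form shown above: it reports how long remote support has been enabled and flags two conditions an operator would want to know about, remote support left enabled beyond a chosen time limit, and pf rules whose source is anything other than the single Armorlogic address in the manual's rule set. The sample outputs are constructed from the manual's examples; the "from any" variant and the four-hour default limit are assumptions for illustration.

```python
import re
from typing import List, Optional, Set

# Constructed samples modelled on the manual's `system remotesupport status`
# output for the enabled and disabled states.
SAMPLE_ENABLED = """\
Current remote support setting: Enabled
pf Status: Enabled for 0 days 00:00:11
Debug: Urgent
pass in inet proto tcp from 130.226.138.37 to any port = ssh flags S/SA keep state
rdr inet proto tcp from 130.226.138.37 to any port = www -> 127.0.0.1 port 22
"""

SAMPLE_DISABLED = """\
Current remote support setting: Disabled
pf Status: Disabled for 0 days 00:00:05
Debug: Urgent
"""

# Constructed: what a mis-scoped rule set would look like (an assumption for
# the audit; the product is not documented to emit "from any").
SAMPLE_OVERBROAD = SAMPLE_ENABLED.replace("from 130.226.138.37", "from any")

# Source address of the pass/rdr rules in the manual's example output.
ARMORLOGIC_SUPPORT_IP = "130.226.138.37"

SETTING_RE = re.compile(r"^Current remote support setting: (Enabled|Disabled)$", re.M)
UPTIME_RE = re.compile(
    r"^pf Status: (?:Enabled|Disabled) for (\d+) days (\d\d):(\d\d):(\d\d)$", re.M
)
RULE_RE = re.compile(
    r"^(?:pass in|rdr) inet proto tcp from (\S+) to any port = (\w+)", re.M
)


def enabled_seconds(text: str) -> Optional[int]:
    """Seconds remote support has been enabled, or None if it is disabled."""
    setting = SETTING_RE.search(text)
    uptime = UPTIME_RE.search(text)
    if not setting or not uptime:
        raise ValueError("unrecognised remotesupport status output")
    if setting.group(1) != "Enabled":
        return None
    days, hh, mm, ss = (int(g) for g in uptime.groups())
    return days * 86400 + hh * 3600 + mm * 60 + ss


def rule_sources(text: str) -> Set[str]:
    """Source addresses the pf pass/rdr rules in the output admit."""
    return {m.group(1) for m in RULE_RE.finditer(text)}


def audit(text: str, max_seconds: int = 4 * 3600,
          expected_source: str = ARMORLOGIC_SUPPORT_IP) -> List[str]:
    """Findings worth raising about the current remote support setting."""
    findings: List[str] = []
    secs = enabled_seconds(text)
    if secs is None:
        return findings  # disabled: nothing is exposed
    if secs > max_seconds:
        findings.append(f"remote support enabled for {secs}s (> {max_seconds}s)")
    for src in sorted(rule_sources(text) - {expected_source}):
        findings.append(f"pf rule admits SSH/redirect from unexpected source {src}")
    return findings


if __name__ == "__main__":
    for name, sample in [("enabled", SAMPLE_ENABLED), ("disabled", SAMPLE_DISABLED),
                         ("overbroad", SAMPLE_OVERBROAD)]:
        print(name, audit(sample, max_seconds=10))
```

Run this from a cron job against freshly captured status output to catch a support session that was never closed; the time limit is a policy choice, not something the appliance enforces.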
On non-trial versions of Profense™ Professional, access to the OS platform (OpenBSD) is available.
Access is given as the superuser root, so do not use this feature unless you know what you are doing. The intention of superuser access is to facilitate troubleshooting and enable remote assistance if needed. DO NOT use OS access to configure the platform: the settings will be overwritten by Profense™ the next time you save something in the system management interface. ONLY use this feature for troubleshooting and for performing tasks that are not made available in the administrative interface.
When a non-trial Profense™ Professional license key is applied, the root user password is reset to the license key. The password is reset only once and should be changed immediately after the key is applied; applying the same key again does not change the root password.
Once the license key has been applied, log in as:
Username: root
Password: the license key (exactly as it is entered in the management interface).
Remember, the root user can do anything on the platform, including messing things up. With great power comes great responsibility!
If you are not sure what to do, call support first.