Blue Coat Systems Port 80 Security Appliance

Command Line Reference

Blue Coat Systems Inc. 650 Almanor Avenue Sunnyvale, California 94086 info@bluecoat.com

(866) 302-2628 Corporate (866) 362-2628 Technical Support (866) 382-2628 Inside Sales www.bluecoat.com

Copyright 2003 Blue Coat Systems, Inc. All rights reserved. No part of this document may be reproduced by any means nor translated to any electronic medium without the written consent of Blue Coat Systems, Inc. Specifications are subject to change without notice. Information contained in this document is believed to be accurate and reliable, however, Blue Coat Systems, Inc. assumes no responsibility for its use, Blue Coat is a trademark of Blue Coat Systems, Inc. in the U.S. and worldwide. All other trademarks mentioned in this document are the property of their respective owners. Printed in U.S.A. Document Number: 231-02585 Document Revision: 2.1.09-08/21/2003

Contents

Chapter 1: Introduction Audience for this Document ............................................................................................. 7 Organization of this Document ........................................................................................ 7 Related Blue Coat Documentation ................................................................................... 8 Document Conventions ..................................................................................................... 8 Telnet and Script Considerations ..................................................................................... 8 Standard and Privileged Modes ....................................................................................... 9 Accessing Quick Command Line Help ........................................................................... 9 Chapter 2: Standard and Privileged Mode Commands Standard Mode Commands ............................................................................................ 11 >display ...................................................................................................................... 11 >enable ....................................................................................................................... 12 >exit ............................................................................................................................ 12 >ping ........................................................................................................................... 12 >show ......................................................................................................................... 13 >traceroute ................................................................................................................. 18 Privileged Mode................................................................................................................ 18 #acquire-utc ............................................................................................................... 18 #cancel-upload .......................................................................................................... 19 #clear-arp ................................................................................................................... 19 #clear-cache ................................................................................................................ 20 #clear-statistics .......................................................................................................... 20 #configure .................................................................................................................. 20 #disable ...................................................................................................................... 20 #disk ............................................................................................................................ 21 #display ...................................................................................................................... 21 #exit ............................................................................................................................. 22 #hide-advanced ......................................................................................................... 22 #inline ......................................................................................................................... 23 #kill ............................................................................................................................. 24 #load ........................................................................................................................... 25 #pcap .......................................................................................................................... 26 #ping ........................................................................................................................... 30 #purge-dns-cache ...................................................................................................... 30 #restart ........................................................................................................................ 31 #restore-cacheos4-config .......................................................................................... 32 #restore-defaults ....................................................................................................... 32 #reveal-advanced ...................................................................................................... 32

.................................................................................................................................................... 77 #(config)http ...................................................................................................................... 69 #(config)event-log ..............................................................................................................................................................................Security Appliance Command Line Reference #show ...................................................................................................................................................................................... 68 #(config)error-pages ............................................................................................................................................................................................................................................................................. 77 #(config)https ............................................ 47 #(config)archive-configuration ................................................................................................................... 84 #(config)identd .. 85 #(config)inline ................................................................................................................. 45 #(config)accelerated-pac ..................................................................................................................................................................................................................................................... 53 #(config)bypass-list ............................................................. 41 Chapter 3: Privileged Mode Configure Commands #configure ......................................................................................... 92 #(config)management-port ..................................................................................... 76 #(config)hostname ..................................................................... 66 #(config)dns .............. 68 #(config)dynamic-bypass ....................................................... 58 #(config)content-filter .......................................................................................................................................................................................................................................... 72 #(config)forwarding ........................................................... 59 #(config content-filter)smartfilter ................................... 62 #(config content-filter)websense4 off-box ............................. 94 iv ................................................................................. 93 #(config)netbios ................................................. 61 #(config content-filter)websense3 ....................................................................................................................................................... 80 #(config)icap ............................................................................................................... 47 #(config)access-log .............................. 67 #(config)domain-alias ...................................... 91 #(config)load ..................................................................... 65 #(config)diagnostics ............................ 70 #(config)exit .................................................................................................................................................................................................................. 57 #(config)content ............................ 51 #(config)bandwidth-gain .................................................... 54 #(config)caching .................................................................................................................................... 55 #(config)clock .......................................................................................................................................... 72 #(config)health-check .............................................. 33 #temporary-route ........................................................................................................................................................................................................................................................................ 83 #(config)icp ....................................... 40 #traceroute .................................................................................... 40 #test http .......................................... 89 #(config)ip-default-gateway ............................. 52 #(config)banner .......................................................................................................... 88 #(config)interface fast-ethernet ............................................................................................................................. 86 #(config)installed-systems ......................... 75 #(config)hide-advanced ............................

....................................................................................... 122 #(config)splash-generator ...................................... 95 #(config)policy ................................................................................................................................... 137 #(config)tcp-rtt ......................................................................................................................................................................................................................................... 97 #(config)reveal-advanced ....................................................... 138 #(config)upgrade-path ................................................................................ 115 #(config)show ................................. 128 #(config)system-resource-percent ................................................................................................... 122 #(config)sshd ........................................... 111 #(config services)ftp .................................................. 138 #(config)virtual-ip ............................. 112 #(config services)http .......................... 95 #(config)restart .............................. 139 #(config)wccp ................................................................................................ 137 #(config)telnet ............................................................................................................................... 120 #(config)socks-machine-id .............................................. 99 #(config)security ................................................................................................................. 98 #(config)rip .......................................... 97 #(config)return-to-sender ..................................................................................................................................... 125 #(config)static-routes ......................................... 139 #(config)web-management ........................................................................................................................................................................................................................................Contents #(config)no ........................................................................................................ 94 #(config)ntp ............................................................................................................................................................................................ 116 #(config)snmp ....................................................................................................................... 140 v ... 113 #(config services)telnet ................................................................................................................................................................................................................................. 127 #(config)streaming .. 138 #(config)timezone .......................................................................................................................................................................... 99 #(config)services ........................................................................

Security Appliance Command Line Reference vi .

The CLI allows you to perform the superset of configuration and management tasks. All of the configure commands that are required to view your current configuration settings. that you and your Blue Coat Sales representative have determined the correct number and placement of the Security Appliances. and for the more complicated commands. the Management Console. Furthermore.Chapter 1: Introduction To configure and manage your Blue Coat™ Systems Port 80 Security Appliance. in alphabetical order. including syntax and examples. Organization of this Document This document contains the following chapters: Chapter 1 – Introduction The organization of this document. Blue Coat assumes that the Blue Coat appliance has been configured for reverse proxy server acceleration. in alphabetical order. in alphabetical order. descriptions of the CLI modes. the parent command prompt is included as well. including syntax and examples. For better readability you will notice that in the command reference chapters. each command heading is preceded with the appropriate prompt. Audience for this Document This reference guide is written for system administrators and experienced users who are familiar with network configuration. Blue Coat developed a software suite that includes an easy-to-use graphical interface called the Management Console and a Command Line Interface (CLI). in alphabetical order. and instructions for saving your configuration. This reference guide describes each of the commands available in the CLI. . transparent reverse proxy server acceleration. View Configuration Settings Commands. and that those appliances have been installed in an equipment rack and at least minimally configured as outlined in the Blue Coat Installation Guide that accompanied the appliance. All of the configure commands that are required to load your configuration and to save changes. including syntax and examples. or a variant of either. Blue Coat assumes that you have a functional network topography. which are described in Chapter 3). Chapter 3 – #Configure Commands The configure command is the most used and most elaborate of all of the CLI commands. This chapter is divided into the following functional sections: Load and Save Commands. a subset. All of the privileged mode commands (except for the configure commands. conventions used. including syntax and examples. Chapter 2 – Standard and Privileged Mode Commands All of the standard mode commands.

including syntax and examples. All of the privileged mode configure commands that are required to change your current or factory-default configuration settings. For example: SGOS#configure terminal 8 . and 545i) Blue Coat Systems 600 and 700 Installation Guide Blue Coat Systems 3000 Installation Guide Blue Coat Systems 5000 Installation Guide Blue Coat Systems 6000 and 7000 Installation Guide Blue Coat Systems 800 Installation Guide Blue Coat Systems Configuration and Management Guide Blue Coat Systems Policy Language Reference Manual Document Conventions The following table lists the typographical and CLI syntax conventions used in this manual. You may abbreviate CLI commands. in alphabetical order. A CLI literal that should be entered as shown.Security Appliance Command Line Reference Change Configuration Settings Commands. 525. One of the parameters enclosed within the braces must be supplied An optional parameter or parameters. A command-line variable that should be substituted with a literal name or value pertaining to the appropriate facet of your network system. 525i. CLI command literals and parameters are not case sensitive. 510. provided you supply enough command characters as to be unambiguous. Command-line text that will appear on your administrator workstation. Convention Italics Courier font Courier Italics Courier Boldface {} [] | Definition The first use of a new or Blue Coat-proprietary term. Command Abbreviations. Either the parameter before or after the pipe character can or must be selected. Telnet and Script Considerations Consider the following when using the CLI during a Telnet session or in a script: Case Sensitivity. but not both. 545. and 520) Blue Coat Systems 500ec Installation Guide (includes information on installing the 515. Related Blue Coat Documentation Blue Coat Systems 500 Installation Guide (includes information on installing the 500.

In addition. For a list of arguments applicable to a command. For example: SGOS> help Help may be requested at any point in a command by typing a question mark '?'. To access a comprehensive list of mode-specific commands: Type help or ? at the prompt. 9 . For example. 'show ?') 3. followed by a space. • Standard mode prompt: > • Privileged mode prompt: # Accessing Quick Command Line Help You can access command line help at any time during a session. The help command displays how to use CLI help. Refer to the introduction in Chapter 2: Standard and Privileged Mode Commands details about the different modes. 2. do not precede the '?' with a space (e. to get command completion help for pcap: SGOS# pcap ? filter Setup the current capture filter info Display current capture information . For a list of available commands.g. 'sh?') The ? command displays the available commands. 1.g. enter '?' at the prompt. privileged mode has several subordinate modes. For help completing a command.Chapter 1: Introduction Can be shortened to: SGOS# conf t Standard and Privileged Modes The Security Appliance CLI has two major modes—standard and privileged. For example: SGOS> ? display enable exit help ping show traceroute Display a text based url Turn on privileged commands Exit command line interface Information on help Send echo messages Show running system information Trace route to destination To access a command-specific parameter list: Type the command name. The following commands are available in both standard mode and privileged mode. followed by a question mark. Note that you must be in the correct mode—standard or privileged—to access the appropriate help information. precede the '?' with a space (e.

or more. followed by a question mark (no spaces). of the command. . For example: SGOS# p? pcap ping purge-dns-cache 10 . given a partial command: Type the first letter. To get command completion for configuring SNMP: SGOS#(config) snmp ? <cr> To access the correct spelling and syntax. Note that you must be in the correct mode—standard or privileged to access the appropriate help information.Security Appliance Command Line Reference .

Note: The help command and how to use the CLI help is described in “Accessing Quick Command Line Help” on page 9. Standard mode has a short list of commands. for example: telnet> open 10. Example SGOS> display http://www. bandwidth savings. web. Standard Mode Commands Standard mode is the default mode when you first log on.36.</title> <meta NAME="KEYWORDS" CONTENT="cache. Enterprise Internet Management. web cache. active.__________________________________________________________________ .25.47 username: admin password: ****** SGOS> >display Use this command to display the source code (such as HTML or Javascript) used to build the named URL.bluecoat. fast. turnkey. content delivery networks. press the Enter key to display one additional line of code. Blue Coat. intelligent. you can view but you cannot change configuration settings. speed. network cache. streaming. caching.0 Transitional//EN"> <html> <head> <title>Blue Coat Inc.com <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4. fully-qualified text Web address. cache server.Chapter 2: Standard and Privileged Mode Commands This chapter describes and provides examples for the Blue Coat Systems Port 80 Security Appliance standard and privileged mode CLI commands. proxy. this mode cannot be password-protected. In contrast to privileged mode. media streaming. The standard mode prompt is a greater-than sign. Syntax display url where url is a valid. internet"> <meta NAME="DESCRIPTION" CONTENT="Blue Coat products are intelligent appliances specifically architected to accelerate the Internet. internet caching. Content delivery. hit rate. cache appliance. transparent caching. CDNs. From standard mode. access control. Press the Spacebar to display the next batch of code. This source code is displayed one screen at a time."> <!-. "—More—" at the bottom of the terminal screen indicates that there is additional code.

. Example SGOS> enable Enable Password:****** SGOS#configure terminal SGOS(config) . See also disable (disable is a Privileged mode command.) >exit Use this command to exit the CLI. Syntax ping ip_address 12 .Security Appliance Command Line Reference Copyright 1998-2002 Blue Coat Systems Inc. you must provide a password. . please refer to the instructions provided in the Blue Coat Systems Port 80 Security Appliance Configuration and Management Guide. Syntax exit The exit command does not have any parameters or subcommands. Privileged mode commands enable you to view and change your configuration settings. To set username and password. Example SGOS> exit >ping Use this command to verify that a particular IP address exists and can accept requests. All rights reserved. . Syntax enable The enable command does not have any parameters or subcommands. >enable Use this command to enter Privileged mode. In some configurations. . .

47. Example SGOS> ping 10.25. round-trip min/avg/max = 0/0/0 ms Number of duplicate packets received = 0 >show Use this command to display system information.25. timeout is 2 seconds:!!!!! Success rate is 100 percent (5/5).Chapter 2: Standard and Privileged Mode Commands where: ip_address Specifies the address you want to verify.47 Type escape sequence to abort. 100-byte ICMP Echos to 10. Sending 5.36. Syntax option 1 : show accelerated-pac option 2 : show access-log statistics option 3 : show arp-table option 4 : show bandwidth-gain option 5 : show bypass-list option 6 : show caching option 7 : show clock option 8 : show commands {delimited | formatted} option 9 : show content-distribution option 10 : show cpu option 11 : show diagnostics option 12 : show disk {disk_number | all} option 13 : show dns option 14 : show domain-alias option 15 : show download-paths option 16 : show dynamic-bypass option 17 : show efficiency option 18 : show environmental option 19 : show event-log option 20 : show forwarding option 21 : show health-checks option 22 : show hostname option 23 : show http option 24 : show http-stats option 25 : show icap {clusters | services | statistics} 13 .36.

Security Appliance Command Line Reference option 26 : show icp-settings option 27 : show identd option 28 : show installed-systems option 29 : show interface {all | interface#} option 30 : show ip-default-gateway option 31 : show ip-route-table option 32 : show ip-stats option 33 : show netbios option 34 : show ntp option 35 : show policy [order | proxy-default] option 36 : show ports option 37 : show resources option 38 : show restart option 39 : show return-to-sender option 40 : show rip option 41 : show rtsp option 42 : show sessions option 43 : show services option 44 : show snmp option 45 : show socks-machine-id option 46 : show sources {bypass-list | error-pages | icp-settings | policy {central | local | vpm-cpl | vpm-xml} | rip-settings | static-route-table | streaming real-media | wccp-settings} option 47 : show static-routes option 48 : show status option 49 : show streaming {configuration| real-media | statistics | windows-media} option 50 : show system-resource-percent option 51 : show tcp-rtt option 52 : show terminal option 53 : show telnet-management option 54 : show timezones option 55 : show transparent-proxy option 56 : show user-authentication option 57 : show version option 58 : show virtual-ip option 59 : show wccp {configuration | statistics} option 60 : show web-management 14 .

as well as information about non-cacheable objects and access patterns. accelerated PAC file. and the number of active client connections. including event level and event log size. clock – Displays the current time. commands – Displays a list of the available (root. upgrade image. disk – Displays disk information. vendor." and "never refresh before specified object expiry" features." "substitute get for HTTP 1. forwarding – Displays advanced forwarding settings. caching – Displays data regarding cache refresh rates and settings and caching policies. Displays information about all disks. arp-table – Displays TCP/IP ARP table information. bypass-list – Displays your bypass list. domain-alias –Displays domain alias configuration information. revision and serial number. download-paths – Displays downloaded configuration path information. diagnostics – Displays remote diagnostics information. icp-settings – Displays ICP settings. and status. and event recipients. 15 . and the status of the "substitute get for get-if-modified-since.Specifies to display access log statistics data. RIP settings. efficiency – Displays efficiency statistics by objects and by bytes.Chapter 2: Standard and Privileged Mode Commands where: accelerated-pac – Displays accelerated PAC file information. http-stats – Displays HTTP statistics. and the definition of forwarding hosts/groups and advanced forwarding rules. including slot number. and type.1 conditional get. Displays commands so that they can be viewed easily. mode. number of connections accepted by HTTP. IP address. bypass list. dns – Displays primary and alternate DNS server data. capacity. including version number. number of persistent connections that were reused. and whether or not the Heartbeats feature and the Security Appliance monitor are currently enabled. dynamic-bypass – Displays dynamic bypass configuration status information. including download-via-forwarding. health check. environmental – Displays environmental sensor information. HTTP error page. and WCCP settings. bandwidth-gain –Displays bandwidth gain status. disk_number all Displays information about the disk specified. icap {clusters | services | statistics} – Displays ICAP cluster. services. identd – Displays IDENTD settings. http – Displays HTTP configuration information. static route table. product ID. including log and upload information. hostname – Displays hostname. and configuration information. health-checks – Displays health-check statistics. and load balancing status. non-privileged) CLI commands. including HTTP statistics version number. content-distribution – Displays the average sizes of objects in the cache. cpu – Displays current CPU usage. ICP settings. delimited formatted Displays commands in such a way that they can be parsed. including the policy list. access-log statistics . event-log – Displays event log settings.

socks-machine-id –Displays the id of the secure sockets machine. RIP routes. including configuration information and general status information. policy files. restart – Displays system restart settings. ip-default-gateway – Displays default IP gateway IP address. ICP settings. streaming –Displays Microsoft Windows Media or RealNetworks information. and timestamp information. ntp – Displays NTP servers status and information. return-to-sender – Displays "return to sender" inbound and outbound settings. ip-route-table – Displays route table information. RIP settings. tcp-rtt –Displays TCP round trip time ticks.Security Appliance Command Line Reference installed-systems – Displays Security Appliance system information such as version and release numbers. services – Displays information about services. bypass-list error-pages icp-settings policy rip-settings static-route-table streaming real-media wccp-settings Displays the source file for the current bypass list. Displays Microsoft Windows Media streaming configuration information or statistics. streaming configurations. and group membership. such as the bypass-list. rtsp – Displays RTSP settings. rip – Displays information on RIP settings. Displays the source file for the current RIP settings. type. Displays RealNetworks streaming media information. status – Displays current system status information. static-routes – Displays static route table information. and WCCP settings files. and RIP statistics. Specify real-media to display real streaming information. netbios – Displays NETBIOS settings. resources – Displays allocation of disk and memory resources. Displays the source file for the current WCCP settings. Displays the source file for the current static route table. including core image information and compression status. weight. including status and MIB variable and trap information. sessions – Displays information about Telnet connections. policy [order | proxy-default] – Displays the policy files order or the policy default of allow or deny. terminal – Displays terminal configuration parameters. configuration real-media statistics windows-media Displays client and total bandwidth configurations. Displays the source file for the current streaming configurations. sources – Displays source listings for installable lists. boot and lock status. 16 . system-resource-percent –Displays the distribution of resources. Displays the source file for the specified policy file. Displays the source file for error pages. ports – Displays HTTP and console port number. snmp – Displays SNMP statistics. ip-stats – Displays TCP/IP statistics for the current session. Displays client and total bandwidth usage. static route table. Displays the source file for the current ICP settings. including parameters and configuration. and properties.

Examples SGOS> show caching Refresh: Desired access freshness is 97. wccp – Displays WCCP configuration and statistics information. version – Displays Security Appliance hardware and software version and release information and backplane PIC status. timezones – Displays current and supported timezones. transparent-proxy – Displays transparent proxy information. web-management – Displays Web management status.Chapter 2: Standard and Privileged Mode Commands telnet-management – Displays telnet management status and the status of SSH configuration through Telnet. and the length of the longest chain in the hash table. including last reset time. initially cached for 24 hours SGOS> show resources Disk resources: Available to cache: In use by cache: In use by system: In use by access log: Total disk installed: Memory resources: In use by cache: In use by system: In use by network: Total RAM installed: 3852673024 190489725 268771328 48003 4311982080 90218496 37226528 6772704 134217728 17 . configuration statistics Displays WCCP configuration information. Displays WCCP statistics information. user-authentication – Displays Authenticator Credential Cache Statistics. maximum number of clients queued for cache entry.0% Let the Port 80 Security Appliance manage refresh bandwidth Current bandwidth used is 0 Kbits/sec Policies: Do not cache objects larger than 50 megabytes Cache negative responses for 0 minutes Let the Port 80 Security Appliance manage freshness FTP caching: Caching FTP objects is enabled Do not cache FTP objects larger than 50 megabytes FTP objects with last modified date. cached for 10% of last modified time FTP objects without last modified date. including version number and status. including credential cache information.5% Estimated access freshness is 100. and packets and bytes sent and received. virtual-ip – Displays virtual IP addresses.

36. authentication.47 1 10. For 18 . Refer to Chapter 3: Privileged Mode Configure Commands for detailed information about this command. enter privileged mode using the enable command.25. To prevent unauthorized access to your Security Appliance configuration and network.36.47 Type escape sequence to abort.Security Appliance Command Line Reference >traceroute Use this command to trace the route from the current host to the specified destination host. caching. To manage objects. Example SGOS> traceroute 10. Specifies the name of the destination host.47 0 0 0 Privileged Mode Privileged mode provides a robust set of commands that enable you to view. the UTC time must be set manually. manage. packet capture filters. The default privileged mode password is admin. To access privileged mode: From standard mode. we recommend that you always require a privileged mode password. you will be prompted to supply that also. Note: The privileged mode subcommand configure. Tracing the route to 10. #acquire-utc Use this command to acquire the Universal Time Coordinates (UTC) from a Network Time Protocol (NTP) server. Syntax traceroute {ip_address | hostname} where: ip_address hostname Specifies the IP address of the destination host.36. as shown below: SGOS> enable Enable Password: ******** SGOS# If the network administrator who performed the initial network configuration assigned a privileged mode password.25. acting as an indicator that you are in privileged mode now. Your Security Appliance comes pre-populated with a list of NTP servers available on the Internet. enables you to manage the Security Appliance features. a Security Appliance must know the current UTC time. and change Security Appliance settings for feautures such as log files. HTTPS. It is important to note that the prompt changes from a greater than sign (>) to a pound sign (#). DNS. and attempts to connect to them in the order they appear in the NTP server list on the NTP tab. and security.25. If the Security Appliance cannot access any of the listed NTP servers.

The cancel-upload command allows you to stop repeated upload attempts if the Web server becomes unreachable while an upload is in progress. Example SGOS# cancel-upload ok #clear-arp The clear-arp command clears the Address Resolution Protocol (ARP) table. Syntax acquire-utc The aquire-utc command does not have any parameters or subcommands. and vice versa. ARP tables are used to correlate an IP address to a physical machine address recognized only in a local area network. Syntax cancel-upload The cancel-upload command does not have any parameters or subcommands. Syntax clear-arp The clear-arp command does not have any parameters or subcommands. a flag is set to the log. refer to the Blue Coat Systems Port 80 Security Appliance Configuration and Management Guide. This command sets log uploading back to idle if the log is waiting to retry the upload. ARP provides the protocol rules for providing address conversion between a physical machine address (also known as a Media Access Control or MAC address) and its corresponding IP address.Chapter 2: Standard and Privileged Mode Commands instructions on how to set the UTC time manually. Example SGOS# clear-arp ok 19 . This flag sets the log back to idle if the upload fails. Example SGOS# acquire-utc ok #cancel-upload This command cancels a pending access-log upload. If the log is in the process of uploading.

Example SGOS#disable ok 20 . enables you to manage the Security Appliance features. Syntax clear-cache Example SGOS# clear-cache ok #clear-statistics This command clears the Windows Media Streaming statistics collected by the Security Appliance. Syntax disable The disable command does not have any parameters or subcommands.Security Appliance Command Line Reference #clear-cache The clear-cache command sets all objects in the cache to expired. Although objects are not immediately removed from memory or disk. Syntax clear-statistics windows-media Example SGOS# clear-statistics windows-media ok #configure The privileged mode subcommand configure. go to Statistics>Volume>Windows Media. all subsequent first requests for objects will be retrieved from the source. Refer to Chapter 3: Privileged Mode Configure Commands for detailed information about this command. To view streaming statistics from the Management Console. #disable The disable command returns you to Standard mode from Privileged mode. You can clear the system cache at any time. You can also clear the Windows Media streaming statistics through the Streaming applet.

Syntax display url 21 . If this disk is taken offline. or declared invalid or unusable. in turn. Valid indicates that the disk is online. a point is reached where no disk can be chosen as the master. and is not marked as invalid or unusable. that disk is not available for caching. "—More—" at the bottom of the terminal screen indicates that there is additional code. are not affected. At this point. Reinitialization is done without rebooting the Security Appliance. Example SGOS# disk offline 3 ok SGOS# disk reinitialize 3 ok #display Use this command to display the source code (such as HTML or Javascript) used to build the named URL. after issuing the disk reinitialize disk_number command. although during the time the disk is being reinitialized. reinitialized or declared invalid or unusable. Reinitializes the disk numbered disk_number. has been properly initialized. Note that only the master disk reinitialization might restart the Security Appliance. press the Enter key to display one additional line of code. the leftmost valid disk that has not been reinitialized since restart becomes the master disk. This source code is displayed one screen at a time. Thus as disks are reinitialized in sequence. Press the Spacebar to display the next batch of code. Note: If the current master disk is taken offline. the current master disk is the last disk. The master disk is the leftmost valid disk. On a multi-disk Security Appliance. The Security Appliance operations. reinitialized.Chapter 2: Standard and Privileged Mode Commands See also enable (Standard mode command) #disk Use the disk command to take a disk offline or to reinitialize a disk. Syntax disk {offline disk_number | reinitialize disk_number} where: offline disk_number reinitialize Takes the disk numbered disk_number off line. and system images from the master disk to the reinitialized disk. the Security Appliance is restarted. boot programs and starter programs. complete the reinitialization by setting it to empty and copying pre-boot programs. Indicates the number of the disk you want to take off line or reinitialize.

from Privileged mode to Standard mode.<P> </BODY></HTML> #exit Exits from Configuration mode to Privileged mode. Syntax hide-advanced {all | expand | tcp-ip} where: all expand tcp-ip Disables all advanced commands. fully-qualified text Web address. Example SGOS# display www. Disables only the TCP/IP advanced commands. for details.com <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2. Example SGOS# exit #hide-advanced The hide-advanced command enables you to disable all or a subset of the advanced commands available to you when using the CLI. Displays the expanded advanced commands.company1. and TCP/IP commands. the exit command closes the CLI session.Security Appliance Command Line Reference where url is a valid. The advanced commands that you can disable include: HTTP.com/cgi-bin/log in">here</A>. From Standard mode. Example SGOS# hide-advanced expand ok 22 . Refer to the description of the configure command tcp-ip. the status of the other advanced commands remains unchanged.company1. Syntax exit The exit command does not have any parameters or subcommands.passport.0//EN"> <HTML><HEAD> <TITLE>302 Found</TITLE> </HEAD><BODY> <H1>Found</H1> The document has moved <A HREF="http://lc2.law5.

. Syntax option 1 : inline accelerated-pac token option 2 : inline bypass-list central token option 3 : inline bypass-list local token option 4 : inline error-pages token option 5 : inline error-pages token option 6 : inline icp-settings token option 7 : inline policy central token option 8 : inline policy local token option 9 : inline policy vpm-cpl token option 10 : inline policy vpm-xml token option 11 : inline rip-settings token option 12 : inline static-route-table token option 13 : inline streaming real-media token option 14 : inline wccp-settings token 23 . SGOS# See also reveal-advanced #inline Installs configuration elements based on your console port input. You can use the inline command or you can create a text file to house the configuration commands and settings.Chapter 2: Standard and Privileged Mode Commands SGOS# show expand ^ % Invalid input detected at '^' marker. refer to the example below: SGOS# configure terminal SGOS#(config) inline accelerated-pac token . To configure using the CLI and the inline command. There are two ways to create a configuration file for your Security Appliance. . end token Where token marks the end of the inline commands.

(This options is designed to be used with the Blue Coat Director product.Security Appliance Command Line Reference where: token accelerated-pac bypass-list central bypass-list local error-pages forwarding icp-settings policy central policy local policy vpm-cpl Is used at the beginning of the inline commands to indicate what the end-of-commands marker will be. Updates the current Real Media streaming settings with the settings you include between the beginning token and the ending token.) Updates the XML policy with the settings you include between the beginning token and the ending token. (This options is designed to be used with the Blue Coat Director product.0 sibling 8080 3130 eof #kill Terminates a Telnet session. Updates the forwarding configuration with the settings you include between the beginning token and the ending token. policy xml-cpl rip-settings static-route-table streaming real-media wccp-settings Example SGOS# inline icp-settings eof icp_port 3130 icp_host 127. Is used again at the end of the commands. Updates the current WCCP settings with the settings you include between the beginning token and the ending token. Updates the current static route table settings with the settings you include between the beginning token and the ending token. Updates the current central policy file with the settings you include between the beginning token and the ending token. Updates the central bypass list with the settings you include between the beginning token and the ending token. Updates the accelerated pac file with the settings you include between the beginning token and the ending token. Syntax kill session_number 24 . Updates the current ICP settings with the settings you include between the beginning token and the ending token. Updates the local HTTP error pages with the settings you include between the beginning token and the ending token. Updates the VPM policy with the settings you include between the beginning token and the ending token.0. Updates the local bypass list with the settings you include between the beginning token and the ending token. Updates the current local policy file with the settings you include between the beginning token and the ending token.0.) Updates the current RIP settings with the settings you include between the beginning token and the ending token.

Downloads the current Real Media streaming settings. Downloads the current RIP settings. Downloads the current local bypass list settings. Downloads the current local policy file settings. Downloads the current HTTP error pages. Downloads a new VPM version. Downloads the current ICP settings. Downloads the current static route table settings.Chapter 2: Standard and Privileged Mode Commands where session_number is a valid Telnet session number. Example SGOS# kill 3 ok #load Downloads installable lists or system upgrade images. Downloads the latest system image. Downloads the current WCCP settings. These installable lists or settings can be updated using the inline command. Downloads the current central bypass list settings. Examples 25 . Syntax option 1 : load accelerated-pac option 2 : load bypass-list central option 3 : load bypass-list local option 4 : load error-pages option 5 : load icp-settings option 6 : load policy central option 7 : load policy local option 8 : load policy vpm-software option 9 : load rip-settings option 10 : load static-route-table option 11 : load streaming real-media option 12 : load upgrade option 13 : load wccp-settings where: accelerated-pac bypass-list central bypass-list local error-pages icp-settings policy central policy local policy local vpm-software rip-settings static-route-table streaming real-media upgrade wccp-settings Downloads the current accelerated pac file settings. Downloads the current central policy file settings.

consider that packet capturing doubles the amount of processor usage performed in TCP/IP.Security Appliance Command Line Reference SGOS# ok SGOS# ok SGOS# ok SGOS# ok SGOS# ok SGOS# ok SGOS# ok SGOS# ok SGOS# ok SGOS# ok SGOS# ok SGOS# load accelerated-pac load bypass-list local load bypass-list central load error-pages load policy local load policy central load icp-settings load rip-settings load static-route-table load streaming real-media load wccp-settings load upgrade See also inline #pcap This command enables you to capture packets of Ethernet frames going into or leaving a Security Appliance. Syntax option 1 : pcap filter iface {in | out} option 2 : pcap filter iface {in | out} iface-num option 3 : pcap filter iface iface-num option 4 : pcap filter expr filter_expression option 5 : pcap info option 6 : pcap coreimage option 7 : pcap start option 8 : pcap start [first n] 26 .1 files (for example. EtherReal or Packet Sniffer Pro 3. Packet capturing allows filtering on various attributes of the frame to limit the amount of data collected. Note: Note: Before using the pcap command. you must have a tool that can read Packet Sniffer Pro 1. To capture packets. The collected data can then be transferred to the desktop for analysis.0).

If no parameters are specified. Range is 0 to 2147483647. The packet capture file size is limited to 1% of total RAM. The range is 0 to 2147483647. The saved packets in memory are written to disk when the capture is terminated.Chapter 2: Standard and Privileged Mode Commands option 9 : pcap start [capsize n(k)] option 10 : pcap start [trunc n] option 11 : pcap start [last n] option 12 : pcap stop option 13 : pcap transfer url username password Where: filter -. The trunc n parameter collects. The last n parameter capture saves up to n bytes of packets in memory. capturing stops. the default is to capture until the stop subcommand is issued or the maximum limit reached. start (commonly requested by Blue Coat Customer Support for system analysis) capsize n(k) trunc n last n stop transfer url username password 27 . Displays the current packet capture information. coreimage info first n Includes packets within a core image. Stops the capture. The capsize n(k) parameter stops the collection after n Kilobytes (up to 100 MB) of packets have been captured. Transfers captured data to an FTP site. which might be reached before n packets have been captured. at most.see the Filter table that follows. The first n parameter collects n (up to 100 MB) packets. Note: The parameter capsize n is an approximate command. (The maximum amount of memory used for saving packets is limited to 100 MB.) Any packet received after the memory limit is reached results in the discarding of the oldest saved packet prior to saving the new packet. it captures an approximate number of packets. The packet capture file size is limited to 1% of total RAM. If no parameters are specified. the default is to capture until the stop subcommand is issued or the maximum limit reached. which might be reached before n packets have been captured. Note: The parameter first n is a specific command. After the number of packets n is reached. it captures an exact number of packets. n bytes of packets from each frame. Refer to the examples for details. This continues until the 1% of total RAM for file size limitation is reached.

specifies the | “src name or dst name” | transfer direction. Important: Define filter expr parameters with double-quotes to avoid confusion with special characters. {“host name” | “net number” Type qualifier. host is the default. expr <cr> The following table provides more paramters that can be used to create complex filter expressions. For example: “tcp src name”. | “port number”} {“src name” | “dst number” Direction qualifier. {ether | ip | arp | rarp | Proto qualifier. captures all. restrict matches to a tcp | udp} expr specific protocol.Security Appliance Command Line Reference filter Command iface in | out iface in | out iface expr expr Parameter/Subcommand in | out interface_number interface_number Description Captures either in or out from a interface. Captures either in or out from a particular interface. src or dist is “src name and dst name”} the default. 28 . No filtering. Captures both in and out from a particular interface.

True if either the IP address of the packet has a network number of net. you must reset or redefine all filtering options. each address is checked for a match.1 || host 10. May be qualified with src or dst. The following are examples of the pcap parameters/subcommands filter.Chapter 2: Standard and Privileged Mode Commands expr Parameter/Subcommand {dst host | src host |host} ip_address [ip_address .. udp. and a client (10. If multiple ehost addresses are specified. tcp). True if the packet length is greater than or equal to length. it remains in effect until it is redefined..1.2.. if the Security Appliance is rebooted. filtering is set to off. Maybe prepended with tcp or udp. info. but since these identifiers are also keywords within the filter expression parser. they must be escaped with a backslash. Also. True if the packet length is less than or equal to length. True if the packet is an Ethernet broadcast or IP broadcast packet. Negation. {dst port | src port | port} port True if packet has source or destination valueof port. net net mask mask True if the IP address matches the net value with the specified netmask value.1. Example 1 Capture transactions between a Security Appliance (10.1.2. arp. less length greater length ip proto protocol {ether | ip} broadcast {ether | ip} multicast ether proto protocol ! or not && or and || or or Note: Once a filter is set. each address is checked for a match.2). protocol can be a number or name (icmp.] {dst net | src net | net} net Description If multiple IP addresses are specified. True if the packet is an Ethernet multicast or IP multicast packet. a server (10.2.1).] {ether dst | ether dst | ether host} ehost [ehost . Concatenation Alternation. rarp).2 || host 10.1.2” Example 2 SGOS# pcap filter expr “port 80” SGOS# pcap start 29 .1.1.. start and transfer.1. protocol can be a number or name (ip. ehost is a valid Ethernet address.2). SGOS# pcap filter expr “host 10. but since these identifiers are also keywords within the filter expression parser.1. they must be escaped with a backslash.2.

30 . SGOS# pcap transfer ftp://10. maximum. Example SGOS# ping 10. An error message is generated.36.47/path/filename. and average time it took for the ping test data to reach the other computer and return to the origin. You might need to do so if you have experienced a problem with your DNS server. Note that the username and password are provided.cap username password If the folders in the path do not exist. Sending 5.47.25.25. timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5). SGOS# pcap start capsize 3 Example 3 This transfers captured packets to the FTP site 10.25. Example 3 This stops the capturing of packets after approximately three Kilobytes of packets have been collected. You can purge the DNS cache at any time. Ping output will also tell you the minimum. they are not created. #ping Use this command to verify that a particular IP address exists and can accept requests.Security Appliance Command Line Reference This captures outbound packets that have a source port of 80 from the interface using the IP protocol TCP.47 Type escape sequence to abort.36. SGOS# pcap info packet capture information: Packets captured: 301 Bytes captured: 1198 Packets written: 256 Bytes written: 0 Current state: Stopped Filtering: Off This shows relevant information regarding current packet-capturing. Syntax ping {IP_address | hostname} where IP_address is the IP address and hostname is the host name of the remote computer. 100-byte ICMP Echos to 10.36.36.25.47. round-trip min/avg/max = 0/0/0 ms Number of duplicate packets received = 0 #purge-dns-cache This command clears the DNS cache. or if you have changed your DNS configuration.

Boot Status: Last boot succeeded The default boot system is: 4: Version: CA 5.5 This machine has the following bootable systems: >1: Version: SG 2. Example SGOS# purge-dns-cache ok #restart Restarts the system. Boot Status: Last boot succeeded 2: Version: CA 5.99 Release id: 16486 Tuesday October 2 2001 10:51:02 UTC. Example SGOS# restart upgrade ok SGOS#Initiating a hardware restart Waiting for disk activity to cease Starter Version 1.1.2.99 Release id: 18882 Tuesday November 2 2001 10:51:02 UTC. Boot Status: Last boot succeeded 5: Version: CA 4.00 Release id: 16455 Press the space key to select an alternate system to boot.0.05 Release id: 19999 Wednesday July 26 2002 09:46:14 UTC. Syntax restart {regular | upgrade} where regular reboots the version of the Security Appliance that is currently installed and upgrade reboots the entire system image.0.01 Release id: 18742 Friday September 28 2002 09:11:42 UTC.99 Release id: 16577 wmt Tuesday October 16 2001 11:55:31 UTC.05 Release id: 19999" See also load 31 . Seconds remaining until the default system is booted: 5 Boot system number: 3 Booting "Version: SG 2. The restart options determine whether the Security Appliance should simply reboot the Security Appliance (regular).0.0. Boot Status: Last boot succeeded 4: Version: CA 4.Chapter 2: Standard and Privileged Mode Commands Syntax purge-dns-cache The purge-dns-cache command does not have any parameters or subcommands. or should reboot using the new image previously downloaded using the load upgrade command (upgrade).1. Boot Status: Last boot succeeded 3: Version: CA 4.

See also restore-defaults #restore-defaults Restores the Security Appliance to the default configuration. After restoring system defaults. Or if there is no 4. and the DNS server addresses are cleared. The Security Appliance appliance retains the network settings.x to SGOS 2. default gateway. % Use "restart regular" to restart the system. Example SGOS# restore-defaults % "restore-defaults" requires a restart to take full effect. forwarding or bypass) are cleared. the Security Appliance’s IP address.x. you need to restore the Security Appliance’s basic network settings. any lists (for example. as described in the Blue Coat Configuration and Management Guide.x configuration found: SGOS# restore-cacheos4-config % No CacheOS 4. and reset any customizations. Syntax restore-defaults [keep-console] where the restore-defaults command by itself will restore using the default configuration and restore-defaults keep-console restores using the default configuration but retains any configuration settings that affect console access.Security Appliance Command Line Reference #restore-cacheos4-config Restores the Security Appliance to the initial configuration derived upon an upgrade from Cache OS 4. Syntax restore-cacheos4-config Example SGOS# restore-cacheos4-config % "restore-cacheos4-configuration" requires a restart to take effect. In addition. % Use "restart regular" to restart the system. Syntax reveal-advanced {all | expand | tcp-ip} 32 . #reveal-advanced The reveal-advanced command allows you to enable all or a subset of the advanced commands available to you when using the CLI. When you restore system defaults.x configuration is available on this system.

Displays expanded commands. the status of the other advanced commands remains unchanged. #show Use this command to display system information. Enables only the TCP/IP advanced commands.Chapter 2: Standard and Privileged Mode Commands where: all expand tcp-ip Enables all advanced commands. Syntax option 1 : show accelerated-pac option 2 : show access-log {configuration | statistics} option 3 : show archive-configuration option 4 : show arp-table option 5 : show bandwidth-gain option 6 : show bypass-list option 7 : show caching option 8 : show clock option 9 : show commands {delimited | formatted} option 10 : show configuration {brief | expanded} option 11 : show content {outstanding-requests | priority [regex regex | url url] | url url} option 12 : show content-distribution option 13 : show cpu option 14 : show diagnostics option 15 : show disk {disk_number | all} option 16 : show dns option 17 : show domain-alias option 18 : show download-paths option 19 : show dynamic-bypass option 20 : show efficiency option 21 : show environmental option 22 : show event-log option 23 : show forwarding option 24 : show health-checks option 25 : show hostname option 26 : show http option 27 : show http-stats 33 .

Security Appliance Command Line Reference option 28 : show icap {clusters | services | statistics} option 29 : show icp-settings option 30 : show identd option 31 : show installed-systems option 32 : show interface {interface# | all} option 33 : show ip-default-gateway option 34 : show ip-route-table option 35 : show ip-stats option 36 : show netbios option 37 : show ntp option 38 : show policy [order | proxy-default] option 39 : show ports option 40 : show realms option 41 : show resources option 42 : show restart option 43 : show return-to-sender option 44 : show rip option 45 : show rtsp option 46 : show security option 47 : show sessions option 48 : show services option 49 : show snmp option 50 : show socks-machine-id option 51 : show sources {bypass-list | error-pages | icp-settings | policy | rip-settings | static-route-table | streaming real-media | wccp-settings} option 52 : show splash-generator option 53 : show static-routes option 54 : show status option 55 : show streaming option 56 : show system-resource-percents option 57 : how tcp-rtt option 58 : show terminal option 59 : show telnet-management option 60 : show timezones option 61 : show transparent-proxy option 62 : show user-authentication option 63 : show version 34 .

" and "never refresh before specified object expiry" features. arp-table – Displays TCP/IP ARP table information. dns – Displays primary and alternate DNS server data. diagnostics – Displays remote diagnostics information. or to restore the configuration using the privileged mode configure network url command. archive-configuration – Displays archive configuration settings including protocol. capacity. and whether or not the Heartbeats feature and the Security Appliance monitor are currently enabled. including version number. username. commands – Displays a list of the available (root. cpu – Displays the current CPU usage. mode. including log and upload information. outstanding-requests priority [regex regex | url url] url url content-distribution – Displays the average sizes of cached objects. content – Displays various content management commands current in effect. vendor. filename. path. Displays the current non-default configuration commands with inline expansion. Displays the deletion priority value assigned to the regex or url. Displays statistics of the specified URL. host. product ID.1 conditional get. 35 . caching – Displays data regarding cache refresh rates and settings and caching policies." "substitute get for HTTP 1. Indicates that you want to display access log statistics data. Displays commands so that they can be viewed easily. where url is the URL location of the configuration file. delimited formatted Displays commands in such a way that they can be parsed. and the status of the "substitute get for get-if-modified-since. respectively. disk_number all Displays information about the disk specified. including slot number. and status. and password. clock – Displays the current time. bypass-list – Displays your bypass list. configuration – Displays the current Security Appliance configuration as it differs from the default settings. You can capture the output of this command to a text file for future reference. configuration statistics Indicates that you want to display access log configuration information. access-log – Displays access log configuration settings or statistics. Displays information about all disks. bandwidth-gain – Displays bandwidth gain status. disk – Displays disk information. privileged) CLI commands.Chapter 2: Standard and Privileged Mode Commands option 64 : show virtual-ip option 65 : show wccp option 66 : show web-management where: accelerated-pac – Displays accelerated PAC file information. brief expanded Displays the current non-default configuration commands without inline expansion. revision and serial number. Displays the complete list of outstanding asynchronous content revalidation and distribute requests.

netbios – Displays NETBIOS information. including IP address. health-checks – Displays health-check statistics. ip-default-gateway – Displays default IP gateway IP address. efficiency – Displays efficiency statistics by objects and by bytes. source for instructions. and inbound connection disposition for the current interface. and the number of active client connections. rip – Displays information on RIP settings. including event level and event log size. icap {clusters | services | statistics} – Displays ICAP cluster. environmental – Displays environmental sensor information. boot and lock status. IP address. including download-via-forwarding. policy – Displays TCP/IP statistics for the current session. download-paths – Displays downloaded configuration path information. type. event-log – Displays event log settings. and configuration information. and type. and properties. bypass list. weight. and event recipients. and load balancing status. number of connections accepted by HTTP.Security Appliance Command Line Reference domain-alias –Displays domain alias configuration information. restart – Displays system restart settings. static route table. identd – Displays IDENTD information. icp-settings –Displays current ICP configuration information. hostname – Displays hostname. number of persistent connections that were reused. ntp – Displays NTP servers status and information. and properties. subnet mask. accelerated PAC file. ports – Displays HTTP and console port number. autosense information. and RIP statistics. [order] [proxy-default] Displays policy evaluation order. http-stats – Displays HTTP statistics. all interface# Displays the above information for all interfaces. including parameters and configuration. as well as information about non-cacheable objects and access patterns. health check. interface – Displays interface status and configuration information. http – Displays HTTP information. including core image information and compression status. HTTP error page. and the definition of forwarding hosts/groups and advanced forwarding rules. including HTTP statistics version number. including filter list. MTU size. type. and WCCP settings. return-to-sender – Displays "return to sender" inbound and outbound settings. 36 . ip-route-table – Displays route table information. realms – Displays configured authentication realms. resources – Displays allocation of disk and memory resources. ip-stats – Displays TCP/IP statistics for the current session. and timestamp information. RIP routes. Displays the above information for the specified interface. ports – Displays HTTP and console port number. and group membership. services. forwarding – Displays advanced forwarding settings. upgrade image. installed-systems – Displays Security Appliance system information such as version and release numbers. Displays the proxy default policy. dynamic-bypass – Displays dynamic bypass configuration status information. RIP settings.

including configuration information and general status information. streaming – Displays Microsoft Media or RealNetworks information. streaming configurations. timezones – Displays current and supported timezones. and the length of the longest chain in the hash table. 37 . including credential cache information. terminal – Displays terminal configuration parameters. and WCCP settings files. services – Displays information about services snmp – Displays SNMP statistics. configuration statistics Displays WCCP configuration information. Displays the source file for the CPL policy. security – Displays information about Telnet connections. filter list. such as the bypass-list. including status and MIB variable and trap information. Displays the source file for the current streaming configurations. radius accounting and TACACS accounting information. system-resource-percent –Displays the distribution of resources. status – Displays current system status information. static-routes – Displays static route table information. Displays Microsoft Media streaming information. "direct or deny" list. including version number and status. including last reset time. Displays the source file for the current ICP settings. version – Displays Security Appliance hardware and software version and release information and backplane PIC status. web-management – Displays Web management status. and packets and bytes sent and received. maximum number of clients queued for cache entry. user-authentication – Displays Authenticator Credential Cache Statistics. Displays the source file for the error pages. sources – Displays source listings for installable lists. socks-machine-id –Displays the id of the secure sockets machine. Displays WCCP statistics information. transparent-proxy – Displays transparent proxy information. bypass-list error-pages icp-settings policy rip-settings static-route-table streaming real-media wccp-settings Displays the source file for the current bypass list. wccp – Displays WCCP configuration and statistics information. Displays the source file for the current static route table. real-media windows-media Displays RealNetworks streaming media information. telnet-management – Displays telnet management status and the status of SSH configuration through Telnet. splash-generator –Displays general. ICP settings.Chapter 2: Standard and Privileged Mode Commands rtsp – Displays security parameters. static route table. Displays the source file for the current WCCP settings. RIP settings. Specify real-media to display real streaming information. Displays the source file for the current RIP settings. virtual-ip – Displays virtual IP addresses. tcp-rtt –Displays TCP round trip time ticks.

5% Estimated access freshness is 100. Boot Status: Last boot succeeded.02. Version: CA 4. 38 .0. cached for 10% of last modified time FTP objects without last modified date.0% Let the Security Appliance manage refresh bandwidth Current bandwidth used is 0 Kbits/sec Policies: Do not cache objects larger than 50 megabytes Cache negative responses for 0 minutes Let the Security Appliance manage freshness FTP caching: Caching FTP objects is enabled Do not cache FTP objects larger than 50 megabytes FTP objects with last modified date. Version: CA 4. Version: SG 2.03. Release ID: 19999 Tuesday September 10 2002 08:35:58 UTC. Boot Status: Last boot succeeded. Boot Status: Last boot succeeded. Version: CA 4. Boot Status: Last boot succeeded. Version: CA 4.03. initially cached for 24 hours SGOS# show resources Disk resources: Available to cache: In use by cache: In use by system: In use by access log: Total disk installed: Memory resources: In use by cache: In use by system: In use by network: Total RAM installed: 3852673024 190489725 268771328 48003 4311982080 90218496 37226528 6772704 134217728 SGOS# show installed-systems SGOS Systems 1. Lock Status: Unlocked 4. Lock Status: Unlocked 2.1. Release ID: 15484 Real Media Tuesday May 15 2001 08:35:58 UTC.Security Appliance Command Line Reference Examples SGOS# show caching Refresh: Desired access freshness is 97. Boot Status: Last boot succeeded.03.05. (oldest unlocked system) Current running system: 3 When a new system is loaded. Release ID: 15566 Real Media Friday May 25 2001 08:30:38 UTC.0. Lock Status: Unlocked 3. Release ID: 15436 Real Media Monday May 7 2001 18:51:55 UTC.0. only the system number that was replaced is changed.0. Lock Status: Unlocked Default system to run on next hardware restart: 3 Default replacement being used. Lock Status: Unlocked 5. Release ID: 15452 Real Media Wednesday May 9 2001 08:35:18 UTC.

0 percent SGOS# show dns Primary DNS servers: 10.36.Blue Coat 5000 SGOS# show icp-settings # Current ICP Configuration # Written on Wed. 23 Jan 2002 22:43:57 UTC # ICP Port to listen on (0 to disable ICP) icp_port 0 # Neighbor timeout (seconds) neighbor_timeout 2 # ICP and HTTP failure counts icp_failcount 20 http_failcount 5 # Host failure/recovery notification flags host_recover_notify off host_fail_notify off # 0 neighbors defined. SGOS# SGOS# show cpu Current cpu usage: 0.249 Alternate DNS servers: Imputed names: SGOS# show dynamic-bypass Dynamic bypass: disabled Non-HTTP trigger: disabled HTTP 400 trigger: disabled HTTP 401 trigger: disabled HTTP 403 trigger: disabled HTTP 405 trigger: disabled HTTP 406 trigger: disabled HTTP 500 trigger: disabled SGOS# show hostname Hostname: 10.220. 32 maximum # ICP host configuration # icp_host hostname peertype http_port icp_port [options] # Forwarding host configuration # fwd_host hostname http_port [options] # 0 groups defined.25. 256 maximum # Forwarding host domain configuration # fwd_host_domain targetname domainname # targetname of ‘deny’ means deny access # targetname of ‘direct’ means no forwarding # 0 forwarding host domains defined. 256 maximum # Forwarding host ip configuration # fwd_host_ip targetname IP[/netmask] 39 .253.Chapter 2: Standard and Privileged Mode Commands The ordering of the rest of the systems remains unchanged. 16 maximum # Forwarding host URL regex configuration # fwd_host_url_regex targetname url_regex # targetname of ‘deny’ means deny access # targetname of ‘direct’ means no forwarding # 0 forwarding host URL regexes defined.47 .

#test http This command is used to test subsystems. A test http get command to a particular origin server or URL.com ntp2. for example. 256 maximum ICP access domain configuration SGOS# show ntp NTP is enabled NTP servers: ntp. Syntax temporary-route {add destination_address netmask gateway_address | delete destination_address} where: add delete destination_address netmask gateway_address destination_address Adds a temporary route entry.0. Deletes a temporary route entry. can verify Layer 3 connectivity and also verify upper layer functionality. 40 .com SGOS# show rtsp Proxy port: Parent proxy address: Parent proxy port: 1091 0.Blue Coat.Security Appliance Command Line Reference # # # # targetname of ‘deny’ means deny access targetname of ‘direct’ means no forwarding 0 IPs defined.0.0 1091 SGOS# show snmp General info: SNMP is disabled MIB variables: sysContact: Rita sysLocation: Traps: Trap address 1: Trap address 2: Trap address 3: Authorization traps: disabled SGOS# show transparent-proxy Transparent proxy Send client IP: disabled #temporary-route This command is used to manage temporary route entries.Blue Coat.

0 200 OK Connection: close Date: Fri. expires=Sun. Executing HTTP get test * HTTP request header sent: GET http://www.com. Executing HTTP loopback test Measured throughput rate is 20026. The syntax from a Microsoft-based client is: tracert [ip | hostname].11 Set-Cookie: PREF=ID=7af9837f5988933d:TM=1002920911:LM=1002920911. Performs a loopback test. Names the object that you want to Get. 12 Oct 2001 21:08:31 GMT Server: GWS/1. and a Web server. Examples SGOS# test http loopback Type escape sequence to abort. Microsoft operating systems generally support the trace route command from a DOS prompt.google .71 Kbytes/sec HTTP get test passed #traceroute Use this command to trace the route to a destination.google.google.) 41 .Chapter 2: Standard and Privileged Mode Commands Syntax test http {get url | loopback} where: get url loopback Performs a test Get of an HTTP object. (Note that you can also use the trace route command from your client station (if supported) to trace the network path between the client. 17-Jan-2038 19:14:07 GMT Content-Type: text/html Content-Length: 2184 Cache-Control: private Measured throughput rate is 6. a Security Appliance. The traceroute command can be helpful in determining where a problem may lie between two points in a network.76 Kbytes/sec HTTP loopback test passed SGOS# test http get http://www. Use traceroute to trace the network path from a Security Appliance back to a client or to a specific origin Web server.0 User-Agent: HTTP_TEST_CLIENT * HTTP response header recv'd: HTTP/1.com/ HTTP/1. path=/.com Type escape sequence to abort. domain=.

36. Examples SGOS> enable Enable Password: ***** SGOS# upload configuration ok To restore an archived system configuration: 1.25.36.47 Type escape sequence to abort. Executing HTTP get test HTTP response code: HTTP/1. The archive contains all system settings differing from system defaults. and filename 42 .47 212 0 0 0 #upload Uploads the current access log or running configuration.25. Archiving a Security Appliance’s system configuration on a regular basis is a generally prudent measure. server name or IP address. if the filename contains spaces.36.25. restoring a Security Appliance to its previous state is simplified if you recently uploaded an archived system configuration to an FTP or HTTP server. Indicates the host name of the origin server. Tracing the route to 10. In the rare case of a complete system failure. enter the following command: SGOS> configure network url The URL must be in quotation marks. path. and must be fully-qualified (including the protocol.47 1 10.Security Appliance Command Line Reference Syntax traceroute {IP_address | hostname} where: IP_address hostname Indicates the IP address of the client or origin server. along with any forwarding and security lists installed on the Security Appliance.36.25.47#traceroute 10.0 503 Service Unavailable Throughput rate is non-deterministic HTTP get test passed 10. At the enable command prompt.47 Type escape sequence to abort.25. Syntax upload {access-log | configuration} where: access-log configuration Specifies to upload the current access log Specifies to upload the current configuration.36. Example SGOS# traceroute 10.

.25.Blue Coat 5000 0216214521. 2. The configuration archive is downloaded from the server. ok 43 . and the Security Appliance settings are updated.47 .config % Configuring from ftp://10.36.25.config .25.Chapter 2: Standard and Privileged Mode Commands of the archive). quotation marks surrounding the URL are unnecessary.46/path/10.36. . If your archived configuration filename does not contain any spaces.36.36. Enter the following command to restart the Security Appliance with the restored settings: SGOS> restart mode software For example: SGOS> enable Enable Password: ***** SGOS# configure network ftp://10.46/path/10.47 .Blue Coat 5000 0216214521.25.

Security Appliance Command Line Reference 44 .

Enables or disables Web console. . Options Configures bandwidth gain.2: Change Configuration Settings Commands: This Configure Command: accelerated-pac access-log bandwidth-gain bypass-list caching clock content content-filter Does this: Configures installation parameters for PAC file.Chapter 3: Privileged Mode Configure Commands #configure The configure command allows you to configure the Blue Coat Systems Port 80 Security Appliance settings from your current terminal session. Identifies the network path that should be used to download system software. Table 3. Installation parameters for bypass list. Modifies clock settings. Specifies a port and protocol for a Web console. Enables or disables Telnet access to the CLI. Modify caching parameters. Adds or deletes objects from the Security Appliance. Table 3. or by loading a text file of configuration settings from the network. where configure_command is any of the following: This Configure Command: archive-configuration banner management-port telnet-management upgrade-path web-management Does this: Saves the system configuration. . Defines a login banner. Syntax configure {{terminal | t} | network url} configure_command configure_command .1: View Configuration Settings Commands: This Configure Command: show Does this: Displays running system information. Configures the access log for each HTTP request made. Configures the content filter. .

Configures HTTPS parameters.Security Appliance Command Line Reference diagnostics domain-alias dns dynamic-bypass error-pages event-log exit forwarding hide-advanced hostname http https icap icp identd inline installed-systems interface ip-default-gateway line-vty load netbios no ntp policy restart return-to-sender reveal-advanced rip rtsp security services snmp socks-machine-id splash-generator sshd static-routes streaming system-resource-percent Configures remote diagnostics. Returns to the previous prompt. Configures splash pages. Specifies CPL rules. Configures system resource allocation. 46 . Specifies RTSP proxy ports and IP addresses. Configures NETBIOS parameters Clears certain parameters. Configures IDENTD. System restart behavior. Enables or disables commands for advanced subsystems. Modifies RIP configuration. Configures HTTP error pages. Modifies NTP parameters. Selects an interface to configure. Configures forwarding parameters. Specifies the machine ID for SOCKS. Modifies dynamic bypass configuration. Specifies the default IP gateway. Configures domain alias attributes. Configures ICP. Sets the system hostname. Disables commands for advanced subsystems. Modifies security parameters. Maintain the list of currently installed Security Appliance systems. Configures ICAP. Installation parameters for static routes table. Modifies SSHD parameters. Configures streaming parameters. Configures HTTP parameters. Loads an installable list. Installs configurations from console input. Configures a terminal line. Modifies DNS settings. IP “return to sender” behavior. Configures event log parameters. Modifies SNMP parameters. Configures protocol attributes.

There are two ways to create an Accelerated PAC file: (1) customize the default PAC file and save it as a new file. or (2) create a new custom PAC file. This feature allows you to load a PAC file onto the Security Appliance for high performance PAC file serving right from the Security Appliance. Configures virtual IP addresses.8081/accelerated_pac_base. Syntax accelerated-pac {no path | path url} where: accelerated-pac – Configures accelerated PAC file information. The access log can be stored in one of three formats. which can be read by a variety of reporting utilities. Specifies the location to which the PAC file should be downloaded. Configures WCCP parameters.Chapter 3: Privileged Mode Configure Commands tcp-rtt timezone virtual-ip wccp Specifies the default TCP Round Trip Time. Sets the local timezone. a Web server is kept around to serve the PAC file to client browsers.36. See the Access Log Formats chapter for additional information on log formats. Example SGOS#(config) accelerated-pac path 10. no path url Clears the network path to download PAC file. it is important that the client instructions for configuring Security Appliance settings contain the URL of the Accelerated-PAC file. Clients load PAC files from: http://your_security_appliance. Syntax access-log This changes the prompt to: SGOS#(config access-log) -subcommandsoption 1: bandwidth kbps option 2: client-type {custom | ftp} 47 . In either case.47 ok #(config)access-log The Security Appliance can maintain an access log for each HTTP request made.25. #(config)accelerated-pac Normally.pac.

cancel-upload close-connection delete-logs open-connection rotate-remote-log send-keep-alive test-upload upload-now Cancels a pending access log upload. Switches to a new remote log file. Tests the upload configuration by uploading a verification file.Security Appliance Command Line Reference option 3: commands {cancel-upload | close-connection | delete-logs | open-connection | rotate-remote-log | send-keep-alive | test-upload | upload-now} option 4: connect-wait-time seconds option 5: continuous-upload {disable | enable | keep-alive seconds | lag-time seconds | rotate-remote {daily rotation_hour | hourly rotation_interval}} option 6: custom-client {alternate-server IP_address | primary-server IP_address} option 7: disable option 8: early-upload megabytes option 9: enable option 10: exit option 11: format {common | custom format_string | elff format_string | no string | squid-compatible} option 12: ftp-client {alternate {host host_name | password password | path path | username username} | filename format | no {alternate | filename | primary} | pasv {no | yes} | primary {host host_name | password password | encrypted-password encrypted-password | path path | username username} secure {yes | no}} option 13: max-size megabytes option 14: overflow-policy {delete | stop} option 15: remote-size megabytes option 16: show option 17: time-format {gmt | local} option 18: upload-interval {daily upload_hour | hourly upload_interval} option 19: upload-type {gzip | text} where: bandwidth kbps – Use this command to specify the maximum amount of bandwidth used during log uploading. Sends a keep-alive log packet to the remote server. client-type – Use this command to specify which upload client to use. Permanently deletes all access logs on the Security Appliance. Closes a manually-opened connection to the remote server. Uploads an access log file. commands – Use this command to manage log file connections. 48 . Opens a connection to the remote server.

megabytes Specifies the file size. enable – Use this subcommand to enable access logging. early-upload – Use this subcommand to trigger an early upload when the access log file reaches the specified size. filename no pasv Specifies the remote filename format. alternate-server primary-server IP_address [port] IP_address [port] disable – Use this subcommand to disable access logging. when reached. format – Use this subcommand to specify the access log format. continuous-upload – Use this subcommand to configure continuous upload settings. squid-compatible custom ftp-client – Use this subcommand to configure the FTP client. Specifies the interval between keep-alive timeouts. custom_string Indicates that the access log format should be compatible with the format specified by custom_string. Specifies the alternate server. alternate {host hostname [port] | password password | encrypted-password encrypted-password| path path | username username} format {alternate | filename | primary} {no | yes} Specifies the alternate FTP host site. will cause the access log file to be uploaded to the primary upload site.Chapter 3: Privileged Mode Configure Commands connect-wait-time seconds – Use this command to the time to wait between server connection attempts. Specifies when to switch to a new remote logfile. in megabytes. Deletes the specified parameter. Specifies whether the PASV command is sent. Specifies the primary server. 49 . {enable | disable} keep-alive lag-time rotate-remote seconds seconds {daily | hourly} Enables or disables continuous upload. that. Specifies the maximum time between log packets (text upload only). common Indicates that the access-log output should be generically server-compatible. custom-client – Use this subcommand to configure the custom client. Indicates that the access log format should be SQUID proxy caching server-compatible.

in MB. gzip text 50 . upload_hour Indicates that the access log file should be uploaded each day at the military time hour indicated by upload_hour. upload_hour Indicates that the access log file should be uploaded each day at the military time hour indicated by upload_hour. overflow-policy – Use this access-log subcommand to determine what to do if access log exceeds its maximum size delete Indicates that the access log file should be deleted when the file reaches the defined maximum size. Use the local time. Indicates that the access log file should be uploaded every number of hours specified by upload_interval. secure Specifies whether to use secure connections. max-size – Use this subcommand to set the maximum size. Indicates that the access log file should be uploaded as a text file. to which the access log can grow. hourly upload_interval upload-type – Use this access-log subcommand to specify whether to upload gzip file or text file. gmt local daily upload-interval – Use this access-log subcommand to specify access log upload interval. daily hourly upload_interval time-format – Use this access-log subcommand to specify the time format to use with the filename.Security Appliance Command Line Reference primary {host hostname [port] | [password password | encrypted-password encrypted password] path path | username username} {no | yes} Specifies the primary FTP host site. Indicates that the access log file should be uploaded as a GNU zip file. Use GMT. Refer to the max-size subcommand for more information. Indicates that no new access log data should be added to the access log file when the file reaches the defined maximum size. megabytes Maximum size of the access log file. Refer to the max-size subcommand for more information. Set the overflow-policy subcommand to determine the action that should occur when this file size is reached. Indicates that the access log file should be uploaded every number of hours specified by upload_interval. stop remote-size megabytes – Use this access-log subcommand to specify maximum remote file size (MB).

Archive and restore operations must be performed from the CLI. There is no Management Console Web interface for archive and restore. along with any forwarding and security lists installed on the Security Appliance. Specifies the FTP host to which the archive configuration should be uploaded.Chapter 3: Privileged Mode Configure Commands Example SGOS#(config) SGOS #(config ok SGOS #(config ok SGOS #(config access-log access-log) enable access-log) format squid-compatible access-log) #(config)archive-configuration Archiving a Security Appliance system configuration on a regular basis is always a good idea. Specifies the password for the FTP host to which the archive configuration should be uploaded. and password. path. host host_name password password path path 51 .Configures archive configuration settings including protocol. filename. filename-prefix file_name Specifies the prefix that should be applied to the archive configuration on upload. In the rare case of a complete system failure. Syntax option 1: archive-configuration filename-prefix filename option 2: archive-configuration host host_name option 3: archive-configuration password password option 4: archive-configuration path path option 5: archive-configuration protocol {ftp | tftp} option 6: archive-configuration username username where: archive-configuration . The archive contains all system settings differing from system defaults. host. username. Specifies the path to the FTP host to which the archive configuration should be uploaded. restoring a Security Appliance to its previous state is simplified by loading an archived system configuration from an FTP or HTTP server.

" and "never refresh before specified object expire" features. For example.Security Appliance Command Line Reference protocol username {ftp | tftp} username Indicates the upload protocol to be used for the archive configuration.1 conditional get.Configures bandwidth gain status. a bandwidth gain of 100% means that traffic volume from the Security Appliance to its clients is twice as great as the traffic volume being delivered to the Security Appliance from the origin server(s). Example SGOS#(config) archive-configuration host host3 ok #(config)bandwidth-gain Bandwidth gain is a measure of the effective increase of server bandwidth resulting from the client’s use of a content accelerator. Syntax bandwidth-gain This changes the prompt to: SGOS#(config bandwidth-gain) -subcommandsoption 1: disable option 2: enable option 3: custom pipelining {disable | enable} option 4: custom if-modified-since {disable | enable} option 5: custom conditionals {disable | enable} option 6: custom refresh {disable | enable} option 7: exit option 8: mode [custom | default] option 9: show option 10: view where: bandwidth-gain ." "substitute get for HTTP 1. 52 . mode. Using bandwidth gain mode can provide substantial gains in apparent performance. and the status of the "substitute get for get-if-modified-since. Enables bandwidth-gain mode. Specifies the username for the FTP or FTP host to which the archive configuration should be uploaded. disable enable Disables bandwidth-gain mode. Keep in mind that bandwidth gain is a relative measure of the Security Appliance’s ability to amplify traffic volume between an origin server and the clients served by the Security Appliance.

Chapter 3: Privileged Mode Configure Commands custom pipelining custom if-modified-since custom conditionals custom refresh exit mode show bandwidth-gain | view {disable | enable} {disable | enable} {disable | enable} {disable | enable} Enables or disables custom pipelining." "substitute get for HTTP 1. Example SGOS#(config) banner login "Sales and Marketing Intranet Web" ok 53 .1 conditional substitution." and "never refresh before specified object expire" features. Syntax banner {login string | no login} where: banner login no login string Sets the login banner to the value of string. Exits configure bandwidth-gain mode and returns to configure mode.1 conditional get. and the status of the "substitute get for get-if-modified-since. mode. Effectively sets the login banner to null. Example SGOS#(config) bandwidth-gain SGOS#(config bandwidth-gain) enable ok SGOS#(config bandwidth-gain) custom pipelining en ok SGOS#(config bandwidth-gain) exit SGOS#(config) #(config)banner This command enables you to define a login banner for your users. Enables or disables custom HTTP 1. {custom | default} Sets bandwidth-gain mode to either custom or default. Displays bandwidth gain status. Enables or disables custom asynchronous refresh. Enables or disables custom if-modified-since substitution.

When a request matches an IP address and subnet mask specification in the bypass list. the request is sent to the designated gateway. Specifies the network path used to download the local bypass list. To use bypass routes. Once you have created the bypass list. or you can use the central bypass list maintained by Blue Coat Technical Support at: http://www. Specifies to change the bypass list when changes are made to the central bypass list. The bypass list contains IP addresses.Security Appliance Command Line Reference #(config)bypass-list A bypass list prevents the Security Appliance from transparently accelerating requests to servers that perform IP authentication with clients.txt The central bypass list maintained by Blue Coat contains addresses Blue Coat has identified as using client authentication. place it on an HTTP server so it can be installed onto the Security Appliance. Checks the central bypass list for changes. subscribe notify poll-now subscribe Example 54 . Sets the central bypass list path to null. Instructs the Security Appliance to not send an e-mail notification if the central bypass list changes.bluecoat. The file should be named with a . Sets the local bypass list path to null.com/support/subscriptions/CentralBypassList. A bypass list is only used for transparent caching.Configures bypass list settings. There are two types of bypass lists: local and central. central-path local-path no url url central-path local-path notify Specifies the network path used to download the central bypass list.txt extension. You can create your own central bypass list to manage multiple Security Appliances. and gateways. Specifies that you do not want to change the bypass list when changes are made to the central bypass list. create a text file that contains a list of address specifications. subnet masks. Syntax bypass-list {central-path url | local-path url | no {central-path | local-path | notify | subscribe} | notify | poll-now | subscribe} where: bypass-list . Instructs the Security Appliance to send an e-mail notification if the central bypass list changes.

when it is not serving requests. The Security Appliance processes the refresh list in the background. When the Security Appliance retrieves and caches an FTP object.36. the Security Appliance caches the object for a set period of time. Refresh policies define how the Security Appliance handles the refresh process.47/files/bypasslist.Chapter 3: Privileged Mode Configure Commands SGOS#(config) bypass-list local-path 10. The HTTP caching options allow you to specify: • • • Maximum object size Negative responses Freshness In addition to HTTP objects. • • If the object has a last-modified date. The FTP caching options also allows you to specify: • • • • Transparency Maximum object size Caching objects by date Caching objects without a last-modified date: if an FTP object is served without a last modified date. it is placed in a refresh list. it uses two methods to determine how long the object should stay cached. the Security Appliance can cache objects requested using FTP. the Security Appliance assigns a refresh date to the object based on a fixed period of time.25. the Security Appliance assigns a refresh date to the object that is a percentage of the last-modified date. Syntax caching This changes the prompt to: SGOS#(config caching) -subcommandsoption 1: always-verify-source option 2: ftp {disable | enable | max-cache-size megabytes | show | type-m-percent percent |type-n-initial percent} option 3: max-cache-size megabytes option 4: negative-response minutes option 5: no always-verify-source option 6: refresh {automatic | bandwidth kbps | desired-freshness percent | no automatic} 55 .txt ok #(config)caching When an cached HTTP object expires. If the object does not have a last-modified date.

Security Appliance Command Line Reference option 7: show where: caching – Configures cache refresh rates and settings and caching policies. Specifies the TTL for objects with no expiration. ftp negative-response minutes no always-verify-source refresh automatic bandwidth kbps desired-freshness percent no automatic Example SGOS#(config) caching SGOS#(config caching) ok SGOS#(config caching) ok SGOS#(config caching) ok SGOS#(config caching) ok SGOS#(config caching) always-verify-source max-cache-size 100 negative-response 15 refresh automatic ftp 56 . Specifies the amount of bandwidth in kilobits to utilize for maintaining object freshness. Specifies the TTL for objects with a last-modified time. {disable | enable} max-cache-size megabytes type-m-percent percent type-n-initial percent max-cache-size megabytes Enables or disables the caching of FTP objects. Specifies the maximum size of the cache to the value indicated by megabytes. Specifies that the Security Appliance should manage the refresh bandwidth. always-verify-source Specifies the Security Appliance to always verify the freshness of an object with the object source. Specifies that the Security Appliance should never verify the freshness of an object with the object source. Specifies that the Security Appliance should attempt to maintain freshness for the percentage of objects indicated by percent. Specifies that the Security Appliance should not manage the refresh bandwidth. Specifies the maximum allowable of FTP object size to cache. Specifies that negative responses should be cached for the time period identified by minutes.

Sets the UTC minute to the minute indicated by minute. Sets the UTC year to the year indicated by year. The value can be any integer from 0 through 59. Sets the UTC second to the second indicated by second. If the Security Appliance cannot access any of the listed NTP servers. The Security Appliance includes a list of NTP servers available on the Internet. Sets the UTC hour to the hour indicated by hour. Sets the UTC month to the month indicated by month. day day Sets the Universal Time Code (UTC) day to the day indicated by day. The value can be any integer from 1 through 12. The value can be any integer from 1 through 31. a Security Appliance must know the current Universal Time Coordinates (UTC) time. you must manually set the UTC time using the clock command. hour hour minutes minute month month second second year year Example 57 . The value must take the form xxxx. The value can be any integer from 0 through 59. and attempts to connect to them in the order they appear in the NTP server list on the NTP tab. The value can be any integer from 0 through 23. the Security Appliance attempts to connect to a Network Time Protocol (NTP) server to acquire the UTC time. By default.Chapter 3: Privileged Mode Configure Commands SGOS#(config caching ftp) enable ok SGOS#(config caching ftp) max-cache-size 200 ok SGOS#(config caching ftp) type-m-percent 20 ok SGOS#(config caching ftp) type-n-initial 10 ok SGOS#(config caching ftp) exit SGOS#(config caching) exit SGOS#(config) #(config)clock To manage objects in the cache. Syntax clock {day day | hour hour | minute minute | month month | second second | year year} where: clock – Configures the current time.

Specifies to delete content based on the regular expression identified by regex. cancel outstanding-requests Specifies to cancel all outstanding content distribution requests and re-validate requests. Specifies to delete content for the URL identified by url. Specifies to add a content deletion policy for the URL identified by url. url url delete regex regex url url distribute url priority regex 0-7 regex url 0-7 url revalidate {url url | regex regex} 58 . Syntax content {cancel {outstanding-requests | url url} | delete {regex regex | url url} | distribute url | priority {regex 0-7 regex | url 0-7 url} | revalidate {url | regex regex}} where: content – Manages and manipulates content pull requests and re-validate requests. Note: The content command options are not compatible with transparent FTP. Specifies to cancel outstanding content distribution requests and re-validate requests for the URL identified by url. Revalidates the content associated with either url or the regular expression identified by regex with the origin server.Security Appliance Command Line Reference SGOS#(config) ok SGOS#(config) ok SGOS#(config) ok SGOS#(config) ok SGOS#(config) ok SGOS#(config) ok clock year 2002 clock month 4 clock day 1 clock hour 0 clock minute 30 clock second 59 #(config)content Use this command to manage and manipulate content distribution requests and re-validate requests. Specifies to add a content deletion policy based on the regular expression identified by regex. Specifies that the content associated with url should be distributed from the origin server.

The Security Appliance supports these content filtering methods: • Using vendor-based content filtering This method allows you to block URLs using vendor-defined categories. a provider of Web filtering software used locally on the Security Appliance. Syntax content-filter This changes the prompt to: SGOS#(config content-filter) . For this method.bluecoat. use content filtering solutions from either of the following vendors: • • SmartFilter™.com Last load time: Mon. 01 Apr 2002 00:34:07 GMT ok SGOS#(config) content revalidate url http://www. You can also combine this type of content filtering with the Security Appliance policies.com Current time: Mon. Websense®. • Denying access to URLs This method allows you to block by URL. you define Security Appliance policies. For this method.subcommands- 59 . Refer to the Blue Coat Systems Port 80 Security Appliance Configuration and Management Guide and the Blue Coat Systems Port 80 Security Appliance Policy Language Guide and Reference for complete descriptions of these features.bluecoat. used either locally on the Security Appliance and or remotely on a separate Websense Enterprise Server. 01 Apr 2002 00:34:07 GMT ok SGOS#(config) content distribute http://www. which use the Blue Coat Policy Language.com ok SGOS#(config) content cancel outstanding-requests ok SGOS#(config) content delete url http://www.Chapter 3: Privileged Mode Configure Commands Example SGOS#(config) content distribute http://www. domain. a provider of Web filtering software. 01 Apr 2002 00:35:01 GMT ok SGOS#(config) content priority url 7 http://www. which use the Blue Coat Policy Language. including filtering by scheme. or individual host or IP address.bluecoat.bluecoat.com Current time: Mon.bluecoat.com ok #(config)content-filter The Security Appliance offers the option of using content filtering to control the type of retrieved content and to filter requests made by clients.

system restart required for changes to take effect. websense3 – see #(config content-filter)websense3 websense4 offbox . Specifies the content filter provider to use. SGOS#(config content-filter) exit SGOS#(config) exit SGOS# restart regular ok SGOS# Initiating software only restart with uncompressed partial core image Waiting for disk activity to cease 60 .see #(config content-filter)websense4 off-box Example SGOS#(config) content-filter SGOS#(config content-filter) select-provider smartfilter Configuration updated.Security Appliance Command Line Reference option 1: disable option 2: enable option 3: exit option 4: select-provider {smartfilter | websense3 | websense4 off-box} option 5: show option 6: smartfilter (see following commands for details) option 7: test-url url option 8: websense3 (see following commands for details) option 9: websense4 off-box (see following commands for details) where: content-filter – Configures filters that control the type of retrieved content and filter requests made by clients. Displays the current content filter settings. Exits configure content filter mode and returns you to configure mode. {smartfilter | websense3 | websense4 off-box} Disables the current content filter settings Enables the current content filter settings. disable enable exit select-provider show smartfilter – see #(config content-filter)smartfilter download password download encrypted-password test-url password encrypted-password ur Tests the URL indicated by url against the specified content filter using a reverse DNS-lookup.

Chapter 3: Privileged Mode Configure Commands

#(config content-filter)smartfilter
Use this command to configure SmartFilter filters that control the type of content retrieved by the Security Appliance and filter requests made by clients.

Syntax
smartfilter

This changes the prompt to:
SGOS# (config smartfilter)

- subcommandsoption 1: view-categories option 2: download option 3: exit option 4: no where:
Smartfilter – Configures SmartFilter filters that: control the type of content retrieved by the Security Appliance and filter requests made by clients. download control-file filename Identifies the file containing all SmartFilter parameters for downloading to client machines. Sets the day of the week for the automatic download of the control-file to occur. Disables automatic download of the control-file to client machines. Enables automatic download of the control-file to client machines. Initiates automatic download of the control-file to client machines. password Indicates the password used to access the network path to the download database. Indicates the encrypted password used to access the network path to the download database. Indicates the network path to the download database. Sets the time of day for the automatic download of the control-file to occur. Specifies the username used to access the network path to the download database.

day-of-week

{all | none | monday | tuesday | wednesday | thursday | friday | saturday | sunday}

disable-auto enable-auto get-now password

encrypted-password

encrypted-password

path time-of-day username

url hour username

61

Security Appliance Command Line Reference

exit

Exits configure smart filter mode and returns you to configure content-filter mode.

view-categories – Displays all of the categories.

Example
SGOS#(config) content-filter SGOS#(config content-filter) smartfilter SGOS#(config smartfilter) view-categories Anonymizer/Translator Art/Culture Chat . . . Travel Webmail SGOS#(config smartfilter) download username anonymous ok SGOS#(config smartfilter) download password Blue Coat ok SGOS#(config smartfilter) download control-file sfcontrol ok SGOS#(config smartfilter) download enable-auto ok SGOS#(config smartfilter) download day-of-week all ok SGOS#(config smartfilter) download time-of-day 12 ok SGOS#(config smartfilter) exit SGOS#(config content-filter) exit

#(config content-filter)websense3
Use this command to configure WebSense3 filters that: control the type of content retrieved by the Security Appliance and filter requests made by clients.

Syntax
websense3

This changes the prompt to:
SGOS#(config websense3.x)

- subcommandsoption 1: view-categories option 2: download option 3: exit option 4: no

62

Chapter 3: Privileged Mode Configure Commands

where:
websense3 – Configures WebSense3 filters that: control the type of content retrieved by the Security Appliance and filter requests made by clients. download address1 address2 text text Specifies the company street address for download verification. Specifies the company extended street address for download verification. Specifies the company city for download verification. Specifies the company name for download verification. Specifies the company country for download verification. Specifies the day of the week for the automatic download of the control-file to occur. Disables the automatic download feature. text Specifies the company contact e-mail address. Enables the automatic download feature. text Specifies the company contact first name. Initiates automatic download of the database to client machines. text text text password encrypted-password text text text url Specifies the company contact last name. Specifies the company license key for access to the Websense3 database. Specifies the company contact middle name. Specifies the password for access to the Websense3 database. Specifies the encrypted password for access to the Websense3 database. Specifies the company contact telephone number. Specifies the company postal code. Specifies the company province. Specifies the Websense3 server from which the database should be downloaded.

city company country day-of-week

text text text {all | none | monday | tuesday | wednesday | thursday | friday | saturday | sunday}

disable-auto email enable-auto firstname get-now lastname license-key middlename password encrypted-password phone-number postcode province server

63

Sets the company country to null.x) download company Company Inc.x) download email sallysmith@company. Sets the company contact address to null.x) download phone-number 555-555-2975 SGOS#(config websense 3. Sets the company contact first name to null.x) download enable-auto SGOS#(config websense 3.x) download password wolverine SGOS#(config websense 3.x) download address2 Suite 100 SGOS#(config websense 3.x) download firstname Sally SGOS#(config websense 3.x) download middlename Anne SGOS#(config websense 3.Security Appliance Command Line Reference time-of-day username no hour username address1 address2 city company country email firstname lastname license-key password phone-number postcode province username Sets the time of day for the automatic download of the database to occur.x) download province WA SGOS#(config websense 3.download.com SGOS#(config websense 3. Sets the company license key to null. SGOS#(config websense 3.x) download postcode 10808 SGOS#(config websense 3. Sets the company contact e-mail to null. Sets the company name to null.x) download country USA SGOS#(config websense 3.x) download username centerfield SGOS#(config websense 3. Sets the company contact last name to null. Example SGOS#(config)content-filter SGOS#(config content-filter) websense3 SGOS#(config websense 3.x) download license-key SKDI837SKFIVNW740FM SGOS#(config websense 3. Specifies the company contact's network username.x) download server asia.x) download lastname Smith SGOS#(config websense 3. Sets the company contact network username to null.x) download city Redmond SGOS#(config websense 3. Sets the company province to null.websense. view-categories – Displays all of the categories.com SGOS#(config websense 3. Sets the company password to null.x) download time-of-day 5 64 . Sets the company contact extended address to null. Sets the company contact postal code to null.x) download address1 1230 Main St. Sets the company contact city to null. Sets the company contact phone number to null. SGOS#(config websense 3.

x) download day-of-week tuesday SGOS#(config websense 3.x off-box mode and returns you to configure content-filter mode. Syntax websense4 off-box This changes the prompt to: SGOS#(config websense4.subcommandsoption 1: default-domain string option 2: directory-service string option 3: exit option 4: fail-open option 5: ip-address ip_address option 6: no {fail-open | ip_address | port | send-user-name} option 7: port port_number option 8: send-user-name where: websense4 off-box – Configures WebSense4 filters that: control the type of content retrieved by the Security Appliance and filter requests made by clients. directory-service string exit fail-open 65 ." Specifies the directory service used by the remote Websense4 server.x off-box) .Chapter 3: Privileged Mode Configure Commands SGOS#(config websense 3. Indicates that the username should not be sent to the Websense4 off-box if the remote Websense server is not available. This is an NTLM-specific command." Exits configure websense4. default-domain is usually set to "Default-Domain. default-domain string Specifies the default domain of the remote Websense4 server. directory-service is usually set to "WinNT.x) download day-of-week monday SGOS#(config websense 3. This is an NTLM-specific command.x) exit SGOS#(config content-filter) exit SGOS#(config) #(config content-filter)websense4 off-box Use this command to configure WebSense4 filters that control the type of content retrieved by the Security Appliance and filter requests made by clients.

x off-box) SGOS#(config websense 4. Sets the send username to null. Syntax diagnostics This changes the prompt to: SGOS#(config diagnostics) . Disables the fail-open setting.x off-box) ip-address 10.subcommandsoption 1: exit option 2: heartbeat {disable | enable} option 3: monitor {disable | enable} option 4: request-heartbeat option 5: reset heartbeat option 6: show where: diagnostics – Configures for remote diagnostics through the Blue Coat Heartbeat feature.x off-box) default-domain NT4PDC SGOS#(config websense 4. Sets the remote Websense4 server IP address to null. Sets the remote Websense4 server port number to null.x off-box) send-user-name-yes SGOS#(config websense 4.57 SGOS#(config websense 4. exit Exits configure diagnostics mode and returns you to configure mode. Specifies the Websense4 port number.x off-box) exit SGOS#(config content-filter) exit SGOS#(config) #(config)diagnostics This command enables you to configure the remote diagnostic feature Heartbeat. port send-user-name port Example SGOS#(config) content-filter SGOS#(config content-filter) websense4 off-box SGOS#(config websense 4.Security Appliance Command Line Reference ip-address no ip_address fail-open ip_address port send-user-name Specifies the IP address of the remote Websense4 server. 66 . Sends the requestor user name to the remote Websense4 server (avoiding end-user re-authentication).3.252.

Chapter 3: Privileged Mode Configure Commands heartbeat monitor request-heartbeat reset show {disable | enable} {disable | enable} Enables or disables the Security Appliance Heartbeat features. Note that the alternate DNS servers are only checked if the servers in the standard DNS list return: "Name not found. alternate ip_address Adds the new alternate domain name server indicated by ip_address to the alternate DNS server list. Removes the imputed name identified by imputed_name from the name imputing list." Syntax dns {alternate ip_address | clear {alternate | imputing | server} | imputing name | no {alternate ip_address | imputing imputed_name | server ip_address} | server ip_address} where: dns – Enables you to modify domain name server settings. Sets all entries in the alternate DNS server list to null. Displays the current diagnostics settings. Sets all entries in the primary DNS server list to null. heartbeat Example SGOS#(config) diagnostics SGOS#(config diagnostics) reset heartbeat ok #(config)dns The dns command enables you to modify the DNS settings for the Security Appliance. Removes the alternate DNS server identified by ip_address from the alternate DNS server list. Creates a Heartbeat report. Reset Heartbeat settings to system defaults. Identifies the file indicated by name as the name imputing list. Sets all entries in the name imputing list to null. clear alternate imputing server imputing no name alternate ip_address imputing imputed_name 67 . Enables or disables the monitoring feature.

68 . to the Security Appliance’s local bypass list. For a configured period of time. server ip_address Example SGOS#(config) SGOS#(config) SGOS#(config) SGOS#(config) SGOS#(config) SGOS#(config) SGOS#(config) SGOS#(config) SGOS#(config) dns dns dns dns dns dns dns dns dns clear server server 10.253. further requests for the error-causing URL are sent immediately to the origin server. With dynamic bypass. is configurable from the CLI. containing the server IP address of sites that have returned an error. and the types of errors that cause the Security Appliance to add a site to the list.220. The amount of time a dynamic bypass entry stays in the list. Deletes all domain aliases from the configuration. Deletes the alternate name identified by alias to from the list of domain aliases for the domain identified by original. along with several other settings.249 clear alternate alternate 216. the Security Appliance adds dynamic bypass entries. Syntax domain-alias {add original alias | delete {original alias | all}} where: domain-alias – Enables you to configure one or multiple aliases for your domain.Security Appliance Command Line Reference server ip_address Removes the primary DNS server identified by ip_address from the primary DNS server list.101 clear imputing imputing com imputing net imputing gov imputing edu #(config)domain-alias Use this command to configure aliases for your domain.23. delete original alias all #(config)dynamic-bypass Dynamic bypass provides a maintenance-free method for improving performance of the Security Appliance by automatically compiling a list of requested URLs that return various kinds of errors. add original alias Adds the alternate name identified by alias to the list of domain aliases for the domain identified by original.52. Adds the new primary domain name server indicated by ip_address to the primary DNS server list. saving the Security Appliance processing time.

This could result in subversion of on-box policy. ok SGOS#(config) dynamic-bypass trigger all ok SGOS#(config) #(config)error-pages The error-pages command enables you to configure HTTP error pages. the request is handled in the normal manner. Syntax dynamic-bypass {clear | disable | enable | no trigger {400 | 403 | 405 | 406 | 500 | 502 | 503 | 504 | all | non-http} | trigger {400 | 401 | 403 | 405 | 406 | 500 | 502 | 503 | 504 | all | non-http}} where: dynamic-bypass – Enables you to modify the dynamic bypass list. the Security Appliance removes the URL from the bypass list. and clients are requesting many error-causing URLs in a short period of time (for example. If the origin server still returns an error. all HTTP response codes. the Security Appliance attempts to contact the origin server. On the next client request for the URL. all HTTP response codes. Disables dynamic bypass for the specified HTTP response code.Chapter 3: Privileged Mode Configure Commands Once the dynamic bypass timeout for a URL has ended. The performance gains realized with this feature are substantial if the client base is large. many users clicking a browser’s refresh button over and over to get an overloaded origin server to load a URL). clear disable | enable no trigger {400 | 403 | 405 | 406 | 500 | 502 | 503 | 504 | all | non-http} {400 | 403 | 405 | 406 | 500 | 502 | 503 | 504 | all | non-http} Clears all entries in the dynamic bypass list. Dynamic bypass increases efficiency because redundant attempts to contact the origin server are minimized. The use of dynamic bypass is cautioned. or all non-HTTP responses. Disables or enables the current dynamic bypass list. Enables dynamic bypass for the specified HTTP response code. If the URL does not return an error. trigger Example SGOS#(config) dynamic-bypass clear ok SGOS#(config) dynamic-bypass enable WARNING: Requests to sites that are put into the dynamic bypass list will bypass future policy evaluation. 69 . the URL is once again added to the local bypass list for the configured dynamic bypass timeout. or all non-HTTP responses.

and to configure Syslog monitoring.txt #(config)event-log You can configure the Security Appliance to log system events as they occur. no path path url Sets the current error-pages path url setting to null. Syntax event-log This changes the prompt from to: SGOS#(config event-log) .Security Appliance Command Line Reference Syntax error-pages {no path | path url} where: error-pages – Permits download of customized HTTP error pages.bluecoat. exit Exits configure event-log mode and returns you to configure mode.com/errorpages. The Security Appliance can also notify you by email if an event is logged. Specifies the network path location (url) of the customized HTTP error pages. Event logging allows you to specify the types of system events logged. the size of the event log. Example SGOS#(config) error-pages path http://download. 70 .subcommandsoption 1: exit option 2: level {informational | resource | severe | verbose} option 3: log-size megabytes option 4: mail {add email_address | bluecoat-notify | clear | no {bluecoat-notify | smtp-gateway} | remove email_address | smtp-gateway domain_name} option 5: show option 6: syslog {disable | enable | facility {auth | daemon | kernel | local0 | local1 | local2 | local3 | local4 | local5 | local6 | local7 | lpr | mail | news | syslog | user | uucp} | loghost domain_name | no loghost} option 7: when-full {overwrite | stop} where: event-log – Enables you to specify event log settings for a customized event log.

Removes the e-mail recipient indicated by email_address from the event log e-mail output distribution list. Write all error messages to the event log. you can use the Blue Coat gateway to send event 71 . Write severe and resource error messages to the event log. Specifies Blue Coat to be an additional recipient of the event log e-mail output. Write only severe error messages to the event log. and informational error messages to the event log. Removes all e-mail recipients from the event log e-mail output distribution list.Chapter 3: Privileged Mode Configure Commands level informational Write severe. Note: You must replace the default Blue Coat SMTP gateway with your gateway. Specifies the SMTP gateway to use for event log e-mail output notifications. no bluecoat-notify specifies that Blue Coat does not receive event log e-mail output. resource severe verbose log-size mail megabytes add email_address bluecoat-notify clear no {bluecoat-notify | smtp-gateway} remove email_address smtp-gateway {domain_name | IP_address} syslog {disable | enable} {facility {auth | daemon | kernel | local0 | local1 | local2 | local3 | local4 | local5 | local6 | local7 | lpr | mail | news | syslog | user | uucp}} loghost domain_name no loghost when-full {overwrite | stop} Specifies the host domain used for system log notifications. Specifies the types of system log messages to be collected in the system log. overwrite overwrites the oldest information in a FIFO manner. Disables or enables the collection of system log messages. Specifies what should happen to the event log when the maximum size has been reached. If you do not have access to an SMTP gateway. Specifies the maximum size of the event log in megabytes. Specifies an e-mail recipient for the event log output. resource. stop disables event logging. Clears the loghost setting.

rather than to an unavailable host.subcommandsoption 1: add hostname port [ftp | http] [deferred] [socks] [default | backup | group=groupname] [allow_credentials] option 2: delete {all | group groupname | host hostname} 72 . health checks are important to the Security Appliance. the exit command closes the CLI session. With a single forwarding host. it determines whether the host returns a response and is available to fulfill a content request. After adding forwarding hosts and groups. you must define which acts as a default and which acts as a backup. add a host and use the group= subcommand to add a group. it is still important for the Security Appliance to use health checks to detect whether the host is available. Add up to 512 hosts and up to 32 groups. From Standard mode. When the Security Appliance performs a health check. You must add each host and group to use in forwarding content requests. and the Security Appliance can more quickly fulfill content requests. it will not forward mail to other domains). the Security Appliance supports the use of default and backup hosts and host groups.Security Appliance Command Line Reference messages to Blue Coat (the Blue Coat SMTP gateway will only send mail to Blue Coat. Syntax exit The exit command does not have any parameters or subcommands. To define a group. Syntax forwarding This changes the prompt to: SGOS#(config forwarding) . A positive health check indicates (1) that there is an end-to-end connection and (2) that the host is up and running and will most likely be able to return a response. With multiple forwarding hosts. When hosts respond positively to health checks. from Privileged mode to Standard mode. The Security Appliance performs health checks with one or more forwarding hosts. #(config)forwarding When forwarding content requests. Example SGOS#(config) event-log SGOS#(config event-log) syslog enable ok #(config)exit Exits from Configuration mode to Privileged mode. the Security Appliance can forward requests to those hosts.

backup indicates that it should be the backup forwarding host. groups. not a proxy server. and rules. port [ftp | http] [deferred] [socks] [default | backup | group=groupname] [allow_credentials] delete group groupname host hostname all download-viaforwarding {enable | disable} 73 . add hostname Indicates that the host identified by hostname should be added to the forwarding group. Specifies the port number associated with hostname. Deletes all hosts. Use the group= subcommand to add a group. Deletes only the host identified by hostname. Enables or disables configuration file downloading using forwarding. and load balancing status.Chapter 3: Privileged Mode Configure Commands option 3: download-via-forwarding {disable | enable} option 4: exit option 5: health-check {failcount count | interval seconds | pause | resume | type {layer-3 | layer-4 | layer-7 object} | send-pnc {enable | disable}} option 6: rules {deny | direct | group | host | view} option 7: set name option 8: show option 9: view where: forwarding – Enables you to configure advanced forwarding settings. health check. Indicates whether the host identified by hostname uses FTP or HTTP. Up to 512 forwarding hosts and up to 32 forwarding groups are permitted. Add up to 512 hosts and up to 32 groups. including download-via-forwarding. Indicates that the host identified by hostname uses the SOCKS protocol. Deletes only the group identified by groupname. default indicates that hostname be the default host for forwarding. Specifies to use the relative path for URLs in the HTTP header because the next hop is a Web server. Use the group=groupname subcommand to add a group. and the definition of forwarding hosts/groups and advanced forwarding rules. Allows credentials (in HTTP headers) to be passed to another proxy.

2.com 80 http group=proxy ok SGOS#(config forwarding) rules direct SGOS#(config forwarding direct) add domain companyA.com 80 http group=proxy ok SGOS#(config forwarding) add www. Manages forwarding rules that direct addresses out to the network without passing through the Security Appliance.4 ok 74 .com 80 http default ok SGOS#(config forwarding) add www. Temporarily halts health-checking. Species a forwarding host to be the default or backup host.com ok SGOS#(config forwarding direct) add ip 1. View all rules for the specified host or group.bluecoat. Displays the currently defined forwarding groups or hosts. rules direct {add | delete | exit | view} deny {add | delete | exit | view} group group_name host host_name view set group name {default | backup} host name port {default | backup} view Example SGOS#(config) forwarding SGOS#(config forwarding) delete all ok SGOS#(config forwarding) download-via-forwarding disable ok SGOS#(config forwarding) add www.server3. Manages forwarding rules that instruct the Security Appliance to deny access to specific addresses. Adds forwarding rules to a forwarding group. Determines the layer of health-checking.3. Specifies the number of seconds between health checks. Resumes health-checking after a pause command. Species a forwarding group to be the default or backup group.com 80 ftp group=proxy ok SGOS#(config forwarding) add www. Adds forwarding rules to a forwarding host.server2.server1.Security Appliance Command Line Reference health-check failcount count interval seconds pause resume type {layer-3 | layer-4 | layer-7 object} send-pnc {enable | disable} Specifies the number of failed health-checks tolerated. Enables sending Pragma: no cache for health checks.

com ok SGOS#(config forwarding proxy) exit SGOS#(config forwarding) exit SGOS#(config) #(config)health-check Use this command to configure ICAP and Websense 4 offbox health checks. Deletes the specified health check . Range is 0 to 65535. Sets the failure count that triggers a health-check.bluecoat.com:80) exit SGOS#(config forwarding) rules group proxy SGOS#(config forwarding proxy) add domain proxy.Chapter 3: Privileged Mode Configure Commands SGOS#(config forwarding direct) add url http://. add delete edit name name name failure-trigger trigger Adds a health check configuration specified by name.* ok SGOS#(config forwarding direct) exit SGOS#(config forwarding) rules host www.*companyB.com:80)delete rules ok SGOS#(config forwarding www. Specifes the type of health check for this service. type icap | websense4-offbox 75 .bluecoat. Enables edit mode to configure the health check.bluecoat.subcommandsoption 1: add option 2: delete option 3: edit option 4: show option 5: statistics option 6: view option 7: exit where: health-check—Enables you to configure anICAP or Websense 4 health check. the default is 0. Syntax health-check This changes the prompt to: SGOS#(config health-check) .com 80 SGOS#(config forwarding www.

Specifies the seconds between health checks on servers that have been determined to be healthy or sick. Displays the current health-check configurations for ICAP and Websense 4 types. This setting does not display ICAP or Websense 4 settings. threshold {healthy | sick} attempts notify perform-health-check statistics view show health-check statistics view Example SGOS# SGOS# SGOS# SGOS# SGOS# SGOS# SGOS# SGOS# SGOS# (config) health-check (config health-check) add hc1 (config health-ckeck) edit hc1 (config health-check hc1) type layer-3 (config health-check hc1) layer-3 foo (config health-check hc1) interval healthy 30 (config health-check hc1) interval sick 15 (config health-check hc1) threshold healthy 20 (config health-check hc1) failure-trigger 5 #(config)hide-advanced Use this command to hide and disable advanced commands. Specifies the name of the URL used to obtain box status upon bootup.Security Appliance Command Line Reference icap |websense4-offbox service_name websense4-offbox default-url | test-url interval {healthy | sick} seconds Specifies the name of the service that receives health checks. Displays the health check configuration for the service. Specifies the number of attempts before a server is considered healthyy or sick. Performs an instant health check on the service. Syntax hide-advanced {all | expand | tcp-ip} 76 . Displays health check settings for layer-3 and layer-4 types. Displays health check statistics for the service. The default is 10. Enables email notification of state changes. Displays statistics for all configured health checks. the default is 1. The range is 1 to 65535.

Syntax hostname name where: hostname – Configures hostname. Example SGOS#(config) hide-advanced all ok #(config)hostname Use this command to assign a name to a Security Appliance. Example SGOS#(config) hostname "Blue Coat Demo" ok #(config)http Use this command to configure HTTP settings. name Associates name with the current Security Appliance. Syntax option 1: http add-header client-ip option 2: http add-header via option 3: http add-header x-forwarded-for option 4: http byte-ranges option 5: http cache authenticated-data option 6: http cache expired option 7: http cache personal-pages option 8: http cache reverse-dns 77 . and type. and TCP/IP advanced commands. Disables all TCP/IP advanced commands. Disables all expanded advanced commands. IP address.Chapter 3: Privileged Mode Configure Commands where: hide-advanced – Enables the system administrator to hide and disable certain advanced commands. all expand tcp-ip Disables all expanded. HTTP. Any descriptive name that helps identify the system will do.

Security Appliance Command Line Reference option 9: http force-ntlm option 10: http ftp-proxy-url option 11: http no add-header client-ip option 12: http no add-header via option 13: http no add-header x-forwarded-for option 14: http no byte-ranges option 15: http no cache authenticated-data option 16: http no cache expired option 17: http no cache personal-pages option 18: http no cache reverse-dns option 19: http no force-ntlm option 20: http no parse meta-tag expires option 21: http no persistent client option 22: http no persistent server option 23: http no pipeline client requests option 24: http no pipeline client redirects option 25: http no pipeline prefetch requests option 26: http no pipeline prefetch redirects option 27: http no proprietary-headers bluecoat option 28: http no strict-expiration refresh option 29: http no strict-expiration serve option 30: http no strip-from-header option 31: http no substitute conditional option 32: http no substitute ie-reload option 33: http no substitute if-modified-since option 34: http no substitute pragma-no-cache option 35: http parse meta-tag expires option 36: http persistent client option 37: http persistent server option 38: http persistent-timeout client num_seconds option 39: http persistent-timeout server num_seconds option 40: http pipeline client requests option 41: http pipeline client redirects option 42: http pipeline prefetch requests option 43: http pipeline prefetch redirects option 44: http proprietary-headers bluecoat option 45: http receive-timeout client num_seconds 78 .

Uses NTLM for Microsoft Internet Explorer proxy. force-ntlm no parse meta-tag expires persistent persistent-timeout {client num_seconds | server num_seconds} 79 . personal-pages caches objects that appear to be personal pages. Enables HTTP byte range support. {client | server} Enables support for persistent client requests (from the browser) or persistent server requests (to the Web server).Chapter 3: Privileged Mode Configure Commands option 46: http receive-timeout server num_seconds option 47: http receive-timeout refresh num_seconds option 48: http strict-expiration refresh option 49: http strict-expiration serve option 50: http strip-from-header option 51: http substitute conditional option 52: http substitute ie-reload option 53: http substitute if-modified-since option 54: http substitute pragma-no-cache option 55: http upload-with-pasv option 56: http version 1. authenticated-data caches any data that appears to be authenticated. Adds the via header to forwarded requests. reverse-dns stores objects under the name of the associated host instead of the IP address.1 where: http – add-header client-ip via x-forwarded-for byte-ranges cache {authenticated-data | expired | personal-pages | reverse-dns} Adds the client-ip header to forwarded requests. parameter Negates the specified command. expired retains cached objects older than the explicit expiration.0 option 57: http version 1. Sets persistent connection timeout for the client or the server to num_seconds. Parses HTML objects for the "expires" meta-tag. Adds the x-forwarded-for header to forwarded requests.

Removes HTTP information from headers. server. or refresh to num_seconds.Security Appliance Command Line Reference pipeline client {redirects | requests} prefetch {redirects | requests} Prefetches either embedded objects in client requests or redirected responses to client requests. 80 .0 | 1." Enables or disables uploading with Passive FTP. Prefetches either embedded objects in pipelined objects or redirected responses to pipelined requests. strict-expiration strip-from-header substitute {conditional | ie-reload | if-modified-since | pragma-no-cache} Replaces complex requests with a simple "get.1 conditional get. Enables Blue Coat's proprietary HTTP header extensions.1} Example SGOS#(config) http version 1. proprietary-headers bluecoat receive-timeout {client num_seconds | refresh num_seconds | server num_seconds} refresh | serve Sets receive timeout for client." pragma-no-cache uses an HTTP "get" instead of "get pragma: no-cache. Note: These commands are not available through a telnet session." conditional uses an HTTP "get" instead of an HTTP 1. Indicates the version of HTTP that should be used by the Security Appliance. ie-reload uses an HTTP "get" for Microsoft Internet Explorer reload requests. upload-with-pasv version {disable | enable} {1.1 ok SGOS#(config) http byte-ranges ok SGOS#(config) http no force-ntlm ok SGOS#(config) #(config)https Use this command to configure HTTPS options. Forces compliance with explicit expirations by either never refreshing objects before their explicit expiration or never serving objects after their explicit expiration. if-modified-since uses an HTTP "get" instead of "get-if-modified.

certificate console-map keyringID keyringID Creates a certificate using the named keyring.Chapter 3: Privileged Mode Configure Commands Syntax https This changes the prompt to: SGOS#(config https) . Creates a console map using the named keyring. certificates.subcommandsoption 1: create certificate keyringID option 2: create console-map keyringID option 3: create keyring {show | no-show} keyringID [key_length] option 4: create signing-request keyringID option 5: delete ca-certificate name option 6: delete certificate keyringID option 7: delete console-map option 8: delete keyring keyringID option 9: delete signing-request keyringID option 10: import ca-certificate name option 11: import certificate keyringID option 12: import keyring {no-show keyringID | show keyringID} option 13: import signing-request keyringID option 14: set cipher-suite console-map option 15: view ca-certificate name option 16: view certificate keyringID option 17: view cipher-suite console-map option 18: view console-map option 19: view keypair {des keyringID | des3 keyringID | unencrypted keyringID} option 20: view keyring keyringID option 21: view send-client-ip option 22: view signing-request keyringID option 23: view ssl-nego-timout option 24: view summary ca-certificate name where: https create – Creates keypairs. and signing requests. 81 .

certificates. https view – Enables you to view keypairs. and signing requests. Deletes the keyring specified by keyringID. Displays the keyring associated with the named keyringID. or unencrypted keypair associated with the named keyring. cipher-suite console-map Specifies that the cipher suite defined in the console map should be used. • the type of signature algorithm (hash) that should be used. Displays the management console map. ca-certificate certificate keyring signing-request name keyringID {no-show keyringID | show keyringID} keyringID https set – Sets cipher suites. keyringID keyringID https import – Enables you to import keypairs. certificates. key_length indicates the length of the key. Displays the cipher suite named in the console map. signing-request ca-certificate certificate console-map keyring signing-request keyringID name keyringID https delete – Deletes keypairs. Deletes the certificate identified by keyringID. certificates. Deletes the console map. A cipher suite names: • the type of certificate. SSL supports a variety of alternate encryption protocols for communication called cipher suites. Displays the named Certificate Authority certificate. Displays the certificate identified by keyringID. Deletes the certificate signing request identified by keyringID. and signing requests. Creates a certificate signing request. Imports the certificate identified by keyringID. and signing requests. triple-DES. Displays the send-client-ip status.Security Appliance Command Line Reference keyring {show | no-show} keyringID [key_length] Creates a keyring with a "non-showable" keypair. {des keyringID | des3 keyringID | unencrypted keyringID} keyringID Displays the Data Encryption Standard (DES). Imports the "show" or "no show" keyring identified by keyringID. view ca-certificate certificate cipher-suite console-map keypair name keyringID console-map keyring send-client-ip 82 . Deletes the named Certificate Authority certificate. • the type of encryption that should be used. Imports the named Certificate Authority certificate. Imports the certificate signing request identified by keyringID.

whether you are configuring the service on the Security Appliance or defining policies since the name retrieves the other configuration settings for that service. Note: When you define virus scanning policies. as well as the supported number of connections.Chapter 3: Privileged Mode Configure Commands signing-request ssl-nego-timout summary ca-certificate keyringID Displays the certificate-signing request associated with keyringID. 83 . add an ICAP service for each server or scanning service. Displays the SSL negotiation timeout period status. Make sure you type the ICAP service name accurately. The configuration is specific to the virus scanning server and includes the server IP address. Deletes the ICAP service identified by service_name. Set the method (REQMOD or RESPMOD) cluster_name Manage ICAP clusters. #(config)icap Use this command to configure the ICAP service used to integrate the Security Appliance with a virus scanning server. use the same service name. If you are using the Security Appliance with multiple virus scanning servers or multiple scanning services on the same server. clusters {add | delete | edit | view} services add delete edit service_name service_name service_name methods Adds the ICAP service identified by service_name. Syntax icap This changes the prompt to: SGOS#(config icap) . name Displays a summary of the Certificate Authority certificate commands used in this session for name.subcommandsoption 1: clusters option 2: services option 3: exit where: icap – Enables you to configure the ICAP service used to integrate the Security Appliance with a virus scanning server.

Security Appliance Command Line Reference

icap-version man-conn max_num_connections preview-size bytes

Sets the ICAP version (1.0 or 0.95). Sets the maximum number of connections. Sets how many bytes are previewed by the ICAP server to determine if a content transformation is required. Contacts the ICAP server and automically configures the ICAP service. Note: applies to v1.0 only; ICAP method must already be specified. Sets the timeout value. Specifies the URL of the ICAP server. Specifies the ICAP vendor. Specifies the ICAP service pattern version. Displays the current ICAP configurations. Displays the current ICAP configurations.

sense-settings

timeout seconds url url vendor {generic | symantec | trendmicro} version version view view

Example
SGOS#(config) icap SGOS#(config icap) services SGOS#(config icap services) add virusservice1 ok SGOS#(config icap services) edit virusservice1 SGOS#(config icap services virusservice1) url http://10.1.1.1:1344 SGOS#(config icap services virusservice1) icap-version 1.0 SGOS#(config icap services virusservice1) method RESPMOD SGOS#(config icap services virusservice1) sense-settings SGOS#(config icap services virusservice1) exit SGOS#(config icap services) exit SGOS#(config icap) clusters SGOS#(config icap clusters) add virusscancluster1 ok SGOS#(config icap clusters) edit virusscancluster1 SGOS#(config icap clusters virusscancluster1) add virusservice1 ok SGOS#(config icap clusters virusscancluster1) exit SGOS#(config icap clusters) exit SGOS#(config icap)

#(config)icp
ICP is a caching communication protocol. It allows a cache to query other caches for an object, without actually requesting the object. By using ICP, the Security Appliance determines if the object is available from a neighboring cache, and which Security Appliance will provide the fastest response.

84

Chapter 3: Privileged Mode Configure Commands

Once you have created the ICP or advanced forwarding configuration file, place the file on an FTP or HTTP server so it can be downloaded to the Security Appliance.

Syntax
icp {no path | path url}

where:
icp – Specifies an ICP configuration file. no path path url Negates the path previously set using the command icp path url. Specifies the network location of the ICP configuration file to download.

Example
SGOS#(config) icp path 10.25.36.47/files/icpconfig.txt ok

#(config)identd
IDENTD implements the TCP/IP IDENT user identification protocol. IDENTD operates by looking up specific TCP/IP connections and returning the user name of the process owning the connection.

Syntax
identd

This changes the prompt to:
SGOS#(config identd)

-subcommandsoption 1: disable option 2: enable option 3: exit option 4: show where:
identd – Configure identd. disable enable Disables IDENTD. Enables IDENTD.

Example
SGOS#(config) identd SGOS#(config identd) enable ok

85

Security Appliance Command Line Reference

#(config)inline
There are two ways to create a configuration file for your Security Appliance. You can use the SGOS inline command or you can create a text file to house the configuration commands. If you choose to configure using the inline command, refer to the example below:
SGOS# configure terminal SGOS#(config) inline wccp token . . . end token

Where token marks the end of the inline commands. If you choose to create a configuration file, be sure to assign the file the extension .txt. Use a text editor to create this file, noting the following Security Appliance configuration file rules: • • • Only one command (and any associated parameters) permitted, per line Comments must begin with a semicolon (;) Comments can begin in any column, however, all characters from the beginning of the comment to the end of the line are considered part of the comment and, therefore, are ignored

When entering input for the inline command, you can correct mistakes on the current line using the backspace key. If you detect a mistake in a line that has already been terminated using the Enter key, you can abort the inline command by typing Ctrl-C. If the mistake is detected after you terminate input to the inline command, type the same inline command again but with the correct configuration information. The corrected information replaces the information from the last inline command. The end-of-input marker is an arbitrary string chosen by the you to mark the end of input for the current inline command. The string can be composed of standard characters and numbers, but cannot contain any spaces, punctuation marks, or other symbols. Take care to choose a unique end-of-input string that does not match any string of characters in the configuration information.

Syntax
option 1: inline accelerated-pac eof_marker option 2: inline bypass-list central eof_marker option 3: inline bypass-list local eof_marker option 4: inline error-pages eof_marker option 5: inline forwarding eof_marker option 6: inline icp-settings eof_marker option 7: inline policy central eof_marker option 8: inline policy local eof_marker option 9: inline policy vpm-cpl eof_marker option 10: inline policy xml-cpl eof_marker

86

local. or vpm-xml eof_marker and the next eof_marker. Creates and installs a policy file using the console input commands you enter between policy central. Creates and installs forwarding configurations using the console input commands you enter between error-pages eof_marker and the next eof_marker. Creates and installs a bypass list file using the console input commands you enter between bypass-list central or local eof_marker and the next eof_marker. Creates and installs HTTP error pages using the console input commands you enter between error-pages eof_marker and the next eof_marker. vpm-cpl.Chapter 3: Privileged Mode Configure Commands option 11: inline rip-settings eof_marker option 12: inline static-route-table eof_marker option 13: inline streaming real-media eof_marker option 14: inline wccp-settings eof_marker where: inline – Enables you to add or edit configuration commands using the CLI instead of a distinct configuration file. Creates and installs a RIP settings file using the console input commands you enter between rip-settings eof_marker and the next eof_marker. Creates and installs a static route table file using the console input commands you enter between static-route-table eof_marker and the next eof_marker. bypass-list {central | local} eof_marker error-pages eof_marker forwarding eof_marker icp-settings eof_marker policy {central | local | vpm-cpl | xml-cpl} eof_marker rip-settings eof_marker static-route-table eof_marker 87 . accelerated-pac eof_marker Creates and installs an accelerated PAC file using the console input commands you enter between accelerated-pac eof_marker and the next eof_marker. Creates and installs an ICP settings file using the console input commands you enter between icp-settings eof_marker and the next eof_marker.

Creates and installs a WCCP settings file using the console input commands you enter between wccp-settings eof_marker and the next eof_marker. . Deletes the system indicated by system_number. . eof ok #(config)installed-systems Use this command to manage the list of installed Security Appliance systems.Security Appliance Command Line Reference streaming real-media eof_marker Creates and installs a streaming configuration file using the console input commands you enter between real-media eof_marker and the next eof_marker. default delete system_number system_number Sets the default system to the system indicated by system_number. boot and lock status. and timestamp information. 88 .Configures Security Appliance system information such as version and release numbers. Syntax isntalled-systems This changes the prompt to: SGOS#(config installed-systems) -subcommandsoption 1: default system_number option 2: delete system_number option 3: exit option 4: lock system_number option 5: no {lock system_number | replace} option 6: replace system_number where: installed-systems . wccp-settings eof_marker Example SGOS#(config) inline wccp-settings eof wccp enable .

system_number lock system_number Locks the system indicated by system_number.Chapter 3: Privileged Mode Configure Commands exit Exits configure installed-system mode and returns you to configure mode. Syntax interface fast-ethernet interface_num fast-ethernet interface_num Sets the number of the fast Ethernet connection to interface_num. you can configure each one using the command-line interface. lock no replace replace system_number Example SGOS#(config) installed-systems SGOS#(config installed-systems) default 2 ok SGOS#(config installed-systems) lock 1 ok SGOS#(config installed-systems) exit SGOS#(config) Note: To view the currently installed Security Appliance systems. inclusive. Unlocks the system indicated by system_number if it is currently locked. Valid values for interface_num are 0 through 3.subcommandsoption 1: accept-inbound option 2: full-duplex 89 . Specifies that the system currently tagged for replacement should not be replaced. use the show installed-systems command. Specifies that the system identified by system_number is to be replaced next. This changes the prompt to: SGOS#(config interface x) . If you want to modify the built-in adapter configuration. #(config)interface fast-ethernet This command enables you to configure the network interfaces. or if you have multiple adapters. The default replacement will be used (oldest unlocked system). The built-in Ethernet adapter is configured for the first time using the setup console.

{10 | 100} mask Specifies the interface speed.255.10.252. Configures for the specified client proxy instructions.255. Specifies that the interface should autosense speed and duplex. Configures this interface for half duplex. Sets the IP address for this interface to ip_address.255. Configures this interface for full duplex.255.Security Appliance Command Line Reference option 3: half-duplex option 4: ip-address ip_address option 5: instructions {proxy | default-pac | central-pac url | accelerated-pac} option 6: link-autosense option 7: mtu-size option 8: no {accept-inbound | link-autosense} option 9: show option 10: speed {10 | 100} option 11: subnet-mask mask where: interface fast-ethernet– accept-inbound full-duplex half-duplex ip-address instructions ip_address {proxy | default-pac | central-pac url | accelerated-pac} Permits inbound connections to this interface. link-autosense mtu-size no show speed subnet-mask Example SGOS#(config) interface 0 SGOS#(config interface 0) ok SGOS#(config interface 0) ok SGOS#(config interface 0) ok SGOS#(config interface 0) SGOS#(config)interface 1 SGOS#(config interface 1) ok SGOS#(config interface 1) ip-address 10. {accept-inbound | link-autosense} Negates the current accept-inbound or link-autosense settings. Sets the subnet mask for the interface.0 exit ip-address 10.72 subnet-mask 255.252.54 instructions accelerated-pac subnet-mask 255. Displays running system information.10.0 90 .

static routes or RIP). Note: Load balancing through multiple IP gateways is independent from the per-interface load balancing that the Security Appliance automatically does when more than one network interface is installed. you can fine tune how the traffic is distributed among gateways. ip_address Specifies the IP address of the default gateway to be used by the Security Appliance.36. weight. You can set the timeout and other session-specific options using the line-vty command. If you leave the session idle. the connection will eventually timeout and you will have to reconnect.subcommandsoption 1: exit option 2: length num_lines_on_screen option 3: show option 4: telnet {no transparent | transparent} 91 .47 #(config)line-vty When you have a Telnet session to the CLI.25. Further. The default timeout is five minutes. {preference group (1-10)} {weight (1-100)} Example SGOS#(config) ip-default-gateway 10. Syntax line-vty This changes the prompt to: SGOS#(config line-vty) .Chapter 3: Privileged Mode Configure Commands ok SGOS#(config interface 1) exit SGOS#(config) #(config)ip-default-gateway A key feature of the Security Appliance is the ability to distribute traffic originating at the cache through multiple IP gateways. that session will remain open as long as there is activity. and group membership for the default gateway. This feature works with any routing protocol (for example. Syntax ip-default-gateway ip_address {preference group (1-10)} {weight (1-100)} where: ip-default-gateway – Enables you to configure default IP gateway IP address.

carriage returns are sent to the console as a carriage return. Specifies the number of lines of code that should appear on the screen at once.Security Appliance Command Line Reference option 5: timeout minutes where: line-vty – exit length num_lines_on_screen Returns you to the config prompt. If you specify no transparent. carriage returns are sent to the console as a carriage return plus linefeed. Syntax option 1: load accelerated-pac option 2: load bypass-list central option 3: load bypass-list local option 4: load error-pages option 5: load forwarding option 6: load icp-settings option 7: load policy central option 8: load policy local option 9: load rip-settings option 10: load static-route-table option 11: load streaming real-media option 12: load upgrade 92 . show telnet timeout minutes Example SGOS#(config) line-vty SGOS#(config line vty) timeout 60 ok #(config)load Use this command to load specific configuration or settings files. Specify 0 to scroll without pausing. Sets the line timeout to the number of minutes indicated by minutes. {no transparent | transparent} Indicates that this is a Telnet protocol-specific configuration. Displays running system information. If you specify transparent.

or a new version of the VPM. Example SGOS#(config) management-port 8086 ok 93 . Downloads a new ICP settings file. Downloads a new system image. port_number protocol {http | https} Specifies the port number to use for the Security Appliance.Chapter 3: Privileged Mode Configure Commands option 13: load wccp-settings where: load – Loads any of various ancillary configuration files. Downloads a new WCCP configuration file. Syntax management-port {port_number | protocol {http | https}} where: management-port – Names the management port to use for the Security Appliance and the protocol to use. Downloads either a new central or local bypass list file. Specifies the protocol for the management console port. Downloads either a new central. Downloads a new RIP settings file. rip-settings static-route-table streaming upgrade wccp-settings Example SGOS#(config) load bypass-list central ok #(config)management-port This command sets the IP port to which the Security Appliance listens for Web console connections. Downloads a new static route table. Downloads a new error pages file. a local policy file. Downloads a new forwarding configuration file. accelerated-pac bypass-list error-pages forwarding icp-settings policy {central | local | vpm-software} {central | local} Downloads a new accelerated PAC file. {real-media | windows-media} Downloads either a new RealNetworks or Windows media file.

archive-configuration content priority {regex regex | url url outstanding-requests {delete | priority | revalidate} regex ip-default-gateway socks-machine-id upgrade-path ip_address Clears the archive configuration upload site. SOCKS machine. or deletion). IP default gateway. 94 . Removes a deletion regular expression policy or a deletion URL policy. Clears the upgrade image download path. Syntax option 1: no archive-configuration option 2: no content priority regex regex option 3: no content {priority {regex regex | url url} | outstanding-requests {delete | priority | revalidate} regex} option 4: no ip-default-gateway ip_address option 5: no socks-machine-id option 6: no upgrade-path where: no – Negates certain configuration settings. priority. regular expression command in-progress (revalidation. url Remove a deletion URL policy. Removes the SOCKS machine ID from the configuration.Security Appliance Command Line Reference #(config)netbios Use this command to configure NETBIOS. content priority. Syntax option 1: netbios {enable | disable} #(config)no Use this command to negate the current settings for the archive configuration. Sets the default gateway IP address to zero. or system upgrade path. Deletes a specific. Example SGOS#(config) no archive-configuration ok SGOS#(config) no content priority % Type no content priority ? for a list of subcommands SGOS#(config) no content priority ? regex Remove a deletion regular expression policy.

Chapter 3: Privileged Mode Configure Commands SGOS#(config) ok SGOS#(config) ok SGOS#(config) ok SGOS#(config) ok SGOS#(config) ok no content priority regex http://. The Security Appliance sets the UTC time by connecting to an NTP server. Network Time Protocol (NTP) is a protocol that is used to synchronize computer clock times in a network of computers. Adds the NTP server named domain_name from the NTP server list. Syntax option 1: policy central-path url option 2: policy local-path url option 3: policy no central-path 95 . server domain_name Example SGOS#(config) ntp server clock.bluecoat. The Security Appliance includes a list of NTP servers available on the Internet. Removes the NTP server named domain_name from the NTP server list. Disables NTP.252. clear disable enable no server domain_name Removes all entries from the NTP server list.10.edu ok #(config)policy Use this command to specify central and local policy file location. you can set the time manually using the Management Console. Syntax ntp {clear | disable | enable | no server domain_name | server domain_name} where: ntp – Specifies the status and name of the NTP server.*cnn.wsu.com no content priority url http://www. Enables NTP.50 no socks-machine-id no upgrade-path #(config)ntp Use this command to set NTP parameters. If an NTP server is not available.tricity.com no ip-default-gateway 10. status. and other options.

For notify. central-path url Specifies the network path (indicated by url) from which the central policy file may be downloaded. specifies that no e-mail notification should be sent if the central policy file should change. For subscribe. specifies that the current central or local policy file URL setting should be cleared. order of v)pm. {allow | deny} Allows or denies the default proxy policy.Security Appliance Command Line Reference option 4: policy no local-path option 5: policy no notify option 6: policy no subscribe option 7: policy no vpm-software option 8: policy notify option 9: policy order option 10: policy poll-interval minutes option 11: policy poll-now option 12: policy proxy-default option 13: policy reset option 14: policy subscribe option 15: policy vpm-software where: policy – Specifies central and local policy file location and status. For central-path or local-path. Clears all policies. specifies that the current policy should not be automatically updated in the event of a central policy change. Specifies the number of minutes that should pass between tests for central policy file changes. clears the network path to download VPM software. Specifies that an e-mail notification should be sent if the central policy file should change. c)entral minutes Specifies the policy evaluation order. local-path url no {central-path | local-path | notify | subscribe | vpm-software} notify order poll-interval poll-now proxy-default reset 96 . l)ocal. For vpm-software. Specifies the network path (indicated by url) from which the local policy file may be downloaded. Tests for central policy file changes immediately.

txt ok SGOS#(config) policy poll-interval 10 ok #(config)restart Use this command to set restart options for the Security Appliance. Under these conditions.com/local. Syntax restart {compress | core-image {context | full | none} | mode {hardware | software} where: restart – Configures system restart settings.com/central. including core image information and compression status. vpm-software Example SGOS#(config) policy local-path http://www. 97 .Chapter 3: Privileged Mode Configure Commands subscribe Indicates that the current local policy should be automatically updated in the event of a central policy change. There are no static routes or RIP routes defined that apply to the IP addresses of the clients and servers. Specifies either a hardware or software restart. if the return-to-sender feature is enabled. Example SGOS#(config) restart mode software ok #(config)return-to-sender The return-to-sender feature eliminates unnecessary network traffic when the three following conditions are met: • • • The Security Appliance has connections to clients or servers on a different subnet. compress core-image mode {context | full | none} {hardware | software} Indicates that a compressed core image should be written on restart.txt ok SGOS#(config) policy central-path http://www. url Specifies the network path to download the VPM software.server2. The shortest route to the clients or servers is not through the default gateway. the Security Appliance remembers the MAC address of the last hop for a packet from the client or server and sends any responses or requests to the MAC address instead of the default gateway. Indicates the type of core image that should be written on restart.server1.

Security Appliance Command Line Reference Under the same conditions. HTTP. This effectively doubles the number of packets transmitted on the LAN compared to when return-to-sender is enabled. which then sends the packets to the gateway representing the last hop to the Security Appliance for the associated connection. Example SGOS#(config) return-to-sender inbound enable ok #(config)reveal-advanced The reveal-advanced command allows you to enable all or a subset of the advanced commands available to you when using the CLI. and TCP/IP advanced commands. all expand tcp-ip Disables all expanded. The advanced commands that you can enable include HTTP and TCP/IP commands. Disables all expanded advanced commands. inbound outbound {disable | enable} {disable | enable} Enables or disables return-to-sender for inbound sessions. if return-to-sender is disabled. Enables or disables return-to-sender for outbound sessions. the Security Appliance sends requests or responses to the default gateway. Outbound return-to-sender affects connections initiated by the Security Appliance to origin servers. Note: Return-to-sender functionality should only be used if static routes cannot be defined for the clients and servers or if routing information for the clients and servers is not available through RIP packets. Example SGOS#(config) reveal-advanced expand ok SGOS#(config) reveal-advanced tcp-ip 98 . Disables all TCP/IP advanced commands. Syntax reveal-advanced {all | expand | tcp-ip} where: reveal-advanced – Enables the system administrator to hide and disable certain advanced commands. Inbound return-to-sender affects connections initiated to the Security Appliance by clients. Syntax return-to-sender {inbound {disable | enable} | outbound {disable | enable}} where: return-to-sender – Configures return-to-sender inbound and outbound settings.

path url Example SGOS#(config) rip path 10. a host and router can send a routing table list of all other known hosts to its closest neighbor host every 30 seconds.47/files/rip. Syntax rip {disable | enable | no path | path url} where: rip – Specifies information regarding RIP settings. first create a text file of RIP commands and then load the file by using the load command.) Each host in the network can then use the routing table information to determine the most efficient route for a packet. The authentication services supported are: LDAP – Lightweight Directory Access Protocol NTLM – Windows NT Challenge Response (integrated authentication) RADIUS – Remote Authentication for Dialup Users 99 .txt ok #(config)security The Security Appliance provides the ability to authenticate using industry-standard proxy authentication and authorization (AA) services for users accessing one or multiple Security Appliance(s)—in either explicit proxy mode or transparent proxy mode. including status and location. (RIP uses the hop count measurement to derive network distance.25.Chapter 3: Privileged Mode Configure Commands ok SGOS#(config) reveal-advanced all ok SGOS#(config) #(config)rip Use this command to set RIP (Routing Information Protocol) configuration options. disable enable no path Disables the current RIP configuration. Using RIP. Sets the path to the RIP configuration file to the URL indicated by url. The neighbor host passes this information on to its next closest neighbor and so on until all hosts have perfect knowledge of each other. The RIP configuration is defined in a configuration file.36. Enables the current RIP configuration. To configure RIP. Clears the current RIP configuration path as determined using the rip path url command.

"Authentication and Authorization" chapter. and so forth) within each authentication scheme with the introduction of a new concept: the realm. and even disparate. LDAP directory servers together with NT domains with no trust relationship. external server configuration – backend server configuration information such as IP address. for example. backend servers (for example. and other relevant information based on the selected service. A realm defines a schema used to authenticate and authorize users for access to Security Appliance services using either of the authentication mechanisms mentioned above. Even for companies using only one protocol. or UNIX). authentication schema – the definition that will be used to authenticate users. A realm configuration is composed of the following: • • • • • realm name authentication service – (LDAP. in a Blue Coat proprietary format The Security Appliance provides a flexible authentication architecture that supports all of the above services with the ability to specify multiple. groups and passwords are stored in a file on the Security Appliance. multiple realms may be necessary--as in the case of a company using an LDAP server with multiple authentication boundaries. or your company has merged with or acquired another company.Security Appliance Command Line Reference UNIX – Users. refer to the Blue Coat Systems Port 80 Security Appliance Configuration and Management Guide. NTLM. authorization schema – the definition that will be used to authorize users for membership in defined groups and check for attributes that trigger evaluation against any defined policy rules. It is important to note that multiple authentication realms and multiple policy realms can be used on a single Security Appliance. port. Multiple realms become essential if your enterprise is a Managed Service provider. RADIUS. For details. Syntax option 1: security allowed-access source_ip [mask] option 2: security destroy-old-passwords option 3: security enable-password password option 4: security flush-credentials option 5: security flush-credentials on-policy-change disable option 6: security flush-credentials on-policy-change enable option 7: security front-panel-pin PIN option 8: security hashed-front-panel-pin hashed-PIN option 9: security hashed-enable-password hashed-password option 10: security hashed-password hashed-password option 11: security enforce-acl option 12: security ldap all alternate-server ip_address [port] option 13: security ldap all cache-duration minutes option 14: security ldap all case-sensitive disable option 15: security ldap all case-sensitive enable 100 .

Chapter 3: Privileged Mode Configure Commands option 16: security ldap all distinguished-name user-attribute-type user_attribute_type option 17: security ldap all distinguished-name [{add | | demote | no | promote}] base-dn base_dn option 18: security ldap all distinguished-name clear base-dn option 19: security ldap all membership-attribute attribute_name option 20: security ldap all membership-type group option 21: security ldap all membership-type user option 22: security ldap all no alternate-server option 23: security ldap all no membership-attribute option 24: security ldap all no spoof-authentication option 25: security ldap all primary-server ip_address port option 26: security ldap all search anonymous disable option 27: security ldap all search anonymous enable option 28: security ldap realm_name all search dereference {always | finding | never | searching} option 29: security ldap all search encrypted-password encrypted_password option 30: security ldap all search password password option 31: security ldap all search user-dn user_dn option 32: security ldap all server-type {ad | iplanet | nds | other} option 33: security ldap all spoof-authentication option 34: security ldap create-realm {ad | iplanet | nds | other} realm_name [base_DN] primary_ip [port] option 35: security ldap delete-realm realm_name option 36: security ldap edit-realm realm_name option 37: security ldap edit-realm realm_name all search encrypted-password encrypted_password option 38: security ldap edit-realm realm_name all search password password option 39: security ldap edit-realm realm_name no spoof-authentication option 40: security ldap edit-realm realm_name search encrypted-password encrypted_password option 41: security ldap edit-realm realm_name search encrypted-password encrypted_password option 42: security ldap edit-realm realm_name search password password option 43: security ldap edit-realm spoof-authentication option 44: security ldap view option 45: security ldap view realm_name option 46: security ldap realm_name option 47: security ldap realm_name search dereference {always | finding | never | searching} 101 .

Security Appliance Command Line Reference option 48: security management auto-logout-timeout seconds option 49: security management display-realm name option 50: security management no auto-logout-timeout option 51: security management no display-realm option 52: security no allowed-access source_ip [ip_mask] option 53: security no enforce-acl option 54: security ntlm all alternate-server ip_address port option 55: security ntlm all cache-duration minutes option 56: security ntlm all no alternate-server option 57: security ntlm all primary-server ip_address [port] option 58: security ntlm all timeout seconds option 59: security ntlm all server-retry count option 60: security ntlm create-realm realm_name primary_server_ip [primary_server_port] option 61: security ntlm delete-realm realm_name option 62: security ntlm edit-realm realm_name option 63: security ntlm view option 64: security ntlm view realm_name option 65: security ntlm realm_name option 66: security password password option 67: security password-display {encrypted | keyring | none | view} option 68: security radius create-realm-encrypted realm_name encrypted-secret primary_server_ip [primary_server_port] option 69: security radius create-realm realm_name encrypted_secret primary_server_ip [primary_server_port] option 70: security radius create-realm realm_name secret primary_server_ip [primary_server_port] option 71: security radius delete-realm realm_name option 72: security radius edit-realm realm_name option 73: security radius edit-realm realm alternate-server encrypted-secret encrypted_secret option 74: security radius edit-realm realm primary-server encrypted-secret encrypted_secret option 75: security radius edit-realm realm alternate-server secret secret option 76: security radius edit-realm realm no spoof-authentication option 77: security radius edit-realm realm primary-server secret secret option 78: security radius edit-realm realm spoof-authentication option 79: security radius view option 80: security radius view realm_name 102 .

flush-credentials on-policy-change enable flushes the credentials cache when a change to the central policy file has been detected. RADIUS. allowed-access destroy-old-passwords source_ip [mask] [force] Adds the IP address indicated by source_IP to the Access Control List. and UNIX). This command. while improving security. [on-policy-change [disable | enable]] With no additional parameters. Destroys recoverable passwords in the registry key from previous versions. Specifies the PIN for the front panel console. flush-credentials on-policy-change disable does not.Chapter 3: Privileged Mode Configure Commands option 81: security radius realm_name option 82: security username user_name option 83: security transparent-proxy-auth cookie persistent option 84: security transparent-proxy-auth cookie session option 85: security transparent-proxy-auth cookie virtual-url url option 86: security transparent-proxy-auth method ip option 87: security transparent-proxy-auth method cookie option 88: security transparent-proxy-auth time-to-live {ip minutes | persistent-cookie minutes} option 89: security unix create-realm realm_name option 90: security unix delete-realm realm_name option 91: security unix edit-realm realm_name no spoof-authentication option 92: security unix edit-realm realm_name parameter option 93: security unix edit-realm realm_name spoof-authentication option 94: security unix view option 95: security unix view realm_name option 96: security unix realm_name where: security – Configures authorization and authentication methods and realms (LDAP. flushes the credentials cache immediately. This does not affect modules that allow configuration for the front panel. NTLM. should only be used if you do not plan to upgrade. Puts into effect the console enable (or privileged mode) password specified by password. Enforces the console Access Control List. enable-password password enforce-acl flush-credentials front-panel-pin pin 103 .

demote moves the specified base distinguished name down in the search order in each realm that contains a match. Clears the current alternate LDAP server IP address and port for all LDAP realms. Enables searching using the user encrypted password if anonymous search is disabled. Specifies the hashed PIN for the front panel console. 104 . promote moves the specified base distinguished name up in the search order in each realm that contains a match. Configures the base distinguish names for all of the LDAP realms. alternate-server cache-duration case-sensitive distinguished-name user-attribute-type distinguished-name ip_address [port] minutes {disable | enable} user_attribute_type {add | | demote | no | promote} base-dn base_dn ~or~ clear base-dn membership-attribute membership-type no alternate-server no membership-attribute no spoof-authentication primary-server search anonymous search encrypted-password attribute_name {group | user} ip_address [port] {disable | enable} encrypted_password Sets the current primary LDAP server IP address and port for all LDAP realms. Specifies the length of time to cache user credentials for all LDAP realms. Enables or disables the case-sensitivity of all LDAP realms. no deletes the specified base distinguished name from the realm.Security Appliance Command Line Reference hashed-enablepassword hashed-front-panelpin hashed password Puts into effect the console hashed enable password specified by hashed-password. Disables spoof-authentication. Specifies the membership attribute for all LDAP realms. Specifies the alternate LDAP server IP address and port for all LDAP realms. Specifies group or user name mapping authorization mode. clear deletes all distinguish names from every realm. Enables or disables anonymous searches for all LDAP realms. This does not affect modules that allow configuration for the front panel. Clears the membership attribute for all LDAP realms. add appends a base distinguished name to each realm. Configures the distinguished name (DN) user attribute type for all LDAP realms. hashed pin security ldap all – Configures security aspects of all LDAP realms.

Finding: Derefrence aliases in locating the base object of the search but not during searching Always (the default): Derefrence aliases both during searching and locating. deletes. Finding: Derefrence aliases in locating the base object of the search but not during searching Always (the default): Derefrence aliases both during searching and locating Configures alternate LDAP server. Deletes the LDAP realm named realm_name. Never: Do not derefrence aliases in searching or in locating the base object Searching: Derefrence aliases only during searching and not locating the object. Changes prompt to config radius realm_name. Enables searching using the user distinguished name if anonymous search is disabled. search user-dn user_DN spoof-authentication security ldap – Creates. Creates a new LDAP realm named realm_name.Chapter 3: Privileged Mode Configure Commands search password password Enables searching using the user password if anonymous search is disabled. Allows forwarding user credentials from the credential cache to the origin content server. or displays information about a particular LDAP realm. Changes the dereference level for a single realm.) Never: Do not derefrence aliases in searching or in locating the base object Searching: Derefrence aliases only during searching and not locating the object. all search [dereference {always | finding | never | searching}] [password password] [encrypted-password encrypted_password] Specify if and when to follow alias pointers on the LDAP server. (Dereferencing specifies if and when to follow alias pointers on the LDAP server. Edits the LDAP realm named realm_name. Authentication to an upstream server can only be done when the Security Appliance and the OCS have the same set of username/password combinations. create-realm {ad | iplanet | nds | other} realm_name base_DN primary_ip [primary_port] realm_name realm_name delete-realm edit-realm edit-realm realm_name dereference [always | finding | never | searching] alternate-server ip_address [port] 105 .

exit membership-attribute type membership-type {group | user} no {alternate-server | membership-attribute | spoof-authentication} primary-server ip_address [port] rename realm_name search {anonymous {enable | disable} | password password | user-dn user-dn} server-type {ad | iplanet | nds | other} spoof-authentication Changes the server type for this realm. Displays information about the LDAP realm named realm_name. Sets the LDAP distinguished name user attribute type. Exits edit-realm mode. Configures the distinguished names. add appends a distinguished name to the realm. Enables or disables case sensitivity within the realm. Configures the primary server. Allows forwarding user credentials from the credential cache to the origin content server. clear deletes all distinguished names from the realm. the membership attribute or disables spoof-authentication. Configures realm search options.Sets Security Appliance realm settings 106 . promote moves the specified distinguished name up one in the search order.Security Appliance Command Line Reference cache-duration minutes case-sensitive {enable | disable} distinguished-name user-attribute-type attribute_type distinguished-name {add | | demote | no | promote} base-dn base_dn ~or~ distinguished-name clear base-dn Specifies the length of time to cache user credentials. Displays running system information or displays information for this realm. Renames the realm. Specifies the membership attribute type Specifies group mapping authorization mode or user attribute mapping authorization mode. Authentication to an upstream server can only be done when the Security Appliance and the OCS have the same set of username/password combinations. no deletes the specified distinguished name from the realm. Deletes the alternate server. {show | view} view realm_name security management . demote moves the specified distinguished name down in the search order.

or displays information about a particular NTLM realm. Disables the IP address indicated by source_ip in the Access Control List. Renames the realm. Configures the number of authentication retry attempts for all NTLM realms. Exits edit-realm mode. Specifies the length of time to cache user credentials. display-realm name no display-realm auto-logout-timeout security no – Negates certain Access Control List features. The default is the IP address that was used to connect to the system Resets the name of the Security Appliance realm to the Security Appliance IP address. The default is 900 seconds (15 minutes). Specifies the length of time to cache user credentials for all NTLM realms. Sets the name of the Security Appliance realm. Deletes the NTLM realm named realm_name. ip_address [port] seconds count Specifies the primary LDAP server IP address and port for all NTLM realms. Configure the primary server. Configures the NTLM query timeout for all NTLM realms. Disables the session timeout feature. Specifies the alternate LDAP server IP address and port for all NTLM realms. primary-server timeout server-retry security ntlm – Creates. Configures alternate RADIUS server. deletes. Edits the NTLM realm named realm_name. Creates a new NTLM realm named realm_name. Disables the console Access Control List. allowed-access enforce-acl alternate-server cache-duration no alternate-server ip_address [port] minutes source_ip [ip_mask] security ntlm all – Configures security aspects of all NTLM realms.Chapter 3: Privileged Mode Configure Commands auto-logout-timeout seconds Sets the length of the Security Appliance session before requiring login credentials. create-realm realm_name primary_server_ip [primary_server_port] realm_name realm_name alternate-server ip_address [port] cache-duration minutes exit no alternate-server primary-server ip_address [port] rename realm_name delete-realm edit-realm 107 . Deletes the alternate server. Clears the current alternate NTLM server IP address and port for all NTLM realms.

Security Appliance Command Line Reference

timeout seconds server-retry count {show | view} view realm_name

Specifies query duration before timeout. Specifies the number of authentication retry attempts. Show running system information or view information for this realm. Displays information about the NTLM realm named realm_name. Puts into effect the console account password indicated by password. Puts into effect the console account password indicated by hashed-password. Sets the CLI handling of passwords for this session. Keyring is meant for Director use. Director stores its keyring in a public key that is used when pulling a configuration from one Security Appliance to multiple Security Appliances. Creates a new RADIUS realm named realm_name.

security password – Changes the console account password. password hashed-password

password-display

[none | encrypted | keyring name | view]

security radius – Creates, deletes, or displays information about a particular RADIUS realm. create-realm realm_name [secret | encrypted_secret] primary_server_ip [primary_server_port] realm_name encrypted_secret primary_server_ip [primary_server_port] realm_name realm_name alternate-server ip_address [port] | [secret secret | encrypted-secret encrypted_secret | service-type type] cache-duration minutes case-sensitive {enable | disable} exit no alternate-server | spoof-authentication

create-realmencrypted

Creates a new RADIUS realm named realm_name. It also accepts encrypted secrets. Deletes the RADIUS realm named realm_name. Edits the RADIUS realm named realm_name. Configures alternate RADIUS server.

delete-realm edit-realm

Specifies the length of time to cache user credentials. Enables or disables case sensitivity within the realm. Exits edit-realm mode. Deletes the alternate server or disables spoof-authentication.

108

Chapter 3: Privileged Mode Configure Commands

primary-server ip_address [port] | [secret secret | encrypted-secret | encrypted_secret | service-type type] rename realm_name timeout seconds server-retry count {show | view} spoof-authentication

Configure the primary server. Can also specify a shared secret for the primary RADIUS server and specify a checklist service type sent to the primary RADIUS server. Renames the realm. Specifies query duration before timeout. Specifies the number of authentication retry attempts. Show running system information or view information for this realm. Allows forwarding user credentials from the credential cache to the origin content server. Authentication to an upstream server can only be done when the Security Appliance and the OCS have the same set of username/password combinations. Displays information about the RADIUS realm named realm_name. Puts into effect the console account user name indicated by user_name. Specifies that this realm should use persistent cookies with no TTL expiration. Specifies that this realm should use cookies that expire at the end of a session.

view

realm_name

security username – Changes the console account user name. user_name

security transparent-proxy-auth – Configures transparent-proxy cookie options. cookie persistent

cookie session

cookie virtual-url

url

Specifies that this realm should use cookies with the virtual URL indicated by url. Specifies that this realm should use the IP method for transparent proxy (as opposed to the cookie method). Specifies that this realm should use the cookie method for transparent proxy (as opposed to the IP method).

method ip

method cookie

time-to-live

{ip minutes | persistent-cookie minutes} realm_name realm_name

Specifies the duration the IP or persistent cookie is valid.

security unix – Creates, deletes, or displays information about a particular UNIX realm. create-realm delete-realm Creates a new UNIX realm named realm_name. Deletes the UNIX realm named realm_name.

109

Security Appliance Command Line Reference

edit-realm

realm_name cache-duration minutes no exit rename realm_name {show | view} spoof-authentication

Edits the UNIX realm named realm_name. Specifies the length of time to cache user credentials. Disables spoof-authentication. Exits edit-realm mode. Renames the realm. Show running system information or view information for this realm. Allows forwarding user credentials from the credential cache to the origin content server. Authentication to an upstream server can only be done when the Security Appliance and the OCS have the same set of username/password combinations. Displays information about the UNIX realm named realm_name.

view

realm_name

Example
SGOS#(config) security ldap create-realm iplanet AuthRealm "dc=ads2001,dc=bluecoat,dc=com" 10.252.3.78 389 ok SGOS#(config) security ldap edit-realm AuthRealm SGOS#(config ldap AuthRealm) search password "user" ok SGOS#(config ldap AuthRealm) search user-dn "cn=UserAG,ou=bluecoat,dc=ads2001,dc=bluecoat,dc=com" ok SGOS#(config ldap AuthRealm) search anonymous disable ok SGOS#(config ldap AuthRealm) exit SGOS#(config) security allowed-access 10.253.101.23 255.255.255.255 ok SGOS#(config) security allowed-access 10.253.101.24 255.255.255.255 ok SGOS#(config) security allowed-access 10.252.10.90 255.255.255.255 ok SGOS#(config) security enable-password "enable" ok SGOS#(config) security front-panel-pin "1234" ok SGOS#(config) security password "test" ok SGOS#(config) security username "test" ok SGOS#(config)

110

See the (services) ftp command for options. Example SGOS#(config services) view Port: 8080 Type: http Properties: enabled. exit ftp http show telnet view See the (services) telnet command for options.Chapter 3: Privileged Mode Configure Commands #(config)services Use this command to configure FTP. transparent 111 . Configures Telnet services. or Telnet services. explicit-proxy Port: 21 Type: ftp Properties: enabled. Configures HTTP services. explicit-proxy Port: 80 Type: http Properties: enabled. Configures Transparent FTP services.subcommandsoption 1: exit option 2: ftp {attribute | create | delete | disable | enable | exit | show | view} option 3: http {attribute | create | delete | disable | enable | exit | show | view} option 4: show option 5: telnet {create | delete | disable | enable | exit | show | view} option 6: view where: services – Configures services. transparent. Displays all services-related configuration information. Exits the config services mode and returns you to the config prompt. See the (services) http command for options. HTTP. Displays running system information. Syntax services This changes the prompt to: SGOS#(config services) .

attribute passive-mode create delete disable enable exit {disable | enable} port port [port=21] [port=21] Enables or disables support for passive mode to clients.Security Appliance Command Line Reference #(config services)ftp Use this command to configure transparent FTP services.subcommandsoption 1: attribute passive-mode {disable | enable} option 2: create option 3: delete option 4: disable option 5: enable option 6: exit option 7: view where: services ftp – Configures transparent FTP services. Deletes a transparent FTP services port. view Example SGOS#(config) services SGOS#(config services) ftp SGOS#(config services ftp) create 2002 ok SGOS#(config services ftp) exit SGOS#(config services) 112 . Enables the transparent FTP services port. Disables the transparent FTP services port. Creates a transparent FTP services port. Syntax ftp This changes the prompt to: SGOS#(config services ftp) . Exits config services ftp mode and returns you to the config services prompt. Displays the transparent FTP services configuration.

Chapter 3: Privileged Mode Configure Commands #(config services)http Use this command to create and configure HTTP services. Syntax http This changes the prompt to: SGOS#(config services http) . 113 . Rejects requests for non-transparent content on the specified port.subcommandsoption 1: attribute authenticate-401 {enable | disable} port option 2: attribute explicit disable port option 3: attribute explicit enable port option 4: attribute nap disable port option 5: attribute nap enable port option 6: attribute send-client-ip disable port option 7: attribute send-client-ip enable port option 8: attribute transparent disable port option 9: attribute transparent enable port option 10: attribute head enable port option 11: attribute head disable drop port option 12: attribute head disable error portattribute connect disable port option 13: attribute connect enable port option 14: attribute connect disable drop port option 15: attribute connect disable error port option 16: create port option 17: delete port option 18: disable port option 19: enable port option 20: exit option 21: show option 22: view where: services http attribute – Configures HTTP services attributes. authenticate-401 explicit disable {enable | disable} port port Enables or disables transparent authentication.

Disables the HTTP services on the specified port. Rejects requests for transparent content on the specified port. Exits config services http mode and returns you to the config services prompt. Blocks CONNECT requests on the specified port. Accepts requests for transparent content on the specified port. Creates an HTTP services port. Prevents blocking of HEAD requests on the specified port. Disables the spoof attribute on the specified port. Deletes the specified HTTP services port. create delete disable enable exit port port port port show view Example SGOS#(config) services SGOS#(config services) http 114 . services http – Establishes HTTP services port. Displays running system information. Returns error 405 for CONNECT requests on the specified port. Drops connection for CONNECT requests on the specified port. Enables non-accelerated attribute on the specified port. Displays the HTTP services configuration.Security Appliance Command Line Reference explicit enable nap disable nap enable send-client-ip disable send-client-ip enable transparent disable transparent enable head enable head disable drop head disable error connect disable connect enable connect disable drop connect disable error port port port port port port port port port port port port port port Accepts requests for non-transparent content on the specified port. Returns error 405 for HEAD requests on the specified port. Enables the HTTP services on the specified port. Drops connections for HEAD requests on the specified port. Disables the non-accelerated attribute on the specified port. Enables the spoof attribute on the specified port. Prevents blocking of CONNECT requests on the specified port.

Syntax telnet This changes the prompt to: SGOS#(config services telnet) . Displays the Telnet services configuration.subcommandsoption 1: create port option 2: delete port option 3: disable port option 4: enable port option 5: exit option 6: show option 7: view where: services telnet – Configures Telnet services. Exits config services telnet mode and returns you to the config services prompt. Displays running system information. Disables the Telnet services port. Deletes the Telnet services port indicated by port. create delete disable enable exit port port port port Creates a Telnet services port indicated by port. show view Example SGOS#(config) services SGOS#(config services) telnet 115 .Chapter 3: Privileged Mode Configure Commands SGOS#(config services http) create 8085 ok SGOS#(config services http) attribute authenticate-401 enable 8085 ok SGOS#(config services http) exit SGOS#(config services) exit SGOS#(config) #(config services)telnet Use this command to create and configure Telnet services. Enables the Telnet services port.

Security Appliance Command Line Reference SGOS#(config services telnet) view Port: 23 Type: telnet Properties: enabled. explicit Port: 9003 Type: telnet Properties: enabled. explicit Port: 30 Type: telnet Properties: enabled. explicit SGOS#(config services telnet) delete 9003 ok SGOS#(config services telnet) create 25 ok SGOS#(config services telnet) disable 9003 ok SGOS#(config services telnet) exit SGOS#(config services) exit SGOS#(config) #(config)show Use this command to display specific configuration settings or options. Syntax option 1: show accelerated-pac option 2: show access-log {configuration | statistics} option 3: show archive-configuration option 4: show arp-table option 5: show bandwidth-gain option 6: show bypass-list option 7: show caching option 8: show clock option 9: show commands [delimited | formatted] option 10: show configuration [brief | expanded | noprompts] option 11: show content {outstanding-requests {[deletes] | [revalidates] | [priority]} | priority {[regex regex] | [url url]} | statistics | url url} option 12: show content-distribution option 13: show content-filter {smartfilter | status | websense3 | websense4} option 14: show cpu option 15: show diagnostics option 16: show disk {disk_number | all} option 17: show dns option 18: show domain-alias option 19: show download-paths 116 . explicit Port: 9002 Type: telnet Properties: enabled.

Chapter 3: Privileged Mode Configure Commands option 20: show dynamic-bypass option 21: show efficiency option 22: show environmental option 23: show event-log option 24: show forwarding option 25: show health-checks option 26: show hostname option 27: show http option 28: show http-stats option 29: show icap {clusters | services | statistics} option 30: show icp-settings option 31: show identd option 32: show installed-systems option 33: show interface option 34: show ip-default-gateway option 35: show ip-route-table option 36: show ip-stats {all | e# | ip | memory | summary | tcp | udp} option 37: show netbios option 38: show ntp option 39: show policy [order | proxy-default] option 40: show ports option 41: show realms option 42: show resources option 43: show restart option 44: show return-to-sender option 45: show rip {parameters | routes | statistics} option 46: show rtsp option 47: show security option 48: show services [ftp | http | telnet] option 49: show sessions option 50: show snmp option 51: show socks-machine-id option 52: show sources {bypass-list | error-pages | icp-settings | policy | rip-settings | static-route-table | streaming | wccp-settings} option 53: show splash-generator option 54: show static-routes option 55: show status 117 .

Displays the current Security Appliance time setting. content content-filter cpu diagnostics disk dns {smartfilter | status | websense3 | websense4} 118 . Displays the current bandwidth-gain commands. Displays the current non-default configuration settings.Security Appliance Command Line Reference option 56: show streaming {real-media | windows-media | configuration | statistics} option 57: show system-resource-percent option 58: show tcp-rtt option 59: show telnet-management option 60: show terminal option 61: show timezones option 62: show transparent-proxy option 63: show user authentication option 64: show version option 65: show virtual-ip option 66: show wccp {configuration | statistics} option 67: show web-management where: show – Displays running system information. Displays the current content filter settings. Use the optional parameters to customize the output. Displays the current caching settings. Displays the available CLI commands. or information for a cached object. Displays archive configuration settings. Displays the remote diagnostics commands. Displays ARP information. accelerated-pac access-log archive-configuration arp-table bandwidth-gain bypass-list caching clock commands configuration [delimited | formatted] [brief | expanded | noprompts] {outstanding-requests | priority | url} {configuration | statistics} Displays the current accelerated PAC settings. {disk_number | all} Displays disk status and information. Displays CPU usage. policy deletion priorities. Displays the current bypass list. Displays outstanding distribution and revalidation requests. Displays the current access log settings. Displays DNS servers and name imputing settings.

Displays current authentication realms. Displays the current event log settings. Displays ICAP settings. Displays security settings. Displays "return to sender" settings. Displays SNMP statistics. Displays the current dynamic bypass configuration settings.Chapter 3: Privileged Mode Configure Commands domain-alias download-paths dynamic-bypass efficiency environmental event-log forwarding health-checks hostname http http-stats icap icp-settings identd installed-systems interface ip-default-gateway ip-route-table ip-stats netbios ntp policy ports realms resources restart return-to-sender rip rtsp security services sessions snmp socks-machine-id [ftp | http | telnet] {parameters | routes | statistics} [order | proxy-default] {all | e# | ip | memory | summary | tcp | udp} {clusters | services | statistics} Dispalys any defined domain aliases. Displays the current hostname. Displays route table information. Displays TCP/IP statistics. Displays ICP settings. Displays health check settings. Displays the IP address of the default gateway. Displays OS versions available on the Security Appliance. Displays current policy rules. Displays interface status and configuration information. Displays system restart settings. Displays efficiency statistics. Displays HTTP settings. Displays RIP settings. Displays information about Telnet connections. Displays the current downloaded configuration paths. Displays RTSP settings. Displays HTTP statistics. Displays services settings. Displays NETBIOS settings. 119 . Displays HTTP and console ports. Displays IDENTD service settings. Displays allocation of system resources. Displays the SOCKS machine ID. Displays environmental statistics. Displays the current forwarding settings. Displays NTP servers and information.

Displays static route table information. Displays system hardware and software status. Syntax snmp This changes the prompt to: 120 . Displays Telnet management status. Displays timezones used. Displays transparent-proxy settings. Example SGOS#(config) show bypass-list TCP/IP Bypass List Information Destination Mask Source Mask Gateway Interface Life(secs) UseCount #(config)snmp Use this command to set SNMP (Simple Network Management Protocol) options for the Security Appliance. The Security Appliance supports MIB-2 (RFC 1213). Displays the current WCCP configuration. Displays the current virtual IP settings. Displays current system status. The Security Appliance can be viewed using an SNMP management station. Displays default TCP Round Trip Time. Displays terminal configuration parameters and subcommands.Security Appliance Command Line Reference sources {bypass-list | error-pages | icp-settings | policy | rip-settings | static-route-table | streaming | wccp-settings} Displays source listings for installable lists. system-resourcepercent tcp-rtt telnet-management terminal timezones transparent-proxy user-authentication version virtual-ip wccp web-management {configuration | statistics} Displays system resource allocation commands. splash-generator static-routes status streaming {real-media | windows-media | configuration | statistics} Displays spash generator commands. Displays user authentication information. Displays streaming settings and protocol-specific streaming settings. Displays Web management status.

authorize-traps disable enable exit no {authorize-traps | sys-contact | sys-location | trap-address {1 | 2 | 3}} password | encrypted_password Enables SNMP authorize traps. Resets the SNMP configuration to the default settings. system location. Exits config snmp mode and returns you to the config prompt. system contact. Displays running system information. or trap address settings. Enables SNMP for the Security Appliance. Disables SNMP for the Security Appliance.Chapter 3: Privileged Mode Configure Commands SGOS#(config snmp) . Sets the "sysContact" MIB variable to string. Disables the current authorize traps.subcommandsoption 1: authorize-traps option 2: disable option 3: enable option 4: exit option 5: no {authorize-traps | sys-contact | sys-location | trap-address {1 | 2 | 3}} option 6: read-community password option 7: reset-configuration option 8: show option 9: snmp-writes {disable | enable} option 10: sys-contact string option 11: sys-location string option 12: trap-address {1 ip_address | 2 ip_address | 3 ip_address} option 13: trap-community password option 14: write-community password where: snmp – Sets SNMP options on the Security Appliance. Sets the read community password or encrypted-password. {disable | enable} string string Enables or disables SNMP write capability. Sets the "sysLocation" MIB variable to string. read-community reset-configuration show snmp-writes sys-contact sys-location 121 .

Security Appliance Command Line Reference trap-address trap-community {1 ip_address | 2 ip_address | 3 ip_address} password | encrypted_password password | encrypted_password Indicates which IP address(es) can receive traps and in which priority. Sets the write community password or encrypted-password. or splash page. Subsequent URL requests from the client then provide the user with the requested content.36. Example SGOS#(config) socks-machine-id 10. write-community Example SGOS#(config) snmp SGOS#(config snmp) authorize-traps ok #(config)socks-machine-id Use this command to set the machine ID for SOCKS.25. machine_id Indicates the machine ID for the SOCKS server. you must specify the Security Appliance machine ID for the Identification (Ident) protocol used by the SOCKS gateway. If you are using a SOCKS server for the primary or alternate gateway. Syntax socks-machine-id machine_id where: socks-machine-id – Specifies the SOCKS machine ID.47 ok #(config)splash-generator Use this command to display a custom message page. Syntax splash-generator This changes the prompt to: SGOS#(config splash-generator) . to a user the first time he or she starts the client browser.subcommandsoption 1: cluster disable 122 . Sets the trap community password or encrypted-password.

Displays running system information. and TACACS+ accounting information. disable enable exit show Disables the splash generator. RADIUS accounting. Exits config splash-generator mode and returns to the config prompt.Chapter 3: Privileged Mode Configure Commands option 2: cluster enable option 3: cluster peer-ip {1 | 2 | 3 | 4 | 5 | ip_address} option 4: cluster sdp-port port option 5: disable option 6: enable option 7: exit option 8: protocol tacacs option 9: protocol radius option 10: radius acct-listen-port port option 11: radius auth-listen-port port option 12: radius forwarding disable option 13: radius forwarding ip-spoof option 14: radius forwarding proxy-state option 15: radius no secret-key option 16: radius encrypted-secrety-key key option 17: radius secret-key key option 18: show option 19: tacacs forwarding disable option 20: tacacs forwarding enable option 21: tacacs listen-port port option 22: tacacs multi-session disable option 23: tacacs multi-session enable option 24: tacacs no all-servers option 25: tacacs no one-server IP_address [port] option 26: tacacs no secret-key option 27: tacacs server IP_address [port] option 28: tacacs encrypted-secret-key key option 29: tacacs secret-key key option 30: timeout seconds where: splash-generator – Specifies general. Enables the splash generator. 123 .

multi-session disable 124 . splash-generator cluster – Sets splash generator cluster support options. Sets the encrypted secret key to encrypted-key. Enables splash-generator cluster support. port Listens for incoming TACACS+ requests on the port indicated by port. Disables forwarding of RADIUS requests. Indicates that the RADIUS protocol should be used. Sets the encrypted secret key to encrypted-key. Indicates the Session Distributor Protocol port. splash-generator protocol – Indicates which protocol should be used for splash generator support. Disables splash-generator cluster support. Enables forwarding of RADIUS packets using proxy state. tacacs radius splash-generator radius – Sets various splash generator RADIUS options. auth-listen-port port encrypted-secret-key forwarding disable forwarding ip-spoof forwarding proxy-state no secret-key secret-key encrypted-secret-key forwarding disable forwarding enable listen-port encrypted-key splash-generator tacacs – Sets various splash generator TACACS+ options. disable enable peer-ip sdp-port {1 | 2 | 3 | 4 | 5 | ip_address} port Indicates the cluster peer address. acct-listen-port port Listens for incoming RADIUS accounting requests on the port indicated by port. Listens for incoming RADIUS authorization requests on the port indicated by port. Indicates that the TACACS+ protocol should be used.Security Appliance Command Line Reference timeout minutes Indicates the splash timeout in minutes. Enables forwarding of RADIUS packets using IP spoofing. Enables forwarding of TACACS+ requests. Disables forwarding of TACACS+ requests. key encrypted-key Sets the MD5 secret key to key. Disables multiple TACACS+ sessions capability. Sets the MD5 secret key to an empty string.

The Security Appliance requires SSH1. Removes all TACACS+ server entries. Specify SSH1 as the protocol. You’ll need to open this file in a text editor. try searching popular software archives for a free key-generator utility. are downwardly compatible. all data transmitted between the SSH client and SSH host is encrypted and decrypted using public and private keys established on the Security Appliance and by the SSH application on the client. many versions of SSH2.Chapter 3: Privileged Mode Configure Commands multi-session enable no all-servers no one-server no secret-key server IP_address [port] IP_address [port] Enables multiple TACACS+ sessions capability. however. If the SSH client you're using cannot create the identity. Sets the secret key to key. and paste it in when the CLI requests it.pub file. secret-key key Example SGOS#(config) splash-generator SGOS#(config splash-generator) enable ok SGOS#(config splash-generator) protocol radius ok SGOS#(config splash-generator) exit SGOS#(config) #(config)sshd After doing the initial setup and installation. Prerequisite To configure a secure CLI connection with SSH: 1. you can connect to the Security Appliance Serial Console CLI securely using secure shell protocol (SSH).pub file. Removes the TACACS+ server entry indicated by IP_address. During the following process. Note: The Security Appliance supports a combined maximum of 16 Telnet and SSH sessions. Adds the server indicated by IP_address to the TACACS+ server list. When enabled. There are many SSH clients commercially available for UNIX and Windows. copy the contents of the file. or if you are using a Telnet client. including keys from Blue Coat Director. the SSH client application usually creates an identity. It also supports up to 24 client keys. Start your Telnet or SSH client application and create a new connection to the Security Appliance. Sets the secret key to an empty string. Think of SSH as a secure Telnet. Using a secure connection with RSA authentication requires public and private keys. 125 .

use the serial cable supplied with the system.Security Appliance Command Line Reference Figure 3-1: Setting up an SSH using RSA authenticated connection 2. Enter the following commands: 3. Syntax sshd This changes the prompt to: SGOS#(config sshd) . Open a Telnet or serial port terminal session with the Security Appliance and enter your username and password when prompted.subcommandsoption 1: create host-keypair option 2: delete {client-key clientID | host-keypair} option 3: delete director-client-key clientID option 4: exit option 5: import client-key clientID option 6: import director-client-key option 7: show option 8: view {client-key {clientID} | host-public-key} option 9: view director-client-key [clientID] where: sshd – create host-keypair Creates a host keypair. 126 . If you are using a serial connection. SGOS> enable SGOS> enable_password SGOS# conf t 4. Continue with the appropriate syntax described below.

To use static routes on the Security Appliance. To download the routing table to the Security Appliance.255.0. exit import client-key clientID Imports the fingerprint of the client key associated with the indicated clientID.0. place it on an HTTP server so it can be downloaded to the device. and gateways.0255.255. 127 . subnet masks.Chapter 3: Privileged Mode Configure Commands delete {client-key clientID | host-keypair} director-client-key clientID Deletes either the host keypair or the client key associated with the indicated clientID. Once the routing table is created. The routing table is a text file that contains a list of IP addresses.0255.0.226 When a routing table is loaded. When you download a routing table. director-client-key show view {client-key {clientID} | host-public-key} Displays the fingerprint of either the host keypair or the client key associated with the indicated clientID. Exits config sshd mode and returns you to config mode. Imports the fingerprint of the Director client.0. and gateways.158.213 10. and routed based on the best match.0.64. the table is stored in the device until it is replaced by downloading a new table. Displays running system information.63.0.010. subnet masks.65.0255.63.255. Displays the fingerprint of the client key associated with the indicated Director clientID.010. The routing table is a simple text file containing a list of IP addresses. use the load command.213 10.63. automatically determined from the imported key. you must create a routing table and place it on an HTTP server accessible to the Security Appliance. director-client-key clientID Example SGOS#(config) telnet allow sshd-config SGOS#(config sshd) create host-keypair ok #(config)static-routes Use this command to set the network path to download the static routes configuration file. A sample routing table is illustrated below: 10.158. all requested addresses are compared to the list.63.010. Deletes the client key associated with the indicated clientID of a Security Appliance that is being used in Blue Coat Director configurations.158.

Sets the network path location of the static route table to url.36. Syntax option 1: streaming max-client-bandwidth kbps option 2: streaming max-gateway-bandwidth kbps option 3: streaming no max-client-bandwidth option 4: streaming no max-gateway-bandwidth option 5: streaming windows-media license pak_string option 6: streaming windows-media logging enable option 7: streaming windows-media logging disable option 8: streaming windows-media log-forwarding enable option 9: streaming windows-media log-forwarding disable option 10: streaming windows-media max-connections number option 11: streaming windows-media max-client-bandwidth kbps option 12: streaming windows-media max-gateway-bandwidth kbps option 13: streaming windows-media transparent-port disable option 14: streaming windows-media transparent-port enable option 15: streaming windows-media explicit-port port_number option 16: streaming windows-media refresh-interval hours option 17: streaming windows-media http-handoff disable option 18: streaming windows-media http-handoff enable option 19: streaming windows-media live-retransmit disable option 20: streaming windows-media live-retransmit enable 128 . Example SGOS#(config) static-routes path 10.25.txt ok #(config)streaming Use this command to configure general streaming settings and Microsoft Windows Media or RealNetworks Real Media settings.Security Appliance Command Line Reference Syntax static-routes {no path | path url} where: static-routes – Specifies the location of the static route table.47/files/routes. no path path url Clears the network path location of the static route table.

Chapter 3: Privileged Mode Configure Commands option 21: streaming windows-media multicast address-range first_address-last_address option 22: streaming windows-media multicast port-range first_port-last_port option 23: streaming windows-media multicast ttl ttl option 24: streaming windows-media proxy-route number in_proto in_addr gw_proto gw_addr option 25: streaming windows-media asx-rewrite number in_addr cache_proto cache_addr option 26: streaming windows-media multicast-alias alias url option 27: streaming windows-media unicast-alias alias url option 28: streaming windows-media broadcast-alias alias url loops date time option 29: streaming windows-media multicast-station name [alias | url] ip port ttl option 30: streaming windows-media server-auth-type {basic | ntlm} ip_address option 31: streaming windows-media no max-connections option 32: streaming windows-media no max-client-bandwidth option 33: streaming windows-media no max-gateway_bandwidth option 34: streaming windows-media no refresh-interval option 35: streaming windows-media no proxy-route number option 36: streaming windows-media no asx-rewrite number option 37: streaming windows-media no multicast-alias alias option 38: streaming windows-media no unicast-alias alias option 39: streaming windows-media no broadcast-alias alias option 40: streaming windows-media no multicast-station name option 41: streaming windows-media no auth-type cache_ip_address option 42: streaming real-media max-connections number option 43: streaming real-media max-gateway bandwidth kbps option 44: streaming real-media max-client bandwidth kbps option 45: streaming real-media rtsp-port port option 46: streaming real-media pna-port port option 47: streaming real-media license pak_string option 48: streaming real-media proxy-route number rule parent_address rtsp-port port pna-port port mei-port port option 49: streaming real-media path path option 50: streaming real-media cache max-object-size kbps option 51: streaming real-media logging disable option 52: streaming real-media logging enable option 53: streaming real-media logging stats-mask mask option 54: streaming real-media logging style 129 .

streaming windows-media – Configures Microsoft Windows Media-specific streaming options. See the access-log command for more information. You must also enable the access-log command. Clears the current maximum gateway bandwidth setting. logging {enable | disable} log-forwarding {enable | disable} 130 . Enables the Security Appliance to record Windows Media proxy activities in the machine’s access log. max-client-bandwidth streaming max-gateway-bandwidth no max-client-bandwidth no max-gateway-bandwidth license pak_string kbps kbps Sets the maximum client bandwidth permitted to kbps. Enters the product authorization key for Blue Coat support for Windows Media. Clears the current maximum client bandwidth setting. The default is enabled.Security Appliance Command Line Reference option 55: streaming real-media multicast accept {number | subnet} option 56: streaming real-media multicast address-range first address–last address option 57: streaming real-media multicast disable option 58: streaming real-media multicast enable option 59: streaming real-media multicast pna-port port option 60: streaming real-media multicast rtsp-port port option 61: streaming real-media multicast ttl number option 62: streaming real-media multicast delivery-only enable option 63: streaming real-media multicast delivery-only disable option 64: streaming real-media pull-splitting udp option 65: streaming real-media pull-splitting tcp option 66: streaming real-media no max-connections option 67: streaming real-media no max-gateway-bandwidth option 68: streaming real-media no max-client-bandwidth option 69: streaming real-media no license option 70: streaming real-media no proxy-route option 71: streaming real-media no path option 72: streaming real-media no multicast where: streaming– Configures Microsoft Windows Media or Real Networks streaming media settings. Enables forwarding of the client log to the origin media server. Sets the maximum gateway bandwidth permitted to kbps.

enter streaming windows-media no max-gateway-bandwidth. Enables the transparent proxy on port 1755. The IP address range for the Security Appliance's multicast-station.128. max-client-bandwidth max-gateway-bandwidth kbps kbps transparent-port explicit-port {enable | disable} port_number refresh-interval hours http-handoff {enable | disable} live-retransmit {enable | disable} multicast address-range multicast port-range first_address-last_address first_port-last_port multicast ttl ttl 131 . you effectively lock out all client connections to the Security Appliance. The default is enabled. expressed in hops. a valid number is between 1 and 255. hours must be a floating point number to specify refresh interval. To allow maximum gateway bandwidth.Chapter 3: Privileged Mode Configure Commands max-connections number Limits the concurrent number of client connections. Time to live value for the multicast-station on the Security Appliance. To allow maximum client bandwidth.255. Default is from 224. If this variable is set to 0. enter streaming windows-media no max-connections. Port range for the Security Appliance's multicast-station. Allows the Security Appliance to retransmit dropped packets sent through MMS-UDP for unicast. The default is enable. Default is between 32768 and 65535. Allows the Windows Media proxy to listen for Windows Media traffic on the port specified. Checks the refresh interval for cached streaming content. If this variable is set to 0.2.0 and 224. Default is 5. Sets the maximum client bandwidth permitted to kbps. A port number of 0 deletes the explicit-port setting. The default is enabled. in kilobits per second (Kbps). for the amount of bandwidth Windows Media uses to send requests to its gateway. you effectively prevent the Security Appliance from initiating any connections to the gateway. Sets the maximum limit. 0 means always check for freshness.255. Allows the Windows Media module to control the HTTP port when Windows Media streaming content is present.2.

the Security Appliance can operate as a proxy for Windows Media Player 6. cache_proto rewrites the protocol on the Security Appliance and can take any of the following forms: mmsu (MMS-UDP) mmst (MMS-TCP) http (HTTP) mms (MMS-UDP or MMS-TCP) cache_addr rewrites the address on the Security Appliance. gw_proto is the protocol used at the gateway and gw_addr is the gateway address. and * (follow client's protocol). asx-rewrite number in_addr cache_proto cache_addr [cache_port] multicast-alias alias url [preload] 132 . number is any positive number. in_addr specifies the hostname.4 clients by rewriting the . mms (MMS-UDP or MMS-TCP). Smaller numbers indicate higher priority.asx file (which links web pages to Windows Media ASF files) to point to the Windows Media streaming media cache rather than the Windows Media server.Security Appliance Command Line Reference proxy-route number in_proto in_addr gw_proto gw_addr [gw_port] Replaces the hostname/IP address on the URL with a new hostname/IP address. It can have a maximum of one wildcard character. If your environment does not use a Layer 4 switch or WCCP. It defines the priority of all the asx-rewrite rules. in_proto is the protocol being used: mmsu (MMS-UDP). Creates an alias on the Security Appliance that reflects the multicast station on the origin content server. number can be any positive number. http (HTTP). Smaller numbers indicate higher priority. mmst (MMS-TCP). Direct indicates the origin content server. Provides proxy support for Windows Player 6. in_addr is the hostname string with no more than one wildcard character.4. It defines the priority of all the proxy-route rules.

4pm. 6pm. 4am. name specifies the name of the alias.Chapter 3: Privileged Mode Configure Commands unicast-alias alias url Creates an alias on the Security Appliance that reflects the content specified by the URL. 9am. 10am. 7pm. 8am. 1pm. 8pm. date can take any of the following formats: yyyy-mm-dd today time specifies the broadcast-alias starting time. 12am. The default ttl is 5. url specifies the address of the video-on-demand stream. 12pm. as well as a url to a live stream source. 9pm. 11am. 2am. 6am. enter the time as a comma-separated string. expressed in hops (and must be a valid number between 1 and 255). loops specifies the number of times the stream should be played back. date specifies the broadcast alias starting date. ip is an optional parameter and specifies the multicast station's IP address. 10pm. Enables multicast transmission of Windows Media content from the Security Appliance. alias can be a unicast alias. 11pm. Enables scheduled live unicast or multicast transmission of video-on-demand content. 3am. 2pm. port specifies the multicast station's port value address. noon. It must be unique. To specify multiple starting times within the same date. alias must be unique. 0 means forever. 5am. broadcast-alias alias url loops date time multicast-station name [alias | url] ip port ttl 133 . a multicast-alias or a broadcast alias. 5pm. ttl specifies the multicast-station's time-to-live value. 7am. When a client requests the alias content. 1am. No spaces are permitted. 3pm. the Security Appliance uses the URL specified in the unicast-alias command to request the content from the origin streaming server. enter the date as a comma-separated string. To specify multiple starting dates. time can take any of the following formats: hh:mm midnight.

Deletes the ASX rewrite rule associated with number. Limits the concurrent number of client connections. uses the maximum available bandwidth. Clears the authentication type associated with cache_ip_address. max-connections max-client-bandwidth max-gateway-bandwidth refresh-interval proxy-route asx-rewrite multicast-alias unicast-alias number number alias alias Deletes the proxy route rule associated with number.Security Appliance Command Line Reference server-auth-type [basic | ntlm] cache_ip_address Sets the authentication type of the Security Appliance indicated by cache_ip_address to BASIC or NTLM. Zero (0) is not an accepted value. The name of the alias. Changing the setting to no max-connections uses the maximum available bandwidth. If the protocol is mms. Negates maximum connections settings. max-connections number max-gateway-bandwidth kbps 134 . such as "welcome1" that is created on the Security Appliance and reflects the content specified by the URL. Deletes the multicast alias rule associated with alias." streaming windows-media no – Negates the indicated Windows Media settings. Sets the current Windows Media refresh interval to "never refresh. Changing the setting to no max-gateway-bandwidth. Deletes the broadcast alias rule associated with alias. Zero (0) is not an accepted value. Negates maximum gateway bandwidth settings. mmsu. Limits the total bandwidth used between the proxy and the gateway. broadcast-alias multicast-station server-auth-type alias name cache_ip_address streaming real-media – Configures RealNetworks Real Media-specific streaming options. Deletes the unicast alias rule associated with alias. The protocol is specified by the URL if the protocol is mmst. the same protocol as the client is used. or http. Negates maximum client bandwidth settings. Deletes the multicast station rule associated with name.

Zero (0) is not an accepted value. The default is 1090. Changing the setting to no max-client-bandwidth uses the maximum available bandwidth. The default is 7878. rtsp-port specifies the RTSP port to connect to for streaming. Specifies the PNA port that a RealPlayer client will connect through when using the proxy. The default is 1090. Restart is required if you change this setting. Restart is required if you change this setting. rtsp-port port pna-port port license pak_string proxy-route {* | number number | rule rule | parent-address parent_address | rtsp-port port | pna-port port | mei-port port} path path cache max-object-size kbps 135 . Restart is required if you change this setting. rule specifies the name of the rule.Chapter 3: Privileged Mode Configure Commands max-client-bandwidth kbps Limits the total bandwidth used by all connected clients. parent-address specifies the IP address of the host. The default is 1091. pna-port specifies the PNA port to use for streaming. Creates and applies rules for directing client traffic. Sets the maximum size of the streaming object to cache. Enters the product authorization key (PAK) for Blue Coat support for RealMedia. The default is 1091. Indicates where a configuration file is located (either FTP or HTTP). The RTSP port that a RealPlayer client will connect through when using the proxy. you must use the upload command to upload the configuration file. After you have set up the file and told the system where it is. mei-port specifies the media export interface port to connect to for streaming.

ttl indicates the number of router hops allowed. multicast accept {number | subnet} | address-range first address–last address | disable | enable | pna-port port | rtsp-port port | ttl number | delivery-only {enable | disable} pull-splitting no {udp | tcp} {max-connections | max-gateway-bandwidth | max-client-bandwidth | license | proxy-route | path | multicast} Example 136 . pna-port specifies the PNA port that a client will connect through when using the proxy. enable enables logging. The default is disabled. Negates the specified Real Networks settings.255. UDP is the default. Refer to the chapter on RealMedia streaming in the Blue Coat Configuration and Management Guide for information about logging style. The default is 554. Restart is required if you change any option except disabled or accept. Enables multicast support for RealMedia streaming.) address-range must be between 224. style controls that fields appear in the cache access log for each RealMedia event record. delivery-only limits clients to those who are set up for multicast. accept limits the use of multicast to clients on specific subnets. The default value is 3. Default is "any". The default is 16. stats-mask controls which statistics are recorded in log entries. The default is 7070.Security Appliance Command Line Reference logging {disable | enable | stats-mask mask| style} Enables access logging for RealMedia streaming disable disables logging. (If you use "any. The default value is 0. Refer to the chapter on RealMedia streaming in the Blue Coat Configuration and Management Guide for information about logging statistics.255.255.255 and 239.0. Restart is required if you change stats-mask option. The maximum is 255." everyone has access. rtsp-port specifies the RTSP port that a client will connect through when using the proxy. Indicates the protocol to use for pull splitting.0.

Example 137 .asf SGOS#(config) streaming windows-media no unicast-alias welcome1 #(config)system-resource-percent Use this command to configure system resource allocation. num_500ms_ticks Indicates the default TCP Round Trip Time in ticks.com mmst direct SGOS#(config) streaming windows-media no proxy-route 900 SGOS#(config) streaming windows-media unicast-alias welcome1 mmst://10.asf 1 today 14:00 SGOS#(config) streaming windows-media explicit-port 1756 SGOS#(config) streaming windows-media http-handoff enable SGOS#(config) streaming windows-media license 1WWDTFMY-7W5C7AMY-7Q26YW SGOS#(config) streaming windows-media live-retransmit disable SGOS#(config) streaming windows-media log-forwarding disable SGOS#(config) streaming windows-media max-connections 1600 SGOS#(config) streaming windows-media no max-connections SGOS#(config) streaming windows-media proxy-route 900 mmst *. 25.bluecoat.25. Syntax tcp-rtt num_500ms_ticks where: tcp-rtt – Configures the number of TCP round trip time ticks. 75. Syntax system-resource-percent Example SGOS(config) system-resource-percent Please choose from the following percentages: 0.9.47/cthd. 50.Chapter 3: Privileged Mode Configure Commands SGOS#(config) streaming windows-media broadcast-alias ba1 mms://10.36.33.54/welcom1. 95 Windows Media [50%]:25 HTTP: 75% This change will be effective following system reboot #(config)tcp-rtt Use this command to configure the number of TCP round trip time ticks.

(Use show timezones to display a list of supported timezones.) Example SGOS#(config) timezone 3 ok #(config)upgrade-path Use this command to specify the network path to download system software. Syntax timezone timezone_num where: timezone – Sets the timezone to use for all time-related procedures and calculations. Syntax telnet {allow-sshd-config | deny-sshd-config} where: telnet – Specifies the status of SSH configuration through Telnet. Disables configuring of SSHD through Telnet. Syntax upgrade-path url 138 . timezone_num Enables you to set the local time zone.Security Appliance Command Line Reference SGOS#(config) tcp-rtt 500 ok #(config)telnet Enables or disables the ability to configure SSHD through Telnet. allow-sshd-config deny-sshd-config Enables configuring of SSHD through Telnet. Example SGOS#(config) telnet allow-sshd-config ok #(config)timezone Use this command to set the local time zone on the Security Appliance.

Syntax virtual-ip {address ip_address | clear | no address ip_address} where: virtual-ip – Sets or clears any virtual IP addresses for the Security Appliance.36. Removes the specified virtual IP from the list. refer to the Blue Coat Systems Port 80 Security Appliance Configuration and Management Guide. where a WCCP-capable router collaborates with a set of WCCP-configured Security Appliances to service requests. use the load command. Example SGOS#(config) upgrade-path 10. For more information about WCCP.25. To download the WCCP configuration to the Security Appliance. place the file on an HTTP server so it can be downloaded to the Security Appliance.47 ok #(config)wccp The Security Appliance can be configured to participate in a WCCP (Web Cache Control Protocol) scheme. Once you have created the WCCP configuration file.25.Chapter 3: Privileged Mode Configure Commands where: upgrade-path – Specifies the location of the Security Appliance upgrades.47 ok #(config)virtual-ip This command allows you to configure virtual IP addresses. Enables WCCP. url Indicates the network path to use to download Security Appliance system software. address clear no address ip_address ip_address Specifies the virtual IP to add. Example SGOS#(config) virtual-ip address 10. Syntax wccp {disable | enable | no path | path url} where: wccp – Enables or disables the WCCP configuration file and specifies the location of the configuration file.36. Removes all virtual IP addresses. disable enable Disables WCCP. WCCP is a Cisco-developed protocol. 139 .

Example SGOS#(config) wccp path 10. Syntax web-management {disable | enable} where: web-management – Enables or disables the Management Console.txt ok #(config)web-management Use this command to enable or disable the Web-based Management Console.47/files/wccp. 140 . Enables the Management Console.Security Appliance Command Line Reference no path path url Negates certain WCCP settings. Only the management and statistics applications are disabled. Specifies the network path from which to download WCCP settings.25. disable enable Disables the Management Console.36. When web-management is disabled. you can still access the Security Appliance homepage and online documentation.

Sign up to vote on this title
UsefulNot useful