Sgos Cli Guide 2-1-09


Blue Coat Systems Port 80 Security Appliance

Command Line Reference


Blue Coat Systems Inc. (866) 302-2628 Corporate

650 Almanor Avenue (866) 362-2628 Technical Support

Sunnyvale, California 94086 (866) 382-2628 Inside Sales

[email protected] www.bluecoat.com

Copyright 2003 Blue Coat Systems, Inc. All rights reserved. No part of this document may be reproduced by any means nor translated to any electronic medium without the written consent of Blue Coat Systems, Inc. Specifications are subject to change without notice. Information contained in this document is believed to be accurate and reliable; however, Blue Coat Systems, Inc. assumes no responsibility for its use. Blue Coat is a trademark of Blue Coat Systems, Inc. in the U.S. and worldwide. All other trademarks mentioned in this document are the property of their respective owners.

Printed in U.S.A.

Document Number: 231-02585

Document Revision: 2.1.09-08/21/2003


Contents

Chapter 1: Introduction

Audience for this Document ........ 7
Organization of this Document ........ 7
Related Blue Coat Documentation ........ 8
Document Conventions ........ 8
Telnet and Script Considerations ........ 8
Standard and Privileged Modes ........ 9
Accessing Quick Command Line Help ........ 9

Chapter 2: Standard and Privileged Mode Commands

Standard Mode Commands ........ 11
  >display ........ 11
  >enable ........ 12
  >exit ........ 12
  >ping ........ 12
  >show ........ 13
  >traceroute ........ 18

Privileged Mode ........ 18
  #acquire-utc ........ 18
  #cancel-upload ........ 19
  #clear-arp ........ 19
  #clear-cache ........ 20
  #clear-statistics ........ 20
  #configure ........ 20
  #disable ........ 20
  #disk ........ 21
  #display ........ 21
  #exit ........ 22
  #hide-advanced ........ 22
  #inline ........ 23
  #kill ........ 24
  #load ........ 25
  #pcap ........ 26
  #ping ........ 30
  #purge-dns-cache ........ 30
  #restart ........ 31
  #restore-cacheos4-config ........ 32
  #restore-defaults ........ 32
  #reveal-advanced ........ 32
  #show ........ 33
  #temporary-route ........ 40
  #test http ........ 40
  #traceroute ........ 41

Chapter 3: Privileged Mode Configure Commands

#configure ........ 45
  #(config)accelerated-pac ........ 47
  #(config)access-log ........ 47
  #(config)archive-configuration ........ 51
  #(config)bandwidth-gain ........ 52
  #(config)banner ........ 53
  #(config)bypass-list ........ 54
  #(config)caching ........ 55
  #(config)clock ........ 57
  #(config)content ........ 58
  #(config)content-filter ........ 59
  #(config content-filter)smartfilter ........ 61
  #(config content-filter)websense3 ........ 62
  #(config content-filter)websense4 off-box ........ 65
  #(config)diagnostics ........ 66
  #(config)dns ........ 67
  #(config)domain-alias ........ 68
  #(config)dynamic-bypass ........ 68
  #(config)error-pages ........ 69
  #(config)event-log ........ 70
  #(config)exit ........ 72
  #(config)forwarding ........ 72
  #(config)health-check ........ 75
  #(config)hide-advanced ........ 76
  #(config)hostname ........ 77
  #(config)http ........ 77
  #(config)https ........ 80
  #(config)icap ........ 83
  #(config)icp ........ 84
  #(config)identd ........ 85
  #(config)inline ........ 86
  #(config)installed-systems ........ 88
  #(config)interface fast-ethernet ........ 89
  #(config)ip-default-gateway ........ 91
  #(config)load ........ 92
  #(config)management-port ........ 93
  #(config)netbios ........ 94
  #(config)no ........ 94
  #(config)ntp ........ 95
  #(config)policy ........ 95
  #(config)restart ........ 97
  #(config)return-to-sender ........ 97
  #(config)reveal-advanced ........ 98
  #(config)rip ........ 99
  #(config)security ........ 99
  #(config)services ........ 111
  #(config services)ftp ........ 112
  #(config services)http ........ 113
  #(config services)telnet ........ 115
  #(config)show ........ 116
  #(config)snmp ........ 120
  #(config)socks-machine-id ........ 122
  #(config)splash-generator ........ 122
  #(config)sshd ........ 125
  #(config)static-routes ........ 127
  #(config)streaming ........ 128
  #(config)system-resource-percent ........ 137
  #(config)tcp-rtt ........ 137
  #(config)telnet ........ 138
  #(config)timezone ........ 138
  #(config)upgrade-path ........ 138
  #(config)virtual-ip ........ 139
  #(config)wccp ........ 139
  #(config)web-management ........ 140


Chapter 1: Introduction

To configure and manage your Blue Coat™ Systems Port 80 Security Appliance, Blue Coat developed a software suite that includes an easy-to-use graphical interface called the Management Console and a Command Line Interface (CLI). The CLI allows you to perform the superset of configuration and management tasks; the Management Console, a subset.

This reference guide describes each of the commands available in the CLI.

Audience for this Document

This reference guide is written for system administrators and experienced users who are familiar with network configuration. Blue Coat assumes that you have a functional network topology, that you and your Blue Coat Sales representative have determined the correct number and placement of the Security Appliances, and that those appliances have been installed in an equipment rack and at least minimally configured as outlined in the Blue Coat Installation Guide that accompanied the appliance. Furthermore, Blue Coat assumes that the Blue Coat appliance has been configured for reverse proxy server acceleration, transparent reverse proxy server acceleration, or a variant of either.

Organization of this Document

This document contains the following chapters:

Chapter 1 – Introduction

The organization of this document; conventions used; descriptions of the CLI modes; and instructions for saving your configuration.

Chapter 2 – Standard and Privileged Mode Commands

All of the standard mode commands, including syntax and examples, in alphabetical order. All of the privileged mode commands (except for the configure commands, which are described in Chapter 3), including syntax and examples, in alphabetical order.

Chapter 3 – #Configure Commands

The configure command is the most used and most elaborate of all of the CLI commands. For readability, each command heading in the command reference chapters is preceded by the appropriate prompt, and for the more complicated commands the parent command prompt is included as well. This chapter is divided into the following functional sections:

Load and Save Commands. All of the configure commands that are required to load your configuration and to save changes, including syntax and examples, in alphabetical order.

View Configuration Settings Commands. All of the configure commands that are required to view your current configuration settings, including syntax and examples, in alphabetical order.


Change Configuration Settings Commands. All of the privileged mode configure commands that are required to change your current or factory-default configuration settings, including syntax and examples, in alphabetical order.

Related Blue Coat Documentation

Blue Coat Systems 500 Installation Guide (includes information on installing the 500, 510, and 520)

Blue Coat Systems 500ec Installation Guide (includes information on installing the 515, 525, 525i, 545, and 545i)

Blue Coat Systems 600 and 700 Installation Guide

Blue Coat Systems 3000 Installation Guide

Blue Coat Systems 5000 Installation Guide

Blue Coat Systems 6000 and 7000 Installation Guide

Blue Coat Systems 800 Installation Guide

Blue Coat Systems Configuration and Management Guide

Blue Coat Systems Policy Language Reference Manual

Document Conventions

The following table lists the typographical and CLI syntax conventions used in this manual.

Convention – Definition

Italics – The first use of a new or Blue Coat-proprietary term.

Courier font – Command-line text that appears on your administrator workstation.

Courier Italics – A command-line variable that should be replaced with a literal name or value appropriate to your network.

Courier Boldface – A CLI literal that should be entered as shown.

{ } – One of the parameters enclosed within the braces must be supplied.

[ ] – An optional parameter or parameters.

| – Either the parameter before or after the pipe character can or must be selected, but not both.

Telnet and Script Considerations

Consider the following when using the CLI during a Telnet session or in a script. Note that Telnet carries the whole session, including the login and enable passwords, in cleartext; where the appliance offers SSH (see #(config)sshd), prefer it for management access, especially for scripted sessions that embed credentials.

Case Sensitivity. CLI command literals and parameters are not case sensitive.

Command Abbreviations. You may abbreviate CLI commands, provided you supply enough leading characters to make the command unambiguous. For example:

SGOS# configure terminal

can be shortened to:

SGOS# conf t
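As an added example (written for this page, not Blue Coat's code), the following Python resolves abbreviated commands the way the rule above describes, so that a scripted session can be checked for ambiguous or unknown abbreviations before anything is sent to the appliance. The command names are the ones this guide lists for standard mode (the `?` listing) and for privileged mode (the table of contents); the lists, and the choice to treat an ambiguous token as a hard error, are this example's assumptions, since the page does not say what the appliance itself does with an ambiguous abbreviation.

```python
"""Resolve abbreviated SGOS CLI commands before sending them from a script.

Illustrative code added to this page; not Blue Coat software. Command names are
taken from this guide; the ambiguity handling is an assumption of the example.
"""

# Command names per mode, as listed in this guide (standard-mode '?' output and
# the privileged-mode table of contents). Extend if your appliance lists more.
STANDARD_COMMANDS = ("display", "enable", "exit", "help", "ping", "show", "traceroute")
PRIVILEGED_COMMANDS = (
    "acquire-utc", "cancel-upload", "clear-arp", "clear-cache", "clear-statistics",
    "configure", "disable", "disk", "display", "exit", "hide-advanced", "inline",
    "kill", "load", "pcap", "ping", "purge-dns-cache", "restart",
    "restore-cacheos4-config", "restore-defaults", "reveal-advanced", "show",
    "temporary-route", "test", "traceroute",
)


class AmbiguousCommand(ValueError):
    """The abbreviation matches more than one command (assumed to be an error)."""


class UnknownCommand(ValueError):
    """The abbreviation matches no command in the current mode."""


def complete(prefix, commands):
    """Mimic 'p?' completion: all commands starting with prefix, case-insensitive."""
    p = prefix.lower()
    return sorted(c for c in commands if c.startswith(p))


def resolve(token, commands):
    """Expand one abbreviated token to the single command it names, or raise."""
    matches = complete(token, commands)
    if token.lower() in matches:          # an exact name always wins
        return token.lower()
    if not matches:
        raise UnknownCommand(f"{token!r}: no such command in this mode")
    if len(matches) > 1:
        raise AmbiguousCommand(f"{token!r} is ambiguous: {' '.join(matches)}")
    return matches[0]


def expand_line(line, mode):
    """Expand the first word of a CLI line; arguments after it are left as typed.

    mode is '>' (standard) or '#' (privileged), matching the prompts in this guide.
    Sub-commands such as 'terminal' are not expanded: only top-level names are known.
    """
    commands = STANDARD_COMMANDS if mode == ">" else PRIVILEGED_COMMANDS
    head, _, rest = line.strip().partition(" ")
    full = resolve(head, commands)
    return full if not rest else f"{full} {rest}"


def check_script(lines, start_mode=">"):
    """Validate a scripted session, tracking the mode changes enable/disable cause.

    Returns the fully expanded lines, or raises on the first bad line so a typo
    is caught before the script ever reaches the appliance.
    """
    mode = start_mode
    expanded_lines = []
    for raw in lines:
        if not raw.strip():
            continue
        expanded = expand_line(raw, mode)
        expanded_lines.append(expanded)
        verb = expanded.split()[0]
        if verb == "enable":
            mode = "#"
        elif verb == "disable":
            mode = ">"
    return expanded_lines


if __name__ == "__main__":
    # Constructed sample session: abbreviations in both modes.
    print(check_script(["en", "conf t", "sh version", "disable", "ex"]))
    print(complete("p", PRIVILEGED_COMMANDS))
```

Running the check on a script before the session starts means a typo such as `p` (which could be pcap, ping or purge-dns-cache in privileged mode) is rejected locally rather than discovered on the appliance.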

Standard and Privileged Modes

The Security Appliance CLI has two major modes, standard and privileged. In addition, privileged mode has several subordinate modes. Refer to the introduction in Chapter 2: Standard and Privileged Mode Commands for details about the different modes.

• Standard mode prompt: >

• Privileged mode prompt: #

Accessing Quick Command Line Help

You can access command line help at any time during a session. The following commands are available in both standard mode and privileged mode.

To access a comprehensive list of mode-specific commands:

Type help or ? at the prompt.

The help command displays how to use CLI help. For example:

SGOS> help
Help may be requested at any point in a command by typing a question mark '?'.
1. For a list of available commands, enter '?' at the prompt.
2. For a list of arguments applicable to a command, precede the '?' with a space (e.g. 'show ?')
3. For help completing a command, do not precede the '?' with a space (e.g. 'sh?')

The ? command displays the available commands. For example:

SGOS> ?
display      Display a text based url
enable       Turn on privileged commands
exit         Exit command line interface
help         Information on help
ping         Send echo messages
show         Show running system information
traceroute   Trace route to destination

To access a command-specific parameter list:

Type the command name, followed by a space, followed by a question mark.

Note that you must be in the correct mode, standard or privileged, to access the appropriate help information. For example, to get command completion help for pcap:

SGOS# pcap ?
filter    Setup the current capture filter
info      Display current capture information.
...

To get command completion for configuring SNMP:

SGOS#(config) snmp ?
<cr>

To access the correct spelling and syntax, given a partial command:

Type the first letter, or more, of the command, followed by a question mark (no spaces).

Note that you must be in the correct mode, standard or privileged, to access the appropriate help information. For example:

SGOS# p?
pcap ping purge-dns-cache


Chapter 2: Standard and Privileged Mode Commands

This chapter describes and provides examples for the Blue Coat Systems Port 80 Security Appliance standard and privileged mode CLI commands.

Standard Mode Commands

Standard mode is the default mode when you first log in. From standard mode you can view, but not change, configuration settings. Unlike privileged mode, standard mode has no password of its own beyond the login credentials for the session. Standard mode has a short list of commands.

Note: The help command and how to use the CLI help is described in “Accessing Quick Command Line Help” on page 9.

The standard mode prompt is a greater-than sign; for example:

telnet> open 10.25.36.47
username: admin
password: ******
SGOS>

>display

Use this command to display the source code (such as HTML or JavaScript) used to build the named URL. The request is made by the appliance itself, not by your workstation, so the source shown is what the appliance receives from its own network position. The source code is displayed one screen at a time. "—More—" at the bottom of the terminal screen indicates that there is additional code. Press the Spacebar to display the next batch of code; press the Enter key to display one additional line of code.

Syntax

display url

where url is a valid, fully-qualified text Web address.

Example

SGOS> display http://www.bluecoat.com

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">

<html><head><title>Blue Coat Inc.</title><meta NAME="KEYWORDS" CONTENT="cache, caching, cache appliance, network cache, web cache, Blue Coat, internet caching, active, transparent caching, intelligent, proxy, fast, cache server, Content delivery, streaming, media streaming, content delivery networks, CDNs, access control, Enterprise Internet Management, turnkey, web, speed, bandwidth savings, hit rate, internet"><meta NAME="DESCRIPTION" CONTENT="Blue Coat products are intelligent appliances specifically architected to accelerate the Internet.">

<!-- __________________________________________________________________


Copyright 1998-2002 Blue Coat Systems Inc. All rights reserved....

>enable

Use this command to enter Privileged mode. Privileged mode commands enable you to view and change your configuration settings. In some configurations, you must provide a password.

To set username and password, please refer to the instructions provided in the Blue Coat Systems Port 80 Security Appliance Configuration and Management Guide.

Syntax

enable

The enable command does not have any parameters or subcommands.

Example

SGOS> enable
Enable Password: ******
SGOS# configure terminal
SGOS(config)...

See also

disable (disable is a Privileged mode command.)

>exit

Use this command to exit the CLI.

Syntax

exit

The exit command does not have any parameters or subcommands.

Example

SGOS> exit

>ping

Use this command to verify that a particular IP address is reachable and responds to ICMP echo requests.

Syntax

ping ip_address


where:

ip_address – Specifies the address you want to verify.

Example

SGOS> ping 10.25.36.47
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.25.36.47, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/0/0 ms
Number of duplicate packets received = 0

>show

Use this command to display system information.

Syntax

option 1 : show accelerated-pac

option 2 : show access-log statistics

option 3 : show arp-table

option 4 : show bandwidth-gain

option 5 : show bypass-list

option 6 : show caching

option 7 : show clock

option 8 : show commands {delimited | formatted}

option 9 : show content-distribution

option 10 : show cpu

option 11 : show diagnostics

option 12 : show disk {disk_number | all}

option 13 : show dns

option 14 : show domain-alias

option 15 : show download-paths

option 16 : show dynamic-bypass

option 17 : show efficiency

option 18 : show environmental

option 19 : show event-log

option 20 : show forwarding

option 21 : show health-checks

option 22 : show hostname

option 23 : show http

option 24 : show http-stats

option 25 : show icap {clusters | services | statistics}



option 26 : show icp-settings

option 27 : show identd

option 28 : show installed-systems

option 29 : show interface {all | interface#}

option 30 : show ip-default-gateway

option 31 : show ip-route-table

option 32 : show ip-stats

option 33 : show netbios

option 34 : show ntp

option 35 : show policy [order | proxy-default]

option 36 : show ports

option 37 : show resources

option 38 : show restart

option 39 : show return-to-sender

option 40 : show rip

option 41 : show rtsp

option 42 : show sessions

option 43 : show services

option 44 : show snmp

option 45 : show socks-machine-id

option 46 : show sources {bypass-list | error-pages | icp-settings | policy {central | local | vpm-cpl | vpm-xml} | rip-settings | static-route-table | streaming real-media | wccp-settings}

option 47 : show static-routes

option 48 : show status

option 49 : show streaming {configuration| real-media | statistics | windows-media}

option 50 : show system-resource-percent

option 51 : show tcp-rtt

option 52 : show terminal

option 53 : show telnet-management

option 54 : show timezones

option 55 : show transparent-proxy

option 56 : show user-authentication

option 57 : show version

option 58 : show virtual-ip

option 59 : show wccp {configuration | statistics}

option 60 : show web-management


where:

accelerated-pac – Displays accelerated PAC file information.

access-log statistics - Specifies to display access log statistics data, including log and upload information.

arp-table – Displays TCP/IP ARP table information.

bandwidth-gain – Displays bandwidth gain status, mode, and the status of the "substitute get for get-if-modified-since," "substitute get for HTTP 1.1 conditional get," and "never refresh before specified object expiry" features.

bypass-list – Displays your bypass list.

caching – Displays data regarding cache refresh rates and settings and caching policies.

clock – Displays the current time.

commands – Displays a list of the available (root, non-privileged) CLI commands.

delimited Displays commands in such a way that they can be parsed.

formatted Displays commands so that they can be viewed easily.

content-distribution – Displays the average sizes of objects in the cache.

cpu – Displays current CPU usage.

diagnostics – Displays remote diagnostics information, including version number, and whether or not the Heartbeats feature and the Security Appliance monitor are currently enabled.

disk – Displays disk information, including slot number, vendor, product ID, revision and serial number, capacity, and status.

disk_number Displays information about the disk specified.

all Displays information about all disks.

dns – Displays primary and alternate DNS server data.

domain-alias – Displays domain alias configuration information.

download-paths – Displays downloaded configuration path information, including the policy list, bypass list, accelerated PAC file, HTTP error page, ICP settings, RIP settings, static route table, upgrade image, and WCCP settings.

dynamic-bypass – Displays dynamic bypass configuration status information.

efficiency – Displays efficiency statistics by objects and by bytes, as well as information about non-cacheable objects and access patterns.

environmental – Displays environmental sensor information.

event-log – Displays event log settings, including event level and event log size, and event recipients.

forwarding – Displays advanced forwarding settings, including download-via-forwarding, health check, and load balancing status, and the definition of forwarding hosts/groups and advanced forwarding rules.

health-checks – Displays health-check statistics.

hostname – Displays hostname, IP address, and type.

http – Displays HTTP configuration information.

http-stats – Displays HTTP statistics, including HTTP statistics version number, number of connections accepted by HTTP, number of persistent connections that were reused, and the number of active client connections.

icap {clusters | services | statistics} – Displays ICAP cluster, services, and configuration information.

icp-settings – Displays ICP settings.

identd – Displays IDENTD settings.


installed-systems – Displays Security Appliance system information such as version and release numbers, boot and lock status, and timestamp information.

ip-default-gateway – Displays default IP gateway IP address, weight, and group membership.

ip-route-table – Displays route table information.

ip-stats – Displays TCP/IP statistics for the current session.

netbios – Displays NETBIOS settings.

ntp – Displays NTP servers status and information.

policy [order | proxy-default] – Displays the policy files order or the policy default of allow or deny.

ports – Displays HTTP and console port number, type, and properties.

resources – Displays allocation of disk and memory resources.

restart – Displays system restart settings, including core image information and compression status.

return-to-sender – Displays "return to sender" inbound and outbound settings.

rip – Displays information on RIP settings, including parameters and configuration, RIP routes, and RIP statistics.

rtsp – Displays RTSP settings.

sessions – Displays information about Telnet connections.

services – Displays information about services.

snmp – Displays SNMP statistics, including status and MIB variable and trap information.

socks-machine-id – Displays the SOCKS machine ID configured on the appliance (see #(config)socks-machine-id).

sources – Displays source listings for installable lists, such as the bypass-list, policy files, ICP settings, RIP settings, static route table, streaming configurations, and WCCP settings files.

bypass-list Displays the source file for the current bypass list.

error-pages Displays the source file for error pages.

icp-settings Displays the source file for the current ICP settings.

policy Displays the source file for the specified policy file.

rip-settings Displays the source file for the current RIP settings.

static-route-table Displays the source file for the current static route table.

streaming real-media Displays the source file for the current streaming configurations. Specify real-media to display real streaming information.

wccp-settings Displays the source file for the current WCCP settings.

static-routes – Displays static route table information.

status – Displays current system status information, including configuration information and general status information.

streaming – Displays Microsoft Windows Media or RealNetworks information.

configuration Displays client and total bandwidth configurations.

real-media Displays RealNetworks streaming media information.

statistics Displays client and total bandwidth usage.

windows-media Displays Microsoft Windows Media streaming configuration information or statistics.

system-resource-percent – Displays the distribution of resources.

tcp-rtt – Displays TCP round trip time ticks.

terminal – Displays terminal configuration parameters.


Examples

SGOS> show caching
Refresh:
  Desired access freshness is 97.5%
  Estimated access freshness is 100.0%
  Let the Port 80 Security Appliance manage refresh bandwidth
  Current bandwidth used is 0 Kbits/sec
Policies:
  Do not cache objects larger than 50 megabytes
  Cache negative responses for 0 minutes
  Let the Port 80 Security Appliance manage freshness
FTP caching:
  Caching FTP objects is enabled
  Do not cache FTP objects larger than 50 megabytes
  FTP objects with last modified date, cached for 10% of last modified time
  FTP objects without last modified date, initially cached for 24 hours

SGOS> show resources
Disk resources:
  Available to cache: 3852673024
  In use by cache: 190489725
  In use by system: 268771328
  In use by access log: 48003
  Total disk installed: 4311982080
Memory resources:
  In use by cache: 90218496
  In use by system: 37226528
  In use by network: 6772704
  Total RAM installed: 134217728

telnet-management – Displays telnet management status and the status of SSH configuration through Telnet.

timezones – Displays current and supported timezones.

transparent-proxy – Displays transparent proxy information.

user-authentication – Displays Authenticator Credential Cache Statistics, including credential cache information, maximum number of clients queued for cache entry, and the length of the longest chain in the hash table.

version – Displays Security Appliance hardware and software version and release information and backplane PIC status.

virtual-ip – Displays virtual IP addresses.

wccp – Displays WCCP configuration and statistics information.

configuration Displays WCCP configuration information, including version number and status.

statistics Displays WCCP statistics information, including last reset time, and packets and bytes sent and received.

web-management – Displays Web management status.


>traceroute

Use this command to trace the route from the current host to the specified destination host.

Syntax

traceroute {ip_address | hostname}

where:

ip_address Specifies the IP address of the destination host.

hostname Specifies the name of the destination host.

Example

SGOS> traceroute 10.25.36.47
Type escape sequence to abort.
Tracing the route to 10.25.36.47
1 10.25.36.47 0 0 0

Privileged Mode

Privileged mode provides a robust set of commands that enable you to view, manage, and change Security Appliance settings for features such as log files, authentication, caching, DNS, HTTPS, packet capture filters, and security.

Note: The privileged mode subcommand configure enables you to manage the Security Appliance features. Refer to Chapter 3: Privileged Mode Configure Commands for detailed information about this command.

To access privileged mode:

From standard mode, enter privileged mode using the enable command, as shown below:

SGOS> enable
Enable Password: ********
SGOS#

If the network administrator who performed the initial network configuration assigned a privileged mode password, you are prompted to supply it as well. To prevent unauthorized access to your Security Appliance configuration and network, we recommend that you always require a privileged mode password. The default privileged mode password is admin.

Note that the prompt changes from a greater than sign (>) to a pound sign (#), indicating that you are now in privileged mode.

#acquire-utc

Use this command to acquire Coordinated Universal Time (UTC) from a Network Time Protocol (NTP) server. To manage objects, a Security Appliance must know the current UTC time. Your Security Appliance comes pre-populated with a list of NTP servers available on the Internet, and attempts to connect to them in the order they appear in the NTP server list on the NTP tab. If the Security Appliance cannot access any of the listed NTP servers, the UTC time must be set manually. For instructions on how to set the UTC time manually, refer to the Blue Coat Systems Port 80 Security Appliance Configuration and Management Guide.

Syntax

acquire-utc

The acquire-utc command does not have any parameters or subcommands.

Example

SGOS# acquire-utc ok

#cancel-upload

This command cancels a pending access-log upload. The cancel-upload command allows you to stop repeated upload attempts if the Web server becomes unreachable while an upload is in progress. This command sets log uploading back to idle if the log is waiting to retry the upload. If the log is in the process of uploading, a flag is set on the log that returns it to idle if the upload fails.

Syntax

cancel-upload

The cancel-upload command does not have any parameters or subcommands.

Example

SGOS# cancel-upload ok

#clear-arp

The clear-arp command clears the Address Resolution Protocol (ARP) table. ARP tables are used to correlate an IP address to a physical machine address recognized only in a local area network. ARP defines the rules for converting between a physical machine address (also known as a Media Access Control or MAC address) and its corresponding IP address.

Syntax

clear-arp

The clear-arp command does not have any parameters or subcommands.

Example

SGOS# clear-arp ok


#clear-cache

The clear-cache command sets all objects in the cache to expired. You can clear the system cache at any time. Although objects are not immediately removed from memory or disk, all subsequent first requests for objects are retrieved from the source.

Syntax

clear-cache

Example

SGOS# clear-cache ok

#clear-statistics

This command clears the Windows Media Streaming statistics collected by the Security Appliance. You can also clear the Windows Media streaming statistics through the Streaming applet. To view streaming statistics from the Management Console, go to Statistics>Volume>Windows Media.

Syntax

clear-statistics windows-media

Example

SGOS# clear-statistics windows-media ok

#configure

The privileged mode subcommand configure enables you to manage the Security Appliance features. Refer to Chapter 3: Privileged Mode Configure Commands for detailed information about this command.

#disable

The disable command returns you to Standard mode from Privileged mode.

Syntax

disable

The disable command does not have any parameters or subcommands.

Example

SGOS# disable ok


See also

enable (Standard mode command)

#disk

Use the disk command to take a disk offline or to reinitialize a disk.

On a multi-disk Security Appliance, after issuing the disk reinitialize disk_number command, complete the reinitialization by setting it to empty and copying pre-boot programs, boot programs and starter programs, and system images from the master disk to the reinitialized disk. The master disk is the leftmost valid disk. Valid indicates that the disk is online, has been properly initialized, and is not marked as invalid or unusable.

Note: If the current master disk is taken offline, reinitialized or declared invalid or unusable, the leftmost valid disk that has not been reinitialized since restart becomes the master disk. Thus as disks are reinitialized in sequence, a point is reached where no disk can be chosen as the master. At this point, the current master disk is the last disk. If this disk is taken offline, reinitialized, or declared invalid or unusable, the Security Appliance is restarted.

Reinitialization is done without rebooting the Security Appliance. Security Appliance operations are not affected, although the disk being reinitialized is not available for caching until reinitialization completes. Note that only reinitialization of the master disk might restart the Security Appliance.

Syntax

disk {offline disk_number | reinitialize disk_number}

where:

offline Takes the disk numbered disk_number off line.

disk_number Indicates the number of the disk you want to take off line or reinitialize.

reinitialize Reinitializes the disk numbered disk_number.

Example

SGOS# disk offline 3
ok
SGOS# disk reinitialize 3
ok

#display

Use this command to display the source code (such as HTML or JavaScript) used to build the named URL. This source code is displayed one screen at a time. "—More—" at the bottom of the terminal screen indicates that there is additional code. Press the Spacebar to display the next batch of code; press the Enter key to display one additional line of code.

Syntax

display url


where url is a valid, fully-qualified text Web address.

Example

SGOS# display www.company1.com
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>302 Found</TITLE>
</HEAD><BODY>
<H1>Found</H1>
The document has moved <A HREF="http://lc2.law5.company1.passport.com/cgi-bin/login">here</A>.<P>
</BODY></HTML>

#exit

Exits from Configuration mode to Privileged mode, or from Privileged mode to Standard mode. From Standard mode, the exit command closes the CLI session.

Syntax

exit

The exit command does not have any parameters or subcommands.

Example

SGOS# exit

#hide-advanced

The hide-advanced command enables you to disable all or a subset of the advanced commands available to you when using the CLI. The advanced commands that you can disable include HTTP and TCP/IP commands.

Syntax

hide-advanced {all | expand | tcp-ip}

where:

all Disables all advanced commands.

expand Displays the expanded advanced commands.

tcp-ip Disables only the TCP/IP advanced commands; the status of the other advanced commands remains unchanged. Refer to the description of the configure command tcp-ip for details.

Example

SGOS# hide-advanced expand
ok
SGOS# show expand
           ^
% Invalid input detected at '^' marker.
SGOS#

See also

reveal-advanced

#inline

Installs configuration elements based on your console port input. There are two ways to create a configuration file for your Security Appliance. You can use the inline command or you can create a text file to house the configuration commands and settings.

To configure using the CLI and the inline command, refer to the example below:

SGOS# configure terminal
SGOS#(config) inline accelerated-pac token
.
.
.
endtoken

Where token marks the end of the inline commands.

Syntax

option 1 : inline accelerated-pac token

option 2 : inline bypass-list central token

option 3 : inline bypass-list local token

option 4 : inline error-pages token

option 5 : inline error-pages token

option 6 : inline icp-settings token

option 7 : inline policy central token

option 8 : inline policy local token

option 9 : inline policy vpm-cpl token

option 10 : inline policy vpm-xml token

option 11 : inline rip-settings token

option 12 : inline static-route-table token

option 13 : inline streaming real-media token

option 14 : inline wccp-settings token

where:

token Is used at the beginning of the inline commands to indicate what the end-of-commands marker will be. Is used again at the end of the commands.

accelerated-pac Updates the accelerated pac file with the settings you include between the beginning token and the ending token.

bypass-list central Updates the central bypass list with the settings you include between the beginning token and the ending token.

bypass-list local Updates the local bypass list with the settings you include between the beginning token and the ending token.

error-pages Updates the local HTTP error pages with the settings you include between the beginning token and the ending token.

forwarding Updates the forwarding configuration with the settings you include between the beginning token and the ending token.

icp-settings Updates the current ICP settings with the settings you include between the beginning token and the ending token.

policy central Updates the current central policy file with the settings you include between the beginning token and the ending token.

policy local Updates the current local policy file with the settings you include between the beginning token and the ending token.

policy vpm-cpl Updates the VPM policy with the settings you include between the beginning token and the ending token. (This option is designed to be used with the Blue Coat Director product.)

policy xml-cpl Updates the XML policy with the settings you include between the beginning token and the ending token. (This option is designed to be used with the Blue Coat Director product.)

rip-settings Updates the current RIP settings with the settings you include between the beginning token and the ending token.

static-route-table Updates the current static route table settings with the settings you include between the beginning token and the ending token.

streaming real-media Updates the current Real Media streaming settings with the settings you include between the beginning token and the ending token.

wccp-settings Updates the current WCCP settings with the settings you include between the beginning token and the ending token.

Example

SGOS# inline icp-settings eof
icp_port 3130
icp_host 127.0.0.0 sibling 8080 3130
eof

#kill

Terminates a Telnet session.

Syntax

kill session_number


where session_number is a valid Telnet session number.

Example

SGOS# kill 3 ok

#load

Downloads installable lists or system upgrade images. These installable lists or settings can also be updated using the inline command.

Syntax

option 1 : load accelerated-pac

option 2 : load bypass-list central

option 3 : load bypass-list local

option 4 : load error-pages

option 5 : load icp-settings

option 6 : load policy central

option 7 : load policy local

option 8 : load policy vpm-software

option 9 : load rip-settings

option 10 : load static-route-table

option 11 : load streaming real-media

option 12 : load upgrade

option 13 : load wccp-settings

where:

accelerated-pac Downloads the current accelerated pac file settings.

bypass-list central Downloads the current central bypass list settings.

bypass-list local Downloads the current local bypass list settings.

error-pages Downloads the current HTTP error pages.

icp-settings Downloads the current ICP settings.

policy central Downloads the current central policy file settings.

policy local Downloads the current local policy file settings.

policy local vpm-software Downloads a new VPM version.

rip-settings Downloads the current RIP settings.

static-route-table Downloads the current static route table settings.

streaming real-media Downloads the current Real Media streaming settings.

upgrade Downloads the latest system image.

wccp-settings Downloads the current WCCP settings.

Examples

SGOS# load accelerated-pac
ok
SGOS# load bypass-list local
ok
SGOS# load bypass-list central
ok
SGOS# load error-pages
ok
SGOS# load policy local
ok
SGOS# load policy central
ok
SGOS# load icp-settings
ok
SGOS# load rip-settings
ok
SGOS# load static-route-table
ok
SGOS# load streaming real-media
ok
SGOS# load wccp-settings
ok
SGOS# load upgrade

See also

inline

#pcap

This command enables you to capture packets of Ethernet frames going into or leaving a Security Appliance. Packet capturing allows filtering on various attributes of the frame to limit the amount of data collected. The collected data can then be transferred to the desktop for analysis.

Note: Before using the pcap command, consider that packet capturing doubles the processor time spent on TCP/IP processing.

Note: To analyze the captured packets, you need a tool that can read Packet Sniffer Pro 1.1 files (for example, Ethereal or Packet Sniffer Pro 3.0).

Syntax

option 1 : pcap filter iface {in | out}

option 2 : pcap filter iface {in | out} iface-num

option 3 : pcap filter iface iface-num

option 4 : pcap filter expr filter_expression

option 5 : pcap info

option 6 : pcap coreimage

option 7 : pcap start

option 8 : pcap start [first n]


option 9 : pcap start [capsize n(k)]

option 10 : pcap start [trunc n]

option 11 : pcap start [last n]

option 12 : pcap stop

option 13 : pcap transfer url username password

where:

filter -- see the Filter table that follows.

coreimage Includes packets within a core image.

info Displays the current packet capture information.

start (commonly requested by Blue Coat Customer Support for system analysis)

first n The first n parameter collects n packets (up to 100 MB). After the number of packets n is reached, capturing stops. The packet capture file size is limited to 1% of total RAM, which might be reached before n packets have been captured.

Note: The parameter first n is a specific command; it captures an exact number of packets. If no parameters are specified, the default is to capture until the stop subcommand is issued or the maximum limit is reached.

capsize n(k) The capsize n(k) parameter stops the collection after n Kilobytes (up to 100 MB) of packets have been captured. The packet capture file size is limited to 1% of total RAM, which might be reached first.

Note: The parameter capsize n is an approximate command; it captures an approximate number of packets. If no parameters are specified, the default is to capture until the stop subcommand is issued or the maximum limit is reached.

trunc n The trunc n parameter collects, at most, n bytes of packets from each frame. This continues until the file size limit of 1% of total RAM is reached. Range is 0 to 2147483647.

last n The last n parameter saves up to n bytes of packets in memory. (The maximum amount of memory used for saving packets is limited to 100 MB.) Any packet received after the memory limit is reached causes the oldest saved packet to be discarded before the new packet is saved. The saved packets in memory are written to disk when the capture is terminated. The range is 0 to 2147483647.

stop Stops the capture.

transfer url username password Transfers captured data to an FTP site. Refer to the examples for details.


filter

The following table provides more parameters that can be used to create complex filter expressions.

Important: Define filter expr parameters with double-quotes to avoid confusion with special characters.

Command Parameter/Subcommand Description

iface in | out in | out Captures either in or out from an interface.

iface in | out interface_number Captures either in or out from a particular interface.

iface interface_number Captures both in and out from a particular interface.

expr {"host name" | "net number" | "port number"} Type qualifier. host is the default.

expr {"src name" | "dst number" | "src name or dst name" | "src name and dst name"} Direction qualifier; specifies the transfer direction. src or dst is the default.

expr {ether | ip | arp | rarp | tcp | udp} expr Proto qualifier; restricts matches to a specific protocol. For example: "tcp src name".

<cr> No filtering; captures all.

expr

Parameter/Subcommand Description

{dst host | src host | host} ip_address [ip_address ...] If multiple IP addresses are specified, each address is checked for a match.

{ether dst | ether src | ether host} ehost [ehost ...] ehost is a valid Ethernet address. If multiple ehost addresses are specified, each address is checked for a match.

{dst net | src net | net} net True if the source or destination IP address of the packet has a network number of net.

{dst port | src port | port} port True if the packet has a source or destination port value of port. May be prepended with tcp or udp.

net net mask mask True if the IP address matches the net value with the specified netmask value. May be qualified with src or dst.

less length True if the packet length is less than or equal to length.

greater length True if the packet length is greater than or equal to length.

ip proto protocol protocol can be a number or name (icmp, udp, tcp), but since these identifiers are also keywords within the filter expression parser, they must be escaped with a backslash.

{ether | ip} broadcast True if the packet is an Ethernet broadcast or IP broadcast packet.

{ether | ip} multicast True if the packet is an Ethernet multicast or IP multicast packet.

ether proto protocol protocol can be a number or name (ip, arp, rarp), but since these identifiers are also keywords within the filter expression parser, they must be escaped with a backslash.

! or not Negation.

&& or and Conjunction.

|| or or Alternation.

Note: Once a filter is set, it remains in effect until it is redefined. Also, if the Security Appliance is rebooted, filtering is set to off; you must reset or redefine all filtering options.

The following are examples of the pcap parameters/subcommands filter, info, start and transfer.

Example 1

Capture transactions between a Security Appliance (10.1.1.1), a server (10.2.2.2), and a client (10.1.1.2).

SGOS# pcap filter expr "host 10.1.1.1 || host 10.2.2.2 || host 10.1.1.2"

Example 2

SGOS# pcap filter expr "port 80"
SGOS# pcap start

This captures outbound packets that have a source port of 80 from the interface using the IP protocol TCP.

SGOS# pcap info
packet capture information:
  Packets captured: 301
  Bytes captured: 1198
  Packets written: 256
  Bytes written: 0
Current state: Stopped
Filtering: Off

This shows relevant information regarding current packet-capturing.

Example 3

This stops the capturing of packets after approximately three Kilobytes of packets have been collected.

SGOS# pcap start capsize 3

Example 4

This transfers captured packets to the FTP site 10.25.36.47. Note that the username and password are provided.

SGOS# pcap transfer ftp://10.25.36.47/path/filename.cap username password

If the folders in the path do not exist, they are not created and an error message is generated.
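As an added illustration of the filter grammar in the expr table above (this is not code from the Blue Coat reference or from the appliance), the following Python evaluator tokenizes an expression the way the table describes, including the backslash escape for ip proto \tcp and the ! / && / || precedence, and applies it to a constructed set of packets. The packet field names, the rule that net values are given in CIDR notation or with mask, and count_matches are this example's own assumptions.

```python
"""Evaluator for the pcap 'filter expr' grammar in this reference (host/net/port with
src/dst, tcp/udp/ip/arp prefixes, escaped 'ip proto \\tcp', and !/&&/||). Added example."""
import ipaddress
import re

PROTOS = {"tcp", "udp", "ip", "arp", "rarp", "ether"}
KEYWORDS = PROTOS | {"src", "dst", "host", "net", "port", "mask", "proto",
                     "and", "or", "not", "&&", "||", "!"}
TOKEN_RE = re.compile(r"&&|\|\||!|\\?[\w.:/-]+")   # keeps the escaping backslash


def proto_ok(pkt, name):
    """True if the packet carries protocol `name` at the relevant layer."""
    if name == "ether":
        return True
    return pkt.get("ethertype" if name in ("ip", "arp", "rarp") else "proto") == name


class PcapFilter:
    """Compiles an expression into a predicate; precedence as in tcpdump: ! then && then ||."""

    def __init__(self, expr):
        self.toks, self.pos = TOKEN_RE.findall(expr.strip().strip('"')), 0
        self.matches = self._or() if self.toks else (lambda p: True)  # <cr>: no filtering
        if self.pos != len(self.toks):
            raise ValueError("unexpected token %r" % self.toks[self.pos])

    def _peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def _next(self):
        self.pos += 1
        return self.toks[self.pos - 1]

    def _binary(self, sub, words, combine):
        f = sub()
        while self._peek() in words:
            self._next()
            f = combine(f, sub())
        return f

    def _or(self):
        return self._binary(self._and, ("||", "or"), lambda a, b: lambda p: a(p) or b(p))

    def _and(self):
        return self._binary(self._not, ("&&", "and"), lambda a, b: lambda p: a(p) and b(p))

    def _not(self):
        if self._peek() in ("!", "not"):
            self._next()
            inner = self._not()
            return lambda p: not inner(p)
        return self._primitive()

    def _primitive(self):
        proto = self._next() if self._peek() in PROTOS else None
        if proto in ("ip", "ether") and self._peek() == "proto":
            self._next()   # the value is an escaped keyword: drop the backslash
            name = self._next().lstrip("\\")
            return lambda p: proto_ok(p, proto) and proto_ok(p, name)
        if proto and self._peek() not in ("src", "dst", "host", "net", "port"):
            return lambda p: proto_ok(p, proto)     # bare qualifier such as 'tcp'
        sides = [self._next()] if self._peek() in ("src", "dst") else ["src", "dst"]
        kind = self._next()
        if kind not in ("host", "net", "port"):
            raise ValueError("expected host/net/port, got %r" % kind)
        values = []        # several values allowed; each is checked for a match
        while self._peek() is not None and self._peek() not in KEYWORDS:
            values.append(self._next())
        if kind == "net" and self._peek() == "mask":          # 'net N mask M'
            self._next()
            values = ["%s/%s" % (values[0], self._next())]
        if kind == "net":        # this example expects CIDR notation or a mask
            values = [ipaddress.ip_network(v, strict=False) for v in values]
        elif kind == "port":
            values = [int(v) for v in values]
        keys = {"src": "sport", "dst": "dport"} if kind == "port" else {"src": "src", "dst": "dst"}

        def hit(c):
            if kind == "net":
                return c is not None and any(ipaddress.ip_address(c) in n for n in values)
            return c in values
        return lambda p: (not proto or proto_ok(p, proto)) and any(hit(p.get(keys[s])) for s in sides)


# Constructed sample traffic (not a real capture) using the hosts of Example 1:
# appliance 10.1.1.1, server 10.2.2.2, client 10.1.1.2.
SAMPLE_PACKETS = [
    dict(ethertype="ip", proto="tcp", src="10.1.1.2", dst="10.1.1.1", sport=40001, dport=8080),
    dict(ethertype="ip", proto="tcp", src="10.1.1.1", dst="10.2.2.2", sport=51000, dport=80),
    dict(ethertype="ip", proto="tcp", src="10.2.2.2", dst="10.1.1.1", sport=80, dport=51000),
    dict(ethertype="ip", proto="udp", src="10.1.1.1", dst="10.9.9.9", sport=53000, dport=53),
    dict(ethertype="arp", src="10.1.1.7", dst="10.1.1.1"),
]


def count_matches(expr, packets=SAMPLE_PACKETS):
    """Packets a filter keeps: what 'Packets captured' in pcap info would reach here."""
    f = PcapFilter(expr)
    return sum(1 for p in packets if f.matches(p))
```

Running Example 1's expression through count_matches keeps all five sample packets, while "tcp src port 80" keeps only the server's reply, which is the kind of narrowing the file-size limits above reward.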

#ping

Use this command to verify that a particular IP address exists and can accept requests. Ping output also tells you the minimum, maximum, and average time it took for the ping test data to reach the other computer and return to the origin.

Syntax

ping {IP_address | hostname}

where IP_address is the IP address and hostname is the host name of the remote computer.

Example

SGOS# ping 10.25.36.47
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.25.36.47, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/0/0 ms
Number of duplicate packets received = 0

#purge-dns-cache

This command clears the DNS cache. You can purge the DNS cache at any time. You might need to do so if you have experienced a problem with your DNS server, or if you have changed your DNS configuration.


Syntax

purge-dns-cache

The purge-dns-cache command does not have any parameters or subcommands.

Example

SGOS# purge-dns-cache ok

#restart

Restarts the system. The restart options determine whether the Security Appliance should simply reboot (regular), or reboot using the new image previously downloaded with the load upgrade command (upgrade).

Syntax

restart {regular | upgrade}

where regular reboots the version of the Security Appliance that is currently installed and upgrade reboots the entire system image.

Example

SGOS# restart upgrade
ok
SGOS#
Initiating a hardware restart
Waiting for disk activity to cease
Starter Version 1.5
This machine has the following bootable systems:
>1: Version: SG 2.1.05 Release id: 19999 Wednesday July 26 2002 09:46:14 UTC, Boot Status: Last boot succeeded
 2: Version: CA 5.0.99 Release id: 18882 Tuesday November 2 2001 10:51:02 UTC, Boot Status: Last boot succeeded
 3: Version: CA 4.2.01 Release id: 18742 Friday September 28 2002 09:11:42 UTC, Boot Status: Last boot succeeded
 4: Version: CA 4.0.99 Release id: 16577 wmt Tuesday October 16 2001 11:55:31 UTC, Boot Status: Last boot succeeded
 5: Version: CA 4.0.99 Release id: 16486 Tuesday October 2 2001 10:51:02 UTC, Boot Status: Last boot succeeded
The default boot system is: 4: Version: CA 5.0.00 Release id: 16455
Press the space key to select an alternate system to boot.
Seconds remaining until the default system is booted: 5
Boot system number: 3

Booting "Version: SG 2.1.05 Release id: 19999"

See also

load


#restore-cacheos4-config

Restores the Security Appliance to the initial configuration derived upon an upgrade from CacheOS 4.x to SGOS 2.x. The Security Appliance retains the network settings.

Syntax

restore-cacheos4-config

Example

SGOS# restore-cacheos4-config
% "restore-cacheos4-configuration" requires a restart to take effect.
% Use "restart regular" to restart the system.

Or if there is no 4.x configuration found:

SGOS# restore-cacheos4-config
% No CacheOS 4.x configuration is available on this system.

See also

restore-defaults

#restore-defaults

Restores the Security Appliance to the default configuration. When you restore system defaults, the Security Appliance's IP address, default gateway, and the DNS server addresses are cleared. In addition, any lists (for example, forwarding or bypass) are cleared. After restoring system defaults, you need to restore the Security Appliance's basic network settings, as described in the Blue Coat Configuration and Management Guide, and reset any customizations.

Syntax

restore-defaults [keep-console]

where the restore-defaults command by itself will restore using the default configuration and restore-defaults keep-console restores using the default configuration but retains any configuration settings that affect console access.

Example

SGOS# restore-defaults
% "restore-defaults" requires a restart to take full effect.
% Use "restart regular" to restart the system.

#reveal-advanced

The reveal-advanced command allows you to enable all or a subset of the advanced commands available to you when using the CLI.

Syntax

reveal-advanced {all | expand | tcp-ip}


where:

all Enables all advanced commands.

expand Displays expanded commands.

tcp-ip Enables only the TCP/IP advanced commands; the status of the other advanced commands remains unchanged.

#show

Use this command to display system information.

Syntax

option 1 : show accelerated-pac

option 2 : show access-log {configuration | statistics}

option 3 : show archive-configuration

option 4 : show arp-table

option 5 : show bandwidth-gain

option 6 : show bypass-list

option 7 : show caching

option 8 : show clock

option 9 : show commands {delimited | formatted}

option 10 : show configuration {brief | expanded}

option 11 : show content {outstanding-requests | priority [regex regex | url url] | url url}

option 12 : show content-distribution

option 13 : show cpu

option 14 : show diagnostics

option 15 : show disk {disk_number | all}

option 16 : show dns

option 17 : show domain-alias

option 18 : show download-paths

option 19 : show dynamic-bypass

option 20 : show efficiency

option 21 : show environmental

option 22 : show event-log

option 23 : show forwarding

option 24 : show health-checks

option 25 : show hostname

option 26 : show http

option 27 : show http-stats


option 28 : show icap {clusters | services | statistics}

option 29 : show icp-settings

option 30 : show identd

option 31 : show installed-systems

option 32 : show interface {interface# | all}

option 33 : show ip-default-gateway

option 34 : show ip-route-table

option 35 : show ip-stats

option 36 : show netbios

option 37 : show ntp

option 38 : show policy [order | proxy-default]

option 39 : show ports

option 40 : show realms

option 41 : show resources

option 42 : show restart

option 43 : show return-to-sender

option 44 : show rip

option 45 : show rtsp

option 46 : show security

option 47 : show sessions

option 48 : show services

option 49 : show snmp

option 50 : show socks-machine-id

option 51 : show sources {bypass-list | error-pages | icp-settings | policy | rip-settings | static-route-table | streaming real-media | wccp-settings}

option 52 : show splash-generator

option 53 : show static-routes

option 54 : show status

option 55 : show streaming

option 56 : show system-resource-percents

option 57 : show tcp-rtt

option 58 : show terminal

option 59 : show telnet-management

option 60 : show timezones

option 61 : show transparent-proxy

option 62 : show user-authentication

option 63 : show version


option 64 : show virtual-ip

option 65 : show wccp

option 66 : show web-management

where:

accelerated-pac – Displays accelerated PAC file information.

access-log – Displays access log configuration settings or statistics.

configuration Indicates that you want to display access log configuration information.

statistics Indicates that you want to display access log statistics data, including log and upload information.

archive-configuration – Displays archive configuration settings including protocol, host, path, filename, username, and password.

arp-table – Displays TCP/IP ARP table information.

bandwidth-gain – Displays bandwidth gain status, mode, and the status of the "substitute get for get-if-modified-since," "substitute get for HTTP 1.1 conditional get," and "never refresh before specified object expiry" features.

bypass-list – Displays your bypass list.

caching – Displays data regarding cache refresh rates and settings and caching policies.

clock – Displays the current time.

commands – Displays a list of the available (root, privileged) CLI commands.

delimited Displays commands in such a way that they can be parsed.

formatted Displays commands so that they can be viewed easily.

configuration – Displays the current Security Appliance configuration as it differs from the default settings. You can capture the output of this command to a text file for future reference, or to restore the configuration using the privileged mode configure network url command, where url is the URL location of the configuration file.

brief Displays the current non-default configuration commands without inline expansion.

expanded Displays the current non-default configuration commands with inline expansion.

content – Displays the various content management commands currently in effect.

outstanding-requests Displays the complete list of outstanding asynchronous content revalidation and distribute requests.

priority [regex regex | url url] Displays the deletion priority value assigned to the regex or url, respectively.

url url Displays statistics of the specified URL.

content-distribution – Displays the average sizes of cached objects.

cpu – Displays the current CPU usage.

diagnostics – Displays remote diagnostics information, including version number, and whether or not the Heartbeats feature and the Security Appliance monitor are currently enabled.

disk – Displays disk information, including slot number, vendor, product ID, revision and serial number, capacity, and status.

disk_number Displays information about the disk specified.

all Displays information about all disks.

dns – Displays primary and alternate DNS server data.


domain-alias – Displays domain alias configuration information.

download-paths – Displays downloaded configuration path information, including filter list, bypass list, accelerated PAC file, HTTP error page, RIP settings, static route table, upgrade image, and WCCP settings.

dynamic-bypass – Displays dynamic bypass configuration status information.

efficiency – Displays efficiency statistics by objects and by bytes, as well as information about non-cacheable objects and access patterns.

environmental – Displays environmental sensor information.

event-log – Displays event log settings, including event level and event log size, and event recipients.

forwarding – Displays advanced forwarding settings, including download-via-forwarding, health check, and load balancing status, and the definition of forwarding hosts/groups and advanced forwarding rules.

health-checks – Displays health-check statistics.

hostname – Displays hostname, IP address, and type.

http – Displays HTTP information.

http-stats – Displays HTTP statistics, including HTTP statistics version number, number of connections accepted by HTTP, number of persistent connections that were reused, and the number of active client connections.

icap {clusters | services | statistics} – Displays ICAP cluster, services, and configuration information.

icp-settings – Displays current ICP configuration information.

identd – Displays IDENTD information.

installed-systems – Displays Security Appliance system information such as version and release numbers, boot and lock status, and timestamp information.

interface – Displays interface status and configuration information, including IP address, subnet mask, MTU size, source for instructions, autosense information, and inbound connection disposition for the current interface.

all Displays the above information for all interfaces.

interface# Displays the above information for the specified interface.

ip-default-gateway – Displays default IP gateway IP address, weight, and group membership.

ip-route-table – Displays route table information.

ip-stats – Displays TCP/IP statistics for the current session.

netbios – Displays NETBIOS information.

ntp – Displays NTP servers status and information.

policy – Displays TCP/IP statistics for the current session.

[order] Displays policy evaluation order.

[proxy-default] Displays the proxy default policy.

ports – Displays HTTP and console port number, type, and properties.

realms – Displays configured authentication realms.

resources – Displays allocation of disk and memory resources.

restart – Displays system restart settings, including core image information and compression status.

return-to-sender – Displays "return to sender" inbound and outbound settings.

rip – Displays information on RIP settings, including parameters and configuration, RIP routes, and RIP statistics.


rtsp – Displays security parameters.

security – Displays information about Telnet connections.

services – Displays information about services.

snmp – Displays SNMP statistics, including status and MIB variable and trap information.

socks-machine-id – Displays the id of the secure sockets machine.

sources – Displays source listings for installable lists, such as the bypass-list, "direct or deny" list, filter list, ICP settings, RIP settings, static route table, streaming configurations, and WCCP settings files.

bypass-list Displays the source file for the current bypass list.

error-pages Displays the source file for the error pages.

icp-settings Displays the source file for the current ICP settings.

policy Displays the source file for the CPL policy.

rip-settings Displays the source file for the current RIP settings.

static-route-table Displays the source file for the current static route table.

streaming real-media Displays the source file for the current streaming configurations. Specify real-media to display real streaming information.

wccp-settings Displays the source file for the current WCCP settings.

splash-generator – Displays general, radius accounting and TACACS accounting information.

static-routes – Displays static route table information.

status – Displays current system status information, including configuration information and general status information.

streaming – Displays Microsoft Media or RealNetworks information.

real-media Displays RealNetworks streaming media information.

windows-media Displays Microsoft Media streaming information.

system-resource-percent – Displays the distribution of resources.

tcp-rtt – Displays TCP round trip time ticks.

terminal – Displays terminal configuration parameters.

telnet-management – Displays telnet management status and the status of SSH configuration through Telnet.

timezones – Displays current and supported timezones.

transparent-proxy – Displays transparent proxy information.

user-authentication – Displays Authenticator Credential Cache Statistics, including credential cache information, maximum number of clients queued for cache entry, and the length of the longest chain in the hash table.

version – Displays Security Appliance hardware and software version and release information and backplane PIC status.

virtual-ip – Displays virtual IP addresses.

wccp – Displays WCCP configuration and statistics information.

configuration Displays WCCP configuration information, including version number and status.

statistics Displays WCCP statistics information, including last reset time, and packets and bytes sent and received.

web-management – Displays Web management status.


Examples

SGOS# show caching
Refresh:
  Desired access freshness is 97.5%
  Estimated access freshness is 100.0%
  Let the Security Appliance manage refresh bandwidth
  Current bandwidth used is 0 Kbits/sec
Policies:
  Do not cache objects larger than 50 megabytes
  Cache negative responses for 0 minutes
  Let the Security Appliance manage freshness
FTP caching:
  Caching FTP objects is enabled
  Do not cache FTP objects larger than 50 megabytes
  FTP objects with last modified date, cached for 10% of last modified time
  FTP objects without last modified date, initially cached for 24 hours

SGOS# show resources
Disk resources:
  Available to cache: 3852673024
  In use by cache: 190489725
  In use by system: 268771328
  In use by access log: 48003
  Total disk installed: 4311982080
Memory resources:
  In use by cache: 90218496
  In use by system: 37226528
  In use by network: 6772704
  Total RAM installed: 134217728

SGOS# show installed-systems
SGOS Systems
1. Version: SG 2.1.05, Release ID: 19999 Tuesday September 10 2002 08:35:58 UTC, Boot Status: Last boot succeeded, Lock Status: Unlocked
2. Version: CA 4.0.03, Release ID: 15484 Real Media Tuesday May 15 2001 08:35:58 UTC, Boot Status: Last boot succeeded, Lock Status: Unlocked
3. Version: CA 4.0.03, Release ID: 15566 Real Media Friday May 25 2001 08:30:38 UTC, Boot Status: Last boot succeeded, Lock Status: Unlocked
4. Version: CA 4.0.02, Release ID: 15436 Real Media Monday May 7 2001 18:51:55 UTC, Boot Status: Last boot succeeded, Lock Status: Unlocked
5. Version: CA 4.0.03, Release ID: 15452 Real Media Wednesday May 9 2001 08:35:18 UTC, Boot Status: Last boot succeeded, Lock Status: Unlocked
Default system to run on next hardware restart: 3
Default replacement being used. (oldest unlocked system)
Current running system: 3
When a new system is loaded, only the system number that was replaced is changed.
The ordering of the rest of the systems remains unchanged.
SGOS#

SGOS# show cpu
Current cpu usage: 0.0 percent

SGOS# show dns
Primary DNS servers: 10.253.220.249
Alternate DNS servers:
Imputed names:

SGOS# show dynamic-bypass
Dynamic bypass: disabled
  Non-HTTP trigger: disabled
  HTTP 400 trigger: disabled
  HTTP 401 trigger: disabled
  HTTP 403 trigger: disabled
  HTTP 405 trigger: disabled
  HTTP 406 trigger: disabled
  HTTP 500 trigger: disabled

SGOS# show hostname
Hostname: 10.25.36.47 - Blue Coat 5000

SGOS# show icp-settings
# Current ICP Configuration
# Written on Wed, 23 Jan 2002 22:43:57 UTC
# ICP Port to listen on (0 to disable ICP)
icp_port 0
# Neighbor timeout (seconds)
neighbor_timeout 2
# ICP and HTTP failure counts
icp_failcount 20
http_failcount 5
# Host failure/recovery notification flags
host_recover_notify off
host_fail_notify off
# 0 neighbors defined, 32 maximum
# ICP host configuration
# icp_host hostname peertype http_port icp_port [options]
# Forwarding host configuration
# fwd_host hostname http_port [options]
# 0 groups defined, 16 maximum
# Forwarding host URL regex configuration
# fwd_host_url_regex targetname url_regex
# targetname of 'deny' means deny access
# targetname of 'direct' means no forwarding
# 0 forwarding host URL regexes defined, 256 maximum
# Forwarding host domain configuration
# fwd_host_domain targetname domainname
# targetname of 'deny' means deny access
# targetname of 'direct' means no forwarding
# 0 forwarding host domains defined, 256 maximum
# Forwarding host ip configuration
# fwd_host_ip targetname IP[/netmask]
# targetname of 'deny' means deny access
# targetname of 'direct' means no forwarding
# 0 IPs defined, 256 maximum
# ICP access domain configuration

SGOS# show ntp
NTP is enabled
NTP servers: ntp.Blue Coat.com ntp2.Blue Coat.com

SGOS# show rtsp
Proxy port: 1091
Parent proxy address: 0.0.0.0
Parent proxy port: 1091

SGOS# show snmp
General info:
  SNMP is disabled
MIB variables:
  sysContact: Rita
  sysLocation:
Traps:
  Trap address 1:
  Trap address 2:
  Trap address 3:
  Authorization traps: disabled

SGOS# show transparent-proxy
Transparent proxy
Send client IP: disabled

#temporary-route

This command is used to manage temporary route entries.

Syntax

temporary-route {add destination_address netmask gateway_address | delete destination_address}

where:

add destination_address netmask gateway_address Adds a temporary route entry.

delete destination_address Deletes a temporary route entry.

#test http

This command is used to test subsystems. A test http get command to a particular origin server or URL, for example, can verify Layer 3 connectivity and also verify upper layer functionality.

Syntax

test http {get url | loopback}

where:

get Performs a test Get of an HTTP object.

url Names the object that you want to Get.

loopback Performs a loopback test.

Examples

SGOS# test http loopback
Type escape sequence to abort.
Executing HTTP loopback test
Measured throughput rate is 20026.76 Kbytes/sec
HTTP loopback test passed

SGOS# test http get http://www.google.com
Type escape sequence to abort.
Executing HTTP get test

* HTTP request header sent:
GET http://www.google.com/ HTTP/1.0
User-Agent: HTTP_TEST_CLIENT

* HTTP response header recv'd:
HTTP/1.0 200 OK
Connection: close
Date: Fri, 12 Oct 2001 21:08:31 GMT
Server: GWS/1.11
Set-Cookie: PREF=ID=7af9837f5988933d:TM=1002920911:LM=1002920911; domain=.google.com; path=/; expires=Sun, 17-Jan-2038 19:14:07 GMT
Content-Type: text/html
Content-Length: 2184
Cache-Control: private

Measured throughput rate is 6.71 Kbytes/sec
HTTP get test passed

#traceroute

Use this command to trace the route to a destination. The traceroute command can be helpful in determining where a problem may lie between two points in a network. Use traceroute to trace the network path from a Security Appliance back to a client or to a specific origin Web server. (Note that you can also use the trace route command from your client station (if supported) to trace the network path between the client, a Security Appliance, and a Web server. Microsoft operating systems generally support the trace route command from a DOS prompt. The syntax from a Microsoft-based client is: tracert [ip | hostname].)

Syntax

traceroute {IP_address | hostname}

where:

IP_address Indicates the IP address of the client or origin server.

hostname Indicates the host name of the origin server.

Example

SGOS# traceroute 10.25.36.47
Type escape sequence to abort.
Executing HTTP get test
HTTP response code: HTTP/1.0 503 Service Unavailable
Throughput rate is non-deterministic
HTTP get test passed
10.25.36.47#traceroute 10.25.36.47
Type escape sequence to abort.
Tracing the route to 10.25.36.47
1 10.25.36.47 212 0 0 0

#upload

Uploads the current access log or running configuration. Archiving a Security Appliance's system configuration on a regular basis is a generally prudent measure. In the rare case of a complete system failure, restoring a Security Appliance to its previous state is simplified if you recently uploaded an archived system configuration to an FTP or HTTP server. The archive contains all system settings differing from system defaults, along with any forwarding and security lists installed on the Security Appliance.

Syntax

upload {access-log | configuration}

where:

access-log Specifies to upload the current access log.

configuration Specifies to upload the current configuration.

Examples

SGOS> enable
Enable Password: *****
SGOS# upload configuration
ok

To restore an archived system configuration:

1. At the enable command prompt, enter the following command:

SGOS> configure network url

The URL must be in quotation marks, if the filename contains spaces, and must be fully-qualified (including the protocol, server name or IP address, path, and filename of the archive). The configuration archive is downloaded from the server, and the Security Appliance settings are updated.

If your archived configuration filename does not contain any spaces, quotation marks surrounding the URL are unnecessary.

2. Enter the following command to restart the Security Appliance with the restored settings:

SGOS> restart mode software

For example:

SGOS> enable
Enable Password: *****
SGOS# configure network ftp://10.25.36.46/path/10.25.36.47- Blue Coat 5000 0216214521.config
% Configuring from ftp://10.25.36.46/path/10.25.36.47 - Blue Coat 50000216214521.config...
ok


Chapter 3: Privileged Mode Configure Commands

#configure

The configure command allows you to configure the Blue Coat Systems Port 80 Security Appliance settings from your current terminal session, or by loading a text file of configuration settings from the network.

Syntax

configure {{terminal | t} | network url}
configure_command
configure_command
...

where configure_command is any of the following:

Table 3.1: View Configuration Settings Commands:

This Configure Command: Does this:

show Displays running system information.

Table 3.2: Change Configuration Settings Commands:

This Configure Command: Does this:

accelerated-pac Configures installation parameters for PAC file.

access-log Configures the access log for each HTTP request made.

archive-configuration Saves the system configuration.

bandwidth-gain Configures bandwidth gain.

banner Defines a login banner.

bypass-list Installation parameters for bypass list.

caching Modify caching parameters.

clock Modifies clock settings.

content Adds or deletes objects from the Security Appliance.

content-filter Configures the content filter.

diagnostics Configures remote diagnostics.

domain-alias Configures domain alias attributes.

dns Modifies DNS settings.

dynamic-bypass Modifies dynamic bypass configuration.

error-pages Configures HTTP error pages.

event-log Configures event log parameters.

exit Returns to the previous prompt.

forwarding Configures forwarding parameters.

hide-advanced Disables commands for advanced subsystems.

hostname Sets the system hostname.

http Configures HTTP parameters.

https Configures HTTPS parameters.

icap Configures ICAP.

icp Configures ICP.

identd Configures IDENTD.

inline Installs configurations from console input.

installed-systems Maintain the list of currently installed Security Appliance systems.

interface Selects an interface to configure.

ip-default-gateway Specifies the default IP gateway.

line-vty Configures a terminal line.

load Loads an installable list.

management-port Specifies a port and protocol for a Web console.

netbios Configures NETBIOS parameters.

no Clears certain parameters.

ntp Modifies NTP parameters.

policy Specifies CPL rules.

restart System restart behavior.

return-to-sender IP "return to sender" behavior.

reveal-advanced Enables or disables commands for advanced subsystems.

rip Modifies RIP configuration.

rtsp Specifies RTSP proxy ports and IP addresses.

security Modifies security parameters.

services Configures protocol attributes.

snmp Modifies SNMP parameters.

socks-machine-id Specifies the machine ID for SOCKS.

splash-generator Configures splash pages.

sshd Modifies SSHD parameters.

static-routes Installation parameters for static routes table.

streaming Configures streaming parameters.

system-resource-percent Configures system resource allocation.

tcp-rtt Specifies the default TCP Round Trip Time.

telnet-management Enables or disables Telnet access to the CLI.

timezone Sets the local timezone.

upgrade-path Identifies the network path that should be used to download system software.

virtual-ip Configures virtual IP addresses.

wccp Configures WCCP parameters.

web-management Enables or disables Web console.

#(config)accelerated-pac

Normally, a Web server is kept around to serve the PAC file to client browsers. This feature allows you to load a PAC file onto the Security Appliance for high performance PAC file serving right from the Security Appliance. There are two ways to create an Accelerated PAC file: (1) customize the default PAC file and save it as a new file, or (2) create a new custom PAC file. In either case, it is important that the client instructions for configuring Security Appliance settings contain the URL of the Accelerated-PAC file. Clients load PAC files from:

http://your_security_appliance:8081/accelerated_pac_base.pac

Syntax

accelerated-pac {no path | path url}

where:

accelerated-pac – Configures accelerated PAC file information.

no Clears the network path to download PAC file.

path url Specifies the location to which the PAC file should be downloaded.

Example

SGOS#(config) accelerated-pac path 10.25.36.47
ok

#(config)access-log

The Security Appliance can maintain an access log for each HTTP request made. The access log can be stored in one of three formats, which can be read by a variety of reporting utilities. See the Access Log Formats chapter for additional information on log formats.

Syntax

access-log

This changes the prompt to:

SGOS#(config access-log)

-subcommands-

option 1: bandwidth kbps

option 2: client-type {custom | ftp}


option 3: commands {cancel-upload | close-connection | delete-logs | open-connection | rotate-remote-log | send-keep-alive | test-upload | upload-now}

option 4: connect-wait-time seconds

option 5: continuous-upload {disable | enable | keep-alive seconds | lag-time seconds | rotate-remote {daily rotation_hour | hourly rotation_interval}}

option 6: custom-client {alternate-server IP_address | primary-server IP_address}

option 7: disable

option 8: early-upload megabytes

option 9: enable

option 10: exit

option 11: format {common | custom format_string | elff format_string | no string | squid-compatible}

option 12: ftp-client {alternate {host host_name | password password | path path | username username} | filename format | no {alternate | filename | primary} | pasv {no | yes} | primary {host host_name | password password | encrypted-password encrypted-password | path path | username username} secure {yes | no}}

option 13: max-size megabytes

option 14: overflow-policy {delete | stop}

option 15: remote-size megabytes

option 16: show

option 17: time-format {gmt | local}

option 18: upload-interval {daily upload_hour | hourly upload_interval}

option 19: upload-type {gzip | text}

where:

bandwidth kbps – Use this command to specify the maximum amount of bandwidth used during log uploading.

client-type – Use this command to specify which upload client to use.

commands – Use this command to manage log file connections.

cancel-upload Cancels a pending access log upload.

close-connection Closes a manually-opened connection to the remote server.

delete-logs Permanently deletes all access logs on the Security Appliance.

open-connection Opens a connection to the remote server.

rotate-remote-log Switches to a new remote log file.

send-keep-alive Sends a keep-alive log packet to the remote server.

test-upload Tests the upload configuration by uploading a verification file.

upload-now Uploads an access log file.

Page 49: Sgos Cli Guide 2-1-09

Chapter 3: Privileged Mode Configure Commands

49

connect-wait-time seconds – Use this command to specify the time to wait between server connection attempts.

continuous-upload – Use this subcommand to configure continuous upload settings.

{enable | disable} Enables or disables continuous upload.

keep-alive seconds Specifies the interval between keep-alive timeouts.

lag-time seconds Specifies the maximum time between log packets (text upload only).

rotate-remote {daily | hourly} Specifies when to switch to a new remote logfile.

custom-client – Use this subcommand to configure the custom client.

alternate-server IP_address [port] Specifies the alternate server.

primary-server IP_address [port] Specifies the primary server.

disable – Use this subcommand to disable access logging.

early-upload – Use this subcommand to trigger an early upload when the access log file reaches the specified size.

megabytes Specifies the file size, in megabytes, that, when reached, will cause the access log file to be uploaded to the primary upload site.

enable – Use this subcommand to enable access logging.

format – Use this subcommand to specify the access log format.

common Indicates that the access-log output should be generically server-compatible.

squid-compatible Indicates that the access log format should be SQUID proxy caching server-compatible.

custom custom_string Indicates that the access log format should be compatible with the format specified by custom_string.

ftp-client – Use this subcommand to configure the FTP client.

alternate {host hostname [port] | password password | encrypted-password encrypted-password | path path | username username}

Specifies the alternate FTP host site.

filename format Specifies the remote filename format.

no {alternate | filename | primary}

Deletes the specified parameter.

pasv {no | yes} Specifies whether the PASV command is sent.


primary {host hostname [port] | password password | encrypted-password encrypted-password | path path | username username}

Specifies the primary FTP host site.

secure {no | yes} Specifies whether to use secure connections.

max-size – Use this subcommand to set the maximum size, in MB, to which the access log can grow.

megabytes Maximum size of the access log file. Set the overflow-policy subcommand to determine the action that should occur when this file size is reached.

overflow-policy – Use this access-log subcommand to determine what to do if the access log exceeds its maximum size.

delete Indicates that the access log file should be deleted when the file reaches the defined maximum size. Refer to the max-size subcommand for more information.

stop Indicates that no new access log data should be added to the access log file when the file reaches the defined maximum size. Refer to the max-size subcommand for more information.

remote-size megabytes – Use this access-log subcommand to specify maximum remote file size (MB).


time-format – Use this access-log subcommand to specify the time format to use with the filename.

gmt Use GMT.

local Use the local time.

upload-interval – Use this access-log subcommand to specify access log upload interval.

daily upload_hour Indicates that the access log file should be uploaded each day at the military time hour indicated by upload_hour.

hourly upload_interval Indicates that the access log file should be uploaded every number of hours specified by upload_interval.

upload-type – Use this access-log subcommand to specify whether to upload gzip file or text file.

gzip Indicates that the access log file should be uploaded as a GNU zip file.

text Indicates that the access log file should be uploaded as a text file.


Example

SGOS#(config) access-log
SGOS#(config access-log) enable
ok
SGOS#(config access-log) format squid-compatible
ok
SGOS#(config access-log)
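As an added example (not code from this manual or from Blue Coat), the following Python script reads a transcript of the (config access-log) subcommands documented above and flags settings that weaken log retention or the upload transport: an early-upload threshold that never fires before max-size is reached, an FTP upload client without secure yes, and no upload schedule at all. The two transcripts, the hostname and the treatment of an unset secure flag as plain FTP are constructed assumptions, not values from the manual.

```python
"""Sanity checks for an SGOS (config access-log) setup.

Added example, not Blue Coat code. It reads a constructed transcript of the
subcommands documented above and flags settings that weaken log retention
or the upload transport; the 'secure' default is the editor's assumption.
"""
import re
import shlex

# Constructed transcript of a weak setup (not taken from the manual).
WEAK_TRANSCRIPT = """\
SGOS#(config access-log) enable
ok
SGOS#(config access-log) client-type ftp
ok
SGOS#(config access-log) ftp-client primary host logs.example.internal 21
ok
SGOS#(config access-log) ftp-client primary username sgoslog
ok
SGOS#(config access-log) ftp-client secure no
ok
SGOS#(config access-log) max-size 100
ok
SGOS#(config access-log) early-upload 100
ok
SGOS#(config access-log) overflow-policy stop
ok
"""

# The same setup with the findings below addressed (also constructed).
HARDENED_TRANSCRIPT = (
    WEAK_TRANSCRIPT.replace("ftp-client secure no", "ftp-client secure yes")
    .replace("early-upload 100", "early-upload 80")
    + "SGOS#(config access-log) upload-interval hourly 1\nok\n"
)

PROMPT = re.compile(r"^SGOS\s*#\(config access-log\)\s*")
# Subcommands whose first argument selects a further keyword (per the syntax above).
TWO_LEVEL = {"ftp-client", "continuous-upload", "custom-client", "commands"}


def parse_access_log_config(transcript: str) -> dict:
    """Map each subcommand path to the arguments it was last given.

    Keys look like 'max-size' or 'ftp-client primary host'. 'enable'/'disable'
    collapse to a boolean under 'enabled', and likewise for 'continuous-upload'.
    Prompts and the 'ok' acknowledgements are skipped.
    """
    cfg = {}
    for raw in transcript.splitlines():
        line = PROMPT.sub("", raw.strip())
        if not line or line == "ok":
            continue
        tokens = shlex.split(line)
        head = tokens[0]
        if head in ("enable", "disable"):
            cfg["enabled"] = head == "enable"
        elif head == "continuous-upload" and tokens[1] in ("enable", "disable"):
            cfg["continuous-upload"] = tokens[1] == "enable"
        elif head in TWO_LEVEL:
            depth = 3 if tokens[1] in ("primary", "alternate") else 2
            cfg[" ".join(tokens[:depth])] = tokens[depth:]
        else:
            cfg[head] = tokens[1:]
    return cfg


def check_access_log_config(cfg: dict) -> list:
    """Return (code, message) findings; an empty list means nothing was flagged."""
    findings = []
    if not cfg.get("enabled", False):
        findings.append(("disabled", "access logging is disabled; no HTTP request records are kept"))
    max_size = int(cfg["max-size"][0]) if "max-size" in cfg else None
    early = int(cfg["early-upload"][0]) if "early-upload" in cfg else None
    if max_size is not None and (early is None or early >= max_size):
        policy = cfg.get("overflow-policy", ["unset"])[0]
        findings.append(("overflow", f"early-upload must trigger below max-size ({max_size} MB); "
                                     f"at the limit overflow-policy '{policy}' discards or stops log data"))
    if cfg.get("client-type", [None])[0] == "ftp":
        # Assumption: an unset 'secure' flag is treated as plain FTP.
        if cfg.get("ftp-client secure", ["no"])[0] != "yes":
            findings.append(("insecure-ftp", "ftp-client secure is not 'yes'; uploads and FTP "
                                             "credentials cross the network unprotected"))
        if "ftp-client primary host" not in cfg:
            findings.append(("no-ftp-host", "client-type ftp but no ftp-client primary host is set"))
    if "upload-interval" not in cfg and not cfg.get("continuous-upload", False):
        findings.append(("no-schedule", "no upload-interval and continuous upload is off; logs "
                                        "leave the appliance only on a manual upload-now"))
    return findings


if __name__ == "__main__":
    for name, transcript in (("weak", WEAK_TRANSCRIPT), ("hardened", HARDENED_TRANSCRIPT)):
        findings = check_access_log_config(parse_access_log_config(transcript))
        print(f"{name}: {len(findings)} finding(s)")
        for code, message in findings:
            print(f"  [{code}] {message}")
```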

#(config)archive-configuration

Archiving a Security Appliance system configuration on a regular basis is always a good idea. In the rare case of a complete system failure, restoring a Security Appliance to its previous state is simplified by loading an archived system configuration from an FTP or HTTP server. The archive contains all system settings differing from system defaults, along with any forwarding and security lists installed on the Security Appliance.

Archive and restore operations must be performed from the CLI. There is no Management Console Web interface for archive and restore.

Syntax

option 1: archive-configuration filename-prefix filename

option 2: archive-configuration host host_name

option 3: archive-configuration password password

option 4: archive-configuration path path

option 5: archive-configuration protocol {ftp | tftp}

option 6: archive-configuration username username

where:

archive-configuration - Configures archive configuration settings including protocol, host, path, filename, username, and password.

filename-prefix file_name Specifies the prefix that should be applied to the archive configuration on upload.

host host_name Specifies the FTP host to which the archive configuration should be uploaded.

password password Specifies the password for the FTP host to which the archive configuration should be uploaded.

path path Specifies the path to the FTP host to which the archive configuration should be uploaded.

protocol {ftp | tftp} Indicates the upload protocol to be used for the archive configuration.

username username Specifies the username for the FTP or TFTP host to which the archive configuration should be uploaded.

Example

SGOS#(config) archive-configuration host host3
ok

#(config)bandwidth-gain

Bandwidth gain is a measure of the effective increase of server bandwidth resulting from the client's use of a content accelerator. For example, a bandwidth gain of 100% means that traffic volume from the Security Appliance to its clients is twice as great as the traffic volume being delivered to the Security Appliance from the origin server(s). Using bandwidth gain mode can provide substantial gains in apparent performance.

Keep in mind that bandwidth gain is a relative measure of the Security Appliance's ability to amplify traffic volume between an origin server and the clients served by the Security Appliance.

Syntax

bandwidth-gain

This changes the prompt to:

SGOS#(config bandwidth-gain)

-subcommands-

option 1: disable

option 2: enable

option 3: custom pipelining {disable | enable}

option 4: custom if-modified-since {disable | enable}

option 5: custom conditionals {disable | enable}

option 6: custom refresh {disable | enable}

option 7: exit

option 8: mode [custom | default]

option 9: show

option 10: view

where:

bandwidth-gain - Configures bandwidth gain status, mode, and the status of the "substitute get for get-if-modified-since," "substitute get for HTTP 1.1 conditional get," and "never refresh before specified object expire" features.

disable Disables bandwidth-gain mode.

enable Enables bandwidth-gain mode.

custom pipelining {disable | enable} Enables or disables custom pipelining.

custom if-modified-since {disable | enable} Enables or disables custom if-modified-since substitution.

custom conditionals {disable | enable} Enables or disables custom HTTP 1.1 conditional substitution.

custom refresh {disable | enable} Enables or disables custom asynchronous refresh.

exit Exits configure bandwidth-gain mode and returns to configure mode.

mode {custom | default} Sets bandwidth-gain mode to either custom or default.

show bandwidth-gain | view Displays bandwidth gain status, mode, and the status of the "substitute get for get-if-modified-since," "substitute get for HTTP 1.1 conditional get," and "never refresh before specified object expire" features.

Example

SGOS#(config) bandwidth-gain
SGOS#(config bandwidth-gain) enable
ok
SGOS#(config bandwidth-gain) custom pipelining en
ok
SGOS#(config bandwidth-gain) exit
SGOS#(config)

#(config)banner

This command enables you to define a login banner for your users.

Syntax

banner {login string | no login}

where:

banner - Defines a login banner.

login string Sets the login banner to the value of string.

no login Effectively sets the login banner to null.

Example

SGOS#(config) banner login "Sales and Marketing Intranet Web"
ok


#(config)bypass-listA bypass list prevents the Security Appliance from transparently accelerating requests to servers that perform IP authentication with clients. The bypass list contains IP addresses, subnet masks, and gateways. When a request matches an IP address and subnet mask specification in the bypass list, the request is sent to the designated gateway. A bypass list is only used for transparent caching.

There are two types of bypass lists: local and central.

To use bypass routes, create a text file that contains a list of address specifications. The file should be named with a .txt extension. Once you have created the bypass list, place it on an HTTP server so it can be installed onto the Security Appliance.

You can create your own central bypass list to manage multiple Security Appliances, or you can use the central bypass list maintained by Blue Coat Technical Support at:

http://www.bluecoat.com/support/subscriptions/CentralBypassList.txt

The central bypass list maintained by Blue Coat contains addresses Blue Coat has identified as using client authentication.

Syntax

bypass-list {central-path url | local-path url | no {central-path | local-path | notify | subscribe} | notify | poll-now | subscribe}

where:

bypass-list – Configures bypass list settings.

central-path url Specifies the network path used to download the central bypass list.

local-path url Specifies the network path used to download the local bypass list.

no central-path Sets the central bypass list path to null.

no local-path Sets the local bypass list path to null.

no notify Instructs the Security Appliance not to send an e-mail notification if the central bypass list changes.

no subscribe Specifies that the bypass list should not be changed when changes are made to the central bypass list.

notify Instructs the Security Appliance to send an e-mail notification if the central bypass list changes.

poll-now Checks the central bypass list for changes.

subscribe Specifies that the bypass list should be changed when changes are made to the central bypass list.

Example

SGOS#(config) bypass-list local-path 10.25.36.47/files/bypasslist.txt
ok

#(config)caching

When a cached HTTP object expires, it is placed in a refresh list. The Security Appliance processes the refresh list in the background, when it is not serving requests. Refresh policies define how the Security Appliance handles the refresh process.

The HTTP caching options allow you to specify:

• Maximum object size

• Negative responses

• Freshness

In addition to HTTP objects, the Security Appliance can cache objects requested using FTP. When the Security Appliance retrieves and caches an FTP object, it uses two methods to determine how long the object should stay cached.

• If the object has a last-modified date, the Security Appliance assigns a refresh date to the object that is a percentage of the last-modified date.

• If the object does not have a last-modified date, the Security Appliance assigns a refresh date to the object based on a fixed period of time.

The FTP caching options also allow you to specify:

• Transparency

• Maximum object size

• Caching objects by date

• Caching objects without a last-modified date: if an FTP object is served without a last modified date, the Security Appliance caches the object for a set period of time.
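The two FTP refresh rules above can be written down as a small calculation. The following is an added example, not code from the guide or the appliance: it takes the "percentage of the last-modified date" to mean a percentage of the object's age (time since Last-Modified) at the moment it was fetched, which is the setting type-m-percent controls, and models the no-date case as a fixed period supplied by the caller because the guide does not state the unit of that period. The timestamps are constructed; always-verify-source and the FTP max-cache-size limit are included so the three settings can be seen together.

```python
"""When is a cached FTP object due for refresh?

Added example, not from the Blue Coat guide. Assumptions: type-m-percent
applies to the object's age at fetch time; the no-date period is a caller
supplied timedelta; 1 MB = 1024*1024 bytes for the size limit.
"""
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed timestamps for the demonstration.
FETCHED = datetime(2002, 4, 1, 0, 30, tzinfo=timezone.utc)
MODIFIED = FETCHED - timedelta(days=10)
FIXED_PERIOD = timedelta(hours=6)   # stands in for type-n-initial; unit assumed


def refresh_time(fetched_at: datetime, last_modified: Optional[datetime],
                 type_m_percent: float, fixed_period: timedelta) -> datetime:
    """Moment after which the cached copy should be refreshed from the origin."""
    if last_modified is not None:
        age = fetched_at - last_modified
        if age >= timedelta(0):
            return fetched_at + age * (type_m_percent / 100.0)
        # A Last-Modified in the future is not usable as an age; fall back to
        # the fixed period instead of computing a negative lifetime (choice
        # made for this example).
    return fetched_at + fixed_period


def is_fresh(now: datetime, refresh_at: datetime,
             always_verify_source: bool = False) -> bool:
    """True when the copy may be served without asking the origin.

    always-verify-source forces a check with the source on every request,
    modelled here as the object never counting as fresh.
    """
    if always_verify_source:
        return False
    return now < refresh_at


def fits_in_cache(object_size_bytes: int, max_cache_size_mb: int) -> bool:
    """Apply the ftp max-cache-size limit (megabytes)."""
    return object_size_bytes <= max_cache_size_mb * 1024 * 1024


def demo() -> dict:
    """type-m-percent 20 on a 10-day-old object: refresh after 2 days."""
    due = refresh_time(FETCHED, MODIFIED, 20, FIXED_PERIOD)
    no_date = refresh_time(FETCHED, None, 20, FIXED_PERIOD)
    future = refresh_time(FETCHED, FETCHED + timedelta(days=1), 20, FIXED_PERIOD)
    return {
        "age_days": (FETCHED - MODIFIED).days,
        "refresh_after_days": (due - FETCHED).days,
        "fresh_after_1_day": is_fresh(FETCHED + timedelta(days=1), due),
        "fresh_after_3_days": is_fresh(FETCHED + timedelta(days=3), due),
        "no_date_hours": (no_date - FETCHED) // timedelta(hours=1),
        "future_date_hours": (future - FETCHED) // timedelta(hours=1),
        "verify_source_fresh": is_fresh(FETCHED, due, always_verify_source=True),
        "fits_200mb": fits_in_cache(150 * 1024 * 1024, 200),
    }


if __name__ == "__main__":
    print(demo())
```

The age-based rule means a file that has not changed for years is trusted for a long time while a file modified an hour ago is rechecked soon, which is the behaviour the percentage setting is tuning.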

Syntax

caching

This changes the prompt to:

SGOS#(config caching)

-subcommands-

option 1: always-verify-source

option 2: ftp {disable | enable | max-cache-size megabytes | show | type-m-percent percent | type-n-initial percent}

option 3: max-cache-size megabytes

option 4: negative-response minutes

option 5: no always-verify-source

option 6: refresh {automatic | bandwidth kbps | desired-freshness percent | no automatic}


option 7: show

where:

caching – Configures cache refresh rates and settings and caching policies.

always-verify-source Specifies that the Security Appliance should always verify the freshness of an object with the object source.

ftp {disable | enable} Enables or disables the caching of FTP objects.

ftp max-cache-size megabytes Specifies the maximum size, in megabytes, of an FTP object to cache.

ftp type-m-percent percent Specifies the TTL for objects with a last-modified time.

ftp type-n-initial percent Specifies the TTL for objects with no expiration.

max-cache-size megabytes Specifies the maximum size of the cache to the value indicated by megabytes.

negative-response minutes Specifies that negative responses should be cached for the time period identified by minutes.

no always-verify-source Specifies that the Security Appliance should never verify the freshness of an object with the object source.

refresh automatic Specifies that the Security Appliance should manage the refresh bandwidth.

refresh bandwidth kbps Specifies the amount of bandwidth, in kilobits per second, to use for maintaining object freshness.

refresh desired-freshness percent Specifies that the Security Appliance should attempt to maintain freshness for the percentage of objects indicated by percent.

refresh no automatic Specifies that the Security Appliance should not manage the refresh bandwidth.

Example

SGOS#(config) caching
SGOS#(config caching) always-verify-source
ok
SGOS#(config caching) max-cache-size 100
ok
SGOS#(config caching) negative-response 15
ok
SGOS#(config caching) refresh automatic
ok
SGOS#(config caching) ftp
SGOS#(config caching ftp) enable
ok
SGOS#(config caching ftp) max-cache-size 200
ok
SGOS#(config caching ftp) type-m-percent 20
ok
SGOS#(config caching ftp) type-n-initial 10
ok
SGOS#(config caching ftp) exit
SGOS#(config caching) exit
SGOS#(config)

#(config)clock

To manage objects in the cache, a Security Appliance must know the current Universal Time Coordinates (UTC) time. By default, the Security Appliance attempts to connect to a Network Time Protocol (NTP) server to acquire the UTC time. The Security Appliance includes a list of NTP servers available on the Internet, and attempts to connect to them in the order they appear in the NTP server list on the NTP tab. If the Security Appliance cannot access any of the listed NTP servers, you must manually set the UTC time using the clock command.

Syntax

clock {day day | hour hour | minute minute | month month | second second | year year}

where:

clock – Configures the current time.

day day Sets the UTC day to the day indicated by day. The value can be any integer from 1 through 31.

hour hour Sets the UTC hour to the hour indicated by hour. The value can be any integer from 0 through 23.

minute minute Sets the UTC minute to the minute indicated by minute. The value can be any integer from 0 through 59.

month month Sets the UTC month to the month indicated by month. The value can be any integer from 1 through 12.

second second Sets the UTC second to the second indicated by second. The value can be any integer from 0 through 59.

year year Sets the UTC year to the year indicated by year. The value must take the form xxxx.

Example

SGOS#(config) clock year 2002
ok
SGOS#(config) clock month 4
ok
SGOS#(config) clock day 1
ok
SGOS#(config) clock hour 0
ok
SGOS#(config) clock minute 30
ok
SGOS#(config) clock second 59
ok

#(config)content

Use this command to manage and manipulate content distribution requests and re-validate requests.

Note: The content command options are not compatible with transparent FTP.

Syntax

content {cancel {outstanding-requests | url url} | delete {regex regex | url url} | distribute url | priority {regex 0-7 regex | url 0-7 url} | revalidate {url url | regex regex}}

where:

content – Manages and manipulates content pull requests and re-validate requests.

cancel outstanding-requests Specifies to cancel all outstanding content distribution requests and re-validate requests.

cancel url url Specifies to cancel outstanding content distribution requests and re-validate requests for the URL identified by url.

delete regex regex Specifies to delete content based on the regular expression identified by regex.

delete url url Specifies to delete content for the URL identified by url.

distribute url Specifies that the content associated with url should be distributed from the origin server.

priority regex 0-7 regex Specifies to add a content deletion policy based on the regular expression identified by regex.

priority url 0-7 url Specifies to add a content deletion policy for the URL identified by url.

revalidate {url url | regex regex} Revalidates the content associated with either url or the regular expression identified by regex with the origin server.


Example

SGOS#(config) content distribute http://www.bluecoat.com
Current time: Mon, 01 Apr 2002 00:34:07 GMT
ok
SGOS#(config) content revalidate url http://www.bluecoat.com
Last load time: Mon, 01 Apr 2002 00:34:07 GMT
ok
SGOS#(config) content distribute http://www.bluecoat.com
Current time: Mon, 01 Apr 2002 00:35:01 GMT
ok
SGOS#(config) content priority url 7 http://www.bluecoat.com
ok
SGOS#(config) content cancel outstanding-requests
ok
SGOS#(config) content delete url http://www.bluecoat.com
ok

#(config)content-filter

The Security Appliance offers the option of using content filtering to control the type of retrieved content and to filter requests made by clients. The Security Appliance supports these content filtering methods:

• Using vendor-based content filtering

This method allows you to block URLs using vendor-defined categories. For this method, use content filtering solutions from either of the following vendors:

• SmartFilter™, a provider of Web filtering software used locally on the Security Appliance.

• Websense®, a provider of Web filtering software, used either locally on the Security Appliance or remotely on a separate Websense Enterprise Server.

You can also combine this type of content filtering with the Security Appliance policies, which use the Blue Coat Policy Language.

• Denying access to URLs

This method allows you to block by URL, including filtering by scheme, domain, or individual host or IP address. For this method, you define Security Appliance policies, which use the Blue Coat Policy Language.

Refer to the Blue Coat Systems Port 80 Security Appliance Configuration and Management Guide and the Blue Coat Systems Port 80 Security Appliance Policy Language Guide and Reference for complete descriptions of these features.

Syntax

content-filter

This changes the prompt to:

SGOS#(config content-filter)

- subcommands-


option 1: disable

option 2: enable

option 3: exit

option 4: select-provider {smartfilter | websense3 | websense4 off-box}

option 5: show

option 6: smartfilter (see following commands for details)

option 7: test-url url

option 8: websense3 (see following commands for details)

option 9: websense4 off-box (see following commands for details)

where:

content-filter – Configures filters that control the type of retrieved content and filter requests made by clients.

disable Disables the current content filter settings.

enable Enables the current content filter settings.

exit Exits configure content-filter mode and returns you to configure mode.

select-provider {smartfilter | websense3 | websense4 off-box} Specifies the content filter provider to use.

show Displays the current content filter settings.

smartfilter – see #(config content-filter)smartfilter

test-url url Tests the URL indicated by url against the specified content filter using a reverse DNS lookup.

websense3 – see #(config content-filter)websense3

websense4 off-box – see #(config content-filter)websense4 off-box

Example

SGOS#(config) content-filter
SGOS#(config content-filter) select-provider smartfilter
Configuration updated, system restart required for changes to take effect.
SGOS#(config content-filter) exit
SGOS#(config) exit
SGOS# restart regular
ok
SGOS# Initiating software only restart with uncompressed partial core image
Waiting for disk activity to cease


#(config content-filter)smartfilter

Use this command to configure SmartFilter filters that control the type of content retrieved by the Security Appliance and filter requests made by clients.

Syntax

smartfilter

This changes the prompt to:

SGOS#(config smartfilter)

- subcommands-

option 1: view-categories

option 2: download

option 3: exit

option 4: no

where:

smartfilter – Configures SmartFilter filters that control the type of content retrieved by the Security Appliance and filter requests made by clients.

download control-file filename Identifies the file containing all SmartFilter parameters for downloading to client machines.

download day-of-week {all | none | monday | tuesday | wednesday | thursday | friday | saturday | sunday} Sets the day of the week for the automatic download of the control-file to occur.

download disable-auto Disables automatic download of the control-file to client machines.

download enable-auto Enables automatic download of the control-file to client machines.

download get-now Initiates automatic download of the control-file to client machines.

download password password Indicates the password used to access the network path to the download database.

download encrypted-password encrypted-password Indicates the encrypted password used to access the network path to the download database.

download path url Indicates the network path to the download database.

download time-of-day hour Sets the time of day for the automatic download of the control-file to occur.

download username username Specifies the username used to access the network path to the download database.

exit Exits configure smartfilter mode and returns you to configure content-filter mode.

view-categories – Displays all of the categories.

Example

SGOS#(config) content-filter
SGOS#(config content-filter) smartfilter
SGOS#(config smartfilter) view-categories
Anonymizer/Translator
Art/Culture
Chat
...
Travel
Webmail
SGOS#(config smartfilter) download username anonymous
ok
SGOS#(config smartfilter) download password Blue Coat
ok
SGOS#(config smartfilter) download control-file sfcontrol
ok
SGOS#(config smartfilter) download enable-auto
ok
SGOS#(config smartfilter) download day-of-week all
ok
SGOS#(config smartfilter) download time-of-day 12
ok
SGOS#(config smartfilter) exit
SGOS#(config content-filter) exit

#(config content-filter)websense3

Use this command to configure Websense3 filters that control the type of content retrieved by the Security Appliance and filter requests made by clients.

Syntax

websense3

This changes the prompt to:

SGOS#(config websense3.x)

- subcommands-

option 1: view-categories

option 2: download

option 3: exit

option 4: no


where:

websense3 – Configures Websense3 filters that control the type of content retrieved by the Security Appliance and filter requests made by clients.

download

address1 text Specifies the company street address for download verification.

address2 text Specifies the company extended street address for download verification.

city text Specifies the company city for download verification.

company text Specifies the company name for download verification.

country text Specifies the company country for download verification.

day-of-week {all | none | monday | tuesday | wednesday | thursday | friday | saturday | sunday}

Specifies the day of the week for the automatic download of the control-file to occur.

disable-auto Disables the automatic download feature.

email text Specifies the company contact e-mail address.

enable-auto Enables the automatic download feature.

firstname text Specifies the company contact first name.

get-now Initiates automatic download of the database to client machines.

lastname text Specifies the company contact last name.

license-key text Specifies the company license key for access to the Websense3 database.

middlename text Specifies the company contact middle name.

password password Specifies the password for access to the Websense3 database.

encrypted-password encrypted-password Specifies the encrypted password for access to the Websense3 database.

phone-number text Specifies the company contact telephone number.

postcode text Specifies the company postal code.

province text Specifies the company province.

server url Specifies the Websense3 server from which the database should be downloaded.

time-of-day hour Sets the time of day for the automatic download of the database to occur.

username username Specifies the company contact's network username.

no address1 Sets the company contact address to null.

no address2 Sets the company contact extended address to null.

no city Sets the company contact city to null.

no company Sets the company name to null.

no country Sets the company country to null.

no email Sets the company contact e-mail to null.

no firstname Sets the company contact first name to null.

no lastname Sets the company contact last name to null.

no license-key Sets the company license key to null.

no password Sets the company password to null.

no phone-number Sets the company contact phone number to null.

no postcode Sets the company contact postal code to null.

no province Sets the company province to null.

no username Sets the company contact network username to null.

view-categories – Displays all of the categories.

Example

SGOS#(config) content-filter
SGOS#(config content-filter) websense3
SGOS#(config websense 3.x) download server asia.download.websense.com
SGOS#(config websense 3.x) download firstname Sally
SGOS#(config websense 3.x) download middlename Anne
SGOS#(config websense 3.x) download lastname Smith
SGOS#(config websense 3.x) download company Company Inc.
SGOS#(config websense 3.x) download address1 1230 Main St.
SGOS#(config websense 3.x) download address2 Suite 100
SGOS#(config websense 3.x) download city Redmond
SGOS#(config websense 3.x) download province WA
SGOS#(config websense 3.x) download country USA
SGOS#(config websense 3.x) download postcode 10808
SGOS#(config websense 3.x) download email [email protected]
SGOS#(config websense 3.x) download phone-number 555-555-2975
SGOS#(config websense 3.x) download license-key SKDI837SKFIVNW740FM
SGOS#(config websense 3.x) download username centerfield
SGOS#(config websense 3.x) download password wolverine
SGOS#(config websense 3.x) download enable-auto
SGOS#(config websense 3.x) download time-of-day 5
SGOS#(config websense 3.x) download day-of-week monday
SGOS#(config websense 3.x) download day-of-week tuesday
SGOS#(config websense 3.x) exit
SGOS#(config content-filter) exit
SGOS#(config)

#(config content-filter)websense4 off-box

Use this command to configure Websense4 filters that control the type of content retrieved by the Security Appliance and filter requests made by clients.

Syntax

websense4 off-box

This changes the prompt to:

SGOS#(config websense4.x off-box)

- subcommands-

option 1: default-domain string

option 2: directory-service string

option 3: exit

option 4: fail-open

option 5: ip-address ip_address

option 6: no {fail-open | ip_address | port | send-user-name}

option 7: port port_number

option 8: send-user-name

where:

websense4 off-box – Configures Websense4 filters that control the type of content retrieved by the Security Appliance and filter requests made by clients.

default-domain string Specifies the default domain of the remote Websense4 server. This is an NTLM-specific command. default-domain is usually set to "Default-Domain."

directory-service string Specifies the directory service used by the remote Websense4 server. This is an NTLM-specific command. directory-service is usually set to "WinNT."

exit Exits configure websense4.x off-box mode and returns you to configure content-filter mode.

fail-open Indicates that the username should not be sent to the Websense4 off-box if the remote Websense server is not available.

ip-address ip_address Specifies the IP address of the remote Websense4 server.

no fail-open Disables the fail-open setting.

no ip_address Sets the remote Websense4 server IP address to null.

no port Sets the remote Websense4 server port number to null.

no send-user-name Sets the send username to null.

port port_number Specifies the Websense4 port number.

send-user-name Sends the requestor user name to the remote Websense4 server (avoiding end-user re-authentication).

Example

SGOS#(config) content-filter
SGOS#(config content-filter) websense4 off-box
SGOS#(config websense 4.x off-box)
SGOS#(config websense 4.x off-box) ip-address 10.252.3.57
SGOS#(config websense 4.x off-box) default-domain NT4PDC
SGOS#(config websense 4.x off-box) send-user-name-yes
SGOS#(config websense 4.x off-box) exit
SGOS#(config content-filter) exit
SGOS#(config)

#(config)diagnostics

This command enables you to configure the remote diagnostic feature Heartbeat.

Syntax

diagnostics

This changes the prompt to:

SGOS#(config diagnostics)

- subcommands-

option 1: exit

option 2: heartbeat {disable | enable}

option 3: monitor {disable | enable}

option 4: request-heartbeat

option 5: reset heartbeat

option 6: show

where:

diagnostics – Configures for remote diagnostics through the Blue Coat Heartbeat feature.

exit Exits configure diagnostics mode and returns you to configure mode.

heartbeat {disable | enable} Enables or disables the Security Appliance Heartbeat features.

monitor {disable | enable} Enables or disables the monitoring feature.

request-heartbeat Creates a Heartbeat report.

reset heartbeat Resets Heartbeat settings to system defaults.

show Displays the current diagnostics settings.

Example

SGOS#(config) diagnostics
SGOS#(config diagnostics) reset heartbeat
ok

#(config)dns

The dns command enables you to modify the DNS settings for the Security Appliance. Note that the alternate DNS servers are only checked if the servers in the standard DNS list return "Name not found."

Syntax

dns {alternate ip_address | clear {alternate | imputing | server} | imputing name | no {alternate ip_address | imputing imputed_name | server ip_address} | server ip_address}

where:

dns – Enables you to modify domain name server settings.

alternate ip_address Adds the alternate domain name server indicated by ip_address to the alternate DNS server list.

clear alternate Sets all entries in the alternate DNS server list to null.

clear imputing Sets all entries in the name imputing list to null.

clear server Sets all entries in the primary DNS server list to null.

imputing name Identifies the file indicated by name as the name imputing list.

no alternate ip_address Removes the alternate DNS server identified by ip_address from the alternate DNS server list.

no imputing imputed_name Removes the imputed name identified by imputed_name from the name imputing list.

no server ip_address Removes the primary DNS server identified by ip_address from the primary DNS server list.

server ip_address Adds the primary domain name server indicated by ip_address to the primary DNS server list.

Example

SGOS#(config) dns clear server
SGOS#(config) dns server 10.253.220.249
SGOS#(config) dns clear alternate
SGOS#(config) dns alternate 216.52.23.101
SGOS#(config) dns clear imputing
SGOS#(config) dns imputing com
SGOS#(config) dns imputing net
SGOS#(config) dns imputing gov
SGOS#(config) dns imputing edu

#(config)domain-alias

Use this command to configure aliases for your domain.

Syntax

domain-alias {add original alias | delete {original alias | all}}

where:

domain-alias – Enables you to configure one or multiple aliases for your domain.

add original alias Adds the alternate name identified by alias to the list of domain aliases for the domain identified by original.

delete original alias Deletes the alternate name identified by alias from the list of domain aliases for the domain identified by original.

delete all Deletes all domain aliases from the configuration.

#(config)dynamic-bypass

Dynamic bypass provides a maintenance-free method for improving performance of the Security Appliance by automatically compiling a list of requested URLs that return various kinds of errors.

With dynamic bypass, the Security Appliance adds dynamic bypass entries, containing the server IP address of sites that have returned an error, to the Security Appliance's local bypass list. For a configured period of time, further requests for the error-causing URL are sent immediately to the origin server, saving the Security Appliance processing time. The amount of time a dynamic bypass entry stays in the list and the types of errors that cause the Security Appliance to add a site to the list, along with several other settings, are configurable from the CLI.

Once the dynamic bypass timeout for a URL has ended, the Security Appliance removes the URL from the bypass list. On the next client request for the URL, the Security Appliance attempts to contact the origin server. If the origin server still returns an error, the URL is once again added to the local bypass list for the configured dynamic bypass timeout. If the URL does not return an error, the request is handled in the normal manner.

The performance gains realized with this feature are substantial if the client base is large, and clients are requesting many error-causing URLs in a short period of time (for example, many users clicking a browser’s refresh button over and over to get an overloaded origin server to load a URL). Dynamic bypass increases efficiency because redundant attempts to contact the origin server are minimized.
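The lifecycle described above (error seen, server bypassed for the timeout, entry removed, origin retried through the proxy, re-added only if the error recurs) is small enough to simulate. The following is an added example, not code from the guide or the appliance; the timeout value, lazy expiry on lookup, and treating a None status as a non-HTTP response are choices made here, since the guide does not state its defaults. The server address and response codes are constructed. The same point the appliance prints as a warning applies to the model: while a server is in the list its requests skip the proxy and therefore the on-box policy, which is why an operator should keep the trigger set narrow and the list visible.

```python
"""Simulate the dynamic bypass list: add on trigger, expire, retry.

Added example, not from the Blue Coat guide. Timeout, lazy expiry and the
None-means-non-HTTP convention are assumptions of this example.
"""
from typing import Dict, List, Optional, Set

# Response codes the guide lists for `dynamic-bypass trigger`.
ALL_TRIGGERS: Set[int] = {400, 403, 405, 406, 500, 502, 503, 504}


class DynamicBypass:
    def __init__(self, timeout: float, triggers: Optional[Set[int]] = None,
                 non_http: bool = False) -> None:
        self.timeout = timeout                       # seconds an entry lives
        self.triggers = set(triggers) if triggers is not None else set()
        self.non_http = non_http                     # `trigger non-http`
        self._expiry: Dict[str, float] = {}          # server IP -> lapse time

    def trigger(self, code: int) -> None:
        """`dynamic-bypass trigger <code>`."""
        self.triggers.add(code)

    def trigger_all(self) -> None:
        """`dynamic-bypass trigger all`."""
        self.triggers |= ALL_TRIGGERS

    def clear(self) -> None:
        """`dynamic-bypass clear`."""
        self._expiry.clear()

    def is_bypassed(self, server_ip: str, now: float) -> bool:
        """True if a request to server_ip skips the proxy path right now.

        An expired entry is removed here, so the next request after the
        timeout goes through the proxy again and retries the origin.
        """
        expires = self._expiry.get(server_ip)
        if expires is None:
            return False
        if now >= expires:
            del self._expiry[server_ip]
            return False
        return True

    def on_response(self, server_ip: str, status: Optional[int], now: float) -> bool:
        """Record a proxied response; True if the server was (re)added.

        status is None for a non-HTTP response from the origin.
        """
        hit = (status is None and self.non_http) or (status in self.triggers)
        if hit:
            self._expiry[server_ip] = now + self.timeout
        return hit

    def entries(self) -> Dict[str, float]:
        """Current list, for display or audit."""
        return dict(self._expiry)


def scenario() -> List[bool]:
    """One constructed server through error, bypass, expiry and recovery."""
    db = DynamicBypass(timeout=60.0)
    db.trigger_all()
    out = [db.is_bypassed("198.51.100.7", now=0)]             # False: not listed
    out.append(db.on_response("198.51.100.7", 503, now=0))    # True: added
    out.append(db.is_bypassed("198.51.100.7", now=30))        # True: within timeout
    out.append(db.is_bypassed("198.51.100.7", now=60))        # False: expired
    out.append(db.on_response("198.51.100.7", 200, now=61))   # False: healthy now
    out.append(db.on_response("198.51.100.7", None, now=62))  # False: non-http off
    return out


if __name__ == "__main__":
    print(scenario())   # [False, True, True, False, False, False]
```

Periodically dumping entries() alongside the appliance's own bypass list view gives the visibility the warning calls for: every address in it is traffic the policy did not see.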

Syntax

dynamic-bypass {clear | disable | enable | no trigger {400 | 403 | 405 | 406 | 500 | 502 | 503 | 504 | all | non-http} | trigger {400 | 401 | 403 | 405 | 406 | 500 | 502 | 503 | 504 | all | non-http}}

where:

dynamic-bypass – Enables you to modify the dynamic bypass list.

clear Clears all entries in the dynamic bypass list.

disable | enable Disables or enables the current dynamic bypass list.

no trigger {400 | 403 | 405 | 406 | 500 | 502 | 503 | 504 | all | non-http} Disables dynamic bypass for the specified HTTP response code, all HTTP response codes, or all non-HTTP responses.

trigger {400 | 403 | 405 | 406 | 500 | 502 | 503 | 504 | all | non-http} Enables dynamic bypass for the specified HTTP response code, all HTTP response codes, or all non-HTTP responses.

Example

SGOS#(config) dynamic-bypass clear
ok
SGOS#(config) dynamic-bypass enable
WARNING: Requests to sites that are put into the dynamic bypass list will bypass future policy evaluation. This could result in subversion of on-box policy. The use of dynamic bypass is cautioned.
ok
SGOS#(config) dynamic-bypass trigger all
ok
SGOS#(config)

#(config)error-pages

The error-pages command enables you to configure HTTP error pages.

Syntax

error-pages {no path | path url}

where:

error-pages – Permits download of customized HTTP error pages.

no path Sets the current error-pages path url setting to null.

path url Specifies the network path location (url) of the customized HTTP error pages.

Example

SGOS#(config) error-pages path http://download.bluecoat.com/errorpages.txt

#(config)event-log

You can configure the Security Appliance to log system events as they occur. Event logging allows you to specify the types of system events logged, the size of the event log, and to configure Syslog monitoring. The Security Appliance can also notify you by email if an event is logged.

Syntax

event-log

This changes the prompt to:

SGOS#(config event-log)

- subcommands-

option 1: exit

option 2: level {informational | resource | severe | verbose}

option 3: log-size megabytes

option 4: mail {add email_address | bluecoat-notify | clear | no {bluecoat-notify | smtp-gateway} | remove email_address | smtp-gateway domain_name}

option 5: show

option 6: syslog {disable | enable | facility {auth | daemon | kernel | local0 | local1 | local2 | local3 | local4 | local5 | local6 | local7 | lpr | mail | news | syslog | user | uucp} | loghost domain_name | no loghost}

option 7: when-full {overwrite | stop}

where:

event-log – Enables you to specify event log settings for a customized event log.

exit Exits configure event-log mode and returns you to configure mode.


level informational Writes severe, resource, and informational error messages to the event log.

level resource Writes severe and resource error messages to the event log.

level severe Writes only severe error messages to the event log.

level verbose Writes all error messages to the event log.

log-size megabytes Specifies the maximum size of the event log in megabytes.

mail add email_address Specifies an e-mail recipient for the event log output.

mail bluecoat-notify Specifies Blue Coat to be an additional recipient of the event log e-mail output.

mail clear Removes all e-mail recipients from the event log e-mail output distribution list.

mail no {bluecoat-notify | smtp-gateway} no bluecoat-notify specifies that Blue Coat does not receive event log e-mail output.

mail remove email_address Removes the e-mail recipient indicated by email_address from the event log e-mail output distribution list.

mail smtp-gateway {domain_name | IP_address} Specifies the SMTP gateway to use for event log e-mail output notifications.

Note: You must replace the default Blue Coat SMTP gateway with your gateway. If you do not have access to an SMTP gateway, you can use the Blue Coat gateway to send event messages to Blue Coat (the Blue Coat SMTP gateway will only send mail to Blue Coat; it will not forward mail to other domains).

syslog {disable | enable} Disables or enables the collection of system log messages.

syslog facility {auth | daemon | kernel | local0 | local1 | local2 | local3 | local4 | local5 | local6 | local7 | lpr | mail | news | syslog | user | uucp} Specifies the types of system log messages to be collected in the system log.

syslog loghost domain_name Specifies the host domain used for system log notifications.

syslog no loghost Clears the loghost setting.

when-full {overwrite | stop} Specifies what should happen to the event log when the maximum size has been reached. overwrite overwrites the oldest information in a FIFO manner; stop disables event logging.

Example

SGOS#(config) event-log
SGOS#(config event-log) syslog enable
ok
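The interaction between the level filter and the when-full setting decides which events survive on the box. The following is an added example, not code from the guide or the appliance: it nests the levels in the order the guide lists them (severe, then resource, then informational, then verbose, each admitting everything below it), models log-size as a count of entries instead of megabytes, and feeds in a constructed event stream so that overwrite and stop can be compared. The practical point it shows is that with stop, every event after the log fills is lost, which is why the size, or an external syslog loghost, matters when the log is relied on for security events.

```python
"""Model event-log `level` and `when-full` behaviour.

Added example, not from the Blue Coat guide. Assumptions: level names nest
as listed in the guide; capacity counts entries rather than megabytes.
"""
from collections import deque
from typing import Deque, List, Tuple

LEVELS = {"severe": 0, "resource": 1, "informational": 2, "verbose": 3}

Entry = Tuple[str, str]   # (severity, message)


class EventLog:
    def __init__(self, level: str = "informational", capacity: int = 4,
                 when_full: str = "overwrite") -> None:
        if level not in LEVELS:
            raise ValueError(f"unknown level {level!r}")
        if when_full not in ("overwrite", "stop"):
            raise ValueError("when-full must be 'overwrite' or 'stop'")
        self.level = LEVELS[level]
        self.when_full = when_full
        self.capacity = capacity
        self._entries: Deque[Entry] = deque()
        self.dropped = 0          # events discarded because logging stopped

    def log(self, severity: str, message: str) -> bool:
        """Store the event if it passes the level filter; return whether stored."""
        if LEVELS[severity] > self.level:
            return False                     # below the configured level
        if len(self._entries) >= self.capacity:
            if self.when_full == "stop":
                self.dropped += 1            # `when-full stop`: logging is off
                return False
            self._entries.popleft()          # `when-full overwrite`: FIFO
        self._entries.append((severity, message))
        return True

    def entries(self) -> List[Entry]:
        return list(self._entries)


# Constructed event stream for the demonstration.
SAMPLE_EVENTS: List[Entry] = [
    ("severe", "disk failure on slot 1"),
    ("informational", "admin login from 10.0.0.5"),
    ("verbose", "cache refresh pass complete"),
    ("resource", "memory low"),
    ("severe", "NTP servers unreachable"),
    ("informational", "policy file reloaded"),
]


def run(level: str, when_full: str, capacity: int = 3) -> Tuple[List[Entry], int]:
    """Replay SAMPLE_EVENTS through one configuration; return (kept, dropped)."""
    log = EventLog(level=level, capacity=capacity, when_full=when_full)
    for severity, message in SAMPLE_EVENTS:
        log.log(severity, message)
    return log.entries(), log.dropped


if __name__ == "__main__":
    print(run("informational", "overwrite"))   # newest three kept, 0 dropped
    print(run("informational", "stop"))        # oldest three kept, 2 dropped
    print(run("severe", "overwrite"))          # only the two severe events
```

In the stop configuration the "policy file reloaded" and second severe event never reach the log; in the overwrite configuration the "disk failure" event has already been rotated out by the time anyone looks. Neither is a substitute for forwarding to a syslog loghost.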

#(config)exit

Exits from Configuration mode to Privileged mode, from Privileged mode to Standard mode. From Standard mode, the exit command closes the CLI session.

Syntax

exit

The exit command does not have any parameters or subcommands.

#(config)forwarding

When forwarding content requests, the Security Appliance supports the use of default and backup hosts and host groups. You must add each host and group to use in forwarding content requests. To define a group, add a host and use the group= subcommand to add a group. Add up to 512 hosts and up to 32 groups.

After adding forwarding hosts and groups, you must define which acts as a default and which acts as a backup.

The Security Appliance performs health checks with one or more forwarding hosts. When the Security Appliance performs a health check, it determines whether the host returns a response and is available to fulfill a content request. A positive health check indicates (1) that there is an end-to-end connection and (2) that the host is up and running and will most likely be able to return a response.

With multiple forwarding hosts, health checks are important to the Security Appliance. When hosts respond positively to health checks, the Security Appliance can forward requests to those hosts, rather than to an unavailable host, and the Security Appliance can more quickly fulfill content requests. With a single forwarding host, it is still important for the Security Appliance to use health checks to detect whether the host is available.
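The selection rule the paragraphs above describe (prefer a host that passed its health check; default before backup; a group forwards to any healthy member) is shown below as an added example, not code from the guide or the appliance. The hosts are the ones from the guide's own forwarding example plus a constructed backup host; rotating round-robin among healthy group members and the shape of the health-check results are assumptions of this example, and the 512-host and 32-group limits are the ones the guide states.

```python
"""Choose a forwarding host from default/backup hosts and groups by health.

Added example, not from the Blue Coat guide. Round-robin inside a group and
the health_check() input format are assumptions of this example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class ForwardHost:
    name: str
    port: int
    protocol: str = "http"     # ftp | http, as in the add subcommand
    role: str = "default"      # default | backup | group=<name>
    healthy: bool = True       # last health-check result


@dataclass
class Forwarding:
    MAX_HOSTS = 512            # limits stated in the guide
    MAX_GROUPS = 32
    hosts: Dict[str, ForwardHost] = field(default_factory=dict)
    _rr: Dict[str, int] = field(default_factory=dict)   # round-robin cursors

    def groups(self) -> List[str]:
        return sorted({h.role[6:] for h in self.hosts.values() if h.role.startswith("group=")})

    def add(self, host: ForwardHost) -> None:
        """`add hostname port [ftp|http] [default|backup|group=name]`."""
        if host.name not in self.hosts and len(self.hosts) >= self.MAX_HOSTS:
            raise ValueError("too many forwarding hosts")
        if host.role.startswith("group="):
            group = host.role[6:]
            if group not in self.groups() and len(self.groups()) >= self.MAX_GROUPS:
                raise ValueError("too many forwarding groups")
        self.hosts[host.name] = host

    def health_check(self, results: Dict[str, bool]) -> None:
        """Apply health-check outcomes (the appliance probes at layer 3, 4 or 7;
        here the results are supplied as constructed data)."""
        for name, ok in results.items():
            if name in self.hosts:
                self.hosts[name].healthy = ok

    def _healthy(self, role: str) -> List[ForwardHost]:
        return [h for h in self.hosts.values() if h.role == role and h.healthy]

    def select(self, group: Optional[str] = None) -> Optional[str]:
        """Host to forward to, or None when nothing suitable is up."""
        if group is not None:
            members = self._healthy(f"group={group}")
            if not members:
                return None
            i = self._rr.get(group, 0) % len(members)
            self._rr[group] = i + 1
            return members[i].name
        for role in ("default", "backup"):
            candidates = self._healthy(role)
            if candidates:
                return candidates[0].name
        return None


def build_sample() -> Forwarding:
    """Hosts from the guide's forwarding example, plus a constructed backup."""
    fw = Forwarding()
    fw.add(ForwardHost("www.bluecoat.com", 80, "http", "default"))
    fw.add(ForwardHost("www.server1.com", 80, "http", "group=proxy"))
    fw.add(ForwardHost("www.server2.com", 80, "ftp", "group=proxy"))
    fw.add(ForwardHost("www.server3.com", 80, "http", "group=proxy"))
    fw.add(ForwardHost("backup.example.net", 80, "http", "backup"))  # constructed
    return fw


def walkthrough() -> List[Optional[str]]:
    fw = build_sample()
    out = [fw.select()]                                  # default host is up
    fw.health_check({"www.bluecoat.com": False})
    out.append(fw.select())                              # fall back to backup
    out += [fw.select("proxy"), fw.select("proxy")]      # round-robin in group
    fw.health_check({"www.server2.com": False})
    out.append(fw.select("proxy"))                       # failed member skipped
    fw.health_check({"backup.example.net": False})
    out.append(fw.select())                              # nothing healthy: None
    return out


if __name__ == "__main__":
    print(walkthrough())
```

A None from select() is the case the last paragraph warns about: with no healthy host the appliance cannot forward, so even a single-host deployment needs the health check to notice that its one host is down rather than queueing requests against it.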

Syntax

forwarding

This changes the prompt to:

SGOS#(config forwarding)

- subcommands-

option 1: add hostname port [ftp | http] [deferred] [socks] [default | backup | group=groupname] [allow_credentials]

option 2: delete {all | group groupname | host hostname}


option 3: download-via-forwarding {disable | enable}

option 4: exit

option 5: health-check {failcount count | interval seconds | pause | resume | type {layer-3 | layer-4 | layer-7 object} | send-pnc {enable | disable}}

option 6: rules {deny | direct | group | host | view}

option 7: set name

option 8: show

option 9: view

where:

forwarding – Enables you to configure advanced forwarding settings, including download-via-forwarding, health check, and load balancing status, and the definition of forwarding hosts/groups and advanced forwarding rules.

add hostname Indicates that the host identified by hostname should be added to the forwarding group. Use the group= subcommand to add a group. Add up to 512 hosts and up to 32 groups.

port Specifies the port number associated with hostname.

[ftp | http] Indicates whether the host identified by hostname uses FTP or HTTP.

[deferred] Specifies to use the relative path for URLs in the HTTP header because the next hop is a Web server, not a proxy server.

[socks] Indicates that the host identified by hostname uses the SOCKS protocol.

[default | backup | group=groupname]

default indicates that hostname be the default host for forwarding; backup indicates that it should be the backup forwarding host. Use the group=groupname subcommand to add a group. Up to 512 forwarding hosts and up to 32 forwarding groups are permitted.

[allow_credentials] Allows credentials (in HTTP headers) to be passed to another proxy.

delete group groupname Deletes only the group identified by groupname.

host hostname Deletes only the host identified by hostname.

all Deletes all hosts, groups, and rules.

download-via-forwarding {enable | disable} Enables or disables configuration file downloading using forwarding.


Example

SGOS#(config) forwarding
SGOS#(config forwarding) delete all
ok
SGOS#(config forwarding) download-via-forwarding disable
ok
SGOS#(config forwarding) add www.bluecoat.com 80 http default
ok
SGOS#(config forwarding) add www.server1.com 80 http group=proxy
ok
SGOS#(config forwarding) add www.server2.com 80 ftp group=proxy
ok
SGOS#(config forwarding) add www.server3.com 80 http group=proxy
ok
SGOS#(config forwarding) rules direct
SGOS#(config forwarding direct) add domain companyA.com
ok
SGOS#(config forwarding direct) add ip 1.2.3.4
ok

health-check failcount count Specifies the number of failed health-checks tolerated.

interval seconds Specifies the number of seconds between health checks.

pause Temporarily halts health-checking.

resume Resumes health-checking after a pause command.

type {layer-3 | layer-4 | layer-7 object} Determines the layer of health-checking.

send-pnc {enable | disable} Enables sending Pragma: no-cache for health checks.

rules direct {add | delete | exit | view}

Manages forwarding rules that direct addresses out to the network without passing through the Security Appliance.

deny {add | delete | exit | view}

Manages forwarding rules that instruct the Security Appliance to deny access to specific addresses.

group group_name Adds forwarding rules to a forwarding group.

host host_name Adds forwarding rules to a forwarding host.

view View all rules for the specified host or group.

set group name {default | backup}

Specifies a forwarding group to be the default or backup group.

host name port {default | backup}

Specifies a forwarding host to be the default or backup host.

view Displays the currently defined forwarding groups or hosts.


SGOS#(config forwarding direct) add url http://.*companyB.*
ok
SGOS#(config forwarding direct) exit
SGOS#(config forwarding) rules host www.bluecoat.com 80
SGOS#(config forwarding www.bluecoat.com:80) delete rules
ok
SGOS#(config forwarding www.bluecoat.com:80) exit
SGOS#(config forwarding) rules group proxy
SGOS#(config forwarding proxy) add domain proxy.com
ok
SGOS#(config forwarding proxy) exit
SGOS#(config forwarding) exit
SGOS#(config)

#(config)health-check
Use this command to configure ICAP and Websense 4 offbox health checks.

Syntax

health-check

This changes the prompt to:

SGOS#(config health-check)

- subcommands-

option 1: add

option 2: delete

option 3: edit

option 4: show

option 5: statistics

option 6: view

option 7: exit

where:

health-check – Enables you to configure an ICAP or Websense 4 health check.

add name Adds a health check configuration specified by name.

delete name Deletes the specified health check.

edit name Enables edit mode to configure the health check.

failure-trigger trigger Sets the failure count that triggers a health-check. Range is 0 to 65535; the default is 0.

type {icap | websense4-offbox} Specifies the type of health check for this service.


Example

SGOS# (config) health-check
SGOS# (config health-check) add hc1
SGOS# (config health-check) edit hc1
SGOS# (config health-check hc1) type layer-3
SGOS# (config health-check hc1) layer-3 foo
SGOS# (config health-check hc1) interval healthy 30
SGOS# (config health-check hc1) interval sick 15
SGOS# (config health-check hc1) threshold healthy 20
SGOS# (config health-check hc1) failure-trigger 5

#(config)hide-advanced
Use this command to hide and disable advanced commands.

Syntax

hide-advanced {all | expand | tcp-ip}

icap | websense4-offbox service_name

Specifies the name of the service that receives health checks.

websense4-offbox default-url | test-url

Specifies the name of the URL used to obtain box status upon bootup.

interval {healthy | sick} seconds

Specifies the seconds between health checks on servers that have been determined to be healthy or sick. The default is 10.

threshold {healthy | sick} attempts

Specifies the number of attempts before a server is considered healthy or sick. The range is 1 to 65535; the default is 1.

notify Enables email notification of state changes.

perform-health-check Performs an instant health check on the service.

statistics Displays health check statistics for the service.

view Displays the health check configuration for the service.

show health-check Displays health check settings for layer-3 and layer-4 types. This setting does not display ICAP or Websense 4 settings.

statistics Displays statistics for all configured health checks.

view Displays the current health-check configurations for ICAP and Websense 4 types.


where:

Example

SGOS#(config) hide-advanced all ok

#(config)hostname
Use this command to assign a name to a Security Appliance. Any descriptive name that helps identify the system will do.

Syntax

hostname name

where:

Example

SGOS#(config) hostname "Blue Coat Demo" ok

#(config)http
Use this command to configure HTTP settings.

Syntax

option 1: http add-header client-ip

option 2: http add-header via

option 3: http add-header x-forwarded-for

option 4: http byte-ranges

option 5: http cache authenticated-data

option 6: http cache expired

option 7: http cache personal-pages

option 8: http cache reverse-dns

hide-advanced – Enables the system administrator to hide and disable certain advanced commands.

all Disables all expanded, HTTP, and TCP/IP advanced commands.

expand Disables all expanded advanced commands.

tcp-ip Disables all TCP/IP advanced commands.

hostname – Configures hostname, IP address, and type.

name Associates name with the current Security Appliance.


option 9: http force-ntlm

option 10: http ftp-proxy-url

option 11: http no add-header client-ip

option 12: http no add-header via

option 13: http no add-header x-forwarded-for

option 14: http no byte-ranges

option 15: http no cache authenticated-data

option 16: http no cache expired

option 17: http no cache personal-pages

option 18: http no cache reverse-dns

option 19: http no force-ntlm

option 20: http no parse meta-tag expires

option 21: http no persistent client

option 22: http no persistent server

option 23: http no pipeline client requests

option 24: http no pipeline client redirects

option 25: http no pipeline prefetch requests

option 26: http no pipeline prefetch redirects

option 27: http no proprietary-headers bluecoat

option 28: http no strict-expiration refresh

option 29: http no strict-expiration serve

option 30: http no strip-from-header

option 31: http no substitute conditional

option 32: http no substitute ie-reload

option 33: http no substitute if-modified-since

option 34: http no substitute pragma-no-cache

option 35: http parse meta-tag expires

option 36: http persistent client

option 37: http persistent server

option 38: http persistent-timeout client num_seconds

option 39: http persistent-timeout server num_seconds

option 40: http pipeline client requests

option 41: http pipeline client redirects

option 42: http pipeline prefetch requests

option 43: http pipeline prefetch redirects

option 44: http proprietary-headers bluecoat

option 45: http receive-timeout client num_seconds


option 46: http receive-timeout server num_seconds

option 47: http receive-timeout refresh num_seconds

option 48: http strict-expiration refresh

option 49: http strict-expiration serve

option 50: http strip-from-header

option 51: http substitute conditional

option 52: http substitute ie-reload

option 53: http substitute if-modified-since

option 54: http substitute pragma-no-cache

option 55: http upload-with-pasv

option 56: http version 1.0

option 57: http version 1.1

where:

http –

add-header client-ip Adds the client-ip header to forwarded requests.

via Adds the via header to forwarded requests.

x-forwarded-for Adds the x-forwarded-for header to forwarded requests.

byte-ranges Enables HTTP byte range support.

cache {authenticated-data | expired | personal-pages | reverse-dns}

authenticated-data caches any data that appears to be authenticated. expired retains cached objects older than the explicit expiration. personal-pages caches objects that appear to be personal pages. reverse-dns stores objects under the name of the associated host instead of the IP address.

force-ntlm Uses NTLM for Microsoft Internet Explorer proxy.

no parameter Negates the specified command.

parse meta-tag expires

Parses HTML objects for the "expires" meta-tag.

persistent {client | server} Enables support for persistent client requests (from the browser) or persistent server requests (to the Web server).

persistent-timeout {client num_seconds | server num_seconds}

Sets persistent connection timeout for the client or the server to num_seconds.


Example

SGOS#(config) http version 1.1
ok
SGOS#(config) http byte-ranges
ok
SGOS#(config) http no force-ntlm
ok
SGOS#(config)

#(config)https
Use this command to configure HTTPS options.

Note: These commands are not available through a telnet session.

pipeline client {redirects | requests}

Prefetches either embedded objects in client requests or redirected responses to client requests.

prefetch {redirects | requests}

Prefetches either embedded objects in pipelined objects or redirected responses to pipelined requests.

proprietary-headers bluecoat

Enables Blue Coat's proprietary HTTP header extensions.

receive-timeout {client num_seconds | refresh num_seconds | server num_seconds}

Sets receive timeout for client, server, or refresh to num_seconds.

strict-expiration refresh | serve Forces compliance with explicit expirations by either never refreshing objects before their explicit expiration or never serving objects after their explicit expiration.

strip-from-header Removes HTTP information from headers.

substitute {conditional | ie-reload | if-modified-since | pragma-no-cache}

Replaces complex requests with a simple "get." conditional uses an HTTP "get" instead of an HTTP 1.1 conditional get. ie-reload uses an HTTP "get" for Microsoft Internet Explorer reload requests. if-modified-since uses an HTTP "get" instead of "get-if-modified." pragma-no-cache uses an HTTP "get" instead of "get pragma: no-cache."

upload-with-pasv {disable | enable} Enables or disables uploading with Passive FTP.

version {1.0 | 1.1} Indicates the version of HTTP that should be used by the Security Appliance.


Syntax

https

This changes the prompt to:

SGOS#(config https)

- subcommands-

option 1: create certificate keyringID

option 2: create console-map keyringID

option 3: create keyring {show | no-show} keyringID [key_length]

option 4: create signing-request keyringID

option 5: delete ca-certificate name

option 6: delete certificate keyringID

option 7: delete console-map

option 8: delete keyring keyringID

option 9: delete signing-request keyringID

option 10: import ca-certificate name

option 11: import certificate keyringID

option 12: import keyring {no-show keyringID | show keyringID}

option 13: import signing-request keyringID

option 14: set cipher-suite console-map

option 15: view ca-certificate name

option 16: view certificate keyringID

option 17: view cipher-suite console-map

option 18: view console-map

option 19: view keypair {des keyringID | des3 keyringID | unencrypted keyringID}

option 20: view keyring keyringID

option 21: view send-client-ip

option 22: view signing-request keyringID

option 23: view ssl-nego-timout

option 24: view summary ca-certificate name

where:

https create – Creates keypairs, certificates, and signing requests.

certificate keyringID Creates a certificate using the named keyring.

console-map keyringID Creates a console map using the named keyring.


keyring {show | no-show} keyringID [key_length] Creates a keyring whose keypair is "showable" (show) or "non-showable" (no-show). key_length indicates the length of the key.

signing-request keyringID Creates a certificate signing request.

https delete – Deletes keypairs, certificates, and signing requests.

ca-certificate name Deletes the named Certificate Authority certificate.

certificate keyringID Deletes the certificate identified by keyringID.

console-map Deletes the console map.

keyring keyringID Deletes the keyring specified by keyringID.

signing-request keyringID Deletes the certificate signing request identified by keyringID.

https import – Enables you to import keypairs, certificates, and signing requests.

ca-certificate name Imports the named Certificate Authority certificate.

certificate keyringID Imports the certificate identified by keyringID.

keyring {no-show keyringID | show keyringID}

Imports the "show" or "no show" keyring identified by keyringID.

signing-request keyringID Imports the certificate signing request identified by keyringID.

https set – Sets cipher suites. SSL supports a variety of alternate encryption protocols for communication called cipher suites. A cipher suite names:

• the type of certificate,

• the type of encryption that should be used,

• the type of signature algorithm (hash) that should be used.

cipher-suite console-map Specifies that the cipher suite defined in the console map should be used.

https view – Enables you to view keypairs, certificates, and signing requests.

view ca-certificate name Displays the named Certificate Authority certificate.

certificate keyringID Displays the certificate identified by keyringID.

cipher-suite console-map Displays the cipher suite named in the console map.

console-map Displays the management console map.

keypair {des keyringID | des3 keyringID | unencrypted keyringID}

Displays the Data Encryption Standard (DES), triple-DES, or unencrypted keypair associated with the named keyring.

keyring keyringID Displays the keyring associated with the named keyringID.

send-client-ip Displays the send-client-ip status.


#(config)icap
Use this command to configure the ICAP service used to integrate the Security Appliance with a virus scanning server. The configuration is specific to the virus scanning server and includes the server IP address, as well as the supported number of connections. If you are using the Security Appliance with multiple virus scanning servers or multiple scanning services on the same server, add an ICAP service for each server or scanning service.

Note: When you define virus scanning policies, use the same service name. Make sure you type the ICAP service name accurately, whether you are configuring the service on the Security Appliance or defining policies since the name retrieves the other configuration settings for that service.

Syntax

icap

This changes the prompt to:

SGOS#(config icap)

- subcommands-

option 1: clusters

option 2: services

option 3: exit

where:

signing-request keyringID Displays the certificate-signing request associated with keyringID.

ssl-nego-timout Displays the SSL negotiation timeout period status.

summary ca-certificate name Displays a summary of the Certificate Authority certificate commands used in this session for name.

icap – Enables you to configure the ICAP service used to integrate the Security Appliance with a virus scanning server.

clusters {add | delete | edit | view} cluster_name Manages ICAP clusters.

services

add service_name Adds the ICAP service identified by service_name.

delete service_name Deletes the ICAP service identified by service_name.

edit service_name methods Sets the method (REQMOD or RESPMOD).


Example

SGOS#(config) icap
SGOS#(config icap) services
SGOS#(config icap services) add virusservice1
ok
SGOS#(config icap services) edit virusservice1
SGOS#(config icap services virusservice1) url http://10.1.1.1:1344
SGOS#(config icap services virusservice1) icap-version 1.0
SGOS#(config icap services virusservice1) method RESPMOD
SGOS#(config icap services virusservice1) sense-settings
SGOS#(config icap services virusservice1) exit
SGOS#(config icap services) exit
SGOS#(config icap) clusters
SGOS#(config icap clusters) add virusscancluster1
ok
SGOS#(config icap clusters) edit virusscancluster1
SGOS#(config icap clusters virusscancluster1) add virusservice1
ok
SGOS#(config icap clusters virusscancluster1) exit
SGOS#(config icap clusters) exit
SGOS#(config icap)

#(config)icp
ICP is a caching communication protocol. It allows a cache to query other caches for an object, without actually requesting the object. By using ICP, the Security Appliance determines if the object is available from a neighboring cache, and which Security Appliance will provide the fastest response.

icap-version Sets the ICAP version (1.0 or 0.95).

max-conn max_num_connections Sets the maximum number of connections.

preview-size bytes Sets how many bytes are previewed by the ICAP server to determine if a content transformation is required.

sense-settings Contacts the ICAP server and automatically configures the ICAP service. Note: applies to v1.0 only; the ICAP method must already be specified.

timeout seconds Sets the timeout value.

url url Specifies the URL of the ICAP server.

vendor {generic | symantec | trendmicro}

Specifies the ICAP vendor.

version version Specifies the ICAP service pattern version.

view Displays the current ICAP configurations.



Once you have created the ICP or advanced forwarding configuration file, place the file on an FTP or HTTP server so it can be downloaded to the Security Appliance.

Syntax

icp {no path | path url}

where:

Example

SGOS#(config) icp path 10.25.36.47/files/icpconfig.txt ok

#(config)identd
IDENTD implements the TCP/IP IDENT user identification protocol. IDENTD operates by looking up specific TCP/IP connections and returning the user name of the process owning the connection.

Syntax

identd

This changes the prompt to:

SGOS#(config identd)

-subcommands-

option 1: disable

option 2: enable

option 3: exit

option 4: show

where:

Example

SGOS#(config) identd
SGOS#(config identd) enable
ok

icp – Specifies an ICP configuration file.

no path Negates the path previously set using the command icp path url.

path url Specifies the network location of the ICP configuration file to download.

identd – Configure identd.

disable Disables IDENTD.

enable Enables IDENTD.


#(config)inline
There are two ways to create a configuration file for your Security Appliance. You can use the SGOS inline command or you can create a text file to house the configuration commands.

If you choose to configure using the inline command, refer to the example below:

SGOS# configure terminal
SGOS#(config) inline wccp token
.
.
.
endtoken

Where token marks the end of the inline commands.

If you choose to create a configuration file, be sure to assign the file the extension .txt. Use a text editor to create this file, noting the following Security Appliance configuration file rules:

• Only one command (and any associated parameters) permitted, per line

• Comments must begin with a semicolon (;)

• Comments can begin in any column; however, all characters from the beginning of the comment to the end of the line are considered part of the comment and, therefore, are ignored

When entering input for the inline command, you can correct mistakes on the current line using the backspace key. If you detect a mistake in a line that has already been terminated using the Enter key, you can abort the inline command by typing Ctrl-C. If the mistake is detected after you terminate input to the inline command, type the same inline command again but with the correct configuration information. The corrected information replaces the information from the last inline command.

The end-of-input marker is an arbitrary string chosen by you to mark the end of input for the current inline command. The string can be composed of standard characters and numbers, but cannot contain any spaces, punctuation marks, or other symbols.

Take care to choose a unique end-of-input string that does not match any string of characters in the configuration information.
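The configuration file rules and the end-of-input marker rules above, applied as an added example (not Blue Coat code) that checks a .txt configuration file and a marker before they are fed to inline. The sample file is constructed; only wccp enable comes from the manual's own example, the other lines are hypothetical, and treating a marker that occurs anywhere inside a command line as unsafe is a deliberately strict assumption.

```python
import re
from typing import List, Tuple

# Marker rule: standard characters and numbers only; no spaces, punctuation or symbols.
MARKER_RE = re.compile(r"^[A-Za-z0-9]+$")


def strip_comment(line: str) -> str:
    """Drop everything from the first ';' to the end of the line.
    Comments may begin in any column, so the ';' need not be first."""
    idx = line.find(";")
    return (line if idx < 0 else line[:idx]).rstrip()


def parse_config_file(text: str) -> List[str]:
    """Return the commands of a configuration file, one per line, comments removed.
    Blank and comment-only lines carry no command and are skipped."""
    commands = []
    for raw in text.splitlines():
        cmd = strip_comment(raw).strip()
        if cmd:
            commands.append(cmd)
    return commands


def check_marker(marker: str, commands: List[str]) -> Tuple[bool, str]:
    """Validate an end-of-input marker against the rules in the text.
    Assumption: a marker found inside any command line is rejected, which is
    stricter than necessary but can never end the input early."""
    if not MARKER_RE.match(marker):
        return False, "marker must contain only letters and digits"
    for cmd in commands:
        if marker in cmd:
            return False, "marker %r appears in command %r" % (marker, cmd)
    return True, "ok"


def build_inline(section: str, marker: str, commands: List[str]) -> str:
    """Assemble the console input for 'inline <section> <marker> ... <marker>'.
    Raises ValueError instead of producing input that would be mis-terminated."""
    ok, why = check_marker(marker, commands)
    if not ok:
        raise ValueError(why)
    return "\n".join(["inline %s %s" % (section, marker)] + commands + [marker])


# Constructed sample configuration file (hypothetical WCCP lines after the first).
SAMPLE = """; wccp settings for the branch proxy
wccp enable            ; one command per line
wccp version 2
service-group 0 ; a comment can start in any column
"""

if __name__ == "__main__":
    cmds = parse_config_file(SAMPLE)
    print(build_inline("wccp-settings", "eof", cmds))
```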

Syntax

option 1: inline accelerated-pac eof_marker

option 2: inline bypass-list central eof_marker

option 3: inline bypass-list local eof_marker

option 4: inline error-pages eof_marker

option 5: inline forwarding eof_marker

option 6: inline icp-settings eof_marker

option 7: inline policy central eof_marker

option 8: inline policy local eof_marker

option 9: inline policy vpm-cpl eof_marker

option 10: inline policy xml-cpl eof_marker


option 11: inline rip-settings eof_marker

option 12: inline static-route-table eof_marker

option 13: inline streaming real-media eof_marker

option 14: inline wccp-settings eof_marker

where:

inline – Enables you to add or edit configuration commands using the CLI instead of a distinct configuration file.

accelerated-pac eof_marker Creates and installs an accelerated PAC file using the console input commands you enter between accelerated-pac eof_marker and the next eof_marker.

bypass-list {central | local} eof_marker

Creates and installs a bypass list file using the console input commands you enter between bypass-list central or local eof_marker and the next eof_marker.

error-pages eof_marker Creates and installs HTTP error pages using the console input commands you enter between error-pages eof_marker and the next eof_marker.

forwarding eof_marker Creates and installs forwarding configurations using the console input commands you enter between forwarding eof_marker and the next eof_marker.

icp-settings eof_marker Creates and installs an ICP settings file using the console input commands you enter between icp-settings eof_marker and the next eof_marker.

policy {central | local | vpm-cpl | xml-cpl} eof_marker

Creates and installs a policy file using the console input commands you enter between policy central, local, vpm-cpl, or xml-cpl eof_marker and the next eof_marker.

rip-settings eof_marker Creates and installs a RIP settings file using the console input commands you enter between rip-settings eof_marker and the next eof_marker.

static-route-table eof_marker Creates and installs a static route table file using the console input commands you enter between static-route-table eof_marker and the next eof_marker.


Example

SGOS#(config) inline wccp-settings eof
wccp enable
...
eof
ok

#(config)installed-systems
Use this command to manage the list of installed Security Appliance systems.

Syntax

installed-systems

This changes the prompt to:

SGOS#(config installed-systems)

-subcommands-

option 1: default system_number

option 2: delete system_number

option 3: exit

option 4: lock system_number

option 5: no {lock system_number | replace}

option 6: replace system_number

where:

streaming real-media eof_marker Creates and installs a streaming configuration file using the console input commands you enter between streaming real-media eof_marker and the next eof_marker.

wccp-settings eof_marker Creates and installs a WCCP settings file using the console input commands you enter between wccp-settings eof_marker and the next eof_marker.

installed-systems – Configures Security Appliance system information such as version and release numbers, boot and lock status, and timestamp information.

default system_number Sets the default system to the system indicated by system_number.

delete system_number Deletes the system indicated by system_number.


Example

SGOS#(config) installed-systems
SGOS#(config installed-systems) default 2
ok
SGOS#(config installed-systems) lock 1
ok
SGOS#(config installed-systems) exit
SGOS#(config)

Note: To view the currently installed Security Appliance systems, use the show installed-systems command.

#(config)interface fast-ethernet
This command enables you to configure the network interfaces.

The built-in Ethernet adapter is configured for the first time using the setup console. If you want to modify the built-in adapter configuration, or if you have multiple adapters, you can configure each one using the command-line interface.

Syntax

interface fast-ethernet interface_num

This changes the prompt to:

SGOS#(config interface x)

- subcommands-

option 1: accept-inbound

option 2: full-duplex

exit Exits configure installed-system mode and returns you to configure mode.

lock system_number Locks the system indicated by system_number.

no lock system_number Unlocks the system indicated by system_number if it is currently locked.

replace Specifies that the system currently tagged for replacement should not be replaced. The default replacement will be used (oldest unlocked system).

replace system_number Specifies that the system identified by system_number is to be replaced next.

fast-ethernet interface_num Sets the number of the fast Ethernet connection to interface_num. Valid values for interface_num are 0 through 3, inclusive.


option 3: half-duplex

option 4: ip-address ip_address

option 5: instructions {proxy | default-pac | central-pac url | accelerated-pac}

option 6: link-autosense

option 7: mtu-size

option 8: no {accept-inbound | link-autosense}

option 9: show

option 10: speed {10 | 100}

option 11: subnet-mask mask

where:

Example

SGOS#(config) interface 0
SGOS#(config interface 0) ip-address 10.252.10.54
ok
SGOS#(config interface 0) instructions accelerated-pac
ok
SGOS#(config interface 0) subnet-mask 255.255.255.0
ok
SGOS#(config interface 0) exit
SGOS#(config) interface 1
SGOS#(config interface 1) ip-address 10.252.10.72
ok
SGOS#(config interface 1) subnet-mask 255.255.255.0

interface fast-ethernet –

accept-inbound Permits inbound connections to this interface.

full-duplex Configures this interface for full duplex.

half-duplex Configures this interface for half duplex.

ip-address ip_address Sets the IP address for this interface to ip_address.

instructions {proxy | default-pac | central-pac url | accelerated-pac}

Configures for the specified client proxy instructions.

link-autosense Specifies that the interface should autosense speed and duplex.

mtu-size

no {accept-inbound | link-autosense}

Negates the current accept-inbound or link-autosense settings.

show Displays running system information.

speed {10 | 100} Specifies the interface speed.

subnet-mask mask Sets the subnet mask for the interface.


ok
SGOS#(config interface 1) exit
SGOS#(config)

#(config)ip-default-gateway
A key feature of the Security Appliance is the ability to distribute traffic originating at the cache through multiple IP gateways. Further, you can fine tune how the traffic is distributed among gateways. This feature works with any routing protocol (for example, static routes or RIP).

Note: Load balancing through multiple IP gateways is independent from the per-interface load balancing that the Security Appliance automatically does when more than one network interface is installed.

Syntax

ip-default-gateway ip_address {preference group (1-10)} {weight (1-100)}

where:

Example

SGOS#(config) ip-default-gateway 10.25.36.47

#(config)line-vty

When you have a Telnet session to the CLI, that session will remain open as long as there is activity. If you leave the session idle, the connection will eventually time out and you will have to reconnect. The default timeout is five minutes. You can set the timeout and other session-specific options using the line-vty command.

Syntax

line-vty

This changes the prompt to:

SGOS#(config line-vty)

- subcommands-

option 1: exit

option 2: length num_lines_on_screen

option 3: show

option 4: telnet {no transparent | transparent}

ip-default-gateway – Enables you to configure default IP gateway IP address, weight, and group membership for the default gateway.

ip_address Specifies the IP address of the default gateway to be used by the Security Appliance.

{preference group (1-10)}

{weight (1-100)}


option 5: timeout minutes

where:

Example

SGOS#(config) line-vty
SGOS#(config line-vty) timeout 60
ok

#(config)load
Use this command to load specific configuration or settings files.

Syntax

option 1: load accelerated-pac

option 2: load bypass-list central

option 3: load bypass-list local

option 4: load error-pages

option 5: load forwarding

option 6: load icp-settings

option 7: load policy central

option 8: load policy local

option 9: load rip-settings

option 10: load static-route-table

option 11: load streaming real-media

option 12: load upgrade

line-vty –

exit Returns you to the config prompt.

length num_lines_on_screen Specifies the number of lines of code that should appear on the screen at once. Specify 0 to scroll without pausing.

show Displays running system information.

telnet {no transparent | transparent}

Indicates that this is a Telnet protocol-specific configuration. If you specify no transparent, carriage returns are sent to the console as a carriage return plus linefeed. If you specify transparent, carriage returns are sent to the console as a carriage return.

timeout minutes Sets the line timeout to the number of minutes indicated by minutes.

Page 93: Sgos Cli Guide 2-1-09

Chapter 3: Privileged Mode Configure Commands

93

option 13: load wccp-settings

where:

Example

SGOS#(config) load bypass-list central ok

#(config)management-portThis command sets the IP port to which the Security Appliance listens for Web console connections.

Syntax

management-port {port_number | protocol {http | https}}

where:

Example

SGOS#(config) management-port 8086ok

load – Loads any of various ancillary configuration files.

accelerated-pac Downloads a new accelerated PAC file.

bypass-list {central | local} Downloads either a new central or local bypass list file.

error-pages Downloads a new error pages file.

forwarding Downloads a new forwarding configuration file.

icp-settings Downloads a new ICP settings file.

policy {central | local | vpm-software}

Downloads either a new central, a local policy file, or a new version of the VPM.

rip-settings Downloads a new RIP settings file.

static-route-table Downloads a new static route table.

streaming {real-media | windows-media}

Downloads either a new RealNetworks or Windows media file.

upgrade Downloads a new system image.

wccp-settings Downloads a new WCCP configuration file.

management-port – Names the management port to use for the Security Appliance and the protocol to use.

port_number Specifies the port number to use for the Security Appliance.

protocol {http | https} Specifies the protocol for the management console port.


#(config)netbios

Use this command to configure NETBIOS.

Syntax

option 1: netbios {enable | disable}

#(config)no

Use this command to negate the current settings for the archive configuration, content priority, IP default gateway, SOCKS machine, or system upgrade path.

Syntax

option 1: no archive-configuration

option 2: no content priority regex regex

option 3: no content {priority {regex regex | url url} | outstanding-requests {delete | priority | revalidate} regex}

option 4: no ip-default-gateway ip_address

option 5: no socks-machine-id

option 6: no upgrade-path

where:

no – Negates certain configuration settings.

archive-configuration Clears the archive configuration upload site.

content priority {regex regex | url url}

Removes a deletion regular expression policy or a deletion URL policy.

outstanding-requests {delete | priority | revalidate} regex

Deletes a specific, regular expression command in-progress (revalidation, priority, or deletion).

ip-default-gateway ip_address Sets the default gateway IP address to zero.

socks-machine-id Removes the SOCKS machine ID from the configuration.

upgrade-path Clears the upgrade image download path.

Example

SGOS#(config) no archive-configuration
  ok
SGOS#(config) no content priority
  % Type no content priority ? for a list of subcommands
SGOS#(config) no content priority ?
  regex   Remove a deletion regular expression policy.
  url     Remove a deletion URL policy.
SGOS#(config) no content priority regex http://.*cnn.com
  ok
SGOS#(config) no content priority url http://www.bluecoat.com
  ok
SGOS#(config) no ip-default-gateway 10.252.10.50
  ok
SGOS#(config) no socks-machine-id
  ok
SGOS#(config) no upgrade-path
  ok

#(config)ntp

Use this command to set NTP parameters. Network Time Protocol (NTP) is a protocol that is used to synchronize computer clock times in a network of computers. The Security Appliance sets the UTC time by connecting to an NTP server. The Security Appliance includes a list of NTP servers available on the Internet. If an NTP server is not available, you can set the time manually using the Management Console.

Syntax

ntp {clear | disable | enable | no server domain_name | server domain_name}

where:

ntp – Specifies the status and name of the NTP server.

clear Removes all entries from the NTP server list.

disable Disables NTP.

enable Enables NTP.

no server domain_name Removes the NTP server named domain_name from the NTP server list.

server domain_name Adds the NTP server named domain_name to the NTP server list.

Example

SGOS#(config) ntp server clock.tricity.wsu.edu
  ok

#(config)policy

Use this command to specify central and local policy file location, status, and other options.

Syntax

option 1: policy central-path url

option 2: policy local-path url

option 3: policy no central-path

option 4: policy no local-path

option 5: policy no notify

option 6: policy no subscribe

option 7: policy no vpm-software

option 8: policy notify

option 9: policy order

option 10: policy poll-interval minutes

option 11: policy poll-now

option 12: policy proxy-default

option 13: policy reset

option 14: policy subscribe

option 15: policy vpm-software

where:

policy – Specifies central and local policy file location and status.

central-path url Specifies the network path (indicated by url) from which the central policy file may be downloaded.

local-path url Specifies the network path (indicated by url) from which the local policy file may be downloaded.

no {central-path | local-path | notify | subscribe | vpm-software}

For central-path or local-path, specifies that the current central or local policy file URL setting should be cleared. For notify, specifies that no e-mail notification should be sent if the central policy file changes. For subscribe, specifies that the current policy should not be automatically updated when the central policy changes. For vpm-software, clears the network path used to download VPM software.

notify Specifies that an e-mail notification should be sent if the central policy file changes.

order order of v)pm, l)ocal, c)entral

Specifies the policy evaluation order.

poll-interval minutes Specifies the number of minutes that should pass between tests for central policy file changes.

poll-now Tests for central policy file changes immediately.

proxy-default {allow | deny} Allows or denies the default proxy policy.

reset Clears all policies.

subscribe Indicates that the current local policy should be automatically updated when the central policy changes.

vpm-software url Specifies the network path from which to download the VPM software.

Example

SGOS#(config) policy local-path http://www.server1.com/local.txt
  ok
SGOS#(config) policy central-path http://www.server2.com/central.txt
  ok
SGOS#(config) policy poll-interval 10
  ok

#(config)restart

Use this command to set restart options for the Security Appliance.

Syntax

restart {compress | core-image {context | full | none} | mode {hardware | software}}

where:

restart – Configures system restart settings, including core image information and compression status.

compress Indicates that a compressed core image should be written on restart.

core-image {context | full | none} Indicates the type of core image that should be written on restart.

mode {hardware | software} Specifies either a hardware or software restart.

Example

SGOS#(config) restart mode software
  ok

#(config)return-to-sender

The return-to-sender feature eliminates unnecessary network traffic when the following three conditions are met:

• The Security Appliance has connections to clients or servers on a different subnet.

• The shortest route to the clients or servers is not through the default gateway.

• There are no static routes or RIP routes defined that apply to the IP addresses of the clients and servers.

Under these conditions, if the return-to-sender feature is enabled, the Security Appliance remembers the MAC address of the last hop for a packet from the client or server and sends any responses or requests to that MAC address instead of to the default gateway.

Under the same conditions, if return-to-sender is disabled, the Security Appliance sends requests or responses to the default gateway, which then sends the packets to the gateway representing the last hop to the Security Appliance for the associated connection. This effectively doubles the number of packets transmitted on the LAN compared to when return-to-sender is enabled.

Inbound return-to-sender affects connections initiated to the Security Appliance by clients. Outbound return-to-sender affects connections initiated by the Security Appliance to origin servers.

Note: Return-to-sender functionality should only be used if static routes cannot be defined for the clients and servers or if routing information for the clients and servers is not available through RIP packets.

Syntax

return-to-sender {inbound {disable | enable} | outbound {disable | enable}}

where:

return-to-sender – Configures return-to-sender inbound and outbound settings.

inbound {disable | enable} Enables or disables return-to-sender for inbound sessions.

outbound {disable | enable} Enables or disables return-to-sender for outbound sessions.

Example

SGOS#(config) return-to-sender inbound enable
  ok

#(config)reveal-advanced

The reveal-advanced command allows you to enable all or a subset of the advanced commands available to you when using the CLI. The advanced commands that you can enable include HTTP and TCP/IP commands.

Syntax

reveal-advanced {all | expand | tcp-ip}

where:

reveal-advanced – Enables the system administrator to hide and disable certain advanced commands.

all Disables all expanded, HTTP, and TCP/IP advanced commands.

expand Disables all expanded advanced commands.

tcp-ip Disables all TCP/IP advanced commands.

Example

SGOS#(config) reveal-advanced expand
  ok
SGOS#(config) reveal-advanced tcp-ip
  ok
SGOS#(config) reveal-advanced all
  ok
SGOS#(config)

#(config)rip

Use this command to set RIP (Routing Information Protocol) configuration options.

Using RIP, a host and router can send a routing table list of all other known hosts to its closest neighbor host every 30 seconds. The neighbor host passes this information on to its next closest neighbor and so on until all hosts have perfect knowledge of each other. (RIP uses the hop count measurement to derive network distance.) Each host in the network can then use the routing table information to determine the most efficient route for a packet.

The RIP configuration is defined in a configuration file. To configure RIP, first create a text file of RIP commands and then load the file by using the load command.

Syntax

rip {disable | enable | no path | path url}

where:

rip – Specifies information regarding RIP settings, including status and location.

disable Disables the current RIP configuration.

enable Enables the current RIP configuration.

no path Clears the current RIP configuration path as set using the rip path url command.

path url Sets the path to the RIP configuration file to the URL indicated by url.

Example

SGOS#(config) rip path 10.25.36.47/files/rip.txt
  ok

#(config)security

The Security Appliance provides the ability to authenticate using industry-standard proxy authentication and authorization (AA) services for users accessing one or multiple Security Appliances, in either explicit proxy mode or transparent proxy mode. The authentication services supported are:

LDAP – Lightweight Directory Access Protocol

NTLM – Windows NT Challenge Response (integrated authentication)

RADIUS – Remote Authentication for Dialup Users

UNIX – Users, groups and passwords are stored in a file on the Security Appliance, in a Blue Coat proprietary format.

The Security Appliance provides a flexible authentication architecture that supports all of the above services, with the ability to specify multiple, and even disparate, backend servers (for example, LDAP directory servers together with NT domains with no trust relationship, and so forth) within each authentication scheme, through the introduction of a new concept: the realm. A realm defines a schema used to authenticate and authorize users for access to Security Appliance services using any of the authentication mechanisms mentioned above. It is important to note that multiple authentication realms and multiple policy realms can be used on a single Security Appliance. Multiple realms become essential if your enterprise is a Managed Service provider, or if your company has merged with or acquired another company, for example. Even for companies using only one protocol, multiple realms may be necessary, as in the case of a company using an LDAP server with multiple authentication boundaries.

A realm configuration is composed of the following:

• realm name

• authentication service – (LDAP, NTLM, RADIUS, or UNIX).

• external server configuration – backend server configuration information such as IP address, port, and other relevant information based on the selected service.

• authentication schema – the definition that will be used to authenticate users.

• authorization schema – the definition that will be used to authorize users for membership in defined groups and check for attributes that trigger evaluation against any defined policy rules.

For details, refer to the Blue Coat Systems Port 80 Security Appliance Configuration and Management Guide, "Authentication and Authorization" chapter.

Syntax

option 1: security allowed-access source_ip [mask]

option 2: security destroy-old-passwords

option 3: security enable-password password

option 4: security flush-credentials

option 5: security flush-credentials on-policy-change disable

option 6: security flush-credentials on-policy-change enable

option 7: security front-panel-pin PIN

option 8: security hashed-front-panel-pin hashed-PIN

option 9: security hashed-enable-password hashed-password

option 10: security hashed-password hashed-password

option 11: security enforce-acl

option 12: security ldap all alternate-server ip_address [port]

option 13: security ldap all cache-duration minutes

option 14: security ldap all case-sensitive disable

option 15: security ldap all case-sensitive enable


option 16: security ldap all distinguished-name user-attribute-type user_attribute_type

option 17: security ldap all distinguished-name [{add | | demote | no | promote}] base-dn base_dn

option 18: security ldap all distinguished-name clear base-dn

option 19: security ldap all membership-attribute attribute_name

option 20: security ldap all membership-type group

option 21: security ldap all membership-type user

option 22: security ldap all no alternate-server

option 23: security ldap all no membership-attribute

option 24: security ldap all no spoof-authentication

option 25: security ldap all primary-server ip_address port

option 26: security ldap all search anonymous disable

option 27: security ldap all search anonymous enable

option 28: security ldap realm_name all search dereference {always | finding | never | searching}

option 29: security ldap all search encrypted-password encrypted_password

option 30: security ldap all search password password

option 31: security ldap all search user-dn user_dn

option 32: security ldap all server-type {ad | iplanet | nds | other}

option 33: security ldap all spoof-authentication

option 34: security ldap create-realm {ad | iplanet | nds | other} realm_name [base_DN] primary_ip [port]

option 35: security ldap delete-realm realm_name

option 36: security ldap edit-realm realm_name

option 37: security ldap edit-realm realm_name all search encrypted-password encrypted_password

option 38: security ldap edit-realm realm_name all search password password

option 39: security ldap edit-realm realm_name no spoof-authentication

option 40: security ldap edit-realm realm_name search encrypted-password encrypted_password

option 41: security ldap edit-realm realm_name search encrypted-password encrypted_password

option 42: security ldap edit-realm realm_name search password password

option 43: security ldap edit-realm spoof-authentication

option 44: security ldap view

option 45: security ldap view realm_name

option 46: security ldap realm_name

option 47: security ldap realm_name search dereference {always | finding | never | searching}


option 48: security management auto-logout-timeout seconds

option 49: security management display-realm name

option 50: security management no auto-logout-timeout

option 51: security management no display-realm

option 52: security no allowed-access source_ip [ip_mask]

option 53: security no enforce-acl

option 54: security ntlm all alternate-server ip_address port

option 55: security ntlm all cache-duration minutes

option 56: security ntlm all no alternate-server

option 57: security ntlm all primary-server ip_address [port]

option 58: security ntlm all timeout seconds

option 59: security ntlm all server-retry count

option 60: security ntlm create-realm realm_name primary_server_ip [primary_server_port]

option 61: security ntlm delete-realm realm_name

option 62: security ntlm edit-realm realm_name

option 63: security ntlm view

option 64: security ntlm view realm_name

option 65: security ntlm realm_name

option 66: security password password

option 67: security password-display {encrypted | keyring | none | view}

option 68: security radius create-realm-encrypted realm_name encrypted-secret primary_server_ip [primary_server_port]

option 69: security radius create-realm realm_name encrypted_secret primary_server_ip [primary_server_port]

option 70: security radius create-realm realm_name secret primary_server_ip [primary_server_port]

option 71: security radius delete-realm realm_name

option 72: security radius edit-realm realm_name

option 73: security radius edit-realm realm alternate-server encrypted-secret encrypted_secret

option 74: security radius edit-realm realm primary-server encrypted-secret encrypted_secret

option 75: security radius edit-realm realm alternate-server secret secret

option 76: security radius edit-realm realm no spoof-authentication

option 77: security radius edit-realm realm primary-server secret secret

option 78: security radius edit-realm realm spoof-authentication

option 79: security radius view

option 80: security radius view realm_name


option 81: security radius realm_name

option 82: security username user_name

option 83: security transparent-proxy-auth cookie persistent

option 84: security transparent-proxy-auth cookie session

option 85: security transparent-proxy-auth cookie virtual-url url

option 86: security transparent-proxy-auth method ip

option 87: security transparent-proxy-auth method cookie

option 88: security transparent-proxy-auth time-to-live {ip minutes | persistent-cookie minutes}

option 89: security unix create-realm realm_name

option 90: security unix delete-realm realm_name

option 91: security unix edit-realm realm_name no spoof-authentication

option 92: security unix edit-realm realm_name parameter

option 93: security unix edit-realm realm_name spoof-authentication

option 94: security unix view

option 95: security unix view realm_name

option 96: security unix realm_name

where:

security – Configures authorization and authentication methods and realms (LDAP, NTLM, RADIUS, and UNIX).

allowed-access source_ip [mask] Adds the IP address indicated by source_ip to the Access Control List.

destroy-old-passwords [force] Destroys recoverable passwords in the registry key from previous versions. This command, while improving security, should only be used if you do not plan to upgrade.

enable-password password Puts into effect the console enable (or privileged mode) password specified by password.

enforce-acl Enforces the console Access Control List.

flush-credentials [on-policy-change [disable | enable]]

With no additional parameters, flushes the credentials cache immediately. flush-credentials on-policy-change enable flushes the credentials cache when a change to the central policy file has been detected; flush-credentials on-policy-change disable does not.

front-panel-pin pin Specifies the PIN for the front panel console. This does not affect modules that allow configuration for the front panel.


hashed-enable-password hashed_password Puts into effect the console hashed enable password specified by hashed_password.

hashed-front-panel-pin hashed_pin Specifies the hashed PIN for the front panel console. This does not affect modules that allow configuration for the front panel.

security ldap all – Configures security aspects of all LDAP realms.

alternate-server ip_address [port] Specifies the alternate LDAP server IP address and port for all LDAP realms.

cache-duration minutes Specifies the length of time to cache user credentials for all LDAP realms.

case-sensitive {disable | enable} Enables or disables the case-sensitivity of all LDAP realms.

distinguished-name user-attribute-type user_attribute_type Configures the distinguished name (DN) user attribute type for all LDAP realms.

distinguished-name {add | | demote | no | promote} base-dn base_dn
~or~
distinguished-name clear base-dn

Configures the base distinguished names for all of the LDAP realms. add appends a base distinguished name to each realm. demote moves the specified base distinguished name down in the search order in each realm that contains a match. no deletes the specified base distinguished name from the realm. promote moves the specified base distinguished name up in the search order in each realm that contains a match. clear deletes all base distinguished names from every realm.

membership-attribute attribute_name Specifies the membership attribute for all LDAP realms.

membership-type {group | user} Specifies group or user name mapping authorization mode.

no alternate-server Clears the current alternate LDAP server IP address and port for all LDAP realms.

no membership-attribute Clears the membership attribute for all LDAP realms.

no spoof-authentication Disables spoof-authentication.

primary-server ip_address [port] Sets the current primary LDAP server IP address and port for all LDAP realms.

search anonymous {disable | enable} Enables or disables anonymous searches for all LDAP realms.

search encrypted-password encrypted_password Enables searching using the user encrypted password if anonymous search is disabled.


search password password Enables searching using the user password if anonymous search is disabled.

search user-dn user_DN Enables searching using the user distinguished name if anonymous search is disabled.

spoof-authentication Allows forwarding user credentials from the credential cache to the origin content server. Authentication to an upstream server can only be done when the Security Appliance and the OCS have the same set of username/password combinations.

security ldap – Creates, deletes, or displays information about a particular LDAP realm.

all search [dereference {always | finding | never | searching}] [password password] [encrypted-password encrypted_password]

Specifies if and when to follow alias pointers on the LDAP server.
Never: Do not dereference aliases in searching or in locating the base object.
Searching: Dereference aliases only during searching and not when locating the base object.
Finding: Dereference aliases when locating the base object of the search but not during searching.
Always (the default): Dereference aliases both during searching and when locating the base object.

create-realm {ad | iplanet | nds | other} realm_name base_DN primary_ip [primary_port]

Creates a new LDAP realm named realm_name.

delete-realm realm_name Deletes the LDAP realm named realm_name.

edit-realm realm_name Edits the LDAP realm named realm_name. Changes prompt to config radius realm_name.

edit-realm realm_name dereference [always | finding | never | searching]

Changes the dereference level for a single realm. (Dereferencing specifies if and when to follow alias pointers on the LDAP server.)
Never: Do not dereference aliases in searching or in locating the base object.
Searching: Dereference aliases only during searching and not when locating the base object.
Finding: Dereference aliases when locating the base object of the search but not during searching.
Always (the default): Dereference aliases both during searching and when locating the base object.

alternate-server ip_address [port]

Configures alternate LDAP server.


cache-duration minutes Specifies the length of time to cache user credentials.

case-sensitive {enable | disable}

Enables or disables case sensitivity within the realm.

distinguished-name user-attribute-type attribute_type

Sets the LDAP distinguished name user attribute type.

distinguished-name {add | | demote | no | promote} base-dn base_dn
~or~
distinguished-name clear base-dn

Configures the distinguished names. add appends a distinguished name to the realm. demote moves the specified distinguished name down in the search order. no deletes the specified distinguished name from the realm. promote moves the specified distinguished name up one in the search order. clear deletes all distinguished names from the realm.

exit Exits edit-realm mode.

membership-attribute type Specifies the membership attribute type

membership-type {group | user}

Specifies group mapping authorization mode or user attribute mapping authorization mode.

no {alternate-server | membership-attribute | spoof-authentication}

Deletes the alternate server, the membership attribute or disables spoof-authentication.

primary-server ip_address [port]

Configures the primary server.

rename realm_name Renames the realm.

search {anonymous {enable | disable} | password password | user-dn user-dn}

Configures realm search options.

server-type {ad | iplanet | nds | other}

Changes the server type for this realm.

spoof-authentication Allows forwarding user credentials from the credential cache to the origin content server. Authentication to an upstream server can only be done when the Security Appliance and the OCS have the same set of username/password combinations.

{show | view} Displays running system information or displays information for this realm.

view realm_name Displays information about the LDAP realm named realm_name.

security management – Sets Security Appliance realm settings.


auto-logout-timeout seconds Sets the length of the Security Appliance session before requiring login credentials. The default is 900 seconds (15 minutes).

display-realm name Sets the name of the Security Appliance realm. The default is the IP address that was used to connect to the system.

no display-realm Resets the name of the Security Appliance realm to the Security Appliance IP address.

no auto-logout-timeout Disables the session timeout feature.

security no – Negates certain Access Control List features.

allowed-access source_ip [ip_mask] Disables the IP address indicated by source_ip in the Access Control List.

enforce-acl Disables the console Access Control List.
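The allowed-access, no allowed-access and enforce-acl rows above together define the console Access Control List, and the example session later in this section adds three single-host entries with a 255.255.255.255 mask. The following Python is an added model of how such an ACL is built and evaluated; it is not code from the appliance or from Blue Coat. The names ConsoleAcl, build_acl, locked_out and the sample configuration lines are constructed for this example, and the rules that a missing mask means a single host and that an unenforced ACL admits every source are assumptions of the model, not documented appliance behaviour. Its practical use is the locked_out check: running it against the administrators' own station addresses before issuing security enforce-acl shows who would lose console access.

```python
import ipaddress
from typing import List, Optional

# Constructed sample configuration, mirroring the documented forms of
# "security allowed-access source_ip [mask]", "security no allowed-access"
# and "security enforce-acl". Not captured from a real appliance.
SAMPLE_CONFIG = """
security allowed-access 10.253.101.23 255.255.255.255
security allowed-access 10.253.101.24 255.255.255.255
security allowed-access 10.252.10.90 255.255.255.255
security allowed-access 192.168.50.0 255.255.255.0
security no allowed-access 10.253.101.24 255.255.255.255
security enforce-acl
"""


def _to_network(source_ip: str, mask: Optional[str]) -> ipaddress.IPv4Network:
    # Assumption: no mask means a single host, as "source_ip [mask]" suggests.
    return ipaddress.ip_network(f"{source_ip}/{mask or '255.255.255.255'}", strict=False)


class ConsoleAcl:
    """Model of the console ACL: an ordered list of allowed networks plus an enforce flag."""

    def __init__(self) -> None:
        self.allowed: List[ipaddress.IPv4Network] = []
        self.enforced = False

    def apply(self, line: str) -> None:
        """Apply one 'security ...' configuration line; other lines are ignored."""
        tokens = line.split()
        if len(tokens) < 2 or tokens[0] != "security":
            return
        args = tokens[1:]
        negate = False
        if args[0] == "no":            # "security no allowed-access" / "security no enforce-acl"
            negate = True
            args = args[1:]
        if not args:
            return
        if args[0] == "enforce-acl":
            self.enforced = not negate
        elif args[0] == "allowed-access" and len(args) >= 2:
            net = _to_network(args[1], args[2] if len(args) > 2 else None)
            if negate:
                self.allowed = [n for n in self.allowed if n != net]
            elif net not in self.allowed:
                self.allowed.append(net)

    def permits(self, source_ip: str) -> bool:
        """Assumption of the model: an unenforced ACL admits every source."""
        if not self.enforced:
            return True
        addr = ipaddress.ip_address(source_ip)
        return any(addr in net for net in self.allowed)


def build_acl(config_text: str) -> ConsoleAcl:
    """Build the ACL state from configuration lines in the order they were issued."""
    acl = ConsoleAcl()
    for line in config_text.splitlines():
        acl.apply(line.strip())
    return acl


def locked_out(acl: ConsoleAcl, admin_hosts: List[str]) -> List[str]:
    """Administrator stations that would lose console access once enforce-acl is on.

    Evaluates the current allowed list as if it were enforced, regardless of
    whether enforce-acl has actually been issued yet.
    """
    probe = ConsoleAcl()
    probe.allowed = list(acl.allowed)
    probe.enforced = True
    return [host for host in admin_hosts if not probe.permits(host)]


if __name__ == "__main__":
    acl = build_acl(SAMPLE_CONFIG)
    print("enforced:", acl.enforced, "allowed:", [str(n) for n in acl.allowed])
    print("locked out:", locked_out(acl, ["10.252.10.90", "172.16.0.5"]))
```

The order of lines matters because a later no allowed-access removes an earlier entry, which is why the model replays the configuration rather than collecting entries into a set.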

security ntlm all – Configures security aspects of all NTLM realms.

alternate-server ip_address [port] Specifies the alternate LDAP server IP address and port for all NTLM realms.

cache-duration minutes Specifies the length of time to cache user credentials for all NTLM realms.

no alternate-server Clears the current alternate NTLM server IP address and port for all NTLM realms.

primary-server ip_address [port] Specifies the primary LDAP server IP address and port for all NTLM realms.

timeout seconds Configures the NTLM query timeout for all NTLM realms.

server-retry count Configures the number of authentication retry attempts for all NTLM realms.

security ntlm – Creates, deletes, or displays information about a particular NTLM realm.

create-realm realm_name primary_server_ip [primary_server_port]

Creates a new NTLM realm named realm_name.

delete-realm realm_name Deletes the NTLM realm named realm_name.

edit-realm realm_name Edits the NTLM realm named realm_name.

alternate-server ip_address [port]

Configures alternate RADIUS server.

cache-duration minutes Specifies the length of time to cache user credentials.

exit Exits edit-realm mode.

no alternate-server Deletes the alternate server.

primary-server ip_address [port]

Configure the primary server.

rename realm_name Renames the realm.


timeout seconds Specifies query duration before timeout.

server-retry count Specifies the number of authentication retry attempts.

{show | view} Show running system information or view information for this realm.

view realm_name Displays information about the NTLM realm named realm_name.

security password – Changes the console account password.

password Puts into effect the console account password indicated by password.

hashed-password Puts into effect the console account password indicated by hashed-password.

password-display [none | encrypted | keyring name | view]

Sets the CLI handling of passwords for this session. Keyring is meant for Director use. Director stores its keyring in a public key that is used when pulling a configuration from one Security Appliance to multiple Security Appliances.

security radius – Creates, deletes, or displays information about a particular RADIUS realm.

create-realm realm_name [secret | encrypted_secret] primary_server_ip [primary_server_port]

Creates a new RADIUS realm named realm_name.

create-realm-encrypted realm_name encrypted_secret primary_server_ip [primary_server_port]

Creates a new RADIUS realm named realm_name. It also accepts encrypted secrets.

delete-realm realm_name Deletes the RADIUS realm named realm_name.

edit-realm realm_name Edits the RADIUS realm named realm_name.

alternate-server ip_address [port] | [secret secret | encrypted-secret encrypted_secret | service-type type]

Configures alternate RADIUS server.

cache-duration minutes Specifies the length of time to cache user credentials.

case-sensitive {enable | disable}

Enables or disables case sensitivity within the realm.

exit Exits edit-realm mode.

no alternate-server | spoof-authentication

Deletes the alternate server or disables spoof-authentication.


primary-server ip_address [port] | [secret secret | encrypted-secret encrypted_secret | service-type type]

Configures the primary server. Can also specify a shared secret for the primary RADIUS server and specify a checklist service type sent to the primary RADIUS server.

rename realm_name Renames the realm.

timeout seconds Specifies query duration before timeout.

server-retry count Specifies the number of authentication retry attempts.

{show | view} Show running system information or view information for this realm.

spoof-authentication Allows forwarding user credentials from the credential cache to the origin content server. Authentication to an upstream server can only be done when the Security Appliance and the OCS have the same set of username/password combinations.

view realm_name Displays information about the RADIUS realm named realm_name.

security username – Changes the console account user name.

user_name Puts into effect the console account user name indicated by user_name.

security transparent-proxy-auth – Configures transparent-proxy cookie options.

cookie persistent Specifies that this realm should use persistent cookies with no TTL expiration.

cookie session Specifies that this realm should use cookies that expire at the end of a session.

cookie virtual-url url Specifies that this realm should use cookies with the virtual URL indicated by url.

method ip Specifies that this realm should use the IP method for transparent proxy (as opposed to the cookie method).

method cookie Specifies that this realm should use the cookie method for transparent proxy (as opposed to the IP method).

time-to-live {ip minutes | persistent-cookie minutes}

Specifies the duration the IP or persistent cookie is valid.

security unix – Creates, deletes, or displays information about a particular UNIX realm.

create-realm realm_name Creates a new UNIX realm named realm_name.

delete-realm realm_name Deletes the UNIX realm named realm_name.

edit-realm realm_name Edits the UNIX realm named realm_name.

cache-duration minutes Specifies the length of time to cache user credentials.

no Disables spoof-authentication.

exit Exits edit-realm mode.

rename realm_name Renames the realm.

{show | view} Show running system information or view information for this realm.

spoof-authentication Allows forwarding user credentials from the credential cache to the origin content server. Authentication to an upstream server can only be done when the Security Appliance and the OCS have the same set of username/password combinations.

view realm_name Displays information about the UNIX realm named realm_name.

Example

SGOS#(config) security ldap create-realm iplanet AuthRealm "dc=ads2001,dc=bluecoat,dc=com" 10.252.3.78 389
ok
SGOS#(config) security ldap edit-realm AuthRealm
SGOS#(config ldap AuthRealm) search password "user"
ok
SGOS#(config ldap AuthRealm) search user-dn "cn=UserAG,ou=bluecoat,dc=ads2001,dc=bluecoat,dc=com"
ok
SGOS#(config ldap AuthRealm) search anonymous disable
ok
SGOS#(config ldap AuthRealm) exit
SGOS#(config) security allowed-access 10.253.101.23 255.255.255.255
ok
SGOS#(config) security allowed-access 10.253.101.24 255.255.255.255
ok
SGOS#(config) security allowed-access 10.252.10.90 255.255.255.255
ok
SGOS#(config) security enable-password "enable"
ok
SGOS#(config) security front-panel-pin "1234"
ok
SGOS#(config) security password "test"
ok
SGOS#(config) security username "test"
ok
SGOS#(config)


#(config) services

Use this command to configure FTP, HTTP, or Telnet services.

Syntax

services

This changes the prompt to:

SGOS#(config services)

- subcommands-

option 1: exit

option 2: ftp {attribute | create | delete | disable | enable | exit | show | view}

option 3: http {attribute | create | delete | disable | enable | exit | show | view}

option 4: show

option 5: telnet {create | delete | disable | enable | exit | show | view}

option 6: view

where:

services – Configures services.

exit Exits the config services mode and returns you to the config prompt.

ftp Configures transparent FTP services. See the (services) ftp command for options.

http Configures HTTP services. See the (services) http command for options.

show Displays running system information.

telnet Configures Telnet services. See the (services) telnet command for options.

view Displays all services-related configuration information.

Example

SGOS#(config services) view
Port: 8080 Type: http Properties: enabled, explicit-proxy
Port: 80 Type: http Properties: enabled, transparent, explicit-proxy
Port: 21 Type: ftp Properties: enabled, transparent


#(config services) ftp

Use this command to configure transparent FTP services.

Syntax

ftp

This changes the prompt to:

SGOS#(config services ftp)

- subcommands-

option 1: attribute passive-mode {disable | enable}

option 2: create

option 3: delete

option 4: disable

option 5: enable

option 6: exit

option 7: view

where:

services ftp – Configures transparent FTP services.

attribute passive-mode {disable | enable} Enables or disables support for passive mode to clients.

create port Creates a transparent FTP services port.

delete port Deletes a transparent FTP services port.

disable [port=21] Disables the transparent FTP services port.

enable [port=21] Enables the transparent FTP services port.

exit Exits config services ftp mode and returns you to the config services prompt.

view Displays the transparent FTP services configuration.

Example

SGOS#(config) services
SGOS#(config services) ftp
SGOS#(config services ftp) create 2002
ok
SGOS#(config services ftp) exit
SGOS#(config services)


#(config services) http

Use this command to create and configure HTTP services.

Syntax

http

This changes the prompt to:

SGOS#(config services http)

- subcommands-

option 1: attribute authenticate-401 {enable | disable} port

option 2: attribute explicit disable port

option 3: attribute explicit enable port

option 4: attribute nap disable port

option 5: attribute nap enable port

option 6: attribute send-client-ip disable port

option 7: attribute send-client-ip enable port

option 8: attribute transparent disable port

option 9: attribute transparent enable port

option 10: attribute head enable port

option 11: attribute head disable drop port

option 12: attribute head disable error port

option 13: attribute connect disable port

option 14: attribute connect enable port

option 15: attribute connect disable drop port

option 16: attribute connect disable error port

option 17: create port

option 18: delete port

option 19: disable port

option 20: enable port

option 21: exit

option 22: show

option 23: view

where:

services http attribute – Configures HTTP services attributes.

authenticate-401 {enable | disable} port Enables or disables transparent authentication.

explicit disable port Rejects requests for non-transparent content on the specified port.

explicit enable port Accepts requests for non-transparent content on the specified port.

nap disable port Disables the non-accelerated attribute on the specified port.

nap enable port Enables non-accelerated attribute on the specified port.

send-client-ip disable port Disables the spoof attribute on the specified port.

send-client-ip enable port Enables the spoof attribute on the specified port.

transparent disable port Accepts requests for transparent content on the specified port.

transparent enable port Rejects requests for transparent content on the specified port.

head enable port Prevents blocking of HEAD requests on the specified port.

head disable drop port Drops connections for HEAD requests on the specified port.

head disable error port Returns error 405 for HEAD requests on the specified port.

connect disable port Blocks CONNECT requests on the specified port.

connect enable port Prevents blocking of CONNECT requests on the specified port.

connect disable drop port Drops connection for CONNECT requests on the specified port.

connect disable error port Returns error 405 for CONNECT requests on the specified port.

services http – Establishes HTTP services port.

create port Creates an HTTP services port.

delete port Deletes the specified HTTP services port.

disable port Disables the HTTP services on the specified port.

enable port Enables the HTTP services on the specified port.

exit Exits config services http mode and returns you to the config services prompt.

show Displays running system information.

view Displays the HTTP services configuration.

Example

SGOS#(config) services
SGOS#(config services) http
SGOS#(config services http) create 8085
ok
SGOS#(config services http) attribute authenticate-401 enable 8085
ok
SGOS#(config services http) exit
SGOS#(config services) exit
SGOS#(config)

#(config services) telnet

Use this command to create and configure Telnet services.

Syntax

telnet

This changes the prompt to:

SGOS#(config services telnet)

- subcommands-

option 1: create port

option 2: delete port

option 3: disable port

option 4: enable port

option 5: exit

option 6: show

option 7: view

where:

services telnet – Configures Telnet services.

create port Creates a Telnet services port indicated by port.

delete port Deletes the Telnet services port indicated by port.

disable port Disables the Telnet services port.

enable port Enables the Telnet services port.

exit Exits config services telnet mode and returns you to the config services prompt.

show Displays running system information.

view Displays the Telnet services configuration.

Example

SGOS#(config) services
SGOS#(config services) telnet
SGOS#(config services telnet) view
Port: 23 Type: telnet Properties: enabled, explicit
Port: 9002 Type: telnet Properties: enabled, explicit
Port: 9003 Type: telnet Properties: enabled, explicit
Port: 30 Type: telnet Properties: enabled, explicit
SGOS#(config services telnet) delete 9003
ok
SGOS#(config services telnet) create 25
ok
SGOS#(config services telnet) disable 9003
ok
SGOS#(config services telnet) exit
SGOS#(config services) exit
SGOS#(config)
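The view output shown in the services and services telnet examples lists one record per listening port (Port, Type, Properties). The following is an added example, not from the Blue Coat manual or from SGOS itself: a small Python parser for that output, plus an audit pass that flags enabled Telnet management ports (the sshd section later in this chapter describes SSH as the secure alternative) and transparent interception ports so each can be confirmed as intentional. The sample records and the audit policy are constructed assumptions; the tolerance for records run together on one line is there because copied CLI output often loses its line breaks.

```python
import re

# Constructed sample modelled on the 'view' output in the services examples
# (one record per listening port); the 9003 record is added to show a disabled port.
SAMPLE_VIEW = """\
Port: 8080 Type: http Properties: enabled, explicit-proxy
Port: 80 Type: http Properties: enabled, transparent, explicit-proxy
Port: 21 Type: ftp Properties: enabled, transparent
Port: 23 Type: telnet Properties: enabled, explicit
Port: 9003 Type: telnet Properties: disabled, explicit
"""

RECORD = re.compile(r"Port:\s*(\d+)\s+Type:\s*([\w-]+)\s+Properties:\s*(.*)")


def parse_services(text):
    """Parse 'view' output into dicts with port (int), type (str) and properties (set).

    Records that were run together on one line when the output was copied
    (...explicitPort: 30 ...) are split again before parsing.
    """
    text = re.sub(r"\s*(?=Port:)", "\n", text)
    services = []
    for line in text.splitlines():
        m = RECORD.match(line.strip())
        if not m:
            continue  # prompts and other non-record lines are ignored
        props = {p.strip() for p in m.group(3).split(",") if p.strip()}
        services.append({"port": int(m.group(1)), "type": m.group(2), "properties": props})
    return services


def audit_services(services):
    """Return review findings for enabled services (assumed policy, not SGOS behaviour).

    - An enabled Telnet management port carries credentials in cleartext; the
      sshd section describes SSH as the secure alternative.
    - A transparent port intercepts traffic not addressed to the appliance, so
      each one should be a deliberate choice.
    """
    findings = []
    for s in sorted(services, key=lambda s: s["port"]):
        if "enabled" not in s["properties"]:
            continue  # disabled ports are not listening
        if s["type"] == "telnet":
            findings.append(f"port {s['port']}: Telnet management enabled (cleartext; see sshd)")
        if "transparent" in s["properties"]:
            findings.append(f"port {s['port']}: transparent {s['type']} interception enabled")
    return findings


if __name__ == "__main__":
    for finding in audit_services(parse_services(SAMPLE_VIEW)):
        print(finding)
```

Paste the output of view (from config services, or from show services) into SAMPLE_VIEW or read it from a file; disabled ports are skipped so a port that was deleted or disabled, as 9003 is in the example above, does not produce a finding.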

#(config) show

Use this command to display specific configuration settings or options.

Syntax

option 1: show accelerated-pac

option 2: show access-log {configuration | statistics}

option 3: show archive-configuration

option 4: show arp-table

option 5: show bandwidth-gain

option 6: show bypass-list

option 7: show caching

option 8: show clock

option 9: show commands [delimited | formatted]

option 10: show configuration [brief | expanded | noprompts]

option 11: show content {outstanding-requests {[deletes] | [revalidates] | [priority]} | priority {[regex regex] | [url url]} | statistics | url url}

option 12: show content-distribution

option 13: show content-filter {smartfilter | status | websense3 | websense4}

option 14: show cpu

option 15: show diagnostics

option 16: show disk {disk_number | all}

option 17: show dns

option 18: show domain-alias

option 19: show download-paths


option 20: show dynamic-bypass

option 21: show efficiency

option 22: show environmental

option 23: show event-log

option 24: show forwarding

option 25: show health-checks

option 26: show hostname

option 27: show http

option 28: show http-stats

option 29: show icap {clusters | services | statistics}

option 30: show icp-settings

option 31: show identd

option 32: show installed-systems

option 33: show interface

option 34: show ip-default-gateway

option 35: show ip-route-table

option 36: show ip-stats {all | e# | ip | memory | summary | tcp | udp}

option 37: show netbios

option 38: show ntp

option 39: show policy [order | proxy-default]

option 40: show ports

option 41: show realms

option 42: show resources

option 43: show restart

option 44: show return-to-sender

option 45: show rip {parameters | routes | statistics}

option 46: show rtsp

option 47: show security

option 48: show services [ftp | http | telnet]

option 49: show sessions

option 50: show snmp

option 51: show socks-machine-id

option 52: show sources {bypass-list | error-pages | icp-settings | policy | rip-settings | static-route-table | streaming | wccp-settings}

option 53: show splash-generator

option 54: show static-routes

option 55: show status


option 56: show streaming {real-media | windows-media | configuration | statistics}

option 57: show system-resource-percent

option 58: show tcp-rtt

option 59: show telnet-management

option 60: show terminal

option 61: show timezones

option 62: show transparent-proxy

option 63: show user authentication

option 64: show version

option 65: show virtual-ip

option 66: show wccp {configuration | statistics}

option 67: show web-management

where:

show – Displays running system information.

accelerated-pac Displays the current accelerated PAC settings.

access-log {configuration | statistics}

Displays the current access log settings.

archive-configuration Displays archive configuration settings.

arp-table Displays ARP information.

bandwidth-gain Displays the current bandwidth-gain commands.

bypass-list Displays the current bypass list.

caching Displays the current caching settings.

clock Displays the current Security Appliance time setting.

commands [delimited | formatted] Displays the available CLI commands.

configuration [brief | expanded | noprompts]

Displays the current non-default configuration settings. Use the optional parameters to customize the output.

content {outstanding-requests | priority | url}

Displays outstanding distribution and revalidation requests, policy deletion priorities, or information for a cached object.

content-filter {smartfilter | status | websense3 | websense4}

Displays the current content filter settings.

cpu Displays CPU usage.

diagnostics Displays the remote diagnostics commands.

disk {disk_number | all} Displays disk status and information.

dns Displays DNS servers and name imputing settings.


domain-alias Displays any defined domain aliases.

download-paths Displays the current downloaded configuration paths.

dynamic-bypass Displays the current dynamic bypass configuration settings.

efficiency Displays efficiency statistics.

environmental Displays environmental statistics.

event-log Displays the current event log settings.

forwarding Displays the current forwarding settings.

health-checks Displays health check settings.

hostname Displays the current hostname.

http Displays HTTP settings.

http-stats Displays HTTP statistics.

icap {clusters | services | statistics}

Displays ICAP settings.

icp-settings Displays ICP settings.

identd Displays IDENTD service settings.

installed-systems Displays OS versions available on the Security Appliance.

interface Displays interface status and configuration information.

ip-default-gateway Displays the IP address of the default gateway.

ip-route-table Displays route table information.

ip-stats {all | e# | ip | memory | summary | tcp | udp}

Displays TCP/IP statistics.

netbios Displays NETBIOS settings.

ntp Displays NTP servers and information.

policy [order | proxy-default] Displays current policy rules.

ports Displays HTTP and console ports.

realms Displays current authentication realms.

resources Displays allocation of system resources.

restart Displays system restart settings.

return-to-sender Displays "return to sender" settings.

rip {parameters | routes | statistics}

Displays RIP settings.

rtsp Displays RTSP settings.

security Displays security settings.

services [ftp | http | telnet] Displays services settings.

sessions Displays information about Telnet connections.

snmp Displays SNMP statistics.

socks-machine-id Displays the SOCKS machine ID.

sources {bypass-list | error-pages | icp-settings | policy | rip-settings | static-route-table | streaming | wccp-settings}

Displays source listings for installable lists.

splash-generator Displays splash generator commands.

static-routes Displays static route table information.

status Displays current system status.

streaming {real-media | windows-media | configuration | statistics}

Displays streaming settings and protocol-specific streaming settings.

system-resource-percent Displays system resource allocation commands.

tcp-rtt Displays default TCP Round Trip Time.

telnet-management Displays Telnet management status.

terminal Displays terminal configuration parameters and subcommands.

timezones Displays timezones used.

transparent-proxy Displays transparent-proxy settings.

user-authentication Displays user authentication information.

version Displays system hardware and software status.

virtual-ip Displays the current virtual IP settings.

wccp {configuration | statistics} Displays the current WCCP configuration.

web-management Displays Web management status.

Example

SGOS#(config) show bypass-list
TCP/IP Bypass List Information
Destination Mask Source Mask Gateway Interface Life(secs) UseCount

#(config) snmp

Use this command to set SNMP (Simple Network Management Protocol) options for the Security Appliance.

The Security Appliance can be viewed using an SNMP management station. The Security Appliance supports MIB-2 (RFC 1213).

Syntax

snmp

This changes the prompt to:

SGOS#(config snmp)

- subcommands-

option 1: authorize-traps

option 2: disable

option 3: enable

option 4: exit

option 5: no {authorize-traps | sys-contact | sys-location | trap-address {1 | 2 | 3}}

option 6: read-community password

option 7: reset-configuration

option 8: show

option 9: snmp-writes {disable | enable}

option 10: sys-contact string

option 11: sys-location string

option 12: trap-address {1 ip_address | 2 ip_address | 3 ip_address}

option 13: trap-community password

option 14: write-community password

where:

snmp – Sets SNMP options on the Security Appliance.

authorize-traps Enables SNMP authorize traps.

disable Disables SNMP for the Security Appliance.

enable Enables SNMP for the Security Appliance.

exit Exits config snmp mode and returns you to the config prompt.

no {authorize-traps | sys-contact | sys-location | trap-address {1 | 2 | 3}}

Disables the current authorize traps, system contact, system location, or trap address settings.

read-community password | encrypted_password

Sets the read community password or encrypted-password.

reset-configuration Resets the SNMP configuration to the default settings.

show Displays running system information.

snmp-writes {disable | enable} Enables or disables SNMP write capability.

sys-contact string Sets the "sysContact" MIB variable to string.

sys-location string Sets the "sysLocation" MIB variable to string.

trap-address {1 ip_address | 2 ip_address | 3 ip_address}

Indicates which IP address(es) can receive traps and in which priority.

trap-community password | encrypted_password

Sets the trap community password or encrypted-password.

write-community password | encrypted_password

Sets the write community password or encrypted-password.

Example

SGOS#(config) snmp
SGOS#(config snmp) authorize-traps
ok

#(config) socks-machine-id

Use this command to set the machine ID for SOCKS.

If you are using a SOCKS server for the primary or alternate gateway, you must specify the Security Appliance machine ID for the Identification (Ident) protocol used by the SOCKS gateway.

Syntax

socks-machine-id machine_id

where:

socks-machine-id – Specifies the SOCKS machine ID.

machine_id Indicates the machine ID for the SOCKS server.

Example

SGOS#(config) socks-machine-id 10.25.36.47
ok

#(config) splash-generator

Use this command to display a custom message page, or splash page, to a user the first time he or she starts the client browser. Subsequent URL requests from the client then provide the user with the requested content.

Syntax

splash-generator

This changes the prompt to:

SGOS#(config splash-generator)

- subcommands-

option 1: cluster disable


option 2: cluster enable

option 3: cluster peer-ip {1 | 2 | 3 | 4 | 5 | ip_address}

option 4: cluster sdp-port port

option 5: disable

option 6: enable

option 7: exit

option 8: protocol tacacs

option 9: protocol radius

option 10: radius acct-listen-port port

option 11: radius auth-listen-port port

option 12: radius forwarding disable

option 13: radius forwarding ip-spoof

option 14: radius forwarding proxy-state

option 15: radius no secret-key

option 16: radius encrypted-secret-key key

option 17: radius secret-key key

option 18: show

option 19: tacacs forwarding disable

option 20: tacacs forwarding enable

option 21: tacacs listen-port port

option 22: tacacs multi-session disable

option 23: tacacs multi-session enable

option 24: tacacs no all-servers

option 25: tacacs no one-server IP_address [port]

option 26: tacacs no secret-key

option 27: tacacs server IP_address [port]

option 28: tacacs encrypted-secret-key key

option 29: tacacs secret-key key

option 30: timeout seconds

where:

splash-generator – Specifies general, RADIUS accounting, and TACACS+ accounting information.

disable Disables the splash generator.

enable Enables the splash generator.

exit Exits config splash-generator mode and returns to the config prompt.

show Displays running system information.


timeout minutes Indicates the splash timeout in minutes.

splash-generator cluster – Sets splash generator cluster support options.

disable Disables splash-generator cluster support.

enable Enables splash-generator cluster support.

peer-ip {1 | 2 | 3 | 4 | 5 | ip_address}

Indicates the cluster peer address.

sdp-port port Indicates the Session Distributor Protocol port.

splash-generator protocol – Indicates which protocol should be used for splash generator support.

tacacs Indicates that the TACACS+ protocol should be used.

radius Indicates that the RADIUS protocol should be used.

splash-generator radius – Sets various splash generator RADIUS options.

acct-listen-port port Listens for incoming RADIUS accounting requests on the port indicated by port.

auth-listen-port port Listens for incoming RADIUS authorization requests on the port indicated by port.

encrypted-secret-key encrypted-key Sets the encrypted secret key to encrypted-key.

forwarding disable Disables forwarding of RADIUS requests.

forwarding ip-spoof Enables forwarding of RADIUS packets using IP spoofing.

forwarding proxy-state

Enables forwarding of RADIUS packets using proxy state.

no secret-key Sets the MD5 secret key to an empty string.

secret-key key Sets the MD5 secret key to key.

splash-generator tacacs – Sets various splash generator TACACS+ options.

encrypted-secret-key encrypted-key Sets the encrypted secret key to encrypted-key.

forwarding disable Disables forwarding of TACACS+ requests.

forwarding enable Enables forwarding of TACACS+ requests.

listen-port port Listens for incoming TACACS+ requests on the port indicated by port.

multi-session disable Disables multiple TACACS+ sessions capability.

multi-session enable Enables multiple TACACS+ sessions capability.

no all-servers Removes all TACACS+ server entries.

no one-server IP_address [port] Removes the TACACS+ server entry indicated by IP_address.

no secret-key Sets the secret key to an empty string.

server IP_address [port] Adds the server indicated by IP_address to the TACACS+ server list.

secret-key key Sets the secret key to key.

Example

SGOS#(config) splash-generator
SGOS#(config splash-generator) enable
ok
SGOS#(config splash-generator) protocol radius
ok
SGOS#(config splash-generator) exit
SGOS#(config)

#(config) sshd

After doing the initial setup and installation, you can connect to the Security Appliance Serial Console CLI securely using secure shell protocol (SSH). Think of SSH as a secure Telnet. When enabled, all data transmitted between the SSH client and SSH host is encrypted and decrypted using public and private keys established on the Security Appliance and by the SSH application on the client.

Note: The Security Appliance supports a combined maximum of 16 Telnet and SSH sessions. It also supports up to 24 client keys, including keys from Blue Coat Director.

There are many SSH clients commercially available for UNIX and Windows. The Security Appliance requires SSH1; many versions of SSH2, however, are downwardly compatible.

Using a secure connection with RSA authentication requires public and private keys. During the following process, the SSH client application usually creates an identity.pub file. You’ll need to open this file in a text editor, copy the contents of the file, and paste it in when the CLI requests it. If the SSH client you're using cannot create the identity.pub file, or if you are using a Telnet client, try searching popular software archives for a free key-generator utility.

Prerequisite

To configure a secure CLI connection with SSH:

1. Start your Telnet or SSH client application and create a new connection to the Security Appliance. Specify SSH1 as the protocol.


Figure 3-1: Setting up an SSH using RSA authenticated connection

2. Open a Telnet or serial port terminal session with the Security Appliance and enter your username and password when prompted. If you are using a serial connection, use the serial cable supplied with the system.

3. Enter the following commands:

SGOS> enable
SGOS> enable_password
SGOS# conf t

4. Continue with the appropriate syntax described below.

Syntax

sshd

This changes the prompt to:

SGOS#(config sshd)

- subcommands-

option 1: create host-keypair

option 2: delete {client-key clientID | host-keypair}

option 3: delete director-client-key clientID

option 4: exit

option 5: import client-key clientID

option 6: import director-client-key

option 7: show

option 8: view {client-key {clientID} | host-public-key}

option 9: view director-client-key [clientID]

where:

sshd – Configures SSH access to the Security Appliance CLI.

create host-keypair Creates a host keypair.

delete {client-key clientID | host-keypair}

Deletes either the host keypair or the client key associated with the indicated clientID.

delete director-client-key clientID

Deletes the client key associated with the indicated clientID of a Security Appliance that is being used in Blue Coat Director configurations.

exit Exits config sshd mode and returns you to config mode.

import client-key clientID Imports the fingerprint of the client key associated with the indicated clientID.

import director-client-key Imports the fingerprint of the Director client, automatically determined from the imported key.

show Displays running system information.

view {client-key {clientID} | host-public-key}

Displays the fingerprint of either the host keypair or the client key associated with the indicated clientID.

view director-client-key clientID

Displays the fingerprint of the client key associated with the indicated Director clientID.

Example

SGOS#(config) telnet allow sshd-config
SGOS#(config sshd) create host-keypair
ok

#(config) static-routes

Use this command to set the network path to download the static routes configuration file.

To use static routes on the Security Appliance, you must create a routing table and place it on an HTTP server accessible to the Security Appliance. The routing table is a text file that contains a list of IP addresses, subnet masks, and gateways. When you download a routing table, the table is stored in the device until it is replaced by downloading a new table.

The routing table is a simple text file containing a list of IP addresses, subnet masks, and gateways. A sample routing table is illustrated below:

10.63.0.0 255.255.0.0 10.63.158.213
10.64.0.0 255.255.0.0 10.63.158.213
10.65.0.0 255.255.0.0 10.63.158.226

When a routing table is loaded, all requested addresses are compared to the list, and routed based on the best match.

Once the routing table is created, place it on an HTTP server so it can be downloaded to the device. To download the routing table to the Security Appliance, use the load command.
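The static routes table described in the static-routes section is a three-column text file (destination network, subnet mask, gateway), and the appliance routes each requested address by best match. The following is an added example, not from the Blue Coat manual or from SGOS: a Python routine that parses such a file, rejects malformed lines (so a bad table is caught before it is published on the HTTP server and loaded), and resolves an address using longest-prefix matching, which is how "best match" is interpreted here. The sample table, the extra /24 route that demonstrates the more specific match, and the handling of '#' comment lines are constructed assumptions; the manual does not describe comments.

```python
import ipaddress

# Constructed sample in the three-column format the static-routes section
# describes (destination, mask, gateway); the 10.65.12.0/24 line is added so
# that a more specific route overlaps the 10.65.0.0/16 entry.
SAMPLE_ROUTES = """\
10.63.0.0 255.255.0.0 10.63.158.213
10.64.0.0 255.255.0.0 10.63.158.213
10.65.0.0 255.255.0.0 10.63.158.226
10.65.12.0 255.255.255.0 10.63.158.230
"""


def parse_routes(text):
    """Parse a static routes table into a list of (IPv4Network, IPv4Address) pairs.

    Each line is 'destination mask gateway'. Blank lines and '#' comments are
    skipped (an assumption; the manual does not document comments). Any other
    irregularity, including a destination with host bits set under its mask,
    raises ValueError with the offending line number.
    """
    routes = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 3:
            raise ValueError(f"line {lineno}: expected 'destination mask gateway', got {raw!r}")
        dest, mask, gw = fields
        try:
            # strict=True rejects e.g. 10.63.0.1/255.255.0.0 (host bits set)
            network = ipaddress.IPv4Network(f"{dest}/{mask}", strict=True)
            gateway = ipaddress.IPv4Address(gw)
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {exc}") from None
        routes.append((network, gateway))
    return routes


def is_valid_table(text):
    """True if the table parses cleanly; use before uploading it to the HTTP server."""
    try:
        parse_routes(text)
        return True
    except ValueError:
        return False


def lookup(routes, address):
    """Return the gateway (as a string) for address by longest-prefix match, or None."""
    addr = ipaddress.IPv4Address(address)
    best = None
    for network, gateway in routes:
        if addr in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, gateway)
    return str(best[1]) if best else None


if __name__ == "__main__":
    table = parse_routes(SAMPLE_ROUTES)
    for probe in ("10.63.5.5", "10.65.1.1", "10.65.12.7", "192.0.2.1"):
        print(probe, "->", lookup(table, probe))
```

Run it against the file you intend to publish; a False from is_valid_table means the appliance would be handed a table with a line it cannot interpret, and lookup lets you confirm which gateway a given destination will be sent to before the table goes live.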


Syntax

static-routes {no path | path url}

where:

static-routes – Specifies the location of the static route table.

no path Clears the network path location of the static route table.

path url Sets the network path location of the static route table to url.

Example

SGOS#(config) static-routes path 10.25.36.47/files/routes.txt
ok

#(config) streaming

Use this command to configure general streaming settings and Microsoft Windows Media or RealNetworks Real Media settings.

Syntax

option 1: streaming max-client-bandwidth kbps

option 2: streaming max-gateway-bandwidth kbps

option 3: streaming no max-client-bandwidth

option 4: streaming no max-gateway-bandwidth

option 5: streaming windows-media license pak_string

option 6: streaming windows-media logging enable

option 7: streaming windows-media logging disable

option 8: streaming windows-media log-forwarding enable

option 9: streaming windows-media log-forwarding disable

option 10: streaming windows-media max-connections number

option 11: streaming windows-media max-client-bandwidth kbps

option 12: streaming windows-media max-gateway-bandwidth kbps

option 13: streaming windows-media transparent-port disable

option 14: streaming windows-media transparent-port enable

option 15: streaming windows-media explicit-port port_number

option 16: streaming windows-media refresh-interval hours

option 17: streaming windows-media http-handoff disable

option 18: streaming windows-media http-handoff enable

option 19: streaming windows-media live-retransmit disable

option 20: streaming windows-media live-retransmit enable


option 21: streaming windows-media multicast address-range first_address-last_address

option 22: streaming windows-media multicast port-range first_port-last_port

option 23: streaming windows-media multicast ttl ttl

option 24: streaming windows-media proxy-route number in_proto in_addr gw_proto gw_addr

option 25: streaming windows-media asx-rewrite number in_addr cache_proto cache_addr

option 26: streaming windows-media multicast-alias alias url

option 27: streaming windows-media unicast-alias alias url

option 28: streaming windows-media broadcast-alias alias url loops date time

option 29: streaming windows-media multicast-station name [alias | url] ip port ttl

option 30: streaming windows-media server-auth-type {basic | ntlm} ip_address

option 31: streaming windows-media no max-connections

option 32: streaming windows-media no max-client-bandwidth

option 33: streaming windows-media no max-gateway-bandwidth

option 34: streaming windows-media no refresh-interval

option 35: streaming windows-media no proxy-route number

option 36: streaming windows-media no asx-rewrite number

option 37: streaming windows-media no multicast-alias alias

option 38: streaming windows-media no unicast-alias alias

option 39: streaming windows-media no broadcast-alias alias

option 40: streaming windows-media no multicast-station name

option 41: streaming windows-media no auth-type cache_ip_address

option 42: streaming real-media max-connections number

option 43: streaming real-media max-gateway-bandwidth kbps

option 44: streaming real-media max-client-bandwidth kbps

option 45: streaming real-media rtsp-port port

option 46: streaming real-media pna-port port

option 47: streaming real-media license pak_string

option 48: streaming real-media proxy-route number rule parent_address rtsp-port port pna-port port mei-port port

option 49: streaming real-media path path

option 50: streaming real-media cache max-object-size kbps

option 51: streaming real-media logging disable

option 52: streaming real-media logging enable

option 53: streaming real-media logging stats-mask mask

option 54: streaming real-media logging style


option 55: streaming real-media multicast accept {number | subnet}

option 56: streaming real-media multicast address-range first_address-last_address

option 57: streaming real-media multicast disable

option 58: streaming real-media multicast enable

option 59: streaming real-media multicast pna-port port

option 60: streaming real-media multicast rtsp-port port

option 61: streaming real-media multicast ttl number

option 62: streaming real-media multicast delivery-only enable

option 63: streaming real-media multicast delivery-only disable

option 64: streaming real-media pull-splitting udp

option 65: streaming real-media pull-splitting tcp

option 66: streaming real-media no max-connections

option 67: streaming real-media no max-gateway-bandwidth

option 68: streaming real-media no max-client-bandwidth

option 69: streaming real-media no license

option 70: streaming real-media no proxy-route

option 71: streaming real-media no path

option 72: streaming real-media no multicast

where:

streaming – Configures Microsoft Windows Media or Real Networks streaming media settings.

max-client-bandwidth kbps Sets the maximum client bandwidth permitted to kbps.

max-gateway-bandwidth kbps Sets the maximum gateway bandwidth permitted to kbps.

no max-client-bandwidth Clears the current maximum client bandwidth setting.

no max-gateway-bandwidth Clears the current maximum gateway bandwidth setting.

streaming windows-media – Configures Microsoft Windows Media-specific streaming options.

license pak_string Enters the product authorization key for Blue Coat support for Windows Media.

logging {enable | disable} Enables the Security Appliance to record Windows Media proxy activities in the machine's access log. The default is enabled. You must also enable the access-log command. See the access-log command for more information.

log-forwarding {enable | disable} Enables forwarding of the client log to the origin media server.


max-connections number Limits the number of concurrent client connections. If this variable is set to 0, you effectively lock out all client connections to the Security Appliance. To remove the connection limit, enter streaming windows-media no max-connections.

max-client-bandwidth kbps Sets the maximum client bandwidth permitted to kbps.

max-gateway-bandwidth kbps Sets the maximum limit, in kilobits per second (Kbps), for the amount of bandwidth Windows Media uses to send requests to its gateway. If this variable is set to 0, you effectively prevent the Security Appliance from initiating any connections to the gateway. To allow maximum gateway bandwidth, enter streaming windows-media no max-gateway-bandwidth.

transparent-port {enable | disable} Enables the transparent proxy on port 1755. The default is enable.

explicit-port port_number Allows the Windows Media proxy to listen for Windows Media traffic on the port specified. A port number of 0 deletes the explicit-port setting.

refresh-interval hours Sets the refresh interval, in hours, for cached streaming content. hours must be a floating-point number. 0 means always check for freshness.

http-handoff {enable | disable} Allows the Windows Media module to control the HTTP port when Windows Media streaming content is present. The default is enabled.

live-retransmit {enable | disable} Allows the Security Appliance to retransmit dropped packets sent through MMS-UDP for unicast. The default is enabled.

multicast address-range first_address-last_address The IP address range for the Security Appliance's multicast-station. Default is 224.2.128.0 to 224.2.255.255.

multicast port-range first_port-last_port Port range for the Security Appliance's multicast-station. Default is between 32768 and 65535.

multicast ttl ttl Time to live value for the multicast-station on the Security Appliance, expressed in hops. Default is 5; a valid number is between 1 and 255.


proxy-route number in_proto in_addr gw_proto gw_addr [gw_port]

Replaces the hostname/IP address on the URL with a new hostname/IP address. number is any positive number. It defines the priority of all the proxy-route rules. Smaller numbers indicate higher priority. in_proto is the protocol being used: mmsu (MMS-UDP), mmst (MMS-TCP), http (HTTP), mms (MMS-UDP or MMS-TCP), and * (follow client's protocol). in_addr is the hostname string with no more than one wildcard character. gw_proto is the protocol used at the gateway and gw_addr is the gateway address. A gw_addr of direct indicates the origin content server.

asx-rewrite number in_addr cache_proto cache_addr [cache_port]

Provides proxy support for Windows Media Player 6.4. If your environment does not use a Layer 4 switch or WCCP, the Security Appliance can operate as a proxy for Windows Media Player 6.4 clients by rewriting the .asx file (which links web pages to Windows Media ASF files) to point to the Windows Media streaming media cache rather than the Windows Media server. number can be any positive number. It defines the priority of all the asx-rewrite rules. Smaller numbers indicate higher priority. in_addr specifies the hostname. It can have a maximum of one wildcard character. cache_proto rewrites the protocol on the Security Appliance and can take any of the following forms: mmsu (MMS-UDP), mmst (MMS-TCP), http (HTTP), mms (MMS-UDP or MMS-TCP). cache_addr rewrites the address on the Security Appliance.
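The proxy-route and asx-rewrite entries above share one rule model: a positive priority number (smaller wins), a hostname pattern with at most one wildcard, and a protocol selector where mms covers both MMS transports and * follows the client. The following Python is an added example of evaluating such a rule set offline; it is not Blue Coat code and the appliance's own matcher is not described on the page. The 900 rule mirrors the reference's example, the other rules are constructed, and two details are assumptions: that * in in_addr matches any run of characters, and that the first matching rule in priority order wins.

```python
"""Evaluate Windows Media proxy-route rules as the reference describes them.

Added example, not Blue Coat code.  From the text: rule numbers are priorities
with smaller numbers winning; in_addr carries at most one wildcard character;
in_proto 'mms' covers MMS-UDP and MMS-TCP and '*' follows the client's protocol;
a gw_addr of 'direct' means the origin content server.  Assumed here: '*'
matches any run of characters in the hostname and the first matching rule in
priority order wins.  validate_rule applies equally to asx-rewrite rules.
"""
from dataclasses import dataclass
from typing import Iterable, Optional

PROTOCOLS = {"mmsu", "mmst", "http", "mms"}


@dataclass(frozen=True)
class ProxyRoute:
    number: int           # priority; smaller numbers are matched first
    in_proto: str         # mmsu | mmst | http | mms | *
    in_addr: str          # hostname pattern with at most one '*'
    gw_proto: str         # protocol used towards the gateway
    gw_addr: str          # gateway host, or 'direct' for the origin server
    gw_port: Optional[int] = None


def validate_rule(rule: ProxyRoute) -> ProxyRoute:
    """Reject rules the reference would not accept; returns the rule unchanged."""
    if rule.number <= 0:
        raise ValueError("number must be a positive number")
    if rule.in_addr.count("*") > 1:
        raise ValueError("in_addr may contain at most one wildcard character")
    if rule.in_proto not in PROTOCOLS | {"*"}:
        raise ValueError(f"unknown in_proto {rule.in_proto!r}")
    return rule


def proto_matches(rule_proto: str, client_proto: str) -> bool:
    if rule_proto == "*":                       # follow the client's protocol
        return True
    if rule_proto == "mms":                     # MMS-UDP or MMS-TCP
        return client_proto in ("mmsu", "mmst")
    return rule_proto == client_proto


def host_matches(pattern: str, host: str) -> bool:
    """Single-'*' wildcard match (assumption: '*' matches any run of characters)."""
    pattern, host = pattern.lower(), host.lower()
    if "*" not in pattern:
        return pattern == host
    prefix, suffix = pattern.split("*", 1)
    return (host.startswith(prefix) and host.endswith(suffix)
            and len(host) >= len(prefix) + len(suffix))


def resolve(rules: Iterable[ProxyRoute], client_proto: str, host: str):
    """Return (gw_proto, gw_addr, gw_port) of the highest-priority matching rule, or None."""
    for rule in sorted(rules, key=lambda r: r.number):
        if proto_matches(rule.in_proto, client_proto) and host_matches(rule.in_addr, host):
            return rule.gw_proto, rule.gw_addr, rule.gw_port
    return None


# Constructed rule set; the 900 rule mirrors the reference's own example.
RULES = [
    validate_rule(ProxyRoute(900, "mmst", "*.bluecoat.com", "mmst", "direct")),
    validate_rule(ProxyRoute(100, "mms", "media.bluecoat.com", "mmst", "10.25.36.47", 1755)),
    validate_rule(ProxyRoute(500, "http", "*", "http", "10.9.33.54")),
]

if __name__ == "__main__":
    for proto, host in [("mmst", "media.bluecoat.com"), ("mmst", "video.bluecoat.com"),
                        ("http", "www.example.com"), ("mmsu", "video.bluecoat.com")]:
        print(proto, host, "->", resolve(RULES, proto, host))
```

Because lower numbers win, a broad rule such as 500 above can shadow a more specific rule with a higher number; sorting the rules by number before reviewing them, as resolve does, makes such shadowing visible.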

multicast-alias alias url [preload] Creates an alias on the Security Appliance that reflects the multicast station on the origin content server.


unicast-alias alias url Creates an alias on the Security Appliance that reflects the content specified by the URL. When a client requests the alias content, the Security Appliance uses the URL specified in the unicast-alias command to request the content from the origin streaming server.

broadcast-alias alias url loops date time Enables scheduled live unicast or multicast transmission of video-on-demand content. alias must be unique. url specifies the address of the video-on-demand stream. loops specifies the number of times the stream should be played back. 0 means forever. date specifies the broadcast alias starting date. To specify multiple starting dates, enter the date as a comma-separated string. date can take any of the following formats: yyyy-mm-dd or today. time specifies the broadcast-alias starting time. To specify multiple starting times within the same date, enter the time as a comma-separated string. No spaces are permitted. time can take any of the following formats: hh:mm, midnight, 12am, 1am, 2am, 3am, 4am, 5am, 6am, 7am, 8am, 9am, 10am, 11am, noon, 12pm, 1pm, 2pm, 3pm, 4pm, 5pm, 6pm, 7pm, 8pm, 9pm, 10pm, 11pm.
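The date and time fields of broadcast-alias are small formats of their own, and every date combines with every time. The Python below is an added example, not Blue Coat code, that parses one broadcast-alias command into concrete start times using exactly the formats listed above (yyyy-mm-dd or today; hh:mm, midnight, noon, or 1am through 12pm; comma-separated with no spaces). The sample commands are constructed; the one with today and 14:00 is the reference's own example.

```python
"""Expand the date/time schedule of a 'streaming windows-media broadcast-alias'
command into concrete start times.

Added example, not Blue Coat code.  It implements only the formats the
reference lists: date is yyyy-mm-dd or today; time is hh:mm, midnight, noon,
or 1am..12pm; both are comma-separated with no spaces; loops 0 means forever.
"""
import re
from datetime import date, datetime, time
from typing import List, Tuple

_NAMED = {"midnight": time(0, 0), "noon": time(12, 0)}
_AMPM = re.compile(r"^(1[0-2]|[1-9])(am|pm)$")
_HHMM = re.compile(r"^([01]?\d|2[0-3]):([0-5]\d)$")


def parse_time_token(tok: str) -> time:
    tok = tok.lower()
    if tok in _NAMED:
        return _NAMED[tok]
    m = _AMPM.match(tok)
    if m:
        hour = int(m.group(1)) % 12             # 12am -> 0, 12pm -> 12
        if m.group(2) == "pm":
            hour += 12
        return time(hour, 0)
    m = _HHMM.match(tok)
    if m:
        return time(int(m.group(1)), int(m.group(2)))
    raise ValueError(f"unsupported time token {tok!r}")


def parse_date_token(tok: str, today: date) -> date:
    if tok.lower() == "today":
        return today
    return datetime.strptime(tok, "%Y-%m-%d").date()   # anything else raises ValueError


def parse_broadcast_alias(cmd: str, today: date) -> Tuple[str, str, int, List[datetime]]:
    """Return (alias, url, loops, sorted start times) for one broadcast-alias command."""
    parts = cmd.split()
    if parts[:2] == ["streaming", "windows-media"]:      # accept either spelling of the command
        parts = parts[2:]
    # A date or time string containing spaces splits into extra tokens and fails here,
    # which enforces the reference's "no spaces are permitted" rule.
    if len(parts) != 6 or parts[0] != "broadcast-alias":
        raise ValueError("expected: broadcast-alias alias url loops date time")
    _, alias, url, loops_s, dates, times = parts
    loops = int(loops_s)
    if loops < 0:
        raise ValueError("loops must be 0 (forever) or a positive count")
    starts = sorted(
        datetime.combine(parse_date_token(d, today), parse_time_token(t))
        for d in dates.split(",")
        for t in times.split(",")
    )
    return alias, url, loops, starts


if __name__ == "__main__":
    # The reference's own example, evaluated for the current day.
    cmd = "streaming windows-media broadcast-alias ba1 mms://10.25.36.47/cthd.asf 1 today 14:00"
    print(parse_broadcast_alias(cmd, date.today()))
```

Reviewing a schedule this way before entering it catches the two mistakes the format invites: a 12am/12pm mix-up, and a stray space that silently changes how the appliance tokenises the command.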

multicast-station name [alias | url] ip port ttl

Enables multicast transmission of Windows Media content from the Security Appliance. name specifies the name of the alias. It must be unique. alias can be a unicast alias, a multicast-alias or a broadcast alias, as well as a url to a live stream source. ip is an optional parameter and specifies the multicast station's IP address. port specifies the multicast station's port. ttl specifies the multicast-station's time-to-live value, expressed in hops (and must be a valid number between 1 and 255). The default ttl is 5.


server-auth-type {basic | ntlm} cache_ip_address Sets the authentication type of the Security Appliance indicated by cache_ip_address to BASIC or NTLM.

streaming windows-media no – Negates the indicated Windows Media settings.

max-connections Negates maximum connections settings.

max-client-bandwidth Negates maximum client bandwidth settings.

max-gateway-bandwidth Negates maximum gateway bandwidth settings.

refresh-interval Sets the current Windows Media refresh interval to "never refresh."

proxy-route number Deletes the proxy route rule associated with number.

asx-rewrite number Deletes the ASX rewrite rule associated with number.

multicast-alias alias Deletes the multicast alias rule associated with alias.

unicast-alias alias Deletes the unicast alias rule associated with alias (the name, such as "welcome1", that was created on the Security Appliance and reflects the content specified by the URL). The protocol is specified by the URL if the protocol is mmst, mmsu, or http; if the protocol is mms, the same protocol as the client is used.

broadcast-alias alias Deletes the broadcast alias rule associated with alias.

multicast-station name Deletes the multicast station rule associated with name.

server-auth-type cache_ip_address Clears the authentication type associated with cache_ip_address.

streaming real-media – Configures RealNetworks Real Media-specific streaming options.

max-connections number Limits the concurrent number of client connections. Changing the setting to no max-connections uses the maximum available bandwidth. Zero (0) is not an accepted value.

max-gateway-bandwidth kbps Limits the total bandwidth used between the proxy and the gateway. Changing the setting to no max-gateway-bandwidth uses the maximum available bandwidth. Zero (0) is not an accepted value.


max-client-bandwidth kbps Limits the total bandwidth used by all connected clients. Changing the setting to no max-client-bandwidth uses the maximum available bandwidth. Zero (0) is not an accepted value.

rtsp-port port The RTSP port that a RealPlayer client will connect through when using the proxy. The default is 1091. Restart is required if you change this setting.

pna-port port Specifies the PNA port that a RealPlayer client will connect through when using the proxy. The default is 1090. Restart is required if you change this setting.

license pak_string Enters the product authorization key (PAK) for Blue Coat support for RealMedia.

proxy-route {* | number number | rule rule | parent-address parent_address | rtsp-port port | pna-port port | mei-port port}

Creates and applies rules for directing client traffic. Restart is required if you change this setting. rule specifies the name of the rule. parent-address specifies the IP address of the host. rtsp-port specifies the RTSP port to connect to for streaming. The default is 1091. pna-port specifies the PNA port to use for streaming. The default is 1090. mei-port specifies the media export interface port to connect to for streaming. The default is 7878.

path path Indicates where a configuration file is located (either FTP or HTTP). After you have set up the file and told the system where it is, you must use the upload command to upload the configuration file.

cache max-object-size kbps Sets the maximum size of the streaming object to cache.



logging {disable | enable | stats-mask mask| style}

Enables access logging for RealMedia streaming. disable disables logging. enable enables logging. stats-mask controls which statistics are recorded in log entries. The default value is 0. Refer to the chapter on RealMedia streaming in the Blue Coat Configuration and Management Guide for information about logging statistics. Restart is required if you change the stats-mask option. style controls which fields appear in the cache access log for each RealMedia event record. The default value is 3. Refer to the chapter on RealMedia streaming in the Blue Coat Configuration and Management Guide for information about logging style.

multicast accept {number | subnet} | address-range first address–last address | disable | enable | pna-port port | rtsp-port port | ttl number | delivery-only {enable | disable}

Enables multicast support for RealMedia streaming. accept limits the use of multicast to clients on specific subnets. Default is "any". (If you use "any," everyone has access.) address-range must be between 224.0.0.255 and 239.255.255.255. pna-port specifies the PNA port that a client will connect through when using the proxy. The default is 7070. rtsp-port specifies the RTSP port that a client will connect through when using the proxy. The default is 554. ttl indicates the number of router hops allowed. The default is 16. The maximum is 255. delivery-only limits clients to those who are set up for multicast. The default is disabled. Restart is required if you change any option except disable or accept.

pull-splitting {udp | tcp} Indicates the protocol to use for pull splitting. UDP is the default.

no {max-connections | max-gateway-bandwidth | max-client-bandwidth | license | proxy-route | path | multicast}

Negates the specified Real Networks settings.


Example

SGOS#(config) streaming windows-media broadcast-alias ba1 mms://10.25.36.47/cthd.asf 1 today 14:00

SGOS#(config) streaming windows-media explicit-port 1756

SGOS#(config) streaming windows-media http-handoff enable

SGOS#(config) streaming windows-media license 1WWDTFMY-7W5C7AMY-7Q26YW

SGOS#(config) streaming windows-media live-retransmit disable

SGOS#(config) streaming windows-media log-forwarding disable

SGOS#(config) streaming windows-media max-connections 1600

SGOS#(config) streaming windows-media no max-connections

SGOS#(config) streaming windows-media proxy-route 900 mmst *.bluecoat.com mmst direct

SGOS#(config) streaming windows-media no proxy-route 900

SGOS#(config) streaming windows-media unicast-alias welcome1 mmst://10.9.33.54/welcom1.asf

SGOS#(config) streaming windows-media no unicast-alias welcome1

#(config)system-resource-percent

Use this command to configure system resource allocation.

Syntax

system-resource-percent

Example

SGOS(config) system-resource-percent
Please choose from the following percentages: 0, 25, 50, 75, 95
Windows Media [50%]:25
HTTP: 75%
This change will be effective following system reboot

#(config)tcp-rtt

Use this command to configure the number of TCP round trip time ticks.

Syntax

tcp-rtt num_500ms_ticks

where:

tcp-rtt – Configures the number of TCP round trip time ticks.

num_500ms_ticks Indicates the default TCP Round Trip Time in ticks.

Example

SGOS#(config) tcp-rtt 500
ok

#(config)telnet

Enables or disables the ability to configure SSHD through Telnet.

Syntax

telnet {allow-sshd-config | deny-sshd-config}

where:

telnet – Specifies the status of SSH configuration through Telnet.

allow-sshd-config Enables configuring of SSHD through Telnet.

deny-sshd-config Disables configuring of SSHD through Telnet.

Example

SGOS#(config) telnet allow-sshd-config
ok

#(config)timezone

Use this command to set the local time zone on the Security Appliance.

Syntax

timezone timezone_num

where:

timezone – Sets the timezone to use for all time-related procedures and calculations.

timezone_num Enables you to set the local time zone. (Use show timezones to display a list of supported timezones.)

Example

SGOS#(config) timezone 3
ok

#(config)upgrade-path

Use this command to specify the network path to download system software.

Syntax

upgrade-path url

where:

upgrade-path – Specifies the location of the Security Appliance upgrades.

url Indicates the network path to use to download Security Appliance system software.

Example

SGOS#(config) upgrade-path 10.25.36.47
ok

#(config)virtual-ip

This command allows you to configure virtual IP addresses.

Syntax

virtual-ip {address ip_address | clear | no address ip_address}

where:

virtual-ip – Sets or clears any virtual IP addresses for the Security Appliance.

address ip_address Specifies the virtual IP to add.

clear Removes all virtual IP addresses.

no address ip_address Removes the specified virtual IP from the list.

Example

SGOS#(config) virtual-ip address 10.25.36.47
ok

#(config)wccp

The Security Appliance can be configured to participate in a WCCP (Web Cache Control Protocol) scheme, where a WCCP-capable router collaborates with a set of WCCP-configured Security Appliances to service requests. WCCP is a Cisco-developed protocol. For more information about WCCP, refer to the Blue Coat Systems Port 80 Security Appliance Configuration and Management Guide.

Once you have created the WCCP configuration file, place the file on an HTTP server so it can be downloaded to the Security Appliance. To download the WCCP configuration to the Security Appliance, use the load command.

Syntax

wccp {disable | enable | no path | path url}

where:

wccp – Enables or disables the WCCP configuration file and specifies the location of the configuration file.

disable Disables WCCP.

enable Enables WCCP.

no path Negates the WCCP path setting.

path url Specifies the network path from which to download WCCP settings.

Example

SGOS#(config) wccp path 10.25.36.47/files/wccp.txt
ok

#(config)web-management

Use this command to enable or disable the Web-based Management Console. When web-management is disabled, you can still access the Security Appliance homepage and online documentation. Only the management and statistics applications are disabled.

Syntax

web-management {disable | enable}

where:

web-management – Enables or disables the Management Console.

disable Disables the Management Console.

enable Enables the Management Console.
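Several of the constraints in this chapter are easy to get wrong in a saved configuration: the streaming section states that Windows Media max-connections 0 and max-gateway-bandwidth 0 lock out all clients or the gateway, that multicast ttl must be 1 to 255, that the Real Media multicast address-range must lie between 224.0.0.255 and 239.255.255.255, and that the Real Media max-* limits reject zero; the management commands above allow SSHD to be configured over Telnet and fetch WCCP and upgrade files from a network path. The Python below is an added example, not Blue Coat code, that lints a configuration excerpt against those statements. The configuration text is constructed. Three checks go beyond the page and are this editor's additions: that Windows Media multicast address and port ranges are ordered and valid, that allow-sshd-config is flagged because Telnet is a cleartext protocol, and that files obtained through wccp path or upgrade-path are reported so their integrity can be verified out of band.

```python
"""Lint an SGOS configuration excerpt against constraints this reference states.

Added example, not Blue Coat code.  The configuration text is constructed.
From the reference: Windows Media max-connections 0 / max-gateway-bandwidth 0
lock out clients / the gateway; multicast ttl is 1-255; Real Media multicast
address-range lies between 224.0.0.255 and 239.255.255.255; Real Media max-*
settings reject zero.  Editor's additions: Windows Media multicast ranges must
be ordered and valid, 'telnet allow-sshd-config' is flagged because Telnet is
cleartext, and 'wccp path' / 'upgrade-path' downloads are reported for
out-of-band integrity verification.
"""
import ipaddress
from typing import List, Optional, Tuple

Finding = Tuple[int, str, str]   # (line number, severity, message)

CONSTRUCTED_CONFIG = """\
streaming windows-media max-connections 0
streaming windows-media max-gateway-bandwidth 0
streaming windows-media multicast ttl 300
streaming windows-media multicast address-range 224.2.128.0-224.2.255.255
streaming windows-media multicast port-range 40000-32768
streaming real-media multicast address-range 224.0.0.255-240.0.0.1
streaming real-media max-connections 0
telnet allow-sshd-config
wccp path 10.25.36.47/files/wccp.txt
upgrade-path 10.25.36.47
"""


def multicast_range_error(spec: str, low: str = "224.0.0.0",
                          high: str = "239.255.255.255") -> Optional[str]:
    """Return a message if first-last is not an ordered range inside [low, high]."""
    first, last = spec.split("-", 1)
    a, b = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    lo, hi = ipaddress.IPv4Address(low), ipaddress.IPv4Address(high)
    if not lo <= a <= b <= hi:
        return f"address-range {spec} must lie within {low}-{high} with first <= last"
    return None


def check_line(line: str) -> Optional[Tuple[str, str]]:
    """Return (severity, message) for one configuration line, or None if it is fine."""
    t = line.split()
    if not t:
        return None
    if t[:2] == ["streaming", "windows-media"]:
        rest = t[2:]
        if rest == ["max-connections", "0"]:
            return "warn", "windows-media max-connections 0 locks out all client connections"
        if rest == ["max-gateway-bandwidth", "0"]:
            return "warn", "windows-media max-gateway-bandwidth 0 blocks all connections to the gateway"
        if len(rest) == 3 and rest[:2] == ["multicast", "ttl"] and not 1 <= int(rest[2]) <= 255:
            return "error", f"windows-media multicast ttl {rest[2]} is outside 1-255"
        if len(rest) == 3 and rest[:2] == ["multicast", "address-range"]:
            msg = multicast_range_error(rest[2])
            return ("error", "windows-media " + msg) if msg else None
        if len(rest) == 3 and rest[:2] == ["multicast", "port-range"]:
            first, last = (int(p) for p in rest[2].split("-", 1))
            if not 1 <= first <= last <= 65535:
                return "error", f"windows-media multicast port-range {rest[2]} is not an ordered range of valid ports"
        return None
    if t[:2] == ["streaming", "real-media"]:
        rest = t[2:]
        limits = ("max-connections", "max-gateway-bandwidth", "max-client-bandwidth")
        if rest[:1] and rest[0] in limits and rest[1:] == ["0"]:
            return "error", f"real-media {rest[0]}: zero is not an accepted value"
        if len(rest) == 3 and rest[:2] == ["multicast", "address-range"]:
            msg = multicast_range_error(rest[2], low="224.0.0.255")
            return ("error", "real-media " + msg) if msg else None
        return None
    if t == ["telnet", "allow-sshd-config"]:
        return "warn", "SSHD configuration is permitted over Telnet, which carries credentials and commands in cleartext"
    if t[:2] == ["wccp", "path"] or t[:1] == ["upgrade-path"]:
        return "info", f"{t[0]} downloads from {t[-1]}; verify the file's integrity out of band before enabling"
    return None


def lint_config(text: str) -> List[Finding]:
    """Run check_line over every line and collect (line number, severity, message)."""
    findings: List[Finding] = []
    for number, line in enumerate(text.splitlines(), 1):
        result = check_line(line)
        if result:
            findings.append((number, *result))
    return findings


if __name__ == "__main__":
    for number, severity, message in lint_config(CONSTRUCTED_CONFIG):
        print(f"line {number}: {severity}: {message}")
```

Run against the constructed excerpt, the linter reports nine findings: four errors the appliance would reject or misbehave on, three warnings for settings that are legal but lock clients out or expose management over cleartext, and two informational notes on externally fetched files. Line 4, the documented default Windows Media address range, passes.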