Multi-Domain Security Management Commands and Utilities
Cross-Domain Management Server Search
Overview
The Cross-Domain Management Server Search feature lets you search across multiple Domain Management Server databases for specified network objects (including groups, dynamic objects and Global objects). You can also search for rules (including Global and implied rules) that contain or affect a specified object.
Cross-Domain Management Server Search is a powerful tool for analyzing the functioning of network components in the context of a Multi-Domain Security Management environment. The search function is similar to the feature in SmartDashboard.
Searching
You can access Cross-Domain Management Server search from the General - Domain Contents or from the General - Network Objects view of the SmartDomain Manager.
To open the Cross-Domain Management Server search window, select Cross-Domain Management Server Search from the Manage menu, or click the Cross-Domain Management Server Search icon.
Select a query, what you want to search for, and the Domain or Domains to search in. The following queries are available:
Specified Object query:
- Find network objects by exact name - finds objects defined in the Domain Management Server database, where the object's name exactly matches the query entry.
- Find network objects by partial name - finds objects defined in the Domain Management Server database, where the object's name contains the query entry.
- Find network objects by IP address - finds objects defined in the Domain Management Server database, where the object's IP address matches the query entry.
Results for object queries include object and Domain information.
- Find Policy rules that use a global object - the query entry is a global object name. The query finds rules in the Domain Management Server Policies, where the global object is part of the rule definition. This includes cases where the global object is not explicit in the rule definition, but is included in some object (such as a group or cluster) that appears in the rule.
Results include Domain, Policy and rule information, and the specific rule column where the global object appears. The first Results column, Object Name, indicates the applicable object as defined in the rule. This object may be one that includes, but is not identical to, the query entry.
- Find Policy rules that use a global object explicitly - this query is the same as the previous query, except that the results are limited to rules where the global object is explicit. Rules where the global object is merely included in some object (such as a group or cluster) that appears in the rule are excluded.
Results include Domain, Policy and rule information, and the specific rule column where the global object appears. Two additional Results columns are:
Last in Cell? - Shows whether the object is the sole object in its rule column, so that removing it would cause the cell content to become Any.
Is Removable? - Shows whether you can delete the object.
- Find network objects that use a global object explicitly - the query entry is the name of a global object. The query finds network objects (such as groups or clusters), defined in the Domain Management Server database, that contain the global object explicitly.
Results include object and Domain information.
The Object Name Results column indicates the applicable object as defined in the rule. This object may be one that includes, but is not identical to, the query entry.
Is Removable? - Shows if you can delete the object.
Copying Search Results
You can copy search results to use them in other applications.
To copy search results to the clipboard, right-click in the Results pane and select Copy. The copied results are in Comma Separated Values (CSV) text format.
Performing a Search in CLI
You can do a cross-Domain Management Server search using the CLI. The search results will be sent to standard output in Comma Separated Values (CSV) format.
The command syntax is:
mdscmd runcrossdomainquery <find_in> <query_type> <entry_type> <entry>
where <find_in> is one of the following parameters:
Parameter | Description
-f <filename> | Searches in the Domains listed in the file <filename>.
-list <list> | Searches in the Domains in <list>. <list> should be Domain names separated by commas (e.g. domain1,domain2).
-all | Searches in all Domains.
<query_type> refers to one of the following parameters:
Parameter | SmartDomain Manager version of the query
query_network_obj | One of the Specified Object queries (according to <entry_type>)
query_rulebase | Find Policy rules that use a global object
whereused_rules | Find Policy rules that use a global object explicitly
whereused_objs | Find network objects that use a global object explicitly
<entry_type> refers to one of the following parameters:
Parameter | Description
-n | Specifies that <entry> is the full object name. Available for all values of <query_type>.
-c | Specifies that <entry> is a partial object name. Available only for query_network_obj.
-i | Specifies that <entry> is an IP address. Available only for query_network_obj.
<entry> refers to the query entry.
Example
To search Domain Management Servers for all Domains for objects containing 'my_gw' in their names:
mdscmd runcrossdomainquery -all query_network_obj -n my_gw
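The following script is an added example, not part of the Check Point documentation. It wraps mdscmd runcrossdomainquery so that a batch job cannot submit a combination the tables above reject (-c and -i are accepted only with query_network_obj), runs the query when mdscmd is present, and post-processes the CSV results that the command writes to standard output. The column order in SAMPLE_CSV is a constructed assumption for the parsing functions; real output carries the Results columns listed for each query. The one-Domain-per-line layout assumed for the -f file is also an assumption.

```shell
#!/bin/sh
# Added example, not part of the Check Point documentation: wraps
# `mdscmd runcrossdomainquery`, rejecting entry types that are valid only
# for query_network_obj, and post-processes the CSV results.
# The column order in SAMPLE_CSV is a constructed assumption.

# build_crossdomain_query <find_in> <query_type> <entry_type> <entry> [domains]
# Prints the command line to run; returns 1 for an invalid combination.
build_crossdomain_query() {
    find_in=$1; query_type=$2; entry_type=$3; entry=$4; domains=$5
    case "$query_type" in
        query_network_obj|query_rulebase|whereused_rules|whereused_objs) ;;
        *) echo "unknown query_type: $query_type" >&2; return 1 ;;
    esac
    case "$entry_type" in
        -n) ;;                         # full object name: valid for every query
        -c|-i)                         # partial name / IP: query_network_obj only
            if [ "$query_type" != query_network_obj ]; then
                echo "$entry_type is valid only with query_network_obj" >&2
                return 1
            fi ;;
        *) echo "unknown entry_type: $entry_type" >&2; return 1 ;;
    esac
    case "$find_in" in
        -all)  scope="-all" ;;
        -list) scope="-list $domains" ;;   # comma-separated Domain names
        -f)    scope="-f $domains" ;;      # file listing Domains (one per line, assumed)
        *) echo "unknown find_in: $find_in" >&2; return 1 ;;
    esac
    printf 'mdscmd runcrossdomainquery %s %s %s %s\n' \
        "$scope" "$query_type" "$entry_type" "$entry"
}

# run_crossdomain_query: runs the command when mdscmd exists on this host,
# otherwise prints what would have run (so the script can be tried off-box).
run_crossdomain_query() {
    cmd=$(build_crossdomain_query "$@") || return 1
    if command -v mdscmd >/dev/null 2>&1; then
        $cmd
    else
        echo "mdscmd not found; would run: $cmd" >&2
    fi
}

# Constructed sample of CSV results for a partial-name object query.
SAMPLE_CSV='Object Name,Domain,IP Address
my_gw_nyc,NewYorkBranch,10.1.1.1
my_gw_lon,LondonBranch,10.2.2.2
my_gw_backup,NewYorkBranch,10.1.1.2'

# domains_in_results: reads CSV on stdin, prints each Domain once (sorted).
domains_in_results() {
    awk -F',' 'NR > 1 && NF >= 2 { print $2 }' | sort -u
}

# count_domains: number of distinct Domains that hold a matching object.
count_domains() {
    domains_in_results | wc -l | tr -d ' '
}

# Usage: search every Domain for objects whose name contains my_gw,
# then count the Domains in the (sample) result set.
run_crossdomain_query -all query_network_obj -c my_gw
printf '%s\n' "$SAMPLE_CSV" | count_domains
```

On a Multi-Domain Server, replace the sample with the real output, for example `run_crossdomain_query -all query_network_obj -c my_gw | count_domains`.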
P1Shell
Overview
P1Shell is a command line shell that allows administrators to run Multi-Domain Security Management CLI commands on the Multi-Domain Server, in both Multi-Domain Server and Domain Management Server environments, without root permissions. P1Shell authorizes users who are recognized by the Multi-Domain Server as Multi-Domain Security Management Superusers or Domain Superusers. Lower level Multi-Domain Security Management administrators must use the SmartDomain Manager (unless they have root permissions).
P1Shell can be defined as the default login shell for Multi-Domain Security Management users, or it can be manually started in the CLI.
Multi-Domain Security Management authentication is provided by the Multi-Domain Server, which must be running for an administrator to be authorized for P1Shell. To make sure non-authorized users cannot start Multi-Domain Server processes, a password is required for mdsstart. You can set the password in mdsconfig, and give it only to Multi-Domain Security Management administrators.
P1Shell maintains a connection with the Multi-Domain Server. P1Shell may be disconnected from the Multi-Domain Server by a SmartDomain Manager user (from the Connected Administrators view of the SmartDomain Manager), but as soon as P1Shell processes a command, it reconnects to the Multi-Domain Server. The P1Shell user is notified neither of the disconnection nor of the reconnection. The SmartDomain Manager Connected Administrators view shows the reconnected P1Shell user only when the view is refreshed.
Note - P1Shell settings and commands are defined in configuration files that should not be changed. Any change to P1Shell configuration files will block P1Shell. If that happens, restore the files to their original versions to enable access to P1Shell.
Starting P1Shell
To work in P1Shell, it must first be enabled. To enable P1Shell, run:
mdsconfig
and select P1Shell.
To start P1Shell, if it is not your default login shell, run:
p1shell
If the Multi-Domain Server is not running, you will be prompted for the Start-Multi-Domain Server password to authorize starting the Multi-Domain Server. Then, you will be prompted to enter your Multi-Domain Security Management user name and password to authorize you for P1Shell.
File Constraints for P1Shell Commands
For security reasons, commands that run in P1Shell can read files only from within a defined input directory. Commands can write only to a defined output directory.
Note - The mds_backup command is an exception to this rule. The output of the backup is created at the path /var/opt/<ServerName>_backups/<timestamp>, where <timestamp> is the time at which the backup started.
Upon starting, P1Shell defines both input and output directories as the user's home directory. They can be changed for the work session, only within the home directory. Change the directories with the following commands:
set_inputdir <path>
set_outputdir <path>
where <path> is an existing directory, defined relative to the user's home directory.
To view existing input and output directories, enter:
display_io_dirs
Filenames appearing in commands cannot be paths (/ will be considered an illegal character) and must be located in the defined input or output directory.
Note - For security reasons, the output directory cannot be a soft link.
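The following is an added example, not part of P1Shell: a pre-flight check that applies the file constraints described above (no '/' in a filename, files only inside the defined input or output directory, which itself must sit inside the home directory, and no soft link as the output directory) so that a batch job fails early, outside P1Shell, rather than on a command inside it. All directory and file names used in the demonstration are constructed.

```shell
#!/bin/sh
# Added example, not part of P1Shell: re-implements the file constraints
# from the section above as a pre-flight check. Directory names are
# constructed for the demonstration.

# check_p1shell_filename <name>: '/' is an illegal character, so a filename
# can never be a path.
check_p1shell_filename() {
    case "$1" in
        ''|*/*) return 1 ;;
        *)      return 0 ;;
    esac
}

# check_io_dir <home> <dir> <input|output>: <dir> is relative to <home>,
# must exist, must not climb out of <home>, and an output directory must
# not be a soft link.
check_io_dir() {
    home=$1; dir=$2; kind=$3
    case "/$dir/" in
        *'/../'*|//*) return 1 ;;   # parent escape, empty or absolute path
    esac
    [ -d "$home/$dir" ] || return 1
    if [ "$kind" = output ] && [ -L "$home/$dir" ]; then
        return 1
    fi
    return 0
}

# resolve_input_file <home> <inputdir> <name>: prints the path of a file a
# P1Shell command may read, or fails.
resolve_input_file() {
    check_p1shell_filename "$3" || return 1
    check_io_dir "$1" "$2" input || return 1
    [ -f "$1/$2/$3" ] || return 1
    printf '%s\n' "$1/$2/$3"
}

# output_path <home> <outputdir> <name>: path a P1Shell command may write to.
output_path() {
    check_p1shell_filename "$3" || return 1
    check_io_dir "$1" "$2" output || return 1
    printf '%s\n' "$1/$2/$3"
}

# Demonstration on a constructed home directory: a batch file under
# batch/ is accepted, an output directory that is a soft link is not.
demo_home=$(mktemp -d)
mkdir -p "$demo_home/batch" "$demo_home/out"
printf 'mdsstat\nmdsquerydb\n' > "$demo_home/batch/check.txt"
ln -s "$demo_home/out" "$demo_home/outlink"
resolve_input_file "$demo_home" batch check.txt
output_path "$demo_home" outlink report.txt || echo "rejected: output dir is a soft link" >&2
rm -rf "$demo_home"
```

The same two checks can be run before `set_inputdir` / `set_outputdir` and `run <batch_file>` to confirm that the paths P1Shell will see are the ones intended.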
Multi-Domain Security Management Shell Commands
P1Shell includes both general Multi-Domain Security Management commands and its own Native P1Shell commands.
To view a list of available Multi-Domain Security Management commands, enter help or ?. When the logged-in user is a Domain Superuser, commands that are available only to Multi-Domain Security Management Superusers, not to Domain Superusers, do not appear in the list.
General Multi-Domain Security Management Commands
Available commands are listed below. To learn more, see the R77 Command Line Interface Reference Guide.
Commands indicated as Limited are available only to Multi-Domain Security Management Superusers, not to Domain Superusers. All other listed commands are available to both Multi-Domain Security Management Superusers and to Domain Superusers.
Any commands listed in the Not Supported column are not currently supported in P1Shell. If the Available Command Options column says All, it should be understood as: All commands are available, except for those in the Not Supported column.
Command | Limited? | Not Supported | Available Command Options
cpca_dbutil | | | print; convert; d2u; get_crl_mode
cpd_admin | | | For Multi-Domain Security Management Superuser: All; for Domain Superuser: debug on; list; ver
cpinfo | | | All
cplic | | | All, with these commands specific to Multi-Domain Security Management: cplic print shows all Domain Management Server and Multi-Domain Server licenses; cplic print -D shows only Domain Management Server licenses
CPperfmon | | | hw; mdsconfig; procmem; monitor; off; summary
cppkg | | | add; setroot; del; print; getroot; get
cpprod_util | Limited | | All
cprinstall | | | get; verify; install; transfer; uninstall; boot; cprestart; cpstart; cpstop; show; snapshot; revert; delete
cprlic | | | All
cpstat | | | All
cpstat_monitor | | | All
cpvinfo | | | All
cpwd_admin | | | list
dbedit | | | All
dbver | | | -help; -s; -c; -u; -w; -m; -p
enable_mds_deletion | Limited | |
fw | | fetch; log; fetchlogs; monitor; stat; tab; mergefiles | For Multi-Domain Security Management Superuser: All; for Domain Superuser: logswitch; debug fwd; debug fwm
fwm | | dbimport; logexport | For Multi-Domain Security Management Superuser: All; for Domain Superuser: load; dbload; ver; unload; logexport; mds recalc_lics; mds fwmconnect; rebuild_global_communities_status
LSMcli | | cpinstall; snapshot; delete; revert | All
mds_backup | Limited | | All
mds_user_expdate | | | All
mdscmd | Limited | migrate management | All
mdsconfig | Limited | | All
mdsenv | | | All
mdsquerydb | | | All
mdsstart | Limited | | All
mdsstart_customer | | | All
mdsstat | | | All
mdsstop | Limited | | All
mdsstop_customer | | | All
promote_util | | | All
sam_alert | | | All
Native P1Shell Commands
Besides enabling Multi-Domain Security Management commands, P1Shell implements the following shell commands:
Command | Description
help [<command>] | Displays the command's help text, or (without arguments) lists the available commands.
Idle [<minutes>] | Sets the idle time before automatic logout to <minutes>, or (without arguments) displays the current idle time (default is 10 minutes).
exit | Exits P1Shell.
? [<command>] | Same as help.
set_outputdir <path> | Sets the output directory to <path>, where <path> is relative to the user's home directory.
set_inputdir <path> | Sets the input directory to <path>, where <path> is relative to the user's home directory.
display_io_dirs | Displays the input and output directories.
copy_logfiles -<process_name> [-l] | Copies the process's debug log files, according to the environment context (Domain Management Server/Multi-Domain Server), to the output directory. <process_name> is one of: fwm, fwd, cpd, cpca. If -l is used, only the most recent log file is copied.
run <batch_file> | Runs a batch of Multi-Domain Server commands in sequence. The batch file must be in the defined input directory.
scroll [on|off] | Sets output scrolling on or off, or displays the current scroll setting. Scrolling is similar to the 'more' command.
Audit Logging
P1Shell logs audits in two different ways.
P1Shell saves all audits to a text file:
$MDS_SYSTEM/p1shell/log/p1shell_cmd_audit.log
In addition, P1Shell sends audits to the Multi-Domain Server to be logged. These audits can be viewed in SmartView Tracker. If the Multi-Domain Server is not running at the time of the audited event, but starts later during the same P1Shell session, the audit is sent to the Multi-Domain Server at that point. If the Multi-Domain Server is down from the time of the event until the end of the P1Shell session, the Multi-Domain Server does not receive the audit.
Command Line Reference
cma_migrate
Description
This command imports an existing Security Management Server or Domain Management Server into a Multi-Domain Server so that it will become one of its Domain Management Servers. If the imported Security Management or Domain Management Server is of a version earlier than the Multi-Domain Server to which it is being imported, then the Upgrade process is performed as part of the import.
It is recommended that you run cma_migrate to import Domain Management Server or Security Management Server database files created using the export_database tool.
It is important to note that the source and target platforms can be different. The source management to be imported can be Solaris, Linux, Windows, Gaia, SecurePlatform or IPSO.
Syntax
cma_migrate <source management directory path> <target Domain Management Server FWDIR directory>
Argument | Description
source database directory path | The root of the original source database directory: the FWDIR directory, or a copy of it.
target Domain Management Server FWDIR directory | The directory of the Domain Management Server that you are migrating to. The target Domain Management Server must never have been started before running cma_migrate. There is no need to stop the Multi-Domain Server before running cma_migrate.
cpmiquerybin
Description
The cpmiquerybin utility is the binary core of the Database Query Tool (for the Database Query Tool, see mdsquerydb). This command-line CPMI client connects to the specified database, executes a query and displays the results either as a collection of FW-1 Sets or as a tab-delimited list of the requested fields of each retrieved object.
The target database of the query tool depends on the environment settings of the shell in use. To access one of the Multi-Domain Server databases, first run the mdsenv command to define the environment variables needed for the database connection. To connect to the database of a specific Domain Management Server, run mdsenv with the Domain Management Server name or IP address as its first parameter (see also mdsenv).
Note - A MISSING_ATTR string is displayed when you specify an attribute name that does not exist in one of the objects in the query result. The MISSING_ATTR string indicates that the attribute is missing from that object.
Exit Code
0 when the query succeeds; 1 if the query fails or the query syntax is bad.
Usage
cpmiquerybin <query_result_type> <database> <table> <query> [-a <attributes_list>]
Argument | Description
query_result_type | Requested format of the query result. Possible values: attr - displays the values of the fields specified with the -a parameter for each retrieved object; object - displays FW-1 Sets containing the data of each retrieved object.
database | Name of the database to connect to, in quotes. For instance, "mdsdb" or "" (the default database).
table | Table to retrieve the data from, for instance network_objects.
query | Empty query ("") or a query specifying the range of objects to retrieve, for instance name='a*'.
-a attributes_list | If query_result_type is attr, a comma-delimited list of the object fields to display. The object name can be accessed through a special "virtual" field called __name__. Example: __name__,ipaddr
Example
Print all network objects in the default database:
cpmiquerybin object "" network_objects ""
Print the hosted_by_mds and ipaddr attributes of all network objects in the database "mdsdb":
mdsenv
cpmiquerybin attr "mdsdb" network_objects "" -a hosted_by_mds,ipaddr
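The following script is an added example, not part of the Check Point documentation. It post-processes the tab-delimited output of a cpmiquerybin attr query and handles the MISSING_ATTR case from the note above, separating objects that carry every requested attribute from those that do not. SAMPLE_OUTPUT is a constructed stand-in for real output, so the script can be run off-box; its columns follow the -a list given in the comment.

```shell
#!/bin/sh
# Added example, not part of the Check Point documentation: parses the
# tab-delimited output of `cpmiquerybin attr ...` and reports MISSING_ATTR
# cells. SAMPLE_OUTPUT is constructed.

# Constructed sample of
#   cpmiquerybin attr "mdsdb" network_objects "" -a __name__,ipaddr,hosted_by_mds
# The second object has no ipaddr attribute, so that column reads MISSING_ATTR.
SAMPLE_OUTPUT=$(printf 'nyc_gw\t10.1.1.1\tmds1\nall_sites\tMISSING_ATTR\tmds1\nlon_gw\t10.2.2.2\tmds2\n')

# objects_missing_attr: reads attr output on stdin and prints
# "<object name> <column number>" for every MISSING_ATTR cell.
objects_missing_attr() {
    awk -F'\t' '{ for (i = 2; i <= NF; i++) if ($i == "MISSING_ATTR") print $1, i }'
}

# complete_objects: prints only the names of objects whose every requested
# attribute was present.
complete_objects() {
    awk -F'\t' '{ ok = 1
                  for (i = 2; i <= NF; i++) if ($i == "MISSING_ATTR") ok = 0
                  if (ok) print $1 }'
}

# count_complete: number of objects with no missing attribute.
count_complete() {
    complete_objects | wc -l | tr -d ' '
}

# Usage on a Multi-Domain Server (after running mdsenv):
#   cpmiquerybin attr "mdsdb" network_objects "" -a __name__,ipaddr,hosted_by_mds | objects_missing_attr
# Off-box, the constructed sample stands in for the tool's output:
printf '%s\n' "$SAMPLE_OUTPUT" | objects_missing_attr
```

Because the object name is always requested first through __name__, the parser can key every finding on column 1 and report the offending column number, which maps directly onto the position in the -a list.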
dbedit
Description
This utility can be used in a Multi-Domain Security Management configuration together with the mdsenv command. The options specific to accessing the Multi-Domain Server and Domain Management Server environments are included here.
Usage
dbedit -mds
dbedit -s <ServerIP> -d mdsdb -u <Admin> -p <password>
dbedit -s <Domain Management Server_IP> -u <Domain Management Server_Admin> -p <password>
Argument | Description
-mds | Access without user name and password. Use this option only for Domain Management Server or Multi-Domain Server configuration on the computer on which you run the command.
-s <ServerIP> | IP address of the Multi-Domain Server to connect to.
-u <Admin> -p <password> | Credentials of a Multi-Domain Security Management administrator, with password, for remote login from a valid Multi-Domain Server GUI Client. Beware not to expose your administrator password during remote login.
-d mdsdb | Edit the Multi-Domain Server database.
Examples:
To edit the Multi-Domain Server Global database, use the following commands:
mdsenv
dbedit -mds
To edit the Multi-Domain Server MDSDB database, use the following commands:
mdsenv
dbedit -mds -d mdsdb
To edit the Domain Management Server database, use the following commands:
mdsenv Domain Management Server_Flower
dbedit 10.10.10.10 -mds
where 10.10.10.10 is the Domain Management Server IP.
To use dbedit on a remote Multi-Domain Server/Domain Management Server, the computer on which you run dbedit must be defined as an authorized GUI Client. The user must be a Multi-Domain Security Management administrator and provide a user name and password:
dbedit -s 10.10.10.10 -u CANDACE -p ****
where 10.10.10.10 is the Multi-Domain Server or Domain Management Server IP, and **** is the password.
To edit the remote Multi-Domain Server MDSDB database:
dbedit -s 10.10.9.1 -d mdsdb -u ROGER -p ****
where 10.10.9.1 is the Multi-Domain Server IP, ROGER is an administrator and **** is the password.
To edit the remote Domain Management Server database:
dbedit -s 10.10.19.1 -u SAMANTHA -p ****
where 10.10.19.1 is the Domain Management Server IP, SAMANTHA is an administrator and **** is the password.
mcd bin | scripts | conf
Description
This command provides a quick directory change to $FWDIR/<param>.
Example
mdsenv MyDServer1
mcd conf
Brings you to: /opt/CPmds-R77/Domains/MyDServer1/CPsuite-R77/fw1/conf
mds_backup
The mds_backup command backs up binaries and data from your Multi-Domain Server to the working directory. This command requires Superuser privileges.
mds_backup executes the gtar command on the product root directories containing data and binaries, and backs up all files except those specified in the mds_exclude.dat file ($MDSDIR/conf). The collected information is stored in a single .tgz file whose name consists of the backup date and time; the file is saved in the current working directory. For example: 13Sep2002-141437.mdsbk.tgz
To perform a backup:
- Execute mds_backup from any location outside the product directory tree to be backed up. This becomes the working directory.
- Upon completion of the backup process, copy the backup .tgz file, together with the mds_restore, gtar and gzip command files, to your external backup location.
Usage
mds_backup [-g -L {all|best} -b {-d <target dir name>} -v -l -h]
mds_backup [-g -b {-d <target dir name>} -v -h]
Syntax
Argument | Description
-g | Executes without prompting to disconnect GUI clients.
-b | Batch mode: executes without asking anything (-g is implied).
-d | Specifies a directory in which to store the backup file. When not specified, the backup file is stored in the current directory. You cannot store the backup file in any location inside the product root directory tree.
-v | "Dry run": shows all files to be backed up, but does not perform the backup operation.
-l | Excludes logs from the backup.
-L | Locks the databases on the computer being backed up so that SmartDashboard cannot connect in Read/Write mode. You must use one of these options: all - if a lock attempt fails on a database (global or local), the backup stops; best - if a lock attempt fails on a database, the command continues to back up the database, but does not lock it. Note: the lock databases option has no effect on SmartDomain Manager clients because they can only connect in Read/Write mode.
-h | Help: displays help text.
Comments
When using the -g or -b options, make sure that no GUI clients or SmartReporter servers are connected. Otherwise, the backup file may contain inconsistencies due to database changes made during the backup process.
It is important not to run mds_backup from any of the directories that will be backed up. For example, when backing up a Multi-Domain Server, do not run mds_backup from /opt/CPmds-<current release>, because that is a circular reference (backing up the directory that you need to write into).
Active log files are not backed up, in order to avoid read-during-write inconsistencies. It is recommended to perform a log switch prior to the backup procedure.
Further Info. The Multi-Domain Server configuration can be backed up without backing up the log files. Such a backup will usually be significantly smaller in size than a full backup with logs. To back up without log files, add the following line to the file $MDSDIR/conf/mds_exclude.dat:
log/*
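The following script is an added example, not from the Check Point documentation: a pre-flight wrapper for mds_backup that enforces the caveats above before anything runs. It refuses to start when the working directory or the -d target lies inside the product root (the circular reference the Comments warn about), accepts only the two -L lock modes, and stages the resulting archive together with the mds_restore, gtar and gzip command files as the backup procedure requires. PRODUCT_ROOT defaults to an assumed path for this example; on a real server it is /opt/CPmds-<release>. Batch mode (-b) never prompts, so the caller must already have made sure that no GUI clients or SmartReporter servers are connected.

```shell
#!/bin/sh
# Added example, not from the Check Point documentation: pre-flight checks
# around mds_backup. PRODUCT_ROOT is an assumed value for this example.

PRODUCT_ROOT=${PRODUCT_ROOT:-/opt/CPmds-R77}

# inside_product_tree <path>: true when <path> is the product root or below it
inside_product_tree() {
    case "$1" in
        "$PRODUCT_ROOT"|"$PRODUCT_ROOT"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# plan_mds_backup <workdir> <target_dir|-> [all|best]
# Prints the mds_backup command line, or fails when a location is unsafe.
# "-" as target means: store the archive in the working directory.
plan_mds_backup() {
    workdir=$1; target=$2; lock=${3:-all}
    case "$lock" in
        all|best) ;;
        *) echo "lock mode must be all or best" >&2; return 1 ;;
    esac
    if inside_product_tree "$workdir"; then
        echo "refusing: working directory $workdir is inside $PRODUCT_ROOT" >&2
        return 1
    fi
    cmd="mds_backup -b -L $lock"
    if [ "$target" != - ]; then
        if inside_product_tree "$target"; then
            echo "refusing: target $target is inside $PRODUCT_ROOT" >&2
            return 1
        fi
        cmd="$cmd -d $target"
    fi
    printf '%s\n' "$cmd"
}

# stage_backup_files <backup_dir> <dest>: copies every *.mdsbk.tgz archive
# from <backup_dir> plus the mds_restore, gtar and gzip command files (when
# found on PATH) to <dest>. Prints the number of archives copied.
stage_backup_files() {
    src=$1; dest=$2; n=0
    mkdir -p "$dest" || return 1
    for f in "$src"/*.mdsbk.tgz; do
        [ -f "$f" ] || continue
        cp "$f" "$dest"/ && n=$((n + 1))
    done
    for tool in mds_restore gtar gzip; do
        if p=$(command -v "$tool" 2>/dev/null) && [ -f "$p" ]; then
            cp "$p" "$dest"/
        fi
    done
    echo "$n"
}

# Usage: plan a batch backup from /var/backups with "best effort" locking;
# run the printed command only when mds_backup is installed on this host.
if cmd=$(plan_mds_backup "$(pwd)" /var/backups best); then
    if command -v mds_backup >/dev/null 2>&1; then
        (cd /var/backups && $cmd && stage_backup_files /var/backups /var/backups/stage)
    else
        echo "mds_backup not found; would run: $cmd" >&2
    fi
fi
```

The "-" target keeps the archive in the working directory, which is why the working directory itself is checked against the product root as well as the explicit -d target.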
mds_restore
Description
Restores a Multi-Domain Server that was previously backed up with mds_backup. For correct operation, restore onto a clean Multi-Domain Server installation.
Note - The mds_restore command must use the mds_restore script that was created in the same directory as the backup file.
Syntax
./mds_restore <backup file>
Important - In Gaia, you have to run this command in expert mode and in the same directory as the backup file itself.
mds_user_expdate
Description
Changes multiple administrator expiration dates in one operation. You can do this for administrators on all Domain Management Servers or for users on one or more specified Domain Management Servers.
Usage
mds_user_expdate
Important
- Disconnect all GUI clients before running the mds_user_expdate command. If you do not do this, the SmartDomain Manager will overwrite changes made by the command.
- You can use the mds_user_expdate command only on an Active Multi-Domain Server in a High Availability deployment. You must synchronize your servers and install policies on your Security Gateways after using this command.
- We recommend that you back up your Multi-Domain Servers before using the mds_user_expdate command.
mdscmd
Description This command is used to execute different commands on the Multi-Domain Server system. It connects to a Multi-Domain Server as a CPMI client and causes it to execute one of the specified commands described below. Connection parameters [-m serverName -u user -p password] are required to log into a remote Multi-Domain Server. If these arguments are omitted, mdscmd connects to the local machine. The command is a CPMI client and has an audit log.
Usage
mdscmd <sub command and sub command parameters> [-m <serverName> -u user -p password]
mdscmd help
Argument | Description
-m ServerName | Remote Multi-Domain Server host name or IPv4 address. You must use this argument when you work with a Domain Management Server on a remote Multi-Domain Server. The remote Multi-Domain Server must be defined as a GUI client.
-u user and -p password | Credentials of the Superuser for the remote Multi-Domain Server. These arguments are necessary to log in to the remote Multi-Domain Server. Make sure that you do not show the password during remote login.
help | Prints the usage of an mdscmd command and a list of examples.
mdscmd adddomain
Description
Use the mdscmd adddomain command to create a Domain, locally or remotely. If run remotely, add login details. You can also create the first Domain Management Server with this command.
Syntax
mdscmd adddomain <DomainName> <-n Name | -i IPv4 | -a IPv6> [-t target <ServerName>][-m <ServerName> -u user -p password]
Argument | Description
DomainName | Name of the Domain to which the Domain Management Server is assigned. The name cannot include spaces or special characters (except for the underscore character).
-n name | Domain Management Server name.
-i IPv4 | Domain Management Server IPv4 address. If you do not use the -i argument, the system automatically assigns an address from a predefined pool of available addresses.
-a IPv6 | Domain Management Server IPv6 address. If you do not use the -a argument, the system automatically assigns an address from a predefined pool of available addresses.
-t target ServerName | Optional: Name of the Multi-Domain Server that the Domain Management Server is assigned to. This argument is necessary only if you assign the Domain Management Server to a remote Multi-Domain Server.
-m ServerName | Remote Multi-Domain Server host name or IPv4 address. You must use this argument when you work with a Domain Management Server on a remote Multi-Domain Server. The remote Multi-Domain Server must be defined as a GUI client.
-u user and -p password | Credentials of the Superuser for the remote Multi-Domain Server. These arguments are necessary to log in to the remote Multi-Domain Server. Make sure that you do not show the password during remote login.
You must use at least one of these arguments to identify the Domain Management Server:
-n Name
-i IPv4
-a IPv6
When you create a new object, you can use one or more of these arguments to manually define the name or IP address.
You must configure ranges of IPv4 and IPv6 addresses on your Multi-Domain Server for automatic address assignment to work. If no ranges are defined or no IP addresses are available, the command fails.
The -t, -m and -u arguments are necessary only when you assign a Domain Management Server to a different, remote Multi-Domain Server (not the one on which you run the mdscmd command).
Note - The old form of this command (mdscmd addcustomer) is still supported in this release.
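The following script is an added example, not from the Check Point documentation. It validates the inputs of mdscmd adddomain before the command runs: the Domain name rule from the table (no spaces or special characters except the underscore), the requirement for at least one identifier for the Domain Management Server, a well-formed IPv4 address for -i, and credentials only when a remote Multi-Domain Server is named with -m. The same character rule is assumed for the server name given with -n; IPv6 (-a) and the -t target are left out; every value in the usage lines is constructed. Because the command line carries the password, the off-box output masks it with ****, as the documentation's own examples do.

```shell
#!/bin/sh
# Added example, not from the Check Point documentation: input validation
# for `mdscmd adddomain`. All sample values are constructed.

# valid_domain_name <name>: no spaces or special characters except '_'
valid_domain_name() {
    case "$1" in
        '')              return 1 ;;
        *[!A-Za-z0-9_]*) return 1 ;;
        *)               return 0 ;;
    esac
}

# valid_ipv4 <addr>: four dotted decimal octets, each 0-255
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++)
              if ($i !~ /^[0-9]+$/ || $i + 0 > 255) exit 1 }'
}

# build_adddomain <domain> <dms_name> <dms_ipv4> <mds_host> <user> <password>
# Empty strings mean "omitted". Prints the mdscmd command line or fails.
build_adddomain() {
    domain=$1; name=$2; ipv4=$3; host=$4; user=$5; password=$6
    if ! valid_domain_name "$domain"; then
        echo "invalid Domain name: $domain" >&2; return 1
    fi
    if [ -z "$name" ] && [ -z "$ipv4" ]; then
        echo "need -n <Name> or -i <IPv4> to identify the Domain Management Server" >&2
        return 1
    fi
    cmd="mdscmd adddomain $domain"
    if [ -n "$name" ]; then
        # same character rule assumed for the server name
        valid_domain_name "$name" || { echo "invalid server name: $name" >&2; return 1; }
        cmd="$cmd -n $name"
    fi
    if [ -n "$ipv4" ]; then
        valid_ipv4 "$ipv4" || { echo "invalid IPv4 address: $ipv4" >&2; return 1; }
        cmd="$cmd -i $ipv4"
    fi
    if [ -n "$host" ]; then
        # remote Multi-Domain Server: -m needs both -u and -p
        if [ -z "$user" ] || [ -z "$password" ]; then
            echo "-m requires -u <user> and -p <password>" >&2; return 1
        fi
        cmd="$cmd -m $host -u $user -p $password"
    fi
    printf '%s\n' "$cmd"
}

# mask_password <command line>: hides the -p value before it is displayed
mask_password() {
    printf '%s\n' "$1" | sed 's/ -p [^ ]*/ -p ****/'
}

# run_adddomain: same arguments as build_adddomain; runs mdscmd when it is
# installed, otherwise shows the command with the password masked.
run_adddomain() {
    cmd=$(build_adddomain "$@") || return 1
    if command -v mdscmd >/dev/null 2>&1; then
        $cmd
    else
        echo "mdscmd not found; would run: $(mask_password "$cmd")" >&2
    fi
}

# Usage: local creation, then creation on a remote Multi-Domain Server.
run_adddomain NewYorkBranch nyc_dms 10.1.1.10 '' '' ''
run_adddomain LondonBranch lon_dms '' mds2.example.test admin 'ChangeMe_1'
```

The same validation applies unchanged to mdscmd addmanagement and mdscmd addlogserver, which take the same DomainName, -n, -i, -a, -t, -m, -u and -p arguments.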
mdscmd addmanagement
Description
This command creates a new Domain Management Server. You must first create at least one Domain before you can use this command. We recommend that you close SmartDomain Manager before running this command.
Syntax
mdscmd addmanagement <DomainName> [-n <Name> | -i <IPv4> | -a <IPv6>] [-t target <ServerName>] [-m <ServerName> -u user -p password]
Argument | Description
DomainName | Name of the Domain to which the Domain Management Server is assigned.
-n Name | Domain Management Server name. The name cannot include spaces or special characters (except for the underscore character).
-i IPv4 | Domain Management Server IPv4 address. If you do not use the -i argument, the system automatically assigns an address from a predefined pool of available addresses.
-a IPv6 | Domain Management Server IPv6 address. If you do not use the -a argument, the system automatically assigns an address from a predefined pool of available addresses.
-t ServerName | Optional: Name of the Multi-Domain Server that the Domain Management Server is assigned to. This argument is necessary only if you assign the Domain Management Server to a remote Multi-Domain Server.
-m ServerName | Remote Multi-Domain Server host name or IPv4 address. You must use this argument when you work with a Domain Management Server on a remote Multi-Domain Server. The remote Multi-Domain Server must be defined as a GUI client.
-u user and -p password | Credentials of the Superuser for the remote Multi-Domain Server. These arguments are necessary to log in to the remote Multi-Domain Server. Make sure that you do not show the password during remote login.
Note - The old form of this command (mdscmd addcma) is still supported.
mdscmd addlogserver
Description
Use the addlogserver command to add a Domain Log Server to an existing Domain. To add a Domain Log Server to a Domain, you must define at least one Domain Management Server.
Syntax
mdscmd addlogserver <DomainName> [-n Name | -i IPv4 | -a IPv6] [-t target <ServerName>] [-m <ServerName> -u user -p password]
Argument | Description
DomainName | Domain to which this Domain Log Server is assigned. The name cannot include spaces or special characters (except for the underscore character).
-n Name | Domain Management Server name. If you do not use the -n argument, the system automatically generates a Domain Management Server name with this format: Domain_Management_Server_<sequence number>.
-i IPv4 | Domain Management Server IPv4 address. If you do not use the -i argument, the system automatically assigns an address from a predefined pool of available addresses.
-a IPv6 | Domain Management Server IPv6 address. If you do not use the -a argument, the system automatically assigns an address from a predefined pool of available addresses.
-t target ServerName | Optional: Name of the Multi-Domain Server that the Domain Management Server is assigned to. This argument is necessary only if you assign the Domain Management Server to a remote Multi-Domain Server.
-m ServerName | Remote Multi-Domain Server host name or IPv4 address. You must use this argument when you work with a Domain Management Server on a remote Multi-Domain Server. The remote Multi-Domain Server must be defined as a GUI client.
-u user and -p password | Credentials of the Superuser for the remote Multi-Domain Server. These arguments are necessary to log in to the remote Multi-Domain Server. Make sure that you do not show the password during remote login.
You must use at least one of these arguments to identify the Domain Management Server:
-n Name
-i IPv4
-a IPv6
When you create a new object, you can use one or more of these arguments to manually define the name or IP address.
You must configure ranges of IPv4 and IPv6 addresses on your Multi-Domain Server for automatic address assignment to work. If no ranges are defined or no IP addresses are available, the command fails.
The -t, -m and -u arguments are necessary only when you assign a Domain Management Server to a different, remote Multi-Domain Server (not the one on which you run the mdscmd command).
Note - The old version of this command (mdscmd addclm) is still supported.
mdscmd assignadmin
Description
Assigns an administrator to a Domain using the specified permissions profile.
Syntax
mdscmd assignadmin <administrator name> <administrator profile> <domain name>
Parameters
Parameter | Description
administrator name | Administrator name
administrator profile | Administrator permissions profile
domain name | Name of the Domain to which the administrator is assigned.
Example:
mdscmd assignadmin Reuven Default_Profile NewYorkBranch
mdscmd assignguiclient
Description
Assigns a GUI client to the specified Domain.
Syntax
mdscmd assignguiclient <domain name> <gui client>
Parameters
Parameter | Description
domain name | Domain name
gui client | Name of a Multi-Domain Security Management GUI client used by the specified Domain
Example
mdscmd assignguiclient NewYorkBranch Telco_Admins
mdscmd deletedomain
Description
Use this command to delete an existing Domain. When you delete a Domain, you also delete its Domain Management Servers.
Usage
mdscmd deletedomain <DomainName> -m <ServerName> -u <user> -p <password>
Argument | Description
DomainName | Name of the Domain
-m ServerName | Remote Multi-Domain Server host name or IPv4 address. You must use this argument when you work with a Domain Management Server on a remote Multi-Domain Server. The remote Multi-Domain Server must be defined as a GUI client.
-u user and -p password | Credentials of the Superuser for the remote Multi-Domain Server. These arguments are necessary to log in to the remote Multi-Domain Server. Make sure that you do not show the password during remote login.
Note - The old version of this command (mdscmd deletecustomer) is still supported.
mdscmd deletelogserver
Description
Use this command to delete an existing Domain Log Server.
Syntax
mdscmd deletelogserver <DomainName> <-n Name | -i IPv4 | -a IPv6> -m <ServerName> -u user name -p password
Argument | Description
DomainName | Name of the Domain to which the Domain Management Server is assigned. The name cannot include spaces or special characters (except for the underscore character).
-n Name | Domain Management Server name.
-i IPv4 | Domain Management Server IPv4 address. If you do not use the -i argument, the system automatically assigns an address from a predefined pool of available addresses.
-a IPv6 | Domain Management Server IPv6 address. If you do not use the -a argument, the system automatically assigns an address from a predefined pool of available addresses.
-m ServerName | Remote Multi-Domain Server host name or IPv4 address. You must use this argument when you work with a Domain Management Server on a remote Multi-Domain Server. The remote Multi-Domain Server must be defined as a GUI client.
-u user and -p password | Credentials of the Superuser for the remote Multi-Domain Server. These arguments are necessary to log in to the remote Multi-Domain Server. Make sure that you do not show the password during remote login.
You must use at least one of these arguments to identify the Domain Management Server: -n DomainName, -i IPv4 or -a IPv6. When you create a new object, you can use one or more of these arguments to manually define the name or IP address.
You must configure ranges of IPv4 and IPv6 addresses on your Multi-Domain Server for automatic address assignment to work. If no ranges are defined or no addresses are available, the command fails.
The -t, -m and -u arguments are necessary only when you assign a Domain Management Server to a different, remote Multi-Domain Server (not the one on which you run the mdscmd command).
Note - The old version of this command (mdscmd deleteclm) is still supported.
mdscmd enableglobaluse
Description
Use this command to connect a Domain Security Gateway to a Global VPN Community. Executing this command with a Domain name and a Security Gateway name creates a global Security Gateway object and a VPN Domain object for the specified Domain Security Gateway in the Global database.
[-g global name] determines the global Security Gateway object name. If [-g global name] is omitted, the global name is gGW1_of_CUST1 for the Security Gateway GW1 and Domain CUST1. The VPN Domain object receives the same name as the global Security Gateway object with a '_Domain' extension.
Syntax
mdscmd enableglobaluse <DomainName> <gatewayName> [-g <globalName>] [-m <ServerName> -u user -p password]
Argument | Description
DomainName | Domain to which the Domain Management Server belongs.
gatewayName | Gateway to connect to the VPN.
-g globalName | The global Security Gateway object name. If omitted, the global name is gGW1_of_CUST1 for the Security Gateway GW1 and Domain CUST1.
-m ServerName | Name or IP address of the Multi-Domain Server to connect to.
-u user and -p password | Credentials of the Superuser for the remote Multi-Domain Server. These arguments are necessary to log in to the remote Multi-Domain Server. Make sure that you do not show the password during remote login.
Comments
mdscmd enableglobaluse is equivalent to enabling global use of a Security Gateway from SmartDomain Manager.
mdscmd disableglobaluse
Description
Use this command to remove a Domain global Security Gateway object and VPN Domain object from the Global database.
Syntax
mdscmd disableglobaluse <DomainName> <gatewayName> [-m <ServerName> -u user -p password]
Argument | Description
DomainName | Specifies the name of the Domain to which the Domain Management Server belongs.
gatewayName | Specifies the name of the Security Gateway.
-m <ServerName> | Specifies the name or IP address of the Multi-Domain Server you want to connect to.
-u user and -p password | Used as a pair, they must specify a valid Superuser administrator and password for remote login. In addition, the computer on which the command is executed must be a valid Multi-Domain Server GUI client. Beware not to expose your administrator password during remote login.
Comments
mdscmd disableglobaluse is equivalent to disabling the global use of a Security Gateway from SmartDomain Manager.
mdscmd removeadmin
Description
Removes an administrator from the specified Domain.
Syntax
mdscmd removeadmin <administratorName> <domainName>
Parameters
Parameter | Description
administratorName | Administrator name
domainName | Domain name
Example
mdscmd removeadmin George NewYorkBranch
mdscmd removeguiclient
Description
Removes a GUI client from the specified Domain.
Syntax
mdscmd removeguiclient <domainName> <guiClient>
Parameters
Parameter | Description
domainName | Domain name
guiClient | Name of a Multi-Domain Security Management GUI client used by the specified Domain
Example
mdscmd removeguiclient NewYorkBranch Telco_Admins
mdscmd startmanagement
Description
Use this command to start an existing Domain Management Server.
Syntax
mdscmd startmanagement <DomainName> <-n name | -i IPv4 | -a IPv6> -m <ServerName> -u user name -p password
Argument | Description
DomainName | Name of the Domain to which the Domain Management Server is assigned. The name cannot include spaces or special characters (except for the underscore character).
-n Name | Domain Management Server name.
-i IPv4 | Domain Management Server IPv4 address. If you do not use the -i argument, the system automatically assigns an address from a predefined pool of available addresses.
-a IPv6 | Domain Management Server IPv6 address. If you do not use the -a argument, the system automatically assigns an address from a predefined pool of available addresses.
-m ServerName | Remote Multi-Domain Server host name or IPv4 address. You must use this argument when you work with a Domain Management Server on a remote Multi-Domain Server. The remote Multi-Domain Server must be defined as a GUI client.
-u user and -p password | Credentials of the Superuser for the remote Multi-Domain Server. These arguments are necessary to log in to the remote Multi-Domain Server. Make sure that you do not show the password during remote login.
You must use at least one of these arguments to identify the Domain Management Server: -n DomainName, -i IPv4 or -a IPv6. When you create a new object, you can use one or more of these arguments to manually define the name or IP address.
You must configure ranges of IPv4 and IPv6 addresses on your Multi-Domain Server for automatic address assignment to work. If no ranges are defined or no addresses are available, the command fails.
The -t, -m and -u arguments are necessary only when you assign a Domain Management Server to a different, remote Multi-Domain Server (not the one on which you run the mdscmd command).
Note - The old version of this command (mdscmd startcma) is still supported.
mdscmd stopmanagement
Description
Use this command to stop a running Domain Management Server.
Syntax
mdscmd stopmanagement <DomainName> [-n <Name> | -i <IPv4> | -a <IPv6>] -m <ServerName> -u user name -p password
Argument | Description
DomainName | Name of the Domain to which the Domain Management Server is assigned. The name cannot include spaces or special characters (except for the underscore character).
-n Name | Domain Management Server name.
-i IPv4 | Domain Management Server IPv4 address. If you do not use the -i argument, the system automatically assigns an address from a predefined pool of available addresses.
-a IPv6 | Domain Management Server IPv6 address. If you do not use the -a argument, the system automatically assigns an address from a predefined pool of available addresses.
-m ServerName | Remote Multi-Domain Server host name or IPv4 address. You must use this argument when you work with a Domain Management Server on a remote Multi-Domain Server. The remote Multi-Domain Server must be defined as a GUI client.
-u user and -p password | Credentials of the Superuser for the remote Multi-Domain Server. These arguments are necessary to log in to the remote Multi-Domain Server. Make sure that you do not show the password during remote login.
You must use at least one of these arguments to identify the Domain Management Server: -n DomainName, -i IPv4 or -a IPv6. When you create a new object, you can use one or more of these arguments to manually define the name or IP address.
You must configure ranges of IPv4 and IPv6 addresses on your Multi-Domain Server for automatic address assignment to work. If no ranges are defined or no addresses are available, the command fails.
The -t, -m and -u arguments are necessary only when you assign a Domain Management Server to a different, remote Multi-Domain Server (not the one on which you run the mdscmd command).
Note - The old version of this command (mdscmd stopcma) is still supported.
mdscmd migratemanagement
Description
Use this command to migrate (import) an existing source database (from a Security Management Server or Domain Management Server) into another Domain Management Server.
You can use mdscmd migratemanagement to import files created using the export_database tool.
Usage
mdscmd migratemanagement <DomainName> <-l path> <-n name>
Argument | Description
DomainName | Domain to which the new Domain Management Server belongs.
-n name | New Domain Management Server into which the source database information is migrated.
-l path | Path containing the conf directory migrated into the new Domain Management Server.
Example
Migrate a source database from an NGX R65 Domain Management Server named MyFirstDMS into the Domain Management Server BestDomain, defined for the Domain BestDomain:
mdscmd migratemanagement BestDomain -l /opt/CPmds-R65/Domains/MyFirstDMS/CPfw1-R65 -n BestDomain
See also cma_migrate.
Note - The old version of this command (mdscmd mirrrorcma) is still supported.
mdscmd mirrormanagement
Description
Use this command to mirror the Domain Management Server configuration from one Multi-Domain Server to another Multi-Domain Server. This command is used to create Domain Management Server High Availability. It parses all Domains and checks which Domains have a single Domain Management Server defined. If a Domain has a Domain Management Server on the source Multi-Domain Server, a secondary Domain Management Server is created on the target Multi-Domain Server.
Syntax
mdscmd mirrormanagement -s source_mds -t target_mds [-m ServerName -u user -p password]
Argument | Description
-s source_mds | Multi-Domain Server the mirroring is performed from.
-t target_mds | Multi-Domain Server the mirroring is targeted toward.
-m ServerName | Remote Multi-Domain Server host name or IPv4 address. You must use this argument when you work with a Domain Management Server on a remote Multi-Domain Server. The remote Multi-Domain Server must be defined as a GUI client.
-u user and -p password | Used as a pair, they must specify a valid Superuser administrator and password for remote login. In addition, the computer on which the command is executed must be a valid Multi-Domain Server GUI client. Beware not to expose your administrator password during remote login.
Note - The old version of this command (mdscmd mirrorcma) is still supported.
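The mdscmd entries above take the remote Superuser credentials as -u user -p password and warn against showing the password during remote login. As an added example (not Check Point's code), the POSIX shell wrapper below checks the Domain name against the stated rule (no spaces or special characters except underscore), reads the password from a mode-0600 file or a no-echo prompt instead of the interactive command line, and can print the command line with the password masked for a change record; the function names and the MDS_HOST, MDS_USER, MDS_PASS_FILE and MDSCMD_DRY_RUN variables are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the Check Point documentation: a wrapper for running
# mdscmd subcommands against a remote Multi-Domain Server without typing the
# Superuser password on the interactive command line.
# Assumed (this example's own): MDS_HOST, MDS_USER, MDS_PASS_FILE,
# MDSCMD_DRY_RUN and the function names below. mdscmd itself is only invoked
# when MDSCMD_DRY_RUN is not 1.

# Apply the Domain name rule from the reference: no spaces or special
# characters, underscore allowed. Returns 0 when the name is acceptable.
valid_domain_name() {
    case "$1" in
        '') return 1 ;;
        *[!A-Za-z0-9_]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Obtain the Superuser password. A file named by MDS_PASS_FILE is used only
# if its mode is exactly 0600; otherwise prompt with terminal echo off, so the
# password never lands in shell history or on the screen.
read_mds_password() {
    if [ -n "${MDS_PASS_FILE:-}" ]; then
        if [ "$(stat -c %a "$MDS_PASS_FILE" 2>/dev/null)" != "600" ]; then
            echo "refusing to read $MDS_PASS_FILE: mode is not 0600" >&2
            return 1
        fi
        head -n 1 "$MDS_PASS_FILE"
        return 0
    fi
    printf 'Multi-Domain Server Superuser password: ' >&2
    stty -echo 2>/dev/null
    read -r pw
    stty echo 2>/dev/null
    echo >&2
    printf '%s\n' "$pw"
}

# Run "mdscmd <subcommand> <DomainName> [args...]" against $MDS_HOST as
# $MDS_USER. With MDSCMD_DRY_RUN=1 the command line is printed with the
# password masked instead of being executed (for a change record).
mdscmd_remote() {
    sub="$1"; domain="$2"; shift 2
    if ! valid_domain_name "$domain"; then
        echo "invalid Domain name: '$domain'" >&2
        return 2
    fi
    pw="$(read_mds_password)" || return 1
    if [ "${MDSCMD_DRY_RUN:-0}" = "1" ]; then
        printf 'mdscmd %s %s' "$sub" "$domain"
        for a in "$@"; do printf ' %s' "$a"; done
        printf ' -m %s -u %s -p ********\n' "$MDS_HOST" "$MDS_USER"
        return 0
    fi
    mdscmd "$sub" "$domain" "$@" -m "$MDS_HOST" -u "$MDS_USER" -p "$pw"
}

# When run directly, forward the arguments, for example:
#   MDS_HOST=mds2 MDS_USER=admin ./mds_remote.sh startmanagement NewYorkBranch -n NY_DMS
if [ $# -gt 0 ]; then
    mdscmd_remote "$@"
fi
```

The password is still handed to mdscmd as an argument, as the documented syntax requires, so the wrapper keeps it out of shell history and off the screen but not out of the process list on the host where it runs.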
mdsenv
Description
This command prepares the shell environment variables for running Multi-Domain Server level command lines or specific Domain Management Server command lines. Without an argument, the command sets the shell for Multi-Domain Server level commands (mdsstart, mdsstop, and so on).
Usage
mdsenv [<Name>]
Argument | Description
Name | Domain Management Server name. If given, the command prepares the shell for the Domain Management Server command line.
mdsquerydb
Description
The mdsquerydb command runs the Database Query Tool. The Database Query Tool lets advanced users create UNIX shell scripts that access information stored in the Check Point Security Management Server databases: the Global Database (usually accessed from the Global SmartDashboard), the Multi-Domain Server database (usually accessed from the SmartDomain Manager) and the Domain Management Server databases (usually accessed from SmartDashboard). Just as the mdscmd tool lets users write UNIX shell scripts that add, remove or alter Multi-Domain Security Management database objects, the Database Query Tool lets users read the information related to these objects. The command is used with specific arguments to perform various queries on Security Management Server databases.
Usage
mdsquerydb key_name [-f output_file_name]
Argument | Description
key_name | Query key, which must be defined in the pre-defined queries configuration file.
-f output_file_name | Write the query results to the file with the specified name instead of to the standard output.
To retrieve the list of all defined keys:
mdsquerydb
To send the list of Domains in the Multi-Domain Server database to the standard output:
mdsenv
mdsquerydb Domains
To retrieve the list of network objects in the Global database and place the list in /tmp/gateways.txt:
mdsenv
mdsquerydb NetworkObjects -f /tmp/gateways.txt
To retrieve the list of gateway objects of the Domain Management Server called DServer1:
mdsenv DServer1
mdsquerydb Gateways -f /tmp/gateways.txt
Comments
The Database Query Tool provides advanced users of Multi-Domain Security Management with a means of querying the different Security Management Server databases from UNIX shell scripts. Some database queries are pre-defined in the configuration file. The configuration file (queries.conf) is in $MDSDIR/conf. End users should not edit this file.
mdsstart
Description
This command starts the Multi-Domain Server and all Domain Management Servers. You can reduce the time it takes to start and stop the Multi-Domain Server if you have many Domain Management Servers. To do so, set the variable NUM_EXEC_SIMUL to the number of Domain Management Servers to be launched or stopped simultaneously. When this variable is not defined, the system attempts to start or stop up to 10 Domain Management Servers simultaneously.
Usage
mdsstart [-m|-s]
Argument | Description
-m | Starts only the Multi-Domain Server and not the Domain Management Servers.
-s | Starts the Domain Management Servers sequentially: waits for each Domain Management Server to come up before starting the next.
mdsstat
Description
This utility gives detailed information on the status of the processes of the Multi-Domain Server and Domain Management Servers: the up/down status per process.
Usage
mdsstat [-h] [-m] [<Name>]
Argument | Description
-h | Displays the help message.
-m | Tests the status of the Multi-Domain Server only.
Name | The name of the Domain Management Server whose status is tested.
Process status values:
up: The process is up.
down: The process is down.
pnd: The process is pending initialization.
init: The process is initializing.
N/A: The process's PID is not yet available.
N/R: The process is not relevant for this Multi-Domain Server.
mdsstop
Description
This command stops the Multi-Domain Server and all the Domain Management Servers. You can reduce the time it takes to start and stop the Multi-Domain Server if you have many Domain Management Servers. To do so, set the variable NUM_EXEC_SIMUL to the number of Domain Management Servers to be launched or stopped simultaneously. When this variable is not defined, the system attempts to start or stop up to 10 Domain Management Servers simultaneously.
Usage
mdsstop [-m]
Argument | Description
-m | Stops the Multi-Domain Server without stopping the Domain Management Servers.
merge_plug-in_tables
Description
The merge_plug-in_tables utility is included in the export_database utility. It searches for all Domain Management Server or Version and Blade Updates and merges the plug-in tables with the Domain Management Server or Security Management tables.
In Linux and, the merge_plug-in_tables tool runs automatically when you run the export_database tool, and its output becomes part of the Domain Management Server database .tgz file.
If you have a Security Management Server running on FreeBSD, IPSO 6.x or Windows, use merge_plug-in_tables to consolidate plug-in data before migrating.
Before using the merge_plug-in_tables utility, you must:
- Copy the export tool .tgz file for your operating system to the source Domain Management Server or Security Management machine. The export tool files can be found on your installation DVD.
- Extract the export tool .tgz file to some path on the source machine. A directory called export_tools is extracted.
- Run the merge_plug-in_tables command from the export_tools directory.
Usage
merge_plug-in_tables <-p conf_dir> [-s] [-h]
where <-p conf_dir> is the path of the $FWDIR directory of the Domain Management Server or Security Management Server, -s runs the utility in silent mode (the default is interactive mode), and -h displays usage.
Example
To merge the plug-in tables of a Domain Management Server, DSERVER1, run:
mdsenv DServer1
merge_plug-in_tables -p "$FWDIR"
migrate_global_policies
Description
This utility transfers (and upgrades, if necessary) the global policies database from one Multi-Domain Server to the global policies database of another Multi-Domain Server. migrate_global_policies replaces all existing Global Policies and Global Objects. Each of the existing Global Policies is saved with a *.pre_migrate extension.
If you only migrate the global policies (without the Domain Management Servers) to a new Multi-Domain Server, you should disable any Security Gateways that are enabled for global use.
You can migrate global policies from these Multi-Domain Security Management versions:
- R71.30 and later minor releases
- R75.x
- R76.x
- R77.x
You can use migrate_global_policies to import files created using the export_database tool.
Usage
migrate_global_policies <path>
Argument | Description
path | The fully qualified path to the directory where the global policies files, originally exported from the source Multi-Domain Server ($MDSDIR/conf), are located.
Example
migrate_global_policies /tmp/exported_global_db.22Jul2007-124547.tgz
Configuration Procedures
Description
There is one primary command to configure the thresholds in the command line, threshold_config. You must be in expert mode to run it. After you run threshold_config, follow the on-screen instructions to make selections and configure the global settings and each threshold.
Usage
threshold_config
When you run threshold_config, you get these options:
- - Shows you the name configured for the threshold policy.
- - Lets you set a name for the threshold policy.
- - Lets you save the policy.
- - Lets you export the policy to a file.
- - Lets you import a threshold policy from a file.
- - Lets you configure global settings for how frequently alerts are sent and how many alerts are sent.
- - Lets you configure a location or locations where the SNMP alerts are sent.
- - Shows a list of all thresholds that you can set including: The category of the threshold, if it is active or disabled, the threshold point (if relevant), and a short description of what it monitors.
- - Open the list of threshold categories to let you select thresholds to configure.