

Multi-Domain Security Management Commands and Utilities

In This Section:

Cross-Domain Management Server Search

P1Shell

Command Line Reference

Cross-Domain Management Server Search

Overview

The Cross-Domain Management Server Search feature lets you search across multiple Domain Management Server databases for specified network objects (including groups, dynamic objects and Global objects). You can also search for rules (including Global and implied rules) that contain or affect a specified object.

Cross-Domain Management Server Search is a powerful tool for analyzing the functioning of network components in the context of a Multi-Domain Security Management environment. The search function is similar to the Where Used feature in SmartDashboard.

Searching

You can access Cross-Domain Management Server search from the General - Domain Contents or from the General - Network Objects view of the SmartDomain Manager.

To open the Cross-Domain Management Server search window, select Cross-Domain Management Server Search from the Manage menu, or click the Cross-Domain Management Server Search icon.

Select a query, what you want to search for, and the Domain or Domains to search in. The following queries are available:

Specified Object query:

  • Find network objects by exact name - finds objects defined in the Domain Management Server database, where the object's name exactly matches the query entry.
  • Find network objects by partial name - finds objects defined in the Domain Management Server database, where the object's name contains the query entry.
  • Find network objects by IP address - finds objects defined in the Domain Management Server database, where the object's IP address matches the query entry.

    Results for object queries include object and Domain information.

  • Find Policy rules that use a global object - the query entry is a global object name. The query finds rules in the Domain Management Server Policies, where the global object is part of the rule definition. This includes cases where the global object is not explicit in the rule definition, but is included in some object (such as a group or cluster) that appears in the rule.

    Results include Domain, Policy and rule information, and the specific rule column where the global object appears. The first Results column, Object Name, indicates the applicable object as defined in the rule. This object may be one that includes, but is not identical to, the query entry.

  • Find Policy rules that use a global object explicitly - this query is the same as the previous query, except that the results are limited to rules where the global object is explicit. Rules where the global object is merely included in some object (such as a group or cluster) that appears in the rule are excluded.

    Results include Domain, Policy and rule information, and the specific rule column where the global object appears. Two additional Results columns are:

    Last in Cell? - Shows whether the object is the sole object in its rule column, so that removing it would cause the cell content to become Any.

    Is Removable? - Shows whether you can delete the object.

  • Find network objects that use a global object explicitly - the query entry is the name of a global object. The query finds network objects (such as groups or clusters), defined in the Domain Management Server database, that contain the global object explicitly.

    Results include object and Domain information.

    The Object Name Results column indicates the applicable object as defined in the rule. This object may be one that includes, but is not identical to, the query entry.

    Is Removable? - Shows if you can delete the object.

Copying Search Results

You can copy search results to use them in other applications.

To copy search results to the clipboard, right-click in the Results pane and select Copy. The copied results are in Comma Separated Values (CSV) text format.

Performing a Search in CLI

You can do a cross-Domain Management Server search using the CLI. The search results will be sent to standard output in Comma Separated Values (CSV) format.

The command syntax is:

mdscmd runcrossdomainquery <find_in> <query_type> <entry_type> <entry>

where <find_in> is one of the following parameters:

Parameter | Description
-f <filename> | Searches in the Domains listed in file <filename>.
-list <list> | Searches in the Domains in <list>. <list> should be Domain names separated by commas (e.g. domain1, domain2).
-all | Searches in all Domains.

<query_type> refers to one of the following parameters:

Parameter | SmartDomain Manager version of the query
query_network_obj | One of the Specified Object queries (according to <entry_type>)
query_rulebase | Find Policy rules that use a global object
whereused_rules | Find Policy rules that use a global object explicitly
whereused_objs | Find network objects that use a global object explicitly

<entry_type> refers to one of the following parameters:

Parameter | Description
-n | Specifies that <entry> is the full object name. Available for all values of <query_type>.
-c | Specifies that <entry> is a partial object name. Available only for query_network_obj.
-i | Specifies that <entry> is an IP address. Available only for query_network_obj.

<entry> refers to the query entry.

Example

To search the Domain Management Servers of all Domains for objects whose names contain 'my_gw' (a partial-name query, so the entry type is -c):

mdscmd runcrossdomainquery -all query_network_obj -c my_gw
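The argument rules above (three <find_in> forms, four query types, and -c or -i accepted only with query_network_obj) are easy to get wrong on a command that fans out to many Domain Management Servers. The POSIX shell function below, added here as an example and not part of Check Point's mdscmd, checks a runcrossdomainquery argument list locally before handing it to mdscmd. The function names and the restriction of -i entries to IPv4 dotted quads are assumptions of this example.

```shell
#!/bin/sh
# Added example (not Check Point code): local pre-flight check of
# "mdscmd runcrossdomainquery <find_in> <query_type> <entry_type> <entry>"
# so that an invalid combination fails here instead of after the query has
# been sent to every selected Domain Management Server.
#
# validate_crossdomain_query FIND_IN [ARG] QUERY_TYPE ENTRY_TYPE ENTRY
# Returns 0 when the arguments follow the documented rules, 1 otherwise
# (reason on stderr).
validate_crossdomain_query() {
    case "$1" in
        -all)
            [ $# -eq 4 ] || { echo "usage: -all <query_type> <entry_type> <entry>" >&2; return 1; }
            query_type=$2; entry_type=$3; entry=$4 ;;
        -f)
            [ $# -eq 5 ] && [ -f "$2" ] || { echo "-f needs an existing Domain list file" >&2; return 1; }
            query_type=$3; entry_type=$4; entry=$5 ;;
        -list)
            [ $# -eq 5 ] || { echo "usage: -list <d1,d2,...> <query_type> <entry_type> <entry>" >&2; return 1; }
            case "$2" in
                ''|,*|*,|*,,*) echo "-list expects Domain names separated by commas" >&2; return 1 ;;
            esac
            query_type=$3; entry_type=$4; entry=$5 ;;
        *)  echo "<find_in> must be -f <file>, -list <list> or -all" >&2; return 1 ;;
    esac

    case "$query_type" in
        query_network_obj|query_rulebase|whereused_rules|whereused_objs) ;;
        *) echo "unknown <query_type>: $query_type" >&2; return 1 ;;
    esac

    # -c (partial name) and -i (IP address) exist only for query_network_obj.
    case "$entry_type" in
        -n) ;;
        -c|-i) [ "$query_type" = query_network_obj ] ||
                   { echo "$entry_type is valid only with query_network_obj" >&2; return 1; } ;;
        *) echo "<entry_type> must be -n, -c or -i" >&2; return 1 ;;
    esac

    [ -n "$entry" ] || { echo "missing <entry>" >&2; return 1; }
    if [ "$entry_type" = -i ]; then
        # Assumption of this example: -i entries are IPv4 dotted quads.
        echo "$entry" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' ||
            { echo "-i expects an IPv4 address, got: $entry" >&2; return 1; }
    fi
    return 0
}

# run_crossdomain_query: validate, then run the real query. The CSV result
# goes to standard output as documented, so redirect it to keep a copy.
run_crossdomain_query() {
    validate_crossdomain_query "$@" || return 1
    mdscmd runcrossdomainquery "$@"
}
```

Typical use is `run_crossdomain_query -list domain1,domain2 whereused_rules -n Global_Net > results.csv`; a rejected combination never reaches mdscmd.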

P1Shell

Overview

P1Shell is a command line shell that allows administrators to run Multi-Domain Security Management CLI commands on the Multi-Domain Server, in both Multi-Domain Server and Domain Management Server environments, without root permissions. P1Shell authorizes users who are recognized by the Multi-Domain Server as Multi-Domain Security Management Superusers or Domain Superusers. Lower level Multi-Domain Security Management administrators must use the SmartDomain Manager (unless they have root permissions).

P1Shell can be defined as the default login shell for Multi-Domain Security Management users, or it can be manually started in the CLI.

Multi-Domain Security Management authentication is provided by the Multi-Domain Server, which must be running for an administrator to be authorized for P1Shell. To make sure non-authorized users cannot start Multi-Domain Server processes, a password is required for mdsstart. You can set the password in mdsconfig, and give it only to Multi-Domain Security Management administrators.

P1Shell maintains a connection with the Multi-Domain Server. P1Shell may be disconnected from the Multi-Domain Server by a SmartDomain Manager user (from the Connected Administrators view of the SmartDomain Manager), but as soon as P1Shell processes a command, P1Shell will reconnect to the Multi-Domain Server. The P1Shell user will be notified neither of the disconnecting nor of reconnecting. The SmartDomain Manager Connected Administrators view will display the reconnected P1Shell user only when the view is refreshed.

Note - P1Shell settings and commands are defined in configuration files that should not be changed. Any change to P1Shell configuration files will block P1Shell. If that happens, restore the files to their original versions to enable access to P1Shell.

Starting P1Shell

To work in P1Shell, it must first be enabled. To enable P1Shell, run:

mdsconfig

and select P1Shell.

To start P1Shell, if it is not your default login shell, run:

p1shell

If the Multi-Domain Server is not running, you will be prompted for the Start-Multi-Domain Server password to authorize starting the Multi-Domain Server. Then, you will be prompted to enter your Multi-Domain Security Management user name and password to authorize you for P1Shell.

File Constraints for P1Shell Commands

For security reasons, commands that run in P1Shell can read files only from within a defined input directory. Commands can write only to a defined output directory.

Note - The mds_backup command is an exception to this rule. The output of the backup is created at the path /var/opt/<ServerName>_backups/<timestamp>, where <timestamp> is the time that the backup started.

Upon starting, P1Shell defines both input and output directories as the user's home directory. They can be changed for the work session, only within the home directory. Change the directories with the following commands:

set_inputdir <path>

set_outputdir <path>

where <path> is an existing directory, defined relative to the user's home directory.

To view existing input and output directories, enter:

display_io_dirs

Filenames appearing in commands cannot be paths (/ will be considered an illegal character) and must be located in the defined input or output directory.

Note - For security reasons, the output directory cannot be soft linked.
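Scripts that prepare files for a P1Shell session (for example, staging a batch file into the input directory) benefit from applying the same constraints before the session starts. The functions below are an added example, not P1Shell code: they reproduce the rules just listed (directories relative to the home directory, no soft-linked output directory, filenames without a slash that exist in the input directory). The function names and the use of $HOME as the P1Shell user's home directory are assumptions of this example.

```shell
#!/bin/sh
# Added example (not P1Shell code): the file constraints P1Shell enforces,
# as shell checks for scripts that stage files for a P1Shell session.
# Assumes $HOME is the P1Shell user's home directory.

# check_io_dir DIR: DIR must be an existing directory given relative to
# $HOME, with no absolute path and no ".." components (so it stays within
# the home directory, as set_inputdir / set_outputdir require).
check_io_dir() {
    case "$1" in
        ''|/*|..|../*|*/..|*/../*)
            echo "directory must be relative to home, without ..: $1" >&2; return 1 ;;
    esac
    [ -d "$HOME/$1" ] || { echo "no such directory under home: $1" >&2; return 1; }
    return 0
}

# check_output_dir DIR: an output directory additionally may not be a soft link.
check_output_dir() {
    check_io_dir "$1" || return 1
    if [ -L "$HOME/$1" ]; then
        echo "output directory may not be a soft link: $1" >&2; return 1
    fi
    return 0
}

# check_input_file INPUTDIR NAME: a filename used in a P1Shell command may
# not be a path ("/" is illegal) and must exist in the defined input directory.
check_input_file() {
    case "$2" in
        ''|*/*) echo "filename may not be a path: $2" >&2; return 1 ;;
    esac
    check_io_dir "$1" || return 1
    [ -f "$HOME/$1/$2" ] || { echo "$2 is not in input directory $1" >&2; return 1; }
    return 0
}
```

Run `check_input_file p1in batch.txt` before `run batch.txt` in P1Shell; the check fails for the same inputs that P1Shell would refuse, so the failure is reported by the staging script rather than inside the session.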

Multi-Domain Security Management Shell Commands

P1Shell includes both general Multi-Domain Security Management commands and its own Native P1Shell commands.

To view a list of available Multi-Domain Security Management commands, enter help or ?. When the logged-in user is a Domain Superuser, commands that are available only to Multi-Domain Security Management Superusers, not to Domain Superusers, do not appear in the list.

General Multi-Domain Security Management Commands

Available commands are listed below. To learn more, see the R77 Command Line Interface Reference Guide.

Commands indicated as Limited are available only to Multi-Domain Security Management Superusers, not to Domain Superusers. All other listed commands are available to both Multi-Domain Security Management Superusers and to Domain Superusers.

Any commands listed in the Not Supported column are not currently supported in P1Shell. If the Available Command Options column says All, it should be understood as: All commands are available, except for those in the Not Supported column.

Command | Limited? | Not Supported | Available Command Options
cpca_dbutil | | | print; convert; d2u; get_crl_mode
cpd_admin | | | For Multi-Domain Security Management Superuser: All; for Domain Superuser: debug on; list; ver
cpinfo | | | All
cplic | | | All, with these commands specific to Multi-Domain Security Management: cplic print shows all Domain Management Server and Multi-Domain Server licenses; cplic print -D shows only Domain Management Server licenses.
CPperfmon | | | hw; mdsconfig; procmem; monitor; off; summary
cppkg | | | add; setroot; del; print; getroot; get
cpprod_util | Limited | | All
cprinstall | | | get; verify; install; transfer; uninstall; boot; cprestart; cpstart; cpstop; show; snapshot; revert; delete
cprlic | | | All
cpstat | | | All
cpstat_monitor | | | All
cpvinfo | | | All
cpwd_admin | | | list
dbedit | | | All
dbver | | | -help; -s; -c; -u; -w; -m; -p
enable_mds_deletion | Limited | |
fw | | fetch; log; fetchlogs; monitor; stat; tab; mergefiles | For Multi-Domain Security Management Superuser: All; for Domain Superuser: logswitch; debug fwd; debug fwm
fwm | | dbimport; logexport | For Multi-Domain Security Management Superuser: All; for Domain Superuser: load; dbload; ver; unload; logexport; mds recalc_lics; mds fwmconnect; rebuild_global_communities_status
LSMcli | | cpinstall; snapshot; delete; revert | All
mds_backup | Limited | | All
mds_user_expdate | | | All
mdscmd | Limited | migrate management | All
mdsconfig | Limited | | All
mdsenv | | | All
mdsquerydb | | | All
mdsstart | Limited | | All
mdsstart_customer | | | All
mdsstat | | | All
mdsstop | Limited | | All
mdsstop_customer | | | All
promote_util | | | All
sam_alert | | | All

Native P1Shell Commands

Besides enabling Multi-Domain Security Management commands, P1Shell implements the following shell commands:

Command | Description
help [<command>] | Displays the command's help text, or (without arguments) lists the available commands.
Idle [<minutes>] | Sets the idle time before automatic logout to <minutes>, or (without arguments) displays the current idle time (default is 10 minutes).
exit | Exits P1Shell.
? [<command>] | Same as help.
set_outputdir <path> | Sets the output directory to <path>, where <path> is relative to the user's home directory.
set_inputdir <path> | Sets the input directory to <path>, where <path> is relative to the user's home directory.
display_io_dirs | Displays the input and output directories.
copy_logfiles -<process_name> [-l] | Copies the process's debug log files according to the environment context (Domain Management Server/Multi-Domain Server) to the output directory. <process_name> is one of: fwm, fwd, cpd, cpca. If -l is used, only the most recent log file is copied.
run <batch_file> | Runs a batch of Multi-Domain Server commands in sequence. The batch file must be in the defined input directory.
scroll [on|off] | Sets output scrolling on or off, or (without arguments) displays the current scroll setting. Scrolling is similar to the 'more' command.

Audit Logging

P1Shell logs audits in two different ways.

P1Shell saves all audits to a text file:

$MDS_SYSTEM/p1shell/log/p1shell_cmd_audit.log

In addition, P1Shell sends audits to the Multi-Domain Server to be logged. These audits can be viewed in SmartView Tracker. If the Multi-Domain Server is not running at the time of the audited event, and it later starts during the same P1Shell session, the audit is sent to the Multi-Domain Server at that point. If the Multi-Domain Server is down from the time of the event until the end of the P1Shell session, the Multi-Domain Server does not receive the audit; only the local text file has it.

Command Line Reference

cma_migrate

Description

This command imports an existing Security Management Server or Domain Management Server into a Multi-Domain Server so that it will become one of its Domain Management Servers. If the imported Security Management or Domain Management Server is of a version earlier than the Multi-Domain Server to which it is being imported, then the Upgrade process is performed as part of the import.

It is recommended that you run cma_migrate to import Domain Management Server or Security Management Server database files created using the export_database tool.

It is important to note that the source and target platforms can be different. The source management to be imported can be Solaris, Linux, Windows, Gaia, SecurePlatform or IPSO.

Syntax

cma_migrate <source management directory path> <target Domain Management Server FWDIR directory>

Argument | Description
source management directory path | The root of the original source database directory: the FWDIR directory, or a copy of it.
target Domain Management Server FWDIR directory | The directory of the Domain Management Server that you are migrating to.

The target Domain Management Server must never have been started before running cma_migrate. There is no need to stop the Multi-Domain Server before running cma_migrate.

cpmiquerybin

Description

The cpmiquerybin utility is the binary core of the Database Query Tool (for the Database Query Tool, see mdsquerydb). This command-line CPMI client connects to the specified database, executes a query and displays the results as either a collection of FW-1 Sets or a tab-delimited list of the requested fields from each retrieved object. The target database of the query tool depends on the environment settings of the shell being used.

To access one of the Multi-Domain Server databases, first run the mdsenv command to define the environment variables needed for the database connection. To connect to the database of a particular Domain Management Server, run mdsenv with the Domain Management Server name or IP address as its first parameter (see also mdsenv).

Note - A MISSING_ATTR string is displayed when you specify an attribute name that does not exist in one of the objects in the query result. The MISSING_ATTR string indicates that the attribute is missing from that object.

Exit Code

0 when the query succeeds; 1 if the query fails or the query syntax is bad.

Usage

cpmiquerybin <query_result_type> <database> <table> <query> [-a <attributes_list>]

Argument | Description
query_result_type | Requested format of the query result. Possible values: attr - display the values of the fields specified with the -a parameter for each retrieved object; object - display FW-1 sets containing the data of each retrieved object.
database | Name of the database to connect to, in quotes. For instance, "mdsdb" or "".
table | Table to retrieve the data from, for instance, network_objects.
query | Empty query ("") or a query specifying the range of objects to retrieve, for instance name='a*'.
-a attributes_list | If query_result_type is attr, a comma-delimited list of the object fields to display. The object name can be accessed using a special "virtual" field called "__name__". Example: __name__,ipaddr

Example

Print all network objects in the default database:

cpmiquerybin object "" network_objects ""

Print the hosted_by_mds and ipaddr attributes of all network objects in database "mdsdb":

mdsenv
cpmiquerybin attr "mdsdb" network_objects "" -a hosted_by_mds,ipaddr
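Because cpmiquerybin reports a missing attribute by printing MISSING_ATTR in the field rather than by failing (the exit code is 1 only for a failed or malformed query), a script that consumes attr output should check for it explicitly. The added example below is not part of cpmiquerybin: it scans the tab-delimited attr output for MISSING_ATTR fields and reports which object lacks which attribute. It assumes __name__ is the first entry in the -a list, so the first column names the object; the sample output lines in the accompanying test are constructed.

```shell
#!/bin/sh
# Added example (not Check Point code): post-process "cpmiquerybin attr"
# output. Assumes one object per line with the requested attributes
# tab-separated, in the order given to -a, with __name__ first.

# report_missing_attr ATTR_LIST < output
# Prints "<object> <attribute>" for every MISSING_ATTR field found.
# Returns 1 if any were found, 0 otherwise.
report_missing_attr() {
    awk -F'\t' -v attrs="$1" '
        BEGIN { n = split(attrs, names, ",") }
        {
            for (i = 1; i <= n; i++)
                if ($i == "MISSING_ATTR") { print $1, names[i]; found = 1 }
        }
        END { exit found ? 1 : 0 }'
}

# query_attrs DB TABLE QUERY ATTR_LIST
# Runs the query (after mdsenv has set the environment) and fails both on
# a bad query (cpmiquerybin exit code 1) and on any missing attribute.
query_attrs() {
    out=$(cpmiquerybin attr "$1" "$2" "$3" -a "$4") || return 1
    printf '%s\n' "$out" | report_missing_attr "$4"
}
```

Saved output can be checked later with `report_missing_attr __name__,ipaddr < saved.tsv`; a non-zero status then means at least one object in the result set does not carry one of the requested attributes.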

dbedit

Description

This utility can be used in a Multi-Domain Security Management configuration together with the mdsenv command. The commands specific to accessing the Multi-Domain Server and Domain Management Server environment are included here.

Usage

dbedit -mds
dbedit -s <ServerIP> -d mdsdb -u <Admin> -p <password>
dbedit -s <Domain Management Server_IP> -u <Domain Management Server_Admin> -p <password>

Argument | Description
-mds | Access without user name and password. Use this command only for Domain Management Server or Multi-Domain Server configuration on the computer on which you run this command.
-s <ServerIP> | IP address of the Multi-Domain Server to connect to.
-u <Admin> -p <password> | Credentials of a Multi-Domain Security Management administrator with password for remote login, from a valid Multi-Domain Server GUI Client. Beware not to expose your administrator password during remote login.
-d mdsdb | Edit the MDSDB, the Multi-Domain Server database.

Examples:

To edit the database that resides on the Multi-Domain Server Global database, use the following commands:

mdsenv

dbedit -mds

To edit the database that resides on the Multi-Domain Server MDSDB database, use the following commands:

mdsenv

dbedit -mds -d mdsdb

To edit the Domain Management Server database, use the following command:

mdsenv Domain Management Server_Flower

dbedit 10.10.10.10 -mds

where 10.10.10.10 is the Domain Management Server IP.

To use dbedit on a remote Multi-Domain Server/Domain Management Server, the computer that you are running the dbedit on must be defined as an authorized GUI Client. The user must be a Multi-Domain Security Management administrator and provide a user name and password:
dbedit –s 10.10.10.10 -u CANDACE -p ****

where 10.10.10.10 is the Multi-Domain Server or Domain Management Server IP, and **** is a password.

To edit the remote Multi-Domain Server MDSDB database:

dbedit -s 10.10.9.1 -d mdsdb -u ROGER -p ****

where 10.10.9.1 is the Multi-Domain Server IP, ROGER is an administrator and **** is a password.

To edit the remote Domain Management Server database:

dbedit -s 10.10.19.1 -u SAMANTHA -p ****

where 10.10.19.1 is the Domain Management Server IP, SAMANTHA is an administrator and **** is a password.

mcd bin | scripts | conf

Description

This command provides a quick directory change to $FWDIR/<param>.

Example

mdsenv MyDServer1
mcd conf

Brings you to: /opt/CPmds-R77/Domains/MyDServer1/CPsuite-R77/fw1/conf

mds_backup

The mds_backup command backs up binaries and data from your Multi-Domain Server to the working directory. This command requires Superuser privileges.

mds_backup executes the gtar command on the product root directories containing data and binaries, and backs up all files except those specified in the mds_exclude.dat file ($MDSDIR/conf). The collected information is stored in a single .tgz file in the current working directory; the file name consists of the backup date and time, for example: 13Sep2002-141437.mdsbk.tgz

To perform a backup:

  1. Execute mds_backup from any location outside the product directory tree to be backed up. This becomes the working directory.
  2. Upon completion of the backup process, copy the backup .tgz file, together with the mds_restore, gtar and gzip command files, to your external backup location.

Usage

mds_backup [-g -L {all|best} -b {-d <target dir name>} -v -l -h]
mds_backup [-g -b {-d <target dir name>} -v -h]

Syntax

Argument | Description
-g | Executes without prompting to disconnect GUI clients.
-b | Batch mode - executes without asking anything (-g is implied).
-d | Specifies a directory in which to store the backup file. When not specified, the backup file is stored in the current directory. You cannot store the backup file in any location inside the product root directory tree.
-v | "Dry run" - shows all files to be backed up, but does not perform the backup operation.
-l | Excludes logs from the backup.
-L | Locks databases on the computer being backed up so that SmartDashboard cannot connect in Read/Write mode. You must use one of these argument options: all - if a lock attempt fails on a database (global or local), the backup stops; best - if a lock attempt fails on a database, the command continues to back up the database, but does not lock it.
-h | Help - displays help text.

Note: The lock databases option has no effect on SmartDomain Manager clients because they can only connect in the Read/Write mode.

Comments

When using the -g or -b options, make sure that no GUI clients or SmartReporter servers are connected. Otherwise, the backup file may contain inconsistencies due to database changes made during the backup process.

It is important not to run mds_backup from any of the directories that will be backed up. For example, when backing up a Multi-Domain Server, do not run mds_backup from /opt/CPmds-<current release>, because that is a circular reference (backing up the directory that you need to write into).

Active log files are not backed up, in order to avoid read-during-write inconsistencies. It is recommended to perform a log switch prior to the backup procedure.

Further Info

The Multi-Domain Server configuration can be backed up without backing up the log files. Such a backup will usually be significantly smaller than a full backup with logs. To back up without log files, add the following line to the file $MDSDIR/conf/mds_exclude.dat:

log/*
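The two rules above, never run mds_backup from inside the product tree and ship the .tgz together with mds_restore, gtar and gzip, can be scripted as a pre-check and a post-step. The shell functions below are an added example and not Check Point code; the product root and the directory holding mds_restore, gtar and gzip are passed in as parameters because this page does not fix their locations, and the file names in the accompanying test are constructed.

```shell
#!/bin/sh
# Added example (not Check Point code): pre- and post-checks around
# mds_backup. PRODUCT_ROOT and BIN_DIR (where mds_restore, gtar and gzip
# live) are supplied by the caller; their locations are not fixed here.

# outside_product_tree DIR PRODUCT_ROOT
# Returns 0 if DIR (resolved) is neither PRODUCT_ROOT nor below it, i.e. it
# is safe as the mds_backup working directory or -d target.
outside_product_tree() {
    dir=$(cd "$1" 2>/dev/null && pwd -P) ||
        { echo "no such directory: $1" >&2; return 1; }
    root=$(cd "$2" 2>/dev/null && pwd -P) || root=${2%/}
    case "$dir" in
        "$root"|"$root"/*)
            echo "$1 is inside the product tree $2 (circular reference)" >&2; return 1 ;;
    esac
    return 0
}

# is_backup_name NAME: matches the documented <date>-<time>.mdsbk.tgz form,
# e.g. 13Sep2002-141437.mdsbk.tgz.
is_backup_name() {
    echo "$1" | grep -Eq '^[0-9]{2}[A-Z][a-z]{2}[0-9]{4}-[0-9]{6}\.mdsbk\.tgz$'
}

# stage_backup_set BACKUP_FILE BIN_DIR DEST
# Step 2 of the backup procedure: copy the archive together with mds_restore,
# gtar and gzip (taken from BIN_DIR) to the external backup location DEST.
stage_backup_set() {
    f=$1; bin=$2; dest=$3
    is_backup_name "$(basename "$f")" ||
        { echo "not an mds_backup archive name: $f" >&2; return 1; }
    mkdir -p "$dest" || return 1
    for item in "$f" "$bin/mds_restore" "$bin/gtar" "$bin/gzip"; do
        [ -f "$item" ] || { echo "missing: $item" >&2; return 1; }
        cp "$item" "$dest"/ || return 1
    done
    return 0
}
```

A wrapper would call `outside_product_tree "$PWD" /opt/CPmds-R77` (and the same for any -d target) before running mds_backup, then `stage_backup_set <archive> <bin dir> <external location>` once the archive exists; the restore set is only complete when all four files land in the external location.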

mds_restore

Description

Restores a Multi-Domain Server that was previously backed up with mds_backup. For correct operation, the backup should be restored onto a clean Multi-Domain Server installation.

Note - Run the copy of the mds_restore script that was created in the directory where the backup file was created (the mds_backup working directory).

Syntax

./mds_restore <backup file>

Important - In Gaia, you have to run this command in expert mode and in the same directory as the backup file itself.

mds_user_expdate

Description

Changes multiple administrator expiration dates in one operation. You can do this for administrators on all Domain Management Servers or for users on one or more specified Domain Management Servers.

Usage

mds_user_expdate

Important

  • Disconnect all GUI clients before running the mds_user_expdate command. If you do not, the SmartDomain Manager will overwrite the changes made by the command.
  • You can use the mds_user_expdate command only on an Active Multi-Domain Server in a High Availability deployment. You must synchronize your servers and install policies on your Security Gateways after using this command.
  • We recommend that you back up your Multi-Domain Servers before using the mds_user_expdate command.

mdscmd

Description

This command executes different commands on the Multi-Domain Server system. It connects to a Multi-Domain Server as a CPMI client and causes it to execute one of the sub-commands described below. The connection parameters [-m serverName -u user -p password] are required to log into a remote Multi-Domain Server. If these arguments are omitted, mdscmd connects to the local machine. The command is a CPMI client and has an audit log.

Usage

mdscmd <sub command and sub command parameters> [-m <serverName> -u user -p password]
mdscmd help

Argument | Description
-m ServerName | Remote Multi-Domain Server host name or IPv4 address. You must use this argument when you work with a Domain Management Server on a remote Multi-Domain Server. The remote Multi-Domain Server must be defined as a GUI client.
-u user and -p password | Credentials of the Superuser for the remote Multi-Domain Server. These arguments are necessary to log in to the remote Multi-Domain Server. Make sure that you do not show the password during remote login.
help | Prints the usage of an mdscmd command and a list of examples.

mdscmd adddomain

Description

Use the mdscmd adddomain command to create a Domain, locally or remotely. If run remotely, add login details. You can also create the first Domain Management Server with this command.

Syntax

mdscmd adddomain <DomainName> <-n Name | -i IPv4 | -a IPv6> [-t target <ServerName>][-m <ServerName> -u user -p password]

Argument | Description
DomainName | Name of the Domain to which the Domain Management Server is assigned. The name cannot include spaces or special characters (except for the underscore character).
-n Name | Domain Management Server name.
-i IPv4 | Domain Management Server IPv4 address. If you do not use the -i argument, the system automatically assigns an address from a predefined pool of available addresses.
-a IPv6 | Domain Management Server IPv6 address. If you do not use the -a argument, the system automatically assigns an address from a predefined pool of available addresses.
-t target ServerName | Optional: Name of the Multi-Domain Server that the Domain Management Server is assigned to. This argument is necessary only if you assign the Domain Management Server to a remote Multi-Domain Server.
-m ServerName | Remote Multi-Domain Server host name or IPv4 address. You must use this argument when you work with a Domain Management Server on a remote Multi-Domain Server. The remote Multi-Domain Server must be defined as a GUI client.
-u user and -p password | Credentials of the Superuser for the remote Multi-Domain Server. These arguments are necessary to log in to the remote Multi-Domain Server. Make sure that you do not show the password during remote login.

You must use at least one of these arguments to identify the Domain Management Server:

  • -n Name
  • -i IPv4
  • -a IPv6

When you create a new object, you can use one or more of these arguments to manually define the name or IP address.

You must configure ranges of IPv4 and IPv6 addresses on your Multi-Domain Server for automatic address assignment to work. If no ranges are defined or no addresses are available, the command fails.

The -t, -m and -u arguments are necessary only when you assign a Domain Management Server to a different, remote Multi-Domain Server (not the one on which you run the mdscmd command).

Note - The old form of this command (mdscmd addcustomer) is still supported in this release.
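The naming and identifier rules for mdscmd adddomain (no spaces or special characters other than underscore, at least one of -n, -i or -a, and the remote-assignment arguments only for a remote Multi-Domain Server) can be checked before the command runs, so that a malformed request is rejected locally rather than by the Multi-Domain Server. The POSIX shell validator below is an added example, not part of mdscmd; the function names, the treatment of -m, -u and -p as an all-or-none set that -t target requires, and the restriction of -i to IPv4 dotted quads are assumptions of this example. The names and addresses in the accompanying test are constructed.

```shell
#!/bin/sh
# Added example (not Check Point code): checks the argument rules of
# "mdscmd adddomain" before the command is run. Assumptions: -m, -u and -p
# are all-or-none, -t target requires them, and -i is an IPv4 dotted quad.

# mds_name_ok NAME: letters, digits and underscore only (no spaces or other
# special characters), as required for Domain and Domain Management Server names.
mds_name_ok() {
    case "$1" in
        ''|*[!A-Za-z0-9_]*) return 1 ;;
    esac
    return 0
}

# ipv4_ok ADDR: four numeric octets, each 0-255.
ipv4_ok() {
    echo "$1" | awk -F. '
        NF == 4 { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1; exit 0 }
        { exit 1 }'
}

# validate_adddomain DomainName [-n Name] [-i IPv4] [-a IPv6]
#                    [-t target ServerName] [-m ServerName -u user -p password]
# Returns 0 if the argument list follows the documented rules, 1 otherwise.
validate_adddomain() {
    mds_name_ok "$1" || { echo "invalid DomainName: $1" >&2; return 1; }
    shift
    ident=0; target=0; m=0; u=0; p=0
    while [ $# -gt 0 ]; do
        case "$1" in
            -n) mds_name_ok "$2" || { echo "invalid Domain Management Server name: $2" >&2; return 1; }
                ident=1; shift 2 ;;
            -i) ipv4_ok "$2" || { echo "invalid IPv4 address: $2" >&2; return 1; }
                ident=1; shift 2 ;;
            -a) [ -n "$2" ] || { echo "-a needs an IPv6 address" >&2; return 1; }
                ident=1; shift 2 ;;
            -t) [ "$2" = target ] && [ -n "$3" ] ||
                    { echo "-t must be followed by: target <ServerName>" >&2; return 1; }
                target=1; shift 3 ;;
            -m) [ -n "$2" ] || { echo "-m needs a server name" >&2; return 1; }; m=1; shift 2 ;;
            -u) [ -n "$2" ] || { echo "-u needs a user name" >&2; return 1; }; u=1; shift 2 ;;
            -p) [ -n "$2" ] || { echo "-p needs a password" >&2; return 1; }; p=1; shift 2 ;;
            *)  echo "unknown argument: $1" >&2; return 1 ;;
        esac
    done
    [ $ident -eq 1 ] || { echo "use at least one of -n, -i, -a" >&2; return 1; }
    remote=$((m + u + p))
    if [ $remote -ne 0 ] && [ $remote -ne 3 ]; then
        echo "-m, -u and -p must be given together" >&2; return 1
    fi
    if [ $target -eq 1 ] && [ $remote -ne 3 ]; then
        echo "-t target requires -m, -u and -p for the remote Multi-Domain Server" >&2; return 1
    fi
    return 0
}
```

Because the same name rule applies to addmanagement, addlogserver and deletelogserver, mds_name_ok can be reused for those sub-commands as well; validate_adddomain itself should be called with exactly the argument list that will be passed to mdscmd adddomain.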

mdscmd addmanagement

Description

This command creates a new Domain Management Server. You must first create at least one Domain before you can use this command. We recommend that you close SmartDomain Manager before running this command.

Syntax

mdscmd addmanagement <DomainName> [-n <Name> | -i <IPv4> | -a <IPv6>] [-t target <ServerName>] [-m <ServerName> -u user -p password]

Argument | Description
DomainName | Name of the Domain to which the Domain Management Server is assigned.
-n Name | Domain Management Server name. The name cannot include spaces or special characters (except for the underscore character).
-i IPv4 | Domain Management Server IPv4 address. If you do not use the -i argument, the system automatically assigns an address from a predefined pool of available addresses.
-a IPv6 | Domain Management Server IPv6 address. If you do not use the -a argument, the system automatically assigns an address from a predefined pool of available addresses.
-t ServerName | Optional: Name of the Multi-Domain Server that the Domain Management Server is assigned to. This argument is necessary only if you assign the Domain Management Server to a remote Multi-Domain Server.
-m ServerName | Remote Multi-Domain Server host name or IPv4 address. You must use this argument when you work with a Domain Management Server on a remote Multi-Domain Server. The remote Multi-Domain Server must be defined as a GUI client.
-u user and -p password | Credentials of the Superuser for the remote Multi-Domain Server. These arguments are necessary to log in to the remote Multi-Domain Server. Make sure that you do not show the password during remote login.

Note - The old form of this command (mdscmd addcma) is still supported.

mdscmd addlogserver

Description

Use the addlogserver command to add a Domain Log Server to an existing Domain. To add a Domain Log Server to a Domain, you must define at least one Domain Management Server.

Syntax

mdscmd addlogserver <DomainName> [-n Name | -i IPv4 | -a IPv6] [-t target <ServerName>] [-m <ServerName> -u user -p password]

Argument | Description
DomainName | Domain to which this Domain Log Server is assigned. The name cannot include spaces or special characters (except for the underscore character).
-n Name | Domain Management Server name. If you do not use the -n argument, the system automatically generates a Domain Management Server name with this format: Domain_Management_Server_<sequence number>.
-i IPv4 | Domain Management Server IPv4 address. If you do not use the -i argument, the system automatically assigns an address from a predefined pool of available addresses.
-a IPv6 | Domain Management Server IPv6 address. If you do not use the -a argument, the system automatically assigns an address from a predefined pool of available addresses.
-t target ServerName | Optional: Name of the Multi-Domain Server that the Domain Management Server is assigned to. This argument is necessary only if you assign the Domain Management Server to a remote Multi-Domain Server.
-m ServerName | Remote Multi-Domain Server host name or IPv4 address. You must use this argument when you work with a Domain Management Server on a remote Multi-Domain Server. The remote Multi-Domain Server must be defined as a GUI client.
-u user and -p password | Credentials of the Superuser for the remote Multi-Domain Server. These arguments are necessary to log in to the remote Multi-Domain Server. Make sure that you do not show the password during remote login.

You must use at least one of these arguments to identify the Domain Management Server:

  • -n Name
  • -i IPv4
  • -a IPv6

When you create a new object, you can use one or more of these arguments to manually define the name or IP address.

You must configure ranges of IPv4 and IPv6 addresses on your Multi-Domain Server for automatic address assignment to work. If no ranges are defined or no addresses are available, the command fails.

The -t, -m and -u arguments are necessary only when you assign a Domain Management Server to a different, remote Multi-Domain Server (not the one on which you run the mdscmd command).

Note - The old version of this command (mdscmd addclm) is still supported.

mdscmd assignadmin

Description

Assigns an administrator to a Domain using the specified permissions profile.

Syntax

mdscmd assignadmin <administrator name> <administrator profile> <domain name>

Parameters

Parameter | Description
administrator name | Administrator name
administrator profile | Administrator permissions profile
domain name | Name of the Domain to which the administrator is assigned.

Example

mdscmd assignadmin Reuven Default_Profile NewYorkBranch

mdscmd assignguiclient

Description

Assigns a GUI client to the specified Domain.

Syntax

mdscmd assignguiclient <domain name> <gui client>

Parameters

  • domain name - Domain name.
  • gui client - Name of a Multi-Domain Security Management GUI client used by the specified Domain.

Example

mdscmd assignguiclient NewYorkBranch Telco_Admins

mdscmd deletedomain

Description

Use this command to delete an existing Domain. When you delete a Domain, you also delete its Domain Management Servers.

Usage

mdscmd deletedomain <DomainName> -m <ServerName> -u <user> -p <password>

Arguments

  • DomainName - Name of the Domain.
  • -m ServerName - Remote Multi-Domain Server host name or IPv4 address. You must use this argument when you work with a Domain Management Server on a remote Multi-Domain Server. The remote Multi-Domain Server must be defined as a GUI client.
  • -u user and -p password - Credentials of the Superuser for the remote Multi-Domain Server. These arguments are necessary to log in to the remote Multi-Domain Server. Make sure that you do not show the password during remote login.

Note - The old version of this command (mdscmd deletecustomer) is still supported.

mdscmd deletelogserver

Description

Use this command to delete an existing Domain Log Server.

Syntax

mdscmd deletelogserver <DomainName> <-n Name | -i IPv4 | -a IPv6 > -m <ServerName> -u user name -p password

Arguments

  • DomainName - Name of the Domain to which the Domain Management Server is assigned. The name cannot include spaces or special characters (except for the underscore character).
  • -n Name - Domain Management Server name.
  • -i IPv4 - Domain Management Server IPv4 address. If you do not use the -i argument, the system automatically assigns an address from a predefined pool of available addresses.
  • -a IPv6 - Domain Management Server IPv6 address. If you do not use the -a argument, the system automatically assigns an address from a predefined pool of available addresses.
  • -m ServerName - Remote Multi-Domain Server host name or IPv4 address. You must use this argument when you work with a Domain Management Server on a remote Multi-Domain Server. The remote Multi-Domain Server must be defined as a GUI client.
  • -u user and -p password - Credentials of the Superuser for the remote Multi-Domain Server. These arguments are necessary to log in to the remote Multi-Domain Server. Make sure that you do not show the password during remote login.

You must use at least one of these arguments to identify the Domain Management Server:

  • -n DomainName
  • -i IPv4
  • -a IPv6

When you create a new object, you can use one or more of these arguments to manually define the name or IP address.

You must configure ranges of IPv4 and IPv6 addresses on your Multi-Domain Server for automatic address assignment to work. If no ranges are defined or no IP addresses are available, the command fails.

The -t, -m and -u arguments are necessary only when you assign a Domain Management Server to a different, remote Multi-Domain Server (not the one on which you run the mdscmd command).

Note - The old version of this command (mdscmd deleteclm) is still supported.

mdscmd enableglobaluse

Description

Use this command to connect a Domain Security Gateway to a Global VPN Community. Executing this command with a Domain name and a Security Gateway name creates a global Security Gateway object and a VPN Domain object for the specified Domain Security Gateway in the Global database.

[-g global name] determines the global Security Gateway object name. If [-g global name] is omitted, the global name will be gGW1_of_CUST1 for the Security Gateway GW1 and Domain CUST1.

The VPN Domain object receives the same name as the global Security Gateway object, with a '_Domain' extension.

Usage

mdscmd enableglobaluse <DomainName> <gatewayName> [-g <globalName>] [-m <ServerName> -u user -p password]

Arguments

  • DomainName - Domain to which the Domain Management Server belongs.
  • gatewayName - Security Gateway to connect to the VPN.
  • -g globalName - The global Security Gateway object name. If omitted, the global name will be gGW1_of_CUST1 for the Security Gateway GW1 and Domain CUST1.
  • -m ServerName - Name or IP address of the Multi-Domain Server to connect to.
  • -u user and -p password - Credentials of the Superuser for the remote Multi-Domain Server. These arguments are necessary to log in to the remote Multi-Domain Server. Make sure that you do not show the password during remote login.

Comments

mdscmd enableglobaluse is equivalent to enabling global use of a Security Gateway from SmartDomain Manager.

mdscmd disableglobaluse

Description

Use this command to remove a Domain global Security Gateway object and VPN Domain object from the Global database.

Usage

mdscmd disableglobaluse <DomainName> <gatewayName> [-m <ServerName> -u user -p password]

Arguments

  • DomainName - Specifies the name of the Domain to which the Domain Management Server belongs.
  • gatewayName - Specifies the name of the Security Gateway.
  • -m <ServerName> - Specifies the name or IP address of the Multi-Domain Server you want to connect to.
  • -u user and -p password - Used as a pair, they must specify a valid Superuser administrator and password for remote login. In addition, the computer on which the command is executed must be a valid Multi-Domain Server GUI Client. Beware not to expose your administrator password during remote login.

Comments

mdscmd disableglobaluse is equivalent to disabling the global use of a Security Gateway from SmartDomain Manager.

mdscmd removeadmin

Description

Removes an administrator from the specified Domain.

Syntax

mdscmd removeadmin <administratorName> <domainName>

Parameters

  • administratorName - Administrator name.
  • domainName - Domain name.

Example

mdscmd removeadmin George NewYorkBranch

mdscmd removeguiclient

Description

Removes a GUI client from the specified Domain.

Syntax

mdscmd removeguiclient <domainName> <guiClient>

Parameters

  • domainName - Domain name.
  • guiClient - Name of a Multi-Domain Security Management GUI client used by the specified Domain.

Example

mdscmd removeguiclient NewYorkBranch Telco_Admins

mdscmd startmanagement

Description

Use this command to start an existing Domain Management Server.

Syntax

mdscmd startmanagement <DomainName> <-n name | -i IPv4 | -a IPv6 > -m <ServerName> -u user name -p password

Arguments

  • DomainName - Name of the Domain to which the Domain Management Server is assigned. The name cannot include spaces or special characters (except for the underscore character).
  • -n Name - Domain Management Server name.
  • -i IPv4 - Domain Management Server IPv4 address. If you do not use the -i argument, the system automatically assigns an address from a predefined pool of available addresses.
  • -a IPv6 - Domain Management Server IPv6 address. If you do not use the -a argument, the system automatically assigns an address from a predefined pool of available addresses.
  • -m ServerName - Remote Multi-Domain Server host name or IPv4 address. You must use this argument when you work with a Domain Management Server on a remote Multi-Domain Server. The remote Multi-Domain Server must be defined as a GUI client.
  • -u user and -p password - Credentials of the Superuser for the remote Multi-Domain Server. These arguments are necessary to log in to the remote Multi-Domain Server. Make sure that you do not show the password during remote login.

You must use at least one of these arguments to identify the Domain Management Server:

  • -n DomainName
  • -i IPv4
  • -a IPv6

When you create a new object, you can use one or more of these arguments to manually define the name or IP address.

You must configure ranges of IPv4 and IPv6 addresses on your Multi-Domain Server for automatic address assignment to work. If no ranges are defined or no IP addresses are available, the command fails.

The -t, -m and -u arguments are necessary only when you assign a Domain Management Server to a different, remote Multi-Domain Server (not the one on which you run the mdscmd command).

Note - The old version of this command (mdscmd startcma) is still supported.

mdscmd stopmanagement

Description

Use this command to stop a running Domain Management Server.

Syntax

mdscmd stopmanagement <DomainName> [-n <Name> | -i <IPv4> | -a <IPv6>] -m <ServerName> -u user name -p password

Arguments

  • DomainName - Name of the Domain to which the Domain Management Server is assigned. The name cannot include spaces or special characters (except for the underscore character).
  • -n Name - Domain Management Server name.
  • -i IPv4 - Domain Management Server IPv4 address. If you do not use the -i argument, the system automatically assigns an address from a predefined pool of available addresses.
  • -a IPv6 - Domain Management Server IPv6 address. If you do not use the -a argument, the system automatically assigns an address from a predefined pool of available addresses.
  • -m ServerName - Remote Multi-Domain Server host name or IPv4 address. You must use this argument when you work with a Domain Management Server on a remote Multi-Domain Server. The remote Multi-Domain Server must be defined as a GUI client.
  • -u user and -p password - Credentials of the Superuser for the remote Multi-Domain Server. These arguments are necessary to log in to the remote Multi-Domain Server. Make sure that you do not show the password during remote login.

You must use at least one of these arguments to identify the Domain Management Server:

  • -n DomainName
  • -i IPv4
  • -a IPv6

When you create a new object, you can use one or more of these arguments to manually define the name or IP address.

You must configure ranges of IPv4 and IPv6 addresses on your Multi-Domain Server for automatic address assignment to work. If no ranges are defined or no IP addresses are available, the command fails.

The -t, -m and -u arguments are necessary only when you assign a Domain Management Server to a different, remote Multi-Domain Server (not the one on which you run the mdscmd command).

Note - The old version of this command (mdscmd stopcma) is still supported.

mdscmd migratemanagement

Description

Use this command to migrate/import an existing source database (from a Security Management Server or Domain Management Server) into another Domain Management Server.

You can use mdscmd migratemanagement to import files created using the export_database tool.

Usage

mdscmd migratemanagement <DomainName> <-l path> <-n name>

Arguments

  • DomainName - Domain to which the new Domain Management Server belongs.
  • -n name - New Domain Management Server into which the source database information is migrated.
  • -l path - Path containing the conf directory migrated into the new Domain Management Server.

Example

Migrate a source database from an NGX R65 Domain Management Server, named MyFirstDMS, into the Domain Management Server BestDomain, defined for the Domain BestDomain:

mdscmd migratemanagement BestDomain -l /opt/CPmds-R65/Domains/MyFirstDMS/CPfw1-R65 -n BestDomain

See also cma_migrate.

Note - The old version of this command (mdscmd mirrrorcma) is still supported.

mdscmd mirrormanagement

Description

Use this command to mirror the Domain Management Server configuration from one Multi-Domain Server to another Multi-Domain Server. This command is used to create Domain Management Server High Availability. This command parses all Domains and checks which Domains have a single Domain Management Server defined. If a Domain has a Domain Management Server on the source Multi-Domain Server, a secondary Domain Management Server is created on the target Multi-Domain Server.

Syntax

mdscmd mirrormanagement -s source_mds -t target_mds [-m ServerName -u user -p password]

Arguments

  • -s source_mds - Multi-Domain Server the mirroring is performed from.
  • -t target_mds - Multi-Domain Server the mirroring is targeted toward.
  • -m ServerName - Remote Multi-Domain Server host name or IPv4 address. You must use this argument when you work with a Domain Management Server on a remote Multi-Domain Server. The remote Multi-Domain Server must be defined as a GUI client.
  • -u user and -p password - Used as a pair, they must specify a valid Superuser administrator and password for remote login. In addition, the computer on which the command is executed must be a valid Multi-Domain Server GUI Client. Beware not to expose your administrator password during remote login.

Note - The old version of this command (mdscmd mirrorcma) is still supported.
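Every remote form of mdscmd above (-m ServerName -u user -p password) takes the Superuser password as a command-line argument and warns against exposing it. As an added example that is not part of the Check Point documentation, here is a POSIX sh wrapper that reads the password from an owner-only credential file, refuses a file other users can read, and turns off xtrace before invoking the tool; the credential file layout, the host name mds2.example.net, the administrator name admin and the command-name parameter (so the wrapper can be exercised with a stub instead of the real mdscmd) are assumptions.

```shell
#!/bin/sh
# Added example, not from the Check Point documentation.
# Wrapper for the remote form of mdscmd (-m ServerName -u user -p password)
# that keeps the Superuser password out of interactive history, xtrace
# output and the script text itself: the password is read from a file that
# must be readable by its owner only. mdscmd itself still receives the
# password as an argument, so other local users on the same host can see it
# in the process list; run this only from the host that is defined as the
# Multi-Domain Server GUI client, as the page requires.
#
# Assumptions (hypothetical): the credential file holds the password on its
# first line; the command name is a parameter so the wrapper can be
# exercised with a stub instead of the real mdscmd.

# Return 0 only if the file exists and has mode 0600 or 0400.
cred_file_ok() {
    [ -f "$1" ] || return 1
    # GNU stat first, BSD stat as a fallback.
    mode=$(stat -c '%a' "$1" 2>/dev/null) || mode=$(stat -f '%Lp' "$1")
    case "$mode" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# Usage: mds_remote CMD SERVER USER CREDFILE SUBCOMMAND [ARGS...]
# With the real tool:
#   mds_remote mdscmd mds2.example.net admin /root/.mds_pw deletedomain NewYorkBranch
mds_remote() {
    cmd=$1; server=$2; user=$3; credfile=$4; shift 4
    cred_file_ok "$credfile" || {
        echo "refusing: $credfile is missing or readable by others" >&2
        return 2
    }
    pass=$(head -n 1 "$credfile")
    [ -n "$pass" ] || { echo "refusing: empty password in $credfile" >&2; return 2; }
    set +x   # never echo the expanded command line, even if the caller enabled xtrace
    "$cmd" "$@" -m "$server" -u "$user" -p "$pass"
}
```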

mdsenv

Description

This command prepares the shell environment variables for running Multi-Domain Server level command lines or specific Domain Management Server command lines. Without an argument, the command sets the shell for Multi-Domain Server level commands (mdsstart, mdsstop, and so on).

Usage

mdsenv [<Name>]

Arguments

  • Name - Domain Management Server name. If given, the command prepares the shell for the Domain Management Server command line.

mdsquerydb

Description

The mdsquerydb command runs the Database Query Tool. The purpose of the Database Query Tool is to let advanced users create UNIX shell scripts that can easily access information stored in the Check Point Security Management Server databases. These include the Global Database (usually accessed from the Global SmartDashboard), the Multi-Domain Server Database (usually accessed from the SmartDomain Manager) and the Domain Management Server databases (usually accessed from SmartDashboard).

Just as the mdscmd tool lets users write UNIX shell scripts that add, remove or alter specified Multi-Domain Security Management database objects, the Database Query Tool lets users access the information related to these database objects. The command is used with specific arguments to perform various queries on Security Management Server databases.

Usage

mdsquerydb key_name [-f output_file_name]

Arguments

  • key_name - Query key, which must be defined in the pre-defined queries configuration file.
  • -f output_file_name - Write query results to the file with the specified name, instead of to the standard output.

To retrieve a list of all defined keys:

mdsquerydb

To send the list of Domains in the Multi-Domain Server database to the standard output:

mdsenv
mdsquerydb Domains

To retrieve the list of network objects in the Global database and write the list to /tmp/gateways.txt:

mdsenv
mdsquerydb NetworkObjects -f /tmp/gateways.txt

To retrieve the list of gateway objects of the Domain Management Server called DServer1:

mdsenv DServer1
mdsquerydb Gateways -f /tmp/gateways.txt

Comments

The purpose of the Database Query Tool is to provide advanced users of Multi-Domain Security Management with a means of querying different Security Management Server databases from UNIX shell scripts. Some database queries are pre-defined in the configuration file. The configuration file (queries.conf) is in $MDSDIR/conf. End users should not edit this file under any circumstances.
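The page presents mdsquerydb as a building block for shell scripts. As an added example that is not part of the Check Point documentation, the following POSIX sh script uses the NetworkObjects query on the Global database for change detection, reporting Global objects that were added or removed since the previous run so that unexpected edits show up in a scheduled job. It assumes mdsquerydb writes one object name per line, and it takes the query command as a parameter so the logic can be exercised with a stub instead of the real tool; the state directory path is an assumption as well.

```shell
#!/bin/sh
# Added example, not from the Check Point documentation: change detection on
# the Global database using the mdsquerydb NetworkObjects query. Each run
# saves the current object list and reports objects added (+) or removed (-)
# since the previous run.
#
# Assumptions (hypothetical): mdsquerydb writes one object name per line to
# the -f file; the query command is a parameter so the logic can be exercised
# with a stub. Run "mdsenv" first so the query targets the Global database.

# Print lines present in NEW but not OLD prefixed "+", and the reverse "-".
inventory_diff() {
    old=$1; new=$2
    sort -u "$old" > "$old.sorted"
    sort -u "$new" > "$new.sorted"
    comm -13 "$old.sorted" "$new.sorted" | sed 's/^/+/'
    comm -23 "$old.sorted" "$new.sorted" | sed 's/^/-/'
    rm -f "$old.sorted" "$new.sorted"
}

# Usage: check_global_objects QUERYCMD STATEDIR
# With the real tool:  mdsenv; check_global_objects mdsquerydb /var/lib/mds-audit
# Returns 0 when nothing changed, 1 when objects were added or removed
# (the changes are printed), 2 when the query itself failed.
check_global_objects() {
    querycmd=$1; statedir=$2
    mkdir -p "$statedir"
    current="$statedir/NetworkObjects.current"
    previous="$statedir/NetworkObjects.previous"
    "$querycmd" NetworkObjects -f "$current" || return 2
    if [ -f "$previous" ]; then
        changes=$(inventory_diff "$previous" "$current")
    else
        changes=""   # first run: nothing to compare against yet
    fi
    mv "$current" "$previous"
    if [ -n "$changes" ]; then
        printf '%s\n' "$changes"
        return 1
    fi
    return 0
}
```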

mdsstart

Description

This command starts the Multi-Domain Server and all Domain Management Servers. You can reduce the time it takes to start and stop the Multi-Domain Server if you have many Domain Management Servers. To do so, set the variable NUM_EXEC_SIMUL to the number of Domain Management Servers to be launched or stopped simultaneously. When this variable is not defined, the system attempts to start or stop up to 10 Domain Management Servers simultaneously.

Usage

mdsstart [-m|-s]

Arguments

  • -m - Starts only the Multi-Domain Server and not the Domain Management Servers.
  • -s - Starts the Domain Management Servers sequentially: waits for each Domain Management Server to come up before starting the next.

mdsstat

Description

This command gives detailed information on the status of the Multi-Domain Server and Domain Management Server processes, including the up/down status of each process.

Usage

mdsstat [-h] [-m] [<Name>]

Arguments

  • -h - Displays the help message.
  • -m - Tests the status of the Multi-Domain Server only.
  • Name - The name of the Domain Management Server whose status is tested.

Status:

up: The process is up.
down: The process is down.
pnd: The process is pending initialization.
init: The process is initializing.
N/A: The process's PID is not yet available.
N/R: The process is not relevant for this Multi-Domain Server.

mdsstop

Description

This command stops the Multi-Domain Server and all the Domain Management Servers. You can reduce the time it takes to start and stop the Multi-Domain Server if you have many Domain Management Servers. To do so, set the variable NUM_EXEC_SIMUL to the number of Domain Management Servers to be launched or stopped simultaneously. When this variable is not defined, the system attempts to start or stop up to 10 Domain Management Servers simultaneously.

Usage

mdsstop [-m]

Arguments

  • -m - Stops the Multi-Domain Server without stopping the Domain Management Servers.

merge_plug-in_tables

Description

The merge_plug-in_tables utility is included in the export_database utility. It searches for all Domain Management Server or Security Management Server Version and Blade Updates and merges their plug-in tables with the Domain Management Server or Security Management Server tables.

On Linux, the merge_plug-in_tables tool runs automatically when you run the export_database tool, and its output becomes part of the Domain Management Server database .tgz file.

If you have a Security Management Server running on FreeBSD, IPSO 6.x, or Windows, use merge_plug-in_tables to consolidate plug-in data before migrating.

Before using the merge_plug-in_tables utility, you must:

  1. Copy the export tool .tgz file for your operating system to the source Domain Management Server or Security Management machine. The export tool files can be found on your installation DVD.
  2. Extract the export tool .tgz file to some path in the source machine.

    A directory called export_tools is extracted.

  3. Run the merge_plug-in_tables command from the export_tools directory.

Usage

merge_plug-in_tables <-p conf_dir> [-s] [-h]

  • -p conf_dir - The path of the $FWDIR directory of the Domain Management Server or Security Management Server.
  • -s - Runs the utility in silent mode (the default is interactive mode).
  • -h - Displays usage.

Example

To merge the plug-in tables of a Domain Management Server, DServer1, run:

mdsenv DServer1
merge_plug-in_tables -p "$FWDIR"

migrate_global_policies

Description

This utility transfers (and upgrades, if necessary) the global policies database from one Multi-Domain Server to the global policies database of another Multi-Domain Server. migrate_global_policies replaces all existing Global Policies and Global Objects. Each of the existing Global Policies is saved with a *.pre_migrate extension.

If you only migrate the global policies (without the Domain Management Servers) to a new Multi-Domain Server, you should disable any Security Gateways that are enabled for global use.

You can migrate global policies from these Multi-Domain Security Management versions:

  • R71.30 and later minor releases
  • R75.x
  • R76.x
  • R77.x

You can use migrate_global_policies to import files created using the export_database tool.

Usage

migrate_global_policies <path>

Arguments

  • path - The fully qualified path to the directory where the global policies files, originally exported from the source Multi-Domain Server ($MDSDIR/conf), are located.

Example

migrate_global_policies /tmp/exported_global_db.22Jul2007-124547.tgz

Configuration Procedures

Description

There is one primary command to configure the thresholds in the command line, threshold_config. You must be in expert mode to run it. After you run threshold_config, follow the on-screen instructions to make selections and configure the global settings and each threshold.

Usage

threshold_config

When you run threshold_config, you get these options:

  • Show policy name - Shows you the name configured for the threshold policy.
  • Set policy name - Lets you set a name for the threshold policy.
  • Save policy - Lets you save the policy.
  • Save policy to file - Lets you export the policy to a file.
  • Load policy from file - Lets you import a threshold policy from a file.
  • Configure global alert settings - Lets you configure global settings for how frequently alerts are sent and how many alerts are sent.
  • Configure alert destinations - Lets you configure a location or locations where the SNMP alerts are sent.
  • View thresholds overview - Shows a list of all thresholds that you can set including: The category of the threshold, if it is active or disabled, the threshold point (if relevant), and a short description of what it monitors.
  • Configure thresholds - Opens the list of threshold categories to let you select thresholds to configure.
 
©2014 Check Point Software Technologies Ltd. All rights reserved.