Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Mac OS X Engine CLI Commands

 

This chapter describes the CLI commands available for the Mac Mini Mac OS X “Secondary Core” detection engine device. There is no Collector Mode on this device.

Note

You must enclose non-alphabet characters in double quotes in CLI commands.

Basic Mode Commands

Use general system commands to configure the appliance, view appliance history, enter other CLI modes, obtain help with CLI syntax, and to exit the CLI session.

The general commands are:

Refer to the respective chapters in this guide to review Collector Mode, Diagnosis Mode and Server Mode commands per device-- All-in-One, Mac OS X Engine, Traffic Collector and CoreCM.

Core Mode Commands

Server Mode Commands

Diagnosis Mode Commands

Mac OS X Detection Engine CLI Commands

capture-start

Table 1: capture-start

Description

Starts packet capture as a means for diagnosing and debugging network traffic and obtaining stats.

See Also: diagnosis[mode];copy

Product(s) CLI

All-in-One | Collector | Core | Mac OS X Detection Engine

Mode(s)

Diagnosis

Syntax

capture-start

Parameters

<IP address> <interface_name>

Sub-Commands

None

Example

The following example starts a packet capture process on interface eth1 for a Traffic Collector with IP address 8.8.8.8:

hostname # diagnosis

hostname (diagnosis)# capture-start 8.8.8.8 eth1

Note: Note: Address 8.8.8.8 need not be a Juniper ATP Appliance. It is just a host that the capture filters on.

copy

Table 2: copy

Description

Uses Secure Copy (SCP) to scp to copy and transfer packet capture or traceback (crash) data to a remote location, providing the same authentication and level of security as an SSH transfer.

See Also: diagnosis [mode]; capture-start

Product(s) CLI

All-in-One | Collector | Core | Mac OS X Detection Engine

Mode(s)

Diagnosis

Syntax

copy capture <scp source_file_name username@destination_host:destination_folder> | traceback all <string URI as user@hostname:path>

Parameters

copy capture <scp remote filename_location>
copy traceback all <path string>
copy traceback <tab> [tab displays all available crash filenames]

Sub-Commands

None

Example

The following example copies the file "captureEth1.txt" from the local host to a remote host:

hostname (diagnosis)# copy capture scp captureEth1.txt

admin@remotehost.edu:/some/remote/directory

core

Table 3: core

Description

Enters core mode.

See Also: basic [mode];

Product(s) CLI

All-in-One | Collector | Core | Mac OS X Detection Engine

Mode(s)

Basic

Syntax

core

Parameters

None

Sub-Commands

exit, help, history, show, updateimage

Example

The following command example enters core configuration mode:

hostname # core

hostname (core)#

diagnosis

Table 4: diagnosis

Description

Enters the Diagnosis configuration and status check mode.

See Also: collector [mode], server [mode]

Product(s) CLI

All-in-One | Collector | Mac OS X Detection Engine

Mode(s)

Basic

Syntax

diagnosis

Parameters

None

Sub-Commands

capture-start;copy;exit; gssreport; help; histroy; set (server mode);setupcheck; show (diagnosis mode); shutdown

Example

The following example enters diagnosis configuration and status check mode:

hostname # diagnosis

hostname (diagnosis)# ?

exit

Table 5: exit

Description

Ends the CLI session.

Product(s) CLI

All-in-One | Collector | Core CM | Mac Mini OS X Detection Engine

Mode(s)

Basic | Server | Diagnosis

Syntax

exit

Parameters

None

Example

The following example ends a command mode or CLI session.

JATP# (diagnosis) exit
JATP#

gssreport

Table 6: gssreport

Description

Use the gssreport command to submit reports to Juniper Global Security Services (GSS), and to display the status of the current GSS report.

See Also:gssreport;diagnosis[mode]

Product(s) CLI

All-in-One | Collector | Mac OS X Detection Engine

Mode(s)

diagnosis

Syntax

gssreport status | submit

Parameters

status - displays the status of the current GSS report.

submit - submits a report to Juniper ATP Appliance GSS.

Sub-Commands

None

Example

The following examples display the status of a GSS report submission:

	hostname # diagnosis				
hostname (diagnosis)# gssreport submit
Successfully started GSS report
hostname (diagnosis)# gssreport status
GSS is currently enabled
Last 5-minute GSS report at 2015-07-28 10:34:24.414322:
successfully submitted
Last hourly GSS report at 2015-07-28 10:34:24.468259:
successfully submitted
Last daily GSS report at 2015-07-28 10:34:28.225512:
successfully submitted

help

Table 7: help

Description

Displays information about the CLI help system.

Product(s) CLI

All-in-One | Collector | Core CM | Mac Mini OS X Detection Engine

Mode(s)

Basic | Server | Diagnosis

Syntax

help

Parameters

None

Example

The following example shows some of the output of the help command.

CONTEXT SENSITIVE HELP
[?] - Display context sensitive help. This is either a list of possible command completions with summaries, or the full syntax of the current command. A subsequent repeat of this key, when a command has been resolved, will display a detailed reference.
AUTO-COMPLETION
The following keys both perform auto-completion for the current command line. If the command prefix is not unique then the bell will ring and a subsequent repeat of the key will display possible completions.
[enter] - Auto-completes, syntax-checks then executes a command. If there is a syntax error then offending part of the command line will be highlighted and explained.
[tab] - Auto-completes
[space] - Auto-completes, or if the command is already resolved inserts a space.
If “<cr>” is shown, that means that what you have entered so far is a complete command, and you may press Enter (carriage return) to execute it.
Use ? to learn command parameters and option:
JATP (server)# show f?
firewall Show the firewall configuration settings
interface
JATP (server)# show firewall?
all Show the current iptables settings
whitelist Show the iptables whitelist settings
show firewall whitelist?
<cr>
show firewall whitelist

histroy

Table 8: history

Description

Displays the current CLI session command line history.

Product(s) CLI

All-in-One | Collector | Core CM | Mac Mini OS X Detection Engine

Mode(s)

Basic | Server | Diagnosis

Syntax

history

Parameters

None

Example

The following examples returns command line history for the current CLI session.

JATP# (core) history

ifrestart

Table 9: ifrestart

Description

Restarts the interface driver and services using the interface.

Product(s) CLI

All-in-One | Core CM | Mac Mini OS X Detection Engine

Mode(s)

Server

Syntax

ifrestart eth0 | eth1

Parameters

eth0  		Restarts the management network administra interface.
eth1  		Restarts the monitoring network interface.

Example

The following example restarts the eth0 interface for the management network.

<FireEye_name># ifrestart eth0

ping

Table 10: ping

Description

Sends ICMP (Internet Control Message Protocol) echo request packets to a specified host name or IP address to verify that the destination is reachable over the network.

Product(s) CLI

All-in-One | Collector | Core CM | Mac Mini OS X Detection Engine

Mode(s)

Server

Syntax

ping [-c count] [-h hops] [string]

Parameters

-ccount

Number of echo requests to send. By default, pings ar continuously until you press Ctrl+C.

-hhops

Number of next hops between pings (default is 1).

string

IP address, hostname or interface name used to ping device address

Example

The following example sends three echo requests to the device with the IP Address 10.10.10.1

<FireEye_name># ping -c 3 10.10.10.1

PING 10.10.10.1 (10.10.10.1) 56(84) bytes of data.
64 bytes from 10.10.10.1: icmp_req=1 ttl=64 time=0.314 ms
64 bytes from 10.10.10.1: icmp_req=2 ttl=64 time=0.277 ms
64 bytes from v: icmp_req=3 ttl=64 time=0.274 m
--- 10.10.10.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 1999ms
rtt min/avg/max/mdev = 0.274/0.288/0.314/0.022 ms

reboot

Table 11: reboot

Description

Reboots the Juniper ATP Appliance.

Product(s) CLI

All-in-One | Collector | Core CM | Mac Mini OS X Detection Engine

Mode(s)

Server

Syntax

reboot

Parameters

None

Example

The following example reboots the system.

hostname# reboot

restart

Table 12: restart

Description

Restarts Juniper ATP Appliance services.

Product(s) CLI

All-in-One | Collector | Core CM | Mac Mini OS X Detection Engine

Mode(s)

Server

Syntax

restart [all | behaviorengine | cm | collector | core | correlationengine | database | ntpserver | sshserver | staticengine | webserver]

Parameters

all

Restarts all Juniper ATP Appliance services.

database

Restarts the Database.

ntpserver

Restarts the NTP server.

sshserver

Restarts the SSH server.

Example

The following example restarts the Central manager service.

JATP# restart cm

restore

Table 13: restore

Description

Restores the system configuration to the factory default settings.

Product(s) CLI

All-in-One | Collector | Core CM | Mac Mini OS X Detection Engine

Mode(s)

server

Syntax

restore [support | firewall {backup | default} | hostname | network]

Parameters

support

Restores the default support password setting remote login (set during initial installation per l See also (server)# set (server mode)

firewall {backup | default}

Restores the firewall settings from either the pr backup, or from the default factory settings.

Whitelist rules rely on normal service shutdown to be backed up.Powering off a VM directly will lose the whitelist state as rules cannot be saved in that case.

hostname

Restores the system’s hostname to the factory hostname.

network

Restores the IP address and DNS settings to th factory default settings.

 

Warning: This command option removes the IP address and DNS settings, and reloads the d values for these settings.

Example

The following example restores the system.

JATP# restore

This next example restores the SSH login “support” password to the default

JATP # restore support password

Restore the default support password? (Yes/No)? yes

support password was restored successfully!

server

Table 14: server

Description

Enters the server configuration mode.

Product(s) CLI

All-in-One | Collector | Core/CM | Mac Mini Mac OS X

Mode(s)

Basic

Syntax

server

Sub-Commands

exit; help; histroy; ifrestart; ping; reboot; restore; set (server mode); show (server mode); traceroute; updateimage

Whitelist rules rely on normal service shutdown to be backed up.Powering off a VM directly will lose the whitelist state as rules cannot be saved in that case.

Example

The following example enters server configuration mode:

hostname # server
hostname (server) # ?

set (server mode)

Table 15: set

Description

Configure the system settings.

Product(s) CLI

All-in-One | Collector | Core CM | Mac Mini OS X Detection Engine

Mode(s)

Server, See Also: set (diagnosis mode)

Syntax

set [autoupdate {on | off} | cli timeout secs | clock | cm address | support {enable | disable} localmode {enable | disable}| passphrase string | dns | firewall {all <backup | flush> | whitelist} | hostname string | ip interface {management | alternate-exhaust}| ntpserver | password | proxy {config | enabled | remove} | timezone string | uipassword]

Parameters

(See table below)

autoupdate {content | software} {on | off}
cli timeout secs

clock

cm address
set support {enable | disable} | {localmode}
passphrase string

dns

firewall {all <backup | flush> | whitelist <add | delete | flush>}

Note: Whitelist rules rely on normal service shutdown for backup.Powering off a VM directly loses the whitelist state as rules cannot be saved in that case.

hostname string
ip interface {management | alternateexhaust} <dhcp | address | netmask | gateway}

Turn on or off automatic product updates.

set autoupdate content on

Set CLI timeout period in seconds (0 = no timeout).

Sets the current date and time.

Sets the IP address of the Central Manager and netmask using slash notation; ex: AAA.BBB.CCC.DD/X

Enables remote SSH login “support” account or localmode enable|/disable.

Sets the device key password; enter a string.

Sets DNS (or enables DHCP for DNS) for the management interface by default if interface is unspecified.

Backs up or flushes (clears) all current iptables for a firewall, or adds, deletes or flushes the current iptables whitelist-specific settings for the firewall.

The “add” option adds an IP address to the iptables outbound whitelist.

# set firewall whitelist add 10.1.1.1

Sets the system’s host name.

Sets the IP address, netmask, or default gateway, or enables DHCP for the management or alternate-exhaust interface.

ntpserver

Sets the Network Time Protocol (NTP) server.

password

Sets a new password for the CLI administrator.

proxy {config <all|http> | enable <on|off> | remove <all|http>}

Config, enable/disable, or remove “all” proxy configs, or remove an HTTP-specific proxy server.

Tip: Config the proxy for “all” protocols first, and then change HTTP proxy as needed.

timezone {US/ Eastern | US/ Central | US/ Mountain

Show the current timezone; example:

set timezone US/Pacific

Tip: set timezone <tab> shows options.

uipassword

Sets a new admin password for CM Web UI access.

Examples

The following example sets an ip address for the device management interface eth0.

JATP# set ip interface 10.1.1.1

set (diagnosis mode)

Table 16: set

Description

Sets the logging levels for Juniper ATP Appliance components from diagnosis mode.

See Also:set (server mode)

Product(s) CLI

All-in-One | Collector | Core CM | Mac Mini OS X Detection Engine

Mode(s)

diagnosis

Syntax

set logging

Parameters

all

Sets logging for all Juniper ATP Appliance components.

default

Sets logging to the default parameters

debug

Sets logging at the debug level.

info

Sets logging at the info level.

warning

Sets logging at the warning level.

error

Sets logging at the error level.

critical

Sets logging at the critical level.

Example

The following example sets the default logging level for all Juniper ATP Appliance components.

JATP# set logging all

setupcheck

Table 17: setupcheck

Description

Checks and reports on basic configuration settings and analysis pipeline setup.

Product(s) CLI

All-in-One | Core CM | Mac Mini OS X Detection Engine

Mode(s)

diagnosis

Syntax

setupcheck {all | report | basic | analysis}

Parameters

all

Checks both basic settings and analysis pipelin.

report

Shows report of last setupcheck.

basic

Checks basic configuration settings.

analysis

Checks the analysis pipeline.

Example

The following example checks all basic configuration settings as well as the analysis pipeline:

JATP (diagnosis) # setupcheck all

show (core mode)

Table 18: show

Description

Displays the guest image(s) status.

See Also: show (server mode); show (diagnostic mode)

Product(s) CLI

All-in-One | Collector | Core CM | Mac Mini OS X Detection Engine

Mode(s)

Core

Syntax

show

Parameters

images

Displays guest image update and status information.

whitelist

Displays the name, hit count and the time of last hit of a user configured whitelist.

Note that when a whitelist rule is deleted, it will be removed from the list. Updates to existing rule are not affected by the presence of the rule in the output, but hit count could increment. Further, more than one rule can be hit by a single incident.

alternate-exhaustinterface

Displays the status of the alternate exhaust interface eth2.

Example

The following example demonstrates the show images command usage:

JATP(core)# show images

The following example shows how to get the alternate-exhaust interface (eth2) status:

JATP(core)# show alternate-exhaust interface

show (diagnosis mode)

Description

Sets the logging levels for Juniper ATP Appliance components from diagnosis mode.

See Also:show (server mode)

Product(s) CLI

All-in-One | Collector | Core CM | Mac Mini OS X Detection Engine

Mode(s)

diagnosis

Syntax

show

Parameters

device {collectorstatus | | corestatus | slavecorestatus}

Display connected device statistics for Traffic Collector, CoreCM, or Mac Mini Detection Engine Secondary “slave core.”

Note: Not available from the Mac Mini CLI.

protocol {web | email}

Displays the session counts for network web or email protocols.

Note: Not available from the Mac Mini CLI.

objects

Displays the current number of file objects.

Note: Not available from the Mac Mini CLI.

logging

Displays the currently-configured logging level.

See Also: set (diagnosis mode) logging

log error traceback

Displays only the tracebacks (if any) generated by Juniper ATP Appliance OS process error logs. A traceback is a stack

of functions that were executing when an error condition was encountered.

log error last <integer: number of lines to display>

Displays n [1-1000] lines of the contents of the common log file.

Example

The following example displays the connected Traffic Collector status.

osx-1(server)# show devicetype
Device type: slave_core.

show (server mode)

Table 19: show

Description

Display configurations and status information.

Product(s)CLI

All-in-One | Collector | Core CM | Mac Mini OS X Detection Engine

Mode(s)

Server, See Also: show (diagnosis mode)

Syntax

show

Parameters

(See the columns below)

 

autoupdate

Show the automatic update setting.

cli

Show the CLI setting.

clock

Show the current date and time.

cm

Show the Central Manager IP address.

controller

Show the driver state for interfaces.

support

Show support status.

description

Show the server or system description.

devicekey

Show the device key.

devicetype

Show the device type.

dns

Show the DNS servers settings.

eula

Show the End User License Agreement.

firewall [all <| whitelist]

Show the firewall configuration settings.

hostname

Show the system’s host name.

interface [management | monitoring | alternateexhaust]

(administrative) network interface eth0, or the monitoring interface (eth1), or the alternate-exhaust interface (eth2).

See Also: show controller

ip

Show the IP address of the management (administrative) interface eth0.

name

Show the server name.

ntpserver

Show the Network Time Protocol (NTP) server settings.

proxy

Show current proxy configuration.

stats [cpuload | disk | memory]

Show system statistics:

  • cpuload shows the average CPU load in the system for running processes in the last 1, 5 and 15 minute intervals.

  • disk shows the disk space usage in the system.

  • memory shows the system memory usage.

timezone

Show the current timezone.

upgrade

Show the last manual upgrade-related information.

uuid

Show the system UUID (universally unique ID).

uptime

Show how long the system has been running.

version

Show Juniper ATP Appliance software and content security versions.

Example

The following example displays information about the MacOSX cpuload statistics:

MacOSX (server)# # show stats cpuload
(0.06, 0.13, 0.13)

The following example requests details for the Collector’s monitoring interface (eth1):

MacOSX(server)# show interface monitoring

shutdown

Table 20: shutdown

Description

Shuts down the Juniper ATP Appliance server.

Product(s) CLI

All-in-One | Collector | Core CM | Mac Mini OS X Detection Engine

Mode(s)

Server

Syntax

shutdown

Parameters

None

Example

The following example performs a shutdown of the current device.

JATP# shutdown

traceroute

Table 21: traceroute

Description

Displays the route packets trace to a host name or an IP address.

Product(s) CLI

All-in-One | Collector | Core CM | Mac Mini OS X Detection Engine

Mode(s)

Server

Syntax

traceroute

Parameters

-h unsigned integer

Specifies the number of hops

string

Names the remote system to be traced.

Example

The following example performs a traceroute of the named device.

MacOSX1# traceroute -h 2 MacMininOSX2-Engine

updateimage

Table 22: updateimage

Description

Update or correct the guest-image OS profile used by the detection and analysis behavioral engine.

The updateimage command will update the guest images from a USB drive attached to the Juniper ATP Appliance.

Product(s) CLI

Mac Mini OS X Detection Engine

Mode(s)

Core

Syntax

updateimage

Parameters

built-in

Updates the guest-image on the Mac OSX Detection “Secondary core.”.

Example

The following example performs a built-in profile update for the Core detection engine.

MAC2(core)# updateimage built-in
Installing image SC-OSX-20131003.img...
Previous version of SC-OSX-20131003.img exists. Checking
integrity...
Latest Image SC-OSX-20131003.img is already installed
Installing image SC-XP-20140617.img...
Previous version of SC-XP-20140617.img exists. Checking
integrity...
Image SC-XP-20140617.img is already installed
Installing image SC-W7-20140521.img...
Previous version of SC-W7-20140521.img exists. Checking
integrity...
Image SC-W7-20140521.img is already installed

upgrade

Table 23: upgrade

Description

Upgrade a configured Juniper ATP Appliance Mac OSX Mac Mini device. If the Mac Mini has already been upgraded to Ubuntu 14.04, this upgrade command will not be visible at the CLI because it will not be needed.

Please note that this command will only show up for existing customers that have Mac Mini devices configured as Juniper ATP Appliance Mac OSX detection engine Secondary Cores (running Ubuntu 13.10). For new customers running Juniper ATP Appliance Release 3.2.5, each Mac Mini device is shipped with the new Ubuntu 14.04 version already installed, so in this case, the upgrade command will again not be available from the Juniper ATP Appliance Mac OSX Engine CLI.

Product(s) CLI

Mac Mini OS X Detection Engine

Mode(s)

Core

Syntax

upgrade

Parameters

built-in

Updates the guest-image on the Mac OSX Detection “secondary core.”.

Example

The following example performs a built-in Mac OS X profile update for the Mac Mini-based Secondary core detection engine..

MAC2(core)# upgrade

wizard

Table 24: wizard

Description

Enters the Configuration Wizard. For Configuration Wizard commands and response, see “Configuration Wizard for the CoreCM Server” in the next section to follow command prompts and recommended responses.

Product(s) CLI

All-in-One | Core/CM | Collector | Mac Mini Mac OS X

Mode(s)

Basic

Parameters

wizard

Example

None

The following command starts the configuration wizard.

hostname # wizard

Configuration Wizard Command Prompt Responses

Configuration Wizard Prompts

Customer Response from the Mac Mini

Use DHCP to obtain the IP address and DNS server address for the administrative interface (Yes/No)?

Note: Only if your DHCP response is no,enter the following information when prompted:

  1. IP address (no CIDR format)

  2. Netmask

  3. Enter a gateway IP address for this management (administrative) interface:

  4. Enter primary DNS server IP address.

  5. Do you have a secondary DNS Server (Yes/ No).

  6. Do you want to enter the search domains?

  7. Enter the search domain (separate multiple search domains by space):

Restart the administrative interface (Yes/No)?

We strongly discourage the use of DHCP addressing because it changes dynamically. A static IP address is preferred.

Recommended: Respond with no:

  1. Enter an IP address

  2. Enter a netmask using the form 255.255.255.0.

  3. Enter a gateway IP address.

  4. Enter the DNS server IP address

  5. If yes, enter the IP address of the secondary DNS server.

  6. Enter yes if you want DNS lookups to use a specific domain.

  7. Enter search domain(s) separated by spaces; for example: example.com lan.com dom2.com

Enter yes to restart with the new configuration settings applied.

Enter a valid hostname.

Type a hostname when prompted; do not include the domain; for example: juniperatp1

Note: Only alphanumeric characters and hyphens (in the middle of the hostname) are allowed.

[OPTIONAL]

If the system detects a Secondary Core with an eth2 port, then the alternate CnC exhaust option is displayed:

Use alternate-exhaust for the analysis engine exhaust traffic (Yes/No)?

Enter IP address for the alternate-exhaust (eth2) interface:

Enter netmask for the alternate-exhaust (eth2) interface: (example: 255.255.0.0)

Enter gateway IP Address for the alternate-exhaust (eth2) interface: (example:10.6.0.1)

Enter primary DNS server IP Address for the alternate-exhaust (eth2) interface: (example: 8.8.8.8)

Do you have a secondary DNS server for the alternate-exhaust (eth2) interface?

Do you want to enter the search domains for the alternate-exhaust (eth2) interface?

Note: A complete network interface restart can take more than 60 seconds

Refer to “Configuring an Alternate Analysis Engine Interface” in the Juniper ATP Appliance Operator’s Guide for more information.

Enter yes to configure an alternate eth2 interface.

Enter the IP address for the eth2 interface.

Enter the eth2 netmask.

Enter the gateway IP address.

Enter the primary DNS server IP Address for the alternate-exhaust (eth2) interface.

Enter yes or no to confirm or deny an eth2 secondary DNS server.

Enter yes or no to indicate whether you want to enter search domain.

Regenerate the SSL self-signed certificate (Yes/ No)?

Enter yes to create a new SSL certificate for the Juniper ATP Appliance Server Web UI.

If you decline the self-signed certificate by entering no, be prepared to install a certificate authority (CA) certificate.

Enter the following server attributes:

Central Manager (CM) IP Address:

Device Name: (must be unique)

Device Description

Device Key PassPhrase

Note: Remember this passphrase and use it for all distributed devices!

Required:Enter the IP address of the Juniper ATP Appliance Server Core/CM or All-in-One.

Enter a Juniper ATP Appliance Mac Mini or Core/CM Device Name; this identifies the Mac OS X or Core Engine in the Web UI.

Enter a device Description

Enter the same PassPhrase used to authenticate the Core or Mac Mini to the Central Manager.