Configuration and Control CLI Commands

Use the following CLI commands for configuration and control.

? (question mark)

When entering a command, enter a question mark at any point to display the arguments.

Syntax

<partial_command> ?

Example

CLI> show account strike ?

USAGE:  show account strike <arg>, where arg is:

?, count, interval, max

ok

CLI>

commands

Displays an alphabetical listing of all CLI commands.

Syntax

commands

debug

Enable/disable debug mode. Without an argument, it toggles the debug state. Optionally, a state argument can be passed.

Syntax

debug <on | off>

delete scheduled-patch

To delete a patch install request, use the CLI command delete scheduled-patch.

See the CLI command store system patch install for further information on patch installation.

forward support email

When the support-state option is enabled (which it is by default), this command sets the email address to receive system alerts.

Syntax

forward support email to <email address>

Show Command

show support-email

license check

Indicates whether the installed license is valid. Use this command after installing a new product key.

Syntax

license check

ping

Sends ICMP ping packets to a remote host. This command is useful for checking network connectivity. The value of host can be an IP address or host name.

Syntax

ping <host>

quit

Exits the command line interface.

Syntax

quit

recover failed

Command to restore failed CSV/PDF transfer files, placing the files back into the export folder for another export attempt.

Syntax

recover failed [csv|pdf]

restart gui

Restarts the IBM® Guardium® Web interface. To optionally schedule a restart of the GUI once a day or once a week, use additional parameters. HH is hours 01-24. MM is minutes 01-60. W is the day of the week, 0-6, Sunday is 0. If HHMM is listed twice, only the last entry is used. The parameter clear deletes the scheduled time.

In order to restart the Classifier and Security Assessments processes, run the restart gui command from the CLI (not from the GUI).

Running restart GUI from the GUI only restarts the web services. It is necessary to run the restart GUI command from the CLI to fully restart all processes, including Classifier and Security Assessments processes. It is necessary to run the restart GUI command from the CLI for each managed unit to restart the Classifier listener.

Syntax

restart gui [HHMM|HHMMW|clear]

restart stopped_services

Use this CLI command to restart services previously stopped with the store auto_stop_services_when_full CLI command.

Syntax

restart stopped_services

restart system

Reboots the Guardium system. The system will completely shut down and restart, which means that the CLI session will be terminated.

Syntax

restart system

show buffer snif

Use this CLI command to display the buffer usage of the sniffer.

show build

Displays build information for the installed software (build, release, snif version).

Syntax

show build

show network routes static

Static routing tables permit the user to have only one IP address per appliance (through eth0) and to direct traffic through different routers. This command lists the current static routes, with IDs.

Syntax

show network routes static

Delete command

delete network routes static

show password

This CLI command displays password functions. Password disable [0|1] removes the use of a password by storing the value 1. Password Expiration [CLI|GUI] [Number of days] displays the number of days between required password changes. Default is 90 days. Password Validation [ON|OFF] determines how strong the password is.  

Syntax

show password disable [0|1]

show password expiration [CLI|GUI] 90

show password validation [ON|OFF]

show system patch available

Displays the already installed patches and patches scheduled to be installed--showing date/time and the install status.

Syntax

show system patch installed

show system patch installed

Displays the already installed patches and patches scheduled to be installed--showing date/time and the install status.

Syntax

show system patch installed

show system public key

Displays the public key for cli or tomcat. If none exists, this command creates one.

Note: See show system key, store system key in Certificate CLI commands.

Syntax

show system public key <cli | tomcat | grdapi>

stop gui

Stops the Web user interface.

Syntax

stop gui

stop system

Stops and powers down the appliance.

Syntax

stop system

store alp_throttle

Use this CLI command to regulate the amount of data that will be logged.

Usage: store alp_throttle <num>

where <num> is a number in the range -2147483647 to 2147483647.

Default is 0.

0 - do not log into GDM_FLAT_LOG and do not create tapks files

>0 - log into GDM_FLAT_LOG and do not create tapks files

<0 - log into GDM_FLAT_LOG and create tapks files

99999 - do not log into GDM_FLAT_LOG, but create tapks files.

Example

10 - log into GDM_FLAT_LOG 10% of statements.

-10 - log into GDM_FLAT_LOG 10% of statements and create tapks files.

store gdm_http_session_template

Use this CLI command to set the template for the HTTP session.

Usage

store gdm_http_session_template [activate] [add] [deactivate] [remove]

Show command

show gdm_http_session_template

Attempting to retrieve the template information. It may take time. Please wait.

Table 1. store gdm_http_session_template
ID# Active URL Regex Session Regex Username Regex Login_Session Regex Comment Logout_Session_ID Logout_URL_Regex
1 1 Cookie.*PHPSESSID=([[:a .*user_name=([[:alnum:] Set-Cookie:.*PHPSESSID= example of HTTP session deleted    
2 1 Cookie.*PSJSESSIONID=([ .*SignOnDefault=([[:aln   example of HTTP session cmd=logout  
3 1 Cookie.*JSESSIONID=([0- .*username=([[:alnum:]] Set-Cookie:.*JSESSIONID example of HTTP session   Logout.jsp

store log external

Use this command to set file size, flush period, gdm error and state of the log external.

Usage

store log external [file_size] [flush_period] [gdm_error] [state]

Usage: store log external gdm_error <state>

where state is on/off. 'on' is to enable and 'off' is to disable.

Usage: store log external file_size <num>

where <num> is the size of the file.

Default is 4096 bytes.

Usage: store log external flush_period <num>

where <num> is the flush period.

Default is 60 seconds.

Usage: store log external state <state>

where state is on/off. 'on' is to enable and 'off' is to disable.

Show command

show log external [file_size] [flush_period] [gdm_error] [state]

store monitor gdm_statistics

Use this CLI command to get information about the Unit Utilization. Default is 1 (run the script every hour).

Syntax

CLI> store monitor gdm_statistics
USAGE: store monitor gdm_statistics <hour>, where hour is value from 0 to 24.
       Default value is 1, means to run the script every hour.
       Value 0, means not to run the script.

Show command

CLI> show monitor gdm_statistics

Disable gdm_statistics monitor

store gui

store gui [port | session_timeout | csrf_status]

Sets the TCP/IP port number on which the IBM Guardium appliance management interface accepts connections. The default is 8443. n must be a value in the range of 1024 to 65535. Be sure to avoid the use of any port that is required or in use for another purpose.

Set timeout of session - Sets the length of time (in seconds) with no activity before timeout. After the no-activity timeout has been reached, it is necessary to log on again to IBM Guardium. The default length is 900 seconds (15 minutes).

Set Cross-site Request Forgery (CSRF) (ON | OFF) - See the section CSRF and 403 Permission Errors in the Getting Started with GUI help topic. The default value is enabled on an upgraded system. Trying to use certain web browser functions (for example, F5/CTRL-R/Refresh/Reload, Back/Forward) will result in a 403 Permission Error message.

The new session timeout value will take effect only after the next GUI restart.

Syntax

store gui port <n>

store gui session_timeout <n>

store gui csrf_status [on | off]

Show command

Displays the GUI port number, state, session timeout (in seconds) and/or CSRF status.

Syntax

show gui [port | state | all | session_timeout | csrf_status ]

store gui cache

Use this CLI command to turn web browser caching ON or OFF (Enable or Disable).

The response is

The parameter has been changed.

Restarting gui

Changing to port 8443

Stopping.......

Safekeeping xregs

ok

The default setting for browser caching is enabled.

The act of changing the cache setting will automatically restart the Guardium web server.

For Firefox, the browser cache has to be cleared for the setting to take effect.

Syntax

store gui cache [ON | OFF]

Show command

show gui cache

store gui session_timeout

Sets the length of time (in seconds) with no activity before timeout. After the no-activity timeout has been reached, it is necessary to log on again to IBM Guardium. The default length is 900 seconds (15 minutes).

Syntax

store gui session_timeout <n>

Show command

show gui session_timeout

store gui csrf_status

Use this CLI command to enable or disable the Cross-site Request Forgery (CSRF) status.

Syntax

store gui csrf_status [ on | off ]

Show command

show gui csrf_status

store gui xss_status

Use this CLI command to enable or disable the Cross-Site Scripting (XSS) status. This option is enabled by default on upgraded systems.

Syntax

store gui xss_status [ on | off ]

Show command

show gui xss_status
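
A change-review check for the store gui settings described above (port, session_timeout, csrf_status, xss_status, cache), written as an added example that is not part of the Guardium documentation or product. The function names, the sample change script and the policy of flagging an idle timeout longer than the 900-second default are assumptions.

```python
PORT_RANGE = (1024, 65535)      # range stated on this page
DEFAULT_SESSION_TIMEOUT = 900   # seconds, default stated on this page


def is_number(value):
    return value.isascii() and value.isdigit()


def review_gui_command(line):
    """Return findings for one 'store gui' command; an empty list means none."""
    tokens = line.split()
    if len(tokens) != 4 or [t.lower() for t in tokens[:2]] != ["store", "gui"]:
        return ["not of the form: store gui <setting> <value>"]
    setting, value = tokens[2].lower(), tokens[3].lower()

    if setting == "port":
        if not is_number(value) or not PORT_RANGE[0] <= int(value) <= PORT_RANGE[1]:
            return ["port must be a number from 1024 to 65535"]
        return []
    if setting == "session_timeout":
        if not is_number(value):
            return ["session_timeout must be a number of seconds"]
        if int(value) > DEFAULT_SESSION_TIMEOUT:  # assumed review policy
            return ["idle timeout of %s s is longer than the 900 s default" % value]
        return []
    if setting in ("csrf_status", "xss_status", "cache"):
        if value not in ("on", "off"):
            return ["%s takes on or off" % setting]
        if value == "off" and setting != "cache":
            return ["%s off disables a GUI protection" % setting]
        return []
    return ["unknown store gui setting: %s" % setting]


def review_script(text):
    """Review a multi-line change script; return (line_number, command, finding)."""
    results = []
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        for finding in review_gui_command(line):
            results.append((number, line, finding))
    return results


# Constructed change script, for illustration only.
SAMPLE_SCRIPT = """\
store gui port 8443
store gui port 443
store gui session_timeout 3600
store gui csrf_status off
store gui scrf_status on
store gui xss_status on
"""

if __name__ == "__main__":
    for number, command, finding in review_script(SAMPLE_SCRIPT):
        print("line %d: %s -> %s" % (number, command, finding))
```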

store installed security policy

Sets the security policy named policy-name as the installed security policy.

Syntax

store installed security policy <policy-name>

Show Command

show installed security policy

store ldap-mapping

Store LDAP mapping parameters - allow a custom mapping for the LDAP server schema. This command permits customized mapping to the LDAP server schema for email, firstname and lastname attributes. The paging parameter is used to facilitate transfer between any LDAP server type (Active Directory, Novell Directory, Open LDAP, Sun One Directory, Tivoli® Directory). If the paging parameter is set to on, but paging is not supported by the server, the search is performed without paging.

Example for paging. If the CLI command, ldap-mapping paging is set to ON, then Microsoft Active Directory will download the maximum number of users defined under the limit value on the LDAP Import configuration screen. If CLI command, ldap-mapping paging is set to OFF, then Active Directory will download up to only 1000 users no matter what the limit value is set to. All other LDAP server configurations must use the CLI command, ldap-mapping paging off in order to download users up to the set limit value.

Note: Each time you change the CLI ldap-mapping attributes you also need to select Override Existing Changes on the LDAP Import configuration screen in IBM Guardium GUI before updating. This action must occur each time you change the CLI ldap-mapping email, firstname or lastname attributes and import LDAP users.

Show commands

show ldap-mapping [email] [firstname][lastname] <name>

show ldap-mapping paging ON|OFF

A GUI restart of the CLI is required for new parameters to take effect.

Examples

Some examples are shown.

store ldap-mapping firstname name

store ldap-mapping lastname sn

store ldap-mapping email mail

store ldap-mapping paging on

 

If the attributes are written as follows, the mapping process will use the first attribute it finds. If this is not what you want, use one of the examples to map to specific attributes.

Values for firstname attribute:  gn,givenName,name

Values for lastname attribute:  sn,surname,name

Values for email attribute: userPrincipalName,mail,email,emailAddress,pkcs9email,rfc822Mailbox

Values for paging: on, off
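
The first-match behaviour described above, modelled as an added example that is not Guardium code: it shows which attribute each imported field ends up with when no explicit store ldap-mapping is set, and how an explicit mapping changes the result. It assumes the attribute lists are searched in the order written on this page; the function names and the sample directory entry are constructed for illustration.

```python
# Candidate attribute names per field, copied from the lists on this page.
DEFAULT_CANDIDATES = {
    "firstname": ["gn", "givenName", "name"],
    "lastname": ["sn", "surname", "name"],
    "email": ["userPrincipalName", "mail", "email", "emailAddress",
              "pkcs9email", "rfc822Mailbox"],
}


def resolve(entry, field, mapped_attr=None):
    """Return (attribute_used, value) for one field of an LDAP entry.

    mapped_attr models 'store ldap-mapping <field> <name>': only that
    attribute is consulted. Without it, the default list is walked in the
    order written (assumption) and the first attribute with a value wins.
    """
    candidates = [mapped_attr] if mapped_attr else DEFAULT_CANDIDATES[field]
    # LDAP attribute names are case-insensitive.
    present = {name.lower(): value for name, value in entry.items()}
    for attr in candidates:
        value = present.get(attr.lower())
        if value:
            return attr, value
    return None, None


def import_preview(entry, mapping=None):
    """Resolve all three fields; mapping is {field: attribute} for overrides."""
    mapping = mapping or {}
    return {field: resolve(entry, field, mapping.get(field))
            for field in DEFAULT_CANDIDATES}


# Constructed Active Directory style entry (not real data). The login name in
# userPrincipalName differs from the mailbox address in mail.
SAMPLE_ENTRY = {
    "sAMAccountName": "jdoe",
    "givenName": "Jane",
    "name": "Jane Doe",
    "sn": "Doe",
    "userPrincipalName": "jdoe@corp.example",
    "mail": "jane.doe@example.com",
}

if __name__ == "__main__":
    # Default lists: email resolves to userPrincipalName, not the mailbox.
    print(import_preview(SAMPLE_ENTRY))
    # Explicit mapping, as in 'store ldap-mapping email mail'.
    print(import_preview(SAMPLE_ENTRY, {"email": "mail"}))
```

In the sample, the default lists pick userPrincipalName for email, so messages addressed to that user would go to the login name rather than the mailbox in mail. An entry that carries only name gets the same value for both firstname and lastname.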

store license

This command applies a new license key to the appliance.

A license key may be one of two kinds: override type or append type. An override-type license replaces the currently installed license, while an append-type license is appended to the currently installed license. Append-type licenses can only add functionality: new functions may be enabled and, when relevant, expiration dates are updated, the remaining number of scans and datasources is increased, and certain numeric fields in the license, such as the number of managed units, are replaced.

The help for this command shows three options for the store license command: console, FD, or USB. The store license console command is the only choice supported. When the command is entered, the system will prompt for the license.

Syntax

store license console

Show Command

show license

Example

When using the store license console command, you will be prompted to paste the new product key:

CLI> store license console

Paste the string received from IBM Guardium and then press Enter.

Copy and paste the new product key at the cursor location, and then press Enter. The product key contains no line breaks or white space characters, and it always ends with (and includes) a trailing equal sign. A series of messages will display, ending with:

We recommend that the machine be rebooted at the earliest opportunity in order to complete the license updating process.

ok

CLI>

Run the restart gui command at this time.

Note:

store max_audit_reporting

Displays the audit report threshold. The default is 32. When defining reports in Audit Process, the number of days of the report (defined by the FROM-TO fields) should not exceed a certain threshold (one month by default).

Syntax

store max_audit_reporting

Show command

show max_audit_reporting

store maximum query duration

Sets the maximum number of seconds for a query to the value specified by n. The default is 180. We recommend that you do not set this value greater than the default, because doing so increases the chances of overloading the system with query processing. This value can also be set from the Running Status Monitor panel on the administrator portal.

Syntax

store maximum query duration <n>

Show Command

show maximum query duration

store monitor [ custom_db_usage | gdm_statistics ]

Use the CLI command, store monitor custom_db_usage to set the state to on and to specify a time to run this job.

Syntax

CLI> store monitor custom_db_usage
USAGE: store monitor custom_db_usage <state> <hour>
where state is on/off.
If state is on, specify the hour to run.
Valid value is number from 0 to 23

Use the CLI command, store monitor gdm_statistics to get information about the Unit Utilization. Default is 1 (run the script every hour).

Syntax

CLI> store monitor gdm_statistics
USAGE: store monitor gdm_statistics <hour>, where hour is value from 0 to 24.
       Default value is 1, means to run the script every hour.
       Value 0, means not to run the script.

Show Commands

show monitor buffer

show monitor custom_db_usage

show monitor gdm_statistics

store packet max-size

Limit the maximum size of packets from the sniffer.

Syntax

store packet max-size 1536

Show Command

show packet max-size

store pdf-config

Use this command to change the pdf font size and pdf orientation of the PDF image body content (excluding header/footer).

Size unit ranges from 1 (smallest) to 10 (largest) with default value of 6.

Orientation unit is 1 (for landscape orientation) or 2 (for portrait). The default value is 1.

The change takes effect immediately after typing the CLI command and pressing the Enter key.

Syntax

store pdf-config [ orientation | size ]

Show Command

show pdf-config [ orientation | size ]

store pdf-config multilanguage_support

There are different static pdf generator config files for English (Used on English version) and language C/J (Used on Chinese/Japanese). Use this CLI command to define the fonts in the PDF generator. Default is English. Multi-language is language C/J.

Syntax

CLI> store pdf-config multilanguage_support
Current setting is Default

1  Default
2  Multi-language
Please select the option (1,2, or q to quit)

Show command

show pdf-config multilanguage_support

store populate_from_query_maxrecs

Sets the maximum number of records that can be used to populate groups and aliases from a query.

Use caution when setting a maximum records value via this CLI command. Setting it too high may result in incomplete populate group from query processes. The maximum threshold is dynamic and dependent on the system load and memory utilization. This CLI command is limited to a high value of 200000.

Syntax

store populate_from_query_maxrecs 100000

Show command

show populate_from_query_maxrecs

store product gid

Sets the stored unique product <n> GID value.

Syntax

store product gid <n>

Show Command

show product gid

store purge object

Sets the age (in days) at which non-essential objects will be purged. Use the show purge objects age command to display a table showing the index, object name, and age for each object type for which a purge age is maintained. Then use the appropriate index from that table in the command to set the purge age.

Syntax

store purge object age <index> <days>

Show Command

show purge object age

Example

Assume you want to keep an Event Log for 30 days. First issue the show purge objects age command to determine the index (do not use the table; your list may be different). Then enter the store purge object command.

store serial

Enable/disable a console or other terminal connection via serial port.

Syntax

store serial ON|OFF

store storage-system

Adds or deletes a storage system type for archiving or system backup.

Syntax

store storage-system <Centera | TSM>   <backup | archive> <on | off>

Show Command

show storage-system

Example

Assume you are currently using Centera for system backups, but want to switch to a TSM system. You must turn off the Centera backup option (unless you want to leave that as another option), and turn on the TSM backup option. The commands to do this are highlighted in the example. The show commands are not necessary, but are for illustration only.

CLI> show storage-system

NETWORK :

CENTERA : backing-up

TSM     :

SCP     : archiving and backing-up

FTP     : archiving and backing-up

ok

CLI>store storage centera backup off

ok

CLI> store storage tsm backup on

ok

CLI> show storage-system

NETWORK :

CENTERA :

TSM     : backing-up

SCP     : archiving and backing-up

FTP     : archiving and backing-up

ok

CLI>

store support state

Enables (on) or disables (off) the sending of email alerts to the support email address, which can be configured using the forward support email command. By default, the support state is enabled (on), and the default support email address is support@guardium.com.

Syntax

store support state <on | off>

Show Command

show support state

store timeout

Sets the timeout value of a CLI session and/or fileserver session. The default value is 600 seconds. A timeout will also close the CLI session.

If the fileserver is stopped because of a timeout, a message will appear, Warning : Fileserver stopped because of timeout. The file upload may not be complete. Stopping the process.

Syntax

store timeout cli_session <n>

store timeout fileserver_session <n>

Show command

show timeout cli_session 600

show timeout fileserver_session 600

store transfer-method

Sets the file transfer method used for CSV/CEF export. For file export, use the CLI command store transfer-method csv to set the method of transfer. For backup/archive, use the CLI command store transfer-method backup to set the method of transfer.

Syntax

store transfer-method [csv | backup]

Show Command

show transfer-method

Note: Files sent from one IBM Guardium appliance to another are always sent using SCP.