
Blue Coat Systems Port 80 Security Appliance

Command Line Reference

Blue Coat Systems Inc. 650 Almanor Avenue Sunnyvale, California 94086 info@bluecoat.com

(866) 302-2628 Corporate (866) 362-2628 Technical Support (866) 382-2628 Inside Sales www.bluecoat.com

Copyright 2003 Blue Coat Systems, Inc. All rights reserved. No part of this document may be reproduced by any means nor translated to any electronic medium without the written consent of Blue Coat Systems, Inc. Specifications are subject to change without notice. Information contained in this document is believed to be accurate and reliable; however, Blue Coat Systems, Inc. assumes no responsibility for its use. Blue Coat is a trademark of Blue Coat Systems, Inc. in the U.S. and worldwide. All other trademarks mentioned in this document are the property of their respective owners. Printed in U.S.A. Document Number: 231-02585 Document Revision: 2.1.09-08/21/2003

Contents

Chapter 1: Introduction
Audience for this Document ..... 7
Organization of this Document ..... 7
Related Blue Coat Documentation ..... 8
Document Conventions ..... 8
Telnet and Script Considerations ..... 8
Standard and Privileged Modes ..... 9
Accessing Quick Command Line Help ..... 9

Chapter 2: Standard and Privileged Mode Commands
Standard Mode Commands ..... 11
>display ..... 11
>enable ..... 12
>exit ..... 12
>ping ..... 12
>show ..... 13
>traceroute ..... 18
Privileged Mode ..... 18
#acquire-utc ..... 18
#cancel-upload ..... 19
#clear-arp ..... 19
#clear-cache ..... 20
#clear-statistics ..... 20
#configure ..... 20
#disable ..... 20
#disk ..... 21
#display ..... 21
#exit ..... 22
#hide-advanced ..... 22
#inline ..... 23
#kill ..... 24
#load ..... 25
#pcap ..... 26
#ping ..... 30
#purge-dns-cache ..... 30
#restart ..... 31
#restore-cacheos4-config ..... 32
#restore-defaults ..... 32
#reveal-advanced ..... 32

Security Appliance Command Line Reference

#show ..... 33
#temporary-route ..... 40
#test http ..... 40
#traceroute ..... 41

Chapter 3: Privileged Mode Configure Commands
#configure ..... 45
#(config)accelerated-pac ..... 47
#(config)access-log ..... 47
#(config)archive-configuration ..... 51
#(config)bandwidth-gain ..... 52
#(config)banner ..... 53
#(config)bypass-list ..... 54
#(config)caching ..... 55
#(config)clock ..... 57
#(config)content ..... 58
#(config)content-filter ..... 59
#(config content-filter)smartfilter ..... 61
#(config content-filter)websense3 ..... 62
#(config content-filter)websense4 off-box ..... 65
#(config)diagnostics ..... 66
#(config)dns ..... 67
#(config)domain-alias ..... 68
#(config)dynamic-bypass ..... 68
#(config)error-pages ..... 69
#(config)event-log ..... 70
#(config)exit ..... 72
#(config)forwarding ..... 72
#(config)health-check ..... 75
#(config)hide-advanced ..... 76
#(config)hostname ..... 77
#(config)http ..... 77
#(config)https ..... 80
#(config)icap ..... 83
#(config)icp ..... 84
#(config)identd ..... 85
#(config)inline ..... 86
#(config)installed-systems ..... 88
#(config)interface fast-ethernet ..... 89
#(config)ip-default-gateway ..... 91
#(config)load ..... 92
#(config)management-port ..... 93
#(config)netbios ..... 94


#(config)no ..... 94
#(config)ntp ..... 95
#(config)policy ..... 95
#(config)restart ..... 97
#(config)return-to-sender ..... 97
#(config)reveal-advanced ..... 98
#(config)rip ..... 99
#(config)security ..... 99
#(config)services ..... 111
#(config services)ftp ..... 112
#(config services)http ..... 113
#(config services)telnet ..... 115
#(config)show ..... 116
#(config)snmp ..... 120
#(config)socks-machine-id ..... 122
#(config)splash-generator ..... 122
#(config)sshd ..... 125
#(config)static-routes ..... 127
#(config)streaming ..... 128
#(config)system-resource-percent ..... 137
#(config)tcp-rtt ..... 137
#(config)telnet ..... 138
#(config)timezone ..... 138
#(config)upgrade-path ..... 138
#(config)virtual-ip ..... 139
#(config)wccp ..... 139
#(config)web-management ..... 140



Chapter 1:

Introduction

To configure and manage your Blue Coat Systems Port 80 Security Appliance, Blue Coat developed a software suite that includes an easy-to-use graphical interface called the Management Console and a Command Line Interface (CLI). The CLI allows you to perform the superset of configuration and management tasks; the Management Console, a subset. This reference guide describes each of the commands available in the CLI.

Audience for this Document


This reference guide is written for system administrators and experienced users who are familiar with network configuration. Blue Coat assumes that you have a functional network topography, that you and your Blue Coat Sales representative have determined the correct number and placement of the Security Appliances, and that those appliances have been installed in an equipment rack and at least minimally configured as outlined in the Blue Coat Installation Guide that accompanied the appliance. Furthermore, Blue Coat assumes that the Blue Coat appliance has been configured for reverse proxy server acceleration, transparent reverse proxy server acceleration, or a variant of either.

Organization of this Document


This document contains the following chapters:

Chapter 1 Introduction
The organization of this document; conventions used; descriptions of the CLI modes; and instructions for saving your configuration.

Chapter 2 Standard and Privileged Mode Commands


All of the standard mode commands, including syntax and examples, in alphabetical order. All of the privileged mode commands (except for the configure commands, which are described in Chapter 3), including syntax and examples, in alphabetical order.

Chapter 3 #Configure Commands

The configure command is the most used and most elaborate of all of the CLI commands. For better readability, each command heading in the command reference chapters is preceded with the appropriate prompt, and for the more complicated commands the parent command prompt is included as well. This chapter is divided into the following functional sections:

Load and Save Commands. All of the configure commands that are required to load your configuration and to save changes, including syntax and examples, in alphabetical order.

View Configuration Settings Commands. All of the configure commands that are required to view your current configuration settings, including syntax and examples, in alphabetical order.

Change Configuration Settings Commands. All of the privileged mode configure commands that are required to change your current or factory-default configuration settings, including syntax and examples, in alphabetical order.

Related Blue Coat Documentation


Blue Coat Systems 500 Installation Guide (includes information on installing the 500, 510, and 520)
Blue Coat Systems 500ec Installation Guide (includes information on installing the 515, 525, 525i, 545, and 545i)
Blue Coat Systems 600 and 700 Installation Guide
Blue Coat Systems 3000 Installation Guide
Blue Coat Systems 5000 Installation Guide
Blue Coat Systems 6000 and 7000 Installation Guide
Blue Coat Systems 800 Installation Guide
Blue Coat Systems Configuration and Management Guide
Blue Coat Systems Policy Language Reference Manual

Document Conventions
The following table lists the typographical and CLI syntax conventions used in this manual.

Convention          Definition
Italics             The first use of a new or Blue Coat-proprietary term.
Courier font        Command-line text that will appear on your administrator workstation.
Courier Italics     A command-line variable that should be substituted with a literal name or value pertaining to the appropriate facet of your network system.
Courier Boldface    A CLI literal that should be entered as shown.
{}                  One of the parameters enclosed within the braces must be supplied.
[]                  An optional parameter or parameters.
|                   Either the parameter before or after the pipe character can or must be selected, but not both.

Telnet and Script Considerations


Consider the following when using the CLI during a Telnet session or in a script:

Case Sensitivity. CLI command literals and parameters are not case sensitive.

Command Abbreviations. You may abbreviate CLI commands, provided you supply enough command characters as to be unambiguous. For example:

SGOS#configure terminal

Can be shortened to:

SGOS# conf t

Standard and Privileged Modes


The Security Appliance CLI has two major modes: standard and privileged. In addition, privileged mode has several subordinate modes. Refer to the introduction in Chapter 2: Standard and Privileged Mode Commands for details about the different modes.

Standard mode prompt: >
Privileged mode prompt: #

Accessing Quick Command Line Help


You can access command line help at any time during a session. The following commands are available in both standard mode and privileged mode.

To access a comprehensive list of mode-specific commands: Type help or ? at the prompt. The help command displays how to use CLI help. For example:

SGOS> help
Help may be requested at any point in a command by typing a question mark '?'.
1. For a list of available commands, enter '?' at the prompt.
2. For a list of arguments applicable to a command, precede the '?' with a space (e.g. 'show ?')
3. For help completing a command, do not precede the '?' with a space (e.g. 'sh?')

The ? command displays the available commands. For example:

SGOS> ?
display       Display a text based url
enable        Turn on privileged commands
exit          Exit command line interface
help          Information on help
ping          Send echo messages
show          Show running system information
traceroute    Trace route to destination

To access a command-specific parameter list: Type the command name, followed by a space, followed by a question mark. Note that you must be in the correct mode (standard or privileged) to access the appropriate help information. For example, to get command completion help for pcap:

SGOS# pcap ?
filter    Setup the current capture filter
info      Display current capture information
. . .

To get command completion for configuring SNMP:

SGOS#(config) snmp ?
<cr>

To access the correct spelling and syntax, given a partial command: Type the first letter, or more, of the command, followed by a question mark (no spaces). Note that you must be in the correct mode (standard or privileged) to access the appropriate help information. For example:

SGOS# p?
pcap ping purge-dns-cache
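The abbreviation rule above (enough characters to be unambiguous, matching not case sensitive) and the "p?" completion listing can be modelled in a few lines. The following is an added example, not Blue Coat code: the command names are taken from the manual's own help output ("SGOS> ?", "SGOS# p?", "SGOS# pcap ?"), while the nested command tree, the assumption that an abbreviation is refused rather than guessed when it matches more than one keyword, and the function names are illustrative choices.

```python
"""Prefix resolution for abbreviated SGOS CLI commands (illustrative model)."""
from typing import Dict, List, Optional

# A command tree is a nested dict: keyword -> sub-keywords. An empty dict
# means the keyword takes no further keyword here (assumption for the model).
CommandTree = Dict[str, dict]

# Constructed from the manual's standard-mode 'SGOS> ?' listing.
STANDARD_TREE: CommandTree = {
    "display": {}, "enable": {}, "exit": {}, "help": {},
    "ping": {}, "show": {}, "traceroute": {},
}

# Constructed from the manual's 'SGOS# p?' and 'SGOS# pcap ?' listings plus
# the 'configure terminal' and 'disable' commands it mentions.
PRIVILEGED_TREE: CommandTree = {
    "configure": {"terminal": {}},
    "disable": {},
    "pcap": {"filter": {}, "info": {}},
    "ping": {},
    "purge-dns-cache": {},
    "show": {},
}


def completions(prefix: str, tree: CommandTree) -> List[str]:
    """Keywords at this level that begin with prefix, compared case-insensitively
    (the manual states that command literals are not case sensitive)."""
    p = prefix.lower()
    return sorted(keyword for keyword in tree if keyword.startswith(p))


def resolve_line(line: str, tree: CommandTree) -> Optional[List[str]]:
    """Expand an abbreviated command line word by word.

    Returns the full keywords (e.g. 'conf t' -> ['configure', 'terminal']),
    or None when a word is unknown or ambiguous: the manual requires each
    abbreviation to be unambiguous, so the resolver never guesses.
    """
    resolved: List[str] = []
    level = tree
    for word in line.split():
        found = completions(word, level)
        if len(found) != 1:
            return None
        resolved.append(found[0])
        level = level[found[0]]
    return resolved


if __name__ == "__main__":
    print(resolve_line("conf t", PRIVILEGED_TREE))   # ['configure', 'terminal']
    print(completions("p", PRIVILEGED_TREE))          # same candidates as 'SGOS# p?'
    print(resolve_line("p", PRIVILEGED_TREE))         # None: ambiguous
```

Because `resolve_line` refuses ambiguous input instead of picking the first match, a script that expands operator-typed abbreviations before sending them to the appliance cannot silently turn "p" into "purge-dns-cache".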


Chapter 2:

Standard and Privileged Mode Commands

This chapter describes and provides examples for the Blue Coat Systems Port 80 Security Appliance standard and privileged mode CLI commands.

Standard Mode Commands


Standard mode is the default mode when you first log on. From standard mode, you can view but you cannot change configuration settings. In contrast to privileged mode, this mode cannot be password-protected. Standard mode has a short list of commands. Note: The help command and how to use the CLI help is described in Accessing Quick Command Line Help on page 9.

The standard mode prompt is a greater-than sign; for example:


telnet> open 10.25.36.47
username: admin
password: ******
SGOS>

>display
Use this command to display the source code (such as HTML or JavaScript) used to build the named URL. This source code is displayed one screen at a time. "More" at the bottom of the terminal screen indicates that there is additional code. Press the Spacebar to display the next batch of code; press the Enter key to display one additional line of code.

Syntax
display url

where url is a valid, fully-qualified text Web address.

Example
SGOS> display http://www.bluecoat.com
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<title>Blue Coat Inc.</title>
<meta NAME="KEYWORDS" CONTENT="cache, caching, cache appliance, network cache, web cache, Blue Coat, internet caching, active, transparent caching, intelligent, proxy, fast, cache server, Content delivery, streaming, media streaming, content delivery networks, CDNs, access control, Enterprise Internet Management, turnkey, web, speed, bandwidth savings, hit rate, internet">
<meta NAME="DESCRIPTION" CONTENT="Blue Coat products are intelligent appliances specifically architected to accelerate the Internet.">
<!-- __________________________________________________________________
Copyright 1998-2002 Blue Coat Systems Inc. All rights reserved.
. . .

>enable
Use this command to enter Privileged mode. Privileged mode commands enable you to view and change your configuration settings. In some configurations, you must provide a password. To set username and password, please refer to the instructions provided in the Blue Coat Systems Port 80 Security Appliance Configuration and Management Guide.

Syntax
enable

The enable command does not have any parameters or subcommands.

Example
SGOS> enable
Enable Password:******
SGOS#configure terminal
SGOS(config)
. . .

See also
disable (disable is a Privileged mode command.)

>exit
Use this command to exit the CLI.

Syntax
exit

The exit command does not have any parameters or subcommands.

Example
SGOS> exit

>ping
Use this command to verify that a particular IP address exists and can accept requests.

Syntax
ping ip_address


where:
ip_address Specifies the address you want to verify.

Example
SGOS> ping 10.25.36.47
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.25.36.47, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/0/0 ms
Number of duplicate packets received = 0

>show
Use this command to display system information.

Syntax
option 1 : show accelerated-pac
option 2 : show access-log statistics
option 3 : show arp-table
option 4 : show bandwidth-gain
option 5 : show bypass-list
option 6 : show caching
option 7 : show clock
option 8 : show commands {delimited | formatted}
option 9 : show content-distribution
option 10 : show cpu
option 11 : show diagnostics
option 12 : show disk {disk_number | all}
option 13 : show dns
option 14 : show domain-alias
option 15 : show download-paths
option 16 : show dynamic-bypass
option 17 : show efficiency
option 18 : show environmental
option 19 : show event-log
option 20 : show forwarding
option 21 : show health-checks
option 22 : show hostname
option 23 : show http
option 24 : show http-stats
option 25 : show icap {clusters | services | statistics}
option 26 : show icp-settings
option 27 : show identd
option 28 : show installed-systems
option 29 : show interface {all | interface#}
option 30 : show ip-default-gateway
option 31 : show ip-route-table
option 32 : show ip-stats
option 33 : show netbios
option 34 : show ntp
option 35 : show policy [order | proxy-default]
option 36 : show ports
option 37 : show resources
option 38 : show restart
option 39 : show return-to-sender
option 40 : show rip
option 41 : show rtsp
option 42 : show sessions
option 43 : show services
option 44 : show snmp
option 45 : show socks-machine-id
option 46 : show sources {bypass-list | error-pages | icp-settings | policy {central | local | vpm-cpl | vpm-xml} | rip-settings | static-route-table | streaming real-media | wccp-settings}
option 47 : show static-routes
option 48 : show status
option 49 : show streaming {configuration | real-media | statistics | windows-media}
option 50 : show system-resource-percent
option 51 : show tcp-rtt
option 52 : show terminal
option 53 : show telnet-management
option 54 : show timezones
option 55 : show transparent-proxy
option 56 : show user-authentication
option 57 : show version
option 58 : show virtual-ip
option 59 : show wccp {configuration | statistics}
option 60 : show web-management


where:
accelerated-pac    Displays accelerated PAC file information.
access-log statistics    Displays access log statistics data, including log and upload information.
arp-table    Displays TCP/IP ARP table information.
bandwidth-gain    Displays bandwidth gain status, mode, and the status of the "substitute get for get-if-modified-since," "substitute get for HTTP 1.1 conditional get," and "never refresh before specified object expiry" features.
bypass-list    Displays your bypass list.
caching    Displays data regarding cache refresh rates and settings and caching policies.
clock    Displays the current time.
commands    Displays a list of the available (root, non-privileged) CLI commands.
    delimited    Displays commands in such a way that they can be parsed.
    formatted    Displays commands so that they can be viewed easily.
content-distribution    Displays the average sizes of objects in the cache.
cpu    Displays current CPU usage.
diagnostics    Displays remote diagnostics information, including version number, and whether or not the Heartbeats feature and the Security Appliance monitor are currently enabled.
disk    Displays disk information, including slot number, vendor, product ID, revision and serial number, capacity, and status.
    disk_number    Displays information about the disk specified.
    all    Displays information about all disks.
dns    Displays primary and alternate DNS server data.
domain-alias    Displays domain alias configuration information.
download-paths    Displays downloaded configuration path information, including the policy list, bypass list, accelerated PAC file, HTTP error page, ICP settings, RIP settings, static route table, upgrade image, and WCCP settings.
dynamic-bypass    Displays dynamic bypass configuration status information.
efficiency    Displays efficiency statistics by objects and by bytes, as well as information about non-cacheable objects and access patterns.
environmental    Displays environmental sensor information.
event-log    Displays event log settings, including event level and event log size, and event recipients.
forwarding    Displays advanced forwarding settings, including download-via-forwarding, health check, and load balancing status, and the definition of forwarding hosts/groups and advanced forwarding rules.
health-checks    Displays health-check statistics.
hostname    Displays hostname, IP address, and type.
http    Displays HTTP configuration information.
http-stats    Displays HTTP statistics, including HTTP statistics version number, number of connections accepted by HTTP, number of persistent connections that were reused, and the number of active client connections.
icap {clusters | services | statistics}    Displays ICAP cluster, services, and configuration information.
icp-settings    Displays ICP settings.
identd    Displays IDENTD settings.
installed-systems    Displays Security Appliance system information such as version and release numbers, boot and lock status, and timestamp information.
ip-default-gateway    Displays default IP gateway IP address, weight, and group membership.
ip-route-table    Displays route table information.
ip-stats    Displays TCP/IP statistics for the current session.
netbios    Displays NETBIOS settings.
ntp    Displays NTP servers status and information.
policy [order | proxy-default]    Displays the policy files order or the policy default of allow or deny.
ports    Displays HTTP and console port number, type, and properties.
resources    Displays allocation of disk and memory resources.
restart    Displays system restart settings, including core image information and compression status.
return-to-sender    Displays "return to sender" inbound and outbound settings.
rip    Displays information on RIP settings, including parameters and configuration, RIP routes, and RIP statistics.
rtsp    Displays RTSP settings.
sessions    Displays information about Telnet connections.
services    Displays information about services.
snmp    Displays SNMP statistics, including status and MIB variable and trap information.
socks-machine-id    Displays the id of the secure sockets machine.
sources    Displays source listings for installable lists, such as the bypass-list, policy files, ICP settings, RIP settings, static route table, streaming configurations, and WCCP settings files.
    bypass-list    Displays the source file for the current bypass list.
    error-pages    Displays the source file for error pages.
    icp-settings    Displays the source file for the current ICP settings.
    policy    Displays the source file for the specified policy file.
    rip-settings    Displays the source file for the current RIP settings.
    static-route-table    Displays the source file for the current static route table.
    streaming real-media    Displays the source file for the current streaming configurations. Specify real-media to display real streaming information.
    wccp-settings    Displays the source file for the current WCCP settings.
static-routes    Displays static route table information.
status    Displays current system status information, including configuration information and general status information.
streaming    Displays Microsoft Windows Media or RealNetworks information.
    configuration    Displays client and total bandwidth configurations.
    real-media    Displays RealNetworks streaming media information.
    statistics    Displays client and total bandwidth usage.
    windows-media    Displays Microsoft Windows Media streaming configuration information or statistics.
system-resource-percent    Displays the distribution of resources.
tcp-rtt    Displays TCP round trip time ticks.
terminal    Displays terminal configuration parameters.
telnet-management    Displays telnet management status and the status of SSH configuration through Telnet.
timezones    Displays current and supported timezones.
transparent-proxy    Displays transparent proxy information.
user-authentication    Displays Authenticator Credential Cache Statistics, including credential cache information, maximum number of clients queued for cache entry, and the length of the longest chain in the hash table.
version    Displays Security Appliance hardware and software version and release information and backplane PIC status.
virtual-ip    Displays virtual IP addresses.
wccp    Displays WCCP configuration and statistics information.
    configuration    Displays WCCP configuration information, including version number and status.
    statistics    Displays WCCP statistics information, including last reset time, and packets and bytes sent and received.
web-management    Displays Web management status.

Examples
SGOS> show caching
Refresh:
  Desired access freshness is 97.5%
  Estimated access freshness is 100.0%
  Let the Port 80 Security Appliance manage refresh bandwidth
  Current bandwidth used is 0 Kbits/sec
Policies:
  Do not cache objects larger than 50 megabytes
  Cache negative responses for 0 minutes
  Let the Port 80 Security Appliance manage freshness
FTP caching:
  Caching FTP objects is enabled
  Do not cache FTP objects larger than 50 megabytes
  FTP objects with last modified date, cached for 10% of last modified time
  FTP objects without last modified date, initially cached for 24 hours
SGOS> show resources
Disk resources:
  Available to cache:      3852673024
  In use by cache:         190489725
  In use by system:        268771328
  In use by access log:    48003
  Total disk installed:    4311982080
Memory resources:
  In use by cache:         90218496
  In use by system:        37226528
  In use by network:       6772704
  Total RAM installed:     134217728


Security Appliance Command Line Reference

>traceroute
Use this command to trace the route from the current host to the specified destination host.

Syntax
traceroute {ip_address | hostname}

where:
ip_address    Specifies the IP address of the destination host.
hostname      Specifies the name of the destination host.

Example
SGOS> traceroute 10.25.36.47
Type escape sequence to abort.
Tracing the route to 10.25.36.47
  1 10.25.36.47 0 0 0

Privileged Mode
Privileged mode provides a robust set of commands that enable you to view, manage, and change Security Appliance settings for features such as log files, authentication, caching, DNS, HTTPS, packet capture filters, and security.

Note: The privileged mode subcommand configure enables you to manage the Security Appliance features. Refer to Chapter 3: Privileged Mode Configure Commands for detailed information about this command.

To access privileged mode: From standard mode, enter privileged mode using the enable command, as shown below:
SGOS> enable
Enable Password: ********
SGOS#

If the network administrator who performed the initial network configuration assigned a privileged mode password, you will be prompted to supply that also. To prevent unauthorized access to your Security Appliance configuration and network, we recommend that you always require a privileged mode password. The default privileged mode password is admin. It is important to note that the prompt changes from a greater than sign (>) to a pound sign (#), acting as an indicator that you are in privileged mode now.

#acquire-utc
Use this command to acquire the Universal Time Coordinates (UTC) from a Network Time Protocol (NTP) server. To manage objects, a Security Appliance must know the current UTC time. Your Security Appliance comes pre-populated with a list of NTP servers available on the Internet, and attempts to connect to them in the order they appear in the NTP server list on the NTP tab. If the Security Appliance cannot access any of the listed NTP servers, the UTC time must be set manually. For instructions on how to set the UTC time manually, refer to the Blue Coat Systems Port 80 Security Appliance Configuration and Management Guide.

Syntax
acquire-utc

The acquire-utc command does not have any parameters or subcommands.

Example
SGOS# acquire-utc
ok

#cancel-upload
This command cancels a pending access-log upload. The cancel-upload command allows you to stop repeated upload attempts if the Web server becomes unreachable while an upload is in progress. This command sets log uploading back to idle if the log is waiting to retry the upload. If the log is in the process of uploading, a flag is set on the log; this flag sets the log back to idle if the upload fails.

Syntax
cancel-upload

The cancel-upload command does not have any parameters or subcommands.

Example
SGOS# cancel-upload
ok

#clear-arp
The clear-arp command clears the Address Resolution Protocol (ARP) table. ARP tables are used to correlate an IP address to a physical machine address recognized only in a local area network. ARP provides the protocol rules for providing address conversion between a physical machine address (also known as a Media Access Control or MAC address) and its corresponding IP address, and vice versa.

Syntax
clear-arp

The clear-arp command does not have any parameters or subcommands.

Example
SGOS# clear-arp
ok


#clear-cache
The clear-cache command sets all objects in the cache to expired. You can clear the system cache at any time. Although objects are not immediately removed from memory or disk, all subsequent first requests for objects will be retrieved from the source.

Syntax
clear-cache

Example
SGOS# clear-cache
ok

#clear-statistics
This command clears the Windows Media Streaming statistics collected by the Security Appliance. You can also clear the Windows Media streaming statistics through the Streaming applet. To view streaming statistics from the Management Console, go to Statistics>Volume>Windows Media.

Syntax
clear-statistics windows-media

Example
SGOS# clear-statistics windows-media
ok

#configure
The privileged mode subcommand configure enables you to manage the Security Appliance features. Refer to Chapter 3: Privileged Mode Configure Commands for detailed information about this command.

#disable
The disable command returns you to Standard mode from Privileged mode.

Syntax
disable

The disable command does not have any parameters or subcommands.

Example
SGOS# disable
ok


See also
enable (Standard mode command)

#disk
Use the disk command to take a disk offline or to reinitialize a disk. On a multi-disk Security Appliance, after issuing the disk reinitialize disk_number command, complete the reinitialization by setting it to empty and copying pre-boot programs, boot programs and starter programs, and system images from the master disk to the reinitialized disk. The master disk is the leftmost valid disk. Valid indicates that the disk is online, has been properly initialized, and is not marked as invalid or unusable.

Note: If the current master disk is taken offline, reinitialized or declared invalid or unusable, the leftmost valid disk that has not been reinitialized since restart becomes the master disk. Thus as disks are reinitialized in sequence, a point is reached where no disk can be chosen as the master. At this point, the current master disk is the last disk. If this disk is taken offline, reinitialized, or declared invalid or unusable, the Security Appliance is restarted.

Reinitialization is done without rebooting the Security Appliance. The Security Appliance operations, in turn, are not affected, although during the time the disk is being reinitialized, that disk is not available for caching. Note that only the master disk reinitialization might restart the Security Appliance.

Syntax
disk {offline disk_number | reinitialize disk_number}

where:
offline         Takes the disk numbered disk_number off line.
disk_number     Indicates the number of the disk you want to take off line or reinitialize.
reinitialize    Reinitializes the disk numbered disk_number.

Example
SGOS# disk offline 3
ok
SGOS# disk reinitialize 3
ok

#display
Use this command to display the source code (such as HTML or Javascript) used to build the named URL. This source code is displayed one screen at a time. "More" at the bottom of the terminal screen indicates that there is additional code. Press the Spacebar to display the next batch of code; press the Enter key to display one additional line of code.

Syntax
display url


where url is a valid, fully-qualified text Web address.

Example
SGOS# display www.company1.com
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>302 Found</TITLE>
</HEAD><BODY>
<H1>Found</H1>
The document has moved <A HREF="http://lc2.law5.company1.passport.com/cgi-bin/login">here</A>.<P>
</BODY></HTML>

#exit
Exits from Configuration mode to Privileged mode, from Privileged mode to Standard mode. From Standard mode, the exit command closes the CLI session.

Syntax
exit

The exit command does not have any parameters or subcommands.

Example
SGOS# exit

#hide-advanced
The hide-advanced command enables you to disable all or a subset of the advanced commands available to you when using the CLI. The advanced commands that you can disable include the HTTP and TCP/IP commands.

Syntax
hide-advanced {all | expand | tcp-ip}

where:
all       Disables all advanced commands.
expand    Displays the expanded advanced commands.
tcp-ip    Disables only the TCP/IP advanced commands; the status of the other advanced commands remains unchanged. Refer to the description of the configure command tcp-ip for details.

Example
SGOS# hide-advanced expand
ok
SGOS# show expand
             ^
% Invalid input detected at '^' marker.
SGOS#

See also
reveal-advanced

#inline
Installs configuration elements based on your console port input. There are two ways to create a configuration file for your Security Appliance. You can use the inline command or you can create a text file to house the configuration commands and settings. To configure using the CLI and the inline command, refer to the example below:
SGOS# configure terminal
SGOS#(config) inline accelerated-pac token
. . .
end token

Where token marks the end of the inline commands.

Syntax
option 1 : inline accelerated-pac token
option 2 : inline bypass-list central token
option 3 : inline bypass-list local token
option 4 : inline error-pages token
option 5 : inline error-pages token
option 6 : inline icp-settings token
option 7 : inline policy central token
option 8 : inline policy local token
option 9 : inline policy vpm-cpl token
option 10 : inline policy vpm-xml token
option 11 : inline rip-settings token
option 12 : inline static-route-table token
option 13 : inline streaming real-media token
option 14 : inline wccp-settings token


where:
token                   Is used at the beginning of the inline commands to indicate what the end-of-commands marker will be. Is used again at the end of the commands.
accelerated-pac         Updates the accelerated pac file with the settings you include between the beginning token and the ending token.
bypass-list central     Updates the central bypass list with the settings you include between the beginning token and the ending token.
bypass-list local       Updates the local bypass list with the settings you include between the beginning token and the ending token.
error-pages             Updates the local HTTP error pages with the settings you include between the beginning token and the ending token.
forwarding              Updates the forwarding configuration with the settings you include between the beginning token and the ending token.
icp-settings            Updates the current ICP settings with the settings you include between the beginning token and the ending token.
policy central          Updates the current central policy file with the settings you include between the beginning token and the ending token.
policy local            Updates the current local policy file with the settings you include between the beginning token and the ending token.
policy vpm-cpl          Updates the VPM policy with the settings you include between the beginning token and the ending token. (This option is designed to be used with the Blue Coat Director product.)
policy xml-cpl          Updates the XML policy with the settings you include between the beginning token and the ending token. (This option is designed to be used with the Blue Coat Director product.)
rip-settings            Updates the current RIP settings with the settings you include between the beginning token and the ending token.
static-route-table      Updates the current static route table settings with the settings you include between the beginning token and the ending token.
streaming real-media    Updates the current Real Media streaming settings with the settings you include between the beginning token and the ending token.
wccp-settings           Updates the current WCCP settings with the settings you include between the beginning token and the ending token.

Example
SGOS# inline icp-settings eof
icp_port 3130
icp_host 127.0.0.0 sibling 8080 3130
eof
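An added example, not from the page or from Blue Coat: the Python below renders and parses inline blocks in the shape the inline command describes, and shows why the end-of-commands token must not also occur as a line of the payload. The ICP lines are the page's own sample; the policy payload lines are constructed.

```python
"""Render and parse `inline <list> <token>` blocks as the inline command
describes them.  Added example, not Blue Coat code; the ICP lines are the
page's own sample, the policy payload lines are constructed."""
import secrets

# Targets named in the Syntax section; the token follows them positionally.
INLINE_TARGETS = {
    "accelerated-pac", "bypass-list central", "bypass-list local",
    "error-pages", "icp-settings", "policy central", "policy local",
    "policy vpm-cpl", "policy vpm-xml", "rip-settings", "static-route-table",
    "streaming real-media", "wccp-settings",
}


def choose_token(lines, prefix="eof"):
    """Pick an end marker that equals no payload line.

    The first line equal to the token ends the block, so a payload line that
    happens to match it would silently cut the installed list short."""
    taken = {line.strip() for line in lines}
    if prefix not in taken:
        return prefix
    while True:
        candidate = f"{prefix}-{secrets.token_hex(4)}"
        if candidate not in taken:
            return candidate


def render_inline(target, lines, token=None):
    """Return the full text to type: header, payload lines, closing token."""
    if target not in INLINE_TARGETS:
        raise ValueError(f"unknown inline target: {target!r}")
    if any("\n" in line or "\r" in line for line in lines):
        raise ValueError("payload lines must not contain line breaks")
    token = token or choose_token(lines)
    if " " in token or any(line.strip() == token for line in lines):
        raise ValueError(f"token {token!r} is unusable for this payload")
    return "\n".join([f"inline {target} {token}", *lines, token])


def parse_inline(text):
    """Split a block back into (target, payload, leftover).

    leftover holds everything after the first closing token; it is non-empty
    exactly when the payload contained the token, which is the failure mode
    choose_token() prevents."""
    header, *rest = text.splitlines()
    parts = header.split()
    if len(parts) < 3 or parts[0] != "inline":
        raise ValueError(f"not an inline header: {header!r}")
    target, token = " ".join(parts[1:-1]), parts[-1]
    if target not in INLINE_TARGETS:
        raise ValueError(f"unknown inline target: {target!r}")
    payload, leftover, closed = [], [], False
    for line in rest:
        if not closed and line.strip() == token:
            closed = True
        elif closed:
            leftover.append(line)
        else:
            payload.append(line)
    if not closed:
        raise ValueError("block was never terminated by its token")
    return target, payload, leftover


# The page's own ICP sample, and a constructed payload whose second line
# collides with the default marker.
ICP_LINES = ["icp_port 3130", "icp_host 127.0.0.0 sibling 8080 3130"]
COLLIDING_LINES = ["first line", "eof", "second line"]

if __name__ == "__main__":
    print(render_inline("icp-settings", ICP_LINES, token="eof"))
    print(render_inline("policy local", COLLIDING_LINES))  # gets an eof-xxxx token
```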

#kill
Terminates a Telnet session.

Syntax
kill session_number


where session_number is a valid Telnet session number.

Example
SGOS# kill 3
ok

#load
Downloads installable lists or system upgrade images. These installable lists or settings can be updated using the inline command.

Syntax
option 1 : load accelerated-pac
option 2 : load bypass-list central
option 3 : load bypass-list local
option 4 : load error-pages
option 5 : load icp-settings
option 6 : load policy central
option 7 : load policy local
option 8 : load policy vpm-software
option 9 : load rip-settings
option 10 : load static-route-table
option 11 : load streaming real-media
option 12 : load upgrade
option 13 : load wccp-settings

where:
accelerated-pac         Downloads the current accelerated pac file settings.
bypass-list central     Downloads the current central bypass list settings.
bypass-list local       Downloads the current local bypass list settings.
error-pages             Downloads the current HTTP error pages.
icp-settings            Downloads the current ICP settings.
policy central          Downloads the current central policy file settings.
policy local            Downloads the current local policy file settings.
policy vpm-software     Downloads a new VPM version.
rip-settings            Downloads the current RIP settings.
static-route-table      Downloads the current static route table settings.
streaming real-media    Downloads the current Real Media streaming settings.
upgrade                 Downloads the latest system image.
wccp-settings           Downloads the current WCCP settings.

Examples
SGOS# load accelerated-pac
ok
SGOS# load bypass-list local
ok
SGOS# load bypass-list central
ok
SGOS# load error-pages
ok
SGOS# load policy local
ok
SGOS# load policy central
ok
SGOS# load icp-settings
ok
SGOS# load rip-settings
ok
SGOS# load static-route-table
ok
SGOS# load streaming real-media
ok
SGOS# load wccp-settings
ok
SGOS# load upgrade
SGOS#

See also
inline

#pcap
This command enables you to capture packets of Ethernet frames going into or leaving a Security Appliance. Packet capturing allows filtering on various attributes of the frame to limit the amount of data collected. The collected data can then be transferred to the desktop for analysis.

Note: Before using the pcap command, consider that packet capturing doubles the amount of processor usage performed in TCP/IP. To view the captured packets, you must have a tool that can read Packet Sniffer Pro 1.1 files (for example, Ethereal or Packet Sniffer Pro 3.0).

Syntax
option 1 : pcap filter iface {in | out}
option 2 : pcap filter iface {in | out} iface-num
option 3 : pcap filter iface iface-num
option 4 : pcap filter expr filter_expression
option 5 : pcap info
option 6 : pcap coreimage
option 7 : pcap start
option 8 : pcap start [first n]
option 9 : pcap start [capsize n(k)]
option 10 : pcap start [trunc n]
option 11 : pcap start [last n]
option 12 : pcap stop
option 13 : pcap transfer url username password

where:
filter                  See the Filter table that follows.
coreimage               Includes packets within a core image.
info                    Displays the current packet capture information.
start                   Starts the capture (commonly requested by Blue Coat Customer Support for system analysis).
    first n                 The first n parameter collects n (up to 100 MB) packets. After the number of packets n is reached, capturing stops. The packet capture file size is limited to 1% of total RAM, which might be reached before n packets have been captured. Note: The parameter first n is a specific command; it captures an exact number of packets. If no parameters are specified, the default is to capture until the stop subcommand is issued or the maximum limit is reached.
    capsize n(k)            The capsize n(k) parameter stops the collection after n Kilobytes (up to 100 MB) of packets have been captured. The packet capture file size is limited to 1% of total RAM, which might be reached before n packets have been captured. Note: The parameter capsize n is an approximate command; it captures an approximate number of packets. If no parameters are specified, the default is to capture until the stop subcommand is issued or the maximum limit is reached.
    trunc n                 The trunc n parameter collects, at most, n bytes of packets from each frame. This continues until the 1% of total RAM file size limitation is reached. Range is 0 to 2147483647.
    last n                  The last n parameter saves up to n bytes of packets in memory. (The maximum amount of memory used for saving packets is limited to 100 MB.) Any packet received after the memory limit is reached results in the discarding of the oldest saved packet prior to saving the new packet. The saved packets in memory are written to disk when the capture is terminated. The range is 0 to 2147483647.
stop                    Stops the capture.
transfer url username password   Transfers captured data to an FTP site. Refer to the examples for details.


filter

Command          Parameter/Subcommand                                     Description
iface in | out                                                            Captures either in or out from an interface.
iface in | out   interface_number                                         Captures either in or out from a particular interface.
iface            interface_number                                         Captures both in and out from a particular interface.
expr             {host name | net number | port number}                   Type qualifier. host is the default.
expr             {src name | dst number | src name or dst name | src name and dst name}   Direction qualifier; specifies the transfer direction. src or dst is the default.
expr             {ether | ip | arp | rarp | tcp | udp} expr               Proto qualifier; restrict matches to a specific protocol. For example: tcp src name.
<cr>                                                                      No filtering; captures all.

The following table provides more parameters that can be used to create complex filter expressions.

Important: Define filter expr parameters with double-quotes to avoid confusion with special characters.


expr

Parameter/Subcommand                                        Description
{dst host | src host | host} ip_address [ip_address ...]    If multiple IP addresses are specified, each address is checked for a match.
{ether dst | ether src | ether host} ehost [ehost ...]      ehost is a valid Ethernet address. If multiple ehost addresses are specified, each address is checked for a match.
{dst net | src net | net} net                               True if either the source or destination IP address of the packet has a network number of net.
{dst port | src port | port} port                           True if the packet has a source or destination port value of port. May be prepended with tcp or udp.
net net mask mask                                           True if the IP address matches the net value with the specified netmask value. May be qualified with src or dst.
less length                                                 True if the packet length is less than or equal to length.
greater length                                              True if the packet length is greater than or equal to length.
ip proto protocol                                           protocol can be a number or name (icmp, udp, tcp), but since these identifiers are also keywords within the filter expression parser, they must be escaped with a backslash.
{ether | ip} broadcast                                      True if the packet is an Ethernet broadcast or IP broadcast packet.
{ether | ip} multicast                                      True if the packet is an Ethernet multicast or IP multicast packet.
ether proto protocol                                        protocol can be a number or name (ip, arp, rarp), but since these identifiers are also keywords within the filter expression parser, they must be escaped with a backslash.
! or not                                                    Negation.
&& or and                                                   Concatenation.
|| or or                                                    Alternation.

Note: Once a filter is set, it remains in effect until it is redefined. Also, if the Security Appliance is rebooted, filtering is set to off; you must reset or redefine all filtering options.

The following are examples of the pcap parameters/subcommands filter, info, start and transfer.

Example 1
Capture transactions between a Security Appliance (10.1.1.1), a server (10.2.2.2), and a client (10.1.1.2).
SGOS# pcap filter expr host 10.1.1.1 || host 10.2.2.2 || host 10.1.1.2

Example 2
SGOS# pcap filter expr port 80
SGOS# pcap start


This captures outbound packets that have a source port of 80 from the interface using the IP protocol TCP.
SGOS# pcap info
packet capture information:
  Packets captured: 301
  Bytes captured: 1198
  Packets written: 256
  Bytes written: 0
  Current state: Stopped
  Filtering: Off

This shows relevant information regarding current packet-capturing.

Example 3
This stops the capturing of packets after approximately three Kilobytes of packets have been collected.
SGOS# pcap start capsize 3

Example 4
This transfers captured packets to the FTP site 10.25.36.47. Note that the username and password are provided.
SGOS# pcap transfer ftp://10.25.36.47/path/filename.cap username password

If the folders in the path do not exist, they are not created. An error message is generated.
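As an added example (not Blue Coat code and not part of the original page), the Python helpers below compose filter expressions in the syntax of the filter and expr tables above, applying the backslash escape the tables require for protocol keywords and the double-quoting the Important note calls for. The addresses and ports used in it are constructed values.

```python
"""Compose pcap filter expressions in the syntax the filter and expr tables
describe, so a capture is narrowed before it is started.  Added example,
not Blue Coat code; it runs offline and prints text for `pcap filter expr`."""
import re

# Names the page lists as protocol values that are also parser keywords;
# as the value of `ip proto` / `ether proto` they need a leading backslash.
IP_PROTO_KEYWORDS = {"icmp", "udp", "tcp"}
ETHER_PROTO_KEYWORDS = {"ip", "arp", "rarp"}

_IPV4 = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")
_MAC = re.compile(r"^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}$")

def _ipv4(addr):
    """Accept dotted-quad addresses only (an assumption of this example)."""
    m = _IPV4.match(addr)
    if not m or any(int(octet) > 255 for octet in m.groups()):
        raise ValueError(f"not an IPv4 address: {addr!r}")
    return addr

def _direction(direction):
    """Direction qualifier: None (either side), 'src' or 'dst'."""
    if direction not in (None, "src", "dst"):
        raise ValueError(f"direction must be None, 'src' or 'dst': {direction!r}")
    return f"{direction} " if direction else ""

def host(*addrs, direction=None):
    """{dst host | src host | host} ip_address [ip_address ...]"""
    if not addrs:
        raise ValueError("host needs at least one address")
    return _direction(direction) + "host " + " ".join(_ipv4(a) for a in addrs)

def ether_host(*ehosts, direction=None):
    """{ether dst | ether src | ether host} ehost [ehost ...]"""
    if not ehosts or not all(_MAC.match(e) for e in ehosts):
        raise ValueError(f"need one or more Ethernet addresses: {ehosts!r}")
    _direction(direction)  # validate; None means 'ether host'
    return "ether " + (direction or "host") + " " + " ".join(ehosts)

def net(number, mask=None, direction=None):
    """{dst net | src net | net} net, or `net net mask mask`."""
    expr = _direction(direction) + "net " + _ipv4(number)
    return expr if mask is None else expr + " mask " + _ipv4(mask)

def port(number, direction=None, transport=None):
    """{dst port | src port | port} port, optionally prepended with tcp/udp."""
    number = int(number)
    if not 0 <= number <= 65535:
        raise ValueError(f"port out of range: {number}")
    if transport not in (None, "tcp", "udp"):
        raise ValueError(f"transport must be None, 'tcp' or 'udp': {transport!r}")
    prefix = f"{transport} " if transport else ""
    return prefix + _direction(direction) + f"port {number}"

def _proto(protocol, keywords, max_number):
    """A numeric value passes through; a keyword name gets its backslash."""
    if isinstance(protocol, int):
        if not 0 <= protocol <= max_number:
            raise ValueError(f"protocol number out of range: {protocol}")
        return str(protocol)
    if protocol in keywords:
        return "\\" + protocol
    raise ValueError(f"unknown protocol name: {protocol!r}")

def ip_proto(protocol):
    """ip proto protocol (icmp, udp, tcp or an IP protocol number)."""
    return "ip proto " + _proto(protocol, IP_PROTO_KEYWORDS, 255)

def ether_proto(protocol):
    """ether proto protocol (ip, arp, rarp or an EtherType number)."""
    return "ether proto " + _proto(protocol, ETHER_PROTO_KEYWORDS, 65535)

def negate(expr):
    """! or not: apply to a single primitive, since the page shows no grouping."""
    return "not " + expr

def all_of(*exprs):
    """&& or and: every primitive must match."""
    return " && ".join(exprs)

def any_of(*exprs):
    """|| or or: any primitive may match."""
    return " || ".join(exprs)

def quoted(expr):
    """Wrap the finished expression in double quotes, as the page advises."""
    return '"' + expr + '"'

if __name__ == "__main__":
    # Example 1 from the page: traffic among the appliance, server and client.
    print("pcap filter expr",
          quoted(any_of(host("10.1.1.1"), host("10.2.2.2"), host("10.1.1.2"))))
    # Constructed: TCP port 80 only, leaving out one noisy client.
    print("pcap filter expr",
          quoted(all_of(port(80, transport="tcp"), negate(host("10.1.1.2")))))
```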

#ping
Use this command to verify that a particular IP address exists and can accept requests. Ping output will also tell you the minimum, maximum, and average time it took for the ping test data to reach the other computer and return to the origin.

Syntax
ping {IP_address | hostname}

where IP_address is the IP address and hostname is the host name of the remote computer.

Example
SGOS# ping 10.25.36.47
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.25.36.47, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/0/0 ms
Number of duplicate packets received = 0

#purge-dns-cache
This command clears the DNS cache. You can purge the DNS cache at any time. You might need to do so if you have experienced a problem with your DNS server, or if you have changed your DNS configuration.


Syntax
purge-dns-cache

The purge-dns-cache command does not have any parameters or subcommands.

Example
SGOS# purge-dns-cache
ok

#restart
Restarts the system. The restart options determine whether the Security Appliance should simply reboot the Security Appliance (regular), or should reboot using the new image previously downloaded using the load upgrade command (upgrade).

Syntax
restart {regular | upgrade}

where regular reboots the version of the Security Appliance that is currently installed and upgrade reboots the entire system image.

Example
SGOS# restart upgrade
ok
SGOS#
Initiating a hardware restart
Waiting for disk activity to cease
Starter Version 1.5
This machine has the following bootable systems:
>1: Version: SG 2.1.05 Release id: 19999 Wednesday July 26 2002 09:46:14 UTC, Boot Status: Last boot succeeded
 2: Version: CA 5.0.99 Release id: 18882 Tuesday November 2 2001 10:51:02 UTC, Boot Status: Last boot succeeded
 3: Version: CA 4.2.01 Release id: 18742 Friday September 28 2002 09:11:42 UTC, Boot Status: Last boot succeeded
 4: Version: CA 4.0.99 Release id: 16577 wmt Tuesday October 16 2001 11:55:31 UTC, Boot Status: Last boot succeeded
 5: Version: CA 4.0.99 Release id: 16486 Tuesday October 2 2001 10:51:02 UTC, Boot Status: Last boot succeeded
The default boot system is:
 4: Version: CA 5.0.00 Release id: 16455
Press the space key to select an alternate system to boot.
Seconds remaining until the default system is booted: 5
Boot system number: 3
Booting "Version: SG 2.1.05 Release id: 19999"

See also
load


#restore-cacheos4-config
Restores the Security Appliance to the initial configuration derived upon an upgrade from CacheOS 4.x to SGOS 2.x. The Security Appliance retains the network settings.

Syntax
restore-cacheos4-config

Example
SGOS# restore-cacheos4-config
% "restore-cacheos4-configuration" requires a restart to take effect.
% Use "restart regular" to restart the system.

Or if there is no 4.x configuration found:

SGOS# restore-cacheos4-config
% No CacheOS 4.x configuration is available on this system.

See also
restore-defaults

#restore-defaults
Restores the Security Appliance to the default configuration. When you restore system defaults, the Security Appliance's IP address, default gateway, and the DNS server addresses are cleared. In addition, any lists (for example, forwarding or bypass) are cleared. After restoring system defaults, you need to restore the Security Appliance's basic network settings, as described in the Blue Coat Configuration and Management Guide, and reset any customizations.

Syntax
restore-defaults [keep-console]

where the restore-defaults command by itself restores using the default configuration, and restore-defaults keep-console restores using the default configuration but retains any configuration settings that affect console access.

Example
SGOS# restore-defaults
% "restore-defaults" requires a restart to take full effect.
% Use "restart regular" to restart the system.

#reveal-advanced
The reveal-advanced command allows you to enable all or a subset of the advanced commands available to you when using the CLI.

Syntax
reveal-advanced {all | expand | tcp-ip}


where:
all       Enables all advanced commands.
expand    Displays expanded commands.
tcp-ip    Enables only the TCP/IP advanced commands; the status of the other advanced commands remains unchanged.

#show
Use this command to display system information.

Syntax
option 1 : show accelerated-pac
option 2 : show access-log {configuration | statistics}
option 3 : show archive-configuration
option 4 : show arp-table
option 5 : show bandwidth-gain
option 6 : show bypass-list
option 7 : show caching
option 8 : show clock
option 9 : show commands {delimited | formatted}
option 10 : show configuration {brief | expanded}
option 11 : show content {outstanding-requests | priority [regex regex | url url] | url url}
option 12 : show content-distribution
option 13 : show cpu
option 14 : show diagnostics
option 15 : show disk {disk_number | all}
option 16 : show dns
option 17 : show domain-alias
option 18 : show download-paths
option 19 : show dynamic-bypass
option 20 : show efficiency
option 21 : show environmental
option 22 : show event-log
option 23 : show forwarding
option 24 : show health-checks
option 25 : show hostname
option 26 : show http
option 27 : show http-stats
option 28 : show icap {clusters | services | statistics}
option 29 : show icp-settings
option 30 : show identd
option 31 : show installed-systems
option 32 : show interface {interface# | all}
option 33 : show ip-default-gateway
option 34 : show ip-route-table
option 35 : show ip-stats
option 36 : show netbios
option 37 : show ntp
option 38 : show policy [order | proxy-default]
option 39 : show ports
option 40 : show realms
option 41 : show resources
option 42 : show restart
option 43 : show return-to-sender
option 44 : show rip
option 45 : show rtsp
option 46 : show security
option 47 : show sessions
option 48 : show services
option 49 : show snmp
option 50 : show socks-machine-id
option 51 : show sources {bypass-list | error-pages | icp-settings | policy | rip-settings | static-route-table | streaming real-media | wccp-settings}
option 52 : show splash-generator
option 53 : show static-routes
option 54 : show status
option 55 : show streaming
option 56 : show system-resource-percents
option 57 : show tcp-rtt
option 58 : show terminal
option 59 : show telnet-management
option 60 : show timezones
option 61 : show transparent-proxy
option 62 : show user-authentication
option 63 : show version
option 64 : show virtual-ip
option 65 : show wccp
option 66 : show web-management

where:
accelerated-pac Displays accelerated PAC file information. access-log Displays access log configuration settings or statistics. configuration statistics Indicates that you want to display access log configuration information. Indicates that you want to display access log statistics data, including log and upload information.

archive-configuration Displays archive configuration settings including protocol, host, path, filename, username, and password. arp-table Displays TCP/IP ARP table information. bandwidth-gain Displays bandwidth gain status, mode, and the status of the "substitute get for get-if-modified-since," "substitute get for HTTP 1.1 conditional get," and "never refresh before specified object expiry" features. bypass-list Displays your bypass list. caching Displays data regarding cache refresh rates and settings and caching policies. clock Displays the current time. commands Displays a list of the available (root, privileged) CLI commands. delimited formatted Displays commands in such a way that they can be parsed. Displays commands so that they can be viewed easily.

configuration Displays the current Security Appliance configuration as it differs from the default settings. You can capture the output of this command to a text file for future reference, or to restore the configuration using the privileged mode configure network url command, where url is the URL location of the configuration file. brief expanded Displays the current non-default configuration commands without inline expansion. Displays the current non-default configuration commands with inline expansion. Displays the complete list of outstanding asynchronous content revalidation and distribute requests. Displays the deletion priority value assigned to the regex or url, respectively. Displays statistics of the specified URL.

content Displays various content management commands current in effect. outstanding-requests priority [regex regex | url url] url url

content-distribution Displays the average sizes of cached objects. cpu Displays the current CPU usage. diagnostics Displays remote diagnostics information, including version number, and whether or not the Heartbeats feature and the Security Appliance monitor are currently enabled. disk Displays disk information, including slot number, vendor, product ID, revision and serial number, capacity, and status. disk_number all Displays information about the disk specified. Displays information about all disks.

dns Displays primary and alternate DNS server data.

35

Security Appliance Command Line Reference

domain-alias Displays domain alias configuration information. download-paths Displays downloaded configuration path information, including filter list, bypass list, accelerated PAC file, HTTP error page, RIP settings, static route table, upgrade image, and WCCP settings. dynamic-bypass Displays dynamic bypass configuration status information. efficiency Displays efficiency statistics by objects and by bytes, as well as information about non-cacheable objects and access patterns. environmental Displays environmental sensor information. event-log Displays event log settings, including event level and event log size, and event recipients. forwarding Displays advanced forwarding settings, including download-via-forwarding, health check, and load balancing status, and the definition of forwarding hosts/groups and advanced forwarding rules. health-checks Displays health-check statistics. hostname Displays hostname, IP address, and type. http Displays HTTP information. http-stats Displays HTTP statistics, including HTTP statistics version number, number of connections accepted by HTTP, number of persistent connections that were reused, and the number of active client connections. icap {clusters | services | statistics} Displays ICAP cluster, services, and configuration information. icp-settings Displays current ICP configuration information. identd Displays IDENTD information. installed-systems Displays Security Appliance system information such as version and release numbers, boot and lock status, and timestamp information. interface Displays interface status and configuration information, including IP address, subnet mask, MTU size, source for instructions, autosense information, and inbound connection disposition for the current interface. all interface# Displays the above information for all interfaces. Displays the above information for the specified interface.

ip-default-gateway - Displays default IP gateway IP address, weight, and group membership.
ip-route-table - Displays route table information.
ip-stats - Displays TCP/IP statistics for the current session.
netbios - Displays NETBIOS information.
ntp - Displays NTP servers status and information.
policy - Displays policy information.
    [order] - Displays policy evaluation order.
    [proxy-default] - Displays the proxy default policy.

ports - Displays HTTP and console port number, type, and properties.
realms - Displays configured authentication realms.
resources - Displays allocation of disk and memory resources.
restart - Displays system restart settings, including core image information and compression status.
return-to-sender - Displays "return to sender" inbound and outbound settings.
rip - Displays information on RIP settings, including parameters and configuration, RIP routes, and RIP statistics.


Chapter 2: Standard and Privileged Mode Commands

rtsp - Displays RTSP information.
security - Displays security parameters.
services - Displays information about services.
snmp - Displays SNMP statistics, including status and MIB variable and trap information.
socks-machine-id - Displays the id of the secure sockets machine.
sources - Displays source listings for installable lists, such as the bypass-list, "direct or deny" list, filter list, ICP settings, RIP settings, static route table, streaming configurations, and WCCP settings files.
    bypass-list - Displays the source file for the current bypass list.
    error-pages - Displays the source file for the error pages.
    icp-settings - Displays the source file for the current ICP settings.
    policy - Displays the source file for the CPL policy.
    rip-settings - Displays the source file for the current RIP settings.
    static-route-table - Displays the source file for the current static route table.
    streaming real-media - Displays the source file for the current streaming configurations. Specify real-media to display real streaming information.
    wccp-settings - Displays the source file for the current WCCP settings.

splash-generator - Displays general, radius accounting and TACACS accounting information.
static-routes - Displays static route table information.
status - Displays current system status information, including configuration information and general status information.
streaming - Displays Microsoft Media or RealNetworks information.
    real-media - Displays RealNetworks streaming media information.
    windows-media - Displays Microsoft Media streaming information.

system-resource-percent - Displays the distribution of resources.
tcp-rtt - Displays TCP round trip time ticks.
terminal - Displays terminal configuration parameters.
telnet-management - Displays telnet management status and the status of SSH configuration through Telnet.
timezones - Displays current and supported timezones.
transparent-proxy - Displays transparent proxy information.
user-authentication - Displays Authenticator Credential Cache Statistics, including credential cache information, maximum number of clients queued for cache entry, and the length of the longest chain in the hash table.
version - Displays Security Appliance hardware and software version and release information and backplane PIC status.
virtual-ip - Displays virtual IP addresses.
wccp - Displays WCCP configuration and statistics information.
    configuration - Displays WCCP configuration information, including version number and status.
    statistics - Displays WCCP statistics information, including last reset time, and packets and bytes sent and received.

web-management Displays Web management status.


Examples
SGOS# show caching
Refresh:
    Desired access freshness is 97.5%
    Estimated access freshness is 100.0%
    Let the Security Appliance manage refresh bandwidth
    Current bandwidth used is 0 Kbits/sec
Policies:
    Do not cache objects larger than 50 megabytes
    Cache negative responses for 0 minutes
    Let the Security Appliance manage freshness
FTP caching:
    Caching FTP objects is enabled
    Do not cache FTP objects larger than 50 megabytes
    FTP objects with last modified date, cached for 10% of last modified time
    FTP objects without last modified date, initially cached for 24 hours
SGOS# show resources
Disk resources:
    Available to cache:      3852673024
    In use by cache:          190489725
    In use by system:         268771328
    In use by access log:         48003
    Total disk installed:    4311982080
Memory resources:
    In use by cache:           90218496
    In use by system:          37226528
    In use by network:          6772704
    Total RAM installed:      134217728

SGOS# show installed-systems
SGOS Systems
1. Version: SG 2.1.05, Release ID: 19999
   Tuesday September 10 2002 08:35:58 UTC, Boot Status: Last boot succeeded, Lock Status: Unlocked
2. Version: CA 4.0.03, Release ID: 15484 Real Media
   Tuesday May 15 2001 08:35:58 UTC, Boot Status: Last boot succeeded, Lock Status: Unlocked
3. Version: CA 4.0.03, Release ID: 15566 Real Media
   Friday May 25 2001 08:30:38 UTC, Boot Status: Last boot succeeded, Lock Status: Unlocked
4. Version: CA 4.0.02, Release ID: 15436 Real Media
   Monday May 7 2001 18:51:55 UTC, Boot Status: Last boot succeeded, Lock Status: Unlocked
5. Version: CA 4.0.03, Release ID: 15452 Real Media
   Wednesday May 9 2001 08:35:18 UTC, Boot Status: Last boot succeeded, Lock Status: Unlocked
Default system to run on next hardware restart: 3
Default replacement being used. (oldest unlocked system)
Current running system: 3
When a new system is loaded, only the system number that was replaced is changed.
The ordering of the rest of the systems remains unchanged.
SGOS#
SGOS# show cpu
Current cpu usage: 0.0 percent
SGOS# show dns
Primary DNS servers: 10.253.220.249
Alternate DNS servers:
Imputed names:
SGOS# show dynamic-bypass
Dynamic bypass: disabled
Non-HTTP trigger: disabled
HTTP 400 trigger: disabled
HTTP 401 trigger: disabled
HTTP 403 trigger: disabled
HTTP 405 trigger: disabled
HTTP 406 trigger: disabled
HTTP 500 trigger: disabled
SGOS# show hostname
Hostname: 10.25.36.47 - Blue Coat 5000
SGOS# show icp-settings
# Current ICP Configuration
# Written on Wed, 23 Jan 2002 22:43:57 UTC
# ICP Port to listen on (0 to disable ICP)
icp_port 0
# Neighbor timeout (seconds)
neighbor_timeout 2
# ICP and HTTP failure counts
icp_failcount 20
http_failcount 5
# Host failure/recovery notification flags
host_recover_notify off
host_fail_notify off
# 0 neighbors defined, 32 maximum
# ICP host configuration
# icp_host hostname peertype http_port icp_port [options]
# Forwarding host configuration
# fwd_host hostname http_port [options]
# 0 groups defined, 16 maximum
# Forwarding host URL regex configuration
# fwd_host_url_regex targetname url_regex
# targetname of deny means deny access
# targetname of direct means no forwarding
# 0 forwarding host URL regexes defined, 256 maximum
# Forwarding host domain configuration
# fwd_host_domain targetname domainname
# targetname of deny means deny access
# targetname of direct means no forwarding
# 0 forwarding host domains defined, 256 maximum
# Forwarding host ip configuration
# fwd_host_ip targetname IP[/netmask]
# targetname of deny means deny access
# targetname of direct means no forwarding
# 0 IPs defined, 256 maximum
# ICP access domain configuration

SGOS# show ntp
NTP is enabled
NTP servers:
    ntp.Blue Coat.com
    ntp2.Blue Coat.com
SGOS# show rtsp
Proxy port: 1091
Parent proxy address: 0.0.0.0
Parent proxy port: 1091

SGOS# show snmp
General info:
    SNMP is disabled
MIB variables:
    sysContact: Rita
    sysLocation:
Traps:
    Trap address 1:
    Trap address 2:
    Trap address 3:
    Authorization traps: disabled
SGOS# show transparent-proxy
Transparent proxy
    Send client IP: disabled

#temporary-route
This command is used to manage temporary route entries.

Syntax
temporary-route {add destination_address netmask gateway_address | delete destination_address}

where:
add destination_address netmask gateway_address - Adds a temporary route entry.
delete destination_address - Deletes a temporary route entry.

#test http
This command is used to test subsystems. A test http get command to a particular origin server or URL, for example, can verify Layer 3 connectivity and also verify upper layer functionality.


Syntax
test http {get url | loopback}

where:
get - Performs a test Get of an HTTP object.
    url - Names the object that you want to Get.
loopback - Performs a loopback test.

Examples
SGOS# test http loopback
Type escape sequence to abort.
Executing HTTP loopback test
Measured throughput rate is 20026.76 Kbytes/sec
HTTP loopback test passed
SGOS# test http get http://www.google.com
Type escape sequence to abort.
Executing HTTP get test
* HTTP request header sent:
GET http://www.google.com/ HTTP/1.0
User-Agent: HTTP_TEST_CLIENT
* HTTP response header recv'd:
HTTP/1.0 200 OK
Connection: close
Date: Fri, 12 Oct 2001 21:08:31 GMT
Server: GWS/1.11
Set-Cookie: PREF=ID=7af9837f5988933d:TM=1002920911:LM=1002920911; domain=.google.com; path=/; expires=Sun, 17-Jan-2038 19:14:07 GMT
Content-Type: text/html
Content-Length: 2184
Cache-Control: private
Measured throughput rate is 6.71 Kbytes/sec
HTTP get test passed

#traceroute
Use this command to trace the route to a destination. The traceroute command can be helpful in determining where a problem may lie between two points in a network. Use traceroute to trace the network path from a Security Appliance back to a client or to a specific origin Web server. (Note that you can also use the trace route command from your client station (if supported) to trace the network path between the client, a Security Appliance, and a Web server. Microsoft operating systems generally support the trace route command from a DOS prompt. The syntax from a Microsoft-based client is: tracert [ip | hostname].)


Syntax
traceroute {IP_address | hostname}

where:
IP_address - Indicates the IP address of the client or origin server.
hostname - Indicates the host name of the origin server.

Example
SGOS# traceroute 10.25.36.47
Type escape sequence to abort.
Executing HTTP get test
HTTP response code: HTTP/1.0 503 Service Unavailable
Throughput rate is non-deterministic
HTTP get test passed
10.25.36.47#traceroute 10.25.36.47
Type escape sequence to abort.
Tracing the route to 10.25.36.47
 1 10.25.36.47 212 0 0 0

#upload
Uploads the current access log or running configuration. Archiving a Security Appliance's system configuration on a regular basis is a generally prudent measure. In the rare case of a complete system failure, restoring a Security Appliance to its previous state is simplified if you recently uploaded an archived system configuration to an FTP or HTTP server. The archive contains all system settings differing from system defaults, along with any forwarding and security lists installed on the Security Appliance.

Syntax
upload {access-log | configuration}

where:
access-log - Specifies to upload the current access log.
configuration - Specifies to upload the current configuration.

Examples
SGOS> enable
Enable Password: *****
SGOS# upload configuration
ok

To restore an archived system configuration:

1. At the enable command prompt, enter the following command:
SGOS> configure network url

The URL must be in quotation marks, if the filename contains spaces, and must be fully-qualified (including the protocol, server name or IP address, path, and filename of the archive). The configuration archive is downloaded from the server, and the Security Appliance settings are updated. If your archived configuration filename does not contain any spaces, quotation marks surrounding the URL are unnecessary.

2. Enter the following command to restart the Security Appliance with the restored settings:
SGOS> restart mode software

For example:
SGOS> enable
Enable Password: *****
SGOS# configure network ftp://10.25.36.46/path/10.25.36.47 - Blue Coat 5000 0216214521.config
% Configuring from ftp://10.25.36.46/path/10.25.36.47 - Blue Coat 5000 0216214521.config
. . .
ok


Chapter 3: Privileged Mode Configure Commands

#configure
The configure command allows you to configure the Blue Coat Systems Port 80 Security Appliance settings from your current terminal session, or by loading a text file of configuration settings from the network.

Syntax
configure {{terminal | t} | network url} configure_command configure_command . . .

where configure_command is any of the following:


This Configure Command:     Does this:
archive-configuration       Saves the system configuration.
banner                      Defines a login banner.
management-port             Specifies a port and protocol for a Web console.
telnet-management           Enables or disables Telnet access to the CLI.
upgrade-path                Identifies the network path that should be used to download system software.
web-management              Enables or disables Web console.

Table 3.1: View Configuration Settings Commands:
This Configure Command:     Does this:
show                        Displays running system information.

Table 3.2: Change Configuration Settings Commands:
This Configure Command:     Does this:
accelerated-pac             Configures installation parameters for PAC file.
access-log                  Configures the access log for each HTTP request made.
bandwidth-gain              Configures bandwidth gain.
bypass-list                 Installation parameters for bypass list.
caching                     Modify caching parameters.
clock                       Modifies clock settings.
content                     Adds or deletes objects from the Security Appliance.
content-filter              Configures the content filter.


diagnostics                 Configures remote diagnostics.
domain-alias                Configures domain alias attributes.
dns                         Modifies DNS settings.
dynamic-bypass              Modifies dynamic bypass configuration.
error-pages                 Configures HTTP error pages.
event-log                   Configures event log parameters.
exit                        Returns to the previous prompt.
forwarding                  Configures forwarding parameters.
hide-advanced               Disables commands for advanced subsystems.
hostname                    Sets the system hostname.
http                        Configures HTTP parameters.
https                       Configures HTTPS parameters.
icap                        Configures ICAP.
icp                         Configures ICP.
identd                      Configures IDENTD.
inline                      Installs configurations from console input.
installed-systems           Maintain the list of currently installed Security Appliance systems.
interface                   Selects an interface to configure.
ip-default-gateway          Specifies the default IP gateway.
line-vty                    Configures a terminal line.
load                        Loads an installable list.
netbios                     Configures NETBIOS parameters.
no                          Clears certain parameters.
ntp                         Modifies NTP parameters.
policy                      Specifies CPL rules.
restart                     System restart behavior.
return-to-sender            IP return to sender behavior.
reveal-advanced             Enables or disables commands for advanced subsystems.
rip                         Modifies RIP configuration.
rtsp                        Specifies RTSP proxy ports and IP addresses.
security                    Modifies security parameters.
services                    Configures protocol attributes.
snmp                        Modifies SNMP parameters.
socks-machine-id            Specifies the machine ID for SOCKS.
splash-generator            Configures splash pages.
sshd                        Modifies SSHD parameters.
static-routes               Installation parameters for static routes table.
streaming                   Configures streaming parameters.
system-resource-percent     Configures system resource allocation.
tcp-rtt                     Specifies the default TCP Round Trip Time.
timezone                    Sets the local timezone.
virtual-ip                  Configures virtual IP addresses.
wccp                        Configures WCCP parameters.

#(config)accelerated-pac
Normally, a Web server is kept around to serve the PAC file to client browsers. This feature allows you to load a PAC file onto the Security Appliance for high performance PAC file serving right from the Security Appliance. There are two ways to create an Accelerated PAC file: (1) customize the default PAC file and save it as a new file, or (2) create a new custom PAC file. In either case, it is important that the client instructions for configuring Security Appliance settings contain the URL of the Accelerated-PAC file. Clients load PAC files from:
http://your_security_appliance:8081/accelerated_pac_base.pac

Syntax
accelerated-pac {no path | path url}

where:
accelerated-pac - Configures accelerated PAC file information.
    no path - Clears the network path to download PAC file.
    path url - Specifies the location to which the PAC file should be downloaded.

Example
SGOS#(config) accelerated-pac path 10.25.36.47
ok

#(config)access-log
The Security Appliance can maintain an access log for each HTTP request made. The access log can be stored in one of three formats, which can be read by a variety of reporting utilities. See the Access Log Formats chapter for additional information on log formats.

Syntax
access-log

This changes the prompt to:


SGOS#(config access-log)

-subcommands-
option 1: bandwidth kbps
option 2: client-type {custom | ftp}
option 3: commands {cancel-upload | close-connection | delete-logs | open-connection | rotate-remote-log | send-keep-alive | test-upload | upload-now}
option 4: connect-wait-time seconds
option 5: continuous-upload {disable | enable | keep-alive seconds | lag-time seconds | rotate-remote {daily rotation_hour | hourly rotation_interval}}
option 6: custom-client {alternate-server IP_address | primary-server IP_address}
option 7: disable
option 8: early-upload megabytes
option 9: enable
option 10: exit
option 11: format {common | custom format_string | elff format_string | no string | squid-compatible}
option 12: ftp-client {alternate {host host_name | password password | path path | username username} | filename format | no {alternate | filename | primary} | pasv {no | yes} | primary {host host_name | password password | encrypted-password encrypted-password | path path | username username} | secure {yes | no}}
option 13: max-size megabytes
option 14: overflow-policy {delete | stop}
option 15: remote-size megabytes
option 16: show
option 17: time-format {gmt | local}
option 18: upload-interval {daily upload_hour | hourly upload_interval}
option 19: upload-type {gzip | text}

where:
bandwidth kbps - Use this command to specify the maximum amount of bandwidth used during log uploading.
client-type - Use this command to specify which upload client to use.
commands - Use this command to manage log file connections.
    cancel-upload - Cancels a pending access log upload.
    close-connection - Closes a manually-opened connection to the remote server.
    delete-logs - Permanently deletes all access logs on the Security Appliance.
    open-connection - Opens a connection to the remote server.
    rotate-remote-log - Switches to a new remote log file.
    send-keep-alive - Sends a keep-alive log packet to the remote server.
    test-upload - Tests the upload configuration by uploading a verification file.
    upload-now - Uploads an access log file.

48

Chapter 3: Privileged Mode Configure Commands

connect-wait-time seconds - Use this command to specify the time to wait between server connection attempts.
continuous-upload - Use this subcommand to configure continuous upload settings.
    {enable | disable} - Enables or disables continuous upload.
    keep-alive seconds - Specifies the interval between keep-alive timeouts.
    lag-time seconds - Specifies the maximum time between log packets (text upload only).
    rotate-remote {daily | hourly} - Specifies when to switch to a new remote logfile.
custom-client - Use this subcommand to configure the custom client.
    alternate-server IP_address [port] - Specifies the alternate server.
    primary-server IP_address [port] - Specifies the primary server.

disable - Use this subcommand to disable access logging.
early-upload - Use this subcommand to trigger an early upload when the access log file reaches the specified size.
    megabytes - Specifies the file size, in megabytes, that, when reached, will cause the access log file to be uploaded to the primary upload site.

enable - Use this subcommand to enable access logging.
format - Use this subcommand to specify the access log format.
    common - Indicates that the access-log output should be generically server-compatible.
    squid-compatible - Indicates that the access log format should be SQUID proxy caching server-compatible.
    custom custom_string - Indicates that the access log format should be compatible with the format specified by custom_string.

ftp-client - Use this subcommand to configure the FTP client.
    alternate {host hostname [port] | password password | encrypted-password encrypted-password | path path | username username} - Specifies the alternate FTP host site.
    filename format - Specifies the remote filename format.
    no {alternate | filename | primary} - Deletes the specified parameter.
    pasv {no | yes} - Specifies whether the PASV command is sent.
    primary {host hostname [port] | password password | encrypted-password encrypted-password | path path | username username} - Specifies the primary FTP host site.
    secure {no | yes} - Specifies whether to use secure connections.

max-size - Use this subcommand to set the maximum size, in MB, to which the access log can grow.
    megabytes - Maximum size of the access log file. Set the overflow-policy subcommand to determine the action that should occur when this file size is reached.

overflow-policy - Use this access-log subcommand to determine what to do if the access log exceeds its maximum size.
    delete - Indicates that the access log file should be deleted when the file reaches the defined maximum size. Refer to the max-size subcommand for more information.
    stop - Indicates that no new access log data should be added to the access log file when the file reaches the defined maximum size. Refer to the max-size subcommand for more information.
remote-size megabytes - Use this access-log subcommand to specify maximum remote file size (MB).
time-format - Use this access-log subcommand to specify the time format to use with the filename.
    gmt - Use GMT.
    local - Use the local time.
upload-interval - Use this access-log subcommand to specify access log upload interval.
    daily upload_hour - Indicates that the access log file should be uploaded each day at the military time hour indicated by upload_hour.
    hourly upload_interval - Indicates that the access log file should be uploaded every number of hours specified by upload_interval.
upload-type - Use this access-log subcommand to specify whether to upload gzip file or text file.
    gzip - Indicates that the access log file should be uploaded as a GNU zip file.
    text - Indicates that the access log file should be uploaded as a text file.


Example
SGOS#(config) access-log
SGOS#(config access-log) enable
ok
SGOS#(config access-log) format squid-compatible
ok
SGOS#(config access-log)

#(config)archive-configuration
Archiving a Security Appliance system configuration on a regular basis is always a good idea. In the rare case of a complete system failure, restoring a Security Appliance to its previous state is simplified by loading an archived system configuration from an FTP or HTTP server. The archive contains all system settings differing from system defaults, along with any forwarding and security lists installed on the Security Appliance. Archive and restore operations must be performed from the CLI. There is no Management Console Web interface for archive and restore.

Syntax
option 1: archive-configuration filename-prefix filename
option 2: archive-configuration host host_name
option 3: archive-configuration password password
option 4: archive-configuration path path
option 5: archive-configuration protocol {ftp | tftp}
option 6: archive-configuration username username

where:
archive-configuration - Configures archive configuration settings including protocol, host, path, filename, username, and password.
    filename-prefix file_name - Specifies the prefix that should be applied to the archive configuration on upload.
    host host_name - Specifies the FTP host to which the archive configuration should be uploaded.
    password password - Specifies the password for the FTP host to which the archive configuration should be uploaded.
    path path - Specifies the path to the FTP host to which the archive configuration should be uploaded.
    protocol {ftp | tftp} - Indicates the upload protocol to be used for the archive configuration.
    username username - Specifies the username for the FTP or TFTP host to which the archive configuration should be uploaded.

Example
SGOS#(config) archive-configuration host host3
ok

#(config)bandwidth-gain
Bandwidth gain is a measure of the effective increase of server bandwidth resulting from the clients' use of a content accelerator. For example, a bandwidth gain of 100% means that traffic volume from the Security Appliance to its clients is twice as great as the traffic volume being delivered to the Security Appliance from the origin server(s). Using bandwidth gain mode can provide substantial gains in apparent performance. Keep in mind that bandwidth gain is a relative measure of the Security Appliance's ability to amplify traffic volume between an origin server and the clients served by the Security Appliance.

Syntax
bandwidth-gain

This changes the prompt to:


SGOS#(config bandwidth-gain)

-subcommands-
option 1: disable
option 2: enable
option 3: custom pipelining {disable | enable}
option 4: custom if-modified-since {disable | enable}
option 5: custom conditionals {disable | enable}
option 6: custom refresh {disable | enable}
option 7: exit
option 8: mode [custom | default]
option 9: show
option 10: view

where:
bandwidth-gain - Configures bandwidth gain status, mode, and the status of the "substitute get for get-if-modified-since," "substitute get for HTTP 1.1 conditional get," and "never refresh before specified object expire" features.
    disable - Disables bandwidth-gain mode.
    enable - Enables bandwidth-gain mode.
    custom pipelining {disable | enable} - Enables or disables custom pipelining.
    custom if-modified-since {disable | enable} - Enables or disables custom if-modified-since substitution.
    custom conditionals {disable | enable} - Enables or disables custom HTTP 1.1 conditional substitution.
    custom refresh {disable | enable} - Enables or disables custom asynchronous refresh.
    exit - Exits configure bandwidth-gain mode and returns to configure mode.
    mode {custom | default} - Sets bandwidth-gain mode to either custom or default.
    show bandwidth-gain | view - Displays bandwidth gain status, mode, and the status of the "substitute get for get-if-modified-since," "substitute get for HTTP 1.1 conditional get," and "never refresh before specified object expire" features.

Example
SGOS#(config) bandwidth-gain
SGOS#(config bandwidth-gain) enable
ok
SGOS#(config bandwidth-gain) custom pipelining en
ok
SGOS#(config bandwidth-gain) exit
SGOS#(config)

#(config)banner
This command enables you to define a login banner for your users.

Syntax
banner {login string | no login}

where:
banner login string - Sets the login banner to the value of string.
banner no login - Effectively sets the login banner to null.

Example
SGOS#(config) banner login "Sales and Marketing Intranet Web"
ok


#(config)bypass-list
A bypass list prevents the Security Appliance from transparently accelerating requests to servers that perform IP authentication with clients. The bypass list contains IP addresses, subnet masks, and gateways. When a request matches an IP address and subnet mask specification in the bypass list, the request is sent to the designated gateway. A bypass list is only used for transparent caching. There are two types of bypass lists: local and central. To use bypass routes, create a text file that contains a list of address specifications. The file should be named with a .txt extension. Once you have created the bypass list, place it on an HTTP server so it can be installed onto the Security Appliance. You can create your own central bypass list to manage multiple Security Appliances, or you can use the central bypass list maintained by Blue Coat Technical Support at:
http://www.bluecoat.com/support/subscriptions/CentralBypassList.txt

The central bypass list maintained by Blue Coat contains addresses Blue Coat has identified as using client authentication.
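As an added example (not part of this manual and not Blue Coat code), the following Python script shows how an address/netmask/gateway bypass list is matched against a destination address, and how an entry that can never match is detected before the list is installed. It assumes a whitespace-separated "address netmask gateway" line format and first-match semantics, neither of which this page specifies.

```python
"""Bypass-list matcher (added example, not Blue Coat code).

The manual states that a bypass list holds IP addresses, subnet masks and
gateways, and that a request whose destination matches an address/mask
entry is sent to that entry's gateway.  The exact file syntax is not given
on the page; this example ASSUMES one whitespace-separated
"address netmask gateway" entry per line, with '#' starting a comment,
and ASSUMES the first matching entry wins.
"""
import ipaddress
from typing import List, NamedTuple, Optional


class BypassEntry(NamedTuple):
    network: ipaddress.IPv4Network
    gateway: ipaddress.IPv4Address


def parse_bypass_list(text: str) -> List[BypassEntry]:
    """Parse the assumed 'address netmask gateway' format.

    Raises ValueError on a malformed line so that a bad list is rejected
    before it is installed rather than silently matching nothing.
    """
    entries: List[BypassEntry] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected 'address netmask gateway'")
        address, netmask, gateway = parts
        # strict=True rejects a host address whose bits fall outside the mask,
        # e.g. 10.1.2.3/255.255.255.0, which is almost always a typo in a list.
        try:
            network = ipaddress.IPv4Network(f"{address}/{netmask}", strict=True)
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {exc}") from exc
        entries.append(BypassEntry(network, ipaddress.IPv4Address(gateway)))
    return entries


def bypass_gateway(entries: List[BypassEntry],
                   destination: str) -> Optional[ipaddress.IPv4Address]:
    """Return the gateway of the first matching entry, or None when the
    destination is not bypassed and is handled by the transparent proxy."""
    dest = ipaddress.IPv4Address(destination)
    for entry in entries:
        if dest in entry.network:
            return entry.gateway
    return None


def shadowed_entries(entries: List[BypassEntry]) -> List[int]:
    """Indexes of entries that can never match because an earlier entry
    already covers their whole network (first-match semantics assumed)."""
    shadowed = []
    for i, later in enumerate(entries):
        for earlier in entries[:i]:
            if later.network.subnet_of(earlier.network):
                shadowed.append(i)
                break
    return shadowed


# Constructed sample list; addresses come from documentation/private ranges.
SAMPLE_BYPASS_LIST = """\
# constructed example, not the Blue Coat central list
192.0.2.0    255.255.255.0    10.25.36.1   # server farm doing IP authentication
198.51.100.8 255.255.255.255  10.25.36.1
198.51.100.0 255.255.255.0    10.25.36.2
192.0.2.128  255.255.255.128  10.25.36.3   # shadowed by the first entry
"""

SAMPLE_ENTRIES = parse_bypass_list(SAMPLE_BYPASS_LIST)

if __name__ == "__main__":
    for dest in ("192.0.2.77", "198.51.100.8", "198.51.100.9", "203.0.113.5"):
        print(dest, "->", bypass_gateway(SAMPLE_ENTRIES, dest))
    print("shadowed entry indexes:", shadowed_entries(SAMPLE_ENTRIES))
```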

Syntax
bypass-list {central-path url | local-path url | no {central-path | local-path | notify | subscribe} | notify | poll-now | subscribe}

where:
bypass-list - Configures bypass list settings.
    central-path url - Specifies the network path used to download the central bypass list.
    local-path url - Specifies the network path used to download the local bypass list.
    no central-path - Sets the central bypass list path to null.
    no local-path - Sets the local bypass list path to null.
    no notify - Instructs the Security Appliance to not send an e-mail notification if the central bypass list changes.
    no subscribe - Specifies that you do not want to change the bypass list when changes are made to the central bypass list.
    notify - Instructs the Security Appliance to send an e-mail notification if the central bypass list changes.
    poll-now - Checks the central bypass list for changes.
    subscribe - Specifies to change the bypass list when changes are made to the central bypass list.

Example
SGOS#(config) bypass-list local-path 10.25.36.47/files/bypasslist.txt
ok

#(config)caching
When a cached HTTP object expires, it is placed in a refresh list. The Security Appliance processes the refresh list in the background, when it is not serving requests. Refresh policies define how the Security Appliance handles the refresh process. The HTTP caching options allow you to specify:
    Maximum object size
    Negative responses
    Freshness

In addition to HTTP objects, the Security Appliance can cache objects requested using FTP. When the Security Appliance retrieves and caches an FTP object, it uses two methods to determine how long the object should stay cached. If the object has a last-modified date, the Security Appliance assigns a refresh date to the object that is a percentage of the last-modified date. If the object does not have a last-modified date, the Security Appliance assigns a refresh date to the object based on a fixed period of time.

The FTP caching options also allow you to specify:
    Transparency
    Maximum object size
    Caching objects by date
    Caching objects without a last-modified date: if an FTP object is served without a last-modified date, the Security Appliance caches the object for a set period of time.

Syntax
caching

This changes the prompt to:


SGOS#(config caching)

-subcommands-
option 1: always-verify-source
option 2: ftp {disable | enable | max-cache-size megabytes | show | type-m-percent percent | type-n-initial percent}
option 3: max-cache-size megabytes
option 4: negative-response minutes
option 5: no always-verify-source
option 6: refresh {automatic | bandwidth kbps | desired-freshness percent | no automatic}
option 7: show

where:


caching - Configures cache refresh rates and settings and caching policies.
    always-verify-source - Specifies the Security Appliance to always verify the freshness of an object with the object source.
    ftp
        {disable | enable} - Enables or disables the caching of FTP objects.
        max-cache-size megabytes - Specifies the maximum allowable FTP object size to cache.
        type-m-percent percent - Specifies the TTL for objects with a last-modified time.
        type-n-initial percent - Specifies the TTL for objects with no expiration.
    max-cache-size megabytes - Specifies the maximum size of the cache to the value indicated by megabytes.
    negative-response minutes - Specifies that negative responses should be cached for the time period identified by minutes.
    no always-verify-source - Specifies that the Security Appliance should never verify the freshness of an object with the object source.
    refresh
        automatic - Specifies that the Security Appliance should manage the refresh bandwidth.
        bandwidth kbps - Specifies the amount of bandwidth in kilobits to utilize for maintaining object freshness.
        desired-freshness percent - Specifies that the Security Appliance should attempt to maintain freshness for the percentage of objects indicated by percent.
        no automatic - Specifies that the Security Appliance should not manage the refresh bandwidth.

Example
SGOS#(config) caching
SGOS#(config caching) always-verify-source
ok
SGOS#(config caching) max-cache-size 100
ok
SGOS#(config caching) negative-response 15
ok
SGOS#(config caching) refresh automatic
ok
SGOS#(config caching) ftp
SGOS#(config caching ftp) enable
ok
SGOS#(config caching ftp) max-cache-size 200
ok
SGOS#(config caching ftp) type-m-percent 20
ok
SGOS#(config caching ftp) type-n-initial 10
ok
SGOS#(config caching ftp) exit
SGOS#(config caching) exit
SGOS#(config)

#(config)clock
To manage objects in the cache, a Security Appliance must know the current Universal Time Coordinates (UTC) time. By default, the Security Appliance attempts to connect to a Network Time Protocol (NTP) server to acquire the UTC time. The Security Appliance includes a list of NTP servers available on the Internet, and attempts to connect to them in the order they appear in the NTP server list on the NTP tab. If the Security Appliance cannot access any of the listed NTP servers, you must manually set the UTC time using the clock command.

Syntax
clock {day day | hour hour | minute minute | month month | second second | year year}

where:
clock
    Configures the current time.
day day
    Sets the Universal Time Code (UTC) day to the day indicated by day. The value can be any integer from 1 through 31.
hour hour
    Sets the UTC hour to the hour indicated by hour. The value can be any integer from 0 through 23.
minute minute
    Sets the UTC minute to the minute indicated by minute. The value can be any integer from 0 through 59.
month month
    Sets the UTC month to the month indicated by month. The value can be any integer from 1 through 12.
second second
    Sets the UTC second to the second indicated by second. The value can be any integer from 0 through 59.
year year
    Sets the UTC year to the year indicated by year. The value must take the form xxxx.

Example
SGOS#(config) clock year 2002
ok
SGOS#(config) clock month 4
ok
SGOS#(config) clock day 1
ok
SGOS#(config) clock hour 0
ok
SGOS#(config) clock minute 30
ok
SGOS#(config) clock second 59
ok

#(config)content
Use this command to manage and manipulate content distribution requests and re-validate requests. Note: The content command options are not compatible with transparent FTP.

Syntax
content {cancel {outstanding-requests | url url} | delete {regex regex | url url} | distribute url | priority {regex 0-7 regex | url 0-7 url} | revalidate {url url | regex regex}}

where:
content
    Manages and manipulates content pull requests and re-validate requests.
cancel outstanding-requests
    Specifies to cancel all outstanding content distribution requests and re-validate requests.
cancel url url
    Specifies to cancel outstanding content distribution requests and re-validate requests for the URL identified by url.
delete regex regex
    Specifies to delete content based on the regular expression identified by regex.
delete url url
    Specifies to delete content for the URL identified by url.
distribute url
    Specifies that the content associated with url should be distributed from the origin server.
priority regex 0-7 regex
    Specifies to add a content deletion policy based on the regular expression identified by regex.
priority url 0-7 url
    Specifies to add a content deletion policy for the URL identified by url.
revalidate {url url | regex regex}
    Revalidates the content associated with either url or the regular expression identified by regex with the origin server.

Example
SGOS#(config) content distribute http://www.bluecoat.com
Current time: Mon, 01 Apr 2002 00:34:07 GMT
ok
SGOS#(config) content revalidate url http://www.bluecoat.com
Last load time: Mon, 01 Apr 2002 00:34:07 GMT
ok
SGOS#(config) content distribute http://www.bluecoat.com
Current time: Mon, 01 Apr 2002 00:35:01 GMT
ok
SGOS#(config) content priority url 7 http://www.bluecoat.com
ok
SGOS#(config) content cancel outstanding-requests
ok
SGOS#(config) content delete url http://www.bluecoat.com
ok

#(config)content-filter
The Security Appliance offers the option of using content filtering to control the type of retrieved content and to filter requests made by clients. The Security Appliance supports these content filtering methods:

- Using vendor-based content filtering. This method allows you to block URLs using vendor-defined categories. For this method, use content filtering solutions from either of the following vendors:
  - SmartFilter, a provider of Web filtering software used locally on the Security Appliance.
  - Websense, a provider of Web filtering software, used either locally on the Security Appliance or remotely on a separate Websense Enterprise Server.
  You can also combine this type of content filtering with the Security Appliance policies, which use the Blue Coat Policy Language.
- Denying access to URLs. This method allows you to block by URL, including filtering by scheme, domain, or individual host or IP address. For this method, you define Security Appliance policies, which use the Blue Coat Policy Language.

Refer to the Blue Coat Systems Port 80 Security Appliance Configuration and Management Guide and the Blue Coat Systems Port 80 Security Appliance Policy Language Guide and Reference for complete descriptions of these features.

Syntax
content-filter

This changes the prompt to:


SGOS#(config content-filter)

- subcommands -
option 1: disable
option 2: enable
option 3: exit
option 4: select-provider {smartfilter | websense3 | websense4 off-box}
option 5: show
option 6: smartfilter (see following commands for details)
option 7: test-url url
option 8: websense3 (see following commands for details)
option 9: websense4 off-box (see following commands for details)

where:
content-filter
    Configures filters that control the type of retrieved content and filter requests made by clients.
disable
    Disables the current content filter settings.
enable
    Enables the current content filter settings.
exit
    Exits configure content-filter mode and returns you to configure mode.
select-provider {smartfilter | websense3 | websense4 off-box}
    Specifies the content filter provider to use.
show
    Displays the current content filter settings.
smartfilter
    See #(config content-filter)smartfilter.
test-url url
    Tests the URL indicated by url against the specified content filter using a reverse DNS lookup.
websense3
    See #(config content-filter)websense3.
websense4 off-box
    See #(config content-filter)websense4 off-box.

Example
SGOS#(config) content-filter
SGOS#(config content-filter) select-provider smartfilter
Configuration updated, system restart required for changes to take effect.
SGOS#(config content-filter) exit
SGOS#(config) exit
SGOS# restart regular
ok
SGOS#
Initiating software only restart with uncompressed partial core image
Waiting for disk activity to cease

#(config content-filter)smartfilter
Use this command to configure SmartFilter filters that control the type of content retrieved by the Security Appliance and filter requests made by clients.

Syntax
smartfilter

This changes the prompt to:


SGOS#(config smartfilter)

- subcommands -
option 1: view-categories
option 2: download
option 3: exit
option 4: no

where:
smartfilter
    Configures SmartFilter filters that control the type of content retrieved by the Security Appliance and filter requests made by clients.
download control-file filename
    Identifies the file containing all SmartFilter parameters for downloading to client machines.
download day-of-week {all | none | monday | tuesday | wednesday | thursday | friday | saturday | sunday}
    Sets the day of the week for the automatic download of the control-file to occur.
download disable-auto
    Disables automatic download of the control-file to client machines.
download enable-auto
    Enables automatic download of the control-file to client machines.
download get-now
    Initiates automatic download of the control-file to client machines.
download password password
    Indicates the password used to access the network path to the download database.
download encrypted-password encrypted-password
    Indicates the encrypted password used to access the network path to the download database.
download path url
    Indicates the network path to the download database.
download time-of-day hour
    Sets the time of day for the automatic download of the control-file to occur.
download username username
    Specifies the username used to access the network path to the download database.
exit
    Exits configure smartfilter mode and returns you to configure content-filter mode.
view-categories
    Displays all of the categories.

Example
SGOS#(config) content-filter
SGOS#(config content-filter) smartfilter
SGOS#(config smartfilter) view-categories
Anonymizer/Translator
Art/Culture
Chat
. . .
Travel
Webmail
SGOS#(config smartfilter) download username anonymous
ok
SGOS#(config smartfilter) download password Blue Coat
ok
SGOS#(config smartfilter) download control-file sfcontrol
ok
SGOS#(config smartfilter) download enable-auto
ok
SGOS#(config smartfilter) download day-of-week all
ok
SGOS#(config smartfilter) download time-of-day 12
ok
SGOS#(config smartfilter) exit
SGOS#(config content-filter) exit

#(config content-filter)websense3
Use this command to configure Websense3 filters that control the type of content retrieved by the Security Appliance and filter requests made by clients.

Syntax
websense3

This changes the prompt to:


SGOS#(config websense3.x)

- subcommands -
option 1: view-categories
option 2: download
option 3: exit
option 4: no

where:
websense3
    Configures Websense3 filters that control the type of content retrieved by the Security Appliance and filter requests made by clients.
download address1 text
    Specifies the company street address for download verification.
download address2 text
    Specifies the company extended street address for download verification.
download city text
    Specifies the company city for download verification.
download company text
    Specifies the company name for download verification.
download country text
    Specifies the company country for download verification.
download day-of-week {all | none | monday | tuesday | wednesday | thursday | friday | saturday | sunday}
    Specifies the day of the week for the automatic download of the control-file to occur.
download disable-auto
    Disables the automatic download feature.
download email text
    Specifies the company contact e-mail address.
download enable-auto
    Enables the automatic download feature.
download firstname text
    Specifies the company contact first name.
download get-now
    Initiates automatic download of the database to client machines.
download lastname text
    Specifies the company contact last name.
download license-key text
    Specifies the company license key for access to the Websense3 database.
download middlename text
    Specifies the company contact middle name.
download password password
    Specifies the password for access to the Websense3 database.
download encrypted-password encrypted-password
    Specifies the encrypted password for access to the Websense3 database.
download phone-number text
    Specifies the company contact telephone number.
download postcode text
    Specifies the company postal code.
download province text
    Specifies the company province.
download server url
    Specifies the Websense3 server from which the database should be downloaded.
download time-of-day hour
    Sets the time of day for the automatic download of the database to occur.
download username username
    Specifies the company contact's network username.
no address1
    Sets the company contact address to null.
no address2
    Sets the company contact extended address to null.
no city
    Sets the company contact city to null.
no company
    Sets the company name to null.
no country
    Sets the company country to null.
no email
    Sets the company contact e-mail to null.
no firstname
    Sets the company contact first name to null.
no lastname
    Sets the company contact last name to null.
no license-key
    Sets the company license key to null.
no password
    Sets the company password to null.
no phone-number
    Sets the company contact phone number to null.
no postcode
    Sets the company contact postal code to null.
no province
    Sets the company province to null.
no username
    Sets the company contact network username to null.
view-categories
    Displays all of the categories.

Example
SGOS#(config) content-filter
SGOS#(config content-filter) websense3
SGOS#(config websense 3.x) download server asia.download.websense.com
SGOS#(config websense 3.x) download firstname Sally
SGOS#(config websense 3.x) download middlename Anne
SGOS#(config websense 3.x) download lastname Smith
SGOS#(config websense 3.x) download company Company Inc.
SGOS#(config websense 3.x) download address1 1230 Main St.
SGOS#(config websense 3.x) download address2 Suite 100
SGOS#(config websense 3.x) download city Redmond
SGOS#(config websense 3.x) download province WA
SGOS#(config websense 3.x) download country USA
SGOS#(config websense 3.x) download postcode 10808
SGOS#(config websense 3.x) download email sallysmith@company.com
SGOS#(config websense 3.x) download phone-number 555-555-2975
SGOS#(config websense 3.x) download license-key SKDI837SKFIVNW740FM
SGOS#(config websense 3.x) download username centerfield
SGOS#(config websense 3.x) download password wolverine
SGOS#(config websense 3.x) download enable-auto
SGOS#(config websense 3.x) download time-of-day 5
SGOS#(config websense 3.x) download day-of-week monday
SGOS#(config websense 3.x) download day-of-week tuesday
SGOS#(config websense 3.x) exit
SGOS#(config content-filter) exit
SGOS#(config)

#(config content-filter)websense4 off-box
Use this command to configure Websense4 filters that control the type of content retrieved by the Security Appliance and filter requests made by clients.

Syntax
websense4 off-box

This changes the prompt to:


SGOS#(config websense4.x off-box)

- subcommands -
option 1: default-domain string
option 2: directory-service string
option 3: exit
option 4: fail-open
option 5: ip-address ip_address
option 6: no {fail-open | ip_address | port | send-user-name}
option 7: port port_number
option 8: send-user-name

where:
websense4 off-box
    Configures Websense4 filters that control the type of content retrieved by the Security Appliance and filter requests made by clients.
default-domain string
    Specifies the default domain of the remote Websense4 server. This is an NTLM-specific command. default-domain is usually set to "Default-Domain."
directory-service string
    Specifies the directory service used by the remote Websense4 server. This is an NTLM-specific command. directory-service is usually set to "WinNT."
exit
    Exits configure websense4.x off-box mode and returns you to configure content-filter mode.
fail-open
    Indicates that the username should not be sent to the Websense4 off-box if the remote Websense server is not available.
ip-address ip_address
    Specifies the IP address of the remote Websense4 server.
no fail-open
    Disables the fail-open setting.
no ip_address
    Sets the remote Websense4 server IP address to null.
no port
    Sets the remote Websense4 server port number to null.
no send-user-name
    Sets the send username to null.
port port_number
    Specifies the Websense4 port number.
send-user-name
    Sends the requestor user name to the remote Websense4 server (avoiding end-user re-authentication).

Example
SGOS#(config) content-filter
SGOS#(config content-filter) websense4 off-box
SGOS#(config websense 4.x off-box)
SGOS#(config websense 4.x off-box) ip-address 10.252.3.57
SGOS#(config websense 4.x off-box) default-domain NT4PDC
SGOS#(config websense 4.x off-box) send-user-name
SGOS#(config websense 4.x off-box) exit
SGOS#(config content-filter) exit
SGOS#(config)

#(config)diagnostics
This command enables you to configure the remote diagnostic feature Heartbeat.

Syntax
diagnostics

This changes the prompt to:


SGOS#(config diagnostics)

- subcommands -
option 1: exit
option 2: heartbeat {disable | enable}
option 3: monitor {disable | enable}
option 4: request-heartbeat
option 5: reset heartbeat
option 6: show

where:
diagnostics
    Configures for remote diagnostics through the Blue Coat Heartbeat feature.
exit
    Exits configure diagnostics mode and returns you to configure mode.
heartbeat {disable | enable}
    Enables or disables the Security Appliance Heartbeat features.
monitor {disable | enable}
    Enables or disables the monitoring feature.
request-heartbeat
    Creates a Heartbeat report.
reset heartbeat
    Resets Heartbeat settings to system defaults.
show
    Displays the current diagnostics settings.

Example
SGOS#(config) diagnostics
SGOS#(config diagnostics) reset heartbeat
ok

#(config)dns
The dns command enables you to modify the DNS settings for the Security Appliance. Note that the alternate DNS servers are only checked if the servers in the standard DNS list return: "Name not found."

Syntax
dns {alternate ip_address | clear {alternate | imputing | server} | imputing name | no {alternate ip_address | imputing imputed_name | server ip_address} | server ip_address}

where:
dns
    Enables you to modify domain name server settings.
alternate ip_address
    Adds the new alternate domain name server indicated by ip_address to the alternate DNS server list.
clear alternate
    Sets all entries in the alternate DNS server list to null.
clear imputing
    Sets all entries in the name imputing list to null.
clear server
    Sets all entries in the primary DNS server list to null.
imputing name
    Identifies the file indicated by name as the name imputing list.
no alternate ip_address
    Removes the alternate DNS server identified by ip_address from the alternate DNS server list.
no imputing imputed_name
    Removes the imputed name identified by imputed_name from the name imputing list.
no server ip_address
    Removes the primary DNS server identified by ip_address from the primary DNS server list.
server ip_address
    Adds the new primary domain name server indicated by ip_address to the primary DNS server list.

Example
SGOS#(config) dns clear server
SGOS#(config) dns server 10.253.220.249
SGOS#(config) dns clear alternate
SGOS#(config) dns alternate 216.52.23.101
SGOS#(config) dns clear imputing
SGOS#(config) dns imputing com
SGOS#(config) dns imputing net
SGOS#(config) dns imputing gov
SGOS#(config) dns imputing edu

#(config)domain-alias
Use this command to configure aliases for your domain.

Syntax
domain-alias {add original alias | delete {original alias | all}}

where:
domain-alias
    Enables you to configure one or multiple aliases for your domain.
add original alias
    Adds the alternate name identified by alias to the list of domain aliases for the domain identified by original.
delete original alias
    Deletes the alternate name identified by alias from the list of domain aliases for the domain identified by original.
delete all
    Deletes all domain aliases from the configuration.

#(config)dynamic-bypass
Dynamic bypass provides a maintenance-free method for improving performance of the Security Appliance by automatically compiling a list of requested URLs that return various kinds of errors. With dynamic bypass, the Security Appliance adds dynamic bypass entries, containing the server IP address of sites that have returned an error, to the Security Appliance's local bypass list. For a configured period of time, further requests for the error-causing URL are sent immediately to the origin server, saving the Security Appliance processing time. The amount of time a dynamic bypass entry stays in the list and the types of errors that cause the Security Appliance to add a site to the list, along with several other settings, are configurable from the CLI.

Once the dynamic bypass timeout for a URL has ended, the Security Appliance removes the URL from the bypass list. On the next client request for the URL, the Security Appliance attempts to contact the origin server. If the origin server still returns an error, the URL is once again added to the local bypass list for the configured dynamic bypass timeout. If the URL does not return an error, the request is handled in the normal manner. The performance gains realized with this feature are substantial if the client base is large and clients are requesting many error-causing URLs in a short period of time (for example, many users clicking a browser's refresh button over and over to get an overloaded origin server to load a URL). Dynamic bypass increases efficiency because redundant attempts to contact the origin server are minimized.

Syntax
dynamic-bypass {clear | disable | enable | no trigger {400 | 403 | 405 | 406 | 500 | 502 | 503 | 504 | all | non-http} | trigger {400 | 401 | 403 | 405 | 406 | 500 | 502 | 503 | 504 | all | non-http}}

where:
dynamic-bypass
    Enables you to modify the dynamic bypass list.
clear
    Clears all entries in the dynamic bypass list.
disable | enable
    Disables or enables the current dynamic bypass list.
no trigger {400 | 403 | 405 | 406 | 500 | 502 | 503 | 504 | all | non-http}
    Disables dynamic bypass for the specified HTTP response code, all HTTP response codes, or all non-HTTP responses.
trigger {400 | 403 | 405 | 406 | 500 | 502 | 503 | 504 | all | non-http}
    Enables dynamic bypass for the specified HTTP response code, all HTTP response codes, or all non-HTTP responses.

Example
SGOS#(config) dynamic-bypass clear
ok
SGOS#(config) dynamic-bypass enable
WARNING: Requests to sites that are put into the dynamic bypass list will bypass future policy evaluation. This could result in subversion of on-box policy. The use of dynamic bypass is cautioned.
ok
SGOS#(config) dynamic-bypass trigger all
ok
SGOS#(config)
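
The bypass-list behaviour described above, modelled in Python as an added illustration that is not Blue Coat code. The trigger codes are those in the syntax line, the entry timeout and the request timeline are constructed sample values, and the model makes visible which requests skip on-box policy evaluation while an entry is live, which is what the WARNING in the example refers to.

```python
from dataclasses import dataclass, field

# Response codes the reference lists as selectable triggers.
HTTP_TRIGGERS = {400, 401, 403, 405, 406, 500, 502, 503, 504}


@dataclass
class DynamicBypass:
    """In-memory model of the appliance's dynamic bypass list (illustration only)."""
    timeout: int                                  # seconds an entry lives (assumed value)
    enabled: bool = False
    triggers: set = field(default_factory=set)    # status codes and/or "non-http"
    entries: dict = field(default_factory=dict)   # server IP -> expiry (epoch seconds)

    # --- CLI-equivalent operations -------------------------------------------
    def enable(self):
        self.enabled = True

    def disable(self):
        self.enabled = False

    def clear(self):
        """'dynamic-bypass clear': drop every entry."""
        self.entries.clear()

    def trigger(self, what):
        """'dynamic-bypass trigger {code | all | non-http}'."""
        if what == "all":
            self.triggers |= HTTP_TRIGGERS
        elif what == "non-http" or what in HTTP_TRIGGERS:
            self.triggers.add(what)
        else:
            raise ValueError(f"{what!r} is not a configurable trigger")

    def no_trigger(self, what):
        """'dynamic-bypass no trigger {code | all | non-http}'."""
        if what == "all":
            self.triggers -= HTTP_TRIGGERS
        else:
            self.triggers.discard(what)

    # --- request handling ----------------------------------------------------
    def _live_entry(self, server_ip, now):
        expiry = self.entries.get(server_ip)
        if expiry is None:
            return False
        if now >= expiry:                 # timeout ended: the entry is removed
            del self.entries[server_ip]
            return False
        return True

    def handle(self, server_ip, now, origin_response):
        """Process one client request to server_ip at time `now`.

        origin_response is the status code the origin would return, or the
        string "non-http".  Returns "bypass" when the request goes straight to
        the origin with no on-box policy evaluation, and "policy" for normal
        handling.  A triggering response on the normal path adds the server to
        the list for `timeout` seconds.
        """
        if self.enabled and self._live_entry(server_ip, now):
            return "bypass"
        if self.enabled and origin_response in self.triggers:
            self.entries[server_ip] = now + self.timeout
        return "policy"


def overloaded_server_scenario():
    """Replay the reference's 'overloaded origin server' case and count how many
    requests skipped policy.  Times, address and responses are constructed."""
    bypass = DynamicBypass(timeout=60)
    bypass.enable()
    bypass.trigger("all")                 # as in the CLI example above
    server = "203.0.113.10"               # documentation-range address
    # (seconds, origin response): users hammer refresh while the server is
    # overloaded (503), then it recovers (200) after the bypass timeout.
    events = [(0, 503), (5, 503), (20, 503), (45, 503),
              (70, 503), (75, 503), (140, 200), (150, 200)]
    paths = [bypass.handle(server, t, r) for t, r in events]
    return paths, sum(p == "bypass" for p in paths)
```

In the scenario, only the first request after each timeout is evaluated against policy; the four requests that land while an entry is live are not.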

#(config)error-pages
The error-pages command enables you to configure HTTP error pages.

Syntax
error-pages {no path | path url}

where:
error-pages
    Permits download of customized HTTP error pages.
no path
    Sets the current error-pages path url setting to null.
path url
    Specifies the network path location (url) of the customized HTTP error pages.

Example
SGOS#(config) error-pages path http://download.bluecoat.com/errorpages.txt

#(config)event-log
You can configure the Security Appliance to log system events as they occur. Event logging allows you to specify the types of system events logged, the size of the event log, and to configure Syslog monitoring. The Security Appliance can also notify you by email if an event is logged.

Syntax
event-log

This changes the prompt to:


SGOS#(config event-log)

- subcommands -
option 1: exit
option 2: level {informational | resource | severe | verbose}
option 3: log-size megabytes
option 4: mail {add email_address | bluecoat-notify | clear | no {bluecoat-notify | smtp-gateway} | remove email_address | smtp-gateway domain_name}
option 5: show
option 6: syslog {disable | enable | facility {auth | daemon | kernel | local0 | local1 | local2 | local3 | local4 | local5 | local6 | local7 | lpr | mail | news | syslog | user | uucp} | loghost domain_name | no loghost}
option 7: when-full {overwrite | stop}

where:
event-log
    Enables you to specify event log settings for a customized event log.
exit
    Exits configure event-log mode and returns you to configure mode.
level informational
    Writes severe, resource, and informational error messages to the event log.
level resource
    Writes severe and resource error messages to the event log.
level severe
    Writes only severe error messages to the event log.
level verbose
    Writes all error messages to the event log.
log-size megabytes
    Specifies the maximum size of the event log in megabytes.
mail add email_address
    Specifies an e-mail recipient for the event log output.
mail bluecoat-notify
    Specifies Blue Coat to be an additional recipient of the event log e-mail output.
mail clear
    Removes all e-mail recipients from the event log e-mail output distribution list.
mail no {bluecoat-notify | smtp-gateway}
    no bluecoat-notify specifies that Blue Coat does not receive event log e-mail output.
mail remove email_address
    Removes the e-mail recipient indicated by email_address from the event log e-mail output distribution list.
mail smtp-gateway {domain_name | IP_address}
    Specifies the SMTP gateway to use for event log e-mail output notifications.
syslog {disable | enable}
    Disables or enables the collection of system log messages.
syslog facility {auth | daemon | kernel | local0 | local1 | local2 | local3 | local4 | local5 | local6 | local7 | lpr | mail | news | syslog | user | uucp}
    Specifies the types of system log messages to be collected in the system log.
syslog loghost domain_name
    Specifies the host domain used for system log notifications.
syslog no loghost
    Clears the loghost setting.
when-full {overwrite | stop}
    Specifies what should happen to the event log when the maximum size has been reached. overwrite overwrites the oldest information in a FIFO manner; stop disables event logging.

Note: You must replace the default Blue Coat SMTP gateway with your gateway. If you do not have access to an SMTP gateway, you can use the Blue Coat gateway to send event messages to Blue Coat (the Blue Coat SMTP gateway will only send mail to Blue Coat; it will not forward mail to other domains).

Example
SGOS#(config) event-log
SGOS#(config event-log) syslog enable
ok

#(config)exit
Exits from Configuration mode to Privileged mode, and from Privileged mode to Standard mode. From Standard mode, the exit command closes the CLI session.

Syntax
exit

The exit command does not have any parameters or subcommands.

#(config)forwarding
When forwarding content requests, the Security Appliance supports the use of default and backup hosts and host groups. You must add each host and group to use in forwarding content requests. To define a group, add a host and use the group= subcommand to add a group. Add up to 512 hosts and up to 32 groups. After adding forwarding hosts and groups, you must define which acts as a default and which acts as a backup.

The Security Appliance performs health checks with one or more forwarding hosts. When the Security Appliance performs a health check, it determines whether the host returns a response and is available to fulfill a content request. A positive health check indicates (1) that there is an end-to-end connection and (2) that the host is up and running and will most likely be able to return a response.

With multiple forwarding hosts, health checks are important to the Security Appliance. When hosts respond positively to health checks, the Security Appliance can forward requests to those hosts, rather than to an unavailable host, and the Security Appliance can more quickly fulfill content requests. With a single forwarding host, it is still important for the Security Appliance to use health checks to detect whether the host is available.

Syntax
forwarding

This changes the prompt to:


SGOS#(config forwarding)

- subcommands -
option 1: add hostname port [ftp | http] [deferred] [socks] [default | backup | group=groupname] [allow_credentials]
option 2: delete {all | group groupname | host hostname}
option 3: download-via-forwarding {disable | enable}
option 4: exit
option 5: health-check {failcount count | interval seconds | pause | resume | type {layer-3 | layer-4 | layer-7 object} | send-pnc {enable | disable}}
option 6: rules {deny | direct | group | host | view}
option 7: set name
option 8: show
option 9: view

where:
forwarding
    Enables you to configure advanced forwarding settings, including download-via-forwarding, health check, and load balancing status, and the definition of forwarding hosts/groups and advanced forwarding rules.
add hostname
    Indicates that the host identified by hostname should be added to the forwarding group. Use the group= subcommand to add a group. Add up to 512 hosts and up to 32 groups.
port
    Specifies the port number associated with hostname.
[ftp | http]
    Indicates whether the host identified by hostname uses FTP or HTTP.
[deferred]
    Specifies to use the relative path for URLs in the HTTP header because the next hop is a Web server, not a proxy server.
[socks]
    Indicates that the host identified by hostname uses the SOCKS protocol.
[default | backup | group=groupname]
    default indicates that hostname be the default host for forwarding; backup indicates that it should be the backup forwarding host. Use the group=groupname subcommand to add a group. Up to 512 forwarding hosts and up to 32 forwarding groups are permitted.
[allow_credentials]
    Allows credentials (in HTTP headers) to be passed to another proxy.
delete group groupname
    Deletes only the group identified by groupname.
delete host hostname
    Deletes only the host identified by hostname.
delete all
    Deletes all hosts, groups, and rules.
download-via-forwarding {enable | disable}
    Enables or disables configuration file downloading using forwarding.
health-check failcount count
    Specifies the number of failed health checks tolerated.
health-check interval seconds
    Specifies the number of seconds between health checks.
health-check pause
    Temporarily halts health checking.
health-check resume
    Resumes health checking after a pause command.
health-check type {layer-3 | layer-4 | layer-7 object}
    Determines the layer of health checking.
health-check send-pnc {enable | disable}
    Enables sending Pragma: no-cache for health checks.
rules direct {add | delete | exit | view}
    Manages forwarding rules that direct addresses out to the network without passing through the Security Appliance.
rules deny {add | delete | exit | view}
    Manages forwarding rules that instruct the Security Appliance to deny access to specific addresses.
rules group group_name
    Adds forwarding rules to a forwarding group.
rules host host_name
    Adds forwarding rules to a forwarding host.
rules view
    Views all rules for the specified host or group.
set group name {default | backup}
    Specifies a forwarding group to be the default or backup group.
set host name port {default | backup}
    Specifies a forwarding host to be the default or backup host.
view
    Displays the currently defined forwarding groups or hosts.

Example
SGOS#(config) forwarding
SGOS#(config forwarding) delete all
ok
SGOS#(config forwarding) download-via-forwarding disable
ok
SGOS#(config forwarding) add www.bluecoat.com 80 http default
ok
SGOS#(config forwarding) add www.server1.com 80 http group=proxy
ok
SGOS#(config forwarding) add www.server2.com 80 ftp group=proxy
ok
SGOS#(config forwarding) add www.server3.com 80 http group=proxy
ok
SGOS#(config forwarding) rules direct
SGOS#(config forwarding direct) add domain companyA.com
ok
SGOS#(config forwarding direct) add ip 1.2.3.4
ok
SGOS#(config forwarding direct) add url http://.*companyB.*
ok
SGOS#(config forwarding direct) exit
SGOS#(config forwarding) rules host www.bluecoat.com 80
SGOS#(config forwarding www.bluecoat.com:80) delete rules
ok
SGOS#(config forwarding www.bluecoat.com:80) exit
SGOS#(config forwarding) rules group proxy
SGOS#(config forwarding proxy) add domain proxy.com
ok
SGOS#(config forwarding proxy) exit
SGOS#(config forwarding) exit
SGOS#(config)

#(config)health-check
Use this command to configure ICAP and Websense 4 offbox health checks.

Syntax
health-check

This changes the prompt to:


SGOS#(config health-check)

- subcommands -
option 1: add
option 2: delete
option 3: edit
option 4: show
option 5: statistics
option 6: view
option 7: exit
where:
health-check
    Enables you to configure an ICAP or Websense 4 health check.
  add name
      Adds a health check configuration specified by name.
  delete name
      Deletes the specified health check.
  edit name
      Enters edit mode to configure the health check; the following settings are entered at the SGOS#(config health-check name) prompt.
    failure-trigger trigger
        Sets the failure count that triggers a health check. Range is 0 to 65535; the default is 0.
    type {icap | websense4-offbox}
        Specifies the type of health check for this service.


Security Appliance Command Line Reference

    icap service_name
    websense4-offbox service_name
        Specifies the name of the service that receives health checks.
    websense4-offbox {default-url | test-url}
        Specifies the URL used to obtain box status upon bootup.
    interval {healthy | sick} seconds
        Specifies the seconds between health checks on servers that have been determined to be healthy or sick. The default is 10.
    threshold {healthy | sick} attempts
        Specifies the number of attempts before a server is considered healthy or sick. The range is 1 to 65535; the default is 1.
    notify
        Enables email notification of state changes.
    perform-health-check
        Performs an instant health check on the service.
    statistics
        Displays health check statistics for the service.
    view
        Displays the health check configuration for the service.
  show health-check
      Displays health check settings for layer-3 and layer-4 types. This setting does not display ICAP or Websense 4 settings.
  statistics
      Displays statistics for all configured health checks.
  view
      Displays the current health-check configurations for ICAP and Websense 4 types.

Example
SGOS#(config) health-check
SGOS#(config health-check) add hc1
SGOS#(config health-check) edit hc1
SGOS#(config health-check hc1) type layer-3
SGOS#(config health-check hc1) layer-3 foo
SGOS#(config health-check hc1) interval healthy 30
SGOS#(config health-check hc1) interval sick 15
SGOS#(config health-check hc1) threshold healthy 20
SGOS#(config health-check hc1) failure-trigger 5

Note that this example configures a layer-3 check, one of the layer-3 and layer-4 types that show health-check reports on, rather than the icap or websense4-offbox types listed under type above.
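The interval, threshold and failure-trigger settings interact in a way the table does not show: the check cadence depends on the current state, and the state only flips once enough attempts agree. The following Python model is an added example (not SGOS code) that replays probe results through a healthy/sick state machine with separate intervals per state. It assumes that threshold counts consecutive probe outcomes, that failure-trigger counts failures seen on live traffic and fires an out-of-schedule check when reached, and that the result sequence is constructed; the reference does not spell out these counting rules.

```python
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class HealthCheck:
    """Healthy/sick state for one health-checked service (constructed model)."""
    interval_healthy: int = 10   # seconds between checks while healthy (default 10)
    interval_sick: int = 10      # seconds between checks while sick (default 10)
    threshold_healthy: int = 1   # attempts before a sick service is declared healthy
    threshold_sick: int = 1      # attempts before a healthy service is declared sick
    failure_trigger: int = 0     # live-traffic failures that trigger a check; 0 disables
    state: str = "healthy"
    ok_run: int = field(default=0, init=False)      # consecutive successes (assumed semantics)
    fail_run: int = field(default=0, init=False)    # consecutive failures (assumed semantics)
    traffic_failures: int = field(default=0, init=False)
    transitions: List[Tuple[int, str]] = field(default_factory=list, init=False)

    def __post_init__(self) -> None:
        # Enforce the documented ranges: thresholds 1..65535, failure-trigger 0..65535.
        for name in ("threshold_healthy", "threshold_sick"):
            if not 1 <= getattr(self, name) <= 65535:
                raise ValueError(f"{name} must be in 1..65535")
        if not 0 <= self.failure_trigger <= 65535:
            raise ValueError("failure_trigger must be in 0..65535")

    def next_interval(self) -> int:
        """Seconds until the next scheduled probe, chosen by the current state."""
        return self.interval_healthy if self.state == "healthy" else self.interval_sick

    def record_probe(self, ok: bool, seq: int) -> str:
        """Apply one probe result and return the resulting state."""
        if ok:
            self.ok_run, self.fail_run = self.ok_run + 1, 0
        else:
            self.fail_run, self.ok_run = self.fail_run + 1, 0
        if self.state == "healthy" and self.fail_run >= self.threshold_sick:
            self.state, self.fail_run = "sick", 0
            self.transitions.append((seq, "sick"))
        elif self.state == "sick" and self.ok_run >= self.threshold_healthy:
            self.state, self.ok_run = "healthy", 0
            self.transitions.append((seq, "healthy"))
        return self.state

    def record_traffic_failure(self) -> bool:
        """Count a failure seen on real traffic; True means run a check now."""
        if self.failure_trigger == 0:
            return False
        self.traffic_failures += 1
        if self.traffic_failures >= self.failure_trigger:
            self.traffic_failures = 0
            return True
        return False


def simulate(hc: HealthCheck, results: List[bool]) -> List[Tuple[int, bool, str]]:
    """Replay probe outcomes; returns (probe time in seconds, result, state after)."""
    timeline, now = [], 0
    for seq, ok in enumerate(results, 1):
        timeline.append((now, ok, hc.record_probe(ok, seq)))
        now += hc.next_interval()
    return timeline


if __name__ == "__main__":
    # Constructed sample: the intervals from the CLI example above, a sick
    # threshold of 3, fed one success, three failures, then two successes.
    hc = HealthCheck(interval_healthy=30, interval_sick=15,
                     threshold_healthy=2, threshold_sick=3, failure_trigger=5)
    for t, ok, state in simulate(hc, [True, False, False, False, True, True]):
        print(f"t={t:>3}s probe={'ok  ' if ok else 'FAIL'} -> {state}")
    print("transitions:", hc.transitions)
```

The timeline shows why the sick interval matters: once the service is marked sick the probes arrive every 15 seconds instead of 30, so recovery is noticed sooner, while a single transient failure never flips the state when threshold sick is above 1.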

#(config)hide-advanced
Use this command to hide and disable advanced commands.

Syntax
hide-advanced {all | expand | tcp-ip}


where:
hide-advanced
    Enables the system administrator to hide and disable certain advanced commands.
  all
      Disables all expanded, HTTP, and TCP/IP advanced commands.
  expand
      Disables all expanded advanced commands.
  tcp-ip
      Disables all TCP/IP advanced commands.

Example
SGOS#(config) hide-advanced all
  ok

#(config)hostname
Use this command to assign a name to a Security Appliance. Any descriptive name that helps identify the system will do.

Syntax
hostname name

where:
hostname
    Configures the hostname of the Security Appliance.
  name
      Associates name with the current Security Appliance.

Example
SGOS#(config) hostname "Blue Coat Demo"
  ok

#(config)http
Use this command to configure HTTP settings.

Syntax
option 1: http add-header client-ip
option 2: http add-header via
option 3: http add-header x-forwarded-for
option 4: http byte-ranges
option 5: http cache authenticated-data
option 6: http cache expired
option 7: http cache personal-pages
option 8: http cache reverse-dns
option 9: http force-ntlm
option 10: http ftp-proxy-url
option 11: http no add-header client-ip
option 12: http no add-header via
option 13: http no add-header x-forwarded-for
option 14: http no byte-ranges
option 15: http no cache authenticated-data
option 16: http no cache expired
option 17: http no cache personal-pages
option 18: http no cache reverse-dns
option 19: http no force-ntlm
option 20: http no parse meta-tag expires
option 21: http no persistent client
option 22: http no persistent server
option 23: http no pipeline client requests
option 24: http no pipeline client redirects
option 25: http no pipeline prefetch requests
option 26: http no pipeline prefetch redirects
option 27: http no proprietary-headers bluecoat
option 28: http no strict-expiration refresh
option 29: http no strict-expiration serve
option 30: http no strip-from-header
option 31: http no substitute conditional
option 32: http no substitute ie-reload
option 33: http no substitute if-modified-since
option 34: http no substitute pragma-no-cache
option 35: http parse meta-tag expires
option 36: http persistent client
option 37: http persistent server
option 38: http persistent-timeout client num_seconds
option 39: http persistent-timeout server num_seconds
option 40: http pipeline client requests
option 41: http pipeline client redirects
option 42: http pipeline prefetch requests
option 43: http pipeline prefetch redirects
option 44: http proprietary-headers bluecoat
option 45: http receive-timeout client num_seconds
option 46: http receive-timeout server num_seconds
option 47: http receive-timeout refresh num_seconds
option 48: http strict-expiration refresh
option 49: http strict-expiration serve
option 50: http strip-from-header
option 51: http substitute conditional
option 52: http substitute ie-reload
option 53: http substitute if-modified-since
option 54: http substitute pragma-no-cache
option 55: http upload-with-pasv
option 56: http version 1.0
option 57: http version 1.1
where:
http
  add-header client-ip
      Adds the Client-IP header to forwarded requests.
  add-header via
      Adds the Via header to forwarded requests.
  add-header x-forwarded-for
      Adds the X-Forwarded-For header to forwarded requests. Both client-ip and x-forwarded-for disclose the requesting client's address, typically an internal one, to the origin server; enable them only where the origin needs that address.
  byte-ranges
      Enables HTTP byte range support.
  cache {authenticated-data | expired | personal-pages | reverse-dns}
      authenticated-data caches any data that appears to be authenticated; because the cache is shared by all clients, a response meant for one authenticated user can then be served to another. expired retains cached objects older than their explicit expiration. personal-pages caches objects that appear to be personal pages. reverse-dns stores objects under the name of the associated host instead of the IP address.
  force-ntlm
      Uses NTLM for Microsoft Internet Explorer proxy authentication.
  no parameter
      Negates the specified command.
  parse meta-tag expires
      Parses HTML objects for the "expires" meta-tag.
  persistent {client | server}
      Enables support for persistent client connections (from the browser) or persistent server connections (to the Web server).
  persistent-timeout {client num_seconds | server num_seconds}
      Sets the persistent connection timeout for the client or the server to num_seconds.
  pipeline client {redirects | requests}
      Prefetches either embedded objects in client requests or redirected responses to client requests.
  pipeline prefetch {redirects | requests}
      Prefetches either embedded objects in pipelined objects or redirected responses to pipelined requests.
  proprietary-headers bluecoat
      Enables Blue Coat's proprietary HTTP header extensions.
  receive-timeout {client num_seconds | refresh num_seconds | server num_seconds}
      Sets the receive timeout for client, server, or refresh to num_seconds.
  strict-expiration {refresh | serve}
      Forces compliance with explicit expirations: refresh never refreshes objects before their explicit expiration; serve never serves objects after their explicit expiration.
  strip-from-header
      Removes HTTP information from headers.
  substitute {conditional | ie-reload | if-modified-since | pragma-no-cache}
      Replaces complex requests with a simple GET. conditional uses a plain GET instead of an HTTP 1.1 conditional GET. ie-reload uses a plain GET for Microsoft Internet Explorer reload requests. if-modified-since uses a plain GET instead of a GET with If-Modified-Since. pragma-no-cache uses a plain GET instead of a GET with Pragma: no-cache.
  upload-with-pasv {disable | enable}
      Enables or disables uploading with passive FTP.
  version {1.0 | 1.1}
      Indicates the version of HTTP that should be used by the Security Appliance.

Example
SGOS#(config) http version 1.1
  ok
SGOS#(config) http byte-ranges
  ok
SGOS#(config) http no force-ntlm
  ok
SGOS#(config)
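The add-header options change what an origin server learns about the client, and a client-supplied X-Forwarded-For is the case a practitioner has to handle on the receiving end. The following Python is an added example, not SGOS code: forward_headers models a proxy applying the client-ip, via and x-forwarded-for options, real_client_ip is the origin-side check that believes X-Forwarded-For only when the TCP peer is a trusted proxy and walks the chain from the right, and leaked_private_addresses lists the RFC 1918 addresses the origin would see. The append-to-existing-list behaviour for X-Forwarded-For and the "1.1 proxy-id" Via form follow common proxy practice rather than anything this reference states; PROXY_ID, the request headers and all addresses are constructed.

```python
import ipaddress
from typing import Dict, List, Set

# Identity the proxy writes into Via; constructed for this example.
PROXY_ID = "sgos-proxy.example"

# RFC 1918 ranges: addresses here are internal and reach the origin
# when client-ip or x-forwarded-for is enabled.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _lower(headers: Dict[str, str]) -> Dict[str, str]:
    """Header names are case-insensitive; normalise once."""
    return {k.lower(): v for k, v in headers.items()}


def forward_headers(headers: Dict[str, str], client_ip: str, *,
                    add_client_ip: bool = False, add_via: bool = False,
                    add_x_forwarded_for: bool = False) -> Dict[str, str]:
    """Headers the proxy forwards for one request, per the three add-header options."""
    out = _lower(headers)
    if add_client_ip:
        out["client-ip"] = client_ip
    if add_x_forwarded_for:
        # Append, never overwrite: an existing value may be a legitimate upstream
        # proxy chain or a client forgery; only the origin can decide which.
        prior = out.get("x-forwarded-for")
        out["x-forwarded-for"] = f"{prior}, {client_ip}" if prior else client_ip
    if add_via:
        hop = f"1.1 {PROXY_ID}"
        prior = out.get("via")
        out["via"] = f"{prior}, {hop}" if prior else hop
    return out


def real_client_ip(headers: Dict[str, str], peer_ip: str, trusted_proxies: Set[str]) -> str:
    """Origin-side check: X-Forwarded-For is believed only when the TCP peer is a
    trusted proxy, and the chain is walked from the right, skipping trusted
    proxies, so a client-supplied prefix cannot spoof the result."""
    if peer_ip not in trusted_proxies:
        return peer_ip
    raw = _lower(headers).get("x-forwarded-for", "")
    chain = [a.strip() for a in raw.split(",") if a.strip()]
    for addr in reversed(chain):
        if addr not in trusted_proxies:
            return addr
    return peer_ip


def leaked_private_addresses(headers: Dict[str, str]) -> List[str]:
    """RFC 1918 addresses present in Client-IP / X-Forwarded-For, i.e. what the origin learns."""
    found: List[str] = []
    h = _lower(headers)
    for name in ("client-ip", "x-forwarded-for"):
        for item in h.get(name, "").split(","):
            item = item.strip()
            try:
                ip = ipaddress.ip_address(item)
            except ValueError:
                continue
            if any(ip in net for net in RFC1918) and item not in found:
                found.append(item)
    return found


if __name__ == "__main__":
    # Constructed request from an internal client that also forged an X-Forwarded-For.
    request = {"Host": "www.example.com", "X-Forwarded-For": "203.0.113.9"}
    fwd = forward_headers(request, "10.20.30.40", add_client_ip=True,
                          add_via=True, add_x_forwarded_for=True)
    print(fwd)
    print("origin sees client as", real_client_ip(fwd, "198.51.100.5", {"198.51.100.5"}))
    print("internal addresses disclosed:", leaked_private_addresses(fwd))
```

The forged 203.0.113.9 survives in the forwarded header because the proxy appends rather than replaces; the origin still resolves the right client because it trusts only the rightmost entry that a trusted proxy added, and it ignores the header entirely when the peer is not a known proxy.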

#(config)https
Use this command to configure HTTPS options, including the keyrings, certificates, and certificate signing requests the appliance uses. Note: These commands are not available through a telnet session, which carries its traffic in cleartext.


Syntax
https

This changes the prompt to:


SGOS#(config https)

- subcommands -
option 1: create certificate keyringID
option 2: create console-map keyringID
option 3: create keyring {show | no-show} keyringID [key_length]
option 4: create signing-request keyringID
option 5: delete ca-certificate name
option 6: delete certificate keyringID
option 7: delete console-map
option 8: delete keyring keyringID
option 9: delete signing-request keyringID
option 10: import ca-certificate name
option 11: import certificate keyringID
option 12: import keyring {no-show keyringID | show keyringID}
option 13: import signing-request keyringID
option 14: set cipher-suite console-map
option 15: view ca-certificate name
option 16: view certificate keyringID
option 17: view cipher-suite console-map
option 18: view console-map
option 19: view keypair {des keyringID | des3 keyringID | unencrypted keyringID}
option 20: view keyring keyringID
option 21: view send-client-ip
option 22: view signing-request keyringID
option 23: view ssl-nego-timout
option 24: view summary ca-certificate name
where:
https create
    Creates keypairs, certificates, and signing requests.
  certificate keyringID
      Creates a certificate using the named keyring.
  console-map keyringID
      Creates a console map using the named keyring.
  keyring {show | no-show} keyringID [key_length]
      Creates a keyring whose keypair is either "showable" (the private key can later be displayed with view keypair) or "non-showable". key_length indicates the length of the key.
  signing-request keyringID
      Creates a certificate signing request.
https delete
    Deletes keypairs, certificates, and signing requests.
  ca-certificate name
      Deletes the named Certificate Authority certificate.
  certificate keyringID
      Deletes the certificate identified by keyringID.
  console-map
      Deletes the console map.
  keyring keyringID
      Deletes the keyring specified by keyringID.
  signing-request keyringID
      Deletes the certificate signing request identified by keyringID.
https import
    Enables you to import keypairs, certificates, and signing requests.
  ca-certificate name
      Imports the named Certificate Authority certificate.
  certificate keyringID
      Imports the certificate identified by keyringID.
  keyring {no-show keyringID | show keyringID}
      Imports the "show" or "no-show" keyring identified by keyringID.
  signing-request keyringID
      Imports the certificate signing request identified by keyringID.
https set
    Sets cipher suites. SSL negotiates one of several cipher suites for a connection. A cipher suite names the certificate and key-exchange type, the bulk encryption algorithm, and the message-digest (hash) algorithm used for integrity.
  cipher-suite console-map
      Specifies that the cipher suite defined in the console map should be used.
https view
    Enables you to view keypairs, certificates, and signing requests.
  ca-certificate name
      Displays the named Certificate Authority certificate.
  certificate keyringID
      Displays the certificate identified by keyringID.
  cipher-suite console-map
      Displays the cipher suite named in the console map.
  console-map
      Displays the management console map.
  keypair {des keyringID | des3 keyringID | unencrypted keyringID}
      Displays the keypair associated with the named keyring, encrypted with Data Encryption Standard (DES), encrypted with triple-DES, or unencrypted. The unencrypted form prints the private key itself; prefer des3 and display it only over a session you trust.
  keyring keyringID
      Displays the keyring associated with the named keyringID.
  send-client-ip
      Displays the send-client-ip status.
  signing-request keyringID
      Displays the certificate signing request associated with keyringID.
  ssl-nego-timout
      Displays the SSL negotiation timeout period status.
  summary ca-certificate name
      Displays a summary of the Certificate Authority certificate commands used in this session for name.

#(config)icap
Use this command to configure the ICAP service used to integrate the Security Appliance with a virus scanning server. The configuration is specific to the virus scanning server and includes the server IP address, as well as the supported number of connections. If you are using the Security Appliance with multiple virus scanning servers or multiple scanning services on the same server, add an ICAP service for each server or scanning service. Note: When you define virus scanning policies, use the same service name. Make sure you type the ICAP service name accurately, whether you are configuring the service on the Security Appliance or defining policies since the name retrieves the other configuration settings for that service.

Syntax
icap

This changes the prompt to:


SGOS#(config icap)

- subcommands -
option 1: clusters
option 2: services
option 3: exit
where:


icap
    Enables you to configure the ICAP service used to integrate the Security Appliance with a virus scanning server.
  clusters {add | delete | edit | view} cluster_name
      Manages ICAP clusters.
  services
    add service_name
        Adds the ICAP service identified by service_name.
    delete service_name
        Deletes the ICAP service identified by service_name.
    edit service_name
        Enters edit mode for the service; the following settings are entered at the SGOS#(config icap services service_name) prompt.
      methods
          Sets the method (REQMOD or RESPMOD).
      icap-version
          Sets the ICAP version (1.0 or 0.95).
      max-conn max_num_connections
          Sets the maximum number of connections.
      preview-size bytes
          Sets how many bytes are previewed by the ICAP server to determine whether a content transformation is required.
      sense-settings
          Contacts the ICAP server and automatically configures the ICAP service from what the server reports. Note: applies to v1.0 only; the ICAP method must already be specified.
      timeout seconds
          Sets the timeout value.
      url url
          Specifies the URL of the ICAP server. ICAP carries the scanned requests and responses to that server in cleartext, so the server should sit on a network segment reachable only by the appliance.
      vendor {generic | symantec | trendmicro}
          Specifies the ICAP vendor.
      version version
          Specifies the ICAP service pattern version.
      view
          Displays the current ICAP configuration for the service.
  view
      Displays the current ICAP configurations.

Example
SGOS#(config) icap
SGOS#(config icap) services
SGOS#(config icap services) add virusservice1
  ok
SGOS#(config icap services) edit virusservice1
SGOS#(config icap services virusservice1) url http://10.1.1.1:1344
SGOS#(config icap services virusservice1) icap-version 1.0
SGOS#(config icap services virusservice1) method RESPMOD
SGOS#(config icap services virusservice1) sense-settings
SGOS#(config icap services virusservice1) exit
SGOS#(config icap services) exit
SGOS#(config icap) clusters
SGOS#(config icap clusters) add virusscancluster1
  ok
SGOS#(config icap clusters) edit virusscancluster1
SGOS#(config icap clusters virusscancluster1) add virusservice1
  ok
SGOS#(config icap clusters virusscancluster1) exit
SGOS#(config icap clusters) exit
SGOS#(config icap)

#(config)icp
ICP is a caching communication protocol. It allows a cache to query other caches for an object, without actually requesting the object. By using ICP, the Security Appliance determines if the object is available from a neighboring cache, and which Security Appliance will provide the fastest response.


Once you have created the ICP or advanced forwarding configuration file, place the file on an FTP or HTTP server so it can be downloaded to the Security Appliance.

Syntax
icp {no path | path url}

where:
icp
    Specifies an ICP configuration file.
  no path
      Negates the path previously set using the command icp path url.
  path url
      Specifies the network location of the ICP configuration file to download.

Example
SGOS#(config) icp path 10.25.36.47/files/icpconfig.txt
  ok

#(config)identd
IDENTD implements the TCP/IP IDENT user identification protocol. IDENTD operates by looking up specific TCP/IP connections and returning the user name of the process owning the connection. Because IDENT answers any host that queries it, enabling it reveals connection-owner information to remote systems; enable it only if a peer requires it.

Syntax
identd

This changes the prompt to:


SGOS#(config identd)

- subcommands -
option 1: disable
option 2: enable
option 3: exit
option 4: show
where:
identd
    Configures IDENTD.
  disable
      Disables IDENTD.
  enable
      Enables IDENTD.

Example
SGOS#(config) identd
SGOS#(config identd) enable
  ok


#(config)inline
There are two ways to create a configuration file for your Security Appliance. You can use the SGOS inline command or you can create a text file to house the configuration commands. If you choose to configure using the inline command, refer to the example below:
SGOS# configure terminal
SGOS#(config) inline wccp token
.
.
.
token

Here token marks the end of the inline commands. If you choose to create a configuration file, assign the file the extension .txt. Use a text editor to create this file, noting the following Security Appliance configuration file rules:
- Only one command (and any associated parameters) is permitted per line.
- Comments must begin with a semicolon (;).
- Comments can begin in any column; all characters from the beginning of the comment to the end of the line are part of the comment and are ignored.

When entering input for the inline command, you can correct mistakes on the current line using the backspace key. If you detect a mistake in a line that has already been terminated with the Enter key, you can abort the inline command by typing Ctrl-C. If you detect the mistake after you have terminated input to the inline command, type the same inline command again with the correct configuration information; the corrected information replaces the information from the last inline command. The end-of-input marker is an arbitrary string that you choose to mark the end of input for the current inline command. The string can be composed of standard letters and numbers, but cannot contain spaces, punctuation marks, or other symbols. Choose a unique end-of-input string that does not match any string of characters in the configuration information, so that input is not cut short.

Syntax
option 1: inline accelerated-pac eof_marker
option 2: inline bypass-list central eof_marker
option 3: inline bypass-list local eof_marker
option 4: inline error-pages eof_marker
option 5: inline forwarding eof_marker
option 6: inline icp-settings eof_marker
option 7: inline policy central eof_marker
option 8: inline policy local eof_marker
option 9: inline policy vpm-cpl eof_marker
option 10: inline policy xml-cpl eof_marker
option 11: inline rip-settings eof_marker
option 12: inline static-route-table eof_marker
option 13: inline streaming real-media eof_marker
option 14: inline wccp-settings eof_marker
where:
inline
    Enables you to add or edit configuration commands using the CLI instead of a distinct configuration file.
  accelerated-pac eof_marker
      Creates and installs an accelerated PAC file using the console input commands you enter between accelerated-pac eof_marker and the next eof_marker.
  bypass-list {central | local} eof_marker
      Creates and installs a bypass list file using the console input commands you enter between bypass-list central or local eof_marker and the next eof_marker.
  error-pages eof_marker
      Creates and installs HTTP error pages using the console input commands you enter between error-pages eof_marker and the next eof_marker.
  forwarding eof_marker
      Creates and installs forwarding configurations using the console input commands you enter between forwarding eof_marker and the next eof_marker.
  icp-settings eof_marker
      Creates and installs an ICP settings file using the console input commands you enter between icp-settings eof_marker and the next eof_marker.
  policy {central | local | vpm-cpl | xml-cpl} eof_marker
      Creates and installs a policy file using the console input commands you enter between policy central, local, vpm-cpl, or xml-cpl eof_marker and the next eof_marker.
  rip-settings eof_marker
      Creates and installs a RIP settings file using the console input commands you enter between rip-settings eof_marker and the next eof_marker.
  static-route-table eof_marker
      Creates and installs a static route table file using the console input commands you enter between static-route-table eof_marker and the next eof_marker.
  streaming real-media eof_marker
      Creates and installs a streaming configuration file using the console input commands you enter between real-media eof_marker and the next eof_marker.
  wccp-settings eof_marker
      Creates and installs a WCCP settings file using the console input commands you enter between wccp-settings eof_marker and the next eof_marker.

Example
SGOS#(config) inline wccp-settings eof
wccp enable
.
.
.
eof
  ok
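The configuration-file rules and the end-of-input marker rules for inline are easy to get wrong by hand, and a marker that happens to occur inside the configuration silently truncates the input. The following Python helper is an added example (not SGOS code or a Blue Coat tool) that parses a configuration file under those rules and assembles an inline command around it, rejecting a marker that is not purely alphanumeric or that occurs anywhere in the configuration text. The WCCP lines used as sample input are constructed, and the function names are this example's own.

```python
import re
import secrets
import string
from typing import List, Optional, Tuple

# End-of-input marker: letters and digits only, per the rules above.
MARKER_RE = re.compile(r"[A-Za-z0-9]+")


def parse_config(text: str) -> List[Tuple[str, List[str]]]:
    """Split configuration-file text into (command, parameters) pairs.

    Rules applied: one command per line; ';' starts a comment that runs to
    the end of the line; blank and comment-only lines are skipped."""
    commands = []
    for raw in text.splitlines():
        code = raw.split(";", 1)[0].strip()
        if not code:
            continue
        words = code.split()
        commands.append((words[0], words[1:]))
    return commands


def validate_marker(marker: str, config_lines: List[str]) -> None:
    """Reject markers that would break the inline command: characters other
    than letters and digits, or a string that occurs anywhere inside the
    configuration text (the CLI would stop reading at that line)."""
    if not MARKER_RE.fullmatch(marker):
        raise ValueError(f"marker {marker!r} must contain only letters and digits")
    for lineno, line in enumerate(config_lines, 1):
        if marker in line:
            raise ValueError(f"marker {marker!r} occurs in configuration line {lineno}")


def choose_marker(config_lines: List[str], length: int = 12) -> str:
    """Generate a random alphanumeric marker that does not occur in the configuration."""
    alphabet = string.ascii_letters + string.digits
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not any(candidate in line for line in config_lines):
            return candidate


def build_inline(target: str, config_text: str, marker: Optional[str] = None) -> str:
    """Render 'inline <target> <marker>', the configuration lines, then the marker."""
    lines = config_text.splitlines()
    if marker is None:
        marker = choose_marker(lines)
    validate_marker(marker, lines)
    return "\n".join([f"inline {target} {marker}", *lines, marker])


if __name__ == "__main__":
    # Constructed WCCP settings; the lines are illustrative, not a full WCCP configuration.
    sample = "wccp enable ; turn WCCP on\n; interface selection follows\nwccp version 2\n"
    print(build_inline("wccp-settings", sample, "eof"))
    print(parse_config(sample))
    try:
        build_inline("wccp-settings", "forwarding-interface-end 1\n", "end")
    except ValueError as err:
        print("rejected:", err)
```

Letting choose_marker pick a random twelve-character marker is the simplest way to satisfy the uniqueness rule for policy or PAC text you did not write yourself, where a short marker such as eof may well appear inside a line.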

#(config)installed-systems
Use this command to manage the list of installed Security Appliance systems.

Syntax
installed-systems

This changes the prompt to:


SGOS#(config installed-systems)

- subcommands -
option 1: default system_number
option 2: delete system_number
option 3: exit
option 4: lock system_number
option 5: no {lock system_number | replace}
option 6: replace system_number
where:
installed-systems
    Configures Security Appliance system information such as version and release numbers, boot and lock status, and timestamp information.
  default system_number
      Sets the default system to the system indicated by system_number.
  delete system_number
      Deletes the system indicated by system_number.
  exit
      Exits configure installed-systems mode and returns you to configure mode.
  lock system_number
      Locks the system indicated by system_number. A locked system is never chosen as the oldest unlocked system to be overwritten by the next upgrade, so lock a known-good image before loading a new one.
  no lock system_number
      Unlocks the system indicated by system_number if it is currently locked.
  no replace
      Specifies that the system currently tagged for replacement should not be replaced. The default replacement will be used (the oldest unlocked system).
  replace system_number
      Specifies that the system identified by system_number is to be replaced next.

Example
SGOS#(config) installed-systems
SGOS#(config installed-systems) default 2
  ok
SGOS#(config installed-systems) lock 1
  ok
SGOS#(config installed-systems) exit
SGOS#(config)

Note: To view the currently installed Security Appliance systems, use the show installed-systems command.

#(config)interface fast-ethernet
This command enables you to configure the network interfaces. The built-in Ethernet adapter is configured for the first time using the setup console. If you want to modify the built-in adapter configuration, or if you have multiple adapters, you can configure each one using the command-line interface.

Syntax
interface fast-ethernet interface_num

where:
fast-ethernet interface_num
    Sets the number of the fast Ethernet connection to interface_num. Valid values for interface_num are 0 through 3, inclusive.

This changes the prompt to:


SGOS#(config interface x)

- subcommands -
option 1: accept-inbound
option 2: full-duplex
option 3: half-duplex
option 4: ip-address ip_address
option 5: instructions {proxy | default-pac | central-pac url | accelerated-pac}
option 6: link-autosense
option 7: mtu-size
option 8: no {accept-inbound | link-autosense}
option 9: show
option 10: speed {10 | 100}
option 11: subnet-mask mask
where:
interface fast-ethernet
  accept-inbound
      Permits inbound connections to this interface. Leave this negated (no accept-inbound) on any interface that faces an untrusted network, so that the appliance cannot be used as an open proxy from that side.
  full-duplex
      Configures this interface for full duplex.
  half-duplex
      Configures this interface for half duplex.
  ip-address ip_address
      Sets the IP address for this interface to ip_address.
  instructions {proxy | default-pac | central-pac url | accelerated-pac}
      Configures the specified client proxy instructions.
  link-autosense
      Specifies that the interface should autosense speed and duplex.
  mtu-size
      Sets the maximum transmission unit for this interface.
  no {accept-inbound | link-autosense}
      Negates the current accept-inbound or link-autosense setting.
  show
      Displays running system information.
  speed {10 | 100}
      Specifies the interface speed.
  subnet-mask mask
      Sets the subnet mask for the interface.

Example
SGOS#(config) interface 0
SGOS#(config interface 0) ip-address 10.252.10.54
  ok
SGOS#(config interface 0) instructions accelerated-pac
  ok
SGOS#(config interface 0) subnet-mask 255.255.255.0
  ok
SGOS#(config interface 0) exit
SGOS#(config) interface 1
SGOS#(config interface 1) ip-address 10.252.10.72
  ok
SGOS#(config interface 1) subnet-mask 255.255.255.0
  ok
SGOS#(config interface 1) exit
SGOS#(config)

#(config)ip-default-gateway
A key feature of the Security Appliance is the ability to distribute traffic originating at the cache through multiple IP gateways. Further, you can fine tune how the traffic is distributed among gateways. This feature works with any routing protocol (for example, static routes or RIP). Note: Load balancing through multiple IP gateways is independent from the per-interface load balancing that the Security Appliance automatically does when more than one network interface is installed.

Syntax
ip-default-gateway ip_address {preference group (1-10)} {weight (1-100)}

where:
ip-default-gateway
    Enables you to configure the IP address, weight, and preference group membership of a default gateway.
  ip_address
      Specifies the IP address of the default gateway to be used by the Security Appliance.
  preference group (1-10)
      Places the gateway in a preference group, numbered 1 to 10.
  weight (1-100)
      Sets the relative weight, 1 to 100, used to distribute traffic among gateways.

Example
SGOS#(config) ip-default-gateway 10.25.36.47

#(config)line-vty
When you have a Telnet session to the CLI, that session remains open as long as there is activity. If you leave the session idle, the connection eventually times out and you have to reconnect. The default timeout is five minutes. You can set the timeout and other session-specific options using the line-vty command.

Syntax
line-vty

This changes the prompt to:


SGOS#(config line-vty)

- subcommands -
option 1: exit
option 2: length num_lines_on_screen
option 3: show
option 4: telnet {no transparent | transparent}
option 5: timeout minutes
where:
line-vty
  exit
      Returns you to the config prompt.
  length num_lines_on_screen
      Specifies the number of lines that should appear on the screen at once. Specify 0 to scroll without pausing.
  show
      Displays running system information.
  telnet {no transparent | transparent}
      Telnet protocol-specific configuration. With no transparent, carriage returns are sent to the console as a carriage return plus linefeed; with transparent, carriage returns are sent to the console as a carriage return.
  timeout minutes
      Sets the idle timeout of the session to minutes. An idle privileged session stays usable by anyone at that terminal until it times out, so keep the value as short as the work allows.

Example
SGOS#(config) line-vty
SGOS#(config line-vty) timeout 60
  ok

#(config)load
Use this command to load specific configuration or settings files.

Syntax
option 1: load accelerated-pac
option 2: load bypass-list central
option 3: load bypass-list local
option 4: load error-pages
option 5: load forwarding
option 6: load icp-settings
option 7: load policy central
option 8: load policy local
option 9: load rip-settings
option 10: load static-route-table
option 11: load streaming real-media
option 12: load upgrade
option 13: load wccp-settings
where:
load
    Loads any of various ancillary configuration files.
  accelerated-pac
      Downloads a new accelerated PAC file.
  bypass-list {central | local}
      Downloads either a new central or local bypass list file.
  error-pages
      Downloads a new error pages file.
  forwarding
      Downloads a new forwarding configuration file.
  icp-settings
      Downloads a new ICP settings file.
  policy {central | local | vpm-software}
      Downloads a new central policy file, a new local policy file, or a new version of the VPM.
  rip-settings
      Downloads a new RIP settings file.
  static-route-table
      Downloads a new static route table.
  streaming {real-media | windows-media}
      Downloads either a new RealNetworks or a new Windows Media streaming configuration file.
  upgrade
      Downloads a new system image.
  wccp-settings
      Downloads a new WCCP configuration file.

Example
SGOS#(config) load bypass-list central
  ok

#(config)management-port
This command sets the IP port to which the Security Appliance listens for Web console connections.

Syntax
management-port {port_number | protocol {http | https}}

where:
management-port
    Sets the port and protocol the Security Appliance uses for the management console.
  port_number
      Specifies the port number on which the Security Appliance listens for management console connections.
  protocol {http | https}
      Specifies the protocol for the management console port. Choose https unless the port is reachable only from a trusted network; over http, administrator credentials cross the network in cleartext.

Example
SGOS#(config) management-port 8086
  ok


#(config)netbios
Use this command to configure NETBIOS.

Syntax
option 1: netbios {enable | disable}

#(config)no
Use this command to negate the current settings for the archive configuration, content priority, IP default gateway, SOCKS machine, or system upgrade path.

Syntax
option 1: no archive-configuration
option 2: no content priority regex regex
option 3: no content {priority {regex regex | url url} | outstanding-requests {delete | priority | revalidate} regex}
option 4: no ip-default-gateway ip_address
option 5: no socks-machine-id
option 6: no upgrade-path
where:
no
    Negates certain configuration settings.
  archive-configuration
      Clears the archive configuration upload site.
  content priority {regex regex | url url}
      Removes a deletion regular expression policy or a deletion URL policy.
  content outstanding-requests {delete | priority | revalidate} regex
      Deletes a specific, in-progress regular expression command (revalidation, priority, or deletion).
  ip-default-gateway ip_address
      Sets the default gateway IP address to zero.
  socks-machine-id
      Removes the SOCKS machine ID from the configuration.
  upgrade-path
      Clears the upgrade image download path.

Example
SGOS#(config) no archive-configuration
  ok
SGOS#(config) no content priority
  % Type no content priority ? for a list of subcommands
SGOS#(config) no content priority ?
  regex   Remove a deletion regular expression policy.
  url     Remove a deletion URL policy.
SGOS#(config) no content priority regex http://.*cnn.com
  ok
SGOS#(config) no content priority url http://www.bluecoat.com
  ok
SGOS#(config) no ip-default-gateway 10.252.10.50
  ok
SGOS#(config) no socks-machine-id
  ok
SGOS#(config) no upgrade-path
  ok

#(config)ntp
Use this command to set NTP parameters. Network Time Protocol (NTP) synchronizes computer clocks across a network. The Security Appliance sets its UTC time by connecting to an NTP server, and it includes a list of NTP servers available on the Internet. If an NTP server is not available, you can set the time manually using the Management Console. Because certificate validity checks and log timestamps depend on the clock, point the appliance at NTP servers you trust.

Syntax
ntp {clear | disable | enable | no server domain_name | server domain_name}

where:
ntp
    Specifies the status and name of the NTP server.
  clear
      Removes all entries from the NTP server list.
  disable
      Disables NTP.
  enable
      Enables NTP.
  no server domain_name
      Removes the NTP server named domain_name from the NTP server list.
  server domain_name
      Adds the NTP server named domain_name to the NTP server list.

Example
SGOS#(config) ntp server clock.tricity.wsu.edu
  ok

#(config)policy
Use this command to specify central and local policy file location, status, and other options.

Syntax
option 1: policy central-path url
option 2: policy local-path url
option 3: policy no central-path
option 4: policy no local-path
option 5: policy no notify
option 6: policy no subscribe
option 7: policy no vpm-software
option 8: policy notify
option 9: policy order
option 10: policy poll-interval minutes
option 11: policy poll-now
option 12: policy proxy-default
option 13: policy reset
option 14: policy subscribe
option 15: policy vpm-software
where:
policy
    Specifies central and local policy file location and status.
  central-path url
      Specifies the network path (indicated by url) from which the central policy file may be downloaded. Whoever can change the file at this path, or at local-path, changes what the appliance enforces, particularly with subscribe enabled; protect those servers accordingly.
  local-path url
      Specifies the network path (indicated by url) from which the local policy file may be downloaded.
  no {central-path | local-path | notify | subscribe | vpm-software}
      For central-path or local-path, clears the current central or local policy file URL setting. For notify, specifies that no e-mail notification should be sent if the central policy file changes. For subscribe, specifies that the current policy should not be automatically updated when the central policy changes. For vpm-software, clears the network path from which VPM software is downloaded.
  notify
      Specifies that an e-mail notification should be sent if the central policy file changes.
  order
      Specifies the policy evaluation order as a sequence of v (VPM), l (local), and c (central).
  poll-interval minutes
      Specifies the number of minutes that should pass between tests for central policy file changes.
  poll-now
      Tests for central policy file changes immediately.
  proxy-default {allow | deny}
      Sets the default proxy policy to allow or deny. With deny the appliance fails closed: only requests that policy explicitly allows are proxied.
  reset
      Clears all policies.
  subscribe
      Indicates that the current local policy should be automatically updated when the central policy changes.
  vpm-software url
      Specifies the network path from which to download the VPM software.

Example
SGOS#(config) policy local-path http://www.server1.com/local.txt
ok
SGOS#(config) policy central-path http://www.server2.com/central.txt
ok
SGOS#(config) policy poll-interval 10
ok

#(config)restart
Use this command to set restart options for the Security Appliance.

Syntax
restart {compress | core-image {context | full | none} | mode {hardware | software}}

where:
  restart                              Configures system restart settings, including core image information and compression status.
  compress                             Indicates that a compressed core image should be written on restart.
  core-image {context | full | none}   Indicates the type of core image that should be written on restart.
  mode {hardware | software}           Specifies either a hardware or software restart.

Example
SGOS#(config) restart mode software
ok

#(config)return-to-sender
The return-to-sender feature eliminates unnecessary network traffic when the three following conditions are met:
  The Security Appliance has connections to clients or servers on a different subnet.
  The shortest route to the clients or servers is not through the default gateway.
  There are no static routes or RIP routes defined that apply to the IP addresses of the clients and servers.

Under these conditions, if the return-to-sender feature is enabled, the Security Appliance remembers the MAC address of the last hop for a packet from the client or server and sends any responses or requests to the MAC address instead of the default gateway.


Under the same conditions, if return-to-sender is disabled, the Security Appliance sends requests or responses to the default gateway, which then sends the packets to the gateway representing the last hop to the Security Appliance for the associated connection. This effectively doubles the number of packets transmitted on the LAN compared to when return-to-sender is enabled.

Inbound return-to-sender affects connections initiated to the Security Appliance by clients. Outbound return-to-sender affects connections initiated by the Security Appliance to origin servers.

Note: Return-to-sender functionality should only be used if static routes cannot be defined for the clients and servers or if routing information for the clients and servers is not available through RIP packets.

Syntax
return-to-sender {inbound {disable | enable} | outbound {disable | enable}}

where:
  return-to-sender              Configures return-to-sender inbound and outbound settings.
  inbound {disable | enable}    Enables or disables return-to-sender for inbound sessions.
  outbound {disable | enable}   Enables or disables return-to-sender for outbound sessions.

Example
SGOS#(config) return-to-sender inbound enable
ok

#(config)reveal-advanced
The reveal-advanced command allows you to enable all or a subset of the advanced commands available to you when using the CLI. The advanced commands that you can enable include HTTP and TCP/IP commands.

Syntax
reveal-advanced {all | expand | tcp-ip}

where:
  reveal-advanced   Enables the system administrator to hide and disable certain advanced commands.
  all               Disables all expanded, HTTP, and TCP/IP advanced commands.
  expand            Disables all expanded advanced commands.
  tcp-ip            Disables all TCP/IP advanced commands.

Example
SGOS#(config) reveal-advanced expand
ok
SGOS#(config) reveal-advanced tcp-ip
ok
SGOS#(config) reveal-advanced all
ok
SGOS#(config)

#(config)rip
Use this command to set RIP (Routing Information Protocol) configuration options. Using RIP, a host and router can send a routing table list of all other known hosts to its closest neighbor host every 30 seconds. The neighbor host passes this information on to its next closest neighbor and so on until all hosts have perfect knowledge of each other. (RIP uses the hop count measurement to derive network distance.) Each host in the network can then use the routing table information to determine the most efficient route for a packet. The RIP configuration is defined in a configuration file. To configure RIP, first create a text file of RIP commands and then load the file by using the load command.

Syntax
rip {disable | enable | no path | path url}

where:
  rip        Specifies information regarding RIP settings, including status and location.
  disable    Disables the current RIP configuration.
  enable     Enables the current RIP configuration.
  no path    Clears the current RIP configuration path as determined using the rip path url command.
  path url   Sets the path to the RIP configuration file to the URL indicated by url.

Example
SGOS#(config) rip path 10.25.36.47/files/rip.txt
ok

#(config)security
The Security Appliance provides the ability to authenticate using industry-standard proxy authentication and authorization (AA) services for users accessing one or multiple Security Appliance(s) in either explicit proxy mode or transparent proxy mode. The authentication services supported are:
  LDAP     Lightweight Directory Access Protocol
  NTLM     Windows NT Challenge Response (integrated authentication)
  RADIUS   Remote Authentication for Dialup Users
  UNIX     Users, groups and passwords are stored in a file on the Security Appliance, in a Blue Coat proprietary format

The Security Appliance provides a flexible authentication architecture that supports all of the above services with the ability to specify multiple, and even disparate, backend servers (for example, LDAP directory servers together with NT domains with no trust relationship, and so forth) within each authentication scheme with the introduction of a new concept: the realm. A realm defines a schema used to authenticate and authorize users for access to Security Appliance services using any of the authentication mechanisms mentioned above. It is important to note that multiple authentication realms and multiple policy realms can be used on a single Security Appliance. Multiple realms become essential if your enterprise is a Managed Service provider, or your company has merged with or acquired another company, for example. Even for companies using only one protocol, multiple realms may be necessary--as in the case of a company using an LDAP server with multiple authentication boundaries.

A realm configuration is composed of the following:
  realm name
  authentication service (LDAP, NTLM, RADIUS, or UNIX).
  external server configuration   backend server configuration information such as IP address, port, and other relevant information based on the selected service.
  authentication schema           the definition that will be used to authenticate users.
  authorization schema            the definition that will be used to authorize users for membership in defined groups and check for attributes that trigger evaluation against any defined policy rules.

For details, refer to the Blue Coat Systems Port 80 Security Appliance Configuration and Management Guide, "Authentication and Authorization" chapter.

Syntax
option 1: security allowed-access source_ip [mask]
option 2: security destroy-old-passwords
option 3: security enable-password password
option 4: security flush-credentials
option 5: security flush-credentials on-policy-change disable
option 6: security flush-credentials on-policy-change enable
option 7: security front-panel-pin PIN
option 8: security hashed-front-panel-pin hashed-PIN
option 9: security hashed-enable-password hashed-password
option 10: security hashed-password hashed-password
option 11: security enforce-acl
option 12: security ldap all alternate-server ip_address [port]
option 13: security ldap all cache-duration minutes
option 14: security ldap all case-sensitive disable
option 15: security ldap all case-sensitive enable
option 16: security ldap all distinguished-name user-attribute-type user_attribute_type
option 17: security ldap all distinguished-name [{add | | demote | no | promote}] base-dn base_dn
option 18: security ldap all distinguished-name clear base-dn
option 19: security ldap all membership-attribute attribute_name
option 20: security ldap all membership-type group
option 21: security ldap all membership-type user
option 22: security ldap all no alternate-server
option 23: security ldap all no membership-attribute
option 24: security ldap all no spoof-authentication
option 25: security ldap all primary-server ip_address port
option 26: security ldap all search anonymous disable
option 27: security ldap all search anonymous enable
option 28: security ldap realm_name all search dereference {always | finding | never | searching}
option 29: security ldap all search encrypted-password encrypted_password
option 30: security ldap all search password password
option 31: security ldap all search user-dn user_dn
option 32: security ldap all server-type {ad | iplanet | nds | other}
option 33: security ldap all spoof-authentication
option 34: security ldap create-realm {ad | iplanet | nds | other} realm_name [base_DN] primary_ip [port]
option 35: security ldap delete-realm realm_name
option 36: security ldap edit-realm realm_name
option 37: security ldap edit-realm realm_name all search encrypted-password encrypted_password
option 38: security ldap edit-realm realm_name all search password password
option 39: security ldap edit-realm realm_name no spoof-authentication
option 40: security ldap edit-realm realm_name search encrypted-password encrypted_password
option 41: security ldap edit-realm realm_name search encrypted-password encrypted_password
option 42: security ldap edit-realm realm_name search password password
option 43: security ldap edit-realm spoof-authentication
option 44: security ldap view
option 45: security ldap view realm_name
option 46: security ldap realm_name
option 47: security ldap realm_name search dereference {always | finding | never | searching}
option 48: security management auto-logout-timeout seconds
option 49: security management display-realm name
option 50: security management no auto-logout-timeout
option 51: security management no display-realm
option 52: security no allowed-access source_ip [ip_mask]
option 53: security no enforce-acl
option 54: security ntlm all alternate-server ip_address port
option 55: security ntlm all cache-duration minutes
option 56: security ntlm all no alternate-server
option 57: security ntlm all primary-server ip_address [port]
option 58: security ntlm all timeout seconds
option 59: security ntlm all server-retry count
option 60: security ntlm create-realm realm_name primary_server_ip [primary_server_port]
option 61: security ntlm delete-realm realm_name
option 62: security ntlm edit-realm realm_name
option 63: security ntlm view
option 64: security ntlm view realm_name
option 65: security ntlm realm_name
option 66: security password password
option 67: security password-display {encrypted | keyring | none | view}
option 68: security radius create-realm-encrypted realm_name encrypted-secret primary_server_ip [primary_server_port]
option 69: security radius create-realm realm_name encrypted_secret primary_server_ip [primary_server_port]
option 70: security radius create-realm realm_name secret primary_server_ip [primary_server_port]
option 71: security radius delete-realm realm_name
option 72: security radius edit-realm realm_name
option 73: security radius edit-realm realm alternate-server encrypted-secret encrypted_secret
option 74: security radius edit-realm realm primary-server encrypted-secret encrypted_secret
option 75: security radius edit-realm realm alternate-server secret secret
option 76: security radius edit-realm realm no spoof-authentication
option 77: security radius edit-realm realm primary-server secret secret
option 78: security radius edit-realm realm spoof-authentication
option 79: security radius view
option 80: security radius view realm_name
option 81: security radius realm_name
option 82: security username user_name
option 83: security transparent-proxy-auth cookie persistent
option 84: security transparent-proxy-auth cookie session
option 85: security transparent-proxy-auth cookie virtual-url url
option 86: security transparent-proxy-auth method ip
option 87: security transparent-proxy-auth method cookie
option 88: security transparent-proxy-auth time-to-live {ip minutes | persistent-cookie minutes}
option 89: security unix create-realm realm_name
option 90: security unix delete-realm realm_name
option 91: security unix edit-realm realm_name no spoof-authentication
option 92: security unix edit-realm realm_name parameter
option 93: security unix edit-realm realm_name spoof-authentication
option 94: security unix view
option 95: security unix view realm_name
option 96: security unix realm_name

where:
  security                                   Configures authorization and authentication methods and realms (LDAP, NTLM, RADIUS, and UNIX).
    allowed-access source_ip [mask]          Adds the IP address indicated by source_ip to the Access Control List.
    destroy-old-passwords [force]            Destroys recoverable passwords in the registry key from previous versions. This command, while improving security, should only be used if you do not plan to upgrade.
    enable-password password                 Puts into effect the console enable (or privileged mode) password specified by password.
    enforce-acl                              Enforces the console Access Control List.
    flush-credentials [on-policy-change {disable | enable}]
                                             With no additional parameters, flushes the credentials cache immediately. flush-credentials on-policy-change enable flushes the credentials cache when a change to the central policy file has been detected; flush-credentials on-policy-change disable does not.
    front-panel-pin pin                      Specifies the PIN for the front panel console. This does not affect modules that allow configuration for the front panel.
    hashed-enable-password hashed_password   Puts into effect the console hashed enable password specified by hashed_password.
    hashed-front-panel-pin hashed_pin        Specifies the hashed PIN for the front panel console. This does not affect modules that allow configuration for the front panel.

  security ldap all                          Configures security aspects of all LDAP realms.
    alternate-server ip_address [port]       Specifies the alternate LDAP server IP address and port for all LDAP realms.
    cache-duration minutes                   Specifies the length of time to cache user credentials for all LDAP realms.
    case-sensitive {disable | enable}        Enables or disables the case-sensitivity of all LDAP realms.
    distinguished-name user-attribute-type user_attribute_type
                                             Configures the distinguished name (DN) user attribute type for all LDAP realms.
    distinguished-name {add | | demote | no | promote} base-dn base_dn ~or~ clear base-dn
                                             Configures the base distinguished names for all of the LDAP realms. add appends a base distinguished name to each realm. demote moves the specified base distinguished name down in the search order in each realm that contains a match. no deletes the specified base distinguished name from the realm. promote moves the specified base distinguished name up in the search order in each realm that contains a match. clear deletes all distinguished names from every realm.
    membership-attribute attribute_name      Specifies the membership attribute for all LDAP realms.
    membership-type {group | user}           Specifies group or user name mapping authorization mode.
    no alternate-server                      Clears the current alternate LDAP server IP address and port for all LDAP realms.
    no membership-attribute                  Clears the membership attribute for all LDAP realms.
    no spoof-authentication                  Disables spoof-authentication.
    primary-server ip_address [port]         Sets the current primary LDAP server IP address and port for all LDAP realms.
    search anonymous {disable | enable}      Enables or disables anonymous searches for all LDAP realms.
    search encrypted-password encrypted_password
                                             Enables searching using the user encrypted password if anonymous search is disabled.
    search password password                 Enables searching using the user password if anonymous search is disabled.
    search user-dn user_DN                   Enables searching using the user distinguished name if anonymous search is disabled.
    spoof-authentication                     Allows forwarding user credentials from the credential cache to the origin content server. Authentication to an upstream server can only be done when the Security Appliance and the OCS have the same set of username/password combinations.

  security ldap                              Creates, deletes, or displays information about a particular LDAP realm.
    all search [dereference {always | finding | never | searching}] [password password] [encrypted-password encrypted_password]
                                             Specifies if and when to follow alias pointers on the LDAP server. Never: do not dereference aliases in searching or in locating the base object. Searching: dereference aliases only during searching and not when locating the base object. Finding: dereference aliases in locating the base object of the search but not during searching. Always (the default): dereference aliases both during searching and locating.
    create-realm {ad | iplanet | nds | other} realm_name base_DN primary_ip [primary_port]
                                             Creates a new LDAP realm named realm_name.
    delete-realm realm_name                  Deletes the LDAP realm named realm_name.
    edit-realm realm_name                    Edits the LDAP realm named realm_name. Changes the prompt to config ldap realm_name.
    edit-realm realm_name dereference [always | finding | never | searching]
                                             Changes the dereference level for a single realm. (Dereferencing specifies if and when to follow alias pointers on the LDAP server.) Never: do not dereference aliases in searching or in locating the base object. Searching: dereference aliases only during searching and not when locating the base object. Finding: dereference aliases in locating the base object of the search but not during searching. Always (the default): dereference aliases both during searching and locating.
    alternate-server ip_address [port]       Configures the alternate LDAP server.
    cache-duration minutes                   Specifies the length of time to cache user credentials.
    case-sensitive {enable | disable}        Enables or disables case sensitivity within the realm.
    distinguished-name user-attribute-type attribute_type
                                             Sets the LDAP distinguished name user attribute type.
    distinguished-name {add | | demote | no | promote} base-dn base_dn ~or~ distinguished-name clear base-dn
                                             Configures the distinguished names. add appends a distinguished name to the realm. demote moves the specified distinguished name down in the search order. no deletes the specified distinguished name from the realm. promote moves the specified distinguished name up one in the search order. clear deletes all distinguished names from the realm.
    exit                                     Exits edit-realm mode.
    membership-attribute type                Specifies the membership attribute type.
    membership-type {group | user}           Specifies group mapping authorization mode or user attribute mapping authorization mode.
    no {alternate-server | membership-attribute | spoof-authentication}
                                             Deletes the alternate server or the membership attribute, or disables spoof-authentication.
    primary-server ip_address [port]         Configures the primary server.
    rename realm_name                        Renames the realm.
    search {anonymous {enable | disable} | password password | user-dn user-dn}
                                             Configures realm search options.
    server-type {ad | iplanet | nds | other} Changes the server type for this realm.
    spoof-authentication                     Allows forwarding user credentials from the credential cache to the origin content server. Authentication to an upstream server can only be done when the Security Appliance and the OCS have the same set of username/password combinations.
    {show | view}                            Displays running system information or displays information for this realm.
    view realm_name                          Displays information about the LDAP realm named realm_name.

  security management                        Sets Security Appliance realm settings.
    auto-logout-timeout seconds              Sets the length of the Security Appliance session before requiring login credentials. The default is 900 seconds (15 minutes).
    display-realm name                       Sets the name of the Security Appliance realm. The default is the IP address that was used to connect to the system.
    no display-realm                         Resets the name of the Security Appliance realm to the Security Appliance IP address.
    no auto-logout-timeout                   Disables the session timeout feature.

  security no                                Negates certain Access Control List features.
    allowed-access source_ip [ip_mask]       Disables the IP address indicated by source_ip in the Access Control List.
    enforce-acl                              Disables the console Access Control List.

  security ntlm all                          Configures security aspects of all NTLM realms.
    alternate-server ip_address [port]       Specifies the alternate LDAP server IP address and port for all NTLM realms.
    cache-duration minutes                   Specifies the length of time to cache user credentials for all NTLM realms.
    no alternate-server                      Clears the current alternate NTLM server IP address and port for all NTLM realms.
    primary-server ip_address [port]         Specifies the primary LDAP server IP address and port for all NTLM realms.
    timeout seconds                          Configures the NTLM query timeout for all NTLM realms.
    server-retry count                       Configures the number of authentication retry attempts for all NTLM realms.

  security ntlm                              Creates, deletes, or displays information about a particular NTLM realm.
    create-realm realm_name primary_server_ip [primary_server_port]
                                             Creates a new NTLM realm named realm_name.
    delete-realm realm_name                  Deletes the NTLM realm named realm_name.
    edit-realm realm_name                    Edits the NTLM realm named realm_name.
    alternate-server ip_address [port]       Configures alternate RADIUS server.
    cache-duration minutes                   Specifies the length of time to cache user credentials.
    exit                                     Exits edit-realm mode.
    no alternate-server                      Deletes the alternate server.
    primary-server ip_address [port]         Configures the primary server.
    rename realm_name                        Renames the realm.
    timeout seconds                          Specifies query duration before timeout.
    server-retry count                       Specifies the number of authentication retry attempts.
    {show | view}                            Shows running system information or views information for this realm.
    view realm_name                          Displays information about the NTLM realm named realm_name.

  security password                          Changes the console account password.
    password password                        Puts into effect the console account password indicated by password.
    hashed-password hashed_password          Puts into effect the console account password indicated by hashed_password.

  security password-display [none | encrypted | keyring name | view]
                                             Sets the CLI handling of passwords for this session. Keyring is meant for Director use. Director stores its keyring in a public key that is used when pulling a configuration from one Security Appliance to multiple Security Appliances.

  security radius                            Creates, deletes, or displays information about a particular RADIUS realm.
    create-realm realm_name [secret | encrypted_secret] primary_server_ip [primary_server_port]
                                             Creates a new RADIUS realm named realm_name.
    create-realm-encrypted realm_name encrypted_secret primary_server_ip [primary_server_port]
                                             Creates a new RADIUS realm named realm_name. It also accepts encrypted secrets.
    delete-realm realm_name                  Deletes the RADIUS realm named realm_name.
    edit-realm realm_name                    Edits the RADIUS realm named realm_name.
    alternate-server ip_address [port] | [secret secret | encrypted-secret encrypted_secret | service-type type]
                                             Configures the alternate RADIUS server.
    cache-duration minutes                   Specifies the length of time to cache user credentials.
    case-sensitive {enable | disable}        Enables or disables case sensitivity within the realm.
    exit                                     Exits edit-realm mode.
    no {alternate-server | spoof-authentication}
                                             Deletes the alternate server or disables spoof-authentication.
    primary-server ip_address [port] | [secret secret | encrypted-secret encrypted_secret | service-type type]
                                             Configures the primary server. Can also specify a shared secret for the primary RADIUS server and specify a checklist service type sent to the primary RADIUS server.
    rename realm_name                        Renames the realm.
    timeout seconds                          Specifies query duration before timeout.
    server-retry count                       Specifies the number of authentication retry attempts.
    {show | view}                            Shows running system information or views information for this realm.
    spoof-authentication                     Allows forwarding user credentials from the credential cache to the origin content server. Authentication to an upstream server can only be done when the Security Appliance and the OCS have the same set of username/password combinations.
    view realm_name                          Displays information about the RADIUS realm named realm_name.

  security username user_name                Changes the console account user name. Puts into effect the console account user name indicated by user_name.

  security transparent-proxy-auth            Configures transparent-proxy cookie options.
    cookie persistent                        Specifies that this realm should use persistent cookies with no TTL expiration.
    cookie session                           Specifies that this realm should use cookies that expire at the end of a session.
    cookie virtual-url url                   Specifies that this realm should use cookies with the virtual URL indicated by url.
    method ip                                Specifies that this realm should use the IP method for transparent proxy (as opposed to the cookie method).
    method cookie                            Specifies that this realm should use the cookie method for transparent proxy (as opposed to the IP method).
    time-to-live {ip minutes | persistent-cookie minutes}
                                             Specifies the duration the IP or persistent cookie is valid.

  security unix                              Creates, deletes, or displays information about a particular UNIX realm.
    create-realm realm_name                  Creates a new UNIX realm named realm_name.
    delete-realm realm_name                  Deletes the UNIX realm named realm_name.
    edit-realm realm_name                    Edits the UNIX realm named realm_name.
    cache-duration minutes                   Specifies the length of time to cache user credentials.
    no spoof-authentication                  Disables spoof-authentication.
    exit                                     Exits edit-realm mode.
    rename realm_name                        Renames the realm.
    {show | view}                            Shows running system information or views information for this realm.
    spoof-authentication                     Allows forwarding user credentials from the credential cache to the origin content server. Authentication to an upstream server can only be done when the Security Appliance and the OCS have the same set of username/password combinations.
    view realm_name                          Displays information about the UNIX realm named realm_name.

Example
SGOS#(config) security ldap create-realm iplanet AuthRealm "dc=ads2001,dc=bluecoat,dc=com" 10.252.3.78 389
ok
SGOS#(config) security ldap edit-realm AuthRealm
SGOS#(config ldap AuthRealm) search password "user"
ok
SGOS#(config ldap AuthRealm) search user-dn "cn=UserAG,ou=bluecoat,dc=ads2001,dc=bluecoat,dc=com"
ok
SGOS#(config ldap AuthRealm) search anonymous disable
ok
SGOS#(config ldap AuthRealm) exit
SGOS#(config) security allowed-access 10.253.101.23 255.255.255.255
ok
SGOS#(config) security allowed-access 10.253.101.24 255.255.255.255
ok
SGOS#(config) security allowed-access 10.252.10.90 255.255.255.255
ok
SGOS#(config) security enable-password "enable"
ok
SGOS#(config) security front-panel-pin "1234"
ok
SGOS#(config) security password "test"
ok
SGOS#(config) security username "test"
ok
SGOS#(config)


#(config)services
Use this command to configure FTP, HTTP, or Telnet services.

Syntax
services

This changes the prompt to:


SGOS#(config services)

- subcommands
option 1: exit
option 2: ftp {attribute | create | delete | disable | enable | exit | show | view}
option 3: http {attribute | create | delete | disable | enable | exit | show | view}
option 4: show
option 5: telnet {create | delete | disable | enable | exit | show | view}
option 6: view

where:
  services   Configures services.
  exit       Exits the config services mode and returns you to the config prompt.
  ftp        Configures Transparent FTP services. See the (services) ftp command for options.
  http       Configures HTTP services. See the (services) http command for options.
  show       Displays running system information.
  telnet     Configures Telnet services. See the (services) telnet command for options.
  view       Displays all services-related configuration information.

Example
SGOS#(config services) view
Port: 8080 Type: http Properties: enabled, explicit-proxy
Port: 80 Type: http Properties: enabled, transparent, explicit-proxy
Port: 21 Type: ftp Properties: enabled, transparent


#(config services)ftp
Use this command to configure transparent FTP services.

Syntax
ftp

This changes the prompt to:


SGOS#(config services ftp)

- subcommands
option 1: attribute passive-mode {disable | enable}
option 2: create
option 3: delete
option 4: disable
option 5: enable
option 6: exit
option 7: view

where:
  services ftp                                Configures transparent FTP services.
  attribute passive-mode {disable | enable}   Enables or disables support for passive mode to clients.
  create port                                 Creates a transparent FTP services port.
  delete port                                 Deletes a transparent FTP services port.
  disable [port=21]                           Disables the transparent FTP services port.
  enable [port=21]                            Enables the transparent FTP services port.
  exit                                        Exits config services ftp mode and returns you to the config services prompt.
  view                                        Displays the transparent FTP services configuration.

Example
SGOS#(config) services
SGOS#(config services) ftp
SGOS#(config services ftp) create 2002
ok
SGOS#(config services ftp) exit
SGOS#(config services)


#(config services)http
Use this command to create and configure HTTP services.

Syntax
http

This changes the prompt to:


SGOS#(config services http)

- subcommands
option 1: attribute authenticate-401 {enable | disable} port
option 2: attribute explicit disable port
option 3: attribute explicit enable port
option 4: attribute nap disable port
option 5: attribute nap enable port
option 6: attribute send-client-ip disable port
option 7: attribute send-client-ip enable port
option 8: attribute transparent disable port
option 9: attribute transparent enable port
option 10: attribute head enable port
option 11: attribute head disable drop port
option 12: attribute head disable error port
           attribute connect disable port
option 13: attribute connect enable port
option 14: attribute connect disable drop port
option 15: attribute connect disable error port
option 16: create port
option 17: delete port
option 18: disable port
option 19: enable port
option 20: exit
option 21: show
option 22: view

where:
  services http attribute                        Configures HTTP services attributes.
    authenticate-401 {enable | disable} port     Enables or disables transparent authentication.
    explicit disable port                        Rejects requests for non-transparent content on the specified port.
    explicit enable port                         Accepts requests for non-transparent content on the specified port.
    nap disable port                             Disables the non-accelerated attribute on the specified port.
    nap enable port                              Enables the non-accelerated attribute on the specified port.
    send-client-ip disable port                  Disables the spoof attribute on the specified port.
    send-client-ip enable port                   Enables the spoof attribute on the specified port.
    transparent disable port                     Accepts requests for transparent content on the specified port.
    transparent enable port                      Rejects requests for transparent content on the specified port.
    head enable port                             Prevents blocking of HEAD requests on the specified port.
    head disable drop port                       Drops connections for HEAD requests on the specified port.
    head disable error port                      Returns error 405 for HEAD requests on the specified port.
    connect disable port                         Blocks CONNECT requests on the specified port.
    connect enable port                          Prevents blocking of CONNECT requests on the specified port.
    connect disable drop port                    Drops connections for CONNECT requests on the specified port.
    connect disable error port                   Returns error 405 for CONNECT requests on the specified port.

  services http                                  Establishes HTTP services port.
    create port                                  Creates an HTTP services port.
    delete port                                  Deletes the specified HTTP services port.
    disable port                                 Disables the HTTP services on the specified port.
    enable port                                  Enables the HTTP services on the specified port.
    exit                                         Exits config services http mode and returns you to the config services prompt.
    show                                         Displays running system information.
    view                                         Displays the HTTP services configuration.

Example
SGOS#(config) services
SGOS#(config services) http

114

Chapter 3: Privileged Mode Configure Commands

SGOS#(config services http) create 8085
  ok
SGOS#(config services http) attribute authenticate-401 enable 8085
  ok
SGOS#(config services http) exit
SGOS#(config services) exit
SGOS#(config)

#(config services)telnet
Use this command to create and configure Telnet services.

Syntax
telnet

This changes the prompt to:


SGOS#(config services telnet)

- subcommands
option 1: create port
option 2: delete port
option 3: disable port
option 4: enable port
option 5: exit
option 6: show
option 7: view
where:
services telnet: Configures Telnet services.
  create port
      Creates a Telnet services port indicated by port.
  delete port
      Deletes the Telnet services port indicated by port.
  disable port
      Disables the Telnet services port.
  enable port
      Enables the Telnet services port.
  exit
      Exits config services telnet mode and returns you to the config services prompt.
  show
      Displays running system information.
  view
      Displays the Telnet services configuration.

Example
SGOS#(config) services
SGOS#(config services) telnet


SGOS#(config services telnet) view
Port: 23      Type: telnet      Properties: enabled, explicit
Port: 9002    Type: telnet      Properties: enabled, explicit
Port: 9003    Type: telnet      Properties: enabled, explicit
Port: 30      Type: telnet      Properties: enabled, explicit
SGOS#(config services telnet) delete 9003
  ok
SGOS#(config services telnet) create 25
  ok
SGOS#(config services telnet) disable 9003
  ok
SGOS#(config services telnet) exit
SGOS#(config services) exit
SGOS#(config)

#(config)show
Use this command to display specific configuration settings or options.

Syntax
option 1: show accelerated-pac
option 2: show access-log {configuration | statistics}
option 3: show archive-configuration
option 4: show arp-table
option 5: show bandwidth-gain
option 6: show bypass-list
option 7: show caching
option 8: show clock
option 9: show commands [delimited | formatted]
option 10: show configuration [brief | expanded | noprompts]
option 11: show content {outstanding-requests {[deletes] | [revalidates] | [priority]} | priority {[regex regex] | [url url]} | statistics | url url}
option 12: show content-distribution
option 13: show content-filter {smartfilter | status | websense3 | websense4}
option 14: show cpu
option 15: show diagnostics
option 16: show disk {disk_number | all}
option 17: show dns
option 18: show domain-alias
option 19: show download-paths


option 20: show dynamic-bypass
option 21: show efficiency
option 22: show environmental
option 23: show event-log
option 24: show forwarding
option 25: show health-checks
option 26: show hostname
option 27: show http
option 28: show http-stats
option 29: show icap {clusters | services | statistics}
option 30: show icp-settings
option 31: show identd
option 32: show installed-systems
option 33: show interface
option 34: show ip-default-gateway
option 35: show ip-route-table
option 36: show ip-stats {all | e# | ip | memory | summary | tcp | udp}
option 37: show netbios
option 38: show ntp
option 39: show policy [order | proxy-default]
option 40: show ports
option 41: show realms
option 42: show resources
option 43: show restart
option 44: show return-to-sender
option 45: show rip {parameters | routes | statistics}
option 46: show rtsp
option 47: show security
option 48: show services [ftp | http | telnet]
option 49: show sessions
option 50: show snmp
option 51: show socks-machine-id
option 52: show sources {bypass-list | error-pages | icp-settings | policy | rip-settings | static-route-table | streaming | wccp-settings}
option 53: show splash-generator
option 54: show static-routes
option 55: show status


option 56: show streaming {real-media | windows-media | configuration | statistics}
option 57: show system-resource-percent
option 58: show tcp-rtt
option 59: show telnet-management
option 60: show terminal
option 61: show timezones
option 62: show transparent-proxy
option 63: show user authentication
option 64: show version
option 65: show virtual-ip
option 66: show wccp {configuration | statistics}
option 67: show web-management
where:
show: Displays running system information.
  accelerated-pac
      Displays the current accelerated PAC settings.
  access-log {configuration | statistics}
      Displays the current access log settings.
  archive-configuration
      Displays archive configuration settings.
  arp-table
      Displays ARP information.
  bandwidth-gain
      Displays the current bandwidth-gain commands.
  bypass-list
      Displays the current bypass list.
  caching
      Displays the current caching settings.
  clock
      Displays the current Security Appliance time setting.
  commands [delimited | formatted]
      Displays the available CLI commands.
  configuration [brief | expanded | noprompts]
      Displays the current non-default configuration settings. Use the optional parameters to customize the output.
  content {outstanding-requests | priority | url}
      Displays outstanding distribution and revalidation requests, policy deletion priorities, or information for a cached object.
  content-filter {smartfilter | status | websense3 | websense4}
      Displays the current content filter settings.
  cpu
      Displays CPU usage.
  diagnostics
      Displays the remote diagnostics commands.
  disk {disk_number | all}
      Displays disk status and information.
  dns
      Displays DNS servers and name imputing settings.


  domain-alias
      Displays any defined domain aliases.
  download-paths
      Displays the current downloaded configuration paths.
  dynamic-bypass
      Displays the current dynamic bypass configuration settings.
  efficiency
      Displays efficiency statistics.
  environmental
      Displays environmental statistics.
  event-log
      Displays the current event log settings.
  forwarding
      Displays the current forwarding settings.
  health-checks
      Displays health check settings.
  hostname
      Displays the current hostname.
  http
      Displays HTTP settings.
  http-stats
      Displays HTTP statistics.
  icap {clusters | services | statistics}
      Displays ICAP settings.
  icp-settings
      Displays ICP settings.
  identd
      Displays IDENTD service settings.
  installed-systems
      Displays OS versions available on the Security Appliance.
  interface
      Displays interface status and configuration information.
  ip-default-gateway
      Displays the IP address of the default gateway.
  ip-route-table
      Displays route table information.
  ip-stats {all | e# | ip | memory | summary | tcp | udp}
      Displays TCP/IP statistics.
  netbios
      Displays NETBIOS settings.
  ntp
      Displays NTP servers and information.
  policy [order | proxy-default]
      Displays current policy rules.
  ports
      Displays HTTP and console ports.
  realms
      Displays current authentication realms.
  resources
      Displays allocation of system resources.
  restart
      Displays system restart settings.
  return-to-sender
      Displays "return to sender" settings.
  rip {parameters | routes | statistics}
      Displays RIP settings.
  rtsp
      Displays RTSP settings.
  security
      Displays security settings.
  services [ftp | http | telnet]
      Displays services settings.
  sessions
      Displays information about Telnet connections.
  snmp
      Displays SNMP statistics.
  socks-machine-id
      Displays the SOCKS machine ID.


  sources {bypass-list | error-pages | icp-settings | policy | rip-settings | static-route-table | streaming | wccp-settings}
      Displays source listings for installable lists.
  splash-generator
      Displays splash generator commands.
  static-routes
      Displays static route table information.
  status
      Displays current system status.
  streaming {real-media | windows-media | configuration | statistics}
      Displays streaming settings and protocol-specific streaming settings.
  system-resource-percent
      Displays system resource allocation commands.
  tcp-rtt
      Displays default TCP Round Trip Time.
  telnet-management
      Displays Telnet management status.
  terminal
      Displays terminal configuration parameters and subcommands.
  timezones
      Displays timezones used.
  transparent-proxy
      Displays transparent-proxy settings.
  user-authentication
      Displays user authentication information.
  version
      Displays system hardware and software status.
  virtual-ip
      Displays the current virtual IP settings.
  wccp {configuration | statistics}
      Displays the current WCCP configuration.
  web-management
      Displays Web management status.

Example
SGOS#(config) show bypass-list
TCP/IP Bypass List Information
Destination   Mask   Source   Mask   Gateway   Interface   Life(secs)   UseCount

#(config)snmp
Use this command to set SNMP (Simple Network Management Protocol) options for the Security Appliance. The Security Appliance can be viewed using an SNMP management station. The Security Appliance supports MIB-2 (RFC 1213).

Syntax
snmp

This changes the prompt to:


SGOS#(config snmp)

- subcommands
option 1: authorize-traps
option 2: disable
option 3: enable
option 4: exit
option 5: no {authorize-traps | sys-contact | sys-location | trap-address {1 | 2 | 3}}
option 6: read-community password
option 7: reset-configuration
option 8: show
option 9: snmp-writes {disable | enable}
option 10: sys-contact string
option 11: sys-location string
option 12: trap-address {1 ip_address | 2 ip_address | 3 ip_address}
option 13: trap-community password
option 14: write-community password
where:
snmp: Sets SNMP options on the Security Appliance.
  authorize-traps
      Enables SNMP authorize traps.
  disable
      Disables SNMP for the Security Appliance.
  enable
      Enables SNMP for the Security Appliance.
  exit
      Exits config snmp mode and returns you to the config prompt.
  no {authorize-traps | sys-contact | sys-location | trap-address {1 | 2 | 3}}
      Disables the current authorize traps, system contact, system location, or trap address settings.
  read-community password | encrypted_password
      Sets the read community password or encrypted-password.
  reset-configuration
      Resets the SNMP configuration to the default settings.
  show
      Displays running system information.
  snmp-writes {disable | enable}
      Enables or disables SNMP write capability.
  sys-contact string
      Sets the "sysContact" MIB variable to string.
  sys-location string
      Sets the "sysLocation" MIB variable to string.


  trap-address {1 ip_address | 2 ip_address | 3 ip_address}
      Indicates which IP address(es) can receive traps and in which priority.
  trap-community password | encrypted_password
      Sets the trap community password or encrypted-password.
  write-community password | encrypted_password
      Sets the write community password or encrypted-password.

Example
SGOS#(config) snmp
SGOS#(config snmp) authorize-traps
  ok

#(config)socks-machine-id
Use this command to set the machine ID for SOCKS. If you are using a SOCKS server for the primary or alternate gateway, you must specify the Security Appliance machine ID for the Identification (Ident) protocol used by the SOCKS gateway.

Syntax
socks-machine-id machine_id

where:
socks-machine-id: Specifies the SOCKS machine ID.
  machine_id
      Indicates the machine ID for the SOCKS server.

Example
SGOS#(config) socks-machine-id 10.25.36.47
  ok

#(config)splash-generator
Use this command to display a custom message page, or splash page, to a user the first time he or she starts the client browser. Subsequent URL requests from the client then provide the user with the requested content.

Syntax
splash-generator

This changes the prompt to:


SGOS#(config splash-generator)

- subcommands
option 1: cluster disable


option 2: cluster enable
option 3: cluster peer-ip {1 | 2 | 3 | 4 | 5 | ip_address}
option 4: cluster sdp-port port
option 5: disable
option 6: enable
option 7: exit
option 8: protocol tacacs
option 9: protocol radius
option 10: radius acct-listen-port port
option 11: radius auth-listen-port port
option 12: radius forwarding disable
option 13: radius forwarding ip-spoof
option 14: radius forwarding proxy-state
option 15: radius no secret-key
option 16: radius encrypted-secret-key key
option 17: radius secret-key key
option 18: show
option 19: tacacs forwarding disable
option 20: tacacs forwarding enable
option 21: tacacs listen-port port
option 22: tacacs multi-session disable
option 23: tacacs multi-session enable
option 24: tacacs no all-servers
option 25: tacacs no one-server IP_address [port]
option 26: tacacs no secret-key
option 27: tacacs server IP_address [port]
option 28: tacacs encrypted-secret-key key
option 29: tacacs secret-key key
option 30: timeout seconds
where:
splash-generator: Specifies general, RADIUS accounting, and TACACS+ accounting information.
  disable
      Disables the splash generator.
  enable
      Enables the splash generator.
  exit
      Exits config splash-generator mode and returns to the config prompt.
  show
      Displays running system information.


  timeout minutes
      Indicates the splash timeout in minutes.

splash-generator cluster: Sets splash generator cluster support options.
  disable
      Disables splash-generator cluster support.
  enable
      Enables splash-generator cluster support.
  peer-ip {1 | 2 | 3 | 4 | 5 | ip_address}
      Indicates the cluster peer address.
  sdp-port port
      Indicates the Session Distributor Protocol port.

splash-generator protocol: Indicates which protocol should be used for splash generator support.
  tacacs
      Indicates that the TACACS+ protocol should be used.
  radius
      Indicates that the RADIUS protocol should be used.

splash-generator radius: Sets various splash generator RADIUS options.
  acct-listen-port port
      Listens for incoming RADIUS accounting requests on the port indicated by port.
  auth-listen-port port
      Listens for incoming RADIUS authorization requests on the port indicated by port.
  encrypted-secret-key encrypted-key
      Sets the encrypted secret key to encrypted-key.
  forwarding disable
      Disables forwarding of RADIUS requests.
  forwarding ip-spoof
      Enables forwarding of RADIUS packets using IP spoofing.
  forwarding proxy-state
      Enables forwarding of RADIUS packets using proxy state.
  no secret-key
      Sets the MD5 secret key to an empty string.
  secret-key key
      Sets the MD5 secret key to key.

splash-generator tacacs: Sets various splash generator TACACS+ options.
  encrypted-secret-key encrypted-key
      Sets the encrypted secret key to encrypted-key.
  forwarding disable
      Disables forwarding of TACACS+ requests.
  forwarding enable
      Enables forwarding of TACACS+ requests.
  listen-port port
      Listens for incoming TACACS+ requests on the port indicated by port.
  multi-session disable
      Disables multiple TACACS+ sessions capability.


  multi-session enable
      Enables multiple TACACS+ sessions capability.
  no all-servers
      Removes all TACACS+ server entries.
  no one-server IP_address [port]
      Removes the TACACS+ server entry indicated by IP_address.
  no secret-key
      Sets the secret key to an empty string.
  server IP_address [port]
      Adds the server indicated by IP_address to the TACACS+ server list.
  secret-key key
      Sets the secret key to key.

Example
SGOS#(config) splash-generator
SGOS#(config splash-generator) enable
  ok
SGOS#(config splash-generator) protocol radius
  ok
SGOS#(config splash-generator) exit
SGOS#(config)

#(config)sshd
After doing the initial setup and installation, you can connect to the Security Appliance Serial Console CLI securely using secure shell protocol (SSH). Think of SSH as a secure Telnet. When enabled, all data transmitted between the SSH client and SSH host is encrypted and decrypted using public and private keys established on the Security Appliance and by the SSH application on the client.

Note: The Security Appliance supports a combined maximum of 16 Telnet and SSH sessions. It also supports up to 24 client keys, including keys from Blue Coat Director.

There are many SSH clients commercially available for UNIX and Windows. The Security Appliance requires SSH1; many versions of SSH2, however, are downwardly compatible. Using a secure connection with RSA authentication requires public and private keys. During the following process, the SSH client application usually creates an identity.pub file. You'll need to open this file in a text editor, copy the contents of the file, and paste it in when the CLI requests it. If the SSH client you're using cannot create the identity.pub file, or if you are using a Telnet client, try searching popular software archives for a free key-generator utility.

Prerequisite
To configure a secure CLI connection with SSH:
1. Start your Telnet or SSH client application and create a new connection to the Security Appliance. Specify SSH1 as the protocol.


Figure 3-1: Setting up an SSH using RSA authenticated connection

2. Open a Telnet or serial port terminal session with the Security Appliance and enter your username and password when prompted. If you are using a serial connection, use the serial cable supplied with the system.
3. Enter the following commands:
SGOS> enable
SGOS> enable_password
SGOS# conf t
4. Continue with the appropriate syntax described below.

Syntax
sshd

This changes the prompt to:


SGOS#(config sshd)

- subcommands
option 1: create host-keypair
option 2: delete {client-key clientID | host-keypair}
option 3: delete director-client-key clientID
option 4: exit
option 5: import client-key clientID
option 6: import director-client-key
option 7: show
option 8: view {client-key {clientID} | host-public-key}
option 9: view director-client-key [clientID]
where:
sshd
  create host-keypair
      Creates a host keypair.


  delete {client-key clientID | host-keypair}
      Deletes either the host keypair or the client key associated with the indicated clientID.
  delete director-client-key clientID
      Deletes the client key associated with the indicated clientID of a Security Appliance that is being used in Blue Coat Director configurations.
  exit
      Exits config sshd mode and returns you to config mode.
  import client-key clientID
      Imports the fingerprint of the client key associated with the indicated clientID.
  import director-client-key
      Imports the fingerprint of the Director client, automatically determined from the imported key.
  show
      Displays running system information.
  view {client-key {clientID} | host-public-key}
      Displays the fingerprint of either the host keypair or the client key associated with the indicated clientID.
  view director-client-key clientID
      Displays the fingerprint of the client key associated with the indicated Director clientID.

Example
SGOS#(config) telnet allow sshd-config
SGOS#(config sshd) create host-keypair
  ok

#(config)static-routes
Use this command to set the network path to download the static routes configuration file. To use static routes on the Security Appliance, you must create a routing table and place it on an HTTP server accessible to the Security Appliance. The routing table is a simple text file that contains a list of IP addresses, subnet masks, and gateways. When you download a routing table, the table is stored in the device until it is replaced by downloading a new table. A sample routing table is illustrated below:
10.63.0.0    255.255.0.0    10.63.158.213
10.64.0.0    255.255.0.0    10.63.158.213
10.65.0.0    255.255.0.0    10.63.158.226

When a routing table is loaded, all requested addresses are compared to the list, and routed based on the best match. Once the routing table is created, place it on an HTTP server so it can be downloaded to the device. To download the routing table to the Security Appliance, use the load command.
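As an added illustration (not code from the Blue Coat manual), the following Python parses a routing table in the three-column "destination mask gateway" format shown above and resolves a destination address to its gateway. The manual says only that addresses are routed on the "best match"; this example assumes that means longest-prefix match, and it rejects malformed entries (wrong field count, or a destination whose host bits are set) before they reach the device.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed sample in the manual's "destination mask gateway" format. The last
# route is a more specific /24 inside 10.65.0.0/16 to exercise best-match selection.
SAMPLE_ROUTES = """\
10.63.0.0   255.255.0.0     10.63.158.213
10.64.0.0   255.255.0.0     10.63.158.213
10.65.0.0   255.255.0.0     10.63.158.226
10.65.4.0   255.255.255.0   10.63.158.240
"""

Route = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Address]


def parse_routes(text: str) -> List[Route]:
    """Parse routing-table text into (network, gateway) pairs.

    Each non-blank line must have exactly three whitespace-separated fields.
    The destination/mask pair is checked with strict=True so that an entry whose
    host bits are set (e.g. 10.63.0.1 255.255.0.0) is rejected rather than
    silently widened to the containing network.
    """
    routes: List[Route] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 3:
            raise ValueError(
                f"line {lineno}: expected 'destination mask gateway', got {raw!r}"
            )
        dest, mask, gw = fields
        try:
            network = ipaddress.IPv4Network((dest, mask), strict=True)
            gateway = ipaddress.IPv4Address(gw)
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {exc}") from None
        routes.append((network, gateway))
    return routes


def lookup(routes: List[Route], address: str) -> Optional[str]:
    """Return the gateway for address by longest-prefix (best) match, or None.

    The longest-prefix interpretation of the manual's "best match" is an
    assumption of this example.
    """
    addr = ipaddress.IPv4Address(address)
    best: Optional[Route] = None
    for network, gateway in routes:
        if addr in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, gateway)
    return None if best is None else str(best[1])


if __name__ == "__main__":
    table = parse_routes(SAMPLE_ROUTES)
    for dst in ("10.63.1.1", "10.65.4.7", "10.65.9.1", "192.168.1.1"):
        print(dst, "->", lookup(table, dst))
```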


Syntax
static-routes {no path | path url}

where:
static-routes: Specifies the location of the static route table.
  no path
      Clears the network path location of the static route table.
  path url
      Sets the network path location of the static route table to url.

Example
SGOS#(config) static-routes path 10.25.36.47/files/routes.txt
  ok

#(config)streaming
Use this command to configure general streaming settings and Microsoft Windows Media or RealNetworks Real Media settings.

Syntax
option 1: streaming max-client-bandwidth kbps
option 2: streaming max-gateway-bandwidth kbps
option 3: streaming no max-client-bandwidth
option 4: streaming no max-gateway-bandwidth
option 5: streaming windows-media license pak_string
option 6: streaming windows-media logging enable
option 7: streaming windows-media logging disable
option 8: streaming windows-media log-forwarding enable
option 9: streaming windows-media log-forwarding disable
option 10: streaming windows-media max-connections number
option 11: streaming windows-media max-client-bandwidth kbps
option 12: streaming windows-media max-gateway-bandwidth kbps
option 13: streaming windows-media transparent-port disable
option 14: streaming windows-media transparent-port enable
option 15: streaming windows-media explicit-port port_number
option 16: streaming windows-media refresh-interval hours
option 17: streaming windows-media http-handoff disable
option 18: streaming windows-media http-handoff enable
option 19: streaming windows-media live-retransmit disable
option 20: streaming windows-media live-retransmit enable


option 21: streaming windows-media multicast address-range first_address-last_address
option 22: streaming windows-media multicast port-range first_port-last_port
option 23: streaming windows-media multicast ttl ttl
option 24: streaming windows-media proxy-route number in_proto in_addr gw_proto gw_addr
option 25: streaming windows-media asx-rewrite number in_addr cache_proto cache_addr
option 26: streaming windows-media multicast-alias alias url
option 27: streaming windows-media unicast-alias alias url
option 28: streaming windows-media broadcast-alias alias url loops date time
option 29: streaming windows-media multicast-station name [alias | url] ip port ttl
option 30: streaming windows-media server-auth-type {basic | ntlm} ip_address
option 31: streaming windows-media no max-connections
option 32: streaming windows-media no max-client-bandwidth
option 33: streaming windows-media no max-gateway-bandwidth
option 34: streaming windows-media no refresh-interval
option 35: streaming windows-media no proxy-route number
option 36: streaming windows-media no asx-rewrite number
option 37: streaming windows-media no multicast-alias alias
option 38: streaming windows-media no unicast-alias alias
option 39: streaming windows-media no broadcast-alias alias
option 40: streaming windows-media no multicast-station name
option 41: streaming windows-media no auth-type cache_ip_address
option 42: streaming real-media max-connections number
option 43: streaming real-media max-gateway-bandwidth kbps
option 44: streaming real-media max-client-bandwidth kbps
option 45: streaming real-media rtsp-port port
option 46: streaming real-media pna-port port
option 47: streaming real-media license pak_string
option 48: streaming real-media proxy-route number rule parent_address rtsp-port port pna-port port mei-port port
option 49: streaming real-media path path
option 50: streaming real-media cache max-object-size kbps
option 51: streaming real-media logging disable
option 52: streaming real-media logging enable
option 53: streaming real-media logging stats-mask mask
option 54: streaming real-media logging style


option 55: streaming real-media multicast accept {number | subnet}
option 56: streaming real-media multicast address-range first_address-last_address
option 57: streaming real-media multicast disable
option 58: streaming real-media multicast enable
option 59: streaming real-media multicast pna-port port
option 60: streaming real-media multicast rtsp-port port
option 61: streaming real-media multicast ttl number
option 62: streaming real-media multicast delivery-only enable
option 63: streaming real-media multicast delivery-only disable
option 64: streaming real-media pull-splitting udp
option 65: streaming real-media pull-splitting tcp
option 66: streaming real-media no max-connections
option 67: streaming real-media no max-gateway-bandwidth
option 68: streaming real-media no max-client-bandwidth
option 69: streaming real-media no license
option 70: streaming real-media no proxy-route
option 71: streaming real-media no path
option 72: streaming real-media no multicast
where:
streaming: Configures Microsoft Windows Media or Real Networks streaming media settings.
  max-client-bandwidth kbps
      Sets the maximum client bandwidth permitted to kbps.
  max-gateway-bandwidth kbps
      Sets the maximum gateway bandwidth permitted to kbps.
  no max-client-bandwidth
      Clears the current maximum client bandwidth setting.
  no max-gateway-bandwidth
      Clears the current maximum gateway bandwidth setting.

streaming windows-media: Configures Microsoft Windows Media-specific streaming options.
  license pak_string
      Enters the product authorization key for Blue Coat support for Windows Media.
  logging {enable | disable}
      Enables the Security Appliance to record Windows Media proxy activities in the machine's access log. The default is enabled. You must also enable the access-log command. See the access-log command for more information.
  log-forwarding {enable | disable}
      Enables forwarding of the client log to the origin media server.


  max-connections number
      Limits the concurrent number of client connections. If this variable is set to 0, you effectively lock out all client connections to the Security Appliance. To allow maximum client bandwidth, enter streaming windows-media no max-connections.
  max-client-bandwidth kbps
      Sets the maximum client bandwidth permitted to kbps.
  max-gateway-bandwidth kbps
      Sets the maximum limit, in kilobits per second (Kbps), for the amount of bandwidth Windows Media uses to send requests to its gateway. If this variable is set to 0, you effectively prevent the Security Appliance from initiating any connections to the gateway. To allow maximum gateway bandwidth, enter streaming windows-media no max-gateway-bandwidth.
  transparent-port {enable | disable}
      Enables the transparent proxy on port 1755. The default is enable.
  explicit-port port_number
      Allows the Windows Media proxy to listen for Windows Media traffic on the port specified. A port number of 0 deletes the explicit-port setting.
  refresh-interval hours
      Checks the refresh interval for cached streaming content. hours must be a floating point number to specify the refresh interval. 0 means always check for freshness.
  http-handoff {enable | disable}
      Allows the Windows Media module to control the HTTP port when Windows Media streaming content is present. The default is enabled.
  live-retransmit {enable | disable}
      Allows the Security Appliance to retransmit dropped packets sent through MMS-UDP for unicast. The default is enabled.
  multicast address-range first_address-last_address
      The IP address range for the Security Appliance's multicast-station. The default is 224.2.128.0 to 224.2.255.255.
  multicast port-range first_port-last_port
      Port range for the Security Appliance's multicast-station. The default is 32768 to 65535.
  multicast ttl ttl
      Time to live value for the multicast-station on the Security Appliance, expressed in hops. Default is 5; a valid number is between 1 and 255.


  proxy-route number in_proto in_addr gw_proto gw_addr [gw_port]
      Replaces the hostname/IP address on the URL with a new hostname/IP address. number is any positive number. It defines the priority of all the proxy-route rules. Smaller numbers indicate higher priority. in_proto is the protocol being used: mmsu (MMS-UDP), mmst (MMS-TCP), http (HTTP), mms (MMS-UDP or MMS-TCP), and * (follow client's protocol). in_addr is the hostname string with no more than one wildcard character. gw_proto is the protocol used at the gateway and gw_addr is the gateway address. Direct indicates the origin content server.
  asx-rewrite number in_addr cache_proto cache_addr [cache_port]
      Provides proxy support for Windows Player 6.4. If your environment does not use a Layer 4 switch or WCCP, the Security Appliance can operate as a proxy for Windows Media Player 6.4 clients by rewriting the .asx file (which links web pages to Windows Media ASF files) to point to the Windows Media streaming media cache rather than the Windows Media server. number can be any positive number. It defines the priority of all the asx-rewrite rules. Smaller numbers indicate higher priority. in_addr specifies the hostname. It can have a maximum of one wildcard character. cache_proto rewrites the protocol on the Security Appliance and can take any of the following forms: mmsu (MMS-UDP), mmst (MMS-TCP), http (HTTP), mms (MMS-UDP or MMS-TCP). cache_addr rewrites the address on the Security Appliance.
  multicast-alias alias url [preload]
      Creates an alias on the Security Appliance that reflects the multicast station on the origin content server.


  unicast-alias alias url
      Creates an alias on the Security Appliance that reflects the content specified by the URL. When a client requests the alias content, the Security Appliance uses the URL specified in the unicast-alias command to request the content from the origin streaming server.
  broadcast-alias alias url loops date time
      Enables scheduled live unicast or multicast transmission of video-on-demand content. alias must be unique. url specifies the address of the video-on-demand stream. loops specifies the number of times the stream should be played back. 0 means forever. date specifies the broadcast alias starting date. To specify multiple starting dates, enter the date as a comma-separated string. date can take any of the following formats: yyyy-mm-dd, today. time specifies the broadcast-alias starting time. To specify multiple starting times within the same date, enter the time as a comma-separated string. No spaces are permitted. time can take any of the following formats: hh:mm, midnight, 12am, 1am, 2am, 3am, 4am, 5am, 6am, 7am, 8am, 9am, 10am, 11am, noon, 12pm, 1pm, 2pm, 3pm, 4pm, 5pm, 6pm, 7pm, 8pm, 9pm, 10pm, 11pm.
  multicast-station name [alias | url] ip port ttl
      Enables multicast transmission of Windows Media content from the Security Appliance. name specifies the name of the alias. It must be unique. alias can be a unicast alias, a multicast-alias or a broadcast alias, as well as a url to a live stream source. ip is an optional parameter and specifies the multicast station's IP address. port specifies the multicast station's port. ttl specifies the multicast-station's time-to-live value, expressed in hops (and must be a valid number between 1 and 255). The default ttl is 5.


  server-auth-type [basic | ntlm] cache_ip_address
      Sets the authentication type of the Security Appliance indicated by cache_ip_address to BASIC or NTLM.

streaming windows-media no: Negates the indicated Windows Media settings.
  max-connections
      Negates maximum connections settings.
  max-client-bandwidth
      Negates maximum client bandwidth settings.
  max-gateway-bandwidth
      Negates maximum gateway bandwidth settings.
  refresh-interval
      Sets the current Windows Media refresh interval to "never refresh."
  proxy-route number
      Deletes the proxy route rule associated with number.
  asx-rewrite number
      Deletes the ASX rewrite rule associated with number.
  multicast-alias alias
      Deletes the multicast alias rule associated with alias.
  unicast-alias alias
      Deletes the unicast alias rule associated with alias. The name of the alias, such as "welcome1", is created on the Security Appliance and reflects the content specified by the URL. The protocol is specified by the URL if the protocol is mmst, mmsu, or http. If the protocol is mms, the same protocol as the client is used.
  broadcast-alias alias
      Deletes the broadcast alias rule associated with alias.
  multicast-station name
      Deletes the multicast station rule associated with name.
  server-auth-type cache_ip_address
      Clears the authentication type associated with cache_ip_address.

streaming real-media: Configures RealNetworks Real Media-specific streaming options.
  max-connections number
      Limits the concurrent number of client connections. Changing the setting to no max-connections uses the maximum available bandwidth. Zero (0) is not an accepted value.
  max-gateway-bandwidth kbps
      Limits the total bandwidth used between the proxy and the gateway. Changing the setting to no max-gateway-bandwidth uses the maximum available bandwidth. Zero (0) is not an accepted value.

134

Chapter 3: Privileged Mode Configure Commands

max-client-bandwidth kbps
  Limits the total bandwidth used by all connected clients. Changing the setting to no max-client-bandwidth uses the maximum available bandwidth. Zero (0) is not an accepted value.

rtsp-port port
  Specifies the RTSP port that a RealPlayer client will connect through when using the proxy. The default is 1091. Restart is required if you change this setting.

pna-port port
  Specifies the PNA port that a RealPlayer client will connect through when using the proxy. The default is 1090. Restart is required if you change this setting.

license pak_string
  Enters the product authorization key (PAK) for Blue Coat support for RealMedia.

proxy-route {* | number number | rule rule | parent-address parent_address | rtsp-port port | pna-port port | mei-port port}
  Creates and applies rules for directing client traffic. Restart is required if you change this setting.
  rule specifies the name of the rule.
  parent-address specifies the IP address of the host.
  rtsp-port specifies the RTSP port to connect to for streaming. The default is 1091.
  pna-port specifies the PNA port to use for streaming. The default is 1090.
  mei-port specifies the media export interface port to connect to for streaming. The default is 7878.

path path
  Indicates where a configuration file is located (either FTP or HTTP). After you have set up the file and told the system where it is, you must use the upload command to upload the configuration file.

cache max-object-size kbps
  Sets the maximum size of the streaming object to cache.

logging {disable | enable | stats-mask mask | style}
  Enables access logging for RealMedia streaming.
  disable disables logging.
  enable enables logging.
  stats-mask controls which statistics are recorded in log entries. The default value is 0. Refer to the chapter on RealMedia streaming in the Blue Coat Configuration and Management Guide for information about logging statistics. Restart is required if you change the stats-mask option.
  style controls which fields appear in the cache access log for each RealMedia event record. The default value is 3. Refer to the chapter on RealMedia streaming in the Blue Coat Configuration and Management Guide for information about logging style.

multicast {accept {number | subnet} | address-range first_address last_address | disable | enable | pna-port port | rtsp-port port | ttl number | delivery-only {enable | disable}}
  Enables multicast support for RealMedia streaming.
  accept limits the use of multicast to clients on specific subnets. The default is "any". (If you use "any," everyone has access.)
  address-range must be between 224.0.0.255 and 239.255.255.255.
  pna-port specifies the PNA port that a client will connect through when using the proxy. The default is 7070.
  rtsp-port specifies the RTSP port that a client will connect through when using the proxy. The default is 554.
  ttl indicates the number of router hops allowed. The default is 16. The maximum is 255.
  delivery-only limits clients to those who are set up for multicast. The default is disabled.
  Restart is required if you change any option except disable or accept.

pull-splitting {udp | tcp}
  Indicates the protocol to use for pull splitting. UDP is the default.

no {max-connections | max-gateway-bandwidth | max-client-bandwidth | license | proxy-route | path | multicast}
  Negates the specified Real Networks settings.

Example


SGOS#(config) streaming windows-media broadcast-alias ba1 mms://10.25.36.47/cthd.asf 1 today 14:00
SGOS#(config) streaming windows-media explicit-port 1756
SGOS#(config) streaming windows-media http-handoff enable
SGOS#(config) streaming windows-media license 1WWDTFMY-7W5C7AMY-7Q26YW
SGOS#(config) streaming windows-media live-retransmit disable
SGOS#(config) streaming windows-media log-forwarding disable
SGOS#(config) streaming windows-media max-connections 1600
SGOS#(config) streaming windows-media no max-connections
SGOS#(config) streaming windows-media proxy-route 900 mmst *.bluecoat.com mmst direct
SGOS#(config) streaming windows-media no proxy-route 900
SGOS#(config) streaming windows-media unicast-alias welcome1 mmst://10.9.33.54/welcom1.asf
SGOS#(config) streaming windows-media no unicast-alias welcome1
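As an added example, not code from the Blue Coat reference, the following Python checks the argument formats the tables above state for the windows-media broadcast-alias date and time lists and for the RealMedia multicast address-range and ttl values, so a scripted configuration push is rejected locally before it reaches the appliance. The function names are my own, and "today" is resolved to an explicit yyyy-mm-dd date rather than passed through.

```python
# Added example, not Blue Coat code: offline checks for the argument formats this
# reference states, so a scripted command is rejected before it is sent over Telnet.
import ipaddress
import re
from datetime import date

NAMED_TIMES = {"midnight": "00:00", "noon": "12:00"}  # named clock times -> 24-hour hh:mm
NAMED_TIMES.update({f"{h}am": f"{h % 12:02d}:00" for h in range(1, 13)})       # 12am -> 00:00
NAMED_TIMES.update({f"{h}pm": f"{h % 12 + 12:02d}:00" for h in range(1, 13)})  # 12pm -> 12:00

def normalize_times(spec):
    """Comma-separated time list, no spaces; returns hh:mm strings or raises."""
    if " " in spec:
        raise ValueError("spaces are not permitted in the time list")
    out = []
    for tok in spec.split(","):
        if tok in NAMED_TIMES:
            out.append(NAMED_TIMES[tok])
        elif re.fullmatch(r"([01]\d|2[0-3]):[0-5]\d", tok):
            out.append(tok)
        else:
            raise ValueError(f"unrecognized time {tok!r}")
    return out

def normalize_dates(spec, today=None):
    """Comma-separated list of yyyy-mm-dd or 'today'; returns ISO date strings."""
    today = today or date.today().isoformat()
    out = []
    for tok in spec.split(","):
        if tok == "today":
            out.append(today)
        elif re.fullmatch(r"\d{4}-\d{2}-\d{2}", tok):
            y, m, d = (int(p) for p in tok.split("-"))
            out.append(date(y, m, d).isoformat())  # date() rejects e.g. 2003-02-30
        else:
            raise ValueError(f"unrecognized date {tok!r}")
    return out

def broadcast_alias_cmd(alias, url, loops, dates, times, today=None):
    """Build the CLI line; loops 0 means play forever, so negatives are invalid."""
    if loops < 0:
        raise ValueError("loops must be 0 (forever) or a positive count")
    return (f"streaming windows-media broadcast-alias {alias} {url} {loops} "
            f"{','.join(normalize_dates(dates, today))} {','.join(normalize_times(times))}")

def real_multicast_ok(first, last, ttl):
    """RealMedia multicast: range inside 224.0.0.255-239.255.255.255, ttl 1-255."""
    a, b = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    return (ipaddress.IPv4Address("224.0.0.255") <= a <= b
            <= ipaddress.IPv4Address("239.255.255.255") and 1 <= int(ttl) <= 255)
```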

#(config)system-resource-percent
Use this command to configure system resource allocation.

Syntax
system-resource-percent

Example
SGOS(config) system-resource-percent
Please choose from the following percentages: 0, 25, 50, 75, 95
Windows Media [50%]:25
HTTP: 75%
This change will be effective following system reboot

#(config)tcp-rtt
Use this command to configure the number of TCP round trip time ticks.

Syntax
tcp-rtt num_500ms_ticks

where:
  tcp-rtt            Configures the number of TCP round trip time ticks.
  num_500ms_ticks    Indicates the default TCP Round Trip Time in ticks.

Example


SGOS#(config) tcp-rtt 500
ok

#(config)telnet
Enables or disables the ability to configure SSHD through Telnet.

Syntax
telnet {allow-sshd-config | deny-sshd-config}

where:
  telnet               Specifies the status of SSH configuration through Telnet.
  allow-sshd-config    Enables configuring of SSHD through Telnet.
  deny-sshd-config     Disables configuring of SSHD through Telnet.

Example
SGOS#(config) telnet allow-sshd-config
ok

#(config)timezone
Use this command to set the local time zone on the Security Appliance.

Syntax
timezone timezone_num

where:
  timezone        Sets the timezone to use for all time-related procedures and calculations.
  timezone_num    Enables you to set the local time zone. (Use show timezones to display a list of supported timezones.)

Example
SGOS#(config) timezone 3
ok

#(config)upgrade-path
Use this command to specify the network path to download system software.

Syntax
upgrade-path url


where:
  upgrade-path    Specifies the location of the Security Appliance upgrades.
  url             Indicates the network path to use to download Security Appliance system software.

Example
SGOS#(config) upgrade-path 10.25.36.47
ok

#(config)virtual-ip
This command allows you to configure virtual IP addresses.

Syntax
virtual-ip {address ip_address | clear | no address ip_address}

where:
  virtual-ip               Sets or clears any virtual IP addresses for the Security Appliance.
  address ip_address       Specifies the virtual IP to add.
  clear                    Removes all virtual IP addresses.
  no address ip_address    Removes the specified virtual IP from the list.

Example
SGOS#(config) virtual-ip address 10.25.36.47
ok

#(config)wccp
The Security Appliance can be configured to participate in a WCCP (Web Cache Control Protocol) scheme, where a WCCP-capable router collaborates with a set of WCCP-configured Security Appliances to service requests. WCCP is a Cisco-developed protocol. For more information about WCCP, refer to the Blue Coat Systems Port 80 Security Appliance Configuration and Management Guide. Once you have created the WCCP configuration file, place the file on an HTTP server so it can be downloaded to the Security Appliance. To download the WCCP configuration to the Security Appliance, use the load command.

Syntax
wccp {disable | enable | no path | path url}

where:
  wccp        Enables or disables the WCCP configuration file and specifies the location of the configuration file.
  disable     Disables WCCP.
  enable      Enables WCCP.
  no path     Negates certain WCCP settings.
  path url    Specifies the network path from which to download WCCP settings.

Example
SGOS#(config) wccp path 10.25.36.47/files/wccp.txt
ok

#(config)web-management
Use this command to enable or disable the Web-based Management Console. When web-management is disabled, you can still access the Security Appliance homepage and online documentation. Only the management and statistics applications are disabled.

Syntax
web-management {disable | enable}

where:
  web-management    Enables or disables the Management Console.
  disable           Disables the Management Console.
  enable            Enables the Management Console.
