CLI on MHO and SMO Plus Downlink VLANs
Time
3 hours 53 minutes
Difficulty
Beginner
Video Transcription
00:01
Hello and
00:02
welcome back to
00:04
Check Point Jumpstart Maestro training.
00:07
I'd like to go over
00:09
some more useful command line utilities
00:12
and config files.
00:15
First,
00:16
there are six
00:18
security gateway modules attached to this orchestrator,
00:24
and
00:25
for the unattached or unassigned gateways,
00:28
you can see the serial numbers of those gateways,
00:33
and of those that are already in a security group.
00:36
You just have to mouse over and see them.
00:40
Uh,
00:41
you really can't
00:43
copy
00:45
these
00:46
serial numbers. It's
00:49
just not very convenient.
00:51
So if you log in to the, uh, orchestrator,
00:56
recall that there's a command that,
01:00
uh, uses the Link Layer Discovery Protocol,
01:03
LLDP:
01:06
lldpctl,
01:07
and
01:08
it spits out a bunch of
01:10
output.
01:11
You can
01:15
grep out,
01:17
pull out,
01:19
just a
01:23
specific string. And I should probably put the command there.
01:30
And that
01:30
will display the list of known
01:34
security gateway modules that this orchestrator has received
01:41
Link Layer Discovery Protocol frames from.
01:46
So this is handy because you can copy and paste
01:51
from this as you need to.
01:53
So the two unassigned security gateway modules, ending in 553 and 551,
02:04
I can see them here; they're the first two listed.
02:09
So I want to demonstrate some clish commands.
02:20
First, I need to get the lock.
02:30
So, um,
02:30
you can
02:32
manage security groups through the web user interface. But sometimes it's just
02:38
easier to do some operations via the
02:44
command line
02:45
and scripting. For instance,
02:47
invoking clish in a script
02:51
can
02:52
speed up repetitive tasks. That's just one way to handle repetitive tasks.
02:58
So from clish,
03:00
you want to create a new security group.
03:08
Typed the command incorrectly,
03:19
and I have to know that...
03:21
I mean, I could show,
03:23
uh, the
03:24
security groups that exist, and see which IDs are currently
03:30
in use as a security group,
03:32
and the IDs correspond here: Security Group 1, Security Group 2.
03:38
Those numbers
03:39
correspond to the ID.
03:42
So I'll just pick three,
03:46
and I can
03:50
add
03:53
appliances
03:53
to the security group.
04:00
add maestro
04:01
security group
04:04
and...
04:11
And
04:12
since I'm...
04:14
this
04:15
demo environment is actually a dual-site
04:18
setup. Ah, I have to provide the site ID parameter.
04:30
I copied the appliance serial number above,
04:33
pasted it here.
04:35
So that's very handy, to be able to get the appliance serial numbers
04:41
via the
04:43
lldpctl command.
04:50
I can add interfaces.
04:59
So, uh, by the way, I should show this: if I want to delete an appliance from a security group,
05:15
I either specify the appliance by its member number
05:19
in the security group
05:21
or by the appliance serial number.
05:31
And
05:33
started... well,
05:45
typed the command incorrectly.
05:54
I will type the command correctly.
05:56
Assigned it to security group three.
06:00
But I'm fickle. I actually wanted it in that security group.
06:04
So
06:06
it's back.
06:09
I have created a new
06:11
security group, ID three. I added an appliance to that security group,
06:15
and now I want to add some interfaces to the security group.
06:55
A couple more.
07:15
So I've created the security group. I've added an appliance. I've added interfaces to the security group.
07:21
Next, I might want to, ah, run the... configure the First Time Wizard.
07:30
By the way,
07:30
to delete the interface, the command is
07:34
delete.
07:53
So delete maestro security group,
07:55
ID,
07:56
member of the security group,
07:58
interface, and name of interface. And very helpfully, clish
08:03
will tab-complete
08:05
possible
08:05
interfaces for you.
08:15
Earlier, I showed you that you can get the appliance serial numbers from the lldpctl command,
08:24
and I did that because I wanted to show you
08:26
that command and how to pull the appliance serial numbers out of it. But
08:31
if I want to add
08:35
another appliance
08:37
to the security group,
08:39
there's actually an easier way:
09:05
it'll tab-complete
09:07
the serial,
09:09
and note the serial here is more than what I copied.
09:13
Doesn't matter.
09:18
So I've added that appliance to the security group without having to
09:24
go into expert mode and run the
09:28
lldpctl command, piping it through grep.
09:33
So I want to configure the information for the First Time Wizard.
10:13
And now you know the super secret password,
10:26
and
10:28
this one can be either... yes, and I'll say no.
10:37
So now I'm going to, uh,
10:39
actually create the security group,
10:54
and there's, ah, an option
10:58
that I could specify telling it: don't confirm.
11:18
So, like in the web user interface, it takes a bit
11:22
to verify the security group configuration,
11:24
which it can then push out to the security gateway modules,
11:28
and, ah,
11:31
now the security gateway modules will be restarting.
11:35
And in the web user interface,
11:39
I refresh;
11:41
Security Group 3 is now displayed.
12:03
If I decide that
12:05
I don't want to create the security group, I can throw away
12:09
the configuration that I have been working on.
12:11
Uh,
12:13
and off it goes.
12:20
There wasn't any
12:22
unapplied configuration, so nothing was actually thrown away there.
12:39
You can also see the details of the security group in clish
12:43
and in
12:45
expert mode.
12:46
This data is in a config file which we'll look at.
12:50
In clish:
12:52
show maestro security group ID,
12:54
and then
12:56
the number of the security group,
12:58
dumps the information about the security group.
13:05
So the
13:09
orchestrator has several ports. Depending on the model of orchestrator, it may have different types of ports.
13:18
You can
13:18
see
13:20
information about
13:22
ports on the orchestrator.
13:46
I want to see what type of port it is.
13:52
So
13:52
this port is currently defined as a management port,
13:56
and we'll pick a different port.
14:01
This port should be an uplink port.
14:05
Yes,
14:07
unless it has been changed.
14:09
And then something near the right side,
14:11
1 70,
14:16
should be a downlink.
14:20
Now you can
14:22
change the type of port,
14:41
and so I could make it a management port or a sync port
14:48
or an uplink port.
14:50
Ah,
14:50
I'm not gonna make a change;
14:54
that command is available.
15:00
You can also set the port administratively down. You can configure the
15:05
maximum transmission unit, MTU, of that port.
15:09
You can configure the speed,
15:15
and there's
15:15
also, ah, a no-confirmation option at the end that you can use to not have to go through the confirmation
15:24
dialogue.
15:28
Next,
15:28
I'm gonna switch.
15:31
Actually, I'm not going to switch yet. I had one more thing I wanted to show you in expert mode,
15:48
as there are two config files here of interest.
15:54
This config file describes
15:58
the, uh,
16:00
orchestrator, so, like,
16:03
backplane service networks that are used for the various communications,
16:11
VLANs that have been defined, and so on.
16:14
So, like, the chassis internal network here defines the IP address ranges for that.
16:25
Yeah, the sync network, and so on,
16:30
of varying
16:32
degrees of
16:33
interest.
16:37
The other command... or the other config file,
16:42
I...
16:44
that shows the configuration of security groups on the orchestrator. It lists all of the security groups
16:52
this orchestrator knows about.
16:53
You can also find this file in the single management object,
16:57
and there it has the security groups,
17:02
security group information for that single
17:04
management object,
17:07
that shows the
17:10
name of the security group,
17:12
the, uh,
17:15
VSX state,
17:17
what uplinks are assigned to it.
17:21
Security Group 2, Security Group 3.
17:26
There's, um,
17:29
not a whole lot that's interesting in clish on a single management object, except
17:34
the fact that it's actually, by default,
17:37
global clish.
17:40
And so setting changes that you make here in the global clish will be synchronized out
17:45
to the other
17:48
security group members.
17:51
And so, if you have 20
17:53
security gateway modules
17:56
that, uh,
17:57
you need to make a change on,
18:00
connect to one of them. Usually the single management object
18:07
is the first security gateway module in the list, and
18:11
then, using the global clish, you make your change
18:15
and you don't have to do it
18:17
20 times, and that's
18:21
a big convenience.
18:23
In expert mode,
18:26
I want to show just a few commands.
18:36
So asg policy.
18:40
This is useful, for instance, to do the
18:45
Scalable Platform equivalent of fw unloadlocal. fw unloadlocal, of course, unloads the firewall policy
18:53
and essentially turns the firewall host into a
19:00
router that is unplugged.
19:02
Packets do not pass.
19:06
So here
19:07
the equivalent
19:07
is
19:08
asg policy unload,
19:12
and there's an option in, ah, non-Scalable Platform
19:18
Gaia.
19:18
In expert mode,
19:21
you can
19:22
write
19:22
a value of one to a magic
19:26
device file,
19:29
/proc
19:30
/sys
19:33
/net/ip_forward,
19:36
and
19:37
do that
19:40
and
19:41
fw unload
19:41
local, so your firewall policy will be removed,
19:45
but then the Linux routing will be enabled.
19:48
So that essentially turns your security gateway host into
19:53
a router
19:55
that is plugged in.
19:56
The equivalent in the Scalable Platform is...
20:03
so
20:06
add the minus ip_
20:11
forward
20:14
option,
20:21
except with two minuses.
20:29
So, um,
20:32
pretty dire warning, and I'm not going to have it actually do that.
20:37
When you install policy,
20:41
the management server connects to the single management object
20:45
and
20:48
installs policy to the single management object. The single management object
20:52
then
20:55
copies the new policy,
20:57
the files involved in the new policy, to the other security gateway modules in the group,
21:03
and then they independently install the new policy,
21:08
essentially at their convenience.
21:12
They do it quickly, but
21:15
it won't be instantaneous,
21:18
and
21:21
that holds true for access control policy and threat prevention policy.
21:26
Threat prevention policy, at least starting with R80.
21:30
10, with threat prevention policy
21:33
in R80
21:34
versions of the firewall product,
21:37
the threat prevention policy is also
21:42
pushed out as part of a policy install.
21:45
It will be
21:48
copied from the single management object to the other security gateway modules
21:53
in the security group, and they will install the threat prevention policy,
21:59
essentially at their convenience.
22:06
You can see
22:14
the latest
22:15
access control,
22:30
access control file
22:32
or policy that was installed.
22:34
It is at $FWDIR, which is an environment variable that expands
22:45
into /opt/CPsuite-R80.20/fw1. This is Linux. Linux is case sensitive, so you have to type the capital C, the capital P, the capital R,
22:57
and everything else lower case.
23:07
To see the contents of this
23:10
gzipped tar file,
23:15
this is the magic incantation: tar space minus
23:18
tzv,
23:21
tzf,
23:23
tzvf; it doesn't matter. The -t option
23:29
lists the files in this gzipped tar file.
23:33
The -v option does verbosity, mostly. The -z option says
23:38
you're looking at a gzipped tar file instead of, ah, a non-gzipped tar file. And then the -f option
23:45
indicates what file you want to read.
23:51
And
23:52
there it is. We have another
23:55
gzipped tar file that actually has the policy,
23:57
and then we have an MD5 checksum of that file.
24:04
Perhaps you have a
24:07
security gateway module
24:10
that is having a problem with
24:12
properly getting the policy, for whatever reason.
24:18
In expert mode,
24:21
there is a
24:22
useful command.
24:33
This command has many options.
24:41
One option, for instance,
24:44
uh,
24:45
allows you to reset SIC
24:48
globally, which is
24:48
very handy.
24:49
Uh, if you need to reset SIC on X number of security gateway modules,
24:56
um,
24:56
that can be a bit of a process.
25:07
You can use the asg_blade_config command to pull
25:14
config,
25:15
and specify the type of config,
25:19
from another security gateway module.
25:26
So once you do that,
25:29
good. Uh,
25:30
run cpstop, cpstart.
25:33
Oh, and if necessary,
25:34
run clusterXL_admin up
25:37
to get
25:38
clustering
25:41
back out of a problem state, if it is in one.
25:48
Another
25:48
command line command that is useful:
25:51
the
25:53
g_update_conf_file
25:56
command.
26:00
So this command, it wants a config file to
26:04
edit, or to
26:07
add an entry into,
26:10
and you also have to provide a
26:12
variable, or key equals value pair.
26:22
So I don't wanna risk accidentally messing up
26:26
a, uh,
26:27
critical config file. So I'll just use
26:32
a non-critical config file.
26:37
And there's another top secret password for you.
26:41
It always displays as asterisks for me. Anyway, the, uh,
26:48
g_update_conf_file command will
26:52
propagate this out.
27:03
There's that test.conf file.
27:07
I assure you, it did not exist before.
27:11
Let me...
27:27
It was created by this,
27:32
uh, utility.
27:47
And
27:48
there's the config file entry that was added.
27:51
So, uh,
27:53
you should have a very good reason to be editing config files.
27:57
Now, you're probably following, ah, an SK article or something like that,
28:03
but, um, this provides a convenient way to make
28:07
the same change to that config file on all of the security gateway modules
28:11
in the security group.
28:18
Going back to clish,
28:21
global clish.
28:27
So, uh,
28:29
this set smo image command
28:33
allows you to
28:36
enable auto-clone mode.
28:45
Actually, before I set it, I want to show it.
28:56
So
28:56
auto-clone is currently turned off, but what auto-clone does is
29:03
it will clone
29:06
the
29:07
image of the single management object host
29:12
onto
29:14
another
29:15
security gateway module in the security group
29:19
if needed.
29:21
So
29:22
the
29:25
module,
29:26
or, so, the security gateway module will determine if it needs to be cloned
29:33
through MD5 checksums. So the, uh,
29:37
single management object host will generate an MD5 checksum of its
29:41
configuration
29:44
and propagate that out to all of the other security gateway modules. And if they have a different MD5 checksum, they can pull
29:52
the configuration over,
29:55
and
29:56
this again could be very handy. For instance, if you have
30:00
an appliance that
30:02
fails and you get an RMA replacement,
30:07
the new appliance is going to start off without the configuration. So,
30:12
uh,
30:14
image cloning would be one way to get it
30:18
up to speed.
30:21
Or if you add a new security gateway module to your security group,
30:26
this can provide a way to get that
30:29
to the same configuration as everyone else. Now, that should happen automatically. In some cases, it doesn't,
30:34
and so image cloning could be useful,
30:41
and image cloning can also copy over hotfixes
30:48
and jumbo hotfixes, which could be very convenient.
30:57
Next,
30:59
I would like to go over this graphic that I'd already shown in an earlier
31:04
module, but
31:07
I just wanted to cover it a little bit more.
31:11
Downlink interfaces
31:14
between the orchestrator and the security gateway module
31:18
use several different VLANs to separate different types of traffic.
31:25
For instance, if
31:26
we have, say, two uplink interfaces
31:32
that have been assigned to this security group, traffic
31:36
to and from
31:37
each
31:38
uplink interface
31:41
will be sent from the orchestrator to the security gateway module
31:45
through
31:47
the downlink connection, and it will be tagged with a VLAN number of 1023 plus the
31:56
port number on the orchestrator
31:59
that
32:00
received the traffic.
32:06
And so, if you
32:09
have
32:12
a management interface and a couple of uplink interfaces (management interfaces are sort of like uplink interfaces),
32:20
then traffic coming into the management interface,
32:24
the
32:25
eth1-
32:27
Mgmt1,
32:29
will be
32:30
VLAN 1023 plus the number of the interface. That's one. So it'll be VLAN
32:35
1024.
32:37
If you have an uplink port of eth1-05, it will be
32:42
1023 plus 5, or 1028.
32:46
VLAN
32:47
1029
32:50
would be
32:52
eth1-06.
32:55
So
32:58
the different VLANs are used to separate
33:00
the uplink
33:04
traffic to and from.
33:07
And then I already sort of discussed the other VLANs.
33:12
There's, ah, a VLAN
33:14
that handles correction layer traffic, and
33:17
correction layer, again, is
33:21
there to
33:22
make sure that NATed packets
33:25
are always processed by the right security gateway module.
33:30
So when
33:31
a new connection arrives
33:34
on the orchestrator,
33:36
it'll use its distribution mode algorithm to determine
33:40
which
33:42
security gateway module in that security group
33:45
should handle
33:45
this connection, the traffic for this connection, and
33:51
the
33:52
uh,
33:53
distribution algorithm
33:55
works in both directions.
33:58
So outgoing traffic from this source to that destination, and then the return traffic from
34:04
that destination to this source,
34:07
will always be sent to the same
34:10
security gateway module. Again, technically, it's being sent to a particular downlink port on the orchestrator.
34:17
You only have one security gateway
34:20
module plugged into that downlink port, so implicitly that selects
34:24
the security gateway
34:27
module.
34:30
So once we have determined the downlink port, and the security gateway module attached to that
34:37
should be
34:38
handling the traffic for this connection
34:42
in both directions,
34:44
that security gateway module will be active for that connection, and it will then determine another security gateway module in the security group
34:52
that should be backup, and it will start synchronizing the state of the connection to the backup.
35:00
However, if NAT policy is in use,
35:04
then
35:06
perhaps the source IP address
35:08
and/or the destination IP address, and even perhaps layer 4 ports,
35:15
may be changed
35:16
as part of the NAT policy. So
35:21
we have
35:22
packets going out with a different source or destination IP address, or perhaps a different source port,
35:30
than
35:31
the original packets that came in.
35:35
And so when the return traffic, the return NATed traffic, arrives on the orchestrator,
35:40
the
35:42
distribution algorithm
35:44
likely
35:45
determines that a different security gateway module should be handling this traffic,
35:50
because it keys off of, depending on the distribution mode,
35:53
source IP or destination IP or both, or something else. And
35:59
by default, it also looks at the layer 4 source port or destination port or both.
36:06
So
36:07
correction layer exists
36:09
to allow
36:13
the security gateway module which is handling the NATed traffic to forward that traffic
36:19
through this
36:20
correction layer VLAN to the security gateway
36:23
module that is handling the original traffic,
36:27
because
36:28
it has the state table entries. So
36:31
we have the same security gateway module handling
36:35
both the original and the NATed
36:37
traffic,
36:39
so it can, for instance, reverse the NAT for return traffic.
36:45
And then the synchronization
36:47
VLAN, that is useful for synchronizing configuration changes.
36:55
Then there's the chassis internal network, which
36:59
carries information between the orchestrator and the security gateway modules attached to it.
37:07
So I hope this review of the
37:14
command line commands that might be useful, and of the, uh,
37:19
downlink VLANs,
37:22
has been useful. Thank you very much for attending.