Command Line Tour
Now I would like to show you some command line utilities, both on the orchestrator and on the single management object, that are helpful in monitoring your Maestro deployment, but also in troubleshooting your Maestro deployment if you're having an issue; it's good to know specifically where the cause of that issue is.

Using the old adage, "when in doubt, reboot it out": on the, uh, orchestrator you can restart the orchestration service, and this will be an outage. It's sort of silent.

Another useful command is this orch_info. This command here is useful for collecting extensive diagnostic information about the orchestrator, sort of like cpinfo, pulling information from multiple sources and writing it to one archive file, a gzipped tar file. Some of this output is the result of the orchestrator service not restarting correctly because of an issue in this demonstration environment. There are a lot of files in there; let's go through it one page at a time. Some long files.

This Python script will provide a list of the interfaces and the status of those interfaces. Are they up? Are they down? Is something plugged into the interface port? I'm running these commands in expert mode, so I have to provide my own pagination by piping it through; I use the less command. This command will show you the status of your orchestrator ports, and it needs to be run on the orchestrator, of course, not on a single management object.
Security gateway modules use the Link Layer Discovery Protocol to inform the orchestrator of their presence and of what, ah, what model of appliance they are, and you can see what the Link Layer Discovery Protocol has discovered with this lldpctl (one word) command.

I also want to point out this config file. This configuration file on the orchestrator contains the configuration of all security groups that have been defined. This same file is found on the single management object and the rest of the security gateways; at that level it only contains information about that security group. And there are only two security groups, well, actually only one security group, that has been defined, so this information is very short. In production there would be many, many more entries.
Next, um, you can move between the orchestrator and single management objects. When you're in a single management object, you can move within the security gateway modules that are in that security group, and the command can be abbreviated: move. So I'm gonna move to the first security group, the first host, which would be by default the host answering the single management object IP address. And it uses secure shell, so you can set up keys to do the authentication, or password authentication works.

Now I am on the single management object of my first and only security group. You can see this same sgdb.json file under /etc. Again, this is a very simple demonstration configuration. If I had defined multiple security groups at the orchestrator level, this file in this security group would only contain information about this security group. To see all of the security groups, you have to look on the orchestrator.
Next, the asg command. This is useful to get information about the security group: which security gateway modules in the group are working, which ones aren't, who's active. So the asg monitor command refreshes by default every five seconds; you can give an interval as a decimal number. Right now the security group, uh, doesn't have a policy installed on it anymore, so it's showing that the policy date never happened, threat policy never happened, and we're in active attention mode. We're supposed to be a cluster, active/inactive, but we don't have a policy. This will run until you exit it; I use Ctrl-C. With the -v option you get a little bit different information.

This next command, asg diag verify, runs several diagnostics on the orchestrator and on the security gateway modules, and it provides a concise summary of the results of each of those diagnostics. You can see that some are failing, just for various reasons, such as I've not yet installed policy. Also, my demo environment is having a bit of trouble, too.
This command is typically followed by the asg diag list command.

Useful for visualizing distribution modes. Distribution modes determine which security gateway modules should handle the traffic for a given connection. The default is general, where both the source and destination IP address and, by default, the Layer 4 ports are also considered. So source IP address and port, destination IP address and port, are all used in the algorithm to determine which security gateway module should handle the traffic for this connection. Another option is user distribution mode, which uses the source port and destination IP, or network distribution, which uses the destination port and source IP. We'll look a little bit more into the distribution modes coming up.

Another useful asg command: this shows you key performance indicators. Um, so note, ah, the load averages are displayed for both the CoreXL cores and SecureXL, or, uh... And this is a very small deployment with no policy, no traffic, so this isn't very interesting, but this command automatically updates and is useful in a production system.

Next, really quickly, I wanted to show the all sorts of tests that can be done. So use asg diag print and the test number, and it will conduct that test. This is just a handy cheat sheet, so you have to remember the numbers. Diag, you know, is very useful for running system diagnostics.
Earlier we talked about distribution modes. They set the algorithm which determines which security gateway modules should handle the traffic for a given connection. It does that by either the source or destination IP address, depending on the mode chosen, and the source or destination port, depending on whether Layer 4 is enabled as part of the decision process. And so the default distribution mode is general, which uses both the source and destination IP addresses and source and destination ports for the decision. User distribution mode uses the destination IP address and source port. The network distribution mode uses the source IP and the destination port. And there's also an auto topology mode, which uses the information from the single management object security gateway object that was created in SmartDashboard or SmartConsole, indicating which interfaces are internal and which interfaces are external; it uses that.

So you can see the current distribution mode, and you need to be in global clish. I was in expert mode; I exited out of that back into global clish. And you can see what the distribution mode is right now, and you can change that. You can show it on a per-interface basis. You can also see the status of the distribution mode.
Earlier we talked a little bit about the correction layer, and again, the job of the correction layer is to handle NATed traffic. The distribution mode algorithm uses source and/or destination IP, source and/or destination port, to decide for this packet which security gateway module should be handling the traffic for this connection. And with NAT you're changing either the source and/or the destination IP address and possibly source and/or destination port, so the distribution mode algorithm will pick the wrong security gateway module. The correction layer exists to forward the traffic handed off to this second security gateway module back to the original security gateway module, which was handling the un-NATed traffic, so it sees all of the traffic, which is necessary with stateful inspection. You can see some correction layer statistics. Again, in this demonstration environment there is really no traffic, and I certainly haven't turned on NAT, so the correction layer hasn't had to do anything so far.

So, some best practices. It depends on the specific network mix of the deployment site. Generally, a distribution mode using both source and destination IP, source and destination port, will do the most granular distribution of connections to the security gateway modules in the security group. However, if you're using NAT, then to simplify the job of the correction layer, for any hide-NATed networks set them to use user mode, so we're looking at the destination IP and source port. For the destination networks, if, for instance, static NAT, you would use, ah, network mode, which uses the source IP and the destination port in the distribution algorithm.
The global clish is very convenient in a security group, because configuration changes that you make in global clish are automatically propagated to the other security gateway modules in the security group. But in expert mode there are a number of command-line global commands beginning with g_. So one g_ command that's useful: g_update_conf_file. And so this command wants the path to the config file and a variable=value pair, though if you leave off the value, it'll just remove that variable from the config file. You obviously don't want to do this unless you have a very good reason to be editing the config file. For example, this fwkern.conf file. I'm going to change the ARP forwarding setting, rather than risk typo-ing it. You can see that the value's been changed in the fwkern.conf file on this security gateway module. You can ignore those build system diagnostics. You can see that the value's been changed here as well. I'm gonna go ahead and put it back, and see that it's been changed on the second security gateway module in the security group. Going back to the first security gateway module, you see it's been changed back. A useful command if you need to update some config file parameter on all of the security gateway modules in your security group.

And you probably noticed that I got to the second security gateway module in the security group from the first by typing m space 2. This is sort of shorthand for move: move from one security gateway module to another within a security group. If you execute this on a security gateway module, you move to other security gateway modules in that group, and it uses secure shell over the backend network. You can also move from the orchestrator to a specific security gateway module in a security group: you specify the security group number first and then the security gateway module number.
Another useful command is the global tcpdump command, g_tcpdump, same syntax as tcpdump. It will aggregate all of the packet capture data. It's useful for getting a large amount of packet capture data fairly quickly; you'll probably want to use capture filters.

Generically, the g_all command will run whatever command you give it as an argument; it will run that on all of the security gateway modules. Let me come up with a command that could possibly someday be useful: show me the tail end of this same config file, fwkern.conf. There are only two lines in that file; that wasn't a hard thing for tail to do, but it ran it on all of the security gateway modules in the security group and then showed it by security gateway module here.
If you have a security group defined, you automatically get active/backup clustering. There will be one security gateway module that is designated active, and then one that is designated backup in the same security group. So what happens with packets? The orchestrator receives a packet from an uplink interface. It uses the distribution mode algorithm to calculate which security gateway module that connection should be handled by, and the algorithm guarantees it will always be a downlink port that a security gateway module is on. So it'll calculate that it needs to go out this port; it will switch the packet out that port, and it will be received by the security gateway module. That security gateway module, if this is a new connection, decides which other security gateway module in the security group should be the backup and starts doing state synchronization to that security gateway module, and that's done over the synchronization VLAN. So you have, ah, the active that's processing the traffic for the connection and the backup that's being synchronized, so it has up-to-date state tables, such as connections table information.

And so because there are only two security gateway modules that are participating in the clustering, you don't have the extra overhead that the general product, ClusterXL, experiences, I guess, the version of clustering they call it, the overhead. And so there's, ah, a performance penalty of about 1% of throughput per security gateway module in the security group. So if you have four security gateway modules in the security group, then you are getting roughly 96% of the aggregate throughput of those four security gateway modules. There's some overhead, and this is much, much better than ClusterXL load sharing, where, in my experience, when you get to maybe five active/active load sharing gateways in the cluster, adding any more makes it worse because of all the overhead of synchronizing everybody to everybody. By limiting the synchronization to between the active and the backup, that really eliminates a lot of the overhead of the synchronization. Then again, it's, it's about...
That wraps up the command line and, ah, a little bit of troubleshooting that I wanted to show you. Thank you very much for attending this Jump Start training on the Maestro Hyperscale Network Security solution.
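As an added illustration (my own teaching model, not the presenter's code and not Check Point's real distribution hash) of the distribution modes and the correction-layer problem discussed in the session: it hashes the tuple fields each mode uses, as the presenter defines them, and checks whether a NAT rewrite would land the connection on a different security gateway module. The Flow class, MODE_FIELDS, select_sgm, correction_needed and nat_impact are names assumed for this example.

```python
# Added teaching model (not Check Point's real algorithm) of how a distribution
# mode picks the security gateway module (SGM) for a connection and why NAT can
# make it pick a different one. Flow, MODE_FIELDS, select_sgm, correction_needed
# and nat_impact are all names assumed for this example.
import hashlib
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

# Tuple fields each mode hashes, as the presenter describes them; general mode
# also adds both Layer 4 ports when L4 distribution is enabled.
MODE_FIELDS = {
    "general": ("src_ip", "dst_ip"),
    "user": ("dst_ip", "src_port"),
    "network": ("src_ip", "dst_port"),
}

def select_sgm(flow, mode, n_sgms, l4_enabled=True):
    """Return the 1-based SGM number that should own this connection."""
    fields = list(MODE_FIELDS[mode])
    if mode == "general" and l4_enabled:
        fields += ["src_port", "dst_port"]
    key = "|".join(str(getattr(flow, f)) for f in fields).encode()
    digest = hashlib.sha256(key).digest()  # stable across runs, unlike hash()
    return int.from_bytes(digest[:4], "big") % n_sgms + 1

def correction_needed(pre_nat, post_nat, mode, n_sgms, l4_enabled=True):
    """True when the NATed packet hashes to a different SGM than the one that
    holds the un-NATed connection's state, so the correction layer must forward it."""
    return (select_sgm(pre_nat, mode, n_sgms, l4_enabled)
            != select_sgm(post_nat, mode, n_sgms, l4_enabled))

def nat_impact(n_sgms=4):
    """Constructed flows: a hide NAT rewriting only the source IP, and a static
    NAT rewriting only the destination IP. Returns {mode: {scenario: bool}}."""
    orig = Flow("10.1.1.50", 40000, "203.0.113.10", 443)
    scenarios = {
        "hide_nat": replace(orig, src_ip="198.51.100.1"),
        "static_nat": replace(orig, dst_ip="10.2.2.20"),
    }
    return {mode: {name: correction_needed(orig, natted, mode, n_sgms)
                   for name, natted in scenarios.items()}
            for mode in MODE_FIELDS}
```

Because the hash is reduced modulo the number of modules, two different tuples can collide on the same module by chance, so only the cases whose hashed fields are untouched by the NAT are guaranteed to need no correction.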