March 8, 2017 | Author: Francisco Flores | Category: N/A
FIREEYE TECHNICAL DOCUMENTATION
CLI REFERENCE GUIDE RELEASE 7.9
2016
FireEye and the FireEye logo are registered trademarks of FireEye, Inc. in the United States and other countries. All other trademarks are the property of their respective owners. FireEye assumes no responsibility for any inaccuracies in this document. FireEye reserves the right to change, modify, transfer, or otherwise revise this publication without notice.
Copyright © 2016 FireEye, Inc. All rights reserved. CLI Reference Guide Release 7.9.1 Revision 2
FireEye Contact Information:
Website: www.fireeye.com
Support Email: [email protected]
Support Website: csportal.fireeye.com
Phone: United States: 1.877.FIREEYE (1.877.347.3393); United Kingdom: 44.203.106.4828; Other: 1.408.321.6300
Contents
PART I: Introduction .... 45
Accessing the CLI .... 45
Online Help and Keyboard Shortcuts .... 46
CLI Modes .... 47
PART II: Command Groups .... 49
AAA Accounting Commands .... 51
AAA Authentication Commands .... 52
AAA Authorization Command Family .... 54
Advanced Threat Intelligence Commands .... 55
Alerts Command Family .... 56
Analysis Commands .... 57
Appliance Boot Image Commands .... 58
Appliance Upgrade Commands .... 59
ARP Command Family .... 60
AV Suite Command Family .... 61
Backup Command Family .... 62
Banner Command Family .... 63
Block by Proxy Commands .... 64
Bridge Command Family .... 65
Boot Manager Command Family .... 66
CAC Commands .... 67
CLI Session Commands .... 69
CM Peer Service Command Family .... 70
CM Series High Availability (HA) Command Family .... 71
CMC Appliance Authentication Commands .... 72
CMC Client Server Command Family .... 73
© 2016 FireEye
Compliance Commands .... 74
Configuration Management Commands .... 75
Cryptographic Commands .... 76
Date and Time Commands .... 78
DTI Cache Proxy Command Family .... 79
DTI Network Service Commands .... 80
Email Analysis Commands .... 82
Email Analysis Password Extraction Command Family .... 85
Email Command Family .... 86
Event Notification Commands .... 87
Events Database Configuration Commands .... 89
Events Database Management Commands .... 91
Events Commands .... 92
FMPS (FX) Scan Command Family .... 93
Forensic Analysis Command Family .... 94
FUME Command Family .... 95
Connect to FireEye as a Service Commands .... 96
Guest Images Commands .... 97
Incident Command Family .... 98
Intelligent Platform Management Interface (IPMI) Commands .... 99
Interface Commands .... 100
IP Addressing Commands .... 101
IPS Commands .... 102
License Management Command Family .... 103
Local BA Signer Whitelist Command Family .... 104
Local Signature Commands .... 105
Log Management Commands .... 106
Malware Object Analysis Command Family .... 107
Malware Submission Command Family .... 108
Media Disk Commands .... 109
Media USB Commands .... 110
MTP Command Family .... 111
MVX Appliance Command Family .... 112
MVX Cluster Command Family .... 113
MVX Submission Command Family .... 115
Network Deployment Check Commands .... 116
NX Series High Availability (HA) Command Family .... 117
Policy Manager Command Family .... 118
RAID Management Commands .... 119
Remote Correlation Commands .... 119
Report Email Commands .... 120
Report Generation Commands .... 121
Static Analysis Tools Command Family .... 122
Submission Sampling Command Family .... 123
TAP Sender Module Command Family .... 124
Third-Party IOC Feeds Command Family .... 125
User Account Commands .... 126
Virtual System Command Family .... 128
Web Analysis Command Family .... 129
Web Incident Command Family .... 130
Web Service API Commands .... 131
Web UI Configuration Commands .... 132
Workorder Command Family .... 133
AX Series Command Family .... 134
CM Series Command Family .... 135
EX Series Commands .... 137
FX Series Commands .... 140
HX Series Commands .... 142
PART III: Commands .... 147
aaa accounting changes default stop-only .... 148
aaa authentication attempts class-override admin no-lockout .... 150
aaa authentication attempts class-override unknown hash-username .... 152
aaa authentication attempts class-override unknown no-track .... 154
aaa authentication attempts lockout enable .... 156
aaa authentication attempts lockout lock-time .... 158
aaa authentication attempts lockout max-fail .... 160
aaa authentication attempts lockout unlock-time .... 162
aaa authentication attempts reset all [no-clear-history | no-unlock] .... 164
aaa authentication attempts reset user [no-clear-history | no-unlock] .... 166
aaa authentication attempts track downcase .... 168
aaa authentication attempts track enable .... 169
aaa authentication certificate crl delete filename .... 170
aaa authentication certificate crl fetch url .... 171
aaa authentication certificate ocsp default url .... 173
aaa authentication certificate ocsp enable .... 175
aaa authentication certificate ocsp override-responder .... 176
aaa authentication certificate username x509-cert-san-email .... 177
aaa authentication certificate username x509-cert-san-email-username .... 178
aaa authentication certificate username x509-cert-san-upn .... 179
aaa authentication certificate username x509-cert-san-upn-username .... 180
aaa authentication certificate username x509-cert-subject .... 181
aaa authentication certificate username x509-cert-subject-cn .... 183
aaa authentication certificate validation allow-missing-basic-constraints .... 184
aaa authentication certificate web policy allowed .... 186
aaa authentication certificate web policy disabled .... 188
aaa authentication certificate web policy required .... 189
aaa authentication login default .... 190
aaa authentication password lcd length minimum .... 192
aaa authentication password local change allow-encrypt .... 193
aaa authentication password local change require-current .... 195
aaa authentication password local character-type minimum .... 197
aaa authentication password local history clear .... 199
aaa authentication password local history compare .... 201
aaa authentication password local length .... 203
aaa authentication password local max-char-repeats .... 205
aaa authentication password local no-userid .... 207
aaa authentication password local require-change advance-warning .... 208
aaa authentication password local require-change force .... 210
aaa authentication password local require-change max-password-days .... 212
aaa authentication password local require-change new-account .... 214
aaa authorization certificate map-ldap enable .... 216
aaa authorization certificate map-ldap match-cert-field x509-cert-san-email .... 217
aaa authorization certificate map-ldap match-cert-field x509-cert-san-email-username .... 218
aaa authorization certificate map-ldap match-cert-field x509-cert-san-upn .... 219
aaa authorization certificate map-ldap match-cert-field x509-cert-san-upn-username .... 221
aaa authorization certificate map-ldap match-cert-field x509-cert-subject .... 222
aaa authorization certificate map-ldap match-cert-field x509-cert-subject-cn .... 224
aaa authorization certificate map-ldap match-ldap-attribute mail .... 225
aaa authorization certificate map-ldap match-ldap-attribute sAMAccountName .... 226
aaa authorization certificate map-ldap match-ldap-attribute uid .... 228
aaa authorization certificate map-ldap search-filter .... 229
aaa authorization certificate map-ldap username-override .... 231
aaa authorization map default-user .... 233
aaa authorization map order .... 235
aaa authorization roles .... 238
aaa authorization rules enable .... 240
aaa authorization rules rule append tail [ ...] .... 242
aaa authorization rules rule insert .... 246
aaa authorization rules rule modify .... 249
aaa authorization rules rule set .... 253
alerts whitelist src ip .... 257
analysis live check-connection .... 259
analysis live default-gateway ip .... 260
analysis live external ip .... 261
analysis live http-proxy .... 262
analysis live nameserver ip .... 264
analysis live proxy-authentication .... 265
arp .... 266
ati auto-update enable .... 268
ati enable .... 270
av-suite enable .... 272
backup cancel .... 274
backup delete from name .... 275
backup profile to .... 276
banner login .... 280
banner login-local .... 282
banner login-remote .... 284
banner motd .... 286
blacklist files auto past_hours .... 288
blat enable .... 289
boot bootmgr disable password .... 290
boot next fallback-reboot enable .... 291
boot system location .... 293
boot system next .... 295
bridge ageing-time .... 297
bridge enable .... 299
bridge forward-time .... 301
bridge hello-time .... 303
bridge max-age .... 304
bridge priority .... 305
bridge spanning-tree enable .... 306
bridge .... 307
clear aaa authentication attempts all .... 308
clear aaa authentication attempts user .... 310
clear arp-cache .... 312
clear ipv6 neighbors .... 313
cli clear-history .... 314
cli default .... 315
cli disable-history .... 317
cli enable-history .... 318
cli session auto-logout .... 318
cli session paging enable .... 319
cli session prefix-modes {enable | show-config} .... 320
cli session progress enable .... 321
cli session terminal length .... 322
cli session terminal resize .... 323
cli session terminal type .... 324
cli session terminal width .... 325
cli session x-display full .... 325
clock set .... 327
clock timezone .... 328
cmc appliance .... 330
cmc appliance auth password password .... 333
cmc appliance auth password username .... 334
cmc appliance auth ssh-dsa2 identity push [username password []] .... 335
cmc appliance auth ssh-dsa2 identity .... 337
cmc appliance auth ssh-dsa2 username .... 338
cmc appliance auth ssh-rsa2 identity push [username password []] .... 339
cmc appliance auth ssh-rsa2 identity .... 341
cmc appliance auth ssh-rsa2 username .... 342
cmc appliance authtype .... 343
cmc auth .... 345
cmc cancel .... 347
cmc client .... 348
cmc client server .... 350
cmc client server auth .... 353
cmc execute .... 356
cmc group .... 357
cmc ha nx rename .... 358
cmc ha nx appliances enable-nx-ipv6 .... 359
cmc ha nx comment .... 361
cmc ha nx sync config with .... 363
cmc mvx cluster .... 365
cmc mvx cluster broker enable .... 366
cmc mvx cluster description .... 367
cmc mvx cluster master .... 368
cmc mvx cluster node .... 369
cmc mvx cluster sync-config .... 370
cmc mvx sensor enrollment {enroll | unenroll} .... 371
cmc mvx status cluster-sizing enable .... 372
cmc mvx status cluster-sizing threshold critical .... 373
cmc mvx status cluster-sizing threshold warning .... 374
cmc profile .... 375
cmc profile apply appliance .... 376
cmc profile apply appliance fail-continue .... 377
cmc profile apply appliance no-save .... 379
cmc profile apply group .... 381
cmc profile apply group fail-continue .... 383
cmc profile apply group no-save .... 385
cmc profile command .... 387
cmc profile comment .... 388
cmc profile copy .... 389
cmc profile extract-from .... 391
cmc profile rename .... 392
cmc rendezvous client .... 393
cmc rendezvous server .... 396
cmc rendezvous service-name .... 399
cmc server .... 400
cmc status .... 401
cms feature peer-service enable .... 402
cms peer delete .... 403
cms peer enable .... 404
cms peer interaction dist-correlation enable .... 405
cms peer interaction dti enable .... 406
cms peer interaction dti proxy mode no-proxy .... 407
cms peer interaction dti proxy mode use-fenet .... 408
cms peer-service auth-token export .... 409
cms peer-service auth-token generate .... 410
cms peer-service auth-token import .... 412
cms peer-service enable .... 414
compliance apply standard .... 415
compliance declassify zeroize .... 416
compliance options fips-mode-crypto enable .... 417
compliance options ftp-file-transfer enable .... 418
compliance options http-file-transfer enable .... 419
compliance options manual-key-entry enable .... 420
compliance options restricted-license enable .... 421
compliance options secure-channel-logs enable .... 422
compliance options snmp-crypto-limit enable .... 423
compliance options user-key-access enable .... 424
compliance options webui enable .... 425
configuration audit max-changes .... 426
configuration copy .... 428
configuration delete .... 430
configuration factory .... 431
configuration fetch .... 432
configuration jump-start .... 433
configuration merge .... 439
configuration move .... 440
configuration new .... 441
configuration revert factory keep-basic .... 441
configuration revert factory keep-connect .... 442
configuration revert saved .... 444
configuration switch-to .... 446
configure terminal .... 447
configuration text .... 448
configuration upload .... 451
configuration write [to [no-switch]] .... 452
custom content enable .... 453
custom content enable on lms .... 455
crypto certificate bundle cert-name .... 457
crypto certificate bundle comment .... 459
crypto certificate bundle fetch url .... 461
crypto certificate .... 463
crypto certificate ca-chain chain-name web-server .... 467
crypto ipsec .... 470
debug generate .... 473
deployment check network clear .... 474
deployment check network duration .... 476
deployment check network start .... 478
disable .... 480
email .... 481
email-analysis adv-url-defense cache {whitelist | blacklist} .... 486
email-analysis adv-url-defense rewrite enable .... 487
email-analysis allowed-list .... 489
email-analysis blocked-list .... 492
email-analysis controlled-live-mode enable .... 495
email-analysis delete .... 497
email-analysis delete-message .... 498
email-analysis domain .... 499
email-analysis pass-extract add ignoreword .... 500
email-analysis pass-extract add keyword .... 501
email-analysis pass-extract add password .... 502
email-analysis pass-extract delete ignoreword .... 503
email-analysis pass-extract delete keyword .... 504
email-analysis pass-extract delete password .... 504
email-analysis pass-extract limit .... 505
email-analysis filter .... 507
email-analysis flush-message .... 508
email-analysis interface .... 509
email-analysis mode .... 513
email-analysis mta certificate name .... 514
email-analysis mta smtp stop .... 515
email-analysis mta smtp start .... 517
email-analysis mta start .... 518
email-analysis mta stop .... 519
email-analysis policy adv-url-defense enable .... 520
email-analysis policy att-limit .... 520
email-analysis policy congestion bypass-threshold .... 521
email-analysis policy congestion high-threshold .... 522
email-analysis policy congestion mode bypass enable .... 522
email-analysis policy congestion mode refuse-connection enable .... 523
email-analysis policy feature-extractor enable .... 524
email-analysis policy image-analysis enable .... 524
email-analysis policy max-size-limit .... 525
email-analysis policy message-tracking max-days-records .... 526
email-analysis policy message-tracking syslog-enable .... 527
email-analysis policy monitor backoff .... 527
email-analysis policy monitor bypass-threshold .... 528
email-analysis policy monitor defer-threshold .... 529
email-analysis policy monitor enable .... 530
email-analysis policy monitor interval .... 530
email-analysis policy notice admin .... 531
email-analysis policy notice bcc .... 532
email-analysis policy notice body .... 532
email-analysis policy notice enable .... 533
email-analysis policy notice from .... 534
email-analysis policy notice subject .... 534
email-analysis policy parse-https enable .... 535
email-analysis policy reload .... 536
email-analysis policy typosquatting enable .... 537
email-analysis policy url-images enable .... 538
email-analysis policy url-limit .... 538
email-analysis policy url-phishing blacklist enable .... 539
email-analysis policy url-phishing whitelist enable .... 539
email-analysis policy use-header enable .... 540
email-analysis policy xheader enable .... 541
email-analysis policy yara-analysis enable .... 542
email-analysis quarantine .... 543
email-analysis reroute-message .... 544
email-analysis suppress .... 545
email-analysis url-dynamic-analysis enable .... 546
email-analysis url-dynamic-analysis .... 547
email auth enable .... 548
email auth password [] .... 548
email auth username .... 549
email autosupport enable .... 550
email autosupport event .... 550
email dead-letter cleanup max-age .... 552
email dead-letter enable .... 553
email domain .... 554
email mailhub .... 554
email mailhub-port .... 555
email notify event .... 556
email notify recipient [class {failure | info} | detail] .... 558
email return-addr .... 559
email return-host .... 560
email send-test .... 561
email ssl .... 562
embedded-analysis enable .... 564
eml attachment limit .... 565
eml recursive limit .... 566
enable .... 567
exit .... 568
fe-access connect .... 569
fe-access enable .... 570
fe-access proxy enable .... 571
fe-access proxy set .... 572
fe-access proxy use-fenet .... 573
fe-access set .... 574
fedb backup .... 575
fedb events archival age days .... 576
fedb events archival himark .... 577
fedb events archival journal .... 578
fedb events archival time .... 579
fedb events source ip resolve-dns .... 580
fedb events source ip resolve-dns-first .... 581
fedb events source ip resolve-netbios .... 582
fedb hold .... 583
fedb malware .... 584
fedb restore .... 585
fenet appliance image .... 586
fenet appliance manage .... 588
fenet appliance patch .... 589
fenet dti cache populate guest-images all .... 590
fenet dti cache populate guest-images appliance .... 592
fenet dti cache populate image product .... 594
fenet dti cache populate image product all .... 596
fenet dti cache populate image product version .... 599
fenet dti custom address available .... 601
fenet dti enrollment service default DTI .... 602
fenet dti enrollment service override enable .... 604
fenet dti enrollment service type DTI address .... 606
fenet dti enrollment service type DTI username password .... 608
fenet dti faude service .... 610
fenet dti mil service .... 612
fenet dti proxy cache purge .... 614
fenet dti proxy cache purge auto .... 615
fenet dti proxy cache purge file .... 616
fenet dti proxy cache purge file-type .... 617
fenet dti proxy check-certificate .... 618
fenet dti source .... 619
fenet dti upload destination .... 624
fenet enable .... 626
fenet guest-images .... 627
fenet hx-agent autoupdate enable .... 629
fenet hx-agent image apply .... 630
fenet hx-agent image check .... 632
fenet hx-agent image fetch .... 633
fenet hx-agent metadata refresh .... 634
fenet image .... 635
fenet license update [force] .... 636
fenet license update enable .... 638
fenet metadata refresh .... 639
fenet op-mode local .... 640
fenet op-mode online .... 641
fenet op-mode proxy .... 642
fenet op-mode url .... 643
fenet proxy .... 644
fenet time sync .... 645
fenet proxy enable .... 646
fenet security-content .... 647
fenet security-content custom rule enable .... 650
fenet session .... 651
fenet ssl .... 652
fenet stats-content aggregator enable .... 654
fenet stats-content upload {auto | now} .... 655
fenet update appliance .... 656
fenet update appliance cancel .... 657
fenet update appliance guest-image .... 658
fenet update appliance guest-image cancel .... 659
fenet update appliance guest-image delete .... 660
fenet update appliance guest-image download .... 661
fenet update appliance guest-image install .... 662
fenet update appliance guest-image resume .... 663
fenet update appliance no-reboot .... 664
fenet update appliance resume .... 665
fenet update appliance suspend .... 666
fenet update appliance system-image .... 667
fenet update appliance system-image no-reboot .... 668
fenet update appliance system-image reboot .... 669
fenet update appliance system-image version .... 670
fenet update appliance version .... 671
fenet update cluster .... 672
fenet update cluster cancel .... 674
fenet update cluster guest-image .... 675
fenet update cluster guest-image cancel .... 676
fenet update cluster guest-image delete .... 677
fenet update cluster guest-image download .... 678
fenet update cluster guest-image install .... 679
fenet update cluster guest-image resume .... 680
fenet update cluster no-reboot .... 681
fenet update cluster resume .... 682
fenet update cluster suspend .... 683
fenet update cluster system-image no-reboot .... 684
fenet update cluster system-image reboot .... 685
fenet update cluster system-image version .... 686
fenet update cluster system-image .... 687
fenet update cluster version .... 689
fenet update config task parallel-execution .... 690
fenet update config task retry .... 692
fenet update config task timeout .... 694
fenet user .... 696
fenotify default timezone .... 697
fenotify email .... 698
fenotify enable .... 702
fenotify http alert .... 703
fenotify http default .... 704
fenotify http enable .... 706
fenotify http service .... 707
fenotify preferences alerts-update ati enable .... 711
fenotify preferences bbp enable .... 712
fenotify preferences bbp max-time-wait .... 712
fenotify preferences bbp subject-desc .... 713
fenotify preferences ips-delivery-mode .... 715
fenotify preferences json .... 716
fenotify preferences normalize-ips-event enable .... 717
fenotify preferences process-order .... 718
fenotify preferences rsyslog-strip-lnfb enable .... 719
fenotify preferences sender-cpu-ratio .... 720
fenotify preferences support-riskware enable .... 720
fenotify preferences text .... 722
fenotify preferences use-fenet-proxy enable .... 723
fenotify preferences xml .... 724
fenotify rsyslog alert enable .... 725
fenotify rsyslog default .... 727
fenotify rsyslog enable .... 730
fenotify rsyslog trap-sink address .... 731
fenotify rsyslog trap-sink chunk-size .... 732
fenotify rsyslog trap-sink enable .... 733
fenotify rsyslog trap-sink port .... 734
fenotify rsyslog trap-sink prefer message delivery .... 735
fenotify rsyslog trap-sink prefer message format .... 737
fenotify rsyslog trap-sink prefer message item-order .... 740
fenotify rsyslog trap-sink prefer message send-as .... 741
fenotify rsyslog trap-sink prefer notification .... 743
fenotify rsyslog trap-sink protocol .... 745
fenotify rsyslog trap-sink user .... 746
fenotify rsyslog trap-sink .... 747
fenotify snmp .... 748
fenotify ssl .... 750
fenotify test-fire .... 752
file-analysis suppress .... 753
file debug-dump .... 754
file stats .... 755
file tcpdump .... 756
fmps scan abort .... 757
fmps scan delete .... 758
fmps scan pause .... 759
fmps scan restart .... 760
fmps scan resume .... 761
fmps file config analysis_tmo .... 762
fmps file config maxsize .... 763
fmps file config scan_delay .... 764
fmps file config share-timeout .... 765
fmps file config wins_server .... 766
fmps scan configure filetypes .... 767
fmps scan configure scan-name .... 769
fmps scan configure start-time .... 770
fmps scan configure subdirectories .... 772
fmps scan configure target-shares .... 773
fmps scan create .... 775
fmps scan delete .... 776
fmps scan schedule .... 777
fmps scan start .... 778
fmps scan start scan-id listen .... 779
fmps share configure share-name auth .... 780
fmps share configure share-name ca-file .... 781
fmps share configure share-name protocol .... 782
fmps share configure share-name server .... 784
fmps share create quarantine .... 785
fmps share create source .... 786
fmps share create target .... 787
fmps share delete .... 788
fmps share mount .... 789
fmps share unmount .... 790
forensic analysis enable .... 791
gen-emps-rpt .... 792
guest-images configure .... 795
guest-images disable-list .... 797
guest-images download .... 798
guest-images file-association reset .... 801
guest-images install .... 802
guest-images limit-rate .... 803
ha address vip .... 804
ha engine failover .... 806
ha engine reset cluster-config .... 808
ha engine restart .... 810
ha engine split-brain shutdown auto .... 813
ha engine stop .... 815
ha interface backup .... 817
ha interface default .... 818
ha node failover auto .... 819
ha node join .... 821
ha node leave .... 823
ha node leave .... 825
ha replicate alerts enable .... 827
ha replicate updates enable .... 829
ha resource enable .... 831
help .... 834
homenet ip .... 835
hostname .... 836
hx agent agent-log-exception enable .... 837
hx agent agent-log-exception level .... 838
hx agent aging enable .... 840
hx agent aging inactive-period .... 841
hx agent aging new-orphan-period .... 842
hx agent concurrent-host-exception enable .... 843
hx agent concurrent-host-exception limit .... 844
hx agent config-poll .... 845
hx agent event-buf-size .... 846
hx agent events enable .... 847
hx agent events whitelist enable .... 848
hx agent events whitelist paths .... 849
hx agent fastpoll .... 851
hx agent inactivity period .... 852
hx agent indicator .... 853
hx agent max-cpu .... 854
hx agent poll .... 855
hx agent resource-exception enable .... 856
hx agent resource-exception event-buf-size .... 857
hx agent resource-exception max-cpu .... 858
hx agent server hostname .... 859
hx agent server provisioning enable .... 860
hx agent server provisioning primary .... 861
hx config agent exd exceptions whitelist enable .... 862
hx config agent exd exceptions whitelist paths .... 863
hx config agent exd whitelist enable .... 865
hx config agent exd whitelist paths .... 866
hx ecosystem dmz attach .... 868
hx ecosystem dmz attach-initiate .... 869
hx ecosystem dmz provisioning-enabled .... 870
hx pki agent ca-days .... 871
hx pki agent cert-bits .... 872
hx pki agent cert-days .... 873
hx pki export file .... 874
hx pki import file .... 875
hx pki provisioning .... 876
hx pki regenerate .... 877
hx pki regenerate crl .... 878
hx pki regenerate subordinate .... 879
hx pki server ca-days .... 880
hx pki server cert-bits .... 881
hx pki server cert-days .... 882
hx pki server crl-days .... 883
hx pki server crl-upload .... 884
hx pki subject prefix .... 885
hx server acquisition aging completed-period .... 886
hx server acquisition aging disk-limit .... 887
hx server acquisition aging enable .... 888
hx server acquisition aging failed-period .... 889
hx server acquisition aging pending-period .... 890
hx server acquisition default-zip-passphrase .... 891
hx server acquisition enable .... 892
hx server app-proc quiesce .... 893
hx server containment blocked .... 894
hx server containment enable .... 895
hx server containment notification custom .... 896
hx server containment notification enable .... 897
hx server containment notification source .... 898
hx server containment notification url .... 899
hx server containment task-timeout .... 900
hx server containment whitelist .... 901
hx server detection aging alert fp-period .... 902
hx server detection aging alert period .... 903
hx server detection aging indicator generated enable .... 904
hx server detection aging indicator generated period .... 905
hx server detection inbound bookmark .... 906
hx server detection inbound ignore-type .... 907
hx server detection inbound min-threshold .... 908
hx server detection inbound poll-interval .... 909
hx server detection intel matching enable .... 910
hx server detection legacy enable .... 911
hx server detection legacy malicious-url enable .... 912
hx server detection legacy noisy-indicator enable .... 913
hx server exd enable .... 914
hx server msm-link api domain-hash .... 915
hx server msm-link api key .... 916
hx server msm-link api secret .... 917
hx server msm-link enable .... 918
hx server msm-link hostname .... 919
hx server msm-link prefix .... 920
hx server script aging period .... 921
hx server search issues items-limit .... 922
hx server sysinfo dispatch-duration .... 923
hx server sysinfo task-timeout .... 924
hx server sysinfo-interval .... 925
hx server task aging period .... 926
hx server triage auto enable .... 927
hx server triage auto throttle agent limit .... 928
hx server triage auto throttle agent period .... 929
hx server triage auto throttle agent-condition limit .... 930
hx server triage auto throttle agent-condition period .... 931
hx server triage auto throttle condition limit .... 932
hx server triage auto throttle condition period .... 933
hx server triage auto throttle exd limit .... 934
hx server triage auto throttle exd period .... 935
hx server triage auto throttle global limit .... 936
hx server triage auto throttle global period .... 937
hx server triage auto throttle indicator limit .... 938
hx server triage auto throttle indicator period .... 939
hx server triage auto throttle ioc limit .... 940
hx server triage auto throttle ioc period .... 941
hx server triage extraction retry-limit .... 942
hx server triage extraction task-limit .... 943
hx server triage extraction timeout .... 944
hx server triage task-limit .... 945
hx server triage task-timeout .... 946
hx server triage window after .... 947
hx server triage window prior .... 948
hx server upgrade task-limit .... 949
hx server upgrade task-timeout .... 950
image boot location .... 950
image delete .... 952
image fetch .... 953
image install .... 954
image move .... 956
image options .... 957
interface .... 958
ip default-gateway .... 961
ip dhcp .... 962
ip domain-list .... 963
ip filter chain .... 964
ip filter enable .... 968
ip filter options include-bridges .... 969
ip host .... 970
ip map-hostname .... 971
ip name-server .... 972
ip route .... 973
ipmi firmware reload .... 974
ipmi firmware update latest .... 975
ipmi firmware update notice enable .... 976
ipmi lan defgw .... 977
ipmi lan ipaddr .... 978
ipmi lan ipsrc .... 979
ipmi lan netmask .... 980
ipmi lan shutdown .... 981
ipmi log clear .... 982
ipmi user set password .... 983
ips auto-update enable .... 984
ips blockmode .... 986
ips brute-force threshold .... 988
ips detail-filter .... 989
ips reconnaissance enable .... 991
ips reconnaissance threshold .... 992
ips signature id .... 994
ips signature name .... 998
ipv6 default-gateway .... 1002
ipv6 enable .... 1003
ipv6 host .... 1004
ipv6 map-hostname .... 1005
ipv6 neighbor .... 1006
ipv6 route .... 1007
job .... 1008
lcd .... 1009
ldap .... 1011
ldap ssl .... 1014
  Syntax .... 1014
  User Role .... 1014
  Release Information .... 1014
  Parameters .... 1014
  Example .... 1015
license activation code .... 1016
license activation reapply .... 1017
license delete .... 1018
license install .... 1021
localsig enable .... 1023
logging .... 1024
logging fields .... 1026
logging files audit upload .... 1027
logging files rotation .... 1028
logging files upload .... 1029
logging format .... 1030
logging local .... 1031
logging receive .... 1033
logging remote .... 1035
logging trap .... 1037
malware abort queued .... 1038
malware analyze live .... 1039
malware analyze sandbox .... 1040
malware delete .... 1042
malware file .... 1043
Managed Defense vpn enable .... 1045
Managed Defense vpn http proxy .... 1046
malware-intrinsic-analysis dti .... 1048
malware-intrinsic-analysis local .... 1050
management interface allow .... 1051
media disk activity-light off .... 1052
media disk activity-light on .... 1053
media disk offline .... 1054
media disk online .... 1055
media disk rebuild cancel .... 1056
media disk rebuild start .... 1057
media usb auto-mount enable .... 1058
media usb eject .... 1059
media usb mount .... 1060
media usb web-access enable local .... 1061
media usb web-access top-dir .... 1062
msm admin password reset .... 1063
msm common certs deploy .... 1064
msm compatibility {old-hmac | ""} .... 1066
msm ip-security-policy clear .... 1069
msm mgmt-interface {false | true} .... 1070
msm mgmt-interface gw .... 1072
mtp enable .... 1073
mvx cluster cloud enable .... 1074
mvx cluster {enroll | unenroll} now .... 1075
mvx cluster enrollment-service client enable .... 1076
mvx cluster enrollment-service preferred name .... 1077
mvx node config cluster-if .... 1078
mvx node config submission-if .... 1079
mvx node config submission-if default-gateway {ipv4 | ipv6} .... 1080
mvx sensor config submission-if .... 1081
mvx sensor config submission-if default-gateway {ipv4 | ipv6} .... 1082
mvx sensor enable .... 1083
netwitness analysis enable .... 1084
no aaa accounting changes .... 1085
no aaa accounting changes default .... 1086
no cmc ha nx appliance .... 1087
no cmc profile command .... 1089
no cmc profile command .... 1090
no mvx cluster enroll .... 1091
no mvx cluster enrollment-service client .... 1092
no mvx cluster enrollment-service .... 1093
no ntp authentication key .... 1094
no ntp server authentication .... 1095
no raid alarm enable .... 1096
npulse analysis enable .... 1097
nslookup .... 1098
ntp authentication enable .... 1099
ntp authentication key .... 1101
ntp disable .... 1103
ntp enable .... 1105
ntp peer .... 1106
ntp peer authentication .... 1107
ntp peer disable .... 1108
ntp peer version .... 1109
ntp server .... 1110
ntp server authentication .... 1111
ntp server disable .... 1112
ntp server version .... 1114
ntpdate .... 1116
object-analysis salvage .... 1117
ping .... 1119
ping6 .... 1121
policymgr drop-interface .... 1123
policymgr interface drop http comfort-page enable .... 1124
policymgr interface drop http comfort-page response-type .... 1125
policymgr interface drop out-interface .... 1127
policymgr interface drop tcp reset client enable .... 1128
policymgr interface drop tcp reset enable .... 1129
policymgr interface drop tcp reset server enable .... 1130
policymgr interface drop udp icmpport-unreachable enable .... 1131
policymgr interface .... 1132
policymgr interface mirror port .... 1134
policymgr interface mirror clear .... 1136
policymgr interface op-mode block .... 1137
policymgr interface op-mode bypass .... 1139
policymgr interface op-mode monitor .... 1140
policymgr interface op-mode tap .... 1141
ips policy .... 1142
ips policy clone .... 1143
ips apply .... 1144
ips policy match .... 1146
ips policy rules .... 1151
policymgr network .... 1153
policymgr refresh-policy .... 1155
policymgr signature .... 1156
pup enable .... 1157
qserver enable .... 1158
radius-server .... 1159
raid alarm enable .... 1161
raid alarm silence .... 1162
raid log clear .... 1163
raid test consistency cancel .... 1164
raid test consistency start .... 1165
reload .... 1166
remote-correlation enable .... 1166
remote-correlation run-frequency .... 1167
remote-correlation url-duration .... 1168
report delete .... 1170
report email recipient .... 1172
report email snmp domain .... 1173
report email snmp port .... 1174
report generate type alert_details (update) .... 1175
report generate type alert_details .... 1181
report generate type callback_server .... 1184
report generate type email_activity .... 1187
report generate type email_av_report .... 1190
report generate type email_executive_summary .... 1193
report generate type email_hourly_stat .... 1196
report generate type executive_summary .... 1199
report generate type File_Executive_Summary .... 1202
report generate type infected_hosts_trend .... 1205
report generate type malware_activity .... 1208
report generate type web_av_report .... 1211
report schedule .... 1214
reset factory .... 1217
resolver cache flush .... 1219
resolver .... 1220
restore profile from name .... 1221
sharepoint ssl ca-list .... 1224
signer-whitelist disable .... 1226
signer-whitelist enable .... 1228
signer-whitelist mode .... 1230
slogin .... 1232
snmp-server .... 1235
snmp-server host .... 1237
ssh server listen enable .... 1238
ssh server listen interface .... 1239
snmp-server user .... 1241
ssh client .... 1243
ssh server .... 1247
ssh server listen enable .... 1249
ssh server listen interface .... 1250
static-info enable .... 1252
static-analysis av-check enable .... 1253
static-analysis av-suite enable .... 1254
static-analysis dropper enable .... 1255
static-analysis enable .... 1256
static-analysis malware-intrinsic-analysis enable .... 1257
static-analysis sa-python enable .... 1258
stats alarm .... 1259
stats chd .... 1261
stats clear-all .... 1262
stats export .... 1263
stats group submission sampling interval minutes .... 1263
stats sample .... 1265
stty baud .... 1266
system virtual bootstrap reset .... 1267
tacacs-server host .... 1268
tacacs-server host auth-port .... 1270
tacacs-server host auth-type .... 1272
tacacs-server host enable .... 1274
tacacs-server host key .... 1275
tacacs-server host prompt-key .... 1277
tacacs-server host retransmit .... 1279
tacacs-server host timeout .... 1281
tacacs-server key .... 1283
tacacs-server retransmit .... 1285
tacacs-server timeout .... 1287
tapsender enable .... 1289
© 2016 FireEye
31
Contents
32
tapsender VPC ... 1290
tcpdump ... 1291
telnet ... 1295
terminal ... 1297
tpm enable ... 1298
tpm rng enable ... 1299
traceroute ... 1300
username ... 1302
username disable ... 1304
username fe services password ... 1305
username password ... 1306
web-analysis ... 1308
web auto-logout ... 1310
web client ssl ... 1312
web logging level ... 1314
web preferences config global alerts auto-refresh enable ... 1315
web server ... 1316
web server listen enable ... 1318
web server listen interface ... 1319
web server ssl ca-chain ... 1321
web session renewal ... 1322
web session timeout ... 1324
write ... 1326
wsapi ... 1327
wsapi rtstats ... 1328
yara ... 1329
yara match limit ... 1330
yara policy ... 1331
yara weight default ... 1332
show aaa ... 1333
show aaa authentication certificate crl ... 1336
show aaa authentication certificate ... 1338
show aaa authentication attempts ... 1341
show aaa authentication password ... 1342
show aaa authentication password ... 1344
show aaa authorization certificate ... 1345
show aaa authorization rules ... 1347
show alerts ... 1350
show alerts whitelist src ip ... 1354
show analysis live config ... 1355
show analysis summary by ... 1357
show arp ... 1359
show arp static ... 1360
show ati status ... 1361
show avc vms ... 1363
show backup available ... 1364
show backup estimate profile ... 1366
show backup status ... 1369
show banner ... 1370
show blat ... 1372
show bootvar ... 1374
show bottracker sigmatch ... 1375
show bottracker stats ... 1376
show bridges ... 1379
show cli ... 1380
show cli commands ... 1381
show clock ... 1383
show cmc appliances ... 1384
show cmc auth identities ... 1388
show cmc auth ssh ... 1390
show cmc client ... 1392
show cmc groups ... 1394
show cmc ha nx ... 1396
show cmc ha nx ... 1399
show cmc mvx cluster ... 1401
show cmc mvx cluster {brief | detail} ... 1402
show cmc mvx cluster enrollment status ... 1404
show cmc mvx cluster nodes ... 1405
show cmc mvx cluster stats daily ... 1406
show cmc mvx cluster stats hourly ... 1408
show cmc mvx cluster ... 1410
show cmc mvx status cluster-sizing config ... 1412
show cmc profiles ... 1413
show cmc rendezvous ... 1414
show cmc server ... 1416
show cmc status ... 1417
show cmc ... 1419
show cms peer-service ... 1420
show compliance ... 1424
show compliance options ... 1425
show compliance standard ... 1426
show configuration audit ... 1428
show configuration ... 1429
show configuration files ... 1434
show crypto certificate bundle ... 1435
show crypto certificate ca-chain ... 1439
show crypto certificate ca-chain brief ... 1440
show crypto certificate ca-chain chain-name ... 1441
show crypto certificate ca-chain chain-name brief ... 1443
show crypto certificate ca-chain chain-name detail ... 1444
show crypto certificate ca-chain detail ... 1445
show crypto certificate decode raw pem ... 1446
show crypto certificate ... 1449
show crypto ipsec ... 1451
show custom content enable status ... 1452
show custom content feed status ... 1454
show deployment check network ... 1456
show email ... 1462
show email-analysis ... 1463
show email-analysis all ... 1465
show email-analysis allowed-list statistics ... 1465
show email-analysis attachment ... 1466
show email-analysis blocked-list statistics ... 1467
show email-analysis done ... 1468
show email-analysis log ... 1470
show email-analysis message-queue max-num ... 1471
show email-analysis mta mynetworks ... 1473
show email-analysis mta status ... 1473
show email-analysis pass-extract ignorewords ... 1475
show email-analysis pass-extract keywords ... 1476
show email-analysis pass-extract passwords ... 1477
show email-analysis policy ... 1478
show email-analysis queued ... 1482
show email-analysis running ... 1483
show email-analysis statistics ... 1484
show email-analysis url ... 1485
show email-analysis url-dynamic-analysis ... 1487
show email-analysis yara-statistics ... 1489
show email-analysis adv-url-defense configuration ... 1491
show email-analysis adv-url-defense statistics ... 1493
show email-analysis mta status ... 1495
show email-analysis url-dynamic-analysis ... 1497
show email-analysis url ... 1500
show email-analysis policy ... 1502
show eml ... 1507
show eula status ... 1508
show eula text ... 1509
show events after ... 1511
show events before ... 1514
show events between ... 1518
show events count ... 1523
show events on ... 1524
show events today ... 1528
show events type ... 1532
show events yesterday ... 1536
show events [] ... 1540
show fe-access ... 1543
show fedb backups ... 1544
show fedb events configuration ... 1545
show fenet ... 1547
show fenet appliance ... 1548
show fenet dti cache populate guest-images status ... 1549
show fenet dti cache populate images status ... 1551
show fenet dti proxy cached-content ... 1553
show fenet dti proxy cached-content freshness-info ... 1555
show fenet dti proxy cached-content show-stale ... 1558
show fenet dti proxy cached-content version ... 1560
show fenet dti proxy configuration ... 1562
show fenet dti proxy configuration all ... 1564
show fenet dti configuration ... 1567
show fenet guest-images status ... 1570
show fenet hx-agent image available ... 1571
show fenet image ... 1573
show fenet key ... 1574
show fenet license ... 1575
show fenet metadata status ... 1576
show fenet security-content ... 1579
show fenet security-content status ... 1581
show fenet stats-content ... 1583
show fenet status ... 1585
show fenet update config ... 1587
show fenet update operations ... 1589
show fenet update status appliance {brief | detail} ... 1591
show fenotify alerts ... 1594
show fenet update status appliance ... 1596
show fenet update status cluster ... 1598
show fenet update status cluster {brief | detail} ... 1600
show fenotify email ... 1602
show fenotify http ... 1604
show fenotify preferences ... 1606
show fenotify preferences appliance-id ... 1609
show fenotify preferences bbp ... 1610
show fenotify preferences json ... 1611
show fenotify preferences text ... 1612
show fenotify preferences xml ... 1613
show fenotify rsyslog ... 1614
show fenotify snmp ... 1616
show files ... 1618
show file-analysis ... 1620
show file-analysis all ... 1622
show file-analysis done ... 1624
show file-analysis events ... 1626
show file-analysis id ... 1628
show file-analysis list ... 1630
show file-analysis md5 ... 1631
show fmps file config ... 1632
show fmps file shares ... 1633
show fmps scan-id ... 1635
show fmps share ... 1640
show forensic analysis ... 1641
show fume content-version ... 1642
show fume network stats ... 1644
show fume object stats ... 1646
show guest-images ... 1649
show ha configuration ... 1654
show ha image check status ... 1658
show ha interfaces ... 1660
show ha members ... 1662
show ha members all ... 1663
show ha replication status ... 1664
show ha resources ... 1666
show ha status (for CM) ... 1669
show ha status (for NX) ... 1673
show hosts ... 1677
show hx agent ... 1678
show hx agent aging ... 1680
show hx agent inactivity ... 1681
show hx app-proc ... 1682
show hx ecosystem ... 1683
show hx pki ... 1684
show hx server containment ... 1686
show hx server containment notification ... 1688
show hx server detection ... 1689
show hx server exd ... 1691
show hx server general ... 1692
show hx server msm-link ... 1695
show hx server search ... 1697
show images ... 1698
show incident all ... 1699
show incident list ... 1702
show incident ... 1704
show interfaces ... 1706
show ip ... 1708
show ip filter ... 1709
show ipmi ... 1711
show ipmi interface ... 1713
show ipmi log ... 1714
show ipmi version ... 1716
show ipmi version include-firmware-update-notice ... 1717
show ips reconnaissance ... 1719
show ips signatures ... 1721
show ipv6 ... 1724
show ipv6 filter ... 1725
show jobs ... 1727
show lcd ... 1728
show ldap ... 1729
show licenses ... 1730
show licenses tokens ... 1734
show licenses tokens configured ... 1736
show localsig ... 1737
show log ... 1738
show log audit ... 1740
show log audit files all ... 1742
show log files all ... 1743
show logging ... 1744
show malware all ... 1745
show malware config ... 1748
show malware done ... 1750
show malware events ... 1753
show malware file analysis_tmo ... 1757
show malware file repositories ... 1758
show malware id ... 1761
show malware list ... 1765
show malware md5 ... 1766
show malware mode ... 1767
show malware no-events ... 1770
show malware no-os-change-anomaly ... 1773
show malware no-vm-outbound-comm ... 1776
show malware priority ... 1779
show malware queued ... 1782
show malware running ... 1785
show malware ... 1787
show management interface ... 1789
show managed-defense vpn connection ... 1790
show media disk ... 1791
show media disk rebuild ... 1792
show media disk smart ... 1793
show media usb ... 1794
show memory ... 1795
show msm [common] ... 1796
show mvx cluster enrollment status ... 1799
show mvx node queuemgr status ... 1801
show mvx node status ... 1803
show mvx node status full ... 1805
show mvx status ... 1806
show mvx submission ... 1809
show mvx submission done ... 1810
show mvx submission done limit ... 1813
show mvx submission from to ... 1815
show mvx submission limit ... 1817
show mvx submission malicious ... 1819
show mvx submission malicious limit ... 1821
show mvx submission md5sum ... 1823
show mvx submission md5sum limit ... 1825
show mvx submission sensor-id { | ALL} ... 1827
show mvx submission sha256 ... 1828
show mvx submission sha256 limit ... 1830
show mvx submission since ... 1832
show mvx submission tenant-id ... 1834
show mvx submission uuid ... 1835
show netwitness analysis ... 1836
show network ... 1837
show npulse analysis ... 1838
show ntp ... 1839
show ntp authentication ... 1841
show ntp authentication configured ... 1843
show ntp configured ... 1844
show object-analysis ... 1846
show object-analysis all ... 1848
show object-analysis done ... 1851
show object-analysis events ... 1854
show object-analysis id from ... 1858
show object-analysis id ... 1862
show object-analysis list ... 1868
show object-analysis running ... 1870
show policymgr drop configuration ... 1873
show policymgr ... 1875
show policymgr interfaces ... 1877
show ips interfaces ... 1879
show ips policies ... 1881
show ips status ... 1885
show raid ... 1889
show raid log ... 1890
show radius ... 1891
show report ... 1892
show restore status ... 1894
show remote-correlation status ... 1895
show running-config ... 1896
show signer-whitelist [disabled] ... 1901
show signer-whitelist mode ... 1905
show sizing stats ... 1907
show snmp ... 1908
show ssh client ... 1909
show ssh server ... 1910
show static-analysis config ... 1912
show stats ... 1914
show stats group submission ... 1916
show submission ... 1917
show submission done ... 1921
show submission dst ... 1925
show submission from ... 1927
show submission id ... 1930
show submission limit ... 1934
show submission malicious ... 1938
show submission md5sum ... 1942
show submission queued ... 1946
show submission range ... 1948
show submission running ... 1952
show submission since ... 1955
show submission src ... 1960
show submission uuid ... 1962
show stty ... 1966
show system entropy ... 1967
show system hardware status ... 1969
show system health ... 1972
show system load ... 1973
show system serial-number ... 1974
show tacacs ... 1975
show tapsender health ... 1977
show tapsender stats ... 1979
show tapsender status ... 1980
show tapsender VPCIP ... 1981
show terminal ... 1982
show tpm ... 1983
show users ... 1984
show usernames ... 1985
show version ... 1988
show web ... 1990
show web-analysis greylists dump-files ... 1992
show web-analysis greylists ips ... 1993
show web-analysis greylists urls ... 1994
show web-analysis greylists ... 1995
show web-analysis ports ... 1996
show web-analysis stats ... 1997
show web-incident done ... 2000
show web-incident dst ... 2002
show web-incident id ... 2004
show web-incident limit ... 2006
show web-incident malicious ... 2009
show web-incident src ... 2012
show whoami ... 2014
show workorders all ... 2016
show workorders done ... 2020
show workorders id ... 2023
show workorders pending ... 2027
show workorders range ... 2029
show workorders running ... 2035
show workorders stats ... 2038
show workorders traces dst ... 2041
show workorders traces src ... 2045
show workorders ... 2049
show wsapi ... 2052
Technical Support ... 2053
PART I: Introduction
This chapter describes how to use the command-line interface (CLI) to configure and administer the FireEye appliance:
• Accessing the CLI
• Online Help and Keyboard Shortcuts
• CLI Modes

Accessing the CLI
You can access the CLI of a FireEye appliance in two ways, as shown below:
• Console
• SSH
Using the Console
To access the CLI of the FireEye appliance using the console port, follow these steps:
1. Connect the serial port of your computer directly to the DB-9 console port on the FireEye appliance.
2. Open a terminal program on your system, such as HyperTerminal on Windows or Minicom on Linux.
3. Configure the serial communication settings of your program as follows:
   • Bits per second: 115,200
   • Data bits: 8
   • Stop bit: 1
   • Parity: None
4. When prompted, enter your username and password. By default, the admin username requires the password admin. If the password field is left blank, the default will be used. Be sure to change the default password for the admin account after initial setup; the password must be at least 8 characters long.
5. Enable the CLI configuration mode:
   hostname > enable
   hostname # configure terminal
6. Start the configuration wizard:
   hostname (config) # configuration jump-start
7. Answer the questions as described in configuration jump-start on page 433.
Using SSH
To remotely and securely access the CLI of the FireEye appliance over the network, follow these steps:
1. Open a terminal window on your system.
2. Use the ssh command to access the appliance. For example, if the IP address of the appliance is 192.168.1.2, enter:
   > ssh user_name@192.168.1.2
3. When prompted, enter the admin password.
Online Help and Keyboard Shortcuts
To view the CLI online help, enter a “?” as follows:
• After the prompt, to view a list of the commands available in the current mode
• After a typed command, to view the available parameters
• After a partially typed keyword, to view the possible completions
The amount of help information displayed depends on the CLI mode you are in (refer to CLI Modes).
You can enter commands in abbreviated form if you enter enough characters to uniquely identify each keyword. For example, the show configuration command can be abbreviated as sh co. To identify a keyword’s minimum abbreviation, type one or more characters and press Tab. If you have entered enough characters, the keyword will be completed.

The following table summarizes the keyboard shortcuts.

Action                              Shortcut            Description
Complete commands                   Tab or Ctrl+I       Complete a partially typed keyword if enough characters are entered to uniquely identify it.
Recall commands                     Ctrl+P or ↑         Retrieve previous command from the CLI history.
                                    Ctrl+N or ↓         Retrieve next command from the CLI history.
                                    Ctrl+L              Redisplay the current command line.
Delete characters                   Ctrl+D              Delete character at the cursor.
                                    Ctrl+H              Delete character before the cursor (same as Backspace key).
                                    Ctrl+K              Delete all characters from the cursor to the end of the line.
                                    Ctrl+U or Ctrl+W    Delete all characters on the line.
Move cursor                         Ctrl+A              Move the cursor to the start of the line.
                                    Ctrl+B              Move the cursor back one character.
                                    Ctrl+E              Move the cursor to the end of the line.
                                    Ctrl+F              Move the cursor forward one character.
Transpose characters                Ctrl+T              Transpose the character at the cursor and the preceding character.
Interrupt command output            Ctrl+C              Interrupt presentation of output on the screen. It may take a while for the interrupt to register and stop the command execution.
Exit configuration mode or log out  Type exit           Change from configuration mode to enabled mode or close the CLI session.
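The abbreviation rule above (a keyword may be shortened to any prefix that identifies it uniquely among the keywords valid at that position, and Tab completes such a prefix) is easy to get wrong when two keywords share a long common prefix or when one keyword is itself a prefix of another. The Python below is an added illustration of that rule; it is not code from this guide or from FireEye, and the small command tree inside it is constructed from a handful of command names in the table of contents rather than taken from the appliance's real parser or its complete command set.

```python
"""Keyword-abbreviation resolver modelled on the CLI rule described in the guide.

COMMAND_TREE is CONSTRUCTED for illustration only: a few command names from
the guide's table of contents, arranged as nested dicts with one level per
keyword position. An empty dict ends the keyword part of a command; anything
typed after that point is treated as arguments and passed through unchanged.
"""

COMMAND_TREE = {
    "show": {
        "clock": {},
        "configuration": {},
        "crypto": {"certificate": {}, "ipsec": {}},
        "interfaces": {},
        "version": {},
    },
    "ssh": {"client": {}, "server": {}},
    "snmp-server": {"host": {}, "user": {}},
    "configure": {"terminal": {}},
    "clear": {"arp-cache": {}},
    "enable": {},
    "exit": {},
}


class AmbiguousKeyword(ValueError):
    """The typed prefix matches more than one keyword at this position."""


class UnknownKeyword(ValueError):
    """The typed prefix matches no keyword at this position."""


def resolve_keyword(typed, candidates):
    """Return the one keyword in `candidates` that `typed` identifies.

    An exact match wins outright, so a keyword that is itself a prefix of a
    longer keyword can still be typed in full. Otherwise `typed` must be a
    prefix of exactly one candidate.
    """
    if typed in candidates:
        return typed
    matches = sorted(k for k in candidates if k.startswith(typed))
    if len(matches) == 1:
        return matches[0]
    if not matches:
        raise UnknownKeyword(f"{typed!r} matches no keyword")
    raise AmbiguousKeyword(f"{typed!r} is ambiguous: {matches}")


def expand_command(line, tree=COMMAND_TREE):
    """Expand an abbreviated command line, e.g. 'sh co' -> 'show configuration'.

    Each word is resolved against the keywords valid at its depth in the
    tree; once the keyword part is exhausted, remaining words are arguments.
    """
    words = line.split()
    if not words:
        raise UnknownKeyword("empty command line")
    node, expanded = tree, []
    for index, word in enumerate(words):
        if not node:
            expanded.extend(words[index:])
            break
        keyword = resolve_keyword(word, node)
        expanded.append(keyword)
        node = node[keyword]
    return " ".join(expanded)


def try_expand(line, tree=COMMAND_TREE):
    """Like expand_command, but return (status, text) instead of raising."""
    try:
        return "ok", expand_command(line, tree)
    except AmbiguousKeyword as err:
        return "ambiguous", str(err)
    except UnknownKeyword as err:
        return "unknown", str(err)


def minimum_abbreviation(keyword, candidates):
    """Shortest prefix of `keyword` that resolve_keyword accepts for it.

    This is what Tab completion settles on. The full keyword is always
    accepted (exact match), so the loop always finds an answer.
    """
    for length in range(1, len(keyword) + 1):
        prefix = keyword[:length]
        try:
            if resolve_keyword(prefix, candidates) == keyword:
                return prefix
        except (AmbiguousKeyword, UnknownKeyword):
            continue
    return keyword


def minimum_abbreviations(candidates):
    """Map every keyword at one position to its minimum unique abbreviation."""
    return {k: minimum_abbreviation(k, candidates) for k in candidates}


if __name__ == "__main__":
    for typed in ("sh co", "sh cr cert", "conf t", "en", "sh c", "e", "shw"):
        status, text = try_expand(typed)
        print(f"{typed!r:14} -> {status}: {text}")
    print(minimum_abbreviations(COMMAND_TREE))
```

Note how "sh c" fails: with clock, configuration and crypto all valid after show, a single c is not enough, which is exactly why the guide quotes sh co rather than sh c. The same resolver run against a different keyword set gives different minimum abbreviations, so abbreviations learned in one mode should not be assumed to work in another.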
CLI Modes
The CLI commands that you can enter depend on your user privileges and the CLI command mode. User privileges are defined by the user account (refer to username). The following table describes the CLI command modes. Note that the prompt in each mode includes the hostname of the FireEye appliance.
Mode: standard
  Description: Monitor system operation and issue some system commands, such as ping and traceroute. This is the default login mode. The following prompt is displayed:
    hostname >
  How to Exit: Enter exit to log out.

Mode: enabled
  Description: Set up and monitor the system (includes all commands in the standard mode). To access the enabled mode, enter enable in the standard mode. The > in the prompt changes to a hash mark (#):
    hostname > enable
    hostname #
  How to Exit: Enter disable.

Mode: configuration
  Description: Configure the FireEye application (includes all commands). To access configuration mode, enter configure terminal in the enabled mode. The prompt changes to indicate the mode:
    hostname # configure terminal
    hostname (config) #
  How to Exit: Enter exit.
To determine the CLI mode for any of the commands in this guide, refer to the system prompt that is shown in the example or examples that accompany the command.
PART II: Command Groups
This section lists related commands based on specific use cases.
AAA Accounting Commands
The following commands are used to configure AAA accounting on a FireEye appliance:
aaa accounting changes default stop-only on page 148
no aaa accounting changes on page 1085
no aaa accounting changes default on page 1086
show aaa on page 1333
tacacs-server host on page 1268
tacacs-server key on page 1283
tacacs-server retransmit on page 1285
tacacs-server timeout on page 1287
show tacacs on page 1975
tacacs-server host auth-port on page 1270
tacacs-server host auth-type on page 1272
tacacs-server host enable on page 1274
tacacs-server host key on page 1275
tacacs-server host prompt-key on page 1277
tacacs-server host retransmit on page 1279
tacacs-server host timeout on page 1281
AAA Authentication Commands
The following commands are used to configure AAA authentication on a FireEye appliance:
aaa authentication attempts class-override admin no-lockout on page 150
aaa authentication attempts class-override unknown hash-username on page 152
aaa authentication attempts class-override unknown no-track on page 154
aaa authentication attempts lockout enable on page 156
aaa authentication attempts lockout lock-time on page 158
aaa authentication attempts lockout max-fail on page 160
aaa authentication attempts lockout unlock-time on page 162
aaa authentication attempts reset all [no-clear-history | no-unlock] on page 164
aaa authentication attempts reset user [no-clear-history | no-unlock] on page 166
aaa authentication attempts track downcase on page 168
aaa authentication attempts track enable on page 169
clear aaa authentication attempts all on page 308
clear aaa authentication attempts user on page 310
aaa authentication login default on page 190
aaa authentication certificate crl delete filename on page 170
aaa authentication certificate crl fetch url on page 171
aaa authentication certificate ocsp default url on page 173
aaa authentication certificate ocsp enable on page 175
aaa authentication certificate ocsp override-responder on page 176
aaa authentication certificate username x509-cert-san-email on page 177
aaa authentication certificate username x509-cert-san-email-username on page 178
aaa authentication certificate username x509-cert-san-upn on page 179
aaa authentication certificate username x509-cert-san-upn-username on page 180
aaa authentication certificate username x509-cert-subject on page 181
aaa authentication certificate username x509-cert-subject-cn on page 183
aaa authentication certificate validation allow-missing-basic-constraints on page 184
aaa authentication certificate web policy allowed on page 186
aaa authentication certificate web policy disabled on page 188
aaa authentication certificate web policy required on page 189
show aaa authentication certificate crl on page 1336
show aaa authentication certificate on page 1338
aaa authentication password lcd length minimum on page 192
aaa authentication password local change allow-encrypt on page 193
aaa authentication password local change require-current on page 195
aaa authentication password local character-type minimum on page 197
aaa authentication password local history clear on page 199
aaa authentication password local history compare on page 201
aaa authentication password local length on page 203
aaa authentication password local max-char-repeats on page 205
aaa authentication password local no-userid on page 207
aaa authentication password local require-change advance-warning on page 208
aaa authentication password local require-change force on page 210
aaa authentication password local require-change max-password-days on page 212
aaa authentication password local require-change new-account on page 214
AAA Authorization Command Family
The following commands are used to configure AAA authorization on a FireEye appliance:
aaa authorization certificate map-ldap enable on page 216
aaa authorization certificate map-ldap match-cert-field x509-cert-san-email on page 217
aaa authorization certificate map-ldap match-cert-field x509-cert-san-email-username on page 218
aaa authorization certificate map-ldap match-cert-field x509-cert-san-upn on page 219
aaa authorization certificate map-ldap match-cert-field x509-cert-san-upn-username on page 221
aaa authorization certificate map-ldap match-cert-field x509-cert-subject on page 222
aaa authorization certificate map-ldap match-cert-field x509-cert-subject-cn on page 224
aaa authorization certificate map-ldap match-ldap-attribute mail on page 225
aaa authorization certificate map-ldap match-ldap-attribute sAMAccountName on page 226
aaa authorization certificate map-ldap match-ldap-attribute uid on page 228
aaa authorization certificate map-ldap search-filter on page 229
aaa authorization certificate map-ldap username-override on page 231
aaa authorization map default-user on page 233
aaa authorization map order on page 235
aaa authorization roles on page 238
aaa authorization rules enable on page 240
aaa authorization rules rule append tail [ ...] on page 242
aaa authorization rules rule insert on page 246
aaa authorization rules rule modify on page 249
aaa authorization rules rule set on page 253
show aaa authorization certificate on page 1345
show aaa authorization rules on page 1347
Advanced Threat Intelligence Commands
This section describes the CLI commands used to enable or disable Advanced Threat Intelligence (ATI).
ati auto-update enable on page 1
ati enable on page 1
show ati status on page 1
Alerts Command Family
The following commands are used to configure alerts on a FireEye appliance:
alerts whitelist src ip on page 257
show alerts whitelist src ip on page 1354
Analysis Commands
The following commands are used to configure and test network settings used for controlled live mode and URL dynamic analysis on a FireEye appliance:
analysis live check-connection on page 259
analysis live default-gateway ip on page 260
analysis live external ip on page 261
analysis live http-proxy on page 262
analysis live nameserver ip on page 264
analysis live proxy-authentication on page 265
show analysis live config on page 1355
Appliance Boot Image Commands
image delete on page 952
image fetch on page 953
image install on page 954
image move on page 956
image options on page 957
qserver enable on page 1158
show bootvar on page 1374
show images on page 1698
show version on page 1988
Appliance Upgrade Commands
These commands are used to download new versions of the appliance boot image and install them on a boot partition. You can then reboot the system to load the new boot image (refer to reload on page 1166). The appliance upgrade commands are:
image boot on page 1
image boot location on page 950
image delete on page 952
image fetch on page 953
image install on page 954
image move on page 956
image options on page 957
qserver enable on page 1158
show bootvar on page 1374
show images on page 1698
ARP Command Family
The following commands are used to configure Address Resolution Protocol (ARP) settings on a FireEye appliance:
arp on page 266
clear arp-cache on page 312
show arp on page 1359
show arp static on page 1360
AV Suite Command Family
The following commands are used to configure the AV Suite feature on a FireEye appliance:
av-suite enable on page 272
show fenet security-content status on page 1581
show static-analysis config on page 1912
Backup Command Family
This section describes the CLI commands used to administer the backup function on the appliance.
backup cancel on page 274
backup delete from name on page 275
backup profile to on page 276
restore profile from name on page 1221
show backup available on page 1364
show backup estimate profile on page 1366
show backup status on page 1369
show restore status on page 1894
Banner Command Family
This section describes the CLI commands used to administer the banner function on the appliance.
banner login on page 280
banner login-local on page 282
banner login-remote on page 284
banner motd on page 286
show banner on page 1370
Block by Proxy Commands
This chapter describes the application commands specific to the Block by Proxy feature.
fenotify preferences bbp enable on page 712
Bridge Command Family
This section describes the CLI commands used to administer the bridge function on the appliance.
bridge on page 307
bridge enable on page 299
bridge forward-time on page 301
bridge hello-time on page 303
bridge max-age on page 304
bridge priority on page 305
bridge spanning-tree enable on page 306
interface bridge-group on page 1
interface bridge-group path-cost on page 1
interface bridge-group priority on page 1
Boot Manager Command Family
The following commands are used to configure the boot manager feature on a FireEye appliance:
boot bootmgr disable password on page 290
boot next fallback-reboot enable on page 291
boot system location on page 293
boot system next on page 295
image boot location on page 950
show bootvar on page 1374
show images on page 1698
CAC Commands
The following commands are used to configure the appliance to use the Common Access Card (CAC) for all user authentications.
aaa authentication certificate crl delete filename on page 170
aaa authentication certificate crl fetch url on page 171
aaa authentication certificate ocsp default url on page 173
aaa authentication certificate ocsp enable on page 175
aaa authentication certificate ocsp override-responder on page 176
aaa authentication certificate username x509-cert-san-email on page 177
aaa authentication certificate username x509-cert-san-email-username on page 178
aaa authentication certificate username x509-cert-san-upn on page 179
aaa authentication certificate username x509-cert-san-upn-username on page 180
aaa authentication certificate username x509-cert-subject on page 181
aaa authentication certificate username x509-cert-subject-cn on page 183
aaa authentication certificate validation allow-missing-basic-constraints on page 184
aaa authentication certificate web policy allowed on page 186
aaa authentication certificate web policy disabled on page 188
aaa authentication certificate web policy required on page 189
aaa authorization certificate map-ldap enable on page 216
aaa authorization certificate map-ldap match-cert-field x509-cert-san-email on page 217
aaa authorization certificate map-ldap match-cert-field x509-cert-san-email-username on page 218
aaa authorization certificate map-ldap match-cert-field x509-cert-san-upn on page 219
aaa authorization certificate map-ldap match-cert-field x509-cert-san-upn-username on page 221
aaa authorization certificate map-ldap match-cert-field x509-cert-subject on page 222
aaa authorization certificate map-ldap match-cert-field x509-cert-subject-cn on page 224
aaa authorization certificate map-ldap match-ldap-attribute mail on page 225
aaa authorization certificate map-ldap match-ldap-attribute sAMAccountName on page 226
aaa authorization certificate map-ldap match-ldap-attribute uid on page 228
aaa authorization certificate map-ldap search-filter on page 229
aaa authorization certificate map-ldap username-override on page 231
aaa authorization rules rule append tail [ ...] on page 242
aaa authorization rules rule insert on page 246
aaa authorization rules rule modify on page 249
aaa authorization rules rule set on page 253
crypto certificate bundle cert-name on page 457
crypto certificate bundle comment on page 459
crypto certificate bundle fetch url on page 461
show aaa on page 1333
show aaa authentication certificate crl on page 1336
show aaa authentication certificate on page 1338
show aaa authorization certificate on page 1345
show aaa authorization rules on page 1347
show crypto certificate bundle on page 1435
show crypto certificate decode raw pem on page 1446
CLI Session Commands
The CLI session commands are used to specify the default CLI settings for future sessions and the CLI settings for the current session.
cli clear-history on page 314
cli default on page 315
cli disable-history on page 317
cli enable-history on page 318
cli session auto-logout on page 318
cli session paging enable on page 319
cli session prefix-modes {enable | show-config} on page 320
cli session progress enable on page 321
cli session terminal length on page 322
cli session terminal resize on page 323
cli session terminal type on page 324
cli session terminal width on page 325
cli session x-display full on page 325
show cli on page 1380
show terminal on page 1982
terminal on page 1297
CM Peer Service Command Family The following commands are used to configure and manage CM Peer Service and associated features. cms feature peer-service enable on page 402 cms peer delete on page 403 cms peer enable on page 404 cms peer interaction dist-correlation enable on page 405 cms peer interaction dti enable on page 406 cms peer interaction dti proxy mode no-proxy on page 407 cms peer interaction dti proxy mode use-fenet on page 408 cms peer-service auth-token export on page 409 cms peer-service auth-token generate on page 410 cms peer-service auth-token import on page 412 cms peer-service enable on page 414 show cms peer-service on page 1420
70
© 2016 FireEye
Release 7.9
CM Series High Availability (HA) Command Family

The following commands are used to configure, manage, and monitor a CM Series High Availability (HA) cluster.

- ha address vip on page 804
- ha engine failover on page 806
- ha engine reset cluster-config on page 808
- ha engine restart on page 810
- ha engine split-brain shutdown auto on page 813
- ha engine stop on page 815
- ha interface backup on page 817
- ha interface default on page 818
- ha node failover auto on page 819
- ha node join on page 821
- ha node leave on page 823
- ha node leave on page 825
- ha replicate alerts enable on page 827
- ha replicate updates enable on page 829
- ha resource enable on page 831
- show ha configuration on page 1654
- show ha image check status on page 1658
- show ha interfaces on page 1660
- show ha members on page 1662
- show ha members all on page 1663
- show ha replication status on page 1664
- show ha resources on page 1666
- show ha status (for CM) on page 1669
CMC Appliance Authentication Commands

The following commands are used to configure the CMC appliance authentication:

- cmc appliance auth password password on page 333
- cmc appliance auth password username on page 334
- cmc appliance auth ssh-dsa2 identity push [username password []] on page 335
- cmc appliance auth ssh-dsa2 identity on page 337
- cmc appliance auth ssh-dsa2 username on page 338
- cmc appliance auth ssh-rsa2 identity push [username password []] on page 339
- cmc appliance auth ssh-rsa2 identity on page 341
- cmc appliance auth ssh-rsa2 username on page 342
- cmc appliance authtype on page 343
CMC Client Server Command Family

The following commands are used to configure, manage, and monitor the CMC Client Server on the sensors.

- cmc client server address
- cmc client server auth authtype
- cmc client server auth password password
- cmc client server auth password username
- cmc client server auth ssh-dsa2 identity
- cmc client server auth ssh-dsa2 username
- cmc client server auth ssh-rsa2 identity
- cmc client server auth ssh-rsa2 username
- cmc client server capabilities username
- cmc client server port
- cmc client server remove-key
- cmc client server source address
- cmc client server source port
Compliance Commands

The compliance commands bring a system into compliance with one or more standards.

- compliance apply standard on page 415
- compliance declassify zeroize on page 416
- compliance options fips-mode-crypto enable on page 417
- compliance options ftp-file-transfer enable on page 418
- compliance options http-file-transfer enable on page 419
- compliance options manual-key-entry enable on page 420
- compliance options restricted-license enable on page 421
- compliance options secure-channel-logs enable on page 422
- compliance options snmp-crypto-limit enable on page 423
- compliance options user-key-access enable on page 424
- compliance options webui enable on page 425
- show compliance options on page 1425
- show compliance standard on page 1426
Configuration Management Commands

The configuration management commands are used to create new configurations, specify the current active configuration, save configuration changes, and view the settings in each configuration.

- configuration audit max-changes on page 426
- configuration autosave on page 1
- configuration copy on page 428
- configuration delete on page 430
- configuration factory on page 431
- configuration fetch on page 432
- configuration jump-start on page 433
- configuration merge on page 439
- configuration move on page 440
- configuration new on page 441
- configuration revert factory keep-basic on page 441
- configuration revert factory keep-connect on page 442
- configuration revert saved on page 444
- configuration switch-to on page 446
- configuration text on page 448
- configuration upload on page 451
- configuration write [to [no-switch]] on page 452
- show configuration on page 1429
- show configuration audit on page 1428
- show configuration files on page 1434
- show running-config on page 1896
- write on page 1326
Cryptographic Commands

These commands are used to configure certificates and other X.509 (TLS/SSL) features, to configure HTTP/HTTPS authentication for remote access to the Web UI, and to configure Secure Shell (SSH) authentication for remote access to the CLI. Other commands configure user and host authentication for the connection between the CM Series platform and the appliances it manages. For details, see CM Series Command Family on page 135.
- crypto certificate on page 463
- crypto certificate ca chain web server
- crypto ipsec on page 470
- email ssl on page 562
- ldap ssl on page 1014
- show crypto certificate on page 1449
- show crypto certificate ca-chain on page 1439
- show crypto certificate ca-chain brief on page 1440
- show crypto certificate ca-chain detail on page 1445
- show crypto certificate ca-chain chain-name on page 1441
- show crypto certificate ca-chain chain-name brief on page 1443
- show crypto certificate ca-chain chain-name detail on page 1444
- show crypto ipsec on page 1451
- show email on page 1462
- show ldap on page 1729
- show ssh client on page 1909
- show ssh server on page 1910
- show web on page 1990
- snmp-server user on page 1241
- ssh client on page 1243
- ssh server on page 1247
- ssh server listen enable
- ssh server listen interface
- web client ssl on page 1312
- web server on page 1316
- web server listen enable
- web server listen interface
- web server ssl ca-chain
Date and Time Commands

The date and time commands are used to set the system clock and time zone, and to configure Network Time Protocol (NTP). The Z character in syslog output indicates that the time displayed is in the UTC time zone; for example: Oct 19 2012 16:10:10 Z.

- clock set on page 327
- clock timezone on page 328
- fenet time sync on page 645
- show clock on page 1383
- ntp authentication enable on page 1099
- ntp authentication key on page 1101
- no ntp authentication key on page 1094
- no ntp server authentication on page 1095
- ntp disable on page 1103
- ntp enable on page 1105
- ntp peer on page 1106
- ntp peer authentication on page 1107
- ntp peer disable on page 1108
- ntp peer version on page 1109
- ntp server on page 1110
- ntp server authentication on page 1111
- ntp server disable on page 1112
- ntp server version on page 1114
- ntpdate on page 1116
- show ntp on page 1839
- show ntp authentication on page 1841
- show ntp authentication configured on page 1843
- show ntp configured on page 1844
DTI Cache Proxy Command Family

The following commands are used to download software updates from the DTI network to a cache on the CM Series platform, and to manage the cache:

- fenet dti cache populate guest-images all on page 590
- fenet dti cache populate guest-images appliance on page 592
- fenet dti cache populate image product on page 594
- fenet dti cache populate image product all on page 596
- fenet dti cache populate image product version on page 599
- fenet dti proxy cache purge on page 614
- fenet dti proxy cache purge auto on page 615
- fenet dti proxy cache purge file on page 616
- fenet dti proxy cache purge file-type on page 617
- show fenet dti cache populate guest-images status on page 1549
- show fenet dti cache populate images status on page 1551
- show fenet dti proxy cached-content on page 1553
- show fenet dti proxy cached-content freshness-info on page 1555
- show fenet dti proxy cached-content show-stale on page 1558
- show fenet dti proxy cached-content version on page 1560
- show fenet dti proxy configuration on page 1562
- show fenet dti proxy configuration all on page 1564
DTI Network Service Commands

The Dynamic Threat Intelligence (DTI) network service commands allow the appliance to participate in the FireEye DTI network to receive timely updates of security content and, optionally, to upload malware intelligence to the FireEye Malware Intelligence Labs.
- fe-access connect
- fe-access enable
- fe-access proxy enable
- fe-access proxy set
- fe-access proxy use-fenet
- fe-access set
- fenet appliance image
- fenet appliance manage
- fenet appliance patch
- fenet dti faude service
- fenet dti mil service
- fenet dti source
- fenet dti upload destination
- fenet enable
- fenet guest-images
- fenet image
- fenet metadata refresh
- fenet op-mode local
- fenet op-mode online
- fenet op-mode url
- fenet proxy
- fenet proxy enable
- fenet security-content
- fenet session
- fenet ssl
- fenet stats-content aggregator enable
- fenet stats-content upload {auto | now}
- fenet user
- show fe-access
- show fenet
- show fenet appliance
- show fenet dti configuration
- show fenet guest-images status
- show fenet image
- show fenet key
- show fenet metadata status
- show fenet security-content
- show fenet stats-content
- show fenet status
Email Analysis Commands

The following commands are used to configure email analysis on an EX Series appliance:

- email-analysis adv-url-defense rewrite enable on page 487
- email-analysis allowed-list on page 489
- email-analysis blocked-list on page 492
- email-analysis controlled-live-mode enable on page 495
- email-analysis delete on page 497
- email-analysis delete-message on page 498
- email-analysis domain on page 499
- email-analysis filter on page 507
- email-analysis flush-message on page 508
- email-analysis interface on page 509
- email-analysis mode on page 513
- email-analysis mta certificate name on page 514
- email-analysis mta smtp start on page 517
- email-analysis mta smtp stop on page 515
- email-analysis mta start on page 518
- email-analysis mta stop on page 519
- email-analysis pass-extract add on page 1
- email-analysis pass-extract delete on page 1
- email-analysis policy adv-url-defense enable on page 520
- email-analysis policy att-limit on page 520
- email-analysis policy congestion bypass-threshold on page 521
- email-analysis policy congestion high-threshold on page 522
- email-analysis policy congestion mode bypass enable on page 522
- email-analysis policy congestion mode refuse-connection enable on page 523
- email-analysis policy feature-extractor enable on page 524
- email-analysis policy image-analysis enable on page 524
- email-analysis policy max-size-limit on page 525
- email-analysis policy message-tracking max-days-records on page 526
- email-analysis policy message-tracking syslog-enable on page 527
- email-analysis policy monitor backoff on page 527
- email-analysis policy monitor bypass-threshold on page 528
- email-analysis policy monitor defer-threshold on page 529
- email-analysis policy monitor enable on page 530
- email-analysis policy monitor interval on page 530
- email-analysis policy notice admin on page 531
- email-analysis policy notice bcc on page 532
- email-analysis policy notice body on page 532
- email-analysis policy notice enable on page 533
- email-analysis policy notice from on page 534
- email-analysis policy notice subject on page 534
- email-analysis policy parse-https enable on page 535
- email-analysis policy reload on page 536
- email-analysis policy url-images enable on page 538
- email-analysis policy url-limit on page 538
- email-analysis policy url-phishing blacklist enable on page 539
- email-analysis policy url-phishing whitelist enable on page 539
- email-analysis policy use-header enable on page 540
- email-analysis policy xheader enable on page 541
- email-analysis policy yara-analysis enable on page 542
- email-analysis policy typosquatting enable on page 537
- email-analysis quarantine on page 543
- email-analysis reroute-message on page 544
- email-analysis suppress on page 545
- email-analysis adv-url-defense cache {whitelist | blacklist} on page 486
- email-analysis url-dynamic-analysis enable on page 546
- show email-analysis on page 1463
- show email-analysis adv-url-defense configuration on page 1491
- show email-analysis adv-url-defense statistics on page 1493
- show email-analysis all on page 1465
- show email-analysis allowed-list statistics on page 1465
- show email-analysis attachment on page 1466
- show email-analysis blocked-list statistics on page 1467
- show email-analysis done on page 1468
- show email-analysis log on page 1470
- show email-analysis message-queue max-num on page 1471
- show email-analysis mta mynetworks on page 1473
- show email-analysis mta status on page 1495
- show email-analysis pass-extract ignorewords on page 1475
- show email-analysis pass-extract keywords on page 1476
- show email-analysis pass-extract passwords on page 1477
- show email-analysis policy on page 1502
- show email-analysis queued on page 1482
- show email-analysis running on page 1483
- show email-analysis statistics on page 1484
- show email-analysis url on page 1500
- show email-analysis url-dynamic-analysis on page 1497
- show email-analysis yara-statistics on page 1489
Email Analysis Password Extraction Command Family

The following commands are used to configure password extraction for embedded email objects.

- email-analysis pass-extract add ignoreword on page 500
- email-analysis pass-extract add keyword on page 501
- email-analysis pass-extract add password on page 502
- email-analysis pass-extract delete ignoreword on page 503
- email-analysis pass-extract delete keyword on page 504
- email-analysis pass-extract delete password on page 504
- email-analysis pass-extract limit on page 505
- show email-analysis pass-extract ignorewords on page 1475
- show email-analysis pass-extract keywords on page 1476
- show email-analysis pass-extract passwords on page 1477
Email Command Family

The following commands are used to configure the events to be emailed to one or more email addresses using a Simple Mail Transfer Protocol (SMTP) server:

- email auth enable on page 548
- email auth password [] on page 548
- email auth username on page 549
- email autosupport enable on page 550
- email autosupport event on page 550
- email dead-letter cleanup max-age on page 552
- email dead-letter enable on page 553
- email domain on page 554
- email mailhub on page 554
- email mailhub-port on page 555
- email notify event on page 556
- email notify recipient [class {failure | info} | detail] on page 558
- email return-addr on page 559
- email return-host on page 560
- email send-test on page 561
- email ssl on page 562
Event Notification Commands

This section describes the commands for configuring event notifications, which relate to the detection and protection functions of the FireEye appliance. The event notification framework triggers notifications to the registered consumers whenever the FireEye appliance detects an anomalous situation. Supported notification protocols include email/SMTP, HTTP/HTTPS, SNMP, and rsyslog.

Notification formats include Text Normal, Text Concise, Text Extended, JSON Normal, JSON Concise, JSON Extended, XML Normal, XML Concise, and XML Extended. Notifications in the "normal" formats contain the same content as "concise" but also include OS Changes, callback details, and malware details, if available. Extended Text is the same as "normal" but also includes data-theft and static analysis information.

The notification commands are available for NX, AX, FX, and EX Series appliances. They are not available for the CM Series appliance.
- fenotify default timezone on page 697
- fenotify email on page 698
- fenotify enable on page 702
- fenotify http alert on page 703
- fenotify http default on page 704
- fenotify http enable on page 706
- fenotify http service on page 707
- fenotify http service <service_name> prefer http-version on page 1
- fenotify preferences alerts-update ati enable on page 711
- fenotify preferences json on page 716
- fenotify preferences normalize-ips-event enable on page 717
- fenotify preferences rsyslog-strip-lnfb enable on page 719
- fenotify preferences sender-cpu-ratio on page 720
- fenotify preferences text on page 722
- fenotify preferences support-riskware enable on page 720
- fenotify preferences use-fenet-proxy enable on page 723
- fenotify preferences xml on page 724
- fenotify rsyslog alert enable on page 725
- fenotify rsyslog default delivery on page 1
- fenotify rsyslog default facility on page 1
- fenotify rsyslog default format on page 1
- fenotify rsyslog default send-as on page 1
- fenotify rsyslog enable on page 730
- fenotify rsyslog trap-sink address on page 731
- fenotify rsyslog trap-sink chunk-size on page 732
- fenotify rsyslog trap-sink enable on page 733
- fenotify rsyslog trap-sink port on page 734
- fenotify rsyslog trap-sink prefer message delivery on page 735
- fenotify rsyslog trap-sink prefer message format on page 737
- fenotify rsyslog trap-sink prefer message item-order on page 740
- fenotify rsyslog trap-sink prefer message send-as on page 741
- fenotify rsyslog trap-sink prefer notification on page 743
- fenotify rsyslog trap-sink protocol on page 745
- fenotify rsyslog trap-sink user on page 746
- fenotify rsyslog trap-sink on page 747
- fenotify snmp on page 748
- fenotify ssl on page 750
- fenotify test-fire on page 752
- show fenotify alerts on page 1594
- show fenotify email on page 1602
- show fenotify http on page 1604
- show fenotify preferences on page 1606
- show fenotify preferences json on page 1611
- show fenotify preferences text on page 1612
- show fenotify preferences xml on page 1613
- show fenotify rsyslog on page 1614
- show fenotify snmp on page 1616
Events Database Configuration Commands

This section describes the CLI commands used to configure the events database.

- fedb events archival age days on page 576
- fedb events archival himark on page 577
- fedb events archival journal on page 578
- fedb events archival time on page 579
- fedb events source ip resolve-dns on page 580
- fedb events source ip resolve-dns-first on page 581
- fedb events source ip resolve-netbios on page 582
- show fedb events configuration on page 1545
Events Database Management Commands

This section describes the CLI commands for managing the appliance database.

- fedb backup on page 575
- fedb hold on page 583
- fedb malware on page 584
- fedb restore on page 585
- show fedb backups on page 1544
Events Commands

This section describes the CLI commands used to display detailed information about events detected by the appliance.

- alerts whitelist src ip on page 257
- show events after on page 1511
- show events before on page 1514
- show events between on page 1518
- show events count on page 1523
- show events on on page 1524
- show events today on page 1528
- show events type on page 1532
- show events yesterday on page 1536
- show events [] on page 1540
FMPS (FX) Scan Command Family

This section describes the CLI commands used to configure and manage FX Scans.

- fmps scan configure filetypes on page 767
- fmps scan configure scan-name on page 769
- fmps scan configure start-time on page 770
- fmps scan configure subdirectories on page 772
- fmps scan configure target-shares on page 773
- fmps scan create on page 775
- fmps scan delete on page 758
- fmps scan schedule on page 777
- fmps scan start on page 778
- fmps scan start scan-id listen on page 779
Forensic Analysis Command Family

This section describes the CLI commands used to integrate the NX Series with the applicable packet analyzer application from the supported partner.

- forensic analysis enable on page 791
- netwitness analysis enable on page 1084
- npulse analysis enable on page 1097
- show forensic analysis on page 1641
- show netwitness analysis on page 1836
- show npulse analysis on page 1838
FUME Command Family

The following FireEye Unified Multiflow Engine (FUME) commands are used to display the network statistics and malware object statistics based on the Web traffic that the NX Series appliance monitors in your network:

- show fume content-version on page 1642
- show fume network stats on page 1644
- show fume object stats on page 1646
Connect to FireEye as a Service Commands

You can connect your FireEye appliance to FireEye as a Service over the internet using a secure VPN connection. The open VPN port establishes connectivity from FireEye as a Service to the FireEye appliance.
- username fe services password on page 1305
- Managed Defense vpn http proxy on page 1046
- Managed Defense vpn enable on page 1045
- show managed-defense vpn connection on page 1790
- write on page 1326
Guest Images Commands

This section describes the CLI commands for managing the Guest Images that are used to analyze and validate suspicious or captured traffic. Each Guest Image represents an operating system and applications.
- guest-images configure
- guest-images disable-list
- guest-images download
- guest-images file-association reset
- guest-images install
- guest-images limit-rate
- show guest-images
Related Commands

- fenet guest-images on page 627
- show fenet guest-images status on page 1570
Incident Command Family

This section describes the CLI commands used to display information about web analysis incident jobs that are confirmed on the appliance.

- show incident all on page 1699
- show incident list on page 1702
- show incident on page 1704
Intelligent Platform Management Interface (IPMI) Commands

The IPMI interface uses a network connection to the IPMI port of the appliance and is accessed through a secure Web browser session. (The standard IPMI interface allows connections using third-party tools such as Supermicro's IPMIView; however, all such external access to the IPMI interface from the appliance is disabled.)

You must configure the IPMI interface using the appliance CLI before logging in to it. You can specify a static IP address for the IPMI port or use Dynamic Host Configuration Protocol (DHCP) to assign an IP address. The default configuration uses a static IP address, with "0.0.0.0" as the IP address, netmask, and default gateway. It is recommended that you do not configure a public IP address as the default gateway IP address.

For details about the IPMI interface and the tasks you can perform with it, see the System Administration Guide for your appliance.
- ipmi firmware reload
- ipmi firmware update latest
- ipmi firmware update notice enable
- ipmi lan defgw
- ipmi lan ipaddr
- ipmi lan ipsrc
- ipmi lan netmask
- ipmi lan shutdown
- ipmi log clear
- ipmi user set password
- show ipmi
- show ipmi interface
- show ipmi log
- show ipmi version
- show ipmi version include-firmware-update-notice
Interface Commands

The interface commands are used to configure the network interfaces on the FireEye appliance, including the email interface, the Liquid Crystal Display (LCD) on the front panel, the Secure Shell (SSH) management interface, and the Simple Network Management Protocol (SNMP).
- email
- interface
- lcd
- show bridges
- show email
- show interfaces
- show lcd
- show snmp
- snmp-server
- snmp-server host
IP Addressing Commands

The IP addressing commands are used to specify Domain Name Service (DNS) servers, map hostnames to IP addresses, define the default gateway, and add static routes.
- arp
- clear arp-cache
- clear ipv6 neighbors
- ip default-gateway
- ip dhcp
- ip domain-list
- ip map-hostname
- ip name-server
- ip route
- ipv6 default-gateway
- ipv6 enable
- ipv6 host
- ipv6 neighbor
- ipv6 route
- job
- management interface allow (deprecated)
- nslookup
- resolver
- show arp
- show hosts
- show ip
- show ipv6
- show jobs
- show management interface
IPS Commands

On an IPS-enabled platform, you can use the ips and show ips commands to configure IPS policies, apply IPS policies to monitoring interfaces, and display IPS policy attributes.

- ips apply on page 1144
- ips auto-update enable on page 984
- ips blockmode on page 986
- ips brute-force threshold on page 988
- ips detail-filter on page 989
- ips policy clone on page 1143
- ips policy match on page 1146
- ips policy rules on page 1151
- ips policy on page 1142
- ips reconnaissance enable on page 991
- ips reconnaissance threshold on page 992
- ips signature id on page 994
- ips signature name on page 998
- show ips interfaces on page 1879
- show ips policies on page 1881
- show ips reconnaissance on page 1719
- show ips signatures on page 1721
- show ips status on page 1885
License Management Command Family

The following commands are used to activate licensed features.

- fenet license update [force] on page 636
- fenet license update enable on page 638
- license delete on page 1018
- license install on page 1021
- show eula status on page 1508
- show eula text on page 1509
- show fenet license on page 1575
- show licenses on page 1730
Local BA Signer Whitelist Command Family

The following commands are used to configure the local BA signer whitelist on a FireEye appliance:

- show signer-whitelist [disabled] on page 1901
- show signer-whitelist mode on page 1905
- signer-whitelist disable on page 1226
- signer-whitelist enable on page 1228
- signer-whitelist mode on page 1230
Local Signature Commands

Once local signature generation is enabled, this component can generate local bot rules based on the alerts generated in the system. The following local signature commands are described:
- localsig enable
- show localsig
Log Management Commands

The log management commands are used to view the log files, send log messages to one or more syslog servers, and manage the log files saved on the local disk. The log management commands are:
- logging
- logging fields
- logging files rotation
- logging files audit upload
- logging files upload
- logging format
- logging local
- logging receive
- logging remote
- logging trap
- show log
- show log audit
- show log audit files all
- show log files all
- show logging
Malware Object Analysis Command Family

This section describes the CLI commands used to display detailed statistics about the malware objects that have been analyzed on the appliance.

- show object-analysis on page 1846
- show object-analysis all on page 1848
- show object-analysis done on page 1851
- show object-analysis events on page 1854
- show object-analysis id from on page 1858
- show object-analysis id on page 1862
- show object-analysis list on page 1868
- show object-analysis running on page 1870
Malware Submission Command Family

This section describes the CLI commands used to display detailed statistics about the malware submission jobs that were submitted on the appliance.

- show submission done on page 1921
- show submission dst on page 1925
- show submission from on page 1927
- show submission id on page 1930
- show submission limit on page 1934
- show submission malicious on page 1938
- show submission md5sum on page 1942
- show submission queued on page 1946
- show submission range on page 1948
- show submission running on page 1952
- show submission since on page 1955
- show submission src on page 1960
- show submission uuid on page 1962
- show submission on page 1917
Media Disk Commands

This section describes the CLI commands used to configure and manage RAID hard drives.

Related commands: RAID
- media disk activity-light off
- media disk activity-light on
- media disk offline
- media disk online
- media disk rebuild cancel
- media disk rebuild start
- show media disk
- show media disk rebuild
- show media disk smart
Media USB Commands

This section describes the CLI commands used to configure auto-mounting on a USB device.
- media usb auto-mount enable
- media usb eject
- media usb mount
- media usb web-access enable local
- media usb web-access top-dir
- show media usb
MTP Command Family

The following commands are used to configure FireEye Mobile Threat Prevention (MTP) on an MX Series appliance:

- msm admin password reset on page 1063
- msm common certs deploy on page 1064
- msm compatibility {old-hmac | ""} on page 1066
- msm ip-security-policy clear on page 1069
- msm mgmt-interface {false | true} on page 1070
- msm mgmt-interface gw on page 1072
- mtp enable on page 1073
- show msm [common] on page 1796

Additional core commands that are also available for FireEye MTP include the following:
- License Management Command Family on page 103
- DTI Network Service Commands on page 80
- IP Addressing Commands on page 101
- Configuration Management Commands on page 75
- CLI Session Commands on page 69
- Date and Time Commands on page 78
- Events Database Management Commands on page 91
- Interface Commands on page 100
- Log Management Commands on page 106
- Intelligent Platform Management Interface (IPMI) Commands on page 99
MVX Appliance Command Family

The following commands are used to configure MVX appliances:

- fenet update appliance on page 656
- fenet update appliance cancel on page 657
- fenet update appliance guest-image cancel on page 659
- fenet update appliance guest-image delete on page 660
- fenet update appliance guest-image download on page 661
- fenet update appliance guest-image install on page 662
- fenet update appliance guest-image resume on page 663
- fenet update appliance guest-image on page 658
- fenet update appliance no-reboot on page 664
- fenet update appliance resume on page 665
- fenet update appliance suspend on page 666
- fenet update appliance system-image no-reboot on page 668
- fenet update appliance system-image reboot on page 669
- fenet update appliance system-image version on page 670
- fenet update appliance system-image on page 667
- fenet update appliance version on page 671
- fenet update appliance on page 656
- show fenet update status appliance on page 1596
MVX Cluster Command Family

The following commands are used to configure the MVX Cluster:

- cmc mvx cluster on page 365
- cmc mvx cluster broker enable on page 366
- cmc mvx cluster description on page 367
- cmc mvx cluster master on page 368
- cmc mvx cluster node on page 369
- cmc mvx cluster sync-config on page 370
- cmc mvx sensor enrollment {enroll | unenroll} on page 371
- fenet dti enrollment service default DTI on page 602
- fenet dti enrollment service override enable on page 604
- fenet dti enrollment service type DTI address on page 606
- fenet dti enrollment service type DTI username password on page 608
- fenet update cluster on page 672
- fenet update cluster cancel on page 674
- fenet update cluster guest-image cancel on page 676
- fenet update cluster guest-image delete on page 677
- fenet update cluster guest-image download on page 678
- fenet update cluster guest-image install on page 679
- fenet update cluster guest-image resume on page 680
- fenet update cluster guest-image on page 675
- fenet update cluster no-reboot on page 681
- fenet update cluster resume on page 682
- fenet update cluster suspend on page 683
- fenet update cluster system-image no-reboot on page 684
- fenet update cluster system-image reboot on page 685
- fenet update cluster system-image version on page 686
- fenet update cluster system-image on page 687
- fenet update cluster version on page 689
- mvx cluster cloud enable on page 1074
- mvx cluster {enroll | unenroll} now on page 1075
no mvx cluster enroll on page 1091
no mvx cluster enrollment-service on page 1093
no mvx cluster enrollment-service client on page 1092
mvx cluster enrollment-service client enable on page 1076
mvx cluster enrollment-service preferred name on page 1077
mvx sensor config submission-if on page 1081
mvx sensor config submission-if default-gateway {ipv4 | ipv6} on page 1082
mvx sensor enable on page 1083
show fenet update status cluster {brief | detail} on page 1600
show mvx cluster enrollment status on page 1799
show mvx node queuemgr status on page 1801
show mvx node status on page 1803
show mvx node status full on page 1805
show mvx status on page 1806
MVX Submission Command Family

The following commands display information about submissions that the cluster processed:

show mvx submission
show mvx submission done on page 1810
show mvx submission done limit on page 1813
show mvx submission from to on page 1815
show mvx submission limit on page 1817
show mvx submission malicious on page 1819
show mvx submission malicious limit on page 1821
show mvx submission md5sum on page 1823
show mvx submission md5sum limit on page 1825
show mvx submission sensor-id { | ALL} on page 1827
show mvx submission sha256 on page 1828
show mvx submission sha256 limit on page 1830
show mvx submission since on page 1832
show mvx submission tenant-id on page 1834
show mvx submission uuid on page 1835
Network Deployment Check Commands

Use the network deployment check commands to manage the daily check for network status information that indicates deployment problems for an NX Series appliance. The network deployment check commands are:

deployment check network clear
deployment check network duration
deployment check network start
show deployment check network

For more information about the network deployment checking function, see the NX Series System Administration Guide.
NX Series High Availability (HA) Command Family

The following commands are used to configure, manage, and monitor an NX Series High Availability (HA) pair.

cmc ha nx rename on page 358
cmc ha nx appliances enable-nx-ipv6 on page 359
cmc ha nx comment on page 361
cmc ha nx sync config with on page 363
no cmc ha nx appliance on page 1087
object-analysis salvage on page 1117
show cmc ha nx on page 1396
show cmc ha nx on page 1399
show ha status (for NX) on page 1673
Policy Manager Command Family

The following commands are used to configure policies on the NX Series appliance for routing packets.

policymgr drop-interface on page 1123
policymgr interface on page 1132
policymgr interface drop http comfort-page enable on page 1124
policymgr interface drop http comfort-page response-type on page 1125
policymgr interface drop out-interface on page 1127
policymgr interface drop tcp reset client enable on page 1128
policymgr interface drop tcp reset enable on page 1129
policymgr interface drop tcp reset server enable on page 1130
policymgr interface drop udp icmpport-unreachable enable on page 1131
policymgr interface mirror port on page 1134
policymgr interface mirror clear on page 1136
policymgr interface op-mode block on page 1137
policymgr interface op-mode bypass on page 1139
policymgr interface op-mode monitor on page 1140
policymgr interface op-mode tap on page 1141
policymgr network on page 1153
policymgr refresh-policy on page 1155
policymgr signature on page 1156
show policymgr on page 1875
show policymgr drop configuration on page 1873
show policymgr interfaces on page 1877
RAID Management Commands

This section describes the CLI commands used to configure and manage RAID hard drives. Related commands:

Media Disk
no raid alarm enable
raid alarm enable
raid alarm silence
raid log clear
raid test consistency cancel
raid test consistency start
show raid
show raid log
Remote Correlation Commands

This section describes the CLI commands used to manage alert correlation between NX Series appliances and EX Series appliances that are managed by a CM Series appliance.

remote-correlation enable on page 1166
remote-correlation run-frequency on page 1167
remote-correlation url-duration on page 1168
show remote-correlation status on page 1895
Report Email Commands

This section describes the CLI commands used to configure the email distribution of generated reports.

report email recipient on page 1172
report email snmp domain on page 1173
report email snmp port on page 1174
report email snmp return-address on page 1
report email snmp server on page 1
Report Generation Commands

This section describes the CLI commands used to generate and distribute reports. You can generate reports manually or schedule them for automatic generation on an hourly, daily, weekly, or monthly basis.

report generate type alert_details (update) on page 1175
report generate type callback_server on page 1184
report generate type email_activity on page 1187
report generate type email_av_report on page 1190
report generate type email_executive_summary on page 1193
report generate type email_hourly_stat on page 1196
report generate type executive_summary on page 1199
report generate type File_Executive_Summary on page 1202
report generate type infected_hosts_trend on page 1205
report generate type malware_activity on page 1208
report generate type web_av_report on page 1211
show report on page 1892
Static Analysis Tools Command Family

This section describes the CLI commands used to enable supplemental static analysis tools available on FireEye appliances.

malware-intrinsic-analysis dti on page 1048
malware-intrinsic-analysis local on page 1050
show avc vms
show object-analysis
show static analysis config
static-analysis av-check enable
static-analysis av-suite enable
static-analysis dropper enable on page 1255
static-analysis enable
static-analysis sa-python enable
static-analysis malware-intrinsic-analysis enable
yara
Submission Sampling Command Family

The following commands are used to configure submission sampling on a FireEye appliance:

stats group submission sampling interval minutes on page 1
show stats group submission on page 1916
TAP Sender Module Command Family

The following commands are used to configure the TAP sender module on a FireEye appliance:

tapsender enable on page 1289
tapsender VPC on page 1290
show tapsender health on page 1977
show tapsender stats on page 1979
show tapsender status on page 1980
show tapsender VPCIP on page 1981
Third-Party IOC Feeds Command Family

The following commands are used to configure and manage third-party indicator of compromise (IOC) feeds.

custom content enable on page 453
custom content enable on lms on page 455
show custom content enable status on page 1452
show custom content feed status on page 1454
User Account Commands

The user account commands manage the user accounts and access privileges of FireEye appliance users.

aaa authentication attempts class-override admin no-lockout on page 150
aaa authentication attempts class-override unknown hash-username on page 152
aaa authentication attempts class-override unknown no-track on page 154
aaa authentication attempts lockout enable on page 156
aaa authentication attempts lockout lock-time on page 158
aaa authentication attempts lockout max-fail on page 160
aaa authentication attempts lockout unlock-time on page 162
aaa authentication attempts reset all [no-clear-history | no-unlock] on page 164
aaa authentication attempts reset user [no-clear-history | no-unlock] on page 166
aaa authentication attempts track downcase on page 168
aaa authentication attempts track enable on page 169
aaa authentication login default on page 190
aaa authentication password lcd length minimum on page 192
aaa authentication password local change allow-encrypt on page 193
aaa authentication password local change require-current on page 195
aaa authentication password local character-type minimum on page 197
aaa authentication password local history clear on page 199
aaa authentication password local history compare on page 201
aaa authentication password local length on page 203
aaa authentication password local max-char-repeats on page 205
aaa authentication password local no-userid on page 207
aaa authentication password local require-change advance-warning on page 208
aaa authentication password local require-change force on page 210
aaa authentication password local require-change max-password-days on page 212
aaa authentication password local require-change new-account on page 214
aaa authorization map default-user on page 233
aaa authorization map order on page 235
aaa authorization roles on page 238
aaa authorization rules enable on page 240
aaa authorization rules rule append tail [ ...] on page 242
aaa authorization rules rule insert on page 246
aaa authorization rules rule modify on page 249
aaa authorization rules rule set on page 253
aaa authorization rules on page 1
ldap on page 1011
radius-server on page 1159
show aaa authentication attempts on page 1341
show aaa authentication password on page 1344
show aaa authorization rules on page 1347
show aaa on page 1333
show ldap on page 1729
show radius on page 1891
show users on page 1984
tacacs-server on page 1
username on page 1302
Virtual System Command Family

This section describes the CLI commands used to manage virtual instances of FireEye appliances.

system virtual bootstrap reset on page 1267
show licenses tokens on page 1734
show system entropy on page 1967
Web Analysis Command Family

This section describes the CLI commands used to display the status of greylist files that contain either IP addresses or URLs, a list of greylist dump files, a list of Web ports, and Web traffic statistics that were generated on the appliance.

show web-analysis greylists dump-files on page 1992
show web-analysis greylists ips on page 1993
show web-analysis greylists urls on page 1994
show web-analysis greylists on page 1995
show web-analysis ports on page 1996
show web-analysis stats on page 1997
Web Incident Command Family

This section describes the CLI commands used to display detailed statistics about web incident and malware submission jobs that were analyzed on the appliance.

show web-incident done on page 2000
show web-incident dst on page 2002
show web-incident id on page 2004
show web-incident limit on page 2006
show web-incident malicious on page 2009
show web-incident src on page 2012
Web Service API Commands

The Web Services APIs can be used to access and update reports and alerts through the FireEye Central Management System (CMS). These APIs can also be used to submit suspicious objects through the CMS to the Malware Analysis System (MAS).

wsapi
wsapi rtstats
show wsapi
Web UI Configuration Commands

The Web UI commands allow you to control interaction with the Web interface.

web auto-logout on page 1310
web logging level on page 1314
web preferences config global alerts auto-refresh enable on page 1315
web session renewal on page 1322
web session timeout on page 1324
Workorder Command Family

This section describes the CLI commands used to display workorder statistics about the number of malware submissions that were analyzed on the appliance.

show workorders all on page 2016
show workorders done on page 2020
show workorders id on page 2023
show workorders pending on page 2027
show workorders range on page 2029
show workorders running on page 2035
show workorders stats on page 2038
show workorders traces dst on page 2041
show workorders traces src on page 2045
show workorders on page 2049
AX Series Command Family

This chapter describes the application commands specific to the FireEye AX Series appliance (also known as the Malware Analysis System, or MAS). These commands configure malware analysis policies and allow you to view analysis results. The following commands are specific to the AX Series appliance:

malware abort queued on page 1038
malware analyze live on page 1039
malware analyze sandbox on page 1040
malware delete on page 1042
malware file on page 1043
show malware all on page 1745
show malware config on page 1748
show malware done on page 1750
show malware events on page 1753
show malware file analysis_tmo on page 1757
show malware file repositories on page 1758
show malware id on page 1761
show malware list on page 1765
show malware md5 on page 1766
show malware mode on page 1767
show malware no-events on page 1770
show malware no-os-change-anomaly on page 1773
show malware no-vm-outbound-comm on page 1776
show malware priority on page 1779
show malware queued on page 1782
show malware running on page 1785
show malware on page 1787
static-info enable on page 1252
CM Series Command Family

The following commands are used to configure, manage, and monitor the appliances in a CM Series network.

cmc appliance on page 330
cmc appliance auth password password on page 333
cmc appliance auth password username on page 334
cmc appliance auth ssh-dsa2 identity push [username password []] on page 335
cmc appliance auth ssh-dsa2 identity on page 337
cmc appliance auth ssh-dsa2 username on page 338
cmc appliance auth ssh-rsa2 identity push [username password []] on page 339
cmc appliance auth ssh-rsa2 identity on page 341
cmc appliance auth ssh-rsa2 username on page 342
cmc appliance authtype on page 343
cmc auth on page 345
cmc cancel on page 347
cmc client on page 348
cmc client server on page 350
cmc client server auth on page 353
cmc execute on page 356
cmc group on page 357
cmc profile on page 375
cmc profile apply appliance on page 376
cmc profile apply appliance fail-continue on page 377
cmc profile apply appliance no-save on page 379
cmc profile apply group on page 381
cmc profile apply group fail-continue on page 383
cmc profile apply group no-save on page 385
cmc profile command on page 387
cmc profile comment on page 388
cmc profile copy on page 389
cmc profile extract-from on page 391
cmc profile rename on page 392
no cmc profile command on page 1089
no cmc profile command on page 1090
show cmc profiles on page 1413
cmc rendezvous client on page 393
cmc rendezvous server on page 396
cmc rendezvous service-name on page 399
cmc server on page 400
cmc status on page 401

The CM Series platform can be configured for active/standby failover. See CM Series High Availability (HA) Command Family on page 71 for HA-specific commands.
EX Series Commands

The following topics describe the application commands specific to the FireEye EX Series (also known as Email MPS) appliance. These commands define email handling, quarantine, and analysis policies. These commands are available on the EX Series appliance only.

analysis live check-connection on page 259
analysis live default-gateway ip on page 260
analysis live external ip on page 261
analysis live http-proxy on page 262
analysis live nameserver ip on page 264
analysis live proxy-authentication on page 265
show analysis live config on page 1355
email-analysis adv-url-defense rewrite enable on page 487
email-analysis allowed-list on page 489
email-analysis blocked-list on page 492
email-analysis controlled-live-mode enable on page 495
email-analysis delete on page 497
email-analysis delete-message on page 498
email-analysis domain on page 499
email-analysis filter on page 507
email-analysis flush-message on page 508
email-analysis interface on page 509
email-analysis mode on page 513
email-analysis mta certificate name on page 514
email-analysis mta smtp start on page 517
email-analysis mta smtp stop on page 515
email-analysis mta start on page 518
email-analysis mta stop on page 519
email-analysis pass-extract add on page 1
email-analysis pass-extract delete on page 1
email-analysis policy adv-url-defense enable on page 520
email-analysis policy att-limit on page 520
email-analysis policy congestion bypass-threshold on page 521
email-analysis policy congestion high-threshold on page 522
email-analysis policy congestion mode bypass enable on page 522
email-analysis policy congestion mode refuse-connection enable on page 523
email-analysis policy feature-extractor enable on page 524
email-analysis policy image-analysis enable on page 524
email-analysis policy max-size-limit on page 525
email-analysis policy message-tracking max-days-records on page 526
email-analysis policy message-tracking syslog-enable on page 527
email-analysis policy monitor backoff on page 527
email-analysis policy monitor bypass-threshold on page 528
email-analysis policy monitor defer-threshold on page 529
email-analysis policy monitor enable on page 530
email-analysis policy monitor interval on page 530
email-analysis policy notice admin on page 531
email-analysis policy notice bcc on page 532
email-analysis policy notice body on page 532
email-analysis policy notice enable on page 533
email-analysis policy notice from on page 534
email-analysis policy notice subject on page 534
email-analysis policy parse-https enable on page 535
email-analysis policy reload on page 536
email-analysis policy url-images enable on page 538
email-analysis policy url-limit on page 538
email-analysis policy url-phishing blacklist enable on page 539
email-analysis policy url-phishing whitelist enable on page 539
email-analysis policy use-header enable on page 540
email-analysis policy xheader enable on page 541
email-analysis policy yara-analysis enable on page 542
email-analysis policy typosquatting enable on page 537
email-analysis quarantine on page 543
email-analysis reroute-message on page 544
email-analysis suppress on page 545
email-analysis adv-url-defense cache {whitelist | blacklist} on page 486
email-analysis url-dynamic-analysis enable on page 546
show email-analysis on page 1463
show email-analysis adv-url-defense configuration on page 1491
show email-analysis adv-url-defense statistics on page 1493
show email-analysis all on page 1465
show email-analysis allowed-list statistics on page 1465
show email-analysis attachment on page 1466
show email-analysis blocked-list statistics on page 1467
show email-analysis done on page 1468
show email-analysis log on page 1470
show email-analysis message-queue max-num on page 1471
show email-analysis mta mynetworks on page 1473
show email-analysis mta status on page 1495
show email-analysis pass-extract ignorewords on page 1475
show email-analysis pass-extract keywords on page 1476
show email-analysis pass-extract passwords on page 1477
show email-analysis policy on page 1502
show email-analysis queued on page 1482
show email-analysis running on page 1483
show email-analysis statistics on page 1484
show email-analysis url on page 1500
show email-analysis url-dynamic-analysis on page 1497
show email-analysis yara-statistics on page 1489
embedded-analysis enable
gen-emps-rpt
FX Series Commands

This chapter describes the application commands specific to the FX Series platform. These commands configure file scan analysis policies and allow you to view scan results.

file-analysis suppress
fmps file config analysis_tmo
fmps file config maxsize
fmps file config scan_delay
fmps file config share-timeout
fmps file config wins_server
fmps scan abort on page 757
fmps scan configure filetypes
fmps scan configure scan-name
fmps scan configure start-time
fmps scan configure subdirectories
fmps scan configure target-shares
fmps scan create
fmps scan delete on page 758
fmps scan pause on page 759
fmps scan restart on page 760
fmps scan resume on page 761
fmps scan schedule
fmps scan start
fmps scan start scan-id listen on page 779
fmps share configure share-name auth on page 780
fmps share configure share-name ca-file on page 781
fmps share configure share-name protocol on page 782
fmps share configure share-name server on page 784
fmps share create quarantine on page 785
fmps share create source on page 786
fmps share create target on page 787
fmps share delete on page 788
fmps share mount on page 789
fmps share unmount on page 790
show file-analysis
show file-analysis all (deprecated)
show file-analysis done (deprecated)
show file-analysis events (deprecated)
show file-analysis id (deprecated)
show file-analysis list (deprecated)
show file-analysis md5 (deprecated)
show fmps file config
show fmps file shares (deprecated)
show fmps scan-id
show fmps share on page 1640
HX Series Commands

The following commands are specific to the FireEye HX Series appliance.

fenet hx-agent autoupdate enable on page 629
fenet hx-agent image apply on page 630
fenet hx-agent image check on page 632
fenet hx-agent image fetch on page 633
fenet hx-agent metadata refresh on page 634
hx agent agent-log-exception enable on page 837
hx agent agent-log-exception level on page 838
hx agent aging enable on page 840
hx agent aging inactive-period on page 841
hx agent aging new-orphan-period on page 842
hx agent concurrent-host-exception enable on page 843
hx agent concurrent-host-exception limit on page 844
hx agent config-poll on page 845
hx agent event-buf-size on page 846
hx agent events enable on page 847
hx agent events whitelist enable on page 848
hx agent events whitelist paths on page 849
hx agent fastpoll on page 851
hx agent inactivity period on page 852
hx agent indicator on page 853
hx agent max-cpu on page 854
hx agent poll on page 855
hx agent resource-exception enable on page 856
hx agent resource-exception event-buf-size on page 857
hx agent resource-exception max-cpu on page 858
hx agent server hostname on page 859
hx agent server provisioning enable on page 860
hx agent server provisioning primary on page 861
hx config agent exd exceptions whitelist enable on page 862
hx config agent exd exceptions whitelist paths on page 863
hx config agent exd whitelist enable on page 865
hx config agent exd whitelist paths on page 866
hx ecosystem dmz attach on page 868
hx ecosystem dmz attach-initiate on page 869
hx ecosystem dmz provisioning-enabled on page 870
hx pki agent ca-days on page 871
hx pki agent cert-bits on page 872
hx pki agent cert-days on page 873
hx pki export file on page 874
hx pki import file on page 875
hx pki provisioning on page 876
hx pki regenerate on page 877
hx pki regenerate crl on page 878
hx pki regenerate subordinate on page 879
hx pki server ca-days on page 880
hx pki server cert-bits on page 881
hx pki server cert-days on page 882
hx pki server crl-days on page 883
hx pki server crl-upload on page 884
hx pki subject prefix on page 885
hx server acquisition aging completed-period on page 886
hx server acquisition aging disk-limit on page 887
hx server acquisition aging enable on page 888
hx server acquisition aging failed-period on page 889
hx server acquisition aging pending-period on page 890
hx server acquisition default-zip-passphrase on page 891
hx server acquisition enable on page 892
hx server app-proc quiesce on page 893
hx server containment blocked on page 894
hx server containment enable on page 895
hx server containment notification custom on page 896
hx server containment notification enable on page 897
hx server containment notification source on page 898
hx server containment notification url on page 899
hx server containment task-timeout on page 900
hx server containment whitelist on page 901
hx server detection aging alert fp-period on page 902
hx server detection aging alert period on page 903
hx server detection aging indicator generated enable on page 904
hx server detection aging indicator generated period on page 905
hx server detection inbound bookmark on page 906
hx server detection inbound ignore-type on page 907
hx server detection inbound min-threshold on page 908
hx server detection inbound poll-interval on page 909
hx server detection intel matching enable on page 910
hx server detection legacy enable on page 911
hx server detection legacy malicious-url enable on page 912
hx server detection legacy noisy-indicator enable on page 913
hx server exd enable on page 914
hx server msm-link api domain-hash on page 915
hx server msm-link api key on page 916
hx server msm-link api secret on page 917
hx server msm-link enable on page 918
hx server msm-link hostname on page 919
hx server msm-link prefix on page 920
hx server script aging period on page 921
hx server search issues items-limit on page 922
hx server sysinfo dispatch-duration on page 923
hx server sysinfo task-timeout on page 924
hx server sysinfo-interval on page 925
hx server task aging period on page 926
hx server triage auto enable on page 927
hx server triage auto throttle agent limit on page 928
hx server triage auto throttle agent period on page 929
hx server triage auto throttle agent-condition limit on page 930
hx server triage auto throttle agent-condition period on page 931
hx server triage auto throttle condition limit on page 932
hx server triage auto throttle condition period on page 933
hx server triage auto throttle exd limit on page 934
hx server triage auto throttle exd period on page 935
hx server triage auto throttle global limit on page 936
hx server triage auto throttle global period on page 937
hx server triage auto throttle indicator limit on page 938
hx server triage auto throttle indicator period on page 939
hx server triage auto throttle ioc limit on page 940
hx server triage auto throttle ioc period on page 941
hx server triage extraction retry-limit on page 942
hx server triage extraction task-limit on page 943
hx server triage extraction timeout on page 944
hx server triage task-limit on page 945
hx server triage task-timeout on page 946
hx server triage window after on page 947
hx server triage window prior on page 948
hx server upgrade task-limit on page 949
hx server upgrade task-timeout on page 950
show fenet hx-agent image available on page 1571
show hx agent on page 1678
show hx agent aging on page 1680
show hx agent inactivity on page 1681
show hx app-proc on page 1682
show hx ecosystem on page 1683
show hx pki on page 1684
show hx server containment on page 1686
show hx server containment notification on page 1688
show hx server detection on page 1689
show hx server exd on page 1691
show hx server general on page 1692
show hx server msm-link on page 1695
show hx server search on page 1697
PART III: Commands
This section lists all CLI commands in alphabetical order.
aaa accounting changes default stop-only

Enables or disables the logging of system changes to an AAA accounting server. When change accounting is enabled, system actions are logged when the action is started, not when the action has completed. When more than one accounting server is specified, the configuration logging process contacts each accounting server in the order listed in the configuration until a server accepts the accounting data. If no accounting server accepts the accounting data, the log entry is discarded; nothing is queued for later delivery, so an outage of every configured server leaves a gap in the change record. Change accounting covers the same configuration changes and system actions that are visible with audit logging, but it is an independent process and is not affected by the configuration audit max-changes setting.

Syntax
[no] aaa accounting changes default stop-only <method>

Parameters
no
    Use the no form of this command to remove the configuration options currently set.
method
    Specify the accounting protocol used. The following accounting protocol is available:
    tacacs+: Terminal Access Controller Access Control System Plus (TACACS+) access control protocol

Example
The following example enables system change logging on a TACACS+ server:
hostname (config) # aaa accounting changes default stop-only tacacs+

The following example disables system change logging on a TACACS+ server:
hostname (config) # no aaa accounting changes default stop-only tacacs+

User Role
Administrator

Command Mode
Configuration
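What a stop-only change-accounting record looks like on the wire, and how the in-order server failover described above behaves, as an added Python example that is not FireEye code: the packet header, body layout and body obfuscation follow RFC 8907 (TACACS+), while the fixed authentication-method fields, the argument names, the session id, the shared key and the stand-in server transports are assumptions made for the example.

```python
"""Constructed illustration of a stop-only TACACS+ change-accounting record and
of in-order accounting-server failover. Not FireEye code: header, body layout
and obfuscation follow RFC 8907; the fixed authentication fields, argument
names, session id, key and server transports are assumptions for the example."""
import hashlib
import struct
from typing import Callable, Optional, Sequence, Tuple

TAC_PLUS_ACCOUNTING = 0x03   # header 'type' value for accounting packets
TAC_PLUS_VERSION = 0xC0      # major version 0xC, minor version 0
ACCT_FLAG_START = 0x02
ACCT_FLAG_STOP = 0x04        # a stop-only record carries this flag alone
HEADER_LEN = 12


def _pseudo_pad(session_id: int, key: bytes, seq_no: int, length: int) -> bytes:
    """RFC 8907 section 4.5 keystream: chained MD5 over session id, shared key,
    version, sequence number and the previous MD5 block."""
    seed = struct.pack("!I", session_id) + key + bytes([TAC_PLUS_VERSION, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, seq_no: int = 1) -> bytes:
    """XOR the body with the pseudo pad; applying it twice restores the body."""
    pad = _pseudo_pad(session_id, key, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def accounting_request_body(flags: int, user: str, port: str,
                            rem_addr: str, args: Sequence[str]) -> bytes:
    """Accounting REQUEST body (RFC 8907 section 6.1). authen_method, priv_lvl,
    authen_type and authen_service are fixed to TACACSPLUS(6), 0, ASCII(1) and
    LOGIN(1) as an assumption for the example."""
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    a = [x.encode() for x in args]
    fixed = struct.pack("!9B", flags, 0x06, 0x00, 0x01, 0x01,
                        len(u), len(p), len(r), len(a))
    return fixed + bytes(len(x) for x in a) + u + p + r + b"".join(a)


def stop_only_change_record(session_id: int, key: bytes, user: str,
                            command: str, rem_addr: str = "10.0.0.5") -> bytes:
    """One change-accounting packet: 12-byte header plus obfuscated body, flagged
    STOP only. 'service=shell' and 'cmd=' are the conventional shell arguments."""
    args = ["service=shell", "cmd=" + command]
    body = accounting_request_body(ACCT_FLAG_STOP, user, "cli", rem_addr, args)
    header = struct.pack("!BBBBII", TAC_PLUS_VERSION, TAC_PLUS_ACCOUNTING,
                         1, 0x00, session_id, len(body))  # seq_no 1, flags 0 = obfuscated
    return header + obfuscate(body, session_id, key)


# A server is (name, send function); send returns True when the server accepts the record.
AccountingServer = Tuple[str, Callable[[bytes], bool]]


def deliver_in_order(servers: Sequence[AccountingServer], packet: bytes) -> Optional[str]:
    """Contact the servers in configured order and stop at the first that accepts.
    Returns that server's name, or None when every server refused or was
    unreachable, in which case the record is dropped and never retried."""
    for name, send in servers:
        try:
            if send(packet):
                return name
        except OSError:
            continue
    return None


if __name__ == "__main__":
    pkt = stop_only_change_record(0x12345678, b"shared-secret", "admin",
                                  "aaa accounting changes default stop-only tacacs+")
    servers = [("primary", lambda p: False), ("secondary", lambda p: True)]
    print(len(pkt), "bytes, accepted by", deliver_in_order(servers, pkt))
```

Because deliver_in_order returns None when every server refuses, the caller is the only place that can notice a dropped change record; alerting on that return value is the check to add when the accounting servers double as the audit trail.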
Release Information
This command was introduced as follows:
AX Series: Before release 6.4
CM Series: Before release 6.4
EX Series: Before release 6.4
FX Series: Before release 6.4
HX Series: 2.5
NX Series: Before release 6.4
VX Series: 7.9
Related Commands For a list of related commands, see: AAA Accounting Commands on page 51.
aaa authentication attempts class-override admin no-lockout

Prevents the admin account from being locked after repeated failed authentication attempts. This override applies only to the built-in admin user account; it does not apply to other user accounts that hold administrative privileges. While the override is set, the thresholds configured with the aaa authentication attempts lockout commands are never applied to admin, so the strength of the admin password is the only control against online password guessing on that account.

Syntax
[no] aaa authentication attempts class-override admin no-lockout

Parameters
no
    Use the no form of this command to re-enable admin account lockouts.

Example
The following command disables admin account lockouts on the appliance:
hostname (config) # aaa authentication attempts class-override admin no-lockout

The following command re-enables admin account lockouts on the appliance:
hostname (config) # no aaa authentication attempts class-override admin no-lockout

User Role
Administrator

Command Mode
Configuration
Release Information
This command was introduced as follows:
AX Series: Before release 6.4
CM Series: 7.1
EX Series: Before release 6.4
FX Series: Before release 6.4
HX Series: 2.5
NX Series: Before release 6.4
VX Series: 7.9
Related Commands For a list of related commands, see: AAA Authentication Commands on page 52.
aaa authentication attempts class-override unknown hash-username

Protects unknown user names by hashing them. An unknown user name is one that is not recognized as a locally configured account. When this override is set, the appliance applies a hash function to each unknown user name and stores the hashed result in place of the original string. The protection matters because an unknown user name can carry sensitive data: a user who types a password at the user-name prompt would otherwise have that password stored, and printed, in plain text in the authentication-attempt records. This override applies only to unknown user names; it does not change how attempts against locally configured accounts, including admin, are recorded.

Syntax
[no] aaa authentication attempts class-override unknown hash-username

Parameters
no
    Use the no form of this command to remove the hash-username override from unknown users and store unknown user names as plain text.

Example
The following command hashes unknown user names:
hostname (config) # aaa authentication attempts class-override unknown hash-username

The following command stores unknown user names as plain text:
hostname (config) # no aaa authentication attempts class-override unknown hash-username

User Role
Administrator

Command Mode
Configuration
Release Information This command was introduced as follows:
- AX Series: Before release 6.4
- CM Series: 7.1
- EX Series: Before release 6.4
- FX Series: Before release 6.4
- HX Series: 2.5
- NX Series: Before release 6.4
- VX Series: 7.9
Related Commands For a list of related commands, see: AAA Authentication Commands on page 52.
aaa authentication attempts class-override unknown no-track Disables tracking of authentication failures for unknown user names. An unknown user name is one that is not recognized as a locally configured account. With tracking disabled, failed attempts against names that are not local accounts are not recorded, so one record of user-name guessing against the appliance is lost. This command only applies to the admin user account. It does not apply to other user accounts with administrative privileges.
Syntax [no] aaa authentication attempts class-override unknown no-track
Parameters no
Use the no form of this command to enable tracking of authentication failures for unknown user names.
Example The following command disables tracking of authentication failures for unknown user names: hostname (config) # aaa authentication attempts class-override unknown no-track
User Role Administrator
Command Mode Configuration
Release Information This command was introduced as follows:
- AX Series: Before release 6.4
- CM Series: 7.1
- EX Series: Before release 6.4
- FX Series: Before release 6.4
- HX Series: 2.5
- NX Series: Before release 6.4
- VX Series: 7.9
Related Commands For a list of related commands, see: AAA Authentication Commands on page 52.
aaa authentication attempts lockout enable Enables lockout of accounts based on failed authentication attempts. This command only applies to the admin user account. It does not apply to other user accounts with administrative privileges.
Syntax [no] aaa authentication attempts lockout enable
Parameters no
Use the no form of this command to disable lockout of accounts based on failed authentication attempts.
Example The following enables account lockouts on the appliance based on failed authentication attempts: hostname (config) # aaa authentication attempts lockout enable
The following disables lockouts on the appliance: hostname (config) # no aaa authentication attempts lockout enable
User Role Administrator
Command Mode Configuration
Release Information This command was introduced as follows:
- AX Series: Before release 6.4
- CM Series: 7.1
- EX Series: Before release 6.4
- FX Series: Before release 6.4
- HX Series: 2.5
- NX Series: Before release 6.4
- VX Series: 7.9
Related Commands For a list of related commands, see: AAA Authentication Commands on page 52.
aaa authentication attempts lockout lock-time Temporarily locks an account for a fixed period of time after every authentication failure, which slows down password guessing even before the max-fail threshold is reached. This command only applies to the admin user account. It does not apply to other user accounts with administrative privileges.
Syntax [no] aaa authentication attempts lockout lock-time <seconds>
Parameters no
Use the no form of this command to disable temporary lockout on accounts.
seconds
Number of seconds to lock an account after each failure.
Example The following locks an account for 15 seconds after every failed authentication attempt: hostname (config) # aaa authentication attempts lockout lock-time 15
The following disables temporary account lockouts on the appliance: hostname (config) # no aaa authentication attempts lockout lock-time
User Role Administrator
Command Mode Configuration
Release Information This command was introduced as follows:
- AX Series: Before release 6.4
- CM Series: 7.1
- EX Series: Before release 6.4
- FX Series: Before release 6.4
- HX Series: 2.5
- NX Series: Before release 6.4
- VX Series: 7.9
Related Commands For a list of related commands, see: AAA Authentication Commands on page 52.
aaa authentication attempts lockout max-fail Sets the maximum number of consecutive authentication failures permitted before an account is locked out. This command only applies to the admin user account. It does not apply to other user accounts with administrative privileges.
Syntax [no] aaa authentication attempts lockout max-fail <failure_count>
Parameters no
Use the no form of this command to disable locking out users based on consecutive authentication failures.
failure_count
Maximum number of consecutive failed attempts before the account is locked.
Example The following locks an account after 3 failed login attempts: hostname (config) # aaa authentication attempts lockout max-fail 3
The following disables account lockouts based on failed attempts: hostname (config) # no aaa authentication attempts lockout max-fail
User Role Administrator
Command Mode Configuration
Release Information This command was introduced as follows:
- AX Series: Before release 6.4
- CM Series: 7.1
- EX Series: Before release 6.4
- FX Series: Before release 6.4
- HX Series: 2.5
- NX Series: Before release 6.4
- VX Series: 7.9
Related Commands For a list of related commands, see: AAA Authentication Commands on page 52.
aaa authentication attempts lockout unlock-time Automatically allows authentication retry on a locked account after a period of time. Without an unlock time, a locked account stays locked until an administrator clears it with aaa authentication attempts reset. This command only applies to the admin user account. It does not apply to other user accounts with administrative privileges.
Syntax [no] aaa authentication attempts lockout unlock-time <seconds>
Parameters no
Use the no form of this command to disable automatic authentication retry on a locked account.
seconds
Number of seconds after the lock before retry is allowed.
Example The following allows authentication retry 45 seconds after an account is locked: hostname (config) # aaa authentication attempts lockout unlock-time 45
The following disables automatic authentication retry on locked accounts: hostname (config) # no aaa authentication attempts lockout unlock-time
User Role Administrator
Command Mode Configuration
Release Information This command was introduced as follows:
- AX Series: Before release 6.4
- CM Series: 7.1
- EX Series: Before release 6.4
- FX Series: Before release 6.4
- NX Series: Before release 6.4
- VX Series: 7.9
Related Commands For a list of related commands, see: AAA Authentication Commands on page 52.
aaa authentication attempts reset all [no-clear-history | no-unlock] Clears the authentication history and unlocks all accounts. This command only applies to the admin user account. It does not apply to other user accounts with administrative privileges.
Syntax aaa authentication attempts reset all [no-clear-history | no-unlock]
Parameters no-clear-history
Unlock all accounts, but do not clear the authentication history.
no-unlock
Clear the authentication history for all accounts, but do not unlock them.
Example The following unlocks all accounts without clearing the authentication history: hostname (config) # aaa authentication attempts reset all no-clear-history
The following clears the authentication history without unlocking accounts: hostname (config) # aaa authentication attempts reset all no-unlock
User Role Administrator
Command Mode Configuration
Release Information This command was introduced as follows:
- AX Series: Before release 6.4
- CM Series: 7.1
- EX Series: Before release 6.4
- FX Series: Before release 6.4
- HX Series: 2.5
- NX Series: Before release 6.4
- VX Series: 7.9
Related Commands For a list of related commands, see: AAA Authentication Commands on page 52.
aaa authentication attempts reset user <username> [no-clear-history | no-unlock] Clears the authentication history of the specified account and unlocks it. This command only applies to the admin user account. It does not apply to other user accounts with administrative privileges.
Syntax aaa authentication attempts reset user <username> [no-clear-history | no-unlock]
Parameters username
User name of the account to reset.
no-clear-history
Unlock the specified account, but do not clear its authentication history.
no-unlock
Clear the authentication history for the specified account, but do not unlock it.
Example The following unlocks the specified account without clearing its authentication history: hostname (config) # aaa authentication attempts reset user <username> no-clear-history
The following clears the specified account's authentication history without unlocking it: hostname (config) # aaa authentication attempts reset user <username> no-unlock
User Role Administrator
Command Mode Configuration
Release Information This command was introduced as follows:
- AX Series: Before release 6.4
- CM Series: 7.1
- EX Series: Before release 6.4
- FX Series: Before release 6.4
- HX Series: 2.5
- NX Series: Before release 6.4
- VX Series: 7.9
Related Commands For a list of related commands, see: AAA Authentication Commands on page 52.
aaa authentication attempts track downcase Converts all user names to lowercase for authentication failure tracking purposes only. This command only applies to the admin user account. It does not apply to other user accounts with administrative privileges.
Syntax [no] aaa authentication attempts track downcase
Parameters no
Use the no form of this command to stop converting all user names to lowercase for authentication failure tracking purposes.
Example The following converts all user names to lowercase: hostname (config) # aaa authentication attempts track downcase
User Role Administrator
Command Mode Configuration
Release Information This command was introduced as follows:
- AX Series: Before release 6.4
- CM Series: 7.1
- EX Series: Before release 6.4
- FX Series: Before release 6.4
- HX Series: 2.5
- NX Series: Before release 6.4
- VX Series: 7.9
Related Commands For a list of related commands, see: AAA Authentication Commands on page 52.
aaa authentication attempts track enable Enables tracking of failed authentication attempts. This command only applies to the admin user account. It does not apply to other user accounts with administrative privileges.
Syntax [no] aaa authentication attempts track enable
Parameters no
Use the no form of this command to disable tracking of failed authentication attempts.
Example The following enables tracking of failed authentication attempts: hostname (config) # aaa authentication attempts track enable
User Role Administrator
Command Mode Configuration
Release Information This command was introduced as follows:
- AX Series: Before release 6.4
- CM Series: 7.1
- EX Series: Before release 6.4
- FX Series: Before release 6.4
- HX Series: 2.5
- NX Series: Before release 6.4
- VX Series: 7.9
Related Commands For a list of related commands, see: AAA Authentication Commands on page 52.
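The aaa authentication attempts commands above act together as a single lockout policy, and the entries describe each knob in isolation. The following Python model is an added example, not FireEye code and not a description of the appliance's internals; it shows how the documented settings combine: downcase tracking, max-fail with unlock-time, the lock-time throttle after every failure, the admin no-lockout exemption, the hash-username override that keeps a mistyped password out of the failure history, and the reset options. The class and field names, the use of SHA-256 as the hash, and the assumption that an automatic unlock restarts the failure count are this example's own.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, Optional, Set

@dataclass
class AttemptsPolicy:
    # Knobs named after the CLI keywords; an illustration, not the appliance's schema.
    track_enable: bool = True            # attempts track enable
    track_downcase: bool = False         # attempts track downcase
    lockout_enable: bool = True          # attempts lockout enable
    max_fail: Optional[int] = None       # attempts lockout max-fail <failure_count>
    lock_time: Optional[int] = None      # attempts lockout lock-time <seconds>
    unlock_time: Optional[int] = None    # attempts lockout unlock-time <seconds>
    admin_no_lockout: bool = False       # class-override admin no-lockout
    unknown_hash_username: bool = False  # class-override unknown hash-username
    unknown_no_track: bool = False       # class-override unknown no-track

@dataclass
class Record:
    failures: int = 0                    # consecutive failures since the last reset
    last_fail: float = 0.0               # time of the most recent failure
    locked_at: Optional[float] = None    # time the max-fail lock was applied

class AttemptTracker:
    def __init__(self, policy: AttemptsPolicy, local_users: Set[str]):
        self.policy, self.local_users = policy, local_users
        self.history: Dict[str, Record] = {}

    def _key(self, username: str) -> Optional[str]:
        name = username.lower() if self.policy.track_downcase else username
        if name in self.local_users:
            return name
        if self.policy.unknown_no_track:
            return None                   # unknown names are not recorded at all
        if self.policy.unknown_hash_username:
            # An unknown name may be a mistyped password: keep a digest, never the text.
            # SHA-256 is an assumption; the appliance's hash function is not documented.
            return "unknown:" + hashlib.sha256(name.encode()).hexdigest()[:16]
        return "unknown:" + name

    def _exempt(self, username: str) -> bool:
        return self.policy.admin_no_lockout and username.lower() == "admin"

    def record_failure(self, username: str, now: float) -> None:
        key = self._key(username)
        if not self.policy.track_enable or key is None:
            return
        rec = self.history.setdefault(key, Record())
        rec.failures, rec.last_fail = rec.failures + 1, now
        if (self.policy.lockout_enable and self.policy.max_fail is not None
                and rec.failures >= self.policy.max_fail and not self._exempt(username)):
            rec.locked_at = now

    def is_locked(self, username: str, now: float) -> bool:
        p, key = self.policy, self._key(username)
        rec = self.history.get(key) if key else None
        if rec is None or not p.lockout_enable or self._exempt(username):
            return False
        if p.lock_time is not None and now - rec.last_fail < p.lock_time:
            return True                   # lock-time: a short lock after every failure
        if rec.locked_at is None:
            return False
        if p.unlock_time is not None and now - rec.locked_at >= p.unlock_time:
            rec.locked_at, rec.failures = None, 0   # assumed: auto-unlock restarts the count
            return False
        return True                       # no unlock-time: locked until "attempts reset"

    def reset(self, username=None, clear_history=True, unlock=True) -> None:
        # "attempts reset all|user <username>" with the no-clear-history / no-unlock options
        keys = list(self.history) if username is None else [self._key(username)]
        for rec in (self.history.get(k) for k in keys if k is not None):
            if rec is None:
                continue
            if unlock:
                rec.locked_at = None
            if clear_history:
                rec.failures, rec.last_fail = 0, 0.0

def demo() -> Dict[str, bool]:
    policy = AttemptsPolicy(track_downcase=True, max_fail=3, unlock_time=45,
                            admin_no_lockout=True, unknown_hash_username=True)
    t = AttemptTracker(policy, local_users={"admin", "analyst"})
    t0 = 1_700_000_000.0
    for i in range(5):
        t.record_failure("admin", t0 + i)        # admin is exempt from lockout
        t.record_failure("Analyst", t0 + i)      # downcase: counted against "analyst"
    t.record_failure("Hunter2!", t0)             # a password typed at the user-name prompt
    out = {"analyst_locked": t.is_locked("analyst", t0 + 5),
           "admin_never_locked": not t.is_locked("admin", t0 + 5),
           "raw_unknown_name_stored": any("hunter2!" in k.lower() for k in t.history)}
    t.reset("analyst", clear_history=True, unlock=False)   # reset user analyst no-unlock
    out["still_locked_after_no_unlock"] = t.is_locked("analyst", t0 + 5)
    out["unlocked_after_45s"] = not t.is_locked("analyst", t0 + 4 + 45)
    throttle = AttemptTracker(AttemptsPolicy(lock_time=15), local_users={"analyst"})
    throttle.record_failure("analyst", t0)       # lock-time alone: 15 s lock after each failure
    out["throttled_at_5s"] = throttle.is_locked("analyst", t0 + 5)
    out["open_again_at_20s"] = not throttle.is_locked("analyst", t0 + 20)
    return out
```

Running demo() shows the two lockout mechanisms side by side: lock-time throttles every failure for a short interval, while max-fail plus unlock-time holds the account for a longer interval once the threshold is crossed. The history never contains the string "Hunter2!", which is the whole point of the hash-username override.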
aaa authentication certificate crl delete filename Deletes a specified Certificate Revocation List (CRL) file from the appliance. For details about certificate revocation, refer to the "Configuring CAC for Certificate Authentication" appendix of the System Administration Guide.
Syntax aaa authentication certificate crl delete filename <name_of_file>
Parameters name_of_file
Name of the specified CRL file.
Example The following example shows how to delete a specified CRL file from the appliance. hostname (config) # aaa authentication certificate crl delete filename john-doe.crl.pem
User Role Administrator
Command Mode Configuration
Release Information This command was introduced as follows:
- CM Series: Release 7.9.1
- NX Series: Release 7.9.1
- VX Series: Release 7.9.1
Related Commands For a list of related commands, see CAC Commands on page 67.
aaa authentication certificate crl fetch url Downloads a Certificate Revocation List (CRL) file from a specified remote location and stores it locally so that the appliance can check client certificates for revocation. Only one CRL file can be present on the system; when you download a new CRL file, the existing CRL file is automatically deleted. A CRL lists the certificates that the issuing CA has revoked and that must no longer be trusted. When a TLS connection is set up with the appliance, part of the authentication process is to verify that the client certificate is not listed in the CRL. Each entry in the list records the serial number of a revoked certificate and the date of its revocation. A fetched CRL is a point-in-time snapshot: revocations published after the download are not visible to the CRL check until you fetch an updated file. If you do not specify a filename, the CRL file is saved on the appliance or node under the remote filename. For details about certificate revocation, refer to the "Configuring CAC for Certificate Authentication" appendix of the System Administration Guide.
Syntax aaa authentication certificate crl fetch url <URL> [filename <name_of_file>]
Parameters URL
Location of the CRL file. For an SCP source, the <URL> carries the remote server administrator credentials (<username> and <password>), the remote server (<hostname>), and the remote path and filename of the CRL file (<path>), in the following format: scp://<username>[:<password>]@<hostname>/<path>
If you do not specify the remote host administrator password in the aaa authentication certificate crl fetch url command (where the password would be visible as clear text), the CLI prompts for the password and obfuscates the keyboard input as you type it.
filename
(Optional) Saves the downloaded CRL file under a name that you specify.
name_of_file
(Optional) Name of the saved CRL file.
Example The following example shows how to download a CRL file from a specified remote location over HTTP and store it locally. hostname (config) # aaa authentication certificate crl fetch url http://172.16.142.99/QA/test/cac/johndoe.crl.pem
User Role Administrator
Command Mode Configuration
Release Information This command was introduced as follows:
- CM Series: Release 7.9.1
- NX Series: Release 7.9.1
- VX Series: Release 7.9.1
Related Commands For a list of related commands, see CAC Commands on page 67.
aaa authentication certificate ocsp default url Configures the default Online Certificate Status Protocol (OCSP) URL so that the appliance can validate certificate revocation. If an OCSP URL is found in the certificate, the OCSP responder (also referred to as an OCSP server) at that URL is queried to determine the revocation status of the certificate. If the certificate contains no OCSP URL, or the appliance cannot communicate with the responder named in the certificate, the default URL configured on the appliance is used instead. For details about certificate revocation, refer to the "Configuring CAC for Certificate Authentication" appendix of the System Administration Guide.
Syntax [no] aaa authentication certificate ocsp default url <URL>
Parameters no
Use the no form of this command to remove the default OCSP URL.
URL
Default OCSP responder URL configured on the appliance. It is queried when the certificate names no responder or when that responder is unreachable, and always when aaa authentication certificate ocsp override-responder is enabled.
Example The following example shows how to configure the default Online Certificate Status Protocol (OCSP) URL. hostname (config) # aaa authentication certificate ocsp default url http://10.3.13.219:80
User Role Administrator
Command Mode Configuration
Release Information This command was introduced as follows:
- CM Series: Release 7.9.1
- NX Series: Release 7.9.1
- VX Series: Release 7.9.1
Related Commands For a list of related commands, see CAC Commands on page 67.
aaa authentication certificate ocsp enable Enables the Online Certificate Status Protocol (OCSP) so that the appliance can verify whether a client certificate has been revoked. When OCSP is enabled and the appliance cannot reach the OCSP responder, the user is denied access to the Web UI; the check fails closed rather than admitting a certificate whose status is unknown. OCSP lets the appliance check the status of a single certificate without downloading and searching an entire revocation list. OCSP is enabled by default. For details about certificate revocation, refer to the "Configuring CAC for Certificate Authentication" appendix of the System Administration Guide.
Syntax [no] aaa authentication certificate ocsp enable
Parameters no
Use the no form of this command to disable OCSP for certificate authentication.
Example The following example shows how to enable OCSP. hostname (config) # aaa authentication certificate ocsp enable
User Role Administrator
Command Mode Configuration
Release Information This command was introduced as follows:
- CM Series: Release 7.9.1
- NX Series: Release 7.9.1
- VX Series: Release 7.9.1
Related Commands For a list of related commands, see CAC Commands on page 67.
aaa authentication certificate ocsp override-responder Enables the override of the OCSP responder so that the default OCSP responder is used when the certificate is being validated even if the certificate references an OCSP responder. The OCSP override responder setting is disabled by default. For details about certificate revocation, refer to the "Configuring CAC for Certificate Authentication" appendix of the System Administration Guide.
Syntax [no] aaa authentication certificate ocsp override-responder
Parameters no
Use the no form of this command to disable the override of the OCSP responder from the certificate that is being validated.
Example The following example shows how to enable the OCSP override responder. hostname (config) # aaa authentication certificate ocsp override-responder
User Role Administrator
Command Mode Configuration
Release Information This command was introduced as follows:
- CM Series: Release 7.9.1
- NX Series: Release 7.9.1
- VX Series: Release 7.9.1
Related Commands For a list of related commands, see CAC Commands on page 67.
aaa authentication certificate username x509-cert-san-email Uses the email address (the rfc822Name entry) in the Subject Alternative Name (SAN) extension of the X.509 certificate as the user name. A certificate may carry several SAN subfields. Use the no aaa authentication certificate username command to reset the certificate field for the user name to the default x509-cert-san-upn attribute. For details about the user attributes for the X.509 certificate, refer to the "Configuring CAC for Certificate Authentication" appendix of the System Administration Guide.
Syntax aaa authentication certificate username x509-cert-san-email no aaa authentication certificate username
Parameters None
Example The following example shows how to configure an email address in the Subject Alternative Name (SAN) field of the certificate. hostname (config) # aaa authentication certificate username x509-cert-san-email
User Role Administrator
Command Mode Configuration
Release Information This command was introduced as follows:
- CM Series: Release 7.9.1
- NX Series: Release 7.9.1
- VX Series: Release 7.9.1
Related Commands For a list of related commands, see CAC Commands on page 67.
aaa authentication certificate username x509-cert-san-email-username Uses the local part of the email address in the SAN extension of the X.509 certificate, that is, the portion before the @ sign without the domain name, as the user name. Use the no aaa authentication certificate username command to reset the certificate field for the user name to the default x509-cert-san-upn attribute. For details about the user attributes for the X.509 certificate, refer to the "Configuring CAC for Certificate Authentication" appendix of the System Administration Guide.
Syntax aaa authentication certificate username x509-cert-san-email-username no aaa authentication certificate username
Parameters None
Example The following example shows how to configure the username of an email address without the domain name in the certificate. hostname (config) # aaa authentication certificate username x509-cert-san-email-username
User Role Administrator
Command Mode Configuration
Release Information This command was introduced as follows:
- CM Series: Release 7.9.1
- NX Series: Release 7.9.1
- VX Series: Release 7.9.1
Related Commands For a list of related commands, see CAC Commands on page 67.
aaa authentication certificate username x509-cert-san-upn Uses the User Principal Name (UPN) encoded in the Other Name subfield of the SAN extension of the X.509 certificate as the user name. This is the default certificate field for the user name. Use the no aaa authentication certificate username command to reset the certificate field for the user name to this default. For details about the user attributes for the X.509 certificate, refer to the "Configuring CAC for Certificate Authentication" appendix of the System Administration Guide.
Syntax aaa authentication certificate username x509-cert-san-upn no aaa authentication certificate username
Parameters None
Example The following example shows how to configure the UPN of the SAN field in the certificate. hostname (config) # aaa authentication certificate username x509-cert-san-upn
User Role Administrator
Command Mode Configuration
Release Information This command was introduced as follows:
- CM Series: Release 7.9.1
- NX Series: Release 7.9.1
- VX Series: Release 7.9.1
Related Commands For a list of related commands, see CAC Commands on page 67.
aaa authentication certificate username x509-cert-san-upn-username Uses the user-name portion of the UPN attribute in the certificate, that is, the part before the @ sign, as the user name. Use the no aaa authentication certificate username command to reset the certificate field for the user name to the default x509-cert-san-upn attribute. For details about the user attributes for the X.509 certificate, refer to the "Configuring CAC for Certificate Authentication" appendix of the System Administration Guide.
Syntax aaa authentication certificate username x509-cert-san-upn-username no aaa authentication certificate username
Parameters None
Example The following example shows how to configure the username of the UPN attribute in the certificate. hostname (config) # aaa authentication certificate username x509-cert-san-upn-username
User Role Administrator
Command Mode Configuration
Release Information This command was introduced as follows:
- CM Series: Release 7.9.1
- NX Series: Release 7.9.1
- VX Series: Release 7.9.1
Related Commands For a list of related commands, see CAC Commands on page 67.
aaa authentication certificate username x509-cert-subject Uses the entire subject field of the X.509 certificate as the user name. The subject is the Distinguished Name (DN), an ordered set of attribute entries, each identified by its attribute type (such as C, O, OU or CN). The following example shows the DN format for the Common Access Card (CAC): C=US, O=Test Government, OU=Test Department, OU=Test Agency, CN=Test Cardholder
Use the no aaa authentication certificate username command to reset the certificate field for the user name to the default x509-cert-san-upn attribute. For details about the user attributes for the X.509 certificate, refer to the "Configuring CAC for Certificate Authentication" appendix of the System Administration Guide.
Syntax aaa authentication certificate username x509-cert-subject no aaa authentication certificate username
Parameters None
Example The following example shows how to configure the name of the entry for the subject field in the X.509 certificate. hostname (config) # aaa authentication certificate username x509-cert-subject
User Role Administrator
Command Mode Configuration
Release Information This command was introduced as follows:
- CM Series: Release 7.9.1
- NX Series: Release 7.9.1
- VX Series: Release 7.9.1
Related Commands For a list of related commands, see CAC Commands on page 67.
aaa authentication certificate username x509-cert-subject-cn Uses the Common Name (CN) attribute of the subject DN in the X.509 certificate as the user name. For example, a subject containing CN=Test Cardholder yields the user name Test Cardholder. Use the no aaa authentication certificate username command to reset the certificate field for the user name to the default x509-cert-san-upn attribute. For details about the user attributes for the X.509 certificate, refer to the "Configuring CAC for Certificate Authentication" appendix of the System Administration Guide.
Syntax aaa authentication certificate username x509-cert-subject-cn no aaa authentication certificate username
Parameters None
Example The following example shows how to configure the CN entry from the DN attribute. hostname (config) # aaa authentication certificate username x509-cert-subject-cn
User Role Administrator
Command Mode Configuration
Release Information This command was introduced as follows:
- CM Series: Release 7.9.1
- NX Series: Release 7.9.1
- VX Series: Release 7.9.1
Related Commands For a list of related commands, see CAC Commands on page 67.
aaa authentication certificate validation allow-missing-basic-constraints Allows a user to log in to the Web UI even when the basic constraints extension is not included in the X.509 certificate. The basic constraints extension indicates whether a certificate belongs to a Certificate Authority (CA); it is how a validator tells CA certificates apart from end-entity certificates in a chain. By default, the appliance verifies that the extension is present in the X.509 certificate, and the login fails if it is not found. Enable this option only for certificates from an issuer that omits the extension, because it relaxes a standard path-validation check. For details about certificate validation, refer to the "Configuring CAC for Certificate Authentication" appendix of the System Administration Guide.
Syntax [no] aaa authentication certificate validation allow-missing-basic-constraints
Parameters no
Use the no form of this command to disable the option to allow the user to log in to the Web UI when the basic constraints extension is not included in the X.509 certificate.
Example The following example shows how to enable the appliance to allow a certificate with a missing basic constraints extension. hostname (config) # aaa authentication certificate validation allow-missing-basic-constraints
User Role Administrator
Command Mode Configuration
Release Information This command was introduced as follows:
- CM Series: Release 7.9.1
- NX Series: Release 7.9.1
- VX Series: Release 7.9.1
Related Commands For a list of related commands, see CAC Commands on page 67.
aaa authentication certificate web policy allowed Enables the policy settings of the Web UI to accept an optional X.509 certificate for user authentication. The administrator can use the aaa authentication certificate web policy allowed command to allow the user to log in to the Web UI using their provided user name and password or using an optional X.509 certificate. Use the no aaa authentication certificate web policy command to reset the policy not to accept a certificate for user authentication. The VX Series compute node does not have a Web UI. For details about the policy settings of the Web UI that are used for certificate authentication, refer to the "Configuring CAC for Certificate Authentication" appendix of the System Administration Guide.
Syntax aaa authentication certificate web policy allowed no aaa authentication certificate web policy
Parameters None
Example The following example shows how to allow the user to log in to the Web UI using the user name and password provided by their administrator or using an optional X.509 certificate. hostname (config) # aaa authentication certificate web policy allowed
User Role Administrator
Command Mode Configuration
Release Information This command was introduced as follows:
- CM Series: Release 7.9.1
- NX Series: Release 7.9.1
- VX Series: Release 7.9.1
Related Commands For a list of related commands, see CAC Commands on page 67.
aaa authentication certificate web policy disabled Disables the Web UI policy for client X.509 certificates, so that the Web UI does not accept a certificate for user authentication. This is the default: the policy is disabled and X.509 certificates are not accepted. The VX Series compute node does not have a Web UI. For details about the policy settings of the Web UI that are used for certificate authentication, refer to the "Configuring CAC for Certificate Authentication" appendix of the System Administration Guide.
Syntax aaa authentication certificate web policy disabled no aaa authentication certificate web policy
Parameters None
Example The following example shows how to disable the policy settings of the Web UI and not to accept a client X.509 certificate. hostname (config) # aaa authentication certificate web policy disabled
User Role Administrator
Command Mode Configuration
Release Information This command was introduced as follows:
- CM Series: Release 7.9.1
- NX Series: Release 7.9.1
- VX Series: Release 7.9.1
Related Commands For a list of related commands, see CAC Commands on page 67.
aaa authentication certificate web policy required Enables the policy settings of the Web UI to require only a client X.509 certificate for user authentication. Use the no aaa authentication certificate web policy command to reset the policy not to accept a certificate for user authentication. The VX Series compute node does not have a Web UI. For details about the policy settings of the Web UI that are used for certificate authentication, refer to the "Configuring CAC for Certificate Authentication" appendix of the System Administration Guide.
Syntax aaa authentication certificate web policy required no aaa authentication certificate web policy
Parameters None
Example The following example shows how to allow the user to log in to the Web UI using a mandatory X.509 certificate. hostname (config) # aaa authentication certificate web policy required
User Role Administrator
Command Mode Configuration
Release Information This command was introduced as follows:
- CM Series: Release 7.9.1
- NX Series: Release 7.9.1
- VX Series: Release 7.9.1
Related Commands For a list of related commands, see CAC Commands on page 67.
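The CAC entries above describe several independent settings whose combination decides whether a client certificate logs a user in, and under which name. The following Python model is an added example, not FireEye code and not a description of the appliance's implementation; it walks the documented decisions in one place: the web policy (disabled, allowed, required), the basic-constraints gate, the CRL lookup, OCSP responder selection with its fail-closed rule, and the mapping from each aaa authentication certificate username setting to the resulting user name. The ClientCert and CacConfig classes, the order in which the checks run, the reachability set that stands in for network access to a responder, and the constructed certificate values (serial, UPN, email address, responder URL) are assumptions for this illustration.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

@dataclass
class ClientCert:
    # Constructed view of a client certificate after the TLS handshake (an assumption).
    subject: str                       # DN string, e.g. "C=US, O=Test Government, CN=..."
    serial: int
    san_email: Optional[str] = None    # rfc822Name in the Subject Alternative Name (SAN)
    san_upn: Optional[str] = None      # otherName UPN (OID 1.3.6.1.4.1.311.20.2.3) in the SAN
    ocsp_url: Optional[str] = None     # OCSP responder named in the certificate, if any
    has_basic_constraints: bool = True

@dataclass
class CacConfig:
    web_policy: str = "disabled"                # certificate web policy disabled|allowed|required
    username_field: str = "x509-cert-san-upn"   # certificate username <field> (the default)
    allow_missing_basic_constraints: bool = False
    ocsp_enable: bool = True
    ocsp_default_url: Optional[str] = None      # certificate ocsp default url <URL>
    ocsp_override_responder: bool = False
    crl_revoked_serials: Set[int] = field(default_factory=set)   # serials from the fetched CRL

def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN string into (type, value) pairs; a backslash-escaped comma stays in the value."""
    pairs, buf, esc = [], "", False
    for ch in dn:
        if esc:
            buf, esc = buf + ch, False
        elif ch == "\\":
            esc = True
        elif ch == ",":
            pairs.append(buf)
            buf = ""
        else:
            buf += ch
    pairs.append(buf)
    return [tuple(p.strip().split("=", 1)) for p in pairs if "=" in p]

def username_from_cert(cert: ClientCert, field_name: str) -> Optional[str]:
    """The string each 'certificate username <field>' setting logs the user in as."""
    def local_part(addr):
        return addr.split("@", 1)[0] if addr else None
    choices = {
        "x509-cert-san-email": cert.san_email,
        "x509-cert-san-email-username": local_part(cert.san_email),
        "x509-cert-san-upn": cert.san_upn,
        "x509-cert-san-upn-username": local_part(cert.san_upn),
        "x509-cert-subject": cert.subject,
        "x509-cert-subject-cn": next((v for k, v in parse_dn(cert.subject) if k.upper() == "CN"), None),
    }
    return choices[field_name]

def choose_ocsp_responder(cert: ClientCert, cfg: CacConfig, reachable: Set[str]) -> Optional[str]:
    """Certificate's responder unless override is set, the URL is absent or unreachable; else the default."""
    if cfg.ocsp_override_responder or not cert.ocsp_url or cert.ocsp_url not in reachable:
        return cfg.ocsp_default_url
    return cert.ocsp_url

def decide_login(cert, cfg, reachable, ocsp_revoked) -> str:
    """'user:<name>', 'password-login' or 'deny:<reason>'. The check order is an assumption;
    ocsp_revoked stands in for the responder's answers."""
    if cfg.web_policy == "disabled":
        return "password-login"
    if cert is None:
        return "password-login" if cfg.web_policy == "allowed" else "deny:certificate required"
    if not cert.has_basic_constraints and not cfg.allow_missing_basic_constraints:
        return "deny:basic constraints missing"
    if cert.serial in cfg.crl_revoked_serials:
        return "deny:revoked (CRL)"
    if cfg.ocsp_enable:
        responder = choose_ocsp_responder(cert, cfg, reachable)
        if responder is None or responder not in reachable:
            return "deny:OCSP responder unreachable"      # fails closed, as documented
        if cert.serial in ocsp_revoked:
            return "deny:revoked (OCSP)"
    name = username_from_cert(cert, cfg.username_field)
    return f"user:{name}" if name else "deny:username field absent from certificate"

# Constructed CAC-style certificate using the DN format shown in the x509-cert-subject entry.
CARD = ClientCert(
    subject="C=US, O=Test Government, OU=Test Department, OU=Test Agency, CN=Test Cardholder",
    serial=4660, san_email="test.cardholder@example.gov", san_upn="1234567890@mil",
    ocsp_url="http://ocsp.example.gov")
DEFAULT_URL = "http://10.3.13.219:80"   # the default-url value from the example above

def demo() -> dict:
    cfg = CacConfig(web_policy="required", ocsp_default_url=DEFAULT_URL)
    both_up = {CARD.ocsp_url, DEFAULT_URL}
    out = {"default_upn": decide_login(CARD, cfg, both_up, set())}
    cfg.username_field = "x509-cert-subject-cn"
    out["subject_cn"] = decide_login(CARD, cfg, both_up, set())
    out["fallback_when_cert_responder_down"] = choose_ocsp_responder(CARD, cfg, {DEFAULT_URL})
    out["nothing_reachable"] = decide_login(CARD, cfg, set(), set())
    out["ocsp_revoked"] = decide_login(CARD, cfg, both_up, {CARD.serial})
    cfg.crl_revoked_serials.add(CARD.serial)
    out["crl_revoked"] = decide_login(CARD, cfg, both_up, set())
    return out
```

The username_from_cert table is the part worth keeping next to the CLI: the local or LDAP account names on the appliance must match whatever string the selected field yields (for the constructed card, 1234567890@mil by default, but Test Cardholder with x509-cert-subject-cn), or the certificate will validate and the login will still fail. The reachability set makes the fail-closed behaviour visible: with no responder reachable, a perfectly valid certificate is denied, which is the documented behaviour when OCSP is enabled.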
aaa authentication login default Specifies the type of login method.
Syntax aaa authentication login default auth_method [auth_method [auth_method [auth_method]]]
Parameters auth_method
One or more authentication methods. Authentication is attempted in the order in which the methods are specified. Available methods are:
local—Use the local user database. This method is required.
radius—Use Remote Authentication Dial In User Service (RADIUS) for user authentication.
tacacs+—Use Terminal Access Controller Access-Control System Plus (TACACS+) for user authentication.
ldap—Use Lightweight Directory Access Protocol (LDAP) for user authentication.
Example The following example sets the default login method to LDAP, followed by RADIUS and then the local database: hostname (config) # aaa authentication login default ldap radius local
User Role Administrator
Command Mode Configuration
Release Information This command was introduced as follows:
AX Series: Before release 6.4
CM Series: Before release 6.4
EX Series: Before release 6.4
FX Series: Before release 6.4
HX Series: Release 2.5
NX Series: Before release 6.4
VX Series: Release 7.9
Related Commands show aaa
aaa authentication password lcd length minimum To configure the minimum length of the password used to log in to the LCD panel, use the aaa authentication password lcd length minimum command in configuration mode. Administrators use a dedicated password to log in to the LCD panel. Before you can raise the minimum length, the existing LCD password must already meet the new minimum; change it first with the lcd password command.
Syntax [no] aaa authentication password lcd length minimum number
Parameters no
Removes any minimum length requirement set for the LCD password. number
The minimum length of the LCD password, in characters.
Example This example specifies that the LCD password must be at least eight characters. hostname (config) # aaa authentication password lcd length minimum 8
User Role Admin
Release Information This command was introduced as follows:
AX Series: Before release 6.4
CM Series: Before release 6.4
EX Series: Before release 6.4
FX Series: Before release 6.4
HX Series: Release 2.5
NX Series: Before release 6.4
VX Series: Release 7.9
Related Topics For a list of related commands, see: AAA Authentication Commands on page 52.
aaa authentication password local change allow-encrypt Allows or prevents the use of hashed values as passwords. Password validation rules are not applied to hashed passwords. To prevent admin users from using the username username password 7 hashValue command to set a hashed (already encrypted) value as a user password, use the no aaa authentication password local change allow-encrypt command in configuration mode. Omit the no parameter to allow admin users to set hashed passwords (the default behavior).
Prohibiting hashed passwords keeps the password validation rules from being circumvented. However, the show configuration command output contains the commands needed to restore system user accounts, and those commands carry hashed passwords because plaintext passwords are unavailable. If you prohibit hashed passwords, this restoration cannot be done, and those commands are commented out in the output.
Syntax [no] aaa authentication password local change allow-encrypt
Parameters no
Use the no form of this command to prevent the use of hashed values as passwords.
Example The following example allows admin users to use hashed values as user passwords. hostname (config) # aaa authentication password local change allow-encrypt
The following example prevents admin users from using hashed values as user passwords. hostname (config) # no aaa authentication password local change allow-encrypt
User Role Admin
Release Information This command was introduced as follows:
CM Series: Release 7.5
EX Series: Release 7.6
AX Series: Release 7.7
FX Series: Release 7.7
HX Series: Release 3.0
NX Series: Release 7.5
VX Series: Release 7.9
Related Topics For a list of related commands, see: AAA Authentication Commands on page 52.
aaa authentication password local change require-current To require non-admin users who change their passwords to enter their current password in addition to the new password, use the aaa authentication password local change require-current command in configuration mode. When this feature is enabled:
The My Account Setting page in the Web UI includes a Current Password field.
Local login commands such as username password prompt for the current password if the user does not supply it as a command parameter.
Custom scripts that use the CLI to configure user accounts may need to be updated if this feature is enabled. For example, a script that sets the password for a user would need to be modified so that it includes the current password.
Syntax [no] aaa authentication password local change require-current {userType}
Parameters no
Use the no form of this command to allow non-admin users to change their password without providing their current password. userType
The user types affected by this rule. The following user type is available:
non-admin—Non-admin users are required to provide their current password. Admin users are exempt from this rule.
Example The following example requires non-admin users to enter their current password as well as the new password: hostname (config) # aaa authentication password local change require-current non-admin
The following example removes the current password rule for all users: hostname (config) # no aaa authentication password local change require-current
User Role Admin
Release Information This command was introduced as follows:
CM Series: Release 7.4
EX Series: Release 7.6
AX Series: Release 7.4
FX Series: Release 7.5
HX Series: Release 2.5
NX Series: Release 7.4
VX Series: Release 7.9
Related Topics For a list of related commands, see: AAA Authentication Commands on page 52.
aaa authentication password local character-type minimum This command allows you to set the minimum number of characters required in a password based on character types. Requiring a minimum number of various character types is a way to establish password strength. The validation rules defined by this command do not apply to passwords that already exist. They are only enforced on plain-text passwords; they are not applied to passwords set as hashed values. For more information, see the System Administration Guide or Administration Guide for your appliance.
Syntax [no] aaa authentication password local character-type characterType minimum number
Parameters no
Removes any minimum requirement set for the specified character type. characterType
The character type for which to set a minimum. The following character types can be used:
lower-case—The minimum number of lowercase alphabetic characters required in the password.
upper-case—The minimum number of uppercase alphabetic characters required in the password.
special—The minimum number of special characters required in the password (for example: !, @, $, %, &).
numeral—The minimum number of numeric characters required in the password. number
The minimum number of characters of that type.
Example The following example requires a password to include at least 6 lower-case letters: hostname (config) # aaa authentication password local character-type lower-case minimum 6
The following example requires a password to include at least 3 upper-case letters: hostname (config) # aaa authentication password local character-type upper-case minimum 3
The following example requires a password to include at least 1 special character: hostname (config) # aaa authentication password local character-type special minimum 1
The following example removes the minimum requirement for numerals: hostname (config) # no aaa authentication password local character-type numeral minimum
User Role Admin
Release Information This command was introduced as follows:
AX Series: Release 7.1
CM Series: Release 7.2
EX Series: Release 7.1
FX Series: Release 7.1
NX Series: Release 7.2
VX Series: Release 7.9
Related Topics For a list of related commands, see: AAA Authentication Commands on page 52.
aaa authentication password local history clear Use this command to clear the password history for a specific user or for all users. When the local password history feature is enabled, a history of the specified number of passwords is maintained. For example, if 5 is the specified number, users can reuse a password after they have changed it to something else five times. If the configured number is lowered, the oldest excess passwords are removed from the history. The password history is cleared in the following cases:
The feature is disabled using the no aaa authentication password local history command.
An administrator clears the history using the aaa authentication password local history clear command.
A password can be reused immediately after the password history is cleared, or after the feature is disabled. In both cases, information about the current password, such as the date and time it was set, is retained.
Syntax aaa authentication password local history clear {all | user username}
Parameters all
Clears the password history for all users. user username
Clears the password history for the specified user.
Example This example clears the password history for Martin. hostname (config) # aaa authentication password local history clear user martinw
User Role Admin
Release Information This command was introduced as follows:
AX Series: Release 7.7
CM Series: Release 7.6
EX Series: Release 7.6
FX Series: Release 7.7
HX Series: Release 3.0
NX Series: Release 7.6
VX Series: Release 7.9
Related Topics For a list of related commands, see: AAA Authentication Commands on page 52.
aaa authentication password local history compare Use this command to set the number of password changes that are required before a previous password can be reused. When the local password history feature is enabled, a history of the specified number of passwords is maintained. For example, if 5 is the specified number, users can reuse a password after they have changed it to something else five times. If the configured number is lowered, the oldest excess passwords are removed from the history. The password history is cleared in the following cases:
The feature is disabled using the no aaa authentication password local history command.
An administrator clears the history using the aaa authentication password local history clear command.
A password can be reused immediately after the password history is cleared, or after the feature is disabled. In both cases, information about the current password, such as the date and time it was set, is retained.
Syntax [no] aaa authentication password local history compare number
Parameters no
Removes any constraint on reusing a password (the default behavior). number
The number of times a password must be changed before it can be reused. Range: 0–50. Specifying 0 has the same result as using the no parameter.
Example In this example, all users are required to provide 3 new passwords before repeating a previous password. hostname (config) # aaa authentication password local history compare 3
User Role Admin
Release Information This command was introduced as follows:
CM Series: Release 7.6
EX Series: Release 7.6
NX Series: Release 7.6
AX Series: Release 7.7
FX Series: Release 7.7
Related Topics For a list of related commands, see: AAA Authentication Commands on page 52.
aaa authentication password local length Use this command to configure the minimum or maximum length of a password. Requiring a minimum or maximum number of characters in a password is a way to establish password strength. These requirements do not apply to passwords that already exist. They are enforced only on plain-text passwords; they are not applied to passwords set as hashed values. For more information, see the System Administration Guide or Administration Guide for your appliance.
Syntax [no] aaa authentication password local length {minimum | maximum} number
Parameters no
Removes the minimum or maximum length requirement set for the password. minimum
Sets the minimum number of characters required for a password. maximum
Sets the maximum number of characters allowed for a password. number
The number of characters for the minimum or maximum length.
Example In this example, the minimum password length is set to 8. hostname (config) # aaa authentication password local length minimum 8
In this example, the maximum password length is set to 20. hostname (config) # aaa authentication password local length maximum 20
In this example, the minimum password length requirement is removed. hostname (config) # no aaa authentication password local length minimum
User Role Admin
Release Information This command was introduced as follows:
AX Series: Release 7.1
CM Series: Release 7.2
EX Series: Release 7.1
FX Series: Release 7.1
HX Series: Release 3.0
NX Series: Release 7.2
VX Series: Release 7.9
Related Topics For a list of related commands, see: AAA Authentication Commands on page 52.
aaa authentication password local max-char-repeats Use this command to configure the maximum number of times in a row a character can repeat in a password. Requiring a maximum number of character repeats is a way to establish password strength. This requirement does not apply to passwords that already exist. It is only enforced on plain-text passwords; it is not applied to passwords set as hashed values. The default value is no limit; to specify that a character cannot repeat, specify 1. For more information, see the System Administration Guide or Administration Guide for your appliance.
Syntax [no] aaa authentication password local max-char-repeats number
Parameters no
Removes any restriction on the number of times a character can repeat consecutively. number
The maximum number of times a character can repeat consecutively.
Example This example specifies that no characters can repeat consecutively. For example, a user can set a password of Ab8#dedg, but not Ab8#dedd. hostname (config) # aaa authentication password local max-char-repeats 1
User Role Admin
Release Information This command was introduced as follows:
AX Series: Release 7.1
CM Series: Release 7.2
EX Series: Release 7.1
FX Series: Release 7.1
NX Series: Release 7.2
HX Series: Release 3.0
VX Series: Release 7.9
Related Topics For a list of related commands, see: AAA Authentication Commands on page 52.
aaa authentication password local no-userid Use this command to prevent users from setting a password that matches their username. For stricter password security, you can require users to select a password that is not the same as their username. For more information, see the System Administration Guide or CM Series Administration Guide.
Syntax [no] aaa authentication password local no-userid
Parameters no
Restores the default behavior, in which the username and password are allowed to match.
Example This example specifies that the password must be different from the username. hostname (config) # aaa authentication password local no-userid
User Role Admin
Release Information This command was introduced as follows:
AX Series: Release 7.7
CM Series: Release 7.5
EX Series: Release 7.6
FX Series: Release 7.7
HX Series: Release 3.0
NX Series: Release 7.5
VX Series: Release 7.9
Related Topics For a list of related commands, see: AAA Authentication Commands on page 52.
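The following is an added example, not FireEye code and not part of this guide. It models the local password rules defined by the character-type minimum, length, max-char-repeats, no-userid and history compare commands above, together with the allow-encrypt behaviour described earlier: a value set with password 7 skips validation entirely, so the only way to keep those rules from being bypassed is to refuse hashed values. The CLI keywords are the guide's; the evaluation order, the messages, the definition of each character class and the PBKDF2 storage of the reuse history are assumptions made for the illustration.

```python
"""Local password-policy checker modelled on the rules documented in this guide
(length minimum/maximum, character-type minimum, max-char-repeats, no-userid,
history compare) and on the allow-encrypt behaviour.  Added illustration, not
appliance code: the evaluation order, messages, character-class definitions and
PBKDF2 history storage are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000  # assumption; the appliance's own hash format is not documented

# Assumed meaning of the four character-type keywords.
CHAR_CLASSES = {
    "lower-case": lambda c: c.isalpha() and c.islower(),
    "upper-case": lambda c: c.isalpha() and c.isupper(),
    "numeral": lambda c: c.isdigit(),
    "special": lambda c: not c.isalnum() and not c.isspace(),
}


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted digest kept in the reuse history so that no plaintext is stored."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def longest_run(s: str) -> int:
    """Length of the longest run of one character repeated consecutively."""
    longest = run = 0
    prev = None
    for ch in s:
        run = run + 1 if ch == prev else 1
        longest = max(longest, run)
        prev = ch
    return longest


@dataclass
class LocalPasswordPolicy:
    min_length: Optional[int] = None        # ... local length minimum N
    max_length: Optional[int] = None        # ... local length maximum N
    char_type_min: Dict[str, int] = field(default_factory=dict)  # ... character-type T minimum N
    max_char_repeats: Optional[int] = None  # ... max-char-repeats N (None: no limit, the default)
    no_userid: bool = False                 # ... no-userid
    history_compare: int = 0                # ... history compare N (0: no reuse restriction)
    allow_encrypt: bool = True              # ... change allow-encrypt (on by default)

    def violations(self, username: str, password: str,
                   history: List[Tuple[bytes, bytes]]) -> List[str]:
        """Every rule the plaintext password breaks; an empty list means accepted."""
        problems = []
        if self.min_length is not None and len(password) < self.min_length:
            problems.append(f"shorter than minimum length {self.min_length}")
        if self.max_length is not None and len(password) > self.max_length:
            problems.append(f"longer than maximum length {self.max_length}")
        for cls, needed in self.char_type_min.items():
            have = sum(1 for c in password if CHAR_CLASSES[cls](c))
            if have < needed:
                problems.append(f"needs {needed} {cls} characters, has {have}")
        if self.max_char_repeats is not None and longest_run(password) > self.max_char_repeats:
            problems.append(f"a character repeats more than {self.max_char_repeats} time(s) in a row")
        if self.no_userid and password == username:
            problems.append("password must not match the username")
        # history compare N: the last N passwords set (the current one included) may not be reused
        recent = history[-self.history_compare:] if self.history_compare > 0 else []
        for salt, digest in recent:
            if hmac.compare_digest(hash_password(password, salt)[1], digest):
                problems.append(f"reuses one of the last {self.history_compare} passwords")
                break
        return problems


@dataclass
class LocalAccount:
    username: str
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)


def set_password(policy: LocalPasswordPolicy, account: LocalAccount,
                 value: str, hashed: bool = False) -> List[str]:
    """Model 'username NAME password VALUE' (plaintext) or 'password 7 HASH' (hashed).
    Returns [] when the change is accepted, otherwise the reasons it was refused."""
    if hashed:
        # The validation rules never run on a hashed value, so the only control
        # is 'no ... change allow-encrypt', which refuses the command outright.
        if not policy.allow_encrypt:
            return ["hashed passwords are refused: no ... change allow-encrypt is set"]
        return []  # accepted unvalidated; an opaque hash cannot feed the reuse history
    problems = policy.violations(account.username, value, account.history)
    if not problems:
        account.history.append(hash_password(value))
    return problems


if __name__ == "__main__":
    policy = LocalPasswordPolicy(min_length=8, max_length=20, max_char_repeats=1,
                                 char_type_min={"upper-case": 1, "special": 1, "numeral": 1},
                                 no_userid=True, history_compare=3, allow_encrypt=False)
    acct = LocalAccount("martinw")
    for pw in ("Ab8#dedg", "Ab8#dedd", "Ab8#dedg", "Cd9$fghi", "Ef1%jklm", "Gh2&nopq", "Ab8#dedg"):
        print(pw, set_password(policy, acct, pw) or "accepted")
    print("password 7 <hash>:", set_password(policy, acct, "deadbeef", hashed=True))
```

With history compare 3, the password Ab8#dedg is refused immediately after it was set and accepted again only after three other passwords have been set, which is the reuse semantics the guide describes; Ab8#dedd is refused under max-char-repeats 1 exactly as in the guide's own example. The reuse history holds salted digests rather than plaintext, and the hashed path shows why prohibiting password 7 is the only real control: once a hash is accepted there is nothing left to validate.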
aaa authentication password local require-change advance-warning Use this command to warn users in advance that their passwords are about to expire. You can configure how many days before expiration the system should start warning users. The warnings are displayed on the Dashboard in the Web UI and in the CLI after the user logs in.
If the password is not changed and expires, the account will not be locked. However, users cannot do anything until they change their passwords.
Password change policies only apply to users who authenticate locally. They are not enforced if a user authenticates remotely and is then mapped to a local user account that requires a password change, or if a user authenticates using an SSH authorized key.
The connection between the CM Series platform and its managed appliances requires "admin" credentials. The CM Series Web services API uses "admin" credentials to authenticate requests. There are ramifications in both scenarios when the "admin" password changes. For details, see the CM Series Administration Guide and the CM Series Web Services API Guide. For more information about password change policies, see your System Administration Guide or Administration Guide.
Syntax [no] aaa authentication password local require-change advance-warning days
Parameters no
Removes the advance warning notification. days
The number of days before password expiration at which to start notifying users.
Example This example warns users 15 days before their passwords expire. hostname (config) # aaa authentication password local require-change advance-warning 15
User Role Admin
Release Information This command was introduced as follows:
AX Series: Release 7.7
CM Series: Release 7.5
EX Series: Release 7.6
FX Series: Release 7.5
HX Series: Release 3.0
NX Series: Release 7.5
VX Series: Release 7.9
Related Topics For a list of related commands, see: AAA Authentication Commands on page 52.
aaa authentication password local require-change force Use this command to force one or more users to update their passwords when they next log in to the system. The new password must be different from the current password, even if no password reuse restrictions are configured. After users change their passwords, they must log out and then log in again to access the functionality their role allows.
If the password is not changed and expires, the account will not be locked. However, users cannot do anything until they change their passwords.
Password change policies only apply to users who authenticate locally. They are not enforced if a user authenticates remotely and is then mapped to a local user account that requires a password change, or if a user authenticates using an SSH authorized key.
The connection between the CM Series platform and its managed appliances requires "admin" credentials. The CM Series Web services API uses "admin" credentials to authenticate requests. There are ramifications in both scenarios when the "admin" password changes. For details, see the CM Series Administration Guide and the CM Series Web Services API Guide. For more information about password change policies, see your System Administration Guide or Administration Guide.
Syntax [no] aaa authentication password local require-change force {all | user username}
Parameters no
Removes the forced password change. all
Requires a password change for all users at the next login attempt. user username
Requires a password change for the specified user at the next login attempt.
Example This example requires Laura to change her password the next time she logs in. hostname (config) # aaa authentication password local require-change force user laura
User Role Admin
Release Information This command was introduced as follows:
AX Series: Release 7.7
CM Series: Release 7.5
EX Series: Release 7.6
FX Series: Release 7.5
HX Series: Release 3.0
NX Series: Release 7.5
VX Series: Release 7.9
Related Topics For a list of related commands, see: AAA Authentication Commands on page 52.
aaa authentication password local require-change max-password-days Use this command to set the maximum amount of time (in days) that a password can remain valid. At the end of this time, the password expires.
If the password is not changed and expires, the account will not be locked. However, users cannot do anything until they change their passwords.
Password change policies only apply to users who authenticate locally. They are not enforced if a user authenticates remotely and is then mapped to a local user account that requires a password change, or if a user authenticates using an SSH authorized key.
The connection between the CM Series platform and its managed appliances requires "admin" credentials. The CM Series Web services API uses "admin" credentials to authenticate requests. There are ramifications in both scenarios when the "admin" password changes. For details, see the CM Series Administration Guide and the CM Series Web Services API Guide. For more information about password change policies, see your System Administration Guide or Administration Guide.
Syntax [no] aaa authentication password local require-change max-password-age days
Parameters no
Removes the maximum password age setting. days
The number of days after which a password must be changed. Range: 1–999 days. For testing, you can specify a decimal value as small as one minute (.0007).
Example This example specifies that users change their passwords every 90 days. hostname (config) # aaa authentication password local require-change max-password-age 90
User Role Admin
Release Information This command was introduced as follows:
AX Series: Release 7.7
CM Series: Release 7.5
EX Series: Release 7.6
FX Series: Release 7.5
HX Series: Release 3.0
NX Series: Release 7.5
VX Series: Release 7.9
Related Topics For a list of related commands, see: AAA Authentication Commands on page 52.
aaa authentication password local require-change new-account This command requires users with new accounts to change their password when they first log in to the account.
Password change policies only apply to users who authenticate locally. They are not enforced if a user authenticates remotely and is then mapped to a local user account that requires a password change, or if a user authenticates using an SSH authorized key.
The connection between the CM Series platform and its managed appliances requires "admin" credentials. The CM Series Web services API uses "admin" credentials to authenticate requests. There are ramifications in both scenarios when the "admin" password changes. For details, see the CM Series Administration Guide and the CM Series Web Services API Guide. For more information about password change policies, see your System Administration Guide or Administration Guide.
Syntax [no] aaa authentication password local require-change new-account
Parameters no
Removes the requirement to change the password when users first log in to a new account.
Example In this example, the system requires users to change their password when they first log in to a new account. hostname (config) # aaa authentication password local require-change new-account
User Role Admin
Release Information This command was introduced as follows:
AX Series: Release 7.7
CM Series: Release 7.5
EX Series: Release 7.6
FX Series: Release 7.5
HX Series: Release 3.0
NX Series: Release 7.5
VX Series: Release 7.9
Related Topics For a list of related commands, see: AAA Authentication Commands on page 52.
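The following is an added example, not FireEye code and not part of this guide. It evaluates the password-change rules set by the require-change advance-warning, force, max-password-age and new-account commands above for a single login, including the two exemptions the guide states (a remotely authenticated user mapped to a local account, and an SSH authorized-key login are never subject to these rules) and the fact that an expired password leaves the account unlocked but unusable until it is changed. The state names, the login helper and the reference date are assumptions made for the illustration; the fractional-day value follows the guide's note about testing with .0007.

```python
"""Evaluates the local password-change rules documented in this guide
(max-password-age, advance-warning, require-change force, new-account) for
one login.  Added illustration, not appliance code: the returned state names
are assumptions; the exemptions for remote and SSH-key logins, the not-locked
behaviour and fractional day values follow the text."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed reference point for the examples below.
SET_AT = datetime(2016, 1, 1, tzinfo=timezone.utc)


@dataclass
class ChangePolicy:
    max_password_age: Optional[float] = None  # days; fractional allowed (.0007 is about a minute)
    advance_warning: Optional[int] = None     # days before expiry at which warnings start
    new_account: bool = False                 # require-change new-account


@dataclass
class LoginContext:
    auth_method: str            # "local", "radius", "tacacs+", "ldap" or "ssh-key"
    password_set_at: datetime   # tz-aware; retained even when the password history is cleared
    now: datetime
    force_change: bool = False  # set by 'require-change force {all | user NAME}'
    first_login: bool = False   # the account has never logged in before


def login(auth_method: str, days_after_set: float, **flags) -> LoginContext:
    """Context for a login that happens days_after_set days after SET_AT."""
    return LoginContext(auth_method, SET_AT, SET_AT + timedelta(days=days_after_set), **flags)


def change_state(policy: ChangePolicy, ctx: LoginContext) -> str:
    """One of: exempt, change-required, warning:<whole days left>, ok.

    change-required means the login itself succeeds but nothing else is
    allowed until the password is changed; the account is never locked."""
    if ctx.auth_method != "local":
        # Remote authentication mapped to a local account, and SSH authorized-key
        # logins, are never subject to the local password-change policy.
        return "exempt"
    if ctx.force_change or (policy.new_account and ctx.first_login):
        return "change-required"
    if policy.max_password_age is None:
        return "ok"
    expires_at = ctx.password_set_at + timedelta(days=policy.max_password_age)
    if ctx.now >= expires_at:
        return "change-required"
    remaining = expires_at - ctx.now
    if policy.advance_warning is not None and remaining <= timedelta(days=policy.advance_warning):
        return f"warning:{remaining.days}"
    return "ok"
```

The exempt branch is the one worth auditing: an account that is normally used through RADIUS, TACACS+, LDAP or an SSH key can carry an expired or never-changed local password indefinitely, so a local password that is also valid for a mapped remote user should be treated as a separate credential with its own review.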
aaa authorization certificate map-ldap enable Enables the LDAP server to map a remote user to a local user account for certificate authentication. The LDAP server is used to authorize users that are already authenticated using the X.509 certificate. For details about configuring LDAP authorization for certificate authentication, refer to the "Configuring CAC for Certificate Authentication" appendix of the System Administration Guide.
Syntax [no] aaa authorization certificate map-ldap enable
Parameters no
Use the no form of this command to disable LDAP mapping for certificate authentication.
Example The following example shows how to enable the LDAP server to map a remote user to a local user account for certificate authentication. hostname (config) # aaa authorization certificate map-ldap enable
User Role Administrator
Command Mode Configuration
Release Information This command was introduced as follows:
CM Series: Release 7.9.1
NX Series: Release 7.9.1
VX Series: Release 7.9.1
Related Commands For a list of related commands, see CAC Commands on page 67.
aaa authorization certificate map-ldap match-cert-field x509-cert-san-email Configures an email address in the Subject Alternative Name (SAN) field of the certificate to match against the LDAP field. You are allowed to have multiple SAN subfields. Use the no aaa authorization certificate map-ldap match-cert-field command to reset the matched certificate field to use the default x509-cert-san-upn attribute. For details about configuring user attributes for the X.509 certificates, refer to the "Configuring CAC for Certificate Authentication" appendix of the System Administration Guide.
Syntax aaa authorization certificate map-ldap match-cert-field x509-cert-san-email
no aaa authorization certificate map-ldap match-cert-field
Parameters None
Example The following example shows how to configure an email address in the SAN field of the certificate to match the LDAP field. hostname (config) # aaa authorization certificate map-ldap match-cert-field x509-cert-san-email
User Role Administrator
Command Mode Configuration
Release Information This command was introduced as follows:
CM Series: Release 7.9.1
NX Series: Release 7.9.1
VX Series: Release 7.9.1
Related Commands For a list of related commands, see CAC Commands on page 67.
aaa authorization certificate map-ldap match-cert-field x509-cert-san-email-username Configures the user name of an email address without the domain name in the certificate to match against the LDAP field. Use the no aaa authorization certificate map-ldap match-cert-field command to reset the matched certificate field to use the default x509-cert-san-upn attribute. For details about configuring user attributes for the X.509 certificates, refer to the "Configuring CAC for Certificate Authentication" appendix of the System Administration Guide.
Syntax aaa authorization certificate map-ldap match-cert-field x509-cert-san-email-username
no aaa authorization certificate map-ldap match-cert-field
Parameters None
Example The following example configures the user name portion of the email address (without the domain name) in the certificate to match the LDAP field. hostname (config) # aaa authorization certificate map-ldap match-cert-field x509-cert-san-email-username
User Role Administrator
Command Mode Configuration
Release Information This command was introduced as follows:
CM Series: Release 7.9.1
NX Series: Release 7.9.1
VX Series: Release 7.9.1
Related Commands For a list of related commands, see CAC Commands on page 67.
aaa authorization certificate map-ldap match-cert-field x509-cert-san-upn Configures the User Principal Name (UPN) that is encoded in the Other Name field of the Subject Alternative Name (SAN) field to match against the LDAP field. The default is the x509-cert-san-upn attribute. Use the no aaa authorization certificate map-ldap match-cert-field command to reset the matched certificate field. For details about configuring user attributes for the X.509 certificates, refer to the "Configuring CAC for Certificate Authentication" appendix of the System Administration Guide.
Syntax aaa authorization certificate map-ldap match-cert-field x509-cert-san-upn
no aaa authorization certificate map-ldap match-cert-field
Parameters None
Example The following example shows how to configure the UPN field of the SAN field to match the LDAP field. hostname (config) # aaa authorization certificate map-ldap match-cert-field x509-cert-san-upn
User Role Administrator
Command Mode Configuration
Release Information This command was introduced as follows:
CM Series: Release 7.9.1
NX Series: Release 7.9.1
VX Series: Release 7.9.1
Related Commands For a list of related commands, see CAC Commands on page 67.
aaa authorization certificate map-ldap match-cert-field x509-cert-san-upn-username Configures the user name of the User Principal Name (UPN) field without the domain name in the certificate to match against the LDAP field. Use the no aaa authorization certificate map-ldap match-cert-field command to reset the matched certificate field to use the default x509-cert-san-upn attribute. For details about configuring user attributes for the X.509 certificates, refer to the "Configuring CAC for Certificate Authentication" appendix of the System Administration Guide.
Syntax aaa authorization certificate map-ldap match-cert-field x509-cert-san-upn-username
no aaa authorization certificate map-ldap match-cert-field
Parameters None
Example The following example configures the user name portion of the UPN (without the domain name) in the certificate to match the LDAP field. hostname (config) # aaa authorization certificate map-ldap match-cert-field x509-cert-san-upn-username
User Role Administrator
Command Mode Configuration
Release Information This command was introduced as follows:
CM Series: Release 7.9.1
NX Series: Release 7.9.1
VX Series: Release 7.9.1
Related Commands For a list of related commands, see CAC Commands on page 67.
aaa authorization certificate map-ldap match-cert-field x509-cert-subject Configures the subject field of the X.509 certificate to match against the LDAP field. The subject is the Distinguished Name (DN), an X.509 structure in which each entry has a unique identifier. Use the no aaa authorization certificate map-ldap match-cert-field command to reset the matched certificate field to use the default x509-cert-san-upn attribute. For details about configuring user attributes for the X.509 certificates, refer to the "Configuring CAC for Certificate Authentication" appendix of the System Administration Guide.
Syntax aaa authorization certificate map-ldap match-cert-field x509-cert-subject
no aaa authorization certificate map-ldap match-cert-field
Parameters None
Example The following example shows how to configure the name of the subject field in the X.509 certificate to match the LDAP field. hostname (config) # aaa authorization certificate map-ldap match-cert-field x509-cert-subject
User Role Administrator
Command Mode Configuration
Release Information This command was introduced as follows:
222
l
CM Series: Release 7.9.1
l
NX Series: Release 7.9.1
l
VX Series: Release 7.9.1
© 2016 FireEye
Release 7.9
aaa authorization certificate map-ldap match-cert-field x509-cert-subject
Related Commands For a list of related commands, see CAC Commands on page 67.
aaa authorization certificate map-ldap match-cert-field x509-cert-subject-cn
Configures the Common Name (CN) attribute of the subject DN in the X.509 certificate as the certificate field to match against the LDAP field. Use the no aaa authorization certificate map-ldap match-cert-field command to reset the matched certificate field to the default x509-cert-san-upn attribute. For details about configuring user attributes for the X.509 certificates, refer to the "Configuring CAC for Certificate Authentication" appendix of the System Administration Guide.

Syntax
aaa authorization certificate map-ldap match-cert-field x509-cert-subject-cn
no aaa authorization certificate map-ldap match-cert-field

Parameters
None

Example
The following example shows how to configure the CN attribute of the subject DN to match the LDAP field.
hostname (config) # aaa authorization certificate map-ldap match-cert-field x509-cert-subject-cn

User Role
Administrator

Command Mode
Configuration

Release Information
This command was introduced as follows:
- CM Series: Release 7.9.1
- NX Series: Release 7.9.1
- VX Series: Release 7.9.1

Related Commands
For a list of related commands, see CAC Commands on page 67.
aaa authorization certificate map-ldap match-ldap-attribute mail
Configures mail as the LDAP attribute that holds the email address to match against the configured certificate authorization field. Use the no aaa authorization certificate map-ldap match-ldap-attribute command to reset the LDAP account attribute to the default sAMAccountName attribute. For details about configuring LDAP authorization for certificate authentication, refer to the "Configuring CAC for Certificate Authentication" appendix of the System Administration Guide.

Syntax
aaa authorization certificate map-ldap match-ldap-attribute mail
no aaa authorization certificate map-ldap match-ldap-attribute

Parameters
None

Example
The following example shows how to configure mail as the LDAP attribute that holds the email address to match against the configured certificate authorization field.
hostname (config) # aaa authorization certificate map-ldap match-ldap-attribute mail

User Role
Administrator

Command Mode
Configuration

Release Information
This command was introduced as follows:
- CM Series: Release 7.9.1
- NX Series: Release 7.9.1
- VX Series: Release 7.9.1

Related Commands
For a list of related commands, see CAC Commands on page 67.
aaa authorization certificate map-ldap match-ldap-attribute sAMAccountName
Configures sAMAccountName as the LDAP attribute that holds the login name to match against the configured certificate authorization field. The default is the sAMAccountName attribute. Use the no aaa authorization certificate map-ldap match-ldap-attribute command to reset the LDAP account attribute to this default.
For details about configuring LDAP authorization for certificate authentication, refer to the "Configuring CAC for Certificate Authentication" appendix of the System Administration Guide.

Syntax
aaa authorization certificate map-ldap match-ldap-attribute sAMAccountName
no aaa authorization certificate map-ldap match-ldap-attribute

Parameters
None

Example
The following example shows how to configure sAMAccountName as the LDAP attribute that holds the login name to match against the configured certificate authorization field.
hostname (config) # aaa authorization certificate map-ldap match-ldap-attribute sAMAccountName

User Role
Administrator

Command Mode
Configuration

Release Information
This command was introduced as follows:
- CM Series: Release 7.9.1
- NX Series: Release 7.9.1
- VX Series: Release 7.9.1

Related Commands
For a list of related commands, see CAC Commands on page 67.
aaa authorization certificate map-ldap match-ldap-attribute uid
Configures uid (the LDAP user schema name) as the LDAP attribute to match against the configured certificate authorization field. Use the no aaa authorization certificate map-ldap match-ldap-attribute command to reset the LDAP account attribute to the default sAMAccountName attribute. For details about configuring LDAP authorization for certificate authentication, refer to the "Configuring CAC for Certificate Authentication" appendix of the System Administration Guide.

Syntax
aaa authorization certificate map-ldap match-ldap-attribute uid
no aaa authorization certificate map-ldap match-ldap-attribute

Parameters
None

Example
The following example shows how to configure uid as the LDAP attribute to match against the configured certificate authorization field.
hostname (config) # aaa authorization certificate map-ldap match-ldap-attribute uid

User Role
Administrator

Command Mode
Configuration

Release Information
This command was introduced as follows:
- CM Series: Release 7.9.1
- NX Series: Release 7.9.1
- VX Series: Release 7.9.1

Related Commands
For a list of related commands, see CAC Commands on page 67.
aaa authorization certificate map-ldap search-filter
Defines an LDAP search filter for certificate authentication. An administrator can define an LDAP search filter in the configuration that controls which users can log in using a certificate and then be authorized using LDAP. If the filter string contains spaces, enclose it in double quotation marks. For details about configuring LDAP authorization for certificate authentication, refer to the "Configuring CAC for Certificate Authentication" appendix of the System Administration Guide.

Syntax
[no] aaa authorization certificate map-ldap search-filter <filter_string>

Parameters
no
Use the no form of this command to remove the LDAP search filter for certificate authentication.
filter_string
LDAP search filter string for certificate authentication.

Example
The following example shows how to configure the LDAP search filter for certificate authorization.
hostname (config) # aaa authorization certificate map-ldap search-filter "(!(cn=Test Cardholder))"

User Role
Administrator

Command Mode
Configuration

Release Information
This command was introduced as follows:
- CM Series: Release 7.9.1
- NX Series: Release 7.9.1
- VX Series: Release 7.9.1

Related Commands
For a list of related commands, see CAC Commands on page 67.
aaa authorization certificate map-ldap username-override
Enables the LDAP override of the username setting that was specified with the aaa authentication certificate username command. By default, the username setting from the aaa authentication certificate username command is used. If the login is mapped to an LDAP account, an administrator can use the ldap login-attribute command to override that username setting and instead use the username from the LDAP attribute. For details about configuring LDAP authorization for certificate authentication, refer to the "Configuring CAC for Certificate Authentication" appendix of the System Administration Guide.

Syntax
[no] aaa authorization certificate map-ldap username-override

Parameters
no
Use the no form of this command to disable the LDAP override of the username setting that was specified with the aaa authentication certificate username command.

Example
The following example shows how to enable the LDAP override of the username setting that was specified with the aaa authentication certificate username command.
hostname (config) # aaa authorization certificate map-ldap username-override

User Role
Administrator

Command Mode
Configuration

Release Information
This command was introduced as follows:
- CM Series: Release 7.9.1
- NX Series: Release 7.9.1
- VX Series: Release 7.9.1

Related Commands
For a list of related commands, see CAC Commands on page 67.
aaa authorization map default-user
Use this command to specify the default local user account that a user logs in to if the user does not have a local account and is authenticated by RADIUS, TACACS+, or Active Directory via LDAP. This command does not apply to users logging in to the system using a local account.

Syntax
[no] aaa authorization map default-user <user>

Parameters
no
Removes the user account set as the default user. If no default user is specified, the system uses the admin account as the default, which allows any partially or incorrectly configured remote user to obtain admin privileges.
user
The user account to be mapped as the default user.

Examples
The following example sets the default user account to monitor.
hostname (config) # aaa authorization map default-user monitor
The following example removes the configured default local user account, which reverts the default to admin.
hostname (config) # no aaa authorization map default-user

User Role
Admin

Release Information
This command was introduced as follows:
- AX Series: Before Release 6.4
- CM Series: Before Release 6.4
- EX Series: Before Release 6.4
- FX Series: Before Release 6.4
- NX Series: Before Release 6.4
- VX Series: Release 7.9

Related Topics
For a list of related commands, see AAA Authorization Command Family on page 54.
- aaa authorization certificate map-ldap enable on page 216
- aaa authorization certificate map-ldap match-cert-field x509-cert-san-email on page 217
- aaa authorization certificate map-ldap match-cert-field x509-cert-san-email-username on page 218
- aaa authorization certificate map-ldap match-cert-field x509-cert-san-upn on page 219
- aaa authorization certificate map-ldap match-cert-field x509-cert-san-upn-username on page 221
- aaa authorization certificate map-ldap match-cert-field x509-cert-subject on page 222
- aaa authorization certificate map-ldap match-cert-field x509-cert-subject-cn on page 224
- aaa authorization certificate map-ldap match-ldap-attribute mail on page 225
- aaa authorization certificate map-ldap match-ldap-attribute sAMAccountName on page 226
- aaa authorization certificate map-ldap match-ldap-attribute uid on page 228
- aaa authorization certificate map-ldap search-filter on page 229
- aaa authorization certificate map-ldap username-override on page 231
- aaa authorization map default-user on the previous page
- aaa authorization map order on the facing page
- aaa authorization roles on page 238
- aaa authorization rules enable on page 240
- aaa authorization rules rule append tail [ ...] on page 242
- aaa authorization rules rule insert on page 246
- aaa authorization rules rule modify on page 249
- aaa authorization rules rule set on page 253
- show aaa authorization certificate on page 1345
- show aaa authorization rules on page 1347
aaa authorization map order
Use this command to specify how remote users are mapped to local user accounts and to the default user account specified by the aaa authorization map default-user command. You can specify one of three mapping behaviors when authenticating users with a remote authentication server:
- Remote First: (Default) The appliance attempts to map the local-user mapping attribute to a local account. If a local account exists, the system maps the user to that account. If no local user exists, the system maps the user to the default user specified by the aaa authorization map default-user command on page 233.
- Remote Only: The appliance attempts to map the local-user mapping attribute to a local account. If a local account exists, the system maps the user to that account. If no account exists, the system denies access to the user.
- Local Only: The system maps all users to the default user specified by the aaa authorization map default-user command on page 233.
This mapping is only used when the user is authenticated using a remote authentication server (RADIUS, TACACS+, or LDAP). It is ignored for users authenticating locally.

Syntax
[no] aaa authorization map order {remote-first | remote-only | local-only}

Parameters
no
Resets the map order to the default (remote-first).
remote-first
(Default) Sets the mapping behavior to Remote First.
remote-only
Sets the mapping behavior to Remote Only.
local-only
Sets the mapping behavior to Local Only.

Examples
The following example sets the mapping behavior to local only.
hostname (config) # aaa authorization map order local-only
The following example returns the appliance to the default mapping behavior (remote first).
hostname (config) # no aaa authorization map order

User Role
Admin
Release Information
This command was introduced as follows:
- AX Series: Before Release 6.4
- CM Series: Before Release 6.4
- EX Series: Before Release 6.4
- FX Series: Before Release 6.4
- NX Series: Before Release 6.4
- VX Series: Release 7.9

Related Topics
For a list of related commands, see AAA Authorization Command Family on page 54.
- aaa authorization certificate map-ldap enable on page 216
- aaa authorization certificate map-ldap match-cert-field x509-cert-san-email on page 217
- aaa authorization certificate map-ldap match-cert-field x509-cert-san-email-username on page 218
- aaa authorization certificate map-ldap match-cert-field x509-cert-san-upn on page 219
- aaa authorization certificate map-ldap match-cert-field x509-cert-san-upn-username on page 221
- aaa authorization certificate map-ldap match-cert-field x509-cert-subject on page 222
- aaa authorization certificate map-ldap match-cert-field x509-cert-subject-cn on page 224
- aaa authorization certificate map-ldap match-ldap-attribute mail on page 225
- aaa authorization certificate map-ldap match-ldap-attribute sAMAccountName on page 226
- aaa authorization certificate map-ldap match-ldap-attribute uid on page 228
- aaa authorization certificate map-ldap search-filter on page 229
- aaa authorization certificate map-ldap username-override on page 231
- aaa authorization map default-user on page 233
- aaa authorization map order on the previous page
- aaa authorization roles on page 238
- aaa authorization rules enable on page 240
- aaa authorization rules rule append tail [ ...] on page 242
- aaa authorization rules rule insert on page 246
- aaa authorization rules rule modify on page 249
- aaa authorization rules rule set on page 253
- show aaa authorization certificate on page 1345
- show aaa authorization rules on page 1347
aaa authorization roles
Changes the default role assigned to a new user. If no default role is defined, new users must be assigned a role before they can log in to the appliance.

Syntax
[no] aaa authorization roles default <role>

Parameters
no
Removes the default role for new users.
role
The default role assigned to a new user. By default, the following roles are available on your appliance:
- admin: Unrestricted administrative privileges
- operator: Limited administrative privileges
- monitor: Limited read-only privileges (default role)
- analyst: Malware Analyst
- auditor: Audit log access
- api_analyst: Analyst limited to Web services APIs
- api_monitor: Monitor limited to Web services APIs

Example
The following command changes the default role for new users to operator.
hostname (config) # aaa authorization roles default operator

User Role
Admin
Release Information
This command was introduced as follows:
- AX Series: Before Release 6.4
- CM Series: Before Release 6.4
- EX Series: Before Release 6.4
- FX Series: Before Release 6.4
- NX Series: Before Release 6.4
- VX Series: Release 7.9

Related Topics
For a list of related commands, see AAA Authorization Command Family on page 54.
- aaa authorization certificate map-ldap enable on page 216
- aaa authorization certificate map-ldap match-cert-field x509-cert-san-email on page 217
- aaa authorization certificate map-ldap match-cert-field x509-cert-san-email-username on page 218
- aaa authorization certificate map-ldap match-cert-field x509-cert-san-upn on page 219
- aaa authorization certificate map-ldap match-cert-field x509-cert-san-upn-username on page 221
- aaa authorization certificate map-ldap match-cert-field x509-cert-subject on page 222
- aaa authorization certificate map-ldap match-cert-field x509-cert-subject-cn on page 224
- aaa authorization certificate map-ldap match-ldap-attribute mail on page 225
- aaa authorization certificate map-ldap match-ldap-attribute sAMAccountName on page 226
- aaa authorization certificate map-ldap match-ldap-attribute uid on page 228
- aaa authorization certificate map-ldap search-filter on page 229
- aaa authorization certificate map-ldap username-override on page 231
- aaa authorization map default-user on page 233
- aaa authorization map order on page 235
- aaa authorization roles on the previous page
- aaa authorization rules enable on the next page
- aaa authorization rules rule append tail [ ...] on page 242
- aaa authorization rules rule insert on page 246
- aaa authorization rules rule modify on page 249
- aaa authorization rules rule set on page 253
- show aaa authorization certificate on page 1345
- show aaa authorization rules on page 1347
aaa authorization rules enable
Use this command to enable or disable all rules related to authorization. Disabling authorization rules does not remove the rules; they are preserved for later use if needed.

Syntax
[no] aaa authorization rules enable

Parameters
no
Disables the rules.

Example
The following command enables the authorization rules.
hostname (config) # aaa authorization rules enable

User Role
Admin

Release Information
This command was introduced as follows:
- AX Series: Before Release 6.4
- CM Series: Before Release 6.4
- EX Series: Before Release 6.4
- FX Series: Before Release 6.4
- NX Series: Before Release 6.4
- VX Series: Release 7.9

Related Topics
For a list of related commands, see AAA Authorization Command Family on page 54.
- aaa authorization certificate map-ldap enable on page 216
- aaa authorization certificate map-ldap match-cert-field x509-cert-san-email on page 217
- aaa authorization certificate map-ldap match-cert-field x509-cert-san-email-username on page 218
- aaa authorization certificate map-ldap match-cert-field x509-cert-san-upn on page 219
- aaa authorization certificate map-ldap match-cert-field x509-cert-san-upn-username on page 221
- aaa authorization certificate map-ldap match-cert-field x509-cert-subject on page 222
- aaa authorization certificate map-ldap match-cert-field x509-cert-subject-cn on page 224
- aaa authorization certificate map-ldap match-ldap-attribute mail on page 225
- aaa authorization certificate map-ldap match-ldap-attribute sAMAccountName on page 226
- aaa authorization certificate map-ldap match-ldap-attribute uid on page 228
- aaa authorization certificate map-ldap search-filter on page 229
- aaa authorization certificate map-ldap username-override on page 231
- aaa authorization map default-user on page 233
- aaa authorization map order on page 235
- aaa authorization roles on page 238
- aaa authorization rules enable on the previous page
- aaa authorization rules rule append tail [ ...] on the next page
- aaa authorization rules rule insert on page 246
- aaa authorization rules rule modify on page 249
- aaa authorization rules rule set on page 253
- show aaa authorization certificate on page 1345
- show aaa authorization rules on page 1347
aaa authorization rules rule append tail [ ...]
Creates a new rule after the highest-numbered existing rule, or at position 1 if there are no rules. This command configures rules in the local configuration that override the local user account a remote authentication server determines a remote user should use to log in to an appliance. The remote authentication server determines the local user account using one of the following methods:
- Mapping to a local user account according to the rules set by the aaa authorization map order command on page 235.
- Directly from an attribute in the remote authentication server's response.
An administrator can use the aaa authorization rules rule commands to override this mapping when the specified conditions are met. Rule criteria include the following:
- Authentication type
- Remote user name
- Local user name (before the override)
- LDAP group
- LDAP search filter
The first rule that evaluates as "true" overrides the initial mapping, and the remaining rules are not considered. If a rule contains multiple criteria, each criterion must be met before the rule itself evaluates as true. For example, if a rule specifies that the remote user name must be "alice" and that the LDAP group cannot be "group_a", the rule evaluates as true if the user is Alice, but only if she is not in Group A.

Syntax
aaa authorization rules rule append tail <rule> [<rule> ...]

Parameters
rule
A variable argument list. Each match- option is a match criterion. If a criterion lists multiple options, they are ORed, but if there are multiple criteria, they are ANDed (see the example below).
You can specify any of the arguments, in any order. However, the positive and negative forms of the same argument (for example, match-auth-method and match-not-auth-method) are mutually exclusive. With the no form of a command, the match-not argument is unnecessary because the positive form of the argument deletes both forms. A rule with no match criteria matches no users. To match all remote users, use match-auth-method remote as the only criterion. A rule that specifies no mapped local user effectively strips the user of any privileges on the system: the user is able to log in, but has no role, and can then only log out. The following options are available:
- comment: Adds a user-readable annotation that makes the rule easier to understand.
- dup-delete: Specifies that after the rule is added, any others that are exact duplicates of it (disregarding the comment) are deleted. Deleting duplicate rules prevents inadvertent modifications to the configuration.
- match-auth-method: Specifies a comma-separated list of authentication methods:
  - radius: RADIUS authentication
  - tacacs+: TACACS+ authentication
  - ldap: LDAP authentication
  - remote: Any remote authentication. The remote method is a special keyword that matches all remote authentication methods (that is, it is the same as listing all of the other four options).
  - x509-cert: X.509 certificate authentication
- match-not-auth-method: Negated form of match-auth-method.
- match-remote-username: Matches a specific remote user name.
- match-not-remote-username: Negated form of match-remote-username.
- match-mapped-local-username: Matches a specific mapped local user name.
- match-not-mapped-local-username: Negated form of match-mapped-local-username.
- match-ldap-group: Matches a specific LDAP group DN.
- match-not-ldap-group: Negated form of match-ldap-group.
- match-ldap-search-filter: Matches a specific LDAP search filter.
- map-local-user: Expresses the outcome of a matched rule. If a rule matches, the user gets the outcome specified by this parameter, and additional rules are not processed. The outcome fully overrides the result of the local user mapping performed after remote authentication, as configured by the aaa authorization map order command on page 235. The user gets the specified mapped local user, as well as the role configured locally for that user. If an unknown user (for example, a deleted user) is specified as the mapped local user and the rule matches, the user is unable to log in.
- match-x509-cert-san-email: Matches against an email address in the Subject Alternative Name field of the client X.509 certificate.
- match-x509-cert-san-email-username: Matches against the username of an email address, without the domain name, in the Subject Alternative Name field of the client X.509 certificate.
- match-x509-cert-san-upn: Matches against the User Principal Name (UPN) that is encoded in the Other Name field of the Subject Alternative Name field of the client X.509 certificate.
- match-x509-cert-san-upn-username: Matches against the username of the UPN in the Subject Alternative Name field of the client X.509 certificate.
- match-x509-cert-subject-cn: Matches against the Common Name (CN) from the subject field of the client X.509 certificate.
- match-x509-cert-subject: Matches against the subject field of the client X.509 certificate.
Each parameter mentioned above is a comma-delimited list of strings. The strings involved are either unlikely or unable to include commas; if a literal comma is needed, it may be backslash-escaped.

Examples
Each of the options beginning with match- is a match criterion. If a criterion lists multiple options, these are ORed; but if there are multiple criteria, these are ANDed. So if you ran this command:
aaa authorization rules rule append tail match-remote-username alice,bob,carol match-not-ldap-group xylophones,yurts,zucchinis
then the rule would match if:
((username == alice || username == bob || username == carol) && !(group == xylophones || group == yurts || group == zucchinis))

User Mode
Administrator
Release Information
This command was introduced as follows:
- AX Series: Before Release 6.4
- CM Series: Before Release 6.4. The x509-cert authentication method was added in Release 7.9.1. New authorization rules were added to match against the fields in the X.509 certificate in Release 7.9.1.
- EX Series: Before Release 6.4
- FX Series: Before Release 6.4
- NX Series: Before Release 6.4. The x509-cert authentication method was added in Release 7.9.1. New authorization rules were added to match against the fields in the X.509 certificate in Release 7.9.1.
- VX Series: Release 7.9. The x509-cert authentication method was added in Release 7.9.1. New authorization rules were added to match against the fields in the X.509 certificate in Release 7.9.1.

Related Commands
For a list of related commands, see AAA Authorization Command Family on page 54.
aaa authorization rules rule insert
Creates a new rule at the specified number. If another rule is already at that position, it is shifted up by one, along with the other existing rules above it.

Syntax
aaa authorization rules rule insert <rule-number> <rule> [<rule> ...]
no aaa authorization rules rule insert

Parameters
no
The no form of this command deletes the rule at the specified position. Note that the no form does not use the rule-number parameter.
rule-number
Number of the rule position at which to insert the new rule. The rules must be numbered consecutively, starting with 1. The number must be specified as 1...n+1, where n is the highest-numbered existing rule (or 0 if there are no rules).
rule
A variable argument list. Each match- option is a match criterion. If a criterion lists multiple options, they are ORed, but if there are multiple criteria, they are ANDed (see the example below). You can specify any of the arguments, in any order. However, the positive and negative forms of the same argument (for example, match-auth-method and match-not-auth-method) are mutually exclusive. With the no form of a command, the match-not argument is unnecessary because the positive form of the argument deletes both forms. A rule with no match criteria matches no users. To match all remote users, use match-auth-method remote as the only criterion. A rule that specifies no mapped local user effectively strips the user of any privileges on the system: the user is able to log in, but has no role, and can then only log out. The following options are available:
- comment: Adds a user-readable annotation that makes the rule easier to understand.
- dup-delete: Specifies that after the rule is added, any others that are exact duplicates of it (disregarding the comment) are deleted. Deleting duplicate rules prevents inadvertent modifications to the configuration.
- match-auth-method: Specifies a comma-separated list of authentication methods:
  - radius: RADIUS authentication
  - tacacs+: TACACS+ authentication
  - ldap: LDAP authentication
  - remote: Any remote authentication. The remote method is a special keyword that matches all remote authentication methods (that is, it is the same as listing all of the other four options).
  - x509-cert: X.509 certificate authentication
- match-not-auth-method: Negated form of match-auth-method.
- match-remote-username: Matches a specific remote user name.
- match-not-remote-username: Negated form of match-remote-username.
- match-mapped-local-username: Matches a specific mapped local user name.
- match-not-mapped-local-username: Negated form of match-mapped-local-username.
- match-ldap-group: Matches a specific LDAP group DN.
- match-not-ldap-group: Negated form of match-ldap-group.
- match-ldap-search-filter: Matches a specific LDAP search filter.
- map-local-user: Expresses the outcome of a matched rule. If a rule matches, the user gets the outcome specified by this parameter, and additional rules are not processed. The outcome fully overrides the result of the local user mapping performed after remote authentication, as configured by the aaa authorization map order command on page 235. The user gets the specified mapped local user, as well as the role configured locally for that user. If an unknown user (for example, a deleted user) is specified as the mapped local user and the rule matches, the user is unable to log in.
- match-x509-cert-san-email: Matches against an email address in the Subject Alternative Name field of the client X.509 certificate.
- match-x509-cert-san-email-username: Matches against the username of an email address, without the domain name, in the Subject Alternative Name field of the client X.509 certificate.
- match-x509-cert-san-upn: Matches against the User Principal Name (UPN) that is encoded in the Other Name field of the Subject Alternative Name field of the client X.509 certificate.
- match-x509-cert-san-upn-username: Matches against the username of the UPN in the Subject Alternative Name field of the client X.509 certificate.
- match-x509-cert-subject-cn: Matches against the Common Name (CN) from the subject field of the client X.509 certificate.
- match-x509-cert-subject: Matches against the subject field of the client X.509 certificate.
Each parameter mentioned above is a comma-delimited list of strings. The strings involved are either unlikely or unable to include commas; if a literal comma is needed, it may be backslash-escaped.

Examples
The following command inserts the rule match-ldap-group green at position 5:
aaa authorization rules rule insert 5 match-ldap-group green
The rule previously at position 5 is moved to position 6, and so on.
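The evaluation semantics that the append tail and insert sections describe (OR within one criterion's value list, AND across criteria, first match wins, a rule with no criteria matches nobody, a matched rule without map-local-user leaves the user with no role, backslash-escaped commas, mutually exclusive match-/match-not- forms, and the 1...n+1 position check for insert) as an added Python model; this is not FireEye code, and the user-attribute names in CRITERIA and the exact argument grammar are this example's own assumptions.

```python
# Added example (not FireEye code): a model of how 'aaa authorization rules rule'
# criteria are evaluated and how 'rule insert' renumbers, per the append tail and
# insert sections. Assumption: the user-attribute names in CRITERIA and the exact
# argument grammar are this example's own; appliance internals are not on the page.
import re
import shlex
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Remote authentication methods named on the page; "remote" expands to all of them.
AUTH_METHODS = {"radius", "tacacs+", "ldap", "x509-cert"}

# match-* keyword -> user attribute it is compared against (attribute names assumed).
CRITERIA = {
    "match-auth-method": "auth_method",
    "match-remote-username": "remote_username",
    "match-mapped-local-username": "mapped_local_username",
    "match-ldap-group": "ldap_group",
    "match-ldap-search-filter": "ldap_search_filter",
    "match-x509-cert-san-email": "x509_san_email",
    "match-x509-cert-san-email-username": "x509_san_email_username",
    "match-x509-cert-san-upn": "x509_san_upn",
    "match-x509-cert-san-upn-username": "x509_san_upn_username",
    "match-x509-cert-subject-cn": "x509_subject_cn",
    "match-x509-cert-subject": "x509_subject",
}

def split_csv(text: str) -> List[str]:
    """Split a comma-delimited list; a backslash-escaped comma stays a literal comma."""
    return [part.replace("\\,", ",") for part in re.split(r"(?<!\\),", text)]

@dataclass
class Rule:
    criteria: Dict[str, Tuple[Set[str], bool]] = field(default_factory=dict)  # attr -> (values, negated)
    map_local_user: Optional[str] = None
    comment: Optional[str] = None

def parse_rule(arguments: str) -> Rule:
    """Parse the argument list that follows 'rule append tail' or 'rule insert <n>'."""
    tokens, rule, i = shlex.split(arguments), Rule(), 0
    while i < len(tokens):
        key = tokens[i]
        if key == "dup-delete":  # flag without a value; duplicate removal is not modelled here
            i += 1
            continue
        if i + 1 >= len(tokens):
            raise ValueError(f"{key} requires a value")
        value, i = tokens[i + 1], i + 2
        if key == "comment":
            rule.comment = value
        elif key == "map-local-user":
            rule.map_local_user = value
        else:
            negated = key.startswith("match-not-")
            positive = "match-" + key[len("match-not-"):] if negated else key
            attr = CRITERIA.get(positive)
            if attr is None:
                raise ValueError(f"unknown option {key}")
            if attr in rule.criteria:  # positive and negated forms are mutually exclusive
                raise ValueError(f"{positive} and its match-not form are mutually exclusive")
            values = set(split_csv(value))
            if attr == "auth_method" and "remote" in values:
                values = (values - {"remote"}) | AUTH_METHODS
            rule.criteria[attr] = (values, negated)
    return rule

def rule_matches(rule: Rule, user: Dict[str, Set[str]]) -> bool:
    """Values within one criterion are ORed, criteria are ANDed; no criteria matches nobody."""
    if not rule.criteria:
        return False
    for attr, (values, negated) in rule.criteria.items():
        hit = bool(values & user.get(attr, set()))
        if hit == negated:  # a positive criterion needs a hit, a negated one needs none
            return False
    return True

def authorize(rules: List[Rule], user: Dict[str, Set[str]]) -> Tuple[Optional[int], Optional[str]]:
    """Return (number of the first matching rule or None, local account the user ends up with).

    Later rules are not considered once one matches. A match without map-local-user
    leaves the user with no account and so no role; no match keeps the initial mapping.
    """
    for number, rule in enumerate(rules, start=1):
        if rule_matches(rule, user):
            return number, rule.map_local_user
    initial = user.get("mapped_local_username", set())
    return None, (min(initial) if initial else None)

def insert_rule(rules: List[Rule], position: int, arguments: str) -> List[Rule]:
    """'rule insert <n>': n must be 1..len+1; the rule at n and those above shift up by one."""
    if not 1 <= position <= len(rules) + 1:
        raise ValueError(f"rule number must be between 1 and {len(rules) + 1}")
    rules.insert(position - 1, parse_rule(arguments))
    return rules
```

The user dictionaries passed to authorize are constructed inputs standing in for the attributes the appliance would collect from the remote authentication response and the client certificate.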
User Mode
Administrator
Release Information
This command was introduced as follows:
- AX Series: Before Release 6.4
- CM Series: Before Release 6.4. The x509-cert authentication method was added in Release 7.9.1. New authorization rules were added to match against the fields in the X.509 certificate in Release 7.9.1.
- EX Series: Before Release 6.4
- FX Series: Before Release 6.4
- NX Series: Before Release 6.4. The x509-cert authentication method was added in Release 7.9.1. New authorization rules were added to match against the fields in the X.509 certificate in Release 7.9.1.
- VX Series: Release 7.9. The x509-cert authentication method was added in Release 7.9.1. New authorization rules were added to match against the fields in the X.509 certificate in Release 7.9.1.

Related Commands
For a list of related commands, see AAA Authorization Command Family on page 54.
aaa authorization rules rule modify

Creates or modifies a rule at the specified number. If there was already a rule at that number, its old values are preserved, except where they are overwritten by new values specified in this command.
This command configures rules in the local configuration to override the local user account that a remote authentication server determines a remote user should use to log in to an appliance. The remote authentication server uses one of the following methods to determine the local user account:
- Mapping to a local user account according to rules set by the aaa authorization map order on page 235 command.
- Directly from an attribute in the remote authentication server's response.
An administrator can use the aaa authorization rules rule commands to override this mapping when the specified conditions are met. Rule criteria include the following:
- Authentication type
- Remote user name
- Local user name (before the override)
- LDAP group
- LDAP search filter
- Fields of the client X.509 certificate (for the x509-cert authentication method)
The first rule that evaluates as "true" will override the initial mapping, and the remaining rules will not be considered. If a rule contains multiple criteria, each criterion must be met before the rule itself can evaluate as true. For example, if a rule specifies that the remote user name must be "alice" and that the LDAP group cannot be "group_a", the rule will evaluate as true if the user is Alice, but only if she is not in Group A.
Syntax
aaa authorization rules rule modify <rule-number> <rule>
no aaa authorization rules rule modify <rule>

Parameters
no
The no form of this command deletes the specified criteria from the rule, or the specified rule. It does not apply to dup-delete, map-local-user, or the match-not-* options. Note that the no form does not use the rule-number parameter.
rule-number
Number of the rule to create or modify. The rules must be numbered consecutively, starting with 1. The numbers must be specified as 1...n+1, where n is the highest-numbered existing rule (or 0 if there are no rules).
rule
A variable argument list. Each match- option is a match criterion. If a criterion lists multiple values, they are ORed, but if there are multiple criteria, they are ANDed (see the example below). You can specify any of the arguments, in any order. However, the positive and negative forms of the same argument (for example, match-auth-method and match-not-auth-method) are mutually exclusive. With the no form of the command, the match-not argument is unnecessary because the positive form of the argument deletes both forms.
A rule with no match criteria matches no users. To match all remote users, use match-auth-method remote as the only criterion. A rule that specifies no mapped local user effectively strips the user of any privileges on the system: the user will be able to log in, but will have no role, and can then only log out.
The following options are available:
- comment — Adds a user-readable annotation that makes the rule easier to understand.
- dup-delete — Specifies that after the rule is added, any other rules that are exact duplicates of it (ignoring the comment) are deleted. Deleting duplicate rules prevents inadvertent modifications to the configuration.
- match-auth-method — Specifies a comma-separated list of authentication methods:
  - radius — RADIUS authentication
  - tacacs+ — TACACS+ authentication
  - ldap — LDAP authentication
  - x509-cert — X.509 certificate authentication
  - remote — Any remote authentication. The remote method is a special keyword that matches all remote authentication methods (that is, it is the same as listing the other four options).
- match-not-auth-method
- match-remote-username — Matches a specific remote user name.
- match-not-remote-username
- match-mapped-local-username — Matches a specific mapped local user name.
- match-not-mapped-local-username
- match-ldap-group — Matches a specific LDAP group DN.
- match-not-ldap-group
- match-ldap-search-filter search — Matches a specific LDAP search filter.
- map-local-user — Expresses the outcome of a matched rule. If a rule matches, the user gets the outcome specified by this parameter, and additional rules are not processed. The outcome fully overrides the results of the local user mapping performed after remote authentication, as configured by the aaa authorization map order on page 235 command. The user gets the specified mapped local user, as well as the role configured locally for that user. If an unknown user (for example, a deleted user) is specified as the mapped local user and the rule matches, the user will be unable to log in.
- match-x509-cert-san-email — Matches against an email address in the Subject Alternative Name field of the client X.509 certificate.
- match-x509-cert-san-email-username — Matches against the username portion (the part before the domain name) of an email address in the Subject Alternative Name field of the client X.509 certificate.
- match-x509-cert-san-upn — Matches against the User Principal Name (UPN) that is encoded in the Other Name field of the Subject Alternative Name in the client X.509 certificate.
- match-x509-cert-san-upn-username — Matches against the username portion of the UPN in the Subject Alternative Name field of the client X.509 certificate.
- match-x509-cert-subject-cn — Matches against the Common Name (CN) from the subject field of the client X.509 certificate.
- match-x509-cert-subject — Matches against the subject field in the client X.509 certificate.
Each parameter mentioned above is a comma-delimited list of strings. The strings themselves rarely (or cannot) contain commas; if a literal comma is needed, escape it with a backslash. An LDAP group DN does contain commas, so escape each comma in a DN given to match-ldap-group or match-not-ldap-group.
Examples
The following modifies the rule in the 12th position to match any authentication method that is not RADIUS or LDAP:
aaa authorization rules rule modify 12 match-not-auth-method radius,ldap
User Mode Administrator
Release Information
This command was introduced as follows:
- AX Series: Before Release 6.4
- CM Series: Before Release 6.4. The x509-cert authentication method and the authorization rules that match fields of the X.509 certificate were added in Release 7.9.1.
- EX Series: Before Release 6.4
- FX Series: Before Release 6.4
- NX Series: Before Release 6.4. The x509-cert authentication method and the authorization rules that match fields of the X.509 certificate were added in Release 7.9.1.
- VX Series: Release 7.9. The x509-cert authentication method and the authorization rules that match fields of the X.509 certificate were added in Release 7.9.1.
Related Commands For a list of related commands, see: AAA Authorization Command Family on page 54.
aaa authorization rules rule set

Creates a new rule at the specified number. If there was already a rule at that number, it is replaced.
This command configures rules in the local configuration to override the local user account that a remote authentication server determines a remote user should use to log in to an appliance. The remote authentication server uses one of the following methods to determine the local user account:
- Mapping to a local user account according to rules set by the aaa authorization map order on page 235 command.
- Directly from an attribute in the remote authentication server's response.
An administrator can use the aaa authorization rules rule commands to override this mapping when the specified conditions are met. Rule criteria include the following:
- Authentication type
- Remote user name
- Local user name (before the override)
- LDAP group
- LDAP search filter
- Fields of the client X.509 certificate (for the x509-cert authentication method)
The first rule that evaluates as "true" will override the initial mapping, and the remaining rules will not be considered. If a rule contains multiple criteria, each criterion must be met before the rule itself can evaluate as true. For example, if a rule specifies that the remote user name must be "alice" and that the LDAP group cannot be "group_a", the rule will evaluate as true if the user is Alice, but only if she is not in Group A.
Syntax
aaa authorization rules rule set <rule-number> <rule>
no aaa authorization rules rule set <rule>

Parameters
no
The no form of this command deletes the specified rule. Note that the no form does not use the rule-number parameter.
rule-number
Number of the rule to create or replace. The rules must be numbered consecutively, starting with 1. The numbers must be specified as 1...n+1, where n is the highest-numbered existing rule (or 0 if there are no rules).
rule
A variable argument list. Each match- option is a match criterion. If a criterion lists multiple values, they are ORed, but if there are multiple criteria, they are ANDed (see the example below). You can specify any of the arguments, in any order. However, the positive and negative forms of the same argument (for example, match-auth-method and match-not-auth-method) are mutually exclusive. With the no form of the command, the match-not argument is unnecessary because the positive form of the argument deletes both forms.
A rule with no match criteria matches no users. To match all remote users, use match-auth-method remote as the only criterion. A rule that specifies no mapped local user effectively strips the user of any privileges on the system: the user will be able to log in, but will have no role, and can then only log out.
The following options are available:
- comment — Adds a user-readable annotation that makes the rule easier to understand.
- dup-delete — Specifies that after the rule is added, any other rules that are exact duplicates of it (ignoring the comment) are deleted. Deleting duplicate rules prevents inadvertent modifications to the configuration.
- match-auth-method — Specifies a comma-separated list of authentication methods:
  - radius — RADIUS authentication
  - tacacs+ — TACACS+ authentication
  - ldap — LDAP authentication
  - x509-cert — X.509 certificate authentication
  - remote — Any remote authentication. The remote method is a special keyword that matches all remote authentication methods (that is, it is the same as listing the other four options).
- match-not-auth-method
- match-remote-username — Matches a specific remote user name.
- match-not-remote-username
- match-mapped-local-username — Matches a specific mapped local user name.
- match-not-mapped-local-username
- match-ldap-group — Matches a specific LDAP group DN.
- match-not-ldap-group
- match-ldap-search-filter search — Matches a specific LDAP search filter.
- map-local-user — Expresses the outcome of a matched rule. If a rule matches, the user gets the outcome specified by this parameter, and additional rules are not processed. The outcome fully overrides the results of the local user mapping performed after remote authentication, as configured by the aaa authorization map order on page 235 command. The user gets the specified mapped local user, as well as the role configured locally for that user. If an unknown user (for example, a deleted user) is specified as the mapped local user and the rule matches, the user will be unable to log in.
- match-x509-cert-san-email — Matches against an email address in the Subject Alternative Name field of the client X.509 certificate.
- match-x509-cert-san-email-username — Matches against the username portion (the part before the domain name) of an email address in the Subject Alternative Name field of the client X.509 certificate.
- match-x509-cert-san-upn — Matches against the User Principal Name (UPN) that is encoded in the Other Name field of the Subject Alternative Name in the client X.509 certificate.
- match-x509-cert-san-upn-username — Matches against the username portion of the UPN in the Subject Alternative Name field of the client X.509 certificate.
- match-x509-cert-subject-cn — Matches against the Common Name (CN) from the subject field of the client X.509 certificate.
- match-x509-cert-subject — Matches against the subject field in the client X.509 certificate.
Each parameter mentioned above is a comma-delimited list of strings. The strings themselves rarely (or cannot) contain commas; if a literal comma is needed, escape it with a backslash. An LDAP group DN does contain commas, so escape each comma in a DN given to match-ldap-group or match-not-ldap-group.
Examples
The following replaces the 9th rule with match-ldap-group blue,green and deletes any preexisting duplicates of this rule:
aaa authorization rules rule set 9 match-ldap-group blue,green dup-delete
The following deletes the matching authentication-method criteria:
no aaa authorization rules rule set match-auth-method
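The rule semantics spelled out for the insert, modify and set commands above (first match wins, values within one criterion ORed, criteria within a rule ANDed, positive and negative forms mutually exclusive, consecutive numbering, an unknown mapped local user refusing the login) interact in ways that are easy to get wrong once more than a couple of rules exist. The following Python model is an added example, not FireEye code: it parses set/insert commands, replays them into an ordered rule list and evaluates constructed sessions against it, so a rule set can be sanity-checked before it is typed into an appliance. Everything in it is an assumption or constructed input: the command parser uses shlex-style quoting (the appliance's own quoting rules are not documented here), session attributes are plain lists of strings where a real session would carry values from the authentication server or the client certificate, the local user list and the LDAP group DN are made up, comment is accepted and ignored, dup-delete is not modelled, and match-ldap-search-filter is reduced to a literal string comparison.

```python
import re, shlex
CRITERIA = {"match-" + k for k in (
    "auth-method", "remote-username", "mapped-local-username", "ldap-group",
    "ldap-search-filter", "x509-cert-san-email", "x509-cert-san-email-username",
    "x509-cert-san-upn", "x509-cert-san-upn-username", "x509-cert-subject-cn",
    "x509-cert-subject")}
CRITERIA |= {"match-not-" + k for k in (          # only these four have a documented not-form
    "auth-method", "remote-username", "mapped-local-username", "ldap-group")}
REMOTE_METHODS = {"radius", "tacacs+", "ldap", "x509-cert"}   # what 'remote' expands to

def split_list(value):
    """Split on commas that are not backslash-escaped, then unescape the rest."""
    return [s.replace("\\,", ",") for s in re.split(r"(?<!\\),", value)]

def parse_rule(cmd):
    """Parse 'aaa authorization rules rule {set|insert} <n> <rule>' into a dict."""
    t = shlex.split(cmd)
    if t[:4] != ["aaa", "authorization", "rules", "rule"] or t[4] not in ("set", "insert"):
        raise ValueError("not a rule set/insert command: " + cmd)
    rule = {"verb": t[4], "number": int(t[5]), "criteria": {}, "map": None}
    for i in range(6, len(t), 2):                 # every option used here takes one argument
        opt, arg = t[i], t[i + 1]
        if opt == "map-local-user":
            rule["map"] = arg
        elif opt in CRITERIA:
            rule["criteria"][opt] = split_list(arg)
        elif opt != "comment":                    # comment is an annotation, never matched
            raise ValueError("unknown option " + opt)
    for opt in rule["criteria"]:                  # positive and negative forms are exclusive
        if opt.startswith("match-not-") and "match-" + opt[10:] in rule["criteria"]:
            raise ValueError(opt + " conflicts with its positive form")
    return rule

def build_rules(commands):
    """Replay set/insert commands in order; list index + 1 is the rule number."""
    rules = []
    for cmd in commands:
        rule = parse_rule(cmd)
        n = rule["number"]
        if not 1 <= n <= len(rules) + 1:          # numbering must stay consecutive
            raise ValueError("rule number must be in 1..%d" % (len(rules) + 1))
        if rule["verb"] == "insert" or n > len(rules):
            rules.insert(n - 1, rule)             # insert shifts later rules down by one
        else:
            rules[n - 1] = rule                   # set replaces the rule at that number
    return rules

def criterion_matches(opt, wanted, session):
    """Values listed for one criterion are ORed; match-not-* inverts the result."""
    negate = opt.startswith("match-not-")
    key = opt[10:] if negate else opt[6:]
    have = session.get(key, [])
    if key.startswith("x509-cert-san-") and key.endswith("-username"):
        have = [v.split("@", 1)[0] for v in session.get(key[:-9], [])]   # drop '@' and domain
    hit = any(v in have or (key == "auth-method" and v == "remote" and set(have) & REMOTE_METHODS)
              for v in wanted)
    return hit != negate

def authorize(rules, session, local_users):
    """First matching rule wins; a rule's criteria are ANDed and an empty rule matches nobody.
    Returns (local_user, role, rule_number); local_user None means the login is refused."""
    initial = session["mapped-local-username"][0]
    for number, rule in enumerate(rules, 1):
        crit, target = rule["criteria"], rule["map"]
        if crit and all(criterion_matches(o, v, session) for o, v in crit.items()):
            if target is None:                    # matched without map-local-user: no role
                return (initial, None, number)
            if target not in local_users:         # unknown (e.g. deleted) local user
                return (None, None, number)
            return (target, local_users[target], number)
    return (initial, local_users.get(initial), None)   # nothing matched: initial mapping stands

# Constructed sample data (not from the page); every session attribute is a list of strings.
LOCAL_USERS = {"admin": "admin", "analyst": "analyst", "operator": "operator"}
SOC_DN = "cn=soc-analysts,ou=groups,dc=example,dc=com"
SOC_ARG = "'" + SOC_DN.replace(",", "\\,") + "'"   # DN commas escaped; quotes survive shlex
COMMANDS = [
    "aaa authorization rules rule set 1 match-auth-method x509-cert "
    "match-x509-cert-san-upn-username alice map-local-user admin comment 'CAC admin'",
    "aaa authorization rules rule set 2 match-auth-method ldap match-ldap-group "
    + SOC_ARG + " map-local-user analyst",
    "aaa authorization rules rule set 3 match-auth-method remote match-not-ldap-group "
    + SOC_ARG + " map-local-user nobody",
    "aaa authorization rules rule insert 1 match-auth-method radius,tacacs+ "
    "match-remote-username break-glass map-local-user admin",
]
SESSIONS = {
    "alice": {"auth-method": ["x509-cert"], "mapped-local-username": ["alice"],
              "x509-cert-san-upn": ["alice@corp.example.com"]},
    "bob": {"auth-method": ["ldap"], "mapped-local-username": ["bob"], "ldap-group": [SOC_DN]},
    "carol": {"auth-method": ["ldap"], "mapped-local-username": ["carol"],
              "ldap-group": ["cn=staff,dc=example,dc=com"]},
    "eve": {"auth-method": ["radius"], "remote-username": ["break-glass"],
            "mapped-local-username": ["operator"]},
}

def run_demo():
    rules = build_rules(COMMANDS)
    return {name: authorize(rules, s, LOCAL_USERS) for name, s in SESSIONS.items()}
```

Calling run_demo() shows the precedence at work: alice is mapped to admin by rule 2 (the break-glass rule inserted at position 1 pushed the CAC rule down, exactly as the insert example describes), bob by rule 3, eve by rule 1, and carol's login is refused by rule 4 because the catch-all rule deliberately maps every other remote user to a local account that does not exist, which is the documented outcome for an unknown mapped user. The DN also shows why the comma-escaping rule matters: without the backslashes, match-ldap-group would receive four separate values and the group would never match.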
User Mode Administrator
Release Information
This command was introduced as follows:
- AX Series: Before Release 6.4
- CM Series: Before Release 6.4. The x509-cert authentication method and the authorization rules that match fields of the X.509 certificate were added in Release 7.9.1.
- EX Series: Before Release 6.4
- FX Series: Before Release 6.4
- NX Series: Before Release 6.4. The x509-cert authentication method and the authorization rules that match fields of the X.509 certificate were added in Release 7.9.1.
- VX Series: Release 7.9. The x509-cert authentication method and the authorization rules that match fields of the X.509 certificate were added in Release 7.9.1.
Related Commands For a list of related commands, see: AAA Authorization Command Family on page 54.
alerts whitelist src ip

Suppresses alerts generated from specific IP addresses by adding these IP addresses to the alert whitelist.
The alerts whitelist src ip command can be used to omit duplicate alerts. For example, when you have two NX Series appliances configured so that one scans for vulnerabilities before a proxy and the second scans for vulnerabilities after the proxy, the same IP address may be listed twice on the network. You can use this command to whitelist the IP address on the second NX Series appliance so that the IP address is only listed once on the alert screen of the UI. This command can also be used to suppress alerts for false positives. Because the whitelist is keyed on the source IP address, every alert from that address is suppressed, not only the one that prompted the change.
This command is specific to NX Series appliances. When using a CM Series appliance to manage multiple NX Series appliances, you need to log in to each individual NX Series appliance to add an IP address to that appliance's alert whitelist.
Syntax
[no] alerts whitelist src ip <ipAddress>

Parameters
no
Use the no form of this command to remove the specified IP address from the alert whitelist.
ipAddress
The source IPv4 or IPv6 address to be whitelisted.

Example
The following example adds the specified IP address to the alerts whitelist:
hostname (config) # alerts whitelist src ip 172.1.0.0
The following example removes the specified IP address from the alerts whitelist:
hostname (config) # no alerts whitelist src ip 192.168.1.1
User Role administrator, monitor, and operator
Command Mode enable and configuration
Release Information
This command was introduced as follows:
- AX Series: Before release 6.4
- EX Series: Before release 6.4
- FX Series: Before release 6.4
- HX Series: Release 2.5
- NX Series: Before release 6.4
- VX Series: Before release 6.4
Related Commands For a list of related commands, see: Alerts Command Family on page 56
analysis live check-connection

Checks end-to-end connectivity between pether2 and the Internet and, if a proxy server is configured for pether2, between the proxy server and the Internet. The appliance uses the pether2 interface if controlled live mode or URL dynamic analysis is enabled.
Do not enable controlled live mode or URL dynamic analysis until you have validated end-to-end connectivity between pether2 and the Internet and, if a proxy server is configured, between the proxy server and the Internet. To perform this validation from the CLI, use the analysis live check-connection command in configure mode.
Syntax
analysis live check-connection

Parameters
None

Example
The following example shows that the connection between pether2 and the Internet is not configured correctly:
hostname (config) # analysis live check-connection
Data Interface not configured correctly. Download failed. Err: Timeout was reached
User Role Administrator
Command Mode Configuration
Release Information
This command was introduced as follows:
- EX Series: Release 7.8
Related Commands For a list of related commands, see Analysis Commands on page 57 and EX Series Commands on page 137.
analysis live default-gateway ip

Configures the IPv4 address of the default gateway for pether2. The appliance uses the pether2 interface if controlled live mode or URL dynamic analysis is enabled.
Syntax
[no] analysis live default-gateway ip <ipAddress>

Parameters
ipAddress
IPv4 address of the default gateway for pether2. Although FireEye recommends that you keep the pether2 interface logically separate from the main network traffic, this default gateway can be the same gateway used by the appliance itself.
no
Use the no form of the command to clear the default gateway IP address.

Example
The following example specifies that the default gateway for pether2 is at 172.16.1.1:
hostname (config) # analysis live default-gateway ip 172.16.1.1
User Role Administrator
Command Mode Configuration
Release Information
This command was introduced as follows:
- EX Series: Release 7.8
Related Commands For a list of related commands, see Analysis Commands on page 57 and EX Series Commands on page 137.
analysis live external ip

Configures the external IPv4 address and subnet mask or mask length of the pether2 data interface. The appliance uses the pether2 interface if controlled live mode or URL dynamic analysis is enabled. You must also configure the default gateway and DNS name server for pether2.
Syntax
[no] analysis live external ip <ipAddress> <mask>

Parameters
ipAddress
External IPv4 address for the pether2 data interface.
mask
IPv4 subnet mask or mask length (such as 255.255.255.0 or /24) of the pether2 data interface.
no
Use the no form of the command to clear the pether2 IP address and mask.

Example
The following example configures the pether2 interface with the IPv4 address 172.16.0.0 and a /24 mask:
hostname (config) # analysis live external ip 172.16.0.0 255.255.255.0
User Role Administrator
Command Mode Configuration
Release Information
This command was introduced as follows:
- EX Series: Release 7.8
Related Commands For a list of related commands, see Analysis Commands on page 57 and EX Series Commands on page 137.
analysis live http-proxy

Specifies the IPv4 address and port number of the optional proxy server for pether2. The appliance uses the pether2 interface if controlled live mode or URL dynamic analysis is enabled. If a proxy server is configured for pether2, the connectivity test checks the connectivity between pether2 and the Internet through the proxy server.
Syntax
[no] analysis live http-proxy <host> <port>

Parameters
host
Fully qualified domain name (FQDN) or IPv4 address of the proxy server for pether2.
port
Port number that the proxy server uses for client connections.
no
Use the no form of the command to clear the proxy address and port number.

Example
The following example specifies that pether2 connects to the Internet through port 8080 of the proxy server www.lagado.com:
hostname (config) # analysis live http-proxy www.lagado.com 8080
The following example specifies that pether2 connects to the Internet through the proxy server at IPv4 address 172.18.0.0, port 8080:
hostname (config) # analysis live http-proxy 172.18.0.0 8080
User Role Administrator
Command Mode Configuration
Release Information
This command was introduced as follows:
- EX Series: Release 7.8

Related Commands
For a list of related commands, see Analysis Commands on page 57 and EX Series Commands on page 137.
analysis live nameserver ip

Configures the IPv4 address of the Domain Name System (DNS) name server for pether2. The appliance uses the pether2 interface if controlled live mode or URL dynamic analysis is enabled.
Syntax
[no] analysis live nameserver ip <ipAddress>

Parameters
ipAddress
IPv4 address of the DNS server for the pether2 data interface.
no
Use the no form of the command to clear the name server IP address.

Example
The following example specifies the DNS name server for pether2 at IPv4 address 172.17.1.1:
hostname (config) # analysis live nameserver ip 172.17.1.1
User Role Administrator
Command Mode Configuration
Release Information
This command was introduced as follows:
- EX Series: Release 7.8
Related Commands For a list of related commands, see Analysis Commands on page 57 and EX Series Commands on page 137.
analysis live proxy-authentication

Configures proxy authentication credentials if the traffic between pether2 and the Internet goes through an optional proxy server. The appliance uses the pether2 interface if controlled live mode or URL dynamic analysis is enabled. If a proxy server is configured for pether2, the connectivity test checks the connectivity between pether2 and the Internet through the proxy server.
Syntax
[no] analysis live proxy-authentication <username> <password>

Parameters
username
Username used to authenticate with the proxy server used for pether2.
password
Password used to authenticate with the proxy server used for pether2.
no
Use the no form of the command to clear proxy authentication for pether2.

Example
The following example shows how to configure the proxy authentication settings for controlled live mode or URL dynamic analysis:
hostname (config) # analysis live proxy-authentication admin123 abcdefgh
User Role Administrator
Command Mode Configuration
Release Information
This command was introduced as follows:
- EX Series: Release 7.8
Related Commands For a list of related commands, see Analysis Commands on page 57 and EX Series Commands on page 137.
arp

Creates a static ARP entry that links an IP address to a MAC address on the FireEye appliance. ARP is a dynamic protocol: IP-to-MAC address mappings are normally learned automatically and stored in the ARP cache. There are times, however, when it is useful to add static entries directly to the FireEye appliance. For example, dynamic IP-to-MAC address mapping does not occur across subnets, which prevents Ethernet communication across subnets. Proxy Address Resolution Protocol (Proxy ARP), defined by RFC 1027, provides a means to bridge subnet gateways using static entries. These static entries are added to the ARP cache and provide the means to communicate across the subnets.
Syntax
arp <ipAddress> <macAddress>
no arp <ipAddress>

Parameters
no
Use the no form of this command to remove the static entry. This command cannot be used to remove dynamic ARP entries; to remove dynamic ARP entries, use the clear arp-cache command.
ipAddress
The IP address of the device you are adding to the ARP cache.
macAddress
The MAC address of the device you are adding to the ARP cache.

Example
The following example adds a static entry for a device with the IP address 192.168.0.1 and the MAC address 00:00:10:AA:AA:00:
arp 192.168.0.1 00:00:10:AA:AA:00
The following example removes the static entry for the device with the IP address 192.168.0.1:
no arp 192.168.0.1
User Role Administrator
Command Mode Configuration
Release Information
- AX Series: Before release 6.4
- CM Series: Before release 6.4
- EX Series: Before release 6.4
- FX Series: Before release 6.4
- HX Series: Release 2.5
- NX Series: Before release 6.4
Related Topics For a list of related commands, see: ARP Command Family on page 60.
ati auto-update enable

Enables or disables automatic updates to Advanced Threat Intelligence (ATI) alerts on an ATI-enabled EX Series appliance, ATI-enabled NX Series appliance, or ATI-enabled CM Series platform. For managed EX Series or NX Series appliances, you must run this command remotely from the command line of an integrated FireEye CM Series platform using the central management platform proxying mechanism.
This command is available only on an appliance that is installed with a two-way sharing CONTENT_UPDATES license with ATI support. When you install this license, the ATI feature itself and automatic updates to ATI alerts are enabled by default. For managed EX Series or NX Series appliances, you configure ATI settings from the CLI of the CM Series platform. Use the show ati status on page 1361 command to display the status of the ATI feature.
For more information about ATI, see the EX Series Threat Management Guide or the NX Series User Guide.
Syntax
[no] ati auto-update enable

Parameters
no
Use the no form of this command to disable automatic updates to ATI alerts.

Examples
The following example enables automatic updates to ATI alerts on the appliance:
hostname (config) # ati auto-update enable
The following example disables automatic updates to ATI alerts on the appliance:
hostname (config) # no ati auto-update enable
User Role Administrator or Analyst
Command Mode Configuration
Release Information
This command was introduced as follows:
- CM Series: Release 7.5
- EX Series: Release 7.6
- NX Series: Release 7.5
Related Commands For a list of related commands, see Advanced Threat Intelligence Commands on page 55.
ati enable

Enables or disables the Advanced Threat Intelligence (ATI) feature on an EX Series appliance, NX Series appliance, or CM Series platform. For managed EX Series or NX Series appliances, you must run this command remotely from the command line of an integrated FireEye CM Series platform using the central management platform proxying mechanism.
This command is available only on an appliance that is installed with a two-way sharing CONTENT_UPDATES license with ATI support. When you install this license, the ATI feature itself and automatic updates to ATI alerts are enabled by default. For managed EX Series or NX Series appliances, you configure ATI settings from the CLI of the CM Series platform. Use the show ati status on page 1361 command to display the status of the ATI feature.
For more information about ATI, see the EX Series Threat Management Guide or the NX Series User Guide.
Syntax
[no] ati enable

Parameters
no
Use the no form of this command to disable the ATI feature.

Examples
The following example enables ATI on the appliance:
hostname (config) # ati enable
The following example disables ATI on the appliance:
hostname (config) # no ati enable
User Role Administrator or Analyst
Command Mode Configuration
Release Information
This command was introduced as follows:
- CM Series: Release 7.4
- EX Series: Release 7.6
- NX Series: Release 7.5
Related Commands For a list of related commands, see Advanced Threat Intelligence Commands on page 55.
av-suite enable

Use this command to enable FireEye's AV-Suite analysis tool. Once enabled, no other configuration is required.
With AV-Suite integration, each infection binary is submitted by the appliance to the AV-Suite detection and comparison tool, which determines whether antivirus vendors were able to detect the malware that was captured and analyzed by FireEye. The results of the AV-Suite assessment are displayed on the appliance Web UI results page.
AV-Suite analysis is enabled by default. AV-Suite analysis is only available to customers using a two-way license.
Syntax
[no] av-suite enable

Parameters
no
Use the no form of this command to disable the AV-Suite integration tool.

Example
The following example enables AV-Suite integration:
hostname (config) # av-suite enable
User Role Administrator and Operator
Command Mode Configuration
Release Information
This command was introduced as follows:
- AX Series: Before Release 6.4. Command deprecated in Release 7.7 and later releases.
- EX Series: Before Release 6.4
- FX Series: Before Release 6.4. Command deprecated in Release 7.7 and later releases.
- NX Series: Before Release 6.4. Command deprecated in Release 7.7 and later releases.
Related Commands For a list of related commands, see AV Suite Command Family on page 61.
backup cancel

Cancels a backup that is in progress. When you cancel a currently running backup operation, the software finishes the current step before canceling the operation.

Syntax
backup cancel

Parameters
None

Example
The following example cancels the backup that is currently running:
hostname (config) # backup cancel

User Role
admin

Command Mode
configuration

Release Information
- AX Series: Release 7.7
- CM Series: Release 7.5
- EX Series: Release 7.6
- FX Series: Release 7.7
- HX Series: Release 2.5
- NX Series: Release 7.5

Related Commands
For a list of commands, see the Backup Command Family on page 62.
backup delete from name

This command deletes backup files located on the device's local drive or an attached USB drive.
Syntax
backup delete from <location> name <backupName>

Parameters
location
The drive where the backup file is located. Choose one of the following options:
- local — The appliance local drive
- usb — A USB drive attached to the appliance
backupName
The backup (.febkp) file to delete.

Example
The following example deletes a backup file that resides locally on the appliance:
hostname (config) # backup delete from local name CMS-Config-7.5.0-NX900-20141021135859.febkp
User Role Admin
Command Mode configuration
Release Information
- AX Series: Release 7.7
- CM Series: Release 7.5
- EX Series: Release 7.6
- FX Series: Release 7.7
- HX Series: Release 2.5
- NX Series: Release 7.5
Related Commands For a list of commands, see the Backup Command Family on page 62
backup profile to

This command backs up your appliance according to one of the profiles listed below. When backing up your appliance, you can choose the following profiles (options):
- config – Performs a backup of the appliance configuration
- fedb – Performs a backup of the fedb database
- config+fedb – Performs a backup of the appliance configuration and the fedb database
- full – Performs a full backup of the appliance software
You can choose to back up your appliance to the following locations:
- local – On the appliance's local drive
- usb – On a USB device attached to your local machine
- url – To a remote location using the secure copy protocol (SCP). To back up the appliance to a remote location, the remote location must be on the same subnet or otherwise directly accessible from the appliance.
The file save location must have sufficient space to save the backup file. You cannot proceed with the backup operation if there is not enough space at the file save location.

Syntax
backup profile <profileName> to <location> [no-encryption] [prefix <prefix>] [progress {track | notrack}]
Parameters profileName
The profile used to back up the appliance data. The following profiles are available:
- config – Backs up the configuration database and appliance-specific data.
- fedb – Backs up the FireEye appliance database. This profile is not available on CM Series platforms.
- config+fedb – Backs up the configuration database, the FireEye appliance database, and appliance-specific data. This profile is not available on CM Series platforms.
- full – Backs up the configuration database, the FireEye appliance database, and detected data (malware, alerts, reports, and so on). This profile is not available on CM Series platforms.
location
Specifies the destination of the generated backup file:
- local – Saves the backup file to the local drive on the appliance.
- url – Saves the backup file to a remote location specified in the following format: scp://<username>[:<password>]@<host>/<path>
where <username> and <password> are administrator credentials on the remote server, <host> is the remote server IP address, and <path> is the directory in which the backup file is saved. If you omit the password from the command (where it would otherwise be visible in clear text), the CLI prompts for it and obfuscates the keyboard input as you type.
- usb – Saves the backup file to a USB drive attached to the appliance.
Options The following options can be included with the backup command, individually or combined in one command. For more information, see the examples below.
no-encryption
Disables encryption of the backup package. By default each backup file is signed using the appliance's public and private key pair and encrypted; encryption slows the backup operation. Backups are encrypted using static keys only.
prefix
Adds a prefix to the backup file name.
progress {notrack | track}
Overrides the default CLI setting for displaying the progress of the backup operation:
- notrack – Disables progress tracking for the backup operation.
- track – Enables progress tracking for the backup operation. Progress tracking is enabled by default. You can stop tracking with Ctrl+C; the backup operation continues in the background. Use the show backup status command to check the status of the backup operation.
Example The following example backs up the system configuration database, detected data, and artifacts to the local drive on the appliance:
hostname (config) # backup profile full to local
When the backup command is issued, you should see output similar to the following:
Step 1 of 5: Performing Sanity checks 100.0% [#################################################################]
Step 2 of 5: Backing up config db 100.0% [#################################################################]
Step 3 of 5: Backing up fedb 100.0% [#################################################################]
Step 4 of 5: Backing up Artifacts 100.0% [#################################################################]
Step 5 of 5: Generating Backup package 100.0% [#################################################################]
This example backs up the system configuration database to a remote server at the URL admin:admin@remotehost/tmp and adds the prefix remote to the file name. Because the password is part of the URL, it appears in clear text on the command line; omit it to be prompted for it instead.
hostname (config) # backup profile config to url scp://admin:admin@remotehost/tmp prefix remote
This example backs up the system configuration database to the local drive on the appliance. During the backup, encryption is disabled and progress tracking is enabled.
hostname (config) # backup profile config to local no-encryption progress track
User Role admin
Command Mode configuration
Release Information AX Series: Release 7.7 CM Series: Release 7.5 EX Series: Release 7.6 FX Series: Release 7.7 HX Series: Release 2.5 NX Series: Release 7.5
Related Commands For a list of commands, see the Backup Command Family on page 62
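An added example of assembling the backup profile command on an operator workstation and checking it against the rules this page states; it is not FireEye code, and the appliance itself does not run Python. The platform labels such as "CM" and "NX" are an assumption mirroring the Release Information lines, and the function names are hypothetical. It strips an embedded password from the scp:// URL so the CLI prompts for it instead of echoing it in clear text, rejects the fedb, config+fedb and full profiles on CM Series, and emits the options in the order the syntax line gives them.

```python
"""Builds a 'backup profile <profileName> to <location> ...' command line and
checks it against the constraints stated on this page. Added example, not
FireEye code; platform labels ('CM', 'NX', ...) are an assumption."""
from urllib.parse import urlsplit, urlunsplit

PROFILES = ("config", "fedb", "config+fedb", "full")
LOCATIONS = ("local", "usb", "url")
PROGRESS = ("track", "notrack")
# Only the config profile is available on CM Series (see the parameter list above).
CM_PROFILES = ("config",)


def strip_scp_password(url):
    """Return (url_without_password, had_password).

    A password embedded in the scp:// pseudo-URL is visible in clear text on
    the command line; removing it makes the CLI prompt for it instead."""
    parts = urlsplit(url)
    if parts.scheme != "scp":
        raise ValueError("backup URL must use the scp:// scheme, got %r" % url)
    if not parts.hostname or not parts.username or not parts.path:
        raise ValueError("expected scp://<username>[:<password>]@<host>/<path>")
    netloc = "%s@%s" % (parts.username, parts.hostname)
    if parts.port is not None:
        netloc += ":%d" % parts.port
    return urlunsplit(("scp", netloc, parts.path, "", "")), parts.password is not None


def build_backup_command(profile, location, platform, url=None, prefix=None,
                         no_encryption=False, progress=None):
    """Return (command, warnings). Raises ValueError for combinations the
    appliance would reject according to this page."""
    warnings = []
    if profile not in PROFILES:
        raise ValueError("unknown profile %r" % profile)
    if platform == "CM" and profile not in CM_PROFILES:
        raise ValueError("profile %r is not available on CM Series" % profile)
    if location not in LOCATIONS:
        raise ValueError("unknown location %r" % location)
    if progress is not None and progress not in PROGRESS:
        raise ValueError("progress must be one of %s" % (PROGRESS,))

    words = ["backup", "profile", profile, "to", location]
    if location == "url":
        if url is None:
            raise ValueError("location 'url' needs an scp:// URL")
        clean, had_password = strip_scp_password(url)
        if had_password:
            warnings.append("password removed from URL; the CLI will prompt for it")
        words.append(clean)
    elif url is not None:
        raise ValueError("url is only meaningful with location 'url'")
    # Options in the order the syntax line gives them: no-encryption, prefix, progress.
    if no_encryption:
        warnings.append("backup package will be written unencrypted")
        words.append("no-encryption")
    if prefix is not None:
        if not prefix or any(c.isspace() for c in prefix):
            raise ValueError("prefix must be a single non-empty token")
        words += ["prefix", prefix]
    if progress is not None:
        words += ["progress", progress]
    return " ".join(words), warnings


if __name__ == "__main__":
    cmd, notes = build_backup_command("config", "url", "NX",
                                      url="scp://admin:admin@remotehost/tmp",
                                      prefix="remote")
    print(cmd)
    for note in notes:
        print("warning:", note)
```

Run on the guide's own remote example, it emits backup profile config to url scp://admin@remotehost/tmp prefix remote and a warning that the password was dropped; the operator then types the password at the prompt rather than leaving it on the command line.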
banner login
Allows you to set a custom login banner. This banner is shown to users before they log in to the appliance. By default, the banner text is as follows:
Login: This system is for the use of authorized users only. Individuals using this computer system without authority, or in excess of their authority, are subject to having all of their activities on this system monitored and recorded by system personnel. In the course of monitoring individuals improperly using this system, or in the course of system maintenance, the activities of authorized users may also be monitored. Anyone using this system expressly consents to such monitoring and is advised that if such monitoring reveals possible evidence of criminal activity, system personnel may provide the evidence of such monitoring to law enforcement officials.
To customize the login text, use the following guidelines:
- The text string must start and end with quotation marks (")
- You can include multiple lines of text.
Syntax [no] banner login <text>
Parameters no
Resets the banner to the default value.
text
The text string to display before the user logs in to the appliance.
Example The following example sets a custom login banner. The > characters are the CLI's continuation prompt for a multi-line string:
hostname (config) # banner login "
>
> This FireEye appliance is the property of Acme Inc. Unauthorized access is prohibited and punishable as a criminal offense.
>
> "
The following example resets the login banner to the default value:
hostname (config) # no banner login
User Role admin and operator
Command Mode configuration
Release Information AX Series: Before Release 6.4 CM Series: Before Release 6.4 EX Series: Before Release 6.4 FX Series: Before Release 6.4 HX Series: Release 2.5 NX Series: Before Release 6.4
Related Commands For a list of commands, see the Banner Command Family on page 63.
banner login-local
Allows you to set a custom local login banner. This banner is shown to users after they log in to the appliance. The local login banner is empty by default. To customize the login-local text, use the following guidelines:
- The text string must start and end with quotation marks (")
- You can include multiple lines of text.
Syntax banner login-local <text>
Parameters text
The text string to display when the user logs in to the appliance.
Example The following example sets a custom login-local banner:
hostname (config) # banner login-local "
>
> This FireEye appliance is the property of Acme Inc. Unauthorized access is prohibited and punishable as a criminal offense.
>
> "
The following example removes a custom login-local banner by setting it to an empty string:
hostname (config) # banner login-local ""
User Role admin and operator
Command Mode configuration
Release Information AX Series: Before Release 6.4 CM Series: Before Release 6.4 EX Series: Before Release 6.4 FX Series: Before Release 6.4 HX Series: Release 2.5 NX Series: Before Release 6.4
Related Commands For a list of commands, see the Banner Command Family on page 63.
banner login-remote
Allows you to set a custom login banner for remote users. This banner is shown to users after they log in to the appliance. By default, the banner is empty. To customize the login-remote text, use the following guidelines:
- The text string must start and end with quotation marks (")
- You can include multiple lines of text.
Syntax banner login-remote <text>
Parameters text
The text string to display after the user logs in to the appliance.
Example The following example sets a custom remote login banner:
hostname (config) # banner login-remote "
>
> This FireEye appliance is the property of Acme Inc. Unauthorized access is prohibited and punishable as a criminal offense.
>
> "
The following example removes the custom remote login banner by setting it to an empty string:
hostname (config) # banner login-remote ""
User Role admin and operator
Command Mode configuration
Release Information AX Series: Before Release 6.4 CM Series: Before Release 6.4 EX Series: Before Release 6.4 FX Series: Before Release 6.4 HX Series: Release 2.5 NX Series: Before Release 6.4
Related Commands For a list of commands, see the Banner Command Family on page 63.
banner motd
Allows you to set a custom message of the day banner. This banner is shown to users after they log in to the appliance. By default, the banner text is as follows: FireEye Command Line Interface
To customize the message of the day text, use the following guidelines:
- The text string must start and end with quotation marks (")
- You can include multiple lines of text.
Syntax [no] banner motd <text>
Parameters no
Resets the banner to the default value.
text
The text to display after the user logs in.
Example The following example sets a custom message of the day:
hostname (config) # banner motd "Tip: Use 'show alerts' to view detected malware events."
User Role admin and operator
Command Mode configuration
Release Information AX Series: Before Release 6.4 CM Series: Before Release 6.4 EX Series: Before Release 6.4 FX Series: Before Release 6.4 HX Series: Release 2.5 NX Series: Before Release 6.4
Related Commands For a list of commands, see the Banner Command Family on page 63.
blacklist files auto past_hours
Sets the age-out time, in hours, for auto-generated blacklist entries (MD5 hashes of files that have already been analyzed). You can check the current value at any time with show static-analysis config on page 1912.
Syntax blacklist files auto past_hours <hours>
Parameters hours
The number of hours to keep the auto-generated blacklist entries before they age out.
Example The following example sets the age-out time to 4 hours:
hostname (config) # blacklist files auto past_hours 4
The following example sets the age-out time to 3 hours:
hostname (config) # blacklist files auto past_hours 3
User Role Administrator or Analyst
Command Mode Configuration
Release Information AX Series: Before Release 7.5 EX Series: Before Release 7.5 FX Series: Before Release 7.5 NX Series: Before Release 7.5
Related Commands show static-analysis config on page 1912
blat enable Enables Blacklisted DNS Traffic (blat) monitoring.
Syntax [no] blat enable
Parameters no
Disables blat functionality on the appliance.
Example The following example enables blat functionality. hostname (config) # blat enable
User Role admin and operator
Command Mode configuration
Release Information NX Series: Before Release 6.4
Related Commands blacklist files auto past_hours on the previous page; show blat on page 1372
boot bootmgr disable password
Use this command to disable or re-enable password-controlled access to the boot manager parameters. By default, password access is enabled. Leave it enabled unless you have a specific need: without it, anyone with console access to the appliance can change the boot parameters.
Syntax [no] boot bootmgr disable password
Parameters no
Re-enables password access to the boot manager parameters.
Example The following example disables password-controlled access to the boot manager parameters:
hostname (config) # boot bootmgr disable password
The following example re-enables password-controlled access to the boot manager parameters:
hostname (config) # no boot bootmgr disable password
User Role admin
Command Mode configuration
Release Information CM Series: 7.8 EX Series: 7.8 HX Series: 3.2 NX Series: 7.8
Related Commands For a list of commands, see the Boot Manager Command Family on page 66
boot next fallback-reboot enable
Use this command to enable or disable the fallback reboot during upgrade or downgrade activities. By default, if the appliance fails to apply the configuration during a software upgrade or downgrade, it reboots using the backup partition. The fallback reboot is always triggered when you downgrade to an older software version that has never run on the appliance before. Use the no form of this command to suppress this behavior.
Syntax [no] boot next fallback-reboot enable
Parameters no
Disables the fallback reboot behavior on the appliance.
Example The following example enables the fallback behavior (the default):
hostname (config) # boot next fallback-reboot enable
The following example disables the fallback behavior:
hostname (config) # no boot next fallback-reboot enable
User Role admin
Command Mode configuration
Release Information AX Series: Before Release 6.4 CM Series: Before Release 6.4 EX Series: Before Release 6.4 FX Series: Before Release 6.4 HX Series: Release 2.5 NX Series: Before Release 6.4
Related Commands For a list of commands, see the Boot Manager Command Family on page 66
boot system location Use this command to specify which partition the system should boot from by default. The appliance includes two boot partitions (1 and 2). By default, the appliance will always boot from partition 1. The image boot location command performs the same function as the boot system location command.
Syntax boot system location { 1 | 2 }
Parameters 1
Sets the default boot partition to 1. (default) 2
Sets the default boot partition to 2.
Example The following example sets the default boot partition to 1. (default) hostname (config) # boot system location 1
The following example sets the default boot partition to 2. hostname (config) # boot system location 2
User Role admin
Command Mode configuration
Release Information AX Series: Before Release 6.4 CM Series: Before Release 6.4 EX Series: Before Release 6.4 FX Series: Before Release 6.4 HX Series: Release 2.5 NX Series: Before Release 6.4
Related Commands For a list of commands, see the Boot Manager Command Family on page 66
boot system next Use this command to enable or disable booting the appliance from alternating boot partitions. When enabled, the appliance will boot from the alternate boot partitions. For example, if the appliance booted from boot partition 1 previously, when rebooted, the appliance will boot off of partition 2. If a fallback reboot event occurs, this behavior is suppressed unless the db-fallback parameter is used.
Syntax [no] boot system next [db-fallback]
Parameters no
Disables rebooting from alternate partitions. db-fallback
Enables rebooting from alternate partitions even when a fallback reboot event occurs.
Example The following example enables rebooting from alternate partitions. hostname (config) # boot system next
The following example disables rebooting from alternate partitions. (default) hostname (config) # no boot system next
The following example enables rebooting from alternate partitions even if a fallback reboot event occurs. hostname (config) # boot system next db-fallback
The following example disables rebooting from alternate partitions. hostname (config) # no boot system next db-fallback
User Role admin
Command Mode configuration
Release Information AX Series: Before Release 6.4 CM Series: Before Release 6.4 EX Series: Before Release 6.4 FX Series: Before Release 6.4 HX Series: Release 2.5 NX Series: Before Release 6.4
Related Commands For a list of commands, see the Boot Manager Command Family on page 66
bridge ageing-time
Sets the amount of time (in seconds) that a MAC address remains in the forwarding table. The timer starts each time the MAC address is seen; once the specified time has elapsed without the address being seen again, it is removed from the forwarding table.
Syntax [no] bridge <interface> ageing-time <time>
Parameters no
Removes the previously set ageing time.
time
Time in seconds.
Example The following example sets the ageing time on ether1 to 30 seconds:
hostname (config) # bridge ether1 ageing-time 30
The following example removes the previously set ageing time on ether2:
hostname (config) # no bridge ether2 ageing-time
User Role admin and operator
Command Mode configuration
Release Information AX Series: Before Release 6.4 EX Series: Before Release 6.4 FX Series: Before Release 6.4 NX Series: Before Release 6.4 VX Series: Release 7.9
Related Commands For a list of commands, see the Bridge Command Family on page 65.
bridge enable
Enables the bridge interface. By default, bridging is enabled when you create a bridge interface with the bridge command.
Syntax [no] bridge <interface> enable
Parameters no
Disables the bridge interface.
interface
The interface to be used as a bridge.
Example The following example enables bridging on ether1. hostname (config) # bridge ether1 enable
The following example disables bridging on ether2. hostname (config) # no bridge ether2 enable
User Role admin and operator
Command Mode configuration
Release Information AX Series: Before Release 6.4 EX Series: Before Release 6.4 FX Series: Before Release 6.4 NX Series: Before Release 6.4 VX Series: Release 7.9
Related Commands For a list of commands, see the Bridge Command Family on page 65.
bridge forward-time
Sets the forward delay interval on the bridge. This is the amount of time the interface waits after joining a bridge group before it starts to forward traffic across the bridge.
Syntax [no] bridge <interface> forward-time <time>
Parameters no
Removes the previously set forward time.
time
Time in seconds.
Example The following example sets the forward time on ether1 to 30 seconds:
hostname (config) # bridge ether1 forward-time 30
The following example removes the forward time from ether2:
hostname (config) # no bridge ether2 forward-time
User Role admin and operator
Command Mode configuration
Release Information AX Series: Before Release 6.4 EX Series: Before Release 6.4 FX Series: Before Release 6.4 NX Series: Before Release 6.4 VX Series: Release 7.9
Related Commands For a list of commands, see the Bridge Command Family on page 65.
bridge hello-time
Sets the interval between hello packet transmissions. Hello packets provide information about the bridge interface to the bridge group.
Syntax [no] bridge <interface> hello-time <time>
Parameters no
Resets the hello interval to the default.
time
Time in seconds.
Example The following example sets the ether1 hello time to 30 seconds:
hostname (config) # bridge ether1 hello-time 30
The following example returns the ether2 hello time to the default value:
hostname (config) # no bridge ether2 hello-time
User Role admin and operator
Command Mode configuration
Release Information VX Series: Release 7.9
Related Commands For a list of commands, see the Bridge Command Family on page 65.
bridge max-age
Sets the maximum time a bridge is considered active without receiving a hello message.
Syntax [no] bridge <interface> max-age <time>
Parameters no
Restores the default max-age value.
time
Time in seconds.
Example The following example sets the ether1 max-age interval to 45 seconds:
hostname (config) # bridge ether1 max-age 45
The following example returns the ether2 max-age interval to the default value:
hostname (config) # no bridge ether2 max-age
User Role admin and operator
Command Mode configuration
Release Information AX Series: Before Release 6.4 EX Series: Before Release 6.4 FX Series: Before Release 6.4 NX Series: Before Release 6.4 VX Series: Releaes 7.9
Related Commands For a list of commands, see the Bridge Command Family on page 65.
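An added example for the bridge ageing-time, hello-time, forward-time and max-age commands above; it is not FireEye code, and the appliance's own forwarding table and spanning-tree implementation are not shown in this guide. The first class models ageing as the ageing-time entry describes it: the timer restarts whenever a MAC address is seen, and the entry is dropped once ageing-time seconds pass without seeing it, after which the bridge has to flood frames for that destination. The second function checks a hello-time, max-age and forward-time set against the IEEE 802.1D relationships between the three timers; this page does not say whether the appliance enforces them, so treat it as a pre-flight check on values you are about to type. The guide's own example values (hello-time 30, max-age 45, forward-time 30) fail it. All sample values are constructed.

```python
"""Models of what the bridge timer commands configure (added example, not
FireEye code). ForwardingTable follows the ageing-time rule stated above;
check_stp_timers applies the IEEE 802.1D-1998 limits (ranges from Table 8-3,
relationships from clause 8.10.2). Whether the appliance enforces those
limits is not stated on this page."""


class ForwardingTable:
    def __init__(self, ageing_time):
        self.ageing_time = ageing_time      # seconds, as 'bridge <if> ageing-time <time>'
        self._entries = {}                  # mac -> (port, last_seen)

    def learn(self, mac, port, now):
        """Record (or refresh) the port a source MAC was last seen on."""
        self._entries[mac] = (port, now)

    def expire(self, now):
        """Drop entries not seen for ageing_time seconds; return their MACs."""
        stale = [m for m, (_, seen) in self._entries.items()
                 if now - seen >= self.ageing_time]
        for m in stale:
            del self._entries[m]
        return sorted(stale)

    def lookup(self, mac, now):
        """Port to forward to, or None when the bridge would have to flood the
        frame out of every port because the destination has aged out."""
        self.expire(now)
        entry = self._entries.get(mac)
        return entry[0] if entry else None


def check_stp_timers(hello_time, max_age, forward_time):
    """Return a list of violations (empty when the timer set is consistent)."""
    problems = []
    if not 1 <= hello_time <= 10:
        problems.append("hello-time %g outside 1..10 s" % hello_time)
    if not 6 <= max_age <= 40:
        problems.append("max-age %g outside 6..40 s" % max_age)
    if not 4 <= forward_time <= 30:
        problems.append("forward-time %g outside 4..30 s" % forward_time)
    # 802.1D: max_age >= 2*(hello_time + 1) and 2*(forward_delay - 1) >= max_age
    if max_age < 2 * (hello_time + 1):
        problems.append("max-age %g must be >= 2*(hello-time+1) = %g"
                        % (max_age, 2 * (hello_time + 1)))
    if 2 * (forward_time - 1) < max_age:
        problems.append("2*(forward-time-1) = %g must be >= max-age %g"
                        % (2 * (forward_time - 1), max_age))
    return problems


if __name__ == "__main__":
    ft = ForwardingTable(ageing_time=30)
    ft.learn("00:11:22:33:44:55", "ether1", now=0)      # constructed sample MAC
    print(ft.lookup("00:11:22:33:44:55", now=29))        # ether1
    print(ft.lookup("00:11:22:33:44:55", now=30))        # None: aged out, frame is flooded
    # The guide's own example values: hello-time 30, max-age 45, forward-time 30
    for p in check_stp_timers(30, 45, 30):
        print(p)
```

The default 802.1D set (hello 2, max-age 20, forward delay 15) passes cleanly; the guide's example values produce three findings, two out-of-range timers and a max-age smaller than 2*(hello-time+1).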
bridge priority
Sets the bridge priority. Spanning tree uses this priority when selecting the root bridge and the forwarding paths. A lower number represents a higher priority.
Syntax [no] bridge <interface> priority <priority>
Parameters no
Resets the bridge priority to the default value.
priority
The priority value. Range: -1 to 65535
Example The following example sets the bridge priority of ether1 to 60:
hostname (config) # bridge ether1 priority 60
The following example resets the bridge priority of ether2 to the default value:
hostname (config) # no bridge ether2 priority
User Role admin and operator
Command Mode configuration
Release Information AX Series: Before Release 6.4 EX Series: Before Release 6.4 FX Series: Before Release 6.4 NX Series: Before Release 6.4 VX Series: Releaes 7.9
Related Commands For a list of commands, see the Bridge Command Family on page 65.
bridge spanning-tree enable
Enables spanning tree on the specified bridge.
Syntax [no] bridge <interface> spanning-tree enable
Parameters no
Disables spanning tree.
Example The following example enables spanning tree on ether1:
hostname (config) # bridge ether1 spanning-tree enable
The following example disables spanning tree on ether2:
hostname (config) # no bridge ether2 spanning-tree enable
User Role admin and operator
Command Mode configuration
Release Information AX Series: Before Release 6.4 EX Series: Before Release 6.4 FX Series: Before Release 6.4 NX Series: Before Release 6.4 VX Series: Releaes 7.9
Related Commands For a list of commands, see the Bridge Command Family on page 65.
bridge
Defines a bridge group. Use a bridge group to place interfaces in the same broadcast domain.
Syntax [no] bridge <interface>
Parameters no
Deletes the specified bridge group.
interface
The interface on which the bridge group is created.
Example The following example creates a bridge group on ether1:
hostname (config) # bridge ether1
The following example deletes the bridge group on ether2:
hostname (config) # no bridge ether2
User Role admin and operator
Command Mode configuration
Release Information AX Series: Before Release 6.4 EX Series: Before Release 6.4 FX Series: Before Release 6.4 NX Series: Before Release 6.4 VX Series: Releaes 7.9
Related Commands For a list of commands, see the Bridge Command Family on page 65.
clear aaa authentication attempts all Clears the authentication history and unlocks all accounts.
Syntax clear aaa authentication attempts all [no-clear-history]
Parameters no-clear-history
Unlock all accounts, but do not clear the authentication history.
Example The following unlocks all accounts and clears the authentication history: hostname (config) # clear aaa authentication attempts all
The following unlocks all accounts without clearing the authentication history: hostname (config) # clear aaa authentication attempts all no-clear-history
User Role Administrator
Command Mode Configuration
Release Information This command was introduced as follows:
- AX Series: Before release 6.4
- CM Series: 7.1
- EX Series: Before release 6.4
- FX Series: Before release 6.4
- NX Series: Before release 6.4
- VX Series: 7.9
Related Commands For a list of related commands, see AAA Authentication Commands on page 52.
- aaa authentication attempts class-override admin no-lockout on page 150
- aaa authentication attempts class-override unknown hash-username on page 152
- aaa authentication attempts class-override unknown no-track on page 154
- aaa authentication attempts lockout enable on page 156
- aaa authentication attempts lockout lock-time on page 158
- aaa authentication attempts lockout max-fail on page 160
- aaa authentication attempts lockout unlock-time on page 162
- aaa authentication attempts reset all [no-clear-history | no-unlock] on page 164
- aaa authentication attempts reset user [no-clear-history | no-unlock] on page 166
- aaa authentication attempts track downcase on page 168
- aaa authentication attempts track enable on page 169
- clear aaa authentication attempts user on page 310
- aaa authentication login default on page 190
- aaa authentication password lcd length minimum on page 192
- aaa authentication password local change allow-encrypt on page 193
- aaa authentication password local change require-current on page 195
- aaa authentication password local character-type minimum on page 197
- aaa authentication password local history clear on page 199
- aaa authentication password local history compare on page 201
- aaa authentication password local length on page 203
- aaa authentication password local max-char-repeats on page 205
- aaa authentication password local no-userid on page 207
- aaa authentication password local require-change advance-warning on page 208
- aaa authentication password local require-change force on page 210
- aaa authentication password local require-change max-password-days on page 212
- aaa authentication password local require-change new-account on page 214
clear aaa authentication attempts user
Clears the authentication history and unlocks a specific user account.
Syntax clear aaa authentication attempts user <userAccount> [no-clear-history] [no-unlock]
Parameters userAccount
The user account to clear.
no-clear-history
Unlock the account, but do not clear its authentication history.
no-unlock
Clear the authentication history for the account, but do not unlock it.
Example The following unlocks the madhu account and clears its authentication history:
hostname (config) # clear aaa authentication attempts user madhu
The following unlocks the fazia account without clearing its authentication history:
hostname (config) # clear aaa authentication attempts user fazia no-clear-history
The following clears the authentication history of the phani account without unlocking the account:
hostname (config) # clear aaa authentication attempts user phani no-unlock
User Role Administrator
Command Mode Configuration
Release Information This command was introduced as follows:
- AX Series: Before release 6.4
- CM Series: 7.1
- EX Series: Before release 6.4
- FX Series: Before release 6.4
- NX Series: Before release 6.4
- VX Series: 7.9
Related Commands For a list of related commands, see AAA Authentication Commands on page 52.
- aaa authentication attempts class-override admin no-lockout on page 150
- aaa authentication attempts class-override unknown hash-username on page 152
- aaa authentication attempts class-override unknown no-track on page 154
- aaa authentication attempts lockout enable on page 156
- aaa authentication attempts lockout lock-time on page 158
- aaa authentication attempts lockout max-fail on page 160
- aaa authentication attempts lockout unlock-time on page 162
- aaa authentication attempts reset all [no-clear-history | no-unlock] on page 164
- aaa authentication attempts reset user [no-clear-history | no-unlock] on page 166
- aaa authentication attempts track downcase on page 168
- aaa authentication attempts track enable on page 169
- clear aaa authentication attempts all on page 308
- aaa authentication login default on page 190
- aaa authentication password lcd length minimum on page 192
- aaa authentication password local change allow-encrypt on page 193
- aaa authentication password local change require-current on page 195
- aaa authentication password local character-type minimum on page 197
- aaa authentication password local history clear on page 199
- aaa authentication password local history compare on page 201
- aaa authentication password local length on page 203
- aaa authentication password local max-char-repeats on page 205
- aaa authentication password local no-userid on page 207
- aaa authentication password local require-change advance-warning on page 208
- aaa authentication password local require-change force on page 210
- aaa authentication password local require-change max-password-days on page 212
- aaa authentication password local require-change new-account on page 214
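A model of the per-account state that clear aaa authentication attempts all and clear aaa authentication attempts user operate on, added here as an example for both commands; it is not FireEye code, and the appliance's real bookkeeping is not shown in this guide. Each account carries a failed-login history and a locked flag; the max_fail threshold in the model stands in for whatever aaa authentication attempts lockout max-fail is set to on the appliance. The model makes the difference between the two options concrete: no-clear-history unlocks the account but leaves the count at the threshold, so in this model the very next failed attempt locks it again, while no-unlock zeroes the count but leaves the account locked until a later clear releases it.

```python
"""Per-account lockout state as the 'clear aaa authentication attempts'
commands manipulate it. Added example, not FireEye code; max_fail is a
stand-in for the appliance's 'lockout max-fail' setting."""
from dataclasses import dataclass


@dataclass
class AccountState:
    failures: int = 0       # the "authentication history" the commands can clear
    locked: bool = False    # the lock the commands can release


class LockoutTracker:
    def __init__(self, max_fail=5):
        self.max_fail = max_fail
        self.accounts = {}

    def _state(self, user):
        return self.accounts.setdefault(user, AccountState())

    def login(self, user, credentials_ok):
        """Return True when the login succeeds. A locked account is refused
        even with the right password; a success resets the failure history."""
        st = self._state(user)
        if st.locked:
            return False
        if credentials_ok:
            st.failures = 0
            return True
        st.failures += 1
        if st.failures >= self.max_fail:
            st.locked = True
        return False

    @staticmethod
    def _clear(st, no_clear_history, no_unlock):
        if not no_clear_history:
            st.failures = 0
        if not no_unlock:
            st.locked = False

    def clear_all(self, no_clear_history=False):
        """clear aaa authentication attempts all [no-clear-history]"""
        for st in self.accounts.values():
            self._clear(st, no_clear_history, no_unlock=False)

    def clear_user(self, user, no_clear_history=False, no_unlock=False):
        """clear aaa authentication attempts user <userAccount> [no-clear-history] [no-unlock]"""
        self._clear(self._state(user), no_clear_history, no_unlock)


if __name__ == "__main__":
    t = LockoutTracker(max_fail=3)
    for _ in range(3):                      # three bad passwords for a constructed account
        t.login("madhu", credentials_ok=False)
    print(t.accounts["madhu"])              # failures=3, locked=True
    t.clear_user("madhu", no_clear_history=True)
    print(t.accounts["madhu"])              # unlocked, history kept
    t.login("madhu", credentials_ok=False)
    print(t.accounts["madhu"])              # locked again after a single failure
```

When unlocking an account that is under an active password-guessing attempt, the plain form (history cleared) gives the user the full max-fail budget again; the no-clear-history form gives them none, which is the safer choice if you have not yet confirmed who is generating the failures.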
clear arp-cache Removes the dynamic entries from the Address Resolution Protocol (ARP) cache. This command does not remove static links added to the cache with the arp command.
Syntax clear arp-cache
Parameters None
Example The following example clears the ARP cache. hostname # clear arp-cache
User Role Administrator
Command Mode Enable and Configuration
Release Information AX Series: Before release 6.4 CM Series: Before release 6.4 EX Series: Before release 6.4 FX Series: Before release 6.4 HX Series: Release 2.5 NX Series: Before release 6.4
Related Topics For a list of related commands, see: ARP Command Family on page 60.
clear ipv6 neighbors Clears the dynamic entries from the IPv6 neighbors cache.
Syntax clear ipv6 neighbors
Parameters None
Example The following example clears the IPv6 neighbors. hostname # clear ipv6 neighbors
User Role Administrator or Operator
Command Mode Enable or Configuration
Release Information AX Series: Before release 6.4 CM Series: Before release 6.4 EX Series: Before release 6.4 FX Series: Before release 6.4 HX Series: Release 2.5 NX Series: Before release 6.4 VX Series: 7.9
Related Topics For a list of related commands, see the IPv6 command family.
cli clear-history Clears the history of CLI commands entered by the current user.
Syntax cli clear-history
Parameters None
Example The following example clears the CLI history for the current user. hostname # cli clear-history
User Role Administrator or Operator
Command Mode Disable, Enable or Configuration
Release Information AX Series: Before release 6.4 CM Series: Before release 6.4 EX Series: Before release 6.4 FX Series: Before release 6.4 HX Series: Release 2.5 NX Series: Before release 6.4 VX Series: 7.9
Related Topics For a list of related commands, see: CLI Session Commands on page 69.
cli default
Sets the user idle timeout, enables paging of CLI output, configures confirmation prompts, and enables the display of hidden CLI commands in the output of the show configuration commands. These settings affect the current session and all new CLI sessions. Use the no form of this command to clear a setting.
Syntax
[no] cli default auto-logout <minutes>
[no] cli default paging enable
[no] cli default prefix-modes {enable | show-config}
[no] cli default progress enable
[no] cli default prompt {confirm-reload | confirm-reset | confirm-unsaved | empty-password}
[no] cli default show config-hidden enable
Parameters auto-logout minutes
Number of minutes a session can be idle before the user is logged off (default is 15).
paging enable
Enables a pause between each page of multi-page output (enabled by default). Press any key to display the next page.
prefix-modes {enable | show-config}
Configures the CLI prefix modes.
show config-hidden enable
Includes hidden configuration settings in the output of the various show configuration commands (enabled by default).
confirm-reload
Prompt for confirmation before rebooting.
confirm-reset
Confirm whether to save unsaved changes before resetting to factory state.
confirm-unsaved
Confirm whether to save unsaved changes before rebooting.
empty-password
Prompt for a password if none is specified in a pseudo-URL for secure copy (scp).
Example The following example changes the idle timeout for the current session and all new sessions to ten minutes:
hostname (config) # cli default auto-logout 10
Related Commands
cli clear-history on page 314
cli default on the previous page
cli disable-history on the facing page
cli enable-history on page 318
cli session auto-logout on page 318
cli session paging enable on page 319
cli session prefix-modes {enable | show-config} on page 320
cli session progress enable on page 321
cli session terminal length on page 322
cli session terminal resize on page 323
cli session terminal type on page 324
cli session terminal width on page 325
cli session x-display full on page 325
show cli on page 1380
show terminal on page 1982
terminal on page 1297
cli disable-history
Inactivates command history for the current user.

Syntax
cli disable-history

Parameters
None

Example
The following example inactivates the command history for the current user.
hostname # cli disable-history
cli enable-history
Activates command history for the current user.

Syntax
cli enable-history

Parameters
None

Example
The following example activates the command history for the current user.
hostname # cli enable-history
cli session auto-logout
Sets the number of minutes a session can be idle before the user is logged off.

Syntax
[no] cli session auto-logout minutes

Parameters
no
    Use the no form of this command to not automatically log users out due to keyboard inactivity in the current session.
minutes
    The number of minutes before a user is logged out. A value of zero disables auto-logout. The value must be at least 0.25 (15 seconds). The default is 15.

Example
The following example changes the idle timeout for the current session to 10 minutes:
hostname > cli session auto-logout 10
The following command disables automatically logging out users due to keyboard inactivity:
hostname > no cli session auto-logout

User Role
Admin or Operator
Command Mode
Standard

Release Information
This command was introduced as follows:
AX Series: Before Release 6.4
CM Series: Before Release 6.4
EX Series: Before Release 6.4
FX Series: Before Release 6.4
HX Series: Release 2.5
NX Series: Before Release 6.4

Related Commands
For a list of related commands, see: CLI Session Commands on page 69.
cli session paging enable
Enables a pause between each page of multi-page output (enabled by default). Press any key to display the next page. This setting applies only to the current session.

Syntax
[no] cli session paging enable

Parameters
no
    Use the no form of this command to disable paging for the current session.

Example
The following example disables paging for the current session:
hostname > no cli session paging enable

User Role
Admin or Operator

Command Mode
Standard

Release Information
This command was introduced as follows:
AX Series: Before Release 6.4
CM Series: Before Release 6.4
EX Series: Before Release 6.4
FX Series: Before Release 6.4
HX Series: Release 2.5
NX Series: Before Release 6.4

Related Commands
For a list of related commands, see: CLI Session Commands on page 69.
cli session prefix-modes {enable | show-config}
Configures the CLI prefix modes feature for this session.

Syntax
[no] cli session prefix-modes {enable | show-config}

Parameters
no
    Use the no form of this command to disable these settings for the current session.
enable
    Enables the use of prefix modes in the CLI. If prefix modes are disabled, the commands that were used to enter prefix modes may or may not remain valid standalone commands, depending on the command. Changing this option's default will affect this session as well as all future ones, but will not affect other sessions already in progress.
show-config
    Use prefix modes in show configuration output for this session. If prefix modes are disabled, this flag will not automatically be cleared, but it will be ignored.

Example
The following example enables prefix modes for this session:
hostname > cli session prefix-modes enable

User Role
Admin or Operator

Command Mode
Standard

Release Information
This command was introduced as follows:
AX Series: Before Release 6.4
CM Series: Before Release 6.4
EX Series: Before Release 6.4
FX Series: Before Release 6.4
HX Series: Release 2.5
NX Series: Before Release 6.4

Related Commands
For a list of related commands, see: CLI Session Commands on page 69.
cli session progress enable
Enables progress updates for long operations.

Syntax
[no] cli session progress enable

Parameters
no
    Use the no form of this command to disable these settings for the current session.

Example
The following example enables progress updates for long operations:
hostname > cli session progress enable

User Role
Admin or Operator

Command Mode
Standard

Release Information
This command was introduced as follows:
AX Series: Before Release 6.4
CM Series: Before Release 6.4
EX Series: Before Release 6.4
FX Series: Before Release 6.4
HX Series: Release 2.5
NX Series: Before Release 6.4

Related Commands
For a list of related commands, see: CLI Session Commands on page 69.
cli session terminal length
Sets the number of lines to display on one page of CLI output for this session. This setting overrides the auto-detected size of the terminal. It is useful mostly when the size could not be auto-detected and the CLI is using the default 80x24.

Syntax
cli session terminal length length

Parameters
length
    Number of lines to show on one page of CLI output. The default is 24.

Example
The following example sets the terminal display to 36 lines:
hostname > cli session terminal length 36

User Role
Admin or Operator

Command Mode
Standard

Release Information
This command was introduced as follows:
AX Series: Before Release 6.4
CM Series: Before Release 6.4
EX Series: Before Release 6.4
FX Series: Before Release 6.4
HX Series: Release 2.5
NX Series: Before Release 6.4

Related Commands
For a list of related commands, see: CLI Session Commands on page 69.
cli session terminal resize
Attempts to detect the size of the terminal window, and adjusts CLI settings accordingly. This should only be necessary on a serial console, as the terminal size in an SSH connection should already be detected automatically. Do not type any additional characters on the terminal while this command is running. Doing so could cause its execution to fail, and junk characters to appear on the screen.

Syntax
cli session terminal resize

Parameters
None

Example
The following command resizes the terminal window:
hostname > cli session terminal resize

User Role
Admin or Operator

Command Mode
Standard

Release Information
This command was introduced as follows:
AX Series: Before Release 6.4
CM Series: Before Release 6.4
EX Series: Before Release 6.4
FX Series: Before Release 6.4
HX Series: Release 2.5
NX Series: Before Release 6.4

Related Commands
For a list of related commands, see: CLI Session Commands on page 69.
cli session terminal type
Sets the terminal type for the current session.

Syntax
cli session terminal type type
no cli session terminal type

Parameters
no
    Use the no form of this command to disable these settings for the current session.
type
    Terminal type. Can be ansi, dumb, vt100, vt102, or xterm. Default is dumb.

Example
The following example sets the terminal type to vt100:
hostname > cli session terminal type vt100

User Role
Admin or Operator

Command Mode
Standard

Release Information
This command was introduced as follows:
AX Series: Before Release 6.4
CM Series: Before Release 6.4
EX Series: Before Release 6.4
FX Series: Before Release 6.4
HX Series: Release 2.5
NX Series: Before Release 6.4

Related Commands
For a list of related commands, see: CLI Session Commands on page 69.
cli session terminal width
Sets the number of characters per line.

Syntax
cli session terminal width width

Parameters
width
    Number of characters per line (default is 80).

Example
The following example changes the number of characters per line to 100:
hostname > cli session terminal width 100

User Role
Admin or Operator

Command Mode
Standard

Release Information
This command was introduced as follows:
AX Series: Before Release 6.4
CM Series: Before Release 6.4
EX Series: Before Release 6.4
FX Series: Before Release 6.4
HX Series: Release 2.5
NX Series: Before Release 6.4

Related Commands
For a list of related commands, see: CLI Session Commands on page 69.
cli session x-display full
Sets the specific display to use for X Windows applications.

Syntax
cli session x-display full display-string
no cli session x-display

Parameters
no
    Use the no form of this command to unset the X Windows display.
display-string
    The raw string to use for the display.

Example
The following example sets the display string to localhost:0.0:
hostname > cli session x-display full localhost:0.0

User Role
Admin or Operator

Command Mode
Standard

Release Information
This command was introduced as follows:
AX Series: Before Release 6.4
CM Series: Before Release 6.4
EX Series: Before Release 6.4
FX Series: Before Release 6.4
HX Series: Release 2.5
NX Series: Before Release 6.4

Related Commands
For a list of related commands, see: CLI Session Commands on page 69.
clock set
Description
Sets the current date and time on the FireEye appliance. The date and time are stored as Coordinated Universal Time (UTC) in the database. The Z character in syslog output indicates that the time displayed is in the UTC time zone; for example: Oct 19 2012 16:10:10 Z.

Syntax
clock set hh:mm:ss [date]

Parameters
hh:mm:ss
    Time of day in 24-hour format.
date
    Day of the year in the following format: yyyy/mm/dd. If the date is omitted, the current date is not changed.

Example
The following example sets the time to 2:00 p.m.
hostname (config) # clock set 14:00

Related Commands
show clock on page 1383
clock timezone
Description
Sets the time zone on the FireEye appliance. The time zone is for display purposes and should match other security device settings. The Z character in syslog output indicates that the time displayed is in the UTC time zone; for example: Oct 19 2012 16:10:10 Z. Use the no form of this command to delete the time zone or to reset the time zone on the FireEye appliance to Greenwich Mean Time (GMT).

Syntax
[no] clock timezone tzone

Parameters
tzone
    Enter one of the following areas, and then type “?” to view the specific time zones in that area:
    • Africa
    • America
    • Antarctica
    • Arctic
    • Asia
    • Atlantic_Ocean
    • Australia
    • Europe
    • Indian_Ocean
    • Pacific_Ocean
    • UTC
    • UTC-offset
    If you enter UTC-offset (Coordinated Universal Time), you must also enter one of the following:
    • UTC+hours. Number of hours (1 to 12) after UTC
    • UTC-hours. Number of hours (1 to 14) before UTC

Example
The following example sets the time zone to eight hours after UTC.
hostname (config) # clock timezone UTC-offset UTC+8
The following example sets the time zone to Pacific Standard Time.
hostname (config) # clock timezone America North United_States Pacific
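The clock set and clock timezone entries above make two points that matter when appliance logs are correlated elsewhere: the appliance stores time as UTC, and a trailing Z in syslog output marks a timestamp that is already UTC, while the configured time zone is for display only. The Python below is an added example, not code from the guide or from FireEye, showing how a collector can normalise such lines: a Z-suffixed timestamp is taken as UTC, anything else is interpreted in the zone the appliance was given with clock timezone UTC-offset and converted. The log lines are constructed, the appliance hostnames in them are placeholders, and the UTC+hours / UTC-hours ranges the parser enforces are the ones the guide lists.

```python
import re
from datetime import datetime, timedelta, timezone

# Timestamp shape shown in the guide's syslog example, e.g. "Oct 19 2012 16:10:10 Z".
# The optional trailing "Z" marks UTC; without it the time is in the display zone.
_TS = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) (?P<day>\d{1,2}) (?P<year>\d{4}) "
    r"(?P<hms>\d{2}:\d{2}:\d{2})(?P<zulu> Z)?"
)


def parse_utc_offset(area: str) -> timezone:
    """Turn a 'clock timezone UTC-offset UTC+N' / 'UTC-N' argument into a tzinfo.

    Ranges follow the guide: UTC+1..UTC+12 after UTC, UTC-1..UTC-14 before UTC.
    """
    m = re.fullmatch(r"UTC([+-])(\d{1,2})", area)
    if not m:
        raise ValueError(f"not a UTC-offset area: {area!r}")
    sign, hours = m.group(1), int(m.group(2))
    if sign == "+" and not 1 <= hours <= 12:
        raise ValueError("UTC+hours must be 1 to 12")
    if sign == "-" and not 1 <= hours <= 14:
        raise ValueError("UTC-hours must be 1 to 14")
    return timezone(timedelta(hours=hours if sign == "+" else -hours))


def is_valid_offset(area: str) -> bool:
    """True if parse_utc_offset() accepts the argument."""
    try:
        parse_utc_offset(area)
        return True
    except ValueError:
        return False


def parse_syslog_time(line: str, appliance_tz: timezone) -> datetime:
    """Return the event time of one syslog line as an aware UTC datetime.

    A 'Z' suffix means the appliance already emitted UTC. Otherwise the time is
    read in appliance_tz (the zone set with 'clock timezone') and converted.
    """
    m = _TS.match(line)
    if not m:
        raise ValueError(f"no recognised timestamp at start of line: {line!r}")
    naive = datetime.strptime(
        f"{m['mon']} {m['day']} {m['year']} {m['hms']}", "%b %d %Y %H:%M:%S"
    )
    tz = timezone.utc if m["zulu"] else appliance_tz
    return naive.replace(tzinfo=tz).astimezone(timezone.utc)


def normalise(lines, appliance_tz: timezone):
    """Map every line to its UTC event time (order preserved)."""
    return [parse_syslog_time(line, appliance_tz) for line in lines]


# Constructed sample lines (not captured from a real appliance).
SAMPLE_LOGS = [
    "Oct 19 2012 16:10:10 Z nx-example-01 example: constructed line with Z suffix",
    "Oct 19 2012 16:10:10 nx-example-02 example: constructed line without Z suffix",
]

if __name__ == "__main__":
    # Assumed display zone for the appliance that omits the Z: UTC+8 per the guide's example.
    for when in normalise(SAMPLE_LOGS, parse_utc_offset("UTC+8")):
        print(when.isoformat())
```

The second constructed line shows the trap: identical wall-clock text, but without the Z it is a local time and lands eight hours earlier in UTC. Collectors that ignore the suffix will mis-order events from appliances with different display zones.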
cmc appliance
To specify the appliance settings the CM Series platform will use to connect to an appliance for management, use the cmc appliance commands in configuration mode. The Central Management Console (CMC) is the CM Series platform component that provides basic management and control capabilities for both the server (CM Series platform) and its clients (managed appliances).

Syntax
[no] cmc appliance applianceName
cmc appliance applianceName rename newName
[no] cmc appliance applianceName enable
[no] cmc appliance applianceName connection auto
cmc appliance applianceName connection connect [maintain]
cmc appliance applianceName connection reconnect [maintain]
cmc appliance applianceName connection disconnect
cmc appliance applianceName address {ipAddress | hostname}
no cmc appliance applianceName address
cmc appliance applianceName port portNumber
no cmc appliance applianceName port
cmc appliance applianceName source address ipAddress
no cmc appliance applianceName source address
cmc appliance applianceName source port portNumber
no cmc appliance applianceName source port
[no] cmc appliance applianceName check-status
[no] cmc appliance applianceName client-requests enable
cmc appliance applianceName comment comment
no cmc appliance applianceName comment
cmc appliance applianceName remove-key

User Role
Operator or Admin

Description
These commands are run on the CM Series platform.

Parameters
applianceName
    Specifies the name of the appliance record. The cmc appliance applianceName command creates a new record. Using the no parameter (no cmc appliance applianceName) deletes the record.
rename newName
    Changes the name of the appliance record. The name must be unique; it cannot be the name of an existing appliance record. This command interrupts any active operations on the appliance, such as applying a profile. It immediately disconnects the appliance from the CM Series platform and then reconnects it.
enable
    Enables the appliance to be managed by the CM Series platform. Use the no parameter to disable the appliance from being managed. The appliance must be enabled before it can be connected to the CM Series platform.
connection auto
    Specifies that the CM Series platform should automatically attempt to connect to the appliance. Use the no parameter to disable automatic attempts, and instead wait for either a manual connection attempt or for the appliance to initiate a request to be managed.
connection connect [maintain]
    Attempts to connect to the appliance. The maintain parameter temporarily enables the connection auto behavior, until the appliance is manually disconnected or the system is rebooted.
connection reconnect [maintain]
    Specifies that any connection to the appliance should be broken and then reconnected. If the reconnection attempt fails, the reconnection retry interval is reset to its shortest value. The maintain parameter temporarily enables the connection auto behavior, until the appliance is manually disconnected or the system is rebooted.
connection disconnect
    Breaks the connection between the CM Series platform and the appliance. If auto-connect is enabled through the connection auto parameter, the CM Series platform will attempt to reconnect. If the appliance is in temporary auto-connect mode through the connection connect maintain or connection reconnect maintain parameter, the override is canceled, so auto-connect will happen only if it is enabled by the connection auto command.
address {ipAddress | hostname}
    The IPv4 or IPv6 address or hostname of the appliance to connect to for management. When the CM Series platform receives a connection request from an appliance, the appliance IP address is used to validate whether the appliance record exists. To avoid the need to synchronize settings later, it is recommended that you use the IP address instead of the hostname in this command.
no cmc appliance applianceName address
    Resets the appliance address to the name of its appliance record.
port portNumber
    Sets the port of the appliance to connect to for management. If the port is not specified, it defaults to port 22.
no cmc appliance applianceName port
    Resets the port number to 22.
no cmc appliance applianceName web port http
    Not currently used.
no cmc appliance applianceName web port https
    Not currently used.
source address ipv4Address
    Sets the IPv4 address of the appliance. This parameter is used when the appliance initiates a request to be managed. The CM Series platform accepts the connection request only if the source address matches this address. If the source address is not set (or is cleared with the no parameter), the connection request will be accepted only if the source address matches the main address specified by the cmc appliance applianceName address command. This command does not support IPv6 addresses.
no cmc appliance applianceName source address
    Resets the source appliance address to the main address specified by the cmc appliance applianceName address command.
source port portNumber
    Sets the source port for the appliance configured in the cmc appliance applianceName source address command. The connection request will be accepted only if the source port matches this port.
no cmc appliance applianceName source port
    Clears the source port parameter and stops the source port from being verified.
comment comment
    Adds a comment about the appliance to be displayed in the show cmc appliances command output.
no cmc appliance applianceName comment
    Deletes the comment.
remove-key
    Removes any known host entry for the appliance.

Example
The following example adds the nx-04 appliance and then configures its IP address.
hostname (config) # cmc appliance nx-04
hostname (config) # cmc appliance nx-04 address 172.30.0.0
cmc appliance auth password password
Sets the password which will be used for password authentication. If the positive form of the password command is used with no password, the user will be prompted for the password. Any entries made at this prompt will only echo with the '*' character, and the user will have to enter the same string twice for confirmation. The Central Management Console (CMC) is the CM Series platform component that provides basic management and control capabilities for both the server (CM Series platform) and its clients (managed appliances).

Syntax
cmc appliance appliance_name auth password password [password]
no cmc appliance appliance_name auth password password

Parameters
no
    The no form of this command resets the password to its default.
appliance_name
    Name of the appliance on which to configure the user's password.
password
    The password. The default is an empty password.

Example
The following example configures password authentication parameters for the nx-32 appliance.
hostname (config) # cmc appliance nx-32 auth authtype password
hostname (config) # cmc appliance nx-32 auth password username cmcadmin2
hostname (config) # cmc appliance nx-32 auth password password e9%Pn2bd

User Role
Operator or Admin

Command Mode
Configuration

Release Information
This command was introduced as follows:
CM Series: Release 7.5.0

Related Commands
For a list of related commands, see: CMC Appliance Authentication Commands on page 72
cmc appliance auth password username
Sets the remote user name which will be used for password authentication. The Central Management Console (CMC) is the CM Series platform component that provides basic management and control capabilities for both the server (CM Series platform) and its clients (managed appliances).

Syntax
cmc appliance appliance_name auth password username username
no cmc appliance appliance_name auth password username

Parameters
no
    The no form of this command sets the user name to its default.
appliance_name
    Name of the appliance on which to configure the user name.
username
    The user name to configure. The default is admin.

Example
The following example configures password authentication parameters for the nx-32 appliance.
hostname (config) # cmc appliance nx-32 auth authtype password
hostname (config) # cmc appliance nx-32 auth password username cmcadmin2
hostname (config) # cmc appliance nx-32 auth password password e9%Pn2bd

User Role
Operator or Admin

Command Mode
Configuration

Release Information
This command was introduced as follows:
CM Series: Release 7.5

Related Commands
For a list of related commands, see: CMC Appliance Authentication Commands on page 72
cmc appliance auth ssh-dsa2 identity push [username username password [password]]
Pushes the public key part of the specified identity onto the specified appliance using SSH. If the user name and password are specified, those are used to log into the appliance for pushing the key. If the user name and password are omitted, the configured settings for password authentication on this appliance are used, even if password authentication is not the enabled authentication type. The user name is not verified, other than explicitly forbidding user names that contain the '@' character. The Central Management Console (CMC) is the CM Series platform component that provides basic management and control capabilities for both the server (CM Series platform) and its clients (managed appliances).

Syntax
cmc appliance appliance_name auth ssh-dsa2 identity identity push [username username password [password]]

Parameters
appliance_name
    Name of the appliance on which to configure the ssh-dsa2 identity.
identity
    Specifies the named identity to log in to the appliance using ssh-dsa2 authentication.
username
    User name used to log into the appliance for pushing the key.
password
    Password for the specified user name. If the password is specified as "", the user will be prompted.

Examples
The following example pushes the public key string to the EX Series appliance:
CM-08 (config) # cmc appliance EX-03 auth ssh-dsa2 identity admin4 push
Push of identity for user admin onto EX-03 succeeded.
EX-03 # show ssh client
. . .
SSH authorized keys:
User admin:
Key 1: ssh-dss AAA3NzaC1kc3MAAACBAJl3PisWNnz/gYLvL4JC7xFMoq3HE89rai7trnJmpxjylArYhfMzaGndFA4qGRZMFzhiz9Jhi/+W1ufIrXLGzakC0lAAAAFQCuMCsMwMGN9zT5w2JCiDt7D6orNwAA
. . .

The following example logs the remote user into the EX Series appliance to push the CM Series SSH-DSA2 identity named admin6 to the EX Series appliance:
CM-02 (config) # cmc appliance EX-05 auth ssh-dsa2 identity admin6 push username admin password admin

User Role
Operator or Admin

Command Mode
Configuration

Release Information
This command was introduced as follows:
CM Series: Release 7.5.0

Related Commands
For a list of related commands, see: CMC Appliance Authentication Commands on page 72
cmc appliance auth ssh-dsa2 identity
Sets the name of the identity which will be used for ssh-dsa2 authentication. There is no default identity, so it must be specified if ssh-dsa2 authentication is used. The identity is the name of an identity previously created with one of the cmc auth ... commands. The Central Management Console (CMC) is the CM Series platform component that provides basic management and control capabilities for both the server (CM Series platform) and its clients (managed appliances).

Syntax
cmc appliance appliance_name auth ssh-dsa2 identity identity
no cmc appliance appliance_name auth ssh-dsa2 identity

Parameters
no
    The no form of this command removes the ssh-dsa2 identity from the appliance.
appliance_name
    Name of the appliance on which to configure the ssh-dsa2 identity.
identity
    Specifies the named identity to log in to the appliance using ssh-dsa2 authentication.

Example
The following example configures SSH-DSA2 authentication parameters used to log in to the NX-04 appliance:
hostname (config) # cmc appliance NX-04 auth authtype ssh-dsa2
hostname (config) # cmc appliance NX-04 auth ssh-dsa2 username cmcadmin2
hostname (config) # cmc appliance NX-04 auth ssh-dsa2 identity admin2

User Role
Admin or Operator

Command Mode
Configuration

Release Information
This command was introduced as follows:
CM Series: Release 7.5

Related Commands
For a list of related commands, see: CMC Appliance Authentication Commands on page 72
cmc appliance auth ssh-dsa2 username
Sets the remote user name which will be used for ssh-dsa2 authentication. The user name defaults to admin. The Central Management Console (CMC) is the CM Series platform component that provides basic management and control capabilities for both the server (CM Series platform) and its clients (managed appliances).

Syntax
cmc appliance appliance_name auth ssh-dsa2 username user_name
no cmc appliance appliance_name auth ssh-dsa2 username

Parameters
no
    The no form of this command removes the ssh-dsa2 user name from the appliance.
appliance_name
    Name of the appliance on which to configure the ssh-dsa2 user name.
user_name
    Specifies the user name to log in to the appliance using ssh-dsa2 authentication.

Example
The following example configures SSH-DSA2 authentication parameters used to log in to the NX-04 appliance:
hostname (config) # cmc appliance NX-04 auth authtype ssh-dsa2
hostname (config) # cmc appliance NX-04 auth ssh-dsa2 username cmcadmin2
hostname (config) # cmc appliance NX-04 auth ssh-dsa2 identity admin2

User Role
Admin or Operator

Command Mode
Configuration

Release Information
This command was introduced as follows:
CM Series: Release 7.5

Related Commands
For a list of related commands, see: CMC Appliance Authentication Commands on page 72
cmc appliance auth ssh-rsa2 identity push [username username password [password]]
Pushes the public key part of the specified identity onto the specified appliance using SSH. If the user name and password are specified, those are used to log into the appliance for pushing the key. If the user name and password are omitted, the configured settings for password authentication on this appliance are used, even if password authentication is not the enabled authentication type. The user name is not verified, other than explicitly forbidding user names that contain the '@' character. The Central Management Console (CMC) is the CM Series platform component that provides basic management and control capabilities for both the server (CM Series platform) and its clients (managed appliances).

Syntax
cmc appliance appliance_name auth ssh-rsa2 identity identity push [username username password [password]]

Parameters
appliance_name
    Name of the appliance on which to configure the ssh-rsa2 identity.
identity
    Specifies the named identity to log in to the appliance using ssh-rsa2 authentication.
username
    User name used to log into the appliance for pushing the key.
password
    Password for the specified user name. If the password is specified as "", the user will be prompted.

Examples
The following example pushes the public key string to the EX Series appliance:
CM-08 (config) # cmc appliance EX-03 auth ssh-rsa2 identity admin4 push
Push of identity for user admin onto EX-03 succeeded.
EX-03 # show ssh client
. . .
SSH authorized keys:
User admin:
Key 1: ssh-dss AAA3NzaC1kc3MAAACBAJl3PisWNnz/gYLvL4JC7xFMoq3HE89rai7trnJmpxjylArYhfMzaGndFA4qGRZMFzhiz9Jhi/+W1ufIrXLGzakC0lAAAAFQCuMCsMwMGN9zT5w2JCiDt7D6orNwAA
. . .

The following example logs the remote user into the EX Series appliance to push the CM Series SSH-RSA2 identity named admin6 to the EX Series appliance:
CM-02 (config) # cmc appliance EX-05 auth ssh-rsa2 identity admin6 push username admin password admin

User Role
Operator or Admin

Command Mode
Configuration

Release Information
This command was introduced as follows:
CM Series: Release 7.5.0

Related Commands
For a list of related commands, see: CMC Appliance Authentication Commands on page 72
cmc appliance auth ssh-rsa2 identity
Sets the name of the identity which will be used for ssh-rsa2 authentication. There is no default identity, so it must be specified if ssh-rsa2 authentication is used. The identity is the name of an identity previously created with one of the cmc auth ... commands. The Central Management Console (CMC) is the CM Series platform component that provides basic management and control capabilities for both the server (CM Series platform) and its clients (managed appliances).

Syntax
cmc appliance appliance_name auth ssh-rsa2 identity identity
no cmc appliance appliance_name auth ssh-rsa2 identity

Parameters
no
    The no form of this command removes the ssh-rsa2 identity from the appliance.
appliance_name
    Name of the appliance on which to configure the ssh-rsa2 identity.
identity
    Specifies the named identity to log in to the appliance using ssh-rsa2 authentication.

Example
The following example configures SSH-RSA2 authentication parameters used to log in to the NX-04 appliance:
hostname (config) # cmc appliance NX-04 auth authtype ssh-rsa2
hostname (config) # cmc appliance NX-04 auth ssh-rsa2 username cmcadmin2
hostname (config) # cmc appliance NX-04 auth ssh-rsa2 identity admin2

User Role
Admin or Operator

Command Mode
Configuration

Release Information
This command was introduced as follows:
CM Series: Release 7.5

Related Commands
For a list of related commands, see: CMC Appliance Authentication Commands on page 72
cmc appliance auth ssh-rsa2 username
Sets the remote user name which will be used for ssh-rsa2 authentication. The user name defaults to 'admin'. The Central Management Console (CMC) is the CM Series platform component that provides basic management and control capabilities for both the server (CM Series platform) and its clients (managed appliances).

Syntax
cmc appliance appliance_name auth ssh-rsa2 username user_name
no cmc appliance appliance_name auth ssh-rsa2 username

Parameters
no
    The no form of this command removes the ssh-rsa2 user name from the appliance.
appliance_name
    Name of the appliance on which to configure the ssh-rsa2 user name.
user_name
    Specifies the user name to log in to the appliance using ssh-rsa2 authentication.

Example
The following example configures SSH-RSA2 authentication parameters used to log in to the NX-04 appliance:
hostname (config) # cmc appliance NX-04 auth authtype ssh-rsa2
hostname (config) # cmc appliance NX-04 auth ssh-rsa2 username cmcadmin2
hostname (config) # cmc appliance NX-04 auth ssh-rsa2 identity admin2

User Role
Admin or Operator

Command Mode
Configuration

Release Information
This command was introduced as follows:
CM Series: Release 7.5

Related Commands
For a list of related commands, see: CMC Appliance Authentication Commands on page 72
cmc appliance authtype
Sets the authentication type that will be used when connecting to the appliance. The Central Management Console (CMC) is the CM Series platform component that provides basic management and control capabilities for both the server (CM Series platform) and its clients (managed appliances).

Syntax
cmc appliance appliance_name authtype authtype
no cmc appliance appliance_name authtype

Parameters
no
    The no form of this command resets authtype to its default.
appliance_name
    Name of the appliance on which to configure the authentication type.
authtype
    Authentication type to use when connecting to the appliance. The permitted values are:
    • password (Default)
    • ssh-dsa2
    • ssh-rsa2

Example
The following example configures ssh-dsa2 authentication for the nx-32 appliance:
hostname (config) # cmc appliance nx-32 authtype ssh-dsa2

User Role
Operator or Admin

Command Mode
Configuration

Release Information
This command was introduced as follows:
CM Series: Release 7.5

Related Commands
For a list of related commands, see: CMC Appliance Authentication Commands on page 72
cmc auth To configure Central Management Console (CMC) SSH authentication settings for the CM Series appliance or for the local FireEye appliance, use the cmc auth command in configuration mode.
Syntax
[no] cmc auth cipher-list {original | fips | cc-ndpp | fips-and-cc-ndpp | high-security | compatible}
cmc auth ssh host-key {global-only | strict}
[no] cmc auth ssh min-key-length bits
[no] cmc auth ssh min-version version_number
cmc auth ssh trusted-hosts {clear-install | install | verify}
cmc auth {ssh-dsa2 | ssh-rsa2} identity identity {generate | private private_key | public public_key}
no cmc auth {ssh-dsa2 | ssh-rsa2} identity identity
User Role Administrator or Operator
Release Information Command introduced before Release 7.6.0.
Parameters
cipher-list {original | fips | cc-ndpp | fips-and-cc-ndpp | high-security | compatible}
Configures the CMC cipher list bundle of ciphers, MACs, and KEX for SSH:
- original: Original FireEye cipher list (maximum compatibility)
- fips: Compliant with FIPS
- cc-ndpp: Compliant with CC-NDPP
- fips-and-cc-ndpp: Compliant with both FIPS and CC-NDPP
- high-security: High security (might include ciphers not compliant with FIPS or CC-NDPP)
- compatible: Improved security while maintaining backward compatibility
ssh host-key {global-only | strict}
Configures SSH host-key operations:
- global-only: Uses only the globally configured known hosts.
- strict: Sets strict host-key checking on the SSH session. With strict checking, a peer whose host key is not already known, or whose key has changed, is rejected rather than accepted, so the trusted-host data must be in place before the session is established.
ssh min-key-length bits
Sets the minimum key length for the SSH server keys.
ssh min-version version_number
Sets the minimum version of the CMC SSH protocol supported.
ssh trusted-hosts {clear-install | install | verify}
Configures SSH trusted-host operations:
- clear-install: Clears the SSH trusted-host list, then installs trusted-host data from the server.
- install: Installs SSH trusted-host data from the server.
- verify: Verifies the SSH trusted-host data with the server.
{ssh-dsa2 | ssh-rsa2} identity identity {generate | private private_key | public public_key}
Configures ssh-dsa2 or ssh-rsa2 authentication settings:
- identity identity: Edits or creates an ssh-dsa2 or ssh-rsa2 identity.
- generate: Generates an ssh-dsa2 or ssh-rsa2 keypair for the specified identity.
- private private_key: Sets an ssh-dsa2 or ssh-rsa2 private key for the specified identity.
- public public_key: Sets an ssh-dsa2 or ssh-rsa2 public key for the specified identity.
no
Removes the ssh-dsa2 or ssh-rsa2 identity.
Example The following example sets strict host-key checking on the SSH session:
hostname (config) # cmc auth ssh host-key strict
cmc cancel Description Cancels pending commands on a connected appliance or group of appliances.
Syntax cmc cancel {applianceID_string | group_name} [all]
Parameters
applianceID_string [all]
Name or ID of the appliance; includes the option to cancel all outstanding commands on the specified appliance.
group_name [all]
Name or ID of the appliance group; includes the option to cancel all outstanding commands on the specified appliance group.
Example The following example cancels all commands on the group of appliances named sysgroup.EmailMPS:
hostname (config) # cmc cancel sysgroup.EmailMPS all
cmc client To enable an appliance to connect to and be managed by the CM Series platform, use the cmc client commands in configuration mode. Appliances can request to be managed by the CM Series platform, as described in the CM Series Administration Guide. For this type of connection to work, the CM Series platform's appliance record must contain the appliance's IP address, not only its hostname. In this release, the NX Series appliance is the only appliance that can initiate a request to be added to the CM Series platform for management. The Central Management Console (CMC) is the CM Series platform component that provides basic management and control capabilities for both the server (CM Series platform) and its clients (managed appliances).
Syntax
[no] cmc client enable
[no] cmc client connection auto
cmc client connection connect [maintain]
cmc client connection disconnect
cmc client connection reconnect [maintain]
cmc client bw-limit limit kBps
[no] cmc client confirm-config
User Role Operator or Admin
Description These commands are run on an appliance being managed by the CM Series platform.
Parameters
enable
Allows the appliance to be managed by the CM Series platform. Use the no parameter to prevent the appliance from being managed.
connection auto
Specifies that the appliance should automatically attempt to connect to the CM Series platform. Use the no parameter to disable automatic attempts.
connection connect [maintain]
Specifies that the appliance should connect to the CM Series platform. The maintain parameter temporarily keeps the appliance connected until it is manually disconnected from the CM Series platform or the system is rebooted.
connection disconnect
Specifies that the client should disconnect from the CM Series platform.
connection reconnect [maintain]
Specifies that the client should reconnect to the CM Series platform. The maintain parameter temporarily keeps the appliance connected until it is manually disconnected from the CM Series platform or the system is rebooted.
bw-limit limit kBps
Sets a limit on the bandwidth (in kilobytes per second) the appliance will use to transmit to the CM Series platform if it is connected. By default, there is no limit.
confirm-config
Requires confirmation before entering configuration mode on an appliance that is under the management of a CM Series platform. When enabled, you cannot enter configuration mode until you confirm that you understand that configuration changes you make could override the CM Series settings for the appliance. Use the no parameter to disable the confirmation.
Example The following example enables a FireEye appliance to be managed by the FireEye CM Series platform.
hostname (config) # cmc client enable
cmc client server To specify the CM Series platform settings the appliance will use to initiate a request for management, use the cmc client server commands in configuration mode. In this release, the NX Series appliance is the only appliance that can initiate a request to be added to the CM Series platform for management. The Central Management Console (CMC) is the CM Series platform component that provides basic management and control capabilities for both the server (CM Series platform) and its clients (managed appliances).
Syntax
cmc client server address {hostname | ipAddress}
cmc client server remove-key
cmc client server port portNumber
no cmc client server port
cmc client server source address ipv4Address
no cmc client server source address
cmc client server source port portNumber
no cmc client server source port
[no] cmc client server source validate
cmc client server capabilities username username
User Role Operator or Admin
Description These commands are run on the appliance being managed by the CM Series platform.
Parameters
address {hostname | ipAddress}
The hostname or IPv4 or IPv6 address of the CM Series platform to connect to for management. This parameter is used in a request by an appliance to be managed by the CM Series platform.
remove-key
Removes any known host entry for the CM Series platform. This command is used only if the host key changes. Because a changed host key is also what an interposed host looks like, confirm that the CM Series platform's key really did change (for example, after a reinstall) before removing the stored entry.
port portNumber
Sets the port of the CM Series platform to connect to for management. This parameter is used in a request by an appliance to be managed by the CM Series platform. If not specified, it defaults to port 22.
no cmc client server port
Resets the port number to 22.
source address ipv4Address
Sets the IPv4 address of the CM Series platform. This parameter is used when the CM Series platform initiates the connection (as opposed to when the appliance initiates a request to be managed). If the source address is not specified (or if it is cleared with the no parameter), the main address specified by the cmc client server address command is used instead. This command does not support IPv6 addresses.
no cmc client server source address
Resets the source address to the main address specified by the cmc client server address command.
source port portNumber
Sets the source port for the CM Series platform configured in the cmc client server source address command. If the source port is not specified (or if it is cleared with the no parameter), the source port is not verified.
no cmc client server source port
Clears the source port parameter and stops the source port from being verified.
[no] source validate
Checks the originating IP address and port of the CM Series platform against the configuration (either the main address, or the source address and port). If this validation is enabled and there is no match, the connection between the CM Series platform and the appliance is broken. Use the no parameter to disable this validation.
capabilities username username
Sets the username whose credentials should be used to execute proxied requests from the CM Series platform. This pertains to the case where the appliance initiated the request to be managed. If this user is subsequently deleted or disabled, the username is reset to admin and the ability to execute proxied requests is disabled.
Example The following example sets the IP address the appliance will connect to when it requests management.
hostname (config) # cmc client server address 172.00.00.00
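The following Python model is an added example and is not FireEye code. It reproduces the source-validation decision the parameters above describe: when validation is enabled, the address the CM Series platform connects from must equal the configured source address (or the main address when no source address is set), the source port is checked only when one is configured, and a mismatch breaks the connection. The addresses and ports are constructed for the walk-through; how the appliance resolves a main address given as a hostname is not described on this page, so this model compares a hostname as text and performs no DNS lookup (an assumption).

```python
"""Model of the `cmc client server source validate` decision.

Added example, not FireEye code.  Rules taken from the parameter
descriptions: source address (IPv4 only) overrides the main address for
the check; the source port is verified only when configured; a mismatch
with validation enabled breaks the connection.  Hostname resolution is
assumed out of scope and is not performed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


def check_source_address(addr: str) -> Optional[str]:
    """Return an error message if `addr` is not usable as a source address.

    The page states the source address must be IPv4, so IPv6 is rejected
    here, as is anything that is not an IP literal.
    """
    try:
        parsed = ipaddress.ip_address(addr)
    except ValueError:
        return f"{addr!r} is not an IP address literal"
    if parsed.version != 4:
        return f"{addr!r} is IPv6; source address supports IPv4 only"
    return None


@dataclass
class ClientServerConfig:
    """The subset of `cmc client server` settings that drive the check."""
    address: str                           # cmc client server address
    source_address: Optional[str] = None   # cmc client server source address
    source_port: Optional[int] = None      # cmc client server source port
    source_validate: bool = False          # [no] cmc client server source validate

    def set_source_address(self, addr: Optional[str]) -> None:
        """`source address ipv4Address`, or its `no` form when addr is None."""
        if addr is not None:
            err = check_source_address(addr)
            if err:
                raise ValueError(err)
        self.source_address = addr

    def set_source_port(self, port: Optional[int]) -> None:
        """`source port portNumber`, or its `no` form when port is None."""
        if port is not None and not 1 <= port <= 65535:
            raise ValueError(f"port {port} out of range")
        self.source_port = port

    def expected_peer(self) -> Tuple[str, Optional[int]]:
        """Address and (optional) port the CM Series platform must connect from."""
        addr = self.source_address if self.source_address is not None else self.address
        return addr, self.source_port


def _same_address(expected: str, actual: str) -> bool:
    """Compare as IP literals when both parse (normalises IPv6 spelling);
    otherwise fall back to case-insensitive text for a hostname main address."""
    try:
        return ipaddress.ip_address(expected) == ipaddress.ip_address(actual)
    except ValueError:
        return expected.strip().lower() == actual.strip().lower()


def accept_connection(cfg: ClientServerConfig, peer_ip: str, peer_port: int) -> Tuple[bool, str]:
    """Decide whether an inbound CM Series connection from (peer_ip, peer_port)
    survives source validation.  Returns (accepted, reason)."""
    if not cfg.source_validate:
        return True, "source validation disabled"
    exp_addr, exp_port = cfg.expected_peer()
    if not _same_address(exp_addr, peer_ip):
        return False, f"peer {peer_ip} does not match configured address {exp_addr}; connection broken"
    if exp_port is not None and peer_port != exp_port:
        return False, f"peer port {peer_port} does not match source port {exp_port}; connection broken"
    return True, "peer matches configured source"


if __name__ == "__main__":
    # Constructed walk-through that mirrors the CLI sequence (addresses made up).
    cfg = ClientServerConfig(address="10.10.1.20")
    cfg.source_validate = True                           # cmc client server source validate
    print(accept_connection(cfg, "10.10.1.20", 48211))   # main address is used
    cfg.set_source_address("10.10.1.21")                 # cmc client server source address 10.10.1.21
    print(accept_connection(cfg, "10.10.1.20", 48211))   # only the source address matches now
    cfg.set_source_port(2222)                            # cmc client server source port 2222
    print(accept_connection(cfg, "10.10.1.21", 48211))   # port is verified as well
    print(accept_connection(cfg, "10.10.1.21", 2222))
```

The `no` forms are modelled by passing `None`, which is why clearing the source port silently stops port verification: that is the behaviour the parameter text describes, and it is worth remembering when auditing a configuration that has `source validate` enabled but no source port.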
cmc client server auth To configure authentication parameters used to log in to the CM Series platform for management, use the cmc client server auth commands in configuration mode. In this release, the NX Series appliance is the only appliance that can initiate a request to be added to the CM Series platform for management. The Central Management Console (CMC) is the CM Series platform component that provides basic management and control capabilities for both the server (CM Series platform) and its clients (managed appliances).
Syntax
cmc client server auth authtype {password | ssh-dsa2 | ssh-rsa2}
cmc client server auth password {username username | password password}
cmc client server auth ssh-dsa2 {username username | identity identity}
cmc client server auth ssh-rsa2 {username username | identity identity}
no cmc client server auth authtype
no cmc client server auth password {username | password}
no cmc client server auth ssh-dsa2 {username | identity}
no cmc client server auth ssh-rsa2 {username | identity}
User Role Operator or Admin
Description These commands are run on an appliance being managed by the CM Series platform.
Parameters
authtype {password | ssh-dsa2 | ssh-rsa2}
Specifies whether a password or an ssh-dsa2 or ssh-rsa2 identity should be used to connect to the CM Series platform.
password username username
Specifies the remote user to log in to the CM Series platform using password authentication.
password password password
Specifies the password to log in to the CM Series platform using password authentication. If no password is specified, the user is prompted to enter the password and then enter it again to confirm it. The entries are displayed as asterisks (*). Omitting the password from the command line and entering it at the prompt keeps it out of the terminal scrollback and any session recording.
ssh-dsa2 username username
Specifies the remote user to log in to the CM Series platform using ssh-dsa2 authentication.
ssh-dsa2 identity identity
Specifies the named identity to log in to the CM Series platform using ssh-dsa2 authentication.
ssh-rsa2 username username
Specifies the remote user to log in to the CM Series platform using ssh-rsa2 authentication.
ssh-rsa2 identity identity
Specifies the named identity to log in to the CM Series platform using ssh-rsa2 authentication.
no cmc client server auth authtype
Resets the authentication method to the default ("password").
no cmc client server auth password username
Resets the password authentication username to the default ("admin").
no cmc client server auth password password
Resets the password authentication password to the default (an empty password). Note that this leaves password authentication configured with an empty password until a new one is set.
no cmc client server auth ssh-dsa2 username
Resets the ssh-dsa2 username to the default ("admin").
no cmc client server auth ssh-dsa2 identity
Removes the ssh-dsa2 identity from the appliance.
no cmc client server auth ssh-rsa2 username
Resets the ssh-rsa2 username to the default ("admin").
no cmc client server auth ssh-rsa2 identity
Removes the ssh-rsa2 identity from the appliance.
Example The following example configures password authentication parameters.
hostname (config) # cmc client server auth authtype password
hostname (config) # cmc client server auth password username cmcadmin
hostname (config) # cmc client server auth password password w3*Rn0cx
cmc execute Executes a CLI command on a remote FireEye appliance or appliance group.
Syntax cmc execute {appliance name | group name | all} command command_text
Parameters
appliance name | group name | all
Specifies an appliance, an appliance group, or all groups of appliances.
command command_text
CLI command to be executed. A command that includes spaces must be enclosed in quotation marks.
Example The following example reboots the remote appliance "FireEye1."
hostname (config) # cmc execute appliance FireEye1 command reload
Related Commands cmc group
cmc group Defines groups of FireEye appliances to be managed by the CM Series platform.
Syntax
[no] cmc group groupName [appliance applianceName]
cmc group groupName comment comment
cmc group groupName rename newName
no cmc group groupName comment
Parameters
[no] cmc group groupName [appliance applianceName]
Adds a new group, adds an appliance to an existing group, or adds an appliance to a new group. The no parameter deletes the group or removes the appliance from the group.
groupName comment comment
Adds a comment about the specified group.
groupName rename newName
Renames the specified group.
no cmc group groupName comment
Removes the comment about the specified group.
Example The following example creates the London group, adds the nx-05 appliance to it, and notes that the group is for appliances in the UK region.
hostname (config) # cmc group London appliance nx-05
hostname (config) # cmc group London comment "UK region appliances"
cmc ha nx rename Changes the name of an NX Series High Availability (HA) pair.
Syntax cmc ha nx existingName rename newName
Parameters
existingName
The existing name.
newName
The new name.
Example The following example renames the "Acme_NXHA" pair to "Acme_NXHA_East."
cm-hostname (config) # cmc ha nx Acme_NXHA rename Acme_NXHA_East
User Role Admin or Operator
Command Mode Configuration
Release Information This command was introduced as follows: NX Series: Release 7.8.0
Related Commands For a list of related commands, see NX Series High Availability (HA) Command Family on page 117. For more information about NX Series HA, see the NX Series High Availability Guide.
cmc ha nx appliances enable-nx-ipv6 Creates an NX Series High Availability (HA) pair.
Syntax cmc ha nx pair appliances member1 member2 enable-nx-ipv6
Parameters
pair
A unique name that identifies the HA pair.
member1
The name of one appliance that will form the pair.
member2
The name of the other appliance that will form the pair.
The enable-nx-ipv6 keyword automatically enables IPv6 on the appliances, if it is not already enabled.
Example The following example creates an HA pair named "Acme_NXHA" that includes the nx-1 and nx-2 appliances.
cm-hostname (config) # cmc ha nx Acme_NXHA appliances nx-1 nx-2 enable-nx-ipv6
cm-hostname (config) # show cmc ha nx
NX-HA Acme_NXHA nx-1 nx-2
Status: OK
Comment:
Connected: yes
Software version match: yes
Configuration match: yes
GI image version match: yes
Security content version match: yes
NX health status OK: yes
System time in sync: yes
Peer id verified: yes
Hardware model match: yes
User Role Admin or Operator
Command Mode Configuration
Release Information This command was introduced as follows: NX Series: Release 7.8.0
Related Commands For a list of related commands, see NX Series High Availability (HA) Command Family on page 117. For more information about NX Series HA, see the NX Series High Availability Guide.
cmc ha nx comment Adds or removes a comment that describes an NX Series High Availability (HA) pair. You must use the CLI to add a comment. You can view the comment from the CM Series CLI or Web UI.
Syntax cmc ha nx pair comment "comment"
Parameters
pair
The name of the pair.
"comment"
A brief description of the HA pair, enclosed in double quotation marks. To delete a comment, enter "" (an empty string) as the comment.
Example The following example adds a description to the Acme_NXHA pair.
cm-hostname (config) # cmc ha nx Acme_NXHA comment "Western region NX pair"
cm-hostname (config) # show cmc ha nx
NX-HA Acme_NXHA nx-1 nx-2
Status: OK
Comment: Western region NX pair
Connected: yes
User Role Admin or Operator
Command Mode Configuration
Release Information This command was introduced as follows: NX Series: Release 7.8.0
Related Commands For a list of related commands, see NX Series High Availability (HA) Command Family on page 117. For more information about NX Series HA, see the NX Series High Availability Guide.
cmc ha nx sync config with Synchronizes the configuration settings of one member of an NX Series HA pair with the settings of the other member.
Syntax cmc ha nx pair sync targetMember config with sourceMember
Parameters
pair
The name of the HA pair.
targetMember
The name of the appliance whose settings you want to update.
sourceMember
The name of the appliance whose settings you want to keep.
Description Most configuration settings must be identical for the two NX Series appliances in an HA pair. This is because each appliance must assume the detection functions of the other appliance in the event of a failover. When there is a configuration setting mismatch, the HA pair is in a degraded state. You can choose which appliance should be updated with the other appliance's settings.
Example The following example uses the nx-1 settings to synchronize the Acme_NXHA pair. For example, if nx-1 has four NTP (Network Time Protocol) servers configured, and nx-2 has three, this command adds the fourth server to nx-2.
cm-hostname (config) # cmc ha nx Acme_NXHA sync nx-2 config with nx-1
Configuration is synced with nx-1 successfully
User Role Admin or Operator
Command Mode Configuration
Release Information This command was introduced as follows: NX Series: Release 7.8.0
Related Commands For a list of related commands, see NX Series High Availability (HA) Command Family on page 117. For more information about NX Series HA, see the NX Series High Availability Guide.
cmc mvx cluster Creates an MVX cluster with the specified name.
Syntax [no] cmc mvx cluster cluster-name
Parameters
no
Use the no form of this command to delete an existing MVX cluster.
cluster-name
The name of the MVX cluster.
Example The following example creates an MVX cluster named mvx1.
hostname (config) # cmc mvx cluster mvx1
The following example deletes an MVX cluster named mvx2.
hostname (config) # no cmc mvx cluster mvx2
User Role Admin or Operator
Command Mode Configuration
Release Information This command was introduced as follows: CM Series: Release 7.9.0
Related Commands For a list of related commands, see MVX Cluster Command Family on page 113.
cmc mvx cluster broker enable Enables or disables broker mode on a VX Series compute node enrolled in an MVX cluster.
Syntax [no] cmc mvx cluster cluster-name broker node-name enable
Parameters
no
Use the no form of this command to disable broker mode on the VX Series node.
cluster-name
The name of the MVX cluster.
node-name
The name of the VX Series node.
Example The following example enables broker mode on the node named vx1 in the MVX cluster named mvx1.
hostname (config) # cmc mvx cluster mvx1 broker vx1 enable
The following example disables broker mode on the node named vx2 in the MVX cluster named mvx2.
hostname (config) # no cmc mvx cluster mvx2 broker vx2 enable
User Role Admin or Operator
Command Mode Configuration
Release Information This command was introduced as follows: CM Series: Release 7.9.0
Related Commands For a list of related commands, see MVX Cluster Command Family on page 113.
cmc mvx cluster description Adds or removes a description for the cluster. This description can be viewed using the show cmc mvx cluster command.
Syntax cmc mvx cluster cluster-name description description
Parameters
cluster-name
The name of the MVX cluster.
description
The description text. A multi-word description must be enclosed in double quotation marks (").
Example The following example adds a single-word description to the MVX cluster mvx1:
hostname (config) # cmc mvx cluster mvx1 description production01
The following example adds a multi-word description, which must be enclosed in quotation marks:
hostname (config) # cmc mvx cluster Cluster-Acme description "This sentence will be added as a description."
User Role Admin or Operator
Command Mode Configuration
Release Information This command was introduced as follows: CM Series: Release 7.9.0
Related Commands For a list of related commands, see MVX Cluster Command Family on page 113.
cmc mvx cluster master Sets the specified node as the master config node.
Syntax cmc mvx cluster cluster-name master node node-name
Parameters
cluster-name
The name of the MVX cluster.
node-name
The name of the node to be designated master.
Example The following example sets the node node3 as the master node for the MVX cluster mvx1.
hostname (config) # cmc mvx cluster mvx1 master node node3
User Role Admin or Operator
Command Mode Configuration
Release Information This command was introduced as follows: CM Series: Release 7.9.0
Related Commands For a list of related commands, see MVX Cluster Command Family on page 113.
cmc mvx cluster node Adds or removes a node from the specified MVX cluster.
Syntax [no] cmc mvx cluster cluster-name node node-name
Parameters
no
Use the no form of this command to remove the node from the cluster.
cluster-name
The name of the MVX cluster.
node-name
The name of the VX Series node.
Example The following example adds the node vx1 to the MVX cluster mvx1.
hostname (config) # cmc mvx cluster mvx1 node vx1
The following example removes the node vx2 from the MVX cluster mvx2.
hostname (config) # no cmc mvx cluster mvx2 node vx2
User Role Admin or Operator
Command Mode Configuration
Release Information This command was introduced as follows: CM Series: Release 7.9.0
Related Commands For a list of related commands, see MVX Cluster Command Family on page 113.
cmc mvx cluster sync-config Synchronizes the MVX cluster with the master configuration.
Syntax cmc mvx cluster cluster-name sync-config
Parameters
cluster-name
The name of the MVX cluster.
Example The following example synchronizes the MVX cluster mvx1 with the master configuration.
hostname (config) # cmc mvx cluster mvx1 sync-config
User Role Admin or Operator
Command Mode Configuration
Release Information This command was introduced as follows: CM Series: Release 7.9.0
Related Commands For a list of related commands, see MVX Cluster Command Family on page 113.
cmc mvx sensor enrollment {enroll | unenroll} Enrolls an NX Series sensor in the cluster, or unenrolls it.
Syntax cmc mvx sensor enrollment {enroll | unenroll} sensorName
Parameters
sensorName
Name of the NX Series sensor to enroll in or unenroll from the cluster.
Example The following example enrolls an NX Series sensor named mvx1.
hostname (config) # cmc mvx sensor enrollment enroll mvx1
The following example unenrolls an NX Series sensor named mvx2.
hostname (config) # cmc mvx sensor enrollment unenroll mvx2
User Role Admin or Operator
Command Mode Configuration
Release Information This command was introduced as follows: CM Series: Release 7.9.0
Related Commands For a list of related commands, see MVX Cluster Command Family on page 113.
cmc mvx status cluster-sizing enable Enables the collection and display of MVX cluster utilization statistics.
Syntax [no] cmc mvx status cluster-sizing enable
Parameters
no
Use the no form of this command to disable MVX cluster sizing.
Example The following example enables MVX cluster sizing:
hostname (config) # cmc mvx status cluster-sizing enable
The following example disables MVX cluster sizing:
hostname (config) # no cmc mvx status cluster-sizing enable
User Role Admin or Operator
Command Mode Configuration
Release Information This command was introduced as follows: CM Series: Release 7.9.0
Related Commands For a list of related commands, see MVX Cluster Command Family on page 113.
cmc mvx status cluster-sizing threshold critical Configures the critical threshold of MVX cluster utilization. A critical alert is generated if utilization exceeds this value.
Syntax cmc mvx status cluster-sizing threshold critical percentage
Parameters
percentage
The critical utilization threshold percentage (20-100). The default value is 85.
Example The following example sets the MVX cluster utilization critical threshold to 75 percent:
hostname (config) # cmc mvx status cluster-sizing threshold critical 75
User Role Admin or Operator
Command Mode Configuration
Release Information This command was introduced as follows: CM Series: Release 7.9.0
Related Commands For a list of related commands, see MVX Cluster Command Family on page 113.
cmc mvx status cluster-sizing threshold warning Configures the warning threshold of MVX cluster utilization. A warning alert is generated if utilization exceeds this value.
Syntax cmc mvx status cluster-sizing threshold warning percentage
Parameters
percentage
The warning utilization threshold percentage (10-90). The default value is 60.
Example The following example sets the MVX cluster utilization warning threshold to 42 percent:
hostname (config) # cmc mvx status cluster-sizing threshold warning 42
User Role Admin or Operator
Command Mode Configuration
Release Information This command was introduced as follows: CM Series: Release 7.9.0
Related Commands For a list of related commands, see MVX Cluster Command Family on page 113.
cmc profile Creates a command profile.
Syntax [no] cmc profile name
Parameters
name
The name of the profile.
no
The no form of the command deletes the specified profile.
Example The following example creates a "password" profile that will contain commands that configure password authentication policies.
hostname (config) # cmc profile password
hostname (config) # show cmc profiles password
Profile password
Comment:
Commands: No commands.
...
Command Mode Configuration
Release Information This command was released as follows: CM Series: Before Release 6.4.0
Related Commands For a list of related commands, see CM Series Command Family on page 135
cmc profile apply appliance Applies a profile of commands to a specific managed appliance. The reset form of this command was deprecated in Release 7.8.0 and will be removed in a future release. It can have serious consequences, and should not be used.
Syntax cmc profile name apply appliance applianceName
Parameters
name
The name of the profile.
applianceName
The name of the appliance.
Example The following example applies the "acctmgt" profile to the NX-04 appliance to apply password validation policies to the appliance users.
hostname (config) # cmc profile acctmgt apply appliance NX-04
=================Appliance NX-04=============================
Execution was successful.
Execution output: Saving configuration file...Done!
Command Mode Configuration
Release Information This command was released as follows: CM Series: Before Release 6.4.0
Related Commands For a list of related commands, see CM Series Command Family on page 135
cmc profile apply appliance fail-continue Applies a profile of commands to a specific managed appliance, and allows the execution of commands to continue after one command fails. The reset form of this command was deprecated in Release 7.8.0 and will be removed in a future release. It can have serious consequences, and should not be used.
Syntax cmc profile name apply appliance applianceName fail-continue [no-save]
Parameters
name
The name of the profile.
applianceName
The name of the appliance.
no-save
Prevents the configuration changes from being written to memory.
Example The following example applies the "general" profile to the NX-01 appliance. The fail-continue option allowed the command execution to continue, even though the clock set command failed. Note that the remaining commands were applied and the configuration was saved despite the error, so check the error output of every appliance after a fail-continue run.
hostname (config) # cmc profile general apply appliance NX-01 fail-continue
=================Appliance NX-01=============================
Error code 6 (CLI command execution failure)
Error output: %NTP enabled, clock adjustment not allowed
Execution output: Saving configuration file...Done!
Command Mode Configuration
Release Information This command was released as follows: CM Series: Before Release 6.4.0
Related Commands For a list of related commands, see CM Series Command Family on page 135
cmc profile apply appliance no-save Applies a profile of commands to a specific managed appliance, and prevents the configuration changes from being written to memory after the profile is applied. The reset form of this command was deprecated in Release 7.8.0 and will be removed in a future release. It can have serious consequences, and should not be used.
Syntax cmc profile name apply appliance applianceName no-save [fail-continue]
Parameters
name
The name of the profile.
applianceName
The name of the appliance.
fail-continue
Allows the execution of commands to continue after one command fails.
Example The following example applies the "banner" profile to the FX-02 appliance and prevents the configuration changes from being written to memory.
hostname (config) # cmc profile banner apply appliance FX-02 no-save
=================Appliance FX-02=============================
Execution was successful.
Execution output: (none)
Command Mode Configuration
Release Information This command was released as follows: CM Series: Before Release 6.4.0
Related Commands For a list of related commands, see CM Series Command Family on page 135
cmc profile apply group Applies a profile of commands to a specific group of managed appliances. The reset form of this command was deprecated in Release 7.8.0 and will be removed in a future release. It can have serious consequences, and should not be used.
Syntax cmc profile name apply group groupName
Parameters
name
The name of the profile.
groupName
The name of the group.
Examples The following example applies the banner profile to the EX-West group to change login messages on all appliances in the group.
hostname (config) # cmc profile banner apply group EX-West
=================Appliance EX-04=============================
Execution was successful.
Execution output: Saving configuration file...Done!
The following example attempts to apply the "DateTimeJpn" profile to the Tokyo group, but fails because manual time and date settings are not permitted when NTP is enabled.
hostname (config) # cmc profile DateTimeJpn apply group Tokyo
=================Appliance EX-05 =============================
Error code 6 (CLI command execution failure)
Error output: %NTP enabled, clock adjustment not allowed
Execution output: (none)
User Role Admin
Command Mode Configuration
Release Information
This command was released as follows:
- CM Series: Before Release 6.4.0
Related Commands For a list of related commands, see CM Series Command Family on page 135
cmc profile apply group fail-continue
Applies a profile of commands to a specific group of managed appliances, and allows the execution of commands to continue after one command fails. The reset form of this command was deprecated in Release 7.8.0 and will be removed in a future release. It can have serious consequences, and should not be used.
Syntax
cmc profile name apply group groupName fail-continue [no-save]

Parameters
name: The name of the profile.
groupName: The name of the group.
no-save: Prevents the configuration changes from being written to memory.
Example
The following example applies the "general" profile to the NX_West group. The fail-continue option allowed the command execution to continue, even though the clock set command in the profile failed.
hostname (config) # cmc profile general apply group NX_West fail-continue
=================Appliance NX-01============================
Error code 6 (CLI command execution failure)
Error output: %NTP enabled, clock adjustment not allowed
Execution output: Saving configuration file...Done!
=================Appliance NX-02============================
Error code 6 (CLI command execution failure)
Error output: %NTP enabled, clock adjustment not allowed
Execution output: Saving configuration file...Done!
Command Mode Configuration
Release Information
This command was released as follows:
- CM Series: Before Release 6.4.0
Related Commands For a list of related commands, see CM Series Command Family on page 135
cmc profile apply group no-save
Applies a profile of commands to a specific group of managed appliances, and prevents the configuration changes from being written to memory after the profile is applied. The reset form of this command was deprecated in Release 7.8.0 and will be removed in a future release. It can have serious consequences, and should not be used.
Syntax
cmc profile name apply group groupName no-save [fail-continue]

Parameters
name: The name of the profile.
groupName: The name of the group.
fail-continue: Allows the command execution to continue after one command fails.
Example
The following example applies the "banner" profile to the FX_East appliance group and prevents the configuration changes from being written to memory.
hostname (config) # cmc profile banner apply group FX_East
=================Appliance FX-02=============================
Execution was successful.
Execution output: (none)
=================Appliance FX-03=============================
Execution was successful.
Execution output: (none)
Command Mode Configuration
Release Information
This command was released as follows:
- CM Series: Before Release 6.4.0
Related Commands For a list of related commands, see CM Series Command Family on page 135
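When a profile is pushed to a group, the CM Series platform prints one result block per appliance, and with fail-continue an appliance can report an error yet still save the rest of the profile. The following parser is an added example, not FireEye code: it reads the output format shown in the examples above and reports, per appliance, whether every command ran and whether the configuration was actually written. The sample output is constructed for this example.

```python
"""Parse the per-appliance result blocks printed by `cmc profile ... apply`.

Added example, not part of the FireEye guide. It reads the output format shown
in the guide's examples: an "=====Appliance NAME=====" banner, then either
"Execution was successful." or "Error code N (...)", then "Error output:" and
"Execution output:" lines. From that it reports, per appliance, whether every
command ran, the error text if not, and whether the running configuration was
saved (the "Saving configuration file...Done!" line is absent with no-save).
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

BANNER_RE = re.compile(r"^=+Appliance\s+(\S+?)\s*=+$")
ERROR_RE = re.compile(r"^Error code (\d+) \((.*)\)$")


@dataclass
class ApplianceResult:
    name: str
    success: bool = False
    error_code: Optional[int] = None
    error_text: str = ""
    error_output: List[str] = field(default_factory=list)
    execution_output: List[str] = field(default_factory=list)

    @property
    def saved(self) -> bool:
        """True when the appliance wrote the changes to its saved configuration."""
        return any("Saving configuration file" in line for line in self.execution_output)


def _append_output(bucket: List[str], text: str) -> None:
    # "(none)" is the CLI's placeholder for empty output; do not record it.
    text = text.strip()
    if text and text != "(none)":
        bucket.append(text)


def parse_apply_output(text: str) -> List[ApplianceResult]:
    """Split `cmc profile ... apply` output into one result per appliance banner."""
    results: List[ApplianceResult] = []
    current: Optional[ApplianceResult] = None
    section: Optional[str] = None  # which multi-line field we are inside
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        banner = BANNER_RE.match(line)
        if banner:
            current = ApplianceResult(name=banner.group(1))
            results.append(current)
            section = None
            continue
        if current is None:
            continue  # text before the first banner, e.g. the echoed command
        if line == "Execution was successful.":
            current.success = True
        elif (err := ERROR_RE.match(line)):
            current.success = False
            current.error_code = int(err.group(1))
            current.error_text = err.group(2)
        elif line.startswith("Error output:"):
            section = "error"
            _append_output(current.error_output, line[len("Error output:"):])
        elif line.startswith("Execution output:"):
            section = "exec"
            _append_output(current.execution_output, line[len("Execution output:"):])
        elif section == "error":
            _append_output(current.error_output, line)
        elif section == "exec":
            _append_output(current.execution_output, line)
    return results


def summarize(results: List[ApplianceResult]) -> Dict[str, List[str]]:
    """Group appliances for follow-up: failed, failed-but-saved (partial config), and unsaved."""
    return {
        "failed": [r.name for r in results if not r.success],
        "failed_but_saved": [r.name for r in results if not r.success and r.saved],
        "succeeded_unsaved": [r.name for r in results if r.success and not r.saved],
    }


# Constructed sample combining the two result shapes the guide shows: an
# appliance that hit the NTP error yet saved the remaining commands (fail-continue),
# and one whose run succeeded with nothing written.
SAMPLE_OUTPUT = """\
hostname (config) # cmc profile general apply group NX_West fail-continue
=================Appliance NX-01============================
Error code 6 (CLI command execution failure)
Error output: %NTP enabled, clock adjustment not allowed
Execution output: Saving configuration file...Done!
=================Appliance NX-02============================
Execution was successful.
Execution output: (none)
"""

if __name__ == "__main__":
    parsed = parse_apply_output(SAMPLE_OUTPUT)
    for r in parsed:
        status = "ok" if r.success else f"error {r.error_code}: {r.error_text}"
        print(r.name, status, "saved" if r.saved else "not saved")
    print(summarize(parsed))
```

An appliance listed under failed_but_saved has a partially applied profile persisted in its configuration, which is the case to inspect first after a fail-continue run.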
cmc profile command
Adds a command to a profile.
Syntax
cmc profile name command sequenceNumber "command"

Parameters
name: The name of the profile.
sequenceNumber: An integer that controls the order in which the commands within the profile will be executed. The command with the smallest number is executed first.
command: The CLI command. It must be enclosed in double quotation marks.
Example
The following example populates the "acctmgt" profile with commands that will add an Operator3 user account to the appliances to which the profile is applied.
hostname (config) # cmc profile acctmgt command 1 "username Operator3 role operator"
hostname (config) # cmc profile acctmgt command 2 "username Operator3 password evtk*643u"
hostname (config) # show cmc profiles acctmgt
Profile acctmgt
Comment:
Commands:
1. username Operator3 role operator
2. username Operator3 password evtk*643u
Command Mode Configuration
Release Information
This command was released as follows:
- CM Series: Before Release 6.4.0
Related Commands For a list of related commands, see CM Series Command Family on page 135
cmc profile comment
Adds a descriptive comment to a profile.
Syntax
cmc profile name comment "comment"
no cmc profile name comment

Parameters
name: The name of the profile.
comment: The comment text. It must be enclosed in double quotation marks.
no: The no form of the command removes a comment.
Example
The following example adds a comment that describes the purpose of the profile.
hostname (config) # cmc profile acctmgt comment "Adds operator user account."
hostname (config) # show cmc profiles acctmgt
Profile acctmgt
Comment: Adds operator user account.
Commands:
1. username Operator3 role operator
2. username Operator3 password evtk*643u
Command Mode Configuration
Release Information
This command was released as follows:
- CM Series: Before Release 6.4.0
Related Commands For a list of related commands, see CM Series Command Family on page 135
cmc profile copy
Copies a profile.
Syntax
cmc profile sourceProfile copy targetProfile

Parameters
sourceProfile: The name of the original profile.
targetProfile: The name of the new profile.
Example
The following example copies the "acctmgt" profile, names the new profile "acctmgtOper", and adds a second operator user account to the new profile.
hostname (config) # cmc profile acctmgt copy acctmgtOper
hostname (config) # show cmc profiles
Profile acctmgt
Comment: Adds operator user account.
Commands:
1. username Operator3 role operator
2. username Operator3 password evtk*643u
Profile acctmgtOper
Comment: Adds operator user account.
Commands:
1. username Operator3 role operator
2. username Operator3 password evtk*643u
hostname (config) # cmc profile acctmgtOper command 3 "username Operator4 role operator"
hostname (config) # cmc profile acctmgtOper command 4 "username operator4 password gers*532o"
hostname (config) # cmc profile acctmgtOper comment "Adds operator user accounts."
hostname (config) # show cmc profiles
Profile acctmgt
Comment: Adds operator user account.
Commands:
1. username Operator3 role operator
2. username Operator3 password evtk*643u
Profile acctmgtOper
Comment: Adds operator user accounts.
Commands:
1. username Operator3 role operator
2. username Operator3 password evtk*643u
3. username Operator4 role operator
4. username Operator4 password gers*532o
Command Mode Configuration
Release Information
This command was released as follows:
- CM Series: Before Release 6.4.0
Related Commands For a list of related commands, see CM Series Command Family on page 135
cmc profile extract-from
Extracts commands from the running configuration of an appliance and adds them to an empty profile. Some commands in the running configuration may be incompatible with a different product type or appliance model. Review the commands to determine if they are compatible before you apply a profile using this command.
Syntax
cmc profile name extract-from appliance applianceName

Parameters
name: The name of the empty profile.
applianceName: The name of the appliance from which to extract commands.
Example
The following example extracts commands from the running configuration of the EX-03 appliance, populates the "general" profile with them, and then applies the profile to the FX-05 appliance.
hostname (config) # cmc profile general extract-from appliance EX-03
hostname (config) # cmc profile general apply appliance FX-05
=======================Appliance FX-05=======================
Execution was successful.
Execution output: Saving configuration file...Done!
Command Mode Configuration
Release Information
This command was released as follows:
- CM Series: Before Release 6.4.0
Related Commands For a list of related commands, see CM Series Command Family on page 135
cmc profile rename
Renames a profile.
Syntax
cmc profile name rename newName

Parameters
name: The existing profile name.
newName: The new profile name.
Example
The following example renames the "banner" profile to "loginBanner."
hostname (config) # cmc profile banner rename loginBanner
Command Mode Configuration
Release Information
This command was released as follows:
- CM Series: Before Release 6.4.0
Related Commands For a list of related commands, see CM Series Command Family on page 135
cmc rendezvous client
To enable an appliance to send a request to the CM Series platform for management, use the cmc rendezvous client commands in configuration mode. The rendezvous process requires configuration on both the requesting appliance and the CM Series platform. See cmc rendezvous server on page 396 and cmc rendezvous service-name on page 399 for additional commands.

In this release, the NX Series and EX Series appliances are the only appliances that can initiate a request to be added to the CM Series platform for management.

The Central Management Console (CMC) is the CM Series platform component that provides basic management and control capabilities for both the server (CM Series platform) and its clients (managed appliances).
Syntax
cmc rendezvous client server-addr {hostname | ipAddress}
[no] cmc rendezvous client auto
cmc rendezvous client auto {initial-delay seconds | interval-short seconds | interval-long seconds}
cmc rendezvous client force
cmc rendezvous client auth authtype {password | ssh-dsa2 | ssh-rsa2}
cmc rendezvous client auth password password [password]
[no] cmc rendezvous client enable-client-init
[no] cmc rendezvous client send-client-address
no cmc rendezvous client server-addr
no cmc rendezvous client auth authtype
no cmc rendezvous client auth password password
User Role Operator or Admin
Description These commands are run on the appliance requesting management.
Parameters
server-addr {hostname | ipAddress}: Specifies the hostname or IPv4 or IPv6 address of the CM Series platform with which the appliance will attempt rendezvous.
auto: Enables automatic rendezvous attempts from the appliance requesting management. Use the no parameter to disable automatic rendezvous attempts, which is the default setting.
auto initial-delay seconds: Configures the number of seconds the appliance will wait before the initial rendezvous attempt after it is rebooted or disconnected. The default is 30 seconds.
auto interval-short seconds: Configures the number of seconds the appliance will wait to reattempt rendezvous after an automatic rendezvous attempt fails for a transitory reason, with the expectation that the next attempt will succeed. The default is 300 seconds (five minutes).
auto interval-long seconds: Configures the number of seconds the appliance will wait to reattempt rendezvous after an event such as the CM Series platform losing the appliance information. The default is 86400 seconds (one day).
force: Forces the appliance to attempt discovery and rendezvous with the CM Series platform now, regardless of whether automatic rendezvous attempts are enabled or how much time has elapsed since the last attempt. If the attempt fails, the appliance will not automatically reattempt rendezvous. This command has no effect if the appliance is not enabled for management.
auth authtype {password | ssh-dsa2 | ssh-rsa2}: Specifies whether a password or an ssh-dsa2 or ssh-rsa2 identity should be used for the appliance to log into the CM Series platform to announce itself and attempt rendezvous. The "cmcrendv" system user is the username for all authentication types. The ssh-dsa2 and ssh-rsa2 identities must be configured on that user account. If rendezvous attempts fail because your system has an expired host key for the CM Series platform, use the ssh client user cmcrendv known-host {hostname | ipAddress} command to remove it.
auth password password password: Specifies the password used to attempt rendezvous using password authentication. If no password is specified, the user will be prompted to enter the password and then enter it again to confirm it. The entries will be displayed as asterisks (*).
enable-client-init: Uses the configuration set by the cmc client server commands, which includes the CM Series platform IP address, management port, and authentication information. Use the no parameter to use the configuration set with the cmc rendezvous client server-addr command. This setting is enabled by default. FireEye recommends that you not change it for appliance-initiated requests for management.
send-client-address: Uses the local IP address of the appliance requesting management to perform rendezvous. This setting is enabled by default. Use the no parameter to prevent the local address from being part of the rendezvous request; the IP address will instead be decoded on the CM Series platform using SSH parameters. This is needed when the appliance is behind a NAT gateway, where a virtual NAT gateway IP address will become the appliance's IP address.
no cmc rendezvous client server-addr: Resets the CM Series platform address to the default ("cmc").
no cmc rendezvous client auth authtype: Resets the authentication type to the default ("password").
no cmc rendezvous client auth password password: Clears the configured password for password authentication.
Example
In this example, automatic rendezvous attempts are enabled, and the local appliance IP address will be excluded from the rendezvous request because the appliance is behind a NAT gateway.
hostname (config) # cmc rendezvous client auto
hostname (config) # no cmc rendezvous client send-client-address
cmc rendezvous server
To enable the CM Series platform to discover requests from appliances for management, use the cmc rendezvous server commands in configuration mode. The rendezvous process requires configuration on both the CM Series platform and the requesting appliance. See cmc rendezvous client on page 393 and cmc rendezvous service-name on page 399 for additional commands.

In this release, the NX Series and EX Series appliances are the only appliances that can request management by the CM Series platform through the rendezvous process.

The Central Management Console (CMC) is the CM Series platform component that provides basic management and control capabilities for both the server (CM Series platform) and its clients (managed appliances).
Syntax
[no] cmc rendezvous server enable
[no] cmc rendezvous server auto-accept
[no] cmc rendezvous server accept client ipAddress
[no] cmc rendezvous server accept all
cmc rendezvous server auth default authtype {password | ssh-dsa2 | ssh-rsa2}
cmc rendezvous server auth default password {username username | password password}
cmc rendezvous server auth default ssh-dsa2 {username username | identity identityName}
cmc rendezvous server auth default ssh-rsa2 {username username | identity identityName}
no cmc rendezvous server auth default authtype
no cmc rendezvous server auth default password {username | password}
no cmc rendezvous server auth default ssh-dsa2 {username | identity}
no cmc rendezvous server auth default ssh-rsa2 {username | identity}
User Role Operator or Admin
Parameters
enable: Enables the CM Series platform to accept rendezvous attempts by appliances, which is the default setting. Use the no parameter to prevent the attempts from being accepted.
auto-accept: Enables the CM Series platform to automatically accept rendezvous attempts by appliances. (If this setting is enabled, the appliances must still log in to the CM Series platform before they can be added to the list of pending requests.) Use the no parameter to disable this feature, which is the default setting. If it is disabled, the CM Series administrator must accept each request individually.
accept client ipAddress: Accepts the request by the appliance with the specified IPv4 or IPv6 address. Use the no parameter to reject the request.
accept all: Accepts the requests by all appliances in the list of pending requests. Use the no parameter to reject all requests.
auth default authtype {password | ssh-dsa2 | ssh-rsa2}: Specifies whether a password or an ssh-dsa2 or ssh-rsa2 identity should be used to log in to appliances that attempt rendezvous.
auth default password username username: Specifies the remote user to log in to the appliance using password authentication.
auth default password password password: Specifies the password to log in to the appliance using password authentication. If no password is specified, the user will be prompted to enter the password and then enter it again to confirm it. The entries will be displayed as asterisks (*).
auth default ssh-dsa2 username username: Specifies the remote user to log in to the appliance using ssh-dsa2 authentication.
auth default ssh-dsa2 identity identityName: Specifies the named identity to log in to the appliance using ssh-dsa2 authentication.
auth default ssh-rsa2 username username: Specifies the remote user to log in to the appliance using ssh-rsa2 authentication.
auth default ssh-rsa2 identity identityName: Specifies the named identity to log in to the appliance using ssh-rsa2 authentication.
no cmc rendezvous server auth default authtype: Resets the authentication method to the default ("password").
no cmc rendezvous server auth default password username: Resets the password authentication username to the default ("admin").
no cmc rendezvous server auth default password password: Resets the password authentication password to the default (an empty password).
no cmc rendezvous server auth default ssh-dsa2 username: Resets the ssh-dsa2 username to the default ("admin").
no cmc rendezvous server auth default ssh-dsa2 identity: Removes the ssh-dsa2 identity from the appliance.
no cmc rendezvous server auth default ssh-rsa2 username: Resets the ssh-rsa2 username to the default ("admin").
no cmc rendezvous server auth default ssh-rsa2 identity: Removes the ssh-rsa2 identity from the appliance.
Example
In this example, the request from the nx-02 appliance is accepted and the request from the nx-04 appliance is rejected.
hostname (config) # show cmc rendezvous
CMC rendezvous service name: cmc
CMC server:
Server rendezvous enabled: yes
Auto-accept enabled: no
Clients waiting approval:
nx-02 (172.14.10.00)
nx-04 (172.14.20.00)
...
hostname (config) # cmc rendezvous server accept client nx-02
hostname (config) # no cmc rendezvous server accept client nx-04
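Because accepting a rendezvous request enrols an appliance under the platform's management, the decision benefits from a check of the pending list before any accept command is issued. The following audit is an added example, not FireEye code: it parses the `show cmc rendezvous` fields printed above and flags auto-accept being enabled and pending clients outside the networks where managed appliances are expected. The expected-network list, hostnames and addresses are this example's own constructed assumptions.

```python
"""Audit the `show cmc rendezvous` status before accepting pending appliances.

Added example, not part of the FireEye guide. It parses the status fields the
guide's example prints (service name, server rendezvous enabled, auto-accept
enabled, clients waiting approval) and returns findings a CM administrator
would want before running `cmc rendezvous server accept`: auto-accept switched
on, and pending clients whose address falls outside the networks where managed
appliances are expected. The list of expected networks is this example's own
assumption, not a FireEye setting.
"""
import ipaddress
import re
from typing import Dict, List

# "nx-02 (172.14.10.2)" style entries, one or more per line.
PAIR_RE = re.compile(r"(\S+)\s+\(([^)]+)\)")


def _yes(value: str) -> bool:
    return value.strip().lower() == "yes"


def parse_show_rendezvous(text: str) -> Dict[str, object]:
    """Extract the fields of `show cmc rendezvous` into a plain dict."""
    state: Dict[str, object] = {
        "service_name": None,
        "server_enabled": None,
        "auto_accept": None,
        "pending": [],  # list of (client name, address) tuples
    }
    in_pending = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "...":
            continue
        if line.startswith("CMC rendezvous service name:"):
            state["service_name"] = line.split(":", 1)[1].strip()
        elif line.startswith("Server rendezvous enabled:"):
            state["server_enabled"] = _yes(line.split(":", 1)[1])
        elif line.startswith("Auto-accept enabled:"):
            state["auto_accept"] = _yes(line.split(":", 1)[1])
        elif line.startswith("Clients waiting approval:"):
            in_pending = True
            # Entries may follow the colon on the same line or on later lines.
            state["pending"].extend(PAIR_RE.findall(line.split(":", 1)[1]))
        elif in_pending:
            pairs = PAIR_RE.findall(line)
            if pairs:
                state["pending"].extend(pairs)
            else:
                in_pending = False  # a line with no entries ends the pending list
    return state


def audit_rendezvous(state: Dict[str, object], expected_networks: List[str]) -> List[str]:
    """Return human-readable findings; an empty list means nothing to flag."""
    findings: List[str] = []
    if state["auto_accept"]:
        findings.append("auto-accept is enabled: requests are accepted without per-request review")
    nets = [ipaddress.ip_network(n) for n in expected_networks]
    for name, addr in state["pending"]:
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append(f"{name}: address {addr!r} is not a valid IP address")
            continue
        if not any(ip in net for net in nets):
            findings.append(f"{name} ({addr}): address is outside the expected appliance networks")
    return findings


# Constructed sample in the format of the `show cmc rendezvous` output above;
# hostnames and addresses are invented for this example.
SAMPLE_STATUS = """\
CMC rendezvous service name: cmc
CMC server:
Server rendezvous enabled: yes
Auto-accept enabled: no
Clients waiting approval:
nx-02 (172.14.10.2)
nx-04 (10.99.0.4)
...
"""

if __name__ == "__main__":
    status = parse_show_rendezvous(SAMPLE_STATUS)
    for finding in audit_rendezvous(status, ["172.14.0.0/16"]):
        print("FINDING:", finding)
```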
cmc rendezvous service-name
An appliance (for example, an NX Series) administrator can send a request to add the appliance to the CM Series platform for management. A rendezvous process enables the appliance to attempt the request and allows the CM Series administrator to see the list of pending requests. The rendezvous process has an identifier (known as service name) that is set to "cmc" by default. To change the service name, use the cmc rendezvous service-name command in configuration mode.

In this release, the NX Series and EX Series appliances are the only appliances that can initiate a request to be added to the CM Series platform for management.

The Central Management Console (CMC) is the CM Series platform component that provides basic management and control capabilities for both the server (CM Series platform) and its clients (managed appliances).

This command can be run on both the CM Series platform and its managed appliances. The CM Series platform and the appliances must have the same service name; if you change the service name on one, you must change it on the others as well. For more information about sending a management request from an appliance, see the CM Series Administration Guide.
Syntax [no] cmc rendezvous service-name hostname
Parameters
hostname: The service name.
no: Resets the service name to the default ("cmc").
User Role Operator or Admin
cmc server
Description
Enables the CM Series server and allows you to change command execution settings for remote FireEye appliances.
Syntax
cmc server bw-limit per-appliance limit kbytes/second
cmc server client-requests {enable | username {name | admin | cmcclient | cmcrendv | hacluster | monitor}}
[no] cmc server enable
cmc server execution timeout average milliseconds
Parameters
bw-limit per-appliance limit kbytes/second: Configures bandwidth limiting options.
client-requests {enable | username {name | admin | cmcclient | cmcrendv | hacluster | monitor}}: Configures CMC server handling of requests from clients; username sets the account of the user whose credentials are used to execute requests from clients.
server enable: Enables CMC server functionality and the handling of requests from clients. Use the no parameter to disable them.
execution timeout average milliseconds: Average number of milliseconds allowed for each command to be executed on a FireEye appliance (default is one hour).
Examples
The following example enables the CM Series server.
hostname (config)# cmc server enable

The following example configures client requests from the HA cluster.
hostname(config)# cmc server client-requests hacluster
hostname(config)# cmc server client-requests enable
cmc status
Description
Specifies how the remote FireEye appliances are monitored by a CM Series appliance.
Syntax
cmc status check-interval seconds
cmc status criteria {alive | cpu_util | disk_space | paging} enable
cmc status enable
cmc status force-check
cmc status timeout seconds
Parameters
status check-interval seconds: Number of seconds between status checks of each managed FireEye appliance (default is 60).
[no] status criteria {alive | cpu_util | disk_space | paging} enable: Enables status checks for appliance operation, CPU utilization, available disk space, or paging of data in and out of memory (all are enabled by default). Use the no parameter to disable these status checks.
[no] status enable: Enables periodic status checks of each managed FireEye appliance (enabled by default). Use the no parameter to disable them.
status force-check: Initiates a status check of each managed FireEye appliance.
status timeout seconds: Sets the length of the timeout on appliance responses in seconds.
Example
The following example initiates a status check of all managed appliances.
hostname (config) # cmc status force-check
cms feature peer-service enable
Enables CM Peer Service on each of the participating CM Series platforms. When you disable the CM Peer Service on a CM Series platform, it can no longer interact with other CM peers. CM Peer Service is enabled by default. The difference between this command and the cms peer-service enable command is that you cannot make configuration changes to the Peer Service when the CM Peer Service is disabled.
Syntax [no] cms feature peer-service enable
Parameters
no: Use the no form of this command to disable CM Peer Service.
Example
The following example enables CM Peer Service.
hostname (config) # cms feature peer-service enable
User Role Administrator
Command Mode Configuration
Release Information
This command was introduced as follows:
- CM Series: Release 7.8
Related Commands For a list of related commands, see CM Peer Service Command Family on page 70.
cms peer delete
Deletes a CM peer from the Peer Service relationship (not from the network). All configuration information and data associated with that peer will be removed, including the IP address and peer name. The CM peer is no longer connected to the Peer Service. If you delete a CM peer and later want to reconnect to it or add it back, you must import its existing token again. For information about how to import a token for an existing CM peer, refer to the CM Series Administration Guide.
Syntax cms peer delete
Parameters None
Example
The following example deletes a specified CM peer.
hostname (config) # cms peer IE-CM4400 delete
User Role Administrator
Command Mode Configuration
Release Information
This command was introduced as follows:
- CM Series: Release 7.8
Related Commands For a list of related commands, see CM Peer Service Command Family on page 70.
cms peer enable
Enables the CM Peer Distributed Correlation and CM Peer Signature Sharing features of the CM Peer Service on each CM peer. When you enable a CM peer, all the features are enabled. When you disable the CM Peer Service, CM peers can no longer interact with your CM Series platform. However, you can enable or disable access to the CM Peer Distributed Correlation and CM Peer Signature Sharing features individually on each CM peer. For details about all the CM Peer Service features, refer to the CM Series Administration Guide.
Syntax [no] cms peer enable
Parameters no
Use the no form of this command to disable all the CM Peer Service features on a CM peer.
Example
The following example enables all the CM Peer Service features on a specified CM peer.
hostname (config) # cms peer IE-CM4400 enable
User Role Administrator
Command Mode Configuration
Release Information
This command was introduced as follows:
- CM Series: Release 7.8
Related Commands For a list of related commands, see CM Peer Service Command Family on page 70.
cms peer interaction dist-correlation enable
Enables the CM Peer Distributed Correlation feature on each CM peer. CM Peer Distributed Correlation matches events detected by an appliance with events that are received from a CM peer in another network. CM Peer Distributed Correlation allows two CM Series networks to share information. Information about a malicious URL found in one CM Series network is shared with other CM Series networks.

A typical correlation matches malicious URL events detected by the NX Series appliance with email events detected by the EX Series appliance. URL events and email events are linked to each other in the Web UI after they have been matched. For example, when a malicious URL is detected by the NX Series appliance, the URL is correlated by the CM Series platform with the originating email on the EX Series appliance. For details about NX Series and EX Series event correlation, refer to the CM Series Administration Guide.
Syntax [no] cms peer interaction dist-correlation enable
Parameters no
Use the no form of this command to disable the CM Peer Distributed Correlation feature on a CM peer.
Example
The following example enables CM Peer Distributed Correlation on a specified CM peer.
hostname (config) # cms peer IE-CM4400 interaction dist-correlation enable
User Role Administrator
Command Mode Configuration
Release Information
This command was introduced as follows:
- CM Series: Release 7.8
Related Commands For a list of related commands, see CM Peer Service Command Family on page 70.
cms peer interaction dti enable
Allows CM peers to share locally generated signatures with remote CM peers using the CM Peer Service. When CM Peer Signature Sharing is disabled, local and remote peers do not share locally generated signatures. For information about the CM Peer Signature Sharing feature, refer to the CM Series Administration Guide.
Syntax [no] cms peer interaction dti enable
Parameters no
Use the no form of this command to disable DTI interaction with a CM peer for CM Peer Signature Sharing.
Example
The following example generates a key file to enable DTI interaction between CM peers to share locally generated signatures with remote CM peers.
hostname (config) # cms peer IE-CM4400 interaction dti enable
User Role Administrator
Command Mode Configuration
Release Information
This command was introduced as follows:
- CM Series: Release 7.8
Related Commands For a list of related commands, see CM Peer Service Command Family on page 70.
cms peer interaction dti proxy mode no-proxy
Prevents a CM peer from using a proxy server to connect to other remote CM peers. By default, a CM peer does not use a proxy server to connect to other remote peers.
Syntax cms peer interaction dti proxy mode no-proxy
Parameters None
Example
The following example prevents a CM peer from using any proxy server to connect to other remote CM peers for DTI interaction.
hostname (config) # cms peer IE-CM4400 interaction dti proxy mode no-proxy
User Role Administrator
Command Mode Configuration
Release Information
This command was introduced as follows:
- CM Series: Release 7.8
Related Commands For a list of related commands, see CM Peer Service Command Family on page 70.
cms peer interaction dti proxy mode use-fenet
Allows a CM peer to use a proxy server to connect to other remote CM peers. If you allow a CM peer to use a proxy server, the proxy settings will be the same as those configured for DTI interaction to connect to other remote CM peers.
Syntax cms peer interaction dti proxy mode use-fenet
Parameters None
Example
The following example allows a CM peer to use the same proxy server settings that are configured for DTI interaction to connect to other remote peers.
hostname (config) # cms peer IE-CM4400 interaction dti proxy mode use-fenet
User Role Administrator
Command Mode Configuration
Release Information
This command was introduced as follows:
- CM Series: Release 7.8
Related Commands For a list of related commands, see CM Peer Service Command Family on page 70.
cms peer-service auth-token export
Exports an existing authentication token from a CM peer. Use the cms peer-service auth-token export command when you want to use an existing token with another CM peer but do not want to generate a new token. When a token is exported, it is displayed. You can copy the existing token and send it to the administrator of a CM peer.
Syntax cms peer-service auth-token export
Parameters None
Example
The following example shows partial output on how to export an existing token.
hostname (config) # cms peer-service auth-token export
AUTH-TOKEN = "PD94bWwg.........."
AUTH-TOKEN CHECKSUM = "234b19a369887ef5b0bbfd269c477704"
. . .
User Role Administrator
Command Mode Configuration
Release Information
This command was introduced as follows:
- CM Series: Release 7.8
Related Commands For a list of related commands, see CM Peer Service Command Family on page 70.
cms peer-service auth-token generate
Generates a new authentication token for CM peers for peer service setup. This command will overwrite the existing token. After the token is generated, it can be reused for the token exchange with all other peers. FireEye recommends that you reuse the same token for each exchange. If you generate a new token for that CM peer, it must be reimported on all the other participating CM peers to resume CM Peer Service functionality.

If you change the hostname or IP address of any CM peer, you must generate a new token for that CM peer and import it on all the peers of that CM Series network.
Syntax cms peer-service auth-token generate
Parameters None
Example The following example shows partial output on how to generate a new token for a CM peer. hostname (config) # cms peer-service auth-token generate
AUTH-TOKEN = "PD94bWwg.........."
AUTH-TOKEN CHECKSUM = "360a37cc532b9e2e75b674eb3b5fe2e0" . . .
User Role Administrator
Command Mode Configuration
Release Information This command was introduced as follows:
CM Series: Release 7.8
Related Commands For a list of related commands, see CM Peer Service Command Family on page 70.
cms peer-service auth-token import Imports an authentication token for peer setup. For the CM peers to interact, each peer that wants to participate in the CM Peer Service must import the unique authentication token from the other CM peers. When a peer's authentication token is imported, the peer is approved for CM Peer Service (and associated features) with your CM Series platform. Importing a token is similar to creating an account. Therefore, the token must be from a trusted source that is authenticated with a secure out-of-band mechanism. For example, if the token is sent in a signed email, the sender of the email can be validated to be the administrator of the originating CM peer. If you change the hostname or IP address of any CM peer, you must generate a new token for that CM peer and import it on all the peers of that CM Series network. After you import a token, a CM peer is able to interact with the CM Peer Service on your CM Series platform. The hostname of the peer is automatically used as the name of the peer, and the IP address is determined by the value of the token. All CM peers must have unique IP addresses and hostnames. When you import a token, the CM peer itself is disabled by default, while its features are enabled by default.
Syntax cms peer-service auth-token import
Parameters
Authentication token to import from the specified CM peer.
Example The following example shows how to import a new token from the specified CM peer. hostname (config) # cms peer-service auth-token import PD94bWwg
User Role Administrator
Command Mode Configuration
Release Information This command was introduced as follows:
CM Series: Release 7.8
Related Commands For a list of related commands, see CM Peer Service Command Family on page 70.
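The guide requires that a token be verified through a trusted, out-of-band channel before it is imported. As an added example, not FireEye's code, the following Python script parses the pasted output of cms peer-service auth-token export, checks that the token is well-formed base64 that decodes to an XML document (an assumption based on the PD94bWwg prefix shown above), and compares the pasted checksum with the value the originating administrator confirmed over a separate channel. The checksum algorithm is not documented here, so the script compares values rather than recomputing one; the sample export output is constructed.

```python
import base64
import binascii
import hmac
import re
from dataclasses import dataclass

# Constructed stand-in for a real token: a genuine one is much longer, but it
# shares the "PD94bWwg" prefix shown in the guide, which is base64 for '<?xml '
# (assumption: the exported token is a base64-encoded XML document).
_FAKE_TOKEN = base64.b64encode(b'<?xml version="1.0"?><peer-token/>').decode()

# Constructed sample of what the sending administrator pastes from
# `cms peer-service auth-token export`.
SAMPLE_EXPORT = f'''
hostname (config) # cms peer-service auth-token export
AUTH-TOKEN = "{_FAKE_TOKEN}"
AUTH-TOKEN CHECKSUM = "234b19a369887ef5b0bbfd269c477704"
'''

# Matches both the AUTH-TOKEN line and the AUTH-TOKEN CHECKSUM line.
LINE_RE = re.compile(r'^\s*AUTH-TOKEN(?P<kind> CHECKSUM)?\s*=\s*"(?P<value>[^"]*)"\s*$')


@dataclass
class PeerToken:
    token: str
    checksum: str


def parse_export(text: str) -> PeerToken:
    """Pull the token and its checksum out of pasted export output."""
    found = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            found['checksum' if m.group('kind') else 'token'] = m.group('value')
    missing = {'token', 'checksum'} - found.keys()
    if missing:
        raise ValueError(f"export output is missing: {sorted(missing)}")
    return PeerToken(found['token'], found['checksum'])


def token_is_well_formed(token: str) -> bool:
    """Reject truncated pastes (the guide's own example shows 'PD94bWwg..........')
    and anything that is not base64 decoding to an XML document."""
    if '.' in token:
        return False
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return False
    return raw.startswith(b'<?xml')


def checksum_matches(parsed: PeerToken, confirmed_out_of_band: str) -> bool:
    """Compare the pasted checksum with the one the sender read out over a
    separate, authenticated channel (constant-time, case-insensitive)."""
    if not re.fullmatch(r'[0-9a-fA-F]{32}', parsed.checksum):
        return False
    return hmac.compare_digest(parsed.checksum.lower(),
                               confirmed_out_of_band.strip().lower())


def ready_to_import(text: str, confirmed_out_of_band: str) -> bool:
    """True only when the token parses, looks genuine, and the checksums agree."""
    parsed = parse_export(text)
    return token_is_well_formed(parsed.token) and checksum_matches(parsed, confirmed_out_of_band)


if __name__ == '__main__':
    ok = ready_to_import(SAMPLE_EXPORT, "234b19a369887ef5b0bbfd269c477704")
    print("safe to run 'cms peer-service auth-token import':", ok)
```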
cms peer-service enable Enables CM Peer Service on each of the participating CM Series platforms. When you disable the CM Peer Service on a CM Series platform, it can no longer interact with other CM peers. CM Peer Service is enabled by default. The difference between this command and the cms feature peer-service enable command is that you can make configuration changes to the Peer Service when the CM Peer Service is disabled.
Syntax [no] cms peer-service enable
Parameters no
Use the no form of this command to disable CM Peer Service.
Example The following example enables CM Peer Service. hostname (config) # cms peer-service enable
User Role Administrator
Command Mode Configuration
Release Information This command was introduced as follows:
CM Series: Release 7.8
Related Commands For a list of related commands, see CM Peer Service Command Family on page 70.
compliance apply standard To specify a standard with which to comply, use the compliance apply standard command in configuration mode.
Syntax compliance apply standard {fips | cc-ndpp | all}
Parameters fips Brings the system into compliance with the Federal Information Processing Standards (FIPS). cc-ndpp Brings the system into compliance with the Common Criteria Network Device Protection Profile (CC-NDPP). all Brings the system into compliance with all supported standards.
Example The following example brings the system into compliance with all supported standards: hostname (config) # compliance apply standard all
User Role Administrator
Release Information Command introduced in Release 7.6.0.
Related Commands For a list of related commands, see: Compliance Commands on page 74
compliance declassify zeroize To overwrite all passwords, keys, and non-active configuration files with zeros, use the compliance declassify zeroize command in configuration mode. This action cannot be undone.
Syntax compliance declassify zeroize
Parameters None
Example The following example overwrites all passwords, keys, and non-active configuration files with zeros: hostname (config) # compliance declassify zeroize
User Role Administrator
Release Information Command introduced in Release 7.6.0.
Related Commands For a list of related commands, see: Compliance Commands on page 74
compliance options fips-mode-crypto enable Enables the Federal Information Processing Standards (FIPS) mode for cryptographic functions.
Syntax [no] compliance options fips-mode-crypto enable
Parameters no
Use the no form of this command to remove the configuration options currently set.
Example The following example enables the FIPS mode for cryptographic functions: hostname (config) # compliance options fips-mode-crypto enable
User Role Administrator
Command Mode Configuration
Release Information This command was introduced in Release 7.6.0.
Related Commands For a list of related commands, see: Compliance Commands on page 74
compliance options ftp-file-transfer enable Enables FTP/TFTP transfers.
Syntax [no] compliance options ftp-file-transfer enable
Parameters no
Use the no form of this command to remove the configuration options currently set.
Example The following example enables FTP/TFTP transfers: hostname (config) # compliance options ftp-file-transfer enable
User Role Administrator
Command Mode Configuration
Release Information Command introduced in Release 7.6.0.
Related Commands For a list of related commands, see: Compliance Commands on page 74
compliance options http-file-transfer enable Enables HTTP file transfers.
Syntax [no] compliance options http-file-transfer enable
Parameters no
Use the no form of this command to remove the configuration options currently set.
Example The following example enables HTTP file transfers: hostname (config) # compliance options http-file-transfer enable
User Role Administrator
Command Mode Configuration
Release Information Command introduced in Release 7.6.0.
Related Commands For a list of related commands, see: Compliance Commands on page 74
compliance options manual-key-entry enable Enables manual key configuration on the physical console.
Syntax [no] compliance options manual-key-entry enable
Parameters no
Use the no form of this command to remove the configuration options currently set.
Example The following example enables manual key configuration on the physical console: hostname (config) # compliance options manual-key-entry enable
User Role Administrator
Command Mode Configuration
Release Information Command introduced in Release 7.6.0.
Related Commands For a list of related commands, see: Compliance Commands on page 74
compliance options restricted-license enable Enables the restricted command license.
Syntax [no] compliance options restricted-license enable
Parameters no
Use the no form of this command to remove the configuration options currently set.
Example The following example enables the restricted command license: hostname (config) # compliance options restricted-license enable
User Role Administrator
Command Mode Configuration
Release Information Command introduced in Release 7.6.0.
Related Commands For a list of related commands, see: Compliance Commands on page 74
compliance options secure-channel-logs enable Enables the secure channel logs.
Syntax [no] compliance options secure-channel-logs enable
Parameters no
Use the no form of this command to remove the configuration options currently set.
Example This example enables the secure channel logs: hostname (config) # compliance options secure-channel-logs enable
User Role Administrator
Command Mode Configuration
Release Information Command introduced in Release 7.6.0.
Related Commands For a list of related commands, see: Compliance Commands on page 74
compliance options snmp-crypto-limit enable Enables limits on cryptographic algorithms used by SNMP.
Syntax [no] compliance options snmp-crypto-limit enable
Parameters no
Use the no form of this command to remove the configuration options currently set.
Example The following example enables limits on cryptographic algorithms used by SNMP: hostname (config) # compliance options snmp-crypto-limit enable
User Role Administrator
Command Mode Configuration
Release Information Command introduced in Release 7.6.0.
Related Commands For a list of related commands, see: Compliance Commands on page 74
compliance options user-key-access enable Enables user access to SSH keys and debugging data.
Syntax [no] compliance options user-key-access enable
Parameters no
Use the no form of this command to remove the configuration options currently set.
Example The following example enables user access to SSH keys and debugging data: hostname (config) # compliance options user-key-access enable
User Role Administrator
Command Mode Configuration
Release Information Command introduced in Release 7.6.0.
Related Commands For a list of related commands, see: Compliance Commands on page 74
compliance options webui enable Makes the Settings: Compliance page visible in the Web UI.
Syntax [no] compliance options webui enable
Parameters no
Use the no form of this command to remove the configuration options currently set.
Example The following example makes the Settings: Compliance page visible in the Web UI: hostname (config) # compliance options webui enable
User Role Administrator
Command Mode Configuration
Release Information Command introduced in Release 7.6.0.
Related Commands For a list of related commands, see: Compliance Commands on page 74
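The compliance options above are individual toggles, so a reviewer usually wants to check them as a set. As an added example, not FireEye's code, the following Python script parses CLI-style lines such as compliance options ftp-file-transfer enable and their no forms from a text-based configuration, then reports every option that deviates from an example hardened-posture policy. The policy (which options a FIPS or CC-NDPP deployment should have on or off) and the line format are assumptions, and the configuration text is constructed.

```python
import re
from typing import Dict, List

# Constructed text-based configuration, written in the same CLI form the
# guide's examples use; a leading `no` disables the option. (Assumed format.)
SAMPLE_CONFIG = """
compliance apply standard fips
compliance options fips-mode-crypto enable
compliance options ftp-file-transfer enable
no compliance options http-file-transfer enable
compliance options manual-key-entry enable
no compliance options secure-channel-logs enable
compliance options snmp-crypto-limit enable
compliance options user-key-access enable
compliance options webui enable
"""

OPTION_RE = re.compile(r'^(?P<neg>no\s+)?compliance options (?P<name>[a-z-]+) enable\s*$')
STANDARD_RE = re.compile(r'^compliance apply standard (?P<std>fips|cc-ndpp|all)\s*$')

# Example policy for a FIPS / CC-NDPP deployment (an assumption, not from the
# guide): cleartext transfer paths and key exposure off, crypto limits and
# secure-channel logging on. Options not listed here are left to local policy.
EXPECTED: Dict[str, bool] = {
    'fips-mode-crypto': True,
    'ftp-file-transfer': False,     # FTP/TFTP move files in cleartext
    'http-file-transfer': False,    # plain HTTP transfers likewise
    'secure-channel-logs': True,    # needed to audit the secure channels
    'snmp-crypto-limit': True,      # restrict SNMP to approved algorithms
    'user-key-access': False,       # no user access to SSH keys / debug data
}


def parse_options(text: str) -> Dict[str, bool]:
    """Map each compliance option seen to True (enabled) or False (no form).
    A later line for the same option overrides an earlier one, as in a CLI replay."""
    state: Dict[str, bool] = {}
    for line in text.splitlines():
        m = OPTION_RE.match(line.strip())
        if m:
            state[m.group('name')] = m.group('neg') is None
    return state


def applied_standards(text: str) -> List[str]:
    """Standards selected with `compliance apply standard`, in file order."""
    matches = (STANDARD_RE.match(line.strip()) for line in text.splitlines())
    return [m.group('std') for m in matches if m]


def _word(enabled: bool) -> str:
    return 'enabled' if enabled else 'disabled'


def audit(text: str) -> List[str]:
    """One finding per option that deviates from EXPECTED. Options absent from
    the text are reported as 'not set' rather than assumed to be at a default."""
    state = parse_options(text)
    findings = []
    for name, want in EXPECTED.items():
        if name not in state:
            findings.append(f"{name}: not set (expected {_word(want)})")
        elif state[name] != want:
            findings.append(f"{name}: {_word(state[name])} but expected {_word(want)}")
    return findings


if __name__ == '__main__':
    print("standards applied:", applied_standards(SAMPLE_CONFIG))
    for finding in audit(SAMPLE_CONFIG):
        print("FINDING", finding)
```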
configuration audit max-changes Sets the maximum number of audit messages to log per change. If more changes occur in a single request than this setting permits to be shown, a log message will be added saying how many changes were not logged.
Syntax [no] configuration audit max-changes number
Parameters no
The no form of this command specifies that there be no limit on the number of changes to log.
number
Sets the maximum number of audit messages to log per change.
Example The following example sets 6 as the maximum number of audit messages to log per configuration change. hostname (config) # configuration audit max-changes 6
User Role Administrator
Command Mode Configuration
Release Information This command was introduced as follows:
CM Series: Before Release 7.6
AX Series: Before Release 7.6
NX Series: Before Release 7.6
EX Series: Before Release 7.6
FX Series: Before Release 7.6
HX Series: Before Release 7.6
VX Series: Before Release 7.6
Related Commands show configuration on page 1429
configuration copy Description Creates a copy of an existing configuration file.
Syntax configuration copy file_name copy_name
Parameters file_name
Name of the configuration file to be copied. There may be a list of configuration files in the copy command directory, such as "initial" or "initial.bak". These files may be copied using the copy command.
copy_name
Name of the copied configuration file. You cannot specify the name of the current active configuration, and the name cannot be “active.”
Example The following example copies “newconfig” to the “main_config” configuration file. hostname(config)# configuration copy newconfig main_config
User Role Administrator
Command Mode Configuration
Release Information This command was introduced as follows:
CM Series: Before Release 7.6
AX Series: Before Release 7.6
NX Series: Before Release 7.6
EX Series: Before Release 7.6
FX Series: Before Release 7.6
HX Series: Before Release 7.6
VX Series: Before Release 7.6
Related Commands show configuration files on page 1434
configuration delete Description Deletes a specified configuration file.
Syntax configuration delete file_name
Parameters file_name
Name of the configuration file to be deleted. There may be a list of configuration files in the delete command directory, such as initial and initial.bak. You cannot delete the current active configuration.
Example The following example deletes the newconfig configuration file. hostname (config)# configuration delete newconfig
User Role Administrator
Command Mode Configuration
Release Information This command was introduced as follows:
CM Series: Before Release 7.6
AX Series: Before Release 7.6
NX Series: Before Release 7.6
EX Series: Before Release 7.6
FX Series: Before Release 7.6
HX Series: Before Release 7.6
VX Series: Before Release 7.6
Related Commands show configuration files on page 1434
configuration factory Description Creates a new configuration file with factory default settings. No licensing or IP settings are retained with this command.
Syntax configuration factory file_name
Parameters file_name Name of the configuration file to be created with factory defaults.
Example The following example creates a new configuration file with factory default settings. hostname (config) # configuration factory newconfig
Related Commands configuration new on page 441
configuration fetch Description Downloads a FireEye configuration file from a specified remote host or network location.
Syntax configuration fetch path [file_name_or_URL]
Parameters path
URL that specifies the location of the configuration. The format can be one of the following: ftp://// sftp://// tftp://// http://// https://// scp://username:password@hostname//
file_name_or_URL Name of the downloaded configuration file (defaults to the name on the remote server). You cannot specify the name of the current active configuration, and the name cannot be “active.”
Example The following example downloads the specified configuration from the FireEye website. hostname (config) # configuration fetch http://www.fireeye.com/support/config-dir/newconfig
Related Commands configuration switch-to on page 446
configuration jump-start Description Reruns the Configuration Wizard to change the factory default settings or the settings you specified during the initial configuration of the appliance or the CM Series platform.
Syntax configuration jump-start
Parameters None
Example The following example reruns the Configuration Wizard. Respond to the configuration prompts as they appear (see table below). hostname (config) # configuration jump-start
To change an answer while running the Wizard, press CTRL+C, and then enter the step number. After all the questions are answered, the Wizard summarizes the answers. To change an answer, enter the step number. To save changes and exit, press Enter.
Step | Response
Hostname? | Enter the hostname for the appliance.
Admin password? | Enter a new administrator password. The new password must be from 8–32 characters. If you do not change the password, the administrator will be unable to log in to the appliance.
Confirm admin password? | Re-enter the new administrator password.
Enable remote access for ‘admin’ user? | Enter yes to enable the administrator to log in to the appliance remotely. Enter no to disable remote access.
Use DHCP on ether1 interface? | Enter yes to use Dynamic Host Configuration Protocol (DHCP) to configure the appliance IP address and other network parameters. Enter no to manually configure your IP address and network settings. (If you enter yes, the zeroconf and static IP addressing steps are skipped.)
Use zeroconf on ether1 interface? | Enter yes to use zero-configuration (zeroconf) networking. Enter no to specify a static IP address and network mask. (If you specify yes, the next step is skipped.) NOTE: Do not use zeroconf on the primary interface.
Primary IP address and masklen? | Enter the IP address for the management interface in A.B.C.D format and enter the network mask, for example: 1.1.1.2/12.
Default gateway? | Enter the gateway IP address for the management interface.
Primary DNS server? | Enter the IP address of the DNS server.
Domain name? | Enter the domain for the management interface; for example: it.acme.com.
Activation code | Enter the activation code you obtained from FireEye.
Enable Incident Response or Compromise Assessment? (Virtual appliances only) (NX Series only) | Enter yes to configure an Incident Response or Compromise Assessment deployment. (If you enter yes, the next four steps are performed automatically, and the "Enable NTP?" and "Enable IPv6?" steps are skipped.)
Enable fenet service? | Enter yes to enable access to the DTI network. (If you enter no, the next three steps are skipped.)
Enable fenet license update service? | Enter yes to enable the licensing service to automatically download your licenses from the DTI network and install them. (If licenses are downloaded and installed successfully, the wizard skips the step that prompts for the product license key and the step that prompts for the security-content updates key.)
Sync appliance time with fenet? | Enter yes to synchronize the appliance time with the DTI server time. If you enabled the licensing service, synchronization prevents a feature from being temporarily unlicensed due to a time gap. The wizard makes three attempts to perform this step before it gives up and moves to the next step.
Update licenses from fenet? | Enter yes to download and install your licenses. The wizard makes three attempts to perform this step before giving up and moving on to the next step.
Enable NTP? | Enter yes to enable automatic time synchronization with one or more Network Time Protocol (NTP) servers. Enter no to manually set the time and date on the appliance. (This step is skipped if you entered yes in the "Sync appliance time with fenet?" or "Enable Incident Response or Compromise Assessment?" step.) NOTE: HX Series appliances: If you enter no, specify the time and date in Greenwich Mean Time (GMT).
Enable FaaS VPN? | Enter yes to enable the appliance to connect to FireEye as a Service over the Internet using a secure SSL VPN connection. (This step is skipped if no MD_ACCESS license is installed. On NX series appliances, this step is performed automatically if you entered yes in the "Enable Incident Response or Compromise Assessment?" step.)
Set time (::)? | Enter the appliance time. (This step and the next step are skipped if you entered yes in the "Sync appliance time with fenet?" or "Enable NTP?" step.)
Set date (//)? | Enter the appliance date.
Enable IPv6? | Enter yes to enable IPv6 protocol, which changes network IP routing from IPv4 to IPv6. (This step and the next two steps are skipped if you entered yes in the "Enable Incident Response or Compromise Assessment?" step. This step and the next two steps will be automatically performed if you entered yes in the “Enable FaaS VPN” step.) NOTE: Do not enable IPv6 for HX Series appliances. HX Series appliances do not support IPv6.
Enable IPv6 autoconfig (SLAAC) on ether1 interface? | Enter yes to enable IPv6 autoconfig on the ether1 (management interface) port. (This step is skipped if you entered no in the "Enable IPv6?" step.)
Enable DHCPv6 on ether1 interface? | Enter yes to use DHCPv6 to configure IPv6 hosts with IP addresses. (This step is skipped if you entered no in the "Enable DHCP?" or "Enable IPv6?" step.)
Submission: Interface? (NX Series sensors and VX Series appliances only) | Press Enter to accept ether1 as the interface through which sensors and brokers communicate. Otherwise, enter the name of the other interface. (If you accept ether1, the next three steps are skipped.) NOTE: To keep management and data traffic separate, FireEye recommends that you use another management interface such as ether2, and not a monitoring interface.
Submission: Use DHCP on interface? | DHCP is not currently supported on the submission interface. Enter no to manually configure the address settings.
Submission: IP address and masklen? | Enter the IP address for the submission interface in A.B.C.D format and enter the network mask, for example: 10.1.1.1/24.
Submission: Default IPv4 gateway? | Enter the gateway IP address for the submission interface.
Cluster: Interface? (VX Series only) | Press Enter to accept ether1 as the interface through which brokers and compute nodes communicate. Otherwise, enter the name of the other interface. (If you accept ether1, the next two steps are skipped.) NOTE: To keep management and data traffic separate, FireEye recommends that you use another management interface such as ether2, and not a monitoring interface.
Cluster: Use DHCP on interface? | Enter yes to use DHCP to configure the cluster interface IP address. (If you enter yes, the next step is skipped.)
Cluster: IP address and masklen? | Enter the IP address for the cluster interface in A.B.C.D format and enter the network mask, for example: 10.1.1.1/24.
Mirror traffic to a PX appliance? (NX Series only) | Enter yes to use port mirroring to forward NX Series traffic to the PX Series appliance in an Incident Response deployment. If you enter no, you must manually configure your PX Series appliance to receive the proper traffic. (This step is skipped if you entered no in the "Enable Incident Response or Compromise Assessment?" step.) IMPORTANT! FireEye recommends using port mirroring in an Incident Response deployment.
Interface pair to mirror traffic to PX? | Enter the NX Series interface pair or pairs whose traffic will be forwarded to the PX Series appliance. If multiple mirror ports are already configured, this step and the next step are skipped. If a single mirror port is already configured for one or more pairs, that pair or pairs are provided as the default for this step. IMPORTANT! FireEye recommends using the default pair (A) if you are configuring a new appliance. Otherwise, manual configuration steps may be required.
Interface to mirror traffic to PX? | Enter the NX Series port that will forward the traffic to the PX Series capture port. Do not specify a port that belongs to an interface pair you entered in the previous step. If a single mirror port is already configured, it is provided as the default for this step. IMPORTANT! FireEye recommends using the default port (pether6) if you are configuring a new appliance. Otherwise, manual configuration steps may be required.
Enable forensic analysis? (NX Series only) | Enter yes to perform full packet capture and analysis on the mirrored traffic.
IP address of PX (NX Series only) | Enter the IP address of the PX Series appliance. (This step is skipped if you entered no in the "Enable forensic analysis?" step.)
Product license key? | Enter the product license key you obtained from FireEye, or press Enter to install a 15-day evaluation license. (This step and the next step are skipped if you entered yes in the "Enable fenet license update service?" step and if licenses were successfully installed as a result.)
Security-content updates key? | Enter the security-content license key you obtained from FireEye, or press Enter to skip this step and install the license later. NOTE: A support license is also required and should be installed after you complete the configuration wizard.
Configure CMS HA? (CM Series only) | Enter yes to configure the CM Series platform in a high availability (HA) environment. (For the remaining HA configuration steps, see the CM Series High Availability Guide.)
Related Commands configuration new on page 441
configuration merge Description Merges a specified configuration file with the running configuration. Appliance-specific settings, such as the IP address, are not merged.
Syntax configuration merge file_name
Parameters file_name Name of the configuration file to be merged with the running configuration. You cannot specify the active configuration file.
Example The following example merges “newconfig” with the running configuration. hostname (config) # configuration merge newconfig
Related Commands configuration merge on page 1 configuration write [to [no-switch]] on page 452
configuration move Description Changes the name of a configuration file.
Syntax configuration move current_name new_name
Parameters current_name
Name of the configuration file to be renamed. You cannot rename the currently active configuration.
new_name
New name of the configuration file. The name cannot be “active.”
Example The following example renames “newconfig” as “config1.” hostname (config) # configuration move newconfig config1
Related Commands show configuration files on page 1434
configuration new Description Creates a new configuration file with the factory default settings which include the license from the running configuration as well as the active configuration’s IP settings, host keys, and CMC rendezvous configuration.
Syntax configuration new file_name [factory {keep-basic [keep-connect] | keep-connect}]
Parameters file_name
Name of the new configuration file. The name cannot be “active.”
factory
Creates a new file with only factory defaults. Excludes the license from the new configuration.
keep-basic
Creates a new factory configuration file but retains basic licensing, host keys, and CMC rendezvous configuration settings. This parameter can additionally include keep-connect, which keeps configuration necessary for network connectivity, including interfaces, routes, and Address Resolution Protocol (ARP).
keep-connect
Creates a new factory configuration file but retains established IP settings from the active configuration (interfaces, routes, and ARP).
Example The following example creates a new configuration with the factory default settings and the current license and basic configuration as well as the keep-connect IP settings. hostname (config) # configuration new newconfig factory keep-basic keep-connect
Related Commands configuration factory on page 431 configuration fetch on page 432
configuration revert factory keep-basic Reverts running and saved configurations to factory defaults, and keeps licenses, host keys, and rendezvous configuration. If the appliance is managed by a FireEye CM Series appliance, the configuration revert factory keep-basic command removes managed appliances from the database, the Web UI, and the CLI, and resets all configuration settings. You must add managed appliances back to the CM Series appliance after the configuration has been reverted.
Syntax configuration revert factory keep-basic
Parameters None
Example The following example reverts running and saved configurations to factory defaults while keeping licenses, host keys, and rendezvous configuration: hostname (config) # configuration revert factory keep-basic
User Role Admin or Operator
Command Mode Configuration
Release Information This command was introduced as follows: AX Series: Before Release 6.4 CM Series: Before Release 6.4 EX Series: Before Release 6.4 FX Series: Before Release 6.4 HX Series: Release 2.5 NX Series: Before Release 6.4
Related Commands For a list of related commands, see: Configuration Management Commands on page 75.
configuration revert factory keep-connect Reverts running and saved configurations to factory defaults and keeps configuration necessary for network connectivity, including interfaces, routes, and Address Resolution Protocol (ARP).
If the appliance is managed by a FireEye CM Series appliance, the configuration revert factory keep-connect command removes managed appliances from the database, the Web UI, and the CLI, and resets all configuration settings. You must add managed appliances back to the CM Series appliance after the configuration has been reverted.
Syntax configuration revert factory keep-connect
Parameters None
Example The following example reverts running and saved configurations to factory defaults while keeping configuration necessary for network connectivity: hostname (config) # configuration revert factory keep-connect
User Role Admin or Operator
Command Mode Configuration
Release Information This command was introduced as follows: AX Series: Before Release 6.4 CM Series: Before Release 6.4 EX Series: Before Release 6.4 FX Series: Before Release 6.4 HX Series: Release 2.5 NX Series: Before Release 6.4
Related Commands For a list of related commands, see: Configuration Management Commands on page 75.
configuration revert saved Changes the running configuration to the last saved version of the active configuration. Restoring the last saved active configuration allows you to discard temporary changes to the running configuration. If the appliance is managed by a FireEye CM Series appliance and appliances have been added since the last saved configuration, using the configuration revert saved command removes those appliances that were added after the last saved configuration from the database, the Web UI, and the CLI, and restores all configurations from the saved configuration. You must add managed appliances back to the CM Series appliance after the configuration has been reverted.
Syntax configuration revert saved
Parameters None
Example The following example changes the running configuration to the last saved active configuration. hostname (config) # configuration revert saved
User Role Admin or Operator
Command Mode Configuration
Release Information This command was introduced as follows: AX Series: Before Release 6.4 CM Series: Before Release 6.4 EX Series: Before Release 6.4 FX Series: Before Release 6.4 HX Series: Release 2.5 NX Series: Before Release 6.4
Related Commands For a list of related commands, see: Configuration Management Commands on page 75.
configuration switch-to
Description Switches to a specified configuration file, which becomes the new active configuration. This active configuration is loaded automatically when you reboot the system. When you save configuration changes, they are saved to the active configuration by default.
Syntax configuration switch-to file_name
Parameters file_name Name of the new active configuration file.
Example The following example specifies “newconfig” as the active configuration.
hostname (config) # configuration switch-to newconfig
Related Commands configuration write [to [no-switch]] on page 452
show configuration files on page 1434
configure terminal
Description Enters configuration mode from enabled mode. To return to enabled mode, enter the exit command or use the no form of this command.
Syntax configure terminal [cmc-force]
[no] configure
Parameters cmc-force Enters configuration mode, bypassing the prompt if the FireEye appliance is a CMC (Central Management Console) client under management of a CMC server.
Example
hostname # configure terminal
hostname (config) #
configuration text
Description Performs operations on text-based configuration files. Text-based files support copy-and-paste file operations.
Syntax configuration text {fetch download_URL | file file_name | generate {active | file}}
configuration text fetch download_URL [apply {discard | fail-continue | file filename | verbose} | filename filename | overwrite]
configuration text generate active {running {save file_name | upload upload_URL} | saved {save file_name | upload upload_URL}}
Related Commands show configuration files on page 1434
Parameters
fetch Downloads a text-based configuration file from a remote host. The fetch option has the following form:
configuration text fetch download_URL [apply {discard | fail-continue | filename | verbose} | overwrite]
- apply—Applies the downloaded configuration to the running system.
- discard—Deletes the downloaded text file after applying it to the system.
- fail-continue—If applying commands, continues execution even if one of the commands fails.
- filename—Specifies the file name for saving the downloaded text file.
- verbose—Displays all commands being executed, including their output, instead of displaying only those commands that encounter errors.
- overwrite—Replaces the configuration text file if, when saving, the file name already exists.
download_URL URL that specifies the location of the configuration text file. The format can be one of the following: ftp://// sftp://// tftp://// http://// https://// scp://username:password@hostname//
file Use to manipulate stored text-based configuration files from the system’s configuration.
file_name Name of the new active text-based configuration file. Options include:
configuration text file file_name [apply | delete | rename | upload]
- apply {fail-continue | verbose}—Executes the commands in the configuration file. If the parameter fail-continue is used, execution continues even if one command fails; if the parameter verbose is used, all commands being executed are displayed, including their output, instead of displaying only those commands that encounter errors.
- delete—Deletes this configuration file.
- rename—Renames this configuration file.
- upload—Uploads this configuration file to a remote host.
generate active | file Generates a new text-based configuration file.
- The active option generates the text-based configuration file from the active configuration:
configuration text generate active {running {save file_name | upload upload_URL} | saved {save file_name | upload upload_URL}}
- The file option generates the text-based configuration file from an inactive saved configuration:
configuration text generate file file_name
upload Uploads this configuration file to a remote host.
upload_URL URL that specifies the location of the configuration text file. The format can be one of the following: ftp://// sftp://// tftp://// http://// https://// scp://username:password@hostname//
Example The following example generates a new text-based configuration file from the active running configuration.
hostname (config) # configuration text generate active running save textBasedFile
configuration upload
Description Uploads a configuration file to a specified network location.
Syntax configuration upload {file_name | active} path
Parameters
file_name Name of the configuration file to be uploaded.
active Uploads the active configuration file.
path URL that specifies the network location of the uploaded configuration. The format can be one of the following: ftp://// sftp://// tftp://// http://// https://// scp://username:password@hostname//
Example The following example uploads the active configuration as “testconfig.”
hostname (config) # configuration upload active ftp://ftp.example.com/config-dir/testconfig
Related Commands show configuration files on page 1434
configuration write [to [no-switch]]
Description Saves the running configuration to the current active configuration file, or to a specified configuration file which becomes the new active configuration. The active configuration is loaded automatically when you reboot the system. The configuration changes are applied immediately to the running configuration, but they must be saved to a configuration file if you want to retain them after the next reboot.
Syntax configuration write [to [no-switch]]
Parameters
to Name of the configuration file where the running configuration is saved. This file becomes the new active configuration with a new name. This command includes an optional parameter:
- no-switch—Saves the configuration to a new file but keeps the current configuration active.
Example The following example saves the running configuration to a configuration file but keeps the current configuration file active.
hostname (config) # configuration write to newconfig no-switch
Related Commands For a list of related commands, see: Configuration Management Commands on page 75.
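The interplay between the running configuration, the active configuration file and the other saved files that the configuration revert saved, configuration switch-to and configuration write commands describe is easy to misread from the prose alone. The following Python model is an added illustration written for this guide, not FireEye code: the ApplianceConfig class, its method names and the reboot() step are assumptions, the appliance's real storage format is not documented here, and the model encodes only what the three command descriptions state.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Hypothetical model of the configuration-file semantics described for
# "configuration revert saved", "configuration switch-to" and
# "configuration write [to [no-switch]]". Not FireEye code.

ConfigLines = Tuple[str, ...]


class ConfigError(Exception):
    """Raised for operations that cannot succeed, e.g. switching to a missing file."""


@dataclass
class ApplianceConfig:
    # Saved configuration files keyed by name; each value is the snapshot of
    # configuration lines that was written to that file.
    files: Dict[str, ConfigLines] = field(default_factory=lambda: {"initial": ()})
    # The active file: loaded at boot and the default target of "configuration write".
    active: str = "initial"
    # The running configuration: changed immediately by config-mode commands,
    # lost on reboot unless written to a file.
    running: ConfigLines = ()

    def configure(self, line: str) -> None:
        """Apply a configuration command; only the running configuration changes."""
        self.running = tuple(sorted(set(self.running) | {line}))

    def has_unsaved_changes(self) -> bool:
        """True when the running configuration differs from the active file."""
        return self.running != self.files[self.active]

    def write(self, to: Optional[str] = None, no_switch: bool = False) -> str:
        """configuration write [to <file> [no-switch]]: save the running config.

        Without "to", the active file is overwritten. With "to", the named
        file is written and becomes active unless no-switch is given.
        Returns the name of the active file afterwards.
        """
        target = to if to is not None else self.active
        self.files[target] = self.running
        if to is not None and not no_switch:
            self.active = to
        return self.active

    def switch_to(self, name: str) -> None:
        """configuration switch-to <file>: make an existing file the active one.

        The reference says the active file is loaded at reboot, so the running
        configuration is left untouched until reboot() is called (assumption).
        """
        if name not in self.files:
            raise ConfigError(f"no such configuration file: {name}")
        self.active = name

    def revert_saved(self) -> None:
        """configuration revert saved: discard unsaved changes by reloading
        the last saved version of the active configuration."""
        self.running = self.files[self.active]

    def reboot(self) -> None:
        """Simulated reboot: the active file becomes the running configuration."""
        self.running = self.files[self.active]


def change_control_demo() -> Dict[str, object]:
    """Walk through the three commands and report what each one left behind."""
    box = ApplianceConfig()
    box.configure("hostname nx-lab-01")                 # constructed sample command
    unsaved_before = box.has_unsaved_changes()          # True: only running changed
    box.write(to="candidate", no_switch=True)           # file saved, "initial" stays active
    active_after_write = box.active
    box.revert_saved()                                  # running reloaded from "initial"
    running_after_revert = box.running
    box.switch_to("candidate")
    box.reboot()                                        # candidate now loaded
    return {
        "unsaved_before": unsaved_before,
        "active_after_write": active_after_write,
        "running_after_revert": running_after_revert,
        "running_after_switch_and_reboot": box.running,
    }


if __name__ == "__main__":
    print(change_control_demo())
```

The has_unsaved_changes() check is the part worth keeping in a change-control script: a write to newconfig no-switch leaves the active file unchanged, so the appliance still reports unsaved changes against it, and a revert saved at that point discards the edits rather than the new file.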
custom content enable
Description Enables or disables a CM Series platform to receive indicator (IOC) customizations from a third-party feed and distribute them to all managed NX Series appliances. When the third-party IOC feed feature is disabled, DTI feeds are not pushed to all managed NX Series appliances. Before you can receive third-party IOC feeds, you need to create a custom blacklist for the IOCs in the Web UI. For more information on creating a custom blacklist, see Creating a Custom Blacklist from a Third-Party Feed.
IOC customizations are not supported on managed FireEye NX 300 models. This feature is enabled by default when you add the NX Series appliance to the CM Series platform. The DTI feeds are automatically pushed to the managed NX Series appliance.
Syntax [no] custom content enable
Parameters no Use the no form of this command to disable third-party IOCs.
Example The following example enables third-party IOCs on all managed NX Series appliances:
hostname (config) # custom content enable
The following example disables third-party IOCs on all managed NX Series appliances:
hostname (config) # no custom content enable
User Role Administrator
Command Mode Configuration
Release Information This command was introduced as follows:
- CM Series: Release 7.9
Related Commands For a list of related commands, see Third-Party IOC Feeds Command Family on page 125.
custom content enable on the previous page
custom content enable on lms on the facing page
show custom content enable status on page 1452
show custom content feed status on page 1454
custom content enable on lms
Description Enables or disables a specific managed NX Series appliance to receive indicator (IOC) customizations from a third-party feed. You can verify that this feature is enabled or disabled when you log in to a managed NX Series appliance. Before you can receive third-party IOC feeds, you need to create a custom blacklist for the IOCs in the Web UI. For more information on creating a custom blacklist, see Creating a Custom Blacklist from a Third-Party Feed.
IOC customizations are not supported on managed FireEye NX 300 models. This feature is enabled by default when you add the NX Series appliance to the CM Series platform. The DTI feeds are automatically pushed to the managed NX Series appliance.
Syntax [no] custom content enable on lms
Parameters
no Use the no form of this command to disable third-party IOCs on a specific managed NX Series appliance.
An NX Series appliance record name.
Example The following example enables third-party IOCs on a specific managed NX Series appliance:
hostname (config) # custom content enable on lms nx1
The following example disables third-party IOCs on a specific managed NX Series appliance:
hostname (config) # no custom content enable on lms nx1
User Role Administrator
Command Mode Configuration
Release Information This command was introduced as follows:
- CM Series: Release 7.9
Related Commands For a list of related commands, see Third-Party IOC Feeds Command Family on page 125.
custom content enable on page 453
custom content enable on lms on the previous page
show custom content enable status on page 1452
show custom content feed status on page 1454
crypto certificate bundle cert-name
Description Adds a certificate that already has been configured to a bundle. The appliance or node supports single PEM-encoded certificates. A set of intermediate and root CA certificates is used to validate the certificates presented to the appliance from the Common Access Card (CAC). The certificate name must already exist in the system. For details about how to configure a CA certificate bundle, refer to the "Configuring CAC for Certificate Authentication" appendix of the System Administration Guide.
Syntax [no] crypto certificate bundle cert-name [keep-member-cert]
Parameters
no Use the no form of this command to remove the certificate that already has been configured from the specified bundle.
bundle_name Name of the certificate bundle. The bundle must be named client-cert-auth.
certificate_name Name of the certificate that already has been configured.
keep-member-cert (Optional) Removes the certificates from the specified bundle but keeps them in the database.
Example The following example shows how to add a certificate that already has been configured to a bundle.
hostname (config) # crypto certificate bundle client-cert-auth cert-name client-cert-auth-0235cfce
User Role Administrator
Command Mode Configuration
Release Information This command was introduced as follows:
- CM Series: Release 7.9.1
- NX Series: Release 7.9.1
- VX Series: Release 7.9.1
Related Commands For a list of related commands, see CAC Commands on page 67.
crypto certificate bundle comment
Description Configures a description for the certificate bundle. For details about how to configure a CA certificate bundle, refer to the "Configuring CAC for Certificate Authentication" appendix of the System Administration Guide.
Syntax [no] crypto certificate bundle comment
Parameters
no Use the no form of this command to delete the comment from the specified certificate bundle.
bundle_name Name of the certificate bundle. The bundle must be named client-cert-auth.
comment Description of the certificate bundle. The comment is added automatically when you import a certificate bundle.
Example The following example shows how to configure a comment for the certificate bundle.
hostname (config) # crypto certificate bundle client-cert-auth comment Imported from http://builds.eng.fireeye.com/~john.doe/vps1-cacerts.pem
User Role Administrator
Command Mode Configuration
Release Information This command was introduced as follows:
- CM Series: Release 7.9.1
- NX Series: Release 7.9.1
- VX Series: Release 7.9.1
Related Commands For a list of related commands, see CAC Commands on page 67.
crypto certificate bundle fetch url
Description Downloads a CA certificate bundle from a specified URL and adds the imported certificates to an existing bundle. The bundle must be a single concatenated PEM file. Each certificate is imported into the bundle configuration. The imported certificates are listed in the specified bundle. By default, if the bundle name already exists, it is replaced with the imported certificate. For details about how to configure a CA certificate bundle, refer to the "Configuring CAC for Certificate Authentication" appendix of the System Administration Guide.
Syntax crypto certificate bundle fetch url [append] [keep-member-cert]
Parameters
bundle_name Name of the certificate bundle. The bundle must be named client-cert-auth.
URL Direct path to the certificate file. The URL is specified with the remote server administrator credentials (username and password), the remote server (hostname), and the path and file name in which to save the certificate bundle, in the following format: scp://[:]@/
If you do not specify the remote host administrator password in the crypto certificate bundle fetch url command (where the password would be visible as clear text), the CLI prompts for the password and obfuscates the keyboard input as you type it.
append (Optional) Adds a new certificate to an existing certificate bundle. The existing certificates will be retained in the database.
keep-member-cert (Optional) Removes the certificates from the specified bundle but keeps them in the database.
Example The following example shows how to download a certificate bundle.
hostname (config) # crypto certificate bundle client-cert-auth fetch url http://172.16.142.99/QA/test/cac/vps1-cacerts.pem
User Role Administrator
Command Mode Configuration
Release Information This command was introduced as follows:
- CM Series: Release 7.9.1
- NX Series: Release 7.9.1
- VX Series: Release 7.9.1
Related Commands For a list of related commands, see CAC Commands on page 67.
crypto certificate
Description To manage X.509 certificates, use the crypto certificate command in configuration mode.
Syntax
crypto certificate name cert-name public-cert pem pem-string [comment comment]
crypto certificate name cert-name private-key pem pem-string
crypto certificate name cert-name prompt-private-key
no crypto certificate name cert-name
crypto certificate name cert-name fetch public-cert-url pem-file-url [private-key-url pem-file-url] [comment comment]
crypto certificate name cert-name generate self-signed [key-size-bits bits] [serial-num serial-number] [days-valid days] [common-name common-name] [country-code country-code] [state-or-prov state-or-province-name] [locality locality-name] [organization organization-name] [org-unit organization-unit-name] [email-addr email-address] [comment comment]
crypto certificate name cert-name regenerate [days-valid days]
crypto certificate name old-cert-name rename new-cert-name
[no] crypto certificate name cert-name comment comment
crypto certificate generation default [country-code country-code]
crypto certificate generation default [state-or-prov state-or-province-name]
crypto certificate generation default [locality locality-name]
crypto certificate generation default [organization organization-name]
crypto certificate generation default [org-unit organization-unit-name]
crypto certificate generation default [email-addr email-address]
crypto certificate generation default [key-size-bits bits]
crypto certificate generation default [days-valid days]
crypto certificate min-key-size number_of_bits
[no] crypto certificate secure-hashes-only
[no] crypto certificate ca-list default-ca-list name cert-name
crypto certificate sharepoint ca-chain chain-name ca-chain-name pem-bundle quoted_PEM_bundle_string comment member_certificate_comment
no crypto certificate sharepoint ca-chain chain-name ca-chain-name
PEM String Format The certificate and private key must be configured as a Privacy Enhanced Mail (PEM) encoded ASCII string. The string must be formatted in the following order:
1. Double quotation marks
2. A new line
3. BEGIN delimiter string
4. ASCII block
5. END delimiter string
6. A new line
7. Double quotation marks
You can press Enter in the CLI to add a new line. If a comment is added, it must follow the final double quotation marks and be on the same line. Any commentary outside the BEGIN and END delimiter strings is ignored. The following is an example PEM string (with a truncated ASCII block):
>"
>
>-----BEGIN CERTIFICATE-----
>MIIEujCCA6KgAwIBAgIJAI/1cFcdOeykMA0GCSqGSIb3DQEBBQ
>UAMIGZMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5p
>YTERMA8GA1UEBxMITWlscGl0YXMTJDE3GDS9DYEDLO9EWS6Fx=
>.
>.
>.
>-----END CERTIFICATE-----
>
>"
User Role Administrator
Release Information This command was introduced before Release 7.6.0. The fetch option of this command was reintroduced in releases as follows:
- NX Series: Release 7.6.0
- EX Series: Release 7.6.0
- CM Series: Release 7.6.0
- AX Series: Release 7.7.0
- FX Series: Release 7.7.0
The default-cert option was deprecated in the releases listed above.
Parameters
no Use the no form of this command to clear the settings.
name cert_name The certificate name.
- comment—Includes a text comment about the certificate.
- common-name—Specifies the hostname or fully qualified domain name.
- country-code—The country code for the certificate. A two-character code, or “- - ” for none.
- days-valid—The duration for which the certificate is valid (in days).
- email-addr—The email address associated with the certificate.
- fetch—Downloads and installs a certificate, optionally with a matching private key and an optional comment for the certificate. Self-identifying certificates such as those used for an appliance Web service require a private key for the service to operate.
- generate self-signed—Generates a self-signed certificate.
- key-size-bits—The size of the private key in bits (RSA only). The size should be at least 1024, and 2048 is strongly recommended.
- locality—The default value for the certificateʼs locality, for example, city or town.
- org-unit—The default value for the certificateʼs organizational unit name.
- organization—The default value for the certificateʼs organization.
- public-cert—Installs a certificate.
  - pem—Specify certificate contents in PEM format.
- private-key pem—Adds a certificate private key in PEM format.
- prompt-private-key—Prompts for a private key in PEM format, including BEGIN and END delimiter lines. This command must be terminated with Ctrl+D when you are finished.
- regenerate [days-valid days]—Regenerates the named certificate and specifies the validity period in days.
- rename—Renames a certificate.
- serial-num—A lowercase, hexadecimal serial number prefixed with '0x'.
- state-or-prov—The default value for the certificateʼs state or province.
generation default Configures the default values for self-signed certificate generation.
- country-code—The default country code for the certificate. A two-character code, or “- - ” for none.
- days-valid—The default duration for which the certificate is valid (in days).
- email-addr—The default email address associated with the certificate.
- key-size-bits—The size of the private key (in bits). The size should be at least 1024, and 2048 is strongly recommended.
- locality—The default value for the certificateʼs locality.
- org-unit—The default value for the certificateʼs organizational unit name.
- organization—The default value for the certificateʼs organization.
- state-or-prov—The default value for the certificateʼs state or province.
crypto certificate min-key-size number_of_bits Configures the minimum key size for a CA certificate to be applied.
crypto certificate secure-hashes-only Uses sha-256, sha-384, and sha-512 only for signature algorithms for certificates.
ca-list default-ca-list name Sends the named certificate to the default CA trust pool.
sharepoint ca-chain chain-name ca-chain-name pem-bundle quoted_PEM_bundle_string Configures the named SharePoint CA certificate chain from a PEM bundle string.
Example The following example sends the named certificate to the default CA trust pool.
hostname (config) # crypto certificate ca-list default-ca-list name my_ca_cert
Related Commands show crypto certificate on page 1449
crypto certificate ca-chain chain-name web-server
Description Use this command to configure a Web server CA certificate chain. Adding the certificate chain to an Apache Web server establishes a chain of trust for a server SSL certificate by providing signing CA certificates to the Web browsers running the Web UI. After you configure the certificate chain, you must activate it using the command web server ssl ca-chain on page 1321.
Syntax crypto certificate ca-chain chain-name web-server pem-bundle "" [comment ""]
no crypto certificate ca-chain chain-name
Parameters
no Use the no form of this command to remove the certificate chain.
chainName Unique name for the CA chain. The name must begin with a letter or number. The remaining characters in the name can be letters, numbers, periods (.), dashes (-), and underscores (_).
pemChainString Chain of PEM strings, enclosed by double quotation marks.
comment Comment text, enclosed by double quotation marks.
PEM String Format The certificate and private key must be configured as a Privacy Enhanced Mail (PEM) encoded ASCII string. The string must be formatted in the following order:
1. Double quotation marks
2. A new line
3. BEGIN delimiter string
4. ASCII block
5. END delimiter string
6. A new line
7. Double quotation marks
You can press Enter in the CLI to add a new line. If a comment is added, it must follow the final double quotation marks and be on the same line. Any commentary outside the BEGIN and END delimiter strings is ignored. The following is an example PEM string (with a truncated ASCII block):
>"
>
>-----BEGIN CERTIFICATE-----
>MIIEujCCA6KgAwIBAgIJAI/1cFcdOeykMA0GCSqGSIb3DQEBBQ
>UAMIGZMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5p
>YTERMA8GA1UEBxMITWlscGl0YXMTJDE3GDS9DYEDLO9EWS6Fx=
>.
>.
>.
>-----END CERTIFICATE-----
>
>"
Example The following example configures the "acme_Cert-Web_US" Web server CA certificate chain that includes three intermediate CAs and a root certificate.
hostname (config) # crypto certificate ca-chain chain-name acme_Cert-Web_US web-server pem-bundle "
>
> -----BEGIN CERTIFICATE-----
> MIID2jJUAsKgAwIBAgIBBjANBgkqhkiG8g0BAQUFADCBsDELMAkGA1UEBhMCVVMx
> FjAUB+NVBAgTNT1hc3NhY2h1c2V0dHMxFDASBgNVBAcTC1dlc3Rib3JvdWdoMRsw
> GQYDVQQKExJUYWxsIE1hcGxlIFN5c3RlbXMx/DAOBgNVBAsTB3Rtkq1lbmcxHjAc
> BgNVBAMTFW9jdGFnb24udGFsbG1hcGxlLmNvbTEkMCIGCSqGSIb3DQEJARYVc2xh
> ...
> -----END CERTIFICATE-----
> -----BEGIN CERTIFICATE-----
> HUE457jJheR86GJD3Iye987cdIYuP238DCBsDELMAkGA1UEBhMCVVMxh32Aq0iF7
> V75TYoiuY368pW+Bd8A8345Oc3PIUB4uw0821NMQaq9YEw397Ne409NCDE987c9u
> VE397gi/yTMNXd84Tuq0pie4n451r0oieRxcsWe70abcie$529omE2wXyrwR3784
> NTTdi239csUEi7dgOp391VCWetrnEp983Yr4B14Dw9URwo7NVC3xaY7vA2Aq874=
> ...
> -----END CERTIFICATE-----
> -----BEGIN CERTIFICATE-----
> n4Qw21ou4VeTe8BE29780dv7APR2rc92g4ublselcisla5do3tGBy9873cslIExu
> v38csf8bu/w9UjeRcsltsiv3u23kd+abiY6TRB5596aqin3h4Jh423jc0oWqnr3m
> cAy65Lku53eCsD9Uo0pKmE235Dcwiyti754TDlOUnrd3677903dwr456mHjyDew7
> he3T58ET86udaUOi328VEw78Texpuy457swQmRe7ck3yswo8dmvhts52vBdl43==
> ...
> -----END CERTIFICATE-----
> -----BEGIN CERTIFICATE-----
> 49JysE20gjaasfaMKTSIKEdycTe84mbnn4Qw21ou4Vejt4W9j6e37APR2rc92vde
> g4ublselcisla5do3tGBy9873cslI/xun471sWeid873RiuvY67Wf3873NywpYUm
> ges98R3kc+asdf7683lc09TNTD7utB2894Htdm0982JeubJyiRWe98Ldkey1slfo
> n35De89adkj;298jkgkk38GESlgisU6e3T8UBd2TIu7B184hK3rp98c1rW398vlr
> ...
> -----END CERTIFICATE-----
>
>"
The following example deletes the certificate chain.
hostname (config) # no crypto certificate ca-chain chain-name acme_Cert-Web_US
User Role Operator and Administrator
Command Mode Configuration
Release Information This command was introduced as follows:
- CM Series: Release 7.9.1
- NX Series: Release 7.9.1
- VX Series: Release 7.9.1
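Both the CAC certificate bundle that crypto certificate bundle fetch url imports and the pem-bundle string that crypto certificate ca-chain chain-name web-server accepts are concatenated PEM text, and the PEM String Format sections above spell out the quoting rules the CLI applies to it. The following Python checker is an added example written for this guide, not FireEye code: it strips the CLI continuation prompts and the surrounding quotation marks, returns the comment that must follow the closing quotation mark, extracts every BEGIN/END block, and verifies that each block is valid base64 whose decoded bytes form exactly one DER SEQUENCE (the outer framing of any X.509 certificate). The sample string and its URL are constructed, and its payload is a five-byte toy SEQUENCE rather than a real certificate so that the example runs offline.

```python
import base64
import binascii
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample payload: 30 03 02 01 05 is SEQUENCE { INTEGER 5 }, the
# smallest value that satisfies the "outermost DER SEQUENCE" check below.
# A real bundle carries full X.509 certificates in the same PEM framing.
_TOY_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x05])
_TOY_B64 = base64.b64encode(_TOY_DER).decode("ascii")

# Constructed CLI string in the order the reference requires: a line holding
# only the opening quotation mark, the PEM blocks, then a closing quotation
# mark with the optional comment on the same line.
SAMPLE_CLI_STRING = f'''"
-----BEGIN CERTIFICATE-----
{_TOY_B64}
-----END CERTIFICATE-----
commentary between blocks is ignored
-----BEGIN CERTIFICATE-----
{_TOY_B64}
-----END CERTIFICATE-----
" Imported from https://files.example.test/cacerts.pem
'''

PEM_BLOCK_RE = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END ([A-Z0-9 ]+)-----", re.S)


def strip_cli_quoting(text: str) -> Tuple[str, Optional[str]]:
    """Remove '>' continuation prompts and the enclosing quotation marks.

    Returns (pem_body, comment). The comment is whatever follows the closing
    quotation mark on the same line, or None when there is none.
    """
    lines = [ln[1:] if ln.startswith(">") else ln for ln in text.splitlines()]
    lines = [ln.strip() for ln in lines]
    while lines and not lines[0]:
        lines.pop(0)
    if not lines or lines[0] != '"':
        raise ValueError('PEM string must open with a line containing only "')
    body: List[str] = []
    for ln in lines[1:]:
        if ln.startswith('"'):
            return "\n".join(body), (ln[1:].strip() or None)
        body.append(ln)
    raise ValueError('PEM string has no closing " line')


def der_declared_length(der: bytes) -> int:
    """Length of the outermost DER TLV (tag + length octets + content)."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("decoded data does not start with a DER SEQUENCE")
    first = der[1]
    if first < 0x80:                      # short-form length
        return 2 + first
    n = first & 0x7F                      # long form: n further length octets
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("invalid DER length encoding")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def parse_pem_bundle(body: str) -> List[Dict[str, object]]:
    """Extract each BEGIN/END block and validate its base64 and DER framing."""
    blocks: List[Dict[str, object]] = []
    for m in PEM_BLOCK_RE.finditer(body):
        begin_label, b64, end_label = m.group(1), m.group(2), m.group(3)
        problems: List[str] = []
        der = b""
        if begin_label != end_label:
            problems.append(f"BEGIN {begin_label} closed by END {end_label}")
        try:
            # validate=True rejects any character outside the base64 alphabet.
            der = base64.b64decode("".join(b64.split()), validate=True)
            declared = der_declared_length(der)
            if declared != len(der):
                problems.append(f"DER declares {declared} bytes, block holds {len(der)}")
        except (binascii.Error, ValueError) as exc:
            problems.append(f"{begin_label}: {exc}")
        blocks.append({"label": begin_label, "der": der, "problems": problems})
    return blocks


def check_bundle(cli_text: str) -> Dict[str, object]:
    """Summarise a CLI PEM string: block count, comment and any problems found."""
    body, comment = strip_cli_quoting(cli_text)
    blocks = parse_pem_bundle(body)
    problems = [p for b in blocks for p in b["problems"]]
    if not blocks:
        problems.append("no BEGIN/END block found between the quotation marks")
    return {"count": len(blocks), "comment": comment,
            "problems": problems, "ok": not problems}


if __name__ == "__main__":
    print(check_bundle(SAMPLE_CLI_STRING))
```

Running the checker over a bundle before pasting it into the CLI catches the common copy-and-paste faults (a stray character inside the base64 body, a BEGIN line whose END does not match, a comment placed on its own line) while the text is still in an editor rather than after the appliance has rejected or, worse, partially imported it. The DER framing check is deliberately shallow: it proves the block decodes to one complete ASN.1 SEQUENCE but says nothing about whether the certificate inside is trustworthy.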
crypto ipsec
This command is now deprecated. It will be removed in a future release.
Description Configures IPSec cryptographic settings. Use the no form of this command to clear the settings.
Syntax
crypto ipsec {ike | peer}
crypto ipsec ike [clear sa {peer {IPv4 address or IPv6 address | any local IPv4 address or IPv6 address}} | restart]
crypto ipsec peer paddress local laddress keying {ike | manual}
crypto ipsec peer paddress local laddress keying manual { | auth | encrypt | local-spi | mode | remote-spi}
crypto ipsec peer paddress local laddress keying ike auth {hmac-md5 | hmac-sha1 | null}
crypto ipsec peer paddress local laddress keying ike encrypt {3des-cbc | aes-cbc | null}
crypto ipsec peer paddress local laddress keying ike exchange-mode {main | aggressive | base}
crypto ipsec peer paddress local laddress keying ike lifetime seconds
crypto ipsec peer paddress local laddress keying ike mode {transport | tunnel}
crypto ipsec peer paddress local laddress keying ike pfs-group gname
crypto ipsec peer paddress local laddress keying ike preshared-key kname
crypto ipsec peer paddress local laddress keying ike prompt-preshared-key
crypto ipsec peer paddress local laddress enable
[no] crypto ipsec peer paddress local laddress
User Role Admin.
Parameters
ike Manages the IKE (ISAKMP) process or database state.
- clear sa—Clears IKE-generated ISAKMP and IPsec security associations (peers may be affected).
- peer IPv4 address or IPv6 address—Clears security associations for the specified IKE peer (remote peers are affected).
- any local IPv4 address or IPv6 address—Clears security associations for all IKE peerings with a specific local address (remote peers are affected).
- restart—Restarts the IKE (ISAKMP) daemon (clears all IKE state; peers may be affected).
peer paddress Configures an IPv4 or IPv6 IPsec cryptographic peer IP address.
local laddress Local IP address.
manual Configures IPsec using manual keys via the following options:
- auth—Configures the authentication algorithm for this IPsec peering.
crypto ipsec peer paddress local laddress keying manual auth {hmac-md5 | hmac-sha1 | null}
hmac-md5 authentication, hmac-sha1 authentication, or null (encryption without authentication).
- encrypt—Configures the encryption algorithm for this IPsec peering.
crypto ipsec peer paddress local laddress keying manual encrypt {3des-cbc | aes-cbc | null}
3des-cbc encryption, aes-cbc encryption, or null (uses null encryption per RFC 2410).
- local-spi—Configures the local SPI for this manual IPsec peering.
- mode—Configures the peering mode for this IPsec peering.
- remote-spi—Configures the remote SPI for this manual IPsec peering.
auth {hmac-md5 | hmac-sha1} Authentication algorithm.
encrypt {3des-cbc | aes-cbc | null} Encryption algorithms. With the null option, encryption per RFC 2410 is still used for proposal.
exchange-mode {main | aggressive | base} Internet Key Exchange (IKE) exchange mode for the IPsec peer (main, aggressive, or base).
lifetime seconds Duration (seconds) of an IKE group for the IPsec peer.
mode {transport | tunnel} Type of IPsec connection (tunnel or transport).
pfs-group gname Name of the perfect forward secrecy (PFS) group for the IPsec peer.
preshared-key kname Preshared key for authenticating the IPsec peer.
prompt-preshared-key Indication that the system should prompt for the preshared key. The system prompts for the key when you press ENTER.
enable Enables this IPSec peering.
Example The following example assigns the main IKE exchange mode for the IPsec peer.
hostname (config) # crypto ipsec peer 192.168.5.4 local 192.168.4.3 exchange-mode main
Related Commands show crypto ipsec on page 1451
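The option set above includes choices that are weak by current standards (hmac-md5, 3des-cbc, null encryption, aggressive exchange mode), and the command is deprecated, so a reviewer's first task is usually to find peerings that still use them. The following Python audit is an added example written for this guide, not FireEye code: it parses lines in the crypto ipsec peer ... syntax shown above, as they might appear in a saved text-based configuration, groups them per peering, and reports the settings a reviewer should question. The sample configuration lines and addresses are constructed, and the policy messages are the editor's, not FireEye's.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: two IPsec peerings written in the "crypto ipsec peer"
# syntax, one with weak choices and one with the stronger options available.
SAMPLE_CONFIG = """
crypto ipsec peer 192.168.5.4 local 192.168.4.3 keying ike
crypto ipsec peer 192.168.5.4 local 192.168.4.3 keying ike exchange-mode aggressive
crypto ipsec peer 192.168.5.4 local 192.168.4.3 keying ike encrypt 3des-cbc
crypto ipsec peer 192.168.5.4 local 192.168.4.3 keying ike auth hmac-md5
crypto ipsec peer 192.168.5.4 local 192.168.4.3 keying ike preshared-key example-psk
crypto ipsec peer 192.168.5.4 local 192.168.4.3 enable
crypto ipsec peer 10.0.0.9 local 10.0.0.1 keying ike exchange-mode main
crypto ipsec peer 10.0.0.9 local 10.0.0.1 keying ike encrypt aes-cbc
crypto ipsec peer 10.0.0.9 local 10.0.0.1 keying ike auth hmac-sha1
crypto ipsec peer 10.0.0.9 local 10.0.0.1 keying ike prompt-preshared-key
crypto ipsec peer 10.0.0.9 local 10.0.0.1 enable
"""

PEER_RE = re.compile(
    r"^crypto ipsec peer (\S+) local (\S+)"      # peer and local addresses
    r"(?: keying (ike|manual))?"                 # optional keying method
    r"(?: (\S+)(?: (.+))?)?$"                    # optional setting and value
)

# Review findings keyed by (setting, value); wording is the editor's.
WEAK_SETTINGS: Dict[Tuple[str, str], str] = {
    ("encrypt", "null"): "null encryption (RFC 2410) gives integrity only, no confidentiality",
    ("encrypt", "3des-cbc"): "3DES uses a 64-bit block; prefer aes-cbc",
    ("auth", "hmac-md5"): "HMAC-MD5 is deprecated; prefer hmac-sha1",
    ("auth", "null"): "no integrity protection on this peering",
    ("exchange-mode", "aggressive"): "aggressive mode exposes the PSK hash to offline guessing",
}


def parse_ipsec_config(lines: List[str]) -> Dict[Tuple[str, str], Dict[str, object]]:
    """Group 'crypto ipsec peer' lines by (peer address, local address)."""
    peers: Dict[Tuple[str, str], Dict[str, object]] = {}
    for raw in lines:
        m = PEER_RE.match(raw.strip())
        if not m:
            continue                          # blank line or another command family
        paddr, laddr, keying, setting, value = m.groups()
        peer = peers.setdefault((paddr, laddr),
                                {"keying": None, "settings": {}, "enabled": False})
        if keying:
            peer["keying"] = keying
        if setting == "enable":
            peer["enabled"] = True
        elif setting:
            peer["settings"][setting] = value or ""
    return peers


def audit_peers(peers: Dict[Tuple[str, str], Dict[str, object]]) -> List[Tuple[str, str]]:
    """Return (peering, finding) pairs for settings a reviewer should question."""
    findings: List[Tuple[str, str]] = []
    for (paddr, laddr), peer in peers.items():
        tag = f"{paddr} (local {laddr})"
        if peer["keying"] == "manual":
            findings.append((tag, "manual keying: static keys and SPIs, no automatic rekeying"))
        for setting, value in peer["settings"].items():
            msg = WEAK_SETTINGS.get((setting, value))
            if msg:
                findings.append((tag, f"{setting} {value}: {msg}"))
        if "preshared-key" in peer["settings"]:
            findings.append((tag, "pre-shared key given inline; prompt-preshared-key keeps it out of the transcript"))
    return findings


def audit_text(config_text: str) -> List[Tuple[str, str]]:
    """Convenience wrapper: audit a whole text-based configuration."""
    return audit_peers(parse_ipsec_config(config_text.splitlines()))


if __name__ == "__main__":
    for peering, finding in audit_text(SAMPLE_CONFIG):
        print(f"{peering}: {finding}")
```

The parser accepts the abbreviated form used in the page's own example (exchange-mode given without a preceding keying ike), which is why the keying group in the regular expression is optional; lines from other command families are skipped rather than rejected so the audit can be run over a complete configuration dump.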
debug generate
Description Generates a system debug file named sysdump-hostname-yyyymmdd-hhmmss.tgz. The generated file is stored in /var/opt/tms/sysdumps.
Syntax debug generate dump
Parameters None
Example The following example generates a system debug file.
hostname # debug generate dump
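Collecting and sorting sysdumps from several appliances is a routine support and incident-response task, and the file name format given above carries everything needed to do it. The following Python helper is an added example written for this guide, not FireEye code: it parses names of the form sysdump-hostname-yyyymmdd-hhmmss.tgz, anchoring on the fixed-width timestamp so that host names that themselves contain dashes are split correctly, and picks the newest dump per host. The directory listing is constructed.

```python
import re
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Matches sysdump-<hostname>-yyyymmdd-hhmmss.tgz. The fixed-width date and
# time are anchored at the end, so a hostname such as nx-lab-01 keeps its dashes.
SYSDUMP_RE = re.compile(r"^sysdump-(?P<host>.+)-(?P<date>\d{8})-(?P<time>\d{6})\.tgz$")

# Constructed listing of /var/opt/tms/sysdumps gathered from two appliances.
SAMPLE_LISTING = [
    "sysdump-nx-lab-01-20160301-101500.tgz",
    "sysdump-nx-lab-01-20160302-093000.tgz",
    "sysdump-cm1-20160115-235959.tgz",
    "sysdump-cm1-20161301-000000.tgz",   # month 13: not a real timestamp, skipped
    "notes.txt",                          # unrelated file, skipped
]


def parse_sysdump_name(name: str) -> Optional[Tuple[str, datetime]]:
    """Return (hostname, timestamp) for a valid sysdump file name, else None."""
    m = SYSDUMP_RE.match(name)
    if not m:
        return None
    try:
        stamp = datetime.strptime(m.group("date") + m.group("time"), "%Y%m%d%H%M%S")
    except ValueError:                    # digits in the right place but not a date
        return None
    return m.group("host"), stamp


def newest_per_host(names: List[str]) -> Dict[str, str]:
    """Map each hostname to the file name of its most recent sysdump."""
    newest: Dict[str, Tuple[str, datetime]] = {}
    for name in names:
        parsed = parse_sysdump_name(name)
        if parsed is None:
            continue
        host, stamp = parsed
        if host not in newest or stamp > newest[host][1]:
            newest[host] = (name, stamp)
    return {host: name for host, (name, _) in newest.items()}


if __name__ == "__main__":
    for host, name in newest_per_host(SAMPLE_LISTING).items():
        print(f"{host}: {name}")
```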
deployment check network clear
To clear the results of the last network deployment check on an NX Series appliance, enter the deployment check network clear command in enable mode. This command requires the Monitor, Analyst, Operator, or Admin role. You can also run this command remotely from the command line of an integrated FireEye CM Series platform using the central management platform proxying mechanism.
Syntax deployment check network clear
Parameters None.
Description This command clears the results of the last network deployment check. Performing this operation leaves the packet capture itself intact and downloadable from the deployment_check.pcap file. If a network deployment check results in failure and you clear those results, then system restarts and managed process restarts do not trigger network deployment check event notifications for those results. The next network deployment check, whether started automatically at 00:00 (midnight) or started explicitly at the CLI or Web UI, generates a new set of results. For more information, see the NX Series System Administration Guide.
Examples
- deployment check network clear
- deployment check network clear (Initiated on CM Series for Managed Appliance 'NX-1')
deployment check network clear
The following example clears the results of the last network deployment check on an NX Series appliance.
hostname # deployment check network clear
deployment check network clear (Initiated on CM Series for Managed Appliance 'NX-1')
The following example, executed on a CM Series appliance, clears the results of the last network deployment check on the managed NX Series appliance named NX-1.
hostname # cmc execute appliance NX-1 command "deployment check network clear"
Release Information Command introduced in Release 7.4.0 for NX Series appliances.
deployment check network duration
To configure the maximum packet capture duration used by the network deployment checking feature on an NX Series appliance, use the deployment check network duration command in enable mode. This command requires the Operator or Admin role. You can also run this command remotely from the command line of an integrated FireEye CM Series platform using the central management platform proxying mechanism.
Syntax deployment check network duration seconds
Parameters seconds Maximum packet capture duration. The minimum value is 20. There is no maximum value. The default value is 120 seconds. The maximum capture amount is 100,000 packets.
Description This command specifies an override to the default maximum packet capture duration used by the network deployment checking feature. To display the setting of the network deployment check duration, enter the show deployment check network command in enable mode. Regardless of the packet capture duration, the maximum packet capture size is 100,000 packets. For more information, see the NX Series System Administration Guide.
Examples
deployment check network duration
The following example sets the upper limit for packet capture duration to 60 seconds.
hostname # deployment check network duration 60

deployment check network duration (Initiated on CM Series for All Managed Appliances)
The following example, executed on a CM Series appliance, sets the upper limit for packet capture duration to 60 seconds on all managed NX Series appliances.
hostname # cmc execute appliance all command "deployment check network duration 60"
Release Information Command introduced in Release 7.4.0 for NX Series appliances.
deployment check network start To explicitly start a network deployment check on an NX Series appliance, enter the deployment check network start command in enable mode. This command requires the Monitor, Analyst, Operator, or Admin role. You can also run this command remotely from the command line of an integrated FireEye CM Series platform using the central management platform proxying mechanism.
Syntax deployment check network start
Parameters None.
Description This command explicitly starts a network deployment check. If no monitoring interfaces are up, network deployment checking cannot start. For more information, see the NX Series System Administration Guide.
Examples
deployment check network start
The following example explicitly starts a network deployment check on an NX Series appliance.
hostname # deployment check network start

deployment check network start (No Monitoring Interfaces Up)
The following example attempts to start a network deployment check on an NX Series appliance on which no monitoring interfaces are up, so the check cannot start.
hostname # deployment check network start
All dataport link down. Deployment check could not be started.

deployment check network start (Initiated on CM Series for Managed Appliance 'NX-1')
The following example, executed on a CM Series appliance, starts a network deployment check on the managed NX Series appliance named NX-1.
hostname # cmc execute appliance NX-1 command "deployment check network start"
Release Information Command introduced in Release 7.4.0 for NX Series appliances.
disable Description Returns the user to standard mode from enabled mode. To access enabled mode, enter the enable command.
Syntax disable
Parameters None
Example The following example returns the user to standard mode from enabled mode, which changes the prompt from "#" to ">".
hostname # disable
hostname >
email To configure the events to be emailed to one or more email addresses using a Simple Mail Transfer Protocol (SMTP) server, use the email command in configuration mode. See email ssl on page 562 for the commands used to secure email. Related commands: show email, fenotify email, report email
Syntax
[no] email auth enable
[no] email auth username username
[no] email auth password password
[no] email autosupport enable
[no] email autosupport event event_name
[no] email dead-letter cleanup max-age duration
[no] email dead-letter enable
[no] email domain domain_name
[no] email mailhub hostname_or_ip_address
[no] email mailhub-port TCP_port
[no] email notify event event_name
[no] email notify recipient email_address [class {failure | info} | detail]
[no] email return-addr username
[no] email return-host
email send-test
User Role Administrator, Operator, or Analyst
Release Information Command introduced before Release 7.6.0.
Parameters
no Use the no form of this command to clear the email configuration.
auth enable Enable or disable SMTP authentication for sending email.
auth username username Set the user name for SMTP authentication.
auth password password Set the password for SMTP authentication.
autosupport enable Sends email to FireEye at "[email protected]" (disabled by default).
autosupport event event_name Specifies for which events to send autosupport notification emails:
• disk-space-low—Free disk space is low (enabled by default).
• disk-space-ok—Free disk space returned to normal (enabled by default).
• user-login—User logged in to the system.
• user-logout—User logged out of the system.
• syslog-rotation—System log file rotation.
• excessive-temperature—Excessive temperature is reached.
• interface-up—An interface's link state has changed to up.
• interface-down—An interface's link state has changed to down.
• normal-temperature—Temperature is normal.
• process-crash—A system process has crashed.
• smart-warning—Disk warnings generated by the Self-Monitoring, Analysis and Reporting Technology (SMART) system (disabled by default).
• raid-status-failure—A Redundant Array of Inexpensive Disks (RAID) error has occurred.
• raid-status-recover—A RAID has been recovered.
• physical-disk-failure—A physical disk has failed.
• physical-disk-recover—A physical disk has been recovered.
• power-supply-failure—A power supply has failed.
• power-supply-recover—A power supply has been recovered.
• fan-failure—A fan has failed.
• fan-recover—A fan has been recovered.
• license-state-changed—A license state has changed.
• security-update-failure—Security update has failed.
• http-throughput—HTTP throughput has not increased for a specified time.
• hardware-bypass-entered—Permanent hardware bypass mode entered.
• inline-engine-up—Inline packet inspection process has started (IPS-enabled platforms only).
• inline-engine-down—Inline packet inspection process has stopped (IPS-enabled platforms only).
• if-link-change—An interface link has changed.
dead-letter cleanup max-age duration Sets the maximum age of dead.letter files. Files older than the specified duration are deleted. The duration format is "5d4h3m2s" for 5 days, 4 hours, 3 minutes, 2 seconds.
dead-letter enable Saves a dead.letter file for undeliverable emails.
domain domain_name Hostname or IP address used as the domain of the sender address on notification emails, such as "example.com" (default is "fireeye.com").
mailhub hostname_or_ip_address Hostname or IPv4 or IPv6 address of the mail server used to send email alerts.
mailhub-port TCP_port Port number used by the specified mail server (default is port 25).
notify event event_name Enables email alerts for the specified event type:
• disk-space-low—Free disk space is low (enabled by default).
• disk-space-ok—Free disk space returned to normal (enabled by default).
• inline-engine-down—Inline packet inspection process has stopped (IPS-enabled platforms only).
• inline-engine-up—Inline packet inspection process has started (IPS-enabled platforms only).
• user-login—User logged in to the system.
• user-logout—User logged out of the system.
• excessive-temperature—Excessive temperature is reached.
• normal-temperature—Temperature is normal.
• smart-warning—Disk warnings generated by the Self-Monitoring, Analysis and Reporting Technology (SMART) system (disabled by default).
• interface-up—An interface's link state has changed to up.
• interface-down—An interface's link state has changed to down.
• syslog-rotation—System log file rotation.
• process-crash—A system process has crashed.
• raid-status-failure—A Redundant Array of Inexpensive Disks (RAID) error has occurred.
• raid-status-recover—A RAID has been recovered.
• physical-disk-failure—A physical disk has failed.
• physical-disk-recover—A physical disk has been recovered.
• power-supply-failure—A power supply has failed.
• power-supply-recover—A power supply has been recovered.
• fan-failure—A fan has failed.
• fan-recover—A fan has been recovered.
• license-state-changed—A license state has changed.
• security-update-failure—Security update has failed.
• http-throughput—HTTP throughput has not increased for a specified time.
• hardware-bypass-entered—Permanent hardware bypass mode entered.
• if-link-change—An interface link has changed. The stats alarm command should be set to no stats alarm enable. Refer to stats alarm.
notify recipient email_address [class {failure | info} | detail] Email address of an alert recipient, such as "[email protected]" (one address per command). By default, detailed emails are sent to the recipient for all failure and informational events that are enabled. All events are informational, except for process-crash, smart-warning, and unexpected-shutdown events.
return-addr username Local part of the address shown in the "Reply-To" field of alert emails (default is "do-not-reply").
return-host Specify whether to include the hostname in the return address for emails (default is the configured appliance hostname).
send-test Sends a test email alert to all configured recipients.
Example The following commands specify a mail server, domain, and one address to receive email alerts for smart-warning events:
hostname (config) # email mailhub 10.0.0.1
hostname (config) # email domain example.com
hostname (config) # email notify recipient [email protected]
hostname (config) # email notify event smart-warning
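The recipient class semantics of notify recipient and the max-age duration format are the two parts of this command that are easy to get wrong in a notification policy. The following Python model, added here as an illustration and not part of FireEye's software, parses the "5d4h3m2s" format, classifies events exactly as stated above (only process-crash, smart-warning and unexpected-shutdown are failure events, so fan-failure is informational), and shows which configured recipients would receive a given enabled event. The way the Reply-To address is composed from return-addr, return-host and domain, and all addresses used, are assumptions made for the example.

```python
import re
from dataclasses import dataclass, field

# The page states that all events are informational except these three.
FAILURE_EVENTS = frozenset({"process-crash", "smart-warning", "unexpected-shutdown"})

_DURATION_RE = re.compile(r"^(?:(\d+)d)?(?:(\d+)h)?(?:(\d+)m)?(?:(\d+)s)?$")


def parse_duration(text: str) -> int:
    """Parse the dead-letter max-age format ("5d4h3m2s") into seconds.

    Every unit is optional but the order day/hour/minute/second is fixed;
    anything else (empty string, unknown unit, wrong order) is rejected.
    """
    match = _DURATION_RE.match(text)
    if not text or match is None:
        raise ValueError(f"invalid duration: {text!r}")
    days, hours, minutes, seconds = (int(g) if g else 0 for g in match.groups())
    return days * 86400 + hours * 3600 + minutes * 60 + seconds


def event_class(event: str) -> str:
    """Return "failure" or "info" for an event name, per the page's rule."""
    return "failure" if event in FAILURE_EVENTS else "info"


@dataclass
class Recipient:
    """One `email notify recipient` entry. Default: detailed mail for both classes."""
    address: str
    classes: frozenset = frozenset({"failure", "info"})
    detail: bool = True


@dataclass
class EmailConfig:
    """Subset of the `email` configuration that decides who gets notified."""
    mailhub: str
    mailhub_port: int = 25
    domain: str = "fireeye.com"          # page default
    return_addr: str = "do-not-reply"    # page default
    return_host: bool = True
    hostname: str = "hostname"
    enabled_events: set = field(default_factory=set)
    recipients: list = field(default_factory=list)

    def reply_to(self) -> str:
        # Assumption: return-host prefixes the appliance hostname to the domain.
        host = f"{self.hostname}.{self.domain}" if self.return_host else self.domain
        return f"{self.return_addr}@{host}"

    def deliveries(self, event: str) -> list:
        """Addresses that would receive `event`; empty if the event is not enabled."""
        if event not in self.enabled_events:
            return []
        cls = event_class(event)
        return [r.address for r in self.recipients if cls in r.classes]


def sample_config() -> EmailConfig:
    """Constructed configuration mirroring the page's example, plus one
    failure-only recipient. Addresses are made up for the example."""
    cfg = EmailConfig(mailhub="10.0.0.1", domain="example.com")
    cfg.enabled_events.update({"smart-warning", "disk-space-low", "disk-space-ok"})
    cfg.recipients.append(Recipient("soc@example.com"))
    cfg.recipients.append(Recipient("oncall@example.com", classes=frozenset({"failure"})))
    return cfg


if __name__ == "__main__":
    cfg = sample_config()
    print("Reply-To:", cfg.reply_to())
    for ev in ("smart-warning", "disk-space-low", "fan-failure"):
        print(f"{ev:15} class={event_class(ev):7} -> {cfg.deliveries(ev)}")
    print("dead-letter max-age 5d4h3m2s =", parse_duration("5d4h3m2s"), "seconds")
```

Note that a recipient configured with class failure never hears about fan-failure or power-supply-failure, because the page classifies those as informational; anyone relying on hardware alerts needs class info (or the default) as well.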
email-analysis adv-url-defense cache {whitelist | blacklist} Configures how long the whitelist (nonmalicious) and blacklist (malicious) URLs are stored in the system. By default, nonmalicious URLs are deleted from the system after 24 hours and malicious URLs expire after one hour.
Syntax
email-analysis adv-url-defense cache whitelist hours
email-analysis adv-url-defense cache blacklist hours
Parameters
whitelist hours Specifies how long, in hours, to store the whitelist URLs. The range is from 1 to 168 hours. The default is 24 hours.
blacklist hours Specifies how long, in hours, to store the blacklist URLs. The range is from 1 to 168 hours. The default is one hour.
Examples The following example specifies that the whitelist URLs are stored for 48 hours:
hostname (config) # email-analysis adv-url-defense cache whitelist 48
The following example specifies that the blacklist URLs are stored for four hours:
hostname (config) # email-analysis adv-url-defense cache blacklist 4
User Role Administrator or Operator
Command Mode Configuration
Release Information Command introduced in Release 7.6.0 for EX Series appliances.
Related Commands For a list of related commands, see Email Analysis Commands on page 82 and Email Command Family on page 86.
email-analysis adv-url-defense rewrite enable To enable or disable rewriting URLs based on the Advanced URL Defense analysis, use the email-analysis adv-url-defense rewrite enable command in configuration mode.
Syntax [no] email-analysis adv-url-defense rewrite enable
User Role Administrator or Operator
Release Information Command introduced in Release 7.6.0 for EX Series appliances.
Description When the EX Series appliance is deployed in block mode, you can enable the EX Series appliance to rewrite one or more URLs within a message. One email can contain one or more suspicious URLs. The URLs that match the heuristic rules are sent back to the DTI Cloud for further analysis. The EX Series appliance prepends protect.fireeye.com to the rewritten URL in the following example: https://protect.fireeye.com/url?k=df35d163-2d4a-45fb-8df2-62d3517eae72&u=http://protectionupdate.team.com1serv13.webs001cr-cm-l0gin-submit-id.app1-lo0gin-submit-id.pp1-login-login2014.ap.serv64.idmsa-protection.com
URLs are rewritten only if they are detected as new or in the process of being analyzed by the FireEye Advanced URL Defense Detection Engine. If the URL is detected as malicious, you are redirected to a block page to inform you that the site contains malicious content. If the URL is detected as suspicious, you are redirected to a warning page to inform you that the site might contain malicious content. If the URL is detected as nonmalicious, you can access the original URL in the email message. You must enable rewriting URLs when the EX Series appliance is deployed in block mode and Advanced URL Defense is enabled. If you do not enable rewriting URLs, emails containing a URL are delivered with the links intact; if the FireEye Advanced URL Defense Detection Engine later returns a verdict that the URL is malicious, your system is not protected when the link is clicked. Use the show email-analysis adv-url-defense configuration command to verify that rewriting URLs is enabled.
© 2016 FireEye
487
CLI Reference Guide
PART III: Commands
Parameters no Use the no form of this command to disable rewriting URLs based on the Advanced URL Defense analysis.
Examples The following example enables rewriting URLs based on the Advanced URL Defense analysis: hostname (config) # email-analysis adv-url-defense rewrite enable
The following example disables rewriting URLs based on the Advanced URL Defense analysis: hostname (config) # no email-analysis adv-url-defense rewrite enable
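The rewrite format shown above (k=<token>&u=<original URL> on protect.fireeye.com) is what an analyst is handed when a user reports a rewritten link, so the following Python helper, added here as an example and not FireEye code, builds such links, unwraps them with an exact check of the rewrite host, and applies the verdict handling the section describes. The verdict table and the sample URLs are constructed for the example; only the token value and the rewrite host are taken from the page.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

REWRITE_HOST = "protect.fireeye.com"   # host shown in the page's example
REWRITE_PATH = "/url"

# Constructed verdict table standing in for the Detection Engine's answer.
# Keys are original URLs; anything not listed is still "pending".
SAMPLE_VERDICTS = {
    "http://bad.example/login": "malicious",
    "http://odd.example/promo?id=1&x=2": "suspicious",
    "http://news.example/2015/report.htm": "nonmalicious",
}


def rewrite_url(original: str, token: str) -> str:
    """Produce a rewritten link in the form shown on the page: k=<token>&u=<original>."""
    # urlencode percent-encodes the original so a '&' or '=' inside it cannot be
    # mistaken for a second query parameter when the link is unwrapped.
    return f"https://{REWRITE_HOST}{REWRITE_PATH}?{urlencode({'k': token, 'u': original})}"


def unwrap_url(link: str):
    """Return (token, original_url) for a genuine rewritten link, else None.

    The host comparison is exact: "protect.fireeye.com.evil.example" or a
    lookalike that merely carries the rewrite host in its path does not qualify.
    """
    parts = urlsplit(link)
    if parts.scheme.lower() != "https":
        return None
    if (parts.hostname or "").lower() != REWRITE_HOST or parts.path != REWRITE_PATH:
        return None
    qs = parse_qs(parts.query, keep_blank_values=True)
    if "k" not in qs or "u" not in qs:
        return None
    return qs["k"][0], qs["u"][0]


def resolve(link: str, verdicts: dict) -> tuple:
    """Apply the page's decision: block, warn, allow the original, or hold.

    Returns (action, url) where url is the destination the user would reach.
    """
    unwrapped = unwrap_url(link)
    if unwrapped is None:
        return ("not-rewritten", link)
    _token, original = unwrapped
    verdict = verdicts.get(original, "pending")
    if verdict == "malicious":
        return ("block-page", None)
    if verdict == "suspicious":
        return ("warning-page", original)
    if verdict == "nonmalicious":
        return ("allow", original)
    return ("pending", None)


if __name__ == "__main__":
    token = "df35d163-2d4a-45fb-8df2-62d3517eae72"   # token from the page's example
    for original in SAMPLE_VERDICTS:
        link = rewrite_url(original, token)
        print(link)
        print("  ->", resolve(link, SAMPLE_VERDICTS))
```

The exact host comparison in unwrap_url is the check worth keeping: phishing kits imitate rewrite services, and a suffix or substring match on the host name would accept them.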
email-analysis allowed-list To configure rules on an allowed list, use the email-analysis allowed-list command in configuration mode.
Syntax [no] email-analysis allowed-list sender-email-address email_address [no] email-analysis allowed-list sender-domain domain_name [no] email-analysis allowed-list sender-ip IP_address [no] email-analysis allowed-list recipient-email-address email_address [no] email-analysis allowed-list url URL [no] email-analysis allowed-list md5sum MD5_checksum_attachment
User Role Administrator or Operator
Release Information Command introduced in Release 7.6.0 for EX Series appliances.
Description These commands allow you to control which messages bypass analysis based on the matched email entries. No further analysis is performed. The EX Series appliance does not scan an email for malicious content if it contains the sender email address, sender domain, sender IP address, or recipient email address that you defined. URLs and attachments that match a url or md5sum rule are whitelisted automatically. When you configure the URL rule on an allowed list, you need to understand the following parts of a URL to enable wildcard and substring matches:
• Protocol—http:// or https://. The protocol is case-insensitive.
• Domain name—for example, www.yahoo.com. The domain name is case-insensitive.
• Path—for example, /2015/report.htm. The path is case-sensitive.
You do not need to include an asterisk (*) to enable wildcard and substring matches in a URL rule.
To apply a wildcard match on a domain name, omit the protocol. For example, the rule www.yahoo.com matches http://finance.yahoo.com, https://finance.yahoo.com, http://yahoo.com, https://www.yahoo.com, and so on. If you specify a protocol in a URL, the EX Series appliance rejects the attempt to apply a wildcard match.
You can apply a substring match on a path, a word, a query parameter, or any other substring that might appear in the path. Each part of the path is fully qualified. For example, the URL rule yahoo.com/finance matches http://finance.yahoo.com/finance/2015/report.html, but not http://finance.yahoo.com/finance2015report.html.
Parameters
sender-email-address email_address Adds the allow policy rule based on the email address of the sender. Use the no form of the command to delete the allow policy rule based on the email address of the sender.
sender-domain domain_name Adds the allow policy rule based on the domain of the sender. Use the no form of the command to delete the allow policy rule based on the domain of the sender. You cannot use non-ASCII characters when adding a rule for the sender domain.
sender-ip IP_address Adds the allow policy rule based on the IP address of the sender. Use the no form of the command to delete the allow policy rule based on the IP address of the sender. Only IPv4 addresses are supported.
recipient-email-address email_address Adds the allow policy rule based on the email address of the recipient. Use the no form of the command to delete the allow policy rule based on the email address of the recipient.
url URL Adds the allow policy rule based on the URL. Use the no form of the command to delete the allow policy rule based on the URL.
md5sum MD5_checksum_attachment Adds the allow policy rule based on the MD5 checksum of an attachment. Use the no form of the command to delete the allow policy rule based on the MD5 checksum of an attachment.
Examples
The following example adds the email address of the sender to an allowed list:
hostname (config) # email-analysis allowed-list sender-email-address [email protected]
The following example deletes the email address of the sender from an allowed list:
hostname (config) # no email-analysis allowed-list sender-email-address [email protected]
The following example adds the domain of the sender to an allowed list:
hostname (config) # email-analysis allowed-list sender-domain somedomain.net
The following example deletes the domain of the sender from an allowed list:
hostname (config) # no email-analysis allowed-list sender-domain somedomain.net
The following example adds the IP address of the sender to an allowed list:
hostname (config) # email-analysis allowed-list sender-ip 11.22.33.44
The following example deletes the IP address of the sender from an allowed list:
hostname (config) # no email-analysis allowed-list sender-ip 11.22.33.44
The following example adds the email address of the recipient to an allowed list:
hostname (config) # email-analysis allowed-list recipient-email-address [email protected]
The following example deletes the email address of the recipient from an allowed list:
hostname (config) # no email-analysis allowed-list recipient-email-address [email protected]
The following example adds the URL to an allowed list:
hostname (config) # email-analysis allowed-list url http://www.redu.com
The following example deletes the URL from an allowed list:
hostname (config) # no email-analysis allowed-list url http://www.redu.com
The following example adds the MD5 checksum of an attachment to an allowed list:
hostname (config) # email-analysis allowed-list md5sum d41d8cd98f00b204e9800998ecf8427e
The following example deletes the MD5 checksum of an attachment from an allowed list:
hostname (config) # no email-analysis allowed-list md5sum d41d8cd98f00b204e9800998ecf8427e
email-analysis blocked-list To configure rules on a blocked list, use the email-analysis blocked-list command in configuration mode.
Syntax [no] email-analysis blocked-list sender-email-address email_address [no] email-analysis blocked-list sender-domain domain_name [no] email-analysis blocked-list sender-ip IP_address [no] email-analysis blocked-list url URL [no] email-analysis blocked-list md5sum MD5_checksum_attachment
User Role Administrator or Operator
Release Information Command introduced in Release 7.6.0 for EX Series appliances.
Description These commands allow you to control which messages must be considered malicious based on the matched email entries. The EX Series appliance immediately marks an email for quarantine if it includes the sender email address, sender domain, or sender IP address that you defined. A URL or attachment MD5 checksum that matches a rule is marked malicious without further analysis. All the recipients receive a copy of the original malicious email with a different subject. In the EX Series Web UI, an email can be either deleted or released from the eQuarantine page. When you configure the URL rule on a blocked list, you need to understand the following parts of a URL to enable wildcard and substring matches:
• Protocol—http:// or https://. The protocol is case-insensitive.
• Domain name—for example, www.yahoo.com. The domain name is case-insensitive.
• Path—for example, /2015/report.htm. The path is case-sensitive.
You do not need to include an asterisk (*) to enable wildcard and substring matches in a URL rule.
To apply a wildcard match on a domain name, omit the protocol. For example, the rule www.yahoo.com matches http://finance.yahoo.com, https://finance.yahoo.com, http://yahoo.com, https://www.yahoo.com, and so on. If you specify a protocol in a URL, the EX Series appliance rejects the attempt to apply a wildcard match. You can apply a substring match on a path, a word, a query parameter, or any other substring that might appear in the path. Each part of the path is fully qualified. For example, the URL rule yahoo.com/finance matches http://finance.yahoo.com/finance/2015/report.html, but not http://finance.yahoo.com/finance2015report.html.
Parameters
sender-email-address email_address Adds the block policy rule based on the email address of the sender. Use the no form of the command to delete the block policy rule based on the email address of the sender.
sender-domain domain_name Adds the block policy rule based on the domain of the sender. Use the no form of the command to delete the block policy rule based on the domain of the sender. You cannot use non-ASCII characters when adding a rule for the sender domain.
sender-ip IP_address Adds the block policy rule based on the IP address of the sender. Use the no form of the command to delete the block policy rule based on the IP address of the sender. Only IPv4 addresses are supported.
url URL Adds the block policy rule based on the URL. Use the no form of the command to delete the block policy rule based on the URL.
md5sum MD5_checksum_attachment Adds the block policy rule based on the MD5 checksum of an attachment. Use the no form of the command to delete the block policy rule based on the MD5 checksum of an attachment. While such a rule is on the blocked list, attachments whose MD5 checksum matches it are marked as malicious without analysis.
Examples
The following example adds the email address of the sender to a blocked list:
hostname (config) # email-analysis blocked-list sender-email-address [email protected]
The following example deletes the email address of the sender from a blocked list:
hostname (config) # no email-analysis blocked-list sender-email-address [email protected]
The following example adds the domain of the sender to a blocked list:
hostname (config) # email-analysis blocked-list sender-domain somedomain.net
The following example deletes the domain of the sender from a blocked list:
hostname (config) # no email-analysis blocked-list sender-domain somedomain.net
The following example adds the IP address of the sender to a blocked list:
hostname (config) # email-analysis blocked-list sender-ip 44.33.22.11
The following example deletes the IP address of the sender from a blocked list:
hostname (config) # no email-analysis blocked-list sender-ip 44.33.22.11
The following example adds the URL to a blocked list:
hostname (config) # email-analysis blocked-list url http://www.redu.com
The following example deletes the URL from a blocked list:
hostname (config) # no email-analysis blocked-list url http://www.redu.com
The following example adds the MD5 checksum of an attachment to a blocked list:
hostname (config) # email-analysis blocked-list md5sum d41d8cd98f00b204e9800998ecf8427e
The following example deletes the MD5 checksum of an attachment from a blocked list:
hostname (config) # no email-analysis blocked-list md5sum d41d8cd98f00b204e9800998ecf8427e
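The URL matching rules stated for the allowed list (previous section) and the blocked list (this section) are identical, so one added Python model, written for this page and not FireEye code, covers both: a rule without a protocol is a wildcard domain match in which a leading www. is disregarded (the page's www.yahoo.com example covers yahoo.com and finance.yahoo.com), a rule with a protocol requires an exact host, and path segments compare whole and case-sensitively. Treating the rule's protocol as something the URL's scheme must also match is our reading of "rejects the attempt to apply a wildcard match"; query-string substring matching is not modeled. The sample lists are built from the page's own example rules.

```python
from urllib.parse import urlsplit


def _split_rule(rule: str):
    """Break an allowed-list or blocked-list URL rule into
    (scheme or None, lower-cased host, list of path segments)."""
    scheme = None
    if "://" in rule:
        scheme, rule = rule.split("://", 1)
        scheme = scheme.lower()                      # protocol is case-insensitive
    host, _, path = rule.partition("/")
    return scheme, host.lower(), [seg for seg in path.split("/") if seg]


def url_matches_rule(rule: str, url: str) -> bool:
    """Return True if `url` is covered by `rule` under the page's matching rules."""
    r_scheme, r_host, r_segs = _split_rule(rule)
    parts = urlsplit(url if "://" in url else "http://" + url)
    u_host = (parts.hostname or "").lower()          # domain is case-insensitive
    u_segs = [seg for seg in parts.path.split("/") if seg]

    if r_scheme is None:
        # No protocol in the rule: wildcard domain match. The page's example has
        # www.yahoo.com covering yahoo.com and finance.yahoo.com, so a leading
        # "www." in the rule is dropped and any labels may precede the rest.
        bare = r_host[4:] if r_host.startswith("www.") else r_host
        host_ok = u_host == bare or u_host.endswith("." + bare)
    else:
        # Protocol given: the page says no wildcard is applied. We read that as
        # exact host plus the same scheme (the scheme check is our interpretation).
        host_ok = parts.scheme.lower() == r_scheme and u_host == r_host

    # Path: every segment in the rule must equal the corresponding URL segment,
    # case-sensitively, so yahoo.com/finance covers /finance/2015/report.html
    # but not /finance2015report.html.
    return host_ok and u_segs[: len(r_segs)] == r_segs


def first_match(rules, url: str):
    """First rule in `rules` that covers `url`, or None. Run it once against the
    blocked list and once against the allowed list; which list wins when both
    match is appliance policy that the page does not state."""
    return next((rule for rule in rules if url_matches_rule(rule, url)), None)


if __name__ == "__main__":
    # Constructed lists built from the page's own example rules.
    blocked = ["http://www.redu.com", "yahoo.com/finance"]
    allowed = ["www.yahoo.com"]
    for url in (
        "http://finance.yahoo.com/finance/2015/report.html",
        "http://finance.yahoo.com/finance2015report.html",
        "https://www.redu.com/",
        "http://www.redu.com/download",
    ):
        print(url)
        print(f"  blocked by: {first_match(blocked, url)}  allowed by: {first_match(allowed, url)}")
```

The suffix test on "." + bare is what keeps yahoo.com.evil.example from matching a yahoo.com rule; a plain endswith("yahoo.com") would also accept notyahoo.com.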
email-analysis controlled-live-mode enable Enables controlled live mode. In controlled live mode, the EX Series appliance monitors and manages communication between the Internet and the suspicious binary under analysis. MVX sends and receives this traffic on pether2. Operating in controlled live mode enables the appliance to detect malware that requires remote objects. Controlled live mode is disabled by default. You enable the feature separately from configuring the feature settings. Do not enable controlled live mode or URL dynamic analysis until you have validated end-to-end connectivity between pether2 and the Internet and, if a proxy server is configured, between the proxy server and the Internet. To perform this validation using the CLI, use the analysis live check-connection command in configure mode. Controlled live mode requires the following pether2 network configuration settings:
• pether2 IPv4 address and mask length
• Default gateway IPv4 address
• DNS name server IPv4 address
If the local network uses a proxy server to access the Internet, additional configuration settings are required:
• Proxy server IPv4 address and port number
• Proxy server credentials (if authentication is required)
Syntax [no] email-analysis controlled-live-mode enable
Parameters
no Use the no form of the command to disable controlled live mode.
Example The following example enables controlled live mode:
hostname (config) # email-analysis controlled-live-mode enable
The following example disables controlled live mode:
hostname (config) # no email-analysis controlled-live-mode enable
User Role Administrator
Command Mode Configuration
Release Information This command was introduced as follows:
• EX Series: Release 7.8
Related Commands For a list of related commands, see Analysis Commands on page 57 and EX Series Commands on page 137.
email-analysis delete Description Deletes email analysis statistics. This command is available on the Email MPS.
Syntax email-analysis delete statistics
Parameters None
Example The following example removes all email analysis statistics. hostname (config) # email-analysis delete statistics
email-analysis delete-message Description Deletes messages based on queue ID. This command is available on the EX Series appliance.
Syntax email-analysis delete-message queue-id queue_id
Parameters
queue-id queue_id Queue ID of the message to delete.
Example The following example deletes the message in queue 2. hostname (config) # email-analysis delete-message queue-id 2
email-analysis domain Description Adds an email domain for email analysis and forwarding. This command is available on the Email MPS.
Syntax [no] email-analysis domain domain_name [next-hop hostname] [tls_policy {none | opportunistic | mandatory | verify}] [mx {yes | no | true | false}]
Parameters domain_name Specifies a domain name to add. next-hop hostname
Option to specify a hostname for the Mail Transfer Agent (MTA) next-hop. It should be a Fully Qualified Domain Name (FQDN).
tls_policy {none | opportunistic | mandatory | verify} Specifies the Transport Layer Security (TLS) policy setting:
• none—Provides no support for incoming TLS connections.
• opportunistic—Accepts emails over connections that may be either TLS encrypted or not encrypted, depending on the upstream configuration (both TLS and non-TLS connections are supported).
• mandatory—Requires TLS encryption for the connection. If the upstream device does not support TLS, the emails are not received by the Email MPS and remain on the upstream device until the connection is modified to allow for non-encrypted delivery.
• verify—Verifies the TLS policy.
mx {yes | no | true | false} Enables next-hop MTA Domain Name Service (DNS) mail exchange (MX) lookup.
Example The following example adds a domain for email analysis, specifies a TLS policy setting of Opportunistic, and enables next-hop MX lookup. hostname (config) # email-analysis domain at1.com next-hop at1-linux3.at1.com tls_policy opportunistic mx yes
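The practical difference between the tls_policy settings is what happens when the upstream MTA does not (or, under an on-path downgrade attack, appears not to) use STARTTLS. The following Python model, added here as an example and not FireEye code, plays one SMTP delivery attempt against the receiving appliance for each policy: the EHLO reply it would advertise, whether STARTTLS is negotiated, and whether MAIL FROM is accepted or refused so that the message stays on the upstream device, as the page describes for mandatory mode. Reply texts other than the RFC 3207 "530 5.7.0 Must issue a STARTTLS command first" are constructed, as is the reading of verify as mandatory TLS plus a valid peer certificate; the page says only that it "verifies the TLS policy".

```python
POLICIES = ("none", "opportunistic", "mandatory", "verify")


def ehlo_reply(policy: str, hostname: str = "ex.example") -> list:
    """EHLO reply the appliance returns. STARTTLS is advertised for every
    policy except none, which offers no TLS at all."""
    lines = [f"250-{hostname} Hello", "250-SIZE 52428800"]
    if policy != "none":
        lines.append("250-STARTTLS")
    lines.append("250 8BITMIME")            # last line of a multi-line reply uses "250 "
    return lines


def mail_from_reply(policy: str, tls_active: bool, cert_valid: bool) -> str:
    """Reply to MAIL FROM. A 5xx here leaves the message on the upstream device."""
    if policy not in POLICIES:
        raise ValueError(f"unknown tls_policy {policy!r}")
    if policy in ("mandatory", "verify") and not tls_active:
        return "530 5.7.0 Must issue a STARTTLS command first"   # RFC 3207 wording
    if policy == "verify" and not cert_valid:
        return "550 5.7.1 TLS certificate verification failed"  # constructed text
    return "250 2.1.0 Ok"


def session(policy: str, client_uses_starttls: bool, cert_valid: bool = True) -> list:
    """Transcript of one delivery attempt. C: upstream MTA, S: EX appliance.
    (Real clients re-issue EHLO after STARTTLS; omitted for brevity.)"""
    transcript = ["C: EHLO mx.upstream.example"]
    transcript += ["S: " + line for line in ehlo_reply(policy)]
    tls_active = False
    if client_uses_starttls:
        transcript.append("C: STARTTLS")
        if policy == "none":
            transcript.append("S: 502 5.5.1 Command not implemented")
        else:
            transcript.append("S: 220 2.0.0 Ready to start TLS")
            tls_active = True
    transcript.append("C: MAIL FROM:<sender@upstream.example>")
    transcript.append("S: " + mail_from_reply(policy, tls_active, cert_valid))
    return transcript


def outcome(policy: str, client_uses_starttls: bool, cert_valid: bool = True) -> str:
    """'accepted' if the envelope was taken, otherwise 'stays-upstream' (the
    page's description of mandatory mode when the upstream device lacks TLS)."""
    last = session(policy, client_uses_starttls, cert_valid)[-1]
    return "accepted" if last.startswith("S: 250") else "stays-upstream"


if __name__ == "__main__":
    for policy in POLICIES:
        for uses_tls in (False, True):
            print(f"{policy:13} client_starttls={uses_tls!s:5} -> {outcome(policy, uses_tls)}")
    print()
    print("\n".join(session("mandatory", client_uses_starttls=False)))
```

The row to notice is opportunistic with client_starttls=False: the mail is accepted in plaintext, which is exactly the fallback an attacker who strips STARTTLS from the exchange relies on. Only mandatory and verify refuse the envelope, at the cost of the message sitting on the upstream device until TLS is fixed there.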
email-analysis pass-extract add ignoreword Adds an ignored word to an ignored word candidate list. Ignored word candidates are words that are excluded from the password candidate list. You can use the same word in both the keyword candidate list and the ignored word candidate list. However, the same word cannot be used in both the password candidate list and the ignored word list. There are two sources for the ignored word candidates list. They are custom (customer-defined) ignored words and default (FireEye-defined) ignored words. You can add up to 100 ignored word entries. You can view the ignored word in UTF-8 characters using the email-analysis pass-extract add ignoreword command. You cannot use UTF-8 characters to add ignored words using this command. You can use UTF-8 characters to add ignored words only in the Settings: Attachment decryption page in the Web UI. You can configure ignored words only in English using this command. For details about password candidate extraction, refer to the EX Series 7.8 User Guide.
Syntax email-analysis pass-extract add ignoreword ignored_word
Parameters
ignored_word Ignored word to be added to the ignored word candidate list.
Example The following example adds the ignored word "fire" to the ignored word candidate list: hostname (config) # email-analysis pass-extract add ignoreword fire
User Role Administrator or Operator
Command Mode Configuration
Release Information This command was introduced as follows:
• EX Series: Release 7.8
Related Commands For a list of related commands, see Email Analysis Password Extraction Command Family on page 85.
email-analysis pass-extract add keyword Adds a keyword to a keyword candidate list for password extraction. Keyword candidates are words that are most likely to be in the vicinity of a password candidate. Keywords are the clues for finding the passwords. You can use the same word in both the password candidate list and the keyword candidate list. The same word can also be used in both the keyword candidate list and the ignored word candidate list. There are three sources for the keyword candidates list. They are custom (customer-defined) keywords, default (FireEye-defined) keywords, and data pushed from a secure content update. You can add up to 100 keyword entries. You can view the keyword in UTF-8 characters using the email-analysis pass-extract add keyword command. You cannot use UTF-8 characters to add keywords using this command. You can use UTF-8 characters to add keywords only in the Settings: Attachment decryption page in the Web UI. You can configure keywords only in English using this command. For details about password candidate extraction, refer to the EX Series 7.8 User Guide.
Syntax email-analysis pass-extract add keyword keyword
Parameters
keyword Keyword to be added to the keyword candidate list.
Example The following example adds the keyword "update" to the keyword candidate list: hostname (config) # email-analysis pass-extract add keyword update
User Role Administrator or Operator
Command Mode Configuration
Release Information This command was introduced as follows:
• EX Series: Release 7.6
Related Commands For a list of related commands, see Email Analysis Password Extraction Command Family on page 85.
email-analysis pass-extract add password Adds a password to a password candidate list for password extraction. Password candidates are possible passwords that are used to open a password-protected malware object. You can use the same word in both the password candidate list and the keyword candidate list. The same word cannot be used in both the password candidate list and the ignored word candidate list. There are three sources for the password candidates list. They are the email body, the candidates you configured, and data pushed from a secure content update. You can add up to 100 password entries. You can view the password in UTF-8 characters using the email-analysis passextract add password command. You cannot use UTF-8 characters to add passwords using this command. You can use UTF-8 characters to add passwords only in the Settings: Attachment decryption page in the Web UI. You can configure passwords only in English using this command. For details about password candidate extraction, refer to the EX Series 7.8 User Guide.
Syntax email-analysis pass-extract add password password
Parameters password
Password to be added to the password candidate list.
Example The following example adds the password "newPa$$w_rd" to the password candidate list: hostname (config) # email-analysis pass-extract add password newPa$$w_rd
User Role Administrator and Operator
Command Mode Configuration
Release Information This command was introduced as follows: EX Series: Release 7.6
Related Commands For a list of related commands, see Email Analysis Password Extraction Command Family on page 85.
email-analysis pass-extract delete ignoreword Deletes an ignored word from the ignored word candidate list. For details about password candidate extraction, refer to the EX Series 7.8 User Guide.
Syntax email-analysis pass-extract delete ignoreword word
Parameters word
Ignored word to be deleted from the ignored word candidate list.
Example The following example deletes the ignored word "fire" from the ignored word candidate list: hostname (config) # email-analysis pass-extract delete ignoreword fire
User Role Administrator and Operator
Command Mode Configuration
Release Information This command was introduced as follows: EX Series: Release 7.8
Related Commands For a list of related commands, see Email Analysis Password Extraction Command Family on page 85.
email-analysis pass-extract delete keyword Deletes a keyword from the keyword candidate list for password extraction. For details about password candidate extraction, refer to the EX Series 7.8 User Guide.
Syntax email-analysis pass-extract delete keyword keyword
Parameters keyword
Keyword to be deleted from the keyword candidate list.
Example The following example deletes the keyword "removekey" from the keyword candidate list: hostname (config) # email-analysis pass-extract delete keyword removekey
User Role Administrator and Operator
Command Mode Configuration
Release Information This command was introduced as follows: EX Series: Release 7.6
Related Commands For a list of related commands, see Email Analysis Password Extraction Command Family on page 85.
email-analysis pass-extract delete password Deletes a password from the password candidate list for password extraction. For details about password candidate extraction, refer to the EX Series 7.8 User Guide.
Syntax email-analysis pass-extract delete password password
Parameters password
Password to be deleted from the password candidate list.
Example The following example deletes the password "removePasscode" from the password candidate list: hostname (config) # email-analysis pass-extract delete password removePasscode
User Role Administrator and Operator
Command Mode Configuration
Release Information This command was introduced as follows: EX Series: Release 7.6
Related Commands For a list of related commands, see Email Analysis Password Extraction Command Family on page 85.
email-analysis pass-extract limit Configures the maximum number of password candidates to be found within an email message body for password-protected malware objects.
Syntax email-analysis pass-extract limit number
Parameters number
Maximum number of password candidates to be found. The range is from 20 to 100 password candidates. The default value is 20.
Example The following example limits the number of password candidates to be found in an email to 30: hostname (config) # email-analysis pass-extract limit 30
User Role Administrator and Operator
Command Mode Configuration
Release Information This command was introduced as follows: EX Series: Release 7.8
Related Commands For a list of related commands, see Email Analysis Password Extraction Command Family on page 85.
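The password extraction model that the pass-extract entries above describe (keyword candidates as clues for nearby password candidates, custom passwords, ignored words, the 100-entry cap on each list and the 20 to 100 candidate limit), shown as an added Python example; this is not FireEye code and not taken from this guide. The default keyword set, the three-token search window after a keyword, the tokenising rules and the sample email body are constructed assumptions, since the appliance's own matching rules are not documented here.

```python
import re
from dataclasses import dataclass, field

# Constructed stand-in for the FireEye-defined default keyword list (assumption:
# the real default list and secure-content-update data are not on the page).
DEFAULT_KEYWORDS = {"password", "passwd", "pass", "pwd", "pin", "code"}
MAX_ENTRIES = 100          # the CLI caps each list at 100 entries
_STRIP = "\"'()[]<>,.;:="  # punctuation that may cling to a keyword token


@dataclass
class PassExtractConfig:
    keywords: set = field(default_factory=lambda: set(DEFAULT_KEYWORDS))
    passwords: set = field(default_factory=set)     # custom password candidates
    ignorewords: set = field(default_factory=set)   # never used as candidates
    limit: int = 20                                 # candidates per message, 20..100

    def add_keyword(self, word):
        # A keyword may also appear on the password or ignored-word list.
        if len(self.keywords) >= MAX_ENTRIES:
            raise ValueError("keyword list is full")
        self.keywords.add(word.lower())

    def add_password(self, word):
        # A password may not also be an ignored word.
        if word in self.ignorewords:
            raise ValueError("word is on the ignored word list")
        if len(self.passwords) >= MAX_ENTRIES:
            raise ValueError("password list is full")
        self.passwords.add(word)

    def set_limit(self, n):
        if not 20 <= n <= 100:
            raise ValueError("limit must be between 20 and 100")
        self.limit = n


def extract_candidates(body, cfg, window=3):
    """Return the ordered password candidates for one email body.

    Custom passwords come first, then every token that follows a keyword
    within `window` tokens (assumption: the appliance's real proximity rule
    is not documented here). Keywords and ignored words are skipped,
    duplicates are dropped and the list is cut at cfg.limit.
    """
    found, seen = [], set()

    def push(tok):
        if tok and tok not in seen and tok not in cfg.ignorewords:
            seen.add(tok)
            found.append(tok)

    for custom in sorted(cfg.passwords):
        push(custom)
    tokens = re.findall(r"\S+", body)
    for i, tok in enumerate(tokens):
        if tok.strip(_STRIP).lower() not in cfg.keywords:
            continue
        for nxt in tokens[i + 1:i + 1 + window]:
            cand = nxt.strip("\"'(),.;")
            if cand.lower() in cfg.keywords:
                continue            # a keyword is a clue, not a password
            push(cand)
    return found[:cfg.limit]


# Constructed sample: an invoice lure that names the archive password inline.
SAMPLE_BODY = ("Hi, the invoice is attached. Password: Inv0ice2016! Please update "
               "your records. pin code is 4491.")


def run_sample():
    cfg = PassExtractConfig()
    cfg.add_keyword("update")          # as in the CLI example above
    cfg.add_password("infected")       # custom entry, tried before body candidates
    cfg.ignorewords.add("is")
    return extract_candidates(SAMPLE_BODY, cfg)
```

The limit matters operationally: every candidate is one more attempt to open the archive in the sandbox, so a body full of keywords can cost real analysis time, which is why the CLI bounds it at 100.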
email-analysis filter Description Configures analysis filter options.
Syntax email-analysis filter threadcount count
Parameters threadcount count Sets the number of filter threads used to process emails.
Example The following example sets the number of filter threads used during email analysis. hostname (config) # email-analysis filter threadcount 280
email-analysis flush-message Description Flushes messages (redelivers deferred emails). This command is available on the EX Series appliance.
Syntax email-analysis flush-message all
email-analysis flush-message queue-id queue_id
Parameters None
Example The following example redelivers the message in queue 12. hostname (config) # email-analysis flush-message queue-id 12
email-analysis interface Selects the network interface to be used for email analysis.
Syntax email-analysis interface interface_name
Parameters interface_name
Name of the network interface to use for email analysis. The IP address of the interface is used by the Message Transfer Agent (MTA). The default network interface is pether3.
Example The following example changes the network interface to use for email analysis to pether2: hostname (config) # email-analysis interface pether2
User Role Administrator or Analyst
Command Mode Configuration
Release Information Command introduced before Release 7.6.0 for EX Series appliances.
Related Commands For a list of related commands, see Email Analysis Commands on page 82.
email-analysis adv-url-defense rewrite enable on page 487
email-analysis allowed-list on page 489
email-analysis blocked-list on page 492
email-analysis controlled-live-mode enable on page 495
email-analysis delete on page 497
email-analysis delete-message on page 498
email-analysis domain on page 499
email-analysis filter on page 507
email-analysis flush-message on page 508
email-analysis interface on page 509
email-analysis mode on page 513
email-analysis mta certificate name on page 514
email-analysis mta smtp start on page 517
email-analysis mta smtp stop on page 515
email-analysis mta start on page 518
email-analysis mta stop on page 519
email-analysis pass-extract add on page 1
email-analysis pass-extract delete on page 1
email-analysis policy adv-url-defense enable on page 520
email-analysis policy att-limit on page 520
email-analysis policy congestion bypass-threshold on page 521
email-analysis policy congestion high-threshold on page 522
email-analysis policy congestion mode bypass enable on page 522
email-analysis policy congestion mode refuse-connection enable on page 523
email-analysis policy feature-extractor enable on page 524
email-analysis policy image-analysis enable on page 524
email-analysis policy max-size-limit on page 525
email-analysis policy message-tracking max-days-records on page 526
email-analysis policy message-tracking syslog-enable on page 527
email-analysis policy monitor backoff on page 527
email-analysis policy monitor bypass-threshold on page 528
email-analysis policy monitor defer-threshold on page 529
email-analysis policy monitor enable on page 530
email-analysis policy monitor interval on page 530
email-analysis policy notice admin on page 531
email-analysis policy notice bcc on page 532
email-analysis policy notice body on page 532
email-analysis policy notice enable on page 533
email-analysis policy notice from on page 534
email-analysis policy notice subject on page 534
email-analysis policy parse-https enable on page 535
email-analysis policy reload on page 536
email-analysis policy url-images enable on page 538
email-analysis policy url-limit on page 538
email-analysis policy url-phishing blacklist enable on page 539
email-analysis policy url-phishing whitelist enable on page 539
email-analysis policy use-header enable on page 540
email-analysis policy xheader enable on page 541
email-analysis policy yara-analysis enable on page 542
email-analysis policy typosquatting enable on page 537
email-analysis quarantine on page 543
email-analysis reroute-message on page 544
email-analysis suppress on page 545
email-analysis adv-url-defense cache {whitelist | blacklist} on page 486
email-analysis url-dynamic-analysis enable on page 546
show email-analysis on page 1463
show email-analysis adv-url-defense configuration on page 1491
show email-analysis adv-url-defense statistics on page 1493
show email-analysis all on page 1465
show email-analysis allowed-list statistics on page 1465
show email-analysis attachment on page 1466
show email-analysis blocked-list statistics on page 1467
show email-analysis done on page 1468
show email-analysis log on page 1470
show email-analysis message-queue max-num on page 1471
show email-analysis mta mynetworks on page 1473
show email-analysis mta status on page 1495
show email-analysis pass-extract ignorewords on page 1475
show email-analysis pass-extract keywords on page 1476
show email-analysis pass-extract passwords on page 1477
show email-analysis policy on page 1502
show email-analysis queued on page 1482
show email-analysis running on page 1483
show email-analysis statistics on page 1484
show email-analysis url on page 1500
show email-analysis url-dynamic-analysis on page 1497
show email-analysis yara-statistics on page 1489
email-analysis mode Description Configures the email analysis mode. This command is available on the EX Series appliance. After you change to another analysis mode, you must use the reload command in CLI configuration mode to reboot the appliance.
Syntax email-analysis mode {block | drop | monitor | tap}
Parameters block
Block mode: Blocks all malicious email, and sends recipients a "blocked email" notice instead. This is the default.
drop
Drop mode: Drops all emails after analysis.
monitor
Monitor mode: Forwards all emails to the recipient.
tap
Tap mode: Analyzes emails for a SPAN/TAP deployment scenario.
Example The following example selects the Monitor mode of email analysis. hostname (config) # email-analysis mode monitor
email-analysis mta certificate name Designates the certificate that verifies the identity of the EX Series appliance to the downstream MTA.
Syntax email-analysis mta certificate name {mta-cert | system-self-signed}
no email-analysis mta certificate
User Role Operator or Admin
Release Information Command introduced in Release 7.6.0.
Parameters mta-cert
A named certificate of your own named "mta-cert."
system-self-signed
The system-self-signed certificate.
no email-analysis mta certificate
Restores the system-self-signed certificate as the active MTA certificate.
Example The following example specifies that a named certificate should be the active certificate for the MTA connection. hostname (config) # email-analysis mta certificate name mta-cert
email-analysis mta smtp stop Stops the SMTP interface.
Syntax email-analysis mta smtp stop
Parameters None
Description You can use this command to stop the SMTP interface from receiving SMTP traffic from an antispam device or MTA. The EX Series appliance continues to analyze the emails it already received and continues to block them or deliver them to the downstream mail server until the queue is empty. New incoming emails are either queued in the upstream MTA or routed to another appliance, depending on your network deployment. You can monitor the queue, wait for it to clear, and then start the maintenance activity.
The EX Series Congestion Control feature has a "Refuse Connection" threshold. When the threshold is reached, the feature automatically stops the SMTP interface. The "Congestion Control in effect?" field in the output of show email-analysis mta status on page 1495 shows whether the SMTP interface is already stopped for this reason. If the traffic falls below the threshold during the maintenance activity, the SMTP interface will automatically start again. To prevent this, use email-analysis mta smtp stop above to manually stop the interface. (For information about the Congestion Control feature, see the EX Series User Guide.)
Example The following example stops the SMTP interface.
hostname (config) # email-analysis mta smtp stop
hostname (config) # show email-analysis mta status
Congestion Control in effect? no
SMTP Interface Disabled: yes
MTA Process Status: running
User Role Admin or Operator
Command Mode Configuration
Release Information This command was released as follows: EX Series: Release 7.8.0
Related Commands For a list of related commands, see EX Series Commands on page 137.
email-analysis mta smtp start Restarts the SMTP interface after maintenance activities for which it was stopped are done.
Syntax email-analysis mta smtp start
Parameters None
Example The following example restarts the SMTP interface.
hostname (config) # email-analysis mta smtp start
hostname (config) # show email-analysis mta status
Congestion Control in effect? no
SMTP Interface Disabled: no
MTA Process Status: running
User Role Admin or Operator
Command Mode Configuration
Release Information This command was released as follows: EX Series: Release 7.8.0
Related Commands For a list of related commands, see EX Series Commands on page 137.
email-analysis mta start Restarts the MTA process after maintenance activities for which it was stopped are done.
Syntax email-analysis mta start
Parameters None
Example The following example restarts the MTA process.
hostname (config) # email-analysis mta start
Restarting the MTA. Check 'show email-analysis mta status' to see status.
hostname (config) # show email-analysis mta status
Congestion Control in effect? no
SMTP Interface Disabled: no
MTA Process Status: running
User Role Admin or Operator
Command Mode Configuration
Release Information This command was released as follows: EX Series: Release 7.8.0
Related Commands For a list of related commands, see EX Series Commands on page 137.
email-analysis mta stop Stops the MTA process.
Syntax email-analysis mta stop
Parameters None
Description You can use this command to stop the MTA process during maintenance activities to prevent the EX Series appliance from receiving SMTP traffic and from processing the emails it already received. The emails the appliance already received remain in the queue while the MTA is stopped.
Example The following example stops the MTA process.
hostname (config) # email-analysis mta stop
The MTA has been stopped. No email will be processed.
hostname (config) # show email-analysis mta status
Congestion Control in effect? no
SMTP Interface Disabled: no
MTA Process Status: stopped
User Role Admin or Operator
Command Mode Configuration
Release Information This command was released as follows: EX Series: Release 7.8.0
Related Commands For a list of related commands, see EX Series Commands on page 137.
email-analysis policy adv-url-defense enable Enables the settings for Advanced URL Defense. The option to parse HTTP links is automatically enabled when Advanced URL Defense is enabled.
Syntax [no] email-analysis policy adv-url-defense enable
Parameters no
Use the no form of the command to disable Advanced URL Defense.
User Role Administrator or Operator
Command Mode Configuration
Release Information This command was introduced as follows: EX Series: Release 7.6
Related Commands For a list of related commands, see EX Series Commands on page 137.
email-analysis policy att-limit Sets the maximum number of attachments that are processed per email.
Syntax email-analysis policy att-limit count
Parameters count
The number of attachments to process per email. The default is 20.
Example The following example sets the maximum number of attachments to 15: hostname (config) # email-analysis policy att-limit 15
User Role Administrator or Operator
Command Mode Configuration
Release Information Command introduced before Release 7.5.0 for EX Series appliances.
Related Commands For a list of related commands, see EX Series Commands on page 137.
email-analysis policy congestion bypass-threshold Sets the number of objects in the attachments queue. When the threshold is exceeded, new incoming emails are accepted but are delivered without being analyzed.
Syntax email-analysis policy congestion bypass-threshold number
Parameters number
The number of objects in the attachment queue. The range is from 1 to 20000.
Example The following example sets the number of objects in the queue to 500: hostname (config) # email-analysis policy congestion bypass-threshold 500
User Role Administrator or Operator
Command Mode Configuration
Release Information Command introduced before Release 7.5.0 for EX Series appliances.
Related Commands For a list of related commands, see EX Series Commands on page 137.
email-analysis policy congestion high-threshold Sets the number of emails in the email queue. When the threshold is exceeded, the SMTP interface is disabled and all new incoming SMTP connections are refused.
Syntax email-analysis policy congestion high-threshold number
Parameters number
The number of emails in the email queue. The range is from 100 to 30000.
Example The following example sets the number of emails in the queue to 1000: hostname (config) # email-analysis policy congestion high-threshold 1000
User Role Administrator or Operator
Command Mode Configuration
Release Information Command introduced before Release 7.5.0 for EX Series appliances.
Related Commands For a list of related commands, see EX Series Commands on page 137.
email-analysis policy congestion mode bypass enable Sets bypass mode for congestion control.
Syntax [no] email-analysis policy congestion mode bypass enable
Parameters no
The no form of this command turns off congestion mode.
Example The following example sets the congestion mode to bypass: hostname (config) # email-analysis policy congestion mode bypass enable
User Role Administrator or Operator
Command Mode Configuration
Release Information Command introduced before Release 7.5.0 for EX Series appliances.
Related Commands For a list of related commands, see EX Series Commands on page 137.
email-analysis policy congestion mode refuse-connection enable Sets refuse-connection mode for congestion control.
Syntax [no] email-analysis policy congestion mode refuse-connection enable
Parameters no
The no form of this command turns off congestion mode.
Example The following example sets the congestion mode to refuse-connection: hostname (config) # email-analysis policy congestion mode refuse-connection enable
User Role Administrator or Operator
Command Mode Configuration
Release Information Command introduced before Release 7.5.0 for EX Series appliances.
Related Commands For a list of related commands, see EX Series Commands on page 137.
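The four congestion-control entries above (bypass-threshold on the attachment queue, high-threshold on the email queue, and the bypass and refuse-connection modes) combined into one decision function, as an added Python example; it is not FireEye code. It assumes that each threshold acts only while its mode is enabled, that the refuse-connection check takes precedence, and that the interface comes back once the email queue drops below high-threshold, as the mta smtp stop description says it does. The queue snapshots are constructed.

```python
from dataclasses import dataclass
from enum import Enum


class Verdict(Enum):
    ANALYZE = "analyze"            # normal path: queue the email for analysis
    BYPASS = "deliver-unanalyzed"  # bypass mode: accepted, delivered without analysis
    REFUSE = "refuse-connection"   # refuse-connection mode: SMTP interface disabled


@dataclass
class CongestionPolicy:
    bypass_threshold: int = 500    # objects in the attachment queue, 1..20000
    high_threshold: int = 1000     # emails in the email queue, 100..30000
    bypass_mode: bool = False      # email-analysis policy congestion mode bypass enable
    refuse_mode: bool = False      # ... mode refuse-connection enable

    def __post_init__(self):
        # Same ranges the CLI documents for the two thresholds.
        if not 1 <= self.bypass_threshold <= 20000:
            raise ValueError("bypass-threshold must be 1..20000")
        if not 100 <= self.high_threshold <= 30000:
            raise ValueError("high-threshold must be 100..30000")


@dataclass
class QueueState:
    email_queue: int
    attachment_queue: int
    smtp_disabled: bool = False    # what 'Congestion Control in effect?' reports


def decide(policy, state):
    """Apply the congestion rules to one incoming email and return a Verdict."""
    # Assumption: the interface restarts once traffic falls back under the threshold.
    if state.smtp_disabled and state.email_queue <= policy.high_threshold:
        state.smtp_disabled = False
    if policy.refuse_mode and state.email_queue > policy.high_threshold:
        state.smtp_disabled = True
        return Verdict.REFUSE
    if policy.bypass_mode and state.attachment_queue > policy.bypass_threshold:
        return Verdict.BYPASS
    return Verdict.ANALYZE


def audit(policy, states):
    """Count verdicts over queue snapshots. BYPASS is the number of emails that
    reached users with no analysis at all: the figure worth alerting on."""
    counts = {v: 0 for v in Verdict}
    for st in states:
        counts[decide(policy, st)] += 1
    return counts


def run_sample():
    policy = CongestionPolicy(bypass_threshold=500, high_threshold=1000,
                              bypass_mode=True, refuse_mode=True)
    # Constructed snapshots: (email queue depth, attachment queue depth).
    states = [QueueState(200, 100),     # calm: analyze
              QueueState(1500, 100),    # email queue over high-threshold: refuse
              QueueState(200, 800),     # attachment queue over bypass-threshold: bypass
              QueueState(1500, 800)]    # both exceeded: refuse wins
    return audit(policy, states)
```

A bypass verdict is a detection gap by design: the appliance stays available but the mail was never analyzed, so the message-tracking syslog output (see message-tracking syslog-enable below) is where you would look for messages delivered during that window.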
email-analysis policy feature-extractor enable Enables the pre-processor for email feature extraction.
Syntax [no] email-analysis policy feature-extractor enable
Parameters no
The no form of this command disables email feature extraction.
Example The following example enables email feature extraction: hostname (config) # email-analysis policy feature-extractor enable
User Role Administrator or Operator
Command Mode Configuration
Release Information Command introduced before Release 7.5.0 for EX Series appliances.
Related Commands For a list of related commands, see EX Series Commands on page 137.
email-analysis policy image-analysis enable Enables the submission of image attachments for signature image analysis. Use the no form of the command to disable the submission of image attachments for analysis.
This command is disabled by default. Image attachments are not submitted for analysis.
Syntax [no] email-analysis policy image-analysis enable
Parameters no
The no form of this command disables image analysis.
Example The following example enables image submission: hostname (config) # email-analysis policy image-analysis enable
User Role Administrator or Operator
Command Mode Configuration
Release Information This command was released as follows: EX Series: Release 7.6.0
Related Commands For a list of related commands, see EX Series Commands on page 137.
email-analysis policy max-size-limit Sets the maximum size in MB for email to be submitted for analysis.
Syntax email-analysis policy max-size-limit size
Parameters size
The maximum size of email that can be submitted for analysis. The default size is 35 MB.
Example The following example sets the maximum size of email that is submitted for analysis: hostname (config) # email-analysis policy max-size-limit
User Role Administrator or Operator
Command Mode Configuration
Release Information Command introduced before Release 7.5.0 for EX Series appliances.
Related Commands For a list of related commands, see EX Series Commands on page 137.
email-analysis policy message-tracking max-days-records Sets the maximum number of days to retain email records.
Syntax email-analysis policy message-tracking max-days-records days
Parameters days
The maximum number of days to retain email records.
Example The following example sets the maximum number of days to 14: hostname (config) # email-analysis policy message-tracking max-days-records 14
User Role Administrator or Operator
Command Mode Configuration
Release Information This command was released as follows: EX Series: Release 7.6.0
Related Commands For a list of related commands, see EX Series Commands on page 137.
email-analysis policy message-tracking syslog-enable Enables syslogging of message tracking records.
Syntax [no] email-analysis policy message-tracking syslog-enable
Parameters no
Use the no form of this command to disable syslogging of message tracking records.
Example The following example enables syslogging of message tracking records: hostname (config) # email-analysis policy message-tracking syslog-enable
User Role Administrator or Operator
Command Mode Configuration
Release Information This command was released as follows: EX Series: Release 7.6.0
Related Commands For a list of related commands, see EX Series Commands on page 137.
email-analysis policy monitor backoff Sets the monitor alert backoff time period.
Syntax email-analysis policy monitor backoff seconds
Parameters seconds
The time period in seconds.
Example The following example sets the monitor backoff time to 60 minutes: hostname (config) # email-analysis policy monitor backoff 3600
User Role Administrator or Operator
Command Mode Configuration
Release Information Command introduced before Release 7.5.0 for EX Series appliances.
Related Commands For a list of related commands, see EX Series Commands on page 137.
email-analysis policy monitor bypass-threshold Sets the monitor alert bypass threshold. When the combined number of email attachments and URLs waiting to be analyzed exceeds a specific threshold, new incoming emails are accepted but are delivered without being analyzed.
Syntax email-analysis policy monitor bypass-threshold count
Parameters count
The number of messages. The default is 2000.
Example The following example sets the threshold to 1000: hostname (config) # email-analysis policy monitor bypass-threshold 1000
User Role Administrator or Operator
Command Mode Configuration
Release Information Command introduced before Release 7.5.0 for EX Series appliances.
Related Commands For a list of related commands, see EX Series Commands on page 137.
email-analysis policy monitor defer-threshold Sets the monitor alert deferred queue threshold.
Syntax email-analysis policy monitor defer-threshold count
Parameters count
The number of messages.
Example The following example sets the threshold to 100: hostname (config) # email-analysis policy monitor defer-threshold 100
User Role Administrator or Operator
Command Mode Configuration
Release Information Command introduced before Release 7.5.0 for EX Series appliances.
Related Commands For a list of related commands, see EX Series Commands on page 137.
email-analysis policy monitor enable Enables email monitoring.
Syntax [no] email-analysis policy monitor enable
Parameters no
The no form of this command disables email monitoring.
User Role Administrator or Operator
Command Mode Configuration
Release Information Command introduced before Release 7.5.0 for EX Series appliances.
Related Commands For a list of related commands, see EX Series Commands on page 137.
email-analysis policy monitor interval Sets the alert interval for email monitoring.
Syntax email-analysis policy monitor interval minutes
Parameters minutes
The time interval in minutes between monitoring.
Example The following example sets the interval to 15 minutes: hostname (config) # email-analysis policy monitor interval 15
User Role Administrator or Operator
Command Mode Configuration
Release Information Command introduced before Release 7.5.0 for EX Series appliances.
Related Commands For a list of related commands, see EX Series Commands on page 137.
email-analysis policy notice admin Adds an administrator recipient to the list to receive block notification messages. When a malicious email is blocked, recipients on this list are sent a blocked email notice.
Syntax [no] email-analysis policy notice admin email_addr
Parameters no
The no form of this command removes the email address from the list of recipients.
email_addr
Email address.
Example The following example adds [email protected] to the list of blocked email notification message recipients: hostname (config) # email-analysis policy notice admin [email protected]
User Role Administrator or Operator
Command Mode Configuration
Release Information Command introduced before Release 7.5.0 for EX Series appliances.
Related Commands For a list of related commands, see EX Series Commands on page 137.
email-analysis policy notice bcc Adds bcc recipients to the list to receive block notification messages. When a malicious email is blocked, recipients on this list are sent the original email that was blocked, but with an altered subject line to make it easily distinguishable.
Syntax [no] email-analysis policy notice bcc email_addr
Parameters no
The no form of this command removes the specified email address from the list of recipients.
email_addr
Email address.
Example The following example adds [email protected] to the list of recipients of blocked email notification messages: hostname (config) # email-analysis policy notice bcc [email protected]
User Role Administrator or Operator
Command Mode Configuration
Release Information Command introduced before Release 7.5.0 for EX Series appliances.
Related Commands For a list of related commands, see EX Series Commands on page 137.
email-analysis policy notice body Sets the body of notification messages. When a malicious email is blocked, recipients on this list are sent a blocked email notice.
Syntax email-analysis policy notice body message_body
Parameters message_body
Body text of the notification message.
Example The following example sets the body text of email notification messages: hostname (config) # email-analysis policy notice body A malicious email message has been blocked by the FireEye Email Malware Protection System. The message detail is summarized below. [From] %sender% [To] %recipient% [Subject] %subject% [Date] %date% [Attachments(bad/total)] %attachment_bad%/%attachment_total% [URL (bad/total)] %url_bad%/%url_total% The administrator has been notified regarding this message '%message_id%'. Appropriate action will be taken after further analysis. For more information, please contact your administrator.
User Role Administrator or Operator
Command Mode Configuration
Release Information Command introduced before Release 7.5.0 for EX Series appliances.
Related Commands For a list of related commands, see EX Series Commands on page 137.
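The notice body above is a template whose %name% placeholders are filled from the blocked message. Rendering it is where a practitioner should be careful: the Subject and sender of a blocked message are attacker controlled, so a template engine that substitutes placeholders one after another will expand placeholder text that arrived inside a field value. The added Python example below (not FireEye code; how the appliance renders the body is not on the page) shows a single-pass renderer beside the naive sequential one, using the page's own body text as the template and constructed field values.

```python
import re

# Placeholder names taken from the notice body in the CLI example above.
PLACEHOLDERS = ("sender", "recipient", "subject", "date", "attachment_bad",
                "attachment_total", "url_bad", "url_total", "message_id")
_TOKEN_RE = re.compile(r"%(" + "|".join(PLACEHOLDERS) + r")%")

# The page's example body, split into lines for readability.
TEMPLATE = (
    "A malicious email message has been blocked by the FireEye Email Malware "
    "Protection System. The message detail is summarized below.\n"
    "[From] %sender%\n[To] %recipient%\n[Subject] %subject%\n[Date] %date%\n"
    "[Attachments(bad/total)] %attachment_bad%/%attachment_total%\n"
    "[URL (bad/total)] %url_bad%/%url_total%\n"
    "The administrator has been notified regarding this message '%message_id%'. "
    "Appropriate action will be taken after further analysis. "
    "For more information, please contact your administrator."
)


def render_notice(template, fields):
    """Single-pass substitution: each known %name% is replaced exactly once
    from `fields`, so a value that itself contains a placeholder (here the
    Subject of the blocked message) is copied literally, never expanded.
    Unknown names are left as-is so a typo in the template stays visible."""
    def sub(m):
        return str(fields.get(m.group(1), m.group(0)))
    return _TOKEN_RE.sub(sub, template)


def render_notice_naive(template, fields):
    """Sequential replace for comparison: each pass re-scans text inserted by
    the previous one, so placeholder text smuggled in a field is expanded."""
    out = template
    for name, value in fields.items():
        out = out.replace("%" + name + "%", str(value))
    return out


# Constructed values for a blocked message; the Subject carries placeholder text.
SAMPLE_FIELDS = {
    "sender": "mailer@example.net",
    "recipient": "user@example.com",
    "subject": "Invoice %message_id%",
    "date": "Tue, 8 Mar 2016 10:00:00 +0000",
    "attachment_bad": 1, "attachment_total": 1,
    "url_bad": 0, "url_total": 2,
    "message_id": "<c0ffee@example.net>",
}
```

The leak in the naive version is small here (a message id shows up in the Subject line), but the same mechanism lets a crafted Subject rewrite the [From] or attachment counts that the admin reads, which is exactly the part of the notice they rely on.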
email-analysis policy notice enable Enables sending block notices to recipients in block mode.
Syntax [no] email-analysis policy notice enable
Parameters no
The no form of this command disables sending block notices to recipients in block mode.
User Role Administrator or Operator
Command Mode Configuration
Release Information Command introduced before Release 7.5.0 for EX Series appliances.
Related Commands For a list of related commands, see EX Series Commands on page 137.
email-analysis policy notice from Sets the From header for notification messages.
Syntax email-analysis policy notice from email_addr
Parameters email_addr
The email address that notification messages will display in the From header.
Example The following example sets the From address of email notification messages to [email protected]: hostname (config) # email-analysis policy notice from [email protected]
User Role Administrator or Operator
Command Mode Configuration
Release Information Command introduced before Release 7.5.0 for EX Series appliances.
Related Commands For a list of related commands, see EX Series Commands on page 137.
email-analysis policy notice subject Sets the Subject header of notification messages.
Syntax email-analysis policy notice subject subject
Parameters subject
The text that notification messages will display in the Subject header.
Example The following example sets the Subject header of notification messages to "Alert": hostname (config) # email-analysis policy notice subject Alert
User Role Administrator or Operator
Command Mode Configuration
Release Information Command introduced before Release 7.5.0 for EX Series appliances.
Related Commands For a list of related commands, see EX Series Commands on page 137.
email-analysis policy parse-https enable Enables HTTPS link parsing.
Syntax [no] email-analysis policy parse-https enable
Parameters no
The no form of this command disables HTTPS link parsing.
User Role Administrator or Operator
Command Mode Configuration
Release Information Command introduced before Release 7.5.0 for EX Series appliances.
Related Commands For a list of related commands, see EX Series Commands on page 137.
email-analysis policy reload Reloads the filter to enable policy changes.
Syntax email-analysis policy reload
Parameters None.
User Role Administrator or Operator
Command Mode Configuration
Release Information Command introduced before Release 7.5.0 for EX Series appliances.
Related Commands For a list of related commands, see EX Series Commands on page 137.
email-analysis policy typosquatting enable Enables the typosquatting detection feature so that the appliance can analyze suspicious sender and URL domains used in URLs within an email message body. The URL is compared against a blacklist of typosquatted domains to determine whether the URL is malicious. The URLs that match the blacklist of typosquatted domains are uploaded to the Dynamic Threat Intelligence (DTI) Cloud for further analysis. Domain blacklists are updated when the system checks for new security content from the DTI Cloud. After you have configured the appliance to detect typosquatting, you can view analysis of the results on the eAlerts > Alerts page. The typosquatting detection feature is enabled by default. A one-way CONTENT_UPDATES license must be installed on the appliance for security content updates.
Syntax [no] email-analysis policy typosquatting enable
Parameters no
Use the no form of this command to disable typosquatting detection.
Example The following example enables typosquatting detection on the appliance:
hostname (config) # email-analysis policy typosquatting enable
User Role Administrator and Operator
Command Mode Configuration
Release Information This command was introduced as follows:
- EX Series: Release 7.8
Related Commands For a list of related commands, see EX Series Commands on page 137.
email-analysis policy url-images enable Enables analysis of image URLs.
Syntax [no] email-analysis policy url-images enable
Parameters no
Use the no form of the command to disable analysis of image URLs.
User Role Administrator or Operator
Command Mode Configuration
Release Information Command introduced before Release 7.5.0 for EX Series appliances.
Related Commands For a list of related commands, see EX Series Commands on page 137.
email-analysis policy url-limit Sets the maximum number of URLs to process per email.
Syntax email-analysis policy url-limit count
Parameters count
The maximum number of URLs to process per email. The default value is 5 URLs per email.
Example The following example sets the maximum number of URLs to 15:
hostname (config) # email-analysis policy url-limit 15
User Role Administrator or Operator
Command Mode Configuration
Release Information Command introduced before Release 7.5.0 for EX Series appliances.
Related Commands For a list of related commands, see EX Series Commands on page 137.
email-analysis policy url-phishing blacklist enable Enables the URL phishing blacklist feature.
Syntax [no] email-analysis policy url-phishing blacklist enable
Parameters no
Use the no form of the command to disable the URL phishing blacklist feature.
User Role Administrator or Operator
Command Mode Configuration
Release Information This command was introduced as follows:
- EX Series: Release 7.8
Related Commands For a list of related commands, see EX Series Commands on page 137.
email-analysis policy url-phishing whitelist enable Enables the URL phishing whitelist feature.
Syntax [no] email-analysis policy url-phishing whitelist enable
Parameters no
Use the no form of the command to disable the URL phishing whitelist feature.
User Role Administrator or Operator
Command Mode Configuration
Release Information This command was introduced as follows:
- EX Series: Release 7.8
Related Commands For a list of related commands, see EX Series Commands on page 137.
email-analysis policy use-header enable Enables the Header Envelope feature. You can copy the original SMTP recipient or sender information when the EX Series appliance is deployed in drop mode. This feature is not enabled by default. When the Header Envelope feature is enabled, the original To: and From: email header information is displayed in the eAlerts page and eQuarantine page of the EX Series Web UI. If the Header Envelope feature is not enabled, only the Message Transfer Agent (MTA) sender email address (for example, [email protected]) and the recipient email address (for example, [email protected]) are displayed for all incoming email alerts and quarantines that are obtained through the drop mode traffic.
Syntax [no] email-analysis policy use-header enable
Parameters no
Use the no form of the command to disable the Header Envelope feature.
User Role Administrator or Operator
Command Mode Configuration
Release Information Command introduced before Release 7.5.0 for EX Series appliances.
Related Commands For a list of related commands, see EX Series Commands on page 137.
email-analysis policy xheader enable Enables the X-Header option. When deployed in block mode or monitor mode, the EX Series appliance adds the X-Headers to describe the analysis and detection results by the Multivector Virtual Execution (MVX) engine. The EX Series appliance appends X-FireEye to each header value.
Syntax [no] email-analysis policy xheader enable
Parameters no
Use the no form of the command to disable the X-Header option.
Example The following example appends X-FireEye to each header value:
hostname (config) # email-analysis policy xheader enable
This results in the following header:
X-FireEye: Malicious Attachment Found
User Role Administrator or Operator
Command Mode Configuration
Release Information Command introduced before Release 7.5.0 for EX Series appliances.
Related Commands For a list of related commands, see EX Series Commands on page 137.
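The X-FireEye header is only useful if something downstream reads it. The following Python script, added here as an example and not part of the FireEye documentation or product, parses a message with the standard email module and turns the header value shown above into a verdict. It also strips the header from mail that arrives by a path that does not pass through the appliance, since a plain-text header can be set by any sender. The sample messages are constructed, and the treatment of X-FireEye values other than "Malicious Attachment Found" (classified as analyzed but not flagged) is an assumption, because the page shows only that one value.

```python
"""Act on the X-FireEye header that an EX Series appliance adds in block or
monitor mode.  Added example, not FireEye code; the only header value taken
from the page is "Malicious Attachment Found"."""
from email import message_from_string
from email.message import Message
from typing import List

# Constructed sample messages, not captured from a real appliance.
FLAGGED = """\
From: sender@example.com
To: recipient@example.com
Subject: Invoice
X-FireEye: Malicious Attachment Found
Content-Type: text/plain

Please see the attached invoice.
"""

UNSCANNED = """\
From: sender@example.com
To: recipient@example.com
Subject: Hello
Content-Type: text/plain

No appliance header here.
"""


def fireeye_headers(msg: Message) -> List[str]:
    """Return every X-FireEye value; a message can carry more than one."""
    return [v.strip() for v in msg.get_all("X-FireEye", [])]


def verdict(raw: str) -> str:
    """Classify a message by its X-FireEye headers.

    "unscanned": no header, so the message did not pass through the
                 appliance or the xheader option is disabled.
    "malicious": a header value mentions "Malicious" (the page's example).
    "analyzed":  header present with another value (assumption: treat it as
                 analyzed but not flagged).
    """
    values = fireeye_headers(message_from_string(raw))
    if not values:
        return "unscanned"
    if any("malicious" in v.lower() for v in values):
        return "malicious"
    return "analyzed"


def strip_fireeye_headers(raw: str) -> str:
    """Remove X-FireEye headers from mail received over an untrusted hop.

    The header is ordinary text that any sender can include, so a filter
    should trust it only on the path where the appliance adds it and drop it
    on every other ingress before its own processing runs.
    """
    msg = message_from_string(raw)
    del msg["X-FireEye"]          # deletes every occurrence of the header
    return msg.as_string()
```

Run verdict() on mail after the appliance hop and strip_fireeye_headers() on mail that enters from elsewhere; the two together keep the header meaningful.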
email-analysis policy yara-analysis enable Enables the email YARA analysis option.
Syntax [no] email-analysis policy yara-analysis enable
Parameters no
Use the no form of the command to disable the email YARA analysis option.
User Role Administrator or Operator
Command Mode Configuration
Release Information This command was released as follows:
- EX Series: Release 7.6.0
Related Commands For a list of related commands, see EX Series Commands on page 137.
email-analysis quarantine Description Configures the email quarantine. This command is available on the Email MPS. The no form of this command removes a quarantine.
Syntax [no] email-analysis quarantine cleanup {enable | keep days}
[no] email-analysis quarantine notice {enable | high-water limit | low-water limit}
[no] email-analysis quarantine size limit
Parameters cleanup enable
Enables automatic quarantine cleanup.
cleanup keep days
Sets the number of days to keep quarantined email messages.
notice enable
Enables quarantine usage notification emails to be sent to administrators. Recipient email addresses may be added using the fenotify email command.
notice high-water limit
Sets the maximum area of the quarantine (in gigabytes) that can be used before a quarantine usage notification email is sent.
notice low-water limit
Sets the minimum area of the quarantine (in gigabytes) that can be used before a quarantine usage notification email is sent.
size limit
Sets the maximum size of the quarantine area in gigabytes.
Example The following example configures the quarantine to keep email messages for 30 days.
hostname (config) # email-analysis quarantine cleanup keep 30
email-analysis reroute-message Description Reroutes messages based on queue ID. This command is available on the EX Series appliance.
Syntax email-analysis reroute-message queue-id queue_id receiver-email receiver_email smtp-port port_number smtp-server ip_address
User Role Administrator or Operator
Parameters queue-id queue_id
Specifies the identification number of the queue the message is in.
receiver-email receiver_email
Specifies the email address of the receiver.
smtp-port port_number
Specifies the port number of the SMTP server.
smtp-server ip_address
Specifies the IP address of the SMTP server.
Example The following example reroutes the message in queue 10 to an SMTP server at 172.162.152.10.
hostname (config) # email-analysis reroute-message queue-id 10 receiver-email [email protected] smtp-port 554 smtp-server 172.162.152.10
email-analysis suppress Description If an MD5 was detected as a false-positive event, this command prevents that MD5 from being marked as malicious. All the records matching that MD5 will be marked as nonmalicious. In previous releases, this command was called malware suppress.
Syntax email-analysis suppress md5 md5_id
Parameters md5 md5_id
Suppresses the records with matching MD5 sum.
Example The following example suppresses a false-positive event from being marked as malicious.
hostname (config) # email-analysis suppress md5 9e107d9d372bb6826bd81d3542a419d6
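An added example (not FireEye code) of what MD5 suppression does to a set of alert records. The hash is the one used in the page's example; it is the MD5 of the well-known test string "The quick brown fox jumps over the lazy dog", which lets the script check its own hashing. The records and their field names are constructed.

```python
"""Apply an MD5 false-positive suppression list to alert records.
Added example, not FireEye code; the record layout is constructed."""
import hashlib
import re
from typing import Dict, Iterable, List, Set

HEX32 = re.compile(r"^[0-9a-f]{32}$")

# The hash from the page's example.  It is MD5("The quick brown fox jumps
# over the lazy dog"), a standard test vector.
SUPPRESSED: Set[str] = {"9e107d9d372bb6826bd81d3542a419d6"}

# Constructed records; the second hash is MD5 of the empty string and
# simply stands in for some other sample.
RECORDS: List[Dict[str, str]] = [
    {"id": "1", "md5": "9E107D9D372BB6826BD81D3542A419D6", "verdict": "malicious"},
    {"id": "2", "md5": "d41d8cd98f00b204e9800998ecf8427e", "verdict": "malicious"},
]


def md5_hex(data: bytes) -> str:
    """Hex MD5 of a byte string, as the appliance keys its records."""
    return hashlib.md5(data).hexdigest()


def normalize_md5(value: str) -> str:
    """Lower-case and validate the 32-hex-digit form the CLI expects."""
    value = value.strip().lower()
    if not HEX32.match(value):
        raise ValueError(f"not an MD5 digest: {value!r}")
    return value


def apply_suppression(records: Iterable[Dict[str, str]],
                      suppressed: Set[str]) -> List[Dict[str, str]]:
    """Mark every record whose MD5 is on the suppression list as nonmalicious.

    Matching is on the exact digest (case-insensitive), which is what the
    page describes: all records with that MD5 change verdict, nothing else.
    """
    wanted = {normalize_md5(h) for h in suppressed}
    out = []
    for rec in records:
        rec = dict(rec)                       # do not mutate the caller's data
        if normalize_md5(rec["md5"]) in wanted:
            rec["verdict"] = "nonmalicious"
            rec["suppressed"] = "true"
        out.append(rec)
    return out
```

Suppression keys on the exact digest, so it covers precisely the byte sequence that produced the false positive and nothing else; an entry stays in force until removed, so the list is worth reviewing periodically.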
email-analysis url-dynamic-analysis enable Enables the URL Dynamic Analysis feature so that the EX Series appliance can analyze both the URL and the objects the URL references. When URL Dynamic Analysis is enabled, the EX Series appliance can also identify malicious shortened URLs (for example, j.mp, tinyurl.com, or bit.ly) that are embedded in an email message body. You can prevent access to these shortened URLs, which may point to sites that contain malware. URL Dynamic Analysis is disabled by default.
Do not enable controlled live mode or URL dynamic analysis until you have validated end-to-end connectivity between ether2 and the Internet and, if a proxy server is configured, between the proxy server and the Internet. To perform this validation using the CLI, use the analysis live check-connection command in configure mode.
Syntax [no] email-analysis url-dynamic-analysis enable
Parameters no
Use the no form of this command to disable URL Dynamic Analysis.
Example The following example enables URL Dynamic Analysis on the appliance:
hostname (config) # email-analysis url-dynamic-analysis enable
User Role Administrator and Operator
Command Mode Configuration
Release Information This command was introduced as follows:
- EX Series: Before Release 7.5
Related Commands For a list of related commands, see Analysis Commands on page 57 and EX Series Commands on page 137.
email-analysis url-dynamic-analysis To configure URL dynamic analysis so both the URL and the objects the URL references can be analyzed, use the email-analysis url-dynamic-analysis command in configuration mode.
Syntax email-analysis url-dynamic-analysis external ip IP_address netmask
email-analysis url-dynamic-analysis default-gateway ip IP_address
email-analysis url-dynamic-analysis nameserver ip IP_address
email-analysis url-dynamic-analysis http-proxy IP_address port_number
Release Information This command was introduced as follows:
- EX Series: Before Release 7.6.0. Command deprecated in Release 7.8 and later releases.
Parameters external ip IP_address netmask
Sets the IP address to retrieve files in live mode. The mask identifies the subnet that belongs to the IP address. This IP address is for the ether2 interface, which also needs a cable connected to the switch to allow the connection to the Internet.
default-gateway ip IP_address
Sets the IP address of the node that serves as the access point to the Internet.
nameserver ip IP_address
Sets the IP address for the Domain Name System (DNS) server.
http-proxy IP_address port_number
Sets the IP address and port number for the HTTP proxy server.
Example The following example specifies that URL Dynamic Analysis use the DNS name server at IPv4 address 172.17.1.1:
hostname (config) # email-analysis url-dynamic-analysis nameserver ip 172.17.1.1
email auth enable Enables SMTP authentication for sending email.
Syntax [no] email auth enable
Parameters no
Use the no form of this command to disable SMTP authentication for sending email.
User Role Administrator, Operator, or Analyst
Command Mode Configuration
Release Information Command introduced before Release 7.6.0.
Related Commands For a list of related commands, see Email Command Family on page 86.
email auth password [password] Sets the password for SMTP authentication. If no password is specified on the command line when setting the password, the user will be prompted for the password, and the echoed response will be obscured.
Syntax [no] email auth password [password]
Parameters no
Use the no form of this command to clear the configured password for SMTP authentication.
password
Optional user password.
Example The following example sets the password:
hostname (config) # email auth password $parr0wFeathers
User Role Administrator, Operator, or Analyst
Command Mode Configuration
Release Information Command introduced before Release 7.6.0.
Related Commands For a list of related commands, see Email Command Family on page 86.
email auth username Sets the user name to use in SMTP authentication.
Syntax [no] email auth username username
Parameters no
Use the no form of this command to clear the user name used for SMTP authentication. This effectively disables authentication until the user name is set again.
username
The user name to use for SMTP authentication.
Example The following example sets the user name to administrator:
hostname (config) # email auth username administrator
User Role Administrator, Operator, or Analyst
Command Mode Configuration
Release Information Command introduced before Release 7.6.0.
Related Commands For a list of related commands, see Email Command Family on page 86.
email autosupport enable Sends automatic support notifications via email.
Syntax [no] email autosupport enable
Parameters no
Use the no form of this command to disable automatic support notifications.
User Role Administrator, Operator, or Analyst
Command Mode Configuration
Release Information Command introduced before Release 7.6.0.
Related Commands For a list of related commands, see Email Command Family on page 86.
email autosupport event Enables sending of the specified event to autosupport.
Syntax [no] email autosupport event event_name
Parameters no
Use the no form of this command to disable notification emails for the specified event.
event_name
The events for which to send autosupport notification emails.
- process-crash—A process in which the system has crashed.
- disk-space-low—Free disk space is low (enabled by default).
- disk-space-ok—Free disk space returned to normal (enabled by default).
- cmc-new-client—A new potential CMC client has announced itself.
- cmc-status-failure—The CMC has detected an error in a managed appliance.
- cmc-status-ok—A CMC status error has been corrected.
- cmc-version-mismatch—The CMC connected to an appliance with a different system software version.
- smart-warning—Disk warnings generated by the Self-Monitoring, Analysis and Reporting Technology (SMART) system (disabled by default).
- interface-up—An interface’s link state has changed to up.
- interface-down—An interface’s link state has changed to down.
- user-login—User logged in to the system.
- user-logout—User logged out of the system.
- syslog-rotation—System log files rotation.
- excessive-temperature—Excessive temperature is reached.
- normal-temperature—Temperature is normal.
- raid-status-failure—A Redundant Array of Inexpensive Disks (RAID) error has occurred.
- raid-status-recover—A RAID has been recovered.
- physical-disk-failure—A physical disk has failed.
- physical-disk-recover—A physical disk has been recovered.
- power-supply-failure—A power supply has failed.
- power-supply-recover—A power supply has been recovered.
- fan-failure—A fan has failed.
- fan-recover—A fan has been recovered.
- license-state-changed—A license state has changed.
- security-update-failure—Security update has failed.
- unexpected-failover—An unexpected fail-over on CMS-HA has occurred.
- manual-failover—A manual fail-over on CMS-HA has occurred.
- nxha-health-failure—NX-HA health check failed.
- mvx-cluster-state-changed—MVX cluster state changed.
- mvx-cluster-util-threshold-exceeded—MVX cluster utilization has exceeded threshold.
- http-throughput—HTTP throughput has not increased for a specified time.
- hardware-bypass-entered—Permanent hardware bypass mode entered.
- inline-engine-up—Inline packet inspection process has started (IPS-enabled platforms only).
- inline-engine-down—Inline packet inspection process has stopped (IPS-enabled platforms only).
- if-link-change—An interface link has changed.
- faas-vpn-status-change—Status of FaaS VPN has changed.
- token-state-change—Virtual appliance activation state is changed.
- dupe-appliance-detected—A duplicate virtual appliance was detected.
- token-server-unreachable—Token Server is unreachable.
- token-server-reachable—Token Server is reachable.
User Role Administrator, Operator, or Analyst
Command Mode Configuration
Release Information Command introduced before Release 7.6.0.
Related Commands For a list of related commands, see Email Command Family on page 86.
email dead-letter cleanup max-age Sets the maximum age of dead.letter files. Files older than the specified duration are deleted.
Syntax [no] email dead-letter cleanup max-age
Parameters no
Use the no form of this command to disable cleanup.
Maximum age of the dead letter files in days, hours, minutes, and seconds. Use the format dhms.
Example The following example specifies a maximum age of 5 days, 4 hours, 3 minutes, and 2 seconds:
hostname (config) # email dead-letter cleanup max-age 5d4h3m2s
User Role Administrator, Operator, or Analyst
Command Mode Configuration
Release Information Command introduced before Release 7.6.0.
Related Commands For a list of related commands, see Email Command Family on page 86.
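The max-age value is written in the dhms form shown in the example. The following Python, added here and not taken from the FireEye product, parses that form and applies it to a constructed listing of dead.letter files so that the effect of a setting can be checked before it is configured. The rule that every field is optional but the fields must appear in d, h, m, s order is an assumption about the appliance's own parser.

```python
"""Parse the dhms duration used by 'email dead-letter cleanup max-age' and
select the dead.letter files that exceed it.  Added example, not FireEye
code; the file listing is constructed."""
import re
from typing import Dict, List

# Optional day, hour, minute, second fields in fixed order, e.g. "5d4h3m2s".
_DHMS = re.compile(r"^(?:(\d+)d)?(?:(\d+)h)?(?:(\d+)m)?(?:(\d+)s)?$")


def parse_dhms(text: str) -> int:
    """Return the number of seconds in a dhms value such as '5d4h3m2s'.

    Every field is optional but at least one must be present; the order
    d, h, m, s is fixed (assumption: the appliance parses it the same way).
    """
    m = _DHMS.match(text)
    if not text or m is None:
        raise ValueError(f"bad dhms duration: {text!r}")
    days, hours, minutes, seconds = (int(g) if g else 0 for g in m.groups())
    return ((days * 24 + hours) * 60 + minutes) * 60 + seconds


def expired_files(files: Dict[str, float], max_age: str, now: float) -> List[str]:
    """Names of files whose modification time is older than max_age at 'now'.

    'files' maps file name to mtime in seconds since the epoch; the result
    is what a cleanup run would delete.
    """
    limit = parse_dhms(max_age)
    return sorted(name for name, mtime in files.items() if now - mtime > limit)


# Constructed listing of ~/dead.letters: name -> mtime (epoch seconds).
NOW = 1_700_000_000.0
DEAD_LETTERS = {
    "dead.letter.20231101": NOW - 500_000,   # about 5.8 days old
    "dead.letter.20231114": NOW - 100,       # fresh
}
```

With the page's 5d4h3m2s setting only the older of the two constructed files is past its limit.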
email dead-letter enable Enables saving of dead.letter files when a mail is undeliverable (for example, due to bad mail hub). Note that the dead.letter files are actually saved in ~/dead.letters, and each is given a unique filename so old ones can be deleted without disturbing newer ones.
Syntax [no] email dead-letter enable
Parameters no
Use the no form of this command to disable saving dead.letter files.
User Role Administrator, Operator, or Analyst
Command Mode Configuration
Release Information Command introduced before Release 7.6.0.
Related Commands For a list of related commands, see Email Command Family on page 86.
email domain Specifies the domain name from which the emails will appear to come.
Syntax [no] email domain domain_name
Parameters no
Use the no form of this command to use the default.
domain_name
The domain name from which the emails will appear to come, provided that the return address is not already fully-qualified. This is used in conjunction with the system hostname to form the full name of the host from which the email appears to come. The default is fireeye.com.
Example The following example sets the domain from which emails appear to come to example.com:
hostname (config) # email domain example.com
User Role Administrator, Operator, or Analyst
Command Mode Configuration
Release Information Command introduced before Release 7.6.0.
Related Commands For a list of related commands, see Email Command Family on page 86.
email mailhub Sets the mail relay to be used to send emails.
Syntax [no] email mailhub host_or_ip_addr
Parameters no
Use the no form of this command to clear the configured mailhub.
host_or_ip_addr
Hostname, IPv4 or IPv6 address of the mailhub.
Example The following example sets the mailhub to the host eng39:
hostname (config) # email mailhub eng39
User Role Administrator, Operator, or Analyst
Command Mode Configuration
Release Information Command introduced before Release 7.6.0.
Related Commands For a list of related commands, see Email Command Family on page 86.
email mailhub-port Sets the mail relay port to use to send notification emails.
Syntax [no] email mailhub-port TCP-port
Parameters no
The no form of this command resets the port to its default of 25.
TCP-port
The TCP port (default is port 25).
Example The following example sets the mailhub port to 26:
hostname (config) # email mailhub-port 26
User Role Administrator, Operator, or Analyst
Command Mode Configuration
Release Information Command introduced before Release 7.6.0.
Related Commands For a list of related commands, see Email Command Family on page 86.
email notify event Enables or disables sending email notifications for the specified event type. This does not affect autosupport emails. Use email autosupport event on page 550 for that purpose.
Syntax [no] email notify event event
Parameters no
Use the no form of this command to disable sending email notifications.
event
The events for which to send notifications.
- process-crash—A process in which the system has crashed.
- disk-space-low—Free disk space is low (enabled by default).
- disk-space-ok—Free disk space returned to normal (enabled by default).
- cmc-new-client—A new potential CMC client has announced itself.
- cmc-status-failure—The CMC has detected an error in a managed appliance.
- cmc-status-ok—A CMC status error has been corrected.
- cmc-version-mismatch—The CMC connected to an appliance with a different system software version.
- smart-warning—Disk warnings generated by the Self-Monitoring, Analysis and Reporting Technology (SMART) system (disabled by default).
- interface-up—An interface’s link state has changed to up.
- interface-down—An interface’s link state has changed to down.
- user-login—User logged in to the system.
- user-logout—User logged out of the system.
- syslog-rotation—System log files rotation.
- excessive-temperature—Excessive temperature is reached.
- normal-temperature—Temperature is normal.
- raid-status-failure—A Redundant Array of Inexpensive Disks (RAID) error has occurred.
- raid-status-recover—A RAID has been recovered.
- physical-disk-failure—A physical disk has failed.
- physical-disk-recover—A physical disk has been recovered.
- power-supply-failure—A power supply has failed.
- power-supply-recover—A power supply has been recovered.
- fan-failure—A fan has failed.
- fan-recover—A fan has been recovered.
- license-state-changed—A license state has changed.
- security-update-failure—Security update has failed.
- unexpected-failover—An unexpected fail-over on CMS-HA has occurred.
- manual-failover—A manual fail-over on CMS-HA has occurred.
- nxha-health-failure—NX-HA health check failed.
- mvx-cluster-state-changed—MVX cluster state changed.
- mvx-cluster-util-threshold-exceeded—MVX cluster utilization has exceeded threshold.
- http-throughput—HTTP throughput has not increased for a specified time.
- hardware-bypass-entered—Permanent hardware bypass mode entered.
- inline-engine-up—Inline packet inspection process has started (IPS-enabled platforms only).
- inline-engine-down—Inline packet inspection process has stopped (IPS-enabled platforms only).
- if-link-change—An interface link has changed.
- faas-vpn-status-change—Status of FaaS VPN has changed.
- token-state-change—Virtual appliance activation state is changed.
- dupe-appliance-detected—A duplicate virtual appliance was detected.
- token-server-unreachable—Token Server is unreachable.
- token-server-reachable—Token Server is reachable.
Example The following example enables email notifications in case of a power supply failure:
hostname (config) # email notify event power-supply-failure
User Role Administrator, Operator, or Analyst
Command Mode Configuration
Release Information Command introduced before Release 7.6.0.
Related Commands For a list of related commands, see Email Command Family on page 86.
email notify recipient email_address [class {failure | info} | detail] Adds an email address to the list of addresses to send email notifications of events. By default, detailed emails are sent to the recipient for all failure and informational events that are enabled. All events are informational, except for process-crash, smart-warning, and unexpected-shutdown events.
Syntax [no] email notify recipient email_address [class failure]
[no] email notify recipient email_address [class info]
[no] email notify recipient email_address [detail]
Parameters no
Use the no form of this command to remove an email address from the list of addresses to send email notifications of events.
email_address
Email address to receive event notifications. Only one address can be added per command.
class {failure | info}
Enables or disables the sending of failure or informational events to the specified recipient. Each event type is classified as either "informational" or "failure". The specified recipient will receive the intersection of the set of events specified by this command and the set of events specified overall with the email notify event on page 556 command.
detail
Specifies whether the emails should be detailed or summarized. Each email potentially has both a detailed and summarized form, where the detailed form has a superset of the information. In practice, only PM process crash emails currently have a detailed form; for everything else, the two are the same.
Example The following example adds the user john.doe to the list of users who receive informational event notifications:
hostname (config) # email notify recipient john.doe class info
User Role Administrator, Operator, or Analyst
Command Mode Configuration
Release Information Command introduced before Release 7.6.0.
Related Commands For a list of related commands, see Email Command Family on page 86.
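Which events a given recipient actually receives is the intersection described under class. The Python below, an added example rather than FireEye code, replays a constructed set of email notify lines and computes that intersection for each recipient. The three failure events come from the description above; a recipient added without a class argument gets both classes, which follows the stated default, while the effect of the no form on a single class is an assumption.

```python
"""Work out which event e-mails a recipient receives under
'email notify event' and 'email notify recipient ... class'.
Added example, not FireEye code; the configuration lines are constructed."""
from typing import Dict, Iterable, List, Set, Tuple

# From the page: every event is informational except these three.
FAILURE_EVENTS = {"process-crash", "smart-warning", "unexpected-shutdown"}


def event_class(event: str) -> str:
    return "failure" if event in FAILURE_EVENTS else "info"


def parse_notify_config(lines: Iterable[str]) -> Tuple[Set[str], Dict[str, Set[str]]]:
    """Replay 'email notify ...' lines into (enabled events, recipient classes).

    Assumptions: a new recipient starts with both classes (the page says
    both are sent by default); 'class X' enables that class and its 'no'
    form disables it; 'no email notify recipient ADDR' removes the address.
    Lines that are not 'email notify' commands are ignored.
    """
    enabled: Set[str] = set()
    recipients: Dict[str, Set[str]] = {}
    for line in lines:
        words = line.split()
        negate = words[:1] == ["no"]
        if negate:
            words = words[1:]
        if words[:2] != ["email", "notify"] or len(words) < 4:
            continue
        kind, arg, rest = words[2], words[3], words[4:]
        if kind == "event":
            (enabled.discard if negate else enabled.add)(arg)
        elif kind == "recipient":
            if rest[:1] == ["class"] and len(rest) == 2:
                classes = recipients.setdefault(arg, {"failure", "info"})
                (classes.discard if negate else classes.add)(rest[1])
            elif negate:
                recipients.pop(arg, None)
            else:
                recipients.setdefault(arg, {"failure", "info"})
    return enabled, recipients


def delivered_events(enabled: Set[str], classes: Set[str]) -> List[str]:
    """The intersection the page describes: globally enabled events whose
    class the recipient is subscribed to."""
    return sorted(e for e in enabled if event_class(e) in classes)


# Constructed configuration.
CONFIG = [
    "email notify event power-supply-failure",
    "email notify event process-crash",
    "email notify event disk-space-low",
    "email notify recipient john.doe",
    "no email notify recipient john.doe class failure",
    "email notify recipient oncall@example.com class failure",
]
```

Replaying the running configuration this way is a quick check that the on-call address really is subscribed to the failure class before relying on it.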
email return-addr Sets the email address shown in the “Reply-To” field of alert emails.
Syntax [no] email return-addr username
Parameters no
Use the no form of this command to reset the return address to its default of do-not-reply.
username
The username or fully-qualified return address from which email notifications are sent. If the string provided contains an @ character, it is considered to be fully-qualified and used as-is. Otherwise, it is considered to be just the username, and @. is appended. The default is do-not-reply, but this can be changed to admin or something similar in case something along the line doesn't like fictitious addresses.
Example The following example sets the Reply-To address to [email protected]:
hostname (config) # email return-addr [email protected]
User Role Administrator, Operator, or Analyst
Command Mode Configuration
Release Information Command introduced before Release 7.6.0.
Related Commands For a list of related commands, see Email Command Family on page 86.
email return-host Specifies whether to include the hostname in the return address for emails (default is the configured appliance hostname). This only takes effect if the return address does not contain an @ character.
Syntax [no] email return-host
Parameters no
Use the no form of this command to stop including the hostname in the return address.
User Role Administrator, Operator, or Analyst
Command Mode Configuration
Release Information Command introduced before Release 7.6.0.
Related Commands For a list of related commands, see Email Command Family on page 86.
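The settings email return-addr, email return-host, and email domain together determine the address notifications appear to come from. The following Python is an added example, not FireEye code; it composes the address as username@hostname.domain when the host name is included and username@domain otherwise, which is inferred from the descriptions above rather than stated by the page. It also checks whether the result falls in a domain the operator controls, because the default domain is fireeye.com and mail that appears to originate from a domain you do not own can be rejected by receiving servers that enforce SPF or DMARC.

```python
"""Compose the return address the appliance builds from 'email return-addr',
'email return-host' and 'email domain', and check it belongs to a domain you
control.  Added example, not FireEye code; the host.domain composition is
inferred from the command descriptions."""
from typing import Iterable


def return_address(return_addr: str, hostname: str, domain: str,
                   return_host: bool = True) -> str:
    """Fully-qualified values (containing '@') are used as-is; otherwise the
    username is suffixed with the appliance host name and the e-mail domain,
    or with the domain alone when 'no email return-host' is configured."""
    if "@" in return_addr:
        return return_addr
    host = f"{hostname}.{domain}" if return_host else domain
    return f"{return_addr}@{host}"


def address_domain(address: str) -> str:
    return address.rsplit("@", 1)[1].lower()


def is_own_domain(address: str, own_domains: Iterable[str]) -> bool:
    """True when the address sits in, or under, one of own_domains.

    An appliance left at the default 'email domain' (fireeye.com) sends
    notifications that claim a domain the operator does not own; this check
    is what a configuration audit would run against each appliance.
    """
    dom = address_domain(address)
    owned = [d.lower().lstrip(".") for d in own_domains]
    return any(dom == d or dom.endswith("." + d) for d in owned)
```

Run is_own_domain() over the address each appliance produces and treat a False as a configuration finding: set email domain to a domain whose SPF record covers the mailhub that relays the appliance's mail.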
email send-test Sends a test email alert to all configured notification email recipients.
Syntax email send-test
Parameters None
User Role Administrator, Operator, or Analyst
Command Mode Configuration
Release Information Command introduced before Release 7.6.0.
Related Commands For a list of related commands, see Email Command Family on page 86.
email ssl To configure security for the server used to send system email notifications, use the email ssl command in configuration mode. See also: email
Syntax [no] email ssl ca-list {none | default-ca-list}
[no] email ssl cert-verify
[no] email ssl cipher-list {original | fips | cc-ndpp | fips-and-cc-ndpp | high-security | compatible}
[no] email ssl min-version tls1
[no] email ssl mode {none | tls | tls-none}
Parameters no
Use the no form of this command to clear the email configuration.
ca-list {none | default-ca-list}
Configures the supplemental CA certificates that are used to verify the server certificates.
- none—No supplemental list; use the built-in supplemental CA certificate list only.
- default-ca-list—Default supplemental CA certificate list.
cert-verify
Verifies the server certificates. If the server certificates cannot be verified, TLS will fail.
cipher-list {original | fips | cc-ndpp | fips-and-cc-ndpp | high-security | compatible}
Configures the cipher list for SSL/TLS:
- original—Original FireEye cipher list (maximum compatibility)
- fips—Compliant with FIPS
- cc-ndpp—Compliant with CC-NDPP
- fips-and-cc-ndpp—Compliant with both FIPS and CC-NDPP
- high-security—High security (might include ciphers not compliant with FIPS or CC-NDPP)
- compatible—Improved security while maintaining backward compatibility
min-version tls1
Selects TLSv1 to use for secure email.
mode {none | tls | tls-none}
Configures the following security types to use for email:
- none—TLS is not used to secure email.
- tls—Configures TLS over the default server port to secure email. If TLS fails, email cannot be sent.
- tls-none—Sets TLS Preferred to attempt TLS over the default server port to secure email. If TLS Preferred fails, plain text must be used.
autosupport ssl ca-list {none | default-ca-list}
Configures the supplemental Certificate Authority (CA) certificates that are used to verify the server certificates.
- none—No supplemental list; use built-in one only.
- default-ca-list—Default supplemental CA certificate list.
autosupport ssl cert-verify
Verifies the server certificates.
autosupport ssl mode {none | tls | tls-none}
Configures the following security types to use for autosupport email:
- none—Transport Layer Security (TLS) is not used to secure autosupport email.
- tls—Configures TLS over the default server port to secure autosupport email. Email cannot be sent if TLS fails.
- tls-none—Sets TLS Preferred to attempt TLS over the default server port to secure autosupport email. Plain text must be used if TLS Preferred fails.
Example This example specifies that TLS must be used to secure mail.
hostname (config) # email ssl mode tls
User Role Administrator, Operator, or Analyst
Release Information Command introduced before Release 7.6.0.
Related Commands For a list of related commands, see Email Command Family on page 86.
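The three mode values differ in what happens when STARTTLS cannot be negotiated. The Python below, added as an example and not FireEye code, represents each mode as the ordered list of transport attempts it implies and sends through the standard smtplib accordingly; the mailhub, port and addresses are placeholders supplied by the caller, and cert-verify maps to whether the TLS context validates the server certificate.

```python
"""Model the three 'email ssl mode' settings as an ordered list of transport
attempts and send through smtplib accordingly.  Added example, not FireEye
code; host, port and addresses are placeholders chosen by the caller."""
import smtplib
import ssl
from typing import List, Tuple


def plan_transport(mode: str, cert_verify: bool) -> List[Tuple[str, bool]]:
    """Return the ordered (transport, verify_certificate) attempts for a mode.

    none     -> plain text only
    tls      -> STARTTLS on the default port; if it fails, nothing is sent
    tls-none -> STARTTLS first, then plain text (TLS Preferred)
    """
    if mode == "none":
        return [("plain", False)]
    if mode == "tls":
        return [("starttls", cert_verify)]
    if mode == "tls-none":
        return [("starttls", cert_verify), ("plain", False)]
    raise ValueError(f"unknown email ssl mode: {mode!r}")


def tls_context(verify: bool) -> ssl.SSLContext:
    """Default context validates the chain and host name; 'no email ssl
    cert-verify' corresponds to switching both checks off."""
    ctx = ssl.create_default_context()
    if not verify:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def send_notification(mailhub: str, port: int, mode: str, cert_verify: bool,
                      sender: str, recipient: str, body: str) -> str:
    """Send following the plan; returns the transport that succeeded.

    Each attempt opens a fresh SMTP session so that a failed STARTTLS
    attempt never continues in the clear on the same connection.
    """
    last_error: Exception = RuntimeError("no transport attempted")
    for transport, verify in plan_transport(mode, cert_verify):
        try:
            with smtplib.SMTP(mailhub, port, timeout=10) as smtp:
                if transport == "starttls":
                    smtp.starttls(context=tls_context(verify))
                smtp.sendmail(sender, [recipient], body)
            return transport
        except (smtplib.SMTPException, OSError) as exc:
            last_error = exc
    raise last_error
```

With tls-none, anything on the path that keeps STARTTLS from completing makes the sender fall back to plain text, so the notification, including whatever alert details it carries, then crosses the network unencrypted; mode tls with cert-verify fails closed instead, which is the setting to verify on appliances that send alert content by e-mail.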
embedded-analysis enable Extracts embedded objects (specifically, embedded SWF, DLL, and EXE files) from any PDF, PNG, or Office 2003, 2007, or 2010 file for analysis. If the embedded object is a malicious file, it is quarantined by the MVX engine for analysis. The embedded file type is detected by the system regardless of what the extension may indicate. This feature is disabled by default.
Syntax [no] embedded-analysis enable
Parameters no
The no form of this command disables embedded object extraction and analysis.
Example The following example enables the embedded file extraction feature.
hostname (config) # embedded-analysis enable
hostname (config) # email-analysis mode drop
User Role Administrator or Operator
Command Mode Configuration
Release Information This command was released as follows:
- EX Series: Release 6.3.0
Related Commands email-analysis mode on page 513
eml attachment limit Configures EML attachment parameters. By default, the AX Series appliance analyzes saved email (.eml) files for potential malware issues. Use the eml attachment limit command to configure the maximum number of attachments that can be analyzed for each .eml file. This command is available only on AX Series appliances.
Syntax eml attachment limit count
Parameters count
Sets the number of attachments to analyze in .eml files. The default number is 5 and the configurable range is 0 through 20.
Example The following example configures MAS saved email attachment parameters, setting the number of attachments to analyze at 10.
ax-1 (config) # eml attachment limit 10
User Role Administrator or Operator
Command Mode Configuration
Release Information This command was introduced as follows:
AX Series: Before release 7.1
Related Commands eml recursive limit on the next page; show eml on page 1507
eml recursive limit Configures EML recursive limit parameters. The AX Series appliance analyzes saved email (.eml) files for potential malware issues. You can use this command to configure the maximum recursive depth of the .eml file to be analyzed. This command is available only on AX Series appliances.
Syntax eml recursive limit count
Parameters count
The maximum depth. The default is 3, and the configurable range is 0 through 3.
Example The following example sets the maximum recursive depth of the .eml file to be analyzed to 2.
ax-1 (config) # eml recursive limit 2
User Role Administrator or Operator
Command Mode Configuration
Release Information This command was introduced as follows:
AX Series: Before release 7.1
Related Commands eml attachment limit on the previous page; show eml on page 1507
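As an added illustration (not FireEye code), the script below builds a constructed .eml that forwards another .eml several levels deep and shows how the two limits above (attachments per .eml, recursive depth) bound what would be submitted for analysis; the limit semantics used here (attachments counted per nested message, depth counted in message/rfc822 levels) are an assumption for illustration, not a description of the appliance's internals.

```python
"""Constructed example: how per-.eml attachment and recursion limits bound analysis coverage.

Assumed semantics (for illustration only, not FireEye's implementation):
  - "eml attachment limit" caps the non-message attachments analyzed in each message,
  - "eml recursive limit" caps how many message/rfc822 levels below the top are entered.
"""
import email
from email import policy
from email.message import EmailMessage

ATTACHMENT_LIMIT_DEFAULT = 5   # eml attachment limit: default 5, range 0 through 20
RECURSIVE_LIMIT_DEFAULT = 3    # eml recursive limit: default 3, range 0 through 3


def build_nested_eml(levels: int, attachments_per_level: int) -> bytes:
    """Construct a sample .eml that forwards another .eml `levels` times; every level
    carries `attachments_per_level` binary attachments (all content is constructed)."""
    def build(level: int) -> EmailMessage:
        msg = EmailMessage()
        msg["From"] = "sender@example.test"
        msg["To"] = "recipient@example.test"
        msg["Subject"] = f"forwarded level {level}"
        msg.set_content(f"constructed body at level {level}")
        for i in range(attachments_per_level):
            msg.add_attachment(b"MZ constructed sample bytes", maintype="application",
                               subtype="octet-stream", filename=f"l{level}_f{i}.exe")
        if level < levels:
            msg.add_attachment(build(level + 1))  # a Message attaches as message/rfc822
        return msg
    return build(0).as_bytes()


def plan_analysis(raw: bytes, attachment_limit: int = ATTACHMENT_LIMIT_DEFAULT,
                  recursive_limit: int = RECURSIVE_LIMIT_DEFAULT) -> dict:
    """Walk the .eml and record which attachments fall inside or outside the limits.

    Returns lists of (depth, filename): analyzed, skipped_count (over the per-message
    attachment cap) and skipped_depth (nested .eml below the recursion cap)."""
    result = {"analyzed": [], "skipped_count": [], "skipped_depth": []}

    def walk(msg, depth: int) -> None:
        seen = 0
        for part in msg.iter_attachments():
            name = part.get_filename() or "<message/rfc822>"
            if part.get_content_type() == "message/rfc822":
                if depth + 1 > recursive_limit:
                    result["skipped_depth"].append((depth + 1, name))
                else:
                    walk(part.get_payload(0), depth + 1)  # payload is [inner message]
                continue
            seen += 1
            bucket = "analyzed" if seen <= attachment_limit else "skipped_count"
            result[bucket].append((depth, name))

    walk(email.message_from_bytes(raw, policy=policy.default), 0)
    return result


def summarize(raw: bytes, attachment_limit: int, recursive_limit: int) -> dict:
    """Counts only, convenient for comparing limit settings side by side."""
    return {k: len(v) for k, v in plan_analysis(raw, attachment_limit, recursive_limit).items()}


if __name__ == "__main__":
    sample = build_nested_eml(levels=3, attachments_per_level=7)
    for att, rec in [(5, 3), (5, 2), (20, 0), (0, 3)]:
        print(f"attachment limit {att:2d}, recursive limit {rec}: {summarize(sample, att, rec)}")
```

Raising the attachment limit toward 20 widens coverage of a single message, while lowering the recursive limit leaves deeper forwarded messages unexamined entirely.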
enable Description Enters the enabled mode from standard mode.
Syntax enable
Parameters None
Example The following example enters enabled mode from standard mode, which changes the prompt from “>” to “#”.
hostname > enable
hostname #
exit Description Closes the CLI session or returns the user from configuration mode to enabled mode.
Syntax exit
Parameters None
Example The following example returns the user to enabled mode from configuration mode, which removes “(config)” from the prompt.
hostname (config) # exit
hostname #
fe-access connect Description Establishes a reverse SSH tunneling connection with FireEye Customer Support. First, you must enable reverse SSH tunneling and set a user password.
Syntax fe-access connect [no] fe-access connect
Parameters None
Examples The following example establishes a reverse SSH tunneling connection with FireEye Customer Support without using a proxy.
hostname (config) # fe-access enable
hostname (config) # fe-access set password feaccess
hostname (config) # fe-access connect
Connection is in process
Please use "show fe-access" to check connection status
The following example establishes a reverse SSH tunneling connection with FireEye Customer Support using a local proxy.
hostname (config) # fe-access enable
hostname (config) # fe-access proxy enable
hostname (config) # fe-access proxy set hostname 10.17.153.58
hostname (config) # fe-access proxy set port-number 3128
hostname (config) # fe-access connect
Related Commands fe-access enable on the next page; fe-access proxy enable on page 571; fe-access set on page 574
fe-access enable Description Enables a reverse SSH tunneling connection with FireEye Customer Support.
Syntax fe-access enable [no] fe-access enable
Parameters None
Example The following example enables and establishes a reverse SSH tunneling connection with FireEye Customer Support without using a proxy.
hostname (config) # fe-access enable
hostname (config) # fe-access set password feaccess
hostname (config) # fe-access connect
Connection is in process
Please use "show fe-access" to check connection status
Related Commands fe-access connect on the previous page; fe-access proxy set on page 572; fe-access set on page 574
fe-access proxy enable Description Enables access between the FireEye appliance and the Dynamic Threat Intelligence (DTI) network via a proxy server. The proxy server can be the remote FireEye server or a local server.
Syntax fe-access proxy enable [no] fe-access proxy enable
Parameters None
Examples The following example enables access between the remote FireEye proxy server and the FireEye appliance.
hostname (config) # fe-access proxy enable
hostname (config) # fe-access proxy use-fenet
hostname (config) # fe-access proxy set password testing123
The following example enables access between a local proxy server and the FireEye appliance.
hostname (config) # fe-access proxy enable
hostname (config) # fe-access proxy set hostname 10.17.153.58
hostname (config) # fe-access proxy set port-number 3128
hostname (config) # fe-access proxy set username test password testing123
fe-access proxy set Description Enables FireEye Customer Support to access the FireEye appliance through a local proxy server or the remote FireEye proxy server using reverse SSH tunneling. When using the FireEye proxy server, you are required to configure a password. To use a local proxy server instead, configure the port number, username, and password. Proxy access must first be enabled.
Syntax fe-access proxy set {port-number port_id | username username password password}
Parameters port-number port_id
Local proxy port number.
username username password password
Username and password used to access the local proxy.
Example The following example sets the parameters for accessing a local proxy server.
fireeye-585d6c (config) # fe-access proxy enable
fireeye-585d6c (config) # fe-access proxy set port-number 3128
fireeye-585d6c (config) # fe-access proxy set username test password testing123
fireeye-585d6c (config) # fe-access connect
Connection is in process. Please use "show fe-access" to check connection status.
Related Commands fe-access connect on page 569; fe-access proxy enable on the previous page
fe-access proxy use-fenet Description Enables the FireEye appliance to be accessed through the remote FireEye proxy server via reverse SSH tunneling. Proxy access must first be enabled.
Syntax fe-access proxy use-fenet [no] fe-access proxy use-fenet
Parameters None
Example
hostname (config) # fe-access proxy enable
hostname (config) # fe-access proxy use-fenet
Related Commands fe-access proxy enable on page 571
fe-access set Description Sets the password and timeout value that enables FireEye Customer Support representatives to remotely access the FireEye appliance through reverse SSH tunneling without going through a proxy server. You must first enable access. Related commands: fe-access enable
Syntax fe-access set {password password | timeout hours}
Parameters password password
Clear-text password that will be used by FireEye Customer Support, along with your FireEye appliance ID, to generate a unique password to access your FireEye appliance securely and remotely. The password must be a minimum of eight characters.
timeout hours
Number of hours a FireEye Customer Support representative can access your FireEye appliance before being disconnected. The range of values is 1 through 168. The default is 48 hours.
Example The following example sets the password and a timeout of 72 hours.
hostname (config) # fe-access enable
hostname (config) # fe-access set password 1bacafbywri7
hostname (config) # fe-access set timeout 72
fedb backup This command has been deprecated. Please use backup profile to on page 276.
fedb events archival age days Specifies the retention period for nonmalicious and malicious alerts. After this period, alerts are removed from the events database that you configured on the appliance. Currently, only nonmalicious alerts are removed from the events database when the limit specified by the fedb events archival himark command is reached. Use the fedb events archival age days command to automatically remove all malicious and nonmalicious alerts that exceed the retention period from the events database. If you do not specify the retention period or specify the retention period as zero days, data will not be removed from the events database. By default, the retention period is not set on the appliance.
Syntax fedb events archival age days
Parameters
Specify the number of days after which malicious and nonmalicious alerts are removed from the events database.
Example The following example specifies the retention period as seven days:
hostname (config) # fedb events archival age days 7
User Role Administrator
Command Mode Configuration
Release Information This command was introduced as follows:
CM Series: Release 7.8
NX Series: Release 7.8
Related Commands For a list of related commands, see Events Database Configuration Commands on page 89.
fedb events archival himark Specifies the number of high-water mark entries. When this number is reached, the events database is archived.
Syntax [no] fedb events archival himark
Parameters
Specify the number of high-water mark entries.
no
Use the no form of this command to clear the high-water mark entry settings.
Example The following example specifies the high-water mark entries as 250000:
hostname (config) # fedb events archival himark 250000
User Role Administrator
Command Mode Configuration
Release Information This command was introduced as follows:
CM Series: Command deprecated before Release 7.5.
NX Series: Before Release 7.5
AX Series: Before Release 7.5
FX Series: Before Release 7.5
Related Commands For a list of related commands, see Events Database Configuration Commands on page 89.
fedb events archival journal Specifies the size of the journal file entries in GB. When this size is reached, the events database is archived.
Syntax [no] fedb events archival journal
Parameters
Specify the size of the journal file entries in GB.
no
Use the no form of this command to clear the journal entry settings from the events database.
Example The following example specifies the size of the journal entries as 7 GB:
hostname (config) # fedb events archival journal 7
User Role Administrator
Command Mode Configuration
Release Information This command was introduced as follows:
CM Series: Command deprecated before Release 7.5.
NX Series: Before Release 7.5
AX Series: Before Release 7.5
FX Series: Before Release 7.5
Related Commands For a list of related commands, see Events Database Configuration Commands on page 89.
fedb events archival time Specifies the time at which to archive the events database.
Syntax [no] fedb events archival time
Parameters
Specify the hour of the day at which to archive the events database. The range is from 00 to 23 hours.
no
Use the no form of this command to clear the time settings from the events database.
Example The following example sets the time at which to archive the events database at 23 hours (11:00 p.m.):
hostname (config) # fedb events archival time 23
User Role Administrator
Command Mode Configuration
Release Information This command was introduced as follows:
CM Series: Command deprecated before Release 7.5.
NX Series: Before Release 7.5
AX Series: Before Release 7.5
FX Series: Before Release 7.5
Related Commands For a list of related commands, see Events Database Configuration Commands on page 89.
fedb events source ip resolve-dns Enables hostname lookup by Domain Name Service (DNS) for the related source IP settings.
Syntax [no] fedb events source ip resolve-dns
Parameters no
Use the no form of this command to clear hostname lookup by DNS.
Example The following example enables hostname lookup by DNS:
hostname (config) # fedb events source ip resolve-dns
User Role Administrator
Command Mode Configuration
Release Information This command was introduced as follows:
CM Series: Command deprecated before Release 7.5
NX Series: Before Release 7.5
AX Series: Before Release 7.5
FX Series: Before Release 7.5
Related Commands For a list of related commands, see Events Database Configuration Commands on page 89.
fedb events source ip resolve-dns-first Enables hostname lookup by DNS first for the related source IP settings.
Syntax [no] fedb events source ip resolve-dns-first
Parameters no
Use the no form of this command to enable hostname lookup by NetBIOS first.
Example The following example enables hostname lookup by DNS first:
hostname (config) # fedb events source ip resolve-dns-first
User Role Administrator
Command Mode Configuration
Release Information This command was introduced as follows:
CM Series: Command deprecated before Release 7.5
NX Series: Before Release 7.5
AX Series: Before Release 7.5
FX Series: Before Release 7.5
Related Commands For a list of related commands, see Events Database Configuration Commands on page 89.
fedb events source ip resolve-netbios Enables hostname lookup by NetBIOS for the related source IP settings.
Syntax [no] fedb events source ip resolve-netbios
Parameters no
Use the no form of this command to clear hostname lookup by NetBIOS.
Example The following example enables hostname lookup by NetBIOS:
hostname (config) # fedb events source ip resolve-netbios
User Role Administrator
Command Mode Configuration
Release Information This command was introduced as follows:
CM Series: Command deprecated before Release 7.5
NX Series: Before Release 7.5
AX Series: Before Release 7.5
FX Series: Before Release 7.5
Related Commands For a list of related commands, see Events Database Configuration Commands on page 89.
fedb hold Description Configures settings for how long information about malicious or non-malicious URLs is retained in the FireEye appliance database.
Syntax [no] fedb hold {malicious | non-malicious {url url number days}}
Parameters malicious url url
Specifies the malicious URL to be stored in the database.
non-malicious url url
Specifies the non-malicious URL to be stored in the database.
number days
Number of days the URL is to be stored. For malicious URLs, the range of values is 14 through 180. For non-malicious URLs, the range of values is 1 through 14.
Example The following example configures the FireEye appliance to retain malicious URLs in the database for 30 days.
hostname (config) # fedb hold malicious 30 days
fedb malware Description Configures the malware database. This command is available for the File MPS, Web MPS, Email MPS, MAS, and CM Series appliance.
Syntax [no] fedb malware archival himark number_of_entries
Parameters archival
Configures archival settings for the FireEye appliance malware database.
himark
Specifies high-water mark entries for the malware database.
number_of_entries
Specifies the number of high-water mark entries.
Example The following example configures the FireEye malware database with 250,000 entries as the archival high-water mark.
hostname (config) # fedb malware archival himark 250000
fedb restore Description Performs database restore operations for the FireEye appliance. This command is available for the File MPS, Web MPS, Email MPS, and MAS appliances.
Syntax fedb restore from-file filename
Parameters filename Specifies the backup file to restore.
Example The following example restores a backup file as specified.
fedb restore from-file db_aggr.20130628.084249.dump
fenet appliance image Description Manages FireEye appliance images. This command is available on the CM Series appliance.
Syntax fenet appliance image product {check | delete | fetch | rename}
fenet appliance image product {check | delete | fetch version force | rename destination_name}
Parameters product
Product type: eMPS, fMPS, wMPS, or MAS.
check
Checks for the latest software image.
delete
Deletes the specified software image.
fetch
Fetches the latest software image.
version
Specifies the software release version.
force
Forces the image to be fetched.
rename
Renames the appliance image.
Example The following example checks for a new image for the MAS appliance. A new image is available.
brighton (config) # fenet appliance image mas check
Operation initiated in the background. Run 'show fenet image status' for status
brighton (config) # show fenet image status
Progress of latest action taken:
action check initiated Fri Apr 5 09:26:02 2013
applying check for image mas
action check completed Fri Apr 5 09:26:02 2013
check-done: New appliance image is available: 6.4.0
status
Related commands show fenet image
fenet appliance manage Description Manages a single FireEye appliance from the CM Series appliance.
Syntax fenet appliance manage appliance_id_string {backup | default-backup | default-restore | restore | update | upgrade}
Parameters appliance_id_string
Name of the appliance.
backup
Creates a backup of the appliance's configuration.
default-backup
Saves the appliance configuration as a default template that can be applied to other similar appliances.
default-restore
Applies the default configuration to the appliance.
restore
Restores the appliance's configuration.
update
Installs the latest patches and reloads the appliance (as needed).
upgrade
Installs the latest image and reloads the appliance.
Restoring the default configuration does not affect appliance-specific configuration settings such as interfaces, licenses, and so on.
Example The following example creates a backup of the appliance's configuration.
[hostname] config # fenet appliance manage WebMPS backup
fenet appliance patch Description Manages patches for FireEye appliances. Available on the CM Series appliance.
Syntax fenet appliance patch {check-now | deploy-now}
Parameters check-now
Checks for the latest patch updates for managed appliances.
deploy-now
Hosts the latest patch updates for managed appliances.
Example The following example checks for the latest patch updates for managed appliances.
[hostname] config # fenet appliance patch check-now
fenet dti cache populate guest-images all Downloads the latest guest images for all supported managed appliances from the DTI network and stores them in a cache on the CM Series platform. You can currently use this command to download guest images for NX Series 7.7.0 appliances only. However, if the guest images in the cache are compatible for other appliances, they can be used for those appliances.
Syntax fenet dti cache populate guest-images all
Parameters None
Description You can explicitly download guest images and store them in the cache. This saves bandwidth and shortens the maintenance window for appliance updates. It also allows you to be flexible about scheduling appliance updates, because the guest images are already downloaded and ready to push to the appliances. For details about the DTI cache, see the CM Series Administration Guide. If the DTI network has a delta file containing the changes between the guest images already installed on an appliance and the latest guest images, only the delta file is downloaded to the cache.
Example The following example downloads guest images for all appliances and shows the download progress. The downloading task displays the hostname of the first appliance of an appliance type. For example, if the CM Series platform manages the nx-01, nx-02, and nx-03 appliances, only the nx-01 hostname is displayed.
hostname (config) # fenet dti cache populate guest-images appliance all
Operation started in the background. Run 'show fenet dti cache populate guest-images status' to check on status.
hostname (config) # show fenet dti cache populate guest-images status
Active Download ID: grgf
Start Time: 2015/10/07 20:24:17.701
Elapsed Time: 13 sec
==============================================================
Download Tasks
==============================================================
Downloading Guest-Image Profile (Full-Image) winxp-sp3 nx-01 (wMPS)
Progress: 4.97%
Status: running
Downloading Guest Image-Profile (Full-Image) win7-sp1 for nx-01 (wMPS)
Progress:
Status: not started
Downloading Guest-Image Profile (Full-Image) win7x64-sp1 for nx-01 (wMPS)
Progress:
Status: not started
hostname > show fenet dti cache populate guest-images status
Active Download ID: grgf
Start Time: 2015/10/07 20:24:17.701
Elapsed Time: 218 sec
==============================================================
Download Tasks
==============================================================
Downloading Guest-Image Profile (Full-Image) winxp-sp3 for nx-01 (wMPS)
Progress: 100.00%
Status: success
Downloading Guest-Image Profile (Full-Image) win7-sp1 for nx-01 (wMPS)
Progress: 14.62%
Status: running
Downloading Guest-Image Profile (Full-Image) win7x64-sp1 for nx-01 (wMPS)
Progress:
Status: not started
User Role Admin or Operator
Command Mode Configuration
Release Information This command was introduced as follows: CM Series: Release 7.7
Related Commands For a list of related commands, see: DTI Cache Proxy Command Family on page 79.
fenet dti cache populate guest-images appliance Downloads guest images for a specific appliance from the DTI network and stores them in a cache on the CM Series platform. You can currently use this command to download guest images for NX Series 7.7.0 appliances only. However, if the guest images in the cache are compatible for other appliances, they can be used for those appliances.
Syntax fenet dti cache populate guest-images appliance
Parameters applianceName
The hostname of the appliance for which you want to download guest images. (Use the fenet dti cache populate guest-images appliance ? command to display the hostnames of the appliances that this CM Series platform is currently managing.)
Description You can explicitly download guest images and store them in the cache. This saves bandwidth and shortens the maintenance window for appliance updates. It also allows you to be flexible about scheduling appliance updates, because the guest images are already downloaded and ready to push to the appliances. For details about the DTI cache, see the CM Series Administration Guide. If the DTI network has a delta file containing the changes between the guest images already installed on an appliance and the latest guest images, only the delta file is downloaded to the cache.
Example The following example downloads guest images for the nx-05 appliance and shows the download progress.
hostname (config) # fenet dti cache populate guest-images appliance nx-05
Operation started in the background. Run 'show fenet dti cache populate guest-images status' to check on status.
hostname (config) # show fenet dti cache populate guest-images status
Active Download ID: grgf
Start Time: 2015/10/07 20:24:17.701
Elapsed Time: 13 sec
==============================================================
Download Tasks
==============================================================
Downloading Guest-Image Profile (Full-Image) winxp-sp3 for nx-05 (wMPS)
Progress: 4.97%
Status: running
Downloading Guest Image-Profile (Full-Image) win7-sp1 for nx-05 (wMPS)
Progress:
Status: not started
Downloading Guest-Image Profile (Full-Image) win7x64-sp1 for nx-05 (wMPS)
Progress:
Status: not started
hostname > show fenet dti cache populate guest-images status
Active Download ID: grgf
Start Time: 2015/10/07 20:24:17.701
Elapsed Time: 218 sec
==============================================================
Download Tasks
==============================================================
Downloading Guest-Image Profile (Full-Image) winxp-sp3 for nx-05 (wMPS)
Progress: 100.00%
Status: success
Downloading Guest-Image Profile (Full-Image) win7-sp1 for nx-05 (wMPS)
Progress: 14.62%
Status: running
Downloading Guest-Image Profile (Full-Image) win7x64-sp1 for nx-05 (wMPS)
Progress:
Status: not started
User Role Admin or Operator
Command Mode Configuration
Release Information This command was introduced as follows: CM Series: Release 7.7
Related Commands For a list of related commands, see: DTI Cache Proxy Command Family on page 79.
fenet dti cache populate image product Downloads the latest system image for a specific appliance type from the DTI network and stores it in a cache on the CM Series platform.
Syntax fenet dti cache populate image product
Parameters product
The product identifier, such as wMPS for the NX Series appliance. (Use the fenet dti cache populate image product ? command to display the product identifiers for the appliances that this CM Series platform is currently managing.)
Description You can explicitly download system images and store them in the cache. This saves bandwidth and shortens the maintenance window for appliance updates. It also allows you to be flexible about scheduling appliance updates, because the system images are already downloaded and ready to push to the appliances. For details about the DTI cache, see the CM Series Administration Guide.
Example The following example shows the product identifiers for the managed appliances and then downloads the latest system image for the NX Series appliance.
cm-02 (config) # fenet dti cache populate image product ?
eMPS
wMPS
all   Prefetch the latest system image for all managed
cm-02 (config) # fenet dti cache populate image product wMPS
Operation started in the background. Run 'show fenet dti cache populate images status' to check on status.
cm-02 (config) # show fenet dti cache populate images status
Active Download ID: v54n
Start Time: 2015/10/08 00:57:36.139
Elapsed Time: 12 sec
==============================================================
Download Tasks
==============================================================
Downloading the 7.7.0 image for wMPS
Progress: 59.00 %
Status: running
hostname (config) # show fenet dti cache populate images status
Active Download ID: v54n
Start Time: 2015/10/08 00:57:36:139
Elapsed Time: 20 sec
==============================================================
Download Tasks
==============================================================
Downloading the 7.7.0 image for wMPS
Progress: 100 %
Status: success
User Role Admin or Operator
Command Mode Configuration
Release Information This command was introduced as follows: CM Series: Release 7.7
Related Commands For a list of related commands, see: DTI Cache Proxy Command Family on page 79.
fenet dti cache populate image product all Downloads the latest system images for all managed appliance types from the DTI network and stores them in a cache on the CM Series platform.
Syntax fenet dti cache populate image product all
Parameters None
Description You can explicitly download system images and store them in the cache. This saves bandwidth and shortens the maintenance window for appliance updates. It also allows you to be flexible about scheduling appliance updates, because the system images are already downloaded and ready to push to the appliances. For details about the DTI cache, see the CM Series Administration Guide.
Example The following example downloads available system images for all managed appliance types to the DTI cache. In this example, the cm-01 CM Series platform manages an EX Series appliance and an FX Series appliance.
cm-01 (config) # fenet dti cache populate image product all
Operation started in the background. Run 'show fenet dti cache populate images status' to check on status.
cm-01 (config) # show fenet dti cache populate images status
Active Download ID: u4zg
Start Time: 2015/11/06 18:14:46.978
Elapsed Time: 14 sec
===========================================================================
Download Tasks
===========================================================================
Downloading the 7.7.0 image for fx-02 (fMPS)
Progress: 25.77 %
Status: running
Downloading the 7.6.2 image for ex-03 (eMPS)
Progress:
Status: not started
cm-01 (config) # show fenet dti cache populate images status
Active Download ID: u4zg
Start Time: 2015/11/06 18:14:46.978
Elapsed Time: 24 sec
===========================================================================
Download Tasks
===========================================================================
Downloading the 7.7.0 image for fx-02 (fMPS)
Progress: 43.68 %
Status: running
Downloading the 7.6.2 image for ex-03 (eMPS)
Progress:
Status: not started
cm-01 (config) # show fenet dti cache populate images status
Active Download ID: u4zg
Start Time: 2015/11/06 18:14:46.978
Elapsed Time: 54 sec
===========================================================================
Download Tasks
===========================================================================
Downloading the 7.7.0 image for fx-02 (fMPS)
Progress: 100.00 %
Status: success
Downloading the 7.6.2 image for ex-03 (eMPS)
Progress: 0.00 %
Status: running
cm-01 (config) # show fenet dti cache populate images status
Active Download ID: u4zg
Start Time: 2015/11/06 18:14:46.978
Elapsed Time: 92 sec
===========================================================================
Download Tasks
===========================================================================
Downloading the 7.7.0 image for fx-02 (fMPS)
Progress: 100.00 %
Status: success
Downloading the 7.6.2 image for ex-03 (eMPS)
Progress: 51.42 %
Status: running
cm-01 (config) # show fenet dti cache populate images status
Active Download ID: u4zg
Start Time: 2015/11/06 18:14:46.978
Elapsed Time: 105 sec
===========================================================================
Download Tasks
===========================================================================
Downloading the 7.7.0 image for fx-02 (fMPS)
Progress: 100.00 %
Status: success
Downloading the 7.6.2 image for ex-03 (eMPS)
Progress: 100.00 %
Status: success
User Role Admin or Operator
Command Mode Configuration
Release Information This command was introduced as follows: CM Series: Release 7.7
Related Commands For a list of related commands, see: DTI Cache Proxy Command Family on page 79.
fenet dti cache populate image product version Downloads the system image for the specified appliance type and version from the DTI network and stores it in a cache on the CM Series platform.
Syntax fenet dti cache populate image product version
Parameters product
The product identifier, such as wMPS for the NX Series appliance. (Use the fenet dti cache populate image product ? command to display the product identifiers for the appliances that this CM Series platform is currently managing.) version
The product version, such as 7.7.0. (Use the fenet dti cache populate image product version ? command to display the product versions.)
Description You can explicitly download system images and store them in the cache. This saves bandwidth and shortens the maintenance window for appliance updates. It also allows you to be flexible about scheduling appliance updates, because the system images are already downloaded and ready to push to the appliances. For details about the DTI cache, see the CM Series Administration Guide.
Example The following example displays the available NX Series system images and then downloads the NX Series 7.5.3 system image.
cm-02 (config) # fenet dti cache populate image product wMPS version ?
7.4.0
7.4.2
7.5.0
7.5.1
7.5.2
7.5.3
7.7.0
cm-02 (config) # fenet dti cache populate image product wMPS 7.5.3
Operation started in the background. Run 'show fenet dti cache populate images status' to check on status.
cm-02 (config) # show fenet dti cache populate images status
© 2016 FireEye
599
CLI Reference Guide
PART III: Commands
Active Download ID: pzz2 Start Time: 2015/10/07 14:37:51.220 End Time: 2015/10/07 14:38:02.520 Elapsed Time: 11 sec ============================================================== Download Tasks ============================================================== Downloading the 7.5.3 image for wMPS Progress: 100.00 % Status: success
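As an added example (not from the FireEye guide), a Python parser for the 'show fenet dti cache populate images status' transcript above that flags any download task that did not finish with Status: success, so an operator can confirm the cache is ready before scheduling appliance updates. The sample text it runs on is constructed to match the format shown here, with one task deliberately left failed.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample output, modelled on the status transcript in this entry;
# it is not captured from a real appliance. The second task is deliberately
# unfinished so that the failure path is exercised.
SAMPLE_STATUS = """\
Active Download ID: pzz2
Start Time: 2015/10/07 14:37:51.220
End Time: 2015/10/07 14:38:02.520
Elapsed Time: 11 sec
==============================================================
Download Tasks
==============================================================
Downloading the 7.5.3 image for wMPS
Progress: 100.00 %
Status: success
Downloading the 7.6.2 image for ex-03 (eMPS)
Progress: 42.50 %
Status: failed
"""

TIME_FORMAT = "%Y/%m/%d %H:%M:%S.%f"

# A task line names either a product id (wMPS) or a managed appliance with its
# product id in parentheses (ex-03 (eMPS)); the parenthesised part is optional.
TASK_RE = re.compile(
    r"^Downloading the (?P<version>\S+) image for (?P<target>\S+)(?: \((?P<product>[^)]+)\))?$"
)
PROGRESS_RE = re.compile(r"^Progress:\s*(?P<pct>\d+(?:\.\d+)?)\s*%$")
STATUS_RE = re.compile(r"^Status:\s*(?P<status>.+)$")
HEADER_RE = re.compile(r"^(?P<key>[A-Za-z ]+):\s*(?P<value>.+)$")


@dataclass
class DownloadTask:
    version: str
    target: str                 # product id, or appliance name when one is shown
    product: Optional[str]      # product id from the parentheses, if present
    progress: float = 0.0
    status: str = "unknown"

    @property
    def done(self) -> bool:
        return self.status == "success" and self.progress >= 100.0


@dataclass
class DownloadReport:
    download_id: str
    start: Optional[datetime]
    end: Optional[datetime]
    tasks: List[DownloadTask]

    def incomplete(self) -> List[DownloadTask]:
        """Tasks that did not finish successfully; empty means the cache is ready to push."""
        return [t for t in self.tasks if not t.done]


def _parse_time(value: Optional[str]) -> Optional[datetime]:
    return datetime.strptime(value, TIME_FORMAT) if value else None


def parse_status(text: str) -> DownloadReport:
    """Parse the status transcript into a report. Header fields are read as
    key: value pairs; Progress and Status lines attach to the most recent task."""
    header: Dict[str, str] = {}
    tasks: List[DownloadTask] = []
    current: Optional[DownloadTask] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("=") or line == "Download Tasks":
            continue                                 # banner lines carry no data
        m = TASK_RE.match(line)
        if m:
            current = DownloadTask(m["version"], m["target"], m["product"])
            tasks.append(current)
            continue
        if current is not None:
            m = PROGRESS_RE.match(line)
            if m:
                current.progress = float(m["pct"])
                continue
            m = STATUS_RE.match(line)
            if m:
                current.status = m["status"].strip().lower()
                continue
        m = HEADER_RE.match(line)
        if m:
            header[m["key"].strip()] = m["value"].strip()
    return DownloadReport(
        download_id=header.get("Active Download ID", ""),
        start=_parse_time(header.get("Start Time")),
        end=_parse_time(header.get("End Time")),   # None while a download is still active
        tasks=tasks,
    )


if __name__ == "__main__":
    report = parse_status(SAMPLE_STATUS)
    for task in report.incomplete():
        print(f"{task.target}: {task.version} {task.status} at {task.progress:.2f} %")
```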
User Role Admin or Operator
Command Mode Configuration
Release Information This command was introduced as follows: CM Series: Release 7.7
Related Commands For a list of related commands, see: DTI Cache Proxy Command Family on page 79.
fenet dti custom address available To specify that the DTI source address is available, use the fenet dti custom address available command in configuration mode.
Syntax fenet dti custom address available
User Role Admin
Release Information Command introduced in Release 7.5.0 for the CM Series platform.
Parameters None
Description This command specifies that the DTI source address is available for the CM Series platform.
Example The following example specifies that the DTI source address is available:
hostname (config) # fenet dti custom address available
fenet dti enrollment service default DTI By default, the CM Series platform controls the enrollment service for managed sensors, so the enrollment service type is CMS. When manual enrollment is required, the enrollment service type must be DTI. Use this command to set the default enrollment service type to DTI. This command must be used with other commands, as shown in the Examples below. For more information about sensor enrollment, see the Network Security Deployment Guide for MVX Smart Grid and the Network Security Deployment Guide for Cloud MVX.
Syntax fenet dti enrollment service default DTI
Parameters None
Examples In this example, the nx-02 sensor that is managed by a CM Series appliance with an IP address of 172.4.5.6 will be enrolled with a cluster that is managed by another CM Series appliance with an IP address of 10.11.10.11.
nx-02 (config) # no fenet dti enrollment service override enable
nx-02 (config) # fenet dti enrollment service type DTI address 10.11.10.11
nx-02 (config) # fenet dti enrollment service type DTI username user8 password 123ABCXYZ
nx-02 (config) # fenet dti enrollment service default DTI
In this example, the nx-04 sensor is managed by the local CM Series appliance (cm-1) with an IP address of 172.1.2.3. The local CM Series appliance will act as a proxy to enroll the sensor with Cluster-02, which is managed by another CM Series appliance (cm-2) with an IP address of 10.12.11.13.
cm-1 (config) # fenet dti enrollment service type DTI address 10.12.11.13
cm-1 (config) # fenet dti enrollment service type DTI username user9 password 345DEFUVW
cm-1 (config) # fenet dti enrollment service default DTI
User Role Operator and Admin
Command Mode Configuration
Release Information This command was introduced as follows:
- NX Series: Release 7.9.1
- CM Series: Release 7.9.1
Related Commands For a list of related commands, see MVX Cluster Command Family on page 113.
fenet dti enrollment service override enable By default, the CM Series platform controls the enrollment service for managed sensors, so the enrollment service type is CMS. When manual enrollment is required, the enrollment service type is DTI. Use this command to prevent the CM Series appliance from overriding manual enrollment settings that change this default behavior. This command must be used with other commands, as shown in the Example below. For more information about sensor enrollment, see the Network Security Deployment Guide for MVX Smart Grid and the Network Security Deployment Guide for Cloud MVX.
Syntax [no] fenet dti enrollment service override enable
Parameters no
Use the no form of this command to restore the default behavior.
Example The following commands prevent the CM Series appliance that manages nx-02 from overriding manual enrollment settings, change the enrollment service type to DTI, configure DTI credentials for the enrollment service, and set DTI as the default enrollment service type:
nx-02 (config) # no fenet dti enrollment service override enable
nx-02 (config) # fenet dti enrollment service type DTI address 10.11.10.11
nx-02 (config) # fenet dti enrollment service type DTI username user8 password 123ABCXYZ
nx-02 (config) # fenet dti enrollment service default DTI
User Role Operator and Admin
Command Mode Configuration
Release Information This command was introduced as follows:
- NX Series: Release 7.9.1
- CM Series: Release 7.9.1
Related Commands For a list of related commands, see MVX Cluster Command Family on page 113.
fenet dti enrollment service type DTI address By default, the CM Series platform controls the enrollment service for managed sensors. When manual enrollment is required, the enrollment service type is DTI. Use this command to change the enrollment service type from CMS to DTI and to configure the enrollment service address. This command must be used with other commands, as shown in the Examples below. For more information about sensor enrollment, see the Network Security Deployment Guide for MVX Smart Grid and the Network Security Deployment Guide for Cloud MVX.
Syntax fenet dti enrollment service type DTI address
Parameters address
On-premises MVX: IP address of the CM Series that manages the on-premises MVX cluster. Cloud MVX: Cloud MVX service address (cloud.fireeye.com).
Examples In this example, the nx-02 sensor that is managed by a CM Series appliance with an IP address of 172.4.5.6 will be enrolled with a cluster that is managed by another CM Series appliance with an IP address of 10.11.10.11.
nx-02 (config) # no fenet dti enrollment service override enable
nx-02 (config) # fenet dti enrollment service type DTI address 10.11.10.11
nx-02 (config) # fenet dti enrollment service type DTI username user8 password 123ABCXYZ
nx-02 (config) # fenet dti enrollment service default DTI
In this example, the nx-01 sensor is managed by the local CM Series appliance (cm-1) with an IP address of 172.1.2.3. The local CM Series appliance will act as a proxy to enroll the sensor with Cluster-02, which is managed by another CM Series appliance (cm-2) with an IP address of 10.12.11.13.
cm-1 (config) # fenet dti enrollment service type DTI address 10.12.11.13
cm-1 (config) # fenet dti enrollment service type DTI username user9 password 345DEFUVW
cm-1 (config) # fenet dti enrollment service default DTI
User Role Operator and Admin
Command Mode Configuration
Release Information This command was introduced as follows:
- NX Series: Release 7.9.1
- CM Series: Release 7.9.1
Related Commands For a list of related commands, see MVX Cluster Command Family on page 113.
fenet dti enrollment service type DTI username password By default, the CM Series platform controls the enrollment service for managed sensors, so the enrollment service type is CMS. When manual enrollment is required, the enrollment service type is DTI. Use this command to configure the credentials for the DTI enrollment service type. This command must be used with other commands, as shown in the Examples below. For more information about sensor enrollment, see the Network Security Deployment Guide for MVX Smart Grid and the Network Security Deployment Guide for Cloud MVX.
Syntax fenet dti enrollment service type DTI username username password password
Parameters
username
The username to authenticate with the DTI enrollment service.
password
The password to authenticate with the DTI enrollment service.
Examples In this example, the nx-02 sensor that is managed by a CM Series appliance with an IP address of 172.4.5.6 will be enrolled with a cluster that is managed by another CM Series appliance with an IP address of 10.11.10.11.
nx-02 (config) # no fenet dti enrollment service override enable
nx-02 (config) # fenet dti enrollment service type DTI address 10.11.10.11
nx-02 (config) # fenet dti enrollment service type DTI username user8 password 123ABCXYZ
nx-02 (config) # fenet dti enrollment service default DTI
In this example, the nx-04 sensor is managed by the local CM Series appliance (cm-1) with an IP address of 172.1.2.3. The local CM Series appliance will act as a proxy to enroll the sensor with Cluster-02, which is managed by another CM Series appliance (cm-2) with an IP address of 10.12.11.13.
cm-1 (config) # fenet dti enrollment service type DTI address 10.12.11.13
cm-1 (config) # fenet dti enrollment service type DTI username user9 password 345DEFUVW
cm-1 (config) # fenet dti enrollment service default DTI
User Role Operator and Admin
Command Mode Configuration
Release Information This command was introduced as follows:
- NX Series: Release 7.9.1
- CM Series: Release 7.9.1
Related Commands For a list of related commands, see MVX Cluster Command Family on page 113.
fenet dti faude service If you used the fenet dti source on page 619 command to create a custom DTI source that managed appliances can reach for software updates, you must configure the same server for the Advanced URL Defense Engine (FAUDE) service. To configure the custom server as the DTI "faude" service destination, use the fenet dti faude service commands in configuration mode. Do not change the default DTI "faude" service for any other reason. See your System Administration Guide for information about configuring an accessible DTI server address before using this command.
Syntax
no fenet dti faude service override enable
fenet dti faude service type CUSTOM address address | port port
fenet dti faude service type CUSTOM username username password password
fenet dti faude service default CUSTOM
User Role Admin
Release Information This command was introduced as follows:
- EX Series: Release 7.8.0
Description If you configure a custom DTI source, you might need to configure the same server for the appliance to send malware detection and callback intelligence to the Faude service. To do this, perform the following steps in order:
1. Prevent the managing CM Series platform from overriding the custom server.
2. Configure the address and port of the custom server.
3. Configure the authentication credentials for the custom server.
4. Set the custom server as the default "faude" service server.
Parameters
no fenet dti faude service override enable
Prevents the CM Series platform from overriding the custom "faude" service server.
type CUSTOM address address
Configures a custom DTI source. The address is the hostname or IP address of the server.
type CUSTOM port port
Configures the custom DTI port. This parameter is optional; the port defaults to 443 if not specified.
type CUSTOM username username password password
Specifies the username and password for the custom server.
default CUSTOM
Sets "CUSTOM" as the default DTI "faude" service type.
Example This example sets the configured custom DTI server as the DTI "faude" service server.
hostname (config) # no fenet dti faude service override enable
hostname (config) # fenet dti faude service type CUSTOM address 3.3.3.7
hostname (config) # fenet dti faude service type CUSTOM port 20000
hostname (config) # fenet dti faude service type CUSTOM username DTIUser password abCd123#45
hostname (config) # fenet dti faude service default CUSTOM
fenet dti mil service If you used the fenet dti source on page 619 command to create a custom DTI source that managed appliances can reach for software updates, you must configure the same server for the Malware Intelligence Lab (MIL) service. To configure the custom server as the DTI "mil" service destination, use the fenet dti mil service commands in configuration mode. Do not change the default DTI "mil" service for any other reason. See your System Administration Guide for information about configuring an accessible DTI server address before using this command.
Syntax
no fenet dti mil service override enable
fenet dti mil service type CUSTOM address address | port port
fenet dti mil service type CUSTOM username username password password
fenet dti mil service default CUSTOM
User Role Admin
Release Information This command was introduced as follows:
- NX Series: Release 7.5.0
- EX Series: Release 7.6.0
- AX Series: Release 7.7.0
- FX Series: Release 7.7.0
Description If you configure a custom DTI source, you might need to configure the same server for the appliance to send malware detection and callback intelligence. To do this, perform the following steps in order:
1. Prevent the managing CM Series platform from overriding the custom server.
2. Configure the address and port of the custom server.
3. Configure the authentication credentials for the custom server.
4. Set the custom server as the default "mil" service server.
Parameters
no fenet dti mil service override enable
Prevents the CM Series platform from overriding the custom "mil" service server.
type CUSTOM address address
Configures a custom DTI source. The address is the hostname or IP address of the server.
type CUSTOM port port
Configures the custom DTI port. This parameter is optional; the port defaults to 443 if not specified.
type CUSTOM username username password password
Specifies the username and password for the custom server.
default CUSTOM
Sets "CUSTOM" as the default DTI "mil" service type.
Example This example sets the configured custom DTI server as the DTI "mil" service server.
hostname (config) # no fenet dti mil service override enable
hostname (config) # fenet dti mil service type CUSTOM address 3.3.3.7
hostname (config) # fenet dti mil service type CUSTOM port 20000
hostname (config) # fenet dti mil service type CUSTOM username DTIUser password abCd123#45
hostname (config) # fenet dti mil service default CUSTOM
fenet dti proxy cache purge Removes all files from the DTI cache on the CM Series platform.
Syntax fenet dti proxy cache purge
Parameters None
Examples The following example removes all files from the cache.
cm-02 (config) # fenet dti proxy cache purge
Operation started in the background. Run 'show fenet dti proxy cached-content' to check on progress.
cm-02 (config) # show fenet dti proxy cached-content
The cache is empty.
User Role Admin or Operator
Command Mode Configuration
Release Information This command was introduced as follows: CM Series: Release 7.7
Related Commands For a list of related commands, see: DTI Cache Proxy Command Family on page 79.
fenet dti proxy cache purge auto Specifies whether stale security content should be automatically removed from the DTI cache on the CM Series platform. This setting is enabled by default.
Syntax [no] fenet dti proxy cache purge auto enable
Parameters no
Use the no form of this command to disable the automatic removal of stale security content.
Examples The following example disables the removal of stale security content.
cm-02 (config) # no fenet dti proxy cache purge auto enable
The following example re-enables the removal of stale security content.
cm-02 (config) # fenet dti proxy cache purge auto enable
User Role Admin or Operator
Command Mode Configuration
Release Information This command was introduced as follows: CM Series: Release 7.7
Related Commands For a list of related commands, see: DTI Cache Proxy Command Family on page 79.
fenet dti proxy cache purge file Removes a specific file from the DTI cache on the CM Series platform.
Syntax fenet dti proxy cache purge file
Parameters fileName
The file to remove. Use the show fenet dti proxy cached-content command to determine the file name.
Example The following example removes the FX Series 7.7.0 system image from the cache.
cm-02 (config) # fenet dti proxy cache purge file image-fmps_7.7.0.img
User Role Admin or Operator
Command Mode Configuration
Release Information This command was introduced as follows: CM Series: Release 7.7
Related Commands For a list of related commands, see: DTI Cache Proxy Command Family on page 79.
fenet dti proxy cache purge file-type Removes the files of a specific type from the DTI cache on the CM Series platform.
Syntax fenet dti proxy cache purge file-type
Parameters fileType
The type of file to remove, where fileType can be:
- SysImage—Appliance system image
- GI—Guest image
- GI-Delta—A file containing the changes between the cached guest image and the latest version. If a suitable delta image is available, the delta is downloaded instead of the full guest image.
- GI-Metadata—A listing of the names and versions of the guest images that are available for the managed appliances.
- SC-Full—Security content
- SC-Delta—A file containing the changes between the cached security content and the latest version.
Example The following example removes all guest image delta files from the DTI cache.
cm-02 (config) # fenet dti proxy cache purge file-type GI-Delta
User Role Admin or Operator
Command Mode Configuration
Release Information This command was introduced as follows: CM Series: Release 7.7
Related Commands For a list of related commands, see: DTI Cache Proxy Command Family on page 79.
fenet dti proxy check-certificate To enable the SSL certificate verification, use the fenet dti proxy check-certificate command in configuration mode. The no form of the command disables the SSL certificate verification on the cache proxy.
Syntax [no] fenet dti proxy check-certificate
User Role Admin
Release Information Command introduced in Release 7.5.0 for the CM Series platform.
Parameters None
Description This command enables the SSL certificate verification, which is enabled by default. To implement a cache proxy deployment, you must disable the SSL certificate verification on the cache proxy. The managing CM Series platform uses a self-signed SSL certificate. For this reason, when the cache proxy is communicating with the CM Series platform, all the requests will fail because the self-signed SSL certificate cannot be verified for the managing CM Series platform.
Example The following example disables the SSL certificate verification on the cache proxy:
hostname (config) # no fenet dti proxy check-certificate
fenet dti source Use the fenet dti source command in configuration mode to do the following:
- Change the DTI source from which appliances and the CM Series platform download software updates.
- Create a custom DTI source.
- Configure DTI server credentials.
- Change the port over which DTI traffic passes between an appliance and the CM Series platform.
Before using these commands, see the CM Series Administration Guide or the System Administration Guide for your appliance for more information about the features they enable.
Syntax
fenet dti source default type
fenet dti source {managed type | managed-sync}
fenet dti source type type username username password password
fenet dti source type CUSTOM address address [port port]
fenet dti source type CMS address-type type
no fenet dti source override enable
no fenet dti source type
no fenet dti source type type address
no fenet dti source type CMS address-type
no fenet dti source type CUSTOM
User Role Admin
Release Information This command was introduced as follows:
- NX Series: Release 7.5.0
- CM Series: Release 7.6.0
- EX Series: Release 7.6.0
- AX Series: Release 7.7.0
- FX Series: Release 7.7.0
The fenet dti source type CMS address-type type command is not available on the CM Series platform.
Description Software updates (such as guest images, security content, and appliance images) can be downloaded from the following DTI sources:
- Dynamic Threat Intelligence Network (DTI), the FireEye Dynamic Threat Intelligence server
- Content Delivery Network (CDN), a content delivery network server
- The CM Series platform (CMS), available only to managed appliances
- A custom DTI source (Custom Network), if configured
By default, "CDN" is the active DTI source for the CM Series platform and standalone appliances, and "CMS" is the active DTI source for managed appliances. You can change these values. In addition, you can override the global managed DTI source on individual appliances. For details, such as reasons for changing the default DTI source, see your System Administration Guide or Administration Guide.
Only the DTI download server should be configured, not the upload server or the Malware Intelligence Lab (MIL) server. An exception is when you configure a custom DTI source server; you might need to configure the same server as the upload and MIL server. For details, see fenet dti upload destination on page 624 and fenet dti mil service on page 612.
Before Release 7.6.0, the CM Series platform and a managed appliance communicated over two ports:
- Remote management (SSH) port. The management port used to initiate the connection and configure the appliance. Port 22 is the default.
- DTI network service (HTTPS) port. The port used to request the software updates described above. Port 443 is the default.
In Release 7.6.0 and later, this communication is by default limited to only one port (the SSH port) to reduce the complexity of firewall rules, and to provide an additional layer of security and privacy between the CM Series platform and the appliances it manages. In environments in which the CM Series platform is behind a Network Address Translation (NAT) gateway, single-port communication also eliminates the need to map an additional HTTPS port (443) for managed appliances to request software updates from the CM Series platform.
Single-port communication pertains only to managed appliances that use the CM Series platform as their DTI source server.
Parameters
default type
Changes the active download source for the CM Series platform or a standalone appliance. Valid values for type are CDN, DTI, or CUSTOM (if configured).
managed type (CM Series platform only)
Changes the active DTI source for managed appliances. Valid values for type are CMS, CDN, DTI, or CUSTOM (if configured).
managed-sync (CM Series platform only)
Applies the managed appliance DTI source to all managed appliances.
type CUSTOM address address [port port]
Configures a custom DTI source and port. The address is the hostname or IP address of the server. The port is optional and defaults to 443 if not specified.
type type username username password password
Specifies the DTI username and password. Valid values for type are CDN, DTI, CMS, or CUSTOM (if configured).
type CMS address-type type
Specifies the type of address that a managed appliance using the CM Series platform as its DTI source server should use to request software updates. Valid values for type are cms-singleport, in which both management traffic and DTI traffic use the SSH port, and cms-auto, in which management traffic uses the SSH port and DTI traffic uses the HTTPS port. The default is cms-singleport.
no fenet dti source override enable
Prevents the CM Series platform from overriding the custom source server. This command must be run before you configure the custom server (address, port, and authentication credentials) and set the custom server as the default DTI source type.
no fenet dti source type
Restores "CDN" as the active download source.
no fenet dti source type type address
Restores the previous address of the DTI source. Valid values for type are DTI, CDN, or CMS. You cannot restore the previous address of a CUSTOM DTI source.
no fenet dti source type CMS address-type
Restores single-port communication, in which both management traffic and DTI traffic use the SSH port.
no fenet dti source type CUSTOM
Deletes the custom DTI source and removes it from the list of available download sources.
Examples
Changing the Active Source Type for a CM Series Platform or a Standalone Appliance
In this example, the active source type for a CM Series platform (or a standalone appliance) is changed to "DTI."
hostname (config) # fenet dti source type DTI
Changing the Active Source Type for Managed Appliances
In this example, the active source type for managed appliances is changed to "CDN" and the change is applied to all managed appliances.
hostname (config) # fenet dti source type managed CDN
hostname (config) # fenet dti source managed-sync
Restoring the Default DTI Source
In this example, "CDN" is restored as the active DTI source.
hostname (config) # no fenet dti source type
Restoring the Last Configured Address
In this example, the last configured address for the CDN source type is restored.
hostname (config) # no fenet dti source type CDN address
Creating a Custom DTI Source
In this example from an NX Series appliance, an accessible address is configured for a CM Series platform that is behind a NAT gateway, and it is set as the default DTI source. Before it is configured, the CM Series is prevented from subsequently overriding the custom address.
hostname (config) # no fenet dti source override enable
hostname (config) # fenet dti source type CUSTOM address 3.3.3.7 port 20000
hostname (config) # fenet dti source type CUSTOM username DTIUser password abCd123#45
hostname (config) # fenet dti source type CUSTOM
Deleting the Custom DTI Source
In this example, the custom DTI source is deleted, which removes it from the list of available options. This command fails if the custom DTI source is the active DTI source for either the CM Series platform or its managed appliances.
Changing DTI Credentials
In this example, the username and password for the CMS DTI source are changed.
hostname (config) # fenet dti source type CMS username DTIUser2 password fds$97AVbd
fenet dti upload destination If you used the fenet dti source on page 619 command to create a custom DTI source that managed appliances can reach for software updates, you must configure the same server as the DTI upload destination. To set the custom server as the DTI upload destination, use the fenet dti upload destination commands in configuration mode. Do not change the default DTI upload destination for any other reason. See your System Administration Guide for information about configuring an accessible DTI server address before using this command.
Syntax
no fenet dti upload destination override enable
fenet dti upload destination type CUSTOM address address | port port
fenet dti upload destination type CUSTOM username username password password
fenet dti upload destination default CUSTOM
User Role Admin
Release Information This command was introduced as follows:
- NX Series: Release 7.5.0
- EX Series: Release 7.6.0
- AX Series: Release 7.7.0
- FX Series: Release 7.7.0
Description If you configure a custom DTI source, you might need to configure the same server for the appliance to upload system statistics. To accomplish this, perform the following steps in order:
1. Prevent the managing CM Series platform from overriding the custom server.
2. Configure the address and port of the custom server.
3. Configure the authentication credentials for the custom server.
4. Set the custom server as the default upload server.
Parameters
no fenet dti upload destination override enable
Prevents the CM Series platform from overriding the custom upload server.
type CUSTOM address address
Configures a custom DTI source. The address is the hostname or IP address of the server.
type CUSTOM port port
Configures the custom DTI port. This parameter is optional; the port defaults to 443 if not specified.
type CUSTOM username username password password
Specifies the username and password for the custom server.
default CUSTOM
Sets "CUSTOM" as the default DTI upload destination type.
Example This example sets the configured custom DTI server as the DTI upload server.
hostname (config) # no fenet dti upload destination override enable
hostname (config) # fenet dti upload destination type CUSTOM address 3.3.3.7
hostname (config) # fenet dti upload destination type CUSTOM port 20000
hostname (config) # fenet dti upload destination type CUSTOM username DTIUser password abCd123#45
hostname (config) # fenet dti upload destination default CUSTOM
fenet enable Description Enables a FireEye appliance to contact the FireEye DTI (MPC) network service and download new updates. This must be enabled for the appliance to receive updates. This command applies to the FireEye appliance and FireEye CM Series appliance. Use the no form of this command to deactivate the content.
Syntax [no] fenet enable
Parameters None
Example The following example enables the FireEye network service on the FireEye appliance.
hostname (config) # fenet enable
fenet guest-images Description Configures Dynamic Threat Intelligence (DTI) network (also referred to as MPC) settings for updating and downloading Guest Images and for notifications. Guest Images are guest operating systems and related applications used by the Multivector Virtual Execution (MVX) engine, formerly referred to as the VXE, to analyze suspicious traffic and malware. FireEye provides software updates to Guest Images on a periodic basis.
By default, automatic checking for updates and downloading of Guest Images is enabled on the CM Series appliance running release 6.3.0 or later and on MPS appliances running 6.3.0 or later. For automatic updates and downloads to occur, automatic checking and downloading of Guest Images must be enabled on the CM Series appliance and its connected appliances. Email notification is not enabled by default.
A CM Series appliance must host a complete and valid set of Guest Images before any connected MPS systems attempt to download Guest Images from the CMS. This is true for both manually initiated operations and any automatic operations. If an automatic download to a connected MPS fails because the CMS has not finished downloading a valid set of Guest Images, the automated download will retry automatically at scheduled times. By default, the check is once every day, but you can configure the update schedule using the fenet guest-images check-update schedule command. For manual downloads that fail on connected MPS appliances for the same reason, retry the download after verifying that downloads on the CMS are complete.
Related commands: show fenet guest-images
These commands were removed from the CM Series platform in Release 7.5.0. For information about downloading guest images to the CM Series platform to update managed appliances, see the CM Series Administration Guide and the fenet dti cache populate guest-images command.
(The fenet guest-images commands are still available on the CM Series platform when it is not connected to the DTI network and instead uses the DTI Offline Portal to obtain guest images.)
Syntax
fenet guest-images auto {download | notify | update}
fenet guest-images check-update schedule {daily at hour:minute | weekly every day-of-week at hour:minute | monthly on month-day at hour:minute}
fenet guest-images notify email
no fenet guest-images auto
no fenet guest-images notify email
Parameters auto
The default behavior is to perform automatic checks for updates and perform an automatic download of new Guest Images. To modify the default settings and to enable notification, use: l
l
l
download—Enables the automatic download of new Guest Images. notify—Enables a notification to be sent when a new Guest Image is available. You must also enter the fenet guest-images notify email command. To turn off notifications, issue the no fenet guest-images auto notify and the no fenet guest-images notify email commands. update—Enables the CMS or MPS appliance to automatically check for new Guest Images. If other options have been set, update returns the system to the default behavior of automatic updates and downloads.
check- Sets the schedule for the FireEye appliance to check for Guest Image updates: update l daily at hour:minute—Checks for updates daily at the specified time (for schedule example, 6:15 for 6:15 a.m. or 23:00 for 11:00 p.m.). l
l
notify email
weekly every day-of-week at hour:minute—Checks for updates weekly (sun, mon, tues, wed, thu, fri, or sat) at the specified time. monthly on month-day at hour:minute—Checks for updates monthly on the specified day (1 through 31) at the specified time.
Enables email notification.
Example The following example enables automatic updates and email notification. The FireEye appliance checks for Guest Image updates every Friday at 6:00 p.m. hostname (config) # fenet guest-images auto update hostname (config) # fenet guest-images notify email hostname (config) # fenet guest-images check-update schedule weekly every fri at 18:00
fenet hx-agent autoupdate enable
Enables and disables automatic downloads of FireEye Endpoint Agent image software from the DTI cloud.
Syntax [no] fenet hx-agent autoupdate enable
Parameters
no: Use the no form of this command to disable automatic downloads of FireEye Endpoint Agent image software from the DTI cloud.
Example The following example enables automatic downloads of FireEye Endpoint Agent image software from the DTI cloud:
hostname (config) # fenet hx-agent autoupdate enable
User Role Admin or fe_services
Command Mode Configuration
Release Information This command was introduced as follows:
- HX Series: Release 3.0
Related Commands
- show fenet hx-agent image available
fenet hx-agent image apply
Installs a specific FireEye Endpoint Agent image or the latest agent image on the HX Series appliance. The image you are installing must previously have been retrieved from the DTI cloud using the fenet hx-agent image fetch command.
Syntax fenet hx-agent image apply {content-id | latest}
Parameters
content-id: Specify the content ID of the agent image you want to verify and install on the HX Series appliance. You can determine the content ID by running the show fenet hx-agent image available command.
latest: Specify this option if you want to verify and install the latest agent image (the image with the most recent release number) that you retrieved from the DTI cloud.
Example The following example verifies and installs the agent image with the content ID "IMAGE_HX_AGENT_WIN_21.23.0":
hostname (config) # fenet hx-agent image apply content-id IMAGE_HX_AGENT_WIN_21.23.0
User Role Admin or fe_services
Command Mode Configuration
Release Information This command was introduced as follows:
- HX Series: Release 2.6
- The latest parameter was introduced in Release 3.0
Related Commands
- fenet hx-agent image check
- fenet hx-agent image fetch
- show fenet hx-agent image available
fenet hx-agent image check
Checks for new FireEye Endpoint Agent images in the DTI cloud. After running this command, run the show fenet hx-agent image available command to see the updated list of available agents.
Syntax fenet hx-agent image check
Parameters None
Example The following example checks for new agent images in the DTI cloud:
hostname (config) # fenet hx-agent image check
Operation initiated in the background. Run 'show fenet hx-agent image available' for status
User Role Admin or fe_services
Command Mode Configuration
Release Information This command was introduced as follows:
- HX Series: Release 2.6
Related Commands
- fenet hx-agent image apply
- fenet hx-agent image fetch
- fenet hx-agent metadata refresh
- show fenet hx-agent image available
fenet hx-agent image fetch
Retrieves a specific FireEye Endpoint Agent image or the latest agent image from the DTI cloud.
Syntax fenet hx-agent image fetch {content-id | latest}
Parameters
content-id: Specify the content ID of the agent image you want to retrieve from the DTI cloud. You can determine the content ID by running the show fenet hx-agent image available command.
latest: Specify this option if you want to retrieve the latest agent image (the image with the most recent release number) from the DTI cloud.
Example The following example fetches the agent image with the content ID "IMAGE_HX_AGENT_WIN_21.23.0":
hostname (config) # fenet hx-agent image fetch content-id IMAGE_HX_AGENT_WIN_21.23.0
User Role Admin or fe_services
Command Mode Configuration
Release Information This command was introduced as follows:
- HX Series: Release 2.6
- The latest parameter was introduced in Release 3.0
Related Commands
- fenet hx-agent image apply
- fenet hx-agent image check
- show fenet hx-agent image available
fenet hx-agent metadata refresh
Retrieves the list of agents that are available for download from the DTI cloud.
Syntax fenet hx-agent metadata refresh
Parameters None
Example The following example retrieves the list of agents that are available for download:
hostname (config) # fenet hx-agent metadata refresh
Operation 1 of 1: Fetch Agent Metadata
Step 1 of 1 100.0% [#######################################################################]
meta data deployed successfully.
User Role Admin or fe_services
Command Mode Configuration
Release Information This command was introduced as follows:
- HX Series: Release 2.6
Related Commands
- fenet hx-agent image check
- show fenet hx-agent image available
fenet image
Description Manages the FireEye appliance operating system image using the FireEye DTI (MPC) network.
Syntax
fenet image check
fenet image configuration {backup | restore [appliance appliance-id]}
fenet image delete image_name
fenet image fetch [version release_number] [force]
fenet image install
fenet image rename src-name:dst-name
Parameters
check: Checks for a new operating system release.
backup: Backs up the current configuration (on the CMS).
restore [appliance appliance-id]: Restores the previously saved configuration. Optionally restores the configuration from another FireEye appliance.
delete image_name: Deletes the specified image.
fetch [version release_number] [force]: Fetches the latest OS release. Optionally specify a version to fetch; force forces fetching of the specified version.
install: Installs the latest OS release.
rename src-name:dst-name: Renames the image file from src-name to dst-name.
Example The following example checks for the available software releases.
hostname (config) # fenet image check
New OS-image available: 5.1.0 (current release is 5.1.0)
hostname (config) #
fenet license update [force]
Updates licenses explicitly. You can also force a license to be downloaded to replace an existing license. The license update service, if enabled, automatically downloads and installs licenses in the following cases:
- The license is not already installed on the appliance.
- The license exists, but the downloaded license offers more functionality or a later expiration date.
When you use the force option, if there is a conflict between an existing license and the downloaded license, the downloaded license is installed, even if it is less functional or of a shorter duration than the existing license. Carefully consider the implications before you force updates. For example, with the NX Series appliance, forcing a license update could change its deployment mode. For details about how to force license updates, refer to the License Management chapter in the System Administration Guide for your appliance and release.
Syntax fenet license update [force]
Parameters
force: Downloads the licenses and replaces existing licenses with them if there are conflicts.
Examples The following examples show the outcome of forcing license updates.
- The licensing service replaced an existing license with one that it downloaded:
hostname (config) # fenet license update force
Added license(s) from fenet
LK2-CONTENT_UPDATES-33XX-00XX-XX00-0X0X-0000-X000-X000-X00X-0XXXJ00
Deleted installed license(s) (superseded by license(s) shown above):
LK2-CONTENT_UPDATES-42XX-44XX-00XX-0000-H888-X00X-000R-XX22-XYZ-0
- The licensing service installed a license that did not exist already on the appliance:
hostname (config) # fenet license update force
Added license(s) from fenet
LK2-FIREEYE-SUPPORT-000X-XX00-XX00-0X0X-0000-X000-X000-X00X-0XXXX00X
No license(s) deleted
- All licenses were already installed and did not conflict with downloaded licenses:
hostname (config) # fenet license update force
All licenses fetched from fenet have already been installed
User Role Administrator or Operator
Command Mode Configuration
Release Information This command was introduced as follows:
- AX Series: Before Release 7.5
- EX Series: Before Release 7.5
- FX Series: Before Release 7.5
- NX Series: Before Release 7.5
- CM Series: Before Release 7.5
Related Commands For a list of related commands, see License Management Command Family on page 103.
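The replacement policy described above (install when absent, replace when the download offers more, and with force replace on any conflict) as an added example; this is not FireEye's implementation. The License record, its kind/feature/expiry fields and the LK2-...-PLACEHOLDER keys are constructed for illustration, and "one installed license per kind" is an assumption of the model.

```python
# Added example (not FireEye code): the licence-replacement policy that the
# fenet license update [force] description states, expressed as a planning
# function. Licence records, their fields and the keys are constructed.
from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, List, Tuple


@dataclass(frozen=True)
class License:
    key: str                   # licence key string (constructed placeholders below)
    kind: str                  # licence type; one installed licence per kind is assumed
    expires: date              # expiration date
    features: FrozenSet[str]   # functionality the licence grants (assumed model)


def make_license(key: str, kind: str, expires_iso: str, *features: str) -> License:
    """Build a License from plain strings, e.g. make_license(k, "SUPPORT", "2017-06-30", "x")."""
    return License(key, kind, date.fromisoformat(expires_iso), frozenset(features))


def offers_more(new: License, old: License) -> bool:
    """True when the downloaded licence adds functionality or extends the expiry
    without giving anything up (the non-forced replacement rule on the page)."""
    if new.features > old.features:            # strictly more functionality
        return True
    return new.features >= old.features and new.expires > old.expires


def plan_update(installed: List[License], downloaded: List[License],
                force: bool = False) -> Tuple[List[str], List[str]]:
    """Return (added_keys, deleted_keys) for one update run.

    Without force: install when not present, or when the download offers more.
    With force: any conflict (same kind, different key) is resolved in favour of
    the downloaded licence, even if it is less functional or expires sooner.
    """
    by_kind = {lic.kind: lic for lic in installed}
    added, deleted = [], []
    for new in downloaded:
        old = by_kind.get(new.kind)
        if old is None:
            added.append(new.key)                  # case 1: not installed yet
        elif old.key == new.key:
            continue                               # identical licence, nothing to do
        elif force or offers_more(new, old):
            added.append(new.key)                  # case 2, or a forced replacement
            deleted.append(old.key)
        # otherwise the installed licence is kept
    return added, deleted


def format_result(added: List[str], deleted: List[str]) -> str:
    """Render the plan in the style of the CLI output shown in the examples above."""
    if not added and not deleted:
        return "All licenses fetched from fenet have already been installed"
    lines = ["Added license(s) from fenet"] + added
    if deleted:
        lines += ["Deleted installed license(s) (superseded by license(s) shown above):"] + deleted
    else:
        lines.append("No license(s) deleted")
    return "\n".join(lines)


def demo(force: bool) -> Tuple[List[str], List[str]]:
    """Constructed scenario: the downloaded CONTENT_UPDATES licence is narrower
    than the installed one (fewer features) but expires later; a SUPPORT licence
    is not installed at all."""
    installed = [make_license("LK2-CONTENT_UPDATES-PLACEHOLDER-OLD", "CONTENT_UPDATES",
                              "2017-06-30", "content", "av")]
    downloaded = [make_license("LK2-CONTENT_UPDATES-PLACEHOLDER-NEW", "CONTENT_UPDATES",
                               "2018-06-30", "content"),
                  make_license("LK2-FIREEYE-SUPPORT-PLACEHOLDER", "FIREEYE-SUPPORT",
                               "2018-06-30", "support")]
    return plan_update(installed, downloaded, force=force)


if __name__ == "__main__":
    for force in (False, True):
        print(f"--- force={force} ---")
        print(format_result(*demo(force)))
```

Without force the narrower CONTENT_UPDATES download is ignored and only the missing SUPPORT licence is added; with force the narrower licence replaces the installed one, which is the loss of functionality the text warns about.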
fenet license update enable
Enables the license update feature. After you enable it, you can use the fenet time sync command (page 645) to synchronize the system clock to the DTI server time. For details about the license update feature, refer to the License Management chapter in the System Administration Guide for your appliance and release.
Syntax [no] fenet license update enable
Parameters
no: Use the no form of this command to disable the license update feature.
Examples The following example enables the license update feature:
hostname (config) # fenet license update enable
The following example disables the license update feature:
hostname (config) # no fenet license update enable
User Role Administrator or Operator
Command Mode Configuration
Release Information This command was introduced as follows:
- AX Series: Before Release 7.5
- EX Series: Before Release 7.5
- FX Series: Before Release 7.5
- NX Series: Before Release 7.5
- CM Series: Before Release 7.5
Related Commands For a list of related commands, see License Management Command Family on page 103.
fenet metadata refresh
Description Refreshes the update metadata file from the Dynamic Threat Intelligence (DTI) network (also known as the MPC) for patches, OS software, and Guest Images. Use this command when there are hosting issues.
Syntax fenet metadata refresh
Parameters None
Example The following example refreshes the update metadata file from the DTI (MPC) network.
hostname (config) # fenet metadata refresh
fenet op-mode local
Places the appliance in the "local" operational mode. This is an offline operational mode that is used when there is no connection to the DTI network. In this mode, a file containing software updates is uploaded to a local machine. For details, see the FireEye DTI Offline Update Portal Guide.
Syntax fenet op-mode local
Parameters None
Example The following example puts the appliance in the local operational mode.
hostname (config) # fenet op-mode local
hostname (config) # show fenet dti configuration
DTI CLIENT CONFIGURATIONS:
ACTIVE SETTINGS:
Mode: local
...
User Role Admin
Command Mode Configuration
Release Information
AX Series: Before release 6.4
CM Series: Before release 6.4
EX Series: Before release 6.4
FX Series: Before release 6.4
HX Series: Release 2.5
NX Series: Before release 6.4
Related Commands fenet op-mode url on page 643, fenet op-mode online on the facing page
fenet op-mode online
Places the appliance in the "online" operational mode. The online op-mode is required for a standalone appliance to download software updates from the DTI network, and for a managed appliance to download software updates from the CM Series platform. Both options require a connection to the DTI network.
Syntax fenet op-mode online
Parameters None
Example The following example puts the appliance in the online operational mode.
hostname (config) # fenet op-mode online
hostname (config) # show fenet dti configuration
DTI CLIENT CONFIGURATIONS:
ACTIVE SETTINGS:
Mode: online
...
User Role Admin
Command Mode Configuration
Release Information
AX Series: Before release 6.4
CM Series: Before release 6.4
EX Series: Before release 6.4
FX Series: Before release 6.4
HX Series: Release 2.5
NX Series: Before release 6.4
Related Commands fenet op-mode local on the previous page, fenet op-mode url on page 643
fenet op-mode proxy
To enable proxy mode, use the fenet op-mode proxy command in configuration mode.
Syntax fenet op-mode proxy
User Role Admin
Release Information Command introduced in Release 7.5.0 for the CM Series platform.
Parameters None
Description This command enables proxy mode on the CM Series platform that is used as the cache proxy.
Example The following example enables the CM Series platform as a cache proxy:
hostname (config) # fenet op-mode proxy
fenet op-mode url
Places the appliance in the "url" operational mode. This is an offline operational mode that is used when there is no connection to the DTI network. In this mode, a file containing software updates is hosted on a local site identified by a URL. For details, see the FireEye DTI Offline Update Portal Guide.
Syntax fenet op-mode url
Parameters None
Example The following example puts the appliance in the url operational mode.
hostname (config) # fenet op-mode url
hostname (config) # show fenet dti configuration
DTI CLIENT CONFIGURATIONS:
ACTIVE SETTINGS:
Mode: url
...
User Role Admin
Command Mode Configuration
Release Information
AX Series: Before release 6.4
CM Series: Before release 6.4
EX Series: Before release 6.4
FX Series: Before release 6.4
HX Series: Release 2.5
NX Series: Before release 6.4
Related Commands fenet op-mode local on page 640, fenet op-mode online on page 641
fenet proxy
Description Specifies a proxy server to use to access any external websites or network services. Because the Dynamic Threat Intelligence (DTI) network (also referred to as the MPC) works over the HTTPS protocol, it can work with an HTTP proxy. The appliance must have information about the proxy server so that it can access the service.
Syntax
fenet proxy auth basic password password
fenet proxy auth basic user user_name
fenet proxy host hostname:port
fenet proxy user-agent userAgentString
no fenet proxy
no fenet proxy auth basic password
no fenet proxy auth basic user
no fenet proxy user-agent
Parameters
password: Specifies a password for the proxy server.
user_name: Specifies a username for the proxy server.
hostname:port: Specifies the host IP address and port for the proxy server.
user-agent userAgentString: Specifies the user agent string written to curlrc and wgetrc. Using no fenet proxy user-agent userAgentString removes the "user-agent" settings from the curlrc and wgetrc files.
Example The following example sets the username for the proxy server.
hostname (config) # fenet proxy auth basic user admin5
fenet time sync
To synchronize the system clock to the DTI server time, enter the fenet time sync command in configuration mode. This command requires the Admin role.
Syntax fenet time sync
Parameters None
Description This command retrieves the time (in UTC) from the DTI server and then synchronizes the system clock to it. This command is especially useful if you do not use NTP servers to synchronize your system clock.
The system time should match the DTI server time as closely as possible. This is necessary for features such as the license update service, in which licenses are downloaded from the DTI server and installed on the appliance. We recommend that you perform this synchronization before you enable the feature to prevent time gaps that could affect the validity of your licenses.
This action synchronizes the system clock to the DTI server a single time. It does not change the system timezone. For more information, see the time management and license management sections of the System Administration Guide for your appliance.
Example The following command synchronizes the clocks a single time:
hostname (config) # fenet time sync
Release Information Command introduced in Release 7.9.1 for all appliances.
fenet proxy enable
To enable the HTTP proxy, use the fenet proxy enable command in configuration mode.
Syntax [no] fenet proxy enable
User Role Administrator
Release Information Command introduced in Release 7.6.0.
Parameters
no: Disables the HTTP proxy.
Example The following example enables the HTTP proxy:
hostname (config) # fenet proxy enable
fenet security-content
Description Configures the FireEye security content update settings. The no form of the command resets the configuration.
Syntax
fenet security-content acceptance-level {stable | long_beta}
[no] fenet security-content apply-update
[no] fenet security-content auto-gen {callback | enable | infect | past_hours}
fenet security-content autoupdate action {check | update}
[no] fenet security-content custom rule {enable [terminal]}
[no] fenet security-content autoupdate notification enable
[no] fenet security-content autoupdate notification class {failure | info}
fenet security-content autoupdate schedule {hourly at minutes | daily at hour:minute | weekly every day-of-week at hour:minute | monthly on month-day at hour:minute}
fenet security-content check-update
fenet security-content upload {notify | now}
fenet security-content download-update
Parameters
acceptance-level: Defines the acceptance level for the security content updates on this appliance. Options:
- stable—Default.
- long_beta—Levels of experimental security content. These settings should be used only if it is acceptable to work with experimental security content.
auto-gen: Configures automatic security content generation. The following options are available:
- callback enable—Sets auto-generation of security content for callback signatures.
- enable—Enables security content auto-generation.
- infect—Enables automatic updates.
- past_hours—Sets the number of past hours to keep auto-generated security content signatures.
apply-update: Updates the appliance to the latest security content package.
autoupdate action {check | update}: Configures the action to perform for automatic scheduling: check for, or apply, automatic updates.
autoupdate notification class {failure | info}: Sends email notifications about auto-update failures or general information.
autoupdate notification enable: Enables or disables email notifications of updates.
autoupdate schedule: Configures the appliance to update automatically as updates become available from DTI (MPC) or are detected by the appliance:
- hourly at minutes—Checks every hour at the specified minute.
- daily at hour:minute—Checks for updates daily at the specified time (for example, 6:15 for 6:15 a.m. or 23:00 for 11:00 p.m.).
- weekly every day-of-week at hour:minute—Checks for updates weekly (sun, mon, tues, wed, thu, fri, or sat) at the specified time.
check-update: Checks if new updates are available.
custom rule: Configures a FireEye custom rule.
- enable terminal—Enables a custom rule. Use no fenet security-content custom rule to unconfigure a FireEye custom rule. Use no fenet security-content custom rule enable terminal to disable a custom rule.
upload {enable | notify | now}: Enables sharing new security content with the DTI, enables email notification for auto upload, or uploads new content to the DTI.
download-update: Downloads the latest security-content package to the /data/fenet/updates directory on the appliance. By default, the appliance fetches the latest security content from the DTI download source specified in the appliance configuration.
Example The following example enables daily automatic updates of security content.
hostname (config) # fenet security-content autoupdate schedule daily at 12:30
fenet security-content custom rule enable
Description Use this command to enable the use of custom internal security rules on the Web MPS appliance.
Syntax fenet security-content custom rule enable
Parameters None
Example The following example enables custom internal security rules on a Web MPS appliance.
hostname # fenet security-content custom rule enable
fenet session
Description Configures Dynamic Threat Intelligence (DTI) network (also known as the MPC) update request session settings.
Syntax
fenet session {limit-rate rate | max-time seconds | speed-time seconds | timeout seconds | tries num_retries}
no fenet session {limit-rate | max-time | speed-time | timeout | tries}
Parameters
limit-rate rate: Specifies the maximum transfer rate that the DTI client will use. This feature is useful if you have limited bandwidth and you want to ensure that the transfer does not take up the entire bandwidth. The speed is measured in bytes per second.
max-time seconds: Maximum time in seconds for the transfer to take place. This feature is useful for preventing DTI client requests from hanging due to slow networks or links going down.
speed-time seconds: If the DTI download is slower than one byte per second during a speed-time period, the download is aborted.
timeout seconds: Maximum time in seconds to connect to the server. This only limits the connection phase. Once the DTI client has connected, this option is not needed.
tries num_retries: Specifies the number of attempts to connect before the session times out.
Example The following example sets the session timeout at 120 seconds.
hostname (config) # fenet session timeout 120
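How the five session limits interact is easier to see on a concrete transfer, so here is an added example (not FireEye code) that replays them over a constructed per-second trace: timeout bounds each connection attempt and tries bounds how many there are, while max-time and speed-time apply only once the transfer is under way. The Session class, the trace format and the evaluation rules are assumptions made for illustration; the appliance's real client may count time differently.

```python
# Added example (not FireEye code): replays the fenet session limits over a
# constructed transfer trace to show which limit fires and when. The trace
# format and the evaluation rules are assumptions made for illustration.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Session:
    limit_rate: Optional[int] = None   # max bytes per second the client accepts
    max_time: Optional[int] = None     # max seconds for the transfer phase
    speed_time: Optional[int] = None   # abort after this many seconds below 1 byte/s
    timeout: Optional[int] = None      # max seconds for the connection phase only
    tries: int = 1                     # connection attempts before giving up (assumed default)

    def __post_init__(self):
        if self.limit_rate is not None and self.limit_rate < 1:
            raise ValueError("limit-rate must be at least 1 byte per second")
        if self.tries < 1:
            raise ValueError("tries must be at least 1")


def evaluate(session: Session,
             connect_attempts: List[Tuple[bool, int]],
             offered_per_second: List[int]) -> Tuple[str, int]:
    """Simulate one DTI client request.

    connect_attempts: (connected, seconds_taken) per attempt, in order.
    offered_per_second: bytes the network offers in each one-second slot once
      connected; the client accepts at most limit_rate of them per second and
      carries the rest over to the next second.
    Returns (outcome, detail): detail is attempts used on connect failure,
    bytes received on abort, or elapsed transfer seconds on completion.
    """
    # Connection phase: `timeout` bounds each attempt, `tries` bounds the count.
    used = 0
    for connected, secs in connect_attempts[:session.tries]:
        used += 1
        if session.timeout is not None and secs > session.timeout:
            continue                                   # this attempt timed out
        if connected:
            break
    else:
        return ("connect-failed", used)

    # Transfer phase: `timeout` no longer applies; max-time and speed-time do.
    total = sum(offered_per_second)
    pending = list(offered_per_second)
    backlog = received = elapsed = stalled = 0
    while received < total:
        elapsed += 1
        if session.max_time is not None and elapsed > session.max_time:
            return ("aborted: max-time", received)
        backlog += pending.pop(0) if pending else 0
        take = backlog if session.limit_rate is None else min(backlog, session.limit_rate)
        backlog -= take
        received += take
        if take < 1:                                   # below one byte per second
            stalled += 1
            if session.speed_time is not None and stalled >= session.speed_time:
                return ("aborted: speed-time", received)
        else:
            stalled = 0                                # any progress resets the stall clock
    return ("complete", elapsed)


if __name__ == "__main__":
    stall = [100, 0, 0, 0, 100]                        # constructed: a 3-second stall
    print(evaluate(Session(speed_time=3), [(True, 1)], stall))   # aborted
    print(evaluate(Session(speed_time=4), [(True, 1)], stall))   # completes
    print(evaluate(Session(limit_rate=500), [(True, 1)], [1000, 1000]))
```

The two speed-time runs on the same trace show the boundary: a stall of exactly speed-time seconds aborts, one second less does not. The limit-rate run shows why a cap stretches the transfer (2000 bytes at 500 bytes/s take four seconds), which matters when max-time is also set.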
fenet ssl
To configure Dynamic Threat Intelligence (DTI) SSL/TLS settings, use the fenet ssl command in configuration mode.
Syntax
[no] fenet ssl cipher-list {original | fips | cc-ndpp | fips-and-cc-ndpp | high-security | compatible}
[no] fenet ssl min-version {tls1 | tls1.1 | tls1.2}
User Role Administrator
Release Information Command introduced in Release 7.6.0.
Parameters
cipher-list {original | fips | cc-ndpp | fips-and-cc-ndpp | high-security | compatible}: Configures the DTI cipher list for SSL/TLS:
- original—Original FireEye cipher list (maximum compatibility)
- fips—Compliant with FIPS
- cc-ndpp—Compliant with CC-NDPP
- fips-and-cc-ndpp—Compliant with both FIPS and CC-NDPP
- high-security—High security (might include ciphers not compliant with FIPS or CC-NDPP)
- compatible—Improved security while maintaining backward compatibility
min-version {tls1 | tls1.1 | tls1.2}: Configures the minimum required version of the SSL/TLS protocol for DTI:
- tls1—Requires TLSv1 or higher.
- tls1.1—Requires TLSv1.1 or higher.
- tls1.2—Requires TLSv1.2 or higher.
Example The following example configures the DTI cipher list to be compliant with FIPS:
hostname (config) # fenet ssl cipher-list fips
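What a min-version floor and a cipher-list choice actually change on the wire can be checked with Python's ssl module, so here is an added example (not FireEye code) that evaluates the weak settings beside the hardened ones. The OpenSSL cipher strings standing in for the "compatible" and "high-security" lists are assumptions: the page names the lists but does not say which ciphers each contains. The mapping of the page's min-version keywords onto ssl.TLSVersion and the TLS 1.2 baseline used by the audit are likewise choices made for the example.

```python
# Added example (not FireEye code): the effect of the fenet ssl min-version and
# cipher-list choices, evaluated with Python's ssl module. The OpenSSL cipher
# strings standing in for the page's named lists are assumptions; the page does
# not define which ciphers each named list contains.
import ssl
from typing import List

MIN_VERSION = {
    "tls1": ssl.TLSVersion.TLSv1,
    "tls1.1": ssl.TLSVersion.TLSv1_1,
    "tls1.2": ssl.TLSVersion.TLSv1_2,
}

# Assumed stand-ins for two of the named lists, for demonstration only.
CIPHER_LISTS = {
    "compatible": "HIGH:!aNULL:!eNULL:!MD5",
    "high-security": "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL",
}

BASELINE = "tls1.2"   # floor the audit expects (assumption for this example)


def rate_settings(min_version: str, cipher_list: str) -> List[str]:
    """Findings from the configured keywords alone, before touching OpenSSL."""
    findings = []
    if MIN_VERSION[min_version] < MIN_VERSION[BASELINE]:
        findings.append(f"min-version {min_version} allows handshakes below {BASELINE}")
    if cipher_list in ("original", "compatible"):
        findings.append(f"cipher-list {cipher_list} favours backward compatibility over strength")
    return findings


def build_client_context(min_version: str, cipher_list: str) -> ssl.SSLContext:
    """Client context that behaves like the chosen DTI client settings (assumed mapping)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)   # verifies the peer certificate by default
    ctx.minimum_version = MIN_VERSION[min_version]
    ctx.set_ciphers(CIPHER_LISTS[cipher_list])
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Findings on what the context would actually offer: the protocol floor, and
    any cipher suite without AEAD or without forward secrecy."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum protocol version below TLSv1.2")
    for c in ctx.get_ciphers():
        name = c["name"]
        # TLS 1.3 suites are always forward secret; in 1.2 the (EC)DHE prefix says so.
        forward_secret = c["protocol"] == "TLSv1.3" or name.startswith(("ECDHE-", "DHE-"))
        if not c["aead"]:
            findings.append(f"{name}: not an AEAD cipher suite")
        if not forward_secret:
            findings.append(f"{name}: no forward secrecy")
    return findings


def offered_cipher_names(ctx: ssl.SSLContext) -> List[str]:
    return [c["name"] for c in ctx.get_ciphers()]


if __name__ == "__main__":
    print("policy findings for tls1 + compatible:", rate_settings("tls1", "compatible"))
    hardened = build_client_context("tls1.2", "high-security")
    print("hardened context offers:", offered_cipher_names(hardened))
    print("hardened context findings:", audit_context(hardened))
    weak = build_client_context("tls1.1", "compatible")
    print("weak context findings:", len(audit_context(weak)))
```

The hardened context yields no findings: every offered suite is AEAD and forward secret, and nothing below TLS 1.2 can be negotiated. The weak context is what a peer that still needs TLS 1.0 or CBC suites forces you into; the audit lists each such suite so the trade-off is visible rather than implied by the list's name.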
fenet stats-content aggregator enable
Configures the appliance to aggregate statistics for notifications that will be sent to the Dynamic Threat Intelligence (DTI) network. The statistics content framework provides a flexible mechanism to extend aggregations by providing custom aggregators that can be installed on a FireEye appliance.
Syntax [no] fenet stats-content aggregator aggregator enable
Parameters
aggregator: The aggregator to enable:
- db-aggr—Configures fenet aggregate db-aggr information.
- dmesg-aggr—Configures fenet aggregate dmesg-aggr information.
- feusage-aggr—Configures fenet aggregate feusage-aggr information.
- jconf-aggr—Configures fenet aggregate jconf-aggr information.
- jlog-aggr—Configures fenet aggregate jlog-aggr information.
- jpri-aggr—Configures fenet aggregate jpri-aggr information.
- jstats-aggr—Configures fenet aggregate jstats-aggr information.
- malware-aggr—Configures fenet aggregate malware-aggr information.
- packetstats-aggr—Configures fenet aggregate packetstats-aggr information.
- pcaps-aggr—Configures fenet aggregate pcaps-aggr information.
- perfstats-aggr—Configures fenet aggregate perfstats-aggr information.
- rt-stats-aggr—Configures fenet aggregate rt-stats-aggr information.
- sysconf-aggr—Configures fenet aggregate sysconf-aggr information.
- syslog-aggr—Configures fenet aggregate syslog-aggr information.
- techinfo-aggr—Configures fenet aggregate techinfo-aggr information.
- wuilog-aggr—Configures fenet aggregate wuilog-aggr information.
no: Use the no form of this command to disable the specified aggregator.
Example The following example enables malware aggregation information to be sent to the FireEye network server:
hostname (config) # fenet stats-content aggregator malware-aggr enable
fenet stats-content upload {auto | now}
Sets the schedule for uploading aggregation statistics automatically to the Dynamic Threat Intelligence (DTI) network (also referred to as the MPC).
Syntax
fenet stats-content upload auto daily at hh:mm
fenet stats-content upload auto hourly at mm
fenet stats-content upload auto monthly on date at hh:mm
fenet stats-content upload auto weekly every day at hh:mm
fenet stats-content upload auto none
fenet stats-content upload now
Parameters
hh:mm: Hours and minutes (24-hour clock).
mm: Minute (0-59).
date: Day of the month (1-31).
day: Day of the week (sun, mon, tue, wed, thu, fri, sat).
now: Uploads aggregation information to the FireEye network service now.
Example The following example uploads aggregation information to the FireEye network server daily at 6:45 PM:
hostname (config) # fenet stats-content upload auto daily at 18:45
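The same schedule grammar appears three times in this section: fenet guest-images check-update schedule, fenet security-content autoupdate schedule and fenet stats-content upload auto. The following added example (not FireEye code) parses the clauses and computes when each would next fire, which is the check an operator wants before relying on a schedule, especially for the monthly form with a day that some months lack. The grammar comes from those entries; the next-run rule (first matching wall-clock time strictly after a given timestamp, months without the requested day skipped) is an assumption of the example, as is accepting both "tue" and "tues".

```python
# Added example (not FireEye code): a parser and next-run calculator for the
# schedule clauses used by fenet guest-images check-update schedule,
# fenet security-content autoupdate schedule and fenet stats-content upload auto.
# The grammar is taken from those entries; the next-run semantics are an assumption.
import calendar
import re
from datetime import datetime, timedelta
from typing import Optional

# Day names as the entries spell them ("tues" in check-update, "tue" in stats-content).
DAYS = {"sun": 6, "mon": 0, "tue": 1, "tues": 1, "wed": 2, "thu": 3, "fri": 4, "sat": 5}

_HOURLY = re.compile(r"^hourly at (\d{1,2})$")
_DAILY = re.compile(r"^daily at (\d{1,2}):(\d{2})$")
_WEEKLY = re.compile(r"^weekly every ([a-z]+) at (\d{1,2}):(\d{2})$")
_MONTHLY = re.compile(r"^monthly on (\d{1,2}) at (\d{1,2}):(\d{2})$")


def _time_fields(hour: str, minute: str) -> dict:
    h, m = int(hour), int(minute)
    if not (0 <= h <= 23 and 0 <= m <= 59):
        raise ValueError(f"invalid time {hour}:{minute} (24-hour clock expected)")
    return {"hour": h, "minute": m}


def parse_schedule(clause: str) -> dict:
    """Parse one clause into its fields, e.g. 'weekly every fri at 18:00'."""
    text = " ".join(clause.lower().split())
    if text == "none":
        return {"kind": "none"}
    m = _HOURLY.match(text)
    if m:
        minute = int(m.group(1))
        if not 0 <= minute <= 59:
            raise ValueError(f"invalid minute {minute}")
        return {"kind": "hourly", "minute": minute}
    m = _DAILY.match(text)
    if m:
        return {"kind": "daily", **_time_fields(m.group(1), m.group(2))}
    m = _WEEKLY.match(text)
    if m:
        if m.group(1) not in DAYS:
            raise ValueError(f"unknown day-of-week {m.group(1)!r}")
        return {"kind": "weekly", "weekday": DAYS[m.group(1)],
                **_time_fields(m.group(2), m.group(3))}
    m = _MONTHLY.match(text)
    if m:
        day = int(m.group(1))
        if not 1 <= day <= 31:
            raise ValueError(f"month-day {day} out of range 1-31")
        return {"kind": "monthly", "day": day, **_time_fields(m.group(2), m.group(3))}
    raise ValueError(f"unrecognised schedule clause {clause!r}")


def is_valid_schedule(clause: str) -> bool:
    try:
        parse_schedule(clause)
        return True
    except ValueError:
        return False


def next_run(clause: str, after_iso: str) -> Optional[str]:
    """ISO timestamp of the first run strictly after `after_iso`, or None for 'none'.
    Months without the requested day (e.g. 31) are skipped, as a calendar would."""
    s = parse_schedule(clause)
    after = datetime.fromisoformat(after_iso)
    if s["kind"] == "none":
        return None
    if s["kind"] == "hourly":
        cand = after.replace(minute=s["minute"], second=0, microsecond=0)
        if cand <= after:
            cand += timedelta(hours=1)
        return cand.isoformat(timespec="minutes")
    if s["kind"] == "monthly":
        year, month = after.year, after.month
        while True:
            if s["day"] <= calendar.monthrange(year, month)[1]:
                cand = datetime(year, month, s["day"], s["hour"], s["minute"])
                if cand > after:
                    return cand.isoformat(timespec="minutes")
            year, month = (year, month + 1) if month < 12 else (year + 1, 1)
    cand = after.replace(hour=s["hour"], minute=s["minute"], second=0, microsecond=0)
    if s["kind"] == "weekly":
        cand += timedelta(days=(s["weekday"] - cand.weekday()) % 7)
        if cand <= after:
            cand += timedelta(days=7)
    elif cand <= after:                                # daily
        cand += timedelta(days=1)
    return cand.isoformat(timespec="minutes")


if __name__ == "__main__":
    for clause in ("weekly every fri at 18:00", "daily at 12:30", "monthly on 31 at 06:15"):
        print(clause, "->", next_run(clause, "2016-04-01T00:00"))
```

The monthly case is the one worth running: "monthly on 31" silently skips April, June, September and November, so a check scheduled that way runs eight times a year, not twelve.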
fenet update appliance
Upgrades both the system image and guest images on a VX Series node in an MVX cluster. This command should only be used for VX Series appliances, as described in the Threat Management Platform Administration Guide.
Syntax fenet update appliance applianceName
Parameters
applianceName: The name of the VX Series appliance to upgrade.
User Role Admin or Operator
Command Mode Configuration
Release Information This command was introduced as follows:
- CM Series: Release 7.9.0
Related Commands For a list of related commands, see MVX Appliance Command Family on page 112.
fenet update appliance cancel
Cancels a full upgrade of the system image and guest images on a VX Series node in an MVX cluster. This command should only be used for VX Series appliances, as described in the Threat Management Platform Administration Guide.
Syntax fenet update appliance applianceName cancel
Parameters
applianceName: The name of the VX Series appliance being updated.
User Role Admin or Operator
Command Mode Configuration
Release Information This command was introduced as follows:
- CM Series: Release 7.9.0
Related Commands For a list of related commands, see MVX Appliance Command Family on page 112.
fenet update appliance guest-image
Downloads and installs guest images on a VX Series node in an MVX cluster. This command should only be used for VX Series appliances, as described in the Threat Management Platform Administration Guide.
Syntax fenet update appliance applianceName guest-image
Parameters
applianceName: The name of the VX Series appliance to update.
Example The following example downloads and installs guest images on the vx-1 node:
cm-1 (config) # fenet update appliance vx-1 guest-image
appliance update for vx-1 success, update started
Run 'show fenet update status appliance vx-1' for status
User Role Admin or Operator
Command Mode Configuration
Release Information This command was introduced as follows:
- CM Series: Release 7.9.0
Related Commands For a list of related commands, see MVX Appliance Command Family on page 112.
fenet update appliance guest-image cancel
Cancels the update of guest images on a VX Series node in an MVX cluster. This command should only be used for VX Series appliances, as described in the Threat Management Platform Administration Guide.
Syntax fenet update appliance applianceName guest-image cancel
Parameters
applianceName: The name of the VX Series appliance being updated.
Example The following example cancels the upgrade on the node vx-2:
hostname (config) # fenet update appliance vx-2 guest-image cancel
User Role Admin or Operator
Command Mode Configuration
Release Information This command was introduced as follows:
- CM Series: Release 7.9.0
Related Commands For a list of related commands, see MVX Appliance Command Family on page 112.
fenet update appliance guest-image delete
Deletes the guest images from a VX Series node in an MVX cluster. This command should only be used for VX Series appliances, as described in the Threat Management Platform Administration Guide.
Syntax fenet update appliance applianceName guest-image delete
Parameters
applianceName: The name of the VX Series appliance to update.
Example The following example deletes the guest image on vx-2:
cm-1 (config) # fenet update appliance vx-2 guest-image delete
User Role Admin or Operator
Command Mode Configuration
Release Information This command was introduced as follows:
- CM Series: Release 7.9.0
Related Commands For a list of related commands, see MVX Appliance Command Family on page 112.
fenet update appliance guest-image download
Downloads guest images to a VX Series node in an MVX cluster. This command should only be used for VX Series appliances, as described in the Threat Management Platform Administration Guide.
Syntax fenet update appliance applianceName guest-image download
Parameters
applianceName: The name of the VX Series appliance to update.
Example The following example downloads the guest image to vx-2:
hostname (config) # fenet update appliance vx-2 guest-image download
User Role Admin or Operator
Command Mode Configuration
Release Information This command was introduced as follows:
- CM Series: Release 7.9.0
Related Commands For a list of related commands, see MVX Appliance Command Family on page 112.
© 2016 FireEye
661
CLI Reference Guide
PART III: Commands
fenet update appliance guest-image install Installs the downloaded guest image on a VX Series node in an MVX cluster. This command should only be used for VX Series appliances, as described in the Threat Management Platform Administration Guide.
Syntax fenet update appliance applianceName guest-image install
Parameters applianceName
The name of the VX Series appliance to be updated.
Example The following example installs the downloaded guest images on the vx-2 node:
cm-1 (config) # fenet update appliance vx-2 guest-image install
appliance update for vx-2 success, update started
Run 'show fenet update status appliance vx-2' for status
User Role Admin or Operator
Command Mode Configuration
Release Information This command was introduced as follows: CM Series: Release 7.9.0
Related Commands For a list of related commands, see: MVX Appliance Command Family on page 112
fenet update appliance guest-image resume Resumes a suspended guest image update on a VX Series node in an MVX cluster. This command should only be used for VX Series appliances, as described in the Threat Management Platform Administration Guide.
Syntax fenet update appliance applianceName guest-image resume
Parameters applianceName
The name of the VX Series appliance being updated.
User Role Admin or Operator
Command Mode Configuration
Release Information This command was introduced as follows: CM Series: Release 7.9.0
Related Commands For a list of related commands, see: MVX Appliance Command Family on page 112
fenet update appliance no-reboot Upgrades the system image and guest images on a VX Series node in an MVX cluster without rebooting. This command should only be used for VX Series appliances, as described in the Threat Management Platform Administration Guide.
Syntax fenet update appliance applianceName no-reboot
Parameters applianceName
The name of the VX Series appliance to upgrade.
User Role Admin or Operator
Command Mode Configuration
Release Information This command was introduced as follows: CM Series: Release 7.9.0
Related Commands For a list of related commands, see: MVX Appliance Command Family on page 112
fenet update appliance resume Resumes a suspended upgrade on a VX Series node in an MVX cluster. This command should only be used for VX Series appliances, as described in the Threat Management Platform Administration Guide.
Syntax fenet update appliance applianceName resume
Parameters applianceName
The name of the VX Series appliance being upgraded.
Example The following example resumes an upgrade on the vx-2 node:
cm-1 (config) # fenet update appliance vx-2 resume
appliance resume for vx-2: success, operation initiated
Run 'show fenet update status appliance vx-2' for status
User Role Admin or Operator
Command Mode Configuration
Release Information This command was introduced as follows: CM Series: Release 7.9.0
Related Commands For a list of related commands, see: MVX Appliance Command Family on page 112
fenet update appliance suspend Suspends the update of system image and guest images on a VX Series node in an MVX cluster. This command should only be used for VX Series appliances, as described in the Threat Management Platform Administration Guide.
Syntax fenet update appliance applianceName suspend
Parameters applianceName
The name of the appliance being updated.
Example The following example suspends the update on the vx-2 node. In this example, the guest images download operation was in progress.
cm-1 (config) # fenet update appliance vx-2 suspend
appliance suspend for vx-2: success, operation initiated
Run 'show fenet update status appliance vx-2' for status
cm-1 (config) # show fenet update status appliance vx-2
Appliance Update Status:
Appliance: vx-2
Status: suspend
...
User Role Admin or Operator
Command Mode Configuration
Release Information This command was introduced as follows: CM Series: Release 7.9.0
Related Commands For a list of related commands, see: MVX Appliance Command Family on page 112
fenet update appliance system-image Installs the latest version of the system image on a VX Series node in an MVX cluster and then reboots. This command should only be used for VX Series appliances, as described in the Threat Management Platform Administration Guide.
Syntax fenet update appliance applianceName system-image
Parameters applianceName
The name of the VX Series appliance to upgrade.
User Role Admin or Operator
Command Mode Configuration
Release Information This command was introduced as follows: CM Series: Release 7.9.0
Related Commands For a list of related commands, see: MVX Appliance Command Family on page 112
fenet update appliance system-image no-reboot Updates the system image on the specified VX Series node in an MVX cluster without rebooting. This command should only be used for VX Series appliances, as described in the Threat Management Platform Administration Guide.
Syntax fenet update appliance applianceName system-image no-reboot
Parameters applianceName
The name of the appliance being updated.
User Role Admin or Operator
Command Mode Configuration
Release Information This command was introduced as follows: CM Series: Release 7.9.0
Related Commands For a list of related commands, see: MVX Appliance Command Family on page 112
fenet update appliance system-image reboot Updates the system image for the specified VX Series node in an MVX cluster and then reboots the node. This command should only be used for VX Series appliances, as described in the Threat Management Platform Administration Guide.
Syntax fenet update appliance applianceName system-image reboot
Parameters applianceName
The name of the VX Series appliance to upgrade.
User Role Admin or Operator
Command Mode Configuration
Release Information This command was introduced as follows: CM Series: Release 7.9.0
Related Commands For a list of related commands, see: MVX Appliance Command Family on page 112
fenet update appliance system-image version Upgrades a VX Series node in an MVX cluster with the specified version of the system image. This command should only be used for VX Series appliances, as described in the Threat Management Platform Administration Guide.
Syntax fenet update appliance applianceName system-image version version
Parameters applianceName
The name of the VX Series appliance.
version
The system image version to install.
User Role Admin or Operator
Command Mode Configuration
Release Information This command was introduced as follows: CM Series: Release 7.9.0
Related Commands For a list of related commands, see: MVX Appliance Command Family on page 112
fenet update appliance version Installs a specific version of the system image on a VX Series node in an MVX cluster. This command should only be used for VX Series appliances, as described in the Threat Management Platform Administration Guide.
Syntax fenet update appliance applianceName version version
Parameters applianceName
The name of the VX Series appliance to upgrade.
version
The system image version.
User Role Admin or Operator
Command Mode Configuration
Release Information This command was introduced as follows: CM Series: Release 7.9.0
Related Commands For a list of related commands, see: MVX Appliance Command Family on page 112
fenet update cluster Upgrades both the system image and guest images on all nodes in an MVX cluster.
Syntax fenet update cluster clusterName
Parameters clusterName
The name of the cluster to upgrade.
Example The following example shows a full upgrade on Cluster-Acme. In the example, the system image tasks are complete on vx-2, which is now downloading guest images, while vx-1 is still on its first task.
cm-1 (config) # fenet update cluster Cluster-Acme
cluster update for Cluster-Acme: success, update started
Run 'show fenet update status cluster Cluster-Acme' for status
cm-1 (config) # show fenet update status cluster Cluster-Acme
Cluster Update Status:
Cluster: Cluster-Acme
Status: in-progress
Current operation: image-gi-update
Current task: gi-download
Percent done: 35.07 %
Start time: 2016/07/15 20:23:23.480
End time: ********
  Node: vx-2
  Status: in-progress
  Percent done: 56.14 %
    Task (01/10): image-check
    Status: complete
    Percent done: 100.00 %
    Task (02/10): gi-check
    Status: complete
    Percent done: 100.00 %
    Task (03/10): image-fetch
    Status: complete
    Percent: 100.00 %
    Task (04/10): image-install
    Status: complete
    Percent done: 100.00 %
    Task (05/10): image-rename
    Status: complete
    Percent done: 100.00 %
    Task (06/10): image-boot-next
    Status: complete
    Percent done: 100.00 %
    Task (07/10): gi-download
    Status: in-progress
    Percent done: 56.19 %
  Node: vx-1
  Status: in-progress
  Percent done: 14.00 %
    Task (01/10): image-check
    ...
User Role Admin or Operator
Command Mode Configuration
Release Information This command was introduced as follows: CM Series: Release 7.9.0
Related Commands For a list of related commands, see: MVX Cluster Command Family on page 113.
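The status display printed by show fenet update status (shown in the fenet update cluster example above, and in abbreviated form in the fenet update appliance suspend example) is what an operator polls while an MVX upgrade runs. The following Python is an added example, not FireEye code: it parses that display into per-cluster, per-node and per-task records and picks the next CLI command to issue. The field names are the ones the examples on this page print; the sample text is constructed from those fragments (vx-1 is shown suspended, which the guide's own example does not), and the rule in suggest_command (resume a suspended node, otherwise keep polling) is this example's assumption, not a rule from the guide.

```python
"""Parse `show fenet update status cluster <name>` output (format as in the
fenet update cluster examples) and decide what to issue next. Added example,
not FireEye code: field names come from this guide's examples, the sample
text is constructed, and the resume policy in suggest_command is assumed."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional
# Constructed sample: the Cluster-Acme example, with vx-1 shown suspended.
SAMPLE_STATUS = """\
Cluster Update Status:
Cluster: Cluster-Acme
Status: in-progress
Current operation: image-gi-update
Current task: gi-download
Percent done: 35.07 %
Node: vx-2
Status: in-progress
Percent done: 56.14 %
Task (03/10): image-fetch
Status: complete
Percent: 100.00 %
Task (07/10): gi-download
Status: in-progress
Percent done: 56.19 %
Node: vx-1
Status: suspend
Percent done: 14.00 %
Task (02/10): gi-check
Status: suspend
Percent done: 12.50 %
"""

@dataclass
class TaskStatus:
    index: int
    total: int
    name: str
    status: str = ""
    percent: float = 0.0

@dataclass
class NodeStatus:
    name: str
    status: str = ""
    percent: float = 0.0
    tasks: List[TaskStatus] = field(default_factory=list)

@dataclass
class ClusterStatus:
    cluster: str = ""
    status: str = ""
    operation: str = ""
    task: str = ""
    percent: float = 0.0
    nodes: List[NodeStatus] = field(default_factory=list)

_TASK_RE = re.compile(r"^Task \((\d+)/(\d+)\):\s*(\S+)")
_PCT_RE = re.compile(r"^Percent(?: done)?:\s*([\d.]+)\s*%")  # both spellings appear

def parse_update_status(text: str) -> ClusterStatus:
    # 'Status:' and 'Percent' lines belong to the innermost open scope:
    # the current Task if one is open, else the current Node, else the cluster.
    cs = ClusterStatus()
    node = task = None
    for raw in text.splitlines():
        line = raw.strip()
        task_m, pct_m = _TASK_RE.match(line), _PCT_RE.match(line)
        if line.startswith("Cluster:"):
            cs.cluster = line.split(":", 1)[1].strip()
        elif line.startswith("Current operation:"):
            cs.operation = line.split(":", 1)[1].strip()
        elif line.startswith("Current task:"):
            cs.task = line.split(":", 1)[1].strip()
        elif line.startswith("Node:"):
            node = NodeStatus(line.split(":", 1)[1].strip())
            cs.nodes.append(node)
            task = None  # a new Node closes the previous Task scope
        elif task_m:
            if node is None:
                raise ValueError("Task line before any Node line")
            task = TaskStatus(int(task_m.group(1)), int(task_m.group(2)), task_m.group(3))
            node.tasks.append(task)
        elif line.startswith("Status:"):
            (task or node or cs).status = line.split(":", 1)[1].strip()
        elif pct_m:
            (task or node or cs).percent = float(pct_m.group(1))
    return cs

def current_tasks(cs: ClusterStatus) -> Dict[str, str]:
    """Node -> the task it is executing right now (status in-progress)."""
    return {n.name: f"{t.name} ({t.index}/{t.total})"
            for n in cs.nodes for t in n.tasks if t.status == "in-progress"}

def suggest_command(cs: ClusterStatus) -> Optional[str]:
    # Assumed policy: resume a suspended node with the per-appliance resume
    # command; otherwise poll again; nothing to do once the cluster is complete.
    if cs.status == "complete":
        return None
    suspended = [n.name for n in cs.nodes if n.status == "suspend"]
    if suspended:
        return f"fenet update appliance {suspended[0]} resume"
    return f"show fenet update status cluster {cs.cluster}"
```

Feed it the text captured from the CM CLI session (for example over SSH) and act on suggest_command; the parser tolerates both the "Percent done:" and "Percent:" spellings that the guide's own output shows, and it raises rather than guessing if a Task line appears before any Node line.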
fenet update cluster cancel Cancels a full upgrade on an MVX cluster.
Syntax fenet update cluster clusterName cancel
Parameters clusterName
The name of the cluster.
User Role Admin or Operator
Command Mode Configuration
Release Information This command was introduced as follows: CM Series: Release 7.9.0
Related Commands For a list of related commands, see: MVX Cluster Command Family on page 113.
fenet update cluster guest-image Upgrades the guest image on the specified MVX cluster.
Syntax fenet update cluster clusterName guest-image
Parameters clusterName
The name of the cluster.
User Role Admin or Operator
Command Mode Configuration
Release Information This command was introduced as follows: CM Series: Release 7.9.0
Related Commands For a list of related commands, see: MVX Cluster Command Family on page 113.
fenet update cluster guest-image cancel Cancels a guest images download on an MVX cluster.
Syntax fenet update cluster clusterName guest-image cancel
Parameters clusterName
The name of the cluster being upgraded.
Example The following example cancels the guest images download on Cluster-Acme:
cm-1 (config) # fenet update cluster Cluster-Acme guest-image cancel
User Role Admin or Operator
Command Mode Configuration
Release Information This command was introduced as follows: CM Series: Release 7.9.0
Related Commands For a list of related commands, see: MVX Cluster Command Family on page 113.
fenet update cluster guest-image delete Deletes guest images from all nodes in an MVX cluster.
Syntax fenet update cluster clusterName guest-image delete
Parameters clusterName
The name of the cluster.
Example The following example deletes the guest images from Cluster-Acme.
cm-hostname (config) # fenet update cluster Cluster-Acme guest-image delete
cluster update for Cluster-Acme: update started: success
Run 'show fenet update status cluster Cluster-Acme' for status
User Role Admin or Operator
Command Mode Configuration
Release Information This command was introduced as follows: CM Series: Release 7.9.0
Related Commands For a list of related commands, see: MVX Cluster Command Family on page 113.
fenet update cluster guest-image download Downloads guest images to all nodes in an MVX cluster.
Syntax fenet update cluster clusterName guest-image download
Parameters clusterName
The name of the cluster.
Example The following example downloads guest images to all nodes of Cluster-Acme.
cm-1 (config) # fenet update cluster Cluster-Acme guest-image download
cluster update for Cluster-Acme success, update started
Run 'show fenet update status cluster Cluster-Acme' for status
User Role Admin or Operator
Command Mode Configuration
Release Information This command was introduced as follows: CM Series: Release 7.9.0
Related Commands For a list of related commands, see: MVX Cluster Command Family on page 113.
fenet update cluster guest-image install Installs a guest image on the specified MVX cluster.
Syntax fenet update cluster clusterName guest-image install
Parameters clusterName
The name of the cluster.
User Role Admin or Operator
Command Mode Configuration
Release Information This command was introduced as follows: CM Series: Release 7.9.0
Related Commands For a list of related commands, see: MVX Cluster Command Family on page 113.
fenet update cluster guest-image resume Resumes a suspended upgrade of the guest image on the specified MVX cluster.
Syntax fenet update cluster clusterName guest-image resume
Parameters clusterName
The name of the cluster.
User Role Admin or Operator
Command Mode Configuration
Release Information This command was introduced as follows: CM Series: Release 7.9.0
Related Commands For a list of related commands, see: MVX Cluster Command Family on page 113.
fenet update cluster no-reboot Upgrades the system image and guest image on the specified MVX cluster without rebooting.
Syntax fenet update cluster clusterName no-reboot
Parameters clusterName
The name of the cluster.
User Role Admin or Operator
Command Mode Configuration
Release Information This command was introduced as follows: CM Series: Release 7.9.0
Related Commands For a list of related commands, see: MVX Cluster Command Family on page 113.
fenet update cluster resume Resumes a suspended MVX cluster upgrade.
Syntax fenet update cluster clusterName resume
Parameters clusterName
The name of the cluster.
User Role Admin or Operator
Command Mode Configuration
Release Information This command was introduced as follows: CM Series: Release 7.9.0
Related Commands For a list of related commands, see: MVX Cluster Command Family on page 113.
fenet update cluster suspend Suspends the MVX cluster upgrade.
Syntax fenet update cluster clusterName suspend
Parameters clusterName
The name of the cluster.
User Role Admin or Operator
Command Mode Configuration
Release Information This command was introduced as follows: CM Series: Release 7.9.0
Related Commands For a list of related commands, see: MVX Cluster Command Family on page 113.
fenet update cluster system-image no-reboot Upgrades the system image on the specified MVX cluster without rebooting.
Syntax fenet update cluster clusterName system-image no-reboot
Parameters clusterName
The name of the cluster.
User Role Admin or Operator
Command Mode Configuration
Release Information This command was introduced as follows: CM Series: Release 7.9.0
Related Commands For a list of related commands, see: MVX Cluster Command Family on page 113.
fenet update cluster system-image reboot Installs the latest version of the system image on the specified MVX cluster and then reboots the nodes.
Syntax fenet update cluster clusterName system-image reboot
Parameters clusterName
The name of the cluster to upgrade.
User Role Admin or Operator
Command Mode Configuration
Release Information This command was introduced as follows: CM Series: Release 7.9.0
Related Commands For a list of related commands, see: MVX Cluster Command Family on page 113.
fenet update cluster system-image version Installs a specific version of the system image on the MVX cluster.
Syntax fenet update cluster clusterName system-image version version
Parameters clusterName
The name of the cluster.
version
System image version number.
User Role Admin or Operator
Command Mode Configuration
Release Information This command was introduced as follows: CM Series: Release 7.9.0
Related Commands For a list of related commands, see: MVX Cluster Command Family on page 113.
fenet update cluster system-image Installs the latest version of the system image on the MVX cluster and then reboots the system.
Syntax fenet update cluster clusterName system-image
Parameters clusterName
The name of the cluster to upgrade.
Example The following example shows a system image upgrade on Cluster-Acme. In the example, the image-check and image-fetch tasks are complete on both nodes, and the image-install task is in progress on vx-2.
cm-1 (config) # fenet update cluster Cluster-Acme system-image
cluster update for Cluster-Acme: update started: success
Run 'show fenet update status cluster Cluster-Acme' for status
cm-1 (config) # show fenet update status cluster Cluster-Acme
Cluster Update Status:
Cluster: Cluster-Acme
Status: in-progress
Current operation: image-update
Current task: image-install
Percent done: 19.28 %
Start time: 2016/07/18 18:58:33.168
End time: ********
  Node: vx-2
  Status: in-progress
  Percent done: 23.56 %
    Task (01/07): image-check
    Status: complete
    Percent done: 100.00 %
    Task (02/07): image-fetch
    Status: complete
    Percent: 100.00 %
    Task (03/07): image-install
    Status: in-progress
    Percent done: 42.82 %
  Node: vx-1
  Status: in-progress
  ...
User Role Admin or Operator
Command Mode Configuration
Release Information This command was introduced as follows: CM Series: Release 7.9.0
Related Commands For a list of related commands, see: MVX Cluster Command Family on page 113.
fenet update cluster version Installs a specific version of the system image on the MVX cluster.
Syntax fenet update cluster clusterName version version
Parameters clusterName
The name of the cluster.
version
System image version number.
User Role Admin or Operator
Command Mode Configuration
Release Information This command was introduced as follows: CM Series: Release 7.9.0
Related Commands For a list of related commands, see: MVX Cluster Command Family on page 113.
fenet update config task parallel-execution Enables parallel execution of a configuration task on all nodes in an MVX cluster.
Syntax fenet update config task task parallel-execution
[no] fenet update config task task parallel-execution
Parameters no
Use the no form of this command to stop parallel execution of the specified task.
task
The name of the configuration task (for example, image-boot-next or image-fetch).
Example The following example enables parallel execution for the image-boot-next task.
cm-1 (config) # fenet update config task image-boot-next parallel-execution
cm-1 (config) # show fenet update config
Update Config:
...
Task: image-boot-next
Timeout: 300
Max retry: 2
Parallel exec: yes
...
The following example restores the default setting for the image-fetch task.
cm-1 (config) # no fenet update config task image-fetch parallel-execution
User Role Admin or Operator
Command Mode Configuration
Release Information This command was introduced as follows: CM Series: Release 7.9.0
Related Commands fenet update config task retry on page 692
fenet update config task timeout on page 694
fenet update config task retry Specifies the maximum number of times to retry a configuration task.
Syntax fenet update config task task retry number
[no] fenet update config task task retry
Parameters no
Use the no form of this command to reset the retry count to 2 (the default).
task
The name of the configuration task.
number
The number of times (1-5) a failed task is tried again.
Example The following example changes the number of retries for the gi-install task to 3:
cm-1 (config) # fenet update config task gi-install retry 3
cm-1 (config) # show fenet update config
Update Config:
...
Task: gi-install
Timeout: 600
Max retry: 3
Parallel exec: no
...
User Role Admin or Operator
Command Mode Configuration
Release Information This command was introduced as follows: CM Series: Release 7.9.0
Related Commands fenet update config task parallel-execution on page 690
fenet update config task timeout on page 694
fenet update config task timeout Configures the timeout setting for configuration tasks.
Syntax fenet update config task task timeout seconds
[no] fenet update config task task timeout
Parameters task
The name of the task.
seconds
The number of seconds (1–86400) before the task times out.
no
Use the no form of this command to reset the timeout for the specified task to the default value.
Description For details about upgrading system and guest images, see the Threat Management Platform Administration Guide.
Example The following example changes the image-check timeout to 45 seconds.
cm-1 (config) # fenet update config task image-check timeout 45
cm-1 (config) # show fenet update config
Update Config:
...
Task: image-check
Timeout: 45
Max retry: 2
Parallel exec: yes
...
User Role Admin or Operator
Command Mode Configuration
Release Information This command was introduced as follows: CM Series: Release 7.9.0
Related Commands fenet update config task parallel-execution on page 690 fenet update config task retry on page 692
fenet user Description Configures the username and password used to authenticate to the FireEye DTI network service. This command was deprecated in Release 7.5.0 for the NX Series appliance and the CM Series platform, in Release 7.6.0 for the EX Series and NX Series appliance, and in Release 7.7.0 for the AX Series and FX Series appliances. It is replaced by the fenet dti source type command.
Syntax fenet user username password password
Parameters username
Username of the DTI network services user.
password
Password for the specified user.
Example The following example creates the user "mary" with the password "1AmB234Z":
hostname (config) # fenet user mary password 1AmB234Z
fenotify default timezone Description Alert notifications are time stamped in UTC by default; use this command to switch the time stamp to ISO 8601 UTC or to the appliance's local time zone.
Syntax [no] fenotify default timezone {utc | localtime | utc_iso}
Parameters utc
Configure Coordinated Universal Time (UTC), the primary time standard by which the world regulates clocks and time.
localtime
Configure the local time zone for time stamps.
utc_iso
Configure ISO 8601 format for time stamps.
Example The following example sets alert notifications to be time stamped using the local time zone.
hostname (config) # fenotify default timezone localtime
fenotify email Description Configures email notification settings. This command is available for the Web MPS, File MPS, MAS, and Email MPS. The alert option is available for the Web MPS only. Use the no form of this command to disable notifications or the notification configuration.
Syntax fenotify email {alert | default | domain | enable | mailhub | recipient | return | send-test}
[no] fenotify {email | http | rsyslog | snmp} enable
fenotify email alert {domain-match | infection-match | ips-event | malware-callback | malware-object | web-infection}
fenotify email default delivery delivery-method
fenotify email default format format-type
fenotify email default send-as default-send-as
fenotify email domain email-domain
fenotify email enable
fenotify email mailhub port port-number
fenotify email mailhub address ip_address
fenotify email recipient rname email-address email_address
fenotify email recipient rname prefer message delivery delivery-method
fenotify email recipient rname prefer message format format-type
fenotify email recipient rname prefer message send-as default-send-as
fenotify email recipient rname prefer notification {all-events | domain-match | infection-match | ips-event | malware-callback | malware-object | web-infection}
fenotify email recipient rname user user_name
[no] fenotify email recipient {rname {enable | prefer | user} | test {enable | prefer | user}}
fenotify email return user-name user_name
fenotify email return host_name
fenotify email send-test
[no] fenotify email event event-type
Parameters alert-type
Configures email notification events. The following alert-type options are available:
- domain-match—Enables email notifications for domain-match events.
- infection-match—Enables email notifications for infection-match events.
- ips-event—Enables email notifications for IPS events. Supported on IPS-enabled platforms only.
- malware-callback—Enables email notifications for malware-callback events.
- malware-object—Enables email notifications for malware-object events.
- web-infection—Enables email notifications for Web-infection events.
delivery-method
The following default delivery schedules are supported:
- daily-digest—Information about all events detected in the past 24 hours.
- per-event—Information about each event, sent when the event is triggered.
- daily-per-source—Information about all events detected in the past 24 hours, with one notification sent for each source IP.
- hourly-per-source—Information about all events detected in the past hour, with one notification sent for each attacker (source).
- per-1min-per-source—Information about all events detected in the past minute, with one notification sent for each source IP.
- per-5min-per-source—Information about all events detected in the past 5 minutes, with one notification sent for each source IP.
enable
Enable FireEye notifications.
format-type
Select one of the Text, JSON (JavaScript Object Notation), or XML options:
- json-concise—Sends a notification in JSON CONCISE format containing basic information such as Alert type, ID, src_IP, malware name, hostname, and Alert URL.
- json-extended—Sends a notification in JSON EXTENDED format containing detailed information and abstracts including data-theft information (if any) and static analysis details. JSON Extended provides all details about files and objects modified during analysis.
- json-normal—Sends a notification in JSON NORMAL format containing detailed information and abstracts such as Alert type, ID, src_IP, malware name, hostname, and Alert URL without any redundant information.
- text-concise—Sends a notification in TEXT CONCISE format containing basic information such as Alert type, ID, src_IP, malware name, hostname, and Alert URL.
- text-extended—Sends a notification in TEXT EXTENDED format containing detailed information and abstracts including data-theft information (if any) and static analysis details. TEXT Extended provides all details about files and objects modified during analysis.
- text-normal—Sends a notification in TEXT NORMAL format containing detailed information and abstracts such as Alert type, ID, src_IP, malware name, hostname, and Alert URL without any redundant information.
- xml-concise—Sends a notification in XML CONCISE format containing basic information such as Alert type, ID, src_IP, malware name, hostname, and Alert URL.
- xml-extended—Sends a notification in XML EXTENDED format containing detailed information and abstracts including data-theft information (if any) and static analysis details. XML Extended provides all details about files and objects modified during analysis.
- xml-normal—Sends a notification in XML NORMAL format containing detailed information and abstracts such as Alert type, ID, src_IP, malware name, hostname, and Alert URL without any redundant information.
default-send-as
The following default delivery options are supported:
- attachment—Deliver as an email attachment.
- inline—Deliver in the email body (default).
email-domain
Domain from which emails appear to come.
ip_address
Mail relay address used to send the email notifications.
port-number
Mail port used to send the email notifications.
alert-type
Type of notification:
- domain-match—Notification of domain-match events.
- infection-match—Notification of infection-match events.
- ips-event—Notification of IPS events. Supported on MVX IPS-enabled platforms only.
- malware-callback—Notification of malware callback events.
- malware-object—Notification of malware-object events.
- web-infection—Notification of Web infection events.
rname
Email notification recipient, identified by address (use enable to enable the notification consumer).
return-name
Email send information:
- host_name—Include the hostname in the return address for email notifications.
- user_name—Set the username in the return address for email notifications (default: do-not-reply).
user_name
Username of the notification recipient.
send-test
Execution of a test email notification.
trapsink-name
Specifies the trap sink server name.
Example The following example enables the sending of emailed alert notifications for malware callback events.
hostname (config) # fenotify email alert malware-callback enable
fenotify enable Description Enables FireEye notifications. This command is available for the Web MPS, MAS, and Email MPS. Use the no form of the command to disable FireEye notifications.
Syntax [no] fenotify enable
Parameters enable
Protocol for notifications (see the [no] fenotify {email | http | rsyslog | snmp} enable form under fenotify email):
- email—Enable email notifications.
- http—Enable HTTP notifications.
- rsyslog—Enable rsyslog notifications.
- snmp—Enable SNMP notifications.
Example The following example disables FireEye notifications.
hostname (config) # no fenotify enable
fenotify http alert Configures HTTP to send alert notifications. The default is disabled. This command is available on the NX Series appliance.
Syntax [no] fenotify http alert alert-type enable
Parameters no
Use the no form of the command to remove the configuration options currently set.
alert-type
Type of notification:
- domain-match—Notification of domain-match events.
- infection-match—Notification of infection-match events.
- ips-event—Notification of IPS events. Supported on IPS-enabled platforms only.
- malware-callback—Notification of malware callback events.
- malware-object—Notification of malware object events.
- web-infection—Notification of Web infection events.
Example The following example enables HTTP alerts for domain-match events:
hostname (config) # fenotify http alert domain-match enable
User Role Administrator, Operator, Analyst
Command Mode Configuration
Release Information NX Series: Before Release 6.3
Related Commands For related commands, see Event Notification Commands on page 87.
fenotify http default Updates the default configuration for HTTP notifications. The default is disabled. This command is available on the NX, AX, and EX Series appliances.
Syntax [no] fenotify http default delivery delivery-method
[no] fenotify http default format format-mode
[no] fenotify http default provider provider-type
Parameters no
Use the no form of this command to remove the configuration options currently set. delivery-method
The following default notification message formats are supported: l
daily-digest—Information about all events detected in the past 24 hours.
l
daily-per-source—Information about all events detected in the past 24 hours,
with one notification sent for each source IP. l
hourly-per-source—Information about all events detected in the past hour,
with one notification sent for each attacker (source). l
per-1min-per-source—Information about all events detected in the past minute,
with one notification sent for each source IP. l
per-5min-per-source—Information about all events detected in the past 5
minutes, with one notification sent for each source IP. l
per-event—Information about each event, sent when the event is triggered.
format-mode
The following default delivery schedules are supported:
- json-concise—JSON concise
- json-extended—JSON extended
- json-normal—JSON normal
- json-legacy-concise—JSON legacy concise
- json-legacy-extended—JSON legacy extended
- json-legacy-normal—JSON legacy normal
- text-concise—Text concise
- text-extended—Text extended
- text-normal—Text normal
- xml-concise—XML concise
- xml-extended—XML extended
- xml-normal—XML normal
provider-type
Type of service provider:
- aruba—Specify Aruba as the service provider.
- default—Set the currently active service provider.
- generic—Configure a generic service provider.
Example The following example sets the default delivery option as "daily-digest":
hostname (config) # fenotify http default delivery daily-digest
User Role Administrator, Operator, Analyst
Command Mode Configuration
Release Information
- AX Series: Before Release 6.3
- EX Series: Before Release 6.3
- NX Series: Before Release 6.3
Related Commands For related commands, see Event Notification Commands on page 87.
fenotify http enable Enables HTTP notifications. The default is disabled. This command is available on the NX, AX, and EX Series appliances.
Syntax [no] fenotify http enable
Parameters no
Use the no form of the command to disable HTTP notifications.
Example The following example enables HTTP notifications:
hostname (config)# fenotify http enable
User Role Administrator, Operator, Analyst
Command Mode Configuration
Release Information This command was introduced as follows:
- AX Series: Before Release 6.3
- EX Series: Before Release 6.3
- NX Series: Before Release 6.3
Related Commands For related commands, see Event Notification Commands on page 87.
fenotify http service Configures HTTP notification services. The default is disabled. This command is available on the NX, AX, and EX Series appliances.
Syntax [no] fenotify http service <service_name>
[no] fenotify http service <service_name> alerts-update enable
[no] fenotify http service <service_name> auth enable
[no] fenotify http service <service_name> auth password <password>
[no] fenotify http service <service_name> auth username <user_name>
[no] fenotify http service <service_name> enable
[no] fenotify http service <service_name> prefer message ip-version <ip-version>
[no] fenotify http service <service_name> prefer message delivery <delivery-method>
[no] fenotify http service <service_name> prefer notification <event-type>
[no] fenotify http service <service_name> provider aruba key <string>
[no] fenotify http service <service_name> provider aruba quarantine action <action>
[no] fenotify http service <service_name> provider aruba quarantine role <role_name>
[no] fenotify http service <service_name> provider default {aruba | generic}
[no] fenotify http service <service_name> provider generic message format <format-mode>
fenotify http service <service_name> server-url <url>
[no] fenotify http service <service_name> ssl enable
[no] fenotify http service <service_name> ssl verify
Parameters
no
Use the no form of this command to remove the configuration options currently set.
service_name
A convenient name (nickname) for the FireEye notification consumer of the service.
password
Password for HTTP authentication.
user_name
User name for HTTP authentication.
ip-version
Set notification preferences for IPv4 or IPv6:
- ipv4—IPv4. ipv4 is the default.
- ipv6—IPv6.
delivery-method
The following delivery schedules are supported:
- daily-digest—Information about all events detected in the past 24 hours.
- daily-per-source—Information about all events detected in the past 24 hours, with one notification sent for each source IP.
- hourly-per-source—Information about all events detected in the past hour, with one notification sent for each attacker (source).
- per-1min-per-source—Information about all events detected in the past minute, with one notification sent for each source IP.
- per-5min-per-source—Information about all events detected in the past 5 minutes, with one notification sent for each source IP.
- per-event—Information about each event, sent when the event is triggered.
event-type
Configure notifications for a specific class of alerts:
- all-events—All events
- malware-object—Malware object
- domain-match—Domain match
- infection-match—Infection match
- web-infection—Web infection
- malware-callback—Malware callback
- ips-event—IPS event
string
Key string for the Aruba provider.
action
Quarantine action for the Aruba provider:
- blacklist—Set the action to quarantine.
- change-role—Set which role is allowed to quarantine.
role_name
Set which role is allowed to quarantine for Aruba.
aruba
Specify Aruba as the service provider.
generic
Configure a generic service provider.
format-mode
The following default delivery formats are supported:
- json-concise—JSON concise
- json-extended—JSON extended
- json-normal—JSON normal
- json-legacy-concise—JSON legacy concise
- json-legacy-extended—JSON legacy extended
- json-legacy-normal—JSON legacy normal
- text-concise—Text concise
- text-extended—Text extended
- text-normal—Text normal
- xml-concise—XML concise
- xml-extended—XML extended
- xml-normal—XML normal
url
Service URL for the notification server.
ssl {enable | verify}
SSL settings for the HTTP notification server.
Example The following example enables the FireEye notification consumer:
hostname (config) # fenotify http service test enable
User Role Administrator, Operator, Analyst
Command Mode Configuration
Release Information
- AX Series: Before Release 6.3
- EX Series: Before Release 6.3
- NX Series: Before Release 6.3
Related Commands For related commands, see Event Notification Commands on page 87.
fenotify preferences alerts-update ati enable Enables Advanced Threat Intelligence (ATI) alert updates for notifications through HTTP and email protocols. When you enable ATI alert updates for notifications, notifications will be sent for events with threat intelligence on NX Series appliances. When you disable ATI alert updates for notifications, notifications will not be sent for events with threat intelligence on NX Series appliances. When ATI alert updates are enabled, notifications will not be sent for alerts with threat intelligence that were detected more than 90 days ago. If multiple alerts match the same ATI event triggered on the appliance, notifications will be sent only for the first three alerts per day. For detailed information about ATI, refer to the NX Series User Guide.
Syntax [no] fenotify preferences alerts-update ati enable
Parameters no
Use the no form of this command to disable ATI alert updates for notifications.
Example The following example enables ATI alert update settings for notifications:
hostname (config) # fenotify preferences alerts-update ati enable
User Role Administrator and Operator
Command Mode Configuration
Release Information This command was introduced as follows:
- NX Series: Release 7.7
- CM Series: Release 7.7
Related Commands For a list of related commands, see Event Notification Commands on page 87.
fenotify preferences bbp enable Use this command to enable or disable the block-by-proxy feature. This feature allows you to receive both FireEye detection results and the actions taken by Web proxy appliances on the network.
Syntax [no] fenotify preferences bbp enable
Parameters no
Use the no form of this command to disable the block by proxy feature.
Example The following example enables the block by proxy feature:
hostname (config) # fenotify preferences bbp enable
User Role Administrator and operator
Command Mode Configuration
Release Information This command was introduced as follows:
- CM Series: Release 7.9.1
- NX Series: Release 7.9.1
Related Commands For a list of related commands, see: Block by Proxy Commands on page 64.
fenotify preferences bbp max-time-wait Use this command to set the maximum amount of time the appliance will wait for a notification from a Web proxy appliance before sending a detection alert. The block by proxy feature allows you to receive both FireEye detection results and the actions taken by Web proxy appliances on the network. This delay is required so that the system has time to receive Web proxy alerts and correlate these alerts to the FireEye detection alerts. By default, the delay is 10 seconds.
Syntax fenotify preferences bbp max-time-wait <seconds>
Parameters
seconds
The maximum number of seconds for the system to wait for notification from the Web proxy device. Range: 1–99. Default: 10.
Example The following example enables the block by proxy feature:
hostname (config) # fenotify preferences bbp enable
User Role Administrator and operator
Command Mode Configuration
Release Information This command was introduced as follows:
- CM Series: Release 7.9.1
- NX Series: Release 7.9.1
Related Commands For a list of related commands, see: Block by Proxy Commands on page 64.
fenotify preferences bbp subject-desc Use this command to set or remove the blocked-by-proxy notification subject lines. The blocked-by-proxy feature allows you to receive both FireEye detection results and the actions taken by Web proxy appliances on the network. You can create custom notification alert subject lines for both blocked and non-blocked actions taken by the Web proxy. This allows you to more quickly see alerts that include Web proxy detections correlated with the FireEye detection alerts.
Syntax fenotify preferences bbp subject-desc {blocked | not-blocked}
no fenotify preferences bbp subject-desc {blocked | not-blocked}
Parameters
blocked
The email subject line for blocking action taken by the Web proxy. If this message includes multiple words, enclose the message within double quotation marks.
not-blocked
The email subject line for non-blocking action taken by the Web proxy. If this message includes multiple words, enclose the message within double quotation marks.
no
Use the no form of this command to disable the block by proxy feature.
Example The following example sets the blocked Web proxy detection notification subject line to "blocked by Web proxy":
hostname (config) # fenotify preferences bbp subject-desc blocked "blocked by Web proxy"
The following example removes the custom message from non-blocked Web proxy detection notifications:
hostname (config) # no fenotify preferences bbp subject-desc non-blocked
User Role Administrator and operator
Command Mode Configuration
Release Information This command was introduced as follows:
- CM Series: Release 7.9.1
- NX Series: Release 7.9.1
Related Commands For a list of related commands, see: Block by Proxy Commands on page 64.
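The hold-and-correlate behaviour that max-time-wait and subject-desc describe, as an added example that is not part of this guide or the appliance's code: a simulated correlator holds each FireEye detection for up to max-time-wait seconds and, if a Web proxy notification for the same client and URL arrives in that window, sends it with the configured blocked or not-blocked subject line. The client IP plus URL match key, the Detection and ProxyNotice records and the not-blocked subject text are assumptions made for the example.

```python
# Added example, not from the FireEye guide: a simulated block-by-proxy
# correlator following the behaviour described for
# "fenotify preferences bbp max-time-wait" and "bbp subject-desc".
# A FireEye detection is held for up to MAX_TIME_WAIT seconds; if a Web
# proxy notification for the same client and URL arrives in that window,
# the alert goes out with the "blocked" or "not-blocked" subject line,
# otherwise it goes out alone when the window expires.
# Time is passed in explicitly so the script runs offline and deterministically.
from dataclasses import dataclass, field

MAX_TIME_WAIT = 10  # seconds; the guide's default (range 1-99)

# Subject lines as set with "fenotify preferences bbp subject-desc".
SUBJECT_DESC = {
    "blocked": "blocked by Web proxy",          # value from the guide's example
    "not-blocked": "not blocked by Web proxy",  # constructed for this example
}


@dataclass
class Detection:
    client_ip: str
    url: str
    t: float   # detection time in seconds
    name: str  # alert type, e.g. malware-object


@dataclass
class ProxyNotice:
    client_ip: str
    url: str
    t: float
    blocked: bool


@dataclass
class Correlator:
    max_wait: float = MAX_TIME_WAIT
    pending: dict = field(default_factory=dict)  # (client_ip, url) -> Detection
    sent: list = field(default_factory=list)     # (alert name, subject line)

    def on_detection(self, d: Detection) -> None:
        # Hold the alert instead of sending it immediately (assumed match key:
        # client IP plus URL; the appliance's real key is not documented here).
        self.pending[(d.client_ip, d.url)] = d

    def on_proxy(self, p: ProxyNotice):
        """Correlate a proxy notice; returns the subject used, or None if unmatched."""
        d = self.pending.pop((p.client_ip, p.url), None)
        if d is None:
            return None
        subject = SUBJECT_DESC["blocked" if p.blocked else "not-blocked"]
        self._emit(d, subject)
        return subject

    def tick(self, now: float) -> int:
        """Release detections whose wait window has expired; returns how many."""
        expired = [k for k, d in self.pending.items() if now - d.t >= self.max_wait]
        for k in expired:
            self._emit(self.pending.pop(k), None)
        return len(expired)

    def _emit(self, d: Detection, subject):
        # Without proxy feedback the plain FireEye subject is used (constructed text).
        self.sent.append((d.name, subject or f"FireEye alert: {d.name}"))


def run_scenario() -> list:
    """Two detections: one confirmed blocked by the proxy, one that times out."""
    c = Correlator()
    c.on_detection(Detection("10.1.1.5", "http://example.test/a", 100.0, "malware-object"))
    c.on_detection(Detection("10.1.1.6", "http://example.test/b", 101.0, "malware-callback"))
    c.on_proxy(ProxyNotice("10.1.1.5", "http://example.test/a", 103.0, True))
    c.tick(105.0)  # 4 s since the second detection: still waiting
    c.tick(112.0)  # 11 s: window exceeded, alert sent without proxy data
    return c.sent


if __name__ == "__main__":
    for name, subject in run_scenario():
        print(f"{name}: {subject}")
```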
fenotify preferences ips-delivery-mode To configure when IPS event notifications are delivered, use the fenotify preferences ips-delivery-mode command in configuration mode. This command applies only to IPS-enabled platforms on which you have enabled IPS event notifications services and configured IPS event notification methods.
Syntax fenotify preferences ips-delivery-mode <mode>
User Role Admin or Operator
Release Information Command introduced in Release 7.5.0 for IPS-enabled NX Series platforms only.
Description Configures when IPS event notifications are delivered. For more information, see the NX Series IPS Feature Guide.
Parameters
mode
Specify the delivery mode for IPS event notifications:
- instant—Send only when an IPS event is detected. This is the default value.
- confirmation—Send only when an attack has been confirmed (either positive or negative).
- dual—Send both when an IPS event is detected and when an attack has been confirmed.
By default, the system is configured to use instant delivery mode, which is useful in an organization that archives notifications and then filters and analyzes the information later. When you first activate IPS features, we recommend that you use dual mode so that you see both detection and confirmation of IPS events. If your organization does not archive the volume of notifications generated in this mode, you can decrease the volume of notifications by using confirmation mode.
Example
hostname (config) # fenotify preferences ips dual
fenotify preferences json Displays whether OS changes are included in JSON notifications for duplicate alerts.
Syntax show fenotify preferences json
Parameters None
Example The following example displays whether OS changes are included in JSON notifications for duplicate alerts:
hostname # show fenotify preferences json
JSON Related Notification Settings:
===================================================
Include Original OS-changes for duplicate-alert: yes
===================================================
User Role Administrator or Operator
Command Mode Enabled
Release Information This command was introduced as follows:
- CM Series: Release 7.9.2
- EX Series: Release 7.9.0
- NX Series: Release 7.9.2
Related Commands For a list of related commands, see Event Notification Commands on page 87.
fenotify preferences normalize-ips-event enable By default, alert notifications use src/smac/sport for the network traffic source and use dst/dmac/dport as the network traffic destination. This command changes alert notifications to use src/smac/sport as the network traffic destination (victim) and use dst/dmac/dport as the network traffic source (attacker). This command affects all notification data formats. This command applies only to IPS-enabled platforms (NX and CM Series).
Syntax [no] fenotify preferences normalize-ips-event enable
Parameters no
Use the no form of this command to change alert notifications to use src/smac/sport as the network traffic destination (victim) and use dst/dmac/dport as the network traffic source (attacker).
Example The following example returns alert notifications to the default, using src/smac/sport for the network traffic source and using dst/dmac/dport as the network traffic destination:
hostname (config) # fenotify preferences normalize-ips-event enable
User Role Administrator and Operator
Command Mode Configuration
Release Information This command was introduced as follows:
- NX Series: Release 7.8
- CM Series: Release 7.8
Related Commands For a list of related commands, see Event Notification Commands on page 87.
fenotify preferences process-order Use this command to manage the notifications processing order. By default, the last received notification is processed first.
Syntax fenotify preferences process-order <process>
Parameters
process
The order to process notifications. The following processing orders are available:
- LIFO—Last In, First Out (default). Notifications are processed from last received to first received.
- FIFO—First In, First Out. Notifications are processed from first received to last received.
Example The following example sets the processing order from first received to last received:
hostname (config) # fenotify preferences process-order FIFO
User Role Administrator
Command Mode Configuration
Release Information EX Series: Release 7.8.2
fenotify preferences rsyslog-strip-lnfb enable To configure whether to send notifications all in one line or line by line to a remote syslog server, use the fenotify preferences rsyslog-strip-lnfb enable command in configuration mode. The no form of this command sends rsyslog notifications as line-by-line feedback. This command removes embedded line feeds within a CEF message, not the line feed at the end. Related commands: fenotify rsyslog, show fenotify preferences
Syntax fenotify preferences rsyslog-strip-lnfb enable
[no] fenotify preferences rsyslog-strip-lnfb enable
User Role Admin or Operator
Release Information Command was introduced in Release 7.5.0.
Parameters None
Description You can configure whether to send rsyslog notifications all in one line or line by line. The default is everything in one line for line feedback. You can switch to line by line feedback.
Example The following example configures sending rsyslog notifications with everything in one line:
hostname (config) # fenotify preferences rsyslog-strip-lnfb enable
The following example configures sending rsyslog notifications as line-by-line feedback:
hostname (config) # no fenotify preferences rsyslog-strip-lnfb enable
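The effect of rsyslog-strip-lnfb on a CEF notification, as an added example that is not part of this guide: a CEF record with a line feed embedded in an extension value (constructed, with plausible but assumed header fields and keys) is fed to a line-oriented syslog receiver with and without the strip, and a small CEF parser, the example's own rather than the appliance's code, shows which fields survive each way.

```python
# Added example, not from the FireEye guide: the effect of
# "fenotify preferences rsyslog-strip-lnfb enable" on a CEF notification as
# seen by a line-oriented syslog receiver, plus a small CEF parser (the
# example's own, not the appliance's code) to show which fields survive.
import re

# Constructed CEF record with a line feed embedded in the msg= extension.
# Header fields and extension keys are plausible but assumed, not captured
# from a real appliance.
RAW_CEF = (
    "CEF:0|FireEye|NX|7.9.1|MO|malware-object|8|"
    "src=10.1.1.5 dst=203.0.113.7 spt=49152 dpt=80 "
    "msg=analysis summary line 1\nsummary line 2 cs1Label=alertId cs1=1001\n"
)


def strip_embedded_linefeeds(msg: str, replacement: str = " ") -> str:
    """Remove LF/CRLF inside the record but keep the terminating line feed,
    which is what the guide says the strip-lnfb setting does."""
    trailing = "\n" if msg.endswith("\n") else ""
    body = msg[:-1] if trailing else msg
    return re.sub(r"\r?\n", replacement, body) + trailing


def syslog_records(stream: str) -> list:
    """A line-oriented receiver: every line becomes its own record."""
    return [line for line in stream.split("\n") if line]


def parse_cef(record: str) -> dict:
    """Parse one CEF record: seven pipe-separated header fields (with \\|
    escapes) followed by key=value extensions. Returns {} if the record
    does not carry a complete CEF header."""
    if not record.startswith("CEF:"):
        return {}
    parts = re.split(r"(?<!\\)\|", record, maxsplit=7)  # unescaped pipes only
    if len(parts) < 8:
        return {}
    names = ["vendor", "product", "device_version", "signature_id", "name", "severity"]
    out = {"version": parts[0][len("CEF:"):]}
    out.update((n, p.replace("\\|", "|")) for n, p in zip(names, parts[1:7]))
    # An extension value runs until the next " key=" or the end of the record.
    for m in re.finditer(r"(\w+)=(.*?)(?=\s\w+=|$)", parts[7]):
        out[m.group(1)] = m.group(2)
    return out


def demo() -> tuple:
    """Returns (records parsed without strip, records parsed with strip)."""
    multi = [parse_cef(r) for r in syslog_records(RAW_CEF)]
    single = [parse_cef(r) for r in syslog_records(strip_embedded_linefeeds(RAW_CEF))]
    return multi, single


if __name__ == "__main__":
    multi, single = demo()
    print("without strip:", [sorted(r) for r in multi])  # second record is not CEF at all
    print("with strip:   ", sorted(single[0]))
```

Without the strip, the second line reaches the receiver as a record with no CEF header, so the alertId carried in cs1 is lost from the parsed alert.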
fenotify preferences sender-cpu-ratio Sets the FireEye notifications CPU-sender ratio.
Syntax fenotify preferences sender-cpu-ratio
Parameters
notification cpu-sender ratio
The range of values is 1 to 1024. When the ratio is set to 1, performance is highest but more resources are used. When the ratio is set to 1024, performance is lowest but fewer resources are used.
Example The following example sets the ratio to 4:
hostname (config) # fenotify preferences sender-cpu-ratio 4
User Role Administrator and Operator
Command Mode Configuration
Release Information This command was introduced as follows:
- NX Series: Release 7.9.2
- CM Series: Release 7.9.2
Related Commands For a list of related commands, see Event Notification Commands on page 87.
fenotify preferences support-riskware enable Enables riskware notifications through rsyslog using the transmission control protocol (TCP) and user datagram protocol (UDP). When you enable riskware notifications, notifications are sent for both riskware-object and riskware-callback events on NX Series and CM Series appliances and from security information and event management (SIEM) software products. When you disable riskware notifications, notifications are not sent for riskware-object or riskware-callback events on NX Series or CM Series appliances or from SIEM software products. The common event format (CEF), log event enhanced format (LEEF), extensible markup language (XML) and JavaScript object notation (JSON) are supported.
Syntax [no] fenotify preferences support-riskware enable
Parameters no
Use the no form of this command to disable riskware notifications.
Example The following example enables riskware notifications:
hostname (config) # fenotify preferences support-riskware enable
User Role Administrator and Operator
Command Mode Configuration
Release Information This command was introduced as follows:
- NX Series: Release 7.9.1
- CM Series: Release 7.9.1
Related Commands For a list of related commands, see Event Notification Commands on page 87.
fenotify preferences text Displays whether OS changes are included in text notifications for duplicate alerts.
Syntax show fenotify preferences text
Parameters None
Example The following example displays whether OS changes are included in text notifications for duplicate alerts:
hostname # show fenotify preferences text
text Related Notification Settings:
===================================================
Include Original OS-changes for duplicate-alert: yes
===================================================
User Role Administrator or Operator
Command Mode Enabled
Release Information This command was introduced as follows:
- CM Series: Release 7.9.2
- EX Series: Release 7.9.0
- NX Series: Release 7.9.2
Related Commands For a list of related commands, see Event Notification Commands on page 87.
fenotify preferences use-fenet-proxy enable To enable the FireEye network proxy server for HTTP notifications, use the fenotify preferences use-fenet-proxy enable command in configuration mode. The no form of this command disables the proxy server for notifications. Related commands: show fenotify preferences
Syntax fenotify preferences use-fenet-proxy enable
[no] fenotify preferences use-fenet-proxy enable
User Role Admin or Operator
Release Information Command was introduced in Release 7.5.0.
Parameters None
Description You can enable or disable the proxy server for notifications. The proxy server is referred to as the FireEye network proxy server. HTTP notifications are currently sent through the FireEye network proxy server. This is the default setting. You can disable the proxy server for outgoing HTTP notifications, such as email reports or Splunk notifications.
Example The following example enables the proxy server for notifications:
hostname (config) # fenotify preferences use-fenet-proxy enable
The following example disables the proxy server for outgoing HTTP notifications:
hostname (config) # no fenotify preferences use-fenet-proxy enable
fenotify preferences xml Displays whether OS changes are included in XML notifications for duplicate alerts.
Syntax show fenotify preferences xml
Parameters None
Example The following example displays whether OS changes are included in XML notifications for duplicate alerts:
hostname # show fenotify preferences xml
XML Related Notification Settings:
===================================================
Include Original OS-changes for duplicate-alert: yes
===================================================
User Role Administrator or Operator
Command Mode Enabled
Release Information This command was introduced as follows:
- CM Series: Release 7.9.2
- EX Series: Release 7.9.0
- NX Series: Release 7.9.2
Related Commands For a list of related commands, see Event Notification Commands on page 87.
fenotify rsyslog alert enable Enables or disables rsyslog notifications for the specified alert type. This command is available for the NX Series.
Syntax [no] fenotify rsyslog alert <alert-type> enable
Parameters
no
Use the no form of this command to disable rsyslog notifications for the specified alert type.
alert-type
Type of notification:
- all-riskware—Notification of riskware-object and riskware-callback events.
- domain-match—Notification of domain-match events.
- infection-match—Notification of infection-match events.
- ips-event—Notification of IPS events. Supported on IPS-enabled platforms only.
- malware-callback—Notification of malware-callback events.
- malware-object—Notification of malware-object events.
- riskware-callback—Notification of riskware-callback events.
- riskware-object—Notification of riskware-object events.
- web-infection—Notification of Web-infection events.
Example The following example enables rsyslog notifications for riskware-callback events:
hostname (config) # fenotify rsyslog alert riskware-callback enable
User Role Administrator and Operator
Command Mode Configuration
Release Information This command was introduced as follows:
- NX Series: Before release 7.6. The riskware-callback, riskware-object, and all-riskware options were introduced in Release 7.9.1.
Related Commands For a list of related commands, see Event Notification Commands on page 87.
fenotify rsyslog default Sets the default configuration for rsyslog notifications.
Syntax [no] fenotify rsyslog default delivery <delivery-method>
[no] fenotify rsyslog default facility <facility-type>
[no] fenotify rsyslog default format <format-type>
[no] fenotify rsyslog default send-as <send-as-type>
Parameters
no
Use the no form of this command to remove the default setting.
delivery-method
The following default delivery schedules are supported:
- per-event—Information about each event, sent when the event is triggered.
- daily-per-source—Information about all events detected in the past 24 hours, with one notification sent for each source IP.
- hourly-per-source—Information about all events detected in the past hour, with one notification sent for each attacker (source).
- per-1min-per-source—Information about all events detected in the past minute, with one notification sent for each source IP.
- per-5min-per-source—Information about all events detected in the past 5 minutes, with one notification sent for each source IP.
facility-type
Type of facility:
- local0 | local1 | local2 | local3 | local4 | local5 | local6 | local7—Facility options reserved for site-specific use.
- news—News sub-system.
- user—Regular user processes.
format-type
The following default delivery formats are supported:
- cef—Delivery in common event format (CEF).
- csv—Delivery in comma-separated values (CSV) format.
- leef—Delivery in log event enhanced format (LEEF).
Select one of the Text, JSON (JavaScript Object Notation), or XML options:
- json-concise—Sends a notification in JSON CONCISE format containing basic information such as Alert type, ID, src_IP, malware name, hostname, and Alert URL.
- json-extended—Sends a notification in JSON EXTENDED format containing detailed information and abstracts including data-theft information (if any) and static analysis details. JSON Extended provides all details about files and objects modified during analysis.
- json-normal—Sends a notification in JSON NORMAL format containing detailed information and abstracts such as Alert type, ID, src_IP, malware name, hostname, and Alert URL without any redundant information.
- json-legacy-concise—Sends a notification in JSON legacy CONCISE format containing basic information such as Alert type, ID, src_IP, malware name, hostname, and Alert URL.
- json-legacy-extended—Sends a notification in JSON legacy EXTENDED format containing detailed information and abstracts including data-theft information (if any) and static analysis details. JSON legacy Extended provides all details about files and objects modified during analysis.
- json-legacy-normal—Sends a notification in JSON legacy NORMAL format containing detailed information and abstracts such as Alert type, ID, src_IP, malware name, hostname, and Alert URL without any redundant information.
- text-concise—Sends a notification in TEXT CONCISE format containing basic information such as Alert type, ID, src_IP, malware name, hostname, and Alert URL.
- text-extended—Sends a notification in TEXT EXTENDED format containing detailed information and abstracts including data-theft information (if any) and static analysis details. TEXT Extended provides all details about files and objects modified during analysis.
- text-normal—Delivery in TEXT NORMAL format containing detailed information and abstracts such as Alert type, ID, src_IP, malware name, hostname, and Alert URL without any redundant information.
- xml-concise—Sends a notification in XML CONCISE format containing basic information such as Alert type, ID, src_IP, malware name, hostname, and Alert URL.
- xml-extended—Sends a notification in XML EXTENDED format containing detailed information and abstracts including data-theft information (if any) and static analysis details. XML Extended provides all details about files and objects modified during analysis.
- xml-normal—Sends a notification in XML NORMAL format containing detailed information and abstracts such as Alert type, ID, src_IP, malware name, hostname, and Alert URL without any redundant information.
- secureworks—Sends a notification in SecureWorks format.
send-as-type
The following options are supported:
- alert—Action must be taken immediately (severity 1).
- crit—Critical conditions (severity 2).
- debug—Debug-level messages (severity 7).
- emerg—Emergency: system is unusable (severity 0).
- error—Error conditions (severity 3).
- info—Informational messages (severity 6).
- notice—Normal but significant conditions (severity 5).
- warning—Warning conditions (severity 4).
Example The following example enables daily notification, per attacker:
hostname (config) # fenotify rsyslog default delivery daily-per-source
User Role Administrator and Operator
Command Mode Configuration
Release Information This command was introduced as follows:
- AX Series: Before release 7.6
- EX Series: Before release 7.6
- FX Series: Before release 7.6
- NX Series: Before release 7.6
Related Commands For a list of related commands, see Event Notification Commands on page 87.
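How the facility-type and send-as-type defaults above surface on the receiving syslog server, as an added example that is not part of this guide: it computes the syslog PRI value from the configured facility and send-as names using the standard RFC 3164/5424 codes, and checks a received line against the expected pair. It assumes the appliance encodes facility and severity in the standard PRI field; the hostname, timestamp and message body are constructed.

```python
# Added example, not from the FireEye guide: derives the syslog PRI that the
# "facility" and "send-as" defaults above produce and decodes it on the
# receiving side. Assumes the appliance encodes facility and severity in the
# standard PRI field; numeric codes are the RFC 3164 / RFC 5424 values.
import re

# facility-type options from the guide with their standard facility codes.
FACILITY_CODES = {
    "user": 1, "news": 7,
    "local0": 16, "local1": 17, "local2": 18, "local3": 19,
    "local4": 20, "local5": 21, "local6": 22, "local7": 23,
}

# send-as-type options from the guide with the severity numbers it lists.
SEND_AS_SEVERITY = {
    "emerg": 0, "alert": 1, "crit": 2, "error": 3,
    "warning": 4, "notice": 5, "info": 6, "debug": 7,
}


def syslog_pri(facility: str, send_as: str) -> int:
    """PRI = facility code * 8 + severity (RFC 5424 section 6.2.1)."""
    return FACILITY_CODES[facility] * 8 + SEND_AS_SEVERITY[send_as]


def decode_pri(pri: int) -> tuple:
    """Inverse of syslog_pri: (facility name, send-as name).
    Facilities the guide does not offer come back as 'facilityN'."""
    fac_code, sev = divmod(pri, 8)
    fac = {v: k for k, v in FACILITY_CODES.items()}.get(fac_code, f"facility{fac_code}")
    return fac, {v: k for k, v in SEND_AS_SEVERITY.items()}[sev]


def build_syslog_line(facility: str, send_as: str, hostname: str, body: str) -> str:
    """A BSD-style syslog line as a trap sink would receive it.
    The timestamp is a constructed constant so the output is deterministic."""
    return f"<{syslog_pri(facility, send_as)}>Mar  8 12:00:00 {hostname} fenotify: {body}"


_PRI_RE = re.compile(r"^<(\d{1,3})>")


def check_received(line: str, expected_facility: str, expected_send_as: str) -> bool:
    """Receiver-side check that the PRI on the wire matches the configured defaults."""
    m = _PRI_RE.match(line)
    if not m:
        return False
    return decode_pri(int(m.group(1))) == (expected_facility, expected_send_as)


if __name__ == "__main__":
    line = build_syslog_line("local4", "alert", "nx01",
                             "CEF:0|FireEye|NX|7.9.1|MO|malware-object|8|src=10.1.1.5")
    print(line)
    print(check_received(line, "local4", "alert"))  # True
```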
fenotify rsyslog enable Enables or disables rsyslog notifications.
Syntax [no] fenotify rsyslog enable
Parameters no
Disables rsyslog notifications.
Example The following example enables rsyslog notifications:
hostname (config) # fenotify rsyslog enable
User Role Administrator and Operator
Command Mode Configuration
Release Information This command was introduced as follows:
- AX Series: Before release 7.6
- EX Series: Before release 7.6
- FX Series: Before release 7.6
- NX Series: Before release 7.6
Related Commands For a list of related commands, see Event Notification Commands on page 87.
fenotify rsyslog trap-sink address Uses the syslog protocol to send event logs to the server with the specified IP address or domain name.
Syntax [no] fenotify rsyslog trap-sink <sink_name> address <ip_address>
Parameters
no
Disables the specified rsyslog notification trap sink.
sink_name
The name of the rsyslog notification trap sink.
ip_address
The IP address or domain name of the server that the event logs are sent to.
Example The following example uses the syslog protocol to send event logs to the server with the specified IP address:
hostname (config) # fenotify rsyslog trap-sink rk address 10.0.0.0
User Role Administrator and Operator
Command Mode Configuration
Release Information This command was introduced as follows:
- AX Series: Before release 7.6
- EX Series: Before release 7.6
- FX Series: Before release 7.6
- NX Series: Before release 7.6
Related Commands For a list of related commands, see Event Notification Commands on page 87.
fenotify rsyslog trap-sink chunk-size Splits the message into multiple chunks of the specified size (chunk-size). The default value is 1024 bytes. If you forward your syslog messages to another device and the messages are truncated, use this command to increase the chunk size. There is no restriction on the chunk size.
Syntax [no] fenotify rsyslog trap-sink <sink_name> chunk-size <chunk_size>
Parameters
no
Disables rsyslog notification trap sinks.
sink_name
The name of the rsyslog notification trap sink.
chunk_size
The size of a chunk used to split a message into multiple parts. The default value is 1024 bytes.
Example The following example splits the message into multiple chunks of 2048 bytes:
hostname (config) # fenotify rsyslog trap-sink rk chunk-size 2048
User Role Administrator and Operator
Command Mode Configuration
Release Information This command was introduced as follows:
- AX Series: Before release 7.6
- EX Series: Before release 7.6
- FX Series: Before release 7.6
- NX Series: Before release 7.6
Related Commands For a list of related commands, see Event Notification Commands on page 87.
fenotify rsyslog trap-sink enable Enables the FireEye notification consumer.
Syntax [no] fenotify rsyslog trap-sink <sink_name> enable
Parameters
no
Disables the FireEye notification consumer.
sink_name
The name of the rsyslog notification trap sink.
Example The following example enables the FireEye notification consumer:
hostname (config) # fenotify rsyslog trap-sink rk enable
User Role Administrator and Operator
Command Mode Configuration
Release Information This command was introduced as follows: l
AX Series: Before release 7.6
l
EX Series: Before release 7.6
l
FX Series: Before release 7.6
l
NX Series: Before release 7.6
Related Commands For a list of related commands, see Event Notification Commands on page 87.
fenotify rsyslog trap-sink port
Sends the event logs to the server using the specified UDP port.
Syntax [no] fenotify rsyslog trap-sink sink_name port port_number
Parameters
- no: Disables rsyslog notification trap sinks.
- sink_name: The name of the rsyslog notification trap sink.
- port_number: The UDP port to which event logs are sent.
Example The following example sends the event logs to the server using port 42:
hostname (config) # fenotify rsyslog trap-sink rk port 42
User Role Administrator and Operator
Command Mode Configuration
Release Information This command was introduced as follows:
- AX Series: Before release 7.6
- EX Series: Before release 7.6
- FX Series: Before release 7.6
- NX Series: Before release 7.6
Related Commands For a list of related commands, see Event Notification Commands on page 87.
fenotify rsyslog trap-sink prefer message delivery
Selects the default delivery schedule for rsyslog notifications.
Syntax [no] fenotify rsyslog trap-sink sink_name prefer message delivery delivery_method
Parameters
- no: Disables rsyslog notification trap sinks.
- sink_name: The name of the rsyslog notification trap sink.
- delivery_method: The following default delivery schedules are supported:
  - per-event: Information about each event, sent when the event is triggered.
  - daily-per-source: Information about all events detected in the past 24 hours, with one notification sent for each source IP.
  - hourly-per-source: Information about all events detected in the past hour, with one notification sent for each attacker (source).
  - per-1min-per-source: Information about all events detected in the past minute, with one notification sent for each source IP.
  - per-5min-per-source: Information about all events detected in the past 5 minutes, with one notification sent for each source IP.
Example The following example selects per-event delivery, so information about each event is sent when the event is triggered:
hostname (config) # fenotify rsyslog trap-sink rk prefer message delivery per-event
User Role Administrator and Operator
Command Mode Configuration
Release Information This command was introduced as follows:
- AX Series: Before release 7.6
- EX Series: Before release 7.6
- FX Series: Before release 7.6
- NX Series: Before release 7.6
Related Commands For a list of related commands, see Event Notification Commands on page 87.
fenotify rsyslog trap-sink prefer message format
Selects the default delivery format for rsyslog notifications.
Syntax [no] fenotify rsyslog trap-sink sink_name prefer message format format_type
Parameters
- no: Disables rsyslog notification trap sinks.
- sink_name: The name of the rsyslog notification trap sink.
- format_type: The following default delivery formats are supported:
  - cef: Delivery in common event format (CEF).
  - csv: Delivery in comma-separated values (CSV) format.
  - leef: Delivery in log event enhanced format (LEEF).
  Select one of the Text, JSON (JavaScript Object Notation), or XML options:
  - json-concise: Sends a notification in JSON CONCISE format containing basic information such as Alert type, ID, src_IP, malware name, hostname, and Alert URL.
  - json-extended: Sends a notification in JSON EXTENDED format containing detailed information and abstracts including data-theft information (if any) and static analysis details. JSON Extended provides all details about files and objects modified during analysis.
  - json-normal: Sends a notification in JSON NORMAL format containing detailed information and abstracts such as Alert type, ID, src_IP, malware name, hostname, and Alert URL without any redundant information.
  - json-legacy-concise: Sends a notification in JSON legacy CONCISE format containing basic information such as Alert type, ID, src_IP, malware name, hostname, and Alert URL.
  - json-legacy-extended: Sends a notification in JSON legacy EXTENDED format containing detailed information and abstracts including data-theft information (if any) and static analysis details. JSON legacy Extended provides all details about files and objects modified during analysis.
  - json-legacy-normal: Sends a notification in JSON legacy NORMAL format containing detailed information and abstracts such as Alert type, ID, src_IP, malware name, hostname, and Alert URL without any redundant information.
  - text-concise: Sends a notification in TEXT CONCISE format containing basic information such as Alert type, ID, src_IP, malware name, hostname, and Alert URL.
  - text-extended: Sends a notification in TEXT EXTENDED format containing detailed information and abstracts including data-theft information (if any) and static analysis details. TEXT Extended provides all details about files and objects modified during analysis.
  - text-normal: Delivery in TEXT NORMAL format containing detailed information and abstracts such as Alert type, ID, src_IP, malware name, hostname, and Alert URL without any redundant information.
  - xml-concise: Sends a notification in XML CONCISE format containing basic information such as Alert type, ID, src_IP, malware name, hostname, and Alert URL.
  - xml-extended: Sends a notification in XML EXTENDED format containing detailed information and abstracts including data-theft information (if any) and static analysis details. XML Extended provides all details about files and objects modified during analysis.
  - xml-normal: Sends a notification in XML NORMAL format containing detailed information and abstracts such as Alert type, ID, src_IP, malware name, hostname, and Alert URL without any redundant information.
  - secureworks: Sends a notification in SecureWorks format.
Example The following example selects CEF as the default delivery format for rsyslog notifications:
hostname (config) # fenotify rsyslog trap-sink rk prefer message format cef
User Role Administrator and Operator
Command Mode Configuration
Release Information This command was introduced as follows:
- AX Series: Before release 7.6
- EX Series: Before release 7.6
- FX Series: Before release 7.6
- NX Series: Before release 7.6
Related Commands For a list of related commands, see Event Notification Commands on page 87.
fenotify rsyslog trap-sink prefer message item-order
Configures the order of the items in rsyslog notifications.
Syntax [no] fenotify rsyslog trap-sink sink_name prefer message item-order {constant-order | short-first}
Parameters
- no: Disables rsyslog notification trap sinks.
- sink_name: The name of the rsyslog notification trap sink.
- {constant-order | short-first}: Configures the order of the items:
  - constant-order: The order of the items is preserved.
  - short-first: Shortest item first.
Example The following example preserves the order of the items in rsyslog notifications:
hostname (config) # fenotify rsyslog trap-sink rk prefer message item-order constant-order
User Role Administrator and Operator
Command Mode Configuration
Release Information This command was introduced as follows:
- AX Series: Before release 7.6
- EX Series: Before release 7.6
- FX Series: Before release 7.6
- NX Series: Before release 7.6
Related Commands For a list of related commands, see Event Notification Commands on page 87.
fenotify rsyslog trap-sink prefer message send-as
Configures the syslog severity with which notification messages are sent.
Syntax [no] fenotify rsyslog trap-sink sink_name prefer message send-as type
Parameters
- no: Disables rsyslog notification trap sinks.
- sink_name: The name of the rsyslog notification trap sink.
- type: The following message types are supported:
  - alert: Action must be taken immediately (severity 1).
  - crit: Critical conditions (severity 2).
  - debug: Debug-level messages (severity 7).
  - emerg: Emergency: system is unusable (severity 0).
  - error: Error conditions (severity 3).
  - info: Informational messages (severity 6).
  - notice: Normal but significant conditions (severity 5).
  - warning: Warning conditions (severity 4).
Example The following example sends the notification messages as alerts:
hostname (config) # fenotify rsyslog trap-sink rk prefer message send-as alert
User Role Administrator and Operator
Command Mode Configuration
Release Information This command was introduced as follows:
- AX Series: Before release 7.6
- EX Series: Before release 7.6
- FX Series: Before release 7.6
- NX Series: Before release 7.6
Related Commands For a list of related commands, see Event Notification Commands on page 87.
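Added example, not code from the FireEye guide: a receiver-side check that decodes the syslog PRI of forwarded notifications and flags lines whose severity does not match the keyword configured with prefer message send-as. The sample lines and the facility value (local4) in them are constructed assumptions.

```python
"""Check the syslog severity of received FireEye rsyslog notifications against the
keyword configured with 'prefer message send-as'.
Added example, not code from the FireEye guide; the sample lines are constructed."""
import re

# Keywords and severity numbers exactly as listed for 'prefer message send-as'.
SEND_AS_SEVERITY = {
    "emerg": 0, "alert": 1, "crit": 2, "error": 3,
    "warning": 4, "notice": 5, "info": 6, "debug": 7,
}
SEVERITY_KEYWORD = {num: kw for kw, num in SEND_AS_SEVERITY.items()}

# Both RFC 3164 and RFC 5424 messages start with <PRI>, where PRI = facility * 8 + severity.
_PRI_RE = re.compile(r"^<(\d{1,3})>")


def decode_pri(line):
    """Return (facility, severity) for a syslog line, or None if the PRI is missing or invalid."""
    match = _PRI_RE.match(line)
    if match is None:
        return None
    pri = int(match.group(1))
    if pri > 191:  # facility 23, severity 7 is the largest legal PRI
        return None
    return divmod(pri, 8)


def check_send_as(lines, expected_keyword):
    """Return [(line_number, keyword_found)] for lines whose severity is not the expected one.
    keyword_found is None when the line carries no valid PRI at all."""
    wanted = SEND_AS_SEVERITY[expected_keyword]
    mismatches = []
    for number, line in enumerate(lines, start=1):
        decoded = decode_pri(line)
        if decoded is None:
            mismatches.append((number, None))
            continue
        _facility, severity = decoded
        if severity != wanted:
            mismatches.append((number, SEVERITY_KEYWORD[severity]))
    return mismatches


# Constructed sample: facility local4 (20) is an assumption; PRI 161 = 20*8+1 (alert),
# PRI 163 = 20*8+3 (error). The last line has lost its PRI, as a truncated forward might.
SAMPLE_LINES = [
    "<161>Jan  1 00:00:01 fireeye fenotify: test notification 1",
    "<163>Jan  1 00:00:02 fireeye fenotify: test notification 2",
    "<161>Jan  1 00:00:03 fireeye fenotify: test notification 3",
    "Jan  1 00:00:04 fireeye fenotify: test notification 4",
]

if __name__ == "__main__":
    # Sink configured with 'prefer message send-as alert': lines 2 and 4 are flagged.
    print(check_send_as(SAMPLE_LINES, "alert"))
```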
fenotify rsyslog trap-sink prefer notification
Selects the alerts for which notifications are sent.
Syntax [no] fenotify rsyslog trap-sink sink_name prefer notification event-type
Parameters
- no: Disables rsyslog notification trap sinks.
- sink_name: The name of the rsyslog notification trap sink.
- event-type: Type of notification:
  - all-events: Notification of all events except riskware.
  - all-riskware: Notification of riskware-object and riskware-callback events.
  - domain-match: Notification of domain-match events.
  - infection-match: Notification of infection-match events.
  - ips-event: Notification of IPS events. Supported on IPS-enabled platforms only.
  - malware-callback: Notification of malware-callback events.
  - malware-object: Notification of malware-object events.
  - riskware-callback: Notification of riskware-callback events.
  - riskware-object: Notification of riskware-object events.
  - web-infection: Notification of Web-infection events.
Example The following example enables notifications of riskware-object and riskware-callback events:
hostname (config) # fenotify rsyslog trap-sink rk prefer notification all-riskware
User Role Administrator and Operator
Command Mode Configuration
Release Information This command was introduced as follows:
- AX Series: Before release 7.6. Riskware options were introduced in Release 7.9.1.
- EX Series: Before release 7.6. Riskware options were introduced in Release 7.9.1.
- FX Series: Before release 7.6. Riskware options were introduced in Release 7.9.1.
- NX Series: Before release 7.6. Riskware options were introduced in Release 7.9.1.
Related Commands For a list of related commands, see Event Notification Commands on page 87.
fenotify rsyslog trap-sink protocol
Selects whether to send notifications over TCP or UDP.
Syntax [no] fenotify rsyslog trap-sink sink_name protocol {tcp | udp}
Parameters
- no: Disables rsyslog notification trap sinks.
- sink_name: The name of the rsyslog notification trap sink.
- {tcp | udp}: Selects whether to send notifications over TCP or UDP.
Example The following example sends notifications over TCP:
hostname (config) # fenotify rsyslog trap-sink rk protocol tcp
User Role Administrator and Operator
Command Mode Configuration
Release Information This command was introduced as follows:
- AX Series: Before release 7.6
- EX Series: Before release 7.6
- FX Series: Before release 7.6
- NX Series: Before release 7.6
Related Commands For a list of related commands, see Event Notification Commands on page 87.
fenotify rsyslog trap-sink user
Sets the owner user name of this consumer.
Syntax [no] fenotify rsyslog trap-sink sink_name user user_name
Parameters
- no: Disables rsyslog notification trap sinks.
- sink_name: The name of the rsyslog notification trap sink.
- user_name: The owner user name of this consumer.
Example The following example sets the owner user name of this consumer:
hostname (config) # fenotify rsyslog trap-sink rk user johndoe
User Role Administrator and Operator
Command Mode Configuration
Release Information This command was introduced as follows:
- AX Series: Before release 7.6
- EX Series: Before release 7.6
- FX Series: Before release 7.6
- NX Series: Before release 7.6
Related Commands For a list of related commands, see Event Notification Commands on page 87.
fenotify rsyslog trap-sink
Enables the specified rsyslog notification trap sink.
Syntax [no] fenotify rsyslog trap-sink sink_name
Parameters
- no: Disables the specified rsyslog notification trap sink.
- sink_name: The name of the rsyslog notification trap sink.
Example The following example enables the specified rsyslog notification trap sink:
hostname (config) # fenotify rsyslog trap-sink rk
User Role Administrator and Operator
Command Mode Configuration
Release Information This command was introduced as follows:
- AX Series: Before release 7.6.
- EX Series: Before release 7.6.
- FX Series: Before release 7.6.
- NX Series: Before release 7.6.
Related Commands For a list of related commands, see Event Notification Commands on page 87.
fenotify snmp
Description Enables Simple Network Management Protocol (SNMP) notifications. This command is available for the Web MPS, MAS, and Email MPS. The event option is available on the Web MPS. This command enables alert notifications. Use the snmp-server host command to enable system notifications.
Syntax
[no] fenotify snmp {alert | default {delivery | provider} | enable | trap-sink}
[no] fenotify snmp enable
[no] fenotify snmp default delivery delivery-method
[no] fenotify snmp default version snmp-version
[no] fenotify snmp event alert-type enable
[no] fenotify snmp trap-sink sink_name
fenotify snmp trap-sink sink_name enable
fenotify snmp trap-sink sink_name address ip_address
fenotify snmp trap-sink sink_name community community_name
fenotify snmp trap-sink sink_name prefer message delivery delivery-method
fenotify snmp trap-sink sink_name prefer notification event-type
fenotify snmp trap-sink sink_name version snmp-version
fenotify snmp trap-sink sink_name user user_name
Parameters
- alert-type: Type of notification:
  - domain-match: Notification of domain-match events.
  - infection-match: Notification of infection-match events.
  - ips-event: Notification of IPS events. Supported on IPS-enabled platforms only.
  - malware-callback: Notification of malware-callback events.
  - malware-object: Notification of malware-object events.
  - web-infection: Notification of Web-infection events.
- delivery-method: The following default delivery schedules are supported:
  - daily-digest: Information about all events detected in the past 24 hours.
  - per-event: Information about each event, sent when the event is triggered.
  - daily-per-source: Information about all events detected in the past 24 hours, with one notification sent for each source IP.
  - hourly-per-source: Information about all events detected in the past hour, with one notification sent for each attacker (source).
  - per-1min-per-source: Information about all events detected in the past minute, with one notification sent for each source IP.
  - per-5min-per-source: Information about all events detected in the past 5 minutes, with one notification sent for each source IP.
- sink_name: A convenient name (nickname) for the SNMP trap sink.
- snmp-version: SNMP version used for notifications: 1c or 2c.
- ip_address: IP address of the trap sink.
- community_name: SNMP community string.
- user_name: Username of the notification recipient.
Example The following example enables SNMP notifications to the "ABC" trap sink.
hostname (config)# fenotify snmp trap-sink ABC enable
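Added example, not FireEye code, covering the delivery schedules listed for both the rsyslog sink (prefer message delivery) and the SNMP sink above: it groups constructed sample events the way each schedule would, so the notification volume of the settings can be compared before one is chosen. The sample events and the fixed-window bucketing used to model "past hour", "past 5 minutes" and so on are assumptions, not the appliance's exact timing.

```python
"""Estimate how many notifications a trap sink emits under each 'prefer message
delivery' schedule from the FireEye CLI reference.
Added example, not FireEye code: events and fixed-window bucketing are assumptions."""
from collections import defaultdict
from datetime import datetime, timezone

# Window length in seconds and whether one notification is sent per source IP.
# None = one notification per event. daily-digest is listed for the SNMP sink only.
SCHEDULES = {
    "per-event": None,
    "daily-digest": (86400, False),
    "daily-per-source": (86400, True),
    "hourly-per-source": (3600, True),
    "per-1min-per-source": (60, True),
    "per-5min-per-source": (300, True),
}


def group_notifications(events, schedule):
    """Return {key: [event, ...]} where each key is one notification the sink would
    send under `schedule`. Keys are (window_start, source) for per-source schedules,
    (window_start, None) for the digest, and a unique per-event tuple otherwise."""
    if schedule not in SCHEDULES:
        raise ValueError(f"unknown delivery schedule: {schedule}")
    rule = SCHEDULES[schedule]
    groups = defaultdict(list)
    for ev in events:
        if rule is None:
            key = (ev["ts"], ev["src"], ev["id"])
        else:
            window, per_source = rule
            window_start = ev["ts"] - (ev["ts"] % window)  # assumed: fixed aligned windows
            key = (window_start, ev["src"] if per_source else None)
        groups[key].append(ev)
    return dict(groups)


def notification_count(events, schedule):
    """Number of notifications `schedule` would produce for `events`."""
    return len(group_notifications(events, schedule))


def _epoch(iso_utc):
    """Constructed-sample helper: ISO-8601 timestamp (UTC) -> epoch seconds."""
    return int(datetime.fromisoformat(iso_utc).replace(tzinfo=timezone.utc).timestamp())


# Constructed sample: two source IPs, four events within five minutes and one later.
SAMPLE_EVENTS = [
    {"id": 1, "ts": _epoch("2016-01-01T10:00:05"), "src": "10.0.0.1", "type": "malware-callback"},
    {"id": 2, "ts": _epoch("2016-01-01T10:00:40"), "src": "10.0.0.1", "type": "malware-object"},
    {"id": 3, "ts": _epoch("2016-01-01T10:03:10"), "src": "10.0.0.2", "type": "web-infection"},
    {"id": 4, "ts": _epoch("2016-01-01T10:04:50"), "src": "10.0.0.1", "type": "domain-match"},
    {"id": 5, "ts": _epoch("2016-01-01T11:30:00"), "src": "10.0.0.2", "type": "malware-callback"},
]


def volume_table(events=SAMPLE_EVENTS):
    """Notification count per schedule, for comparing sink settings side by side."""
    return {name: notification_count(events, name) for name in SCHEDULES}


if __name__ == "__main__":
    for name, count in volume_table().items():
        print(f"{name:22s} {count}")
```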
fenotify ssl
To configure the notifications cipher list for SSL/TLS, use the fenotify ssl command in configuration mode.
Syntax
[no] fenotify ssl cipher-list {original | fips | cc-ndpp | fips-and-cc-ndpp | high-security | compatible}
fenotify ssl min-version {tls1 | tls1.1 | tls1.2}
User Role Administrator, Operator, or Analyst
Release Information Command introduced in Release 7.6.0.
Parameters
- cipher-list {original | fips | cc-ndpp | fips-and-cc-ndpp | high-security | compatible}: Configures the notifications cipher list for SSL/TLS:
  - original: Original FireEye cipher list (maximum compatibility)
  - fips: Compliant with FIPS
  - cc-ndpp: Compliant with CC-NDPP
  - fips-and-cc-ndpp: Compliant with both FIPS and CC-NDPP
  - high-security: High security (might include ciphers not compliant with FIPS or CC-NDPP)
  - compatible: Improved security while maintaining backward compatibility
- min-version {tls1 | tls1.1 | tls1.2}: Configures the minimum SSL version for notifications:
  - tls1: Requires TLSv1 or higher.
  - tls1.1: Requires TLSv1.1 or higher.
  - tls1.2: Requires TLSv1.2 or higher.
Example The following example configures the notifications cipher list to be compliant with FIPS:
hostname (config) # fenotify ssl cipher-list fips
fenotify test-fire
Description Sends a test notification. This command is available for the Web MPS, MAS, and Email MPS.
Syntax fenotify test-fire notification-type
Parameters
- notification-type: Type of notification:
  - domain-match: Notification of domain-match event.
  - infection-match: Notification of infection-match events.
  - ips-event: Notification of an IPS event. Supported on MVX IPS-enabled platforms only.
  - malware-callback: Notification of malware callback events.
  - malware-object: Notification of malware object events.
  - web-infection: Notification of Web infection events.
Example The following sends a test notification of malware callback events.
hostname (config)# fenotify test-fire malware-callback
Sending test notification...
file-analysis suppress
To prevent an MD5 that was detected as a false-positive event from being marked as malicious, use the file-analysis suppress command in enable mode.
Syntax file-analysis suppress md5 md5ID
User Account Requirement Operator or Admin role
Release Information Command available in FX Series releases.
Description This command prevents an MD5 checksum that was identified as a false-positive event from being marked as malicious. All malware records with a matching MD5 checksum will be marked as non-malicious. For more information, see the FX Series Threat Management Guide.
Parameters
- md5ID: MD5 checksum to suppress.
Example The following example suppresses the specified MD5 checksum. The output lists the IDs of the matching malware records.
hostname # file-analysis suppress md5 94978a14a9a3329b28a0735c8992d75a
Malware(s) {633,632,634,685,686,688,1246,1197,1198,1199,1248,1247,1230,1231,1232,1256,1257,1255,1265,1264,1266} suppressed for md5sum 94978a14a9a3329b28a0735c8992d75a
file debug-dump
Description Deletes, emails, or uploads a system debug file.
Syntax file debug-dump {delete file_name | email file_name | upload file_name url}
Parameters
- delete file_name: Full path name of the file to be deleted.
- email file_name: Full path name of the file to be emailed to a preconfigured email address.
- upload file_name url: Full path name of the file and a URL that specifies where the file is uploaded. The format can be one of the following: ftp://// tftp://// scp://username:password@hostname//
Example The following example sends the dump file to the preconfigured email address.
hostname # file debug-dump email sysdump-4200A-6-20090730-093220.tgz
Related Commands debug generate on page 473
file stats
Description Deletes, moves, or uploads a statistics report file. This command always fetches files from /var/opt/tms/tcpdumps. Pressing TAB after the delete option shows the available file names.
Syntax file stats {delete file_name | move source_file_name destination_file_name | upload file_name url}
Parameters
- delete file_name: Full path name of the file to be deleted.
- move source_file_name destination_file_name: Source and destination file names.
- upload file_name url: Name of the file and a URL that specifies where the file is uploaded. The format can be one of the following: ftp://// tftp://// scp://username:password@hostname//
Example The following example uploads the specified file to the Web site.
hostname # file stats upload report.txt ftp://ftp.example.com/debug/debug.txt
file tcpdump
Description Deletes or uploads a TCP dump file.
Syntax file tcpdump {delete file_name | upload file_name url}
Parameters
- delete file_name: Full path name of the file to be deleted.
- upload file_name url: Full path name of the file and a URL that specifies where the file is uploaded. The format can be one of the following: ftp://// tftp://// scp://username:password@hostname//
Example The following example uploads the specified file to the site.
hostname # file tcpdump upload tcpdump.txt scp://it123:[email protected]/debug/tcpdump.txt
fmps scan abort
Aborts a running scan. When a scan is aborted, the output of show fmps scan-id displays the message "Scan aborted by user" in the Description field. When a scheduled scan is aborted, the schedule remains active. Enter the fmps scan restart command to restart an aborted scan.
Syntax fmps scan abort id
Parameters
- id: The identification number of the scan.
Example The following example aborts scan 10.
fmps scan abort 10
The following example restarts scan 10.
fmps scan restart 10
User Role Administrator
Command Mode Configuration
Release Information FX Series: Release 7.7
Related Topics For a list of related commands, see FMPS (FX) Scan Command Family on page 93.
fmps scan delete
Deletes a scan.
Syntax fmps scan delete id [noconfirm]
Parameters
- id: The identification number of the scan.
- noconfirm: Deletes the scan without displaying a confirmation message.
Example The following example deletes scan 10.
hostname (config) # fmps scan delete 10
User Role Administrator
Command Mode Configuration
Release Information FX Series: Release 7.7
Related Topics For a list of related commands, see FMPS (FX) Scan Command Family on page 93.
fmps scan pause
Pauses a running scan. Use the fmps scan resume command to restart the scan at the point where it was paused.
Syntax fmps scan pause id
Parameters
- id: The identification number of the scan.
Example The following example pauses scan 10.
fmps scan pause scan10
The following example resumes scan 10 at the point where it was paused.
fmps scan resume 10
User Role Administrator
Command Mode Configuration
Release Information FX Series: Release 7.7
Related Topics For a list of related commands, see FMPS (FX) Scan Command Family on page 93.
fmps scan restart
Restarts an aborted scan. You can also restart now scans, continuous scans, and pre-scan scans. In addition, you can restart a scheduled scan if the schedule is active. A schedule is active if you have not deleted it.
Syntax fmps scan restart id
Parameters
- id: The identification number of the scan.
Example The following example restarts scan 10.
fmps scan restart 10
User Role Administrator
Command Mode Configuration
Release Information FX Series: Release 7.7
Related Topics For a list of related commands, see FMPS (FX) Scan Command Family on page 93.
fmps scan resume
Resumes a paused scan at the point where it was paused.
Syntax fmps scan resume id
Parameters
- id: The identification number of the scan.
Example The following example resumes scan 10.
fmps scan resume 10
User Role Administrator
Command Mode Configuration
Release Information FX Series: Release 7.7
Related Topics For a list of related commands, see FMPS (FX) Scan Command Family on page 93.
fmps file config analysis_tmo
To specify the maximum time for dynamic analysis on a file, use the fmps file config analysis_tmo command in configuration mode.
Syntax fmps file config analysis_tmo seconds
User Account Requirement Operator or Admin role
Release Information Command available in FX Series releases.
Description This command specifies how long the MVX engine will perform dynamic analysis on a single file. It will stop analyzing the file after this time is reached, and classify the file as "unknown." For more information, see the FX Series Threat Management Guide.
Parameters
- seconds: The maximum time, in seconds. The default is 240 seconds.
Example The following example changes the maximum dynamic analysis time to 300 seconds.
hostname (config) # fmps file config analysis_tmo 300
fmps file config maxsize
To specify the maximum file size the MVX engine will analyze, use the fmps file config maxsize command in configuration mode.
Syntax [no] fmps file config maxsize MB
User Account Requirement Operator or Admin role
Release Information Command available in FX Series releases.
Description This command specifies the maximum file size. For more information, see the FX Series Threat Management Guide.
Parameters
- no: Resets the maximum file size to be analyzed to the default size of 5 MB.
- MB: The maximum file size. The default size is 5 MB; the maximum is 250 MB.
Example The following example changes the maximum file size to 10 MB.
hostname (config) # fmps file config maxsize 10
fmps file config scan_delay
To specify the interval at which a continuous scan on the FX Series appliance checks file shares for newly added or modified files, use the fmps file config scan_delay command in configuration mode. FireEye strongly recommends that you configure a scan delay of at least one minute to accommodate network latency issues with file system operations. Otherwise, a continuous scan could check files that are in the process of being modified.
Syntax [no] fmps file config scan_delay minutes
User Account Requirement Operator or Admin role
Release Information Command available in FX Series releases.
Description By default, "continuous" scans run on the appliance every three minutes. This command specifies a different interval or resets it to the default. For more information, see the FX Series Threat Management Guide.
Parameters
- no: Resets the interval to the default.
- minutes: The number of minutes between continuous scans. The default is 3 minutes; the minimum is .02 minutes (1 second).
Example The following example specifies an interval of 2 minutes.
hostname (config) # fmps file config scan_delay 2
fmps file config share-timeout
To specify the maximum amount of time a share can be inaccessible before a running scan is aborted, use the fmps file config share-timeout command in configuration mode.
Syntax [no] fmps file config share-timeout seconds
User Account Requirement Operator or Admin role
Release Information Command available in FX Series releases.
Description This command specifies the amount of time a share can be inaccessible before scans that are in progress are aborted. For more information, see the FX Series Threat Management Guide.
Parameters
- no: Resets the timeout to the default.
- seconds: The maximum amount of time before the scan times out. The default is 300 seconds.
Example The following example changes the timeout to 350 seconds.
hostname (config) # fmps file config share-timeout 350
fmps file config wins_server
To configure the IP address of the Windows Internet Name Service (WINS) server used in systems that use Distributed File System (DFS) shares, use the fmps file config wins_server command in configuration mode.
Syntax [no] fmps file config wins_server ipAddress
User Account Requirement Operator or Admin role
Release Information Command available in FX Series releases.
Description If you are using Distributed File System (DFS) shares, you need to configure the IP address of the WINS server used to resolve link targets using NetBIOS. This command enables you to specify that address. For more information, see the FX Series Threat Management Guide.
Parameters
- no: Removes any configured IP address.
- ipAddress: The IP address of the WINS server.
Example The following example configures the specified WINS server IP address:
hostname (config) # fmps file config wins_server 10.0.0.0
fmps scan configure filetypes
To specify the file types a configured scan should check or whitelist, use the fmps scan configure filetypes command in configuration mode. If you do not specify any file types, all files are scanned. You can use this command only on scans that are in the "configured" state. You cannot configure active, paused, aborted, completed, or scheduled scans.
Syntax [no] fmps scan configure scanID filetypes {select | whitelist} fileExtensions
User Account Requirement Operator or Admin role
Release Information Command introduced in Release 7.5.0 for FX Series appliances.
Description One of the ways to tailor a scan is to specify which file types the scan should include. You can specify file types that are enabled for at least one guest images profile on the Settings: Malware File Assoc. page in the FX Series Web UI. If you disable a file type on the Settings>Malware File Assoc. page, subsequent scans will skip those files. You can also specify the file types the scan should skip because they are whitelisted. You can specify any of the file types known to the appliance, which are listed in the Filter this Scan step of the Configure a Scan wizard. If a whitelist folder is configured using the fmps configure target-shares command, the files are automatically moved to it. For more information, see the FX Series Threat Management Guide.
Parameters
- no: Clears the file types that were previously selected by this command.
- scanID: The numeric identifier for the scan.
- select fileExtensions: Specifies the file types to scan. Separate multiple file types with spaces.
- whitelist fileExtensions: Specifies the file types to whitelist. Separate multiple file types with spaces.
Example The following example specifies that scan 97 should scan for .doc, .docx, .pdf, .ppt, and .xls files and ignore all others.
hostname (config) # fmps scan configure 97 select doc docx pdf ppt xls
fmps scan configure scan-name
To provide a name for a configured scan, use the fmps scan configure scan-name command in configuration mode. You can use this command only on scans that are in the "configured" state. You cannot configure active, paused, aborted, completed, or scheduled scans.
Syntax [no] fmps scan configure scanID scan-name scanName
User Account Requirement Operator or Admin role
Release Information Command introduced in Release 7.5.0 for FX Series appliances.
Description The system automatically assigns a unique scan number to each scan. You can configure an optional name for a scan. The name does not have to be unique. For more information, see the FX Series Threat Management Guide.
Parameters
- no: Removes the configured scan name.
- scanID: The numeric identifier for the scan, which is automatically assigned by the system.
- scan-name scanName: The scan name. Spaces are not allowed.
Example The following example names scan 95 "WeeklyPayroll."
hostname (config) # fmps scan configure 95 scan-name WeeklyPayroll
fmps scan configure start-time To specify how far back in time a configured scan should check for new or modified files, use the fmps scan configure start-time command in configuration mode. You can use this command only on scans that are in the "configured" state. You cannot configure active, paused, aborted, completed, or scheduled scans.
Syntax [no] fmps scan configure scanID start-time after YYYY/MM/DD HH:mm:ss [no] fmps scan configure scanID start-time since number days number hours number minutes number seconds
User Account Requirement Operator or Admin role
Release Information Command introduced in Release 7.5.0 for FX Series appliances.
Description This command allows you to limit the scope of a scan by defining that it scan only files that were added or changed after a specified date and time or since a specified time in the past. For more information, see the FX Series Threat Management Guide.
Parameters no Removes the defined start time. scanID The numeric identifier for the scan. after YYYY/MM/DD HH:mm:ss The date and time from which scanning should start, where YYYY is the year, MM is the month (01-12), DD is the day (01-31), HH is the hour (01-23), mm is the minute (01-59), and ss is the second (01-59). since number days number hours number minutes number seconds The period of time from which scanning should start. Each parameter must be defined; if you want to skip one, enter 0 as the number.
Examples The following example specifies that scan 98 should check for files that were added or changed after September 15, 2014 at 4:00 a.m. hostname (config) # fmps scan configure 98 start-time after 2014/09/15 04:00:00
The following example specifies that scan 67 should check for files that were added or changed in the last 12 hours. hostname (config) # fmps scan configure 67 start-time since 0 days 12 hours 0 minutes 0 seconds
fmps scan configure subdirectories To specify which subdirectory a configured scan should check, use the fmps scan configure subdirectories command in configuration mode. You can use this command only on scans that are in the "configured" state. You cannot configure active, paused, aborted, completed, or scheduled scans.
Syntax [no] fmps scan configure scanID subdirectories subdirectory
User Account Information Operator or Admin role
Release Information Command introduced in Release 7.5.0 for FX Series appliances.
Description This command allows you to limit the scope of a scan by specifying that it should check only the specified subdirectory. For more information, see the FX Series Threat Management Guide.
Parameters no Removes the configured subdirectory. scanID The numeric identifier for the scan. subdirectories The subdirectory to scan.
Example The following example specifies that scan 2 should check only the Hardware subdirectory. hostname (config) # fmps scan configure 2 subdirectories Hardware
fmps scan configure target-shares To define the shares for a configured scan to which the FX Series appliance routes malicious, safe, whitelisted, and skipped files, use the fmps scan configure target-shares command in configuration mode. You can use this command only on scans that are in the "configured" state. You cannot configure active, paused, aborted, completed, or scheduled scans.
Syntax [no] fmps scan configure scanID target-shares {good|quarantine|unknown|whitelisted} shareName
User Account Requirement Operator or Admin role
Release Information Command introduced in Release 7.5.0 for FX Series appliances.
Description This command designates shares to which the appliance moves scanned files. The appliance will not scan these shares.
- Quarantine shares store files that were analyzed and classified as malicious. When you configure a quarantine share, you can specify either a quarantine share you added or "local_QF." If you specify "local_QF," the appliance will create a local_QF folder in the source file share the first time it encounters a malicious file, and will move all malicious files into it. FireEye recommends against doing this, because malicious files will not be isolated from the source files.
- Good shares store files that were analyzed and classified as non-malicious.
- Whitelist shares store files that were not analyzed because you designated their file types as safe using the fmps scan configure filetypes command.
- Unknown shares store files that were skipped for reasons such as their file types being disabled for scanning or unknown to the appliance, or the files themselves being empty.
Storage can be one of three types: Files, Quarantine, or Good/Whitelist/Unknown Files. Only shares with the Good/Whitelist/Unknown Files storage type can be configured as the Good, Whitelist, and Unknown shares. All three of these shares can be associated with the same storage. If any of these shares is not configured, the applicable files will not be moved. For more information, see the FX Series Threat Management Guide.
Parameters no Removes the specified share. scanID The numeric identifier for the scan. good shareName Specifies a share for non-malicious files. quarantine shareName Specifies a share for malicious files. unknown shareName Specifies a share for skipped files. whitelisted shareName Specifies a share for whitelisted files.
Example The following example configures a quarantine share and an unknown share for scan 46. hostname (config) # fmps scan configure 46 target-shares quarantine Acme-qua hostname (config) # fmps scan configure 46 target-shares unknown Acme-un
fmps scan create To create a new scan, use the fmps scan create command in configuration mode.
Syntax fmps scan create from {scan scanID | share shareName}
User Account Requirement Operator or Admin role
Release Information Command introduced in Release 7.5.0 for FX Series appliances.
Description The from scan version of this command creates a scan using an existing scan as a template. The new scan has the same parameters as the existing scan but can be modified, and will run on the same share as the existing scan. The from share version of this command creates a base scan with no defined criteria that will run on the specified share. New scans will not be shown on the Currently Configured Scans page in the Web UI until you start or schedule them using the fmps scan start or fmps scan schedule command. For more information, see the FX Series Threat Management Guide.
Parameters scan scanID Creates a new scan based on an existing scan with the specified ID. share shareName Creates a base scan with no defined criteria on the specified share.
Examples The following example creates a new scan based on scan 85. The new scan will run on the same share as scan 85. hostname (config) # fmps scan create from scan 85 Scan 143 configured
The following example creates a new scan on the Acme_IT share: hostname (config) # fmps scan create from share Acme_IT Scan 144 configured
fmps scan delete Deletes a previously configured scan based on the scan-id. Scans are configured using the fmps scan create command.
Syntax fmps scan delete scan-id [noconfirm]
Parameters scan-id The identification number of the scan. The scan-id value is set when first configured using the fmps scan create command.
Options noconfirm Delete the scans without asking for a confirmation.
Examples The following example deletes scan number 10. hostname (config) # fmps scan delete 10
Related Commands For a list of commands, see the FMPS (FX) Scan Command Family on page 93
User Roles admin and operator
Command Mode configuration
Release Information FX Series: Release 7.7
fmps scan schedule To configure a scan that runs regularly on a daily or weekly basis, use the fmps scan schedule command in configuration mode.
Syntax [no] fmps scan schedule scanID type {daily time HH:mm | weekly day day time HH:mm}
User Account Requirement Operator or Admin role
Release Information Command introduced in Release 7.5.0 for FX Series appliances.
Description This command schedules a scan to run either daily or weekly. For more information, see the FX Series Threat Management Guide.
Parameters no Removes the scheduling information from the scan. scanID The numeric identifier for the scan. daily time HH:mm The time the scan should run each day, where HH is the hour (01-23) and mm is the minute (01-59). weekly day day time HH:mm The day and time the weekly scan should run each week, where day is Sunday, Monday, Tuesday, Wednesday, Thursday, Friday, or Saturday; HH is the hour (01-23) and mm is the minute (01-59).
Example The following example schedules scan 56 to run every Saturday at 8:00 p.m. hostname (config) # fmps scan schedule 56 type weekly day Saturday time 20:00
fmps scan start To define the scan type for a configured scan and start the scan, use the fmps scan start command in configuration mode.
Syntax fmps scan start scanID {prescan|continuous|now}
User Account Requirement Operator or Admin role
Release Information Command introduced in Release 7.5.0 for FX Series appliances.
Description This command both defines the scan type for a configured scan and starts the scan. (When you create a scan using the fmps scan create command, the type of scan is not defined, and it is configured but not started.) For more information, see the FX Series Threat Management Guide.
Parameters scanID The numeric identifier for the configured scan. prescan Defines and starts a pre-scan. continuous Defines and starts a continuous scan. now Defines and starts an on-demand scan.
Example The following example defines scan 203 as a continuous scan and starts it. hostname (config) # fmps scan start 203 continuous
fmps scan start scan-id listen Starts a listen scan.
Syntax fmps scan start scan-id listen
Parameters scan-id The identification number of the scan.
Examples The following example starts a listen scan using scan 10: hostname (config) # fmps scan start 10 listen
User Roles Operator, Administrator
Command Mode Configuration
Release Information Command introduced in Release 7.7.0 for FX Series appliances.
fmps share configure share-name auth Sets the file share password and user name.
Syntax fmps share configure share-name auth password password
fmps share configure share-name auth user user
Parameters share-name The name of the file share. password password Specifies the password, where password is the password for the file share. user user Specifies the user name, where user is the name of the user of the file share.
Examples The following example sets the password to abc123. hostname (config) # fmps share configure sh1 auth password abc123
The following example sets the user name to shareOne. hostname (config) # fmps share configure sh1 auth user shareOne
User Roles Operator, Administrator
Command Mode Configuration
Release Information Command introduced in Release 7.7.0 for FX Series appliances.
fmps share configure share-name ca-file Sets the file share Certificate Authority (CA) file name.
Syntax fmps share configure share-name ca-file fileName
Parameters share-name The name of the file share. fileName The name of the CA file.
Examples The following example sets the CA file name to fileCA. hostname (config) # fmps share configure shareOne ca-file fileCA
User Roles Operator, Administrator
Command Mode Configuration
Release Information Command introduced in Release 7.7.0 for FX Series appliances.
fmps share configure share-name protocol Sets the file share mount protocol.
Syntax fmps share configure share-name protocol {cifs | nfs | webdav | securewebdav}
Parameters share-name The name of the file share. cifs Specifies the Common Internet File System (CIFS) mount protocol. nfs Specifies the Network File System (NFS) mount protocol. webdav Specifies the Web Distributed Authoring and Versioning (WebDAV) mount protocol. securewebdav Specifies the secure WebDAV mount protocol.
Examples The following example sets the mount protocol to CIFS. hostname (config) # fmps share configure shareOne protocol cifs
The following example sets the mount protocol to NFS. hostname (config) # fmps share configure shareOne protocol nfs
The following example sets the mount protocol to WebDAV. hostname (config) # fmps share configure shareOne protocol webdav
The following example sets the mount protocol to secure WebDAV. hostname (config) # fmps share configure shareOne protocol securewebdav
User Roles Operator, Administrator
Command Mode Configuration
Release Information Command introduced in Release 7.7.0 for FX Series appliances.
fmps share configure share-name server Sets the file share server name and server path.
Syntax fmps share configure share-name server serverName path path
Parameters share-name The name of the file share. server serverName Specifies the server name, where serverName is the name of the server. path path Specifies the path to the server, where path is the path on that server.
Examples The following example sets the server name to shareOne and the server path to /acmeNetworks/servers. hostname (config) # fmps share configure shareOne server shareOne path /acmeNetworks/servers
User Roles Operator, Administrator
Command Mode Configuration
Release Information Command introduced in Release 7.7.0 for FX Series appliances.
fmps share create quarantine Creates a quarantine share.
Syntax fmps share create quarantine share-name
Parameters share-name The name of the quarantine share.
Examples The following example creates the qShare quarantine share. hostname (config) # fmps share create quarantine qShare
User Roles Operator, Administrator
Command Mode Configuration
Release Information Command introduced in Release 7.7.0 for FX Series appliances.
fmps share create source Creates a source share.
Syntax fmps share create source share-name
Parameters share-name The name of the source share.
Examples The following example creates the sShare source share. hostname (config) # fmps share create source sShare
User Roles Operator, Administrator
Command Mode Configuration
Release Information Command introduced in Release 7.7.0 for FX Series appliances.
fmps share create target Creates a target share.
Syntax fmps share create target share-name
Parameters share-name The name of the target share.
Examples The following example creates the tShare target share. hostname (config) # fmps share create target tShare
User Roles Operator, Administrator
Command Mode Configuration
Release Information Command introduced in Release 7.7.0 for FX Series appliances.
fmps share delete Deletes a file share.
Syntax fmps share delete share-name
Parameters share-name The name of the file share.
Examples The following example deletes the fsOne file share. hostname (config) # fmps share delete fsOne
User Roles Operator, Administrator
Command Mode Configuration
Release Information Command introduced in Release 7.7.0 for FX Series appliances.
fmps share mount Mounts a file share.
Syntax fmps share mount share-name
Parameters share-name The name of the file share.
Examples The following example mounts the fsOne file share. hostname (config) # fmps share mount fsOne
User Roles Operator, Administrator
Command Mode Configuration
Release Information Command introduced in Release 7.7.0 for FX Series appliances.
fmps share unmount Unmounts a file share.
Syntax fmps share unmount share-name
Parameters share-name The name of the file share.
Examples The following example unmounts the fsOne file share. hostname (config) # fmps share unmount fsOne
User Roles Operator, Administrator
Command Mode Configuration
Release Information Command introduced in Release 7.7.0 for FX Series appliances.
forensic analysis enable Enables integration with the Solera Networks packet analyzer application. After it is enabled, the integration must be configured on the Settings: Forensics page in the Web UI.
Syntax [no] forensic analysis enable
Parameters no Use the no form of this command to disable the integration.
Example The following example enables forensic analysis. hostname (config) # forensic analysis enable
User Role Administrator
Command Mode Enable
Release Information This command was introduced as follows:
- NX Series: Before Release 7.5
Related Commands For a list of related commands, see Forensic Analysis Command Family on page 94.
gen-emps-rpt Description Invokes the gen-emps-rpt daily statistics tool, including bypassed email counts, types of files analyzed, number of attachments, and so on.
Syntax gen-emps-rpt [options]
Parameters -t Sets the time frame of the statistical report: 1d | 1w | 1m | 3m One month is the default. -d Enables debugging. -x Outputs the statistical report in XML.
Example The following example generates a statistical report for the last month (default). The first part of the report highlights attachments contained in emails and the second part highlights URLs contained in emails. See Statistics for descriptions of the information that is returned in these sections. The remainder of the report provides additional details. For example, the report states that 28422 unique and 33 duplicate attachments were detected, and that there were 22936 attachments with a file type that was not enabled for scanning.
hostname(config)# gen-emps-rpt
Date        Tot_Email  Bypass_Email  Scan_Email  With_att  Tot_att  Tot_dup  Mal_att  Mal_dup
2012/04/11  538395     9989          25255       51391     51391    33       379      33
Date        Tot_Email  With_URL  >10_URL  >100_URL  >200_URL  Tot_URL  Mal_URL  Uniq_URL
2012/04/11  538395     153864    0        0         0         1538640  1430     1537728
Total emails 538395, total emails with attachments and/or urls (scanned) 205255.
Total attachments from all emails is 51391, that's an average of 0.25 attachments per email.
9.55% of emails have attachment(s).
Total urls from all emails is 153864, that's an average of 7.50 urls per email. 28.58% of emails have url(s).
There were 1 unique recipients and 1 unique senders.
Out of a total of 412 malicious attachments, 379 were found to be unique malicious attachments.
There was a total of 28422 unique attachments, 33 duplicate attachments, and 22936 file types that are not enabled.
Average run time was 00:01:09.343221 and the maximum run time was 00:04:04.619241.
Average wait time was 00:05:08.447762 and the maximum wait time was 00:37:00.208561.
There are 22935 attachments of file type 'jpg'. There are 20894 attachments of file type 'pdf', of which 33 are duplicates. There are 2551 attachments of file type 'xls'. There are 2522 attachments of file type 'ppt'. There are 2486 attachments of file type 'doc'. There are 2 attachments of file type 'exe'. There are 1 attachments of file type 'mp4'.
Number of emails in postfix incoming queue: 0
Emails Bypassed: 9989
Showing Malware:
Total Binaries Submitted : 1589989          Binaries Analyzed : 1589989
Binaries identified as Malicious : 1842
- VM verified : 379
- Duplicate to VM verified : 33
- Known checksum match : 1430
Total events : 4383
vm-signature-match events : 112             os-change-anomaly events : 638
checksum-match events : 3308                vm-outbound-comm events : 325
Binaries break down by system status, Total : 1589989
Submitted for VM analysis : 29856
Duplicate Submit : 33
Disabled : 1560100
Statistics The following statistics for the specified time frame are returned in the first part of the report, which highlights the attachments contained in emails. Tot_Email—The number of emails that entered the system. Bypass_Email—The number of emails that were bypassed. (Emails are typically bypassed due to heavy traffic load.) Scan_Email—The number of emails that were submitted to the MVX (Multivector Virtual Execution) Engine for analysis. With_att—The number of emails with at least one attachment. Tot_att—The number of attachments found in all emails. Tot_dup—The number of duplicate attachments. Mal_att—The number of malware samples in the emails that are malicious and unique. Mal_dup—The number of duplicate malware samples. The following statistics for the specified time frame are returned in the second part of the report, which highlights the URLs contained in emails. Tot_Email—The number of emails that entered the system. With_URL—The number of emails with at least one URL. >10_URL—The number of emails that contain more than ten URLs. >100 URL—The number of emails that contain more than 100 URLs. >200 URL—The number of emails that contain more than 200 URLs. Tot_URL—The number of URLs detected in all scanned emails, including duplicate URLs. Mal_URL—The number of scanned malicious URLs across all emails. Uniq_URL—The number of unique URLs detected in all scanned emails.
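Added example, not FireEye code: a small Python parser for the two gen-emps-rpt header tables described above that re-derives the percentage and per-email averages the report prints beneath them (9.55%, 0.25, 28.58%, 7.50) and runs the sanity checks a SOC would apply before trusting a day's figures. The report excerpt is constructed from the figures on this page, and whitespace-separated columns are assumed.

```python
"""Parse the two gen-emps-rpt header tables and re-derive the report's summary lines.

Added example; this is not FireEye code. The excerpts below are constructed from the
figures in the report shown in this guide; whitespace-separated columns are assumed.
"""

# Constructed excerpt: the attachment table and the URL table, one data row each.
SAMPLE_REPORT = """\
Date        Tot_Email  Bypass_Email  Scan_Email  With_att  Tot_att  Tot_dup  Mal_att  Mal_dup
2012/04/11  538395     9989          205255      51391     51391    33       379      33
Date        Tot_Email  With_URL  >10_URL  >100_URL  >200_URL  Tot_URL  Mal_URL  Uniq_URL
2012/04/11  538395     153864    0        0         0         1538640  1430     1537728
"""

# Constructed excerpt of the "Showing Malware" section, one counter per line.
SAMPLE_MALWARE_SECTION = """\
Binaries identified as Malicious : 1842
- VM verified : 379
- Duplicate to VM verified : 33
- Known checksum match : 1430
"""


def parse_tables(text):
    """Return one dict per data row, keyed by the header line that precedes it."""
    rows, header = [], None
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0] == "Date":          # a header line starts a new table
            header = fields
            continue
        if header is None or len(fields) != len(header):
            raise ValueError(f"row does not match its header: {line!r}")
        row = {"Date": fields[0]}
        row.update({name: int(value) for name, value in zip(header[1:], fields[1:])})
        rows.append(row)
    return rows


def summarize(att_row, url_row):
    """Re-derive the percentage and average lines printed beneath the tables."""
    total = att_row["Tot_Email"]
    scanned = att_row["Scan_Email"]   # the report divides averages by scanned emails
    return {
        "pct_with_attachments": round(100.0 * att_row["With_att"] / total, 2),
        "avg_attachments_per_scanned_email": round(att_row["Tot_att"] / scanned, 2),
        "pct_with_urls": round(100.0 * url_row["With_URL"] / total, 2),
        "avg_urls_per_scanned_email": round(url_row["Tot_URL"] / scanned, 2),
    }


def consistency_problems(att_row, url_row):
    """Sanity checks worth running before a day's figures go into a report."""
    problems = []
    if (att_row["Date"], att_row["Tot_Email"]) != (url_row["Date"], url_row["Tot_Email"]):
        problems.append("attachment and URL tables disagree on date or total emails")
    if att_row["Bypass_Email"] + att_row["Scan_Email"] > att_row["Tot_Email"]:
        problems.append("bypassed plus scanned exceeds total emails")
    if max(att_row["Mal_att"], att_row["Tot_dup"]) > att_row["Tot_att"]:
        problems.append("malicious or duplicate attachments exceed total attachments")
    if max(url_row["Uniq_URL"], url_row["Mal_URL"]) > url_row["Tot_URL"]:
        problems.append("unique or malicious URLs exceed total URLs")
    return problems


def malicious_breakdown_adds_up(text):
    """True when VM verified + duplicates + checksum matches equal the malicious total."""
    counts = {}
    for line in text.splitlines():
        label, _, value = line.rpartition(":")
        counts[label.strip(" -")] = int(value)
    parts = ("VM verified", "Duplicate to VM verified", "Known checksum match")
    return sum(counts[p] for p in parts) == counts["Binaries identified as Malicious"]


if __name__ == "__main__":
    att, url = parse_tables(SAMPLE_REPORT)
    print(summarize(att, url))
    print("problems:", consistency_problems(att, url))
    print("malware breakdown consistent:", malicious_breakdown_adds_up(SAMPLE_MALWARE_SECTION))
```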
guest-images configure Description Selects Guest Images to be installed. You can install the default Guest Images, a particular FireEye bundle of Guest Images, or one or more individual Guest Image profiles. Each choice is mutually exclusive. However, you can have more than one profile Guest Image. We recommend that you do not use the no form of this command for bundles or defaults; selecting different bundle or default Guest Images automatically resets the current Guest Images. You can use the no form of this command to reconfigure a profile. The ID number used in the guest-images configure bundle and guest-images configure profile commands is obtained from the output of the show guest-images available bundles and show guest-images available profiles commands, respectively. The ID number used in the no guest-images configure bundle and no guest-images configure profile commands is obtained from the output of the show guest-images config command. Related commands: show guest-images
Syntax [no] guest-images configure {bundle bundle_id | defaults | profile profile_id}
Parameters bundle bundle_id Specifies a FireEye Guest Images bundle. defaults Selects the default Guest Images. profile profile_id Specifies a Guest Image profile.
Examples The following example displays the available Guest Images profiles installed on the FireEye appliance. hostname (config) # show guest-images available profiles
The following profiles are available: [0] winxp-sp3 - Windows XP sp3 English 32-bit (AMD). [1] win7-sp1 - Windows 7 SP1 English 32-bit (AMD) . [2] win7x64-sp1 - Windows 7 sp1 English 64-bit (AMD).
The following example configures available Guest Images profile 2. hostname (config) # guest-images configure profile 2 Configured [2] win7x64-sp1 - Windows 7 sp1 English 64-bit (AMD). Guest-image configuration settings have been successfully updated. Run 'show guest-images config' to list current Guest-image configuration.
The following example displays the profile IDs for those profiles that you want to reconfigure. hostname (config) # show guest-images config Guest-image configuration contains the following profiles: [0] win7x64-sp1 - Windows 7 sp1 English 64-bit (AMD).
The following example reconfigures the configured Guest Images profile 0. hostname (config) # no guest-images configure profile 2 Unconfigured [2] win7x64-sp1 - Windows 7 sp1 English 64-bit (AMD). Guest-image configuration settings have been successfully updated Run 'show guest-images config' to list current Guest-image configuration.
guest-images disable-list Description Your FireEye appliance comes with five Guest Images, but you can only enable four of them at one time. You may not want to disable the Guest Image that is disabled by default. For example, in NX Series 7.5.0, the default disabled Guest Image is winxp-base. If you want to enable the winxp-base Guest Image, first disable a Guest Image that you do not need, and then enable the winxp-base Guest Image. Use the show guest-images command to display the list of Guest Images installed on the appliance, and then locate disabled Guest Images, as shown in the following example:
hostname # show guest-images
Name         ID  Disabled  Version  Type
winxp-sp3    43  -         15.0107  Analysis
win7-sp1     65  -         15.0107  Analysis
win7x64-sp1  66  -         15.0107  Analysis
Use guest-images disable-list to disable any Guest Images that you do not need. Then, when you have two or more disabled Guest Images, you can enable (up to four) disabled Guest Images using the no guest-images disable-list command. Related commands: show guest-images
Syntax [no] guest-images disable-list {name Guest Image name}
Parameters name Guest Image name The name of the Guest Image, such as winxp-base.
Examples The following example disables the win7-sp1 Guest Image profile installed on the FireEye appliance. hostname (config) # guest-images disable-list win7-sp1
The following example enables the previously disabled winxp-base Guest Image profile installed on the FireEye appliance. hostname (config) # no guest-images disable-list winxp-base
guest-images download Description Downloads Guest Images onto the MPS appliance. If a CMS is running release 6.3.0 or later, it is not necessary to run this command, because this process is automated. The 6.3.0 or later MPS appliance is scheduled to check for guest image updates daily. When this appliance is managed by a 6.3.0 or later CMS, the guest image update on the appliance will trigger the CMS to download the requested guest image updates for hosting. The appliance will automatically download and install the updates after the CMS completes the download.
Syntax guest-images download cancel guest-images download delete [no] guest-images download limit-rate number units guest-images download manifest [url http/https-url] guest-images download resume [url http/https-url] guest-images download url http/https-url guest-images download version version
Parameters cancel Terminates an in-progress Guest Images download and deletes any partial downloads. delete Deletes any 6.3.0 Guest Images that have been downloaded but have not been installed. For the CMS or MPS running release 6.3.0 or later, there is only one installed Guest Image and it is automatically managed. On a CMS that is running release 6.3.0 or later and hosting legacy Guest Images, use the guest-images delete command to remove legacy Guest Images. Any number of legacy Guest Images can be hosted.
limit-rate number units Sets the limit-rate for all future downloads. The guest-images download commands use this limit-rate value if another value is not explicitly specified. units is one of:
- bps—Bits per second
- Bps—Bytes per second
- Kbps—Kilobits per second
- KBps—Kilobytes per second
- Mbps—Megabits per second
- MBps—Megabytes per second
manifest Downloads a manifest from the DTI (MPC) or 6.3.0 CMS. Use this option if you are customizing Guest Images.
url http/https-url HTTP/HTTPS URL of the Guest Images index.
resume Continues a download that was unexpectedly terminated (for example, by a network issue). This option functions only for partial downloads. The guest-images download cancel and guest-images download delete commands both clean up partial downloads. Therefore, the resume command cannot be used after these commands have been issued. In this case, use guest-images download to restart the download.
version version Guest Images version to download.
Examples The following example downloads Guest Images.
hostname (config) # guest-images download
The following new profiles will be downloaded: win7-sp1 winxp-sp2 winxp-sp3 win7-base winxp-base
Downloading guest-images
Run 'show guest-images download' to check status.
hostname (config) # show guest-images download
A guest image download is in progress (44.79% done)
system is now verifying image of file winxp-sp2.img for profile winxp-sp2
time elapsed since start of download: 23s
Run 'guest-images download cancel' to cancel.
Default download limit-rate: None
The following example shows a Guest Images download that has unexpectedly quit and the deletion of the partial download.
hostname (config) # show guest-images download
A guest-image download has terminated unexpectedly. A partial guest image download exists.
Run 'guest-images download resume' to resume guest-images download.
Run 'guest-images download delete' to delete partial download.
hostname (config) # guest-images download delete
Deleting guest-image downloads.
The following example shows how to cancel a Guest Images download that is in progress.
hostname (config) # show guest-images download
A guest-image download is in progress.
Download in progress (3.00% done)
system is now decrypting and verifying signature of win7-sp1.img
time elapsed since start of download: 7s
Run 'guest-images download cancel' to cancel.
Default download limit-rate: None
hostname (config) # show guest-images download
A guest-image download is in progress.
Download in progress (39.91% done)
system is now decrypting and verifying signature of profile.xml
time elapsed since start of download: 27s
Run 'guest-images download cancel' to cancel.
hostname (config) # guest-images download cancel
Download of guest-images cancelled and partial downloads cleaned up.
hostname (config) # show guest-images download
No guest-images are installed.
Run 'guest-images download' to download guest-images
Default download limit-rate: None
guest-images file-association reset Description Resets the Guest Images file association to the default settings.
Syntax guest-images file-association reset
Parameters None
Example The following example resets the Guest Images file association to the default settings. hostname (config) # guest-images file-association reset
guest-images install Description Installs the latest Guest Images onto a FireEye MPS appliance. For MPS appliances running 6.2.0 or earlier versions, the id parameter must be included.
Syntax guest-images install [id]
Parameters id The guest image ID, returned in the show guest-images download command output.
Example The following example installs the latest Guest Images. hostname (config) # guest-images install
guest-images limit-rate Sets the rate limit for data transfer of all Guest Images. You can use the no form of this command to reconfigure a data transfer limit rate.
Syntax [no] guest-images limit-rate number units
Parameters number The rate limit for all future downloads. The guest-images download commands use this limit-rate value if another value is not explicitly specified. units The unit of the rate, one of:
- bps—Bits per second
- Bps—Bytes per second
- Kbps—Kilobits per second
- KBps—Kilobytes per second
- Mbps—Megabits per second
- MBps—Megabytes per second
Example The following example limits legacy Guest Images downloads to a rate of 100 Kbps. hostname (config) # guest-images limit-rate 100 Kbps
ha address vip
Configures a virtual IP (VIP) address that provides access to the Web UI of the primary node. The VIP address must be in the same subnet as the two nodes. You must stop the cluster engine on the secondary node first and then on the primary node before you can configure the VIP address. The fe_address resource agent that manages the VIP address must be enabled before you can use the VIP address. This is a global configuration. It is configured on only one node, but is applied to the cluster.
Syntax ha address vip ipAddress
Parameters ipAddress The virtual IP address.
Description You can view the Web UI of the primary node, but not the secondary node. In a local area network (LAN) deployment, you can assign a virtual IP (VIP) address for the cluster. The VIP address is dynamic and moves from node to node, depending on which node has the primary role. To access the Web UI, you go to the VIP address, instead of to the management port's IP address or hostname. This eliminates the need to determine which node is primary before you log in to the Web UI. The fe_address resource agent is disabled by default. The VIP address must be defined before you enable the resource agent. If you disable the resource agent later, the VIP address remains in the cluster configuration.
Example The following example configures a VIP address and then enables the fe_address resource agent.
node1 (config) # ha address vip 10.11.121.19
node1 (config) # ha resource fe_address enable
User Role Admin
Command Mode Configuration
Release Information This command was introduced as follows: CM Series: Before Release 6.4. The fe_address resource agent was added in Release 7.7.
Related Commands For a list of related commands, see: CM Series High Availability (HA) Command Family on page 71 For more information about CM Series HA, see the CM Series High Availability Guide.
ha engine failover
Manually fails over the primary node to the secondary node.
Syntax ha engine failover
Parameters None
Description After the failover completes, the nodes switch roles. The original primary node becomes the secondary node, and the original secondary node becomes the primary node. The following configurations fail over:
- CM Series management configuration (except interface, licensing, and host-specific configurations)
- Aggregated alerts database (if alert data replication is enabled)
- Security content updates (if security content replication is enabled)
Example The following example fails over the primary node (node1) to node2. It then monitors the failover as node1's role changes from primary, to unknown, and finally to secondary.
node1 (config) # ha engine failover
Type 'YES' to confirm failover: YES
success
Please check the status with CLI 'show ha status' in few seconds.
node1 (config) # show ha status
Cluster Status
Status: running
Primary Node: node1 (self)
...
node1 (config) # show ha status
Cluster status:
Status: stopped
Primary Node: unknown
...
node1 (config) # show ha status
Cluster Status
Status: running
Primary Node: node2
...
User Role Admin
Command Mode Configuration
Release Information This command was introduced as follows: CM Series: Before Release 6.4
Related Commands For a list of related commands, see: CM Series High Availability (HA) Command Family on page 71 For more information about CM Series HA, see the CM Series High Availability Guide.
ha engine reset cluster-config
Resets the cluster configuration to the factory default cluster settings and removes the node from the cluster. This is a local configuration. It is performed from each node, and is applied to only that node.
Syntax ha engine reset cluster-config
Parameters None
Example The following example stops the cluster engine on node2, which allows you to stop the cluster engine on the primary node (node1). It then resets the default settings for node1. In this example, the fe_address resource agent, which was explicitly enabled, becomes disabled (the default state).
node2 (config) # ha engine stop
node1 (config) # ha engine stop
node1 (config) # ha engine reset cluster-config
Type 'YES' to confirm HA engine configuration reset: YES
success
CM HA configure reset is initiated. Please wait for 'stopped' status with CLI 'show ha status'.
node1 (config) # show ha status
...
node1 (config) # show ha configuration
CMS HA Cluster Settings:
...
Cluster Resources:
...
fe_address enabled: no
...
node1 (config) # write memory
User Role Admin
Command Mode Configuration
Release Information This command was introduced as follows: CM Series: Release 7.7
Related Commands For a list of related commands, see: CM Series High Availability (HA) Command Family on page 71 For more information about CM Series HA, including how to convert a node to a standard (non-HA) CM Series platform, see the CM Series High Availability Guide.
ha engine restart
Starts or restarts the cluster engine on a node. When you restart the cluster engine on the secondary node, if alert replication is enabled, alert data is replicated from the primary node to the secondary node. During this process, do not perform any cluster operation or add or remove appliances from the CM Series platform. Use the show ha status command to confirm that the synchronization is finished. See the second example below for the status messages to expect during this process.
Syntax ha engine restart
Parameters None
Description When you use the CLI to configure a new cluster, you must manually start the cluster engine on each node. When you use the configuration wizard to configure a new cluster, the cluster engine on each node starts automatically. The node that starts first takes the primary role. You cannot restart the cluster engine on the primary node if the secondary node is running. You must either stop the cluster engine on the secondary node first, or fail over to the secondary node, which changes the role of the primary node to secondary.
Examples The following example restarts the cluster engine on the primary node.
node1 (config) # ha engine restart
success
Please check the status with CLI 'show status' in a few seconds.
node1 (config) # show ha status
...
The following example restarts the cluster engine on the secondary node, and monitors the status as alert data is synchronized from the primary node.
node2 (config) # ha engine restart
success
Please check the status with CLI 'show status' in a few seconds.
node2 (config) # show ha status
--------------
ALERT: Base database synchronization in progress
The database synchronization from primary node (node1) to the secondary node (node2) is in progress. This process may take several minutes depending on the size of aggregated data on the primary node. During this process please do NOT restart HA engine or any other process on any of the CMS HA nodes. Also, please do not add or remove any appliance. You may continue reviewing alerts on the primary node. The rsync process started on node2 at Wed Oct 28 23:50:01 UTC 2015.
-------------------
Cluster Status:
Status: running
Primary Node: node1
...
node2 (config) # show ha status
--------------------
INFO: CMS HA cluster is ready
The database synchronization from primary node (node1) to node2 is completed and CMS HA cluster is ready for normal CMS operations. All activities must be performed on the primary node i.e node1. You may use CLI on secondary node (node2) to review CMS configuration and aggregated alerts. The cluster was formed on Thu Oct 29 01:37:07 UTC 2015. Please review the primary status to make sure CMS HA cluster is healthy.
-----------
Cluster Status
Status: running
Primary Node: node1
...
User Role Admin
Command Mode Configuration
Release Information This command was introduced as follows: CM Series: Before Release 6.4
Related Commands For a list of related commands, see: CM Series High Availability (HA) Command Family on page 71 For more information about CM Series HA, see the CM Series High Availability Guide.
ha engine split-brain shutdown auto
In a split-brain scenario, this command enables the automatic shutdown of the cluster engine on the other node, after the cluster resource manager determines which node has quorum and selects the primary node. This feature is disabled by default. This is a local configuration. It is performed from each node, and is applied to only that node.
Syntax [no] ha engine split-brain shutdown auto
Parameters no The no form of this command disables automatic shutdown.
Description A split-brain condition occurs when a failure in the HA interface causes communication and data synchronization to stop. The secondary node cannot determine whether the primary node crashed or whether the primary node is healthy, because the communication link is broken and there is no heartbeat. The secondary node attempts to take over the primary role. If the primary node is in fact healthy, the two nodes are now operating independently instead of as a cluster pair. To resolve the split-brain condition, the cluster resource manager determines which node should be primary. If both nodes are configured and have connected appliances, the node with the majority of connected appliances is selected as the primary node. If the two nodes have the same number of connected appliances, a string comparison function compares the hostnames of the nodes and breaks the tie. After the primary node is selected, if automatic shutdown is enabled, the other node's cluster engine is stopped. If automatic shutdown is disabled, the other node's cluster engine continues to run.
Example The following example enables automatic shutdown on node2.
node2 (config) # ha engine split-brain shutdown auto
User Role Admin
Command Mode Configuration
Release Information This command was introduced as follows: CM Series: Before Release 6.4.
Related Commands For a list of related commands, see: CM Series High Availability (HA) Command Family on page 71 For more information about CM Series HA, see the CM Series High Availability Guide.
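The following model of the split-brain resolution described above is an added example, not code from the FireEye guide: it applies the majority-of-appliances rule, the hostname tie-break, and the per-node automatic shutdown setting. Two assumptions are not stated on the page and are marked in the code: the tie-break favours the lexicographically smaller hostname, and only the losing node's own setting decides whether its engine stops.

```python
from dataclasses import dataclass


@dataclass
class Node:
    """One CM Series HA node as seen after the HA link has failed."""
    hostname: str
    connected_appliances: int
    shutdown_auto: bool = False   # 'ha engine split-brain shutdown auto' is off by default
    engine_running: bool = True


def select_primary(a: Node, b: Node) -> Node:
    """Quorum rule from the guide: the node with more connected appliances
    wins; an equal count is broken by comparing hostnames as strings.
    ASSUMPTION: the lexicographically smaller hostname wins the tie."""
    if a.connected_appliances != b.connected_appliances:
        return a if a.connected_appliances > b.connected_appliances else b
    return a if a.hostname < b.hostname else b


def resolve_split_brain(a: Node, b: Node) -> dict:
    """Apply the quorum rule, then the automatic shutdown setting of the
    losing node (ASSUMPTION: the setting is local, so only that node's own
    value counts). The summary flags the state an operator should watch for:
    both engines still running means the nodes remain independent."""
    primary = select_primary(a, b)
    other = b if primary is a else a
    if other.shutdown_auto:
        other.engine_running = False
    return {
        "primary": primary.hostname,
        "other": other.hostname,
        "other_engine_running": other.engine_running,
        "still_split": primary.engine_running and other.engine_running,
    }


if __name__ == "__main__":
    # Constructed scenario: node2 manages more appliances, but the losing
    # node (node1) has automatic shutdown disabled, so both engines keep running.
    print(resolve_split_brain(Node("node1", 3), Node("node2", 5, shutdown_auto=True)))
```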
ha engine stop
Stops the cluster engine on a node. You cannot stop the cluster engine on the primary node if the secondary node is running. You must either stop the cluster engine on the secondary node first, or fail over to the secondary node, which changes the role of the primary node to secondary.
Syntax ha engine stop
Parameters None
Example The following example stops the cluster engine on the secondary node. It monitors the status until the status is stopped, and then stops the cluster engine on the primary node.
node2 (config) # ha engine stop
node2 (config) # show ha status
...
Nodes    Status
node1    running
node2    stopped
node1 (config) # ha engine stop
...
User Role Admin
Command Mode Configuration
Release Information This command was introduced as follows: CM Series: Before Release 6.4
Related Commands For a list of related commands, see: CM Series High Availability (HA) Command Family on page 71
For more information about CM Series HA, see the CM Series High Availability Guide.
ha interface backup
Configures the name of the backup HA interface on a node.
Syntax ha interface backup name
Parameters name The name of the designated backup HA interface.
Example The following example configures the backup HA interface by specifying its IP address and mask length, enabling the interface, and then specifying the interface name.
node1 (config) # interface ether2 ip address 10.0.1.2 /30
node1 (config) # no interface ether2 shutdown
node1 (config) # ha interface backup ether2
User Role Admin
Command Mode Configuration
Release Information This command was introduced as follows: CM Series: Release 7.7
Related Commands For a list of related commands, see: CM Series High Availability (HA) Command Family on page 71 For more information about CM Series HA, see the CM Series High Availability Guide. For more information about configuring interfaces, see Interface Commands on page 100.
ha interface default
Configures the name of the default HA interface on a node.
Syntax ha interface default name
Parameters name The name of the designated default HA interface.
Example The following example configures the default HA interface by specifying its IP address and mask length, enabling the interface, and then specifying the interface name.
node1 (config) # interface ether3 ip address 10.0.0.2 /30
node1 (config) # no interface ether3 shutdown
node1 (config) # ha interface default ether3
User Role Admin
Command Mode Configuration
Release Information This command was introduced as follows: CM Series: Release 7.7
Related Commands For a list of related commands, see: CM Series High Availability (HA) Command Family on page 71 For more information about CM Series HA, see the CM Series High Availability Guide. For more information about configuring interfaces, see Interface Commands on page 100.
ha node failover auto
Configures whether the cluster should automatically fail over to the secondary node if a failover condition occurs. This feature is enabled by default. This is a local configuration. It is performed from each node, and is applied to only that node.
Syntax [no] ha node failover auto
Parameters no The no form of this command disables automatic failover.
Description You can disable automatic failover and instead fail over manually after receiving notification of a failure. In a disaster recovery (DR) deployment, you typically disable automatic failover on the secondary node. You can also disable automatic failover for troubleshooting. Automatic failover can be enabled or disabled on both nodes, or enabled on one node and disabled on the other.
Example The following example disables automatic failover on node2.
node2 (config) # no ha node failover auto
node2 (config) # show ha configuration
CMS HA Cluster Settings:
...
Auto-failover: no
...
User Role Admin
Command Mode Configuration
Release Information This command was introduced as follows: CM Series: Release 7.7
Related Commands For a list of related commands, see: CM Series High Availability (HA) Command Family on page 71 For more information about CM Series HA, see the CM Series High Availability Guide.
ha node join
Joins a node to another node to form a cluster. After you enter this command, the system prompts you to enter the password of the remote admin user on the other node.
Syntax ha node join otherNode
Parameters otherNode The IP address of the existing node in the cluster.
Example The following example adds node2 to form the cluster.
node2 (config) # ha node join 172.16.127.144
Enter password for admin account on primary node: ****
Node joining has started
Please check the status with CLI 'show ha configuration'.
node2 (config) # show ha configuration
CMS HA Cluster Settings:
...
Cluster Communications:
Default Interface: ether1
Enabled: yes
Members: 172.16.127.44/node1, 172.16.127.145/node2,
...
node2 (config) # show ha members all
node2
node1
User Role Admin
Command Mode Configuration
Release Information This command was introduced as follows: CM Series: Release 7.7
Related Commands For a list of related commands, see: CM Series High Availability (HA) Command Family on page 71 For more information about CM Series HA, see the CM Series High Availability Guide.
ha node leave
Removes the secondary node from the cluster using the CLI of the secondary node.
Syntax ha node leave
Parameters None
Example The following example removes node2 from the cluster while it is online. The two show commands confirm that the cluster is no longer formed, because it has only one member. (The node is still displayed in a cluster configuration, because it has a CM Series HA license. It can be converted to a standard, or non-HA, CM Series platform as described in the CM Series High Availability Guide.)
node2 (config) # ha node leave
Please type YES to confirm leave: YES
Cluster leaving has started
Please check the status with CLI 'show ha configuration'.
node2 (config) # show ha configuration
CMS HA Cluster Settings
...
Default Interface: ether1
Enabled: yes
Members: 10.11.121.18/node2,
...
node2 (config) # show ha members all
node2
User Role Admin
Command Mode Configuration
Release Information This command was introduced as follows: CM Series: Release 7.7
Related Commands For a list of related commands, see: CM Series High Availability (HA) Command Family on page 71 For more information about CM Series HA, see the CM Series High Availability Guide.
ha node leave
Removes an offline secondary node from a cluster using the CLI of the primary node.
Syntax ha node {node} leave
Parameters node The hostname of the secondary node.
Example The following example removes node2 from the cluster using the primary node, because node2 is offline. The two show commands confirm that the cluster is no longer formed, because it has only one member.
node1 (config) # ha node node2 leave
Please type YES to confirm leave: YES
Node leaving has started
Please check the status with CLI 'show ha configuration'.
node1 (config) # show ha configuration
CMS HA Cluster Settings
...
Default Interface: ether1
Enabled: yes
Members: 10.11.121.13/node1,
...
node1 (config) # show ha members all
node1
User Role Admin
Command Mode Configuration
Release Information This command was introduced as follows: CM Series: Release 7.7
Related Commands For a list of related commands, see: CM Series High Availability (HA) Command Family on page 71
For more information about CM Series HA, see the CM Series High Availability Guide.
ha replicate alerts enable
Configures whether aggregated alert data is passed to the secondary node during a failover event. By default, alert replication is enabled. This is a global configuration. It is configured on only one node, but is applied to the cluster.
Syntax [no] ha replicate alerts enable
Parameters no The no form of this command disables the replication of aggregated alert data.
Description When alert replication is enabled, the alert data the CM Series platform aggregated from its managed appliances is passed to the secondary node when failover occurs. You can disable alert replication and automatic failover in disaster recovery (DR) deployments and other low-bandwidth scenarios in which you need to limit the amount of traffic passing through the HA interface.
Example The following example disables alert replication on the cluster from the primary node.
node2 (config) # ha engine stop
node1 (config) # ha engine stop
node1 (config) # no ha replicate alerts enable
node1 (config) # show ha configuration
CMS HA Cluster Settings:
...
Replicating:
Configuration: yes
Alerts: no
Security content: yes
...
node1 (config) # write memory
node1 (config) # ha engine restart
node2 (config) # ha engine restart
User Role Admin
Command Mode Configuration
Release Information This command was introduced as follows: CM Series: Release 7.7
Related Commands For a list of related commands, see: CM Series High Availability (HA) Command Family on page 71 For more information about CM Series HA, see the CM Series High Availability Guide.
ha replicate updates enable
Configures whether security content updates are passed to the secondary node during a failover event. By default, security content replication is enabled. This is a global configuration. It is configured on only one node, but is applied to the cluster.
Syntax [no] ha replicate updates enable
Parameters no The no form of this command disables the replication of security content updates.
Description When security content update replication is enabled, security content updates on the primary node are passed to the secondary node when failover occurs. You can disable security content replication and automatic failover in disaster recovery (DR) deployments and other low-bandwidth scenarios in which you need to limit the amount of traffic passing through the HA interface.
Example The following example disables security content replication on the cluster from the primary node.
node2 (config) # ha engine stop
node1 (config) # ha engine stop
node1 (config) # no ha replicate updates enable
node1 (config) # show ha configuration
CMS HA Cluster Settings:
...
Replicating:
Configuration: yes
Alerts: yes
Security content: no
...
node1 (config) # write memory
node1 (config) # ha engine restart
node2 (config) # ha engine restart
User Role Admin
Command Mode Configuration
Release Information This command was introduced as follows: CM Series: Release 7.7
Related Commands For a list of related commands, see: CM Series High Availability (HA) Command Family on page 71 For more information about CM Series HA, see the CM Series High Availability Guide.
ha resource enable
Enables or disables the specified resource agent on the cluster. This is a global configuration. It is configured on only one node, but is applied to the cluster.
Syntax [no] ha resource resource enable
Parameters resource The name of the resource agent.
no The no form of the command disables the specified resource agent.
Description A resource agent allows the cluster agent to interact with a specific service or resource. You can disable a resource agent without affecting other resource agents or the overall cluster operation. For example, if you stop the database resource agent, the database monitoring stops, but the database and the services that depend on it continue to run. The following table describes each resource agent and shows its normal state on the primary and secondary nodes.

Resource Agent Name | Purpose | Primary Normal State | Secondary Normal State
sys_disk_monitor | Monitors available disk space. | Running | Running
sys_ether1_monitor | Monitors the management (ether1) interface. | Running | Running
fe_address | Monitors and manages the cluster virtual IP (VIP) address, which is shared by both nodes and used to access the Web UI of the primary node. | Off | Off
fe_correlator | Monitors and manages the correlation of malicious URL events detected by an NX Series appliance with email events detected by an EX Series appliance. This pertains to a CM Series platform that manages both appliance types. | Running | Off
fe_aggregator | Monitors and manages the aggregation of alert data from managed appliances. | Running | Off
fe_fedb | Monitors and manages the FireEye database service. | Running | Running
fe_webui | Monitors and manages the Web UI service. | Running | Off
fe_peer_service | Monitors and manages the service that handles interactions among CM Series platforms in different domains. This pertains to CM Series platforms that are licensed to use the CMS Peer Service. | Running | Off
fe_notification | Monitors and manages the service that sends malware alert notifications. | Running | Off
fe_http | Monitors and manages CM Series Web services. | Running | Running

Example The following example disables the database resource agent.
node2 (config) # ha engine stop
node1 (config) # ha engine stop
...
node1 (config) # no ha resource fe_fedb enable
node1 (config) # show ha configuration
CMS HA Cluster Settings:
...
Cluster Resources:
...
fe_fedb enabled: no
...
User Role Admin
Command Mode Configuration
Release Information This command was introduced as follows: CM Series: Release 7.7
Related Commands For a list of related commands, see: CM Series High Availability (HA) Command Family on page 71 For more information about CM Series HA, see the CM Series High Availability Guide.
help
Description Displays information about using the online help for the CLI.
Syntax help
Parameters None
Example The following example shows the output of the help command.
hostname > help
You may request context-sensitive help at any time by pressing '?' on the command line. This will show a list of choices for the word you are on, or a list of top-level commands if you have not typed anything yet.
If <cr> is shown, that means that what you have entered so far is a complete command, and you may press Enter (carriage return) to execute it.
Try the following to get started:
  ?
  show ?
  show c?
  show clock?
  show clock ?
  show interfaces ? (from enable mode)
homenet ip
Description Configures the homenet IP for Snort custom rules. This command is available on the Web MPS.
Syntax homenet ip {any | IP_address/mask}
Parameters any Configures any available homenet IP address or mask for custom rules.
IP_address/mask Specifies the custom rule(s) homenet IP address or mask; the default is any.
Example The following example configures any available homenet IP address or mask for custom rules:
hostname (config)# homenet ip any
hostname
Description Sets the hostname of the FireEye appliance, which is displayed in the CLI prompt. Related commands: show hosts. Use the no form of this command to delete the hostname.
Syntax [no] hostname name
Parameters name Hostname of the FireEye appliance.
Example The following example specifies the hostname as FireEye-1.
hostname (config) # hostname FireEye-1
hx agent agent-log-exception enable
Enables and disables the HX Series exception policy for agent logging of specific host sets. This exception policy is disabled when you first install the HX Series software. If a host endpoint is not included in the host sets for this exception policy or if the exception policy is disabled, logging is performed for the agent with a minimum logging level of INFO. The host sets for this agent logging exception policy can only be specified using the Web UI.
Syntax [no] hx agent agent-log-exception enable
Parameters no Use the no form of this command to disable agent logging for specific host sets.
Example The following example enables agent logging for selected host sets.
hostname (config) # hx agent agent-log-exception enable
User Role Admin or fe_services
Command Mode Configuration
Release Information This command was introduced as follows:
- HX Series: Release 3.2 for version 22 and later FireEye Endpoint Agents
Related Commands
- show hx agent on page 1678
hx agent agent-log-exception level
Sets the minimum logging level performed for agent logging of the specified host sets in this HX Series exception policy. The default is INFO. If a host endpoint is not included in the host sets for this exception policy or if the exception policy is disabled, logging is performed for the agent with a minimum logging level of INFO. The host sets for this agent logging exception policy can only be specified using the Web UI.
Syntax [no] hx agent agent-log-exception level {EMERG|ALERT|CRIT|ERR|WARN|NOTICE|INFO|DEBUG}
Parameters no Use the no form of this command to reset this parameter setting to its default (INFO). When you use the no form, do not specify a logging level.
level {EMERG|ALERT|CRIT|ERR|WARN|NOTICE|INFO|DEBUG} Specify the minimum logging level. Valid options, in order of severity, are EMERG (highest severity), ALERT, CRIT, ERR, WARN, NOTICE, INFO, and DEBUG (lowest severity), corresponding to the types of events that can be written to the agent log. The default setting is INFO. After you set the minimum logging level, all log messages for that event type and any higher severity messages are logged. For example, if you specify the minimum agent logging level to be CRIT, only log messages for CRIT, ALERT, and EMERG are logged. The following table describes each logging level, in order by severity.

Logging Level | Event Type | Description
EMERG | Emergency | This is the highest severity logging level. Emergency messages identify total system failures that usually stop the agent from functioning.
ALERT | Alert | Alert messages identify crucial conditions that should be corrected immediately, such as a corrupted database.
CRIT | Critical | Critical messages identify serious conditions, such as hardware device errors.
ERR | Error | Error messages identify program errors, such as when a file cannot be found.
WARN | Warning | Warning messages identify non-critical, correctable errors, such as specifying a value that is too large.
NOTICE | Notice | Notification (notice) messages identify minor problems that do not inhibit regular agent functioning and for which defaults are used until the problem is resolved.
INFO | Information | This is the default logging level. Informational messages describe regular system processing events.
DEBUG | Debug | This is the lowest severity logging level and produces the highest volume of messages. Debug messages describe details of system processing and are normally used only for debugging a program.

Example The following example changes the agent logging level to NOTICE for selected host sets.
hostname (config) # hx agent agent-log-exception level NOTICE
User Role Admin or fe_services
Command Mode Configuration
Release Information This command was introduced as follows:
- HX Series: Release 3.2 for version 20 and later FireEye Endpoint Agents
Related Commands
- show hx agent on page 1678
hx agent aging enable
Enables or disables the ability of the HX appliance to delete endpoints when they exceed the agent inactive or orphan aging periods.
Syntax [no] hx agent aging enable
Parameters no Use the no form of this command to disable the ability to delete endpoints when they exceed the inactive or orphan aging settings.
enable Specify this parameter to enable the HX appliance to delete host endpoints when they exceed the agent inactivity or orphan aging periods.
Example The following example disables the ability to delete endpoints, regardless of whether they exceed the agent aging or orphan settings.
hostname (config) # no hx agent aging enable
User Role Admin or fe_services
Command Mode Configuration
Release Information This command was introduced as follows:
- HX Series: Release 2.6
Related Commands
- hx agent aging inactive-period
- hx agent aging new-orphan-period
- show hx agent aging
hx agent aging inactive-period
Sets the aging period for inactive agents after which they are eligible to be deleted from the HX appliance, depending on the setting of the hx agent aging enable command.
Syntax [no] hx agent aging inactive-period
Parameters no Use the no form of this command to reset the aging period for inactive agents to 7776000 seconds (90 days).
inactive period Specify the number of seconds after which inactive agents are deleted. Valid values range from 86400 seconds (1 day) through 31536000 seconds (one year). The default is 7776000 seconds (90 days).
Example The following example sets the aging period for inactive agents to 86400 seconds:
hostname (config) # hx agent aging inactive-period 86400
User Role Admin or fe_services
Command Mode Configuration
Release Information This command was introduced as follows:
- HX Series: Release 2.5
Related Commands
- hx agent aging enable
- hx agent aging new-orphan-period
- show hx agent aging
© 2016 FireEye
841
CLI Reference Guide
PART III: Commands
hx agent aging new-orphan-period

Sets the aging period for provisioned host endpoints that fail to respond to initial HX system information requests. These host endpoints are called orphaned agents. Hosts that fail to respond within this orphan period are eligible to be deleted from the HX appliance, depending on the setting of the hx agent aging enable command.

Syntax
[no] hx agent aging new-orphan-period

Parameters
no
  Use the no form of this command to reset the aging period for orphaned agents to 86400 seconds (1 day).
new-orphan-period
  Specify the number of seconds after which orphaned agents are deleted. Valid values range from 86400 seconds (1 day) through 31536000 seconds (365 days). The default is 86400 seconds (1 day).

Example
The following example sets the aging period for orphaned agents to 7776000 seconds (90 days):
hostname (config) # hx agent aging new-orphan-period 7776000

User Role: Admin or fe_services
Command Mode: Configuration

Release Information
This command was introduced as follows:
- HX Series: Release 2.5

Related Commands
- hx agent aging enable
- hx agent aging inactive-period
- show hx agent aging
hx agent concurrent-host-exception enable

Enables or disables the concurrent host limit exception for specific host sets in the HX appliance. By default, there is no limit to the number of hosts that can run HX tasks concurrently. The host sets to which the concurrent host limit applies can only be identified using the Web UI. This CLI command should only be used to update a setting that has already been established using the Web UI.

Syntax
[no] hx agent concurrent-host-exception enable

Parameters
no
  Use the no form of this command to disable the concurrent host limit exception for specific hosts. After specifying the no form of this command, there is no limit to the number of hosts that can run HX tasks concurrently.

Example
The following example enables the concurrent host limit exception for host sets identified in the Web UI:
hostname (config) # hx agent concurrent-host-exception enable

User Role: Admin or fe_services
Command Mode: Configuration

Release Information
This command was introduced as follows:
- HX Series: Release 3.0 for version 20 and later FireEye Endpoint Agents

Related Commands
- hx agent concurrent-host-exception limit
- show hx agent
hx agent concurrent-host-exception limit

Sets the number of hosts that can concurrently perform HX tasks. This limit applies only to specific host sets identified in the HX appliance. The limit is not honored unless the concurrent host exception has first been enabled; see hx agent concurrent-host-exception enable. The host sets to which the concurrent host limit applies can only be identified using the Web UI. This CLI command should only be used to update a setting that has already been established using the Web UI.

Syntax
[no] hx agent concurrent-host-exception limit

Parameters
no
  Use the no form of this command to reset the limit to its default.
limit
  Specify the maximum number of hosts that can concurrently run HX tasks. Valid values range from 1 through 10000. The default is 50.

Example
The following example sets the maximum number of hosts that can concurrently run HX tasks to 300:
hostname (config) # hx agent concurrent-host-exception limit 300

User Role: Admin or fe_services
Command Mode: Configuration

Release Information
This command was introduced as follows:
- HX Series: Release 3.0 for version 20 and later FireEye Endpoint Agents

Related Commands
- hx agent concurrent-host-exception enable
- show hx agent
hx agent config-poll

Sets the agent configuration file update frequency.

Syntax
[no] hx agent config-poll

Parameters
no
  Use the no form of this command to restore the default configuration file update frequency.
config-poll []
  Specify the number of seconds for the new configuration file update frequency. Valid values range from 60 seconds to 86400 seconds (one minute to one day). The default is 900 seconds (15 minutes). If you are using the no form of this command, you do not need to specify the number of seconds (although you do need to include the keyword config-poll), for example: no hx agent config-poll

Example
The following example sets the update frequency to 14400 seconds (4 hours):
hostname (config) # hx agent config-poll 14400

User Role: Admin or fe_services
Command Mode: Configuration

Release Information
This command was introduced as follows:
- HX Series: Release 3.1

Related Commands
- show hx agent
hx agent event-buf-size

Sets the maximum number of megabytes of event storage that can be used for agent processing. Event storage is also known as the ring buffer. This setting applies to all hosts. Exceptions to this setting can be specified using the hx agent resource-exception event-buf-size command.

Syntax
[no] hx agent event-buf-size

Parameters
no
  Use the no form of this command to reset the maximum event storage size to its default.
event-buf-size
  Specify the maximum number of megabytes of event storage that can be used for agent processing. Valid values range from 10 through 500 MB. The default is 120 MB.

Example
The following example sets the event storage buffer size to 300 MB:
hostname (config) # hx agent event-buf-size 300

User Role: Admin or fe_services
Command Mode: Configuration

Release Information
This command was introduced as follows:
- HX Series: Release 3.0 for version 20 and later FireEye Endpoint Agents

Related Commands
- hx agent resource-exception event-buf-size
- show hx agent
hx agent events enable

Enables or disables real-time indicator detection for all host endpoints. By default, real-time indicator detection is turned on for all hosts.

Syntax
[no] hx agent events enable

Parameters
no
  Use the no form of this command to disable real-time indicator detection for all host endpoints.

Example
The following example disables real-time indicator detection for all host endpoints:
hostname (config) # no hx agent events enable

User Role: Admin or fe_services
Command Mode: Configuration

Release Information
This command was introduced as follows:
- HX Series: Release 3.0 for version 20 and later FireEye Endpoint Agents

Related Commands
- show hx agent
hx agent events whitelist enable

Enables or disables the real-time indicator global policy that excludes specific files and folders from HX Series real-time indicator detection. This global policy allows you to define a list of folders and files to be excluded from real-time indicator detection. By default, this policy is disabled.

Syntax
[no] hx agent events whitelist enable

Parameters
no
  Use the no form of this command to disable this global policy.

Example
The following example enables the global policy that excludes specific files and folders from real-time indicator detection:
hostname (config) # hx agent events whitelist enable

User Role: Admin or fe_services
Command Mode: Configuration

Release Information
This command was introduced as follows:
- HX Series: Release 3.2 for version 22 and later FireEye Endpoint Agents

Related Commands
- hx agent events whitelist paths
- show hx agent on page 1678
hx agent events whitelist paths

Maintains the list of files and folders that should be globally excluded from HX Series real-time indicator detection. These files and folders are added to a global exclusion list governed by the global real-time indicator detection policy. By default, this policy is disabled.

Syntax
hx agent events whitelist paths
or
no hx agent events whitelist paths

Parameters
no
  Use the no form of this command to remove the entry with the specified index number from this global exclusion list. Use show hx agent on page 1678 to determine which index number corresponds to the file or folder you want to remove.
paths
  Specify an integer between 0 and 65535 to identify the entry in the global exclusion list that you want to remove.
paths
  Specify the folder or file name that should be added to this global exclusion list. Do not specify the fully qualified path of file names.

  For network shares, specify files and folders using universal (or uniform) naming conventions (UNC). See https://msdn.microsoft.com/en-us/library/gg465305.aspx. The HX Series appliance does no validation on the file and folder names you specify.

  Do not specify drive letters or path names; different endpoints may have different drive mappings. If you explicitly specify a folder name, the path you enter should end with a backslash (for example, \\fireeye.com\shared\).

  User-specific environment variables (those that include the user name in their expanded path), such as %APPDATA% or %USERPROFILE%, are not supported. You cannot specify which user the environment variable applies to, so it may expand to a value for a user other than the one logged onto the endpoint host.

  Be careful when specifying system environment variables. While they can be specified in folder paths, their expanded paths may vary based on the installed version of Windows. For complete information about Windows environment variables, refer to your Windows documentation (Microsoft TechNet).

Examples
The following example adds the folder C:\Program Files (x86)\Microsoft Office to the global exclusion list:
hostname (config) # hx agent events whitelist paths C:\Program Files (x86)\Microsoft Office

The following example removes entry number 5 from the global exclusion list:
hostname (config) # no hx agent events whitelist paths 5

User Role: Admin or fe_services
Command Mode: Configuration

Release Information
This command was introduced as follows:
- HX Series: Release 3.2 for version 22 and later FireEye Endpoint Agents

Related Commands
- hx agent events whitelist enable on page 848
- show hx agent on page 1678
hx agent fastpoll

Sets the agent fastpoll interval. After the fastpoll interval, the HX agent establishes a nonsecure connection to determine whether the HX Series software has any information or instructions in its queue. If any information is waiting, the agent establishes a poll session. If no information is waiting, the agent closes the connection.

Syntax
[no] hx agent fastpoll

Parameters
no
  Use the no form of this command to reset this parameter to its default. When you use the no form, do not specify seconds.
fastpoll
  Specify the number of seconds for the fastpoll interval. Valid values range from 20 through 86400 seconds (one day). The default is 60 seconds.

Example
The following example sets the agent fastpoll interval to two minutes (120 seconds):
hostname (config) # hx agent fastpoll 120

User Role: Admin or fe_services
Command Mode: Configuration

Release Information
This command was introduced as follows:
- HX Series: Release 2.5

Related Commands
- show hx agent
hx agent inactivity period

Sets the aging period for inactive agents, after which they are included in the count of inactive agents on the Web UI Dashboard.

Syntax
[no] hx agent inactivity period

Parameters
no
  Use the no form of this command to reset the inactivity period for agents to the default of 2592000 seconds (30 days).
inactivity period
  Specify the number of seconds after which an agent is listed as inactive. Valid values range from 86400 seconds (1 day) through 31536000 seconds (one year). The default is 2592000 seconds (30 days).

Example
The following example sets the agent inactivity period to 12 days (1036800 seconds):
hostname (config) # hx agent inactivity period 1036800

User Role: Admin or fe_services
Command Mode: Configuration

Release Information
This command was introduced as follows:
- HX Series: Release 2.6

Related Commands
- show hx agent inactivity
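The four timers documented under hx agent inactivity period, hx agent aging enable, hx agent aging inactive-period and hx agent aging new-orphan-period are easy to confuse, so here is an added Python model (not FireEye code) that shows, for a constructed set of agents, which would be counted as inactive on the dashboard and which would become eligible for deletion. The agents, the timestamps, and treating "after which" as an inclusive comparison are assumptions of this example.

```python
"""Model of the HX agent aging timers (added example, not FireEye code).

Maps the reference's commands onto one configuration object:
  hx agent inactivity period        -> inactivity_period  (dashboard count)
  hx agent aging enable             -> aging_enabled      (deletion switch)
  hx agent aging inactive-period    -> inactive_period    (deletion of silent agents)
  hx agent aging new-orphan-period  -> new_orphan_period  (deletion of orphans)
The agents and timestamps below are constructed; treating "after which" as an
inclusive comparison (>=) is an assumption.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

DAY = 86400
MIN_PERIOD, MAX_PERIOD = DAY, 365 * DAY   # every period accepts 86400..31536000 seconds


@dataclass
class AgingConfig:
    """Defaults are the ones the reference states for each command."""
    aging_enabled: bool                  # no default is stated, so it must be given
    inactivity_period: int = 30 * DAY    # 2592000 seconds
    inactive_period: int = 90 * DAY      # 7776000 seconds
    new_orphan_period: int = DAY         # 86400 seconds

    def __post_init__(self) -> None:
        # The CLI only accepts values in the documented range; mirror that here.
        for name in ("inactivity_period", "inactive_period", "new_orphan_period"):
            value = getattr(self, name)
            if not MIN_PERIOD <= value <= MAX_PERIOD:
                raise ValueError(f"{name}={value} is outside {MIN_PERIOD}..{MAX_PERIOD}")


@dataclass
class Agent:
    hostname: str
    provisioned_at: int           # epoch seconds when the host was provisioned
    last_seen: Optional[int]      # epoch seconds of the last poll; None = never answered


def classify(agent: Agent, cfg: AgingConfig, now: int) -> str:
    """Return the state the appliance would give this agent at time `now`."""
    if agent.last_seen is None:
        # Provisioned but never answered the initial system information request:
        # an orphaned agent, deletable only with aging enabled and the orphan
        # period elapsed.
        if cfg.aging_enabled and now - agent.provisioned_at >= cfg.new_orphan_period:
            return "orphan-delete-eligible"
        return "orphan"
    silent = now - agent.last_seen
    if cfg.aging_enabled and silent >= cfg.inactive_period:
        return "delete-eligible"
    if silent >= cfg.inactivity_period:
        return "inactive"          # counted as inactive on the Web UI dashboard
    return "active"


def summarize(agents: List[Agent], cfg: AgingConfig, now: int) -> Dict[str, int]:
    """Count agents per state, the figure to compare with the dashboard."""
    counts: Dict[str, int] = {}
    for agent in agents:
        state = classify(agent, cfg, now)
        counts[state] = counts.get(state, 0) + 1
    return counts


def config_warnings(cfg: AgingConfig) -> List[str]:
    """Flag a combination that the per-command range checks cannot catch."""
    notes = []
    if cfg.aging_enabled and cfg.inactive_period < cfg.inactivity_period:
        notes.append("aging inactive-period is shorter than the inactivity period: "
                     "a host can be deleted before the dashboard ever lists it as inactive")
    return notes


# Constructed sample: five agents observed at a fixed reference time.
NOW = 1_700_000_000
SAMPLE_AGENTS = [
    Agent("ws-001", NOW - 400 * DAY, NOW - 2 * DAY),     # polled recently
    Agent("ws-002", NOW - 400 * DAY, NOW - 45 * DAY),    # silent for 45 days
    Agent("ws-003", NOW - 400 * DAY, NOW - 120 * DAY),   # silent for 120 days
    Agent("ws-004", NOW - 6 * 3600, None),               # orphan for 6 hours
    Agent("ws-005", NOW - 3 * DAY, None),                # orphan for 3 days
]

if __name__ == "__main__":
    for enabled in (False, True):
        cfg = AgingConfig(aging_enabled=enabled)
        print(f"hx agent aging enable = {enabled}: {summarize(SAMPLE_AGENTS, cfg, NOW)}")
    print(config_warnings(AgingConfig(True, inactive_period=7 * DAY)))
```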
hx agent indicator

Sets the HX endpoint agent indicator refresh interval.

Syntax
[no] hx agent indicator

Parameters
no
  Use the no form of this command to reset the indicator refresh interval to the default setting.
indicator
  Specify the number of seconds after which indicators are refreshed on the agent. Valid values range from 60 seconds to 86400 seconds. The default is 1800 seconds (30 minutes).

Example
The following example sets the indicator refresh interval to 60 seconds:
hostname (config) # hx agent indicator 60

User Role: Admin or fe_services
Command Mode: Configuration

Release Information
This command was introduced as follows:
- HX Series: Release 2.5

Related Commands
- show hx agent
hx agent max-cpu

Sets the general maximum CPU percentage that can be used for agent processing. This setting applies to all hosts. Exceptions to this setting can be specified using the hx agent resource-exception max-cpu command.

Syntax
[no] hx agent max-cpu

Parameters
no
  Use the no form of this command to reset the maximum percentage of CPU used for agent processing to its default.
max-cpu
  Specify the maximum percentage of CPU that can be used for agent processing. Valid values are integers ranging from 10 through 100 (percent). The default is 100.

Example
The following example sets the maximum amount of CPU that can be used for agent processing to 50 percent:
hostname (config) # hx agent max-cpu 50

User Role: Admin or fe_services
Command Mode: Configuration

Release Information
This command was introduced as follows:
- HX Series: Release 3.0

Related Commands
- hx agent resource-exception max-cpu
- show hx agent
hx agent poll

Sets the interval at which an agent polls the HX appliance for tasks to perform.

Syntax
[no] hx agent poll

Parameters
no
  Use the no form of this command to reset the full poll interval to the default.
poll
  Specify the number of seconds after which an agent polls the HX appliance for tasks. Valid values range from 60 seconds to 86400 seconds (one day). The default is 600 seconds (10 minutes).

Example
The following example sets the agent polling interval to 60 seconds:
hostname (config) # hx agent poll 60

User Role: Admin or fe_services
Command Mode: Configuration

Release Information
This command was introduced as follows:
- HX Series: Release 2.5

Related Commands
- show hx agent
hx agent resource-exception enable

Enables or disables exceptions to agent resource use for specific host sets that are identified in the Web UI. General resource use settings for all hosts are set using the hx agent event-buf-size and hx agent max-cpu commands or using the Web UI. When you enable exceptions to these general settings using this command (or the Web UI), you can use the hx agent resource-exception event-buf-size and hx agent resource-exception max-cpu commands to change the resource exception values. The host sets to which the resource exceptions apply can only be identified using the Web UI. This CLI command should only be used when you want to update settings that have already been established using the Web UI.

Syntax
[no] hx agent resource-exception enable

Parameters
no
  Use the no form of this command to disable the resource exceptions for specific host sets. The general resource settings then apply to these host sets again.

Example
The following example enables resource exceptions for a specific list of host sets identified in the Web UI:
hostname (config) # hx agent resource-exception enable

User Role: Admin or fe_services
Command Mode: Configuration

Release Information
This command was introduced as follows:
- HX Series: Release 3.0 for version 20 and later FireEye Endpoint Agents

Related Commands
- hx agent event-buf-size
- hx agent max-cpu
- hx agent resource-exception event-buf-size
- hx agent resource-exception max-cpu
- show hx agent
hx agent resource-exception event-buf-size

Sets the maximum number of megabytes of event storage that can be used for agent processing for a set of host sets identified in the Web UI. Event storage is also known as the ring buffer. This setting is not honored unless the event storage size exception has first been enabled; see hx agent resource-exception enable. The host sets to which this resource exception applies can only be identified using the Web UI. This CLI command should only be used to update a setting that has already been established using the Web UI.

Syntax
[no] hx agent resource-exception event-buf-size

Parameters
no
  Use the no form of this command to reset the maximum event storage size used by the specified host sets to its default.
megabytes
  Specify the maximum number of megabytes of event storage that can be used for agent processing for the specified host sets. Valid values range from 10 through 500 MB. The default is 10 MB.

Example
The following example sets the event storage buffer size to 300 MB for the host sets included in the exception policy:
hostname (config) # hx agent resource-exception event-buf-size 300

User Role: Admin or fe_services
Command Mode: Configuration

Release Information
This command was introduced as follows:
- HX Series: Release 3.0 for version 20 and later FireEye Endpoint Agents

Related Commands
- hx agent resource-exception enable
- hx agent event-buf-size
- show hx agent
hx agent resource-exception max-cpu

Sets the maximum percentage of CPU resources that can be used for agent processing for a set of host sets identified in the Web UI. This setting is not honored unless resource exceptions have first been enabled; see hx agent resource-exception enable on page 856. The host sets to which this resource exception applies can only be identified using the Web UI. This CLI command should only be used to update a setting that has already been established using the Web UI.

Syntax
[no] hx agent resource-exception max-cpu

Parameters
no
  Use the no form of this command to reset the maximum CPU used by the specified host sets to the default.
max-cpu
  Specify the maximum percentage of CPU that can be used for agent processing for the specified host sets. Valid values are integers ranging from 10 through 100 (percent). The default is 50.

Example
The following example sets the maximum CPU to 50% for the host sets included in the exception policy:
hostname (config) # hx agent resource-exception max-cpu 50

User Role: Admin or fe_services
Command Mode: Configuration

Release Information
This command was introduced as follows:
- HX Series: Release 3.0 for version 20 and later FireEye Endpoint Agents

Related Commands
- hx agent resource-exception enable
- hx agent max-cpu
- show hx agent
hx agent server hostname

Adds or removes an HX appliance in the server address list and specifies its server order number. Optionally, you can specify a hostname for the server when you add it to the server address list.

Syntax
[no] hx agent server [hostname ]

Parameters
no
  Use the no form of this command to remove an appliance from the server address list.
server
  Specify the order number of the appliance in the server address list. The order number represents the position of the appliance in the server address list. It must be a number between 0 and 65535.
hostname
  Optionally, assign a name to the selected server. The hostname parameter cannot be specified in the no form of this command.

Examples
The following example adds the HX appliance with a hostname of myhost as server 2 in the server address list:
hostname (config) # hx agent server 2 hostname myhost

The following example removes the HX appliance identified as server 3 from the server address list:
hostname (config) # no hx agent server 3

User Role: Admin or fe_services
Command Mode: Configuration

Release Information
This command was introduced as follows:
- HX Series: Release 2.5

Related Commands
- show hx agent
hx agent server provisioning enable

Enables or disables an HX appliance's ability to provision FireEye Endpoint Agents. After you enable provisioning for the appliance using this command, use the hx agent server provisioning primary command to activate provisioning by the appliance. To enable an HXD (DMZ) appliance to provision FireEye Endpoint Agents, use the hx ecosystem dmz provisioning-enabled command.

Syntax
[no] hx agent server provisioning enable

Parameters
no
  Use the no form of this command to disable provisioning by this HX appliance.
server
  Specify the order number of the appliance in the server address list.

Examples
The following example enables the HX appliance identified as server 2 in the server address list to be a provisioning server for endpoint agents:
hostname (config) # hx agent server 2 provisioning enable

The following example prevents the HX appliance identified as server 3 in the server address list from being a provisioning server for endpoint agents:
hostname (config) # no hx agent server 3 provisioning enable

User Role: Admin or fe_services
Command Mode: Configuration

Release Information
This command was introduced as follows:
- HX Series: Release 2.5

Related Commands
- hx ecosystem dmz provisioning-enabled
- hx agent server provisioning primary
- show hx agent
hx agent server provisioning primary

Activates provisioning for an HX appliance. When provisioning has been activated for an appliance, it can provision FireEye endpoint agents. Only one HX appliance can be defined as the provisioning appliance for endpoint agents of versions less than 20. Newer agents (version 20 or later) can provision against multiple appliances.

Syntax
[no] hx agent server provisioning primary

Parameters
no
  Use the no form of this command to deactivate the appliance as a provisioning appliance.
server
  Specify the order number of the appliance in the server address list.

Examples
The following example activates provisioning by the HX appliance identified as server 2 in the server address list:
hostname (config) # hx agent server 2 provisioning primary

The following example deactivates provisioning by the HX appliance identified as server 3 in the server address list:
hostname (config) # no hx agent server 3 provisioning primary

User Role: Admin or fe_services
Command Mode: Configuration

Release Information
This command was introduced as follows:
- HX Series: Before Release 2.5

Related Commands
- hx agent server provisioning enable
- hx ecosystem dmz provisioning-enabled
- show hx agent
hx config agent exd exceptions whitelist enable

Enables or disables the Exploit Guard monitored application exception policy for host endpoints in specific host sets. This exception policy excludes specific monitored applications during Exploit Guard processing (detection and prevention) of the host endpoints in the host sets. By default, this exception policy is disabled. Monitored applications are applications that Exploit Guard monitors for exploits (such as Adobe Reader, Adobe Flash, Internet Explorer, Firefox, Google Chrome, Java, Microsoft Word, Microsoft Excel, and Microsoft PowerPoint). The host sets for this Exploit Guard exception policy can only be selected using the Web UI.

Syntax
[no] hx config agent exd exceptions whitelist enable

Parameters
no
  Use the no form of this command to disable this Exploit Guard exception policy.

Example
The following example enables the Exploit Guard monitored application exception policy for the host endpoints in the selected host sets:
hostname (config) # hx config agent exd exceptions whitelist enable

User Role: Admin or fe_services
Command Mode: Configuration

Release Information
This command was introduced as follows:
- HX Series: Release 3.1

Related Commands
- hx config agent exd exceptions whitelist paths
- show hx server exd on page 1691
hx config agent exd exceptions whitelist paths

Maintains the list of monitored applications in the exclusion list governed by the Exploit Guard monitored application exception policy. The monitored applications in this exclusion list are excluded during Exploit Guard processing of the host endpoints in selected host sets. Monitored applications are applications that Exploit Guard monitors for exploits (such as Adobe Reader, Adobe Flash, Internet Explorer, Firefox, Google Chrome, Java, Microsoft Word, Microsoft Excel, and Microsoft PowerPoint). The host sets for this Exploit Guard exception policy can only be specified using the Web UI.

Syntax
hx config agent exd exceptions whitelist paths
or
no hx config agent exd exceptions whitelist paths

Parameters
no
  Use the no form of this command to remove the entry with the specified index number from this exclusion list. Use show hx server exd on page 1691 to determine which index number corresponds to the application you want to remove.
paths
  Specify an integer between 0 and 65535 to identify the entry in the exclusion list that you want to remove. You can also remove items from the exclusion list using the Web UI Exploit Guard policy page.
paths
  Specify the file name of a monitored application that should be added to this Exploit Guard exclusion list. Do not specify the fully qualified path of file names. Applications that are monitored for exploits are Adobe Reader, Adobe Flash, Internet Explorer, Firefox, Google Chrome, Java, Microsoft Word, Microsoft Excel, and Microsoft PowerPoint.

Examples
The following example adds the file winword.exe to the exclusion list for the Exploit Guard monitored application exception policy:
hostname (config) # hx config agent exd exceptions whitelist paths winword.exe

The following example removes entry number 4 from the exclusion list for the Exploit Guard monitored application exception policy:
hostname (config) # no hx config agent exd exceptions whitelist paths 4

User Role: Admin or fe_services
Command Mode: Configuration

Release Information
This command was introduced as follows:
- HX Series: Release 3.1

Related Commands
- hx config agent exd exceptions whitelist enable on page 862
- show hx server exd on page 1691
hx config agent exd whitelist enable

Enables or disables the Exploit Guard monitored application global policy for all host endpoints in your enterprise. This global policy excludes specific monitored applications during Exploit Guard processing (detection and prevention) of the host endpoints. By default, this policy is disabled. Monitored applications are applications that Exploit Guard monitors for exploits (such as Adobe Reader, Adobe Flash, Internet Explorer, Firefox, Google Chrome, Java, Microsoft Word, Microsoft Excel, and Microsoft PowerPoint).

Syntax
[no] hx config agent exd whitelist enable

Parameters
no
  Use the no form of this command to disable this Exploit Guard global policy.

Example
The following example enables the Exploit Guard monitored application global policy for all host endpoints in your enterprise:
hostname (config) # hx config agent exd whitelist enable

User Role: Admin or fe_services
Command Mode: Configuration

Release Information
This command was introduced as follows:
- HX Series: Release 3.1

Related Commands
- hx config agent exd whitelist paths
- show hx server exd on page 1691
hx config agent exd whitelist paths

Maintains the list of monitored applications in the exclusion list governed by the Exploit Guard monitored application global policy. The monitored applications in this exclusion list are excluded during Exploit Guard processing of all host endpoints in your enterprise. Monitored applications are applications that Exploit Guard monitors for exploits (such as Adobe Reader, Adobe Flash, Internet Explorer, Firefox, Google Chrome, Java, Microsoft Word, Microsoft Excel, and Microsoft PowerPoint).

Syntax
hx config agent exd whitelist paths
or
no hx config agent exd whitelist paths

Parameters
no
  Use the no form of this command to remove the entry with the specified index number from this exclusion list. Use show hx server exd on page 1691 to determine which index number corresponds to the application you want to remove.
paths
  Specify an integer between 0 and 65535 to identify the entry in the global exclusion list that you want to remove. You can also remove items from the exclusion list using the Web UI Exploit Guard policy page.
paths
  Specify the file name of a monitored application that should be added to this Exploit Guard exclusion list. Do not specify the fully qualified path of file names.

Examples
The following example adds the file winword.exe to the exclusion list for the Exploit Guard monitored application global policy:
hostname (config) # hx config agent exd whitelist paths winword.exe

The following example removes entry number 4 from the exclusion list for the Exploit Guard monitored application global policy:
hostname (config) # no hx config agent exd whitelist paths 4

User Role: Admin or fe_services
Command Mode: Configuration

Release Information
This command was introduced as follows:
- HX Series: Release 3.1

Related Commands
- hx config agent exd whitelist enable on page 865
- show hx server exd on page 1691
hx ecosystem dmz attach

Attaches an HXD (DMZ) appliance to the HX appliance. Enter this command on the HX appliance.

Syntax
[no] hx ecosystem dmz attach [passphrase ]

Parameters
no
  Use the no form of this command to detach an HXD appliance from the HX appliance. If you are using the no form of this command, a passphrase is not necessary.
attach
  Specify the IP address or hostname of the HXD appliance.
passphrase
  Specify the passphrase for the HXD appliance. This passphrase was generated on the HXD appliance when you ran the hx ecosystem dmz attach-initiate command. If you are using the no form of this command, a passphrase is not necessary.

Example
The following example attaches the HXD appliance with the IP address 12.34.567.89 to the HX appliance. The passphrase for the HXD appliance in this example is password123:
hostname (config) # hx ecosystem dmz attach 12.34.567.89 passphrase password123

User Role: Admin or fe_services
Command Mode: Configuration

Release Information
This command was introduced as follows:
- HX Series: Release 2.5

Related Commands
- hx ecosystem dmz attach-initiate
- hx ecosystem dmz provisioning-enabled
- show hx ecosystem
hx ecosystem dmz attach-initiate

Generates a passphrase for use by the HX appliance when it attaches to the HXD (DMZ) appliance. Enter this command on the HXD appliance. The system displays a passphrase that you must use on the internal HX appliance before the expiration time shown.

Syntax
hx ecosystem dmz attach-initiate

Parameters
None

Example
The following example generates a passphrase for the HXD appliance:
hostname (config) # hx ecosystem dmz attach-initiate

User Role: Admin or fe_services
Command Mode: Configuration

Release Information
This command was introduced as follows:
- HX Series: Release 2.5

Related Commands
- hx ecosystem dmz attach
- hx ecosystem dmz provisioning-enabled
- show hx ecosystem
hx ecosystem dmz provisioning-enabled

Enables or disables provisioning of FireEye Endpoint Agents by an HXD (DMZ) appliance. After you enable provisioning for the HXD appliance using this command, use the hx agent server provisioning primary command to activate provisioning by the appliance. To enable an HX (non-DMZ) appliance to provision FireEye Endpoint Agents, use the hx agent server provisioning enable command.

Syntax
[no] hx ecosystem dmz provisioning-enabled

Parameters
no
    Use the no form of this command to disable provisioning by this HXD appliance.
dmz
    Specify the hostname or IP address of the HXD (DMZ) appliance.

Example
The following example enables the HXD appliance identified by IP address 12.34.567.89 to be a provisioning server for agents:
hostname (config) # hx ecosystem dmz 12.34.567.89 provisioning-enabled

User Role
Admin or fe_services

Command Mode
Configuration

Release Information
This command was introduced as follows:
    HX Series: Release 2.6

Related Commands
    hx ecosystem dmz attach
    hx ecosystem dmz attach-initiate
    show hx ecosystem
hx pki agent ca-days

Sets the duration of the FireEye Endpoint Agent PKI certificate authority (CA), in days.

Syntax
[no] hx pki agent ca-days []

Parameters
no
    Use the no form of this command to reset the duration of the agent CA to the default setting.
ca-days []
    Specify the number of days that the agent CA will remain active. The number must be between 0 and 65535. The default is 7300 days. If you are using the no form of this command, you do not need to specify the number of days (although you do need to include the keyword ca-days). For example, no hx pki agent ca-days.

Example
The following example sets the duration of the agent PKI CA to 23 days:
hostname (config) # hx pki agent ca-days 23

User Role
Admin or fe_services

Command Mode
Configuration mode

Release Information
This command was introduced as follows:
    HX Series: Before Release 2.5.5

Related Commands
    show hx pki
hx pki agent cert-bits

Sets the length of FireEye Endpoint Agent certificates, in bits.

Syntax
[no] hx pki agent cert-bits []

Parameters
no
    Use the no form of this command to reset the certificate bit size to the default of 2048 bits.
cert-bits []
    Specify the number of bits for HX agent PKI certificates. Valid values are 1024 through 4096. The default is 2048. If you are using the no form of this command, you do not need to specify the number of bits (although you do need to include the keyword cert-bits). For example, no hx pki agent cert-bits.

Example
The following example sets the certificate length to 1024 bits:
hostname (config) # hx pki agent cert-bits 1024

User Role
Admin or fe_services

Command Mode
Configuration mode

Release Information
This command was introduced as follows:
    HX Series: Release 2.5

Related Commands
    show hx pki
hx pki agent cert-days

Sets the duration of FireEye Endpoint Agent certificates, in days.

Syntax
[no] hx pki agent cert-days []

Parameters
no
    Use the no form of this command to reset the certificate duration to the default of 1825 days.
cert-days []
    Specify the number of days for which HX agent certificates are valid. Valid values are 0 through 65535. The default is 1825 (5 years). If you are using the no form of this command, you do not need to specify the number of days (although you do need to include the keyword cert-days). For example, no hx pki agent cert-days.

Example
The following example sets the agent certificate duration to 42 days:
hostname (config) # hx pki agent cert-days 42

User Role
Admin or fe_services

Command Mode
Configuration mode

Release Information
This command was introduced as follows:
    HX Series: Release 2.5

Related Commands
    show hx pki
hx pki export file

Backs up the FireEye Endpoint Agent certificates by exporting the PKI keys to a file. This is an essential step if you are going to reinstall, update, or reset an appliance. If you do not back up your agent certificates, you will be required to reinstall your agents after upgrading your appliance.

Syntax
hx pki export file [passphrase ]

Parameters
export file
    Specify the URL (for example, an scp:// URL) to which the certificate backup file is written.
passphrase
    Optionally, specify a passphrase for the certificate backup file.

Example
The following example backs up your agent certificates to a URL and assigns the passphrase "password123" to the backup file:
hostname (config) # hx pki export file scp://user@host:/path/to/file passphrase password123

User Role
Admin or fe_services

Command Mode
Configuration mode

Release Information
This command was introduced as follows:
    HX Series: Release 2.5

Related Commands
    hx pki import file
    show hx pki
hx pki import file

Restores the FireEye Endpoint Agent certificates from a backup file. This is an essential step after you have reinstalled, updated, or reset an appliance. If you do not retrieve these keys after you update, reinstall, or reset the appliance, you will be required to reinstall your agents.

Syntax
hx pki import file [passphrase ]

Parameters
import file
    Specify the URL of the backup file from which the HX agent certificates should be restored.
passphrase
    If a passphrase was used to create the backup file, specify it with this parameter.

Example
The following example imports the HX agent certificates from a URL and specifies the required passphrase:
hostname (config) # hx pki import file scp://user@host:/path/to/file passphrase password123

User Role
Admin or fe_services

Command Mode
Configuration mode

Release Information
This command was introduced as follows:
    HX Series: Release 2.5

Related Commands
    hx pki export file
    show hx pki
hx pki provisioning

Enables or disables the use of a provisioning certificate.

Syntax
[no] hx pki provisioning enabled

Parameters
no
    Use the no form of this command to disable the use of a provisioning certificate.

Example
The following example enables PKI provisioning:
hostname (config) # hx pki provisioning enabled

User Role
Administrator or fe_services

Command Mode
Configuration mode

Release Information
This command was introduced as follows:
    HX Series: Release 2.6

Related Commands
    show hx pki
hx pki regenerate

Resets the FireEye Endpoint Agent PKI information, including all certificate authorities. Using this command will orphan any existing agents connected to the PKI.

Syntax
hx pki regenerate

Parameters
None

Example
The following example resets the PKI information:
hostname (config) # hx pki regenerate

User Role
Administrator or fe_services

Command Mode
Configuration mode

Release Information
This command was introduced as follows:
    HX Series: Release 2.5

Related Commands
    hx pki regenerate crl
    show hx pki
hx pki regenerate crl

Resets the FireEye Endpoint Agent subordinate certificate revocation list (CRL).

Syntax
hx pki regenerate crl

Parameters
None

Example
The following example resets the agent subordinate CRL:
hostname (config) # hx pki regenerate crl

User Role
Administrator or fe_services

Command Mode
Configuration mode

Release Information
This command was introduced as follows:
    HX Series: Release 3.2.1

Related Commands
    hx pki regenerate
    show hx pki
hx pki regenerate subordinate

Resets the FireEye Endpoint Agent subordinate PKI information. Using this command will invalidate any existing agent tasks.

Syntax
hx pki regenerate subordinate

Parameters
None

Example
The following example resets the subordinate PKI information:
hostname (config) # hx pki regenerate subordinate

User Role
Administrator or fe_services

Command Mode
Configuration mode

Release Information
This command was introduced as follows:
    HX Series: Release 3.2.1

Related Commands
    hx pki regenerate
    hx pki regenerate crl
    show hx pki
hx pki server ca-days

Sets the duration of the HX appliance PKI certificate authority (CA), in days.

Syntax
[no] hx pki server ca-days []

Parameters
no
    Use the no form of this command to reset the duration of the appliance CA to the default of 7300 days.
ca-days []
    Specify the number of days that the appliance CA will remain active. Valid values are 0 through 65535 days. The default is 7300 days. If you are using the no form of this command, you do not need to specify the number of days (although you do need to include the keyword ca-days). For example, no hx pki server ca-days.

Example
The following example sets the duration of the appliance PKI CA to 42 days:
hostname (config) # hx pki server ca-days 42

User Role
Admin or fe_services

Command Mode
Configuration mode

Release Information
This command was introduced as follows:
    HX Series: Release 2.5

Related Commands
    show hx pki
hx pki server cert-bits

Sets the length of HX appliance certificates, in bits.

Syntax
[no] hx pki server cert-bits []

Parameters
no
    Use the no form of this command to reset the certificate length to the default size of 2048 bits.
cert-bits []
    Specify the number of bits for the HX appliance PKI certificates. Valid values are 1024 through 4096. The default is 2048. If you are using the no form of this command, you do not need to specify the number of bits (although you do need to include the keyword cert-bits). For example, no hx pki server cert-bits.

Example
The following example sets the certificate length to 1024 bits:
hostname (config) # hx pki server cert-bits 1024

User Role
Admin or fe_services

Command Mode
Configuration mode

Release Information
This command was introduced as follows:
    HX Series: Release 2.5

Related Commands
    show hx pki
hx pki server cert-days

Sets the duration of HX appliance certificates, in days.

Syntax
[no] hx pki server cert-days []

Parameters
no
    Use the no form of this command to reset the certificate duration to the default of 1825 days.
cert-days []
    Specify the number of days for which HX appliance certificates are valid. Valid values are 0 through 65535. The default is 1825 days. If you are using the no form of this command, you do not need to specify the number of days (although you do need to include the keyword cert-days). For example, no hx pki server cert-days.

Example
The following example sets the appliance certificate duration to 42 days:
hostname (config) # hx pki server cert-days 42

User Role
Admin or fe_services

Command Mode
Configuration mode

Release Information
This command was introduced as follows:
    HX Series: Release 2.5

Related Commands
    show hx pki
hx pki server crl-days

Sets the duration of the certificate revocation list (CRL), in days. When the duration is exceeded, the CRL expires.

Syntax
[no] hx pki server crl-days []

Parameters
no
    Use the no form of this command to reset the duration to the default.
crl-days []
    Specify the number of days after which the CRL expires. The value must be between 0 and 65535. The default is 30 days. If you are using the no form of this command, you do not need to specify the number of days (although you do need to include the keyword crl-days). For example, no hx pki server crl-days.

Example
The following example sets the CRL duration to 42 days:
hostname (config) # hx pki server crl-days 42

User Role
Admin or fe_services

Command Mode
Configuration mode

Release Information
This command was introduced as follows:
    HX Series: Release 2.5

Related Commands
    show hx pki
hx pki server crl-upload

Imports a certificate revocation list (CRL) from a URL.

Syntax
hx pki server crl-upload distro

Parameters
distro
    Specify the URL from which the CRL is retrieved.

Example
The following example retrieves a CRL from https://10.42.138.20:
hostname (config) # hx pki server crl-upload distro https://10.42.138.20

User Role
Admin or fe_services

Command Mode
Configuration mode

Release Information
This command was introduced as follows:
    HX Series: Release 2.6

Related Commands
    show hx pki
hx pki subject prefix

Sets the PKI certificate subject prefix.

Syntax
[no] hx pki subject-prefix

Parameters
no
    Use the no form of this command to reset the PKI certificate prefix to the default setting.
subject-prefix
    Assign a prefix for PKI certificates.

Example
The following example sets the certificate prefix to "example":
hostname (config) # hx pki subject-prefix example

User Role
Administrator or fe_services

Command Mode
Configuration mode

Release Information
This command was introduced as follows:
    HX Series: Release 2.5

Related Commands
    show hx pki
hx server acquisition aging completed-period

Sets the aging period for completed acquisitions. After this period has passed, a completed acquisition is deleted.

Syntax
[no] hx server acquisition aging completed-period

Parameters
no
    Use the no form of this command to reset the aging period to its default.
completed-period
    Specify the number of seconds for the aging period of completed acquisitions. Valid values range from 0 through 31536000 seconds (one year). Specifying 0 disables this aging period. The default is 0 seconds.

Example
The following example sets the aging period for completed acquisitions to one week (604800 seconds):
hostname (config) # hx server acquisition aging completed-period 604800

User Role
Admin or fe_services

Command Mode
Configuration

Release Information
This command was introduced as follows:
    HX Series: Release 3.0

Related Commands
    hx server acquisition aging disk-limit
    hx server acquisition aging enable
    hx server acquisition aging failed-period
    hx server acquisition aging pending-period
    show hx server general
hx server acquisition aging disk-limit

Sets the disk space limit for acquisitions. When the total disk size of completed acquisitions exceeds this limit, the HX Series appliance deletes the oldest completed acquisitions until it has cleared enough disk space to bring the total under the specified limit. Acquisitions that have not yet been completed are unaffected by this limit.

Syntax
[no] hx server acquisition aging disk-limit

Parameters
no
    Use the no form of this command to reset the disk limit to its default.
disk-limit
    Specify the number of megabytes of disk space that should be used to store acquisitions. Valid values range from 6144 MB through 4294967295 MB. The default is 30720 MB.

Example
The following example sets the disk space limit for acquisitions to 60000 MB:
hostname (config) # hx server acquisition aging disk-limit 60000

User Role
Admin or fe_services

Command Mode
Configuration

Release Information
This command was introduced as follows:
    HX Series: Release 3.0

Related Commands
    hx server acquisition aging completed-period
    hx server acquisition aging enable
    hx server acquisition aging failed-period
    hx server acquisition aging pending-period
    show hx server general
hx server acquisition aging enable

Enables or disables acquisition aging.

Syntax
[no] hx server acquisition aging enable

Parameters
no
    Use the no form of this command to disable acquisition aging.

Example
The following example disables acquisition aging:
hostname (config) # no hx server acquisition aging enable

User Role
Admin or fe_services

Command Mode
Configuration

Release Information
This command was introduced as follows:
    HX Series: Release 3.0

Related Commands
    hx server acquisition aging completed-period
    hx server acquisition aging disk-limit
    hx server acquisition aging failed-period
    hx server acquisition aging pending-period
    show hx server general
hx server acquisition aging failed-period

Sets the aging period for failed acquisitions. After this period has passed, a failed acquisition request is deleted.

Syntax
[no] hx server acquisition aging failed-period

Parameters
no
    Use the no form of this command to reset the aging period to its default.
failed-period
    Specify the number of seconds for the aging period of failed acquisition requests. Valid values range from 0 through 31536000 seconds (one year). Specifying 0 disables this aging period. The default is 0 seconds.

Example
The following example sets the aging period for failed acquisition requests to one week (604800 seconds):
hostname (config) # hx server acquisition aging failed-period 604800

User Role
Admin or fe_services

Command Mode
Configuration

Release Information
This command was introduced as follows:
    HX Series: Release 3.0

Related Commands
    hx server acquisition aging completed-period
    hx server acquisition aging disk-limit
    hx server acquisition aging enable
    hx server acquisition aging pending-period
    show hx server general
hx server acquisition aging pending-period

Sets the aging period for pending acquisitions. If a pending acquisition has not been processed within this period, it is deleted.

Syntax
[no] hx server acquisition aging pending-period

Parameters
no
    Use the no form of this command to reset the aging period to its default.
pending-period
    Specify the number of seconds for the aging period of pending acquisitions. Valid values range from 0 through 31536000 seconds (one year). The default is 1209600 seconds (14 days). Specifying 0 disables this aging period.

Example
The following example sets the aging period for pending acquisitions to one week (604800 seconds):
hostname (config) # hx server acquisition aging pending-period 604800

User Role
Admin or fe_services

Command Mode
Configuration

Release Information
This command was introduced as follows:
    HX Series: Release 3.0

Related Commands
    hx server acquisition aging completed-period
    hx server acquisition aging disk-limit
    hx server acquisition aging enable
    hx server acquisition aging failed-period
    show hx server general
hx server acquisition default-zip-passphrase

Sets the passphrase for unzipping acquired files.

Syntax
[no] hx server acquisition default-zip-passphrase

Parameters
no
    Use the no form of this command to reset the passphrase to the default (unzip-me).
default-zip-passphrase
    Specify a new passphrase for acquired files. The maximum number of characters is 8192. The default is unzip-me.

Example
The following example sets the passphrase for acquired files to "password123":
hostname (config) # hx server acquisition default-zip-passphrase password123

User Role
Admin or fe_services

Command Mode
Configuration mode

Release Information
This command was introduced as follows:
    HX Series: Release 2.5

Related Commands
    show hx server general
hx server acquisition enable

Enables or disables file and triage acquisitions by the HX Series appliance.

Syntax
[no] hx server acquisition enable

Parameters
no
    Use the no form of this command to disable file and triage acquisitions by the HX appliance.

Example
The following example enables file and triage acquisitions by the HX appliance:
hostname (config) # hx server acquisition enable

User Role
Administrator or fe_services

Command Mode
Configuration mode

Release Information
This command was introduced as follows:
    HX Series: Release 2.5

Related Commands
    show hx server general
hx server app-proc quiesce

Enables or disables quiesce mode for an HX appliance. Enabling quiesce mode causes the HX appliance to stop generating tasks while you update an operational HX environment.

Syntax
[no] hx server app-proc quiesce

Parameters
no
    Use the no form of this command to disable quiesce mode.

Example
The following example enables quiesce mode for the HX appliance:
hostname (config) # hx server app-proc quiesce

User Role
Admin or fe_services

Command Mode
Configuration mode

Release Information
This command was introduced as follows:
    HX Series: Release 2.5

Related Commands
    show hx app-proc
hx server containment blocked

Blocks access to the containment feature.

Syntax
[no] hx server containment blocked

Parameters
no
    Use the no form of this command to unblock the containment feature.

Example
The following example blocks access to the server containment feature:
hostname (config) # hx server containment blocked

User Role
Admin or fe_services

Command Mode
Configuration mode

Release Information
This command was introduced as follows:
    HX Series: Release 2.5

Related Commands
    show hx server containment
hx server containment enable

Enables or disables containment of endpoint hosts by the HX appliance.

Syntax
[no] hx server containment enable

Parameters
no
    Use the no form of this command to disable containment by the HX appliance.

Example
The following example enables containment by the HX appliance:
hostname (config) # hx server containment enable

User Role
Admin or fe_services

Command Mode
Configuration mode

Release Information
This command was introduced as follows:
    HX Series: Release 2.5

Related Commands
    show hx server containment
hx server containment notification custom

Sets a custom title or text for containment notifications.

Syntax
[no] hx server containment notification custom {title |text }

Parameters
no
    Use the no form of this command to reset the notification title and text to the default settings.
custom title
    Change the alert notification title. Enclose the title in quotation marks.
custom text
    Change the alert notification message. Enclose the message in quotation marks.

Example
The following example changes the containment title to "Containment Notice":
hostname (config) # hx server containment notification custom title "Containment Notice"

The following example changes the containment text to "This host has been contained":
hostname (config) # hx server containment notification custom text "This host has been contained"

User Role
Admin or fe_services

Command Mode
Configuration mode

Release Information
This command was introduced as follows:
    HX Series: Release 2.5

Related Commands
    show hx server containment notification
hx server containment notification enable

Enables or disables containment notifications for all host machines.

Syntax
[no] hx server containment notification enable

Parameters
no
    Use the no form of this command to disable containment notifications.

Example
The following example enables containment notifications:
hostname (config) # hx server containment notification enable

User Role
Admin or fe_services

Command Mode
Configuration mode

Release Information
This command was introduced as follows:
    HX Series: Release 2.5

Related Commands
    show hx server containment
hx server containment notification source

Identifies the source of the content used for containment notifications. The source can be either a URL or a custom source.

Syntax
hx server containment notification source {custom|url}

Parameters
source custom
    Set the source to a custom source.
source url
    Set the source to a URL source.

Example
The following example sets the source of containment notification content to a URL source:
hostname (config) # hx server containment notification source url

User Role
Admin or fe_services

Command Mode
Configuration mode

Release Information
This command was introduced as follows:
    HX Series: Release 2.5

Related Commands
    show hx server containment
hx server containment notification url

Specifies the server containment notification URL to which contained hosts will be redirected.

Syntax
[no] hx server containment notification url

Parameters
no
    Use the no form of this command to reset the containment notification URL to the default.
notification url
    Specify the URL of the Web page to which contained hosts will be redirected. The default is a blank URL.

Example
The following example sets the containment notification URL to https://12.34.567.89:
hostname (config) # hx server containment notification url https://12.34.567.89

User Role
Admin or fe_services

Command Mode
Configuration mode

Release Information
This command was introduced as follows:
    HX Series: Release 2.5

Related Commands
    show hx server containment notification
hx server containment task-timeout

Sets the period after which a containment task times out.

Syntax
[no] hx server containment task-timeout

Parameters
no
    Use the no form of this command to reset the timeout period to the default of 1209600 seconds (14 days).
task-timeout
    Specify the task timeout period in seconds. Valid values range from 0 to 31536000 seconds (1 year).

Example
The following example sets the server containment task timeout period to 86400 seconds (1 day):
hostname (config) # hx server containment task-timeout 86400

User Role
Admin or fe_services

Command Mode
Configuration mode

Release Information
This command was introduced as follows:
    HX Series: Release 2.5

Related Commands
    show hx server containment
hx server containment whitelist

Specifies the IP address or hostname of a host machine that cannot be contained. Use this command to maintain a whitelist of hosts that cannot be contained. Every time you enter this command, a single host is added to the whitelist or deleted from it (using the no option). You can review the list of hosts in the whitelist using the show hx server containment command.

Syntax
[no] hx server containment whitelist [description ]

Parameters
no
    Use the no form of this command to remove a host machine from the whitelist. Specify the IP address or hostname of the host you want removed.
whitelist
    Specify the IP address or hostname of a host machine that should be added to or removed from the whitelist.
description
    Optionally, specify text to identify the host in the whitelist. Enclose the host description in quotation marks.

Example
The following example adds the host with IP address 12.34.567.89 to the containment whitelist. The host is identified in the whitelist as "My special host":
hostname (config) # hx server containment whitelist 12.34.567.89 description "My special host"

User Role
Admin or fe_services

Command Mode
Configuration mode

Release Information
This command was introduced as follows:
    HX Series: Release 2.5

Related Commands
    show hx server containment
hx server detection aging alert fp-period

Sets the aging period for HX appliance false positive alerts.

Syntax
[no] hx server detection aging alert fp-period

Parameters
no
    Use the no form of this command to reset the aging period for false positive alerts to the default.
fp-period
    Specify the number of seconds for the aging period for false positive alerts. The default is 86400 seconds (1 day).

Example
The following example sets the false-positive alert aging period to 60 seconds:
hostname (config) # hx server detection aging alert fp-period 60

User Role
Admin or fe_services

Command Mode
Configuration mode

Release Information
This command was introduced as follows:
    HX Series: Release 2.5

Related Commands
    show hx server detection
hx server detection aging alert period

Sets the aging period for alerts identified by the HX appliance.

Syntax
[no] hx server detection aging alert period

Parameters
no
    Use the no form of this command to reset the aging period for alerts to the default.
period
    Specify the number of seconds for the aging period for alerts. Valid values range from 0 seconds through 31536000 seconds (one year). The default is 2592000 seconds (30 days).

Example
The following example sets the alert aging period to 3000 seconds (50 minutes):
hostname (config) # hx server detection aging alert period 3000

User Role
Admin or fe_services

Command Mode
Configuration mode

Release Information
This command was introduced as follows:
    HX Series: Release 2.5

Related Commands
    show hx server detection
hx server detection aging indicator generated enable

Enables or disables HX indicator aging. Old alerts and indicators may be of limited value to your organization, and they can reduce the performance of both your system and your analysts. By default, the HX Series software automatically ages (removes) alerts and indicators after specified periods of time. This command allows you to enable or disable this functionality.

Syntax
[no] hx server detection aging indicator generated enable

Parameters
no
    Use the no form of this command to disable indicator aging.

Example
The following example enables indicator aging:
hostname (config) # hx server detection aging indicator generated enable

User Role
Admin or fe_services

Command Mode
Configuration mode

Release Information
This command was introduced as follows:
    HX Series: Release 2.5

Related Commands
    hx server detection aging indicator generated period
    show hx server detection
hx server detection aging indicator generated period

Sets the HX indicator aging period. Old alerts and indicators may be of limited value to your organization, and they can reduce the performance of both your system and your analysts. By default, the HX Series software automatically ages (removes) alerts and indicators after specified periods of time. This command allows you to specify the aging period after which older alerts and indicators are removed.

Syntax
[no] hx server detection aging indicator generated period

Parameters
no
    Use the no form of this command to reset the indicator aging period to the default setting.
period
    Specify the number of seconds for the aging period for HX indicators. Valid values range from 60 seconds through 31536000 seconds (one year). The default is 1209600 seconds (14 days).

Example
The following example sets the indicator aging period to one day (86400 seconds):
hostname (config) # hx server detection aging indicator generated period 86400

User Role
Admin or fe_services

Command Mode
Configuration mode

Release Information
This command was introduced as follows:
    HX Series: Release 2.5

Related Commands
    hx server detection aging indicator generated enable
    show hx server detection
hx server detection inbound bookmark Sets or resets the polling bookmark that reflects the integration status of indicators from the CM Series appliance. This bookmark is usually managed by the CM Series appliance. You might need to reset the bookmark to replay old alerts or if a CM Series appliance was removed and added again. If you set the polling bookmark to zero (0), the CM Series appliance will communicate the correct bookmark to the HX appliance with the next alert. FireEye recommends that you use this command only under the advice of a FireEye Customer Support representative. Syntax [no] hx server detection inbound bookmark
Parameters no
Use the no form of this command to reset the polling bookmark to start with next received alert. bookmark
Specify an ID number for the current polling bookmark. Valid values range from 0 to 18446744073709551615. Example The following example sets the bookmark ID to 0: hostname (config) # hx server detection inbound bookmark 0
User Role Admin or fe_services Command Mode Configuration mode Release Information This command was introduced as follows: l
HX Series: Release 2.6
Related Commands l
906
show hx server detection
hx server detection inbound ignore-type
Identifies alert types that the HX appliance should ignore.

Syntax
[no] hx server detection inbound ignore-type

Parameters
no
  Use the no form of this command to stop ignoring alerts of the specified type.
ignore-type
  Specify the alert type that the HX appliance should ignore. Valid alert type values are malware-callback, domain-match, infection-match, web-infection, and malware-object.

Example
The following example ignores web-infection alerts:
hostname (config) # hx server detection inbound ignore-type web-infection

The following example stops ignoring web-infection alerts:
hostname (config) # no hx server detection inbound ignore-type web-infection

User Role: Admin or fe_services
Command Mode: Configuration mode
Release Information: This command was introduced as follows:
• HX Series: Release 2.6

Related Commands
• show hx server detection
hx server detection inbound min-threshold
Sets the minimum severity level threshold for inbound alerts to the HX appliance.

Syntax
[no] hx server detection inbound min-threshold

Parameters
no
  Use the no form of this command to reset the minimum threshold to the default setting.
min-threshold
  Specify the minimum threat level for inbound alerts. Valid threat levels are minr, majr, and crit. The default is majr.

Example
The following example sets the inbound alert threshold to crit:
hostname (config) # hx server detection inbound min-threshold crit

User Role: Admin or fe_services
Command Mode: Configuration mode
Release Information: This command was introduced as follows:
• HX Series: Release 2.6

Related Commands
• show hx server detection
hx server detection inbound poll-interval
Sets the amount of time between polls for inbound alerts to the HX appliance.

Syntax
[no] hx server detection inbound poll-interval

Parameters
no
  Use the no form of this command to reset the polling interval to the default.
poll-interval
  Specify the number of minutes for the inbound alert poll interval. The default is 5 minutes. To disable inbound alert polling, set the interval to 0 (zero) minutes.

Example
The following example sets the inbound alert poll interval to 10 minutes:
hostname (config) # hx server detection inbound poll-interval 10

User Role: Admin or fe_services
Command Mode: Configuration mode
Release Information: This command was introduced as follows:
• HX Series: Release 2.5

Related Commands
• show hx server detection
hx server detection intel matching enable
Enables or disables matching of intelligence loaded onto the HX appliance from FireEye's Dynamic Threat Intelligence (DTI) cloud. By default, intelligence matching is enabled.

Syntax
[no] hx server detection intel matching enable

Parameters
no
  Use the no form of this command to disable intelligence matching.

Example
The following example disables intelligence matching:
hostname (config) # no hx server detection intel matching enable

User Role: Admin or fe_services
Command Mode: Configuration mode
Release Information: This command was introduced as follows:
• HX Series: Release 2.6

Related Commands
• show hx server detection
hx server detection legacy enable
Enables or disables the generation of indicators from NX, EX, FX, and AX Series appliances for HX appliances. Use this command to control the integration between the HX appliance and these other appliances if you do not have a CM Series appliance installed.

Syntax
[no] hx server detection legacy enable

Parameters
no
  Use the no form of this command to disable the generation of indicators from NX, EX, FX, and AX Series appliances.

Example
The following example disables the generation of indicators from NX, EX, FX, and AX Series appliances:
hostname (config) # no hx server detection legacy enable

User Role: Admin or fe_services
Command Mode: Configuration mode
Release Information: This command was introduced as follows:
• HX Series: Release 2.5

Related Commands
• hx server detection legacy malicious-url enable
• hx server detection legacy noisy-indicator enable
• show hx server detection
hx server detection legacy malicious-url enable
Enables or disables the generation of HX appliance alerts from malicious URLs identified by the NX Series appliance. These malicious URLs can result in a high number of false positives in the HX appliance. By default, the generation of HX appliance alerts from malicious URLs is enabled.

Syntax
[no] hx server detection legacy malicious-url enable

Parameters
no
  Use the no form of this command to disable the generation of HX appliance alerts from malicious URLs.

Example
The following example disables the generation of HX appliance alerts from malicious URLs:
hostname (config) # no hx server detection legacy malicious-url enable

User Role: Admin or fe_services
Command Mode: Configuration mode
Release Information: This command was introduced as follows:
• HX Series: Release 2.5

Related Commands
• hx server detection legacy enable
• hx server detection legacy malicious-url enable
• show hx server detection
hx server detection legacy noisy-indicator enable
Enables or disables the generation of HX execution indicators from NX, EX, FX, and AX Series appliance alerts, which include alerts on malware callback traffic and host infections. These execution indicators are also referred to as noisy alert indicators. False positives can result when HX noisy alert indicators are enabled; they include commonly visited domains that are not malicious, false positive registry entries, and file MD5 indicators. Enable the generation of noisy alert indicators if you can manage the possibility of false positives. They are disabled by default.

Syntax
[no] hx server detection legacy noisy-indicator enable

Parameters
no
  Use the no form of this command to disable noisy alert indicators.

Example
The following example enables noisy alert indicators:
hostname (config) # hx server detection legacy noisy-indicator enable

User Role: Admin or fe_services
Command Mode: Configuration mode
Release Information: This command was introduced as follows:
• HX Series: Release 2.5

Related Commands
• hx server detection legacy enable
• hx server detection legacy malicious-url enable
• show hx server detection
hx server exd enable
Enables or disables Exploit Guard functions (exploit detection) on the HX Series appliance. Exploit Guard functions are enabled when you initially receive the HX software.

Syntax
[no] hx server exd enable

Parameters
no
  Use the no form of this command to disable Exploit Guard functions on the HX Series appliance.

Example
The following example enables Exploit Guard functions on the HX Series appliance:
hostname (config) # hx server exd enable

User Role: Admin or fe_services
Command Mode: Configuration
Release Information: This command was introduced as follows:
• HX Series: Release 3.1

Related Commands
• show hx server exd
hx server msm-link api domain-hash
Specifies the Mobile Threat Prevention (MTP) API access domain hash that should be used for integration between MTP and the HX appliance. To determine the value of your MTP API domain hash, see the MTP Analysis Cloud API Guide.

Syntax
[no] hx server msm-link api domain-hash

Parameters
no
  Use the no form of this command to reset the domain hash value obtained from MTP.
domain-hash
  Specify the hexadecimal string representing the domain hash that should be used for integration between MTP and the HX appliance.

Example
The following example resets the API access domain hash for MTP integration:
hostname (config) # no hx server msm-link api domain-hash

User Role: Admin or fe_services
Command Mode: Configuration mode
Release Information: This command was introduced as follows:
• HX Series: Release 2.5

Related Commands
• hx server msm-link api key on the next page
• hx server msm-link api secret on page 917
• hx server msm-link enable on page 918
• hx server msm-link hostname on page 919
• hx server msm-link prefix on page 920
• show hx server msm-link on page 1695
hx server msm-link api key
Specifies the Mobile Threat Prevention (MTP) API access key that should be used for integration between MTP and the HX appliance. To determine the value of your MTP API access key, see the MTP Analysis Cloud API Guide.

Syntax
[no] hx server msm-link api key

Parameters
no
  Use the no form of this command to reset the API access key obtained from MTP.
api key
  Specify the hexadecimal string representing the access key that should be used for integration between MTP and the HX appliance.

Example
The following example resets the API access key for MTP integration:
hostname (config) # no hx server msm-link api key

User Role: Admin or fe_services
Command Mode: Configuration mode
Release Information: This command was introduced as follows:
• HX Series: Release 2.5

Related Commands
• hx server msm-link api domain-hash on the previous page
• hx server msm-link api secret on the facing page
• hx server msm-link enable on page 918
• hx server msm-link hostname on page 919
• hx server msm-link prefix on page 920
• show hx server msm-link on page 1695
hx server msm-link api secret
Specifies the Mobile Threat Prevention (MTP) API access password (secret) that should be used for integration between MTP and the HX appliance. To determine the value of your MTP API access password, see the MTP Analysis Cloud API Guide.

Syntax
[no] hx server msm-link api secret

Parameters
no
  Use the no form of this command to reset the password (secret value) obtained from MTP.
api secret
  Specify the hexadecimal string representing the access password that should be used for integration between MTP and the HX appliance.

Example
The following example resets the API access password for MTP integration:
hostname (config) # no hx server msm-link api secret

User Role: Admin or fe_services
Command Mode: Configuration mode
Release Information: This command was introduced as follows:
• HX Series: Release 2.5

Related Commands
• hx server msm-link api domain-hash on page 915
• hx server msm-link api key on the previous page
• hx server msm-link enable on the next page
• hx server msm-link hostname on page 919
• hx server msm-link prefix on page 920
• show hx server msm-link on page 1695
hx server msm-link enable
Enables or disables communication between Mobile Threat Prevention (MTP) and the HX appliance. This command does not work unless the hostname, domain hash, API key, and API secret have been added first. See Related Commands.

Syntax
[no] hx server msm-link enable

Parameters
no
  Use the no form of this command to disable communication between MTP and the HX appliance.

Example
The following example enables communication between MTP and the HX appliance:
hostname (config) # hx server msm-link enable

User Role: Admin or fe_services
Command Mode: Configuration mode
Release Information: This command was introduced as follows:
• HX Series: Release 2.5

Related Commands
• hx server msm-link api domain-hash on page 915
• hx server msm-link api key on page 916
• hx server msm-link api secret on the previous page
• hx server msm-link hostname on the facing page
• hx server msm-link prefix on page 920
• show hx server msm-link on page 1695
hx server msm-link hostname
Specifies the Mobile Threat Prevention (MTP) hostname or IP address that should be used for integration between MTP and the HX appliance.

Syntax
[no] hx server msm-link hostname

Parameters
no
  Use the no form of this command to reset the hostname or IP address used for integration with MTP.
hostname
  Specify the hostname or IP address of the MTP server.

Example
The following example sets the IP address for MTP integration to 12.34.567.89:
hostname (config) # hx server msm-link hostname 12.34.567.89

User Role: Admin or fe_services
Command Mode: Configuration mode
Release Information: This command was introduced as follows:
• HX Series: Release 2.5

Related Commands
• hx server msm-link api domain-hash on page 915
• hx server msm-link api key on page 916
• hx server msm-link api secret on page 917
• hx server msm-link enable on the previous page
• hx server msm-link prefix on page 920
• show hx server msm-link on page 1695
hx server msm-link prefix
The HX appliance currently hard-codes the Mobile Threat Prevention (MTP) base URI in the API request header as /integration/1.0/devices/highrisk/count. If your installation requires a prefix in front of this hard-coded path, use this command.

Syntax
[no] hx server msm-link prefix

Parameters
no
  Use the no form of this command to reset the prefix to the default value (an empty string).
prefix
  Specify the prefix to the base URI required for your installation. Do not specify leading or trailing slashes; the HX software supplies them. The default is an empty string.

Example
The following example adds a prefix of demo to the base URI:
hostname (config) # hx server msm-link prefix demo

User Role: Admin or fe_services
Command Mode: Configuration mode
Release Information: This command was introduced as follows:
• HX Series: Release 3.0

Related Commands
• hx server msm-link api domain-hash on page 915
• hx server msm-link api key on page 916
• hx server msm-link api secret on page 917
• hx server msm-link enable on page 918
• hx server msm-link hostname on the previous page
• show hx server msm-link on page 1695
hx server script aging period
Controls how long bulk acquisition, Enterprise Search, custom acquisition, and live response scripts can remain inactive before they are removed from the HX appliance database. Do not run this command without the advice of a FireEye customer support representative.

Syntax
[no] hx server script aging period

Parameters
no
  Use the no form of this command to reset the script aging period to the default of 604800 seconds (1 week).
period
  Specify the number of seconds for the script aging period. Valid values range from 0 through 31536000 seconds (1 year). The default is 604800 seconds (1 week). Specifying 0 disables script aging.

Example
The following example sets the script aging period to 4 weeks (2419200 seconds):
hostname (config) # hx server script aging period 2419200

User Role: Admin or fe_services
Command Mode: Configuration mode
Release Information: This command was introduced as follows:
• HX Series: Release 2.5

Related Commands
• show hx server general
hx server search issues items-limit
Sets a limit on the number of unique issues reported for an Enterprise Search that relate to malformed or unexpected data encountered on host endpoints during the search. Such search issues are common, but they may mean that the host could not be fully searched for the item types in which the problems were encountered. The default is 10 unique issues. When this limit is reached, the HX appliance stops recording issues for the search, even though the Enterprise Search continues.

Syntax
[no] hx server search issues items-limit

Parameters
no
  Use the no form of this command to reset the Enterprise Search issue limit to the default of 10 unique issues.
items-limit
  Specify the number of unique search issues reported for an Enterprise Search. Valid values range from 0 through 100 issues. The default is 10 issues. Specifying 0 requests that search issues related to malformed or unexpected data on host endpoints not be reported for Enterprise Searches.

Example
The following example sets the limit to 50:
hostname (config) # hx server search issues items-limit 50

User Role: Admin or fe_services
Command Mode: Configuration mode
Release Information: This command was introduced as follows:
• HX Series: Release 3.2

Related Commands
• show hx server search on page 1697
hx server sysinfo dispatch-duration
Sets the dispatch duration period for system information requests. The HX appliance requests host information whenever it sends information to an agent; this is called a system information request. This command sets the window of time within which system information requests can be dispatched. It can be used to control when sysinfo requests run and may be useful in some situations where load balancing problems exist. Do not run this command without the advice of a FireEye customer support representative.

Syntax
[no] hx server sysinfo dispatch-duration

Parameters
no
  Use the no form of this command to disable control over the amount of time during which system information requests can be dispatched.
dispatch-duration

pup enable
... Riskware page or on the What's Happening panel of the Dashboard page in the Web UI. The riskware detection feature is disabled by default.

Syntax
[no] pup enable

Parameters
no
  Use the no form of this command to disable riskware detection.

Example
The following example enables riskware detection on the appliance:
hostname (config) # pup enable

User Role: Administrator and Operator
Command Mode: Configuration
Release Information: This command was introduced as follows:
• NX Series: Release 7.7
qserver enable
Enables the sending of HTTP POST notifications to the internal server on the NX Series appliance.

Syntax
[no] qserver enable

Parameters
no
  Use the no form of this command to stop sending these notifications.

Example
The following example enables the sending of these notifications:
hostname (config) # qserver enable

User Role: Admin
Command Mode: Configuration
Release Information: Command introduced before Release 6.4.0, deprecated in Release 7.2.0, and removed in Release 7.8.0.
radius-server
Specifies settings for Remote Authentication Dial In User Service (RADIUS) authentication. Use the no form of this command to remove configuration options.

Syntax
[no] radius-server host ipaddress
[no] radius-server host ipaddress auth-port portnum
[no] radius-server host ipaddress key string
[no] radius-server host ipaddress login-lat-group string
[no] radius-server host ipaddress prompt-key
[no] radius-server host ipaddress retransmit retries
[no] radius-server host ipaddress timeout seconds
[no] radius-server key string
[no] radius-server login-lat-group string
[no] radius-server retransmit retries
[no] radius-server timeout seconds

Parameters
host ipaddress
  Specifies the IP address of the RADIUS server.
auth-port portnum
  Specifies the RADIUS server port number for authentication requests.
key string
  Specifies the shared secret to use for communication between the appliance and the RADIUS server. This parameter can be set for a specific server or globally.
login-lat-group string
  Specifies the LOGIN_LAT_GROUP attribute, usually used only by shared resources such as a printer or disk, relative to a RADIUS server. This parameter can be set for a specific server or globally.
prompt-key
  Specifies that the user is prompted to enter the shared secret rather than entering it on the command line.
retransmit retries
  Specifies the number of attempts to contact the RADIUS server before the request fails. This parameter can be set for a specific server or globally.
timeout seconds
  Specifies the wait time in seconds before retransmitting a request that previously timed out. This parameter can be set for a specific server or globally.

Example
The following example sets the IP address of the RADIUS server and the timeout interval:
hostname (config) # radius-server host 192.168.1.1 timeout 5

Related Commands
• show radius
raid alarm enable
This command enables the RAID alarm.

Syntax
raid alarm enable

Parameters
None

Example
The following example enables the RAID alarm:
raid alarm enable
raid alarm silence
This command silences the active RAID alarm.

Syntax
raid alarm silence

Parameters
None

Example
The following example silences the active RAID alarm:
raid alarm silence
raid log clear
This command clears the RAID log.

Syntax
raid log clear

Parameters
None

Example
The following example clears the RAID log:
raid log clear
raid test consistency cancel
This command cancels the consistency check for all disks managed by this controller.

Syntax
raid test consistency cancel

Parameters
None

Example
The following example cancels the consistency check for all disks managed by this controller:
raid test consistency cancel
raid test consistency start
This command starts the consistency check for all disks managed by this controller.

Syntax
raid test consistency start

Parameters
None

Example
The following example starts the consistency check for all disks managed by this controller:
raid test consistency start
reload
Reboots or shuts down the FireEye appliance.

Syntax
reload [force | fsck | halt | noconfirm]

Parameters
force
  Forces an immediate reboot. By default, ongoing management operations are completed before the reboot begins.
fsck
  Reboots the system and forces a file system check at the next bootup.
halt [noconfirm]
  Shuts down the system.
noconfirm
  Skips the prompt to save unsaved changes.

Example
The following example shuts down the system:
hostname # reload halt
remote-correlation enable
This command enables or disables correlation between NX Series alerts and EX Series alerts. By default, when an NX Series appliance and an EX Series appliance are managed by the same CM Series appliance, alert correlation between the appliances is enabled.

Syntax
[no] remote-correlation enable

Parameters
no
  Use the no form of this command to disable correlation between NX Series alerts and EX Series alerts.

Example
The following example enables correlation between NX Series alerts and EX Series alerts:
hostname (config) # remote-correlation enable

The following example disables correlation between NX Series alerts and EX Series alerts:
hostname (config) # no remote-correlation enable

User Role: Administrator
Command Mode: Configuration
Release Information: This command was introduced as follows:
• CM Series: Release 7.9.2

Related Commands
For a list of related commands, see Remote Correlation Commands on page 119.
remote-correlation run-frequency
This command sets the interval between correlation attempts.

Syntax
remote-correlation run-frequency

Parameters
frequency
  The interval between correlation attempts, in minutes.
  • Range: 1 - 60 minutes
  • Default: 3 minutes

Example
The following example sets the correlation interval to 10 minutes:
hostname (config) # remote-correlation run-frequency 10

User Role: Administrator
Command Mode: Configuration
Release Information: This command was introduced as follows:
• CM Series: Release 7.9.2

Related Commands
For a list of related commands, see Remote Correlation Commands on page 119.
remote-correlation url-duration
This command sets the maximum time between when a URL is received and when it is tested for correlation.

Syntax
remote-correlation url-duration

Parameters
days
  The maximum time after a URL is received during which it can be tested for correlation.
  • Range: 1 - 60 days
  • Default: 3 days

Example
The following example sets the URL duration to 10 days:
hostname (config) # remote-correlation url-duration 10

User Role: Administrator
Command Mode: Configuration
Release Information: This command was introduced as follows:
• CM Series: Release 7.9.2

Related Commands
For a list of related commands, see Remote Correlation Commands on page 119.
report delete
Use this command to remove previously generated reports.

Syntax
report delete

Parameters
reportName
  Specifies the location of the report.

Example
The following example deletes the report from
hostname (config) # report delete /usr/

Related Commands
For a list of commands, see Report Generation Commands on page 121.
• report generate type alert_details (update) on page 1175
• report generate type callback_server on page 1184
• report generate type email_activity on page 1187
• report generate type email_av_report on page 1190
• report generate type email_executive_summary on page 1193
• report generate type email_hourly_stat on page 1196
• report generate type executive_summary on page 1199
• report generate type File_Executive_Summary on page 1202
• report generate type infected_hosts_trend on page 1205
• report generate type malware_activity on page 1208
• report generate type web_av_report on page 1211
• show report on page 1892

User Role: admin
Command Mode: configuration
Release Information:
• CM Series: 7.8.0
• EX Series: 7.8.0
• NX Series: 7.8.0
report email recipient
Adds an email address to, or removes it from, the report recipient list.

Syntax
[no] report email recipient

Parameters
no
  Use the no form of this command to remove the given email address from the recipient list.
emailAddress
  The email address to add to or remove from the recipient list.

Related Commands
For a list of commands, see Report Email Commands on page 120.

Example
The following command adds the email address [email protected] to the report distribution list:
hostname (config) # report email recipient [email protected]

The following command removes the email address [email protected] from the report distribution list:
hostname (config) # no report email recipient [email protected]

User Role: admin
Command Mode: configuration
Release Information:
• AX Series: Before Release 6.4
• CM Series: Before Release 6.4
• EX Series: Before Release 6.4
• FX Series: Before Release 6.4
• NX Series: Before Release 6.4
report email snmp domain
Sets the apparent email domain name. Use this command to specify an email domain different from the actual domain where the SNMP server resides. If no domain is specified with this command, the actual domain where the SNMP server resides appears in the email message.

Syntax
[no] report email snmp domain

Parameters
no
  Use the no form of this command to remove the domain name.
domainName
  The domain name or IP address to use as the sender domain name.

Related Commands
For a list of commands, see Report Email Commands on page 120.

Example
The following command uses the domain yourCompany.com as the SNMP domain:
hostname (config) # report email snmp domain yourCompany.com

The following command removes the domain yourCompany.com as the SNMP domain:
hostname (config) # no report email snmp domain yourCompany.com

User Role: admin
Command Mode: configuration
Release Information:
• AX Series: Before Release 6.4
• CM Series: Before Release 6.4
• EX Series: Before Release 6.4
• FX Series: Before Release 6.4
• NX Series: Before Release 6.4
report email snmp port
Specifies the port the SNMP server uses to send the reports.

Syntax
[no] report email snmp port

Parameters
no
  Use the no form of this command to remove the port.
port
  The port used to send email messages.

Related Commands
For a list of commands, see Report Email Commands on page 120.

Example
The following command uses port 443 as the SNMP port:
hostname (config) # report email snmp port 443

The following command removes port 443 as the SNMP port:
hostname (config) # no report email snmp port 443

User Role: admin
Command Mode: configuration
Release Information:
• AX Series: Before Release 6.4
• CM Series: Before Release 6.4
• EX Series: Before Release 6.4
• FX Series: Before Release 6.4
• NX Series: Before Release 6.4
1174
© 2016 FireEye
Release 7.9
report generate type alert_details (update)
report generate type alert_details (update) Use this command to generate an alert details report on EX Series, NX Series and CM Series appliances running version 7.8.0 or later. For all other appliances, use report generate type alert_details on page 1181.
Reports can be provided as files available on the appliance's Web UI. The reports can also be mailed to pre-specified email accounts. These email accounts are set up using the report email recipient command. You must configure an SMTP mail server before the reports can be emailed to the specified recipients. To configure the SMTP mail server, use the report email smtp server command.
Syntax report generate type alert_details report_format time_frame report_detail alert_type transport
© 2016 FireEye
1175
CLI Reference Guide
PART III: Commands
Parameters
1176
© 2016 FireEye
Release 7.9
report generate type alert_details (update)
format
© 2016 FireEye
1177
CLI Reference Guide
PART III: Commands
Specifies the report format. The following formats are available:
1178
l
csv - Comma Seperated Value (.csv) spreadsheet
l
json - JavaScript Object Notation
l
text
l
xml
© 2016 FireEye
Release 7.9
report generate type alert_details (update)
timeFrame Specifies the report's time frame. The following time frames are available: l
past_day
l
past_week
l
past_month
l
past_3_months
l
between start_date start_time end_date end_ time l
The start date in the format: YYYY/MM/DD
l
The start time (24 hour clock) in the format: HH/MM/SS
l
The end date in the format: YYYY/MM/DD
l
The end time (24 hour clock) in the format: HH/MM/SS
report_detail The level of detail provided in the report. The following levels are available: l
concise
l
normal
l
extended
alert_type The type of alerts to display in the report. For more information on the alert types, see the user guide. The following alert types are available: l
all
l
domain-match
l
infection-match
l
malware-callback
l
malware-object
l
web-infection
transport The method used to obtain the report. The following methods are available: l
l
email - The report will be emailed to the recipient(s) specified with the report email recipient command. file - The report will be added to the Reports tab on appliance's Web UI.
Example The following example generates a concise report of the previous day's malware-ojbect alerts as a .csv file provided as a file on the appliance's Web UI:
© 2016 FireEye
1179
CLI Reference Guide
PART III: Commands
hostname (config) # report generate type alert_details report_format csv time_frame past_day report_detail consise report_type malware-object transport file
Related Commands For a list of commands, see the Report Generation Commands on page 121
• report generate type alert_details (update) on page 1175
• report generate type callback_server on page 1184
• report generate type email_activity on page 1187
• report generate type email_av_report on page 1190
• report generate type email_executive_summary on page 1193
• report generate type email_hourly_stat on page 1196
• report generate type executive_summary on page 1199
• report generate type File_Executive_Summary on page 1202
• report generate type infected_hosts_trend on page 1205
• report generate type malware_activity on page 1208
• report generate type web_av_report on page 1211
• show report on page 1892
User Role admin
Command Mode configuration
Release Information CM Series: 7.8.0; EX Series: 7.8.0; NX Series: 7.8.0
report generate type alert_details
Use this command to generate an alert details report on appliances other than CM Series, EX Series and NX Series appliances running version 7.8.0 or later. For CM Series, EX Series and NX Series appliances running version 7.8.0 or later, use report generate type alert_details (update) on page 1175.
Reports can be provided as files available on the appliance's Web UI. The reports can also be mailed to pre-specified email accounts. These email accounts are set up using the report email recipient command. You must configure an SMTP mail server before the reports can be emailed to the specified recipients. To configure the SMTP mail server, use the report email smtp server command.
Syntax report generate type alert_details report_format report_detail alert_type time_frame transport
Parameters
report_format Specifies the report format. The following formats are available:
• csv - Comma-Separated Values (.csv) spreadsheet
• json - JavaScript Object Notation
• text
• xml
report_detail The level of detail provided in the report. The following levels are available:
• concise
• normal
• extended
alert_type The type of alerts to include in the report. For more information on the alert types, see the user guide. The following alert types are available:
• all
• domain-match
• infection-match
• malware-callback
• malware-object
• web-infection
time_frame Specifies the report's time frame. The following time frames are available:
• past_day
• past_week
• past_month
• past_3_months
• between start_date start_time end_date end_time, where:
  • start_date is the start date in the format YYYY/MM/DD
  • start_time is the start time (24-hour clock) in the format HH:MM:SS
  • end_date is the end date in the format YYYY/MM/DD
  • end_time is the end time (24-hour clock) in the format HH:MM:SS
transport The method used to obtain the report. The following methods are available:
• email - The report is emailed to the recipient(s) specified with the report email recipient command.
• file - The report is added to the Reports tab on the appliance's Web UI.
Example The following example generates a concise report of the previous day's malware-object alerts as a .csv file provided as a file on the appliance's Web UI:
hostname (config) # report generate type alert_details report_format csv report_detail concise alert_type malware-object time_frame past_day transport file
Related Commands For a list of commands, see the Report Generation Commands on page 121
• report generate type alert_details (update) on page 1175
• report generate type callback_server on page 1184
• report generate type email_activity on page 1187
• report generate type email_av_report on page 1190
• report generate type email_executive_summary on page 1193
• report generate type email_hourly_stat on page 1196
• report generate type executive_summary on page 1199
• report generate type File_Executive_Summary on page 1202
• report generate type infected_hosts_trend on page 1205
• report generate type malware_activity on page 1208
• report generate type web_av_report on page 1211
• show report on page 1892
User Role admin
Command Mode configuration
Release Information
• AX Series: before 6.4
• CM Series: before 6.4; updated command in version 7.8.0 (see report generate type alert_details (update) on page 1175)
• EX Series: before 6.4; updated command in version 7.8.0 (see report generate type alert_details (update) on page 1175)
• FX Series: before 6.4
• NX Series: before 6.4; updated command in version 7.8.0 (see report generate type alert_details (update) on page 1175)
report generate type callback_server
Use this command to generate a callback server report.
Reports can be provided as files available on the appliance's Web UI. The reports can also be mailed to pre-specified email accounts. These email accounts are set up using the report email recipient command. You must configure an SMTP mail server before the reports can be emailed to the specified recipients. To configure the SMTP mail server, use the report email smtp server command.
Syntax report generate type callback_server report_format time_frame transport
Parameters
report_format Specifies the report format. The following formats are available:
• csv - Comma-Separated Values (.csv) spreadsheet
time_frame Specifies the report's time frame. The following time frames are available:
• past_day
• past_week
• past_month
• past_3_months
• between start_date start_time end_date end_time, where:
  • start_date is the start date in the format YYYY/MM/DD
  • start_time is the start time (24-hour clock) in the format HH:MM:SS
  • end_date is the end date in the format YYYY/MM/DD
  • end_time is the end time (24-hour clock) in the format HH:MM:SS
transport The method used to obtain the report. The following methods are available:
• email - The report is emailed to the recipient(s) specified with the report email recipient command.
• file - The report is added to the Reports tab on the appliance's Web UI.
Example The following example generates a report of the previous day's callback servers as a .csv file provided as a file on the appliance's Web UI:
hostname (config) # report generate type callback_server report_format csv time_frame past_day transport file
Related Commands For a list of commands, see the Report Generation Commands on page 121
• report generate type alert_details (update) on page 1175
• report generate type callback_server on page 1184
• report generate type email_activity on page 1187
• report generate type email_av_report on page 1190
• report generate type email_executive_summary on page 1193
• report generate type email_hourly_stat on page 1196
• report generate type executive_summary on page 1199
• report generate type File_Executive_Summary on page 1202
• report generate type infected_hosts_trend on page 1205
• report generate type malware_activity on page 1208
• report generate type web_av_report on page 1211
• show report on page 1892
User Role admin
Command Mode configuration
Release Information CM Series: before 6.4; NX Series: before 6.4
report generate type email_activity
Use this command to generate an email activity report.
Reports can be provided as files available on the appliance's Web UI. The reports can also be mailed to pre-specified email accounts. These email accounts are set up using the report email recipient command. You must configure an SMTP mail server before the reports can be emailed to the specified recipients. To configure the SMTP mail server, use the report email smtp server command.
Syntax report generate type email_activity report_format time_frame transport
Parameters
report_format Specifies the report format. The following formats are available:
• csv - Comma-Separated Values (.csv) spreadsheet
time_frame Specifies the report's time frame. The following time frames are available:
• past_day
• past_week
• past_month
• past_3_months
• between start_date start_time end_date end_time, where:
  • start_date is the start date in the format YYYY/MM/DD
  • start_time is the start time (24-hour clock) in the format HH:MM:SS
  • end_date is the end date in the format YYYY/MM/DD
  • end_time is the end time (24-hour clock) in the format HH:MM:SS
transport The method used to obtain the report. The following methods are available:
• email - The report is emailed to the recipient(s) specified with the report email recipient command.
• file - The report is added to the Reports tab on the appliance's Web UI.
Example The following example generates a report of the previous day's email activity as a .csv file provided as a file on the appliance's Web UI:
hostname (config) # report generate type email_activity report_format csv time_frame past_day transport file
The following example generates a report of the previous week's email activity as a .csv file provided by email to the pre-designated recipients:
hostname (config) # report generate type email_activity report_format csv time_frame past_week transport email
The following example generates a report of the email activity between January 9, 2016 at 8:15 a.m. and March 16, 2016 at 6:30 p.m. as a .csv file provided by email to the pre-designated recipients:
hostname (config) # report generate type email_activity report_format csv time_frame between start_date 2016/01/09 start_time 08:15:00 end_date 2016/03/16 end_time 18:30:00 transport email
Related Commands For a list of commands, see the Report Generation Commands on page 121
• report generate type alert_details (update) on page 1175
• report generate type callback_server on page 1184
• report generate type email_activity on page 1187
• report generate type email_av_report on page 1190
• report generate type email_executive_summary on page 1193
• report generate type email_hourly_stat on page 1196
• report generate type executive_summary on page 1199
• report generate type File_Executive_Summary on page 1202
• report generate type infected_hosts_trend on page 1205
• report generate type malware_activity on page 1208
• report generate type web_av_report on page 1211
• show report on page 1892
User Role admin
Command Mode configuration
Release Information CM Series: 7.8; EX Series: 7.8
report generate type email_av_report
Use this command to generate an email anti-virus report.
Reports can be provided as files available on the appliance's Web UI. The reports can also be mailed to pre-specified email accounts. These email accounts are set up using the report email recipient command. You must configure an SMTP mail server before the reports can be emailed to the specified recipients. To configure the SMTP mail server, use the report email smtp server command.
Syntax report generate type email_av_report report_format time_frame transport
Parameters
report_format Specifies the report format. The following formats are available:
• csv - Comma-Separated Values (.csv) spreadsheet
time_frame Specifies the report's time frame. The following time frames are available:
• past_day
• past_week
• past_month
• past_3_months
• between start_date start_time end_date end_time, where:
  • start_date is the start date in the format YYYY/MM/DD
  • start_time is the start time (24-hour clock) in the format HH:MM:SS
  • end_date is the end date in the format YYYY/MM/DD
  • end_time is the end time (24-hour clock) in the format HH:MM:SS
transport The method used to obtain the report. The following methods are available:
• email - The report is emailed to the recipient(s) specified with the report email recipient command.
• file - The report is added to the Reports tab on the appliance's Web UI.
Example The following example generates a report of the previous day's anti-virus detections as a .csv file provided as a file on the appliance's Web UI:
hostname (config) # report generate type email_av_report report_format csv time_frame past_day transport file
The following example generates a report of the previous week's anti-virus detections as a .csv file provided by email to the pre-designated recipients:
hostname (config) # report generate type email_av_report report_format csv time_frame past_week transport email
The following example generates a report of the anti-virus detections between January 9, 2016 at 8:15 a.m. and March 16, 2016 at 6:30 p.m. as a .csv file provided by email to the pre-designated recipients:
hostname (config) # report generate type email_av_report report_format csv time_frame between start_date 2016/01/09 start_time 08:15:00 end_date 2016/03/16 end_time 18:30:00 transport email
Related Commands For a list of commands, see the Report Generation Commands on page 121
• report generate type alert_details (update) on page 1175
• report generate type callback_server on page 1184
• report generate type email_activity on page 1187
• report generate type email_av_report on page 1190
• report generate type email_executive_summary on page 1193
• report generate type email_hourly_stat on page 1196
• report generate type executive_summary on page 1199
• report generate type File_Executive_Summary on page 1202
• report generate type infected_hosts_trend on page 1205
• report generate type malware_activity on page 1208
• report generate type web_av_report on page 1211
• show report on page 1892
User Role admin
Command Mode configuration
Release Information CM Series: 7.8; EX Series: 7.8
report generate type email_executive_summary
Use this command to generate an email executive summary report.
Reports can be provided as files available on the appliance's Web UI. The reports can also be mailed to pre-specified email accounts. These email accounts are set up using the report email recipient command. You must configure an SMTP mail server before the reports can be emailed to the specified recipients. To configure the SMTP mail server, use the report email smtp server command.
Syntax report generate type email_executive_summary report_format time_frame transport
Parameters
report_format Specifies the report format. The following formats are available:
• pdf - Adobe PDF format
time_frame Specifies the report's time frame. The following time frames are available:
• past_week
• past_month
• past_3_months
• between start_date start_time end_date end_time, where:
  • start_date is the start date in the format YYYY/MM/DD
  • start_time is the start time (24-hour clock) in the format HH:MM:SS
  • end_date is the end date in the format YYYY/MM/DD
  • end_time is the end time (24-hour clock) in the format HH:MM:SS
transport The method used to obtain the report. The following methods are available:
• email - The report is emailed to the recipient(s) specified with the report email recipient command.
• file - The report is added to the Reports tab on the appliance's Web UI.
Example The following example generates an email executive summary report for the previous week as a .pdf file provided as a file on the appliance's Web UI:
hostname (config) # report generate type email_executive_summary report_format pdf time_frame past_week transport file
Related Commands For a list of commands, see the Report Generation Commands on page 121
• report generate type alert_details (update) on page 1175
• report generate type callback_server on page 1184
• report generate type email_activity on page 1187
• report generate type email_av_report on page 1190
• report generate type email_executive_summary on page 1193
• report generate type email_hourly_stat on page 1196
• report generate type executive_summary on page 1199
• report generate type File_Executive_Summary on page 1202
• report generate type infected_hosts_trend on page 1205
• report generate type malware_activity on page 1208
• report generate type web_av_report on page 1211
• show report on page 1892
User Role admin
Command Mode configuration
Release Information CM Series: 7.8; EX Series: 7.8
report generate type email_hourly_stat
Use this command to generate an email hourly statistics report.
Reports can be provided as files available on the appliance's Web UI. The reports can also be mailed to pre-specified email accounts. These email accounts are set up using the report email recipient command. You must configure an SMTP mail server before the reports can be emailed to the specified recipients. To configure the SMTP mail server, use the report email smtp server command.
Syntax report generate type email_hourly_stat report_format time_frame transport
Parameters
report_format Specifies the report format. The following formats are available:
• csv - Comma-Separated Values (.csv) spreadsheet
time_frame Specifies the report's time frame. The following time frames are available:
• 1_day_ago
• 2_days_ago
• 3_days_ago
• 4_days_ago
• 5_days_ago
• 6_days_ago
• 7_days_ago
transport The method used to obtain the report. The following methods are available:
• email - The report is emailed to the recipient(s) specified with the report email recipient command.
• file - The report is added to the Reports tab on the appliance's Web UI.
Example The following example generates an hourly email statistics report for the day two days ago as a .csv file provided as a file on the appliance's Web UI:
hostname (config) # report generate type email_hourly_stat report_format csv time_frame 2_days_ago transport file
Related Commands For a list of commands, see the Report Generation Commands on page 121
• report generate type alert_details (update) on page 1175
• report generate type callback_server on page 1184
• report generate type email_activity on page 1187
• report generate type email_av_report on page 1190
• report generate type email_executive_summary on page 1193
• report generate type email_hourly_stat on page 1196
• report generate type executive_summary on page 1199
• report generate type File_Executive_Summary on page 1202
• report generate type infected_hosts_trend on page 1205
• report generate type malware_activity on page 1208
• report generate type web_av_report on page 1211
• show report on page 1892
User Role admin
Command Mode configuration
Release Information CM Series: 7.8; EX Series: 7.8
report generate type executive_summary
Use this command to generate an NX Series executive summary report.
Reports can be provided as files available on the appliance's Web UI. The reports can also be mailed to pre-specified email accounts. These email accounts are set up using the report email recipient command. You must configure an SMTP mail server before the reports can be emailed to the specified recipients. To configure the SMTP mail server, use the report email smtp server command.
Syntax report generate type executive_summary report_format time_frame transport
Parameters
report_format Specifies the report format. The following formats are available:
• pdf - Adobe PDF format
time_frame Specifies the report's time frame. The following time frames are available:
• past_week
• past_month
• past_3_months
• between start_date start_time end_date end_time, where:
  • start_date is the start date in the format YYYY/MM/DD
  • start_time is the start time (24-hour clock) in the format HH:MM:SS
  • end_date is the end date in the format YYYY/MM/DD
  • end_time is the end time (24-hour clock) in the format HH:MM:SS
transport The method used to obtain the report. The following methods are available:
• email - The report is emailed to the recipient(s) specified with the report email recipient command.
• file - The report is added to the Reports tab on the appliance's Web UI.
Example The following example generates an executive summary report for the previous week as a .pdf file provided as a file on the appliance's Web UI:
hostname (config) # report generate type executive_summary report_format pdf time_frame past_week transport file
Related Commands For a list of commands, see the Report Generation Commands on page 121
• report generate type alert_details (update) on page 1175
• report generate type callback_server on page 1184
• report generate type email_activity on page 1187
• report generate type email_av_report on page 1190
• report generate type email_executive_summary on page 1193
• report generate type email_hourly_stat on page 1196
• report generate type executive_summary on page 1199
• report generate type File_Executive_Summary on page 1202
• report generate type infected_hosts_trend on page 1205
• report generate type malware_activity on page 1208
• report generate type web_av_report on page 1211
• show report on page 1892
User Role admin
Command Mode configuration
Release Information CM Series: 7.8; NX Series: 7.8
report generate type File_Executive_Summary
Use this command to generate a file executive summary report.
Reports can be provided as files available on the appliance's Web UI. The reports can also be mailed to pre-specified email accounts. These email accounts are set up using the report email recipient command. You must configure an SMTP mail server before the reports can be emailed to the specified recipients. To configure the SMTP mail server, use the report email smtp server command.
Syntax report generate type File_Executive_Summary report_format time_frame transport
Parameters
report_format Specifies the report format. The following formats are available:
• pdf - Adobe PDF format
time_frame Specifies the report's time frame. The following time frames are available:
• past_week
• past_month
• past_3_months
• between start_date start_time end_date end_time, where:
  • start_date is the start date in the format YYYY/MM/DD
  • start_time is the start time (24-hour clock) in the format HH:MM:SS
  • end_date is the end date in the format YYYY/MM/DD
  • end_time is the end time (24-hour clock) in the format HH:MM:SS
transport The method used to obtain the report. The following methods are available:
• email - The report is emailed to the recipient(s) specified with the report email recipient command.
• file - The report is added to the Reports tab on the appliance's Web UI.
Example The following example generates a file executive summary report for the previous week as a .pdf file provided as a file on the appliance's Web UI:
hostname (config) # report generate type File_Executive_Summary report_format pdf time_frame past_week transport file
Related Commands For a list of commands, see the Report Generation Commands on page 121
• report generate type alert_details (update) on page 1175
• report generate type callback_server on page 1184
• report generate type email_activity on page 1187
• report generate type email_av_report on page 1190
• report generate type email_executive_summary on page 1193
• report generate type email_hourly_stat on page 1196
• report generate type executive_summary on page 1199
• report generate type File_Executive_Summary on page 1202
• report generate type infected_hosts_trend on page 1205
• report generate type malware_activity on page 1208
• report generate type web_av_report on page 1211
• show report on page 1892
User Role admin
Command Mode configuration
Release Information CM Series: before 6.4; FX Series: before 6.4
report generate type infected_hosts_trend
Use this command to generate an Infected Hosts Trend report.
Reports can be provided as files available on the appliance's Web UI. The reports can also be mailed to pre-specified email accounts. These email accounts are set up using the report email recipient command. You must configure an SMTP mail server before the reports can be emailed to the specified recipients. To configure the SMTP mail server, use the report email smtp server command.
Syntax report generate type infected_hosts_trend report_format time_frame transport
Parameters
report_format Specifies the report format. The following formats are available:
• csv - Comma-Separated Values (.csv) spreadsheet
time_frame Specifies the report's time frame. The following time frames are available:
• past_week
• past_month
• past_3_months
• between start_date start_time end_date end_time, where:
  • start_date is the start date in the format YYYY/MM/DD
  • start_time is the start time (24-hour clock) in the format HH:MM:SS
  • end_date is the end date in the format YYYY/MM/DD
  • end_time is the end time (24-hour clock) in the format HH:MM:SS
transport The method used to obtain the report. The following methods are available:
• email - The report is emailed to the recipient(s) specified with the report email recipient command.
• file - The report is added to the Reports tab on the appliance's Web UI.
Example The following example generates an Infected Hosts Trend report for the previous week as a .csv file provided as a file on the appliance's Web UI:
hostname (config) # report generate type infected_hosts_trend report_format csv time_frame past_week transport file
Related Commands For a list of commands, see the Report Generation Commands on page 121
• report generate type alert_details (update) on page 1175
• report generate type callback_server on page 1184
• report generate type email_activity on page 1187
• report generate type email_av_report on page 1190
• report generate type email_executive_summary on page 1193
• report generate type email_hourly_stat on page 1196
• report generate type executive_summary on page 1199
• report generate type File_Executive_Summary on page 1202
• report generate type infected_hosts_trend on page 1205
• report generate type malware_activity on page 1208
• report generate type web_av_report on page 1211
• show report on page 1892
User Role admin
Command Mode configuration
Release Information CM Series: 7.8; NX Series: 7.8
report generate type malware_activity
Use this command to generate a Malware Activity report.
Reports can be provided as files available on the appliance's Web UI. The reports can also be mailed to pre-specified email accounts. These email accounts are set up using the report email recipient command. You must configure an SMTP mail server before the reports can be emailed to the specified recipients. To configure the SMTP mail server, use the report email smtp server command.
Syntax report generate type malware_activity report_format time_frame transport
Parameters
report_format Specifies the report format. The following formats are available:
• both - Both .csv and .pdf
• csv - Comma-Separated Values (.csv) spreadsheet
• pdf - Adobe PDF format
time_frame Specifies the report's time frame. The following time frames are available:
• past_day
• past_week
• past_month
• between start_date start_time end_date end_time, where:
  • start_date is the start date in the format YYYY/MM/DD
  • start_time is the start time (24-hour clock) in the format HH:MM:SS
  • end_date is the end date in the format YYYY/MM/DD
  • end_time is the end time (24-hour clock) in the format HH:MM:SS
transport The method used to obtain the report. The following methods are available:
• email - The report is emailed to the recipient(s) specified with the report email recipient command.
• file - The report is added to the Reports tab on the appliance's Web UI.
Example The following example generates a Malware Activity report for the previous week as a .csv file provided as a file on the appliance's Web UI:
hostname (config) # report generate type malware_activity report_format csv time_frame past_week transport file
Related Commands For a list of commands, see the Report Generation Commands on page 121
• report generate type alert_details (update) on page 1175
• report generate type callback_server on page 1184
• report generate type email_activity on page 1187
• report generate type email_av_report on page 1190
• report generate type email_executive_summary on page 1193
• report generate type email_hourly_stat on page 1196
• report generate type executive_summary on page 1199
• report generate type File_Executive_Summary on page 1202
• report generate type infected_hosts_trend on page 1205
• report generate type malware_activity on page 1208
• report generate type web_av_report on page 1211
• show report on page 1892
User Role admin
Command Mode configuration
Release Information CM Series: 7.8; NX Series: 7.8
report generate type web_av_report
Use this command to generate a Web anti-virus report.
Reports can be provided as files available on the appliance's Web UI. The reports can also be mailed to pre-specified email accounts. These email accounts are set up using the report email recipient command. You must configure an SMTP mail server before the reports can be emailed to the specified recipients. To configure the SMTP mail server, use the report email smtp server command.
Syntax report generate type web_av_report report_format time_frame transport
Parameters
report_format Specifies the report format. The following formats are available:
• csv - Comma-Separated Values (.csv) spreadsheet
time_frame Specifies the report's time frame. The following time frames are available:
• past_day
• past_week
• past_month
• past_3_months
• between start_date start_time end_date end_time, where:
  • start_date is the start date in the format YYYY/MM/DD
  • start_time is the start time (24-hour clock) in the format HH:MM:SS
  • end_date is the end date in the format YYYY/MM/DD
  • end_time is the end time (24-hour clock) in the format HH:MM:SS
transport The method used to obtain the report. The following methods are available:
• email - The report is emailed to the recipient(s) specified with the report email recipient command.
• file - The report is added to the Reports tab on the appliance's Web UI.
Example The following example generates a report of the previous day's anti-virus detections as a .csv file provided as a file on the appliance's Web UI:
hostname (config) # report generate type web_av_report report_format csv time_frame past_day transport file
The following example generates a report of the previous week's anti-virus detections as a .csv file provided by email to the pre-designated recipients:
hostname (config) # report generate type web_av_report report_format csv time_frame past_week transport email
The following example generates a report of the anti-virus detections between January 9, 2016 at 8:15 a.m. and March 16, 2016 at 6:30 p.m. as a .csv file provided by email to the pre-designated recipients:
hostname (config) # report generate type web_av_report report_format csv time_frame between start_date 2016/01/09 start_time 08:15:00 end_date 2016/03/16 end_time 18:30:00 transport email
Related Commands For a list of commands, see the Report Generation Commands on page 121
- report generate type alert_details (update) on page 1175
- report generate type callback_server on page 1184
- report generate type email_activity on page 1187
- report generate type email_av_report on page 1190
- report generate type email_executive_summary on page 1193
- report generate type email_hourly_stat on page 1196
- report generate type executive_summary on page 1199
- report generate type File_Executive_Summary on page 1202
- report generate type infected_hosts_trend on page 1205
- report generate type malware_activity on page 1208
- report generate type web_av_report on page 1211
- show report on page 1892
User Role admin
Command Mode configuration
Release Information CM Series: 7.8 EX Series: 7.8
report schedule Use this command to schedule reports to run at a specified interval at a specified time. Reports can be provided as files available on the appliance's Web UI. The reports can also be mailed to pre-specified email accounts. These email accounts are set up using the report email recipient command. You must configure an SMTP mail server before the reports can be emailed to the specified recipients. To configure the SMTP mail server, use the report email smtp server command.
Syntax report schedule run interval at time type report_type report_format format time_frame time_frame report_detail level alert_type alert_type transport transport
Parameters
interval
The interval at which the automated report is run:
- daily
- hourly
- monthly
- weekly
time
Specifies the start time (24 hour clock) at which the report is initiated, in the format HH:MM
report_type
The type of report to generate.
report_format
Specifies the report format.
time_frame
Specifies the time frame for the report to represent.
report_detail
The level of detail provided in the report (the example below uses concise).
alert_type
The alert type to include in the report (the example below uses all).
transport
The method used to obtain the report. The following methods are available:
- email – The report will be emailed to the recipient(s) specified with the report email recipient command.
- file – The report will be added to the Reports tab on the appliance's Web UI.
Example The following example schedules a concise report of the previous day's alert details to be generated daily at 20:00 as a .csv file provided as a file on the appliance's Web UI:
hostname (config) # report schedule run daily at 20:00 type alert_details report_format csv time_frame past_day report_detail concise alert_type all transport file
Related Commands For a list of commands, see the Report Generation Commands on page 121
- report generate type alert_details (update) on page 1175
- report generate type callback_server on page 1184
- report generate type email_activity on page 1187
- report generate type email_av_report on page 1190
- report generate type email_executive_summary on page 1193
- report generate type email_hourly_stat on page 1196
- report generate type executive_summary on page 1199
- report generate type File_Executive_Summary on page 1202
- report generate type infected_hosts_trend on page 1205
- report generate type malware_activity on page 1208
- report generate type web_av_report on page 1211
- show report on page 1892
User Role admin
Command Mode configuration
Release Information
- AX Series: before 6.4
- CM Series: before 6.4; updated command on version 7.8.0 (see report generate type alert_details (update) on page 1175)
- EX Series: before 6.4; updated command on version 7.8.0 (see report generate type alert_details (update) on page 1175)
- FX Series: before 6.4
- NX Series: before 6.4; updated command on version 7.8.0 (see report generate type alert_details (update) on page 1175)
reset factory Description Resets the appliance configuration to factory state, deleting all logs and data unless preserved with specified parameters. Reset is performed in two parts: 1. The configuration itself is reset to factory state. 2. The configuration files are reset. In some cases, a reboot following a "reset factory" operation may require a manual power up.
Syntax reset factory {halt | keep-all-config | keep-basic | keep-connect | only-config | reboot}
reset factory halt {keep-all-config [keep-connect] | keep-basic [keep-connect] | keep-connect {keep-all-config | keep-basic | only-config} | only-config [keep-connect]}
reset factory keep-all-config {halt [keep-connect] | keep-connect [halt]}
reset factory keep-basic {halt [keep-connect] | keep-connect [halt]}
reset factory keep-connect {halt {keep-all-config | keep-basic | only-config} | keep-all-config [halt] | keep-basic [halt] | only-config [halt]}
reset factory only-config {halt [keep-connect] | keep-connect [halt]}
Parameters
halt
Halts the system after the reset instead of rebooting.
keep-all-config
Preserves all configuration files (supersedes keep-basic). IMPORTANT! The reset factory keep-all-config command does not preserve uploaded YARA rules. Maintain a copy of your custom YARA rules files on your local system or in another storage area outside the AX Series, EX Series, FX Series, NX Series, and VX Series appliances.
keep-basic
Preserves licenses in the active configuration.
keep-connect
Preserves the configuration files necessary for connectivity (interfaces, routes, and ARP).
only-config
Resets only the configuration (part 1 above); the configuration files are not reset.
Example The following example resets the appliance to factory state while preserving all configuration files, and halts the system afterwards instead of rebooting it:
hostname (config) # reset factory keep-all-config halt
resolver cache flush Description Clears DNS resolver cache.
Syntax resolver cache flush
Parameters None
Example The following example clears the DNS resolver cache. hostname (config) # resolver cache flush
restore profile from name This command provides the ability to restore a backup to your appliance.
Syntax restore profile from name [include-network-config] [progress {notrack | track}]
Parameters
profile
The profile used to back up the appliance data. The following profiles are available:
- config – Restores the configuration database and appliance-specific data.
- fedb – Restores the FireEye appliance database. This profile is not available on CM Series platforms.
- config+fedb – Restores the configuration database, the FireEye appliance database, and appliance-specific data. This profile is not available on CM Series platforms.
- full – Restores the configuration database, the FireEye appliance database, and detected data (malware, alerts, reports, and so on). This profile is not available on CM Series platforms.
location
The location where the backup file was saved. The following locations are available:
- local – Restores the database from the local destination on your appliance.
- url – Restores the database from a remote location specified in the following format: {https | scp}://username[:password]@hostname/filepath
  where username and password are the remote server administrator credentials, hostname is the remote server IP address, and filepath is the full path of the backup file. If you do not specify the remote host administrator password in the restore profile command (where it would be visible as clear text on the command line), the CLI prompts for the password and obfuscates the keyboard input as you type it. Omitting it is the safer choice.
- usb – Restores the database from the USB drive location on your local machine.
Options The following options can be included with the restore command. These options can be included individually or combined in one command. For more information, see the examples below.
include-network-config
By default, network configuration settings are not included in the restoration. The network configuration settings are included when this option is included in the CLI command.
progress {notrack | track}
Allows you to override the default CLI configuration and display the progress of the restore operation:
- no-track – Disables progress tracking for the restore operation.
- track – Enables progress tracking for the restore operation. By default, progress tracking is enabled. You can cancel progress tracking by using Ctrl+C. The restore operation still happens in the background. Use the show restore status command to find the status of the restore operation.
Example This example performs a full restoration using the file wMPS-Full-7.7.0-20150808-001443.febkp located on the local system:
hostname (config) # restore profile full from local restore wMPS-Full-7.7.0-20150808-001443.febkp
This example restores the configuration (including network settings) from a file located on a remote server at the URL scp://admin:admin@remotehost/tmp:
hostname (config) # restore profile config from url scp://admin:admin@remotehost/tmp include-network-config restore wMPS-Config-7.7.0-20150808-001589.febkp
This example restores the system configuration database from a local backup file. During the restore, progress tracking is disabled.
hostname (config) # restore profile config from local backup wMPS-Full-7.7.0-20150808-001443.febkp progress no-track
Related Commands For a list of commands, see the Backup Command Family on page 62
User Role admin
Command Mode configuration
Release Information AX Series: Release 7.7 CM Series: Release 7.5 EX Series: Release 7.6 FX Series: Release 7.7 HX Series: Release 2.5 NX Series: Release 7.5
signer-whitelist disable Disables the specified signer in the local BA signer whitelist. The local BA signer whitelist specifies the low-trust code signers that are whitelisted on the appliance. FireEye distributes a list of high-trust code signers and a list of low-trust code signers through security content downloads to the appliance. High-trust and low-trust signers own signing certificates that FireEye has associated with benign software and scripts only. A signer is categorized as high trust or low trust based on the amount of signing certificate data observed. The local BA signer whitelist contains the FireEye-specified low-trust code signers at all times. The signer-whitelist mode command changes whether this appliance-specific list is used, not its contents. To disable a specified signer in the list, use the signer-whitelist disable command. To restore a specific signer to the list, use the signer-whitelist enable command.
Syntax signer-whitelist disable index
Parameters
index
The index number of the low-trust signer you want to disable in the local BA signer whitelist. To view the index numbers of signers in the local BA signer whitelist, use the show signer-whitelist command.
Options None
Examples The following example disables the low-trust signer with index number 52 in the local BA signer whitelist:
hostname (config) # signer-whitelist disable 52
User Role Admin, Analyst
Command Mode Configuration
Related Commands For related commands, see Local BA Signer Whitelist Command Family on page 104.
Release Information This command was introduced as follows:
- NX Series: Release 7.7
signer-whitelist enable Restores the specified signer to the local BA signer whitelist. The local BA signer whitelist specifies the low-trust code signers that are whitelisted on the appliance. FireEye distributes a list of high-trust code signers and a list of low-trust code signers through security content downloads to the appliance. High-trust and low-trust signers own signing certificates that FireEye has associated with benign software and scripts only. A signer is categorized as high trust or low trust based on the amount of signing certificate data observed. The local BA signer whitelist contains the FireEye-specified low-trust code signers at all times. The signer-whitelist mode command changes whether this appliance-specific list is used, not its contents. To disable a specified signer in the list, use the signer-whitelist disable command. To restore a specific signer to the list, use the signer-whitelist enable command.
Syntax signer-whitelist enable index
Parameters
index
The index number of the low-trust signer you want to restore to the local BA signer whitelist. To view the index numbers of disabled signers in the local BA signer whitelist, use the show signer-whitelist disabled command.
Options None
Examples The following example restores the low-trust signer with index number 52 to the local BA signer whitelist:
hostname (config) # signer-whitelist enable 52
User Role Admin, Analyst
Command Mode Configuration
Related Commands For related commands, see Local BA Signer Whitelist Command Family on page 104.
Release Information This command was introduced as follows:
- NX Series: Release 7.7
signer-whitelist mode Disables or enables the use of the local BA signer whitelist. The local BA signer whitelist specifies the low-trust code signers that are whitelisted on the appliance. FireEye distributes a list of high-trust code signers and a list of low-trust code signers through security content downloads to the appliance. High-trust and low-trust signers own signing certificates that FireEye has associated with benign software and scripts only. A signer is categorized as high trust or low trust based on the amount of signing certificate data observed. The local BA signer whitelist contains the FireEye-specified low-trust code signers at all times. The signer-whitelist mode command changes whether this appliance-specific list is used, not its contents. To disable a specified signer in the list, use the signer-whitelist disable command. To restore a specific signer to the list, use the signer-whitelist enable command.
Syntax signer-whitelist mode mode
Parameters
mode
Specifies whether the local BA signer whitelist is in effect:
- default – The local BA signer whitelist is not in effect. Only the high-trust signers are whitelisted.
- insecure – The local BA signer whitelist is in effect. It contains the low-trust signers that have not been disabled. As the name indicates, this widens the set of signed code the appliance treats as benign; review the list with show signer-whitelist and disable any signer you do not want trusted before selecting this mode.
Options None
Examples The following example changes the local BA signer whitelist mode to default. hostname (config) # signer-whitelist mode default
The following example changes the local BA signer whitelist mode to insecure. hostname (config) # signer-whitelist mode insecure
User Role Admin, Analyst
Command Mode Configuration
Related Commands For related commands, see Local BA Signer Whitelist Command Family on page 104.
Release Information This command was introduced as follows:
- NX Series: Release 7.7
slogin Logs in to a remote device using the Secure Shell (SSH) client on the FireEye appliance.
Syntax slogin [-1246AaCgkNnqsTtVvXxY] [-b bind_address] [-c cipher_spec] [-D port] [-e escape_char] [-i identity_file] [-L port:host:hostport] [-l login_name] [-m mac_spec] [-p port] [-R port:host:hostport] [user@hostname] [command]
Parameters
-1
Uses SSH protocol version 1 only. Protocol version 1 is obsolete and cryptographically weak; use it only for a peer that cannot do otherwise.
-2
Uses SSH protocol version 2 only.
-4
Uses IPv4 addresses only.
-6
Uses IPv6 addresses only.
-a
Disables forwarding of the authentication agent connection.
-A
Enables forwarding of the authentication agent connection. While the session is open, anyone with root on the remote host can use the keys held by your agent, so enable this only toward hosts you trust.
-b bind_address
Source address of the connection. Used on systems with more than one address.
-c cipher_spec
Cipher specification for encrypting the session.
-C
Requests compression of all data.
-D port
Used for application-level port forwarding.
-e escape_char
Sets the escape character for sessions with a pseudo terminal. The default character is ~.
-g
Allows remote hosts to connect to local forwarded ports.
-i identity_file
File that contains the identity (private key) for RSA or DSA authentication. The default is ~/.ssh/identity for SSH version 1, and ~/.ssh/id_rsa and ~/.ssh/id_dsa for SSH version 2.
-k
Disables forwarding of GSSAPI credentials to the server.
-l login_name
Login username on the remote machine.
-L port:host:hostport
Port on the local (client) host from which to forward traffic to a host and port on the remote side. For security, only port numbers 31000 through 31999 can be specified for the port parameter.
-m mac_spec
A comma-separated list of MAC (message authentication code) algorithms, in order of preference.
-n
Prevents reading from standard input (required when SSH is run in the background).
-N
Do not execute a remote command.
-p port
Port to connect to on the remote host.
-q
Suppresses warning and diagnostic messages.
-R port:host:hostport
Port on the remote (server) host from which to forward traffic to a host and port on the local side. For security, only ports 22 and 443 can be specified for the hostport parameter.
-s
(SSHv2 only) Requests invocation of a subsystem on the remote system. The subsystem is specified by the remote command.
-t
Forces pseudo-tty allocation. Used to execute screen-based programs on a remote system.
-T
Disables pseudo-tty allocation.
-v
Displays debugging messages. Multiple (up to three) -v options increase the verbosity.
-V
Displays the version number and then exits.
-x
Disables X11 forwarding.
-X
Enables X11 forwarding.
-Y
Enables trusted X11 forwarding.
user@hostname
Hostname or IP address of the remote device that you want to log into using SSH, optionally preceded by the username and the @ symbol.
Examples The following example uses SSH to log in to a remote device as user "admin."
hostname > slogin [email protected]
The following example specifies that connections to port 1234 on the remote side should be forwarded to local port 22 (one of the two hostport values the appliance permits):
hostname > slogin -R 1234:localhost:22
User Role Admin or Operator
Command Mode Standard
Release Information
- AX Series: Before release 6.4
- CM Series: Before release 6.4
- EX Series: Before release 6.4
- FX Series: Before release 6.4
- HX Series: Release 2.5
- NX Series: Before release 6.4
snmp-server To enable support for both remote access by Simple Network Management Protocol (SNMP) servers and the generation of SNMP traps for health and security events, use the snmp-server command in configuration mode. SNMP support and trap generation are enabled by default. You can also specify the community string that an SNMP server needs to query the FireEye appliance, and the system contact and location information stored in MIB-II. Optionally, SNMP access can be limited to specific interfaces. Related commands: snmp-server host and snmp-server user
Syntax [no] snmp-server community community_string [ro]
[no] snmp-server contact contact
[no] snmp-server enable {communities | mult-communities | notify}
[no] snmp-server host ip-address {disable | traps {community_string | port port_id [community_string] | version vers [community_string]}}
[no] snmp-server listen {enable | interface interface_name}
[no] snmp-server location location
[no] snmp-server port port_id
[no] snmp-server user username v3 {enable | [encrypted | prompt] {auth md5 | sha} password [priv des [password] | priv aes-128 [password]]}
snmp-server notify event event
User Role Administrator or Operator
Release Information Command introduced before Release 7.6.0.
Parameters
no
Use the no form of this command to clear the configuration.
community community_string [ro]
Community string (read-only if ro is specified) needed by a remote SNMP server to query the FireEye appliance. The default is "public", a widely known value; set a community string of your own, and prefer SNMPv3 users (snmp-server user) where authenticated, encrypted access is needed, since v1/v2c community strings travel in clear text.
contact contact
Contact information stored in the MIB-II sysContact field. Must be enclosed in quotation marks if the text includes spaces.
enable {communities | mult-communities | notify}
Enables SNMP communities or multiple communities, or enables the sending of SNMP notifications (traps and informs) from this system.
host ip-address {disable | traps {community_string | port port_id [community_string] | version vers [community_string]}}
Configures hosts to receive, or disables, IPv4- or IPv6-based SNMP traps. See snmp-server host.
listen {enable | interface interface_name}
Limits SNMP access to a specified list of "listen" interfaces (disabled by default). The interface name option specifies one or more interfaces (such as "ether1") that can be used for SNMP access (one interface per command).
location location
Description of the physical location of the FireEye appliance stored in the MIB-II sysLocation field. Must be enclosed in quotation marks if the text includes spaces.
port port_id
Default port to which traps are sent.
user username v3 {enable | [encrypted | prompt] {auth md5 | sha} password [priv des [password] | priv aes-128 [password]]}
Configures SNMP v3 user access on a per-user basis. See snmp-server user.
notify event event
Specifies which events will be sent as SNMP notifications.
Example The following example specifies that the “private” community string is required for remote access. hostname (config) # snmp-server community private
The following example specifies the system location. hostname (config) # snmp-server location "Bldg. 1"
snmp-server host Description Enables the sending of Simple Network Management Protocol (SNMP) traps to a specified IPv4 or IPv6 address. You can specify any number of trap “sinks” (one per command). This command enables system notifications. Use the fenotify snmp command to enable alert notifications. Related commands: fenotify snmp and show snmp. Use the no form of this command to disable the sending of SNMP traps.
Syntax [no] snmp-server host ip_address disable
[no] snmp-server host ip_address traps {community_string | port port [community_string] | version version_number [community_string]}
Parameters
ip_address
IP address where SNMP traps are sent.
disable
Disables the sending of SNMP traps to the specified address.
community_string
Community string needed to send traps to the specified address (default is "public").
traps
Enables the sending of SNMP traps to the specified address.
port port
Overrides the default target port to which traps are sent.
version version_number
SNMP version of the generated traps (1, 2c, or 3). Versions 1 and 2c send the community string in clear text with every trap; only version 3 can authenticate and encrypt them.
Example The following example enables SNMP version 1 traps to be sent to the specified address using the “private” community string. hostname (config) # snmp-server host 10.0.0.2 traps version 1 private
ssh server listen enable Use this command to enable listen interface constraints for SSH connections (described in ssh server listen interface on page 1250).
Syntax [no] ssh server listen enable
Parameters no
Use the no form of this command to disable listen interface constraints.
Examples The following example enables listen interface constraints for SSH connections:
hostname (config) # ssh server listen enable
The following example disables listen interface constraints for SSH connections:
hostname (config) # no ssh server listen enable
User Role Operator and Administrator
Command Mode Configuration
Release Information This command was introduced as follows:
- AX Series: Release 7.7.5
- CM Series: Release 7.9.1
- EX Series: Release 7.8
- FX Series: Release 7.7.5
- NX Series: Release 7.9.1
ssh server listen interface Use this command to add an interface to the listen interface list so it can accept SSH connections for remote access to the CLI. The listen interface list is used when listen interface constraints are enabled on the appliance. Listen interface constraints are enabled by default. Use the command show ssh server on page 1910 to verify whether they are enabled, and use the command ssh server listen enable on page 1249 to enable them.
The management interface is used for remote access to the Web UI and CLI, and for other management traffic (such as NTP, SNMP, and syslog). The default management interface is ether1. You can define a different interface (such as ether2) for remote access to the Web UI and CLI. When listen interface constraints are enabled on the appliance, only interfaces that meet all of the following criteria can accept HTTP/HTTPS requests (for Web UI access) and SSH connections (for CLI access):
- The interface is in the listen interface list. By default, only ether1 is in this list.
- The interface exists and is running.
- DHCP and zeroconf are disabled on the interface (for IPv4), or IPv6 is enabled on both the interface and the system (for IPv6).
- The interface has an IPv4 or IPv6 address:
  - IPv4: At least one static nonzero IPv4 address is available to be assigned to the interface.
  - IPv6: A static IPv6 address is available to assign to the interface, or the address can be obtained dynamically through Stateless Address Autoconfiguration (SLAAC) or DHCP6.
To prevent remote users from being locked out, the constraints are enforced only while at least one interface meets the criteria. If no interface meets them, listen interface constraints are not enforced, and all viable interfaces are open and can accept HTTP/HTTPS requests and SSH connections. Note that this fails open rather than closed: a listen list that names only an interface that is down, on DHCP, or without an address silently exposes management access on every other interface, so verify the result with show ssh server after changing the list. For more information, see your System Administration Guide or Administration Guide.
Syntax [no] ssh server listen interface interface
Parameters
no
Use the no form of this command to remove the interface from the listen interface list.
interface
The interface to add to or remove from the listen interface list.
Examples The following example adds ether2 to the listen interface list:
hostname (config) # ssh server listen interface ether2
The following example removes ether1 from the listen interface list:
hostname (config) # no ssh server listen interface ether1
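The criteria above and the fail-open rule are easy to misjudge from prose alone, and the case that bites in practice is the last one: a listen list that names only an interface that cannot qualify (down, on DHCP, or without an address) quietly re-opens every interface. The following Python is an added example, not FireEye code; it models the documented criteria against constructed interface descriptions. The attribute names, the sample interfaces, and the reading of a "viable" interface as one that is running with some address are this example's own assumptions.

```python
"""Listen interface constraints as documented for 'ssh server listen interface'.

Added example, not FireEye code. Models which interfaces accept SSH (and
HTTP/HTTPS) when constraints are enabled, including the fail-open rule that
applies when no interface in the listen list qualifies.
"""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Interface:
    """Constructed description of an appliance interface (field names are assumptions)."""
    name: str
    running: bool = True
    ipv4_static: List[str] = field(default_factory=list)  # static IPv4 addresses
    dhcp: bool = False
    zeroconf: bool = False
    ipv6_enabled: bool = False
    ipv6_static: List[str] = field(default_factory=list)
    ipv6_dynamic: bool = False  # address obtainable through SLAAC or DHCPv6


def has_ipv4(iface: Interface) -> bool:
    """IPv4 criterion: DHCP and zeroconf off, and at least one static nonzero address."""
    return (not iface.dhcp and not iface.zeroconf
            and any(addr != "0.0.0.0" for addr in iface.ipv4_static))


def has_ipv6(iface: Interface, system_ipv6: bool) -> bool:
    """IPv6 criterion: IPv6 on for interface and system, plus a static or SLAAC/DHCPv6 address."""
    return iface.ipv6_enabled and system_ipv6 and (bool(iface.ipv6_static) or iface.ipv6_dynamic)


def meets_criteria(iface: Interface, listen_list: List[str], system_ipv6: bool) -> bool:
    """All documented conditions must hold for the interface to accept connections."""
    return (iface.name in listen_list
            and iface.running
            and (has_ipv4(iface) or has_ipv6(iface, system_ipv6)))


def accepting_interfaces(interfaces: List[Interface], listen_list: List[str],
                         constraints_enabled: bool, system_ipv6: bool) -> Tuple[List[str], bool]:
    """Return (names of interfaces that accept SSH/HTTPS, whether constraints are enforced).

    Assumption of this example: a 'viable' interface is one that is running and has
    some address, regardless of the listen list; that is what opens up when nothing
    in the listen list qualifies.
    """
    viable = [i.name for i in interfaces
              if i.running and (i.ipv4_static or i.ipv6_static or i.ipv6_dynamic or i.dhcp)]
    if not constraints_enabled:
        return viable, False
    qualifying = [i.name for i in interfaces if meets_criteria(i, listen_list, system_ipv6)]
    if qualifying:
        return qualifying, True
    # Lock-out protection: nothing qualifies, so the constraints are not enforced at all.
    return viable, False


def sample_interfaces() -> List[Interface]:
    """Constructed sample: ether1 static management, ether2 on DHCP, ether3 down."""
    return [
        Interface("ether1", ipv4_static=["10.0.0.5"]),
        Interface("ether2", dhcp=True),
        Interface("ether3", running=False, ipv4_static=["192.0.2.9"]),
    ]


if __name__ == "__main__":
    ifaces = sample_interfaces()
    print(accepting_interfaces(ifaces, ["ether1"], True, False))  # (['ether1'], True)
    # Listing only the DHCP interface: nothing qualifies, so every viable interface opens.
    print(accepting_interfaces(ifaces, ["ether2"], True, False))  # (['ether1', 'ether2'], False)
```

The second call is the failure mode to watch for: the operator believes management access is pinned to ether2, but because ether2 is on DHCP the list is ignored and ether1 accepts SSH as well. The same logic applies whether the listen list was edited by mistake or an interface later lost its static address.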
User Role Operator and Administrator
Command Mode Configuration
Release Information This command was introduced as follows:
- AX Series: Release 7.7.5
- CM Series: Release 7.9.1
- EX Series: Release 7.8
- FX Series: Release 7.7.5
- NX Series: Release 7.9.1
snmp-server user To configure Simple Network Management Protocol version 3 (SNMP v3) access on a peruser basis, use the snmp-server user command in configuration mode. Related commands: show snmp
Syntax [no] snmp-server user username v3 enable
snmp-server user username v3 auth md5 password [priv [des | aes-128] [password]]
snmp-server user username v3 auth sha password [priv [des | aes-128] [password]]
snmp-server user username v3 encrypted auth md5 password [priv [des | aes-128] [password]]
snmp-server user username v3 encrypted auth sha password [priv [des | aes-128] [password]]
snmp-server user username v3 prompt auth md5 password [priv [des | aes-128]]
snmp-server user username v3 prompt auth sha password [priv [des | aes-128]]
User Role Administrator or Operator
Release Information Command introduced before Release 7.6.0 on AX Series appliances, EX Series appliances, FX Series appliances, NX Series appliances, and CM Series platforms.
Parameters
username v3 enable
Enables the SNMPv3 option for the specified user. Use the no form of the command to disable the SNMPv3 option for the specified user.
username v3 auth md5 password [priv [des | aes-128] [password]]
Sets the MD5 hash algorithm and password for the specified user. You have the option to use a default privacy algorithm. You can also choose the following privacy options:
- des – Sets the Data Encryption Standard (DES) privacy option.
- aes-128 – Sets the Advanced Encryption Standard (AES), 128-bit privacy option.
username v3 auth sha password [priv [des | aes-128] [password]]
Sets the SHA1 hash algorithm and password for the specified user. You have the option to use a default privacy algorithm. You can also choose the following privacy options:
- des – Sets the DES privacy option.
- aes-128 – Sets the AES, 128-bit privacy option.
username v3 encrypted auth md5 password [priv [des | aes-128] [password]]
Sets the MD5 hash algorithm and password for the specified user, with the password supplied in encrypted form. The same privacy options (des, aes-128) are available.
username v3 encrypted auth sha password [priv [des | aes-128] [password]]
Sets the SHA1 hash algorithm and password for the specified user, with the password supplied in encrypted form. The same privacy options (des, aes-128) are available.
username v3 prompt auth md5 password [priv [des | aes-128]]
Sets the MD5 hash algorithm and password for the specified user with follow-up prompts. The same privacy options (des, aes-128) are available.
username v3 prompt auth sha password [priv [des | aes-128]]
Sets the SHA1 hash algorithm and password for the specified user with follow-up prompts. The same privacy options (des, aes-128) are available.
MD5 and DES are retained for compatibility with older managers; where the manager supports them, prefer sha for authentication and aes-128 for privacy.
Examples The following example enables SNMP v3 access for the “admin” user: hostname (config) # snmp-server user admin v3 enable
The following example sets the SNMPv3 user and password: hostname (config) # snmp-server user admin v3 enable hostname (config) # snmp-server user admin v3 auth sha 12345678
ssh client
To generate a new identity (public and private keys) that allows a user to open a Secure Shell (SSH) session on another device from the FireEye appliance, use the ssh client command in configuration mode. To view the current SSH client identities, refer to show ssh client.

Syntax
[no] ssh client global cipher-list {original | fips | cc-ndpp | fips-and-cc-ndpp | high-security | compatible}
[no] ssh client global host-key-check {yes | no | ack}
[no] ssh client global known-host hostname
[no] ssh client global min-version version_number
[no] ssh client user {username | admin | analyst | api_analyst | api_monitor | auditor | cmcclient | cmcrendv | fe_services | monitor | operator | updatemgrd} authorized-key sshv2 key
[no] ssh client user {username | admin | analyst | api_analyst | api_monitor | auditor | cmcclient | cmcrendv | fe_services | monitor | operator | updatemgrd} identity {rsa2 | dsa2} generate
[no] ssh client user {username | admin | analyst | api_analyst | api_monitor | auditor | cmcclient | cmcrendv | fe_services | monitor | operator | updatemgrd} private-key key
[no] ssh client user {username | admin | analyst | api_analyst | api_monitor | auditor | cmcclient | cmcrendv | fe_services | monitor | operator | updatemgrd} identity {rsa2 | dsa2} public-key key
[no] ssh client user {username | admin | analyst | api_analyst | api_monitor | auditor | cmcclient | cmcrendv | fe_services | monitor | operator | updatemgrd} known-host hostip remove

User Role
All roles can use the ssh client user commands. For the other commands, the administrator role is required.

Release Information
Command introduced before Release 7.6.0.

Parameters

no
Use the no form of this command to delete an SSH identity.

global cipher-list {original | fips | cc-ndpp | fips-and-cc-ndpp | high-security | compatible}
Configures the cipher list for SSH:
- original—Original FireEye cipher list (maximum compatibility)
- fips—Compliant with FIPS
- cc-ndpp—Compliant with CC-NDPP
- fips-and-cc-ndpp—Compliant with both FIPS and CC-NDPP
- high-security—High security (might include ciphers not compliant with FIPS or CC-NDPP)
- compatible—Improved security while maintaining backward compatibility

global host-key-check {yes | no | ack}
Configures global SSH client host key check settings. The following options are supported:
- yes—Only permits a connection if a matching host key is already in the known hosts file.
- no—Always permits the connection, and accepts any new or changed host keys without checking.
- ack—Prompts the user to accept new host keys, but does not permit a connection if there was already a known host entry that does not match the key presented by the host.

global known-host hostname
Adds or removes a known host for the specified user.

global min-version version_number
Sets the minimum version of the SSH protocol that is supported.

user {username | admin | analyst | api_analyst | api_monitor | auditor | cmcclient | cmcrendv | fe_services | monitor | operator | updatemgrd}
Specifies a user name or role to generate identities or configure an SSH v2 RSA2 or DSA2 authorized key. To view the current user identities, refer to show ssh client. The following options are supported for a specified user:
- authorized-key sshv2 key—Configures this authorized key for the specified SSH user.
- identity—Sets SSH client identity settings for a user. Options include generate, private-key, and public-key.
- known-host—Manipulates known hosts for the specified user.

identity {rsa2 | dsa2}
Sets SSH client identity settings using the RSA2 or DSA2 algorithm. Options include:
- generate—Generates SSH client keys for the client.
- private-key—Sets private key SSH client settings for the client.
- public-key—Sets public key SSH client settings for the client.

generate
Generates SSH client keys for the client.

private-key key
The SSH v2 RSA2 or DSA2 private key for the specified user. When the keys are generated, the private key is written to the user's .ssh directory in a file named "id_dsa" or "id_rsa."

public-key key
The SSH v2 RSA2 or DSA2 public key for the specified user. When the keys are generated, the public key is written to the user's .ssh directory in a file named "id_dsa" or "id_rsa."

Example
The following example removes the known host 1.2.3.4 for user "jsmith":
hostname (config) # ssh client user jsmith known-host 1.2.3.4 remove
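The three host-key-check modes above differ only in what happens when the known hosts file has no entry, or a non-matching entry, for the target host. The following is an added example (not FireEye code) that models that decision; the known hosts store is a plain dict and the ack-mode prompt is a callback, both constructed for illustration.

```python
"""Policy model for `ssh client global host-key-check {yes | no | ack}`.

Added example, not FireEye code. The three modes follow the parameter
descriptions above; the known-hosts store is a plain dict standing in for
the known hosts file, and the operator prompt in ack mode is a callback so
the logic can be exercised without a terminal.
"""
from typing import Callable, Dict, Optional

PERMIT = "permit"   # proceed with the presented key
REJECT = "reject"   # refuse the connection
PROMPT = "prompt"   # ask the operator before accepting a new host key


def host_key_decision(mode: str, known_hosts: Dict[str, str],
                      host: str, presented_key: str) -> str:
    """Return PERMIT, REJECT or PROMPT for one connection attempt."""
    if mode not in ("yes", "no", "ack"):
        raise ValueError(f"unknown host-key-check mode: {mode!r}")
    stored = known_hosts.get(host)
    if mode == "no":
        # Always permits the connection; new or changed keys are accepted
        # without checking, so a substituted host key would go unnoticed.
        return PERMIT
    if mode == "yes":
        # Only a host whose key already matches the known hosts file.
        return PERMIT if stored == presented_key else REJECT
    # mode == "ack": unknown hosts are prompted; a known host whose key
    # does not match the stored entry is refused.
    if stored is None:
        return PROMPT
    return PERMIT if stored == presented_key else REJECT


def connect(mode: str, known_hosts: Dict[str, str], host: str,
            presented_key: str,
            accept_new: Optional[Callable[[str, str], bool]] = None) -> bool:
    """Apply the policy and update the store; True if the session proceeds.

    accept_new(host, key) is consulted only in ack mode for a new host.
    """
    decision = host_key_decision(mode, known_hosts, host, presented_key)
    if decision == REJECT:
        return False
    if decision == PROMPT and (accept_new is None
                               or not accept_new(host, presented_key)):
        return False
    # Record the accepted key. In "no" mode this also silently overwrites a
    # changed key, which is why that mode gives up the protection the
    # known hosts file provides.
    known_hosts[host] = presented_key
    return True


# Constructed sample store: one host already known, with a placeholder key.
SAMPLE_KNOWN_HOSTS = {"192.0.2.50": "ssh-rsa EXAMPLE-KEY-ORIGINAL"}
```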
ssh server
To enable the Secure Shell (SSH) server to allow CLI access over the network and to limit SSH access to specific interfaces, use the ssh server command in configuration mode. Related commands: show ssh server

Syntax
[no] ssh server cipher-list {original | fips | cc-ndpp | fips-and-cc-ndpp | high-security | compatible}
[no] ssh server enable
[no] ssh server host-key options
[no] ssh server min-key-length bits
[no] ssh server min-version version
[no] ssh server x11-forwarding enable
[no] ssh server ports port
[no] ssh server tcp-forwarding enable
See also ssh server listen enable on page 1249 and ssh server listen interface on page 1250.

User Role
Administrator

Release Information
Command introduced before Release 7.6.0.

Parameters

no
Use the no form of this command to disable or delete the SSH server settings.

cipher-list {original | fips | cc-ndpp | fips-and-cc-ndpp | high-security | compatible}
Configures the cipher list for SSH:
- original—Original FireEye cipher list (maximum compatibility)
- fips—Compliant with FIPS
- cc-ndpp—Compliant with CC-NDPP
- fips-and-cc-ndpp—Compliant with both FIPS and CC-NDPP
- high-security—High security (might include ciphers not compliant with FIPS or CC-NDPP)
- compatible—Improved security while maintaining backward compatibility

enable
Enables the SSH server (enabled by default).

host-key options
Manipulates host keys for SSH. Specify the key type. Options include:
- generate—Creates new Rivest, Shamir, and Adleman (RSA) and Digital Signature Algorithm (DSA) host keys for SSH.
- rsa1 {public-key key | private-key key}—Generates public or private keys for RSA version 1.
- rsa2 {public-key key | private-key key}—Generates public or private keys for RSA version 2.
- dsa2 {public-key key | private-key key}—Generates public or private keys for DSA version 2.

min-key-length bits
Sets the minimum key length for SSH server keys.

min-version version
Sets the minimum version of the SSH protocol that is supported.

x11-forwarding enable
Enables X11 forwarding on the SSH server. This "x11 forwarding" command is not related to xff forwarding (which is enabled by default and requires no configuration).

ports port
Specifies the ports the SSH server will listen on. Ports that are not specified are removed from the SSH port list. The default port is 22.

tcp-forwarding enable
Enables configuration of TCP port forwarding on the SSH server.
ssh server listen enable
Use this command to enable listen interface constraints for SSH connections (described in ssh server listen interface on the next page).

Syntax
[no] ssh server listen enable

Parameters

no
Use the no form of this command to disable listen interface constraints.

Examples
The following example enables listen interface constraints.
hostname (config) # ssh server listen enable

The following example disables listen interface constraints.
hostname (config) # no ssh server listen enable

User Role
Operator and Administrator

Command Mode
Configuration

Release Information
This command was introduced as follows:
- AX Series: Release 7.7.5
- CM Series: Release 7.9.1
- EX Series: Release 7.8
- FX Series: Release 7.7.5
- NX Series: Release 7.9.1
ssh server listen interface
Use this command to add an interface to the listen interface list so it can accept SSH connections for remote access to the CLI. The listen interface list is used when listen interface constraints are enabled on the appliance. Listen interface constraints are enabled by default. Use the command show ssh server on page 1910 to verify whether they are enabled, and use the command ssh server listen enable on the previous page to enable them.

The management interface is used for remote access to the Web UI and CLI, and for other management traffic (such as NTP, SNMP, and syslog). The default management interface is ether1. You can define a different interface (such as ether2) for remote access to the Web UI and CLI.

When listen interface constraints are enabled on the appliance, only interfaces that meet the following criteria can accept HTTP/HTTPS requests (for Web UI access) and SSH connections (for CLI access):
- The interface is in the listen interface list. By default, only ether1 is in this list.
- The interface exists and is running.
- DHCP and zeroconf are disabled on the interface (for IPv4), or IPv6 is enabled on both the interface and the system (for IPv6).
- The interface has an IPv4 or IPv6 address:
  - IPv4: At least one static nonzero IPv4 address is available to be assigned to the interface.
  - IPv6: A static IPv6 address is available to assign to the interface, or the address can be obtained dynamically through Stateless Address Autoconfiguration (SLAAC) or DHCP6.

The system prevents remote users from being locked out when no interface meets these criteria: if no interface meets the criteria, listen interface constraints are not enforced, and all viable interfaces are open and can accept HTTP/HTTPS requests and SSH connections. For more information, see your System Administration Guide or Administration Guide.
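The criteria above, together with the lock-out protection fallback, decide which interfaces actually expose SSH. The following added example (not FireEye code) evaluates them over a constructed interface inventory; the Interface record, the reading of "viable" as up-and-addressable, and the sample addresses are assumptions made for illustration.

```python
"""Which interfaces accept SSH (and Web UI) connections when listen
interface constraints are enabled, per the criteria listed above.

Added example, not FireEye code. The Interface record, the reading of
"viable" as up-and-addressable, and the sample inventory are constructed
assumptions for illustration.
"""
from dataclasses import dataclass, field
from typing import List


@dataclass
class Interface:
    name: str
    running: bool = True
    ipv4_static: List[str] = field(default_factory=list)  # static IPv4 addresses
    dhcp: bool = False           # IPv4 DHCP client enabled on this interface
    zeroconf: bool = False       # IPv4 zeroconf enabled on this interface
    ipv6_enabled: bool = False   # IPv6 enabled on the interface itself
    ipv6_static: List[str] = field(default_factory=list)
    ipv6_dynamic: bool = False   # SLAAC or DHCP6 can supply an address


def has_usable_ipv4(i: Interface) -> bool:
    """DHCP and zeroconf off, and at least one static nonzero IPv4 address."""
    return (not i.dhcp and not i.zeroconf
            and any(a != "0.0.0.0" for a in i.ipv4_static))


def has_usable_ipv6(i: Interface, system_ipv6: bool) -> bool:
    """IPv6 on for both interface and system, with a static address or one
    obtainable dynamically (SLAAC/DHCP6)."""
    return (system_ipv6 and i.ipv6_enabled
            and (bool(i.ipv6_static) or i.ipv6_dynamic))


def viable(i: Interface, system_ipv6: bool) -> bool:
    """Up and addressable, ignoring the listen interface list (assumed
    meaning of "viable" in the fallback rule)."""
    return i.running and (has_usable_ipv4(i) or has_usable_ipv6(i, system_ipv6))


def meets_criteria(i: Interface, listen_list: List[str], system_ipv6: bool) -> bool:
    """All listed criteria: in the listen list, running, and addressable."""
    return i.name in listen_list and viable(i, system_ipv6)


def accepting_interfaces(interfaces: List[Interface], listen_list: List[str],
                         constraints_enabled: bool = True,
                         system_ipv6: bool = False) -> List[str]:
    """Names of interfaces that will accept SSH and HTTP/HTTPS connections."""
    if not constraints_enabled:
        return [i.name for i in interfaces if viable(i, system_ipv6)]
    ok = [i.name for i in interfaces if meets_criteria(i, listen_list, system_ipv6)]
    if ok:
        return ok
    # Lock-out protection: no listed interface qualifies, so the constraints
    # are not enforced and every viable interface is open.
    return [i.name for i in interfaces if viable(i, system_ipv6)]


# Constructed inventory: ether1 is the default management interface, ether2
# has a static address, ether3 is a DHCP client with no static address.
SAMPLE = [
    Interface("ether1", ipv4_static=["192.0.2.10"]),
    Interface("ether2", ipv4_static=["198.51.100.7"]),
    Interface("ether3", dhcp=True, ipv4_static=["0.0.0.0"]),
]
```

Note that a listen list naming only an interface that is down or DHCP-configured is the case where the fallback silently opens every viable interface, which is worth checking with show ssh server after any interface change.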
Syntax
[no] ssh server listen interface

Parameters

no
Use the no form of this command to remove the interface from the listen interface list.

interface
The interface to add to or remove from the listen interface list.

Examples
The following example adds ether2 to the access list.
hostname (config) # ssh server listen interface ether2

The following example removes ether1 from the access list.
hostname (config) # no ssh server listen interface ether1

User Role
Operator and Administrator

Command Mode
Configuration

Release Information
This command was introduced as follows:
- AX Series: Release 7.7.5
- CM Series: Release 7.9.1
- EX Series: Release 7.8
- FX Series: Release 7.7.5
- NX Series: Release 7.9.1
static-info enable
Description
This command enables the display of static information for particular files and URLs on the Malware Analyses page of the MAS Web UI when "Show All" is selected. This command is enabled by default. Use the no form of the command to disable the display of static information.

Syntax
[no] static-info enable

Parameters
None

Example
The following example disables the default display of the static information.
MAS (config) # no static-info enable

Related Commands
- av-suite enable on page 272
- show object-analysis on page 1846
- yara on page 1329
static-analysis av-check enable
Enables AV-Check, which provides another type of static analysis tool on the appliance. After the tool is enabled, no other configuration is required. AV-Check allows the appliance to use antivirus tools, such as Sophos and ClamWin, to scan malware samples. AV-Check analysis is enabled by default. AV-Check requires an AV_ENGINE_SOPHOS license.

Syntax
[no] static-analysis av-check enable

Parameters

no
Use the no form of this command to disable the AV-Check tool.

Example
The following example enables AV-Check.
hostname (config) # static-analysis av-check enable

User Role
Administrator and Operator

Command Mode
Configuration

Release Information
This command was introduced as follows:
- AX Series: Release 7.7
- FX Series: Release 7.7
- NX Series: Release 7.7
- EX Series: Release 7.8

Related Commands
For a list of related commands, see Static Analysis Tools Command Family on page 122.
static-analysis av-suite enable
Enables FireEye's AV-Suite analysis tool. After the tool is enabled, no other configuration is required. With AV-Suite integration, each infection binary is submitted by the appliance to the AV-Suite detection and comparison tool, which determines whether antivirus vendors were able to detect the malware that was captured and analyzed by FireEye. The results of AV-Suite analysis are displayed on the appliance Web UI results page. AV-Suite analysis is enabled by default. AV-Suite analysis is only available to customers using a 2-way license.

Syntax
[no] static-analysis av-suite enable

Parameters

no
Use the no form of this command to disable the AV-Suite integration tool.

Example
The following example enables AV-Suite integration.
hostname (config) # static-analysis av-suite enable

User Role
Administrator and Operator

Command Mode
Configuration

Release Information
This command was introduced as follows:
- AX Series: Release 7.7
- FX Series: Release 7.7
- NX Series: Release 7.7
- EX Series: Release 7.8

Related Commands
For a list of related commands, see Static Analysis Tools Command Family on page 122.
static-analysis dropper enable
Enables the dropper detection component to perform static analysis on the appliance. This component allows the appliance to identify malicious files that might have installed additional types of malware on your system. A dropper is not associated with any file extensions, and it is often part of a spearphishing attempt. The appliance sends the dropper files that matched the first ten MD5 checksums to the Dynamic Threat Intelligence (DTI) Cloud for further analysis. When the dropper detection component is disabled, the appliance does not send the dropper files to the DTI Cloud. The dropper detection component is enabled by default.

Syntax
[no] static-analysis dropper enable

Parameters

no
Use the no form of this command to disable dropper detection.

Example
The following example enables the dropper detection component to perform static analysis on the appliance:
hostname (config) # static-analysis dropper enable

User Role
Administrator and Operator

Command Mode
Configuration

Release Information
This command was introduced as follows:
- NX Series: Release 7.7
- EX Series: Release 7.8

Related Commands
For a list of related commands, see Static Analysis Tools Command Family on page 122.
static-analysis enable
Enables static analysis on the appliance. Static analysis is enabled by default.

Syntax
[no] static-analysis enable

Parameters

no
Use the no form of this command to disable static analysis.

Example
The following example enables static analysis.
hostname (config) # static-analysis enable

User Role
Administrator and Operator

Command Mode
Configuration

Release Information
This command was introduced as follows:
- AX Series: Release 7.7
- FX Series: Release 7.7
- NX Series: Release 7.7
- EX Series: Release 7.8

Related Commands
For a list of related commands, see Static Analysis Tools Command Family on page 122.
static-analysis malware-intrinsic-analysis enable
Enables the Intrinsic Analysis feature, which provides another type of static analysis on the appliance. Intrinsic Analysis is a technique that analyzes objects to identify malware based on intrinsic properties in a compromised system. Objects that match known malware families are marked as malicious. Malware samples are updated when the system checks for new security content from the Dynamic Threat Intelligence (DTI) Cloud. Intrinsic Analysis is enabled by default.

Syntax
[no] static-analysis malware-intrinsic-analysis enable

Parameters

no
Use the no form of this command to disable Intrinsic Analysis on the appliance.

Example
The following example enables Intrinsic Analysis.
hostname (config) # static-analysis malware-intrinsic-analysis enable

User Role
Administrator and Operator

Command Mode
Configuration

Release Information
This command was introduced as follows:
- AX Series: Release 7.7
- FX Series: Release 7.7
- NX Series: Release 7.7
- EX Series: Release 7.8

Related Commands
For a list of related commands, see Static Analysis Tools Command Family on page 122.
static-analysis sa-python enable
Enables the Python-based static analysis tool on the appliance. After the tool is enabled, no other configuration is required. This tool allows the appliance to perform static analysis on submitted malware samples based on defined YARA rules and on other file type analysis techniques. The Python-based static analysis tool is enabled by default.

Syntax
[no] static-analysis sa-python enable

Parameters

no
Use the no form of this command to disable the Python-based static analysis tool.

Example
The following example enables the Python-based static analysis tool:
hostname (config) # static-analysis sa-python enable

User Role
Administrator and Operator

Command Mode
Configuration

Release Information
This command was introduced as follows:
- AX Series: Release 7.7
- FX Series: Release 7.7
- NX Series: Release 7.7
- EX Series: Release 7.8

Related Commands
For a list of related commands, see Static Analysis Tools Command Family on page 122.
stats alarm
Description
Specifies the configuration for performance-based alarms. Related commands: show stats. Use the no form of this command to disable performance-based alarms.

Syntax
stats alarm {cpu_util_indiv | disk_io | fs_mnt | intf_util | memory_pct_used | paging} {clear | enable | event-repeat | falling | rate-limit | rising}
stats alarm {cpu_util_indiv | disk_io | fs_mnt | intf_util | memory_pct_used | paging} {falling | rising} {clear-threshold value | error-threshold value} percent-utilization
stats alarm {cpu_util_indiv | disk_io | fs_mnt | intf_util | memory_pct_used | paging} rate-limit count {long | medium | short} count
stats alarm {cpu_util_indiv | disk_io | fs_mnt | intf_util | memory_pct_used | paging} rate-limit window {long | medium | short} seconds
stats alarm {cpu_util_indiv | disk_io | fs_mnt | intf_util | memory_pct_used | paging} rate-limit reset

Parameters

cpu_util_indiv
Average CPU utilization too high (percent utilization).

disk_io
Disk I/O per second too high (kbytes/second).

fs_mnt
Free file system space too low (percent of disk space free).

intf_util
Network utilization too high (bytes/second).

memory_pct_used
Too much memory in use (percent of physical memory used).

paging
Paging activity and paging faults.

clear
Clears all the current state information for the specified alarm (available in Enabled mode).

enable
Enables the specified alarm (all alarms are enabled by default).

event-repeat
Configures repetition of events from this alarm.

falling clear-threshold value
Clears the alarm when the metric falls to the specified level.

falling error-threshold value
Sets the alarm when the metric falls to the specified level.

rising clear-threshold value
Clears the alarm when the metric rises to the specified level.

rising error-threshold value
Sets the alarm when the metric rises to the specified level.

rate-limit count {long | medium | short} count
Specifies the maximum number of alarms allowed for the specified metric in the long, medium, and short time periods (windows). The default counts are 50, 20, and 5 for each metric.

rate-limit window {long | medium | short} seconds
Specifies the number of seconds in the long, medium, and short time periods (windows) for the specified metric (used to limit the number of alarms). The default windows are 7 days, 24 hours.

rate-limit reset
Clears the current rate-limit counts for the specified metric (available in Enabled mode).

Example
The following example sets the alarm threshold for CPU utilization at 80%.
hostname (config) # stats alarm cpu_util_indiv rising error-threshold 80
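The error/clear thresholds and the three rate-limit windows interact: an alarm that flaps will stop producing events once a window's count is exhausted, even though the alarm state keeps changing. The following added example (not FireEye code) replays a constructed cpu_util_indiv series through one rising alarm; it treats the clear threshold as the level a rising alarm must fall back to before it clears, uses the page's default counts and long/medium windows, and assumes a short window length and the sample values.

```python
"""Simulation of one performance alarm as configured by `stats alarm`:
rising error-threshold / clear-threshold and the long/medium/short
rate-limit windows.

Added example, not FireEye code. It treats the clear threshold as the
level a rising alarm must fall back to before it clears (hysteresis) and
uses the page's default counts (50, 20, 5) and long/medium windows (7 days,
24 hours); the short window length and the sample series are constructed
assumptions.
"""
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Tuple

DAY = 86400
DEFAULT_COUNTS = {"long": 50, "medium": 20, "short": 5}
DEFAULT_WINDOWS = {"long": 7 * DAY, "medium": DAY, "short": 3600}  # short: assumed


@dataclass
class RisingAlarm:
    error_threshold: float            # rising error-threshold value
    clear_threshold: float            # rising clear-threshold value
    counts: Dict[str, int] = field(default_factory=lambda: dict(DEFAULT_COUNTS))
    windows: Dict[str, int] = field(default_factory=lambda: dict(DEFAULT_WINDOWS))
    active: bool = False
    sent: Dict[str, Deque[int]] = field(
        default_factory=lambda: {w: deque() for w in DEFAULT_COUNTS})

    def _rate_limited(self, now: int) -> bool:
        """True if any window already holds its maximum number of alarms."""
        for name, q in self.sent.items():
            while q and now - q[0] >= self.windows[name]:
                q.popleft()                   # expire events outside the window
        return any(len(q) >= self.counts[name] for name, q in self.sent.items())

    def observe(self, now: int, value: float) -> str:
        """Feed one sample; return 'set', 'suppressed', 'clear' or 'none'."""
        if not self.active and value >= self.error_threshold:
            self.active = True                # state changes even when suppressed
            if self._rate_limited(now):
                return "suppressed"           # no event emitted: rate limit hit
            for q in self.sent.values():
                q.append(now)
            return "set"
        if self.active and value <= self.clear_threshold:
            self.active = False
            return "clear"
        return "none"

    def reset_rate_limit(self) -> None:
        """Counterpart of `stats alarm <metric> rate-limit reset`."""
        for q in self.sent.values():
            q.clear()


def run(samples: List[Tuple[int, float]], alarm: RisingAlarm) -> List[str]:
    """Replay (timestamp, percent-utilization) samples through the alarm."""
    return [alarm.observe(t, v) for t, v in samples]


# Constructed CPU utilization series (seconds, percent) for cpu_util_indiv
# with `rising error-threshold 80` as in the example above and a clear
# threshold of 75; the short window count is lowered to 2 so the rate limit
# is reached within the series.
SAMPLE = [(0, 50.0), (60, 85.0), (120, 90.0), (180, 70.0),
          (240, 85.0), (300, 60.0), (360, 85.0)]


def demo() -> List[str]:
    alarm = RisingAlarm(80.0, 75.0, counts={"long": 50, "medium": 20, "short": 2})
    return run(SAMPLE, alarm)
```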
stats chd
Description
Clears the computed historical datapoints (CHD) for the specified metric.

Syntax
stats chd {cpu_util | cpu_util_ave | cpu_util_day | disk_io | fs_mnt_day | fs_mnt_month | fs_mnt_week | intf_day | intf_hour | intf_util | memory_day | memory_pct | paging | paging_day} clear

Parameters

cpu_util | cpu_util_ave | cpu_util_day
Metrics for individual, average, and daily CPU utilization.

disk_io
Metrics for disk input/output.

fs_mnt_day
File system daily usage average: bytes.

fs_mnt_month
File system monthly usage average: bytes.

fs_mnt_week
File system weekly usage average: bytes.

intf_util
Aggregate network utilization across all interfaces.

intf_day | intf_hour
Daily or hourly interface statistics.

memory_pct
Average physical memory usage.

memory_day
Metric for daily memory utilization.

paging | paging_day
Metric for swapping of data in and out of memory.

clear
Clears the CHD for the specified metric.

Example
The following example clears all historical data for daily CPU utilization.
hostname (config) # stats chd cpu_util_day clear
stats clear-all
Description
Clears all alarms and computed historical datapoints (CHD) for all metrics.

Syntax
stats clear-all

Parameters
None

Example
The following example clears all alarms and historical data.
hostname (config) # stats clear-all
stats export
Description
Exports all performance-based statistics to a file for a specific metric, or just the statistics in a specified time range. Related commands: show files

Syntax
stats export csv {cpu_util | memory | paging} [filename filename] [after yyyy/mm/dd hh:mm:ss] [before yyyy/mm/dd hh:mm:ss]

Parameters

after yyyy/mm/dd hh:mm:ss
Exports only the statistics collected after the specified date and time.

before yyyy/mm/dd hh:mm:ss
Exports only the statistics collected before the specified date and time.

cpu_util
Metric for CPU utilization.

filename filename
Name of the exported file. The default file name is: -.csv

memory
Metric for memory utilization.

paging
Metric for swapping of data in and out of memory.

Example
The following example exports all CPU utilization statistics to file cpu_util-.csv.
hostname (config) # stats export csv cpu_util
stats group submission sampling interval minutes
This command allows you to set the submission statistics sampling rate.

Syntax
stats group submission sampling interval minutes

Parameters

minutes
The interval between queries.

Example
The following example sets the query interval to 2 minutes.
hostname (config) # stats group submission sampling interval minutes 2

User Role
Administrator

Command Mode
Configuration

Release Information
This command was introduced as follows:
- CM Series: Release 7.9.1
- NX Series: Release 7.9.1

Related Topics
For a list of related commands, see Submission Sampling Command Family on page 123.
- show stats group submission on page 1916
stats sample
Description
Specifies the sampling interval for performance-based statistics and alarms. You can also clear the sampled statistics for a specific metric.

Syntax
stats sample {sample_id | cpu_util | disk_device_io | disk_io | fs_mnt_bytes | fs_mnt_inodes | intf_util | interface | memory | paging} clear
stats sample interface {interval seconds | clear}

Parameters

sample_id
Identifies the sample.

cpu_util
Metric for CPU utilization (milliseconds).

disk_device_io
Storage device I/O statistics.

disk_io
Metrics for disk input/output.

fs_mnt_bytes
File system usage: bytes.

fs_mnt_inodes
File system usage: inodes.

intf_util
Network interface utilization: bytes.

interface
Interface statistics.

memory
Metric for memory utilization.

paging
Metric for swapping of data in and out of memory.

clear
Clears all the sampled information for the specified metric.

interval seconds
Number of seconds between calculations.

Example
hostname (config) # stats sample cpu_util interval 60
stty baud
Description
Configures the terminal's baud rate setting. This command is executed only in standard mode and is not available during SSH sessions.

Syntax
stty baud baud_rate

Parameters

baud_rate
Baud rate options are: 2400, 4800, 9600, 19200, 38400, 57600, and 115200.

Example
The following example sets the stty baud rate to one of the allowed options.
hostname # stty baud 9600
system virtual bootstrap reset
This command resets the activation code and configuration settings that the system applied during the initial boot of a virtual appliance.

Syntax
system virtual bootstrap reset

Parameters
None

Example
The following example resets the activation code and configuration settings on the virtual appliance.
system virtual bootstrap reset

User Role
Administrator

Command Mode
Configuration

Release Information
This command was introduced as follows:
- CM Series: Release 7.9
- NX Series: Release 7.9

Related Topics
For a list of related commands, see Virtual System Command Family on page 128.
- show licenses tokens on page 1734
- show system entropy on page 1967
tacacs-server host
Adds or removes a TACACS+ server in the FireEye appliance configuration. Multiple TACACS+ servers can be added to the FireEye appliance. When multiple TACACS+ servers are configured, the FireEye appliance attempts to connect to each TACACS+ server in the order it was added. To configure multiple services on a single TACACS+ server, use the tacacs-server host auth-port subcommand and specify a unique port for each service. When initially added to the configuration, the TACACS+ server is enabled by default. To disable a TACACS+ server, use the no tacacs-server host enable subcommand.

Syntax
[no] tacacs-server host ipaddress

Parameters

no
Use the no form of this command to remove the TACACS+ server from the configuration. When you use the no form of this command without specifying an IP address, all TACACS+ servers are removed from the configuration.

ipaddress
The IPv4 address of the TACACS+ server.

Example
The following example adds a TACACS+ server to the configuration:
hostname (config) # tacacs-server host 172.16.1.1

The following example removes a TACACS+ server from the configuration:
hostname (config) # no tacacs-server host 172.16.1.1

User Role
Administrator

Command Mode
Configuration

Release Information
This command was introduced as follows:
- AX Series: Before release 6.4
- CM Series: Before release 6.4
- EX Series: Before release 6.4
- FX Series: Before release 6.4
- HX Series: Release 2.5
- NX Series: Before release 6.4

Related Commands
For a list of commands, see AAA Accounting Commands on page 51.
tacacs-server host auth-port
Sets the communication port used on the specified TACACS+ server to establish a communication link with the FireEye appliance. By default, the TACACS+ server uses port 49. However, you may specify any port between 1 and 65535. You can use the same TACACS+ server for multiple services (accounting, authentication, and authorization) by using a different port for each service. For example, you could use port 49 for the accounting service and port 490 for the authentication service. This authentication port command overrides the global authentication port specified using the tacacs-server auth-port command.

Syntax
[no] tacacs-server host ipaddress auth-port portnumber

Parameters

no
Use the no form of this command to remove the port setting from the configuration. When you use the no form of this command without specifying a port number, all ports are removed from the specified TACACS+ server's configuration.

ipaddress
The IPv4 address of the TACACS+ server.

portnumber
The TACACS+ server's port number used to establish communication with the FireEye appliance. Default: 49. Range: 1-65535.

Example
The following example sets the specified TACACS+ server's communication port to 490:
hostname (config) # tacacs-server host 172.16.1.1 auth-port 490

The following example restores the specified TACACS+ server's communication port to the default value (port 49):
hostname (config) # no tacacs-server host 172.16.1.1 auth-port

User Role
Administrator

Command Mode
Configuration

Release Information
This command was introduced as follows:
- AX Series: Before release 6.4
- CM Series: Before release 6.4
- EX Series: Before release 6.4
- FX Series: Before release 6.4
- HX Series: Release 2.5
- NX Series: Before release 6.4

Related Commands
For related commands, see AAA Accounting Commands on page 51.
tacacs-server host auth-type
Sets the login authentication method used to establish communication between the FireEye appliance and the TACACS+ server. Currently, the following authentication methods are available:
- ASCII – American Standard Code for Information Interchange. The user name and password are transmitted in clear, unencrypted text.
- PAP – Password Authentication Protocol. The user name and password are transmitted in clear, unencrypted text. (Default method)

This authentication type command overrides the global authentication type specified using the tacacs-server auth-type command.

Syntax
tacacs-server host ipaddress auth-type type

Parameters

ipaddress
The IPv4 address of the TACACS+ server.

type
The login authentication method:
- ascii
- pap (default)

Example
The following example sets the specified TACACS+ server's login authentication method to ASCII:
hostname (config) # tacacs-server host 172.16.1.1 auth-type ascii

User Role
Administrator

Command Mode
Configuration

Release Information
This command was introduced as follows:
- AX Series: Before release 6.4
- CM Series: Before release 6.4
- EX Series: Before release 6.4
- FX Series: Before release 6.4
- HX Series: Release 2.5
- NX Series: Before release 6.4

Related Commands
For related commands, see AAA Accounting Commands on page 51.
© 2016 FireEye
1273
CLI Reference Guide
PART III: Commands
tacacs-server host enable Enables or disables a specific TACACS+ service. By default, all TACACS+ servers configured on the FireEye appliance are enabled.
Syntax [no] tacacs-server host ipaddress enable
Parameters no
Use the no form of this command to disable the TACACS+ server.
ipaddress
The IPv4 IP address of the TACACS+ server.
Example The following example enables the specified TACACS+ server:
hostname (config) # tacacs-server host 172.16.1.1 enable
The following example disables the specified TACACS+ server:
hostname (config) # no tacacs-server host 172.16.1.1 enable
User Role Administrator
Command Mode Configuration
Release Information This command was introduced as follows:
- AX Series: Before release 6.4
- CM Series: Before release 6.4
- EX Series: Before release 6.4
- FX Series: Before release 6.4
- HX Series: Release 2.5
- NX Series: Before release 6.4
Related Commands For related commands, see: AAA Accounting Commands on page 51.
tacacs-server host key Sets the authentication key for the specified TACACS+ server. This key is used when initially establishing a communication link between the FireEye appliance and the TACACS+ server. When issuing this command, the authentication key is appended to the end of the command. The authentication key should be an unencrypted ASCII character key shared with the TACACS+ server. The authentication key on the FireEye appliance must match the authentication key on the TACACS+ server. Alternatively, the tacacs-server host prompt-key command prompts the user to enter the authentication key on a separate line once executed. This server key command overrides the global server key specified using the tacacs-server key command.
Syntax tacacs-server host ipaddress key keystring
Parameters ipaddress
The IPv4 IP address of the TACACS+ server.
keystring
The authentication key string. This key string is an unencrypted ASCII key shared with the specific TACACS+ server.
Example The following example adds an authentication key for the specified TACACS+ server:
hostname (config) # tacacs-server host 172.16.1.1 key TAcACsAutenticationKey
User Role Administrator
Command Mode Configuration
Release Information This command was introduced as follows:
- AX Series: Before release 6.4
- CM Series: Before release 6.4
- EX Series: Before release 6.4
- FX Series: Before release 6.4
- HX Series: Release 2.5
- NX Series: Before release 6.4
Related Commands For related commands, see: AAA Accounting Commands on page 51.
tacacs-server host prompt-key Sets the authentication key for the specified TACACS+ server. This key is used when initially establishing a communication link between the FireEye appliance and the TACACS+ server. When issuing this command, the user is prompted to enter the authentication key on a separate line once executed. The authentication key should be an unencrypted ASCII character key shared with the TACACS+ server. The authentication key on the FireEye appliance must match the authentication key on the TACACS+ server. Alternatively, the tacacs-server host key command allows the user to enter the authentication key at the end of the command. This server key command overrides the global server key specified using the tacacs-server key command.
Syntax tacacs-server host ipaddress prompt-key
Parameters ipaddress
The IPv4 IP address of the TACACS+ server.
Example The following example adds an authentication key for the specified TACACS+ server:
hostname (config) # tacacs-server host 172.16.1.1 prompt-key
Key: TAcACsAutenticationKey
User Role Administrator
Command Mode Configuration
Release Information This command was introduced as follows:
- AX Series: Before release 6.4
- CM Series: Before release 6.4
- EX Series: Before release 6.4
- FX Series: Before release 6.4
- HX Series: Release 2.5
- NX Series: Before release 6.4
Related Commands For related commands, see: AAA Accounting Commands on page 51.
tacacs-server host retransmit Sets the number of times the FireEye appliance attempts to connect to the specified TACACS+ server. This retransmit command overrides the global retransmit value specified using the tacacs-server retransmit command.
Syntax [no] tacacs-server host ipaddress retransmit retries
Parameters no
Use the no form of this command to restore the TACACS+ server communication link retries to the default value.
ipaddress
The IPv4 IP address of the TACACS+ server.
retries
The number of connection retries attempted by the FireEye appliance.
- Range: 0-5
- Default: 1
Example The following example sets the specified TACACS+ server's communication link retry attempts to 5:
hostname (config) # tacacs-server host 172.16.1.1 retransmit 5
The following example restores the specified TACACS+ server's communication link retry attempts to the default value (1):
hostname (config) # no tacacs-server host 172.16.1.1 retransmit
The following example disables communication link retry attempts for the specified TACACS+ server:
hostname (config) # tacacs-server host 172.16.1.1 retransmit 0
User Role Administrator
Command Mode Configuration
Release Information This command was introduced as follows:
- AX Series: Before release 6.4
- CM Series: Before release 6.4
- EX Series: Before release 6.4
- FX Series: Before release 6.4
- HX Series: Release 2.5
- NX Series: Before release 6.4
Related Commands For related commands, see: AAA Accounting Commands on page 51.
tacacs-server host timeout Sets the specified TACACS+ server communication link timeout. The communication link timeout is the amount of time the FireEye appliance will attempt to establish a communication link with a remote TACACS+ server before failing. Using the no parameter in front of this command restores the default communication timeout (5 seconds). This TACACS+ server communication link timeout overrides the global communication link timeout specified using the tacacs-server timeout command.
Syntax [no] tacacs-server host ipaddress timeout seconds
Parameters no
Use the no form of this command to restore the TACACS+ server communication link timeout to the default time.
ipaddress
The IPv4 IP address of the TACACS+ server.
seconds
The number of seconds before timeout.
- Range: 1-60 (seconds)
- Default: 5 (seconds)
Example The following example sets the specified TACACS+ server's communication link timeout to 30 seconds:
hostname (config) # tacacs-server host 172.16.1.1 timeout 30
The following example restores the specified TACACS+ server's communication link timeout to the default value (5 seconds):
hostname (config) # no tacacs-server host 172.16.1.1 timeout
User Role Administrator
Command Mode Configuration
Release Information This command was introduced as follows:
- AX Series: Before release 6.4
- CM Series: Before release 6.4
- EX Series: Before release 6.4
- FX Series: Before release 6.4
- HX Series: Release 2.5
- NX Series: Before release 6.4
Related Commands For related commands, see: AAA Accounting Commands on page 51.
tacacs-server key Sets the global authentication key for all TACACS+ servers. This key is used when initially establishing a communication link between the FireEye appliance and the TACACS+ server. You can use this command in one of two ways:
- Append the authentication key to the end of the command.
- Issue the command without the key. You will be prompted to enter the key.
The authentication key should be an unencrypted ASCII character key shared with the TACACS+ server. The authentication key on the FireEye appliance must match the authentication key on the TACACS+ server.
This global authentication key can be overridden for individual TACACS+ servers using the tacacs-server host key command.
Syntax [no] tacacs-server key string
tacacs-server key
Parameters no
Use the no form of this command to remove the TACACS+ server authentication key. string
The TACACS+ server authentication key
Example The following example adds a global TACACS+ server authentication key:
hostname (config) # tacacs-server key TAcACsAutenticationKey
In the following example, you will be prompted for the global TACACS+ server authentication key:
hostname (config) # tacacs-server key
Key: TAcACsAutenticationKey
The following example removes the global TACACS+ authentication key:
hostname (config) # no tacacs-server key
User Role Administrator
Command Mode Configuration
Release Information This command was introduced as follows:
- AX Series: Before release 6.4
- CM Series: Before release 6.4
- EX Series: Before release 6.4
- FX Series: Before release 6.4
- HX Series: Release 2.5
- NX Series: Before release 6.4
Related Commands For a list of commands, see: AAA Accounting Commands on page 51.
tacacs-server retransmit Globally sets the number of times the FireEye appliance attempts to connect to each configured TACACS+ server. This global retransmit value can be overridden for individual TACACS+ servers using the tacacs-server host retransmit command.
Syntax [no] tacacs-server retransmit retries
Parameters no
Use the no form of this command to restore the TACACS+ server communication link retries to the default value.
retries
The number of retries.
- Range:
- Default:
Example The following example sets the global TACACS+ communication link retry attempts to 5:
hostname (config) # tacacs-server retransmit 5
The following example restores the global TACACS+ communication link retry attempts to the default value (0):
hostname (config) # no tacacs-server retransmit
User Role Administrator
Command Mode Configuration
Release Information This command was introduced as follows:
- AX Series: Before release 6.4
- CM Series: Before release 6.4
- EX Series: Before release 6.4
- FX Series: Before release 6.4
- HX Series: Release 2.5
- NX Series: Before release 6.4
Related Commands For a list of commands, see: AAA Accounting Commands on page 51.
tacacs-server timeout Sets the global TACACS+ server communication link timeout. The communication link timeout is the amount of time the FireEye appliance will attempt to establish a communication link with a remote TACACS+ server before failing. Using the no parameter in front of this command restores the default communication timeout (5 seconds). This global timeout can be overridden for individual TACACS+ servers using the tacacs-server host timeout subcommand.
Syntax [no] tacacs-server timeout seconds
Parameters no
Use the no form of this command to restore the TACACS+ server communication link timeout to the default time.
seconds
The number of seconds before timeout.
- Range: 1-60 (seconds)
- Default: 5 (seconds)
Example The following example sets the global TACACS+ communication link timeout to 30 seconds:
hostname (config) # tacacs-server timeout 30
The following example restores the global TACACS+ communication link timeout to the default value (5 seconds):
hostname (config) # no tacacs-server timeout
User Role Administrator
Command Mode Configuration
Release Information This command was introduced as follows:
- AX Series: Before release 6.4
- CM Series: Before release 6.4
- EX Series: Before release 6.4
- FX Series: Before release 6.4
- HX Series: Release 2.5
- NX Series: Before release 6.4
Related Commands For a list of commands, see: AAA Accounting Commands on page 51.
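The tacacs-server host commands above override the global tacacs-server key, retransmit and timeout values for one server, and the no form of each per-host command drops back to the global value or to the documented default. The following Python script is an added example, not FireEye code: it parses a constructed set of these CLI lines in order, resolves the effective setting and its source (host, global or default) for every server, and flags servers that have no shared key at all, servers that are disabled, and servers whose retransmit of 0 disables retries. It assumes a global tacacs-server auth-type form by analogy with the per-host command, and treats a bare tacacs-server host line as merely declaring a server.

```python
"""Resolve each TACACS+ server's effective settings from FireEye-style CLI lines,
applying the override order documented for the tacacs-server family (per-host
setting > global setting > default). Added example, not FireEye code."""
import re
from typing import Dict, List, Optional

# Defaults and ranges as documented on this page for the per-host commands.
DEFAULTS = {"auth-port": 49, "auth-type": "pap", "key": None, "retransmit": 1, "timeout": 5}
RANGES = {"auth-port": (1, 65535), "retransmit": (0, 5), "timeout": (1, 60)}
PROMPTED = "<key entered at prompt>"   # prompt-key form, or bare `tacacs-server key`

HOST_RE = re.compile(r"^(no\s+)?tacacs-server host (\S+)(?:\s+(\S+))?(?:\s+(.+))?$")
# A global `tacacs-server auth-type <type>` form is assumed by analogy with the per-host one.
GLOBAL_RE = re.compile(r"^(no\s+)?tacacs-server (auth-type|key|retransmit|timeout)(?:\s+(.+))?$")

def coerce(setting: str, arg: Optional[str]) -> object:
    """Validate a value against the documented choices and ranges."""
    if setting == "key":
        return arg if arg else PROMPTED
    if arg is None:
        raise ValueError(f"{setting} requires a value")
    if setting == "auth-type":
        if arg not in ("ascii", "pap"):
            raise ValueError(f"unknown auth-type {arg!r}")
        return arg
    value, (lo, hi) = int(arg), RANGES[setting]
    if not lo <= value <= hi:
        raise ValueError(f"{setting} {value} outside {lo}-{hi}")
    return value

def parse_config(lines: List[str]) -> dict:
    """Apply lines in order; a later `no` form undoes an earlier setting.
    Returns {"global": {setting: value}, "servers": {ip: {"enabled": bool, "overrides": {...}}}}."""
    cfg: dict = {"global": {}, "servers": {}}
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if m := HOST_RE.match(line):
            negated, ip, sub, arg = bool(m.group(1)), m.group(2), m.group(3), m.group(4)
            srv = cfg["servers"].setdefault(ip, {"enabled": True, "overrides": {}})
            if sub is None:                      # bare host line (assumed form) declares the server
                continue
            if sub == "enable":
                srv["enabled"] = not negated
            elif sub == "prompt-key":
                srv["overrides"]["key"] = PROMPTED
            elif sub in DEFAULTS and negated:
                srv["overrides"].pop(sub, None)  # `no` form falls back to global/default
            elif sub in DEFAULTS:
                srv["overrides"][sub] = coerce(sub, arg)
            else:
                raise ValueError(f"unknown host subcommand: {line}")
        elif m := GLOBAL_RE.match(line):
            negated, sub, arg = bool(m.group(1)), m.group(2), m.group(3)
            if negated:
                cfg["global"].pop(sub, None)
            else:
                cfg["global"][sub] = coerce(sub, arg)
        else:
            raise ValueError(f"unrecognised line: {line}")
    return cfg

def effective_settings(cfg: dict, ip: str) -> Dict[str, object]:
    """Each setting plus a `<setting>_source` of host, global or default."""
    srv = cfg["servers"][ip]
    eff: Dict[str, object] = {"enabled": srv["enabled"]}
    for setting, default in DEFAULTS.items():
        for source, table in (("host", srv["overrides"]), ("global", cfg["global"])):
            if setting in table:
                eff[setting], eff[setting + "_source"] = table[setting], source
                break
        else:
            eff[setting], eff[setting + "_source"] = default, "default"
    return eff

def audit(cfg: dict) -> List[str]:
    """Flag servers that cannot authenticate or retry as configured."""
    findings = []
    for ip in cfg["servers"]:
        eff = effective_settings(cfg, ip)
        if eff["key"] is None:
            findings.append(f"{ip}: no shared key configured globally or per host")
        if not eff["enabled"]:
            findings.append(f"{ip}: server is disabled")
        if eff["retransmit"] == 0:
            findings.append(f"{ip}: retransmit 0 disables connection retries")
    return findings

# Constructed sample; the final `no tacacs-server key` removes the global key again.
SAMPLE_CONFIG = [
    "tacacs-server key GlobalKeyExample",
    "tacacs-server timeout 10",
    "tacacs-server host 172.16.1.1 key HostKeyExample",
    "tacacs-server host 172.16.1.1 auth-type ascii",
    "tacacs-server host 172.16.1.1 retransmit 5",
    "tacacs-server host 172.16.1.2 timeout 30",
    "no tacacs-server host 172.16.1.2 enable",
    "tacacs-server host 172.16.1.3 auth-port 4949",
    "no tacacs-server key",
]
```

The sample shows why line order matters: the trailing no tacacs-server key leaves 172.16.1.2 and 172.16.1.3 with no key at all, while 172.16.1.1 keeps its per-host key and inherits only the global timeout. Run audit on the appliance's saved tacacs-server lines before a change window to catch the same situation.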
tapsender enable Enables or disables the TAP sender module to collect logs generated by the FireEye NX 2500 appliance. When you enable the TAP sender module on the appliance, the appliance sends the network event logs to TAP in the AWS endpoint that you specified for further analysis. When you disable the TAP sender module on the appliance, the appliance does not send the network event logs to TAP in the AWS endpoint. TAP integration is supported only on the NX Series 2500 appliance.
Syntax [no] tapsender enable
Parameters no
Use the no form of this command to disable the TAP sender module.
Example The following example enables the TAP sender module.
hostname (config) # tapsender enable
Enable tapsender
Changes might take a few seconds to take effect. Use the CLI show tapsender status to check the status.
The following example disables the TAP sender module.
hostname (config) # no tapsender enable
Disable tapsender
User Role Administrator or Operator
Command Mode Configuration
Release Information This command was introduced as follows:
- NX Series: Release 7.9
Related Commands For a list of related commands, see TAP Sender Module Command Family on page 124.
tapsender VPC Specifies the hostname of the TAP Virtual Private Cloud (VPC) within an Amazon Web Services (AWS) endpoint on the FireEye NX 2500 appliance. The appliance sends the network event logs to TAP in the AWS endpoint that you specified for further analysis. TAP integration is supported only on the NX Series 2500 appliance.
Syntax tapsender VPC
Parameters
A valid hostname of the VPC within an AWS endpoint to which the appliance sends the network event logs to TAP. Port 443 is the default.
Example The following example sets the hostname of the VPC within the AWS endpoint to which the appliance sends the network event logs to TAP to tapVPC.fireeye.com:
hostname (config) # tapsender VPC tapVPC.fireeye.com
Enabling tapsender
User Role Administrator or Operator
Command Mode Configuration
Release Information This command was introduced as follows:
- NX Series: Release 7.9
Related Commands For a list of related commands, see TAP Sender Module Command Family on page 124.
tcpdump Description Displays packet information for network traffic that matches a specified filter. The traffic can be captured from an interface or read from a previously saved file. Press Ctrl+C to exit this process.
Syntax tcpdump [-aAdDeflLnNOpqRStuUvxX] [-c count] [-C file_size] [-E spi@addr algo:secret] [-F file] [-i interface] [-M secret] [-r file] [-s snaplen] [-T type] [-w file] [-W filecount] [-y datalinktype] [-Z user] [filter]
Parameters -a
Attempts to convert network and broadcast addresses to names.
-A
Prints packets in ASCII (no link level headers). Used to capture Web pages.
-c count
Exits after receiving the specified number of packets. If a count is not specified, press Ctrl+C to stop the capture.
-C file_size
Specifies the maximum output file size in millions of bytes. Before the value is exceeded, a new file is opened with the name specified by the -w option, followed by a number (starting with 1).
-d
Prints the compiled packet-matching code in a human-readable form to standard output.
-D
Lists the network interfaces on which tcpdump can capture packets. The interface name or number can be used with the -i option.
-e
Prints the link-level headers.
-E spi@addr algo:secret
Decrypts IPsec ESP packets that are addressed to addr and contain the Security Parameter Index value spi. The algorithms are des-cbc, 3des-cbc, blowfish-cbc, rc3-cbc, cast128-cbc, or none. The default is des-cbc. The secret is the ASCII text for the ESP secret key. A hexadecimal value can be preceded by 0x. This option is for debugging purposes, and using a true secret key is not recommended.
-f
Prints non-local IPv4 addresses numerically rather than symbolically (used to avoid long translation times). To avoid printing symbolic names, it is recommended that you use the -n or -nn option instead of the -f option.
-F file
Gets the filter from the specified file. A filter on the command line is ignored.
-i interface
Specifies the name or number of the interface used to capture traffic. If omitted, the lowest numbered, active interface is used (excluding loopback). Use the -D option to list the available interfaces. The interface pether refers to a physical ethernet interface. The physical ethernet interface is bridged to the logical ethernet device.
-l
Buffers the standard output so you can view the data while capturing it.
-L
Lists the known data link types for the interface and exits.
-M secret
Specifies a shared secret used to validate the MD5 digests found in TCP segments.
-n
Disables the conversion of host addresses to names.
-nn
Disables the conversion of protocols and port numbers to names.
-N
Omits domain name qualification of hostnames.
-O
Disables the packet-matching code optimizer (use only if you suspect a bug in the optimizer).
-p
Disables use of promiscuous mode on the interface.
-q
Prints less protocol information so output lines are shorter.
-r file
Reads packets from a file that was created with the -w option.
-R
Assumes ESP/AH packets are based on old specifications (RFC1825 to RFC1829). If specified, tcpdump does not print the replay prevention field.
-s snaplen
Captures the specified number of bytes (snapshot length) from each packet (the default is 68). Note that larger values increase the processing time, and may cause packets to be lost. A zero value captures the entire packet.
-S
Prints absolute, rather than relative, TCP sequence numbers.
-t
Omits the time stamp on each line.
-tt
Prints an unformatted time stamp on each line.
-ttt
Prints the time difference in micro-seconds from the previous line.
-tttt
Prints the date and time on each line.
-T type
Forces the filtered packets to be interpreted as the specified type. The current types are: aodv (Ad-hoc On-demand Distance Vector Protocol), cnfp (Cisco NetFlow Protocol), rpc (Remote Procedure Call), rtcp (Real-Time Applications Control Protocol), rtp (Real-Time Applications Protocol), snmp (Simple Network Management Protocol), tftp (Trivial File Transfer Protocol), vat (Visual Audio Tool), and wb (distributed White Board).
-u
Prints undecoded NFS handles.
-U
When the -w option is used, this option saves each packet as it is processed, rather than waiting until the output buffer is filled.
-v
Prints additional packet information, such as the time to live, identification, total length, and options for IP packets. Enables additional packet integrity checks as well, such as verifying the IP and ICMP header checksum.
-vv
Prints more information, such as additional fields from NFS reply packets, and SMB packets are fully decoded.
-vvv
Prints more information. For example, telnet SB ... SE options are printed in full, and -X telnet options are printed in hexadecimal.
-w file
Writes the raw packets to the specified file, rather than parsing and displaying them on the standard output. They can later be displayed with the -r option.
-W filecount
Used with the -C option to limit the number of files created. The oldest files are overwritten in a rotating sequence, as needed.
-x
Prints each packet in hexadecimal (no link level headers). The smaller of the entire packet or -s bytes are printed. The entire link-layer packet is printed, so for link layers that pad (such as Ethernet), the padding bytes will be printed when the higher layer packet is shorter than the required padding.
-xx
Prints each packet in hexadecimal, including the link level headers.
-X
Prints each packet in hex and ASCII (no link level headers). Useful for analyzing new protocols.
-XX
Prints each packet in hex and ASCII, including the link level headers.
-y datalinktype
Specifies the data link type to use.
-Z user
Drops privileges (if root), and changes the user ID to the specified user and the group ID to the primary group of the specified user.
filter
Specifies the type of packets to be captured (all traffic is captured by default). For example: dst host host captures packets with the specified hostname or IP address in the destination field; src host host captures packets with the specified hostname or IP address in the source field; and host host captures packets with the specified hostname or IP address in the source OR destination field.
Example The following example shows a sample of the output from tcpdump.
hostname # tcpdump
18:48:57.391331 IP 192.168.0.186.1386 > 192.168.0.69.ssh: . ack 23560 win 16404
18:48:57.391359 IP 192.168.0.69.ssh > 192.168.0.186.1386: P 25984:26248(264) ack 105 win 7504
18:48:57.391826 IP 192.168.0.69.ssh > 192.168.0.186.1386: P 26248:26476(228) ack 105 win 7504
18:48:57.392732 IP 192.168.0.186.1386 > 192.168.0.69.ssh: . ack 23824 win 16140
18:48:57.392763 IP 192.168.0.69.ssh > 192.168.0.186.1386: P 26476:26624(148) ack 105 win 7504
18:48:57.393210 IP 192.168.0.69.ssh > 192.168.0.186.1386: P 26624:26852(228) ack 105 win 7504
18:48:57.396132 IP 192.168.0.186.1386 > 192.168.0.69.ssh: . ack 24184 win 17520
18:48:57.396161 IP 192.168.0.69.ssh > 192.168.0.186.1386: P 26852:27000(148) ack 105 win 7504
18:48:57.396626 IP 192.168.0.69.ssh > 192.168.0.186.1386: P 27000:27228(228) ack 105 win 7504
18:48:57.397079 IP 192.168.0.69.ssh > 192.168.0.186.1386: P 27228:27376(148) ack 105 win 7504
18:48:57.400616 IP 192.168.0.186.1386 > 192.168.0.69.ssh: . ack 24544 win 17160
333 packets captured
333 packets received by filter
0 packets dropped by kernel
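Each line of tcpdump's default output carries the timestamp, the source and destination endpoints (the port or service name follows the last dot), the TCP flags (a dot for none, P for push), the sequence range with the payload length in parentheses, the acknowledgement number and the window. The following Python parser is an added example, not part of this guide or of tcpdump: it parses the example output above (with the spilled win tokens restored), totals packets and payload bytes per direction, and reports non-contiguous sequence numbers in one direction, which point at segments the capture missed or that arrived out of order.

```python
"""Parse the one-line-per-packet summaries tcpdump prints (the TCP/IP lines in
this command's example) and summarise the flow per direction. Added example,
not FireEye or tcpdump code; the input below is this page's output, restored."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# "18:48:57.391359 IP 192.168.0.69.ssh > 192.168.0.186.1386: P 25984:26248(264) ack 105 win 7504"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): "
    r"(?P<flags>[.A-Z]+)"                                      # "." = none, else S/P/F/R
    r"(?: (?P<seq_lo>\d+):(?P<seq_hi>\d+)\((?P<len>\d+)\))?"  # seq range + payload bytes
    r"(?: ack (?P<ack>\d+))?"
    r"(?: win (?P<win>\d+))?")

@dataclass
class Packet:
    ts: str
    src: Tuple[str, str]                 # (host, port or service name)
    dst: Tuple[str, str]
    flags: str
    seq: Optional[Tuple[int, int]]       # (first, next) sequence numbers when data is carried
    payload: int
    ack: Optional[int]
    win: Optional[int]

def split_endpoint(endpoint: str) -> Tuple[str, str]:
    """'192.168.0.69.ssh' -> ('192.168.0.69', 'ssh'): the port follows the last dot."""
    host, port = endpoint.rsplit(".", 1)
    return host, port

def parse_line(line: str) -> Optional[Packet]:
    """A Packet for a TCP/IP summary line, None for anything else (e.g. the trailer)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    g = m.groupdict()
    return Packet(ts=g["ts"], src=split_endpoint(g["src"]), dst=split_endpoint(g["dst"]),
                  flags=g["flags"],
                  seq=(int(g["seq_lo"]), int(g["seq_hi"])) if g["seq_lo"] else None,
                  payload=int(g["len"] or 0),
                  ack=int(g["ack"]) if g["ack"] else None,
                  win=int(g["win"]) if g["win"] else None)

def direction(pkt: Packet) -> str:
    return f"{pkt.src[0]}:{pkt.src[1]} -> {pkt.dst[0]}:{pkt.dst[1]}"

def summarise(lines: List[str]) -> Dict[str, Dict[str, int]]:
    """Packets, payload bytes and SYN/FIN/RST counts for each direction seen."""
    stats: Dict[str, Dict[str, int]] = defaultdict(
        lambda: {"packets": 0, "payload_bytes": 0, "syn": 0, "fin": 0, "rst": 0})
    for pkt in filter(None, map(parse_line, lines)):
        s = stats[direction(pkt)]
        s["packets"] += 1
        s["payload_bytes"] += pkt.payload
        for name, flag in (("syn", "S"), ("fin", "F"), ("rst", "R")):
            s[name] += flag in pkt.flags
    return dict(stats)

def find_sequence_gaps(lines: List[str]) -> List[Tuple[str, int, int]]:
    """(direction, expected_seq, observed_seq) wherever consecutive data segments in
    one direction are not contiguous: segments missed by the capture (compare the
    "packets dropped by kernel" trailer) or reordered on the wire."""
    last_end: Dict[str, int] = {}
    gaps: List[Tuple[str, int, int]] = []
    for pkt in filter(None, map(parse_line, lines)):
        if pkt.seq is None:
            continue
        key, (first, nxt) = direction(pkt), pkt.seq
        if key in last_end and first != last_end[key]:
            gaps.append((key, last_end[key], first))
        last_end[key] = nxt
    return gaps

SAMPLE_OUTPUT = [  # this page's example output, with the spilled "win" tokens put back
    "18:48:57.391331 IP 192.168.0.186.1386 > 192.168.0.69.ssh: . ack 23560 win 16404",
    "18:48:57.391359 IP 192.168.0.69.ssh > 192.168.0.186.1386: P 25984:26248(264) ack 105 win 7504",
    "18:48:57.391826 IP 192.168.0.69.ssh > 192.168.0.186.1386: P 26248:26476(228) ack 105 win 7504",
    "18:48:57.392732 IP 192.168.0.186.1386 > 192.168.0.69.ssh: . ack 23824 win 16140",
    "18:48:57.392763 IP 192.168.0.69.ssh > 192.168.0.186.1386: P 26476:26624(148) ack 105 win 7504",
    "18:48:57.393210 IP 192.168.0.69.ssh > 192.168.0.186.1386: P 26624:26852(228) ack 105 win 7504",
    "18:48:57.396132 IP 192.168.0.186.1386 > 192.168.0.69.ssh: . ack 24184 win 17520",
    "18:48:57.396161 IP 192.168.0.69.ssh > 192.168.0.186.1386: P 26852:27000(148) ack 105 win 7504",
    "18:48:57.396626 IP 192.168.0.69.ssh > 192.168.0.186.1386: P 27000:27228(228) ack 105 win 7504",
    "18:48:57.397079 IP 192.168.0.69.ssh > 192.168.0.186.1386: P 27228:27376(148) ack 105 win 7504",
    "18:48:57.400616 IP 192.168.0.186.1386 > 192.168.0.69.ssh: . ack 24544 win 17160",
    "333 packets captured",
    "333 packets received by filter",
    "0 packets dropped by kernel",
]
```

Feed it the text saved from a capture (or the output of -r on a file written with -w) and the per-direction totals show which side of the SSH session was sending data; the gap check is only meaningful when tcpdump was run without -n and the ports print as service names, or with -n and numeric ports, consistently within one capture, since the direction key is built from the printed endpoint.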
telnet Description Logs in to a remote device using the telnet protocol on the FireEye appliance.
Syntax telnet [-8] [-E] [-L] [-S tos] [-a] [-b hostalias] [-c] [-d] [-e char] [-l login_name] [-n tracefile] [-r [host] [port] ]
Parameters -8
Specifies an 8-bit data path, and attempts to negotiate the TELNET BINARY option on both input and output.
-E
Disables the use of an escape character.
-L
Specifies an 8-bit data path on output, and attempts to negotiate the BINARY option on output.
-S tos
Specifies the Type of Service value (0 to 15) in the telnet packet header.
-a
Attempts automatic login.
-b hostalias
Binds the local socket to an aliased address or to the address of an interface other than the one used by default. Allows you to connect to services that use IP addresses for authentication.
-c
Disables the reading of the user’s .telnetrc file.
-d
Sets the debug flag to TRUE.
-e char
Sets the initial escape character, which may be a two-character sequence starting with '^'. If the second character is '?', the DEL character is selected. Otherwise, the second character is converted to a control character and used as the escape character. If the escape character is omitted, it is disabled.
-l login_name
Login username on the remote machine. This option implies the -a option. This option may also be used with the telnet open command.
-n tracefile
Records trace information in the specified file.
-r
Specifies a user interface similar to rlogin. In this mode, the escape character is the tilde (~), unless modified by the -e option.
host [:port]
Remote device name or IP address. If the port number is omitted, the default port is 23.
Example The following example uses telnet to log in to a remote device on port 23.
hostname > telnet 192.168.0.69
The following example has the same effect, but uses the telnet “open” command to log in.
hostname > telnet
telnet > open 192.168.0.69
To close a telnet session, type close or quit.
terminal Sets the length and width of the CLI display as well as the terminal type.
Syntax terminal {terminal length length | terminal resize | terminal type type | terminal width width}
no terminal type
Parameters no
Use the no form of this command to clear the terminal type.
terminal length length
Number of lines shown on one page of CLI output (default is 24).
terminal resize
Resizes the CLI terminal settings to match the actual terminal in use.
terminal type type
Sets the terminal type, such as “xterm,” “ansi,” “vt100,” and “vt102.” The default is “(none),” which indicates a “dumb” terminal.
terminal width width
Number of characters per line (default is 80).
Example The following example sets the number of lines per page at 22.
hostname > terminal length 22
Related Commands For related commands, see: CLI Session Commands on page 69.
tpm enable To enable the trusted platform module (TPM) through physical presence, use the tpm enable command in configuration mode. You enable the TPM only once. You cannot undo this procedure. If you enable the TPM but do not have a keyboard directly attached to your appliance, you might lose access to the system after it restarts. If a serial console or IPMI console is attached to the appliance, the appliance will not enable the TPM. Related commands: show tpm, tpm rng enable
Syntax [no] tpm enable
User Role Administrator
Release Information Command introduced in Release 7.6.0.
Parameters no Cancels the TPM physical presence request.
Example The following example enables the TPM through physical presence:
hostname (config) # tpm enable
tpm rng enable To enable the trusted platform module (TPM) random number generator, use the tpm rng enable command in configuration mode. Related commands: show tpm, tpm enable
Syntax [no] tpm rng enable
User Role Administrator
Release Information Command introduced in Release 7.6.0.
Parameters no Disables the TPM random number generator settings.
Example The following example enables the TPM random number generator:
hostname (config) # tpm rng enable
traceroute Description Sends three probe packets to trace the routers in the path to a specified destination. For each router in the path, the hostname and IP address are shown, along with the roundtrip times measured for each probe.
Syntax traceroute [-dFInvrx] [-f first_ttl] [-g gateway] [-i interface] [-m max_ttl] [-p port] [-t tos] [-w waittime] [-z pause] destination [packetsize]
Parameters -d
Sets the socket debug option.
-f first_ttl
Number of routers the first probe packet can traverse before being discarded.
-F
Sets the do-not-fragment (DF) flag.
-g gateway
IP address of the source gateway.
-i interface
IP address or interface name used as the source address of the probes.
-I
Use ICMP echo requests for probes instead of UDP datagrams.
-m max_ttl
Number of routers all probe packets can traverse before being discarded (default is 30).
-n
Numeric address output only (no lookup for hostnames).
-p port
Base UDP port number that is incremented at the destination by the number of router hops, minus 1. The result should be an unused port on the destination so that an ICMP port unreachable message is returned.
-r
Indicates the target host is connected directly to the specified interface (-i option required).
-t tos
Type of Service value of the ping packets, such as an IP precedence value (0 to 7) or DSCP value (0 to 63). Default is 0.
-v
Verbose output.
-w waittime
Number of seconds to wait for a response to each probe (default is 5).
-x
Toggles use of IP checksums.
-z pause
Number of milliseconds between probes.
destination
Destination IP address or hostname.
packetsize
Number of data bytes per packet (default is 40).
Example The following example traces the path to the specified address, and omits hostname lookups for the output.
hostname > traceroute -n 192.168.0.127
traceroute to 192.168.0.127 (192.168.0.127), 30 hops max, 40 byte packets
 1 192.168.53.130 2 ms 0 ms 0 ms
 2 192.168.53.70 2 ms 2 ms 4 ms
 3 192.168.53.1 0 ms 2 ms 2 ms
 4 192.168.52.15 2 ms 2 ms 2 ms
 5 192.168.0.127 2 ms 2 ms 2 ms
username Description Creates a new user account or changes the access privileges on an existing account. Each new user is granted the Monitor role by default. An administrator can change the role or give a user no role; a user with no role cannot log in to the appliance. If a role is changed while the affected user is logged in, the user will be forcibly logged out. When the user logs in again, the capabilities associated with the new role are available to the user.
Each role has a corresponding system account by the same name that has the role. System accounts cannot be deleted or modified, with the exception of being locked out so they cannot be used to log in. By default, the provided system accounts for the Operator, Analyst, and Auditor roles have the "local login disabled" status, and are prevented from logging in. A user with this account status can still authenticate remotely and be mapped to this user account. New accounts with the Monitor role default to the "Account locked out" status for security reasons and cannot log in until an administrator changes their account status.
For details about roles and their capabilities, see the "User Accounts" information in the Operator's Guide for the appliance.
Related commands: show usernames, username disable, username password, and show users
Use the no form of this command to delete or disable options. The no username username role command gives the user no role, so the user can do nothing but log out. The default password is “admin” but when you log in and are required to change the default password, be sure your new password is at least 8 characters in length. The "root" user cannot log in via SSH.
Syntax [no] username username access network enable
[no] username username role type
[no] username username full-name
[no] username username subnet network_prefix
[no] username username vlan vlan_identifier
username username disable [password | local-login]
Parameters username
Name of a new user account or an existing account whose access privileges you want to change.
role type
Type of access privileges assigned to the user:
- admin—Access to all functions except the FireEye Web services API. To prevent an “admin” user from logging in to the appliance via SSH, use the no form of this command: no username admin access network enable. To allow an “admin” user login access to the appliance via SSH, issue the command: username admin access network enable.
- monitor—Read-only access to some things the admin role can change or configure.
- operator—Access to a subset of the capabilities associated with the admin role.
- analyst—Access to capabilities associated with detecting malware and taking appropriate action, including setting up alerts and reports.
- auditor—Access to capabilities associated with reviewing audit logs and performing forensic analysis to trace how events occurred.
password
Password, may include specification of the following types:
- 0 password. Specifies a cleartext password. Enter the cleartext string.
- 7 password. Specifies an encrypted password. Enter the encrypted string.
full-name
Sets the full name for the specified user.
subnet network_prefix
Configures a subnet for the user account.
vlan vlan_identifier
Configures a VLAN ID for the user account.
disable
Disables the user from logging in. The no form of this command restores the ability to log in. There are two options:
- password—Disables the user from logging in with a password.
- local-login—Disables the user from logging in locally, so the user can only log in remotely.
Example The following example creates the user “jsmith” with operator privileges.
hostname(config)# username jsmith role operator
username disable Description Disables a user account so that no new sessions are accepted for the account, or limits the local access for the user. Existing user sessions are not terminated. Only the Admin role can disable or limit other user accounts; users of any role can limit their own local access. Related commands: username password, aaa authentication password local change require-current
Syntax username username disable [ login | local-login | curr-password currentPassword]
Parameters
username Name of the user account to be disabled or given limited or no local access.
login Specifies that the user cannot log in to an appliance locally using a password, but can do so using an SSH authorized key.
local-login Specifies that the user cannot log in to an appliance locally, but can log in remotely.
curr-password currentPassword Specifies the current password of the user entering this command. If this parameter is not supplied and the system is configured to require the current password for password changes, the system prompts for the current password.
Examples The following example disables the "jsmith" user account.
hostname (config) # username jsmith disable
The following example prevents the "tjones" user from logging in to the appliance locally. In this scenario, "tjones" is entering the command, and the system is configured to require the current password for password changes.
hostname (config) # username tjones disable local-login curr-password password1234
Release Information Command parameter curr-password introduced in Release 7.9.1 for all appliances.
Release 7.9
username fe_services password Sets the password for the fe_services user, which FireEye uses when connecting through the FireEye as a Service VPN.
Syntax username fe_services password PASSWORD
User Role Admin role
Release Information This command was introduced in all FireEye appliances in FireEye Series Release 7.5.0.
Parameters
PASSWORD The password to set for the fe_services user.
Example
username fe_services password ABCD1234
username password Description Configures a password for a new user account or changes the password for an existing account. Configuring a password for a new account is required to enable the account. Only the Admin role can change passwords for other users; users of any role can change their own passwords. By default, the Web UI supports passwords of up to 32 characters, while the CLI supports longer passwords. If a password longer than 32 characters is configured in the CLI, the user will be unable to log in to the Web UI until the password length is reduced or the password rules are changed to allow more characters. To include double quotes ("), spaces, question marks (?), or backslashes (\) as password characters, you must include a backslash as an escape character. For example, for a password of abcde", enter abcde\" as the password parameter.
Related commands: show usernames, aaa authentication password local change require-current, aaa authentication password
Syntax username username {[ password password | password 0 password | password 7 password] | curr-password password}
Parameters
username Name of a new user account or an existing account whose password you want to change.
password 0 password Specifies a cleartext password that will be hashed before it is stored.
password 7 password Specifies a hashed password that is stored directly. This option allows you to use the hashed password displayed by the show configuration command.
curr-password password Specifies the current password of the user entering this command. If this parameter is not supplied and the system is configured to require the current password for password changes, the system prompts for the current password.
Examples The following example enters a cleartext password for the user "jsmith."
hostname (config) # username jsmith password 0 XJCdvd23
In the following examples, the user "tjones" is entering the command, and the system is configured to require the current password for password changes.
- The user supplies the current password in the command:
hostname (config) # username tjones password ABCde4H6 curr-password ZYX765RJ
- The system prompts for the current password because it was not supplied in the command:
hostname (config) # username tjones password ABCde4H6
Current password: ********
hostname (config) #
- An invalid current password was entered:
hostname (config) # username tjones password ABCde4H6
Current password: ***************
% Current password does not match. Please retry after 3 seconds.
Release Information Command parameter curr-password introduced in Release 7.9.1 for all appliances.
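The escaping and length rules for username password, as an added Python example (not code from the guide; the function names are its own): it builds the argument for the cleartext form of the command with the required backslash escapes and flags a password that the Web UI cannot accept.

```python
# Added example, not code from the FireEye guide: builds the argument for
# "username <user> password 0 <password>" with the backslash escapes the guide
# requires for double quotes, spaces, question marks and backslashes, and
# warns when the password exceeds the 32-character Web UI default so that an
# account is not left able to log in via the CLI only. Function names are this
# example's own.
from typing import List, Optional, Tuple

WEB_UI_MAX_PASSWORD_LEN = 32                 # Web UI default stated in the guide
CLI_ESCAPED_CHARS = frozenset('" ?\\')       # characters that need a leading backslash


def escape_cli_password(password: str) -> str:
    """Return the password as it must be typed on the CLI command line."""
    return "".join("\\" + ch if ch in CLI_ESCAPED_CHARS else ch for ch in password)


def unescape_cli_password(arg: str) -> str:
    """Inverse of escape_cli_password: recover the password the CLI will store."""
    out: List[str] = []
    i = 0
    while i < len(arg):
        if arg[i] == "\\" and i + 1 < len(arg) and arg[i + 1] in CLI_ESCAPED_CHARS:
            out.append(arg[i + 1])   # escaped character: keep it, drop the backslash
            i += 2
        else:
            out.append(arg[i])
            i += 1
    return "".join(out)


def username_password_command(user: str, password: str,
                              curr_password: Optional[str] = None) -> Tuple[str, List[str]]:
    """Build the config-mode command line plus any warnings worth reviewing."""
    warnings: List[str] = []
    if len(password) > WEB_UI_MAX_PASSWORD_LEN:
        warnings.append(
            f"password is {len(password)} characters; Web UI login will fail until it is "
            f"shortened to {WEB_UI_MAX_PASSWORD_LEN} or the password rules are changed")
    line = f"username {user} password 0 {escape_cli_password(password)}"
    if curr_password is not None:
        # Supplying curr-password avoids the interactive "Current password:" prompt.
        line += f" curr-password {escape_cli_password(curr_password)}"
    return line, warnings
```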
web-analysis Description Specifies the list of Web ports on which to capture traffic for analysis, and configures greylists for the Web MPS. This command is available on the Web MPS.
Syntax
web-analysis ports {ports | reset}
web-analysis greylists {dump-file {delete filename | upload filename} | enable | ips {name name | rename current-name newname} | priority-threshold dump | urls {name name | rename current-name newname}}
[no] web-analysis greylists {enable | ips name name | urls name name}
Release Information The web-analysis ports command is deprecated in NX Series 7.1.0 and later releases.
Parameters
ports Specify up to five Web ports (space separated).
- reset—Reset the specified Web port to the default configuration.
greylists The following greylist configuration options are supported:
- dump-file—Set raw data dump file operations.
  - upload filename
  - delete filename
- enable—Enable the custom greylists feature.
- ips—Configure a Web analysis custom IP Address greylist.
  - name name
  - rename current-name newname
- priority-threshold dump—Generate a raw data dump file for the priority-threshold table.
- urls—Configure a Web analysis custom URL greylist by specifying the URL greylist name, setting a priority level, and using the fetch command.
  - name name
  - priority number
  - fetch HTTP/FTP/TFTP URL or SCP://username:password@hostname/path/filename
  - rename current-name newname
Example The following example creates a new Web analysis URL greylist.
hostname (config)# web-analysis greylists enable
hostname (config)# web-analysis greylists urls name url_greylist.txt priority 11 fetch scp://user:pwd@WebMPS12/marketing/url_greylist
web auto-logout Sets the interval after which users are automatically logged out from the Web UI. Inactive users that are logged in to the Web UI for longer than this period will be logged out. The value set for this command can be viewed using the show web on page 1990 command as the "Inactivity timeout" setting.
Syntax web auto-logout
Parameters
no Use the no form of this command to disable the automatic logout feature.
auto-logout Specify the number of minutes until inactive users are automatically logged out. The default is 15 minutes. The value must be at least 10 seconds less than the value set for the web session renewal on page 1322 command.
Example The following example sets the Web interface logout time to 20 minutes for inactive users. Users who have been inactive in the Web UI for more than 20 minutes will be logged out.
hostname (config) # web auto-logout 20
User Role Admin or fe_services
Command Mode Configuration mode
Release Information This command was introduced as follows:
- AX Series: Before Release 6.4.0
- CM Series: Before Release 6.4.0
- EX Series: Before Release 6.4.0
- FX Series: Before Release 6.4.0
- HX Series: Release 2.5
- NX Series: Before Release 6.4.0
Related Commands
- show web
- web session renewal
- web session timeout
web client ssl To configure security for the HTTP/HTTPS client, use the web client command in configuration mode.
Syntax
[no] web client ssl ca-list {none | default-ca-list}
[no] web client ssl cert-verify
[no] web client ssl cipher-list {original | fips | cc-ndpp | fips-and-cc-ndpp | high-security | compatible}
[no] web client ssl min-version tls1
User Role Administrator or Operator
Release Information Command introduced in Release 7.6.0.
Parameters
ssl ca-list {none | default-ca-list} Configures supplemental CA certificates for the verification of server certificates during HTTPS file transfers:
- none—No supplemental list; use the built-in list only.
- default-ca-list—Default supplemental CA certificate list.
ssl cert-verify Enables the verification of server certificates during HTTPS file transfers.
ssl cipher-list {original | fips | cc-ndpp | fips-and-cc-ndpp | high-security | compatible} Configures the SSL settings:
- original—Original FireEye cipher list (maximum compatibility)
- fips—Compliant with FIPS
- cc-ndpp—Compliant with CC-NDPP
- fips-and-cc-ndpp—Compliant with both FIPS and CC-NDPP
- high-security—High security (might include ciphers not compliant with FIPS or CC-NDPP)
- compatible—Improved security while maintaining backward compatibility
ssl min-version tls1 Requires TLSv1 or higher.
Example The following example enables the verification of server certificates during HTTPS file transfers:
hostname (config)# web client ssl cert-verify
web logging level Allows users to change the minimum severity level for messages to be logged. This command was once the webui logging level command. Its name and syntax have changed.
Syntax web logging level
Parameters
Specify the minimum severity level for messages to be logged. Valid values are:
- none—Disable logging.
- emerg—Emergency: system is unusable.
- alert—Action must be taken immediately.
- crit—Critical conditions.
- err—Error conditions.
- warning—Warning conditions.
- notice—Normal but significant condition.
- info—Informational messages.
- debug—Debug-level messages.
Example The following example sets the minimum severity level for logging to error conditions.
hostname (config) # web logging level err
User Role Admin or fe_services
Command Mode Configuration mode
Release Information This command was introduced as follows:
- CM Series: Release 7.7
- HX Series: Release 3.0
- NX Series: Release 7.7
Related Commands
- show web logging level
web preferences config global alerts auto-refresh enable Use this command to enable or disable the alert tab auto-refresh.
Syntax [no] web preferences global alerts auto-refresh enable
Parameters
no Use the no form of this command to disable auto refresh of the alert tab.
Example The following example enables auto-refresh.
hostname (config) # web preferences global alerts auto-refresh enable
The following example disables auto-refresh.
hostname (config) # no web preferences global alerts auto-refresh enable
User Role Administrator
Command Mode Configuration
Release Information This command was introduced as follows:
- CM Series: Release 7.9.1
- NX Series: Release 7.9.1
Related Commands For a list of related commands, see: Web UI Configuration Commands on page 132.
web server To configure the Web server, use the web server command in configuration mode.
Syntax
web server certificate name {web-cert | system-self-signed}
web server certificate regenerate
no web server certificate name
[no] web server ssl cipher-list {original | fips | cc-ndpp | fips-and-cc-ndpp | high-security | compatible}
[no] web server ssl min-version {tls1 | tls1.1 | tls1.2}
web server http enable
web server https enable
User Role Administrator or Operator
Release Information This command was introduced as follows:
- EX Series: Release 7.6.0
- CM Series: Release 7.6.0
- NX Series: Release 7.6.0
- FX Series: Release 7.7.0
- AX Series: Release 7.7.0
Parameters
certificate name {web-cert | system-self-signed} Configures the certificate to use for HTTPS connections:
- web-cert—Specifies a named certificate of your own named "web-cert".
- system-self-signed—Specifies the system-self-signed certificate.
no web server certificate name Restores the system-self-signed certificate as the certificate to use for HTTPS connections.
certificate regenerate Regenerates the Web server certificate for HTTPS connections.
ssl cipher-list {original | fips | cc-ndpp | fips-and-cc-ndpp | high-security | compatible} Configures the SSL protocol:
- original—Original FireEye cipher list (maximum compatibility)
- fips—Compliant with FIPS
- cc-ndpp—Compliant with CC-NDPP
- fips-and-cc-ndpp—Compliant with both FIPS and CC-NDPP
- high-security—High security (might include ciphers not compliant with FIPS or CC-NDPP)
- compatible—Improved security while maintaining backward compatibility
ssl min-version {tls1 | tls1.1 | tls1.2} Specifies which version of TLSv1 will be the minimum requirement.
http enable Enables HTTP access to the Web UI.
https enable Enables HTTPS access to the Web UI.
Example The following example sets the minimum required version of the SSL protocol to TLSv1 or higher:
hostname (config) # web server ssl min-version tls1
web server listen enable Use this command to enable listen interface constraints for HTTP/HTTPS requests (described in web server listen interface on the facing page).
Syntax [no] web server listen enable
Parameters
no Use the no form of this command to disable listen interface constraints.
Examples The following example enables listen interface constraints.
hostname (config) # web server listen enable
The following example disables listen interface constraints.
hostname (config) # no web server listen enable
User Role Operator and Administrator
Command Mode Configuration
Release Information This command was introduced as follows:
- AX Series: Release 7.7.5
- CM Series: Release 7.9.1
- EX Series: Release 7.8
- FX Series: Release 7.7.5
- NX Series: Release 7.9.1
- VX Series: Release 7.9.1
web server listen interface Use this command to add an interface to the listen interface list so it can accept HTTP/HTTPS requests for remote access to the Web UI. The listen interface list is used when listen interface constraints are enabled on the appliance. Listen interface constraints are enabled by default. Use the command show web on page 1990 to verify whether they are enabled, and use the command web server listen enable on the previous page to enable them.
The management interface is used for remote access to the Web UI and CLI, and for other management traffic (such as NTP, SNMP, and syslog). The default management interface is ether1. You can define a different interface (such as ether2) for remote access to the Web UI and CLI.
When listen interface constraints are enabled on the appliance, only interfaces that meet the following criteria can accept HTTP/HTTPS requests (for Web UI access) and SSH connections (for CLI access).
- The interface must be in the listen interface list. By default, only ether1 is in this list.
- The interface exists and is running.
- DHCP and zeroconf are disabled on the interface (for IPv4), or IPv6 is enabled on both the interface and the system (for IPv6).
- The interface has an IPv4 or IPv6 address:
  - IPv4: At least one static nonzero IPv4 address is available to be assigned to the interface.
  - IPv6: A static IPv6 address is available to assign to the interface, or the address can be obtained dynamically through Stateless Address Autoconfiguration (SLAAC) or DHCP6.
The system prevents remote users from being locked out of the system when the criteria are not met by at least one interface. If no interface meets the criteria, listen interface constraints are not enforced, and all viable interfaces are open and can accept HTTP/HTTPS requests and SSH connections. For more information, see your System Administration Guide or Administration Guide.
Syntax [no] web server listen interface
Parameters
no Use the no form of this command to remove the interface from the listen interface list.
interface The interface to add to or remove from the listen interface list.
Examples The following example adds ether2 to the listen interface list.
hostname (config) # web server listen interface ether2
The following example removes ether1 from the listen interface list.
hostname (config) # no web server listen interface ether1
User Role Operator and Administrator
Command Mode Configuration
Release Information This command was introduced as follows:
- AX Series: Release 7.7.5
- CM Series: Release 7.9.1
- EX Series: Release 7.8
- FX Series: Release 7.7.5
- NX Series: Release 7.9.1
- VX Series: Release 7.9.1
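The listen interface criteria and the lockout-prevention fallback described above, as an added Python model (not the appliance's code): the Interface fields, function names and the sample interfaces are this example's own constructions, built only from the rules the guide states.

```python
# Added example, not code from the FireEye guide: models the listen interface
# rules the guide describes. An interface accepts HTTP/HTTPS and SSH only if it
# is in the listen list, exists and is running, and has a usable IPv4 address
# (static, nonzero, with DHCP and zeroconf off) or IPv6 address (IPv6 enabled
# on the interface and the system, static or obtainable via SLAAC/DHCP6). If no
# interface meets the criteria, constraints are not enforced and every viable
# interface is open. The data model and function names are this example's own.
from dataclasses import dataclass, field
from typing import List


@dataclass
class Interface:
    name: str
    exists: bool = True
    running: bool = True
    ipv4_static: List[str] = field(default_factory=list)  # configured static IPv4 addresses
    dhcp: bool = False
    zeroconf: bool = False
    ipv6_enabled: bool = False
    ipv6_static: List[str] = field(default_factory=list)
    ipv6_autoconf: bool = False   # SLAAC or DHCP6 can supply an address


def has_usable_ipv4(i: Interface) -> bool:
    """IPv4 criterion: DHCP and zeroconf off, at least one static nonzero address."""
    return (not i.dhcp and not i.zeroconf
            and any(addr != "0.0.0.0" for addr in i.ipv4_static))


def has_usable_ipv6(i: Interface, system_ipv6: bool) -> bool:
    """IPv6 criterion: enabled on interface and system, static or dynamic address."""
    return (i.ipv6_enabled and system_ipv6
            and (bool(i.ipv6_static) or i.ipv6_autoconf))


def is_viable(i: Interface, system_ipv6: bool) -> bool:
    """Viable: exists, running and addressable; this is the fallback set."""
    return i.exists and i.running and (has_usable_ipv4(i) or has_usable_ipv6(i, system_ipv6))


def meets_listen_criteria(i: Interface, listen_list: List[str], system_ipv6: bool) -> bool:
    """Full criteria: viable and present in the listen interface list."""
    return i.name in listen_list and is_viable(i, system_ipv6)


def open_interfaces(interfaces: List[Interface], listen_list: List[str],
                    constraints_enabled: bool, system_ipv6: bool) -> List[str]:
    """Names of the interfaces that will accept Web UI and CLI connections."""
    viable = [i.name for i in interfaces if is_viable(i, system_ipv6)]
    if not constraints_enabled:          # "no web server listen enable"
        return viable
    allowed = [i.name for i in interfaces
               if meets_listen_criteria(i, listen_list, system_ipv6)]
    # Lockout protection: when nothing on the listen list qualifies, the
    # constraints are not enforced and all viable interfaces are open.
    return allowed if allowed else viable
```

The fallback is the case to watch when auditing: a listen list that names only a DHCP-addressed or down interface silently opens every addressable interface.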
web server ssl ca-chain Use this command to activate a Web server CA certificate chain.
Syntax
web server ssl ca-chain chainName
no web server ssl ca-chain
Parameters
no Use the no form of the command to deactivate the certificate chain.
chainName Unique name for the certificate chain. The name must begin with a letter or number. The remaining characters in the name can be letters, numbers, periods (.), dashes (-), and underscores (_).
Example The following example activates the "apache01" certificate chain.
hostname (config) # web server ssl ca-chain apache01
User Role Operator and Administrator
Command Mode Configuration
Release Information This command was introduced as follows:
- CM Series: Release 7.9.1
- NX Series: Release 7.9.1
- VX Series: Release 7.9.1
web session renewal Configures the length of time before a Web session expires when the appliance issues a new cookie to renew the session.
Syntax [no] web session renewal
Parameters
no Use the no form of this command to reset the value of this command to its default of 30 minutes.
renewal Specify the number of minutes before web session expiration when a new cookie is issued. The default is 30 minutes. The value must be at least 5 seconds less than the value set for the web session timeout on page 1324 command and at least as long as the web auto-logout on page 1310 setting to ensure the cookie is renewed before automatic logout occurs.
Example The following example sets the Web session renewal time to 60 minutes before the session expires.
hostname (config) # web session renewal 60
User Role Admin or fe_services
Command Mode Configuration mode
Release Information This command was introduced as follows:
- AX Series: Before Release 6.4.0
- CM Series: Before Release 6.4.0
- EX Series: Before Release 6.4.0
- FX Series: Before Release 6.4.0
- HX Series: Release 2.5
- NX Series: Before Release 6.4.0
Related Commands
- show web
- web auto-logout
- web session timeout
web session timeout Sets the maximum lifetime of a Web session cookie. After this time, the Web session ends.
Syntax [no] web session timeout
Parameters
no Use the no form of this command to reset the timeout to its default of 150 minutes (two and a half hours).
timeout Specify the number of minutes for the lifetime of the web session cookie. The default is 150 minutes.
Example The following example sets the web session timeout length to 8 hours (480 minutes).
hostname (config) # web session timeout 480
User Role Admin or fe_services
Command Mode Configuration mode
Release Information This command was introduced as follows:
- AX Series: Before Release 6.4.0
- CM Series: Before Release 6.4.0
- EX Series: Before Release 6.4.0
- FX Series: Before Release 6.4.0
- HX Series: Release 2.5
- NX Series: Before Release 6.4.0
Related Commands
- show web
- web auto-logout
- web session renewal
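The three Web UI session timers (web auto-logout, web session renewal, web session timeout) and the gaps the guide requires between them, as an added Python example that is not code from the guide: it validates a proposed set of values and orders the commands so that no intermediate state violates the gaps. It assumes the appliance checks the gaps as each command is entered; the class and function names are its own.

```python
# Added example, not code from the FireEye guide: checks a proposed set of Web
# UI session timers against the ordering the guide states (web auto-logout at
# least 10 s below web session renewal, renewal at least 5 s below web session
# timeout) and plans the config-mode commands so that no intermediate state
# violates them, assuming the appliance checks each command as it is entered.
# The class and function names are this example's own.
from dataclasses import dataclass
from typing import List

DEFAULT_AUTO_LOGOUT_MIN = 15   # web auto-logout default
DEFAULT_RENEWAL_MIN = 30       # web session renewal default
DEFAULT_TIMEOUT_MIN = 150      # web session timeout default


@dataclass(frozen=True)
class WebSessionTimers:
    auto_logout_min: int = DEFAULT_AUTO_LOGOUT_MIN  # inactivity logout
    renewal_min: int = DEFAULT_RENEWAL_MIN          # cookie renewed this long before expiry
    timeout_min: int = DEFAULT_TIMEOUT_MIN          # cookie lifetime


def validate(t: WebSessionTimers) -> List[str]:
    """Return the constraint violations for a timer set (empty list means valid)."""
    problems: List[str] = []
    for name, value in (("auto-logout", t.auto_logout_min),
                        ("session renewal", t.renewal_min),
                        ("session timeout", t.timeout_min)):
        if value <= 0:
            problems.append(f"web {name}: value must be a positive number of minutes")
    # Timers are whole minutes, so compare in seconds to apply the 10 s / 5 s gaps exactly.
    if t.auto_logout_min * 60 + 10 > t.renewal_min * 60:
        problems.append("web auto-logout must be at least 10 seconds less than web session renewal")
    if t.renewal_min * 60 + 5 > t.timeout_min * 60:
        problems.append("web session renewal must be at least 5 seconds less than web session timeout")
    return problems


def plan_commands(current: WebSessionTimers, desired: WebSessionTimers) -> List[str]:
    """Order the CLI commands so every intermediate state also satisfies validate()."""
    if validate(current) or validate(desired):
        raise ValueError("both the current and the desired timer sets must be valid")
    steps = [
        ("web auto-logout", current.auto_logout_min, desired.auto_logout_min),
        ("web session renewal", current.renewal_min, desired.renewal_min),
        ("web session timeout", current.timeout_min, desired.timeout_min),
    ]
    # Shrink from the bottom of the chain up, then grow from the top down: each
    # command then only has to satisfy a neighbour that is already at its final
    # value or is about to move in the same direction.
    decreases = [f"{cmd} {new}" for cmd, old, new in steps if new < old]
    increases = [f"{cmd} {new}" for cmd, old, new in reversed(steps) if new > old]
    return decreases + increases
```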
write Saves the running configuration to the current active configuration file or displays the CLI commands for the running configuration. The active configuration is loaded automatically when you reboot the system. Note that configuration changes are applied immediately to the running configuration, but they must be saved to a configuration file if you want to retain them after the next reboot. Related commands: configuration write and configuration revert
Syntax write {memory | terminal}
Parameters
memory Saves the running configuration to the current active configuration file.
terminal Displays the CLI commands for the running configuration.
Example The following example saves the running configuration to the current active configuration file.
hostname (config) # write memory
Saving configuration file ... Done!
Related Commands For a list of related commands, see: Configuration Management Commands on page 75.
wsapi Description This command allows you to turn on or off the Web Services API server.
Platform CM-Series
Release This command was introduced on the CM Series 7.1.0 release.
Related Commands show wsapi and wsapi rtstats
Syntax wsapi {enable | disable}
Parameters
enable Enables the Web services API server.
disable Disables the Web services API server.
Example The following example enables the Web services API server:
hostname (config) # wsapi enable
The following example disables the Web services API server:
hostname (config) # wsapi disable
wsapi rtstats Description This command displays the Web Services API RT statistics.
Platform CM-Series
Release This command was introduced on the CM Series 7.1.0 release.
Related Commands show wsapi and wsapi
Syntax wsapi rtstats
Output
client_id|start_date|end_date|api_name|api_path|total_calls|min_time|max_time|avg_time
CURRENT_CUSTOMER|2014-01-22 01:34:35|2014-01-22 03:01:39|POST_auth|POST_auth?|2|3|154|78
yara Description Configures YARA rules. FireEye EX Series appliance supports the use of YARA rules for malware analysis. YARA is an open source, static analysis tool that allows information security analysts to specify byte-level rules that can be used to quickly review large quantities of files to find relevant matches.
Syntax yara {match limit | policy {fe | both} }
Parameters
match limit number Configures the limit for YARA matches. During YARA static analysis, FireEye identifies and reports on the first five (5) matching YARA rules seen for a given file. YARA rules are specific enough that only one or two rules will match a malicious sample at any given time; therefore, more than five matches is rare. FireEye matches up to 5 rules in general, and for the dynamic engine, the rule with the highest weight is matched.
policy {fe | both}
- fe—Enables FireEye YARA rules.
- both—Enables both FireEye and customer YARA rules.
Example The following example configures a YARA match limit of 3.
hostname (config) # yara match limit 3
yara match limit Description Configures the limit for YARA matches. FireEye identifies and reports on the first five (5) matching YARA rules seen for a given file. YARA rules are specific enough that only one or two rules will match a malicious sample at any given time; therefore, more than five matches is rare. FireEye matches up to 5 rules in general, and for the dynamic engine, the rule with the highest weight is matched.
Syntax yara match limit number
User Role Admin or Operator
Release Information This command was introduced as follows:
- NX Series and CM Series: Release 7.5.0
- EX Series: Release 7.6.0
Parameters
number The number of matches to identify and report. Range: 0-5. Default: 5.
Example hostname (config) # yara match limit 2
Related Topics
- yara policy
- yara weight default
yara policy Description Configures the type of policies used.
Related Topics
- yara match limit
- yara weight default
Syntax yara policy [ fe | cust | both | disable ]
User Role Admin or Operator
Release Information This command was introduced as follows:
- NX Series and CM Series: Release 7.5.0
- EX Series: Release 7.6.0
Parameters
fe Enables FireEye YARA rules. This is the default.
cust Enables custom rules.
both Enables both FireEye and custom rules.
disable Disables all YARA rules.
Example
hostname (config) # yara policy fe
yara weight default Configures the default weight for YARA rules. By default, every custom YARA rule should have an integer weight associated with it, ranging from 0 to 100. During static analysis, when a YARA rule match is made, the corresponding weight of the matched rule is added to the overall score of the file deemed malicious. As more YARA rules match, the rule with the highest weight is used. If no weight is provided for a given YARA rule, the default YARA weight is used. This means that FireEye still reports when the rule matches (if it is one of the first five rules matched); however, that matched rule will not contribute to the overall score of the file. YARA rules with a weight of 0 are generally used for informational purposes (for example, to flag a malformed Win32 portable executable).
Syntax yara weight default number
User Role Admin or Operator
Release Information This command was introduced as follows:
- NX Series and CM Series: Release 7.5.0
- EX Series: Release 7.6.0
Parameters
number The default weight to apply to YARA rules that have no weight of their own. Range: 0-100. Default: 100.
Example The following example configures a default YARA weight of 75.
hostname (config) # yara weight default 75
Related Topics
- yara match limit
- yara policy
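How yara policy, yara match limit and yara weight default combine on one file, as an added Python model that is not code from the guide: the RuleHit and YaraVerdict types, the function and the sample hits are this example's own constructions, built only from the behaviour the three entries describe.

```python
# Added example, not code from the FireEye guide: a model of the static-analysis
# behaviour described under yara policy, yara match limit and yara weight default.
# The policy selects which rule sources count, the first match-limit hits are
# reported, the highest explicit weight among them sets the file's YARA score,
# and hits with no weight are shown with the default weight but add nothing to
# the score. RuleHit, YaraVerdict and the sample hits are this example's own
# constructions, not the appliance's internal format.
from dataclasses import dataclass
from typing import List, Optional, Tuple

MATCH_LIMIT_MAX = 5     # yara match limit range 0-5
WEIGHT_MAX = 100        # yara weight default range 0-100
POLICY_SOURCES = {      # yara policy keyword -> rule sources that are enabled
    "fe": {"fe"},
    "cust": {"cust"},
    "both": {"fe", "cust"},
    "disable": set(),
}


@dataclass(frozen=True)
class RuleHit:
    rule: str
    source: str             # "fe" (FireEye rule) or "cust" (customer rule)
    weight: Optional[int]   # None when the rule carries no weight


@dataclass(frozen=True)
class YaraVerdict:
    reported: List[Tuple[str, int]]   # (rule, weight shown) for the first N hits
    score: int                        # highest explicit weight among reported hits
    informational: List[str]          # reported hits that did not affect the score


def apply_yara_policy(hits: List[RuleHit], policy: str,
                      match_limit: int, default_weight: int) -> YaraVerdict:
    """Reduce the raw rule hits for one file to what would be reported."""
    if policy not in POLICY_SOURCES:
        raise ValueError(f"unknown yara policy {policy!r}")
    if not 0 <= match_limit <= MATCH_LIMIT_MAX:
        raise ValueError(f"yara match limit must be 0-{MATCH_LIMIT_MAX}")
    if not 0 <= default_weight <= WEIGHT_MAX:
        raise ValueError(f"yara weight default must be 0-{WEIGHT_MAX}")
    enabled = [h for h in hits if h.source in POLICY_SOURCES[policy]]
    reported = enabled[:match_limit]          # first N matches, in the order seen
    shown = [(h.rule, default_weight if h.weight is None else h.weight) for h in reported]
    # Only an explicit, nonzero weight contributes; the highest one wins.
    score = max((h.weight for h in reported if h.weight), default=0)
    informational = [h.rule for h in reported if not h.weight]
    return YaraVerdict(shown, score, informational)
```

The match order matters: a high-weight rule that fires sixth is never reported or scored at the default limit, which is the reason to keep custom rules specific rather than broad.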
show aaa Shows authentication, authorization, and accounting settings.
Syntax show aaa
Parameters None
Output Fields The following table describes the output fields for the show aaa command. Fields are listed in the approximate order in which they appear in the output.
Authentication method(s) Type of remote authentication method:
- Local—The appliance authenticates users against the local username database.
- RADIUS—The appliance authenticates users against a remote RADIUS security server.
- TACACS+—The appliance authenticates users against a remote TACACS+ security server.
- LDAP—The appliance authenticates users against a remote LDAP server.
Authorization settings Default local user account that the user logs in to if the user does not have a local account and is authenticated by RADIUS, TACACS+, or Active Directory through LDAP. This field also displays the mapping behavior when authenticating users with a remote authentication server.
AAA authorization rules Whether the authorization rules are enabled or disabled.
Number of AAA authorization rules Number of new authorization rules that are created.
Web UI client certificate-based authentication Policy settings of the Web UI for certificate authentication, one of the following options:
- allowed—Users log in to the Web UI either using the user name and password provided by their administrator or using an optional client X.509 certificate for user authentication.
- required—Users log in to the Web UI using a client X.509 certificate; a certificate is mandatory for user authentication.
- disabled—Policy settings of the Web UI are disabled and do not accept a certificate.
Example The following example displays the AAA settings and requires the user to log in to the Web UI using a client X.509 certificate:
hostname # show aaa
Authentication method(s): local
Authorization settings:
Default User: monitor
Map Order: remote-first
No accounting methods configured.
AAA authorization rules: Enabled
Number of AAA authorization rules: 0
Web UI client certificate-based authentication: required
User Role Administrator, Operator, or Monitor
Command Mode Enable
Release Information This command was introduced as follows:
- AX Series: Before release 6.4
- CM Series: Before release 6.4. The command output was enhanced to display the Web UI client certificate-based authentication field to support certificate authentication in Release 7.9.1.
- EX Series: Before release 6.4
- FX Series: Before release 6.4
- HX Series: Release 2.5
- NX Series: Before release 6.4. The command output was enhanced to display the Web UI client certificate-based authentication field to support certificate authentication in Release 7.9.1.
- VX Series: Release 7.9. The command output was enhanced to display the Web UI client certificate-based authentication field to support certificate authentication in Release 7.9.1.
Related Commands For a list of related commands, see: AAA Accounting Commands on page 51.
show aaa authentication certificate crl Shows the status and content of the Certificate Revocation List (CRL) file. For details about certificate revocation, refer to the "Configuring CAC for Certificate Authentication" appendix of the System Administration Guide.
Syntax show aaa authentication certificate crl
Parameters None
Output Fields The following table describes the output fields for the show aaa authentication certificate crl command. Fields are listed in the approximate order in which they appear in the output.
Filename Name of the configured CRL file.
File Timestamp Date and time when the CRL file was downloaded.
File MD5Sum Result of the MD5 checksum.
File Content Content of the CRL file.
Example The following example shows the status and content of the CRL file:
hostname # show aaa authentication certificate crl
Filename       : john-doe.crl.pem
File Timestamp : 2016/10/11 23:56:04
File MD5Sum    : 285d9b706f5636f575c3d2d2e2fc9fb3
File Content   :
User Role Administrator
Command Mode Enable
Release Information This command was introduced as follows:
- CM Series: Release 7.9.1
- NX Series: Release 7.9.1
- VX Series: Release 7.9.1
Related Commands For a list of related commands, see CAC Commands on page 67.
show aaa authentication certificate Shows the status of the policy settings of the Web UI, certificate authentication settings, and the certificate revocation settings. The VX Series appliance does not have a Web UI. For details about the policy settings of the Web UI for certificate authentication, user attributes for the X.509 certificate, and certificate revocation, refer to the "Configuring CAC for Certificate Authentication" appendix of the System Administration Guide.
Syntax show aaa authentication certificate
Parameters None
Output Fields The following table describes the output fields for the show aaa authentication certificate command. Fields are listed in the approximate order in which they appear in the output.
Web Policy Policy settings of the Web UI for certificate authentication, one of the following options:
- allowed—Users log in to the Web UI either using the user name and password provided by their administrator or using an optional client X.509 certificate for user authentication.
- required—Users log in to the Web UI using a client X.509 certificate; a certificate is mandatory for user authentication.
- disabled—Policy settings of the Web UI are disabled and do not accept a certificate.
Certificate field for username User attributes for the X.509 certificate that are used for certificate authentication.
CA certificate bundle Name of the certificate bundle. The bundle is always named client-cert-auth.
1338
© 2016 FireEye
Release 7.9
show aaa authentication certificate
Field OCSP enabled
Description Whether the Online Certificate Status Protocol (OCSP) is enabled or disabled so that the appliance can verify the status of the certificate revocation.
Default Whether the default URL is configured or not configured on the appliance. OCSP URL This URL is used when the appliance cannot communicate with the OCSP responder from the certificate. OCSP override responder
Whether the OCSP override responder is enabled or disabled so that the default OCSP responder is used when the certificate is being validated even if the certificate references an OCSP responder.
Basic constraints must present
Whether the appliance allows or prohibits a certificate with a missing basic constraints extension.
No CRL file is configured
Whether the CRL file is configured or not configured. Only one CRL file can be present on the system.
Example The following example shows the configuration settings for certificate authentication: hostname # show aaa authentication certificate Certificate based authentication settings: Web Policy
: allowed
Certificate field for username : x509-cert-san-upn CA certificate bundle OCSP enabled
: client-cert-auth : yes
Default OCSP URL OCSP override responder
: Not Configured : yes
Basic constraints must present : yes No CRL file is configured.
User Role Administrator
© 2016 FireEye
1339
CLI Reference Guide
PART III: Commands
Command Mode Enable
Release Information This command was introduced as follows: l
CM Series: Release 7.9.1
l
NX Series: Release 7.9.1
l
VX Series: Release 7.9.1
Related Commands For a list of related commands, see CAC Commands on page 67.
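The CRL printed by show aaa authentication certificate crl above, together with OCSP, is the only revocation information the appliance consults when a client certificate is presented, so it is worth being able to read one off the appliance to confirm what it actually contains and whether it is still within its validity window. The following is an added example, not part of the guide and not FireEye code: it re-joins the base64 from the example output above (the CRL shown is the constructed sample input), walks the DER TBSCertList with the standard library, and reports the issuer, CRL number, thisUpdate/nextUpdate and the revoked serial numbers. The signature is skipped over but not verified here; the appliance verifies it against the client-cert-auth bundle. The helper names (der_read, parse_crl, is_current, is_revoked) are this example's own.

```python
"""Added example (not FireEye code): decode the X.509 CRL shown by
'show aaa authentication certificate crl', list revoked serials, and check
that the CRL is still inside its [thisUpdate, nextUpdate] window.
Standard library only; the signature is parsed past but NOT verified."""
import base64
import re
from datetime import datetime, timezone

# CRL copied from the guide's example output, re-joined across the page break.
CRL_PEM = """-----BEGIN X509 CRL-----
MIIB5zCB0AIBATANBgkqhkiG9w0BAQsFADBiMQswCQYDVQQGEwJVUzELMAkGA1UE
CAwCQ0ExETAPBgNVBAcMCE1pbHBpdGFzMRAwDgYDVQQKDAdGaXJlRXllMQ0wCwYD
VQQLDARDQW91MRIwEAYDVQQDDAl2cHMxX2NhXzMXDTE2MTAxMDE4MDIyNFoXDTE2
MTEwOTE4MDIyNFowKjATAgIgARcNMTYxMDA3MjAzNzQ2WjATAgIgAhcNMTYxMDEw
MTc1NTI1WqAOMAwwCgYDVR0UBAMCAQIwDQYJKoZIhvcNAQELBQADggEBAJcE2qxg
QqA9Y2791InwFcJ2xZi3raEXRldZcB6nh421yvRYWsRAsSr6d6JyPJC0mYfWBkOz
avsBwoFXygInwF1fDfR4oLM+kQchFE5n9ukwhuK6aGd2sAM+BAIiPyVVFw5UdhQ/
7cewJ/5sOTW3cO0uA70DEJmKK25mHfR89jSuFjQArj6QvgkWRMYugpqnounX3ujA
RBEPhCiTaHpyCxJj6LrBMCvAaSQNg1udAF3I68MHjh5SrVD7fjDruI43pTOeVzFn
0wqDc/YyN+meVlhznsB0IcVqon10zPkIBCxS3k9ditHUaL7Nb5LYxkl65reo6JjG
LFadKDokYyzZBBY=
-----END X509 CRL-----"""

# Attribute-type OIDs that appear in the issuer Name (RFC 4519 short names).
RDN_NAMES = {"550406": "C", "550408": "ST", "550407": "L",
             "55040a": "O", "55040b": "OU", "550403": "CN"}
OID_CRL_NUMBER = "551d14"   # id-ce-cRLNumber


def der_read(buf, pos):
    """Read one DER TLV at pos; return (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def der_children(value):
    """Split the content of a SEQUENCE or SET into its (tag, value) children."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_read(value, pos)
        out.append((tag, val))
    return out


def der_time(tag, val):
    # UTCTime (0x17) is YYMMDDhhmmssZ; GeneralizedTime (0x18) is YYYYMMDDhhmmssZ.
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(val.decode("ascii"), fmt).replace(tzinfo=timezone.utc)


def parse_crl(pem):
    """Parse the TBSCertList of a PEM CRL (RFC 5280 section 5.1) into a dict."""
    der = base64.b64decode(re.sub(r"-----[A-Z0-9 ]+-----|\s", "", pem))
    _, cert_list, _ = der_read(der, 0)                      # CertificateList
    fields = der_children(der_children(cert_list)[0][1])    # tbsCertList
    i, version = 0, 1
    if fields[i][0] == 0x02:                # optional version INTEGER (1 means v2)
        version = int.from_bytes(fields[i][1], "big") + 1
        i += 1
    i += 1                                  # signature AlgorithmIdentifier, skipped
    issuer = {}
    for _, rdn in der_children(fields[i][1]):   # Name: SEQUENCE OF SET OF AttributeTypeAndValue
        (_, oid), (_, text) = der_children(der_children(rdn)[0][1])
        issuer[RDN_NAMES.get(oid.hex(), oid.hex())] = text.decode("utf-8")
    i += 1
    this_update = der_time(*fields[i])
    i += 1
    next_update = None
    if fields[i][0] in (0x17, 0x18):        # nextUpdate is OPTIONAL
        next_update = der_time(*fields[i])
        i += 1
    revoked = {}
    if i < len(fields) and fields[i][0] == 0x30:    # revokedCertificates
        for _, entry in der_children(fields[i][1]):
            (_, serial), (ttag, tval) = der_children(entry)[:2]
            revoked[int.from_bytes(serial, "big")] = der_time(ttag, tval)
        i += 1
    crl_number = None
    if i < len(fields) and fields[i][0] == 0xA0:    # [0] crlExtensions
        for _, ext in der_children(der_children(fields[i][1])[0][1]):
            parts = der_children(ext)               # extnID [, critical], extnValue
            if parts[0][1].hex() == OID_CRL_NUMBER:
                crl_number = int.from_bytes(der_children(parts[-1][1])[0][1], "big")
    return {"version": version, "issuer": issuer, "this_update": this_update,
            "next_update": next_update, "revoked": revoked, "crl_number": crl_number}


def is_current(crl, now):
    """A CRL is usable between thisUpdate and nextUpdate; past nextUpdate it is stale."""
    if now < crl["this_update"]:
        return False
    return crl["next_update"] is None or now <= crl["next_update"]


def is_revoked(crl, serial):
    return serial in crl["revoked"]


if __name__ == "__main__":
    crl = parse_crl(CRL_PEM)
    print("issuer    :", ", ".join(f"{k}={v}" for k, v in crl["issuer"].items()))
    print("CRL number:", crl["crl_number"], " version:", crl["version"])
    print("valid from", crl["this_update"], "until", crl["next_update"])
    for serial, when in sorted(crl["revoked"].items()):
        print(f"revoked   : serial 0x{serial:x} at {when}")
    print("current?  :", is_current(crl, datetime.now(timezone.utc)))
```

The nextUpdate check is the one operators most often miss: the appliance accepts only one CRL file, so a CRL whose nextUpdate has passed silently stops reflecting new revocations until a fresh file is uploaded.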
show aaa authentication attempts
Description Displays the configuration and history of authentication failures. Optionally, displays only the configuration of authentication failure tracking or only the status of failure tracking and lockouts.
Syntax show aaa authentication attempts [configured | status]
Parameters show aaa authentication attempts [configured | status {user}]
- configured: Displays the current configuration settings for authentication failure tracking.
- status: Displays the status of current authentication failure tracking and lockouts.
- user: With status, shows the authentication attempts for the specified user.
Example The following example displays the status of authentication attempt failure tracking.
    MAS-8300 (config) # show aaa authentication attempts status
    Username                                    Known  Locked  Failures  Last fail time       Last fail from
    ------------------------------------------  -----  ------  --------  -------------------  --------------
    2RAPW5RD8UG3EWWRXR1E73XBHQFW7L1DKQ9YVVW(*)  no     no      3         2013/07/20 01:18:05  172.16.172.100
    (*) Hashed for security reasons
show aaa authentication password
To display password validation and password change settings, run the show aaa authentication password command in enable mode.
Syntax show aaa authentication password
User Role Monitor, Analyst, Operator, or Admin
Release Information Command introduced in Release 7.1.0. Some output settings introduced in Release 7.5.0 for the NX Series appliance and the CM Series platform and in Release 7.6.0 for the EX Series appliance.
Description This command displays the current settings used to enforce password security. For more information, see the aaa authentication password commands and the "Authentication" chapter of your System Administration Guide or Administration Guide.
Parameters None
Example The following example shows password validation rules that require at least one uppercase character, one numeral, and two special characters in a password; that allow a character to be repeated consecutively one time; and that require a password to be changed six times before it can be used again. It also specifies that the password must be different from the username, that non-admin users must enter their current passwords to change their passwords, and that the LCD password must be at least eight characters. Password change rules require new users to change their passwords after the first login, require all other passwords to be changed every 90 days, and specify that users are warned 15 days before their passwords expire. Default values for all other settings are shown.
    hostname # show aaa authentication password
    Local password requirements:
      Minimum length:                              8
      Maximum length:                              32
      Maximum character repeats:                   2
      Minimum lower case characters:               0
      Minimum upper case characters:               1
      Minimum special characters:                  2
      Minimum numeric characters:                  1
      Recent passwords to check against:           6
      Allowed to match userid:                     no
      Require current password on change:          yes (non-admin users only)
      Allow set of encrypted password:             yes (admin users only)
    Require password change on local accounts:
      Require password change for new account:     yes
      Maximum password age before change required: 90
      Warn user before password expires:           15 days ahead
    LCD password requirements:
      Minimum length:                              8
show aaa authentication password
Description Displays the configuration of each aaa authentication password option and shows whether users changing their own password are required to enter their current password as well as the new password. Related commands: aaa authentication password, aaa authentication password local change require-current
Syntax show aaa authentication password
Parameters None
Example The following command shows that the appliance is configured with a password length of between 8 and 32 characters and a maximum of two character repeats, and that current passwords are required.
    hostname # show aaa authentication password
    Local password requirements:
      Minimum length:                     8
      Maximum length:                     32
      Maximum character repeats:          2
      Minimum lower case characters:      0
      Minimum upper case characters:      0
      Minimum special characters:         0
      Minimum numeric characters:         0
      Require current password on change: yes (non-admin users only)
    LCD password requirements:
      Minimum length:                     0
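The two show aaa authentication password listings above print the validation rules but not how they are applied, and the wording of some fields (character repeats, recent-password history) is easy to misread when auditing a configuration. The following added example, which is not FireEye code and not part of the guide, applies the first listing's local password requirements to a candidate password and returns every rule it violates. The rule semantics are this example's reading of the output fields: "Maximum character repeats: 2" is read as no run of more than two identical consecutive characters (the text's "repeated consecutively one time"), and "Recent passwords to check against: 6" as a comparison against digests of the six most recent passwords. The password-age and "Allow set of encrypted password" settings govern password changes rather than validation and are left out. POLICY, validate, longest_run and fingerprint are this example's own names.

```python
"""Added example (not FireEye code): apply the local password requirements
printed by 'show aaa authentication password' to a candidate password."""
import hashlib
import string

# Rule values copied from the guide's first example output (constructed dict).
POLICY = {
    "min_length": 8,
    "max_length": 32,
    "max_char_repeats": 2,        # longest allowed run of one character
    "min_lower": 0,
    "min_upper": 1,
    "min_special": 2,
    "min_numeric": 1,
    "recent_passwords_to_check": 6,
    "allowed_to_match_userid": False,
}

SPECIAL = set(string.punctuation)   # assumption: "special" means ASCII punctuation


def longest_run(s):
    """Length of the longest run of identical consecutive characters."""
    best = run = 0
    for i, ch in enumerate(s):
        run = run + 1 if i and s[i - 1] == ch else 1
        best = max(best, run)
    return best


def fingerprint(password):
    """Digest kept in the history list so old passwords are never stored in clear."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def validate(password, userid, history, policy=POLICY):
    """Return the list of violated rules; an empty list means the password is accepted.

    history: fingerprints of previous passwords, oldest first, newest last."""
    problems = []
    n = len(password)
    if n < policy["min_length"]:
        problems.append("shorter than minimum length")
    if n > policy["max_length"]:
        problems.append("longer than maximum length")
    if longest_run(password) > policy["max_char_repeats"]:
        problems.append("too many consecutive repeated characters")
    if sum(c.islower() for c in password) < policy["min_lower"]:
        problems.append("too few lower case characters")
    if sum(c.isupper() for c in password) < policy["min_upper"]:
        problems.append("too few upper case characters")
    if sum(c in SPECIAL for c in password) < policy["min_special"]:
        problems.append("too few special characters")
    if sum(c.isdigit() for c in password) < policy["min_numeric"]:
        problems.append("too few numeric characters")
    if not policy["allowed_to_match_userid"] and password.lower() == userid.lower():
        problems.append("password matches the user id")
    # Only the N most recent entries count, so a password becomes reusable
    # after N further changes, as the guide's example text describes.
    recent = history[-policy["recent_passwords_to_check"]:] if policy["recent_passwords_to_check"] else []
    if fingerprint(password) in recent:
        problems.append("reused one of the recent passwords")
    return problems


if __name__ == "__main__":
    old = [fingerprint("Summer!!2024")]
    for candidate in ("Summer!!2024", "Summer!!!2024", "summer!!2024", "Autumn##2024"):
        print(f"{candidate!r}: {validate(candidate, 'alice', old) or 'accepted'}")
```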
show aaa authorization certificate
Shows the configuration settings for certificate authorization. For details about configuring LDAP mappings for authorization, refer to the "Configuring CAC for Certificate Authentication" appendix of the System Administration Guide.
Syntax show aaa authorization certificate
Parameters None
Output Fields The following table describes the output fields for the show aaa authorization certificate command. Fields are listed in the approximate order in which they appear in the output.
- LDAP enabled: Whether the LDAP server is enabled or disabled to authorize users that are already authenticated with the X.509 certificate.
- LDAP Match Attribute: LDAP attribute matched against the certificate field that was specified with the aaa authorization certificate map-ldap match-cert-field command.
- Certificate field to match: Certificate field matched against the LDAP attribute for authorization.
- LDAP Search Filter: LDAP search filter that is defined for certificate authorization.
- Username override: Whether the LDAP override of the username setting is enabled or disabled.
Example The following example shows the configuration settings for certificate authorization:
    hostname # show aaa authorization certificate
    Certificate based authorization settings:
    LDAP enabled               : yes
    LDAP Match Attribute       : uid
    Certificate field to match : x509-cert-san-email-username
    LDAP Search Filter         : (!(cn=Test Cardholder))
    Username override          : no
User Role Administrator
Command Mode Enable
Release Information This command was introduced as follows:
- CM Series: Release 7.9.1
- NX Series: Release 7.9.1
- VX Series: Release 7.9.1
Related Commands For a list of related commands, see CAC Commands on page 67.
show aaa authorization rules
Shows all configured authorization rules in the local configuration that override the local user account. A remote authentication server determines which method remote users can use to log in to an appliance. You can verify whether all authorization rules are enabled or disabled.
Syntax show aaa authorization rules
Parameters None
Example The following example shows eight rules configured with different matching criteria.
    hostname # show aaa authorization rules
    ------------------------------------------------
    # AAA Authorization Rules : Enabled
    ------------------------------------------------
    # Rule      Statements
    ------------------------------------------------
    #1  Match Auth Methods        : ldap
        Match LDAP Group          : cn=test_group,ou=groups,dc=vps1,dc=eng,dc=company1,dc=com
        -->Action Map Local User  : test_user1
    #2  Match Remote Users        : rem_user1 rem_user2 rem_user3
        Match Map Local Users     : loc_user1 loc_user2
        -->Action Map Local User  : test_user2
    #3  Match Auth Methods        : radius
        Not-Match Remote Users    : rem_user1 rem_user2
        -->Action Map Local User  : test_user3
    #4  Not-Match Auth Methods    : tacacs+
        Match Map Local Users     : loc_user1 loc_user4
        -->Action Map Local User  : test_user4
    #5  Match Auth Methods        : ldap
        Match LDAP Search Filter  : (memberOf=CN=TechUsers,OU=Security Groups,OU=Milpitas,OU=United States,OU=Locations,DC=Company1,DC=com)
        -->Action Map Local User  : test_user5
    #6  Match Auth Methods        : ldap
        Not-Match Map Local Users : loc_user1
        Not-Match LDAP Group      : cn=test_group,ou=groups,dc=vps1,dc=eng,dc=company1,dc=com
        -->Action Map Local User  : test_user3
    #7  Match Auth Methods        : remote
        Not-Match Remote Users    : rem_user4
        -->Action Map Local User  : test_user6
    #8  Match Auth Methods        : radius tacacs+
        Match Remote Users        : rem_user1
        -->Action Map Local User  : test_user5
The following example shows the new authorization rules that are matched using the X.509 certificate authentication method.
    hostname # show aaa authorization rules
    ------------------------------------------------
    # AAA Authorization Rules : Enabled
    ------------------------------------------------
    # Rule      Statements
    ------------------------------------------------
    # 1  Match Auth Methods        : x509-cert
         -->Action Map Local User  : monitor
    # 2  Match x509 Cert Subject   : C=US, ST=CA, L=Milpitas, O=FireEye, OU=Engineering, CN=Test Cardholder
         -->Action Map Local User  : monitor
User Role Administrator, Operator, or Monitor
Command Mode Enable
Release Information This command was introduced as follows:
- AX Series: Before release 6.4
- CM Series: Before release 6.4. The command output was enhanced to display the x509-cert authentication method and the new authorization rules to match against the X.509 certificate fields in Release 7.9.1.
- EX Series: Before release 6.4
- FX Series: Before release 6.4
- HX Series: Release 2.5
- NX Series: Before release 6.4. The command output was enhanced to display the x509-cert authentication method and the new authorization rules to match against the X.509 certificate fields in Release 7.9.1.
- VX Series: Release 7.9. The command output was enhanced to display the x509-cert authentication method and the new authorization rules to match against the X.509 certificate fields in Release 7.9.1.
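The rule listing shown by show aaa authorization rules is easiest to audit when each rule is read as a set of Match and Not-Match predicates followed by one action. The following added example, which is not FireEye code and not part of the guide, models rules 1 to 4 and 6 to 8 of the first listing as data and evaluates a login session against them, so an administrator can predict which local account a given remote login will be mapped to before the user tries it. The assumptions are this example's own: the first matching rule wins (the guide does not state the evaluation order), the auth method "remote" in rule 7 stands for any remote method (ldap, radius, tacacs+, x509-cert), and rule 5 is omitted because its LDAP search filter can only be evaluated by a directory query. Session, Rule, authorize and the attribute names are hypothetical names chosen for the example.

```python
"""Added example (not FireEye code): evaluate the aaa authorization rules
from the guide's example listing against a login session.  First match wins
(assumption); 'remote' is taken to mean any remote auth method (assumption)."""
from dataclasses import dataclass, field

REMOTE_METHODS = {"ldap", "radius", "tacacs+", "x509-cert"}
GROUP = "cn=test_group,ou=groups,dc=vps1,dc=eng,dc=company1,dc=com"


@dataclass
class Session:
    auth_method: str                      # "local", "ldap", "radius", "tacacs+", "x509-cert"
    remote_user: str = ""
    mapped_local_user: str = ""           # local account the remote server mapped the user to
    ldap_groups: frozenset = frozenset()
    cert_subject: str = ""


@dataclass
class Rule:
    number: int
    map_local_user: str                   # the -->Action Map Local User value
    match: dict = field(default_factory=dict)      # attribute -> values, any must be present
    not_match: dict = field(default_factory=dict)  # attribute -> values, none may be present


def session_values(session, attribute):
    """Values the session carries for one rule attribute."""
    if attribute == "auth_methods":
        methods = {session.auth_method}
        if session.auth_method in REMOTE_METHODS:
            methods.add("remote")
        return methods
    if attribute == "remote_users":
        return {session.remote_user}
    if attribute == "map_local_users":
        return {session.mapped_local_user}
    if attribute == "ldap_group":
        return set(session.ldap_groups)
    if attribute == "x509_cert_subject":
        return {session.cert_subject}
    raise ValueError(f"unknown rule attribute {attribute!r}")


def rule_matches(rule, session):
    for attr, values in rule.match.items():
        if not session_values(session, attr) & set(values):
            return False
    for attr, values in rule.not_match.items():
        if session_values(session, attr) & set(values):
            return False
    return True


def authorize(rules, session):
    """Local user the first matching rule maps to; None means no rule overrides the account."""
    for rule in rules:
        if rule_matches(rule, session):
            return rule.map_local_user
    return None


# Rules 1-4 and 6-8 transcribed from the guide's example output.
RULES = [
    Rule(1, "test_user1", match={"auth_methods": ["ldap"], "ldap_group": [GROUP]}),
    Rule(2, "test_user2", match={"remote_users": ["rem_user1", "rem_user2", "rem_user3"],
                                 "map_local_users": ["loc_user1", "loc_user2"]}),
    Rule(3, "test_user3", match={"auth_methods": ["radius"]},
         not_match={"remote_users": ["rem_user1", "rem_user2"]}),
    Rule(4, "test_user4", match={"map_local_users": ["loc_user1", "loc_user4"]},
         not_match={"auth_methods": ["tacacs+"]}),
    Rule(6, "test_user3", match={"auth_methods": ["ldap"]},
         not_match={"map_local_users": ["loc_user1"], "ldap_group": [GROUP]}),
    Rule(7, "test_user6", match={"auth_methods": ["remote"]},
         not_match={"remote_users": ["rem_user4"]}),
    Rule(8, "test_user5", match={"auth_methods": ["radius", "tacacs+"],
                                 "remote_users": ["rem_user1"]}),
]


if __name__ == "__main__":
    # Constructed sessions; note that rule 7 shadows rule 8 for rem_user1 over radius.
    for s in (Session("ldap", "rem_user9", "loc_user3", frozenset({GROUP})),
              Session("radius", "rem_user3", "loc_user9"),
              Session("radius", "rem_user1", "loc_user9"),
              Session("tacacs+", "rem_user4", "loc_user4")):
        print(s.auth_method, s.remote_user, "->", authorize(RULES, s))
```

Because the model treats the rules as ordered, it also exposes shadowing: rule 7 (any remote method except rem_user4) fires for rem_user1 over RADIUS before rule 8 is ever reached.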
show alerts
Description Displays information about alerts. Alerts are log records of malicious events. Alerts can be viewed by time frame, host, or infection type. This command is supported on the Web MPS appliance.
Syntax
    show alerts hosts [timeframe start_time end_time | ip_address]
    show alerts whitelist source_IP
    show alerts summary
    show alerts type {all | malware-callback | infection-match | web-infection | domain-match | malware-object} [detail [timeframe start_time end_time] | id alert_id]
Parameters
- hosts [timeframe start_time end_time | ip_address]: Displays a list of all alerts, ordered by hosts, with the option to specify a time frame or an IP address. The time frame may be the time from before now (start_time only) or a period with starting and ending times. Times should be in N format; for example, 24h for 24 hours.
- whitelist source_IP: Displays the alerts whitelist for a given source IP.
- summary: Displays a summary of all alerts.
- type: Shows alerts for a given alert type. The alert type options are:
  - all
  - malware-callback
  - infection-match
  - web-infection
  - malware-object
  - domain-match
- detail: Selects the level of detailed information displayed for the specified alert type.
  - list: Displays one alert per line.
  - concise: Displays a concise summary of every alert.
  - normal: Displays normal details of every alert.
  - extended: Displays extended details of every alert.
- timeframe start_time end_time: Displays detailed alert information for all alerts or for one alert in the specified time frame.
- id alert_id: Displays information about a particular alert using the specified ID.
Examples The following example displays a list of alerts, ordered by hosts.
    hostname # show alerts hosts
    (Showing last 24 hours)
    SrcIP            Severity  #Inf  #Cb  #Blkd  Time                 Last Malware
    ------------------------------------------------------------------------------
    26.47.126.205    critical  3     1    0      2015-04-14 14:24:02  InfoStealer.Fareit
    62.87.186.81     critical  5     1    0      2015-04-14 16:33:06  InfoStealer.Zbot
    66.175.247.126   critical  3     1    0      2015-04-14 15:46:58  Malware.Binary.url
    67.189.235.111   major     9     1    0      2015-04-14 16:51:36  Worm.Kufgal.B
    69.234.187.131   critical  2     2    0      2015-04-14 15:20:32  Malware.Binary.url
    69.238.188.227   critical  2     7    0      2015-04-14 16:34:58  Trojan.TDSServ
    70.169.234.186   critical  3     1    0      2015-04-14 12:48:23  FE_Packer_UPX
    71.189.204.152   critical  3     0    0      2015-04-14 15:12:41  Malware.Binary.url
    73.172.213.222   critical  5     7    0      2015-04-14 14:39:55  InfoStealer.Banker.SpyEye
    73.184.221.230   critical  2     3    0      2015-04-14 14:48:15  Malware.Binary.url
    73.218.224.205   critical  2     3    0      2015-04-14 15:12:36  Local.Callback
    73.235.202.159   critical  2     7    0      2015-04-14 16:38:03  Local.Callback
    75.91.119.251    critical  12    4    0      2015-04-14 14:23:02  Trojan.Spy
    75.170.159.203   critical  8     2    0      2015-04-14 16:40:57  Worm.Kufgal.B
    80.156.52.181    critical  3     8    0      2015-04-14 16:20:36  Malware.Binary.url
    83.188.60.159    critical  3     1    0      2015-04-14 14:35:44  Trojan.ZBot
    84.120.132.174   critical  10    1    0      2015-04-14 13:59:58  FE_Packer_UPX
    85.107.221.203   major     7     1    0      2015-04-14 14:32:38  Malware.Binary.url
    89.170.18.187    critical  3     2    0      2015-04-14 16:55:10  Malware.Binary.url
    90.104.148.255   critical  10    4    0      2015-04-14 14:22:07  Win.Trojan.Buzus
    92.152.215.204   critical  1     1    0      2015-04-14 16:23:32  Malware.ZerodayCallback
    93.168.122.235   critical  13    1    0      2015-04-14 13:28:40  FE_CVE_2010_0840_Malware_Jar
    95.107.251.219   critical  1     6    0      2015-04-14 14:00:33  Trojan.SpyEye
    99.169.245.138   critical  16    2    0      2015-04-14 17:06:20  FE_Packer_UPX
    99.230.174.4     critical  6     2    0      2015-04-14 14:11:19  Win.Trojan.Agent
    103.90.214.239   critical  3     2    0      2015-04-14 15:03:46  Malware.Binary.url
    103.107.210.196  critical  3     2    0      2015-04-14 16:46:39  Trojan.Fraudo
    103.188.220.181  critical  2     1    0      2015-04-14 16:59:04  Malware.Binary.url
    103.190.76.241   critical  3     8    0      2015-04-14 16:04:00  Malware.Binary.url
    107.106.39.60    critical  2     3    0      2015-04-14 13:51:07  InfoStealer.Sinowal gen.Y
The following example displays a summary of all alerts.
    hostname # show alerts summary
    Total Alerts     : 1813
    Web Infection    : 148
    Malware Object   : 335
    Malware Callback : 1143
    Infection Match  : 139
    Domain Match     : 48
The following command requests display of information for a malware callback alert.
    hostname # show alerts type malware-callback id 32 detail concise timeframe past-hour
The following table describes each field in the output.
- Alert Type: Malware callback (CB), infection match (IM), Web infection (WI), or binary analysis (BA).
- Alert ID: Alert ID number (assigned internally).
- Occurrence Time: Date and time the event occurred.
- OS Info: Operating system of the virtual machine Guest Image where the event was detected (for Web infection alerts only).
- Interface: Interface of the appliance.
- Action: Action that was taken, with the policy specified in parentheses.
- Source IP: Source IP address.
- Source Host: Source host IP address.
- Destination IP: Destination IP address.
- Source MAC: Source hardware address.
- Destination MAC: Destination hardware address.
- VLAN ID: Virtual LAN tag.
- Target OS: Operating system that is the target of the malware (for Web infection alerts only).
- Target App: Application that is the target of the malware (for Web infection alerts only).
- URL count: Number of affected URLs (for Web infection alerts only).
- Page URL: Addresses of affected pages (for Web infection alerts only).
show alerts whitelist src ip
Displays the source IP addresses in the Alert whitelist.
Syntax show alerts whitelist src ip
Parameters None
Example The following example shows the IP addresses on the alerts whitelist.
    hostname # show alerts whitelist src ip
    26.47.126.205
    192.168.1.1
    192.168.23.1
User Role administrator, monitor, and operator
Command Mode enable and configuration
Release Information This command was introduced as follows:
- NX Series: Before release 6.4
Related Commands For a list of related commands, see: Alerts Command Family on page 56
show analysis live config
Shows the configuration of the pether2 data interface and the optional proxy server used to access the Internet. The appliance uses the pether2 interface if controlled live mode or URL dynamic analysis is enabled. Do not enable controlled live mode or URL dynamic analysis until you have validated end-to-end connectivity between pether2 and the Internet and, if a proxy server is configured, between the proxy server and the Internet. To perform this validation using the CLI, use the analysis live check-connection command in configure mode.
Syntax show analysis live config
Parameters None
Output Fields
- Default Gateway: IPv4 address of the default gateway node that pether2 uses to access the Internet.
- External IP: External IPv4 address and mask length of the pether2 data interface.
- Name Server: IPv4 address of the Domain Name System (DNS) name server for pether2.
- HTTP Proxy: IPv4 address and port number of the node acting as the HTTP proxy server for pether2.
- HTTP Proxy Authentication: Username used to authenticate at the proxy server.
Example The following example shows the configuration of the pether2 data interface.
    hostname # show analysis live config
    Malware Analysis Mode Enabled : yes
    Malware Download Timeout      : 120 (sec)
    Malware Analysis VMs          : 100 (percent)
    Live Analysis Configuration
      Default Gateway                   : 172.16.1.1
      External IP                       : 192.168.0.9/16
      Internal IP                       : 169.254.100.1/24
      Name Server                       : 172.16.2.1
      Http Proxy                        : www.lagado.com:8080
      Http Proxy Authentication         : root/********
      Force Data Interface For Prefetch : no
IMPORTANT: Controlled live mode and URL dynamic analysis are each disabled by default. You enable each feature separately from configuring their shared feature settings. Do not enable either of these features until after the pether2 and (if used) proxy server settings are configured.
User Role Administrator
Command Mode Enable
Release Information This command was introduced as follows:
- EX Series: Release 7.8
Related Commands For a list of related commands, see Analysis Commands on page 57 and EX Series Commands on page 137.
show analysis summary by
To display the details about the malware analysis summary based on the source IP address, destination IP address, MD5 checksum, or URL, use the show analysis summary by command in configuration mode.
Syntax
    show analysis summary by source IP address and destination IP address
    show analysis summary by source IP address or destination IP address
    show analysis summary by source IP address
    show analysis summary by destination IP address
    show analysis summary by URL string
    show analysis summary by checksum value
User Role Admin, Monitor, Operator, or Analyst
Release Information Command introduced in Release 7.5.0 for NX Series appliances and CM Series platforms.
Parameters
- source: Displays the search results from a source IP address.
- IP address: IP address of the source.
- and destination: Displays the search results from a source IP address and destination IP address.
- IP address: IP address of the destination.
- or destination: Displays the search results from a source IP address or destination IP address.
- URL: Displays the search results for a particular URL.
- string: The URL that you want to query.
- checksum: Displays the search results for an object with the specified MD5 checksum.
- value: The numeric value of the MD5 checksum.
Description This command searches for the details in the event results table based on the event type (os-change-anomaly, checksum-match, malware-callback, and so on). You can view malicious and nonmalicious objects and URLs from a specified source IP address or destination address. A message is displayed if no data is found for your search. When you enter this command on a CM Series platform, the platform displays details about the malware analysis summary on all connected NX Series 7.9.1 appliances based on your search queries.
Example The following example shows the search results for malicious and nonmalicious objects and URLs from a particular source IP address and destination IP address:
    hostname (config) # show analysis summary by source 172.16.8.87 and destination 172.16.1.11
    Source IP    Destination IP  Checksum                          Occurred Time (UTC)  Is Malicious  URL
    ---------------------------------------------------------------------------------------------------------------------
    172.16.8.87  172.16.1.11     707dbb57d9d67214961eed30d48e6570  2014-10-01 04:36:55  No            172.16.1.11/~ywang/poc.doc
When you enter this command on a CM Series platform, the following example shows the details about the malware analysis summary on all connected NX Series 7.9.1 appliances based on your search queries:
    hostname (config) # show analysis summary by checksum 65af4678c1f68dd2d72213087a55160d
    Appliance  Source IP      Destination IP  Checksum                          Occurred Time (UTC)  Is Malicious  URL
    ---------------------------------------------------------------------------------------------------------------------
    WEB39      172.19.97.222  171.64.11.133   65af4678c1f68dd2d72213087a55160d  2014-10-08 15:14:30  No            itwsus2.stanford.edu/Content/BD/E9B68C5E63ACB786A05B53B4332465DE0EBCEEBD.exe
show arp
Displays all entries in the Address Resolution Protocol (ARP) cache. To view only the static entries added to the ARP cache, use the show arp static command.
Syntax show arp
Parameters None
Example The following example shows all entries in the ARP table.
    hostname # show arp
    ARP cache contents
    IP 172.16.2.1 maps to MAC 00:11:00:00:00:00
    IP 172.16.2.2 maps to MAC 00:12:00:00:00:00
User Role Admin
Command Mode Enable and Configuration
Release Information
- AX Series: Before release 6.4
- CM Series: Before release 6.4
- EX Series: Before release 6.4
- FX Series: Before release 6.4
- HX Series: Release 2.5
- NX Series: Before release 6.4
Related Topics For a list of related commands, see: ARP Command Family on page 60.
show arp static
Displays the static entries added to the Address Resolution Protocol (ARP) cache. To view all entries in the ARP cache, use the show arp command.
Syntax show arp static
Parameters None
Example The following example shows the static entries in the ARP table.
    hostname # show arp static
    Static ARP entries
    IP 172.16.2.1 maps to MAC 00:11:00:00:00:00
    IP 172.16.2.2 maps to MAC 00:12:00:00:00:00
User Role Admin
Command Mode Enable and Configuration
Release Information
- AX Series: Before release 6.4
- CM Series: Before release 6.4
- EX Series: Before release 6.4
- FX Series: Before release 6.4
- HX Series: Release 2.5
- NX Series: Before release 6.4
Related Topics For a list of related commands, see: ARP Command Family on page 60.
show ati status
Displays information about the status of the Advanced Threat Intelligence (ATI) feature on an EX Series appliance, NX Series appliance, or CM Series platform. For managed EX Series or NX Series appliances, you must run this command remotely from the command line of an integrated FireEye CM Series platform using the central management platform proxying mechanism. This command is available only on an appliance that is installed with a two-way sharing CONTENT_UPDATES license with ATI support. When you install this license, the ATI feature itself and automatic updates to ATI alerts are enabled by default. For managed EX Series or NX Series appliances, ATI settings are configurable on the CM Series only. Use the [no] ati enable command to explicitly disable or re-enable the ATI feature.
Syntax show ati status
Parameters None
Output Fields The following table describes the output fields for the show ati status command. Fields are listed in the approximate order in which they appear in the output.
- ATI license status: Displays the status of the ATI license: enabled or disabled.
- ATI status: Displays the status of the ATI feature: enabled or disabled. For information about using the ATI feature, see the EX Series Threat Management Guide or the NX Series User Guide.
- ATI auto update status: Displays the status of the ATI alerts auto-update feature: enabled or disabled. For information about automatic updates to ATI alerts, see the EX Series Threat Management Guide or the NX Series User Guide.
Examples The following example displays the default setting with an ATI-enabled license:
    hostname # show ati status
    ATI license status     : enabled
    ATI status             : enabled
    ATI auto update status : enabled
The following example displays the setting without an ATI-enabled license:
    hostname # show ati status
    ATI license status : disabled
The following example runs the command from a CM Series platform for the managed appliance 'NX1':
    hostname # cmc execute appliance NX-1 "show ati status"
User Role Administrator or Analyst
Command Mode Enable
Release Information This command was introduced as follows:
- CM Series: Release 7.4
- NX Series: Release 7.4. ATI license status and ATI license auto-update status introduced in Release 7.5.
- EX Series: Release 7.6
Related Commands For a list of related commands, see Advanced Threat Intelligence Commands on page 55.
show avc vms
Description Displays currently running virtual machines.
Syntax show avc vms
Parameters None
Examples The following example displays running virtual machines.
    hostname (config) # show avc vms
    Currently Running VMs :
    VM Id: 89, Malware Id: 1444, Work Order Id: 99, Profile {Id: 65, Name: win7-sp1}
    VM Id: 91, Malware Id: 1445, Work Order Id: 101, Profile {Id: 65, Name: win7-sp1}
    VM Id: 92, Malware Id: 1447, Work Order Id: 102, Profile {Id: 65, Name: win7-sp1}
    VM Id: 93, Malware Id: 1448, Work Order Id: 103, Profile {Id: 65, Name: win7-sp1}
    VM Id: 94, Malware Id: 1449, Work Order Id: 104, Profile {Id: 65, Name: win7-sp1}
    VM Id: 95, Malware Id: 1450, Work Order Id: 105, Profile {Id: 65, Name: win7-sp1}
    VM Id: 96, Malware Id: 1451, Work Order Id: 106, Profile {Id: 65, Name: win7-sp1}
    VM Id: 86, Malware Id: 1441, Work Order Id: 96, Profile {Id: 65, Name: win7-sp1}
    VM Id: 97, Malware Id: 1452, Work Order Id: 107, Profile {Id: 65, Name: win7-sp1}
    VM Id: 98, Malware Id: 1453, Work Order Id: 108, Profile {Id: 65, Name: win7-sp1}
show backup available
This command displays a list of the backup files that can be restored onto the appliance. Details for the appliance, backup profile, version, hostname, and date stamp are validated while the restore operation is in process.
Syntax show backup available
Parameters location The location where the backup file was saved. The following locations are available:
- local: Backs up the database to the local destination on your appliance.
- on-usb: Backs up the database to the USB drive location on your local machine.
Example The following example displays a list of the backup files that reside locally on the appliance:
    IE-NX900 (config) # show backup available local
    # Backup          :wMPS-Full-7.7.0-IE-NX900-20150825-001543.febkp
      Profile         :Full
      Create time     :2015/08/25 00:15:43
      Release         :wMPS (wMPS) 7.7.0.405472
      Product         :wMPS
      Model           :FireEyeNX900
      Actual size     :58 MB
      Compressed size :54 MB
      Hostname        :IE-NX900
      Custom Prefix   :(null)
      Encrypted       :true
    # Backup          :wMPS-Config-7.7.0-IE-NX900-20150825-000332.febkp
      Profile         :Config
      Create time     :2015/08/25 00:03:32
      Release         :wMPS (wMPS) 7.7.0.405472
      Product         :wMPS
      Model           :FireEyeNX900
      Actual size     :3 MB
      Compressed size :1 MB
      Hostname        :IE-NX900
      Custom Prefix   :(null)
      Encrypted       :true
    # Backup          :wMPS-Config-7.7.0-IE-NX900-20150825-002141.febkp
      Profile         :Config
      Create time     :2015/08/25 00:21:41
      Release         :wMPS (wMPS) 7.7.0.405472
      Product         :wMPS
      Model           :FireEyeNX900
      Actual size     :3 MB
      Compressed size :1 MB
      Hostname        :IE-NX900
      Custom Prefix   :(null)
      Encrypted       :false
Related Commands For a list of commands, see the Backup Command Family on page 62
User Role admin, operator, and monitor
Command Mode configuration and enable
Release Information
- AX Series: Release 7.7
- CM Series: Release 7.5
- EX Series: Release 7.6
- FX Series: Release 7.7
- HX Series: Release 2.5
- NX Series: Release 7.5
show backup estimate profile To display the estimated size of the backup file and the available space for a profile, use the show backup estimate profile command in configuration mode.
Syntax show backup estimate profile
Parameters profileName The profile used to back up the appliance data: The following profiles are available: l
config – Backs up the configuration database and appliance-specific data.
l
fedb – Backs up the FireEye appliance database. This profile is not available on CM Series platforms.
l
config+fedb – Backs up the configuration database, the FireEye appliance database, and appliance-specific data. This profile is not available on CM Series platforms.
l
full – Backs up the configuration database, FireEye appliance database, and detected data (malware, alerts, reports, and so on). Profile is not available on CM Series platforms.
Output Fields The following table describes the output fields for the show backup estimate profile command. Fields are listed in the approximate order in which they appear in the output.
Field – Description
Local space available – Displays the available local space (MB) on the disk. To perform a backup, this value must be greater than the estimated space required for the backup plus the reserved space on the appliance.
Space reserved for other purposes – Displays the size (MB) of the reserved space that is needed to operate the system.
Space available for backups – Displays the space (MB) available to perform the backup.
Estimated space required for backup – Displays the size estimate (MB) that is required to create a backup. This field does not indicate the size of the final compressed backup file.
Can perform local or remote backup – Indicates whether space is available to perform the backup to a local destination or to a remote server.
USB space available – (Optional) If a USB drive is mounted, the appliance automatically detects the available disk space (MB) on it and displays the backup estimates.
Can perform USB backup – (Optional) If a USB drive is mounted, this field indicates whether the backup can be performed to the USB device.
Example The following example displays the backup estimates for a complete (full) backup operation:
hostname (config) # show backup estimate profile full
-----------------------------------------------
# Estimates for full backup
-----------------------------------------------
Local space available               : 107483 MB
Space reserved for other purposes   : 118886 MB
Space available for backups         : 0 MB
Estimated space required for backup : 1338 MB
Can perform local or remote backup  : no
USB space available                 : 12808 MB
Related Commands For a list of commands, see the Backup Command Family on page 62
User Role admin, operator, and monitor
Command Mode configuration and enable
Release Information AX Series: Release 7.7 CM Series: Release 7.5 EX Series: Release 7.6 FX Series: Release 7.7 HX Series: Release 2.5 NX Series: Release 7.5
show backup status To display the details for the last backup operation, use the show backup status command in configuration mode. This command displays the details about the last backup, start time, end time, and errors.
Syntax show backup status
Parameters None
Example The following example displays the last backup operation status:
hostname (config) # show backup status
Backup status: not-running
Last backup profile: config
Last backup destination: local
Last backup start time: 2014/12/04 18:00:18.173
Last backup end time: 2014/12/04 18:00:18.820
Last Backup result: success
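Parsing the show backup estimate profile and show backup status output shown in these two entries into something a monitoring job can act on, as an added example that is not FireEye code. The sample outputs are constructed from the formats above; the readiness rule (a local or remote backup can run only when the estimate fits in Space available for backups) is an assumption drawn from the documented fields.

```python
"""Parse 'show backup estimate profile' and 'show backup status' output and
flag the conditions an operator should act on.

Added example, not FireEye code. Both samples are constructed from the
formats in this guide; the readiness rule is an assumption, not a FireEye
specification.
"""
import re
from datetime import datetime

# Constructed sample: same fields as the 'show backup estimate profile full' example.
ESTIMATE_SAMPLE = """\
-----------------------------------------------
# Estimates for full backup
-----------------------------------------------
Local space available               : 107483 MB
Space reserved for other purposes   : 118886 MB
Space available for backups         : 0 MB
Estimated space required for backup : 1338 MB
Can perform local or remote backup  : no
USB space available                 : 12808 MB
"""

# Constructed sample: same fields as the 'show backup status' example.
STATUS_SAMPLE = """\
Backup status: not-running
Last backup profile: config
Last backup destination: local
Last backup start time: 2014/12/04 18:00:18.173
Last backup end time: 2014/12/04 18:00:18.820
Last Backup result: success
"""

# 'Field : value' lines; separator (----) and comment (#) lines do not match.
KV_RE = re.compile(r"^\s*([^:#\-][^:]*?)\s*:\s*(.*?)\s*$")
TS_FMT = "%Y/%m/%d %H:%M:%S.%f"


def parse_kv(text):
    """Return the 'Field : value' lines of a CLI output as a dict."""
    fields = {}
    for line in text.splitlines():
        m = KV_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def mb(value):
    """'107483 MB' -> 107483."""
    return int(value.split()[0])


def parse_estimate(text):
    f = parse_kv(text)
    est = {
        "local_available_mb": mb(f["Local space available"]),
        "reserved_mb": mb(f["Space reserved for other purposes"]),
        "backup_space_mb": mb(f["Space available for backups"]),
        "required_mb": mb(f["Estimated space required for backup"]),
        "local_or_remote_ok": f["Can perform local or remote backup"] == "yes",
    }
    # USB fields are optional: present only when a USB drive is mounted.
    if "USB space available" in f:
        est["usb_available_mb"] = mb(f["USB space available"])
    return est


def parse_status(text):
    f = parse_kv(text)
    start = datetime.strptime(f["Last backup start time"], TS_FMT)
    end = datetime.strptime(f["Last backup end time"], TS_FMT)
    return {
        "running": f["Backup status"] != "not-running",
        "profile": f["Last backup profile"],
        "destination": f["Last backup destination"],
        "success": f["Last Backup result"] == "success",
        "duration_s": (end - start).total_seconds(),
        "end": end,
    }


def assess(estimate, status, now, max_age_days=1):
    """List the conditions to act on; 'now' is 'YYYY/MM/DD HH:MM:SS'."""
    issues = []
    if not status["success"]:
        issues.append("last %s backup failed" % status["profile"])
    age_days = (datetime.strptime(now, "%Y/%m/%d %H:%M:%S") - status["end"]).days
    if age_days > max_age_days:
        issues.append("last backup is %d days old" % age_days)
    if not estimate["local_or_remote_ok"]:
        shortfall = estimate["required_mb"] - estimate["backup_space_mb"]
        msg = "local/remote backup blocked: short by %d MB" % shortfall
        if estimate.get("usb_available_mb", 0) >= estimate["required_mb"]:
            msg += " (USB backup would fit)"
        issues.append(msg)
    return issues


if __name__ == "__main__":
    est, st = parse_estimate(ESTIMATE_SAMPLE), parse_status(STATUS_SAMPLE)
    for issue in assess(est, st, "2014/12/05 12:00:00"):
        print(issue)
```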
Related Commands For a list of commands, see the Backup Command Family on page 62
User Role admin, operator, and monitor
Command Mode configuration and enable
Release Information AX Series: Release 7.7 CM Series: Release 7.5 EX Series: Release 7.6 FX Series: Release 7.7 HX Series: Release 2.5 NX Series: Release 7.5
show banner Description Displays the current login banner and Message of the Day banner that are shown when a user logs in to the CLI.
Syntax show banner
Parameters None
Example The following example shows the Message of the Day (MOTD) and login banners.
hostname (config) # show banner
Banners:
  Message of the Day (MOTD):
    FireEye Command Line Interface
  Login:
    This system is for the use of authorized users only. Individuals using this computer system without authority, or in excess of their authority, are subject to having all of their activities on this system monitored and recorded by system personnel. In the course of monitoring individuals improperly using this system, or in the course of system maintenance, the activities of authorized users may also be monitored. Anyone using this system expressly consents to such monitoring and is advised that if such monitoring reveals possible evidence of criminal activity, system personnel may provide the evidence of such monitoring to law enforcement officials.
Related Commands For a list of commands, see the Banner Command Family on page 63.
User Role admin, monitor and operator
Command Mode configuration, enable, disable
Release Information AX Series: Before Release 6.4 CM Series: Before Release 6.4 EX Series: Before Release 6.4 FX Series: Before Release 6.4 HX Series: Release 2.5 NX Series: Before Release 6.4
show blat Description Displays the blacklisted DNS traffic (blat) configuration and stats.
Syntax show blat {configuration | stats}
Parameters None
Examples The following example displays the blat configuration.
hostname # show blat configuration
BLAT Enabled : yes
The following example displays the blat stats.
MPS # show blat stats
Packet received          :197292
Static rules             :28319
Dynamic rules            :0
Inactive rules           :0
Blacklist IP rules       :0
Static bad rules         :0
Dynamic bad rules        :0
Events reported          :49
  Static                 :49
  Static (tcp)           :0
  Dynamic                :0
Events dropped           :0
Inline dropped           :0
Inactive domain captured :60
Blacklist IPs submitted  :0
The output fields for the show blat stats command are described below.
Packet received – Total number of packets received by blat.
Static rules – Total number of static rules in the rule file.
Dynamic rules – Total number of dynamic rules added.
Inactive rules – Total number of inactive rules.
Blacklist IP rules – Total number of rules that blacklist IP addresses.
Static bad rules – Total number of static rules that have an error in them.
Dynamic bad rules – Total number of dynamic rules that have an error in them.
Events reported – Total number of events and alerts reported.
Events dropped – Total number of events and alerts dropped.
Inline dropped – Total number of inline packets dropped.
Inactive domain captured – Total number of inactive DNS domains captured.
Blacklist IPs submitted – Total number of blacklisted IP addresses seen.
Related Topics blacklist files auto past_hours on page 288 blat enable on page 289 show blat on the previous page
show bootvar To display all appliance boot images and identify the active default boot partition, use the show bootvar command in standard mode. Related commands: image install and show images
Syntax show bootvar
Parameters None
User Role Administrator, Monitor, or Operator
Release Information Command introduced before Release 7.6.0.
Example The following example shows the current appliance boot image information.
hostname > show bootvar
Installed images:
  Partition 1:
    cms CMS (CMS) 7.6.0.342929 #342929 2015-04-14 00:44:28 x86_64 build@vta114:FireEye/mammoth-dev (eng debug)
  Partition 2:
    cms CMS (CMS) 7.6.0.346695 #346695 2015-04-22 22:57:09 x86_64 build@vta114:FireEye/mammoth-dev (eng)
Last boot partition: 2
Next boot partition: 2
Boot manager password status: password disabled.
Image signing: trusted signature always required
Admin require signed images: no (not active)
Settings for next boot only:
  Fallback reboot on configuration failure: yes (default)
show bottracker sigmatch Description This command displays bot tracker signature match results. This feature is specific to the Web MPS appliance. Related commands: show bottracker stats
Syntax show bottracker sigmatch
Parameters None
Example The following example displays current bot tracker signature match results.
hostname (config) # show bottracker sigmatch
rcv_pkts  : 209266409
tcp       : 212435039
udp       : 76728
discard   : 6
alert     : 8289
log       : 8289
pkt match : 7119
show bottracker stats Description This command displays bot tracker statistics, including detection statistics collected from inline blocking, TAP blocking, and TCP out-of-band blocking events. This command is specific to the Web MPS appliance. Related commands: show bottracker sigmatch
Syntax show bottracker stats
Parameters None
Example The following example displays current bot tracker stats.
hostname (config) # show bottracker stats
IP match packet              :0
Signature match              :7119
content match                :7119
Bot connection event         :0
Bot sigmatch event           :234
content match events         :2349
blocking event               :2349
non-blocking event           :0
DNS request                  :0
DNS reply                    :0
Sigmatch packet sent         :209266164
Sigmatch packet sent fail    :0
Event dropped                :0
Pref match events            :1245
Pref event dropped           :241
Pkt rcvd                     :209389679
Max packet rcvd latency usec :18446744073709054811
Bytes rcvd                   :137158185950
flows dropped                :2582
pkts dropped                 :115393
bytes dropped                :72349457
content match timeout        :0
ppm                          :0
match                        :0
no match                     :0
content match fastpath flows :0
content match fastpath pkts  :0
The following table describes the output fields for this command.
IP match packet – Unused.
Signature match – Number of signatures matched.
Content match – Number of content type matches in the signature matches.
Bot connection event – Unused.
Bot sigmatch event – Number of bot signature events reported.
content match events – Number of content signature events matched.
blocking event – Number of signature match blocking events reported.
non-blocking event – Number of signature match non-blocking events reported.
DNS request – Unused.
DNS reply – Unused.
Sigmatch packet sent – Number of times a packet was sent to the signature match library.
Sigmatch packet sent fail – Number of times the send to the signature match library was disabled.
Event dropped – Unused.
Pref match events – Number of times a rule was matched with a preference rule option.
Pref event dropped – Number of times a preference event was dropped due to a preference check.
Pkt rcvd – Number of packets received from the underlying packet filter.
Max packet rcvd latency usec – Maximum latency for users to see the packet.
Bytes rcvd – Number of bytes received from the kernel filter.
flows dropped – Number of flows dropped.
pkts dropped – Number of packets dropped.
content match timeout – Unused.
ppm – Unused.
match – Unused.
no match – Unused.
content match fastpath flows – Number of flows set to bypass signature match library content matches.
content match fastpath pkts – Number of packets set to bypass signature match library content matches.
show bridges Description Displays the configuration and status information for all bridges on the specified interface.
Syntax show bridges interface
Parameters interface Name of the interface.
Example The following example displays current bridge configuration information and status for the interface ether2.
hostname(config)# show bridges ether2
Bridge ether2:
  Enabled: yes
  Spanning tree: no
  Interfaces: pether2
show cli Description Displays the CLI settings for the session, such as the user idle timeout, whether paging of CLI output is enabled, and whether hidden commands are shown in the output of the show configuration command. The default settings are shown, along with any settings that have been overridden for the current session. Related commands: show configuration
Syntax show cli
Parameters None
Examples The following example shows all CLI settings.
hostname > show cli
CLI current session settings:
  Maximum line size: 8192
  Terminal width: 80 columns
  Terminal length: 37 rows
  Terminal type: xterm
  X display setting: (none)
  Auto-logout: disabled
  Paging: disabled
  Progress tracking: enabled
  Prefix modes: disabled
CLI defaults for future sessions:
  Auto-logout: disabled
  Paging: disabled
  Progress tracking: enabled
  Prefix modes: disabled
The following example shows settings for both this session and future sessions.
  Show hidden config: yes
  Confirm losing changes: yes
  Confirm reboot/shutdown: no
  Confirm factory reset: yes
  Prompt on empty password: yes
show cli commands Description Displays the CLI commands available to the current user in the current CLI command mode. Related commands: show cli
Syntax show cli commands [include-incomplete | exclude-cli-only]
Parameters
include-incomplete – Includes the shortened version of the command and a high-level summary of the command. In the example below, whitelist is an incomplete command. If you issued it, % Incomplete command would be returned.
exclude-cli-only – Excludes the commands that work in the CLI when run interactively, but not in the following scenarios:
- In scheduled jobs, using the job command.
- When sent by a FireEye CMS for an appliance to execute.
Example An excerpt of the show cli commands include-incomplete results follows.
hostname (config) # show cli commands include-incomplete
. . .
whitelist: Set whitelisted configuration
whitelist files: Set whitelisted files configuration
whitelist files auto: Set whitelisted files configuration
whitelist files auto past_hours: Set number of past hours to keep auto-generated whitelisted files
whitelist files auto past_hours
write: Save or display the running configuration
write memory: Save running configuration to the active configuration file
write terminal: Display commands to recreate current running configuration
yara: Configure yara
yara match: Configure yara customer match settings
yara match limit: Configure yara customer match limit
yara match limit
yara policy: Configure yara policy
yara policy *
yara weight: Set Yara weight configuration
yara weight default: Set Yara default weight configuration
yara weight default
. . .
show clock Description Displays the current system time, date, and time zone. The Z character in syslog output indicates that the time displayed is in the UTC time zone; for example: Oct 19 2012 16:10:10 Z.
Syntax show clock
Parameters None
Example The following example displays the system time, date, and time zone.
hostname > show clock
Time: 12:51:31
Date: 2012/02/02
Time zone: UTC-offset (Etc/UTC)
UTC-offset: same as UTC
show cmc appliances Displays the full settings and status for all managed appliances that are related to the management and control of appliances by the CM Series platform. The Central Management Console (CMC) is the CM Series platform component that provides basic management and control capabilities for both the server (CM Series platform) and its clients (managed appliances).
Syntax show cmc appliances <applianceID>
show cmc appliances [brief | detail]
Parameters
applianceID – (CM Series platform only) Specified name for the appliance.
brief – (CM Series platform only) Shows a brief summary of each managed appliance.
detail – (CM Series platform only) Shows a full summary of each managed appliance.
Examples The following example displays the status of each appliance that can be managed by this CM Series platform. In this case, the NX Series appliance initiated the request to be managed, the EX Series appliance is not currently connected, and the CM Series platform initiated the connection between itself and the FX Series appliance.
cm-01 # show cmc appliances
Appliance nx-02:
  Address: 172.70.1.1
  Enabled: yes
  Connected: yes (client-initiated)
  Status check OK: yes
  Version compatible: yes
Appliance ex-03:
  Address: 172.30.1.1
  Enabled: yes
  Connected: no
  Status check OK: no
  Version compatible: unknown
Appliance fx-04:
  Address: 172.20.1.1
  Enabled: yes
  Connected: yes (server-initiated)
  Status check OK: no
  Version compatible: yes
The following example displays the status and settings for the nx-02 appliance. The (Acme_Pair2) designation indicates that the appliance is a member of the Acme_Pair2 NX Series High Availability (HA) pair. The Connected: line indicates that the CM Series platform initiated the connection with the appliance.
cm-01 # show cmc appliances nx-02
Appliance nx-02: (Acme_Pair2)
  Connection status:
    Connected: yes (server-initiated)
    Connection failure reason: None
    Connection broken reason: None
    Connection last formed: 2015/12/18 21:13:37
    Connection last broken: 2015/12/18 21:13:36
    Last connection attempt: 2015/12/18 21:13:36
    Next connection attempt:
    Current time: 2015/12/18 23:50:03
    Status check OK: yes
    Server username on client: admin
    Client username on server: cmcclient
  Appliance Status:
    Client software version: wMPS (wMPS) 7.8.0.297262
    Client software match: no
    Client software compatible: yes
    Appliance ID: 002590AEE884
    Product model: FireEye9450
    Content version: 432.198
    ...
The following example shows the status and settings for the Essentials edition on the nx-203 appliance.
cm-01 # show cmc appliances nx-203
Appliance nx-203
  Connection status:
    Connected: yes (server-initiated)
    Connection failure reason: None
    Connection last formed: 2015/12/23 21:13:37
    Connection last broken: 2015/12/23 21:13:36
    Last connection attempt: 2015/12/23 21:13:36
    Next connection attempt:
    Current time: 2015/12/23 21:25:36
    Status check OK: yes
    Server username on client: admin
    Client username on server: cmcclient
  Appliance Status:
    Client software version: wMPS (wMPS) 7.7.0.433567
    Client product name: wMPS Essentials
    Client software match: no
    Client software compatible: yes
    Appliance ID: 002590AEE884
    Product model: FireEyeNX4310
    Content version: 434-lb.168
    Content channel: stable
    Content sharing type: all
  Configuration:
    Enabled: yes
    Address: 172.16.127.203
    SSH port: 22
    Web UI protocol: http
    Web UI HTTP port: 11000 (active)
    Web UI HTTPS port: 443
    Auto-connect: yes
    Status check enabled: yes
    Client requests enabled: yes
    Comment:
    Authentication:
      Authentication type: password
      password username: admin
      password password: ********
      ssh-dsa2 username: admin
      ssh-dsa2 identity:
      ssh-rsa2 username: admin
      ssh-rsa2 identity:
    Validation for client-initiated connections:
      Source address: (same as main address)
      Source port: (no restriction)
The following example shows that three appliances are enabled for CM Series management. One appliance is disconnected, and two appliances failed status checks.
cm-02 # show cmc appliances brief
Appliance  Address     Enabled  Connected  Health  Product
---------  ----------  -------  ---------  ------  -------
ex-03      172.30.1.1  yes      no         CRIT    eMPS
nx-02      172.70.1.1  yes      yes        ok      wMPS
fx-04      172.20.1.1  yes      yes        WARN    fMPS
The following example also shows three appliances that are enabled for CM Series management. The nx-203 appliance is running an Essentials edition. The nx-204 appliance is running a Power edition.
cm-02 # show cmc appliances brief
Appliance  Address         Enabled  Connected  Health  Product
---------  --------------  -------  ---------  ------  ---------------
nx-203     172.16.127.203  yes      yes        ok      wMPS Essentials
nx-204     172.16.127.204  yes      yes        ok      wMPS Power
ex-77      172.16.127.77   yes      yes        ok      eMPS
The show cmc appliances detail command output is the same as the show cmc appliances applianceID command output, except it displays information about all managed appliances, not just one.
User Role Monitor, Operator, or Administrator
Command Mode Enable
Release Information This command was introduced as follows: CM Series: Before Release 7.5.
Related Commands For a list of related commands, see CM Series Command Family on page 135.
show cmc auth identities Displays all DSA2 and RSA2 identities, DSA2 identities only, RSA2 identities only, or the DSA2 or RSA2 identity with the specified identity name. The Central Management Console (CMC) is the CM Series platform component that provides basic management and control capabilities for both the server (CM Series platform) and its clients (managed appliances).
Syntax show cmc auth identities [ssh-dsa2 []] | [ssh-rsa2 []]
Parameters
ssh-dsa2 – Displays information about an SSH-DSA2 identity type with the specified identity name.
ssh-rsa2 – Displays information about an SSH-RSA2 identity type with the specified identity name.
Example The following example displays information about an SSH-DSA2 identity named "admin4" on the NX-04 appliance.
hostname # show cmc auth identities
DSA2 identity admin4:
  Public Key: ssh-dss AAA3NzaC1kc3MAAACBAJl3PisWNnz/gYLvL4JC7xFMoq3HE89rai7trnJmpxjylArYhfMzaGndFA4qGRZMFzhiz9Jhi/+W1ufIrXLGzakC0lAAAAFQCuMCsMwMGN9zT5w2JCiDt7D6orNwAA . . .
User Role Administrator, Monitor, or Operator
Command Mode Enable
Release Information This command was introduced as follows: CM Series: Before Release 7.5.
Related Commands For a list of related commands, see CM Series Command Family on page 135.
show cmc auth ssh Displays global "CMC" SSH settings. The Central Management Console (CMC) is the CM Series platform component that provides basic management and control capabilities for both the server (CM Series platform) and its clients (managed appliances).
Syntax show cmc auth ssh
Parameters None
Example The following example displays information about strict and global host-key checking on the CM Series platform.
hostname # show cmc auth ssh
CMC SSH configuration:
  Strict host key checking enabled: yes
  Global only known hosts enabled: yes
  Minimum protocol version: 2
  Cipher list: compatible
  Minimum key length: 1024 bits
User Role Administrator, Monitor, or Operator
Command Mode Enable
Release Information This command was introduced as follows: CM Series: Before Release 7.5.
Related Commands For a list of related commands, see CM Series Command Family on page 135.
show cmc client Displays information about how managed appliances connect to and authenticate with the CM Series platform. The Central Management Console (CMC) is the CM Series platform component that provides basic management and control capabilities for both the server (CM Series platform) and its clients (managed appliances).
Syntax show cmc client
Parameters None
Example The following example displays CMC information about the managed appliances from the NX Series appliance.
nx-02 # show cmc client
CMC client enabled: yes
CMC server connection status:
  Connected: yes
  CMC server hostname: cm-01
  CMC server IP address: 172.10.1.1
  Last connection failure: None
  Last connection breakage: None
  Connection last formed: 2014/12/23 21:13:37
  Connection last broken: 2014/12/23 21:13:36
  Last connection attempt: 2014/12/23 21:13:36
  Next connection attempt:
  Current time: 2014/12/26 19:03:55
  Client username on server: admin
  Server username on client: admin
Configuration for client-initiated connections:
  Server address: 172.10.1.1
  Server port: 22
  Auto-connect: yes
  Username for server requests: admin
  Authentication:
    Authentication type: password
    password username: admin
    password password: ********
    ssh-dsa2 username: cmcclient
    ssh-dsa2 identity:
    ssh-rsa2 username: cmcclient
    ssh-rsa2 identity:
General CMC client configuration:
  Transmit bandwidth limit: unlimited
  Confirm configuration if managed: yes
Validation for server-initiated connections:
  Source address: (same as main address)
  Source port: (no restriction)
  Require match: no
User Role Monitor, Operator, or Administrator
Command Mode Enable
Release Information This command was introduced as follows: CM Series: Before Release 7.5.
Related Commands For a list of related commands, see CM Series Command Family on page 135.
show cmc groups Displays all managed appliance groups or the group with the specified group name. The Central Management Console (CMC) is the CM Series platform component that provides basic management and control capabilities for both the server (CM Series platform) and its clients (managed appliances).
Syntax show cmc groups []
Parameters
(CM Series platform only) Name of the specified group.
Example The following example shows the "London" group that was added, as well as the preconfigured system groups.
cm-01 # show cmc groups
Group London
  Comment: UK region appliances
  Appliances: nx-02
Group all
  Comment:
  Appliances: nx-02 ex-03 fx-04
Group sysgroup.Email_MPS
  Comment: System Group: eMPS
  Appliances: ex-03
Group sysgroup.File_MPS
  Comment: System Group: fMPS
  Appliances: fx-04
Group sysgroup.HX
  Comment:
  No members.
Group sysgroup.MAAS
  Comment:
  No members.
Group sysgroup.MAS
  Comment:
  No members.
Group sysgroup.MSM
  Comment:
  No members.
Group sysgroup.Web_MPS
  Comment: System Group: wMPS
  Appliances: nx-02
User Role Administrator, Monitor, or Operator
Command Mode Enable
Release Information This command was introduced as follows: CM Series: Before Release 7.5.
Related Commands For a list of related commands, see CM Series Command Family on page 135.
show cmc ha nx Displays the status of all NX Series High Availability (HA) pairs that are connected to this CM Series platform.
Syntax show cmc ha nx
Parameters None
Output Fields The following table describes the output fields for this command.
Field – Description
Status – The status of the NX Series HA pair:
- OK—The pair is healthy.
- Degraded—The pair has one or more conditions that generate a critical or warning message. For a list of these conditions, see the NX Series High Availability Guide.
- Not Connected—At least one appliance is not connected to the CM Series platform.
Comment – Descriptive information about the HA pair, if available.
Connected – Whether both appliances in the HA pair are connected to the CM Series platform.
Software version match – Whether the following is running on both appliances:
- The same major and minor version of the NX Series software image
- The same NX Series edition (Power or Classic)
Configuration match – Whether all required configuration settings match.
GI image version match – Whether the same version of guest images is installed on both appliances.
Security content version match – Whether the same version of security content is installed on both appliances.
NX health status OK – Whether both appliances are healthy.
System time in sync – Whether the system time is synchronized.
Peer id verified – Whether both appliances exchanged their IDs.
Hardware model match – Whether both appliances have the same hardware model.
Example The following example shows the status of all HA pairs configured on this CM Series platform.
cm-hostname # show cmc ha nx
NX-HA Acme_East: nx-3 nx-4
  Status: Degraded
  Comment: Eastern region NX pair
  Connected: yes
  Software version match: yes
  Configuration match: no
  GI image version match: yes
  Security content version match: yes
  NX health status OK: yes
  System time in sync: yes
  Peer id verified: yes
  Hardware model match: yes
NX-HA NXPair4:
  Status: Degraded
  Comment: NX-HA pair is degraded because not all members are configured.
NX-HA IT_Pair: nx-06 nx-08
  Status: OK
  Comment:
  Connected: yes
  Software version match: yes
  Configuration match: yes
  GI image version match: yes
  Security content version match: yes
  NX health status OK: yes
  System time in sync: yes
  Peer id verified: yes
  Hardware model match: yes
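Turning the show cmc ha nx output above into a per-pair report of which checks failed, as an added example that is not FireEye code. The sample output is constructed in the format of the example above, and the check names are the yes/no fields from the Output Fields table.

```python
"""Parse 'show cmc ha nx' output and report degraded HA pairs with the
checks that failed.

Added example, not FireEye code. SAMPLE is constructed from the format in
this entry; CHECK_FIELDS lists the yes/no fields documented for the command.
"""
import re

# Constructed sample in the format of the 'show cmc ha nx' example.
SAMPLE = """\
NX-HA Acme_East: nx-3 nx-4
  Status: Degraded
  Comment: Eastern region NX pair
  Connected: yes
  Software version match: yes
  Configuration match: no
  GI image version match: yes
  Security content version match: yes
  NX health status OK: yes
  System time in sync: yes
  Peer id verified: yes
  Hardware model match: yes
NX-HA NXPair4:
  Status: Degraded
  Comment: NX-HA pair is degraded because not all members are configured.
NX-HA IT_Pair: nx-06 nx-08
  Status: OK
  Comment:
  Connected: yes
  Software version match: yes
  Configuration match: yes
  GI image version match: yes
  Security content version match: yes
  NX health status OK: yes
  System time in sync: yes
  Peer id verified: yes
  Hardware model match: yes
"""

# The yes/no checks from the Output Fields table.
CHECK_FIELDS = (
    "Connected",
    "Software version match",
    "Configuration match",
    "GI image version match",
    "Security content version match",
    "NX health status OK",
    "System time in sync",
    "Peer id verified",
    "Hardware model match",
)

# A pair header starts at column 0: 'NX-HA <name>: [member ...]'.
HEADER_RE = re.compile(r"^NX-HA (\S+):\s*(.*)$")


def parse_ha_pairs(text):
    """Return one dict per pair: name, members, and its 'Field: value' lines."""
    pairs = []
    current = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = {"name": m.group(1), "members": m.group(2).split(), "fields": {}}
            pairs.append(current)
            continue
        if current is None or ":" not in line:
            continue
        key, _, value = line.strip().partition(":")
        current["fields"][key.strip()] = value.strip()
    return pairs


def failed_checks(pair):
    """Names of the checks that report 'no'; checks absent from the output are not counted."""
    return [name for name in CHECK_FIELDS if pair["fields"].get(name) == "no"]


def degraded_pairs(text):
    """(name, failed checks, comment) for every pair whose Status is not OK."""
    report = []
    for pair in parse_ha_pairs(text):
        if pair["fields"].get("Status") != "OK":
            report.append((pair["name"], failed_checks(pair), pair["fields"].get("Comment", "")))
    return report


if __name__ == "__main__":
    for name, failed, comment in degraded_pairs(SAMPLE):
        print("%s: failed %s; %s" % (name, ", ".join(failed) or "no checks", comment))
```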
User Role Admin, Operator, or Monitor
Command Mode Enable
Release Information This command was introduced as follows: NX Series: Release 7.8.0
Related Commands For a list of related commands, see NX Series High Availability (HA) Command Family on page 117. For more information about NX Series HA, see the NX Series High Availability Guide.
show cmc ha nx <pair> Displays the status of the specified NX Series High Availability (HA) pair.
Syntax show cmc ha nx <pair>
Parameters pair – The name of the HA pair.
Output Fields See show cmc ha nx on page 1396 for a description of the output fields for this command.
Example The following example shows the status of the Acme_NXHA pair.
cm-hostname # show cmc ha nx Acme_NXHA
NX-HA Acme_NXHA: nx-1 nx-2
  Status: Degraded
  Comment: Western region NX pair
  Connected: yes
  Software version match: yes
  Configuration match: no
  GI image version match: yes
  Security content version match: yes
  NX health status OK: yes
  System time in sync: yes
  Peer id verified: yes
  Hardware model match: yes
User Role Admin, Operator, or Monitor
Command Mode Enable
Release Information This command was introduced as follows: CM Series: Release 7.8.0
Related Commands For a list of related commands, see NX Series High Availability (HA) Command Family on page 117. For more information about NX Series HA, see the NX Series High Availability Guide.
show cmc mvx cluster Shows all managed MVX clusters. The Central Management Console (CMC) is the CM Series platform component that provides basic management and control capabilities for both the server (CM Series platform) and its clients (managed appliances).
Syntax show cmc mvx cluster
Parameters None
Example The following example shows information about the MVX cluster:
nx-02 # show cmc mvx cluster
MVX Cluster: Cluster-Acme
  Health OK: yes
  Health severity: OK
  Master broker: vx-1
  Member node count: 2
  All connected: yes
  Description:
User Role Administrator, Monitor, or Operator
Command Mode Enable
Release Information This command was introduced as follows: CM Series: Release 7.9.0
Related Commands For a list of related commands, see CM Series Command Family on page 135.
show cmc mvx cluster {brief | detail} Shows brief or detailed information about all managed MVX clusters. The Central Management Console (CMC) is the CM Series platform component that provides basic management and control capabilities for both the server (CM Series platform) and its clients (managed appliances).
Syntax show cmc mvx cluster {brief | detail}
Parameters None
Example The following example shows brief information:
nx-02 # show cmc mvx cluster brief
CLUSTER NAME       HEALTHY  CONNECTED  NODES  MASTER
-----------------  -------  ---------  -----  ------
Cluster-Acme       yes      yes        2      vx-1
The following example shows detailed information:
nx-02 # show cmc mvx cluster detail
MVX Cluster: Cluster-Acme
  Health OK: yes
  Health severity: OK
  Master broker: vx-1
  Member node count: 2
  All connected: yes
  Description:
  Health Status:
    Nodes connected all: yes
    System configuration in sync: yes
    System software version match: yes
    Security content version match: yes
    Guest-images version match: yes
    Master Node Selected: yes
    Broker selected: yes
  Update Status:
    Latest OS version installed: no
    GI update available: no
  Member Status (Total 2 Nodes):
    Brokers:
      vx-1 (master)  10.11.121.12  ok
    Compute Nodes:
      vx-2           10.11.121.18  ok
User Role Administrator, Monitor, or Operator
Command Mode Enable
Release Information This command was introduced as follows: CM Series: Release 7.9.0
Related Commands For a list of related commands, see CM Series Command Family on page 135.
show cmc mvx cluster enrollment status Shows the sensors enrolled in an MVX cluster. The Central Management Console (CMC) is the CM Series platform component that provides basic management and control capabilities for both the server (CM Series platform) and its clients (managed appliances).
Syntax show cmc mvx cluster enrollment status
Parameters None
Example The following example shows the enrollment status of Cluster-Acme:
nx-02 # show cmc mvx cluster enrollment status
SENSOR NAME  CLUSTER NAME  BROKER NAME  BROKER ADDRESS
-----------  ------------  -----------  --------------
nx-1         Cluster-Acme  vx-1         10.11.121.12
nx-2         Cluster-Acme  vx-1         10.11.121.12
User Role Administrator, Monitor, or Operator
Command Mode Enable
Release Information This command was introduced as follows: CM Series: Release 7.9.0
Related Commands For a list of related commands, see CM Series Command Family on page 135.
show cmc mvx cluster nodes Shows brief information about the cluster's nodes. The Central Management Console (CMC) is the CM Series platform component that provides basic management and control capabilities for both the server (CM Series platform) and its clients (managed appliances).
Syntax show cmc mvx cluster <name> nodes
Parameters name
The name of the MVX cluster.
Example The following example shows the nodes of Cluster-Acme:
nx-02 # show cmc mvx cluster Cluster-Acme nodes
NODES: Cluster-Acme   CONNECTED  HEALTHY  ADDRESS
----------------      ---------  -------  ------------
vx-1                  yes        yes      10.11.121.12
vx-2                  yes        yes      10.11.121.18
Brokers (active)
vx-1                  yes        yes      10.11.121.12
Brokers (ready)
vx-2                  yes        yes      10.11.121.18
User Role Administrator, Monitor, or Operator
Command Mode Enable
Release Information This command was introduced as follows:
- CM Series: Release 7.9.0
Related Commands For a list of related commands, see CM Series Command Family on page 135.
show cmc mvx cluster stats daily Shows daily statistics for MVX cluster utilization. The Central Management Console (CMC) is the CM Series platform component that provides basic management and control capabilities for both the server (CM Series platform) and its clients (managed appliances).
Syntax show cmc mvx cluster <name> stats daily
Parameters name
The name of the cluster.
Example The following example shows daily statistics for Cluster-Acme:
nx-02 # show cmc mvx cluster Cluster-Acme stats daily
MVX Cluster: Cluster-Acme
Time                            MVX Load  Submission Incoming  Submission Done  Submission Dropped
=================================================================================================
2016/07/26 00:00:00 - 23:59:59  0.00      0                    0                0
2016/07/25 00:00:00 - 23:59:59  0.00      0                    0                0
2016/07/24 00:00:00 - 23:59:59  0.00      0                    0                0
2016/07/23 00:00:00 - 23:59:59  0.00      0                    0                0
2016/07/22 00:00:00 - 23:59:59  0.00      0                    0                0
2016/07/21 00:00:00 - 23:59:59  0.00      0                    0                0
2016/07/20 00:00:00 - 23:59:59  0.00      0                    0                0
2016/07/19 00:00:00 - 23:59:59  0.00      0                    0                0
2016/07/18 00:00:00 - 23:59:59  0.00      0                    0                0
2016/07/17 00:00:00 - 23:59:59  0.00      0                    0                0
2016/07/16 00:00:00 - 23:59:59  0.00      0                    0                0
2016/07/15 00:00:00 - 23:59:59  0.18      4619                 353              4264
2016/07/14 00:00:00 - 23:59:59  0.00      1749                 1164             582
2016/07/13 00:00:00 - 23:59:59  0.11      765                  396              367
2016/07/12 00:00:00 - 23:59:59  0.19      1751                 1166             582
2016/07/11 00:00:00 - 23:59:59  0.43      753                  408              345
2016/07/10 00:00:00 - 23:59:59  0.11      1745                 1177             568
2016/07/09 00:00:00 - 23:59:59  0.50      739                  399              338
2016/07/08 00:00:00 - 23:59:59  0.21      1746                 1168             578
Output Fields
Time: Time period covered by the reported data.
MVX Load (%): Cluster load during the period, as a percentage of total cluster capacity.
Submission Incoming: Number of submissions the cluster received.
Submission Done: Number of submissions that completed analysis.
Submission Dropped: Number of submissions that were dropped because the cluster was oversubscribed. A non-zero count means those objects were never analyzed, so the period is an analysis gap rather than a quiet one.
User Role Administrator, Monitor, or Operator
Command Mode Enable
Release Information This command was introduced as follows:
- CM Series: Release 7.9.0
Related Commands For a list of related commands, see CM Series Command Family on page 135.
show cmc mvx cluster stats hourly Shows hourly statistics for MVX cluster utilization. The Central Management Console (CMC) is the CM Series platform component that provides basic management and control capabilities for both the server (CM Series platform) and its clients (managed appliances).
Syntax show cmc mvx cluster <name> stats hourly
Parameters name
The name of the cluster.
Example The following example shows hourly statistics for Cluster-Acme:
nx-02 # show cmc mvx cluster Cluster-Acme stats hourly
MVX Cluster: Cluster-Acme
Time                            MVX Load  Submission Incoming  Submission Done  Submission Dropped
=================================================================================================
2016/07/26 22:00:00 - 22:59:59  0.00      0                    0                0
2016/07/26 21:00:00 - 21:59:59  0.00      0                    0                0
2016/07/26 20:00:00 - 20:59:59  0.00      0                    0                0
2016/07/26 19:00:00 - 19:59:59  1.34      2                    2                0
2016/07/26 18:00:00 - 18:59:59  0.00      0                    0                0
2016/07/26 17:00:00 - 17:59:59  0.00      0                    0                0
2016/07/26 16:00:00 - 16:59:59  0.00      0                    0                0
2016/07/26 15:00:00 - 15:59:59  0.00      0                    0                0
2016/07/26 14:00:00 - 14:59:59  2.86      3                    3                0
2016/07/26 13:00:00 - 13:59:59  0.00      0                    0                0
2016/07/26 12:00:00 - 12:59:59  0.00      0                    0                0
2016/07/26 11:00:00 - 11:59:59  0.00      0                    0                0
2016/07/26 10:00:00 - 10:59:59  0.00      0                    0                0
2016/07/26 09:00:00 - 09:59:59  0.00      0                    0                0
2016/07/26 08:00:00 - 08:59:59  0.00      0                    0                0
2016/07/26 07:00:00 - 07:59:59  0.00      0                    0                0
2016/07/26 06:00:00 - 06:59:59  0.00      0                    0                0
2016/07/26 05:00:00 - 05:59:59  0.00      0                    0                0
2016/07/26 04:00:00 - 04:59:59  0.00      0                    0                0
2016/07/26 03:00:00 - 03:59:59  0.00      0                    0                0
2016/07/26 02:00:00 - 02:59:59  0.00      0                    0                0
2016/07/26 01:00:00 - 01:59:59  0.00      0                    0                0
2016/07/26 00:00:00 - 00:59:59  0.00      0                    0                0
2016/07/25 23:00:00 - 23:59:59  0.00      0                    0                0
Output Fields
Time: Time period covered by the reported data.
MVX Load (%): Cluster load during the period, as a percentage of total cluster capacity.
Submission Incoming: Number of submissions the cluster received.
Submission Done: Number of submissions that completed analysis.
Submission Dropped: Number of submissions that were dropped because the cluster was oversubscribed. A non-zero count means those objects were never analyzed.
User Role Administrator, Monitor, or Operator
Command Mode Enable
Release Information This command was introduced as follows:
- CM Series: Release 7.9.0
Related Commands For a list of related commands, see CM Series Command Family on page 135.
show cmc mvx cluster Shows information about the specified cluster. The Central Management Console (CMC) is the CM Series platform component that provides basic management and control capabilities for both the server (CM Series platform) and its clients (managed appliances).
Syntax show cmc mvx cluster <name>
Parameters name
The name of the MVX cluster.
Example The following example shows information about Cluster-Acme:
nx-02 # show cmc mvx cluster Cluster-Acme
MVX Cluster: Cluster-Acme
  Health OK: yes
  Health severity: OK
  Master broker: vx-1
  Member node count: 2
  All connected: yes
  Description:
  Health Status:
    Nodes connected all: yes
    System configuration in sync: yes
    System software version match: yes
    Security content version match: yes
    Guest-images version match: yes
    Master Node Selected: yes
    Broker selected: yes
  Update Status:
    Latest OS version installed: no
    GI update available: no
  Member Status (Total 2 Nodes):
    Brokers:
      vx-1 (master)   10.11.121.12   ok
    Compute Nodes:
      vx-2            10.11.121.18   ok
User Role Administrator, Monitor, or Operator
Command Mode Enable
Release Information This command was introduced as follows:
- CM Series: Release 7.9.0
Related Commands For a list of related commands, see CM Series Command Family on page 135.
show cmc mvx status cluster-sizing config Shows utilization configuration data for the clusters managed by this CM Series platform. The Central Management Console (CMC) is the CM Series platform component that provides basic management and control capabilities for both the server (CM Series platform) and its clients (managed appliances).
Syntax show cmc mvx status cluster-sizing config
Parameters None
Example The following example shows the cluster-sizing configuration:
nx-02 # show cmc mvx status cluster-sizing config
MVX Cluster Sizing Configurations:
  Enabled: yes
  Utilization Warning Threshold: 80%
  Utilization Critical Threshold: 95%
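The stats daily and stats hourly tables above and the two utilization thresholds shown here are the inputs an operator actually needs to watch: dropped submissions are objects the cluster never analyzed, and load above the warning or critical threshold is the condition the sizing feature alerts on. The following script is an added example, not FireEye code: it parses the `show cmc mvx cluster <name> stats` table (the same layout for daily and hourly output) and the `show cmc mvx status cluster-sizing config` output, then reports drop events and threshold crossings. The sample text is constructed from the rows in this guide's examples plus one synthetic high-load row so the threshold branch is exercised; the column spacing is assumed to be whitespace-separated as printed.

```python
"""Added example: turn `show cmc mvx cluster <name> stats daily|hourly` and
`show cmc mvx status cluster-sizing config` output into ticket-worthy findings."""
import re

# Constructed sample of the stats output: rows taken from the guide's daily example,
# plus one synthetic row (2016/07/27) so the threshold logic is exercised.
SAMPLE_STATS = """\
MVX Cluster: Cluster-Acme
Time                            MVX Load  Submission Incoming  Submission Done  Submission Dropped
=================================================================================================
2016/07/27 00:00:00 - 23:59:59  97.50     5000                 4990             0
2016/07/26 00:00:00 - 23:59:59  0.00      0                    0                0
2016/07/15 00:00:00 - 23:59:59  0.18      4619                 353              4264
2016/07/14 00:00:00 - 23:59:59  0.00      1749                 1164             582
2016/07/11 00:00:00 - 23:59:59  0.43      753                  408              345
"""

# Constructed sample of the cluster-sizing configuration shown in the guide.
SAMPLE_SIZING = """\
MVX Cluster Sizing Configurations:
  Enabled: yes
  Utilization Warning Threshold: 80%
  Utilization Critical Threshold: 95%
"""

# One data row: "<start> - <end>  <load>  <incoming>  <done>  <dropped>"
ROW_RE = re.compile(
    r"^(?P<start>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) - (?P<end>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<load>\d+\.\d+)\s+(?P<incoming>\d+)\s+(?P<done>\d+)\s+(?P<dropped>\d+)$"
)


def parse_stats(text):
    """Return one dict per data row; header, ruler and cluster-name lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append({
                "period": f"{m['start']} - {m['end']}",
                "load": float(m["load"]),
                "incoming": int(m["incoming"]),
                "done": int(m["done"]),
                "dropped": int(m["dropped"]),
            })
    return rows


def parse_thresholds(text):
    """Return (warning_pct, critical_pct) from the cluster-sizing configuration."""
    levels = {}
    for m in re.finditer(r"Utilization (Warning|Critical) Threshold:\s*(\d+)%", text):
        levels[m.group(1).lower()] = int(m.group(2))
    return levels["warning"], levels["critical"]


def findings(rows, warn_pct, crit_pct):
    """Return (period, severity, message) tuples for anything worth a ticket."""
    out = []
    for r in rows:
        if r["dropped"]:
            # Dropped objects were never analyzed; report the share so the gap is sized.
            share = r["dropped"] / r["incoming"] if r["incoming"] else 0.0
            out.append((r["period"], "DROPPED",
                        f"{r['dropped']} of {r['incoming']} submissions ({share:.0%}) were not analyzed"))
        if r["load"] >= crit_pct:
            out.append((r["period"], "CRITICAL", f"MVX load {r['load']:.2f}% >= {crit_pct}%"))
        elif r["load"] >= warn_pct:
            out.append((r["period"], "WARNING", f"MVX load {r['load']:.2f}% >= {warn_pct}%"))
    return out


def report(stats_text, sizing_text):
    """Parse both outputs and return the combined findings, newest period first."""
    warn, crit = parse_thresholds(sizing_text)
    return findings(parse_stats(stats_text), warn, crit)


if __name__ == "__main__":
    for period, severity, message in report(SAMPLE_STATS, SAMPLE_SIZING):
        print(f"{period}  {severity:8s} {message}")
```

Feed it the captured output of both commands (for example, collected over SSH by a monitoring job) and page on any DROPPED or CRITICAL finding; the 2016/07/15 row in the guide's own data, where 92% of incoming submissions were dropped, is exactly the kind of day that would otherwise pass unnoticed because the load column stays near zero.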
User Role Administrator, Monitor, or Operator
Command Mode Enable
Release Information This command was introduced as follows:
- CM Series: Release 7.9.0
Related Commands For a list of related commands, see CM Series Command Family on page 135.
show cmc profiles Displays all currently configured profiles or the settings and commands in an individual profile. The Central Management Console (CMC) is the CM Series platform component that provides basic management and control capabilities for both the server (CM Series platform) and its clients (managed appliances).
Syntax show cmc profiles [<name>]
Parameters name
The name of the profile.
Example The following example displays an "acctmgt" profile with a comment and two commands. Profile commands are displayed verbatim, so a password set with username ... password appears in clear text in this output and in any capture of it.
hostname # show cmc profiles
Profile acctmgt
  Comment: Adds operator user account.
  Commands:
    1. username Operator3 role operator
    2. username Operator3 password evtk*643u
    ...
User Role Administrator, Monitor, or Operator
Command Mode Enable
Release Information This command was introduced as follows:
- CM Series: Before Release 6.4.0
Related Commands For a list of related commands, see CM Series Command Family on page 135.
show cmc rendezvous Displays current information about the rendezvous process. On the CM Series platform, this includes the list of clients that requested rendezvous and are waiting to be accepted. On appliances, this is the rendezvous status and whether the appliance is currently under management. The Central Management Console (CMC) is the CM Series platform component that provides basic management and control capabilities for both the server (CM Series platform) and its clients (managed appliances).
Syntax show cmc rendezvous
Parameters None
Examples The following example displays the rendezvous information from the NX Series appliance.
nx-02 # show cmc rendezvous
CMC rendezvous service name: cmc
CMC client:
  Server address: cmc
  Automatic rendezvous: no
  Initial retry delay (after boot or disconnect): 30 seconds
  Short retry interval (after unsuccessful announcement): 300 seconds
  Long retry interval (after successful announcement): 86400 seconds
  Include client address in rendezvous: yes
  Use client initiated connection's config for rendezvous: yes
  Under CMC management: yes
  How to authenticate to server for rendezvous:
    Authentication type: password
    Password for password auth: ********
The following example shows the rendezvous information from the CM Series platform. Because Auto-accept is disabled, a client that announces itself is held in the awaiting-approval list until an administrator accepts it.
cm-01 # show cmc rendezvous
CMC rendezvous service name: cmc
CMC server:
  Server rendezvous enabled: yes
  Auto-accept enabled: no
  No clients awaiting approval.
  Default authentication configuration for new clients:
    Authentication type: password
    password username: admin
    password password: ********
    ssh-dsa2 username:
    ssh-dsa2 identity:
    ssh-rsa2 username:
    ssh-rsa2 identity:
User Role Administrator, Monitor, or Operator
Command Mode Enable
Release Information This command was introduced as follows:
- CM Series: Before Release 7.5
Related Commands For a list of related commands, see CM Series Command Family on page 135.
show cmc server Displays general configuration information about the CM Series platform. The Central Management Console (CMC) is the CM Series platform component that provides basic management and control capabilities for both the server (CM Series platform) and its clients (managed appliances).
Syntax show cmc server
Parameters None
Example The following example displays CMC information about the CM Series platform.
cm-01 # show cmc server
CMC server enabled: yes
Enable proxied client requests: yes
Username for proxied client requests: cmcclient
Command execution timeout: 1 hour per command
Per-appliance bandwidth limit: unlimited
Server software version: CMS (CMS) 7.5.0.293263
User Role Monitor, Operator, or Administrator
Command Mode Enable
Release Information This command was introduced as follows:
- CM Series: Before Release 7.5
Related Commands For a list of related commands, see CM Series Command Family on page 135.
show cmc status Displays status information about the CM Series platform and its managed appliances. The Central Management Console (CMC) is the CM Series platform component that provides basic management and control capabilities for both the server (CM Series platform) and its clients (managed appliances).
Syntax show cmc status
Parameters None
Example The following example shows the status check settings and criteria, and then the status of each appliance that this CM Series platform can manage. When an appliance does not reply at all (ex-03 below), every check is reported as failed because nothing was received; those failures describe the lost connection, not the appliance's hardware or licensing.
cm-01 # show cmc status
Status checking enabled: yes
Check interval: 60 seconds
Timeout: 30 seconds
Status criteria:
  "alive" test enabled: yes
  "content_key" test enabled: yes
  "disk_space" test enabled: yes
  "eula" test enabled: yes
  "fan" test enabled: yes
  "feature" test enabled: yes
  "power_supply" test enabled: yes
  "product_key" test enabled: yes
  "raid" test enabled: yes
  "support_key" test enabled: yes
  "temperature" test enabled: yes
  "user_role" test enabled: yes
Appliance ex-03:
  Last checked: 2014/12/23 21:28:02
  Connected at last check: no
  Replied to last check: no
  Last check succeeded: no
  Failed checks:
    alive failed
    content_key failed
    disk_space failed
    eula failed
    fan failed
    feature failed
    power_supply failed
    product_key failed
    raid failed
    support_key failed
    temperature failed
    user_role failed
Appliance nx-02:
  Last checked: 2014/12/23 21:28:02
  Connected at last check: yes
  Replied to last check: yes
  Last check succeeded: yes
Appliance fx-04:
  Last checked: 2014/12/23 21:28:02
  Connected at last check: yes
  Replied to last check: yes
  Last check succeeded: no
  Failed checks:
    content_key failed
User Role Monitor, Operator, or Administrator
Command Mode Enable
Release Information This command was introduced as follows:
- CM Series: Before Release 7.5
Related Commands For a list of related commands, see CM Series Command Family on page 135.
show cmc Displays settings related to the management and control of appliances by the CM Series platform. This command shows whether functionality that allows the connection between the CM Series platform and the appliances, and that allows the CM Series platform to manage connected appliances, is enabled. The Central Management Console (CMC) is the CM Series platform component that provides basic management and control capabilities for both the server (CM Series platform) and its clients (managed appliances).
Syntax show cmc
Parameters None
Example The following example shows that both the CM Series platform and the appliances are enabled for management.
nx-02 # show cmc
CMC server enabled: yes
CMC client enabled: yes
User Role Administrator, Monitor, or Operator
Command Mode Enable
Release Information This command was introduced as follows:
- CM Series: Before Release 7.5
Related Commands For a list of related commands, see CM Series Command Family on page 135.
show cms peer-service Displays configuration information and data that is associated with a CM peer. Each administrator must verify the CM Peer Service connection to all CM peers. A status refresh is triggered in the following instances:
- Periodically, about every 1 to 5 minutes. Different interactions and different peers can be refreshed at different 1-minute to 5-minute intervals.
- Whenever any peer service configuration changes (for example, a new token is imported, a feature on a CM peer is disabled, and so on).
- When CM Series High Availability (HA) failover occurs (when the secondary becomes the new primary). For information about how the CM Peer Service (and associated features) works in an HA configuration, refer to the CM Series High Availability Guide.
The status might display "UNKNOWN" temporarily until the status is retrieved at the beginning of the refresh cycle. For details about the CM Peer Distributed Correlation and CM Peer Signature Sharing features, refer to the CM Series Administration Guide. For details about the CM Peer Update feature, refer to the CM Series High Availability Guide.
Syntax show cms peer-service [<peer_hostname>]
Parameters peer_hostname
Name of a CM peer. Without it, the command shows every configured peer.
Output Fields The following table describes the output fields for the command. Fields are listed in the approximate order in which they appear in the output.
CMS peer-service enabled: Whether the CM Peer Service is enabled on the participating CM Series platform.
Enabled: Communication status of a CM peer.
Hostname: Name of a CM peer.
Address: IP address of a CM peer.
Auth-token checksum: MD5 checksum of the authentication token for a CM peer. Compare it with the value shown on the other side to confirm that both peers imported the same token; it identifies the token but is not itself a credential.
Distributed CMS Correlation Enabled: Whether the CM Peer Distributed Correlation feature is enabled on a CM peer.
Status: Date and time when the status for CM Peer Distributed Correlation was retrieved.
Dynamic Threat Intelligence (DTI) Enabled: Whether DTI interaction is enabled between CM peers to share locally generated signatures with remote CM peers.
Proxy mode: Whether a CM peer can use a proxy server to connect to other remote CM peers.
Status: Date and time when the status for CM Peer Signature Sharing and the proxy server were retrieved.
Update Peer Enabled: Whether the CM Peer Update feature is enabled to send the new primary node's address information to the original primary node's peer after a failover. This feature allows seamless routing to the new primary node peer, and it is used in a CM Series HA configuration.
Status: Date and time when the status for CM Peer Update was retrieved.
Example The following example displays the status for all the connected CM peers.
hostname # show cms peer-service
CMS peer-service enabled:            yes
----------------------------------------------------------------------------
CMS peer barcelona:
  Enabled:                           yes
  Hostname:                          barcelona
  Address:                           10.2.140.73
  Auth-token checksum:               ee4ea5aa3e6e8c6799b6343978f1b271
  Interactions with peer:
    Distributed CMS Correlation:
      Enabled:                       yes
      Status:                        OK @ 2016/02/03 22:20:50
    Dynamic Threat Intelligence (DTI):
      Enabled:                       yes
      Proxy mode:                    No proxy
      Status:                        OK @ 2016/02/03 22:20:50
    Update Peer:
      Enabled:                       yes
      Status:                        OK @ 2016/02/03 22:13:51
----------------------------------------------------------------------------
CMS peer fire:
  Enabled:                           yes
  Hostname:                          eye
  Address:                           172.16.140.6
  Auth-token checksum:               b1c5f30f02427797b76fbe08fcc3580d
  Interactions with peer:
    Distributed CMS Correlation:
      Enabled:                       yes
      Status:                        OK @ 2016/02/03 22:20:50
    Dynamic Threat Intelligence (DTI):
      Enabled:                       yes
      Proxy mode:                    No proxy
      Status:                        OK @ 2016/02/03 22:20:50
    Update Peer:
      Enabled:                       yes
      Status:                        OK @ 2016/02/03 22:16:52
----------------------------------------------------------------------------
User Role Administrator
Command Mode Enable
Release Information This command was introduced as follows:
- CM Series: Release 7.8
Related Commands For a list of related commands, see CM Peer Service Command Family on page 70.
show compliance To display compliance with supported standards, use the show compliance command in enable mode. Related commands: show compliance options, show compliance standard, compliance apply standard
Syntax show compliance
User Role Administrator, Operator, or Monitor
Release Information Command introduced in Release 7.6.0.
Parameters None
Example The following example displays compliance with supported standards:
hostname # show compliance
FIPS: no
CC-NDPP: no
show compliance options To display compliance options, use the show compliance options command in enable mode.
Syntax show compliance options
User Role Administrator, Operator, or Monitor
Release Information Command introduced in Release 7.6.0.
Parameters None
Example The following example displays the compliance options:
hostname # show compliance options
Compliance Options:
  FIPS mode cryptography   : disabled
  Manual key configuration : enabled
  FTP/TFTP file transfers  : enabled
  HTTP file transfers      : enabled
  Restricted licenses      : enabled
  Secure channel logs      : disabled
  SCP path blacklist       : disabled
  SNMP cryptography limits : disabled
Related Commands For a list of related commands, see: Compliance Commands on page 74
show compliance standard To display the detailed compliance status for the specified standards, use the show compliance standard command in enable mode. Related commands: show compliance options, show compliance
Syntax show compliance standard {fips | cc-ndpp | all}
User Role Administrator, Operator, or Monitor
Release Information Command introduced in Release 7.6.0.
Parameters fips
Displays the detailed compliance status for the Federal Information Processing Standards (FIPS).
cc-ndpp
Displays the detailed compliance status for the Common Criteria Network Device Protection Profile (CC-NDPP).
all
Displays the detailed compliance status for all supported standards.
Example The following example displays the detailed compliance status for FIPS:
hostname # show compliance standard fips
Compliance criterion              FIPS
--------------------------------------------------
Audit logging                     no
Boot manager password             no
CMS backward compatibility        no
CMS peer service                  yes
Cryptography run in FIPS mode     no
DTI client                        no
DTI HTTP proxy                    no
File transfer protocols           no
Front panel                       no
HTTPS client                      no
HTTPS server                      no
Hardware model check              yes
IPMI                              no
IPsec                             yes
LDAP authentication               no
Local password security
Manual key configuration          no
RADIUS authentication             yes
Restricted licenses               no
Random number generator           yes
SCP path blacklist
Secure channel logs
SMTP                              no
SNMP                              no
SSH client                        no
SSH for CMS                       no
SSH minimum key length            no
SSH known host keys               no
SSH server                        no
SSL certificates                  no
Remote syslog encryption          yes
TACACS+ authentication            yes
show configuration audit Description Displays settings for configuration change auditing. Related commands: show configuration
Syntax show configuration audit
Parameters None
Example The following example displays configuration change auditing details. hostname # show configuration audit Maximum number of changes to log: 1000
show configuration Description Displays the CLI commands for the settings saved in the current active configuration file, or for the settings in the running configuration. The running configuration may include settings that have not been saved. The output reproduces license keys, encoded local passwords (the value after password 7) and SNMP community strings verbatim, as the example below shows; treat a saved copy of it as sensitive and redact those lines before attaching it to a support case or ticket. Related commands: show configuration audit and show configuration files
Syntax
show configuration
show configuration audit
show configuration files [filename]
show configuration full
show configuration subtree
show configuration running [full]
show configuration text
Parameters audit
Displays settings for configuration change auditing.
running
Displays commands to recreate the current running configuration.
full
Displays the configuration and does not exclude commands that set default values.
subtree
The root node of the node name for which commands are to be displayed.
files [filename]
Displays a list of configuration files, or the contents of a specified file.
text
Displays a list of available text-based configuration files.
Example The following example lists all CLI commands for the saved active configuration.
hostname # show configuration
##
## Active saved database "initial"
## Generated at 2012/02/03 02:06:33 +0000
## Hostname: WebMPS12
##
##
## License keys
##
license install LK2-AV_ENGINE_SOPHOS-0000-0000-0000-0000-0000-0000-0000-00000000-0000-0000
license install LK2-CONTENT_UPDATES-0000-0000-0000-0000-0000-0000-0000-00000000-00
license install LK2-FIREEYE_APPLIANCE-0000-0000-0000-0000-0000-0000-0000-00000000-0000-0000-0000-0000-0000-0000-0000-0000-N00
license install LK2-FIREEYE_SUPPORT-0000-0000-0000-0000-0000-0000-0000-0000-00001
license install LK2-FIREEYE_SUPPORT-0000-0000-0000-0000-0000-0000-0000-0000-00000000-0000-0000-0000-CF
license install LK2-RESTRICTED_CMDS-0000-0000-0000-0000-0000-0000-0000-00000000-0000-0000-0000-0000-0000-0000
##
## Network interface configuration
##
interface ether1 ip address 172.16.216.3 /12
no interface ether1 zeroconf
interface pether2 ip address 0.0.0.0 /0
##
## Routing configuration
##
ip default-gateway 172.16.1.1
##
## Other IP configuration
##
arp 172.16.216.3 01:23:45:67:89:AB
hostname exit
ip domain-list fireeye.com
ip name-server 172.16.2.1
##
## Logging configuration
##
logging files rotation criteria size 128
logging files rotation max-num 100
logging local override class mgmt-front priority info
##
## Local user account configuration
##
username admin access network enable
username admin password 7 $0$00000O00$00000000000000O0000000/
##
## AAA remote server configuration
##
# ldap bind-password ********
# radius-server key ********
# tacacs-server key ********
##
## AAA configuration
##
aaa authorization map default-user admin
##
## SNMP configuration
##
snmp-server community t562j48zC83gBxY4AM}Z5UW)tBvNZD(f ro
##
## Process Manager configuration
##
_debug pcaf-capture never
pm process dropd launch auto
pm process dropd launch enable
no pm process empsf launch enable
no pm process fip launch enable
pm process glmon launch auto
no pm process mta launch enable
pm process savdid launch auto
pm process savdid launch enable
##
## Network management configuration
##
# lcd password ********
_debug avc config vm_extract_files enable
_debug binary-analysis capture limit pdf size 0
_debug vmmd max-running-vms 12
alerts whitelist src ip 172.16.216.61
boot bootmgr password 7 $0$00000O00$00000000000000O0000000/.
no cli default auto-logout
no cli default paging enable
email domain storm.fireeye.com
email mailhub storm.fireeye.com
no fenet check-certificate
fenet license-control notify bandwidth-high
fenet security-content autoupdate daily at 23:50
fenet security-content download enable
fenet software-updates auto daily at 0:39
fenet stats-content types db-aggr
fenet stats-content types db-aggr enable
fenet stats-content types dmesg-aggr
fenet stats-content types dmesg-aggr enable
fenet stats-content types feusage-aggr
fenet stats-content types feusage-aggr enable
fenet stats-content types jconf-aggr
fenet stats-content types jconf-aggr enable
fenet stats-content types jlog-aggr
fenet stats-content types jlog-aggr enable
fenet stats-content types jpri-aggr
fenet stats-content types jpri-aggr enable
fenet stats-content types jstats-aggr
fenet stats-content types jstats-aggr enable
fenet stats-content types packetstats-aggr
fenet stats-content types packetstats-aggr enable
fenet stats-content types pcaps-aggr
fenet stats-content types pcaps-aggr enable
fenet stats-content types perfstats-aggr
fenet stats-content types perfstats-aggr enable
fenet stats-content types rt-stats-aggr
fenet stats-content types rt-stats-aggr enable
fenet stats-content types sysconf-aggr
fenet stats-content types sysconf-aggr enable
fenet stats-content types syslog-aggr
fenet stats-content types syslog-aggr enable
fenet stats-content types techinfo-aggr
fenet stats-content types techinfo-aggr enable
fenet stats-content types wuilog-aggr
fenet stats-content types wuilog-aggr enable
fenet stats-content upload auto hourly at 10
fenet user testing password *****
fenotify alert binary-analysis
fenotify alert binary-analysis enable
no fenotify alert domain-match enable
no fenotify alert infection-match enable
no fenotify alert malware-callback enable
fenotify alert mw-analysis-done
no fenotify alert mw-analysis-done enable
forensic analysis enable
guest-images disable-list win7-sp1
malware analyze config vms 25
report schedule run daily at 08:00 type eMPS/Email_Executive_Summary time_frame past_week report_format pdf transport file
report schedule run hourly at 00 type MPS/Callback_Server_Report time_frame past_day report_format csv transport email
resolver cache enable
web-analysis greylists enable
##
## CMC configuration
##
# cmc client server auth password password ********
# cmc rendezvous client auth password password ********
cmc client available
cmc client enable
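The dump above masks some secrets itself (the ldap, radius, tacacs and cmc lines are commented out with asterisks) but prints license keys, the encoded admin and boot-manager passwords, and the SNMP community string in full. The following script is an added example, not FireEye code, for scrubbing a captured `show configuration` before it is shared: it matches only the line shapes visible in this guide's example (license install, username ... password 7, boot bootmgr password 7, snmp-server community), and the sample input is a constructed excerpt of that output with placeholder values. Any other secret-bearing command on your platform needs its own pattern added to the list.

```python
"""Added example: redact the secrets that `show configuration` prints in clear
(license keys, encoded passwords after `password 7`, SNMP community strings)
before the output is attached to a ticket or pasted into chat."""
import re

# Constructed excerpt modelled on the guide's example output (keys and hashes are placeholders).
SAMPLE_CONFIG = """\
## License keys
license install LK2-FIREEYE_APPLIANCE-0000-0000-0000-0000-0000-0000-0000-0000-N00
##
## Local user account configuration
##
username admin access network enable
username admin password 7 $0$00000O00$00000000000000O0000000/
## SNMP configuration
snmp-server community t562j48zC83gBxY4AM}Z5UW)tBvNZD(f ro
boot bootmgr password 7 $0$00000O00$00000000000000O0000000/.
ip default-gateway 172.16.1.1
"""

# (label, pattern, replacement): group 1 keeps the command prefix, the secret itself is replaced.
REDACTIONS = [
    ("license key", re.compile(r"^(license install )\S+"), r"\1<REDACTED>"),
    ("encoded password", re.compile(r"^((?:username \S+|boot bootmgr) password 7 )\S+"), r"\1<REDACTED>"),
    ("SNMP community", re.compile(r"^(snmp-server community )\S+"), r"\1<REDACTED>"),
]


def redact_config(text):
    """Return (redacted text, {label: number of lines changed})."""
    counts, out = {}, []
    for line in text.splitlines():
        for label, pattern, replacement in REDACTIONS:
            new_line, n = pattern.subn(replacement, line)
            if n:
                counts[label] = counts.get(label, 0) + n
                line = new_line
                break  # each line carries at most one secret class
        out.append(line)
    return "\n".join(out) + "\n", counts


def leaked_secrets(text):
    """Lines that still carry an unredacted secret; run this on the output before sharing it."""
    return [line for line in text.splitlines()
            if any(p.match(line) and "<REDACTED>" not in line for _, p, _ in REDACTIONS)]


if __name__ == "__main__":
    redacted, counts = redact_config(SAMPLE_CONFIG)
    print(redacted)
    print("redacted:", counts, "remaining:", leaked_secrets(redacted))
```

The counts let a reviewer see at a glance that the expected number of keys and passwords were touched, and `leaked_secrets` is the final gate: an empty list is the condition for attaching the file anywhere outside the appliance.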
show configuration files Description Displays all the configuration files on the system, or shows the CLI commands for a specified configuration file. Related commands: show configuration
Syntax show configuration files [file_name]
Parameters file_name
Name of the configuration file containing the CLI commands you want to view. The CLI commands for the default settings are excluded, so a configuration with the factory default settings will appear empty. To view those commands for the active or running configuration, refer to show configuration.
Example The following example lists all the configuration files. hostname # show configuration files initial (active) initial.bak
show crypto certificate bundle Shows the certificates that have been added to a bundle. If a bundle name is specified, the attributes of each certificate in that bundle are displayed. If no bundle name is specified, the names of all certificate bundles are listed. A comment recording the source is added automatically when you import a certificate bundle. The following important attributes are provided for each certificate:
- Subject
- Public Key
- Serial Number
- Valid to (expiration date)
- Key Usage
- Subject Alternative Name
For details about how to configure a CA certificate bundle, refer to the "Configuring CAC for Certificate Authentication" appendix of the System Administration Guide.
Syntax show crypto certificate bundle [<bundle_name>] [pem]
Parameters bundle_name
(Optional) Name of the certificate bundle. The bundle must be named client-cert-auth.
pem
(Optional) Displays the certificate bundle as a PEM-encoded (Privacy Enhanced Mail, base64 ASCII) string. PEM is an encoding, not encryption; the certificates it carries are public.
Output Fields The following table describes the output fields for the show crypto certificate bundle command. Fields are listed in the approximate order in which they appear in the output.
Certificate bundle: Name of the certificate bundle.
Certificate with name: Name of the certificate that has already been configured.
Certificate Type: The public key algorithm of the certificate's key pair. Valid values are ECDSA and RSA.
Private Key: Whether a matching private key for the certificate is present. For the CA certificates in the client-cert-auth bundle it is normally not present.
Serial Number: A unique number that the issuer assigned to the certificate.
SHA-1 Fingerprint: SHA-1 hash of the DER-encoded certificate. Use it to identify the certificate and to confirm that what the appliance holds is the certificate you intended to import.
Starts: The date and time from which the certificate is valid.
Expires: The date and time at which the certificate expires.
Common Name: Common Name (CN) entry from the Distinguished Name (DN) attribute that is associated with a certificate.
Country: The country code of the country where your organization is located.
State or Province: The state or province where your organization is located.
Locality: The city or locality where your organization is located.
Organization: The legal name of your organization.
Organizational Unit: The department or unit in your organization using the certificate.
Example The following example shows the attributes of each certificate that has been added to the bundle.
hostname # show crypto certificate bundle client-cert-auth
Certificate bundle 'client-cert-auth':
  Certificate with name 'client-cert-auth-0235cfce'
    Certificate Type:     RSA
    Private Key:          not present
    Serial Number:        0xfd65e002d268c9bc
    SHA-1 Fingerprint:    c2f4c9ea8a283957e49689237150c80d4560c571
    Validity:
      Starts:             2016/07/12 07:13:09
      Expires:            2026/07/10 07:13:09
    Subject:
      Common Name:        vps1_root_ca_1
      Country:            US
      State or Province:  CA
      Locality:           Milpitas
      Organization:       FireEye
      Organizational Unit: CAou
    Issuer:
      Common Name:        vps1_root_ca_1
      Country:            US
      State or Province:  CA
      Locality:           Milpitas
      Organization:       FireEye
      Organizational Unit: CAou
  Certificate with name 'client-cert-auth-5feb5ce1'
    Certificate Type:     RSA
    Private Key:          not present
    Serial Number:        0x1001
    SHA-1 Fingerprint:    12d57293f558e5090502b24fdac4cdaa76360fcd
    Validity:
      Starts:             2016/09/10 15:36:21
      Expires:            2026/09/08 15:36:21
    Subject:
      Common Name:        vps1_ca_2
      Country:            US
      State or Province:  CA
      Locality:           Milpitas
      Organization:       FireEye
      Organizational Unit: CAou
    Issuer:
      Common Name:        vps1_root_ca_1
      Country:            US
      State or Province:  CA
      Locality:           Milpitas
      Organization:       FireEye
      Organizational Unit: CAou
The following example shows the list of all the certificate bundle names.
hostname # show crypto certificate bundle
Bundle name          Comment
=============================================================================
client-cert-auth     Imported from http://builds.eng.fireeye.com/~john.does/vps1-cacerts.pem
User Role Administrator
Command Mode Enable
Release Information This command was introduced as follows:
- CM Series: Release 7.9.1
- NX Series: Release 7.9.1
- VX Series: Release 7.9.1
Related Commands For a list of related commands, see CAC Commands on page 67.
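The listing above is what an operator checks before a CAC bundle silently expires; the following added example (not FireEye code) parses that "Label: value" layout and reports each member certificate's days to expiry and whether it is self-signed. The sample text is constructed from the values in the example above, and the reference time is passed in as a string so the result is reproducible.

```python
"""Audit the member certificates of a 'show crypto certificate bundle' listing.

Added example, not FireEye code. It walks the appliance's indented
"Label: value" output, keeps the Validity/Subject/Issuer sub-blocks apart,
and reports how many days each certificate has left.
"""
import re
from datetime import datetime

# Constructed sample modelled on the CLI reference example above;
# names, fingerprints and dates are the ones printed there.
SAMPLE_OUTPUT = """\
Certificate bundle 'client-cert-auth':
  Certificate with name 'client-cert-auth-0235cfce'
    Certificate Type:    RSA
    Private Key:         not present
    Serial Number:       0xfd65e002d268c9bc
    SHA-1 Fingerprint:   c2f4c9ea8a283957e49689237150c80d4560c571
    Validity:
      Starts:            2016/07/12 07:13:09
      Expires:           2026/07/10 07:13:09
    Subject:
      Common Name:       vps1_root_ca_1
      Organization:      FireEye
    Issuer:
      Common Name:       vps1_root_ca_1
  Certificate with name 'client-cert-auth-5feb5ce1'
    Certificate Type:    RSA
    Private Key:         not present
    Serial Number:       0x1001
    SHA-1 Fingerprint:   12d57293f558e5090502b24fdac4cdaa76360fcd
    Validity:
      Starts:            2016/09/10 15:36:21
      Expires:           2026/09/08 15:36:21
    Subject:
      Common Name:       vps1_ca_2
    Issuer:
      Common Name:       vps1_root_ca_1
"""

TIME_FMT = "%Y/%m/%d %H:%M:%S"
CERT_RE = re.compile(r"^\s*Certificate with name '([^']+)'")
KV_RE = re.compile(r"^(\s*)([A-Za-z0-9 -]+):\s*(.*)$")


def parse_bundle(text):
    """Return one dict per member certificate; nested fields become "Section.Label"."""
    certs = []
    section, section_indent = None, 0
    for line in text.splitlines():
        m = CERT_RE.match(line)
        if m:
            certs.append({"name": m.group(1)})
            section = None
            continue
        m = KV_RE.match(line)
        if not m or not certs:
            continue  # bundle header line, or text before the first certificate
        indent, key, value = len(m.group(1)), m.group(2).strip(), m.group(3).strip()
        if section is not None and indent <= section_indent:
            section = None  # indentation dropped back: the nested block ended
        if value == "":
            section, section_indent = key, indent  # "Validity:", "Subject:", "Issuer:"
            continue
        certs[-1][f"{section}.{key}" if section else key] = value
    return certs


def audit_bundle(text, now, warn_days=90):
    """Classify each certificate against `now`, a "YYYY/MM/DD HH:MM:SS" string."""
    now_dt = datetime.strptime(now, TIME_FMT)
    findings = []
    for cert in parse_bundle(text):
        starts = datetime.strptime(cert["Validity.Starts"], TIME_FMT)
        expires = datetime.strptime(cert["Validity.Expires"], TIME_FMT)
        days_left = (expires - now_dt).days
        if now_dt < starts:
            state = "not-yet-valid"
        elif days_left < 0:
            state = "expired"
        elif days_left <= warn_days:
            state = "expiring"
        else:
            state = "ok"
        subject, issuer = cert.get("Subject.Common Name"), cert.get("Issuer.Common Name")
        findings.append({
            "name": cert["name"], "subject": subject, "issuer": issuer,
            "self_signed": subject == issuer,  # a root CA carried in the bundle
            "fingerprint": cert.get("SHA-1 Fingerprint"),
            "days_left": days_left, "state": state,
        })
    return findings


if __name__ == "__main__":
    for f in audit_bundle(SAMPLE_OUTPUT, "2026/05/01 00:00:00"):
        print(f"{f['name']}: {f['state']}, {f['days_left']} days left, issuer {f['issuer']}")
```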
show crypto certificate ca-chain Use this command to view all CA certificate chains and their member certificates.
Syntax show crypto certificate ca-chain
Parameters None
Example The following example shows all CA certificate chains and their member certificates. hostname # show crypto certificate ca-chain
User Role Monitor, Operator, and Administrator
Command Mode Enable
Release Information This command was introduced as follows:
- CM Series: Release 7.9.1
- NX Series: Release 7.9.1
- VX Series: Release 7.9.1
- FX Series: Release 7.5
show crypto certificate ca-chain brief Use this command to view all CA certificate chains and the names of their member certificates.
Syntax show crypto certificate ca-chain brief
Parameters None
Example The following example shows brief information about all CA certificate chains. hostname # show crypto certificate ca-chain brief
User Role Monitor, Operator, and Administrator
Command Mode Enable
Release Information This command was introduced as follows:
- CM Series: Release 7.9.1
- NX Series: Release 7.9.1
- VX Series: Release 7.9.1
- FX Series: Release 7.5
show crypto certificate ca-chain chain-name Use this command to view information about the named CA certificate chain.
Syntax show crypto certificate ca-chain chain-name
Parameters chainName
The name of the CA chain. The name must begin with a letter or number. The remaining characters in the name can be letters, numbers, periods (.), dashes (-), and underscores (_).
Example The following example shows the "apache03" Web server CA certificate chain.
hostname # show crypto certificate ca-chain chain-name apache03
CA chain name apache03 (web-server):
  Certificate with name 'apache03-1'
    Chained CA member certificate (may only be deleted through the chain)
    Certificate Type:    RSA
    Private Key:         not present
    Serial Number:       0x1xxx
    SHA-1 Fingerprint:   4xxxxxx
    Validity:            ...
    Subject:
      Common Name:       acme-intermediate
      ...
    Issuer:
      Common Name:       xxx-intermediate
      ...
  Certificate with name 'apache03-2'
    Chained CA member certificate (may only be deleted through the chain)
    Certificate Type:    RSA
    Private Key:         not present
    Serial Number:       0x2xxx
    SHA-1 Fingerprint:   8xxxxxx
    Validity:            ...
    Subject:
      Common Name:       xxx-intermediate
      ...
    Issuer:
      Common Name:       xxx-root-ca
      ...
  Certificate with name 'apache03-3'
    Chained CA member certificate (may only be deleted through the chain)
    Certificate Type:    RSA
    Private Key:         not present
    Serial Number:       03xxx
    SHA-1 Fingerprint:   7xxxxxx
    Validity:            ...
    Subject:
      Common Name:       xxx-root-ca
      ...
    Issuer:
      Common Name:       xxx-root-ca
      ...
User Role Monitor, Operator, and Administrator
Command Mode Enable
Release Information This command was introduced as follows:
- CM Series: Release 7.9.1
- NX Series: Release 7.9.1
- VX Series: Release 7.9.1
- FX Series: Release 7.5
show crypto certificate ca-chain chain-name brief Use this command to view the named CA certificate chain and the names of its member certificates.
Syntax show crypto certificate ca-chain chain-name brief
Parameters chainName
The name of the CA chain. The name must begin with a letter or number. The remaining characters in the name can be letters, numbers, periods (.), dashes (-), and underscores (_).
Example The following example shows brief information about the "apache03" Web server CA certificate chain. hostname # show crypto certificate ca-chain chain-name apache03 brief
User Role Monitor, Operator, and Administrator
Command Mode Enable
Release Information This command was introduced as follows:
- CM Series: Release 7.9.1
- NX Series: Release 7.9.1
- VX Series: Release 7.9.1
- FX Series: Release 7.5
show crypto certificate ca-chain chain-name detail Use this command to view the named CA certificate chain and its member certificates in detail.
Syntax show crypto certificate ca-chain chain-name detail
Parameters chainName
The name of the CA chain. The name must begin with a letter or number. The remaining characters in the name can be letters, numbers, periods (.), dashes (-), and underscores (_).
Example The following example shows the "apache03" Web server CA certificate chain in detail. hostname # show crypto certificate ca-chain chain-name apache03 detail
User Role Monitor, Operator, and Administrator
Command Mode Enable
Release Information This command was introduced as follows:
- CM Series: Release 7.9.1
- NX Series: Release 7.9.1
- VX Series: Release 7.9.1
- FX Series: Release 7.5
show crypto certificate ca-chain detail Use this command to view all CA certificate chains and their member certificates in detail.
Syntax show crypto certificate ca-chain detail
Parameters None
Example The following example shows detailed information about all CA certificate chains and their member certificates. hostname # show crypto certificate ca-chain detail
User Role Monitor, Operator, and Administrator
Command Mode Enable
Release Information This command was introduced as follows:
- CM Series: Release 7.9.1
- NX Series: Release 7.9.1
- VX Series: Release 7.9.1
- FX Series: Release 7.5
show crypto certificate decode raw pem Shows the raw openssl x509 output decoded from a valid X.509 certificate Privacy Enhanced Mail (PEM) string. The command shows information about the PEM-encoded certificate and any errors found during decoding. For details about how to configure a CA certificate bundle, refer to the "Configuring CAC for Certificate Authentication" appendix of the System Administration Guide.
Syntax show crypto certificate decode raw pem [quoted_PEM_String]
Parameters
quoted_PEM_String
    (Optional) The PEM-encoded ASCII string of the certificate, enclosed in double quotation marks.
Example The following example shows the raw openssl x509 output that is decoded from a valid X.509 certificate PEM string.
hostname # show crypto certificate decode raw pem """-----BEGIN CERTIFICATE-----
MIIFpTCCA42gAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwbTELMAkGA1UEBhMCVVMx
EzARBgNVBAgMCkNhbGlmb3JuaWExFDASBgNVBAoMC0ZpcmVleWUgSW5jMRQwEgYD
...
vURBPtSwN1/pylT/1A6zyIHzrwWBxLUY01ycq3egkfIcGW/85OQJOx2SG4AzvrKR
QIkfy/98EI8f
-----END CERTIFICATE-----"""
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4096 (0x1000)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, ST=California, O=Fireeye Inc, OU=Engineering, CN=Buzz Intermediate CA
        Validity
            Not Before: Oct 27 22:20:09 2016 GMT
            Not After : Nov  6 22:20:09 2017 GMT
        Subject: C=US, ST=California, L=Milpitas, O=Fireeye Inc, OU=Engineering, CN=172.16.216.20
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:d4:49:53:c5:f4:e7:22:cd:86:57:c2:e1:78:f4:
                    a4:c1:93:94:aa:35:8c:fa:c1:47:32:10:aa:c3:31:
                    ...
                    4a:b5
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Cert Type:
                SSL Server
            Netscape Comment:
                OpenSSL Generated Server Certificate
            X509v3 Subject Key Identifier:
                94:FF:B7:E7:38:F6:62:3D:7C:2D:DC:1F:AF:D2:C7:DD:C4:96:6B:87
            X509v3 Authority Key Identifier:
                keyid:21:01:9E:EE:8C:D9:0E:A3:61:35:8D:37:03:BB:33:26:4C:79:76:0E
                DirName:/C=US/ST=California/L=Milpitas/O=Fireeye Inc/OU=Engineering/CN=Buzz Root CA
                serial:10:00
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
    Signature Algorithm: sha256WithRSAEncryption
         a0:b1:d7:fc:0e:ec:a7:f1:4d:81:c6:29:7b:51:7d:44:96:3a:
         88:da:f0:c3:0d:dd:a2:d6:ea:48:58:c2:d2:ef:d1:9d:99:54:
         df:c5:9c:31:6e:bf:13:c3:7c:d6:26:ab:e5:62:88:e2:38:dd:
         ...
         89:1f:cb:ff:7c:10:8f:1f
User Role Administrator
Command Mode Enable
Release Information This command was introduced as follows:
- CM Series: Release 7.9.1
- NX Series: Release 7.9.1
- VX Series: Release 7.9.1
Related Commands For a list of related commands, see CAC Commands on page 67.
show crypto certificate
Description Displays the appliance's cryptographic certificate information.
Syntax
show crypto certificate
show crypto certificate ca-list
show crypto certificate ca-list default-ca-list
show crypto certificate default-cert
show crypto certificate default-cert detail
show crypto certificate default-cert public-pem
show crypto certificate detail
show crypto certificate name
show crypto certificate name detail
show crypto certificate name public pem
show crypto certificate public-pem
See also show crypto certificate ca-chain on page 1439 and its variations listed in Cryptographic Commands on page 76.
Parameters
ca-list | default-ca-list
    Show a list of configured trusted certificate authorities (CA), or the list of configured default supplemental trusted CA names.
default-cert
    Show the currently configured default certificate.
    - detail—Show the default certificate details.
    - public-pem—Show the PEM contents of the default certificate.
detail
    Show the details of all certificates in the system.
name cert-name [detail]
    Show all details of the specified crypto certificate name.
public-pem
    Show the PEM contents of all certificates in the system.
Example
hayabusa (config) # show crypto certificate default-cert
Certificate with name 'system-self-signed' (default-cert)
  Comment: system-generated self-signed certificate
  Private Key: present
  Serial Number: 0x542cce046007b2fec9fcc7155d67df90
  SHA-1 Fingerprint: 4f7c81c4eaca8ee68540cc43073507e397b90603
  Validity:
    Starts: 2013/06/05 15:16:43
    Expires: 2014/06/05 15:16:43
  Subject:
    Common Name: hay
    Country: US
    State or Province: California
    Locality: Milpitas
    Organization: FireEye, Inc.
    Organizational Unit: Network Security Management
    E-mail Address: admin
  Issuer:
    Common Name: hayabusa
    Country: US
    State or Province: California
    Locality: Milpitas
    Organization: FireEye, Inc.
    Organizational Unit: Network Security Management
    E-mail Address: admin
show crypto ipsec This command is now deprecated. It will be removed in a future release.
Description Displays the appliance’s cryptographic configuration and state.
Syntax show crypto ipsec [brief | configured | ike {brief} | policy | sa]
Parameters
brief
    Displays IPsec peering configuration and status summary.
configured
    Displays IPsec peering configuration.
ike
    Displays IPsec peering state for IKE.
policy
    Displays IPsec policy database state.
sa
    Displays IPsec SA (Security Association) database state.
Example The following example displays IPsec peering configuration. hostname (config) # show crypto ipsec configured
show custom content enable status Displays whether a CM Series platform can receive indicator (IOC) customizations from a third-party feed and distribute them to all managed NX Series appliances or a specific managed NX Series appliance.
Syntax show custom content enable status
Parameters None
Example The following example shows that a CM Series platform is enabled to receive IOC customizations from a third-party feed and distribute them to all managed NX Series appliances:
cm-hostname # show custom content enable status
CMS status
  CM-1              : enabled
LMS status
  B9-vNX2500-1      : enabled
  B9-vNX6500-1      : enabled
  Bolt              : enabled
  SystemVX12500-1   : enabled
  SystemVX12500-2   : enabled
The following example shows that the third-party IOC feed feature is disabled on a managed NX Series appliance:
nx-hostname > show custom content enable status
Custom content : disabled
User Role Administrator
Command Mode Enable
Release Information This command was introduced as follows:
- CM Series: Release 7.9
- NX Series: Release 7.9
Related Commands For a list of related commands, see the Third-Party IOC Feeds Command Family on page 125:
- custom content enable on page 453
- custom content enable on lms on page 455
- show custom content enable status on the previous page
- show custom content feed status on the next page
show custom content feed status Displays the status of IOC customizations, the total number of third-party feeds, and the total number of all the custom blacklist entries that you configured on managed NX Series appliances from the CM Series platform.
Syntax show custom content feed status
Parameters None
Example The following example shows the output for all managed NX Series appliances from the CM Series platform with a total of five source feeds:
hostname # show custom content feed status
Total no. of feeds: 5
Total count of all entries in feeds : 22
custom_feed_1
  source: custom feed test
  action: alert
  type : url
  url count : 6
  update_date : 2016/06/27 22:38:26
custom_feed_2
  source: IP feed
  action: alert
  type : ip
  ip count : 4
  update_date : 2016/06/27 22:24:25
custom_feed_3
  source: URL flat file
  action: alert
  type : url
  url count : 6
  update_date : 2016/06/27 22:26:15
custom_feed_4
  source: STIX domain watchlist
  action: block
  type : stix
  domain count : 3
  update_date : 2016/06/27 22:32:45
custom_feed_5
  source: STIX URL watchlist
  action: alert
  type : stix
  url count : 3
  update_date : 2016/06/27 22:34:03
User Role Administrator
Command Mode Enable
Release Information This command was introduced as follows:
- CM Series: Release 7.9
Related Commands For a list of related commands, see the Third-Party IOC Feeds Command Family on page 125:
- custom content enable on page 453
- custom content enable on lms on page 455
- show custom content enable status on page 1452
- show custom content feed status on the previous page
show deployment check network To display information about network deployment checking on an NX Series appliance, enter the show deployment check network command in enable mode. This command requires the Monitor, Analyst, Operator, or Admin role. You can also run this command remotely from the command line of an integrated FireEye CM Series platform using the central management platform proxying mechanism.
Syntax show deployment check network [ config | status [ detail ]]
Parameters
config
    (Optional) Display network deployment check configuration information only.
status
    (Optional) Display network deployment check status information only.
status detail
    (Optional) Display network deployment check detailed status information only.
Description This command displays network deployment checking configuration and status information. For more information, see the NX Series System Administration Guide.
Output Fields The following table describes the output fields for the command. Fields are listed in the approximate order in which they appear in the output.
Latest deployment check is still running. Following is status for previous check:
    If you run the command while a previous network deployment check is in progress, this message appears. The remainder of the command output shows the results of the previous network deployment check.
Packet Capture Duration
    Maximum packet capture duration as configured by the deployment check network duration command.
Status
    Overall result of the packet capture analysis:
    - success—No network deployment errors were detected.
    - failed—Network deployment check errors were found.
Start time
    Date and time the packet capture started.
End time
    Date and time the analysis finished.
Following errors were detected
    For the status form of the command, this field is followed by the list of network deployment check errors found in the packet capture.
Captured data size (bytes)
    Size (in bytes) of the packet capture analyzed.
Captured packet count
    Size (in packets) of the packet capture analyzed. If this number is below a system-defined threshold, an asterisk ('*') marks the value as a possible network deployment problem.
Re-transmit packet count
    Number of packets retransmitted. If this number exceeds a system-defined threshold, an asterisk ('*') marks the value as a possible network deployment problem.
Dup ACK packet count
    Number of TCP DUP ACK records in the capture. If this number exceeds a system-defined threshold, an asterisk ('*') marks the value as a possible network deployment problem.
Out-of-order packet count
    Number of reordered packets in the capture. If this number exceeds a system-defined threshold, an asterisk ('*') marks the value as a possible network deployment problem.
Acked unseen packet count
    Number of TCP ACKed unseen segments in the capture. If this number exceeds a system-defined threshold, an asterisk ('*') marks the value as a possible network deployment problem.
Previous seg not captured packet count
    Number of packets that arrived with a sequence number greater than the next expected sequence number on that connection. If this number exceeds a system-defined threshold, an asterisk ('*') marks the value as a possible network deployment problem.
Malformed packet count
    Number of packets in the capture that are malformed. A sender might transmit a malformed packet, or a packet can become corrupted in transit. If this number exceeds a system-defined threshold, an asterisk ('*') marks the value as a possible network deployment problem.
Stream count
    Number of active streams in the capture. If this number exceeds a system-defined threshold, an asterisk ('*') marks the value as a possible network deployment problem.
Asymmetric stream count
    Number of asymmetric streams in the capture. If this number exceeds a system-defined threshold, an asterisk ('*') marks the value as a possible network deployment problem.
Message: Captured network output is available in file deployment_check.pcap. It can be uploaded with 'file tcpdump upload deployment_check.pcap'.
    You can upload the captured and analyzed network traffic by using the file tcpdump command in configuration mode.
Message: Please run 'deployment check network start'
    If you clear the results of the last network deployment check, this message appears when you enter the following forms of the command:
    - show deployment check network
    - show deployment check network status
    - show deployment check network status detail
    If you clear the results of the last network deployment check, the packet capture itself remains intact and downloadable from the deployment_check.pcap file.
Examples
- show deployment check network (Success)
- show deployment check network (Failure)
- show deployment check network status detail (Check Still Running and Previous Check Failed)
- show deployment check network status detail (Last Results Are Cleared)
- show deployment check network (Initiated on CM Series for Managed Appliance 'NX-1')

show deployment check network (Success)
hostname # show deployment check network
Network deployment check configuration:
  Packet Capture Duration: 120
Network deployment check status:
  Status: success
  Start time: 2014/07/21 00:00:00
  End time: 2014/07/21 00:00:19
  Captured data size (bytes): 10712908
  Message: Captured network output is available in file deployment_check.pcap. It can be uploaded with 'file tcpdump upload deployment_check.pcap'.

show deployment check network (Failure)
hostname # show deployment check network
Network deployment check configuration:
  Packet Capture Duration: 120
Network deployment check status:
  Status: failed
  Start time: 2014/07/24 08:36:05
  End time: 2014/07/24 08:36:17
  Captured data size (bytes): 10981436
  Following errors were detected:
    Out-Of-Order packet count: 17892
  Message: Captured network output is available in file deployment_check.pcap. It can be uploaded with 'file tcpdump upload deployment_check.pcap'.

show deployment check network status detail (Check Still Running and Previous Check Failed)
hostname # show deployment check network status detail
Latest deployment check is still running. Following is status for previous check
Network deployment check status:
  Status: failed
  Start time: 2014/07/24 08:44:38
  End time: 2014/07/24 08:44:48
  Captured data size (bytes): 10691225
  Captured packet count: 97239
  Re-transmit packet count: 12079
  Dup ACK packet count: 870
  Out-Of-Order packet count: 21303 *
  Acked unseen packet count: 162
  Previous seg not captured packet count: 4180
  Malformed packet count: 0
  Stream count: 1260
  Asymmetric stream count: 94
  Message: Captured network output is available in file deployment_check.pcap. It can be uploaded with 'file tcpdump upload deployment_check.pcap'.
  * Indicates error

show deployment check network status detail (Last Results Are Cleared)
hostname # show deployment check network status detail
Network deployment check status:
  Message: Please run 'deployment check network start'

show deployment check network (Initiated on CM Series for Managed Appliance 'NX-1')
hostname (config) # cmc execute appliance NX-1 command "show deployment check network"
============Appliance NX-1=====================
Execution was successful.
Execution output:
Network deployment check configuration:
  Packet Capture Duration: 60
Network deployment check status:
  Status: success
  Start time: 2014/08/25 00:00:00
  End time: 2014/08/25 00:00:14
  Captured data size (bytes): 9910710
  Message: Captured network output is available in file deployment_check.pcap. It can be uploaded with 'file tcpdump upload deployment_check.pcap'.
Release Information Command introduced in Release 7.4.0 for NX Series appliances.
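The asterisk convention in the output fields above is what makes the detail listing machine-checkable; the following added example (not FireEye code) parses a status detail listing, collects the counters, records which ones the appliance flagged with '*', and recognises the "still running" and "results cleared" messages. The sample listings are constructed from the examples above.

```python
"""Interpret 'show deployment check network status detail' output.

Added example, not FireEye code. The appliance appends '*' to a counter
that crosses its system-defined threshold (see the output fields table);
this parser collects the counters, records which ones are flagged, and
recognises two special cases: a check still running (the listing then
describes the previous check) and results that were cleared.
"""
import re

# Constructed sample modelled on the "Check Still Running and Previous
# Check Failed" example in the reference.
SAMPLE_DETAIL = """\
Latest deployment check is still running. Following is status for previous check
Network deployment check status:
  Status: failed
  Start time: 2014/07/24 08:44:38
  End time: 2014/07/24 08:44:48
  Captured data size (bytes): 10691225
  Captured packet count: 97239
  Re-transmit packet count: 12079
  Dup ACK packet count: 870
  Out-Of-Order packet count: 21303 *
  Acked unseen packet count: 162
  Previous seg not captured packet count: 4180
  Malformed packet count: 0
  Stream count: 1260
  Asymmetric stream count: 94
  Message: Captured network output is available in file deployment_check.pcap. It can be uploaded with 'file tcpdump upload deployment_check.pcap'.
  * Indicates error
"""

# Constructed sample for the "Last Results Are Cleared" case.
SAMPLE_CLEARED = """\
Network deployment check status:
  Message: Please run 'deployment check network start'
"""

COUNTER_RE = re.compile(r"^(.+? count):\s*(\d+)\s*(\*?)$")
SIZE_RE = re.compile(r"^Captured data size \(bytes\):\s*(\d+)$")
PCAP_RE = re.compile(r"available in file (\S+)\.")


def parse_deployment_status(text):
    """Return status, timestamps, byte count, counters and the '*'-flagged names."""
    result = {"status": None, "in_progress": False, "cleared": False,
              "start": None, "end": None, "bytes": None,
              "counters": {}, "flagged": [], "pcap": None}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Latest deployment check is still running"):
            result["in_progress"] = True  # the rest describes the previous check
        elif line.startswith("Message: Please run"):
            result["cleared"] = True  # results were cleared; nothing to analyse
        elif line.startswith("Status:"):
            result["status"] = line.split(":", 1)[1].strip()
        elif line.startswith("Start time:"):
            result["start"] = line.split(":", 1)[1].strip()
        elif line.startswith("End time:"):
            result["end"] = line.split(":", 1)[1].strip()
        elif line.startswith("Message:"):
            m = PCAP_RE.search(line)
            result["pcap"] = m.group(1) if m else None
        else:
            m = SIZE_RE.match(line)
            if m:
                result["bytes"] = int(m.group(1))
                continue
            m = COUNTER_RE.match(line)
            if m:
                name, value, star = m.group(1), int(m.group(2)), m.group(3)
                result["counters"][name] = value
                if star:  # the appliance's own threshold marker
                    result["flagged"].append(name)
    return result


def summarize(text):
    """Condense a listing into a (verdict, detail) pair for a monitoring check."""
    r = parse_deployment_status(text)
    if r["cleared"]:
        return "no-results", "run 'deployment check network start' first"
    scope = "previous check: " if r["in_progress"] else ""
    if r["status"] == "failed":
        detail = ", ".join(f"{n}={r['counters'][n]}" for n in r["flagged"])
        return "failed", scope + (detail or "see 'Following errors were detected'")
    if r["status"] == "success":
        return "success", scope + f"{r['bytes']} bytes captured in {r['pcap']}"
    return "unknown", scope + "no Status line in output"
```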
show email Displays the current configuration for generating email alerts for system events.
Syntax show email [events]
User Role Administrator, Monitor, Operator, or Analyst
Release Information Command introduced before Release 7.6.0.
Parameters events
Lists events for which notification emails will be sent.
Example The following example shows the email configuration:
hostname # show email
Mail hub: mailhost
Mail hub port: 25
Domain override:
Return address: [email protected]
Include hostname in return address: yes
Current reply address: [email protected]
Security mode: tls
Min protocol version: tls1
Verify server cert: yes
Supplemental CA list: default-ca-list
SSL cipher list: fips
SMTP authentication: disabled
Dead letter settings:
  Save dead.letter files: yes
  Dead letter max age: 14 days
Email notification recipients:
  [email protected] (all events, summarized)
  [email protected] (all events, in detail)
  [email protected] (all events, in detail)
  [email protected] (all events, in detail)
  [email protected] (all events, in detail)
  [email protected] (informational events only, in detail)
Autosupport emails
  Enabled: yes
  Recipient: [email protected]
  Mail hub: owa.fireeye.com
  Security mode: tls
  Min protocol version: tls1
  Verify server cert: yes
  Supplemental CA list: default-ca-list
  SMTP authentication: disabled
show email-analysis Displays configuration information about email analysis.
Syntax show email-analysis
Parameters None
Example The following example shows the Email Analysis output.
hostname (config) # show email-analysis
Email-Analysis:
  enabled: yes
  mode: monitor
  interface: pether3
  TLS receive mode: none
  TLS default deliv. mode: none
  MTA certificate name: system-self-signed
  Password-protected objs: yes
  cipher list: compatible
  minimum protocol version: tls1
  Controlled-live-mode enabled: no
  URL dynamic analysis enabled: no
Email-Analysis Policy:
  Analyze URLs in body: yes
  Analyze attachments: yes
  Analyze email using YARA: yes
  Email YARA Weight Cap: 30
  Max Email Size (MB): 35
  Analysis Timeout (sec): 240
  Analyze image URLs: yes
  Advanced URL Defense: no
  Max URLs Analyzed/email: 5
  Max Att. Analyzed/email: 20
  Congestion Bypass Mode: yes
  Congestion Bypass Threshold: 2000
  Congestion Bypass Unprocessed Limit: 0
  Congestion Refuse-connnection Mode: yes
  Congestion High Threshold: 10000
  Congestion Low Threshold: 9000
  Enable X Header: no
  Use Header for To/From: yes
  Parse HTTPS URLs: no
  Invoke Email Feature Extractor: no
  Enable Notice (tap mode): yes
  Enable Notice (block mode): yes
  Block notice from: [email protected]
  Block notice subject: Malicious email detected
  Block Admin Recipient(s):
  Block BCC Recipient(s):
  TypoSquatting: yes
Email-Analysis Quarantine:
  size: 80
  cleanup enable: yes
  cleanup keep: 30
  high-water threshold: 90
  low-water threshold: 60
Domain(s):
  domain: mydomain3.com
    next hop mta: 172.17.74.400
    MX Enable: false
    TLS mode: none
  domain: mydomain4.com
    next hop mta: 172.16.244.100 weight: 40
    next hop mta: 172.16.244.200 weight: 20
    next hop mta: 172.16.244.300 weight: 20
    next hop mta: 172.16.244.400 weight: 20
    TLS mode: none
User Role Admin, Operator, Monitor, or Analyst
Command Mode Operation, Enable and Configuration
Release Information This command was released as follows:
- EX Series: Before Release 6.4
Related Commands For a list of related commands, see Email Analysis Commands on page 82.
show email-analysis all Displays summary information about all email identified as malware, including the URL, whether the analysis is complete, time submitted, run start time, end time, and so on. Use the cli session paging enable command on page 319 to enable paging before using this command.
Syntax show email-analysis all [limit number]
Parameters
limit
    Use the limit option to change the number of entries that are displayed.
number
    When using the limit option, this sets the number of entries to be displayed.
    - default: 5000
    - range: 1 : 4294967295
Example The following example shows the Email Analysis Output. hostname (config) # show email-analysis all
User Role Admin, Operator, Monitor, or Analyst
Command Mode Operation, Enable and Configuration
Release Information This command was released as follows:
- EX Series: Before Release 6.4
Related Commands For a list of related commands, see EX Series Commands on page 137.
show email-analysis allowed-list statistics Displays the statistics for the highest number of matches for each rule type on an allowed list.
Syntax show email-analysis allowed-list statistics [all]
Parameters all Use the all option to display all the statistics for all rules and the total number of matches for each rule on an allowed list.
Example The following example shows the Email Analysis allowed-list statistics output. hostname (config) # show email-analysis allowed-list statistics
User Role Admin, Operator, Monitor, or Analyst
Command Mode Operation, Enable and Configuration
Release Information This command was released as follows:
- EX Series: Before Release 6.4
Related Commands For a list of related commands, see Email Analysis Commands on page 82.
show email-analysis attachment Displays summary information about all email attachments, including the number of attachments submitted, total number of events, number of objects submitted for VM analysis, and so on.
Syntax show email-analysis attachment
Parameters None
Example The following example shows summary information about email attachments.
hostname (config) # show email-analysis all
Total Attachments Submitted : 10102
Objects Analyzed : 10102
Objects identified as Malicious : 6
  - VM verified : 6
  - Duplicate to VM verified : 0
  - Known checksum match : 0
Total events : 340
  vm-signature-match events : 6
  os-change-anomaly events : 216
  checksum-match events : 113
  vm-outbound-comm events : 5
Objects break down by system status, Total : 10102
  Submitted for VM analysis : 5204
  AE Submit Error : 1
  Submit Disabled : 4896
  Static Analysis Only : 1
User Role Admin, Operator, Monitor, or Analyst
Command Mode Operation, Enable and Configuration
Release Information This command was released as follows:
- EX Series: Before Release 6.4
Related Commands For a list of related commands, see EX Series Commands on page 137.
show email-analysis blocked-list statistics Displays the statistics for the highest number of matches for each rule type on a blocked list.
Syntax show email-analysis blocked-list statistics [all]
Parameters all Use the all option to display all the statistics for all rules and the total number of matches for each rule on a blocked list.
Example The following example shows the Email Analysis Output. hostname (config) # show email-analysis all
User Role Admin, Operator, Monitor, or Analyst
Command Mode Operation, Enable and Configuration
Release Information This command was released as follows:
- EX Series: Before Release 6.4
Related Commands For a list of related commands, see EX Series Commands on page 137.
show email-analysis done Displays summary information for completed analysis.
Syntax show email-analysis done
Parameters None
Example The following example provides a summary of the completed email analysis.
hostname (config) # show email-analysis done
WARNING: Output truncated due to limit constraints.
Malware ID 11706
  Analysis Type: sandbox
  URL: http://deedskbpssecthats.biz/closest/i9jfuhioejskveohnuojfir.php?pzmhyivq=wndeml&aia=iqnznkpu
  Analysis Timeout:
  Analysis Priority: normal
  Force: false
  Profile Name: '
  Profile ID:
  Application:
  Md5Sum: b8621f8b56fcdbbf6660c67eab479875
  State: done
  Status: disabled
  Submitted Time: 2016-12-01 07:35:47 UTC
  Run End Time: 2016-12-02 17:40:03 UTC
  IM: YES
  Number of Events: 1
  Children Malware ID(s)
  Parent Malware ID
Malware ID 11705
  Analysis Type: sandbox
  URL: http://alliedconclusion.org/traff.jar
  Analysis Timeout:
  Analysis Priority: normal
  Force: false
  Profile Name: '
  Profile ID:
  Application:
  Md5Sum: 895f1b91fdbe69a6d91177495da3b38d
  State: done
  Status: disabled
  Submitted Time: 2016-12-01 04:29:31 UTC
  Run End Time: 2016-12-02 17:30:02 UTC
  IM: YES
  Number of Events: 1
  Children Malware ID(s)
  Parent Malware ID
WARNING: Output truncated due to limit constraints.
User Role Admin, Operator, Monitor, or Analyst
Command Mode Operation, Enable and Configuration
Release Information This command was released as follows: EX Series: Before Release 6.4
Related Commands For a list of related commands, see EX Series Commands on page 137.
show email-analysis log Displays the email malware log messages. You can refine your query with the following options:
continuous: Displays new email log messages as they arrive.
files: Displays selected archived mail-log files.
Syntax show email-analysis log [continuous | files [main | all | fileNumber]] [matching regex | not matching regex]
Parameters continuous Show log entries as they are added to the logs.
files [main | all | fileNumber] When using the files parameter, the following variations can be used:
files: Lists the currently viewable email log files on the appliance.
files main: Searches the current log file.
files all: Searches the current and all archived log files.
files fileNumber: Searches the specified archived log file.
matching regex Show requested log entries that match the specified regular expression.
not matching regex Show requested log entries that do not match the specified regular expression.
Example The following example shows the current email analysis log file: hostname (config) # show email-analysis log
The following example shows the email analysis log entries as they are added to the log: hostname (config) # show email-analysis log continuous
The following example lists the names of the archived email analysis log files on the appliance: hostname (config) # show email-analysis log files
The following example shows the log entries within the archived log file 11: hostname (config) # show email-analysis log files 11
The following example shows the current email analysis log file entries that match the regular expression error: hostname (config) # show email-analysis log matching "error"
The following example shows the current email analysis log file entries that do not include the regular expression error: hostname (config) # show email-analysis log not matching "error"
User Role Admin, Operator, Monitor, or Analyst
Command Mode Operation, Enable and Configuration
Release Information This command was released as follows: EX Series: Before Release 6.4
Related Commands For a list of related commands, see EX Series Commands on page 137.
show email-analysis message-queue max-num Displays the last email messages added to the message-queue based on a specified maximum number. You can combine the parameters listed together to create as specific a query as desired.
Syntax show email-analysis message-queue {max-num number | queue {incoming | hold | active | deferred} | receiver-domain domain | receiver-email address | sender-domain domain | sender-email address}
Parameters max-num The maximum number of email messages to return. Range: 25 to 10,000.
queue The queue to return email messages from. The following queues are available:
incoming: Email messages that have been received but not yet processed.
hold
active: Email messages actively under analysis.
deferred: Email messages that have been deferred from processing.
receiver-domain The receiver's domain.
receiver-email The receiver's email address.
sender-domain The sender's domain.
sender-email The sender's email address.
Example The following example lists the last 50 email messages added to the email analysis queue. hostname (config) # show email-analysis message-queue max-num 50
The following example lists the last 50 email messages added to the email analysis queue that are currently in the active queue. hostname (config) # show email-analysis message-queue max-num 50 queue active
The following example lists email messages received from badguy@baddomain: hostname (config) # show email-analysis message-queue sender-email badguy@baddomain
User Role Admin, Operator, Monitor, or Analyst
Command Mode Operation, Enable and Configuration
Release Information This command was released as follows: EX Series: Before Release 6.4
Related Commands For a list of related commands, see EX Series Commands on page 137.
show email-analysis mta mynetworks Displays the MTA (Message Transfer Agent) access restriction IP addresses.
Syntax show email-analysis mta mynetworks
Parameters None
User Role Admin, Operator, Monitor, or Analyst
Command Mode Standard
Release Information This command was released as follows: EX Series: Before Release 6.4
Related Commands For a list of related commands, see EX Series Commands on page 137.
show email-analysis mta status Displays the status of the SMTP interface and the MTA process. Displays whether a Congestion Control threshold that automatically stops the SMTP interface is in effect.
Syntax show email-analysis mta status
Parameters None
Output Fields The following table describes the output fields for the show email-analysis mta status command.
Congestion Control in effect?
    The EX Series Congestion Control feature has a "Refuse Connection" threshold. When the threshold is reached, the feature automatically stops the SMTP interface. This field shows whether the SMTP interface is currently stopped for this reason. If the traffic falls below the threshold during maintenance activity, the SMTP interface automatically starts again. To prevent this, use email-analysis mta smtp stop on page 515 to stop the interface manually. (For information about the Congestion Control feature, see the EX Series User Guide.)
SMTP Interface Disabled
    Whether the SMTP interface is currently disabled. The value is yes if the Congestion Control in effect? value is yes or if you manually stopped the interface.
MTA Process Status
    Whether the MTA process is running or stopped.
Examples The following example shows that the SMTP interface is enabled and that the MTA process is running.
hostname > show email-analysis mta status
Congestion Control in effect? no
SMTP Interface Disabled: no
MTA Process Status: running
The following example shows that the SMTP interface is enabled and that the MTA process is stopped.
hostname > show email-analysis mta status
Congestion Control in effect? no
SMTP Interface Disabled: no
MTA Process Status: stopped
The following example shows that the SMTP interface is disabled and that the MTA process is running. Because Congestion Control is not in effect, the interface was stopped manually and will not restart on its own.
hostname > show email-analysis mta status
Congestion Control in effect? no
SMTP Interface Disabled: yes
MTA Process Status: running
User Role Admin, Operator, Monitor, or Analyst
Command Mode Standard
Release Information This command was released as follows: EX Series: Release 7.8.0
Related Commands For a list of related commands, see EX Series Commands on page 137.
show email-analysis pass-extract ignorewords Displays the ignored words for password candidate extraction.
Syntax show email-analysis pass-extract ignorewords
Parameters None
Output Fields The following table describes the output fields for the show email-analysis pass-extract ignorewords command. Fields are listed in the approximate order in which they appear in the output.
word
    Ignored word that you added to the ignored word candidate list.
hit count
    Number of matches for each defined ignored word.
creation time
    Time that the ignored word was created.
Example The following example displays the ignored word configuration for password extraction:
hostname # show email-analysis pass-extract ignorewords
word    hit count    creation time
test    0            Tue May 24 00:22:47 2016
fe      0            Fri Mar 18 21:48:00 2016
User Role Administrator, Analyst, Operator, or Monitor
Command Mode Enable
Release Information This command was introduced as follows: EX Series: Release 7.8
Related Commands For a list of related commands, see Email Analysis Password Extraction Command Family on page 85.
show email-analysis pass-extract keywords Displays the keywords for password candidate extraction.
Syntax show email-analysis pass-extract keywords
Parameters None
Output Fields The following table describes the output fields for the show email-analysis pass-extract keywords command. Fields are listed in the approximate order in which they appear in the output.
word
    Keyword that you added to the keyword candidate list.
hit count
    Number of matches for each defined keyword.
creation time
    Time that the keyword was created.
Example The following example displays the keyword configuration for password extraction:
hostname # show email-analysis pass-extract keywords
word            hit count    creation time
fireeyetest3    0            Tue May 24 00:22:47 2016
fireeyetest1    0            Fri Mar 18 21:48:00 2016
fire            0            Tue May 24 18:38:44 2016
User Role Administrator, Analyst, Operator, or Monitor
Command Mode Enable
Release Information This command was introduced as follows: EX Series: Release 7.6. Command output was enhanced to include the keyword and the highest number of matches for each defined keyword in Release 7.8.0.
Related Commands For a list of related commands, see Email Analysis Password Extraction Command Family on page 85.
show email-analysis pass-extract passwords Displays the passwords for password candidate extraction.
Syntax show email-analysis pass-extract passwords
Parameters None
Output Fields The following table describes the output fields for the show email-analysis pass-extract passwords command. Fields are listed in the approximate order in which they appear in the output.
word
    Password that you added to the password candidate list.
hit count
    Number of matches for each defined password.
creation time
    Time that the password was created.
Example The following example displays the password configuration for password extraction:
hostname # show email-analysis pass-extract passwords
word            hit count    creation time
fireeyetest3    0            Tue May 24 00:22:47 2016
fireeyetest1    0            Fri Mar 18 21:48:00 2016
admin123        0            Tue May 24 18:38:44 2016
User Role Administrator, Analyst, Operator, or Monitor
Command Mode Enable
Release Information This command was introduced as follows: EX Series: Release 7.6. Command output was enhanced to include the password and the highest number of matches for each defined password in Release 7.8.0.
Related Commands For a list of related commands, see Email Analysis Password Extraction Command Family on page 85.
show email-analysis policy Displays detailed information about all the policy settings for email malware analysis.
Syntax show email-analysis policy [message-tracking]
Parameters message-tracking
Displays the maximum number of days that email messages are retained.
Output Fields The following table describes the output fields for the show email-analysis policy command. Fields are listed in the approximate order in which they appear in the output.
Analyze URLs in body
    Status for analyzing URLs that are embedded in an email message body.
Analyze attachments
    Status for analyzing all email attachments.
Analyze email using YARA
    Status for email YARA analysis.
Email YARA Weight Cap
    The weights of the matched YARA rules are totaled to determine an overall score for the sample; this value caps that total.
Max Email Size (MB)
    Maximum size (MB) of an email that is submitted for analysis.
Analysis Timeout (sec)
    Number of seconds after which the malware analysis stops if the analysis is not complete.
Analyze image URLs
    Status for the option to submit a URL image for analysis.
Advanced URL Defense
    Status for Advanced URL Defense. The option to parse HTTP links is automatically enabled when Advanced URL Defense is enabled.
Max URLs Analyzed/email
    Maximum number of URLs that are analyzed per email.
Max Att. Analyzed/email
    Maximum number of attachments that are analyzed per email.
Congestion Bypass Mode
    Status for congestion bypass mode.
Congestion Bypass Threshold
    Number of objects in the attachments queue. When the threshold is exceeded, new incoming emails are accepted but are delivered without being analyzed. Compare with the Total Emails Bypassed counter in show email-analysis statistics to see whether this has happened.
Congestion Refuse-connection Mode
    Status for refuse-connection congestion mode.
Congestion High Threshold
    Number of emails in the email queue. When the threshold is exceeded, the SMTP interface is disabled and all new incoming SMTP connections are refused.
Congestion Low Threshold
    Number of emails in the email queue. When the number falls below the threshold, the SMTP interface is re-enabled and new incoming SMTP connections are accepted again.
Enable X Header
    Status for the X-Header option. When deployed in block mode or monitor mode, the appliance adds X-Headers that describe the analysis and detection results of the Multivector Virtual Execution (MVX) engine.
Use Header for To/From
    Status for the Header Envelope feature. When the Header Envelope feature is enabled, the original To: and From: email header information is displayed in the eAlerts and eQuarantine pages of the EX Series Web UI.
Parse HTTPS URLs
    Status for the option to parse HTTP links.
Invoke Email Feature Extractor
    Status of the pre-processor for email feature extraction.
Enable Notice (block mode)
    Whether a block notification message is sent to the list of recipients when the EX Series appliance is deployed in block mode.
Block notice from
    The From header of a block notification message.
Block notice subject
    The Subject header of a block notification message.
Block Admin Recipient(s)
    Administrators added to the list of recipients of the block notification message.
Block BCC Recipient(s)
    Bcc recipients added to the list of recipients of the block notification message.
TypoSquatting
    Status of typosquatting detection, which allows the appliance to analyze suspicious sender domains and the domains used in URLs within an email message body.
Monitoring Enabled
    Status for the monitor policy setting.
Monitoring Interval (min)
    Monitor alert interval period in minutes.
Monitoring Bypass Threshold
    Monitor alert bypass threshold limit.
Monitoring Deferred Threshold
    Monitor alert threshold limit for the deferred queue.
Monitoring Backoff (sec)
    Monitor alert backoff period in seconds.
Signature Image Analysis
    Status for the option to submit an image attachment for analysis.
Examples The following example displays all the policy settings for email malware analysis:
hostname # show email-analysis policy
Email-Analysis Policy:
Analyze URLs in body: yes
Analyze attachments: yes
Analyze email using YARA: yes
Email YARA Weight Cap: 30
Max Email Size (MB): 35
Analysis Timeout (sec): 240
Analyze image URLs: yes
Advanced URL Defense: yes
Max URLs Analyzed/email: 100
Max Att. Analyzed/email: 20
Congestion Bypass Mode: yes
Congestion Bypass Threshold: 3000
Congestion Refuse-connection Mode: yes
Congestion High Threshold: 10000
Congestion Low Threshold: 9000
Enable X Header: no
Use Header for To/From: no
Parse HTTPS URLs: yes
Invoke Email Feature Extractor: yes
Enable Notice (block mode): no
Block notice from: [email protected]
Block notice subject: Malicious email detected
Block Admin Recipient(s): [email protected]
Block BCC Recipient(s): [email protected]
TypoSquatting: yes
Monitoring Enabled: no
Monitoring Interval (min): 15
Monitoring Bypass Threshold: 1
Monitoring Deferred Threshold: 100
Monitoring Backoff (sec): 3600
Signature Image Analysis: yes
The following example shows that message-tracking data is retained for 5 days:
hostname # show email-analysis policy message-tracking
Number of days of message-tracking data retained: 5
User Role Administrator, Analyst, Operator, or Monitor
Command Mode Enable
Release Information This command was introduced as follows: EX Series: Before Release 7.5. The message-tracking parameter was added in Release 7.6. Command output was enhanced to include the TypoSquatting setting in Release 7.8.0.
Related Commands For a list of related commands, see EX Series Commands on page 137.
show email-analysis queued Displays the queued email messages.
Syntax show email-analysis queued
Parameters None
Example The following example shows the queued email messages: hostname (config) # show email-analysis queued
User Role Admin, Operator, Monitor, or Analyst
Command Mode Operation, Enable and Configuration
Release Information This command was released as follows: EX Series: Before Release 6.4
Related Commands For a list of related commands, see EX Series Commands on page 137.
show email-analysis running Displays the email messages currently under analysis.
Syntax show email-analysis running
Parameters None
Example The following example shows the email messages currently under analysis: hostname (config) # show email-analysis running
User Role Admin, Operator, Monitor, or Analyst
Command Mode Operation, Enable and Configuration
Release Information This command was released as follows: EX Series: Before Release 6.4
Related Commands For a list of related commands, see Email Analysis Commands on page 82.
show email-analysis statistics Displays the cumulative statistics associated with email analysis.
Syntax show email-analysis statistics
Parameters None
Example The following example displays the email analysis statistics. Two counters deserve a routine check: Total Emails Bypassed counts mail that was delivered without analysis under Congestion Bypass Mode, and Total Received Emails Analyzed should track Total Emails Received.
hostname (config) # show email-analysis statistics
Email-Analysis Statistics:
Total Emails Received: 44090
Total Emails Bypassed: 0
Total Number of bypasses: 0
Total Emails Received with Attachments: 4354
Total Emails Received with URLs: 43644
Total Received Emails Analyzed: 44090
Total Emails Received with Malicious Contents: 38
Total Attachments Received: 4354
Total Attachments Analyzed: 4354
Total Attachments Considered Malicious: 2
Total URLs Received: 218220
Total URLs Analyzed: 218220
Total URLs Considered Malicious: 36
Total URLs Suspicious due to Adv URL Defense: 0
Total URLs Blacklisted due to Phishing: 0
Total URLs Whitelisted due to Phishing: 0
Total URLs Whitelisted due to Adv URL Defense: 0
Total Emails blocked by YARA Analysis: 0
Total Emails not scanned due to allowed-list: 0
Total Emails blocked due to blocked-list: 0
Total Signature Images not Analyzed: 0
Total URLs Extracted From PDF Files Analyzed: 101
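The mta status fields, the congestion settings in show email-analysis policy and the counters above are the pieces an operator combines to answer one question: is mail being scanned right now, and was any of it delivered unscanned? The following is an added example, not FireEye code, of a script that parses the three outputs (as captured from an SSH session) and turns them into findings. The embedded samples are the page's own example output reflowed one field per line (the MTA sample is the third mta status example above); the field names come from the page, while the key/value line grammar, the state names and the choice of checks are this example's own assumptions.

```python
"""Added example, not FireEye code: sanity checks over the key/value text that
the EX Series CLI prints for 'show email-analysis mta status',
'show email-analysis policy' and 'show email-analysis statistics'.

The samples are the page's own example output, reflowed one field per line.
Field names come from the page; the line grammar, state names and checks
are this example's assumptions.
"""
import re
from typing import Dict, List

MTA_STATUS = """\
Congestion Control in effect? no
SMTP Interface Disabled: yes
MTA Process Status: running
"""

POLICY = """\
Email-Analysis Policy:
Analyze URLs in body: yes
Analyze attachments: yes
Congestion Bypass Mode: yes
Congestion Bypass Threshold: 3000
Congestion Refuse-connection Mode: yes
Congestion High Threshold: 10000
Congestion Low Threshold: 9000
Enable X Header: no
Monitoring Enabled : no
"""

STATISTICS = """\
Email-Analysis Statistics:
Total Emails Received: 44090
Total Emails Bypassed: 0
Total Number of bypasses: 0
Total Received Emails Analyzed: 44090
Total Emails Received with Malicious Contents: 38
"""

# 'Key: value' or 'Key? value'; the key ends at the first ':' or '?' so a
# value such as 'Http Proxy: 10.10.10.5:8080' keeps its own colon.
_LINE = re.compile(r"^\s*(?P<key>[^:?]+?)\s*[:?]\s*(?P<val>.*?)\s*$")


def parse_kv(text: str) -> Dict[str, str]:
    """Parse CLI output into a dict; banner lines with no value are dropped."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m and m.group("val"):
            fields[m.group("key")] = m.group("val")
    return fields


def mta_state(status: Dict[str, str]) -> str:
    """Collapse the three mta status fields into one operator-facing state."""
    if status.get("MTA Process Status") != "running":
        return "mta-stopped"
    disabled = status.get("SMTP Interface Disabled", "").lower() == "yes"
    congested = status.get("Congestion Control in effect", "").lower() == "yes"
    if disabled and congested:
        return "smtp-stopped-by-congestion"  # restarts by itself when traffic drops
    if disabled:
        return "smtp-stopped-manually"       # someone ran 'email-analysis mta smtp stop'
    return "accepting-mail"


def _num(fields: Dict[str, str], key: str) -> int:
    return int(fields[key].replace(",", ""))


def audit(policy: Dict[str, str], stats: Dict[str, str], mta: Dict[str, str]) -> List[str]:
    """Return the findings an operator should act on, in a stable order."""
    findings: List[str] = []
    state = mta_state(mta)
    if state != "accepting-mail":
        findings.append(f"mta: {state}")
    # Bypass mode trades analysis for availability: past the attachments-queue
    # threshold, new mail is delivered unscanned and only counted.
    if policy.get("Congestion Bypass Mode") == "yes":
        bypassed = _num(stats, "Total Emails Bypassed")
        if bypassed:
            findings.append(f"bypass: {bypassed} emails were delivered without analysis")
    unanalyzed = _num(stats, "Total Emails Received") - _num(stats, "Total Received Emails Analyzed")
    if unanalyzed > 0:
        findings.append(f"coverage: {unanalyzed} received emails were not analyzed")
    if _num(policy, "Congestion Low Threshold") >= _num(policy, "Congestion High Threshold"):
        findings.append("thresholds: low threshold must be below high threshold")
    if policy.get("Enable X Header") != "yes":
        findings.append("x-header: downstream MTAs receive no MVX verdict headers")
    return findings


def run_audit() -> List[str]:
    """Audit the embedded samples; yields two findings for the page's values."""
    return audit(parse_kv(POLICY), parse_kv(STATISTICS), parse_kv(MTA_STATUS))


if __name__ == "__main__":
    for finding in run_audit():
        print(finding)
```

With the page's values the audit reports only that the SMTP interface was stopped by hand and that X-Headers are off; feed it fresh captures from a cron job and page on any "bypass:" or "coverage:" finding, since both mean mail reached users without MVX analysis.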
User Role Admin, Operator, Monitor, or Analyst
Command Mode Operation, Enable and Configuration
Release Information This command was released as follows: EX Series: Before Release 6.4
Related Commands For a list of related commands, see Email Analysis Commands on page 82.
show email-analysis url Displays the number of URLs submitted, analyzed, identified as malicious, and so on. This command displays cumulative statistics such as the total number of URLs that were submitted for analysis, total number of URLs that were detected as malicious, and total number of events that were detected. It also shows the total number of URLs with each system status type.
Syntax show email-analysis url
Parameters None
Output Fields The following table describes the output fields for the show email-analysis url command. Fields are listed in the approximate order in which they appear in the output.
Total URLs Submitted
    Total number of URLs submitted for analysis.
Objects Analyzed
    Total number of URLs that have been analyzed.
Objects identified as Malicious
    Total number of URLs that were detected as malicious.
Total events
    Total number of events that were detected.
Objects break down by system status
    Total number of URLs with each system status type. This field also displays the number of URLs that were submitted to the virtual machine for dynamic analysis.
Example The following example displays information about email URLs:
hostname # show email-analysis url
Total URLs Submitted : 12042
Objects Analyzed : 12042
Objects identified as Malicious : 494
  - VM verified : 494
  - Duplicate to VM verified : 0
  - Known checksum match : 0
Total events : 494
  checksum-match events : 494
Objects break down by system status, Total : 12042
  Submitted for VM analysis : 494
  Submit Disabled : 11548
User Role Administrator, Analyst, Operator, or Monitor
Command Mode Enable
Release Information This command was introduced as follows: EX Series: Before Release 7.5
Related Commands For a list of related commands, see Analysis Commands on page 57 and Email Analysis Commands on page 82.
show email-analysis url-dynamic-analysis Displays the configuration of the pether2 interface and the optional HTTP proxy server settings used to access the Internet. If URL Dynamic Analysis is enabled, the appliance uses pether2 to retrieve remote objects in a controlled live analysis mode. This command also shows how long the appliance waits for a download to start and to complete before it times out and gives up submitting the object to the virtual machine for further analysis. URL Dynamic Analysis is disabled by default. Do not enable URL Dynamic Analysis until you have validated end-to-end connectivity between pether2 and the Internet. Because the URLs pether2 fetches come from inbound mail, the hosts it contacts are chosen by the sender; give this interface its own egress path with no route to internal networks.
Syntax show email-analysis url-dynamic-analysis
Parameters None
Output Fields The following table describes the output fields for the show email-analysis url-dynamic-analysis command. Fields are listed in the approximate order in which they appear in the output.
Feature Enabled
    Status for URL Dynamic Analysis.
Default Gateway
    IPv4 address of the default gateway that the pether2 interface uses to reach the Internet.
External IP
    External IPv4 address and subnet mask of the pether2 interface.
Name Server
    IPv4 address of the Domain Name System (DNS) name server used for the pether2 interface.
Http Proxy
    IPv4 address and port number of the node acting as the HTTP proxy server for the pether2 interface.
Http Proxy Authentication
    Credentials used to authenticate to the HTTP proxy server.
Download Complete Timeout (sec)
    Number of seconds allowed for the download of the object from the referenced URL to complete.
Download Response Timeout (sec)
    Number of seconds the appliance waits for the remote server to respond to the download request.
Download Disable Timeout (sec)
    Number of seconds after which the appliance stops downloading the object from the referenced URL.
Example The following example displays the status for URL Dynamic Analysis, the configuration of the pether2 interface, the optional proxy server settings, and the timeouts:
hostname # show email-analysis url-dynamic-analysis
Email-Analysis url dynamic analysis configuration:
Feature Enabled: yes
Default Gateway: 172.16.1.1
External IP: 172.16.0.0/12
Internal IP: 169.254.100.1/24
Name Server: 172.16.2.1
Http Proxy: 10.10.10.5:8080
Http Proxy Authentication: admin/********
Download Complete Timeout (sec): 120
Download Response Timeout (sec): 30
Download Disable Time (sec): 1500
User Role Administrator, Analyst, Operator, or Monitor
Command Mode Enable
Release Information This command was introduced as follows: EX Series: Before Release 7.5. Command output was enhanced to include the authentication settings for the HTTP proxy server in Release 7.8.0.
Related Commands For a list of related commands, see Analysis Commands on page 57and Email Analysis Commands on page 82.
show email-analysis yara-statistics Displays the number of objects that have been analyzed by YARA rules.
Syntax show email-analysis yara-statistics
Parameters None
Example The following example shows the number of objects analyzed by YARA rules:
hostname (config) # show email-analysis yara-statistics
Total Email Headers Analyzed : 23534
Objects identified as Malicious : 26
  - VM verified : 24
  - Duplicate to VM verified : 2
  - Known checksum match : 6
Total events : 44
Objects break down by system status, Total : 46
User Role Admin, Operator, Monitor, or Analyst
Command Mode Operation, Enable and Configuration
Release Information This command was released as follows: EX Series: Before Release 6.4
Related Commands For a list of related commands, see Email Analysis Commands on page 82.
show email-analysis adv-url-defense configuration Displays configuration information about the Advanced URL Defense feature.
Syntax show email-analysis adv-url-defense configuration
Parameters None
Output Fields The following table describes the output fields for the show email-analysis adv-url-defense configuration command. For detailed information, see the EX Series User Guide.
Feature Enabled
    Whether the Advanced URL Defense feature is enabled on the EX Series appliance. The feature is disabled by default.
URL Re-writing Enabled
    Whether the URL rewriting feature is enabled. FireEye recommends that you enable this feature when Advanced URL Defense is enabled. The URL rewriting feature enables an appliance deployed in block mode to rewrite one or more URLs within a message. URLs are rewritten only if they are detected as new or are in the process of being analyzed by the FireEye Advanced URL Detection Engine (FAUDE). The appliance prepends protect2.fireeye.com (in Release 7.8.0 or later) or protect.fireeye.com (in Release 7.6.x) to the rewritten URL. If the URL is detected as malicious or suspicious, the appliance redirects the user to another page, and blocks the URL if it is malicious.
DTI FAUDE Cache Whitelist Period
    The number of hours to store nonmalicious URLs in the cache. By default, nonmalicious URLs are automatically deleted after 24 hours.
DTI FAUDE Cache Blacklist Period
    The number of hours to store malicious URLs in the cache. By default, malicious URLs are automatically deleted from the cache after one hour. With the defaults, a nonmalicious verdict is therefore retained far longer than a malicious one.
DTI FAUDE Score Threshold
    A value from 0 to 100. The default is 99. If a URL's score is greater than or equal to this threshold, it is treated as malicious. If the threshold is 0, the check is disabled.
DTI FAUDE Version
    The FAUDE protocol version.
Example The following example shows the Advanced URL Defense configuration.
hostname # show email-analysis adv-url-defense configuration
Email-Analysis Advanced URL Defense Configuration:
Feature Enabled: yes
URL Re-writing Enabled: yes
DTI FAUDE Cache Whitelist Period (hours): 24
DTI FAUDE Cache Blacklist Period (hours): 1
DTI FAUDE Score Threshold: 99
DTI FAUDE Version: 2.0
User Role Admin, Operator, Monitor, or Analyst
Command Mode Standard
Release Information This command was released as follows: EX Series: Release 7.6.0. The DTI FAUDE Version output field was added in Release 7.8.0.
Related Commands For a list of related commands, see EX Series Commands on page 137.
show email-analysis adv-url-defense statistics Displays statistics for the total number of URLs that have been sent to the DTI Cloud for analysis.
Syntax show email-analysis adv-url-defense statistics
Parameters None
Output Fields The following table describes the output fields for the show email-analysis adv-url-defense statistics command. For detailed information, see the EX Series User Guide.
Total URLs Submitted
    Total number of URLs submitted for analysis.
Total URLs FAUDE status new
    Total number of URLs detected as new, that is, not seen before by the FireEye Advanced URL Defense Detection Engine (FAUDE).
Total URLs FAUDE status analyzing
    Total number of URLs that have been seen by FAUDE and that are being analyzed. This is a cumulative count, not the current number of URLs in the queue, and it is not reduced when analysis of a URL completes.
Total URLs FAUDE status clean
    Total number of URLs with a known nonmalicious verdict from FAUDE.
Total URLs FAUDE status malicious
    Total number of URLs with a known malicious verdict from FAUDE.
Total URLs FAUDE status suspicious
    Total number of URLs detected as suspicious (such as spam) by FAUDE.
Total URLs FAUDE status other
    Total number of URLs whose status lookup returned an error.
Total URLs Rewritten
    Total number of URLs that were rewritten because they had not been detected before.
Example The following example shows the statistics for URLs that have been sent to the DTI Cloud for analysis. Because the status counters are cumulative and a URL passes through several statuses, they need not add up to Total URLs Submitted (here 311 + 0 + 248 + 2 + 4 + 6 = 571 against 567 submitted).
hostname # show email-analysis adv-url-defense statistics
Email-Analysis Advanced URL Defense Statistics:
Total URLs Submitted: 567
Total URLs FAUDE status new: 311
Total URLs FAUDE status analyzing: 0
Total URLs FAUDE status clean: 248
Total URLs FAUDE status malicious: 2
Total URLs FAUDE status suspicious: 4
Total URLs FAUDE status other: 6
Total URLs Rewritten: 311
User Role Admin, Operator, Monitor, or Analyst
Command Mode Standard
Release Information This command was released as follows: EX Series: Release 7.6.0.
Related Commands For a list of related commands, see EX Series Commands on page 137.
1494
© 2016 FireEye
Release 7.9
show email-analysis mta status
show email-analysis mta status Displays the status of the SMTP interface and the MTA process. Displays whether a Congestion Control threshold that automatically stops the SMTP interface is in effect.
Syntax show email-analysis mta status
Parameters None
Output Fields The following table describes the output fields for the show email-analysis mta status command. Field
Description
Congestion The EX Series Congestion Control feature has a "Refuse Connection" Control in threshold. When the threshold is reached, the feature automatically stops effect? the SMTP interface. This field shows whether the SMTP interface is already stopped for this reason. If the traffic falls below the threshold during the maintenance activity, the SMTP interface will automatically start again. To prevent this, use email-analysis mta smtp stop on page 515 to manually stop the interface. (For information about the Congestion Control feature, see the EX Series User Guide.) Interface Disabled
Whether the SMTP interface is currently disabled. The value is yes if the Congestion Control in effect? value is yes or if you manually stopped the interface.
MTA Process Status
Whether the MTA process is running or stopped.
Examples The following example shows that the SMTP interface is enabled and that the MTA process is running. hostname > show email-analysis mta status Congestion Control in effect? no SMTP Interface Disabled: no MTA Process Status: running
© 2016 FireEye
1495
CLI Reference Guide
PART III: Commands
The following example shows that the SMTP interface is enabled and that the MTA process is stopped.

  hostname > show email-analysis mta status
  Congestion Control in effect? no
  SMTP Interface Disabled: no
  MTA Process Status: stopped

The following example shows that the SMTP interface is disabled and that the MTA process is running.

  hostname > show email-analysis mta status
  Congestion Control in effect? no
  SMTP Interface Disabled: yes
  MTA Process Status: running

User Role
  Admin, Operator, Monitor, or Analyst

Command Mode
  Standard

Release Information
This command was released as follows:
  • EX Series: Release 7.8.0

Related Commands
For a list of related commands, see EX Series Commands on page 137.
show email-analysis url-dynamic-analysis
Displays the configuration of the pether2 interface and the optional HTTP proxy server settings used to access the Internet. If URL Dynamic Analysis is enabled, the appliance uses pether2 to retrieve remote objects in a controlled live analysis mode. This command also shows how long the appliance waits to download the object, or to respond to a download and submit it to the virtual machine for further analysis, before a timeout occurs. URL Dynamic Analysis is disabled by default. Do not enable URL Dynamic Analysis until you have validated end-to-end connectivity between pether2 and the Internet.

Syntax
  show email-analysis url-dynamic-analysis

Parameters
  None
Output Fields
The following table describes the output fields for the show email-analysis url-dynamic-analysis command. Fields are listed in the approximate order in which they appear in the output.

  Feature Enabled
    Status for URL Dynamic Analysis.
  Default Gateway
    IPv4 address of the default gateway node that the pether2 interface uses to access the Internet. This node serves as the Internet access point for the pether2 interface.
  External IP
    External IPv4 address and subnet mask of the pether2 interface.
  Name Server
    IPv4 address of the Domain Name System (DNS) name server used for the pether2 interface.
  Http Proxy
    IPv4 address and port number of the node acting as the HTTP proxy server for the pether2 interface.
  Http Proxy Authentication
    Credentials used to authenticate the user and permit access to the HTTP proxy server.
  Download Complete Timeout (sec)
    Number of seconds after which the appliance completes downloading the object from the referenced URL.
  Download Response Timeout (sec)
    Number of seconds after which the appliance responds to downloading the object from the referenced URL.
  Download Disable Timeout (sec)
    Number of seconds after which the appliance stops downloading the object from the referenced URL.
Example
The following example displays the status for URL Dynamic Analysis, the configuration of the pether2 interface, the optional proxy server settings, and the amount of time to wait before a timeout occurs:

  hostname # show email-analysis url-dynamic-analysis
  Email-Analysis url dynamic analysis configuration:
    Feature Enabled: yes
    Default Gateway: 172.16.1.1
    External IP: 172.16.0.0/12
    Internal IP: 169.254.100.1/24
    Name Server: 172.16.2.1
    Http Proxy: 10.10.10.5:8080
    Http Proxy Authentication: admin/********
    Download Complete Timeout (sec): 120
    Download Response Timeout (sec): 30
    Download Disable Time (sec): 1500
User Role
  Administrator, Analyst, Operator, or Monitor

Command Mode
  Enable

Release Information
This command was introduced as follows:
  • EX Series: Before Release 7.5. Command output was enhanced to include the authentication settings for the HTTP proxy server in Release 7.8.0.
Related Commands
For a list of related commands, see Analysis Commands on page 57 and Email Analysis Commands on page 82.
show email-analysis url
Displays the number of URLs submitted, analyzed, identified as malicious, and so on. This command displays cumulative statistics such as the total number of URLs that were submitted for analysis, the total number of URLs that were detected as malicious, and the total number of events that were detected. It also shows the total number of URLs with each system status type.

Syntax
  show email-analysis url

Parameters
  None
Output Fields
The following table describes the output fields for the show email-analysis url command. Fields are listed in the approximate order in which they appear in the output.

  Total URLs Submitted
    Total number of URLs submitted for analysis.
  Objects Analyzed
    Total number of URLs that have been analyzed.
  Objects identified as Malicious
    Total number of URLs that were detected as malicious.
  Total events
    Total number of events that were detected.
  Objects break down by system status
    Total number of URLs with each system status type. This field also displays the number of URLs that were submitted to the virtual machine for dynamic analysis.
Example
The following example displays information about email URLs:

  hostname # show email-analysis url
  Total URLs Submitted                        : 12042
  Objects Analyzed                            : 12042
  Objects identified as Malicious             : 494
      - VM verified                           : 494
      - Duplicate to VM verified              : 0
      - Known checksum match                  : 0
  Total events                                : 494
      checksum-match events                   : 494
  Objects break down by system status, Total  : 12042
      Submitted for VM analysis               : 494
      Submit Disabled                         : 11548
User Role
  Administrator, Analyst, Operator, or Monitor

Command Mode
  Enable

Release Information
This command was introduced as follows:
  • EX Series: Before Release 7.5

Related Commands
For a list of related commands, see Analysis Commands on page 57.
show email-analysis policy
Displays detailed information about all policy settings for email malware analysis.

Syntax
  show email-analysis policy [message-tracking]

Parameters
  message-tracking
    Displays the maximum number of days that email messages are retained.
Output Fields
The following table describes the output fields for the show email-analysis policy command. Fields are listed in the approximate order in which they appear in the output.

  Analyze URLs in body
    Status for analyzing URLs that are embedded in an email message body.
  Analyze attachments
    Status for analyzing all email attachments.
  Analyze email using YARA
    Status for email YARA analysis.
  Email YARA Weight Cap
    The weights of the matched rules are totaled to determine an overall score for the sample.
  Max Email Size (MB)
    Maximum size (MB) limit for an email to be submitted for analysis.
  Analysis Timeout (sec)
    Number of seconds after which the malware analysis stops if the analysis is not complete.
  Analyze image URLs
    Status for the option to submit a URL image for analysis.
  Advanced URL Defense
    Status for Advanced URL Defense. The option to parse HTTP links is automatically enabled when Advanced URL Defense is enabled.
  Max URLs Analyzed/email
    Maximum number of URLs that are analyzed per email.
  Max Att. Analyzed/email
    Maximum number of attachments that are analyzed per email.
  Congestion Bypass Mode
    Status for bypass congestion mode.
  Congestion Bypass Threshold
    Number of objects in the attachments queue. When the threshold is exceeded, new incoming emails are accepted but are delivered without being analyzed.
  Congestion Refuse-connection Mode
    Status for refuse-connection mode.
  Congestion High Threshold
    Number of emails in the email queue. When the threshold is exceeded, the SMTP interface is disabled and all new incoming SMTP connections are refused.
  Congestion Low Threshold
    Number of emails in the email queue. When the number falls below the threshold, the SMTP interface is re-enabled and all new incoming SMTP connections are accepted.
  Enable X Header
    Status for the X-Header option. When deployed in block mode or monitor mode, the appliance adds X-Headers that describe the analysis and detection results from the Multivector Virtual Execution (MVX) engine.
  Use Header for To/From
    Status for the Header Envelope feature. When the Header Envelope feature is enabled, the original To: and From: email header information is displayed on the eAlerts and eQuarantine pages of the EX Series Web UI.
  Parse HTTPS URLs
    Status for the option to parse HTTP links.
  Invoke Email Feature Extractor
    Status of the pre-processor for email feature extraction.
  Enable Notice (block mode)
    Whether a block notification message is sent to the list of recipients when the EX Series appliance is deployed in block mode.
  Block notice from
    The From email address header of a block notification message.
  Block notice subject
    The Subject header of a block notification message.
  Block Admin Recipient(s)
    Administrator addresses added to the list of recipients of the block notification message.
  Block BCC Recipient(s)
    Bcc addresses added to the list of recipients of the block notification message.
  TypoSquatting
    Status of typosquatting detection, which lets the appliance analyze suspicious sender domains and the domains of URLs within an email message body.
  Monitoring Enabled
    Status for the monitor policy setting.
  Monitoring Interval (min)
    Monitor alert interval period in minutes.
  Monitoring Bypass Threshold
    Monitor alert bypass threshold limit.
  Monitoring Deferred Threshold
    Monitor alert threshold limit in the deferred queue.
  Monitoring Backoff (sec)
    Monitor alert backoff period in seconds.
  Signature Image Analysis
    Status for the option to submit an image attachment for analysis.
Examples
The following example displays all policy settings for email malware analysis:

  hostname # show email-analysis policy
  Email-Analysis Policy:
    Analyze URLs in body:                 yes
    Analyze attachments:                  yes
    Analyze email using YARA:             yes
    Email YARA Weight Cap:                30
    Max Email Size (MB):                  35
    Analysis Timeout (sec):               240
    Analyze image URLs:                   yes
    Advanced URL Defense:                 yes
    Max URLs Analyzed/email:              100
    Max Att. Analyzed/email:              20
    Congestion Bypass Mode:               yes
    Congestion Bypass Threshold:          3000
    Congestion Refuse-connnection Mode:   yes
    Congestion High Threshold:            10000
    Congestion Low Threshold:             9000
    Enable X Header:                      no
    Use Header for To/From:               no
    Parse HTTPS URLs:                     yes
    Invoke Email Feature Extractor:       yes
    Enable Notice (block mode):           no
    Block notice from:                    [email protected]
    Block notice subject:                 Malicious email detected
    Block Admin Recipient(s):             [email protected]
    Block BCC Recipient(s):               [email protected]
    TypoSquatting:                        yes
    Monitoring Enabled :                  no
    Monitoring Interval (min):            15
    Monitoring Bypass Threshold:          1
    Monitoring Deferred Threshold:        100
    Monitoring Backoff (sec):             3600
    Signature Image Analysis:             yes

The following example shows that message-tracking data is retained for 5 days:

  hostname # show email-analysis policy message-tracking
  Numbers of days of messages-tracking data retained: 5
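The congestion settings above decide when mail is delivered unanalyzed (Bypass Threshold) and when the SMTP interface is disabled and re-enabled (High/Low Thresholds), so a policy dump is worth auditing after every change. The following is an added example, not FireEye code: it parses the output of show email-analysis policy into a dict and flags settings that weaken coverage, using constructed sample output based on the example above (example.com addresses stand in for the real ones) and check rules that are this example's own assumptions.

```python
import re

# Constructed sample input: the example `show email-analysis policy` output
# from this page, with example.com addresses standing in for the real ones.
SAMPLE_POLICY = """\
Email-Analysis Policy:
  Analyze URLs in body:                 yes
  Analyze attachments:                  yes
  Analyze email using YARA:             yes
  Email YARA Weight Cap:                30
  Max Email Size (MB):                  35
  Analysis Timeout (sec):               240
  Analyze image URLs:                   yes
  Advanced URL Defense:                 yes
  Max URLs Analyzed/email:              100
  Max Att. Analyzed/email:              20
  Congestion Bypass Mode:               yes
  Congestion Bypass Threshold:          3000
  Congestion Refuse-connnection Mode:   yes
  Congestion High Threshold:            10000
  Congestion Low Threshold:             9000
  Enable X Header:                      no
  Use Header for To/From:               no
  Parse HTTPS URLs:                     yes
  Invoke Email Feature Extractor:       yes
  Enable Notice (block mode):           no
  Block notice from:                    ex-appliance@example.com
  Block notice subject:                 Malicious email detected
  Block Admin Recipient(s):             secops@example.com
  Block BCC Recipient(s):               audit@example.com
  TypoSquatting:                        yes
  Monitoring Enabled :                  no
  Monitoring Interval (min):            15
  Monitoring Bypass Threshold:          1
  Monitoring Deferred Threshold:        100
  Monitoring Backoff (sec):             3600
  Signature Image Analysis:             yes
"""

def _coerce(value):
    """yes/no become booleans and plain integers become int; anything else stays text."""
    low = value.lower()
    if low in ("yes", "no"):
        return low == "yes"
    if re.fullmatch(r"\d+", value):
        return int(value)
    return value

def parse_policy(text):
    """Parse the 'Key: value' lines of `show email-analysis policy` into a dict.

    Keys never contain a colon, so the first colon on a line is the separator.
    Lines that end in a colon (the 'Email-Analysis Policy:' banner) carry no value
    and are skipped.
    """
    policy = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.endswith(":"):
            continue
        key, _, value = line.partition(":")
        policy[key.strip()] = _coerce(value.strip())
    return policy

def audit_policy(policy):
    """Return (severity, code, message) findings for settings that weaken coverage.

    The rules are this example's own assumptions, derived from the field
    descriptions on this page; they are not FireEye guidance.
    """
    findings = []

    def require(key, expected, severity, code, message):
        # A missing key counts as a finding too: None is never True.
        if policy.get(key) is not expected:
            findings.append((severity, code, message))

    require("Analyze attachments", True, "HIGH", "ATTACH_OFF", "attachments are not analyzed")
    require("Analyze URLs in body", True, "HIGH", "URL_OFF", "URLs in message bodies are not analyzed")
    require("Parse HTTPS URLs", True, "MEDIUM", "HTTPS_OFF", "HTTPS links are not parsed")
    if policy.get("Congestion Bypass Mode") is True:
        findings.append(("MEDIUM", "BYPASS_ON",
                         "once the attachments queue exceeds %s objects, new mail is "
                         "delivered without analysis" % policy.get("Congestion Bypass Threshold")))
    high = policy.get("Congestion High Threshold")
    low = policy.get("Congestion Low Threshold")
    if isinstance(high, int) and isinstance(low, int) and high <= low:
        # Re-enable must happen below the disable point, or the interface flaps.
        findings.append(("HIGH", "THRESHOLD_ORDER",
                         "high threshold %d must exceed low threshold %d" % (high, low)))
    if policy.get("Enable Notice (block mode)") is False:
        findings.append(("INFO", "NOTICE_OFF", "block notifications are not sent"))
    if policy.get("Enable X Header") is False:
        findings.append(("INFO", "XHEADER_OFF",
                         "delivered mail carries no X-Headers with the MVX results"))
    return findings

if __name__ == "__main__":
    for severity, code, message in audit_policy(parse_policy(SAMPLE_POLICY)):
        print("%-6s %-15s %s" % (severity, code, message))
```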
User Role
  Administrator, Analyst, Operator, or Monitor
Command Mode
  Enable

Release Information
This command was introduced as follows:
  • EX Series: Before Release 7.5. The message-tracking parameter was added in Release 7.6. Command output was enhanced to include the Typosquatting setting in Release 7.8.0.

Related Commands
For a list of related commands, see EX Series Commands on page 137.
show eml

Description
  Displays the current .eml file configurations. Related commands: eml attachment limit and eml recursive limit.

Syntax
  show eml

Parameters
  None

Example
The following example displays the available .eml file configurations.

  MAS (config) # show eml
  EML attachments limit : 5
  EML recursive limit : 3
show eula status
Displays the acceptance status of the End User License Agreement (EULA).

Syntax
  show eula status

Parameters
  None

Example
The following example shows the EULA acceptance status.

  hostname # show eula status
  End User License Agreement (EULA) Accepted at 2014/02/25 20:14:03

User Role
  Administrator, Monitor, or Operator

Command Mode
  Enable

Release Information
This command was introduced before Release 7.5.

Related Commands
For a list of related commands, see License Management Command Family on page 103.
show eula text
Displays the text of the End User License Agreement (EULA).

Syntax
  show eula text

Parameters
  None

Example
The following example shows partial output of the EULA text.

  hostname # show eula text
  END USER LICENSE AGREEMENT
  -------------------------
  FIREEYE, INC. END USER LICENSE AGREEMENT
  BY ENTERING "YES", YOU OR THE ENTITY THAT YOU REPRESENT ("LICENSEE") ARE UNCONDITIONALLY CONSENTING TO BE BOUND BY AND ARE BECOMING A PARTY TO THIS END USER LICENSE AGREEMENT ("AGREEMENT") WITH FIREEYE, INC. AND ITS AFFILIATES ("FIREEYE"). IF THESE TERMS ARE CONSIDERED AN OFFER, ACCEPTANCE IS EXPRESSLY LIMITED TO SUCH TERMS. IF LICENSEE DOES NOT UNCONDITIONALLY AGREE TO THE FOREGOING, ENTER "NO" AND THE INSTALLATION PROCESS WILL NOT CONTINUE. IF YOU ENTER "YES" TO CONTINUE WITH INSTALLATON, YOU ARE REPRESENTING AND WARRANTING THAT YOU ARE AUTHORIZED TO BIND LICENSEE.
  . . .

User Role
  Administrator, Monitor, or Operator

Command Mode
  Enable

Release Information
This command was introduced before Release 7.5.

Related Commands
For a list of related commands, see License Management Command Family on page 103.
show events after
Displays detailed information about events after a specified date and time. This command returns event information such as the event's type, occurrence time, interface, action, analysis type, and so on. The event records are listed in descending order by event ID.

Syntax
  show events after <date> <time>

Parameters
  date
    Displays the events after this date. The date is specified in the format yyyy/mm/dd.
  time
    Displays the events after this time. The time is specified in the format hh:mm:ss.
Output Fields
The following table describes the output fields for the show events after command. Fields are listed in the approximate order in which they appear in the output.

  Occurrence Time
    Time that the event occurred.
  Interface
    Type of interface that was active.
  Action
    Type of action that was taken. The policy is specified in parentheses.
  Event Type
    Type of event that was identified.
  Analysis Type
    Type of analysis that is associated with an event.
  Trace ID
    Specific trace job number that is associated with an event.
  Malware ID
    Specific malware analysis job number.
  Source IP
    IP address of the source.
  Destination IP
    IP address of the destination.
  Source MAC
    MAC address of the source.
  Destination MAC
    MAC address of the destination.
  VLAN ID
    Network VLAN job number that is associated with an event.
  Attacked Port
    Port number that is associated with an attack.
  IP Protocol
    Type of IP protocol that is used to transport the threat.
  Original Malware ID
    If a malware sample is a duplicate of an original sample, the duplicate displays the information from the original malware analysis job number.
  PCAP URL
    Packet capture (PCAP) link that is associated with an event.
  Event Page URL
    Specific link that is associated with an event.
Example
The following example displays detailed information about events after the specified date and time:

  hostname # show events after 2015/10/01 15:30:00
  Event 1634:
    Occurrence Time     : 2015-10-01 08:30:09 PDT
    Interface           : any
    Action              : notified (default policy): 0
    Event Type          : checksum-match
    Analysis Type       : Binary Analysis
    Trace ID            : 334
    Malware ID          : 334
    Source IP           : 64.28.181.208
    Destination IP      : 2.212.63.220
    Source MAC          : 00:20:18:11:FF:47
    Destination MAC     : 02:5E:8B:DA:86:CF
    VLAN ID             : 0
    Attacked Port       : 80
    IP Protocol         : tcp
    Original Malware ID : 0
    Match Type          : av-match
    Name                : PUA.Packed.PECompact
    EDP Page URL        : https://mil.fireeye.com/edp.php?sname=PUA.Packed.PECompact
    PCAP URL            : https://172.16.146.84/event_stream/send_pcap_file?ev_id=1634
    PCAP URL (TEXT)     : https://172.16.146.84/event_stream/send_pcap_ascii?ev_id=1634
    Event Page URL      : https://172.16.146.84/event_stream/events?event_id=1634
User Role
  Administrator, Operator, Monitor, or Analyst

Command Mode
  Enable

Release Information
This command was introduced as follows:
  • NX Series: Before Release 7.5

Related Commands
For a list of related commands, see Events Commands on page 92.
show events before
Displays detailed information about events before a specified date and time. This command returns event information such as the event's type, occurrence time, interface, action, analysis type, and so on. The event records are listed in descending order by event ID.

Syntax
  show events before <date> <time>

Parameters
  date
    Displays the events before this date. The date is specified in the format yyyy/mm/dd.
  time
    Displays the events before this time. The time is specified in the format hh:mm:ss.
Output Fields
The following table describes the output fields for the show events before command. Fields are listed in the approximate order in which they appear in the output.

  Occurrence Time
    Time that the event occurred.
  Interface
    Type of interface that was active.
  Action
    Type of action that was taken. The policy is specified in parentheses.
  Event Type
    Type of event that was identified.
  Analysis Type
    Type of analysis that is associated with an event.
  Trace ID
    Specific trace job number that is associated with an event.
  Malware ID
    Specific malware analysis job number.
  Source IP
    IP address of the source.
  Destination IP
    IP address of the destination.
  Source MAC
    MAC address of the source.
  Destination MAC
    MAC address of the destination.
  VLAN ID
    Network VLAN job number that is associated with an event.
  Attacked Port
    Port number that is associated with an attack.
  IP Protocol
    Type of IP protocol that is used to transport the threat.
  Original Malware ID
    If a malware sample is a duplicate of an original sample, the duplicate displays the information from the original malware analysis job number.
  PCAP URL
    Packet capture (PCAP) link that is associated with an event.
  Event Page URL
    Specific link that is associated with an event.
Example
The following example displays detailed information about events before the specified date and time:

  hostname # show events before 2015/10/01 07:00:00
  Event 3:
    Occurrence Time     : 2015-09-30 23:45:15 PDT
    Interface           : any
    Action              : notified (default policy): 0
    Event Type          : checksum-match
    Analysis Type       : Binary Analysis
    Trace ID            : 1
    Malware ID          : 1
    Source IP           : 115.52.174.36
    Destination IP      : 124.151.168.211
    Source MAC          : 00:0C:29:28:84:3F
    Destination MAC     : 00:03:47:4E:69:AA
    VLAN ID             : 0
    Attacked Port       : 80
    IP Protocol         : tcp
    Original Malware ID : 0
    Match Type          : av-match
    Name                : Mal/Whybo-A
    EDP Page URL        : https://mil.fireeye.com/edp.php?sname=Mal/Whybo-A
    PCAP URL            : https://172.16.146.84/event_stream/send_pcap_file?ev_id=3
    PCAP URL (TEXT)     : https://172.16.146.84/event_stream/send_pcap_ascii?ev_id=3
    Event Page URL      : https://172.16.146.84/event_stream/events?event_id=3
  Event 2:
    Occurrence Time     : 2015-09-30 23:44:33 PDT
    Interface           : A2
    Action              : flow permitted (default policy)
    Event Type          : exploit
    Analysis Type       : Content-Analysis
    Trace ID            : 0
    Source IP           : 34.232.235.10
    Destination IP      : 44.142.250.4
    Source MAC          : 8A:2B:65:33:BD:E9
    Destination MAC     : 00:50:56:F0:7E:18
    VLAN ID             : 0
    Attacked Port       : 80
    IP Protocol         : tcp
    Infection Communication Profile ID : 84500406
    Name                : Exploit.Kit.Goon
    EDP Page URL        : https://mil.fireeye.com/edp.php?sname=Exploit.Kit.Goon
    PCAP URL            : https://172.16.146.84/event_stream/send_pcap_file?ev_id=2
    PCAP URL (TEXT)     : https://172.16.146.84/event_stream/send_pcap_ascii?ev_id=2
    Event Page URL      : https://172.16.146.84/event_stream/events?event_id=2
User Role
  Administrator, Operator, Monitor, or Analyst

Command Mode
  Enable

Release Information
This command was introduced as follows:
  • NX Series: Before Release 7.5

Related Commands
For a list of related commands, see Events Commands on page 92.
show events between
Displays detailed information about events during a specified time period. This command returns event information such as the event's type, occurrence time, interface, action, analysis type, and so on. The event records are listed in descending order by event ID.

Syntax
  show events between <date> and <date>

Parameters
  date
    The start and end dates of the events. The date is specified in the format yyyy/mm/dd.
Output Fields
The following table describes the output fields for the show events between command. Fields are listed in the approximate order in which they appear in the output.

  Occurrence Time
    Time that the event occurred.
  Interface
    Type of interface that was active.
  Action
    Type of action that was taken. The policy is specified in parentheses.
  Event Type
    Type of event that was identified.
  Analysis Type
    Type of analysis that is associated with an event.
  Infected IP
    IP address that is infected.
  C&C IP
    IP address of the command and control (CnC) server.
  C&C Port
    Port number of the CnC server.
  VLAN ID
    Network VLAN job number that is associated with an event.
  Source MAC
    MAC address of the source.
  Destination MAC
    MAC address of the destination.
  IP Protocol
    Type of IP protocol used to transport the threat.
  Original Malware ID
    If a malware sample is a duplicate of an original sample, the duplicate displays the information from the original malware analysis job number.
  PCAP URL
    Packet capture (PCAP) link that is associated with an event.
  Event Page URL
    Specific link that is associated with an event.
Example
The following example displays detailed information about events between the specified dates:

  hostname # show events between 2015/09/30 and 2015/10/01
  Event 717:
    Occurrence Time     : 2015-09-30 05:01:57 UTC
    Interface           : A1
    Action              : flow permitted (default policy)
    Event Type          : malware-callback
    Analysis Type       : Content-Analysis
    Infected IP         : 205.174.239.214
    C&C IP              : 63.35.171.59
    C&C Port            : 80
    VLAN ID             : 0
    Source MAC          : 00:1A:A0:70:2D:B0
    Destination MAC     : 00:17:DF:86:64:00
    IP Protocol         : tcp
    C&C Services        : 1
      63.35.171.59:6:80 [0] [fqc] GET /tred.html?sid=RB2tQ3wIqUgkW64YJwWuS3ENp0N2DqYccwSvTHFcr0l8CJ1adVmsHnYLU50Wa8cdAz7H3xb-Uh0C6ZIdQX5S3Jb_RxGO61KdQ2uSkE3rkhxBK5McQ_uSUAq05DP65PQjnzHXcNl390D6hLcTSWFC5crkp1Da9D HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0) WinNT 5.1 Host: 82.98.235.209 Cache-Control: no-cache
    Malware-C&C Communication Profile ID : 33331100
    Name                : Trojan.Vundo
    EDP Page URL        : https://mil.fireeye.com/edp.php?sname=Trojan.Vundo
    PCAP URL            : https://172.17.74.50/event_stream/send_pcap_file?ev_id=717
    PCAP URL (TEXT)     : https://172.17.74.50/event_stream/send_pcap_ascii?ev_id=717
    Event Page URL      : https://172.17.74.50/event_stream/events?event_id=717
  Event 716:
    Occurrence Time     : 2015-09-30 05:01:57 UTC
    Interface           : A1
    Action              : flow permitted (default policy)
    Event Type          : malware-callback
    Analysis Type       : Content-Analysis
    Infected IP         : 205.174.239.214
    C&C IP              : 51.39.235.249
    C&C Port            : 80
    VLAN ID             : 0
    Source MAC          : 00:1A:A0:70:2D:B0
    Destination MAC     : 00:17:DF:86:64:00
    IP Protocol         : tcp
    C&C Services        : 1
      51.39.235.249:6:80 [0] [fqc] POST /frame.html?NyRPPgKAXwwl6t2xIqZK8kvLQBMdoSCsL4xTQ70H3WoyfkGWMD0saFUFcjMEBHsK MFglMQQxRgw0NEIJMDFDAzQ1Rkk5N0ITMJ5zAzQ HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0) WinNT 5.1 Host: pancolp.com Content-Length: 164 Cache-Control: no-cache
    Malware-C&C Communication Profile ID : 33331100
    Name                : Trojan.Vundo
    EDP Page URL        : https://mil.fireeye.com/edp.php?sname=Trojan.Vundo
    PCAP URL            : https://172.17.74.50/event_stream/send_pcap_file?ev_id=716
    PCAP URL (TEXT)     : https://172.17.74.50/event_stream/send_pcap_ascii?ev_id=716
    Event Page URL      : https://172.17.74.50/event_stream/events?event_id=716
  Event 620:
    Occurrence Time     : 2015-10-01 00:00:07 UTC
    Interface           : A1
    Action              : flow permitted (default policy)
    Event Type          : malware-callback
    Analysis Type       : Content-Analysis
    Infected IP         : 21.95.174.173
    C&C IP              : 85.95.150.170
    C&C Port            : 80
    VLAN ID             : 0
    Source MAC          : 00:50:56:3C:50:49
    Destination MAC     : 00:09:0F:E2:A6:31
    IP Protocol         : tcp
    C&C Services        : 1
      85.95.150.170:6:80 [0] [fqc] POST /wp-content/languages/gate.php HTTP/1.0 Host: ebecbaltic.org Accept: */* Accept-Encoding: identity, *;q=0 Content-Length: 529 Connection: close Content-Type: application/octet-stream Content-Encoding: binary User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
    Malware-C&C Communication Profile ID : 67902082
    Name                : Trojan.Zbot
    EDP Page URL        : https://mil.fireeye.com/edp.php?sname=Trojan.Zbot
    PCAP URL            : https://172.17.74.50/event_stream/send_pcap_file?ev_id=620
    PCAP URL (TEXT)     : https://172.17.74.50/event_stream/send_pcap_ascii?ev_id=620
    Event Page URL      : https://172.17.74.50/event_stream/events?event_id=620
User Role
  Administrator, Operator, Monitor, or Analyst

Command Mode
  Enable

Release Information
This command was introduced as follows:
  • NX Series: Before Release 7.5

Related Commands
For a list of related commands, see Events Commands on page 92.
show events count
Displays the total number of events and the number of events of each type.

Syntax
  show events count

Parameters
  None
Example
The following example displays the number of events for each alert type:

  hostname # show events count
  Event Count:
    Number of Total Events:   1886
    vm-mw-execution events:   0
    vm-outbound-comm events:  224
    exploit events:           148
    malware-callback events:  227
    os-change-anomaly events: 532
    checksum-match events:    503
    vm-malware-callbac events: 252
User Role
  Administrator, Operator, Monitor, or Analyst

Command Mode
  Enable

Release Information
This command was introduced as follows:
  • NX Series: Before Release 7.5

Related Commands
For a list of related commands, see Events Commands on page 92.
show events on
Displays detailed information about events that occurred on a specified date. This command returns event information such as the event's type, occurrence time, interface, action, analysis type, and so on. The event records are listed in descending order by event ID.

Syntax
  show events on <date>

Parameters
  date
    Displays the events that occurred on this date. The date is specified in the format yyyy/mm/dd.
Output Fields
The following table describes the output fields for the show events on command. Fields are listed in the approximate order in which they appear in the output.

  Occurrence Time
    Time that the event occurred.
  Interface
    Type of interface that was active.
  Action
    Type of action that was taken. The policy is specified in parentheses.
  Event Type
    Type of event that was identified.
  Analysis Type
    Type of analysis that is associated with an event.
  Trace ID
    Specific trace job number that is associated with an event.
  Malware ID
    Specific malware analysis job number.
  Source IP
    IP address of the source.
  Destination IP
    IP address of the destination.
  Source MAC
    MAC address of the source.
  Destination MAC
    MAC address of the destination.
  VLAN ID
    Network VLAN job number that is associated with an event.
  Attacked Port
    Port number that is associated with an attack.
  IP Protocol
    Type of IP protocol that is used to transport the threat.
  Original Malware ID
    If a malware sample is a duplicate of an original sample, the duplicate displays the information from the original malware analysis job number.
  PCAP URL
    Packet capture (PCAP) link that is associated with an event.
  Event Page URL
    Specific link that is associated with an event.
Example
The following example displays detailed information about events that occurred on the specified date:

  hostname # show events on 2015/09/30
  Event 3:
    Occurrence Time     : 2015-09-30 23:45:15 PDT
    Interface           : any
    Action              : notified (default policy): 0
    Event Type          : checksum-match
    Analysis Type       : Binary Analysis
    Trace ID            : 1
    Malware ID          : 1
    Source IP           : 115.52.174.36
    Destination IP      : 124.151.168.211
    Source MAC          : 00:0C:29:28:84:3F
    Destination MAC     : 00:03:47:4E:69:AA
    VLAN ID             : 0
    Attacked Port       : 80
    IP Protocol         : tcp
    Original Malware ID : 0
    Match Type          : av-match
    Name                : Mal/Whybo-A
    EDP Page URL        : https://mil.fireeye.com/edp.php?sname=Mal/Whybo-A
    PCAP URL            : https://172.16.146.84/event_stream/send_pcap_file?ev_id=3
    PCAP URL (TEXT)     : https://172.16.146.84/event_stream/send_pcap_ascii?ev_id=3
    Event Page URL      : https://172.16.146.84/event_stream/events?event_id=3
  Event 2:
    Occurrence Time     : 2015-09-30 23:44:33 PDT
    Interface           : A2
    Action              : flow permitted (default policy)
    Event Type          : exploit
    Analysis Type       : Content-Analysis
    Trace ID            : 0
    Source IP           : 34.232.235.10
    Destination IP      : 44.142.250.4
    Source MAC          : 8A:2B:65:33:BD:E9
    Destination MAC     : 00:50:56:F0:7E:18
    VLAN ID             : 0
    Attacked Port       : 80
    IP Protocol         : tcp
    Infection Communication Profile ID : 84500406
    Name                : Exploit.Kit.Goon
    EDP Page URL        : https://mil.fireeye.com/edp.php?sname=Exploit.Kit.Goon
    PCAP URL            : https://172.16.146.84/event_stream/send_pcap_file?ev_id=2
    PCAP URL (TEXT)     : https://172.16.146.84/event_stream/send_pcap_ascii?ev_id=2
    Event Page URL      : https://172.16.146.84/event_stream/events?event_id=2
  Event 1:
    Occurrence Time     : 2015-09-30 23:42:59 PDT
    Interface           : A2
    Action              : notified (default policy): 0
    Event Type          : malware-callback
    Analysis Type       : Content-Analysis
    Infected IP         : 84.26.164.204
    C&C IP              : 0.0.0.0
    C&C Port            : 0
    VLAN ID             : 0
    Source MAC          : 00:E0:81:40:32:08
    Destination MAC     : 00:09:3D:13:AC:EE
    IP Protocol         : udp
    C&C Services        : 1
      img121.imagehacks.biz:17:53 [0]
    Malware-C&C Communication Profile ID : 80442782
    Name                : Bot.Mariposa.DNS
    EDP Page URL        : https://mil.fireeye.com/edp.php?sname=Bot.Mariposa.DNS
    PCAP URL            : https://172.16.146.84/event_stream/send_pcap_file?ev_id=1
    PCAP URL (TEXT)     : https://172.16.146.84/event_stream/send_pcap_ascii?ev_id=1
    Event Page URL      : https://172.16.146.84/event_stream/events?event_id=1
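The show events after, before, between, on and today commands all print the same record layout: an "Event N:" header, one "Key : value" line per field, and for callback events an indented C&C Services detail line that itself contains colons. The following is an added example, not FireEye code: a parser that turns that output into one dict per event and flattens the callback (Infected IP / C&C IP) and exploit (Source IP / Destination IP) field names into a common record for SIEM export. It assumes that field lines have whitespace before the separating colon and detail lines do not, and uses a constructed sample trimmed from the examples on this page; the output key names are this example's own choice.

```python
import json
import re

# Constructed sample input, modelled on the show events examples on this page
# (two events trimmed to the fields needed here; addresses as printed there).
SAMPLE_EVENTS = """\
hostname # show events between 2015/09/30 and 2015/10/01
Event 717:
  Occurrence Time : 2015-09-30 05:01:57 UTC
  Interface       : A1
  Action          : flow permitted (default policy)
  Event Type      : malware-callback
  Analysis Type   : Content-Analysis
  Infected IP     : 205.174.239.214
  C&C IP          : 63.35.171.59
  C&C Port        : 80
  VLAN ID         :0
  IP Protocol     : tcp
  C&C Services    : 1
    63.35.171.59:6:80 [0] [fqc] GET /tred.html HTTP/1.1 User-Agent: Mozilla/4.0 Host: 82.98.235.209
  Malware-C&C Communication Profile ID : 33331100
  Name            : Trojan.Vundo
  PCAP URL        : https://172.17.74.50/event_stream/send_pcap_file?ev_id=717
  Event Page URL  : https://172.17.74.50/event_stream/events?event_id=717
Event 3:
  Occurrence Time : 2015-09-30 23:45:15 PDT
  Interface       : any
  Action          : notified (default policy): 0
  Event Type      : checksum-match
  Analysis Type   : Binary Analysis
  Malware ID      : 1
  Source IP       : 115.52.174.36
  Destination IP  : 124.151.168.211
  Attacked Port   : 80
  IP Protocol     : tcp
  Name            : Mal/Whybo-A
  PCAP URL        : https://172.16.146.84/event_stream/send_pcap_file?ev_id=3
  Event Page URL  : https://172.16.146.84/event_stream/events?event_id=3
"""

EVENT_RE = re.compile(r"^Event (\d+):$")
# A field line is 'Key : value' with whitespace before the colon (assumption).
# The C&C Services detail lines (a summarised request such as 'GET /x HTTP/1.1
# Host: ...') never have whitespace before a colon, so they do not match and are
# kept as continuation lines of the preceding field.
FIELD_RE = re.compile(r"^\s*(.+?)\s+:\s*(.*?)\s*$")

def parse_events(text):
    """Split show events output into one dict per 'Event N:' block."""
    events, current, last_key = [], None, None
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            current = {"Event ID": int(m.group(1))}
            events.append(current)
            last_key = None
            continue
        if current is None:  # prompt / command echo before the first event
            continue
        m = FIELD_RE.match(line)
        if m:
            last_key = m.group(1)
            current[last_key] = m.group(2)
        elif last_key and line.strip():
            current.setdefault(last_key + " detail", []).append(line.strip())
    return events

def normalize(event):
    """Flatten one parsed event into a common record (key names are this example's).

    Callback events carry Infected IP / C&C IP / C&C Port, while exploit and
    checksum-match events carry Source IP / Destination IP / Attacked Port,
    so both pairs are folded onto src/dst fields.
    """
    return {
        "event_id": event["Event ID"],
        "timestamp": event.get("Occurrence Time"),
        "event_type": event.get("Event Type"),
        "src_ip": event.get("Source IP") or event.get("Infected IP"),
        "dst_ip": event.get("Destination IP") or event.get("C&C IP"),
        "dst_port": event.get("Attacked Port") or event.get("C&C Port"),
        "threat_name": event.get("Name"),
        "pcap_url": event.get("PCAP URL"),
        "cnc_services": event.get("C&C Services detail", []),
    }

def to_json(events):
    """Serialise the records as newline-delimited JSON, one document per event."""
    return "\n".join(json.dumps(normalize(e), sort_keys=True) for e in events)

if __name__ == "__main__":
    print(to_json(parse_events(SAMPLE_EVENTS)))
```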
User Role
  Administrator, Operator, Monitor, or Analyst

Command Mode
  Enable

Release Information
This command was introduced as follows:
  • NX Series: Before Release 7.5

Related Commands
For a list of related commands, see Events Commands on page 92.
show events today
Displays detailed information about events that occurred today. This command returns event information such as the event's type, occurrence time, interface, action, analysis type, and so on. The event records are listed in descending order by event ID.

Syntax
  show events today

Parameters
  None
Output Fields
The following table describes the output fields for the show events today command. Fields are listed in the approximate order in which they appear in the output.

  Occurrence Time
    Time that the event occurred.
  Interface
    Type of interface that was active.
  Action
    Type of action that was taken. The policy is specified in parentheses.
  Event Type
    Type of event that was identified.
  Analysis Type
    Type of analysis that is associated with an event.
  Trace ID
    Specific trace job number that is associated with an event.
  Malware ID
    Specific malware analysis job number.
  Source IP
    IP address of the source.
  Destination IP
    IP address of the destination.
  Source MAC
    MAC address of the source.
  Destination MAC
    MAC address of the destination.
  VLAN ID
    Network VLAN job number that is associated with an event.
  Attacked Port
    Port number that is associated with an attack.
  IP Protocol
    Type of IP protocol that is used to transport the threat.
  Original Malware ID
    If a malware sample is a duplicate of an original sample, the duplicate displays the information from the original malware analysis job number.
  PCAP URL
    Packet capture (PCAP) link that is associated with an event.
  Event Page URL
    Specific link that is associated with an event.
Example The following example displays detailed information about events that occurred today:

hostname # show events today
Event 3:
Occurrence Time                    : 2015-09-30 23:45:15 PDT
Interface                          : any
Action                             : notified (default policy): 0
Event Type                         : checksum-match
Analysis Type                      : Binary Analysis
Trace ID                           : 1
Malware ID                         : 1
Source IP                          : 115.52.174.36
Destination IP                     : 124.151.168.211
Source MAC                         : 00:0C:29:28:84:3F
Destination MAC                    : 00:03:47:4E:69:AA
VLAN ID                            : 0
Attacked Port                      : 80
IP Protocol                        : tcp
Original Malware ID                : 0
Match Type                         : av-match
Name                               : Mal/Whybo-A
EDP Page URL                       : https://mil.fireeye.com/edp.php?sname=Mal/Whybo-A
PCAP URL                           : https://172.16.146.84/event_stream/send_pcap_file?ev_id=3
PCAP URL (TEXT)                    : https://172.16.146.84/event_stream/send_pcap_ascii?ev_id=3
Event Page URL                     : https://172.16.146.84/event_stream/events?event_id=3
Event 2:
Occurrence Time                    : 2015-09-30 23:44:33 PDT
Interface                          : A2
Action                             : flow permitted (default policy)
Event Type                         : exploit
Analysis Type                      : Content-Analysis
Trace ID                           : 0
Source IP                          : 34.232.235.10
Destination IP                     : 44.142.250.4
Source MAC                         : 8A:2B:65:33:BD:E9
Destination MAC                    : 00:50:56:F0:7E:18
VLAN ID                            : 0
Attacked Port                      : 80
IP Protocol                        : tcp
Infection Communication Profile ID : 84500406
Name                               : Exploit.Kit.Goon
EDP Page URL                       : https://mil.fireeye.com/edp.php?sname=Exploit.Kit.Goon
PCAP URL                           : https://172.16.146.84/event_stream/send_pcap_file?ev_id=2
PCAP URL (TEXT)                    : https://172.16.146.84/event_stream/send_pcap_ascii?ev_id=2
Event Page URL                     : https://172.16.146.84/event_stream/events?event_id=2
Event 1:
Occurrence Time                    : 2015-09-30 23:42:59 PDT
Interface                          : A2
Action                             : notified (default policy): 0
Event Type                         : malware-callback
Analysis Type                      : Content-Analysis
Infected IP                        : 84.26.164.204
C&C IP                             : 0.0.0.0
C&C Port                           : 0
VLAN ID                            : 0
Source MAC                         : 00:E0:81:40:32:08
Destination MAC                    : 00:09:3D:13:AC:EE
IP Protocol                        : udp
C&C Services                       : 1
img121.imagehacks.biz:17:53 [0] Malware-C&C
Communication Profile ID           : 80442782
Name                               : Bot.Mariposa.DNS
EDP Page URL                       : https://mil.fireeye.com/edp.php?sname=Bot.Mariposa.DNS
PCAP URL                           : https://172.16.146.84/event_stream/send_pcap_file?ev_id=1
PCAP URL (TEXT)                    : https://172.16.146.84/event_stream/send_pcap_ascii?ev_id=1
Event Page URL                     : https://172.16.146.84/event_stream/events?event_id=1
User Role Administrator, Operator, Monitor, or Analyst
Command Mode Enable
Release Information This command was introduced as follows:
- NX Series: Before Release 7.5
Related Commands For a list of related commands, see Events Commands on page 92.
show events type Displays detailed information about a particular type of event. This command returns the event information such as the event's type, occurrence time, interface, action, analysis type, and so on. The event records are listed in descending order by event ID.
Syntax show events type
Parameters event
The following types of alerts are available:
- vm-mw-execution—Displays information about the VM-verified malware execution.
- vm-outbound-comm—Displays information about the VM-verified outbound communication.
- exploit—Displays information about the signature match.
- vm-signature-match—Displays information about the VM Command and Control (CnC) signature match.
- checksum-match—Displays information about the binary checksum match.
- malware-callback—Displays information about the CnC signature match.
- os-change-anomaly—Displays information about the operating system change or anomaly.
Output Fields The following table describes the output fields for the show events type command. Fields are listed in the approximate order in which they appear in the output.

Field                Description
Occurrence Time      Time that the event occurred.
Interface            Type of interface that was active.
Action               Type of action that was taken. The policy is specified in parentheses.
Event Type           Type of event that was identified.
Analysis Type        Type of analysis that is associated with an event.
Trace ID             Specific trace job number that is associated with an event.
Malware ID           Specific malware analysis job number.
Source IP            IP address of the source.
Destination IP       IP address of the destination.
Source MAC           MAC address of the source.
Destination MAC      MAC address of the destination.
VLAN ID              Network VLAN job number that is associated with an event.
Attacked Port        Port number that is associated with an attack.
IP Protocol          Type of IP protocol that is used to transport the threat.
Original Malware ID  If a malware sample is a duplicate of an original sample, the duplicate displays the information from the original malware analysis job number.
PCAP URL             Packet capture (PCAP) link that is associated with an event.
Event Page URL       Specific link that is associated with an event.
Example The following example displays partial output about the binary checksum match:

hostname # show events type checksum-match
Event 15:
Occurrence Time                    : 2015-09-30 23:49:35 PDT
Interface                          : any
Action                             : notified (default policy): 0
Event Type                         : checksum-match
Analysis Type                      : Binary Analysis
Trace ID                           : 2
Malware ID                         : 2
Source IP                          : 34.232.235.10
Destination IP                     : 44.142.250.4
Source MAC                         : 8A:2B:65:33:BD:E9
Destination MAC                    : 00:50:56:F0:7E:18
VLAN ID                            : 0
Attacked Port                      : 80
IP Protocol                        : tcp
Original Malware ID                : 0
Match Type                         : av-match
Name                               : Mal/Generic-L
EDP Page URL                       : https://mil.fireeye.com/edp.php?sname=Mal/Generic-L
PCAP URL                           : https://172.16.146.84/event_stream/send_pcap_file?ev_id=15
PCAP URL (TEXT)                    : https://172.16.146.84/event_stream/send_pcap_ascii?ev_id=15
Event Page URL                     : https://172.16.146.84/event_stream/events?event_id=15
Event 3:
Occurrence Time                    : 2015-09-30 23:45:15 PDT
Interface                          : any
Action                             : notified (default policy): 0
Event Type                         : checksum-match
Analysis Type                      : Binary Analysis
Trace ID                           : 1
Malware ID                         : 1
Source IP                          : 115.52.174.36
Destination IP                     : 124.151.168.211
Source MAC                         : 00:0C:29:28:84:3F
Destination MAC                    : 00:03:47:4E:69:AA
VLAN ID                            : 0
Attacked Port                      : 80
IP Protocol                        : tcp
Original Malware ID                : 0
Match Type                         : av-match
Name                               : Mal/Whybo-A
EDP Page URL                       : https://mil.fireeye.com/edp.php?sname=Mal/Whybo-A
PCAP URL                           : https://172.16.146.84/event_stream/send_pcap_file?ev_id=3
PCAP URL (TEXT)                    : https://172.16.146.84/event_stream/send_pcap_ascii?ev_id=3
Event Page URL                     : https://172.16.146.84/event_stream/events?event_id=3
User Role Administrator, Operator, Monitor, or Analyst
Command Mode Enable
Release Information This command was introduced as follows:
- NX Series: Before Release 7.5
Related Commands For a list of related commands, see Events Commands on page 92.
show events yesterday Displays detailed information about events that occurred yesterday. This command returns the event information such as the event's type, occurrence time, interface, action, analysis type, and so on. The event records are listed in descending order by event ID.
Syntax show events yesterday
Parameters None
Output Fields The following table describes the output fields for the show events yesterday command. Fields are listed in the approximate order in which they appear in the output.

Field                Description
Occurrence Time      Time that the event occurred.
Interface            Type of interface that was active.
Action               Type of action that was taken. The policy is specified in parentheses.
Event Type           Type of event that was identified.
Analysis Type        Type of analysis that is associated with an event.
Trace ID             Specific trace job number that is associated with an event.
Malware ID           Specific malware analysis job number.
Source IP            IP address of the source.
Destination IP       IP address of the destination.
Source MAC           MAC address of the source.
Destination MAC      MAC address of the destination.
VLAN ID              Network VLAN job number that is associated with an event.
Attacked Port        Port number that is associated with an attack.
IP Protocol          Type of IP protocol that is used to transport the threat.
Original Malware ID  If a malware sample is a duplicate of an original sample, the duplicate displays the information from the original malware analysis job number.
PCAP URL             Packet capture (PCAP) link that is associated with an event.
Event Page URL       Specific link that is associated with an event.
Example The following example displays detailed information about events that occurred yesterday:

hostname # show events yesterday
Event 1710:
Occurrence Time                    : 2015-10-01 23:41:30 UTC
Interface                          : any
Action                             : notified (default policy): 0
Event Type                         : checksum-match
Analysis Type                      : Binary Analysis
Trace ID                           : 3584
Malware ID                         : 3584
Source IP                          : 62.87.186.81
Destination IP                     : 123.45.255.234
Source MAC                         : AA:BB:CC:DD:EE:FF
Destination MAC                    : 00:11:22:33:44:55
VLAN ID                            : 0
Attacked Port                      : 80
IP Protocol                        : tcp
Original Malware ID                : 111
Match Type                         : yara
Name                               : FE_Heuristic_Malware_Reflection_Jar_6
EDP Page URL                       : https://mil.fireeye.com/edp.php?sname=FE_Heuristic_Malware_Reflection_Jar_6
PCAP URL                           : https://172.17.74.50/event_stream/send_pcap_file?ev_id=1710
PCAP URL (TEXT)                    : https://172.17.74.50/event_stream/send_pcap_ascii?ev_id=1710
Event Page URL                     : https://172.17.74.50/event_stream/events?event_id=1710
Event 1709:
Occurrence Time                    : 2015-10-01 23:41:20 UTC
Interface                          : A1
Action                             : flow permitted (default policy)
Event Type                         : exploit
Analysis Type                      : Content-Analysis
Trace ID                           : 0
Source IP                          : 62.87.186.81
Destination IP                     : 123.45.255.234
Source MAC                         : AA:BB:CC:DD:EE:FF
Destination MAC                    : 00:11:22:33:44:55
VLAN ID                            : 0
Attacked Port                      : 80
IP Protocol                        : tcp
Infection Communication Profile ID : 84500055
Name                               : Exploit.Kit.Payload
EDP Page URL                       : https://mil.fireeye.com/edp.php?sname=Exploit.Kit.Payload
PCAP URL                           : https://172.17.74.50/event_stream/send_pcap_file?ev_id=1709
PCAP URL (TEXT)                    : https://172.17.74.50/event_stream/send_pcap_ascii?ev_id=1709
Event Page URL                     : https://172.17.74.50/event_stream/events?event_id=1709
User Role Administrator, Operator, Monitor, or Analyst
Command Mode Enable
Release Information This command was introduced as follows:
- NX Series: Before Release 7.5
Related Commands For a list of related commands, see Events Commands on page 92.
show events [] Displays detailed information about events.
Syntax show events []
Parameters None
Options event_ID
Specific event job number.
Output Fields The following table describes the output fields for the show events command. Fields are listed in the approximate order in which they appear in the output.

Field                Description
Occurrence Time      Time that the event occurred.
Interface            Type of interface that was active.
Action               Type of action that was taken. The policy is specified in parentheses.
Event Type           Type of event that was identified.
Analysis Type        Type of analysis that is associated with an event.
Trace ID             Specific trace job number that is associated with an event.
Malware ID           Specific malware analysis job number.
Source IP            IP address of the source.
Destination IP       IP address of the destination.
Source MAC           MAC address of the source.
Destination MAC      MAC address of the destination.
VLAN ID              Network VLAN job number that is associated with an event.
Attacked Port        Port number that is associated with an attack.
IP Protocol          Type of IP protocol that is used to transport the threat.
Original Malware ID  If a malware sample is a duplicate of an original sample, the duplicate displays the information from the original malware analysis job number.
PCAP URL             Packet capture (PCAP) link that is associated with an event.
Event Page URL       Specific link that is associated with an event.
Example The following example displays detailed information about event number 3:

hostname # show events 3
Event 3:
Occurrence Time                    : 2015-09-30 23:45:15 PDT
Interface                          : any
Action                             : notified (default policy): 0
Event Type                         : checksum-match
Analysis Type                      : Binary Analysis
Trace ID                           : 1
Malware ID                         : 1
Source IP                          : 115.52.174.36
Destination IP                     : 124.151.168.211
Source MAC                         : 00:0C:29:28:84:3F
Destination MAC                    : 00:03:47:4E:69:AA
VLAN ID                            : 0
Attacked Port                      : 80
IP Protocol                        : tcp
Original Malware ID                : 0
Match Type                         : av-match
Name                               : Mal/Whybo-A
EDP Page URL                       : https://mil.fireeye.com/edp.php?sname=Mal/Whybo-A
PCAP URL                           : https://172.16.146.84/event_stream/send_pcap_file?ev_id=3
PCAP URL (TEXT)                    : https://172.16.146.84/event_stream/send_pcap_ascii?ev_id=3
Event Page URL                     : https://172.16.146.84/event_stream/events?event_id=3
User Role Administrator, Operator, Monitor, or Analyst
Command Mode Enable
Release Information This command was introduced as follows:
- NX Series: Before Release 7.5
Related Commands For a list of related commands, see Events Commands on page 92.
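The four show events variants above (today, yesterday, type, and a single event ID) all print the same "Label : value" records. As an added example that is not part of this guide, the following Python script parses such output into dictionaries and triages it (event types, exploits whose flow was permitted, callback destinations); the sample text is the guide's show events today output, abridged, and the reading of a C&C Services entry as host:protocol:port is an assumption noted in the code.

```python
"""Parse and triage the record-style output of the NX Series `show events`
commands (today, yesterday, type <event>, <event_ID>), which all print
'Label : value' records.  Added example, not part of the FireEye CLI
Reference Guide; SAMPLE_OUTPUT is the guide's `show events today` output,
abridged to the fields used here."""
import re
from collections import Counter

SAMPLE_OUTPUT = """\
hostname # show events today
Event 3:
Occurrence Time     : 2015-09-30 23:45:15 PDT
Interface           : any
Action              : notified (default policy): 0
Event Type          : checksum-match
Source IP           : 115.52.174.36
Match Type          : av-match
Name                : Mal/Whybo-A
Event 2:
Occurrence Time     : 2015-09-30 23:44:33 PDT
Interface           : A2
Action              : flow permitted (default policy)
Event Type          : exploit
Source IP           : 34.232.235.10
Destination IP      : 44.142.250.4
Name                : Exploit.Kit.Goon
Event 1:
Occurrence Time     : 2015-09-30 23:42:59 PDT
Interface           : A2
Action              : notified (default policy): 0
Event Type          : malware-callback
Infected IP         : 84.26.164.204
C&C IP              : 0.0.0.0
IP Protocol         : udp
C&C Services        : 1
img121.imagehacks.biz:17:53 [0] Malware-C&C
Name                : Bot.Mariposa.DNS
"""

EVENT_HEADER = re.compile(r"^Event (\d+):$")


def parse_events(text):
    """One dict per 'Event N:' block, keyed by field label plus 'Event ID'.
    A field line is split at its FIRST colon only, so values containing
    colons (timestamps, 'notified (default policy): 0') stay intact.  The N
    lines after 'C&C Services : N' are service entries, kept as a list."""
    events, current, pending_services = [], None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = EVENT_HEADER.match(line)
        if header:
            current = {"Event ID": int(header.group(1))}
            events.append(current)
            pending_services = 0
            continue
        if current is None:
            continue  # prompt or banner text before the first record
        if pending_services:
            current["C&C Services"].append(line)
            pending_services -= 1
            continue
        label, sep, value = line.partition(":")
        if not sep:
            continue
        label, value = label.strip(), value.strip()
        if label == "C&C Services":
            pending_services = int(value)
            current[label] = []
        else:
            current[label] = value
    return events


def count_by_type(events):
    """Histogram of the Event Type field (checksum-match, exploit, ...)."""
    return Counter(e.get("Event Type", "unknown") for e in events)


def permitted_exploits(events):
    """IDs of exploit events whose Action says the flow was permitted: the
    content reached the destination host, so it needs host-side follow-up."""
    return [e["Event ID"] for e in events
            if e.get("Event Type") == "exploit"
            and e.get("Action", "").startswith("flow permitted")]


def callback_destinations(events):
    """(host, protocol, port) triples from C&C Services entries.  The entry
    'img121.imagehacks.biz:17:53 [0] Malware-C&C' is read as host:proto:port
    (17 = UDP, matching the event's IP Protocol); that reading is an assumption."""
    out = []
    for e in events:
        for entry in e.get("C&C Services", []):
            host, proto, port = entry.split()[0].split(":")[:3]
            out.append((host, int(proto), int(port)))
    return out
```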
show fe-access To display the configuration and status of any connections to FireEye Customer Support through reverse SSH tunneling, use the show fe-access command in enable mode.
Syntax show fe-access
Parameters None
Example The following example indicates that a proxy is not enabled and that the FireEye appliance is connected to FireEye Customer Support through reverse SSH tunneling.

hostname (config) # show fe-access
fe-access is enabled.
username: feaccess
password: ********
timeout: 48 hours
hostname: 10.17.153.50
port num: 443
base port: 0
fe-access proxy is disabled.
fe-access is connected.
connection established: Thu Feb 20 23:23:36 2013
time remaining: 47 hours 59 minutes and 57 seconds
number of incoming ssh connections: 0
number of incoming web connections: 0

The following example indicates that a proxy is enabled using the FireEye proxy server.

fe-access proxy is enabled.
fe-access proxy is using its own settings (not fenet settings)
proxy hostname: 10.16.50.107
proxy port num: 3128
proxy username: test
proxy password: ********
fe-access is connected.
connection established: Thu Mar 21 23:28:15 2013
time remaining: 47 hours 59 minutes and 57 seconds
number of incoming ssh connections: 0
number of incoming web connections: 0
show fedb backups Displays a list of FireEye database backup files.
Syntax show fedb backups
Parameters None
Example The following example shows information about two backup files:

hostname # show fedb backups
Created At           Size    Backup File
2016/01/26 17:19:40  932.0M  fedb.upgrade.backup.IE-NX900.777_796_20160126_171102
2016/01/26 16:35:32  931.9M  fedb.upgrade.backup.IE-NX900.777_800_20160126_162631
2 backup files available!
User Role Administrator or Operator
Command Mode Enable
Release Information This command was introduced as follows:
- CM Series: Before Release 7.5
- NX Series: Before Release 7.5
- EX Series: Before Release 7.5
- FX Series: Before Release 7.5
- AX Series: Before Release 7.5
Related Commands For a list of related commands, see Events Database Management Commands on page 91.
show fedb events configuration Displays the configuration details about the events database, such as malicious and nonmalicious URLs.
Syntax show fedb events configuration
Parameters None
Example The following example shows the details that are configured for the events database:

hostname # show fedb events configuration
FireEye Event Database:
Archive himark: 500000
Malware himark: 2000000
Archive time: 3
Source IP Hostname:
Resolve by dns: yes
Resolve by netbios: no
First by dns: yes
User Role Administrator and Operator
Command Mode Enable
Release Information This command was introduced as follows:
- CM Series: Command deprecated before Release 7.5
- NX Series: Before Release 7.5
- AX Series: Before Release 7.5
- FX Series: Before Release 7.5
Related Commands For a list of related commands, see Events Database Configuration Commands on page 89.
show fenet To display the Dynamic Threat Intelligence (DTI) network information, use the show fenet command in standard mode. The show fenet guest-images command was removed from the CM Series platform in Release 7.5.0. To view the guest images stored in the CM Series DTI cache, use the show fenet dti proxy cached-content command. For information about how the guest images are downloaded to the cache, see the CM Series Administration Guide. (The show fenet guest-images command is still available on the CM Series platform when it is not connected to the DTI network and instead uses the DTI Offline Portal to obtain guest images.)
Syntax show fenet [appliance | dti configuration | guest-images | image | license | metadata | security-content | stats-content | status]
User Role Administrator, Monitor, or Operator
Release Information Command introduced before Release 7.6.0.
Parameters Each parameter is described as a separate show fenet command. For example, show fenet dti, show fenet image, and so on.
Example The following example displays DTI server information for the appliance.

hostname > show fenet
DTI CLIENT CONFIGURATION:
Download source     : CDN ([email protected])
Upload destination  : DTI ([email protected])
Update channel      : devel
Http proxy          : None
Connect timeout     : 30 (max tries: 0)
Speed Time          : 60
Max Time            : 14400
Rate Limit          : None
Lockdown enabled    : No
SSL minimum version : tls1
SSL cipher list     : fips
show fenet appliance To display the latest appliance status, use the show fenet appliance command in enable mode.
Syntax show fenet appliance appliance_id_string status
User Role Administrator, Monitor, or Operator
Release Information Command introduced in Release 7.6.0.
Parameters appliance_id_string Hostname or IP address of appliance.
Example The following example displays the latest appliance status:

hostname # show fenet appliance 1CM4400 status
Currently no upgrade is in progress.
Currently no upgrade in progress.
show fenet dti cache populate guest-images status Shows the status of guest images downloads to the DTI cache on the CM Series platform.
Syntax show fenet dti cache populate guest-images status
Parameters None
Output Fields The following table describes the output fields for this command.

Field               Description
Active Download ID  An internal download identifier.
Start Time          The time the download began.
Elapsed Time        The number of seconds since the download began.
Download Tasks      Each guest-images profile being downloaded, listed as a separate task. This field also includes the progress of each download (shown as a percentage of the total download time), and the current status of the download.
Examples The following example shows the progress of an NX Series guest images download to the DTI cache.

hostname > show fenet dti cache populate guest-images status
Active Download ID: grgf
Start Time: 2015/10/07 20:24:17.701
Elapsed Time: 13 sec
==============================================================
Download Tasks
==============================================================
Downloading Guest-Image Profile (Full-Image) winxp-sp3 for NX-01
Progress: 4.97%
Status: running
Downloading Guest Image-Profile (Full-Image) win7-sp1 for NX-01
Progress: -
Status: not started
Downloading Guest-Image Profile (Full-Image) win7x64-sp1 for NX-01
Progress:
Status: not started

hostname > show fenet dti cache populate guest-images status
Active Download ID: grgf
Start Time: 2015/10/07 20:24:17.701
Elapsed Time: 218 sec
==============================================================
Download Tasks
==============================================================
Downloading Guest-Image Profile (Full-Image) winxp-sp3 for NX-01
Progress: 100.00%
Status: success
Downloading Guest-Image Profile (Full-Image) win7-sp1 for NX-01
Progress: 14.62%
Status: running
Downloading Guest-Image Profile (Full-Image) win7x64-sp1 for NX-01
Progress:
Status: not started

The following example shows the output of the command when no guest images are being downloaded to the DTI cache.

hostname > show fenet dti cache populate guest-images status
No cache population task running. Please check if the content is already cached by running 'show fenet dti proxy cached-content'.
hostname >
User Role Admin, Operator, or Monitor
Command Mode Standard
Release Information This command was introduced as follows: CM Series: Release 7.7
Related Commands For a list of related commands, see: DTI Cache Proxy Command Family on page 79.
show fenet dti cache populate images status Shows the status of system image downloads to the DTI cache on the CM Series platform.
Syntax show fenet dti cache populate images status
Parameters None
Output Fields The following table describes the output fields for this command.

Field               Description
Active Download ID  An internal download identifier.
Start Time          The time the download began.
Elapsed Time        The number of seconds since the download began.
Download Tasks      Each system image being downloaded, listed as a separate task. This field also includes the progress of each download (shown as a percentage of the total download time), and the current status of the download.
Examples The following example shows the progress of an NX Series system image download to the DTI cache.

hostname > show fenet dti cache populate images status
Active Download ID: v54n
Start Time: 2015/10/08 00:57:36.139
Elapsed Time: 12 sec
==============================================================
Download Tasks
==============================================================
Downloading the 7.7.0 image for wMPS
Progress: 59.00 %
Status: running

hostname > show fenet dti cache populate images status
Active Download ID: v54n
Start Time: 2015/10/08 00:57:36:139
Elapsed Time: 20 sec
==============================================================
Download Tasks
==============================================================
Downloading the 7.7.0 image for wMPS
Progress: 100 %
Status: success

The following example shows the output of the command when no images are being downloaded to the DTI cache.

hostname > show fenet dti cache populate images status
No cache population task running. Please check if the content are already cached by running 'show fenet dti proxy cached-content'.
hostname >
User Role Admin, Operator, or Monitor
Command Mode Standard
Release Information This command was introduced as follows: CM Series: Release 7.7
Related Commands For a list of related commands, see: DTI Cache Proxy Command Family on page 79.
show fenet dti proxy cached-content Displays the size, type, and name of each file in the DTI cache on the CM Series platform.
Syntax show fenet dti proxy cached-content
Parameters None
Output Fields The following table describes the output fields for this command.

Field  Description
Size   The size of the guest image, system image, or security content, in bytes.
Type   The type of content:
       SysImage—Appliance system image
       GI—Guest image
       GI-Delta—A file containing the changes between the cached guest image and the latest version. If a suitable delta image is available, the delta is downloaded instead of the full guest image.
       GI-Metadata—A list of the names and versions of the guest images that are available for the managed appliances.
       SC-Full—Security content
       SC-Delta—A file containing the changes between the cached security content and the latest version. (Because security content is updated every hour, by default, this file is automatically removed from the cache when it becomes stale.)
File   The name of the guest image, system image, or security content file. For example, image-emps_7.6.2.img, win7-sp1.15.086.img, sc-stable_114.150.img.
Example The following example displays the files in the DTI cache.

cm-02 > show fenet dti proxy cached-content
Size         Type      File
=================================================
931798       SC-Full   sc-stable_114.150.img
294514420    SC-Full   sc-stable_409.198.img
12357897831  GI        win7-sp1.15.0826.img
931626       SC-Full   sc-stable_114.149.img
6314243531   GI        winxp-sp3.15.0826.img
586688050    SysImage  image-hx_3.0.0.img
294476781    SC-Full   sc-stable_409.194.img
602473341    SysImage  image-fmps_7.7.0.img
12783320704  GI        win7x64-sp1.15.0826.img
627703972    SysImage  image-emps_7.7.0.img
User Role Admin or Operator
Command Mode Standard
Release Information This command was introduced as follows: CM Series: Release 7.7
Related Commands For a list of related commands, see: DTI Cache Proxy Command Family on page 79.
show fenet dti proxy cached-content freshness-info Displays the size, type, name, and age information for the files in the DTI cache on the CM Series platform.
Syntax show fenet dti proxy cached-content freshness-info
Parameters None
Output Fields The following table describes the output fields for this command.

Field                   Description
Size                    The size of the guest image, system image, or security content, in bytes.
Type                    The type of content:
                        SysImage—Appliance system image
                        GI—Guest image
                        GI-Delta—A file containing the changes between the cached guest image and the latest version. If a suitable delta image is available, the delta is downloaded instead of the full guest image.
                        GI-Metadata—A list of the names and versions of the guest images that are available for the managed appliances.
                        SC-Full—Security content
                        SC-Delta—A file containing the changes between the cached security content and the latest version. (Because security content is updated every hour, by default, this file is automatically removed from the cache when it becomes stale.)
Etag                    An internal identifier.
Last Modification Time  The date and time the file finished downloading from the DTI network to the cache.
Max-Age                 The amount of time the content is in the cache before it is marked stale. System images and guest images become stale after 7776000 seconds (3 months). Security content becomes stale after 10800 seconds (3 hours).
State                   Fresh or Stale. If a system image or guest image has been in the cache longer than three months, or if security content has been in the cache longer than three hours, it is marked stale. Otherwise, it is marked fresh. NOTE: If a system image or guest image is the latest available version, but is older than three months, it is still marked stale.
File                    The name of the guest image, system image, or security content file. For example, image-emps_7.6.2.img, win7-sp1.15.086.img, sc-stable_114.150.img.
Example The following example displays the files in the DTI cache, including age information. (The values in the Etag and File columns shown in this example have been shortened.)

cm-02 > show fenet dti proxy cached-content freshness-info
Size         Type      Etag    Last Modification Time    Max-Age  State  File
===================================================================================
93179        SC-Full   "6xxx"  Wed Oct 7 21:53:15 2015   10800    Fresh  sc-xxx.img
29451442     SC-Full   "6xxx"  Wed Oct 7 22:22:28 2015   10800    Fresh  sc-xxx.img
12357897831  GI        "4xxx"  Wed Oct 7 20:31:20 2015   7776000  Fresh  win7xx.img
931626       SC-Full   "6xxx"  Wed Oct 7 20:57:15 2015   10800    Fresh  sc-xxx.img
6314243531   GI        "4xxx"  Wed Oct 7 20:27:22 2015   7776000  Fresh  winxp.xx.img
586688050    SysImage  "6xxx"  Wed Oct 7 20:27:55 2015   7776000  Fresh  image-hx_n.img
294476781    SC-Full   "6xxx"  Wed Oct 7 20:22:20 2015   10800    Fresh  sc-xxx.img
602473341    SysImage  "6xxx"  Wed Oct 7 20:24:25 2015   7760000  Fresh  image-fmps_n.img
12783320704  GI        "4xxx"  Wed Oct 7 20:34:52 2015   7776000  Fresh  win7x64.xx.img
627703972    SysImage  "6xxx"  Wed Oct 7 20:21:02 2015   7776000  Fresh  image-emps_n.img
User Role Admin or Operator
Command Mode Standard
Release Information This command was introduced as follows: CM Series: Release 7.7
Related Commands For a list of related commands, see: DTI Cache Proxy Command Family on page 79.
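The Fresh/Stale rule above (Last Modification Time plus Max-Age, with 7776000 seconds for images and 10800 seconds for security content) can be re-applied to a captured listing at review time. The following Python script is an added example, not part of this guide: it parses freshness-info rows, recomputes the state as of a chosen review time, and flags rows whose Max-Age differs from the documented thresholds; the rows and the review time are constructed, and the timestamps are treated as naive local time because the output carries no zone.

```python
"""Audit a captured `show fenet dti proxy cached-content freshness-info`
listing from a CM Series appliance: parse each row, recompute Fresh/Stale
from Last Modification Time + Max-Age as of a review time, and flag rows
whose Max-Age differs from the documented thresholds.

Added example, not part of the FireEye CLI Reference Guide.  SAMPLE_OUTPUT
is constructed in the shape of the guide's example; timestamps are treated
as naive local time (assumption: the output prints no time zone)."""
import re
from collections import namedtuple
from datetime import datetime

# Thresholds documented for this command: images 3 months, security content 3 hours.
DOCUMENTED_MAX_AGE = {"SysImage": 7776000, "GI": 7776000,
                      "SC-Full": 10800, "SC-Delta": 10800}

CacheEntry = namedtuple("CacheEntry", "size type etag mtime max_age state file")

# One data row: size, type, quoted Etag, ctime-style timestamp, Max-Age, State, File.
ROW = re.compile(
    r'^(?P<size>\d+)\s+(?P<type>\S+)\s+"(?P<etag>[^"]*)"\s+'
    r'(?P<mtime>\w{3} \w{3}\s+\d{1,2} \d\d:\d\d:\d\d \d{4})\s+'
    r'(?P<max_age>\d+)\s+(?P<state>Fresh|Stale)\s+(?P<file>\S+)$')

SAMPLE_OUTPUT = """\
cm-02 > show fenet dti proxy cached-content freshness-info
Size         Type      Etag   Last Modification Time    Max-Age  State  File
============================================================================
931798       SC-Full   "6a1"  Wed Oct  7 21:53:15 2015  10800    Fresh  sc-stable_114.150.img
294156637    SC-Full   "6b2"  Wed Oct  7 17:10:02 2015  10800    Stale  sc-stable_409.186.img
294415556    SC-Full   "6e5"  Wed Oct  7 19:30:00 2015  10800    Fresh  sc-stable_409.190.img
12357897831  GI        "4c3"  Wed Oct  7 20:31:20 2015  7776000  Fresh  win7-sp1.15.0826.img
602473341    SysImage  "6d4"  Wed Oct  7 20:24:25 2015  7760000  Fresh  image-fmps_7.7.0.img
"""

# Constructed review time: about an hour after the listing was captured.
REVIEW_TIME = datetime(2015, 10, 7, 23, 0, 0)


def parse_freshness_table(text):
    """Return a CacheEntry per data row; prompt, header and '=' rule are skipped."""
    entries = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        entries.append(CacheEntry(
            size=int(m["size"]), type=m["type"], etag=m["etag"],
            mtime=datetime.strptime(m["mtime"], "%a %b %d %H:%M:%S %Y"),
            max_age=int(m["max_age"]), state=m["state"], file=m["file"]))
    return entries


def state_at(entry, now):
    """The documented rule: stale once the file has been in the cache longer
    than its Max-Age, even if it is still the latest available version."""
    age = (now - entry.mtime).total_seconds()
    return "Stale" if age > entry.max_age else "Fresh"


def audit(entries, now):
    """Files that are stale as of `now`, those reported Fresh at capture time
    but stale now, and rows whose Max-Age is not the documented value."""
    report = {"stale_now": [], "went_stale_since_capture": [], "max_age_mismatch": []}
    for e in entries:
        if state_at(e, now) == "Stale":
            report["stale_now"].append(e.file)
            if e.state == "Fresh":
                report["went_stale_since_capture"].append(e.file)
        documented = DOCUMENTED_MAX_AGE.get(e.type)
        if documented is not None and e.max_age != documented:
            report["max_age_mismatch"].append((e.file, e.max_age, documented))
    return report


def run_sample():
    """Audit the constructed listing as of REVIEW_TIME."""
    return audit(parse_freshness_table(SAMPLE_OUTPUT), REVIEW_TIME)
```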
show fenet dti proxy cached-content show-stale Displays the size, type, and name of the files in the DTI cache on the CM Series platform, and shows whether they are fresh or stale.
Syntax show fenet dti proxy cached-content show-stale
Parameters None
Output Fields The following table describes the output fields for this command.

Field  Description
Size   The size of the guest image, system image, or security content, in bytes.
Type   The type of content:
       SysImage—Appliance system image
       GI—Guest image
       GI-Delta—A file containing the changes between the cached guest image and the latest version. If a suitable delta image is available, the delta is downloaded instead of the full guest image.
       GI-Metadata—A list of the names and versions of the guest images that are available for the managed appliances.
       SC-Full—Security content
       SC-Delta—A file containing the changes between the cached security content and the latest version. (Because security content is updated every hour, by default, this file is automatically removed from the cache when it becomes stale.)
State  Fresh or Stale. If a system image or guest image has been in the cache longer than three months, or if security content has been in the cache longer than three hours, it is marked stale. Otherwise, it is marked fresh. NOTE: If a system image or guest image is the latest available version, but is older than three months, it is still marked stale.
File   The name of the guest image, system image, or security content file. For example, image-emps_7.6.2.img, win7-sp1.15.086.img, sc-stable_114.150.img.
Example The following example displays the files in the DTI cache, including their state.

cm-02 > show fenet dti proxy cached-content show-stale
Size         Type      State  File
==========================================================
931798       SC-Full   Fresh  sc-stable_114.150.img
294514420    SC-Full   Fresh  sc-stable_409.198.img
12357897831  GI        Fresh  win7-sp1.15.0826.img
931626       SC-Full   Fresh  sc-stable_114.149.img
294156637    SC-Full   Stale  sc-stable_409.186.img
6314243531   GI        Fresh  winxp-sp3.15.0826.img
586688050    SysImage  Fresh  image-hx_3.0.0.img
294415556    SC-Full   Stale  sc-stable_409.190.img
294476781    SC-Full   Fresh  sc-stable_409.194.img
602473341    SysImage  Fresh  image-fmps_7.7.0.img
12783320704  GI        Fresh  win7x64-sp1.15.0826.img
627703972    SysImage  Fresh  image-emps_7.7.0.img
User Role Admin or Operator
Command Mode Standard
Release Information This command was introduced as follows: CM Series: Release 7.7
Related Commands For a list of related commands, see: DTI Cache Proxy Command Family on page 79.
show fenet dti proxy cached-content version Displays the size and type of the files in the DTI cache on the CM Series platform, and shows their version.
Syntax show fenet dti proxy cached-content version
Parameters None
Output Fields The following table describes the output fields for this command.

Field         Description
Size          The size of the guest image, system image, or security content, in bytes.
Type          The type of content:
              SysImage—Appliance system image
              GI—Guest image
              GI-Delta—A file containing the changes between the cached guest image and the latest version. If a suitable delta image is available, the delta is downloaded instead of the full guest image.
              GI-Metadata—A list of the names and versions of the guest images that are available for the managed appliances.
              SC-Full—Security content
              SC-Delta—A file containing the changes between the cached security content and the latest version. (Because security content is updated every hour, by default, this file is automatically removed from the cache when it becomes stale.)
File Details  The version of the guest image, system image, or security content file. For example, win7-sp1.15.0826, hx: 3.0.0, fmps: 7.7.0, stable: 409.194.
Example The following example displays the files in the DTI cache, including their version.

cm-02 > show fenet dti proxy cached-content version
Size         Type      File Details
=============================================
931798       SC-Full   stable: 114.150
294514420    SC-Full   stable: 409.198
12357897831  GI        win7-sp1: 15.0826
931626       SC-Full   stable: 114:149
6314243531   GI        winxp-sp3: 15.0826
586688050    SysImage  hx: 3.0.0
294476781    SC-Full   stable: 409.194
602473341    SysImage  fmps: 7.7.0
12783320704  GI        win7x64-sp1: 15.0826
627703972    SysImage  emps: 7.7.0
User Role Admin or Operator
Command Mode Configuration
Release Information This command was introduced as follows: CM Series: Release 7.7
Related Commands For a list of related commands, see: DTI Cache Proxy Command Family on page 79.
show fenet dti proxy configuration
Shows basic configuration settings for the DTI cache on the CM Series platform. These configuration settings should be changed only under the guidance of FireEye Technical Support.
Syntax show fenet dti proxy configuration
Parameters None
Output Fields The following table describes the output fields for this command.

DTI Proxy Cache State: Whether the cache proxy is running.

Listening Port: The port the cache proxy listens to for incoming requests from the CM Series platform.

Cache Size: The size of the DTI cache, in megabytes.

Maximum Cache-able Object Size: The maximum size for a file in the DTI cache, in bytes.

Minimum Cache-able Object Size: The minimum size for a file in the DTI cache, in bytes.
Example The following example shows basic DTI cache configuration.

cm-02 > show fenet dti proxy configuration
DTI Cache Proxy State: running
DTI Cache Proxy Configurations:
  Listening Port: 8443
  Cache Size: 130000 MB
  Maximum Cache-able Object Size: 26843545600 bytes
  Minimum Cache-able Object Size: 1 bytes
User Role Admin, Operator, or Monitor
Command Mode Standard
Release Information This command was introduced as follows: CM Series: Release 7.7
Related Commands For a list of related commands, see: DTI Cache Proxy Command Family on page 79.
show fenet dti proxy configuration all
Shows full configuration settings for the DTI cache on the CM Series platform. With the exception of the Auto-Purge Cached Security-Content Deltas setting, these configuration settings should be changed only under the guidance of FireEye Technical Support.
Syntax show fenet dti proxy configuration all
Parameters None
Output Fields The following table describes the output fields for this command.

DTI Proxy Cache State: Whether the cache proxy is running.

Listening Port: The port the cache proxy listens to for incoming requests from the CM Series platform.

Cache Size: The size of the DTI cache, in megabytes.

Maximum Cache-able Object Size: The maximum size for a file in the DTI cache, in bytes.

Minimum Cache-able Object Size: The minimum size for a file in the DTI cache, in bytes.

CDN Server: The DTI source server from which the cache proxy requests software updates.

Auto-Purge Cached Security-Content Deltas: Whether stale security content should be automatically removed from the DTI cache. This setting is enabled by default, but can be disabled using the no fenet dti proxy cache purge auto command.

Terminate Connection on SSL error: Whether the connection with the DTI source server should be terminated if the cache proxy encounters an SSL error while sending a request for software updates through the network to the DTI server.

Debug Options: The logging levels for the cache proxy, and the verbosity of the log messages (where 1 is the least verbose and 9 is the most verbose).

URL Query String Logging: Whether queries are used to filter the messages in the cache proxy log.
Example The following example shows full DTI cache configuration.

cm-02 > show fenet dti proxy configuration
DTI Cache Proxy State: running
DTI Cache Proxy Configurations:
  Listening Port: 8443
  Cache Size: 130000 MB
  Maximum Cache-able Object Size: 26843545600 bytes
  Minimum Cache-able Object Size: 1 bytes
Additional Configurations:
  CDN Server: download.fireeye.com
  Auto-Purge Cached Security-Content Deltas: yes
  Terminate Connection on SSL error: yes
  Debug Options: ALL,1
  URL Query String Logging: no
User Role Admin, Operator, or Monitor
Command Mode Standard
Release Information This command was introduced as follows: CM Series: Release 7.7
Related Commands For a list of related commands, see: DTI Cache Proxy Command Family on page 79.
show fenet dti configuration
To view information about active and available DTI servers, use the show fenet dti configuration command in standard mode.
Syntax show fenet dti configuration
User Role Monitor, Operator, or Admin role
Release Information This command was introduced as follows:
  • NX Series: Release 7.5.0
  • CM Series: Release 7.5.0
  • EX Series: Release 7.6.0
  • AX Series: Release 7.7.0
  • FX Series: Release 7.7.0
Description The DTI source from which software updates (such as guest images, security content, and appliance images) are downloaded can be changed using the fenet dti source command. This command displays the current DTI sources and the other sources that can be configured. Although the command output also includes DTI upload server, Malware Intelligence Lab (MIL) server, and Advanced URL Detection (FAUDE) server information (the last for EX Series appliances running Release 7.8.0 or later), only download servers can be configured. For more information, see the "DTI Network" chapter of your System Administration Guide or Administration Guide.

By default, appliances and the CM Series platform communicate over an SSH port for management traffic and an HTTPS port for DTI network traffic. To simplify firewall rules and Network Address Translation (NAT) mapping, you can enable single-port communication on the appliance; in this configuration, all traffic goes through the SSH port. When this feature is enabled, the active settings in the command output include "singleport". For more information, see the "CM Series Integration" chapter of the System Administration Guide.
Parameters None
Examples This example shows the DTI servers for a CM Series platform and its managed appliances. The Faude service setting is displayed in this example because the CM Series platform manages an EX Series appliance running Release 7.8.0.

hostname # show fenet dti configuration
DTI CLIENT CONFIGURATIONS:
ACTIVE SETTINGS:
  Mode:              : online
  Download source:   : CDN ([email protected])
  Upload destination : DTI ([email protected])
  Mil service:       : DTI ([email protected])
  Faude service      : DTI ([email protected])
ACTIVE SETTINGS FOR MANAGED APPLIANCES:
  Download source    : CMS
  Upload destination : CMS
  Mil service        : CMS
  Faude service      : CMS
AVAILABLE OPTIONS:
---------------------------------------------------------------
Download  User     Address
---------------------------------------------------------------
CDN       DTIUser  cloud.fireeye.com
CMS       DTIUser  10.2.0.0
DTI       DTIUser  staticcloud.fireeye.com
---------------------------------------------------------------
Upload    User     Address
---------------------------------------------------------------
CMS       DTIUser  10.2.0.0
DTI       DTIUser  up-staticcloud.fireeye.com
---------------------------------------------------------------
MIL       User     Address
---------------------------------------------------------------
CMS       DTIUser  10.2.0.0
DTI       DTIUser  mil-staticcloud.fireeye.com
---------------------------------------------------------------
FAUDE     User     Address
---------------------------------------------------------------
CMS       DTIUser  10.2.0.0
DTI       DTIUser  faude.fireeye.com
This example shows the DTI servers for a managed appliance on which single-port communication is enabled.
hostname # show fenet dti configuration
DTI CLIENT CONFIGURATIONS:
ACTIVE SETTINGS:
  Mode:              : online
  Download source:   : CMS ([email protected] : singleport) - Managed by CMS
  Upload destination : CMS ([email protected] : singleport) - Managed by CMS
  Mil service:       : CMS ([email protected] : singleport) - Managed by CMS
AVAILABLE OPTIONS:
---------------------------------------------------------------
Download  User     Address
---------------------------------------------------------------
CDN       DTIUser  cloud.fireeye.com
CMS       DTIUser  10.2.0.0
DTI       DTIUser  staticcloud.fireeye.com
---------------------------------------------------------------
Upload    User     Address
---------------------------------------------------------------
CMS       DTIUser  10.2.0.0
DTI       DTIUser  up-staticcloud.fireeye.com
---------------------------------------------------------------
MIL       User     Address
---------------------------------------------------------------
CMS       DTIUser  10.2.0.0
DTI       DTIUser  mil-staticcloud.fireeye.com
show fenet guest-images status
Description Displays Dynamic Threat Intelligence (DTI) network (also referred to as MPC) settings for Guest Images downloads as well as automatic settings, schedules, and email notifications.
Syntax show fenet guest-images status
Parameters None
Example The following example displays Guest Images status information.

hostname (config) # show fenet guest-images status
DTI Guest-images Server Settings:
  Dynamic Threat Intelligence Service
    Update source :
    Enabled       : yes
    Address       : fenet1.fireeye.com
    Username      : engtest
  Guest-images Automatic actions
    Action        : update
    Email Notify  : no
    Scheduled     : daily at 00:00
show fenet hx-agent image available
Lists supported operating systems, FireEye Endpoint Agent versions, and the content IDs associated with each available agent image.
Syntax show fenet hx-agent image available
Parameters None
Example The following example shows the output produced by the show fenet hx-agent image available command:

hostname (config) # show fenet hx-agent image available
Installed HX Image: 3.1.0.443228
HX Agent Available on DTI:
OS_TYPE  VERSION  CONTENT_ID
win      11.7.10  IMAGE_HX_AGENT_WIN_11.7.10
win      11.8.5   IMAGE_HX_AGENT_WIN_11.8.5
win      11.9.7   IMAGE_HX_AGENT_WIN_11.9.7
win      11.11.7  IMAGE_HX_AGENT_WIN_11.11.7
win      20.40.0  IMAGE_HX_AGENT_WIN_20.40.0
win      20.40.1  IMAGE_HX_AGENT_WIN_20.40.1
win      21.23.0  IMAGE_HX_AGENT_WIN_21.23.0
HX Agent Fetched from DTI:
OS_TYPE  VERSION  CONTENT_ID
HX Agent Hosted Locally:
OS_TYPE  VERSION  CONTENT_ID
User Role Admin or fe_services
Command Mode Configuration
Release Information This command was introduced as follows:
  • HX Series: Release 2.6
Related Commands
  • fenet hx-agent autoupdate enable
  • fenet hx-agent image apply
  • fenet hx-agent image check
  • fenet hx-agent image fetch
  • fenet hx-agent metadata refresh
show fenet image
Description Displays information about the FireEye Dynamic Threat Intelligence (DTI) network (also referred to as the MPC) system image.
Syntax show fenet image configuration status show fenet image list show fenet image status show fenet image version
Parameters
configuration status: Displays system image information.
list: Displays a list of available images.
status: Displays the latest image activity.
version: Displays the system image version.

Example The following example displays the system image version.

hostname (config) # show fenet image version
5.1.0.xxxxx
show fenet key
Description Displays Dynamic Threat Intelligence (DTI) network (also referred to as the MPC) security key information.
Syntax show fenet key {public | status | with-signature}
Parameters
public: Displays the appliance's public key as text.
status: Displays the latest key activity.
with-signature: Displays signature information.

Example The following example displays the latest security key activity.

hostname (config) # show fenet key status
Progress of latest action taken:
action showPublicKey initiated Thu Apr 4 09:38:14 2013
exporting appliance key done
action showPublicKey completed Thu Apr 4 09:38:14 2013
appliance key fingerprint not available
status
show fenet license
Displays information about the license update service and activity.
Syntax show fenet license
Parameters None
Example The following example displays the current status of the license update service and activity.

hostname # show fenet license
fenet License Update Service
Licensing service: Administratively enabled
Last time licensing service was contacted: 2014/08/11 10:50:04
Last time licensing service was contacted successfully: 2014/08/11 10:50:04
Last time keys from licensing service were applied: 2014/08/07 17:50:03
User Role Administrator, Monitor, or Operator
Command Mode Enable
Release Information This command was introduced as follows:
  • AX Series: Release 7.4.0
  • CM Series: Release 7.4.0
  • NX Series: Release 7.5.0
  • FX Series: Release 7.5.0
  • EX Series: Release 7.6.0
Related Commands For a list of related commands, see License Management Command Family on page 103.
show fenet metadata status
To display the Dynamic Threat Intelligence (DTI) network status, use the show fenet metadata status command in standard mode.
Syntax show fenet metadata status
User Role Administrator, Monitor, or Operator
Release Information Command introduced in Release 7.6.0.
Parameters None
Example The following example displays DTI network status:

hostname > show fenet metadata status
MPC Metadata Information:
  Installed Image Version: 7.6.0
  Latest Image Version:    7.6.0
  Latest Installed:        yes
  Supported Upgrades:
    Version   Revision   Size
    7.6.0     346934     578328059
Product Versions:
  Product: emps (Latest Version: 7.6.0)
    Version   Revision   Size
    6.3.0     134103     497348289
    6.3.1     146827     498274385
    6.3.2     162029     498306952
    6.5.0     182560     524079218
    6.5.1     222846     525019252
    7.1.0     180577     524070965
    7.1.1     203808     525394031
    7.1.2     264486     523902479
    7.1.3     275126     523966652
    7.1.4     281642     524050887
    7.1.5     327551     524106186
    7.5.0     304125     559324901
    7.5.90    340488     563629628
    7.6.0     345975     600616184
  Product: fmps (Latest Version: 7.5.90)
    Version   Revision   Size
    6.4.1     166850     564583752
    7.1.0     222864     532985025
    7.5.0     278696     551824870
    7.5.90    340496     559701506
  Product: hx (Latest Version: 2.6.0)
    Version   Revision   Size
    2.5.0     297065     510940339
    2.5.3     313851     510944445
    2.6.0     346268     561689825
  Product: msm (Latest Version: 2.1.0)
    Version   Revision   Size
    1.1.0     203781     833924490
    1.6.0     226647     833983269
    1.7.0     250906     844008498
    2.0.0     265127     844092010
    2.1.0     297152     763795861
  Product: mcloud (Latest Version: 2.0.1)
    Version   Revision   Size
    1.0.0     267426     666677810
    1.1.0     268181     666679888
    1.2.0     289307     667091609
    1.2.1     289307     667087157
    2.0.0     324859     607827597
    2.0.1     347402     565209140
  Product: mas (Latest Version: 7.5.90)
    Version   Revision   Size
    7.1.0     207258     541682727
    7.4.0     253235     582994457
    7.4.1     268147     588074159
    7.4.2     278590     586063582
    7.5.0     286325     563229219
    7.5.90    340493     575217213
  Product: maas (Latest Version: 1.0.0)
    Version   Revision   Size
    1.0.0     141119     923551131
  Product: wmps (Latest Version: 7.5.90)
    Version   Revision   Size
    7.4.0     254758     671635919
    7.4.2     286857     674449777
    7.5.0     309665     592428233
    7.5.1     318703     592928676
    7.5.2     346605     594581035
    7.5.90    340446     599276801
show fenet security-content
Description Displays the configuration, status, and version of FireEye security content installed on the appliance.
Syntax show fenet security-content {auto-gen status | status [progress] | version}
Parameters
auto-gen status: Displays security content auto-generation configuration.
status [progress]: Displays status information about the security content on the appliance. Add the progress option to display the progress of the latest action taken.
version: Displays the version number of the security content on the appliance.
Example The following example displays the security status for the FireEye network.

hostname (config) # show fenet security-content status
DTI Security Content Status Information:
  Dynamic Threat Intelligence Service
    Update source       :
    Update channel      : devel
    Enabled             : yes
    Address             : fenet1.fireeye.com
    Username            : engtest
    SC acceptance level : long_beta
    SC type connected   : yes
  Online Analysis Service:
    Service available   : yes
    AV-suite enabled    : yes
  Local Security Content Auto-Generate:
    Enabled             : yes
    Infections enable   : yes
    Callbacks enabled   : yes
  Security Content Autoupdate
    Enabled             : yes
    Action              : update with upload
    Notify (uploads)    : no
    Notify (downloads)  : no
    Scheduled           : daily at 11:14
  Security Content Uploads
    Enabled             : yes
    Last Uploaded At    : 2014/02/21 12:46:29
    Status              : apply-info: Uploaded new security contents successfully
  Security Content Updates
    Enabled             : yes
    Last Checked At     : 2014/02/21 12:46:01
    Last Applied At     : 2014/02/21 12:46:01
    Status              : apply-done: Updates installed successfully
  Security Content Version: 323-lb.147
show fenet security-content status
Displays the status of the security content on the appliance. To view the status information of the latest action taken, use the show fenet security-content status progress sub-command.
Syntax show fenet security-content status
Parameters None
Example The following example displays the security status for the FireEye network.

hostname (config) # show fenet security-content status
DTI Security Content Status Information:
  Dynamic Threat Intelligence Service
    Update source       :
    Update channel      : devel
    Enabled             : yes
    Address             : fenet1.fireeye.com
    Username            : engtest
    SC acceptance level : long_beta
    SC type connected   : yes
  Online Analysis Service:
    Service available   : yes
    AV-suite enabled    : yes
  Local Security Content Auto-Generate:
    Enabled             : yes
    Infections enable   : yes
    Callbacks enabled   : yes
  Security Content Autoupdate
    Enabled             : yes
    Action              : update with upload
    Notify (uploads)    : no
    Notify (downloads)  : no
    Scheduled           : daily at 11:14
  Security Content Uploads
    Enabled             : yes
    Last Uploaded At    : 2014/02/21 12:46:29
    Status              : apply-info: Uploaded new security contents successfully
  Security Content Updates
    Enabled             : yes
    Last Checked At     : 2014/02/21 12:46:01
    Last Applied At     : 2014/02/21 12:46:01
    Status              : apply-done: Updates installed successfully
  Security Content Version: 389.148
User Role admin, analyst, monitor, and operator
Command Mode Enable and Configuration
Release Information This command was introduced as follows:
  • AX Series: Before Release 6.4
  • CM Series: Before Release 6.4
  • EX Series: Before Release 6.4
  • FX Series: Before Release 6.4
  • NX Series: Before Release 6.4
show fenet stats-content
Description Displays current statistics content configuration and status information.
Syntax show fenet stats-content {aggregator aggname | status}
Parameters
aggregator aggname: Available aggregators:
  • db-aggr
  • dmesg-aggr
  • feusage-aggr
  • jconf-aggr
  • jlog-aggr
  • jpri-aggr
  • jstats-aggr
  • malware-aggr
  • pcaf-rtstats-aggr
  • pcaps-aggr
  • perfstats-aggr
  • rt-stats-aggr
  • sysconf-aggr
  • syslog-aggr
  • techinfo-aggr
  • wuilog-aggr
status: Displays status.
Example The following example shows the status content for the db-aggr aggregator.

hostname (config) # show fenet stats-content aggregator db-aggr
db-aggr aggregates new database entries since last run. it includes the following tables:
events
incidents
cnc_services
cnc_services_events
jurls
os_changes
show fenet status
Description Displays the status of the Dynamic Threat Intelligence (DTI) network (also referred to as the MPC).
Syntax show fenet status
Parameters None
Example The following example displays status information for the DTI network.

hostname (config) # show fenet status
Dynamic Threat Intelligence Service:
  Update source :
    Enabled     : yes
    Address     : fenet1.fireeye.com
    Username    : engtest
HTTP Proxy:
  Address       :
  Username      :
  User-agent    :
Request Session:
  Timeout       : 30
  Retries       : 3
  Speed Time    : 60
  Max Time      : 14400
  Rate Limit    :
Dynamic Threat Intelligence Lockdown:
  Enabled       : no
  Locked        : no
  Lock After    : 5 failed attempts

UPDATES             Enabled  Notify  Scheduled  Last Updated At
-------             -------  ------  ---------  ---------------
Security contents:  yes      no      hourly     1970/01/01 00:00:00
Stats contents   :  yes              none       1990/01/01 00:00:00
show fenet update config
Shows the default upgrade settings.
Syntax show fenet update config
Parameters None
Output Fields The following table describes the output fields for this command.

Task: Upgrade task

Timeout: Time in seconds before the task quits

Max retry: Maximum number of times a task is retried

Parallel exec: Whether this task will execute in parallel
Examples The following example shows the default upgrade settings for an appliance:

hostname > show fenet update config
Update Config:
  Task: gi-check
    Timeout: 60
    Max retry: 0
    Parallel exec: no
  Task: gi-download
    Timeout: 86400
    Max retry: 2
    Parallel exec: no
  Task: gi-install
    Timeout: 600
    Max retry: 2
    Parallel exec: no
  Task: image-boot-next
    Timeout: 300
    Max retry: 2
    Parallel exec: no
  Task: image-check
    Timeout: 60
    Max retry: 2
    Parallel exec: yes
  Task: image-fetch
    Timeout: 600
    Max retry: 2
    Parallel exec: no
  Task: image-install
    Timeout: 600
    Max retry: 2
    Parallel exec: no
  Task: image-prep-reboot
    Timeout: 600
    Max retry: 2
    Parallel exec: no
  Task: image-reboot
    Timeout: 900
    Max retry: 2
    Parallel exec: no
User Role Admin, Operator, or Monitor
Command Mode Standard
Release Information This command was introduced as follows: CM Series: Release 7.9.0
Related Commands For a list of related commands, see: DTI Cache Proxy Command Family on page 79.
show fenet update operations
Shows the operations and included tasks associated with an upgrade.
Syntax show fenet update operations
Parameters None
Examples The following example shows three upgrade operations and the tasks included in them.

hostname > show fenet update operations
Update Operations:
  Operation id: 1
  Operation name: image-update
  Operation cli: fenet update cluster system-image
    Task: image-check
    Task: image-fetch
    Task: image-install
    Task: image-rename
    Task: image-boot-next
    Task: image-prep-reboot
    Task: image-reboot
  Operation id: 2
  Operation name: gi-update
  Operation cli: fenet update cluster guest-image
    Task: gi-check
    Task: gi-download
    Task: gi-install
  Operation id: 3
  Operation name: image-gi-update
  Operation cli: fenet update cluster
    Task: image-check
    Task: gi-check
    Task: image-fetch
    Task: image-install
    Task: image-rename
    ...
User Role Admin, Operator, or Monitor
Command Mode Standard
Release Information This command was introduced as follows: CM Series: Release 7.9.0
Related Commands For a list of related commands, see: DTI Cache Proxy Command Family on page 79.
show fenet update status appliance {brief | detail}
Shows the status of an appliance's upgrade.
Syntax show fenet update status appliance applianceName brief
show fenet update status appliance applianceName detail
Parameters applianceName
The name of the appliance.
Examples The following example shows the brief update status of vx-1:

hostname > show fenet update status appliance vx-1 brief
Appliance Update Status:
Name  Operation  Percent  Status
----  ---------  -------  ------
vx-1  gi-update  100.00   complete

Node  Task              Percent  Status
----  ----              -------  ------
vx-1  03/03 gi-install  100.00   complete
The following example shows the detailed update status of vx-1:

cm-1 > show fenet update status appliance vx-1 detail
Appliance Update Status:
  Appliance: vx-1
  Status: complete
  Current operation: gi-update
  Current task: gi-install
  Percent done: 100.00 %
  Percent complete: 100.00 %
  Current num nodes: 1
  Total num nodes: 1
  Version:
  Last updated at: 2016/07/07 22:18:49.335
  Last updated op: gi-update
  Start time: 2016/07/07 21:18:35.455
  End time: 2016/07/07 22:18:49.335
  Node: vx-1
    Status: complete
    Percent done: 100.00 %
    Percent complete: 100.00 %
    Task (01/03): gi-check
      Status: complete
      Percent done: 100.00 %
      Retry count: 0
      Return code: 0
      Start time: 2016/07/07 21:18:35.456
      End time: 2016/07/07 21:18:37.068
      Return message: Downloading server manifest.
    Task (02/03): gi-download
      Status: complete
      Percent done: 100.00 %
      Retry count: 0
      Return code: 0
      Start time: 2016/07/07 21:18:37.071
      End time: 2016/07/07 22:18:09.230
      Return message: The following new profiles will be downloaded:
        win7-sp1 - 16.0615
        winxp-sp3 - 16.0615
        win7x64-sp1 - 16.0615
        Downloading guest-images
        Run 'show guest-images download' to check status.
    Task (03/03): gi-install
      Status: complete
      Percent done: 100.00 %
      Retry count: 0
      Return code: 0
      Start time: 2016/07/07 22:18:09.232
      End time: 2016/07/07 22:18:49.335
      Return message: Found guest-images that can be installed
        Installing guest-images
        Terminating running workorders and virtual analysis subsystem ........
        Restarting WebUI ....
        Installation complete!
User Role Admin, Operator, or Monitor
Command Mode Standard
Release Information This command was introduced as follows: CM Series: Release 7.9.0
Related Commands For a list of related commands, see: DTI Cache Proxy Command Family on page 79.
show fenotify alerts
Available on the NX Series appliance. Displays NX alert configuration. On IPS-enabled platforms, the display of FireEye event notification alerts includes IPS events for each notification method. FireEye threat prevention platforms support notifications by sending email, posting to Web servers, logging messages to a remote syslog server, and sending SNMP traps. You can also run this command remotely from the command line of an integrated FireEye CM Series central management platform using the CMC proxying mechanism.
Syntax show fenotify alerts
Parameters None
Example The following example displays the fenotify configuration for alerts:

hostname # show fenotify alerts
FireEye Notification Enabled: yes
FireEye Alerts:          email  http  rsyslog  snmp
                         --------------------------
Global                   yes    no    no       no
                         ----   ----  ----     ----
domain-match      yes |  yes    yes   yes      yes
infection-match   yes |  yes    yes   yes      yes
ips-event         yes |  yes    yes   yes      yes
malware-callback  yes |  yes    yes   yes      yes
web-infection     yes |  yes    yes   yes      yes
Digest notification:
  Time    : 12:00
  Enabled : yes
User Role All roles. Support for notifications of IPS events on IPS-enabled platforms requires the Operator user role.
Command Mode Enable
Release Information
  • NX Series: Before Release 6.3
  • CM Series: Before Release 6.3
Related Commands For related commands, see Event Notification Commands on page 87.
show fenet update status appliance
Shows the status of an appliance's upgrade.
Syntax show fenet update status appliance applianceName
Parameters applianceName
The name of the appliance.
Examples The following example shows the status of the vx-1 upgrade:

hostname > show fenet update status appliance vx-1
Appliance Update Status:
  Appliance: vx-1
  Status: complete
  Current operation: gi-update
  Current task: gi-install
  Percent done: 100.00 %
  Start time: 2016/07/07 21:18:35.455
  End time: 2016/07/07 22:18:49.335
  Node: vx-1
    Status: complete
    Percent done: 100.00 %
    Task (01/03): gi-check
      Status: complete
      Percent done: 100.00 %
    Task (02/03): gi-download
      Status: complete
      Percent done: 100.00 %
    Task (03/03): gi-install
      Status: complete
      Percent done: 100.00 %
User Role Admin, Operator, or Monitor
Command Mode Standard
Release Information This command was introduced as follows: CM Series: Release 7.9.0
Related Commands For a list of related commands, see: DTI Cache Proxy Command Family on page 79.
show fenet update status cluster
Shows the upgrade status of a cluster.
Syntax show fenet update status cluster clusterName
Parameters clusterName
The name of the cluster.
Examples The following example shows the status of a cluster named Cluster-Acme:

hostname > show fenet update status cluster Cluster-Acme
Cluster Update Status:
  Cluster: Cluster-Acme
  Status: complete
  Current operation: image-update
  Current task: image-reboot
  Percent done: 100.00 %
  Start time: 2016/07/18 18:58:33.168
  End time: 2016/07/18 19:22:56.424
  Node: vx-2
    Status: complete
    Percent done: 100.00 %
    Task (01/07): image-check
      Status: complete
      Percent done: 100.00 %
    Task (02/07): image-fetch
      Status: complete
      Percent done: 100.00 %
    Task (03/07): image-install
      Status: complete
      Percent done: 100.00 %
    Task (04/07): image-rename
      Status: complete
      Percent done: 100.00 %
    Task (05/07): image-boot-next
      Status: complete
      Percent done: 100.00 %
    Task (06/07): image-prep-reboot
      Status: complete
      Percent done: 100.00 %
    Task (07/07): image-reboot
      Status: complete
      Percent done: 100.00 %
  Node: vx-1
    Status: complete
    Percent done: 100.00 %
    ...
User Role Admin, Operator, or Monitor
Command Mode Standard
Release Information This command was introduced as follows: CM Series: Release 7.9.0
Related Commands For a list of related commands, see: DTI Cache Proxy Command Family on page 79.
show fenet update status cluster {brief | detail}
Shows the status of a cluster's upgrade.
Syntax show fenet update status cluster clusterName brief
show fenet update status cluster clusterName detail
Parameters clusterName
The name of the cluster.
Examples The following example shows the brief status of the Cluster-Acme upgrade:

hostname > show fenet update status cluster Cluster-Acme brief
Cluster Update Status:
Name          Operation     Percent  Status
----          ---------     -------  ------
Cluster-Acme  image-update  100.00   complete

Node  Task                Percent  Status
----  ----                -------  ------
vx-2  07/07 image-reboot  100.00   complete
vx-1  07/07 image-reboot  100.00   complete
The following example shows the detailed status of the Cluster-Acme upgrade:

hostname > show fenet update status cluster Cluster-Acme detail
Cluster Update Status:
  Cluster: Cluster-Acme
  Status: complete
  Current operation: image-update
  Current task: image-reboot
  Percent done: 100.00 %
  Percent complete: 100.00 %
  Current num nodes: 2
  Total num nodes: 2
  Version:
  Last updated at: 2016/07/18 19:22:56.424
  Last updated op: image-update
  Start time: 2016/07/18 18:58:33.168
  End time: 2016/07/18 19:22:56.424
  Node: vx-2
    Status: complete
    Percent done: 100.00 %
    Percent complete: 100.00 %
    Task (01/07): image-check
      Status: complete
      Percent done: 100.00 %
      Retry count: 0
      Return code: 0
      Start time: 2016/07/18 18:58:33.174
      End time: 2016/07/18 18:58:43.331
      Return message: Operation initiated in the background. Run 'show fenet image status' for status
    Task (02/07): image-fetch
      Status: complete
      Percent done: 100.00 %
      Retry count: 0
      Return code: 0
      Start time: 2016/07/18 18:58:43.461
      End time: 2016/07/18 18:59:23.833
      Return message:
    ...
User Role Admin, Operator, or Monitor
Command Mode Standard
Release Information This command was introduced as follows: CM Series: Release 7.9.0
Related Commands For a list of related commands, see: DTI Cache Proxy Command Family on page 79.
show fenotify email Displays email notifications. This command is available for the NX, AX, and EX Series appliances. You can also run this command remotely from the command line of an integrated FireEye CM Series central management platform using the CMC proxying mechanism.
Syntax show fenotify email
Parameters None
Examples The following example displays email notification information:
hostname # show fenotify email
Notification Protocol: email
Configuration:
  Protocol Enabled: yes
  return-address: [email protected]
Alerts:
  domain-match: no
  infection-match: no
  ips-event: yes
  malware-callback: yes
  malware-object: yes
  web-infection: yes
Consumers:
User Role All roles
Command Mode Enable
Release Information
- AX Series: Before Release 6.3
- CM Series: Before Release 6.3
- EX Series: Before Release 6.3
- NX Series: Before Release 6.3
Related Commands For related commands, see Event Notification Commands on page 87.
show fenotify http Displays HTTP notifications. This command is available for the NX, AX, and EX Series appliances. You can also run this command remotely from the command line of an integrated FireEye CM Series central management platform using the CMC proxying mechanism.
Syntax show fenotify http
Parameters None
Example The following example displays HTTP notification information:
hostname # show fenotify http
Notification Protocol: http
Configuration:
  Protocol Enabled: no
  default-delivery: per-event
  default-provider: generic
  provider-generic-message-format: xml-normal
Alerts:
  domain-match: yes
  infection-match: yes
  ips-event: no
  malware-callback: yes
  malware-object: yes
  web-infection: yes
Consumers:
User Role All roles
Command Mode Enable
Release Information
- AX Series: Before Release 6.3
- CM Series: Before Release 6.3
- EX Series: Before Release 6.3
- NX Series: Before Release 6.3
Related Commands For related commands, see Event Notification Commands on page 87.
show fenotify preferences Displays whether HTTP notifications are currently sent through the FireEye network proxy server. This command also displays the IPS event notification delivery mode, the delivery option for HTTP or HTTPS notifications, and the delivery option for Rsyslog notifications. You can also run this command remotely from the command line of an integrated FireEye CM series platform using the central management platform proxying mechanism.
Syntax show fenotify preferences
Parameters None
Output Fields The following table describes the output fields for the show fenotify preferences command. Fields are listed in the approximate order in which they appear in the output.

Field Name: IPS delivery mode
Description: Delivery mode for IPS event notifications:
- instant—Send only when an IPS event is detected. This is the default value.
- confirmation—Send only when an attack has been confirmed (either positive or negative).
- dual—Send both when an IPS event is detected and when an attack has been confirmed.

Field Name: HTTP(s) notification using fenet proxy
Description: Delivery mode for event messages posted to Web servers using HTTP or HTTPS:
- yes—System sends HTTP or HTTPS event notifications using an FENET proxy.
- no—System does not send HTTP or HTTPS event notifications using an FENET proxy.
You can use the following CLI commands to configure the system to post event messages to Web servers using HTTP or HTTPS: fenet proxy auth, fenet proxy host, and fenet proxy user-agent. For more information, see the NX Series IPS Feature Guide.

Field Name: Rsyslog notification Stripping off line feedback
Description: Delivery option to strip off line feedback for event notifications sent to a remote syslog server:
- yes—System strips off line feedback. This is the default mode.
- no—System does not strip off line feedback.
You can use the following CLI commands to configure the system to send event notifications to a remote syslog server: fenotify rsyslog default, fenotify rsyslog enable, and fenotify rsyslog service. For more information, see the NX Series IPS Feature Guide.

Field Name: SIEM Riskware support
Description: Notification option:
- yes—You receive riskware-callback and riskware-object notifications.
- no—You do not receive riskware-callback and riskware-object notifications.

Field Name: Normalize IPS Event
Description: Notification data format:
- yes—Alert notifications use src/smac/sport for the network traffic source and use dst/dmac/dport as the network traffic destination.
- no—Alert notifications use src/smac/sport as the network traffic destination (victim) and use dst/dmac/dport as the network traffic source (attacker).

Field Name: Notification CPU-Sender Ratio
Description: Use the fenotify preferences sender-cpu-ratio CLI command to configure the notification CPU-sender ratio. The range of values is 1 to 1024. When the ratio is set to 1, the performance is highest, but more resources are used. When the ratio is set to 1024, the performance is lowest, but fewer resources are used.
Example The following example displays the customized notification preferences:
hostname # show fenotify preferences
Notification customized settings:
IPS delivery mode: confirmation
HTTP(s) notification using fenet proxy: yes
Rsyslog notification Stripping off line feedback: yes
Notification timeout: 600 seconds
SSL cipher list: compatible
SSL minimum protocol version: tls1
SIEM Riskware support: no
Normalize IPS Event: yes
Fetch Original Alert in Notification: no
Include OS-Changes in Normal/Extended Alert in Notification: yes
Translating Layer Severn Protocol in Alert in Notification: no
Notification CPU-Sender Ratio: 4
Maximize resource usage: no
Preserve Original Http Header Seperator: no
Alert ATI Updates: yes
CEF Compliance: yes
Mask off http AU elements: yes
User Role Administrator or Operator
Command Mode Enabled
Release Information This command was introduced before Release 7.5.0.
- NX Series: Release 7.5.0. Command output enhanced for IPS-enabled NX Series platforms to include IPS delivery mode.
Command output enhanced to include Advanced Threat Intelligence (ATI) alert updates for notifications through HTTP and email protocols in Release 7.7.0. Command output enhanced for NX and CM Series platforms to include notification data format in Release 7.8.0. Command output enhanced for NX and CM Series platforms to include SIEM riskware support in Release 7.9.1.
Related Commands For a list of related commands, see Event Notification Commands on page 87.
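The settings above are easiest to review programmatically. The following is an added example, not FireEye code: it parses the "Key: value" lines that show fenotify preferences prints (the sample is constructed from the example output in this section), flags an SSL minimum protocol version below TLS 1.2 and a disabled SIEM Riskware support option, and shows how the Normalize IPS Event setting decides which side of an IPS alert is the traffic source. The TLS_ORDER names other than tls1 are an assumption about how the CLI spells the other versions.

```python
"""Audit `show fenotify preferences` output for settings a defender should review.

Added example, not FireEye code. The parser expects the "Key: value" layout the
command prints; the sample below is constructed from the example in this guide.
"""
import re

# Constructed sample, copied from the example output shown for this command.
SAMPLE = """\
Notification customized settings:
IPS delivery mode: confirmation
HTTP(s) notification using fenet proxy: yes
Rsyslog notification Stripping off line feedback: yes
Notification timeout: 600 seconds
SSL cipher list: compatible
SSL minimum protocol version: tls1
SIEM Riskware support: no
Normalize IPS Event: yes
Notification CPU-Sender Ratio: 4
CEF Compliance: yes
"""

# Protocol versions ordered weakest to strongest. Assumption: the guide only shows
# "tls1"; the other spellings follow the same style and are not taken from the page.
TLS_ORDER = ["sslv3", "tls1", "tls1.1", "tls1.2", "tls1.3"]


def parse_preferences(text):
    """Return {setting: value} for every 'Key: value' line; the heading line is skipped."""
    prefs = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([^:]+?)\s*:\s*(.*?)\s*$", line)
        if m and m.group(2):  # "Notification customized settings:" has no value
            prefs[m.group(1)] = m.group(2)
    return prefs


def audit_preferences(prefs, min_tls="tls1.2"):
    """Return a list of findings (strings); an empty list means nothing to review."""
    findings = []
    version = prefs.get("SSL minimum protocol version")
    if version in TLS_ORDER and TLS_ORDER.index(version) < TLS_ORDER.index(min_tls):
        findings.append(f"SSL minimum protocol version is {version}; require {min_tls} or later")
    if prefs.get("SIEM Riskware support") == "no":
        findings.append("SIEM Riskware support is off: riskware-callback/riskware-object alerts are not sent")
    ratio = int(prefs.get("Notification CPU-Sender Ratio", "1"))
    if not 1 <= ratio <= 1024:
        findings.append(f"Notification CPU-Sender Ratio {ratio} is outside the documented 1-1024 range")
    return findings


def endpoints(prefs, src, dst):
    """Map an IPS alert's src/dst tuples to (traffic source, traffic destination).

    With 'Normalize IPS Event: yes' the src fields already describe the traffic
    source. With 'no' the guide states that src is the destination (victim) and
    dst is the source (attacker), so the two tuples are swapped.
    """
    if prefs.get("Normalize IPS Event") == "no":
        return dst, src
    return src, dst
```

Feed the function the captured output of the command (for example from a scripted SSH session); the audit reports the tls1 minimum in the sample as something to raise.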
show fenotify preferences appliance-id Use this command to show the MAC address and Appliance ID of the appliance. It also shows whether you are using appliance ID to identify the appliance on your FireEye network.
Syntax show fenotify preferences appliance-id
Parameters None
Example The following example shows the appliance ID settings:
hostname (config) # show fenotify preferences appliance-id
Appliance-ID Usage Related Settings:
===================================================
Appliance-ID       : 0025908754E0
MAC Address        : 00:25:90:87:54:E0
Using Appliance ID : no
===================================================
User Role Administrator
Command Mode Configuration
Release Information This command was introduced as follows:
- CM Series: Release 7.9.1
- NX Series: Release 7.9.1
- VX Series: Release 7.9.1
show fenotify preferences bbp Use this command to show the block-by-proxy settings.
Syntax show fenotify preferences bbp
Parameters None
Example The following example shows the block-by-proxy settings:
hostname (config) # show fenotify preferences bbp
Block-by-proxy Related Notification Settings:
===================================================
FireEye Secure Web Gateway Configuration Related Settings:
  SWG Scan Enabled: no
  SWG Block-By-Proxy Enabled: no
  SWG scan malicious url lookback: 3600
  SWG scan callback url lookback: 3600
  SWG Block-By-Proxy match string: __FIREEYE_BLOCK_BY_PROXY__
  Wait for Blocked-By-Proxy Confirmation: yes
  Max Wait Time for Blocked-By-Proxy Confirmation (sec): 10
  EMail Subject Line Prefix for Blocked: Blocked by Web Proxy
  EMail Subject Line Prefix for Non-Blocked: Not Blocked by Web Proxy
===================================================
User Role Administrator and operator
Command Mode Enable and Configuration
Release Information This command was introduced as follows:
- CM Series: Release 7.9.1
- NX Series: Release 7.9.1
Related Commands For a list of related commands, see: Block by Proxy Commands on page 64.
show fenotify preferences json Displays whether OS changes are included in JSON notifications for duplicate alerts.
Syntax show fenotify preferences json
Parameters None
Example The following example displays whether OS changes are included in JSON notifications for duplicate alerts:
hostname # show fenotify preferences json
JSON Related Notification Settings:
===================================================
Include Original OS-changes for duplicate-alert: yes
===================================================
User Role Administrator or Operator
Command Mode Enabled
Release Information This command was introduced as follows:
- CM Series: Release 7.9.2
- EX Series: Release 7.9.0
- NX Series: Release 7.9.2
Related Commands For a list of related commands, see Event Notification Commands on page 87.
show fenotify preferences text Displays whether OS changes are included in text notifications for duplicate alerts.
Syntax show fenotify preferences text
Parameters None
Example The following example displays whether OS changes are included in text notifications for duplicate alerts:
hostname # show fenotify preferences text
text Related Notification Settings:
===================================================
Include Original OS-changes for duplicate-alert: yes
===================================================
User Role Administrator or Operator
Command Mode Enabled
Release Information This command was introduced as follows:
- CM Series: Release 7.9.2
- EX Series: Release 7.9.0
- NX Series: Release 7.9.2
Related Commands For a list of related commands, see Event Notification Commands on page 87.
show fenotify preferences xml Displays whether OS changes are included in XML notifications for duplicate alerts.
Syntax show fenotify preferences xml
Parameters None
Example The following example displays whether OS changes are included in XML notifications for duplicate alerts:
hostname # show fenotify preferences xml
XML Related Notification Settings:
===================================================
Include Original OS-changes for duplicate-alert: yes
===================================================
User Role Administrator or Operator
Command Mode Enabled
Release Information This command was introduced as follows:
- CM Series: Release 7.9.2
- EX Series: Release 7.9.0
- NX Series: Release 7.9.2
Related Commands For a list of related commands, see Event Notification Commands on page 87.
show fenotify rsyslog Displays rsyslog notifications. This command is available for the NX, AX, and EX Series appliances. You can also run this command remotely from the command line of an integrated FireEye CM Series central management platform using the CMC proxying mechanism.
Syntax show fenotify rsyslog
Parameters None
Examples The following example displays rsyslog notification information:
hostname # show fenotify rsyslog
Notification Protocol: rsyslog
Configuration:
  Protocol Enabled: no
  default-delivery: per-event
  default-format: cef
  default-send-as: warning
Alerts:
  domain-match: yes
  infection-match: yes
  ips-event: yes
  malware-callback: yes
  malware-object: yes
  web-infection: yes
Consumers:
User Role All roles
Command Mode Enable
Release Information
- AX Series: Before Release 6.3
- CM Series: Before Release 6.3
- EX Series: Before Release 6.3
- NX Series: Before Release 6.3
Related Commands For related commands, see Event Notification Commands on page 87.
show fenotify snmp Displays SNMP notifications. This command is available for the NX, AX, and EX Series appliances. You can also run this command remotely from the command line of an integrated FireEye CM Series central management platform using the CMC proxying mechanism.
Syntax show fenotify snmp
Parameters None
Examples The following example displays SNMP notification information:
hostname # show fenotify snmp
Notification Protocol: snmp
Configuration:
  Protocol Enabled: no
  default-delivery: per-event
  default-version: 2c
Alerts:
  domain-match: yes
  infection-match: yes
  ips-event: no
  malware-callback: yes
  malware-object: yes
  web-infection: yes
Consumers:
User Role All roles
Command Mode Enable
Release Information
- AX Series: Before Release 6.3
- CM Series: Before Release 6.3
- EX Series: Before Release 6.3
- NX Series: Before Release 6.3
Related Commands For related commands, see Event Notification Commands on page 87.
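The show fenotify email, http, rsyslog and snmp commands above all print the same layout: a Notification Protocol line, a Configuration block and an Alerts block. An alert type reaches a consumer only when the protocol is enabled and the alert type is set to yes, so both have to be checked when verifying that a detection actually produces a notification. The following is an added example, not FireEye code, that parses that layout and lists the alert types that will not be delivered and why; the sample is constructed from the show fenotify email output in this guide, with a placeholder return address.

```python
"""Parse `show fenotify <protocol>` output and list alert types that will not be delivered.

Added example, not FireEye code. It expects the layout shown for the email, http,
rsyslog and snmp commands: "Notification Protocol:", a "Configuration:" block and
an "Alerts:" block of "name: yes|no" lines.
"""
import re

# Constructed sample, based on the `show fenotify email` example in this guide
# (the return address is a placeholder).
SAMPLE = """\
Notification Protocol: email
Configuration:
  Protocol Enabled: yes
  return-address: alerts@example.com
Alerts:
  domain-match: no
  infection-match: no
  ips-event: yes
  malware-callback: yes
  malware-object: yes
  web-infection: yes
Consumers:
"""

# Alert types the guide lists for every protocol; used to spot types missing from the output.
KNOWN_ALERTS = ("domain-match", "infection-match", "ips-event",
                "malware-callback", "malware-object", "web-infection")


def parse_fenotify(text):
    """Return {'protocol': str, 'config': {key: value}, 'alerts': {name: bool}}."""
    result = {"protocol": None, "config": {}, "alerts": {}}
    section = None
    for line in text.splitlines():
        m = re.match(r"^\s*([^:]+?)\s*:\s*(.*?)\s*$", line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        if key == "Notification Protocol":
            result["protocol"] = value
        elif key in ("Configuration", "Alerts", "Consumers") and value == "":
            section = key.lower()  # block header: switch to that section
        elif section == "configuration":
            result["config"][key] = value
        elif section == "alerts":
            result["alerts"][key] = value == "yes"
    return result


def undelivered_alerts(parsed):
    """Alert types that will not reach this protocol's consumers, mapped to the reason."""
    enabled = parsed["config"].get("Protocol Enabled") == "yes"
    reasons = {}
    for alert in KNOWN_ALERTS:
        if alert not in parsed["alerts"]:
            reasons[alert] = "not listed in output"
        elif not parsed["alerts"][alert]:
            reasons[alert] = "alert type disabled"
        elif not enabled:
            reasons[alert] = "protocol disabled"
    return reasons
```

Running undelivered_alerts over each protocol's output gives a per-channel view of which detections are silently dropped; in the sample, domain-match and infection-match are off even though the email protocol itself is enabled.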
show files Description Displays the file system information, lists the debug, statistics, or TCP dump files on the system, or displays the contents of a specific debug file.
Syntax show files {debug-dump [file_name] | stats | system [detail | all] | tcpdump}
Parameters
debug-dump [file_name] Displays the list of debug-dump files or the contents of the specified file (enabled or configuration mode required).
stats Displays the list of statistical reports (enabled or configuration mode required).
system [detail | all] Displays the file system information. Use the detail option to display additional detailed information (see example below). Use the all option to display a comprehensive list of system information.
tcpdump Displays the list of TCP dump files.
Example The following example displays file system information details.
MPS (config) # show files system detail
Statistics for /config filesystem:
  Space Total          190 MB
  Space Used           5 MB
  Space Free           185 MB
  Space Available      175 MB
  Space Percent Free   97%
  Inodes Total         50400
  Inodes Used          23
  Inodes Free          50377
  Inodes Percent Free  99%
  Device Name          /dev/sda8
Statistics for /var filesystem:
  Space Total          8068 MB
  Space Used           970 MB
  Space Free           7098 MB
  Space Available      6689 MB
  Space Percent Free   87%
  Inodes Total         1050400
  Inodes Used          903
  Inodes Free          1049497
  Inodes Percent Free  99%
  Device Name          /dev/sda9
Statistics for /data filesystem:
  Space Total          448683 MB
  Space Used           52258 MB
  Space Free           396425 MB
  Space Available      373633 MB
  Space Percent Free   88%
  Inodes Total         58359808
  Inodes Used          2227
  Inodes Free          58357581
  Inodes Percent Free  99%
  Device Name          /dev/sda10
show file-analysis Displays statistics about the total number of file objects that were analyzed. This command displays cumulative statistics such as the total number of files that were submitted for analysis and the total number of events that were detected. It also shows the total number of objects with each system status type. For more information, see the FX Series Threat Management Guide.
Syntax show file-analysis
Parameters None
Example The following command displays file analysis statistics:
hostname # show file-analysis
Total Objects Submitted                        : 24978
Objects Analyzed                               : 24978
Objects identified as Malicious                : 15229
  - VM verified                                : 15175
  - Duplicate to VM verified                   : 54
  - Known checksum match                       : 0
Total events                                   : 97165
  vm-signature-match events                    : 32577
  os-change-anomaly events                     : 30626
  checksum-match events                        : 25083
  vm-outbound-comm events                      : 8879
Objects break down by system status, Total     : 24978
  Submitted for VM analysis                    : 20259
  VM Submit Error                              : 20
  Duplicate                                    : 3657
  Static Analysis Only                         : 5
  Aborted                                      : 1037
User Role Administrator, Operator, Monitor, or Analyst
Command Mode Enable
Release Information This command was introduced as follows:
- FX Series: Before Release 7.5. The command output was enhanced to display the additional static analysis statistics in Release 7.7.
show file-analysis all To view details about all malware records, use the show file-analysis all command in standard mode.
Syntax show file-analysis all
User Account Requirement Monitor, Analyst, Operator, or Admin role
Release Information Command deprecated in FX Series 7.5.0 and later releases.
Description This command returns information such as the file URL, the MD5 sum, the state of the analysis, the status of the file, and so on. The file analysis jobs are listed in descending order by malware ID. For more information, see the FX Series Threat Management Guide.
Parameters None
Example The following example shows the first two file analysis jobs returned by this command.
hostname > show file-analysis all
Malware ID 598
  Analysis Type: Sandbox
  URL: file:1504.malware
  Analysis Timeout: 240
  Analysis Priority: normal
  Force: false
  Profile Name:
  Profile ID:
  Md5Sum: 94978a14a9a3329b28a0735c8992d75a
  State: done
  Status: Whitelisted
  Submitted Time: 2014-09-17 04:00:05 UTC
  Run End Time: 2014-09-17 04:00:07 UTC
  IM: NO
  Number of Events: 0
  Children Malware ID(s):
  Parent Malware ID: 593
Malware ID 597
  Analysis Type: Sandbox
  URL: file:1424.malware
  Analysis Timeout: 240
  Analysis Priority: normal
  Force: false
  Profile Name:
  Profile ID:
  Md5Sum: d20d280fbe104baa35809c1865fdecfb
  State: done
  Status: Whitelisted
  Submitted Time: 2014-09-17 04:00:05 UTC
  Run End Time: 2014-09-17 04:00:07 UTC
  IM: NO
  Number of Events: 0
  Children Malware ID(s):
  Parent Malware ID: 590
show file-analysis done To view details about all file analysis jobs whose analysis has been completed, use the show file-analysis done command in standard mode.
Syntax show file-analysis done
User Account Requirement Monitor, Analyst, Operator or Admin role
Release Information Command deprecated in FX Series 7.5.0 and later releases.
Description This command returns information such as the file URL, the MD5 sum, the state of the analysis, the status of the file, and so on. The file analysis jobs are listed in descending order by malware ID. For more information, see the FX Series Threat Management Guide.
Parameters None
Example The following example shows the first two malware records returned by this command.
hostname > show file-analysis done
Malware ID 308007
  Analysis Type: sandbox
  URL: file:5650.exe
  Analysis Timeout: 240
  Analysis Priority: normal
  Force: false
  Profile Name:
  Profile ID:
  Md5Sum: 943478a14a4a3329b28a0875c8992d75a
  State: done
  Status: aborted by user
  Submitted Time: 2014-09-26 11:04:22 UTC
  Run End Time: 2014-09-26 11:06:13 UTC
  IM: NO
  Number of Events: 0
  Children Malware ID(s):
  Parent Malware ID:
Malware ID 308006
  Analysis Type: sandbox
  URL: file:7654.exe
  Analysis Timeout: 240
  Analysis Priority: normal
  Force: false
  Profile Name:
  Profile ID:
  Md5Sum: d20d280fbe104baa35809c1865fdecfb
  State: done
  Status: Aborted by user
  Submitted Time: 2014-09-17 04:00:05 UTC
  Run End Time: 2014-09-17 04:00:07 UTC
  IM: NO
  Number of Events: 0
  Children Malware ID(s):
  Parent Malware ID: 590
show file-analysis events To view file analysis jobs with events, use the show file-analysis events command in standard mode.
Syntax show file-analysis events
User Account Requirement Monitor, Analyst, Operator, or Admin role
Release Information Command deprecated in FX Series 7.5.0 and later releases.
Description This command returns the file analysis jobs with events and includes event information such as the event's type, occurrence time, name, match type, and so on. The malware records are listed in descending order by malware ID. For more information, see the FX Series Threat Management Guide.
Parameters None
Example The following example shows one of the file analysis jobs returned by this command.
hostname > show file-analysis events
Malware ID 308001
  Analysis Type: sandbox
  URL: file:5650.file-51.pdf
  Analysis Timeout: 240
  Analysis Priority: normal
  Force: false
  Profile Name:
  Profile ID:
  Md5Sum: d60e9d9d44b3a912955ff563e2a22986
  State: done
  Status: Aborted by user
  Submitted Time: 2014-09-26 11:06:49 UTC
  Run End Time: 2014-09-26 11:06:52 UTC
  IM: NO
  Number of Events: 0
  Children Malware ID(s):
  Parent Malware ID:
  State: done
  Status: Aborted by user
  Submitted Time: 2014-09-17 04:00:05 UTC
  Run End Time: 2014-09-17 04:00:07 UTC
  IM: NO
  Number of Events: 0
  Children Malware ID(s):
  Parent Malware ID: 590
  Event 273821:
    Occurrence Time     : 2014-09-26 11:06:53 UTC
    Event Type          : checksum-match
    Analysis Type       : Malware
    Trace ID            : 305976
    Malware ID          : 305976
    Original Malware ID : 0
    Name                : Pdf.Exploit.CVE_2010_
    Match Type          : av-match
    EDP URL             : https//abc.xyc.com/nnn.ppp?sname=Pdf.Exploit.CVE_2020_
show file-analysis id To view information about a specific file analysis job, use the show file-analysis id command in standard mode.
Syntax show file-analysis id malwareID
User Account Requirement Monitor, Analyst, Operator, or Admin role
Release Information Command deprecated in FX Series 7.5.0 and later releases.
Description This command displays details about a specific file-analysis job. The show file-analysis list command displays a list of file analysis jobs by their file analysis job number, or malware ID. For more information, see the FX Series Threat Management Guide.
Parameters malwareID The file analysis job number.
Example The command in this example displays information about job number 1240.
hostname > show file-analysis id 1240
Malware ID 1240
  Analysis Type: sandbox
  URL: file:1424.-51.pdf
  Analysis Timeout: 240
  Analysis Priority: normal
  Force: false
  Profile Name:
  Profile ID:
  Md5Sum: k60e9d4d78b3a912955bb563e2a22986
  State: done
  Status: Aborted by user
  Submitted Time: 2014-09-26 11:06:49 UTC
  Run End Time: 2014-09-26 11:06:52 UTC
  IM: NO
  Number of Events: 0
  Children Malware ID(s):
  Parent Malware ID: -
show file-analysis list To view a list of all file analysis jobs, use the show file-analysis list command in standard mode.
Syntax show file-analysis list
User Account Requirement Monitor, Analyst, Operator, or Admin role
Release Information Command deprecated in FX Series 7.5.0 and later releases.
Description This command returns a full list of all file analysis jobs, in descending order by the job number, or malware ID (MID). For details about each job, use the show file-analysis all, show file-analysis done, and show file-analysis id commands. For more information, see the FX Series Threat Management Guide.
Parameters None
Example The following example is an excerpt from a list of all file analysis jobs.
hostname > show file-analysis list
MID  MD5                               NumEvents (ID/Type)                       Detection  Date/Time
598  d20d280fbe104baa35809c1865fdecfb  0 ( )                                                2014-09-08 20:54:08 UTC
587  76b7becf31da7b1f001ca057a352634a  5 ( 266,262:na 263267:oc 198: cm to 7 )  misc       2014-09-07 04:27:39 UTC
579  c557ff5b8254007ecb5163582ccc763a  0 ( )                                                2014-09-05 15:39:54 UTC
show file-analysis md5 To view the file analysis jobs that match a specific MD5 checksum, use the show file-analysis md5 command in standard mode.
Syntax show file-analysis md5 md5Sum
User Account Requirement Monitor, Analyst, Operator, or Admin role
Release Information Command deprecated in FX Series 7.5.0 and later releases.
Description This command allows you to view all jobs with matching MD5 sums. For more information, see the FX Series Threat Management Guide.
Parameters md5Sum The 32-digit MD5 checksum.
Example The following example reports the jobs that match the a5b700a9df4ab35bca69eb2d8cf70b45 MD5 checksum.
hostname > show file-analysis md5 a5b700a9df4ab35bca69eb2d8cf70b45
Malware ID  MD5SUM
14          a5b700a9df4ab35bca69eb2d8cf70b45
594         a5b700a9df4ab35bca69eb2d8cf70b45
596         a5b700a9df4ab35bca69eb2d8cf70b45
show fmps file config To view file scanning parameters, use the show fmps file config command in standard mode.
Syntax show fmps file config
User Account Requirement Monitor, Analyst, Operator, or Admin role
Release Information Command available in FX Series releases.
Description This command displays the values of the parameters you can configure using the fmps file config maxsize, fmps file config analysis_tmo, fmps file config scan_delay, fmps config wins_server, and fmps file config share-timeout commands. For more information, see the FX Series Threat Management Guide.
Parameters None
Example
hostname > show fmps file config
Max File Size (MB): 5
Analysis Timeout (sec): 240
Scan Delay: 3 min 0 sec
Wins Server:
Share Timeout (sec): 300
show fmps file shares To view the configuration of a share or view its configured scans and their status, use the show fmps file shares command in standard mode.
Syntax show fmps file shares shareName [scan-id]
User Account Requirement Monitor, Analyst, Operator, or Admin role
Release Information Command available in FX Series releases.
Description This command displays configuration information about the specified share. If you include the scan-id parameter, the command displays the scans that are configured on the share and their status. For more information, see the FX Series Threat Management Guide.
Parameters
shareName The name of the share.
scan-id Displays a list of configured scans and their status instead of share configuration information.
Examples The following example displays configuration information about the Acme_IT share.
hostname > show fmps file shares Acme_IT
Share Name: Acme_IT
Enabled: yes
Description: ********
Share URL: //10.14.40.30/IX1
Mount command prefix: --no-mtab -t cifs -o sec=ntlmsspi
Share user: fmps-dfs\Administrator
Share password: ********
The following example lists the scans configured on the Acme_HR share and shows their status.
hostname > show fmps file shares Acme_HR scan-id
Scan  Status      Start                       End                         Total Files  Bad Files
24    Configured
8     Aborted     2014-09-05 15:34:51.460615  2014-09-05 15:34:51.460615
49    Done        2014-09-16 04:00:00.169294  2014-09-16 04:02:26.556986  533          0
show fmps scan-id To view statistics about a scan, use the show fmps scan-id command in standard mode.
Syntax show fmps scan-id scanID
User Account Requirement Monitor, Analyst, Operator, or Admin role
Release Information Command available in FX Series releases.
Description This command displays details about a specific scan and its results. For more information, see the FX Series Threat Management Guide.
Parameters scanID The scan identification number.
Example
Completed Scan Results
The following example displays the results of a completed scan. This is the format for instant ("now") scans and continuous scans that are completed, running, or aborted.
hostname > show fmps scan-id 1
Scan ID: 1 (State: Completed Description: Scan completed)
Scan type: Now
Scan name: HRScan
Share name: Acme_HR
Share URL: //10.14.40.30/IX1
Filetype whitelist: 7zip asf cdf
Selected filetypes: com exe ppt
Quarantine repository name: local_QF
Good repository name: Acme-good
Unknown repository name: Acme-Unknown
Whitelisted repository name: Acme-Whitelist
Only files modified: after 2014-01-01 08:09:00
Advanced:
  Timestamp type: change
  Rescan: false
Started at: 2014-10-08 15:10:38
Ended at: 2014-10-08 15:15:03
Duration: 00:04:25.073049
Total number of files in the share: 533 (Scannable 533)
Scanned: 533 (2.0 files/sec => ~173778 files/day)
Analyzed: 2 (~0.4% of the share)
Good: 0 (~0.0% of the share)
Unknown: 526 (~98.7% of the share)
Whitelisted: 5 (~0.9% of the share)
Duplicates: 0 (~0.0% of the share)
Malicious: 2 (~0.4% of the share)
-------------------------------------------------------------------
Filetypes Statistics
-------------------------------------------------------------------
File type  Analyzed  Malicious  Good  Sec per analysis  Duplicates  Duplicate percentage  Whitelisted  Whitelisted percentage
exe        2         2          0     163               0           0.0                   1            33.3
zip        0         0          0     0                 0           0.0                   4            100.0
Configured Scan Results
The following example displays the results of a scan that is configured but has not yet run.
hostname > show fmps scan-id 231
Scan ID: 231 (State: Configured Description: Scan configured)
Scan type: Now
Scan name: HRScan
Share name: Acme_HR
Share URL: //10.14.40.30/IX1
Filetype whitelist: xls
Selected filetypes: com exe ppt pdf
Quarantine repository name: local_QF
Good repository name: Acme-good
Unknown repository name: Acme-Unknown
Whitelisted repository name: Acme-Whitelist
Only files modified:
Subdirectories: Employees
Advanced:
  Timestamp type: change
  Rescan: false
Prescan Results
The following example displays the results of a completed prescan.
hostname > show fmps scan-id 93
Scan ID: 93 (State: Completed Description: Scan completed)
Scan type: Prescan
Scan name: HRPre
Share name: Acme_HR
Share URL: //10.14.40.30/IX1
Filetype whitelist:
Selected filetypes:
Quarantine repository name:
Good repository name:
Unknown repository name:
Whitelisted repository name: -
Only files modified:
Advanced:
  Timestamp type: change
  Rescan: false
Started at: 2014-10-09 14:26:22
Ended at: 2014-10-09 14:26:29
Duration: 00:00:07.505747
Total number of files in the share: 10 (Scannable 10)
Scanned: 10 (1.4 files/sec => ~123429 files/day)
Analyzable: 5 (~50.0% of the share)
Whitelisted: 0 (~0.0% of the share)
Skipped: 5 (~50.0% of the share)
-----------------------------------------------------
Filetypes Statistics
-----------------------------------------------------
File type  Analyzable  Sec per analysis  Whitelisted  Whitelisted percentage
doc        1           0                 0            0.0
docx       1           0                 0            0.0
pdf        3           0                 0            0.0
Scheduled Scan Results
The following example displays the results of a scan that is scheduled but has not yet run.
hostname > show fmps scan-id 68
Scan ID: 68 (State: Scheduled Description: Scan scheduled)
Scan type:
Schedule parameters:
  Status: active
  Type: weekly
  Day: Sunday
  Time: 05:00
Scans from schedule:
  Scan name: HRWeekly
  Share name: Acme_HR
  Share URL: //10.14.40.30/IX1
  Filetype whitelist: avi
  Selected filetypes: doc pdf ppt
  Quarantine repository name: Acme-quar
  Good repository name:
  Unknown repository name:
  Whitelisted repository name:
  Only files modified:
  Advanced:
    Timestamp type: change
    Rescan: false
Completed Scheduled Scan Results
The following example displays the results of a scheduled scan that was completed. (The schedule parameters are not included in these results.)
hostname > show fmps scan-id 84
Scan ID: 84 (State: Completed Description: Scan completed)
Scan type: Scheduled
Schedule parameters:
Schedule ID: 83
Scan name: HRWeekly
Share name: Acme_HR
Share URL: //10.14.40.30/IX1
Filetype whitelist:
Selected filetypes:
Quarantine repository name:
Good repository name:
Unknown repository name:
Whitelisted repository name:
Only files modified:
Advanced:
Timestamp type: change
Rescan: false
Started at: 2014-10-08 00:31:20
Ended at: 2014-10-08 00:32:07
Duration: 00:00:47.543062
Total number of files in the share: 10 (Scannable 10)
Scanned: 10 (0.2 files/sec => ~18383 files/day)
Analyzed: 1 (~10.0% of the share)
Good: 3 (~30.0% of the share)
Unknown: 5 (~50.0% of the share)
Whitelisted: 0 (~0.0% of the share)
Duplicates: 4 (~40.0% of the share)
Malicious: 2 (~20.0% of the share)
-------------------------------------------------------------------
Filetypes Statistics
-------------------------------------------------------------------
File type  Analyzed  Malicious  Good  Sec per analysis  Duplicates  Duplicate percentage  Whitelisted  Whitelisted percentage
doc        0         0          1     0                 1           100.0                 0            0.0
docx       0         0          1     0                 1           100.0                 0            0.0
pdf        1         2          1     73                2           66.7                  0            0.0
Deleted Scheduled Scan
The following example displays the results of a scheduled scan that was deleted.
hostname > show fmps scan-id 14
Scan ID: 14 (State: Scheduled Description: Scan scheduled)
Scan type:
Schedule parameters:
Status: retired
Type: weekly
Day: Sunday
Time: 05:00
Scans from schedule:
Scan name: ITWeekly
Share name: Acme_IT
Share URL: //10.14.40.30/IX2
Filetype whitelist: avi
Selected filetypes: doc pdf ppt
Quarantine repository name: Acme-quar
Good repository name:
Unknown repository name:
Whitelisted repository name:
Only files modified:
Advanced:
Timestamp type: change
Rescan: false
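The scan results above are meant to be read by an analyst, but a SOC that runs scheduled share scans usually wants the verdict counts pulled into a ticket automatically. The following Python is an added example, not FireEye code: it parses the summary block and the Filetypes Statistics table of a completed show fmps scan-id result and turns them into triage findings. The sample text is a constructed copy of the completed scheduled scan (scan ID 84) shown above; the function and field names are the example's own.

```python
"""Parse the summary of a `show fmps scan-id` result (FX Series) and flag
what an analyst should look at.  Added example, not FireEye code."""
import re

# Constructed sample: the completed scheduled scan (scan ID 84) from the guide.
SAMPLE_OUTPUT = """\
Scan ID: 84 (State: Completed Description: Scan completed)
Scan type: Scheduled
Schedule parameters:
Schedule ID: 83
Scan name: HRWeekly
Share name: Acme_HR
Share URL: //10.14.40.30/IX1
Started at: 2014-10-08 00:31:20
Ended at: 2014-10-08 00:32:07
Duration: 00:00:47.543062
Total number of files in the share: 10 (Scannable 10)
Scanned: 10 (0.2 files/sec => ~18383 files/day)
Analyzed: 1 (~10.0% of the share)
Good: 3 (~30.0% of the share)
Unknown: 5 (~50.0% of the share)
Whitelisted: 0 (~0.0% of the share)
Duplicates: 4 (~40.0% of the share)
Malicious: 2 (~20.0% of the share)
-------------------------------------------------------------------
Filetypes Statistics
-------------------------------------------------------------------
File type Analyzed Malicious Good Sec per analysis Duplicates Duplicate percentage Whitelisted Whitelisted percentage
doc 0 0 1 0 1 100.0 0 0.0
docx 0 0 1 0 1 100.0 0 0.0
pdf 1 2 1 73 2 66.7 0 0.0
"""

STATE_RE = re.compile(r"^Scan ID:\s*(\d+)\s*\(State:\s*(\w+)")
COUNT_RE = re.compile(r"^(Scanned|Analyzed|Good|Unknown|Whitelisted|Duplicates|Malicious):\s*(\d+)")
# One row of the Filetypes Statistics table: type, 5 integer columns, a percentage,
# an integer and a percentage.
ROW_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+([\d.]+)\s+(\d+)\s+([\d.]+)$")


def parse_scan(text):
    """Return scan id, state, the summary counters and the per-filetype rows."""
    result = {"scan_id": None, "state": None, "counts": {}, "filetypes": {}}
    for line in text.splitlines():
        line = line.strip()
        m = STATE_RE.match(line)
        if m:
            result["scan_id"], result["state"] = int(m.group(1)), m.group(2)
            continue
        m = COUNT_RE.match(line)
        if m:
            result["counts"][m.group(1)] = int(m.group(2))
            continue
        m = ROW_RE.match(line)
        if m:
            result["filetypes"][m.group(1)] = {
                "analyzed": int(m.group(2)), "malicious": int(m.group(3)),
                "good": int(m.group(4)), "sec_per_analysis": int(m.group(5)),
                "duplicates": int(m.group(6)), "whitelisted": int(m.group(8)),
            }
    return result


def triage(scan):
    """Return human-readable findings; an empty list means nothing needs attention."""
    findings = []
    if scan["state"] != "Completed":
        # Configured, Scheduled or running scans carry no final verdicts yet.
        findings.append(f"scan {scan['scan_id']} is {scan['state']}; results are not final")
        return findings
    counts = scan["counts"]
    if counts.get("Malicious", 0):
        hit_types = [ft for ft, row in scan["filetypes"].items() if row["malicious"]]
        findings.append(f"{counts['Malicious']} malicious file(s) in {', '.join(hit_types)}; "
                        "review the quarantine repository")
    if counts.get("Unknown", 0):
        findings.append(f"{counts['Unknown']} file(s) with an unknown verdict; consider a rescan")
    return findings


if __name__ == "__main__":
    for finding in triage(parse_scan(SAMPLE_OUTPUT)):
        print(finding)
```

The parser keys on the "Name: value" lines and on the fixed column count of the statistics table, so the Analyzable/Skipped lines of a prescan are simply ignored and the same code can be pointed at prescan output without changes.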
show fmps share Displays the configuration of an individual file share.
Syntax show fmps share
Parameters
The name of the file share.
Examples The following example displays the p_library file share.
odb-6 (config) # show fmps share p_library
Share Name: p_library
Share Type: Source
Status: Share is mounted and connected
Share URL: //10.14.68.12/sites/site_collection1/site1/library1
Protocol: webdav
Share user: sharepointfarmadmin
Mount command prefix: -t davfs
CA file:
Server name: SharePoint - 443
User Roles Operator or Administrator
Command Mode Configuration
Release Information Command introduced in Release 7.7.0 for FX Series appliances.
show forensic analysis Displays whether the integration with the Solera Networks packet analyzer application is enabled. If it is enabled, the integration can be configured on the Settings: Forensics page in the Web UI.
Syntax show forensic analysis
Parameters None
Example The following example displays the current forensic analysis status for Solera Networks integration.
hostname # show forensic analysis
Forensic Analysis Enabled: yes
User Role Administrator, Monitor, or Operator
Command Mode Enable
Release Information This command was introduced as follows: NX Series: Before Release 7.5
Related Commands For a list of related commands, see Forensic Analysis Command Family on page 94.
show fume content-version Displays the details about all the plug-in content versions that are pushed through security content to the NX Series appliance and delivered to Silverfish without a software upgrade. This capability improves malicious object and multiflow detection. You can also view details of the different FUME content rule versions.
Syntax show fume content-version
Parameters None
Example The following example displays the plug-in content versions and FUME content versions:
hostname # show fume content-version
Silverfish plugins:
Name        Version
xap         1.2
javascript  1.2
exe         1.2
jar         1.2
swf         1.2
ba_plugin   1.2
html        1.2
JabePie: 3.1.461626d
Foxd: 2_3
Fe-ruleformat 1
Suricata rules:
custom.rules
debug.rules
ftp.rules               15.1109
identification.rules    15.1012
jparse.rules            15.1109
pageurl.rules           15.1109
suricata.rules          Missing Version
suspicious.rules        15.1208
uncategorized.rules     15.1109
whitelist_nocode.rules  15.1109
Keywords:
KEYWORD file versions           Version 1, Version 2
COMBO file versions
INCIDENT-CREATOR file versions  NO VERSION
User Role Administrator, Operator, Monitor, or Analyst
Command Mode Enable
Release Information This command was introduced as follows: NX Series: Release 7.9
Related Commands For a list of related commands, see FUME Command Family on page 95.
show fume network stats Displays the network statistics (such as packet count, byte count, or flow count) based on the Web traffic that the NX Series appliance monitors in your network.
Syntax show fume network stats
Parameters None
Output Fields The following table describes the output fields for the show fume network stats command. Fields are listed in the approximate order in which they appear in the output.

Field             Description
Start             Date and time when the appliance starts to track the network statistics.
Capture           Date and time when the network statistics were captured.
Elapsed           Time elapsed since the start of the analysis.
Polls             Number of minutes that the appliance polls for network statistics based on the Web traffic.
Packet            Total number of packets tracked per minute and per second.
Byte              Total number of bytes tracked per minute and per second.
Gigabytes         Total number of gigabytes tracked per minute and per second.
Flow Count        Total number of cumulative flows detected per minute and per second.
Asym Count        Total number of asymmetric flows detected per minute and per second.
Reassembly Gaps   Total number of TCP reassembly memory gaps tracked per minute and per second.
Internal Drops    Total number of internal drops tracked per minute and per second.
Example The following example displays the network statistics based on the Web traffic that the NX Series appliance monitors in your network:
hostname # show fume network stats
Time:
Start: Thu Sep 17 15:57:08 2015
Capture: Thu Sep 17 16:43:58 2015
Elapsed: 46m 50s
Poll: 60s
Statistics:
                   Count
                   Total      Rate/sec(avg)  Rate/sec(curr)  Rate/min(cur)
Packet             3219       1.15           0.00            0.00
Byte               1997818    710.97         0.00            0.00
Gigabits           0          0.00           0.00            0.00
Flow Count         60         0.02           0.00            0.00
Asym Count         0          0.00           0.00            0.00
Reassembly Gaps    0          0.00           0.00            0.00
Internal Drops     0          0.00           0.00            0.00
User Role Administrator, Operator, Monitor, or Analyst
Command Mode Enable
Release Information This command was introduced as follows: NX Series: Release 7.7
Related Commands For a list of related commands, see FUME Command Family on page 95.
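The counters above are the quickest way to tell whether a sensor is actually seeing the traffic it is supposed to inspect: non-zero Internal Drops or Reassembly Gaps mean flows are being analyzed incompletely, and a current packet rate of zero on a busy link means the monitoring feed is broken. The following Python is an added example, not FireEye code: it parses show fume network stats output and runs those checks. The sample text is a constructed copy of the output shown above, with Internal Drops changed to 12 so that the check fires; the function names are the example's own.

```python
"""Parse `show fume network stats` (NX Series) and run sensor health checks.
Added example, not FireEye code."""
import re
from datetime import datetime

# Constructed sample: the guide's output, with Internal Drops set to 12 to
# exercise the drop check (the guide shows 0).
SAMPLE_OUTPUT = """\
Time:
Start: Thu Sep 17 15:57:08 2015
Capture: Thu Sep 17 16:43:58 2015
Elapsed: 46m 50s
Poll: 60s
Statistics:
                   Count
                   Total      Rate/sec(avg)  Rate/sec(curr)  Rate/min(cur)
Packet             3219       1.15           0.00            0.00
Byte               1997818    710.97         0.00            0.00
Gigabits           0          0.00           0.00            0.00
Flow Count         60         0.02           0.00            0.00
Asym Count         0          0.00           0.00            0.00
Reassembly Gaps    0          0.00           0.00            0.00
Internal Drops     12         0.00           0.00            0.00
"""

HDR_RE = re.compile(r"^(Start|Capture|Elapsed|Poll):\s*(.+)$")
# A statistics row: a counter name followed by four numeric columns.
ROW_RE = re.compile(r"^([A-Za-z][A-Za-z ]*?)\s+(\d+)\s+([\d.]+)\s+([\d.]+)\s+([\d.]+)\s*$")
TIME_FMT = "%a %b %d %H:%M:%S %Y"


def parse_duration(text):
    """'46m 50s' or '1h 2m 3s' -> seconds."""
    return sum(int(n) * {"h": 3600, "m": 60, "s": 1}[u]
               for n, u in re.findall(r"(\d+)\s*([hms])", text))


def parse_network_stats(text):
    """Return elapsed/poll seconds, wall-clock seconds between Start and Capture,
    and one dict per counter row."""
    header, rows = {}, {}
    for line in text.splitlines():
        line = line.strip()
        m = HDR_RE.match(line)
        if m:
            header[m.group(1)] = m.group(2).strip()
            continue
        m = ROW_RE.match(line)
        if m:
            rows[m.group(1).strip()] = {
                "total": int(m.group(2)),
                "rate_sec_avg": float(m.group(3)),
                "rate_sec_curr": float(m.group(4)),
                "rate_min_curr": float(m.group(5)),
            }
    wall = None
    if "Start" in header and "Capture" in header:
        wall = int((datetime.strptime(header["Capture"], TIME_FMT)
                    - datetime.strptime(header["Start"], TIME_FMT)).total_seconds())
    return {"elapsed_s": parse_duration(header.get("Elapsed", "")),
            "poll_s": parse_duration(header.get("Poll", "")),
            "wall_s": wall, "rows": rows}


def health_findings(stats):
    """Return findings a sensor owner should act on; empty list means healthy."""
    rows, findings = stats["rows"], []
    total = lambda name: rows.get(name, {}).get("total", 0)
    if total("Internal Drops"):
        findings.append(f"Internal Drops: {total('Internal Drops')} packets dropped inside the appliance; check sensor load")
    if total("Reassembly Gaps"):
        findings.append(f"Reassembly Gaps: {total('Reassembly Gaps')}; TCP streams are missing segments, verify the SPAN/TAP feed")
    if total("Asym Count"):
        findings.append(f"Asym Count: {total('Asym Count')} one-sided flows; check for asymmetric routing")
    pkt = rows.get("Packet")
    if pkt and stats["elapsed_s"] > stats["poll_s"] and pkt["rate_sec_curr"] == 0.0:
        findings.append("Packet Rate/sec(curr) is 0.00: no traffic in the last poll interval; confirm the monitoring interface receives traffic")
    if pkt and stats["elapsed_s"]:
        # Total / Elapsed should reproduce the reported average within rounding.
        expected = pkt["total"] / stats["elapsed_s"]
        if abs(expected - pkt["rate_sec_avg"]) > 0.05 * max(expected, 0.01):
            findings.append("Packet Rate/sec(avg) does not match Total/Elapsed; counters may have been reset")
    if stats["wall_s"] is not None and abs(stats["wall_s"] - stats["elapsed_s"]) > stats["poll_s"]:
        findings.append("Elapsed does not match Capture minus Start; the appliance clock may have changed")
    return findings


if __name__ == "__main__":
    for finding in health_findings(parse_network_stats(SAMPLE_OUTPUT)):
        print(finding)
```

Run it against the guide's original output (Internal Drops 0) and only the zero-current-rate finding remains, which is what you would expect from a lab sensor with no live traffic during the last poll.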
show fume object stats Displays the statistics of malware objects (such as PDFs, EXEs, DLLs, or Microsoft Office files) based on the incoming Web traffic that the NX Series appliance monitors in your network. The FireEye Unified Multiflow Engine (FUME) allows the NX Series appliance to send suspicious URLs or objects to the virtual machine (VM) for a complete analysis.
Syntax show fume object stats
Parameters None
Output Fields The following table describes the output fields for the show fume object stats command. Fields are listed in the approximate order in which they appear in the output.

Field     Description
Start     Date and time when the appliance starts to send suspicious URLs or objects to the VM for analysis.
Capture   Date and time when the statistics for incoming Web traffic were captured.
Elapsed   Time elapsed since the start of the analysis.
Poll      Number of minutes that the appliance polls for the most suspicious URLs or objects.
WEB       Total number of URLs submitted per minute based on incoming Web traffic.
OBJECT    Total number of particular malware objects submitted per minute based on incoming Web traffic.
Example The following example displays a summary of malware objects based on the incoming Web traffic that the NX Series appliance monitors in your network:
hostname # show fume object stats
Time:
Start: Thu Sep 17 15:57:08 2015
Capture: Thu Sep 17 16:44:58 2015
Elapsed: 47m 50s
Poll: 60s
Incoming Traffic Stats:
WEB         Total    Rate/min(avg)  Rate/min(curr)
url         56       1.171          0.000

OBJECT      Total    Rate/min(avg)  Rate/min(curr)
pdf_file    0        0.000          0.000
swf_file    8        0.167          0.000
cab         0        0.000          0.000
xml_file    0        0.000          0.000
exe         6        0.125          0.000
jnlp_file   0        0.000          0.000
xdp_file    0        0.000          0.000
js_file     0        0.000          0.000
img         0        0.000          0.000
chm         0        0.000          0.000
macho       0        0.000          0.000
xap         0        0.000          0.000
html_file   19       0.397          0.000
jar         0        0.000          0.000
hwp         0        0.000          0.000
xar         0        0.000          0.000
dmg         0        0.000          0.000
class       0        0.000          0.000
dll         0        0.000          0.000
User Role Administrator, Operator, Monitor, or Analyst
Command Mode Enable
Release Information This command was introduced as follows: NX Series: Release 7.7
Related Commands For a list of related commands, see FUME Command Family on page 95.
show guest-images Description Displays a list of all virtual machine Guest Images, or the details and profile for specific Guest Images. The show guest-images available profiles command can be used to determine which profile ID you want to configure. The show guest-images config command can be used to determine which profile ID you want to reconfigure. Related commands: guest-images configure
Syntax show guest-images [ [available {bundles | defaults | profiles} ] | config | download] [file-associations]
Parameters
available {bundles | defaults | profiles}
Displays available Guest Images bundles, defaults, or profiles.
config
Displays the current Guest Images configuration.
download
Displays the status of the current 6.3.0 or later downloaded Guest Images available on the system.
Examples The following example displays the available default Guest Images.
hostname # show guest-images available defaults
The default bundle contains the following profiles:
winxp-sp3 - Windows XP sp3 English 32-bit (AMD).
win7-sp1 - Windows 7 SP1 English 32-bit (AMD).
win7x64-sp1 - Windows 7 sp1 English 64-bit (AMD).
The following example displays the available Guest Images profiles.
hostname # show guest-images available profiles
The following profiles are available:
[0] winxp-sp3 - Windows XP sp3 English 32-bit (AMD).
[1] win7-sp1 - Windows 7 SP1 English 32-bit (AMD).
[2] win7x64-sp1 - Windows 7 sp1 English 64-bit (AMD).
The following example displays downloaded and installed Guest Images.
hostname (config) # show guest-images download
The following Guest-image profiles are installed:
winxp-sp3 (Version 15.0107): Windows XP sp3 English 32-bit (AMD).
win7-sp1 (Version 15.0107): Windows 7 SP1 English 32-bit (AMD).
win7x64-sp1 (Version 15.0107): Windows 7 sp1 English 64-bit (AMD).
Status of most recent guest-images operation:
Check-Done: completed check for updates
Fenet source: DTI (fenet1.fireeye.com)
The following example displays the available file associations.
hostname # show guest-images file-associations
TYPE     GUEST-OS      ENABLED  APPLICATION
3gp      win7-sp1      [no]     QuickTime Player 7.7
3gp      win7x64-sp1   [no]     QuickTime Player 7.7
3gp      winxp-sp3     [no]     QuickTime Player 7.6
applet   win7-sp1      [no]     InternetExplorer 9.0
applet   win7x64-sp1   [no]     InternetExplorer 11.0
applet   winxp-sp3     [yes]    InternetExplorer 7.0
asf      win7-sp1      [no]     Windows Media Player 12.0
asf      win7x64-sp1   [no]     Windows Media Player 12.0
asf      winxp-sp3     [no]     Windows Media Player 11.0
avi      win7-sp1      [no]     Windows Media Player 12.0
avi      win7x64-sp1   [no]     Windows Media Player 12.0
avi      winxp-sp3     [no]     Windows Media Player 11.0
bat      win7-sp1      [no]     Windows Explorer
bat      win7x64-sp1   [yes]    Windows Explorer
bat      winxp-sp3     [yes]    Windows Explorer
chm      win7-sp1      [no]     Microsoft Compiled HTML Help
chm      win7x64-sp1   [yes]    Microsoft Compiled HTML Help
chm      winxp-sp3     [yes]    Microsoft Compiled HTML Help
cmd      win7-sp1      [no]     Windows Explorer
cmd      win7x64-sp1   [yes]    Windows Explorer
cmd      winxp-sp3     [yes]    Windows Explorer
com      win7-sp1      [no]     Windows Explorer
com      win7x64-sp1   [yes]    Windows Explorer
com      winxp-sp3     [yes]    Windows Explorer
csv      win7-sp1      [no]     Multiple MS Excel X
csv      win7x64-sp1   [no]     MS Excel 2013
csv      winxp-sp3     [no]     Multiple MS Excel X
dll      win7-sp1      [no]     RunDLL 1.0
dll      win7x64-sp1   [yes]    RunDLL 1.0
dll      winxp-sp3     [yes]    RunDLL 1.0
doc      win7-sp1      [yes]    Multiple MS Word X
doc      win7x64-sp1   [no]     MS Word 2013
doc      winxp-sp3     [yes]    Multiple MS Word X
docx     win7-sp1      [yes]    Multiple MS Word X
docx     win7x64-sp1   [no]     MS Word 2013
docx     winxp-sp3     [yes]    Multiple MS Word X
eeml     win7-sp1      [yes]    MS Outlook 2010
eeml     win7x64-sp1   [no]     MS Outlook 2013
eeml     winxp-sp3     [no]     MS Outlook 2007
eml      win7-sp1      [yes]    MS Outlook 2010
eml      win7x64-sp1   [no]     MS Outlook 2013
eml      winxp-sp3     [no]     MS Outlook 2007
exe      win7-sp1      [no]     Windows Explorer
exe      win7x64-sp1   [yes]    Windows Explorer
exe      winxp-sp3     [yes]    Windows Explorer
flv      win7-sp1      [no]     RealPlayer 16.0
flv      win7x64-sp1   [no]     RealPlayer 16.0
flv      winxp-sp3     [no]     VLC Media Player 2.0
gif      win7-sp1      [no]     InternetExplorer 9.0
gif      win7x64-sp1   [no]     InternetExplorer 11.0
gif      winxp-sp3     [no]     InternetExplorer 7.0
hlp      win7-sp1      [no]     Microsoft Windows Help File
hlp      win7x64-sp1   [no]     Microsoft Windows Help File
hlp      winxp-sp3     [yes]    Microsoft Windows Help File
hml      win7-sp1      [no]     Hancom Office.
hml      winxp-sp3     [no]     Hancom Office
htm      win7-sp1      [yes]    InternetExplorer 9.0
htm      win7x64-sp1   [no]     InternetExplorer 11.0
htm      winxp-sp3     [no]     InternetExplorer 7.0
hwp      win7-sp1      [yes]    Hancom Office.
hwp      winxp-sp3     [yes]    Hancom Office
hwt      win7-sp1      [yes]    Hancom Office.
hwt      winxp-sp3     [yes]    Hancom Office
ico      win7-sp1      [no]     InternetExplorer 9.0
ico      win7x64-sp1   [no]     InternetExplorer 11.0
ico      winxp-sp3     [no]     InternetExplorer 7.0
jar      win7-sp1      [no]     Java JDK JRE 8.0
jar      win7x64-sp1   [yes]    Java JDK JRE 8.0
jar      winxp-sp3     [yes]    Java JDK JRE 7.13
jpg      win7-sp1      [no]     InternetExplorer 9.0
jpg      win7x64-sp1   [no]     InternetExplorer 11.0
jpg      winxp-sp3     [no]     InternetExplorer 7.0
js       win7-sp1      [no]     Windows Scripting Host
js       win7x64-sp1   [no]     Windows Scripting Host
js       winxp-sp3     [yes]    Windows Scripting Host
lnk      win7-sp1      [no]     Windows Explorer
lnk      win7x64-sp1   [yes]    Windows Explorer
lnk      winxp-sp3     [yes]    Windows Explorer
mht      win7-sp1      [yes]    InternetExplorer 9.0
mht      win7x64-sp1   [no]     InternetExplorer 11.0
mht      winxp-sp3     [no]     InternetExplorer 7.0
midi     win7-sp1      [no]     Windows Media Player 12.0
midi     win7x64-sp1   [no]     Windows Media Player 12.0
midi     winxp-sp3     [no]     Windows Media Player 11.0
mov      win7-sp1      [no]     QuickTime Player 7.7
mov      win7x64-sp1   [no]     QuickTime Player 7.7
mov      winxp-sp3     [no]     QuickTime Player 7.6
mp3      win7-sp1      [no]     Windows Media Player 12.0
mp3      win7x64-sp1   [no]     Windows Media Player 12.0
mp3      winxp-sp3     [no]     Windows Media Player 11.0
mp4      win7-sp1      [no]     QuickTime Player 7.7
mp4      win7x64-sp1   [no]     QuickTime Player 7.7
mp4      winxp-sp3     [no]     QuickTime Player 7.6
mpg      win7-sp1      [no]     Windows Media Player 12.0
mpg      win7x64-sp1   [no]     Windows Media Player 12.0
mpg      winxp-sp3     [no]     Windows Media Player 11.0
msg      win7-sp1      [no]     MS Outlook 2010
msg      win7x64-sp1   [no]     MS Outlook 2013
msg      winxp-sp3     [no]     MS Outlook 2007
msi      win7-sp1      [no]     Windows Explorer
msi      win7x64-sp1   [no]     Windows Explorer
msi      winxp-sp3     [no]     Windows Explorer
pdf      win7-sp1      [yes]    Multiple Adobe Reader X
pdf      win7x64-sp1   [no]     Multiple Adobe Reader X
pdf      winxp-sp3     [yes]    Multiple Adobe Reader X
png      win7-sp1      [no]     InternetExplorer 9.0
png      win7x64-sp1   [no]     InternetExplorer 11.0
png      winxp-sp3     [no]     InternetExplorer 7.0
ppsx     win7-sp1      [yes]    Multiple MS PowerPoint X
ppsx     win7x64-sp1   [no]     MS PowerPoint 2013
ppsx     winxp-sp3     [yes]    Multiple MS PowerPoint X
ppt      win7-sp1      [yes]    Multiple MS PowerPoint X
ppt      win7x64-sp1   [no]     MS PowerPoint 2013
ppt      winxp-sp3     [yes]    Multiple MS PowerPoint X
pptx     win7-sp1      [yes]    Multiple MS PowerPoint X
pptx     win7x64-sp1   [no]     MS PowerPoint 2013
pptx     winxp-sp3     [yes]    Multiple MS PowerPoint X
qt       win7-sp1      [no]     QuickTime Player 7.7
qt       win7x64-sp1   [no]     QuickTime Player 7.7
qt       winxp-sp3     [no]     QuickTime Player 7.6
rm       win7-sp1      [no]     RealPlayer 16.0
rm       win7x64-sp1   [no]     RealPlayer 16.0
rm       winxp-sp3     [no]     RealPlayer 12.0
rmi      win7-sp1      [no]     Windows Media Player 12.0
rmi      win7x64-sp1   [no]     Windows Media Player 12.0
rmi      winxp-sp3     [no]     Windows Media Player 11.0
rtf      win7-sp1      [yes]    Multiple MS Word X
rtf      win7x64-sp1   [no]     MS Word 2013
rtf      winxp-sp3     [yes]    Multiple MS Word X
swf      win7-sp1      [yes]    InternetExplorer 9.0
swf      win7x64-sp1   [no]     InternetExplorer X
swf      winxp-sp3     [yes]    InternetExplorer 7.0
tiff     win7-sp1      [no]     InternetExplorer 9.0
tiff     win7x64-sp1   [no]     InternetExplorer 11.0
tiff     winxp-sp3     [no]     InternetExplorer 7.0
url      win7-sp1      [no]     InternetExplorer 9.0
url      win7x64-sp1   [no]     InternetExplorer 11.0
url      winxp-sp3     [no]     InternetExplorer 7.0
vbs      win7-sp1      [no]     Windows Scripting Host
vbs      win7x64-sp1   [yes]    Windows Scripting Host
vbs      winxp-sp3     [yes]    Windows Scripting Host
vcf      win7-sp1      [no]     Windows Explorer
vcf      win7x64-sp1   [no]     Windows Explorer
vcf      winxp-sp3     [no]     Windows Explorer
vcs      win7-sp1      [no]     Windows Explorer
vcs      win7x64-sp1   [no]     Windows Explorer
vcs      winxp-sp3     [no]     Windows Explorer
wav      win7-sp1      [no]     Windows Media Player 12.0
wav      win7x64-sp1   [no]     Windows Media Player 12.0
wav      winxp-sp3     [no]     Windows Media Player 11.0
wma      win7-sp1      [no]     Windows Media Player 12.0
wma      win7x64-sp1   [no]     Windows Media Player 12.0
wma      winxp-sp3     [no]     Windows Media Player 11.0
wsf      win7-sp1      [no]     Windows Scripting Host
wsf      win7x64-sp1   [no]     Windows Scripting Host
wsf      winxp-sp3     [no]     Windows Scripting Host
xdp      win7-sp1      [yes]    Multiple Adobe Reader X
xdp      win7x64-sp1   [no]     Multiple Adobe Reader X
xdp      winxp-sp3     [yes]    Multiple Adobe Reader X
xls      win7-sp1      [yes]    Multiple MS Excel X
xls      win7x64-sp1   [no]     MS Excel 2013
xls      winxp-sp3     [yes]    Multiple MS Excel X
xlsx     win7-sp1      [yes]    Multiple MS Excel X
xlsx     win7x64-sp1   [no]     MS Excel 2013
xlsx     winxp-sp3     [yes]    Multiple MS Excel X
xml      win7-sp1      [no]     InternetExplorer 9.0
xml      win7x64-sp1   [no]     InternetExplorer 11.0
xml      winxp-sp3     [yes]    InternetExplorer 7.0
Release Information Command deprecated in Release 7.5.0 for the CM Series platform.
show ha configuration Displays the configuration settings for a CM Series High Availability (HA) cluster. For more information about CM Series HA, see the CM Series High Availability Guide.
Syntax show ha configuration
Parameters None
Output Fields The following table describes the output fields for this command.

CMS HA Cluster Settings
License installed: Whether the HA license is installed.
Virtual IP address: The virtual IP (VIP) address used to access the Web UI. NOTE: The value for this field is 0.0.0.0 if no VIP address is configured.
Authkey md5sum: The authentication key used to encrypt the traffic between the two nodes. The same key is shown for both nodes because the key is shared.
Auto-failover: Whether the primary node will automatically fail over to the secondary node if certain conditions are met.
Split-brain autoshutdown: Whether the secondary node's cluster engine will automatically be stopped in a split-brain condition after the cluster manager selects the primary node.
Replicating:
  Configuration: Whether the replication of configuration data is enabled.
  Alerts: Whether replication of alert data is enabled.
  Security content: Whether replication of software downloads from the DTI network is enabled.

Cluster Communications
Default Interface: The name of the default HA interface, whether it is enabled, and the IP address and hostname of each node in the cluster for which the interface is configured.
Backup Interface: The name of the backup HA interface, whether it is enabled, and the IP address and hostname of each node in the cluster for which the interface is configured.

Cluster Resources
sys_disk_monitor enabled: Whether the resource agent that monitors available disk space is enabled.
sys_ether1_monitor enabled: Whether the resource agent that monitors the management (ether1) interface is enabled.
fe_address enabled: Whether the resource agent that monitors and manages the cluster virtual IP (VIP) address is enabled.
fe_correlator enabled: Whether the resource agent that monitors and manages the correlation of malicious URL events detected by a managed NX Series appliance with email events detected by a managed EX Series appliance is enabled.
fe_aggregator enabled: Whether the resource agent that monitors and manages the aggregation of alert data from managed appliances is enabled.
fe_fedb enabled: Whether the resource agent that monitors and manages the FireEye database service is enabled.
fe_webui enabled: Whether the resource agent that monitors and manages the Web UI service is enabled.
fe_peer_service enabled: Whether the resource agent that monitors and manages the service that handles interactions among CM Series platforms in different domains that are licensed to use the CMS Peer Service is enabled.
fe_notification enabled: Whether the resource agent that monitors and manages the service that sends malware alert notifications is enabled.
fe_http enabled: Whether the resource agent that monitors and manages CM Series Web services is enabled.
Examples The following example displays the cluster configuration on node1 in the default single-interface configuration. In this configuration, ether1 is the default HA interface, and there is no backup HA interface, VIP address, or IP routing.
node1 # show ha configuration
CMS HA Cluster Settings:
  License installed: yes
  Authkey md5sum: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
  Virtual IP address: 0.0.0.0
  Auto-failover: yes
  Split-brain auto-shutdown: no
  Replicating:
    Configuration: yes
    Alerts: yes
    Security content: yes
Cluster Communications:
  Default Interface: ether1
    Enabled: yes
    Members (ether1): 10.0.1.1/node1, 10.0.1.2/node2
  Backup Interface: ether3
    Enabled: no
    Members (ether3): 0.0.0.0/node1,
Cluster Resources:
  sys_disk_monitor enabled: yes
  sys_ether1_monitor enabled: yes
  fe_address enabled: no
  fe_correlator enabled: yes
  fe_aggregator enabled: yes
  fe_fedb enabled: yes
  fe_webui enabled: yes
  fe_peer_service enabled: yes
  fe_notification enabled: yes
  fe_http enabled: yes
The following example displays the cluster configuration on node1 in the dual-interface LAN configuration.
node1 # show ha configuration
CMS HA Cluster Settings:
  License installed: yes
  Authkey md5sum: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
  Virtual IP address: 0.0.0.0
  Auto-failover: yes
  Split-brain auto-shutdown: no
  Replicating:
    Configuration: yes
    Alerts: yes
    Security content: yes
Cluster Communications:
  Default Interface: ether3
    Enabled: yes
    Members (ether1): 10.0.0.1/node1, 10.0.0.2/node2,
  Backup Interface: ether3
    Enabled: yes
    Members (ether3): 10.0.1.1/node1, 10.0.1.2/node2,
Cluster Resources:
  sys_disk_monitor enabled: yes
  sys_ether1_monitor enabled: yes
  fe_address enabled: no
  fe_correlator enabled: yes
  fe_aggregator enabled: yes
  fe_fedb enabled: yes
  fe_webui enabled: yes
  fe_peer_service enabled: yes
  fe_notification enabled: yes
  fe_http enabled: yes
User Role Admin, Operator, or Monitor
Command Mode Enable
Release Information This command was introduced as follows: CM Series: Before Release 6.4. The output fields changed in Release 7.7.
Related Commands For a list of related commands, see: CM Series High Availability (HA) Command Family on page 71
show ha image check status Displays information about the readiness of the primary node in a CM Series HA cluster to be updated and reloaded. Run this command before you download and install a new system image, and then run it again before you reload the node to complete the update. For more information about CM Series HA, see the CM Series High Availability Guide.
Syntax show ha image check status
Parameters None
Example The following example shows that node1 is ready to be updated.
node1 # show ha image check status
                                             node1     node2
Network_Connectivity_using_SSH               pass      pass
Backup_HA_Interface_Upgrade_Check            up        up
Peer_Service_Upgrade_Check                   off       running
Cluster_Resource_Manager_Upgrade_Check       running   running
Correlator_Service_Upgrade_Check             off       running
Disk_Monitoring_Service_Upgrade_Check        running   running
VIP_Service_Upgrade_Check                    disabled  disabled
Notification_Service_Upgrade_Check           off       running
Alerts_Replication_Upgrade_Check             running   running
FireEye_Database_Upgrade_Check               running   running
Webui_Service_Upgrade_Check                  off       running
Default_HA_Interface_Upgrade_Check           up        up
Httpd_Service_Upgrade_Check                  running   running
Security_Content_Replication_Upgrade_Check   running   running
Configuration_Replication_Upgrade_Check      running   running
Configuration_Sync_Status                    yes       yes
Ether1_Monitoring_Service_Upgrade_Check      running   running
Cluster_Communication_Engine_Upgrade_Check   running   running
Aggregator_Service_Upgrade_Check             off       running
Disk_Space_Upgrade_Check                     pass      pass
Overall_Cluster_Status                       running   running
UPGRADE CHECK COMPLETE: Node is in healthy condition to upgrade to newer image
User Role Admin, Operator, or Monitor
Command Mode Enable
Release Information This command was introduced as follows: CM Series: Release 7.9.
Related Commands For a list of related commands, see: CM Series High Availability (HA) Command Family on page 71
show ha interfaces Displays the status of the default and backup HA interfaces on a CM Series High Availability (HA) cluster. For more information about CM Series HA, see the CM Series High Availability Guide.
Syntax show ha interfaces
Parameters None
Output Fields HA interface status values:
- Up: All links of the same type are up.
- Off: The interface is disabled in the configuration.
- Down: The interface is configured, but is down. Either all links of the same type are down, or the primary node interface is not connected to the secondary node interface.
Example The following example displays the status of the HA interfaces on node1 in a dual-interface configuration.
node1 # show ha interfaces
Interfaces
default: up
backup: up
User Role Admin, Operator, or Monitor
Command Mode Enable
Release Information This command was introduced as follows: CM Series: Before Release 6.4. The output fields changed in Release 7.7.
Related Commands For a list of related commands, see: CM Series High Availability (HA) Command Family on page 71
show ha members Displays the nodes that are members of the CM Series High Availability (HA) cluster and that are currently online. For more information about CM Series HA, see the CM Series High Availability Guide.
Syntax show ha members
Parameters None
Examples The following example displays the online nodes in the cluster.
node1 # show ha members
node1
node2
The following example displays only node1, because node2 is currently offline.
node1 # show ha members
node1
User Role Admin, Operator, or Monitor
Command Mode Enable
Release Information This command was introduced as follows: CM Series: Before Release 6.4.
Related Commands For a list of related commands, see: CM Series High Availability (HA) Command Family on page 71
show ha members all Displays the nodes that are members of the CM Series High Availability (HA) cluster. Both nodes are displayed, whether they are currently online or offline. For more information about CM Series HA, see the CM Series High Availability Guide.
Syntax show ha members all
Parameters None
Example The following example displays both nodes in the cluster.
node1 # show ha members
node1
node2
User Role Admin, Operator, or Monitor
Command Mode Enable
Release Information This command was introduced as follows: CM Series: Before Release 6.4.
Related Commands For a list of related commands, see: CM Series High Availability (HA) Command Family on page 71
show ha replication status Displays the replication status of the configuration data, alert data, and security content. For more information about CM Series HA, see the CM Series High Availability Guide.
Syntax show ha replication status
Parameters None
Examples The following example displays the default status of the data replication services on node1.
node1 # show ha replication status
configuration: running
alerts: running
security content: running
The following example displays the status of the data replication services on node2. This example is from a Disaster Recovery (DR) deployment, where alert replication and security content replication were explicitly disabled to reduce traffic on lower bandwidth links.
node2 # show ha replication status
configuration: running
alerts: off
security content: off
User Role Admin, Operator, or Monitor
Command Mode Enable
Release Information This command was introduced as follows: CM Series: Before Release 6.4. The output fields changed in Release 7.7.
Related Commands For a list of related commands, see: CM Series High Availability (HA) Command Family on page 71
show ha resources Displays the current status of the resource agents in a CM Series High Availability (HA) cluster.
Syntax show ha resources
Parameters None
Output Fields The output of this command shows the number of resource agents, lists the resource agents, and shows their status on each node. HA resource agent status values:
- Running: The agent is running.
- Stopped: The agent is stopped.
- Starting: The agent is starting.
- Error: The agent failed to start.
- Off: The agent is disabled in the configuration.
- Unknown: The node is not accessible, so the status cannot be reported.
Description A resource agent allows the cluster engine to interact with a specific service or resource. The following table describes each resource agent and shows its normal status in the primary and secondary nodes. (For more information about resource agents, see the CM Series High Availability Guide.)

Resource Agent Name: Purpose. (Primary Normal State / Secondary Normal State)
sys_disk_monitor: Monitors available disk space. (Running / Running)
sys_ether1_monitor: Monitors the management (ether1) interface. (Running / Running)
fe_address: Monitors and manages the cluster virtual IP (VIP) address, which is shared by both nodes and used to access the Web UI of the primary node. (Off / Off)
fe_correlator: Monitors and manages the correlation of malicious URL events detected by an NX Series appliance with email events detected by an EX Series appliance. This pertains to a CM Series platform that manages both appliance types. (Running / Off)
fe_aggregator: Monitors and manages the aggregation of alert data from managed appliances. (Running / Off)
fe_fedb: Monitors and manages the FireEye database service. (Running / Running)
fe_webui: Monitors and manages the Web UI service. (Running / Off)
fe_peer_service: Monitors and manages the service that handles interactions among CM Series platforms in different domains. This pertains to CM Series platforms that are licensed to use the CMS Peer Service. (Running / Off)
fe_notification: Monitors and manages the service that sends malware alert notifications. (Running / Off)
fe_http: Monitors and manages CM Series Web services. (Running / Running)
Example The following example displays the resource agent status. Note that fe_fedb and fe_http are stopped on node2 here, which is not their normal state (compare the table above).

node1 # show ha resources
Resource Status          node1      node2
Resources                10
  sys_disk_monitor:      running    running
  sys_ether1_monitor:    running    running
  fe_address:            off        off
  fe_correlator:         running    off
  fe_aggregator:         running    off
  fe_fedb:               running    stopped
  fe_webui:              running    off
  fe_peer_service:       running    off
  fe_notification:       running    off
  fe_http:               running    stopped
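As an added example (not FireEye code), the following Python script parses show ha resources output and reports every agent whose state differs from the normal states in the table above. The normal-state table is transcribed from this page; the sample output is constructed to match the example above, so it flags fe_fedb and fe_http on node2. It assumes the first node column is the primary, as in the example (confirm which node is primary with show ha status).

```python
"""Check `show ha resources` output against the documented normal states.

Added example, not FireEye code. NORMAL_STATE is transcribed from the
resource agent table in the documentation; SAMPLE_OUTPUT is constructed to
match the documented example (fe_fedb and fe_http stopped on node2).
"""
import re

# (primary normal state, secondary normal state) per resource agent.
NORMAL_STATE = {
    "sys_disk_monitor": ("running", "running"),
    "sys_ether1_monitor": ("running", "running"),
    "fe_address": ("off", "off"),
    "fe_correlator": ("running", "off"),
    "fe_aggregator": ("running", "off"),
    "fe_fedb": ("running", "running"),
    "fe_webui": ("running", "off"),
    "fe_peer_service": ("running", "off"),
    "fe_notification": ("running", "off"),
    "fe_http": ("running", "running"),
}

# Constructed sample, laid out like the documented example output.
SAMPLE_OUTPUT = """\
node1 # show ha resources
Resource Status          node1      node2
Resources                10
  sys_disk_monitor:      running    running
  sys_ether1_monitor:    running    running
  fe_address:            off        off
  fe_correlator:         running    off
  fe_aggregator:         running    off
  fe_fedb:               running    stopped
  fe_webui:              running    off
  fe_peer_service:       running    off
  fe_notification:       running    off
  fe_http:               running    stopped
"""

# One agent line: name, colon, then one state per node column.
_AGENT_LINE = re.compile(r"^\s*(\w+):\s+(\w+)\s+(\w+)\s*$")


def parse_resources(text):
    """Return {agent: (first_column_state, second_column_state)}.

    Assumption: the first node column is the primary node, as in the
    documented example where the command is run on node1.
    """
    states = {}
    for line in text.splitlines():
        m = _AGENT_LINE.match(line)
        if m:
            states[m.group(1)] = (m.group(2).lower(), m.group(3).lower())
    return states


def find_deviations(states, expected=NORMAL_STATE):
    """Return (agent, node, actual, expected) for every mismatch.

    'unknown' counts as a deviation because it means the node could not be
    reached, which is exactly what an operator wants surfaced. Agents missing
    from the output are reported with actual='missing'.
    """
    problems = []
    for agent, (exp_pri, exp_sec) in expected.items():
        actual = states.get(agent)
        if actual is None:
            problems.append((agent, "both", "missing", f"{exp_pri}/{exp_sec}"))
            continue
        if actual[0] != exp_pri:
            problems.append((agent, "primary", actual[0], exp_pri))
        if actual[1] != exp_sec:
            problems.append((agent, "secondary", actual[1], exp_sec))
    return problems


if __name__ == "__main__":
    for agent, node, got, want in find_deviations(parse_resources(SAMPLE_OUTPUT)):
        print(f"{agent}: {node} is {got}, expected {want}")
```

Feed it the captured output of the command on the primary node; anything it prints is a resource agent that needs attention before a failover is attempted.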
User Role Admin, Operator, or Monitor
Command Mode Enable
Release Information This command was introduced as follows: CM Series: Before Release 6.4. The output fields changed in Release 7.7.
Related Commands For a list of related commands, see: CM Series High Availability (HA) Command Family on page 71
show ha status (for CM) Displays the current status of a CM Series High Availability (HA) cluster.
Syntax show ha status
Parameters None
Output Fields The following table describes the output fields for this command.

Status: The state of the cluster:
- Running: All services are running, all communication links are up, and all nodes are online.
- Stopped: At least one service is not running on at least one node.
- Starting: At least one service is starting up on at least one node, or the database synchronization is being set up on the secondary node.
- Updating: A software upgrade or downgrade is being performed on a node in the cluster.
- Degraded: Backup links of the same type are down, or the secondary node is configured but currently offline.
- Error: Communication links are down or broken, or a service failed to start.
- Unknown: The node is not accessible.

Primary Node: The hostname of the primary node. If you are viewing the status from the primary node CLI, (self) is also displayed.

Nodes Status: The state of each node in the cluster. The values are the same as for Status (Running, Stopped, Starting, Updating, Degraded, Error, and Unknown).

Interfaces: The state of the HA interfaces on the primary and secondary nodes:
- Up: All links of the same type are up.
- Off: The interface is disabled in the configuration.
- Down: The interface is configured but is down. Either all links of the same type are down, or the primary node interface is not connected to the secondary node interface.
Services: The state of the following services:
- Cluster Communication Engine: sends messages between the two nodes in the cluster, handles failover and split-brain occurrences, and so on.
- Cluster Resource Manager: manages the resource agents that monitor and manage cluster resources and services.
- Data Replication Services (Configuration, Alerts, Security Content): manage the replication of alert data (if enabled), configuration data, and security content between the two nodes in the cluster.
State values:
- Running: The service is running.
- Stopped: The service is stopped.
- Starting: The service is starting, or the database synchronization is being set up on the secondary node.
- Error: The service failed to start.
- Off: The service is disabled in the configuration.
- Unknown: The node is not accessible, so the status cannot be reported.

Resources: The state of each resource agent:
- Running: The agent is running.
- Stopped: The agent is stopped.
- Starting: The agent is starting.
- Error: The agent failed to start.
- Off: The agent is disabled in the configuration.
- Unknown: The node is not accessible, so the status cannot be reported.
For a description of the resource agents and their normal states on the primary and secondary nodes, see show ha resources on page 1666.
Example The following example shows the cluster status displayed from the primary node in a single-interface configuration. The output is the same when you display the status from the secondary node, except (self) is not displayed in the Primary Node: line.
node1 # show ha status
Cluster Status
  Status:                          updating
  Primary Node:                    node1 (self)

Nodes Status                       node1      node2
  Status:                          running    updating

Interfaces
  Default:                         up         up
  Backup:                          up         up

Services
  Cluster Communication Engine:    running    running
  Cluster Resource Manager:        running    running
  Data Replication Services
    Configuration:                 running    starting
    Alerts:                        running    starting
    Security content:              running    starting

Resources
  sys_disk_monitor:                running    running
  sys_ether1_monitor:              running    running
  fe_address:                      off        off
  fe_correlator:                   running    off
  fe_aggregator:                   running    off
  fe_fedb:                         running    running
  fe_webui:                        running    off
  fe_peer_service:                 running    off
  fe_notification:                 running    off
  fe_http:                         running    running
User Role Admin, Operator, or Monitor
Command Mode Enable
Release Information This command was introduced as follows: CM Series: Before Release 6.4. The output fields changed in Release 7.7. The detail and monitor parameters were deprecated in Release 7.7.
Related Commands For a list of related commands, see: CM Series High Availability (HA) Command Family on page 71 For more information about CM Series HA, see the CM Series High Availability Guide.
show ha status (for NX) Displays the current status of an NX Series appliance that is a member of an NX Series High Availability (HA) pair.
Syntax show ha status
Parameters None
Output Fields The following table describes the output fields for this command.

High Availability:
- Enabled: The appliance is in the HA pair.
- Disabled: The appliance has never been added to the pair or has been removed from it.

HA Cluster Name: The name of the HA pair.

HA Peer Name: The hostname of the other NX Series appliance in the pair.

HA Peer ID: The unique ID of the other appliance in the pair.

HA Status: The state of the pair. In the examples below this line reports Good or Degraded, and the condition behind a Degraded state appears in the HA Status Description line. The following conditions can be reported:
- Control port link is down: The control port link is down. If the cable is properly connected, this condition usually clears with no intervention.
- Data port link is down: The data port link is down. If the cable is properly connected, this condition usually clears with no intervention.
- Heartbeat not received: Heartbeat messages were not exchanged. This condition usually clears with no intervention.
- Data port connectivity not connected properly: The data port is not healthy or is not connected to the peer appliance.
- HA pair is not compatible: The appliances are not running the same version of the NX Series software image.
- HA model is not compatible: The NX Series appliance hardware models do not match.
- HA pair is not compatible due to license check: A restricted license is active on both appliances. (A full license must be active on at least one appliance.)
- HA peer verification failed: The peer verification failed for one or more of the following reasons: the appliances do not have an established connection between them, the appliance hardware models do not match, the NX Series software images do not match, or a license check failed.
- Init Check failed: The initial handshake failed, so the appliances cannot communicate with each other. This status usually clears with no intervention.

HA Status Description: A brief description of the state of the pair.

HA License: Full or Restricted. A full license must be installed on one of the appliances in the pair. A restricted or a full license can be installed on the other appliance.

HA Grace Period Status: Disabled if the appliance with the restricted license has already been added to the pair. Enabled if the restricted appliance has not been added to the pair. The grace period is 90 days. If the restricted appliance is not added to the pair before the grace period ends, that appliance loses its detection capabilities.

HA Grace Period Days Left: The number of days remaining before the grace period ends. This value is reduced by one for each day the appliance is not added to the pair. (If the HA Grace Period Status value is Disabled, the value of this field is always 90.)
Examples The following example shows the status of the nx-1 appliance. This appliance is the member with the full NX Series product license.

nx-1 # show ha status
High Availability:     Enabled
HA Cluster Name:       Acme_NXHA
HA Peer Name:          nx-2
HA Peer ID:            1XXXXXXXXXXX
HA Status:             Good
HA Status Description: OK
HA License:            Full

The following example shows the status of the nx-2 appliance. This appliance is the member with the restricted NX Series product license.

nx-2 # show ha status
High Availability:        Enabled
HA Cluster Name:          Acme_NXHA
HA Peer Name:             nx-1
HA Peer ID:               2XXXXXXXXXXX
HA Status:                Good
HA Status Description:    OK
HA License:               Restricted
HA Grace Period Status:   Disabled
HA Grace Period Days Left: 90

The following example shows the status of the nx-2 appliance after it was removed from the NX Series HA pair. Removing it from the pair causes the restricted license grace period to be enabled.

nx-2 # show ha status
High Availability: Disabled

The following example shows the status of the nx-1 appliance while its peer is rebooting. While nx-2 is rebooting, the status description on nx-1 is Init Check failed.

nx-1 # show ha status
High Availability:     Enabled
HA Cluster Name:       Acme_NXHA
HA Peer Name:          nx-2
HA Peer ID:            1XXXXXXXXXXX
HA Status:             Degraded
HA Status Description: Init Check failed
HA License:            Full
User Role Admin, Monitor, or Analyst
Command Mode Enable
Release Information This command was introduced as follows: NX Series: Release 7.8.0
Related Commands For a list of related commands, see NX Series High Availability (HA) Command Family on page 117. For more information about NX Series HA, see the NX Series High Availability Guide.
show hosts Description Displays the hostname of the FireEye appliance, the Domain Name Service (DNS) name server addresses, the list of specified domain names, and the static host/IP address mappings. Related commands: ip domain-list, ip name-server.
Syntax show hosts
Parameters None
Example The following example shows all host information.

hostname > show hosts
Hostname: Quest3
Name server: 10.1.10.2 (configured)
Domain name: fireeye.com (configured)
IP 10.1.10.3 maps to hostname localhost
IPv6 maps to hostname localhost
Automatically map hostname to loopback address: yes
Automatically map hostname to IPv6 loopback address: no
show hx agent Displays the agent configuration information for the HX Series appliance.
Syntax show hx agent
Parameters None
Example The following example shows the output produced when you enter the show hx agent command:

hostname (config) # show hx agent
HX Endpoint Agent Configuration:
  Poll Interval: 10 min
  Fast Poll Interval: 1 min
  Refresh Indicator Interval: 30 min
  Real Time Detection: enabled
  Maximum CPU Usage: 100%
  Event Buffer Size: 120 MB
  Resource Use Exception: disabled
  Exception Maximum CPU Usage: 50%
  Exception Event Buffer Size: 10 MB
  Concurrent Host Exception: disabled
  Concurrent Host Limit: 50
  Server 1 Hostname: 15.55.725.230
  Provisioning: enabled
  Legacy Primary: enabled
User Role All roles except API Analysts and API Admins
Command Mode Configuration
Release Information This command was introduced as follows:
- HX Series: Release 2.5

Related Commands
- hx agent concurrent host-exception enable
- hx agent concurrent host-exception limit
- hx agent event buf-size
- hx agents events enable
- hx agent fastpoll
- hx agent indicator
- hx agent max-cpu
- hx agent poll
- hx agent resource-exception enable
- hx agent resource-exception event-buf-size
- hx agent resource-exception max-cpu
show hx agent aging Displays the agent aging-related settings.
Syntax show hx agent aging
Parameters None
Example The following example shows the output produced when you enter the show hx agent aging command:

hostname (config) # show hx agent aging
HX Agent Aging values:
  Enable: enabled
  Inactive Period: 90 days
  New Orphan Period: 1 day
User Role All roles except API Analysts and API Admins
Command Mode Configuration
Release Information This command was introduced as follows:
- HX Series: Release 2.5

Related Commands
- hx agent aging enable
- hx agent aging inactive-period
- hx agent aging new-orphan-period
- hx agent fastpoll
show hx agent inactivity Displays agent inactivity-related settings. If agents exceed this inactivity period, they are included in the count of inactive agents on the Web UI Dashboard. You can set this inactivity period using the hx agent inactivity period command.
Syntax show hx agent inactivity
Parameters None
Example The following example shows the output produced when you enter the show hx agent inactivity command:

hostname (config) # show hx agent inactivity
HX Agent Inactivity values:
  Period: 30 days
User Role All roles except API Analysts and API Admins
Command Mode Configuration
Release Information This command was introduced as follows:
- HX Series: Release 2.5

Related Commands
- hx agent inactivity period
show hx app-proc Displays application processing information for the HX Series appliance and the appliance's current state.
Syntax show hx app-proc
Parameters None
Example The following example shows the output produced by the show hx app-proc command:

hostname (config) # show hx app-proc
HX App Proc Configuration:
  Quiesce Mode: disabled
  State: running
User Role All roles except API Analysts and API Admins
Command Mode Configuration
Release Information This command was introduced as follows:
- HX Series: Release 2.5

Related Commands
- hx server app-proc quiesce
show hx ecosystem Displays ecosystem-related settings for the HX Series appliance, including information about any DMZ appliances.
Syntax show hx ecosystem
Parameters None
Example The following example shows the output produced by the show hx ecosystem command:

hostname (config) # show hx ecosystem
HX Ecosystem Configuration:
  Appliance Role: master
  No DMZ appliances configured.
User Role All roles except API Analysts and API Admins
Command Mode Configuration
Release Information This command was introduced as follows:
- HX Series: Release 2.5

Related Commands
- hx ecosystem dmz attach
show hx pki Displays the public key infrastructure (PKI) settings of the HX Series appliance: the certificate subject prefix, CA and certificate lifetimes, key sizes, the CRL lifetime, and the validity period, subject, and fingerprint of each CA and CRL currently in use.
Syntax show hx pki
Parameters None
Example The following example shows the output produced by the show hx pki command:

hostname (config) # show hx pki
HX PKI Configuration:
  Prefix: /C=US/ST=VA/L=RESTON/O=FIREEYE/OU=PRODUCT/
  Agent CA days: 7300
  Agent CA key bits: 2048
  Agent cert days: 1825
  Server CA days: 7300
  Server cert key bits: 2048
  Server cert days: 1825
  Server CRL days: 30
  Provisioning cert use enabled: yes
CA: comms
  valid from: "Apr 29 18:16:11 2015 GMT" to "Apr 29 18:16:11 2035 GMT"
  subject: /C=US/ST=VA/L=RESTON/O=FIREEYE/OU=PRODUCT/CN=PRODCA
  fingerprint: C0:29:E3:76:09:45:FF:52:A7:FA:74:5F:3C:4D:6B:AA:69:CB:D2:82
CA: distro
  valid from: "Oct 16 14:58:28 2012 GMT" to "Oct 16 14:58:28 2032 GMT"
  subject: /C=US/ST=Virginia/L=Reston/O=Mandiant/CN=root.mandiant.com
  fingerprint: E9:18:B3:4E:75:79:B2:B5:49:B4:17:19:AC:82:24:B3:34:89:7E:01
CA: agent
  valid from: "Apr 29 18:16:09 2015 GMT" to "Apr 29 18:16:09 2035 GMT"
  subject: /C=US/ST=VA/L=RESTON/O=FIREEYE/OU=PRODUCT/CN=PRODCA
  fingerprint: 46:6E:03:59:7F:26:86:80:79:C9:58:9E:25:46:F6:9A:4D:F1:51:23
CRL: comms
  issued: "Apr 29 18:16:13 2015 GMT" and expires on "May 29 18:16:13 2015 GMT"
  number: 1430331369
  fingerprint: FD:A0:CB:EF:98:35:CE:EE:F7:E3:DB:28:41:7D:C3:A4:B2:9E:3B:6B
CRL: distro
  issued: "Feb 24 15:41:36 2015 GMT" and expires on "Feb 23 15:41:36 2017 GMT"
  number: 4
  fingerprint: B0:0E:98:98:B8:32:84:18:54:43:88:6C:45:02:E7:01:BE:7F:C4:35
host: fireeye-907288 role: ca last ping: 2015-05-11T15:17:45.228Z
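Added example, not FireEye code: a Python audit of show hx pki output that flags expired CAs, CRLs that are expired or close to expiry, and key sizes below 2048 bits. The sample is constructed from the example above, and the reference time is taken from its last ping line so the result is repeatable. The 30-day warning window is an assumption chosen to match the Server CRL days value shown; an expired CRL leaves relying parties with no fresh revocation data for that CA, which is the condition the audit is meant to surface early.

```python
"""Audit `show hx pki` output for expiring CAs/CRLs and weak key sizes.

Added example, not FireEye code. SAMPLE_PKI is constructed from the
documented example output; the 'last ping' timestamp is used as the
reference time so the findings are deterministic.
"""
import re
from datetime import datetime, timezone

SAMPLE_PKI = """\
HX PKI Configuration:
  Prefix: /C=US/ST=VA/L=RESTON/O=FIREEYE/OU=PRODUCT/
  Agent CA days: 7300
  Agent CA key bits: 2048
  Agent cert days: 1825
  Server CA days: 7300
  Server cert key bits: 2048
  Server cert days: 1825
  Server CRL days: 30
  Provisioning cert use enabled: yes
CA: comms
  valid from: "Apr 29 18:16:11 2015 GMT" to "Apr 29 18:16:11 2035 GMT"
  subject: /C=US/ST=VA/L=RESTON/O=FIREEYE/OU=PRODUCT/CN=PRODCA
  fingerprint: C0:29:E3:76:09:45:FF:52:A7:FA:74:5F:3C:4D:6B:AA:69:CB:D2:82
CA: distro
  valid from: "Oct 16 14:58:28 2012 GMT" to "Oct 16 14:58:28 2032 GMT"
  subject: /C=US/ST=Virginia/L=Reston/O=Mandiant/CN=root.mandiant.com
  fingerprint: E9:18:B3:4E:75:79:B2:B5:49:B4:17:19:AC:82:24:B3:34:89:7E:01
CA: agent
  valid from: "Apr 29 18:16:09 2015 GMT" to "Apr 29 18:16:09 2035 GMT"
  subject: /C=US/ST=VA/L=RESTON/O=FIREEYE/OU=PRODUCT/CN=PRODCA
  fingerprint: 46:6E:03:59:7F:26:86:80:79:C9:58:9E:25:46:F6:9A:4D:F1:51:23
CRL: comms
  issued: "Apr 29 18:16:13 2015 GMT" and expires on "May 29 18:16:13 2015 GMT"
  number: 1430331369
  fingerprint: FD:A0:CB:EF:98:35:CE:EE:F7:E3:DB:28:41:7D:C3:A4:B2:9E:3B:6B
CRL: distro
  issued: "Feb 24 15:41:36 2015 GMT" and expires on "Feb 23 15:41:36 2017 GMT"
  number: 4
  fingerprint: B0:0E:98:98:B8:32:84:18:54:43:88:6C:45:02:E7:01:BE:7F:C4:35
host: fireeye-907288 role: ca last ping: 2015-05-11T15:17:45.228Z
"""

_DATE_FMT = "%b %d %H:%M:%S %Y GMT"
_SECTION = re.compile(r"^(CA|CRL): (\w+)")          # "CA: comms", "CRL: distro"
_VALID = re.compile(r'valid from: "([^"]+)" to "([^"]+)"')
_ISSUED = re.compile(r'issued: "([^"]+)" and expires on "([^"]+)"')
_KEY_BITS = re.compile(r"^\s*(.+key bits): (\d+)\s*$")
_PING = re.compile(r"last ping: (\S+)Z")


def parse_pki(text):
    """Return (items, key_bits, last_ping).

    items maps 'CA:comms', 'CRL:comms', ... to (start, end) datetimes;
    key_bits maps the key-size setting names to their bit counts.
    """
    items, key_bits, last_ping, current = {}, {}, None, None
    for line in text.splitlines():
        sec = _SECTION.match(line)
        if sec:
            current = f"{sec.group(1)}:{sec.group(2)}"
        for pat in (_VALID, _ISSUED):
            m = pat.search(line)
            if m and current:
                items[current] = tuple(datetime.strptime(d, _DATE_FMT) for d in m.groups())
        kb = _KEY_BITS.match(line)
        if kb:
            key_bits[kb.group(1).strip()] = int(kb.group(2))
        p = _PING.search(line)
        if p:
            last_ping = datetime.strptime(p.group(1), "%Y-%m-%dT%H:%M:%S.%f")
    return items, key_bits, last_ping


def audit(text, now=None, crl_warn_days=30, min_bits=2048):
    """Return a sorted list of finding strings.

    A CRL is flagged when already expired or expiring within crl_warn_days
    (assumption: 30 days, matching the Server CRL days setting in the sample).
    A CA is flagged only once it has expired. Key sizes below min_bits are
    flagged as weak. The reference time defaults to the 'last ping' value.
    """
    items, key_bits, last_ping = parse_pki(text)
    now = now or last_ping or datetime.now(timezone.utc).replace(tzinfo=None)
    findings = []
    for name, (_start, end) in items.items():
        left = (end - now).days
        if end <= now:
            findings.append(f"{name} expired {abs(left)} days ago")
        elif name.startswith("CRL:") and left < crl_warn_days:
            findings.append(f"{name} expires in {left} days")
    for setting, bits in key_bits.items():
        if bits < min_bits:
            findings.append(f"{setting} is {bits}, below {min_bits}")
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(SAMPLE_PKI):
        print(finding)
```

Run it against a saved copy of the command output on a schedule; on the sample above it reports only the comms CRL, which has 18 days left relative to the last ping time, so the check fires well before the 30-day CRL lifetime runs out.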
User Role All roles except API Analysts and API Admins
Command Mode Configuration
Release Information This command was introduced as follows:
- HX Series: Release 2.5

Related Commands
- hx pki agent ca-days on page 871
- hx pki agent cert-bits on page 872
- hx pki agent cert-days on page 873
- hx pki export file on page 874
- hx pki import file on page 875
- hx pki provisioning on page 876
- hx pki regenerate on page 877
- hx pki regenerate crl on page 878
- hx pki regenerate subordinate on page 879
- hx pki server ca-days on page 880
- hx pki server cert-bits on page 881
- hx pki server cert-days on page 882
- hx pki server crl-days on page 883
- hx pki server crl-upload on page 884
- hx pki subject prefix on page 885
show hx server containment Displays general HX server containment-related settings.
Syntax show hx server containment
Parameters None
Example The following example shows the output produced by the show hx server containment command:

hostname (config) # show hx server containment
HX Server Containment Configuration:
  Containment: enabled
  Containment Feature Block: disabled
  Containment Notification: disabled
  Notification Content Type: custom
  Containment Task Timeout: 14 days
  No whitelist hosts configured.
User Role All roles except API Analysts and API Admins
Command Mode Configuration
Release Information This command was introduced as follows:
- HX Series: Release 2.5

Related Commands
- hx server containment blocked
- hx server containment enable
- hx server containment notification enable
- hx server containment notification source
- hx server containment task-timeout
- hx server containment whitelist
show hx server containment notification Displays HX server containment notification-related settings. When the command is specified with the notification custom parameter, the output shows the notification text sent to the endpoints when they are contained. When it is specified with the notification url parameter, the output shows the URL for endpoint containment notifications.
Syntax show hx server containment notification [custom | url]
Parameters These optional parameters are mutually exclusive; you can specify only one of them.
custom: Displays the notification text sent to the endpoints when they are contained.
url: Displays the URL for endpoint containment notifications.
Example The following example shows the output produced by the show hx server containment notification url command:

hostname (config) # show hx server containment notification url
Notification URL: https://12.34.567.90
User Role All roles except API Analysts and API Admins
Command Mode Configuration
Release Information This command was introduced as follows:
- HX Series: Release 2.5

Related Commands
- hx server containment notification custom
- hx server containment notification url
show hx server detection Displays detection-related settings for the HX appliance, including the indicator aging and alert aging intervals.
Syntax show hx server detection
Parameters None
Example The following example shows the output produced by the show hx server detection command:

hostname (config) # show hx server detection
HX Server Detection Configuration:
  Generated Indicator Aging: enabled
  Generated Indicator Aging Period: 14 days
  Alert Aging Period: 30 days
  False Positive Alert Aging Period: 1 day
  Intel Matching: enabled
  Legacy notification listener active: no
  Malicious.URL Indicator Generation (legacy): yes
  Suspicious (noisy) Indicator Generation (legacy): no
  Inbound alert poll interval: 5 minutes
  Inbound alert minimum severity: majr
  No ignored alert types.
  Last bookmark ID: 0
User Role All roles except API Analysts and API Admins
Command Mode Configuration
Release Information This command was introduced as follows:
- HX Series: Release 2.5
Related Commands
- hx server detection aging alert fp-period
- hx server detection aging alert period
- hx server detection aging indicator generated enable
- hx server detection aging indicator generated period
- hx server detection inbound bookmark
- hx server detection inbound ignore-type
- hx server detection inbound min-threshold
- hx server detection inbound poll-interval
- hx server detection intel matching
- hx server detection legacy enable
- hx server detection legacy malicious-url
- hx server detection legacy noisy-indicator
show hx server exd Displays the agent settings related to Exploit Guard functions (exploit detection).
Syntax show hx server exd
Parameters None
Example The following example shows the output produced when you enter the show hx server exd command:

hostname (config) # show hx server exd
HX Server ExD Configuration:
  ExD enabled by user: disabled
  ExD Whitelist: enabled
    Path 1: 'test'
    Path 2: 'test2'
  ExD Exception Policy Whitelist: disabled
    No entries
User Role All roles except API Analysts and API Admins
Command Mode Configuration
Release Information This command was introduced as follows:
- HX Series: Release 3.1

Related Commands
- hx server exd enable
show hx server general Displays general server configuration information for the HX Series appliance. This includes the sysinfo collection interval, triage and auto-triage throttle settings, aging periods, and acquisition settings. The output also shows, in clear text, the zip passphrase applied to acquired files, so protect any captured output of this command (session logs, transcripts, tickets) accordingly.
Syntax show hx server general
Parameters None
Example The following example shows the output produced by the show hx server general command:

hostname (config) # show hx server general
HX General Server Configuration:
  Sysinfo Interval: 1 day
  Sysinfo Dispatch Duration: disabled
  Sysinfo Task Timeout: 14 days
  Auto-Triage: enabled
    Per Agent Limit: 1            Period: 30 min
    Per Agent/Condition Limit: 1  Period: 12 hr
    Per Condition Limit: 20       Period: 12 hr
    Per Indicator Limit: 20       Period: 12 hr
    IOC: Limit: 75                Period: 6 hr
    ExD: Limit: 75                Period: 6 hr
    Global: Limit: 100            Period: 6 hr
  Triage Prior Window: 10 min
  Triage After Window: 10 min
  Triage Task Limit: 100
  Triage Task Timeout: 14 days
  Triage Extract Task Timeout: 5 min
  Triage Extract Task Limit: 2
  Triage Extract Retry Limit: 5
  Triage Aging: enabled
  Triage Aging Disk Storage Limit: 256000 mb
  Triage Aging Periods: completed: none  failed: none  pending: 14 days
  Script Aging Period: 7 days
  Agent Aging Period: 90 days
  Agent Aging Orphan Period: 1 day
  Agent Inactive Period: 30 days
  Task Aging Period: 1 day
  Agent Upgrade Task Limit: 5000
  Agent Upgrade Task Timeout: 14 days
  Acquisitions: enabled
  zip passphrase for acquired files: unzip-me
User Role All roles except API Analysts and API Admins
Command Mode Configuration
Release Information This command was introduced as follows:
- HX Series: Release 2.5

Related Commands
- hx server acquisition aging completed-period
- hx server acquisition aging disk-limit
- hx server acquisition aging enable
- hx server acquisition aging failed-period
- hx server acquisition aging pending-period
- hx server acquisition default-zip-passphrase
- hx server acquisition enable
- hx server script aging period
- hx server sysinfo dispatch-duration
- hx server sysinfo task-timeout
- hx server sysinfo-interval
- hx server task aging period
- hx server triage auto enable
- hx server triage auto throttle agent limit
- hx server triage auto throttle agent period
- hx server triage auto throttle agent-condition limit
- hx server triage auto throttle agent-condition period
- hx server triage auto throttle condition limit
- hx server triage auto throttle condition period
- hx server triage auto throttle global limit
- hx server triage auto throttle global period
- hx server triage auto throttle indicator limit
- hx server triage auto throttle indicator period
- hx server triage auto throttle ioc limit
- hx server triage auto throttle ioc period
- hx server triage extraction retry-limit
- hx server triage extraction task-limit
- hx server triage extraction timeout
- hx server triage task-limit
- hx server triage task-timeout
- hx server triage window after
- hx server triage window prior
- hx server upgrade task-limit
- hx server upgrade task-timeout
show hx server msm-link Displays settings related to Mobile Threat Prevention (MTP) for the HX Series appliance.
Syntax show hx server msm-link
Parameters None
Example The following example shows the output produced by the show hx server msm-link command:

hostname (config) # show hx server msm-link
HX Server MSM-Link values:
  Enable: disabled
  Hostname:
  Prefix:
  API Key:
  API Secret:
  API Domain Hash:
User Role All roles except API Analysts and API Admins
Command Mode Configuration
Release Information This command was introduced as follows:
- HX Series: Release 2.5

Related Commands
- hx server msm-link api domain-hash on page 915
- hx server msm-link api key on page 916
- hx server msm-link api secret on page 917
- hx server msm-link enable on page 918
- hx server msm-link hostname on page 919
- hx server msm-link prefix
show hx server search Displays the limit on the number of unique issues that each HX Series Enterprise Search reports for malformed or unexpected data encountered on host endpoints during the search.
Syntax show hx server search
Parameters None
Example The following example shows the output produced by the show hx server search command:

hostname (config) # show hx server search
Search issues item limit: 20
User Role All roles except API Analysts and API Admins
Command Mode Configuration mode
Release Information This command was introduced as follows:
- HX Series: Release 3.2

Related Commands
- hx server search issues items-limit on page 922
show images Description Displays all appliance boot images on the system and the image installed on each partition. Identifies the active partition and the default boot partition. Related commands: image install
Syntax show images
Parameters None
Example The following example shows the current appliance boot image information.

hostname (config) # show images
Images available to be installed:
  image-lms.img hydra HYDRA (LMS) 6.1.0.00000 #00000 2012-03-15 15:51:39 x86_64 build@vbrat_el m:FireEye (build)
Installed images:
  Partition 1: hydra HYDRA (LMS) 6.1.0.00000 #00000 2012-03-15 01:12:03 x86_64 build@vbrat_el m:FireEye (build)
  Partition 2: hydra HYDRA (LMS) 6.1.0.00000 #00000 2012-03-15 15:51:39 x86_64 build@vbrat_el m:FireEye (build)
Last boot partition: 2
Next boot partition: 2
Boot manager password is set.
No image install currently in progress.
show incident all Displays the statistics about all the Web analysis incident jobs that are confirmed malicious, in descending order by job number. This command does not show incident information that was not deemed malicious. For details about displaying a list of all malicious and nonmalicious events, see Malware Object Analysis Command Family on page 107.
Syntax show incident all
Parameters None
Output Fields The following table describes the output fields for the show incident all command. Fields are listed in the approximate order in which they appear in the output.

Web Analysis Incident: Specific web analysis incident job number.
Target OS: Guest image profile that was the target of the malware.
Target Application: Application that was the target of the malware.
Page URL: Page URL submitted to the virtual machine (VM) as a confirmed incident.
Source IP: IP address of the source.
Noticed At: Date and time that the confirmed incident was seen.
Updated At: Date and time that the confirmed incident was updated.
Events found: Number of events involved in the confirmed incident.
URLs: Number of URLs involved in the confirmed incident.
ContentType: Type of retrieved object, such as application or text.
Example The following example displays partial output of the statistics for all the Web analysis incident jobs that are confirmed:

hostname # show incident all
Web Analysis Incident: 6237
Target OS          : Microsoft Windows7 32-bit 6.1 sp1 15.0826
Target Application : InternetExplorer 9.0
Page URL           : perfectlearningsystems.com/38XTR9WQ.php?id=624200
Source IP          : 34.232.235.10
Noticed At         : 2015-09-24 22:26:31 PDT
Updated At         : 2015-09-24 22:30:50 PDT
Events found       : (1) 13(OS)
URLs               : (6)
ContentType               URL
------------------------- -------------------------
text/html                 infantstrollerandcarseat.com/27.mp3?rnd=91095
text/html                 infantstrollerandcarseat.com/16201.mp3?rnd=19734
text/html                 perfectlearningsystems.com/38XTR9WQ.php?id=624200
text/html                 infantstrollerandcarseat.com/201403/_ev.htm
appl/x-shockwave-flash    infantstrollerandcarseat.com/7815.swf
appl/x-silverlight-app    infantstrollerandcarseat.com/1704.xap

Web Analysis Incident: 6235
Target OS          : Microsoft WindowsXP 32-bit 5.1 sp3 15.0826
Target Application : InternetExplorer 7.0
Page URL           : www.17gamo.com/co/ie7.htm
Source IP          : 115.52.174.36
Noticed At         : 2015-09-24 22:23:22 PDT
Updated At         : 2015-09-24 22:27:45 PDT
Events found       : (3) 9(NA) 8(SP) 7(OS)
URLs               : (3)
ContentType               URL
------------------------- -------------------------
appl/octet-stream         www.steoo.com/admin/win.exe
text/html                 www.17gamo.com/co/ie7.htm
text/html                 xn--18ba.xiaolen.com/
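Added example, not FireEye code: a Python parser that turns show incident all text into records, lists the URLs whose content type indicates a binary or plugin payload (appl/octet-stream, Flash, Silverlight) rather than plain markup, groups the hosts seen by incident, and checks each incident's URL rows against its URLs count line. The sample input is constructed from the example above; the set of payload content types is an assumption made for this example.

```python
"""Parse `show incident all` output into structured incident records.

Added example, not FireEye code. SAMPLE is constructed from the documented
example output (label, colon, value lines followed by a ContentType/URL
table per incident). PAYLOAD_TYPES is an assumption for this example.
"""
import re
from collections import defaultdict

SAMPLE = """\
hostname # show incident all
Web Analysis Incident: 6237
Target OS          : Microsoft Windows7 32-bit 6.1 sp1 15.0826
Target Application : InternetExplorer 9.0
Page URL           : perfectlearningsystems.com/38XTR9WQ.php?id=624200
Source IP          : 34.232.235.10
Noticed At         : 2015-09-24 22:26:31 PDT
Updated At         : 2015-09-24 22:30:50 PDT
Events found       : (1) 13(OS)
URLs               : (6)
ContentType               URL
------------------------- -------------------------
text/html                 infantstrollerandcarseat.com/27.mp3?rnd=91095
text/html                 infantstrollerandcarseat.com/16201.mp3?rnd=19734
text/html                 perfectlearningsystems.com/38XTR9WQ.php?id=624200
text/html                 infantstrollerandcarseat.com/201403/_ev.htm
appl/x-shockwave-flash    infantstrollerandcarseat.com/7815.swf
appl/x-silverlight-app    infantstrollerandcarseat.com/1704.xap

Web Analysis Incident: 6235
Target OS          : Microsoft WindowsXP 32-bit 5.1 sp3 15.0826
Target Application : InternetExplorer 7.0
Page URL           : www.17gamo.com/co/ie7.htm
Source IP          : 115.52.174.36
Noticed At         : 2015-09-24 22:23:22 PDT
Updated At         : 2015-09-24 22:27:45 PDT
Events found       : (3) 9(NA) 8(SP) 7(OS)
URLs               : (3)
ContentType               URL
------------------------- -------------------------
appl/octet-stream         www.steoo.com/admin/win.exe
text/html                 www.17gamo.com/co/ie7.htm
text/html                 xn--18ba.xiaolen.com/
"""

_INCIDENT = re.compile(r"^Web Analysis Incident:\s*(\d+)")
_FIELD = re.compile(r"^([A-Za-z ]+?)\s*:\s*(.*)$")        # "Label   : value"
_URL_ROW = re.compile(r"^(\S+/\S+)\s+(\S+)$")             # "type/subtype  url"
# Assumption: content types that mean a binary or plugin payload was served.
PAYLOAD_TYPES = {"appl/octet-stream", "appl/x-shockwave-flash", "appl/x-silverlight-app"}


def parse_incidents(text):
    """Return a list of dicts, one per incident, with an 'id', the labelled
    fields by name, and 'urls' as a list of (content_type, url) tuples."""
    incidents, current = [], None
    for line in text.splitlines():
        m = _INCIDENT.match(line)
        if m:
            current = {"id": int(m.group(1)), "urls": []}
            incidents.append(current)
            continue
        if current is None or line.startswith("-") or line.startswith("ContentType"):
            continue
        row = _URL_ROW.match(line)
        if row:
            current["urls"].append((row.group(1), row.group(2)))
            continue
        f = _FIELD.match(line)
        if f:
            current[f.group(1).strip()] = f.group(2).strip()
    return incidents


def payload_urls(incidents):
    """(incident id, url) for every row whose content type is a payload type."""
    return [(inc["id"], url) for inc in incidents
            for ctype, url in inc["urls"] if ctype in PAYLOAD_TYPES]


def hosts_by_incident(incidents):
    """Map each hostname in the URL tables to the sorted incident ids that hit it."""
    seen = defaultdict(set)
    for inc in incidents:
        for _ctype, url in inc["urls"]:
            seen[url.split("/", 1)[0].lower()].add(inc["id"])
    return {host: sorted(ids) for host, ids in seen.items()}


def check_url_counts(incidents):
    """Incident ids whose URL rows disagree with the 'URLs : (n)' line,
    which happens when output is truncated or a capture is incomplete."""
    bad = []
    for inc in incidents:
        declared = int(inc.get("URLs", "(0)").strip("()"))
        if declared != len(inc["urls"]):
            bad.append(inc["id"])
    return bad


if __name__ == "__main__":
    incs = parse_incidents(SAMPLE)
    for inc_id, url in payload_urls(incs):
        print(f"incident {inc_id}: payload {url}")
    print(hosts_by_incident(incs))
```

The host map is the piece most useful downstream: it gives a de-duplicated list of hosts to compare against proxy logs or a blocklist, with the incident ids to cite, while check_url_counts catches captures that were cut off before the URL table was complete.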
User Role Administrator, Operator, Monitor, or Analyst
Command Mode Enable
Release Information This command was introduced as follows:
- NX Series: Before Release 7.5
Related Commands For a list of related commands, see Incident Command Family on page 98.
show incident list Displays a full list of all incident jobs, in descending order by incident number. This command does not show incidents that were not confirmed to be malicious. For details about displaying a list of all malicious and nonmalicious events, see Malware Object Analysis Command Family on page 107.
Syntax show incident list
Parameters None
Output Fields The following table describes the output fields for the show incident list command. Fields are listed in the approximate order in which they appear in the output.

Incident: Specific confirmed incident job number.
E: Number of events involved in the confirmed incident.
URL: Number of URLs involved in the confirmed incident.
Target OS: Guest image profile that was the target of the malware.
App: Application that was the target of the malware.
Page URL: Page URL submitted to the virtual machine (VM) as a confirmed incident.
Source IP: IP address of the source.
Noticed At: Date and time that the confirmed incident was seen.
Example The following example displays partial output of all Web incident jobs that are confirmed malicious:
hostname # show incident list
Incident  E  URL  TargetOS  App    PageURL                    SrcIP            NoticedAt
--------------------------------------------------------------------------------
6680      2  4    MWXP32-5  IE8.0  www.rxktpnjr.cjb.net/63bh  6.169.35.252     2015-09-25 06:19:41 PDT
6673      5  3    MWXP32-5  IE6.0  de-my-page.info/forum/ind  103.169.252.110  2015-09-25 06:13:02 PDT
6668      4  4    MWXP32-5  IE8.0  www.rxktpnjr.cjb.net/63bh  6.118.103.60     2015-09-25 06:09:53 PDT
6667      1  1    MWXP32-5  IE6.0  de-my-page.info/forum/ccr  57.88.45.101     2015-09-25 06:06:45 PDT
6663      1  7    MWXP32-5  IE8.0  kbl-ludwigsfelde.de/2014-  87.180.89.178    2015-09-25 06:03:36 PDT
User Role Administrator, Operator, Monitor, or Analyst
Command Mode Enable
Release Information This command was introduced as follows:
NX Series: Before Release 7.5
Related Commands For a list of related commands, see Incident Command Family on page 98.
show incident Displays information for a specific Web analysis incident job that is confirmed as malicious on the appliance. This command does not show incident information that was not deemed malicious. For details about displaying a list of all malicious and nonmalicious events, see Malware Object Analysis Command Family on page 107.
Syntax show incident
Parameters None
Output Fields The following table describes the output fields for the show incident command. Fields are listed in the approximate order in which they appear in the output.
Field: Description
Web Analysis Incident: Specific Web analysis incident job number.
Target OS: Guest image profile that was the target of the malware.
Target Application: Application that was the target of the malware.
Page URL: Page URL submitted to the virtual machine (VM) as a confirmed incident.
Source IP: IP address of the source.
Noticed At: Date and time that the confirmed incident was seen.
Updated At: Date and time that the confirmed incident was updated.
Events found: Number of events involved in the confirmed incident.
URLs: Number of URLs involved in the confirmed incident.
ContentType: Type of retrieved object, such as application or text.
Example The following example displays the information about job number 6680:
hostname # show incident 6680
Web Analysis Incident: 6680
Target OS          : Microsoft WindowsXP 32-bit 5.1 sp3 15.0826
Target Application : InternetExplorer 8.0
Page URL           : www.rxktpnjr.cjb.net/63bhputj/?2
Source IP          : 6.169.35.252
Noticed At         : 2015-09-25 06:19:41 PDT
Updated At         : 2015-09-25 06:21:58 PDT
Events found       : (2) 1581(NA) 1580(OS)
URLs               : (4)
ContentType              URL
-------------------------
appl/octet-stream        www.rxktpnjr.cjb.net/63bhputj/?2dc6ba8fd447903e571c060d5
text/html                www.rxktpnjr.cjb.net/63bhputj/?2dc6ba8fd447903e571c060d5
text/html                www.rxktpnjr.cjb.net/63bhputj/?2
appl/octet-stream        www.rxktpnjr.cjb.net/63bhputj/?362f56117ea4eb38415e5b5d0
User Role Administrator, Operator, Monitor, or Analyst
Command Mode Enable
Release Information This command was introduced as follows:
NX Series: Before Release 7.5
Related Commands For a list of related commands, see Incident Command Family on page 98.
show interfaces Description Displays the status and traffic statistics for one or all interfaces. You can also view a brief summary of the status information (no traffic statistics) or just the interface configuration. Monitoring (pether3 to pether_n) ports are not displayed using the show interfaces command. To see the status of these ports, use the show interfaces name command.
Syntax show interfaces [name] [brief | configured]
Parameters name
Interface name (such as “ether1,” “tap0,” or “lo” for loopback).
brief
Displays a brief summary of the status information (no traffic statistics).
configured
Displays just the configured settings for the enabled interfaces.
Example The following example shows status and traffic statistics for all interfaces.
hostname # show interfaces
Interface ether1 state
   Admin up: yes
   Link up: yes
   IP address: 192.168.0.69
   Netmask: 255.255.255.0
   Speed: 1000Mb/s (auto)
   Duplex: full (auto)
   Interface type: ethernet
   MTU: 1500
   HW address: 00:0C:29:5D:D7:28
   RX bytes: 11668267
   RX packets: 107222
   RX mcast packets: 0
   RX discards: 0
   RX errors: 0
   RX overruns: 0
   RX frame: 0
   TX bytes: 4458023
   TX packets: 13155
   TX discards: 0
   TX errors: 0
   TX overruns: 0
   TX carrier: 0
   TX collisions: 0
Interface ether2 state
   Admin up: yes
   Link up: yes
The following example shows status and traffic statistics for the pether3 interface.
hostname # show interfaces pether3
show ip Displays all static and dynamic routes in the routing table, only the static routes, the active or static default gateway, or the DHCP-related configuration.
Syntax show ip {route [static] | default-gateway [static] | dhcp}
Parameters route [static]
Displays all static and dynamic IP routes, or only static routes.
default-gateway [static]
Displays the active default gateway, or the manually-defined (static) default gateway.
dhcp
Displays DHCP-related configuration information.
Example The following example shows all IP routes.
hostname # show ip route
Destination   Mask           Gateway      Interface  Source
default       0.0.0.0        172.16.1.1   ether1     static
172.16.0.0    255.240.0.0    0.0.0.0      ether1     interface
show ip filter Description Displays the operative list of rules, regardless of where they came from. Rules that came from the user's configuration are numbered with sequence numbers matching the ones they have in the configuration. There is no way to operate on the unnumbered rules directly from the CLI. Related commands: ip filter enable, ipv6 enable, show ipv6 filter, ip filter options include-bridges, ip filter chain
Syntax show ip filter [all] [configured]
User Role Admin role
Release Information Command introduced in NX, HX and CMS Series Release 7.5.0.
Parameters [all]
Displays all IP filters.
[configured] Displays the current set of rules in configuration. The rules should match the numbered rules listed by "show ip filter" (assuming IP filtering is enabled).
Example The following example shows ip filter rules.
hostname (config) # show ip filter
Packet filtering for IPv4: enabled
Apply filters to bridges: no
All active IPv4 filtering rules:
Chain 'INPUT'
#  Target  Proto  Source  Destination  Other
   DROP    icmp   all     all          icmp timestamprequest
   ACCEPT  all    all     all          inb ether+
   ACCEPT  all    all     all          inb lo
   ACCEPT  all    all     all          inb tun0
1  DROP    all    all     all
Policy: DROP
Chain 'OUTPUT'
#  Target  Proto  Source  Destination  Other
   DROP    icmp   all     all          icmp timestampreply
   ACCEPT  all    all     all          outb ether+
   ACCEPT  all    all     all          outb lo
   ACCEPT  all    all     all          outb tun0
1  DROP    all    all     all
Policy: DROP
Chain 'FORWARD'
No rules.
Policy: DROP
show ipmi Displays the Intelligent Platform Management Interfaces (IPMI) configuration and its actual state.
Syntax show ipmi
User Role Administrator
Release Information Command introduced before Release 7.6.0.
Parameters None
Example The following example displays the current IPMI configuration.
hostname (config) # show ipmi
IPMI LAN Settings
---------------------------------------
Admin Shut Down    : yes
Shut Down          : yes
IP Address Source  : Static Address
IP Address         : 0.0.0.0
Subnet Mask        : 0.0.0.0
Default Gateway IP : 0.0.0.0
IPMI Firmware Installed
------------------------------
Firmware Version: 2.63
Device: 1
IPMI Version: 2.0
IPMI Firmware Available For Update
-------------------------------------------------------------------------
New Firmware Version: 2.67
New Firmware Filename: FireEye_V267.bin
Firmware Update Notice: IPMI firmware version 2.67 is strongly recommended with this release. It may be installed with the CLI command: ipmi firmware update latest
Note: IPMI configuration and logs are reset to factory defaults on update. See the release notes and user manual for more information.
IPMI Firmware Availability Notice is enabled
show ipmi interface Description Displays Intelligent Platform Management Interface (IPMI) and network interface settings.
Syntax show ipmi interface
User Role Admin.
Release Information Command introduced in FX Series Release 7.5.0.
Parameters None
Example The following example displays the current IPMI and network interface settings:
hostname # show ipmi interface
IPMI LAN Settings
---------------------------------------
IP Address Source  : DHCP Address
IP Address         : 172.16.100.200
Subnet Mask        : 255.240.0.0
Default Gateway IP : 172.16.1.1
show ipmi log Description Displays the Intelligent Platform Management Interfaces (IPMI) event log.
Syntax show ipmi log
User Role Admin.
Parameters None
Example The following example displays an IPMI event log.
hostname # show ipmi log
IPMI Event Log:
1 | 02/06/2014 | 22:31:48 | Watchdog 2 #0xca | Timer interrupt | Asserted
2 | 02/06/2014 | 22:31:49 | Watchdog 2 #0xca | Timer expired | Asserted
3 | 02/07/2014 | 18:01:20 | Watchdog 2 #0xca | Timer interrupt | Asserted
4 | 02/07/2014 | 18:01:21 | Watchdog 2 #0xca | Timer expired | Asserted
{...entries omitted from this example}
1aa | 02/11/2014 | 02:59:50 | Watchdog 2 #0xca | Hard reset | Asserted
1ab | 02/11/2014 | 03:08:25 | Watchdog 2 #0xca | Timer interrupt | Asserted
1ac | 02/11/2014 | 03:08:26 | Watchdog 2 #0xca | Hard reset | Asserted
{...entries omitted from this example}
1b1 | 04/21/2014 | 18:16:51 | Power Supply #0x55 | Failure detected | Asserted
1b2 | 04/21/2014 | 18:17:26 | Power Supply #0x55 | Failure detected | Deasserted
1b3 | 04/21/2014 | 18:18:17 | Power Supply #0x55 | Failure detected | Asserted
1b4 | 04/21/2014 | 18:19:04 | Power Supply #0x55 | Failure detected | Deasserted
1b5 | 04/21/2014 | 18:19:29 | Power Supply #0x55 | Failure detected | Asserted
1b6 | 04/21/2014 | 18:20:23 | Power Supply #0x55 | Failure detected | Deasserted
1b7 | 06/03/2014 | 15:08:07 | Watchdog 2 #0xca | Timer interrupt | Asserted
1b8 | 06/03/2014 | 15:08:08 | Watchdog 2 #0xca | Timer expired | Asserted
1b9 | 07/02/2014 | 22:21:08 | Watchdog 2 #0xca | Timer interrupt | Asserted
1ba | 07/02/2014 | 22:21:09 | Watchdog 2 #0xca | Timer expired | Asserted
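An added example (not FireEye code) of turning the show ipmi log output above into something an operator can act on: it parses the pipe-separated record format, pairs each Power Supply "Failure detected" Asserted with its Deasserted to measure how long each fault lasted, and lists watchdog hard resets. The sample records are a constructed subset in the same format; the function names are this example's own.

```python
from datetime import datetime

# Constructed sample in the format printed by `show ipmi log`
# (a subset of the entries in the example above; record IDs are hexadecimal).
SAMPLE_SEL = """\
IPMI Event Log:
1 | 02/06/2014 | 22:31:48 | Watchdog 2 #0xca | Timer interrupt | Asserted
2 | 02/06/2014 | 22:31:49 | Watchdog 2 #0xca | Timer expired | Asserted
{...entries omitted from this example}
1aa | 02/11/2014 | 02:59:50 | Watchdog 2 #0xca | Hard reset | Asserted
1ac | 02/11/2014 | 03:08:26 | Watchdog 2 #0xca | Hard reset | Asserted
1b1 | 04/21/2014 | 18:16:51 | Power Supply #0x55 | Failure detected | Asserted
1b2 | 04/21/2014 | 18:17:26 | Power Supply #0x55 | Failure detected | Deasserted
1b3 | 04/21/2014 | 18:18:17 | Power Supply #0x55 | Failure detected | Asserted
1b4 | 04/21/2014 | 18:19:04 | Power Supply #0x55 | Failure detected | Deasserted
"""


def parse_sel(text):
    """Parse `show ipmi log` lines into dicts; header and '{...omitted}' lines are skipped."""
    entries = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != 6:          # only real records have six pipe-separated fields
            continue
        rec_id, date, time, sensor, event, state = parts
        entries.append({
            "id": int(rec_id, 16),   # record IDs such as 1aa, 1b1 are hex
            "when": datetime.strptime(f"{date} {time}", "%m/%d/%Y %H:%M:%S"),
            "sensor": sensor,
            "event": event,
            "state": state,
        })
    return entries


def failure_episodes(entries, sensor_prefix="Power Supply"):
    """Pair each Asserted failure with the next Deasserted on the same sensor.

    Returns (sensor, start, duration_seconds) tuples; a failure that never
    deasserts is reported with duration None so it is not silently lost.
    """
    open_at = {}
    episodes = []
    for e in entries:
        if not e["sensor"].startswith(sensor_prefix) or e["event"] != "Failure detected":
            continue
        if e["state"] == "Asserted":
            open_at[e["sensor"]] = e["when"]
        elif e["state"] == "Deasserted" and e["sensor"] in open_at:
            start = open_at.pop(e["sensor"])
            episodes.append((e["sensor"], start, (e["when"] - start).total_seconds()))
    episodes.extend((sensor, start, None) for sensor, start in open_at.items())
    return episodes


def hard_resets(entries):
    """Timestamps of watchdog hard resets: unexpected reboots worth correlating with other logs."""
    return [e["when"] for e in entries
            if e["event"] == "Hard reset" and e["state"] == "Asserted"]


if __name__ == "__main__":
    sel = parse_sel(SAMPLE_SEL)
    for sensor, start, seconds in failure_episodes(sel):
        print(f"{sensor}: failure at {start}, lasted {seconds} s")
    print("hard resets:", hard_resets(sel))
```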
show ipmi version Description Displays Intelligent Platform Management Interface (IPMI) and firmware version information.
Syntax show ipmi version
User Role Admin.
Release Information Command introduced in FX Series Release 7.5.0.
Parameters None
Example The following example displays the current IPMI and firmware version information:
hostname # show ipmi version
IP Address Source : Static Address
IPMI Version Information
---------------------------
Firmware Version: 2.63
Device: 1
IPMI Version: 2.0
IPMI Firmware Update Information
-------------------------------------------------
Update Version: 2.63
Update Filename: FireEye_V263.bin
Update Notice: Firmware is up to date for this release.
show ipmi version include-firmware-update-notice Description Use this command to display firmware update information, even if the firmware is already up to date.
Syntax show ipmi version include-firmware-update-notice
Parameters None
Example The following example displays firmware update information:
hostname # show ipmi version include-firmware-update-notice
IPMI Firmware Installed
----------------------------------------
Firmware Version: 2.19
Device: 1
IPMI Version: 2.0
IPMI Firmware Available For Update
----------------------------------------------------------------------------------
New Firmware Version: 2.19
New Firmware Filename: H8QG6219-FireEYe.ima.xz
Firmware Update Notice: Firmware is up to date for this release.
IPMI firmware version 2.19 is available and recommended with this release.
Check your current release notes for security fixes and update advisories
The new version may be installed with the CLI command: ipmi firmware update latest
...
User Role Administrator
Command Mode Enable
Release Information This command was introduced as follows:
CM Series: Release 7.9.1
NX Series: Release 7.9.1
VX Series: Release 7.9.1
show ips reconnaissance Displays the IPS detection thresholds for reconnaissance activity and brute-force attacks, provided that IPS detection of reconnaissance activity is enabled. You can also run this command remotely from the command line of an integrated FireEye CM series platform using the central management platform proxying mechanism.
Syntax show ips reconnaissance
Parameters None
Output Fields The following table describes the output fields for the command. Fields are listed in the approximate order in which they appear in the output.
Field Name: Field Description
IPS reconnaissance is disabled: IPS detection of reconnaissance activity is disabled. No threshold settings are displayed.
Ping sweep threshold: The platform triggers an IPS ping sweep event when the number of ICMP exchanges to or from the same IP address within a rolling 60-second window exceeds this value.
Port scan threshold: The platform triggers an IPS port scan event when the number of TCP or UDP exchanges to or from the same IP address within a rolling 60-second window exceeds this value.
Brute force threshold: The platform triggers an IPS brute-force event when the number of failed login attempts to or from the same IP address within a rolling 60-second window exceeds this value.
Example show ips reconnaissance (Detection Disabled)
hostname # show ips reconnaissance
IPS reconnaissance is disabled
show ips reconnaissance (Detection Enabled With Default Settings)
hostname # show ips reconnaissance
Ping sweep threshold  : 20
Port scan threshold   : 200
Brute force threshold : 5
User Role Monitor, Analyst, Operator, or Administrator
Command Mode Enable
Release Information This command was introduced as follows:
NX Series: Release 7.5.0
Related Commands For a list of related commands, see IPS Commands on page 102.
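An added model (not FireEye code) of the rolling-window semantics the three thresholds describe: each threshold is a per-IP count of exchanges seen in the last 60 seconds, an exchange counts against both endpoints, and an event fires when the count exceeds the threshold. The default values are the ones shown above; the exchange kind names, the event record layout and the once-per-crossing de-duplication are this example's own assumptions.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 60  # the rolling window stated for all three thresholds

# Defaults as printed by `show ips reconnaissance` when detection is enabled.
DEFAULT_THRESHOLDS = {"ping_sweep": 20, "port_scan": 200, "brute_force": 5}

# Exchange kind -> threshold it feeds (ICMP: ping sweep; TCP/UDP: port scan;
# failed logins: brute force). The kind names are this example's own.
CATEGORY_OF = {"icmp": "ping_sweep", "tcp": "port_scan", "udp": "port_scan",
               "failed_login": "brute_force"}


class ReconDetector:
    """Per-IP rolling 60-second counters for the three reconnaissance thresholds."""

    def __init__(self, thresholds=None, enabled=True):
        self.enabled = enabled
        self.thresholds = dict(DEFAULT_THRESHOLDS if thresholds is None else thresholds)
        self._windows = defaultdict(deque)  # (category, ip) -> timestamps inside the window
        self._over = set()                  # (category, ip) currently above threshold

    def _count(self, key, ts):
        """Append ts, drop timestamps older than the window, return the live count."""
        window = self._windows[key]
        window.append(ts)
        cutoff = ts - WINDOW_SECONDS
        while window and window[0] <= cutoff:
            window.popleft()
        return len(window)

    def observe(self, ts, kind, src, dst):
        """Record one exchange at time ts (seconds) and return the events it raises.

        The exchange counts against both endpoints ("to or from the same IP
        address"). An event is raised the first time a counter exceeds its
        threshold and not again until it has fallen back below it; that
        de-duplication is an assumption of this example.
        """
        if not self.enabled:             # "IPS reconnaissance is disabled": nothing fires
            return []
        category = CATEGORY_OF[kind]
        limit = self.thresholds[category]
        events = []
        for ip in dict.fromkeys((src, dst)):   # each endpoint once, in order
            key = (category, ip)
            n = self._count(key, ts)
            if n > limit and key not in self._over:
                self._over.add(key)
                events.append({"event": category, "ip": ip, "count": n, "at": ts})
            elif n <= limit:
                self._over.discard(key)
        return events


def simulate_ping_sweep(source="10.0.0.5", hosts=30, start=1000.0):
    """Constructed scenario: one source sends ICMP to 30 distinct hosts, one per second.

    With the default ping sweep threshold of 20, the 21st exchange inside the
    window is the first to exceed it, so exactly one event is expected.
    """
    det = ReconDetector()
    raised = []
    for i in range(hosts):
        raised += det.observe(start + i, "icmp", source, f"10.0.1.{i + 1}")
    return raised


if __name__ == "__main__":
    for ev in simulate_ping_sweep():
        print(ev)
```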
show ips signatures Displays the overrides (disabled or forced blocking, or suppression) applied to vulnerabilities or IPS rules active on the appliance monitoring interfaces. For information about disabled or forced blocking or suppression applied to vulnerabilities or IPS rules, and about disabled or forced blocking for all rules activated on the appliance, refer to the NX Series IPS Feature Guide. You can also run this command remotely from the command line of an integrated FireEye CM series platform using the central management platform proxying mechanism.
Syntax show ips signatures
Parameters None
Output Fields The following table describes the output fields for the command. Fields are listed in the approximate order in which they appear in the output.
Field Name: Description
SIGNATURE: Signature for an event that is eligible for inline blocking. Can be either of the following:
  signatureID: Eight-digit integer that identifies the signature.
  signatureName: Text string that identifies the signature. Names are truncated to 32 characters.
INTF: Name of the appliance monitoring interface.
VICTIM IP: IP address of the victim (destination).
ATTACKER IP: IP address of the attacker (source).
ACTION: Type of action that was taken. The action indicates whether the signature blocks, allows, or suppresses matched traffic on the specified interface.
Examples The following example displays the parameters when there are no blocked or suppressed vulnerabilities or rules from a particular IP address:
hostname # show ips signatures
ACTION TABLE
SIGNATURE                     INTF  VICTIM IP           ATTACKER IP         ACTION
The following example displays the parameters that you configured to disable or force blocking on a vulnerability or an individual IPS rule on an interface from a particular IP address:
hostname # show ips signatures
ACTION TABLE
SIGNATURE                     INTF  VICTIM IP           ATTACKER IP         ACTION
85305159                      ALL   105.35.227.216/32   137.163.95.91/32    block
Trojan.Ramnit Inf Pg Dnload   ALL   105.35.227.216/32   137.163.95.91/32    block
The following example displays blocked or suppressed vulnerabilities or rules from a particular IP address:
hostname # show ips signatures
ACTION TABLE
SIGNATURE                     INTF  VICTIM IP           ATTACKER IP         ACTION
85305159                      ALL   107.182.166.198/32  183.244.186.168/32  suppress
MS XML CoreSvcs UninitObjAcc  ALL   239.244.150.249/32  103.244.26.221/32   block
Trojan.Ramnit Inf Pg Dnload   ALL   107.182.166.198/32  183.244.186.168/32  suppress
User Role Monitor, Operator, or Administrator
Command Mode Enable
Release Information This command was introduced as follows:
NX Series: Release 7.7
Related Commands For a list of related commands, see IPS Commands on page 102.
show ipv6 Description Displays the IPv6 routing table (all routes, or only static routes), the active IPv6 default gateway, or the IPv6 neighbor table. Related commands: ipv6 route
Syntax show ipv6 {route [static] | default-gateway | neighbors [static]}
Parameters route [static]
Displays all IPv6 routes. To display static IPv6 routes only, use the static option.
default-gateway
Displays the active default gateway.
neighbors [static]
Displays all IPv6 neighbors, including both static entries and dynamic NDP entries. To display all statically-configured IPv6 neighbors, use the static option.
Example The following example shows all static and dynamic IPv6 routes.
hostname(config)# show ipv6 route
Destination   Mask             Gateway
default       0.0.0.0          192.168.0.1
192.168.0.0   255.255.255.0    0.0.0.0
show ipv6 filter Description Displays the operative list of rules for IPv6, regardless of where they came from. Rules that came from the user's configuration are numbered with sequence numbers matching the ones they have in the configuration. There is no way to operate on the unnumbered rules directly from the CLI. Related commands: ip filter enable, ipv6 enable, show ip filter, ip filter options include-bridges, ip filter chain
Syntax show ipv6 filter [all] [configured]
User Role Admin role
Release Information Command introduced in NX, HX and CMS Series Release 7.5.0.
Parameters [all]
Displays all IP filters.
[configured] Displays the current set of rules in configuration. The rules should match the numbered rules listed by "show ip filter" (assuming IP filtering is enabled).
Example The following example shows ip6 filter rules.
hostname (config) # show ip6 filter
Packet filtering for IPv6: enabled
Apply filters to bridges: no
All active IPv6 filtering rules:
Chain 'INPUT'
#  Target  Proto   Source  Destination  Other
   ACCEPT  all     ::/0    ::/0         inb ether+
   ACCEPT  all     ::/0    ::/0         inb lo
   ACCEPT  all     ::/0    ::/0         inb tun0, state RELATED,ESTABLISHED
   ACCEPT  tcp     ::/0    ::/0         inb tun0, dpt 22, state NEW
   ACCEPT  tcp     ::/0    ::/0         inb tun0, dpt 443, state NEW
   ACCEPT  udp     ::/0    ::/0         inb tun0, dpt 161
   ACCEPT  icmpv6  ::/0    ::/0         inb tun0
1  DROP    all     ::/0    ::/0         inb tun0
Policy: DROP
Chain 'OUTPUT'
#  Target  Proto   Source  Destination  Other
   ACCEPT  all     ::/0    ::/0         outb ether+
   ACCEPT  all     ::/0    ::/0         outb lo
   ACCEPT  all     ::/0    ::/0         outb tun0, state RELATED,ESTABLISHED
   ACCEPT  tcp     ::/0    ::/0         outb tun0, dpt 443, state NEW
   ACCEPT  udp     ::/0    ::/0         outb tun0, dpt 162
   ACCEPT  icmpv6  ::/0    ::/0         outb tun0
1  DROP    all     ::/0    ::/0         outb tun0
Policy: DROP
Chain 'FORWARD'
No rules.
Policy: DROP
show jobs Description Displays configuration and status for all jobs, for a specified job ID, or for a specific job owner. Related commands: job
Syntax show jobs [job_id | job_owner]
Parameters job_id
References a specific job ID.
job_owner References a specific job owner.
Example The following example displays all configured jobs.
hostname # show jobs
Job 333:
  Status:              inactive
  Enabled:             yes
  Continue on failure: no
  Schedule type:       periodic
  Interval:            1m
  Absolute start:      (no limit)
  Absolute end:        2014/12/31 23:59:59 +0000
  Last exec time:      N/A
  Next exec time:      N/A
  Commands:
    Command 1: backup profile config+fedb to usb
show lcd Description Displays the current liquid crystal display (LCD) configuration.
Syntax show lcd
Parameters None
Example The following example shows the LCD configuration.
hostname > show lcd
LCD enabled: yes
Synchronize to clock: yes
Inactivity timeout: 5.0 minutes
Blank screen on timeout: no
Brightness level: 9
Contrast level: 4
Password: (none)
show ldap To display the Active Directory (LDAP) settings, use the show ldap command in enable mode. Related commands: ldap
Syntax show ldap
Parameters None
User Role Administrator, Operator, or Monitor
Release Information Command introduced before Release 7.6.0.
Example The following example displays all LDAP information.
hostname # show ldap
User base DN      : ou=users,dc=example,dc=com
User search scope : subtree
Login attribute   : sAMAccountName
Bind DN           :
Bind password     : ********
Group base DN     :
Group attribute   : member
LDAP version      : 3
Referrals         : yes
Server port       : 389
Search Timeout    : 5
Bind Timeout      : 5
Search Filter     :
SSL mode          : tls
Server SSL port   : 636 (not active)
SSL cert verify   : yes
SSL ca-list       : default-ca-list
SSL min version   : tls1
SSL cipher list   : fips
No LDAP servers configured.
show licenses Displays appliance license information.
Syntax show licenses
Parameters None
Examples The following example shows the current license information.
hostname # show licenses
License 1: LK2-CONTENT_UPDATES-0000-0000-0000-0000-0000-0
  Feature: CONTENT_UPDATES
  Valid: yes
  Content sharing: all (ok)
  Active: yes
License 2: LK2-FIREEYE_APPLIANCE-0000-0000-0000-0000-0000-0000-0000-0000-0000-0LR00000-0000-0000-0000-0000-0000-0000-0000-0000-0000-0000-0000-0000-0000-0000-F0BD0000-0000-0000-0000
  Feature: FIREEYE_APPLIANCE
  Valid: yes
  Type: EVAL (ok)
  Agreement: EULA (ok)
  Tied to host ID: e25b18d52d5d (ok)
  Product: malware-analysis (ok)
  Op Mode: tap (ok)
  Tied to MAC addr: 00:E0:81:C1:C0:59 (ok)
  End date: 2012/2/31 (ok)
  Active: yes
The following example shows partial output for the license information for the Essentials edition of an NX Series appliance.
hostname # show licenses
License 1: LK2-FIREEYE_APPLIANCE-0000-0000-0000-0000-0000-0000-0000-0000-0000-0LR00000-0000-0000-0000-0000-0000-0000-0000-0000-0000-0000-0000-0000-0000-0000-F0BD0000-0000-0000-0000
  Feature: FIREEYE_APPLIANCE
  Description: FireEye Appliance
  Valid: yes
  Start date: 2015/12/28 (ok)
  Tied to MAC addr: 00:25:90:5C:5F:5A (ok)
  Product: MPS (ok)
  Type: PROD (ok)
  Agreement: EULA (ok)
  Op Mode: inline (ok)
  Active: yes
  Product Edition: Essentials
  Sharing requirement: all
  DTI Callback Alerts: no
  URL Correlation: no
  PX integration: no
License 2: LK2-CONTENT_UPDATES-0000-0000-0000-0000-0000-0000-0000-0000-0000-00000000-0000-0000-000
  Feature: CONTENT_UPDATES
  Description: Content updates
  Valid: yes
  Start date: 2015/12/30 (ok)
  End date: 2016/12/30 (ok)
  Tied to MAC addr: 00:25:90:5C:27:3E (ok)
  Sharing: all (ok)
  Active: yes
The following example shows the partial output for the license information for the Power edition of an NX Series appliance.
License 1: LK2-FIREEYE_APPLIANCE--0000-0000-0000-0000-0000-0000-0000-0000-0000-0LR0-0000-0000-0000-0000-0000-0000-0000-0000-0000-0000-0000-0000-0000-0000-0000-F0BD0000-0000-0000-0000
  Feature: FIREEYE_APPLIANCE
  Description: FireEye Appliance
  Valid: yes
  Start date: 2015/12/28 (ok)
  Tied to MAC addr: 00:25:90:5C:5F:5A (ok)
  Product: MPS (ok)
  Type: PROD (ok)
  Agreement: EULA (ok)
  Op Mode: inline (ok)
  Active: yes
  Product Edition: Power
  Sharing requirement: none
  DTI Callback Alerts: yes
  URL Correlation: yes
  PX integration: yes
License 2: LK2-CONTENT_UPDATES-0000-0000-0000-0000-0000-0000-0000-0000-0000-00000000-0000-0000-000
  Feature: CONTENT_UPDATES
  Description: Content updates
  Valid: yes
  Start date: 2015/12/30 (ok)
  End date: 2016/12/30 (ok)
  Tied to MAC addr: 00:25:90:5C:27:3E (ok)
  Sharing: all (ok)
  Active: yes
. . .
User Role Administrator, Monitor, or Operator
Command Mode Enable
Release Information This command was introduced as follows:
AX Series: Before Release 7.5
EX Series: Before Release 7.5
FX Series: Before Release 7.5
NX Series: Before Release 7.5
CM Series: Before Release 7.5
Related Commands For a list of related commands, see License Management Command Family on page 103.
show licenses tokens Displays detailed running state for license tokens.
Syntax show licenses tokens
Parameters None
Examples The following example shows the current running state for license tokens.
hostname # show licenses tokens
Token Summary :
  Token Active   : yes
  Token Required : no
Token Lease :
  Lease Active         : no
  Lease Time Remaining : 0 min
Token Grace Period :
  Grace Period Active    : no
  Grace Period Available : no
  Grace Period Remaining : 0 min
Token Server Current Time : 1970/01/01 00:00:00
Token Details:
  Next Token     : (not fetched)
  Active Token   : (not fetched)
  Previous Token : (not fetched)
User Role Administrator, Monitor, or Operator
Command Mode Enable
Release Information This command was introduced as follows:
CM Series: Release 7.9.0 for virtual NX Series appliances and virtual CM Series platforms.
Related Commands For a list of related commands, see License Management Command Family on page 103. See also:
system virtual bootstrap reset on page 1267
show licenses tokens on the previous page
show system entropy on page 1967
show licenses tokens configured Displays configuration for license tokens.
Syntax show licenses tokens configured
Parameters None
Examples The following example shows the configuration for license tokens.
hostname # show licenses tokens configured
License token configuration:
  Query Enabled: yes
  Query lead time: 25
  Query Retry interval: 60
User Role Administrator, Monitor, or Operator
Command Mode Enable
Release Information This command was introduced as follows:
CM Series: Release 7.9.0 for virtual NX Series appliances and virtual CM Series platforms.
Related Commands For a list of related commands, see License Management Command Family on page 103.
show localsig To display the current status of the local signature generation, use the show localsig command in configuration mode. Related commands: localsig enable
Syntax show localsig
User Role Admin
Release Information Command was introduced in Release 7.5.0 for NX Series appliances and CM Series platforms. Command was introduced in Release 7.6.0 for EX Series appliances.
Parameters None
Description Signatures are generated for Web Infection, Malware Object, and CnC callback alert types. Each generated signature is associated with the relevant alert ID. You cannot verify that the signatures are generated correctly. However, you can verify the current status of the local signature generation.
Example The following example displays the current local signature generation status, rule version, and the number of active rules.
hostname (config) # show localsig
LocalSig Generator
  Enabled       : YES
  Running       : running
  Rule Versions : 1.0
  Active rules  : 26
show log Description Displays the active log file, a list of all log files, an archived log file, or selected entries in the active log. You can also display log entries continuously as they are added to the active log.
Syntax show log [files [log_id] | continuous | matching regular_expression | not matching regular_expression]
Parameters files [log_id]
Lists the name and ID number of each log file, and the date and time of its first and last entries. To view the entries in an archived log, specify their log ID (to view the active log, enter show log).
continuous
Displays each log entry as it is added to the active log.
matching regular_expression
Displays the log entries in the active log that match the specified regular expression. All special characters supported by the UNIX grep utility can be used here, such as “*” to indicate any string of text and “?” to indicate any single character.
not matching regular_expression
Displays the log entries in the active log that do not match the specified regular expression. All special characters supported by the UNIX grep utility can be used here, such as “*” to indicate any string of text and “?” to indicate any single character.
Example The following example displays the log entries for the standard log format.
hostname # show log
pegasus/nim/mon/entity/aa:00:75:df:95:ac/outpkts: 80
Oct 27 11:11:56 docs lms[1959]: [lmsd.NOTICE]: lms_proxy: query iterate[406]=/pegasus/nim/mon/entity/aa:00:75:df:85:ac : aa:00:75:df:85:ac
Oct 27 11:11:56 docs lms[1959]: [lmsd.NOTICE]: lms_proxy: query iterate[407]=/pegasus/nim/mon/entity/aa:00:75:df:85:ac/inbytes: 0
Oct 27 11:11:56 docs lms[1959]: [lmsd.NOTICE]: lms_proxy: query iterate[408]=/pegasus/nim/mon/entity/aa:00:75:df:85:ac/inpkts: 0
Oct 27 11:11:56 docs lms[1959]: [lmsd.NOTICE]: lms_proxy: query iterate[409]=/pegasus/nim/mon/entity/aa:00:75:df:85:ac/ip: 172.16.117.7
Oct 27 11:11:56 docs lms[1959]: [lmsd.NOTICE]: lms_proxy: query iterate[410]=/pegasus/nim/mon/entity/aa:00:75:df:85:ac/mac: AA:00:75:DF:85:AC
Oct 27 11:11:56 docs lms[1959]: [lmsd.NOTICE]: lms_proxy: query iterate[411]=/
. . .
show log audit Description Displays the active audit log file, a list of all audit log files, an archived audit log file, or selected entries in the active audit log. You can also display audit log entries continuously as they are added to the active log.
Syntax show log audit [files [log_id] | continuous | matching regular_expression | not matching regular_expression]
Parameters files [log_id]
Lists the name and ID number of each log file, and the date and time of its first and last entries. To view the entries in an archived log, specify their log ID (to view the active log, enter show log).
continuous
Displays each log entry as it is added to the active log.
matching regular_expression
Displays the log entries in the active log that match the specified regular expression. All special characters supported by the UNIX grep utility can be used here, such as “*” to indicate any string of text and “?” to indicate any single character.
not matching regular_expression
Displays the log entries in the active log that do not match the specified regular expression. All special characters supported by the UNIX grep utility can be used here, such as “*” to indicate any string of text and “?” to indicate any single character.
Example The following example displays audit log entries in the standard log format. The mgmtd lines record one management action (Action ID 1256) across several entries: who requested it, its description, and its parameters. The cli lines record each command that a CLI user executed.
Jan 24 00:00:00 Belize mgmtd[6768]: [mgmtd.NOTICE]: AUDIT: Action ID 1256: requested by: user fenet (FENet Process) (UNCONFIRMED) via Mdreq (session ID 40557)
Jan 24 00:00:00 Belize mgmtd[6768]: [mgmtd.NOTICE]: AUDIT: Action ID 1256: descr: Run the aggregator
Jan 24 00:00:00 Belize mgmtd[6768]: [mgmtd.NOTICE]: AUDIT: Action ID 1256: param: aggregator name: "rt-stats-aggr"
Jan 24 00:00:00 Belize mgmtd[6768]: [mgmtd.NOTICE]: AUDIT: Action ID 1256: param: action: "bundle"
Jan 24 00:00:00 Belize mgmtd[6768]: [mgmtd.NOTICE]: AUDIT: Action ID 1256: param: archive file: "/data/fenet/stats-content/.upload/rt-stats-aggr.tbz2"
Jan 24 00:00:00 Belize cli[8101]: [cli.NOTICE]: AUDIT: user #0/0: Executing command: en
Jan 24 00:00:00 Belize cli[8101]: [cli.NOTICE]: AUDIT: user #0/0: Executing command: show version
Jan 24 00:00:00 Belize cli[8101]: [cli.NOTICE]: AUDIT: user #0/0: Executing command: show clock
Jan 24 00:00:00 Belize cli[8101]: [cli.NOTICE]: AUDIT: user #0/0: Executing command: show guestimages
. . .
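The audit log lines above have a fixed shape: a syslog prefix, the AUDIT marker, and then either an "Action ID N: ..." fragment from mgmtd (several lines share one action) or an "Executing command: ..." line from cli. The following Python script is an added example, not part of the FireEye guide; it folds the mgmtd fragments into one record per Action ID and lists the CLI commands, which is what you need before forwarding this log to a SIEM. The sample input is constructed from the entries shown above, and the function names and the regular expressions are this example's own assumptions about the format.

```python
"""Parse FireEye-style AUDIT log lines (as shown by `show log audit`) into
structured records.  Added example; the sample lines below are constructed
from the entries printed above, and all function names are this example's own."""
import re
from collections import defaultdict

# Constructed sample: the entries from the show log audit example above.
SAMPLE_AUDIT_LOG = """\
Jan 24 00:00:00 Belize mgmtd[6768]: [mgmtd.NOTICE]: AUDIT: Action ID 1256: requested by: user fenet (FENet Process) (UNCONFIRMED) via Mdreq (session ID 40557)
Jan 24 00:00:00 Belize mgmtd[6768]: [mgmtd.NOTICE]: AUDIT: Action ID 1256: descr: Run the aggregator
Jan 24 00:00:00 Belize mgmtd[6768]: [mgmtd.NOTICE]: AUDIT: Action ID 1256: param: aggregator name: "rt-stats-aggr"
Jan 24 00:00:00 Belize mgmtd[6768]: [mgmtd.NOTICE]: AUDIT: Action ID 1256: param: action: "bundle"
Jan 24 00:00:00 Belize mgmtd[6768]: [mgmtd.NOTICE]: AUDIT: Action ID 1256: param: archive file: "/data/fenet/stats-content/.upload/rt-stats-aggr.tbz2"
Jan 24 00:00:00 Belize cli[8101]: [cli.NOTICE]: AUDIT: user #0/0: Executing command: en
Jan 24 00:00:00 Belize cli[8101]: [cli.NOTICE]: AUDIT: user #0/0: Executing command: show version
Jan 24 00:00:00 Belize cli[8101]: [cli.NOTICE]: AUDIT: user #0/0: Executing command: show clock
Jan 24 00:00:00 Belize cli[8101]: [cli.NOTICE]: AUDIT: user #0/0: Executing command: show guestimages
"""

# Common prefix of every AUDIT line: syslog timestamp, host, process[pid], [facility.level].
HEADER = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<proc>[a-z]+)\[(?P<pid>\d+)\]: \[(?P<facility>[^\]]+)\]: AUDIT: (?P<body>.*)$"
)
# mgmtd actions: several lines share one Action ID.
ACTION = re.compile(r"^Action ID (?P<id>\d+): (?P<kind>requested by|descr|param): (?P<rest>.*)$")
REQUESTED = re.compile(
    r"^user (?P<user>\S+) \((?P<desc>[^)]*)\)(?: \((?P<flag>[^)]*)\))? "
    r"via (?P<via>\S+) \(session ID (?P<session>\d+)\)$"
)
# cli lines: one executed command per line.
COMMAND = re.compile(r"^user #(?P<user>\S+): Executing command: (?P<cmd>.*)$")


def parse_audit_log(text):
    """Return (actions, commands).

    actions: {action_id: {user, desc, flag, via, session, descr, params}}, the
             per-Action-ID lines folded into one record.
    commands: [{ts, host, user, cmd}] for every 'Executing command' line, in order.
    """
    actions = defaultdict(lambda: {"params": {}})
    commands = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue  # not an AUDIT line; skip
        body = m.group("body")
        a = ACTION.match(body)
        if a:
            entry = actions[a.group("id")]
            kind, rest = a.group("kind"), a.group("rest")
            if kind == "requested by":
                r = REQUESTED.match(rest)
                if r:
                    entry.update(r.groupdict())
            elif kind == "descr":
                entry["descr"] = rest
            else:  # param: <name>: "<value>"
                name, _, value = rest.partition(": ")
                entry["params"][name] = value.strip('"')
            continue
        c = COMMAND.match(body)
        if c:
            commands.append({"ts": m.group("ts"), "host": m.group("host"),
                             "user": c.group("user"), "cmd": c.group("cmd")})
    return dict(actions), commands


def non_show_commands(commands):
    """Commands that are not read-only 'show' queries; in the sample that is
    only 'en', which enters Enable mode."""
    return [c["cmd"] for c in commands if not c["cmd"].startswith("show")]


def flagged_actions(actions):
    """Action IDs whose 'requested by' line carried a parenthesised flag such
    as UNCONFIRMED, so a reviewer can look at those first."""
    return [aid for aid, a in actions.items() if a.get("flag")]


if __name__ == "__main__":
    acts, cmds = parse_audit_log(SAMPLE_AUDIT_LOG)
    for aid, a in acts.items():
        print(f"action {aid}: {a.get('descr')} by {a.get('user')} params={a['params']}")
    for c in cmds:
        print(f"{c['ts']} {c['user']} ran: {c['cmd']}")
```

Feed it the output of show log audit (or a forwarded syslog stream) and the two lists give you, per action, who asked for what with which parameters, and per CLI session, the exact commands typed; the "flag" field only records what the appliance printed in parentheses and does not interpret it.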
show log audit files all Description Displays all archived audit log files, optionally restricted to the entries that match, or do not match, a regular expression.
Syntax show log audit files all [matching regular_expression | not matching regular_expression]
Parameters
matching regular_expression
Displays only the entries from the archived audit log files that match the given regular expression (grep syntax).
not matching regular_expression
Displays only the entries from the archived audit log files that do not match the given regular expression.
Example The following example displays all archived audit log files: show log audit files all
show log files all Description Displays all archived system log files, optionally restricted to the entries that match, or do not match, a regular expression.
Syntax show log files all [matching regular_expression | not matching regular_expression]
Parameters
matching regular_expression
Displays only the entries from the archived log files that match the given regular expression (grep syntax).
not matching regular_expression
Displays only the entries from the archived log files that do not match the given regular expression.
Example The following example displays all archived system log files: show log files all
show logging To display the current logging configuration, use the show logging command in standard mode. Related commands: logging and logging files rotation
Syntax show logging
Parameters None
User Role Administrator, Monitor, or Operator
Release Information Command introduced before Release 7.6.0
Example The following example shows the current logging configuration.
hostname > show logging
Local logging level:                  notice
Remote syslog default level:          notice
No remote syslog servers configured.
Receive messages from remote hosts:   no
Log file rotation:
  Log rotation size threshold:        256 megabytes
  Archived log files to keep:         40
Log format:
  Subsecond timestamp field:          disabled
In this output no remote syslog server is configured, so system and audit log entries exist only on the appliance and are subject to its rotation limits (here 256 megabytes per file and 40 archived files). See the logging command to forward logs to a remote collector.
show malware all Displays the statistics about the last 100 malware analysis and submission jobs. The malware analysis jobs are listed in descending order by malware ID.
Syntax show malware all [limit number]
Parameters
limit number
(Optional) Displays only the specified number of entries. You can display up to 1000 entries.
Output Fields The following table describes the output fields for the show malware all command. Fields are listed in the approximate order in which they appear in the output.
Malware ID: Malware analysis job number (MID).
Submission ID: Malware submission job number.
Analysis Type: Type of malware analysis (sandbox or live) associated with the submission.
URL: URL of the malware sample, or the file name when the sample was submitted as a file.
Analysis Timeout: Number of seconds after which the analysis is stopped if it has not completed.
Analysis Priority: Priority of this job relative to other jobs waiting in the MVX engine queue. The default priority is normal.
Force: Whether the AX Series appliance was instructed (true) to analyze the sample even if it matches a previous submission for which forensic results have already been generated.
Profile Name: Guest image profile that the MVX engine used for this job.
Profile ID: ID number of that guest image profile.
Application: Application used to open the submitted content inside the guest image.
Md5Sum: MD5 hash of the submitted sample.
State: Whether the job has completed (done), is waiting in the queue to be analyzed, or is currently running.
Status: Outcome of a completed run, for example success.
Submitted Time: Date and time when the job was submitted.
Run Start Time: Start time of the analysis.
Run End Time: End time of the analysis.
IM: Whether the sample is malicious: YES, NO, or blank. A blank value means the AX Series appliance could not confirm a malicious verdict; further forensics might be required.
Number of Events: Number of events identified during the analysis.
Children Malware ID(s): Malware IDs of the child analysis jobs associated with this submission, or "-" if there are none.
Parent Malware ID: Malware ID of the parent job when this job is itself a child, or "-" if there is none.
Example The following example displays the information for one malware submission job:
hostname # show malware all limit 1
Malware ID 608 Submission ID 461
Analysis Type:       sandbox
URL:                 8.swf
Analysis Timeout:    500
Analysis Priority:   normal
Force:               true
Profile Name:        winxp-sp3
Profile ID:          43
Application:         InternetExplorer-7.0
Md5Sum:              eb02952066726821f810a219817386c9
State:               done
Status:              success
Submitted Time:      2015-07-27 19:39:33 UTC
Run Start Time:      2015-07-27 20:54:00 UTC
Run End Time:        2015-07-27 21:03:00 UTC
IM:                  NO
Number of Events:    3
Children Malware ID(s)
Parent Malware ID    461
User Role Administrator, Operator, Monitor, or Analyst
Command Mode Enable
Release Information This command was introduced as follows:
AX Series: Release 7.5. The limit option was added and the command output was enhanced to display the statistics about a specific malware submission job in Release 7.7.
Related Commands For a list of related commands, see AX Series Command Family on page 134.
show malware config Displays the settings that you configured for live malware analysis and sandbox analysis.
Syntax show malware config
Parameters None
Output Fields The following table describes the output fields for the show malware config command. Fields are listed in the approximate order in which they appear in the output.
Malware Analysis Mode Enabled: Whether malware analysis mode is enabled.
Malware Download Timeout: Number of seconds after which a sample download that has not completed is abandoned.
Malware Analysis VMs: Percentage of virtual machines (VMs) allocated to malware analysis. This is always 100% on AX Series appliances.
Default Gateway: IP address of the default gateway for the ether2 network interface, used by live analysis.
External IP: External IP address, with prefix length, of the ether2 port.
Internal IP: Internal IP address, with prefix length.
Name Server: IP address of the DNS server that MVX guest images use.
Http Proxy: IP address and port of the HTTP proxy server used by live analysis; 0.0.0.0:0 means no proxy is configured.
Force Data Interface For Prefetch: Whether the prefetch step of live malware analysis is forced to use the data interface (yes or no).
Sandbox Proxy URL: URL or domain of the proxy server used by sandbox analysis.
Example The following example displays the malware analysis settings:
hostname # show malware config
Malware Analysis Mode Enabled:        yes
Malware Download Timeout:             120 (sec)
Malware Analysis VMs:                 100 (percent)
Live Analysis Configuration
  Default Gateway:                    192.168.211.1
  External IP:                        192.168.211.129/24
  Internal IP:                        169.254.100.1/24
  Name Server:                        8.8.8.8
  Http Proxy:                         0.0.0.0:0
  Force Data Interface For Prefetch:  no
Sandbox Analysis Configuration
  Sandbox Proxy URL:                  http://malware.repo.com
The Live Analysis Configuration block is the network path that guest images use during live analysis, so the gateway, name server and proxy shown here are what a sample under live analysis can reach.
User Role Administrator, Operator, Monitor, or Analyst
Command Mode Enable
Release Information This command was introduced as follows:
AX Series: Release 7.5
Related Commands For a list of related commands, see AX Series Command Family on page 134.
show malware done Displays the statistics about the last 100 malware analysis and malware submission jobs that have been completed. This command returns information such as the type of file, status of the malware submission, number of analysis objects that are associated with the malware analysis job, and so on. The malware analysis jobs are listed in descending order by malware ID.
Syntax show malware done [limit number]
Parameters
limit number
(Optional) Displays only the specified number of completed jobs. You can display up to 1000 entries.
Output Fields The following table describes the output fields for the show malware done command. Fields are listed in the approximate order in which they appear in the output.
Malware ID: Malware analysis job number (MID).
Submission ID: Malware submission job number.
Analysis Type: Type of malware analysis (sandbox or live) associated with the submission.
URL: URL of the malware sample, or the file name when the sample was submitted as a file.
Analysis Timeout: Number of seconds after which the analysis is stopped if it has not completed.
Analysis Priority: Priority of this job relative to other jobs waiting in the MVX engine queue. The default priority is normal.
Force: Whether the AX Series appliance was instructed (true) to analyze the sample even if it matches a previous submission for which forensic results have already been generated.
Profile Name: Guest image profile that the MVX engine used for this job.
Profile ID: ID number of that guest image profile.
Application: Application used to open the submitted content inside the guest image.
Md5Sum: MD5 hash of the submitted sample.
State: Whether the job has completed (done), is waiting in the queue to be analyzed, or is currently running.
Status: Outcome of a completed run, for example success.
Submitted Time: Date and time when the job was submitted.
Download Start Time: Time at which the appliance started downloading the sample.
Download End Time: Time at which the download finished.
Run Start Time: Start time of the analysis.
Run End Time: End time of the analysis.
IM: Whether the sample is malicious: YES, NO, or blank. A blank value means the AX Series appliance could not confirm a malicious verdict; further forensics might be required.
Number of Events: Number of events identified during the analysis.
Children Malware ID(s): Malware IDs of the child analysis jobs associated with this submission, or "-" if there are none.
Parent Malware ID: Malware ID of the parent job when this job is itself a child, or "-" if there is none.
Example The following example displays one completed malware analysis job:
hostname # show malware done limit 1
Malware ID 608 Submission ID 461
Analysis Type:       sandbox
URL:                 8.swf
Analysis Timeout:    500
Analysis Priority:   normal
Force:               true
Profile Name:        winxp-sp3
Profile ID:          43
Application:         InternetExplorer-7.0
Md5Sum:              eb02952066726821f810a219817386c9
State:               done
Status:              success
Submitted Time:      2015-07-27 19:39:33 UTC
Run Start Time:      2015-07-27 20:54:00 UTC
Run End Time:        2015-07-27 21:03:00 UTC
IM:                  NO
Number of Events:    3
Children Malware ID(s)
Parent Malware ID    461
User Role Administrator, Operator, Monitor, or Analyst
Command Mode Enable
Release Information This command was introduced as follows:
AX Series: Release 7.5. The limit option was added and the command output was enhanced to display the statistics about a specific malware submission job in Release 7.7.
Related Commands For a list of related commands, see AX Series Command Family on page 134.
show malware events Displays the last 100 malware analysis jobs with events. This command returns the malware analysis jobs with events and includes event information such as the event's type, occurrence time, name, analysis type, and so on. The malware records are listed in descending order by malware ID.
Syntax show malware events [limit number]
Parameters
limit number
(Optional) Displays only the specified number of jobs with events. You can display up to 1000 entries.
Output Fields The following table describes the output fields for the show malware events command. Fields are listed in the approximate order in which they appear in the output.
Malware ID: Malware analysis job number (MID).
Submission ID: Malware submission job number.
Analysis Type: Type of malware analysis (sandbox or live) associated with the submission.
URL: URL of the malware sample, or the file name when the sample was submitted as a file.
Analysis Timeout: Number of seconds after which the analysis is stopped if it has not completed.
Analysis Priority: Priority of this job relative to other jobs waiting in the MVX engine queue. The default priority is normal.
Force: Whether the AX Series appliance was instructed (true) to analyze the sample even if it matches a previous submission for which forensic results have already been generated.
Profile Name: Guest image profile that the MVX engine used for this job.
Profile ID: ID number of that guest image profile.
Application: Application used to open the submitted content inside the guest image.
Md5Sum: MD5 hash of the submitted sample.
State: Whether the job has completed (done), is waiting in the queue to be analyzed, or is currently running.
Status: Outcome of a completed run, for example success.
Submitted Time: Date and time when the job was submitted.
Download Start Time: Time at which the appliance started downloading the sample.
Download End Time: Time at which the download finished.
Run Start Time: Start time of the analysis.
Run End Time: End time of the analysis.
IM: Whether the sample is malicious: YES, NO, or blank. A blank value means the AX Series appliance could not confirm a malicious verdict; further forensics might be required.
Number of Events: Number of events identified during the analysis.
Children Malware ID(s): Malware IDs of the child analysis jobs associated with this submission, or "-" if there are none.
Parent Malware ID: Malware ID of the parent job when this job is itself a child, or "-" if there is none.
The following fields are printed once per event:
Occurrence Time: Time at which the event occurred.
Event Type: Type of event that was identified (for example, checksum-match).
Trace ID: Trace job number associated with the work order.
Original Malware ID: When the sample is a duplicate of an earlier submission, the malware ID of the original analysis job whose results are reported.
Example The following example displays one malware analysis job with an event:
hostname # show malware events limit 1
Malware ID 607 Submission ID 429
Analysis Type:       sandbox
URL:                 ms_cdf_8450274
Analysis Timeout:    500
Analysis Priority:   normal
Force:               true
Profile Name:        winxp-sp3
Profile ID:          43
Application:         Multiple-MS-Excel-X
Md5Sum:              7fdde3aa553a11da085bb70fc29c66d8
State:               done
Status:              success
Submitted Time:      2015-07-27 19:39:33 UTC
Run Start Time:      2015-07-27 20:45:21 UTC
Run End Time:        2015-07-27 21:02:24 UTC
IM:                  NO
Number of Events:    1
Children Malware ID(s)
Parent Malware ID    429
Event 4557:
  Occurrence Time     : 2015-08-27 20:39:16 UTC
  Event Type          : checksum-match
  Analysis Type       : Malware
  Trace ID            : 1385
  Malware ID          : 1385
  Original Malware ID :
  Name                : Trojan.SWF
  Match Type          : av-suite
  EDP URL             : https://mil.fireeye.com/edp.php?sname=Trojan.SWF
Note that this job's IM field is NO although its single event is a checksum match against the AV suite (Trojan.SWF); the IM verdict and the event list are separate signals, and both should be checked before a job is closed as benign.
User Role Administrator, Operator, Monitor, or Analyst
Command Mode Enable
Release Information This command was introduced as follows:
AX Series: Release 7.5. The limit option was added and the command output was enhanced to display the statistics about a specific malware submission job in Release 7.7.
Related Commands For a list of related commands, see AX Series Command Family on page 134.
show malware file analysis_tmo Displays the number of seconds after which file analysis stops within a guest image in unattended mode.
Syntax show malware file analysis_tmo
Parameters None
Example The following example displays that file analysis stops after 240 seconds within a guest image in unattended mode: hostname # show malware file analysis_tmo EMA file analysis timeout (seconds): 240
User Role Administrator, Operator, Monitor, or Analyst
Command Mode Enable
Release Information This command was introduced as follows:
AX Series: Release 7.5
Related Commands For a list of related commands, see AX Series Command Family on page 134
show malware file repositories Displays the configuration of the network share settings and profile repositories.
Syntax show malware file repositories
Parameters None
Output Fields The following table describes the output fields for the show malware file repositories command. Fields are listed in the approximate order in which they appear in the output.
Enabled: Whether the AX Series appliance is allowed to communicate with the network share (under Shared Point) or to use the repository (under each guest image).
Share URL: SMB or CIFS path to the network share.
Auth Enabled: Whether the appliance authenticates to the share with the configured username and password.
User: Username configured for the network share.
Pass: Password configured for the network share; it is shown masked (********) in the output.
Guest OS ID: ID number and name of each guest image that has a profile repository.
Input (src): Path on the share, for each guest image, from which files are picked up for submission.
Input (good): Path on the share, for each guest image, in which files that were analyzed and found to be nonmalicious are placed.
Input (bad): Path on the share, for each guest image, in which files that were analyzed and found to be malicious are placed.
Poll Interval (min): Interval, in minutes, at which the appliance polls the repositories.
Example The following example displays the configuration of the repositories:
hostname # show malware file repositories
Shared Point:
  Enabled       : yes
  Share URL     : cifs://172.16.220.88/puertorico
  Auth Enabled  : yes
  User          : root
  Pass          : ********
Profile Repositories:
  Guest OS ID: 23 winxp-sp2m
    Enabled      : yes
    Input (src)  : sp2
    Input (good) : sp2/good
    Input (bad)  : sp2/bad
  Guest OS ID: 43 winxp-sp3m
    Enabled      : yes
    Input (src)  : sp3
    Input (good) : sp3/good
    Input (bad)  : sp3/bad
  Guest OS ID: 65 win7-sp1m
    Enabled      : yes
    Input (src)  : w7
    Input (good) : w7-sp1/good
    Input (bad)  : w7-sp1/bad
  Guest OS ID: 66 win7x64-sp1m
    Enabled      : yes
    Input (src)  : w7-64-sp1
    Input (good) : w7-64-sp1/good
    Input (bad)  : w7-64-sp1/bad
  Guest OS ID: 90 osx-10.8.2
    Enabled      : yes
    Input (src)  : 10.8.2
    Input (good) : 10.8.2/good
    Input (bad)  : 10.8.2/bad
  Guest OS ID: 91 osx-10.9
    Enabled      : yes
    Input (src)  : 10.9
    Input (good) : 10.9/good
    Input (bad)  : 10.9/bad
Poll Interval (min): 5
User Role Administrator, Operator, Monitor, or Analyst
Command Mode Enable
Release Information This command was introduced as follows:
AX Series: Release 7.5
Related Commands For a list of related commands, see AX Series Command Family on page 134.
show malware id Displays information about a specific malware analysis and malware submission job.
Syntax show malware id malware_id
Parameters
malware_id
The malware analysis job number (MID) of the job to display, as listed by show malware list.
Output Fields The following table describes the output fields for the show malware id command. Fields are listed in the approximate order in which they appear in the output.
Malware ID: Malware analysis job number (MID).
Submission ID: Malware submission job number.
Analysis Type: Type of malware analysis (sandbox or live) associated with the submission.
URL: URL of the malware sample, or the file name when the sample was submitted as a file.
Analysis Timeout: Number of seconds after which the analysis is stopped if it has not completed.
Analysis Priority: Priority of this job relative to other jobs waiting in the MVX engine queue. The default priority is normal.
Force: Whether the AX Series appliance was instructed (true) to analyze the sample even if it matches a previous submission for which forensic results have already been generated.
Profile Name: Guest image profile that the MVX engine used for this job.
Profile ID: ID number of that guest image profile.
Application: Application used to open the submitted content inside the guest image.
Md5Sum: MD5 hash of the submitted sample.
State: Whether the job has completed (done), is waiting in the queue to be analyzed, or is currently running.
Status: Outcome of a completed run, for example success.
Submitted Time: Date and time when the job was submitted.
Download Start Time: Time at which the appliance started downloading the sample.
Download End Time: Time at which the download finished.
Run Start Time: Start time of the analysis.
Run End Time: End time of the analysis.
IM: Whether the sample is malicious: YES, NO, or blank. A blank value means the AX Series appliance could not confirm a malicious verdict; further forensics might be required.
Number of Events: Number of events identified during the analysis.
Children Malware ID(s): Malware IDs of the child analysis jobs associated with this submission, or "-" if there are none.
Parent Malware ID: Malware ID of the parent job when this job is itself a child, or "-" if there is none.
The following fields are printed once per event:
Occurrence Time: Time at which the event occurred.
Event Type: Type of event that was identified during the analysis (for example, os-change-anomaly).
Analysis Type: Type of analysis associated with the event.
Example The following example displays malware analysis information for job number 979:
hostname # show malware id 979
Malware ID 979 Submission ID 979
Analysis Type:       sandbox
URL:                 http://172.17.69.101/samples/14R2/newFeatures/GI-2265/clean_cryptofiles/file1.ppt
Analysis Timeout:    120
Analysis Priority:   normal
Force:               true
Profile Name:        winxp-sp3
Profile ID:          43
Application:         Multiple-MS-PowerPoint-X
Md5Sum:              88fa84068380c9ceff73450de484d9d8
State:               done
Status:              success
Submitted Time:      2015-08-21 19:22:07 UTC
Download Start Time: 2015-08-21 19:49:55 UTC
Download End Time:   2015-08-21 19:52:43 UTC
Run Start Time:      2015-08-21 19:49:55 UTC
Run End Time:        2015-08-21 19:52:43 UTC
IM:                  NO
Number of Events:    1
Children Malware ID(s)
Parent Malware ID    -
Event 5157:
  Occurrence Time    : 2015-08-21 19:52:43 UTC
  Event Type         : os-change-anomaly
  Analysis Type      : Malware
  Trace ID           : 979
  Malware ID         : 979
  OS Change Analysis : success true
  system-version.json 1.01
  Suspicious startup behaviour
  EDP URL            : https://mil.fireeye.com/edp.php?sname=Malware.Binary.ppt
  PCAP URL           : https://172.16.197.50/event_stream/send_pcap_file?ev_id=5157
  PCAP (text)        : https://172.16.197.50/event_stream/send_pcap_ascii?ev_id=5157
Here the IM verdict is NO even though the single event is an os-change-anomaly described as suspicious startup behaviour; review the event detail and the PCAP linked from the event before closing such a job as benign.
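When this output is collected over SSH for a ticketing or SIEM pipeline, the record has to be turned back into fields: a "Malware ID N Submission ID M" header, "Key: value" lines, and one or more "Event N:" blocks whose lines use "Key : value" plus free-text detail lines such as "Suspicious startup behaviour". The following Python parser is an added example and not FireEye code; it handles that layout (which the other show malware commands on this page share), maps the IM field to a verdict using the page's rule that a blank IM is inconclusive, and parses the Children/Parent ID lists. The sample text is constructed from the show malware id 979 output above, with colons added to the Children and Parent lines so they parse like the other fields; all function names are this example's own.

```python
"""Parse the key/value record printed by `show malware id <mid>` (and the other
`show malware ...` commands, which use the same layout) into a dictionary,
including nested 'Event N:' blocks.  Added example, not FireEye code; the
sample below is constructed from the show malware id 979 output above."""
import re

SAMPLE_SHOW_MALWARE_ID = """\
Malware ID 979 Submission ID 979
Analysis Type:        sandbox
URL:                  http://172.17.69.101/samples/14R2/newFeatures/GI-2265/clean_cryptofiles/file1.ppt
Analysis Timeout:     120
Analysis Priority:    normal
Force:                true
Profile Name:         winxp-sp3
Profile ID:           43
Application:          Multiple-MS-PowerPoint-X
Md5Sum:               88fa84068380c9ceff73450de484d9d8
State:                done
Status:               success
Submitted Time:       2015-08-21 19:22:07 UTC
Download Start Time:  2015-08-21 19:49:55 UTC
Download End Time:    2015-08-21 19:52:43 UTC
Run Start Time:       2015-08-21 19:49:55 UTC
Run End Time:         2015-08-21 19:52:43 UTC
IM:                   NO
Number of Events:     1
Children Malware ID(s): -
Parent Malware ID:    -
Event 5157:
  Occurrence Time    : 2015-08-21 19:52:43 UTC
  Event Type         : os-change-anomaly
  Analysis Type      : Malware
  Trace ID           : 979
  Malware ID         : 979
  OS Change Analysis : success true
  system-version.json 1.01
  Suspicious startup behaviour
  EDP URL            : https://mil.fireeye.com/edp.php?sname=Malware.Binary.ppt
  PCAP URL           : https://172.16.197.50/event_stream/send_pcap_file?ev_id=5157
  PCAP (text)        : https://172.16.197.50/event_stream/send_pcap_ascii?ev_id=5157
"""

RECORD_HEADER = re.compile(r"^Malware ID (\d+) Submission ID (\d+)$")
EVENT_HEADER = re.compile(r"^Event (\d+):$")
INT_FIELDS = {"Analysis Timeout", "Profile ID", "Number of Events", "Trace ID", "Malware ID"}


def parse_id_list(value):
    """'602, 601' -> [602, 601]; '-' or blank -> []."""
    return [int(x) for x in re.findall(r"\d+", value)]


def parse_show_malware(text):
    """Return the record as a dict; nested events live under record['events']."""
    record = {"events": []}
    target = record  # dict receiving key/value lines: the record or the open event
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = RECORD_HEADER.match(line)
        if m:
            record["Malware ID"], record["Submission ID"] = int(m.group(1)), int(m.group(2))
            continue
        e = EVENT_HEADER.match(line)
        if e:
            target = {"Event ID": int(e.group(1)), "notes": []}
            record["events"].append(target)
            continue
        if ":" in line:
            # Split on the first colon only: timestamps and URLs contain more colons.
            key, value = (part.strip() for part in line.split(":", 1))
            if key in INT_FIELDS and value.isdigit():
                value = int(value)  # '(null)' or blank stays a string on purpose
            elif key == "Children Malware ID(s)":
                value = parse_id_list(value)
            elif key == "Parent Malware ID":
                ids = parse_id_list(value)
                value = ids[0] if ids else None
            target[key] = value
        elif target is not record:
            target["notes"].append(line)  # free-text detail line inside an event
    return record


def verdict(record):
    """IM -> verdict. A blank IM is 'inconclusive': the appliance could not
    confirm a malicious verdict and further forensics might be required."""
    im = str(record.get("IM", "")).strip().upper()
    return {"YES": "malicious", "NO": "benign"}.get(im, "inconclusive")


def summarize(record):
    """Flat, SIEM-ready summary: ids, hash, verdict, event types, PCAP links."""
    return {
        "mid": record.get("Malware ID"),
        "md5": record.get("Md5Sum"),
        "verdict": verdict(record),
        "event_types": [ev.get("Event Type") for ev in record["events"]],
        "pcaps": [ev["PCAP URL"] for ev in record["events"] if "PCAP URL" in ev],
        "children": record.get("Children Malware ID(s)", []),
    }


if __name__ == "__main__":
    print(summarize(parse_show_malware(SAMPLE_SHOW_MALWARE_ID)))
```

The parser deliberately leaves a "Number of Events" value of "(null)" (as in the show malware mode example on this page) as a string rather than coercing it to 0, so a missing event count is not mistaken for a job with no events.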
User Role Administrator, Operator, Monitor, or Analyst
Command Mode Enable
Release Information This command was introduced as follows:
AX Series: Release 7.5. The command output was enhanced to display the statistics about a specific malware submission job in Release 7.7.
Related Commands For a list of related commands, see AX Series Command Family on page 134.
show malware list Displays a full list of all malware analysis jobs, in descending order by job number, or malware ID (MID). For more information, refer to the AX Series Threat Management Guide.
Syntax show malware list
Parameters None
Example The following example displays partial output of a list of all malware analysis jobs:
hostname # show malware list
MID  MD5                               Date/Time                NumEvents (ID/TYPE)               Detection
600  69e9125cbee713b96c09db95188fd138  2015-07-27 21:28:05 UTC  2 ( 1189:oc 1188:cm to 200 isc )  m
599  f6cf30da321f9c298f25a41b46afe0d2  2015-07-27 21:28:05 UTC  2 ( 1187:oc 1186:cm to 199 isc )  m
598  f858e249e7397f2a517773c436fb66ca  2015-07-27 21:28:03 UTC  2 ( 1185:oc 1184:cm to 198 isc )  m
583  e163a49901f77d41ceaed07dbc01cce2  2015-07-27 21:28:01 UTC  2 ( 1183:oc 1182:cm to 183 isc )  m
597  38e5c9b87e3169809d39f83d1f5197bd  2015-07-27 21:28:01 UTC  2 ( 1181:oc 1180:cm to 197 isc )  m
User Role Administrator, Operator, Monitor, or Analyst
Command Mode Enable
Release Information This command was introduced as follows:
AX Series: Release 7.5
Related Commands For a list of related commands, see AX Series Command Family on page 134.
show malware md5 Displays the malware analysis jobs whose submitted sample has a specific MD5 checksum.
Syntax show malware md5 md5_checksum
Parameters
md5_checksum
The 32-hexadecimal-digit MD5 hash of the sample to look up.
Example The following example displays the jobs that match the MD5 checksum eb02952066726821f810a219817386c9:
hostname # show malware md5 eb02952066726821f810a219817386c9
MalwareID   MD5SUM
603         eb02952066726821f810a219817386c9
608         eb02952066726821f810a219817386c9
More than one job for the same hash means the sample was analyzed more than once, for example when it was resubmitted with Force set to true, as in the show malware all example for malware ID 608 above; compare the jobs' IM verdicts and event counts rather than relying on the first match.
User Role Administrator, Operator, Monitor, or Analyst
Command Mode Enable
Release Information This command was introduced as follows:
AX Series: Release 7.5
Related Commands For a list of related commands, see AX Series Command Family on page 134.
show malware mode Displays the results of the live or sandbox malware analysis and submission jobs.
Syntax show malware mode {live | sandbox} [limit number]
Parameters
live
Displays the results of the live malware analysis jobs.
sandbox
Displays the results of the sandbox malware analysis jobs.
limit number
(Optional) Displays results for only the specified number of malware analysis jobs. You can display up to 1000 entries.
Output Fields The following table describes the output fields for the show malware mode command. Fields are listed in the approximate order in which they appear in the output.
Malware ID: Malware analysis job number (MID).
Submission ID: Malware submission job number.
Analysis Type: Type of malware analysis (sandbox or live) associated with the submission.
URL: URL of the malware sample, or the file name when the sample was submitted as a file.
Analysis Timeout: Number of seconds after which the analysis is stopped if it has not completed.
Analysis Priority: Priority of this job relative to other jobs waiting in the MVX engine queue. The default priority is normal.
Force: Whether the AX Series appliance was instructed (true) to analyze the sample even if it matches a previous submission for which forensic results have already been generated.
Profile Name: Guest image profile that the MVX engine used for this job.
Profile ID: ID number of that guest image profile.
Application: Application used to open the submitted content inside the guest image.
Md5Sum: MD5 hash of the submitted sample.
State: Whether the job has completed (done), is waiting in the queue to be analyzed, or is currently running.
Status: Outcome of a completed run, for example success.
Submitted Time: Date and time when the job was submitted.
Download Start Time: Time at which the appliance started downloading the sample.
Download End Time: Time at which the download finished.
Run Start Time: Start time of the analysis.
Run End Time: End time of the analysis.
IM: Whether the sample is malicious: YES, NO, or blank. A blank value means the AX Series appliance could not confirm a malicious verdict; further forensics might be required.
Number of Events: Number of events identified during the analysis.
Children Malware ID(s): Malware IDs of the child analysis jobs associated with this submission, or "-" if there are none.
Parent Malware ID: Malware ID of the parent job when this job is itself a child, or "-" if there is none.
Example The following example displays the information for one sandbox malware analysis job:
hostname # show malware mode sandbox limit 1
Malware ID 800 Submission ID 800
Analysis Type:       sandbox
URL:                 http://172.16.146.53/AllObjects/pdf_7602255
Analysis Timeout:    500
Analysis Priority:   normal
Application:         Multiple Adobe Reader X
Force:               true
Profile Name:        win7x64-sp1
Profile ID:          66
Md5Sum:              69e9125cbee713b96c09db95188fd138
State:               done
Status:              success
Submitted Time:      2015-08-27 20:54:21 UTC
Download Start Time: 2015-08-27 20:54:21 UTC
Download End Time:   2015-08-27 20:54:22 UTC
Run Start Time:      2015-08-27 23:06:02 UTC
Run End Time:        2015-08-27 23:15:00 UTC
IM:                  YES
Number of Events:    (null)
Children Malware ID(s)
Parent Malware ID    -
In this record the verdict is YES while Number of Events is (null) rather than 0; a null event count is not the same as no events, so do not filter malicious jobs on the event count alone.
User Role Administrator, Operator, Monitor, or Analyst
Command Mode Enable
Release Information This command was introduced as follows:
AX Series: Release 7.5. The limit option was added and the command output was enhanced to display the statistics about a specific malware submission job in Release 7.7.
Related Commands For a list of related commands, see AX Series Command Family on page 134.
show malware no-events Displays information about malware analysis jobs with no events.
Syntax show malware no-events [limit number]
Parameters
limit number
(Optional) Displays only the specified number of jobs with no events. You can display up to 1000 entries.
Output Fields The following table describes the output fields for the show malware no-events command. Fields are listed in the approximate order in which they appear in the output.
Malware ID: Malware analysis job number (MID).
Submission ID: Malware submission job number.
Analysis Type: Type of malware analysis (sandbox or live) associated with the submission.
URL: URL of the malware sample, or the file name when the sample was submitted as a file.
Analysis Timeout: Number of seconds after which the analysis is stopped if it has not completed.
Analysis Priority: Priority of this job relative to other jobs waiting in the MVX engine queue. The default priority is normal.
Force: Whether the AX Series appliance was instructed (true) to analyze the sample even if it matches a previous submission for which forensic results have already been generated.
Profile Name: Guest image profile that the MVX engine used for this job.
Profile ID: ID number of that guest image profile.
Application: Application used to open the submitted content inside the guest image.
Md5Sum: MD5 hash of the submitted sample.
State: Whether the job has completed (done), is waiting in the queue to be analyzed, or is currently running.
Status: Outcome of a completed run, for example success.
Submitted Time: Date and time when the job was submitted.
Download Start Time: Time at which the appliance started downloading the sample.
Download End Time: Time at which the download finished.
Run Start Time: Start time of the analysis.
Run End Time: End time of the analysis.
IM: Whether the sample is malicious: YES, NO, or blank. A blank value means the AX Series appliance could not confirm a malicious verdict; further forensics might be required.
Number of Events: Number of events identified during the analysis.
Children Malware ID(s): Malware IDs of the child analysis jobs associated with this submission, or "-" if there are none.
Parent Malware ID: Malware ID of the parent job when this job is itself a child, or "-" if there is none.
Example The following example displays one malware analysis and submission job with no events:
hostname # show malware no-events limit 1
Malware ID 29 Submission ID 29
Analysis Type:       sandbox
URL:                 http://172.16.146.53/AllObjects/ms_cdf_8450274
Analysis Timeout:    500
Analysis Priority:   normal
Force:               true
Profile Name:        win7-sp1
Profile ID:          65
Application:         -
Md5Sum:              2222db949455dcf5c9ade4ae18403330
State:               done
Status:              success
Submitted Time:      2015-07-27 19:39:28 UTC
Download Start Time: 2015-07-27 19:39:31 UTC
Download End Time:   2015-07-27 19:48:19 UTC
Run Start Time:      2015-07-27 19:39:32 UTC
Run End Time:        2015-07-27 19:48:21 UTC
IM:                  NO
Number of Events:    0
Children Malware ID(s) 602, 601
Parent Malware ID    -
User Role Administrator, Operator, Monitor, or Analyst
Command Mode Enable
Release Information This command was introduced as follows:
AX Series: Release 7.5. The limit option was added and the command output was enhanced to display the statistics about a specific malware submission job in Release 7.7.
Related Commands For a list of related commands, see AX Series Command Family on page 134.
show malware no-os-change-anomaly Displays malware analysis jobs with no operating system change anomaly events.
Syntax show malware no-os-change-anomaly [limit ]
Parameters limit
(Optional) Displays the specified number of entries for jobs with no operating system change anomaly events. You can display up to 1000 entries.
Output Fields The following table describes the output fields for the show malware no-os-change-anomaly command. Fields are listed in the approximate order in which they appear in the output. Field
Description
Malware ID
Specific malware analysis job number.
Submission ID
Specific malware submission job number.
Analysis Type
Type of malware analysis (sandbox or live) that is associated with the malware submission job number.
URL
Single URL of the malware sample.
Analysis Timeout
Number of seconds after which the malware analysis stops if the analysis is not complete.
Analysis Priority
Priority setting for the current analysis, if you add multiple analysis jobs at the same time to the MVX engine queue. The default priority is normal.
Force
Force the AX Series appliance to perform the submitted analysis even if it matches a previous submission for which forensic results have been generated.
Profile Name
Guest image profile that the MVX engine uses for the current malware analysis job.
Profile ID
Guest image profile ID number.
Application
Application used to test submitted content.
Md5Sum
Result of the MD5 checksum.
State
Whether the malware submission job has been completed, is in the queue waiting to be analyzed, or is currently running.
Submitted Time
Date and time when the malware analysis job was submitted.
Download Start Time
Start time of the download.
Download End Time
End time of the download.
Run Start Time
Start time of the analysis.
Run End Time
End time of the analysis.
IM
Whether the sample is malicious. The results can be Yes, No, or blank. If the entry is blank, the AX Series appliance cannot confirm a malicious attack. Further forensics might be required.
Number of Events
Number of events identified in the analysis.
Children Malware ID(s)
Specific child malware analysis job number that is associated with the parent malware submission.
Parent Malware ID
Specific parent malware analysis job number that is associated with the child malware submission.
Example The following example displays one malware analysis and submission job with no operating system change anomaly events:
hostname # show malware no-os-change-anomaly limit 1
Malware ID 916 Submission ID 916
Analysis Type:          sandbox
URL:                    http://malrepo.eng.fireeye.com/repo/windows/Windows-Ebryx/test_data/malware_families/Gapz_756f1576aaf50357662a885e6ef80c06
Analysis Timeout:       120
Analysis Priority:      normal
Force:                  true
Profile Name:           winxp-sp3
Profile ID:             43
Application:            -
Md5Sum:                 756f1576aaf50357662a885e6ef80c06
State:                  done
Status:                 success
Submitted Time:         2015-08-26 00:44:12 UTC
Download Start Time:    2015-08-26 01:07:03 UTC
Download End Time:      2015-08-26 01:11:56 UTC
Run Start Time:         2015-08-26 01:08:01 UTC
Run End Time:           2015-08-26 01:11:57 UTC
IM:                     YES
Number of Events:       0
Children Malware ID(s)  1295
Parent Malware ID       -
User Role Administrator, Operator, Monitor, or Analyst
Command Mode Enable
Release Information This command was introduced as follows:
- AX Series: Release 7.5. The limit option was added and the command output was enhanced to display the statistics about a specific malware submission job in Release 7.7.
Related Commands For a list of related commands, see AX Series Command Family on page 134.
show malware no-vm-outbound-comm Displays malware analysis jobs with no virtual machine outbound communication events.
Syntax show malware no-vm-outbound-comm [limit ]
Parameters limit
(Optional) Displays the specified number of entries for jobs with no virtual machine outbound communication events. You can display up to 1000 entries.
Output Fields The following table describes the output fields for the show malware no-vm-outbound-comm command. Fields are listed in the approximate order in which they appear in the output. Field
Description
Malware ID
Specific malware analysis job number.
Submission ID
Specific malware submission job number.
Analysis Type
Type of malware analysis (sandbox or live) that is associated with the malware submission job number.
URL
Single URL of the malware sample.
Analysis Timeout
Number of seconds after which the malware analysis stops if the analysis is not complete.
Analysis Priority
Priority setting for the current analysis, if you add multiple analysis jobs at the same time to the MVX engine queue. The default priority is normal.
Force
Force the AX Series appliance to perform the submitted analysis even if it matches a previous submission for which forensic results have been generated.
Profile Name
Guest image profile that the MVX engine uses for the current malware analysis job.
Profile ID
Guest image profile ID number.
Application
Application used to test submitted content.
Md5Sum
Result of the MD5 checksum.
State
Whether the malware submission job has been completed, is in the queue waiting to be analyzed, or is currently running.
Submitted Time
Date and time when the malware analysis job was submitted.
Download Start Time
Start time of the download.
Download End Time
End time of the download.
Run Start Time
Start time of the analysis.
Run End Time
End time of the analysis.
IM
Whether the sample is malicious. The results can be Yes, No, or blank. If the entry is blank, the AX Series appliance cannot confirm a malicious attack. Further forensics might be required.
Number of Events
Number of events identified in the analysis.
Children Malware ID(s)
Specific child malware analysis job number that is associated with the parent malware submission.
Parent Malware ID
Specific parent malware analysis job number that is associated with the child malware submission.
Example The following example displays one malware analysis and submission job with no virtual machine outbound communication events:
hostname # show malware no-vm-outbound-comm limit 1
Malware ID 1 Submission ID 1
Analysis Type:          sandbox
URL:                    http://172.16.146.53/AllObjects/doc_1369124
Analysis Timeout:       500
Analysis Priority:      normal
Force:                  true
Profile Name:           win7-sp1
Profile ID:             65
Application:            Multiple-MS-Word-X
Md5Sum:                 a42cdbbd16464eca96fa77247b91c31b
State:                  done
Status:                 success
Submitted Time:         2015-07-27 19:39:28 UTC
Download Start Time:    2015-07-27 19:39:29 UTC
Download End Time:      2015-07-27 19:48:15 UTC
Run Start Time:         2015-07-27 19:39:30 UTC
Run End Time:           2015-07-27 19:48:15 UTC
IM:                     YES
Number of Events:       0
Children Malware ID(s)
Parent Malware ID       -
User Role Administrator, Operator, Monitor, or Analyst
Command Mode Enable
Release Information This command was introduced as follows:
- AX Series: Release 7.5. The limit option was added and the command output was enhanced to display the statistics about a specific malware submission job in Release 7.7.
Related Commands For a list of related commands, see AX Series Command Family on page 134.
show malware priority Displays information about malware analysis and malware submission jobs based on priority.
Syntax show malware priority [limit ]
Parameters priority
The priority of the malware analysis jobs. The following modes are available:
- normal—Displays the results of the analysis jobs with normal priority.
- urgent—Displays the results of the analysis jobs with urgent priority.
limit
(Optional) Displays the results for the specified number of malware analysis jobs based on priority. You can display up to 1000 entries.
Output Fields The following table describes the output fields for the show malware priority command. Fields are listed in the approximate order in which they appear in the output. Field
Description
Malware ID
Specific malware analysis job number.
Submission ID
Specific malware submission job number.
Analysis Type
Type of malware analysis (sandbox or live) that is associated with the malware submission job number.
URL
Single URL of the malware sample.
Analysis Timeout
Number of seconds after which the malware analysis stops if the analysis is not complete.
Analysis Priority
Priority setting for the current analysis, if you add multiple analysis jobs at the same time to the MVX engine queue.
Force
Force the AX Series appliance to perform the submitted analysis even if it matches a previous submission for which forensic results have been generated.
Profile Name
Guest image profile that the MVX engine uses for the current malware analysis job.
Profile ID
Guest image profile ID number.
Application
Application used to test submitted content.
Md5Sum
Result of the MD5 checksum.
State
Whether the malware submission job has been completed, is in the queue waiting to be analyzed, or is currently running.
Submitted Time
Date and time when the malware analysis job was submitted.
Download Start Time
Start time of the download.
Download End Time
End time of the download.
Run Start Time
Start time of the analysis.
Run End Time
End time of the analysis.
IM
Whether the sample is malicious. The results can be Yes, No, or blank. If the entry is blank, the AX Series appliance cannot confirm a malicious attack. Further forensics might be required.
Number of Events
Number of events identified in the analysis.
Children Malware ID(s)
Specific child malware analysis job number that is associated with the parent malware submission.
Parent Malware ID
Specific parent malware analysis job number that is associated with the child malware submission.
Example The following example displays the information for one malware analysis job with normal priority:
hostname # show malware priority normal limit 1
Malware ID 608 Submission ID 461
Analysis Type:          sandbox
URL:                    8.swf
Analysis Timeout:       500
Analysis Priority:      normal
Force:                  true
Profile Name:           winxp-sp3
Profile ID:             43
Application:            InternetExplorer-7.0
Md5Sum:                 eb02952066726821f810a219817386c9
State:                  done
Status:                 success
Submitted Time:         2015-07-27 19:39:33 UTC
Run Start Time:         2015-07-27 20:54:00 UTC
Run End Time:           2015-07-27 21:03:00 UTC
IM:                     YES
Number of Events:       (null)
Children Malware ID(s)
Parent Malware ID       461
User Role Administrator, Operator, Monitor, or Analyst
Command Mode Enable
Release Information This command was introduced as follows:
- AX Series: Release 7.5. The limit option was added and the command output was enhanced to display the statistics about a specific malware submission job in Release 7.7.
Related Commands For a list of related commands, see AX Series Command Family on page 134.
show malware queued Displays the malware analysis and submission jobs that are in the queue waiting to be analyzed.
Syntax show malware queued [limit ]
Parameters limit
(Optional) Displays the specified number of entries that are in the queue. You can display up to 1000 entries.
Output Fields The following table describes the output fields for the show malware queued command. Fields are listed in the approximate order in which they appear in the output. Field
Description
Malware ID
Specific malware analysis job number.
Submission ID
Specific malware submission job number.
Analysis Type
Type of malware analysis (sandbox or live) that is associated with the malware submission job number.
URL
Single URL of the malware sample.
Analysis Timeout
Number of seconds after which the malware analysis stops if the analysis is not complete.
Analysis Priority
Priority setting for the current analysis, if you add multiple analysis jobs at the same time to the MVX engine queue. The default priority is normal.
Profile Name
Guest image profile that the MVX engine uses for the current malware analysis job.
Profile ID
Guest image profile ID number.
Application
Application used to test submitted content.
State
Whether the malware submission job has been completed, is in the queue waiting to be analyzed, or is currently running.
Submitted Time
Date and time when the malware analysis job was submitted.
Number of Events
Number of events identified in the analysis.
Children Malware ID(s)
Specific child malware analysis job number that is associated with the parent malware submission.
Parent Malware ID
Specific parent malware analysis job number that is associated with the child malware submission.
Example The following example displays one malware analysis job that is in the queue:
hostname # show malware queued
Malware ID 2 Submission ID 2
Analysis Type:          sandbox
URL:                    http://qa-server.eng.fireeye.com/QA/xli/mas/test-infection.pdf
Analysis Timeout:       100
Analysis Priority:      normal
Profile Name:           win7-sp1m
Profile ID:             65
Application:            -
State:                  queued
Status:                 -
Submitted Time:         2015-09-02 23:01:24 UTC
Number of Events:       0
Children Malware ID(s)
Parent Malware ID       -
User Role Administrator, Operator, Monitor, or Analyst
Command Mode Enable
Release Information This command was introduced as follows:
- AX Series: Release 7.5. The limit option was added and the command output was enhanced to display the statistics about a specific malware submission job in Release 7.7.
Related Commands For a list of related commands, see AX Series Command Family on page 134.
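The job record printed by the show malware no-events, no-os-change-anomaly, no-vm-outbound-comm, priority and queued commands above shares one layout, which makes it practical to collect the output over SSH and triage jobs in bulk. The following Python script is an added example, not FireEye code: it parses such records into dictionaries, normalises the empty markers the appliance prints ("-", "(null)", blank), computes the sandbox run time, and flags finished jobs whose IM field is blank, the case the field descriptions say cannot be confirmed and may need further forensics. SAMPLE_RECORDS is constructed from the field layout in this guide (column alignment assumed); the jobs with IDs 2 and 7 are hypothetical.

```python
"""Parse the per-job records printed by the AX Series `show malware ...`
commands and triage each job on its IM verdict.

Added example, not FireEye code. SAMPLE_RECORDS is constructed from the
field layout in this reference (column alignment assumed); jobs 2 and 7
are hypothetical.
"""
import re
from datetime import datetime

SAMPLE_RECORDS = """\
Malware ID 608 Submission ID 461
Analysis Type:        sandbox
URL:                  8.swf
Application:          InternetExplorer-7.0
Md5Sum:               eb02952066726821f810a219817386c9
State:                done
Status:               success
Submitted Time:       2015-07-27 19:39:33 UTC
Run Start Time:       2015-07-27 20:54:00 UTC
Run End Time:         2015-07-27 21:03:00 UTC
IM:                   YES
Number of Events:     (null)
Children Malware ID(s)
Parent Malware ID     461
Malware ID 2 Submission ID 2
Analysis Type:        sandbox
URL:                  http://example.invalid/sample.pdf
State:                queued
Status:               -
Submitted Time:       2015-09-02 23:01:24 UTC
IM:
Number of Events:     0
Children Malware ID(s) 3, 4
Parent Malware ID     -
Malware ID 7 Submission ID 7
State:                done
Status:               success
Run Start Time:       2015-09-03 01:00:00 UTC
Run End Time:         2015-09-03 01:02:30 UTC
IM:
Number of Events:     0
Children Malware ID(s)
Parent Malware ID     -
"""

HEADER_RE = re.compile(r"^Malware ID\s+(\d+)\s+Submission ID\s+(\d+)\s*$")
# These two fields are printed without a colon.
NOCOLON_RE = re.compile(r"^(Children Malware ID\(s\)|Parent Malware ID)\s*(.*)$")
TIME_FMT = "%Y-%m-%d %H:%M:%S %Z"

def _value(raw):
    """Map the empty markers the appliance prints ('-', '(null)', blank) to None."""
    raw = raw.strip()
    return None if raw in ("", "-", "(null)") else raw

def parse_records(text):
    """Split the output into one dict per job, keyed by the printed field name."""
    jobs, cur = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            cur = {"Malware ID": int(m.group(1)), "Submission ID": int(m.group(2))}
            jobs.append(cur)
            continue
        if cur is None or not line.strip():
            continue
        m = NOCOLON_RE.match(line)
        if m:
            key, raw = m.group(1), m.group(2)
        elif ":" in line:
            key, raw = line.split(":", 1)  # values may contain ':' (URLs, times)
        else:
            continue
        cur[key.strip()] = _value(raw)
    return jobs

def _ts(val):
    return datetime.strptime(val, TIME_FMT) if val else None

def triage(job):
    """Derive a verdict and the numbers an analyst wants from one parsed record."""
    im = (job.get("IM") or "").upper()
    verdict = {"YES": "malicious", "NO": "not-malicious"}.get(im, "unconfirmed")
    start, end = _ts(job.get("Run Start Time")), _ts(job.get("Run End Time"))
    children, events = job.get("Children Malware ID(s)"), job.get("Number of Events")
    return {
        "malware_id": job["Malware ID"],
        "state": job.get("State"),
        "verdict": verdict,
        # Blank IM on a finished job: the appliance could not confirm an attack,
        # which this guide says may call for further forensics.
        "needs_forensics": verdict == "unconfirmed" and job.get("State") == "done",
        "events": int(events) if events is not None else None,
        "run_seconds": int((end - start).total_seconds()) if start and end else None,
        "children": [int(c) for c in children.split(",")] if children else [],
        "parent": int(job["Parent Malware ID"]) if job.get("Parent Malware ID") else None,
    }

def summarize(text):
    return [triage(j) for j in parse_records(text)]

if __name__ == "__main__":
    for row in summarize(SAMPLE_RECORDS):
        print(row)
```

The parser keys on the "Malware ID ... Submission ID ..." header line to start a new record, so the same code handles output with several jobs (a larger limit) and records that omit fields, such as queued jobs that have no Run Start Time yet.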
show malware running Displays the total number of malware analysis jobs that are currently in process and have not completed.
Syntax show malware running
Parameters None
Output Fields The following table describes the output fields for the show malware running command. Fields are listed in the approximate order in which they appear in the output. Field
Description
Malware ID
Specific malware analysis job number.
Submission name
Specific malware submission name.
Total files analyzed
Total number of files that have been analyzed.
Analysis timeout
Number of seconds after which the malware analysis stops if the analysis is not complete.
File type
File type that is associated with the malware analysis job.
Force analyze
Force the AX Series appliance to always submit a malware sample to be analyzed on a VM.
Initial weight
Initial weight is always set to zero for a particular malware sample.
Submission time
Date and time when the malware analysis job was submitted.
Analysis start time
Start time of the analysis.
Example The following example displays the total number of malware analysis jobs that are currently in process and have not yet completed:
hostname # show malware running
Number of malware running : 1
Malware ID 5555
Submission name         : www.google.com
Total files analyzed    : 1
Analysis timeout(s)     : 60
File type               : url
Force analyze           : t
Initial weight          : 0
Submission time         : 2015-09-11 16:33:49.355561
Analysis start time     : 2015-09-11 16:33:50.398915
User Role Administrator, Operator, Monitor, or Analyst
Command Mode Enable
Release Information This command was introduced as follows:
- AX Series: Release 7.5. Command output was enhanced to display the statistics about a specific malware submission job in Release 7.7.
Related Commands For a list of related commands, see AX Series Command Family on page 134.
show malware Displays the statistics about the total number of malware objects that were analyzed. This command displays cumulative statistics such as the total number of malware objects that are in the queue waiting to be analyzed, total number of malware objects that are currently running, total number of malware objects that were submitted for analysis, and the total number of events that were detected. It also shows the total number of objects with each system status type. For more information, refer to the AX Series Threat Management Guide.
Syntax show malware
Parameters None
Output Fields The following table describes the output fields for the show malware command. Fields are listed in the approximate order in which they appear in the output. Field
Description
Total Objects Submitted
Total number of malware objects that were submitted for analysis.
Objects Queued
Total number of malware objects that are in the queue waiting to be analyzed.
Objects Running
Total number of malware objects that are currently being analyzed.
Objects Analyzed
Total number of malware objects that have been analyzed.
Objects identified as Malicious
Total number of malware objects that were detected as malicious.
Total events
Total number of events that were detected.
Objects break down by system status
Total number of objects with each system status type.
Example The following example displays the malware analysis statistics:
hostname # show malware
Total Objects Submitted                    : 1337
Objects Queued                             : 10
Objects Running                            : 2
Objects Analyzed                           : 1325
Objects identified as Malicious            : 1084
  - VM verified                            : 1084
  - Duplicate to VM verified               : 0
  - Known checksum match                   : 1
Total events                               : 5237
  vm-signature-match events                : 585
  os-change-anomaly events                 : 1280
  checksum-match events                    : 2978
  vm-outbound-comm events                  : 394
Objects break down by system status, Total : 1337
  Submitted for VM analysis                : 1268
  Submit Disabled                          : 3
  Invalid                                  : 55
  Static Analysis Only                     : 11
User Role Administrator, Operator, Monitor, or Analyst
Command Mode Enable
Release Information This command was introduced as follows:
- AX Series: Release 7.5. The command output was enhanced to display additional statistics about the total number of malware objects that are in the queue waiting to be analyzed, and the total number of malware objects that are currently being analyzed in Release 7.7.
Related Commands For a list of related commands, see AX Series Command Family on page 134.
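The counters in the show malware summary describe one pipeline: every submitted object is queued, running or analyzed, and the event breakdown and the system-status breakdown each sum to a printed total. A collector that scrapes this output can therefore validate a snapshot before it is trusted in a report or dashboard. The following Python script is an added example rather than FireEye code; SAMPLE_OUTPUT is constructed from the example above, with the indentation of the nested lines assumed.

```python
"""Parse the cumulative `show malware` summary from an AX Series appliance
and check that its counters add up before trusting them in a report.

Added example, not FireEye code. SAMPLE_OUTPUT is constructed from the
example in this reference; the indentation of the nested lines is assumed.
"""
import re

SAMPLE_OUTPUT = """\
Total Objects Submitted                    : 1337
Objects Queued                             : 10
Objects Running                            : 2
Objects Analyzed                           : 1325
Objects identified as Malicious            : 1084
  - VM verified                            : 1084
  - Duplicate to VM verified               : 0
  - Known checksum match                   : 1
Total events                               : 5237
  vm-signature-match events                : 585
  os-change-anomaly events                 : 1280
  checksum-match events                    : 2978
  vm-outbound-comm events                  : 394
Objects break down by system status, Total : 1337
  Submitted for VM analysis                : 1268
  Submit Disabled                          : 3
  Invalid                                  : 55
  Static Analysis Only                     : 11
"""

# "<optional dash> name : integer"; any other line is ignored.
LINE_RE = re.compile(r"^\s*(?:-\s*)?(.+?)\s*:\s*(\d+)\s*$")
EVENT_TYPES = ("vm-signature-match events", "os-change-anomaly events",
               "checksum-match events", "vm-outbound-comm events")
STATUS_TYPES = ("Submitted for VM analysis", "Submit Disabled",
                "Invalid", "Static Analysis Only")

def parse_summary(text):
    """Return {counter name: int} for every 'name : number' line."""
    counters = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            counters[m.group(1)] = int(m.group(2))
    return counters

def check_invariants(c):
    """Return the accounting problems found; an empty list means the snapshot is consistent."""
    problems = []
    pipeline = c["Objects Queued"] + c["Objects Running"] + c["Objects Analyzed"]
    if pipeline != c["Total Objects Submitted"]:
        problems.append(f"queued+running+analyzed={pipeline} but submitted={c['Total Objects Submitted']}")
    events = sum(c.get(k, 0) for k in EVENT_TYPES)
    if events != c["Total events"]:
        problems.append(f"event types sum to {events} but Total events={c['Total events']}")
    by_status = sum(c.get(k, 0) for k in STATUS_TYPES)
    status_total = c["Objects break down by system status, Total"]
    if by_status != status_total:
        problems.append(f"status breakdown sums to {by_status} but its Total={status_total}")
    if c["Objects identified as Malicious"] > c["Objects Analyzed"]:
        problems.append("more malicious objects than analyzed objects")
    return problems

def malicious_ratio(c):
    """Share of analyzed objects flagged malicious (0.0 when nothing has finished)."""
    analyzed = c["Objects Analyzed"]
    return c["Objects identified as Malicious"] / analyzed if analyzed else 0.0

if __name__ == "__main__":
    counters = parse_summary(SAMPLE_OUTPUT)
    print("problems:", check_invariants(counters) or "none")
    print(f"malicious ratio: {malicious_ratio(counters):.1%}")
```

Keying the checks on the printed counter names rather than on line positions keeps the script working when a release adds or reorders a line, and a failed invariant is a sign that the snapshot was taken mid-update or that the scrape was truncated, which is worth knowing before the numbers reach anyone.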
show management interface Description Displays the access control list (ACL) for the management interface.
Syntax show management interface allow
Parameters allow Allowed IP addresses
Example The following example displays the ACL for the management interface. hostname (config) # show management interface allow
show managed-defense vpn connection Use this command to check the status of the VPN connection.
Syntax show managed-defense vpn connection
User Role Admin role
Parameters None
Example show managed-defense vpn connection
Release Information This command was introduced as follows:
- NX Series: Release 7.5.0
- CM Series: Release 7.5.0
- EX Series: Release 7.6.0
- FX Series: Release 7.7.0
- AX Series: Release 7.7.0
- HX Series: Release 3.0
show media disk To display disk configuration for all disks as well as smart and rebuild status, use the show media disk command in configuration mode.
Syntax show media disk
Parameters None
Example The following example shows the disk configuration for four disks. hostname (config) # show media disk 0123
show media disk rebuild Description This command shows the rebuild status on a disk.
Syntax show media disk diskID rebuild
Parameters diskID A number that identifies the disk.
Example The following example shows the rebuild status on disk 0. show media disk 0 rebuild
show media disk smart Description This command shows the smart status on the selected disk.
Syntax show media disk diskID smart
Parameters diskID A number that identifies the disk.
Example The following example shows the smart status on disk 0. show media disk 0 smart
show media usb To display the USB device configuration and status, use the show media usb command in configuration mode.
Syntax show media usb
User Role Admin
Release Information Command was introduced before Release 7.5.0.
Parameters None
Description This command displays the USB device configuration and status about local web access, top-level directory for web access, and whether a USB device is mounted.
Example The following example shows the current USB device configuration and status:
hostname (config) # show media usb
USB auto-mount configuration:
  Enabled:             no
  Local web access:    yes
  Top-level directory: fireeye
USB auto-mount status:
  Device mounted:      no
  Access URL:          N/A
show memory Description Displays the total system memory and the amount currently in use.
Syntax show memory
Parameters None
Example The following example displays the system memory information.
hostname > show memory
Buffers:             166 MB
Cache:               5366 MB
Total Buffers/Cache: 15533 MB
show msm [common] Use this command to show FireEye MTP settings for an MX Series appliance deployed as an MTP Management Appliance.
Syntax show msm [common]
Parameters common
(Optional) Show common MTP management settings.
Examples The following example shows MTP management settings on an MX 900 appliance:
hostname # show msm
MSM Settings:
  Deployment Mode                  : on-premise
  Management Interface setup       : no
  Management Interface Gateway     : 0.0.0.0
  MDM configuration                : no
  DB Min Pool Size                 : 1
  DB Max Pool Size                 : 200
  DB Idle Conn Test Period         : 300
  DB Max Idle Time                 : 600
  URL Base                         : https://mobile.fireeyecloud.com
  MTP Result Refresh Interval      : 86400
  Threat Score for High-Risk App   : 8
  Threat Score for Medium-Risk App : 5
  Max Upload File Size             : 524288000
  Device Auth Validity Period      : 300
The following example shows common MTP management settings on an MX 900 appliance:
hostname # show msm common
MSM Common settings:
  Proxy Traffic Type : split
  Log Period         : 1209600 (shown in secs; code gets in secs; setting in hours)
  Log Level          : ERROR
  Support URL        : csportal.fireeye.com
  Support Email      : [email protected]
  Support Phone      : 1-877-FIREEYE (1-877-347-3393) or (+1) 408-321-6300
  DB Stats:
    Total Size : 357.50 GB
    Used       : 3.820 GB
    Free       : 353.68 GB (98%)
Command Output Fields The following table describes the settings returned by the show msm and show msm common commands. Setting
Description
Deployment Mode
The on-premise setting indicates that the MTP management console is deployed on a FireEye MX Series appliance.
Management Interface Setup
no—Appliance management traffic is not physically segregated to ether2.
yes—Appliance management traffic is physically segregated to ether2.
Default: no
Management Interface Gateway
IP address of the default gateway for ether2. Default: 0.0.0.0
MDM configuration
no—The appliance is not integrated with an MDM server.
yes—The appliance is integrated with an MDM server.
Default: no
DB Min Pool Size
The minimum number of open database connections to maintain.
DB Max Pool Size
The maximum number of open database connections to maintain.
DB Idle Conn Test Period
The maximum number of seconds before an idle connection is tested to keep it alive.
DB Max Idle Time
The maximum number of seconds before an idle database connection closes.
URL Base
The base URL of the Mobile Threat Prevention (MTP) service.
MTP Result Refresh Interval
The time period after which FireEye MTP considers threat analysis data invalid. The default value is 8640 seconds (2 hours). FireEye MTP updates the threat scores for apps installed on a device only if the information in the cache is more than 24 hours old.
Threat Score for High-Risk App
The minimum threat score that an app can receive before it is considered to be a high risk. By default, apps receive a high-risk rating if their threat level is 8-10.
Threat Score for Medium-Risk App
The minimum threat score that an app can receive before it is considered to be a medium risk. By default, apps receive a medium-risk rating if their threat level is 5-7.
Max Upload File Size
The maximum size of apps that can be uploaded and scanned for malware. The default value is 524,288,000 bytes (500 MB).
Device Auth Validity Period
The time window between each API request (such as a refresh, APK upload, or device scan) and the current system time. If the request is within the validity period, the request is accepted; otherwise it is rejected. The default value is 300 seconds (5 minutes).
Log Period
The amount of time before a new log should be started. The default value is 1209600 seconds (336 hours, or 14 days).
Log Level
The minimum level of messages to log. The default value is INFO, which means that FATAL, ERROR, WARN, and INFO messages are logged, but not DEBUG and TRACE messages.
Contact Info
Contact information for FireEye Customer Support.
DB Stats
Information about current database disk usage.
User Role Administrator
Command Mode Enable
Release Information This command was introduced as follows:
- NX Series: FireEye MTP Management Appliance Release 1.1.0.
Related Commands For a list of related commands, see MTP Command Family on page 111.
show mvx cluster enrollment status Displays a sensor's MVX cluster enrollment status.
Syntax show mvx cluster enrollment status
Parameters None
Example The following example displays the output of the show mvx cluster enrollment status command:
nx-1 (config) # show mvx cluster enrollment status
MVX Cluster Enrollment Status
  Enrollment Client :
    Status ok               : yes
    Status description      : enrolled
    Last checked at         : 2016/07/28 20:51:03
  Enrollment Service :
    Auto enabled            : yes
    Service address         : CMS ([email protected] : singleport)
    Preferred cluster       : any (less loaded)
  Broker Info :
    Cluster Name            : Cluster-Acme
    Broker Name             : vx-1
    Broker ID               : 002590F4EE38
    Broker Address          : 10.11.121.12
    Broker State            : Connected
    Failure Reason          : None
    Last Connection Attempt : 2016/07/20 18:15:14
    Connection Last Formed  : 2016/07/20 18:15:14
    Connection Last Broken  :
User Role Administrator, Operator, Monitor, or Analyst
Command Mode Enable
Release Information This command was introduced as follows:
- NX Series: Release 7.9.0 (sensor)
- VX Series: Release 7.9.0 (broker)
Related Commands For a list of related commands, see MVX Cluster Command Family on page 113 and CMC Client Server Command Family on page 73.
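A sensor that has lost its broker silently stops getting objects analyzed, and the enrollment status output above carries the fields needed to notice that: Status ok, Broker State, Failure Reason and the Connection Last Formed and Connection Last Broken timestamps. The following Python script is an added example, not FireEye code. Its HEALTHY input is constructed from the field names in this guide; BROKEN, a sensor whose broker link dropped and did not re-form, is a hypothetical state, and the timestamp layout (YYYY/MM/DD HH:MM:SS) is assumed to match the example.

```python
"""Check a sensor's `show mvx cluster enrollment status` output and report
why it is not able to submit objects to its MVX cluster.

Added example, not FireEye code. HEALTHY is constructed from the field
names in this reference; BROKEN is a hypothetical disconnected state.
"""
from datetime import datetime

HEALTHY = """\
MVX Cluster Enrollment Status
  Enrollment Client :
    Status ok               : yes
    Status description      : enrolled
    Last checked at         : 2016/07/28 20:51:03
  Enrollment Service :
    Auto enabled            : yes
    Preferred cluster       : any (less loaded)
  Broker Info :
    Cluster Name            : Cluster-Acme
    Broker Name             : vx-1
    Broker Address          : 10.11.121.12
    Broker State            : Connected
    Failure Reason          : None
    Last Connection Attempt : 2016/07/20 18:15:14
    Connection Last Formed  : 2016/07/20 18:15:14
    Connection Last Broken  :
"""

# Constructed: the same sensor after its broker link dropped and did not re-form.
BROKEN = (HEALTHY
          .replace(": Connected", ": Disconnected")
          .replace(": None", ": connection refused")
          .replace("Last Broken  :", "Last Broken  : 2016/07/28 20:40:10"))

TS_FMT = "%Y/%m/%d %H:%M:%S"  # assumed from the timestamps in the example

def parse_status(text):
    """Flatten the indented 'Key : value' lines into one dict; empty values are dropped."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if value:  # section headers such as 'Broker Info :' carry no value
            fields[key] = value
    return fields

def _ts(value):
    return datetime.strptime(value, TS_FMT) if value else None

def enrollment_findings(text):
    """Return the reasons this sensor is not analysing through the cluster; [] means healthy."""
    f = parse_status(text)
    findings = []
    if f.get("Status ok") != "yes":
        findings.append(f"enrollment not ok: {f.get('Status description')}")
    if f.get("Broker State") != "Connected":
        findings.append(f"broker {f.get('Broker Name')} is {f.get('Broker State')}: {f.get('Failure Reason')}")
    formed, broken = _ts(f.get("Connection Last Formed")), _ts(f.get("Connection Last Broken"))
    if formed and broken and broken > formed:
        # The link broke after it was last formed, so it has been down since `broken`.
        down = _ts(f["Last checked at"]) - broken
        findings.append(f"broker link down since {f['Connection Last Broken']} "
                        f"({int(down.total_seconds())}s at last check)")
    return findings

if __name__ == "__main__":
    for name, text in (("healthy", HEALTHY), ("broken", BROKEN)):
        print(name, enrollment_findings(text) or "OK")
```

Running this from a monitoring job against each sensor turns a quiet analysis outage into an alert with the broker name, the appliance's own failure reason and how long the link has been down, which is the information needed to decide whether objects seen in that window must be resubmitted.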
show mvx node queuemgr status Displays the status of the MVX engine queue on a broker.
Syntax show mvx node queuemgr status
Parameters None
Example The following example displays the output of the show mvx node queuemgr status command:
vx-1 (config) # show mvx node queuemgr status
QueueMgr Queue Stats:
  Queue Name          : high
  Queue Size          : 0
  Running submissions : 0
  Queue Name          : low
  Queue Size          : 0
  Running submissions : 0
  Queue Name          : normal
  Queue Size          : 0
  Running submissions : 0
  Queue Name          : urgent
  Queue Size          : 0
  Running submissions : 0
QueueMgr Cluster Node Status:
  Ip address : 10.11.121.12
  Running    : true
Output Fields
Field
Description
QueueMgr Queue Stats
Queue Name
Priority of the submissions in the named queue (high, low, normal, or urgent).
Queue Size
Number of submissions in the queue.
Running Submissions
Number of submissions being analyzed.
QueueMgr Cluster Node Status
IP address
IP address of the broker.
Running
Whether the queue process is running on the broker.
User Role Administrator, Operator, Monitor, or Analyst
Command Mode Enable
Release Information This command was introduced as follows:
- VX Series: Release 7.9.
Related Commands For a list of related commands, see MVX Cluster Command Family on page 113 and CMC Client Server Command Family on page 73.
show mvx node status Displays information about the VX Series node in an MVX cluster.
Syntax show mvx node status
Parameters None
Example The following example displays the output of the show mvx node status command:
vx-1 (config) # show mvx node status
MVX Cluster: Node Status
  Broker Role:
    Enabled              : yes
    Ready                : yes
    SSH port             : 22
    Submission Interface : ether1
    Cluster Interface    : ether1
    Key Hash             : f4:5e:4a:c9:ef:56:86:5e:1e:68:[...]
  Health Information:
    Overall Status Ok    : yes
    Overall Status Desc  : healthy
  Sensor information:
    Number of connected sensors : 2
    Sensor ID list:
      Sensor ID       : 0025905C273E
      Sensor Hostname : nx-2
      Sensor Address  : 12.34.56.78
      Sensor ID       : 002590AEE8XX
      Sensor Hostname : nx-1
      Sensor Address  : 171.88.76.54
  Node information:
    Cluster Name            : Cluster-Acme
    Broker Name             : vx-1 (self)
    Broker ID               : 002590F4EEXX (self)
    Broker Address          : 12.34.56.79 (self)
    Broker State            : N/A
    Failure Reason          : N/A
    Last Connection Attempt : N/A
    Connection Last Formed  : N/A
    Connection Last Broken  : N/A
Sensor information is only displayed on broker nodes.
User Role Administrator, Operator, or Monitor
Command Mode Enable
Release Information This command was introduced as follows:
- VX Series: Release 7.9.
Related Commands For a list of related commands, see MVX Cluster Command Family on page 113 and CMC Client Server Command Family on page 73.
show mvx node status full Displays detailed information about the VX Series node in an MVX cluster.
Syntax show mvx node status full
Parameters None
Example The following example displays the output of the show mvx node status full command:
vx-1 (config) # show mvx node status full
MVX Cluster: Node Status
  Broker Role:
    Enabled              : yes
    Ready                : yes
    SSH port             : 22
    Submission Interface : ether1
    Cluster Interface    : ether1
    Key Hash             : f4:5e:4a:c9:ef:56:86:5e:1e:68:dc:[...]
  Health Information:
    Overall Status Ok    : yes
    Overall Status Desc  : healthy
  Detailed Health Information:
    CCD Ok                 : yes.
    MvxClient Ok           : yes. Healthy
    Guest Images Ok        : yes. Installed
    Notification Client Ok : yes. Healthy
    WSAPI Ok               : yes. Running
    Queuemgr Ok            : yes. Healthy
  Sensor information:
    Number of connected sensors : 2
    Sensor ID list:
      Sensor ID       : 0025905C273E
      Sensor Hostname : nx-2
      Sensor Address  : 10.13.65.14
      Sensor ID       : 002590AEE884
      Sensor Hostname : nx-1
      Sensor Address  : 172.17.74.50
  Node information:
    Cluster Name            : Cluster-Acme
    Broker Name             : vx-1 (self)
    Broker ID               : 002590F4EE38 (self)
    Broker Address          : 10.11.121.12 (self)
    Broker State            : N/A
    Failure Reason          : N/A
    Last Connection Attempt : N/A
    Connection Last Formed  : N/A
    Connection Last Broken  : N/A
Sensor information is only displayed on broker nodes.
User Role Administrator, Operator, Monitor, or Analyst
Command Mode Enable
Release Information This command was introduced as follows:
- VX Series: Release 7.9.
Related Commands For a list of related commands, see MVX Cluster Command Family on page 113 and CMC Client Server Command Family on page 73.
show mvx status Displays information about the NX Series sensor in an MVX cluster.
Syntax show mvx status
Parameters None
Output Fields The following table describes the output fields for the show mvx status command.
Field
Description
Sensor Config Enabled
Whether the NX Series appliance is enabled as a sensor.
Current Operating Mode
Current operating mode (for example, "sensor")
Mode Reboot Required
Whether you need to reload the appliance after changing the operating mode for the change to take effect.
Submission Interface
Name of the interface used for communication between the sensor and broker.
Modes Supported
Operating mode for this NX Series model: l
mvx configurable—The appliance has an MVX analysis engine. It
can operate as an integrated appliance, in which its own MVX engine performs the analysis. It can also be converted to sensor mode, in which it submits objects to an MVX cluster instead of its own MVX engine. l
mvx sensor-only—The appliance has no MVX engine engine, and
must submit objects to an MVX cluster for analysis. l
mvx integrated-only—The appliance cannot submit objects to an
MVX cluster and must use its own MVX engine for analysis. Virtual Model
Whether this is a virtual NX Series appliance model.
Virtual System
Whether this is a virtual NX Series software image.
WSAPI Current The state of the Web services API process (running or not running) State
Example The following example shows the status of a virtual sensor. vNX-4 # show mvx status MVX Mode Status: Sensor Config Enabled: yes Current Operating Mode: sensor Mode Reboot Required: no Submission Interface: ether1 Modes Supported: mvx sensor-only Virtual Model: yes Virtual System: yes WSAPI Current State: running
The following example shows the status of a physical integrated NX Series appliance that was converted to a sensor.
© 2016 FireEye
1807
CLI Reference Guide
PART III: Commands
nx-06 # show mvx status MVX Mode Status: Sensor Config Enabled: yes Current Operating Mode: sensor Mode Reboot Required: no Submission Interface: ether1 Modes Supported: mvx configurable Virtual Model: no Virtual System: no WSAPI Current State: running
User Role Administrator, Operator, or Monitor
Command Mode Enable
Release Information This command was introduced as follows: l
NX Series: Release 7.9.
Related Commands For a list of related commands, see MVX Cluster Command Family on page 113.
show mvx submission
Displays summary statistics about all submissions that the cluster processed.

Syntax
show mvx submission

Parameters
None

Example
The following example displays the output of the show mvx submission command:

vx-1 (config) # show mvx submission
Runtime Cluster Stats:
  Total queued                : 0
  Total running               : 0
  Cluster Utilization         : 0%
MVX Submission Stats:
  Total urls                  : 0
  Total files                 : 0
  Total submissions           : 0
  Completed submissions       : 0
  Malicious submissions count : 0

User Role
Administrator, Operator, or Monitor

Command Mode
Enable

Release Information
This command was introduced as follows:
- VX Series: Release 7.9.

Related Commands
For a list of related commands, see MVX Submission Command Family on page 115.
show mvx submission done
Displays analysis results for all submissions that the cluster processed.

Syntax
show mvx submission done

Parameters
None

Example
The following example displays the output of the show mvx submission done command:

vx-1 (config) # show mvx submission done
Sensor ID       : 002590AEE884
UUID            : 0352fc18-5b43-4e47-9a69-0d7557a00fe0
Insert Time     : 2016-07-15T22:35:22.45537
Start Time      : 2016-07-15T22:35:23.420921
Complete Time   : 2016-07-15T22:35:23.420921
Error Code      : TIMEOUT
Sensor Sub ID   : 14957
Malicious       : NO
Riskware        : NO
Files Analyzed  : 0
Overall Weight  : 0

Sensor ID       : 002590AEE884
UUID            : d5817f6f-d015-4aee-8f6e-3d7c4052d488
Insert Time     : 2016-07-15T22:35:18.432967
Start Time      : 2016-07-15T22:35:19.323333
Complete Time   : 2016-07-15T22:35:19.323333
Error Code      : TIMEOUT
Sensor Sub ID   : 14956
Malicious       : NO
Riskware        : NO
Files Analyzed  : 0
Overall Weight  : 0
...

Output Fields
The following table describes the output fields of the show mvx submission command family. The first eight fields (Total queued through Malicious submissions) appear in the summary output of show mvx submission, show mvx submission from ... to, and show mvx submission since. The remaining fields appear, in approximately the order listed, in the per-submission output of show mvx submission done, limit, malicious, md5sum, sha256, and uuid; the fields from Analysis Object Name onward are repeated for each file analyzed in a submission.

Total queued
    Total number of submissions in the MVX engine queue on a broker waiting to be analyzed by a compute node.
Total running
    Total number of submissions that are currently running.
Cluster utilization
    Cluster utilization, displayed as a percentage of capacity.
Total urls
    Total number of URL submissions.
Total files
    Total number of file submissions.
Total submissions
    Total number of submissions.
Completed submissions
    Total number of submissions that completed analysis.
Malicious submissions
    Total number of submissions that were detected as malicious.
Sensor ID
    Appliance ID of the sensor that submitted the object.
UUID
    Universally unique identifier of the submission.
Insert Time
    Date and time the submission was added to the MVX engine queue on the broker.
Start Time
    Date and time the analysis began.
Complete Time
    Date and time the analysis ended.
Error Code
    Status of the analysis (for example, SUCCESS, TIMEOUT, STATIC_ANALYSIS_ONLY, and so on). Treat a Malicious value of NO as a completed verdict only when the Error Code is SUCCESS; TIMEOUT and STATIC_ANALYSIS_ONLY indicate that the analysis did not run to completion.
Sensor Sub ID
    Submission ID that the sensor assigned to the submission.
Malicious
    Whether the submission was detected as malicious.
Riskware
    Whether the submission was detected as riskware.
Files Analyzed
    Number of files in the submission.
Overall Weight
    Weight assigned to the submission based on a set of rules and on what the MVX engine detected during analysis.
Analysis Object Name
    Name of the file that was analyzed.
SHA256
    SHA-256 checksum of the file that was analyzed.
MD5SUM
    MD5 checksum of the file that was analyzed.
File Type
    Type of file that was analyzed.
Static Analysis Weight
    Weight assigned to the static analysis job on the object.
Dynamic Analysis Weight
    Weight assigned to the dynamic analysis job on the object.
Child
    Whether the object was contained in another object, such as a PDF file inside a ZIP file.

User Role
Administrator, Operator, or Monitor

Command Mode
Enable

Release Information
This command was introduced as follows:
- VX Series: Release 7.9.

Related Commands
For a list of related commands, see MVX Submission Command Family on page 115.
show mvx submission done limit
Displays analysis results for a specified number of submissions that the cluster processed.

Syntax
show mvx submission done limit <number>

Parameters
number
    The number of submissions to display.

Example
The following example displays the output of the show mvx submission done limit command:

vx-1 (config) # show mvx submission done limit 2
Sensor ID       : 002590AEE8XX
UUID            : 0352fc18-5b43-4e47-9a69-0d7557a00fe0
Insert Time     : 2016-07-15T22:35:22.45537
Start Time      : 2016-07-15T22:35:23.420921
Complete Time   : 2016-07-15T22:35:23.420921
Error Code      : TIMEOUT
Sensor Sub ID   : 14957
Malicious       : NO
Riskware        : NO
Files Analyzed  : 0
Overall Weight  : 0

Sensor ID       : 002590AEE8XX
UUID            : d5817f6f-d015-4aee-8f6e-3d7c4052d488
Insert Time     : 2016-07-15T22:35:18.432967
Start Time      : 2016-07-15T22:35:19.323333
Complete Time   : 2016-07-15T22:35:19.323333
Error Code      : TIMEOUT
Sensor Sub ID   : 14956
Malicious       : NO
Riskware        : NO
Files Analyzed  : 0
Overall Weight  : 0

User Role
Administrator, Operator, or Monitor

Command Mode
Enable

Release Information
This command was introduced as follows:
- VX Series: Release 7.9.

Related Commands
For a list of related commands, see MVX Submission Command Family on page 115.
show mvx submission from to
Displays statistics for submissions that the MVX cluster processed over a specified time period.

Syntax
show mvx submission from <start-date> <start-time> to <end-date> <end-time>

Parameters
start-date
    Start date in yyyy/mm/dd format (for example, 2016/07/01).
start-time
    Start time in hh:mm:ss format (for example, 12:00:00).
end-date
    End date in yyyy/mm/dd format.
end-time
    End time in hh:mm:ss format.

Example
The following example shows statistics for submissions that the MVX cluster processed from July 1, 2016 to July 8, 2016:

vx-1 # show mvx submission from 2016/07/01 12:00:00 to 2016/07/08 12:00:00
Runtime Cluster Stats:
  Total queued                : 0
  Total running               : 3
  Cluster Utilization         : 2%
MVX Submission Stats:
  Total urls                  : 0
  Total files                 : 289
  Total submissions           : 1216
  Completed submissions       : 1505
  Malicious submissions count : 8

User Role
Administrator, Operator, or Monitor

Command Mode
Enable

Release Information
This command was introduced as follows:
- VX Series: Release 7.9.

Related Commands
For a list of related commands, see MVX Submission Command Family on page 115.
show mvx submission limit
Displays analysis results for the most recent specified number of submissions that the cluster processed.

Syntax
show mvx submission limit <number>

Parameters
number
    The number of submissions to display.

Example
The following example shows the analysis results for the two most recent submissions.

vx-1 # show mvx submission limit 2
Sensor ID       : 001XXX...
UUID            : 289XXXX-XXXX...
Insert time     : 2016-07-15T22:35:22.45537
Start time      : 2016-07-15T22:35:23.420921
Complete time   : 2016-07-15T22:35:23.420921
Error Code      : SUCCESS
Sensor Sub ID   : 2076
Malicious       : NO
Riskware        : NO
Files Analyzed  : 1
Overall weight  : 0

Sensor ID       : 002XXX...
UUID            : 364XXXX-XXXX...
Insert time     : 2016-07-11T22:26:47.814274
Start time      : 2016-07-11T22:17:38.337658
Complete time   : 2016-07-11T22:17:34.412521
Error Code      : STATIC_ANALYSIS_ONLY
Sensor Sub ID   : 2073
Malicious       : NO
Riskware        : NO
Files Analyzed  : 2
Overall weight  : 0

User Role
Administrator, Operator, or Monitor

Command Mode
Enable

Release Information
This command was introduced as follows:
- VX Series: Release 7.9.

Related Commands
For a list of related commands, see MVX Submission Command Family on page 115.
show mvx submission malicious
Displays analysis results for malicious submissions that the cluster processed.

Syntax
show mvx submission malicious

Parameters
None

Example
The following example displays the output of the show mvx submission malicious command:

vx-1 (config) # show mvx submission malicious
Sensor ID                : 002590AEEXXX
UUID                     : a320796a-15bd-40dc-8ac9-XXX
Insert Time              : 2016-07-15T20:41:40.429715
Start Time               : 2016-07-15T20:32:30.642866
Complete Time            : 2016-07-15T20:32:25.351821
Error Code               : STATIC_ANALYSIS_ONLY
Sensor Sub ID            : 14405
Malicious                : YES
Riskware                 : NO
Files Analyzed           : 1
Overall Weight           : 100
Analysis Object Name     : watch.exe
Start Time               : 2016-07-15T20:32:25.351821
SHA256                   : 483f85e90d93779XXXXXXX
MD5SUM                   : f422a0f9cd67c465aXXXXX
File Type                : exe
Static Analysis Weight   : 100
Dynamic Analysis Weight  : 100
Child                    : NO
...

User Role
Administrator, Operator, or Monitor

Command Mode
Enable

Release Information
This command was introduced as follows:
- VX Series: Release 7.9.

Related Commands
For a list of related commands, see MVX Submission Command Family on page 115.
show mvx submission malicious limit
Displays analysis results for the most recent specified number of malicious submissions that the cluster processed.

Syntax
show mvx submission malicious limit <number>

Parameters
number
    Number of malicious submissions to display.

Example
The following example displays the output of the show mvx submission malicious limit command:

vx-1 (config) # show mvx submission malicious limit 2
Sensor ID                : 002590AEEXXX
UUID                     : a320796a-15bd-40dc-8ac9-XXX
Insert Time              : 2016-07-15T20:41:40.429715
Start Time               : 2016-07-15T20:32:30.642866
Complete Time            : 2016-07-15T20:32:25.351821
Error Code               : STATIC_ANALYSIS_ONLY
Sensor Sub ID            : 14405
Malicious                : YES
Riskware                 : NO
Files Analyzed           : 1
Overall Weight           : 100
Analysis Object Name     : watch.exe
Start Time               : 2016-07-15T20:32:25.351821
SHA256                   : 483f85e90d93779XXXXXXX
MD5SUM                   : f422a0f9cd67c465aXXXXX
File Type                : exe
Static Analysis Weight   : 100
Dynamic Analysis Weight  : 100
Child                    : NO

Sensor ID                : 002590AEE884
UUID                     : 1423efb2-d14b-4384-9a16-d61ec4178bd9
Insert Time              : 2016-07-15T12:29:48.596171
Start Time               : 2016-07-15T12:21:55.948208
...

User Role
Administrator, Operator, or Monitor

Command Mode
Enable

Release Information
This command was introduced as follows:
- VX Series: Release 7.9.

Related Commands
For a list of related commands, see MVX Submission Command Family on page 115.
show mvx submission md5sum
Displays analysis results for submissions with the specified MD5 hash.

Syntax
show mvx submission md5sum <md5sum>

Parameters
md5sum
    MD5 hash of the analyzed object.

Example
The following example displays the output of the show mvx submission md5sum command:

vx-1 (config) # show mvx submission md5sum f422a0f9cd67c465a963610e74f5XXXX
Sensor ID                : 002590AEE884
UUID                     : 0352fc18-5b43-4e47-9a69-0d75XXXX
Insert Time              : 2016-07-15T22:35:22.45537
Start Time               : 2016-07-15T22:35:23.420921
Complete Time            : 2016-07-15T22:35:23.420921
Error Code               : STATIC_ANALYSIS_ONLY
Sensor Sub ID            : 149XX
Malicious                : NO
Riskware                 : NO
Files Analyzed           : 0
Overall Weight           : 100
Analysis Object Name     : watch.exe
Start Time               : 2016-07-15T20:32:25.351821
SHA256                   : 483f85e90d937792459e681e4798913d1001630d77d4[...]
MD5SUM                   : f422a0f9cd67c465a963610e74XXX
File Type                : exe
Static Analysis Weight   : 100
Dynamic Analysis Weight  : 100
Child                    : NO
...

User Role
Administrator, Operator, or Monitor

Command Mode
Enable

Release Information
This command was introduced as follows:
- VX Series: Release 7.9.

Related Commands
For a list of related commands, see MVX Submission Command Family on page 115.
show mvx submission md5sum limit
Displays analysis results for the specified number of submissions with the specified MD5 hash.

Syntax
show mvx submission md5sum <md5sum> limit <number>

Parameters
md5sum
    MD5 hash of the analyzed object.
number
    The number of submissions to display.

Example
The following example displays the output of the show mvx submission md5sum limit command:

vx-1 (config) # show mvx submission md5sum f422a0f9cd67c465a963610e74f5XXXX limit 2
Sensor ID                : 002590AEE884
UUID                     : 0352fc18-5b43-4e47-9a69-0d75XXXX
Insert Time              : 2016-07-15T22:35:22.45537
Start Time               : 2016-07-15T22:35:23.420921
Complete Time            : 2016-07-15T22:35:23.420921
Error Code               : STATIC_ANALYSIS_ONLY
Sensor Sub ID            : 149XX
Malicious                : NO
Riskware                 : NO
Files Analyzed           : 0
Overall Weight           : 100
Analysis Object Name     : watch.exe
Start Time               : 2016-07-15T20:32:25.351821
SHA256                   : 483f85e90d937792459e681e4798913d1001630d77d4[...]
MD5SUM                   : f422a0f9cd67c465a963610e74XXX
File Type                : exe
Static Analysis Weight   : 100
Dynamic Analysis Weight  : 100
Child                    : NO
...

User Role
Administrator, Operator, or Monitor

Command Mode
Enable

Release Information
This command was introduced as follows:
- VX Series: Release 7.9.

Related Commands
For a list of related commands, see MVX Submission Command Family on page 115.
show mvx submission sensor-id {<sensor-id> | ALL}
Displays submission information for the specified sensor, or for all sensors.

Syntax
show mvx submission sensor-id {<sensor-id> | ALL}

Parameters
sensor-id
    Appliance ID of the sensor.
ALL
    Specifies all sensors.

Example
The following example displays the output of the show mvx submission sensor-id ALL command:

vx-1 (config) # show mvx submission sensor-id ALL

User Role
Administrator, Operator, or Monitor

Command Mode
Enable

Release Information
This command was introduced as follows:
- VX Series: Release 7.9.

Related Commands
For a list of related commands, see MVX Submission Command Family on page 115.
show mvx submission sha256
Displays analysis results for submissions with the specified SHA256 hash.

Syntax
show mvx submission sha256 <sha256>

Parameters
sha256
    SHA256 hash of the analyzed object.

Example
The following example displays the output of the show mvx submission sha256 command:

vx-1 (config) # show mvx submission sha256 483f85e90d937792459e681e4798913d100XXXX
Sensor ID                : 002590AEE884
UUID                     : 0352fc18-5b43-4e47-9a69-0d75XXXX
Insert Time              : 2016-07-15T22:35:22.45537
Start Time               : 2016-07-15T22:35:23.420921
Complete Time            : 2016-07-15T22:35:23.420921
Error Code               : STATIC_ANALYSIS_ONLY
Sensor Sub ID            : 149XX
Malicious                : NO
Riskware                 : NO
Files Analyzed           : 0
Overall Weight           : 100
Analysis Object Name     : watch.exe
Start Time               : 2016-07-15T20:32:25.351821
SHA256                   : 483f85e90d937792459e681e4798913d100[...]
MD5SUM                   : f422a0f9cd67c465a963610e74XXX
File Type                : exe
Static Analysis Weight   : 100
Dynamic Analysis Weight  : 100
Child                    : NO
...

User Role
Administrator, Operator, or Monitor

Command Mode
Enable

Release Information
This command was introduced as follows:
- VX Series: Release 7.9.

Related Commands
For a list of related commands, see MVX Submission Command Family on page 115.
show mvx submission sha256 limit
Displays analysis results for the specified number of submissions with the specified SHA256 hash.

Syntax
show mvx submission sha256 <sha256> limit <number>

Parameters
sha256
    SHA256 hash of the analyzed object.
number
    The number of submissions to display.

Example
The following example displays the output of the show mvx submission sha256 limit command:

vx-1 (config) # show mvx submission sha256 483f85e90d937792459e681e4798913d100XXXX limit 2
Sensor ID                : 002590AEE884
UUID                     : 0352fc18-5b43-4e47-9a69-0d75XXXX
Insert Time              : 2016-07-15T22:35:22.45537
Start Time               : 2016-07-15T22:35:23.420921
Complete Time            : 2016-07-15T22:35:23.420921
Error Code               : STATIC_ANALYSIS_ONLY
Sensor Sub ID            : 149XX
Malicious                : NO
Riskware                 : NO
Files Analyzed           : 0
Overall Weight           : 100
Analysis Object Name     : watch.exe
Start Time               : 2016-07-15T20:32:25.351821
SHA256                   : 483f85e90d937792459e681e4798913d100[...]
MD5SUM                   : f422a0f9cd67c465a963610e74XXX
File Type                : exe
Static Analysis Weight   : 100
Dynamic Analysis Weight  : 100
Child                    : NO
...

User Role
Administrator, Operator, or Monitor

Command Mode
Enable

Release Information
This command was introduced as follows:
- VX Series: Release 7.9.

Related Commands
For a list of related commands, see MVX Submission Command Family on page 115.
show mvx submission since
Displays statistics for submissions that the MVX cluster processed since a specified time in the past.

Syntax
show mvx submission since <days> days
show mvx submission since <days> days <hours> hours
show mvx submission since <days> days <hours> hours <minutes> minutes
show mvx submission since <days> days <hours> hours <minutes> minutes <seconds> seconds
show mvx submission since <hours> hours
show mvx submission since <hours> hours <minutes> minutes
show mvx submission since <hours> hours <minutes> minutes <seconds> seconds
show mvx submission since <minutes> minutes
show mvx submission since <minutes> minutes <seconds> seconds
show mvx submission since <seconds> seconds

In this command, the parameter values precede the keywords.

Parameters
days
    Number of days.
hours
    Number of hours.
minutes
    Number of minutes.
seconds
    Number of seconds.

Example
The following example shows statistics for submissions the MVX cluster processed since 5 days, 6 hours, 31 minutes, and 49 seconds ago:

vx-1 (config) # show mvx submission since 5 days 6 hours 31 minutes 49 seconds
Runtime Cluster Stats:
  Total queued                : 7
  Total running               : 0
  Cluster Utilization         : 0%
MVX Submission Stats:
  Total urls                  : 0
  Total files                 : 3
  Total submissions           : 8
  Completed submissions       : 8
  Malicious submissions count : 1

User Role
Administrator, Operator, or Monitor

Command Mode
Enable

Release Information
This command was introduced as follows:
- VX Series: Release 7.9.

Related Commands
For a list of related commands, see MVX Submission Command Family on page 115.
show mvx submission tenant-id
Displays submission information for a specific tenant.

Syntax
show mvx submission tenant-id <tenant-id>

Parameters
tenant-id
    ID of the tenant.

Example
The following example displays the output of the show mvx submission tenant-id command:

vx-1 (config) # show mvx submission tenant-id

User Role
Administrator, Operator, or Monitor

Command Mode
Enable

Release Information
This command was introduced as follows:
- VX Series: Release 7.9.

Related Commands
For a list of related commands, see MVX Submission Command Family on page 115.
show mvx submission uuid
Displays analysis results for the submission with the specified universally unique identifier (UUID).

Syntax
show mvx submission uuid <uuid>

Parameters
uuid
    The UUID of the submission.

Example
The following example displays the output of the show mvx submission uuid command:

vx-1 (config) # show mvx submission uuid d5817f6f-d015-4aee-8f6e-3d7c405XX
Sensor ID       : 002590XX884
UUID            : d5817f6f-d015-4aee-8f6e-3d7c405XX
Insert Time     : 2016-07-15T22:35:18.432967
Start Time      : 2016-07-15T22:35:19.323333
Complete Time   : 2016-07-15T22:35:19.323333
Error Code      : TIMEOUT
Sensor Sub ID   : 14956
Malicious       : NO
Riskware        : NO
Files Analyzed  : 0
Overall Weight  : 0

User Role
Administrator, Operator, or Monitor

Command Mode
Enable

Release Information
This command was introduced as follows:
- VX Series: Release 7.9.

Related Commands
For a list of related commands, see MVX Submission Command Family on page 115.
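The per-submission records printed by show mvx submission done, limit, malicious, md5sum, sha256, and uuid share one layout, so one parser covers the whole family. The following Python script is an added example and is not FireEye code. It assumes only the record shape shown in the examples above: one Field : value pair per line, a new record at each Sensor ID line, and a new analyzed object at each Analysis Object Name line. The sample text it reads is constructed for the example, and its SHA256 and MD5SUM values are placeholders, not real hashes. Treating any Error Code other than SUCCESS as an inconclusive verdict is the example's own triage policy, not a FireEye definition.

```python
"""Parse and triage the per-submission output of the FireEye CLI commands
show mvx submission done | limit | malicious | md5sum | sha256 | uuid.

Added example; not FireEye code. Assumes only the record layout shown in
the guide's examples. SAMPLE is constructed and its hashes are fake.
"""
import re
from collections import Counter

RECORD_START = "Sensor ID"
OBJECT_START = "Analysis Object Name"
# The key is letters, digits and spaces; the first ':' after it separates
# the value, so timestamps (which themselves contain ':') survive intact.
LINE_RE = re.compile(r"^\s*(?P<key>[A-Za-z0-9 ]+?)\s*:\s*(?P<value>.*?)\s*$")

# Constructed sample in the guide's format (placeholder hashes).
SAMPLE = """\
vx-1 (config) # show mvx submission done
Sensor ID                : 002590AEE884
UUID                     : 0352fc18-5b43-4e47-9a69-0d7557a00fe0
Insert Time              : 2016-07-15T22:35:22.45537
Start Time               : 2016-07-15T22:35:23.420921
Complete Time            : 2016-07-15T22:35:23.420921
Error Code               : TIMEOUT
Sensor Sub ID            : 14957
Malicious                : NO
Riskware                 : NO
Files Analyzed           :0
Overall Weight           :0
Sensor ID                : 002590AEE884
UUID                     : a320796a-15bd-40dc-8ac9-000000000000
Insert Time              : 2016-07-15T20:41:40.429715
Start Time               : 2016-07-15T20:32:30.642866
Complete Time            : 2016-07-15T20:32:25.351821
Error Code               : STATIC_ANALYSIS_ONLY
Sensor Sub ID            : 14405
Malicious                : YES
Riskware                 : NO
Files Analyzed           : 1
Overall Weight           : 100
Analysis Object Name     : watch.exe
Start Time               : 2016-07-15T20:32:25.351821
SHA256                   : 1111111111111111111111111111111111111111111111111111111111111111
MD5SUM                   : 22222222222222222222222222222222
File Type                : exe
Static Analysis Weight   : 100
Dynamic Analysis Weight  : 100
Child                    : NO
...
"""


def parse_submissions(text):
    """Return a list of records; each record carries an 'objects' list with
    one dict per analyzed file (Start Time inside an object belongs to it)."""
    records, record, obj = [], None, None
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # prompt, blank lines and '...' truncation markers
        key, value = m.group("key"), m.group("value")
        if key == RECORD_START:
            record, obj = {"objects": []}, None
            records.append(record)
        elif record is None:
            continue  # stray field before the first record
        elif key == OBJECT_START:
            obj = {}
            record["objects"].append(obj)
        (obj if obj is not None else record)[key] = value
    return records


def classify(record):
    """Verdict bucket. YES verdicts win; a NO verdict counts as 'clean' only
    when the Error Code is SUCCESS (assumption: anything else is inconclusive)."""
    if record.get("Malicious") == "YES":
        return "malicious"
    if record.get("Riskware") == "YES":
        return "riskware"
    if record.get("Error Code", "") != "SUCCESS":
        return "inconclusive"
    return "clean"


def triage(records):
    """Count of records per verdict bucket."""
    return Counter(classify(r) for r in records)


def needs_attention(records):
    """Non-clean records, heaviest Overall Weight first."""
    picked = [r for r in records if classify(r) != "clean"]
    return sorted(picked, key=lambda r: int(r.get("Overall Weight", "0")), reverse=True)


def find_by_hash(records, digest):
    """(UUID, object name) for each analyzed object whose MD5 or SHA-256
    equals digest; the same lookup as show mvx submission md5sum | sha256."""
    digest = digest.lower()
    return [
        (rec.get("UUID"), o.get("Analysis Object Name"))
        for rec in records
        for o in rec["objects"]
        if digest in (o.get("MD5SUM", "").lower(), o.get("SHA256", "").lower())
    ]


if __name__ == "__main__":
    recs = parse_submissions(SAMPLE)
    print(dict(triage(recs)))
    for r in needs_attention(recs):
        names = [o["Analysis Object Name"] for o in r["objects"]]
        print(r["UUID"], classify(r), r["Error Code"], names)
```

Paste the CLI output into a file and pass its contents to parse_submissions; needs_attention then lists the malicious, riskware and unfinished submissions with the heaviest first, and find_by_hash answers the same question as show mvx submission md5sum or sha256 without another trip to the appliance.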
show netwitness analysis
Displays whether the integration with the RSA NetWitness packet analyzer application is enabled. If it is enabled, the integration can be configured on the Settings: Forensics page in the Web UI.

Syntax
show netwitness analysis

Parameters
None

Example
The following example displays the current forensic analysis status for NetWitness integration.

hostname # show netwitness analysis
Netwitness Analysis Enabled: yes

User Role
Administrator, Monitor, or Operator

Command Mode
Enable

Release Information
This command was introduced as follows:
- NX Series: Before Release 7.5.

Related Commands
For a list of related commands, see Forensic Analysis Command Family on page 94.
show network
Displays network statistics or traffic information.

Syntax
show network {stats | traffic}

Parameters
stats
    Displays network statistics, such as number of packets and number of bytes.
traffic
    Displays network traffic information per protocol.

Example
The following example displays the network statistical information.

hostname # show network stats
                <packets>/<bytes> (GiB, byte %age)
Total        : 2691380891/2158410457425 (2010.176 GiB)
Non-Ethernet : 0/0 (0.000 GiB)
VLAN Tagged  : 0/0 (0.000 GiB)
Ethernet     : 2691380891/2158410457425 (2010.176 GiB)
Other IP     : 0/0 (0.000 GiB)
ARP          : 0/0 (0.000 GiB)
Others       : 0/0 (0.000 GiB)
IPv4         : 2691380891/2158410457425 (2010.176 GiB) [Fragments: 0/0 (0.000 GiB)]
TCP          : 2691380891 (100.00%)/2158410457425 (2010.176 GiB, 100.00%)
HTTP         : 2690661077 (99.97%)/2157932179629 (2009.731 GiB, 99.98%)
HTTPS        : 3355 (0.00%)/782071 (0.001 GiB, 0.00%)
SSH          : 90 (0.00%)/38312 (0.000 GiB, 0.00%)
SMTP         : 22943 (0.00%)/3020345 (0.003 GiB, 0.00%)
POP          : 0 (0.00%)/0 (0.000 GiB, 0.00%)
IMAP         : 0 (0.00%)/0 (0.000 GiB, 0.00%)
SMB          : 64 (0.00%)/8871 (0.000 GiB, 0.00%)
RPC          : 0 (0.00%)/0 (0.000 GiB, 0.00%)
UDP          : 0 (0.00%)/0 (0.000 GiB, 0.00%)
DNS          : 0 (0.00%)/0 (0.000 GiB, 0.00%)
ICMP         : 0 (0.00%)/0 (0.000 GiB, 0.00%)
GRE          : 0 (0.00%)/0 (0.000 GiB, 0.00%)
IPv6         : 0/0 (0.000 GiB)
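A quick way to tell whether the span or tap feeding the appliance carries what you expect is to parse show network stats and look for counters that should never be zero on a live segment. The following Python script is an added example and is not FireEye code; it assumes only the line shape in the example above (NAME : packets[ (pct%)]/bytes (n GiB[, pct%])). Its sample is the example output reproduced as constructed text, and the list of counters expected to be non-zero (ARP, UDP, DNS, ICMP) is the example's own assumption, to be tuned for the segment being monitored.

```python
"""Parse 'show network stats' from an NX Series appliance and sanity-check
the traffic mix the monitoring interface delivers.

Added example, not FireEye code. It assumes only the line shape in the
guide's example: NAME : <packets>[ (pct%)]/<bytes> (<n> GiB[, pct%]).
SAMPLE is the guide's example output, reproduced as constructed text.
"""
import re

LINE_RE = re.compile(
    r"^\s*(?P<name>[A-Za-z0-9 -]+?)\s*:\s*(?P<pkts>\d+)(?:\s*\([\d.]+%\))?/(?P<bytes>\d+)"
)

# Assumption: on a production span these counters are never zero. A zero
# usually means the tap, SPAN filter or VLAN selection drops that traffic,
# not that the segment has no ARP, DNS or ICMP. Tune per segment.
EXPECTED_NONZERO = ("ARP", "UDP", "DNS", "ICMP")

SAMPLE = """\
Total        : 2691380891/2158410457425 (2010.176 GiB)
Non-Ethernet : 0/0 (0.000 GiB)
VLAN Tagged  : 0/0 (0.000 GiB)
Ethernet     : 2691380891/2158410457425 (2010.176 GiB)
Other IP     : 0/0 (0.000 GiB)
ARP          : 0/0 (0.000 GiB)
Others       : 0/0 (0.000 GiB)
IPv4         : 2691380891/2158410457425 (2010.176 GiB) [Fragments: 0/0 (0.000 GiB)]
TCP          : 2691380891 (100.00%)/2158410457425 (2010.176 GiB, 100.00%)
HTTP         : 2690661077 (99.97%)/2157932179629 (2009.731 GiB, 99.98%)
HTTPS        : 3355 (0.00%)/782071 (0.001 GiB, 0.00%)
SSH          : 90 (0.00%)/38312 (0.000 GiB, 0.00%)
SMTP         : 22943 (0.00%)/3020345 (0.003 GiB, 0.00%)
POP          : 0 (0.00%)/0 (0.000 GiB, 0.00%)
IMAP         : 0 (0.00%)/0 (0.000 GiB, 0.00%)
SMB          : 64 (0.00%)/8871 (0.000 GiB, 0.00%)
RPC          : 0 (0.00%)/0 (0.000 GiB, 0.00%)
UDP          : 0 (0.00%)/0 (0.000 GiB, 0.00%)
DNS          : 0 (0.00%)/0 (0.000 GiB, 0.00%)
ICMP         : 0 (0.00%)/0 (0.000 GiB, 0.00%)
GRE          : 0 (0.00%)/0 (0.000 GiB, 0.00%)
IPv6         : 0/0 (0.000 GiB)
"""


def parse_network_stats(text):
    """Map each counter name to a (packets, bytes) tuple."""
    stats = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            stats[m.group("name")] = (int(m.group("pkts")), int(m.group("bytes")))
    return stats


def byte_share(stats, name):
    """Fraction of all bytes attributed to one counter (0.0 if Total is 0)."""
    total = stats.get("Total", (0, 0))[1]
    return stats.get(name, (0, 0))[1] / total if total else 0.0


def opaque_share(stats):
    """Share of bytes whose payload the sensor cannot inspect for objects
    because it is encrypted (the HTTPS and SSH counters)."""
    return byte_share(stats, "HTTPS") + byte_share(stats, "SSH")


def visibility_warnings(stats, expected=EXPECTED_NONZERO):
    """Warnings for counters that are zero but should not be."""
    if stats.get("Total", (0, 0))[0] == 0:
        return ["no packets seen at all: check the monitoring interface"]
    return [
        "%s: zero packets; the span may not carry this traffic" % name
        for name in expected
        if stats.get(name, (0, 0))[0] == 0
    ]


if __name__ == "__main__":
    s = parse_network_stats(SAMPLE)
    print("HTTP share of bytes: %.2f%%" % (100 * byte_share(s, "HTTP")))
    print("encrypted (uninspectable) share: %.4f%%" % (100 * opaque_share(s)))
    for w in visibility_warnings(s):
        print("WARNING", w)
```

On the example output the script reports that ARP, UDP, DNS and ICMP are all zero, which on a real span is a sign that the feed is filtered to TCP rather than evidence that the segment has no such traffic.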
show npulse analysis
Displays whether the integration with the PX Technology packet analyzer application is enabled. If it is enabled, the integration can be configured on the Settings: Forensics page in the Web UI. In Release 7.7.1, NX Series appliances running the Essentials edition cannot be integrated with a PX Series appliance.

Syntax
show npulse analysis

Parameters
None

Example
The following example displays the current forensic analysis status for PX integration.

hostname # show npulse analysis
Npulse Analysis State
----------------------------
Licensed subfeature:      no
Administratively enabled: yes
Operationally enabled:    no

User Role
Administrator, Monitor, or Operator

Command Mode
Enable

Release Information
This command was introduced as follows:
- NX Series: Before Release 7.5. The NX Series Essentials edition cannot be integrated with a PX Series appliance in Release 7.7.1.

Related Commands
For a list of related commands, see Forensic Analysis Command Family on page 94.
show ntp
Displays the current NTP runtime state and configuration.

Syntax
show ntp

Parameters
None

Output Fields
The following table describes the output fields for this command.

Address
    The IP address of the time source (NTP server or peer).
auth
    The NTP authentication status:
    - ok: The authentication succeeded.
    - bad: An authentication key is configured, but the authentication failed.
    - none: No authentication key is mapped to the NTP server.
    - n/a: An authentication key is configured, but the server is not reachable yet.
Stratum
    A value that denotes the relative distance from the reference clock, which is a stratum-0 device. A stratum-1 server receives its time from the reference clock, a stratum-2 server receives its time from a stratum-1 server, and so on.
Offset (msec)
    The offset between the system clock and the time source, in milliseconds.
Ref Clock
    The IP address of the reference clock of the time source.
Poll Interv (sec)
    The number of seconds between NTP poll packets.
Last Resp (sec)
    The number of seconds since the last response to a poll was received.

Example
The following example shows the current NTP runtime state and configuration.

hostname > show ntp
NTP is administratively enabled.
NTP Authentication is administratively enabled.
Clock is synchronizated. Reference: 10.255.34.6 Offset: 1.713 ms.
Active servers and peers:
                                               Offset    Ref          Poll     Last
Address        auth   Status         Stratum   (msec)    Clock        Interv   Resp
                                                                      (sec)    (sec)
=======================================================================
192.168.1.1    none   candidat (+)   2         -0.233    10.2.3.4     64       60
10.2.3.4       none   outlyer (-)    2         12.069    192.168.2.2  64       50
172.16.4.5     none   candidat (+)   2         -0.958    10.5.6.7     64       50
10.255.34.6    none   sys.peer (*)   2          1.713    172.16.3.4   64       45

User Role
Admin, Operator, or Monitor

Command Mode
Standard

Release Information
This command was introduced as follows:
- AX Series: Before Release 6.4
- CM Series: Before Release 6.4
- EX Series: Before Release 6.4. The NTP Authentication output line was introduced in EX Series Release 7.8.0. The auth output column replaced the Conf Type column in EX Series Release 7.8.0.
- FX Series: Before Release 6.4
- HX Series: Release 2.5
- NX Series: Before Release 6.4

Related Commands
For a list of related commands, see Date and Time Commands on page 78.
show ntp authentication
Displays the authentication status and keys for active NTP servers and peers.

Syntax
show ntp authentication

Parameters
None

Output Fields
The following table describes the output fields for this command.

Address
    The IP address of the NTP server. (This command displays the IP address of the NTP server even if you configured it with a hostname.)
reachable
    Whether the appliance can reach the NTP server.
auth
    The authentication status:
    - ok: The authentication succeeded.
    - bad: An authentication key is configured, but the authentication failed.
    - none: No authentication key is mapped to the NTP server.
    - n/a: An authentication key is configured, but the server is not reachable yet.
keyid
    The integer from 1 to 16 that identifies the authentication key.

Example
The following example shows that the appliance can reach all three NTP servers. Authentication keys are configured for the first two servers, and the authentication succeeded. No authentication key is mapped to the third server.

hostname > show ntp authentication
NTP is administratively enabled.
NTP authentication is administratively enabled.
Active servers and peers:
Address          reachable  auth   keyid
============================================
172.16.2.3       yes        ok     2
10.30.4.3        yes        ok     15
192.168.10.12    yes        none   none

User Role
Admin, Operator, or Monitor

Command Mode
Standard

Release Information
This command was introduced as follows:
- EX Series: Release 7.8.0

Related Commands
For a list of related commands, see Date and Time Commands on page 78.
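Because the appliance clock stamps every alert and bounds every show mvx submission from ... to query, a time source that is reachable but unauthenticated (auth none) or that fails authentication (auth bad) is worth catching before it moves the clock. The following Python script is an added example and is not FireEye code; it parses the show ntp authentication output shown above and lists the findings. It assumes the table layout in the example (a line of = characters, then one row of Address, reachable, auth and keyid per source). How the CLI words the status lines when NTP or its authentication is disabled is an assumption: the script treats any status line that does not end in "enabled." as disabled. The sample text is a constructed copy of the example.

```python
"""Audit the time sources listed by 'show ntp authentication' on a FireEye
appliance.

Added example, not FireEye code. Assumes the output layout in the guide's
example. The wording of the status lines when NTP or NTP authentication is
disabled is an assumption: anything not ending in 'enabled.' is treated as
disabled. SAMPLE is a constructed copy of the guide's example.
"""

# Meaning of the auth column, as documented for show ntp authentication.
AUTH_MEANING = {
    "ok": "authentication succeeded",
    "bad": "key configured but authentication failed (wrong key or tampered replies)",
    "none": "no key mapped: time source is unauthenticated",
    "n/a": "key configured but server not reachable yet",
}

SAMPLE = """\
hostname > show ntp authentication
NTP is administratively enabled.
NTP authentication is administratively enabled.
Active servers and peers:
Address          reachable  auth   keyid
============================================
172.16.2.3       yes        ok     2
10.30.4.3        yes        ok     15
192.168.10.12    yes        none   none
"""


def parse_ntp_authentication(text):
    """Return (ntp_enabled, auth_enabled, rows); one dict per table row."""
    ntp_enabled = auth_enabled = False
    rows, in_table = [], False
    for line in text.splitlines():
        s = line.strip()
        low = s.lower()
        if low.startswith("ntp is administratively"):
            ntp_enabled = low.endswith("enabled.")
        elif low.startswith("ntp authentication is administratively"):
            auth_enabled = low.endswith("enabled.")
        elif s.startswith("="):
            in_table = True  # the '=' rule separates the header from the rows
        elif in_table and s:
            parts = s.split()
            if len(parts) != 4:
                continue
            address, reachable, auth, keyid = parts
            rows.append({
                "address": address,
                "reachable": reachable == "yes",
                "auth": auth,
                "keyid": None if keyid == "none" else int(keyid),
            })
    return ntp_enabled, auth_enabled, rows


def audit(text):
    """(address, finding) pairs a reviewer should act on. Sources with auth
    'none' or 'bad' can move the appliance clock and so skew alert
    timestamps, time-bounded submission queries and certificate checks."""
    ntp_enabled, auth_enabled, rows = parse_ntp_authentication(text)
    findings = []
    if not ntp_enabled:
        findings.append(("global", "NTP is disabled"))
    if not auth_enabled:
        findings.append(("global", "NTP authentication is disabled"))
    for r in rows:
        if r["keyid"] is not None and not 1 <= r["keyid"] <= 16:
            findings.append((r["address"], "keyid %d outside the documented 1-16 range" % r["keyid"]))
        if r["auth"] in ("bad", "none"):
            findings.append((r["address"], AUTH_MEANING[r["auth"]]))
        elif r["auth"] == "n/a" or not r["reachable"]:
            findings.append((r["address"], "not reachable; authentication not yet verified"))
    return findings


def all_sources_authenticated(text):
    """True only when NTP and its authentication are on and every listed
    source shows auth ok."""
    ntp_enabled, auth_enabled, rows = parse_ntp_authentication(text)
    return ntp_enabled and auth_enabled and bool(rows) and all(r["auth"] == "ok" for r in rows)


if __name__ == "__main__":
    for address, finding in audit(SAMPLE):
        print("%-16s %s" % (address, finding))
```

Run against the example output, the script flags 192.168.10.12 as an unauthenticated source and nothing else; the fix on the appliance side is to map a key to that server so its auth column reads ok.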
show ntp authentication configured
Displays configured authentication keys, including the hash algorithm and key. The key value is masked.

Syntax
show ntp authentication configured

Parameters
None

Example
The following example displays the two authentication keys configured on the system.

hostname > show ntp authentication configured
NTP enabled: yes
NTP Authentication enabled: yes
NTP Key Number 1
  Type: md5
  Key: ********
NTP Key Number 2
  Type: sha1
  Key: ********

User Role
Admin, Operator, or Monitor

Command Mode
Standard

Release Information
This command was introduced as follows:
- EX Series: Release 7.8.0

Related Commands
For a list of related commands, see Date and Time Commands on page 78.
show ntp configured
Displays the current NTP status, and the configured NTP servers and their settings.

Syntax
show ntp configured

Parameters
None

Output Fields
The following table describes the output fields for this command.

NTP enabled
    Whether NTP is enabled on the appliance.
NTP Authentication enabled
    Whether NTP authentication is enabled on the appliance.
No NTP peers configured
    Indicates that no NTP peers are configured on the appliance.
NTP server
    Information about each configured NTP server:
    - IP address or hostname: The IP address or hostname that was used to configure the NTP server on the appliance.
    - Enabled: Whether the appliance currently uses this NTP server.
    - NTP version: The NTP version (3 or 4) configured for the NTP server.
    - Key: An integer from 1 to 16 that identifies the authentication key mapped to the server. If no key is mapped, none is displayed.

Example
The following example shows the current NTP status and NTP server information.

hostname > show ntp configured
NTP enabled: yes
NTP Authentication enabled: yes
No NTP peers configured.
NTP server 0.acme.pool.ntp.org
  Enabled: yes
  NTP version: 4
  Key: 10
NTP server 1.acme.pool.ntp.org
  Enabled: yes
  NTP version: 4
  Key: 12
NTP server 2.acme.pool.ntp.org
  Enabled: no
  NTP version: 4
  Key: none

User Role
Admin, Operator, or Monitor

Command Mode
Standard

Release Information
This command was introduced as follows:
- AX Series: Before Release 6.4
- CM Series: Before Release 6.4
- EX Series: Before Release 6.4. The NTP Authentication and Key output lines were introduced in EX Series Release 7.8.0.
- FX Series: Before Release 6.4
- HX Series: Release 2.5
- NX Series: Before Release 6.4

Related Commands
For a list of related commands, see Date and Time Commands on page 78.
© 2016 FireEye
1845
CLI Reference Guide
PART III: Commands
show object-analysis Displays information about malware objects that have been analyzed.
Syntax show object-analysis
Parameters None
Output Fields The following table describes the output fields for the show object-analysis command. Fields are listed in the approximate order in which they appear in the output. Field
Description
Total queued submission
Total number of malware submissions that are in the queue waiting to be analyzed from the past 24 hours.
Total running submissions
Total number of malware submissions that are currently being analyzed from the past 24 hours.
Total DA running submissions
Total number of dynamic analysis (DA) submissions that are currently running from the past 24 hours.
Total Objects Submitted
Total number of malware objects that were submitted for analysis.
Objects Analyzed
Total number of malware objects that have been analyzed.
Objects identified as Malicious
Total number of malware objects that were detected as malicious.
Total events
Total number of events that were detected.
Objects break down by system status
Total number of objects with each system status type.
Total salvaged object analysis entries
Total number of objects that have been salvaged.
Example The following example displays the malware object analysis statistics:
hostname # show object-analysis
Runtime Submission Stats:
  Total queued submission                  : 0
  Total running submissions                : 0
  Total DA running submissions             : 0
Total Objects Submitted                    : 1751
Objects Analyzed                           : 1751
Objects identified as Malicious            : 1628
  - VM verified                            : 1628
  - Duplicate to VM verified               : 0
  - Known checksum match                   : 47
Total events                               : 9308
  vm-signature-match events                : 536
  os-change-anomaly events                 : 3129
  checksum-match events                    : 4641
  vm-outbound-comm events                  : 1002
Objects break down by system status, Total : 1751
  Submitted for VM analysis                : 1628
  VM submit timeout                        : 123
Total salvaged object analysis entries     : 0
User Role Administrator, Operator, Monitor, or Analyst
Command Mode Enable
Release Information This command was introduced as follows:
NX Series: Before Release 7.5. In Release 7.7 the command output was enhanced to display additional statistics: the total number of malware objects in the queue waiting to be analyzed, and the total number of malware objects currently being analyzed.
Related Commands For a list of related commands, see Malware Object Analysis Command Family on page 107.
show object-analysis all Displays the statistics about the last 100 malware object analysis and submission jobs. The malware object analysis jobs are listed in descending order by malware ID.
Syntax show object-analysis all [limit ]
Parameters limit
(Optional) Displays statistics about the specified number of malware object analysis and submission jobs. You can display up to 1000 entries.
Output Fields The following table describes the output fields for the show object-analysis all command. Fields are listed in the approximate order in which they appear in the output. Field
Description
Malware ID
Specific malware object analysis job number.
Submission ID
Specific malware submission job number.
Analysis Type
Type of malware analysis (sandbox or live) that is associated with the malware submission job number.
URL
Single URL of the malware sample.
Analysis Timeout
Number of seconds after which the malware analysis stops if the analysis is not complete.
Analysis Priority
Priority setting for the current analysis, if you add multiple analysis jobs at the same time to the MVX engine queue. The default priority is normal.
Force
Force the NX Series appliance to perform the submitted analysis even if it matches a previous submission for which forensic results have been generated.
Profile Name
Guest image profile that the MVX engine uses for the current malware analysis job.
Profile ID
Guest image profile ID number.
Application
Application used to test submitted content.
Md5Sum
Result of the MD5 checksum.
State
Whether the malware submission job has been completed, is in the queue waiting to be analyzed, or is currently running.
Submitted Time
Date and time when the malware analysis job was submitted.
Run Start Time
Start time of the analysis.
Run End Time
End time of the analysis.
IM
Whether the sample is malicious. The results can be Yes, No, or blank. If the entry is blank, the NX Series appliance cannot confirm a malicious attack. Further forensics might be required.
Number of Events
Number of events identified in the analysis.
Children Malware ID(s)
Specific child malware analysis job number that is associated with the parent malware submission.
Parent Malware ID
Specific parent malware analysis job number that is associated with the child malware submission.
Example The following example displays the information for one malware submission job:
hostname # show object-analysis all limit 1
Malware ID 1751 Submission ID 1751
  Analysis Type:     sandbox
  URL:               ffca5eea85bb237901efe8f303a7ae84.bin
  Analysis Timeout:  240
  Analysis Priority: normal
  Force:             false
  Profile Name:      win7x64-sp1
  Profile ID:        66
  Application:       Windows-Explorer
  Md5Sum:            ffca5eea85bb237901efe8f303a7ae84
  State:             done
  Status:            success
  Submitted Time:    2015-09-14 00:31:30 PDT
  Run Start Time:    2015-09-14 10:28:18 PDT
  Run End Time:      2015-09-14 10:37:44 PDT
  IM:                YES
  Number of Events:  4
  Children Malware ID(s) Parent Malware ID  -
User Role Administrator, Operator, Monitor, or Analyst
Command Mode Enable
Release Information This command was introduced as follows:
NX Series: Before Release 7.5. The limit option was added and the command output was enhanced to display the statistics about a specific malware submission job in Release 7.7.
Related Commands For a list of related commands, see Malware Object Analysis Command Family on page 107.
show object-analysis done Displays the statistics about the last 100 malware object analysis and malware submission jobs that have been completed. This command returns information such as the type of file, status of the malware submission, number of analysis objects that are associated with the malware object analysis job, and so on. The malware object analysis jobs are listed in descending order by malware ID.
Syntax show object-analysis done [limit ]
Parameters limit
(Optional) Displays statistics about the specified number of completed malware object analysis and submission jobs. You can display up to 1000 entries.
Output Fields The following table describes the output fields for the show object-analysis done command. Fields are listed in the approximate order in which they appear in the output. Field
Description
Malware ID
Specific malware object analysis job number.
Submission ID
Specific malware submission job number.
Analysis Type
Type of malware analysis (sandbox or live) that is associated with the malware submission job number.
URL
Single URL of the malware sample.
Analysis Timeout
Number of seconds after which the malware analysis stops if the analysis is not complete.
Analysis Priority
Priority setting for the current analysis, if you add multiple analysis jobs at the same time to the MVX engine queue. The default priority is normal.
Force
Force the NX Series appliance to perform the submitted analysis even if it matches a previous submission for which forensic results have been generated.
Profile Name
Guest image profile that the MVX engine uses for the current malware analysis job.
Profile ID
Guest image profile ID number.
Application
Application used to test submitted content.
Md5Sum
Result of the MD5 checksum.
State
Whether the malware submission job has been completed, is in the queue waiting to be analyzed, or is currently running.
Submitted Time
Date and time when the malware analysis job was submitted.
Run Start Time
Start time of the analysis.
Run End Time
End time of the analysis.
IM
Whether the sample is malicious. The results can be Yes, No, or blank. If the entry is blank, the NX Series appliance cannot confirm a malicious attack. Further forensics might be required.
Number of Events
Number of events identified in the analysis.
Children Malware ID(s)
Specific child malware analysis job number that is associated with the parent malware submission.
Parent Malware ID
Specific parent malware analysis job number that is associated with the child malware submission.
Example The following example displays malware object analysis information for job ID 391:
hostname # show object-analysis done limit 1
Malware ID 391 Submission ID 458
  Analysis Type:     sandbox
  URL:               gzscanner.jar.html
  Analysis Timeout:  240
  Analysis Priority: normal
  Force:             false
  Profile Name:      win7x64-sp1
  Profile ID:        66
  Application:       InternetExplorer-11.0
  Md5Sum:            6674fb9ac823c1c6eebab5094dfbaa41
  State:             done
  Status:            success
  Submitted Time:    2015-10-01 06:38:22 PDT
  Run Start Time:    2015-10-01 09:54:09 PDT
  Run End Time:      2015-10-01 10:05:51 PDT
  IM:                YES
  Number of Events:  2
  Children Malware ID(s) Parent Malware ID  390
User Role Administrator, Operator, Monitor, or Analyst
Command Mode Enable
Release Information This command was introduced as follows:
NX Series: Before Release 7.5. The limit option was added and the command output was enhanced to display the statistics about a specific malware submission job in Release 7.7.
Related Commands For a list of related commands, see Malware Object Analysis Command Family on page 107.
show object-analysis events Displays the last 100 malware object analysis jobs with events. This command returns the malware object analysis jobs with events and includes event information such as the event's type, occurrence time, name, analysis type, and so on. The malware records are listed in descending order by malware ID.
Syntax show object-analysis events [limit ]
Parameters limit
(Optional) Displays the specified number of entries with events. You can display up to 1000 entries.
Output Fields The following table describes the output fields for the show object-analysis events command. Fields are listed in the approximate order in which they appear in the output. Field
Description
Malware ID
Specific malware object analysis job number.
Submission ID
Specific malware submission job number.
Analysis Type
Type of malware analysis (sandbox or live) that is associated with the malware submission job number.
URL
Single URL of the malware sample.
Analysis Timeout
Number of seconds after which the malware analysis stops if the analysis is not complete.
Analysis Priority
Priority setting for the current analysis, if you add multiple analysis jobs at the same time to the MVX engine queue. The default priority is normal.
Force
Force the NX Series appliance to perform the submitted analysis even if it matches a previous submission for which forensic results have been generated.
Profile Name
Guest image profile that the MVX engine uses for the current malware analysis job.
Profile ID
Guest image profile ID number.
Application
Application used to test submitted content.
Md5Sum
Result of the MD5 checksum.
State
Whether the malware submission job has been completed, is in the queue waiting to be analyzed, or is currently running.
Submitted Time
Date and time when the malware analysis job was submitted.
Run Start Time
Start time of the analysis.
Run End Time
End time of the analysis.
IM
Whether the sample is malicious. The results can be Yes, No, or blank. If the entry is blank, the NX Series appliance cannot confirm a malicious attack. Further forensics might be required.
Number of Events
Number of events identified in the analysis.
Children Malware ID(s)
Specific child malware analysis job number that is associated with the parent malware submission.
Parent Malware ID
Specific parent malware analysis job number that is associated with the child malware submission.
Occurrence Time
Time that the event occurred.
Event Type
Type of event that was identified.
Trace ID
Specific trace job number that is associated with a workorder.
Original Malware ID
If a malware sample is a duplicate of an original sample, the duplicate displays the information from the original malware analysis job number.
Source IP
IP address of the source.
Destination IP
IP address of the destination.
Source MAC
MAC address of the source.
Destination MAC
MAC address of the destination.
VLAN ID
Network VLAN job number that is associated with an event.
Attacked Port
Port number that is associated with an attack.
IP Protocol
Type of IP protocol that is used to transport the threat.
Example The following example displays one malware analysis job with an event:
hostname # show object-analysis events limit 1
Malware ID 1751 Submission ID 1751
  Analysis Type:     sandbox
  URL:               ffca5eea85bb237901efe8f303a7ae84.bin
  Analysis Timeout:  240
  Analysis Priority: normal
  Force:             false
  Profile Name:      win7x64-sp1
  Profile ID:        66
  Application:       Windows-Explorer
  Md5Sum:            ffca5eea85bb237901efe8f303a7ae84
  State:             done
  Status:            success
  Submitted Time:    2015-09-14 00:31:30 PDT
  Run Start Time:    2015-09-14 10:28:18 PDT
  Run End Time:      2015-09-14 10:37:44 PDT
  IM:                YES
  Number of Events:  4
  Children Malware ID(s) Parent Malware ID  -
Event 9395:
  Occurrence Time     : 2015-09-14 10:37:44 PDT
  Event Type          : checksum-match
  Analysis Type       : Binary Analysis
  Trace ID            : 1751
  Malware ID          : 1751
  Source IP           : 117.108.112.75
  Destination IP      : 102.81.99.76
  Source MAC          : 00:47:43:6b:41:67
  Destination MAC     : 00:35:78:34:76:6b
  VLAN ID             : 0
  Attacked Port       : 80
  IP Protocol         : tcp
  Original Malware ID :
  Name                : Win.Trojan.Poseidon
  Match Type          : av-match
  EDP URL             : https://mil.fireeye.com/edp.php?sname=Win.Trojan.Poseidon
User Role Administrator, Operator, Monitor, or Analyst
Command Mode Enable
Release Information This command was introduced as follows:
NX Series: Before Release 7.5. The limit option was added and the command output was enhanced to display the statistics about a specific malware submission job in Release 7.7.
Related Commands For a list of related commands, see Malware Object Analysis Command Family on page 107.
show object-analysis id from Displays information about the malware object analysis for a specified range of malware submission jobs. You can display up to 100 jobs by default. The malware object analysis jobs are listed in descending order by malware ID.
Syntax show object-analysis id from <object_ID> to <object_ID>
Parameters object_ID
The malware object ID at each end of the range (first and last job to display).
Output Fields The following table describes the output fields for the show object-analysis id from command. Fields are listed in the approximate order in which they appear in the output. Field
Description
Malware ID
Specific malware object analysis job number.
Submission ID
Specific malware submission job number.
Analysis Type
Type of malware analysis (sandbox or live) that is associated with the malware submission job number.
URL
Single URL of the malware sample.
Analysis Timeout
Number of seconds after which the malware analysis stops if the analysis is not complete.
Analysis Priority
Priority setting for the current analysis, if you add multiple analysis jobs at the same time to the MVX engine queue. The default priority is normal.
Force
Force the NX Series appliance to perform the submitted analysis even if it matches a previous submission for which forensic results have been generated.
Profile Name
Guest image profile that the MVX engine uses for the current malware analysis job.
Profile ID
Guest image profile ID number.
Application
Application used to test submitted content.
Md5Sum
Result of the MD5 checksum.
State
Whether the malware submission job has been completed, is in the queue waiting to be analyzed, or is currently running.
Submitted Time
Date and time when the malware analysis job was submitted.
Run Start Time
Start time of the analysis.
Run End Time
End time of the analysis.
IM
Whether the sample is malicious. The results can be Yes, No, or blank. If the entry is blank, the NX Series appliance cannot confirm a malicious attack. Further forensics might be required.
Number of Events
Number of events identified in the analysis.
Children Malware ID(s)
Specific child malware analysis job number that is associated with the parent malware submission.
Parent Malware ID
Specific parent malware analysis job number that is associated with the child malware submission.
Occurrence Time
Time that the event occurred.
Event Type
Type of event that is identified with the analysis.
Example The following example displays information about malware object analysis jobs from number 1639 to 1643:
hostname # show object-analysis id from 1639 to 1643
Malware ID 1642 Submission ID 1638
  Analysis Type:     sandbox
  URL:               fe953a86fd15840e2b4a548b9c4fb8bd.bin
  Analysis Timeout:  240
  Analysis Priority: normal
  Force:             false
  Profile Name:      win7x64-sp1
  Profile ID:        66
  Application:       Windows-Explorer
  Md5Sum:            fe953a86fd15840e2b4a548b9c4fb8bd
  State:             done
  Status:            success
  Submitted Time:    2015-09-13 21:33:13 PDT
  Run Start Time:    2015-09-14 07:32:35 PDT
  Run End Time:      2015-09-14 07:43:14 PDT
  IM:                YES
  Number of Events:  6
  Children Malware ID(s) Parent Malware ID  -
Malware ID 1640 Submission ID 1635
  Analysis Type:     sandbox
  URL:               fe944698b1fd86c126b660c152d22265.bin
  Analysis Timeout:  240
  Analysis Priority: normal
  Force:             false
  Profile Name:      win7x64-sp1
  Profile ID:        66
  Application:       Windows-Explorer
  Md5Sum:            fe944698b1fd86c126b660c152d22265
  State:             done
  Status:            success
  Submitted Time:    2015-09-13 21:28:28 PDT
  Run Start Time:    2015-09-14 07:28:20 PDT
  Run End Time:      2015-09-14 07:40:43 PDT
  IM:                YES
  Number of Events:  8
  Children Malware ID(s) Parent Malware ID  -
User Role Administrator, Operator, Monitor, or Analyst
Command Mode Enable
Release Information This command was introduced as follows:
NX Series: Before Release 7.5. The command output was enhanced to display the statistics about a specific malware submission job in Release 7.7.
Related Commands For a list of related commands, see Malware Object Analysis Command Family on page 107.
show object-analysis id Displays information about a specific malware object analysis and malware submission job.
Syntax show object-analysis id <object_ID>
Parameters object_ID
The malware object ID for a specific job.
Output Fields The following table describes the output fields for the show object-analysis id command. Fields are listed in the approximate order in which they appear in the output. Field
Description
Malware ID
Specific malware object analysis job number.
Submission ID
Specific malware submission job number.
Analysis Type
Type of malware analysis (sandbox or live) that is associated with the malware submission job number.
URL
Single URL of the malware sample.
Analysis Timeout
Number of seconds after which the malware analysis stops if the analysis is not complete.
Analysis Priority
Priority setting for the current analysis, if you add multiple analysis jobs at the same time to the MVX engine queue. The default priority is normal.
Force
Force the NX Series appliance to perform the submitted analysis even if it matches a previous submission for which forensic results have been generated.
Profile Name
Guest image profile that the MVX engine uses for the current malware analysis job.
Profile ID
Guest image profile ID number.
Application
Application used to test submitted content.
Md5Sum
Result of the MD5 checksum.
State
Whether the malware submission job has been completed, is in the queue waiting to be analyzed, or is currently running.
Submitted Time
Date and time when the malware analysis job was submitted.
Run Start Time
Start time of the analysis.
Run End Time
End time of the analysis.
IM
Whether the sample is malicious. The results can be Yes, No, or blank. If the entry is blank, the NX Series appliance cannot confirm a malicious attack. Further forensics might be required.
Number of Events
Number of events identified in the analysis.
Children Malware ID(s)
Specific child malware analysis job number that is associated with the parent malware submission.
Parent Malware ID
Specific parent malware analysis job number that is associated with the child malware submission.
Occurrence Time
Time that the event occurred.
Event Type
Type of event that is identified with the analysis.
Analysis Type
Type of analysis that is associated with the event.
Trace ID
Specific trace job number that is associated with a workorder.
Source IP
IP address of the source.
Destination IP
IP address of the destination.
Source MAC
MAC address of the source.
Destination MAC
MAC address of the destination.
VLAN ID
Network VLAN job number that is associated with an event.
Attacked Port
Port number that is associated with an attack.
IP Protocol
Type of IP protocol that is used to transport the threat.
PCAP URL
Packet capture (PCAP) link that is associated with an event.
Example The following example displays malware analysis information for job number 1749:
hostname # show object-analysis id 1749
Malware ID 1749 Submission ID 1749
  Analysis Type:     sandbox
  URL:               ff8f8776833cf214d1febb7f6bc8d9b8.bin
  Analysis Timeout:  240
  Analysis Priority: normal
  Force:             false
  Profile Name:      win7x64-sp1
  Profile ID:        66
  Application:       Windows-Explorer
  Md5Sum:            ff8f8776833cf214d1febb7f6bc8d9b8
  State:             done
  Status:            success
  Submitted Time:    2015-09-14 00:28:21 PDT
  Run Start Time:    2015-09-14 10:27:03 PDT
  Run End Time:      2015-09-14 10:35:39 PDT
  IM:                YES
  Number of Events:  4
  Children Malware ID(s) Parent Malware ID  -
Event 9386:
  Occurrence Time     : 2015-09-14 10:35:39 PDT
  Event Type          : os-change-anomaly
  Analysis Type       : Binary Analysis
  Trace ID            : 1749
  Malware ID          : 1749
  Source IP           : 77.87.102.78
  Destination IP      : 100.87.80.81
  Source MAC          : 00:35:56:37:68:49
  Destination MAC     : 00:37:52:61:36:68
  VLAN ID             : 0
  Attacked Port       : unknown
  IP Protocol         : unknown
  OS Change Analysis:
  EDP URL             : https://mil.fireeye.com/edp.php?sname=Malware.Binary.exe
  PCAP URL            : https://172.16.146.41/event_stream/send_pcap_file?ev_id=9386
  PCAP (text)         : https://172.16.146.41/event_stream/send_pcap_ascii?ev_id=9386
Event 9385:
  Occurrence Time     : 2015-09-14 10:35:39 PDT
  Event Type          : os-change-anomaly
  Analysis Type       : Binary Analysis
  Trace ID            : 1749
  Malware ID          : 1749
  Source IP           : 77.87.102.78
  Destination IP      : 100.87.80.81
  Source MAC          : 00:35:56:37:68:49
  Destination MAC     : 00:37:52:61:36:68
  VLAN ID             : 0
  Attacked Port       : unknown
  IP Protocol         : unknown
  OS Change Analysis:
  EDP URL             : https://mil.fireeye.com/edp.php?sname=Malware.Binary.exe
  PCAP URL            : https://172.16.146.41/event_stream/send_pcap_file?ev_id=9385
  PCAP (text)         : https://172.16.146.41/event_stream/send_pcap_ascii?ev_id=9385
Event 9384:
  Occurrence Time     : 2015-09-14 10:35:39 PDT
  Event Type          : checksum-match
  Analysis Type       : Binary Analysis
  Trace ID            : 1749
  Malware ID          : 1749
  Source IP           : 77.87.102.78
  Destination IP      : 100.87.80.81
  Source MAC          : 00:35:56:37:68:49
  Destination MAC     : 00:37:52:61:36:68
  VLAN ID             : 0
  Attacked Port       : 80
  IP Protocol         : tcp
  Original Malware ID :
  Name                : Dropper.DTI.DroppedFiles
  Match Type          : malware-intrinsic-analysis
  EDP URL             : https://mil.fireeye.com/edp.php?sname=Dropper.DTI.DroppedFiles
Event 9383:
  Occurrence Time     : 2015-09-14 10:35:39 PDT
  Event Type          : checksum-match
  Analysis Type       : Binary Analysis
  Trace ID            : 1749
  Malware ID          : 1749
  Source IP           : 77.87.102.78
  Destination IP      : 100.87.80.81
  Source MAC          : 00:35:56:37:68:49
  Destination MAC     : 00:37:52:61:36:68
  VLAN ID             : 0
  Attacked Port       : 80
  IP Protocol         : tcp
  Original Malware ID :
  Name                : Trojan.Generic
  Match Type          : av-suite
  EDP URL             : https://mil.fireeye.com/edp.php?sname=Trojan.Generic
User Role Administrator, Operator, Monitor, or Analyst
Command Mode Enable
Release Information This command was introduced as follows:
NX Series: Before Release 7.5. The command output was enhanced to display the statistics about a specific malware submission job in Release 7.7.
Related Commands For a list of related commands, see Malware Object Analysis Command Family on page 107.
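The show object-analysis all, done, events, id from and id entries above all print the same per-job record: a "Malware ID N Submission ID N" header, "label: value" lines, and, where events are shown, "Event N:" blocks with their own label/value lines. Two things a practitioner reads off such a record are not printed as fields: how long the job waited in the MVX queue (Run Start Time minus Submitted Time; in the examples above this is close to ten hours) and how long the run itself took. The following parser is an added example, not FireEye code and not part of this guide. It handles the record layout shown in those entries and derives those two numbers along with the verdict and the names attached to checksum-match events. The sample text is constructed from the job 1749 example; the derived queue_wait_s and run_s values are this example's own, not appliance output.

```python
"""Parse the per-job records printed by show object-analysis all, done,
events, id and id from, and derive queue wait, run time and event names.

Added example, not FireEye code. The record layout follows the examples
in this guide; SAMPLE is constructed, and queue_wait_s / run_s are
derived here, not fields the appliance prints.
"""
import re
from datetime import datetime

SAMPLE = """\
Malware ID 1749 Submission ID 1749
  Analysis Type:     sandbox
  URL:               ff8f8776833cf214d1febb7f6bc8d9b8.bin
  Analysis Timeout:  240
  Md5Sum:            ff8f8776833cf214d1febb7f6bc8d9b8
  State:             done
  Status:            success
  Submitted Time:    2015-09-14 00:28:21 PDT
  Run Start Time:    2015-09-14 10:27:03 PDT
  Run End Time:      2015-09-14 10:35:39 PDT
  IM:                YES
  Number of Events:  2
  Children Malware ID(s) Parent Malware ID  -
Event 9386:
  Occurrence Time : 2015-09-14 10:35:39 PDT
  Event Type      : os-change-anomaly
  Analysis Type   : Binary Analysis
  Attacked Port   : unknown
  IP Protocol     : unknown
  EDP URL         : https://mil.fireeye.com/edp.php?sname=Malware.Binary.exe
Event 9384:
  Occurrence Time : 2015-09-14 10:35:39 PDT
  Event Type      : checksum-match
  Analysis Type   : Binary Analysis
  Attacked Port   : 80
  IP Protocol     : tcp
  Name            : Dropper.DTI.DroppedFiles
  Match Type      : malware-intrinsic-analysis
  EDP URL         : https://mil.fireeye.com/edp.php?sname=Dropper.DTI.DroppedFiles
"""

RECORD_RE = re.compile(r"^Malware ID (\d+) Submission ID (\d+)$")
EVENT_RE = re.compile(r"^Event (\d+):$")


def parse_records(text):
    """Return a list of jobs: {malware_id, submission_id, fields, events}.

    fields maps a record label to its value; events is a list of dicts with
    the event id plus that event's label/value pairs.
    """
    jobs, target = [], None  # target: the dict currently receiving "label: value" lines
    for raw in text.splitlines():
        line = raw.strip()
        m = RECORD_RE.match(line)
        if m:
            jobs.append({"malware_id": int(m.group(1)), "submission_id": int(m.group(2)),
                         "fields": {}, "events": []})
            target = jobs[-1]["fields"]
            continue
        m = EVENT_RE.match(line)
        if m and jobs:
            jobs[-1]["events"].append({"id": int(m.group(1))})
            target = jobs[-1]["events"][-1]
            continue
        if target is None or ":" not in line:
            continue  # the Children/Parent Malware ID line carries no colon
        label, _, value = line.partition(":")  # first colon only: URLs and times keep theirs
        target[label.strip()] = value.strip()
    return jobs


def _ts(value):
    # The appliance prints "YYYY-MM-DD HH:MM:SS ZONE"; the three timestamps of a
    # record share a zone, so the zone token is dropped before subtracting.
    return datetime.strptime(value.rsplit(" ", 1)[0], "%Y-%m-%d %H:%M:%S")


def summarize(job):
    """Queue wait and run time in seconds, verdict, and the names attached to events."""
    f = job["fields"]
    submitted, start, end = (_ts(f[k]) for k in ("Submitted Time", "Run Start Time", "Run End Time"))
    return {
        "malware_id": job["malware_id"],
        "malicious": f.get("IM", "").upper() == "YES",
        "queue_wait_s": int((start - submitted).total_seconds()),
        "run_s": int((end - start).total_seconds()),
        "event_types": [e.get("Event Type") for e in job["events"]],
        "names": [e["Name"] for e in job["events"] if "Name" in e],
    }


if __name__ == "__main__":
    for job in parse_records(SAMPLE):
        print(summarize(job))
```

Because the parser only recognises the record and event headers and otherwise stores whatever "label: value" pairs it sees, the same function works on the output of all five commands; a queue wait that keeps growing across a day's worth of `show object-analysis done limit 1000` is the earliest sign that the MVX engine is saturated and that a sample may reach the VM long after the download it was carved from completed.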
show object-analysis list Displays a full list of all malware object analysis jobs, in descending order by malware ID (MID). For more information, refer to the NX Series User Guide.
Syntax show object-analysis list
Parameters None
Example The following example displays partial output of a list of all malware object analysis jobs:
hostname # show object-analysis list
MID  MD5                               SourceIP         NumEvents (ID/TYPE)                                             Detection  Date/Time
1020 a13a17bfe5d666dc58a45bb9d3f66a15  79.52.116.71     8 ( 5634,5633:na 5632,5631:oc 5630,5629,5628,5627:cm to 1020 )  misc       2015-09-13 12:03:35 PDT
1019 a08db33323cf181f1e4b7d9d0ba953b0  111.82.49.50     8 ( 5626,5625:na 5624,5623:oc 5622,5621,5620,5619:cm to 1019 )  misc       2015-09-13 11:59:30 PDT
1018 a0587c6b396da14e34b34ff14b4c0759  54.105.67.88     3 ( 5618,5617:oc 5616:cm to 1018 )                              misc       2015-09-13 11:58:00 PDT
1017 a04c2a1bb788a9e10a19ab5eba24182b  100.107.115.111  6 ( 5615,5614:oc 5613,5612,5611,5610:cm to 1017 )               misc       2015-09-13 11:56:15 PDT
1016 a004566f912590828c5eba1bcf107e57  80.115.70.81     5 ( 5609,5608:oc 5607,5606,5605:cm to 1016 )                    misc       2015-09-13 11:54:35 PDT
1015 9fb3212ecbab2751a1f823950051079f  109.75.71.120    3 ( 5604,5603:oc 5602:cm to 1015 )                              misc       2015-09-13 11:53:05 PDT
User Role Administrator, Operator, Monitor, or Analyst
Command Mode Enable
Release Information This command was introduced as follows:
NX Series: Before Release 7.5
Related Commands For a list of related commands, see Malware Object Analysis Command Family on page 107.
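The list format packs, for each job, the event IDs grouped by a short type code inside the parenthesised (ID/TYPE) column, with a trailing "to MID" that restates the job the events belong to. The following parser is an added example, not FireEye code and not part of this guide. It splits that column into per-type counts, checks that the IDs listed actually add up to NumEvents, and totals event types across the listing. The sample rows are constructed from the example above; the type codes (na, oc, cm) are counted exactly as printed and are not expanded to names, since this guide does not define them.

```python
"""Parse the one-line-per-job table printed by show object-analysis list and
count events per type code inside the (ID/TYPE) group.

Added example, not FireEye code. SAMPLE is constructed from the rows in the
guide's example; the per-row consistency check is this example's own. The
type codes (na, oc, cm) are counted as printed, not expanded to names.
"""
import re
from collections import Counter

SAMPLE = """\
MID  MD5                               SourceIP        NumEvents (ID/TYPE)  Detection  Date/Time
1020 a13a17bfe5d666dc58a45bb9d3f66a15  79.52.116.71    8 ( 5634,5633:na 5632,5631:oc 5630,5629,5628,5627:cm to 1020 ) misc 2015-09-13 12:03:35 PDT
1019 a08db33323cf181f1e4b7d9d0ba953b0  111.82.49.50    8 ( 5626,5625:na 5624,5623:oc 5622,5621,5620,5619:cm to 1019 ) misc 2015-09-13 11:59:30 PDT
1018 a0587c6b396da14e34b34ff14b4c0759  54.105.67.88    3 ( 5618,5617:oc 5616:cm to 1018 ) misc 2015-09-13 11:58:00 PDT
1017 a04c2a1bb788a9e10a19ab5eba24182b  100.107.115.111 6 ( 5615,5614:oc 5613,5612,5611,5610:cm to 1017 ) misc 2015-09-13 11:56:15 PDT
1016 a004566f912590828c5eba1bcf107e57  80.115.70.81    5 ( 5609,5608:oc 5607,5606,5605:cm to 1016 ) misc 2015-09-13 11:54:35 PDT
1015 9fb3212ecbab2751a1f823950051079f  109.75.71.120   3 ( 5604,5603:oc 5602:cm to 1015 ) misc 2015-09-13 11:53:05 PDT
"""

ROW_RE = re.compile(
    r"^(\d+)\s+([0-9a-f]{32})\s+(\S+)\s+(\d+)\s+\((.*?)\)\s+(\S+)\s+"
    r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} \S+)$"
)


def parse_list(text):
    """Return one dict per data row; the header and prompt lines do not match and are skipped."""
    rows = []
    for raw in text.splitlines():
        m = ROW_RE.match(raw.strip())
        if not m:
            continue
        mid, md5, src_ip, n_events, group, detection, when = m.groups()
        counts, event_ids = Counter(), []
        for tok in group.split():
            if ":" not in tok:
                continue  # "to 1020" restates the MID the events belong to
            id_list, _, code = tok.partition(":")
            ids = [int(i) for i in id_list.split(",")]
            event_ids.extend(ids)
            counts[code] += len(ids)
        rows.append({
            "mid": int(mid), "md5": md5, "src_ip": src_ip, "detection": detection,
            "time": when, "num_events": int(n_events), "event_ids": event_ids,
            "counts": dict(counts),
            # NumEvents should equal the number of ids listed in the group
            "consistent": len(event_ids) == int(n_events),
        })
    return rows


def event_type_totals(rows):
    """Sum the per-type counts over all rows."""
    total = Counter()
    for r in rows:
        total.update(r["counts"])
    return dict(total)


if __name__ == "__main__":
    rows = parse_list(SAMPLE)
    print(event_type_totals(rows))
    for r in rows:
        if not r["consistent"]:
            print("NumEvents mismatch on MID", r["mid"])
```

The row regular expression anchors on the 32-hex-digit MD5 and the trailing timestamp, so a source IP or detection string containing unexpected characters cannot shift the columns; an inconsistent row is worth a closer look with `show object-analysis id` before its event IDs are used for correlation elsewhere.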
show object-analysis running Displays the number of malware object analysis jobs that are currently in process and have not completed, followed by the details of each running submission. The malware analysis job number (Malware ID) that a specific malware submission received is shown by the show submission id command.
Syntax show object-analysis running
Parameters None
Output Fields The following table describes the output fields for the show object-analysis running command. Fields are listed in the approximate order in which they appear in the output. Field
Description
Submission ID
Specific malware submission job number.
Submission name
Specific malware submission name.
Total files analyzed
Total number of files that have been analyzed.
Analysis timeout
Number of seconds after which the malware analysis stops if the analysis is not complete.
File type
File type that is associated with the malware analysis job.
Force analyze
Force the NX Series appliance to always submit a malware sample to be analyzed on a VM.
Initial weight
Initial weight is always set to zero for a particular malware sample.
Submission time
Date and time when the malware analysis job was submitted.
Analysis start time
Start time of the analysis.
Example The following example displays one malware object analysis job that is currently in process and has not yet completed:
hostname # show object-analysis running
Number of malware running : 1
Submission ID 987
  Submission name      : 0a3de994abbfa1b7c4ba2be6ed66f09f935c241ac0c23d5e10c1c5c4f8d10824.bin
  Total files analyzed : 1
  Analysis timeout(s)  : 240
  File type            : exe
  Force analyze        : f
  Initial weight       : 0
  Submission time      : 2015-10-29 14:24:01.488632
  Analysis start time  : 2015-10-29 14:24:01.661643
The following example displays malware analysis job 850 that is provided for malware submission 987 by using the show submission id command:
hostname # show submission id 987
Submission ID: 987
  Malware ID            : 850
  Source IpAddress      : 21.83.95.243
  Destination IpAddress : 21.83.95.244
  md5sum                : adb000352cc2cb248f00a4ee484e20cc
  File type             : exe
  Status                : success
  Malicious             : YES
User Role Administrator, Operator, Monitor, or Analyst
Command Mode Enable
Release Information This command was introduced as follows:
NX Series: Before Release 7.5. Command output was enhanced to display the statistics about a specific malware submission job in Release 7.7.
Related Commands For a list of related commands, see Malware Object Analysis Command Family on page 107.
show policymgr drop configuration Displays the information about the policy manager drop-filter configuration.
Syntax show policymgr drop configuration
Parameters None
Output Fields The following table describes the output fields for the show policymgr drop configuration command. Fields are listed in the approximate order in which they appear in the output. Field
Description
Drop Out Interface
Gateway for an out-of-band block interface is enabled on either the ether1 management interface or the ether2 management interface.
HTTP Comfort Page Enabled
HTTP comfort page posting to the HTTP requester is enabled.
Type
Type of comfort page message.
Message
Text of the message.
TCP Reset Enabled
A TCP connection reset is enabled according to the configuration set.
to Server
A TCP server-side connection is reset according to the configuration set.
to Client
A TCP client-side connection is reset according to the configuration set.
UDP ICMP Port-Unreachable Enabled
The “icmp port unreachable” message is posted when infected UDP packets have been blocked.
Example The following example displays the information about the drop-filter configuration:
hostname # show policymgr drop configuration
Policy drop filter configuration:
Drop Out Interface: ether2
Drop Out Interface Gateway:
Interface A:
  Out Interface : ether1
  HTTP Comfort Page:
    Enabled : no
    Type    : access-denied
    Message : The page you are trying to access, http://%U, has a potential threat detected.
  UDP ICMP Port-Unreachable:
    Enabled : no
Interface B:
  Out Interface : ether2
  HTTP Comfort Page:
    Enabled : no
    Type    : access-denied
    Message : The page you are trying to access, http://%U, has a potential threat detected.
  TCP Reset :
    Enabled   : no
    to Server : yes
    to Client : yes
  UDP ICMP Port-Unreachable:
    Enabled : no
User Role Administrator, Operator, Monitor, or Analyst
Command Mode Enable
Release Information This command was introduced as follows:
NX Series: Before Release 7.5
Related Commands For a list of related commands, see Policy Manager Command Family on page 118.
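The three block responses this entry describes (HTTP comfort page, TCP reset to server and/or client, UDP ICMP port-unreachable) each carry their own Enabled line under each monitored interface, and in the example above every one of them is "no", so that appliance detects but never interrupts a session. The following script is an added example, not FireEye code and not part of this guide. It parses the nested output shown above and reports, per interface, which block responses are actually on; the sample is constructed (interface A as in the example, interface B with the comfort page and a server-side TCP reset switched on so the report has something to show), and the detect-only rule is this example's own.

```python
"""Parse show policymgr drop configuration output and report, per monitored
interface, which block responses are actually enabled.

Added example, not FireEye code. SAMPLE is constructed in the format of the
guide's example: interface A is left as the guide shows it (every response
disabled); interface B has TCP Reset and the comfort page switched on. The
detect-only rule is this example's own.
"""
import re

SAMPLE = """\
Policy drop filter configuration:
Drop Out Interface: ether2
Interface A:
  Out Interface : ether1
  HTTP Comfort Page:
    Enabled : no
    Type    : access-denied
    Message : The page you are trying to access, http://%U, has a potential threat detected.
  TCP Reset :
    Enabled   : no
    to Server : yes
    to Client : yes
  UDP ICMP Port-Unreachable:
    Enabled : no
Interface B:
  Out Interface : ether2
  HTTP Comfort Page:
    Enabled : yes
    Type    : access-denied
    Message : The page you are trying to access, http://%U, has a potential threat detected.
  TCP Reset :
    Enabled   : yes
    to Server : yes
    to Client : no
  UDP ICMP Port-Unreachable:
    Enabled : no
"""

RESPONSES = ("HTTP Comfort Page", "TCP Reset", "UDP ICMP Port-Unreachable")
IFACE_RE = re.compile(r"^Interface ([A-Z])$")


def parse_drop_config(text):
    """Return {interface letter: {"settings": {...}, "responses": {name: {...}}}}."""
    config, iface, resp = {}, None, None
    for raw in text.splitlines():
        label, _, value = raw.strip().partition(":")  # first colon only; Message keeps its URL
        label, value = label.strip(), value.strip()
        m = IFACE_RE.match(label)
        if m and not value:
            iface = config.setdefault(m.group(1), {"settings": {}, "responses": {}})
            resp = None
        elif label in RESPONSES and iface is not None:
            resp = iface["responses"].setdefault(label, {})
        elif resp is not None and value:
            resp[label] = value
        elif iface is not None and value:
            iface["settings"][label] = value
    return config


def blocking_summary(config):
    """Per interface, the enabled block responses; an empty list means detect-only."""
    summary = {}
    for name, iface in config.items():
        enabled = []
        for resp, settings in iface["responses"].items():
            if settings.get("Enabled", "no").lower() != "yes":
                continue
            if resp == "TCP Reset":
                sides = [s for s in ("to Server", "to Client") if settings.get(s, "no").lower() == "yes"]
                enabled.append(f"TCP Reset ({', '.join(sides) or 'no side selected'})")
            else:
                enabled.append(resp)
        summary[name] = enabled
    return summary


if __name__ == "__main__":
    for name, enabled in blocking_summary(parse_drop_config(SAMPLE)).items():
        print(f"Interface {name}: {', '.join(enabled) if enabled else 'detect-only, no block response enabled'}")
```

Note that "to Server: yes" and "to Client: yes" under a TCP Reset block whose own Enabled line is "no" (interface A above) mean nothing is sent; the parser therefore reports a direction only when the parent response is enabled, which is the reading the field descriptions in this entry support.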
show policymgr Description Displays policy manager drop configuration information, and current policy status for signatures, interfaces, and networks. This command is available on the NX Series appliance. Related commands: policymgr drop interface, policymgr interface, policymgr network, policymgr refresh-policy
Syntax
show policymgr drop configuration
show policymgr interfaces
show policymgr networks
show policymgr signatures
Parameters
drop configuration
Displays policy manager drop configuration information.
interfaces
Displays policy status for interfaces.
networks
Displays policy status for networks.
signatures
Displays policy status for signatures.
Examples The following example shows current drop configuration information.
hostname # show policymgr drop configuration
Policy drop filter configuration:
Drop Out Interface: ether2
Drop Out Interface Gateway:
Interface A:
  Out Interface : ether1
  HTTP Comfort Page:
    Enabled : no
    Type    : access-denied
    Message : The page you are trying to access, http://%U, has a potential threat detected.
  UDP ICMP Port-Unreachable:
    Enabled : no
Interface B:
  Out Interface : ether2
  HTTP Comfort Page:
    Enabled : no
    Type    : access-denied
    Message : The page you are trying to access, http://%U, has a potential threat detected.
  TCP Reset :
    Enabled   : no
    to Server : yes
    to Client : yes
  UDP ICMP Port-Unreachable:
    Enabled : no
The following example shows the current policy status for interfaces:
hostname # show policymgr interfaces
Policy enabled : yes
Interface A
  Active    : yes
  op-mode   : tap (tapping)
  fail-safe : open
  policy    : mixed
  tolerance : 1
  Ports     : pether3 pether4
  QinQ      : no
  QinQ-evet : 0x88a8
Interface B
  Active    : yes
  op-mode   : tap (tapping)
  fail-safe : open
  policy    : mixed
  tolerance : 1
  Ports     : pether5 pether6
  QinQ      : no
  QinQ-evet : 0x88a8
show policymgr interfaces

Displays the current policy for interfaces.

Syntax
show policymgr interfaces

Parameters
None

Example
The example shows the current policy for interfaces on an NX Series model with four interface pairs:

  hostname # show policymgr interfaces
  Policy enabled : yes
  Interface A
    Active      : yes
    op mode     : monitor (permissive)
    fail-safe   : close
    policy      : mixed
    tolerance   : 1
    mirror-port :
    Ports       : pether3 pether4
    QinQ        : no
    QinQ-evet   : 0x88a8
  Interface B
    Active      : yes
    op-mode     : tap (tapping)
    fail-safe   : close
    policy      : mixed
    tolerance   : 1
    mirror-port :
    Ports       : pether5 pether6
    QinQ        : no
    QinQ-evet   : 0x88a8
  Interface C
    Active      : yes
    op mode     : tap (tapping)
    fail-safe   : close
    policy      : mixed
    tolerance   : 1
    mirror-port :
    Ports       : pether7 pether8
    QinQ        : no
    QinQ-evet   : 0x88a8
  Interface D
    Active      : yes
    op mode     : tap (tapping)
    fail-safe   : close
    policy      : mixed
    tolerance   : 1
    mirror-port :
    Ports       : pether9 pether10
    QinQ        : no
    QinQ-evet   : 0x88a8
User Role Admin, Operator, or Monitor
Command Mode Enable
Release Information This command was introduced as follows: NX Series: Before Release 6.4. The mirror-port output field was added in Release 7.7 to display mirror ports that are configured to receive a copy of traffic from monitoring interfaces, and then forward that traffic to another analysis device.
Related Commands For a list of related commands, see: Policy Manager Command Family on page 118.
show ips interfaces

Displays details about the monitoring interfaces associated with IPS policies on an IPS-enabled platform: the name of each monitoring interface on the NX Series appliance and the name of the IPS policy that is active on it. For more information, see the NX Series IPS Feature Guide. You can also run this command remotely from the command line of an integrated FireEye CM Series platform using the central management platform proxying mechanism.
Syntax show ips interfaces
Parameters None
Output Fields
The following table describes the output fields for the command. Fields are listed in the approximate order in which they appear in the output.

  Field Name       Description
  Interface        Identifier (A or B) of a monitoring interface that is associated with an IPS policy.
  Policy applied   Name of the IPS policy applied to the monitoring interface.
  Rule count       Number of IPS rules active on the monitoring interface.
Example

  hostname # show ips interfaces
  Interface      : A
  Policy applied : Comprehensive
  Rule count     : 6882
  Interface      : B
  Policy applied : myCustom1
  Rule count     : 1002
User Role Monitor, Analyst, Operator, or Administrator
Command Mode Enable
Release Information This command was introduced as follows:
● NX Series: Release 7.2.0
Related Commands For a list of related commands, see IPS Commands on page 102.
show ips policies

Displays the rule attributes associated with IPS policies defined on an IPS-enabled NX Series platform. By default, the command output displays the non-match attributes of the specified IPS policy. You can include optional parameters to show the match attributes or the exclusion list or inclusion list of the IPS policy. For more information, see the NX Series IPS Feature Guide. You can also run this command remotely from the command line of an integrated FireEye CM Series platform using the central management platform proxying mechanism.
Syntax show ips policies []
Parameters
Name of the IPS policy whose attributes are to be displayed.
Output Fields
The following table describes the output fields for the show ips policies command. Fields are listed in the approximate order in which they appear in the output.

  Field Name       Field Description
  State Attributes
  active           Indicates whether the IPS policy is active:
                   ● yes—The policy is attached to one or more interfaces.
                   ● no—The policy is not attached to any interface.
                   You cannot delete a policy while it is active. You cannot delete or edit a default policy.
  writable         Indicates whether the IPS policy is configurable:
                   ● yes—The policy is configurable. Only custom policies are configurable.
                   ● no—The policy is not configurable. Only default policies are not configurable. You cannot delete or edit a default policy.
  modified_date    Date and time at which the IPS policy was last modified.
  version          IPS policy format internal version number.
  Match Attributes
  attack-target    Type of network host machine that the rule covers.
  min-severity     Attack severity level of the rule is equal to or above this lower limit. Range: 1 – 10.
  max-severity     Attack severity level of the rule is equal to or below this upper limit. Range: 1 – 10.
  category         (Option for custom IPS policies) Category of the network attack that the rule covers.
  sub_category     (Option for custom IPS policies) Subcategory of the network attack that the rule covers.
  protocol         (Option for custom IPS policies) Network protocol covered by the rule.
  Rule-Exclusion and Rule-Inclusion Attributes
  Inclusion list   (Option for custom IPS policies) List of signature IDs of IPS rules to be explicitly included in the policy selection.
  Exclusion list   (Option for custom IPS policies) List of signature IDs of IPS rules to be explicitly excluded from the policy selection.
  Fingerprint      (Custom IPS policies only) Hexadecimal string that identifies the attributes of a custom IPS policy. IPS policies have the same fingerprint if they share the same match attributes, rule-exclusion attributes, and rule-inclusion attributes.
Example

show ips policies ?

  hostname # show ips policies ?
  Policy name>
    FireEye_Default
    Comprehensive
    Default_Client_Protection
    Default_Server_Protection
    myCustom1
    myCustom2

show ips policies

  hostname # show ips policies
  FireEye_Default
    active  : yes
    version : 2
  Comprehensive
    active  : no
    version : 2
  Default_Server_Protection
    active  : no
    version : 2
  Default_Client_Protection
    active  : no
    version : 2
  myCustom1
    active  : no
    version : 1
    No. of included rules: 1
    No. of excluded rules: 2
  myCustom2
    active  : no
    version : 1
    No. of included rules: 1
    No. of excluded rules: 2
  myCustom3
    active  : no
    version : 1
    No. of included rules: 1
    No. of excluded rules: 2

show ips policies myCustom1

  hostname # show ips policies myCustom1
  Policy attributes :
    active        : no
    writable      : yes
    modified_date : 2014/09/25 10:24:48
    version       : 9
  Match attributes of policy :
    attack-target : client
    min-severity  : 5
    max-severity  : 10
  Inclusion list for policy : 85301782
  Exception list for policy : 8530001,8530050
  Fingerprint of policy : 2014/09/25 10:24:48 | 287fd1bda05326809e195cccf5e9798c
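The following Python script is an added example and not FireEye tooling. It parses the per-policy output of show ips policies (the myCustom1 form above) into a structured record: state attributes, match attributes, the inclusion and exception lists as integer signature IDs, and the fingerprint digest with its timestamp. It then validates the severity window against the documented 1–10 range and reports any signature ID that is listed for both inclusion and exclusion. The sample text is constructed from the example above; the field labels are the appliance's own, including the "Exception list" label it prints for excluded rules.

```python
"""Parse `show ips policies <name>` output into a structured record.

Added example for this reference entry; not FireEye code. SAMPLE_DETAIL is
constructed from the myCustom1 example above.
"""
from typing import Any, Dict, List, Optional, Set

SAMPLE_DETAIL = """\
Policy attributes :
  active : no
  writable : yes
  modified_date : 2014/09/25 10:24:48
  version : 9
Match attributes of policy :
  attack-target : client
  min-severity : 5
  max-severity : 10
Inclusion list for policy : 85301782
Exception list for policy : 8530001,8530050
Fingerprint of policy : 2014/09/25 10:24:48 | 287fd1bda05326809e195cccf5e9798c
"""


def _split_ids(value: str) -> List[int]:
    """'8530001,8530050' -> [8530001, 8530050]; an empty list prints as nothing."""
    return [int(v) for v in value.split(",") if v.strip()]


def parse_policy_detail(text: str) -> Dict[str, Any]:
    """Return state/match attributes, include/exclude ID lists and the fingerprint."""
    record: Dict[str, Any] = {
        "state": {}, "match": {}, "include": [], "exclude": [],
        "fingerprint": None, "fingerprint_time": None,
    }
    section: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # Split on the first colon only: timestamps contain colons of their own.
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Policy attributes":
            section = "state"
        elif key == "Match attributes of policy":
            section = "match"
        elif key == "Inclusion list for policy":
            record["include"] = _split_ids(value)
            section = None
        elif key == "Exception list for policy":
            record["exclude"] = _split_ids(value)
            section = None
        elif key == "Fingerprint of policy":
            # Printed as "<modified time> | <hex digest>".
            ts, _, digest = value.partition("|")
            record["fingerprint_time"] = ts.strip()
            record["fingerprint"] = digest.strip()
            section = None
        elif section in ("state", "match"):
            record[section][key] = value
    return record


def severity_range(record: Dict[str, Any]) -> Optional[range]:
    """Inclusive severity window of the policy, checked against the documented 1-10 range."""
    match = record["match"]
    if "min-severity" not in match or "max-severity" not in match:
        return None
    lo, hi = int(match["min-severity"]), int(match["max-severity"])
    if not 1 <= lo <= hi <= 10:
        raise ValueError(f"severity window {lo}-{hi} is outside 1-10 or inverted")
    return range(lo, hi + 1)


def conflicting_ids(record: Dict[str, Any]) -> Set[int]:
    """Signature IDs listed for both inclusion and exclusion: an operator error worth flagging."""
    return set(record["include"]) & set(record["exclude"])


if __name__ == "__main__":
    rec = parse_policy_detail(SAMPLE_DETAIL)
    print(rec["state"], rec["match"])
    print("severity:", list(severity_range(rec)))
    print("fingerprint:", rec["fingerprint"], "conflicts:", conflicting_ids(rec))
```

Because the fingerprint is derived from the match, inclusion and exclusion attributes, the digest returned by parse_policy_detail can be compared across appliances to confirm that two custom policies with the same name really carry the same selection.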
User Role Monitor, Analyst, Operator, or Administrator
Command Mode Enable
Release Information This command was introduced as follows:
● NX Series: Release 7.2.0. Parameters exclude, fingerprint, include, and rules removed in Release 7.5.0.
Related Commands For a list of related commands, see IPS Commands on page 102.
show ips status

Displays the status of IPS global settings. This command displays the platform-wide status of blocking by IPS rules, the status of the IPS policy manager daemon, and the status of the IPS license.
Syntax show ips status
Parameters None
Output Fields
The following table describes the output fields for the command. Fields are listed in the approximate order in which they appear in the output.

  Field Name                                Field Description
  License status                            Status of the IPS license:
                                            ● enabled—The IPS license is installed and valid.
                                            ● disabled—The IPS license is installed but not valid.
                                            For more information, see the NX Series IPS Feature Guide.
  Auto-update rules for an active policy    Status of the auto-update rules feature for active IPS policies:
                                            ● enabled—The feature is enabled.
                                            ● disabled—The feature is disabled.
                                            This feature is enabled by default. For more information, see the NX Series IPS Feature Guide.
  IPS Global Blocking Status
  IPS blockmode                             Status of the platform-wide policy to allow, deny, or force blocking of traffic matched by IPS rules:
                                            ● enabled—Only IPS rules with blocking action block can drop matched traffic.
                                            ● disabled—All IPS rules act as monitoring-only rules.
                                            ● all—All IPS rules act as blocking rules.
                                            IPS blockmode is enabled by default. For more information, see the NX Series IPS Feature Guide.
  IPS blockmode last modified               Date and time of the last update to the configuration of appliance-wide disabling or enabling of the blocking actions of all IPS rules.
  IPS Configuration Status
  Fully applied to system                   Status of the rules engine with respect to the IPS rules specified by the active IPS policies:
                                            ● N/A (no active policies)—No IPS policies are applied to monitoring interfaces.
                                            ● yes—Loading of IPS rules to the rules engine is complete.
                                            ● no—Loading of IPS rules to the rules engine is in progress.
  Config change ID of last change applied   (If the loading of IPS rules is still in progress) System identification number of the IPS configuration change being processed by the rules engine.
  Timestamp of last config change applied   (If the loading of IPS rules is still in progress) Date and time at which the last IPS policy was applied to monitoring interfaces.
Example

show ips status (No Active IPS Policies)

  hostname # show ips status
  License status : enabled
  Auto-update rules for an active policy : disabled
  IPS blockmode : disabled
  IPS blockmode last modified: 2014/10/20 20:59:14
  IPS configuration status :
    Fully applied to system : N/A (no active policies)

show ips status (Loading of IPS Rules Into Rules Engine is Complete)

  hostname # show ips status
  License status : enabled
  Auto-update rules for an active policy : disabled
  IPS blockmode : disabled
  IPS blockmode last modified: 2014/10/20 20:59:14
  IPS configuration status :
    Fully applied to system : yes

show ips status (Loading of IPS Rules Into Rules Engine is In Progress)

  hostname # show ips status
  License status : enabled
  Auto-update rules for an active policy : disabled
  IPS blockmode : disabled
  IPS blockmode last modified: 2014/10/20 20:59:14
  IPS configuration status :
    Fully applied to system : no
    Config change ID of last change applied : 3026
    Timestamp of last config change applied : 2014/10/27 17:55:08
User Role Monitor, Analyst, Operator, or Administrator
Command Mode Enable
Release Information This command was introduced as follows:
● NX Series: Release 7.2.0. Support for IPS blockmode all was introduced in Release 7.5.0.
Related Commands For a list of related commands, see IPS Commands on page 102.
show raid

Description
This command shows the RAID configuration as well as the results of the consistency test.
Syntax show raid
Parameters None
Example The following example shows the RAID configuration and consistency test results. show raid
show raid log

Description
This command shows the RAID log.
Syntax show raid log
Parameters None
Example The following example shows the RAID log. show raid log
show radius

Description
Displays current RADIUS settings.

Syntax
show radius

Parameters
None

Example
The following example displays RADIUS settings:

  hostname # show radius
  RADIUS defaults:
    Key: ********
    Timeout: 3
    Retransmit: 1
  No RADIUS servers configured.
show report

Provides information about the system reports.
Syntax show report {email | schedule}
Parameters email Displays the current email configuration for report delivery. schedule Displays the current auto-generated report schedule.
Related Commands
For a list of commands, see Report Generation Commands on page 121.
● report generate type alert_details (update) on page 1175
● report generate type callback_server on page 1184
● report generate type email_activity on page 1187
● report generate type email_av_report on page 1190
● report generate type email_executive_summary on page 1193
● report generate type email_hourly_stat on page 1196
● report generate type executive_summary on page 1199
● report generate type File_Executive_Summary on page 1202
● report generate type infected_hosts_trend on page 1205
● report generate type malware_activity on page 1208
● report generate type web_av_report on page 1211
● show report
Example
The following command shows the email settings for reports:

  hostname # show report email
  Report email configurations:
    SMTP server:
    SMTP server port: 25
    SMTP Domain:
    SMTP Return addr: do-not-reply
    Email recipients: [email protected]

The following command shows the currently configured auto-generated reports:

  hostname # show report schedule
     Periodicity  MonthDay  WeekDay  Time   Transport  Command
  1  daily                           15:30  email      executive_summary report_format pdf time_frame past_week
  Total reporting jobs scheduled: 1.
User Role admin
Command Mode configuration and enable
Release Information AX Series: Before Release 6.4 CM Series: Before Release 6.4 EX Series: Before Release 6.4 FX Series: Before Release 6.4 NX Series: Before Release 6.4
show restore status

To display the details for the last restore operation, use the show restore status command in configuration mode.

Syntax
show restore status

Parameters
None

Example
The following example shows the status of the restore operation:

  hostname (config) # show restore status
  Restore status: not-running
  Last restore profile: fedb
  Last restore source: usb
  Last restore start time: 2014/10/08 21:13:53.151
  Last restore end time: 2014/10/08 21:13:53.151
  Last restore result: success

Related Commands For a list of commands, see the Backup Command Family on page 62.
User Role admin, operator, and monitor
Command Mode configuration and enable
Release Information AX Series: Release 7.7 CM Series: Release 7.5 EX Series: Release 7.6 FX Series: Release 7.7 HX Series: Release 2.5 NX Series: Release 7.5
show remote-correlation status

This command shows the status of the remote correlation feature.

Syntax
show remote-correlation status

Parameters
None

Example
The following example shows the status of remote correlation between NX Series and EX Series alerts:

  hostname (config) # show remote-correlation status
  Remote Correlation Status:
    Enabled       : Yes
    Run Frequency : 3 mins
    Url Duration  : 3 days
User Role Administrator
Command Mode Configuration
Release Information This command was introduced as follows:
● CM Series: Release 7.9.2
Related Commands For a list of related commands, see Remote Correlation Commands on page 119.
show running-config

To display the CLI commands for the settings in the running configuration, use the show running-config command in enable mode. The running configuration may include settings that have not been saved.
Syntax show running-config [full | subtree nodename]
User Role All
Release Information Command introduced before Release 7.6.0.
Parameters
full               Includes CLI commands for the factory default settings.
subtree nodename   The root node of the node name for which commands are to be displayed.
Example
The following example lists all CLI commands for the saved active configuration:

  hostname # show running-config
  ##
  ## Running database (file "initial" is currently active)
  ## Generated at 2015/04/28 20:25:48 +0000
  ## Software version: cms CMS (CMS) 7.6.0.347971 #347971 2015-04-26 16:26:55 x86_ build@vta114:FireEye/mammoth-dev (eng debug)
  ## Last config change ID: 478
  ## Hostname: IE-CM4400
  ##
  ##
  ## License keys
  ##
     license install LK2-CONTENT_UPDATES-xxxx-xxxx-xxxx-xxxx-xxxx-xxxx-xxxx-xxxx-xxxx-xxxx-xxxxxxxx-xxxx-xxx
     license install LK2-FIREEYE_APPLIANCE-xxxx-xxxx-xxxx-xxxx-xxxx-xxxx-xxxx-xxxx-xxxxxxxx-xxxx-xxxx-xxxx-xxxx-xxxx-xxxx-xxxx-xxxx-xxx
     license install LK2-FIREEYE_SUPPORT-xxxx-xxxx-xxxx-xxxx-xxxx-xxxx-xxxx-xxxx-xxxx-xxxx-xxxxxxxx-xxxx-xxx
     license install LK2-RESTRICTED_CMDS-xxxx-xxxx-xxxx-xxxx-xxxx-xxxx
  ##
  ## Network interface configuration
  ##
     interface ether1 ip address 10.11.121.13 /24
  ##
  ## Routing configuration
  ##
     ip default-gateway 10.11.121.1
  ##
  ## Other IP configuration
  ##
     hostname IE-CM4400
     ip domain-list fireeye.eng.com
     ip name-server 10.11.10.11
     ssh client global known-host "172.17.74.54 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA2G4QnBmXStMRE1P2XKQh6uNjZ+xp6rEH3k93rcAF3PBUXuSdvkVq+shYK18BxfkpMngh2EtoBb/aTrcuQeb6N7PPxn0gOCVCL8ZiVDUv8an9d/NNbhcD1Wgs0wGMOuunNCc9WjMISjcZF0VGKp9lrytz37UpCjg7WWLaso7tdPh4+/tWdP66Oyhg4/BBCFKQ9wd7msJCZb467+tQrbJUcn1zHMi8C1zyKD2nXE7eXggLHd2+eriwqMmO1Jhy6D+becI/g9fT0F6JfyO05V+dvk5PrW6dIXI5hwjqYJByN9lTqTGM9VXB74HppA1vCWDnjoyhQ8IPaAm0q1SbNsmteQ=="
  ##
  ## Local user account configuration
  ##
     username admin password 7 $6$26eTwrZi$B09L6Wkb2Few.tqXs1exi6ykjjyORyt1Mi9ynWlNMyr5YBNybe5OfJKT1fLCokrGHtdPWZ/TAF6T00KhW.pvD1
  ##
  ## AAA remote server configuration
  ##
     fenet ssl cipher-list fips
  #  ldap bind-password ********
     ldap ssl cipher-list fips
     ldap ssl mode tls
  #  radius-server key ********
  #  tacacs-server key ********
  ##
  ## AAA configuration
  ##
     aaa authentication password local length minimum 5
  ##
  ## SNMP configuration
  ##
     snmp-server community QNBNkAa-5539GZm-D-qbf-S103-Ft79_ ro
     snmp-server notify community sYy48vnK357RJ__eV7Y-d9--2-4LRhts
  ##
  ## Process Manager configuration
  ##
     pm process cmsapi memory-limit 81919
     pm process hx_aggregator launch auto
     pm process hx_aggregator launch enable
  no pm process openvpn launch enable
  no pm process openvpn-mgr launch auto
  no pm process openvpn-mgr launch enable
     pm process rngd shutdown order 9999
  ##
  ## Network management configuration
  ##
  #  fe-access proxy set username "" password ********
  #  email auth password ********
  #  email autosupport auth password ********
  #  fe-access set password *
  #  fenet dti mil service type CMS username engtest password ******
  #  fenet dti mil service type DTI username engtest password ******
  #  fenet dti source type CDN username engtest password ******
  #  fenet dti source type CMS username engtest password ******
  #  fenet dti source type DTI username engtest password ******
  #  fenet dti upload destination type CMS username engtest password ******
  #  fenet dti upload destination type DTI username engtest password ******
  #  fenet user fea-oi6yqxpbwepcm password ********
  #  lcd password ********
  #  web proxy auth basic password ********
     boot bootmgr password 7 *
  no cmc server backward-compatible enable
     email mailhub mailhost
     email notify recipient [email protected] class failure
     email notify recipient [email protected] class info
  no email notify recipient [email protected] detail
     email notify recipient [email protected] class failure
     email notify recipient [email protected] class info
     email notify recipient [email protected] detail
     email notify recipient [email protected] class failure
     email notify recipient [email protected] class info
     email notify recipient [email protected] detail
     email notify recipient [email protected] class failure
     email notify recipient [email protected] class info
     email notify recipient [email protected] detail
     email notify recipient [email protected] class failure
     email notify recipient [email protected] class info
  no email notify recipient [email protected] detail
     email notify recipient [email protected] class failure
     email notify recipient [email protected] class info
     email notify recipient [email protected] detail
     email return-addr [email protected]
     email ssl cipher-list fips
     email ssl mode tls
     fenet dti mil service type DTI address mil-fenet1.fireeye.com port 443
  no fenet license update enable
  no fenet proxy enable
     ipmi lan shutdown
  no lcd actions enable
     report email recipient [email protected]
     report email recipient [email protected]
     web client ssl cipher-list fips
     web server ssl cipher-list fips
  ##
  ## IPv4 packet filtering configuration
  ##
     ip filter chain INPUT rule append tail target ACCEPT dup-delete in-intf "ether+"
     ip filter chain OUTPUT rule append tail target ACCEPT dup-delete out-intf "ether+"
  ##
  ## IPv6 packet filtering configuration
  ##
     ipv6 filter chain INPUT rule append tail target ACCEPT dup-delete in-intf "ether+"
     ipv6 filter chain OUTPUT rule append tail target ACCEPT dup-delete out-intf "ether+"
  ##
  ## CMC configuration
  ##
  #  cmc appliance IE-EX3400 auth password password ********
  #  cmc auth ssh-rsa2 identity admin private ********
  #  cmc client server auth password password ********
  #  cmc rendezvous client auth password password ********
  #  cmc rendezvous server auth default password password ********
     cmc appliance IE-EX3400
     cmc appliance IE-EX3400 address 172.17.74.54
     cmc appliance IE-EX3400 auth password username admin
     cmc appliance IE-EX3400 auth ssh-dsa2 identity ""
     cmc appliance IE-EX3400 auth ssh-dsa2 username admin
     cmc appliance IE-EX3400 auth ssh-rsa2 identity ""
     cmc appliance IE-EX3400 auth ssh-rsa2 username admin
     cmc appliance IE-EX3400 authtype password
     cmc appliance IE-EX3400 check-status
     cmc appliance IE-EX3400 client-requests enable
     cmc appliance IE-EX3400 comment ""
     cmc appliance IE-EX3400 connection auto
     cmc appliance IE-EX3400 enable
     cmc appliance IE-EX3400 port 22
     cmc appliance IE-EX3400 source address 0.0.0.0
     cmc appliance IE-EX3400 source port 0
     cmc appliance IE-EX3400 web port http 11000
     cmc appliance IE-EX3400 web port https 443
     cmc appliance IE-EX3400 web protocol http
     cmc auth ssh cipher-list fips
     cmc auth ssh host-key global-only
     cmc auth ssh host-key strict
     cmc auth ssh min-key-length 2048
     cmc auth ssh-rsa2 identity admin public "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCy7znhlKF4NmqKx2/HQvhljcc/o75ts8ixWOqZhj8RWiu2nwC2tEXG1yvHLsBET/pF0Bo3SxP/ul1WuJecdGHAVfbmpXIKpYmxSHLP2trQ4PTnJtHi7tzSM4TIq3X4qaF5KCURPeyBdlOfHDu3qdcCCzlaD0/0QwyDP4cmpQfQAbFq6fXsaEg0O6UOag55al6CFgIZEu9+CI6rnainJxWfaUE2ojPbyMV0iMOH+X4w8Og1n3NjOVJddDqCbjafzdTaQyMV7D6MQgVzLXuVuroRMn6AuRVtk7fWWjMuqaQFmNcC4eLpGW0cGxWU4RhO2EJ+vLjW9o1LavrgWqPboRH7"
     cmc client enable
     cmc group all appliance IE-EX3400
     cmc group sysgroup.Email_MPS appliance IE-EX3400
     cmc group sysgroup.Email_MPS comment "System Group: eMPS"
     cmc group sysgroup.File_MPS comment "System Group: fMPS"
     cmc group sysgroup.HX comment "System Group: HX"
     cmc group sysgroup.Web_MPS comment "System Group: wMPS"
  ##
  ## SSH and Key configuration
  ##
     ssh client global cipher-list fips
     ssh client min-key-length 2048
     ssh server cipher-list fips
     ssh server min-key-length 2048
  ##
  ## X.509 certificates configuration
  ##
  ## Certificate name system-self-signed, ID e4f9ff2582b3b428b8e7c142347b37cc0cc262b3
  ## (public-cert config omitted since private-key config is hidden)
     crypto certificate min-key-size 2048
     crypto certificate secure-hashes-only
  ##
  ## Managed Defense configuration
  ##
  #  managed-defense vpn http-proxy host "" port 0 auth-type none username "" password ********
  ##
  ## Compliance configuration
  ##
     compliance options fips-mode-crypto enable
  no compliance options ftp-file-transfer enable
  no compliance options http-file-transfer enable
  no compliance options manual-key-entry enable
  no compliance options restricted-license enable
     compliance options snmp-crypto-limit enable
  ##
  ## Miscellaneous other settings
  ##
     internal set modify - /pm/process/rngd/delete_trespassers value bool false
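The following Python script is an added example and not FireEye tooling. It shows how a running-config dump like the one above can be checked against an explicit baseline: comment and banner lines (the "##" headers and the "#"-prefixed lines that stand in for hidden credentials) are skipped, a set of expected command lines is required to be present verbatim, the ssh server min-key-length value is compared with a minimum, and any read-write SNMP community is reported. The baseline values are assumptions an operator would adjust to their own standard; the sample configuration is constructed from lines of the output above.

```python
"""Audit a `show running-config` dump against a small explicit baseline.

Added example for this reference entry; not FireEye tooling. The baseline values
are assumptions; SAMPLE_CONFIG is constructed from lines of the running
configuration shown above.
"""
import re
from typing import List

SAMPLE_CONFIG = """\
##
## AAA remote server configuration
##
   fenet ssl cipher-list fips
#  ldap bind-password ********
   ldap ssl cipher-list fips
   ldap ssl mode tls
##
## SNMP configuration
##
   snmp-server community QNBNkAa-5539GZm-D-qbf-S103-Ft79_ ro
##
## SSH and Key configuration
##
   ssh client global cipher-list fips
   ssh client min-key-length 2048
   ssh server cipher-list fips
   ssh server min-key-length 2048
##
## Compliance configuration
##
   compliance options fips-mode-crypto enable
no compliance options ftp-file-transfer enable
no compliance options http-file-transfer enable
"""

MIN_SSH_KEY_BITS = 2048  # assumed baseline value

# Exact command lines the assumed baseline expects to find in the active configuration.
REQUIRED_LINES = [
    "ssh server cipher-list fips",
    "ldap ssl mode tls",
    "compliance options fips-mode-crypto enable",
    "no compliance options ftp-file-transfer enable",
    "no compliance options http-file-transfer enable",
]


def config_commands(text: str) -> List[str]:
    """Active command lines only: '##' banners and commented-out credential
    lines such as '# ldap bind-password ********' are skipped."""
    cmds: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            cmds.append(line)
    return cmds


def audit_config(cmds: List[str]) -> List[str]:
    """Return one finding per baseline deviation; an empty list means compliant."""
    findings: List[str] = []
    present = set(cmds)
    for req in REQUIRED_LINES:
        if req not in present:
            findings.append(f"missing: {req}")
    key_bits = None
    for c in cmds:
        m = re.fullmatch(r"ssh server min-key-length (\d+)", c)
        if m:
            key_bits = int(m.group(1))
    if key_bits is None or key_bits < MIN_SSH_KEY_BITS:
        findings.append(f"ssh server min-key-length is {key_bits}; baseline is {MIN_SSH_KEY_BITS}")
    for c in cmds:
        m = re.fullmatch(r"snmp-server community (\S+) (ro|rw)", c)
        if m and m.group(2) == "rw":
            findings.append("read-write SNMP community is configured")
    return findings


def weakened(text: str) -> str:
    """Copy of the sample with two settings degraded, to show what the audit reports."""
    return (text.replace("ssh server min-key-length 2048", "ssh server min-key-length 1024")
                .replace("   compliance options fips-mode-crypto enable",
                         "no compliance options fips-mode-crypto enable"))


if __name__ == "__main__":
    print("sample   :", audit_config(config_commands(SAMPLE_CONFIG)))
    print("weakened :", audit_config(config_commands(weakened(SAMPLE_CONFIG))))
```

The dump itself carries SNMP community strings and the hashed local account password in the clear, as the output above shows, so a copy collected for auditing should be stored and transported with the same care as the appliance credentials.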
show signer-whitelist [disabled]

Displays the local BA signer whitelist. By default, the command output lists the enabled signers in the local BA signer whitelist. To view the disabled signers in the local BA signer whitelist, include the disabled option.

When the BA signer whitelist is in default mode, the feature is disabled. When the BA signer whitelist is set to insecure mode, the feature uses low-trust code signers, excluding signers that you explicitly disabled.

FireEye distributes a list of high-trust code signers and a list of low-trust code signers through security content downloads to the appliance. High-trust and low-trust signers own signing certificates that FireEye has associated with benign software and scripts only. A signer is categorized as high trust or low trust based on the amount of signing certificate data observed.

The local BA signer whitelist contains the FireEye-specified low-trust code signers at all times. The signer-whitelist mode changes whether this appliance-specific list is used, not its contents. To disable a specified signer in the list, use the signer-whitelist disabled command. To restore a specific signer in the list, use the signer-whitelist enabled command.
Syntax show signer-whitelist [disabled]
Parameters None
Options disabled
List only the signers that are disabled in the local BA signer whitelist.
Output Fields
The following table describes the output fields for this command. Fields are listed in the approximate order in which they appear in the output.

  Field    Description
  Index    Index number of the signer within the local BA signer whitelist. To disable or enable a signer in the local BA signer whitelist, you use the signer-whitelist disable or signer-whitelist enable command and specify the signer index number.
  Signer   Name of a signing entity or individual in the local BA signer whitelist.
Examples
In the following example, the local BA signer whitelist is in insecure mode:

  hostname # show signer-whitelist
  |------------|------------------------------------------|
  | Index      | Signer                                   |
  |------------|------------------------------------------|
  | 1          | Agricultural Bank of China               |
  | 2          | Kaspersky Lab                            |
  | 3          | Bomgar Corporation                       |
  | 4          | Kings Information & Network Co.          |
  | 5          | Beijing Rising Information Technology Co |
  | 6          | APOWERSOFT LIMITED                       |
  | 7          | Spigot, Inc.                             |
  | 8          | EbizNetWorks                             |
  | 9          | UBISOFT ENTERTAINMENT INC.               |
  | 10         | Verizon Internet Solutions               |
  | 11         | ComponentOne                             |
  | 12         | Finarea SA                               |
  | 13         | POLL EVERYWHERE, INC.                    |
  | 14         | RaonSecure Co., Ltd.                     |
  | 15         | Smilebox, Inc.                           |
  | 16         | Beijing baidu Netcom science and technol |
  | 17         | YESFORM Co., Ltd.                        |
  | 18         | MetaQuotes Software Corp.                |
  | 19         | ShopAtHome.com (Belcaro Group, Inc.)     |
  | 20         | TAOBAO CHINA SOFTWARE CO.,LTD.           |
  | 21         | Baidu (China) Co., Ltd.                  |
  | 22         | Ilja Herlein                             |
  | 23         | BeiJing Baidu Netcom Science Technology  |
  | 24         | Biz Secure Labs Pvt. Ltd.                |
  | 25         | Moca Service (New Media Holdings Ltd.)   |
  | 26         | Limbic Entertainment GmbH                |
  | 27         | thomson financial ltd                    |
  | 28         | Sangfor Technologies Co.                 |
  | 29         | Eric Lawrence                            |
  | 30         | VeriSign Class 3 Code Signing 2010 CA    |
  | 31         | RECORD LLC                               |
  | 32         | Banyan Tree Technology Limited           |
  | 33         | Faronics Corporation                     |
  | 34         | FreeBit Co.                              |
  | 35         | GMT                                      |
  | 36         | Kings Information & Network Co.          |
  | 37         | Skytouch Technology Co.                  |
  | 38         | ZDF                                      |
  | 39         | CACAOWEB Ltd                             |
  | 40         | Embarcadero Technologies Inc.            |
  | 41         | Sogou.com                                |
  | 42         | Parker Software Limited                  |
  | 43         | ALLEN SYSTEMS GROUP INC SUCURSAL EN ESPA |
  | 44         | Neowiz Internet                          |
  | 45         | The Phone Support Pvt. Ltd.              |
  | 46         | Large & Small Business Cooperation Found |
  | 47         | Thawte Consulting cc                     |
  | 48         | Thawte Consulting (Pty) Ltd.             |
  | 49         | INBEE.COM                                |
  | 50         | VeriSign, Inc.                           |
  | 51         | Ubisoft Entertainment SA                 |
  | 52         | Softdeluxe Ltd.                          |
  |____________|__________________________________________|

In the following example, the local BA signer whitelist is in default mode:

  hostname # show signer-whitelist
  WARNING: Signers are NOT effective as current mode setting is: 'default'
  |------------|------------------------------------------|
  | Index      | Signer                                   |
  |------------|------------------------------------------|
  | 1          | Agricultural Bank of China               |
  | 2          | Kaspersky Lab                            |
  | 3          | Bomgar Corporation                       |
  | 4          | Kings Information & Network Co.          |
  | 5          | Beijing Rising Information Technology Co |
  | 6          | APOWERSOFT LIMITED                       |
  | 7          | Spigot, Inc.                             |
  | 8          | EbizNetWorks                             |
  | 9          | UBISOFT ENTERTAINMENT INC.               |
  | 10         | Verizon Internet Solutions               |
  | 11         | ComponentOne                             |
  | 12         | Finarea SA                               |
  | 13         | POLL EVERYWHERE, INC.                    |
  | 14         | RaonSecure Co., Ltd.                     |
  | 15         | Smilebox, Inc.                           |
  | 16         | Beijing baidu Netcom science and technol |
  | 17         | YESFORM Co., Ltd.                        |
  | 18         | MetaQuotes Software Corp.                |
  | 19         | ShopAtHome.com (Belcaro Group, Inc.)     |
  | 20         | TAOBAO CHINA SOFTWARE CO.,LTD.           |
  | 21         | Baidu (China) Co., Ltd.                  |
  | 22         | Ilja Herlein                             |
  | 23         | BeiJing Baidu Netcom Science Technology  |
  | 24         | Biz Secure Labs Pvt. Ltd.                |
  | 25         | Moca Service (New Media Holdings Ltd.)   |
  | 26         | Limbic Entertainment GmbH                |
  | 27         | thomson financial ltd                    |
  | 28         | Sangfor Technologies Co.                 |
  | 29         | Eric Lawrence                            |
  | 30         | VeriSign Class 3 Code Signing 2010 CA    |
  | 31         | RECORD LLC                               |
  | 32         | Banyan Tree Technology Limited           |
  | 33         | Faronics Corporation                     |
  | 34         | FreeBit Co.                              |
  | 35         | GMT                                      |
  | 36         | Kings Information & Network Co.          |
  | 37         | Skytouch Technology Co.                  |
  | 38         | ZDF                                      |
  | 39         | CACAOWEB Ltd                             |
  | 40         | Embarcadero Technologies Inc.            |
  | 41         | Sogou.com                                |
  | 42         | Parker Software Limited                  |
  | 43         | ALLEN SYSTEMS GROUP INC SUCURSAL EN ESPA |
  | 44         | Neowiz Internet                          |
  | 45         | The Phone Support Pvt. Ltd.              |
  | 46         | Large & Small Business Cooperation Found |
  | 47         | Thawte Consulting cc                     |
  | 48         | Thawte Consulting (Pty) Ltd.             |
  | 49         | INBEE.COM                                |
  | 50         | VeriSign, Inc.                           |
  | 51         | Ubisoft Entertainment SA                 |
  | 52         | Softdeluxe Ltd.                          |
  |____________|__________________________________________|

In the following example, no signers are disabled in the local BA signer list:

  hostname # show signer-whitelist disabled
  % No signers found

In the following example, one signer is disabled in the local BA signer list:

  hostname # show signer-whitelist disabled
  |------------|------------------------------------------|
  | Index      | Signer                                   |
  |------------|------------------------------------------|
  | 1          | Bomgar Corporation                       |
  |____________|__________________________________________|
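The following Python script is an added example and not FireEye tooling. It parses show signer-whitelist output, including the two edge cases shown above (the WARNING line printed in default mode, after which the listed signers are not in effect, and the "% No signers found" message), and reports signer names that appear under more than one index, as "Kings Information & Network Co." does at indexes 4 and 36 in the output above. The sample tables are constructed from that output and shortened.

```python
"""Parse `show signer-whitelist [disabled]` output, handling the default-mode
WARNING and the "% No signers found" message shown above.

Added example for this reference entry; not FireEye code. The sample tables are
constructed from the output above and shortened.
"""
import re
from collections import Counter
from typing import Dict, List, NamedTuple, Optional


class SignerList(NamedTuple):
    mode_warning: Optional[str]  # WARNING text when the list is not in effect, else None
    signers: Dict[int, str]      # index -> signer name


SAMPLE_INSECURE = """\
|------------|------------------------------------------|
| Index      | Signer                                   |
|------------|------------------------------------------|
| 1          | Agricultural Bank of China               |
| 2          | Kaspersky Lab                            |
| 3          | Bomgar Corporation                       |
| 4          | Kings Information & Network Co.          |
| 36         | Kings Information & Network Co.          |
|____________|__________________________________________|
"""

SAMPLE_DEFAULT = (
    "WARNING: Signers are NOT effective as current mode setting is: 'default'\n"
    + SAMPLE_INSECURE
)

SAMPLE_NONE_DISABLED = "% No signers found\n"

SAMPLE_ONE_DISABLED = """\
|------------|------------------------------------------|
| Index      | Signer                                   |
|------------|------------------------------------------|
| 1          | Bomgar Corporation                       |
|____________|__________________________________________|
"""

# A data row: numeric index in the first column, signer name in the second.
ROW_RE = re.compile(r"^\|\s*(\d+)\s*\|\s*(.*?)\s*\|$")


def parse_signer_whitelist(text: str) -> SignerList:
    warning: Optional[str] = None
    signers: Dict[int, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("WARNING:"):
            warning = line[len("WARNING:"):].strip()
            continue
        if line.startswith("%"):  # CLI status message such as "% No signers found"
            continue
        m = ROW_RE.match(line)    # header and rule lines carry no numeric index
        if m:
            signers[int(m.group(1))] = m.group(2)
    return SignerList(warning, signers)


def effective_signers(enabled: SignerList) -> List[str]:
    """Signers the appliance actually honours: none while the mode is 'default'."""
    if enabled.mode_warning is not None:
        return []
    return [enabled.signers[i] for i in sorted(enabled.signers)]


def duplicate_names(parsed: SignerList) -> Dict[str, List[int]]:
    """Names listed under more than one index, with the indexes they occupy."""
    counts = Counter(parsed.signers.values())
    return {
        name: sorted(i for i, n in parsed.signers.items() if n == name)
        for name, count in counts.items() if count > 1
    }


if __name__ == "__main__":
    print("insecure :", effective_signers(parse_signer_whitelist(SAMPLE_INSECURE)))
    print("default  :", effective_signers(parse_signer_whitelist(SAMPLE_DEFAULT)))
    print("duplicates:", duplicate_names(parse_signer_whitelist(SAMPLE_INSECURE)))
```

Because a signer is disabled by index rather than by name, a duplicated name is worth resolving before running signer-whitelist disable: disabling index 4 alone leaves index 36 in effect.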
User Role Admin, Analyst, fe_services, Monitor
Command Mode Enable
Related Commands For related commands, see Local BA Signer Whitelist Command Family on page 104.
Release Information This command was introduced as follows:
● NX Series: Release 7.7
show signer-whitelist mode

To view the mode of the local BA signer whitelist, use the show signer-whitelist mode command.

FireEye distributes a list of high-trust code signers and a list of low-trust code signers through security content downloads to the appliance. High-trust and low-trust signers own signing certificates that FireEye has associated with benign software and scripts only. A signer is categorized as high trust or low trust based on the amount of signing certificate data observed.

The local BA signer whitelist contains the FireEye-specified low-trust code signers at all times. The signer-whitelist mode changes whether this appliance-specific list is used, not its contents. To disable a specified signer in the list, use the signer-whitelist disabled command. To restore a specific signer in the list, use the signer-whitelist enabled command.
Syntax show signer-whitelist mode
Parameters None
Options None
Output Fields The following table describes the output fields for this command. Fields are listed in the approximate order in which they appear in the output.
Field
Description
BA signer mode
Mode of the local BA signer whitelist:
● default—The local BA whitelist is not in effect.
● insecure—The local BA whitelist is in effect. It contains the low-trust signers but excludes signers that are explicitly disabled.
To change mode run command
Use this CLI configuration command to change the mode of the local BA signer whitelist:
● To change the mode from default to insecure: signer-whitelist mode insecure
● To change the mode from insecure to default: signer-whitelist mode insecure
Examples In the following example, the local BA signer whitelist is not in effect:
hostname # show signer-whitelist mode
BA signer mode: default
To change mode run command: signer-whitelist mode *
In the following example, the local BA signer whitelist is in effect. It contains low-trust signers but excludes low-trust signers that are disabled:
hostname # show signer-whitelist mode
BA signer mode: insecure
To change mode run command: signer-whitelist mode *
User Role Admin, Analyst, fe_services, Monitor
Command Mode Enable
Related Commands For related commands, see Local BA Signer Whitelist Command Family on page 104.
Release Information This command was introduced as follows:
● NX Series: Release 7.7
show sizing stats
To view utilization statistics about your appliance, use the show sizing stats command in enable mode.
Syntax show sizing stats
User Role Monitor, Operator, or Admin
Release Information Command introduced in Release 7.9.1 for NX Series appliances.
Description There are recommended levels of utilization that are specific to each NX Series model. Exceeding these levels can cause reduced malware detection efficacy, packet loss, and queuing errors. The NX Series appliance continuously gathers and reports relevant data about its utilization. You can use the utilization data as a tool for future capacity planning. For more information, see the NX Series System Administration Guide.
Parameters None
Example As shown in the following example, this command displays the current status and value for each measurement, as well as the benchmarks from which the measurements are made.
hostname # show sizing stats
Stat                               Status    Value   Warning Level   Critical Level
Utilization summary:               Warning   1       1               2
Web analysis MVX utilization(%):   ok        9       75              95
Total bandwidth (Mbps):            Warning   888     750             950
show snmp
To display the current Simple Network Management Protocol (SNMP) configuration, use the show snmp command in standard mode.
Syntax
show snmp engineID
show snmp events
show snmp host
show snmp user
Parameters
engineID
Displays the engine ID of the local system.
events
Displays a list of events for which SNMP traps will be sent.
host
Displays a list of notification sinks.
user
Displays the SNMP v3 user security settings.
Example The following example shows the SNMP configuration:
hostname > show snmp
SNMP enabled: yes
SNMP port: 161
System contact:
System location:
Read-only communities:
  (DISABLED) QNBNkAa-5539GZm-D-qbf-S103-Ft79_
Interface listen enabled: no
No Listen Interfaces.
show ssh client
To display information about Secure Shell (SSH) client identities (public and private keys) and the list of authorized keys for your account, use the show ssh client command in enable mode.
Syntax show ssh client
User Role All roles
Release Information Command introduced before Release 7.6.0.
Parameters None
Example The following example shows SSH client configuration.
hostname # show ssh client
SSH client
  Strict Hostkey Checking: ask
  Minimum protocol version: 2
  Cipher list: fips
  Minimum key length: 2048 bits
SSH Global Known Hosts:
  Entry 1:
    Host: 172.17.74.54
    Finger Print: sha1:3a:ca:aa:71:f5:b9:3f:57:ad:93:4c:92:b5:cc:91:1e:1f:41:ce:8e
    Key Length (bits): 2048
No SSH user identities.
No SSH user authorized keys.
show ssh server
To display the configuration of the Secure Shell (SSH) server, use the show ssh server command in standard mode.
Syntax show ssh server [host-keys [interface interface_name [ipv4]]]
User Role Administrator, Monitor, or Operator
Release Information This command was introduced before Release 7.6.0. The interface option was introduced as follows:
● EX Series: 7.6.0
● CM Series: 7.6.0
● NX Series: 7.6.0
● AX Series: 7.7.0
● FX Series: 7.7.0
Parameters host-keys
Displays SSH server settings with full host-keys information.
interface_name
The interface name can be lo, ether2, ether1, ether3, or ether4. The ether1 option displays the IP address, not the hostname.
ipv4
Displays SSH server settings with full host keys and interface IPv4 address, rather than hostname.
Example The following example shows the SSH server configuration:
hostname > show ssh server
SSH server configuration:
  SSH server enabled: yes
  Minimum protocol version: 2
  TCP forwarding enabled: yes
  X11 forwarding enabled: no
  Cipher list: fips
  Minimum key length: 2048 bits
  SSH server ports: 22
  Interface listen enabled: yes
  No Listen Interfaces.
Host Key Finger Prints and Key Lengths:
  RSA v1 host key: (key missing or invalid)
  RSA v2 host key: sha1:7e:8b:b0:91:14:ab:a3:f7:34:ad:73:a5:86:0f:76:71:3b:64:00:df (2048)
  DSA v2 host key: (key missing or invalid)
show static-analysis config
Displays the AV-Suite, AV-Check, embedded object, YARA, reset binary analysis cache configuration settings, Dropper Detection, Intrinsic Analysis settings, and Python-based static analysis tool settings.
Syntax show static-analysis config
Parameters None
Example The following example displays AV-Suite, AV-Check, embedded object, YARA, reset binary analysis cache configuration settings, Dropper Detection, Intrinsic Analysis settings, and Python-based static analysis tool settings.
hostname (config) # show static-analysis config
Static Analysis enabled                 : yes
AV-suite enabled                        : yes
AV-check enabled                        : yes
Dropper enabled                         : yes
YARA enabled                            : yes
Malware Intrinsic Analysis enabled      : yes (DTI)
Embedded object extraction enabled      : yes
Static info policy                      : Enable
Yara Configuration
  Yara policy                           : both
  Yara customer match limit             : 5
  Yara customer default weight          : 0
Malware Whitelist Past Hours            : 24
Malware Blacklist Past Hours            : 4
Analysis reset duplicate since          : 2015/08/10 16:37:00
Mobile Threat Prevention                : yes
User Role Administrator, Operator, Analyst, or Monitor
Command Mode Enable
Release Information This command was introduced as follows:
● AX Series: Release 7.5. The command output was enhanced to include the settings for Intrinsic Analysis, AV-Check, and the Python-based static analysis tool in Release 7.7.
● EX Series: Release 7.5. The command output was enhanced to include static analysis if the attachment contains an allowed file type, and it has been disabled for analysis from the file association in Release 7.6.0. The command output was enhanced to include the settings for Dropper Detection, Intrinsic Analysis (DTI or local), AV-Check, and the Python-based static analysis tool in Release 7.8.
● FX Series: Release 7.5. The command output was enhanced to include the settings for Intrinsic Analysis, AV-Check, and the Python-based static analysis tool in Release 7.7.
● NX Series: Release 7.5. The command output was enhanced to include the settings for Dropper Detection, Intrinsic Analysis, AV-Check, and the Python-based static analysis tool in Release 7.7. The command output was enhanced to include the settings for Intrinsic Analysis (DTI or local) in Release 7.9.
Related Commands For a list of related commands, see Static Analysis Tools Command Family on page 122.
show stats
Description Displays the average and peak CPU utilization, as well as the status and configuration for performance-based alarms.
Syntax
show stats alarm [alarm_id] [cpu_util_indiv [rate-limit] | disk_io [rate-limit] | fs_mnt [rate-limit] | intf_util [rate-limit] | memory_pct_used [rate-limit] | paging [rate-limit]]
show stats chd [chd_id] [cpu_util | cpu_util_ave | cpu_util_day | disk_device_io_hour | disk_io | fs_mnt_day | fs_mnt_month | fs_mnt_week | intf_day | intf_hour | intf_util | memory_day | memory_pct | paging | paging_day]
show stats cpu
show stats sample [cpu_util | disk_io | fs_mnt_bytes | fs_mnt_inodes | interface | intf_util | memory | paging]
Parameters cpu_util
Displays average CPU utilization too high: percent utilization.
cpu_util_ave
Displays CPU utilization average.
cpu_util_day
Displays CPU utilization average per day.
disk_device_io_hour
Displays storage device I/O read/write statistics for the last hour in bytes.
disk_io
Displays status and configuration for excessive swapping of data in and out of memory (KB/sec).
rate-limit
Displays Alarm Rate Limit statistics.
fs_mnt
Displays the average and peak CPU utilization for the past hour.
fs_mnt_bytes
Displays the average and peak file system usage in bytes.
fs_mnt_day
Displays file system usage average per day, in bytes.
fs_mnt_inodes
Displays the average and peak file system use of inodes.
fs_mnt_month
Displays file system usage average per month, in bytes.
fs_mnt_week
Displays file system usage average per week, in bytes.
interface
Displays network interface statistics.
intf_day
Network interface statistics aggregation per day, in bytes.
intf_hour
Network interface statistics aggregation per hour, in bytes.
intf_util
Displays status and configuration for CPU utilization alarms.
memory
Displays status and configuration for excessive swapping of data in and out of memory.
memory_day
Average physical memory usage per day, in bytes.
memory_pct
Average physical memory usage percentage.
memory_pct_used
Displays status and configuration for excessive swapping of data in and out of memory.
paging
Displays paging activity and paging faults.
paging_day
Displays paging activity and paging faults per day.
Example The following example shows whether any performance-based alarms have occurred.
hostname > show stats alarm
Alarm bad_char_count: ok
Alarm cpu_util_indiv (Average CPU utilization too high): ok
Alarm disk_io (Disk I/O per second too high): (disabled)
Alarm fs_mnt (Free filesystem space too low): ok
Alarm intf_util (Network utilization too high): (disabled)
Alarm memory_pct_used (Too much memory in use): (disabled)
Alarm paging (Paging activity too high): ok
hostname >
The following example shows the CPU utilization for the past day.
hostname > show stats alarm cpu_util_day
Alarm cpu_util_indiv (Average CPU utilization too high):
  Enabled: yes
  Alarm state: ok
  Rising error threshold: 90 percent utilization
  Rising clear threshold: 70 percent utilization
  Rate limit bucket counts: { 5, 20, 50 }
  Rate limit bucket windows: { 3600, 86400, 604800 }
  Current time: 2012/03/31 05:26:47
  Last event time:
  CPU 0:
    Last reading taken at: 2012/03/31 05:26:44
    Last read value: 0 percent utilization
    Last rising error at:
    Last rising clear at:
  CPU 1:
    Last reading taken at: 2012/03/31 05:26:44
    Last read value: 0 percent utilization
    Last rising error at:
    Last rising clear at:
show stats group submission
This command allows you to view the submission statistics sampling rate.
Syntax show stats group submission
Parameters None
Example The following example displays the current submission sampling rate.
hostname (config) # show stats group submission
Submission status sampling interval : 6 minutes.
User Role Administrator
Command Mode Configuration
Release Information This command was introduced as follows:
● CM Series: Release 7.9.1
● NX Series: Release 7.9.1
Related Topics For a list of related commands, see:
● Submission Sampling Command Family on page 123.
● stats group submission sampling interval minutes on page 1
● show stats group submission above
show submission
Displays detailed statistics about the number of malware submissions that were analyzed during the past 24 hours. The fields for the total number of remote submissions are displayed only on an NX Series sensor or sensor-enabled integrated appliance. The fields for the total number of running submissions and the total number of dynamic analysis (DA) submissions are displayed only on an integrated NX Series appliance.
Syntax show submission
Parameters None
Output Fields The following table describes the output fields for the show submission command. Fields are listed in the approximate order in which they appear in the output. Field
Description
Total queued submissions
Total number of malware submissions that are in the queue waiting to be analyzed from the past 24 hours.
Queued submissions (url)
Total number of malware submissions for URLs that are in the queue waiting to be analyzed from the past 24 hours.
Queued submissions (file)
Total number of malware submissions for files that are in the queue waiting to be analyzed from the past 24 hours.
Total remote submissions
Total number of malware submissions that are currently being analyzed remotely from the past 24 hours.
Remote submissions (url)
Total number of malware submissions that are currently being analyzed remotely for URLs from the past 24 hours.
Remote submissions (file)
Total number of malware submissions that are currently being analyzed remotely for files from the past 24 hours.
Total running submissions
Total number of malware submissions that are currently being analyzed from the past 24 hours.
Running submissions (url)
Total number of malware submissions that are currently running for URLs from the past 24 hours.
Running submissions (file)
Total number of malware submissions that are currently running for files from the past 24 hours.
Total DA running submissions
Total number of dynamic analysis (DA) submissions that are currently running from the past 24 hours.
DA running submissions(url)
Total number of DA submissions that are currently running for URLs from the past 24 hours.
DA running submissions(file)
Total number of DA submissions that are currently running for files from the past 24 hours.
Submissions
Total number of malware submissions and the number submitted per minute in the last 24 hours.
Submissions(url)
Total number of malware submissions and the number submitted per minute for URLs in the last 24 hours.
Submissions(file)
Total number of malware submissions and the number submitted per minute for files in the last 24 hours.
Completed submissions
Total number of malware submissions that were completed and the number submitted per minute in the last 24 hours.
Completed submissions(url)
Total number of malware submissions that were completed and the number submitted per minute for URLs in the last 24 hours.
Completed submissions(file)
Total number of malware submissions that were completed and the number submitted per minute for files in the last 24 hours.
Malicious submission count
Total number of DA submissions that were detected as malicious and the number submitted per minute in the last 24 hours.
URL Dynamic Analysis verified malicious count
Total number of DA submissions that were detected as malicious and the number submitted per minute for URLs in the last 24 hours.
File Dynamic Analysis verified malicious count
Total number of DA submissions that were detected as malicious and the number submitted per minute for files in the last 24 hours.
Examples The following example displays the total number of malware submissions that are in process, total number of malware submissions that are in the queue waiting to be analyzed, and cumulative submission statistics for the past 24 hours:
hostname # show submission
Runtime Submission Stats:
Total queued submission         : 29
Queued submissions(url)         : 0
Queued submissions(file)        : 29
Total running submissions       : 7
Running submissions(url)        : 1
Running submissions(file)       : 6
Total DA running submissions    : 1
DA running submissions(url)     : 1
DA running submissions(file)    : 0
Cumulative Stats in timespan 2015-08-10 10:10:43 to 2015-08-11 10:10:43 :
                                                   Total  : Rate/minute
Submissions                                      : 22     : 0.015
Submissions(url)                                 : 22     : 0.015
Submissions(file)                                : 0      : 0.000
Completed submissions                            : 22     : 0.015
Completed submissions(url)                       : 22     : 0.015
Completed submissions(file)                      : 0      : 0.000
Malicious submission count                       : 17     : 0.012
URL Dynamic Analysis verified malicious count    : 17     : 0.012
File Dynamic Analysis verified malicious count   : 0      : 0.000
The following example displays the total number of malware submissions that are in process, total number of malware submissions that are in the queue waiting to be analyzed, total number of remote submissions, and cumulative submission statistics for the past 24 hours on an NX Series sensor or sensor-enabled integrated appliance:
hostname # show submission
Runtime Submission Stats:
Total queued submission         : 0
Queued submissions(url)         : 0
Queued submissions(file)        : 0
Remote Submissions
Total remote submissions        : 13
Remote submissions(url)         : 7
Remote submissions(file)        : 6
Cumulative Stats in timespan 2016-08-03 14:45:45 to 2016-08-04 14:45:45 :
                                                   Total  : Rate/minute
Submissions                                      : 12612  : 8.758
Submissions(url)                                 : 4393   : 3.051
Submissions(file)                                : 8219   : 5.708
Completed submissions                            : 12615  : 8.760
Completed submissions(url)                       : 4397   : 3.053
Completed submissions(file)                      : 8218   : 5.707
Malicious submission count                       : 9060   : 6.292
URL Dynamic Analysis verified malicious count    : 2136   : 1.483
File Dynamic Analysis verified malicious count   : 6924   : 4.808
User Role Administrator, Monitor, or Analyst
Command Mode Enable
Release Information This command was introduced as follows:
● AX Series: Release 7.7
● FX Series: Release 7.7
● NX Series: Release 7.7. The command output was enhanced to include the total number of remote submissions on an NX Series sensor or sensor-enabled integrated appliance in Release 7.9.
● EX Series: Release 7.8
Related Commands For a list of related commands, see Malware Submission Command Family on page 108.
show submission done
Displays a list of all the malware submission jobs whose static and dynamic analysis have been completed. This command returns information such as the type of file, status of the malware submission, analysis object that is associated with the submission job, and so on. The malware submission jobs are listed in ascending order by submission ID. You can display up to 100 jobs by default.
Syntax show submission done [limit ]
Parameters limit
(Optional) Displays the specified number of entries that have completed static and dynamic analysis jobs. A higher number might increase command response time.
Output Fields The following table describes the output fields for the show submission done command. Fields are listed in the approximate order in which they appear in the output. Field
Description
Submission ID
Specific malware submission job number.
UUID
Specific universally unique identifier that is associated with the malware submission on an integrated NX Series appliance or an NX Series sensor.
Malware ID
Specific malware analysis job number.
Source IpAddress
IP address of the source.
Destination IpAddress
IP address of the destination.
Status
Whether the analysis succeeded or failed.
Malicious
Whether the malware submission job was detected as malicious.
Analysis Object ID
Analysis object job number that is associated with the malware submission.
Analysis Object Name
Analysis object name that is associated with the malware submission job.
Analysis File Type
Analysis file type that is associated with the malware submission job.
Dynamic Analysis weight
Weight that is assigned to a dynamic analysis job on a particular object.
Dynamic Analysis jobs
Number of dynamic analysis jobs that have been processed on a particular object.
Job ID
Job number that is associated with the malware submission.
OS name
Type of guest image profile.
Application name
Type of application.
OS Changes weight
Weight assigned based on a correlation between a set of rules and a set of operating system (OS) change activities detected by the virtual machine (VM) during dynamic analysis.
CNC Match weight
Weight that is assigned by a custom rule that is used for callback detection on a VM during dynamic analysis.
Assigned time
Timestamp generated when the malware submission job started the detection operation on a VM.
Complete time
Timestamp generated when the malware submission job completed the detection operation on a VM.
Job runtime
Time needed to complete the malware submission job.
Examples The following example displays a limit of two malware submissions whose static and dynamic analysis jobs are finished:
hostname # show submission done limit 2
Submission ID: 8
UUID                    : e2e25565-20bd-4148-a435-2d761077a55b
Malware ID              : 16
Source IpAddress        : 108.157.161.251
Destination IpAddress   : 238.174.95.154
md5sum                  : 77b6d8fa25ef0be3aced5c31bcec35fe
File type               : exe
Status                  : success
Malicious               : YES
Analysis Object ID      : 7
Analysis Object Name    : 014s.exe
Analysis File Type      : exe
md5sum                  : 77b6d8fa25ef0be3aced5c31bcec35fe
Static Analysis weight  : 100
Dynamic Analysis weight : 100
Dynamic Analysis jobs   : 2
Static Analysis jobs    : 4
SA engine weight        : 100
SA job ID               : 17
SA sub-engine name      : avs
SA sub-engine signature : Trojan.Generic
SA sub-engine weight    : 100
SA engine weight        : 80
SA job ID               : 18
SA sub-engine name      : clamd
SA sub-engine signature : PUA.Win.Packer.Upack-48
SA sub-engine weight    : 80
Job ID                  : 12
OS name                 : win7x64-sp1
Application name        : Windows Explorer
OS Changes weight       : 100
CNC Match weight        : 0
Assigned time           : 2016-04-28 00:39:33.851213
Complete time           : 2016-04-28 00:43:36.324287
Job runtime             : 00:04:02.473074
Signature               : Malware.Binary.exe
Job ID                  : 11
OS name                 : winxp-sp3
Application name        : Windows Explorer
OS Changes weight       : 100
CNC Match weight        : 0
Assigned time           : 2016-04-28 00:36:47.52572
Complete time           : 2016-04-28 00:40:48.744118
Job runtime             : 00:04:01.218398
Signature               : Malware.Binary.exe
Submission ID: 9
UUID                    : 750a471f-a60c-44f8-be91-a1030ce05c3b
Malware ID              : 9
Source IpAddress        : 108.157.161.251
Destination IpAddress   : 111.141.187.149
md5sum                  : 38323e5d6d131656d2ea0206b6f9bbdb
File type               : exe
Status                  : timeout
Malicious               : NO
User Role Administrator, Monitor, or Analyst
Command Mode Enable
Release Information This command was introduced as follows:
● AX Series: Release 7.7
● FX Series: Release 7.7
● NX Series: Release 7.7. The command output was enhanced to include the UUID field on an integrated NX Series appliance or an NX Series sensor in Release 7.9.
● EX Series: Release 7.8
Related Commands For a list of related commands, see Malware Submission Command Family on page 108.
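The record layout shown above (one "Submission ID:" line followed by key/value fields, with each "Job ID" opening a per-VM block) can be parsed mechanically. The following Python is an added example, not FireEye code: it splits `show submission done` output into records, checks that each job's Job runtime equals Complete time minus Assigned time as the example output shows, and lists which submissions were flagged malicious or did not finish; the sample text is constructed from the page's own example and trimmed to the fields used.

```python
"""Parse the key/value records printed by `show submission done` (the same
layout is used by `show submission id`) and sanity-check them.
Added example, not FireEye code; SAMPLE_OUTPUT is constructed from the page."""
from datetime import datetime
from typing import Dict, List, Tuple

TS_FORMAT = "%Y-%m-%d %H:%M:%S.%f"

# Constructed from the page's `show submission done limit 2` example (trimmed).
SAMPLE_OUTPUT = """\
Submission ID: 8
UUID                    : e2e25565-20bd-4148-a435-2d761077a55b
Source IpAddress        : 108.157.161.251
Destination IpAddress   : 238.174.95.154
md5sum                  : 77b6d8fa25ef0be3aced5c31bcec35fe
File type               : exe
Status                  : success
Malicious               : YES
Job ID                  : 12
OS name                 : win7x64-sp1
Assigned time           : 2016-04-28 00:39:33.851213
Complete time           : 2016-04-28 00:43:36.324287
Job runtime             : 00:04:02.473074
Signature               : Malware.Binary.exe
Job ID                  : 11
OS name                 : winxp-sp3
Assigned time           : 2016-04-28 00:36:47.52572
Complete time           : 2016-04-28 00:40:48.744118
Job runtime             : 00:04:01.218398
Signature               : Malware.Binary.exe
Submission ID: 9
UUID                    : 750a471f-a60c-44f8-be91-a1030ce05c3b
Source IpAddress        : 108.157.161.251
Destination IpAddress   : 111.141.187.149
md5sum                  : 38323e5d6d131656d2ea0206b6f9bbdb
File type               : exe
Status                  : timeout
Malicious               : NO
"""


def parse_submissions(text: str) -> List[Dict]:
    """One dict per 'Submission ID:' block. Submission-level fields live on
    the dict; each 'Job ID' line opens a new entry in record['jobs'] that
    collects the per-VM fields printed after it."""
    records: List[Dict] = []
    for raw in text.splitlines():
        line = raw.strip()
        if ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if key == "Submission ID":
            records.append({"Submission ID": value, "jobs": []})
            continue
        if not records:
            raise ValueError(f"field before any 'Submission ID' line: {line!r}")
        record = records[-1]
        if key == "Job ID":
            record["jobs"].append({"Job ID": value})
        elif record["jobs"]:
            record["jobs"][-1][key] = value
        else:
            record[key] = value
    return records


def runtime_to_seconds(runtime: str) -> float:
    """'00:04:02.473074' -> 242.473074"""
    hours, minutes, seconds = runtime.split(":")
    return int(hours) * 3600 + int(minutes) * 60 + float(seconds)


def runtime_mismatches(records: List[Dict], tolerance: float = 1e-3) -> List[Tuple[str, str]]:
    """(Submission ID, Job ID) pairs whose printed Job runtime differs from
    Complete time minus Assigned time, the relation the page's examples show."""
    mismatches = []
    for record in records:
        for job in record["jobs"]:
            if not all(k in job for k in ("Assigned time", "Complete time", "Job runtime")):
                continue  # incomplete job block, nothing to compare
            started = datetime.strptime(job["Assigned time"], TS_FORMAT)
            ended = datetime.strptime(job["Complete time"], TS_FORMAT)
            measured = (ended - started).total_seconds()
            if abs(measured - runtime_to_seconds(job["Job runtime"])) > tolerance:
                mismatches.append((record["Submission ID"], job["Job ID"]))
    return mismatches


def triage(records: List[Dict]) -> Dict[str, List[str]]:
    """What an analyst wants first: submissions flagged malicious, submissions
    whose analysis did not finish, and the md5sums of the malicious ones."""
    malicious = [r for r in records if r.get("Malicious") == "YES"]
    return {
        "malicious": [r["Submission ID"] for r in malicious],
        "unfinished": [r["Submission ID"] for r in records if r.get("Status") != "success"],
        "malicious_md5": [r["md5sum"] for r in malicious if "md5sum" in r],
    }


if __name__ == "__main__":
    parsed = parse_submissions(SAMPLE_OUTPUT)
    print(triage(parsed))
    print("runtime mismatches:", runtime_mismatches(parsed))
```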
show submission dst
Displays the malware submission jobs based on a destination IP address. You can display up to 100 jobs by default.
Syntax show submission dst [limit ]
Parameters limit
(Optional) Displays the specified number of entries that are based on a destination IP address. A higher number might increase command response time.
Output Fields The following table describes the output fields for the show submission dst command. Fields are listed in the approximate order in which they appear in the output. Field
Description
Submission ID
Specific malware submission job number.
UUID
Specific universally unique identifier that is associated with the malware submission on an integrated NX Series appliance or an NX Series sensor.
Malware ID
Specific malware analysis job number.
Source IpAddress
IP address of the source.
Destination IpAddress
IP address of the destination.
File type
File type that is associated with the malware submission job.
Status
Whether the analysis succeeded or failed.
Malicious
Whether the malware submission was detected as malicious.
Examples The following example displays the malware submission jobs based on a particular destination IP address:
hostname # show submission dst 85.175.101.221
Submission ID: 90
UUID                    : cc83d286-de6d-4d7c-845a-aab67f2e5d40
Malware ID              : 74
Source IpAddress        : 245.156.62.140
Destination IpAddress   : 85.175.101.221
md5sum                  : 722c2e3cdf28d730977c5266b650f8a0
File type               : jar
Status                  : success
Malicious               : YES
Submission ID: 91
UUID                    : d23f7070-dd69-4b7f-b09d-d4ecf0aea69b
Malware ID              : 76
Source IpAddress        : 245.156.62.140
Destination IpAddress   : 85.175.101.221
md5sum                  : be95c26c782d3298370aa6b189276d31
File type               : exe
Status                  : success
Malicious               : YES
User Role Administrator, Monitor, or Analyst
Command Mode Enable
Release Information This command was introduced as follows:
● AX Series: Release 7.7
● FX Series: Release 7.7
● NX Series: Release 7.7. The command output was enhanced to include the UUID field on an integrated NX Series appliance or an NX Series sensor in Release 7.9.
● EX Series: Release 7.8
Related Commands For a list of related commands, see Malware Submission Command Family on page 108.
show submission from
Displays the detailed statistics for the malware submission jobs that were analyzed during a specified time period. The fields for the total number of remote submissions are displayed only on an NX Series sensor or sensor-enabled integrated appliance. The fields for the total number of running submissions and the total number of dynamic analysis (DA) submissions are displayed only on an integrated NX Series appliance.
Syntax show submission from to
Parameters
start_date
Display the statistics for the malware submission job starting from this date. The start date is specified in the format yyyy/mm/dd.
start_time
Display the statistics for the malware submission job starting from this time. The start time is specified in the format hh:mm:ss.
end_date
Display the statistics for the malware submission job ending on this date. The end date is specified in the format yyyy/mm/dd.
end_time
Display the statistics for the malware submission job ending at this time. The end time is specified in the format hh:mm:ss.
Output Fields The following table describes the output fields for the show submission from command. Fields are listed in the approximate order in which they appear in the output. Field
Description
Total queued submission
Total number of malware submissions that are in the queue waiting to be analyzed.
Total remote submissions
Total number of malware submissions that are currently being analyzed remotely from the past 24 hours.
Remote submissions (url)
Total number of malware submissions that are currently being analyzed remotely for URLs from the past 24 hours.
Remote submissions (file)
Total number of malware submissions that are currently being analyzed remotely for files from the past 24 hours.
Total running submissions
Total number of malware submissions that are currently being analyzed.
Total DA running submissions
Total number of dynamic analysis (DA) submissions that are currently running.
Submissions
Total number of malware submissions and the number submitted per minute between a specified time period.
Completed submissions
Total number of malware submissions that were completed and the number submitted per minute between a specified time period.
Malicious submission count
Total number of DA submissions that were detected as malicious and the number submitted per minute between a specified time period.
Examples The following example displays the statistics of the malware submission jobs during a specified time period:
hostname # show submission from 2015/08/09 12:00:00 to 2015/08/12 12:00:00
Runtime Submission Stats:
Total queued submission         : 78
Total running submissions       : 72
Total DA running submissions    : 96
Cumulative Stats in timespan 2015-08-09 12:00:00 to 2015-08-12 12:00:00 :
                                Total  : Rate/minute
Submissions                   : 259    : 0.060
Completed submissions         : 259    : 0.060
Malicious submission count    : 103    : 0.024
The following example displays the statistics of the malware submission jobs during a specified time period on an NX Series sensor or sensor-enabled integrated appliance:
hostname # show submission from 2016/08/03 11:14:00 to 2016/08/04 11:14:00
Runtime Submission Stats:
Total queued submission         : 0
Queued submissions(url)         : 0
Queued submissions(file)        : 0
Remote Submissions
Total remote submissions        : 17
Remote submissions(url)         : 6
Remote submissions(file)        : 11
Cumulative Stats in timespan 2016-08-03 11:14:00 to 2016-08-04 11:14:00 :
                                                   Total  : Rate/minute
Submissions                                      : 11915  : 8.274
Submissions(url)                                 : 4304   : 2.989
Submissions(file)                                : 7611   : 5.285
Completed submissions                            : 11920  : 8.278
Completed submissions(url)                       : 4312   : 2.994
Completed submissions(file)                      : 7608   : 5.283
Malicious submission count                       : 8478   : 5.888
URL Dynamic Analysis verified malicious count    : 2086   : 1.449
File Dynamic Analysis verified malicious count   : 6392   : 4.439
User Role Administrator, Monitor, or Analyst
Command Mode Enable
Release Information This command was introduced as follows:
● AX Series: Release 7.7
● FX Series: Release 7.7
● NX Series: Release 7.7. The command output was enhanced to include the total number of remote submissions on an NX Series sensor or sensor-enabled integrated appliance in Release 7.9.
● EX Series: Release 7.8
Related Commands For a list of related commands, see Malware Submission Command Family on page 108.
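The Cumulative Stats block printed by both show submission and show submission from reports each counter as a Total and a Rate/minute, and the numbers in the page's examples are consistent with the rate being the Total divided by the length of the timespan in minutes (1440 for a 24-hour window, 4320 for the three-day window above). The following Python is an added example, not FireEye code: it parses that block and flags any counter whose printed rate does not match Total divided by the timespan, so an operator pasting output from several appliances can spot a window that was not what they assumed. The samples are constructed from the page's two show submission from examples.

```python
"""Check the 'Cumulative Stats' block printed by `show submission` and
`show submission from <start> to <end>`: every Rate/minute should be the
Total divided by the length of the reported timespan in minutes.
Added example, not FireEye code; samples are constructed from the page."""
import re
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed from the page's 24-hour sensor example (1440 minutes).
SAMPLE_24H = """\
Cumulative Stats in timespan 2016-08-03 11:14:00 to 2016-08-04 11:14:00 :
                                                   Total  : Rate/minute
Submissions                                      : 11915  : 8.274
Submissions(url)                                 : 4304   : 2.989
Submissions(file)                                : 7611   : 5.285
Completed submissions                            : 11920  : 8.278
Malicious submission count                       : 8478   : 5.888
URL Dynamic Analysis verified malicious count    : 2086   : 1.449
File Dynamic Analysis verified malicious count   : 6392   : 4.439
"""

# Constructed from the page's three-day example (4320 minutes).
SAMPLE_3DAY = """\
Cumulative Stats in timespan 2015-08-09 12:00:00 to 2015-08-12 12:00:00 :
                                Total  : Rate/minute
Submissions                   : 259    : 0.060
Completed submissions         : 259    : 0.060
Malicious submission count    : 103    : 0.024
"""

TIMESPAN_RE = re.compile(r"Cumulative Stats in timespan (\S+ \S+) to (\S+ \S+)")
ROW_RE = re.compile(r"^(.+?)\s*:\s*(\d+)\s*:\s*(\d+\.\d+)\s*$")
TS_FORMAT = "%Y-%m-%d %H:%M:%S"


def parse_cumulative(text: str) -> Tuple[float, Dict[str, Tuple[int, float]]]:
    """Return (minutes in the timespan, {counter name: (total, rate per minute)})."""
    minutes = None
    rows: Dict[str, Tuple[int, float]] = {}
    for line in text.splitlines():
        span = TIMESPAN_RE.search(line)
        if span:
            start, end = (datetime.strptime(s, TS_FORMAT) for s in span.groups())
            minutes = (end - start).total_seconds() / 60
            continue
        row = ROW_RE.match(line)
        if row:
            rows[row.group(1)] = (int(row.group(2)), float(row.group(3)))
    if minutes is None:
        raise ValueError("no 'Cumulative Stats in timespan' header found")
    return minutes, rows


def rate_mismatches(minutes: float, rows: Dict[str, Tuple[int, float]], places: int = 3) -> List[str]:
    """Counter names whose printed rate is not total/minutes rounded to `places`."""
    tolerance = 0.5 * 10 ** -places + 1e-9  # half a unit in the last printed digit
    return [name for name, (total, rate) in rows.items()
            if abs(total / minutes - rate) > tolerance]


if __name__ == "__main__":
    for sample in (SAMPLE_24H, SAMPLE_3DAY):
        minutes, rows = parse_cumulative(sample)
        print(f"{minutes:.0f} minutes, mismatches: {rate_mismatches(minutes, rows)}")
```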
show submission id
Displays information for a specific malware submission job number.
Syntax show submission id
Parameters None
Output Fields The following table describes the output fields for the show submission id command. Fields are listed in the approximate order in which they appear in the output. Field
Description
Submission ID
Specific malware submission job number.
UUID
Specific universally unique identifier that is associated with the malware submission on an integrated NX Series appliance or an NX Series sensor.
Malware ID
Specific malware analysis job number.
Source IpAddress
IP address of the source.
Destination IpAddress
IP address of the destination.
File type
File type that is associated with the malware submission job.
Status
Whether the analysis succeeded or failed. This field also displays the status for a retroactive alert that is marked as dti_detection in the output field.
Malicious
Whether the malware submission job was detected as malicious.
Analysis Object ID
Analysis object job number that is associated with the malware submission.
Analysis Object Name
Analysis object name that is associated with the malware submission job.
Analysis File Type
Analysis file type that is associated with the malware submission job.
Dynamic Analysis weight
Weight that is assigned to a dynamic analysis job on a particular object.
Dynamic Analysis jobs
Number of dynamic analysis jobs that have been processed on a particular object.
Job ID
Job number that is associated with the malware submission.
OS name
Type of guest image profile.
Application name
Type of application.
OS Changes weight
Weight assigned based on a correlation between a set of rules and a set of operating system (OS) change activities detected by the virtual machine (VM) during dynamic analysis.
CNC Match weight
Weight that is assigned by a custom rule that is used for callback detection on a VM during dynamic analysis.
Assigned time
Timestamp generated when the malware submission job started the detection operation on a VM.
Complete time
Timestamp generated when the malware submission job completed the detection operation on a VM.
Job runtime
Time needed to complete the malware submission job.
Examples
The following example displays the information about job number 8:

hostname # show submission id 8
Submission ID: 8
UUID                    : e2e25565-20bd-4148-a435-2d761077a55b
Malware ID              : 16
Source IpAddress        : 108.157.161.251
Destination IpAddress   : 238.174.95.154
md5sum                  : 77b6d8fa25ef0be3aced5c31bcec35fe
File type               : exe
Status                  : success
Malicious               : YES
Analysis Object ID      : 7
Analysis Object Name    : 014s.exe
Analysis File Type      : exe
md5sum                  : 77b6d8fa25ef0be3aced5c31bcec35fe
Static Analysis weight  : 100
Dynamic Analysis weight : 100
Dynamic Analysis jobs   : 2
Static Analysis jobs    : 4
SA engine weight        : 100
SA job ID               : 17
SA sub-engine name      : avs
SA sub-engine signature : Trojan.Generic
SA sub-engine weight    : 100
SA engine weight        : 80
SA job ID               : 18
SA sub-engine name      : clamd
SA sub-engine signature : PUA.Win.Packer.Upack-48
SA sub-engine weight    : 80
Job ID                  : 12
OS name                 : win7x64-sp1
Application name        : Windows Explorer
OS Changes weight       : 100
CNC Match weight        : 0
Assigned time           : 2016-04-28 00:39:33.851213
Complete time           : 2016-04-28 00:43:36.324287
Job runtime             : 00:04:02.473074
Signature               : Malware.Binary.exe
Job ID                  : 11
OS name                 : winxp-sp3
Application name        : Windows Explorer
OS Changes weight       : 100
CNC Match weight        : 0
Assigned time           : 2016-04-28 00:36:47.52572
Complete time           : 2016-04-28 00:40:48.744118
Job runtime             : 00:04:01.218398
Signature               : Malware.Binary.exe
The following example displays the submission status for a retroactive alert, which is marked as dti_detection in the Status field:

hostname # show submission id 305
Submission ID: 305
UUID                    : ab967fd7-ec0c-452f-bf50-fddd5e2f725c
Malware ID              : 377
Source IpAddress        : 88.103.115.101
Destination IpAddress   : 87.113.80.75
md5sum                  : aa53deab960b2977fe8d4b775c5b4a1e
File type               : exe
Status                  : dti_detection
Malicious               : YES
User Role Administrator, Monitor, or Analyst
Command Mode Enable
Release Information
This command was introduced as follows:
- AX Series: Release 7.7
- FX Series: Release 7.7
- NX Series: Release 7.7. The command output was enhanced to include the UUID field on an integrated NX Series appliance or an NX Series sensor in Release 7.9.
- EX Series: Release 7.8
Related Commands For a list of related commands, see Malware Submission Command Family on page 108.
show submission limit
Displays information for a specified number of malware submissions. By default you can display up to 100 jobs.
Syntax show submission limit <number>
Parameters number
Number of entries that are displayed. A higher number might increase command response time.
Output Fields
The following table describes the output fields for the show submission limit command. Fields are listed in the approximate order in which they appear in the output.

Submission ID: Malware submission job number.
UUID: Universally unique identifier associated with the malware submission on an integrated NX Series appliance or an NX Series sensor.
Malware ID: Malware analysis job number.
Source IpAddress: IP address of the source.
Destination IpAddress: IP address of the destination.
md5sum: MD5 checksum of the attachment.
File type: File type associated with the malware submission job.
Status: Whether the analysis succeeded or failed.
Malicious: Whether the malware submission was detected as malicious.
Analysis Object ID: Analysis object job number associated with the malware submission.
Analysis Object Name: Analysis object name associated with the malware submission job.
Analysis File Type: Analysis file type associated with the malware submission job.
Static Analysis weight: Weight assigned to a static analysis job on a particular object.
Dynamic Analysis weight: Weight assigned to a dynamic analysis job on a particular object.
Dynamic Analysis jobs: Number of dynamic analysis jobs that have been processed on a particular object.
Static Analysis jobs: Number of static analysis jobs that have been processed on a particular object.
Job ID: Job number associated with the malware submission.
OS name: Type of guest image profile.
Application name: Type of application.
OS Changes weight: Weight assigned based on a correlation between a set of rules and a set of operating system (OS) change activities detected by the virtual machine (VM) during dynamic analysis.
CNC Match weight: Weight assigned by a custom rule that is used for callback detection on a VM during dynamic analysis.
Assigned time: Timestamp generated when the malware submission job started the detection operation on a VM.
Complete time: Timestamp generated when the malware submission job completed the detection operation on a VM.
Job runtime: Time needed to complete the malware submission job.
Examples
The following example displays the information for one malware submission:

hostname # show submission limit 1
Submission ID: 7
UUID                    : 9dffc29c-daad-4da6-9535-da033cb0c6be
Malware ID              : 15
Source IpAddress        : 108.157.161.251
Destination IpAddress   : 47.47.183.145
md5sum                  : 7d07560e49c6eaec0bbad9999f16bc1c
File type               : exe
Status                  : success
Malicious               : YES
Analysis Object ID      : 6
Analysis Object Name    : 0014.exe
Analysis File Type      : exe
md5sum                  : 7d07560e49c6eaec0bbad9999f16bc1c
Static Analysis weight  : 100
Dynamic Analysis weight : 100
Dynamic Analysis jobs   : 2
Static Analysis jobs    : 4
SA engine weight        : 100
SA job ID               : 13
SA sub-engine name      : avs
SA sub-engine signature : Trojan.Downloader
SA sub-engine weight    : 100
SA engine weight        : 80
SA job ID               : 14
SA sub-engine name      : clamd
SA sub-engine signature : PUA.Win.Packer.Upack-48
SA sub-engine weight    : 80
Job ID                  : 10
OS name                 : win7x64-sp1
Application name        : Windows Explorer
OS Changes weight       : 100
CNC Match weight        : 0
Assigned time           : 2016-04-28 00:35:54.32882
Complete time           : 2016-04-28 00:39:57.529021
Job runtime             : 00:04:03.200201
Signature               : Malware.Binary.exe
Job ID                  : 9
OS name                 : winxp-sp3
Application name        : Windows Explorer
OS Changes weight       : 100
CNC Match weight        : 0
Assigned time           : 2016-04-28 00:35:25.960428
Complete time           : 2016-04-28 00:39:33.7778
Job runtime             : 00:04:07.817372
Signature               : Malware.Binary.exe
User Role Administrator, Monitor, or Analyst
Command Mode Enable
Release Information
This command was introduced as follows:
- AX Series: Release 7.7
- FX Series: Release 7.7
- NX Series: Release 7.7. The command output was enhanced to include the UUID field on an integrated NX Series appliance or an NX Series sensor in Release 7.9.
- EX Series: Release 7.8
Related Commands For a list of related commands, see Malware Submission Command Family on page 108.
show submission malicious
Displays information about the malware submission jobs that are marked as malicious. By default you can display up to 100 jobs.
Syntax show submission malicious [limit <number>]
Parameters limit <number>
(Optional) Displays the specified number of entries that are marked as malicious. A higher number might increase command response time.
Output Fields
The following table describes the output fields for the show submission malicious command. Fields are listed in the approximate order in which they appear in the output.

Submission ID: Malware submission job number.
UUID: Universally unique identifier associated with the malware submission on an integrated NX Series appliance or an NX Series sensor.
Malware ID: Malware analysis job number.
Source IpAddress: IP address of the source.
Destination IpAddress: IP address of the destination.
md5sum: MD5 checksum of the attachment.
File type: File type associated with the malware submission job.
Status: Whether the analysis succeeded or failed.
Malicious: Whether the malware submission was detected as malicious.
Analysis Object ID: Analysis object job number associated with the malware submission.
Analysis Object Name: Analysis object name associated with the malware submission job.
Analysis File Type: Analysis file type associated with the malware submission job.
Static Analysis weight: Weight assigned to a static analysis job on a particular object.
Dynamic Analysis weight: Weight assigned to a dynamic analysis job on a particular object.
Dynamic Analysis jobs: Number of dynamic analysis jobs that have been processed on a particular object.
Static Analysis jobs: Number of static analysis jobs that have been processed on a particular object.
Job ID: Job number associated with the malware submission.
OS name: Type of guest image profile.
Application name: Type of application.
OS Changes weight: Weight assigned based on a correlation between a set of rules and a set of operating system (OS) change activities detected by the virtual machine (VM) during dynamic analysis.
CNC Match weight: Weight assigned by a custom rule that is used for callback detection on a VM during dynamic analysis.
Assigned time: Timestamp generated when the malware submission job started the detection operation on a VM.
Complete time: Timestamp generated when the malware submission job completed the detection operation on a VM.
Job runtime: Time needed to complete the malware submission job.
Examples
The following example displays the information about a malware submission job that is marked as malicious:

hostname # show submission malicious
Submission ID: 4
UUID                    : 9351908a-0575-4666-9d2b-a7d5cc200a3d
Malware ID              : 13
Source IpAddress        : 80.156.52.181
Destination IpAddress   : 190.246.12.141
md5sum                  : 4a78c36e8be28a2fef57e69daa993d13
File type               : exe
Status                  : success
Malicious               : YES
Analysis Object ID      : 2
Analysis Object Name    : load.exe
Analysis File Type      : exe
md5sum                  : 4a78c36e8be28a2fef57e69daa993d13
Static Analysis weight  : 100
Dynamic Analysis weight : 300
Dynamic Analysis jobs   : 2
Static Analysis jobs    : 4
SA engine weight        : 100
SA job ID               : 5
SA sub-engine name      : avs
SA sub-engine signature : Trojan.Generic
SA sub-engine weight    : 100
Job ID                  : 4
OS name                 : win7x64-sp1
Application name        : Windows Explorer
OS Changes weight       : 100
CNC Match weight        : 0
Assigned time           : 2016-04-28 00:34:21.253765
Complete time           : 2016-04-28 00:35:25.881007
Job runtime             : 00:01:04.627242
Signature               : Malware.Binary.exe
Job ID                  : 3
OS name                 : winxp-sp3
Application name        : Windows Explorer
OS Changes weight       : 300
CNC Match weight        : 300
Assigned time           : 2016-04-28 00:33:15.649557
Complete time           : 2016-04-28 00:34:58.169366
Job runtime             : 00:01:42.519809
Signature               : Trojan.Rootkit.MVX
User Role Administrator, Monitor, or Analyst
Command Mode Enable
Release Information
This command was introduced as follows:
- AX Series: Release 7.7
- FX Series: Release 7.7
- NX Series: Release 7.7. The command output was enhanced to include the UUID field on an integrated NX Series appliance or an NX Series sensor in Release 7.9.
- EX Series: Release 7.8
Related Commands For a list of related commands, see Malware Submission Command Family on page 108.
show submission md5sum
Displays information about the malware submission jobs whose attachment matches a particular MD5 checksum. By default you can display up to 100 jobs.
Syntax show submission md5sum <MD5_checksum_attachment> [limit <number>]
Parameters MD5_checksum_attachment
MD5 checksum of the attachment.
limit <number>
(Optional) Displays the specified number of entries that matched the MD5 checksum. A higher number might increase command response time.
Output Fields
The following table describes the output fields for the show submission md5sum command. Fields are listed in the approximate order in which they appear in the output.

Submission ID: Malware submission job number.
UUID: Universally unique identifier associated with the malware submission on an integrated NX Series appliance or an NX Series sensor.
Malware ID: Malware analysis job number.
Source IpAddress: IP address of the source.
Destination IpAddress: IP address of the destination.
md5sum: MD5 checksum of the attachment.
File type: File type associated with the malware submission job.
Status: Whether the analysis succeeded or failed.
Malicious: Whether the malware submission was detected as malicious.
Analysis Object ID: Analysis object job number associated with the malware submission.
Analysis Object Name: Analysis object name associated with the malware submission job.
Analysis File Type: Analysis file type associated with the malware submission job.
Static Analysis weight: Weight assigned to a static analysis job on a particular object.
Dynamic Analysis weight: Weight assigned to a dynamic analysis job on a particular object.
Dynamic Analysis jobs: Number of dynamic analysis jobs that have been processed on a particular object.
Static Analysis jobs: Number of static analysis jobs that have been processed on a particular object.
Job ID: Job number associated with the malware submission.
OS name: Type of guest image profile.
Application name: Type of application.
OS Changes weight: Weight assigned based on a correlation between a set of rules and a set of operating system (OS) change activities detected by the virtual machine (VM) during dynamic analysis.
CNC Match weight: Weight assigned by a custom rule that is used for callback detection on a VM during dynamic analysis.
Assigned time: Timestamp generated when the malware submission started the detection operation on a VM.
Complete time: Timestamp generated when the malware submission completed the detection operation on a VM.
Job runtime: Time needed to complete the malware submission job.
Examples
The following example displays the job whose attachment matched the MD5 checksum 7d07560e49c6eaec0bbad9999f16bc1c:

hostname # show submission md5sum 7d07560e49c6eaec0bbad9999f16bc1c
Submission ID: 7
UUID                    : 9dffc29c-daad-4da6-9535-da033cb0c6be
Malware ID              : 15
Source IpAddress        : 108.157.161.251
Destination IpAddress   : 47.47.183.145
md5sum                  : 7d07560e49c6eaec0bbad9999f16bc1c
File type               : exe
Status                  : success
Malicious               : YES
Analysis Object ID      : 6
Analysis Object Name    : 0014.exe
Analysis File Type      : exe
md5sum                  : 7d07560e49c6eaec0bbad9999f16bc1c
Static Analysis weight  : 100
Dynamic Analysis weight : 100
Dynamic Analysis jobs   : 2
Static Analysis jobs    : 4
SA engine weight        : 100
SA job ID               : 13
SA sub-engine name      : avs
SA sub-engine signature : Trojan.Downloader
SA sub-engine weight    : 100
SA engine weight        : 80
SA job ID               : 14
SA sub-engine name      : clamd
SA sub-engine signature : PUA.Win.Packer.Upack-48
SA sub-engine weight    : 80
Job ID                  : 10
OS name                 : win7x64-sp1
Application name        : Windows Explorer
OS Changes weight       : 100
CNC Match weight        : 0
Assigned time           : 2016-04-28 00:35:54.32882
Complete time           : 2016-04-28 00:39:57.529021
Job runtime             : 00:04:03.200201
Signature               : Malware.Binary.exe
Job ID                  : 9
OS name                 : winxp-sp3
Application name        : Windows Explorer
OS Changes weight       : 100
CNC Match weight        : 0
Assigned time           : 2016-04-28 00:35:25.960428
Complete time           : 2016-04-28 00:39:33.7778
Job runtime             : 00:04:07.817372
Signature               : Malware.Binary.exe
User Role Administrator, Monitor, or Analyst
Command Mode Enable
Release Information
This command was introduced as follows:
- AX Series: Release 7.7
- FX Series: Release 7.7
- NX Series: Release 7.7. The command output was enhanced to include the UUID field on an integrated NX Series appliance or an NX Series sensor in Release 7.9.
- EX Series: Release 7.8
Related Commands For a list of related commands, see Malware Submission Command Family on page 108.
show submission queued
Displays the malware submission jobs from the past 24 hours that are in the queue waiting to be analyzed. By default you can display up to 100 jobs.
Syntax show submission queued [limit <number>]
Parameters limit <number>
(Optional) Displays the specified number of queued entries. A higher number might increase command response time.
Output Fields
The following table describes the output fields for the show submission queued command. Fields are listed in the approximate order in which they appear in the output.

Submission ID: Malware submission job number.
UUID: Universally unique identifier associated with the malware submission on an integrated NX Series appliance or an NX Series sensor.
Source IpAddress: IP address of the source.
Destination IpAddress: IP address of the destination.
md5sum: MD5 checksum of the attachment.
File type: File type associated with the malware submission job.
Status: Status of a malware submission job from the past 24 hours that is in the queue waiting to be analyzed.
Examples
The following example displays the malware submission jobs that are in the queue:

hostname # show submission queued
Submission ID: 914
UUID                    : 3cd96408-d919-4f4e-9875-9f40ea517424
Source IpAddress        : 128.106.126.55
Destination IpAddress   : 128.71.184.26
md5sum                  : b9118a3e62e3cbb6b28491604dfdba89
File type               : zip
Status                  : queued
User Role Administrator, Monitor, or Analyst
Command Mode Enable
Release Information
This command was introduced as follows:
- AX Series: Release 7.7
- FX Series: Release 7.7
- NX Series: Release 7.7. The command output was enhanced to include the UUID field on an integrated NX Series appliance or an NX Series sensor in Release 7.9.
- EX Series: Release 7.8
Related Commands For a list of related commands, see Malware Submission Command Family on page 108.
show submission range
Displays the information for a specific range of malware submissions. The malware submission jobs are listed in ascending order by submission ID.
Syntax show submission range <start_range_submissionID> [<end_range_submissionID>]
Parameters start_range_submissionID
Submission ID of the first submission in the range.
end_range_submissionID
(Optional) Submission ID of the last submission in the range.
Output Fields
The following table describes the output fields for the show submission range command. Fields are listed in the approximate order in which they appear in the output.

Submission ID: Malware submission job number.
UUID: Universally unique identifier associated with the malware submission on an integrated NX Series appliance or an NX Series sensor.
Malware ID: Malware analysis job number.
Source IpAddress: IP address of the source.
Destination IpAddress: IP address of the destination.
md5sum: MD5 checksum of the attachment.
File type: File type associated with the malware submission job.
Status: Whether the analysis succeeded or failed.
Malicious: Whether the malware submission was detected as malicious.
Analysis Object ID: Analysis object job number associated with the malware submission.
Analysis Object Name: Analysis object name associated with the malware submission job.
Analysis File Type: Analysis file type associated with the malware submission job.
Static Analysis weight: Weight assigned to a static analysis job on a particular object.
Dynamic Analysis weight: Weight assigned to a dynamic analysis job on a particular object.
Dynamic Analysis jobs: Number of dynamic analysis jobs that have been processed on a particular object.
Static Analysis jobs: Number of static analysis jobs that have been processed on a particular object.
Job ID: Job number associated with the malware submission.
OS name: Type of guest image profile.
Application name: Type of application.
OS Changes weight: Weight assigned based on a correlation between a set of rules and a set of operating system (OS) change activities detected by the virtual machine (VM) during dynamic analysis.
CNC Match weight: Weight assigned by a custom rule that is used for callback detection on a VM during dynamic analysis.
Assigned time: Timestamp generated when the malware submission started the detection operation on a VM.
Complete time: Timestamp generated when the malware submission completed the detection operation on a VM.
Job runtime: Time needed to complete the malware submission job.
Examples
The following example displays the information for submissions 8 through 9:

hostname # show submission range 8 9
Submission ID: 8
UUID                    : e2e25565-20bd-4148-a435-2d761077a55b
Malware ID              : 16
Source IpAddress        : 108.157.161.251
Destination IpAddress   : 238.174.95.154
md5sum                  : 77b6d8fa25ef0be3aced5c31bcec35fe
File type               : exe
Status                  : success
Malicious               : YES
Analysis Object ID      : 7
Analysis Object Name    : 014s.exe
Analysis File Type      : exe
md5sum                  : 77b6d8fa25ef0be3aced5c31bcec35fe
Static Analysis weight  : 100
Dynamic Analysis weight : 100
Dynamic Analysis jobs   : 2
Static Analysis jobs    : 4
SA engine weight        : 100
SA job ID               : 17
SA sub-engine name      : avs
SA sub-engine signature : Trojan.Generic
SA sub-engine weight    : 100
SA engine weight        : 80
SA job ID               : 18
SA sub-engine name      : clamd
SA sub-engine signature : PUA.Win.Packer.Upack-48
SA sub-engine weight    : 80
Job ID                  : 12
OS name                 : win7x64-sp1
Application name        : Windows Explorer
OS Changes weight       : 100
CNC Match weight        : 0
Assigned time           : 2016-04-28 00:39:33.851213
Complete time           : 2016-04-28 00:43:36.324287
Job runtime             : 00:04:02.473074
Signature               : Malware.Binary.exe
Job ID                  : 11
OS name                 : winxp-sp3
Application name        : Windows Explorer
OS Changes weight       : 100
CNC Match weight        : 0
Assigned time           : 2016-04-28 00:36:47.52572
Complete time           : 2016-04-28 00:40:48.744118
Job runtime             : 00:04:01.218398
Signature               : Malware.Binary.exe
Submission ID: 9
UUID                    : 750a471f-a60c-44f8-be91-a1030ce05c3b
Malware ID              : 9
Source IpAddress        : 108.157.161.251
Destination IpAddress   : 111.141.187.149
md5sum                  : 38323e5d6d131656d2ea0206b6f9bbdb
File type               : exe
Status                  : timeout
Malicious               : NO
User Role Administrator, Monitor, or Analyst
Command Mode Enable
Release Information
This command was introduced as follows:
- AX Series: Release 7.7
- FX Series: Release 7.7
- NX Series: Release 7.7. The command output was enhanced to include the UUID field on an integrated NX Series appliance or an NX Series sensor in Release 7.9.
- EX Series: Release 7.8
Related Commands For a list of related commands, see Malware Submission Command Family on page 108.
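The records printed by show submission id and show submission range (and by show submission limit, malicious, md5sum and src, which share the layout) are a flat key/value stream in which the analysis-object block, each static-analysis engine record and each dynamic-analysis VM job are marked only by the order of the keys. The following Python parser is added here as an example and is not FireEye code. It splits the stream at the sentinel keys Submission ID, Analysis Object ID, SA engine weight and Job ID, checks that each VM job's printed Job runtime equals Complete time minus Assigned time, and reduces each submission to one triage line that keeps a timeout, queued or running status (where Malicious: NO is not a clean verdict) and a retroactive dti_detection status separate from a completed success. The sample input is abridged from the guide's own examples for submissions 8 and 9; the assumption that SA engine weight always opens a static-analysis record and Job ID always opens a VM job record is taken from those examples.

```python
"""Parser for the key/value records printed by the show submission id, range,
src, md5sum, limit and malicious commands. Example code written for this guide,
not FireEye's. SAMPLE is abridged from the guide's examples for submissions 8
and 9; the sentinel-key layout is an assumption inferred from them."""
from datetime import datetime

SAMPLE = """\
Submission ID: 8
UUID                    : e2e25565-20bd-4148-a435-2d761077a55b
Malware ID              : 16
Source IpAddress        : 108.157.161.251
Destination IpAddress   : 238.174.95.154
md5sum                  : 77b6d8fa25ef0be3aced5c31bcec35fe
File type               : exe
Status                  : success
Malicious               : YES
Analysis Object ID      : 7
Analysis Object Name    : 014s.exe
md5sum                  : 77b6d8fa25ef0be3aced5c31bcec35fe
SA engine weight        : 100
SA job ID               : 17
SA sub-engine name      : avs
SA sub-engine signature : Trojan.Generic
Job ID                  : 12
OS name                 : win7x64-sp1
Assigned time           : 2016-04-28 00:39:33.851213
Complete time           : 2016-04-28 00:43:36.324287
Job runtime             : 00:04:02.473074
Signature               : Malware.Binary.exe
Job ID                  : 11
OS name                 : winxp-sp3
Assigned time           : 2016-04-28 00:36:47.52572
Complete time           : 2016-04-28 00:40:48.744118
Job runtime             : 00:04:01.218398
Signature               : Malware.Binary.exe
Submission ID: 9
UUID                    : 750a471f-a60c-44f8-be91-a1030ce05c3b
Source IpAddress        : 108.157.161.251
md5sum                  : 38323e5d6d131656d2ea0206b6f9bbdb
File type               : exe
Status                  : timeout
Malicious               : NO
"""


def parse_submissions(text):
    """One dict per submission. The flat stream is sectioned by sentinel keys:
    'Analysis Object ID' opens the analysis-object block, 'SA engine weight'
    opens a static-analysis engine record and 'Job ID' opens a VM job record."""
    records, rec, section = [], None, None
    for raw in text.splitlines():
        key, sep, value = raw.partition(":")  # first colon only: URLs and timestamps keep theirs
        key, value = key.strip(), value.strip()
        if not sep or not key:
            continue
        if key == "Submission ID":
            rec = {"Submission ID": value, "object": {}, "sa_jobs": [], "da_jobs": []}
            records.append(rec)
            section = rec
            continue
        if rec is None:  # anything before the first record, such as the echoed command line
            continue
        if key == "Analysis Object ID":
            section = rec["object"]
        elif key == "SA engine weight":
            rec["sa_jobs"].append({})
            section = rec["sa_jobs"][-1]
        elif key == "Job ID":
            rec["da_jobs"].append({})
            section = rec["da_jobs"][-1]
        section[key] = value
    return records


def runtime_consistent(job):
    """True when Complete time minus Assigned time equals the printed Job runtime."""
    fmt = "%Y-%m-%d %H:%M:%S.%f"
    elapsed = datetime.strptime(job["Complete time"], fmt) - datetime.strptime(job["Assigned time"], fmt)
    printed = datetime.strptime(job["Job runtime"], "%H:%M:%S.%f") - datetime(1900, 1, 1)
    return elapsed == printed


def triage(records):
    """Reduce each submission to one verdict line. A timeout, queued or running
    status means Malicious: NO is not a clean verdict; dti_detection marks a
    retroactive alert and is kept apart from a locally completed success."""
    out = []
    for rec in records:
        status = rec.get("Status", "")
        verdict = "malicious" if rec.get("Malicious") == "YES" else "clean"
        if status in ("timeout", "queued", "running"):
            verdict = "incomplete:" + status
        elif status == "dti_detection":
            verdict = "retroactive:" + verdict
        out.append({
            "id": rec["Submission ID"],
            "verdict": verdict,
            "sa": [j.get("SA sub-engine signature") for j in rec["sa_jobs"]],
            "da": sorted({j["Signature"] for j in rec["da_jobs"] if "Signature" in j}),
            "runtimes_ok": all(runtime_consistent(j) for j in rec["da_jobs"] if "Job runtime" in j),
        })
    return out
```

Feed the function the captured output of any of the listed commands (for example the text returned over an SSH session); output of show submission running parses the same way, its VM jobs simply lack the Assigned time, Complete time and Job runtime keys and so are skipped by the runtime check.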
show submission running
Displays the malware submission jobs that are currently running and have not yet completed. By default you can display up to 100 jobs. The show submission running command is not supported on an NX Series sensor or sensor-enabled integrated appliance.
Syntax show submission running [limit <number>]
Parameters limit <number>
(Optional) Displays the specified number of running entries. A higher number might increase command response time.
Output Fields
The following table describes the output fields for the show submission running command. Fields are listed in the approximate order in which they appear in the output.

Submission ID: Malware submission job number.
File type: File type associated with the malware submission job.
Status: Status of a malware submission job that is currently running.
Analysis Object ID: Analysis object job number associated with the malware submission.
Analysis Object Name: Analysis object name associated with the malware submission job.
Analysis File Type: Analysis file type associated with the malware submission job.
Job ID: Job number associated with the malware submission.
OS name: Type of guest image profile.
Application name: Type of application.
OS Changes weight: Weight assigned based on a correlation between a set of rules and a set of operating system (OS) change activities detected by the virtual machine (VM) during dynamic analysis.
CNC Match weight: Weight assigned by a custom rule that is used for callback detection on a VM during dynamic analysis.
Examples
The following example displays the malware submissions that are currently running and have not yet completed:

hostname # show submission running
Submission ID: 23781
File type            : url
Status               : running
Analysis Object ID   : 17395
Analysis Object Name : http://lp.jzip.com/?sysid=102&appid=398&lpid=3828&subid=9575172300&id=52219
Analysis File Type   : url
Job ID               : 12692
OS name              : win7x64-sp1
Application name     : Chrome 36.0
OS Changes weight    : 0
CNC Match weight     : 0
Submission ID: 23787
File type            : url
Status               : running
Analysis Object ID   : 17396
Analysis Object Name : http://www.zara.com/us/en/sale/woman/knitwear-c437626.html
Analysis File Type   : url
Job ID               : 12693
OS name              : win7x64-sp1
Application name     : Chrome 36.0
OS Changes weight    : 0
CNC Match weight     : 0
User Role Administrator, Monitor, or Analyst
Command Mode Enable
Release Information
This command was introduced as follows:
- AX Series: Release 7.7
- FX Series: Release 7.7
- NX Series: Release 7.7
- EX Series: Release 7.8
Related Commands For a list of related commands, see Malware Submission Command Family on page 108.
show submission since
Displays detailed statistics about the malware submission jobs that have been processed since a specified time. The fields for the total number of remote submissions are displayed only on an NX Series sensor or sensor-enabled integrated appliance. The fields for the total number of running submissions and the total number of dynamic analysis (DA) submissions are displayed only on an integrated NX Series appliance.
Syntax show submission since <number> {days | hours | minutes | seconds}
Parameters <number> {days | hours | minutes | seconds}
Show statistics about the malware submission jobs processed during this number of days, hours, minutes, or seconds:
days: Displays detailed statistics about the malware submission jobs that have been processed during the specified number of days.
hours: Displays detailed statistics about the malware submission jobs that have been processed during the specified number of hours.
minutes: Displays detailed statistics about the malware submission jobs that have been processed during the specified number of minutes.
seconds: Displays detailed statistics about the malware submission jobs that have been processed during the specified number of seconds.
Output Fields
The following table describes the output fields for the show submission since command. Fields are listed in the approximate order in which they appear in the output.

Total queued submissions: Total number of malware submissions that are in the queue waiting to be analyzed.
Queued submissions(url): Total number of malware submissions for URLs that are in the queue waiting to be analyzed.
Queued submissions(file): Total number of malware submissions for files that are in the queue waiting to be analyzed.
Total remote submissions: Total number of malware submissions from the past 24 hours that are currently being analyzed remotely.
Remote submissions(url): Total number of malware submissions for URLs from the past 24 hours that are currently being analyzed remotely.
Remote submissions(file): Total number of malware submissions for files from the past 24 hours that are currently being analyzed remotely.
Total running submissions: Total number of malware submissions that are currently being analyzed.
Running submissions(url): Total number of malware submissions for URLs that are currently running.
Running submissions(file): Total number of malware submissions for files that are currently running.
Total DA running submissions: Total number of dynamic analysis (DA) submissions that are currently running.
DA running submissions(url): Total number of DA submissions for URLs that are currently running.
DA running submissions(file): Total number of DA submissions for files that are currently running.
Submissions: Total number of malware submissions, and the number submitted per minute, since the given time.
Submissions(url): Total number of malware submissions for URLs, and the number submitted per minute, since the given time.
Submissions(file): Total number of malware submissions for files, and the number submitted per minute, since the given time.
Completed submissions: Total number of malware submissions that were completed, and the number per minute, since the given time.
Completed submissions(url): Total number of malware submissions for URLs that were completed, and the number per minute, since the given time.
Completed submissions(file): Total number of malware submissions for files that were completed, and the number per minute, since the given time.
Malicious submission count: Total number of DA submissions that were detected as malicious, and the number per minute, since the given time.
URL Dynamic Analysis verified malicious count: Total number of DA submissions for URLs that were detected as malicious, and the number per minute, since the given time.
File Dynamic Analysis verified malicious count: Total number of DA submissions for files that were detected as malicious, and the number per minute, since the given time.
Examples
The following example displays the statistics for the malware submission jobs that were submitted in the past ten days on an integrated appliance:

hostname # show submission since 10 days
Runtime Submission Stats:
Total queued submission      : 0
Queued submissions(url)      : 0
Queued submissions(file)     : 0
Total running submissions    : 1
Running submissions(url)     : 1
Running submissions(file)    : 0
Total DA running submissions : 1
DA running submissions(url)  : 1
DA running submissions(file) : 0
Cumulative Stats in timespan 2015-08-03 17:46:19 to 2015-08-13 17:46:19 :
                                               Total Submissions : Rate/minute
Submissions                                    : 24183 : 1.679
Submissions(url)                               : 2002  : 0.139
Submissions(file)                              : 22181 : 1.540
Completed submissions                          : 24182 : 1.679
Completed submissions(url)                     : 2001  : 0.139
Completed submissions(file)                    : 22181 : 1.540
Malicious submission count                     : 414   : 0.029
URL Dynamic Analysis verified malicious count  : 130   : 0.009
File Dynamic Analysis verified malicious count : 284   : 0.020

The following example displays the statistics for the malware submission jobs that were submitted in the past five days on an NX Series sensor or sensor-enabled integrated appliance:

hostname # show submission since 5 days
Runtime Submission Stats:
Total queued submission      : 0
Queued submissions(url)      : 0
Queued submissions(file)     : 0
Remote Submissions
Total remote submissions     : 27
Remote submissions(url)      : 9
Remote submissions(file)     : 18
Cumulative Stats in timespan 2016-07-30 11:45:07 to 2016-08-04 11:45:07 :
                                               Total Submissions : Rate/minute
Submissions                                    : 21426 : 2.976
Submissions(url)                               : 8294  : 1.152
Submissions(file)                              : 13132 : 1.824
Completed submissions                          : 21399 : 2.972
Completed submissions(url)                     : 8285  : 1.151
Completed submissions(file)                    : 13114 : 1.821
Malicious submission count                     : 14967 : 2.079
URL Dynamic Analysis verified malicious count  : 4133  : 0.574
File Dynamic Analysis verified malicious count : 10834 : 1.505
User Role Administrator, Monitor, or Analyst
Command Mode Enable
Release Information
This command was introduced as follows:
- AX Series: Release 7.7
- FX Series: Release 7.7
- NX Series: Release 7.7. The command output was enhanced to include the total number of remote submissions on an NX Series sensor or sensor-enabled integrated appliance in Release 7.9.
- EX Series: Release 7.8
Related Commands For a list of related commands, see Malware Submission Command Family on page 108.
show submission src Displays the malware submission jobs that originated from a specified source IP address. Up to 100 jobs are displayed by default.
Syntax show submission src <ip-address> [limit <number>]
Parameters ip-address
  The source IP address whose submission jobs are displayed.
limit <number>
  (Optional) Displays the specified number of entries for that source IP address. A higher number might increase command response time.
Output Fields The following table describes the output fields for the show submission src command. Fields are listed in the approximate order in which they appear in the output.

  Submission ID          Specific malware submission job number.
  UUID                   Specific universally unique identifier that is associated with the malware submission on an integrated NX Series appliance or an NX Series sensor.
  Malware ID             Specific malware analysis job number.
  Source IpAddress       IP address of the source.
  Destination IpAddress  IP address of the destination.
  md5sum                 MD5 hash of the submitted object (shown in the example output).
  File type              File type that is associated with the malware submission job.
  Status                 Outcome of the analysis, such as success or timeout.
  Malicious              Whether the malware submission job was detected as malicious.
Examples The following example displays the malware submission job based on a particular source IP address:

hostname # show submission src 108.157.161.251
Submission ID: 9
  UUID                  : 750a471f-a60c-44f8-be91-a1030ce05c3b
  Malware ID            : 9
  Source IpAddress      : 108.157.161.251
  Destination IpAddress : 111.141.187.149
  md5sum                : 38323e5d6d131656d2ea0206b6f9bbdb
  File type             : exe
  Status                : timeout
  Malicious             : NO
User Role Administrator, Monitor, or Analyst
Command Mode Enable
Release Information This command was introduced as follows:
  • AX Series: Release 7.7
  • FX Series: Release 7.7
  • NX Series: Release 7.7. The command output was enhanced to include total number of remote submissions on an NX Series sensor or sensor-enabled integrated appliance in Release 7.9.
  • EX Series: Release 7.8
Related Commands For a list of related commands, see Malware Submission Command Family on page 108.
show submission uuid Displays the detailed analysis results for the submission that matches a specified universally unique identifier (UUID) on an NX Series sensor or sensor-enabled NX Series integrated appliance.
Syntax show submission uuid <uuid>
Parameters uuid
  The UUID of the malware submission whose results are displayed (the UUID field of show submission src output).
Output Fields The following table describes the output fields for the show submission uuid command. Fields are listed in the approximate order in which they appear in the output.

  Submission ID            Specific malware submission job number.
  UUID                     Specific universally unique identifier that is associated with the malware submission on an integrated NX Series appliance and the NX Series sensor.
  Malware ID               Specific malware analysis job number.
  Source IpAddress         IP address of the source.
  Destination IpAddress    IP address of the destination.
  File type                File type that is associated with the malware submission job.
  Status                   Outcome of the analysis, such as success or timeout.
  Malicious                Whether the malware submission job was detected as malicious.
  Analysis Object ID       Analysis object job number that is associated with the malware submission.
  Analysis Object Name     Analysis object name that is associated with the malware submission job.
  Analysis File Type       Analysis file type that is associated with the malware submission job.
  Dynamic Analysis weight  Weight that is assigned to a dynamic analysis job on a particular object.
  Dynamic Analysis jobs    Number of dynamic analysis jobs that have been processed on a particular object.
  Job ID                   Job number that is associated with the malware submission.
  OS name                  Type of guest image profile.
  Application name         Type of application.
  OS Changes weight        Weight assigned based on a correlation between a set of rules and a set of operating system (OS) change activities detected by the virtual machine (VM) during dynamic analysis.
  CNC Match weight         Weight that is assigned by a custom rule that is used for callback detection on a VM during dynamic analysis.
  Assigned time            Timestamp generated when the malware submission job started the detection operation on a VM.
  Complete time            Timestamp generated when the malware submission job completed the detection operation on a VM.
  Job runtime              Time needed to complete the malware submission job.
Examples The following example displays the results for the job that matched the e2e25565-20bd-4148-a435-2d761077a55b universally unique identifier:

hostname # show submission uuid e2e25565-20bd-4148-a435-2d761077a55b
Submission ID: 8
  UUID                  : e2e25565-20bd-4148-a435-2d761077a55b
  Malware ID            : 16
  Source IpAddress      : 108.157.161.251
  Destination IpAddress : 238.174.95.154
  md5sum                : 77b6d8fa25ef0be3aced5c31bcec35fe
  File type             : exe
  Status                : success
  Malicious             : YES
  Analysis Object ID    : 7
    Analysis Object Name    : 014s.exe
    Analysis File Type      : exe
    md5sum                  : 77b6d8fa25ef0be3aced5c31bcec35fe
    Static Analysis weight  : 100
    Dynamic Analysis weight : 100
    Dynamic Analysis jobs   : 2
    Static Analysis jobs    : 4
    SA engine weight        : 100
    SA job ID               : 17
      SA sub-engine name      : avs
      SA sub-engine signature : Trojan.Generic
      SA sub-engine weight    : 100
    SA engine weight        : 80
    SA job ID               : 18
      SA sub-engine name      : clamd
      SA sub-engine signature : PUA.Win.Packer.Upack-48
      SA sub-engine weight    : 80
    Job ID                  : 12
      OS name           : win7x64-sp1
      Application name  : Windows Explorer
      OS Changes weight : 100
      CNC Match weight  : 0
      Assigned time     : 2016-04-28 00:39:33.851213
      Complete time     : 2016-04-28 00:43:36.324287
      Job runtime       : 00:04:02.473074
      Signature         : Malware.Binary.exe
    Job ID                  : 11
      OS name           : winxp-sp3
      Application name  : Windows Explorer
      OS Changes weight : 100
      CNC Match weight  : 0
      Assigned time     : 2016-04-28 00:36:47.52572
      Complete time     : 2016-04-28 00:40:48.744118
      Job runtime       : 00:04:01.218398
      Signature         : Malware.Binary.exe
User Role Administrator, Monitor, or Analyst
Command Mode Enable
Release Information This command was introduced as follows:
  • NX Series: Release 7.9.
Related Commands For a list of related commands, see Malware Submission Command Family on page 108.
show stty Description Displays the terminal's baud rate setting.
Syntax show stty
Parameters None
Example

hostname # show stty
38400
show system entropy Show status of entropy (random number generation) on this system.
Syntax show system entropy
Parameters None
Example The following example shows the status of system entropy on a virtual sensor:

hostname > show system entropy
Entropy bootstrap complete     : yes
Entropy bits available         : 1164
Entropy refresh interval       : 900
Entropy last fetch status      : success
Entropy last fetch success time: 2016/07/23 06:46:47

Output Fields
  Entropy bootstrap complete       Whether the system got sufficient initial entropy to generate keys for secure SSL and SSH communication.
  Entropy bits available           The number of random bits that are currently available for applications that need random numbers.
  Entropy refresh interval         The interval, in seconds, at which the virtual appliance requests entropy (900 seconds, or 15 minutes, in the example).
  Entropy last fetch status        The status of the last entropy request.
  Entropy last fetch success time  The date and time the last entropy request succeeded.
User Role Admin, Operator, or Monitor
Command Mode Standard
Release Information This command was introduced as follows:
  • CM Series: Release 7.9.0
  • NX Series: Release 7.9.0
  • VX Series: Release 7.9.0
Related Topics For a list of related commands, see:
  • Virtual System Command Family on page 128
  • system virtual bootstrap reset on page 1267
  • show licenses tokens on page 1734
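A virtual appliance has no hardware entropy source of its own and fetches its pool on the refresh interval, so an incomplete bootstrap, a failed fetch, or a last success far older than the interval are the conditions to act on before trusting keys it generates. The following Python is an added example, not FireEye code: it parses saved show system entropy output (the example above is embedded as a constructed sample) and applies a policy whose thresholds (MIN_BITS, STALE_FACTOR) are this example's own assumptions, not limits the appliance documents.

```python
"""Evaluate `show system entropy` output before trusting a virtual sensor's keys.

Added example, not FireEye code. Only the five field names and the sample
values come from the documentation; the policy (bootstrap complete, last
fetch succeeded, at least MIN_BITS available, last success no older than
STALE_FACTOR refresh intervals) is this example's own assumption.
"""
from datetime import datetime, timedelta

MIN_BITS = 256      # assumption: refuse to generate keys below this pool level
STALE_FACTOR = 2    # assumption: tolerate one missed refresh, not two
TIME_FMT = "%Y/%m/%d %H:%M:%S"   # the format the appliance prints

# Constructed sample, copied from the documented example output.
SAMPLE = """\
Entropy bootstrap complete     : yes
Entropy bits available         : 1164
Entropy refresh interval       : 900
Entropy last fetch status      : success
Entropy last fetch success time: 2016/07/23 06:46:47
"""


def parse_entropy(text):
    """'Field : value' lines into a dict; the first colon is the separator."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def entropy_findings(text, now_text):
    """Return problems found; an empty list means the RNG state is acceptable.

    now_text is the current time in the appliance's own format, so the check
    can be replayed against saved output.
    """
    f = parse_entropy(text)
    findings = []
    if f.get("Entropy bootstrap complete") != "yes":
        findings.append("bootstrap incomplete: SSL/SSH keys may derive from a weak seed")
    status = f.get("Entropy last fetch status")
    if status != "success":
        findings.append("last entropy fetch did not succeed (%s)" % status)
    bits = int(f.get("Entropy bits available", "0"))
    if bits < MIN_BITS:
        findings.append("only %d entropy bits available (< %d)" % (bits, MIN_BITS))
    interval = timedelta(seconds=int(f.get("Entropy refresh interval", "0")))
    last = f.get("Entropy last fetch success time")
    if last and interval:
        age = datetime.strptime(now_text, TIME_FMT) - datetime.strptime(last, TIME_FMT)
        if age > STALE_FACTOR * interval:
            findings.append("last successful fetch (%s) is %s old; refresh is failing" % (last, age))
    return findings
```

The staleness check is the one that catches a sensor whose fetch silently started failing after a good bootstrap: the status field only reports the last attempt, while the success timestamp shows how long the pool has gone without a refill.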
show system hardware status Description Displays information about the temperature, RAID, power, and fans of the appliance. Without a keyword, the command displays a one-line status summary for each component.
Syntax show system hardware status [temperature | raid | power | fan]
Parameters temperature
  Displays the appliance temperature, unit of measurement, and status.
raid
  Displays the overall RAID status and the status of each disk.
power
  Displays the overall power status and the status of each power module.
fan
  For each fan, displays the running speed, the unit of measurement, and the status.
Examples The following commands return status information about the hardware.

High-level status:

hostname (config) # show system hardware status
System hardware status summary:
  Temperature: Good
  Raid:        Good
  Power:       Good
  Fan:         Good

Temperature:

hostname (config) # show system hardware status temperature
System Temperature:
  Value: 31
  Unit:  Celsius

RAID disk:

hostname (config) # show system hardware status raid
Overall raid status: Good
Disk status:
  Disk 0: Online
  Disk 1: Online

Power supply:

hostname (config) # show system hardware status power
Overall power status: Good
Power Module:
  Module 1: Status: Good

Fans:

hostname (config) # show system hardware status fan
System Fan:
  Fan 1: Speed: 9216   Unit: RPM  Status: Ok
  Fan 2: Speed: 10404  Unit: RPM  Status: Ok
  Fan 3: Speed: 9216   Unit: RPM  Status: Ok
  Fan 4: Speed: 9216   Unit: RPM  Status: Ok
  Fan 5: Speed: 10404  Unit: RPM  Status: Ok
show system health Description Shows the current status of the appliance, including product-specific features.
Syntax show system health
Parameters None
Examples This command returns the following types of status messages about the appliance:

hostname (config) # show system health
Overall system feature status: Degraded
Failure Reason: Licenses EMPS_URL_ATTACHMENT_SCAN are disabled

hostname (config) # show system health
Overall system feature status: Good
show system load Displays the current system load as a percentage.
Syntax show system load
Parameters None
Example The following example shows the current system load as 20 percent.

hostname > show system load
System Load = 20

User Role Admin, Operator, or Monitor
Command Mode Enable
Release Information This command was introduced as follows:
  • AX Series: Before release 6.4
  • CM Series: Before release 6.4
  • EX Series: Before release 6.4. Command deprecated in EX Series Release 7.8 and later releases.
  • FX Series: Before release 6.4
  • HX Series: Release 2.5
  • NX Series: Before release 6.4
show system serial-number Description Displays the serial number of the FireEye appliance.
Syntax show system serial-number
Parameters None
Example The following example displays the FireEye appliance serial number.

hostname (config) # show system serial-number
show tacacs Shows TACACS+ server configuration information.
Syntax show tacacs
Parameters None
Example This example shows sample TACACS+ server configuration information:

host (config) # show tacacs
TACACS+ defaults:
  Key:        ********
  Timeout:    5
  Retransmit: 1
TACACS+ servers:
  192.168.1.1:49
    Enabled:    yes
    Auth Type:  pap
    Key:        ********
    Timeout:    5 (default)
    Retransmit: 1 (default)
  192.168.1.3:49
    Enabled:    yes
    Auth Type:  pap
    Key:        ********
    Timeout:    5 (default)
    Retransmit: 1 (default)
  192.168.1.3:442
    Enabled:    yes
    Auth Type:  pap
    Key:        ********
    Timeout:    5 (default)
    Retransmit: 1 (default)
  192.168.1.3:43
    Enabled:    yes
    Auth Type:  pap
    Key:        ********
    Timeout:    5 (default)
    Retransmit: 1 (default)
User Role Administrator, Operator, or Monitor
Command Mode Enable or Configuration
Release Information This command was introduced as follows:
  • AX Series: Before release 6.4
  • CM Series: Before release 6.4
  • EX Series: Before release 6.4
  • FX Series: Before release 6.4
  • HX Series: Before release 2.5
  • NX Series: Before release 6.4
Related Topics
  • tacacs-server host on page 1268
  • tacacs-server host auth-port on page 1270
  • tacacs-server host auth-type on page 1272
  • tacacs-server host enable on page 1274
  • tacacs-server host key on page 1275
  • tacacs-server host prompt-key on page 1277
  • tacacs-server host retransmit on page 1279
  • tacacs-server host timeout on page 1281
  • tacacs-server key on page 1283
  • tacacs-server retransmit on page 1285
  • tacacs-server timeout on page 1287
show tapsender health Displays the following health states of the TAP sender module:
  • Authenticated—The TAP sender has been authenticated with TAP and is in the process of connecting to the VPC within an AWS endpoint.
  • Authentication Failure—The TAP sender failed to authenticate itself with TAP because either communication failed or the client certificate expired.
  • Connected—The TAP sender is connected to the VPC within an AWS endpoint and is sending the network event logs.
  • Failure—The TAP sender failed to connect to the VPC within an AWS endpoint.
  • Not Authenticated—The TAP sender is in the process of authenticating itself to TAP.
TAP integration is supported only on the NX Series 2500 appliance.
Syntax show tapsender health
Parameters None
Example The following example shows that the TAP sender has been authenticated with TAP and is in the process of connecting to the VPC within an AWS endpoint:

hostname # show tapsender health
Authenticated
User Role Administrator or Operator
Command Mode Enable
Release Information This command was introduced as follows:
  • NX Series: Release 7.9
Related Commands For a list of related commands, see TAP Sender Module Command Family on page 124.
show tapsender stats Displays how often the NX Series appliance generates network event logs and sends them to TAP, measured in events per second (EPS). The EPS figure counts every event that the NX Series appliance logs. TAP integration is supported only on the NX Series 2500 appliance.
Syntax show tapsender stats
Parameters None
Example The following example shows the statistics about how often network event logs are generated by the NX Series appliance:

hostname # show tapsender stats
average EPS: {265} {last 5 samples}
User Role Administrator or Operator
Command Mode Enable
Release Information This command was introduced as follows:
  • NX Series: Release 7.9
Related Commands For a list of related commands, see TAP Sender Module Command Family on page 124.
show tapsender status Displays the status of the connection between the NX Series 2500 appliance and the TAP VPC. TAP integration is supported only on the NX Series 2500 appliance.
Syntax show tapsender status
Parameters None
Example The following example shows the status of the connection between the NX Series 2500 appliance and the TAP VPC:

hostname # show tapsender status
Tapsender status
  State:            Enabled
  Platform support: Supported
User Role Administrator
Command Mode Configuration
Release Information This command was introduced as follows:
  • NX Series: Release 7.9
Related Commands For a list of related commands, see TAP Sender Module Command Family on page 124.
show tapsender VPCIP Displays the hostname of the Virtual Private Cloud (VPC) within an Amazon Web Services (AWS) endpoint. TAP integration is supported only on the NX Series 2500 appliance.
Syntax show tapsender VPCIP
Parameters None
Example The following example shows that the hostname of the VPC within an AWS endpoint is tapVPC.fireeye.com:

hostname # show tapsender VPCIP
TAP VPC is tapVPC.fireeye.com
User Role Administrator or Operator
Command Mode Configuration
Release Information This command was introduced as follows:
  • NX Series: Release 7.9
Related Commands For a list of related commands, see TAP Sender Module Command Family on page 124.
show terminal Description Displays the current terminal length and width as well as the terminal type.
Syntax show terminal
Parameters None
Example The following example shows the terminal settings.

hostname > show terminal
CLI current session settings:
  Terminal width:    80 columns
  Terminal length:   37 rows
  Terminal type:     xterm
  X display setting: (none)
show tpm To display the trusted platform module (TPM) status, use the show tpm command in enable mode. Related commands: tpm enable, tpm rng enable
Syntax show tpm
User Role Administrator
Release Information Command introduced in Release 7.6.0.
Parameters None
Example The following example displays the status of the TPM:

hostname # show tpm
Trusted Platform Module:
  Present: yes
  Enabled: yes
  Active:  yes
Random Number Generator:
  Enabled:       yes
  Ready:         yes
  Process state: running
show users Description Displays the list of users who are currently logged in.
Syntax show users [roles | history [username {admin | analysis | cmcrendv | monitor}]]
Parameters roles
  Displays the roles of all users who are currently logged in.
history [username {admin | analysis | cmcrendv | monitor}]
  Displays the history of user logins or, with username, the login history of one user, identified by username and role (such as admin, monitor, and so on).
Examples The following example shows the current active users.

hostname (config) # show users
USERNAME   REMOTE USERNAME   LINE     HOST        IDLE
admin2                       pts/0    10.10.2.9   0d 0h 0m 7s
monitor3                     web/68   10.10.3.8   0d 0h 6m 54s
The following example shows the role of the current active users.

hostname (config) # show users roles
USERNAME   REMOTE USERNAME   AUTH BY   ROLES
admin2                       local     admin
monitor3                     local     monitor
show usernames To display a list of current user accounts and information about them, use the show usernames command in enable mode. For users with the Analyst and Auditor roles, this command only returns information about their own accounts.
Syntax show usernames [network | password-status | username <username>]
User Role All roles
Release Information The show usernames password-status and show usernames username username commands were introduced as follows:
  • NX Series: Release 7.5.0
  • CM Series: Release 7.5.0
  • EX Series: Release 7.6.0
  • AX Series: Release 7.7.0
  • FX Series: Release 7.7.0
The show usernames and show usernames network commands were introduced earlier.
Description The show usernames command shows information about user accounts, including roles. The network parameter shows any configured network information. The username parameter shows information about a specific user, including password status. The password-status parameter shows local password information pertaining to password change policies.
Parameters network
  Displays any network information configured for the user accounts.
password-status
  Displays a list of all user accounts that have a local password set and the password status, such as its age and whether the user needs to change it.
username <username>
  Displays full information about the specified user account. In addition to the basic show usernames output, displays the age of the password and whether the user must change the password at the next login.
Examples

show usernames

The following example shows information about current user accounts, including the roles.

hostname (config) # show usernames
USERNAME   FULL NAME              ROLE       ACCOUNT STATUS
admin      System Administrator   admin      Password set
amy        Amy Johnson            auditor    Local login disabled
analysis   Malware Analysis User  analyst    Account locked out
cmcrendv   CMC Rendezvous User    cmcrendv   Local password login disabled
jose       Jose Garcia            monitor    Password set
monitor    System Monitor         monitor    Account disabled
operator   System Operator        operator   Password set
Remote access for admin user: enabled

show usernames network

The following example shows any configured network information for the current user accounts.

hostname (config) # show usernames network
USERNAME   FULL NAME              VLAN   SUBNET
admin      System Administrator
amy        Amy Johnson
analysis   Malware Analysis User
cmcrendv   CMC Rendezvous User
jose       Jose Garcia                   10.1.1.0/24
monitor    System Monitor
operator   System Operator

show usernames username username

The following example displays full information about Samuel's user account. The "Current role" line is included because someone other than Samuel ran the command; that user's role is shown. If Samuel ran the command, this line would be excluded.

hostname (config) # show usernames username samuel
Local username:       samuel
Full name:
Account status:       Password set
Current role:         admin
Configured role:      operator
VLAN:                 Not set
Subnet:               Not set
Password last set:    2014/12/12 20:13:41
Password age:         7 hr 20 min 27 sec
Must change password: yes (set by administrator)
show usernames password-status
The following command lists the user accounts with a local password set and the password status. In this example, Baker and Harry must change their passwords the next time they log in, as an administrator configured using the aaa authentication password local require-change force command on page 210.

hostname (config) # show usernames password-status
USERNAME   FULL NAME              LOCAL PASSWORD AGE   CHANGE REQUIRED?
baker                             11h 35m 44s          yes (*)
harry                             7h 20m 29s           yes (*)
admin      System Administrator   21d 11h 32m 41s      no
.
.
* Password change required by administrator regardless of age
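Taken together, show usernames and show usernames password-status give enough to audit the local accounts on an appliance: who has a local password, how old it is, whether a change is being forced, which accounts are locked out, and whether the built-in admin account accepts remote logins. The Python below is an added example, not FireEye code. It slices both fixed-width tables at the header's column offsets, so empty FULL NAME cells and multi-word statuses stay in the right columns, and then applies a policy whose thresholds and choice of findings are this example's assumptions. The sample tables are constructed from the examples above.

```python
"""Audit account state from `show usernames` and `show usernames password-status`.

Added example, not FireEye code. The two table layouts and the sample rows are
taken from the documented examples; the checks (remote admin login enabled,
locked-out accounts, local passwords older than max_age_days with no forced
change) are this example's own policy assumptions.
"""
import re

# Constructed samples, copied from the documented example outputs.
USERNAMES = """\
USERNAME   FULL NAME              ROLE       ACCOUNT STATUS
admin      System Administrator   admin      Password set
amy        Amy Johnson            auditor    Local login disabled
analysis   Malware Analysis User  analyst    Account locked out
cmcrendv   CMC Rendezvous User    cmcrendv   Local password login disabled
jose       Jose Garcia            monitor    Password set
monitor    System Monitor         monitor    Account disabled
operator   System Operator        operator   Password set
Remote access for admin user: enabled
"""

PASSWORD_STATUS = """\
USERNAME   FULL NAME              LOCAL PASSWORD AGE   CHANGE REQUIRED?
baker                             11h 35m 44s          yes (*)
harry                             7h 20m 29s           yes (*)
admin      System Administrator   21d 11h 32m 41s      no
* Password change required by administrator regardless of age
"""

UNIT_SECONDS = {"d": 86400, "h": 3600, "m": 60, "s": 1}


def parse_table(text):
    """Parse a fixed-width CLI table using the header's column positions.

    Cells may be empty (FULL NAME for baker) and may contain single spaces
    (FULL NAME, ACCOUNT STATUS), so splitting on whitespace would misalign
    columns; slicing at the header offsets does not.
    """
    lines = [l for l in text.splitlines() if l.strip()]
    header, body = lines[0], lines[1:]
    cols = [(m.group(), m.start()) for m in re.finditer(r"\S+(?: \S+)*", header)]
    starts = [s for _, s in cols] + [None]
    rows = []
    for line in body:
        if line.startswith(("*", ".")) or ":" in line:
            continue  # footnotes, ellipsis rows and trailing key: value lines
        rows.append({name: line[starts[i]:starts[i + 1]].strip()
                     for i, (name, _) in enumerate(cols)})
    return rows


def age_seconds(spec):
    """'21d 11h 32m 41s' -> seconds."""
    return sum(int(n) * UNIT_SECONDS[u] for n, u in re.findall(r"(\d+)([dhms])", spec))


def audit_accounts(usernames_out, password_status_out, max_age_days=90):
    """Return human-readable findings; an empty list means nothing to act on."""
    findings = []
    if "Remote access for admin user: enabled" in usernames_out:
        findings.append("built-in admin account accepts remote logins")
    for acct in parse_table(usernames_out):
        if acct["ACCOUNT STATUS"] == "Account locked out":
            findings.append("%s is locked out (check for failed-login bursts)" % acct["USERNAME"])
    for row in parse_table(password_status_out):
        if (age_seconds(row["LOCAL PASSWORD AGE"]) > max_age_days * 86400
                and not row["CHANGE REQUIRED?"].startswith("yes")):
            findings.append("%s: local password is %s old and no change is required"
                            % (row["USERNAME"], row["LOCAL PASSWORD AGE"]))
    return findings
```

With the documented samples the audit reports the remote-admin setting and the locked-out analysis account; lowering max_age_days below 21 additionally reports the admin account, whose 21-day-old password is not being forced to change.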
show version Displays information about the installed version of the FireEye appliance boot image, recent patches, and Dynamic Threat Intelligence (DTI) status.
Syntax show version [concise]
Parameters concise
Displays the version information on one line without the field names.
Examples The following example shows the version information on a CM Series 7.6.0 platform:

hostname # show version
Product name:      CMS [licensed]
Product model:     FireEyeCMS4400
Product release:   CMS (CMS) 7.6.0.347971
Build ID:          #347971
Build date:        2015-04-26 16:26:55
Build arch:        x86_64
Built by:          root@vta114
Version summary:   cms CMS (CMS) 7.6.0.347971 #347971 2015-04-26 16:26:55 x86_64 build@vta114:FireEye/mammoth-dev (eng debug)
Appliance ID:      0025908754E0
Product model:     FireEyeCMS4400
Host ID:           67b4b3c43ae6
System serial num: FM1349CA03R
System UUID:       49434d53-0200-ba51-e290-51bae290d1a9
Uptime:            9h 14m 45.180s
CPU load averages: 0.16 / 0.24 / 0.30
Number of CPUs:    8
System memory:     1684 MB used / 62859 MB free / 64543 MB total
Swap:              0 MB used / 32768 MB free / 32768 MB total
The following example shows partial output of the version information on the Essentials edition of an NX Series 7.7.1 appliance:

hostname # show version
Product name:      Web MPS [licensed]
Product model:     FireEye4400
Product edition:   Essentials
Bandwidth:         100 Mb
Product release:   wMPS (wMPS) 7.7.0.430723
Build ID:          #433150
Build date:        2015-12-21 22:19:51
Build arch:        x86_64
Built by:          root@vta108
Version summary:   wmps wMPS (wMPS) 7.7.0.430723 #433150 2015-12-21 22:19:51 x86_64 root@vta1084:FireEye/nx-lite-dev (eng debug)
. . .
User Role Administrator, Monitor, or Operator
Command Mode Enable
Release Information This command was introduced as follows:
  • AX Series: Before Release 7.5
  • EX Series: Before Release 7.5
  • FX Series: Before Release 7.5
  • NX Series: Before Release 7.5
  • CM Series: Before Release 7.5
Related Commands For a list of related commands, see Appliance Boot Image Commands on page 58.
show web To display the current FireEye appliance Web-based management console configuration, use the show web command in enable mode.
Syntax show web
User Role Administrator, Monitor, or Operator
Release Information Command introduced as follows:
  • AX Series: Before Release 6.4.0.
  • CM Series: Before Release 6.4.0. Command output changed in Release 7.9.1.
  • EX Series: Before Release 6.4.0.
  • FX Series: Before Release 6.4.0.
  • HX Series: Release 3.0.0.
  • NX Series: Before Release 6.4.0. Command output changed in Release 7.9.1.
  • VX Series: Release 7.9.0. Command output changed in Release 7.9.1.
Parameters None
Example The following example displays the Web-based management console configuration.

hostname # show web
Web User Interface server:
  Web interface enabled:           yes
  HTTP enabled:                    yes
  HTTP port:                       80
  HTTP redirect to HTTPS:          yes
  HTTPS enabled:                   yes
  HTTPS port:                      443
  HTTPS protocols:                 TLSv1
  HTTPS minimum protocol version:  TLSv1
  HTTPS cipher list:               compatible
  HTTPS certificate name:          web-cert
  HTTPS CA chain name:             apache05
  Listen enabled:                  yes
  Listen Interfaces:
    Interface: ether1
  Inactivity timeout:              15 min
  Session timeout:                 2 hr 30 min
  Session renewal:                 30 min
Web file transfer proxy:
  Proxy enabled: no
Web file transfer certificate authority:
  HTTPS server cert verify:    yes
  HTTPS supplemental CA list:  default-ca-list
Web preferences:
  Global alerts auto refresh enabled: yes
HTTPS client minimum protocol version: TLSv1
HTTPS client cipher list:              compatible
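The example above shows a management interface tuned for compatibility rather than hardening: plaintext HTTP is enabled (though redirected to HTTPS), the minimum TLS version is TLSv1 for both the server and the outbound HTTPS client, and both cipher lists are the compatible set. The following Python is an added example, not FireEye code: it parses saved show web output and reports the settings a reviewer would want changed. The policy (a TLS 1.2 floor, since TLS 1.0 and 1.1 are deprecated by RFC 8996; no HTTP without redirect; a named cipher list; a 15-minute inactivity ceiling) and the reading of compatible as the broad legacy cipher set are this example's assumptions. The sample is constructed from the output above.

```python
"""Audit `show web` output for weak management-interface settings.

Added example, not FireEye code. Field names and sample values come from the
documented example; the policy (MIN_TLS floor, no un-redirected HTTP, a named
cipher list instead of "compatible", MAX_IDLE_MIN inactivity ceiling) and the
treatment of "compatible" as the legacy cipher set are this example's assumptions.
"""
import re

# Constructed sample, copied from the documented `show web` output.
SAMPLE = """\
Web User Interface server:
  Web interface enabled:           yes
  HTTP enabled:                    yes
  HTTP port:                       80
  HTTP redirect to HTTPS:          yes
  HTTPS enabled:                   yes
  HTTPS port:                      443
  HTTPS protocols:                 TLSv1
  HTTPS minimum protocol version:  TLSv1
  HTTPS cipher list:               compatible
  HTTPS certificate name:          web-cert
  HTTPS CA chain name:             apache05
  Inactivity timeout:              15 min
  Session timeout:                 2 hr 30 min
  Session renewal:                 30 min
Web file transfer certificate authority:
  HTTPS server cert verify:    yes
HTTPS client minimum protocol version: TLSv1
HTTPS client cipher list:              compatible
"""

TLS_RANK = {"SSLv3": 0, "TLSv1": 1, "TLSv1.1": 2, "TLSv1.2": 3, "TLSv1.3": 4}
MIN_TLS = "TLSv1.2"      # assumption: TLS 1.0/1.1 are deprecated (RFC 8996)
MAX_IDLE_MIN = 15        # assumption: longest acceptable idle session


def parse_show_web(text):
    """'Key: value' lines into a dict; section headers (no value) are ignored."""
    settings = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():
            settings[key.strip()] = value.strip()
    return settings


def to_minutes(spec):
    """Convert '2 hr 30 min' or '15 min' into a number of minutes."""
    return sum(int(n) * (60 if unit == "hr" else 1)
               for n, unit in re.findall(r"(\d+)\s*(hr|min)", spec))


def web_findings(text):
    """Return the settings that violate the policy; empty means compliant."""
    s = parse_show_web(text)
    findings = []
    for key in ("HTTPS minimum protocol version", "HTTPS client minimum protocol version"):
        v = s.get(key)
        if v in TLS_RANK and TLS_RANK[v] < TLS_RANK[MIN_TLS]:
            findings.append("%s is %s; require %s or later" % (key, v, MIN_TLS))
    if s.get("HTTP enabled") == "yes" and s.get("HTTP redirect to HTTPS") != "yes":
        findings.append("plaintext HTTP on port %s without redirect to HTTPS" % s.get("HTTP port"))
    for key in ("HTTPS cipher list", "HTTPS client cipher list"):
        if s.get(key) == "compatible":
            findings.append("%s uses the broad 'compatible' set; pin a modern list" % key)
    if s.get("HTTPS server cert verify") != "yes":
        findings.append("outbound HTTPS server certificates are not verified")
    idle = to_minutes(s.get("Inactivity timeout", "0 min"))
    if idle > MAX_IDLE_MIN:
        findings.append("inactivity timeout %d min exceeds %d" % (idle, MAX_IDLE_MIN))
    return findings
```

Against the documented output the audit raises four findings: the server and client TLS floors, and the two compatible cipher lists. The outbound client settings matter as much as the listener's, because the appliance uses them when it fetches files and contacts other services.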
show web-analysis greylists dump-files Displays the greylist dump files that are generated for analysis.
Syntax show web-analysis greylists dump-files
Parameters None
Example The following example displays the greylist dump files:

hostname # show web-analysis greylists dump-files
priority-threshold-dev4200D-02-20100207-003218.csv
priority-threshold-dev4200D-02-20100207-003315.csv
priority-threshold-dev4200D-02-20100207-003306.csv
User Role Administrator, Operator, Monitor, or Analyst
Command Mode Enable
Release Information This command was introduced as follows:
  • NX Series: Before Release 7.5
Related Commands For a list of related commands, see Web Analysis Command Family on page 129.
show web-analysis greylists ips Displays the IP addresses contained in a specified greylist file that was generated for analysis.
Syntax show web-analysis greylists ips name <name>
Parameters name <name>
  The greylist file whose IP addresses are displayed.
Example The following example displays the IP addresses in the specified greylist file for a malicious rule match:

hostname # show web-analysis greylists ips name list55
223.166.77.200
211.31.87.186
User Role Administrator, Operator, Monitor, or Analyst
Command Mode Enable
Release Information This command was introduced as follows:
  • NX Series: Before Release 7.5
Related Commands For a list of related commands, see Web Analysis Command Family on page 129.
show web-analysis greylists urls Displays the URLs contained in a specified greylist file that was generated for analysis.
Syntax show web-analysis greylists urls name <name>
Parameters name <name>
  The greylist file whose URLs are displayed.
Example The following example displays the URLs in the specified greylist file for a malicious rule match:

hostname # show web-analysis greylists urls name test
www.fireeye.com/
www.google.com/
www.yahoo.com
User Role Administrator, Operator, Monitor, or Analyst
Command Mode Enable
Release Information This command was introduced as follows:
  • NX Series: Before Release 7.5
Related Commands For a list of related commands, see Web Analysis Command Family on page 129.
show web-analysis greylists Displays the greylist files that contain either IP addresses or URLs that are generated for analysis.
Syntax show web-analysis greylists
Parameters None
Example The following example displays the greylist files that contain URLs or IP addresses:

hostname # show web-analysis greylists
Custom IP Greylists:
% No IP Greylists Configured.
Custom URL Greylists:
Name   Priority   Version    Downloaded            Released
web7   15.0       10.5.1.0   2014/07/25 01:07:57   2013/07/22 21:30:12
User Role Administrator, Operator, Monitor, or Analyst
Command Mode Enable
Release Information This command was introduced as follows:
  • NX Series: Before Release 7.5
Related Commands For a list of related commands, see Web Analysis Command Family on page 129.
show web-analysis ports Displays a list of Web ports on which traffic is captured for analysis.
Syntax show web-analysis ports
Parameters None
Example The following example displays the Web ports on which HTTP traffic is captured for analys:

hostname # show web-analysis ports
web port list : 80, 8080
User Role Administrator, Operator, Monitor, or Analyst
Command Mode Enable
Release Information This command was introduced as follows:
  • NX Series: Before Release 7.5
Related Commands For a list of related commands, see Web Analysis Command Family on page 129.
show web-analysis stats Displays the statistics based on the Web traffic that the NX Series appliance monitors in your network.
Syntax show web-analysis stats
Parameters None
Output Fields The following table describes the output fields for the show web-analysis stats command. Fields are listed in the approximate order in which they appear in the output.

  Confirmed Incidents   Total number of incidents confirmed per minute for URLs.
  Incidents             Total number of incidents generated per minute for URLs.
  Workorders            Total number of work orders generated per minute for URLs.
  Sources               Total number of incoming source IP addresses seen per minute.
  Flows                 Total number of flows detected per minute.
  PDFs                  Total number of incoming PDFs detected per minute.
  URLs                  Total number of incoming URLs detected per minute.
  Packets               Total number of incoming packets detected per second.
  Gigabytes             Total number of gigabytes tracked per minute and per second.
  Webpcaf Packet Loss   Percentage of packets in the queue or submitted to FireEye Unified Multiflow Engine (FUME) that were lost.
  Internal Packet Loss  Percentage of packets that were dropped internally while processing Web traffic.
  Total Packet Loss     Total percentage of packet loss.
  Asymmetric Flows      Percentage of monitored Web traffic flows that are asymmetric (only one direction of the conversation is seen).
  Missing Packet Flows  Percentage of monitored Web traffic flows with missing packets.
  Data Loss             Percentage of data loss in monitored Web traffic.
Example The following example displays the statistics based on the Web traffic that the NX Series appliance monitors in your network:

hostname # show web-analysis stats
Start: 9/11/15 23:39:32   Elapsed: 5002m 17.909s   Duration: 5002m 18.000s
Browsing Hours: 0.2hrs   Run Mode: normal
Average Greylist Priority Boost: 0.000
Priority File Version: 387   Correlation File Version: 339

Summary Statistics
Statistic               Total      Rate/minute
Confirmed Incidents:    0          0.000
Incidents:              0          0.000
Workorders:             0          0.000
Sources:                1860       0.372
Flows:                  1860       0.372
PDFs:                   0          0.000
URLs:                   1860       0.372

Statistic               Total      Rate/second
Packets:                847420     2.82 (all pkts)
Gigabytes:              0.51       0.00 (ether layer)
Gigabits:               4.10       0.00 (ether layer)

Webpcaf Packet Loss:    0.0
Internal Packet Loss:   0.0
Total Packet Loss:      0.0
Asymmetric Flows:       0.0
Missing Packet Flows:   0.0
Data Loss:              0.0
User Role Administrator, Operator, Monitor, or Analyst
Command Mode Enable
Release Information This command was introduced as follows: l
NX Series: Before Release 7.5. The command output was enhanced to display the additional statistics from FUME in Release 7.7.
Related Commands For a list of related commands, see Web Analysis Command Family on page 129.
© 2016 FireEye
1999
CLI Reference Guide
PART III: Commands
show web-incident done
Displays a list of all the Web incident jobs that have been completed. This command returns information such as the type of file and status of the malware submission. You can display up to 100 jobs by default.
Syntax show web-incident done [limit ]
Parameters
limit    (Optional) Displays the specified number of Web incident jobs that have been completed. A higher number might increase command response time.
Output Fields
The following table describes the output fields for the show web-incident done command. Fields are listed in the approximate order in which they appear in the output.
Field                     Description
Web Incident ID           Specific Web incident job number.
Submission ID             Specific malware submission job number.
Submission name           Name of malware submission.
Source IpAddress          IP address of the source.
Destination IpAddress     IP address of the destination.
Status                    Whether the analysis succeeded or failed.
Malicious                 Whether the malware submission job was detected as malicious.
Examples The following example displays up to three Web incident jobs:
hostname # show web-incident done limit 3
Web Incident ID: 5782
Submission ID: 523
Submission name : http://www.rxktpnjr.cjb.net/63bhputj/?2
Source IpAddress : 6.169.35.252
Destination IpAddress : 93.7.86.79
File type : url
Status : success
Malicious : YES

Web Incident ID: 5779
Submission ID: 520
Submission name : http://www.megaupload.com/?c=account&n=1
Source IpAddress : 103.106.113.43
Destination IpAddress : 96.224.94.22
File type : url
Status : success
Malicious : NO

Submission ID: 522
Submission name : http://www.megaupload.com/?c=filemanager
Source IpAddress : 103.106.113.43
Destination IpAddress : 96.224.94.22
File type : url
Status : success
Malicious : NO
User Role Administrator, Monitor, or Analyst
Command Mode Enable
Release Information This command was introduced as follows:
- NX Series: Release 7.7
- EX Series: Release 7.8
Related Commands For a list of related commands, see Web Incident Command Family on page 130.
show web-incident dst
Displays the Web incident jobs based on a destination IP address. You can display up to 100 jobs by default.
Syntax show web-incident dst [limit ]
Parameters
limit    (Optional) Displays the specified number of Web incident entries that are based on a destination IP address. A higher number might increase command response time.
Output Fields
The following table describes the output fields for the show web-incident dst command. Fields are listed in the approximate order in which they appear in the output.
Field                     Description
Web Incident ID           Specific Web incident job number.
Submission ID             Specific malware submission job number.
Submission name           Name of malware submission.
Source IpAddress          IP address of the source.
Destination IpAddress     IP address of the destination.
File type                 File type that is associated with the malware submission job.
Status                    Whether the analysis succeeded or failed.
Malicious                 Whether the malware submission was detected as malicious.
Examples The following example displays the Web incident job that is associated with the malware submission based on a particular destination IP address:
hostname # show web-incident dst 49.76.73.107
Web Incident ID: 5757
Submission ID: 496
Submission name : http://utrust.in.ua/isj60tz/?3
Source IpAddress : 78.37.42.174
Destination IpAddress : 49.76.73.107
File type : url
Status : success
Malicious : YES
User Role Administrator, Monitor, or Analyst
Command Mode Enable
Release Information This command was introduced as follows:
- NX Series: Release 7.7
- EX Series: Release 7.8
Related Commands For a list of related commands, see Web Incident Command Family on page 130.
show web-incident id
Displays information for a specific Web incident job number.
Syntax show web-incident id
Parameters None
Output Fields
The following table describes the output fields for the show web-incident id command. Fields are listed in the approximate order in which they appear in the output.
Field                     Description
Web Incident ID           Specific Web incident job number.
Submission ID             Specific malware submission job number.
Submission name           Name of malware submission.
Source IpAddress          IP address of the source.
Destination IpAddress     IP address of the destination.
File type                 File type that is associated with the malware submission job.
Status                    Whether the analysis succeeded or failed.
Malicious                 Whether the malware submission job was detected as malicious.
Examples The following example displays the information about Web incident job number 5713:
hostname # show web-incident id 5713
Web Incident ID: 5713
Submission ID: 449
Submission name : http://e1.1c43e1.385aa4d.2080b.4b6569.057747.heziawei270.hairgasoline.in/
Source IpAddress : 84.36.214.19
Destination IpAddress : 76.244.17.92
File type : url
Status : success
Malicious : YES
User Role Administrator, Monitor, or Analyst
Command Mode Enable
Release Information This command was introduced as follows:
- NX Series: Release 7.7
- EX Series: Release 7.8
Related Commands For a list of related commands, see Web Incident Command Family on page 130.
show web-incident limit
Displays information for the specified number of Web incident jobs. You can display up to 100 jobs by default.
Syntax show web-incident limit
Parameters
Number of entries that are displayed. A higher number might increase command response time.
Output Fields
The following table describes the output fields for the show web-incident limit command. Fields are listed in the approximate order in which they appear in the output.
Field                     Description
Web Incident ID           Specific Web incident job number.
Submission ID             Specific malware submission job number.
Submission name           Name of malware submission.
Source IpAddress          IP address of the source.
Destination IpAddress     IP address of the destination.
File type                 File type that is associated with the malware submission job.
Status                    Whether the analysis succeeded or failed.
Malicious                 Whether the malware submission was detected as malicious.
Examples The following example displays the information for five Web incident jobs:
hostname # show web-incident limit 5
Web Incident ID: 2435446
Submission ID: 139075
Submission name : http://www.popularmechanics.com/
Source IpAddress : 128.31.190.67
Destination IpAddress : 128.118.22.183
File type : url
Status : running

Web Incident ID: 2435268
Submission ID: 139069
Submission name : http://coolrom.com/roms/snes/
Source IpAddress : 128.95.251.173
Destination IpAddress : 128.180.218.181
File type : url
Status : no_profile_match
Malicious : NO

Web Incident ID: 2435584
Submission ID: 139070
Submission name : http://r13---sna5m7lner.c.youtube.com/videoplayback?id=a7d9a6861ff0be40&itag=134&source=youtube&cp=U0hVSFRTV19KUENONV9MTUFKOnBpYldtSVRRbnVT&ratebypass=yes&gir=yes&clen=5123910&lmt=1360904184336838&sver=3&fexp=932200,914051,916611,930501,920704,912806,902000,919512,929901,913605,906938,931202,931203,931401,908529,930803,920201,929602,930101,930603,900824&upn=w0qWqUxaQFg&cpn=7zmR0HJGIfvqGTdl&ip=137.151.175.186&ipbits=8&expire=1363489956&sparams=ip,ipbits,expire,id,itag,source,cp,ratebypass,gir,clen,lmt&signature=3AAA3D5EF852A0301B453DD6DB7A661614D89A4A.03D27
Source IpAddress : 128.53.30.85
Destination IpAddress : 128.100.245.179
File type : url
Status : running

Web Incident ID: 2435578
Submission ID: 139063
Submission name : http://crossdresserdate.xmatch.com/p/main.cgi?dcb=crossdresserdate.xmatch.com
Source IpAddress : 128.84.48.36
Destination IpAddress : 128.191.12.159
File type : url
Status : running

Web Incident ID: 2435592
Submission ID: 139079
Submission name : http://csearch.naver.com/twitter/search.naver?where=uio&is_utf8=1&display=1&q_me2User=tymee&q_twitUser=tymee_&uio_type=1&_callback=nhn.uio.snsgroup_ellipsis.callback
Source IpAddress : 128.144.66.141
Destination IpAddress : 128.7.31.101
File type : url
Status : running
User Role Administrator, Monitor, or Analyst
Command Mode Enable
Release Information This command was introduced as follows:
- NX Series: Release 7.7
- EX Series: Release 7.8
Related Commands For a list of related commands, see Web Incident Command Family on page 130.
show web-incident malicious
Displays information about the Web incident jobs that are marked as malicious. You can display up to 100 jobs by default.
Syntax show web-incident malicious [limit ]
Parameters
limit    (Optional) Displays the specified number of entries that are marked as malicious. A higher number might increase command response time.
Output Fields
The following table describes the output fields for the show web-incident malicious command. Fields are listed in the approximate order in which they appear in the output.
Field                     Description
Web Incident ID           Specific Web incident job number.
Submission ID             Specific malware submission job number.
Submission name           Name of malware submission.
Source IpAddress          IP address of the source.
Destination IpAddress     IP address of the destination.
File type                 File type that is associated with the malware submission job.
Status                    Whether the analysis succeeded or failed.
Malicious                 Whether the malware submission was detected as malicious.
Examples The following example displays the information about the Web incident jobs that are marked as malicious:
hostname # show web-incident malicious
Web Incident ID: 5645
Submission ID: 363
Submission name : http://www.sanhoapt.com/board/data/file/test/lndex.html
Source IpAddress : 3.124.152.157
Destination IpAddress : 84.36.238.205
File type : url
Status : success
Malicious : YES

Web Incident ID: 5664
Submission ID: 390
Submission name : http://www.midiaapp.com/data/css/index.html
Source IpAddress : 55.122.111.169
Destination IpAddress : 40.130.48.86
File type : url
Status : success
Malicious : YES

Web Incident ID: 5685
Submission ID: 416
Submission name : http://www.mathlove.kr/shop/log/data/index.html
Source IpAddress : 74.95.252.100
Destination IpAddress : 72.115.10.202
File type : url
Status : success
Malicious : YES

Web Incident ID: 5666
Submission ID: 391
Submission name : http://www.mirage.co.kr/
Source IpAddress : 6.201.100.124
Destination IpAddress : 22.147.117.216
File type : url
Status : success
Malicious : YES

Web Incident ID: 5668
Submission ID: 393
Submission name : http://www.chungjung.co.kr/xl/css.html
Source IpAddress : 64.28.181.208
Destination IpAddress : 2.212.63.220
File type : url
Status : success
Malicious : YES

Web Incident ID: 5605
Submission ID: 314
Submission name : http://www.mathlove.kr/shop/log/data/index.html
Source IpAddress : 10.48.154.65
Destination IpAddress : 104.16.151.75
File type : url
Status : success
Malicious : YES

Web Incident ID: 5683
Submission ID: 414
Submission name : http://www.midiaapp.com/data/css/index.html
Source IpAddress : 7.146.187.207
Destination IpAddress : 71.134.202.179
File type : url
Status : success
Malicious : YES
User Role Administrator, Monitor, or Analyst
Command Mode Enable
Release Information This command was introduced as follows:
- NX Series: Release 7.7
- EX Series: Release 7.8
Related Commands For a list of related commands, see Web Incident Command Family on page 130.
show web-incident src
Displays the Web incident jobs based on a source IP address. You can display up to 100 jobs by default.
Syntax show web-incident src [limit ]
Parameters
limit    (Optional) Displays the specified number of Web incident entries that are based on a source IP address. A higher number might increase command response time.
Output Fields
The following table describes the output fields for the show web-incident src command. Fields are listed in the approximate order in which they appear in the output.
Field                     Description
Web Incident ID           Specific Web incident job number.
Submission ID             Specific malware submission job number.
Submission name           Name of malware submission.
Source IpAddress          IP address of the source.
Destination IpAddress     IP address of the destination.
File type                 File type that is associated with the malware submission job.
Status                    Whether the analysis succeeded or failed.
Malicious                 Whether the malware submission job was detected as malicious.
Examples The following example displays the Web incident jobs based on a particular source IP address:
hostname # show web-incident src 75.82.32.248
Web Incident ID: 6201
Submission ID: 492
Submission name : http://aevego.com/R.html
Source IpAddress : 75.82.32.248
Destination IpAddress : 124.41.203.248
File type : url
Status : success
Malicious : YES
User Role Administrator, Monitor, or Analyst
Command Mode Enable
Release Information This command was introduced as follows:
- NX Series: Release 7.7
- EX Series: Release 7.8
Related Commands For a list of related commands, see Web Incident Command Family on page 130.
show whoami
To display the identity and role of the currently logged-in user, as well as authentication and session information, use the show whoami command in standard mode.
Syntax show whoami
User Role All roles
Release Information This command output was modified as follows:
- NX Series: Release 7.5.0
- CM Series: Release 7.5.0
- EX Series: Release 7.6.0
- AX Series: Release 7.7.0
- FX Series: Release 7.7.0
Description This command displays authentication and session information about the user who is currently logged in. For details about authentication methods and password change policies, see your System Administration Guide or Administration Guide.
Parameters None
Example The following example shows the information that is displayed when Martha runs the command.
hostname > show whoami
Username: marthaj
Local username: marthaj
Full name:
Account Status: Password set
Role: operator
VLAN: not set
Subnet: not set
Password last set: 2014/12/18 23:38:48
Password age: 1 day 6 hr 15 min 46 sec
Password expires: in 88 days 17 hr 44 min 14 sec
Must change password: no
Login time: 2014/12/20 05:54:31.340
Auth method: local (password)
Remote address: 10.10.130.122
Line: pts/0
Session ID: 116797
show workorders all
Displays the workorder information for all malware submissions. The malware submission jobs are listed in ascending order by submission ID.
Syntax show workorders all
Parameters None
Output Fields
The following table describes the output fields for the show workorders all command. Fields are listed in the approximate order in which they appear in the output.
Field                     Description
Submission ID             Specific malware submission job number.
Incident ID               Specific confirmed incident job number.
Malware ID                Specific malware analysis job number.
Source IpAddress          IP address of the source.
Destination IpAddress     IP address of the destination.
File type                 File type that is associated with the malware submission job.
Status                    Whether the analysis succeeded or failed.
Malicious                 Whether the malware submission was detected as malicious.
Analysis Object ID        Analysis object job number that is associated with the malware submission.
Analysis Object Name      Analysis object name that is associated with the malware submission job.
Analysis File Type        Analysis file type that is associated with the malware submission job.
Dynamic Analysis weight   Weight that is assigned to a dynamic analysis job on a particular object.
Dynamic Analysis jobs     Number of dynamic analysis jobs that have been processed on a particular object.
Job ID                    Job number that is associated with the malware submission.
OS Name                   Guest image profile.
Application name          Application used to test the content.
OS Changes weight         Weight assigned based on a correlation between a set of rules and a set of operating system (OS) change activities detected by the virtual machine (VM) during dynamic analysis.
CNC Match weight          Weight that is assigned by a custom rule that is used for callback detection on a VM during dynamic analysis.
Assigned time             Timestamp generated when the malware submission started the detection operation on a VM.
Complete time             Timestamp generated when the malware submission completed the detection operation on a VM.
Job runtime               Time needed to complete the malware submission job.
Examples The following example displays partial output of the workorder information for all malware submissions:
hostname # show workorders all
Submission ID: 27092
Malware ID : 18586
Source IpAddress : 128.120.179.161
Destination IpAddress : 183.62.114.139
File type : zip
Status : submission_duplicate
Original ID : 25861
Malicious : NO

Submission ID: 27093
Source IpAddress : 128.120.179.161
Destination IpAddress : 183.57.148.149
File type : zip
Status : queued

Submission ID: 27094
Incident ID : 27094
Source IpAddress : 121.185.58.215
Destination IpAddress : 57.185.10.245
File type : url
Status : success
Malicious : YES
Analysis Object ID : 20623
Analysis Object Name : http://virgin-altantic.net/news/ask-index.php
Analysis File Type : url
Dynamic Analysis weight : 300
Dynamic Analysis jobs : 2
Job ID : 24253
OS name : win7-sp1
Application name : InternetExplorer 9.0
OS Changes weight : 100
CNC Match weight : 0
Assigned time : 2015-10-30 15:56:57.80557
Complete time : 2015-10-30 15:57:32.91094
Job runtime : 00:00:35.10537
Job ID : 24254
OS name : winxp-sp3
Application name : InternetExplorer 8.0
OS Changes weight : 300
CNC Match weight : 0
Assigned time : 2015-10-30 15:56:57.809846
Complete time : 2015-10-30 16:00:16.754813
Job runtime : 00:03:18.944967
User Role Administrator, Monitor, or Analyst
Command Mode Enable
Release Information This command was introduced as follows:
- NX Series: Before Release 7.5. The command output was enhanced to display the statistics about a specific malware submission job in Release 7.7.
Related Commands For a list of related commands, see Workorder Command Family on page 133.
show workorders done
Displays a list of all completed workorders for the malware submission jobs whose static and dynamic analysis have finished. This command returns information such as the type of file, status of the malware submission, analysis object that is associated with the submission job, and so on. The malware submission jobs are listed in ascending order by submission ID. You can display up to 100 jobs by default.
Syntax show workorders done [limit ]
Parameters
limit    (Optional) Displays the specified number of entries that have completed static and dynamic analysis jobs. A higher number might increase command response time.
Output Fields
The following table describes the output fields for the show workorders done command. Fields are listed in the approximate order in which they appear in the output.
Field                     Description
Submission ID             Specific malware submission job number.
Incident ID               Specific confirmed incident job number.
File type                 File type that is associated with the malware submission job.
Status                    Whether the analysis succeeded or failed.
Malicious                 Whether the malware submission job was detected as malicious.
Analysis Object ID        Analysis object job number that is associated with the malware submission.
Analysis Object Name      Analysis object name that is associated with the malware submission job.
Analysis File Type        Analysis file type that is associated with the malware submission job.
Dynamic Analysis weight   Weight that is assigned to a dynamic analysis job on a particular object.
Dynamic Analysis jobs     Number of dynamic analysis jobs that have been processed on a particular object.
Job ID                    Job number that is associated with the malware submission.
OS name                   Guest image profile.
Application name          Application used to test the content.
OS Changes weight         Weight assigned based on a correlation between a set of rules and a set of operating system (OS) change activities detected by the virtual machine (VM) during dynamic analysis.
CNC Match weight          Weight that is assigned by a custom rule that is used for callback detection on a VM during dynamic analysis.
Assigned time             Timestamp generated when the malware submission started the detection operation on a VM.
Complete time             Timestamp generated when the malware submission completed the detection operation on a VM.
Job runtime               Time needed to complete the malware submission job.
Examples The following example displays a limit of one completed workorder for all malware submissions whose static and dynamic analysis jobs are finished:
hostname # show workorders done limit 1
Submission ID: 27205
Incident ID : 27205
File type : url
Status : success
Malicious : YES
Analysis Object ID : 20700
Analysis Object Name : http://thisone.ishi.4pu.com/openstat/appropriate/promise-ourselves.php
Analysis File Type : url
Dynamic Analysis weight : 100
Dynamic Analysis jobs : 2
Job ID : 24327
OS name : win7-sp1
Application name : Firefox 13.0
OS Changes weight : 100
CNC Match weight : 0
Assigned time : 2015-10-30 17:08:38.748884
Complete time : 2015-10-30 17:09:43.842162
Job runtime : 00:01:05.093278
Job ID : 24328
OS name : winxp-sp3
Application name : Firefox 6.0
OS Changes weight : 100
CNC Match weight : 0
Assigned time : 2015-10-30 17:08:38.787971
Complete time : 2015-10-30 17:09:22.81773
Job runtime : 00:00:44.029759
User Role Administrator, Monitor, or Analyst
Command Mode Enable
Release Information This command was introduced as follows:
- NX Series: Before Release 7.5. The command output was enhanced to display the statistics about a specific malware submission job in Release 7.7.
Related Commands For a list of related commands, see Workorder Command Family on page 133.
show workorders id
Displays workorder information for a specific malware submission job number.
Syntax show workorders id
Parameters None
Output Fields
The following table describes the output fields for the show workorders id command. Fields are listed in the approximate order in which they appear in the output.
Field                     Description
Submission ID             Specific malware submission job number.
Malware ID                Specific malware analysis job number.
Source IpAddress          IP address of the source.
Destination IpAddress     IP address of the destination.
md5sum                    MD5 checksum of the attachment.
File type                 File type that is associated with the malware submission job.
Status                    Whether the analysis succeeded or failed.
Malicious                 Whether the malware submission job was detected as malicious.
Analysis Object ID        Analysis object job number that is associated with the malware submission.
Analysis Object Name      Analysis object name that is associated with the malware submission job.
Analysis File Type        Analysis file type that is associated with the malware submission job.
Static Analysis weight    Weight that is assigned to a static analysis job on a particular object.
Dynamic Analysis weight   Weight that is assigned to a dynamic analysis job on a particular object.
Dynamic Analysis jobs     Number of dynamic analysis jobs that have been processed on a particular object.
Static Analysis jobs      Number of static analysis jobs that have been processed on a particular object.
Job ID                    Job number that is associated with the malware submission.
OS name                   Guest image profile.
Application name          Application used to test the content.
OS Changes weight         Weight assigned based on a correlation between a set of rules and a set of operating system (OS) change activities detected by the virtual machine (VM) during dynamic analysis.
CNC Match weight          Weight that is assigned by a custom rule that is used for callback detection on a VM during dynamic analysis.
Assigned time             Timestamp generated when the malware submission job started the detection operation on a VM.
Complete time             Timestamp generated when the malware submission job completed the detection operation on a VM.
Job runtime               Time needed to complete the malware submission job.
Examples The following example displays the workorder information about job number 1751:
hostname # show workorders id 1751
Submission ID: 1751
Malware ID : 1751
Source IpAddress : 117.108.112.75
Destination IpAddress : 102.81.99.76
md5sum : ffca5eea85bb237901efe8f303a7ae84
File type : exe
Status : success
Malicious : YES
Analysis Object ID : 1581
Analysis Object Name : ffca5eea85bb237901efe8f303a7ae84.bin
Analysis File Type : exe
md5sum : ffca5eea85bb237901efe8f303a7ae84
Static Analysis weight : 100
Dynamic Analysis weight : 100
Dynamic Analysis jobs : 2
Static Analysis jobs : 4
SA engine weight : 100
SA job ID : 6322
SA sub-engine name : clamd
SA sub-engine signature : Win.Trojan.Poseidon-23
SA sub-engine weight : 80
SA engine weight : 100
SA job ID : 6324
SA sub-engine name : malware_intrinsic_analysis
SA sub-engine signature : Dropper.DTI.DroppedFiles
SA sub-engine weight : 100
Job ID : 3128
OS name : winxp-sp3
Application name : Windows Explorer
OS Changes weight : 100
CNC Match weight : 0
Assigned time : 2015-09-14 17:35:35.804376
Complete time : 2015-09-14 17:37:37.570101
Job runtime : 00:02:01.765725
Job ID : 3129
OS name : win7x64-sp1
Application name : Windows Explorer
OS Changes weight : 100
CNC Match weight : 0
Assigned time : 2015-09-14 17:36:18.84481
Complete time : 2015-09-14 17:37:34.460841
Job runtime : 00:01:15.616031
User Role Administrator, Monitor, or Analyst
Command Mode Enable
Release Information This command was introduced as follows:
- NX Series: Before Release 7.5. The command output was enhanced to display the statistics about a specific malware submission job in Release 7.7.
Related Commands For a list of related commands, see Workorder Command Family on page 133.
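The record-style output documented for the show web-incident and show workorders commands above (one "Key : value" pair per line, a header line per record, one "Job ID" line per VM job) is easy to turn into structured data for triage. The following is an added example, not FireEye code; it assumes the layout shown in the manual's examples and runs on constructed sample output.

```python
"""Parser for the 'Key : value' record output of the FireEye CLI commands
'show web-incident ...' and 'show workorders ...' documented above.

Added example, not FireEye code. It assumes the layout of the manual's
examples: one pair per line, a header line starting each record
('Web Incident ID: N' or 'Submission ID: N') and, inside a workorder,
one 'Job ID' line per dynamic-analysis VM job, with the jobs listed last.
"""
import re
from collections import defaultdict

# The key stops at the first colon, so values that contain colons (URLs,
# timestamps) are kept whole.
KV_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9_-]*(?: [A-Za-z0-9_-]+)*)\s*:\s*(.*?)\s*$")


def parse_records(text, start_key):
    """Split output into one dict per record (beginning at `start_key`); each
    'Job ID' line opens a nested dict appended to record['jobs']."""
    records, current = [], {}
    target = current                    # dict receiving the next key/value
    for line in text.splitlines():
        m = KV_RE.match(line)
        if not m:                       # prompt, blank or banner line
            continue
        key, val = m.groups()
        if key == start_key:
            current = target = {key: val}
            records.append(current)
        elif key == "Job ID":
            target = {key: val}
            current.setdefault("jobs", []).append(target)
        else:
            target[key] = val
    return records


def malicious_by_source(records):
    """Source IP -> IDs of its records verdicted 'Malicious : YES', so repeat
    offenders among internal hosts stand out for follow-up."""
    hits = defaultdict(list)
    for rec in records:
        if rec.get("Malicious", "").upper() == "YES":
            rid = rec.get("Web Incident ID") or rec.get("Submission ID")
            hits[rec.get("Source IpAddress", "?")].append(rid)
    return dict(hits)


def runtime_seconds(value):
    """'Job runtime' values look like 00:03:18.944967 (h:m:s.fraction)."""
    h, m, s = value.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def longest_job(record):
    """(Job ID, seconds) of the slowest VM job in a workorder, or None."""
    jobs = record.get("jobs", [])
    if not jobs:
        return None
    slow = max(jobs, key=lambda j: runtime_seconds(j["Job runtime"]))
    return slow["Job ID"], runtime_seconds(slow["Job runtime"])


# Constructed samples in the manual's layout (IDs, IPs and URLs are made up).
WEB_INCIDENTS = """\
hostname # show web-incident malicious
Web Incident ID: 9001
Submission name : http://example.invalid/data/css/index.html
Source IpAddress : 10.0.0.5
Status : success
Malicious : YES
Web Incident ID: 9002
Submission name : http://example.invalid/?c=account&n=1
Source IpAddress : 10.0.0.7
Status : no_profile_match
Malicious : NO
Web Incident ID: 9003
Submission name : http://example.invalid/shop/log/index.html
Source IpAddress : 10.0.0.5
Status : success
Malicious : YES
"""

WORKORDER = """\
hostname # show workorders id 4242
Submission ID: 4242
Source IpAddress : 10.0.0.9
Malicious : YES
Dynamic Analysis jobs : 2
Job ID : 5001
OS name : winxp-sp3
Job runtime : 00:02:01.765725
Job ID : 5002
OS name : win7x64-sp1
Job runtime : 00:01:15.616031
"""
```

Calling parse_records(WEB_INCIDENTS, "Web Incident ID") and then malicious_by_source on the result groups the two YES verdicts under 10.0.0.5; parse_records(WORKORDER, "Submission ID") nests both VM jobs under the single workorder.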
show workorders pending
Displays the workorders from the past 24 hours that are in the queue waiting to be analyzed.
Syntax show workorders pending
Parameters None
Output Fields
The following table describes the output fields for the show workorders pending command. Fields are listed in the approximate order in which they appear in the output.
Field                     Description
Submission ID             Specific malware submission job number.
Source IpAddress          IP address of the source.
Destination IpAddress     IP address of the destination.
File type                 File type that is associated with the malware submission job.
Status                    Status of a specific malware submission job from the past 24 hours that is in the queue waiting to be analyzed.
Examples The following example displays the workorder information for the malware submission jobs that are in the queue:
hostname # show workorders pending
Submission ID: 27551
Source IpAddress : 196.188.179.237
Destination IpAddress : 71.253.175.116
File type : exe
Status : queued

Submission ID: 27552
Source IpAddress : 122.22.47.249
Destination IpAddress : 221.113.63.119
File type : pdf
Status : queued

Submission ID: 27553
Source IpAddress : 196.188.179.237
Destination IpAddress : 23.86.175.255
File type : exe
Status : queued

Submission ID: 27554
Source IpAddress : 232.170.121.63
Destination IpAddress : 42.126.37.35
File type : pdf
Status : queued

Submission ID: 27555
Source IpAddress : 232.170.121.63
Destination IpAddress : 42.126.37.35
File type : exe
Status : queued
User Role Administrator, Monitor, or Analyst
Command Mode Enable
Release Information This command was introduced as follows:
- NX Series: Before Release 7.5. The command output was enhanced to display the statistics about a specific malware submission job in Release 7.7.
Related Commands For a list of related commands, see Workorder Command Family on page 133.
show workorders range Displays the workorder information for a specific range of malware submissions. The malware submission jobs are listed in ascending order by submission ID.
Syntax show workorders range []
Parameters start_range_workorderID
The workorder ID of the first workorder in the range. end_range_workorderID
(Optional) End of the range of the malware submissions.
Output Fields The following table describes the output fields for the show workorders range command. Fields are listed in the approximate order in which they appear in the output. Field
Description
Submission ID
Specific malware submission job number.
Malware ID
Specific malware analysis job number.
Source IpAddress
IP address of the source.
Destination IpAddress
IP address of the destination.
md5sum
Md5 checksum of the attachment.
File type
File type that is associated with the malware submission job.
Status
Whether the analysis succeeded or failed.
Malicious
Whether the malware submission was detected as malicious.
Analysis Object ID
Analysis object job number that is associated with the malware submission.
Analysis Object Name
Analysis object name that is associated with the malware submission job.
© 2016 FireEye
2029
CLI Reference Guide
PART III: Commands
Field
Description
Analysis File Type
Analysis file type that is associated with the malware submission job.
Static Analysis weight
Weight that is assigned to a static analysis job on a particular object.
Dynamic Analysis weight
Weight that is assigned to a dynamic analysis job on a particular object.
Dynamic Analysis jobs
Number of dynamic analysis jobs that have been processed on a particular object.
Static Analysis jobs
Number of static analysis jobs that have been processed on a particular object.
Job ID
Job number that is associated with the malware submission.
OS Name
Guest image profile.
Application name
Application used to test the content.
OS Changes weight
Weight assigned based on a correlation between a set of rules and a set of operating system (OS) change activities detected by the virtual machine (VM) during dynamic analysis.
CNC Match weight
Weight that is assigned by a custom rule that is used for callback detection on a VM during dynamic analysis.
Assigned time
Timestamp generated when the malware submission started the detection operation on a VM.
Complete time
Timestamp generated when the malware submission completed the detection operation on a VM.
Job runtime
Time needed to complete the malware submission job.
Examples The following example displays the workorder information for a specific range of malware submissions:
hostname # show workorders range 1730 1732
Submission ID: 1730
Malware ID              : 1733
Source IpAddress        : 48.119.120.67
Destination IpAddress   : 100.53.48.73
md5sum                  : feb430d8a66fbc095eec1394cb58e2dd
File type               : exe
Status                  : success
Malicious               : YES
Analysis Object ID      : 1568
Analysis Object Name    : feb430d8a66fbc095eec1394cb58e2dd.bin
Analysis File Type      : exe
md5sum                  : feb430d8a66fbc095eec1394cb58e2dd
Static Analysis weight  : 100
Dynamic Analysis weight : 2100
Dynamic Analysis jobs   : 2
Static Analysis jobs    : 4
SA engine weight        : 100
SA job ID               : 6270
SA sub-engine name      : clamd
SA sub-engine signature : Win.Trojan.Cycbot-2623
SA sub-engine weight    : 80
SA sub-engine name      : sophos
SA sub-engine signature : Mal/ZAccess-BL
SA sub-engine weight    : 100
SA engine weight        : 100
SA job ID               : 6272
SA sub-engine name      : avs
SA sub-engine signature : Trojan.Generic
SA sub-engine weight    : 100
SA engine weight        : 100
SA job ID               : 6269
SA sub-engine name      : malware_intrinsic_analysis
SA sub-engine signature : Backdoor.DTI.Cycbot
SA sub-engine weight    : 100
Job ID                  : 3102
OS name                 : winxp-sp3
Application name        : Windows Explorer
OS Changes weight       : 700
CNC Match weight        : 1300
Assigned time           : 2015-09-14 17:02:38.064663
Complete time           : 2015-09-14 17:06:39.897613
Job runtime             : 00:04:01.83295
Job ID                  : 3103
OS name                 : win7x64-sp1
Application name        : Windows Explorer
OS Changes weight       : 700
CNC Match weight        : 1400
Assigned time           : 2015-09-14 17:02:43.078803
Complete time           : 2015-09-14 17:06:47.402008
Job runtime             : 00:04:04.323205
Submission ID: 1731
Malware ID              : 1728
Incident ID             : 4848
Source IpAddress        : 73.50.121.119
Destination IpAddress   : 111.80.48.88
File type               : url
Status                  : timeout
Malicious               : NO
Submission ID: 1732
Malware ID              : 1736
Source IpAddress        : 116.48.102.118
Destination IpAddress   : 65.87.52.107
md5sum                  : feb4a63326cd0b8649e5ad520534efa6
File type               : exe
Status                  : success
Malicious               : YES
Analysis Object ID      : 1569
Analysis Object Name    : feb4a63326cd0b8649e5ad520534efa6.bin
Analysis File Type      : exe
md5sum                  : feb4a63326cd0b8649e5ad520534efa6
Static Analysis weight  : 100
Dynamic Analysis weight : 600
Dynamic Analysis jobs   : 2
Static Analysis jobs    : 4
SA engine weight        : 100
SA job ID               : 6273
SA sub-engine name      : avs
SA sub-engine signature : Trojan.Generic
SA sub-engine weight    : 100
SA engine weight        : 100
SA job ID               : 6274
SA sub-engine name      : clamd
SA sub-engine signature : Trojan.Vbkrypt-150
SA sub-engine weight    : 80
SA sub-engine name      : sophos
SA sub-engine signature : Mal/VBCheMan-C
SA sub-engine weight    : 100
SA engine weight        : 100
SA job ID               : 6276
SA sub-engine name      : malware_intrinsic_analysis
SA sub-engine signature : Virtool.DTI.Vbinject
SA sub-engine weight    : 100
Job ID                  : 3104
OS name                 : winxp-sp3
Application name        : Windows Explorer
OS Changes weight       : 600
CNC Match weight        : 0
Assigned time           : 2015-09-14 17:06:40.276143
Complete time           : 2015-09-14 17:10:51.846534
Job runtime             : 00:04:11.570391
Job ID                  : 3105
OS name                 : win7x64-sp1
Application name        : Windows Explorer
OS Changes weight       : 600
CNC Match weight        : 0
Assigned time           : 2015-09-14 17:06:48.059052
Complete time           : 2015-09-14 17:11:02.739536
Job runtime             : 00:04:14.680484
User Role Administrator, Monitor, or Analyst
Command Mode Enable
Release Information This command was introduced as follows:
NX Series: Before Release 7.5. The command output was enhanced to display the statistics about a specific malware submission job in Release 7.7.
Related Commands For a list of related commands, see Workorder Command Family on page 133.
show workorders running
Displays the workorders for the total number of malware submissions that are currently running and have not yet completed.
Syntax show workorders running
Parameters None
Output Fields The following table describes the output fields for the show workorders running command. Fields are listed in the approximate order in which they appear in the output.
Field
Description
Submission ID
Specific malware submission job number.
Source IpAddress
IP address of the source.
Destination IpAddress
IP address of the destination.
File type
File type that is associated with the malware submission job.
Status
Status of a specific malware submission job that is currently running.
Analysis Object ID
Analysis object job number that is associated with the malware submission.
Analysis Object Name
Analysis object name that is associated with the malware submission job.
Analysis File Type
Analysis file type that is associated with the malware submission job.
md5sum
MD5 checksum of the attachment.
Job ID
Job number that is associated with the malware submission.
OS name
Guest image profile.
Application name
Application used to test content.
OS Changes weight
Weight assigned based on a correlation between a set of rules and a set of operating system (OS) change activities detected by the virtual machine (VM) during dynamic analysis.
CNC Match weight
Weight that is assigned by a custom rule that is used for callback detection on a VM during dynamic analysis.
Assigned time
Timestamp generated when the malware submission started the detection operation on a VM.
Complete time
Timestamp generated when the malware submission completed the detection operation on a VM.
Job runtime
Time needed to complete the malware submission job.
Examples The following example displays the workorders for the total number of malware submissions that are currently running and have not yet completed:
hostname # show workorders running
Submission ID: 21
Source IpAddress        : 117.72.89.116
Destination IpAddress   : 112.82.103.51
md5sum                  : 0325eae405d86ba5b506ea0d90f49290
File type               : exe
Status                  : running
Analysis Object ID      : 21
Analysis Object Name    : 0325eae405d86ba5b506ea0d90f49290.bin
Analysis File Type      : exe
md5sum                  : 0325eae405d86ba5b506ea0d90f49290
SA engine weight        : 0
SA job ID               : 82
SA sub-engine name      : sophos
SA sub-engine signature : Troj/Zegost-GT
SA sub-engine weight    : 100
SA engine weight        : 0
SA job ID               : 84
SA sub-engine name      : malware_intrinsic_analysis
SA sub-engine signature : Dropper.DTI.DroppedFiles
SA sub-engine weight    : 100
Job ID                  : 40
OS name                 : winxp-sp3
Application name        : Windows Explorer
OS Changes weight       : 200
CNC Match weight        : 0
Assigned time           : 2015-09-23 00:32:26.59365
Complete time           : 2015-09-23 00:36:30.301305
Job runtime             : 00:04:03.707655
Job ID                  : 41
OS name                 : win7x64-sp1
Application name        : Windows Explorer
OS Changes weight       : 0
CNC Match weight        : 0
User Role Administrator, Monitor, or Analyst
Command Mode Enable
Release Information This command was introduced as follows:
NX Series: Before Release 7.5. The command output was enhanced to display the statistics about a specific malware submission job in Release 7.7.
Related Commands For a list of related commands, see Workorder Command Family on page 133.
show workorders stats
Displays detailed workorder statistics about the number of malware submissions.
Syntax show workorders stats
Parameters None
Output Fields The following table describes the output fields for the show workorders stats command. Fields are listed in the approximate order in which they appear in the output.
Field
Description
Total number of workorders running
Total number of workorders that are currently being analyzed.
Number of workorders (url) running
Total number of workorders that are currently running for URLs.
Number of workorders (file) running
Total number of workorders for files that are running.
Total number of submissions pending
Total number of malware submissions from the past 24 hours that are currently pending.
Number of submissions (url) pending
Total number of malware submissions from the past 24 hours that are currently pending for URLs.
Number of submissions (file) pending
Total number of malware submissions from the past 24 hours that are currently pending for files.
Total number of submissions running
Total number of malware submissions that are currently running from the past 24 hours.
Number of submissions (url) running
Total number of malware submissions from the past 24 hours that are currently running for URLs.
Number of submissions (file) running
Total number of malware submissions from the past 24 hours that are currently running for files.
Total number of submissions processed
Total number of malware submissions that were processed in the last 24 hours.
Total number of submissions with anomaly
Total number of malware submissions that were detected as malicious after analysis in the last 24 hours.
Examples The following example displays the total number of workorders that are in process, total number of malware submissions that are in the queue waiting to be analyzed, total number of malware submissions that are in process, and cumulative submission statistics for the past 24 hours:
hostname # show workorders stats
Runtime Stats:
Workorder stats:
Total number of workorders running       : 2
Number of workorders(url) running        : 0
Number of workorders(file) running       : 2
Submission stats:
Total number of submissions pending      : 2
Number of submissions(url) pending       : 0
Number of submissions(file) pending      : 2
Total number of submissions running      : 4
Number of submissions(url) running       : 0
Number of submissions(file) running      : 4
Cumulative Stats in timespan between 2015-09-21 17:33:34.153661 to 2015-09-22 17:33:34.153661
Total number of submissions processed    : 26
Total number of submissions with anomaly : 20
Note: For more detailed stats refer to "show submission"
User Role Administrator, Monitor, or Analyst
Command Mode Enable
Release Information This command was introduced as follows:
NX Series: Before Release 7.5. The command output was enhanced to display statistics about the total number of workorders that are in process, total number of malware submissions that are in the queue waiting to be analyzed, total number of malware submissions that are in process, and cumulative submission statistics in Release 7.7.
Related Commands For a list of related commands, see Workorder Command Family on page 133.
show workorders traces dst
Displays the workorder information that is ordered by traces for the malware submissions based on a destination IP address.
Syntax show workorders traces dst
Parameters None
Output Fields The following table describes the output fields for the show workorders traces dst command. Fields are listed in the approximate order in which they appear in the output.
Field
Description
Submission ID
Specific malware submission job number.
Malware ID
Specific malware analysis job number.
Source IpAddress
IP address of the source.
Destination IpAddress
IP address of the destination.
md5sum
MD5 checksum of the attachment.
File type
File type that is associated with the malware submission job.
Status
Whether the analysis succeeded or failed.
Malicious
Whether the malware submission was detected as malicious.
Analysis Object ID
Analysis object job number that is associated with the malware submission.
Analysis Object Name
Analysis object name that is associated with the malware submission job.
Analysis File Type
Analysis file type that is associated with the malware submission job.
Static Analysis weight
Weight that is assigned to a static analysis job on a particular object.
Dynamic Analysis weight
Weight that is assigned to a dynamic analysis job on a particular object.
Dynamic Analysis jobs
Number of dynamic analysis jobs that have been processed on a particular object.
Static Analysis jobs
Number of static analysis jobs that have been processed on a particular object.
Job ID
Job number that is associated with the malware submission.
OS name
Guest image profile.
Application name
Application used to test the content.
OS Changes weight
Weight assigned based on a correlation between a set of rules and a set of operating system (OS) change activities detected by the virtual machine (VM) during dynamic analysis.
CNC Match weight
Weight that is assigned by a custom rule that is used for callback detection on a VM during dynamic analysis.
Assigned time
Timestamp generated when the malware submission job started the detection operation on a VM.
Complete time
Timestamp generated when the malware submission job completed the detection operation on a VM.
Job runtime
Time needed to complete the malware submission job.
Examples The following example displays the workorder information that is ordered by traces for the malware submissions based on a particular destination IP address:
hostname # show workorders traces dst 50.110.99.114
Submission ID: 1741
Malware ID              : 1745
Source IpAddress        : 101.82.55.107
Destination IpAddress   : 50.110.99.114
md5sum                  : feb8f4dcaa7b6f575e1d896dfa0d5580
File type               : exe
Status                  : success
Malicious               : YES
Analysis Object ID      : 1575
Analysis Object Name    : feb8f4dcaa7b6f575e1d896dfa0d5580.bin
Analysis File Type      : exe
md5sum                  : feb8f4dcaa7b6f575e1d896dfa0d5580
Static Analysis weight  : 100
Dynamic Analysis weight : 600
Dynamic Analysis jobs   : 2
Static Analysis jobs    : 4
SA engine weight        : 100
SA job ID               : 6298
SA sub-engine name      : clamd
SA sub-engine signature : Worm.Allaple-306
SA sub-engine weight    : 80
SA sub-engine name      : sophos
SA sub-engine signature : W32/Allaple-F
SA sub-engine weight    : 100
SA engine weight        : 100
SA job ID               : 6300
SA sub-engine name      : malware_intrinsic_analysis
SA sub-engine signature : Worm.DTI.Allaple
SA sub-engine weight    : 100
SA engine weight        : 100
SA job ID               : 6297
SA sub-engine name      : avs
SA sub-engine signature : Worm.Email.Allaple
SA sub-engine weight    : 100
Job ID                  : 3116
OS name                 : winxp-sp3
Application name        : Windows Explorer
OS Changes weight       : 600
CNC Match weight        : 0
Assigned time           : 2015-09-14 17:21:14.787489
Complete time           : 2015-09-14 17:25:15.96968
Job runtime             : 00:04:01.182191
Job ID                  : 3117
OS name                 : win7x64-sp1
Application name        : Windows Explorer
OS Changes weight       : 300
CNC Match weight        : 0
Assigned time           : 2015-09-14 17:21:34.813998
Complete time           : 2015-09-14 17:22:49.255766
Job runtime             : 00:01:14.441768
User Role Administrator, Monitor, or Analyst
Command Mode Enable
Release Information This command was introduced as follows:
NX Series: Before Release 7.5. The command output was enhanced to display the statistics about a specific malware submission job in Release 7.7.
Related Commands For a list of related commands, see Workorder Command Family on page 133.
show workorders traces src
Displays the workorder information that is ordered by traces for the malware submissions based on a source IP address.
Syntax show workorders traces src
Parameters None
Output Fields The following table describes the output fields for the show workorders traces src command. Fields are listed in the approximate order in which they appear in the output.
Field
Description
Submission ID
Specific malware submission job number.
Malware ID
Specific malware analysis job number.
Source IpAddress
IP address of the source.
Destination IpAddress
IP address of the destination.
md5sum
MD5 checksum of the attachment.
File type
File type that is associated with the malware submission job.
Status
Whether the analysis succeeded or failed.
Malicious
Whether the malware submission was detected as malicious.
Analysis Object ID
Analysis object job number that is associated with the malware submission.
Analysis Object Name
Analysis object name that is associated with the malware submission job.
Analysis File Type
Analysis file type that is associated with the malware submission job.
Static Analysis weight
Weight that is assigned to a static analysis job on a particular object.
Dynamic Analysis weight
Weight that is assigned to a dynamic analysis job on a particular object.
Dynamic Analysis jobs
Number of dynamic analysis jobs that have been processed on a particular object.
Static Analysis jobs
Number of static analysis jobs that have been processed on a particular object.
Job ID
Job number that is associated with the malware submission.
OS name
Guest image profile.
Application name
Application used to test the content.
OS Changes weight
Weight assigned based on a correlation between a set of rules and a set of operating system (OS) change activities detected by the virtual machine (VM) during dynamic analysis.
CNC Match weight
Weight that is assigned by a custom rule that is used for callback detection on a VM during dynamic analysis.
Assigned time
Timestamp generated when the malware submission job started the detection operation on a VM.
Complete time
Timestamp generated when the malware submission job completed the detection operation on a VM.
Job runtime
Time needed to complete the malware submission job.
Examples The following example displays the workorder information that is ordered by traces for the malware submissions based on a particular source IP address:
hostname # show workorders traces src 116.98.71.72
Submission ID: 1743
Malware ID              : 1746
Source IpAddress        : 116.98.71.72
Destination IpAddress   : 111.68.67.73
md5sum                  : fefbe2912c3a7203b24315333d9b63bf
File type               : exe
Status                  : success
Malicious               : YES
Analysis Object ID      : 1576
Analysis Object Name    : fefbe2912c3a7203b24315333d9b63bf.bin
Analysis File Type      : exe
md5sum                  : fefbe2912c3a7203b24315333d9b63bf
Static Analysis weight  : 100
Dynamic Analysis weight : 100
Dynamic Analysis jobs   : 2
Static Analysis jobs    : 4
SA engine weight        : 100
SA job ID               : 6302
SA sub-engine name      : pe_sign
SA sub-engine signature : Solimba Aplicaciones S.L.
SA sub-engine weight    : 0
SA sub-engine name      : clamd
SA sub-engine signature : Win.Adware.Solimba-32
SA sub-engine weight    : 80
SA engine weight        : 100
SA job ID               : 6304
SA sub-engine name      : malware_intrinsic_analysis
SA sub-engine signature : Dropper.DTI.DroppedFiles
SA sub-engine weight    : 100
Job ID                  : 3118
OS name                 : winxp-sp3
Application name        : Windows Explorer
OS Changes weight       : 100
CNC Match weight        : 0
Assigned time           : 2015-09-14 17:22:49.876632
Complete time           : 2015-09-14 17:24:52.07346
Job runtime             : 00:02:02.196828
Job ID                  : 3119
OS name                 : win7x64-sp1
Application name        : Windows Explorer
OS Changes weight       : 100
CNC Match weight        : 0
Assigned time           : 2015-09-14 17:24:52.967059
Complete time           : 2015-09-14 17:26:54.859699
Job runtime             : 00:02:01.89264
User Role Administrator, Monitor, or Analyst
Command Mode Enable
Release Information This command was introduced as follows:
NX Series: Before Release 7.5. The command output was enhanced to display the statistics about a specific malware submission job in Release 7.7.
Related Commands For a list of related commands, see Workorder Command Family on page 133.
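The show workorders range, show workorders running, show workorders traces dst and show workorders traces src commands all print the same "Label : value" record layout, so one parser serves all four. The following Python is an added example, not FireEye code and not part of this guide. It assumes only the layout visible in the examples above: a "Submission ID" line opens a record, "SA engine weight" followed by "SA job ID" opens a static-analysis job, "SA sub-engine name" opens a sub-engine entry, and "Job ID" opens a dynamic (VM) job. The sample text is trimmed from the show workorders range output shown earlier. Two checks worth scripting are included: that each VM job's printed runtime agrees with its Assigned and Complete timestamps, and that a submission whose Status is timeout with Malicious: NO is reported as not verdicted rather than clean.

```python
"""Parser for the 'Label : value' records printed by show workorders range,
running, traces dst and traces src. Added example, not FireEye code; it assumes
the layout of the guide's sample output: 'Submission ID: N' opens a record,
'SA engine weight' + 'SA job ID' open a static-analysis job, 'SA sub-engine name'
opens a sub-engine entry and 'Job ID' opens a dynamic (VM) job."""
import re
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^\s*(.+?)\s*:\s*(.*?)\s*$")  # 'Label : value'
TS_FMT = "%Y-%m-%d %H:%M:%S.%f"                     # Assigned/Complete time

# Sample trimmed from the guide's 'show workorders range 1730 1732' output.
SAMPLE = """\
Submission ID: 1730
Malware ID              : 1733
md5sum                  : feb430d8a66fbc095eec1394cb58e2dd
File type               : exe
Status                  : success
Malicious               : YES
Dynamic Analysis weight : 2100
SA engine weight        : 100
SA job ID               : 6270
SA sub-engine name      : clamd
SA sub-engine signature : Win.Trojan.Cycbot-2623
SA sub-engine weight    : 80
SA sub-engine name      : sophos
SA sub-engine signature : Mal/ZAccess-BL
SA sub-engine weight    : 100
Job ID                  : 3102
OS name                 : winxp-sp3
OS Changes weight       : 700
CNC Match weight        : 1300
Assigned time           : 2015-09-14 17:02:38.064663
Complete time           : 2015-09-14 17:06:39.897613
Job runtime             : 00:04:01.83295
Job ID                  : 3103
OS name                 : win7x64-sp1
OS Changes weight       : 700
CNC Match weight        : 1400
Assigned time           : 2015-09-14 17:02:43.078803
Complete time           : 2015-09-14 17:06:47.402008
Job runtime             : 00:04:04.323205
Submission ID: 1731
Malware ID              : 1728
Incident ID             : 4848
File type               : url
Status                  : timeout
Malicious               : NO
"""


def parse_workorders(text):
    """Return one dict per submission, with nested 'sa_jobs' and 'vm_jobs' lists."""
    subs, sub, sa_job, vm_job = [], None, None, None
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue                        # prompt, blank or banner line
        key, value = m.groups()
        if key == "Submission ID":          # a new record starts
            sub = {"Submission ID": value, "sa_jobs": [], "vm_jobs": []}
            subs.append(sub)
            sa_job = vm_job = None
        elif sub is None:
            continue                        # text before the first record
        elif key == "SA job ID":            # the job's engine weight was printed just before it
            sa_job = {"SA job ID": value, "SA engine weight": sub.pop("SA engine weight", None),
                      "sub_engines": []}
            sub["sa_jobs"].append(sa_job)
        elif key == "SA sub-engine name" and sa_job is not None:
            sa_job["sub_engines"].append({"name": value})
        elif key.startswith("SA sub-engine ") and sa_job is not None:
            sa_job["sub_engines"][-1][key[len("SA sub-engine "):]] = value   # signature / weight
        elif key == "Job ID":               # dynamic (VM) job; SA section is over
            vm_job = {"Job ID": value}
            sub["vm_jobs"].append(vm_job)
            sa_job = None
        elif vm_job is not None:
            vm_job[key] = value
        else:
            sub[key] = value
    return subs


def runtime_matches(job, tolerance=0.001):
    """True when the printed Job runtime agrees with Complete time minus Assigned time."""
    measured = (datetime.strptime(job["Complete time"], TS_FMT)
                - datetime.strptime(job["Assigned time"], TS_FMT))
    h, m, s = job["Job runtime"].split(":")
    printed = timedelta(hours=int(h), minutes=int(m), seconds=float(s))
    return abs((measured - printed).total_seconds()) < tolerance


def triage(subs):
    """Map Submission ID to 'malicious', 'clean' or 'unverdicted'. Malicious: NO on a
    submission whose Status is not success (for example timeout) means the object was
    not fully analyzed, which is not the same as a clean verdict."""
    out = {}
    for s in subs:
        if s.get("Malicious") == "YES":
            out[s["Submission ID"]] = "malicious"
        elif s.get("Status") == "success":
            out[s["Submission ID"]] = "clean"
        else:
            out[s["Submission ID"]] = "unverdicted"
    return out
```

Feed the captured output of any of the four commands to parse_workorders; the nested structure keeps each signature attached to the SA job that produced it, and triage separates real clean verdicts from submissions the MVX engine never finished.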
show workorders
Displays detailed workorder statistics about the number of malware submissions that were analyzed during the past 24 hours. A workorder references a task for a malware sample that has been submitted to the Multivector Virtual Execution (MVX) Engine, formerly known as the VXE, for analysis.
Syntax show workorders
Parameters None
Output Fields The following table describes the output fields for the show workorders command. Fields are listed in the approximate order in which they appear in the output.
Field
Description
Total number of workorders running
Total number of workorders that are currently being analyzed.
Number of workorders (url) running
Total number of workorders that are currently running for URLs.
Number of workorders (file) running
Total number of workorders for files that are running.
Total number of submissions pending
Total number of malware submissions from the past 24 hours that are currently pending.
Number of submissions (url) pending
Total number of malware submissions from the past 24 hours that are currently pending for URLs.
Number of submissions (file) pending
Total number of malware submissions from the past 24 hours that are currently pending for files.
Total number of submissions running
Total number of malware submissions that are currently running from the past 24 hours.
Number of submissions (url) running
Total number of malware submissions from the past 24 hours that are currently running for URLs.
Number of submissions (file) running
Total number of malware submissions from the past 24 hours that are currently running for files.
Total number of submissions processed
Total number of malware submissions that were processed in the last 24 hours.
Total number of submissions with anomaly
Total number of malware submissions that were detected as malicious after analysis in the last 24 hours.
Example The following example displays the total number of workorders that are in process, total number of malware submissions that are in the queue waiting to be analyzed, total number of malware submissions that are in process, and cumulative submission statistics for the past 24 hours:
hostname # show workorders
Runtime Stats:
Workorder stats:
Total number of workorders running       : 2
Number of workorders(url) running        : 0
Number of workorders(file) running       : 2
Submission stats:
Total number of submissions pending      : 151
Number of submissions(url) pending       : 0
Number of submissions(file) pending      : 151
Total number of submissions running      : 4
Number of submissions(url) running       : 0
Number of submissions(file) running      : 4
Cumulative Stats in timespan between 2015-09-22 10:32:53.292013 to 2015-09-23 10:32:53.292013
Total number of submissions processed    : 632
Total number of submissions with anomaly : 477
Note: For more detailed stats refer to "show submission"
User Role Administrator, Monitor, or Analyst
Command Mode Enable
Release Information This command was introduced as follows:
NX Series: Before Release 7.5. The command output was enhanced to display statistics about the total number of workorders that are in process, total number of malware submissions that are in the queue waiting to be analyzed, total number of malware submissions that are in process, and cumulative submission statistics in Release 7.7.
Related Commands For a list of related commands, see Workorder Command Family on page 133.
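show workorders stats and show workorders print the same Runtime Stats block, so one parser covers both. The following Python is an added example, not FireEye code and not part of this guide; it reads the counters exactly as they are labelled above, including the (url) and (file) breakdowns, and runs the checks an operator would script against them: that the url and file counts add up to each printed total, what fraction of the last 24 hours' processed submissions were found malicious, and whether the pending queue is deeper than a locally chosen threshold. The threshold value is an assumption for illustration, not a FireEye setting; the sample is the show workorders output shown above.

```python
"""Parser and sanity checks for the counters printed by show workorders stats and
show workorders (both print the same Runtime Stats block). Added example, not
FireEye code; labels and layout follow the guide's sample output. The pending
threshold is an assumed local policy value, not a FireEye setting."""
import re

COUNTER_RE = re.compile(
    r"^\s*(?:Total number of|Number of) (workorders|submissions)\s*"
    r"(?:\((url|file)\))?\s*(running|pending|processed|with anomaly)\s*:\s*(\d+)\s*$")
WINDOW_RE = re.compile(r"Cumulative Stats in timespan between (\S+ \S+) to (\S+ \S+)")

# Sample taken from the guide's 'show workorders' example output.
SAMPLE = """\
Runtime Stats:
Workorder stats:
Total number of workorders running       : 2
Number of workorders(url) running        : 0
Number of workorders(file) running       : 2
Submission stats:
Total number of submissions pending      : 151
Number of submissions(url) pending       : 0
Number of submissions(file) pending      : 151
Total number of submissions running      : 4
Number of submissions(url) running       : 0
Number of submissions(file) running      : 4
Cumulative Stats in timespan between 2015-09-22 10:32:53.292013 to 2015-09-23 10:32:53.292013
Total number of submissions processed    : 632
Total number of submissions with anomaly : 477
Note: For more detailed stats refer to "show submission"
"""


def parse_stats(text):
    """Return counters keyed '<kind>.<state>.<scope>' (e.g. 'submissions.pending.file',
    scope 'total' when no breakdown is printed) plus 'window' = (start, end) of the
    cumulative span."""
    stats = {}
    for line in text.splitlines():
        m = COUNTER_RE.match(line)
        if m:
            kind, scope, state, n = m.groups()
            stats[f"{kind}.{state.replace(' ', '_')}.{scope or 'total'}"] = int(n)
            continue
        m = WINDOW_RE.search(line)
        if m:
            stats["window"] = (m.group(1), m.group(2))
    return stats


def split_mismatches(stats):
    """Names of counters whose url + file parts do not add up to the printed total;
    a non-empty result usually means a truncated capture or a parser mismatch."""
    bad = []
    for group in ("workorders.running", "submissions.pending", "submissions.running"):
        total = stats.get(f"{group}.total")
        parts = stats.get(f"{group}.url", 0) + stats.get(f"{group}.file", 0)
        if total is not None and total != parts:
            bad.append(group)
    return bad


def anomaly_rate(stats):
    """Fraction of the window's processed submissions that were found malicious."""
    processed = stats.get("submissions.processed.total", 0)
    return stats.get("submissions.with_anomaly.total", 0) / processed if processed else 0.0


def backlog_alert(stats, pending_threshold=100):
    """True when the pending queue exceeds the (assumed) local threshold; a deep queue
    means verdicts arrive well after the traffic that produced the submissions."""
    return stats.get("submissions.pending.total", 0) > pending_threshold
```

Run against periodic captures, the backlog check is the useful one: the show workorders stats example above shows 2 pending submissions, the show workorders example shows 151, and a queue that keeps growing between captures means the appliance is falling behind the traffic it is asked to analyze.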
show wsapi
Description This command shows the current settings of the Web Services API Server.
Platform CM-Series
Release This command was introduced on the CM Series 7.1.0 release.
Related Commands wsapi and wsapi rtstats
Syntax show wsapi
Output
wsapi status:
Server Enabled       : yes
Current State        : running
Max Alerts           : 200
Max Minute Threshold : 10
Max Day Threshold    : 1000
Technical Support
For technical support, contact FireEye in the following ways:
Visit the FireEye Customer Support Portal (login required): https://csportal.fireeye.com
Call us at 1-877-FIREEYE (USA); +44 203 106 4828 (UK); +1 408.321.6300 (Outside the USA)
Email us at [email protected]
Documentation Documentation for all FireEye products is available on the FireEye documentation portal: https://docs.fireeye.com/
FireEye, Inc. | 1440 McCarthy Blvd. | Milpitas, CA | 1.408.321.6300 | 1.877.FIREEYE
[email protected] | www.fireeye.com © 2016 FireEye, Inc. All rights reserved. FireEye is a registered trademark of FireEye, Inc. All other brands, products, or service names are or may be trademarks or service marks of their respective owners.