Name: ProxySG

Text: Blue Coat® Systems
ProxySG® Appliance

Volume 11: Command Line Interface Reference

Version SGOS 5.3.x

Contact Information
Blue Coat Systems Inc.
420 North Mary Ave
Sunnyvale, CA 94085-4121
http://www.bluecoat.com/support/contactsupport
[email protected]
http://www.bluecoat.com

For concerns or feedback about the documentation: [email protected]

Copyright© 1999-2008 Blue Coat Systems, Inc. All rights reserved worldwide. No part of this document may be
reproduced by any means nor modified, decompiled, disassembled, published or distributed, in whole or in part, or
translated to any electronic medium or other means without the written consent of Blue Coat Systems, Inc. All right, title
and interest in and to the Software and documentation are and shall remain the exclusive property of Blue Coat Systems,
Inc. and its licensors. ProxyAV™, CacheOS™, SGOS™, SG™, Spyware Interceptor™, Scope™, ProxyRA Connector™,
ProxyRA Manager™, Remote Access™ and MACH5™ are trademarks of Blue Coat Systems, Inc. and CacheFlow®, Blue
Coat®, Accelerating The Internet®, ProxySG®, WinProxy®, AccessNow®, Ositis®, Powering Internet Management®, The
Ultimate Internet Sharing Solution®, Cerberian®, Permeo®, Permeo Technologies, Inc.®, and the Cerberian and Permeo
logos are registered trademarks of Blue Coat Systems, Inc. All other trademarks contained in this document and in the
Software are the property of their respective owners.
BLUE COAT SYSTEMS, INC. DISCLAIMS ALL WARRANTIES, CONDITIONS OR OTHER TERMS, EXPRESS OR
IMPLIED, STATUTORY OR OTHERWISE, ON SOFTWARE AND DOCUMENTATION FURNISHED HEREUNDER
INCLUDING WITHOUT LIMITATION THE WARRANTIES OF DESIGN, MERCHANTABILITY OR FITNESS FOR A
PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL BLUE COAT SYSTEMS, INC., ITS
SUPPLIERS OR ITS LICENSORS BE LIABLE FOR ANY DAMAGES, WHETHER ARISING IN TORT, CONTRACT OR
ANY OTHER LEGAL THEORY EVEN IF BLUE COAT SYSTEMS, INC. HAS BEEN ADVISED OF THE POSSIBILITY OF
SUCH DAMAGES.

Document Revision: SGOS 5.3.1.4—10/2008

ii

Contents

Contact Information

Chapter 1: Introduction
Audience for this Document ....................................................................................................................................9
Organization of this Document ...............................................................................................................................9
Related Blue Coat Documentation ..........................................................................................................................9
Notes and Warnings ................................................................................................................................................10
SSH and Script Considerations ..............................................................................................................................10
Standard and Privileged Modes ............................................................................................................................10
Accessing Quick Command Line Help ................................................................................................................12
Chapter 2: Standard and Privileged Mode Commands
Standard Mode Commands ...................................................................................................................................13
> display ...............................................................................................................................................................15
> enable .................................................................................................................................................................16
> exit ......................................................................................................................................................................17
> help .....................................................................................................................................................................18
> ping ....................................................................................................................................................................19
> show ...................................................................................................................................................................20
> show access-log ............................................................................................................................................25
> show bandwidth-management .................................................................................................................26
> show bridge ..................................................................................................................................................27
> show commands .........................................................................................................................................28
> show diagnostics .........................................................................................................................................29
> show disk ......................................................................................................................................................30
> show exceptions ...........................................................................................................................................31
> show im .........................................................................................................................................................33
> show ip-stats .................................................................................................................................................34
> show sources ................................................................................................................................................35
> show ssl .........................................................................................................................................................36
> show streaming ............................................................................................................................................37
> traceroute ..........................................................................................................................................................38
Privileged Mode Commands .................................................................................................................................39
# acquire-utc .........................................................................................................................................................40
# bridge .................................................................................................................................................................41
# cancel-upload ....................................................................................................................................................42
# clear-arp .............................................................................................................................................................43
# clear-cache .........................................................................................................................................................44
# clear-errored-connections ...............................................................................................................................45
# clear-statistics ....................................................................................................................................................46
# configure ............................................................................................................................................................47
# disable ................................................................................................................................................................48
iii

# disk ..................................................................................................................................................................... 49
# display ............................................................................................................................................................... 50
# exit ...................................................................................................................................................................... 51
# help ..................................................................................................................................................................... 52
# hide-advanced .................................................................................................................................................. 53
# inline .................................................................................................................................................................. 54
# kill ....................................................................................................................................................................... 56
# licensing ............................................................................................................................................................. 57
# load ..................................................................................................................................................................... 58
# pcap .................................................................................................................................................................... 60
# pcap filter ...................................................................................................................................................... 61
# pcap start ....................................................................................................................................................... 63
# ping .................................................................................................................................................................... 65
# policy .................................................................................................................................................................. 66
# register-with-director ...................................................................................................................................... 67
# restart ................................................................................................................................................................. 68
# restore-sgos4-config ......................................................................................................................................... 69
# restore-defaults ................................................................................................................................................. 70
# reveal-advanced ............................................................................................................................................... 71
# show ................................................................................................................................................................... 72
# show adn ....................................................................................................................................................... 74
# show attack-detection ................................................................................................................................. 75
# show configuration ...................................................................................................................................... 76
# show content ................................................................................................................................................ 77
# show proxy-services .................................................................................................................................... 78
# show security ................................................................................................................................................ 79
# show ssh ........................................................................................................................................................ 80
# show ssl ......................................................................................................................................................... 81
# temporary-route ............................................................................................................................................... 83
# test ...................................................................................................................................................................... 84
# traceroute .......................................................................................................................................................... 85
# upload ................................................................................................................................................................ 86
Chapter 3: Privileged Mode Configure Commands
Configure Commands ............................................................................................................................................ 87
#(config) accelerated-pac ................................................................................................................................... 88
#(config) access-log ............................................................................................................................................. 89
#(config log log_name) .................................................................................................................................... 92
#(config format format_name) ........................................................................................................................ 96
#(config) adn ........................................................................................................................................................ 97
#(config) alert ..................................................................................................................................................... 103
#(config) archive-configuration ...................................................................................................................... 107
#(config) attack-detection ................................................................................................................................. 109
#(config client) ............................................................................................................................................... 111
#(config server) .............................................................................................................................................. 114
#(config) bandwidth-gain ................................................................................................................................ 116
#(config) bandwidth-management ................................................................................................................. 117
#(config bandwidth-management class_name) ......................................................................................... 118
#(config) banner ................................................................................................................................................ 120

iv

Volume 11: Command Line Interface Reference

#(config) bridge ................................................................................................................................................. 121
#(config bridge bridge_name) ....................................................................................................................... 122
#(config) caching ............................................................................................................................................... 124
#(config caching ftp) ..................................................................................................................................... 126
#(config)cifs ........................................................................................................................................................ 128
#(config)..................................................................................................................................................... clock 129
#(config) content ................................................................................................................................................ 130
#(config) content-filter ...................................................................................................................................... 131
#(config bluecoat) ......................................................................................................................................... 134
#(config i-filter) .............................................................................................................................................. 136
#(config intersafe) ......................................................................................................................................... 138
#(config iwf) ................................................................................................................................................... 140
#(config local) ................................................................................................................................................ 142
#(config optenet) ........................................................................................................................................... 144
#(config proventia) ....................................................................................................................................... 146
#(config smartfilter) ...................................................................................................................................... 148
#(config surfcontrol) ..................................................................................................................................... 150
#(config websense) ....................................................................................................................................... 152
#(config webwasher) .................................................................................................................................... 154
#(config) connection-forwarding .................................................................................................................... 156
#(config) diagnostics ......................................................................................................................................... 157
#(config service-info) .................................................................................................................................... 159
#(config snapshot snapshot_name) ............................................................................................................ 161
#(config) dns ...................................................................................................................................................... 162
#(config) event-log ............................................................................................................................................ 164
#(config) exceptions .......................................................................................................................................... 166
#(config exceptions [user-defined.]exception_id) ...................................................................................... 167
#(config) exit ...................................................................................................................................................... 168
#(config) external-services ............................................................................................................................... 169
#(config icap icap_service_name) ............................................................................................................... 171
#(config service-group service_group_name) .......................................................................................... 173
#(config websense websense_service_name) ........................................................................................... 175
#(config) failover ............................................................................................................................................... 177
#(config) forwarding ......................................................................................................................................... 179
#(config forwarding group_alias) .............................................................................................................. 182
#(config forwarding host_alias) .................................................................................................................. 184
#(config) front-panel ......................................................................................................................................... 186
#(config) ftp ........................................................................................................................................................ 187
#(config) general ................................................................................................................................................ 188
#(config) health-check ...................................................................................................................................... 189
#(config) hide-advanced .................................................................................................................................. 199
#(config) hostname ........................................................................................................................................... 200
#(config) http ..................................................................................................................................................... 201
#(config) icp ....................................................................................................................................................... 203
#(config) identd ................................................................................................................................................. 204
#(config) im ........................................................................................................................................................ 205
#(config) inline ................................................................................................................................................... 207
#(config) installed-systems .............................................................................................................................. 208
#(config) interface ............................................................................................................................................. 209

Contents

v

#(config interface interface_number) ......................................................................................................... 210
#(config) ip-default-gateway ........................................................................................................................... 212
#(config) license-key ......................................................................................................................................... 213
#(config) line-vty ............................................................................................................................................... 214
#(config) load ..................................................................................................................................................... 215
#(config)management-services ....................................................................................................................... 216
#(config http-console) ................................................................................................................................... 217
#(config https-console) ................................................................................................................................. 218
#(config ssh-console) .................................................................................................................................... 220
#(config telnet-console) ................................................................................................................................ 221
#(config snmp_service_name) .................................................................................................................... 222
#(config) mapi .................................................................................................................................................... 223
#(config) netbios ................................................................................................................................................ 224
#(config) no ........................................................................................................................................................ 225
#(config) ntp ....................................................................................................................................................... 226
#(config) policy .................................................................................................................................................. 227
#(config) profile ................................................................................................................................................. 229
#(config) proxy-client ....................................................................................................................................... 230
#(config proxy-client acceleration) ............................................................................................................. 232
#(config proxy-client acceleration adn) ..................................................................................................... 233
#(config proxy-client acceleration cifs) ...................................................................................................... 235
#(config proxy-client locations) .................................................................................................................. 236
#(config proxy-client web-filtering) ........................................................................................................... 239
#(config) proxy-services ................................................................................................................................... 242
#(config dynamic-bypass) ........................................................................................................................... 244
#(config static-bypass) .................................................................................................................................. 246
#(config aol-im) ............................................................................................................................................. 247
#(config cifs) .................................................................................................................................................. 248
#(config dns) .................................................................................................................................................. 249
#(config endpoint-mapper) ......................................................................................................................... 250
#(config ftp) ................................................................................................................................................... 251
#(config HTTP) .............................................................................................................................................. 252
#(config https-reverse-proxy) ..................................................................................................................... 254
#(config mms) ................................................................................................................................................ 256
#(config msn-im) ........................................................................................................................................... 257
#(config restricted-intercept) ....................................................................................................................... 258
#(config rtsp) ................................................................................................................................................. 259
#(config socks) ............................................................................................................................................... 260
#(config ssl) .................................................................................................................................................... 261
#(config tcp-tunnel) ...................................................................................................................................... 263
#(config telnet) ............................................................................................................................................... 265
#(config yahoo-im) ........................................................................................................................................ 266
#(config) restart ................................................................................................................................................. 267
#(config) return-to-sender ................................................................................................................................ 268
#(config) reveal-advanced ............................................................................................................................... 269
#(config) rip ........................................................................................................................................................ 270
#(config) security ............................................................................................................................................... 271
#(config security allowed-access) ............................................................................................................... 274
#(config security authentication-forms) .................................................................................................... 275

vi

Volume 11: Command Line Interface Reference

#(config security certificate) ........................................................................................................................ 277
#(config security coreid) .............................................................................................................................. 280
#(config security default-authenticate-mode) .......................................................................................... 283
#(config security destroy-old-password) .................................................................................................. 284
#(config security enable-password and hashed-enable-password) ...................................................... 285
#(config security enforce-acl) ...................................................................................................................... 286
#(config security front-panel-pin and hashed-front-panel-pin) ............................................................ 287
#(config security iwa) ................................................................................................................................... 288
#(config) security ldap ................................................................................................................................. 291
#(config) security local ................................................................................................................................. 295
#(config security local-user-list) .................................................................................................................. 297
#(config security management) .................................................................................................................. 299
#(config security novell-sso) ....................................................................................................................... 300
#(config) security password and hashed_password ............................................................................... 302
#(config) security password-display .......................................................................................................... 303
#(config security policy-substitution) ........................................................................................................ 304
#(config security radius) .............................................................................................................................. 306
#(config security request-storage) .............................................................................................................. 309
#(config security sequence) ......................................................................................................................... 310
#(config security siteminder) ...................................................................................................................... 312
#(config) security transparent-proxy-auth ................................................................................................ 316
#(config) security users ................................................................................................................................ 317
#(config) security username ........................................................................................................................ 318
#(config windows-sso) ................................................................................................................................. 319
#(config) security xml ................................................................................................................................... 321
#(config) service-groups ................................................................................................................................... 324
#(config) session-monitor ................................................................................................................................ 325
#(config) sg-client .............................................................................................................................................. 327
#(config) shell ..................................................................................................................................................... 328
#(config) show ................................................................................................................................................... 329
#(config) snmp ................................................................................................................................................... 330
#(config snmp community ) ................................................................................... 332
#(config snmp user ) ............................................................................................................... 334
#(config) socks-gateways ................................................................................................................................. 336
#(config socks-gateways gateway_alias) ................................................................................................... 338
#(config socks-gateways group_alias) ....................................................................................................... 340
#(config) socks-machine-id .............................................................................................................................. 342
#(config) socks-proxy ....................................................................................................................................... 343
#(config) ssh-console ........................................................................................................................................ 344
#(config) ssl ........................................................................................................................................................ 345
#(config ssl ccl list_name) ............................................................................................................................ 349
#(config ssl crl crl_list_name) ....................................................................................................................... 350
#(config ssl device-profile) .......................................................................................................................... 351
#(config ssl ssl__default_client_name) ...................................................................................................... 353
#(config ssl ocsp) ........................................................................................................................................... 355
#(config) static-routes ....................................................................................................................................... 358
#(config) streaming ........................................................................................................................................... 359
#(config) tcp-ip .................................................................................................................................................. 363
#(config) timezone ............................................................................................................................................ 364

Contents

vii

#(config) upgrade-path .................................................................................................................................... 365
#(config) virtual-ip ............................................................................................................................................ 366
#(config) wccp ................................................................................................................................................... 367

viii

Volume 11: Command Line Interface Reference

Chapter 1: Introduction

To configure and manage your Blue Coat® Systems ProxySG, Blue Coat developed a
software suite that includes an easy-to-use graphical interface called the Management
Console and a Command Line Interface (CLI). The CLI allows you to perform the
superset of configuration and management tasks; the Management Console, a subset.
This reference guide describes each of the commands available in the CLI.

Audience for this Document
This reference guide is written for system administrators and experienced users who
are familiar with network configuration. Blue Coat assumes that you have a functional
network topography, that you and your Blue Coat Sales representative have
determined the correct number and placement of the ProxySG, and that those
appliances have been installed in an equipment rack and at least minimally configured
as outlined in the Blue Coat Installation Guide that accompanied the device.

Organization of this Document
This document contains the following chapters:

Chapter 1 – Introduction
The organization of this document; conventions used; descriptions of the CLI modes;
and instructions for saving your configuration.

Chapter 2 – Standard and Privileged Mode Commands
All of the standard mode commands, including syntax and examples, in alphabetical
order. All of the privileged mode commands (except for the configure commands,
which are described in Chapter 3), including syntax and examples, in alphabetical
order.

Chapter 3 – # Configure Mode Commands
The #configure command is the most used and most elaborate of all of the CLI
commands.

Related Blue Coat Documentation
You can download the following and other Blue Coat documentation in PDF format
from the Blue Coat Web site at www.bluecoat.com. Note that the documents are on
WebPower: You must have a WebPower account to access them.
Table 1-1. Document Conventions

Conventions

Definition

Italics

The first use of a new or Blue Coat-proprietary term.

9

Table 1-1. Document Conventions (Continued)
Courier font

Screen output. For example, command line text, file names, and Blue
Coat Content Policy Language (CPL).

Courier Italics

A command line variable that is to be substituted with a literal name or
value pertaining to the appropriate facet of your network system.

Courier Boldface

A Blue Coat literal to be entered as shown.

Arial Boldface

Screen elements in the Management Console.

{ }

One of the parameters enclosed within the braces must be supplied

[ ]

An optional parameter or parameters.

|

Either the parameter before or after the pipe character can or must be
selected, but not both.

Notes and Warnings
The following is provided for your information and to caution you against actions that
can result in data loss or personal injury:
Note: Information to which you should pay attention.

Important: Critical information that is not related to equipment damage or personal
injury (for example, data loss).

WARNING:

Used only to inform you of danger of personal injury or physical damage
to equipment. An example is a warning against electrostatic discharge (ESD) when
installing equipment.

SSH and Script Considerations
Consider the following when using the CLI during an SSH session or in a script:
Case Sensitivity. CLI command literals and parameters are not case sensitive.
Command Abbreviations. You can abbreviate CLI commands, provided you supply
enough command characters as to be unambiguous. For example:
SGOS# configure terminal

Can be shortened to:
SGOS# conf t

Standard and Privileged Modes
The ProxySG CLI has three major modes—standard, privileged, and configure privileged. In
addition, privileged mode has several subordinate modes. See the introduction in
Chapter 2: "Standard and Privileged Mode Commands" on page 13 for details about the
different modes.

DocTitle

10



Standard mode prompt: >



Privileged mode prompt: #



Configure Privileged mode prompt: #(config)

11

Accessing Quick Command Line Help
You can access command line help at any time during a session. The following commands
are available in both standard mode and privileged mode.
To access a comprehensive list of mode-specific commands:
Type help or ? at the prompt.
The help command displays how to use CLI help. For example:
SGOS> help
Help may be requested at any point in a command
by typing a question mark '?'.
1. For a list of available commands, enter '?' at
the prompt.
2. For a list of arguments applicable to a command,
precede the '?' with a space (e.g. 'show ?')
3. For help completing a command, do not precede
the '?' with a space (e.g. 'sh?')

The ? command displays the available commands. For example:
SGOS> ?
display
enable
exit
help
ping
show
traceroute

Display a text based url
Turn on privileged commands
Exit command line interface
Information on help
Send echo messages
Show running system information
Trace route to destination

To access a command-specific parameter list:
Type the command name, followed by a space, followed by a question mark.
Note that you must be in the correct mode—standard or privileged—to access the
appropriate help information. For example, to get command completion help for pcap:
SGOS# pcap ?
bridge
filter
.
.
.

Setup the packet capture mode for bridges
Setup the current capture filter

To get command completion for configuring the time:
SGOS#(config) clock ?
day
hour
.
.
.

Set UTC day
Set UTC hour

To access the correct spelling and syntax, given a partial command:
Type the first letter, or more, of the command, followed by a question mark (no spaces).
Note that you must be in the correct mode—standard or privileged—to access the
appropriate help information. For example:
SGOS# p?
pcap
ping

DocTitle

purge-dns-cache

12

Chapter 2: Standard and Privileged Mode Commands

This chapter describes and provides examples for the Blue Coat ProxySG standard and privileged
mode CLI commands. These modes have fewer permissions than enabled mode commands.
Topics in this Chapter
This chapter includes information about the following topics:


Standard Mode Commands on page 13



Privileged Mode Commands on page 39



Privileged Mode Commands
Privileged mode provides a set of commands that enable you to view, manage, and change
ProxySG settings for features such as log files, authentication, caching, DNS, HTTPS, packet
capture filters, and security. You can cannot configure functionality such as SSL Proxy, HTTP
compression, and the like.
The prompt changes from a greater than sign (>) to a pound sign (#), acting as an indicator
that you are in privileged mode .
Enter privileged mode from standard mode by using the enable command:
SGOS> enable
Enable Password:********
SGOS#



Configuration Mode Commands
The configure command, available only in enabled mode, allows you to configure the Blue
Coat ProxySG settings from your current terminal session (configure terminal), or by
loading a text file of configuration settings from the network (configure network). Enabled
Mode commands are discussed in Chapter 3: Privileged Mode Configure
Commands on page 87.
The prompt changes from a pound sign (#) to a #(config) prompt, acting as an indicator that
you are in configuration mode .
Enter configuration mode from privileged mode by using the configure command:
SGOS# conf t
SGOS#(config)

No password is needed to enter enabled mode.

Standard Mode Commands
Standard mode is the default mode when you first log on. From standard mode, you can view
but not change configuration settings. This mode can be password protected, but it is not
required.
The standard mode prompt is a greater-than sign; for example:
ssh> ssh -l username IP_address
password: ******
SGOS>

Commands available in standard mode are:

13

> display on page 15
View the content for the specified URL.

> enable on page 16
Changes the mode from Standard to Privileged.

> exit on page 17
Exits Standard mode.

> help on page 18
> ping on page 19
Verifies that the system at hostname or IP address is active.

> show on page 20
Displays system information.

> traceroute on page 38
Traces the route to a destination.

Volume 11: Command Line Interface Reference

14

> display
Synopsis
Use this command to display the content (such as HTML or Javascript) for the specified URL. This
content is displayed one screen at a time. "—More—" at the bottom of the terminal screen indicates
that there is additional code. Press the to display the next batch of content; press
to display one additional line of content.
This command is used for general HTTP connectivity testing

Syntax
> display url

where url is a valid, fully-qualified text Web address.

Example
SGOS> display http://www.bluecoat.com
10.9.59.243 - Blue Coat SG200>display http://www.bluecoat.com
br />"http://www.w3.org/TR/html4/loose.dtd">


Blue Coat Systems


.
.
.

Chapter 2: Standard and Privileged Mode Commands

15

> enable
Synopsis
Use this command to enter Privileged mode. Privileged mode commands enable you to view and
change your configuration settings. A password is always required.

Syntax
> enable

The enable command has no parameters or subcommands.

For More Information


# disable on page 48



#(config) security username on page 318



#(config) security password and hashed_password on page 302

Example
SGOS> enable
Enable Password:******
SGOS# conf t
SGOS(config)

Where conf t is a shortcut to typing configure terminal.

Volume 11: Command Line Interface Reference

16

> exit
Synopsis
Use this command to exit the CLI. In privileged and configuration mode, exit returns you to the
previous prompt.

Syntax
> exit

The exit command has no parameters or subcommands.

Example
SGOS> exit

Chapter 2: Standard and Privileged Mode Commands

17

> help
See Accessing Quick Command Line Help on page 12 for information about this command.

Volume 11: Command Line Interface Reference

18

> ping
Synopsis
Use this command to verify whether a particular host is reachable across a network.

Syntax
> ping {hostname | ip_address}

Subcommands
> ping hostname
Specifies the name of the host you want to verify.
> ping ip_address
Specifies the IP address you want to verify.

Example
SGOS> ping 10.25.36.47
Type escape sequence to abort.
Sending 5, 64-byte ICMP Echos to 10.25.36.47, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5),
round-trip min/avg/max = 0/0/1 ms
Number of duplicate packets received = 0

Chapter 2: Standard and Privileged Mode Commands

19

> show
Synopsis
Use this command to display system information. You cannot view all show commands, here, only
those available in the standard mode. You must be in privileged mode to show commands available.

Syntax
> show [subcommands]

Subcommands
Note: Hyperlinked (blue) options contain additional information.
> show accelerated-pac
Displays accelerated PAC file information.

> show access-log on page 25
Displays the current access log settings.
> show advanced-url
Displays the advanced URL for statistics...
> show appliance-name
Displays the name of the appliance.
> show archive-configuration
Displays the archive configuration settings
> show arp-table
Displays TCP/IP ARP table information.
> show bandwidth-gain
Displays bandwidth gain status, mode, and the status of the "substitute get for get-if-modified-since,"
"substitute get for HTTP 1.1 conditional get," and "never refresh before specified object expiry" features.

> show bandwidth-management on page 26
Displays bandwidth management configuration and statistics information.

> show bridge on page 27
Displays information about bridging on the system.
> show caching
Displays data regarding cache refresh rates and settings and caching policies.
> show cifs
Displays CIFS settings
> show clock
Displays the current ProxySG time setting.

> show commands on page 28
Displays the available CLI commands.
> show content-distribution
Displays the average sizes of objects in the cache.
> show cpu
Displays CPU usage.
> show cpu-monitor
Displays the state of the CPU monitor.

Volume 11: Command Line Interface Reference

20

> show diagnostics on page 29
Displays remote diagnostics information.

> show disk on page 30
Displays disk information, including slot number, vendor, product ID, revision and serial number,
capacity, and status, about all disks or a specified disk.
> show dns
Displays primary and alternate DNS server data.
> show dns-forwarding
Displays the DNS servers and the imputing name.
> show download-paths
Displays downloaded configuration path information, including the policy list, accelerated PAC file,
HTTP error page, ICP settings, RIP settings, static route table, upgrade image, and WCCP settings.
> show efficiency
Displays efficiency statistics by objects and by bytes, as well as information about non-cacheable objects
and access patterns.
> show epmapper [statistics]
Displays proxy settings or statistics.
> show event-log [configuration]
Show the event-log configuration.

> show exceptions on page 31
Displays all exceptions or just the built-in or user-defined exception you specify.
> show external-services [statistics]
Displays external services or external services statistics information.
> show failover [group_address]
Displays failover settings for the specified group or all groups.
> show forwarding
Displays advanced forwarding settings, including download-via-forwarding, health check, and load
balancing status, and the definition of forwarding hosts/groups and advanced forwarding rules.
> show ftp
Displays the FTP settings on the system.
> show general
Displays the general settings.
> show health-checks
Displays health check information.
> show hostname
Displays the current hostname, IP address, and type.
> show http
Displays HTTP configuration information.
> show http-stats
Displays HTTP statistics, including HTTP statistics version number, number of connections accepted by
HTTP, number of persistent connections that were reused, and the number of active client connections.
> show icp-settings
Displays ICP settings.
> show identd
Displays IDENTD service settings.

> show im on page 33
Displays IM information

Chapter 2: Standard and Privileged Mode Commands

21

> show installed-systems
Displays ProxySG system information, listing the current five version and release numbers, boot and
lock status, and timestamp information.
> show interface {all | interface_number}
Displays interface status and configuration information.
> show ip-default-gateway
Specifies the default IP gateway.
> show ip-route-table
Displays route table information.
> show ip-rts-table
Displays return-to-sender route table information.

> show ip-stats on page 34
Displays TCP/IP statistics
> show licenses
Displays license information.
> show management console
Diplays information about the managment services enabled or disabled on the system.
> show mapi
Displays settings for the MAPI proxy.
> show netbios
Displays NETBIOS settings.
> show ntp
Displays NTP servers status and information.
> show p2p [statistics]
Displays P2P statistics
> show policy [listing | order |policy]
Displays current state of the policy.
> show profile
Displays the system profile.
> show proxy-client
Displays the proxy client settings.
> show proxy-services
Displays information about proxy services.
> show reflect-client-ip
Displays the client IP reflection.
> show resources
Displays allocation of disk and memory resources.
> show restart
Displays system restart settings, including core image information and compression status.
> show return-to-sender
Displays "return to sender" inbound and outbound settings.
> show rip {default-route | parameters| routes | statistics}
Displays information on RIP settings, including parameters and configuration, RIP routes, and RIP
statistics.
> show services
Displays information about services.

Volume 11: Command Line Interface Reference

22

> show service-groups
Displays proxy service groups.
> show sessions
Displays information about the CLI session.
> show shell
Displays the settings for the shell, including the maximum connections, the prompt, and the realm- and
welcome-banners.
> show snmp
Displays SNMP statistics, including status and MIB variable and trap information
> show socks-gateways
Displays SOCKS gateway settings.
> show socks-machine-id
Displays the identification of the secure sockets machine.
> show socks-proxy
Displays SOCKS proxy settings.

> show sources on page 35
Displays source listings for installable lists, such as the license key, policy files, ICP settings, RIP settings,
static route table, and WCCP settings files.

> show ssl on page 36
Displays ssl settings.
> show static-routes
Displays static route table information.
> show status
Displays current system status information, including configuration information and general status
information.

> show streaming on page 37
Displays QuickTime, RealNetworks, or Microsoft Windows Media information, and client and total
bandwidth configurations and usage.
> show tcp-ip
Displays TCP-IP parameters.
> show terminal
Displays terminal configuration parameters and subcommands.
> show timezones
Displays timezones used.
> show trust-destination-ip
Displays the trust destination IP
> show user-authentication
Displays Authenticator Credential Cache Statistics, including credential cache information, maximum
number of clients queued for cache entry, and the length of the longest chain in the hash table.
> show user-overflow-action
Displays the user overflow action.
> show version
Displays ProxySG hardware and software version and release information and backplane PIC status.
> show virtual-ip
Displays the current virtual IP addresses

Chapter 2: Standard and Privileged Mode Commands

23

> show wccp {configuration | statistics | status}
Displays WCCP configuration and statistics information. You can also view WCCP service-group
information.
> show xml-config
Displays the registry settings.

Examples
SGOS> show caching
Refresh:
Estimated access freshness is 100.0%
Let the ProxySG Appliance manage refresh bandwidth
Current bandwidth used is 0 kilobits/sec
Policies:
Do not cache objects larger than 1024 megabytes
Cache negative responses for 0 minutes
Let the ProxySG Appliance manage freshness
FTP caching:
Caching FTP objects is enabled
FTP objects with last modified date, cached for 10% of last modified time
FTP objects without last modified date, initially cached for 24 hours
SGOS> show resources
Disk resources:
Maximum objects supported:
Cached Objects:
Disk used by system objects:
Disk used by access log:
Total disk installed:
Memory resources:
In use by cache:
In use by system:
In use by network:
Total RAM installed:

1119930
0
537533440
0
18210036736
699203584
83230176
22872608
805306368

SGOS> show failover configuration group_address
Failover Config
Group Address: 10.25.36.47
Multicast Address
: 224.1.2.3
Local Address
: 10.9.17.159
Secret
: none
Advertisement Interval: 40
Priority
: 100
Current State
: DISABLED
Flags
: V M

Three flags exist, set as you configure the group.
V—Specifies the group name is a virtual IP address.
R—Specifies the group name is a physical IP address
M—Specifies this machine can be configured to be the master if it is available

Volume 11: Command Line Interface Reference

24

> show access-log
Synopsis
Displays the current access log settings.

Syntax
> show access-log [subcommands]

Subcommands
> show access-log default-logging
Display the access log default policy.
> show access-log format brief
Displays the access log format names.
> show access-log format format_name
Displays the access log with the specified format_name.
> show access-log format
Displays the access-log formats for all log types.
> show access-log log brief
Displays the access log log names.
> show access-log log log_name
Displays the access log with the specified log_name.
> show access-log log
Displays the access-log for all logs.
> show access-log statistics log_name
Displays access-log statistics for the specific log_name.
> show access-log statistics
Displays all access-log statistics.

For More Information


Volume 8: Access Logging

Example
> show access-log format brief
Formats:
squid
ncsa
main
im
streaming
websense
surfcontrol
smartreporter
surfcontrolv5
p2p
ssl
cifs
mapi

Chapter 2: Standard and Privileged Mode Commands

25

> show bandwidth-management
Synopsis
Displays the bandwidth management state (enabled or disabled) or statistics.

Syntax
> show bandwidth-management {configuration | statistics}

Subcommands
> show bandwidth-management configuration bandwidth_class
Displays the bandwidth-management configuration for the specified bandwidth class . If you do not
specify a bandwidth class, displays the bandwidth-management configuration for the system.
> show bandwidth-management statistics bandwidth_class
Displays the bandwidth-management statistics for the specified bandwidth class. If you do not specify a
bandwidth class, displays the bandwidth-management statistics for the system.

For More Information


Volume 5: Advanced Networking

Example
> show bandwidth-management configuration
Bandwidth Management Enabled

Volume 11: Command Line Interface Reference

26

> show bridge
Synopsis
Displays bridge configuration and statistics.

Syntax
> show bridge [subcommands]

Subcommands
> show bridge configuration [bridge_name]
Displays the bridge configuration for the specified bridge_name or for all interfaces on the system.
> show bridge fwtable [bridge_name]
Displays the bridge forwarding table for the specified bridge_name or for all interfaces on the system.
> show bridge statistics [bridge_name]
Displays the bridge statistics for the specified bridge_name or for all interfaces on the system.

For More Information


Volume 1: Getting Started

Example
> show bridge configuration
Bridge passthru-0 configuration:
Interface 0:0
Internet address: 10.9.59.246
Internet subnet: 255.255.255.0
MTU size:
1500
Spanning tree:
disabled
Allow intercept: enabled
Reject inbound:
disabled
Status:
autosensed full duplex, 100 megabits/sec network
Interface 0:1
MTU size:
1500
Spanning tree:
disabled
Allow intercept: enabled
Reject inbound:
disabled
Status:
autosensed no link

Chapter 2: Standard and Privileged Mode Commands

27

> show commands
Synopsis
Displays the available CLI commands.

Syntax
> show commands [subcommands]

Subcommands
> show commands delimited [all | privileged]

Delimited displays commands so they can be parsed.
> show commands formatted [all | privileged]
Formatted displays commands so they can be viewed easily.

Example
> show commands formatted
1:show
2:access-log
3:log
4:brief

3:format
4:brief

3:statistics

3:default-logging

Show running system information
Access log settings
Show Access log configuration
Show Access log names
Show Access log format configuration
Show Access log format names
Show Access log statistics
Show Access log default policy

> show commands delimited
1;show;Show running system information;sh;0;11
2;access-log;Access log settings;acces;0;11
3;log;Show Access log configuration;l;0;11
4;brief;Show Access log names;b;0;11
p;;*;*;0;14
3;format;Show Access log format configuration;f;0;11
4;brief;Show Access log format names;b;0;11
p;;*;*;0;14
3;statistics;Show Access log statistics;s;0;11
p;;*;*;0;14
3;default-logging;Show Access log default policy;d;0;11

Volume 11: Command Line Interface Reference

28

> show diagnostics
Synopsis
Displays remote diagnostics information, including version number, and whether the Heartbeats
feature and the ProxySG monitor are currently enabled.

Syntax
> show diagnostics [subcommands]

Subcommands
> show diagnostics configuration
Displays diagnostics settings.
> show diagnostics cpu-monitor
Displays the CPU Monitor results.
> show diagnostics service-info
Displays service-info settings.
> show diagnostics snapshot
Displays the snapshot configuration.

Example
> show diagnostics snapshot
Snapshot sysinfo
Target:
/sysinfo
Status:
Enabled
Interval:
1440 minutes
To keep:
30
To take:
Infinite
Next snapshot: 2006-03-18 00:00:00 UTC
Snapshot sysinfo_stats
Target:
/sysinfo-stats
Status:
Enabled
Interval:
60 minutes
To keep:
30
To take:
Infinite
Next snapshot: 2006-03-17 20:00:00 UTC

Chapter 2: Standard and Privileged Mode Commands

29

> show disk
Synopsis
Displays disk information, including slot number, vendor, product ID, revision and serial number,
capacity, and status, about all disks or a specified disk.

Syntax
> show disk {disk_number | all}

Subcommands
> show disk disk_number
Displays information on the specified disk.
> show disk all
Displays information on all disks in the system.

Example
> show disk 1
Disk in slot 1
Vendor: SEAGATE
Product: ST340014A
Revision: 8.54
Disk serial number: 5JVQ76VS
Capacity: 40020664320 bytes
Status: present

Volume 11: Command Line Interface Reference

30

> show exceptions
Synopsis
Displays all exceptions or just built-in or user defined exceptions.

Syntax
> show exceptions [built-in_id | user-defined_id]

For More Information


#(config)

exceptions on page 166

Example
> show exceptions
Built-in:
authentication_failed
authentication_failed_password_expired
authentication_mode_not_supported
authentication_redirect_from_virtual_host
authentication_redirect_off_box
authentication_redirect_to_virtual_host
authentication_success
authorization_failed
bad_credentials
client_failure_limit_exceeded
configuration_error
connect_method_denied
content_filter_denied
content_filter_unavailable
dns_server_failure
dns_unresolved_hostname
dynamic_bypass_reload
gateway_error
icap_communication_error
icap_error
internal_error
invalid_auth_form
invalid_request
invalid_response
license_exceeded
license_expired
method_denied
not_implemented
notify
notify_missing_cookie
policy_denied
policy_redirect
radius_splash_page
redirected_stored_requests_not_supported
refresh
server_request_limit_exceeded
silent_denied
spoof_authentication_error
ssl_client_cert_revoked
ssl_domain_invalid

Chapter 2: Standard and Privileged Mode Commands

31

ssl_failed
ssl_server_cert_expired
ssl_server_cert_revoked
ssl_server_cert_untrusted_issuer
tcp_error
transformation_error
unsupported_encoding
unsupported_protocol

Volume 11: Command Line Interface Reference

32

> show im
Synopsis
Displays Instant Messaging settings.

Syntax
> show im [subcommands]

Subcommands
> show im configuration
Displays IM configuration information.
> show im aol-statistics
Displays statistics of AOL IM usage.
> show im msn-statistics
Displays statistics of MSN IM usage.
> show im yahoo-statistics
Displays statistics of Yahoo! IM usage.

For More Information


Volume 3: Web Communication Proxies.

Example
> show im configuration
IM Configuration
aol-admin-buddy:
msn-admin-buddy:
yahoo-admin-buddy:
exceptions:
buddy-spoof-message:
http-handoff:
explicit-proxy-vip:
aol-native-host:
aol-http-host:
aol-direct-proxy-host:
msn-native-host:
msn-http-host:
yahoo-native-host:
yahoo-http-host:
yahoo-http-chat-host:
yahoo-upload-host:
yahoo-download-host:

Blue Coat SG
Blue Coat SG
Blue Coat SG
out-of-band

enabled

login.oscar.aol.com
aimhttp.oscar.aol.com
ars.oscar.aol.com
messenger.hotmail.com
gateway.messenger.hotmail.com
scs.msg.yahoo.com
shttp.msg.yahoo.com
http.chat.yahoo.com
filetransfer.msg.yahoo.com
.yahoofs.com

Chapter 2: Standard and Privileged Mode Commands

33

> show ip-stats
Synopsis
Displays TCP/IP statistics.

Syntax
> show ip-stats [subcommands]

Subcommands
> show ip-stats all
Display TCP/IP statistics.
> show ip-stats interface {all | number}
Displays TCP/IP statistics for all interfaces or for the specified number (0
to 7).
> show ip-stats ip
Displays IP statistics.
> show ip-stats memory
Displays TCP/IP memory statistics.
> show ip-stats summary
Displays TCP/IP summary statistics.
> show ip-stats tcp
Displays TCP statistics.
> show ip-stats udp
Displays UDP statistics.

Example
> show ip-stats summary
; TCP/IP Statistics
TCP/IP General Statistics
Entries in TCP queue: 12
Maximum entries in TCP queue: 19
Entries in TCP time wait queue: 0
Maximum entries in time wait queue: 173
Number of time wait allocation failures: 0
Entries in UDP queue: 2

Volume 11: Command Line Interface Reference

34

> show sources
Synopsis
Displays source listings for installable lists, such as the license key, policy files, ICP settings, RIP
settings, static route table, and WCCP settings files.

Syntax
> show sources [subcommands]

Subcommands
> show sources forwarding
Displays forwarding settings.
> show sources icp-settings
Displays ICP settings.
> show sources license-key
Displays license information
> show sources policy {central | local | forward | vpm-cpl | vpm-xml}
Displays the policy file specified.
> show sources rip-settings
Displays RIP settings.
> show sources socks-gateways
Displays the SOCKS gateways settings.
> show sources static-route-table
Displays the static routing table information.
> show sources wccp-settings
Displays WCCP settings.

Example
> show sources socks-gateways
# Current SOCKS Gateways Configuration
# No update
# Connection attempts to SOCKS gateways fail: closed
socks_fail closed
# 0 gateways defined, 64 maximum
# SOCKS gateway configuration
# gateway
#
[version=(4|5 [user= password=]
#
[request-compression=yes|no])]
# Default fail-over sequence.
# sequence ...
# The default sequence is empty.
# SOCKS Gateways Configuration Ends

Chapter 2: Standard and Privileged Mode Commands

35

> show ssl
Synopsis
Displays SSL settings

Syntax
> show ssl {ccl [list_name] | ssl-client [ssl_client]}

Subcommands
> show ssl ccl [list_name]
Displays currently configured CA certificate lists or configuration for the specified list_name.
> show ssl ssl-client [ssl_client]
Displays information about the specified SSL client.

Example
> show ssl ssl-client
SSL-Client Name
Keyring Name
-------------------------default


Volume 11: Command Line Interface Reference

Protocol
-----------SSLv2v3TLSv1

36

> show streaming
Synopsis
Displays QuickTime, RealNetworks, or Microsoft Windows Media information, and client and total bandwidth
configurations and usage.

Syntax
> show streaming [subcommands]

Subcommands
> show streaming configuration
Displays global streaming configuration.
> show streaming quicktime {configuration | statistics}
Displays QuickTime configuration and statistics.
> show streaming real-media {configuration | statistics}
Displays Real-Media configuration and statistics.
> show streaming windows-media {configuration | statistics}
Displays Windows-Media configuration and statistics.
> show streaming statistics
Displays client and gateway bandwidth statistics.

For More Information


Volume 3: Web Communication Proxies

Example
> show streaming configuration
; Streaming Configuration
max-client-bandwidth:
unlimited
max-gateway-bandwidth:
unlimited
multicast address:
224.2.128.0 - 224.2.255.255
multicast port:
32768 - 65535
multicast TTL:
16

Chapter 2: Standard and Privileged Mode Commands

37

> traceroute
Use this command to trace the route from the current host to the specified destination host.

Syntax
> traceroute [subcommands]

Subcommands
> traceroute ip_address
Specifies the IP address of the destination host.
> traceroute hostname
Specifies the name of the destination host.

Example
SGOS> traceroute 10.25.36.47
Type escape sequence to abort.
Tracing the route to 10.25.36.47
1 10.25.36.47 0 0 0

Volume 11: Command Line Interface Reference

38

Privileged Mode Commands
Privileged mode provides a robust set of commands that enable you to view, manage, and change
ProxySG settings for features such as log files, authentication, caching, DNS, HTTPS, packet capture
filters, and security.
Note: The privileged mode subcommand, configure, enables you to manage the ProxySG

features.

Chapter 2: Standard and Privileged Mode Commands

39

# acquire-utc
Synopsis
Use this command to acquire the Universal Time Coordinates (UTC) from a Network Time Protocol
(NTP) server. To manage objects, a ProxySG must know the current UTC time. Your ProxySG comes
pre-populated with a list of NTP servers available on the Internet, and attempts to connect to them in
the order they appear in the NTP server list on the NTP tab. If the ProxySG cannot access any of the
listed NTP servers, the UTC time must be set manually. For instructions on how to set the UTC time
manually, refer to Volume 1: Getting Started.

Syntax
# acquire-utc

The acquire-utc command has no parameters or subcommands.

Example
SGOS# acquire-utc
ok

Volume 11: Command Line Interface Reference

40

# bridge
Synopsis
This command clears bridge data.

Syntax
# bridge {subcommands]

Subcommands
# bridge clear-statistics bridge_name
Clears bridge statistics.
# bridge clear-fwtable bridge_name
Clears bridge forward table.

For More Information


Volume 1: Getting Started

Example
SGOS# bridge clear-statistics testbridge
ok

Chapter 2: Standard and Privileged Mode Commands

41

# cancel-upload
Synopsis
This command cancels a pending access-log upload. The cancel-upload command allows you to stop
repeated upload attempts if the Web server becomes unreachable while an upload is in progress. This
command sets log uploading back to idle if the log is waiting to retry the upload. If the log is in the
process of uploading, a flag is set to the log. This flag sets the log back to idle if the upload fails.

Syntax
# cancel-upload [subcommands]

Subcommands
# cancel-upload all
Cancels upload for all logs.
# cancel-upload log log_name
Cancels upload for a specified log.

For More Information


Volume 8: Access Logging

Example
SGOS# cancel-upload all
ok

Volume 11: Command Line Interface Reference

42

# clear-arp
Synopsis
The clear-arp command clears the Address Resolution Protocol (ARP) table. ARP tables are used to
correlate an IP address to a physical machine address recognized only in a local area network. ARP
provides the protocol rules for providing address conversion between a physical machine address
(also known as a Media Access Control or MAC address) and its corresponding IP address, and vice
versa.

Syntax
# clear-arp

The clear-arp command has no parameters or subcommands.

Example
SGOS# clear-arp
ok

Chapter 2: Standard and Privileged Mode Commands

43

# clear-cache
Synopsis
This command clears the byte, dns, or object cache. This can be done at any time. However, keep in
mind that if any cache is cleared, performance slows down until the cache is repopulated.
Note:

#clear-cache with no arguments can also be used to clear the object cache.

Syntax
# clear-cache [subcommands]

Subcommands
# clear-cache byte-cache

Clears the byte cache.
# clear-cache dns-cache
Clears the DNS cache.
# clear-cache object-cache
Sets all objects in the cache to expired.

Example
SGOS# clear-cache byte-cache
ok

Volume 11: Command Line Interface Reference

44

# clear-errored-connections
Synopsis
This command clears historical errored proxied sessions, errored bypassed connections, and errored
ADN inbound connections. To view errored proxied sessions in the Management Console, select
Statistics > Sessions > Errored Sessions > Proxied Sessions. To view errored bypassed connections in
the Management console, select Statistics > Sessions > Errored Sessions > Bypassed Connections. To
view errored ADN inbound connections in the Management Console, select Statistics > Active
Sessions > ADN Inbound Connections.

Syntax
#clear-errored-connections (subcommand)

Subcommands
# clear-errored-connections [proxied sessions | bypassed connections |
adn-inbound connections]
Clears the historical proxied sessions, bypassed connections, or ADN inbound connections.

Chapter 2: Standard and Privileged Mode Commands

45

# clear-statistics
Synopsis
This command clears the bandwidth-management, persistent, and Windows Media, Real Media, and
QuickTime streaming statistics collected by the ProxySG. To view streaming statistics from the CLI,
use either the show streaming {quicktime | real-media | windows-media} statistics or the
show bandwidth-management statistics [bandwidth_class] commands. To view streaming
statistics from the Management Console, go to either Statistics > Streaming History > Windows
Media/Real Media/Quicktime, or to Statistics > Bandwidth Mgmt.

Syntax
# clear-statistics [subcommands]

Subcommands
# clear-statistics bandwidth-management [class class_name]
Clears bandwidth-management statistics, either for all classes at one time or for the
bandwidth-management class specified
# clear-statistics efficiency
Clears efficiency statistics.
# clear-statistics epmapper
Clears Endpoint Mapper statistics.
# clear-statistics persistent [prefix]
Clears statistics that persist after a reboot. You can clear all persistent statistics, or, since statistics are kept
in a naming convention of group:stat, you can limit the statistics cleared to a specific group. Common
prefixes include HTTP, SSL, and SOCKS.
# clear-statistics quicktime
Clears QuickTime statistics.
# clear-statistics real-media
Clears Real Media statistics.
# clear-statistics windows-media
Clears Windows Media statistics.

Example
SGOS# clear-statistics windows-media
ok

Volume 11: Command Line Interface Reference

46

# configure
Synopsis
The privileged mode subcommand configure, enables you to manage the ProxySG features.

Syntax
# config t

Where conf refers to configure and t refers to terminal.
This changes the prompt to #(config). At this point you are in configure terminal mode
and can make permanent changes to the device.
# config network url

This command downloads a previously loaded web-accessible script, such as a configuration
file, and implements the changes in the script onto the system.

For More Information


Chapter 3: “Privileged Mode Configure Commands” on page 87

Example
# conf n http://1.1.1.1/fconfigure.txt

Chapter 2: Standard and Privileged Mode Commands

47

# disable
Synopsis
The disable command returns you to Standard mode from Privileged mode.

Syntax
# disable

The disable command has no parameters or subcommands.

For More Information


> enable on page 16



# exit on page 51

Example
SGOS# disable
SGOS>

Volume 11: Command Line Interface Reference

48

# disk
Synopsis
Use the disk command to take a disk offline or to re-initialize a disk.
On a multi-disk ProxySG , after issuing the disk reinitialize disk_number command, complete
the reinitialization by setting it to empty and copying pre-boot programs, boot programs and starter
programs, and system images from the master disk to the re-initialized disk. The master disk is the
leftmost valid disk. Valid indicates that the disk is online, has been properly initialized, and is not
marked as invalid or unusable.
Note: If the current master disk is taken offline, reinitialized or declared invalid or unusable, the

leftmost valid disk that has not been reinitialized since restart becomes the master disk. Thus
as disks are reinitialized in sequence, a point is reached where no disk can be chosen as the
master. At this point, the current master disk is the last disk. If this disk is taken offline,
reinitialized, or declared invalid or unusable, the ProxySG is restarted.
Reinitialization is done without rebooting the system, although the system should not proxy traffic
during reinitialization. The ProxySG operations, in turn, are not affected, although during the time the
disk is being reinitialized, that disk is not available for caching. Note that only the master disk
reinitialization might restart the ProxySG.

Syntax
# disk {subcommands]

Subcommands
# disk disk offline disk_number
Takes the disk specified by disk_number off line.
# disk disk reinitialize disk_number
Reinitializes the disk specified by disk_number.

Example
SGOS# disk offline 3
ok
SGOS# disk reinitialize 3
ok

Chapter 2: Standard and Privileged Mode Commands

49

# display
See > display on page 15 for more information.

Volume 11: Command Line Interface Reference

50

# exit
Synopsis
Exits from Configuration mode to Privileged mode, from Privileged mode to Standard mode. From
Standard mode, the exit command closes the CLI session.

Syntax
# exit

The exit command has no parameters or subcommands.

Example
SGOS# exit

Chapter 2: Standard and Privileged Mode Commands

51

# help
See Accessing Quick Command Line Help on page 12 for information about this command.

Volume 11: Command Line Interface Reference

52

# hide-advanced
Synopsis
Use this command to disable advanced commands.
Note: You can also use the configure command SGOS#(config) hide-advanced {all |
expand} to hide commands.

Syntax
# hide-advanced [subcommands]

Subcommands
# hide-advanced all
Hides all advanced commands.
# hide-advanced expand
Disables expanded commands.

For More Information


# reveal-advanced on page 71

Example
SGOS# hide-advanced expand
ok
SGOS# hide-advanced all
ok

Chapter 2: Standard and Privileged Mode Commands

53

# inline
Synopsis
Installs lists based on your terminal input.

Discussion
The easiest way to create installable lists, such as forwarding hosts, PAC files, and policy files, among
others, is to take an existing file and modify it, or to create the text file on your local system, upload the
file to a Web server, and download the file to the ProxySG. As an alternative, you can enter the list
directly into the ProxySG through the inline command, either by typing the list line by line or by
pasting the contents of the file.
If you choose to create a text file to contain the configuration commands and settings, be sure to assign
the file the extension .txt. Use a text editor to create this file, noting the following ProxySG
configuration file rules:


Only one command (and any associated parameters) permitted, per line



Comments must begin with a semicolon (;)



Comments can begin in any column, however, all characters from the beginning of the
comment to the end of the line are considered part of the comment and, therefore, are ignored



When entering input for the inline command, you can correct mistakes on the current line
using the backspace key. If you catch a mistake in a line that has already been terminated with
the Enter key, you can abort the inline command by typing . If the mistake is caught
after you terminate input to the inline command, you must re-enter the entire content.



The end-of-input marker is an arbitrary string chosen by the you to mark the end of input for
the current inline command. The string can be composed of standard characters and numbers,
but cannot contain any spaces, punctuation marks, or other symbols.

Tips:

Choose a unique end-of-input string that does not match any string of characters in the
configuration information. One recommended end-of-input string is ’’’ (three single quotes).

Syntax
# inline {subcommands}

Subcommands
# inline accelerated-pac eof_marker
Updates the accelerated pac file with the settings you include between the beginning eof_marker and
the ending eof_marker.
# inline authentication-form form_name eof_marker
Install an authentication form from console input
# inline authentication-forms eof_marker
Install all authentication form from console input
# inline banner eof_marker
Updates the login banner for the telnet and SSH consoles with the settings you include between the
beginning eof_marker and the ending eof_marker.

Volume 11: Command Line Interface Reference

54

# inline exceptions eof_marker
Install exceptions with the settings you include between the beginning eof_marker and the ending
eof_marker.
# inline forwarding eof_marker
Updates the forwarding configuration with the settings you include between the beginning
eof_marker and the ending eof_marker.
# inline icp-settings eof_marker
Updates the current ICP settings with the settings you include between the beginning eof_marker and
the ending eof_marker.
# inline license-key eof_marker
Updates the current license key settings with the settings you include between the beginning
eof_marker and the ending eof_marker.
# inline policy eof_marker
Updates the current policy settings—central, local, forward, vpm-cpl, and vpm-xml—with the settings
you include between the beginning eof_marker and the ending eof_marker.
# inline rip-settings eof_marker
Updates the current RIP settings with the settings you include between the beginning eof_marker and
the ending eof_marker.
# inline socks-gateways eof_marker
Updates the current SOCKS gateway settings with the settings you include between the beginning
eof_marker and the ending eof_marker.
# inline static-route-table eof_marker
Updates the current static route table settings with the settings you include between the beginning
eof_marker and the ending eof_marker.
# inline wccp-settings eof_marker
Updates the current WCCP settings with the settings you include between the beginning eof_marker
and the ending eof_marker.

For More Information



man pages for the specific component (wccp, acc pac, and the like)
# load on page 58

Example
SGOS# inline wccp eof
wccp enable eof
’’’

Chapter 2: Standard and Privileged Mode Commands

55

# kill
Synopsis
Terminates a CLI session.

Syntax
# kill session_number

where session_number is a valid CLI session number.

Example
> show sessions
Sessions:
# state type
start
elapsed
01 IDLE
02 PRIVL ssh
08 Aug 2006 21:27:51 UTC 23:08:04
03* NORML ssh 10 Aug 2006 20:35:40 UTC 00:00:15
...
> enable
Enable Password:
# kill 3
ok

Volume 11: Command Line Interface Reference

56

# licensing
Synopsis
Use these commands to request or update licenses.

Syntax
# licensing [subcommands]

Subcommands
# licensing request-key [force} user_id password
Requests the license key from Blue Coat using the WebPower user ID and password.
# licensing update-key [force]
Updates the license key from Blue Coat now.
# licensing register-hardware [force] user_ID password
Register hardware with Bluecoat.
# licensing mark-registered
Mark the hardware registered manually.
# licensing disable-trial
Disable trial period.
# licensing enable-trial
Enable trial period.

For More Information


Volume 1: Getting Started

Example
SGOS# licensing request-key
User ID: admin
Password: *****
...
ok

where “. . .” represents license download-in-progress information.

Chapter 2: Standard and Privileged Mode Commands

57

# load
Synopsis
Downloads installable lists or system upgrade images. These installable lists or settings also can be
updated using the inline command.

Syntax
# load accelerated-pac
Downloads the current accelerated pac file settings.
# load authentication-form form_name
Downloads the new authentication form.
# load authentication-forms
Downloads the new authentication forms.
# load exceptions
Downloads new exceptions.
# load forwarding
Downloads the current forwarding settings.
# load icp-settings
Downloads the current ICP settings.
# load license-key
Downloads the new license key.
# load policy {central | forward | local | vpm-cpl | vpm-xml}
Downloads the policy file specified
# load rip-settings
Downloads the current RIP settings.
# load socks-gateways
Downloads the current SOCKS gateways settings.
# load proxy-client-software
Loads the ProxyClient software to the Client Manager. To use this command, you must have previously
defined an upload location using #(config) sg-client on page 327. Messages display as
the software loads.
# load static-route-table
Downloads the current static route table settings.
# load upgrade [ignore-warnings]
Downloads the latest system image. The ignore-warnings option allows you to force an upgrade even if
you receive policy deprecation warnings. Note that using the load upgrade ignore-warnings command
to force an upgrade while the system emits deprecation warnings results in a policy load failure; all
traffic is allowed or denied according to default policy.
# load wccp-settings
Downloads the current WCCP settings.
# load timezone-database
Downloads a new time zone database.

For More Information


# inline on page 54

Volume 11: Command Line Interface Reference

58

Example
> show download-paths
Policy
Local:
Forward:
VPM-CPL:
VPM-XML:
Central: https://download.bluecoat.com/release/SG3/files/CentralPolicy.txt
Update when changed: no
Notify when changed: no
Polling interval:
1 day
Accelerated PAC:
ICP settings:
RIP settings:
Static route table:
Upgrade image:
bcserver1.bluecoat.com/builds/ca_make.26649/wdir/8xx.CHK_dbg
WCCP settings:
Forwarding settings:
SOCKS gateway settings:
License key:
Exceptions:
Authentication forms:
>en
Enable Password
# load upgrade
Downloading from
"bcserver1.bluecoat.com/builds/ca_make.26649/wdir/8xx.CHK_dbg"
Downloading new system software (block 2611)
The new system software has been successfully downloaded.
Use "restart upgrade" to install the new system software.

Chapter 2: Standard and Privileged Mode Commands

59

# pcap
Synopsis
The PCAP utility enables you to capture packets of Ethernet frames entering or leaving a ProxySG .
Packet capturing allows filtering on various attributes of the frame to limit the amount of data
collected. The collected data can then be transferred to the desktop for analysis.
Note: Before using the PCAP utility, consider that packet capturing doubles the amount of

processor usage performed in TCP/IP.
To view the captured packets, you must have a tool that can read Packet Sniffer Pro 1.1 files.

Syntax
# pcap [subcommands]

Subcommands
# pcap filter on page 61
Specifies filters to use for PCAP.
# pcap info
Displays the current packet capture information.

# pcap start on page 63
Starts the capture.
# pcap stop
Stops the capture.
# pcap transfer full_url/filename username password
Transfers captured data to an FTP site.

For More Information


Volume 9: Managing the Blue Coat SG Appliance.

Example 1
Capture transactions among a ProxySG (10.1.1.1), a server (10.2.2.2), and a client (10.1.1.2).
SGOS# pcap filter expr “host 10.1.1.1 || host 10.2.2.2 || host 10.1.1.2”

Example 2
This example transfers captured packets to the FTP site 10.25.36.47. Note that the username and
password are provided.
SGOS# pcap transfer ftp://10.25.36.47/path/filename.cap username password

If the folders in the path do not exist, they are not created. An error message is generated.

Volume 11: Command Line Interface Reference

60

# pcap filter
Synopsis
After a filter is set, it remains in effect until it is redefined; the filtering properties are persistent across
reboots. However, PCAP stops when a system is rebooted.

Syntax
# pcap filter [subcommands]

Subcommands
# pcap filter [direction {in | out | both}]
Specifies capture in the specified direction. If both is selected, both incoming and outgoing packets are
captured. The default setting is both.
# pcap filter [interface adapter_number:interface_number | all]
Specifies capture on the specified interface or on all interfaces. For example, 0:1. The interface number
must be between 0 and 16. The default setting is all.
# pcap filter [expr filter_expression]
Specifies capture only when the filter expression matches.
# pcap filter
No filtering specified (captures all packets in both directions---on all interfaces).

For More Information


Volume 9: Managing the Blue Coat SG Appliance.

Example
This example configures packet capturing in both directions, on all interfaces, to or from port 3035:
# pcap filter direction both interface all expr “port 3035”
ok

To verify the settings before starting PCAP, enter pcap info:
SGOS# pcap info
Current state:
Stopped
Filtering:
On
Filter:
direction both interface all expr "port 3035"
Packet capture information:
Packets captured:
Bytes captured:
Packets written:
Bytes written:
Coreimage ram used:
Packets filtered through:

Chapter 2: Standard and Privileged Mode Commands

0
0
0
0
0B
0

61

To start PCAP, enter pcap start. Then run pcap info to view the results of the packet capture.
SGOS# pcap start
ok
SGOS# pcap info
Current state:
Capturing
Filtering:
On
Filter:
direction both interface all expr "port 3035"
Packet capture information:
first count 4294967295 capsize 100000000 trunc 4294967295 coreimage 0
Packets captured:
2842
Bytes captured:
237403
Packets written:
2836
Bytes written:
316456
Coreimage ram used:
0B
Packets filtered through:
8147

After PCAP is stopped (using the pcap stop command), enter pcap info to view the results of your
PCAP session. You should see results similar to the following:
SGOS# pcap info
Current state:
Stopped
Filtering:
On
Filter:
direction both interface all expr "port 3035"
Packet capture information:
Packets captured:
Bytes captured:
Packets written:
Bytes written:
Coreimage ram used:
Packets filtered through:

Volume 11: Command Line Interface Reference

5101
444634
5101
587590
0B
10808

62

# pcap start
Synopsis
Start packet capture. The pcap start options are not persistent across reboots. You must reconfigure
them if you reboot the system.

Syntax
# pcap start [subcommands]

Subcommands
[buffering-method]

Syntax: [first | last] {[count ]|[capsize ]}
The buffering method specifies how captured packets are buffered in memory. The amount of
packets buffered cannot exceed a hard limit of 100MB.
[count] and [capsize]

The count option specifies that the buffer limit is controlled by the number of packets stored
in the buffer. The value of count must be between 1 and 1000000.
The capsize option specifies that the buffer limit is controlled by the total number of bytes of
packets stored in the buffer. The capsize value must be between 1 and 102400.
Note: The capsize n option is an approximate command; it captures an approximate
number of packets. The actual size of the file written to disk is a little larger than the capsize

value because of extra packet information such as time-stamps. If no parameters are specified,
the default is to capture until the stop subcommand is issued or the maximum limit reached.
[first] and [last]

The first and last options affect the buffering behavior when the buffer is full. When first
is specified, PCAP stops when the buffer limit is exceeded. When last is specified, PCAP
continues capturing even after the buffer limit has been exceeded. The oldest captured packets
are removed from buffer to make space for the newly captured packets: In this way, PCAP
captures the last N (or N K bytes of) packets. The saved packets in memory are written to disk
when the capture is terminated.
The packet capture file size is limited to 1% of total RAM, which might be reached before n
packets have been captured.
Note: The first option is a specific command; it captures an exact number of packets. If

no parameters are specified, the default is to capture until the stop subcommand is issued or
the maximum limit reached.
[coreimage n]
Specifies kilobytes of packets kept in a core image. The coreimage size must be between 0 and 102400.
By default, no packets are kept in the core image.
[trunc n]
The trunc n parameter collects, at most, n bytes of packets from each frame when writing to disk. The
range is 1 to 65535.

Chapter 2: Standard and Privileged Mode Commands

63

For More Information


Volume 9: Managing the Blue Coat SG Appliance.

Example 1
The following command captures the first 2000 packets that match the filtering expression:
# pcap start first count 2000

Note that the first option configures PCAP to stop capturing after the buffer limit of 2000 packets has
been reached. If the last option had been specified, PCAP keeps capturing packets even after the
buffer limit had been exceeded, until halted by the pcap stop command.

Example 2
The following command stops the capturing of packets after approximately three kilobytes of packets
have been collected.
SGOS# pcap start first capsize 3

Volume 11: Command Line Interface Reference

64

# ping
Synopsis
Use this command to verify that a particular IP address exists and can accept requests. Ping output
also tells you the minimum, maximum, and average time it took for the ping test data to reach the
other computer and return to the origin.

Syntax
# ping {ip_address | hostname}

where ip_address is the IP address and hostname is the hostname of the remote computer.

Example
SGOS# ping 10.25.36.47
Type escape sequence to abort.
Sending 5, 64-byte ICMP Echos to 10.25.36.47, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/0/0 ms
Number of duplicate packets received = 0

Chapter 2: Standard and Privileged Mode Commands

65

# policy
Synopsis
Use this command to configure policy commands.
Note: Configuring the policy command to trace all transactions by default can significantly

degrade performance and should only be used in situations where a problem is being
diagnosed.

Syntax
# policy trace {all | none}

Use all to trace all transactions by default, and use none to specify no tracing except as specified
in policy files.

Example
policy trace all
ok
All requests will be traced by default;
Warning: this can significantly degrade performance.
Use 'policy trace none' to restore normal operation
SGOS# policy trace none
ok

Volume 11: Command Line Interface Reference

66

# register-with-director
Synopsis
The register-with-director command is a setup command that automatically registers the
ProxySG with a Blue Coat Director, thus enabling that Director to establish a secure administrative
session with the. During the registration process, Director can “lock out” all other administrative
access to the appliance so that all configuration changes are controlled and initiated by Director.
If your appliance does not have an appliance certificate, you must specify the registration password
that is configured on Director.

Syntax
# register-with-director dir_ip_address [appliance_name dir_serial_number]

Example
SGOS# register-with-director 192.168.0.x
Registration Successful

Chapter 2: Standard and Privileged Mode Commands

67

# restart
Synopsis
Restarts the system. The restart options determine whether the ProxySG should simply reboot the
ProxySG (regular), or should reboot using the new image previously downloaded using the load
upgrade command (upgrade).

Syntax
# restart [subcommands]

Subcommands
# restart abrupt
Reboots the system abruptly, according to the version of the ProxySG that is currently installed. Restart
abrupt saves a core image. Note that the restart can take several minutes using this option.
# restart regular
Reboots the version of the ProxySG that is currently installed
# restart upgrade
Reboots the entire system image and allows you to select the version you want to boot, not limited to the
new version on the system.

For More Information


# load on page 58

Example
SGOS# restart upgrade
ok
SGOS# Read from remote host 10.9.17.159: Connection reset by peer
Connection to 10.9.17.159 closed.

Volume 11: Command Line Interface Reference

68

# restore-sgos4-config
Restores the ProxySG to settings last used with SGOS 4.x. The ProxySG retains the network settings.
Note that a reboot is required to complete this command.

Syntax
# restore-sgos4-config

Example
SGOS# restore-sgos4-config
Restoring SGOS 4.x configuration requires a restart to take effect.
The current configuration will be lost and the system will be restarted.
Continue with restoring? (y/n)[n]: y
Restoring configuration ...

Or if there is no SGOS 4.x configuration found:
SGOS# restore-sgos4-config
%% No SGOS 4.x configuration is available on this system.

For More Information


# restore-defaults on page 70

Chapter 2: Standard and Privileged Mode Commands

69

# restore-defaults
Synopsis
Restores the ProxySG to the default configuration. When you restore system defaults, the ProxySG’s IP
address, default gateway, and the DNS server addresses are cleared. In addition, any lists (for
example, forwarding or bypass) are cleared. After restoring system defaults, you need to restore the
ProxySG’s basic network settings, as described in Volume 9: Managing the Blue Coat SG Appliance, and
reset any customizations.

Syntax
# restore-defaults [subcommands]

Subcommands
# restore-defaults factory-defaults
Reinitializes the ProxySG to the original settings it had when it was shipped from the factory
# restore-defaults force
Restores the system defaults without confirmation.

If you don’t use the force command, you are prompted to enter yes or no before the
restoration can proceed.
# restore-defaults keep-console [force]
Restores defaults except settings required for console access. Using the keep-console option retains
the settings for all consoles (Telnet-, SSH-, HTTP-, and HTTPS-consoles), whether they are enabled,
disabled, or deleted.

If you use the force command, you are not prompted to enter yes or no before restoration can
proceed.

For More Information


Volume 9: Managing the Blue Coat SG Appliance

Example
SGOS# restore-defaults
Restoring defaults requires a restart to take effect.
The current configuration will be lost and the system will be restarted.
Continue with restoring? (y/n)[n]: n
Existing configuration preserved.

Volume 11: Command Line Interface Reference

70

# reveal-advanced
Synopsis
The reveal-advanced command allows you to enable all or a subset of the advanced commands
available to you when using the CLI. You can also use SGOS#(config) hide-advanced {all |
expand} to reveal hidden commands.

Syntax
# reveal-advanced [subcommands]

Subcommands
# reveal-advanced all
Reveals all advanced commands.
# reveal-advanced expand
Enables expanded commands.

For More Information


# hide-advanced on page 53

Example
SGOS# reveal-advanced all
ok

Chapter 2: Standard and Privileged Mode Commands

71

# show
The # show command displays all the show commands available in the standard mode plus the show
commands available only in privileged mode and configuration mode. Only show commands
available in privileged mode are discussed here. For show commands also available in the standard
mode, see > show on page 20.

Synopsis
Use this command to display system information.

Syntax
# show [subcommands]

Subcommands
# show archive-configuration
Displays archive configuration settings.
# show adn
Displays ADN configuration.

# show attack-detection on page 75
Displays client attack-detection settings.

# show configuration on page 76
Displays system configuration.
# show connection-forwarding
Displays TCP connection forwarding status and peer IP address list.

# show content on page 77
Displays content-management commands.
# show content-filter {bluecoat | i-filter | intersafe | iwf | local | optenet |
proventia | smartfilter | surfcontrol | status | websense | webwasher}
Shows settings for Blue Coat Web Filter or the various third-party content-filtering vendors. You can get
information on current content-filtering status by using the # show content-filter status
command.

# show proxy-services on page 78
Displays information on static and dynamic bypass and proxy-service behavior.
# show realms
Displays the status of each realm.

# show security on page 79
Displays security settings.

# show ssh on page 80
Displays SSH settings.
# show proxy-client
Displays ProxyClient settings.

# show ssl on page 81
Also available in standard mode, the # show ssl command offers more options in privileged mode.
# show system-resource-metrics
Displays system resource statistics.

Volume 11: Command Line Interface Reference

72

Examples
# show archive-configuration
Archive configuration
Protocol: FTP
Host:
Path:
Filename:
Username:
Password: ************
# show content-filter status
Provider:
Blue Coat
Status:
Database unavailable
Download URL:
https://list.bluecoat.com/bcwf/activity/download/bcwf.db
Download Username:
Automatic download:
Enabled
Download time of day (UTC):
0
Download on:
sun, mon, tue, wed, thu, fri, sat
Category review message:
Disabled
Dynamic Categorization Service: Enabled
Dynamic Categorization Mode:
Real-time
Download log:
Blue Coat download at: Sat, 18 Mar 2006 01:57:24 UTC
Downloading from https://list.bluecoat.com/bcwf/activity/download/bcwf.db
Requesting differential update
Differential update applied successfully
Download size:
84103448
Database date:
Thu, 09 Feb 2006 08:11:51 UTC
Database expires:
Sat, 11 Mar 2006 08:11:51 UTC
Database version:
2005040
# show realms
Local realm:
No local realm is defined.
RADIUS realm:
Realm name:
Display name:
Case sensitivity:
Primary server host:
Primary server port:
Primary server secret:
Alternate server host:
Alternate server port:
Alternate server secret:
Server retry count:
Cache duration:
Virtual URL:
Server timeout:
Spoof authentication:
One time passwords:
LDAP realm(s):
No LDAP realms are defined.

RADIUS1
RADIUS1
enabled
10.9.59.210
1812
************
1812
************
5
900
5
none
no

Chapter 2: Standard and Privileged Mode Commands

73

# show adn
Synopsis
Displays ADN settings and statistics.

Syntax
# show adn [subcommands]

Subcommands
# show adn byte-cache
Displays ADN byte-cache settings.
# show adn routing [advertise-internet-gateway | server-subnets]
Displays ADN routing settings.
# show adn tunnel
Displays ADN tunnel configuration.

For More Information


Volume 5: Advanced Networking

Example
# show adn
Application Delivery Network Configuration:
ADN:
disabled
Manager port:
3034
Tunnel port:
3035
Primary manager:
none
Backup manager:
none
External VIP:
none
Byte-cache Configuration:
Max number of peers: 10347
Max peer memory:
30
Tunnel Configuration:
proxy-processing http:
TCP window size:
reflect-client-ip :
Routing Configuration:
Internet Gateway:
Exempt Server subnet:
Exempt Server subnet:
Exempt Server subnet:

disabled
65536
use-local-ip
disabled
10.0.0.0/8
172.16.0.0/16
192.168.0.0/16

Volume 11: Command Line Interface Reference

74

# show attack-detection
Synopsis
Displays client attack-detection settings and client and server statistics.

Syntax
# show attack-detection [subcommands]

Subcommands
client [blocked | connections | statistics]
Displays client attack-detection settings.
client configuration
Displays attack-detection configuration.
server [statistics]
Displays server statistics

For More Information


Volume 5: Advanced Networking

Chapter 2: Standard and Privileged Mode Commands

75

# show configuration
Synopsis
Displays the current configuration, as different from the default configuration.

Syntax
# show configuration [subcommands]

Subcommands
# show configuration
Displays all settings
# show configuration brief
Displays the configuration without inline expansion.
# show configuration expanded
Displays the configuration with inline expansion.
# show configuration noprompts
Displays the configuration without --More-- prompts.
# show configuration post-setup
Displays the configuration made after console setup.

Example
Assuming non-default settings of:


policy = DENY



IP address of 10.167.42.38

# show configuration brief
interface 0:0 ;mode
ip-address 10.167.42.38
exit
# show configuration expanded
interface 0:0 ;mode
ip-address 10.167.42.38
exit
!
inline policy local "end-326998078-inline"

DENY
end-326998078-inline

Volume 11: Command Line Interface Reference

76

# show content
Synopsis
Displays content-management commands.

Syntax
# show content [subcommands]

Subcommands
# show content outstanding-requests
Displays the complete list of outstanding asynchronous content revalidation and distribute requests;
# show content priority [regex regex | url url]
displays the deletion priority value assigned to the regex or url, respectively
# show content url url
Displays statistics of the specified URL.

For More Information


Volume 7: Managing Content

Chapter 2: Standard and Privileged Mode Commands

77

# show proxy-services
Synopsis
Information about proxy services

Syntax
# show proxy-services [subcommands]

Subcommands
# show proxy-services
Displays all proxy services configured on the system.
# show proxy-services dynamic-bypass
Displays dynamic-bypass information.
# show proxy-services services bypass
Display services containing a bypass action.
# show proxy-services services intercept
Display services containing an intercept action.
# show proxy-services services name
Display services with name substring match.
# show proxy-services services proxy
Display services using a specific proxy.
# show proxy-services static-bypass
Displays static-bypass information.

For More Information


Volume 2: Proxies and Proxy Services

Volume 11: Command Line Interface Reference

78

# show security
Synopsis
Displays information about security parameters.

Syntax
# show security [subcommands]

Subcommands
# show security
Displays all security settings on the system.
# show security authentication-errors
Displays all authentication errors.
# show security authentication-forms
Displays authentication forms configured on the system.
# show security local-user-list
Displays the local user list configured on the system.
# show security local-user-list-group
Displays the groups in local user list.
# show security local-user-list-user
User in local user list

For More Information


Volume 4: Securing the Blue Coat ProxySG Appliance

Example
# show security
Account:
Username:
"admin"
Hashed Password: $1$it$24YXwuAGbmvQl7zhaeG5u.
Hashed Enable Password: $1$U1JZbCl1$itmTNhAwhymF2BNwBnum1/
Hashed Front Panel PIN: "$1$50KI$KR0RtYxQl02Z26cLy.Pq5."
Management console display realm name: ""
Management console auto-logout timeout: 900 seconds
Access control is disabled
Access control list (source, mask):
Flush credentials on policy update is enabled
Default authenticate.mode: auto
Transparent proxy authentication:
Method: cookie
Cookie type: session
Cookie virtual-url: "www.cfauth.com/"
IP time-to-live: 15
Verify IP: yes
Allow redirects: no
.
.
.

Chapter 2: Standard and Privileged Mode Commands

79

# show ssh
Synopsis
Displays the SSH service details.

Syntax
# show ssh [subcommands]

Subcommands
# show ssh client-key [username]
Displays the client key fingerprint for the specified username.
Note: If you upgraded from an older version of the ProxySG, you might not need to enter a
username.
# show ssh director-client-key [key_id]
Displays all client key fingerprints or the client key fingerprint of the specified key ID.
# show ssh host-public-key [sshv1 | sshv2]
Displays the sshv1 or sshv2 host public key. Both keys are displayed if you do not specify a version.
# show ssh user-list
Displays a list of users with imported RSA client keys.
# show ssh versions-enabled
Displays which SSH version or versions are enabled.

For More Information


Volume 1: Getting Started



Volume 2: Proxies and Proxy Services

Example
# show ssh versions-enabled
SSHv2 is enabled.

Volume 11: Command Line Interface Reference

80

# show ssl
Synopsis
Displays SSL settings.

Syntax
# show ssl [subcommands]

Subcommands
# show ssl ca-certificate name
Displays the CA certificate configuration
# show ssl ccl [list_name]
Displays currently configured CA certificate lists or configuration for the specified list_name. This
option can also be viewed from standard mode.
# show ssl certificate keyring_id
Displays the certificate configuration for the specified keyring.
# show ssl crl crl_id
Displays the SSL certificate Revocation List (CRL) of the specified ID.
# show ssl external-certificate name
Displays external certificate configuration of the specified name.
# show ssl intercept
Displays the SSL intercept configuration.
# show ssl keypair {des | des3 | unencrypted} keyring_id
Displays the keypair. If you want to view the keypair in an encrypted format, you can optionally specify
des or des3 before the keyringID. If you specify either des or des3, you are prompted for the
challenge entered when the keyring was created.
# show ssl keyring [keyring_id]
Displays all keyrings or the keyring of the specified ID.
# show ssl secure-signing-request keyring_id
Displays signed certificate signing request for the specified keyring.
# show ssl signing-request keyring_id
Displays the certificate signing request configuration for the specified keyring.
# show ssl ssl-client [ssl_client]
Displays information about all SSL clients or the specified SSL client. This option can also be viewed
from standard mode.
# show ssl ssl-nego-timeout
Displays the SSL negotiation timeout configuration.
# show ssl summary {ca-certificate | crl | external-certificate}
Displays the SSL summary information for CA certificates, CRLs, or external certificates.

For More Information


Volume 2: Proxies and Proxy Services

Chapter 2: Standard and Privileged Mode Commands

81

Example
# show ssl keyring
KeyringID: configuration-passwords-key
Is private key showable? yes
Have CSR? no
Have certificate? no
KeyringID: default
Is private key showable? yes
Have CSR? no
Have certificate? yes
Is certificate date range valid? yes
CA: Blue Coat SG200 Series
Expiration Date: Mar 02 22:25:32 2016 GMT
Fingerprint: B2:DE:C4:98:58:18:3C:E3:B3:4A:1C:FC:AB:B5:A4:74

Volume 11: Command Line Interface Reference

82

# temporary-route
This command is used to manage temporary route entries. After a reboot these routes are lost.

Syntax
# temporary-route [subcommands]

Subcommands
# temporary-route add destination_address netmask gateway_address
Adds a temporary route entry.
# temporary-route delete destination_address
Deletes a temporary route entry.

Chapter 2: Standard and Privileged Mode Commands

83

# test
This command is used to test subsystems. A test http get command to a particular origin server or
URL, for example, can verify Layer 3 connectivity and also verify upper layer functionality.

Syntax
# test http [subcommands]

Subcommands
# test adn IP_server_address port
Tests the ADN connection by connecting to a server.
# test dns {host_name | IP_address} [ipv4 | ipv6] [DNS_server_IP][bypass-cache]
Performs a DNS lookup and displays debugging information that describes the lookup.

If you invoke the DNS_server_IP option, the bypass-cache option is implied and is
not required.
Note:

# test http get url
Does a test GET of an HTTP object specified by url.
# test http loopback
Does a loopback test.

Example
SGOS# test http loopback
Type escape sequence to abort.
Executing HTTP loopback test
Measured throughput rate is 16688.96 Kbytes/sec
HTTP loopback test passed
SGOS# test http get http://www.google.com
Type escape sequence to abort.
Executing HTTP get test
* HTTP request header sent:
GET http://www.google.com/ HTTP/1.0
Host: www.google.com
User-Agent: HTTP_TEST_CLIENT
* HTTP response header recv'd:
HTTP/1.1 200 OK
Connection: close
Date: Tue, 15 Jul 2003 22:42:12 GMT
Cache-control: private
Content-Type: text/html
Server: GWS/2.1
Content-length: 2691
Set-Cookie:
PREF=ID=500ccde1707c20ac:TM=1058308932:LM=1058308932:S=du3WuiW7FC_lJ
Rgn; expires=Sun, 17-Jan-2038 19:14:07 GMT; path=/; domain=.google.com
Measured throughput rate is 66.72 Kbytes/sec
HTTP get test passed

Volume 11: Command Line Interface Reference

84

# traceroute
Use this command to trace the route to a destination. The traceroute command can be helpful in
determining where a problem might lie between two points in a network. Use traceroute to trace the
network path from a ProxySG back to a client or to a specific origin Web server.
Note that you can also use the trace route command from your client station (if supported) to trace the
network path between the client, a ProxySG , and a Web server. Microsoft operating systems generally
support the trace route command from a DOS prompt. The syntax from a Microsoft-based client is:
tracert [ip | hostname].

Syntax
# traceroute [subcommands]
Subcommands
# traceroute IP_address
Indicates the IP address of the client or origin server.
# traceroute hostname
Indicates the hostname of the origin server.

Example
SGOS# traceroute 10.25.36.47
Type escape sequence to abort.
Executing HTTP get test
HTTP response code: HTTP/1.0 503 Service Unavailable
Throughput rate is non-deterministic
HTTP get test passed
10.25.36.47# traceroute 10.25.36.47
Type escape sequence to abort.
Tracing the route to 10.25.36.47
1 10.25.36.47 212 0 0 0

Chapter 2: Standard and Privileged Mode Commands

85

# upload
Uploads the current access log or running configuration.

Syntax
# upload {subcommands}

Subcommands
# upload access-log all
Uploads all access logs to a configured host.
# upload access-log log log_name
Uploads a specified access log to a configured host.
# upload configuration
Uploads running configuration to a configured host.

Example
SGOS# upload configuration
ok

Volume 11: Command Line Interface Reference

86

Chapter 3: Privileged Mode Configure Commands

Configure Commands
The configure command allows you to configure the Blue Coat ProxySG settings from your current
terminal session (configure terminal), or by loading a text file of configuration settings from the
network (configure network).

Syntax
configure {terminal | network url}
configure_command
configure_command
.
.
.

where configure_command is any of the configuration commands in this document. Type a question
mark after each of these commands for a list of subcommands or options with definitions.

87

Chapter 3: Privileged Mode Configure Commands

#(config) accelerated-pac
Synopsis
Set the path to download PAC files.

Discussion
Normally, a Web server serves the Proxy Auto-Configuration (PAC) file to client browsers. This feature
allows you to load a PAC file onto the ProxySG for high performance PAC file serving right from the
device. There are two ways to create an accelerated PAC file:


customize the default PAC file and save it as a new file



Create a new custom PAC file.

In either case, it is important that the client instructions for configuring ProxySG settings contain the
URL of the Accelerated-PAC file. Clients load PAC files from:
https://SG_IP_Address:8082/accelerated_pac_base.pac.

Syntax
#(config) accelerated-pac no path
Clears the network path to download PAC file.
#(config) accelerated-pac path url
Specifies the location to which the PAC file should be downloaded.

For More Information


# inline on page 54



# load on page 58



Volume 2: Proxies and Proxy Services

Example
#(config) accelerated-pac path url
#(config) load accelerated-pac

Volume 11: Command Line Interface Reference

88

Chapter 3: Privileged Mode Configure Commands

#(config) access-log
Synopsis
The ProxySG can maintain an access log for each HTTP request made. The access log can be stored in
one of three formats, which can be read by a variety of reporting utilities.

Syntax
#(config) access-log

This changes the prompt to:
#(config access-log)

Subcommands
#(config access-log) create log log_name
Creates an access log.
#(config access-log) create format format_name
Creates an access log format.
#(config access-log) cancel-upload all
Cancels upload for all logs.
#(config access-log) cancel-upload log log_name
Cancels upload for a log
#(config access-log) default-logging {cifs | epmapper | ftp | http |
https-forward-proxy | https-reverse-proxy | icp | im | mapi | mms | p2p | rtsp
| socks | ssl | tcp-tunnel | telnet} log_name
Sets the default log for the specified protocol.
#(config access-log) delete log log_name
Deletes an access log.
#(config access-log) delete format format_name
Deletes an access log format.
#(config access-log) disable
Disables access logging.
#(config access-log) early-upload megabytes
Sets the log size in megabytes that triggers an early upload.
#(config access-log) edit log log_name—changes the prompt (see #(config log log_name)
on page 92)
#(config access-log) edit format format_name—changes the prompt (see #(config format
format_name) on page 96)
#(config access-log) enable
Enables access logging.
#(config access-log) exit
Exits #(config access-log) mode and returns to #(config) mode.
#(config access-log) max-log-size megabytes
Sets the maximum size in megabytes that logs can reach.

89

Chapter 3: Privileged Mode Configure Commands

#(config access-log) no default-logging {cifs | epmapper | ftp | http |
https-forward-proxy | https-reverse-proxy | icp | im | mapi | mms | p2p | rtsp
| socks | ssl | tcp-tunnel | telnet}
Disables default logging for the specified protocol.
#(config access-log) overflow-policy delete
Deletes the oldest log entries (up to the entire log).
#(config access-log) overflow-policy stop
Stops access logging until logs are uploaded.
#(config access-log) upload all
Uploads all logs.
#(config access-log) upload log log_name
Uploads a log.
#(config access-log) view
Shows access logging settings.
#(config access-log) view [log [brief | log_name]]
Shows the entire access log configuration, a brief version of the access log configuration, or the
configuration for a specific access log.
#(config access-log) view [format [brief | format_name]]
Shows the entire log format configuration, a brief version of the log format configuration, or the
configuration for a specific log format.
#(config access-log) view [statistics [log_name]]
Shows access log statistics for all logs or for the specified log.
#(config access-log) view [default-logging]
Shows the access log default policy

For More Information


Volume 5: Advanced Networkingg



Volume 8: Access Logging

Example
SGOS#(config) access-log
SGOS#(config access-log) create log test
ok
SGOS#(config access-log) max-log-size 1028
ok
SGOS#(config access-log) overflow-policy delete
ok

View the results. (This is a partial output.)
SGOS#(config access-log) view log
Settings:
Log name: main
Format name: main
Description:
Logs uploaded using FTP client
Logs upload as gzip file
Wait 60 seconds between server connection attempts
FTP client:
Filename format: SG_%f_%l%m%d%H%M%S.log
Filename uses utc time
Use PASV: yes

Volume 11: Command Line Interface Reference

90

Chapter 3: Privileged Mode Configure Commands

Use secure connections: no
Primary host site:
Host:
Port: 21
Path:
Username:
Password: ************
Alternate host site:
Host:
Port: 21
Path:

91

Chapter 3: Privileged Mode Configure Commands

#(config log log_name)
Synopsis
Use these commands to edit an access log.

Syntax
#(config) access-log

This changes the prompt to:
#(config access-log)
#(config access-log) edit log log_name

This changes the prompt to:
#(config log log_name)

Subcommands
#(config log log_name) bandwidth-class bwm_class_name
Specifies a bandwidth-management class for managing the bandwidth of this log.In order to

bandwidth-manage this log, bandwidth management must be enabled. Bandwidth management is
enabled by default.
Note:

You must also create a bandwidth class for this access log (in bandwidth-management
mode) before you can select it here. See #(config) bandwidth-management on page 117 for more

information
#(config log log_name) client-type custom
Uploads log using the custom client.
#(config log log_name) client-type ftp
Uploads log using the FTP client.
#(config log log_name) client-type http
Uploads log using the HTTP client.
#(config log log_name) client-type none
Disables uploads for this log
#(config log log_name) client-type websense
Uploads log using the Websense client.
#(config log log_name) commands cancel-upload
Disables uploads for this log.
#(config log log_name) commands close-connection
Closes a manually opened connection to the remote server.
#(config log log_name) commands delete-logs
Permanently deletes all access logs on the ProxySG.
#(config log log_name) commands open-connection
Manually opens a connection to the remote server.
#(config log log_name) commands rotate-remote-log
Switches to a new remote log file.
#(config log log_name) commands send-keep-alive
Sends a keep-alive log packet to the remote server.

Volume 11: Command Line Interface Reference

92

Chapter 3: Privileged Mode Configure Commands

#(config log log_name) commands test-upload
Tests the upload configuration by uploading a verification file.
#(config log log_name) commands upload-now
Uploads access log now.
#(config log log_name) connect-wait-time seconds
Sets time to wait between server connect attempts.
#(config log log_name) continuous-upload
#(config log log_name) continuous-upload enable
Uploads access log continuously to remote server.
#(config log log_name) continuous-upload keep-alive seconds
Sets the interval between keep-alive log packets
#(config log log_name) continuous-upload lag-time seconds
Sets the maximum time between log packets (text upload only).
#(config log log_name) continuous-upload rotate-remote {daily rotation_hour
(0-23) | hourly hours [minutes]}
Specifies when to switch to new remote log file.
#(config log log_name) custom-client alternate hostname [port]
Configures the alternate custom server address.
#(config log log_name) custom-client primary hostname [port]
Configures the primary custom server address.
#(config log log_name) custom-client secure {no | yes}
Selects whether to use secure connections (SSL). The default is no. If yes, the hostname must match the
hostname in the certificate presented by the server.
#(config log log_name) description description
Sets the log description.
#(config log log_name) early-upload megabytes
Sets log size in megabytes that triggers an early upload.
#(config log log_name) encryption certificate certificate_name
Specifies access-log encryption settings.
#(config log log_name) exit
Exits #(config log log_name) mode and returns to #(config access-log) mode.
#(config log log_name) format-name format_name
Sets the log format.
#(config log log_name) ftp-client alternate {encrypted-password
encrypted_password | host hostname [port] | password password | path path |
username username}
Configures the alternate FTP host site.
#(config log log_name) ftp-client filename format
Configures the remote filename format
#(config log log_name) ftp-client no {alternate | filename | primary}
Deletes the remote filename format or the alternate or primary host parameters.
#(config log log_name) ftp-client pasv {no | yes}
Sets whether PASV or PORT command is sent.
#(config log log_name) ftp-client primary {encrypted-password encrypted_password
| host hostname [port] | password password | path path | username username}
Configures the primary FTP host site.

93

Chapter 3: Privileged Mode Configure Commands

#(config log log_name) ftp-client secure {no | yes}
Selects whether to use secure connections (FTPS). The default is no. If yes, the hostname must match
the hostname in the certificate presented by the server.
#(config log log_name) ftp-client time-format {local | utc}
Selects the time format to use within upload filename.
#(config log log_name) http-client alternate {encrypted-password
encrypted_password | host hostname [port] | password password | path path |
username username}
Configures the alternate HTTP host site.
#(config log log_name) http-client filename format
Configures the remote filename format.
#(config log log_name) http-client no {alternate | filename | primary}
Deletes the remote filename format or the alternate or primary host parameters.
#(config log log_name) http-client primary {encrypted-password encrypted_password
| host hostname [port] | password password | path path | username username}
Configures the primary HTTP host site.
#(config log log_name) http-client secure {no | yes}
Selects whether to use secure connections (HTTPS). The default is no. If yes, the hostname must match
the hostname in the certificate presented by the server
#(config log log_name) http-client time-format {local | utc}
Selects the time format to use within upload filename.
#(config log log_name) no {encryption | bandwidth-class | signing}
Disables access-log encryption, bandwidth management, or digital signing for this log.
#(config log log_name) periodic-upload enable
Uploads access log daily/hourly to remote server.
#(config log log_name) periodic-upload upload-interval {daily upload_hour (0-23)
| hourly hours [minutes]}
Specifies access log upload interval.
#(config log log_name) remote-size megabytes
Sets maximum size in MB of remote log files.
#(config log log_name) signing keyring_id
Specifies the keyring to be used for digital signatures.
#(config log log_name) upload-type {gzip | text}
Sets upload file type (gzip or text).
#(config log log_name) view
Shows log settings.
#(config log log_name) websense-client
Configures the alternate websense server address.
#(config log log_name) websense-client alternate hostname [port]
Configures the alternate websense server address.
#(config log log_name) websense-client no {primary | alternate}
Deletes the primary or alternate websense server information.
#(config log log_name) websense-client primary hostname [port]
Configures the primary websense server address.

For More Information


#(config) access-log on page 89

Volume 11: Command Line Interface Reference

94

Chapter 3: Privileged Mode Configure Commands



Volume 8: Access Logging

Example
SGOS#(config) access-log
SGOS#(config access-log) edit log testlog
SGOS#(config log testlog) upload-type gzip
ok
SGOS#(config log testlog) exit
SGOS#(config access-log) exit
SGOS#(config)

95

Chapter 3: Privileged Mode Configure Commands

#(config format format_name)
Synopsis
Use these commands to edit an access log format.

Syntax
#(config) access-log

This changes the prompt to:
#(config access-log) edit format format_name

This changes the prompt to:
#(config format format_name)

Subcommands
#(config format format_name) exit
Exits #(config format format_name) mode and returns to #(config access-log) mode.
#(config format format_name) multi-valued-header-policy log-all-headers
Sets multi-valued header policy to log all headers.
#(config format format_name) multi-valued-header-policy log-first-header
Sets multi-valued header policy to log the first header.
#(config format format_name) multi-valued-header-policy log-last-header
Sets multi-valued header policy to log the last header.
#(config format format_name) type custom format_string
Specifies custom logging format.
#(config format format_name) type elff format_string
Specifies W3C extended log file format.
#(config format format_name) view
Shows the format settings.

For More Information


#(config) access-log on page 89



Volume 8: Access Logging

Example
SGOS#(config) access-log
SGOS#(config access-log) edit format testformat
SGOS#(config format testformat) multi-valued-header-policy log-all-headers
ok
SGOS#(config format testformat) exit
SGOS#(config access-log) exit
SGOS#(config)

Volume 11: Command Line Interface Reference

96

Chapter 3: Privileged Mode Configure Commands

#(config) adn
Synopsis
ADN optimization allows you to reduce the amount of tunneled TCP traffic across a WAN by means
of an overlay network called an Application Delivery Network, or ADN. ProxySG devices that
participate in the ADN utilize byte caching technology, which replaces large chunks of repeated data
with small tokens representing that data. ProxySG devices in the ADN also use gzip compression to
further reduce the amount of data flowing over the WAN.

Syntax
SGOS#(config) adn

The prompt changes to
SGOS#(config adn)

Subcommands
SGOS#(config adn) byte-cache
Configures byte caching parameters. The prompt changes to SGOS#(config adn byte-cache)
SGOS#(config adn byte-cache) exit
Exits the SGOS#(config adn byte-cache) submode and returns to SGOS#(config adn)
mode.
SGOS#(config adn byte-cache) max-disk-usage percentage
Sets the maximum percentage of disk space that can be used for byte caching. When this setting is
changed, an immediate resizing is done. If the statistics have changed since the last resizing, the
recommended dictionary sizes and the rankings for each peer might change. However, if there has
been no traffic (and it is still the same day), or if the changes balance out, there might be no change
to either the recommended dictionary sizes or the rankings.
SGOS#(config adn byte-cache) peer-size peer-id {size_in_megabytes | auto |
none}
Manually sets the amount of memory used to keep track of the byte-cache hash table or disables
compression to this peer.. Generally, the dynamic settings are acceptable; you do not need to change
the dictionary size. Only if you determine that the algorithm performance does not guarantee the
right dictionary size for a specific peer should you manually set the dictionary size.
SGOS#(config adn byte-cache) view
Views the current configuration of the byte caching parameters.
SGOS#(config adn) {enable | disable}
Enables or disables the ADN optimization network.
SGOS#(config adn) exit
Exits the SGOS#(config adn) submode and returns to SGOS#(config) mode.
SGOS#(config adn) load-balancing
Configures load-balancing parameters. The prompt changes to SGOS#(config adn
load-balancing).
SGOS#(config adn load-balancing) {enable | disable}
Enables or disables load-balancing functionality.
SGOS#(config adn load-balancing) exit
Exits the submode and returns to SGOS#(config adn) mode.
SGOS#(config adn load-balancing) external-vip IP_address
Sets the external VIP. The same VIP must be configured on each ProxySG in the cluster, and the VIP

97

Chapter 3: Privileged Mode Configure Commands

must exist on an external load balancing device. The external VIP is used in explicit external load
balancing.
SGOS#(config adn load-balancing) group group_name
Sets the group name for an ADN group. Groups are used in transparent load balancing.
SGOS#(config adn load-balancing) load-balance-only {enable | disable}
Specifies whether the node can take participate in load balancing (disable) or if it acts as a load
balancer only (enable).
SGOS#(config adn load-balancing) no {external-vip | group}
Removes the external VIP or group name.
SGOS#(config adn load-balancing) view
Views the load-balancing configuration.
SGOS#(config adn) manager
Configures manager parameters. The prompt changes to SGOS#(config adn manager).
SGOS#(config adn manager) approved-peers
Configures approved-peers. The prompt changes to SGOS#(config adn approved-peers).
SGOS#(config adn approved-peers) add peer-serial-number
SGOS#(config adn approved-peers) exit
Exits the SGOS#(config adn approved-peers) submode and returns to SGOS#(config
adn manager) mode.
SGOS#(config adn approved-peers) view [approved-peers | backup-manager-id
| pending-peers | primary-manager-id]
Views the list of approved devices and connections, as well as the device ID of the ADN
manager and backup manager.
SGOS#(config adn manager) backup-manager (IP_address [device_id]| self
Defines the backup ADN manager. While optional, defining a backup ADN manager is highly
recommended. If the primary ADN manager goes offline for any reason, routing updates are no
longer available which prevent nodes from learning when other nodes enter and leave the network.
Existing route information is still retained by the peers, however.
SGOS#(config adn manager) exit
Exits the SGOS#(config adn manager) submode and returns to SGOS#(config adn) mode.
SGOS#(config adn manager) no {backup-manager | primary-manager}
Clears the IP address of the specified ADN manager or backup manager.
SGOS#(config adn manager) pending-peers
Configures pending peers. The prompt changes to SGOS#(config adn pending-peers)
SGOS#(config adn pending-peers) {accept | reject} {device-id | all}
Allows or denies a specific peer or all peers that want to join a network.
SGOS#(config adn pending-peers) {enable | disable}
Enables or disables the pending-peers functionality.
SGOS#(config adn pending-peers) exit
Exits the SGOS#(config adn pending-peers) submode and returns to SGOS#(config
adn manager) mode.
SGOS#(config adn pending-peers) view
Views the list of pending devices and connections.
SGOS#(config adn manager) port port_number
Sets the port number for the primary and backup ADN managers. All ProxySG devices in the ADN
must use the same manager port number. The default is port 3034; it should not be changed.
SGOS#(config adn manager) primary-manager IP_address
Defines the primary ADN manager. The responsibility of the ADN manager is to keep up to date the

Volume 11: Command Line Interface Reference

98

Chapter 3: Privileged Mode Configure Commands

routing information from each ProxySG node on the WAN optimization network and to broadcast
that information to all the peers.
SGOS#(config adn manager) secure-port port_number
SGOS#(config adn manager) view
Views the adn manager configuration.
SGOS#(config adn) routing
Configures routing information. The prompt changes to SGOS#(config adn routing).
SGOS#(config adn routing) advertise-internet-gateway
Enters advertise-internet-gateway mode to enable the ProxySG as an Internet gateway.
Changes the prompt to SGOS#(config adn advertise-internet-gateway).
SGOS#(config adn routing advertise-internet-gateway) {disable | enable}
Enables or disables the ability for this peer to be used as an Internet gateway.
SGOS#(config adn routing advertise-internet-gateway) exempt-subnet {add
{subnet_prefix[/prefix_length]} clear-all | remove
{subnet_prefix[/prefix_length]} | view}
Manages subnets t that must not be routed to Internet gateway(s).
SGOS#(config adn routing advertise-internet-gateway) exit
Leaves the advertise-internet-gateway submode and returns to the routing submode.
SGOS#(config adn routing advertise-internet-gateway) view
Displays the advertise-internet-gateway parameters.
SGOS#(config adn routing) prefer-transparent {enable | disable}
Forces peers to always use advertised routes or to allows them to use transparent routes if they
are available.
SGOS#(config adn routing) exit
Exits the SGOS#(config adn routing) submode and returns to SGOS#(config adn) mode.
SGOS#(config adn routing) server-subnets
Configures server-subnets that will be advertised to other peers on the WAN optimization network.
The prompt changes to SGOS#(config adn routing server-subnets).
SGOS#(config adn routing server-subnets) add subnet_prefix[/prefix length]
Adds a subnet with the specified prefix and, optionally, the prefix length, to the ProxySG routes
that it sends to the ADN manager.
SGOS#(config adn routing server-subnets) clear-all
Deletes all subnets listed on the system.
SGOS#(config adn routing server-subnets) exit
Exits the SGOS#(config adn routing server-subnets) submode and returns to
SGOS#(config adn routing) submode.
SGOS#(config adn routing server-subnets) view
Views the current configuration of the server subnets.
SGOS#(config adn routing) view
Views the current parameters of the routing configuration.
SGOS#(config adn) security
Configures authorization parameters. Changes the prompt to SGOS#(config adn security).
SGOS#(config adn security) authorization
Enables connection authorization.

{enable | disable}

SGOS#(config adn security) device-auth-profile profile_name [no-authorization]
Select the ADN device-auth profile name. The profile must already exist.
SGOS#(config adn security) exit
Leaves the security submode. Returns to (config adn) mode.

99

Chapter 3: Privileged Mode Configure Commands

SGOS#(config adn security) manager-listening-mode {plain-only |
plain-read-only | secure-only| both}
Configure manager listening mode. Both refers to plain-only or secure-only.
SGOS#(config adn security) no device-auth-profile
Clears the profile name.
SGOS#(config adn security) secure-outbound {none | routing-only|
secure-proxies | all}
Configure outbound connection encryption, where none indicates the encryption is disabled,
routing-only enables encryption on outbound traffic, secure-proxies enables encryption on
secure proxy (that is, HTTPS or SSL) traffic, and all indicates that encryption is enabled on all
outbound connections.
SGOS#(config adn security) tunnel-listening-mode {plain-only | secure-only|
both}
Starts the specified tunnel listening mode.
SGOS#(config adn security) view
View security configuration
SGOS#(config adn) tunnel
Configures parameters for tunnel connections. Tunnel connections are established between ADN peers
in order to carry optimized traffic over the WAN. Changes the prompt to SGOS#(config adn
tunnel).
SGOS#(config adn tunnel) connect-transparent {enable | disable}
Control outbound ADN transparent tunnel initiation
SGOS#(config adn tunnel) exit
Exits the SGOS#(config adn tunnel) submode and returns to SGOS#(config adn) mode.
SGOS#(config adn tunnel) port port_number
Sets the port number for the client or data port used by ADN tunnel connections. Each ADN node
has a TCP listener on this port in order to receive tunnel connections. The default is port 3035; it
should not be changed.
SGOS#(config adn tunnel) preserve-dest-port {enable | disable}
Preserve destination port on outbound connections
SGOS#(config adn tunnel) proxy-processing http {enable | disable}
Enables HTTP handoff. This option should be used with care as both byte caching and object
caching require significant resources. Be sure that your ProxySG devices are sized correctly if you
intend to use this option.
SGOS#(config adn tunnel) reflect-client-ip (allow | deny | use-local-ip)
Allows the concentrator proxy to follow, deny, or ignore the branch proxy reflect-client-ip settings.
SGOS#(config adn tunnel) secure-port port_number
Configure listening port for secure ADN tunnel
SGOS#(config adn tunnel) tcp-window-size {auto | size_in_bytes}
Sets the TCP window size for ADN optimization tunnel connections based on current network
conditions and on the receiving host’s acknowledgement. Auto is the default; under most
circumstances, this option should not be set manually.
SGOS#(config adn tunnel) view
Views the current configuration ADN tunnel parameters.
SGOS#(config adn) view
Views the configuration of the WAN optimization parameters you created on this system.

For More Information


Volume 5: Advanced Networking

Volume 11: Command Line Interface Reference

100

Chapter 3: Privileged Mode Configure Commands

Example
SGOS#(config adn)
SGOS#(config
SGOS#(config
SGOS#(config
SGOS#(config

adn) enable
adn) manager
adn manager) primary-manager 10.25.36.47
adn) backup-manager 10.25.36.48

SGOS#(config adn) tunnel
SGOS#(config adn tunnel) tcp-window-size 200000
SGOS#(config adn tunnel) exit
SGOS#(config
SGOS#(config
SGOS#(config
SGOS#(config
SGOS#(config
SGOS#(config

adn) routing
adn routing) server-subnets
adn routing server-subnets) clear-all
adn routing server-subnets) add 10.9.59.0/24
adn routing server-subnets) exit
adn routing) exit

SGOS#(config adn) byte-cache
SGOS#(config adn byte-cache) max-peer-memory 40
SGOS#(config adn byte-cache) exit

101

Chapter 3: Privileged Mode Configure Commands

SGOS#(config adn) view
Application Delivery Network Configuration:
ADN:
enabled
External VIP:

none

Manager Configuration:
Primary manager:
Backup manager:
Port:
Secure port:
Approved device
Allow pending devices:
Pending device

self
none
3034
3036
Connecting from
enabled
Connecting from

Byte-cache Configuration:
Max number of peers:
10347
Max peer memory:
30
Tunnel Configuration:
Port:
Secure port:
proxy-processing http:
accept-transparent:
connect-transparent:
preserve-dest-port:
TCP window size:
reflect-client-ip:

3035
3037
disabled
enabled
enabled
enabled
65536
use-local-ip

Routing Configuration:
Internet Gateway:
Exempt Server subnet:
Exempt Server subnet:
Exempt Server subnet:

disabled
10.0.0.0/8
172.16.0.0/12
192.168.0.0/16

Security Configuration:
Device-auth-profile:
Manager-listening mode:
Tunnel-listening mode:
Authorization:
Secure-outbound:

bluecoat
plain-only
plain-only
enabled
none

Volume 11: Command Line Interface Reference

102

Chapter 3: Privileged Mode Configure Commands

#(config) alert
Synopsis
Configures the notification properties of hardware environmental metrics (called sensors) and the
threshold and notification properties of system resource health monitoring metrics. These health
monitoring metrics allow you to assess the health of the ProxySG.
Note:

Sensor thresholds are not configurable.

Syntax
#(config) alert threshold metric_name warning_threshold warning_interval
critical_threshold critical_interval
#(config) alert notification metric_name notification_method
#(config) alert severity sensor power-supply condition

Subcommands
#(config) alert threshold | notification cpu-utilization
Sets alert threshold and notification properties for CPU utilization metrics.
#(config) alert threshold | notification license-utilization license_type
Sets alert threshold and notification properties for licenses with user limits.
#(config) alert threshold | notification license-expiration license_type
Sets alert threshold and notification properties for license expiration.
#(config) alert threshold | notification memory-utilization
Sets alert threshold and notification properties for memory pressure metrics.
#(config) alert threshold | notification network-utilization adapter:interface
Sets alert threshold and notification properties for interface utilization metrics.
#(config) alert notification adn {connection|manager} notification_type
Sets alert notification properties for ADN.
#(config) alert notification disk-status disk_number notification_type
Sets alert notification properties for disk status messages.
#(config) alert notification health-check notification_type
Sets alert notification properties for health-checks globally.
#(config) alert notification sensor sensor_type
Sets alert notification properties for hardware environmentals. See “Sensors” on page 103 for a
description of the sensor types.

Sensors
The following table describes the sensor metrics. The hardware and environmental metrics are
referred to as sensors. Sensor threshold values are not configurable and are preset to optimal values.
For example, if the CPU temperature reaches 55 degrees Celsius, it is considered to have entered the
Warning threshold.

103

Chapter 3: Privileged Mode Configure Commands

Table 3-1. Sensor Health Monitoring Metrics
Metric

MIB

Threshold States

Disk status

Disk

Critical:
Bad
Warning:
Removed
Offline
OK:
Present
Not Present

Temperature

Sensor

Bus temperature
CPU temperature
Fan

Critical
Warning
OK

Sensor

CPU Fan

Critical
Warning
OK

Voltage

Sensor

Bus Voltage
CPU voltage
Power Supply voltage

Critical
Warning
OK

Thresholds
The following table describes the health monitoring metrics and default thresholds. Sensor thresholds
cannot be set.
Table 3-2. System Resource Health Monitoring Metrics
Metric

Units

Threshold and
Interval Defaults

Notes

CPU Utilization

Percentage

Critical: 95/120

Measures the value of CPU 0 on
multi-processor systems--not the average
of all CPU activity.

Warning: 80/120
Memory Utilization

Percentage

Critical: 95/120
Warning: 90/120

Network Utilization

Percentage

Critical: 90/120
Warning: 60/120

License Utilization

Percentage

Critical: 90/0
Warning: 80/0

Volume 11: Command Line Interface Reference

Memory pressure occurs when memory
resources become limited, causing new
connections to be delayed.
Measures the traffic (in and out) on the
interface to determine if it is approaching
the maximum allowable bandwidth.
For licenses that have user limits, monitors
the number of users.

104

Chapter 3: Privileged Mode Configure Commands

Table 3-2. System Resource Health Monitoring Metrics (Continued)
Metric

Units

License Expiration

Days

Threshold and
Interval Defaults

Notes

Critical: 0/0

Warns of impending license expiration.

Warning: 15/0
(For new ProxySG
appliances running
SGOS 5.3)

For license expiration metrics, intervals are
ignored. Refer to Volume 7: Managing the
Blue Coat ProxySG Appliance for more
information.

For the purposes of notification, thresholds are defined by two variables, the threshold level and the
threshold interval:


The threshold level describes the state of the metric: OK, Warning, or Critical.

Note:

Sensors have different threshold levels than OK, Warning, and Critical. See “Sensors” on page
103 for more information.


The threshold interval specifies the period of time that the metric must stay in the level before
an alert is triggered.

Consider the following command:
#(config) alert threshold cpu-utilization 80 20 90 20

The preceding command sets the cpu-utilization threshold values as follows:


Warning Threshold=80 (percent)



Warning Interval=20 (seconds)



Critical Threshold=90 (percent)



Critical Interval=20 (seconds)

In this example, if CPU activity hovers between 80% and 89% for 20 seconds, the cpu-utilization metric
is considered to be in the Warning condition.
Notification occurs when a threshold state changes, for example, from OK to Warning. See
“Notification Methods” on page 105 for more information.

Notification Methods
The following notification methods can be set. To set more than one type of notification, separate the
notification method by spaces. For example:
#(config)alert notification license-utilization users email log trap
Table 3-3. Alert Notification Methods
Method

Description

email

Notify using e-mail

log

Notify using Event log

trap

Notify using SNMP trap

none

Disable notification

105

Chapter 3: Privileged Mode Configure Commands

Licenses
The license utilization and expiration alert settings can be modified for the following licenses.
Table 3-4. Health Monitoring License Options
Method.

Description

sgos

Alert properties for SGOS (expiration only)

ssl

Alert properties for SSL Proxy (expiration only)

The threshold values for license expiration metrics are set in days until expiration. In this context, a
"critical" threshold indicates that license expiration is imminent. This is the only metric in which the
Critical threshold value should be smaller than the Warning threshold value. For example, if you set
the Warning threshold to 45, an alert is sent when there are 45 days remaining in the license period.
The Critical threshold would be less than 45 days, for example 5 days.
For the license expiration metrics, the threshold interval is irrelevant and is set by default to 0. The
Critical threshold is configured to 0, which means that a trap is immediately sent upon license
expiration.
You should set the Warning Threshold to a value that gives you ample time to renew your license.
For new ProxySG appliances running SGOS 5.3, the default Warning threshold for license
expiration is 15 days. For ProxySG appliances upgrading from earlier versions to SGOS 5.3,

the default Warning threshold remains at the same value prior to the upgrade. For example,
if the Warning threshold was 30 days prior to the upgrade, the Warning threshold will
remain at 30 days after the upgrade. Refer to the most current Release Notes for SGOS upgrade
information.
For More Information


Volume 7: Managing the Blue Coat ProxySG Appliance

Examples
#(config) alert threshold cpu-utilization 80 20 90 20
#(config) alert threshold license-utilization users 80 20 90 20
#(config) alert threshold license-expiration sgos 65 30
#(config) alert notification cpu-utilization trap
#(config) alert notification license-utilization users email log trap
#(config) alert notification sensor fan email
#(config) alert notification sensor voltage trap

Volume 11: Command Line Interface Reference

106

Chapter 3: Privileged Mode Configure Commands

#(config) archive-configuration
Synopsis
Archiving a ProxySG system configuration on a regular basis is always a good idea. In the rare case of
a complete system failure, restoring a ProxySG to its previous state is simplified by loading an
archived system configuration from an FTP, HTTP, or HTTPS server. The archive contains all system
settings differing from system defaults, along with any forwarding and security lists installed on the
ProxySG.

Unless you restore the SSL configuration-passwords-key keyring from the source device,
archives can only be restored onto the same device that was the source of the archive. This is
because the encrypted passwords in the configuration (login, enable, FTP, etc.) cannot be
decrypted by a device other than that on which it was encrypted.

Syntax
#(config) archive-configuration [subcommands]

Subcommands
#(config) archive-configuration archive-signing {enforce-signed (enable |
disable} | signing-keyring keyring-name | verify-ccl ccl-name}
Configures the archiving signing options. A signed archive is a configuration backup that is
cryptographically signed with a key known only to the signing entity—the digital signature guarantees
the integrity of the content and the identity of the originating device. You can then use a trusted CA
Certificate List (CCL) to verify the authenticity of the archive.
The enforce-signed option enforces installation of only signed archives. The signing-keyring option
specifies the keyring that will be used to sign archives. The verify-ccl option specifies the CCL to use
for verifying signed archives.
#(config) archive-configuration encrypted-password encrypted_password
Encrypted password for upload host (not required for TFTP)
#(config) archive-configuration filename-prefix filename
Specifies the prefix that should be applied to the archive configuration on upload. For example, %H
(Hour in 24-hour format). Refer to the backup chapter in Volume 1: Getting Started for a complete

list of file name prefixes.
#(config) archive-configuration host hostname
Specifies the HTTP, HTTPS, FTP, or TFTP host to which the archive configuration should be uploaded.
#(config) archive-configuration no signing-keyring
Disables the requirement for signed archives.
#(config) archive-configuration password password
Specifies the password for the host to which the archive configuration should be uploaded
#(config) archive-configuration path path
Specifies the path to the HTTP, HTTPS, or FTP host to which the archive configuration should be
uploaded. Not required for TFTP.
#(config) archive-configuration port port
Specifies the port to use for uploading the archive.
#(config) archive-configuration protocol {ftp | tftp | http | https}
Uploads the archive using the specified protocol—HTTP, HTTPS, FTP, or TFTP.
#(config) archive-configuration ssl-device-profile ssl-device-profile name
Specifies the device profile used for SSL connections. An SSL device profile contains the information
required for device authentication, including the name of the keyring that contains the private key and

107

Chapter 3: Privileged Mode Configure Commands

certificate this device uses to authenticate itself. The default keyring is appliance-key. (For information
on private and public keys, refer to Volume 4: Securing the Blue Coat ProxySG Appliance.)
#(config) archive-configuration username username
Specifies the username for the remote host to which the archive configuration should be uploaded. Not
required for TFTP.

For More Information


Volume 1: Getting Started

Example
SGOS#(config) archive-configuration host host3
ok

Volume 11: Command Line Interface Reference

108

Chapter 3: Privileged Mode Configure Commands

#(config) attack-detection
Synopsis
The ProxySG can reduce the effects of distributed denial of service (DDoS) attacks and port scanning,
two of the most common virus infections.
The ProxySG prevents attacks by limiting the number of TCP connections from each client IP address
and either will not respond to connection attempts from a client already at this limit or will reset the
connection.

Syntax
#(config) attack-detection

This changes the prompt to:
#(config attack-detection)

Subcommands
#(config attack-detection) client
Changes the prompt to #(config client) on page 111.
#(config attack-detection) exit
Leaves #(config attack-detection) mode and returns to #(config) mode.
#(config attack-detection) server
Changes the prompt to #(config server) on page 114.
#(config attack-detection) view client [blocked | connections | statistics]
Displays client information. The blocked option displays the clients blocked at the network level, the
connections option displays the client connection table, and the statistics option displays client
request failure statistics.
#(config attack-detection) view configuration
Allows you to view attack-detection configuration settings or the number of current connections.
#(config attack-detection) view server [statistics]
Displays server information. The statistics option displays server-connection failure statistics

For More Information


Volume 5: Advanced Networking

Example
#(config attack-detection) view configuration
Client limits enabled:
false
Client interval:
20 minutes
Default client limits:
Client connection limit:
100
Client failure limit:
50
Client warning limit:
10
Blocked client action:
Drop
Client connection unblock time:
unlimited

109

Chapter 3: Privileged Mode Configure Commands

Client limits for 10.9.59.210:
Client connection limit:
Client failure limit:
Client warning limit:
Blocked client action:
Client connection unblock time:

Volume 11: Command Line Interface Reference

100
50
10
Drop
unlimited

110

Chapter 3: Privileged Mode Configure Commands

#(config client)
Synopsis
Configures a client for attack detection.

Syntax
#(config attack-detection) client

This changes the prompt to
#(config client)

Subcommands
#(config client) block ip_address [minutes]
Blocks a specific IP address for the number of minutes listed. If the optional minutes argument is
omitted, the client is blocked until explicitly unblocked.
#(config client) create ip_address or ip_address_and_length
Creates a client with the specified IP address or subnet.
#(config client) default {block-action {drop | send-tcp-rst} | connection-limit
number_of_tcp_connections | failure-limit number_of_requests | unblock-time
minutes | warning-limit number_of_warnings}
Default indicates the values that are used if a client does not have specific limits set. These

settings can over overridden on a per-client basis.
If they are modified on a per-client basis, the specified limits become the default for new
clients. To change the limits on a per-client basis, see edit, below.
System defaults for attack-detection limits are:


block-action: drop



connection-limit: 100



failure-limit: 50



unblock-time: unlimited



warning-limit: 10

#(config client) delete ip_address or ip_address_and_length
Deletes the specified client.
#(config client) {disable-limits | enable limits}
Enables (sets to true) or disables (sets to false) attack detection.
#(config client) edit ip_address
Changes the prompt to #(config client ip_address).
#(config client IP_address) block-action {drop | send-tcp-rst}
Indicates the behavior when the client is at the maximum number of connections or exceed the
warning limit: drop connections that are over the limit or send TCP RST for connections over the
limit. The default is drop.
#(config client IP_address) connection-limit number_of_tcp_connections
Indicates the number of simultaneous connections between 1 and 65535. The default is 100.
#(config client IP_address) exit
Exits the #(config client ip_address) submode and returns to #(config client)
mode.

111

Chapter 3: Privileged Mode Configure Commands

#(config client IP_address) failure-limit number_of_requests
Indicates the maximum number of failed requests a client is allowed before the proxy starts issuing
warnings. Default is 50. This limit can be modified on a per-client basis.
#(config client IP_address) no {connection-limit | failure-limit |
warning-limit | unblock-time}
Clears the specified limits on a per-client basis.

If you edit an existing client’s limits to a smaller value, the new value only applies to new
connections to that client. For example, if the old value was 10 simultaneous connections
and the new value is 5, existing connections above 5 are not dropped.
#(config client IP_address) unblock-time minutes
Indicates the amount of time a client is blocked at the network level when the client-warning-limit is
exceeded. Time must be a multiple of 10 minutes, up to a maximum of 1440. The default is
unlimited.
#(config client IP_address) view
Displays the limits for this client.
#(config client IP_address) warning-limit number_of_warnings}
Indicates the number of warnings sent to the client before the client is blocked at the network level
and the administrator is notified. The default is 10; the maximum is 100.
#(config client IP_address) enable-limits
Enables attack detection. This is a global setting and cannot be configured individually for specific
clients.
#(config client IP_address) interval minutes
Indicates the amount of time, in multiples of 10 minutes, that client activity is monitored. The
default is 20. Note that this is a global limit and cannot be modified for individual clients.
#(config client IP_address) no default {connection-limit | failure-limit |
warning-limit | unblock-time}
Clears the specified limit settings. These settings are applied to all new clients.
#(config client IP_address) view [blocked | connections | statistics]
Views all limits for all clients, or you can show clients blocked at the network level, view the client
connection table, or view client request failure statistics.
#(config client IP_address) unblock ip_address
Releases a specific IP address.

For More Information


Volume 5: Advanced Networking

Example
SGOS#(config) attack-detection
SGOS#(config attack-detection) client
SGOS#(config client) view
Client limits enabled:
true
Client interval:
20 minutes
Default client limits:
Client connection limit:
Client failure limit:
Client warning limit:
Blocked client action:
Client connection unblock time:

Volume 11: Command Line Interface Reference

700
50
10
Drop
unlimited

112

Chapter 3: Privileged Mode Configure Commands

Client limits for 10.9.17.159:
Client connection limit:
Client failure limit:
Client warning limit:
Blocked client action:
Client connection unblock time:

unlimited
unlimited
unlimited
Drop
unlimited

Client limits for 10.9.17.134:
Client connection limit:
Client failure limit:
Client warning limit:
Blocked client action:
Client connection unblock time:

700
50
10
Drop
unlimited

113

Chapter 3: Privileged Mode Configure Commands

#(config server)
Synopsis
Configures a server for attack detection.

Syntax
#(config attack-detection) server

This changes the prompt to:
#(config server)

Subcommands
#(config server) create hostname
Creates a server or server group that is identified by the hostname.
#(config server) delete hostname
Deletes a server or server group.
#(config server) edit hostname
Changes the prompt to #(config server hostname)
#(config server hostname) add hostname
Adds an additional server to this server group.
#(config server hostname) exit
Exits the #(config server hostname) submode and returns to #(config server) mode.
#(config server hostname) request-limit number_of_requests
Indicates the number of simultaneous requests allowed from this server or server group. The default
is 1000.
#(config server hostname) view
Displays the request limit for this server or server group.
#(config server) exit
Exits the #(config server) submode and returns to #(config attack-detection) mode.
#(config server) view [statistics]
Displays the request limit for all servers or server groups.

For More Information


Volume 5: Advanced Networking

Example
SGOS#(config) attack-detection
SGOS#(config attack-detection) server
SGOS#(config server) create test1
ok
SGOS#(config server) edit test1
SGOS#(config server test1) add 10.9.17.134
ok
SGOS#(config server test1) view
Server configuration for test1:
Request limit: 1000
Host:
10.9.17.134

Volume 11: Command Line Interface Reference

114

Chapter 3: Privileged Mode Configure Commands

115

Chapter 3: Privileged Mode Configure Commands

#(config) bandwidth-gain
Synopsis
Bandwidth gain is a measure of the effective increase of server bandwidth resulting from the client’s
use of a content accelerator. For example, a bandwidth gain of 100% means that traffic volume from
the ProxySG to its clients is twice as great as the traffic volume being delivered to the ProxySG from
the origin server(s). Using bandwidth gain mode can provide substantial gains in apparent
performance.
Keep in mind that bandwidth gain is a relative measure of the ProxySG’s ability to amplify traffic
volume between an origin server and the clients served by the device.

Syntax
#(config) bandwidth-gain disable
Disables bandwidth-gain mode
#(config) bandwidth-gain enable
Enables bandwidth-gain mode.

For More Information


Volume 5: Advanced Networking

Example
SGOS#(config) bandwidth-gain enable
ok

Volume 11: Command Line Interface Reference

116

Chapter 3: Privileged Mode Configure Commands

#(config) bandwidth-management
Synopsis
Bandwidth management allows you to classify, control, and, if required, limit the amount of
bandwidth used by a class of network traffic flowing into or out of the ProxySG.

Syntax
#(config) bandwidth-management

This changes the prompt to:
#(config bandwidth-management)

Subcommands
#(config bandwidth-management) create class_name
Creates a bandwidth-management class.
#(config bandwidth-management) delete class_name
Deletes the specified bandwidth-management class. Note that if another class has a reference to the
specified class, this command fails.
#(config bandwidth-management) disable
Disables bandwidth-management.
#(config bandwidth-management) edit class_name—changes the prompt (see #(config
bandwidth-management class_name) on page 118)
#(config bandwidth-management) enable
Enables bandwidth-management.
#(config bandwidth-management) exit
Exits #(config bandwidth-management) mode and returns to #(config) mode.
#(config bandwidth-management) view configuration [bandwidth_class]
Displays bandwidth-management configuration for all bandwidth-management classes or for the class
specified.
#(config bandwidth-management) view statistics [bandwidth_class]
Displays bandwidth-management statistics for all bandwidth-management classes or for the class
specified.

For More Information


Volume 5: Advanced Networking

Example
SGOS#(config) bandwidth-management
SGOS#(config bandwidth-management) enable
ok
SGOS#(config bandwidth-management) create Office_A
ok
SGOS#(config bandwidth-management) edit Office_A
SGOS#(config bw-class Office_A) exit
SGOS#(config bandwidth-management) exit
SGOS#(config)

117

Chapter 3: Privileged Mode Configure Commands

#(config bandwidth-management class_name)
Synopsis
This command allows you to edit a bandwidth-management class.

Syntax
#(config) bandwidth-management

This changes the prompt to:
#(config bandwidth-management)
#(config bandwidth-management) edit class_name

This changes the prompt to:
#(config bandwidth-management class_name)

Subcommands
#(config bandwidth-management class_name) exit
Exits #(config bandwidth-management class_name) mode and returns to #(config
bandwidth-management) mode.
#(config bandwidth-management class_name) max-bandwidth maximum_in_kbps
Sets the maximum bandwidth for this class.
#(config bandwidth-management class_name) min-bandwidth minimum_in_kbps
Sets the minimum bandwidth for this class
#(config bandwidth-management class_name) no max-bandwidth
Resets the maximum bandwidth of this bandwidth-management class to the default (unlimited—no
maximum)
#(config bandwidth-management class_name) no min-bandwidth
Resets the minimum bandwidth of this bandwidth-management class to the default (no minimum).
#(config bandwidth-management class_name) no parent
Clears the parent from this bandwidth-management class.
#(config bandwidth-management class_name) parent class_name
Makes the specified class a parent of the class being configured.
#(config bandwidth-management class_name) priority value_from_0_to_7
Sets the priority for this bandwidth-management class. The lowest priority level is 0 and the highest is 7.
#(config bandwidth-management class_name) view [children]
Displays the settings for this bandwidth-management class or displays the settings for the children of
this bandwidth-management class.

For More Information


Volume 5: Advanced Networking

Volume 11: Command Line Interface Reference

118

Chapter 3: Privileged Mode Configure Commands

Example
SGOS#(config) bandwidth-management
SGOS#(config bandwidth-management) edit CEO_A
SGOS#(config bw-class CEO_A) parent Office_A
ok
SGOS#(config bw-class CEO_A) priority 2
ok
SGOS#(config bw-class CEO_A) exit
SGOS#(config bandwidth-management) exit
SGOS#(config)

119

Chapter 3: Privileged Mode Configure Commands

#(config) banner
Synopsis
This command enables you to define a login banner for your users.

Syntax
#(config) banner login string
Sets the login banner to the value of string.
#(config) banner no login
Sets the login banner to null.

For More Information


Volume 2: Proxies and Proxy Services

Example
#(config) banner login “Sales and Marketing Intranet Web”
ok

Volume 11: Command Line Interface Reference

120

Chapter 3: Privileged Mode Configure Commands

#(config) bridge
Synopsis
Allows you to configure bridging.

Syntax
#(config) bridge

This changes the prompt to:
#(config bridge)

Subcommands
#(config bridge) bandwidth-class bridgename
Sets bridge bandwidth class.
#(config bridge) create bridgename
Creates a bridge. This bridge name is case insensitive. You cannot name one bridge “ABC” and

another bridge “abc”.
#(config bridge) delete bridgename
Deletes the bridge.
#(config bridge) edit bridgename
Changes the prompt to #(config bridge bridgename)
#(config bridge bridgename) exit
Exits the #(config bridge hostname) submode and returns to #(config bridge) mode.
#(config bridge) no bandwidth-class
Clears the bandwidth-class settings.
#(config bridge) view {configuration | statistics | fwtable} bridgename
Displays information for the specified bridge or fall all bridges.
Note:

To bandwidth-manage a bridge, bandwidth management must be enabled. Bandwidth
management is enabled by default if you have a valid bandwidth-management license. You must
also create a bandwidth class for bridging (in bandwidth-management mode) before you can
select it here. See #(config bandwidth-management class_name) on page 118 for more
information.

For More Information


Volume 1: Getting Started

Example
SGOS#(config) bridge
SGOS#(config bridge) create test
ok
SGOS#(config bridge) exit
SGOS#(config)

121

Chapter 3: Privileged Mode Configure Commands

#(config bridge bridge_name)
Synopsis
This command allows you to edit a bridge.

Syntax
#(config) bridge

This changes the prompt to:
#(config bridge)
#(config bridge) edit bridge_name

This changes the prompt to:
#(config bridge bridge_name)

Subcommands
#(config bridge bridgename) attach-interface adapter#:interface#
Attaches the interface to the bridge.
#(config bridge bridgename) clear-fwtable {static}
Clears bridge forwarding table.
#(config bridge bridgename) clear-statistics
Clears the bridge statistics.
#(config bridge bridgename) exit
Exits #(config bridge bridge_name) mode and returns to #(config bridge) mode.
#(config bridge bridgename) failover {group | mode} {parallel | serial}
Associates the bridge to a failover group or sets the bridge failover mode.
#(config bridge bridgename) mode ?
Sets the mode for network adapters that can be used as either a pass-through adapter or as a Network
Interface Card.
#(config bridge bridgename) no {interface | failover | static-fwtable-entry}
Clears the settings as follows:
interface: Removes the interface from the bridge.
failover: Negates failover settings.
static-fwtable-entry: Clears the static forwarding table entry.
#(config bridge bridgename) spanning-tree adapter#:interface# {enable | disable}
Enables or disables spanning tree participation.
#(config bridge bridgename) static-fwtable-entry adapter#:interface# mac-address
Adds a static forwarding table entry.
#(config bridge bridgename) view {configuration | statistics | fwtable}
Displays information for the specified bridge.

For More Information


Volume 1: Getting Started

Volume 11: Command Line Interface Reference

122

Chapter 3: Privileged Mode Configure Commands

Example
SGOS#(config) bridge
SGOS#(config bridge) edit b_1
SGOS#(config bridge b_1) attach interface 0:1
ok
SGOS#(config bridge b_1) failover mode parallel
ok
SGOS#(config bridge b_1) exit
SGOS#(config bridge) exit
SGOS#(config)

123

Chapter 3: Privileged Mode Configure Commands

#(config) caching
Synopsis
Objects can be stored and managed for later retrieval.

Discussion
When a stored HTTP object expires, it is placed in a refresh list. The ProxySG processes the refresh list
in the background, when it is not serving requests. Refresh policies define how the device handles the
refresh process.
The HTTP caching options allow you to specify:


Maximum object size



Negative responses



Refresh parameters

In addition to HTTP objects, the ProxySG can store objects requested using FTP. When the device
retrieves and stores an FTP object, it uses two methods to determine how long the object should stay
cached.


If the object has a last-modified date, the ProxySG assigns a refresh date to the object that is a
percentage of the last-modified date.



If the object does not have a last-modified date, the ProxySG assigns a refresh date to the
object based on a fixed period of time.

Syntax
#(config) caching

This changes the prompt to:
#(config caching)

Subcommands
#(config caching) always-verify-source
Specifies the ProxySG to always verify the freshness of an object with the object source.
#(config caching) exit
Exits the #(config caching) mode and returns to #(config) mode.
#(config caching) ftp—changes the prompt to #(config caching ftp) on page 126
#(config caching) max-cache-size megabytes
Specifies the maximum size of the cache to the value indicated by megabytes.
#(config caching) negative-response minutes
Specifies that negative responses should be cached for the time period identified by minutes
#(config caching) no always-verify-source
Specifies that the ProxySG should never verify the freshness of an object with the object source
#(config caching) refresh automatic
Specifies that the ProxySG should manage the refresh bandwidth.
#(config caching) refresh bandwidth kbps
Specifies the amount of bandwidth in kilobits to utilize for maintaining object freshness.
#(config caching) refresh no automatic
Specifies that the ProxySG should not manage the refresh bandwidth.

Volume 11: Command Line Interface Reference

124

Chapter 3: Privileged Mode Configure Commands

#(config caching) view
Displays caching parameters.

For More Information


Volume 2: Proxies and Proxy Services

Example
SGOS#(config) caching
SGOS#(config caching)
ok
SGOS#(config caching)
ok
SGOS#(config caching)
ok
SGOS#(config caching)
ok
SGOS#(config caching)
SGOS#(config)

always-verify-source
max-cache-size 100
negative-response 15
refresh automatic
exit

125

Chapter 3: Privileged Mode Configure Commands

#(config caching ftp)
Synopsis
The FTP caching options allow you to specify:


Transparency



Maximum object size



Caching objects by date



Caching objects without a last-modified date: if an FTP object is served without a last
modified date, the ProxySG caches the object for a set period of time.

Syntax
#(config) caching

This changes the prompt to:
#(config caching)
#(config caching) ftp

This changes the prompt to:
#(config caching ftp)

Subcommands
#(config caching ftp) disable | enable}
Disables or enables caching FTP objects
#(config caching ftp) exit
Exits #(config caching ftp) mode and returns to #(config caching) mode.
#(config caching ftp) type-m-percent percent
Specifies the TTL for objects with a last-modified time.
#(config caching ftp) type-n-initial hours
Specifies the TTL for objects with no expiration.
#(config caching ftp) view
Shows the current FTP caching settings.

For More Information


Volume 2: Proxies and Proxy Services

Volume 11: Command Line Interface Reference

126

Chapter 3: Privileged Mode Configure Commands

Example
SGOS#(config
SGOS#(config
ok
SGOS#(config
ok
SGOS#(config
ok
SGOS#(config
ok
SGOS#(config
SGOS#(config

caching) ftp
caching ftp) enable
caching ftp) max-cache-size 200
caching ftp) type-m-percent 20
caching ftp) type-n-initial 10
caching ftp) exit
caching) exit

127

Chapter 3: Privileged Mode Configure Commands

#(config)cifs
Synopsis
Syntax
SGOS#(config) cifs

This changes the prompt to:
SGOS#(config cifs)

Subcommands
SGOS#(config cifs) directory-cache-time seconds
This option determines how long directory information is kept in cache. Changes made to a directory by
clients not using the ProxySG are not visible to ProxySG clients if they occur within this time interval.
The default cache time is 30 seconds.
SGOS#(config cifs) exit
Returns to the (config submode.
SGOS#(config cifs) read-ahead {disable | enable}
This option is enabled by default and improves performance by attempting to fetch and cache blocks of
data that might be requested by a client before the actual request occurs. Disabling this option causes the
ProxySG to fetch and cache only data actually requested by clients.
SGOS#(config cifs) strict-directory-expiration {disable | enable}
This option is disabled by default. When this option is enabled and directory-cache-time has a
value of 0, directories are refreshed synchronously instead of in the background. This is needed when the
set of visible objects in a directory returned by a server can vary between users.
SGOS#(config cifs) view {configuration | statistics}
Views the configuration or statistics of CIFS.
SGOS#(config cifs) write-back (full | none}
This option is set to full by default, which improves performance by acknowledging client writes
immediately and sending them to the server in the background. Setting this option to none forces all
writes to be sent to the server synchronously.

For More Information


Volume 2: Proxies and Proxy Services

Example

Volume 11: Command Line Interface Reference

128

Chapter 3: Privileged Mode Configure Commands

#(config)clock
Synopsis
To manage objects in the cache, a ProxySG must know the current Universal Time Coordinates (UTC)
time. By default, the device attempts to connect to a Network Time Protocol (NTP) server to acquire
the UTC time. The ProxySG includes a list of NTP servers available on the Internet, and attempts to
connect to them in the order they appear in the NTP server list on the NTP tab. If the ProxySG cannot
access any of the listed NTP servers, you must manually set the UTC time using the clock command.

Syntax
#(config) clock [subcommands]

Subcommands
#(config) clock day day
Sets the Universal Time Code (UTC) day to the day indicated by day. The value can be any integer from
1 through 31.
#(config) clock hour hour
Sets the UTC hour to the hour indicated by hour. The value can be any integer from 0 through 23.
#(config) clock minute minute
Sets the UTC minute to the minute indicated by minute. The value can be any integer from 0 through
59.
#(config) clock month month
Sets the UTC month to the month indicated by month. The value can be any integer from 1 through 12.
#(config) clock second second
Sets the UTC second to the second indicated by second. The value can be any integer from 0 through 59.
#(config) clock year year
Sets the UTC year to the year indicated by year. The value must take the form xxxx.

For More Information


Volume 1: Getting Started

Example
SGOS#(config)
ok
SGOS#(config)
ok
SGOS#(config)
ok
SGOS#(config)
ok
SGOS#(config)
ok
SGOS#(config)
ok

clock year 2003
clock month 4
clock day 1
clock hour 0
clock minute 30
clock second 59

129

Chapter 3: Privileged Mode Configure Commands

#(config) content
Synopsis
Use this command to manage and manipulate content distribution requests and re-validate requests.
The content command options are not compatible with transparent FTP.

Note:

Syntax
#(config) content [subcommands]

Subcommands
#(config) content cancel outstanding-requests
Specifies to cancel all outstanding content distribution requests and re-validate requests.
#(config) content cancel url url
Specifies to cancel outstanding content distribution requests and re-validate requests for the URL
identified by url.
#(config) content delete regex regex
Specifies to delete content based on the regular expression identified by regex.
#(config) content delete url url}
Specifies to delete content for the URL identified by url.
#(config) content distribute url [from_url]
Specifies that the content associated with url should be distributed from the origin server.
#(config) content priority {regex priority_0-7 regex
Specifies to add a content deletion policy based on the regular expression identified by regex.
#(config) content priority url priority_0-7 url
Specifies to add a content deletion policy for the URL identified by url.
#(config) content revalidate regex regex
Revalidates the content associated with the regular expression identified by regex with the origin
server.
#(config) content revalidate url url [from_url]
Revalidates the content associated with the url.

For More Information


Blue Coat Director Configuration and Management Guide

Example
SGOS#(config) content distribute http://www.bluecoat.com
Current time: Mon, 01 Apr 2003 00:34:07 GMT
SGOS#(config) content revalidate url http://www.bluecoat.com
Last load time: Mon, 01 Apr 2003 00:34:07 GMT
SGOS#(config) content distribute http://www.bluecoat.com
Current time: Mon, 01 Apr 2003 00:35:01 GMT
SGOS#(config) content priority url 7 http://www.bluecoat.com
SGOS#(config) content cancel outstanding-requests
SGOS#(config) content delete url http://www.bluecoat.com

Volume 11: Command Line Interface Reference

130

Chapter 3: Privileged Mode Configure Commands

#(config) content-filter
Synopsis
The ProxySG offers the option of using content filtering to control the type of retrieved content and to
filter requests made by clients. The ProxySG supports the following content filtering methods:


Local database
This method allows you to create and maintain your own content-filtering list locally, through
the ProxySG CLI or Management Console.



Blue Coat Web Filter (BCWF)
BCWF is a highly effective content-filtering service that can quickly learn and adapt to the
working set of its users. Also, BCWF can use Dynamic Real Time Rating (DRTR) to analyze
requested Web pages in real time, blocking new, unrated content on the fly, while providing
the database with instant updates that impact all users without service interruption.



Internet Watch Foundation® (IWF)
The IWF is a non-profit organization that provides enterprises with a list of known child
pornography URLs. The IWF database features a single category called IWF-Restricted, which
is detectable and blockable using policy. IWF can be enabled along with other content-filtering
services.



Vendor-based content filtering
This method allows you to block URLs using vendor-defined categories. For this method, use
content-filtering solutions from the following vendors:


i-FILTER



InterSafe™



Optenet



Proventia™



SmartFilter™



SurfControl™



Websense® (both locally on the ProxySG and remotely on a separate Websense Enterprise
Server)



WebWasher®

You can also combine this type of content filtering with the ProxySG policies, which use the
Blue Coat Policy Language.


Denying access to URLs through policy
This method allows you to block by URL, including filtering by scheme, domain, or
individual host or IP address. For this method, you define ProxySG policies, which use the
Blue Coat Policy Language.

131

Chapter 3: Privileged Mode Configure Commands

Syntax
#(config) content-filter

This changes the prompt to:
#(config content-filter)

Subcommands
#(config content-filter) bluecoat
Enters configuration mode for Blue Coat Web Filter. See #(config bluecoat) on page 134.
#(config content-filter) categories
Shows available categories.
#(config content-filter) exit
Exits configure content filter mode and returns to configure mode.
#(config content-filter) i-filter
Enters configuration mode for i-FILTER. See #(config i-filter) on page 136.
#(config content-filter) intersafe
Enters configuration mode for InterSafe. See #(config intersafe) on page 138.
#(config content-filter) iwf
Enters configuration mode for IWF. See #(config iwf) on page 140.
#(config content-filter) local—changes the prompt (see #(config local) on page 142)
Enters configuration mode for Local database.
#(config content-filter) memory-allocation {high | low | normal}
Sets the amount of RAM that the content filter service can use.
#(config content-filter) no review-message
Specifies that vendor categorization review be turned off.
#(config content-filter) optenet
Enters configuration mode for Optenet. See #(config optenet) on page 144.
#(config content-filter) proventia
Enters configuration mode for Proventia. See #(config proventia) on page 146.
#(config content-filter) provider bluecoat {disable | enable | lookup-mode
{always | uncategorized}}
Enables or disables Blue Coat Web Filter database. The lookup-mode option specifies whether every
URL should be categorized by the downloaded filter.
#(config content-filter) provider local {disable | enable | lookup-mode {always |
uncategorized}}
Enables or disables a local user database. The lookup-mode option specifies whether every URL should
be categorized by the downloaded filter.
#(config content-filter) provider iwf {disable | enable | lookup-mode {always |
uncategorized}}
Enables or disables IWF filtering. The lookup-mode option specifies whether every URL should be
categorized by the downloaded filter.
#(config content-filter) provider 3rd-party i-filter
Selects i-FILTER content filtering.
#(config content-filter) provider 3rd-party intersafe
Selects InterSafe content filtering.
#(config content-filter) provider 3rd-party none
Specifies that a third-party vendor not be used for content filtering.

Volume 11: Command Line Interface Reference

132

Chapter 3: Privileged Mode Configure Commands

#(config content-filter) provider 3rd-party optenet
Selects Optenet content filtering.
#(config content-filter) provider 3rd-party proventia
Selects Proventia Web Filter content filtering.
#(config content-filter) provider 3rd-party smartfilter
Selects SmartFilter content filtering.
#(config content-filter) provider 3rd-party surfcontrol
Selects SurfControl content filtering.
#(config content-filter) provider 3rd-party websense
Selects Websense content filtering.
#(config content-filter) provider 3rd-party webwasher
Selects Webwasher URL Filter content filtering.
#(config content-filter) provider {local | bluecoat | iwf | 3rd-party}
lookup-mode {always | uncategorized}
Selects Lookup Mode. Default is Always.
#(config content-filter) review-message
Used for categorization review for certain Content Filtering vendors.The review-message setting enables
two substitutions that can be used in exceptions pages to allow users to review or dispute content
categorization results.
#(config content-filter) smartfilter
Enters configuration mode for SmartFilter. See #(config smartfilter) on page 148.
#(config content-filter) surfcontrol
Enters configuration mode for SurfControl. See #(config surfcontrol) on page 150.
#(config content-filter) test-url url
Displays categories for a URL assigned by the current configuration.
#(config content-filter) websense
Enters configuration mode for Websense. See #(config websense) on page 152.
#(config content-filter) webwasher
Enters configuration mode for WebWasher. See #(config webwasher) on page 154
#(config content-filter) view
Shows the current settings for the local database (if it is in use) and the selected provider (if one is
selected).

For More Information


Volume 7: Managing Content



Volume 10: Content Policy Language Guide

Example
SGOS#(config) content-filter
SGOS#(config content-filter) provider 3rd-party proventia
loading database....
ok
SGOS#(config content-filter) exit
SGOS#(config)

133

Chapter 3: Privileged Mode Configure Commands

#(config bluecoat)
Synopsis
Use this command to configure Blue Coat Web Filter content filtering.

Syntax
#(config) content-filter

This changes the prompt to:
#(config content-filter) bluecoat

This changes the prompt to:
#(config bluecoat)

Subcommands
#(config bluecoat) download all-day
Checks for database updates all day.
#(config bluecoat) download auto
Enables automatic database downloads.
#(config bluecoat)download between-hours start stop
Sets the interval for automatic database update checks.
#(config bluecoat) download encrypted-password encrypted_password
Specifies the encrypted password for the database download server.
#(config bluecoat) download get-now
Initiates an immediate database download.
#(config bluecoat) download password password
Specifies the password for the database download server.
#(config bluecoat) download url {default | url}
Specifies using either the default URL or a specific URL for the database download server.
#(config bluecoat) download username username
Specifies the username for the database download server.
#(config bluecoat) exit
Exits configure bluecoat mode and returns to configure content-filter mode.
#(config bluecoat) no download auto
Disables automatic download.
#(config bluecoat) no download day-of-week {friday | monday | saturday | sunday |
thursday | tuesday | wednesday}
Clears day(s) of the week for automatic download.
#(config bluecoat) no download encrypted-password
Clears the encrypted password for the database download server.
#(config bluecoat) no download password
Clears the password for the database download server.
#(config bluecoat) no download url
Clears the URL for the database download server.
#(config bluecoat) no download username
Clears the username for the database download server.

Volume 11: Command Line Interface Reference

134

Chapter 3: Privileged Mode Configure Commands

#(config bluecoat) service {disable | enable}
Disables or enables the dynamic categorization service.
#(config bluecoat) service {forward | none}
Configures the forwarding host for use with dynamic categorization; stops forwarding of dynamic
service requests .
#(config bluecoat) service {secure}
Configures the security of the connection.
#(config bluecoat) service {socks-gateway | none}
Configures the SOCKS gateway for use with dynamic categorization; stops the use of a SOCKS gateway
with dynamic service requests .
#(config bluecoat) service {mode}
Configures the default service mode.
#(config bluecoat) service mode {background | realtime | none}
Configures dynamic categorization to run in the background, run in real time, or to not run.
#(config bluecoat) service secure {disable | enable}
Disables or enables using a secure connection to the service.
#(config bluecoat) view
Shows the current Blue Coat settings.

For More Information


Volume 7: Managing Content

Example
SGOS#(config) content-filter
SGOS#(config content-filter) bluecoat
SGOS#(config bluecoat) service mode background
ok
SGOS#(config bluecoat) exit
SGOS#(config content-filter) exit
SGOS#(config)

135

Chapter 3: Privileged Mode Configure Commands

#(config i-filter)
Synopsis
Use this command to configure i-FILTER content filtering

Syntax
#(config) content-filter

This changes the prompt to:
#(config content-filter) i-filter

This changes the prompt to:
#(config i-filter)

Subcommands
#(config i-filter) download all-day
Checks for database updates all day.
#(config i-filter) download auto
Enables automatic database downloads.
#(config i-filter)download between-hours start stop
Sets the interval for automatic database update checks.
#(config i-filter) download encrypted-password encrypted_password
Specifies the encrypted password for the database download server.
#(config i-filter) download get-now
Initiates an immediate database download.
#(config i-filter) download password password
Specifies the password for the database download server.
#(config i-filter) download url {default | url}
Specifies using either the default URL or a specific URL for the database download server.
#(config i-filter) download username username
Specifies the username for the database download server.
#(config i-filter) exit
Exits configure i-filter mode and returns to configure content-filter mode.
#(config i-filter) no download auto
Disables automatic download.
#(config i-filter) no download encrypted-password
Clears the encrypted password for the database download server.
#(config i-filter) no download password
Clears the password for the database download server.
#(config i-filter) no download url
Clears the URL for the database download server.
#(config i-filter) no download username
Clears the username for the database download server.
#(config i-filter) view
Shows the current InterSafe settings.

Volume 11: Command Line Interface Reference

136

Chapter 3: Privileged Mode Configure Commands

For More Information


Volume 7: Managing Content

Example
SGOS#(config) content-filter
SGOS#(config content-filter) i-filter
SGOS#(config i-filter) no download day-of-week mon
ok
SGOS#(config i-filter) no download day-of-week wed
ok
SGOS#(config i-filter) exit
SGOS#(config content-filter) exit
SGOS#(config)

137

Chapter 3: Privileged Mode Configure Commands

#(config intersafe)
Synopsis
Use this command to configure InterSafe content filtering.

Syntax
#(config) content-filter

This changes the prompt to:
#(config content-filter) intersafe

This changes the prompt to:
#(config intersafe)

Subcommands
#(config intersafe) download all-day
Checks for database updates all day.
#(config intersafe) download auto
Enables automatic database downloads.
#(config intersafe)download between-hours start stop
Sets the interval for automatic database update checks.
#(config intersafe) download encrypted-password encrypted_password
Specifies the encrypted password for the database download server.
#(config intersafe) download get-now
Initiates an immediate database download.
#(config intersafe) download password password
Specifies the password for the database download server.
#(config intersafe) download url {default | url}
Specifies using either the default URL or a specific URL for the database download server.
#(config intersafe) download username username
Specifies the username for the database download server.
#(config intersafe) exit
Exits configure Intersafe mode and returns to configure content-filter mode.
#(config intersafe) no download auto
Disables automatic download.
#(config intersafe) no download encrypted-password
Clears the encrypted password for the database download server.
#(config intersafe) no download password
Clears the password for the database download server.
#(config intersafe) no download url
Clears the URL for the database download server.
#(config intersafe) no download username
Clears the username for the database download server.
#(config intersafe) view
Shows the current InterSafe settings.

Volume 11: Command Line Interface Reference

138

Chapter 3: Privileged Mode Configure Commands

For More Information


Volume 7: Managing Content

Example
SGOS#(config) content-filter
SGOS#(config content-filter) intersafe
SGOS#(config intersafe) no download day-of-week mon
ok
SGOS#(config intersafe) no download day-of-week wed
ok
SGOS#(config intersafe) exit
SGOS#(config content-filter) exit
SGOS#(config)

139

Chapter 3: Privileged Mode Configure Commands

#(config iwf)
Synopsis
Use this command to configure Internet Watch Foundation content filtering.

Syntax
#(config) content-filter

This changes the prompt to:
#(config content-filter) iwf

This changes the prompt to:
#(config iwf)

Subcommands
#(config iwf) download all-day
Checks for database updates all day.
#(config iwf) download auto
Enables automatic database downloads.
#(config iwf)download between-hours start stop
Sets the interval for automatic database update checks.
#(config iwf) download encrypted-password encrypted_password
Specifies the encrypted password for the database download server.
#(config iwf) download get-now
Initiates an immediate database download.
#(config iwf) download password password
(Optional) Specifies the password for the database download server.
#(config iwf) download url {default | url}
Specifies using either the default URL or a specific URL for the database download server.
#(config iwf) download username username
Specifies the username for the database download server.
#(config iwf) exit
Exits configure Intersafe mode and returns to #(configure content-filter) mode.
#(config iwf) no download auto
Disables automatic download.
#(config iwf) no download encrypted-password
Clears the encrypted password for the database download server.
#(config iwf) no download password
Clears the password for the database download server.
#(config iwf) no download url
Clears the URL for the database download server.
#(config iwf) no download username
Clears the username for the database download server.
#(config iwf) view
Shows the current InterSafe settings.

Volume 11: Command Line Interface Reference

140

Chapter 3: Privileged Mode Configure Commands

Example
SGOS#(config content-filter) local
SGOS#(config iwf) download day-of-week all
ok
SGOS#(config iwf) exit
SGOS#(config content-filter) exit
SGOS#(config)

141

Chapter 3: Privileged Mode Configure Commands

#(config local)
Synopsis
Use this command to configure local content filtering.

Syntax
#(config) content-filter

This changes the prompt to:
#(config content-filter) local

This changes the prompt to:
#(config local)

Subcommands
#(config local) clear
Clears the local database from the system.
#(config local) download all-day
Checks for database updates all day.
#(config local) download auto
Enables automatic database downloads.
#(config local)download between-hours start stop
Sets the interval for automatic database update checks.
#(config local) download encrypted-password encrypted_password
Specifies the encrypted password for the database download server.
#(config local) download get-now
Initiates an immediate database download.
#(config local) download password password
Specifies the password for the database download server.
#(config local) download url {default | url}
Specifies using either the default URL or a specific URL for the database download server.
#(config local) download username username
Specifies the username for the database download server.
#(config local) exit
Exits configure local database mode and returns to configure content-filter mode.
#(config local) no download auto
Disables automatic download.
#(config local) no download encrypted-password
Clears the encrypted password for the database download server.
#(config local) no download password
Clears the password for the database download server.
#(config local) no download url
Clears the URL for the database download server.
#(config local) no download username
Clears the username for the database download server.

Volume 11: Command Line Interface Reference

142

Chapter 3: Privileged Mode Configure Commands

#(config local) source
Shows the database source file.
#(config local) view
Shows the current local database settings.

For More Information


Volume 7: Managing Content

Example
SGOS#(config) content-filter
SGOS#(config content-filter) local
SGOS#(config local) download day-of-week all
ok
SGOS#(config local) exit
SGOS#(config content-filter) exit
SGOS#(config)

143

Chapter 3: Privileged Mode Configure Commands

#(config optenet)
Synopsis
Use this command to configure Optenet content filtering.

Syntax
#(config) content-filter

This changes the prompt to:
#(config content-filter) optenet

This changes the prompt to:
#(config optenet)

Subcommands
#(config optenet) download all-day
Checks for database updates all day.
#(config optenet) download auto
Enables automatic database downloads.
#(config optenet)download between-hours start stop
Sets the interval for automatic database update checks.
#(config optenet) download encrypted-password encrypted_password
Specifies the encrypted password for the database download server.
#(config optenet) download password password
Specifies the password for the database download server.
#(config optenet) download url {default | url}
Specifies using either the default URL or a specific URL for the database download server.
#(config optenet) download username username
Specifies the username for the database download server.
#(config optenet) exit
Exits configure optenet mode and returns to configure content-filter mode.
#(config optenet) no download auto
Disables automatic download.
#(config optenet) no download encrypted-password
Clears the encrypted password for the database download server.
#(config optenet) no download password
Clears the password for the database download server.
#(config optenet) no download url
Clears the URL for the database download server.
#(config optenet) no download username
Clears the username for the database download server.
#(config optenet) view
Shows the current optenet Web Filter settings.

For More Information


Volume 7: Managing Content

Volume 11: Command Line Interface Reference

144

Chapter 3: Privileged Mode Configure Commands

Example
SGOS#(config) content-filter
SGOS#(config content-filter) optenet
SGOS#(config optenet) download time-of-day 20
ok
SGOS#(config optenet) exit
SGOS#(config content-filter) exit
SGOS#(config)

145

Chapter 3: Privileged Mode Configure Commands

#(config proventia)
Synopsis
Use this command to configure Proventia Web Filter content filtering.

Syntax
#(config) content-filter

This changes the prompt to:
#(config content-filter) proventia

This changes the prompt to:
#(config proventia)

Subcommands
#(config proventia) download all-day
Checks for database updates all day.
#(config proventia) download auto
Enables automatic database downloads.
#(config proventia)download between-hours start stop
Sets the interval for automatic database update checks.
#(config proventia) download encrypted-password encrypted_password
Specifies the encrypted password for the database download server.
#(config proventia) download get-now
Initiates an immediate database download.
#(config proventia) download password password
Specifies the password for the database download server.
#(config proventia) download url {default | url}
Specifies using either the default URL or a specific URL for the database download server.
#(config proventia) download username username
Specifies the username for the database download server.
#(config proventia) exit
Exits configure proventia mode and returns to configure content-filter mode.
#(config proventia) no download auto
Disables automatic download.
#(config proventia) no download encrypted-password
Clears the encrypted password for the database download server.
#(config proventia) no download password
Clears the password for the database download server.
#(config proventia) no download url
Clears the URL for the database download server.
#(config proventia) no download username
Clears the username for the database download server.
#(config proventia) view
Shows the current proventia Web Filter settings.

Volume 11: Command Line Interface Reference

146

Chapter 3: Privileged Mode Configure Commands

For More Information


Volume 7: Managing Content

Example
SGOS#(config) content-filter
SGOS#(config content-filter) proventia
SGOS#(config proventia) download time-of-day 20
ok
SGOS#(config proventia) exit
SGOS#(config content-filter) exit
SGOS#(config)

147

Chapter 3: Privileged Mode Configure Commands

#(config smartfilter)
Synopsis
Use this command to configure SmartFilter filters that control the type of content retrieved by the
ProxySG and filter requests made by clients.

Syntax
#(config) content-filter

This changes the prompt to:
#(config content-filter) smartfilter

This changes the prompt to:
#(config smartfilter)

Subcommands
#(config smartfilter) allow-r
Allow reverse DNS for lookups.
#(config smartfilter) database-edition {sl | xl}
Sets the database edition to SL or XL.
#(config smartfilter) download all-day
Checks for database updates all day.
#(config smartfilter) download auto
Enables automatic database downloads.
#(config smartfilter)download between-hours start stop
Sets the interval for automatic database update checks.
#(config smartfilter) download get-now
Initiates immediate database download. If a full download is unnecessary, an incremental download is
initiated.
#(config smartfilter) download license license_key
The customer serial number assigned you by SmartFilter.
#(config smartfilter) download server IP_address_or_hostname
Enter the IP address or hostname of the server you should use for downloads if requested.
#(config smartfilter) exit
Exits configure smartfilter mode and returns to configure content-filter mode.
#(config smartfilter) no allow-rdns
Disallows reverse DNS for lookups.
#(config smartfilter) no download {auto | encrypted-password | password | url |
username}
Negates download commands.
#(config smartfilter) no use-search-keywords
Disables the ability to categorize search engines based on keywords in the URL query.
#(config smartfilter) use-search-keywords
Allows you to categorize search engines based on keywords in the URL query.
#(config smartfilter) view
Shows the current SmartFilter settings, database version, and download log.

Volume 11: Command Line Interface Reference

148

Chapter 3: Privileged Mode Configure Commands

For More Information


Volume 7: Managing Content

Example
SGOS#(config) content-filter
SGOS#(config content-filter) smartfilter
SGOS#(config smartfilter) allow-rdns
ok
SGOS#(config smartfilter) exit
SGOS#(config content-filter) exit
SGOS#(config)

149

Chapter 3: Privileged Mode Configure Commands

#(config surfcontrol)
Synopsis
Use this command to configure SurfControl filters that control the type of content retrieved by the
ProxySG and filter requests made by clients.

Syntax
#(config) content-filter
This changes the prompt to:
#(config content-filter) surfcontrol

This changes the prompt to:
#(config surfcontrol)

Subcommands
#(config surfcontrol) download all-day
Checks for database updates all day.
#(config surfcontrol) download auto
Enables automatic database downloads.
#(config surfcontrol)download between-hours start stop
Sets the interval for automatic database update checks.
#(config surfcontrol) encrypted-password encrypted-password
Sets the download encrypted password. The username/password is assigned by Blue Coat.
#(config surfcontrol) download get-now
Initiates immediate database download. If a full download is unnecessary, an incremental download is
initiated.
#(config surfcontrol) download license license_key
The customer serial number assigned you by SurfControl.
#(config surfcontrol) download server IP_address_or_hostname
Enter the IP address or hostname of the server you should use for downloads if requested.
#(config surfcontrol) download url {default | url}
Specifies using either the default URL or a specific URL for the database download server.
#(config surfcontrol) download username username
Sets the download username. The username/password is assigned by Blue Coat.
#(config surfcontrol) exit
Exits configure surfcontrol mode and returns to configure content-filter mode
#(config surfcontrol) no download {auto | encrypted-password| username | password
| url}
Negates download commands.
#(config surfcontrol) view
Shows the current SurfControl settings.

For More Information


Volume 7: Managing Content

Volume 11: Command Line Interface Reference

150

Chapter 3: Privileged Mode Configure Commands

Example
SGOS#(config) content-filter
SGOS#(config content-filter) surfcontrol
SGOS#(config surfcontrol) no download url
ok
SGOS#(config surfcontrol) exit
SGOS#(config content-filter) exit
SGOS#(config)

151

Chapter 3: Privileged Mode Configure Commands

#(config websense)
Synopsis
Use this command to configure Websense filters that control the type of content retrieved by the
ProxySG and filter requests made by clients.

Syntax
#(config) content-filter

This changes the prompt to:
#(config content-filter) websense

This changes the prompt to:
#(config websense)

Subcommands
#(config websense) always-apply-regexes
Forces an additional regular expression lookup for each URL to be categorized. Normally, regular expression
lookups are only performed when no category is found in the Websense database. This option causes them to
be performed always, even for categorized URLs. This can reduce lookup performance, but can allow certain
sites (such as translation, search engine, and link-cache sites) to be categorized more accurately.
#(config websense) download all-day
Checks for database updates all day.
#(config websense) download auto
Enables automatic database downloads.
#(config websense)download between-hours start stop
Sets the interval for automatic database update checks.
#(config websense) download email-contact email_address
Specifies an e-mail address that is sent to Websense when downloading the database.
#(config websense) download get-now
Initiates immediate database download. If a full download is unnecessary, an incremental download is
initiated.
#(config websense) download license license_key
Specifies the license key for the database download server.
#(config websense) download server {ip_address | hostname}
Specifies the server location of the database.
#(config websense) exit
Exits configure websense mode and returns to configure content-filter mode.
#(config websense) integration-service disable
Disables the integration service.
#(config websense) integration-service enable
Enables the integration service.
#(config websense) integration-service host (hostname or IP_address)
Set the integration service hostname or IP address. The IP address must match the IP address of the
Websense Log Server.
#(config websense) integration-service port {integer between 0 and 65535}
Configure the integration service port. Accepted values are between 0 and 65535.

Volume 11: Command Line Interface Reference

152

Chapter 3: Privileged Mode Configure Commands

#(config websense) log-forwarded-client-address

Allows you to log the X-Forwarded-For header (if present and a parseable IP address) in the
Websense Reporter log.
#(config websense) no always-apply-regexes
Specifies to not apply regular expression filters to categorized URLs.
#(config websense) no download {auto | email-contact | license | server}
Clears the download parameters.
#(config websense) no integration-service {host | port}
Clears the integration-service host or port.
#(config websense) no log-forwarded-client-address

Disables logging the X-Forwarded-For header in the Websense Reporter log.
#(config websense) view
Shows the current Websense settings.

For More Information


Volume 7: Managing Content

Example
SGOS#(config) content-filter
SGOS#(config content-filter) websense
SGOS#(config websense) no always-apply-regexes
ok
SGOS#(config websense) exit
SGOS#(config content-filter) exit
SGOS#(config)

153

Chapter 3: Privileged Mode Configure Commands

#(config webwasher)
Synopsis
Use this command to configure Webwasher URL Filter content filtering.

Syntax
#(config) content-filter

This changes the prompt to:
#(config content-filter) webwasher

This changes the prompt to:
#(config webwasher)

Subcommands
#(config webwasher) download all-day
Checks for database updates all day.
#(config webwasher) download auto
Enables automatic database downloads.
#(config webwasher)download between-hours start stop
Sets the interval for automatic database update checks.
#(config webwasher) download encrypted-password encrypted_password
Specifies the encrypted password for the database download server.
#(config webwasher) download get-now
Initiates an immediate database download. If a full download is unnecessary, an incremental download
is initiated.
#(config webwasher) download password password
Specifies the password for the database download server.
#(config webwasher) download url {default | url}
Specifies using either the default URL or a specific URL for the database download server.
#(config webwasher) download username username
Specifies the username for the database download server.
#(config webwasher) exit
Exits configure webwasher mode and returns to configure content-filter mode.
#(config webwasher) no download auto
Disables automatic download.
#(config webwasher) no download encrypted-password
Clears the encrypted password for the database download server.
#(config webwasher) no download password
Clears the password for the database download server.
#(config webwasher) no download url
Clears the URL for the database download server.
#(config webwasher) no download username
Clears the username for the database download server.
#(config webwasher) view
Shows the current webwasher Web Filter settings.

Volume 11: Command Line Interface Reference

154

Chapter 3: Privileged Mode Configure Commands

For More Information


Volume 7: Managing Content

Example
SGOS#(config) content-filter
SGOS#(config content-filter) webwasher
SGOS#(config webwasher) download time-of-day 20
ok
SGOS#(config webwasher) exit
SGOS#(config content-filter) exit
SGOS#(config)

155

Chapter 3: Privileged Mode Configure Commands

#(config) connection-forwarding
Synopsis
This command enables you to configure the TCP Connection Forwarding aspect of ADN transparent
tunnel load balancing and asymmetric routing.

Syntax
#(config) connection-forwarding

This changes the prompt to:
#(config connection-forwarding)

Subcommands
SGOS# (config connection forwarding) add ip_address
Add this ProxySG to a connection forwarding peer group.
SGOS# (config connection forwarding) port number
Specify the port used by all peers in the peer group to communicate connection information (each peer in
the group must use the same port number). The default is 3030.
SGOS# (config connection forwarding) [enable | disable]
Enables or disables connection forwarding on this ProxySG.
SGOS# (config connection forwarding) clear
Clear the list of forwarding peers from this ProxySG.
SGOS# (config connection forwarding) exit
Exits (config connection forwarding) mode and returns to #(config) mode.
SGOS# (config connection forwarding) view
View the TCP connection forwarding information.

For More Information
Volume 5: Advanced Networking

Example
SGOS#(config) connection-forwarding
SGOS#(connection-forwarding) add 10.9.59.100
ok
SGOS#(config connection-forwarding) port 3030
ok
SGOS#(config connection-forwarding) enable
ok

Volume 11: Command Line Interface Reference

156

Chapter 3: Privileged Mode Configure Commands

#(config) diagnostics
Synopsis
This command enables you to configure the remote diagnostic feature Heartbeat.

Syntax
#(config) diagnostics

This changes the prompt to:
#(config diagnostics)

Subcommands
#(config diagnostics) cpu-monitor {disable | enable}
Enables or disables the CPU monitor (the CPU monitor is disabled by default).
#(config diagnostics) cpu-monitor interval seconds
Sets the periodic interval of the CPU monitor from 1 to 59 seconds (the default setting is 5 seconds).
#(config diagnostics) exit
Exits #(config diagnostics) mode and returns to #(config) mode.
#(config diagnostics) heartbeat {disable | enable}
Enables or disables the ProxySG Heartbeat features.
#(config diagnostics) monitor {disable | enable}
Enables or disables the Blue Coat monitoring feature.
#(config diagnostics) send-heartbeat
Triggers a heartbeat report.
#(config diagnostics) service-info
Changes the prompt (see #(config service-info) on page 159)
#(config diagnostics) snapshot (create | delete} snapshot_name
Creates or deletes a snapshot job.
#(config diagnostics) edit snapshot_name
Changes the prompt to #(config snapshot snapshot_name) on page 161)
#(config diagnostics) view configuration
Displays diagnostics settings for Heartbeats, CPU monitor, automatic service-info, and snapshots.
#(config diagnostics) view cpu-monitor
Displays the CPU Monitor results.
#(config diagnostics) view service-info
Displays service-info settings and progress.
#(config diagnostics) view snapshot snapshot_name
Displays the snapshot settings (target, status, interval, to keep, to take, and next snapshot) for the
snapshot name specified.

For More Information


Volume 7: Managing the Blue Coat ProxySG Appliance

157

Chapter 3: Privileged Mode Configure Commands

Example
SGOS#(config) diagnostics
SGOS#(config diagnostics) heartbeat enable
ok
SGOS#(config diagnostics) exit
SGOS#(config)

Volume 11: Command Line Interface Reference

158

Chapter 3: Privileged Mode Configure Commands

#(config service-info)
Synopsis
This command allows you to send service information to Blue Coat.

Syntax
#(config) diagnostics

This changes the prompt to:
#(config diagnostics) service-info

This changes the prompt to:
#(config service-info)

Subcommands
#(diagnostics service-info) auto {disable | enable}
Disables or enables the automatic service information feature.
#(diagnostics service-info) auto no sr-number
Clears the service-request number for the automatic service information feature.
#(diagnostics service-info) auto sr-number sr_number
Sets the service-request number for the automatic service information feature.
#(diagnostics service-info) bandwidth-class bw_class_name
Sets a bandwidth class used to manage the bandwidth of service-information transfers.

In order to do bandwidth-manage service-information transfers, bandwidth management
must be enabled. You must also create a bandwidth class for service-information transfers (in
bandwidth-management mode) before you can select it here.
#(diagnostics service-info) cancel all
Cancel all service information being sent to Blue Coat.
#(diagnostics service-info) cancel one_or_more_from_view_status
Cancel certain service information being sent to Blue Coat.
#(diagnostics service-info) exit
Exits #(config diagnostics service-info) mode and returns to #(config diagnostics)
mode.
#(diagnostics service-info) no bandwidth-class
Disables bandwidth-management for service-information transfers
#(diagnostics service-info) send sr_number
one_or_more_commands_from_view_available
Sends a specific service request number along with a specific command or commands (chosen from the
list provided by the view available command) to Blue Coat.
#(diagnostics service-info) view available
Shows list of service information than can be sent to Blue Coat.
#(diagnostics service-info) view status
Shows transfer status of service information to Blue Coat.

159

Chapter 3: Privileged Mode Configure Commands

For More Information


#(config) bandwidth-management on page 117



Volume 7: Managing the Blue Coat ProxySG Appliance

Example
SGOS#(config) diagnostics
SGOS#(config diagnostics) service-info
SGOS#(diagnostics service-info) view available
Service information that can be sent to Blue Coat
Name
Approx Size (bytes)
Event_log
188,416
System_information
Unknown
Snapshot_sysinfo
Unknown
Snapshot_sysinfo_stats
Unknown
SGOS#(diagnostics service-info) send 1-4974446 event_log system_information
snapshot_sysinfo
Sending the following reports
Event_log
System_information
Snapshot_sysinfo
SGOS#(diagnostics service-info) view status
Name
Transferred
Event_log
Transferred successfully
Snapshot_sysinfo
Transferred successfully
Event_log
Transferred successfully
System_information
Transferred successfully
SGOS#(diagnostics service-info) exit
SGOS#(config diagnostics) exit
SGOS#(config)

Volume 11: Command Line Interface Reference

160

Chapter 3: Privileged Mode Configure Commands

#(config snapshot snapshot_name)
Synopsis
This command allows you to edit a snapshot job.

Syntax
#(config) diagnostics

This changes the prompt to:
#(config diagnostics) snapshot edit snapshot_name

This changes the prompt to:
#(config snapshot snapshot_name)

Subcommands
#(config snapshot snapshot_name) clear-reports
Clears all stored snapshots reports.
#(config snapshot snapshot_name) {disable | enable}
Disables or enables this snapshot job.
#(config snapshot snapshot_name) exit
Exits #(config diagnostics snapshot_name) mode and returns to #(config diagnostics
service-info) mode.
#(config snapshot snapshot_name) interval minutes
Specifies the interval between snapshots reports in minutes.
#(config snapshot snapshot_name) keep number_to_keep (from 1 - 100)
Specifies the number of snapshot reports to keep.
#(config snapshot snapshot_name) take {infinite | number_to_take}
Specifies the number of snapshot reports to take.
#(config snapshot snapshot_name) target object_to_fetch
Specifies the object to snapshot.
#(config snapshot snapshot_name) view
Displays snapshot status and configuration.

For More Information


Volume 7: Managing the Blue Coat ProxySG Appliance

Example
SGOS#(config) diagnostics
SGOS#(config diagnostics) snapshot testshot
SGOS#(diagnostics snapshot testshot) enable
ok
SGOS#(diagnostics service-info) interval 1440
ok
SGOS#(diagnostics snapshot testshot) exit
SGOS#(config diagnostics) exit
SGOS#(config)

161

Chapter 3: Privileged Mode Configure Commands

#(config) dns
Synopsis
The dns command enables you to modify the DNS settings for the ProxySG. Note that the alternate
DNS servers are only checked if the servers in the standard DNS list return: “Name not found.”

Syntax
#(config) dns [subcommands]

Subcommands
#(config) dns alternate ip_address
Adds the new alternate domain name server indicated by ip_address to the alternate DNS server list.
#(config) dns clear alternate
Sets all entries in the alternate DNS server list to null.
#(config) dns clear imputing
Sets all entries in the name imputing list to null.
#(config) dns client-affinity {disable | enable}
Enable or disable client-affinity.
When enabled, requests from the same client resolve the hostname in the same order.
www.google.com resolves to 66.102.7.99, 66.102.7.147, and 66.102.7.104. If client-affinity is enabled and
the ProxySG receives a request (http, streaming or other proxy request) for www.google.com, it uses the
client’s IP address to determine the order of the resolved addresses. If client-affinity is disabled, the order
of the resolved addresses changed each time the ProxySG receives a request.
#(config) dns clear server
Sets all entries in the primary DNS server list to null.
#(config) dns imputing name
Identifies the file indicated by name as the name imputing list.
#(config) dns negative-cache-ttl-override seconds
Set the DNS negative cache time-to-live value for seconds.
A DNS request to an unknown domain name (klauwjdasd.bluecaot.com) is cached by the ProxySG. This
type of caching is called a negative cache because it does not resolve to an actual IP address. The TTL
value for a negative cache entry can be overwritten by this command.
#(config) dns no alternate ip_address
Removes the alternate DNS server identified by ip_address from the alternate DNS server list.
#(config) dns no imputing imputed_name
Removes the imputed name identified by imputed_name from the name imputing list.
#(config) dns no negative-cache-ttl-override
Do not override the negative cache time-to-live value.
#(config) dns no server ip_address
Removes the primary DNS server identified by ip_address from the primary DNS server list.
#(config) dns server ip_address
Adds the new primary domain name server indicated by ip_address to the primary DNS server list.
#(config) dns recursion (disable | enable)
Enable or disable DNS recursion. By default, recursion is disabled. When recursion is enabled, if a server
returns authoritative server information instead of an A record, the ProxySG follows the referrals until it
receives an answer or detects a recursion loop. If there are more than eight referrals, the ProxySG
assumes that there is a loop and aborts the request.

Volume 11: Command Line Interface Reference

162

Chapter 3: Privileged Mode Configure Commands

#(config) dns-forwarding (create | delete | edit | exit | view)
Create a DNS forwarding group, delete a DNS forwarding group, edit a DNS forwarding group , exit to
the (config) prompt, or view the DNS forwarding configuration.
#(config)test dns ip_address (inet | inet6)
Performs a DNS lookup and displays useful debugging information that describes the lookup.
Displays the configuration of all XML realms or just the configuration for realm_name if specified.

Submodes
#(config)dns-forwarding

This changes the prompt to:
#(config dns forwarding)

To edit groups in the dns forwarding mode:
#(config dns forwarding) edit group
Changes the prompt to edit the specified DNS forwarding group.

This changes the prompt to:
#(config dns forwarding group)

Commands in the dns forwarding group mode:
#(config dns forwarding group) add {domain | server}
Add domains or servers to this group.
#(config dns forwarding group) clear {domain | server}
Clear the domain or server list for this group.
#(config dns forwarding group) demote server_ip_address #
Demote the specified server IP address.
#(config dns forwarding group) exit
Return to the #(config) prompt.
#(config dns forwarding group) promote server_ip_address #
Promote the specified server IP address in the DNS server list the number of places indicated. Must be a
positive number. If the number is greater than the number of servers in the list, the server is promoted to
the first entry in the list.
#(config dns forwarding group) remove {domain | server}
Remove a domain or server from the list.
#(config dns forwarding group) view
View the DNS forwarding configuration for this group.
For More Information


Volume 1: Getting Started

Example
SGOS#(config)
ok
SGOS#(config)
ok
SGOS#(config)
ok
SGOS#(config)
ok

dns clear server
dns server 10.253.220.249
dns clear alternate
dns alternate 216.52.23.101

163

Chapter 3: Privileged Mode Configure Commands

#(config) event-log
Synopsis
You can configure the ProxySG to log system events as they occur. Event logging allows you to specify
the types of system events logged, the size of the event log, and to configure Syslog monitoring. The
ProxySG can also notify you by e-mail if an event is logged.

Syntax
#(config) event-log

This changes the prompt to:
#(config event-log)

Subcommands
#(config event-log) exit
Exits #(config event-log) mode and returns to #(config) mode.
#(config event-log) level configuration
Writes severe and configuration change error messages to the event log.
#(config event-log) level informational
Writes severe, configuration change, policy event, and information error messages to the event log.
#(config event-log) level policy
Writes severe, configuration change, and policy event error messages to the event log.
#(config event-log) level severe
Writes only severe error messages to the event log.
#(config event-log) level verbose
Writes all error messages to the event log.
#(config event-log) log-size megabytes
Specifies the maximum size of the event log in megabytes.
#(config event-log) mail add email_address
Specifies an e-mail recipient for the event log output.
#(config event-log) mail clear
Removes all e-mail recipients from the event log e-mail output distribution list.
#(config event-log) mail no smtp-gateway
Clears the SMTP gateway used for notifications.
#(config event-log) mail remove email_address
Removes the e-mail recipient indicated by email_address from the event log e-mail output
distribution list.
#(config event-log) mail smtp-gateway {domain_name | ip_address}
Specifies the SMTP gateway to use for event log e-mail output notifications.
#(config event-log) syslog {disable | enable}
Disables the collection of system log messages.
#(config event-log) syslog facility {auth | daemon | kernel | local0 | local1 |
local2 | local3 | local4 | local5 | local6 | local7 | lpr | mail | news |
syslog | user | uucp}
Specifies the types of system log messages to be collected in the system log.
#(config event-log) syslog loghost {domain_name | ip_address}
Specifies the host domain used for system log notifications.

Volume 11: Command Line Interface Reference

164

Chapter 3: Privileged Mode Configure Commands

#(config event-log) syslog no loghost
#(config event-log) view [configuration] [start [YYYY-mm-dd] [HH:MM:SS]] [end
[YYYY-mm-dd] [HH:MM:SS]] [regex regex | substring string]
View the event-log configuration, using the #(config event-log) configuration command, or view the
contents of the event-log, using the filters offered to narrow the view.
#(config event-log) when-full {overwrite | stop}
Specifies what should happen to the event log when the maximum size has been reached. overwrite
overwrites the oldest information in a FIFO manner; stop disables event logging.

For More Information


Volume 7: Managing the Blue Coat ProxySG Appliance

Example
SGOS#(config) event-log
SGOS#(config event-log) syslog enable
ok

165

Chapter 3: Privileged Mode Configure Commands

#(config) exceptions
Synopsis
These commands allow you to configure built-in and user-defined exception response objects.

Syntax
#(config) exceptions

This changes the prompt to:
#(config exceptions)

Subcommands
#(config exceptions) create exception_id
Creates the given exception.
#(config exceptions) company-name name
Sets the name used for the $(exception.company_name) substitution.
#(config exceptions) delete exception_id
Deletes the exception specified by exception_id.
#(config exceptions) edit exception_id or user_defined_exception_id
Changes the prompt to #(config exceptions [user-defined.]exception_id) on page
167.
#(config exceptions) exit
Exits #(config exceptions) mode and returns to #(config) mode.
#(config exceptions) inline {contact | details | format | help | http {contact |
details | format | help | summary} | summary} eof_marker
Configures defaults for all exception objects.
#(config exceptions) load exceptions
Downloads new exceptions.
#(config exceptions) no path
Clears the network path to download exceptions.
#(config exceptions) path url
Specifies the network path to download exceptions.
#(config exceptions) user-defined inline {contact | details | format | help |
http {contact | details | format | help | summary} | summary} eof_marker
Configures the top-level values for user-defined exceptions.

For More Information


Volume 6: VPM and Advanced Policy

Example
SGOS#(config) exceptions
SGOS#(config exceptions) default contact
ok
SGOS#(config exceptions) exit
SGOS#(config)

Volume 11: Command Line Interface Reference

166

Chapter 3: Privileged Mode Configure Commands

#(config exceptions [user-defined.]exception_id)
Synopsis
These commands allow you to edit an exception or a user-defined exception.

Syntax
#(config) exceptions

This changes the prompt to:
#(config exceptions) user_defined_exception_id

This changes the prompt to:
#(config exceptions user_defined_exception_id)

Subcommands
#(config exceptions [user-defined.]exception_id) exit
Exits #(config exceptions [user-defined] exception_id) mode and returns to #(config
exceptions) mode.
#(config exceptions [user-defined.]exception_id) http-code
numeric_http_response_code
Configures this exception's HTTP response code.
#(config exceptions [user-defined.]exception_id) inline {contact | details |
format | help | http {contact | details | format | help | summary} | summary}
eof_marker
Configures this exception's substitution values.

For More Information


Volume 6: VPM and Advanced Policy

Example
SGOS#(config) exceptions
SGOS#(config exceptions) edit testname
SGOS#(config exceptions user-defined testname) http-code 000
ok
SGOS#(config exceptions user-defined testname) exit
SGOS#(config exceptions) exit
SGOS#(config)

167

Chapter 3: Privileged Mode Configure Commands

#(config) exit
Synopsis
Exits from Configuration mode to Privileged mode, from Privileged mode to Standard mode. From
Standard mode, the exit command closes the CLI session.

Syntax
#(config) exit

The exit command has no parameters or subcommands.

Volume 11: Command Line Interface Reference

168

Chapter 3: Privileged Mode Configure Commands

#(config) external-services
Synopsis
These commands allow you to configure your external services.
Use the edit ICAP commands to configure the ICAP service used to integrate the ProxySG with a virus
scanning server. The configuration is specific to the virus scanning server and includes the server IP
address, as well as the supported number of connections. If you are using the ProxySG with multiple
virus scanning servers or multiple scanning services on the same server, add an ICAP service for each
server or scanning service.
Note:

When you define virus scanning policies, use the same service name. Make sure you type the
ICAP service name accurately, whether you are configuring the service on the ProxySG or defining
policies, since the name retrieves the other configuration settings for that service.

Syntax
#(config) external-services

This changes the prompt to:
#(config external-services)

Subcommands
#(config external-services) create icap icap_service_name
Creates an ICAP service.
#(config external-services) create service-group service_group_name
Creates a service group.
#(config external-services) create websense websense_service_name
Creates a Websense service.
#(config external-services) delete name
Deletes an external service.
#(config external-services) edit
Changes the prompt to one of three external service edit commands:

#(config icap icap_service_name) on page 171
#(config service-group service_group_name) on page 173
#(config websense websense_service_name) on page 175
#(config external-services) exit
Exits #(config external-services) mode and returns to #(config) mode.
#(config external-services) inline http {icap-patience-details |
icap-patience-header | icap-patience-help | icap-patience-summary}
Customizes ICAP patience page details for HTTP connections.
#(config external-services) icap feedback interactive patience-page {seconds}
For traffic associated with a Web browser, display a patience page after the specified duration.

169

Chapter 3: Privileged Mode Configure Commands

#(config external-services) icap feedback {interactive | non-interactive)
{trickle-start | trickle-end | none} {seconds}
For interactive traffic (associated with a Web browser) or non-traffic (originating from a client other than
a Web browser), employ a data trickling method so the user receives a small amount (trickle-start) or
large amount (trickle-end) of object data while waiting for the results of the content scan (ICAP). Begin
trickling after the specified duration.
#(config external-services) inline ftp icap-patience-details
Customizes ICAP patience page details for FTP connections.
#(config external-services) view
Shows external services and external service groups.

For More Information


Volume 7: Managing Content

Example
SGOS#(config) external-services
SGOS#(config external-services) create websense testwebsense
ok
SGOS#(config external-services) exit
SGOS#(config)

Volume 11: Command Line Interface Reference

170

Chapter 3: Privileged Mode Configure Commands

#(config icap icap_service_name)
Synopsis
These commands allow you to edit ICAP parameters.

Syntax
#(config) external-services

This changes the prompt to:
#(config external-services) create icap icap_service_name
#(config external-services) edit icap_service_name

This changes the prompt to:
#(config icap icap_service_name)

Subcommands
#(config icap icap_service_name) defer-threshold defer-threshold
Sets the deferred scanning threshold.
#(config icap icap_service_name) exit
Exits #(config ICAP name) mode and returns to #(config external-services) mode.
#(config icap icap_service_name) event-log connection-failure
Enables event log options
#(config icap icap_service_name) max-conn max_num_connections
Sets the maximum number of connections for the ICAP service.
#(config icap icap_service_name) methods {REQMOD | RESPMOD}
Sets the method supported by the ICAP service. REQMOD is request modification and RESPMOD is
response modification.
#(config icap icap_service_name) no defer-threshold
Disables the deferred scanning threshold.
#(config icap icap_service_name) no event-log connection-failure
Disables event log options
#(config icap icap_service_name) no send {client-address | server-address}
Specifies what should not be sent to the ICAP server.
#(config icap icap_service_name) no notify virus-detected
Specifies no notification to the administrator when a virus is detected.
#(config icap icap_service_name) no port {port | default}
Disables ports for both plain and secure ICAP .
#(config icap icap_service_name) no preview
Specifies that previews do not get sent.
#(config icap icap_service_name) no secure-port
Disables the secure ICAP mode.
#(config icap icap_service_name) no ssl-device-profile ssl-device-profile
Removes the selected SSL device profile.
#(config icap icap_service_name) no use-vendor-virus-page
Does not use the ProxySG’s virus detected exception.
#(config icap icap_service_name) notify virus-detected
Specifies notification when viruses are found.

171

Chapter 3: Privileged Mode Configure Commands

#(config icap icap_service_name) port {port | default}
Sets the plain ICAP port. Enter the desired port or the default port. The default port is 1344. To enter
another port, enter a value from 1– 65534.
#(config icap icap_service_name) preview-size bytes
Sets the preview size for the ICAP service.
#(config icap icap_service_name) secure-port {port | default}
Sets the secure ICAP port. Enter the desired port or the default port. The default port is 11344. To enter
another port, enter a value from 1– 65534. This command can only be used if an SSL device profile is not
specified.
#(config icap icap_service_name) send client-address
Specifies that the client address be sent to the ICAP service.
#(config icap icap_service_name) send server-address
Specifies that the server address be sent to the ICAP service.
#(config icap icap_service_name) sense-settings
Senses the service’s setting by contacting the server.
#(config icap icap_service_name) ssl-device-profile ssl-device-profile
Associates an SSL device profile with the ICAP service. No device profile is the default.
#(config icap icap_service_name) timeout seconds
Sets the connection timeout for the ICAP services.
#(config icap icap_service_name) url url
Sets the URL for the ICAP services.
#(config icap icap_service_name) use-vendor-virus-page
Use the ICAP vendor’s virus detected page.
#(config icap icap_service_name) view
Displays the service’s current configuration.

For More Information


Volume 7: Managing Content

Example
SGOS#(config) external-services
SGOS#(config external-services) edit testicap
SGOS#(config icap testicap) send client-address
ok
SGOS#(config icap testicap) exit
SGOS#(config external-services) exit
SGOS#(config)

Volume 11: Command Line Interface Reference

172

Chapter 3: Privileged Mode Configure Commands

#(config service-group service_group_name)
Synopsis
These commands allow you to edit service group parameters.

Syntax
#(config) external-services

This changes the prompt to:
#(config external-services) create service-group service_group_name
#(config external-services) edit service_group_name

This changes the prompt to:
#(config service-group service_group_name)

Subcommands
#(config service-group service_group_name) add entry_name
Adds an entry to this service group.
#(config service-group service_group_name) edit entry_name
Changes the prompt to #(config service-group service_group_name entry_name).
#(config service-group service_group_name entry_name) exit
Exits #(config service-group name/entry name) mode and returns to #(config
service-group name) mode.
#(config service-group service_group_name entry_name) view
Shows this entry’s configuration.
#(config service-group service_group_name entry_name) weight 0 to 255
Modifies this entry’s weight.
#(config service-group service_group_name) exit
Exits #(config service-group_name) mode and returns to #(config external-services)
mode.
#(config service-group service_group_name) view
Displays this service group’s configuration.

For More Information


Volume 7: Managing Content

Examples
SGOS#(config) external-services
SGOS#(config external-services) edit testgroup
SGOS#(config service-group testgroup) add testentry
ok
SGOS#(config service-group testgroup) exit
SGOS#(config external-services) exit
SGOS#(config)

173

Chapter 3: Privileged Mode Configure Commands

SGOS#(config) external-services
SGOS#(config external-services) edit testgroup
SGOS#(config service-group testgroup) edit testentry
SGOS#(config service-group testgroup testentry) weight 223
ok
SGOS#(config service-group testgroup testentry) exit
SGOS#(config service-group testgroup) exit
SGOS#(config external-services) exit
SGOS#(config)

Volume 11: Command Line Interface Reference

174

Chapter 3: Privileged Mode Configure Commands

#(config websense websense_service_name)
Synopsis
These commands allow you to edit Websense parameters.

Syntax
#(config) external-services

This changes the prompt to:
#(config external-services) create websense websense_service_name
#(config external-services) edit websense_service_name

This changes the prompt to:
#(config websense websense_service_name)

Subcommands
#(config websense websense_service_name) apply-by-default
Applies Websense by default.
#(config websense websense_service_name) exit
Exits #(config websense websense_service_name) mode and returns to #(config
external-services) mode.
#(config websense websense_service_name) fail-open
Fail open if service is applied by default.
#(config websense websense_service_name) host hostname
Remote Websense hostname or IP address.
#(config websense websense_service_name) max-conn max_num_connections
Specifies the maximum number of concurrent connections
#(config websense websense_service_name) no apply-by-default
Does not apply service by default.
#(config websense websense_service_name) no fail-open
Fail closed if service is applied by default.
#(config websense websense_service_name) no send {client-address | client-info}
Negates send options.
#(config websense websense_service_name) no serve-exception-page
Serves Websense message when content is blocked.
#(config websense websense_service_name) port port
Port number of remote Websense server.
#(config websense websense_service_name) send client-address
Sends the client address to the Websense server.
#(config websense websense_service_name) send client-info
Sends the client information to the Websense server.
#(config websense websense_service_name) sense-categories
Sense categories configured on the Websense server.
#(config websense websense_service_name) serve-exception-page
Serves built-in exception page when content is blocked.
#(config websense websense_service_name) test-url url
Tests a url against the Websense server.

175

Chapter 3: Privileged Mode Configure Commands

#(config websense websense_service_name) timeout seconds
Sets the receive timeout in seconds.
#(config websense websense_service_name) version {4.3 | 4.4}
Sets the version of the Websense server.
#(config websense websense_service_name) view
Displays the service's current configuration.

For More Information


Volume 7: Managing Content

Example
SGOS#(config) external-services
SGOS#(config external-services) edit testwebsense
SGOS#(config websense testwebsense) send client-address
ok
SGOS#(config websense testwebsense) exit
SGOS#(config external-services) exit
SGOS#(config)

Volume 11: Command Line Interface Reference

176

Chapter 3: Privileged Mode Configure Commands

#(config) failover
Synopsis
These commands allow you to configure redundancy into your network.

Syntax
#(config) failover

This changes the prompt to:
#(config failover)

Subcommands
#(config failover) create group_address
Creates a failover group.
#(config failover) delete group_address
Deletes a failover group.
#(config failover) edit group_address
Changes the prompt to #(config failover group_address).
#(config failover group_address) {disable | enable}
Disables or enables failover group indicated by group_address.
#(config failover group_address) encrypted-secret encrypted_secret
(Optional but recommended) Refers to an encrypted password shared only with the group.
#(config failover group_address) exit
Exits #(config failover group_address) mode and returns to #(config failover)
mode.
#(config failover group_address) interval interval_in_seconds
(Optional) Refers to the time between advertisements from the master to the multicast address. The
default is 40 seconds.
#(config failover group_address) master
Defines the current system as the master and all other systems as slaves.
#(config failover group_address) multicast-address multicast_address
Refers to a multicast address where the master sends the keepalives (advertisements) to the slave
systems.
#(config failover group_address) no interval
Resets the interval to the default value (40 seconds).
#(config failover group_address) no multicast-address
Removes the multicast address from the failover group.
#(config failover group_address) no master
Removes as configured master.
#(config failover group_address) no priority
Resets the priority to the default value (100).
#(config failover group_address) no secret
Clears the secret from the failover group.
#(config failover group_address) priority relative_priority
(Optional) Refers to the rank of slave systems. The range is from 1 to 253. (The master system, the
one whose IP address matches the group address, gets 254.)

177

Chapter 3: Privileged Mode Configure Commands

#(config failover group_address) secret secret
(Optional but recommended) Refers to a password shared only with the group. You can create a
secret, which is then hashed.
#(config failover group_address) view
Shows the current settings for the failover group indicated by group_address.
#(config failover) exit
Exits #(config failover) mode and returns to #(config) mode.
#(config failover) view {configuration [group_address | ] | statistics}
View the configuration of a group or all groups or view all statistics.

For More Information


Volume 5: Advanced Networking

Examples
SGOS#(config) failover
SGOS#(config failover) create 10.9.17.135
ok
SGOS#(config failover) exit
SGOS#(config)
SGOS#(config) failover
SGOS#(config failover) edit 10.9.17.135
SGOS#(config failover 10.9.17.135) master
ok
SGOS#(config failover 10.9.17.135) exit
SGOS#(config failover) exit

Volume 11: Command Line Interface Reference

178

Chapter 3: Privileged Mode Configure Commands

#(config) forwarding
Synopsis
Configures forwarding of content requests to defined hosts and groups through policy.

Syntax
#(config) forwarding

This changes the prompt to:
#(config forwarding)

Subcommands
#(config forwarding) create host host_alias host_name [http[=port] [https[=port]]
[ftp[=port]] [mms[=port]] [rtsp[=port]] [tcp[=port]] [telnet[=port]]
[ssl-verify-server[=yes | =no]] [group=group_name] [server | proxy]
#(config forwarding) create group group_name
Creates a forwarding host/group. The only required entries under the create option (for a host) are
host_alias, host_name, a protocol, and a port number. The port number can be defined explicitly
(i.e., http=8080), or it can take on the default port value of the protocol, if one exists (i.e., enter http,
and the default port value of 80 is entered automatically).

To create a host group, you must also include the group=group_name command. If this is
the first mention of the group, group_name, then that group is automatically created with this
host as its first member. Do not use this command when creating an independent host.
#(config forwarding) delete all
Deletes all forwarding hosts and groups.
#(config forwarding) delete group group_name
Deletes only the group identified by group_name.
#(config forwarding) delete host host_alias
Deletes only the host identified by host_alias.
#(config forwarding) download-via-forwarding {disable | enable}
Disables or enables configuration file downloading using forwarding.
#(config forwarding) edit host_or_group_alias
Changes the prompt to:


#(config forwarding group_alias) on page 182



#(config forwarding host_alias) on page 184

#(config forwarding) exit
Exits #(config forwarding) mode and returns to #(config) mode.
#(config forwarding) failure-mode {closed | open}
Sets the default forwarding failure mode to closed or open.
#(config forwarding) host-affinity http method {accelerator-cookie
[host_or_group_alias] | client-ip-address [host_or_group_alias] | default
[host_or_group_alias] | none [host_or_group_alias]}
Selects a host affinity method for HTTP. If a host or group alias is not specified for the
accelerator-cookie, client-ip-address, or none options, the global default is used. Use the
default option to specify default configurations for all the settings for a specified host or group.

179

Chapter 3: Privileged Mode Configure Commands

#(config forwarding) host-affinity ssl-method {accelerator-cookie
[host_or_group_alias] | client-ip-address [host_or_group_alias] | default
[host_or_group_alias] | none [host_or_group_alias] | ssl-session-id
[host_or_group_alias]}
Selects a host affinity method for SSL. If a host or group alias is not specified for the
accelerator-cookie, client-ip-address, none, or ssl-session-id options, the global
default is used. Use the default option to specify default configurations for all the settings for a
specified host or group.
#(config forwarding) host-affinity other method {client-ip-address
[host_or_group_alias] | default [host_or_group_alias] | none
[host_or_group_alias]}
Selects a host affinity method (non-HTTP or non-SSL). If a host or group alias is not specified for the
client-ip-address, or none options, the global default is used. Use the default option to specify
default configurations for all the settings for a specified host or group.
#(config forwarding) host-affinity timeout minutes
Sets the timeout in minutes for the host affinity.
#(config forwarding) integrated-host-timeout minutes
Sets the timeout for aging out unused integrated hosts.
#(config forwarding) load-balance {default [group_alias] | domain-hash
[group_alias] | least-connections [group_alias] | none [group_alias] |
round-robin [group_alias] | url [group_alias]}
Sets if and how load balancing hashes between group members. If a group alias is not specified for the
domain-hash, least-connections, round-robin, url, or none options, the global default is used.
Use the default option to specify default configurations for all the settings for a specified group.
#(config forwarding) load-balance method {default [host_alias] |
least-connections [host_alias] | none [host_alias] | round-robin
[host_alias]}
Sets the load balancing method. If a host alias is not specified for the least-connections,
round-robin, or none options, the global default is used. Use the default option to specify default
configurations for all the settings for a specified host.
#(config forwarding) no path
Negates certain forwarding settings.
#(config forwarding) path url
Sets the network path to download forwarding settings.
#(config forwarding) sequence add host_or_group_alias
Adds an alias to the end of the default failover sequence.
#(config forwarding) sequence clear
Clears the default failover sequence.
#(config forwarding) sequence demote host_or_group_alias
Demotes an alias one place towards the end of the default failover sequence.
#(config forwarding) sequence promote host_or_group_alias
Promotes an alias one place towards the start of the default failover sequence.
#(config forwarding) sequence remove host_or_group_alias
Removes an alias from the default failover sequence.
#(config forwarding) view
Displays the currently defined forwarding groups or hosts.

For More Information


Volume 5: Advanced Networking

Volume 11: Command Line Interface Reference

180

Chapter 3: Privileged Mode Configure Commands

Example
SGOS#(config) forwarding
SGOS#(config forwarding)
ok
SGOS#(config forwarding)
ok
SGOS#(config forwarding)
ok
SGOS#(config forwarding)
ok
SGOS#(config forwarding)
SGOS#(config)

download-via-forwarding disable
failure-mode closed
host-affinity method client-ip-address
load-balance hash domain group_name1
exit

181

Chapter 3: Privileged Mode Configure Commands

#(config forwarding group_alias)
Synopsis
These commands allow you to edit the settings of a specific forwarding group.

Syntax
#(config) forwarding

This changes the prompt to:
#(config forwarding) create host_alias hostname protocol=port group=group_alias
#(config forwarding) edit group_alias

This changes the prompt to:
#(config forwarding group_alias)

Subcommands
#(config forwarding group_alias) add
Adds a new group.
#(config forwarding group_alias) exit
Exits #(config forwarding group_alias) mode and returns to #(config forwarding)
mode.
#(config forwarding group_alias) host-affinity http {accelerator-cookie |
client-ip-address | default | none}
Changes the host affinity method (non-SSL) for this group.
#(config forwarding group_alias) host-affinity other {client-ip-address |
default | none}
Changes the other host affinity method for this group.
#(config forwarding group_alias) host-affinity ssl {accelerator-cookie |
client-ip-address | default | ssl-session-id | none}
Changes the host affinity method (SSL) for this group.
#(config forwarding group_alias) load-balance method {default | domain-hash |
least-connections | none | round-robin | url-hash}
Changes the load balancing method.
#(config forwarding group_alias) remove
Removes an existing group.
#(config forwarding group_alias) view
Shows the current settings for this forwarding group.

For More Information


Volume 5: Advanced Networking

Volume 11: Command Line Interface Reference

182

Chapter 3: Privileged Mode Configure Commands

Example
SGOS#(config) forwarding
SGOS#(config forwarding) edit test_group
SGOS#(config forwarding test_group) load-balance hash domain
ok
SGOS#(config forwarding test_group) exit
SGOS#(config forwarding) exit
SGOS#(config)

183

Chapter 3: Privileged Mode Configure Commands

#(config forwarding host_alias)
Synopsis
These commands allow you to edit the settings of a specific forwarding host.

Syntax
#(config) forwarding

This changes the prompt to:
#(config forwarding) create host_alias hostname protocol=port
#(config forwarding) edit host_alias

This changes the prompt to:
#(config forwarding host_alias)

Subcommands
#(config forwarding host_alias) exit
Exits #(config forwarding host_alias) mode and returns to #(config forwarding) mode.
#(config forwarding host_alias) ftp [port]
Changes the FTP port to the default port or to a port that you specify.
#(config forwarding host_alias) host host_name
Changes the host name.
#(config forwarding host_alias) host-affinity http {accelerator-cookie |
client-ip-address | default | none}
Changes the host affinity method (non-SSL) for this host.
#(config forwarding host_alias) host-affinity other {client-ip-address | default
| none}
Changes the other host affinity method for this host.
#(config forwarding host_alias) host-affinity ssl {accelerator-cookie |
client-ip-address | default | ssl-session-id | none}
Changes the host affinity method (SSL) for this host.
#(config forwarding host_alias) http [port]
Changes the HTTP port to the default port or to a port that you specify.
#(config forwarding host_alias) https [port]
Changes the HTTPS port to the default port or to a port that you specify.
#(config forwarding host_alias) load-balance method {default | least-connections
| round-robin | none}
Changes the load balancing method.
#(config forwarding host_alias) mms [port]
Changes the MMS port to the default port or to a port that you specify.
#(config forwarding host_alias) no {ftp | http | https | mms | rtsp |
ssl-verify-server | tcp | telnet}
Deletes a setting for this host.
#(config forwarding host_alias) proxy
Makes the host a proxy instead of a server; any HTTPS or TCP ports are deleted.
#(config forwarding host_alias) rtsp [port]
Changes the RTSP port to the default port or to a port that you specify.

Volume 11: Command Line Interface Reference

184

Chapter 3: Privileged Mode Configure Commands

#(config forwarding host_alias) server
Makes the host a server instead of a proxy.
#(config forwarding host_alias) ssl-verify-server
Sets SSL to verify server certificates.
#(config forwarding host_alias) tcp [port]
Changes the TCP port to the default port or to a port that you specify.
#(config forwarding host_alias) telnet [port]
Changes the Telnet port to the default port or to a port that you specify.
#(config forwarding host_alias) view
Shows the current settings for this forwarding host.

For More Information


Volume 5: Advanced Networking

Example
SGOS#(config) forwarding
SGOS#(config forwarding) edit test_host
SGOS#(config forwarding test_host) server
ok
SGOS#(config forwarding test_host) exit
SGOS#(config forwarding) exit

185

Chapter 3: Privileged Mode Configure Commands

#(config) front-panel
Synopsis
Use this command to configure the front panel. For instance, the front-panel LCD behavior can be
configured using the backlight command.

Syntax
#(config) front-panel

This changes the prompt to:
#(config front-panel)

Subcommands
#(config front-panel) backlight flash
The front-panel LCD is configured to flash, which can, for instance, help you locate a particular
appliance in a room full of appliances.
#(config front-panel) backlight state {off | on | timeout}
The front-panel LCD is configured to be always turned on, always turned off, or to turn off after a
specified length of time (use the backlight timeout command to configure the length of time).
#(config front-panel) backlight timeout seconds
Configures the length of time before the front-panel LCD turns off. You must also set the backlight
state timeout command to configure timeout mode.
#(config front-panel) exit
Exits #(config front-panel) mode and returns to #(config) mode.
#(config front-panel) hashed-pin hashed_PIN
Specifies a front-panel PIN in hashed format.
#(config front-panel) no backlight flash
Stops the front-panel LCD from flashing.
#(config front-panel) pin PIN
Sets a four-digit PIN to restrict access to the front panel of the ProxySG. To clear the PIN, specify 0000
instead of a real PIN.
#(config front-panel) view
Displays the front panel settings.

For More Information


Volume 4: Securing the Blue Coat ProxySG Appliance

Example
SGOS#(config) front-panel
SGOS#(config front-panel) backlight state timeout
ok
SGOS#(config front-panel) backlight timeout 60
ok
SGOS#(config front-panel) exit
SGOS#(config)

Volume 11: Command Line Interface Reference

186

Chapter 3: Privileged Mode Configure Commands

#(config) ftp
Synopsis
Use this command to configure FTP parameters.

Syntax
#(config) ftp login-syntax {raptor | checkpoint}
Toggles between Raptor and Checkpoint login syntax. The default is Raptor.
#(config) ftp no welcome-banner
No text is displayed to an FTP client when a connection occurs.
#(config) ftp welcome-banner banner
Customizes the text displayed to an FTP client when a connection occurs.

For More Information


Volume 2: Proxies and Proxy Services



#(config caching ftp) on page 126

Example
SGOS #(config) ftp login-syntax checkpoint
ok

187

Chapter 3: Privileged Mode Configure Commands

#(config) general
Synopsis
Use these commands to set global defaults for user behavior when license limits are exceeded and
trusting client-provided destination IP addresses.

Syntax
SGOS#(config) general
This changes the prompt to:
SGOS#(config general)

Subcommands
SGOS#(config general) exit
Returns to #(config) prompt.
SGOS#(config general) reflect-client-ip {disable| enable}
Configures the client IP reflection.
SGOS#(config general) resource-overflow-action {bypass|drop}
Configures the resource overflow action by choosing to either bypass or drop new connections when
resources are scarce.
SGOS#(config general) trust-destination-ip {enable | disable}
Allows the ProxySG appliance to trust a client-provided destination IP address and not do a DNS
lookup.


Proxy Edition default: disable



MACH5 Edition default: enable

SGOS#(config general) user-overflow-action {bypass | none | queue}
Set overflow behavior when there are more licensed-user connections going through the system than is
allowed by the model license. The default is none.
SGOS#(config general) view
View general mode settings.

For More Information


Volume 2: Proxies and Proxy Services

Example
SGOS#(config general) trust-destination-ip enable
ok

Volume 11: Command Line Interface Reference

188

Chapter 3: Privileged Mode Configure Commands

#(config) health-check
Synopsis
Use this command to configure health check settings.

Syntax
#(config) health-check

This changes the prompt to:
#(config health-check)

Subcommands
(config health-check) copy source-alias target-alias
Copy from one health check to another (creating if necessary).
(config health-check) create {composite alias_name | http alias_name url | https
alias_name url | icmp alias_name hostname| ssl alias_name hostname [port]| tcp
alias_name hostname [port]}
Create a user-defined health check of the type specified.
(config health-check) default e-mail {healthy {enable |disable} | report-all-ips
{enable | disable} | sick {enable | disable}}
Configure defaults for e-mail options.
(config health-check) default event-log {healthy { disable |information | severe}|
report-all-ips {enable | disable} | sick {enable | disable}}
Configure defaults for event-log options. An informational or a severe event-log message is logged
depending on the setting chosen.
(config health-check) default failure-trigger {none | count}
Configure defaults for the failure-trigger options.
(config health-check) default interval {healthy seconds| sick seconds}
Configure defaults for interval options.
(config health-check) default snmp {healthy {enable |disable} | report-all-ips
{enable | disable} | sick {enable | disable}}
Configure defaults for snmp options.
(config health-check) default severity {critical|no-effect|warning}
Configure default severity for health checks.
(config health-check) default threshold {healthy count | response-time
milliseconds | sick count}
Configure defaults for threshold options.
(config health-check) delete alias_name
Delete the specified health check.
(config health-check) disable {healthy alias_name | sick alias_name}
Disable the specified health check and have it always report health or sick.
(config health-check)edit auth.test_name
Allows you to configure options for the health check you specified.
(config health-check auth.test_name) clear-statistics
Clears statistics for this health check.
(config health-check auth.test_name) e-mail {healthy {default | enable | disable}|
report-all-ips {default | enable | disable}| sick {default | enable | disable}}

189

Chapter 3: Privileged Mode Configure Commands

Sends e-mail notification when the health check reports healthy or sick, whether or not those reports
are for all IP addresses.
(config health-check auth.test_name) event-log {healthy {default | disable |
information | severe}| report-all-ips {default | enable | disable}| sick
{default | disable | information | severe}}
Logs an event when the health check reports healthy or sick, whether or not those reports are for all
IP addresses. An informational or a severe event-log message is logged depending on the setting
chosen.
(config health-check auth.test_name) exit
Exits the health check editing mode.
(config health-check auth.test_name) failure-trigger {default | none | count}
Configures options for the failure-trigger.
(config health-check auth.test_name) interval {healthy {default | seconds}| sick
{default | seconds}}
Configures intervals before the health check is re-run. The intervals can be different for health
checks that are reporting healthy and health checks that are reporting sick.
(config health-check auth.test_name) perform-health-check
Starts the health check immediately and reports the result.
(config health-check auth.test_name) severity
{critical|no-effect|default|warning}
Configures default severity for the health check.
(config health-check auth.test_name) snmp {healthy {default | enable | disable}|
report-all-ips {default | enable | disable}| sick {default | enable | disable}}
Sends a trap when the health check reports healthy, whenever an IP address health check reports
healthy, or when a health check reports sick.
(config health-check auth.host_name) threshold {healthy {default | count} |
response-time {default | none | milliseconds} | sick {default | count}}
Sets the level when health checks will report healthy or sick.
(config health-check auth.test_name) use-defaults
Resets the defaults of the health check to use the global defaults instead of any explicitly set values.
(config health-check auth.test_name) view {configuration | events |statistics}
Displays the health check’s configuration, recent event-log messages or statistics.
(config health-check) edit composite_health_check
Edit the specified composite health check.
(config health-check user.composite_health_check) add member_name
Add the specified member to the composite health check group.
(config health-check user.composite_health_check) combine {all-healthy |
any-healthy | some-healthy}
Require that all, some, or any members of the group report as healthy to have the composite health
check report as healthy.
(config health-check user.composite_health_check) e-mail {healthy {default |
enable | disable}| report-all-ips {healthy {default | enable | disable}| sick
{default | enable | disable}}
Send e-mail notification when a health check reports healthy or sick, whether or not those reports
are for all IP addresses.
(config health-check user.composite_health_check) event-log {healthy {default |
disable |information | severe}| report-all-ips {healthy {default | enable |
disable}| sick {default | enable | disable}}
Log an event when a health check reports healthy or sick, whether or not those reports are for all IP
addresses.

Volume 11: Command Line Interface Reference

190

Chapter 3: Privileged Mode Configure Commands

(config health-check user.composite_health_check) exit
Leaves the composite health check editing submode.
(config health-check user.composite_health_check) perform-health-check
Does a health check on the members of the composite immediately and reports the result.
(config health-check user.composite_health_check) remove member_name
Remove a member from the composite group.
(config health-check user.composite_health_check) snmp {healthy {default | enable
| disable}| report-all-ips {healthy {default | enable | disable}| sick {default |
enable | disable}}
Sends a trap when the health check reports healthy or sick, whether or not those reports are for all IP
addresses.
(config health-check user.composite_health_check) severity {critical | default|
no-effect | warning}
Sets the severity level of the health check, which determines how this health check affects the overall
health of the device.
(config health-check user.composite_health_check) use-defaults
Re-sets the defaults of the health check to use the global defaults instead of any explicitly set values.
(config health-check user.composite_health_check) view {configuration |events
|statistics}
Views the composite health check’s configuration, event log messages, or statistics.
(config health-check)edit dns.test_name
Allows you to configure options for the health check you specified.
(config health-check dns.test_name) clear-statistics
Clears statistics for this health check.
(config health-check dns.test_name) e-mail {healthy {default | enable | disable}|
report-all-ips {default | enable | disable}| sick {default | enable | disable}}
Sends e-mail notification when the health check reports healthy or sick, whether or not those reports
are for all IP addresses.
(config health-check dns.test_name) event-log {healthy {default | disable |
information | severe}| report-all-ips {default | enable | disable}| sick
{default | disable | information | severe}}
Logs an event when the health check reports healthy or sick, whether or not those reports are for all
IP addresses. An informational or a severe event-log message is logged depending on the setting
chosen.
(config health-check dns.test_name) exit
Exits the health check editing mode.
(config health-check dns.test_name) failure-trigger {default | none | count}
Configures options for the failure-trigger.
(config health-check dns.test_name) interval {healthy {default | seconds}| sick
{default | seconds}}
Configures intervals before the health check is re-run. The intervals can be different for health
checks that are reporting healthy and health checks that are reporting sick.
(config health-check dns.test_name) hostname { default|hostname }
Sets the hostname for the DNS Server health check to the default hostname or to a user-defined
hostname.
(config health-check dns.test_name) perform-health-check
Starts the health check immediately and reports the result.
(config health-check dns.test_name) severity
{critical|no-effect|default|warning}
Configures default severity for the health check.

191

Chapter 3: Privileged Mode Configure Commands

(config health-check dns.test_name) snmp {healthy {default | enable | disable}|
report-all-ips {default | enable | disable}| sick {default | enable | disable}}
Sends a trap when the health check reports healthy, whenever an IP address health check reports
healthy, or when a health check reports sick.
(config health-check dns.test_name) threshold {healthy {default | count} |
response-time {default | none | milliseconds} | sick {default | count}}
Sets the level when health checks will report healthy or sick.
#(config health-check dns.test_name) use-defaults
Resets the defaults of the health check to use the global defaults instead of any explicitly set values.
(config health-check dns.test_name) view {configuration | events |statistics}
Displays the health check’s configuration, recent event-log messages or statistics.
(config health-check) edit drtr.test_name
Allows you to configure options for the health check you specified.
(config health-check drtr.test_name) clear-statistics
Clears statistics for this health check.
(config health-check drtr.test_name) e-mail {healthy {default | enable | disable}|
report-all-ips {healthy {default | enable | disable}| sick {default | enable |
disable}}
Send e-mail notification when the health check reports healthy or sick, whether or not those reports
are for all IP addresses.
(config health-check drtr.test_name) event-log {healthy {default | disable
|information | severe}| report-all-ips {healthy {default | enable | disable}|
sick {default | enable | disable}}
Log an event when the health check reports healthy or sick, whether or not those reports are for all
IP addresses.
(config health-check drtr.test_name) exit
Leaves the health check editing mode.
(config health-check drtr.test_name) failure-trigger {default | none | count}
Configure options for the failure-trigger.
(config health-check drtr.test_name) interval {healthy {default | seconds}| sick
{default | seconds}}
Configure intervals before the health check is re-run. The intervals can be different for health checks
that are reporting healthy and health checks that are reporting sick.
(config health-check drtr.test_name) perform-health-check
Starts the health check immediately and reports the result.
(config health-check drtr.test_name) snmp {healthy {default | enable | disable}|
report-all-ips {healthy {default | enable | disable}| sick {default | enable |
disable}}
Sends a trap when the health check reports healthy, whenever an IP address health check reports
healthy, or when a health check reports sick.
(config health-check drtr.test_name) threshold {healthy {default | count} |
response-time {default | none | milliseconds} | sick {default | count}}
Set the level when health checks will report healthy or sick.
(config health-check drtr.test_name) use-defaults
Re-sets the defaults of the health check to use the global defaults instead of any explicitly set values.
(config health-check drtr.test_name) view {configuration | statistics}
Views the health check’s configuration or statistics.
(config health-check) edit fwd.group_name
Allows you to configure options for the health check you specified.

Volume 11: Command Line Interface Reference

192

Chapter 3: Privileged Mode Configure Commands

(config health-check fwd.group_name) combine {all healthy | any-healthy |
some-healthy}
Combines the results when a group test is healthy.
(config health-check fwd.group_name) e-mail {healthy {default | enable | disable}|
report-all-ips {healthy {default | enable | disable}| sick {default | enable |
disable}}
Send e-mail notification when the health check reports healthy or sick, whether or not those reports
are for all IP addresses.
(config health-check fwd.group_name) event-log {healthy {default | disable
|information | severe}| report-all-ips {healthy {default | enable | disable}|
sick {default | enable | disable}}
Log an event when the health check reports healthy or sick, whether or not those reports are for all
IP addresses.
(config health-check fwd.group_name) exit
Leaves the health check editing mode.
(config health-check fwd.group_name) perform-health-check
Starts the health check immediately and reports the result.
(config health-check fwd.group_name) snmp {healthy {default | enable | disable}|
report-all-ips {healthy {default | enable | disable}| sick {default | enable |
disable}}
Sends a trap when the health check reports healthy, whenever an IP address health check reports
healthy, or when a health check reports sick.
(config health-check fwd.group_name) use-defaults
Re-sets the defaults of the health check to use the global defaults instead of any explicitly set values.
(config health-check fwd.group_name) view {configuration | statistics}
Views the health check’s configuration or statistics.
(config health-check) edit fwd.host_name
Allows you to configure options for the health check you specified.
(config health-check fwd.host_name) authentication {basic | disable |
encrypted-password encrypted-password| password password| username username}
(Used with HTTP or HTTPS health checks.) To test Basic authentication, you can enter the username
and password of the target.
(config health-check fwd.host_name) clear-statistics
Clears statistics for this health check.
(config health-check fwd.host_name) e-mail {healthy {default | enable | disable}|
report-all-ips {healthy {default | enable | disable}| sick {default | enable |
disable}}
Send e-mail notification when the health check reports healthy or sick, whether or not those reports
are for all IP addresses.
(config health-check fwd.host_name) event-log {healthy {default | disable
|information | severe}| report-all-ips {healthy {default | enable | disable}|
sick {default | enable | disable}}
Log an event when the health check reports healthy or sick, whether or not those reports are for all
IP addresses.
(config health-check fwd.host_name) exit
Leaves the health check editing mode.
(config health-check fwd.host_name) failure-trigger {default | none | count}
Configure options for the failure-trigger.

193

Chapter 3: Privileged Mode Configure Commands

(config health-check fwd.host_name) interval {healthy {default | seconds}| sick
{default | seconds}}
Configure intervals before the health check is re-run. The intervals can be different for health checks
that are reporting healthy and health checks that are reporting sick.
(config health-check fwd.host_name) perform-health-check
Starts the health check immediately and reports the result.
(config health-check fwd.host_name) proxy-authentication {basic | disable |
encrypted-password encrypted-password | password password | username
username}
(Used with HTTP or HTTPS health checks, when intermediate proxies are between you and the
target.) Enter the username and password of the intermediate proxy.
(config health-check fwd.host_name) response-code {add codes | remove codes}
To manage a list of codes that are considered successes, you can add or remove codes, separated by
semi-colons. If a success code is received by the health check, the health check considers the HTTP/
HTTPS test to be successful.
(config health-check fwd.host_name) snmp {healthy {default | enable | disable}|
report-all-ips {healthy {default | enable | disable}| sick {default | enable |
disable}}
Sends a trap when the health check reports healthy, whenever an IP address health check reports
healthy, or when a health check reports sick.
(config health-check fwd.host_name) threshold {healthy {default | count} |
response-time {default | none | milliseconds} | sick {default | count}}
Set the level when health checks will report healthy or sick.
(config health-check fwd.host_name) type (http URL | https URL | icmp hostname | ssl
hostname [port] | tcp hostname [port]}
Set the number of consecutive healthy or sick test results before the health check actually reports as
healthy or sick.
(config health-check fwd.host_name) use-defaults
Re-sets the defaults of the health check to use the global defaults instead of any explicitly set values.
(config health-check fwd.host_name) view {configuration | statistics}
Views the health check’s configuration or statistics.
(config health-check) edit health_check_name
Allows you to configure options for the health check you specified.
(config health-check user.health_check_name) authentication {basic | disable |
encrypted-password encrypted-password| password password| username username}
(Used with HTTP or HTTPS health checks.) To test Basic authentication, you can enter the username
and password of the target.
(config health-check user.health_check_name) clear-statistics
Clears statistics for this health check.
(config health-check user.health_check_name) e-mail {healthy {default | enable |
disable}| report-all-ips {healthy {default | enable | disable}| sick {default |
enable | disable}}
Send e-mail notification when the health check reports healthy or sick, whether or not those reports
are for all IP addresses.
(config health-check user.health_check_name) event-log {healthy {default |
disable |information | severe}| report-all-ips {healthy {default | enable |
disable}| sick {default | enable | disable}}
Log an event when the health check reports healthy or sick, whether or not those reports are for all
IP addresses.
(config health-check user.health_check_name) exit
Leaves the health check editing mode.

Volume 11: Command Line Interface Reference

194

Chapter 3: Privileged Mode Configure Commands

(config health-check user.health_check_name) failure-trigger {default | none |
count}
Configure options for the failure-trigger.
(config health-check user.health_check_name) interval {healthy {default |
seconds}| sick {default | seconds}}
Configure intervals before the health check is re-run. The intervals can be different for health checks
that are reporting healthy and health checks that are reporting sick.
(config health-check user.health_check_name) perform-health-check
Starts the health check immediately and reports the result.
(config health-check user.health_check_name) proxy-authentication {basic |
disable | encrypted-password encrypted-password | password password |
username username}
(Used with HTTP or HTTPS health checks, when intermediate proxies are between you and the
target.) Enter the username and password of the intermediate proxy.
(config health-check user.health_check_name) response-code {add codes | remove
codes}
To manage a list of codes that are considered successes, you can add or remove codes, separated by
semi-colons. If a success code is received by the health check, the health check considers the HTTP/
HTTPS test to be successful.
(config health-check user.health_check_name) snmp {healthy {default | enable |
disable}| report-all-ips {healthy {default | enable | disable}| sick {default |
enable | disable}}
Sends a trap when the health check reports healthy, whenever an IP address health check reports
healthy, or when a health check reports sick.
(config health-check user.health_check_name) threshold {healthy {default | count}
| response-time {default | none | milliseconds} | sick {default | count}}
Set the level when health checks will report healthy or sick.
(config health-check user.health_check_name) type (http URL | https URL | icmp
hostname | ssl hostname [port] | tcp hostname [port]}
Set the number of consecutive healthy or sick test results before the health check actually reports as
healthy or sick.
(config health-check user.health_check_name) use-defaults
Re-sets the defaults of the health check to use the global defaults instead of any explicitly set values.
(config health-check user.health_check_name) view {configuration | statistics}
Views the health check’s configuration or statistics.
(config health-check) edit icap.test_name
Allows you to configure options for the health check you specified.
(config health-check icap.test_name) clear-statistics
Clears statistics for this health check.
(config health-check icap.test_name) e-mail {healthy {default | enable | disable}|
report-all-ips {healthy {default | enable | disable}| sick {default | enable |
disable}}
Send e-mail notification when the health check reports healthy or sick, whether or not those reports
are for all IP addresses.
(config health-check icap.test_name) event-log {healthy {default | disable
|information | severe}| report-all-ips {healthy {default | enable | disable}|
sick {default | enable | disable}}
Log an event when the health check reports healthy or sick, whether or not those reports are for all
IP addresses.
(config health-check icap.test_name) exit
Leaves the health check editing mode.

195

Chapter 3: Privileged Mode Configure Commands

(config health-check icap.test_name) failure-trigger {default | none | count}
Configure options for the failure-trigger.
(config health-check icap.test_name) interval {healthy {default | seconds}| sick
{default | seconds}}
Configure intervals before the health check is re-run. The intervals can be different for health checks
that are reporting healthy and health checks that are reporting sick.
(config health-check icap.test_name) perform-health-check
Starts the health check immediately and reports the result.
(config health-check icap.test_name) snmp {healthy {default | enable | disable}|
report-all-ips {healthy {default | enable | disable}| sick {default | enable |
disable}}
Sends a trap when the health check reports healthy, whenever an IP address health check reports
healthy, or when a health check reports sick.
(config health-check icap.test_name) threshold {healthy {default | count} |
response-time {default | none | milliseconds} | sick {default | count}}
Set the level when health checks will report healthy or sick.
(config health-check icap.test_name) use-defaults
Re-sets the defaults of the health check to use the global defaults instead of any explicitly set values.
(config health-check icap.test_name) view {configuration | statistics}
Views the health check’s configuration or statistics.
(config health-check) edit socks.test_name
Allows you to configure options for the health check you specified.
(config health-check socks.test_name) clear-statistics
Clears statistics for this health check.
(config health-check socks.test_name) e-mail {healthy {default | enable | disable}|
report-all-ips {healthy {default | enable | disable}| sick {default | enable |
disable}}
Send e-mail notification when the health check reports healthy or sick, whether or not those reports
are for all IP addresses.
(config health-check socks.test_name) event-log {healthy {default | disable
|information | severe}| report-all-ips {healthy {default | enable | disable}|
sick {default | enable | disable}}
Log an event when the health check reports healthy or sick, whether or not those reports are for all
IP addresses.
(config health-check socks.test_name) exit
Leaves the health check editing mode.
(config health-check socks.test_name) failure-trigger {default | none | count}
Configure options for the failure-trigger.
(config health-check socks.test_name) interval {healthy {default | seconds}| sick
{default | seconds}}
Configure intervals before the health check is re-run. The intervals can be different for health checks
that are reporting healthy and health checks that are reporting sick.
(config health-check socks.test_name) perform-health-check
Starts the health check immediately and reports the result.
(config health-check socks.test_name) snmp {healthy {default | enable | disable}|
report-all-ips {healthy {default | enable | disable}| sick {default | enable |
disable}}
Sends a trap when the health check reports healthy, whenever an IP address health check reports
healthy, or when a health check reports sick.

Volume 11: Command Line Interface Reference

196

Chapter 3: Privileged Mode Configure Commands

(config health-check socks.test_name) threshold {healthy {default | count} |
response-time {default | none | milliseconds} | sick {default | count}}
Set the level when health checks will report healthy or sick.
(config health-check socks.test_name) type (http URL | https URL | icmp hostname |
ssl hostname [port] | tcp hostname [port]}
Set the number of consecutive healthy or sick test results before the health check actually reports as
healthy or sick.
(config health-check socks.test_name) use-defaults
Re-sets the defaults of the health check to use the global defaults instead of any explicitly set values.
(config health-check socks.test_name) view {configuration | statistics}
Views the health check’s configuration or statistics.
(config health-check) edit ws.test_name
Allows you to configure options for the health check you specified.
(config health-check ws.test_name) clear-statistics
Clears statistics for this health check.
(config health-check ws.test_name) e-mail {healthy {default | enable | disable}|
report-all-ips {healthy {default | enable | disable}| sick {default | enable |
disable}}
Send e-mail notification when the health check reports healthy or sick, whether or not those reports
are for all IP addresses.
(config health-check ws.test_name) event-log {healthy {default | disable
|information | severe}| report-all-ips {healthy {default | enable | disable}|
sick {default | enable | disable}}
Log an event when the health check reports healthy or sick, whether or not those reports are for all
IP addresses.
(config health-check ws.test_name) exit
Leaves the health check editing mode.
(config health-check ws.test_name) failure-trigger {default | none | count}
Configure options for the failure-trigger.
(config health-check ws.test_name) interval {healthy {default | seconds}| sick
{default | seconds}}
Configure intervals before the health check is re-run. The intervals can be different for health checks
that are reporting healthy and health checks that are reporting sick.
(config health-check ws.test_name) perform-health-check
Starts the health check immediately and reports the result.
(config health-check ws.test_name) snmp {healthy {default | enable | disable}|
report-all-ips {healthy {default | enable | disable}| sick {default | enable |
disable}}
Sends a trap when the health check reports healthy, whenever an IP address health check reports
healthy, or when a health check reports sick.
(config health-check ws.test_name) test-url {default | url}
Sets the test URL to default.
(config health-check ws.test_name) threshold {healthy {default | count} |
response-time {default | none | milliseconds} | sick {default | count}}
Set the level when health checks will report healthy or sick.
(config health-check ws.test_name) use-defaults
Re-sets the defaults of the health check to use the global defaults instead of any explicitly set values.
(config health-check ws.test_name) view {configuration | statistics}
Views the health check’s configuration or statistics.

197

Chapter 3: Privileged Mode Configure Commands

(config health-check) edit ws.group_name
Allows you to configure options for the health check you specified.
(config health-check ws.group_name) combine {all healthy | any-healthy |
some-healthy}
Combines the results when a group test is healthy.
(config health-check ws.group_name) e-mail {healthy {default | enable | disable}|
report-all-ips {healthy {default | enable | disable}| sick {default | enable |
disable}}
Send e-mail notification when the health check reports healthy or sick, whether or not those reports
are for all IP addresses.
(config health-check ws.group_name) event-log {healthy {default | disable
|information | severe}| report-all-ips {healthy {default | enable | disable}|
sick {default | enable | disable}}
Log an event when the health check reports healthy or sick, whether or not those reports are for all
IP addresses.
(config health-check ws.group_name) exit
Leaves the health check editing mode.
(config health-check ws.group_name) perform-health-check
Starts the health check immediately and reports the result.
(config health-check ws.group_name) snmp {healthy {default | enable | disable}|
report-all-ips {healthy {default | enable | disable}| sick {default | enable |
disable}}
Sends a trap when the health check reports healthy, whenever an IP address health check reports
healthy, or when a health check reports sick.
(config health-check ws.group_name) use-defaults
Re-sets the defaults of the health check to use the global defaults instead of any explicitly set values.
(config health-check ws.group_name) view {configuration | statistics}
Views the health check’s configuration or statistics.
(config health-check) enable alias_name
Enable the health check of the specified name.
(config health-check) exit
Leave the health-check configuration mode.
(config health-check) perform-health-check alias_name
Runs the specified health check.
(config health-check) view {configuration | quick-statistics | statistics}
Views the configuration or statistics for all health checks. You can also view a summary of the
health-check statistics.

For More Information


Volume 5: Advanced Networking

Example
SGOS#(config) health-check
SGOS#(config health-check) create composite composite1
SGOS#(config health-check) edit composite1
SGOS#(config health-check user.composite1) view statistics
Enabled
Health check failed
DOWN

Volume 11: Command Line Interface Reference

198

Chapter 3: Privileged Mode Configure Commands

#(config) hide-advanced
See


# hide-advanced on page 53.

199

Chapter 3: Privileged Mode Configure Commands

#(config) hostname
Synopsis
Use this command to assign a name to an ProxySG. Any descriptive name that helps identify the
system is sufficient.

Syntax
#(config) hostname name
Associates name with the current ProxySG.

For More Information


Volume 5: Advanced Networking

Example
SGOS#(config) hostname "Blue Coat Demo"
ok

Volume 11: Command Line Interface Reference

200

Chapter 3: Privileged Mode Configure Commands

#(config) http
Synopsis
Use this command to configure HTTP settings.

Syntax
#(config) http [no] add-header client-ip
Adds the client-ip header to forwarded requests.
#(config) http [no] add-header front-end-https
Adds the front-end-https header to forwarded requests.
#(config) http [no] add-header via
Adds the via header to forwarded requests.
#(config) http [no] add-header x-forwarded-for
Adds the x-forwarded-for header to forwarded requests.
#(config) http [no] byte-ranges
Enables HTTP byte-range support.
If byte-range support is disabled, then HTTP treats all byte range requests as non-cacheable. This means
that HTTP never even checks to see if the object is in the cache, but forwards the request to the
origin-server and does not cache the result. So the range request has no affect on the cache. For instance,
if the object was in the cache before a range request, it would still be in the cache afterward—the range
request does not delete any currently cached objects. Also, the Range header is not modified when
forwarded to the origin-server.
If the requested byte range is type 3 or 4, then the request is treated as if byte-range support is disabled.
That is, the request is treated as non-cacheable and has no affect on objects in the cache.
#(config) http [no] cache authenticated-data
Caches any data that appears to be authenticated.
#(config) http [no] cache expired
Retains cached objects older than the explicit expiration.
#(config) http [no] cache personal-pages
Caches objects that appear to be personal pages.
#(config) http [no] force-ntlm
Uses NTLM for Microsoft Internet Explorer proxy.
#(config) http ftp-proxy-url root-dir
URL path is absolute in relation to the root.
#(config) http ftp-proxy-url user-dir
URL path is relative to the user’s home directory.
#(config) http [no] parse meta-tag {cache-control | expires | pragma-no-cache}
Parses HTML objects for the cache-control, expires, and pragma-no-cache meta-tags.
#(config) http [no] persistent client
Enables support for persistent client requests from the browser.
#(config) http [no] persistent server
Enables support for persistent server requests to the Web server.
#(config) http [no] persistent-timeout client num_seconds
Sets persistent connection timeout for the client to num_seconds.
#(config) http [no] persistent-timeout server num_seconds
Sets persistent connection timeout for the server to num_seconds.

201

Chapter 3: Privileged Mode Configure Commands

#(config) http [no] pipeline client {requests | redirects}
Prefetches either embedded objects in client requests or redirected responses to client requests.
#(config) http [no] pipeline prefetch {requests | redirects}
Prefetches either embedded objects in pipelined objects or redirected responses to pipelined requests.
#(config) http [no] proprietary-headers
Enables the Blue Coat proprietary HTTP header extensions.
#(config) http receive-timeout client num_seconds
Sets receive timeout for client to num_seconds.
#(config) http receive-timeout refresh num_seconds
Sets receive timeout for refresh to num_seconds.
#(config) http receive-timeout server num_seconds
Sets receive timeout for server to num_seconds.
#(config) http [no] revalidate-pragma-no-cache
Revalidates "Pragma: no-cache."
#(config) http [no] strict-expiration refresh
Forces compliance with explicit expirations by never refreshing objects before their explicit expiration.
#(config) http [no] strict-expiration serve
Forces compliance with explicit expirations by never serving objects after their explicit expiration.
#(config) http [no] strip-from-header
Removes HTTP information from headers.
#(config) http [no] substitute conditional
Uses an HTTP "get" in place of HTTP 1.1 conditional get.
#(config) http [no] substitute ie-reload
Uses an HTTP "get" for Microsoft Internet Explorer reload requests.
#(config) http [no] substitute if-modified-since
Uses an HTTP "get" instead of "get-if-modified."
#(config) http [no] substitute pragma-no-cache
Uses an HTTP "get" instead of "get pragma: no-cache."
#(config) http [no] tolerant-request-parsing
Enables or disables the HTTP tolerant-request-parsing flag.
#(config) http upload-with-pasv disable
Disables uploading with Passive FTP.
#(config) http upload-with-pasv enable
Enables uploading with Passive FTP.
#(config) http version {1.0 | 1.1}
Indicates the version of HTTP that should be used by the ProxySG.
#(config) http [no] www-redirect
Redirects to www.host.com if host not found.
#(config) http [no] xp-rewrite-redirect
Rewrites origin server 302s to 307s for Windows XP IE requests.

For More Information


#(config HTTP) on page 252



#(config http-console) on page 217



Volume 2: Proxies and Proxy Services

Volume 11: Command Line Interface Reference

202

Chapter 3: Privileged Mode Configure Commands

#(config) icp
Synopsis
ICP is a caching communication protocol. It allows a cache to query other caches for an object, without
actually requesting the object. By using ICP, the ProxySG determines if the object is available from a
neighboring cache, and which device provides the fastest response.
After you have created the ICP or advanced forwarding configuration file, place the file on an FTP or
HTTP server so it can be downloaded to the ProxySG.

Syntax
#(config) icp no path
Negates the path previously set using the command icp path url.
#(config) icp path url
Specifies the network location of the ICP configuration file to download.

For More Information


Volume 5: Advanced Networking

Example
SGOS#(config) icp path 10.25.36.47/files/icpconfig.txt
ok

203

Chapter 3: Privileged Mode Configure Commands

#(config) identd
Synopsis
IDENTD implements the TCP/IP IDENT user identification protocol. IDENTD operates by looking up
specific TCP/IP connections and returning the user name of the process owning the connection.

Syntax
#(config) identd

This changes the prompt to:
#(config identd)

Subcommands
#(config identd) client server-query-port port
Specifies the port to query on the client machines. The default is 113.
#(config identd) client timeout seconds
Specifies the timeout in seconds for identd. queries. The default is 30 seconds.
#(config identd) trim-whitespace (enable | disable}
Specify whether to trim leading and trailing whitespace in the username portion of the identd query
response. By default this is disabled.
If client identd servers are adding insignificant whitespace to the username field you might need to
enable this option to trim the username as expected.
#(config identd)exit
Exits configure identd mode and returns to configure mode.
#(config identd) server enable | disable
#(config identd) view
Displays current IDENTD settings.

For More Information


Volume 5: Advanced Networking

Example
SGOS#(config) identd
SGOS#(config identd) enable
ok
SGOS#(config identd) exit
SGOS#(config)

Volume 11: Command Line Interface Reference

204

Chapter 3: Privileged Mode Configure Commands

#(config) im
Synopsis
You can configure the IM proxy settings, assign an administrator buddy name for each client type, and
determine how exception messages are sent.

Syntax
#(config) im aol-admin-buddy buddy
Set AOL admin buddy name.
#(config) im aol-direct-proxy-host host
Set AOL direct proxy host.
#(config) im aol-http-host host
Set AOL HTTP host.
#(config) im aol-native-host host
Set AOL native host
#(config) im buddy-spoof-message message_text
Set buddy spoof message.
#(config) im exceptions {in-band | out-of-band}
in-band: Deliver IM exceptions in band.
out-of-band: Deliver IM exceptions out of band.
#(config) im explicit-proxy-vip virtual_IP_address
Set explicit proxy virtual IP address.
#(config) im msn-admin-buddy buddy
Set MSN admin buddy name.
#(config) im msn-http-host host
Set MSN HTTP host.
#(config) im msn-native-host host
Set MSN native host.
#(config) no explicit-proxy-vip
Disables explicit proxy VIP support.
#(config) im yahoo-admin-buddy buddy
Set Yahoo admin buddy name.
#(config) im yahoo-download-host host
Set Yahoo download host.
#(config) im yahoo-http-host host
Set Yahoo HTTP host.
#(config) im yahoo-http-chat-host host
Set Yahoo HTTP chat host.
#(config) im yahoo-native-host host
Set Yahoo native host.
#(config) im yahoo-upload-host host
Set Yahoo upload host.

For More Information


Volume 3: Web Communication Proxies

205

Chapter 3: Privileged Mode Configure Commands

Example
SGOS#(config) im exceptions in-band
ok
SGOS#(config) im yahoo-admin-buddy testname
ok

Volume 11: Command Line Interface Reference

206

Chapter 3: Privileged Mode Configure Commands

#(config) inline
See


# inline on page 54.

207

Chapter 3: Privileged Mode Configure Commands

#(config) installed-systems
Synopsis
Use this command to manage the list of installed ProxySG systems.

Syntax
#(config) installed-systems

This changes the prompt to:
#(config installed-systems)

Subcommands
#(config installed-systems) default system_number
Sets the default system to the system indicated by system_number.
#(config installed-systems) delete system_number
Deletes the system indicated by system_number.
#(config installed-systems) enforce-signed {enable | disable}
Restricts system image download and installation to signed images only. The default, disable, allows
all images to be downloaded.
#(config installed-systems) exit
Exits configure installed-systems mode and returns to configure mode.
#(config installed-systems) lock system_number
Locks the system indicated by system_number.
#(config installed-systems) no {lock system_number | replace}
lock system_number: Unlocks the system indicated by system_number if it is currently locked.
replace: Specifies that the system currently tagged for replacement should not be replaced. The default
replacement is used (oldest unlocked system).
#(config installed-systems) replace system_number
Specifies that the system identified by system_number is to be replaced next.
#(config installed-systems) view
Shows installed ProxySG systems.

For More Information


Volume 7: Managing the Blue Coat ProxySG Appliance

Example
SGOS#(config) installed-systems
SGOS#(config installed-systems) default 2
ok
SGOS#(config installed-systems) lock 1
ok
SGOS#(config installed-systems) exit
SGOS#(config)

Volume 11: Command Line Interface Reference

208

Chapter 3: Privileged Mode Configure Commands

#(config) interface
Synopsis
This command enables you to configure the network interfaces (both physical and Virtual LAN).
The built-in Ethernet adapter is configured for the first time using the setup console. If you want to
modify the built-in adapter configuration, or if you have multiple adapters, you can configure each
one using the command-line interface.

Syntax
#(config) interface fast-ethernet interface_number
where interface_number sets the number of the fast Ethernet connection to interface_number.
Valid values for interface_number are 0 through 3, inclusive.
#(config) interface interface_number
This changes the prompt to #(config interface interface_number)

209

Chapter 3: Privileged Mode Configure Commands

#(config interface interface_number)
Syntax
#(config) interface interface_number

This changes the prompt to #(config interface interface_number)

Subcommands
#(config interface interface_number) allow-intercept {enable | disable}
Allows interception on this interface.*
#(config interface interface_number) clear-all-vlans
Resets all VLAN parameters to their default values.
#(config interface interface_number) exit
Exits #(config interface number) mode and returns to #(config) mode.
#(config interface interface_number) full-duplex
Configures the interface for full-duplex.
#(config interface interface_number) half-duplex
Configures the interface for half-duplex.
#(config interface interface_number) ip-address ip-address[subnet_mask_for IPv4]
Sets the IP address and subnet mask for this interface.
#(config interface interface_number) instructions {accelerated-pac | central-pac
url | default-pac | proxy}
Configures client proxy instructions.
accelerated-pac: Configures the browser to use your accelerated pac file.
central-pac: Configures the browser to use your pac file.
default-pac: Configures the browser to use a Blue Coat pac file.
proxy: Configures the browser to use a proxy.
#(config interface interface_number) link-autosense {enable | disable}
Specifies that the interface should autosense speed and duplex.
#(config interface interface_number) mtu-size size
Specifies the MTU (maximum transmission unit) size.
#(config interface interface_number) native-vlan number
Sets the native VLAN value for this interface.
#(config interface interface_number) no {accept-inbound | link-autosense}
Negates the current accept-inbound or link-autosense settings.
#(config interface interface_number) reject-inbound {enable | disable}
Rejects inbound connections on the interface.
#(config interface interface_number) speed {10 | 100 | 1gb}
Specifies the interface speed.
#(config interface interface_number) vlan-trunk {enable | disable}
Enables VLAN trunking on this interface.

Volume 11: Command Line Interface Reference

210

Chapter 3: Privileged Mode Configure Commands

#(config interface interface_number) view
Displays the interface settings.

*The allow-intercept and reject-inbound commands are interface-level configurations and are
not bridge-specific. The reject-inbound command always has precedence.
The following table describes how traffic is handled for the three possible settings of these options.

rejectinbound

allow-intercept

Non-proxy ports
(mgmt-console,
ssh, etc)

Explicit
proxy ports

Transparent
proxy ports

Other ports

Disabled

Enabled

Terminated

Terminated

Terminated

Forwarded

Disabled

Disabled

Terminated

Terminated

Forwarded

Forwarded

Enabled

Enabled/Disabled

Silently dropped

Silently
dropped

Silently
dropped

Silently
dropped

For More Information


Volume 1: Getting Started

Example
#(config) interface 0
#(config interface 0) ip-address 10.252.10.54 255.255.255.0
ok
#(config interface 0) instructions accelerated-pac
ok
#(config interface 0) exit
SGOS#(config) interface 0:1
#(config interface 0:1) 10.252.10.72
ok
#(config interface 0:1) exit

211

Chapter 3: Privileged Mode Configure Commands

#(config) ip-default-gateway
Synopsis
A key feature of the ProxySG is the ability to distribute traffic originating at the cache through
multiple IP gateways. Further, you can fine tune how the traffic is distributed among gateways. This
feature works with any routing protocol (for example, static routes or RIP).
Note:

Load balancing through multiple IP gateways is independent from the per-interface load
balancing that the ProxySG automatically does when more than one network interface is installed.

Syntax
#(config) ip-default-gateway ip_address [preference group (1-10)] [weight
(1-100)]
Specifies the IP address of the default gateway to be used by the ProxySG.

For More Information


Volume 5: Advanced Networking

Example
SGOS#(config) ip-default-gateway 10.25.36.47
ok

Volume 11: Command Line Interface Reference

212

Chapter 3: Privileged Mode Configure Commands

#(config) license-key
Synopsis
Use this command to configure license key settings.

Syntax
#(config) license-key auto-update {disable | enable}
Disables or enables auto-update of the Blue Coat license key.
#(config) license-key no path
Negates certain license key settings.
#(config) license-key path url
Specifies the network path to download the license key.

For More Information


Volume 1: Getting Started

Example
SGOS#(config) license-key no path
ok

213

Chapter 3: Privileged Mode Configure Commands

#(config) line-vty
Synopsis
When you have a CLI session, that session remains open as long as there is activity. If you leave the
session idle, the connection eventually times out and you must reconnect. The default timeout is five
minutes. You can set the timeout and other session-specific options using the line-vty command.

Syntax
#(config) line-vty

This changes the prompt to:
#(config line-vty)

Subcommands
#(config line-vty) exit
Exits configure line-vty mode and returns to configure mode.
#(config line-vty) length num_lines_on_screen
Specifies the number of lines of code that should appear on the screen at one time. Specify 0 to scroll
without pausing.
#(config line-vty) no length
Disables screen paging.
#(config line-vty) telnet {no transparent | transparent}
Indicates that this is a Telnet protocol-specific configuration. If you specify no transparent, carriage
returns are sent to the console as a carriage return plus linefeed. If you specify transparent, carriage
returns are sent to the console as a carriage return.
#(config line-vty) timeout minutes
Sets the line timeout to the number of minutes indicated by minutes.
#(config line-vty) view
Displays running system information.

Example
SGOS#(config) line-vty
SGOS#(config line-vty) timeout 60
ok
SGOS#(config line-vty) exit
SGOS#(config)

Volume 11: Command Line Interface Reference

214

Chapter 3: Privileged Mode Configure Commands

#(config) load
See


# load on page 58.

215

Chapter 3: Privileged Mode Configure Commands

#(config)management-services
Synopsis
The ProxySG provides the following console services:


HTTP (Not enabled by default)



HTTPS



SSH



Telnet (Not created by default; a Telnet proxy service is created by default on port 23.)

The ProxySG also provides SNMP management services.

Syntax
#(config) management-services

This changes the prompt to:
#(config management-services)

Subcommands
The options below allow you to manage the console service.
#(config management-services) create {http-console | https-console | ssh-console
| telnet-console | snmp} service_name
Creates a console or SNMP service with the service name you choose.
#(config management-services) delete {service_name}
Deletes the specified console name or SNMP service name.
#(config management-services) edit {service_name}
Changes the prompt, depending on the console or SNMP service you choose:


#(config http-console) on page 217



#(config https-console) on page 218



#(config ssh-console) on page 220



#(config telnet-console) on page 221



#(config snmp_service_name) on page 222

#(config management-services) exit
Leaves management-services submode; returns to the config prompt.
#(config management-services) view
Views all console services.
Note:

If you create a console name with spaces, the name must be enclosed in quotes; for example,
"My Console1".

Volume 11: Command Line Interface Reference

216

Chapter 3: Privileged Mode Configure Commands

#(config http-console)
Synopsis
This console service intercepts HTTP traffic, usually on port 80. This console service is created but not
enabled due to security concerns.

Syntax
#(config management-services) edit http_console

This changes the prompt to:
#(config http_console)

Subcommands
#(config http_console) add {all | proxy_ip_address} port {enable | disable}
Add a listener to the console service. All selects all IP addresses on the proxy; alternatively, you can select
a specific proxy’s IP address. You must always choose a port. By default the listener is enabled.
#(config http_console) disable {all | proxy_ip_address} port
Disables the specified listener.
#(config http_console) enable {all | proxy_ip_address} port
Enables the specified listener.
#(config http_console) exit
Exits to the (config management-services) prompt.
#(config http_console) view
Views a summary of the console service’s configuration.

For More Information


“management-services” on page 216



Volume 2: Proxies and Proxy Services

Example
SGOS#(config) management-services
SGOS#(config management-services) create http-console http_console
SGOS#(config management-services) edit http_console
SGOS#(config http_console) add 10.25.36.47 80
SGOS#(config http_console) enable 10.25.36.47 80

217

Chapter 3: Privileged Mode Configure Commands

#(config https-console)
Synopsis
The HTTPS console intercepts traffic on ports 8082. You can create additional HTTPS consoles if
necessary.

Syntax
#(config management-services) edit https_console

This changes the prompt to:
#(config https_console)

Subcommands
#(config https_console) add {all | proxy_ip_address} port {enable | disable}
Add a listener to the console service. All selects all IP addresses on the proxy; alternatively, you can select
a specific proxy’s IP address. You must always choose a port. By default the listener is enabled.
#(config https_console) attribute cipher-suite cipher-suites
Associates one or more ciphers with the console service. A Cipher suite can be any combination of the
following:
rc4-md5
rc4-sha
des-cbc3-sha
des-cbc3-md5
rc2-cbc-md5
rc4-64-md5
des-cbc-sha
des-cbc-md5
exp1024-rc4-md5
exp1024-rc4-sha
exp1024-rc2-cbc-md5
exp1024-des-cbc-sha
exp-rc4-md5
exp-rc2-cbc-md5
exp-des-cbc-sha
aes128-sha
aes256-sha
#(config https_console) attribute keyring keyring_ID
Specifies the keyring ID you want to use with this console.
#(config https_console) attribute ssl-versions {sslv2 | sslv3 | tlsv1 | sslv2v3
|sslv2tlsv1 | sslv3tlsv1 | sslv2v3tlsv1}
Selects the SSL versions to use.
#(config https_console) disable {all | proxy_ip_address} port
Disables the specified listener.
#(config https_console) enable {all | proxy_ip_address} port
Enables the specified listener.
#(config https_console) exit
Exits to the (config management-services) prompt.
#(config https_console) view
Views a summary of the console service’s configuration.

Volume 11: Command Line Interface Reference

218

Chapter 3: Privileged Mode Configure Commands

For More Information


“management-services” on page 216



Volume 2: Proxies and Proxy Services

Example
SGOS#(config) management-services
SGOS#(config management-services) create https-console https_console
SGOS#(config management-services) edit https_console
SGOS#(config https_console) add 10.25.36.47 80
SGOS#(config https_console) enable 10.25.36.47 80
SGOS#(config https_console) attribute cipher-suite rc4-md5 des-cbc-sha
aes128-sha
Note:

For a discussion of available ciphers, refer to Volume 4: Securing the Blue Coat ProxySG
Appliance.

219

Chapter 3: Privileged Mode Configure Commands

#(config ssh-console)
Synopsis
The SSH console service allows to you to securely connect to the Command Line Interface. By default,
SSHv2 is enabled and assigned to port 22. You do not need to create a new host key unless you want to
change the existing configuration.
To manage new host keypairs or global settings for all SSH console services, use the
#(config) ssh-console command. For more information, see “ ssh-console” on page 344.

Syntax
#(config management-services)create ssh-console ssh_console_name
#(config management-services)edit ssh_console_name

This changes the prompt to:
#(config ssh_console_name)

Subcommands
#(config ssh_console_name) add {all | proxy_ip_address} port {enable | disable}
Add a listener to the console service. All selects all IP addresses on the proxy; alternatively, you can select
a specific proxy’s IP address. You must always choose a port. By default the listener is enabled.
#(config ssh_console_name) disable {all | proxy_ip_address} port
Disables the specified listener.
#(configssh_console_name) enable {all | proxy_ip_address} port
Enables the specified listener.
#(config ssh_console_name) exit
Exits to the (config management-services) prompt.
#(config ssh_console_name) remove {all | proxysg_ip port}
Removes the specified listener.
#(config ssh_console_name) view
Views a summary of the console service’s configuration.

For More Information


“management-services” on page 216



“ ssh-console” on page 344

Example
SGOS#(config) ssh-console
SGOS#(config ssh-console) create host-keypair
SGOS#(config management-services) edit ssh_console
SGOS#(config ssh_console) add 10.25.36.47 80
SGOS#(config ssh_console) enable 10.25.36.47 80

Volume 11: Command Line Interface Reference

220

Chapter 3: Privileged Mode Configure Commands

#(config telnet-console)
Synopsis
This console service provides access to the administrative CLI through Telnet. Due to security
concerns, use of this console is not recommended.
A shell Telnet proxy service is created on port 23. If you do decide to create a Telnet console, you must
first remove the Telnet proxy service and apply the changes. You can later re-add the Telnet proxy
service on a different port.

Syntax
#(config management-services) edit telnet_console

This changes the prompt to:
#(config telnet_console)

Subcommands
#(config telnet_console) add {all | proxy_ip_address} port {enable | disable}
Add a listener to the console service. All selects all IP addresses on the proxy; alternatively, you can select
a specific proxy’s IP address. You must always choose a port. By default the listener is enabled.
#(config telnet_console) disable {all | proxy_ip_address} port
Disables the specified listener.
#(config telnet_console) enable {all | proxy_ip_address} port
Enables the specified listener.
#(config telnet_console) exit
Exits to the (config management-services) prompt.
#(config telnet_console) view
Views a summary of the console service’s configuration.

For More Information


“management-services” on page 216



Volume 2: Proxies and Proxy Services

Example
SGOS#(config) management-services
SGOS#(config management-services) create telnet-console telnet_console
SGOS#(config management-services) edit telnet_console
SGOS#(config telnet_console) add 10.25.36.47 80
SGOS#(config telnet_console) enable 10.25.36.47 80

221

Chapter 3: Privileged Mode Configure Commands

#(config snmp_service_name)
Synopsis
The SNMP management service provides an explicit connection for communicating with the ProxySG.
You can create an SNMP listener for any available port and for all available ProxySG IP addresses or
for a specific IP address only.

Syntax
#(config management-services) edit snmp_service_name

This changes the prompt to:
#(config snmp_service_name)

Subcommands
#(config snmp_service_name) add {all| {enable|disable}
Add an SNMP listener to the management service. All selects all IP addresses on the proxy; alternatively,
you can select a specific proxy’s IP address. You must always choose a port. By default, the listener is
enabled.
#(config snmp_service_name) disable {all| }
Disable a specific SNMP listener.
#(config snmp_service_name) enable {all| }
Enable a specific SNMP listener.
#(config snmp_service_name) exit
Return to the (config management-services) prompt.
#(config snmp_service_name) remove {all| }
Remove an SNMP listener.
#(config snmp_service_name) view
Show the SNMP listener configuration.

For More Information


“management-services” on page 216



“ snmp” on page 330



Volume 7: Managing the Blue Coat ProxySG Appliance

Example
SGOS#(config) management-services
SGOS#(config management-services) create snmp mysnmp
ok
SGOS#(config management-services) edit mysnmp
SGOS#(config mysnmp) view
Service name:

my-snmp

Service:

SNMP

Destination IP

Port Range



161

Volume 11: Command Line Interface Reference

Enabled

222

Chapter 3: Privileged Mode Configure Commands

#(config) mapi
Synopsis
Configures MAPI

Syntax
SGOS#(config) mapi

This changes the prompt to:
SGOS#(config mapi) [subcommands]

Subcommands
SGOS#(config mapi) batching {enable | disable}
Enables or disables batching. The default is enabled.
SGOS#(config mapi) exit
Exits the mapi mode and returns to SGOS#(config) mode.
SGOS#(config mapi) handoff (enable | disable}
Use the endpoint-mapper service. The default is enabled.
SGOS#(config mapi) keep-alive duration 1-168
Sets the length of time, in hours, that the session is active. The default is 72 hours.
SGOS#(config mapi) keep-alive {enable | disable}
Enables the keep-alive configuration. The default is disabled.
SGOS#(config mapi) keep-alive interval 15-60
Sets the length of time, in minutes, before the service checks for new e-mail. The default is 30 minutes.
SGOS#(config map) keep-alive max-sessions 1-200
Sets the maximum number of active sessions at any given point. The default is 100 sessions. If the limit is
reached, the oldest session is dropped.
SGOS#(config mapi) view
Views the MAPI configuration.

For More Information


“#(config endpoint-mapper)” on page 250

Example
SGOS#(config mapi) view
Batching:
Keep-Alive:
Keep-Alive Duration (hours):
Keep-Alive Interval (minutes):
Keep-Alive Maximum Sessions:
Endpoint Mapper Handoff:

enabled
disabled
72
30
100
enabled

223

Chapter 3: Privileged Mode Configure Commands

#(config) netbios
Synopsis
Use this command to configure NetBIOS.

Syntax
#(config) netbios

This changes the prompt to:
#(config netbios)
#(config netbios) exit
Exits configure netbios mode and returns to configure mode.
#(config netbios) nbstat requester {retries | timeout} | responder {enable |
disable}
Requester is enabled by default and cannot be disabled, with three retries and a five-second timeout.
Responder is disabled by default. Note that the requestor is used only if you write policy that uses it. If
no features that trigger a request are used, no traffic is sent.
#(config netbios) view
Shows the NetBIOS settings.

Example
SGOS#(config) netbios
SGOS#(config netbios) nbstat responder enable
ok
SGOS#(config netbios) exit
SGOS#(config)
ok

Volume 11: Command Line Interface Reference

224

Chapter 3: Privileged Mode Configure Commands

#(config) no
Synopsis
Use this command to negate the current settings for the archive configuration, content priority, IP
default gateway, SOCKS machine, or system upgrade path.

Syntax
#(config) no archive-configuration
Clears the archive configuration upload site.
#(config) no bridge bridge_name
Clears the bridge configuration.
#(config) no content {priority {regex regex | url url} | outstanding-requests
{delete | priority | revalidate} regex}
priority {regex regex | url url: Removes a deletion regular expression policy or a deletion URL
policy.
outstanding-requests {delete | priority | revalidate} regex: Deletes a specific,
regular expression command in-progress (revalidation, priority, or deletion).
#(config) no ip-default-gateway ip_address
Sets the default gateway IP address to zero.
#(config) no serial-number
Removes the serial number.
#(config) no socks-machine-id
Removes the SOCKS machine ID from the configuration.
#(config) no upgrade-path
Clears the upgrade image download path.

For More information


Volume 1: Getting Started



Volume 5: Advanced Networking

Example
SGOS#(config)
ok
SGOS#(config)
ok
SGOS#(config)
ok
SGOS#(config)
ok
SGOS#(config)
ok
SGOS#(config)
ok

no archive-configuration
no content priority regex http://.*cnn.com
no content priority url http://www.bluecoat.com
no ip-default-gateway 10.252.10.50
no socks-machine-id
no upgrade-path

225

Chapter 3: Privileged Mode Configure Commands

#(config) ntp
Synopsis
Use this command to set NTP parameters. Network Time Protocol (NTP) is a protocol that is used to
synchronize computer clock times in a network of computers. The ProxySG sets the UTC time by
connecting to an NTP server. The ProxySG includes a list of NTP servers available on the Internet. If an
NTP server is not available, you can set the time manually using the Management Console.

Syntax
#(config) ntp clear
Removes all entries from the NTP server list.
#(config) ntp disable
Disables NTP.
#(config) ntp enable
Enables NTP.
#(config) ntp interval minutes
Specifies how often to perform NTP server queries.
#(config) ntp no server domain_name
Removes the NTP server named domain_name from the NTP server list.
#(config) ntp server domain_name
Adds the NTP server named domain_name from the NTP server list.

For More Information


Volume 1: Getting Started

Example
SGOS#(config) ntp server clock.tricity.wsu.edu
ok

Volume 11: Command Line Interface Reference

226

Chapter 3: Privileged Mode Configure Commands

#(config) policy
Synopsis
Use this command to specify central and local policy file location, status, and other options.

Syntax
#(config) policy central-path url
Specifies the network path (indicated by url) from which the central policy file can be downloaded.
#(config) policy forward-path url
Specifies the network path (indicated by url) from which the forward policy file can be downloaded.
#(config) policy local-path url
Specifies the network path (indicated by url) from which the local policy file can be downloaded.
#(config) policy no central-path
Specifies that the current central policy file URL setting should be cleared.
#(config) policy no forward-path
Specifies that the current forward policy file URL setting should be cleared.
#(config) policy no local-path
Specifies that the current local policy file URL setting should be cleared.
#(config) policy no notify
Specifies that no e-mail notification should be sent if the central policy file should change.
#(config) policy no subscribe
Specifies that the current policy should not be automatically updated in the event of a central policy
change.
#(config) policy no vpm-cpl-path
Clears the network path to download VPM CPL policy.
#(config) policy no vpm-software
Clears the network path to download VPM software.
#(config) policy no vpm-xml-path
Clears the network path to download VPM XML policy.
#(config) policy notify
Specifies that an e-mail notification should be sent if the central policy file should change.
#(config) policy order order of v)pm, l)ocal, c)entral
Specifies the policy evaluation order.
#(config) policy poll-interval minutes
Specifies the number of minutes that should pass between tests for central policy file changes.
#(config) policy poll-now
Tests for central policy file changes immediately.
#(config) policy proxy-default {allow | deny}
allow: The default proxy policy is allow.
deny: The default proxy policy is deny.
#(config) policy reset
Clears all policies.
#(config) policy subscribe
Indicates that the current policy should be automatically updated in the event of a central policy change.
#(config) policy vpm-cpl-path url
Specifies the network path (indicated by url) from which the vpm-cpl policy file can be downloaded.

227

Chapter 3: Privileged Mode Configure Commands

#(config) policy vpm-software url
Specifies the network path to download the VPM software.
#(config) policy vpm-xml-path url
Specifies the network path (indicated by url) from which the vpm-xml policy file can be downloaded.

For More Information


Volume 6: VPM and Advanced Policy

Example
SGOS#(config) policy local-path http://www.server1.com/local.txt
ok
SGOS#(config) policy central-path http://www.server2.com/central.txt
ok
SGOS#(config) policy poll-interval 10

Volume 11: Command Line Interface Reference

228

Chapter 3: Privileged Mode Configure Commands

#(config) profile
Synopsis
Sets your system profile to normal (the default setting) or portal (to accelerate the server).

Syntax
#(config) profile bwgain
Sets your system profile to bandwidth gain.
#(config) profile normal
Sets your system profile to normal.
#(config) profile portal
Sets your system profile to portal.

For More Information


Volume 2: Proxies and Proxy Services

Example
SGOS#(config) profile normal
ok

229

Chapter 3: Privileged Mode Configure Commands

#(config) proxy-client
Synopsis
Use this command to configure the Client Manager and client configuration options for the
ProxyClient. Replaces the earlier #(config) sg-client command.

Syntax
#(config) sg-client

or
#(config) proxy-client

This changes the prompt to:
#(config proxy-client)

Subcommands
#(config proxy-client) enable
Enable this appliance as the Client Manager. You can have only one Client Manager in your ADN
network.
#(config proxy-client) disable
Do not use this appliance as the Client Manager.
#(config proxy-client) client-manager host {from-client-address | host>}
Identify this appliance as the Client Manager in one of the following ways:


from-client-address: (Recommended.) Use this command if you want clients to download the
ProxyClient software, configuration, and updates from the host from which the clients originally
obtained the software.



ip-address or host: Use this command only if you want to change the host from which clients
download the ProxyClient software, configuration, and updates. Enter a fully-qualified host name
or IP address only; do not preface the with http:// or https://or downloads will fail.

In other words, this option enables you to change the host from which currently-installed
clients obtain future software and configuration updates. Use caution when selecting this
option because if clients are unable to connect to the host you enter in the adjacent field,
new installations from the Client Manager and updates to existing installations will fail.
Note: Blue Coat recommends you enter the fully-qualified host name. If you enter either an
unqualified host name or IP address and change it later, connections to all currently-connected
clients are dropped.
#(config proxy-client) client-manager install-port port
Port on which the host you entered in the preceding option listens for requests from clients. The default
is 8084.
#(config proxy-client) client-manager keyring keyring
Name of the keyring the Client Manager will use when clients connect to it.
#(config proxy-client) max-cache-disk-percent percentage
Maximum percentage of client disk space to use for caching objects, such as CIFS objects. Valid values
are 10—90; default is 10.

Volume 11: Command Line Interface Reference

230

Chapter 3: Privileged Mode Configure Commands

Note: The cache will always leave at least 1GB free on the cache directory volume. For more
information, see the chapter on configuring the ProxyClient in Volume 5: Advanced Networking.
#(config proxy-client) software-upgrade-path url
Sets the URL used to upload updated ProxyClient software to the Client Manager so it can make the
latest ProxyClient software available to update or to install on client machines.

Important: After you update the Client Manager, whenever users connect using the
ProxyClient, they will be required to update the ProxyClient software.
Upload the ProxyClient software from a URL in the following format:
https://host:port/path/ProxyClient.car

For example,
https://myapache.example.com:8088/images/ProxyClient.car

After you set the path from which to load the updates, see # load
proxy-client-software Loads the ProxyClient software to the Client
Manager. To use this command, you must have previously defined an
upload location using #(config) sg-client on page 328. Messages
display as the software loads. on page 58.
#(config proxy-client) tcp-window-size bytes
Sets the number of bytes allowed before acknowledgement (the value must be between 8192 and
4194304). If you know the bandwidth and roundtrip delay, the TCP window size you should is us
approximately 2 * bandwidth * delay. For example, if the bandwidth of the link is 8 Mbits/sec and
the round-trip delay is 0.75 seconds:

TCP window size = 2 * 8 Mbits/sec * 0.75 sec = 12 Mbits = 1.5 Mbytes
The setting in this example would be 1500000 bytes. This number goes up as either bandwidth
or delay increases, and goes down as they decrease. Because the bandwidth and delay for
mobile users can vary, Blue Coat recommends you test mobile client performance in a
controlled environment before deciding on a value to use in production.
#(config proxy-client) update-interval minutes
Frequency clients check with the Client Manager for updated ProxyClient software. Valid values are
10-432000 (that is, 300 days). Default is 120.
#(config proxy-client) view
View current Client Manager settings.

For More Information


Volume 5: Advanced Networking

Example
SGOS#(config) client-manager host enable
SGOS#(config) client-manager host from-client-address
SGOS#(config) software-upgrade-path
https://myapache.example.com:8088/images/ProxyClient.car

231

Chapter 3: Privileged Mode Configure Commands

#(config proxy-client acceleration)
Synopsis
Configure acceleration settings for ProxyClients.

Syntax
#(config) sg-client

This changes the prompt to:
#(config proxy-client)

Enter
#(config proxy-client) acceleration

This changes the prompt to:
#(config proxy-client acceleration)

Subcommands
#(config proxy-client acceleration) adn
Change to acceleration adn mode. For more information, see #(config proxy-client
acceleration adn) on page 233.
#(config proxy-client acceleration) cifs
Change to acceleration cifs mode. For more information, see #(config proxy-client
acceleration cifs) on page 235.
#(config proxy-client acceleration) disable
Disables all acceleration for ProxyClients; that is, gzip compression, CIFS protocol optimization, and
byte caching.
#(config proxy-client acceleration) enable
Enables acceleration for ProxyClients; that is, gzip compression, CIFS protocol optimization, and byte
caching.
#(config proxy-client acceleration) exit
Exits acceleration submode and returns to proxy-client mode.
#(config proxy-client acceleration) max-cache-disk-percent percentage
Maximum percentage of client disk space to use for caching objects, such as CIFS objects. Valid values
are 10—90; default is 10.
#(config proxy-client acceleration) view
Displays current ProxyClient acceleration settings.

For More Information


Volume 5: Advanced Networking

Example
SGOS#(config proxy-client acceleration) max-cache-disk-percent 15
SGOS#(config proxy-client acceleration) enable

Volume 11: Command Line Interface Reference

232

Chapter 3: Privileged Mode Configure Commands

#(config proxy-client acceleration adn)
Synopsis
Configure ADN manager and ADN rules settings for ProxyClients.

Syntax
#(config) sg-client

This changes the prompt to:
#(config proxy-client)
#(config proxy-client) adn

This changes the prompt to:
#(config proxy-client acceleration adn)

Subcommands
#(config proxy-client acceleration adn) primary-manager ip-address
The IP address of the primary ADN manager. The ADN manager keeps track of and advertises the
routes of the appliances it knows about. You must specify a primary manager.

The ProxyClient obtains the routing table from the ADN manager.
#(config proxy-client acceleration adn) backup-manager ip-address
The IP address of the backup ADN manager. Configuring a backup ADN manager is optional but
recommended.

If the ADN manager becomes unavailable for any reason, the backup ADN manager takes
over the task of advertising routes to all ADN nodes, such as the ProxyClient.
#(config proxy-client acceleration adn) manager-port port
ADN manager and backup manager plain listen port. (To use the ProxyClient in your ADN network, the
ADN manager’s listening mode must be configured for Plain Only, Plain Read-Only, or Both.)
#(config proxy-client acceleration adn) port-list {exclude-ports | include-ports}
Determines whether you will use the include ports list or exclude ports list.
#(config proxy-client acceleration adn) {exclude-ports | include-ports} {port-list |
port-range}
Determines which TCP ports to exclude or include in ADN tunnels. Assuming clients using the
ProxyClient software can connect to an ADN peer that can optimize traffic to the destination IP address,
this setting determines ports the clients can use (or not use).

For example, you can exclude ports or port ranges because traffic coming from those ports has
already been encrypted.
For example, the following command excludes traffic from ports 22 and 443 from being routed
through ADN:
#(config proxy-client acceleration adn) exclude-ports 22,443

Valid values: Comma-separated list of ports and port ranges (no spaces, separated by a dash
character).
#(config proxy-client acceleration adn) exclude-subnets
Configure the subnets excluded from ADN acceleration
#(config proxy-client acceleration adn exclude-subnets) {add | remove}
subnet_prefix[/prefix length]
Adds or removes subnets from the excluded subnets list, which is the list of subnets not included in
ADN tunnels. Use a comma-separated list of IP addresses and subnets in CIDR notation.

233

Chapter 3: Privileged Mode Configure Commands

For example, the following command excludes traffic from the IP address 128.211.168.0
and subnet 255.255.255.0 from being routed through the ADN tunnel:
#(config proxy-client acceleration adn exclude-subnets) add
128.211.168.0/24
#(config proxy-client acceleration adn exclude-subnets) clear
Removes all subnets from the current excluded subnet list. In other words, traffic from all IP
addresses and subnets will be routed through the ADN tunnel.
#(config proxy-client acceleration adn exclude-subnets) exit
Exits the exclude-subnets submode.
#(config proxy-client acceleration adn exclude-subnets) view
View the list of excluded subnets.
#(config proxy-client acceleration adn) exit
Exit the adn submode.

For More Information


Volume 5: Advanced Networking

Example
#(config proxy-client acceleration adn) exclude-ports
22,88,443,993,995,1352,1494,1677,3389,5900
#(config proxy-client acceleration adn) primary-manager 198.162.0.10

Volume 11: Command Line Interface Reference

234

Chapter 3: Privileged Mode Configure Commands

#(config proxy-client acceleration cifs)
Synopsis
Configure CIFS settings for ProxyClients.

Syntax
#(config) proxy-client

This changes the prompt to:
#(config proxy-client)
#(config proxy-client) cifs

This changes the prompt to:
#(config proxy-client acceleration cifs)

Subcommands
#(config proxy-client acceleration cifs) directory-cache-time seconds
Number of seconds for directory listings to remain in the cache. Default is 30.
#(config proxy-client acceleration cifs) {disable | enable}
Disable or enable CIFS acceleration. CIFS acceleration is enabled by default.
#(config proxy-client acceleration cifs) exit
Exit the proxy-client cifs command.
#(config proxy-client acceleration cifs) write-back {full | none}
Determines whether or not users can continue sending data to the appliance while the appliance is
writing data on the back end.


full enables write-back, which in turn makes the appliance appear to the user as a file server; in
other words, the appliance constantly sends approval to the client and allows the client to send data
while the back end takes advantage of the compressed TCP connection.



none disables write-back. Disabling write-back can introduce substantial latency as clients send
data to the appliance and wait for acknowledgement before sending more data.

One reason to set this option to none is the risk of data loss if the link from the branch to the
core server fails. There is no way to recover queued data if such a link failure occurs.
#(config proxy-client acceleration cifs) view
View client CIFS settings.

For More Information


Volume 5: Advanced Networking

Example
SGOS#(config proxy-client acceleration cifs) enable
SGOS#(config proxy-client acceleration cifs) write-back full

235

Chapter 3: Privileged Mode Configure Commands

#(config proxy-client locations)
Synopsis
Configure ProxyClient location settings.

Syntax
#(config) proxy-client

This changes the prompt to:
#(config proxy-client)
#(config proxy-client) locations

This changes the prompt to:
#(config proxy-client locations)

Subcommands
#(config proxy-client locations) acceleration {enable | disable}
Enable or disable acceleration as a default action; that is, if a client does not match any defined locations.
#(config proxy-client locations) webfilter {enable | disable}
Enable or disable Web filtering as a default action; that is, if a client does not match any defined
locations.
#(config proxy-client locations) clear
Remove all defined locations.
#(config proxy-client locations) exit
Exit locations submode and return to proxy-client mode.
#(config proxy-client locations) create name
Create location name.
#(config proxy-client locations) edit name
Edit location name. Changes to the #(config proxy-client name) mode.
#(config proxy-client name) dns
Define DNS server IP addresses as a condition for this location.
#(config proxy-client name dns) add ip-address
Add a DNS server IP address as a location condition. DNS servers are logically ANDed together so
a user must log in with all DNS servers defined to match this condition.
#(config proxy-client name dns) clear
Clear all DNS server IP addresses.
#(config proxy-client name dns) exit
Exit the dns submode and return to the proxy-client name mode.
#(config proxy-client name dns) remove ip-address
Remove a DNS server IP address from the location condition.
#(config proxy-client name dns) view
View the list of DNS servers in this location.
#(config proxy-client name) source
Define source IP addresses as a condition for this location.

Volume 11: Command Line Interface Reference

236

Chapter 3: Privileged Mode Configure Commands

#(config proxy-client name source) add ip-address-range
Add a source IP address range as a location condition. Source IP address ranges servers are logically
ORd together so a user must log in from any source IP address in any range defined to match this
condition.
Source IP address range example: 10.0.0.0-10.255.255.255
#(config proxy-client name source) clear
Clear all IP source address ranges.
#(config proxy-client name source) exit
Exit the source submode and return to the proxy-client name mode.
#(config proxy-client name source) remove ip-address-range
Remove a source IP address range from the location condition.
Source IP address range example: 10.0.0.0-10.255.255.255
#(config proxy-client name source) view
View the list of IP source address ranges in this location.
#(config proxy-client name) vnic
Define virtual NIC IP addresses as a condition for this location. Virtual NIC IP address ranges
should be used for clients that log in using VPN software that creates a virtual network adapter (also
referred to as a virtual NIC) that is assigned its own IP address.
#(config proxy-client name vnic) add vnic-address-range
Add a VNIC IP address range as a location condition. VNIC IP address ranges servers are logically
ORd together so a user must log in from any VNIC IP address in any range defined to match this
condition.
VNIC IP address range example: 10.0.0.0-10.255.255.255
#(config proxy-client name vnic) clear
Clear all VNIC IP address ranges.
#(config proxy-client name vnic) exit
Exit the vnic submode and return to the proxy-client name mode.
#(config proxy-client name vnic) remove vnic-address-range
Remove a VNIC IP address range from the location condition.
VNIC IP address range example: 10.0.0.0-10.255.255.255
#(config proxy-client name vnic) view
View the list of VNIC IP address ranges in this location.
#(config proxy-client name) match-dns {enable | disable}
Enable or disable the use of DNS server IP address as a location condition.
#(config proxy-client name) match-source {enable | disable}
Enable or disable the use of source IP address ranges as a location condition.
#(config proxy-client name) match-vnic {enable | disable}
Enable or disable the use of VNIC IP address ranges as a location condition.
#(config proxy-client name) acceleration {enable | disable}
Enable or disable acceleration for this location. This setting enables or disables all forms of
acceleration (that is, gzip, CIFS protocol optimization, and byte caching).

237

Chapter 3: Privileged Mode Configure Commands

#(config proxy-client name) webfilter {enable | disable}
Enable or disable Web filtering for this location.
#(config proxy-client locations) {promote location-name | demote location-name}
Moves the specified location-name up or down in the location rulebase. When a ProxyClient connects
to the Client Manager, the first match is applied. You should order locations in the rulebase from most
specific to least specific. For example, put a location with a source address range from 10.3.0.0 to
10.3.255.255 before a location with the 10.3.0.0. to 10.3.255.255 source address range first.
Use the #(config proxy-client locations) view command to view the current location
rulebase.

For More Information


Volume 5: Advanced Networking

Example
The following example creates a location named Mobile, adds two location conditions to it (DNS
server IP address and source IP address range), and enables acceleration and Web filtering for the
location.
#(config proxy-client locations) create Mobile
#(config
#(config
#(config
#(config
#(config

proxy-client
proxy-client
proxy-client
proxy-client
proxy-client

locations) edit Mobile
Mobile) dns
Mobile dns) add 198.162.1.10
Mobile dns) exit
Mobile) match-dns enable

#(config
#(config
#(config
#(config

proxy-client
proxy-client
proxy-client
proxy-client

Mobile) source
Mobile source) add 198.162.0.0-198.162.0.255
Mobile source) exit
Mobile) match-source enable

#(config proxy-client Mobile) acceleration enable
#(config proxy-client Mobile) webfilter enable

Volume 11: Command Line Interface Reference

238

Chapter 3: Privileged Mode Configure Commands

#(config proxy-client web-filtering)
Synopsis
Configure ProxyClient Web filtering settings.

Syntax
#(config) proxy-client

This changes the prompt to:
#(config proxy-client)
#(config proxy-client) web-filtering

This changes the prompt to:
#(config proxy-client web-filtering)

Subcommands
#(config proxy-client web-filtering) {enable | disable}
Enable or disable ProxyClient Web filtering.

Note: Before you can enable ProxyClient Web filtering, you must obtain a valid Blue Coat Web
Filter license and enable the Blue Coat Web Filter database on the Client Manager. For more
information, see #(config) content-filter on page 131.
#(config proxy-client web-filtering) {allow | block | warn} category-name
For the specified category-name, allow users to access the content, block users from accessing the
content, or warn users about accessing the content.
Content can be from any of the following sources:


BCWF database categories



Local database categories; for more information, see #(config local) on page 142



Policy categories; for more information, see Volume 10: Content Policy Language Guide.



System or Default categories

#(config proxy-client web-filtering) default-action {allow | block}
Set the default action to take in the event the user requests content that is not classified in any category
you selected. (This is also referred to as the Default category.)
#(config proxy-client web-filtering) {promote | demote} category-name
Moves category-name up or down one position in the Web filtering rulebase. Policy actions (allow,
block, warn) are applied to the first rule that matches the URL request. Because URLs are typically
classified in more than one category, the rulebase order is important.
#(config proxy-client web-filtering) {promote-to-top | demote-to-bottom}
category-name
Moves category-name to the top or bottom of the Web filtering rulebase with the caveat that the
Default category is always the last category.
#(config proxy-client web-filtering) exit
Exit web-filtering submode and return to proxy-client mode.
#(config proxy-client web-filtering) failure-mode {closed | open}
Specify the action to take if the BCWF license expires (usually because the database has not been updated
in a 30-day period). closed means users are not allowed to browse to any Web page. A Service

239

Chapter 3: Privileged Mode Configure Commands

Unavailable exception displays in the user’s Web browser. open means users are allowed to browse
anywhere; in other words, content is not filtered. Select this option if user Web access is more critical than
filtering or security.
#(config proxy-client web-filtering) https-filtering {disable | enable}
Set to enable to use Web filtering when the content request is sent over an SSL connection using the
default port 443. For exceptions to this behavior, see the ProxyClient Release Notes. Set to disable to not
filter HTTPS traffic from unsupported browsers.
#(config proxy-client web-filtering) safe-search {disable | enable}
Set to enable to force a search engine that supports Safe Search to enable its strictest search filter;
however, the quality of the filtering is based on the given engine’s built-in capabilities. The same search
string entered on one search engine might yield different results when entered on another search engine
(including varying levels of inappropriate content). Safe Search is supported on the following search
engines: A9, Altavista, MSN/Live, Google, Yahoo, ASK, Earthlink, and Orange.co.uk. With safe search
enabled, the search engine Web page displays Safe Search ON, Family Filter On, Safe Search Strict, or
another engine-specific string. Set to disable if you do not wish to enforce Safe Search.
#(config proxy-client web-filtering) inline exception {block | warn |
unavailable} data end-of-file-marker
Sets up exception pages to display to users when they attempt to access certain content. Set the exception
page for block to display a page when users attempt to access blocked content. Set the exception page
for warn to display a page when users attempt to access content that might violate company policies. Set
the exception page for unavailable to display a page when users attempt to access content that cannot
be categorized because the service point is not available.
data is the HTML code to display to users.
end-of-file-marker is discussed in the section on Tips in #(config) inline on page 207.
#(config proxy-client web-filtering) log
#(config proxy-client log) {enable | disable}
Enable or disable uploading of ProxyClient Web filtering user logs to an anonymous FTP server.
#(config proxy-client log) exit
Exit log submode and return to proxy-client mode.
#(config proxy-client log) {primary | alternate} host-or-ip-address[:port]
path
Specify the anonymous FTP server to which users upload ProxyClient Web filtering logs and the
path to which to upload the files.

Note: Because log files are uploaded using anonymous FTP, Blue Coat strongly recommends
you put your FTP server behind the corporate firewall. This way, you can be sure that only
authorized users can connect to the FTP server. Placing an FTP server outside the firewall has the
advantage that even mobile users can upload log files to it; however, it exposes the server and
your company to potentially serious malicious activity.
#(config proxy-client log) mode {all-requests | exceptions-only}
Enter all-requests to upload the entire client log. Enter exceptions-only to upload only
exceptions.
#(config proxy-client log) periodic-upload hours [minutes]
Enter the number of hours for clients to attempt to upload their logs to the anonymous FTP
server. Optionally enter the number of minutes, in addition to hours.
#(config proxy-client log) early-upload megabytes
Enter the maximum log file size, in megabytes, to trigger a log file upload. This value takes
precedence over the periodic-upload parameter. In other words, if you specify

Volume 11: Command Line Interface Reference

240

Chapter 3: Privileged Mode Configure Commands

periodic-upload 24 and early-upload 10, if the client log file size reaches 10 megabytes
after only 10 hours, the ProxyClient attempts to upload its log files to the FTP server.
#(config proxy-client log) view
View current ProxyClient Web filtering log settings.
#(config proxy-client web-filtering) view
View current ProxyClient Web filtering settings.

For More Information


Volume 5: Advanced Networking

Example
The following example enables Web filtering, sets up two categories—Sports/Recreation (set to deny)
and News/Media (set to allow)—and sets other options.
#(config proxy-client web-filtering) enable
#(config proxy-client web-filtering) allow News/Media
#(config proxy-client web-filtering) block Sports/Recreation
#(config proxy-client web-filtering) default-action allow
#(config proxy-client web-filtering) https-filtering enable
#(config proxy-client web-filtering) failure-mode closed

241

Chapter 3: Privileged Mode Configure Commands

#(config) proxy-services
Synopsis
Manages the proxy services on the ProxySG.

Syntax
#(config) proxy-services

This changes the prompt to:
#(config proxy-services)

Subcommands
Note:

Additional information is found under options that are hyperlinked (blue).

#(config proxy-services) create service_type service_name [service_group]
Creates a proxy service of the type and name that you specify. Optionally, specify a service group. If no
service group is specified the service is placed in the service group “Other.”For more information on
creating specific proxy services, see Available Service Types on page 242.
#(config proxy-services) delete service_name
Deletes the specified proxy service.
#(config proxy-services) dynamic-bypass
Changes the prompt to #(config dynamic-bypass) on page 244 to allow you to manage
dynamic-bypass settings.
#(config proxy-services) edit service_name
Allows you to edit a proxy service of the specified name. For more information on editing specific proxy
services, see Available Service Types on page 242.
#(config proxy-services) exit
Returns to the #(config) prompt.
#(config proxy-services) import {predefined-service | overwrite}
Imports a predefined service from the library. Optionally, an existing service may be replace by a service
from the library by entering the keyword overwrite.
#(config proxy-services) restricted-intercept
Changes the prompt to #(config restricted-intercept) on page 258 to allow you to restrict
interception to a limited number of clients and servers.
#(config proxy-services) static-bypass
Changes the prompt to #(config static-bypass) on page 246 to allow you to manage
static-bypass settings.
#(config proxy-services) view {dynamic-bypass | services| static-bypass}
Allows you to view proxy service parameters.

Available Service Types
You can create proxy services using the following service types:
Note: The service types listed below are not necessarily the service names you use. The syntax for
creating a service type is #(config proxy-services) create service_type service_name, where
service_type is one of those listed below and service_name is of your choosing.

Volume 11: Command Line Interface Reference

242

Chapter 3: Privileged Mode Configure Commands



#(config aol-im) on page 247



#(config dns) on page 249



#(config endpoint-mapper) on page 250



#(config ftp) on page 251



#(config HTTP) on page 252



#(config https-reverse-proxy) on page 254



#(config mms) on page 256



#(config msn-im) on page 257



#(config rtsp) on page 259



#(config socks) on page 260



#(config ssl) on page 261



#(config tcp-tunnel) on page 263




#(config telnet) on page 265
#(config yahoo-im) on page 266

For More Information


Volume 2: Proxies and Proxy Services

Example
#(config proxy-services) create tcp-tunnel tcp_tunnel_2
ok
#(config proxy-services) edit tcp_tunnel_2
#(config tcp_tunnel_2)?
add
Add a listener
attribute
Configure service attributes
bypass
Change a particular listener's action to bypass
exit
Return to (config proxy-services) prompt
intercept
Change a particular listener's action to intercept
remove
Remove a listener
view
Show proxy service configuration

243

Chapter 3: Privileged Mode Configure Commands

#(config dynamic-bypass)
Synopsis
Dynamic bypass provides a maintenance-free method for improving performance of the ProxySG by
automatically compiling a list of requested URLs that return various kinds of errors.

Syntax
#(config) proxy-services
#(config proxy-services) dynamic-bypass

The prompt changes to:
#(config dynamic-bypass)

Subcommands
#(config dynamic-bypass) clear
Clears all dynamic bypass entries.
#(config dynamic-bypass) disable
Disables dynamic bypass .
#(config dynamic-bypass) enable
Enables dynamic bypass.
#(config dynamic-bypass) exit
Exits to the #(config proxy-services) prompt.
#(config dynamic-bypass) max-entries number_of_entries
Specifies the maximum number of dynamic-bypass entries. Connections that match entries in the
dynamic bypass list are not intercepted by the application proxies. Entries in the dynamic bypass list
eventually time out based on the configuration. If the list grows beyond its configured size, the oldest
entry is removed
#(config dynamic-bypass) no trigger {all | connect-error | non-http |
receive-error | 400 | 403 | 405 | 406 | 500 | 502 | 503 | 504}
Disables dynamic bypass for the specified HTTP response code, all HTTP response codes, or all
non-HTTP responses. Values are specified below.

Event Value

Description

all

Enables all dynamic bypass triggers.

non-http

Enables dynamic bypass for non-HTTP responses.

connect-error

Enables dynamic bypass for any connection failure to the origin content server,
including timeouts.

receive-error

Enables dynamic bypass for when a TCP connection to an origin content server
succeeds, but the cache does not receive an HTTP response.

400

Enables dynamic bypass for HTTP 400 responses.

401

Enables dynamic bypass for HTTP 401 responses.

403

Enables dynamic bypass for HTTP 403 responses.

405

Enables dynamic bypass for HTTP 405 responses.

406

Enables dynamic bypass for HTTP 406 responses.

Volume 11: Command Line Interface Reference

244

Chapter 3: Privileged Mode Configure Commands

Event Value

Description

500

Enables dynamic bypass for HTTP 500 responses.

502

Enables dynamic bypass for HTTP 502 responses.

503

Enables dynamic bypass for HTTP 503 responses.

504

Enables dynamic bypass for HTTP 504 responses.

#(config dynamic-bypass) server-threshold number_of_entries
Specifies the number of client entries for all clients to bypass a server. Each dynamic entry can be
identified by a server address or client/server address pair. A dynamic entry without a client address
means the client address is a wildcard address. For example, if the server threshold is set to 10 and there
are already nine dynamic entries with different client addresses for the same server address, the next
time a new dynamic entry is added to the same server address but contains a different client address, the
ProxySG compresses the nine dynamic entries into one dynamic entry with server address only; all
clients going to that server address are bypassed.
#(config dynamic-bypass) timeout minutes
Sets the dynamic-bypass timeout interval in minutes.
#(config dynamic-bypass) trigger {all | connect-error | non-http | receive-error
| 400 | 403 | 405 | 406 | 500 | 502 | 503 | 504}
Enables dynamic bypass for the specified HTTP response code, all HTTP response codes, or all
non-HTTP responses.
#(config dynamic-bypass) view {configuration | filter {* | all |
client_ip_address | client_ip_address/subnet-mask} {* | all |
server_ip_address | server_ip_address/subnet-mask}} | }
Allows you to view the dynamic-bypass configuration or to filter the dynamic-bypass list on the
parameters above.

For More Information


Volume 2: Proxies and Proxy Services



Volume 10: Content Policy Language Guide

Example
#(config) proxy-services
#(config proxy-services) dynamic-bypass
#(config dynamic-bypass) clear
ok
#(config dynamic-bypass) enable
WARNING:
Requests to sites that are put into the dynamic bypass list will
bypass future policy evaluation. This could result in subversion
of on-box policy. The use of dynamic bypass is cautioned.
ok
#(config dynamic-bypass) trigger all
ok

245

Chapter 3: Privileged Mode Configure Commands

#(config static-bypass)
Synopsis
Static bypass prevents the ProxySG from transparently accelerating requests to servers that perform IP
authentication with clients. When a request matches an IP address and subnet mask specification, the
request is sent to the designated gateway without going through the ProxySG.

Syntax
#(config) proxy-services
#(config proxy-services) static-bypass
#(config static-bypass)

Subcommands
#(config static-bypass) add {all | client_ip_address | client_ip_address/
subnet-mask} {all | server_ip_address | server_ip_address/subnet-mask}
Allows you to add a listener with the parameters you specify
#(config static-bypass) exit
Exits from the #(config static-bypass) mode and returns to the #(config proxy-services)
mode.
#(config static-bypass) view {filter {* | all | client_ip_address |
client_ip_address/ subnet-mask} {* | all | server_ip_address |
server_ip_address/ subnet-mask}} | }
Allows you to view static bypass entries based on the filters you specify.

For More Information


Volume 2: Proxies and Proxy Services

Example
SGOS#(config proxy-services) static-bypass
SGOS #(config static-bypass) add 10.9.17.135 all
ok

Volume 11: Command Line Interface Reference

246

Chapter 3: Privileged Mode Configure Commands

#(config aol-im)
Synopsis
Enters the subcommand mode to allow you to manage a specific proxy service.

Syntax
#(config proxy-services) create service_type service_name
#(config proxy-services) edit service_name

This changes the prompt to :
#(config service_name)

Subcommands
#(config service_name) add all {ip_address | ip_address/subnet-mask} {port |
first_port-last_port} [intercept | bypass]
Allows you to add a listener with the parameters you specify.
#(config service_name) attribute reflect-client-ip {disable | enable}
Enables or disables sending of client's IP address instead of the ProxySG’s IP address.
#(config service_name) bypass {all |ip_address | ip_address/subnet-mask} {port |
first_port-last_port}
Changes the behavior from intercept to bypass for the listener you specify.
#(config service_name) exit
Exits to the #(config proxy-services) prompt.
#(config service_name) intercept {all |ip_address | ip_address/subnet-mask} {port
| first_port-last_port}
Changes the behavior from bypass to intercept for the listener you specify.
#(config service_name) view
Views the specified proxy service.

For More Information


Volume 2: Proxies and Proxy Services

Example
SGOS#(config proxy-services) create aol-im aol1
SGOS#(config proxy-services) edit aol1
SGOS #(config aol1) attribute reflect-client-ip enable
ok

247

Chapter 3: Privileged Mode Configure Commands

#(config cifs)
Synopsis
Enters the subcommand mode to allow you to manage a specific proxy service.

Syntax
#(config proxy-services) create service_type service_name
#(config proxy-services) edit service_name

This changes the prompt to:
#(config service_name)

Subcommands
#(config service_name) add {transparent | ip_address | ip_address/subnet-mask}
{port | first_port-last_port} [intercept | bypass]
Allows you to add a listener with the parameters you specify.
#(config service_name) attribute adn-optimize {disable | enable}
Controls whether to optimize bandwidth usage when connecting upstream using an ADN tunnel.
#(config service_name)) attribute reflect-client-ip {disable | enable}
Enables or disables sending of client's IP address instead of the ProxySG's IP address.
#(config service_name) attribute use-adn {disable | enable}
Controls whether ADN is enabled for a specific service. Enabling ADN does not guarantee the
connections are accelerated by ADN. The actual enable decision is determined by ADN routing (for
explicit deployment) and network setup (for transparent deployment).
#(config service_name) bypass {transparent | ip_address | ip_address/subnet-mask}
{port | first_port-last_port}
Change the behavior from intercept to bypass for the listener you specify.
#(config service_name) exit
Exits to the #(config proxy-services) prompt.
#(config service_name) intercept {transparent | ip_address |
ip_address/subnet-mask} {port | first_port-last_port}
Change the behavior from bypass to intercept for the listener you specify.
#(config service_name) view
Views the specified proxy service.

For More Information


Volume 2: Proxies and Proxy Services

Example
SGOS#(config proxy-services) create cifs cifs1
SGOS#(config proxy-services) edit cifs1
SGOS #(config cifs1) attribute adn-optimize enable
ok

Volume 11: Command Line Interface Reference

248

Chapter 3: Privileged Mode Configure Commands

#(config dns)
Synopsis
Enters the subcommand mode to allow you to manage a specific proxy service.

Syntax
#(config proxy-services) create service_type service_name
#(config proxy-services) edit service_name

This changes the prompt to:
#(config service_name)

Subcommands
#(config service_name) add {transparent | explicit | all | ip_address |
ip_address/subnet-mask} {port | first_port-last_port} [intercept | bypass]
Allows you to add a listener with the parameters you specify.
#(config service_name) attribute reflect-client-ip {disable | enable}
Enables or disables sending of client's IP address instead of the ProxySG's IP address.
#(config service_name) bypass {transparent | explicit | all | ip_address |
ip_address/subnet-mask} {port | first_port-last_port}
Change the behavior from intercept to bypass for the listener you specify.
#(config service_name) exit
Exits to the # (config proxy-services) prompt.
#(config service_name) intercept {transparent | explicit | all | ip_address |
ip_address/subnet-mask} {port | first_port-last_port}
Change the behavior from bypass to intercept for the listener you specify.
#(config service_name) view
Views the specified proxy service.

For More Information


Volume 2: Proxies and Proxy Services

Example
SGOS#(config proxy-services) create dns dns1
SGOS#(config proxy-services) edit dns1
SGOS #(config dns1) attribute reflect-client-ip enable
ok

249

Chapter 3: Privileged Mode Configure Commands

#(config endpoint-mapper)
Synopsis
Enters the subcommand mode to allow you to manage a specific proxy service.

Syntax
#(config proxy-services) create service_type service_name
#(config proxy-services) edit service_name

This changes the prompt to:
#(config service_name)

Subcommands
#(config proxy-services service_name) add {all | ip_address |
ip_address/subnet-mask} {port | first_port-last_port} [intercept | bypass]
Allows you to add a listener with the parameters you specify.
#(config service_name) attribute adn-optimize {disable | enable}
Controls whether to optimize bandwidth usage when connecting upstream using an ADN tunnel.
#(config service_name) attribute reflect-client-ip {disable | enable}}
Enables or disables sending of client's IP address instead of the ProxySG's IP address.
#(config service_name) attribute use-adn {disable | enable}
Controls whether ADN is enabled for a specific service. Enabling ADN does not guarantee the
connections are accelerated by ADN. The actual enable decision is determined by ADN routing (for
explicit deployment) and network setup (for transparent deployment).
#(config service_name) bypass {all | ip_address | ip_address/subnet-mask} {port |
first_port-last_port}
Change the behavior from intercept to bypass for the listener you specify.
#(config service_name) exit
Exits to the #(config proxy-services) prompt.
#(config service_name) intercept {all | ip_address | ip_address/subnet-mask}
{port | first_port-last_port}
Change the behavior from bypass to intercept for the listener you specify.
#(config service_name) view
Views the specified proxy service.

For More Information


Volume 2: Proxies and Proxy Services

Example
SGOS#(config proxy-services) create endpoint-mapper epmapper1
SGOS#(config proxy-services) edit epmapper1
SGOS#(config epmapper1) add all 10003
ok

Volume 11: Command Line Interface Reference

250

Chapter 3: Privileged Mode Configure Commands

#(config ftp)
Synopsis
Enters the subcommand mode to allow you to manage a specific proxy service.

Syntax
#(config proxy-services) create service_type service_name
#(config proxy-services) edit service_name

This changes the prompt to:
#(config service_name)

Subcommands
#(config service_name) add {all | ip_address | ip_address/subnet-mask} {port |
first_port-last_port} [intercept | bypass]
Allows you to add a listener with the parameters you specify.
#(config service_name) attribute reflect-client-ip {enable | disable}
Enables or disables sending of client's IP address instead of the ProxySG's IP address.
#(config service_name) attribute adn-optimize {disable | enable}
Controls whether to optimize bandwidth usage when connecting upstream using an ADN tunnel.
#(config service_name) attribute use-adn {disable | enable}
Controls whether ADN is enabled for a specific service. Enabling ADN does not guarantee the
connections are accelerated by ADN. The actual enable decision is determined by ADN routing (for
explicit deployment) and network setup (for transparent deployment).
#(config service_name) bypass {all | ip_address | ip_address/subnet-mask} {port |
first_port-last_port}
Change the behavior from intercept to bypass for the listener you specify.
#(config service_name) exit
Exits to the #(config proxy-services) prompt.
#(config service_name) intercept {all | ip_address | ip_address/subnet-mask}
{port | first_port-last_port}
Change the behavior from bypass to intercept for the listener you specify.
#(config service_name) view
Views the specified proxy service.

For More Information


Volume 2: Proxies and Proxy Services

Example
SGOS#(config proxy-services) create ftp ftp1
SGOS#(config proxy-services) edit ftp1
SGOS #(config ftp1) intercept all 10004
ok

251

Chapter 3: Privileged Mode Configure Commands

#(config HTTP)
Synopsis
Enters the subcommand mode to allow you to manage a specific proxy service.

Syntax
#(config proxy-services) create service_type service_name
#(config proxy-services) edit service_name

This changes the prompt to:
#(config service_name)

Subcommands
#(config service_name) add {transparent | explicit | all | ip_address |
ip_address/subnet-mask} {port | first_port-last_port} [intercept | bypass]
Allows you to add a listener with the parameters you specify.
#(config service_name) attribute adn-optimize {disable | enable}
Controls whether to optimize bandwidth usage when connecting upstream using an ADN tunnel.
#(config service_name) attribute authenticate-401 {disable | enable}
All transparent and explicit requests received on the port always use transparent authentication (cookie
or IP, depending on the configuration). This is especially useful to force transparent proxy authentication
in some proxy-chaining scenarios.
#(config service_name) attribute connect (disable | enable}
This command is deprecated. Policy should be used instead. For example:
; To block CONNECT destined to ports other then 443

url.port=!443 http.method=CONNECT deny
#(config service_name) attribute detect-protocol {disable | enable}
Protocols that can be detected include: HTTP, P2P (eDonkey, BitTorrent, FastTrack, Gnutella), SSL, and
Endpoint Mapper.
#(config service_name) attribute head (disable | enable}
This command is deprecated. Policy should be used instead. For example:
; To block HEAD methods

http.method=HEAD deny
#(config service_name) attribute use-adn {disable | enable}
Controls whether ADN is enabled for a specific service. Enabling ADN does not guarantee the
connections are accelerated by ADN. The actual enable decision is determined by ADN routing (for
explicit deployment) and network setup (for transparent deployment).
#(config service_name) bypass {transparent | explicit | all | ip_address |
ip_address/subnet-mask} {port | first_port-last_port}
Change the behavior from intercept to bypass for the listener you specify.
#(config service_name) exit
Exits to the #(config proxy-services) prompt.
#(config service_name) intercept {transparent | explicit | all | ip_address |
ip_address/subnet-mask} {port | first_port-last_port}
Change the behavior from bypass to intercept for the listener you specify.

Volume 11: Command Line Interface Reference

252

Chapter 3: Privileged Mode Configure Commands

#(config service_name) view
Views the specified proxy service.

For More Information


Volume 2: Proxies and Proxy Services

Example
SGOS#(config proxy-services) create http http2
SGOS#(config proxy-services) edit http2
SGOS#(config http2) attribute authenticate-401 enable
ok

253

Chapter 3: Privileged Mode Configure Commands

#(config https-reverse-proxy)
Synopsis
Enters the subcommand mode to allow you to manage a specific proxy service.

Syntax
#(config proxy-services) create service_type service_name
#(config proxy-services) edit service_name

This changes the prompt to:
#(config service_name)

Subcommands
#(config service_name) add {transparent | explicit | all | ip_address |
ip_address/subnet-mask} {port | first_port-last_port} [intercept | bypass]
Allows you to add a listener with the parameters specified.
#(config service_name) attribute adn-optimize {disable | enable}
Controls whether to optimize bandwidth usage when connecting upstream using an ADN tunnel.
#(config service_name) attribute ccl list_name
CA Certificate List used for verifying client certificates.
#(config service_name) attribute cipher-suite cipher-suite+
Allows you to specify the cipher suites you want to use with the https-reverse-proxy service.
#(config service_name) attribute forward-client-cert {disable | enable}
When used with the verify-client attribute, puts the extracted client certificate information

into a header that is included in the request when it is forwarded to the OCS. The name of the
header is Client-Cert. The header contains the certificate serial number, subject, validity dates
and issuer (all as name=value pairs). The actual certificate is not forwarded.
#(config service_name) attribute keyring keyring-ID
Allows you to specify the keyring you want to use with this service.
#(config service_name) attribute reflect-client-ip {disable | enable}}
Enables or disables sending of client's IP address instead of the ProxySG's IP address.
#(config service_name) attribute use-adn {disable | enable}
Controls whether ADN is enabled for a specific service. Enabling ADN does not guarantee the
connections are accelerated by ADN. The actual enable decision is determined by ADN routing (for
explicit deployment) and network setup (for transparent deployment).
#(config service_name) attribute ssl-versions {sslv2 |sslv3 | tlsv1 | sslv2v3 |
sslv2tlsv1 | sslv3tlsv1 |sslv2v3tlsv1}
Allows you to select which versions of SSL you want to support. The default is to support SSL v2 and v3
and enable TLS.
#(config service_name) attribute verify-client {disable | enable}
Requests and validates the SSL client certificate.
#(config service_name) bypass {transparent | explicit | all | ip_address |
ip_address/subnet-mask} {port | first_port-last_port}
Changes the behavior from intercept to bypass for the listener specified.
#(config service_name) exit
Exits to the #(config proxy-services) prompt.

Volume 11: Command Line Interface Reference

254

Chapter 3: Privileged Mode Configure Commands

#(config service_name) intercept {transparent | explicit | all | ip_address |
ip_address/subnet-mask} {port | first_port-last_port}
Change the behavior from bypass to intercept for the listener you specify.
#(config service_name) view
Views the specified proxy service.

For More Information


Volume 2: Proxies and Proxy Services

Example
SGOS#(config proxy-services) create https-reverse-proxy HTTPS_RP1
SGOS#(config proxy-services) edit HTTPS_RP1
SGOS#(config HTTPS_RP1) attribute reflect-client-ip enable
ok

255

Chapter 3: Privileged Mode Configure Commands

#(config mms)
Synopsis
Enters the subcommand mode to allow you to manage a specific proxy service.

Syntax
#(config proxy-services) create service_type service_name
#(config proxy-services) edit service_name

This changes the prompt to:
#(config service_name)

Subcommands
#(config service_name) add {transparent | explicit | all | ip_address |
ip_address/subnet-mask} {port | first_port-last_port} [intercept | bypass]
Allows you to add a listener with the parameters you specify.
#(config service_name) attribute reflect-client-ip {disable | enable}
Enables or disables sending of client's IP address instead of the ProxySG's IP address.
#(config service_name) bypass {transparent | explicit | all | ip_address |
ip_address/subnet-mask} {port | first_port-last_port}
Change the behavior from intercept to bypass for the listener you specify.
#(config service_name) exit
Exits to the #(config proxy-services) prompt.
#(config service_name) intercept {transparent | explicit | all | ip_address |
ip_address/subnet-mask} {port | first_port-last_port}
Change the behavior from bypass to intercept for the listener you specify.
#(config service_name) view
Views the specified proxy service.

For More Information


Volume 2: Proxies and Proxy Services

Example
SGOS#(config proxy-services) create mms mms1
SGOS#(config proxy-services) edit mms1
SGOS#(config mms1) attribute reflect-client-ip enable
ok

Volume 11: Command Line Interface Reference

256

Chapter 3: Privileged Mode Configure Commands

#(config msn-im)
Synopsis
Enters the subcommand mode to allow you to manage a specific proxy service.

Syntax
#(config proxy-services) create service_type service_name
#(config proxy-services) edit service_name

This changes the prompt to:
#(config service_name)

Subcommands
#(config service_name) add {all | ip_address | ip_address/subnet-mask} {port |
first_port-last_port} [intercept | bypass]
Allows you to add a listener with the parameters you specify.
#(config service_name) attribute reflect-client-ip {disable | enable}
Enables or disables sending of client's IP address instead of the ProxySG's IP address.
#(config service_name) bypass {all | ip_address | ip_address/subnet-mask} {port |
first_port-last_port}
Changes the behavior from intercept to bypass for the listener you specify.
#(config service_name) exit
Exits to the #(config proxy-services) prompt.
#(config service_name) intercept {all | ip_address | ip_address/subnet-mask} {port
| first_port-last_port}
Changes the behavior from bypass to intercept for the listener you specify.
#(config service_name) view
Views the specified proxy service.

For More Information


Volume 2: Proxies and Proxy Services

Example
SGOS#(config proxy-services) create msn-im msn1
SGOS#(config proxy-services) edit msn1
SGOS#(config msn1) attribute reflect-client-ip enable
ok

257

Chapter 3: Privileged Mode Configure Commands

#(config restricted-intercept)
Synopsis
By default, all clients and servers evaluate the entries in Proxy Services (Configuration > Services >
Proxy Services) where the decision is made to intercept or bypass a connection. To restrict or reduce
the clients and servers that can be intercepted by proxy services, use the restricted intercept list. The
restricted intercept list is useful in a rollout, prior to full production, where you only want to intercept
a subset of the clients. After you are in full production mode, the restricted intercept list can be
disabled.
Enabling restricted intercept only intercepts traffic specified in the client/server list. Disabling
restricted intercept results in normal interception.

Syntax
#(config) proxy-services
#(config proxy-services) restricted-intercept

The prompt changes to:
#(config restricted-intercept)

Subcommands
#(config restricted-intercept) {enable | disable}
Enables or disabled the restricted-intercept list.
#(config restricted-intercept) add {all | client_ip | client_ip/subnet-mask} | {all|
server_ip | server_ip/subnet-mask}
Adds an entry to the restricted list, either a client or a server.
#(config restricted-intercept) remove {all | client_ip | client_ip/subnet-mask} |
all| server_ip | server_ip/subnet-mask}
Clears the specified client or server from the restricted list.
#(config restricted-intercept) view { | filter {all | client_ip |
client_ip/subnet-mask} | {all| server_ip | server_ip/subnet-mask}
Allows you view the entire list or to filter on specific clients or servers.

For More Information


Volume 2: Proxies and Proxy Services

Example
#(config) proxy-services
#(config proxy-services) restricted-intercept
#(config restricted-intercept) add all 192.168.100.1

Volume 11: Command Line Interface Reference

258

Chapter 3: Privileged Mode Configure Commands

#(config rtsp)
Synopsis
Enters the subcommand mode to allow you to manage a specific proxy service.

Syntax
#(config proxy-services) create service_type service_name
#(config proxy-services) edit service_name

This changes the prompt to:
#(config service_name)

Subcommands
#(config service_name) add {transparent | explicit | all | ip_address |
ip_address/subnet-mask} {port | first_port-last_port} [intercept | bypass]
Allows you to add a listener with the parameters you specify.
#(config service_name) attribute reflect-client-ip {disable | enable}
Enables or disables sending of client's IP address instead of the ProxySG's IP address.
#(config service_name) bypass {transparent | explicit | all | ip_address |
ip_address/subnet-mask} {port | first_port-last_port}
Change the behavior from intercept to bypass for the listener you specify.
#(config service_name) exit
Exits to the #(config proxy-services) prompt.
#(config service_name) intercept {transparent | explicit | all | ip_address |
ip_address/subnet-mask} {port | first_port-last_port}
Change the behavior from bypass to intercept for the listener you specify.
#(config service_name) view
Views the specified proxy service.

For More Information


Volume 2: Proxies and Proxy Services

Example
SGOS#(config proxy-services) create rtsp rtsp1
SGOS#(config proxy-services) edit rtsp1
SGOS#(config rtsp1) attribute reflect-client-ip enable
ok

259

Chapter 3: Privileged Mode Configure Commands

#(config socks)
Synopsis
Enters the subcommand mode to allow you to manage a specific proxy service.

Syntax
#(config proxy-services) create service_type service_name
#(config proxy-services) edit service_name

This changes the prompt to:
#(config service_name)

Subcommands
#(config service_name) add {explicit | ip_address | ip_address/subnet-mask} {port
| first_port-last_port} [intercept | bypass]
Allows you to add a listener with the parameters you specify.
#(config service_name) attribute adn-optimize {disable | enable}
Controls whether to optimize bandwidth usage when connecting upstream using an ADN tunnel.
#(config service_name) attribute detect-protocol {disable | enable}
Detects the protocol being used. Protocols that can be detected include: HTTP, P2P (eDonkey, BitTorrent,
FastTrack, Gnutella), SSL, and Endpoint Mapper.
#(config service_name) attribute use-adn {disable | enable}
Controls whether ADN is enabled for a specific service. Enabling ADN does not guarantee the
connections are accelerated by ADN. The actual enable decision is determined by ADN routing (for
explicit deployment) and network setup (for transparent deployment).
#(config service_name) bypass {explicit | ip_address | ip_address/subnet-mask}
{port | first_port-last_port}
Change the behavior from intercept to bypass for the listener you specify.
#(config service_name) exit
Exits to the #(config proxy-services) prompt.
#(config service_name) intercept {explicit | ip_address | ip_address/subnet-mask}
{port | first_port-last_port}
Change the behavior from bypass to intercept for the listener you specify.
#(config service_name) view
Views the specified proxy service.

For More Information


Volume 2: Proxies and Proxy Services

Example
SGOS#(config proxy-services) create socks socks1
SGOS#(config proxy-services) edit socks1
SGOS#(config socks1) attribute adn-optimize enable
ok

Volume 11: Command Line Interface Reference

260

Chapter 3: Privileged Mode Configure Commands

#(config ssl)
Synopsis
Enters the subcommand mode to allow you to manage a specific proxy service.

Syntax
#(config proxy-services) create service_type service_name
#(config proxy-services) edit service_name

This changes the prompt to:
#(config service_name)

Subcommands
#(config service_name) add {transparent | ip_address | ip_address/subnet-mask}
{port | first_port-last_port} [intercept | bypass]
Allows you to add a listener with the parameters you specify.
#(config service_name) attribute adn-optimize {disable | enable}
Controls whether to optimize bandwidth usage when connecting upstream using an ADN tunnel.
#(config service_name) attribute use-adn {disable | enable}
Controls whether ADN is enabled for a specific service. Enabling ADN does not guarantee the
connections are accelerated by ADN. The actual enable decision is determined by ADN routing (for
explicit deployment) and network setup (for transparent deployment).
#(config service_name) bypass {transparent | ip_address | ip_address/subnet-mask}
{port | first_port-last_port}
Change the behavior from intercept to bypass for the listener you specify.
#(config service_name) exit
Exits to the #(config proxy-services) prompt.
#(config service_name) group service-group
Moves the service to a different service group.
#(config service_name) intercept {transparent | ip_address |
ip_address/subnet-mask} {port | first_port-last_port}
Change the behavior from bypass to intercept for the listener you specify.
#(config service_name) proxy-type proxy-type
Changes the proxy type.
#(config service_name) remove explicit | ip | ip/subnet-mask port |
first-port-last-port
Removes a listener.
#(config service_name) view
Views the specified proxy service.

For More Information


Volume 2: Proxies and Proxy Services

261

Chapter 3: Privileged Mode Configure Commands

Example
SGOS#(config proxy-services) create ssl ssl1
SGOS#(config proxy-services) edit ssl1
SGOS#(config ssl1) add transparent 443

Volume 11: Command Line Interface Reference

262

Chapter 3: Privileged Mode Configure Commands

#(config tcp-tunnel)
Synopsis
Enters the subcommand mode to allow you to manage a specific proxy service.

Syntax
#(config proxy-services) create service_type service_name [service_group]
#(config proxy-services) edit service_name

This changes the prompt to:
#(config service_name)

Subcommands
#(config service_name) add {transparent | explicit | all | ip_address |
ip_address/subnet-mask} {port | first_port-last_port} [intercept | bypass]
Allows you to add a listener with the parameters you specify.
#(config service_name) attribute adn-optimize {disable | enable}
Controls whether to optimize bandwidth usage when connecting upstream using an ADN tunnel.
#(config service_name) attribute detect-protocol {disable | enable}
Detects the protocol being used. Protocols that can be detected include: HTTP, P2P (eDonkey, BitTorrent,
FastTrack, Gnutella), SSL, and Endpoint Mapper.
#(config service_name) attribute early-intercept {disable | enable}
Controls whether the proxy responds to client TCP connection requests before connecting to the
upstream server. When early intercept is disabled, the proxy delays responding to the client until after it
has attempted to contact the server.
#(config service_name) attribute reflect-client-ip {disable | enable}
Enables or disables sending of client's IP address instead of the ProxySG's IP address.
#(config service_name) attribute use-adn {disable | enable}
Controls whether ADN is enabled for a specific service. Enabling ADN does not guarantee the
connections are accelerated by ADN. The actual enable decision is determined by ADN routing (for
explicit deployment) and network setup (for transparent deployment).
#(config service_name) bypass {transparent | explicit | all | ip_address |
ip_address/subnet-mask} {port | first_port-last_port}
Change the behavior from intercept to bypass for the listener you specify.
#(config service_name) exit
Exits to the #(config proxy-services) prompt.
#(config service_name) intercept {transparent | explicit | all | ip_address |
ip_address/subnet-mask} {port | first_port-last_port}
Change the behavior from bypass to intercept for the listener you specify.
#(config service_name) view
Views the specified proxy service.

For More Information


Volume 2: Proxies and Proxy Services

263

Chapter 3: Privileged Mode Configure Commands

Example
SGOS#(config proxy-services) create tcp-tunnel TCP1
SGOS#(config proxy-services) edit TCP1
SGOS#(config TCP1) attribute early-intercept enable

ok

Volume 11: Command Line Interface Reference

264

Chapter 3: Privileged Mode Configure Commands

#(config telnet)
Synopsis
Enters the subcommand mode to allow you to manage a specific proxy service.

Syntax
#(config proxy-services) create service_type service_name
#(config proxy-services) edit service_name

This changes the prompt to
#(config service_name)

Subcommands
#(config service_name) add {transparent | explicit | all | ip_address |
ip_address/subnet-mask} {port | first_port-last_port} [intercept | bypass]
Allows you to add a listener with the parameters you specify.
#(config service_name) attribute reflect-client-ip {disable | enable}
Enables or disables sending of client's IP address instead of the ProxySG's IP address.
#(config service_name) bypass {transparent | explicit | all | ip_address |
ip_address/subnet-mask} {port | first_port-last_port}
Change the behavior from intercept to bypass for the listener you specify.
#(config service_name) exit
Exits to the #(config proxy-services) prompt.
#(config service_name) intercept {transparent | explicit | all | ip_address |
ip_address/subnet-mask} {port | first_port-last_port}
Change the behavior from bypass to intercept for the listener you specify.
#(config service_name) view
Views the specified proxy service.

For More Information


Volume 2: Proxies and Proxy Services

Example
SGOS#(config proxy-services) create telnet telnet1
SGOS#(config proxy-services) edit telnet1
SGOS #(config telnet1) view
Service Name:
telnet1
Proxy:
Telnet
Attributes:
early-intercept
Destination IP
Port Range
Action

265

Chapter 3: Privileged Mode Configure Commands

#(config yahoo-im)
Synopsis
Enters the subcommand mode to allow you to manage a specific proxy service.

Syntax
#(config proxy-services) create service_type service_name
#(config proxy-services) edit service_name

This changes the prompt to:
#(config service_name)

Subcommands
#(config service_name) add {all | ip_address | ip_address/subnet-mask} {port |
first_port-last_port} [intercept | bypass]
Allows you to add a listener with the parameters you specify.
#(config service_name) attribute reflect-client-ip {disable | enable}
Enables or disables sending of client's IP address instead of the ProxySG's IP address.
#(config service_name) bypass {all | ip_address | ip_address/subnet-mask} {port |
first_port-last_port}
Changes the behavior from intercept to bypass for the listener you specify.
#(config service_name) exit
Exits to the #(config proxy-services) prompt.
#(config service_name) intercept {all | ip_address | ip_address/subnet-mask} {port
| first_port-last_port}
Changes the behavior from bypass to intercept for the listener you specify.
#(config service_name) view
Views the specified proxy service.

For More Information


Volume 2: Proxies and Proxy Services

Example
SGOS#(config proxy-services) create yahoo-im yahoo1
SGOS#(config proxy-services) edit yahoo1
SGOS#(config yahoo1) attribute reflect-client-ip enable
ok

Volume 11: Command Line Interface Reference

266

Chapter 3: Privileged Mode Configure Commands

#(config) restart
Synopsis
Use this command to set restart options for the ProxySG.

Syntax
#(config) restart core-image {context | full | keep number | none}
context: Indicates only core image context should be written on restart.
full: Indicates full core image should be written on restart.
keep numbers: Specifies a number of core images to keep on restart.
none: Indicates no core image should be written on restart.
#(config) restart mode {hardware | software}
hardware: Specifies a hardware restart.
software: Specifies a software restart.

For More Information


Volume 7: Managing the Blue Coat ProxySG Appliance

Example
SGOS#(config) restart mode software
ok

267

Chapter 3: Privileged Mode Configure Commands

#(config) return-to-sender
Synopsis
The return-to-sender feature eliminates unnecessary network traffic when the three following
conditions are met:


The ProxySG has connections to clients or servers on a different subnet.



The shortest route to the clients or servers is not through the default gateway.



There are no static routes or RIP routes defined that apply to the IP addresses of the clients
and servers.

Under these conditions, if the return-to-sender feature is enabled, the ProxySG remembers the MAC
address of the last hop for a packet from the client or server and sends any responses or requests to the
MAC address instead of the default gateway.
Under the same conditions, if return-to-sender is disabled, the ProxySG sends requests or responses to
the default gateway, which then sends the packets to the gateway representing the last hop to the
ProxySG for the associated connection. This effectively doubles the number of packets transmitted on
the LAN compared to when return-to-sender is enabled.
Inbound return-to-sender affects connections initiated to the ProxySG by clients. Outbound
return-to-sender affects connections initiated by the ProxySG to origin servers.
Note:

Return-to-sender functionality should only be used if static routes cannot be defined for the
clients and servers or if routing information for the clients and servers is not available through RIP
packets.
With return-to-sender, you can use load balancing. By default, all traffic flows out of one card. If
return-to-sender is enabled, traffic is returned on the card it originally came from.

Syntax
#(config) return-to-sender inbound {disable | enable}
Enables or disables return-to-sender for inbound sessions.
#(config) return-to-sender outbound {disable | enable}
Enables or disables return-to-sender for outbound sessions.
#(config) return-to-sender version {1 | 2}
Enables return-to-sender (RTS) versions 1 or 2.
In version 1, the RTS route is created at Layer-3 and stored globally, thus being interface agnostic.
RTS version 2 was introduced to get around this multi-interface limitation. With version 2, TCP now
stores a per-socket RTS route that contains both the destination MAC address and interface information.
After the SYN is received by the ProxySG, all subsequent packets on that socket traverses the interface on
which the SYN was received.
Note: All current sockets tied to that interface will time out. However, subsequent and existing TCP
connections continue to function normally on the other interfaces.

Example
SGOS#(config) return-to-sender inbound enable
ok

Volume 11: Command Line Interface Reference

268

Chapter 3: Privileged Mode Configure Commands

#(config) reveal-advanced


# reveal-advanced on page 71.

269

Chapter 3: Privileged Mode Configure Commands

#(config) rip
Synopsis
Use this command to set RIP (Routing Information Protocol) configuration options.
Using RIP, a host and router can send a routing table list of all other known hosts to its closest
neighbor host every 30 seconds. The neighbor host passes this information on to its next closest
neighbor and so on until all hosts have perfect knowledge of each other. (RIP uses the hop count
measurement to derive network distance.) Each host in the network can then use the routing table
information to determine the most efficient route for a packet.
The RIP configuration is defined in a configuration file. To configure RIP, first create a text file of RIP
commands and then load the file by using the load command.

Syntax
#(config) rip disable
Disables the current RIP configuration.
#(config) rip enable
Enables the current RIP configuration.
#(config) rip no path
Clears the current RIP configuration path as determined using the rip path url command.
#(config) rip path url
Sets the path to the RIP configuration file to the URL indicated by url.

For More Information


Volume 5: Advanced Networking

Example
SGOS#(config) rip path 10.25.36.47/files/rip.txt
ok

Volume 11: Command Line Interface Reference

270

Chapter 3: Privileged Mode Configure Commands

#(config) security
The #(config) security command is used for security, authentication, and authorization. The
security command, by itself, cannot be used. You must use security commands with the options
discussed in Subcommands below.

Synopsis
The ProxySG provides the ability to authenticate and authorize explicit and transparent proxy users
using industry-standard authentication services.

Syntax
#(config) security [subcommands]

Subcommands
Modes in the security command are divided into three categories:


Console Access and Authorization



Realms



Transparent Proxy

Note: While the commands are listed in functional order below, they are discussed in alphabetical
order in the pages that follow. Each of the options in blue are hyperlinked so you can go directly to the
command.

Console Access and Authorization
The options in this category do not enter a new submode. These options allow you to manage
passwords and usernames for the ProxySG itself.
#(config security allowed-access) on page 274
Adds or removes the specified IP address to the access control list.
#(config security default-authenticate-mode) on page 283
Sets the default authenticate.mode to auto or to sg2.
#(config security destroy-old-password) on page 284
Destroys recoverable passwords in configuration used by previous versions.
#(config security enable-password and hashed-enable-password) on page 285
Sets the console enable password to the password specified.
#(config security enforce-acl) on page 286
Enables or disables the console access control list.
#(config security front-panel-pin and hashed-front-panel-pin) on page 287
Sets a four-digit PIN to restrict access to the front panel of the ProxySG.
#(config security management) on page 299
Manages display settings.
#(config) security password and hashed_password on page 302
Specifies the console enable password in hashed format.
#(config) security password-display on page 303
Specifies format to display passwords in show config output.

271

Chapter 3: Privileged Mode Configure Commands

#(config) security users on page 317
Manages user log ins, log outs and refresh data
#(config) security username on page 318
Specifies the console username.

Realms
Multiple authentication realms can be used on a single ProxySG. Multiple realms are essential if the
enterprise is a managed provider or the company has merged with or acquired another company.
Even for companies using only one protocol, multiple realms might be necessary, such as the case of a
company using an LDAP server with multiple authentication boundaries. You can use realm
sequencing to search the multiple realms all at one time.
Note:

Up to 40 realms per type (such as certificate, authentication forms, and RADIUS) are allowed.

#(config security authentication-forms) on page 275
Creates forms for authentication and manage them.
#(config security certificate) on page 277
Creates and manages certificate realms.
#(config security coreid) on page 280
Creates and manages COREid realms.
#(config security iwa) on page 288
Creates and manages IWA realms.
#(config) security ldap on page 291
Creates and manages LDAP realms.
#(config) security local on page 295
Creates and manages local realms.
#(config security local-user-list) on page 297
Creates and manages local user lists.
#(config security novell-sso) on page 300
Creates and manages Novell SSO realms.
#(config security policy-substitution) on page 304
Creates and manage policy-substitution realms.
#(config security radius) on page 306
Creates and manages RADIUS realms.
#(config security request-storage) on page 309
Creates and manages request-storage realms.
#(config security sequence) on page 310
Creates and manages sequence realms.
#(config security siteminder) on page 312
Creates and manages SiteMinder realms.
#(config windows-sso) on page 319
Creates and manages Windows SSO realms.
#(config) security xml on page 321
Creates and manages XML realms.

Transparent Proxy
The transparent proxy authentication commands allows you

Volume 11: Command Line Interface Reference

272

Chapter 3: Privileged Mode Configure Commands

#(config) security transparent-proxy-auth on page 316
Specifies certain transparent proxy authentication settings.

For More Information


Volume 4: Securing the Blue Coat ProxySG Appliance

Example
#(config) show security
Account:
Username:
“admin”
Hashed Password: $1$a2zTlEE$1b88R3SXUTXS.zO7lh8db0
Hashed Enable Password: $1$xQnqGerX$LU65b20trsIAF6yJox26L.
Hashed Front Panel PIN: "$1$ThSEiB1v$seyBhSxtTXEtUGDZ5NOB1/"
Management console display realm name: "Aurora"
Management console auto-logout timeout: Never
Access control is disabled
Access control list (source, mask):
Flush credentials on policy update is enabled
Default authenticate.mode: auto
Transparent proxy authentication:
Method: cookie
Cookie type: session
Cookie virtual-url: "www.cfauth.com/"
IP time-to-live: 15
Local realm:
No local realm is defined.
RADIUS realm:
No RADIUS realm is defined.
LDAP realm(s):
No LDAP realm is defined.
IWA realm(s):
No IWA realm is defined.
Certificate realm(s):
No certificate realms are defined.
SiteMinder realm(s):
No realms defined.
COREid realm(s):
No realms defined.
Policy-substitution realm(s):
No realms defined.
Realm sequence(s):
No realm sequences defined.

273

Chapter 3: Privileged Mode Configure Commands

#(config security allowed-access)
Synopsis
Adds or removes IP addresses to the console access control list.

Syntax
#(config) security allowed-access [subcommands]

Subcommands
#(config) security allowed-access add source_ip [ip_mask]
Adds the specified IP address to the access control list.
#(config) security allowed-access remove source_ip [ip_mask]
Removes the specified IP from the access control list.

For More Information


#(config security enforce-acl) on page 286



Volume 1: Getting Started

Example
#(config) security allowed-access add 10.25.36.47

Volume 11: Command Line Interface Reference

274

Chapter 3: Privileged Mode Configure Commands

#(config security authentication-forms)
You can use forms-based authentication exceptions to control what your users see during
authentication. link.
To create and put into use forms-based authentication, you must complete the following steps:


Create a new form or edit one of the existing authentication form exceptions



Set storage options



Set policies

Synopsis
Allows you to create and manage authentication forms.

Syntax
#(config) security authentication-forms [subcommands]

Subcommands
#(config) security authentication-forms copy [source_form_name
target_form_name
Changes the name of a form. Note that you cannot change the form type.
#(config) security authentication-forms create {authentication-form |
new-pin-form | query-form} form_name
Creates a new authentication form using the form type you specify.
#(config) security authentication-forms delete form_name
Deletes an authentication form
#(config) security authentication-forms inline form_name eof_marker
Installs an authentication form from console input.
#(config) security authentication-forms load form_name
Downloads a new authentication form.
#(config) security authentication-forms no path [form_name]
Negates authentication-form configuration.
#(config) security authentication-forms path [form_name] path
Specifies the path (URL or IP address) from which to load an authentication form, or the entire set of
authentication forms.
#(config) security authentication-forms view
Views the form specified or all forms.

For More Information


#(config security request-storage) on page 309



Volume 4: Securing the Blue Coat ProxySG Appliance

275

Chapter 3: Privileged Mode Configure Commands

Example
#(config) security authentication-forms
#(config authentication-forms) create form_type form_name
ok

where form_type indicates the default authentication-form, new-pin-form, or
query-form and form_name is the name you give the form.

Volume 11: Command Line Interface Reference

276

Chapter 3: Privileged Mode Configure Commands

#(config security certificate)
After an SSL session has been established, the user is asked to select the certificate to send to the
ProxySG. If the certificate was signed by a Certificate Signing Authority that the ProxySG trusts,
including itself, then the user is considered authenticated. The username for the user is the one
extracted from the certificate during authentication.
You do not need to specify an authorization realm if:


The policy does not make any decisions based on groups



The policy works as desired when all certificate realm-authenticated users are not in any
group

Synopsis
Allows you to create and manage certificate realms.

Syntax
#(config) security certificate [subcommands]

Subcommands
#(config) security certificate create-realm realm_name
Creates the specified certificate realm.
#(config) security certificate delete-realm realm_name
Deletes the specified certificate realm.
#(config) security certificate edit-realm realm_name
Changes the prompt. See Submodes for details.
#(config) security certificate view [realm_name]
Displays the configuration of all certificate realms or just the configuration for realm_name if specified.

Submodes
#(config) security certificate edit-realm realm_name

This changes the prompt to:
#(config certificate_realm)

Commands in this submode:
#(config certificate certificate_realm) authorization {ignore-user-list {add | clear
| remove}
Manages the ignore-user-list, which is the list of those to ignore if they are returned as search results.
##(config certificate certificate_realm) authorization realm {none | realm-name
realm_name}
Specifies the authorization realm to use. Only LDAP , XML, and local realms are valid authorization
realms.
#(config certificate certificate_realm) authorization search-filter search_filter
Specifies the search filter that should be used during a search of the LDAP server. The filter can contain
policy substitutions including $(cs-username).
#(config certificate certificate_realm) authorization user-attribute {fqdn |
LDAP_attribute_name}
Specifies the user-attribute (fully qualified domain name or an LDAP attribute name) to be used during a
search of the LDAP server.

277

Chapter 3: Privileged Mode Configure Commands

#(config certificate certificate_realm) authorization username
{determine-by-search | use-full-username | username_for_authorization}
Specifies the way a username should be determined. The default is the attribute cn, which specifies the
user’s relative name.
#(config certificate certificate_realm) cookie {persistent {enable | disable} |
verify-ip {enable | disable}
Specifies whether to enable persistent or session cookies, and whether to verify the IP address of the
cookie.
#(config certificate certificate_realm) display-name display_name
Specifies the display name for this realm.
#(config certificate certificate_realm) exit
Exits #(config certificate_realm) mode and returns to (config) mode.
#(config certificate certificate_realm) identification append-base-dn {disable |
dn dn_to_append | enable}
Disables or enables appending of the base DN to the authenticated username, or specifies the base DN to
append. If no base DN is specified, then the first base DN in the LDAP authorization realm is used.
Applies to LDAP authorization realms only.
#(config certificate certificate_realm) identification container-attr-list
list_of_attribute_names
Specifies the attributes from the certificate subject to use in constructing the user DN. E.g. $(o)$(ou). The
list needs to be quoted if it contains spaces.
#(config certificate certificate_realm) identification no container-attr-list
Clears the container-attr-list.
#(config certificate certificate_realm) identification username-attribute
username_attribute
Specifies the username attribute. The default is cn.
#(config certificate certificate_realm) inactivity-timeout seconds
Specifies the amount of time a session can be inactive before being logged out.
#(config certificate certificate_realm) refresh-time {authorization-refresh
seconds | surrogate-refresh seconds}
Sets the refresh time for authorization and surrogates.
#(config certificate certificate_realm) rename new_realm_name
Renames this realm to new_realm_name.
#(config certificate certificate_realm) view
Displays this realm’s configuration.
#(config certificate certificate_realm) virtual-url url
Specifies the virtual URL to use for this realm. If no URL is specified the global transparent proxy virtual
URL is used.

For More Information


#(config) security ldap on page 291



#(config) security local on page 295



#(config) security xml on page 321



Volume 4: Securing the Blue Coat ProxySG Appliance

Volume 11: Command Line Interface Reference

278

Chapter 3: Privileged Mode Configure Commands

Example
#(config) security certificate
#(config certificate testcert)
ok
#(config certificate testcert)
ok
#(config certificate testcert)
#(config)

edit-realm testcert
no container-attr-list
cache-duration 800
exit

279

Chapter 3: Privileged Mode Configure Commands

#(config security coreid)
Within the COREid Access System, BCAAA acts as a custom AccessGate. It communicates with the
COREid Access Servers to authenticate the user and to obtain a COREid session token, authorization
actions, and group membership information.

Synopsis
Allows you to create and manage COREid realms.

Syntax
#(config) security coreid [subcommands]

Subcommands
#(config) security coreid create-realm realm_name
Creates the specified COREid realm
#(config) security coreid delete-realm realm_name
Deletes the specified COREid realm.
#(config) security coreid edit-realm realm_name
Changes the prompt. See Submodes for details.
#(config) security coreid view [realm_name]
Displays the configuration of all COREid realms or just the configuration for realm_name if specified.

Submodes
#(config) security coreid edit-realm realm_name

This changes the prompt to:
#(config coreid realm_name)

Commands in this submode:
#(config coreid realm_name) access-server-hostname hostname
The hostname of the primary Access Server.
#(config coreid realm_name) access-server-id id
The ID of the primary Access Server.
#(config coreid realm_name) access-server-port port
The port of the primary Access Server
#(config coreid realm_name) add-header-responses disable | enable
When enabled, authorization actions from the policy domain obtained during authentication are added
to each request forwarded by the ProxySG. Note that header responses replaces any existing header of
the same name; if no such header exists, the header is added. Cookie responses replace a cookie header
with the same cookie name; if no such cookie header exists, one is added.
#(config coreid realm_name) alternate-agent accessgate-id name
The ID of the alternate AccessGate agent.
#(config coreid realm_name) alternate-agent encrypted-secret
encrypted_shared_secret
The encrypted password associated with the alternate AccessGate. (Passwords can be up to 64 characters
long and are always case sensitive.) The primary use of the encrypted-secret command is to allow the
ProxySG to reload a password that it encrypted. If you choose to use a third-party encryption
application, be sure it supports RSA encryption, OAEP padding, and is Base64 encoded with no
newlines|

Volume 11: Command Line Interface Reference

280

Chapter 3: Privileged Mode Configure Commands

#(config coreid realm_name) alternate-agent host hostname
The hostname or the IP address of the alternate system that contains the agent.
#(config coreid realm_name) alternate-agent port port
The port where the alternate agent listens.
#(config coreid realm_name) alternate-agent secret shared_secret
The password associated with the alternate AccessGate. (Passwords can be up to 64 characters long and
are always case sensitive.)
#(config coreid realm_name) always-redirect-offbox {disable | enable}
Forces authentication challenges to always be redirected to an off-box URL.
#(config coreid realm_name) cache-duration seconds
Specifies the length of time in seconds that user and administrator credentials received are cached.
Credentials can be cached for up to 3932100 seconds. The default value is 900 seconds (15 minutes).
#(config coreid realm_name) case-sensitive {disable | enable}
Specifies whether the username and group comparisons on the ProxySG should be case-sensitive.
#(config coreid realm_name) certificate-path certificate_path
If Cert mode is used, the location on the BCAAA host machine where the key, server and CA chain
certificates reside. The certificate files must be named aaa_key.pem, aaa_cert.pem and aaa_chain.pem
respectively.
#(config coreid realm_name) cookie {persistent {enable | disable} | verify-ip
{enable | disable}
Specifies whether to enable persistent or session cookies, and whether to verify the IP address of the
cookie.
#(config coreid realm_name) display-name display_name
Equivalent to the display-name option in the CPL authenticate action. The default value for the display
name is the realm name. The display name cannot be longer than 128 characters and it cannot be null.
#(config coreid realm_name) encrypted-transport-pass-phrase encrypted_pass_phrase
If Simple or Cert mode is used, the Transport encrypted passphrase configured in the Access System.
#(config coreid realm_name) exit
Exits the #(config coreid) edit mode and returns to #(config) mode.
#(config coreid realm_name) inactivity-timeout seconds
Specifies the amount of time a session can be inactive before being logged out.
#(config coreid realm_name) log-out {challenge {enable | disable} | display-time
seconds}
Allows you to challenge the user after log out and define the log out page display time.
#(config coreid realm_name) no alternate-agent | certificate-path
Removes the alternate agent configuration or the certificate path.
#(config coreid realm_name) primary-agent accessgate-id name
The ID of the primary AccessGate agent.
#(config coreid realm_name) primary-agent encrypted-secret
encrypted_shared_secret
The encrypted password associated with the primary AccessGate. (Passwords can be up to 64 characters
long and are always case sensitive.) The primary use of the encrypted-secret command is to allow the
ProxySG to reload a password that it encrypted. If you choose to use a third-party encryption
application, be sure it supports RSA encryption, OAEP padding, and is Base64 encoded with no newline.
#(config coreid realm_name) primary-agent host hostname
The hostname or the IP address of the primary system that contains the agent.
#(config coreid realm_name) primary-agent port port
The port where the primary agent listens.

281

Chapter 3: Privileged Mode Configure Commands

#(config coreid realm_name) primary-agent secret shared_secret
The password associated with the primary AccessGate. (Passwords can be up to 64 characters long and
are always case sensitive.)
#(config coreid realm_name) protected-resource-name resource_name
The resource name defined in the Access System policy domain
#(config coreid realm_name) refresh-time {credential-refresh seconds |
rejected-credentials-refresh seconds | surrogate-refresh seconds}
Sets the refresh time for credential, rejected credentials cache, and surrogates.
#(config coreid realm_name) rename new_realm_name
Renames the realm to your request.
#(config coreid realm_name) security-mode {cert | open | simple}
The Security Transport Mode for the AccessGate to use when communicating with the Access System
#(config coreid realm_name) ssl {disable | enable}
Enable or disable SSL.
#(config coreid realm_name) ssl-device-profile ssl_device_profile_name
Specifies the device profile to use.
#(config coreid realm_name) timeout seconds
The length of time to elapse before timeout if a response from BCAAA is not received.
#(config coreid realm_name) transport-pass-phrase pass_phrase
If Simple or Cert mode is used, the Transport passphrase configured in the Access System.
#(config coreid realm_name) validate-client-IP {disable | enable}
Enables validation of the client IP address in SSO cookies. If the client IP address in the SSO cookie can
be valid yet different from the current request client IP address due to downstream proxies or other
devices, then disable client IP address validation. The WebGates participating in SSO with the ProxySG
should also be modified. The WebGateStatic.lst file should be modified to either set the ipvalidation
parameter to false or to add the downstream proxy/device to the IPValidationExceptions lists.
#(config coreid realm_name) view
Views the realm configuration.
#(config coreid realm_name) virtual-url url
The URL to redirect to when the user needs to be challenged for credentials. If the ProxySG is
participating in SSO, the virtual hostname must be in the same cookie domain as the other servers
participating in the SSO. It cannot be an IP address or the default.

For More Information


#(config security siteminder) on page 312



Volume 4: Securing the Blue Coat ProxySG Appliance

Example
SGOS#(config) security coreid
SGOS#(config coreid coreid_1)
SGOS#(config coreid coreid_1)
SGOS#(config coreid coreid_1)

Volume 11: Command Line Interface Reference

edit-realm coreid_1
access-server-hostname AccessServer_1
cache-duration 800
exit

282

Chapter 3: Privileged Mode Configure Commands

#(config security default-authenticate-mode)
Synopsis
Sets the default authenticate.mode to auto or to sg2.

Syntax
#(config) security default-authenticate-mode [auto | sg2]

Subcommands
#(config) security default-authenticate-mode auto
Enables the access control list.
#(config) security default-authenticate-mode sg2
Disables the access control list.

For More Information


Volume 4: Securing the Blue Coat ProxySG Appliance

Example
SGOS#(config) security default-authenticate-mode auto

283

Chapter 3: Privileged Mode Configure Commands

#(config security destroy-old-password)
Synopsis
Destroys recoverable passwords in configuration used by previous versions.

Syntax
#(config) security destroy-old-password [force]

Subcommands
#(config) security destroy-old-password
Destroys passwords after prompting.
#(config) security destroy-old-password force
Destroys passwords without prompting.
Note:

Do not use this command if you intend to downgrade, as the old passwords are destroyed.

For More Information


Volume 4: Securing the Blue Coat ProxySG Appliance

Example
#(config) destroy-old-password force

Volume 11: Command Line Interface Reference

284

Chapter 3: Privileged Mode Configure Commands

#(config security enable-password and hashed-enable-password)
Synopsis
Sets the console enable password to the password specified.

Syntax
#(config) security enable-password “password”
#(config) security hashed-enable-password hashed_password

Subcommands
#(config) security enable-password “password”
Note that the enable password must be in quotes. This is the password required to enter enable mode
from the CLI when using console credentials, the serial console, or RSA SSH.
#(config) security hashed-enable-password hashed_password
The enable password in hashed format. You can either hash the password prior to entering it, or you can
allow the ProxySG to hash the password.

For More Information


Volume 4: Securing the Blue Coat ProxySG Appliance

Example
#(config) security enable-password “test”

285

Chapter 3: Privileged Mode Configure Commands

#(config security enforce-acl)
Synopsis
Enables or disables the console access control list (ACL).

Syntax
#(config) security enforce-acl [enable | disable]

Subcommands
#(config) security enforce-acl enable
Enables the access control list.
#(config) security enforce-acl disable
Disables the access control list.

For More Information


#(config) alert on page 103

Example
#(config) security enforce-acl disable

Volume 11: Command Line Interface Reference

286

Chapter 3: Privileged Mode Configure Commands

#(config security front-panel-pin and hashed-front-panel-pin)
Synopsis
Sets a four-digit PIN to restrict access to the front panel of the ProxySG.

Syntax
#(config) security front-panel-pin PIN

Subcommands
#(config) security front-panel-pin PIN
Use of this command is recommended for security reasons.
Note:

To clear the PIN, specify 0000.

For More Information


Volume 4: Securing the Blue Coat ProxySG Appliance

Example
#(config) security front-panel-pin 1234

287

Chapter 3: Privileged Mode Configure Commands

#(config security iwa)
Integrated Windows Authentication (IWA) is an authentication mechanism available on Windows
networks. (The name of the realm has been changed from NTLM to IWA.)
IWA is a Microsoft-proprietary authentication suite that allows Windows clients (running on
Windows 2000 and higher) to automatically choose between using Kerberos and NTLM
authentication challenge/response, as appropriate. When an IWA realm is used and a resource is
requested by the client from the ProxySG appliance, the appliance contacts the client's domain account
to verify the client's identity and request an access token. The access token is generated by the domain
controller (in case of NTLM authentication) or a Kerberos server (in the case of Kerberos
authentication) and passed to (and if valid, accepted by) the ProxySG appliance.
Refer to the Microsoft Web site for detailed information about the IWA protocol.

Synopsis
Allows you to create and manage IWA realms.

Syntax
#(config) security iwa [subcommands]

Subcommands
#(config) security iwa create-realm realm_name
Creates the specified IWA realm.
#(config) security iwa delete-realm realm_name
Deletes the specified IWA realm.
#(config) security iwa edit-realm realm_name
Changes the prompt. See Submodes for details.
#(config) security iwa view [realm_name]
Displays the configuration of all IWA realms or just the configuration for realm_name if specified.

Submodes
#(config) security IWA edit-realm realm_name

This changes the prompt to:
#(config IWA realm_name)

Commands in this submode:
#(config IWA realm_name) alternate-server host [port]
Specifies the alternate server host and port.
#(config IWA realm_name) cache-duration seconds
Specifies the length of time to cache credentials for this realm.
#(config IWA realm_name) cookie {persistent {enable | disable} | verify-ip {enable |
disable}
Specifies whether to enable persistent or session cookies, and whether to verify the IP address of the
cookie.
#(config IWA realm_name) credentials-basic {disable | enable}
Disables/enables support for Basic credentials in this realm. At least one of Basic or NTLM/Kerberos
credentials must be supported.

Volume 11: Command Line Interface Reference

288

Chapter 3: Privileged Mode Configure Commands

#(config IWA realm_name) credentials-kerberos {disable | enable}
Disables/enables support for Kerberos credentials in this realm. If Kerberos is enabled, NTLM must also
be enabled. At least one of Basic or NTLM/Kerberos credentials must be supported.
#(config IWA realm_name) credentials-ntlm {disable | enable}
Disables/enables support for NTLM credentials in this realm. If NTLM is enabled, Kerberos must also be
enabled. At least one of Basic or NTLM/Kerberos credentials must be enabled.
#(config IWA realm_name) display-name display_name
Specifies the display name for this realm.
#(config IWA realm_name) exit
Exits the iwa edit mode and returns to (config) mode.
#(config IWA realm_name) inactivity-timeout seconds
Specifies the amount of time a session can be inactive before being logged out.
#(config IWA realm_name) log-out {challenge {enable | disable} | display-time
seconds}
Allows you to challenge the user after log out and define the log out page display time.
#(config IWA realm_name) no alternate-server
Clears the alternate-server.
#(config IWA realm_name) primary-server host [port]
Specifies the primary server host and port.
#(config IWA realm_name) refresh-time {credential-refresh seconds |
rejected-credentials-refresh seconds | surrogate-refresh seconds}
Sets the refresh time for credential, rejected credentials cache time, and surrogates.
#(config IWA realm_name) rename new_realm_name
Renames this realm to new_realm_name.
#(config IWA realm_name) spoof-authentication {none | origin | proxy}
Enables/disables the forwarding of authenticated credentials to the origin content server or for proxy
authentication. Flush the entries for a realm if the spoof-authentication value is changed to ensure that
the spoof-authentication value is immediately applied.

You can only choose one.


If set to origin, the spoofed header is an Authorization: header.



If set to proxy, the spoofed header is a Proxy-Authorization: header.



If set to none, no spoofing is done.

#(config IWA realm_name) ssl {disable | enable}
Disables/enables SSL communication between the ProxySG and BCAAA.
#(config IWA realm_name)ssl-device-profile ssl_device_profile_name
Specifies the device profile to use.
#(config IWA realm_name) timeout seconds
Specifies the IWA request timeout.
#(config IWA realm_name) view
Displays this realm’s configuration.
#(config IWA realm_name) virtual-url url
Specifies the virtual URL to use for this realm. If no URL is specified the global transparent proxy virtual
URL is used.

For More Information


Volume 4: Securing the Blue Coat ProxySG Appliance

289

Chapter 3: Privileged Mode Configure Commands

Example
#(config) security IWA edit-realm testIWA
#(config IWA testIWA) cache-duration 1500
ok
#(config IWA testIWA) no alternate server
ok
#(config IWA testIWA) exit
#(config)

Volume 11: Command Line Interface Reference

290

Chapter 3: Privileged Mode Configure Commands

#(config) security ldap
Blue Coat supports both LDAP v2 and LDAP v3, but recommends LDAP v3 because it uses Transport
Layer Security (TLS) and SSL to provide a secure connection between the ProxySG and the LDAP
server.
An LDAP directory, either version 2 or version 3, consists of a simple tree hierarchy. An LDAP
directory might span multiple LDAP servers. In LDAP v3, servers can return referrals to others servers
back to the client, allowing the client to follow those referrals if desired.
Directory services simplify administration; any additions or changes made once to the information in
the directory are immediately available to all users and directory-enabled applications, devices, and
ProxySGs.
The ProxySG supports the use of external LDAP database servers to authenticate and authorize users
on a per-group or per-attribute basis.
LDAP group-based authentication for the ProxySG can be configured to support any LDAP-compliant
directory including:


Microsoft Active Directory Server



Novell NDS/eDirectory Server



Netscape/Sun iPlanet Directory Server



Other

Synopsis
Allows you to configure and manage LDAP realms.

Syntax
#(config) security ldap [subcommands]

Subcommands
#(config) security ldap create-realm realm_name
Creates the specified LDAP realm
#(config) security ldap delete-realm realm_name
Deletes the specified LDAP realm.
#(config) security ldap edit-realm realm_name
Changes the prompt. See Submodes for details.
#(config) security ldap view [realm_name]
Displays the configuration of all LDAP realms or just the configuration for realm_name if specified.

Submodes
#(config) security ldap edit-realm realm_name

This changes the prompt to:
#(config ldap realm_name)

Commands in the ldap realm_name mode:
#(config ldap realm_name) alternate-server host [port]
Specifies the alternate server host and port.
#(config ldap realm_name) case-sensitive {disable | enable}
Specifies whether or not the LDAP server is case-sensitive.

291

Chapter 3: Privileged Mode Configure Commands

#(config ldap realm_name) cookie {persistent {enable | disable} | verify-ip {enable
| disable}
Specifies whether to enable persistent or session cookies, and whether to verify the IP address of the
cookie.
#(config ldap realm_name) default-group-name default_group_name
If the validate-authorized-user command is disabled and a default-group-name is configured,
the default-group-name is used as the group name for non-existent users.
#(config ldap realm_name) display-name display_name
Specifies the display name for this realm.
#(config ldap realm_name) distinguished-name user-attribute-type
user_attribute_type
Specifies the attribute type that defines the relative user name.
#(config ldap realm_name) distinguished-name base-dn {add | demote | promote |
remove} {base_dn | clear}
Adds/demotes/promotes/removes a base DN from the base DN list, or clears the base DN list.
#(config ldap realm_name) exit
Exits the ldap edit mode and returns to #(config) mode.
#(config ldap realm_name) inactivity-timeout seconds
Specifies the amount of time a session can be inactive before being logged out.
#(config ldap realm_name) log-out {challenge {enable | disable} | display-time
seconds}
Allows you to challenge the user after log out and define the log out page display time.
#(config ldap realm_name) membership-attribute attribute_name
Specifies the attribute that defines group membership.
#(config ldap realm_name) membership-type {group | user}
Specifies the membership type. Specify group if user memberships are specified in groups. Specify user
if memberships are specified in users.
#(config ldap realm_name) membership-username (full | relative)
Specifies the username type to use during membership lookups. The full option specifies that the
user's FQDN is used during membership lookups, and relative option specifies that the user's relative
username is used during membership lookups. Only one can be selected at a time.
#(config ldap realm_name) nested-group-attribute attribute_name
Specifies the attribute that defines nested group membership. For other, ad, and nds, the default
attribute name is member. For iPlanet, the default attribute name is uniqueMember.
#(config ldap realm_name) no alternate-server
Clears the alternate-server or membership-attribute values.
#(config ldap realm_name) no default-group-name
Clears the default group name.
#(config ldap realm_name) no membership-attribute
Clears the membership-attribute values.
#(config ldap realm_name) objectclass container {add | remove}
{container_objectclass | clear}
Adds/removes container objectclass values from the list (these values are used during VPM searches of
the LDAP realm), or clears all values from the container objectclass list.
#(config ldap realm_name) objectclass group {add | remove} {group_objectclass |
clear}
Adds/removes group objectclass values from the list (these values are used during VPM searches of the
LDAP realm), or clears all values from the group objectclass list.

Volume 11: Command Line Interface Reference

292

Chapter 3: Privileged Mode Configure Commands

#(config ldap realm_name) objectclass user {add | remove} {user_objectclass |
clear}
Adds/removes user objectclass values from the list (these values are used during VPM searches of the
LDAP realm), or clears all values from the user objectclass list.
#(config ldap realm_name) primary-server host [port]
Specifies the primary server host and port.
#(config ldap realm_name) protocol-version {2 | 3}
Specifies the LDAP version to use. SSL and referral processing are not available in LDAP v2.
#(config ldap realm_name) referrals-follow {disable | enable}
Disables/enables referral processing. This is available in LDAP v3 only.
#(config ldap realm_name) refresh-time {authorization-refresh seconds |
credential-refresh seconds | rejected-credentials-refresh seconds |
surrogate-refresh seconds}
Sets the refresh time for authorization, credential, rejected credentials cache, and surrogates.
#(config ldap realm_name) rename new_realm_name
Renames this realm to new_realm_name.
#(config ldap realm_name) search anonymous {disable | enable}
Disables/enables anonymous searches.
#(config ldap realm_name) search dereference {always | finding | never |
searching}
Specifies the dereference level. Specify always to always dereference aliases. Specify finding to
dereference aliases only while locating the base of the search. Specify searching to dereference aliases
only after locating the base of the search. Specify never to never dereference aliases.
#(config ldap realm_name) search encrypted-password encrypted_password
Specifies the password to bind with during searches in encrypted format.
#(config ldap realm_name) search password password
Specifies the password to bind with during searches.
#(config ldap realm_name) search user-dn user_dn
Specifies the user DN to bind with during searches.
#(config ldap realm_name) server-type {ad | iplanet | nds | other}
Specifies the LDAP server type for this realm.
#(config ldap realm_name) spoof-authentication {none | origin | proxy}
Enables/disables the forwarding of authenticated credentials to the origin content server or for proxy
authentication. Flush the entries for a realm if the spoof-authentication value is changed to ensure that
the spoof-authentication value is immediately applied.

You can only choose one.


If set to origin, the spoofed header is an Authorization: header.



If set to proxy, the spoofed header is a Proxy-Authorization: header.



If set to none, no spoofing is done.

#(config ldap realm_name) ssl {disable | enable}
Disables/enables SSL communication between the ProxySG and the LDAP server. This is only available
in LDAP v3.
#(config ldap realm_name) ssl-device-profile ssl_device_profile_name
Specifies the device profile to use.
#(config ldap realm_name) support-nested-groups {disable | enable}
Enables or disables the nested group feature.

293

Chapter 3: Privileged Mode Configure Commands

#(config ldap realm_name) timeout seconds
Specifies the LDAP server’s timeout.
#(config ldap realm_name) validate-authorized-user {enable | disable}
When validate-authorized-user is enabled, an authorization (not authentication) request
verifies that the user exists in the LDAP server. If the user does not exist, the authorization request fails
(authentication requests always require the user to exist).
When validate-authorized-user is disabled, no user existence check is made for an authorization
request. If the user does not exist, the authorization request succeeds
#(config ldap realm_name) view
Displays this realm’s configuration.
#(config ldap realm_name) virtual-url url
Specifies the virtual URL to use for this realm. If no URL is specified the global transparent proxy virtual
URL is used.

For More Information


Volume 4: Securing the Blue Coat ProxySG Appliance

Example
#(config) security ldap
#(config ldap testldap)
ok
#(config ldap testldap)
ok
#(config ldap testldap)

edit-realm testldap
server-type iplanet
spoof-authentication origin
exit

Volume 11: Command Line Interface Reference

294

Chapter 3: Privileged Mode Configure Commands

#(config) security local
Using a Local realm is appropriate when the network topography does not include external
authentication or when you want to add users and administrators to be used by the ProxySG
appliance only.
The Local realm (you can create up to 40) uses a Local User List, a collection of users and groups stored
locally on the ProxySG appliance. You can create up to 50 different Local User Lists. Multiple Local
realms can reference the same list at the same time, although each realm can only reference one list at a
time. The default list used by the realm can be changed at any time.

Synopsis
Allows you to configure and manage local realms.

Syntax
#(config) security local [subcommands]

Subcommands
#(config) security local create-realm realm_name
Creates the specified local realm.
#(config) security local delete-realm realm_name
Deletes the specified local realm.
#(config) security local edit-realm realm_name
Changes the prompt. See Submodes for details.
#(config) security local view [realm_name]
Displays the configuration of all local realms or just the configuration for realm_name if specified.

Submodes
#(config) security local edit-realm realm_name

This changes the prompt to:
#(config local realm_name)

Commands found in this submode include:
#(config local realm_name) cache-duration seconds
Specifies the length of time to cache credentials for this realm.
#(config local realm_name) cookie {persistent {enable | disable} | verify-ip
{enable | disable}
Specifies whether to enable persistent or session cookies, and whether to verify the IP address of the
cookie.
#(config local realm_name) default-group-name default_group_name
If the validate-authorized-user command is disabled and a default-group-name is configured,
the default-group-name is used as the group name for non-existent users.
#(config local realm_name) display-name display_name
Specifies the display name for this realm.
#(config local realm_name) exit
Exits configure security local mode and returns to #(config) mode.
#(config local realm_name) refresh-time {authorization-refresh seconds |
surrogate-refresh seconds}
Sets the refresh time for authorization and surrogates.

295

Chapter 3: Privileged Mode Configure Commands

#(config local realm_name) inactivity-timeout seconds
Specifies the amount of time a session can be inactive before being logged out.
#(config local realm_name) local-user-list local_user_list_name
Specifies the local user list to for this realm.
#(config local realm_name) no default-group-name
Clears the default group name.
#(config local realm_name) rename new_realm_name
Renames this realm to new_realm_name
#(config local realm_name) spoof-authentication {none | origin | proxy}
Enables/disables the forwarding of authenticated credentials to the origin content server or for proxy
authentication. You can only choose one.



If set to origin, the spoofed header is an Authorization: header.



If set to proxy, the spoofed header is a Proxy-Authorization: header.



If set to none, no spoofing is done.

Flush the entries for a realm if the spoof-authentication value is changed to ensure that the
spoof-authentication value is immediately applied.
#(config local realm_name) validate-authorized-user {disable | enable}
When validate-authorized-user is enabled, an authorization (not authentication) request
verifies that the user exists in the local user list. If the user does not exist in the list, the authorization
request fails (authentication requests always require the user to exist).
When validate-authorized-user is disabled, no user existence check is made for an authorization
request. If the user does not exist, the authorization request succeeds.
#(config local realm_name) view
Displays this realm’s configuration
#(config local realm_name) virtual-url url
Specifies the virtual URL to use for this realm. If no URL is specified the global transparent proxy virtual
URL is used.

For More Information


#(config security local-user-list) on page 297



Volume 4: Securing the Blue Coat ProxySG Appliance

Example
#(config) security local edit-realm testlocal
#(config local testlocal) cache-duration 1500
ok
#(config local testlocal) spoof-authentication proxy
ok
#(config local testlocal) exit
#(config)

Volume 11: Command Line Interface Reference

296

Chapter 3: Privileged Mode Configure Commands

#(config security local-user-list)
The local-user-list is only used in conjunction with local realms.

Synopsis
Manages the local-user-list used in local realms.

Syntax
#(config) security local-user-list [subcommands]

Subcommands
#(config) security local-user-list clear [force]
Clears all local user lists. Lists referenced by local realms and the default local user list are recreated but
empty. Specify force to clear realms without a prompt for confirmation.
#(config) security local-user-list create local-user-list
Creates the local user list with the name specified
#(config) security local-user-list default append-to-default {disable | enable}
Disables/enables appending uploaded users to the default local user list.
#(config) security local-user-list default list local_user_list
Specifies the default local user list. The default list is populated during password file uploads. The
default list is also the default list used by local realms when they are created
#(config) security local-user-list delete local-user-list [force]
Deletes the specified local user list. The default list and any lists used by local realms cannot be deleted.
Specify force to delete the list without a prompt for confirmation.
#(config) security local-user-list edit local-user-list
Changes the prompt. See Submodes.

Submodes
#(config) security local-user-list edit local_user_list

This changes the prompt to:
#(config local-user-list local_user_list)

Commands found in this submode include:
#(config local-user-list local_user_list) disable-all
Disables all user accounts in the specified list.
#(config local-user-list local_user_list) enable-all
Enables all user accounts in the specified list.
#(config local-user-list local_user_list) exit
Exits configure local-user-list mode and returns to configure mode.
#(config local-user-list local_user_list) group clear
Clears all groups from the list. The users remain but do not belong to any groups.
#(config local-user-list local_user_list) group create group_name
Creates the specified group in the local user list.
#(config local-user-list local_user_list) group delete group_name [force]
Deletes the specified group in the local user list.
#(config local-user-list local_user_list) lockout-duration seconds
The length of time a user account is locked out after too many failed password attempts. The default is
3600

297

Chapter 3: Privileged Mode Configure Commands

#(config local-user-list local_user_list) max-failed-attempts attempts
The number of failed attempts to login to an ProxySG before the user account is locked. The default is 60
attempts.
#(config local-user-list local_user_list) no [lockout-duration |
max-failed-attempts | reset-interval]
Disables the settings for this user list.
#(config local-user-list local_user_list) reset-interval seconds
The length of seconds to wait after the last failed attempt before resetting the failed counter to zero.
#(config local-user-list local_user_list) user clear
Clears all users from the list. The groups remain but do not have any users.
#(config local-user-list local_user_list) user create user_name
Creates the specified user in the local user list.
#(config local-user-list local_user_list) user delete user_name [force]
Deletes the specified user in the local user list.
#(config local-user-list local_user_list) user edit user_name
changes the prompt to #(config local-user-list local_user_list user_name)
Edits the specified user in the local user list.
#(config local-user-list local_user_list user_name) {disable | enable}
Disables/enables the user account.
#(config local-user-list local_user_list user_name) exit
Exits configure local-user-list user_list mode and returns to configure local-user-list mode.
#(config local-user-list local_user_list user_name) group {add | remove}
group_name
Adds/removes the specified group from the user.
#(config local-user-list local_user_list user_name) hashed-password
hashed_password
Specifies the user’s password in hashed format.
#(config local-user-list local_user_list user_name) password password
Specifies the user’s password.
#(config local-user-list local_user_list user_name) view
Displays the user account.
#(config local-user-list local_user_list) view
Displays all users and groups in the local user list.

For More Information


#(config) security local on page 295



Volume 4: Securing the Blue Coat ProxySG Appliance

Example
#(config) security local-user-list edit testlul
#(config local-user-list testlul) user create testuser
ok
#(config local-user-list testlul) user edit testuser
#(config local-user-list testlul testuser) enable
ok
#(config local-user-list testlul testuser) exit
#(config local-user-list testlul) exit
#(config)

Volume 11: Command Line Interface Reference

298

Chapter 3: Privileged Mode Configure Commands

#(config security management)
Synopsis
Manages the automatic logging out of a user and sets the name of realm in the management console
challenge.

Syntax
#(config) security management [subcommands]

Subcommands
#(config) security management auto-logout-timeout seconds
Specifies the length of a management console session before the administrator is required to re-enter
credentials. The default is 900 seconds (15 minutes). Acceptable values are between 300 and 86400
seconds (5 minutes to 24 hours).
#(config) security management display-realm realm_name
Specifies the realm to display in the management console challenge. The default value is the IP address
of the ProxySG.
#(config) security management no auto-logout-timeout
Disables the automatic session logout.
#(config) security management no display-realm
Resets the display realm to be the IP address of the ProxySG.

For More Information


Volume 1: Getting Started

Example
#(config) security management auto-logout-timeout seconds

299

Chapter 3: Privileged Mode Configure Commands

#(config security novell-sso)
Synopsis
Allows you to configure and manage Novell SSO realms.

Syntax
#(config) security novell-sso [subcommands]

Subcommands
#(config) security novell-sso create-realm realm_name
Creates the specified Novell SSO realm.
#(config) security novell-sso delete-realm realm_name
Deletes the specified Novell SSO realm.
#(config) security novell-sso edit-realm realm_name
Changes the prompt. See Submodes for details.
#(config) security novell-sso view [realm_name]
Displays the configuration of all Novell SSO realms or just the configuration for realm_name if
specified.

Submodes
#(config) security novell-sso edit-realm realm_name

This changes the prompt to:
#(config novell-sso realm_name)

Commands found in this submode include:
SGOS#(config novell-sso realm_name) alternate-agent {host hostname | port
port_number}
Specifies the alternate agent hostname and port number.
SGOS#(config novell-sso realm_name) authorization {realm-name
authorization-realm-name | username username | no {authorization-realm-name |
username} | self}
Specifies the realm name, which can be self, and username for authorization. No clears the realm and
username.
SGOS#(config novell-sso realm_name) cookie {persistent {disable | enable}|
verify-ip {disable | enable}}
Specifies whether to enable persistent or session cookies, and whether to verify the IP address of the
cookie.
SGOS#(config novell-sso realm_name) exit
Leaves the novell-sso edit-realm mode.
SGOS#(config novell-sso realm_name) full-search {day-of-week | time-of-day}
Specifies the day of the week for full searches to occurs and the time of the day (UTC time) to search.
SGOS#(config novell-sso realm_name) inactivity-timeout seconds
Specifies the amount of time a session can be inactive before being logged out.
SGOS#(config novell-sso realm_name) ldap monitor-server {add LDAP_host [LDAP_port]|
clear | remove LDAP_host [LDAP_port]}
Add an LDAP host to list of servers to be monitored, clear the list, or remove a specific LDAP host from
the list of servers to be monitored.

Volume 11: Command Line Interface Reference

300

Chapter 3: Privileged Mode Configure Commands

SGOS#(config novell-sso realm_name) ldap search-realm ldap_realm
Specifies the name of the realm to search and monitor.
SGOS#(config novell-sso realm_name) ldap-name {login-time LDAP_name| network-address
LDAP_name}
Specifies the name of the LDAP server for Novell directory attributes.
SGOS#(config novell-sso realm_name) no alternate-agent
Removes the alternate agent.
SGOS#(config novell-sso realm_name) primary-agent {host hostname | port port_number}
Specifies the primary agent hostname and port number.
SGOS#(config novell-sso realm_name) refresh-time {authorization-refresh seconds |
surrogate-refresh seconds}
Sets the refresh time for authorization and surrogates.
SGOS#(config novell-sso realm_name) rename new_realm_name
Renames the current realm to new_realm_name.
SGOS#(config novell-sso realm_name) ssl {enable | disable}
Enables or disables SSL between the ProxySG and the BCAAA service.
SGOS#(config novell-sso realm_name) ssl-device-profile ssl_device_profile_name
Specifies the device profile to use
SGOS#(config novell-sso realm_name) timeout seconds
The time allotted for each request attempt. The default is 60 seconds.
SGOS#(config novell-sso realm_name) view
Displays this realm’s configuration.
SGOS#(config novell-sso realm_name) virtual-url url
Specifies the virtual URL to use for this realm. If no URL is specified the global transparent proxy virtual
URL is used.

301

Chapter 3: Privileged Mode Configure Commands

#(config) security password and hashed_password
Synopsis
Sets the console password to the password specified.

Syntax
#(config) security password “password”
#(config) security password hashed-password hashed_password

Subcommands
#(config) security password “password”
Note that the password must be in quotes. This is the password required to enter enable mode from the
CLI when using console credentials, the serial console, or RSA SSH.
#(config) security hashed-password hashed_password
The password in hashed format. You can either hash the password prior to entering it, or you can allow
the ProxySG to hash the password.

For More Information


Volume 4: Securing the Blue Coat ProxySG Appliance

Example
#(config) security password “good2test”

Volume 11: Command Line Interface Reference

302

Chapter 3: Privileged Mode Configure Commands

#(config) security password-display
Synopsis
Sets various display settings.

Syntax
#(config) security password-display [subcommands]

Subcommands
#(config) security password-display {encrypted | none}
Specifies the format to display passwords in show config output. Specify encrypted to display
encrypted passwords. Specify none to display no passwords.
#(config) security password-display keyring
Specifies the keyring to use for password encryption.
#(config) security password-display view
Displays the current password display settings.

For More Information


Volume 4: Securing the Blue Coat ProxySG Appliance

Example
#(config) security password-display view
Password display mode: Encrypted
Password encryption keyring: configuration-passwords-key

303

Chapter 3: Privileged Mode Configure Commands

#(config security policy-substitution)
A Policy Substitution realm provides a mechanism for identifying and authorizing users based on
information in the request to the ProxySG. The realm uses information in the request and about the
client to identify the user. The realm is configured to construct user identity information by using
policy substitutions.
The Policy Substitution realm is used typically for best-effort user discovery, mainly for logging and
subsequent reporting purposes, without the need to authenticate the user. Be aware that if you use
Policy Substitution realms to provide granular policy on a user, it might not be very secure because the
information used to identify the user can be forged.

Synopsis
Allows you to create and manage policy-substitution realms.

Syntax
#(config) security polity-substitution [subcommands]

Subcommands
#(config) security polity-substitution create-realm realm_name
Creates the specified policy-substitution realm
#(config) security polity-substitution delete-realm realm_name
Deletes the specified policy-substitution realm.
#(config) security polity-substitution edit-realm realm_name
Changes the prompt. See Submodes for details.
#(config) security polity-substitution view [realm_name]
Displays the configuration of all policy-substitution realms or just the configuration for realm_name if
specified.

Submodes
#(config) security policy-substitution edit-realm realm_name

This changes the prompt to:
#(config policy-substitution realm_name)

Commands found in this submode include:
#(config policy-substitution realm_name) authorization-realm-name realm_name
This option is only required if you are associating an authorization realm with the Policy Substitution
realm.
#(config policy-substitution realm_name) cookie {persistent {disable | enable}|
verify-ip {disable | enable}}
Specifies whether to enable persistent or session cookies, and whether to verify the IP address of the
cookie.
#(config policy-substitution realm_name) exit
Leaves the windows-sso edit-realm mode.
#(config policy-substitution realm_name) full-username construction_rule
The full username as created through policy substitutions. The construction rule is made up any of the
substitutions whose values are available at client logon, listed in Appendix D, “CPL Substitutions,” in
Volume 10: Content Policy Language Guide.

Volume 11: Command Line Interface Reference

304

Chapter 3: Privileged Mode Configure Commands

Note: The username and full username attributes are character strings that contain policy
substitutions. When authentication is required for the transaction, these character strings are
processed by the policy substitution mechanism, using the current transaction as input. The
resulting string is stored in the user object in the transaction, and becomes the user’s identity.

To create full usernames for various uses in Policy Substitution realms, refer to Volume 10:
Content Policy Language Guide.
#(config policy-substitution realm_name) inactivity-timeout seconds
Specifies the amount of time a session can be inactive before being logged out.
#(config policy-substitution realm_name) no authorization-realm-name
Clears the authorization realm name.
#(config policy-substitution realm_name) refresh-time {authorization-refresh
seconds | surrogate-refresh seconds}
Sets the refresh time for authorization and surrogates.
#(config policy-substitution realm_name) rename new_realm_name
Renames this realm to new_realm_name.
#(config policy-substitution realm_name) username construction_rule
The username as created through policy substitutions. Note that the username is only required if you are
using an authorization realm. The construction rule is made up any of the policy substitutions whose
values are available at client logon, listed in Appendix D, “CPL Substitutions,” in Volume 10: Content
Policy Language Guide.
Note: The username and full username attributes are character strings that contain policy
substitutions. When authentication is required for the transaction, these character strings are
processed by the policy substitution mechanism, using the current transaction as input. The
resulting string is stored in the user object in the transaction, and becomes the user’s identity.

To create usernames for the various uses of Policy Substitution realms, refer to Volume 10:
Content Policy Language Guide
#(config policy-substitution realm_name) view
Displays this realm’s configuration.
#(config policy-substitution realm_name) virtual-url url
Specifies the virtual URL to use for this realm. If no URL is specified the global transparent proxy virtual URL
is used.

For More Information


Volume 8: Access Logging



Volume 10: Content Policy Language Guide

Example
#(config) security policy-substitution edit-realm PS1
#(config policy-substitution PS1) authorization-realm-name LDAP1
#(config policy-substitution PS1) username $(netbios.messenger-username)
#(config policy-substitution PS1) full-username
cn=$(netbios.messenger-username),cn=users,dc=$(netbios.computer-domain),
dc=company,dc=com

305

Chapter 3: Privileged Mode Configure Commands

#(config security radius)
RADIUS is often the protocol of choice for ISPs or enterprises with very large numbers of users.
RADIUS is designed to handle these large numbers through centralized user administration that eases
the repetitive tasks of adding and deleting users and their authentication information. RADIUS also
inherently provides some protection against sniffing.
Some RADIUS servers support one-time passwords. One-time passwords are passwords that become
invalid as soon as they are used. The passwords are often generated by a token or program, although
pre-printed lists are also used. Using one-time passwords ensures that the password cannot be used in
a replay attack.
The ProxySG appliance’s one-time password support works with products such as Secure Computing
SafeWord synchronous and asynchronous tokens and RSA SecurID tokens.
The ProxySG appliance supports RADIUS servers that use challenge/response as part of the
authentication process. SafeWord asynchronous tokens use challenge/response to provide
authentication. SecurID tokens use challenge/response to initialize or change PINs.

Synopsis
Allows you to create and manage RADIUS realms.

Syntax
#(config) security radius [subcommands]

Subcommands
#(config) security radius create-realm realm_name
Creates the specified RADIUS realm
#(config) security radius delete-realm realm_name
Deletes the specified RADIUS realm.
#(config) security radius edit-realm realm_name
Changes the prompt. See Submodes for details.
#(config) security radius view [realm_name]
Displays the configuration of all RADIUS realms or just the configuration for realm_name if specified.

Submodes
#(config) security radius edit-realm realm_name

This changes the prompt to:
#(config radius realm_name)

Commands found in this submode include:
#(config radius realm_name) alternate-server encrypted-secret encrypted_secret
Specifies the alternate server secret in encrypted format. Note that you must create the encrypted secret
before executing the host [port] command.
#(config radius realm_name) alternate-server host [port]
Specifies the alternate server host and port.
#(config radius realm_name) alternate-server secret secret
Specifies the alternate server secret. Note that you must create the secret before executing the host
[port] command
#(config radius realm_name) case-sensitive {disable | enable}
Specifies whether or not the RADIUS server is case-sensitive.

Volume 11: Command Line Interface Reference

306

Chapter 3: Privileged Mode Configure Commands

#(config radius realm_name) cookie {persistent {enable | disable} | verify-ip
{enable | disable}
Specifies whether to enable persistent or session cookies, and whether to verify the IP address of the
cookie.
#(config radius realm_name) display-name display_name
Specifies the display name for this realm.
#(config radius realm_name) exit
Exits configure radius-realm mode and returns to configure mode.
#(config radius realm_name) inactivity-timeout seconds
Specifies the amount of time a session can be inactive before being logged out.
#(config radius realm_name) log-out {challenge {enable | disable} | display-time
seconds}
Allows you to challenge the user after log out and define the log out page display time.
#(config radius realm_name) no alternate-server
Clears the alternate-server.
#(config radius realm_name) one-time-passwords {enable | disable}
Allows you to use one-time passwords for authentication. The default is disabled.
#(config radius realm_name) primary-server encrypted-secret encrypted_secret
Specifies the primary server secret in encrypted format.
#(config radius realm_name) primary-server host [port]
Specifies the primary server host and port.
#(config radius realm_name) primary-server secret secret
Specifies the primary server secret.
#(config radius realm_name) refresh-time {credential-refresh seconds |
rejected-credentials-refresh seconds | surrogate-refresh seconds}
Sets the refresh time for credential, rejected credentials cache, and surrogates.
#(config radius realm_name) rename new_realm_name
Renames this realm to new_realm_name.
#(config radius realm_name) server-retry count
Specifies the number of authentication retry attempts. This is the number of attempts permitted before
marking a server offline. The client maintains an average response time from the server; the retry interval
is initially twice the average. If that retry packet fails, then the next packet waits twice as long again. This
increases until it reaches the timeout value. The default number of retries is 10.
#(config radius realm_name) spoof-authentication {none | origin | proxy}
Enables/disables the forwarding of authenticated credentials to the origin content server or for proxy
authentication. You can only choose one.



If set to origin, the spoofed header is an Authorization: header.



If set to proxy, the spoofed header is a Proxy-Authorization: header.



If set to none, no spoofing is done.

Flush the entries for a realm if the spoof-authentication value is changed to ensure that the
spoof-authentication value is immediately applied.
#(config radius realm_name) timeout seconds
Specifies the RADIUS request timeout. This is the number of seconds the ProxySG allows for each
request attempt before giving up on a server and trying another server. Within a timeout multiple
packets can be sent to the server, in case the network is busy and packets are lost. The default request
timeout is 10 seconds.
#(config radius realm_name) server-charset charset
Allows you to select the character set you need. A character set is a MIME charset name. Any of the

307

Chapter 3: Privileged Mode Configure Commands

standard charset names for encodings commonly supported by Web browsers can be used. The default is
Unicode:UTF8.

One list of standard charset names is found at
http://www.iana.org/assignments/character-sets.
#(config radius realm_name) view
Displays this realm’s configuration.
#(config radius realm_name) virtual-url url
Specifies the virtual URL to use for this realm. If no URL is specified the global transparent proxy virtual
URL is used.

For More Information


Volume 4: Securing the Blue Coat ProxySG Appliance

Example
#(config) security radius edit-realm testradius
#(config radius testradius) server-retry 8
ok
#(config radius testradius) spoof-authentication proxy
ok
#(config radius testradius) exit

Volume 11: Command Line Interface Reference

308

Chapter 3: Privileged Mode Configure Commands

#(config security request-storage)
When a request requiring the user to be challenged with a form contains a body, the request is stored
on the ProxySG while the user is being authenticated. Storage options include:


the maximum request size.



the expiration of the request.



whether to verify the IP address of the client requesting against the original request.



whether to allow redirects from the origin server

The storage options are global, applying to all form exceptions you use.
The global allow redirects configuration option can be overridden on a finer granularity in policy
using the authenticate.redirect_stored_requests(yes|no) action.

Synopsis
Used with authentication forms to store requests.

Syntax
#(config) security request-management [subcommands]

Subcommands
#(config) security request-management allow-redirects {disable | enable}
Specifies whether to allow redirects. The default is disable.
#(config) security request-management expiry-time seconds
Sets the amount of time before the stored request expires. The default is 300 seconds (five minutes).
#(config) security request-management max-size megabytes
Sets the maximum POST request size during authentication. The default is 50 megabytes.
#(config) security request-management verify-ip {disable | enable}
Enables or disables the verify-ip option. The default is to enable the ProxySG to verify the IP address
against the original request.

For More Information


#(config security authentication-forms) on page 275



Volume 4: Securing the Blue Coat ProxySG Appliance

Example
#(config)
#(config)
#(config)
#(config)

security
security
security
security

request-storage
request-storage
request-storage
request-storage

max-size megabytes
expiry-time seconds
verify-ip enable | disable
allow-redirects enable | disable

309

Chapter 3: Privileged Mode Configure Commands

#(config security sequence)
Once a realm is configured, you can associate it with other realms to allow Blue Coat to search for the
proper authentication credentials for a specific user. That is, if the credentials are not acceptable to the
first realm, they are sent to the second, and so on until a match is found or all the realms are exhausted.
This is called sequencing.

Synopsis
Allows you to create and manage sequence realms.

Syntax
#(config) security sequence [subcommands]

Subcommands
#(config) security sequence create-realm realm_name
Creates the specified sequence realm
#(config) security sequence delete-realm realm_name
Deletes the specified sequence realm.
#(config) security sequence edit-realm realm_name
Changes the prompt. See Submodes for details.
#(config) security sequence view [realm_name]
Displays the configuration of all sequence realms or just the configuration for realm_name if specified.
#(config) security sequence edit-realm realm_sequence_name

This changes the prompt to:
#(config sequence realm_sequence_name)

Submodes
Commands available in this submode include:
#(config sequence realm_sequence_name) display-name display_name
Specifies the display name for this realm.
#(config sequence realm_sequence_name) exit
Exits configure sequence-realm mode and returns to configure mode.
#(config sequence realm_sequence_name) IWA-only-once {disable | enable}
Specifies whether or not to challenge for credentials for the IWA realm one or multiple times.
#(config sequence realm_sequence_name) realm {add | demote | promote | remove}
{realm_name | clear}
Adds/demotes/promotes/removes a realm from the realm sequence, or clears all realms from the realm
sequence.
#(config sequence realm_sequence_name) rename new_realm_name
Renames this realm to new_realm_sequence_name.
#(config sequence realm_sequence_name) try-next-realm-on-error {disable | enable}

Use this command to specify that the next realm on the list should be attempted if
authentication in the previous realm has failed with a permitted error. The default value is to
not attempt the next realm and fall out of the sequence.
#(config sequence realm_sequence_name) view
Displays this realm’s configuration.

Volume 11: Command Line Interface Reference

310

Chapter 3: Privileged Mode Configure Commands

#(config sequence realm_sequence_name) virtual-url url
Specifies the virtual URL to use for this realm sequence. If no URL is specified the global transparent
proxy virtual URL is used.

For More Information


Volume 4: Securing the Blue Coat ProxySG Appliance

Example
#(config) security sequence edit-realm testsequence
#(config sequence testsequence) IWA-only-once disable
ok
#(config sequence testsequence) realm clear
ok
#(config sequence testsequence) exit

311

Chapter 3: Privileged Mode Configure Commands

#(config security siteminder)
Within the SiteMinder system, BCAAA acts as a custom Web agent. It communicates with the
SiteMinder policy server to authenticate the user and to obtain a SiteMinder session token, response
attribute information, and group membership information.
Custom header and cookie response attributes associated with OnAuthAccept and OnAccessAccept
attributes are obtained from the policy server and forwarded to the ProxySG appliance. They can (as
an option) be included in requests forwarded by the appliance.
Within the ProxySG system, BCAAA acts as its agent to communicate with the SiteMinder server. The
ProxySG appliance provides the user information to be validated to BCAAA, and receives the session
token and other information from BCAAA.
Each ProxySG SiteMinder realm used causes the creation of a BCAAA process on the Windows host
computer running BCAAA. A single host computer can support multiple ProxySG realms (from the
same or different ProxySG appliances); the number depends on the capacity of the BCAAA host
computer and the amount of activity in the realms.
Note:

Each (active) SiteMinder realm on the ProxySG appliance should reference a different agent
on the Policy Server.
Configuration of the ProxySG’s realm must be coordinated with configuration of the SiteMinder
policy server. Each must be configured to be aware of the other. In addition, certain SiteMinder
responses must be configured so that BCAAA gets the information the ProxySG appliance needs.

Synopsis
Allows you to create and manage SiteMinder realms.

Syntax
#(config) security siteminder [subcommands]

Subcommands
#(config) security siteminder create-realm realm_name
Creates the specified SiteMinder realm
#(config) security siteminder delete-realm realm_name
Deletes the specified SiteMinder realm.
#(config) security siteminder edit-realm realm_name
Changes the prompt. See Submodes for details.
#(config) security siteminder view [realm_name]
Displays the configuration of all SiteMinder realms or just the configuration for realm_name if
specified.

Volume 11: Command Line Interface Reference

312

Chapter 3: Privileged Mode Configure Commands

Submodes
#(config) security siteminder edit-realm realm_name

This changes the prompt to:
#(config siteminder realm_name)

Commands in this submode include:
#(config siteminder realm_name) add-header-responses {enable | disable}
Enable if your Web applications need information from the SiteMinder policy server responses.
#(config siteminder realm_name) alternate-agent agent_name
Specifies the alternate agent.
#(config siteminder realm_name) alternate-agent encrypted-secret
encrypted-shared-secret
Specifies the alternate agent secret in encrypted format.
#(config siteminder realm_name) alternate-agent host
The host ID or the IP address of the system that contains the alternate agent.
#(config siteminder realm_name) alternate-agent port
The port where the agent listens.
#(config siteminder realm_name) alternate-agent shared-secret secret
Specifies the alternate agent secret.
#(config siteminder realm_name) alternate-agent always-redirect-offbox
Enables or disables SSO.
#(config certificate realm_name) authorization {ignore-user-list {add | clear |
remove}
Manages the ignore-user-list, which is the list of those to ignore if they are returned as search results.
##(config siteminder realm_name) authorization realm {none | realm-name
realm_name}
Specifies the authorization realm to use. Only LDAP, XML, and local realms are valid authorization
realms.
#(config siteminder realm_name) authorization search-filter search_filter
Specifies the search filter that should be used during a search of the LDAP server. The filter can contain
policy substitutions including $(cs-username).
#(config siteminder realm_name) authorization user-attribute {fqdn |
LDAP_attribute_name}
Specifies the user-attribute (fully qualified domain name or an LDAP attribute name) to be used during a
search of the LDAP server.
#(config siteminder realm_name) authorization username {determine-by-search |
use-full-username | username_for_authorization}
Specifies the way a username should be determined. The default is the attribute cn, which specifies the
user’s relative name.
#(config siteminder realm_name) always-redirect-offbox {enable | disable}
The ProxySG realm can be configured to redirect to an off-box authentication service always.

The URL of the service is configured in the scheme definition on the SiteMinder policy server.
The ProxySG realm is then configured with always-redirect-offbox enabled.
#(config siteminder realm_name) case-sensitive {enable | disable}
Specifies whether the SiteMinder server is case-sensitive.
#(config siteminder realm_name) cookie {persistent {enable | disable} | verify-ip
{enable | disable}
Specifies whether to enable persistent or session cookies, and whether to verify the IP address of the
cookie.

313

Chapter 3: Privileged Mode Configure Commands

#(config siteminder realm_name) display-name display_name
Specifies the display name for this realm.
#(config siteminder realm_name) exit
Exits configure siteminder-realm mode and returns to configure mode.
#(config siteminder realm_name) inactivity-timeout seconds
Specifies the amount of time a session can be inactive before being logged out.
#(config siteminder realm_name) log-out {challenge {enable | disable} |
display-time seconds}
Allows you to challenge the user after log out and define the log out page display time.
#(config siteminder realm_name) no alternate-agent
Clears the alternate agent configuration.
#(config siteminder realm_name) primary-agent agent_name
Specifies the primary agent.
#(config siteminder realm_name) primary-agent encrypted-secret
encrypted-shared-secret
Specifies the primary agent secret in encrypted format.
#(config siteminder realm_name) primary-agent host
The host ID or the IP address of the system that contains the primary agent.
#(config siteminder realm_name) primary-agent port
The port where the agent listens.
#(config siteminder realm_name) primary-agent shared-secret secret
Specifies the primary agent secret.
#(config siteminder realm_name) primary-agent always-redirect-offbox
Enables or disables the SSO-Only mode.
#(config siteminder realm_name) protected-resource-name resource-name
The protected resource name is the same as the resource name on the SiteMinder server that has rules
and policy defined for it.
#(config siteminder realm_name) refresh-time {credential-refresh seconds |
rejected-credentials-refresh seconds | surrogate-refresh seconds}
Sets the refresh time for credential , rejected credentials cache, and surrogates.
#(config siteminder realm_name) rename new_realm_name
Renames this realm to new_realm_name.
#(config siteminder realm_name) server-mode {failover | round-robin}
Behavior of the server. Failover mode falls back to one of the other servers if the primary one is down.
Round-robin modes specifies that all of the servers should be used together in a round-robin approach.
Failover is the default
#(config siteminder realm_name) siteminder-server create server_name
Creates a SiteMinder server.
#(config siteminder realm_name) siteminder-server delete server_name
Deletes a SiteMinder server.
#(config siteminder realm_name) siteminder-server edit server_name
This changes the prompt to #(config siteminder realm_name server_name).
#(config siteminder realm_name server_name) accounting-port port_number
The default is 44441. The ports should be the same as the ports configured on the SiteMinder policy
server. The valid port range is 1-65535.
#(config siteminder realm_name server_name) authentication-port port_number
The default is 44442. The ports should be the same as the ports configured on the SiteMinder server. The
valid port range is 1-65535.

Volume 11: Command Line Interface Reference

314

Chapter 3: Privileged Mode Configure Commands

#(config siteminder realm_name server_name) authorization-port port_number
The default is 44443. The ports should be the same as the ports configured on the SiteMinder server. The
valid port range is 1-65535.
#(config siteminder realm_name server_name) connection-increment number
The default is 1. The connection increment specifies how many connections to open at a time if more are
needed and the maximum is not exceeded.
#(config siteminder realm_name server_name) exit
Leaves the server_name prompt and returns to the SiteMinder realm_name prompt.
#(config siteminder realm_name server_name) ip-address ip_address
The IP address of the SiteMinder server.
#(config siteminder realm_name server_name) max-connections number
The default is 256. The maximum number of connections is 32768.
#(config siteminder realm_name server_name) min-connections number
The default is 1.
#(config siteminder realm_name server_name) timeout seconds
The default is 60.
#(config siteminder realm_name server_name) view
Displays the server’s configuration.
#(config siteminder realm_name) ssl {enable | disable}
Disables/enables SSL communication between the ProxySG and BCAAA.
#(config siteminder realm_name) ssl-device-profile ssl_device_profile_name
Specifies the device profile to use.
#(config siteminder realm_name) timeout seconds
#(config siteminder realm_name) validate-client-ip {disable | enable}
Enables validation of the client IP address. If the client IP address in the SSO cookie might be valid yet
different from the current request client IP address, due to downstream proxies or other devices, disable
client IP validation. The SiteMinder agents participating in SSO with the ProxySG should also be
modified. The TransientIPCheck variable should be set to yes to enable IP validation and no to disable
it.

Enable is the default.
#(config siteminder realm_name) view
Displays this realm’s configuration.
#(config siteminder realm_name) virtual-url url
Specifies the virtual URL to use for this SiteMinder realm. If no URL is specified the global transparent
proxy virtual URL is used.

For More Information


Volume 4: Securing the Blue Coat ProxySG Appliance

Example
#(config) security siteminder edit-realm test2
#(config siteminder test2) server-mode round-robin
ok
#(config siteminder test2) ssl enable
ok
#(config siteminder test2) exit

315

Chapter 3: Privileged Mode Configure Commands

#(config) security transparent-proxy-auth
Synopsis
Configures authentication method for transparent proxies

Syntax
#(config) security transparent-proxy-auth [subcommands]

Subcommands
#(config) security transparent-proxy-auth method {ip | cookie}
Specifies whether to use IP or cookie surrogate credentials.

For More Information


Volume 1: Getting Started

Example
#(config) security transparent-proxy-auth method cookie

Volume 11: Command Line Interface Reference

316

Chapter 3: Privileged Mode Configure Commands

#(config) security users
Synopsis
Allows administrators to manage user log ins, logouts and refresh data.

Syntax
#(config) security users

This changes the prompt to:
#(config users) [subcommands]

Subcommands
#(config users) authorization-refresh {ip-addresses prefix [realm_name] | realms
[realm_name]| users glob_user_name [realm_name]}
Refreshes authorization data for the specified IP address, realm (or all realms), or user.
The IP address subnet notation is based on Classless Inter-Domain_Routing (CIDR):


1.2.3.4 : the IP address 1.2.3.4



1.2.3.0/24: the subnet 1.2.3.0 with netmask 255.255.255.0

The username pattern is a glob-based pattern, supporting three operators:


'*' : match zero or more characters



'?' : match exactly one character



'[x-y]': match any character in the character range from 'x' to 'y'

#(config users) credentials-refresh {ip-addresses prefix [realm_name] | realms
[realm_name]| users glob_user_name [realm_name]}
Refreshes credential data for the specified IP address, realm (or all realms), or user.
#(config users) log-out {ip-addresses prefix [realm_name] | realms [realm_name]|
users glob_user_name [realm_name]}
Logs out the specified IP address, realm (or all realms), or user.
#(config users) surrogates-refresh {ip-addresses prefix [realm_name] | realms
[realm_name]| users glob_user_name [realm_name]}
Refreshes surrogate data for the specified IP address, realm (or all realms), or user.
#(config users) view detailed {ip-addresses prefix [realm_name] | realms
[realm_name]| users glob_user_name [realm_name]}
See a detailed view of users, sorted by IP address, realm, or username.
#(config users) view {ip-addresses prefix [realm_name] | realms [realm_name] | users
glob_user_name [realm_name]}
See all logged-in users sorted by IP address, realm, or username.

For More Information


Volume 4: Securing the Blue Coat ProxySG Appliance

Example
#(config) security users
#(config users) surrogates-refresh ip-addresses 10.25.36.0/24

317

Chapter 3: Privileged Mode Configure Commands

#(config) security username
Synopsis
Sets the console username.

Syntax
#(config) security username name

For More Information


Volume 4: Securing the Blue Coat ProxySG Appliance

Example
#(config) security username QATest

Volume 11: Command Line Interface Reference

318

Chapter 3: Privileged Mode Configure Commands

#(config windows-sso)
In a Windows SSO realm, the client is never challenged for authentication. Instead, the BCAAA agent
collects information about the current logged on user from the domain controller and/or by querying
the client machine. Then the IP address of an incoming client request is mapped to a user identity in
the domain. If authorization information is also needed, then another realm (LDAP or local) must be
created.

Synopsis
Allows you to create and manage Windows SSO realms.

Syntax
#(config) security windows-sso [subcommands]

Subcommands
#(config) security windows-sso create-realm realm_name
Creates the specified Windows SSO realm.
#(config) security windows-sso edit-realm realm_name
Changes the prompt to allow configuration for the specified realm_name.
SGOS#(config windows-sso realm_name) alternate-agent {host hostname | port
port_number}
Specifies the alternate agent hostname and port number.
SGOS#(config windows-sso realm_name) authorization {realm-name
authorization-realm-name | username username | no
{authorization-realm-name | username} | self}
Specifies the realm name, which can be self, and username for authorization. No clears the realm
and username.
SGOS#(config windows-sso realm_name) cookie {persistent {disable | enable}|
verify-ip {disable | enable}}
Specifies whether to enable persistent or session cookies, and whether to verify the IP address of the
cookie.
SGOS#(config windows-sso realm_name) exit
Leaves the windows-sso edit-realm mode.
SGOS#(config windows-sso realm_name) inactivity-timeout seconds
Specifies the amount of time a session can be inactive before being logged out.
SGOS#(config windows-sso realm_name) no alternate-agent
Removes the alternate agent.
SGOS#(config windows-sso realm_name) primary-agent {host hostname | port
port_number}
Specifies the primary agent hostname and port number.
SGOS#(config windows-sso realm_name) refresh-time {authorization-refresh
seconds | surrogate-refresh seconds}
Sets the refresh time for authorization and surrogates.
SGOS#(config windows-sso realm_name) rename new_realm_name
Renames the current realm to new_realm_name.
SGOS#(config windows-sso realm_name) ssl {enable | disable}
Enables or disables SSL between the ProxySG and the BCAAA service.

319

Chapter 3: Privileged Mode Configure Commands

SGOS#(config windows-sso realm_name) ssl-device-profile
ssl_device_profile_name
Specifies the device profile to use
SGOS#(config windows-sso realm_name) sso-type {query-client | query-dc |
query-dc-client}
Selects the method of querying: client, domain controller, or both. The default is domain controller.
SGOS#(config windows-sso realm_name) timeout seconds
The time allotted for each request attempt. The default is 60 seconds.
SGOS#(config windows-sso realm_name) view
Displays this realm’s configuration.
SGOS#(config windows-sso realm_name) virtual-url url
Specifies the virtual URL to use for this SiteMinder realm. If no URL is specified the global
transparent proxy virtual URL is used.
#(config) security windows-sso delete-realm realm_name
Deletes the specified Windows SSO realm.
#(config) security windows-sso view [realm_name]
Displays the configuration of all Windows SSO realms or just the configuration for realm_name if
specified.

For More Information


Volume 4: Securing the Blue Coat ProxySG Appliance

Example
SGOS#(config) security windows-sso edit-realm test2
SGOS#(config windows-sso test2) ssotype query-client-dc
ok
SGOS#(config windows-sso test2) exit

Volume 11: Command Line Interface Reference

320

Chapter 3: Privileged Mode Configure Commands

#(config) security xml
An XML realm uses XML messages to request authentication and authorization information from an
HTTP XML service (the XML responder that runs on an external server). The XML realm (the XML
requestor) supports both HTTP GET and HTTP POST methods to request an XML response. The XML
messages are based on SOAP 1.2.
The XML responder service accepts XML requests from the ProxySG , communicates with an
authentication or authorization server, and responds with the result. When the realm is used to
authenticate users, it challenges for Basic credentials. The username and password are then sent to the
XML responder to authenticate and authorize the user.
The XML realm can place the username and password in the HTTP headers of the request or in the
body of the XML POST request. If the credentials are placed in the HTTP headers, the Web server must
do the authentication and the XML service just handles authorization. If credentials are placed in the
XML request body, the XML service handles both authentication and authorization.

Synopsis
Allows you to configure and manage XML realms.

Syntax
#(config) security xml [subcommands]

Subcommands
#(config) security xml create-realm realm_name
Creates the specified XML realm
#(config) security xml delete-realm realm_name
Deletes the specified XML realm.
#(config) security xml edit-realm realm_name
Changes the prompt. See Submodes for details.
#(config) security xml view [realm_name]
Displays the configuration of all XML realms or just the configuration for realm_name if specified.

Submodes
#(config) security xml edit-realm realm_name

This changes the prompt to:
#(config xml realm_name)

Commands in the xml realm_name mode:
#(config xml realm_name) alternate-responder {host | port}
Specifies the alternate responder host and port.
#(config xml realm_name) alternate-responder path {authenticate
authenticate_path | authorize authorize_path}
Specifies the alternate responder path for authentication and authorization requests.
#(config xml realm_name) authorization {default-group-name group-name | username
use-full-username | realm {none | username | self}}
Specifies the default group name, username, and realm for authorization.
#(config xml realm_name) connections count
Specifies the number of connections to the responder.

321

Chapter 3: Privileged Mode Configure Commands

#(config xml realm_name) cookie {persistent {enable | disable} | verify-ip {enable |
disable}
Specifies whether to enable persistent or session cookies, and whether to verify the IP address of the
cookie.
#(config xml realm_name) display-name display_name
Specifies the display name for this realm.
#(config xml realm_name) exit
Exits configure xml-realm mode and returns to configure mode.
#(config xml realm_name) inactivity-timeout seconds
Specifies the amount of time a session can be inactive before being logged out.
#(config xml realm_name) log-out {challenge {enable | disable} | display-time
seconds}
Allows you to challenge the user after log out and define the log out page display time.
#(config xml realm_name) no alternate-responder
Removes the alternate-responder.
#(config xml realm_name) no default-group-name
Removes the default-group-name.
#(config xml realm_name) one-time-passwords {enable | disable}
Allows you to use one-time passwords for authentication. The default is disabled.
#(config xml realm_name) primary-responder {host | port}
Specifies the primary responder host and port.
#(config xml realm_name) primary-responder path {authenticate authenticate_path
| authorize authorize_path}
Specifies the primary responder path for authentication and authorization requests.
#(config xml realm_name) refresh-time {authorization-refresh seconds |
credential-refresh seconds | rejected-credentials-refresh seconds|
surrogate-refresh seconds}
Sets the refresh time for authorization, credential, rejected credentials cache, and surrogates.
#(config xml realm_name) rename new_realm_name
Renames this realm to new_realm_name.
#(config xml realm_name) retry count
Specifies the number of times for the system to retry a request. The default is not to retry a request.
#(config xml realm_name) spoof-authentication {none | origin | proxy}
Enables/disables the forwarding of authenticated credentials to the origin content server or for proxy
authentication. Flush the entries for a realm if the spoof-authentication value is changed to ensure that
the spoof-authentication value is immediately applied.

You can only choose one.


If set to origin, the spoofed header is an Authorization: header.



If set to proxy, the spoofed header is a Proxy-Authorization: header.



If set to none, no spoofing is done.

#(config xml realm_name) timeout seconds
Specifies the XML request timeout. This is the number of seconds the ProxySG allows for each request
attempt before giving up on a server and trying another server. Within a timeout multiple packets can be
sent to the server, in case the network is busy and packets are lost. The default request timeout is 10
seconds
#(config xml realm_name) view
Displays this realm’s configuration.

Volume 11: Command Line Interface Reference

322

Chapter 3: Privileged Mode Configure Commands

#(config xml realm_name) virtual-url virtual URL
Specifies the virtual URL to use for this realm. If no URL is specified the global transparent proxy virtual
URL is used.
#(config xml realm_name) xml {credentials {header | request} | request-interested
{enable | disable} | username username_parameter}
Specifies the user credential location and the username parameter. The username parameter is passed in
the request when this realm is used for authentication or authorization.

For More Information


Volume 4: Securing the Blue Coat ProxySG Appliance

Example
#(config) security xml edit-realm xml14
#(config xml xml14) display-name
ok
#(config xml xml14) spoof-authentication origin
ok
#(config xml xml14) exit

323

Chapter 3: Privileged Mode Configure Commands

#(config) service-groups
Synopsis
Use this command to configure the proxy service groups.

Syntax
#(config) service-groups

This changes the prompt to:
#(config service-groups)

Subcommands
#(config service-groups) bypass-all service-group

Sets all listeners in a service group to bypass.
#(config service-groups) create service-group

Creates a proxy service group.
#(config service-groups) delete service-group

Deletes a proxy service group.
#(config service-groups) exit

Returns to the #(config) prompt.
#(config service-groups) intercept-all service-group

Sets all listeners in a service group to intercept.
#(config service-groups) view service-group

Shows details about a service group. View details about all the service groups by pressing
.

For More Information


Volume 2: Proxies and Proxy Services

Example
Service Group:

Encrypted

Action:

intercept-all

Services:

HTTPS, IMAPS, POP3S

Service Group:

Interactive

Action:

intercept-all

Services:

Telnet, MS Terminal Services, Shell, SSH, VNC, X Windows

Service Group:

Intranet

Action:

mixed

Services:
Endpoint Mapper, CIFS, Novell GroupWise, Citrix ICA, IMAP,
Kerberos, LDAP, Lotus Notes, LPD, MS SQL Server, MySQL, NFS, Novell NCP, Oracle,
POP3, SMTP, SnapMirror, Sybase SQL

Volume 11: Command Line Interface Reference

324

Chapter 3: Privileged Mode Configure Commands

#(config) session-monitor
Synopsis
Use this command to configure options to monitor RADIUS accounting messages and to maintain a
session table based on the information in these messages.

Syntax
#(config) session-monitor

This changes the prompt to:
#(config session-monitor)

Subcommands
#(config session-monitor) cluster disable
Disables cluster support.
#(config session-monitor) cluster enable
Enables cluster support. The group address must be set before the cluster can be enabled.
#(config session-monitor) cluster grace-period seconds
Set the time to keep session transactions in memory while waiting for slave logins. This can be set to
allow session table synchronization to occur after the synchronization-delay has expired. The default is
30 seconds; the range is 0 to 2^31-1 seconds.
#(config session-monitor) cluster [no] group-address IP_Address
Set or clear (the default) the failover group IP address. This must be an existing failover group address.
#(config session-monitor) cluster port port
Set the TCP/IP port for the session replication control. The default is 55555.
#(config session-monitor) cluster synchronization-delay seconds
Set the maximum time to wait for session table synchronization. The default is zero; the range is from 0
to 2 ^31 -1 seconds. During this time evaluation of $(session.username) is delayed, so proxy traffic
might also be delayed.
#(config session-monitor) disable
Disable (the default) session monitoring.
#(config session-monitor) enable
Enable session monitoring.
#(config session-monitor) max-entries integer
The maximum number of entries in the session table. The default is 500,000; the range is from 1 to
2,000,000. If the table reaches the maximum, additional START messages are ignored.
#(config session-monitor) radius acct-listen-port port
The port number where the ProxySG listens for accounting messages.
#(config session-monitor) radius authentication {disable | enable}
Enable or disable (the default) the authentication of RADIUS messages using the shared secret. Note that
the shared secret must be configured before authentication is enabled.
#(config session-monitor) radius encrypted-shared-secret encrypted-secret
Specify the shared secret (in encrypted form) used for RADIUS protocol authentication. The secret is
decrypted using the configuration-passwords-key.
#(config session-monitor) radius no shared-secret
Clears the shared secret used for RADIUS protocol authentication.
#(config session-monitor) radius respond {disable | enable}
Enable (the default) or disable generation of RADIUS responses.

325

Chapter 3: Privileged Mode Configure Commands

#(config session-monitor) radius shared-secret plaintext_secret
Specify the shared secret used for RAIDUS protocol in plaintext.
#(config session-monitor) timeout minutes
The amount of time before a session table entry assumes a STOP message has been sent. The default is
120 minutes; the range is from 0 to 65535 minutes. Zero indicates no timeout.
#(config session-monitor) view
View the session-monitor configuration.

For More Information


Volume 5: Advanced Networking

Example
SGOS#(config) session-monitor
SGOS#(config session-monitor) view
General:
Status: disabled
Entry timeout: 120 minutes
Maximum entries: 500000
Cluster support: disabled
Cluster port: 55555
Cluster group address: none
Synchronization delay: 0
Synchronization grace period: 30
Accounting protocol: radius
Radius accounting:
Listen ports:
Accounting: 1813
Responses: Enabled
Authentication: Disabled
Shared secret: ************

Volume 11: Command Line Interface Reference

326

Chapter 3: Privileged Mode Configure Commands

#(config) sg-client
Synopsis
Replaced by #(config) proxy-client. See #(config) proxy-client on page 230.

327

Chapter 3: Privileged Mode Configure Commands

#(config) shell
Synopsis
Use this command to configure options for the shell.
#(config) shell max-connections
Maximum number of shell connections. Allowed values are between 1 and 65535.
#(config) shell no
Disables the prompt, realm-banner, and welcome-banner strings.
#(config) shell prompt
Sets the prompt that the user sees in the shell. If the string includes white space, enclose the string in
quotes.
#(config) shell realm-banner
Sets the realm banner that the user sees when logging into a realm through the shell. If the string
includes white space, enclose the string in quotes.
#(config) shell welcome-banner
Sets the welcome banner that the users sees when logging into the shell. If the string includes white
space, enclose the string in quotes.

For More Information


Volume 2: Proxies and Proxy Services

Example
SGOS#(config) shell prompt "Telnet Shell >"
ok
SGOS#(config) shell welcome-banner "Welcome to the Blue Coat Telnet Shell"
ok

Volume 11: Command Line Interface Reference

328

Chapter 3: Privileged Mode Configure Commands

#(config) show


# show on page 72.

329

Chapter 3: Privileged Mode Configure Commands

#(config) snmp
Synopsis
Use this command to set SNMP (Simple Network Management Protocol) options for the ProxySG.
The ProxySG can be viewed using an SNMP management station and supports MIB-2 (RFC 1213).

Syntax
#(config) snmp

This changes the prompt to:
#(config snmp)

Subcommands
#(config snmp) authentication-failure-traps {enable | disable}
Enables or disables traps for SNMP protocol authentication failures.
#(config snmp) create {community community_string | user username}
Creates a new SNMPv1–v2c community or new SNMPv3 user.
#(config snmp) delete {community community_string | user username}
Deletes an SNMPv1–v2c community string or SNMPv3 user.
#(config snmp) edit {community community_string | user username}
Allows you to edit an SNMPv1–v2c community’s access, traps, and informs, or edit an SNMPv3 user’s
configuration, access, traps, and informs. See #(config snmp community )
on page 332 and #(config snmp user ) on page 334.
# (config snmp) engine-id {default | set hexadecimal_string}
Sets the engine ID to the default value or allows you to set it with hexadecimal digits.
#(config snmp) exit
Exits configure SNMP mode and returns to configure mode.
#(config snmp) no {sys-contact | sys-location}
Clears the system contact string or the system location string.
#(config snmp) protocol snmpv1 {disable | enable}
Enables or disables the use of SNMPv1.
#(config snmp) protocol snmpv2c {disable | enable}
Enables or disables the use of SNMPv2c.
#(config snmp) protocol snmpv3 {disable | enable}
Enables or disables the use of SNMPv3.
#(config snmp) sys-contact string
Sets the appliance’s contact name for display in MIBs.
#(config snmp) sys-location string
Sets the appliance’s location for display in MIBs.
#(config snmp) test-trap string
Sends a policy test trap with the given text string to test communication. Quotes are required if the
message contains whitespace.
#(config snmp) traps {disable | enable}
Disables or enables the use of all traps and informs.
#(config snmp) view
Displays the SNMP configuration.

Volume 11: Command Line Interface Reference

330

Chapter 3: Privileged Mode Configure Commands

#(config snmp) view {communities | users}
Displays SNMPv1 and SNMPv2c communities or SNMPv3 users.

For More Information


Volume 7: Managing the Blue Coat ProxySG Appliance



For details about configuring SNMPv1 and SNMPv2, see #(config snmp community
) on page 332. For details about configuring SNMPv3, see #(config
snmp user ) on page 334.

Example
SGOS#(config) snmp
SGOS#(config snmp) authorize-traps
ok
SGOS#(config snmp) exit
SGOS#(config)

331

Chapter 3: Privileged Mode Configure Commands

#(config snmp community )
Synopsis
Use this command to configure community strings for SNMPv1 and SNMPv2c, their access control,
and their trap and inform recipients.

Syntax
#(config snmp)edit community community_string
This changes the prompt to:
#(config snmp community community_string)

Subcommands
#(config snmp community community_string) add {inform | trap}
Adds an SNMPv2c inform receiver or a trap receiver for this community.
#(config snmp community community_string) add inform udp IP[:port]
Sends SNMPv2c UDP informs to this IP address.
#(config snmp community community_string) add trap {snmpv1 | snmpv2c}
Adds an SNMPv1 or SNMPv2c trap receiver.
#(config snmp community community_string) add trap snmpv1 udp IP[:port]
Sends SNMPv1 UDP traps to this IP address.
#(config snmp community community_string) add trap snmpv2c udp IP[:port]
Sends SNMPv2c UDP traps to this IP address.
#(config snmp community community_string) authorization access-list
Enables you to configure a list of allowed source addresses for SNMP requests; changes the prompt to
#(config snmp community access community_string).
#(config snmp community access community_string) add {IP | subnet}
Allows requests from the specified address.
#(config snmp community access community_string) clear
Clears the access list.
#(config snmp community access community_string) disable
Disables the use of the access list and allows requests from all addresses.
#(config snmp community access community_string) enable
Enables use of the access list.
#(config snmp community access community_string) exit
Returns to the #(config snmp community community_string) mode.
#(config snmp community access community_string) remove {IP | subnet}
Do not allow requests from this address.
#(config snmp community access community_string) view
Displays the community’s access list.
#(config snmp community community_string) authorization mode {none | read-only |
read-write}
Allows you to set the read or write access allowed for SNMP requests: none (do not allow any remote
access), read-only, or read-write.
#(config snmp community community_string) remove {inform | trap}
Removes an SNMPv2c inform receiver or an SNMPv1 trap receiver.

Volume 11: Command Line Interface Reference

332

Chapter 3: Privileged Mode Configure Commands

#(config snmp community community_string) remove inform udp IP[:port]
Stops sending SNMPv2c UDP informs to this address.
#(config snmp community community_string) remove trap {snmpv1 | snmpv2c}
Removes an SNMPv1 or SNMPv2c trap receiver.
#(config snmp community community_string) remove trap snmpv1 udp IP[:port]
Stops sending SNMPv1 UDP traps to this address.
#(config snmp community community_string) remove trap snmpv2c udp IP[:port]
Stops sending SNMPv2c UDP traps to this address.

For More Information


Volume 7: Managing the Blue Coat ProxySG Appliance



For general SNMP commands, see #(config) snmp on page 330. To configure SNMP for
SNMPv3, see #(config snmp user ) on page 334.

333

Chapter 3: Privileged Mode Configure Commands

#(config snmp user )
Synopsis
Use this command to configure users for SNMPv3, their access control, and their trap and inform
recipients.

Syntax
#(config snmp)edit user username
This changes the prompt to:
#(config snmp user username)

Subcommands
#(config snmp user username) add {inform | trap}
Adds a trap or inform receiver for this user.
#(config snmp user username) add inform udp IP[:port]
Sends SNMPv3 UDP informs to this IP address.
#(config snmp user username) add trap udp IP[:port]
Sends SNMPv3 UDP traps to this IP address.

#(config snmp user username) authentication
Configures the user’s authentication settings.
#(config snmp user username) authentication encrypted_localized_key

Enter an encrypted localized key for an engine ID.
#(config snmp user username) authentication encrypted_passphrase passphrase>
Enter an encrypted passphrase.
#(config snmp user username) authentication localized-key
Enter a clear text localized key for an engine ID (in hexadecimal format).
#(config snmp user username) authentication mode {md5 | sha}
Enable authentication with MD5 or SHA based hashing.
#(config snmp user username) authentication mode none
Disable the use of authentication.
#(config snmp user username) authentication no localized_key
Remove a localized key.
#(config snmp user username) authorization
Conigures the access authorized for this user.
#(config snmp user username) authorization mode {none | read-only | read-write}
Allows you to set the read or write access allowed for SNMP requests: none (do not allow any remote
access), read-only, or read-write.
#(config snmp user username) exit
Returns to (config snmp) mode.
#(config snmp user username) privacy
Configures the user’s privacy settings.

Volume 11: Command Line Interface Reference

334

Chapter 3: Privileged Mode Configure Commands

#(config snmp user username) privacy encrypted_localized_key

Enter an encrypted localized key for the engine ID.
#(config snmp user username) privacy encrypted_passphrase

Enter an encrypted passphrase.
#(config snmp user username) privacy localized_key
Enter a clear text localized key for an engine ID (in hexadecimal format).
#(config snmp user username) privacy mode {none | aes | des}
Set the encryption mode to none (disable the use of privacy), or enable privacy with AES or DES
based encryption.
#(config snmp user username) privacy no localized_key
Remove a localized key.
#(config snmp user username) passphrase
Enter a clear text passphrase.
#(config snmp user username) remove inform udp IP[:port]
Stop sending SNMPv3 UDP informs to this IP address.
#(config snmp user username) remove trap udp IP[:port]
Stop sending SNMPv3 UDP traps to this IP address.
#(config snmp user username) view
Displays the user’s configuration, authorization, traps, and informs.

For More Information


Volume 7: Managing the Blue Coat ProxySG Appliance



For general SNMP commands, see #(config) snmp on page 330. To configure SNMP for
SNMPv1 and SNMPv2c, see #(config snmp community ) on
page 332.

335

Chapter 3: Privileged Mode Configure Commands

#(config) socks-gateways
Synopsis
Use this command to set the SOCKS gateways settings.

Syntax
#(config) socks-gateways

This changes the prompt to:
#(config socks-gateways)

Subcommands
#(config socks-gateways) create gateway_alias gateway_host SOCKS_port
[group=group-alias] [version={4 | 5 [user=username {password=password |
encrypted-password=encrypted-password}]
Creates a SOCKS gateway.
Note: The SOCKS compression feature is deprecated, as a more advanced version of this
functionality is now available as part of the Application Delivery Network features. Refer to
Volume 5: Advanced Networking for instructions on how to configure and use these features.
#(config socks-gateways) create {gateway | group group_name }
#(config socks-gateways) delete {all | gateway gateway_alias | group group_name}
Deletes a SOCKS gateway or group.
#(config socks-gateways) destroy-old-passwords
Destroys any cleartext passwords left after an upgrade.
#(config socks-gateways) edit gateway_alias
Changes the prompt. See #(config socks-gateways gateway_alias) on page 338.
#(config socks-gateways) edit group_alias
Changes the prompt. See#(config socks-gateways group_alias) on page 340.
#(config socks-gateways) exit
Exits configure socks-gateways mode and returns to configure mode.
#(config socks-gateways) failure-mode {open | closed}
Sets the default failure mode (that can be overridden by policy).
#(config socks-gateways) host-affinity http {default | none | client-ip-address |
accelerator-cookie} gateway_or_group_alias
Selects a host affinity method for HTTP. If a gateway or group alias is not specified for the
accelerator-cookie, client-ip-address, or none options, the global default is used. Use the
default option to specify default configurations for all the settings for a specified gateway or group.

Volume 11: Command Line Interface Reference

336

Chapter 3: Privileged Mode Configure Commands

#(config socks-gateways) host-affinity ssl {default | none | client-ip-address |
accelerator-cookie | ssl-session-id} gateway_or_group_alias
Selects a host affinity method for SSL. If a gateway or group alias is not specified for the
accelerator-cookie, client-ip-address, none, or ssl-session-id options, the global
default is used. Use the default option to specify default configurations for all the settings for a
specified gateway or group.
#(config socks-gateways) host-affinity other {default | client-ip-address | none}
gateway_or_group_alias
Selects a host affinity method (non-HTTP or non-SSL). If a gateway or group alias is not specified for the
client-ip-address, or none options, the global default is used. Use the default option to specify
default configurations for all the settings for a specified gateway or group.
#(config socks-gateways) load-balance gateway {default | none | round-robin |
least-connections} gateway_alias
Selects a host affinity method (non-HTTP or non-SSL). If a gateway alias is not specified for the
client-ip-address, or none options, the global default is used. Use the default option to specify
default configurations for all the settings for a specified gateway .
#(config socks-gateways) load-balance group {default | none | domain-hash | url-hash
| round-robin | least-connections} group_alias
#(config socks-gateways) no path
Clears network path to download SOCKS gateway settings.
#(config socks-gateways) path url
Specifies the network path to download SOCKS gateway settings.
#(config socks-gateways) sequence {add | demote | promote | remove} gateway_alias
Adds an alias to the end of the default failover sequence.
socks-gateways) sequence clear
Clears the default failover sequence.
#(config socks-gateways) view
Displays all SOCKS gateways.

For More Information


Volume 5: Advanced Networking

Example
SGOS#(config) socks-gateways
SGOS#(config socks-gateways) failure-mode open
ok
SGOS#(config socks-gateways) exit
SGOS#(config)

337

Chapter 3: Privileged Mode Configure Commands

#(config socks-gateways gateway_alias)
Synopsis
These commands allow you to edit the settings of a specific SOCKS gateway.

Syntax
#(config) socks-gateways

This changes the prompt to:
#(config socks-gateways)
edit gateway_alias

This changes the prompt to:
#(config socks-gateways gateway_alias)

Subcommands
#(config socks-gateways gateway_alias) encrypted-password
Changes the version 5 encrypted password.
#(config socks-gateways gateway_alias) exit
Exits configure socks-gateways gateway_alias mode and returns to configure socks-gateways mode.
#(config socks-gateways gateway_alias) host
Changes the host name.
#(config socks-gateways gateway_alias) host-affinity http {accelerator-cookie |
client-ip-address | default | none}
Changes the host affinity method (HTTP) for this host.
#(config socks-gateways gateway_alias) host-affinity other {client-ip-address |
default | none}
Changes the host affinity other method for this host.
#(config socks-gateways gateway_alias) host-affinity ssl {accelerator-cookie |
client-ip-address | default | ssl-session-id | none}
Changes the host affinity method (SSL) for this host.
#(config socks-gateways gateway_alias) load-balance {default | least-connections
| round-robin | none}
Changes the load balancing method.
#(config socks-gateways gateway_alias) no {password | username}
Optional, and only if you use version 5. Deletes the version 5 password or username.
#(config socks-gateways gateway_alias) password
Optional, and only if you use version 5. Changes the version 5 password. If you specify a password, you
must also specify a username.
#(config socks-gateways gateway_alias) port
Changes the SOCKS port.
#(config socks-gateways gateway_alias) request-compression
Changes the SOCKS port to request compression.
#(config socks-gateways gateway_alias) user
Optional, and only if you use version 5. Changes the version 5 username. If you specify a username, you
must also specify a password.

Volume 11: Command Line Interface Reference

338

Chapter 3: Privileged Mode Configure Commands

#(config socks-gateways gateway_alias) version {4 | 5}
Changes the SOCKS version.
#(config socks-gateways gateway_alias) view
Shows the current settings for this SOCKS gateway.

For More Information


Volume 5: Advanced Networking

Example
SGOS#(config) socks-gateways
SGOS#(config socks-gateways) edit testgateway
SGOS#(config socks-gateways testgateway) version 5
ok
SGOS#(config socks-gateways testgateway) exit
SGOS#(config socks-gateways) exit
SGOS#(config)

339

Chapter 3: Privileged Mode Configure Commands

#(config socks-gateways group_alias)
Synopsis
These commands allow you to edit the settings of a specific SOCKS gateway group.

Syntax
#(config) socks-gateways

This changes the prompt to:
#(config socks-gateways) create host_alias hostname protocol=port
group=group_alias
#(config socks-gateways) edit group_alias

This changes the prompt to:
#(config socks-gateways group_alias)

Subcommands
#(config socks-gateways group_alias) add
Adds a new group.
#(config socks-gateways group_alias) exit
Exits #(config socks-gateways group_alias) mode and returns to #(config
socks-gateways) mode.
#(config socks-gateways group_alias) host-affinity http {accelerator-cookie |
client-ip-address | default | none}
Changes the host affinity method (HTTP) for this group.
#(config socks-gateways group_alias) host-affinity other {client-ip-address |
default | none}
Changes the host affinity other method for this host.
#(config socks-gateways group_alias) host-affinity ssl {accelerator-cookie |
client-ip-address | default | ssl-session-id | none}
Changes the host affinity method (SSL) for this group.
#(config socks-gateways group_alias) load-balance method {default | domain-hash
| least-connections | none | round-robin | url-hash}
Changes the load balancing method.
#(config socks-gateways group_alias) remove
Removes an existing group.
#(config socks-gateways group_alias) view
Shows the current settings for this SOCKS gateway.

For More Information


Volume 5: Advanced Networking

Volume 11: Command Line Interface Reference

340

Chapter 3: Privileged Mode Configure Commands

Example
SGOS#(config) socks-gateways
SGOS#(config socks-gateways) edit test_group
SGOS#(config socks-gateways test_group) load-balance hash domain
ok
SGOS#(config socks-gateways test_group) exit
SGOS#(config socks-gateways) exit
SGOS#(config)

341

Chapter 3: Privileged Mode Configure Commands

#(config) socks-machine-id
Synopsis
Use this command to set the machine ID for SOCKS.
If you are using a SOCKS server for the primary or alternate gateway, you must specify the ProxySG
machine ID for the Identification (Ident) protocol used by the SOCKS gateway.

Syntax
#(config) socks-machine-id machine_id
Indicates the machine ID for the SOCKS server.

Example
SGOS#(config) socks-machine-id 10.25.36.47
ok

Volume 11: Command Line Interface Reference

342

Chapter 3: Privileged Mode Configure Commands

#(config) socks-proxy
Synopsis
Use this command to configure a SOCKS proxy on anProxySG. Only one server is permitted per
ProxySG. Both SOCKSv4 and SOCKSv5 are supported by Blue Coat, and both are enabled by default.
Note that the version of SOCKS used is only configurable through policy. For example, to use only
SOCKSv5:

socks.version=4 deny

Syntax
#(config) socks-proxy

Subcommands
#(config) socks-proxy accept-timeout seconds
Sets maximum time to wait on an inbound BIND.
#(config) socks-proxy connect-timeout seconds
Sets maximum time to wait on an outbound CONNECT.
#(config) socks-proxy max-connections num_connections
Sets maximum allowed SOCKS client connections.
#(config) socks-proxy max-idle-timeout seconds
Specifies the minimum timeout after which SOCKS can consider the connection for termination when
the max connections are reached.
#(config) socks-proxy min-idle-timeout seconds
Specifies the max idle timeout value after which SOCKS should terminate the connection.
#(config) socks-proxy pa-customer-id customer_id
Validates the license for the specified customer. (The customer_id is the Customer ID number you took
from the About t ab on the PA client. Use socks-proxy pa-customer-id 0 to disable the license.

For More Information


Volume 2: Proxies and Proxy Services

Example
SGOS#(config) socks-proxy accept-timeout 120
ok

343

Chapter 3: Privileged Mode Configure Commands

#(config) ssh-console
Synopsis
Configures the SSH host and client keys. This CLI command also sets global options, such as the
welcome banner for all SSH Consoles on the system.
To create and edit additional SSH console services, see “#(config ssh-console)” on page 220.

Syntax
#(config) ssh-console

This changes the prompt to:
#(config ssh-console)

Subcommands
#(config ssh-console) create host-keypair {sshv1 | sshv2 | }
Creates a host-keypair for the SSH console of the specified version.
#(config ssh-console) delete client-key username key_id
Deletes the client key with the specified username and key ID.
#(config ssh-console) delete legacy-client-key key_id
Deletes the legacy client key.
#(config ssh-console) delete director-client-key key_id
Deletes the Director client key.
#(config ssh-console) delete host-keypair {sshv1 | sshv2 | }
Deletes the specified host keypair.
#(config ssh-console) inline {client-key | director-client-key |
sshv2-welcome-banner }
Allows you use the inline commands to add a client key, a Director client key, or a banner for those
logging to the ProxySG using SSHv2..
#(config ssh-console) no sshv2-welcome-banner
Disables the welcome banner.
#(config ssh-console) view {client-key | director-client-key | host-public-key |
user-list | versions-enabled}
Views the SSH console parameters.

For More Information


Volume 2: Proxies and Proxy Services



#(config ssh-console) on page 220

Example
#(config ssh-console) view versions-enabled

SSHv2 is enabled.

Volume 11: Command Line Interface Reference

344

Chapter 3: Privileged Mode Configure Commands

#(config) ssl
Synopsis
Use this command to configure HTTPS termination, including managing certificates, both self-signed
and those from a Certificate Signing Authority (CSA).
To configure HTTPS termination, you must complete the following tasks:


Configure a keyring



Configure the SSL client



Configure the HTTPS service

Note:

To do these steps, you must have a serial or SSH connection; you cannot use Telnet.

Syntax
#(config) ssl

This changes the prompt to:
#(config ssl)

Subcommands
#(config ssl) create ccl list_name
Creates a list to contain CA certificates.
#(config ssl) create certificate keyring_id
Creates a certificate. Certificates can be associated with a keyring.
You can create a self-signed certificate two ways: interactively or non-interactively.
Director uses non-interactive commands in profiles and overlays to create certificates.
#(config ssl) create crl crl_id
Create a Certificate Revocation List.
#(config ssl) create keyring {show | show-director | no-show} keyring_id
[key_length]
Creates a keyring, with a keypair, where:
show: Keyrings created with this attribute are displayed in the show configuration output, meaning
that the keyring can be included as part of a profile or overlay pushed by Director.
show-director: Keyrings created with this attribute are part of the show configuration output if
the CLI connection is secure (SSH/RSA) and the command is issued from Director.
no-show: Keyrings created with this attribute are not displayed in the show configuration output and
cannot be part of a profile. The no-show option is provided as additional security for environments
where the keys will never be used outside of the particular ProxySG.
#(config ssl) create device-authentication-profile device_authentication_profile
_name [keyring]
Creates a device authentication profile of the specified name and keyring. The keyring must already
exist. If you do not specify a keyring, the certificate is put in the appliance-key keyring.

345

Chapter 3: Privileged Mode Configure Commands

#(config ssl) create signing-request keyring_id
Creates a certificate signing request. The request must be associated with a keyring.
You can create a signing request two ways: interactively or non-interactively.
Director uses non-interactive commands in profiles and overlays to create signing requests.
#(config ssl) create ssl-client ssl_client_name
Associates the SSL client with a keyring. Only the default is permitted.
#(config ssl) delete ca-certificate name
Deletes a CA-certificate from the ProxySG.
#(config ssl) delete ccl list_name
Deletes a CCL list from the ProxySG.
#(config ssl) delete certificate keyring_id
Deletes the certificate associated with a keyring.
#(config ssl) delete crl list_name
Deletes the specified Certificate Revocation List.
#(config ssl) delete external-certificate name
Deletes an external certificate from the ProxySG.
#(config ssl) delete keyring keyring_id
Deletes a keyring, with a keypair.
#(config ssl) delete signing-request keyring_id
Deletes a certificate signing request.
#(config ssl) delete ssl-client ssl_client_name
Deletes an SSL client.
#(config ssl) edit ccl list_name
Changes the prompt. See #(config ssl ccl list_name) on page 349.
#(config ssl) edit crl crl_id
Changes the prompt. See #(config ssl crl crl_list_name) on page 350.
#(config ssl) edit device-authentication-profile profile_name.
Changes the prompt. See
#(config ssl) edit ssl-client ssl_client_name
Changes the prompt. Only default is permitted. See #(config ssl ssl__default_client_name)
on page 353.
#(config ssl) exit
Exits configure ssl mode and returns to configure mode.
#(config ssl) inline ca-certificate name eof
Imports a CA certificate.
#(config ssl) inline certificate keyring_id eof
Imports a certificate.
#(config ssl) inline crl list_name eof
Imports a Certificate Revocation List.
#(config ssl) inline external-certificate name eof
Imports a certificate without the corresponding private key.
#(config ssl) inline keyring {show | show-director | no-show} keyring_id eof
Imports a keyring, where:
show: Keyrings created with this attribute are displayed in the show configuration output, meaning
that the keyring can be included as part of a profile or overlay pushed by Director.

Volume 11: Command Line Interface Reference

346

Chapter 3: Privileged Mode Configure Commands

show-director: Keyrings created with this attribute are part of the show configuration output if
the CLI connection is secure (SSH/RSA) and the command is issued from Director.
no-show: Keyrings created with this attribute are not displayed in the show configuration output and
cannot be part of a profile. The no-show option is provided as additional security for environments
where the keys will never be used outside of the particular ProxySG.
eof: End-of-file marker. This can be anything, as long as it doesn’t also appear in the inline text. (If the
eof appears in the inline text, the inline command completes at that point.)
#(config ssl) inline signing-request keyring_id eof
Imports the specified signing request.
#(config ssl) load crl crl_list
Loads the specified CRL list.
#(config ssl) proxy client-cert-ccl {ccl_list_name | all | none}
Specifies the CCL to be used for the client. The default is all.
#(config ssl) proxy issuer-keyring keyring_name
Specifies the keyring to be used for SSL interception.
#(config ssl) proxy server-cert-ccl {ccl_list_name | all}
Specifies the CCL to be used for the server. The default is browser-trusted.
#(config ssl) request-appliance-certificate
Generates an appliance certificate.
#(config ssl) ssl-nego-timeout seconds
Configures the SSL-negotiation timeout period. The default is 300 seconds.
SGOS#(config ssl) view appliance-certificate-request
Displays the appliance certificate request generated by the request-appliance-certificate
command.
#(config ssl) view ca-certificate name
Displays the Certificate Authority certificate.
#(config ssl) view ccl
Displays the CA-certificate lists.
#(config ssl) view certificate keyring_id
Displays the certificate.
#(config ssl) view crl [list_name]
Displays the specified Certificate Revocation List.
SGOS#(config ssl) view device-authentication-profile
#(config ssl) view external-certificate name
Displays the external certificate.
#(config ssl) view keypair {des | des3 | unencrypted} keyring_id | keyring_id}
Displays the keypair. If you want to view the keypair in an encrypted format, you can optionally specify
des or des3 before the keyringID. If you specify either des or des3, you are prompted for the
challenge entered when the keyring was created.
#(config ssl) view keyring [keyring_id]
Displays the keyring.
#(config ssl) view signing-request keyring_id
Displays the certificate signing request.
#(config ssl) view ssl-client
Displays summary information of SSL clients.
#(config ssl) view ssl-nego-timeout
Displays SSL negotiation timeout period status summary.

347

Chapter 3: Privileged Mode Configure Commands

#(config ssl) view summary {ca-certificate | external-certificate} [name]
Displays a summary for all CA-certificate or external-certificate commands, or for the certificate name
specified.

For More Information


Volume 4: Securing the Blue Coat ProxySG Appliance

Example
SGOS#(config) ssl
SGOS#(config ssl) create keyring show keyring id [key length]
ok
SGOS#(config ssl) view keyring keyring id
KeyringID: default
Is private key showable? yes
Have CSR? no
Have certificate? yes
Is certificate valid? yes
CA: Blue Coat SG810
Expiration Date: Jan 23 23:57:21 2013 GMT
Fingerprint: EB:BD:F8:2C:00:25:84:02:CB:82:3A:94:1E:7F:0D:E3
SGOS#(config ssl) exit
SGOS#(config)

Volume 11: Command Line Interface Reference

348

Chapter 3: Privileged Mode Configure Commands

#(config ssl ccl list_name)
Synopsis
Allows you to edit the CCL parameters.

Syntax
#(config) ssl

This changes the prompt to:
#(config ssl) edit ccl list_name

This changes the prompt to:
#(config ssl ccl list_name)

Subcommands
#(config ssl ccl list_name) add ca_certificate_name
Adds a CA certificate to this list. (The CA certificate must first be imported in configure ssl mode.)
#(config ssl ccl list_name) exit
Exits configure ssl ccl list_name mode and returns to ssl configure mode.
#(config ssl ccl list_name) remove
Removes a CA certificate from the specified list.
#(config ssl ccl list_name) view
Shows a summary of CA certificates in this list.

For More Information


Volume 2: Proxies and Proxy Services

Example
SGOS#(config) ssl
SGOS#(config ssl) edit ccl list_name
SGOS#(config ssl ccl list_name) add CACert1
ok
SGOS#(config ssl ccl list_name) exit
SGOS#(config ssl) exit
SGOS#(config)

349

Chapter 3: Privileged Mode Configure Commands

#(config ssl crl crl_list_name)
Synopsis
Allows you to edit the specified Certificate Revocation List name.

Syntax
#(config) ssl

This changes the prompt to:
#(config ssl)
edit crl crl_list_name

This changes the prompt to:
#(config ssl crl crl_list_name)

Subcommands
#(config ssl crl crl_list_name) exit
Exits configure ssl crl crl_list_name mode and returns to ssl configure mode.
#(config ssl crl crl_list_name) inline
Imports a Certificate Revocation List.
#(config ssl crl crl_list_name) load
Downloads the specified Certificate Revocation List.
#(config ssl crl crl_list_name) path
Specifies the network path to download the specified Certificate Revocation List.
#(config ssl crl crl_list_name) view
View the specified Certificate Revocation List.

For More Information


Volume 2: Proxies and Proxy Services

Volume 11: Command Line Interface Reference

350

Chapter 3: Privileged Mode Configure Commands

#(config ssl device-profile)
Synopsis
Allows you to create or edit an SSL device profile.

Syntax
#(config) ssl

This changes the prompt to:
#(config ssl)
edit ssl-device-profile profile_name

This changes the prompt to:
#(config device-profile profile_name)

Subcommands
#(config device-profile profile_name) cipher-suite cipher-suite
Configures device authentication profile cipher suites. If you press , you can see the list of
available ciphers. The default is AES256-SHA. You can choose more than one cipher suite.
#(config device-profile profile_name) ccl ccl_name
Configures the device authentication profile CCL.
#(config device-profile profile_name) device-id device_ID
Configure device authentication profile of the specific device ID.
#(config device-profile profile_name) exit
Returns to the # (config ssl) prompt.
#(config device-profile profile_name) keyring-id keyring_ID
Configures the device authentication profile in the specified keyring.
#(config device-profile profile_name) protocol {sslv2 | sslv3 | tlsv1 | sslv2v3 |
sslv2tlsv1 | sslv3tlsv1 | sslv2v3tlsv1}
Specifies the protocol to use.
#(config device-profile profile_name) verify-peer {enable | disable}
Enables or disables device authentication peer verification.
#(config device-profile profile_name) view

For More Information


Volume 4: Securing the Blue Coat ProxySG Appliance



Volume 5: Advanced Networking

351

Chapter 3: Privileged Mode Configure Commands

Example
#(config device-profile test1) view
Name: test1
Usable for: client
Keyring:
CCL: browser-trusted
Device-id: $(subject.CN)
Cipher suite: rc4-sha
Protocol: SSLv2v3TLSv1
Verify-peer: enabled

Volume 11: Command Line Interface Reference

352

Chapter 3: Privileged Mode Configure Commands

#(config ssl ssl__default_client_name)
Synopsis
Allows you to edit the SSL client parameters. Only the default is permitted.

Syntax
#(config) ssl

This changes the prompt to:
#(config ssl)
edit ssl-client ssl_default_client_name

This changes the prompt to:
#(config ssl ssl_default_client_name)

Subcommands
#(config ssl ssl_default_client_name) ccl {ccl_name | all}
Configures the CA Certificate List to use.
#(config ssl ssl_default_client_name) cipher-suite
Specifies the cipher suite to use. The default is to use all cipher suites. If you want to change the default,
you have two choices:


interactive mode



non-interactive mode

Director uses non-interactive commands in profiles and overlays to create cipher suites.
The optional cipher-suite refers to the cipher-suites you want to use, space separated, such as
rc4-md5 exp-des-cbc-sha. If you want to use the interactive mode, do not specify a cipher suite.
#(config ssl ssl_default_client_name) exit
Exits configure ssl ssl-client ssl_default_client_name mode and returns to ssl
configure mode.
#(config ssl ssl_default_client_name) keyring-id keyring_id
Configures SSL client keyring id.
#(config ssl ssl_default_client_name) no keyring-id
Clears the keyring-id.
#(config ssl ssl_default_client_name) protocol {sslv2 | sslv3 | tlsv1 | sslv2v3 |
sslv2tlsv1| sslv3tlsv1 | sslv2v3tlsv1}
Configures SSL client protocol version.
#(config ssl ssl_default_client_name) view
Displays the SSL client details.

For More Information


Volume 2: Proxies and Proxy Services

353

Chapter 3: Privileged Mode Configure Commands

Example
SGOS#(config) ssl
SGOS#(config ssl) edit ssl-client ssl_default_client_name
SGOS#(config ssl ssl-client ssl_default_client_name) cipher-suite rc4-md5
exp-des-cbc-sha
ok
SGOS#(config ssl ssl-client ssl_default_client_name) exit
SGOS#(config ssl) exit
SGOS#(config)

Volume 11: Command Line Interface Reference

354

Chapter 3: Privileged Mode Configure Commands

#(config ssl ocsp)
Synopsis
Allows you to configure Online Certificate Status Protocol (OCSP) settings.

Syntax
#(config) ssl

This changes the prompt to:
#(config ssl)
#(config ssl)ocsp

This changes the prompt to:
#(config ssl ocsp)

Subcommands
#(config ssl ocsp)create responder_name
Creates a responder.
#(config ssl ocsp)default responder_name
Sets a responder to the default responder.
#(config ssl ocsp)delete responder_name
Deletes the specifed responder.
#(config ssl ocsp) exit
Exits the config ssl ocsp prompt and returns to the config ssl prompt.
#(config ssl ocsp)no
Clears the current default responder setting.
#(config ssl ocsp)view
Displays configuration information for each responder.
#(config ssl ocsp)edit responder_name
Configure this responder_name.
Changes the prompt to:
#(config ocsp responder_name)
#(config ocsp responder_name) exit
Exits the config ocsp responder_name prompt and returns to the config ssl ocsp
prompt.
#(config ocsp responder_name)extension nonce {disable | enable}
Enables or disables use of a nonce control in an OCSP request. When enabled, a nonce (unique
digits sequence) is included as one of the requestExtensions in each OCSP request. Default is
disable.
#(config ocsp responder_name)extension request-signing-keyring keyring-id
Configures the OCSP request to contain a signature along with certificates to help the OCSP
responder verify this signature. They keyring must already exist and have a certificate.
#(config ocsp responder_name)ignore expired-responder {enable | disable}
Specifies whether the OCSP request must contain a signature along with certificates to help the
OCSP responder verify this signature. They keyring must already exist and ave a certificate. By
default, invalid responder certificate dates cause the subject certificate verification to fail.
#(config ocsp responder_name)ignore ocsp-signing-purpose
{enable | disable}

355

Chapter 3: Privileged Mode Configure Commands

Specifies whether to ignore the enforcement of purpose field in the responder certificate.
Default is enable.
#(config ocsp responder_name)ignore request-failure {enable | disable}
Specifies whether to ignore connection failures and timeouts to the OCSP server. Default is
disable.
#(config ocsp responder_name)ignore unknown-status {enable | disable}
Specifies whether to treat “unknown” revocation status for a certificate as an error. By default,
unknown status is an error and causes subject certification verification to fail.
#(config ocsp responder_name)ignore untrusted-responder {enable | disable}
Specifies whether to bypass, during responder certificate verification, any untrusted certificate
errors. For example, a missing issuer certificate or a missing self-signed certificate. By default,
any untrusted certificate failure is an error and causes the subject certificate verification to fail.
#(config ocsp responder_name)issuer-ccl {CCL Name | all | none}
Sets the name of the CCL. This is the list of CA names which is associated with the certificate to
be checked for revocation. It may either be a server or client certificate, or a certificate that is
used for verifying system images.
#(config ocsp responder_name)no {extension}
Negates a specific extension and it also resets the name of the response CCL.
#(config ocsp responder_name)response-ccl {Response CCL Name | all}
Sets the name of the CCL.
#(config ocsp responder_name)ssl-device-profile SSL device-profile name
Sets the SSL device profile. The device profile is a unique set of SSL cipher-suites, protocols and
keyrings used when the ProxySG makes HTTPS connections with an OCSP responder. The
default value is the pre-created device profile named “default.”
#(config ocsp responder_name)ttl {auto | number_ of_days}
Configures the time to live (TTL) value. This value determines how long a response remains in
the cache. The auto option indicates that the response is cached until nextUpdate. If nextUpdate
is not present the response is not cached. The number_ of_days variable indicates that the
nextUpdate field in the response is to be overridden and that the respons is to be cached for the
indicated number of days. Default is auto.
#(config ocsp responder_name)url ocsp server url
Configures the time to live (TTL) value. This value determines how long a response remains in
the cache. The auto option indicates that the response is cached until nextUpdate. If nextUpdate
is not present the response is not cached. The number_ of_days variable indicates that the
nextUpdate field in the response is to be overridden and that the respons is to be cached for the
indicated number of days. Default is auto.
#(config ocsp responder_name) use-forwarding {disable | enable}
Sets the OCSP requests to use forwarding.
#(config ocsp responder_name) view
Displays the responder configurations.

For More Information


Volume 2: Proxies and Proxy Services

Volume 11: Command Line Interface Reference

356

Chapter 3: Privileged Mode Configure Commands

Example
SGOS#(config) ssl
SGOS#(config ssl) edit ssl-client ssl_default_client_name
SGOS#(config ssl ssl-client ssl_default_client_name) cipher-suite rc4-md5
exp-des-cbc-sha
ok
SGOS#(config ssl ssl-client ssl_default_client_name) exit
SGOS#(config ssl) exit
SGOS#(config)

357

Chapter 3: Privileged Mode Configure Commands

#(config) static-routes
Synopsis
Use this command to set the network path to download the static routes configuration file.
To use static routes on the ProxySG, you must create a routing table and place it on an HTTP server
accessible to the device. The routing table is a text file that contains a list of IP addresses, subnet masks,
and gateways. When you download a routing table, the table is stored in the device until it is replaced
by downloading a new table.
The routing table is a simple text file containing a list of IP addresses, subnet masks, and gateways. A
sample routing table is illustrated below:
10.63.0.0
10.64.0.0
10.65.0.0

255.255.0.0
255.255.0.0
255.255.0.0

10.63.158.213
10.63.158.213
10.63.158.226

When a routing table is loaded, all requested addresses are compared to the list, and routed based on
the best match.
After the routing table is created, place it on an HTTP server so it can be downloaded to the device. To
download the routing table to the ProxySG, use the load command.

Syntax
#(config) static-routes no path
Clears the network path location of the static route table
#(config) static-routes path url
Sets the network path location of the static route table to the specified URL.

For More Information


Volume 2: Proxies and Proxy Services

Example
SGOS#(config) static-routes path 10.25.36.47/files/routes.txt
ok

Volume 11: Command Line Interface Reference

358

Chapter 3: Privileged Mode Configure Commands

#(config) streaming
Synopsis
Use this command to configure general streaming settings and Microsoft Windows Media or
RealNetworks Real Media settings.

Syntax
#(config) streaming max-client-bandwidth kbps
Sets the maximum client bandwidth permitted to kbps.
#(config) streaming max-gateway-bandwidth kbps
Sets the maximum gateway bandwidth permitted to kbps.
#(config) streaming multicast address-range first_address - last_address
The IP address range for the ProxySG's multicast-station. Default is from 224.2.128.0 and 224.2.255.255.
#(config) streaming multicast port-range first_port - last_port
Port range for the ProxySG's multicast-station. Default is between 32768 and 65535.
#(config) streaming multicast ttl ttl
Time to live value for the multicast-station on the ProxySG, expressed in hops. Default is 5; a valid
number is between 1 and 255.
#(config) streaming no max-client-bandwidth
Clears the current maximum client bandwidth setting.
#(config) streaming no max-gateway-bandwidth
Clears the current maximum gateway bandwidth setting.
#(config) streaming quicktime http-handoff {disable | enable}
Disables or enables QuickTime HTTP handoff.
#(config) streaming quicktime max-client-bandwidth kbps
Sets the maximum connections allowed.
#(config) streaming quicktime max-connections number
Sets the maximum client bandwidth allowed.
#(config) streaming quicktime max-gateway-bandwidth kbps
Sets the maximum gateway bandwidth allowed.
#(config) streaming quicktime no {max-client-bandwidth | max-connections |
max-gateway-bandwidth}
Negates QuickTime parameters.
#(config) streaming real-media http-handoff {disable | enable}
Disables or enables Real Media HTTP handoff.
#(config) streaming real-media log-forwarding {disable | enable}
Sets Real Media client log forwarding.
#(config) streaming real-media max-client-bandwidth kbps
Limits the total bandwidth used by all connected clients. Changing the setting to no
max-client-bandwidth uses the maximum available bandwidth. Zero (0) is not an accepted value
#(config) streaming real-media max-connections number
Limits the concurrent number of client connections. Changing the setting to no max-connections
uses the maximum available bandwidth. Zero (0) is not an accepted value.
#(config) streaming real-media max-gateway-bandwidth kbps
Limits the total bandwidth used between the proxy and the gateway. Changing the setting to no
max-gateway-bandwidth, uses the maximum available bandwidth. Zero (0) is not an accepted value.

359

Chapter 3: Privileged Mode Configure Commands

#(config) streaming real-media multicast {disable | enable}
Disables or enables Real Media client multicast support.
#(config) streaming real-media no {max-client-bandwidth | max-connections |
max-gateway-bandwidth | refresh-interval}
Negates Real Media parameters.
#(config) streaming real-media refresh-interval hours
Sets the streaming content refresh interval.
#(config) streaming windows-media asx-rewrite number in_addr cache_proto
cache_addr [cache-port]
Provides proxy support for Windows Player 6.4.
If your environment does not use a Layer 4 switch or WCCP, the ProxySG can operate as a proxy for
Windows Media Player 6.4 clients by rewriting the .asx file (which links Web pages to Windows Media
ASF files) to point to the Windows Media streaming media cache rather than the Windows Media server.
number can be any positive number. It defines the priority of all the asx-rewrite rules. Smaller numbers
indicate higher priority. in_addr specifies the hostname. It can have a maximum of one wildcard
character. cache_proto rewrites the protocol on the ProxySG and can take any of the following forms:
mmsu (MMS-UDP)
mmst (MMS-TCP)
http (HTTP)
mms (MMS-UDP or MMS-TCP)
cache_addr rewrites the address on the ProxySG.
#(config) streaming windows-media broadcast-alias alias url loops date time
Enables scheduled live unicast or multicast transmission of video-on-demand content.
alias must be unique. url specifies the address of the video-on-demand stream. loops specifies the
number of times the stream should be played back. 0 means forever. date specifies the broadcast alias
starting date. To specify multiple starting dates, enter the date as a comma-separated string. date can
take any of the following formats:
yyyy-mm-dd
today
time specifies the broadcast-alias starting time. To specify multiple starting times within the same date,
enter the time as a comma-separated string. No spaces are permitted. time can take any of the following
formats:
hh:mm
midnight, 12am, 1am, 2am, 3am, 4am, 5am, 6am, 7am, 8am, 9am, 10am, 11am, noon,
12pm, 1pm, 2pm, 3pm, 4pm, 5pm, 6pm, 7pm, 8pm, 9pm, 10pm, 11pm.
#(config) streaming windows-media http-handoff {disable | enable}
Allows the Windows Media module to control the HTTP port when Windows Media streaming content
is present. The default is enabled.
#(config) streaming windows-media live-retransmit {disable | enable}
Allows the ProxySG to retransmit dropped packets sent through MMS-UDP for unicast. The default is
enabled.
#(config) streaming windows-media log-compatibility {disable | enable}
Disables or enables access log compatibility. When log-compatibility is enabled, the ProxySG generates
the MMS log the same way as Windows Media Server does. Three fields are affected when
log-compatibility is enabled:
c-ip

x-wm-c-ip (client address derived from client log)

c-dns

x-wm-c-dns (client hostname derived from client log)

Volume 11: Command Line Interface Reference

360

Chapter 3: Privileged Mode Configure Commands

c-uri-stem

cs-uri (use full URI instead of just the path)

#(config) streaming windows-media log-forwarding {disable | enable}
Enables or disables forwarding of the client log to the origin media server.
#(config) streaming windows-media max-client-bandwidth kpbs
Sets the maximum client bandwidth permitted to kbps.
#(config) streaming windows-media max-connections number
Limits the concurrent number of client connections. If this variable is set to 0, you effectively lock out all
client connections to the ProxySG. To allow maximum client bandwidth, enter streaming
windows-media no max-connections.
#(config) streaming windows-media max-fast-bandwidth kpbs
Sets the maximum fast start bandwidth per player.
#(config) streaming windows-media max-gateway-bandwidth kpbs
Sets the maximum limit, in kilobits per second (Kbps), for the amount of bandwidth Windows Media
uses to send requests to its gateway. If this variable is set to 0, you effectively prevent the ProxySG from
initiating any connections to the gateway. To allow maximum gateway bandwidth, enter streaming
windows-media no max-gateway-bandwidth.
#(config) streaming windows-media multicast-alias alias url [preload]
Creates an alias on the ProxySG that reflects the multicast station on the origin content server.
#(config) streaming windows-media multicast-station name {alias | url} ip port ttl
Enables multicast transmission of Windows Media content from the ProxySG. name specifies the name
of the alias. It must be unique. alias can be a unicast alias, a multicast-alias or a broadcast alias, as well
as a url to a live stream source. ip is an optional parameter and specifies the multicast station's IP
address. port specifies the multicast station's port value address. ttl specifies the multicast-station's
time-to-live value, expressed in hops (and must be a valid number between 1 and 255). The default ttl
is 5.
#(config) streaming windows-media no asx-rewrite number
Deletes the ASX rewrite rule associated with number.
#(config) streaming windows-media no broadcast-alias alias
Deletes the broadcast alias rule associated with alias.
#(config) streaming windows-media no max-client-bandwidth
Negates maximum client bandwidth settings.
#(config) streaming windows-media no max-connections
Negates maximum connections settings.
#(config) streaming windows-media no max-gateway-bandwidth
Negates maximum gateway bandwidth settings.
#(config) streaming windows-media no multicast-alias alias
Deletes the multicast alias rule associated with alias.
#(config) streaming windows-media no multicast-station name
Deletes the multicast station rule associated with name.
#(config) streaming windows-media no refresh-interval
Sets the current Windows Media refresh interval to “never refresh.”
#(config) streaming windows-media no server-auth-type cache_ip_address
Clears the authentication type associated with cache_ip_address.
#(config) streaming windows-media no unicast-alias alias
Deletes the unicast alias rule associated with alias. The name of the alias, such as “welcome1” that is
created on the ProxySG and reflects the content specified by the URL. The protocol is specified by the
URL if the protocol is mmst, mmsu, or http. If the protocol is mms, the same protocol as the client is used.

361

Chapter 3: Privileged Mode Configure Commands

#(config) streaming windows-media refresh-interval hours
Checks the refresh interval for cached streaming content. hours must be a floating point number to
specify refresh interval. 0 means always check for freshness.
#(config) streaming windows-media server-auth-type {basic | ntlm} cache_ip_address
Sets the authentication type of the ProxySG indicated by cache_ip_address to BASIC or NTLM.
#(config) streaming windows-media server-thinning {disable | enable}
Disables or enables server thinning.
#(config) streaming windows-media unicast-alias alias url
Creates an alias on the ProxySG that reflects the content specified by the URL. When a client requests the
alias content, the ProxySG uses the URL specified in the unicast-alias command to request the
content from the origin streaming server.

For More Information


Volume 3: Web Communication Proxies

Example
SGOS#(config) streaming windows-media http-handoff enable
ok
SGOS#(config) streaming windows-media live-retransmit disable
ok
SGOS#(config) streaming windows-media log-forwarding disable
ok
SGOS#(config) streaming windows-media max-connections 1600
ok
SGOS#(config) streaming windows-media no max-connections
ok

Volume 11: Command Line Interface Reference

362

Chapter 3: Privileged Mode Configure Commands

#(config) tcp-ip
Synopsis
Use the following commands to configure your TCP-IP settings.

Syntax
#(config) tcp-ip icmp-bcast-echo {disable | enable}
Enables or disables ICMP broadcast echo responses.
#(config) tcp-ip icmp-tstamp-echo {disable | enable}
Enables or disables ICMP timestamp echo responses.
#(config) tcp-ip ip-forwarding {disable | enable}
Enables or disables IP-forwarding.
#(config) tcp-ip pmtu-discovery {disable | enable}
Enables or disables Path MTU Discovery.
#(config) tcp-ip rfc-1323 {disable | enable}
Enables or disables RFC-1323 support (satellite communications).
#(config) tcp-ip tcp-newreno {disable | enable}
Enables or disables TCP NewReno support (improved fast recovery).
#(config) tcp-ip tcp-2msl seconds
Specifies the time_wait value for a TCP connection before completely closing.
#(config) tcp-ip tcp-loss-recovery-mode {aggressive | enhanced | normal}
Helps to recover throughput efficiently after packet losses occur and also addresses performance
problems due to a single packet loss during a large transfer over long delay pipes. The feature is enabled
(set to enhanced) by default.
#(config) tcp-ip window-size window_size
Specifies the TCP window size for satellite communications.

For More Information


Volume 5: Advanced Networking

Example
SGOS#(config) tcp-ip ip-forwarding enable
ok
SGOS#(config) tcp-ip rfc-1323 enable
ok

363

Chapter 3: Privileged Mode Configure Commands

#(config) timezone
Synopsis
Use this command to set the local time zone on the ProxySG.

Syntax
#(config) timezone timezone_number
Enables you to set the local time zone. (Use (config) show timezones to display a list of supported
timezones.)

For More Information


Volume 1: Getting Started



#(config)clock on page 129

Example
SGOS#(config) timezone 3
ok

Volume 11: Command Line Interface Reference

364

Chapter 3: Privileged Mode Configure Commands

#(config) upgrade-path
Synopsis
Use this command to specify the network path to download system software.

Syntax
#(config) upgrade-path url
Indicates the network path to use to download ProxySG system software.

Example
SGOS#(config) upgrade-path 10.25.36.47
ok

365

Chapter 3: Privileged Mode Configure Commands

#(config) virtual-ip
Synopsis
This command allows you to configure virtual IP addresses.

Syntax
#(config) virtual-ip address ip_address
Specifies the virtual IP to add.
#(config) virtual-ip clear
Removes all virtual IP addresses.
#(config) virtual-ip no address ip_address
Removes the specified virtual IP from the list.

For More Information


Volume 5: Advanced Networking



#(config) failover on page 177

Example
SGOS#(config) virtual-ip address 10.25.36.47
ok

Volume 11: Command Line Interface Reference

366

Chapter 3: Privileged Mode Configure Commands

#(config) wccp
Synopsis
The ProxySG can be configured to participate in a WCCP (Web Cache Control Protocol) scheme, where
a WCCP-capable router collaborates with a set of WCCP-configured ProxySG to service requests.
WCCP is a Cisco-developed protocol. For more information about WCCP, refer to Volume 5: Advanced
Networking.
After you have created the WCCP configuration file, place the file on an HTTP server so it can be
downloaded to the ProxySG. To download the WCCP configuration to the ProxySG, use the load
command.

Syntax
#(config) wccp disable
Disables WCCP.
#(config) wccp enable
Enables WCCP.
#(config) wccp no path
Negates certain WCCP settings.
#(config) wccp path url
Specifies the network path from which to download WCCP settings.

For More Information


Volume 5: Advanced Networking

Example
SGOS#(config) wccp path 10.25.36.47/files/wccp.txt
ok

367

Chapter 3: Privileged Mode Configure Commands

Volume 11: Command Line Interface Reference

368

Document Path: ["157-blue-coat-instruction-proxysg.pdf"]

e-Highlighter

Click to send permalink to address bar, or right-click to copy permalink.

Un-highlight all Un-highlight selectionu Highlight selectionh