FireEye CLI Reference Guide Release 7.9.pdf

CLI

CLI REFERENCE GUIDE

RELEASE 7.9

owners.

FireEye assumes no responsibility for any inaccuracies in this document. FireEye reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

Copyright © 2016 FireEye, Inc. All rights reserved.

CLI Reference Guide
Release 7.9.1 Revision 2

FireEye Contact Information:

Website: www.fireeye.com
Support Email: [email protected]
Support Website: csportal.fireeye.com
Phone:
    United States: 1.877.FIREEYE (1.877.347.3393)
    United Kingdom: 44.203.106.4828
    Other: 1.408.321.6300

Contents

PART I: Introduction 45

Accessing the CLI 45

Online Help and Keyboard Shortcuts 46

CLI Modes 47

PART II: Command Groups 49

AAA Accounting Commands 51

AAA Authentication Commands 52

AAA Authorization Command Family 54

Advanced Threat Intelligence Commands 55

Alerts Command Family 56

Analysis Commands 57

Appliance Boot Image Commands 58

Appliance Upgrade Commands 59

ARP Command Family 60

AV Suite Command Family 61

Backup Command Family 62

Banner Command Family 63

Block by Proxy Commands 64

Bridge Command Family 65

Boot Manager Command Family 66

CAC Commands 67

CLI Session Commands 69

Compliance Commands 74

Configuration Management Commands 75

Cryptographic Commands 76

Date and Time Commands 78

DTI Cache Proxy Command Family 79

DTI Network Service Commands 80

Email Analysis Commands 82

Email Analysis Password Extraction Command Family 85

Email Command Family 86

Event Notification Commands 87

Events Database Configuration Commands 89

Events Database Management Commands 91

Events Commands 92

FMPS (FX) Scan Command Family 93

Forensic Analysis Command Family 94

FUME Command Family 95

Connect to FireEye as a Service Commands 96

Guest Images Commands 97

Incident Command Family 98

Intelligent Platform Management Interface (IPMI) Commands 99

Interface Commands 100

IP Addressing Commands 101

IPS Commands 102

License Management Command Family 103

Local BA Signer Whitelist Command Family 104

Local Signature Commands 105

Log Management Commands 106

Malware Object Analysis Command Family 107

Malware Submission Command Family 108

Media Disk Commands 109

Media USB Commands 110

MVX Appliance Command Family 112

MVX Cluster Command Family 113

MVX Submission Command Family 115

Network Deployment Check Commands 116

NX Series High Availability (HA) Command Family 117

Policy Manager Command Family 118

RAID Management Commands 119

Remote Correlation Commands 119

Report Email Commands 120

Report Generation Commands 121

Static Analysis Tools Command Family 122

Submission Sampling Command Family 123

TAP Sender Module Command Family 124

Third-Party IOC Feeds Command Family 125

User Account Commands 126

Virtual System Command Family 128

Web Analysis Command Family 129

Web Incident Command Family 130

Web Service API Commands 131

Web UI Configuration Commands 132

Workorder Command Family 133

AX Series Command Family 134

CM Series Command Family 135

EX Series Commands 137

FX Series Commands 140

HX Series Commands 142

PART III: Commands 147

aaa accounting changes default stop-only 148

aaa authentication attempts lockout enable 156

aaa authentication attempts lockout lock-time <seconds> 158

aaa authentication attempts lockout max-fail <failure_count> 160

aaa authentication attempts lockout unlock-time <seconds> 162

aaa authentication attempts reset all [no-clear-history | no-unlock] 164

aaa authentication attempts reset user <username> [no-clear-history | no-unlock] 166

aaa authentication attempts track downcase 168

aaa authentication attempts track enable 169

aaa authentication certificate crl delete filename <name_of_file> 170

aaa authentication certificate crl fetch url <URL> 171

aaa authentication certificate ocsp default url <URL> 173

aaa authentication certificate ocsp enable 175

aaa authentication certificate ocsp override-responder 176

aaa authentication certificate username x509-cert-san-email 177

aaa authentication certificate username x509-cert-san-email-username 178

aaa authentication certificate username x509-cert-san-upn 179

aaa authentication certificate username x509-cert-san-upn-username 180

aaa authentication certificate username x509-cert-subject 181

aaa authentication certificate username x509-cert-subject-cn 183

aaa authentication certificate validation allow-missing-basic-constraints 184

aaa authentication certificate web policy allowed 186

aaa authentication certificate web policy disabled 188

aaa authentication certificate web policy required 189

aaa authentication login default 190

aaa authentication password lcd length minimum 192

aaa authentication password local change allow-encrypt 193

aaa authentication password local change require-current 195

aaa authentication password local character-type <characterType> minimum 197

aaa authentication password local history clear 199

aaa authentication password local history compare 201

aaa authentication password local length 203

aaa authentication password local no-userid 207

aaa authentication password local require-change advance-warning 208

aaa authentication password local require-change force 210

aaa authentication password local require-change max-password-days 212

aaa authentication password local require-change new-account 214

aaa authorization certificate map-ldap enable 216

aaa authorization certificate map-ldap match-cert-field x509-cert-san-email 217

aaa authorization certificate map-ldap match-cert-field x509-cert-san-email-username 218

aaa authorization certificate map-ldap match-cert-field x509-cert-san-upn 219

aaa authorization certificate map-ldap match-cert-field x509-cert-san-upn-username 221

aaa authorization certificate map-ldap match-cert-field x509-cert-subject 222

aaa authorization certificate map-ldap match-cert-field x509-cert-subject-cn 224

aaa authorization certificate map-ldap match-ldap-attribute mail 225

aaa authorization certificate map-ldap match-ldap-attribute sAMAccountName 226

aaa authorization certificate map-ldap match-ldap-attribute uid 228

aaa authorization certificate map-ldap search-filter 229

aaa authorization certificate map-ldap username-override 231

aaa authorization map default-user 233

aaa authorization map order 235

aaa authorization roles 238

aaa authorization rules enable 240

aaa authorization rules rule append tail <rule1> [<rule2> ...] 242

aaa authorization rules rule insert <rule-number> <rule> 246

aaa authorization rules rule modify <rule-number> <rule> 249

aaa authorization rules rule set <rule-number> <rule> 253

alerts whitelist src ip <ipAddress> 257

analysis live check-connection 259

analysis live default-gateway ip 260

analysis live proxy-authentication 265

arp <ipAddress> <macAddress> 266

ati auto-update enable 268

ati enable 270

av-suite enable 272

backup cancel 274

backup delete from <location> name <backupName> 275

backup profile <profile> to <location> 276

banner login <text> 280

banner login-local <text> 282

banner login-remote <text> 284

banner motd <text> 286

blacklist files auto past_hours <past_hours> 288

blat enable 289

boot bootmgr disable password 290

boot next fallback-reboot enable 291

boot system location 293

boot system next 295

bridge <interface> ageing-time <time> 297

bridge <interface> enable 299

bridge <interface> forward-time 301

bridge <interface> hello-time <time> 303

bridge <interface> max-age <time> 304

bridge <interface> priority <priority> 305

bridge <interface> spanning-tree enable 306

bridge <interface> 307

clear aaa authentication attempts all 308

clear aaa authentication attempts user 310

clear arp-cache 312

clear ipv6 neighbors 313

cli clear-history 314

cli disable-history 317

cli enable-history 318

cli session auto-logout <minutes> 318

cli session paging enable 319

cli session prefix-modes {enable | show-config} 320

cli session progress enable 321

cli session terminal length <length> 322

cli session terminal resize 323

cli session terminal type <type> 324

cli session terminal width <width> 325

cli session x-display full <display-string> 325

clock set 327

clock timezone 328

cmc appliance 330

cmc appliance <appliance_name> auth password password <password> 333

cmc appliance <appliance_id> auth password username <username> 334

cmc appliance <appliance_name> auth ssh-dsa2 identity <identity> push [username <username> password [<password>]] 335

cmc appliance <appliance_name> auth ssh-dsa2 identity <identity> 337

cmc appliance <appliance_name> auth ssh-dsa2 username <user_name> 338

cmc appliance <appliance_name> auth ssh-rsa2 identity <identity> push [username <username> password [<password>]] 339

cmc appliance <appliance_name> auth ssh-rsa2 identity <identity> 341

cmc appliance <appliance_name> auth ssh-rsa2 username <user_name> 342

cmc appliance <appliance_name> authtype <authtype> 343

cmc auth 345

cmc cancel 347

cmc client 348

cmc client server 350

cmc ha nx <existingName> rename <newName> 358

cmc ha nx <pair> appliances <member1> <member2> enable-nx-ipv6 359

cmc ha nx <pair> comment <"comment"> 361

cmc ha nx <pair> sync <targetMember> config with <sourceMember> 363

cmc mvx cluster <cluster-name> 365

cmc mvx cluster <cluster-name> broker <node-name> enable 366

cmc mvx cluster <cluster-name> description 367

cmc mvx cluster <cluster-name> master <node-name> 368

cmc mvx cluster <cluster-name> node <node-name> 369

cmc mvx cluster <cluster-name> sync-config 370

cmc mvx sensor enrollment {enroll | unenroll} <sensorName> 371

cmc mvx status cluster-sizing enable 372

cmc mvx status cluster-sizing threshold critical <percentage> 373

cmc mvx status cluster-sizing threshold warning <percentage> 374

cmc profile <name> 375

cmc profile <name> apply appliance <applianceName> 376

cmc profile <name> apply appliance <applianceName> fail-continue 377

cmc profile <name> apply appliance <applianceName> no-save 379

cmc profile <name> apply group <groupName> 381

cmc profile <name> apply group <groupName> fail-continue 383

cmc profile <name> apply group <groupName> no-save 385

cmc profile <name> command 387

cmc profile <name> comment 388

cmc profile <name> copy <newProfile> 389

cmc profile <name> extract-from 391

cmc profile <name> rename 392

cmc rendezvous client 393

cmc rendezvous server 396

cmc rendezvous service-name 399

cmc server 400

cmc status 401

cms peer <peer_hostname> delete 403

cms peer <peer_hostname> enable 404

cms peer <peer_hostname> interaction dist-correlation enable 405

cms peer <peer_hostname> interaction dti enable 406

cms peer <peer_hostname> interaction dti proxy mode no-proxy 407

cms peer <peer_hostname> interaction dti proxy mode use-fenet 408

cms peer-service auth-token export 409

cms peer-service auth-token generate 410

cms peer-service auth-token import <peer_token> 412

cms peer-service enable 414

compliance apply standard 415

compliance declassify zeroize 416

compliance options fips-mode-crypto enable 417

compliance options ftp-file-transfer enable 418

compliance options http-file-transfer enable 419

compliance options manual-key-entry enable 420

compliance options restricted-license enable 421

compliance options secure-channel-logs enable 422

compliance options snmp-crypto-limit enable 423

compliance options user-key-access enable 424

compliance options webui enable 425

configuration audit max-changes <number> 426

configuration copy <file_name> <copy_name> 428

configuration delete <file_name> 430

configuration factory 431

configuration fetch 432

configuration jump-start 433

configuration merge 439

configuration move 440

configuration revert saved 444

configuration switch-to 446

configure terminal 447

configuration text 448

configuration upload 451

configuration write [to <file_name> [no-switch]] 452

custom content enable 453

custom content enable on lms <appliance> 455

crypto certificate bundle <bundle_name> cert-name <certificate_name> 457

crypto certificate bundle <bundle_name> comment <comment> 459

crypto certificate bundle <bundle_name> fetch url <url> 461

crypto certificate 463

crypto certificate ca-chain chain-name <chainName> web-server 467

crypto ipsec 470

debug generate 473

deployment check network clear 474

deployment check network duration 476

deployment check network start 478

disable 480

email 481

email-analysis adv-url-defense cache {whitelist | blacklist} 486

email-analysis adv-url-defense rewrite enable 487

email-analysis allowed-list 489

email-analysis blocked-list 492

email-analysis controlled-live-mode enable 495

email-analysis delete 497

email-analysis delete-message 498

email-analysis domain 499

email-analysis pass-extract add ignoreword <word> 500

email-analysis pass-extract add keyword <keyword> 501

email-analysis pass-extract add password <password> 502

email-analysis pass-extract delete ignoreword <word> 503

email-analysis pass-extract delete keyword <keyword> 504

email-analysis pass-extract delete password <password> 504

email-analysis pass-extract limit <number_of_passwords> 505

email-analysis filter 507

email-analysis flush-message 508

email-analysis interface <interface_name> 509

email-analysis mode 513

email-analysis mta certificate name 514

email-analysis mta smtp stop 515

email-analysis mta smtp start 517

email-analysis mta start 518

email-analysis mta stop 519

email-analysis policy adv-url-defense enable 520

email-analysis policy att-limit <count> 520

email-analysis policy congestion bypass-threshold <number> 521

email-analysis policy congestion high-threshold <number> 522

email-analysis policy congestion mode bypass enable 522

email-analysis policy congestion mode refuse-connection enable 523

email-analysis policy feature-extractor enable 524

email-analysis policy image-analysis enable 524

email-analysis policy max-size-limit <size> 525

email-analysis policy message-tracking max-days-records <days> 526

email-analysis policy message-tracking syslog-enable 527

email-analysis policy monitor backoff <seconds> 527

email-analysis policy monitor bypass-threshold <count> 528

email-analysis policy monitor defer-threshold <count> 529

email-analysis policy monitor enable 530

email-analysis policy monitor interval <minutes> 530

email-analysis policy notice admin <email_addr> 531

email-analysis policy notice from <email_addr> 534

email-analysis policy notice subject <subject> 534

email-analysis policy parse-https enable 535

email-analysis policy reload 536

email-analysis policy typosquatting enable 537

email-analysis policy url-images enable 538

email-analysis policy url-limit <count> 538

email-analysis policy url-phishing blacklist enable 539

email-analysis policy url-phishing whitelist enable 539

email-analysis policy use-header enable 540

email-analysis policy xheader enable 541

email-analysis policy yara-analysis enable 542

email-analysis quarantine 543

email-analysis reroute-message 544

email-analysis suppress 545

email-analysis url-dynamic-analysis enable 546

email-analysis url-dynamic-analysis 547

email auth enable 548

email auth password [<password>] 548

email auth username <username> 549

email autosupport enable 550

email autosupport event <event_name> 550

email dead-letter cleanup max-age <duration> 552

email dead-letter enable 553

email domain <domain_name> 554

email mailhub <host_or_ip_addr> 554

email mailhub-port <TCP_port> 555

email notify event <event> 556

email notify recipient <email_address> [class {failure | info} | detail] 558

email return-addr <username> 559

email return-host 560

email ssl 562

embedded-analysis enable 564

eml attachment limit <count> 565

eml recursive limit <count> 566

enable 567

exit 568

fe-access connect 569

fe-access enable 570

fe-access proxy enable 571

fe-access proxy set 572

fe-access proxy use-fenet 573

fe-access set 574

fedb backup 575

fedb events archival age days <number> 576

fedb events archival himark <number> 577

fedb events archival journal <size> 578

fedb events archival time <hour> 579

fedb events source ip resolve-dns 580

fedb events source ip resolve-dns-first 581

fedb events source ip resolve-netbios 582

fedb hold 583

fedb malware 584

fedb restore 585

fenet appliance image 586

fenet appliance manage 588

fenet appliance patch 589

fenet dti cache populate guest-images all 590

fenet dti cache populate guest-images appliance 592

fenet dti cache populate image product 594

fenet dti enrollment service default DTI 602

fenet dti enrollment service override enable 604

fenet dti enrollment service type DTI address <address> 606

fenet dti enrollment service type DTI username <username> password <password> 608

fenet dti faude service 610

fenet dti mil service 612

fenet dti proxy cache purge 614

fenet dti proxy cache purge auto 615

fenet dti proxy cache purge file 616

fenet dti proxy cache purge file-type 617

fenet dti proxy check-certificate 618

fenet dti source 619

fenet dti upload destination 624

fenet enable 626

fenet guest-images 627

fenet hx-agent autoupdate enable 629

fenet hx-agent image apply 630

fenet hx-agent image check 632

fenet hx-agent image fetch 633

fenet hx-agent metadata refresh 634

fenet image 635

fenet license update [force] 636

fenet license update enable 638

fenet metadata refresh 639

fenet op-mode local 640

fenet op-mode online 641

fenet op-mode proxy 642

fenet op-mode url 643

fenet proxy 644

fenet time sync 645

fenet proxy enable 646

fenet security-content custom rule enable 650

fenet session 651

fenet ssl 652

fenet stats-content aggregator <aggregator> enable 654

fenet stats-content upload {auto | now} 655

fenet update appliance <applianceName> 656

fenet update appliance <applianceName> cancel 657

fenet update appliance <applianceName> guest-image 658

fenet update appliance <applianceName> guest-image cancel 659

fenet update appliance <applianceName> guest-image delete 660

fenet update appliance <applianceName> guest-image download 661

fenet update appliance <applianceName> guest-image install 662

fenet update appliance <applianceName> guest-image resume 663

fenet update appliance <applianceName> no-reboot 664

fenet update appliance <applianceName> resume 665

fenet update appliance <applianceName> suspend 666

fenet update appliance <applianceName> system-image 667

fenet update appliance <applianceName> system-image no-reboot 668

fenet update appliance <applianceName> system-image reboot 669

fenet update appliance <applianceName> system-image version <version> 670

fenet update appliance <applianceName> version <version> 671

fenet update cluster <clusterName> 672

fenet update cluster <clusterName> cancel 674

fenet update cluster <clusterName> guest-image 675

fenet update cluster <clusterName> guest-image cancel 676

fenet update cluster <clusterName> guest-image delete 677

fenet update cluster <clusterName> guest-image download 678

fenet update cluster <clusterName> guest-image install 679

fenet update cluster <clusterName> guest-image resume 680

fenet update cluster <clusterName> system-image no-reboot 684

fenet update cluster <clusterName> system-image reboot 685

fenet update cluster <clusterName> system-image version <version> 686

fenet update cluster <clusterName> system-image 687

fenet update cluster <clusterName> version <version> 689

fenet update config task <task> parallel-execution 690

fenet update config task <task> retry <number> 692

fenet update config task <task> timeout <seconds> 694

fenet user 696

fenotify default timezone 697

fenotify email 698

fenotify enable 702

fenotify http alert 703

fenotify http default 704

fenotify http enable 706

fenotify http service 707

fenotify preferences alerts-update ati enable 711

fenotify preferences bbp enable 712

fenotify preferences bbp max-time-wait 712

fenotify preferences bbp subject-desc 713

fenotify preferences ips-delivery-mode 715

fenotify preferences json 716

fenotify preferences normalize-ips-event enable 717

fenotify preferences process-order 718

fenotify preferences rsyslog-strip-lnfb enable 719

fenotify preferences sender-cpu-ratio 720

fenotify preferences support-riskware enable 720

fenotify preferences text 722

fenotify preferences use-fenet-proxy enable 723

fenotify preferences xml 724

fenotify rsyslog alert <alert-type> enable 725

fenotify rsyslog enable 730

fenotify rsyslog trap-sink <sink_name> address 731

fenotify rsyslog trap-sink <sink_name> chunk-size 732

fenotify rsyslog trap-sink <sink_name> enable 733

fenotify rsyslog trap-sink <sink_name> port 734

fenotify rsyslog trap-sink <sink_name> prefer message delivery 735

fenotify rsyslog trap-sink <sink_name> prefer message format 737

fenotify rsyslog trap-sink <sink_name> prefer message item-order 740

fenotify rsyslog trap-sink <sink_name> prefer message send-as 741

fenotify rsyslog trap-sink <sink_name> prefer notification 743

fenotify rsyslog trap-sink <sink_name> protocol 745

fenotify rsyslog trap-sink <sink_name> user 746

fenotify rsyslog trap-sink <sink_name> 747

fenotify snmp 748

fenotify ssl 750

fenotify test-fire 752

file-analysis suppress 753

file debug-dump 754

file stats 755

file tcpdump 756

fmps scan abort <id> 757

fmps scan delete <id> 758

fmps scan pause <id> 759

fmps scan restart <id> 760

fmps scan resume <id> 761

fmps file config analysis_tmo 762

fmps file config maxsize 763

fmps file config scan_delay 764

fmps file config share-timeout 765

fmps scan configure start-time 770

fmps scan configure subdirectories 772

fmps scan configure target-shares 773

fmps scan create 775

fmps scan delete <scan-id> 776

fmps scan schedule 777

fmps scan start 778

fmps scan start scan-id listen 779

fmps share configure share-name auth 780

fmps share configure share-name ca-file 781

fmps share configure share-name protocol 782

fmps share configure share-name server 784

fmps share create quarantine 785

fmps share create source 786

fmps share create target 787

fmps share delete 788

fmps share mount 789

fmps share unmount 790

forensic analysis enable 791

gen-emps-rpt 792

guest-images configure 795

guest-images disable-list 797

guest-images download 798

guest-images file-association reset 801

guest-images install 802

guest-images limit-rate 803

ha address vip 804

ha engine failover 806

ha engine reset cluster-config 808

ha engine restart 810

ha engine split-brain shutdown auto 813

ha interface backup <name> 817

ha interface default <name> 818

ha node failover auto 819

ha node join 821

ha node leave 823

ha node <node> leave 825

ha replicate alerts enable 827

ha replicate updates enable 829

ha resource <resource> enable 831

help 834

homenet ip 835

hostname 836

hx agent agent-log-exception enable 837

hx agent agent-log-exception level 838

hx agent aging enable 840

hx agent aging inactive-period 841

hx agent aging new-orphan-period 842

hx agent concurrent-host-exception enable 843

hx agent concurrent-host-exception limit 844

hx agent config-poll 845

hx agent event-buf-size 846

hx agent events enable 847

hx agent events whitelist enable 848

hx agent events whitelist paths 849

hx agent fastpoll 851

hx agent inactivity period 852

hx agent indicator 853

hx agent max-cpu 854

hx agent poll 855

hx agent server hostname 859

hx agent server provisioning enable 860

hx agent server provisioning primary 861

hx config agent exd exceptions whitelist enable 862

hx config agent exd exceptions whitelist paths 863

hx config agent exd whitelist enable 865

hx config agent exd whitelist paths 866

hx ecosystem dmz attach 868

hx ecosystem dmz attach-initiate 869

hx ecosystem dmz provisioning-enabled 870

hx pki agent ca-days 871

hx pki agent cert-bits 872

hx pki agent cert-days 873

hx pki export file 874

hx pki import file 875

hx pki provisioning 876

hx pki regenerate 877

hx pki regenerate crl 878

hx pki regenerate subordinate 879

hx pki server ca-days 880

hx pki server cert-bits 881

hx pki server cert-days 882

hx pki server crl-days 883

hx pki server crl-upload 884

hx pki subject prefix 885

hx server acquisition aging completed-period 886

hx server acquisition aging disk-limit 887

hx server acquisition aging enable 888

hx server acquisition aging failed-period 889

hx server acquisition aging pending-period 890

hx server acquisition default-zip-passphrase 891

hx server app-proc quiesce 893

hx server containment blocked 894

hx server containment enable 895

hx server containment notification custom 896

hx server containment notification enable 897

hx server containment notification source 898

hx server containment notification url 899

hx server containment task-timeout 900

hx server containment whitelist 901

hx server detection aging alert fp-period 902

hx server detection aging alert period 903

hx server detection aging indicator generated enable 904

hx server detection aging indicator generated period 905

hx server detection inbound bookmark 906

hx server detection inbound ignore-type 907

hx server detection inbound min-threshold 908

hx server detection inbound poll-interval 909

hx server detection intel matching enable 910

hx server detection legacy enable 911

hx server detection legacy malicious-url enable 912

hx server detection legacy noisy-indicator enable 913

hx server exd enable 914

hx server msm-link api domain-hash 915

hx server msm-link api key 916

hx server msm-link api secret 917

hx server msm-link enable 918

hx server msm-link hostname 919

hx server msm-link prefix 920

hx server script aging period 921

hx server sysinfo-interval 925

hx server task aging period 926

hx server triage auto enable 927

hx server triage auto throttle agent limit 928

hx server triage auto throttle agent period 929

hx server triage auto throttle agent-condition limit 930

hx server triage auto throttle agent-condition period 931

hx server triage auto throttle condition limit 932

hx server triage auto throttle condition period 933

hx server triage auto throttle exd limit 934

hx server triage auto throttle exd period 935

hx server triage auto throttle global limit 936

hx server triage auto throttle global period 937

hx server triage auto throttle indicator limit 938

hx server triage auto throttle indicator period 939

hx server triage auto throttle ioc limit 940

hx server triage auto throttle ioc period 941

hx server triage extraction retry-limit 942

hx server triage extraction task-limit 943

hx server triage extraction timeout 944

hx server triage task-limit 945

hx server triage task-timeout 946

hx server triage window after 947

hx server triage window prior 948

hx server upgrade task-limit 949

hx server upgrade task-timeout 950

image boot location 950

image delete 952

image fetch 953

image install 954

image move 956

interface 958

ip default-gateway 961

ip dhcp 962

ip domain-list 963

ip filter chain 964

ip filter enable 968

ip filter options include-bridges 969

ip host 970

ip map-hostname 971

ip name-server 972

ip route 973

ipmi firmware reload 974

ipmi firmware update latest 975

ipmi firmware update notice enable 976

ipmi lan defgw 977

ipmi lan ipaddr 978

ipmi lan ipsrc 979

ipmi lan netmask 980

ipmi lan shutdown 981

ipmi log clear 982

ipmi user set password 983

ips auto-update enable 984

ips blockmode 986

ips brute-force threshold 988

ips detail-filter 989

ips reconnaissance enable 991

ips reconnaissance threshold 992

ips signature id <id> 994

ips signature name <name> 998

ipv6 map-hostname 1005

ipv6 neighbor 1006

ipv6 route 1007

job 1008

lcd 1009

ldap 1011

ldap ssl 1014
    Syntax 1014
    User Role 1014
    Release Information 1014
    Parameters 1014
    Example 1015

license activation code <code> 1016

license activation reapply 1017

license delete 1018

license install 1021

localsig enable 1023

logging 1024

logging fields 1026

logging files audit upload 1027

logging files rotation 1028

logging files upload 1029

logging format 1030

logging local 1031

logging receive 1033

logging remote 1035

logging trap 1037

malware abort queued 1038

malware analyze live 1039

malware analyze sandbox 1040

malware delete 1042

Managed Defense vpn enable 1045

Managed Defense vpn http proxy 1046

malware-intrinsic-analysis dti 1048

malware-intrinsic-analysis local 1050

management interface allow 1051

media disk activity-light off 1052

media disk activity-light on 1053

media disk offline 1054

media disk online 1055

media disk rebuild cancel 1056

media disk rebuild start 1057

media usb auto-mount enable 1058

media usb eject 1059

media usb mount 1060

media usb web-access enable local 1061

media usb web-access top-dir 1062

msm admin password reset 1063

msm common certs deploy 1064

msm compatibility {old-hmac | ""} 1066

msm ip-security-policy clear 1069

msm mgmt-interface {false | true} 1070

msm mgmt-interface gw <ipAddress> 1072

mtp enable 1073

mvx cluster cloud enable 1074

mvx cluster {enroll | unenroll} now 1075

mvx cluster enrollment-service client enable 1076

mvx cluster enrollment-service preferred name <name> 1077

mvx node config cluster-if <interface> 1078

mvx node config submission-if <interface> 1079

mvx sensor enable 1083

netwitness analysis enable 1084

no aaa accounting changes 1085

no aaa accounting changes default 1086

no cmc ha nx <pair> appliance <member> 1087

no cmc profile <name> command 1089

no cmc profile <name> command <sequenceNumber> 1090

no mvx cluster enroll 1091

no mvx cluster enrollment-service client 1092

no mvx cluster enrollment-service 1093

no ntp authentication key 1094

no ntp server <server> authentication 1095

no raid alarm enable 1096

npulse analysis enable 1097

nslookup 1098

ntp authentication enable 1099

ntp authentication key 1101

ntp disable 1103

ntp enable 1105

ntp peer <peer> 1106

ntp peer <peer> authentication 1107

ntp peer <peer> disable 1108

ntp peer <peer> version 1109

ntp server <server> 1110

ntp server <server> authentication 1111

ntp server <server> disable 1112

ntp server <server> version 1114

ntpdate 1116

object-analysis salvage 1117

ping 1119

ping6 1121

policymgr interface <port-pair-name> drop http comfort-page enable 1124

policymgr interface <port-pair-name> drop http comfort-page response-type 1125

policymgr interface <port-pair-name> drop out-interface 1127

policymgr interface <port-pair-name> drop tcp reset client enable 1128

policymgr interface <port-pair-name> drop tcp reset enable 1129

policymgr interface <port-pair-name> drop tcp reset server enable 1130

policymgr interface <port-pair-name> drop udp icmpport-unreachable enable 1131

policymgr interface 1132

policymgr interface <interfacePair> mirror port 1134

policymgr interface <interfacePair> mirror clear 1136

policymgr interface <port-pair-name> op-mode block 1137

policymgr interface <port-pair-name> op-mode bypass 1139

policymgr interface <port-pair-name> op-mode monitor 1140

policymgr interface <port-pair-name> op-mode tap 1141

ips policy 1142

ips policy clone 1143

ips apply 1144

ips policy match 1146

ips policy rules 1151

policymgr network 1153

policymgr refresh-policy 1155

policymgr signature 1156

pup enable 1157

qserver enable 1158

radius-server 1159

raid alarm enable 1161

raid alarm silence 1162

raid log clear 1163

raid test consistency cancel 1164

remote-correlation run-frequency 1167

remote-correlation url-duration 1168

report delete <url> 1170

report email recipient 1172

report email snmp domain 1173

report email snmp port 1174

report generate type alert_details (update) 1175

report generate type alert_details 1181

report generate type callback_server 1184

report generate type email_activity 1187

report generate type email_av_report 1190

report generate type email_executive_summary 1193

report generate type email_hourly_stat 1196

report generate type executive_summary 1199

report generate type File_Executive_Summary 1202

report generate type infected_hosts_trend 1205

report generate type malware_activity 1208

report generate type web_av_report 1211

report schedule 1214

reset factory 1217

resolver cache flush 1219

resolver 1220

restore profile <profile> from <location> name <file> 1221

sharepoint ssl ca-list 1224

signer-whitelist disable <index> 1226

signer-whitelist enable <index> 1228

signer-whitelist mode <mode> 1230

slogin 1232

snmp-server 1235

snmp-server host 1237

ssh server listen enable 1238


snmp-server user 1241

ssh client 1243

ssh server 1247

ssh server listen enable 1249

ssh server listen interface <interface> 1250

static-info enable 1252

static-analysis av-check enable 1253

static-analysis av-suite enable 1254

static-analysis dropper enable 1255

static-analysis enable 1256

static-analysis malware-intrinsic-analysis enable 1257

static-analysis sa-python enable 1258

stats alarm 1259

stats chd 1261

stats clear-all 1262

stats export 1263

stats group submission sampling interval minutes 1263

stats sample 1265

stty baud 1266

system virtual bootstrap reset 1267

tacacs-server host 1268

tacacs-server host <ipaddress> auth-port 1270

tacacs-server host <ipaddress> auth-type 1272

tacacs-server host <ipaddress> enable 1274

tacacs-server host <ipaddress> key 1275

tacacs-server host <ipaddress> prompt-key 1277

tacacs-server host <ipaddress> retransmit 1279

tacacs-server host <ipaddress> timeout 1281

tacacs-server key 1283


tapsender VPC <hostname> 1290

tcpdump 1291

telnet 1295

terminal 1297

tpm enable 1298

tpm rng enable 1299

traceroute 1300

username 1302

username disable 1304

username fe services password 1305

username password 1306

web-analysis 1308

web auto-logout 1310

web client ssl 1312

web logging level 1314

web preferences config global alerts auto-refresh enable 1315

web server 1316

web server listen enable 1318

web server listen interface <interface> 1319

web server ssl ca-chain <chainName> 1321

web session renewal 1322

web session timeout 1324

write 1326

wsapi 1327

wsapi rtstats 1328

yara 1329

yara match limit 1330

yara policy 1331

yara weight default 1332

show aaa 1333

show aaa authentication certificate crl 1336


show aaa authentication attempts 1341

show aaa authentication password 1342

show aaa authentication password 1344

show aaa authorization certificate 1345

show aaa authorization rules 1347

show alerts 1350

show alerts whitelist src ip <ipAddress> 1354

show analysis live config 1355

show analysis summary by 1357

show arp 1359

show arp static 1360

show ati status 1361

show avc vms 1363

show backup available 1364

show backup estimate profile 1366

show backup status 1369

show banner 1370

show blat 1372

show bootvar 1374

show bottracker sigmatch 1375

show bottracker stats 1376

show bridges 1379

show cli 1380

show cli commands 1381

show clock 1383

show cmc appliances 1384

show cmc auth identities 1388

show cmc auth ssh 1390

show cmc client 1392


show cmc mvx cluster 1401

show cmc mvx cluster {brief | detail} 1402

show cmc mvx cluster enrollment status 1404

show cmc mvx cluster <name> nodes 1405

show cmc mvx cluster <cluster-name> stats daily 1406

show cmc mvx cluster <cluster-name> stats hourly 1408

show cmc mvx cluster <cluster-name> 1410

show cmc mvx status cluster-sizing config 1412

show cmc profiles 1413

show cmc rendezvous 1414

show cmc server 1416

show cmc status 1417

show cmc 1419

show cms peer-service 1420

show compliance 1424

show compliance options 1425

show compliance standard 1426

show configuration audit 1428

show configuration 1429

show configuration files 1434

show crypto certificate bundle 1435

show crypto certificate ca-chain 1439

show crypto certificate ca-chain brief 1440

show crypto certificate ca-chain chain-name <chainName> 1441

show crypto certificate ca-chain chain-name <chainName> brief 1443

show crypto certificate ca-chain chain-name <chainName> detail 1444

show crypto certificate ca-chain detail 1445

show crypto certificate decode raw pem 1446

show crypto certificate 1449

show crypto ipsec 1451

show custom content enable status 1452


show deployment check network 1456

show email 1462

show email-analysis 1463

show email-analysis all 1465

show email-analysis allowed-list statistics 1465

show email-analysis attachment 1466

show email-analysis blocked-list statistics 1467

show email-analysis done 1468

show email-analysis log 1470

show email-analysis message-queue max-num 1471

show email-analysis mta mynetworks 1473

show email-analysis mta status 1473

show email-analysis pass-extract ignorewords 1475

show email-analysis pass-extract keywords 1476

show email-analysis pass-extract passwords 1477

show email-analysis policy 1478

show email-analysis queued 1482

show email-analysis running 1483

show email-analysis statistics 1484

show email-analysis url 1485

show email-analysis url-dynamic-analysis 1487

show email-analysis yara-statistics 1489

show email-analysis adv-url-defense configuration 1491

show email-analysis adv-url-defense statistics 1493

show email-analysis mta status 1495

show email-analysis url-dynamic-analysis 1497

show email-analysis url 1500

show email-analysis policy 1502

show eml 1507


show events before 1514

show events between 1518

show events count 1523

show events on 1524

show events today 1528

show events type 1532

show events yesterday 1536

show events [<event_ID>] 1540

show fe-access 1543

show fedb backups 1544

show fedb events configuration 1545

show fenet 1547

show fenet appliance 1548

show fenet dti cache populate guest-images status 1549

show fenet dti cache populate images status 1551

show fenet dti proxy cached-content 1553

show fenet dti proxy cached-content freshness-info 1555

show fenet dti proxy cached-content show-stale 1558

show fenet dti proxy cached-content version 1560

show fenet dti proxy configuration 1562

show fenet dti proxy configuration all 1564

show fenet dti configuration 1567

show fenet guest-images status 1570

show fenet hx-agent image available 1571

show fenet image 1573

show fenet key 1574

show fenet license 1575

show fenet metadata status 1576

show fenet security-content 1579

show fenet security-content status 1581

show fenet stats-content 1583


show fenet update config 1587

show fenet update operations 1589

show fenet update status appliance <applianceName> {brief | detail} 1591

show fenotify alerts 1594

show fenet update status appliance <applianceName> 1596

show fenet update status cluster <clusterName> 1598

show fenet update status cluster <clusterName> {brief | detail} 1600

show fenotify email 1602

show fenotify http 1604

show fenotify preferences 1606

show fenotify preferences appliance-id 1609

show fenotify preferences bbp 1610

show fenotify preferences json 1611

show fenotify preferences text 1612

show fenotify preferences xml 1613

show fenotify rsyslog 1614

show fenotify snmp 1616

show files 1618

show file-analysis 1620

show file-analysis all 1622

show file-analysis done 1624

show file-analysis events 1626

show file-analysis id 1628

show file-analysis list 1630

show file-analysis md5 1631

show fmps file config 1632

show fmps file shares 1633

show fmps scan-id 1635

show fmps share 1640


show fume object stats 1646

show guest-images 1649

show ha configuration 1654

show ha image check status 1658

show ha interfaces 1660

show ha members 1662

show ha members all 1663

show ha replication status 1664

show ha resources 1666

show ha status (for CM) 1669

show ha status (for NX) 1673

show hosts 1677

show hx agent 1678

show hx agent aging 1680

show hx agent inactivity 1681

show hx app-proc 1682

show hx ecosystem 1683

show hx pki 1684

show hx server containment 1686

show hx server containment notification 1688

show hx server detection 1689

show hx server exd 1691

show hx server general 1692

show hx server msm-link 1695

show hx server search 1697

show images 1698

show incident all 1699

show incident list 1702

show incident <incident_ID> 1704

show interfaces 1706

show ip 1708


show ipmi 1711

show ipmi interface 1713

show ipmi log 1714

show ipmi version 1716

show ipmi version include-firmware-update-notice 1717

show ips reconnaissance 1719

show ips signatures 1721

show ipv6 1724

show ipv6 filter 1725

show jobs 1727

show lcd 1728

show ldap 1729

show licenses 1730

show licenses tokens 1734

show licenses tokens configured 1736

show localsig 1737

show log 1738

show log audit 1740

show log audit files all 1742

show log files all 1743

show logging 1744

show malware all 1745

show malware config 1748

show malware done 1750

show malware events 1753

show malware file analysis_tmo 1757

show malware file repositories 1758

show malware id <malware_ID> 1761

show malware list 1765


show malware no-os-change-anomaly 1773

show malware no-vm-outbound-comm 1776

show malware priority <priority> 1779

show malware queued 1782

show malware running 1785

show malware 1787

show management interface 1789

show managed-defense vpn connection 1790

show media disk 1791

show media disk rebuild 1792

show media disk smart 1793

show media usb 1794

show memory 1795

show msm [common] 1796

show mvx cluster enrollment status 1799

show mvx node queuemgr status 1801

show mvx node status 1803

show mvx node status full 1805

show mvx status 1806

show mvx submission 1809

show mvx submission done 1810

show mvx submission done limit <number> 1813

show mvx submission from <start-date> <start-time> to <end-date> <end-time> 1815

show mvx submission limit <number> 1817

show mvx submission malicious 1819

show mvx submission malicious limit <number> 1821

show mvx submission md5sum <md5sum> 1823

show mvx submission md5sum <md5sum> limit <number> 1825

show mvx submission sensor-id {<sensor-id> | ALL} 1827

show mvx submission sha256 <sha256> 1828

show mvx submission sha256 <sha256> limit <number> 1830

show mvx submission since <number of days or hours or minutes or seconds> 1832


show mvx submission tenant-id <tenant-id> 1834

show mvx submission uuid <uuid> 1835

show netwitness analysis 1836

show network 1837

show npulse analysis 1838

show ntp 1839

show ntp authentication 1841

show ntp authentication configured 1843

show ntp configured 1844

show object-analysis 1846

show object-analysis all 1848

show object-analysis done 1851

show object-analysis events 1854

show object-analysis id from 1858

show object-analysis id <object_ID> 1862

show object-analysis list 1868

show object-analysis running 1870

show policymgr drop configuration 1873

show policymgr 1875

show policymgr interfaces 1877

show ips interfaces 1879

show ips policies 1881

show ips status 1885

show raid 1889

show raid log 1890

show radius 1891

show report 1892

show restore status 1894

show remote-correlation status 1895


show sizing stats 1907

show snmp 1908

show ssh client 1909

show ssh server 1910

show static-analysis config 1912

show stats 1914

show stats group submission 1916

show submission 1917

show submission done 1921

show submission dst <IP_address> 1925

show submission from 1927

show submission id <submission_ID> 1930

show submission limit 1934

show submission malicious 1938

show submission md5sum 1942

show submission queued 1946

show submission range 1948

show submission running 1952

show submission since 1955

show submission src <IP_address> 1960

show submission uuid <UUID> 1962

show stty 1966

show system entropy 1967

show system hardware status 1969

show system health 1972

show system load 1973

show system serial-number 1974

show tacacs 1975

show tapsender health 1977

show tapsender stats 1979

show tapsender status 1980


show terminal 1982

show tpm 1983

show users 1984

show usernames 1985

show version 1988

show web 1990

show web-analysis greylists dump-files 1992

show web-analysis greylists ips 1993

show web-analysis greylists urls 1994

show web-analysis greylists 1995

show web-analysis ports 1996

show web-analysis stats 1997

show web-incident done 2000

show web-incident dst <IP_address> 2002

show web-incident id <web-incident_ID> 2004

show web-incident limit 2006

show web-incident malicious 2009

show web-incident src <IP_address> 2012

show whoami 2014

show workorders all 2016

show workorders done 2020

show workorders id <workorder_ID> 2023

show workorders pending 2027

show workorders range 2029

show workorders running 2035

show workorders stats 2038

show workorders traces dst <IP_address> 2041

show workorders traces src <IP_address> 2045

show workorders 2049


Release 7.9 Accessing the CLI

PART I: Introduction

This chapter describes how to use the command-line interface (CLI) to configure and administer the FireEye appliance.

• Accessing the CLI
• Online Help and Keyboard Shortcuts
• CLI Modes

Accessing the CLI

You can access the CLI of a FireEye appliance in two ways:

• Console
• SSH

Using the Console

To access the CLI of the FireEye appliance using the console port, follow these steps:

1. Connect the serial port of your computer directly to the DB-9 console port on the FireEye appliance.

3. Configure the serial communication settings of your program as follows:
   • Bits per second: 115,200
   • Data bits: 8
   • Stop bit: 1
   • Parity: None

4. When prompted, enter your username and password. By default, the admin username requires the password admin. If the password field is left blank, the default is used. Change the default admin password as soon as initial setup is complete: until you do, anyone with console or network access can log in with these documented credentials. The new password must be at least 8 characters long.

5. Enter the enabled mode and then the configuration mode:

hostname > enable
hostname # configure terminal

6. Start the configuration wizard:

hostname (config) # configuration jump-start

7. Answer the questions as described in configuration jump-start on page 433.

Using SSH

To remotely and securely access the CLI of the FireEye appliance over the network, follow these steps:

1. Open a terminal window on your system.

2. Use the ssh command to access the appliance. For example, if the IP address of the appliance is 192.168.1.2, enter:

> ssh user_name@192.168.1.2

3. When prompted, enter the password for that account.

The first time you connect, the ssh client displays the appliance's host key fingerprint and asks you to accept it. Verify the fingerprint through a channel you already trust (for example, the console connection) before accepting; if you accept an unverified key, a host impersonating the appliance can capture the credentials you type.

Online Help and Keyboard Shortcuts

To view the CLI online help, enter a “?” as follows:

• After the prompt, to view a list of the commands available in the current mode
• After a typed command, to view the available parameters
• After a partially typed keyword, to view the possible completions

The amount of help information displayed depends on the CLI mode you are in (refer to CLI Modes).


You can enter commands in abbreviated form if you enter enough characters to uniquely identify each keyword. For example, show configuration can be abbreviated as sh conf. The shorter sh co is not enough, because co also matches show compliance; an abbreviation is accepted only when it matches a single keyword at that position.

To identify a keyword’s minimum abbreviation, type one or more characters and press Tab. If you have entered enough characters, the keyword will be completed.
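The resolution rule above, worked through in code, as an added example that is not part of this guide or of the appliance's software: each typed word is accepted only when it is the prefix of exactly one keyword that can appear at that position, given the words already resolved. The command list is a constructed subset of the show commands in this guide's table of contents, chosen so that it shows why sh conf resolves while sh co is ambiguous (it also matches show compliance) and why sh ss stops as incomplete (show ssh client and show ssh server both remain). The function and error wording are this example's own.

```python
"""Resolve abbreviated CLI commands the way the guide describes: a typed
keyword is accepted when it is the prefix of exactly one keyword that can
appear at that position. Added example over a constructed subset of the show
commands in this guide's table of contents; not FireEye's implementation."""

# Constructed subset of commands from the table of contents (top-level words
# and their first sub-keyword only).
COMMANDS = [
    "show aaa", "show alerts", "show arp", "show cli", "show clock", "show cmc",
    "show compliance", "show configuration", "show crypto certificate",
    "show ssh client", "show ssh server", "show stats", "show system health",
    "ssh client", "ssh server", "snmp-server host", "stats alarm",
]


def keywords_at(resolved, commands):
    """Keywords that may follow the already-resolved words, in sorted order."""
    depth = len(resolved)
    return sorted({c.split()[depth] for c in commands
                   if len(c.split()) > depth and c.split()[:depth] == resolved})


def expand(abbrev, commands=COMMANDS):
    """Return the full command for an abbreviation such as 'sh conf'.

    Raises ValueError naming the ambiguous or unknown keyword, or reporting an
    incomplete command, so the caller sees the same three outcomes the CLI has.
    """
    resolved = []
    for word in abbrev.split():
        matches = [k for k in keywords_at(resolved, commands) if k.startswith(word)]
        if word in matches:            # an exact keyword beats longer ones sharing the prefix
            resolved.append(word)
        elif len(matches) == 1:        # unique prefix: the abbreviation is accepted
            resolved.append(matches[0])
        elif not matches:
            raise ValueError(f"unknown keyword {word!r} after {' '.join(resolved)!r}")
        else:
            raise ValueError(f"ambiguous keyword {word!r}: {', '.join(matches)}")
    full = " ".join(resolved)
    if full not in commands:
        raise ValueError(f"incomplete command {full!r}; next: "
                         f"{', '.join(keywords_at(resolved, commands))}")
    return full


if __name__ == "__main__":
    for attempt in ("sh conf", "sh co", "sh cl", "sh cli", "sh sy h", "sh ss"):
        try:
            print(f"{attempt:10} -> {expand(attempt)}")
        except ValueError as err:
            print(f"{attempt:10} -> {err}")
```

Running the block prints one line per attempt; the list returned by keywords_at for a resolved prefix is what the “?” help shows at that point.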

The following table summarizes the keyboard shortcuts.

Action                      Shortcut           Description
Complete commands           Tab or Ctrl+I      Complete a partially typed keyword if enough characters are entered to uniquely identify it.
Recall commands             Ctrl+P or ↑        Retrieve the previous command from the CLI history.
                            Ctrl+N or ↓        Retrieve the next command from the CLI history.
                            Ctrl+L             Redisplay the current command line.
Delete characters           Ctrl+D             Delete the character at the cursor.
                            Ctrl+H             Delete the character before the cursor (same as the Backspace key).
                            Ctrl+K             Delete all characters from the cursor to the end of the line.
                            Ctrl+U or Ctrl+W   Delete all characters on the line.
Move cursor                 Ctrl+A             Move the cursor to the start of the line.
                            Ctrl+B             Move the cursor back one character.
                            Ctrl+E             Move the cursor to the end of the line.
                            Ctrl+F             Move the cursor forward one character.
Transpose characters        Ctrl+T             Transpose the character at the cursor and the preceding character.
Interrupt command output    Ctrl+C             Interrupt presentation of output on the screen. It may take a while for the interrupt to register and stop the command execution.
Exit configuration mode     Type exit          Change from configuration mode to enabled mode, or close the CLI session.
or log out

CLI Modes

The CLI has three modes. The following table describes each mode, the prompt that identifies it, and how to exit it.

Mode: standard
Description: Monitor system operation and issue some system commands, such as ping and traceroute. This is the default login mode. The following prompt is displayed:
hostname >
How to exit: Enter exit to log out.

Mode: enabled
Description: Set up and monitor the system (includes all commands in the standard mode). To access the enabled mode, enter enable in the standard mode. The > in the prompt changes to a hash mark (#):
hostname > enable
hostname #
How to exit: Enter disable.

Mode: configuration
Description: Configure the FireEye application (includes all commands). To access configuration mode, enter configure terminal in the enabled mode. The prompt changes to indicate the mode:
hostname # configure terminal
hostname (config) #
How to exit: Enter exit.

Because configuration mode includes every command (reset factory and username password among them), limit which accounts are authorized to reach it; the AAA authorization commands later in this guide control that.

To determine the CLI mode for any of the commands in this guide, refer to the system prompt that is shown in the example or examples that accompany the command.


PART II: Command Groups


AAA Accounting Commands

The following commands are used to configure AAA accounting on a FireEye appliance:

aaa accounting changes default stop-only on page 148
no aaa accounting changes on page 1085
no aaa accounting changes default on page 1086
show aaa on page 1333
tacacs-server host on page 1268
tacacs-server key on page 1283
tacacs-server retransmit on page 1285
tacacs-server timeout on page 1287
show tacacs on page 1975
tacacs-server host <ipaddress> auth-port on page 1270
tacacs-server host <ipaddress> auth-type on page 1272
tacacs-server host <ipaddress> enable on page 1274
tacacs-server host <ipaddress> key on page 1275
tacacs-server host <ipaddress> prompt-key on page 1277
tacacs-server host <ipaddress> retransmit on page 1279
tacacs-server host <ipaddress> timeout on page 1281


AAA Authentication Commands

The following commands are used to configure AAA authentication on a FireEye appliance:

aaa authentication attempts class-override admin no-lockout on page 150
aaa authentication attempts class-override unknown hash-username on page 152
aaa authentication attempts class-override unknown no-track on page 154
aaa authentication attempts lockout enable on page 156
aaa authentication attempts lockout lock-time <seconds> on page 158
aaa authentication attempts lockout max-fail <failure_count> on page 160
aaa authentication attempts lockout unlock-time <seconds> on page 162
aaa authentication attempts reset all [no-clear-history | no-unlock] on page 164
aaa authentication attempts reset user <username> [no-clear-history | no-unlock] on page 166
aaa authentication attempts track downcase on page 168
aaa authentication attempts track enable on page 169
clear aaa authentication attempts all on page 308
clear aaa authentication attempts user on page 310
aaa authentication login default on page 190
aaa authentication certificate crl delete filename <name_of_file> on page 170
aaa authentication certificate crl fetch url <URL> on page 171
aaa authentication certificate ocsp default url <URL> on page 173
aaa authentication certificate ocsp enable on page 175
aaa authentication certificate ocsp override-responder on page 176
aaa authentication certificate username x509-cert-san-email on page 177
aaa authentication certificate username x509-cert-san-email-username on page 178
aaa authentication certificate username x509-cert-san-upn on page 179
aaa authentication certificate username x509-cert-san-upn-username on page 180
aaa authentication certificate username x509-cert-subject on page 181
aaa authentication certificate username x509-cert-subject-cn on page 183
aaa authentication certificate validation allow-missing-basic-constraints on page 184
aaa authentication certificate web policy allowed on page 186


aaa authentication certificate web policy required on page 189
show aaa authentication certificate crl on page 1336
show aaa authentication certificate on page 1338
aaa authentication password lcd length minimum on page 192
aaa authentication password local change allow-encrypt on page 193
aaa authentication password local change require-current on page 195
aaa authentication password local character-type <characterType> minimum on page 197
aaa authentication password local history clear on page 199
aaa authentication password local history compare on page 201
aaa authentication password local length on page 203
aaa authentication password local max-char-repeats on page 205
aaa authentication password local no-userid on page 207
aaa authentication password local require-change advance-warning on page 208
aaa authentication password local require-change force on page 210
aaa authentication password local require-change max-password-days on page 212
aaa authentication password local require-change new-account on page 214

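The local password settings listed above (length, character-type minimum, max-char-repeats, no-userid, history compare) describe a policy that can be checked before a new password is set; the Accessing the CLI section notes that the admin account ships with the password admin and that a replacement must be at least 8 characters. The check below is an added example, not FireEye's implementation of these commands. The meaning given to each setting is an assumption about the appliance's behaviour (length as a minimum, character-type minimum as a per-class count, max-char-repeats as the longest run of one character, no-userid as “must not contain the username”, history compare as “must differ from the last N passwords”), and the thresholds and sample passwords are constructed.

```python
"""Local password-policy check modelled on the 'aaa authentication password
local ...' settings listed above. Added example: the rule semantics and the
thresholds are assumptions, not FireEye's implementation."""
import hashlib
from dataclasses import dataclass, field


@dataclass
class PasswordPolicy:
    # ... local length (assumed: minimum length; the guide requires 8 for admin)
    min_length: int = 8
    # ... local character-type <characterType> minimum (assumed: minimum
    # number of characters of each class)
    min_per_class: dict = field(default_factory=lambda: {
        "uppercase": 1, "lowercase": 1, "numeric": 1, "special": 1})
    # ... local max-char-repeats (assumed: longest run of one character)
    max_char_repeats: int = 2
    # ... local no-userid (assumed: password must not contain the username)
    no_userid: bool = True
    # ... local history compare (assumed: must differ from the last N passwords)
    history_compare: int = 3


CHARACTER_CLASSES = {
    "uppercase": str.isupper,
    "lowercase": str.islower,
    "numeric": str.isdigit,
    "special": lambda ch: not ch.isalnum() and not ch.isspace(),
}


def longest_run(text):
    """Length of the longest run of one repeated character."""
    best = run = 1 if text else 0
    for prev, cur in zip(text, text[1:]):
        run = run + 1 if cur == prev else 1
        best = max(best, run)
    return best


def password_digest(password):
    """History entries are kept hashed, never as plaintext."""
    return hashlib.sha256(password.encode()).hexdigest()


def check_password(username, candidate, policy=None, history=()):
    """Return the list of violated rules; an empty list means accepted.

    history: digests of previous passwords, newest first.
    """
    policy = policy or PasswordPolicy()
    problems = []
    if len(candidate) < policy.min_length:
        problems.append(f"length {len(candidate)} is below minimum {policy.min_length}")
    for cls, minimum in policy.min_per_class.items():
        count = sum(1 for ch in candidate if CHARACTER_CLASSES[cls](ch))
        if count < minimum:
            problems.append(f"needs at least {minimum} {cls} character(s), has {count}")
    if longest_run(candidate) > policy.max_char_repeats:
        problems.append(f"repeats one character more than {policy.max_char_repeats} times in a row")
    if policy.no_userid and username.lower() in candidate.lower():
        problems.append("contains the username")
    if password_digest(candidate) in history[:policy.history_compare]:
        problems.append(f"matches one of the last {policy.history_compare} passwords")
    return problems


if __name__ == "__main__":
    # Constructed inputs: the documented default, a weak replacement, a compliant one.
    for pw in ("admin", "Paaassw0rd!", "Tr0ub4dor&3xyz"):
        verdict = check_password("admin", pw) or ["accepted"]
        print(f"{pw!r}: {'; '.join(verdict)}")
```

The documented default admin/admin fails five of the rules at once, which is the practical reason the guide insists on changing it right after setup.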


AAA Authorization Command Family

The following commands are used to configure AAA authorization on a FireEye appliance:

aaa authorization certificate map-ldap enable on page 216
aaa authorization certificate map-ldap match-cert-field x509-cert-san-email on page 217
aaa authorization certificate map-ldap match-cert-field x509-cert-san-email-username on page 218
aaa authorization certificate map-ldap match-cert-field x509-cert-san-upn on page 219
aaa authorization certificate map-ldap match-cert-field x509-cert-san-upn-username on page 221
aaa authorization certificate map-ldap match-cert-field x509-cert-subject on page 222
aaa authorization certificate map-ldap match-cert-field x509-cert-subject-cn on page 224
aaa authorization certificate map-ldap match-ldap-attribute mail on page 225
aaa authorization certificate map-ldap match-ldap-attribute sAMAccountName on page 226
aaa authorization certificate map-ldap match-ldap-attribute uid on page 228
aaa authorization certificate map-ldap search-filter on page 229
aaa authorization certificate map-ldap username-override on page 231
aaa authorization map default-user on page 233
aaa authorization map order on page 235
aaa authorization roles on page 238
aaa authorization rules enable on page 240
aaa authorization rules rule append tail <rule1> [<rule2> ...] on page 242
aaa authorization rules rule insert <rule-number> <rule> on page 246
aaa authorization rules rule modify <rule-number> <rule> on page 249
aaa authorization rules rule set <rule-number> <rule> on page 253
show aaa authorization certificate on page 1345


Advanced Threat Intelligence Commands

This section describes the CLI commands used to enable or disable Advanced Threat Intelligence (ATI).

ati auto-update enable on page 1
ati enable on page 1


Alerts Command Family

The following commands are used to configure alerts on a FireEye appliance:

alerts whitelist src ip <ipAddress> on page 257


Analysis Commands

The following commands are used to configure and test the network settings used for controlled live mode and URL dynamic analysis on a FireEye appliance:

analysis live check-connection on page 259
analysis live default-gateway ip on page 260
analysis live external ip on page 261
analysis live http-proxy on page 262
analysis live nameserver ip on page 264
analysis live proxy-authentication on page 265
show analysis live config on page 1355


Appliance Boot Image Commands

image delete on page 952
image fetch on page 953
image install on page 954
image move on page 956
image options on page 957
qserver enable on page 1158
show bootvar on page 1374
show images on page 1698
show version on page 1988


Appliance Upgrade Commands

These commands are used to download new versions of the appliance boot image and install them on a boot partition. You can then reboot the system to load the new boot image (refer to reload on page 1166).

The appliance upgrade commands are:

image boot on page 1
image boot location on page 950
image delete on page 952
image fetch on page 953
image install on page 954
image move on page 956
image options on page 957
qserver enable on page 1158
show bootvar on page 1374
show images on page 1698


ARP Command Family

The following commands are used to manage Address Resolution Protocol (ARP) entries on a FireEye appliance:

arp <ipAddress> <macAddress> on page 266
clear arp-cache on page 312
show arp on page 1359
show arp static on page 1360


AV Suite Command Family

The following commands are used to configure the AV Suite feature on a FireEye appliance:

av-suite enable on page 272
show fenet security-content status on page 1581
show static-analysis config on page 1912


Backup Command Family

This section describes the CLI commands used to administer the backup function on the appliance.

backup cancel on page 274
backup delete from <location> name <backupName> on page 275
backup profile <profile> to <location> on page 276
restore profile <profile> from <location> name <file> on page 1221
show backup available on page 1364
show backup estimate profile on page 1366
show backup status on page 1369


Banner Command Family

This section describes the CLI commands used to administer the banner function on the appliance.

banner login <text> on page 280
banner login-local <text> on page 282
banner login-remote <text> on page 284
banner motd <text> on page 286
show banner on page 1370


Block by Proxy Commands

This chapter describes the application commands specific to the Block by Proxy feature.

fenotify preferences bbp enable on page 712


Bridge Command Family

This section describes the CLI commands used to administer the bridge function on the appliance.

bridge <interface> on page 307
bridge <interface> enable on page 299
bridge <interface> forward-time on page 301
bridge <interface> hello-time <time> on page 303
bridge <interface> max-age <time> on page 304
bridge <interface> priority <priority> on page 305
bridge <interface> spanning-tree enable on page 306
interface <interface> bridge-group <name> on page 1
interface <interface> bridge-group <name> path-cost <value> on page 1
interface <interface> bridge-group <name> priority <value> on page 1


Boot Manager Command Family

The following commands are used to configure the boot manager feature on a FireEye appliance:

boot bootmgr disable password on page 290
boot next fallback-reboot enable on page 291
boot system location on page 293
boot system next on page 295
image boot location on page 950
show bootvar on page 1374
show images on page 1698


CAC Commands

The following commands are used to configure the appliance to use the Common Access Card (CAC) for all user authentications.

aaa authentication certificate crl delete filename <name_of_file> on page 170
aaa authentication certificate crl fetch url <URL> on page 171
aaa authentication certificate ocsp default url <URL> on page 173
aaa authentication certificate ocsp enable on page 175
aaa authentication certificate ocsp override-responder on page 176
aaa authentication certificate username x509-cert-san-email on page 177
aaa authentication certificate username x509-cert-san-email-username on page 178
aaa authentication certificate username x509-cert-san-upn on page 179
aaa authentication certificate username x509-cert-san-upn-username on page 180
aaa authentication certificate username x509-cert-subject on page 181
aaa authentication certificate username x509-cert-subject-cn on page 183
aaa authentication certificate validation allow-missing-basic-constraints on page 184
aaa authentication certificate web policy allowed on page 186
aaa authentication certificate web policy disabled on page 188
aaa authentication certificate web policy required on page 189
aaa authorization certificate map-ldap enable on page 216
aaa authorization certificate map-ldap match-cert-field x509-cert-san-email on page 217
aaa authorization certificate map-ldap match-cert-field x509-cert-san-email-username on page 218
aaa authorization certificate map-ldap match-cert-field x509-cert-san-upn on page 219
aaa authorization certificate map-ldap match-cert-field x509-cert-san-upn-username on page 221
aaa authorization certificate map-ldap match-cert-field x509-cert-subject on page 222
aaa authorization certificate map-ldap match-cert-field x509-cert-subject-cn on page 224
aaa authorization certificate map-ldap match-ldap-attribute mail on page 225
