CLI Command Reference Guide

Modified: 2019-03-13

Copyright © 2019, Juniper Networks, Inc.


Juniper Networks, Inc., 1133 Innovation Way, Sunnyvale, California 94089, USA, 408-745-2000, www.juniper.net

Juniper Networks, the Juniper Networks logo, Juniper, and Junos are registered trademarks of Juniper Networks, Inc. in the United States and other countries. All other trademarks, service marks, registered marks, or registered service marks are the property of their respective owners.

Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

CLI Command Reference Guide. Copyright © 2019 Juniper Networks, Inc. All rights reserved.

The information in this document is current as of the date on the title page.

YEAR 2000 NOTICE

Juniper Networks hardware and software products are Year 2000 compliant. Junos OS has no known time-related limitations through the year 2038. However, the NTP application is known to have some difficulty in the year 2036.

END USER LICENSE AGREEMENT

The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with) Juniper Networks software. Use of such software is subject to the terms and conditions of the End User License Agreement (“EULA”) posted at https://support.juniper.net/support/eula/. By downloading, installing or using such software, you agree to the terms and conditions of that EULA.


Table of Contents

About the Documentation

Documentation and Release Notes

Documentation Conventions

Documentation Feedback

Requesting Technical Support

Self-Help Online Tools and Resources

Creating a Service Request with JTAC

Chapter 1 CLI Command Reference Guide

Preface

About This Guide

Organization

Typographical Conventions

Related Documentation

Introduction

Accessing the CLI

Hardware Appliance CLI Access via Keyboard and Monitor

Configuration Wizard Command Prompt Progressions

Hardware, Software and Virtual Appliance Access via SSH

CLI Help and Keyboard Shortcuts

SPECIAL CHARACTER REQUIREMENT

CLI Modes

All-in-One CLI Commands

Basic Mode Commands

CM Commands

Core Mode Commands

Server Mode Commands

Collector Mode Commands

Diagnosis Mode Commands

All-in-One CLI Commands

capture-start

cm

collector

copy

core

diagnosis

exit

gssreport

help

history

ifrestart


ping

reboot

restart

server

set honeypot (collector mode)

set traffic-monitoring (for JATP700 Appliances only) (collector mode)

set traffic-filter (collector mode)

set protocols (collector mode)

set proxy (collector mode)

set (diagnosis mode)

set appliance-type (server mode)

set ip interface (server mode)

set (server mode)

set system-alert (server mode)

setupcheck

show (collector mode)

show (collector mode)

show (core mode)

show (diagnosis mode)

shutdown

traceroute

upgrade

updateimage

wizard

Configuration Wizard for the All-in-One Server

Core/CM Server CLI Commands

Basic Mode Commands

CM Commands

Core Mode Commands

Server Mode Commands

Diagnosis Mode Commands

CoreCM CLI Commands

capture-start

cm

core

copy

diagnosis

exit

gssreport

help

history

ifrestart

ping

reboot

restart

set (core mode)

server

set system-alert (server mode)


set (server mode)

set appliance-type (server mode)

set (diagnosis mode)

setupcheck

show (core mode)

show (diagnosis mode)

show (server mode)

shutdown

traceroute

upgrade

updateimage

wizard

Configuration Wizard for the CoreCM Server

Mac OS X Engine CLI Commands

Basic Mode Commands

Core Mode Commands

Server Mode Commands

Diagnosis Mode Commands

Mac OS X Detection Engine CLI Commands

capture-start

copy

core

diagnosis

exit

gssreport

help

history

ifrestart

ping

reboot

restart

server

set (server mode)

set (diagnosis mode)

setupcheck

show (core mode)

show (diagnosis mode)

show (server mode)

shutdown

traceroute

updateimage

upgrade

wizard

Configuration Wizard Command Prompt Responses

Traffic Collector CLI Commands

Basic Mode Commands

Collector Mode Commands

Diagnosis Mode Commands

Server Mode Commands


Traffic Collector CLI Commands

capture-start

collector

copy

diagnosis

exit

gssreport

help

history

ifrestart

ping

reboot

restart

server

set proxy (collector mode)

set honeypot (collector mode)

set (diagnosis mode)

set protocols (collector mode)

set (server mode)

set appliance-type (server mode)

set traffic-filter (collector mode)

set traffic-monitoring (for JATP700 and JATP400 Appliances) (collector mode)

setupcheck

show (collector mode)

show (diagnosis mode)

show (server mode)

shutdown

traceroute

wizard

Configuration Wizard Command Prompt Progressions

Glossary of Terms


List of Tables

About the Documentation

Table 1: Notice Icons

Table 2: Text and Syntax Conventions

Chapter 1 CLI Command Reference Guide

Table 3: Table 4-1 Typographical Conventions

Table 4: Table 1-1 Keyboard Shortcuts

Table 5: capture-start

Table 6: cm

Table 7: collector

Table 8: copy

Table 9: core

Table 10: diagnosis

Table 11: exit

Table 12: gssreport

Table 13: help

Table 14: history

Table 15: ifrestart

Table 16: ping

Table 17: reboot

Table 18: restart

Table 19: server

Table 20: set honeypot

Table 21: set traffic-monitoring

Table 22: set traffic-filter

Table 23: set protocols

Table 24: set proxy

Table 25: set

Table 26: set appliance-type

Table 27: set ip interface

Table 28: set

Table 29: set system-alert

Table 30: setupcheck

Table 31: show (collector mode)

Table 32: show (collector mode)

Table 33: show (diagnosis mode)

Table 34: shutdown

Table 35: traceroute

Table 36: upgrade

Table 37: updateimage

Table 38: wizard


Table 39: Configuration Wizard for All-in-One Server

Table 40: capture-start

Table 41: cm

Table 42: core

Table 43: copy

Table 44: diagnosis

Table 45: exit

Table 46: gssreport

Table 47: help

Table 48: history

Table 49: ifrestart

Table 50: ping

Table 51: reboot

Table 52: restart

Table 53: set

Table 54: server

Table 55: set system-alert

Table 56: set

Table 57: set appliance-type

Table 58: set

Table 59: setupcheck

Table 60: show

Table 61: show

Table 62: shutdown

Table 63: traceroute

Table 64: upgrade

Table 65: updateimage

Table 66: wizard

Table 67: capture-start

Table 68: copy

Table 69: core

Table 70: diagnosis

Table 71: exit

Table 72: gssreport

Table 73: help

Table 74: history

Table 75: ifrestart

Table 76: ping

Table 77: reboot

Table 78: restart

Table 79: server

Table 80: set

Table 81: set

Table 82: setupcheck

Table 83: show

Table 84: show

Table 85: shutdown

Table 86: traceroute

Table 87: updateimage


Table 88: upgrade
Table 89: wizard
Table 90: capture-start
Table 91: collector
Table 92: copy
Table 93: diagnosis
Table 94: exit
Table 95: gssreport
Table 96: help
Table 97: history
Table 98: ifrestart
Table 99: ping
Table 100: reboot
Table 101: restart
Table 102: server
Table 103: set proxy
Table 104: set honeypot
Table 105: set
Table 106: set protocols
Table 107: set
Table 108: set appliance-type
Table 109: set traffic-filter
Table 110: set traffic-monitoring
Table 111: setupcheck
Table 112: show
Table 113: show
Table 114: show
Table 115: shutdown
Table 116: traceroute
Table 117: wizard
Table 118: Configuration Wizard


About the Documentation

• Documentation and Release Notes

• Documentation Conventions

• Documentation Feedback

• Requesting Technical Support

Documentation and Release Notes

To obtain the most current version of all Juniper Networks® technical documentation, see the product documentation page on the Juniper Networks website at https://www.juniper.net/documentation/.

If the information in the latest release notes differs from the information in the documentation, follow the product Release Notes.

Juniper Networks Books publishes books by Juniper Networks engineers and subject matter experts. These books go beyond the technical documentation to explore the nuances of network architecture, deployment, and administration. The current list can be viewed at https://www.juniper.net/books.

Documentation Conventions

Table 1 defines notice icons used in this guide.

Table 1: Notice Icons

• Informational note: Indicates important features or instructions.

• Caution: Indicates a situation that might result in loss of data or hardware damage.

• Warning: Alerts you to the risk of personal injury or death.

• Laser warning: Alerts you to the risk of personal injury from a laser.

• Tip: Indicates helpful information.

• Best practice: Alerts you to a recommended use or implementation.

Table 2 defines the text and syntax conventions used in this guide.

Table 2: Text and Syntax Conventions

Convention: Bold text like this
Description: Represents text that you type.
Example: To enter configuration mode, type the configure command:
user@host> configure

Convention: Fixed-width text like this
Description: Represents output that appears on the terminal screen.
Example:
user@host> show chassis alarms
No alarms currently active

Convention: Italic text like this
Description:
• Introduces or emphasizes important new terms.
• Identifies guide names.
• Identifies RFC and Internet draft titles.
Examples:
• A policy term is a named structure that defines match conditions and actions.
• Junos OS CLI User Guide
• RFC 1997, BGP Communities Attribute

Convention: Italic text like this
Description: Represents variables (options for which you substitute a value) in commands or configuration statements.
Example: Configure the machine’s domain name:
[edit]
root@# set system domain-name domain-name

Convention: Text like this
Description: Represents names of configuration statements, commands, files, and directories; configuration hierarchy levels; or labels on routing platform components.
Examples:
• To configure a stub area, include the stub statement at the [edit protocols ospf area area-id] hierarchy level.
• The console port is labeled CONSOLE.

Convention: < > (angle brackets)
Description: Encloses optional keywords or variables.
Example: stub <default-metric metric>;

Convention: | (pipe symbol)
Description: Indicates a choice between the mutually exclusive keywords or variables on either side of the symbol. The set of choices is often enclosed in parentheses for clarity.
Examples:
broadcast | multicast
(string1 | string2 | string3)

Convention: # (pound sign)
Description: Indicates a comment specified on the same line as the configuration statement to which it applies.
Example: rsvp { # Required for dynamic MPLS only

Convention: [ ] (square brackets)
Description: Encloses a variable for which you can substitute one or more values.
Example: community name members [ community-ids ]

Convention: Indention and braces ( { } )
Description: Identifies a level in the configuration hierarchy.

Convention: ; (semicolon)
Description: Identifies a leaf statement at a configuration hierarchy level.

Example for the two conventions above:
[edit]
routing-options {
    static {
        route default {
            nexthop address;
            retain;
        }
    }
}

GUI Conventions

Convention: Bold text like this
Description: Represents graphical user interface (GUI) items you click or select.
Examples:
• In the Logical Interfaces box, select All Interfaces.
• To cancel the configuration, click Cancel.

Convention: > (bold right angle bracket)
Description: Separates levels in a hierarchy of menu selections.
Example: In the configuration editor hierarchy, select Protocols>Ospf.

Documentation Feedback

We encourage you to provide feedback so that we can improve our documentation. You can use either of the following methods:

• Online feedback system—Click TechLibrary Feedback, on the lower right of any page on the Juniper Networks TechLibrary site, and do one of the following:

  • Click the thumbs-up icon if the information on the page was helpful to you.

  • Click the thumbs-down icon if the information on the page was not helpful to you or if you have suggestions for improvement, and use the pop-up form to provide feedback.

• E-mail—Send your comments to [email protected]. Include the document or topic name, URL or page number, and software version (if applicable).

Requesting Technical Support

Technical product support is available through the Juniper Networks Technical Assistance

Center (JTAC). If you are a customer with an active J-Care or Partner Support Service

support contract, or are covered under warranty, and need post-sales technical support,

you can access our tools and resources online or open a case with JTAC.

• JTAC policies—For a complete understanding of our JTAC procedures and policies,

review the JTAC User Guide located at

https://www.juniper.net/us/en/local/pdf/resource-guides/7100059-en.pdf.

• Product warranties—For product warranty information, visit

https://www.juniper.net/support/warranty/.

• JTAC hours of operation—The JTAC centers have resources available 24 hours a day,

7 days a week, 365 days a year.

Self-Help Online Tools and Resources

For quick and easy problem resolution, Juniper Networks has designed an online

self-service portal called the Customer Support Center (CSC) that provides you with the

following features:

• Find CSC offerings: https://www.juniper.net/customers/support/

• Search for known bugs: https://prsearch.juniper.net/

• Find product documentation: https://www.juniper.net/documentation/

• Find solutions and answer questions using our Knowledge Base: https://kb.juniper.net/

• Download the latest versions of software and review release notes:

https://www.juniper.net/customers/csc/software/

• Search technical bulletins for relevant hardware and software notifications:

https://kb.juniper.net/InfoCenter/


• Join and participate in the Juniper Networks Community Forum:

https://www.juniper.net/company/communities/

• Create a service request online: https://myjuniper.juniper.net

To verify service entitlement by product serial number, use our Serial Number Entitlement

(SNE) Tool: https://entitlementsearch.juniper.net/entitlementsearch/

Creating a Service Request with JTAC

You can create a service request with JTAC on the Web or by telephone.

• Visit https://myjuniper.juniper.net.

• Call 1-888-314-JTAC (1-888-314-5822 toll-free in the USA, Canada, and Mexico).

For international or direct-dial options in countries without toll-free numbers, see

https://support.juniper.net/support/requesting-support/.


CHAPTER 1

CLI Command Reference Guide

• Preface

• Introduction

• All-in-One CLI Commands

• Core/CM Server CLI Commands

• Mac OS X Engine CLI Commands

• Traffic Collector CLI Commands

• Glossary of Terms

Preface

This preface contains the following sections:

• About This Guide

• Organization

• Typographical Conventions

• Related Documentation

About This Guide

This guide describes the commands that make up the command-line interface (CLI) of

the Juniper ATP Appliance.

This guide is intended for system administrators responsible for deploying, operating,

and maintaining the Juniper ATP Appliance.

Organization

This guide is organized as follows:

• “Introduction”—Includes an overview of CLI usage, CLI Modes and information about how to access the Juniper ATP Appliance Command Line Interface.

• “All-in-One CLI Commands”—Provides information about system commands for updating the product boot images, setting configurations, and defining system-level settings for Collector and Detection Engine interfaces and network deployment services.

• “Core/CM Server CLI Commands”—Provides information about commands available to the Core and Central Manager for all hardware appliance, software appliance, and virtual appliance models, including the commands used to manage Detection Engines and Juniper ATP Appliance system configuration.

• “Mac OS X Engine CLI Commands”—Provides information about Mac Mini Mac OS X Detection Engine-specific commands for configuration and status monitoring.

• “Traffic Collector CLI Commands”—Provides information about the Juniper ATP Appliance Traffic Collector commands available for identifying, monitoring, and configuring distributed Collector hardware, software and virtual appliances.

• “Glossary of Terms”—Provides a set of Juniper ATP Appliance-specific as well as cybersecurity industry terms and definitions.

Typographical Conventions

This guide uses the following typographical conventions for special terms and instructions.

Table 3: Table 4-1 Typographical Conventions

Convention: courier font
Meaning: Coding examples and text to be entered at the command prompt
Example: Enter the following command:
server set dns

Convention: Click
Meaning: A left-mouse button click.
Example: Click Download IVP to perform endpoint infection verification.

Convention: Double-click
Meaning: A double-click of the left mouse button.
Example: Double-click the report name to open in the integrated SIEM application.

Convention: Right-click
Meaning: A right mouse button click.
Example: Right-click on the icon to view its properties.

Convention: < | > (text in angle brackets; items separated by the pipe symbols)
Meaning: Option for selection of required parameter and/or value.
Example: interfaces set stp <on | off >

Convention: [ ] (text in square brackets) or [ | ] (text in square brackets, items separated by pipe symbols)
Meaning: Optional parameters and values, with selection options separated by the pipe symbol.
Example: show device alarm [cpu_util | paging]

Related Documentation

The following is a list of additional Juniper ATP Appliance documentation:

• Juniper ATP Appliance Release Notes—Describes the latest release of the Juniper ATP Appliance software.

• Juniper ATP Appliance Quick Start Guides—Quick Starts describe how to install and initially configure a Juniper ATP Appliance; refer to the Quick Start for your device or model.

• Juniper ATP Appliance Operator’s Guide—The Operator’s Guide describes usage of all aspects of the Juniper ATP Appliance All-in-One or distributed defense system.

• Juniper ATP Appliance CEF/SYSLOG Support for SIEM—This guide provides information about Juniper ATP Appliance CEF and Syslog Logging for SIEM.

• Juniper ATP Appliance Safety and Regulatory Guide—Contains conformance and safety information for Juniper ATP Appliances.

• Juniper ATP Appliance HTTP API Reference Guide—Provides Juniper ATP Appliance HTTP API functions and information about usage.

Introduction

This chapter explains how to use the Juniper ATP Appliance command line interface

(CLI) to configure and administer a Juniper ATP Appliance.

This chapter contains the following sections:

• Accessing the CLI

• Configuration Wizard Command Prompt Progressions

• CLI Help and Keyboard Shortcuts

• CLI Modes

Accessing the CLI

Hardware Appliance CLI Access via Keyboard and Monitor

1. Connect the end of the keyboard cable to any of the USB ports on the back panel of the appliance.

2. Connect the end of the video monitor cable to the VGA port on the back panel of the appliance.

3. At the CLI prompt, enter your username and password. By default, the admin user name is admin and the password is 1JATP234.

Be sure to change the default password for the admin account after initial setup; the password must be at least 8 characters in length.

4. To launch the configuration wizard, enter the command wizard.


Configuration Wizard Command Prompt Progressions

NOTE: Enter CTRL-C to exit the Configuration Wizard at any time. If you exit without completing the configuration, you will be prompted again whether to run the Configuration Wizard.

You may also rerun the Configuration Wizard at any time with the CLI command wizard.

Each entry below gives the Configuration Wizard prompt, followed by the customer response from the All-in-One, the Core or Mac Mini, and the Collector.

Configuration Wizard prompt:

Use DHCP to obtain the IP address and DNS server address for the administrative interface (Yes/No)?

NOTE: Only if your DHCP response is no, enter the following information when prompted:

a. IP address

b. Netmask

c. Enter a gateway IP address for this management (administrative) interface:

d. Enter primary DNS server IP address.

e. Do you have a secondary DNS Server (Yes/No).

f. Do you want to enter the search domains?

g. Enter the search domain (separate multiple search domains by space):

Restart the administrative interface (Yes/No)?

Customer response from All-in-One, from Core or Mac Mini, and from Collector:

We strongly discourage the use of DHCP addressing because it changes dynamically. A static IP address is preferred.

Recommended: Respond with no:

a. Enter an IP address

b. Enter a netmask using the form 255.255.255.0.

c. Enter a gateway IP address.

d. Enter the DNS server IP address

e. If yes, enter the IP address of the secondary DNS server.

f. Enter yes if you want DNS lookups to use a specific domain.

g. Enter search domain(s) separated by spaces; for example: example.com lan.com dom2.com

Enter yes to restart with the new configuration settings applied.

Configuration Wizard prompt:

Enter a valid hostname (enter a unique name)

NOTE: Only alpha-numeric characters and hyphens (in the middle of the hostname) are allowed.

Customer response from All-in-One, from Core or Mac Mini, and from Collector:

Type a hostname when prompted; do not include the domain; for example:

juniperatp1

Configuration Wizard prompt:

[OPTIONAL] If the system detects a Secondary Core with an eth3 port, then the alternate CnC exhaust option is displayed:

Use alternate-exhaust for the analysis engine exhaust traffic (Yes/No)?

Enter IP address for the alternate-exhaust (eth2) interface:

Enter netmask for the alternate-exhaust (eth2) interface: (example: 255.255.0.0)

Enter gateway IP Address for the alternate-exhaust (eth2) interface: (example: 10.6.0.1)

Enter primary DNS server IP Address for the alternate-exhaust (eth2) interface: (example: 8.8.8.8)

Do you have a secondary DNS server for the alternate-exhaust (eth2) interface?

Do you want to enter the search domains for the alternate-exhaust (eth2) interface?

NOTE: A complete network interface restart can take more than 60 seconds

Customer response from All-in-One and from Core or Mac Mini:

Refer to “Configuring an Alternate Analysis Engine Interface” in the Juniper ATP Appliance Operator’s Guide for more information.

Enter yes to configure an alternate eth2 interface.

Enter the IP address for the eth2 interface.

Enter the eth2 netmask.

Enter the gateway IP address.

Enter the primary DNS server IP Address for the alternate-exhaust (eth2) interface.

Enter yes or no to confirm or deny an eth2 secondary DNS server.

Enter yes or no to indicate whether you want to enter search domain.

Customer response from Collector:

[Traffic Collectors do not send or receive Core analysis engine CnC network traffic, so no eth2 interface is needed.]

Configuration Wizard prompt:

Regenerate the SSL self-signed certificate (Yes/No)?

Customer response from All-in-One and from Core or Mac Mini:

Enter yes to create a new SSL certificate for the Juniper ATP Appliance Server Web UI.

If you decline the self-signed certificate by entering no, be prepared to install a certificate authority (CA) certificate.

Customer response from Collector:

Not applicable to Collector.

Configuration Wizard prompt:

Enter the following server attributes:

Is this a Central Manager device:

Device Name: (must be unique)

Device Description

Device Key PassPhrase

NOTE: Remember this passphrase and use it for all distributed devices!

Customer response from All-in-One, from Core or Mac Mini, and from Collector:

Enter Yes; the system will auto-set IP 127.0.0.1 as the All-in-One IP address.

Enter the Juniper ATP Appliance Collector Host Name; this identifies the Collector in the Web UI.

Enter a device Description

Enter a user-defined PassPhrase to be used to authenticate the Core to the Central Manager.
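A pre-flight check for a planned set of wizard answers, as an added example that is not part of the Juniper guide: it applies the hostname rule, the 255.255.255.0 netmask form and the static-addressing preference from the wizard prompts above, plus the 8-character password rule from "Accessing the CLI". The `WizardAnswers` field names, the IPv4-only handling, the search-domain label rule and the on-link gateway check are assumptions, and the sample values are constructed.

```python
import ipaddress
import re
from dataclasses import dataclass

DEFAULT_ADMIN_PASSWORD = "1JATP234"  # default credential stated in the guide
# Wizard NOTE: alphanumerics and hyphens only, hyphens only in the middle.
LABEL_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?")


@dataclass
class WizardAnswers:
    """Planned answers. Field names are hypothetical, not appliance syntax."""
    use_dhcp: bool
    hostname: str
    ip: str = ""
    netmask: str = ""
    gateway: str = ""
    primary_dns: str = ""
    search_domains: str = ""       # typed at prompt g, separated by spaces
    new_admin_password: str = ""   # replacement for the default password


def prefix_from_netmask(mask: str) -> int:
    """Return the prefix length of a dotted mask such as 255.255.255.0.

    Raises ValueError for non-contiguous masks and for host masks such as
    0.0.0.255, which the ipaddress module would silently read as a /24.
    """
    value = int(ipaddress.IPv4Address(mask))
    inverted = value ^ 0xFFFFFFFF
    if value == 0 or inverted & (inverted + 1):
        raise ValueError(f"not a contiguous netmask: {mask}")
    return bin(value).count("1")


def validate(a: WizardAnswers) -> list:
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    if not LABEL_RE.fullmatch(a.hostname):
        why = ("includes a domain" if "." in a.hostname
               else "bad characters or edge hyphen")
        findings.append(f"hostname: {why}")
    if a.new_admin_password == DEFAULT_ADMIN_PASSWORD:
        findings.append("password: still the documented default")
    elif len(a.new_admin_password) < 8:
        findings.append("password: shorter than 8 characters")
    if a.use_dhcp:
        findings.append("addressing: DHCP chosen; the guide prefers a static IP")
        return findings

    iface = None
    try:
        prefix = prefix_from_netmask(a.netmask)
        iface = ipaddress.IPv4Interface(f"{a.ip}/{prefix}")
    except ValueError as exc:
        findings.append(f"ip/netmask: {exc}")
    if iface is not None:
        net = iface.network
        edges = (net.network_address, net.broadcast_address)
        if net.prefixlen <= 30 and iface.ip in edges:
            findings.append("ip: is the network or broadcast address")
        try:
            gw = ipaddress.IPv4Address(a.gateway)
            # Assumption (not from the guide): the gateway must be on-link.
            if gw not in net or gw == iface.ip:
                findings.append("gateway: not a distinct host in the subnet")
        except ValueError:
            findings.append("gateway: not an IPv4 address")
    try:
        ipaddress.IPv4Address(a.primary_dns)
    except ValueError:
        findings.append("dns: primary DNS server is not an IPv4 address")
    # Prompt g expects spaces between domains; commas end up inside a label.
    for dom in a.search_domains.split():
        if not all(LABEL_RE.fullmatch(label) for label in dom.split(".")):
            findings.append(f"search domain: invalid entry {dom!r}")
    return findings


# Constructed sample answers (not taken from a real deployment).
GOOD = WizardAnswers(False, "juniperatp1", "10.1.1.2", "255.255.255.0",
                     "10.1.1.1", "10.1.1.53",
                     "example.com lan.com dom2.com", "N0t-the-default!")
BAD = WizardAnswers(False, "juniperatp1.example.com", "10.1.1.2", "0.0.0.255",
                    "10.6.0.1", "8.8.8.8", "example.com,lan.com", "1JATP234")

if __name__ == "__main__":
    for name, answers in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, validate(answers) or "ok")
```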

Hardware, Software and Virtual Appliance Access via SSH

To access the Juniper ATP Appliance CLI over the management network:

1. Start a terminal window session and use the ssh command to access the appliance. For example, if the IP address of the appliance is 10.1.1.2, enter the following command:

ssh [email protected]

2. When prompted, enter your password. By default, the admin user name is admin and the password is 1JATP234.

3. To launch the configuration wizard, enter the command wizard.

# wizard

See “Configuration Wizard Command Prompt Progressions” for steps.

CLI Help and Keyboard Shortcuts

To display Juniper ATP Appliance CLI help, type the command help to display CLI keys

and auto-completion usage.

For context-sensitive help, alternatively, enter a “?” to display either a list of possible

command completions with summaries, or the full syntax of the current command. A

subsequent repeat of this key, when a command has been resolved, will display a detailed

reference, as described below.

• Enter “?” at the prompt to display a list of the available commands in the current mode.

• Enter “?” after you type a command to display its available options and parameters.

• Enter “?” after a partially typed keyword to display command matches for auto-completions.


You can enter commands in abbreviated form if you enter enough characters to uniquely

identify each keyword. For example, the show interface command can be abbreviated

as:

sh in

To identify a command’s minimum abbreviation, type a few characters then press Tab.

When you have entered enough characters, the keyword is completed.

The following table outlines the available CLI shortcuts.

Table 4: Table 1-1 Keyboard Shortcuts

Action: Auto-Completion

• Enter, Tab or Space Key: Completes a partial command during typing if enough characters are typed to uniquely identify it.

Action: Recall

• Ctrl+P or ↑: Retrieve previous command from CLI history.

• Ctrl+N or ↓: Retrieve next command from CLI history.

• Ctrl+L or Ctrl+R: Clear the screen or Redisplay the current command line.

Action: Delete

• Ctrl+D: Delete character.

• Ctrl+H: Delete character before cursor (Backspace).

• Ctrl+K: Delete all characters from cursor to end of line.

• Ctrl+U or Ctrl+W: Delete all characters or words on line.

Action: Cursor move

• Ctrl+A: Move cursor to start of line.

• Ctrl+B: Move cursor back a single character.

• Ctrl+E: Move cursor to end of line.

• Ctrl+F: Move cursor forward a single character.

Action: Character Transpose

• Ctrl+T: Transpose character at the cursor with preceding character.

Action: Interrupt output

• Ctrl+C: Interrupt presentation of the CLI output.

Action: Replace

• !!: Substitute the last command line

• !N: Substitute the Nth command line (absolute as per 'history' command)

• !-N: Substitute the command line entered N lines before (relative)

Action: Exit mode or logout

• exit: Exit current mode or exit the CLI session.

SPECIAL CHARACTER REQUIREMENT

You must enclose non-alphabet characters in double quotes in CLI commands; for

example:

Juniper ATP Appliance(server)# set passphrase "kfe$nd#$^S"

CLI Modes

The CLI commands that you can enter depend on your user privileges and the CLI

command mode. User roles are “admin” and “debugging.” The following table describes

the CLI command mode.

Note that the prompt in each mode includes the host name of the Juniper ATP Appliance.

Mode: Basic Mode
Description: Monitor system operation and issue basic system commands. This is the default login mode. The following prompt is displayed:
JATP#
How to Exit: Enter exit to log out of the CLI.

Mode: CM Mode
Description: Monitor system history and upgrades from the Core or vCore in cm (Central Manager) mode.
JATP_Hostname# cm
JATP_Hostname (cm)# ?
How to Exit: Enter exit to leave cm mode.

Mode: Core Configuration Mode
Description: To access Core configuration mode in the Core/CM, All-in-One, and Mac Mini, enter “core” in Basic mode. The prompt changes to indicate the mode in parentheses:
JATP_Hostname# core
JATP_Hostname (core)# ?
How to Exit: Enter exit to leave server mode.

Mode: Collector Configuration Mode
Description: Configure the Juniper ATP Appliance Collector (includes all commands). To access Collector configuration mode, enter “collector” in Basic mode. The prompt changes to indicate the mode in parentheses:
JATP_Hostname# collector
JATP_Hostname (collector)# ?
How to Exit: Enter exit to leave server mode.

Mode: Diagnosis Packet Capture, Monitoring, GSS Reporting and Configuration Mode
Description: Check Initial Setup, Diagnose, Monitor, Set GSS, and Configure the Juniper ATP Appliance (includes all commands). To access Diagnosis mode, enter “diagnosis” in Basic mode. The prompt changes to indicate the mode in parentheses:
JATP_Hostname# diagnosis
JATP_Hostname (diagnosis)# ?
How to Exit: Enter exit to leave diagnosis mode.

Mode: Server Configuration Mode
Description: Set up and monitor the system (includes all Basic commands plus server-specific commands). To access Server configuration mode, enter “server” in Basic mode. The prompt changes to indicate the mode in parentheses:
JATP-Hostname# server
JATP-Hostname (server)# ?
How to Exit: Enter exit to leave server mode.

Mode: Wizard Configuration Mode
Description: Configure the system during installation and setup the management network and connected Juniper ATP Appliance components. To access wizard configuration mode, enter “wizard” in Basic mode. The prompt changes to indicate the mode in parentheses:
JATP-Hostname# wizard
JATP-Hostname (wizard)# ?
How to Exit: Enter exit to leave wizard mode.

See Also All-in-One CLI Commands on page 25•

All-in-One CLI Commands

This chapter describes the administration commands for a Juniper ATP Appliance All-in-One server appliance, software appliance or virtual appliance.

These commands are used to configure the Juniper ATP Appliance All-in-One appliance, manage configurations, and set system-level settings for interfaces, network services, and SIEM integration.

NOTE: You must enclose non-alphabet characters in double quotes in CLI commands.

• Basic Mode Commands
• CM Commands
• Core Mode Commands
• Server Mode Commands
• Collector Mode Commands
• Diagnosis Mode Commands
• All-in-One CLI Commands
• Configuration Wizard for the All-in-One Server

Basic Mode Commands

Use general system commands to configure the appliance, view appliance history, enter other CLI modes, obtain help with CLI syntax, and to exit the CLI session.

The general commands are:

• cm
• core
• collector
• diagnosis
• exit
• help
• history
• server
• wizard

Refer to the sections in this guide to review CM Mode, Collector Mode, Core Mode, Diagnosis Mode, Server Mode and Wizard mode commands per device: All-in-One, Core/CM, Traffic Collector and Mac OS X Detection Engine on a Mac Mini.

CM Commands

• exit
• help
• history
• upgrade

Core Mode Commands

• exit
• help
• history
• show (core mode)
• updateimage

Server Mode Commands

• exit
• help
• history
• ifrestart
• ping
• reboot
• restart
• [Unresolved xref]
• set appliance-type (server mode)
• set system-alert (server mode)
• set (server mode)
• shutdown
• traceroute

Collector Mode Commands

• exit
• help
• history
• set honeypot (collector mode)
• set traffic-monitoring (for JATP700 Appliances only) (collector mode)
• set traffic-filter (collector mode)
• set protocols (collector mode)
• set proxy (collector mode)
• show (collector mode)

Diagnosis Mode Commands

• capture-start
• copy
• exit
• gssreport
• help
• history
• set (diagnosis mode)
• setupcheck
• show (diagnosis mode)

All-in-One CLI Commands

• capture-start
• cm
• collector
• copy
• core
• diagnosis
• exit
• gssreport
• help
• history
• ifrestart
• ping
• reboot
• restart
• server
• set honeypot (collector mode)
• set traffic-monitoring (for JATP700 Appliances only) (collector mode)
• set traffic-filter (collector mode)
• set protocols (collector mode)
• set proxy (collector mode)
• set (diagnosis mode)
• set appliance-type (server mode)
• set ip interface (server mode)
• set (server mode)
• set system-alert (server mode)
• setupcheck
• show (collector mode)
• show (core mode)
• show (diagnosis mode)
• shutdown
• traceroute
• upgrade
• updateimage
• wizard

capture-start

Table 5: capture-start

Description: Starts packet capture as a means for diagnosing and debugging network traffic and obtaining stats.

See Also: “diagnosis” [mode]; “collector” [mode]; “copy”

Product(s) CLI: All-in-One | Collector

Mode(s): Diagnosis

Syntax: capture-start

Parameters: <interface_name> <IP address>

Sub-Commands: None

Example: The following example starts a packet capture process on interface eth1 for a Traffic Collector with IP address 8.8.8.8:

hostname # diagnosis
hostname (diagnosis)# capture-start eth1 8.8.8.8

NOTE: Address 8.8.8.8 need not be a Juniper ATP Appliance. It is just a host that the capture filters on.

cm

Table 6: cm

Description: Enters cm (Central Manager) mode.

See Also: basic [mode]

Product(s) CLI: All-in-One | Core

Mode(s): Basic

Syntax: cm

Parameters: None

Sub-Commands: exit | help | history | upgrade

Example: The following command example enters cm configuration mode:

hostname # cm
hostname (cm)#

collector

Table 7: collector

Description: Enters the Collector configuration mode.

See Also: “server” [mode]

Product(s) CLI: All-in-One | Collector

Mode(s): Basic

Syntax: collector

Parameters: None

Sub-Commands: “exit”; “help”; “history”; “set (server mode)”; “show (collector mode)”

Example: The following example enters collector configuration mode:

hostname # collector
hostname (collector)# ?

copy

Table 8: copy

Description: Uses Secure Copy (SCP) to copy and transfer packet capture or traceback (crash) data to a remote location, providing the same authentication and level of security as an SSH transfer.

The copy traceback command, upon Customer Support's request, copies the traceback files out of the box to a remote location.

See Also: “diagnosis” [mode]; “capture-start”

Product(s) CLI: All-in-One | Collector | Core-CM | Mac OSX Engine

Mode(s): Diagnosis

Syntax: copy capture <scp source_file_name username@destination_host:destination_folder> | traceback {<tab> | ALL} <string URI as user@hostname:path>

Parameters:

copy capture <scp remote filename_location>
copy traceback <ALL | filename>
copy traceback <tab> [tab displays all available crash filenames]

Sub-Commands: None

Example: The following example copies the file "Eth1.txt" from the local host to a remote host:

hostname (diagnosis)# copy capture Eth1.txt [email protected]:/some/remote/directory

core

Table 9: core

Description: Enters core mode.

See Also: basic [mode]

Product(s) CLI: All-in-One | Collector | Core | Mac OS X Detection Engine

Mode(s): Basic

Syntax: core

Parameters: None

Sub-Commands: exit, help, history, show, updateimage

Example: The following command example enters core configuration mode:

hostname # core
hostname (core)#

diagnosis

Table 10: diagnosis

Description: Enters the Diagnosis configuration and status check mode.

See Also: collector [mode], server [mode]

Product(s) CLI: All-in-One | Collector | Mac OS X Detection Engine

Mode(s): Basic

Syntax: diagnosis

Parameters: None

Sub-Commands: “capture-start”; “copy”; “exit”; “gssreport”; “help”; “history”; “set (server mode)”; “setupcheck”; “show (diagnosis mode)”; “shutdown”

Example: The following example enters diagnosis configuration and status check mode:

hostname # diagnosis
hostname (diagnosis)# ?

exit

Table 11: exit

Description: Ends the CLI session.

Product(s) CLI: All-in-One | Collector | Core CM | Mac Mini OS X Detection Engine

Mode(s): Basic | Core | Collector | Diagnosis | Server

Syntax: exit

Parameters: None

Example: The following example ends a command mode or CLI session.

JATP# (diagnosis) exit
JATP#
JATP (core) exit
JATP# exit

gssreport

Table 12: gssreport

Description: Use the gssreport command to submit reports to Juniper Global Security Services (GSS), and to display the status of the current GSS report.

See Also: “gssreport”; “diagnosis” [mode]

Product(s) CLI: All-in-One | Collector | Mac OS X Detection Engine

Mode(s): diagnosis

Syntax: gssreport status | submit

Parameters:

status - displays the status of the current GSS report.
submit - submits a report to Juniper ATP Appliance GSS.

Sub-Commands: None

Example: The following examples display the status of a GSS report submission:

hostname # diagnosis
hostname (diagnosis)# gssreport submit
Successfully started GSS report

hostname (diagnosis)# gssreport status
GSS is currently enabled
Last 5-minute GSS report at 2015-07-28 10:34:24.414322: successfully submitted
Last hourly GSS report at 2015-07-28 10:34:24.468259: successfully submitted
Last daily GSS report at 2015-07-28 10:34:28.225512: successfully submitted

help

Table 13: help

Description: Displays information about the CLI help system.

Product(s) CLI: All-in-One | Collector | Core CM | Mac Mini OS X Detection Engine

Mode(s): Basic | Core | Collector | Diagnosis | Server

Syntax: help

Parameters: None

Example: The following example shows some of the output of the help command.

CONTEXT SENSITIVE HELP
[?] - Display context sensitive help. This is either a list of possible command completions with summaries, or the full syntax of the current command. A subsequent repeat of this key, when a command has been resolved, will display a detailed reference.

AUTO-COMPLETION
The following keys both perform auto-completion for the current command line. If the command prefix is not unique then the bell will ring and a subsequent repeat of the key will display possible completions.

[enter] - Auto-completes, syntax-checks then executes a command. If there is a syntax error then offending part of the command line will be highlighted and explained.

[tab] - Auto-completes
[space] - Auto-completes, or if the command is already resolved inserts a space.

If “<cr>” is shown, that means that what you have entered so far is a complete command, and you may press Enter (carriage return) to execute it.

Use ? to learn command parameters and option:
JATP (server)# show f?
firewall Show the firewall configuration settings
interface
JATP (server)# show firewall?
all Show the current iptables settings
whitelist Show the iptables whitelist settings
show firewall whitelist?
<cr>
show firewall whitelist

history

Table 14: history

Description: Displays the current CLI session command line history.

Product(s) CLI: All-in-One | Collector | Core CM | Mac Mini OS X Detection Engine

Mode(s): Basic | Core | Collector | Diagnosis | Server

Syntax: history

Parameters: None

Example: The following example returns command line history for the current CLI session.

JATP# (core) history

ifrestart

Table 15: ifrestart

Description: Restarts the interface driver and services using the interface.

Product(s) CLI: All-in-One | Core CM | Mac Mini OS X Detection Engine

Mode(s): Server

Syntax: ifrestart eth0 | eth1

Parameters:

eth0 - Restarts the management network administrative interface.
eth1 - Restarts the monitoring network interface.

Example: The following example restarts the eth0 interface for the management network.

<FireEye_name># ifrestart eth0

ping

Table 16: ping

Description: Sends ICMP (Internet Control Message Protocol) echo request packets to a specified hostname or IP address to verify that the destination is reachable over the network.

Product(s) CLI: All-in-One | Collector | Core CM | Mac Mini OS X Detection Engine

Mode(s): Server

Syntax: ping [-c count] [-h hops] [string]

Parameters:

-c count - Number of echo requests to send. By default, pings are sent continuously until you press Ctrl+C.
-h hops - Number of next hops between pings (default is 1).
string - IP address, hostname or interface name used to ping device address

Example: The following example sends three echo requests to the device with the IP Address 10.10.10.1

<FireEye_name># ping -c 3 10.10.10.1

PING 10.10.10.1 (10.10.10.1) 56(84) bytes of data.
64 bytes from 10.10.10.1: icmp_req=1 ttl=64 time=0.314ms
64 bytes from 10.10.10.1: icmp_req=2 ttl=64 time=0.277ms
64 bytes from v: icmp_req=3 ttl=64 time=0.274m

--- 10.10.10.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 1999ms
rtt min/avg/max/mdev = 0.274/0.288/0.314/0.022ms

reboot

Table 17: reboot

Description: Reboots the Juniper ATP Appliance.

Product(s) CLI: All-in-One | Collector | Core CM | Mac Mini OS X Detection Engine

Mode(s): Server

Syntax: reboot

Parameters: None

Example: The following example reboots the system.

hostname# reboot

restart

Table 18: restart

Description: Restarts Juniper ATP Appliance services.

Product(s) CLI: All-in-One | Collector | Core CM | Mac Mini OS X Detection Engine

Mode(s): Server

Syntax: restart [all | behaviorengine | cm | collector | core | correlationengine | database | ntpserver | sshserver | staticengine | webserver]

Parameters:

all - Restarts all Juniper ATP Appliance services.
behaviorengine - Restarts the Behavioral Analysis Engine.
cm - Restarts the Central Manager Web UI service.
collector - Restarts the Collector service.
core - Restarts the Core Detection Engine.
correlationengine - Restarts the Correlation Engine.
database - Restarts the Database.
ntpserver - Restarts the NTP server.
sshserver - Restarts the SSH server.
staticengine - Restarts the Static Analysis Engine.
webserver - Restarts the web server.

Example: The following example restarts the Central Manager service.

JATP# restart cm

server

Table 19: server

Description: Enters the server configuration mode.

See Also: “collector”

Product(s) CLI: All-in-One | Collector | Core/CM | Mac Mini Mac OS X

Mode(s): Basic

Syntax: server

Sub-Commands: “exit”; “help”; “history”; “ifrestart”; “ping”; “reboot”; [Unresolved xref]; “set (server mode)”; “upgrade”

Whitelist rules rely on normal service shutdown to be backed up. Powering off a VM directly will lose the whitelist state as rules cannot be saved in that case.

Example: The following example enters server configuration mode:

hostname # server
hostname (server) # ?

set honeypot (collector mode)

Table 20: set honeypot

Description: Enables and disables the SSH-Honeypot feature for a Traffic Collector.

A honeypot can be deployed within a customer network to detect network activity generated by malware attempting to infect or attack other machines in a local area network. These attempted SSH logins can be used to supplement detection of lateral spread.

There are two parameters that can be set for a honeypot:

• Enable/disable a honeypot
• Set a Static IP (IP, mask, and gateway) or DHCP of a publicly addressable interface

See Also: show honeypot command in “show (collector mode)”

Product(s) CLI: All-in-One | Collector

Mode(s): collector

Syntax:

(collector)# set honeypot ssh-honeypot enable dhcp
(collector)# set honeypot ssh-honeypot enable address (IP address) netmask (subnet IP) gateway (IP address)
(collector)# set honeypot ssh-honeypot disable

Example: The following example enables the SSH honeypot with a static IP configuration:

(collector)# set honeypot ssh-honeypot enable address 1.2.3.4 netmask 255.255.0.0 gateway 1.2.3.1

NOTE: The static IP configuration does not require configuring DNS. Honeypots do not require a DNS server at this time.

set traffic-monitoring (for JATP700 Appliances only) (collector mode)

Table 21: set traffic-monitoring

Description: Sets the traffic monitoring interface on the JATP700.

Product(s) CLI: All-in-One | Collector

Mode(s): collector

Syntax:

# set traffic-monitoring-ifc 1gb_ifc
Set the traffic monitoring interface to be the 1G interface.

# set traffic-monitoring-ifc 10gb_ifc
Set the traffic monitoring interface to be the 10G interface.

NOTE: After making an interface type change, the system must be rebooted for the change to take effect.

set traffic-filter (collector mode)

Table 22: set traffic-filter

Description: Sets traffic filter rules to avoid analysis on a set of configured traffic. Filtering cannot be made retroactive; for example, any analysis skipped as a result of the filtering cannot be reversed. This command can be applied to an entire network/subnet/CIDR range.

See Also: “set (server mode)”; “show (diagnosis mode)” [show traffic-filter]

Product(s) CLI: All-in-One | Collector

Mode(s): collector

Syntax: set traffic-filter {add <rule_name> <domain> <source-address> <destination-address> <source-port> <destination-port> <protocol> | remove <rule_name>}

Parameters:

traffic-filter add - Adds a traffic filter rule where:
<RuleString> - “RuleString” is the name of the rule
<DomainString> - “DomainString” is the domain to filter out
<source-address> - “source-address” is the source IPv4 address or network (CIDR)
<destination-address> - “destination-address” is the destination IPv4 address or network (CIDR)
<source-port> - “source-port” is the source port number (0-65535)
<destination-port> - “destination-port” is the destination port number (0-65535)
<protocol> - “protocol” is the protocol type: either IP, TCP, UDP or HTTP

Example: The following example adds a traffic filter rule to the Traffic Collector.

JATP-collector02(collector)# set traffic-rule add CustomRule2 headqrts.example.com 10.2.0.0/16 20.0.0.2 90 120 tcp

where destination-address is 20.0.0.2, destination-port is 120, protocol is tcp, source-address is 10.2.0.0/16 and source-port is 90 (in our example).
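Because analysis skipped by a traffic filter cannot be recovered, it helps to check a rule's fields before entering it. The following pre-flight check is an added example, not part of the Juniper guide or the appliance software; the field order follows the Syntax row above, and the /16 review threshold, the function names and the sample rules are assumptions made for illustration.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Field order taken from the Syntax row of "set traffic-filter add".
FIELDS = ("rule_name", "domain", "source-address", "destination-address",
          "source-port", "destination-port", "protocol")
PROTOCOLS = {"ip", "tcp", "udp", "http"}   # protocol types listed in the Parameters row
MIN_REVIEW_PREFIX = 16                     # assumption: wider networks need a second look
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$")


@dataclass
class RuleCheck:
    """Outcome of checking one rule: errors block it, warnings ask for review."""
    fields: dict
    errors: list = field(default_factory=list)
    warnings: list = field(default_factory=list)

    @property
    def ok(self):
        return not self.errors


def _check_network(name, text, result):
    # strict=True rejects malformed addresses and CIDR blocks with host bits set.
    try:
        net = ipaddress.IPv4Network(text, strict=True)
    except ValueError as exc:
        result.errors.append(f"{name}: {exc}")
        return
    if net.prefixlen < MIN_REVIEW_PREFIX:
        result.warnings.append(
            f"{name}: {net} covers {net.num_addresses} addresses; "
            "analysis skipped by the filter cannot be recovered later")


def _check_port(name, text, result):
    if not (text.isascii() and text.isdigit() and 0 <= int(text) <= 65535):
        result.errors.append(f"{name}: {text!r} is not a port in 0-65535")


def check_add_rule(arguments):
    """Validate the seven fields that follow 'add' in a traffic filter rule."""
    values = arguments.split()
    result = RuleCheck(fields=dict(zip(FIELDS, values)))
    if len(values) != len(FIELDS):
        result.errors.append(f"expected {len(FIELDS)} fields, got {len(values)}")
        return result
    f = result.fields
    if not DOMAIN_RE.match(f["domain"]):
        result.errors.append(f"domain: {f['domain']!r} is not a valid host name")
    _check_network("source-address", f["source-address"], result)
    _check_network("destination-address", f["destination-address"], result)
    _check_port("source-port", f["source-port"], result)
    _check_port("destination-port", f["destination-port"], result)
    if f["protocol"].lower() not in PROTOCOLS:
        result.errors.append(f"protocol: {f['protocol']!r} is not one of IP, TCP, UDP, HTTP")
    return result


if __name__ == "__main__":
    # Constructed sample rules: the guide's example, a mistyped CIDR, an over-broad rule.
    samples = [
        "CustomRule2 headqrts.example.com 10.2.0.0/16 20.0.0.2 90 120 tcp",
        "CustomRule2 headqrts.example.com 10.2.00/16 20.0.0.2 90 120 tcp",
        "WideRule corp.example.com 10.0.0.0/8 0.0.0.0/0 0 70000 icmp",
    ]
    for line in samples:
        check = check_add_rule(line)
        print("OK  " if check.ok else "FAIL", line)
        for msg in check.errors + check.warnings:
            print("     ", msg)
```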

set protocols (collector mode)

Table 23: set protocols

Description: Enables and disables the HTTP or SMB parser for a Traffic Collector.

See Also: show protocols command in “show (collector mode)”

Product(s) CLI: All-in-One | Collector

Mode(s): collector

Syntax: (collector)# set protocols {http [on|off] | smb [on|off]}

Example: The following example enables the SMB parser for lateral detections:

hostname (collector)# set protocols smb on

set proxy (collector mode)

Table 24: set proxy

Description: Sets an Inside or Outside data path proxy from collector mode.

Deploy Traffic Collectors in locations where the monitoring interface is either (1) placed “outside”, between the proxy and the egress network, for customer environments in which the proxy supports XFF (X-Forwarded-For), or (2) [the more typical deployment scenario] placed between the proxy and the internal network, using FQDN (if available) to identify the threat source for all types of incidents (“inside” proxy). When configured, the Juniper ATP Appliance Traffic Collector will monitor all traffic and correctly identify source and destination hosts for each link in the kill chain wherever the data allows for it.

Note that if the “X-Forwarded-For” header is provided in the HTTP request, detection will identify threat targets when deployed outside of the proxy (customers can choose to disable the XFF feature in the proxy setting, if desired).

See Also: “set (server mode)” [“set proxy” command for management network]; “set (diagnosis mode)”

NOTE: The mitigation IP address of a CNC server is not available for Inside proxy deployments. When a Juniper ATP Appliance is deployed behind a proxy, the Mitigation->Firewall page in the Juniper ATP Appliance Central Manager Web UI (which typically displays the CNC server IP address to mitigate) will be empty. The destination IP address of any callback is the proxy server IP address, so it is not relevant to display the proxy server IP address on the Mitigation->Firewall page.

Product(s) CLI: All-in-One | Collector

Mode(s): collector

Syntax:

set proxy inside {add <proxy IP address> <proxy port> | remove <proxy IP address> <proxy port>}
set proxy outside {add <proxy IP address> | remove <proxy IP address>}

Parameters:

inside - Sets the inside proxy IP addresses
outside - Sets the outside proxy IP addresses
add - Adds a proxy configuration.
remove - Removes a proxy configuration.

Example: The following example sets an inside data path proxy:

JATP (collector)# set proxy inside add 10.1.1.1 8080

The following example sets an outside data path proxy:

JATP (collector)# set proxy outside add 10.2.1.1
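The difference between the two placements comes down to which addresses in an observed HTTP request still identify the real endpoints. The sketch below is an added illustration, not code from the Juniper guide or the appliance; the flow model, function names and sample flows are constructed, the proxy addresses are the ones from the examples above, and it assumes a single configured proxy that appends the connecting client's address as the last X-Forwarded-For entry.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class HttpFlow:
    """One HTTP request as seen on the monitoring interface (constructed model)."""
    src_ip: str
    dst_ip: str
    dst_port: int
    host: Optional[str] = None              # Host header or CONNECT target
    x_forwarded_for: Optional[str] = None   # raw X-Forwarded-For value


@dataclass(frozen=True)
class Attribution:
    placement: str               # "inside", "outside" or "direct"
    client_ip: str               # best available address for the internal endpoint
    client_resolved: bool        # False when only the proxy address is known
    server_ip: Optional[str]     # None when the destination seen is the proxy itself
    server_fqdn: Optional[str]


def _fqdn(host):
    """Lower-case the requested name and drop a trailing :port if present."""
    if not host:
        return None
    name, sep, port = host.rpartition(":")
    return (name if sep and port.isdigit() else host).lower()


def _client_from_xff(value):
    """Use only the last XFF entry: it is the one written by the configured proxy.
    Earlier entries arrive from the client side and cannot be relied on."""
    if not value:
        return None
    last = value.split(",")[-1].strip()
    try:
        return str(ipaddress.ip_address(last))
    except ValueError:
        return None


def attribute(flow, inside_proxies, outside_proxies):
    """inside_proxies: set of (ip, port) pairs; outside_proxies: set of ip strings."""
    fqdn = _fqdn(flow.host)
    if (flow.dst_ip, flow.dst_port) in inside_proxies:
        # Collector sits between the internal network and the proxy: the source
        # is the real endpoint, the destination IP is only the proxy, so the
        # external server is known by FQDN alone.
        return Attribution("inside", flow.src_ip, True, None, fqdn)
    if flow.src_ip in outside_proxies:
        # Collector sits between the proxy and the egress network: the source
        # is the proxy, and the internal endpoint is recoverable only from XFF.
        client = _client_from_xff(flow.x_forwarded_for)
        return Attribution("outside", client or flow.src_ip, client is not None,
                           flow.dst_ip, fqdn)
    return Attribution("direct", flow.src_ip, True, flow.dst_ip, fqdn)


INSIDE = {("10.1.1.1", 8080)}   # from "set proxy inside add 10.1.1.1 8080"
OUTSIDE = {"10.2.1.1"}          # from "set proxy outside add 10.2.1.1"

if __name__ == "__main__":
    # Constructed flows; 203.0.113.7 and cnc.example.net are placeholder values.
    flows = [
        HttpFlow("10.20.30.40", "10.1.1.1", 8080, host="cnc.example.net:443"),
        HttpFlow("10.2.1.1", "203.0.113.7", 80, host="cnc.example.net",
                 x_forwarded_for="198.51.100.9, 10.20.30.41"),
        HttpFlow("10.2.1.1", "203.0.113.7", 80, host="cnc.example.net"),
    ]
    for flow in flows:
        print(attribute(flow, INSIDE, OUTSIDE))
```

The first flow shows why the Mitigation->Firewall page has no server address for inside deployments: the only destination IP on the wire is the proxy.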

set (diagnosis mode)

Table 25: set

Description: Sets the logging levels for Juniper ATP Appliance components from diagnosis mode.

See Also: “set (server mode)”; set (collector mode)

Product(s) CLI: All-in-One | Collector | Core CM | Mac Mini OS X Detection Engine

Mode(s): diagnosis

Syntax: set logging

Parameters:

all - Sets logging for all Juniper ATP Appliance components.
default - Sets logging to the default parameters.
debug - Sets logging at the debug level.
info - Sets logging at the info level.
warning - Sets logging at the warning level.
error - Sets logging at the error level.
critical - Sets logging at the critical level.

Example: The following example sets the default logging level for all Juniper ATP Appliance components.

JATP# set logging all

set appliance-type (server mode)

Table 26: set appliance-type

Description: Change the appliance type at any time. For example, change from All-In-One to Core/CM. Note that if you change the appliance type after the initial installation, all data files related to the current type are lost and you must set up the appliance as you would a fresh box.

Product(s) CLI: All-in-One | Core CM | Collector

Mode(s): server

Syntax: jatp:AIO#(server)# set appliance-type core-cm

Parameters:

all-in-one
core-cm
email-collector
traffic-collector

Example: The following example changes the form factor of the appliance from all-in-one (the default) to core-cm:

jatp:AIO#(server)# set appliance-type core-cm
This will result in the deletion of all data and configurations not relevant to the new form factor.
Proceed? (Yes/No)? Yes

set ip interface (server mode)

Table 27: set ip interface

Description: Sets the management interface (eth0) and/or the alternate-exhaust interface (eth2) for the Juniper ATP Appliance.

Refer to the Operator’s Guide for information about configuring the optional alternate analysis engine eth2 interface option (it moves CnC traffic during analysis engine processing off the enterprise’s eth0 management network).

See Also: “set (server mode)”; “set protocols (collector mode)”; “show (core mode)”; “shutdown”

Product(s) CLI: All-in-One | Core CM | Mac Mini OS X Detection Engine

Mode(s): server

Syntax:

(server) # set ip interface management <dhcp | address | netmask | gateway>
(server) # set ip interface alternate-exhaust <address | netmask | gateway>

Parameters:

dhcp - Enables DHCP for the management or alternate-exhaust interface.
address - Sets the static IP address for the management (eth0) or alternate-exhaust (eth2) interface.
netmask - Sets the netmask for the management network or the alternate-exhaust network.
gateway - Sets the Gateway IP address for the management interface or the optional alternate-exhaust network.

Example: The following example configures the management interface (eth0) for a Juniper ATP Appliance Core device:

JATP (server)# set ip interface management address 10.2.123.18 netmask 255.255.255.0 gateway 10.2.0.1

The following example configures the management interface (eth0) using DHCP:

JATP (server)# set ip interface management dhcp

This example configures the alternate-exhaust interface (eth2) for a Juniper ATP Appliance Core device:

JATP (server)# set ip interface alternate-exhaust address 10.2.123.12 netmask 255.255.255.0 gateway 10.2.0.2

set (server mode)

Table 28: set

Configure the system settings.Description

All-in-One | Collector | Core CM | Mac Mini OS X Detection EngineProduct(s) CLI

Server, See Also:“set (diagnosismode)” onpage40;“set traffic-filter (collectormode)” on page 38

Mode(s)

set [autoupdate {on | off} | cli timeout secs | clock | cm address | support{enable | disable} localmode {enable | disable}| passphrase string | dns |firewall {all <backup | flush> | whitelist} | hostname string | ip interface{management | alternate-exhaust}| ntpserver | password | proxy {config |enabled | remove} | timezone string | uipassword]

Syntax

Note: vCore for AWS does not use the following CLI commands:

set ip

set hostname

[Users cannot set static IP address or change the hostname directly on an EC2AWS instance]

server mode “set proxy” command is a management network proxy tool; for datapath Collector proxy configurations, refer to

“set proxy (collector mode)” on page 39

Parameters

(Columns below)

autoupdate {content | software} {on | off} - Turn on or off automatic product updates.

set autoupdate content on

cli timeout secs - Sets CLI timeout period in seconds (0 indicates no timeout).

clock - Sets the current date and time.

cm address - Sets the IP address of the Central Manager and netmask using the slash notation; example: AAA.BBB.CCC.DD/X

set support {enable | disable} | {localmode} - Enables remote SSH login “support” account or localmode enable/disable.

dns - Sets DNS (or enables DHCP for DNS) for the management interface by default if interface is unspecified.

firewall {all <backup | flush> | whitelist <add | delete | flush>} - Backs up or flushes (clears) all current iptables for a firewall, or adds, deletes or flushes the current iptables whitelist-specific settings for the firewall.

The “add” option adds an IP address to the iptables outbound whitelist.

# set firewall whitelist add 10.1.1.1

hostname string - Sets the system’s host name.

ip interface {management | alternate-exhaust} <dhcp | address | netmask | gateway> - Sets the IP address, netmask, or default gateway, or enables DHCP for the management or alternate-exhaust interface.

ntpserver - Sets the Network Time Protocol (NTP) server.

passphrase string - Sets the device key password; enter a string.

password - Sets a new password for the CLI administrator.

proxy {config <all|http> | enabled <on|off> | remove <all|http>} - Config, enable/disable, or remove “all” proxy configs, or remove an HTTP-specific proxy server.

TIP: Config the proxy for “all” protocols first, and then change HTTP proxy as needed.

timezone string - Sets the timezone for the device.

uipassword - Sets a new admin password for CM Web UI access.

Example:

The following example disables the CLI timeout counter.

JATP (server)# set cli timeout 0

The following example enables support:

JATP (server)# set support enable


set system-alert (server mode)

Table 29: set system-alert

Description: Configure the traffic threshold and checking interval for the Collector “monitored traffic” health status.

When the monitored traffic of a collector within the checking interval time is lower than the threshold, a system health alert is generated. You can send an email notification of the alert if email notifications of system health events are configured.

Product(s) CLI: All-in-One | Core CM

Mode(s): Server

See Also: “set (diagnosis mode)”; “set traffic-filter (collector mode)”; show

Syntax: set system-alert traffic <integer> time <interval>

NOTE: Both "traffic" and "time" parameters are required in order to set the threshold for both the minimum traffic and time.

Parameters:

traffic - the minimum traffic (in KB)

interval - the checking interval (in minutes)

Example:

JATP (server) # set system-alert traffic 100 time 30

This example sets the system alert such that, if the total monitored traffic of a collector within the last 30 minutes dips lower than 100KB, then a system health alert will be generated (and users will receive an email notification of the alert if email notifications are configured for system health events).

By default this alert is disabled, and users must set the minimum traffic and interval in order to enable it. Also note that all bytes seen on Ethernet frames are counted in the traffic.

The minimum interval for the "set system-alert traffic" time interval command is 10 minutes. If the interval is set to less than 10 minutes, no alerts will be triggered.

setupcheck

Table 30: setupcheck

Description: Checks and reports on basic configuration settings and analysis pipeline setup.

Product(s) CLI: All-in-One | Core CM | MacMini OS X Detection Engine

Mode(s): diagnosis

Syntax: setupcheck {all | report | basic | analysis}

Parameters:

all - Checks both basic settings and analysis pipeline.

report - Shows report of last setupcheck.

basic - Checks basic configuration settings.

analysis - Checks the analysis pipeline.

Example:

The following example checks all basic configuration settings as well as the analysis pipeline:

JATP (diagnosis) # setupcheck all

show (collector mode)

Table 31: show (collector mode)

Description: Displays the Traffic Collector HOMENET settings and all configured subnets, as well as current traffic filters and the current XFF status (enabled or disabled).

Product(s) CLI: All-in-One | Collector

Mode(s): Collector

Subcommands: homenet | traffic-filter | proxy | honeypot

Syntax: show

Parameters:

traffic-filter - Shows all traffic filter rules.

protocols - Shows current HTTP or SMB protocol parser settings.

proxy {inside|outside} - Shows Traffic Collector proxy for inside or outside configurations.

honeypot - Shows the current honeypot configuration.

Example:

The following example displays the current Collector proxy inside settings:

collector02(collector)# show proxy inside
Proxy IPs: 10.1.1.1

The following example displays the current traffic filter:

collector02 (collector)# show traffic-filter
Name: CustomRule2, Domain: headqtrs.example.com

The following example displays the current SMB protocol parser setting:

collector02 (collector)# show protocols

The following example displays the current honeypot configuration:

collector02 (collector)# show honeypot ssh-honeypot

show (collector mode)

Table 32: show (collector mode)

Description: Display the currently selected traffic monitoring interface.

Product(s) CLI: All-in-One | Collector

Mode(s): Collector

Syntax: collector02 (collector)# show traffic-monitoring-ifc-type

Display the currently selected traffic monitoring interface.

show (core mode)

Description: Displays the guest image(s) status or whitelist statistics.

See Also: “shutdown”; show (diagnostic mode)

Product(s) CLI: See Also: shutdown; show (diagnostic mode)

Mode(s): Core

Syntax: show

Parameters:

images - Displays guest image update and status information.

whitelist - Displays the name, hit count and the time of last hit of a user configured whitelist.

Note that when a whitelist rule is deleted, it will be removed from the list. Updates to existing rules are not affected by the presence of the rule in the output, but hit count could increment. Further, more than one rule can be hit by a single incident.

alternate-exhaust interface - Displays the status of the alternate exhaust interface eth2.

Example:

The following example demonstrates the show images command usage:

JATP(core)# show images

The following example demonstrates the show whitelist command usage:

JATP(core)# show whitelist

Rule Name        Hit Count   Local Time of Last Hit
URI1             10          Wed Sep 2 18:16:55 2015
URI2             10          Wed Sep 2 18:16:55 2015
URI3             10          Wed Sep 2 18:16:55 2015
greatfilesarey   49          Wed Sep 2 18:20:00 2015

The following example shows how to get the alternate-exhaust interface (eth2) status:

JATP(core)# show alternate-exhaust interface

show (diagnosis mode)

Table 33: show (diagnosis mode)

Description: Sets the logging levels for Juniper ATP Appliance components from diagnosis mode.

See Also: “shutdown”; show (core mode)

Product(s) CLI: All-in-One | Collector | Core CM | MacMini OS X Detection Engine

Mode(s): diagnosis

Syntax: show

Parameters:

device {collectorstatus | corestatus | slavecorestatus} - Display connected device statistics for Traffic Collector, CoreCM, or Mac Mini Detection Engine Secondary “slave core.”

protocol {web | email} - Displays the session counts for network web or email protocols.

objects - Displays the current number of file objects.

logging - Displays the currently-configured logging level.

See Also: “set traffic-filter (collector mode)”

log error traceback - Displays only the tracebacks (if any) generated by Juniper ATP Appliance OS process error logs. A traceback is a stack of functions that were executing when an error condition was encountered.

log error last <integer: number of lines to display> - Displays n [1-1000] lines of the contents of the common log file.

Example: show log error last 12

Example:

The following example displays the connected Traffic Collector status.

JATP(diagnosis)# show device collectorstatus<cr>

JATP (diagnosis)# show device collectorstatus
WEB_COLLECTOR

IP : 10.2.9.68
Enabled : True
Last Seen : 2015-07-25 15:13:17.967000-07:00
Install Date : 2015-06-25 19:03:38-07:00

IP : 10.2.20.3
Enabled : True
Last Seen : 2015-07-28 11:07:42.046000-07:00
Install Date : 2013-11-14 09:25:39-08:00

This example displays the log error traceback:

JATP(diagnosis)# show log error traceback<cr>

shutdown

Table 34: shutdown

Description: Shuts down the Juniper ATP Appliance server.

Product(s) CLI: All-in-One | Collector | Core CM | MacMini OS X Detection Engine

Mode(s): Server

Syntax: shutdown

Parameters: None

Example:

The following example performs a shutdown of the current device.

JATP# shutdown

traceroute

Table 35: traceroute

Description: Displays the route that packets take to a host name or an IP address.

Product(s) CLI: All-in-One | Collector | Core CM | MacMini OS X Detection Engine

Mode(s): Server | Collector

Syntax: traceroute

Parameters:

-h unsigned integer - Specifies the number of hops.

string - Names the remote system to be traced.

Example:

The following example performs a traceroute of the named device.

JATP# traceroute -h 2 MacMininOSX-Engine

upgrade

Table 36: upgrade

Description: Upgrade Juniper ATP Appliance software for the Core/CM device or vCore, and all connected physical or virtual devices.

Product(s) CLI: All-in-One | Core CM

Mode(s): cm

Syntax: upgrade <URI as user@hostname:path>

Parameters:

<String_URI> - Specifies the software packages to copy from a remote location for upgrading via the Core.

Example:

The following example copies Juniper ATP Appliance software to the Core from a remote location defined by the path provided.

CoreCM(cm)# upgrade [email protected]:some/remote/directory


updateimage

Table 37: updateimage

Description: Update or correct the guest-image OS profile used by the detection and analysis behavioral engine.

The updateimage command will update the guest images from the Juniper ATP Appliance update servers or a USB drive attached to the Juniper ATP Appliance.

Product(s) CLI: All-in-One | Core-CM | MacMini OS X Detection Engine

Mode(s): Core

Syntax: updateimage

Parameters:

built-in - Updates the guest-image on the detection Engine.

Example:

The following example performs a built-in profile update for the Core detection engine.

JATP (core)# updateimage built-in
Installing image SC-XP-20150617.img...
Previous version of SC-XP-20150617.img exists.
Checking integrity...
Image SC-XP-20150617.img is already installed
Installing image SC-W7-20150521.img...
Previous version of SC-W7-20150521.img exists.
Checking integrity...
Image SC-W7-20150521.img is already installed

wizard

Table 38: wizard

Description: Enters the Configuration Wizard. For Configuration Wizard commands and response, see “Configuration Wizard for the All-in-One Server” in the next section to follow command prompts and recommended responses.

Product(s) CLI: All-in-One | Core/CM | Collector | MacMini Mac OS X

Mode(s): Basic

Syntax: wizard

Parameters: None

Example:

The following command starts the configuration wizard.

hostname # wizard


Configuration Wizard for the All-in-One Server

Table 39: Configuration Wizard for All-in-One Server

Configuration Wizard Prompts:

Use DHCP to obtain the IP address and DNS server address for the administrative interface (Yes/No)?

Note: Only if your DHCP response is no, enter the following information when prompted:

a. IP address (no CIDR format)
b. Netmask
c. Enter a gateway IP address for this management (administrative) interface:
d. Enter primary DNS server IP address.
e. Do you have a secondary DNS Server (Yes/No).
f. Do you want to enter the search domains?
g. Enter the search domain (separate multiple search domains by space):

Restart the administrative interface (Yes/No)?

Customer Response Actions:

We strongly discourage the use of DHCP addressing because it changes dynamically. A static IP address is preferred.

Recommended: Respond with no:

a. Enter an IP address
b. Enter a netmask using the form 255.255.255.0.
c. Enter a gateway IP address.
d. Enter the DNS server IP address
e. If yes enter the IP address of the secondary DNS server.
f. Enter yes if you want DNS lookups to use a specific domain.
g. Enter search domain(s) separated by spaces; for example: example.com lan.com dom2.com

Enter yes to restart with the new configuration settings applied.

Configuration Wizard Prompts:

Enter a valid hostname.

Customer Response Actions:

Type a hostname when prompted; do not include the domain; for example: JuniperATP1.

NOTE: Only alphanumeric characters and hyphens (in the middle of the hostname) are allowed.

Configuration Wizard Prompts:

[OPTIONAL]

If the system detects a Secondary Core with an eth2 port, then the alternate CnC exhaust option is displayed:

Use alternate-exhaust for the analysis engine exhaust traffic (Yes/No)?

Enter IP address for the alternate-exhaust (eth2) interface:

Enter netmask for the alternate-exhaust (eth2) interface: (example: 255.255.0.0)

Enter gateway IP Address for the alternate-exhaust (eth2) interface: (example: 10.6.0.1)

Enter primary DNS server IP Address for the alternate-exhaust (eth2) interface: (example: 8.8.8.8)

Do you have a secondary DNS server for the alternate-exhaust (eth2) interface?

Do you want to enter the search domains for the alternate-exhaust (eth2) interface?

NOTE: A complete network interface restart can take more than 60 seconds

Customer Response Actions:

Refer to “Configuring an Alternate Analysis Engine Interface” in the Juniper ATP Appliance Operator’s Guide for more information.

Enter yes to configure an alternate eth2 interface.

Enter the IP address for the eth2 interface.

Enter the eth2 netmask.

Enter the gateway IP address.

Enter the primary DNS server IP Address for the alternate-exhaust (eth2) interface.

Enter yes or no to confirm or deny an eth2 secondary DNS server.

Enter yes or no to indicate whether you want to enter search domain.

Configuration Wizard Prompts:

Regenerate the SSL self-signed certificate (Yes/No)?

Customer Response Actions:

Enter yes to create a new SSL certificate for the Juniper ATP Appliance Server Web UI.

See Also:

• Core/CM Server CLI Commands
• Traffic Collector CLI Commands
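The static-address and hostname answers in Table 39 can be checked before they are typed into the wizard. The following Python code is an added example, not Juniper code: it applies the rules stated in the table (no CIDR in the IP address, dotted netmask, hostname without the domain and with hyphens only in the middle, space-separated search domains). The function names, the IPv4-only scope and the gateway-on-subnet check are assumptions made here.

```python
import ipaddress
import re

# Wizard NOTE: only alphanumeric characters, with hyphens allowed in the middle.
LABEL_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?")


def check_hostname(answer):
    """Problems with the hostname answer (an empty list means acceptable)."""
    if "." in answer:
        return ["hostname must not include the domain"]
    if not LABEL_RE.fullmatch(answer):
        return ["hostname allows only alphanumerics, with hyphens in the middle"]
    return []


def netmask_prefix(netmask):
    """Prefix length of a dotted netmask, or None if it is not a usable mask."""
    if not re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", netmask):
        return None  # rejects prefix-style answers such as "24" or "/24"
    try:
        mask = int(ipaddress.IPv4Address(netmask))
    except ValueError:
        return None
    inverted = ~mask & 0xFFFFFFFF
    if mask == 0 or inverted & (inverted + 1):
        return None  # the one-bits must be contiguous from the left
    return bin(mask).count("1")


def check_static_interface(ip, netmask, gateway, dns_servers):
    """Problems with the answers to prompts a-e for a static interface."""
    if "/" in ip:
        return ["IP address must not be in CIDR format"]
    prefix = netmask_prefix(netmask)
    if prefix is None:
        return ["netmask must be a dotted mask such as 255.255.255.0"]
    try:
        addr = ipaddress.IPv4Address(ip)
        gw = ipaddress.IPv4Address(gateway)
    except ValueError as exc:
        return [f"invalid address: {exc}"]
    net = ipaddress.IPv4Network(f"{addr}/{prefix}", strict=False)
    problems = []
    if prefix < 31 and addr in (net.network_address, net.broadcast_address):
        problems.append(f"{addr} is the network or broadcast address of {net}")
    # Added sanity checks (not stated in the guide): a usable default gateway
    # sits on the interface's own subnet and is not the interface itself.
    if gw not in net:
        problems.append(f"gateway {gw} is outside {net}")
    elif gw == addr:
        problems.append("gateway equals the interface address")
    for server in dns_servers:
        try:
            ipaddress.IPv4Address(server)
        except ValueError:
            problems.append(f"invalid DNS server address: {server!r}")
    return problems


def parse_search_domains(answer):
    """Split the space-separated search-domain answer; raise on a bad name."""
    domains = answer.split()
    for domain in domains:
        if not all(LABEL_RE.fullmatch(label) for label in domain.split(".")):
            raise ValueError(f"invalid search domain: {domain!r}")
    return domains


if __name__ == "__main__":
    # Constructed answers, reusing the example values shown in the table.
    print(check_hostname("JuniperATP1"))
    print(check_static_interface("10.6.0.20", "255.255.0.0", "10.6.0.1", ["8.8.8.8"]))
    print(parse_search_domains("example.com lan.com dom2.com"))
```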

Core/CM Server CLI Commands

This chapter describes the commands available for Juniper ATP Appliance Core/CM or vCore servers. These commands are used to configure devices and software, manage security events, and show system information and status.

You must enclose non-alphabet characters in double quotes in CLI commands.

• Basic Mode Commands
• CM Commands
• Core Mode Commands
• Server Mode Commands
• Diagnosis Mode Commands
• CoreCM CLI Commands
• Configuration Wizard for the CoreCM Server

Basic Mode Commands

Use general system commands to configure the appliance, view appliance history, enter other CLI modes, obtain help with CLI syntax, and to exit the CLI session.

The general commands are:

• cm
• core
• diagnosis
• exit
• help
• history
• server
• wizard

Refer to the respective sections in this guide to review Diagnosis Mode, CM Mode, Collector Mode and Server Mode commands per product device.

CM Commands

• exit
• help
• history
• upgrade

Core Mode Commands

• exit
• help
• history
• set (core mode)
• show (core mode)
• updateimage

Server Mode Commands

• exit
• help
• history
• ifrestart
• ping
• reboot
• restart
• set (server mode)
• set appliance-type (server mode)
• server
• show (server mode)
• shutdown
• traceroute
• upgrade

Diagnosis Mode Commands

• capture-start
• copy
• exit
• gssreport
• help
• history
• set (diagnosis mode)
• setupcheck
• show (diagnosis mode)

CoreCM CLI Commands

• capture-start
• cm
• core
• copy
• diagnosis
• exit
• gssreport
• help
• history
• ifrestart
• ping
• reboot
• restart
• set (core mode)
• server
• set system-alert (server mode)
• set (server mode)
• set appliance-type (server mode)
• set (diagnosis mode)
• setupcheck
• show (core mode)
• show (diagnosis mode)
• show (server mode)
• shutdown
• traceroute
• upgrade
• updateimage
• wizard

capture-start

Table 40: capture-start

Description: Starts packet capture as a means for diagnosing and debugging network traffic and obtaining stats.

See Also: “diagnosis” [mode]; “copy”

Product(s) CLI: All-in-One | Collector | Core | Mac OS X Detection Engine

Mode(s): Diagnosis

Syntax: capture-start

Parameters: <IP address> <interface_name>

Sub-Commands: None

Example:

The following example starts a packet capture process on interface eth1 for a Traffic Collector with IP address 8.8.8.8:

hostname # diagnosis

hostname (diagnosis)# capture-start 8.8.8.8 eth1

NOTE: Address 8.8.8.8 need not be a Juniper ATP Appliance. It is just a host that the capture filters on.

cm

Table 41: cm

Description: Enters cm (Central Manager) mode.

See Also: basic [mode];

Product(s) CLI: All-in-One | Core

Mode(s): Basic

Syntax: cm

Parameters: None

Sub-Commands: exit | help | history | upgrade

Example:

The following command example enters cm configuration mode:

hostname # cm

hostname (cm)#


core

Table 42: core

Description: Enters core mode.

See Also: basic [mode];

Product(s) CLI: All-in-One | Collector | Core | Mac OS X Detection Engine

Mode(s): Basic

Syntax: core

Parameters: None

Sub-Commands: exit, help, history, show, updateimage

Example:

The following command example enters core configuration mode:

hostname # core

hostname (core)#

copy

Table 43: copy

Description: Uses Secure Copy (SCP) to copy and transfer packet capture or traceback (crash) data to a remote location, providing the same authentication and level of security as an SSH transfer.

The copy traceback command, upon Customer Support's request, copies the traceback files out of the box to a remote location.

See Also: “diagnosis” [mode]; “capture-start”

Product(s) CLI: All-in-One | Collector | Core-CM | Mac OSX Engine

Mode(s): Diagnosis

Syntax: copy capture <scp source_file_name username@destination_host:destination_folder> | traceback {<tab> | ALL} <string URI as user@hostname:path>

Parameters:

copy capture <scp remote filename_location>

copy traceback <ALL | filename>

copy traceback <tab> [tab displays all available crash filenames]

Sub-Commands: None

Example:

The following example copies the file "Eth1.txt" from the local host to a remote host:

hostname (diagnosis)# copy capture scp captureEth1.txt [email protected]:/some/remote/directory

diagnosis

Table 44: diagnosis

Description: Enters the Diagnosis configuration and status check mode.

See Also: collector [mode], server [mode]

Product(s) CLI: All-in-One | Collector | Mac OS X Detection Engine

Mode(s): Basic

Syntax: diagnosis

Parameters: None

Sub-Commands: “capture-start”; “copy”; “exit”; “gssreport”; “help”; “history”; “set (server mode)”; “setupcheck”; “show (diagnosis mode)”; “show (server mode)”

Example:

The following example enters diagnosis configuration and status check mode:

hostname # diagnosis

hostname (diagnosis)# ?

exit

Table 45: exit

Description: Ends the CLI session.

Product(s) CLI: All-in-One | Collector | Core CM | MacMini OS X Detection Engine

Mode(s): Basic | Core | Collector | Diagnosis | Server

Syntax: exit

Parameters: None

Example:

The following example ends a command mode or CLI session.

JATP# (diagnosis) exit
JATP#


gssreport

Table 46: gssreport

Description: Use the gssreport command to submit reports to Juniper Global Security Services (GSS), and to display the status of the current GSS report.

See Also: “gssreport”; “diagnosis” [mode]

Product(s) CLI: All-in-One | Collector | Mac OS X Detection Engine

Mode(s): diagnosis

Syntax: gssreport status | submit

Parameters:

status - displays the status of the current GSS report.

submit - submits a report to Juniper ATP Appliance GSS.

Sub-Commands: None

Example:

The following examples display the status of a GSS report submission:

hostname # diagnosis
hostname (diagnosis)# gssreport submit
Successfully started GSS report

hostname (diagnosis)# gssreport status
GSS is currently enabled
Last 5-minute GSS report at 2015-07-28 10:34:24.414322: successfully submitted
Last hourly GSS report at 2015-07-28 10:34:24.468259: successfully submitted
Last daily GSS report at 2015-07-28 10:34:28.225512: successfully submitted

help

Table 47: help

Description: Displays information about the CLI help system.

Product(s) CLI: All-in-One | Collector | Core CM | MacMini OS X Detection Engine

Mode(s): Basic | Core | Collector | Diagnosis | Server

Syntax: help

Parameters: None

Example:

The following example shows some of the output of the help command.

CONTEXT SENSITIVE HELP
[?] - Display context sensitive help. This is either a list of possible command completions with summaries, or the full syntax of the current command. A subsequent repeat of this key, when a command has been resolved, will display a detailed reference.

AUTO-COMPLETION
The following keys both perform auto-completion for the current command line. If the command prefix is not unique then the bell will ring and a subsequent repeat of the key will display possible completions.

[enter] - Auto-completes, syntax-checks then executes a command. If there is a syntax error then offending part of the command line will be highlighted and explained.

[tab] - Auto-completes
[space] - Auto-completes, or if the command is already resolved inserts a space.
If “<cr>” is shown, that means that what you have entered so far is a complete command, and you may press Enter (carriage return) to execute it.

Use ? to learn command parameters and option:
JATP (server)# show f?
firewall Show the firewall configuration settings
interface
JATP (server)# show firewall?
all Show the current iptables settings
whitelist Show the iptables whitelist settings
show firewall whitelist?
<cr>
show firewall whitelist

history

Table 48: history

Description: Displays the current CLI session command line history.

Product(s) CLI: All-in-One | Collector | Core CM | MacMini OS X Detection Engine

Mode(s): Basic | Core | Collector | Diagnosis | Server

Syntax: history

Parameters: None

Example:

The following example returns command line history for the current CLI session.

JATP# (core) history

ifrestart

Table 49: ifrestart

Description: Restarts the interface driver and services using the interface.

Product(s) CLI: All-in-One | Core CM | MacMini OS X Detection Engine

Mode(s): Server

Syntax: ifrestart eth0 | eth1

Parameters:

eth0 - Restarts the management network administrative interface.

eth1 - Restarts the monitoring network interface.

Example:

The following example restarts the eth0 interface for the management network.

<FireEye_name># ifrestart eth0

ping

Table 50: ping

Description: Sends ICMP (Internet Control Message Protocol) echo request packets to a specified host name or IP address to verify that the destination is reachable over the network.

Product(s) CLI: All-in-One | Collector | Core CM | MacMini OS X Detection Engine

Mode(s): Server

Syntax: ping [-c count] [-h hops] [string]

Parameters:

-c count - Number of echo requests to send. By default, pings are sent continuously until you press Ctrl+C.

-h hops - Number of next hops between pings (default is 1).

string - IP address, hostname or interface name used to ping device address

Example:

The following example sends three echo requests to the device with the IP Address 10.10.10.1

<FireEye_name># ping -c 3 10.10.10.1

PING 10.10.10.1 (10.10.10.1) 56(84) bytes of data.
64 bytes from 10.10.10.1: icmp_req=1 ttl=64 time=0.314ms
64 bytes from 10.10.10.1: icmp_req=2 ttl=64 time=0.277ms
64 bytes from 10.10.10.1: icmp_req=3 ttl=64 time=0.274ms

--- 10.10.10.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 1999ms
rtt min/avg/max/mdev = 0.274/0.288/0.314/0.022ms

reboot

Table 51: reboot

Description: Reboots the Juniper ATP Appliance.

Product(s) CLI: All-in-One | Collector | Core CM | MacMini OS X Detection Engine

Mode(s): Server

Syntax: reboot

Parameters: None

Example:

The following example reboots the system.

hostname# reboot

restart

Table 52: restart

Description: Restarts Juniper ATP Appliance services.

Product(s) CLI: All-in-One | Collector | Core CM | MacMini OS X Detection Engine

Mode(s): Server

Syntax: restart [all | behaviorengine | cm | collector | core | correlationengine | database | ntpserver | sshserver | staticengine | webserver]

Parameters:

all - Restarts all Juniper ATP Appliance services.

behaviorengine - Restarts the Behavioral Analysis Engine.

cm - Restarts the Central Manager Web UI service.

collector - Restarts the Collector service.

core - Restarts the Core Detection Engine.

correlationengine - Restarts the Correlation Engine.

database - Restarts the Database.

ntpserver - Restarts the NTP server.

sshserver - Restarts the SSH server.

staticengine - Restarts the Static Analysis Engine.

webserver - Restarts the web server.

Example:

The following example restarts the Central manager service.

JATP# restart cm


set (core mode)

Table 53: set

Description: Resets the Secondary Core UUID, if the virtual core is cloned.

Product(s) CLI: Core/CM (Virtual Core)

Mode(s): Core (for Virtual Core configurations)

Syntax: set id

Sub-Commands: None

Example:

The following example sets the Virtual Core appliance id:

hostname # core
hostname (core) # set id<cr>

server

Table 54: server

Description: Enters the server configuration mode.

Product(s) CLI: All-in-One | Collector | Core/CM | MacMini Mac OS X

Mode(s): Basic

Syntax: server

Sub-Commands: “exit”; “help”; “history”; “ifrestart”; “ping”; “reboot”; “set (server mode)”; “show (server mode)”; “traceroute”; “upgrade”

Whitelist rules rely on normal service shutdown to be backed up. Powering off a VM directly will lose the whitelist state as rules cannot be saved in that case.

Example:

The following example enters server configuration mode:

hostname # server
hostname (server) # ?

set system-alert (server mode)

Table 55: set system-alert

Description: Configure the traffic threshold and checking interval for the Collector “monitored traffic” health status.

When the monitored traffic of a collector within the checking interval time is lower than the threshold, a system health alert is generated. You can send an email notification of the alert if email notifications of system health events are configured.

Product(s) CLI: All-in-One | Core CM

Mode(s): Server. See Also: “set (diagnosis mode)” on page 40; set (collector mode); show

Syntax: set system-alert traffic <integer> time <interval>

NOTE: Both the "traffic" and "time" parameters are required in order to set the threshold for both the minimum traffic and time.

Parameters:

traffic - the minimum traffic (in KB)

interval - the checking interval (in minutes)

Example:

JATP (server) # set system-alert traffic 100 time 30

This example sets the system alert such that, if the total monitored traffic of a collector within the last 30 minutes dips lower than 100KB, then a system health alert will be generated (and users will receive an email notification of the alert if email notifications are configured for system health events).

By default this alert is disabled, and users must set the minimum traffic and interval in order to enable it. Also note that all bytes seen on Ethernet frames are counted in the traffic.

The minimum interval for the "set system-alert traffic" time interval command is 10 minutes. If the minimum interval is set to less than 10 minutes, no alerts will be triggered.
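The threshold rule described above can be modelled offline to check a planned traffic/time pair against a collector's traffic history before it is configured. This is an added example, not Juniper code: the function names, the per-minute byte samples, the 1 KB = 1024 bytes conversion and the non-overlapping window alignment are assumptions; only the command syntax, the units and the 10-minute minimum come from this guide.

```python
import re
from dataclasses import dataclass

MIN_INTERVAL_MIN = 10  # from the guide: shorter intervals never trigger alerts

# Syntax from the guide: set system-alert traffic <integer> time <interval>
_CMD = re.compile(r"^set\s+system-alert\s+traffic\s+(\d+)\s+time\s+(\d+)$")


@dataclass(frozen=True)
class SystemAlert:
    traffic_kb: int    # minimum monitored traffic, in KB
    interval_min: int  # checking interval, in minutes

    @property
    def effective(self) -> bool:
        """False when the interval is below the documented 10-minute floor."""
        return self.interval_min >= MIN_INTERVAL_MIN


def parse_system_alert(line: str) -> SystemAlert:
    """Parse a 'set system-alert' line; both parameters are mandatory."""
    m = _CMD.match(line.strip())
    if not m:
        raise ValueError(
            "expected: set system-alert traffic <integer> time <interval>")
    return SystemAlert(int(m.group(1)), int(m.group(2)))


def low_traffic_windows(alert, bytes_per_minute):
    """Return (start_minute, total_kb) for each full window below threshold.

    bytes_per_minute is a hypothetical per-minute export of a collector's
    monitored-traffic counter. Windows are consecutive and non-overlapping
    (assumption: the guide does not say how the appliance aligns them).
    """
    if not alert.effective:
        return []  # interval < 10 minutes: the guide says nothing fires
    hits = []
    n = alert.interval_min
    for start in range(0, len(bytes_per_minute) - n + 1, n):
        total_kb = sum(bytes_per_minute[start:start + n]) / 1024
        if total_kb < alert.traffic_kb:
            hits.append((start, total_kb))
    return hits


# Constructed sample: 30 busy minutes, 30 minutes where only background
# frames reach the monitoring port (e.g. a broken SPAN session), 30 busy.
SAMPLE_BYTES = [50_000] * 30 + [60] * 30 + [50_000] * 30

if __name__ == "__main__":
    for cmd in ("set system-alert traffic 100 time 30",
                "set system-alert traffic 1 time 30",   # below background noise
                "set system-alert traffic 100 time 5"):  # interval too short
        alert = parse_system_alert(cmd)
        print(cmd, "->", low_traffic_windows(alert, SAMPLE_BYTES))
```

Because all bytes seen on Ethernet frames are counted, the second command never fires on the quiet half hour: roughly 1.76 KB of background frames keeps the window above a 1 KB threshold.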

set (server mode)

Table 56: set

Description: Configure the system settings.

Product(s) CLI: All-in-One | Collector | Core CM | Mac Mini OS X Detection Engine

Mode(s): Server. See Also: “set (diagnosis mode)” on page 40; “set (core mode)” on page 62; “show (core mode)” on page 46

Syntax: set [autoupdate {on | off} | cli timeout secs | clock | cm address | support {enable | disable} localmode {enable | disable} | passphrase string | dns | firewall {all <backup | flush> | whitelist} | hostname string | ip interface {management | alternate-exhaust} | ntpserver | password | proxy {config | enabled | remove} | timezone string | uipassword]

Parameters:

NOTE: vCore for AWS does not use the following CLI commands:

set ip
set hostname

[Users cannot set static IP address or change the hostname directly on an EC2 AWS instance]

autoupdate {content | software} {on | off} - Turn on or off automatic product updates.

set autoupdate content on

cli secs - Sets CLI period in seconds (0 indicates no timeout).

clock - Sets the current date and time.

cm address - Sets the IP address of the Central Manager and netmask using slash notation; ex: AAA.BBB.CCC.DD/X

set support {enable | disable} | {localmode} - Enables remote SSH login “support” account or localmode enable|/disable.

dns - Sets DNS (or enables DHCP for DNS) for the management interface by default if interface is unspecified.

firewall {all <backup | flush> | whitelist <add | delete | flush>} - Backs up or flushes (clears) all current iptables for a firewall, or adds, deletes or flushes the current iptables whitelist-specific settings for the firewall.

The “add” option adds an IP address to the iptables outbound whitelist.

# set firewall whitelist add 10.1.1.1

hostname string - Sets the system’s host name.

ip interface {management | alternate-exhaust} <dhcp | address | netmask | gateway> - Sets the IP address, netmask, or default gateway, or enables DHCP for the management or alternate-exhaust interface.

ntpserver - Sets the Network Time Protocol (NTP) server.

passphrase string - Sets the device key password; enter a string.

password - Sets a new password for the CLI administrator.

proxy {config <all|http> | enable <on|off> | remove <all|http>} - Config, enable/disable, or remove “all” proxy configs, or remove an HTTP-specific proxy server.

TIP: Config the proxy for “all” protocols first, and then change HTTP proxy as needed.

timezone string - Sets the timezone for the device.

uipassword - Sets a new admin password for CM Web UI access.

Examples:

The following example enables a proxy server.

JATP (server)# set proxy enable on

set appliance-type (server mode)

Table 57: set appliance-type

Description: Change the appliance type at any time. For example, change from All-In-One to Core/CM. Note that if you change the appliance type after the initial installation, all data files related to the current type are lost and you must set up the appliance as you would a fresh box.

Product(s) CLI: All-in-One | Core CM | Collector

Mode(s): server

Syntax: jatp:AIO#(server)# set appliance-type core-cm

Parameters:

all-in-one

core-cm

email-collector

traffic-collector

Example:

The following example changes the form factor of the appliance from all-in-one (the default) to core-cm:

jatp:AIO#(server)# set appliance-type core-cm
This will result in the deletion of all data and configurations not relevant to the new form factor.
Proceed? (Yes/No)? Yes

set (diagnosis mode)

Table 58: set

Description: Sets the logging levels for Juniper ATP Appliance components from diagnosis mode.

See Also: “set (server mode)” on page 42

Product(s) CLI: All-in-One | Collector | Core CM | Mac Mini OS X Detection Engine

Mode(s): diagnosis

Syntax: set logging all

Parameters:

all - Sets logging for all Juniper ATP Appliance components.

default - Sets logging to the default parameters.

debug - Sets logging at the debug level.

info - Sets logging at the info level.

warning - Sets logging at the warning level.

error - Sets logging at the error level.

critical - Sets logging at the critical level.

Example:

The following example sets the default logging level for all Juniper ATP Appliance components.

JATP# set logging all

setupcheck

Table 59: setupcheck

Description: Checks and reports on basic configuration settings and analysis pipeline setup.

Product(s) CLI: All-in-One | Core CM | Mac Mini OS X Detection Engine

Mode(s): diagnosis

Syntax: setupcheck {all | report | basic | analysis}

Parameters:

all - Checks both basic settings and analysis pipeline.

report - Shows report of last setupcheck.

basic - Checks basic configuration settings.

analysis - Checks the analysis pipeline.

Example:

The following example checks all basic configuration settings as well as the analysis pipeline:

JATP (diagnosis) # setupcheck all

show (core mode)

Table 60: show

Description: Displays the guest image(s) status or whitelist statistics.

See Also: “show (server mode)” on page 68; show (diagnostic mode)

Product(s) CLI: See Also: shutdown; show (diagnostic mode)

Mode(s): Core

Syntax: show

Parameters:

images - Displays guest image update and status information.

whitelist - Displays the name, hit count and the time of last hit of a user configured whitelist.

Note that when a whitelist rule is deleted, it will be removed from the list. Updates to an existing rule are not affected by the presence of the rule in the output, but hit count could increment. Further, more than one rule can be hit by a single incident.

alternate-exhaust interface - Displays the status of the alternate exhaust interface eth2.

Example:

The following example demonstrates the show images command usage:

JATP(core)# show images

The following example demonstrates the show whitelist command usage:

JATP(core)# show whitelist

Local Time of Last Hit     Hit Count   Rule Name
Wed Sep 2 18:16:55 2015    10          URI1
Wed Sep 2 18:16:55 2015    10          URI2
Wed Sep 2 18:16:55 2015    10          URI3
Wed Sep 2 18:20:00 2015    49          greatfilesarey

The following example shows how to get the alternate-exhaust interface (eth2) status:

JATP(core)# show alternate-exhaust interface

show (diagnosis mode)

Description: Sets the logging levels for Juniper ATP Appliance components from diagnosis mode.

See Also: “show (server mode)” on page 68

Product(s) CLI: All-in-One | Collector | Core CM | Mac Mini OS X Detection Engine

Mode(s): diagnosis

Syntax: show

Parameters:

device {collectorstatus | corestatus | slavecorestatus} - Display connected device statistics for Traffic Collector, CoreCM, or Mac Mini Detection Engine Secondary “slave core.”

protocol {web | email} - Displays the session counts for network web or email protocols.

objects - Displays the current number of file objects.

logging - Displays the currently-configured logging level.

See Also: set traffic-filter (collector mode) logging

log error traceback - Displays only the tracebacks (if any) generated by Juniper ATP Appliance OS process error logs. A traceback is a stack of functions that were executing when an error condition was encountered.

log error last <integer: number of lines to display> - Displays n [1-1000] lines of the contents of the common log file.

Example: show log error last 12

Example:

The following example displays the connected Traffic Collector status.

JATP(diagnosis)# show device collectorstatus<cr>

JATP (diagnosis)# show device collectorstatus
WEB_COLLECTOR

IP : 10.2.9.68
Enabled : True
Last Seen : 2015-07-25 15:13:17.967000-07:00
Install Date : 2015-06-25 19:03:38-07:00

IP : 10.2.20.3
Enabled : True
Last Seen : 2015-07-28 11:07:42.046000-07:00
Install Date : 2013-11-14 09:25:39-08:00

This example displays the log error traceback

JATP(diagnosis)# show log error traceback<cr>
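A collector that has stopped reporting is a gap in monitored traffic, so the Last Seen field of the show device collectorstatus output is worth checking mechanically. The following is an added example, not part of the guide or of the appliance software: it assumes the output was captured to text with one "Key : value" field per line, and the function names, the reference time and the 15-minute limit are hypothetical.

```python
from datetime import datetime, timedelta

# Constructed capture that follows the field names shown in the guide's
# collectorstatus example (one "Key : value" field per line is an assumption).
SAMPLE = """\
JATP (diagnosis)# show device collectorstatus
WEB_COLLECTOR

IP : 10.2.9.68
Enabled : True
Last Seen : 2015-07-25 15:13:17.967000-07:00
Install Date : 2015-06-25 19:03:38-07:00

IP : 10.2.20.3
Enabled : True
Last Seen : 2015-07-28 11:07:42.046000-07:00
Install Date : 2013-11-14 09:25:39-08:00
"""


def parse_collectors(text):
    """Split 'Key : value' lines into one dict per collector.

    A new record starts at each 'IP' key. Lines without ' : ' (the prompt,
    section titles such as WEB_COLLECTOR, blank lines) are skipped.
    """
    records, current = [], None
    for raw in text.splitlines():
        key, sep, value = raw.partition(" : ")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "IP":
            current = {}
            records.append(current)
        if current is not None:
            current[key] = value
    return records


def stale_collectors(records, now, max_age):
    """Return (ip, reason) for collectors that are disabled or silent too long.

    now must be timezone-aware, because Last Seen carries a UTC offset.
    """
    findings = []
    for rec in records:
        ip = rec.get("IP", "?")
        if rec.get("Enabled") != "True":
            findings.append((ip, "disabled"))
            continue
        try:
            last_seen = datetime.fromisoformat(rec["Last Seen"])
        except (KeyError, ValueError):
            findings.append((ip, "no parsable Last Seen"))
            continue
        age = now - last_seen
        if age > max_age:
            hours = age.seconds // 3600
            findings.append((ip, f"silent for {age.days}d {hours}h"))
    return findings


if __name__ == "__main__":
    # Hypothetical time of the check, a few minutes after the capture.
    check_time = datetime.fromisoformat("2015-07-28 11:10:00-07:00")
    for ip, reason in stale_collectors(parse_collectors(SAMPLE),
                                       check_time, timedelta(minutes=15)):
        print(f"{ip}: {reason}")
```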

show (server mode)

Table 61: show

Description: Display configurations and status information.

Product(s) CLI: All-in-One | Collector | Core CM | Mac Mini OS X Detection Engine

Mode(s): Server. See Also: “show (diagnosis mode)” on page 47

Syntax: show

Parameters:

autoupdate - Show the automatic update setting.

cli timeout - Show the CLI timeout setting.

clock - Show the current date and time.

cm - Show the Central Manager IP address.

controller - Show the driver state for interfaces.

support - Show the remote SSH login support status.

description - Show the server or system description.

devicekey - Show the device key.

devicetype - Show the device type.

dns - Show the DNS servers settings.

eula - Show the End User License Agreement.

firewall [all | whitelist] - Show the firewall configuration settings.

hostname - Show the system’s host name.

interface [management | monitoring | alternate-exhaust] - Show information about the management (administrative) network interface eth0, or the monitoring interface (eth1), or the alternate-exhaust interface (eth2).

ip - Show the IP address of the management (administrative) interface eth0. See Also: show controller

Results may show both private and public IP addresses if the AWS vCore has a public IP.

name - Show the server name.

ntpserver - Show the Network Time Protocol (NTP) server settings.

proxy - Shows the proxy configuration for the management network.

See also show (collector mode) for show proxy inside/outside data path

stats [cpuload | disk | memory] - Show system statistics:

cpuload shows average CPU load in the system for running processes in the last 1, 5 and 15 min intervals.

disk shows the disk space usage in the system.

memory shows the system memory usage.

show stats cpuload (0.06,0.13,0.13)

system-alert - Shows the current set system-alert settings.

timezone {US/Eastern | US/Central | US/Mountain - Show the current timezone; example:

set timezone US/Pacific

TIP: set timezone <tab> shows options.

uptime - Show how long the system has been running.

uuid - Show the system UUID (universally unique ID).

version - Show Juniper ATP Appliance software and content security versions.

Example:

The following example displays information about the CoreCM server device type:

CoreCM(server)# show devicetype
Device type: cm, core

The following example requests data about the alternate-exhaust interface (eth2):

CoreCM(server)# show interface alternate-exhaust

The following example shows details about the Collector’s monitoring interface (eth1):

CoreCM(server)# show interface monitoring
Interface: monitoring (eth1) Enabled: Yes Link: Yes
IP Address: unknown Mask: unknown MTU: 1500
MAC Address: 90:d6:1f:22:70:g6 Speed: 1000Mb/s Duplex: Full
Auto-negotiation: Yes Medium: Copper
RX packets: 1869032424 Bytes: 1716560257902 Errors: 0 Overruns: 0
TX packets: 409287 Bytes: 44607401 Errors: 0 Overruns: 0
Traffic rate for the last 5 seconds/1 minute/5 minutes
RX bits/sec: 108616/160176/442736
RX packets/sec: 44/46/91
TX bits/sec: 0/112/128
TX packets/sec: 0/0/0

shutdown

Table 62: shutdown

Description: Shuts down the Juniper ATP Appliance server.

Product(s) CLI: All-in-One | Collector | Core CM | Mac Mini OS X Detection Engine

Mode(s): Server

Syntax: shutdown

Parameters: None

Example:

The following example performs a shutdown of the current device.

JATP# shutdown

traceroute

Table 63: traceroute

Description: Displays the route packets trace to a host name or an IP address.

Product(s) CLI: All-in-One | Collector | Core CM | Mac Mini OS X Detection Engine

Mode(s): Server

Syntax: traceroute

Parameters:

-h unsigned integer - Specifies the number of hops.

string - Names the remote system to be traced.

Example:

The following example performs a traceroute of the named device.

JATP# traceroute -h 2 MacMininOSX-Engine

upgrade

Table 64: upgrade

Description: Upgrade Juniper ATP Appliance software for the Core/CM device or vCore, and all connected physical or virtual devices.

Product(s) CLI: All-in-One | Core CM

Mode(s): cm

Syntax: upgrade <URI as user@hostname:path>

Parameters:

<String_URI> - Specifies the software packages to copy from a remote location for upgrading via the Core.

Example:

The following example copies Juniper ATP Appliance software to the Core from a remote location defined by the path provided.

CoreCM(cm)# upgrade [email protected]:some/remote/directory

updateimage

Table 65: updateimage

Description: Update or correct the guest-image OS profile used by the detection and analysis behavioral engine.

The updateimage command will update the guest images from a USB drive attached to the Juniper ATP Appliance.

Product(s) CLI: All-in-One | Core-CM | Mac Mini OS X Detection Engine

Mode(s): Core

Syntax: updateimage

Parameters:

built-in - Updates the guest-image on the detection Engine.

Example:

The following example performs a built-in profile update for the Core detection engine.

JATP (core)# updateimage built-in
Installing image SC-XP-20140617.img...
Previous version of SC-XP-20140617.img exists.
Checking integrity...
Image SC-XP-20140617.img is already installed
Installing image SC-W7-20140521.img...
Previous version of SC-W7-20140521.img exists.
Checking integrity...
Image SC-W7-20140521.img is already installed

wizard

Table 66: wizard

Description: Enters the Configuration Wizard. For Configuration Wizard commands and responses, see “Configuration Wizard for the CoreCM Server” in the next section to follow command prompts and recommended responses.

Product(s) CLI: All-in-One | Core/CM | Collector | Mac Mini Mac OS X

Mode(s): Basic

Syntax: wizard

Parameters: None

Example:

The following command starts the configuration wizard.

hostname # wizard

Configuration Wizard for the CoreCM Server

NOTE: Enter CTRL-C to exit the Configuration Wizard at any time. If you exit without completing the configuration, you will be prompted again whether to run the Configuration Wizard.

You may also rerun the Configuration Wizard at any time with the CLI command wizard.

Configuration Wizard Prompts:

Use DHCP to obtain the IP address and DNS server address for the administrative interface (Yes/No)?

NOTE: Only if your DHCP response is no, enter the following information when prompted:

a. IP address (no CIDR format)

b. Netmask

c. Enter a gateway IP address for this management (administrative) interface:

d. Enter primary DNS server IP address.

e. Do you have a secondary DNS Server (Yes/No).

f. Do you want to enter the search domains?

g. Enter the search domain (separate multiple search domains by space):

Restart the administrative interface (Yes/No)

Customer Response Actions:

We strongly discourage the use of DHCP addressing because it changes dynamically. A static IP address is preferred.

Recommended: Respond with no:

a. Enter an IP address

b. Enter a netmask using the form 255.255.255.0.

c. Enter a gateway IP address.

d. Enter the DNS server IP address

e. If yes, enter the IP address of the secondary DNS server.

f. Enter yes if you want DNS lookups to use a specific domain.

g. Enter search domain(s) separated by spaces; for example: example.com lan.com dom2.com

Enter yes to restart with the new configuration settings applied.

Configuration Wizard Prompts:

Enter a valid hostname.

Customer Response Actions:

Type a hostname when prompted; do not include the domain; for example: juniperatp1

NOTE: Only alphanumeric characters and hyphens (in the middle of the hostname) are allowed.

Configuration Wizard Prompts:

[OPTIONAL]

If the system detects a Secondary Core with an eth3 port, then the alternate CnC exhaust option is displayed:

Use alternate-exhaust for the analysis engine exhaust traffic (Yes/No)?

Enter IP address for the alternate-exhaust (eth2) interface:

Enter netmask for the alternate-exhaust (eth2) interface: (example: 255.255.0.0)

Enter gateway IP Address for the alternate-exhaust (eth2) interface: (example: 10.6.0.1)

Enter primary DNS server IP Address for the alternate-exhaust (eth2) interface: (example: 8.8.8.8)

Do you have a secondary DNS server for the alternate-exhaust (eth2) interface?

Do you want to enter the search domains for the alternate-exhaust (eth2) interface?

NOTE: A complete network interface restart can take more than 60 seconds

Customer Response Actions:

Refer to “Configuring an Alternate Analysis Engine Interface” in the Juniper ATP Appliance Operator’s Guide for more information.

Enter yes to configure an alternate eth2 interface.

Enter the IP address for the eth2 interface.

Enter the eth2 netmask.

Enter the gateway IP address.

Enter the primary DNS server IP Address for the alternate-exhaust (eth2) interface.

Enter yes or no to confirm or deny an eth2 secondary DNS server.

Enter yes or no to indicate whether you want to enter search domain.

Configuration Wizard Prompts:

Regenerate the SSL self-signed certificate (Yes/No)?

Customer Response Actions:

Enter yes to create a new SSL certificate for the Juniper ATP Appliance Server Web UI.

If you decline the self-signed certificate by entering no, be prepared to install a certificate authority (CA) certificate.

Configuration Wizard Prompts:

Is this a Central Manager device?:

Enter the following server attributes:

Central Manager (CM) IP Address:

Device Name: (must be unique)

Device Name: (must be unique)

Device Key PassPhrase

NOTE: Remember this passphrase and use it for all distributed devices.

Customer Response Actions:

Enter Yes; the system will auto-set IP 127.0.0.1 as the All-in-One IP address.

Enter a connected Juniper ATP Appliance Collector Device Name; this identifies the Collector in the Web UI.

Enter a device Description

Enter a user-defined PassPhrase to be used to authenticate the Core to the Central Manager.

See Also:

• All-in-One CLI Commands

• Traffic Collector CLI Commands

Mac OS X Engine CLI Commands

This chapter describes the CLI commands available for the Mac Mini Mac OS X “Secondary Core” detection engine device. There is no Collector Mode on this device.

NOTE: You must enclose non-alphabet characters in double quotes in CLI commands.

• Basic Mode Commands
• Core Mode Commands
• Server Mode Commands
• Diagnosis Mode Commands
• Mac OS X Detection Engine CLI Commands
• Configuration Wizard Command Prompt Responses

Basic Mode Commands

Use general system commands to configure the appliance, view appliance history, enter other CLI modes, obtain help with CLI syntax, and to exit the CLI session.

The general commands are:

• core
• diagnosis
• exit
• help
• history
• server
• wizard

Refer to the respective chapters in this guide to review Collector Mode, Diagnosis Mode and Server Mode commands per device: All-in-One, Mac OS X Engine, Traffic Collector and CoreCM.

Core Mode Commands

• exit
• help
• history
• show (core mode)
• updateimage

Server Mode Commands

• exit
• help
• history
• ifrestart
• ping
• reboot
• restart
• server
• set (server mode)
• show (server mode)
• shutdown
• traceroute

Diagnosis Mode Commands

• capture-start
• copy
• exit
• gssreport
• help
• history
• set (diagnosis mode)
• setupcheck
• show (diagnosis mode)

Mac OS X Detection Engine CLI Commands

• capture-start
• copy
• core
• diagnosis
• exit
• gssreport
• help
• history
• ifrestart
• ping
• reboot
• restart
• server
• set (server mode)
• set (diagnosis mode)
• setupcheck
• show (core mode)
• show (diagnosis mode)
• show (server mode)
• shutdown
• traceroute
• updateimage
• upgrade
• wizard

capture-start

Table 67: capture-start

Description: Starts packet capture as a means for diagnosing and debugging network traffic and obtaining stats.

See Also: “diagnosis” on page 31 [mode]; “copy” on page 30

Product(s) CLI: All-in-One | Collector | Core | Mac OS X Detection Engine

Mode(s): Diagnosis

Syntax: capture-start

Parameters: <IP address> <interface_name>

Sub-Commands: None

Example:

The following example starts a packet capture process on interface eth1 for a Traffic Collector with IP address 8.8.8.8:

hostname # diagnosis
hostname (diagnosis)# capture-start 8.8.8.8 eth1

NOTE: Address 8.8.8.8 need not be a Juniper ATP Appliance. It is just a host that the capture filters on.

copy

Table 68: copy

Description: Uses Secure Copy (SCP) to copy and transfer packet capture or traceback (crash) data to a remote location, providing the same authentication and level of security as an SSH transfer.

See Also: “diagnosis” on page 31 [mode]; “capture-start” on page 55

Product(s) CLI: All-in-One | Collector | Core | Mac OS X Detection Engine

Mode(s): Diagnosis

Syntax: copy capture <scp source_file_name username@destination_host:destination_folder> | traceback all <string URI as user@hostname:path>

Parameters:

copy capture <scp remote filename_location>

copy traceback all <path string>

copy traceback <tab> [tab displays all available crash filenames]

Sub-Commands: None

Example:

The following example copies the file "captureEth1.txt" from the local host to a remote host:

hostname (diagnosis)# copy capture scp captureEth1.txt [email protected]:/some/remote/directory

core

Table 69: core

Description: Enters core mode.

See Also: basic [mode];

Product(s) CLI: All-in-One | Collector | Core | Mac OS X Detection Engine

Mode(s): Basic

Syntax: core

Parameters: None

Sub-Commands: exit, help, history, show, updateimage

Example:

The following command example enters core configuration mode:

hostname # core
hostname (core)#

diagnosis

Table 70: diagnosis

Description: Enters the Diagnosis configuration and status check mode.

See Also: collector [mode], server [mode]

Product(s) CLI: All-in-One | Collector | Mac OS X Detection Engine

Mode(s): Basic

Syntax: diagnosis

Parameters: None

Sub-Commands: “capture-start” on page 55; “copy” on page 30; “exit” on page 31; “gssreport” on page 32; “help” on page 33; “history” on page 82; “set (server mode)” on page 42; “setupcheck” on page 44; “show (diagnosis mode)” on page 47; “shutdown” on page 48

Example:

The following example enters diagnosis configuration and status check mode:

hostname # diagnosis
hostname (diagnosis)# ?

exit

Table 71: exit

Description: Ends the CLI session.

Product(s) CLI: All-in-One | Collector | Core CM | Mac Mini OS X Detection Engine

Mode(s): Basic | Server | Diagnosis

Syntax: exit

Parameters: None

Example:

The following example ends a command mode or CLI session.

JATP# (diagnosis) exit
JATP#

gssreport

Table 72: gssreport

Description: Use the gssreport command to submit reports to Juniper Global Security Services (GSS), and to display the status of the current GSS report.

See Also: “gssreport” on page 32; “diagnosis” on page 31 [mode]

Product(s) CLI: All-in-One | Collector | Mac OS X Detection Engine

Mode(s): diagnosis

Syntax: gssreport status | submit

Parameters:

status - displays the status of the current GSS report.

submit - submits a report to Juniper ATP Appliance GSS.

Sub-Commands: None

Example:

The following examples display the status of a GSS report submission:

hostname # diagnosis
hostname (diagnosis)# gssreport submit
Successfully started GSS report

hostname (diagnosis)# gssreport status
GSS is currently enabled
Last 5-minute GSS report at 2015-07-28 10:34:24.414322: successfully submitted
Last hourly GSS report at 2015-07-28 10:34:24.468259: successfully submitted
Last daily GSS report at 2015-07-28 10:34:28.225512: successfully submitted

help

Table 73: help

Description: Displays information about the CLI help system.

Product(s) CLI: All-in-One | Collector | Core CM | Mac Mini OS X Detection Engine

Mode(s): Basic | Server | Diagnosis

Syntax: help

Parameters: None

Example:

The following example shows some of the output of the help command.

CONTEXT SENSITIVE HELP
[?] - Display context sensitive help. This is either a list of possible command completions with summaries, or the full syntax of the current command. A subsequent repeat of this key, when a command has been resolved, will display a detailed reference.

AUTO-COMPLETION
The following keys both perform auto-completion for the current command line. If the command prefix is not unique then the bell will ring and a subsequent repeat of the key will display possible completions.

[enter] - Auto-completes, syntax-checks then executes a command. If there is a syntax error then offending part of the command line will be highlighted and explained.

[tab] - Auto-completes
[space] - Auto-completes, or if the command is already resolved inserts a space.
If “<cr>” is shown, that means that what you have entered so far is a complete command, and you may press Enter (carriage return) to execute it.

Use ? to learn command parameters and option:
JATP (server)# show f?
firewall Show the firewall configuration settings
interface
JATP (server)# show firewall?
all Show the current iptables settings
whitelist Show the iptables whitelist settings
show firewall whitelist?
<cr>
show firewall whitelist

history

Table 74: history

Description: Displays the current CLI session command line history.

Product(s) CLI: All-in-One | Collector | Core CM | Mac Mini OS X Detection Engine

Mode(s): Basic | Server | Diagnosis

Syntax: history

Parameters: None

Example:

The following example returns command line history for the current CLI session.

JATP# (core) history

ifrestart

Table 75: ifrestart

Description: Restarts the interface driver and services using the interface.

Product(s) CLI: All-in-One | Core CM | Mac Mini OS X Detection Engine

Mode(s): Server

Syntax: ifrestart eth0 | eth1

Parameters:

eth0 - Restarts the management network administrative interface.

eth1 - Restarts the monitoring network interface.

Example:

The following example restarts the eth0 interface for the management network.

<FireEye_name># ifrestart eth0

ping

Table 76: ping

Description: Sends ICMP (Internet Control Message Protocol) echo request packets to a specified host name or IP address to verify that the destination is reachable over the network.

Product(s) CLI: All-in-One | Collector | Core CM | Mac Mini OS X Detection Engine

Mode(s): Server

Syntax: ping [-c count] [-h hops] [string]

Parameters:

-c count - Number of echo requests to send. By default, pings are sent continuously until you press Ctrl+C.

-h hops - Number of next hops between pings (default is 1).

string - IP address, hostname or interface name used to ping device address.

Example:

The following example sends three echo requests to the device with the IP Address 10.10.10.1

<FireEye_name># ping -c 3 10.10.10.1

PING 10.10.10.1 (10.10.10.1) 56(84) bytes of data.
64 bytes from 10.10.10.1: icmp_req=1 ttl=64 time=0.314ms
64 bytes from 10.10.10.1: icmp_req=2 ttl=64 time=0.277ms
64 bytes from v: icmp_req=3 ttl=64 time=0.274m

--- 10.10.10.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 1999ms
rtt min/avg/max/mdev = 0.274/0.288/0.314/0.022ms

reboot

Table 77: reboot

Description: Reboots the Juniper ATP Appliance.


Product(s) CLI: All-in-One | Collector | Core CM | MacMini OS X Detection Engine

Mode(s): Server

Syntax: reboot

Parameters: None

Example: The following example reboots the system.

hostname# reboot

restart

Table 78: restart

Description: Restarts Juniper ATP Appliance services.

Product(s) CLI: All-in-One | Collector | Core CM | MacMini OS X Detection Engine

Mode(s): Server

Syntax: restart [all | behaviorengine | cm | collector | core | correlationengine | database | ntpserver | sshserver | staticengine | webserver]

Parameters:

all - Restarts all Juniper ATP Appliance services.

database - Restarts the Database.

ntpserver - Restarts the NTP server.

sshserver - Restarts the SSH server.

Example: The following example restarts the Central Manager service.

JATP# restart cm

server

Table 79: server

Description: Enters the server configuration mode.

Product(s) CLI: All-in-One | Collector | Core/CM | MacMini Mac OS X

Mode(s): Basic

Syntax: server


Sub-Commands: “exit” on page 31; “help” on page 33; “history” on page 82; “ifrestart” on page 34; “ping” on page 34; “reboot” on page 35; “set (server mode)” on page 42; “show (server mode)” on page 68; “traceroute” on page 49; “updateimage” on page 50

Whitelist rules rely on normal service shutdown to be backed up. Powering off a VM directly will lose the whitelist state as rules cannot be saved in that case.

Example: The following example enters server configuration mode:

hostname # server
hostname (server) # ?

set (server mode)

Table 80: set

Description: Configure the system settings.

Product(s) CLI: All-in-One | Collector | Core CM | MacMini OS X Detection Engine

Mode(s): Server, See Also: “set (diagnosis mode)” on page 40

Syntax: set [autoupdate {on | off} | cli timeout secs | clock | cm address | support {enable | disable} localmode {enable | disable} | passphrase string | dns | firewall {all <backup | flush> | whitelist} | hostname string | ip interface {management | alternate-exhaust} | ntpserver | password | proxy {config | enabled | remove} | timezone string | uipassword]

Parameters: (See table below)


autoupdate {content | software} {on | off} - Turn on or off automatic product updates.

set autoupdate content on

cli timeout secs - Set CLI timeout period in seconds (0 = no timeout).

clock - Sets the current date and time.

cm address - Sets the IP address of the Central Manager and netmask using slash notation; ex: AAA.BBB.CCC.DD/X

set support {enable | disable} | {localmode} - Enables remote SSH login “support” account or localmode enable/disable.

passphrase string - Sets the device key password; enter a string.

dns - Sets DNS (or enables DHCP for DNS) for the management interface by default if interface is unspecified.

firewall {all <backup | flush> | whitelist <add | delete | flush>} - Backs up or flushes (clears) all current iptables for a firewall, or adds, deletes or flushes the current iptables whitelist-specific settings for the firewall.

The “add” option adds an IP address to the iptables outbound whitelist.

# set firewall whitelist add 10.1.1.1

NOTE: Whitelist rules rely on normal service shutdown for backup. Powering off a VM directly loses the whitelist state as rules cannot be saved in that case.

hostname string - Sets the system’s host name.

ip interface {management | alternate-exhaust} <dhcp | address | netmask | gateway> - Sets the IP address, netmask, or default gateway, or enables DHCP for the management or alternate-exhaust interface.

ntpserver - Sets the Network Time Protocol (NTP) server.

password - Sets a new password for the CLI administrator.

proxy {config <all|http> | enable <on|off> | remove <all|http>} - Config, enable/disable, or remove “all” proxy configs, or remove an HTTP-specific proxy server.

TIP: Config the proxy for “all” protocols first, and then change HTTP proxy as needed.

timezone {US/Eastern | US/Central | US/Mountain - Show the current timezone; example:

set timezone US/Pacific

TIP: set timezone <tab> shows options.

uipassword - Sets a new admin password for CM Web UI access.

Examples: The following example sets an IP address for the device management interface eth0.

JATP# set ip interface 10.1.1.1


set (diagnosis mode)

Table 81: set

Description: Sets the logging levels for Juniper ATP Appliance components from diagnosis mode.

See Also: “set (server mode)” on page 42

Product(s) CLI: All-in-One | Collector | Core CM | MacMini OS X Detection Engine

Mode(s): diagnosis

Syntax: set logging

Parameters:

all - Sets logging for all Juniper ATP Appliance components.

default - Sets logging to the default parameters.

debug - Sets logging at the debug level.

info - Sets logging at the info level.

warning - Sets logging at the warning level.

error - Sets logging at the error level.

critical - Sets logging at the critical level.

Example: The following example sets the default logging level for all Juniper ATP Appliance components.

JATP# set logging all

setupcheck

Table 82: setupcheck

Description: Checks and reports on basic configuration settings and analysis pipeline setup.

Product(s) CLI: All-in-One | Core CM | MacMini OS X Detection Engine

Mode(s): diagnosis

Syntax: setupcheck {all | report | basic | analysis}


Parameters:

all - Checks both basic settings and analysis pipeline.

report - Shows report of last setupcheck.

basic - Checks basic configuration settings.

analysis - Checks the analysis pipeline.

Example: The following example checks all basic configuration settings as well as the analysis pipeline:

JATP (diagnosis) # setupcheck all

show (core mode)

Table 83: show

Description: Displays the guest image(s) status.

See Also: “show (server mode)” on page 68; show (diagnostic mode)

Product(s) CLI: All-in-One | Collector | Core CM | MacMini OS X Detection Engine

Mode(s): Core

Syntax: show

Parameters:

images - Displays guest image update and status information.

whitelist - Displays the name, hit count and the time of last hit of a user-configured whitelist.

Note that when a whitelist rule is deleted, it will be removed from the list. Updates to an existing rule are not affected by the presence of the rule in the output, but hit count could increment. Further, more than one rule can be hit by a single incident.

alternate-exhaust interface - Displays the status of the alternate exhaust interface eth2.

Example: The following example demonstrates the show images command usage:

JATP(core)# show images

The following example shows how to get the alternate-exhaust interface (eth2) status:

JATP(core)# show alternate-exhaust interface


show (diagnosis mode)

Description: Sets the logging levels for Juniper ATP Appliance components from diagnosis mode.

See Also: “show (server mode)” on page 68

Product(s) CLI: All-in-One | Collector | Core CM | MacMini OS X Detection Engine

Mode(s): diagnosis

Syntax: show

Parameters:

device {collectorstatus | | corestatus | slavecorestatus} - Display connected device statistics for Traffic Collector, Core CM, or MacMini Detection Engine Secondary “slave core.”

NOTE: Not available from the Mac Mini CLI.

protocol {web | email} - Displays the session counts for network web or email protocols.

NOTE: Not available from the Mac Mini CLI.

objects - Displays the current number of file objects.

NOTE: Not available from the Mac Mini CLI.

logging - Displays the currently-configured logging level.

See Also: set (diagnosis mode) logging

log error traceback - Displays only the tracebacks (if any) generated by Juniper ATP Appliance OS process error logs. A traceback is a stack of functions that were executing when an error condition was encountered.

log error last <integer: number of lines to display> - Displays n [1-1000] lines of the contents of the common log file.

Example: The following example displays the connected Traffic Collector status.

osx-1(server)# show devicetype
Device type: slave_core.

show (server mode)

Table 84: show

Description: Display configurations and status information.

Product(s) CLI: All-in-One | Collector | Core CM | MacMini OS X Detection Engine

Mode(s): Server, See Also: “show (diagnosis mode)” on page 47

Syntax: show


Parameters: (See the columns below)

autoupdate - Show the automatic update setting.

cli - Show the CLI setting.

clock - Show the current date and time.

cm - Show the Central Manager IP address.

controller - Show the driver state for interfaces.

support - Show support status.

description - Show the server or system description.

devicekey - Show the device key.

devicetype - Show the device type.

dns - Show the DNS servers settings.

eula - Show the End User License Agreement.

firewall [all | whitelist] - Show the firewall configuration settings.

hostname - Show the system’s host name.

interface [management | monitoring | alternate-exhaust] - (administrative) network interface eth0, or the monitoring interface (eth1), or the alternate-exhaust interface (eth2).

See Also: show controller

ip - Show the IP address of the management (administrative) interface eth0.

name - Show the server name.

ntpserver - Show the Network Time Protocol (NTP) server settings.

proxy - Show current proxy configuration.

stats [cpuload | disk | memory] - Show system statistics:

• cpuload shows the average CPU load in the system for running processes in the last 1, 5 and 15 minute intervals.

• disk shows the disk space usage in the system.

• memory shows the system memory usage.

timezone - Show the current timezone.


upgrade - Show the last manual upgrade-related information.

uuid - Show the system UUID (universally unique ID).

uptime - Show how long the system has been running.

version - Show Juniper ATP Appliance software and content security versions.

Example: The following example displays information about the MacOSX cpuload statistics:

MacOSX (server)# # show stats cpuload
(0.06, 0.13, 0.13)

The following example requests details for the Collector’s monitoring interface (eth1):

MacOSX(server)# show interface monitoring

shutdown

Table 85: shutdown

Description: Shuts down the Juniper ATP Appliance server.

Product(s) CLI: All-in-One | Collector | Core CM | MacMini OS X Detection Engine

Mode(s): Server

Syntax: shutdown

Parameters: None

Example: The following example performs a shutdown of the current device.

JATP# shutdown

traceroute

Table 86: traceroute

Description: Displays the route packets trace to a host name or an IP address.

Product(s) CLI: All-in-One | Collector | Core CM | MacMini OS X Detection Engine

Mode(s): Server

Syntax: traceroute


Parameters:

-h unsigned integer - Specifies the number of hops.

string - Names the remote system to be traced.

Example: The following example performs a traceroute of the named device.

MacOSX1# traceroute -h 2 MacMininOSX2-Engine

updateimage

Table 87: updateimage

Description: Update or correct the guest-image OS profile used by the detection and analysis behavioral engine.

The updateimage command will update the guest images from a USB drive attached to the Juniper ATP Appliance.

Product(s) CLI: MacMini OS X Detection Engine

Mode(s): Core

Syntax: updateimage

Parameters:

built-in - Updates the guest-image on the Mac OSX Detection “Secondary core.”

Example: The following example performs a built-in profile update for the Core detection engine.

MAC2(core)# updateimage built-in
Installing image SC-OSX-20131003.img...
Previous version of SC-OSX-20131003.img exists. Checking integrity...
Latest Image SC-OSX-20131003.img is already installed
Installing image SC-XP-20140617.img...
Previous version of SC-XP-20140617.img exists. Checking integrity...
Image SC-XP-20140617.img is already installed
Installing image SC-W7-20140521.img...
Previous version of SC-W7-20140521.img exists. Checking integrity...
Image SC-W7-20140521.img is already installed


upgrade

Table 88: upgrade

Description: Upgrade a configured Juniper ATP Appliance Mac OSX Mac Mini device. If the Mac Mini has already been upgraded to Ubuntu 14.04, this upgrade command will not be visible at the CLI because it will not be needed.

Please note that this command will only show up for existing customers that have Mac Mini devices configured as Juniper ATP Appliance Mac OSX detection engine Secondary Cores (running Ubuntu 13.10). For new customers running Juniper ATP Appliance Release 3.2.5, each Mac Mini device is shipped with the new Ubuntu 14.04 version already installed, so in this case, the upgrade command will again not be available from the Juniper ATP Appliance Mac OSX Engine CLI.

Product(s) CLI: MacMini OS X Detection Engine

Mode(s): Core

Syntax: upgrade

Parameters:

built-in - Updates the guest-image on the Mac OSX Detection “secondary core.”

Example: The following example performs a built-in Mac OS X profile update for the Mac Mini-based Secondary core detection engine.

MAC2(core)# upgrade

wizard

Table 89: wizard

Description: Enters the Configuration Wizard. For Configuration Wizard commands and response, see “Configuration Wizard for the CoreCM Server” in the next section to follow command prompts and recommended responses.

Product(s) CLI: All-in-One | Core/CM | Collector | MacMini Mac OS X

Mode(s): Basic

Syntax: wizard

Parameters: None

Example: The following command starts the configuration wizard.

hostname # wizard

Configuration Wizard Command Prompt Responses

Configuration Wizard Prompts | Customer Response from the Mac Mini


Configuration Wizard Prompt:

Use DHCP to obtain the IP address and DNS server address for the administrative interface (Yes/No)?

NOTE: Only if your DHCP response is no, enter the following information when prompted:

a. IP address (no CIDR format)

b. Netmask

c. Enter a gateway IP address for this management (administrative) interface:

d. Enter primary DNS server IP address.

e. Do you have a secondary DNS Server (Yes/No).

f. Do you want to enter the search domains?

g. Enter the search domain (separate multiple search domains by space):

Restart the administrative interface (Yes/No)?

Customer Response:

We strongly discourage the use of DHCP addressing because it changes dynamically. A static IP address is preferred.

Recommended: Respond with no:

a. Enter an IP address

b. Enter a netmask using the form 255.255.255.0.

c. Enter a gateway IP address.

d. Enter the DNS server IP address

e. If yes, enter the IP address of the secondary DNS server.

f. Enter yes if you want DNS lookups to use a specific domain.

g. Enter search domain(s) separated by spaces; for example: example.com lan.com dom2.com

Enter yes to restart with the new configuration settings applied.

Configuration Wizard Prompt:

Enter a valid hostname.

Customer Response:

Type a hostname when prompted; do not include the domain; for example: juniperatp1

NOTE: Only alphanumeric characters and hyphens (in the middle of the hostname) are allowed.

Configuration Wizard Prompt:

[OPTIONAL]

If the system detects a Secondary Core with an eth2 port, then the alternate CnC exhaust option is displayed:

Use alternate-exhaust for the analysis engine exhaust traffic (Yes/No)?

Enter IP address for the alternate-exhaust (eth2) interface:

Enter netmask for the alternate-exhaust (eth2) interface: (example: 255.255.0.0)

Enter gateway IP Address for the alternate-exhaust (eth2) interface: (example: 10.6.0.1)

Enter primary DNS server IP Address for the alternate-exhaust (eth2) interface: (example: 8.8.8.8)

Do you have a secondary DNS server for the alternate-exhaust (eth2) interface?

Do you want to enter the search domains for the alternate-exhaust (eth2) interface?

NOTE: A complete network interface restart can take more than 60 seconds

Customer Response:

Refer to “Configuring an Alternate Analysis Engine Interface” in the Juniper ATP Appliance Operator’s Guide for more information.

Enter yes to configure an alternate eth2 interface.

Enter the IP address for the eth2 interface.

Enter the eth2 netmask.

Enter the gateway IP address.

Enter the primary DNS server IP Address for the alternate-exhaust (eth2) interface.

Enter yes or no to confirm or deny an eth2 secondary DNS server.

Enter yes or no to indicate whether you want to enter search domain.

Configuration Wizard Prompt:

Regenerate the SSL self-signed certificate (Yes/No)?

Customer Response:

Enter yes to create a new SSL certificate for the Juniper ATP Appliance Server Web UI.

If you decline the self-signed certificate by entering no, be prepared to install a certificate authority (CA) certificate.


Configuration Wizard Prompt:

Enter the following server attributes:

Central Manager (CM) IP Address:

Device Name: (must be unique)

Device Description

Device Key PassPhrase

NOTE: Remember this passphrase and use it for all distributed devices!

Customer Response:

Required: Enter the IP address of the Juniper ATP Appliance Server Core/CM or All-in-One.

Enter a Juniper ATP Appliance Mac Mini or Core/CM Device Name; this identifies the Mac OS X or Core Engine in the Web UI.

Enter a device Description

Enter the same PassPhrase used to authenticate the Core or Mac Mini to the Central Manager.

See Also: All-in-One CLI Commands on page 25
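The rules the wizard prompts state (static addressing preferred, no CIDR in the IP answer, a 255.255.255.0-style netmask, a bare hostname with hyphens only in the middle, space-separated search domains) can be checked before anyone sits at the console. The following is an added example, not part of the Juniper guide: the function name, dictionary keys and the sample IP address are assumptions, and the gateway-on-link check is general IP practice rather than something the guide states.

```python
import ipaddress
import re

# Hostname rule from the wizard note: alphanumerics and hyphens only, hyphens
# only in the middle, and no domain part (so no dots).
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(LABEL)
# Assumption: a search domain is two or more such labels joined by dots.
DOMAIN_RE = re.compile(rf"{LABEL}(?:\.{LABEL})+")


def _plain_ipv4(field, value, problems):
    """Return an IPv4Address, or record a problem and return None."""
    try:
        return ipaddress.IPv4Address(value)
    except ValueError:
        # Also rejects CIDR input such as 10.6.0.20/16 ("no CIDR format").
        problems.append(f"{field}: {value!r} is not a plain dotted IPv4 address")
        return None


def check_wizard_answers(answers):
    """Validate planned answers for the static-addressing prompts.

    Returns a list of "field: message" strings; an empty list means the
    answers are consistent with the rules the wizard section states.
    """
    problems = []
    if answers.get("use_dhcp", "no").strip().lower() != "no":
        problems.append("use_dhcp: the guide recommends answering no (static IP)")
    if not HOSTNAME_RE.fullmatch(answers.get("hostname", "")):
        problems.append("hostname: use alphanumerics and mid-name hyphens, no domain")

    ip = _plain_ipv4("ip", answers.get("ip", ""), problems)
    gateway = _plain_ipv4("gateway", answers.get("gateway", ""), problems)
    _plain_ipv4("dns1", answers.get("dns1", ""), problems)
    if answers.get("dns2"):  # the secondary DNS server is optional
        _plain_ipv4("dns2", answers["dns2"], problems)

    network = None
    mask = answers.get("netmask", "")
    try:
        base = ip if ip is not None else ipaddress.IPv4Address("0.0.0.0")
        candidate = ipaddress.IPv4Network(f"{base}/{mask}", strict=False)
        # ipaddress also accepts prefix lengths ("16") and host masks
        # ("0.0.255.255"); the wizard asks for the 255.255.255.0 form only.
        if str(candidate.netmask) != mask:
            raise ValueError(mask)
        if ip is not None:
            network = candidate
    except ValueError:
        problems.append(f"netmask: {mask!r} is not a dotted netmask like 255.255.255.0")

    if network is not None:
        edges = (network.network_address, network.broadcast_address)
        if network.prefixlen < 31 and ip in edges:
            problems.append(f"ip: {ip} is the network or broadcast address of {network}")
        # Assumption (general IP practice): the gateway must be on-link.
        if gateway is not None and (gateway not in network or gateway == ip):
            problems.append(f"gateway: {gateway} is not a usable next hop in {network}")

    # Search domains are entered on one line, separated by spaces.
    for domain in answers.get("search_domains", "").split():
        if not DOMAIN_RE.fullmatch(domain):
            problems.append(f"search_domains: {domain!r} is not a valid domain")
    return problems


# Constructed sample answers: hostname, netmask, gateway, DNS server and search
# domains reuse the guide's own example values; the IP address is made up.
GOOD_ANSWERS = {
    "use_dhcp": "no",
    "hostname": "juniperatp1",
    "ip": "10.6.0.20",
    "netmask": "255.255.0.0",
    "gateway": "10.6.0.1",
    "dns1": "8.8.8.8",
    "search_domains": "example.com lan.com dom2.com",
}

if __name__ == "__main__":
    # A prefix length instead of a dotted netmask is reported as a problem.
    for problem in check_wizard_answers(dict(GOOD_ANSWERS, netmask="16")):
        print(problem)
```
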

Traffic Collector CLI Commands

This chapter describes the commands specific to the Juniper ATP Appliance Collector CLI. The available commands are as follows:

• Basic Mode Commands

• Collector Mode Commands

• Diagnosis Mode Commands

• Server Mode Commands

• Traffic Collector CLI Commands

• traceroute

• Configuration Wizard Command Prompt Progressions

Basic Mode Commands

• collector

• diagnosis

• exit

• help

• history

• server

• wizard

Collector Mode Commands

• exit

• help

• history

• set honeypot (collector mode)


• set proxy (collector mode)

• set protocols (collector mode)

• set traffic-filter (collector mode)

• show (collector mode)

Diagnosis Mode Commands

• capture-start

• copy

• exit

• gssreport

• help

• history

• set (diagnosis mode)

• setupcheck

• show (diagnosis mode)

Server Mode Commands

• exit

• help

• history

• ifrestart

• ping

• reboot

• restart

• set (server mode)

• set appliance-type (server mode)

• show (server mode)

• shutdown

• traceroute


Traffic Collector CLI Commands

• capture-start

• collector

• copy

• diagnosis

• exit

• gssreport

• help

• history

• ifrestart

• ping

• reboot

• restart

• server

• set proxy (collector mode)

• set honeypot (collector mode)

• set (diagnosis mode)

• set protocols (collector mode)

• set (server mode)

• set appliance-type (server mode)

• set traffic-filter (collector mode)

• set traffic-monitoring (for JATP700 and JATP400 Appliances) (collector mode)

• setupcheck

• show (collector mode)

• show (diagnosis mode)

• show (server mode)

• shutdown

capture-start

Table 90: capture-start

Description: Starts packet capture as a means for diagnosing and debugging network traffic and obtaining stats.

See Also: “diagnosis” on page 31 [mode]; “collector” on page 29 [mode]; “copy” on page 30

Product(s) CLI: All-in-One | Collector

Mode(s): Diagnosis


Syntax: capture-start

Parameters: <IP address> <interface_name>

Sub-Commands: None

Example: The following example starts a packet capture process on interface eth1 for a Traffic Collector with IP address 8.8.8.8:

hostname # diagnosis

hostname (diagnosis)# capture-start 8.8.8.8 eth1

NOTE: Address 8.8.8.8 need not be a Juniper ATP Appliance. It is just a host that the capture filters on.

collector

Table 91: collector

Description: Enters the Collector configuration mode.

See Also: “server” on page 36 [mode]

Product(s) CLI: All-in-One | Collector

Mode(s): Basic

Syntax: collector

Parameters: None

Sub-Commands: “exit” on page 31; “help” on page 33; “history” on page 33; “set proxy (collector mode)” on page 39; “show (collector mode)” on page 45

Example: The following example enters collector configuration mode:

hostname # collector
hostname (collector)# ?

copy

Table 92: copy

Description: Uses Secure Copy (SCP) to copy and transfer packet capture or traceback (crash) data to a remote location, providing the same authentication and level of security as an SSH transfer.

The copy traceback command, upon Customer Support's request, copies the traceback files out of the box to a remote location.

See Also: “diagnosis” on page 31 [mode]; “capture-start” on page 55

Product(s) CLI: All-in-One | Collector | Core-CM | Mac OSX Engine


Mode(s): Diagnosis

Syntax: copy capture <scp source_file_name username@destination_host:destination_folder> | traceback all <string URI as user@hostname:path>

Parameters:

copy capture <scp remote filename_location>

copy traceback all <path string>

copy traceback <tab> [tab displays all available crash filenames]

Sub-Commands: None

Example: The following example copies the file "captureEth1.txt" from the local host to a remote host:

hostname (diagnosis)# copy capture scp captureEth1.txt [email protected]:/some/remote/directory

diagnosis

Table 93: diagnosis

Description: Enters the Diagnosis configuration and status check mode.

See Also: collector [mode], server [mode]

Product(s) CLI: All-in-One | Collector | Mac OS X Detection Engine

Mode(s): Basic

Syntax: diagnosis

Parameters: None

Sub-Commands: “capture-start” on page 55; “copy” on page 30; “exit” on page 31; “gssreport” on page 32; “help” on page 33; “history” on page 33; “set (server mode)” on page 42; “setupcheck” on page 44; “show (diagnosis mode)” on page 47; “show (server mode)” on page 68

Example: The following example enters diagnosis configuration and status check mode:

hostname # diagnosis

hostname (diagnosis)# ?

exit

Table 94: exit

Description: Ends the CLI session.

Product(s) CLI: All-in-One | Collector | Core CM | MacMini OS X Detection Engine


Mode(s): Basic | Server | Collector | Diagnosis

Syntax: exit

Parameters: None

Example: The following example ends a command mode or CLI session.

JATP# (diagnosis) exit
JATP#

gssreport

Table 95: gssreport

Description: Use the gssreport command to submit reports to Juniper Global Security Services (GSS), and to display the status of the current GSS report.

See Also: “gssreport” on page 32; “diagnosis” on page 31 [mode]

Product(s) CLI: All-in-One | Collector | Mac OS X Detection Engine

Mode(s): diagnosis

Syntax: gssreport status | submit

Parameters:

status - displays the status of the current GSS report.

submit - submits a report to Juniper ATP Appliance GSS.

Sub-Commands: None

Example: The following examples display the status of a GSS report submission:

hostname # diagnosis
hostname (diagnosis)# gssreport submit
Successfully started GSS report

hostname (diagnosis)# gssreport status
GSS is currently enabled
Last 5-minute GSS report at 2015-07-28 10:34:24.414322: successfully submitted
Last hourly GSS report at 2015-07-28 10:34:24.468259: successfully submitted
Last daily GSS report at 2015-07-28 10:34:28.225512: successfully submitted
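The status output above lends itself to an automated health check: captured text can be parsed and any report that did not succeed, or that is older than its cadence allows, flagged for follow-up. This is an added example, not part of the Juniper guide; the function name, the staleness tolerance (`slack`) and the "failed" wording in the second sample are assumptions, and only the first sample is the guide's own output.

```python
import re
from datetime import datetime, timedelta

# Report cadences named in the status output; used to decide staleness.
INTERVALS = {
    "5-minute": timedelta(minutes=5),
    "hourly": timedelta(hours=1),
    "daily": timedelta(days=1),
}
LINE_RE = re.compile(
    r"^Last (5-minute|hourly|daily) GSS report at "
    r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{1,6}):\s*(.+)$"
)


def check_gss_status(text, now, slack=2):
    """Return findings for one captured `gssreport status` output.

    A report is flagged when its result is not "successfully submitted",
    when it is older than `slack` times its interval (assumed tolerance),
    or when its line is missing from the output.
    """
    findings = []
    if "GSS is currently enabled" not in text:
        findings.append("GSS reporting is not shown as enabled")

    seen = {}
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            kind, stamp, result = match.groups()
            when = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S.%f")
            seen[kind] = (when, result.strip())

    for kind, interval in INTERVALS.items():
        if kind not in seen:
            findings.append(f"{kind}: no report line found")
            continue
        when, result = seen[kind]
        if result != "successfully submitted":
            findings.append(f"{kind}: last report result was {result!r}")
        elif now - when > slack * interval:
            findings.append(f"{kind}: last report is stale ({when})")
    return findings


# The status output shown in the guide's example.
PAGE_SAMPLE = """\
GSS is currently enabled
Last 5-minute GSS report at 2015-07-28 10:34:24.414322: successfully submitted
Last hourly GSS report at 2015-07-28 10:34:24.468259: successfully submitted
Last daily GSS report at 2015-07-28 10:34:28.225512: successfully submitted
"""

# Constructed variant: the "failed" wording is made up for illustration,
# the guide does not show what an unsuccessful report looks like.
FAILED_SAMPLE = PAGE_SAMPLE.replace(
    "10:34:24.468259: successfully submitted", "10:34:24.468259: failed"
)

if __name__ == "__main__":
    # Twenty-five minutes later the 5-minute report is overdue.
    for finding in check_gss_status(PAGE_SAMPLE, datetime(2015, 7, 28, 11, 0)):
        print(finding)
```
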

help

Table 96: help

Description: Displays information about the CLI help system.


Product(s) CLI: All-in-One | Collector | Core CM | MacMini OS X Detection Engine

Mode(s): Basic | Server | Collector | Diagnosis

Syntax: help

Parameters: None

Example: The following example shows some of the output of the help command.

CONTEXT SENSITIVE HELP

[?] - Display context sensitive help. This is either a list of possible command completions with summaries, or the full syntax of the current command. A subsequent repeat of this key, when a command has been resolved, will display a detailed reference.

AUTO-COMPLETION

The following keys both perform auto-completion for the current command line. If the command prefix is not unique then the bell will ring and a subsequent repeat of the key will display possible completions.

[enter] - Auto-completes, syntax-checks then executes a command. If there is a syntax error then offending part of the command line will be highlighted and explained.

[tab] - Auto-completes

[space] - Auto-completes, or if the command is already resolved inserts a space.

If “<cr>” is shown, that means that what you have entered so far is a complete command, and you may press Enter (carriage return) to execute it.

Use ? to learn command parameters and option:

JATP (server)# show f?
firewall Show the firewall configuration settings
interface
JATP (server)# show firewall?
all Show the current iptables settings
whitelist Show the iptables whitelist settings
show firewall whitelist?
<cr>
show firewall whitelist

history

Table 97: history

Description: Displays the current CLI session command line history.

Product(s) CLI: All-in-One | Collector | Core CM | MacMini OS X Detection Engine

Mode(s): Basic | Server | Collector | Diagnosis

Syntax: history

Parameters: None

Example: The following example returns command line history for the current CLI session.

JATP# history


ifrestart

Table 98: ifrestart

Description: Restarts the interface driver and services using the interface.

Product(s) CLI: All-in-One | Core CM | MacMini OS X Detection Engine

Mode(s): Server

Syntax: ifrestart eth0 | eth1

Parameters:

eth0 - Restarts the management network administrative interface.

eth1 - Restarts the monitoring network interface.

Example: The following example restarts the eth0 interface for the management network.

<FireEye_name># ifrestart eth0

ping

Table 99: ping

Description: Sends ICMP (Internet Control Message Protocol) echo request packets to a specified host name or IP address to verify that the destination is reachable over the network.

Product(s) CLI: All-in-One | Collector | Core CM | MacMini OS X Detection Engine

Mode(s): Server

Syntax: ping [-c count] [-h hops] [string]

Parameters:

-c count - Number of echo requests to send. By default, pings are sent continuously until you press Ctrl+C.

-h hops - Number of next hops between pings (default is 1).

string - IP address, hostname or interface name used to ping device address

Example: The following example sends three echo requests to the device with the IP address 10.10.10.1:

<FireEye_name># ping -c 3 10.10.10.1

PING 10.10.10.1 (10.10.10.1) 56(84) bytes of data.
64 bytes from 10.10.10.1: icmp_req=1 ttl=64 time=0.314ms
64 bytes from 10.10.10.1: icmp_req=2 ttl=64 time=0.277ms
64 bytes from v: icmp_req=3 ttl=64 time=0.274m

--- 10.10.10.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 1999ms
rtt min/avg/max/mdev = 0.274/0.288/0.314/0.022ms


reboot

Table 100: reboot

Description: Reboots the Juniper ATP Appliance.

Product(s) CLI: All-in-One | Collector | Core CM | Mac Mini OS X Detection Engine

Mode(s): Server

Syntax: reboot

Parameters: None

Example: The following example reboots the system.

hostname# reboot

restart

Table 101: restart

Description: Restarts Juniper ATP Appliance services.

Product(s) CLI: All-in-One | Collector | Core CM | Mac Mini OS X Detection Engine

Mode(s): Server

Syntax: restart [all | behaviorengine | cm | collector | core | correlationengine | database | ntpserver | sshserver | staticengine | webserver]

Parameters:

all: Restarts all Juniper ATP Appliance services.

database: Restarts the Database.

ntpserver: Restarts the NTP server.

sshserver: Restarts the SSH server.

Example: The following example restarts the Central manager service.

JATP# restart cm

server

Table 102: server

Description: Enters the server configuration mode.

See Also: “collector” on page 29

Product(s) CLI: All-in-One | Collector | Core/CM | Mac Mini Mac OS X

Mode(s): Basic

Syntax: server

Sub-Commands: “exit” on page 31; “help” on page 33; “history” on page 33; “ifrestart” on page 34; “ping” on page 34; “reboot” on page 35; [Unresolved xref]; “set (server mode)” on page 42; “show (server mode)” on page 68

Example: The following example enters server configuration mode:

hostname # server
hostname (server) # ?

set proxy (collector mode)

Table 103: set proxy

Description: Sets an Inside or Outside data path proxy from collector mode.

Deploy Traffic Collectors in locations where the monitoring interface is (1) placed “outside” between the proxy and the egress network for customer environments in which the proxy supports XFF (X-Forwarded-For), or (2) [the more typical deployment scenario], the Collector is placed between the proxy and the internal network using FQDN (if available) to identify the threat source for all types of incidents (“inside” proxy). When configured, the Juniper ATP Appliance Traffic Collector will monitor all traffic and correctly identify source and destination hosts for each link in the kill chain wherever the data allows for it.

Note that if the “X-Forwarded-For” header is provided in the HTTP request, detection will identify threat targets when deployed outside of the proxy (customers can choose to disable the XFF feature in the proxy setting, if desired).

See Also: “set (server mode)” on page 42; “set (diagnosis mode)” on page 40

NOTE: The mitigation IP address of a CNC server is not available for Inside proxy deployments. When a Juniper ATP Appliance is deployed behind a proxy, the Mitigation->Firewall page in the Juniper ATP Appliance Central Manager Web UI (which typically displays the CNC server IP address to mitigate) will be empty. Because any callback is made to the proxy server, its destination IP address is the proxy server IP address, which is not relevant to display on the Mitigation->Firewall page.

Product(s) CLI: All-in-One | Collector

Mode(s): collector

Syntax:

set proxy inside {add <proxy IP address> <proxy port> | remove <proxy IP address> <proxy port>}

set proxy outside {add <proxy IP address> | remove <proxy IP address>}

Parameters:

inside: Sets the inside proxy IP addresses

outside: Sets the outside proxy IP addresses

add: Adds a proxy configuration.

remove: Removes a proxy configuration.

Example: The following example sets an inside data path proxy:

JATP(collector)# set proxy inside add 10.1.1.1 53

The following example sets an outside data path proxy:

JATP(collector)# set proxy outside add 10.2.1.1

set honeypot (collector mode)

Table 104: set honeypot

Description: Enables and disables the SSH-Honeypot feature for a Traffic Collector.

A honeypot can be deployed within a customer network to detect network activity generated by malware attempting to infect or attack other machines in a local area network. These attempted SSH logins can be used to supplement detection of lateral spread.

There are two parameters that can be set for a honeypot:

• Enable/disable a honeypot

• Set a Static IP (IP, mask, and gateway) or DHCP of a publicly addressable interface

See Also: show honeypot command in “show (collector mode)” on page 45

Product(s) CLI: All-in-One | Collector

Mode(s): collector

Syntax:

(collector)# set honeypot ssh-honeypot enable dhcp

(collector)# set honeypot ssh-honeypot enable address (IP address) netmask (subnet IP) gateway (IP address)

(collector)# set honeypot ssh-honeypot disable

Example: The following example enables the SSH honeypot with a static IP address:

(collector)# set honeypot ssh-honeypot enable address 1.2.3.4 netmask 255.255.0.0 gateway 1.2.3.1

NOTE: The static IP configuration does not require configuring DNS. Honeypots do not require a DNS server at this time.


set (diagnosis mode)

Table 105: set

Description: Sets the logging levels for Juniper ATP Appliance components from diagnosis mode.

See Also: “set (server mode)” on page 42; “set proxy (collector mode)” on page 39

Product(s) CLI: All-in-One | Collector | Core CM | Mac Mini OS X Detection Engine

Mode(s): diagnosis

Syntax: set logging

Parameters:

all: Sets logging for all Juniper ATP Appliance components.

default: Sets logging to the default parameters

debug: Sets logging at the debug level.

info: Sets logging at the info level.

warning: Sets logging at the warning level.

error: Sets logging at the error level.

critical: Sets logging at the critical level.

Example: The following example sets the default logging level for all Juniper ATP Appliance components.

JATP# set logging all

set protocols (collector mode)

Table 106: set protocols

Description: Enables and disables the HTTP or SMB parser for a Traffic Collector.

See Also: show protocols command in “show (collector mode)” on page 45

Product(s) CLI: All-in-One | Collector

Mode(s): collector

Syntax: (collector)# set protocols {http [on|off] | smb [on|off]}

Example: The following example enables the SMB parser for lateral detections:

hostname (collector)# set protocols smb on


set (server mode)

Table 107: set

Description: Configure the system settings.

Product(s) CLI: All-in-One | Collector | Core CM | Mac Mini OS X Detection Engine

Mode(s): Server. See Also: “set (diagnosis mode)” on page 40; “set proxy (collector mode)” on page 39

Syntax: set [autoupdate {on | off} | cli timeout secs | clock | cm address | support {on | off} | passphrase string | dns | firewall {all <backup | flush> | whitelist} | hostname string | ip {interface | dhcp | address | netmask | gateway} | ntpserver | password | proxy {config | enabled | remove} | timezone string | uipassword]

Parameters:

autoupdate {software | content} {on | off}: Turn on or off the automatic product update feature.

example: set autoupdate content on

cli timeout secs: Set CLI timeout period in seconds (0 indicates no timeout).

clock: Sets the current date and time.

cm address: Sets the IP address of the Central Manager and netmask using the slash notation; example: AAA.BBB.CCC.DD/x

set support {enable | disable} | {localmode}: Enables remote SSH login “support” account or localmode enable/disable.

passphrase string: Sets the device key password; enter a string.

dns: Sets the DNS servers (or enable DHCP for DNS) for the management interface eth0.

firewall {all <backup | flush> | whitelist <add | delete | flush>}: Backs up or flushes (clears) all current iptables for a firewall, or adds, deletes or flushes the current iptables whitelist-specific settings for the firewall.

The “add” option adds an IP address to the iptables outbound whitelist.

# set firewall whitelist add 10.1.1.1

Whitelist rules rely on normal service shutdown to be backed up. Powering off a VM directly will lose the whitelist state, as rules cannot be saved in that case.

hostname string: Sets the system’s host name.

ip {interface | dhcp | address | netmask | gateway}: Sets the IP address, netmask, or default gateway, or enables DHCP for the management interface eth0.

ntpserver: Sets the Network Time Protocol (NTP) server.

password: Sets a new password for the CLI administrator.

proxy {config <all|http> | enable <on|off> | remove <all|http>}: Config, enable/disable, or remove “all” proxy configs, or remove an HTTP-specific proxy server.

TIP: Config the proxy for “all” protocols first, and then change HTTP proxy as needed.

timezone {US/Eastern | US/Central | US/Mountain: Set the timezone; example:

set timezone US/Pacific

TIP: set timezone <tab> shows options.

uipassword: Sets a new admin password for CM Web UI access.

Examples: The following example sets an IP address for the device management interface eth0.

JATP# set ip interface 10.1.1.1

set appliance-type (server mode)

Table 108: set appliance-type

Description: Change the appliance type at any time. For example, change from All-In-One to Core/CM. Note that if you change the appliance type after the initial installation, all data files related to the current type are lost and you must set up the appliance as you would a fresh box.

Product(s) CLI: All-in-One | Core CM | Collector

Mode(s): server

Syntax: jatp:AIO#(server)# set appliance-type core-cm

Parameters:

all-in-one

core-cm

email-collector

traffic-collector

Example: The following example changes the form factor of the appliance from all-in-one (the default) to core-cm:

jatp:AIO#(server)# set appliance-type core-cm
This will result in the deletion of all data and configurations not relevant to the new form factor.

Proceed? (Yes/No)? Yes

set traffic-filter (collector mode)

Table 109: set traffic-filter

Description: Sets traffic filter rules that exclude a configured set of traffic from analysis. Filtering cannot be made retroactive: any analysis skipped as a result of the filtering cannot be reversed. This command can be applied to an entire network/subnet/CIDR range.

See Also: “set (server mode)” on page 42; “show (diagnosis mode)” on page 47 [show traffic-filter]

Product(s) CLI: All-in-One | Collector

Mode(s): collector

Syntax: set traffic-filter {add <rule_name> <domain> <source-address> <destination-address> <source-port> <destination-port> <protocol> | remove <rule_name>}

Parameters:

traffic-filter add: Adds a traffic filter rule where:

<RuleString>: “RuleString” is the name of the rule

<DomainString>: “DomainString” is the domain to filter out

<source-address>: “source-address” is the source IPv4 address or network (CIDR)

<destination-address>: “destination-address” is the destination IPv4 address or network (CIDR)

<source-port>: “source-port” is the source port number (0-65535)

<destination-port>: “destination-port” is the destination port number (0-65535)

<protocol>: “protocol” is the protocol type: either IP, TCP, UDP or HTTP

Example: The following example adds a traffic filter rule to the Traffic Collector.

JATP-collector02(collector)# set traffic-filter add CustomRule2 headqrts.example.com 10.2.0.0/16 20.0.0.2 90 120 tcp

where destination-address is 20.0.0.2, destination-port is 120, protocol is tcp, source-address is 10.2.0.0/16 and source-port is 90 (in our example).
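Because analysis skipped by a traffic filter cannot be recovered, it is worth checking a rule's arguments before entering it. The following pre-flight check is an added example, not Juniper code: the field order, port range and protocol list come from the table above, while the function names, the strict host-bit check and the /16 warning threshold are assumptions of this example.

```python
import ipaddress
import shlex

# Argument order from the documented syntax of `set traffic-filter add`.
FIELDS = ("rule_name", "domain", "source_address", "destination_address",
          "source_port", "destination_port", "protocol")
PROTOCOLS = {"ip", "tcp", "udp", "http"}  # protocol types listed in the table
BROAD_PREFIX = 16  # assumption of this example: warn at /16 or wider


def _check_network(name, value, errors, warnings):
    """Accept an IPv4 host or CIDR network; reject anything else."""
    try:
        # strict=True also rejects host bits set under the mask (10.2.0.5/16).
        net = ipaddress.IPv4Network(value, strict=True)
    except ValueError as exc:
        errors.append(f"{name}: {value!r} is not an IPv4 address or CIDR ({exc})")
        return
    if net.prefixlen <= BROAD_PREFIX:
        warnings.append(
            f"{name}: {net} exempts {net.num_addresses} addresses from analysis")


def _check_port(name, value, errors):
    """Ports must be decimal integers in the documented 0-65535 range."""
    if not (value.isascii() and value.isdigit() and int(value) <= 65535):
        errors.append(f"{name}: {value!r} is not a port in 0-65535")


def check_traffic_filter(command):
    """Validate one `set traffic-filter add ...` line; return a findings dict."""
    result = {"fields": {}, "errors": [], "warnings": []}
    try:
        tokens = shlex.split(command)
    except ValueError as exc:  # unbalanced quotes
        result["errors"].append(f"cannot tokenize command: {exc}")
        return result
    if tokens[:3] != ["set", "traffic-filter", "add"]:
        result["errors"].append("command must start with 'set traffic-filter add'")
        return result
    args = tokens[3:]
    if len(args) != len(FIELDS):
        # A rule name fused with the domain shifts every later field by one.
        result["errors"].append(
            f"expected {len(FIELDS)} arguments ({' '.join(FIELDS)}), got {len(args)}")
        return result
    fields = dict(zip(FIELDS, args))
    result["fields"] = fields
    for name in ("source_address", "destination_address"):
        _check_network(name, fields[name], result["errors"], result["warnings"])
    for name in ("source_port", "destination_port"):
        _check_port(name, fields[name], result["errors"])
    if fields["protocol"].lower() not in PROTOCOLS:
        result["errors"].append(
            f"protocol: {fields['protocol']!r} is not one of IP, TCP, UDP, HTTP")
    return result


# Constructed sample lines (not taken from a real appliance).
SAMPLES = [
    "set traffic-filter add CustomRule2 headqrts.example.com 10.2.0.0/16 20.0.0.2 90 120 tcp",
    "set traffic-filter add CustomRule2headqrts.example.com 10.2.0.0/16 20.0.0.2 90 120 tcp",
    "set traffic-filter add R1 example.com 10.2.00/16 20.0.0.2 90 70000 icmp",
]

if __name__ == "__main__":
    for line in SAMPLES:
        findings = check_traffic_filter(line)
        print(line)
        for kind in ("errors", "warnings"):
            for message in findings[kind]:
                print(f"  {kind[:-1]}: {message}")
```

A line with errors should not be entered; a line with only warnings is valid but deserves a second look at how much traffic it removes from analysis.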

set traffic-monitoring (for JATP700 and JATP400 Appliances) (collector mode)

Table 110: set traffic-monitoring

Description: Sets the traffic monitoring interface on the JATP700 and JATP400.

Product(s) CLI: All-in-One | Collector

Mode(s): collector

Syntax:

# set traffic-monitoring-ifc 1gb_ifc

Set the traffic monitoring interface to be the 1G interface.

# set traffic-monitoring-ifc 10gb_ifc

Set the traffic monitoring interface to be the 10G interface.

NOTE: After making an interface type change, the system must be rebooted for the change to take effect.

setupcheck

Table 111: setupcheck

Description: Checks and reports on basic configuration settings and analysis pipeline setup.

Product(s) CLI: All-in-One | Core CM | Mac Mini OS X Detection Engine

Mode(s): diagnosis

Syntax: setupcheck {all | report | basic | analysis}

Parameters:

all: Checks both basic settings and analysis pipeline.

report: Shows report of last setupcheck.

basic: Checks basic configuration settings.

analysis: Checks the analysis pipeline.

Example: The following example checks all basic configuration settings as well as the analysis pipeline:

JATP (diagnosis) # setupcheck all

show (collector mode)

Table 112: show

Description: Displays the Traffic Collector current traffic filters and the current XFF status (enabled or disabled)

Product(s) CLI: All-in-One | Collector

Mode(s): Collector

Subcommands: traffic-filter | proxy | honeypot

Syntax: show

Parameters:

traffic-filter: Shows all traffic filter rules.

protocols: Shows current HTTP or SMB protocol parser settings.

proxy {inside | outside}: Shows Traffic Collector proxy for inside or outside configurations. See also show proxy: “show (server mode)” on page 68

honeypot: Shows the current honeypot configuration.

show honeypot ssh-honeypot

Example: The following example displays the current Collector proxy inside settings:

collector02(collector)# show proxy inside
Proxy IPs: 10.1.1.1

The following example displays the current traffic filter:

collector02 (collector)# show traffic-filter
Name: CustomRule2, Domain: headqtrs.example.com

The following example displays the current SMB protocol parser setting:

collector02 (collector)# show protocols

show (diagnosis mode)

Table 113: show

Description: Sets the logging levels for Juniper ATP Appliance components from diagnosis mode.

See Also: “show (server mode)” on page 68; “show (collector mode)” on page 45

Product(s) CLI: All-in-One | Collector | Core CM | Mac Mini OS X Detection Engine

Mode(s): diagnosis

Syntax: show

Parameters:

device {collectorstatus | corestatus | slavecorestatus}: Display connected device statistics for Traffic Collector, Core CM, or Mac Mini Detection Engine Secondary “slave core.”

NOTE: Not available from the Mac Mini CLI.

protocol {web | email}: Displays the session counts for network web or email protocols.

NOTE: Not available from the Mac Mini CLI.

objects: Displays the current number of file objects.

NOTE: Not available from the Mac Mini CLI.

logging: Displays the currently-configured logging level.

See Also: “set (diagnosis mode)” on page 40 logging

log error traceback: Displays only the tracebacks (if any) generated by Juniper ATP Appliance OS process error logs. A traceback is a stack of functions that were executing when an error condition was encountered.

NOTE: Not available from the Collector CLI.

log error last <integer: number of lines to display>: Displays n [1-1000] lines of the contents of the common log file.

NOTE: Not available from the Collector CLI.

NOTE: Example: show log error last 12

Example: The following example displays the connected Traffic Collector status.

JATP(diagnosis)# show device collectorstatus
<cr>

JATP (diagnosis)# show device collectorstatus
WEB_COLLECTOR

IP : 10.2.9.68
Enabled : True
Last Seen : 2014-07-25 15:13:17.967000-07:00
Install Date : 2014-06-25 19:03:38-07:00

IP : 10.2.20.3
Enabled : True
Last Seen : 2014-07-28 11:07:42.046000-07:00
Install Date : 2013-11-14 09:25:39-08:00

show (server mode)

Table 114: show

Description: Display configurations and status information.

Product(s) CLI: All-in-One | Collector | Core CM | Mac Mini OS X Detection Engine

Mode(s): Server. See Also: show (collector mode); “show (diagnosis mode)” on page 47

Syntax: show

Parameters:

autoupdate: Show the automatic update setting.

cli timeout: Show the CLI timeout setting.

clock: Show the current date and time.

cm: Show the Central Manager IP address.

controller: Show the driver state for interfaces.

support: Show the remote SSH login support status.

description: Show the server or system description.

devicekey: Show the device key.

devicetype: Show the device type.

dns: Show the DNS servers settings.

eula: Show the End User License Agreement.

firewall [all | whitelist]: Show the firewall configuration settings.

hostname: Show the system’s host name.

interface: Show information about the management (administrative) network interface eth0 and the monitoring interface eth1.

ip: Show the IP address of the management (administrative) interface eth0.

Results may show both private and public IP addresses if the AWS vCore has a public IP.

name: Show the server name.

ntpserver: Show the Network Time Protocol (NTP) server settings.

proxy: Show current proxy configuration.

uuid: Show the system UUID (universally unique ID).

stats [cpuload | disk | memory]: Show system statistics:

• cpuload shows the average CPU load in the system

• disk shows the disk space usage in the system.

• memory shows the system memory usage.

# show stats cpuload
(0.06, 0.13, 0.13)

timezone: Show the current timezone.

uptime: Show the last manual upgrade-related information.

version: Show Juniper ATP Appliance software and content security versions.

Example: The following example displays information about the All-in-One server device type:

All-in-One(server)# show devicetype
Device type: cm, core, web_collector.

shutdown

Table 115: shutdown

Description: Shuts down the Juniper ATP Appliance server.

Product(s) CLI: All-in-One | Collector | Core CM | Mac Mini OS X Detection Engine

Mode(s): Server

Syntax: shutdown

Parameters: None

Example: The following example performs a shutdown of the current device.

JATP# shutdown

traceroute

Table 116: traceroute

Description: Displays the route that packets take to a host name or an IP address.

Product(s) CLI: All-in-One | Collector | Core CM | Mac Mini OS X Detection Engine

Mode(s): Server | Collector

Syntax: traceroute

Parameters:

-h unsigned integer: Specifies the number of hops

string: Names the remote system to be traced.

Example: The following example performs a traceroute of the named device.

JATP# traceroute -h 2 8.8.8.8

• wizard on page 116

wizard

Table 117: wizard

Description: Enters the Configuration Wizard. For Configuration Wizard commands and response, see “Configuration Wizard for the CoreCM Server” in the next section to follow command prompts and recommended responses.

Product(s) CLI: All-in-One | Core/CM | Collector | Mac Mini Mac OS X

Mode(s): Basic

Syntax: wizard

Parameters: None

Example: The following command starts the configuration wizard.

hostname #wizard

Configuration Wizard Command Prompt Progressions

Table 118: Configuration Wizard

Configuration Wizard prompt:

Use DHCP to obtain the IP address and DNS server address for the administrative interface (Yes/No)?

NOTE: Only if your DHCP response is no, enter the following information when prompted:

a. IP address (no CIDR format)

b. Netmask

c. Enter a gateway IP address for this management (administrative) interface:

d. Enter primary DNS server IP address.

e. Do you have a secondary DNS Server (Yes/No).

f. Do you want to enter the search domains?

g. Enter the search domain (separate multiple search domains by space):

Restart the administrative interface (Yes/No)?

Customer response from Collector:

We strongly discourage the use of DHCP addressing because it changes dynamically. A static IP address is preferred.

Recommended: Respond with no:

a. Enter an IP address

b. Enter a netmask using the form 255.255.255.0.

c. Enter a gateway IP address.

d. Enter the DNS server IP address

e. If yes, enter the IP address of the secondary DNS server.

f. Enter yes if you want DNS lookups to use a specific domain.

g. Enter search domain(s) separated by spaces; for example: example.com lan.com dom2.com

Enter yes to restart with the new configuration settings applied.

Configuration Wizard prompt:

Enter a valid hostname.

Customer response from Collector:

Type a hostname when prompted; do not include the domain; for example: juniperatp1

NOTE: Only alphanumeric characters and hyphens (in the middle of the hostname) are allowed.

Configuration Wizard prompt:

Regenerate the SSL self-signed certificate (Yes/No)?

Customer response from Collector:

Not applicable to Collector.

Configuration Wizard prompt:

Enter the following server attributes:

Central Manager (CM) IP Address:

Device Name: (must be unique)

Device Description

Device Key PassPhrase

NOTE: Remember this passphrase and use it for all distributed devices!

Customer response from Collector:

Required: Enter the IP address of the Juniper ATP Appliance Server All-in-One CM or CoreCM to which you are connecting [another] Collector in order to register with and view the Collector in the CM Web UI.

Enter the Juniper ATP Appliance Collector Device Name; this identifies the Collector in the Web UI.

Enter a device Description

Enter the same PassPhrase used to authenticate the Collector to the Central Manager.

NOTE: Enter CTRL-C to exit the Configuration Wizard at any time. If you exit without completing the

See Also

• All-in-One CLI Commands on page 25

• Core/CM Server CLI Commands on page 52


Glossary of Terms

Alternate Exhaust Interface: An eth2 interface configured (optionally) to contain analysis engine CnC traffic off the management network (eth0).

Anti-SIEM: A Juniper ATP Appliance Advanced Threat Analytics (ATA) feature that allows for more detailed endpoint and log ingestion handling, management and reporting; includes Active Directory, Splunk and Direct Log Ingestion options.

AWS: Amazon Web Services and EC2 management console from which Juniper ATP Appliance administrators can configure vCore AMI images.

Blacklist: A list or register of entities to be denied a specified access or privilege. During detection engine analysis, when content matches any pattern on the blacklist, the content is deemed malicious and therefore an alert or block action is enacted immediately.

Collector: Juniper ATP Appliance’s Traffic inspection and object collection mechanism

CnC server: Command and control server that directs the operation of a botnet.

CLI: Command-line interface. The Juniper ATP Appliance has a CLI interface for administering the appliance.

CM: The Juniper ATP Appliance Central Manager component that has a web-based graphical user interface.

Darkspace: Currently unused address space.

DHCP: Dynamic Host Configuration Protocol.

DMZ: Demilitarized zone. An area of the network where systems have direct access to the Internet or an external network.

DNS: Domain Name Service.

Event: Indicates a type of security intrusion or attack.

Greylist: Greylists provide control over the priority of workorders for known IP addresses and URLs. Greylists contain files that contain either URLs or IP addresses and are used by the Juniper ATP Appliance analysis engines to check if the specified URLs or IP addresses contain a malicious rule match.

GUI: Graphical user interface. The Juniper ATP Appliance uses a web-based GUI for managing the appliance.

Known botnet server bot command: Events that are triggered when the appliance sees any of the common IRC bot commands or detects any communication sent to known botnet servers.

Lateral Detection: East-west detection of malware within the enterprise spread from endpoint host to host.

Malware: Malicious software used by attackers to disrupt, control, steal, cause data loss, spy upon, or gain unauthorized access to computer systems.

NTP: Network Time Protocol.

OS-anomaly: Events that indicate modification of the operating system.

OSPF: Open Shortest Path First. A protocol that computes an optimal path for traffic in a TCP/IP network.

Sandbox mode: A mode in which malware is permitted to run, but results of the malware action are restricted to the virtual machine and not permitted to escape.

SNMP: Simple Network Management Protocol.

spyware: A type of malware installed on computers that collects small pieces of information about user(s) it is spying on.

SSL: Secure Sockets Layer.

TLS: Transport Layer Security.

VLAN: Virtual Local Area Network.

VM: Virtual Machine. A software program that runs an instance of an operating system. The operating system runs on top of a program that emulates a hardware system.

Worm: A self-replicating malware program that uses a computer network to send copies of itself to other computers. This may be done without any user intervention.

Zero-day attack: An attack by malware that exploits unknown or newly discovered vulnerabilities in software before they become known or before security patches are applied to fix them

Related Documentation

• All-in-One CLI Commands on page 25

• Core/CM Server CLI Commands on page 52

• Mac OS X Engine CLI Commands on page 75

• Traffic Collector CLI Commands on page 95
