cz-setup and cz-config commands

  • 7 minute read
Prev Next

Advanced configuration options using cz-setup and cz-config

These commands are run from the SSH command line.

cz-setup

You can run cz-setup at any time on a seeded Appliance. It can also be used for creating the first Controller. To use cz-setup you need to be root so use the command: sudo cz-setup

AppGate setup screen showing options to change password and configure settings.

Action

Description

passwd

Change the the “cz” user password (only applies if password is in use)

log levels

This allows you to change the daemon log level on the appliance. For more information, refer to System Logs > Daemon Logs.

nics

This allows you to assign eth0, eth1, etc to the network cards found in the system. This is done automatically, however you might need to use this when adding/changing the cards in an existing system.

cz-config commands

cz-config <action> is a family of commands to manage and configure the appliance at run-time. Below are some of the more useful functions, to see the full list: cz-config --help. To see help for each one: cz-config <action> --help

To use cz-config you need to be root so use the command: sudo cz-config <action>

subject

Action

Description

Alternative default route

set gateway/vpn/overrideRouteVia/ipv4 10.10.10.10
set gateway/vpn/overrideRouteVia/ipv6 ::1

del gateway/vpn/overrideRouteVia​

This configuration overrides the Alternative default route for all user traffic setting in Sites. This is useful when some of the Gateways on a Site sit in different physical locations.

To undo use the del option.

Appliance customization

set -j customization/enabled true/false

Enables the use of appliance customizations

Appliance OS hostname

set osHostname foo.example.com

There is an internal hostname used by the system (osHostname). This is normally set to the Appliance Hostname. If an IP address (i.e. 1.2.4.8) was used for the Appliance Hostname then appgate-1_2_4_8 will be generated. This command allows you to change the osHostname if required.

Appliance status

status

Shows metadata and status of the current Appliance.

Appliance upgrade

upgrade

This function will upgrade the Appliance (see Upgrading Appliances).

Appliance wipe

wipe-appliance --force

Wipes the appliance and returns it to a waiting_config state which means re-seeding is required.

Certificate add

keytool import --alias certname --certificate /path/to/cert

Tool to allow adding additional certs to java using keytool

--alias ALIAS, The alias to use for the certificate

--certificate FILENAME, The file containing the certificate. It is possible to use - to read from stdin.

Client request rate limiting

set -j controller/clientRequestRateLimitFactor X

del controller/clientRequestRateLimitFactor

Limits the rate of Client requests to the Controller.

X can be used in 3 ways:

  • X: (Positive Number) Rate limit will be X*{vCPU count}. So with X=4, a 4vCPU appliance will be rate limited to 16/sec.

  • -X: (Negative Number) Rate limit will be absolute{X}. So with X=-10 the appliance will be rate limited to 10/sec.

  • 0: Rate limiting will be disabled.

The rate limit is calculated as an average over a 2 sec sliding window. This will allow for bursts of Client requests as long as the average is below the set limit.

With no setting for X the default will be used which is 0/disabled.

To remove the rate limit factor use the del option.

Configuration apply

apply

Will reapply the current configuration.

Configuration rollback

rollback-configuration

This function will rollback to previous config received from the Controller. We always keep a pointer to the previous config, this function will make the previous config to be the current one.

Configuration update

pull-configuration

Force the Appliance to pull a new config from the controller. If the Appliance is a Controller it will re-apply the config already registered within it.

Connection rate limiting

set -j controller/clientRateLimitFactor X
set -j gateway/clientRateLimitFactor X

del controller/clientRateLimitFactor
del gateway/clientRateLimitFactor

Limits the rate of new Client connections to Controllers and Gateways.

X can be used in 3 ways:

  • X: (Positive Number) Rate limit will be X*{vCPU count}. So with X=4, a 4vCPU appliance will be rate limited to 16/sec.

  • -X: (Negative Number) Rate limit will be absolute{X}. So with X=-10 the appliance will be rate limited to 10/sec.

  • 0: Rate limiting will be disabled.

The rate limit is calculated as an average over a 5 sec sliding window. This will allow for bursts of Client connections as long as the average is below the set limit.

With no setting for X the defaults will be used which is 4 for both Gateways and Controllers.

If the appliance has both a Controller and Gateway rate limit factors set then the Controller one will be used.

To remove the rate limit factor use the del option.

Connector status

connector status

Shows the status and configuration of the Connector including vrrp (HA configuration).

Connector HA

vrrp status

set vrrp/advert_Appliance Troubleshootingint 2

set vrrp/nopreempt False

Displays the Virtual Router Redundancy Protocol NIC configuration including the VIP being used - if configured.

Specify the advertisement interval in seconds. The default value is 3 seconds. Note that this should match on all hosts sharing the virtual IP.

VRRP will normally preempt a lower priority machine when a higher priority machine comes online. "nopreempt" allows the lower priority machine to maintain the master role, even when a higher priority machine comes back online. The default value is True (preempt disabled).

Controller DB replication

bdr

Commands related to BDR database replication troubleshooting (see Appliance Troubleshooting).

Controller switch CA

ca-switch

Trigger appliance CA certificate switch

Controller switch CA status

ca-switch-status

Appliance CA certificate switch status

Controller nearest Site

set -j controller/localSiteIsAlwaysNearest true

Nearest Site detection will include local Sites (when enabled) - even when "Use for nearest Site selection" has not been enabled in the Site. By default this is false.

CRL update

update-crl

This will check the CRL Distribution Point URL and download the latest CRL. (see Certificates)

CZ user

user

Settings for the default cz user

Disk partitions

switch-partition

This function will just change the partition in use. When we upgrade an appliance the previous version will be kept on another partition (currently we use only 2 partitions), using this function you can revert the system to its previous state (after a bad upgrade).

IPv6 disable

set kernel/cmdlineOptions "ipv6.disable=1"

This will disable IPv6 in the kernel. The appliance requires rebooting for this to take effect.

Log download

collect-logs

Collects logs for the appliance in a similar way to the admin UI. Useful when the Controller is down. Use -h to show the optional arguments.

Log limiting

set -j audit/maxLogsOnDisk <value>

Sets the maximum number log records logd saves to disk. The default is 100,000.

Management network interface

set -j networking/managementNic '{"nic": "eth1", "routes": [{"address": "10.97.235.67", "netmask": 32, "gateway": "10.97.174.3"}]}'

set -j networking/managementNic '{"nic": "eth1", "routes": [{"address": "10.97.235.67", "netmask": 32, "gateway": "10.97.174.3"}], "services": ["icmp", "api"]}'

set -j networking/managementNic '{"nic": "eth1", "routes": [{"address": "10.97.235.67", "netmask": 32, "gateway": "10.97.174.3"}], "services": ["icmp", "api", ["custom-service", "tcp", 6666]]}'

del networking/managementNic

When enabled on an appliance, these services - ssh, icmp, snmp and Prometheus, will be routed to the specified management interface and onwards to the specified 'gateway'. They will no longer be available via the normal network interface. This applies when the command is used without the "services" option specified.

When "services" are specified as an option, then the exact list specified will be used. So to add the admin API to the default list you would need to specify: ssh, icmp, snmp, prometheus and api.

You can add your own protocol to the management interface by specifying a name, protocol (TCP or UDP) and port. Again the exact list specified will be used.

To remove the management interface configuration use the del option.

Scrips http use

set -j policyEvaluator/allowUnsafeHttp true

set -j policyEvaluator/allowUnsafeHttpRedirection true

Enables the use of http when making (external) calls from the javascript engine used in the Controller and Gateways for running scripts.  

SSH keys regenerate

regenerate-ssh-keys

This function will regenerate the ssh host keys.

SPA add rules

set -j spa/allowTcpSubnets '["192.168.1.0/24", "2010:2000:4e43:d406:8055:408d:e018:b360"]'

When an IP is authorized with SPA in UDP-TCP mode the sending IP address gets added to iptables to allow access to TCP 443 from that IP address. Using this command, multiple arbitrary manually configured IPv4 and/or IPv6 subnets can be added in iptables on receipt of a valid SPA packet as well as the original IP address. Example: with subnets 192.168.1.0/24, 2010:2000:4e43:d406:8055:408d:e018:b360 configured . When an IP 74.73.54.4 is authorized, the IPs 74.73.54.4, 192.168.1.0/24 and 2010:2000:4e43:d406:8055:408d:e018:b360 will be added to iptables.

SPA add mapped rules

set -j spa/allowMappedTcpSubnets '["10.10.0.0/16", "11.11.11.0/24"]'

When an IP is authorized with SPA in UDP-TCP mode the sending IP address gets added to iptables to allow access to TCP 443 from that IP address. Using this command, multiple mapped IPv4 and/or IPv6 subnets can be configured, and these will be added in iptables on receipt of a valid SPA packet instead of the original IP address. Example: with subnets 10.10.0.0/16, 11.11.11.0/24 configured . When an IP 74.73.54.4 is authorized, the IPs 10.10.54.4 and 11.11.11.4 will be added to iptables.

SPA get rules

get spa

Shows the current configured subnets and mapped subnets which will be added to iptables when a valid SPA packet is received while using SPA in UDP-TCP mode.

Spectre/Meltdown mitigations

set kernel/cmdlineOptions mitigations=off

This removes some of the recent mitigations for defects in the x86 architecture. These mitigations are not required when the machine running the appliance is dedicated (not shared). By removing these mitigations significant performance benefits can be realized. Appgate appliances are supplied with mitigations off.

NOTE: The Appgate SDP appliance requires rebooting after running this command.

This only removes mitigations from Appgate SDP appliance, the mitigations will also need removing from the host for the full benefits to be realized.

Auto suspend (when under heavy load)

get gateway/suspendWatermarks

get gateway/suspendWatermarks/numberOfSessions

set -j gateway/suspendWatermarks/numberOfSessions/high 50

set -j gateway/suspendWatermarks/numberOfSessions/low 40

set -j gateway/suspendWatermarks/numberOfSessions/enabled false

del gateway/suspendWatermarks/numberOfSessions

Get all watermarks for auto suspend.

Get specific watermark for auto suspend.

Set specific watermark high threshold.

Set specific watermark low threshold.

Disable a specific watermark.

Restore the defaults for a specific watermark.

URL access override

set -j gateway/forwardToNginx true/false

This configuration is not recommended for normal usage. Instead the appropriate number and size of Gateways should be specified for the expected loads.
If set to false then for a given Gateway all the HTTP up Actions will fall back to TCP up Actions. The users Entitlement tokens will need to be renewed for this change to be made effective.

Related articles