Linux


WARNING

This page contains advanced information intended for power users. You may break client functionality if you are not a power user.

Ensure you are using a supported distribution of Linux:

https://www.appgate.com/support/software-defined-perimeter-support

Client logs

The regular client logs are in ~/.appgate/log/ or can be viewed using journalctl -t appgate-sdp

The headless client daemon logs can be viewed using journalctl -u appgateservice

Driver logs

The driver logs can be found in /var/log/appgate/driver.log.

Driver logs can also be viewed using journalctl -u appgatedriver.service which may require admin rights.

Client Settings

Settings are stored in ~/.config/appgatesdp-service/

DNS configuration

The client comes with a “set_dns” script that tries to change the network configuration when connecting to AppGate ZTNA, so that the AppGate ZTNA DNS is queried for AppGate domains, while the regular DNS remains in charge of resolving everything else. To achieve this, the built-in script runs a local DNS resolver (dnsmasq) under the name “appgate-resolver”. If systemd-resolved is detected to be running, it is used instead of dnsmasq. The script resets the network configuration when AppGate ZTNA disconnects.

The set_dns script has the following requirements:

  • dnsmasq or systemd-resolved

  • dbus

  • systemd as pid 1

This was tested against network-manager, wicd, and ifupdown.

Since the built-in script can’t cover every network configuration, it is possible to write a custom script, which must accept the same command line as the built-in one. More information about the command line can be found by running:

/opt/appgate/linux/set_dns --help

journalctl -u appgatedriver.service | grep set_dns

Such a script must be configured in /etc/appgate.conf and will then replace the built-in one.

Troubleshooting

If the network configuration is left in a strange state, you can restore it by performing the following steps:

/opt/appgate/linux/set_dns --reset

chattr -i /etc/resolv.conf

mv /etc/resolv.appgate /etc/resolv.conf

Once you have completed these steps, restart your network manager.

Cleaning Client settings

To clean client settings, run:

rm -rf ~/.config/appgate-ui ~/.config/appgatesdp-service ~/.local/share/appgatesdp-service

Then remove all stored passwords/certificates:

Run seahorse from a terminal and delete all entries containing “AppGate”.

Verifying package files

The Linux installer packages have been signed with GPG using the AppGate public key. Use the relevant tools for each distribution to verify the validity of the package. The AppGate public GPG key is included in the checksum archive under each version here:

https://www.appgate.com/support/software-defined-perimeter-support/

The AppGate public GPG key can also be found in the keyring installed along with the client, at /opt/appgate/appgate.gpg.

The fingerprint of the GPG key is: F36B 319B CE07 48F7 7930  52E6 F600 207F 0680 FA29
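Added example (not part of the Appgate documentation): a shell check that a key file carries the fingerprint stated above before it is imported with rpmkeys or gpg. The function names and the sample listing are constructed for illustration, and `gpg --show-keys` assumes a recent GnuPG 2.x.

```shell
#!/bin/sh
# Added example: compare a key's fingerprint with the one published on this page.
EXPECTED_FPR="F36B 319B CE07 48F7 7930  52E6 F600 207F 0680 FA29"

# Constructed sample of `gpg --with-colons` output (dates, user ID and subkey are made up).
SAMPLE_LISTING='pub:-:4096:1:F600207F0680FA29:1500000000:::-:::scESC::::::23::0:
fpr:::::::::F36B319BCE0748F7793052E6F600207F0680FA29:
uid:-::::1500000000::0000000000000000000000000000000000000000::Constructed UID <key@example.invalid>::::::::::0:
sub:-:4096:1:0123456789ABCDEF:1500000000::::::e::::::23:
fpr:::::::::00112233445566778899AABBCCDDEEFF01234567:'

# Remove whitespace and upper-case, so spaced and unspaced forms compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d '[:space:]' | tr 'a-f' 'A-F'
}

# Read a colon-format key listing on stdin. Succeed only when it holds exactly
# one primary key and that key's fingerprint (field 10 of the "fpr" record
# following "pub") equals EXPECTED_FPR. Subkey fingerprints are ignored.
check_listing() {
    want=$(normalize_fpr "$EXPECTED_FPR")
    awk -F: -v want="$want" '
        $1 == "pub"         { pubs++; grab = 1; next }
        $1 == "fpr" && grab { got = toupper($10); grab = 0 }
        END                 { exit !(pubs == 1 && got == want) }'
}

# List the keys in a file without importing them, then check the listing.
# Hypothetical helper; usage: verify_key_file appgate.pub
verify_key_file() {
    gpg --show-keys --with-colons --with-fingerprint "$1" 2>/dev/null | check_listing
}
```

Run `verify_key_file appgate.pub` and continue to the import commands below only if it returns 0.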

Fedora

Verification on Fedora requires the rpm package, which is installed by default on all rpm-based distributions.

Make sure the AppGate public key has been installed.

sudo rpmkeys --import appgate.pub

If using the keyring installed with the client, the key needs to be exported first:

gpg --keyring /opt/appgate/appgate.gpg --export --armor > appgate.pub

Verify the package with:

rpmkeys --checksig PACKAGENAME

Ubuntu

For verification on Ubuntu systems the package dpkg-sig is needed:

sudo apt install dpkg-sig

Make sure the AppGate public GPG key has been installed:

gpg --import appgate.pub

Or if using the keyring installed with the client:

gpg --import /opt/appgate/appgate.gpg

Verify the package with:

dpkg-sig --verify PACKAGENAME