cz-setup and cz-config commands


Advanced configuration options using cz-setup and cz-config

These commands are run from the SSH command line.

cz-setup

You can run cz-setup at any time on a seeded appliance. It can also be used for creating the first Controller. To use cz-setup you need to be root, so use the command: sudo cz-setup

AppGate setup screen showing options to change password and configure settings.

Action

Description

passwd

Change the cz user password. This applies only if a password is in use.

log levels

This allows you to change the daemon log level on the appliance. For more information, refer to System Logs > Daemon Logs.

nics

This allows you to assign eth0, eth1, and so on to the network cards found in the system. This is done automatically, however you might need to use this when adding or changing the cards in an existing system.

cz-config commands

cz-config <action> is a family of commands to manage and configure the appliance at runtime. Below are some of the more useful functions. To see the full list, enter cz-config --help. To see help for each one: cz-config <action> --help

To use cz-config you need to be root, so enter the command: sudo cz-config <action>

Subject

Action

Description

Alternative default route

set gateway/vpn/overrideRouteVia/ipv4 10.10.10.10
set gateway/vpn/overrideRouteVia/ipv6 ::1

del gateway/vpn/overrideRouteVia

This configuration overrides the Alternative default route for all user traffic setting in Sites. This is useful when some of the Gateways on a Site sit in different physical locations.

To undo use the del option.

Appliance customization

set -j customization/enabled true/false

Enables the use of appliance customizations

Appliance OS hostname

set osHostname foo.example.com

There is an internal hostname used by the system (osHostname). This is normally set to the Appliance Hostname. If an IP address (e.g. 1.2.4.8) was used as the appliance hostname, then appgate-1_2_4_8 is generated. This command allows you to change the osHostname if required.

Appliance status

status

Shows metadata and status of the current appliance.

Appliance upgrade

upgrade

This function will upgrade the appliance (see Upgrading Appliances).

Appliance wipe

wipe-appliance --force

Wipes the appliance and returns it to a waiting_config state which means re-seeding is required.

Certificate add

keytool import --alias certname --certificate /path/to/cert

Adds additional certificates to the Java keystore using keytool.

--alias ALIAS, The alias to use for the certificate

--certificate FILENAME, The file containing the certificate. It is possible to use - to read from stdin.

Client request rate limiting

set -j controller/clientRequestRateLimitFactor X

del controller/clientRequestRateLimitFactor

Limits the rate of client requests to the Controller.

X can be used in three ways:

  • X: (Positive Number) Rate limit will be X*{vCPU count}. So with X=4, a 4vCPU appliance will be rate limited to 16/sec.

  • -X: (Negative Number) Rate limit will be absolute{X}. So with X=-10 the appliance will be rate limited to 10/sec.

  • 0: Rate limiting will be disabled.

The rate limit is calculated as an average over a 2 sec sliding window. This will allow for bursts of client requests as long as the average is below the set limit.

With no setting for X, the default applies, which is 0 (disabled).

To remove the rate limit factor use the del option.

Configuration apply

apply

Will reapply the current configuration.

Configuration rollback

rollback-configuration

Rolls back to the previous configuration received from the Controller. A pointer to the previous configuration is always kept; this function makes that previous configuration the current one.

Configuration update

pull-configuration

Force the Appliance to pull a new config from the controller. If the appliance is a Controller it will re-apply the config already registered within it.

Connection rate limiting

set -j controller/clientRateLimitFactor X
set -j gateway/clientRateLimitFactor X

del controller/clientRateLimitFactor
del gateway/clientRateLimitFactor

Limits the rate of new client connections to Controllers and Gateways.

X can be used in three ways:

  • X: (Positive Number) Rate limit will be X*{vCPU count}. So with X=4, a 4vCPU appliance will be rate limited to 16/sec.

  • -X: (Negative Number) Rate limit will be absolute{X}. So with X=-10 the appliance will be rate limited to 10/sec.

  • 0: Rate limiting will be disabled.

The rate limit is calculated as an average over a five second sliding window. This allows for bursts of client connections as long as the average is below the set limit.

With no setting for X, the default of 4 is used for both Gateways and Controllers.

If the appliance has both a Controller and Gateway rate limit factors set then the Controller one will be used.

To remove the rate limit factor use the del option.
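A worked model of the factor semantics shared by clientRequestRateLimitFactor and clientRateLimitFactor, added here as an example (not AppGate's code): it derives the effective limit from X and the vCPU count, applies the Controller-over-Gateway precedence and the connection default of 4, and checks constructed arrival timestamps against a sliding-window average. The window lengths (2 s for requests, 5 s for connections) come from the page; the vCPU counts and timestamps are constructed, and the exact averaging rule is this example's interpretation.

```python
# Added example, not AppGate's implementation: models the X semantics from the
# cz-config rate limiting entries. vCPU counts and timestamps are constructed.
from collections import deque

def effective_limit(factor, vcpus):
    """Permitted average rate per second, or None when disabled.
    X > 0 -> X * vCPU count; X < 0 -> abs(X); X == 0 -> disabled."""
    if factor > 0:
        return factor * vcpus
    if factor < 0:
        return -factor
    return None

def connection_limit(vcpus, controller_factor=None, gateway_factor=None):
    """Connection limit for one appliance: the Controller factor wins when
    both are set; with neither set the page's default of 4 applies."""
    if controller_factor is not None:
        factor = controller_factor
    elif gateway_factor is not None:
        factor = gateway_factor
    else:
        factor = 4
    return effective_limit(factor, vcpus)

class SlidingWindowLimiter:
    """Admits an event when the average rate over the last `window` seconds
    (events still inside the window / window length) stays within `limit`."""
    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.events = deque()

    def admit(self, now):
        # drop events that have aged out of the sliding window
        while self.events and now - self.events[0] >= self.window:
            self.events.popleft()
        if self.limit is None:
            self.events.append(now)
            return True
        # average over the window once this event is counted
        if (len(self.events) + 1) / self.window <= self.limit:
            self.events.append(now)
            return True
        return False

def simulate(limit, window, timestamps):
    """Number of admitted events for a constructed arrival pattern."""
    limiter = SlidingWindowLimiter(limit, window)
    return sum(limiter.admit(t) for t in timestamps)
```

Bursts are admitted until the in-window count reaches limit × window, which is why a 2 s window at 16/sec lets 32 requests through at once before the average is exceeded.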

Connector status

connector status

Shows the status and configuration of the Connector including VRRP (HA configuration).

Connector HA

vrrp status

Displays the Virtual Router Redundancy Protocol NIC configuration including the VIP being used.

set vrrp/advert_int 2

Specify the advertisement interval in seconds. The default value is three seconds. Note that this should match on all hosts sharing the virtual IP.

set vrrp/nopreempt False

VRRP will normally preempt a lower priority machine when a higher priority machine comes online. "nopreempt" allows the lower priority machine to maintain the master role, even when a higher priority machine comes back online. The default value is True.

Controller DB replication

bdr

Commands related to BDR database replication troubleshooting. See Appliance Troubleshooting for more information.

Controller switch CA

ca-switch

Trigger appliance CA certificate switch

Controller switch CA status

ca-switch-status

Appliance CA certificate switch status

Controller nearest Site

set -j controller/localSiteIsAlwaysNearest true

Nearest Site detection will include local Sites when enabled - even when Use for nearest Site selection has not been enabled in the Site. By default this is false.

CRL update

update-crl

This will check the CRL Distribution Point URL and download the latest CRL. See Certificates for more information.

CZ user

user

Settings for the default cz user

Detect termination of client-appliance connections

cz-config set -j reportBogusTLS/enabled true

Detects MitM issues caused by firewalls or network devices terminating the connection from the client. When a TLS connection lacks the expected extensions, the appliance raises a five minute warning that includes the source IP:port to help identify misconfigured devices.

NOTE

This will cause a lot of activity in the system during normal operations. It is therefore recommended to use this command only when troubleshooting.

Disk partitions

switch-partition

Changes the partition in use. When an appliance is upgraded, the previous version is kept on another partition (currently only two partitions are used), so this function can revert the system to its previous state after a bad upgrade.

IPv6 disable

set kernel/cmdlineOptions "ipv6.disable=1"

This will disable IPv6 in the kernel. The appliance requires rebooting for this to take effect.

Log download

collect-logs

Collects logs for the appliance in a similar way to the admin UI. Useful when the Controller is down. Use -h to show the optional arguments.

Log limiting

set -j audit/maxLogsOnDisk <value>

Sets the maximum number log records logd saves to disk. The default is 100,000.

Management network interface

set -j networking/managementNic '{"nic": "eth1", "routes": [{"address": "10.97.235.67", "netmask": 32, "gateway": "10.97.174.3"}]}'

set -j networking/managementNic '{"nic": "eth1", "routes": [{"address": "10.97.235.67", "netmask": 32, "gateway": "10.97.174.3"}], "services": ["icmp", "api"]}'

set -j networking/managementNic '{"nic": "eth1", "routes": [{"address": "10.97.235.67", "netmask": 32, "gateway": "10.97.174.3"}], "services": ["icmp", "api", ["custom-service", "tcp", 6666]]}'

del networking/managementNic

When enabled on an appliance without the "services" option, the default services (ssh, icmp, snmp and Prometheus) are routed to the specified management interface and onwards to the specified Gateway. They are no longer available through the normal network interface.

When "services" is specified, the exact list given is used and the defaults are not added automatically. To add the admin API to the default list you must therefore specify all of: ssh, icmp, snmp, prometheus, and api.

You can add your own protocol to the management interface by specifying a name, protocol (TCP or UDP), and port. Again, the exact list specified will be used.

To remove the management interface configuration use the del option.
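An added validator for the networking/managementNic value (example code, not AppGate's) that resolves the effective service list under the rule above and renders the cz-config line to apply it. The default and known service names and the route values are taken from the page; the validation checks (route addresses must parse, netmask must fit the address family, custom entries must be tcp/udp with a valid port) are this example's own.

```python
# Added example, not AppGate's code: checks a managementNic JSON value and
# reports which default services a custom "services" list silently drops.
import ipaddress, json, shlex

# Services the page says move to the management NIC when "services" is omitted.
DEFAULT_SERVICES = ["ssh", "icmp", "snmp", "prometheus"]
KNOWN_SERVICES = set(DEFAULT_SERVICES) | {"api"}

def validate_management_nic(cfg):
    """Return (effective_services, dropped_defaults); raise ValueError on a
    malformed value so it is caught before `cz-config set -j` applies it."""
    if not isinstance(cfg.get("nic"), str) or not cfg["nic"]:
        raise ValueError("nic must be an interface name such as eth1")
    for route in cfg.get("routes", []):
        addr = ipaddress.ip_address(route["address"])
        ipaddress.ip_address(route["gateway"])
        if not 0 <= int(route["netmask"]) <= addr.max_prefixlen:
            raise ValueError(f"netmask {route['netmask']} invalid for {addr}")
    if "services" not in cfg:
        return list(DEFAULT_SERVICES), []
    effective = []
    for svc in cfg["services"]:
        if isinstance(svc, str):
            if svc not in KNOWN_SERVICES:
                raise ValueError(f"unknown service {svc!r}")
            effective.append(svc)
        else:
            # custom entry: [name, protocol, port]
            name, proto, port = svc
            if proto.lower() not in ("tcp", "udp") or not 1 <= int(port) <= 65535:
                raise ValueError(f"bad custom service {svc!r}")
            effective.append(f"{name}/{proto.lower()}/{port}")
    # the exact list replaces the defaults: report any default not repeated
    dropped = [s for s in DEFAULT_SERVICES if s not in cfg["services"]]
    return effective, dropped

def cz_config_command(cfg):
    """Render the shell line that applies cfg, quoted for the SSH command line."""
    validate_management_nic(cfg)
    return "sudo cz-config set -j networking/managementNic " + shlex.quote(json.dumps(cfg))
```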

Resolver error calls before clearing the address cache

set -j gateway/nameResolution/nameMaxAllowedErrors <value>

Sets the allowed number of error calls before the address cache is cleared. Default is 10 error calls. The time this takes will be a multiple of the Update Interval of each resolver.

Rotate claims keys

rotate-claims-keys

Rotates the keys used to encrypt claims tokens

Scripts http use

set -j policyEvaluator/allowUnsafeHttp true

set -j policyEvaluator/allowUnsafeHttpRedirection true

Enables the use of HTTP when making (external) calls from the JavaScript engine used in the Controller and Gateways for running scripts.

SSH keys regenerate

regenerate-ssh-keys

This function will regenerate the ssh host keys.

SPA add rules

set -j spa/allowTcpSubnets '["192.168.1.0/24", "2010:2000:4e43:d406:8055:408d:e018:b360"]'

When an IP is authorized with SPA in UDP-TCP mode, the sending IP address is added to iptables to allow access to TCP 443 from that address. With this command, one or more manually configured IPv4 and/or IPv6 subnets are added to iptables on receipt of a valid SPA packet, in addition to the original IP address. Example: with the subnets 192.168.1.0/24 and 2010:2000:4e43:d406:8055:408d:e018:b360 configured, when the IP 74.73.54.4 is authorized, the entries 74.73.54.4, 192.168.1.0/24 and 2010:2000:4e43:d406:8055:408d:e018:b360 are added to iptables.

SPA add mapped rules

set -j spa/allowMappedTcpSubnets '["10.10.0.0/16", "11.11.11.0/24"]'

When an IP is authorized with SPA in UDP-TCP mode, the sending IP address is added to iptables to allow access to TCP 443 from that address. With this command, one or more mapped IPv4 and/or IPv6 subnets can be configured, and these are added to iptables on receipt of a valid SPA packet instead of the original IP address (each entry keeps the configured prefix and takes its host part from the authorized address). Example: with the subnets 10.10.0.0/16 and 11.11.11.0/24 configured, when the IP 74.73.54.4 is authorized, the entries 10.10.54.4 and 11.11.11.4 are added to iptables.
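To make the two SPA examples above concrete, here is an added model (not AppGate's code) of the entries that end up in iptables for one authorized sender under spa/allowTcpSubnets and spa/allowMappedTcpSubnets. It generalizes the page's 74.73.54.4 example to any prefix length by keeping the configured prefix bits and taking the host bits from the sender; mapping across address families and the behaviour when both settings are configured are not described on the page, so those are this example's assumptions (cross-family pairs are skipped, and mapped subnets replace the sender).

```python
# Added example, not AppGate's code: models the iptables allow-list entries
# for TCP 443 after a valid SPA packet in UDP-TCP mode. Sender addresses and
# subnets are the page's example values or constructed.
import ipaddress

def mapped_address(sender, subnet):
    """Keep the configured prefix bits, take the host bits from the sender.
    Returns None for a subnet in a different address family (assumption:
    the page does not describe cross-family mapping, so it is skipped)."""
    net = ipaddress.ip_network(subnet, strict=False)
    if net.version != sender.version:
        return None
    host_bits = int(sender) & int(net.hostmask)
    return ipaddress.ip_address(int(net.network_address) | host_bits)

def normalize(subnet):
    """A single address stays an address; anything else is a CIDR network."""
    net = ipaddress.ip_network(subnet, strict=False)
    return str(net.network_address) if net.num_addresses == 1 else str(net)

def allow_list(sender_ip, allow_subnets=(), mapped_subnets=()):
    """Sorted entries added to iptables for one authorized sender.
    allow_subnets  (spa/allowTcpSubnets): added alongside the sender.
    mapped_subnets (spa/allowMappedTcpSubnets): added instead of the sender.
    Assumption: when both are set, mapped entries still replace the sender."""
    sender = ipaddress.ip_address(sender_ip)
    entries = set()
    if mapped_subnets:
        for subnet in mapped_subnets:
            addr = mapped_address(sender, subnet)
            if addr is not None:
                entries.add(str(addr))
    else:
        entries.add(str(sender))
    for subnet in allow_subnets:
        entries.add(normalize(subnet))
    return sorted(entries)
```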

SPA get rules

get spa

Shows the current configured subnets and mapped subnets which will be added to iptables when a valid SPA packet is received while using SPA in UDP-TCP mode.

Spectre/Meltdown mitigations

set kernel/cmdlineOptions mitigations=off

This removes some of the recent mitigations for defects in the x86 architecture. These mitigations are not required when the machine running the appliance is dedicated (not shared). By removing these mitigations significant performance benefits can be realized. AppGate appliances are supplied with mitigations off.

NOTE

The AppGate ZTNA appliance requires rebooting after running this command. This only removes mitigations from the AppGate ZTNA appliance; the mitigations must also be removed from the host for the full benefits to be realized.

Auto suspend (when under heavy load)

get gateway/suspendWatermarks

Get all watermarks for auto suspend.

get gateway/suspendWatermarks/numberOfSessions

Get specific watermark for auto suspend.

set -j gateway/suspendWatermarks/numberOfSessions/high 50

Set specific watermark high threshold.

set -j gateway/suspendWatermarks/numberOfSessions/low 40

Set specific watermark low threshold.

set -j gateway/suspendWatermarks/numberOfSessions/enabled false

Disable a specific watermark.

del gateway/suspendWatermarks/numberOfSessions

Restore the defaults for a specific watermark.

URL access override

set -j gateway/forwardToNginx true/false

This configuration is not recommended for normal usage. Instead the appropriate number and size of Gateways should be specified for the expected loads.
If set to false then for a given Gateway all the HTTP up actions will fall back to TCP up actions. The user’s entitlement tokens will need to be renewed for this change to be made effective.