The Umbrella Virtual Appliances (VAs) run on the Ubuntu operating system, which is a Linux distribution based on Debian. Not all of the commands typically available in Linux are available to customers within the VA's "Configuration Mode" command line. Instead, the VAs utilize a restricted shell environment which provides a number of troubleshooting / diagnostic commands, as well as config commands to change relevant settings within the VAs.
For more information about configuring the VAs using the Configuration Mode, see https://docs.umbrella.com/deployment-umbrella/docs/5-configuring-the-vas
The following commands are available as of VA software version 3.1.1:
1) The tunnel subcommand is used for enabling and configuring the support tunnels, similar to doing so via Ctrl+B from the VA console.
config tunnel enable <optional time open, default is 72hrs>
config tunnel disable <optional time open, default is 72hrs>
config tunnel disable
config tunnel status
2) The snmp subcommand is used for enabling and configuring SNMP support.
config snmp enable
config snmp configure -v2 -c <community string>
config snmp status
3) The anycast subcommand is used to configure AnyCast BGP.
config anycast enable <anycast ip> <ASN:ROUTER-IP:HOP-COUNT of BGP router>
config anycast status
config anycast disable
config anycast stats
config anycast add <ASN:ROUTER-IP:HOP-COUNT of BGP router>
config anycast delete <BGP router IP address>
4) The va subcommand is used for all of the routine configurations on the VAs.
config va status
config va name <New name for the VA>
config va interface <interface name> <ip address> <subnet mask> <gateway>
config va interface6 <interface name> <IPv6 address/prefix> <IPv6 gateway>
config va show
config va localdns <internal DNS1> <internal DNS2> <internal DNS3> <etc>
config va ssh enable
config va dmz enable
config va dnssec enable
config va per-ip-rate-limit enable <packets/sec> <burst rate>
For more information about configuring rate-limiting, see https://docs.umbrella.com/deployment-umbrella/docs/appendix-e-other-configurations#section-configure-rate-limiting
For more information about configuring DNSSEC support, see https://docs.umbrella.com/deployment-umbrella/docs/appendix-e-other-configurations#section-configure-dnssec-support
As of version 2.8, it is also possible to configure the VAs to use specific resolvers using the resolvers subcommand. It is not possible to configure a custom resolver, however, so you are limited to the following options:
(Note: the US-Only resolvers are not yet generally available)
config va resolvers US (Uses 220.127.116.11 and 18.104.22.168)
config va resolvers US-v6 (Uses 2620:119:17::76 and 2620:119:76::76)
config va resolvers global (Uses 22.214.171.124 and 126.96.36.199)
config va resolvers global-v6 (Uses 2620:119:35::35 and 2620:119:53::53)
config va resolvers alternate (Uses 188.8.131.52 and 184.108.40.206)
5) The ntp subcommand can be used to define custom NTP servers on the VAs.
config ntp add <New NTP server>
config ntp show
6) The admap subcommand is used to configure identity association timeouts, as well as to view or clear the AD Mapping. At this time, it is only possible to clear the mappings of an individual IP address. There is not currently a way to clear all AD mappings from the restricted shell.
config admap view <ip address>
config admap clear <ip address>
config admap set-user-timeout 28800 (This would set it for 8hrs)
config admap show-timeout
7) The logexport subcommand is used to export audit logs, health logs, and/or internal DNS request logs to a remote syslog server. It is new to version 3.1.1. For more information, see:
8) The localdns subcommand is used to configure conditional forwarding of internal domains to specific internal DNS servers. It is new to version 3.2. For more information, see:
For more information, see http://manpages.ubuntu.com/manpages/focal/en/man1/df.1.html
For more information, see http://manpages.ubuntu.com/manpages/focal/en/man1/free.1.html
Links are included at the top of this article for each available command
iostat displays CPU statistics and input/output statistics for devices and partitions.
For more information, see http://manpages.ubuntu.com/manpages/focal/en/man1/iostat.1.html
For more information, see http://manpages.ubuntu.com/manpages/focal/en/man8/netstat.8.html
Running a lookup using the above syntax will cause the VA to send the query to our public resolvers rather than to itself. In order to successfully perform a lookup for an internal domain, you will need to specify your internal DNS server:
nslookup <Internal Domain> <Internal DNS Server IP>
To run an internal or external lookup from the VA against itself, you would run as follows:
nslookup <domain> 127.0.0.1
For more information, see http://manpages.ubuntu.com/manpages/focal/en/man1/nslookup.1.html
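The three lookup paths described above can be compared by saving the nslookup output from each and checking that the VA and the internal DNS server return the same answer for an internal domain. This is an added example, not part of the original article or Cisco's tooling; the domain, the addresses and the sample outputs are constructed, and the script is meant to run on an administrator workstation over text copied from the VA console.

```shell
#!/bin/sh
# Added example: compare captured nslookup outputs (all sample data is constructed).

# Print the answer addresses, one per line, sorted. The header "Address:" line
# names the server that was queried and carries "#53", so it is skipped.
ns_answers() {
  awk '$1 == "Address:" && $2 !~ /#/ { print $2 }' | sort -u
}

# Print OK, EMPTY, or the error code from a "** server can't find" line.
ns_status() {
  awk '
    /^\*\* server can.t find/ { status = $NF }
    $1 == "Address:" && $2 !~ /#/ { n++ }
    END { if (status != "") print status; else if (n > 0) print "OK"; else print "EMPTY" }'
}

# Compare two captured outputs: MATCH only if both resolved to the same set.
compare_lookups() {
  a_status=$(printf '%s\n' "$1" | ns_status)
  b_status=$(printf '%s\n' "$2" | ns_status)
  a=$(printf '%s\n' "$1" | ns_answers)
  b=$(printf '%s\n' "$2" | ns_answers)
  if [ "$a_status" = OK ] && [ "$b_status" = OK ] && [ "$a" = "$b" ]; then
    echo "MATCH"
  else
    echo "MISMATCH ($a_status vs $b_status)"
  fi
}

# Constructed capture of: nslookup intranet.corp.example 127.0.0.1
VIA_VA='Server:   127.0.0.1
Address:  127.0.0.1#53

Name:     intranet.corp.example
Address: 10.0.0.25'

# Constructed capture of: nslookup intranet.corp.example 10.0.0.10
VIA_INTERNAL='Server:   10.0.0.10
Address:  10.0.0.10#53

Name:     intranet.corp.example
Address: 10.0.0.25'

# Constructed capture of the default syntax (answered by a public resolver).
VIA_DEFAULT='Server:   192.0.2.53
Address:  192.0.2.53#53

** server can'"'"'t find intranet.corp.example: NXDOMAIN'

echo "VA vs internal DNS: $(compare_lookups "$VIA_VA" "$VIA_INTERNAL")"
echo "VA vs default path: $(compare_lookups "$VIA_VA" "$VIA_DEFAULT")"
```

A mismatch between the VA and the internal DNS server for an internal domain points at the VA's local DNS or internal domain settings; NXDOMAIN on the default path is expected for internal names.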
You will then be prompted for the old password, then the new one. Alternatively, you can reset the password to the default from the Sites and Active Directory section of your dashboard.
Most common usage would generally be as follows:
ping -c 4 <Domain or IP>
For more information, see http://manpages.ubuntu.com/manpages/focal/en/man1/ping.1.html
Most common usage would be as follows:
ping6 -c 4 <Domain or IPv6 address>
For more information, see http://manpages.ubuntu.com/manpages/focal/en/man1/ping6.1.html
For more information, see the man page: die.net - tcptraceroute Linux man page
traceroute <domain or IP>
For more information, see https://manpages.ubuntu.com/manpages/precise/en/man1/traceroute.db.1.html
For more information, see https://manpages.ubuntu.com/manpages/focal/man8/traceroute6.iputils.8.html