The following topics show the command line supported by the ThreatSTOP Centralized Manager.


  • –help: The available help systems, this command may be used in several locations to load context sensitive help (where available) relative to the commands and switches being used.
  • –version: The version of tsadmin being accessed is displayed.
  • –show <device name>: All information on record about a specified device, including the DNS server addresses is displayed.
  • –update <device name>: Updates block and allow lists manually
  • –remove <device name>: Removes an unwanted device from the list of devices to manage.
  • –list: Displays a list of all devices currently being controlled by TSCM. Specifies the following information about the device:
    • Type: The type of firewall associated with the device, this will control which TSCM module is used to interface with the device.
    • Management IP: The IP address used to issue commands to the router.
    • Syslog IP: The IP address used by the router to provide event messages (block messages) to the ThreatSTOP client. Used by the VM to configure Syslog, to provide the associated IPs with routers.
    • Log Upload IP: The IP address to identify the log to ThreatSTOP. This must match what has been entered in the ThreatSTOP Portal.
    • Log size: What size the log is allowed to reach before being rotated out and scheduled for upload to ThreatSTOP for further analysis.
    • Device updates: Shows whether the device is setup to receive updates to the block and allow lists from ThreatSTOP.
    • Log uploads: Clearly shows if logs from this device will be gathered and uploaded to ThreatSTOP for analysis.
  • –add <device name>: Used to add a specified device to the TSCM. This is used to enter the device entry flow outlined in Adding a Device to the TSCM.
  • –configure <device name>: Allows the specified device to be reconfigured after initial setup. More information about configuring a device may be found in the configuration switches below.


All devices

  • –allow_list:ThreatSTOP Allow List Name. Default value: dns.threatstop.local
  • –block_list:ThreatSTOP Block List Name. Default value: basic.threatstop.local
  • –device:Management IP address. Default value: None
  • –dns_server:DNS server to use (use multiple times for more than one DNS server). Default:
  • –logsize:Syslog file size in Kb before it is rotated. Default value: 100.
  • –logupload:Enable log uploads. This has two valid statuses: enabled and disabled.
  • –loguploadip:External IP address of device (can be determined by a visit to our Valid IP page).
  • –maxpolicysize:Maximum number of entries allowed in block or allow object groups. This value will need to be adjusted based on the model of networking device. For example Cisco ASA models 5520 and higher will be ok with the default of 30000. However, other devices may have different sizes they can use.
  • –object_group_allow:Name of the network object group for the allow lists. Default value: threatstop-allow.
  • –object_group_block: Name of the network object group for the block lists. Default value: threatstop-block.
  • –password: API or SSH password, the password used to access the command line (Cisco, Fortinet) or Login password (PAN) on the firewall
  • –port: Port number to use for DNS queries, the default value is 53. Port 5353 can be used if Port 53 is unreachable on the internet in your network.
  • –syslogip: IP address from which to capture device logs
  • –updates:Enable device policy updates. Determines whether updates downloaded from ThreatSTOP will be applied to the device. Two states are available: enabled or disabled.
  • –username: SSH username (Cisco, Fortinet) or Login user (PAN)

Cisco ASA/ISR devices

  • –custom_username_prompt:Custom username prompt on the device
  • –custom_password_prompt:Custom password prompt on the device. Default value: None
  • –enable_pw:Enable password. Default value: None
  • –ssh_options:Options to pass to SSH. Default value: None. (ISR devices only)

Fortinet devices

  • –allow_address_group:Name of the address group for the allow lists. Default value: None
  • –block_address_group:Name of the address group for the block lists. Default value: None
  • –maxpolicygroupsize:Maximum number of entries allowed in block or allow address groups. Default value: None
  • –vdom: Virtual domain name (case-sensitive). Default value: None.
  • –vdom_support: Enable virtual domain support. Default value: None. Valid values: enabled, disabled

PanOS devices

  • –additional_devices:If in HA mode, these are the additional IP(s) (quoted, space-separated). Default value: None
  • –max_dynamic_lists:Number of dynamic lists to use (2-9). Default value: None. Valid values: [2,3,4,5,6,7,8,9]
  • –trusted_zone:The name of the trusted zone. Default value: None
  • –untrusted_zone:The name of the untrusted zone. Default value: None
  • –vsys_name: Virtual system name (case-sensitive). Default value: None.