Introduction to the Command Line Interface

In This Section:

This chapter gives an introduction to the Gaia command line interface (CLI). The default shell of the CLI is called clish.

To use the CLI:

Connect to the platform using a command-line connection (SSH or a console) over a TCP/IP network.
Log on using a user name and password.
Immediately after installation, the default user name and password are admin and admin.

Saving Configuration Changes

When you change the OS configuration with the CLI, changes are applied immediately to the running system only. To have the changes survive a reboot, you must run: save config

Commands and Features

Gaia commands are organized into groups of related features, with a basic syntax:

operation feature parameter

The most common operations are add, set, show, delete

Main operations	Description
`add`	Adds a new value to the system.
`set`	Sets a value in the system.
`show`	Shows a value or values from the system.
`delete`	Deletes a value from the system.

Other operations	Description
`save`	Saves the configuration changes made since the last save operation.
`reboot`	Restart the system.
`halt`	Turns the computer off.
`quit`	Exits from the CLI.
`exit`	Exits from the shell.
`Start`	Starts a transaction. Puts the CLI into transaction mode. All changes made using commands in transaction mode are applied at once or none of the changes are applied based on the way transaction mode is terminated.
`commit`	Ends transaction by committing changes.
`rollback`	Ends transaction by discarding changes.
`expert`	Enter the expert shell. Allows low-level access to the system, including the file system.
`ver`	Shows the version of the active Gaia image.
`revert`	Revert the database.
`help`	Get help on navigating the CLI and some useful commands.

To see the commands you have permissions to run: show commands

To see a list of all features: show commands feature <TAB>

To see all commands for a specific feature: show commands feature <featureName>

To see all commands for an operation of a feature: show commands [op <name>] [feature <name>]

To see all operations: show commands op <SPACE> <TAB>

At the More prompt:

To see the next page, press <SPACE>.

To see the next line, press <ENTER>.

To exit the CLI prompt, press Q.

Command Completion

You can automatically complete a command. This saves time, and can also help if you are not sure what to type next.

Press ...

To do this...

<TAB>

Complete or fetch the keyword. For example

Gaia> set in<TAB>

inactivity-timeout - Set inactivity timeout

interface          - Displays the interface related parameters

Gaia> set in

Show the arguments that the command for that feature accepts. For example:

Gaia> set interface <SPACE> <TAB>

eth0 eth1 lo

Gaia> set interface

See possible command completions. For example

Gaia> set inter<ESC><ESC>

set interface VALUE ipv4-address VALUE mask-length VALUE

set interface VALUE ipv4-address VALUE subnet-mask VALUE

set interface VALUE ipv6-address VALUE mask-length VALUE

set interface VALUE { comments VALUE mac-addr VALUE mtu VALUE state VALUE speed VALUE duplex VALUE auto-negotiation VALUE }

set interface VALUE { ipv6-autoconfig VALUE }

Gaia> set inter

Get help on a feature or keyword. For example

Gaia> set interface <?>

interface: {show/add/delete} interface "interface-name"

Gaia> set interface

UP/DOWN arrow

Browse the command history.

LEFT/RIGHT arrow

Edit command.

Enter

Run a command string. The cursor does not have to be at the end of the line.

You can usually abbreviate the command to the smallest number of unambiguous characters.

Command History

You can recall commands you have used before, even in previous sessions.

Command	Description
↓	Recall previous command.
↑	Recall next command.
history	Show the last 100 commands.
!!	Run the last command.
!nn	Run a specific previous command: The nn command.
!‑nn	Run the nnth previous command. For example, entering !‑3 runs the third from last command.
!str	Run the most recent command that starts with str.
!\?str\?	Run the most recent command containing str. The trailing ? may be omitted if str is followed immediately by a new line.
!!:s/str1/str2	Repeat the last command, replacing str1 with str2.

Command Reuse

You can combine word designators with history commands to refer to specific words used in previous commands. Words are numbered from the beginning of the line with the first word being denoted by 0. Use a colon to separate a history command from a word designator. For example, you could enter !!:1 to refer to the first argument in the previous command. In the command show interfaces, interfaces is word 1.

Word Designator	Meaning
`0`	The operation word.
`n`	The `n`th word.
`^`	The first argument; that is, word 1.
`$`	The last argument.
`%`	The word matched by the most recent `\?str\?` search.

Immediately after word designators, you can add a sequence of one or more of the following modifiers, each preceded by a colon:

Modifier	Meaning
`p`	Print the new command but do not execute
`s/str1/str2`	Substitute `new` for the first occurrence of old in the word being referred to.
`g`	Apply changes over the entire command. Use this modified in conjunction with `s`, as in `gs/str1/str2`.

Command Line Movement and Editing

You can back up in a command you are typing to correct a mistake. To edit a command, use the left and right arrow keys to move around and the Backspace key to delete characters. You can enter commands that span more than one line.

These are the keystroke combinations you can use:

Keystroke combination	Meaning
Alt-D	Delete next word.
Alt-F	Go to the next word.
Ctrl-Alt-H	Delete the previous word.
Ctrl-shift_	Repeat the previous word.
Ctrl-A	Move to the beginning of the line.
Ctrl-B	Move to the previous character.
Ctrl-E	Move to the end of the line.
Ctrl-F	Move to the next character.
Ctrl-H	Delete the previous character.
Ctrl-L	Clear the screen and show the current line at the top of the screen.
Ctrl-N	Next history item.
Ctrl-P	Previous history item.
Ctrl-R	Redisplay the current line.
Ctrl-U	Delete the current line.

Obtaining a Configuration Lock

Only one user can have Read/Write access to Gaia configuration settings at a time. All other users can log in with Read-Only access to see configuration settings, as specified by their assigned roles.

When you log in and no other user has Read/Write access, you get an exclusive configuration lock with Read/Write access. If a different user already has the configuration lock, you have the option to override their lock. If you:

Override the lock, the other user stays logged in with Read-Only access.
Do not override the lock, you cannot modify the settings.

Use the database feature to obtain the configuration lock.

The commands do the same thing: obtain the configuration lock from another administrator.

Description	Use the `lock database override` and `unlock database` commands to get exclusive read-write access to the database by taking write privileges to the database away from other administrators logged into the system.
Syntax	`lock database override` `unlock database`
Comments	Use these commands with caution. The admin whose write access is revoked does not receive notification.

Configuring Configuration Lock Behavior

The behavior of the configuration lock command is configured using: config-lock.

Description

Configures and shows the state of the configuration lock

Syntax

set config-lock {off | on [timeout <seconds>] override
show {config-lock | config-state}

Parameters

Parameter

Description

off | on

Turns the configuration lock on and off.

When you turn config‑lock on, the default timeout value is 300 seconds.

timeout

Enables config-lock for the specified interval in seconds (5‑900).

Comments

set config-lock on override is identical to lock database override
set config-lock off is identical to unlock database

32 and 64-bit Gaia Editions

64-bit support for a Gaia device depends on the appliance type (for a Check Point appliance) and hardware capabilities (for open servers).

For more on supported platforms and kernels, see the R77 Release notes.

Open servers always install a 32-bit kernel, but you can switch to the 64-bit kernel using the Edition feature.

Note - The open server hardware must support 64-bit for the Edition feature to work.

Description	Use the Edition feature to change the default between 32- and 64-bit versions of Gaia.
Syntax	`set edition default {32-bit \| 64-bit}`
Comments	Run the command from clish. The hardware platform must have at least 6 GB of memory for this to work. Remember to reboot the device.

To see which edition is running:

Go to the WebUI System Overview pane. The edition shows in the System Overview widget.
On the command line, run: show version os edition

Environment Commands

Description

Use these commands to set the CLI environment for a user for a particular session, or permanently.

Syntax

To show the client environment

show clienv {all | config-lock | debug | echo-cmd | on-failure | output | prompt | rows | syntax-check}

To set the client environment

set clienv {config-lock {on | off} | debug {0-6} | echo-cmd {on | off} | on-failure {continue | stop} | output {pretty | structured | xml} | prompt <prompt_string> | rows <row_number> | syntax-check {on | off}}

To save the client environment permanently

save clienv

Parameter	Description
`config-lock {on \| off}`	Default value of the clish `config-lock` parameter. If set to `on`, clish will lock the configuration when invoked, otherwise continue without a configuration lock. When the configuration is locked by clish, no configuration changes are possible in WebUI, until the lock is released.
`debug {0-6}`	Debug level. Predefined levels are: `0` - (Default) Do not debug, display error messages only `5` - Show `confd` requests and responses `6` - Show handler invocation parameters and results
`echo-cmd {on \| off}`	If set to `on`, echoes all commands before executing them, when the command execution is done through the `load configuration` command. The default is `off`.
`on-failure {continue \| stop}`	Action performed on failure: `continue` - Show error messages, but continue running commands from a file or a script `stop` - (Default) Stop running commands from a file or a script
`output {pretty \| structured \| xml}`	Command line output format. The default is `pretty`.
`prompt <`prompt_string`>`	Command prompt string. A valid prompt string can consist of any printable characters and a combination of these variables: `%H` - Replaced with the Command number `%I` - Replaced with the User ID `%M` - Replaced with the Hostname `%P` - Replaced with the Product I. `%U` - Replaced with the Username To set the prompt back to the default, use the keyword `default`.
`rows <`row_number`>`	Number of rows to show in your terminal window. If the window size is changed, the number of rows will also change, unless the value is set to 0 (zero).
`syntax-check {on \| off}`	Put the shell into syntax‑check mode. Commands you enter are checked syntactically and are not executed, but values are validated. The default is `off`.

Client Environment Output Format

These are the output formats that CLI supports:

Pretty
Output is formatted to be clear. For example, output of the command show user admin in pretty mode would look like this:

Uid Gid Home Dir. Shell Real Name
0 0 /home/admin /etc/cli.sh n/a
Structured
Output is delimited by semi-colons. For example, output of the command show user admin in structured mode would look like this:

Uid;Gid;Home Dir.;Shell;Real Name;
0;0;/home/admin;/etc/cli.sh;;
XML
Adds XML tags to the output. For example, output of the command show user admin in XML mode would look like this:

Gaia> set clienv output xml
Gaia> show user admin
<?xml version="1.0"?>
<CMDRESPONSE>
<CMDTEXT>show user admin</CMDTEXT>
<RESPONSE><System_User>
<Row>
<Uid>0</Uid>
<Gid>0</Gid>
<Home_Dir.>/home/admin</Home_Dir.>
<Shell>/etc/cli.sh</Shell>
<Real_Name></Real_Name>
</Row>
</System_User>
</RESPONSE>
</CMDRESPONSE>

Expert Mode

The default shell of the CLI is called clish. Clish is a restrictive shell (role-based administration controls the number of commands available in the shell). While use of clish is encouraged for security reasons, clish does not give access to low level system functions. For low level configuration, use the more permissive expert shell.

To use the expert shell, run: expert
To exit the expert shell and return to clish, run: exit

Expert- Password

A password protects that expert shell against authorized access. The expert password can be changed using the expert-password feature.

Description:

Use this command to set the expert password by plain text or MD5 salted hash. Use the MD5 salted hash option when upgrading or restoring using backup scripts.

Syntax:

set expert-password
set expert-password hash VALUE

Parameter	Description
`hash`	The password as an MD5 salted hash instead of plain text. Use this option when upgrading or restoring using backup scripts.

Example:

gw> set expert-password

Enter current expert password:

Enter new expert password:

Enter new expert password (again):

Password is only 5 characters long; it must be at least 6 characters in length.

Enter new expert password:

Enter new expert password (again):

Password is not complex enough; try mixing more different kinds of characters (upper case, lower case, digits, and punctuation).

Enter new expert password:

Enter new expert password (again):

gw> save config

Important - You must run save config to permanently set the new expert password.

User Defined (Extended) Commands

Description

Manage user defined (extended) commands in clish. Extended commands include:

Built in extended commands. These are mostly for configuration and troubleshooting of Gaia and Check Point products.
User defined commands.

You can do role based administration (RBA) with extended commands by assigning extended commands to roles and then assigning the roles to users or user groups.

Syntax

To show all extended commands

show extended commands

To show the path and description of a specified extended command

show command VALUE

To add an extended command

add command VALUE path VALUE description VALUE

To delete an extended command

delete command VALUE

Parameters

Parameter	Description
`command`	Name of the extended command
`path`	Path of the extended command
`description`	Description of the extended command

Example

To add the free command to the systemDiagnosis role and assign a user with that role:

To add the free command, run
add command free path /usr/bin/free description "Display amount of free and used memory in the system"
Save the configuration. Run
save config
Log out of Gaia and log in again.
To add the free command to the systemDiagnosis role, run
add rba role systemDiagnosis domain-type System readwrite-features ext_free
To assign user john with the systemDiagnosis role, run
add rba user john roles systemDiagnosis