Print Download PDF Send Feedback



Introduction to the Command Line Interface

In This Section:

Saving Configuration Changes

Commands and Features

Command Completion

Command History

Command Line Movement and Editing

Obtaining a Configuration Lock

32 and 64-bit Gaia Editions

Environment Commands

Expert Mode

User Defined (Extended) Commands

This chapter gives an introduction to the Gaia command line interface (CLI). The default shell of the CLI is called clish.

To use the CLI:

  1. Connect to the platform using a command-line connection (SSH or a console) over a TCP/IP network.
  2. Log on using a user name and password.

    Immediately after installation, the default user name and password are admin and admin.

Saving Configuration Changes

When you change the OS configuration with the CLI, changes are applied immediately to the running system only. To have the changes survive a reboot, you must run: save config

Commands and Features

Gaia commands are organized into groups of related features, with a basic syntax:

operation feature parameter

The most common operations are add, set, show, delete

Main operations



Adds a new value to the system.


Sets a value in the system.


Shows a value or values from the system.


Deletes a value from the system.

Other operations



Saves the configuration changes made since the last save operation.


Restart the system.


Turns the computer off.


Exits from the CLI.


Exits from the shell.


Starts a transaction. Puts the CLI into transaction mode. All changes made using commands in transaction mode are applied at once or none of the changes are applied based on the way transaction mode is terminated.


Ends transaction by committing changes.


Ends transaction by discarding changes.


Enter the expert shell. Allows low-level access to the system, including the file system.


Shows the version of the active Gaia image.


Revert the database.


Get help on navigating the CLI and some useful commands.

To see the commands you have permissions to run: show commands

To see a list of all features: show commands feature <TAB>

To see all commands for a specific feature: show commands feature <featureName>

To see all commands for an operation of a feature: show commands [op <name>] [feature <name>]

To see all operations: show commands op <SPACE> <TAB>

At the More prompt:

To see the next page, press <SPACE>.

To see the next line, press <ENTER>.

To exit the CLI prompt, press Q.

Command Completion

You can automatically complete a command. This saves time, and can also help if you are not sure what to type next.

Press ...

To do this...


Complete or fetch the keyword. For example

Gaia> set in<TAB>
inactivity-timeout - Set inactivity timeout
interface          - Displays the interface related parameters
Gaia> set in


Show the arguments that the command for that feature accepts. For example:

Gaia> set interface <SPACE> <TAB>
eth0 eth1 lo
Gaia> set interface


See possible command completions. For example

Gaia> set inter<ESC><ESC>
set interface VALUE ipv4-address VALUE mask-length VALUE
set interface VALUE ipv4-address VALUE subnet-mask VALUE
set interface VALUE ipv6-address VALUE mask-length VALUE
set interface VALUE { comments VALUE mac-addr VALUE mtu VALUE state VALUE speed VALUE duplex VALUE auto-negotiation VALUE }
set interface VALUE { ipv6-autoconfig VALUE }
Gaia> set inter


Get help on a feature or keyword. For example

Gaia> set interface <?>
interface: {show/add/delete} interface "interface-name"
Gaia> set interface

UP/DOWN arrow

Browse the command history.


Edit command.


Run a command string. The cursor does not have to be at the end of the line.

You can usually abbreviate the command to the smallest number of unambiguous characters.

Command History

You can recall commands you have used before, even in previous sessions.



Recall previous command.

Recall next command.


Show the last 100 commands.


Run the last command.


Run a specific previous command: The nn command.


Run the nnth previous command. For example, entering !‑3 runs the third from last command.


Run the most recent command that starts with str.


Run the most recent command containing str. The trailing ? may be omitted if str is followed immediately by a new line.


Repeat the last command, replacing str1 with str2.

Command Reuse

You can combine word designators with history commands to refer to specific words used in previous commands. Words are numbered from the beginning of the line with the first word being denoted by 0. Use a colon to separate a history command from a word designator. For example, you could enter !!:1 to refer to the first argument in the previous command. In the command show interfaces, interfaces is word 1.

Word Designator



The operation word.


The nth word.


The first argument; that is, word 1.


The last argument.


The word matched by the most recent \?str\? search.

Immediately after word designators, you can add a sequence of one or more of the following modifiers, each preceded by a colon:




Print the new command but do not execute


Substitute new for the first occurrence of old in the word being referred to.


Apply changes over the entire command. Use this modified in conjunction with s, as in gs/str1/str2.

Command Line Movement and Editing

You can back up in a command you are typing to correct a mistake. To edit a command, use the left and right arrow keys to move around and the Backspace key to delete characters. You can enter commands that span more than one line.

These are the keystroke combinations you can use:

Keystroke combination



Delete next word.


Go to the next word.


Delete the previous word.


Repeat the previous word.


Move to the beginning of the line.


Move to the previous character.


Move to the end of the line.


Move to the next character.


Delete the previous character.


Clear the screen and show the current line at the top of the screen.


Next history item.


Previous history item.


Redisplay the current line.


Delete the current line.

Obtaining a Configuration Lock

Only one user can have Read/Write access to Gaia configuration settings at a time. All other users can log in with Read-Only access to see configuration settings, as specified by their assigned roles.

When you log in and no other user has Read/Write access, you get an exclusive configuration lock with Read/Write access. If a different user already has the configuration lock, you have the option to override their lock. If you:

Use the database feature to obtain the configuration lock.

The commands do the same thing: obtain the configuration lock from another administrator.


Use the lock database override and unlock database commands to get exclusive read-write access to the database by taking write privileges to the database away from other administrators logged into the system.


  • lock database override
  • unlock database


Use these commands with caution. The admin whose write access is revoked does not receive notification.

Configuring Configuration Lock Behavior

The behavior of the configuration lock command is configured using: config-lock.


Configures and shows the state of the configuration lock


set config-lock {off | on [timeout <seconds>] override
show {config-lock | config-state}




off | on

Turns the configuration lock on and off.

When you turn config‑lock on, the default timeout value is 300 seconds.


Enables config-lock for the specified interval in seconds (5‑900).



  • set config-lock on override is identical to lock database override
  • set config-lock off is identical to unlock database

32 and 64-bit Gaia Editions

64-bit support for a Gaia device depends on the appliance type (for a Check Point appliance) and hardware capabilities (for open servers).

For more on supported platforms and kernels, see the R77 Release notes.

Open servers always install a 32-bit kernel, but you can switch to the 64-bit kernel using the Edition feature.

Note - The open server hardware must support 64-bit for the Edition feature to work.


Use the Edition feature to change the default between 32- and 64-bit versions of Gaia.


set edition default {32-bit | 64-bit}


  • Run the command from clish.
  • The hardware platform must have at least 6 GB of memory for this to work.
  • Remember to reboot the device.

To see which edition is running:

Environment Commands


Use these commands to set the CLI environment for a user for a particular session, or permanently.


To show the client environment

show clienv {all | config-lock | debug | echo-cmd | on-failure | output | prompt | rows | syntax-check}


To set the client environment

set clienv {config-lock {on | off} | debug {0-6} | echo-cmd {on | off} | on-failure {continue | stop} | output {pretty | structured | xml} | prompt <prompt_string> | rows <row_number> | syntax-check {on | off}}


To save the client environment permanently

save clienv



config-lock {on | off}

Default value of the clish config-lock parameter. If set to on, clish will lock the configuration when invoked, otherwise continue without a configuration lock. When the configuration is locked by clish, no configuration changes are possible in WebUI, until the lock is released.

debug {0-6}

Debug level. Predefined levels are:

  • 0 - (Default) Do not debug, display error messages only
  • 5 - Show confd requests and responses
  • 6 - Show handler invocation parameters and results

echo-cmd {on | off}

If set to on, echoes all commands before executing them, when the command execution is done through the load configuration command. The default is off.

on-failure {continue | stop}

Action performed on failure:

  • continue - Show error messages, but continue running commands from a file or a script
  • stop - (Default) Stop running commands from a file or a script

output {pretty | structured | xml}

Command line output format. The default is pretty.

prompt <prompt_string>

Command prompt string. A valid prompt string can consist of any printable characters and a combination of these variables:

  • %H - Replaced with the Command number
  • %I - Replaced with the User ID
  • %M - Replaced with the Hostname
  • %P - Replaced with the Product I.
  • %U - Replaced with the Username

To set the prompt back to the default, use the keyword default.

rows <row_number>

Number of rows to show in your terminal window. If the window size is changed, the number of rows will also change, unless the value is set to 0 (zero).

syntax-check {on | off}

Put the shell into syntax‑check mode. Commands you enter are checked syntactically and are not executed, but values are validated. The default is off.

Client Environment Output Format

These are the output formats that CLI supports:

Expert Mode

The default shell of the CLI is called clish. Clish is a restrictive shell (role-based administration controls the number of commands available in the shell). While use of clish is encouraged for security reasons, clish does not give access to low level system functions. For low level configuration, use the more permissive expert shell.

Expert- Password

A password protects that expert shell against authorized access. The expert password can be changed using the expert-password feature.


Use this command to set the expert password by plain text or MD5 salted hash. Use the MD5 salted hash option when upgrading or restoring using backup scripts.


  • set expert-password
  • set expert-password hash VALUE





The password as an MD5 salted hash instead of plain text. Use this option when upgrading or restoring using backup scripts.



gw> set expert-password

Enter current expert password:

Enter new expert password:

Enter new expert password (again):

Password is only 5 characters long; it must be at least 6 characters in length.

Enter new expert password:

Enter new expert password (again):

Password is not complex enough; try mixing more different kinds of characters (upper case, lower case, digits, and punctuation).

Enter new expert password:

Enter new expert password (again):

gw> save config

Important - You must run save config to permanently set the new expert password.

User Defined (Extended) Commands


Manage user defined (extended) commands in clish. Extended commands include:

  1. Built in extended commands. These are mostly for configuration and troubleshooting of Gaia and Check Point products.
  2. User defined commands.

You can do role based administration (RBA) with extended commands by assigning extended commands to roles and then assigning the roles to users or user groups.


To show all extended commands

show extended commands

To show the path and description of a specified extended command

show command VALUE

To add an extended command

add command VALUE path VALUE description VALUE

To delete an extended command

delete command VALUE





Name of the extended command


Path of the extended command


Description of the extended command



To add the free command to the systemDiagnosis role and assign a user with that role:

  1. To add the free command, run

    add command free path /usr/bin/free description "Display amount of free and used memory in the system"

  2. Save the configuration. Run

    save config

  3. Log out of Gaia and log in again.
  4. To add the free command to the systemDiagnosis role, run

    add rba role systemDiagnosis domain-type System readwrite-features ext_free

  5. To assign user john with the systemDiagnosis role, run

    add rba user john roles systemDiagnosis