Global Commands
The Gaia
Check Point security operating system that combines the strengths of both SecurePlatform and IPSO operating systems. operating system includes a set of global commands that apply to all or specified Security Group A logical group of Security Appliances that provides Active/Active cluster functionality. A Security Group can contain one or more Security Appliances. Security Groups work separately and independently from each other. To the production networks, a Security Group appears a single Security Gateway. Every Security Group contains: (A) Applicable Uplink ports, to which your production networks are connected; (B) Security Appliances (the Quantum Maestro Orchestrator determines the applicable Downlink ports automatically); (C) Applicable management port, to which the Check Point Management Server is connected. Members in a Security Group.
Working with Global Commands
Background
-
Gaia gClish
The name of the global command line shell in Check Point Gaia operating system for Security Appliances connected to Check Point Quantum Maestro Orchestrators. Commands you run in this shell apply to all Security Appliances in the Security Group. commands apply globally to all Security Group Members in the Security Group, by default. -
Gaia gClish commands do not apply to Security Group Members that are DOWN in the Security Group. If you run a
setcommand while a Security Group Member is DOWN, the command does not update that Security Group Member. The Security Group Member synchronizes its database during startup and applies the changes after reboot. -
Gaia Clish
The name of the default command line shell in Check Point Gaia operating system. This is a restricted shell (role-based administration controls the number of commands available in the shell). commands apply only to the specific Security Group Member. They are documented in the R80.30SP Quantum Maestro Gaia Administration Guide.
Global Commands
|
Command |
Description |
|
|---|---|---|
|
|
|
|
|
|
|
|
|
|
|
Check Point Global Commands
These global commands apply to more than one Security Group Member. These global commands let you work with Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. and SecureXL Check Point product on a Security Gateway that accelerates IPv4 and IPv6 traffic that passes through a Security Gateway..
fw, fw6
Description
The fw and fw6 commands are global scripts that run the fw and fw6 commands on each Security Group Member.
Below are some examples:
Example 1
[Expert@MyChassis-ch01-01:0]# gclish [Global] MyChassis-ch01-01> fw ctl -*- 2 blades: 1_01 1_02 -*- Usage: fw ctl command args... Commands: install, uninstall, pstat, iflist, arp, debug, kdebug, bench chain, conn, multik, conntab, fwghtab_bl_stats > |
Example 2
[Expert@MyChassis-ch01-01:0]# gclish [Global] MyChassis-ch01-01> fw ctl iflist -*- 6 blades: 1_01 1_02 1_03 2_01 2_02 2_03 -*- 0 : BPEth0 1 : BPEth1 2 : eth1-Mgmt4 3 : eth2-Mgmt4 4 : eth1-01 5 : eth1-CIN 6 : eth2-CIN 8 : eth2-01 16 : Sync 17 : eth1-Mgmt1 18 : eth2-Mgmt1 > |
fw dbgfile
Description
Use the fw dbgfile commands in Gaia gClish to debug the system.
Syntax to collect the debug
> fw dbgfile collect -f <debug_file_path> [-buf <buf_size>] [-m <debug_module_1> <debug_flags_1> [-m <debug_module_2> <debug_flags_2>] ... [-m <debug_module_N> <debug_flags_N>]]
|
Syntax to show the collected debug
> fw dbgfile view [<debug_file_path>] [-o <agg_file_path>]
|
Parameters
|
Parameter |
Description |
|---|---|
|
|
Collects the Security Gateway debug information. |
|
|
Shows the collected debug information. |
|
|
Specifies the full path of the debug file. |
|
|
Specifies the debug buffer size. Always set the maximal size 8200. |
|
|
Specifies Security Gateway debug modules and debug flags in those modules. You can specify more than one debug module. |
|
|
Uses an aggregate debug file.
|
Below are some examples:
Example - Collect debug information
|
|
Example - Show the collected debug information
|
|
|
|
Important - For complete debug procedure, see the R80.30SP Quantum Maestro Security Gateway Guide - Chapter Kernel Debug on Security Groups. |
fwaccel, fwaccel6
Description
The fwaccel commands control the acceleration for IPv4 traffic.
The fwaccel6 commands control the acceleration for IPv6 traffic.
When you run the fwaccel and fwaccel6 commands in Gaia gClish, they show combined information from all Security Group Members, for most parameters.
Syntax for IPv4
|
|
Syntax for IPv6
|
|
Parameters and Options
For more information, see the R80.30SP Quantum Maestro Performance Tuning Administration Guide - Chapter SecureXL - Section SecureXL Commands - Subsection 'fwaccel' and 'fwaccel6'.
General Global Commands
Global commands apply to more than one Security Group Member.
See the syntax of the global commands in Global Operating System Commands.
These commands are available in Gaia Clish and Gaia gClish:
|
In Gaia Clish and Gaia gClish |
In the Expert mode |
|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
Below are some global commands
Viewing the List of Global Commands (global help)
Description
The global help command in Gaia gClish shows the list of global commands you can use in Gaia gClish and how they are generally used.
Syntax
|
|
Below are some examples:
Example output in Gateway mode
[Expert@MyChassis-ch01-01:0]# gclish [Global] MyChassis-ch01-01> global help Usage: <command_name> [-b SGMs] [-a -l -r --] <native command arguments>Executes the specified command on specified blades. Optional Arguments: -b blades: in one of the following formats 1_1,1_4 or 1_1-1_4 or 1_01,1_03-1_08,1_10 all (default) chassis1 chassis2 chassis_active -a : Force execution on all SGMs (incl. down SGMs). -l : Execute only on local blade. -r : Execute only on remote SGMs.
|
Example output in VSX mode
[Expert@MyChassis-ch01-01:0]# gclish [Global] MyChassis-ch01-01> global help Usage: <command_name> [-b SGMs] [-a -l -r --] <native command arguments>Executes the specified command on specified blades. Optional Arguments: -b blades: in one of the following formats 1_1,1_4 or 1_1-1_4 or 1_01,1_03-1_08,1_10 all (default) chassis1 chassis2 chassis_active -a : Force execution on all SGMs (incl. down SGMs). -l : Execute only on local blade. -r : Execute only on remote SGMs.
|
Updating Configuration Files (update_conf_file)
Description
Use the update_conf_file command in Gaia gClish or the g_update_conf_file command in the Expert mode to add, update, and remove variables from configuration files.
|
|
Important - After you change the configuration files, you must reboot all Security Group Members.. |
Syntax
|
|
|
|
Parameters
|
Parameter |
Description |
|---|---|
|
|
Full path and name of the configuration file to update You do not need to specify the full path for these files (only specify the file name):
|
|
|
Name of the variable to update |
|
|
New value for the variable |
Examples
[Expert@MyChassis-ch01-01:0]# gclish [Global] MyChassis-ch01-01> [Global] MyChassis-ch01-01> update_conf_file /home/admin/MyConfFile.txt var1=hello [Global] MyChassis-ch01-01> [Global] MyChassis-ch01-01> cat /home/admin/MyConfFile.txt -*- 3 blades: 2_01 2_02 2_03 -*- var1=hello [Global] MyChassis-ch01-01> update_conf_file /home/admin/MyConfFile.txt var2=24h [Global] MyChassis-ch01-01> [Global] MyChassis-ch01-01> cat /home/admin/MyConfFile.txt -*- 3 blades: 2_01 2_02 2_03 -*- var2=24h var1=hello [Global] MyChassis-ch01-01> update_conf_file /home/admin/MyConfFile.txt var1=goodbye [Global] MyChassis-ch01-01> [Global] MyChassis-ch01-01> cat /home/admin/MyConfFile.txt -*- 3 blades: 2_01 2_02 2_03 -*- var2=24h var1=goodbye [Global] MyChassis-ch01-01> update_conf_file /home/admin/MyConfFile.txt var2= [Global] MyChassis-ch01-01> [Global] MyChassis-ch01-01> cat /home/admin/MyConfFile.txt -*- 3 blades: 2_01 2_02 2_03 -*- var1=goodbye [Global] MyChassis-ch01-01> |
Notes:
-
This command works with configuration files in a specified format. It is composed of lines where each line defines one variable:
<variable>=<value>The
$FWDIR/boot/modules/fwkern.confand$PPKDIR/conf/simkern.conffiles use this format. -
Variable name must not include an equal sign (
=). -
If the specified configuration file does not exist, this command creates it.
-
This command makes the required changes on all Security Group Members.
It is not necessary to copy the updated file to other Security Group Members with the "
asg_cp2blades" command.
Setting Firewall Kernel Parameters (g_fw ctl set)
Description
Use these commands in the Expert mode to set or show specified Firewall kernel parameters.
Syntax for viewing the current value of a variable
|
|
Syntax for setting a value of a variable
|
|
Parameters
|
Parameter |
Description |
|---|---|
|
|
Shows the specified parameter and its value. |
|
|
Change the parameter value to the specified value. |
|
|
Type of parameter value:
Note - You must enter the correct parameter type. |
|
|
Parameter name. |
|
|
Parameter value. |
Note - To make changes persistent, you must manually add the applicable kernel parameters and their values in the $FWDIR/boot/modules/fwkern.conf. Use the g_update_conf_file command in the Expert mode. See Updating Configuration Files (update_conf_file).
For more information, see the R80.30SP Quantum Maestro Security Gateway Guide - Chapter Working with Kernel Parameters on Security Groups.
Copying Files Between Security Group Members (asg_cp2blades)
Description
Use the asg_cp2blades command in Gaia gClish or the Expert mode to copy files from the current Security Group Member to other Security Group Members.
Syntax
|
|
Parameters
|
Parameter |
Description |
|---|---|
|
|
Applies to Security Group Members as specified by
|
|
|
Copy folders and directories that contain files. |
|
|
Save a local copy of the old file on each Security Group Member The copy is saved in the same directory as the new file. The old file has the same name with this at the end:
|
|
<source_path> |
Full path and name of the file to copy |
|
<dest_path> |
Full path of the destination If not specified, the command copies the file to the relative source file location. |
Example
[Expert@MyChassis-ch01-01:0]# gclish [Global] MyChassis-ch01-01 > asg_cp2blades /home/admin/note.txt Operation completed successfully [Global] MyChassis-ch01-01 > [Global] MyChassis-ch01-01 > cat /home/admin/note.txt -*- 3 blades: 2_01 2_02 2_03 -*- hello world [Global] MyChassis-ch01-01> |
Deleting Connections from the Connections Table (asg_clear_table)
Description
Deleting Connections from the Connections Table (asg_clear_table)
Description
Use the asg_clear_table command in Gaia gClish or the Expert mode to delete connections from the Security Gateway Connections table.
The command runs up to 15 times, or until there are less than 50 connections left.
Note - If you are connected to the machine with SSH, your connection is disconnected.
Syntax
|
|
Parameters
|
Parameter |
Description |
|---|---|
|
|
Applies to Security Group Members as specified by
Note - With this option, you can only select Security Group Members from one Site. |
Viewing Information about Interfaces on Security Group Members (show interface)
Description
Use the show interface command in Gaia gClish to view information about the interfaces on the Security Group Members.
For more information, see the R80.30SP Quantum Maestro Gaia Administration Guide - Chapter Network Management - Section Network Interfaces.
Syntax
|
|
|
|
Example
[Expert@MyChassis-ch01-01:0]# gclish [Global] MyChassis-ch01-01> show interface eth1-01 ipv4-address 1_01: ipv4-address 4.4.4.10/24 1_02: ipv4-address 4.4.4.10/24 1_03: ipv4-address 4.4.4.10/24 1_04: ipv4-address 4.4.4.10/24 1_05: Blade 1_05 is down. See "/var/log/messages". 2_01: ipv4-address 4.4.4.10/24 2_02: ipv4-address 4.4.4.10/24 2_03: ipv4-address 4.4.4.10/24 2_04: ipv4-address 4.4.4.10/24 2_05: ipv4-address 4.4.4.10/24 [Global] MyChassis-ch01-01> |