Expert Mode

Important:

On Scalable Platforms (Maestro and Chassis), you must run the applicable commands in Gaia Check Point security operating system that combines the strengths of both SecurePlatform and IPSO operating systems. gClish of the applicable Security Group.
On Scalable Platforms (Maestro and Chassis), you must run the applicable commands in the Expert mode on the applicable Security Group.
After you add, configure, or delete features, run the "save config" command to save the settings permanently.

Overview

The default Gaia shell is called clish.

Gaia Clish The name of the default command line shell in Check Point Gaia operating system. This is a restricted shell (role-based administration controls the number of commands available in the shell). is a restrictive shell (role-based administration controls the number of commands available in the shell).

While the use of Gaia Clish is encouraged for security reasons, Gaia Clish does not give access to low level system functions.

For low-level configuration, use the more permissive Expert mode shell.

In addition, see sk144112 - Dynamic CLI: Enhancing Gaia Clish with new "Expert" mode commands.

Moving Between Shells

To go from Gaia Clish to the Expert shell, run in Gaia Clish:

expert

To exit from the Expert shell and go back to Gaia Clish, run in the Expert mode:

exit

Notes

If a command is supported in Gaia Clish, it is not supported to run the corresponding command in the Expert mode.

For example, to work with interfaces, Gaia Clish provides the commands "show interface" and "set interface".

Therefore, it is not supported to run the "ifconfig" command in the Expert mode.
The Expert mode does not provide more privileges, only more configuration abilities.
The Expert mode is not a security feature. Rather, it offers protection against mistakes.
Refer to sk181230 to receive audit logs for the Expert mode login on Gaia servers.

Configuring the Expert mode Password

There is no default password for the Expert mode. You must configure a password for the Expert mode before you can use it.

Syntax to configure an Expert mode password in plain text

set expert-password

The password must contain at least 6 characters and a maximum of 30 characters.

Syntax to configure an Expert mode password as a salted hash

set expert-password-hash <Hash String>

CLI Parameters

Parameter

Description

expert-password-hash <Hash String>

The password as an MD5, SHA256, or SHA512 salted hash instead of plain text (the password string must contain at least 6 characters).

Use this option when you upgrade or restore using backup scripts.

You can generate the hash of the password with the "cpopenssl" command (run: cpopenssl passwd -help).

To configure the default hash algorithm, see:

Password Hashing Algorithm (in Gaia Portal Web interface for the Check Point Gaia operating system.)
Configuring Hashing Algorithm (in Gaia Clish)

Best Practice - Do not use MD5 hash because it is not secure.

Notes:

Format:

$<Hash Standard>$<Salt>$<Encrypted>

The length of this hash string must be less than 128 characters.
<Hash Standard>

One of these digits:
- 1 = MD5
- 5 = SHA256
- 6 = SHA512
<Salt>

A string of these characters:

a-z A-Z 0-9 . / [ ] _ ` ^

The length of this string must be between 2 and 16 characters.
<Encrypted>

A string of these characters:

a-z A-Z 0-9 . / [ ] _ ` ^

The length of this string must be:
- For MD5, less than 22 characters.
- For SHA256, less than 43 characters.
- For SHA512, less than 86 characters.

Example

gaia> set expert-password
Enter current expert password: *******
Enter new expert password: *****
Enter new expert password (again): *****
Password is only 5 characters long; it must be at least 6 characters in length.
Enter new expert password: ******
Enter new expert password (again): ******
Password is not complex enough; try mixing more different kinds of characters (upper case, lower case, digits, and punctuation).
Enter new expert password: *******
Enter new expert password (again): *******
 
gaia> save config

Running Gaia Clish Commands from the Expert mode

You can run Gaia Clish commands from the Expert mode.

You can configure and view Gaia OS settings only with Gaia Clish commands. You can automate various tasks for working with Gaia OS settings in the Expert mode.

Syntax on a Security Gateway / Cluster Member / Management Server / Log Server

clish ?

clish {-c <Gaia Clish Command> | -f <File> [-i]} [-s] [-o {pretty | structured | xml}] [-d <Debug Level>]

Syntax on a Scalable Platform Security Group

gclish ?

gclish {-c <Gaia Clish Command> | -f <File> [-i]} [-s] [-o {pretty | structured | xml}] [-d <Debug Level>]

CLI Parameters

Parameter

Description

?

Shows the built-in help.

-c <Gaia Clish Command>

Specifies the single Gaia Clish command to run.

The maximum length of the Gaia Clish command is 512 characters.

-f <File> [-i]

Specifies a full path to a plain-text file with Gaia Clish commands to run in the Batch Mode:

This file must contain only Gaia Clish commands (one command per line).
Each line is limited to 512 characters.
Every line that starts with the pound character "#" is treated as a comment and is not executed.

The optional parameter "-i" specifies to execute the next command in the file if the current command failed.

-s

Specify to run the Gaia Clish command "save config" at the end, to save the changes in the Gaia database.

-o <Output Format>

Specifies the output format on the screen:

pretty

Output is formatted to be clear.

This is the default.
structured

Output is delimited by semi-colons.
xml

Adds XML tags to the output.

For more information, see Client Environment Output Format.

-d <Debug Level>

Specifies the Debug Level (useful for Check Point R&D):

0 - Shows only errors (default)
from 1 to 3 - Shows more verbose messages
4 - Shows all messages (highest level of debug)

Note: The debug level can be set in these two ways:

In Gaia Clish, run:

set clienv debug <Debug Level>

save clienv

The debug level is saved in the /home/<username>/.clishrc file.

Gaia OS overwrites this file each time you run the Gaia Clish command "save clienv".

Example of a ".clishrc" file:

# It is SAFE to change values in this file.
#
History=100
Prompt=%M>
DebugLevel=4
EchoCommand=Off
OnFailure=Stop
SyntaxCheck=Off
OutputMode=Pretty
ConfigLock=On

In the Expert mode, run:

clish -d <Debug Level> {-c <Gaia Clish Command> | -f <File> [-i]}

Example

[Expert@MyGW:0]# clish -c "show version all"
Product version Check Point Gaia R81.10
OS build 123
OS kernel version 456
OS edition 64-bit
[Expert@MyGW:0]#