Configuring Security Groups in Gaia Clish
This section provides the configuration instructions for Gaia Clish The name of the default command line shell in Check Point Gaia operating system. This is a restricted shell (role-based administration controls the number of commands available in the shell)..
To start working in Gaia Clish on the Quantum Maestro Orchestrator:
Step |
Instructions |
||
---|---|---|---|
1 |
Connect to the Command Line on the Quantum Maestro Orchestrator A scalable Network Security System that connects multiple Check Point Security Appliances into a unified system. Synonyms: Orchestrator, Quantum Maestro Orchestrator, Maestro Hyperscale Orchestrator. Acronym: MHO. (over SSH, or through the Console Port). |
||
2 |
Log in to the Gaia Portal Web interface for the Check Point Gaia operating system. with these default credentials:
|
These are the main commands in Gaia Clish on Quantum Maestro Orchestrators:
|
Notes:
|
Applicable configuration procedures are provided below.
See Workflow for Configuring Security Groups.
Description
This command configures the number of Maestro sites - Single Site (value 1), or Dual Site (value 2).
Syntax
|
Description
This command shows the configured number of Maestro sites.
Syntax
|
Example
|
Description
This command configures the number of Orchestrators on a Maestro Site.
Syntax
|
Description
This command shows the configured number of Orchestrators on a Maestro Site.
Syntax
|
Example
|
Description
This command configures the Site ID in Dual Site deployment.
The Quantum Maestro Orchestrators on a site that were installed earlier, must get the ID 1.
The Quantum Maestro Orchestrators on a site that were installed later, must get the ID 2.
Syntax
|
Description
This command shows the configured Site ID in Dual Site deployment.
Syntax
|
Description
This command configures the Base Site Sync VLAN ID. Quantum Maestro Orchestrators of the same site use this value to calculate internal VLAN ID used for internal synchronization between Quantum Maestro Orchestrators.
|
Important:
|
Quantum Maestro Orchestrators use this Base Site Sync VLAN ID internally to calculate their Site Sync VLAN IDs based on these formulas:
-
For the first Quantum Maestro Orchestrator on the same Site (Orchestrator ID 1_1 and Orchestrator ID 2_1):
<Site Sync VLAN ID> = <Base Site Sync VLAN ID> + 0
-
For the second Quantum Maestro Orchestrator on the same Site (Orchestrator ID 1_2 and Orchestrator ID 2_2):
<Site Sync VLAN ID> = <Base Site Sync VLAN ID> + 1
Example for the internal Site Sync VLAN ID calculation based on the default value of 3600:
Site ID |
Site Sync VLAN ID on Orchestrator ID 1_1 and Orchestrator ID 2_1 |
Site Sync VLAN ID on Orchestrator ID 1_2 and Orchestrator ID 2_2 |
---|---|---|
Site #1 |
3600 |
3601 |
Site #2 |
3600 |
3601 |
Syntax
|
Description
This command shows the configured Base Site Sync VLAN ID in Dual Site deployment.
Syntax
|
Description
This command adds a Security Group A logical group of Security Appliances that provides Active/Active cluster functionality. A Security Group can contain one or more Security Appliances. Security Groups work separately and independently from each other. To the production networks, a Security Group appears a single Security Gateway. Every Security Group contains: (A) Applicable Uplink ports, to which your production networks are connected; (B) Security Appliances (the Quantum Maestro Orchestrator determines the applicable Downlink ports automatically); (C) Applicable management port, to which the Check Point Management Server is connected. with the specified ID on the Quantum Maestro Orchestrator.
|
Important - You must assign Security Appliances and applicable interfaces. See the corresponding configuration procedures. |
Syntax
|
Parameters
Parameter |
Description |
||
---|---|---|---|
|
Specifies the Security Group ID. To see the existing IDs and the available ID, press the Tab key.
|
Example - Security Groups with IDS 1 and 2 already exist, ID 3 is the next available ID
|
Description
This command deletes a Security Group with the specified ID on the Quantum Maestro Orchestrator.
Important - There is no prompt to confirm.
Syntax
|
Parameters
Parameter |
Description |
---|---|
|
Specifies the Security Group ID. To see the existing IDs, press the Tab key. |
Example
|
Description
This command adds the Network Configuration in a Security Group with the specified ID.
Syntax
|
Parameters
Parameter |
Description |
---|---|
|
Specifies the Security Group ID. To see the existing IDs, press the Tab key. |
|
Specifies the IPv4 address for the Security Group. |
|
Specifies the IPv4 address of the Default Gateway for the Security Group. |
Example
|
Description
This command removes the Network Configuration from a Security Group with the specified ID.
Important - There is no prompt to confirm.
Syntax
|
Parameters
Parameter |
Description |
---|---|
|
Specifies the Security Group ID. To see the existing IDs, press the Tab key. |
Example
|
Description
This command configures the First Time Wizard settings in a Security Group with the specified ID.
These settings are used to perform initial configuration of Security Appliances assigned to this Security Group.
|
Important - You must configure the First Time Wizard settings when you create a new Security Group. |
|
Warning - If you configure these settings in an existing Security Group (in which you already ran the First Time Configuration Wizard), then the change applies only after you reset each Security Appliance in that Security Group to factory defaults. |
Syntax
|
Parameters
Parameter |
Description |
---|---|
|
Specifies the Security Group ID. To see the existing IDs, press the Tab key. |
|
Specifies the First Time Wizard settings for Security Appliances in the Security Group. |
|
Specifies the hostname for Security Appliances. |
|
Specifies the one-time activation key for Security Appliances. You use this activation key in SmartConsole Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on. when you create the corresponding Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. object. The key is between 4 and 127 characters long. |
|
Specifies the Expert mode password for the Security Group. |
|
Specifies whether to configure the Security Appliances in VSX Virtual System Extension. Check Point virtual networking solution, hosted on a computer or cluster with virtual abstractions of Check Point Security Gateways and other network devices. These Virtual Devices provide the same functionality as their physical counterparts. mode. |
Example
|
Description
This command removes the First Time Wizard settings from a Security Group with the specified ID.
Important - There is no prompt to confirm.
Syntax
|
Parameters
Parameter |
Description |
---|---|
|
Specifies the Security Group ID. To see the existing IDs, press the Tab key. |
Example
|
|
Best Practice:
|
Description
This command assigns a Security Appliance with the specified Serial Number to a Security Group with the specified ID.
|
Important:
|
|
Best Practice for Dual Site - Assign the same number (as possible) of Security Appliances from each site to the Security Group. If a failover occurs between the sites, Security Appliances on the new Active site must be able to process all the traffic. |
Syntax
|
Parameters
Parameter |
Description |
||
---|---|---|---|
|
Specifies the Security Group ID. To see the existing IDs, press the Tab key. |
||
|
Assigns one Security Appliance specified by its Serial Number. To see the available Serial Numbers, press the Tab key.
|
Example
|
Description
This command removes a Security Appliance with the specified Member ID or Serial Number from a Security Group with the specified ID.
|
Important:
|
Syntax to remove a Security Appliance with the specified Member ID
|
Syntax to remove a Security Appliance with the specified Serial Number
|
Parameters
Parameter |
Description |
---|---|
|
Specifies the Security Group ID. To see the existing IDs, press the Tab key. |
|
Specifies the Security Appliance by its Member ID in the Security Group. To see the available IDs, press the Tab key. |
|
Specifies the Security Appliance by its Serial Number. To see the available Serial Numbers, press the Tab key. |
Example of removing a Security Appliance with the specified Member ID
|
Example of removing a Security Appliance with the specified Serial Number
|
Description
This command assigns an interface with the specified name to a Security Group with the specified ID.
Syntax
|
Parameters
Parameter |
Description |
---|---|
|
Specifies the Security Group ID. To see the existing IDs, press the Tab key. |
|
Assigns one interface specified by its name. To see the available interfaces, press the Tab key. |
Example
|
Description
This command removes an interface with the specified name from a Security Group with the specified ID.
Syntax
|
Parameters
Parameter |
Description |
---|---|
|
Specifies the Security Group ID. To see the existing IDs, press the Tab key. |
|
Removes one interface specified by its name. To see the available interfaces, press the Tab key. |
Example
|
See Configuring VLAN Interfaces on Uplink Ports.
Description
This command shows the Security Group configuration, including VLAN interfaces configured on the Uplink Ports Interfaces on the Quantum Maestro Orchestrator used to connect to external and internal networks. Gaia operating system shows these interfaces in Gaia Portal and in Gaia Clish. SmartConsole shows these interfaces in the corresponding SMO Security Gateway object..
Syntax
|
Parameters
Parameter |
Description |
---|---|
|
Specifies the ID of the Security Group. To see the existing IDs, press the Tab key. |
Description
This command shows and verifies the validity of all the configuration changes you made, but did not apply yet to Security Groups or ports.
|
Best Practice - Run this command after all changes in the configuration of Security Groups or ports. |
Syntax
|
Example 1 - No changes were made
|
Example 2 - Some changes were made
|
Description
This command applies all the configuration changes you made, but did not apply yet to Security Groups or ports.
|
Important - You must run this command after you make changes in the configuration of Security Groups or ports. |
Syntax
|
Example
|
Description
This command deletes all the configuration changes you made, but did not apply yet to Security Groups or ports.
Important - There is no prompt to confirm.
Syntax
|
Example
|
Description
These commands let you configure different settings on the Quantum Maestro Orchestrator's ports.
Syntax
|
Parameters
Parameter |
Description |
||||||
---|---|---|---|---|---|---|---|
|
Specifies the port to configure. The format is three numbers separated with a slash:
Examples:
Notes:
|
||||||
|
Configures the port administrative state:
|
||||||
|
Configures the port MTU. Valid range: 68 - 10236 bytes. Default: 10236 bytes. |
||||||
|
Configures the QSFP mode:
|
||||||
|
Configures the port type:
The parameter "
|
Example 1 - Viewing all available ports
|
Example 2 - Changing the port administrative state
|
Example 3 - Changing the port MTU
|
Example 4 - Changing the port QSFP mode
|
Example 5 - Changing the port type
|
Example 6 - Changing the port type with automatic confirmation
|
Description
These commands show the configured settings on the Quantum Maestro Orchestrator's ports.
Syntax
|
Parameters
Parameter |
Description |
||||
---|---|---|---|---|---|
|
Specifies the port to configure. The format is three numbers separated with a slash:
Examples:
Notes:
|
||||
|
Shows the port administrative state:
|
||||
|
Shows the port MTU. |
||||
|
Shows the information about the QSFP transceiver. |
||||
|
Shows the QSFP mode:
|
||||
|
Shows the port type:
|
||||
|
Shows the VLAN IDs configured on this port. |
Example 1 - Viewing all available ports
|
Example 2 - Viewing the port administrative state
|
Example 3 - Viewing the port MTU
|
Example 4 - Viewing the QSFP transceiver information
|
Example 5 - Viewing the port QSFP mode
|
Example 6 - Viewing the port type
|
Example 7 - Viewing the VLAN IDs
|
Description
This command shows the Security Group settings on the Quantum Maestro Orchestrator.
Syntax
|
Parameters
Parameter |
Description |
---|---|
|
Specifies the Security Group ID. To see the existing IDs, press the Tab key. |
Example
|