Advanced Gaia Configuration

Important:

On Scalable Platforms (Maestro and Chassis), you must connect to the Gaia Portal Web interface for the Check Point Gaia operating system. of the applicable Security Group.
On Scalable Platforms (Maestro and Chassis), you must run the applicable commands in Gaia Check Point security operating system that combines the strengths of both SecurePlatform and IPSO operating systems. gClish of the applicable Security Group.

Configuring the Gaia Portal Web Server

Description

You can configure the server responsible for the Gaia Portal.

Syntax

To configure Gaia Portal web server:

set web

      daemon-enable {on | off}

      session-timeout <Timeout>

      ssl-port <Port>

      ssl3-enabled {on | off}

      table-refresh-rate <Rate>

To show the Gaia Portal web server configuration:

show web

      daemon-enable

      session-timeout

      ssl-port

      ssl3-enabled

      table-refresh-rate

Important - After you add, configure, or delete features, run the "save config" command to save the settings permanently.

Parameters

Parameter

Description

daemon-enable {on | off}

Enables or disables the Gaia Portal web daemon.

Range: on, or off
Default: on

session-timeout <Timeout>

Configures the time (in minutes), after which the HTTPS session to the Gaia Portal terminates.

Range: 1 - 720
Default: 15

ssl-port <Port>

Configures the TCP port number, on which the Gaia Portal can be accessed over HTTPS.

Range: 1 - 65535
Default: 443

Use this command for initial configuration only.

Changing the port number on the command line may cause inconsistency with the setting defined in SmartConsole Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on.. Use SmartConsole to set the SSL port for the Portal.

Note - This setting does not affect HTTP connections. Normally this port should be left at the default 443. If you change the port number, you must change the URL used to access the Gaia Portal from https://<Hostname or IP Address>/ to https://<Hostname or IP Address>:<PORTNUMBER>

ssl3-enabled {on | off}

Enables or disables the HTTPS SSLv3 connection to Gaia Portal.

Range: on, or off
Default: off

table-refresh-rate <Rate>

Configures the refresh rate (in seconds), at which some tables in the Gaia Portal are refreshed.

Range: 10 - 240
Default: 10

Resetting the Expert Mode Password on a Security Gateway

Follow sk106490 if you forget your Expert mode password for a Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources., Cluster Member Security Gateway that is part of a cluster., or Scalable Platform Security Group.

Configuring Supported SSH Ciphers, MACs, and KexAlgorithms

Description

You can configure different settings for the SSH daemon on the Gaia Operating System.

You can configure these SSH settings in Gaia Clish The name of the default command line shell in Check Point Gaia operating system. This is a restricted shell (role-based administration controls the number of commands available in the shell)..

Description

Setting	Description
SSH Ciphers	SSH uses ciphers for privacy of data it sends over an SSH connection.
SSH Message Authentication Codes	SSH uses Message Authentication Codes to maintain the integrity of each message it sends over and SSH connection. This provides integrity between SSH peers.
SSH Key Exchange Algorithms	SSH uses Key Exchange Algorithms to exchange a shared session key securely with an SSH peer.
SSH Client Alive Interval	In SSHv2, this is a timeout interval (in seconds), after which if no data is received from an SSH client, the sshd daemon sends a message through the encrypted channel to request a response from the client. This controls the "`ClientAliveInterval`" parameter for the sshd daemon. By default, this feature is disabled (the default value is 0). See https://linux.die.net/man/5/sshd_config.
SSH Password Authentication	Specifies whether password authentication is allowed. This controls the "`PasswordAuthentication`" parameter for the sshd daemon. By default, this feature is enabled (the default value is "`yes`"). See https://linux.die.net/man/5/sshd_config.
SSH Permit Root Login	Specifies whether the root user can log in over SSH. This controls the "`PermitRootLogin`" parameter for the sshd daemon. By default, this feature is enabled (the default value is "`yes`"). See https://linux.die.net/man/5/sshd_config.
SSH DNS Usage	Specifies whether the sshd daemon needs to look up the remote hostname and make sure the resolved hostname for the remote IP address maps back to the same IP address. This controls the "`UseDNS`" parameter for the sshd daemon. By default, this feature is disabled (the default value is "`no`"). See https://linux.die.net/man/5/sshd_config.

Complete Syntax

set ssh server

cipher <Cipher>{on | off}

client-alive-interval 0-65535

kex <Key Exchange Algorithm> {on | off}

mac <Message Authentication Code> {on | off}

password-authentication {yes | no}

permit-root-login {yes | no | without-password | prohibit-password | forced-commands-only}

use-dns {yes | no}

show ssh server

cipher enabled

cipher supported

client-alive-interval

kex enabled

kex supported

mac enabled

mac supported

password-authentication

permit-root-login

use-dns

Syntax for SSH Ciphers

To view the supported SSH Ciphers:

show ssh server cipher supported

These are the supported SSH Ciphers:

3des-cbc
aes128-cbc
aes128-ctr
aes128-gcm@openssh.com
aes192-cbc
aes192-ctr
aes256-cbc
aes256-ctr
aes256-gcm@openssh.com
chacha20-poly1305@openssh.com
rijndael-cbc@lysator.liu.se

To view the enabled SSH Ciphers:

show ssh server cipher enabled

These are the SSH Ciphers that are enabled by default:

aes128-ctr
aes128-gcm@openssh.com
aes192-ctr
aes256-ctr
aes256-gcm@openssh.com
chacha20-poly1305@openssh.com

To enable or disable the supported SSH Ciphers:

set ssh server cipher <Cipher> {on | off}

Important - After you add, configure, or delete features, run the "save config" command to save the settings permanently.

Syntax for SSH Key Exchange Algorithms

To view the supported SSH Key Exchange Algorithms:

show ssh server kex supported

These are the supported SSH Key Exchange Algorithms:

curve25519-sha256
curve25519-sha256@libssh.org
diffie-hellman-group1-sha1
diffie-hellman-group14-sha1
diffie-hellman-group14-sha256
diffie-hellman-group16-sha512
diffie-hellman-group18-sha512
diffie-hellman-group-exchange-sha1
diffie-hellman-group-exchange-sha256
ecdh-sha2-nistp256
ecdh-sha2-nistp384
ecdh-sha2-nistp521

To view the enabled SSH Key Exchange Algorithms:

show ssh server kex enabled

These are the SSH Key Exchange Algorithms that are enabled by default:

curve25519-sha256
curve25519-sha256@libssh.org
diffie-hellman-group14-sha1
diffie-hellman-group14-sha256
diffie-hellman-group16-sha512
diffie-hellman-group18-sha512
diffie-hellman-group-exchange-sha256
ecdh-sha2-nistp256
ecdh-sha2-nistp384
ecdh-sha2-nistp521

To enable or disable the supported SSH Key Exchange Algorithms:

set ssh server kex <Key Exchange Algorithm> {on | off}

Important - After you add, configure, or delete features, run the "save config" command to save the settings permanently.

Syntax for SSH Message Authentication Codes (MACs)

To view the supported SSH Message Authentication Codes:

show ssh server mac supported

These are the supported SSH Message Authentication Codes:

hmac-md5-96-etm@openssh.com
hmac-md5-etm@openssh.com
hmac-sha1
hmac-sha1-96-etm@openssh.com
hmac-sha1-etm@openssh.com
hmac-sha2-256
hmac-sha2-256-etm@openssh.com
hmac-sha2-512
hmac-sha2-512-etm@openssh.com
umac-64-etm@openssh.com
umac-64@openssh.com
umac-128-etm@openssh.com
umac-128@openssh.com

To view the enabled SSH Message Authentication Codes:

show ssh server mac enabled

These are the SSH Message Authentication Codes that are enabled by default:

hmac-sha1
hmac-sha1-etm@openssh.com
hmac-sha2-256
hmac-sha2-256-etm@openssh.com
hmac-sha2-512
hmac-sha2-512-etm@openssh.com
umac-64-etm@openssh.com
umac-64@openssh.com
umac-128-etm@openssh.com
umac-128@openssh.com

To enable or disable the supported SSH Message Authentication Codes:

set ssh server mac <Message Authentication Code> {on | off}

Important - After you add, configure, or delete features, run the "save config" command to save the settings permanently.

Syntax for SSH Client Alive Interval

To view the current interval:

show ssh server client-alive-interval

To configure the required interval (in seconds):

set ssh server client-alive-interval 0-65535

Important - After you add, configure, or delete features, run the "save config" command to save the settings permanently.

Syntax for SSH Password Authentication

To view the current permission:

show ssh server password-authentication

To configure the required permission:

set ssh server password-authentication {yes | no}

Important - After you add, configure, or delete features, run the "save config" command to save the settings permanently.

Syntax for SSH Permit Root Login

To view the current permission:

show ssh server permit-root-login

To configure the required permission:

set ssh server permit-root-login {yes | no | without-password | prohibit-password | forced-commands-only}

Important - After you add, configure, or delete features, run the "save config" command to save the settings permanently.

Syntax for SSH DNS Usage

To view the current permission:

show ssh server use-dns

To configure the required permission:

set ssh server use-dns {yes | no}

Important - After you add, configure, or delete features, run the "save config" command to save the settings permanently.