Expert Mode

Description

The Expert mode password protects the Expert shell against unapproved access.

The default shell of Gaia (the Check Point security operating system that combines the strengths of both SecurePlatform and IPSO operating systems) is called clish.

Gaia Clish is a restrictive shell (role-based administration controls the number of commands available in the shell).

While the use of Gaia Clish is encouraged for security reasons, Gaia Clish does not give access to low level system functions.

For low-level configuration, use the more permissive Expert mode shell. In addition, see sk144112.

  • To enter the Expert shell, run: expert

  • To exit from the Expert shell and return to Gaia Clish, run: exit

Note - If a command is supported in Gaia Clish, running the corresponding command in Expert mode is not supported.

For example, to work with interfaces, Gaia Clish provides the commands "show interface" and "set interface".

Therefore, it is not supported to run the ifconfig command in the Expert mode.

Note - There is no default password for the Expert mode. You must configure a password for the Expert mode before you can use it.

Note - Refer to sk181230 to receive audit logs for the Expert mode login on Gaia servers.

Syntax to configure an Expert mode password in plain text

set expert-password

The password must contain at least 6 characters and a maximum of 30 characters.

Syntax to configure an Expert mode password as a salted hash

set expert-password hash <Hash String>

Important - You must run the "save config" command to set the new Expert mode password permanently.

Parameters

Parameter

Description

hash <Hash String>

The password as an MD5, SHA256, or SHA512 salted hash instead of plain text (the password string must contain at least 6 characters).

Use this option when you upgrade or restore using backup scripts.

You can generate the hash of the password with the "cpopenssl" command (run: cpopenssl passwd -help).

To configure the default hash algorithm, see:

Best Practice - Do not use MD5 hash because it is not secure.

Notes:

  • Format:

    $<Hash Standard>$<Salt>$<Encrypted>

  • The length of this hash string must be less than 128 characters.

  • <Hash Standard>

    One of these digits:

    • 1 = MD5

    • 5 = SHA256

    • 6 = SHA512

  • <Salt>

    A string of these characters:

    a-z A-Z 0-9 . / [ ] _ ` ^

    The length of this string must be between 2 and 16 characters.

  • <Encrypted>

    A string of these characters:

    a-z A-Z 0-9 . / [ ] _ ` ^

    The length of this string must be:

    • For MD5, less than 22 characters.

    • For SHA256, less than 43 characters.

    • For SHA512, less than 86 characters.
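The following validator is an added example, not Check Point's code, that checks a hash string against the format rules listed above before it is handed to "set expert-password hash". The guide words the length limits as "less than 22/43/86"; because crypt(3)-style MD5, SHA256 and SHA512 encodings are exactly 22, 43 and 86 characters long, this example assumes the bounds are inclusive, and the function name and sample strings are constructed for illustration.

```python
import re

# Characters the guide allows in the <Salt> and <Encrypted> fields.
_FIELD_CHARS = r"[A-Za-z0-9./\[\]_`^]"

# <Hash Standard> digit -> (algorithm name, maximum <Encrypted> length).
# Assumption for this example: the guide's "less than" limits are treated as
# inclusive, since crypt(3) emits exactly 22/43/86 characters for these schemes.
_ALGOS = {"1": ("MD5", 22), "5": ("SHA256", 43), "6": ("SHA512", 86)}

# $<Hash Standard>$<Salt>$<Encrypted>, salt 2..16 characters from the allowed set.
_PATTERN = re.compile(
    rf"^\$(?P<id>[156])\$(?P<salt>{_FIELD_CHARS}{{2,16}})\$(?P<hash>{_FIELD_CHARS}+)$"
)


def check_expert_hash(value: str) -> tuple[bool, str]:
    """Return (accepted, reason) for a candidate 'set expert-password hash' string."""
    if len(value) >= 128:
        return False, "hash string must be less than 128 characters"
    m = _PATTERN.match(value)
    if not m:
        return False, "expected $<1|5|6>$<salt, 2-16 chars>$<encrypted> using the allowed charset"
    name, max_len = _ALGOS[m.group("id")]
    if len(m.group("hash")) > max_len:
        return False, f"{name} encrypted field is longer than {max_len} characters"
    if name == "MD5":
        # Accepted by the syntax, but the guide's best practice is to avoid MD5.
        return True, "valid, but MD5 is not secure; prefer a SHA512 ($6$) hash"
    return True, f"valid {name} salted hash"


# Constructed sample strings (not real password hashes) exercising each rule.
SAMPLES = [
    "$6$saltsalt$" + "A" * 86,      # well-formed SHA512
    "$1$ab$" + "A" * 22,            # well-formed but MD5
    "$5$ab$" + "A" * 50,            # SHA256 field too long
    "$6$a$" + "A" * 86,             # salt shorter than 2 characters
    "$2$ab$" + "A" * 22,            # unknown hash standard digit
]

if __name__ == "__main__":
    for s in SAMPLES:
        ok, why = check_expert_hash(s)
        print(f"{'OK ' if ok else 'BAD'} {s[:24]}...: {why}")
```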