Many times we keep switching between standard (clish) and expert (bash) modes and wish we didn't have to type the password every time we enter expert mode. This can be achieved very easily by adding a command in clish.
How to do
In clish, type the following
add command exp path /bin/bash description ExpertShell
After doing this, log out and log in again to clish. Now the exp command alone will take you to expert mode.
You can make the command permanent with 'save config'.
Use it at your own risk: anyone who can log in to clish with that account now gets a root bash shell without the expert password. Not a best practice.
Do you miss the restore options that were available in SPLAT but not in GAiA? If yes, here's good news. The restore still works in GAiA; however, it is not supported by Check Point.
I’ve tried it in R76.
How to do?
From expert mode, run the command /bin/restore
What do you get from this?
You get the option to choose whether to restore only the OS / system configuration or the Check Point product configuration.
It is not recommended by Check Point, so it may disappear in future versions.
As you know, GAiA defaults to 32-bit mode when it finds less than 6GB of RAM. You can, however, switch it to 64-bit; here's how it works.
How to check the current mode?
In clish, type the following to see the current mode: show version os edition
In expert mode you can use the uname command as below:
uname -m (gives x86_64 for 64 bit and i686 for 32 bit)
uname -r (appends x86_64 at the end of the kernel version only for 64-bit)
How to switch the mode?
Run one of the following commands in clish:
set edition default 64-bit
set edition default 32-bit
Save and reboot after running the command, and you are in the new mode.
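As an added example (not from the original post), here is a small bash script for expert mode that reports the running edition from the two uname outputs described above and compares it with the edition the 6GB RAM rule would select. The function names are my own; the sample uname strings in the comments are constructed.

```bash
#!/bin/bash
# Added example (not from the original post): report the running GAiA edition
# from uname output and compare it with what the 6GB RAM rule would select.

# edition_from_uname MACHINE RELEASE -> prints 64-bit or 32-bit
# MACHINE is the output of `uname -m`, RELEASE the output of `uname -r`
# (e.g. constructed values "x86_64" and "2.6.18-92cpx86_64").
edition_from_uname() {
    machine=$1; release=$2
    case "$machine" in
        x86_64) echo 64-bit ;;
        *)
            # Cross-check: the kernel release carries an x86_64 suffix only on
            # the 64-bit edition, so flag it if the two outputs disagree.
            case "$release" in
                *x86_64) echo "inconsistent ($machine vs $release)" ;;
                *) echo 32-bit ;;
            esac ;;
    esac
}

# default_edition_for_ram MEMTOTAL_KB -> the edition GAiA picks by default
# (32-bit below 6GB of RAM, 64-bit otherwise).
default_edition_for_ram() {
    if [ "$1" -lt $((6 * 1024 * 1024)) ]; then echo 32-bit; else echo 64-bit; fi
}

# Live report for the box the script runs on.
mem_kb=$(awk '/^MemTotal:/ {print $2}' /proc/meminfo 2>/dev/null || true)
running=$(edition_from_uname "$(uname -m)" "$(uname -r)")
echo "running edition  : $running"
if [ -n "$mem_kb" ]; then
    echo "RAM-based default: $(default_edition_for_ram "$mem_kb") (${mem_kb} kB)"
fi
```

If the two lines differ, the edition was switched manually with set edition default, or the box has had RAM added or removed since it was installed.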
If you have ClusterXL set to HA or LS (unicast) mode, at failover the MAC address for the virtual IP switches to that of the newly active member or the pivot.
Although a gratuitous ARP is sent to announce the change, some devices do not register it and have to be cleared from their ARP cache, or you have to wait for the entry to time out.
Use Virtual MAC (VMAC) so that all members use the same MAC address and there is no need to change the MAC on failover.
How to do
Just set the kernel parameter ‘fwha_vmac_global_param_enabled’ to 1.
This can be done in two ways:
1) Works until the machine is rebooted: fw ctl set int fwha_vmac_global_param_enabled 1
2) Works permanently: add the following line to the existing or newly created file fwkern.conf in the path $FWDIR/boot/modules:
fwha_vmac_global_param_enabled=1
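As an added example (not from the original post), here is a bash script for expert mode that applies both methods above and is safe to run more than once: it updates an existing fwha_vmac_global_param_enabled line in fwkern.conf instead of appending a duplicate. It assumes the $FWDIR environment of expert mode and the fw ctl tool; the ensure_fwkern_param and fwkern_param_value helpers are my own.

```bash
#!/bin/bash
# Added example (not from the original post): enable ClusterXL Virtual MAC at
# runtime and persistently, without leaving duplicate or conflicting lines
# in fwkern.conf when the script is run again. Run it on every cluster member.

PARAM=fwha_vmac_global_param_enabled

# ensure_fwkern_param FILE NAME VALUE
# Adds "NAME=VALUE" to FILE, replacing an existing NAME= line if present.
ensure_fwkern_param() {
    file=$1; name=$2; value=$3
    [ -f "$file" ] || : > "$file"
    if grep -q "^${name}=" "$file"; then
        # Rewrite through a temp file; "cat >" keeps the original file's permissions.
        tmp=$(mktemp)
        sed "s/^${name}=.*/${name}=${value}/" "$file" > "$tmp" && cat "$tmp" > "$file"
        rm -f "$tmp"
    else
        echo "${name}=${value}" >> "$file"
    fi
}

# fwkern_param_value FILE NAME -> prints the configured value (empty if unset)
fwkern_param_value() {
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# 1) Runtime change (lost at reboot); only attempted where the fw tool exists.
if command -v fw >/dev/null 2>&1; then
    fw ctl set int "$PARAM" 1
    fw ctl get int "$PARAM"
fi

# 2) Persistent change in $FWDIR/boot/modules/fwkern.conf (path from the post).
if [ -n "$FWDIR" ] && [ -d "$FWDIR/boot/modules" ]; then
    conf="$FWDIR/boot/modules/fwkern.conf"
    ensure_fwkern_param "$conf" "$PARAM" 1
    echo "$conf: $PARAM=$(fwkern_param_value "$conf" "$PARAM")"
fi
```

The fw ctl get int call after the set echoes the value back so you can confirm the kernel accepted it; the persistent line only takes effect at the next reboot.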
Traditionally, clusters are configured with members having IPs in the same subnet as the virtual IP; however, Check Point's ClusterXL supports the member network and the VIP network being different.
Suppose you currently have a single gateway and wish to convert it to a cluster of three members but do not have additional public IPs for the members.
In this case you can use any private IP address range for the external interfaces of the members and use the current gateway's external IP as the cluster VIP.
- Add static routes on the members so that VIP network traffic is routed through the external interface
- Automatic proxy ARP will not work because the NATed IPs are not on the member network; manual proxy ARP can be configured instead
- If an internal VIP is in a different subnet, the interface topology must include both networks (member and VIP)
Moving away from the console for a while logs you out. Don't want that to happen?
You can increase the timeout and take a coffee break.
Run this command in the Check Point shell:
- SecurePlatform (cpshell): idle 30
- GAiA (clish): set inactivity-timeout 30
Do you like being in expert mode most of the time? Here's good news for you.
You can set the expert shell as the default when you log on.
How to do that:
- Log in to expert mode by entering the command expert and providing the password
- Type the following: chsh -s /bin/bash admin
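As an added example (not from the original post), here is a bash function for expert mode that lists the accounts whose login shell is bash, which is the quick way to see which logins land in expert mode without going through clish and the expert password after a chsh like the one above. The sample passwd content is constructed; /etc/cli.sh as the clish login shell and the expert_shell_users name are my assumptions.

```bash
#!/bin/bash
# Added example (not from the original post): list accounts whose login shell
# is bash, i.e. logins that bypass clish and the expert password entirely.

# expert_shell_users [PASSWD_FILE] -> one username per line
# Matches any account whose shell field (7th) ends in /bash, e.g. /bin/bash.
expert_shell_users() {
    awk -F: '$7 ~ /\/bash$/ {print $1}' "${1:-/etc/passwd}"
}

# Constructed sample: admin was switched with "chsh -s /bin/bash admin",
# monitor still logs in to the GAiA CLI (assumed path /etc/cli.sh).
SAMPLE_PASSWD=$(mktemp)
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
admin:x:0:0::/home/admin:/bin/bash
monitor:x:102:100::/home/monitor:/etc/cli.sh
nobody:x:99:99:Nobody:/:/sbin/nologin
EOF

echo "Accounts with a bash login shell (constructed sample):"
expert_shell_users "$SAMPLE_PASSWD" | sed 's/^/  /'
rm -f "$SAMPLE_PASSWD"

# On a real box, run without an argument to read /etc/passwd:
#   expert_shell_users
# To put an account back on the clish login shell (assumed path):
#   chsh -s /etc/cli.sh admin
```

Running it periodically, or comparing its output between cluster members, catches an account that was switched to bash and then forgotten.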