Expert mode without password

Description

If you switch between standard (clish) and expert (bash) mode often, typing the expert password every time gets tedious. You can skip it by adding a custom command in clish.

How to do

In clish, type the following

add command exp path /bin/bash description ExpertShell

After doing this, log out and log in to clish again. From then on, the exp command alone takes you to expert mode.

You can make the command permanent with ‘save config’.

Warning

Use it at your own risk. This is not a best practice: it removes the expert password check for anyone who can run the command.


SPLAT-like restore in GAiA (UNSUPPORTED)

Description
Do you miss the restore options that were available in SPLAT but not in GAiA? If yes, here is good news: the restore still works in GAiA, although it is not supported by Check Point.

I’ve tried it in R76.

How to do?
From expert mode, run the command /bin/restore.

What do you get from this?

You get the option to restore only the OS / system configuration or the Check Point product configuration.

Note:

Not recommended by Check Point, so it may disappear in future versions.

Switching to 64-bit mode in GAiA with less than 6GB RAM

Description

GAiA defaults to 32-bit mode when it finds less than 6GB of RAM, but you can switch it to 64-bit. Here is how it works.

How to check the current mode?

In clish, type the following to see the current mode – show version os edition

In expert mode you can use the uname command as below:

uname -m (gives x86_64 for 64-bit and i686 for 32-bit)

uname -r (appends x86_64 to the end of the kernel version only for 64-bit)

How to switch the mode?

Run the following command in clish –

set edition default 64-bit

(OR)

set edition default 32-bit

Save the configuration and reboot after running this command, and the gateway comes up in the new mode.

Having trouble with switching MACs during failover?

Description

If ClusterXL is set to HA or Load Sharing (unicast) mode, at failover the MAC address for the virtual IP switches to that of the active member or the pivot.

Although a gratuitous ARP is sent to announce the change, some devices do not register it, so their ARP cache has to be cleared manually or you have to wait for the entry to age out.

Solution

Use Virtual MAC (VMAC) so that all members use the same MAC address; then there is no MAC change during a failover.

How to do

Just set the kernel parameter ‘fwha_vmac_global_param_enabled’ to 1.

This can be done in two ways:

1) Until the next reboot – fw ctl set int fwha_vmac_global_param_enabled 1

2) Permanently – add the following line to the file fwkern.conf (existing or newly created) in $FWDIR/boot/modules:

fwha_vmac_global_param_enabled=1
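The two steps above, as an added example that is not part of the original post: a small POSIX shell helper that adds the line to fwkern.conf without creating duplicates if it is run again, and an optional "apply" mode that also sets the parameter in the running kernel and reads it back with fw ctl get int. The function name ensure_kernel_param is my own; the file path and parameter name come from the post, and the live part assumes FWDIR is set as it is in expert mode.

```shell
#!/bin/sh
# Added example (not the original post's code): make a ClusterXL kernel
# parameter permanent in $FWDIR/boot/modules/fwkern.conf and, optionally,
# apply it to the running kernel.
set -e

# ensure_kernel_param FILE NAME VALUE
# Appends NAME=VALUE to FILE, or replaces an existing NAME=... line, so that
# running it twice leaves exactly one line. Prints added/updated/unchanged.
ensure_kernel_param() {
    file=$1; name=$2; value=$3
    [ -f "$file" ] || : > "$file"          # create the file if missing
    if grep -q "^${name}=${value}\$" "$file"; then
        echo unchanged
    elif grep -q "^${name}=" "$file"; then
        # Same parameter with another value: rewrite via a temp file
        # (portable; sed -i is not guaranteed on every GAiA build).
        tmp="${file}.tmp.$$"
        grep -v "^${name}=" "$file" > "$tmp" || true
        echo "${name}=${value}" >> "$tmp"
        mv "$tmp" "$file"
        echo updated
    else
        echo "${name}=${value}" >> "$file"
        echo added
    fi
}

# Live part: only when invoked as "sh this.sh apply" on a gateway with fw.
if [ "${1:-}" = "apply" ] && command -v fw >/dev/null 2>&1; then
    conf="${FWDIR:?run from expert mode so FWDIR is set}/boot/modules/fwkern.conf"
    ensure_kernel_param "$conf" fwha_vmac_global_param_enabled 1   # survives reboot
    fw ctl set int fwha_vmac_global_param_enabled 1                # takes effect now
    fw ctl get int fwha_vmac_global_param_enabled                  # verify: expect 1
fi
```

Run it with the apply argument on each cluster member; without the argument it only defines the helper, which is handy for testing the file edit on a copy first.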

Converting single gateway to cluster without additional public IPs

Traditionally, cluster members have IPs in the same subnet as the virtual IP; Check Point’s ClusterXL, however, allows the member network and the VIP network to be different.

The challenge
You currently have a single gateway and want to convert it to a cluster of 3 members, but you do not have additional public IPs for the members.

Solution
In this case you can use any private IP address range for the external interfaces of the members and keep the current gateway’s external IP as the cluster IP.

Notes:

  • Add static routes on the members so that traffic for the VIP network goes out through the external interface IP
  • Automatic proxy ARP will not work because the NATed IPs are not on the member network; manual proxy ARP still works
  • If the internal VIP is in a different subnet, the interface topology must include both networks (member and VIP)

Idle timeout

Moving away from the console for a while logs you out. Don’t want that to happen?

You can increase the timeout and have a coffee break.

How:

Run this command in the Check Point shell (the value is in minutes):

  • (SecurePlatform – cpshell) – idle 30
  • (GAiA – clish) – set inactivity-timeout 30

Which Platform:

  • SecurePlatform / GAiA