CP R81 Gaia AdminGuide

20 October 2020
GAIA
R81
Administration Guide
[Classification: Protected]
Check Point Copyright Notice
© 2020 Check Point Software Technologies Ltd.
All rights reserved. This product and related documentation are protected by copyright and distributed
under licensing restricting their use, copying, distribution, and decompilation. No part of this product or
related documentation may be reproduced in any form or by any means without prior written authorization
of Check Point. While every precaution has been taken in the preparation of this book, Check Point
assumes no responsibility for errors or omissions. This publication and features described herein are
subject to change without notice.
RESTRICTED RIGHTS LEGEND:

Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)
(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR
52.227-19.
TRADEMARKS:
Refer to the Copyright page for a list of our trademarks.
Refer to the Third Party copyright notices for a list of relevant copyrights and third-party licenses.
Gaia R81 Administration Guide
Important Information
Latest Software
We recommend that you install the most recent software release to stay up-to-date with the
latest functional improvements, stability fixes, security enhancements and protection
against new and evolving attacks.
Certifications
For third party independent certification of Check Point products, see the Check Point
Certifications page.
Check Point R81

For more about this release, see the R81 home page.
Latest Version of this Document in English

Open the latest version of this document in a Web browser.
Download the latest version of this document in PDF format.
Feedback
Check Point is engaged in a continuous effort to improve its documentation.
Please help us by sending your comments.
Gaia R81 Administration Guide | 3

Gaia R81 Administration Guide
Revision History
Date Description
20 October 2020 First release of this document

Table of Contents
Table of Contents
Glossary 14
Gaia Overview 23
Introduction to the Gaia Portal 24
Gaia Portal Overview 24
Working with the Configuration Lock 30
Using the Gaia Portal Interface Elements 31
Toolbar Accessories 31
Search Tool 31
Navigation Tree 31
Status Bar 31
Configuration Tab 32
Monitoring Tab 32
Unsupported Characters and Words 32
System Information Overview 33
Showing System Overview Information in Gaia Portal 33
Showing System Overview Information in Gaia Clish 35
Introduction to the Command Line Interface 37
Command Completion 38
Commands and Features 40
Command History 42
Command Line Movement and Editing 44
Configuration Locks 45
Environment Commands 47
Client Environment Output Format 49
Expert Mode 51
User Defined (Extended) Commands 53
Summary of Gaia Clish Commands 55
Configuring Gaia for the First Time 57
Running the First Time Configuration Wizard in Gaia Portal 58
Running the First Time Configuration Wizard in CLI Expert mode 68

Table of Contents
Centrally Managing Gaia Device Settings 76

Introduction of Gaia Central Management 76
Managing Gaia in SmartConsole 78
Running Command Scripts 78
Understanding One-Time Scripts 80
Running Repository Scripts 80
Backup and Restore 80
Backing up the System 81
Restoring the System 82
Opening Gaia Portal and Gaia Clish 83
Network Management 84
Network Interfaces 85
Physical Interfaces 86
Configuring Physical Interfaces in Gaia Portal 87
Configuring Physical Interfaces in Gaia Clish 88
Aliases 91
Configuring Aliases in Gaia Portal 91
Configuring Aliases in Gaia Clish 92
VLAN Interfaces 93
Configuring VLAN Interfaces in Gaia Portal 94
Configuring VLAN Interfaces in Gaia Clish 96
Access Mode VLAN and Trunk Mode VLAN 99
VXLAN Interfaces 101
Configuring VXLAN Interfaces in Gaia Portal 101
Configuring VXLAN Interfaces in Gaia Clish 104
Configuring VXLAN Interfaces on Cluster Members 107
Bond Interfaces (Link Aggregation) 109
Configuring Bond Interfaces in Gaia Portal 111
Configuring Bond Interfaces in Gaia Clish 113
Making Sure that Bond Interface is Working 121
Configuring Bond High Availability in VRRP Cluster 124
Bridge Interfaces 126
Configuring Bridge Interfaces in Gaia Portal 127

Table of Contents
Configuring Bridge Interfaces in Gaia Clish 128

Accept, or Drop Ethernet Frames with Specific Protocols 134
Loopback Interfaces 135
Configuring Loopback Interfaces in Gaia Portal 135
Configuring Loopback Interfaces in Gaia Clish 137
VPN Tunnel Interfaces 139
6in4 Tunnel Interfaces 146
Configuring 6in4 Tunnel Interfaces in Gaia Portal 147
Configuring 6in4 Tunnel Interfaces in Gaia Clish 149
GRE Interfaces 151
Configuring GRE Interfaces in Gaia Portal 152
Configuring GRE interfaces in Gaia Clish 154
Configuring GRE Interfaces on Cluster Members 157
PPPoE Interfaces 159
Configuring PPPoE Interfaces in Gaia Portal 160
Configuring PPPoE Interfaces in Gaia Clish 162
Gaia Management Interface 165
Selecting Management Interface in Gaia Portal 165
Selecting Management Interface in Gaia Clish 166
Detection of IP Address Conflicts 167
Configuration in Gaia Clish 167
Log Messages 170
Additional Information 171
CLI Reference (interface) 172
ARP 173
Configuring ARP in Gaia Portal 174
Configuring ARP in Gaia Clish 176
DHCP Server 178
Configuring a DHCP Server in Gaia Portal 179
Configuring a DHCP Server in Gaia Clish 182
Hosts and DNS 187
System Name 188
Configuring Host Name and Domain Name in Gaia Portal 188

Table of Contents
Configuring Host Name and Domain Name in Gaia Clish 188

Hosts 189
Configuring Hosts in Gaia Portal 189
Configuring Hosts in Gaia Clish 190
DNS 192
Configuring DNS in Gaia Portal 192
Configuring DNS in Gaia Clish 193
IPv4 Static Routes 195
Configuring IPv4 Static Routes in Gaia Portal 196
Configuring IPv4 Static Routes in Gaia Clish 199
IPv6 Static Routes 204
Troubleshooting 210
Configuring IPv6 Neighbor Entries 211
NetFlow Export 212
Introduction 212
Configuration Options in Gaia Portal 214
Configuration Options in Gaia Clish 214
Configuration Procedure 217
System Management 220
Time 221
Configuring the Time and Date in Gaia Portal 222
Configuring the Time and Date in Gaia Clish 223
Cloning Group 228
Configuring Cloning Groups in Gaia Portal 229
Configuring Cloning Groups in Gaia Clish 235
Cloning Group Modes 235
CLI Syntax 236
SNMP 242
Introduction 242
SNMP v3 - User-Based Security Model (USM) 243
Enabling SNMP 244

Table of Contents
SNMP Agent Address 244

SNMP Traps 244
Configuring SNMP in Gaia Portal 246
Configuring SNMP in Gaia Clish 251
Interpreting SNMP Error Messages 256
SNMP PDU 256
GetRequest 257
GetNextRequest 258
GetBulkRequest 258
Job Scheduler 259
Configuring Job Scheduler in Gaia Portal 260
Configuring Job Scheduler in Gaia Clish 262
Mail Notification 265
Introduction 265
Configuring Mail Notification in Gaia Portal 265
Configuring Mail Notification in Gaia Clish 266
Messages 267
Comparison 267
Configuring Messages in Gaia Portal 267
Configuring Messages in Gaia Clish 268
Limits 270
Display Format 271
Configuring Display Format in Gaia Portal 271
Configuring Display Format in Gaia Clish 272
Session 273
Configuring the Session in Gaia Portal 273
Configuring the Session in Gaia Clish 273
Crash Data 274
Introduction 274
Configuring Core Dumps in Gaia Portal 274
Configuring Core Dumps in Gaia Clish 276
System Configuration 278
Configuring IPv6 Support in Gaia Portal 279

Table of Contents
Configuring IPv6 Support in Gaia Clish 279

System Logging 281
Configuring System Logging in Gaia Portal 282
Configuring System Logging in Gaia Clish 285
Redirecting RouteD System Logging Messages 289
Configuring Log Volume 293
Network Access 294
Introduction 294
Configuring Telnet Access in Gaia Portal 294
Configuring Telnet Access in Gaia Clish 294
Host Access 295
Configuring Allowed Gaia Clients in Gaia Portal 295
Configuring Allowed Gaia Clients in Gaia Clish 296
LLDP 297
Configuring LLDP in Gaia Portal 297
Configuring LLDP in Gaia Clish 299
Viewing the LLDP neighbors in the Expert mode 302
Advanced Routing 303
User Management 304
Change My Password 305
Changing My Password in Gaia Portal 305
Changing My Password in Gaia Clish 305
Users 306
Managing User Accounts in Gaia Portal 307
Managing User Accounts in Gaia Clish 310
Roles 314
Configuring Roles in Gaia Portal 315
Configuring Roles in Gaia Clish 318
List of Available Features in Roles 322
List of Available Extended Commands in Roles 339
Password Policy 343
Configuring Password Policy in Gaia Portal 345
Procedure 345

Table of Contents
Password Strength 345

Password History 346
Mandatory Password Change 346
Deny Access to Unused Accounts 347
Deny Access After Failed Login Attempts 348
Configuring Password Policy in Gaia Clish 349
Monitoring Password Policy in Gaia Clish 356
Authentication Servers 357
Configuring RADIUS Servers 358
Configuring RADIUS Servers in Gaia Portal 358
Configuring RADIUS Servers in Gaia Clish 360
Configuring Gaia as a RADIUS Client 363
Configuring RADIUS Servers for Non-Local Gaia Users 364
Configuring TACACS+ Servers 366
Configuring TACACS+ Servers in Gaia Portal 366
Configuring TACACS+ Servers in Gaia Clish 369
Checking if the Logged In User is Enabled for TACACS+ 371
Configuring Gaia as a TACACS+ Client 372
Configuring TACACS+ Servers for Non-Local Gaia Users 374
System Groups 375
Introduction 375
Configuring System Groups in Gaia Portal 376
Configuring System Groups in Gaia Clish 378
GUI Clients 380
Configuring GUI Clients in Gaia Portal 380
Configuring GUI Clients in Command Line 381
High Availability 382
Understanding VRRP 382

Table of Contents
VRRP Terminology 383

VRRP on Gaia OS 384
VRRP Configuration Methods 385
Monitoring of VRRP Interfaces 385
How VRRP Failover Works 386
Typical VRRP Use Cases 387
Preparing a VRRP Cluster 390
Configuring Network Switches 390
Preparing VRRP Cluster Members 390
Configuring Global Settings for VRRP 391
Configuring Monitored Circuit/Simplified VRRP 393
Configuring Monitored Circuit/Simplified VRRP in Gaia Portal 393
Configuring Monitored Circuit/Simplified VRRP in Gaia Clish 396
Configuring the VRRP Cluster for Simplified VRRP in SmartConsole 399
Configuring Advanced VRRP 400
Changing from Advanced VRRP to Monitored Circuit/Simplified VRRP 400
Configuring Advanced VRRP in Gaia Portal 401
Configuring Advanced VRRP in Gaia Clish 404
Configuring the VRRP Cluster for Advanced VRRP in SmartConsole 408
Troubleshooting VRRP 409
Traces (Debug) for VRRP 409
General Configuration Considerations 410
Firewall Policies 411
Monitored-Circuit VRRP in Switched Environments 411
Maintenance 412
License Status 413
On Check Point Appliances 413
On Open Servers and Virtual Machines 413
Activating a License in Gaia Portal 414
Snapshot Management 416
Snapshot Options 417
Snapshot Prerequisites 418
Snapshot Management in Gaia Portal 419

Table of Contents
Snapshot Management in Gaia Clish - Regular Snapshots 421

Snapshot Management in Gaia Clish - Scheduled Snapshots 426
Restoring a Factory Default Image on Check Point Appliance 435
Download SmartConsole 436
Hardware Health Monitoring 437
Showing Hardware Health Information in Gaia Portal 437
Showing Hardware Health Information in Gaia Clish 438
Showing Hardware Information 439
Monitoring RAID Synchronization 443
Showing RAID Information in Gaia Portal 443
Showing RAID Information in Command Line 443
Shut Down 445
Rebooting and Shutting Down in Gaia Portal 445
Rebooting and Shutting Down in Gaia Clish 445
System Backup 446
Backing Up and Restoring the System 447
Backing Up and Restoring the System in Gaia Portal 447
Backing Up the System in Gaia Clish 450
Restoring the System in Gaia Clish 451
Configuring Scheduled Backups 452
Configuring Scheduled Backups in Gaia Portal 452
Configuring Scheduled Backups in Gaia Clish 454
Working with System Configuration in Gaia Clish 457
LVM Overview 458
Advanced Configuration 459
Configuring the Gaia Portal Web Server 459
Resetting the Expert Mode Password on a Security Gateway 460
CPUSE - Software Updates 461
Gaia API Proxy 462

Glossary
Glossary
A
Administrator
A user with permissions to manage Check Point security products and the network
environment.
API
In computer programming, an application programming interface (API) is a set of
subroutine definitions, protocols, and tools for building application software. In general
terms, it is a set of clearly defined methods of communication between various software
components.
Appliance
A physical computer manufactured and distributed by Check Point.
Bond
A virtual interface that contains (enslaves) two or more physical interfaces for
redundancy and load sharing. The physical interfaces share one IP address and one
MAC address. See "Link Aggregation".
Bonding
See "Link Aggregation".
Bridge Mode
A Security Gateway or Virtual System that works as a Layer 2 bridge device for easy
deployment in an existing topology.

Glossary
CA
Certificate Authority. Issues certificates to gateways, users, or computers, to identify
itself to connecting entities with Distinguished Name, public key, and sometimes IP
address. After certificate validation, entities can send encrypted data using the public
keys in the certificates.
Certificate
An electronic document that uses a digital signature to bind a cryptographic public key
to a specific identity. The identity can be an individual, organization, or software entity.
The certificate is used to authenticate one identity to another.
CGNAT
Carrier Grade NAT. Extending the traditional Hide NAT solution, CGNAT uses
improved port allocation techniques and a more efficient method for logging. A CGNAT
rule defines a range of original source IP addresses and a range of translated IP
addresses. Each IP address in the original range is automatically allocated a range of
translated source ports, based on the number of original IP addresses and the size of
the translated range. CGNAT port allocation is Stateless and is performed during policy
installation. See sk120296.
Cluster
Two or more Security Gateways that work together in a redundant configuration - High
Availability, or Load Sharing.
Cluster Member
A Security Gateway that is part of a cluster.
CoreXL
A performance-enhancing technology for Security Gateways on multi-core processing
platforms. Multiple Check Point Firewall instances are running in parallel on multiple
CPU cores.
CoreXL Firewall Instance

Also CoreXL FW Instance. On a Security Gateway with CoreXL enabled, the Firewall
kernel is copied multiple times. Each replicated copy, or firewall instance, runs on one
processing CPU core. These firewall instances handle traffic at the same time, and
each firewall instance is a complete and independent firewall inspection kernel.

Glossary
CoreXL SND
Secure Network Distributer. Part of CoreXL that is responsible for: Processing incoming
traffic from the network interfaces; Securely accelerating authorized packets (if
SecureXL is enabled); Distributing non-accelerated packets between Firewall kernel
instances (SND maintains global dispatching table, which maps connections that were
assigned to CoreXL Firewall instances). Traffic distribution between CoreXL Firewall
instances is statically based on Source IP addresses, Destination IP addresses, and the
IP 'Protocol' type. The CoreXL SND does not really "touch" packets. The decision to
stick to a particular FWK daemon is done at the first packet of connection on a very high
level, before anything else. Depending on the SecureXL settings, and in most of the
cases, the SecureXL can be offloading decryption calculations. However, in some other
cases, such as with Route-Based VPN, it is done by FWK daemon.
CPUSE
Check Point Upgrade Service Engine for Gaia Operating System. With CPUSE, you
can automatically update Check Point products for the Gaia OS, and the Gaia OS itself.
For details, see sk92449.
DAIP Gateway
A Dynamically Assigned IP (DAIP) Security Gateway is a Security Gateway where the
IP address of the external interface is assigned dynamically by the ISP.
Data Type
A classification of data. The Firewall classifies incoming and outgoing traffic according
to Data Types, and enforces the Policy accordingly.
Database
The Check Point database includes all objects, including network objects, users,
services, servers, and protection profiles.
Distributed Deployment
The Check Point Security Gateway and Security Management Server products are
deployed on different computers.
Domain
A network or a collection of networks related to an entity, such as a company, business
unit or geographical location.

Glossary
Domain Log Server

A Log Server for a specified Domain, as part of a Multi-Domain Log Server. It stores and
processes logs from Security Gateways that are managed by the corresponding Domain
Management Server. Acronym: DLS.
Expert Mode
The name of the full command line shell that gives full system root permissions in the
Check Point Gaia operating system.
External Network
Computers and networks that are outside of the protected network.
External Users
Users defined on external servers. External users are not defined in the Security
Management Server database or on an LDAP server. External user profiles tell the
system how to identify and authenticate externally defined users.
Firewall
The software and hardware that protects a computer network by analyzing the incoming
and outgoing network traffic (packets).
Gaia
Check Point security operating system that combines the strengths of both
SecurePlatform and IPSO operating systems.
Gaia Clish
The name of the default command line shell in Check Point Gaia operating system. This
is a restrictive shell (role-based administration controls the number of commands
available in the shell).
Gaia Portal
Web interface for Check Point Gaia operating system.

Glossary
Hotfix
A piece of software installed on top of the current software in order to fix some wrong or
undesired behavior.
ICA
Internal Certificate Authority. A component on Check Point Management Server that
issues certificates for authentication.
Internal Network
Computers and resources protected by the Firewall and accessed by authenticated
users.
IPv4
Internet Protocol Version 4 (see RFC 791). A 32-bit number - 4 sets of numbers, each
set can be from 0 - 255. For example, 192.168.2.1.
IPv6
Internet Protocol Version 6 (see RFC 2460 and RFC 3513). 128-bit number - 8 sets of
hexadecimal numbers, each set can be from 0 - ffff. For example,
FEDC:BA98:7654:3210:FEDC:BA98:7654:3210.
Jumbo Hotfix Accumulator

Collection of hotfixes combined into a single package. Acronyms: JHA, JHF.
Link Aggregation
Technology that joins (aggregates) multiple physical interfaces together into one virtual
interface, known as a bond interface. Also known as Interface Bonding, or Interface
Teaming. This increases throughput beyond what a single connection could sustain,
and to provides redundancy in case one of the links should fail.

Glossary
Log
A record of an action that is done by a Software Blade.
Log Server
A dedicated Check Point computer that runs Check Point software to store and process
logs in Security Management Server or Multi-Domain Security Management
environment.
Management High Availability

Deployment and configuration mode of two Check Point Management Servers, in which
they automatically synchronize the management databases with each other. In this
mode, one Management Server is Active, and the other is Standby. Acronyms:
Management HA, MGMT HA.
Management Interface
Interface on Gaia computer, through which users connect to Portal or CLI. Interface on a
Gaia Security Gateway or Cluster member, through which Management Server
connects to the Security Gateway or Cluster member.
Management Server
A Check Point Security Management Server or a Multi-Domain Server.
Multi-Domain Log Server

A computer that runs Check Point software to store and process logs in Multi-Domain
Security Management environment. The Multi-Domain Log Server consists of Domain
Log Servers that store and process logs from Security Gateways that are managed by
the corresponding Domain Management Servers. Acronym: MDLS.
Multi-Domain Security Management

A centralized management solution for large-scale, distributed environments with many
different Domain networks.
Multi-Domain Server
A computer that runs Check Point software to host virtual Security Management Servers
called Domain Management Servers. Acronym: MDS.

Glossary
Network Object
Logical representation of every part of corporate topology (physical machine, software
component, IP Address range, service, and so on).
Open Server
A physical computer manufactured and distributed by a company, other than Check
Point.
Rule
A set of traffic parameters and other conditions in a Rule Base that cause specified
actions to be taken for a communication session.
Rule Base
Also Rulebase. All rules configured in a given Security Policy.
SecureXL
Check Point product that accelerates IPv4 and IPv6 traffic. Installed on Security
Gateways for significant performance improvements.
Security Gateway
A computer that runs Check Point software to inspect traffic and enforces Security
Policies for connected network resources.
Security Management Server

A computer that runs Check Point software to manage the objects and policies in Check
Point environment.

Glossary
Security Policy
A collection of rules that control network traffic and enforce organization guidelines for
data protection and access to resources with packet inspection.
SIC
Secure Internal Communication. The Check Point proprietary mechanism with which
Check Point computers that run Check Point software authenticate each other over
SSL, for secure communication. This authentication is based on the certificates issued
by the ICA on a Check Point Management Server.
Single Sign-On
A property of access control of multiple related, yet independent, software systems. With
this property, a user logs in with a single ID and password to gain access to a
connected system or systems without using different usernames or passwords, or in
some configurations seamlessly sign on at each system. This is typically accomplished
using the Lightweight Directory Access Protocol (LDAP) and stored LDAP databases
on (directory) servers. Acronym: SSO.
SmartConsole
A Check Point GUI application used to manage Security Policies, monitor products and
events, install updates, provision new devices and appliances, and manage a multi-
domain environment and each domain.
SmartDashboard
A legacy Check Point GUI client used to create and manage the security settings in
R77.30 and lower versions.
SmartUpdate
A legacy Check Point GUI client used to manage licenses and contracts.
Software Blade
A software blade is a security solution based on specific business needs. Each blade is
independent, modular and centrally managed. To extend security, additional blades can
be quickly added.
SSO
See "Single Sign-On".

Glossary
Standalone
A Check Point computer, on which both the Security Gateway and Security
Management Server products are installed and configured.
Traffic
Flow of data between network devices.
Users
Personnel authorized to use network resources and applications.
VLAN
Virtual Local Area Network. Open servers or appliances connected to a virtual network,
which are not physically connected to the same network.
VLAN Trunk
A connection between two switches that contains multiple VLANs.
VSX
Virtual System Extension. Check Point virtual networking solution, hosted on a
computer or cluster with virtual abstractions of Check Point Security Gateways and
other network devices. These Virtual Devices provide the same functionality as their
physical counterparts.
VSX Gateway
Physical server that hosts VSX virtual networks, including all Virtual Devices that
provide the functionality of physical network devices. It holds at least one Virtual
System, which is called VS0.

Gaia Overview
Gaia Overview
Gaia is the Check Point next generation operating system for security applications. In Greek mythology,
Gaia is the mother of all, which represents closely integrated parts to form one efficient system. The Gaia
Operating System supports the full portfolio of Check Point Software Blades, Gateway and Security
Management products.
Gaia is a unified security Operating System that combines the best of Check Point original operating
systems, and IPSO, the operating system from appliance security products. Gaia is available for all Check
Point Security Appliances and Open Servers.
Designed from the ground up for modern high-end deployments, Gaia includes support for:
n IPv4 and IPv6 - fully integrated into the Operating System.
n High Connection and Virtual Systems Capacity - 64-bit Linux kernel support.
n Load Sharing - ClusterXL and Interface bonding.
n High Availability - ClusterXL, VRRP, Interface bonding.
n Dynamic and Multicast Routing - BGP, OSPF, RIP, and PIM-SM, PIM-DM, IGMP.
n Easy to use Command Line Interface - Commands are structured with the same syntactic rules.
An enhanced help system and auto-completion simplifies user operation.
n Role-Based Administration - Lets Gaia administrators create different roles. Administrators can let
users define access to features in the users' role definitions. Each role can include a combination of
administrative (read/write) access to some features, monitoring (read-only) access to other
features, and no access to other features.
Gaia CPUSE:
n Get updates for licensed Check Point products directly through the operating system.
n Download and install the updates more quickly. Download automatically, manually, or periodically.
Install manually or periodically.
n Get email notifications for newly available updates and for downloads and installations.
n Easy rollback from new update.
Gaia API:
See sk143612 and Gaia API Reference.

Introduction to the Gaia Portal

This chapter gives a brief overview of the Gaia Portal interface and procedures for using the interface
elements.
Gaia Portal Overview

n The Gaia Portal is an advanced, web-based interface for Gaia platform configuration.
You can do almost all system configuration tasks through this Web-based interface.
n Easy Access - Simply connect with a web browser to:
https://<IP Address of Gaia Management Interface>
n Browser Support - Microsoft Edge, Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, and
Apple Safari.
n Powerful Search Engine - Makes it easy to find features or functionality to configure.
n Easy Operation - Two operating modes:
l Simplified mode, which shows only basic configuration options.
l Advanced mode, which shows all configuration options.
You can easily change these modes.
n Web-Based Access to Command Line - Clientless access to the Gaia Clish directly from your web
browser.
The Gaia Portal interface

Item Description
1 Navigation tree
2 Toolbar
3 Status bar
4 Overview page with widgets that show system information
5 Search tool
Note - The browser Back button is not supported. Do not use it.
Logging in to the Gaia Portal
To log in to the Gaia Portal:
Step Description
1 Enter this URL in your browser:

https://<IP Address of
Gaia Management
Interface>
2 Enter your user name and password.

Important:

Important:
SSL connection ports on Security Management Servers R80.40 and lower
n When you enable the Endpoint Policy Management Software Blade on a Security
Management Server, the SSL connection port to these services automatically changes from
the default TCP port 443 to the TCP port 4434:
l Gaia Portal
Configuration URL and Port
Default https://<IP Address of Gaia Management

Interface>
New https://<IP Address of Gaia Management

Interface>:4434
l SmartView Web Application
Default https://<IP Address of Management

Server>/smartview/
New https://<IP Address of Management

Server>:4434/smartview/
l Management API Web Services (see Check Point Management API Reference)
Default https://<IP Address of Management Server>/web_

api/<command>
New https://<IP Address of Management

Server>:4434/web_api/<command>
n When you disable the Endpoint Policy Management Software Blade on a Security
Management Server, the SSL connection port automatically changes back to the default TCP
port 443.

SSL connection ports on Security Management Servers R81 and higher
n A Security Management Server listens to SSL traffic for all services on the TCP port 443 in
these cases:
l If you performed a clean installation of a Security Management Server R81 and
enabled the Endpoint Policy Management Software Blade.
l If you upgraded a Security Management Server with disabled Endpoint Policy
Management Software Blade to R81 and enabled this Software Blade after the
upgrade.
In these cases, when Endpoint Security SSL traffic arrives at the TCP port 443, the Security
Management Server automatically redirects it (internally) to the TCP port 4434.
Service URL and Port
Gaia Portal https://<IP Address of Gaia Management

Interface>
SmartView Web Application https://<IP Address of Management

Server>/smartview/
Management API Web https://<IP Address of Management

Services Server>/web_api/<command>
(see Check Point
Management API Reference)
n If you upgraded a Security Management Server with enabled Endpoint Policy Management
Software Blade to R81, then the SSL port configuration remains as it was in the previous
version, from which you upgraded:
l A Security Management Server listens to Endpoint Security SSL traffic on the TCP port
443
l A Security Management Server listens to SSL traffic for all other services on the TCP
port 4434:
Service URL and Port
Gaia Portal https://<IP Address of Gaia

Management Interface>:4434
SmartView Web https://<IP Address of Management

Application Server>:4434/smartview/
Management API Web https://<IP Address of Management

Services Server>:4434/web_api/<command>
(see Check Point
Management API
Reference)

In R81 and higher, an administrator can manually configure different TCP ports for the Gaia
Portal (and other services) and Endpoint Security - 443 or 4434. For the applicable
procedures, see the R81 Endpoint Security Server Administration Guide > Chapter Endpoint
Security Architecture > Section Connection Port to Services on an Endpoint Security
Management Server.
Logging out from the Gaia Portal
Make sure that you always log out from the Gaia Portal (in the top right corner) before you close the web
browser. This is because the configuration lock stays in effect even when you close the web browser or
terminal window. The lock remains in effect until a different user removes the lock, or the defined
inactivity time-out period expires (default is 10 minutes).

Working with the Configuration Lock

Only one user can have Read/Write access to Gaia configuration settings at a time. All other users can log
in with Read-Only access to see configuration settings, as specified by their assigned roles (see "Roles" on
page 314).
When you log in and no other user has Read/Write access, you get an exclusive configuration lock with
Read/Write access. If a different user already has the configuration lock, you have the option to override
their lock. If you:
n Override the lock. The other user stays logged in with Read-Only access.
n Do not override the lock. You cannot modify the settings.
To override a configuration lock in the Gaia Portal
n Click the Configuration lock (above the toolbar). The pencil icon (Read/Write enabled)
replaces the lock.
n If you use a configuration settings page, click the Click here to obtain lock link. You can see this
link if a different user overrides your configuration lock.
Note - Only users with Read/Write access privileges can override a configuration lock.

Using the Gaia Portal Interface Elements

The Gaia Portal contains many elements that make the task of configuring features and system settings
easier.
Toolbar Accessories
You can use these toolbar icons to do these tasks
Item Description
Read/Write mode enabled.
Configuration locked (Read Only mode).
Opens the Console accessory for CLI commands.

Available in the Read/Write mode only.
Opens the Scratch Pad accessory for writing notes or for quick copy and paste operations.
Available in the Read/Write mode only.
Search Tool
You can use the search bar to find an applicable configuration page by entering a keyword. The keyword
can be a feature, a configuration parameter or a word that is related to a configuration page.
The search shows a list of pages related to the entered keyword. To go to a page, click a link in the list.
Navigation Tree
The navigation three lets you select a page. Pages are arranged in logical feature groups. You can show
the navigation tree in one of these view modes:
Mode Description
Basic Shows some standard pages.
Advanced Shows all pages. This is the default mode.
To change the navigation tree mode, click View Mode and select a mode from the list.
To hide the navigation tree, click the Hide icon.
Status Bar
The status bar, located at the bottom of the window, shows the result of the last configuration operation.
To see a history of the configuration operations during the current session, click the Expand icon.

Configuration Tab
The Configuration tab lets you see and configure parameters for Gaia features and settings groups. The
parameters are organized into functional settings groups in the navigation tree. You must have Read/Write
permissions for a settings group to configure its parameters.
Monitoring Tab
The Monitoring tab lets you see status and detailed operational statistics, in real time, for some routing
and high availability settings groups. This information is useful for monitoring dynamic routing and VRRP
cluster performance.
To see the Monitoring tab, select a routing or high availability feature settings group and then click the
Monitoring tab. For some settings groups, you can select different types of information from a menu.
Unsupported Characters and Words

To prevent possible Cross-Site Scripting (XSS) attacks, Gaia Portal does not accept some characters and
words when you enter them in various fields.
Unsupported Characters
Character Description
< Less than
> Greater than
& Ampersand
; Semi-colon
Unsupported Words
n after
n apply
n catch
n eval
n subset

System Information Overview

In This Section:
Showing System Overview Information in Gaia Portal 33

Showing System Overview Information in Gaia Clish 35
This chapter shows you how to see system information in the Gaia Portal and Gaia Clish.
Showing System Overview Information in Gaia

Portal
The Overview page shows status widgets.
You can add or remove widgets from the page, move them around the page and minimize or expand them.
Widgets
Widget Description
System System information, including:

Overview
n Installed product (for example: Check Point Security Management
Server, Check Point Security Gateway)
n Product version number (for example: R80.10)
n Kernel edition (32-bit, or 64-bit)
n Product build number
n System uptime
n hardware platform, on which Gaia is installed
n Computer serial number (on Check Point appliances)
Blades Installed Software Blades.

Those that are enabled in SmartConsole, are colored.
Those that are disabled in SmartConsole, are grayed out.
Network Interfaces, their IP Addresses and Link Status.

Configuration
CPU Monitor Graphical display of CPU usage.
Memory Graphical display of memory usage.

Monitor
Packet Rate Graphical display of the overall traffic packet rate.
Throughput Graphical display of the overall traffic throughput.

To add a widget to the page
Step Description
1 Scroll down to the bottom of this page.
2 Click Add Widget and select a widget to show.
To move a widget on the page
Step Description
1 Left-click the widget title bar.
2 Hold the left mouse button.
3 Drag the widget to the applicable location.
4 Release the left mouse button.

Showing System Overview Information in Gaia

Clish
You can use these commands to show system status:
The "show uptime" command
Description
Shows how long the Gaia system is up and running.
Syntax
show uptime

The "show version" command
Description
Shows the name and versions of the Gaia OS components.
Syntax
n To show the full system version information:
show version all
n To show version information for OS components:
show version os
build
edition
kernel
n To show name of the installed product:
show version product
Parameters
Parameter Description
all Shows all Gaia system information.
os build Shows the Gaia build number.
os edition Shows the Gaia kernel edition.
os kernel Shows the Gaia kernel build number.
product Shows the Gaia version.

Introduction to the Command Line Interface
Introduction to the Command Line

Interface
This chapter introduces the Gaia command line interface.
The default Gaia shell is called clish.
To use the Gaia Clish:
Step Description
1 Connect to the Gaia platform using one of these options:

n In SmartConsole (see "Centrally Managing Gaia Device Settings" on page 76).
n Using a command-line connection (SSH, or a console).
2 Log in using a user name and password.

Immediately after installation, the default user name and password are admin and admin.
Saving configuration changes:

When you change the OS configuration with in Gaia Clish, changes are applied immediately to the running
system only.
To have the changes survive a reboot, you must run this command:
save config

Command Completion
Command Completion
You can automatically complete a command.
This saves time, and can help if you are not sure what to type next.
Press ... To do this ...
<TAB> Complete or fetch the keyword.

Example:
HostName> set in<TAB>
inactivity-timeout - Set inactivity timeout
interface - Displays the interface related
parameters
HostName> set in
<SPACE><TAB> Show the arguments that the command for that feature accepts.
Example:
HostName> set interface<SPACE><TAB>
eth0 eth1 lo
HostName> set interface
<ESC><ESC> See possible command completions.

Example:
HostName> set inter<ESC><ESC>
set interface VALUE ipv4-address VALUE mask-length
VALUE
set interface VALUE ipv4-address VALUE subnet-mask
VALUE
set interface VALUE ipv6-address VALUE mask-length
VALUE
set interface VALUE {comments VALUE mac-addr VALUE mtu
VALUE state VALUE speed VALUE duplex VALUE auto-
negotiation VALUE}
set interface VALUE {ipv6-autoconfig VALUE}
HostName> set inter
? Get help on a feature or keyword.

Example:
HostName> set interface <?>
interface: specifies the interface name
This operation configures an existing interface
HostName>
UP arrow Browse the command history.

DOWN arrow

Command Completion
Press ... To do this ...
LEFT arrow Edit the command.

RIGHT arrow
Enter Run the command.

The cursor does not have to be at the end of the line.
You can usually abbreviate the command to the smallest number of unambiguous
characters.

Commands and Features

Gaia Clish commands are organized into groups of related features, with a basic syntax:
<Operation> <Feature> <Parameter>
See "Summary of Gaia Clish Commands" on page 55.
Main operations Description
add Adds or creates a new configuration in the system.
set Sets a value in the system.
show Shows a value or values in the system.
delete Deletes a configuration in the system.
Other
Description
operations
save Saves the configuration changes made since the last save operation.
reboot Restart the system.
halt Turns off the computer.
quit Exits from the Gaia Clish.
exit Exits from the shell, in which you work.
start Starts a transaction. Puts the Gaia Clish into transaction mode. All changes made using
commands in transaction mode are either applied at once, or none of the changes is
applied, based on the way transaction mode is terminated.
commit Ends transaction by committing changes.
rollback Ends transaction by discarding changes.
expert Enters the Expert shell. Allows low-level access to the system, including the file system.
ver Shows the version of the active Gaia image.
restore Restores the configuration of the system.
help Shows help on navigating the Gaia Clish and some useful commands.

n To see the commands, for which you have permissions, run:
show commands
n To see a list of all features, run:
show commands feature<SPACE><TAB>
n To see all commands for a specific feature, run:
show commands feature <FeatureName>
n To see all commands for an operation of a feature, run:
show commands [op <Name>] [feature <Name>]
n To see all operations, run:
show commands op<SPACE><TAB>
At the More prompt:

To see the next page, press <SPACE>.
To see the next line, press <ENTER>.
To exit from the More prompt, press Q.

Command History
Command History
You can recall commands you have used before, even in previous sessions.
Command Description
? Recall previous command.
? Recall next command.
history Show the last 100 commands.
!! Run the last command.
!nn Run a specific previous command: the nn command in the commands history
list.
!-nn Run the nnth previous command.

For example, entering !-3 runs the third from last command in the commands
history list.
!str Run the most recent command that starts with str.
!\?str\? Run the most recent command containing str.

You may omit the trailing ?, if a new line follows str immediately.
!!:s/str1/str2 Repeat the last command, replacing str1 with str2.
Command Reuse
You can combine word designators with history commands to refer to specific words used in previous
commands.
Words are numbered from the beginning of the line with the first word being denoted by 0 (digit zero).
Use a colon (:) to separate a history command from a word designator.
For example, you could enter !!:1 to refer to the first argument in the previous command.
In the command "show interfaces", the interfaces is word 1.
Word Designator Meaning
0 The operation word.
n The nth word.
^ The first argument; that is, word 1.
$ The last argument.
% The word matched by the most recent \?str\? search.

Command History
Immediately after word designators, you can add a sequence of one or more of these modifiers, each
preceded by a colon:
Modifier Meaning
p Print the new command, but do not execute.
s/str1/str2 Replace str1 with str2 in the first occurrence of the word, to which you refer.
g Apply changes over the entire command.

Use this modified in conjunction with s, as in gs/str1/str2.

Command Line Movement and Editing
Command Line Movement and Editing

You can back up in a command you are typing to correct a mistake.
To edit a command, use the left and right arrow keys to move around and the Backspace key to delete
characters.
You can enter commands that span more than one line.
You can use these keystroke combinations:
Keystroke combination Meaning
Alt D Delete next word (to the right of the cursor).
Alt F Go to the next word (to the right of the cursor).
Ctrl Alt H Delete the previous word (to the left of the cursor).
Ctrl Shift - Repeat the previous word (from the left of the cursor).
Ctrl A Move to the beginning of the line.
Ctrl B Move to the previous character (to the right of the cursor).
Ctrl E Move to the end of the line.
Ctrl F Move to the next character (to the right of the cursor).
Ctrl H Delete the previous character (to the left of the cursor).
Ctrl L Clear the screen and show the current line at the top of the screen.
Ctrl N Next history item.
Ctrl P Previous history item.
Ctrl R Redisplay the current line.
Ctrl U Delete the current line.

Configuration Locks
Configuration Locks
Only one user can have Read/Write access to Gaia configuration database at a time. All other users can
log in with Read-Only access to see configuration settings, as specified by their assigned roles (see
"Roles" on page 314).
When you log in and no other user has Read/Write access, you get an exclusive configuration lock with
Read/Write access. If a different user already has the configuration lock, you have the option to override
their lock. If you:
n Override the lock. The other user stays logged in with Read-Only access.
n Do not override the lock. You cannot modify the settings.
The "lock database" and "lock database" commands
Description
Use the "lock database override" and "unlock database" commands to get exclusive
read-write access to the Gaia database by taking write privileges away from other administrators
logged into the system.
Syntax
lock database override
unlock database
Comments
n Use these commands with caution.
The administrator, whose write access is revoked, does not receive a notification.
n The "lock database override" command is identical to the "set config-lock on
override" command.
n The "unlock database" command is identical to the "set config-lock off" command.

Configuration Locks
The "config-lock" commands
Description
Configures and shows the state of the configuration lock on Gaia configuration database.
Syntax
set config-lock
off
on [timeout <5-900>] override
show
config-lock
config-state
Parameters
off Turns off the configuration lock.
on Turns on the configuration lock.

The default timeout value is 300 seconds.
timeout <5-900> Optional parameter.

Turns on the configuration lock for the specified interval in seconds.
Comments
n The "set config-lock on override" command is identical to the "lock database
override" command.
n The "set config-lock off" command is identical to the "unlock database" command.

Environment Commands
Description
Use these commands to set the Gaia Clish environment for a user for a particular session, or permanently.
Syntax
To show the client environment

show clienv
all
config-lock
debug
echo-cmd
on-failure
output
prompt
rows
syntax-check
To configure the client environment

set clienv
config-lock {on | off}
debug {0-6}
echo-cmd {on | off}
on-failure {continue | stop}
output {pretty | structured | xml}
prompt <Prompt String>
rows <Number of Rows>
syntax-check {on | off}
To save the client environment configuration permanently

save clienv
Parameters
config-lock {on Default value of the Clish config-lock parameter.

| off} If set to on, Gaia Clish locks the configuration when invoked. Otherwise, it
continues without a configuration lock.
When the configuration is locked by Gaia Clish, no configuration changes
are possible in Gaia Portal, until the lock is released.

debug {0-6} Debug level.

Predefined levels are:
n 0 - (Default) Do not debug, display error messages only
n 5 - Show confd daemon requests and responses
n 6 - Show handler invocation parameters and results
echo-cmd {on | If set to on, echoes all commands before executing them, when the
off} command execution is done through the "load configuration"
command.
The default is off.
on-failure Action performed on failure:

{continue |
stop} n continue - Show error messages, but continue running
commands from a file or a script
n stop - (Default) Stop running commands from a file or a script
output {pretty | Command line output format.

structured | The default is pretty.
xml} See "Client Environment Output Format" on page 49.
prompt <Prompt Command prompt string.

String> A valid prompt string can consist of any printable characters and a
combination of these variables:
n %H - Replaced with the Command number
n %I - Replaced with the User ID
n %M - Replaced with the Hostname
n %P - Replaced with the Product ID
n %U - Replaced with the Username
To set the prompt back to the default, use the keyword default.
rows <Number of Number of rows to show in your terminal window.

Rows> If the window size is changed, the number of rows also changes, unless
the value is set to 0 (zero).
syntax-check {on Put the shell into syntax-check mode.

| off} Commands you enter are checked syntactically and are not executed, but
values are validated.
The default is off.

Client Environment Output Format

Gaia Clish supports these output formats:
Pretty
Output is formatted to be clear.

For example, output of the command show user admin in pretty mode would look like this:
gaia> set clienv output pretty
gaia> show user admin

Uid Gid Home Dir. Shell Real Name Privileges
0 0 /home/admin /bin/cli.sh Admin Admin-like shell
gaia>
Structured
Output is delimited by semi-colons.

For example, output of the command show user admin in structured mode would look like this:
gaia> set clienv output structured

Uid;Gid;Home Dir.;Shell;Real Name;Privileges;
0;0;/home/admin;/bin/bash;Admin;Admin-like shell;
gaia>

XML
Adds XML tags to the output.

For example, output of the command show user admin in XML mode would look like this:
gaia> set clienv output xml

<?xml version="1.0"?>
<CMDRESPONSE>
<CMDTEXT>show user admin</CMDTEXT>
<RESPONSE><System_User>
<Row>
<Uid>0</Uid>
<Gid>0</Gid>
<Home_Dir.>/home/admin</Home_Dir.>
<Shell>/bin/bash</Shell>
<Real_Name>Admin</Real_Name>
<Privileges>Admin-like shell</Privileges>
</Row>
</System_User>
</RESPONSE>
</CMDRESPONSE>
gaia>

Expert Mode
Expert Mode
The default Gaia shell is called clish.
Gaia Clish is a restrictive shell (role-based administration controls the number of commands available in
the shell).
While the use of Gaia Clish is encouraged for security reasons, Gaia Clish does not give access to low level
system functions.
For low-level configuration, use the more permissive Expert mode shell. In addition, see sk144112.
n To enter the Expert shell, run: expert
n To exit from the Expert shell and return to Gaia Clish, run: exit
Note - If a command is supported in Gaia Clish, it is not possible to run it in Expert

mode.
For example, you cannot run the ifconfig command in the Expert mode. Use the
"set interface" command in Gaia Clish instead.
Description
The Expert mode password protects the Expert shell against authorized access.
Use these commands to set the Expert password by plain text or MD5 salted hash.
Use the MD5 salted hash option when upgrading or restoring using backup scripts.
Syntax
set expert-password
set expert-password hash <Hash String>
Important - You must run the "save config" command to set the new Expert mode
password permanently.
Parameters
hash <Hash String> The password as an MD5 salted hash instead of plain text.
Use this option when you upgrade or restore using backup scripts.

Expert Mode
Example
gaia> set expert-password
Enter current expert password: *******
Enter new expert password: *****
Enter new expert password (again): *****
Password is only 5 characters long; it must be at least 6 characters
in length.
Enter new expert password: ******
Enter new expert password (again): ******
Password is not complex enough; try mixing more different kinds of
characters (upper case, lower case, digits, and punctuation).
Enter new expert password: *******
Enter new expert password (again): *******
gaia> save config

User Defined (Extended) Commands

Description
Manage user defined (extended) commands in Gaia Clish.
Extended commands include:
1. Built in extended commands.
These are mostly intended to configure and troubleshoot Gaia and Check Point products.
2. User defined commands.
You can do role-based administration (RBA) with extended commands:
1. Assign extended commands to roles.
2. Assign the roles to users or user groups.
Syntax
n To show all extended commands:
show extended commands
n To show the path and description of a specified extended command:
show command <Command>
n To add an extended command:
add command <Command> path <Path> description "<Text>"
n To delete an extended command:
delete command <Command>
Parameters
<Command> Name of the extended command
<Path> Path of the extended command
"<Text>" Description of the extended command (must enclose in double quotes)
See "List of Available Extended Commands in Roles" on page 339.

Example
To add the free command to the systemDiagnosis role and assign that role to the user john:
Step Description
1 To add the free command:

gaia> add command free path
/usr/bin/free description "Display
amount of free and used memory in
the system"
2 Save the configuration:

gaia> save config
3 Log out of Gaia.
4 Log in to Gaia again.
5 To add the free command to the systemDiagnosis role:

gaia> add rba role systemDiagnosis
domain-type System readwrite-
features ext_free
6 To assign the systemDiagnosis role to the user john:

gaia> add rba user john roles
systemDiagnosis

gaia> save config

Summary of Gaia Clish Commands

This section shows the list of commands available in Gaia Clish.
To show the list of all available Gaia Clish commands:
Step Description
1 Connect to the command line on your Gaia system.
2 Log in to Gaia Clish..
3 Press the <TAB> key on the keyboard.
To show the list of available Gaia Clish 'show' commands:
Step Description
2 Log in to Gaia Clish.
3 Type:
show
4 Press the <SPACE> key and then the <TAB> key on the keyboard.
To show the list of available Gaia Clish 'add' commands:
Step Description
3 Type:
add

To show the list of available Gaia Clish 'set' commands:
Step Description
3 Type:
set
To show the list of available Gaia Clish 'delete' commands:
Step Description
3 Type:
delete

Configuring Gaia for the First Time
Configuring Gaia for the First Time

After you install Gaia for the first time, use the First Time Configuration Wizard to configure the system and
the Check Point products on it.
You can run the First Time Configuration Wizard in:
n Gaia Portal
n CLI Expert mode

Running the First Time Configuration Wizard in Gaia Portal
Running the First Time Configuration Wizard in

Gaia Portal
To start the Gaia First Time Configuration Wizard:
Step Instructions
1 Connect a computer to the Gaia computer.

You must connect to the interface you configured during the Gaia installation (for example,
eth0).
2 On your connected computer, configure a static IPv4 address in the same subnet as the IPv4
address you configured during the Gaia installation.
3 On your connected computer, in a web browser, connect to the IPv4 address you configured
during the Gaia installation:
https://<IP address of Gaia Management Interface>
4 Enter the default username and password: admin and admin.
5 Click Login.
The Check Point First Time Configuration Wizard opens.
6 Follow the instructions on the First Time Configuration Wizard windows.

See the applicable chapters below for installing specific Check Point products.
Below you can find the description of the First Time Configuration Wizard windows and their fields.

Deployment Options window
In this window, you select how to deploy Gaia Operating System.
Section Options Description
Setup Continue with R81 Use this option to configure the installed Gaia and Check
configuration Point products.
Install Install from Check Point Use these options to install a Gaia version.
Cloud
Install from USB device
Recovery Import existing snapshot Use this option to import an existing Gaia snapshot.
If in the Deployment Options window, you selected Install from Check Point Cloud, the First Time
Configuration Wizard asks you to configure the connection to Check Point Cloud. These options appear
(applies only to Check Point appliances that you configured as a Security Gateway):
n Install major version - This option let you choose and install major versions available on Check
Point Cloud. The Gaia CPUSE performs the installation.
n Pull appliance configuration - This option lets you to apply initial deployment configuration
including different OS version on the appliance. You must prepare the initial deployment
configuration with the Zero Touch Cloud Service. For more information, see sk116375.

Management Connection window
In this window, you select and configure the main Gaia Management Interface. You connect to this IP
address to open the Gaia Portal or CLI session.
Field Description
Interface By default, First Time Configuration Wizard selects the interface you configured during
the Gaia installation (for example, eth0).
Note - After you complete the First Time Configuration Wizard and reboot,
you can select another interface as the main Gaia Management Interface
and configure its IP settings.
Configure Select how the Gaia Management Interface gets its IPv4 address:
IPv4
n Manually - You configure the IPv4 settings in the next fields.
n Off - None.
IPv4 Enter the applicable IPv4 address.

address
Subnet Enter the applicable IPv4 subnet mask.

mask
Default Enter the IPv4 address of the applicable default gateway.

Gateway
Configure Select how the Gaia Management Interface gets its IPv6 address:
IPv6
n Off - None.
IPv6 Enter the applicable IPv6 address.

Address
Mask Enter the applicable IPv6 mask length.

Length
Default Enter the IPv6 address of the applicable default gateway.

Gateway

Internet Connection window
Optional: In this window, you configure the interface that connects the Gaia computer to the Internet.
Interface Select the applicable interface on this computer.
Configure IPv4 Select how the applicable interface gets its IPv4 address:
n Off - None.
IPv4 address Enter the applicable IPv4 address.
Subnet mask Enter the applicable IPv4 subnet mask.
Configure IPv6 Optional. Select how the applicable interface gets its IPv6 address:
n Off - None.
IPv6 Address Enter the applicable IPv6 address.
Subnet Enter the applicable IPv6 subnet mask.
Device Information window
In this window, you configure the Host name, the DNS servers and the Proxy server on the Gaia
computer.
Field Description
Host Name Enter the applicable distinct host name.
Domain Name Optional: Enter the applicable domain name.
Primary DNS Server Enter the applicable IPv4 address of the primary DNS server.
Secondary DNS Optional: Enter the applicable IPv4 address of the secondary DNS server.
Server
Tertiary DNS Server Optional: Enter the applicable IPv4 address of the tertiary DNS server.
Use a Proxy server Optional: Select this option to configure the applicable Proxy server.
Address Enter the applicable IPv4 address or resolvable hostname of the Proxy
server.
Port Enter the port number for the Proxy server.

Date and Time Settings window
In this window, you configure the date and time settings on the Gaia computer.
Field Description
Set the time manually Select this option to configure the date and time settings manually.
Date Select the correct date.
Time Select the correct time.
Time Zone Select the correct time zone.
Use Network Time Select this option to configure the date and time settings automatically
Protocol (NTP) with NTP.
Primary NTP server Enter the applicable IPv4 address or resolvable hostname of the
primary NTP server.
Version Select the version of the NTP for the primary NTP server.
Secondary NTP server Optional: Enter the applicable IPv4 address or resolvable hostname of
the secondary NTP server.
Version Select the version of the NTP for the secondary NTP server.
Time Zone Select the correct time zone.
Installation Type window
In this window, you select which type of Check Point products you wish to install on the Gaia computer.
Field Description
Security Gateway and/or Security Select this option to install:

Management
n A Single Security Gateway.
n A Cluster Member.
n A Security Management Server, including
Management High Availability.
n An Endpoint Security Management Server.
n An Endpoint Policy Server.
n CloudGuard Controller.
n A dedicated single Log Server.
n A dedicated single SmartEvent Server.
n A Standalone.
Multi-Domain Server Select this option to install:

n A Multi-Domain Server, including Management
High Availability.
n A dedicated single Multi-Domain Log Server.

Products window
In this window, you continue to select which type of Check Point products you wish to install on the Gaia
computer.
n If in the Installation Type window, you selected Security Gateway and/or Security
Management, these options appear:
Field Description
Security Gateway Select this option to install:

l A single Security Gateway.
l A Cluster Member.
l A Standalone.
Security Select this option to install:

Management l A Security Management Server, including Management High
Availability.
l An Endpoint Security Management Server.
l An Endpoint Policy Server.
l CloudGuard Controller.
l A dedicated single Log Server.
l A dedicated single SmartEvent Server.
l A Standalone.
Unit is a part of a This option is available only if you selected Security Gateway .
cluster Select this option to install a cluster of dedicated Security Gateways,
or a Full High Availability Cluster.
Select the cluster type:
l ClusterXL - For a cluster of dedicated Security Gateways, or
a Full High Availability Cluster.

l VRRP Cluster - For a VRRP Cluster on Gaia.
Define Security Select Primary to install:

Management as l A Security Management Server.
l An Endpoint Security Management Server.
l An Endpoint Policy Server.
l CloudGuard Controller.
Select Secondary to install:

l A Secondary Management Server in Management High
Availability.
Select Log Server / SmartEvent only to install:
l A dedicated single Log Server.
l A dedicated single SmartEvent Server.
n If in the Installation Type window, you selected Multi-Domain Server, these options appear:
Field Description
Primary Multi-Domain Select this option to install a Primary Multi-Domain Server in

Server Management High Availability.

Field Description
Secondary Multi- Select this option to install a Secondary Multi-Domain Server in

Domain Server Management High Availability.
Multi-Domain Log Select this option to install a dedicated single Multi-Domain Log
Server Server.
Note - By default, the option Automatically download Blade Contracts, new

software, and other important data is enabled. See sk111080.
Dynamically Assigned IP window
In this window, you select if this Security Gateway gets its IP address dynamically (DAIP gateway).
Field Description
Yes Select this option, if this Security Gateway gets its IP address dynamically (DAIP gateway).
No Select this option, if you wish to configure this Security Gateway with a static IP address.
Secure Internal Communication (SIC) window
In this window, you configure a one-time Activation Key. You must enter this key later in SmartConsole
when you create the corresponding object and initialize SIC.
Field Description
Activation Key Enter one-time activation key (between 4 and 127 characters long).
Confirm Activation Key Enter the same one-time activation key again.
Security Management Administrator window
In this window, you configure the main administrator for this Security Management Server.
Use Gaia Select this option, if you wish to use the default Gaia administrator
administrator: admin (admin).
Define a new Select this option, if you wish to configure an administrator username
administrator and password manually.

Security Management GUI Clients window
In this window, you configure which computers are allowed to connect with SmartConsole to this
Security Management Server.
Field Description
Any IP Address Select this option to allow all computers to connect.
This machine Select this option to allow only a specific computer to connect.
By default, the First Time Configuration Wizard uses the IPv4 address of
your computer.
You can change it to another IP address.
Network Select this option to allow an entire IPv4 subnet of computers to connect.
Enter the applicable subnet IPv4 address and subnet mask.
Range of IPv4 Select this option to allow a specific range of IPv4 addresses to connect.
addresses Enter the applicable start and end IPv4 addresses.
Leading VIP Interfaces Configuration window
In this window, you select the main Leading VIP Interface on this Multi-Domain Server.
Field Description
Select leading interface Select the applicable interface.
Multi-Domain Server GUI Clients window
In this window, you configure which computers are allowed to connect with SmartConsole to this Multi-
Domain Server.
Field Description
Any host Select this option to allow all computers to connect.
IP Select this option to allow only a specific computer to connect.

address By default, the First Time Configuration Wizard uses the IPv4 address of your
computer.
You can change it to another IP address.

First Time Configuration Wizard Summary window
In this window, you can see the installation options you selected.
The Improve product experience section:
n By default, the option Send data to Check Point is enabled. For information about this option,
see sk111080.
n By default, the option Send crash data to Check Point that might contain personal data is
disabled.
If you enable this option, Gaia operating system uploads the detected core dump files to Check
Point Cloud.
This lets Check Point R&D analyze the crashes and issue fixes for them.
Notes:
n At the end of the First Time Configuration Wizard, the Gaia computer reboots and the
initialization process is performed in the background for several minutes.
n If you installed the Gaia computer as a Security Management Server or Multi-Domain Server,
only read-only access is possible with SmartConsole during this initialization time.
n To make sure the configuration is finished:
1. Connect to the command line on the Gaia computer.
2. Log in to the Expert mode.
3. Check that the bottom section of the /var/log/ftw_install.log file contains one of
these sentences:
l installation succeeded
l FTW: Complete
Run:
cat /var/log/ftw_install.log | egrep --color "installation

succeeded|FTW: Complete"

Example outputs:
l From a Security Gateway or Cluster Member:
[Expert@GW:0]# cat /var/log/ftw_install.log | egrep --

color "installation succeeded|FTW: Complete"
Dec 06, 19 19:19:51 FTW: Complete
[Expert@GW:0]#
l From a Security Management Server or a Standalone:
[Expert@SA:0]# cat /var/log/ftw_install.log | egrep --

Dec 06, 2019 03:48:38 PM installation succeeded.
06/12/19 15:48:39 FTW: Complete
[Expert@SA:0]#
l From a Multi-Domain Server:
[Expert@MDS:0]# cat /var/log/ftw_install.log | egrep --

Dec 06, 2019 07:43:15 PM installation succeeded.
[Expert@MDS:0]#

Running the First Time Configuration Wizard in CLI Expert mode
Running the First Time Configuration Wizard in

CLI Expert mode
Description
Use this command in the Expert mode to test and to run the First Time Configuration Wizard on a Gaia
system for the first time after the system installation.
Notes:
n The config_system utility is not an interactive configuration tool. It helps
automate the first time configuration process.
n The config_system utility is only for the first time configuration, and not for
ongoing system configurations.
Syntax
n To list the command options, run one of these:
Form Command
Short form config_system -h
Long form config_system --help
n To run the First Time Configuration Wizard from a specified configuration file, run one of these:
Form Command
Short form config_system -f <Path and Filename>
Long form config_system --config-file <Path and Filename>
n To run the First Time Configuration Wizard from a specified configuration string, run one of these:
Form Command
Short form config_system -s <String>
Long form config_system --config-string <String>
n To create a First Time Configuration Wizard Configuration file template in a specified path, run one
of these:
Form Command
Short form config_system -t <Path>
Long form config_system --create-template <Path>

n To verify that the First Time Configuration file is valid, run:
config_system --dry-run
n To list configurable parameters, run one of these:
Form Command
Short form config_system -l
Long form config_system --list-params
To run the First Time Configuration Wizard from a configuration string:
St
Description
ep
1 Run this command in Expert mode:

config_system --config-string <String of Parameters and Values>
A configuration string must consist of parameter=value pairs, separated by the ampersand (&).
You must enclose the whole string between quotation marks.
For example:
"hostname=myhost&domainname=somedomain.com&timezone='America/Ind
iana/Indianapolis'&ftw_sic_key=aaaa&install_security_
gw=true&gateway_daip=false&install_ppak=true&gateway_cluster_
member=true&install_security_managment=false"
For more information on valid parameters and values, run the "config_system -h"
command.
2 Reboot the system.
To run the First Time Configuration Wizard from a configuration file:
Step Description

config_system -f
<File Name>
2 Reboot the system.
If you do not have a configuration file, you can create a configuration template and fill in the parameter
values as necessary.
Before you run the First Time Configuration Wizard, you can validate the configuration file you created.

To create a configuration file:
Step Description

config_system -t <File
Name>
2 Open the file you created in a text editor.
3 Edit all parameter values as necessary.
4 Save the updated configuration file.
To validate a configuration file:

Run this command in Expert mode:
config_system --config-file <File Name> --dry-run
Parameters
A configuration file contains the <parameter>=<value> pairs described in the table below.
Note - The config_system parameters can change from Gaia version to Gaia
version. Run the "config_system --help" command to see the available
parameters.
Table: The 'config_system' parameters
Parameter Description Valid values
install_ Installs Security Gateway, if its value is set to n true

security_ "true". n false
gw
gateway_ Configures the Security Gateway as Dynamic IP n true

daip (DAIP) Security Gateway, if its value is set to n false
"true".
Note - Must be set
to "false", if
ClusterXL or
Security
Management
Server is enabled.
gateway_ Configures the Security Gateway as member of n true

cluster_ ClusterXL, if its value is set to "true". n false
member

Table: The 'config_system' parameters (continued)

install_ Installs Security Management Server, if its value is n true

security_ set to "true". n false
managment
install_ Makes the installed Security Management Server n true

mgmt_ the Primary one. n false
primary Note - The value of the "install_
Note - Can only be
security_managment" parameter
set to "true", if the
must be set to "true".
value of the
"install_mgmt_
secondary"
parameter is set to
"false".
install_ Makes the installed Security Management Server a n true

mgmt_ Secondary one. n false
secondary Note - The value of the "install_
Note - Can only be
value of the
"install_mgmt_
primary"
parameter is set to
"false".
install_ Makes the installed Security Management Server n true

mds_ the Primary Multi-Domain Server. n false
primary Note - The value of the "install_
Note - Can only be
value of the
"install_mds_
secondary"
parameter is set to
"false".
install_ Makes the installed Security Management Server a n true

mds_ Secondary Multi-Domain Server. n false
secondary Note - The value of the "install_
Note - Can only be
value of the
"install_mds_
primary"
parameter is set to
"false".
install_ Installs Multi-Domain Log Server, if its value is set n true

mlm to "true". n false


install_ Specifies Multi-Domain Server management Name of the interface exactly

mds_ interface. as it appears in the device
interface configuration.
Examples: eth0, eth1
download_ Downloads Check Point Software Blade contracts n true

info and other important information, if its value is set to n false
"true".
For more information, see sk94508.
Best Practice - We highly recommended

you enable this optional parameter.
upload_ Uploads data that helps Check Point provide you n true
info with optimal services, if its value is set to "true". n false
Best Practice - We highly recommended

you enable this optional parameter.
mgmt_ Configures Management Server administrator. n Set the value to "gaia_

admin_ admin", if you wish to
radio Note - You must specify this parameter, if use the Gaia "admin"
you install a Management Server. account.
n Set the value to "new_
admin", if you wish to
configure a new
administrator account.
mgmt_ Configures the management administrator's A string of alphanumeric

admin_name username. characters.
Note - You must specify this parameter, if
the value of the "install_security_
managment" parameter is set to
"true".
mgmt_ Configures the management administrator's A string of alphanumeric

admin_ password. characters.
passwd Note - You must specify this parameter, if
the value of the "install_security_
managment" parameter is set to
"true".
mgmt_gui_ Specifies SmartConsole clients that can connect to n any

clients_ the Security Management Server. n range
radio n network
n this


mgmt_gui_ Specifies the first address of the range, if the value Single IPv4 address of a host.
clients_ of the "mgmt_gui_clients_radio" parameter Example:
first_ip_ is set to "range". 192.168.0.10
field
mgmt_gui_ Specifies the last address of the range, if the value Single IPv4 address of a host.
clients_ of the "mgmt_gui_clients_radio" parameter Example:
last_ip_ is set to "range". 192.168.0.20
field
mgmt_gui_ Specifies the network address, if the value of the IPv4 address of a network.
clients_ "mgmt_gui_clients_radio" parameter is set Example:
ip_field to "network". 192.168.0.0
mgmt_gui_ Specifies the netmask, if the value of the "mgmt_ A number from 1 to 32.
clients_ gui_clients_radio" parameter is set to
subnet_ "network".
field
mgmt_gui_ Specifies the netmask, if value of the "mgmt_gui_ Single IPv4 address of a host.
clients_ clients_radio" parameter is set to "this". Example:
hostname 192.168.0.15
ftw_sic_ Configures the Secure Internal Communication A string of alphanumeric

key key, if the value of the "install_security_ characters (between 4 and
managment" parameter is set to "false". 127 characters long).
admin_hash Configures the administrator's password. A string of alphanumeric

characters, enclosed between
single quotation marks.
iface Interface name (optional). Name of the interface exactly

as it appears in the device
configuration.
Examples:
eth0, eth1
ipstat_v4 Turns on static IPv4 configuration, if its value is set n manually

to "manually". n off
ipaddr_v4 Configures the IPv4 address of the management Single IPv4 address.
interface.
masklen_v4 Configures the IPv4 mask length for the A number from 0 to 32.
management interface.
default_ Specifies IPv4 address of the default gateway. Single IPv4 address.
gw_v4


ipstat_v6 Turns static IPv6 configuration on, if its value is set n manually
to "manually". n off
ipaddr_v6 Configures the IPv6 address of the management Single IPv6 address.
interface.
masklen_v6 Configures the IPv6 mask length for the A number from 0 to 128.
management interface.
default_ Specifies IPv6 address of the default gateway. Single IPv6 address.
gw_v6
hostname Configures the name of the local host (optional). A string of alphanumeric
characters.
domainname Configures the domain name (optional). Fully qualified domain name.
Example:
somedomain.com
timezone Configures the Area/Region (optional). The Area/Region must be

enclosed between single
quotation marks.
Examples:
'America/New_York'
'Asia/Tokyo'
Note - To see the
available Areas and
Regions, connect to
any Gaia computer,
log in to Gaia Clish,
and run this
command (names
of Areas and
Regions are case-
sensitive):
set timezone
Area
<SPACE><TAB>
ntp_ Configures the IP address of the primary NTP IPv4 address.

primary server (optional).
ntp_ Configures the NTP version of the primary NTP n 1

primary_ server (optional). n 2
version n 3
n 4
ntp_ Configures the IP address of the secondary NTP IPv4 address.

secondary server (optional).


ntp_ Configures the NTP version of the secondary NTP n 1

secondary_ server (optional). n 2
version n 3
n 4
primary Configures the IP address of the primary DNS IPv4 address.

server (optional).
secondary Configures the IP address of the secondary DNS IPv4 address.

server (optional).
tertiary Configures the IP address of the tertiary DNS IPv4 address.

server (optional).
proxy_ Configures the IP address of the proxy server IPv4 address, or Hostname.
address (optional).
proxy_port Configures the port number of the proxy server A number from 1 to 65535.
(optional).
reboot_if_ Reboots the system after the configuration, if its n true

required value is set to "true" (optional). n false

Centrally Managing Gaia Device Settings
Centrally Managing Gaia Device

Settings
In This Section:
Introduction of Gaia Central Management 76

Managing Gaia in SmartConsole 78
Running Command Scripts 78
Understanding One-Time Scripts 80
Running Repository Scripts 80
Backup and Restore 80
Opening Gaia Portal and Gaia Clish 83
Introduction of Gaia Central Management

SmartConsole lets you:
n Centrally configure network topology:
l IPv4 and IPv6 addresses
l IPv4 and IPv6 static routes
n Centrally configure device settings for these network services:
l DNS
l NTP
l Proxy server
n Do Backup and Restore operation
A compressed .tgz backup file captures the Gaia OS configuration and the Security Gateway
database.
n Do maintenance operations:
l By opening the Gaia Portal or command shell from SmartConsole
l By fetching settings from the device, or by pushing settings to the device
n Examine recent tasks:
The Recent Tasks tab, located in the bottom section of SmartConsole, shows recent Gaia Security
Gateway management tasks done using SmartConsole.
n Run command line scripts on the Security Gateway.
Output from the commands shows in the Recent Tasks window.

Double-click the task to see the complete output.

n Receive notification on local device configuration change
The Status column in the Gateways view indicates changes in the device configuration
n Implement configuration changes without a full policy install (Push Settings to Device action)
n Automate the configuration of Cloning Groups and synchronization between the members

Managing Gaia in SmartConsole

After enabling Central management, Gaia Security Gateways can be more effectively managed through
SmartConsole.
Running Command Scripts

One Time scripts
You can manually enter and run a command line script on the selected Gaia Security Gateways.
This feature is useful for scripts that you do not have to run on a regular basis.
To run a one-time script
Step Description
1 Right-click the Security Gateway.
2 Select Scripts > Run One Time Script.
3 The Run One Time Script window opens

You can:
n Enter the command in the Script Body text box and specify script
arguments, or
n Load the complete command from a text file
Notes:
l By default, the maximum size of a script is: 8 kilobytes.
l This value can be changed in SmartConsole > Main
application menu > Global properties > Advanced >

Configure > Central Device Management > device_
settings_max_script_length_in_KB.
4 Click Run.
The output from the script shows in the Tasks tab > Results column.
n Double-clicking the task shows the output in a larger window

n You can also right-click the task, and select View, and then Copy to
Clipboard
Notes:
l The Run One Time Script window does not support
interactive or continuous scripts. To run interactive or

continuous scripts, open a command shell.
l If the Security Gateways are not part of a Cloning Group,
you can run a script on multiple Security Gateways at the

same time.

To run a Repository script
Step Description
2 Select Scripts > Run Repository Script.
3 The Select Script window opens.

You can:
n Select a script from the drop-down box, or click New to create a new script for the
repository.
n Enter script arguments.
Note - The Select Script window does not support interactive or continuous
scripts. To run interactive or continuous scripts, open a command shell.
4 Click Run.
The output from the script shows in the Tasks tab > Results column.
n Placing the mouse in the Details column shows the output in a larger window.
n You can also right-click, and select View, or Copy to Clipboard.
Manage repository scripts

You can create new scripts, edit or delete scripts from the script repository.
To manage scripts
Step Description
2 Select Scripts > Manage Script Repository .
3 The Manage Scripts window opens.
Note - You can also run and manage scripts if you click Scripts in the Gateways view.

Understanding One-Time Scripts

If you specify a script:
n By default, the maximum size of a script is: 8 kB.
n The output from the script shows in the Tasks tab at the bottom of the Gateways & Servers view.
n The Run One Time Script window does not support interactive or continuous scripts. To run
interactive or continuous scripts, open a command shell.
Running Repository Scripts

You can run a predefined script from the script repository.
To run a script from the repository
Step Description
1 In the Gateways & Servers view, right-click the Security Gateways or Security Management
Servers, on which you want to run scripts.
2 Select Scripts > Scripts Repository .

The Scripts Repository window opens.
3 Do one of these steps:

n Select an existing script from the list, click Run, enter Arguments if needed, and click
Run.
n Click New to create a new script for the repository, or load it from a text file. Click OK.
The output from the script shows in the Tasks tab at the bottom of the Gateways & Servers view.
Notes:
n The Scripts Repository window does not support interactive or continuous
scripts. To run interactive or continuous scripts, open a command shell.
n You can run the script on multiple Security Gateways or Security
Management Servers at the same time.
n For a cluster object, the script will run automatically on all cluster members.
Backup and Restore

These options let you:
n Back up the Gaia OS configuration and the Firewall database to a compressed file
n Restore the Gaia OS configuration and the Firewall database from a compressed file
Best Practice - We recommended using System Backup to back up your system

regularly. Schedule system backups on a regular basis, daily or weekly, to preserve the
Gaia OS configuration and Firewall database.

Backing up the System
Note - After you install the Security Gateway for the first time, you must publish the
SmartConsole session before you perform a system backup operation.
To back up the system
Step Description
1 In the Gateways & Servers view, right-click the Security Gateway object you want to back
up.
2 Select Actions > System Backup.

The System Backup window opens.
3 Select the backup location. Use one of these options:

n The Backup server defined for this gateway - To define a backup server for this
Security Gateway, double-click the Security Gateway object, and click Network
Management > System Backup
n Enter the details of the backup server
Note - The path to the backup directory must start and end with forward slash (/)
character. For example: /ftroot/backup/, or just / for the root directory of the
server.
The file name must be according to this convention:
backup_<Name of Security Gateway object>_<Date of Backup>.tgz
4 Click OK.
The status of the backup operation shows in Tasks .
5 When the task is complete, double-click the entry to see the file path and name of the backup
file.
Notes:
n This name is necessary to do a system restore.
n You can do backup on multiple Security Gateways at the same time.
n When you back up a cluster, the system does backup on all members.

Restoring the System

To restore the system
Step Description
1 In the Gateways & Servers view, right-click the Security Gateway object you want to
restore.
2 Select Actions > System Restore.

The System Restore window opens.
3 Enter the required information.

Note - If you cannot find the name of the file in Tasks , or did not save the file name
after you completed the backup process:
a. Right-click the Security Gateway object.
b. Select Actions > Open Shell .
c. On the Security Gateway, run the Gaia Clish command:
show backup logs
d. Find the name of the compressed backup file.
The file is named according to this convention:
backup_<Name of Security Gateway object>_<Date of
Backup>.tgz
4 Click OK.
a. Connectivity to the Security Gateway is lost.
b. The Security Gateway automatically reboots.
5 Install the policy on the Security Gateway object.

The status of the restore operation shows in Tasks tab.

Opening Gaia Portal and Gaia Clish

In SmartConsole, you can open a Security Gateway's the command line window, or the Gaia Portal. You
can select the command line or the Gaia Portal from the right-click menu of a Security Gateway object, or
from the top toolbar > Actions button.
To open a command line window on the Security Gateway
Step Description
1 In SmartConsole, right-click the Security Gateway object.
2 Select Actions > Open Shell .
n Log in with your Gaia credentials.

n The Open Shell uses public key authentication.
n For a cluster object, select the member, to which you want to connect.
A command line window opens with default shell that was configured for the specified user.
To open a Security Gateway Gaia Portal
Step Description
1 In SmartConsole, right-click the Security Gateway object.
2 Select Actions > Gaia Portal .
Note - For a cluster, select the cluster member, for which you want to
open the Gaia Portal.
The Gaia Portal opens in the default web browser.

The URL is taken from the Platform Portal page of the Security Gateway object.

Network Management
Network Management
This chapter includes configuration procedures for:
n Interfaces (Physical, VLAN, Bond, Bridge, Loopback, VTI, Alias)
n ARP
n DHCP Server
n Hosts
n DNS
n Static Routes
n NetFlow Export

Network Interfaces
Network Interfaces
Gaia supports these network interface types:
n Ethernet physical interfaces
n Alias (Secondary IP addresses for different interface types. This is not supported in ClusterXL.)
n VLAN
n Bond
n Bridge
n Loopback
n 6in4 tunnel
n PPPoE
Note - When you add, delete or make changes to interface IP addresses, it is possible
that when you use the Get Topology option in SmartConsole in the Security Gateway
or Cluster object, the incorrect topology is shown. If this occurs, run the "cpstop" and
then the "cpstart" commands on the Security Gateway or Cluster Members.

Physical Interfaces
Physical Interfaces
In This Section:
Configuring Physical Interfaces in Gaia Portal 87

Configuring Physical Interfaces in Gaia Clish 88
This section has configuration procedures and examples for defining different types of interfaces on a Gaia
platform.
Gaia automatically identifies physical interfaces (NICs) installed on the computer.
You cannot add or delete a physical interface in the Gaia Portal or Gaia Clish.
You cannot add, change or remove physical interface cards while the Gaia computer is running.
To add or remove an interface card
Step Description
1 Turn off the Gaia computer:

n In Gaia Portal:
Click Maintenance > Shut Down, and
click Halt
n In Gaia Clish:
Run: halt
2 Add, remove, or replace the interface cards.
3 Turn on the Gaia computer.
Gaia automatically identifies the new or changed physical interfaces and assigns an interface name.
The physical interfaces show in the list in the Gaia Portal.

Physical Interfaces
Configuring Physical Interfaces in Gaia Portal

This section includes procedures for changing physical interface parameters in the Gaia Portal.
Note - There are settings that you can configure only in Gaia Clish.
To configure a physical interface
Step Description
1 In the navigation tree, click Network Management > Network Interfaces .
2 Select an interface from the list and click Edit.
3 Select the Enable option to set the interface status to UP.
4 In the Comment field, enter the applicable comment text (up to 100 characters).
5 On the IPv4 tab, do one of these:
n Select Obtain IPv4 address automatically to get the IPv4 address from the DHCPv4
server.
n Enter the IPv4 address and subnet mask in the applicable fields.
6 On the IPv6 tab (optional), do one of these:
n Select Obtain IPv6 address automatically to get the IPv6 address from the DHCPv6
server.
n Enter the IPv6 address and mask length in the applicable fields.
Important - First, you must enable the IPv6 Support and reboot (see "System
Configuration" on page 278). R81 does not support IPv6 Address on Gaia
Management Interface (Known Limitation 01622840).
7 On the Ethernet tab:
n Select Auto Negotiation, or select a link speed and duplex setting from the list.
n In the Hardware Address field, enter the Hardware MAC address (if not automatically
received from the NIC).
Caution - Do not manually change the MAC address unless you are sure that it is
incorrect or has changed. An incorrect MAC address can lead to a communication
failure.
n In the MTU field, enter the applicable Maximum Transmission Unit (MTU) value
(minimal value is 68, maximal value is 16000, and default value is 1500).
n Select Monitor Mode, if needed.
For configuration procedure, see the R81 Installation and Upgrade Guide > Chapter
Special Scenarios for Security Gateways > Section Deploying a Security Gateway in
Monitor Mode.
8 Click OK.

Physical Interfaces
Configuring Physical Interfaces in Gaia Clish
Syntax
To configure an interface
set interface <Name of Physical Interface>
auto-negotiation {on | off}
comments "Text"
ipv4-address <IPv4 Address> {subnet-mask <Mask> | mask-length
<Mask Length>}
ipv6-address <IPv6 Address> mask-length <Mask Length>
ipv6-autoconfig {on | off}
link-speed {10M/half | 10M/full | 100M/half | 100M/full |
1000M/full | 10000M/full}
mac-addr <MAC Address>
monitor-mode {on | off}
mtu <68-16000 | 1280-16000>
rx-ringsize <0-4096>
state {on | off}
tx-ringsize <0-4096>
To show all configured settings of all interfaces

show interfaces all
To show all configured settings of a specific interface

show interface <Name of Physical Interface>
To show the specific configured setting of a specific interface

show interface <Name of Physical Interface><SPACE><TAB>
Important - After you add, configure, or delete features, run the "save config"
command to save the settings permanently.
Parameters
CLI Parameters
interface <Name of Specifies a physical interface.

Physical Interface>
auto-negotiation {on | Configures automatic negotiation of interface link speed

off} and duplex settings:
n on - Enabled
n off - Disabled

Physical Interfaces
comments "Text" Configures an optional free text comment.

n Write the text in double-quotes.
n Text must be up to 100 characters.
n This comment appears in the Gaia Portal and in the
output of the "show configuration" command.
ipv4-address <IPv4 Configures the IPv4 address.

Address>

Address> Important - First, you must enable the IPv6
Support and reboot (see "System Configuration"
on page 278). R81 does not support IPv6
Address on Gaia Management Interface (Known
Limitation 01622840).
subnet-mask <Mask> Configures the IPv4 subnet mask using dotted decimal
notation (X.X.X.X).
mask-length <Mask Length> Configures the IPv4 or IPv6 subnet mask length using the
CIDR notation (integer between 2 and 32).
ipv6-autoconfig {on | off} Configures if this interface gets an IPv6 address from a
DHCPv6 Server:
n on - Gets an IPv6 address from a DHCPv6 Server
n off - Does not get an IPv6 address from a DHCPv6
Server (you must assign it manually)
Important - First, you must enable the IPv6

Support and reboot (see "System Configuration"
on page 278).
link-speed {10M/half | Configures the interface link speed and duplex status.
10M/full | 100M/half | Available speed and duplex combinations are:
100M/full | 1000M/full |
n 10M/half
1000M/full}
n 10M/full
n 100M/half
n 100M/full
n 1000M/full
n 10000M/full
mac-addr <MAC Address> Configures the hardware MAC address.

Physical Interfaces
monitor-mode {on | off} Configures Monitor Mode on this interface:

n on - Enabled
n off - Disabled
Default: off
For configuration procedure, see the R81 Installation and
Upgrade Guide > Chapter Special Scenarios for Security
Gateways > Section Deploying a Security Gateway in
Monitor Mode.
mtu <68-16000 | 1280- Configures the Maximum Transmission Unit size for an
16000> interface.
For IPv4:
n Range: 68 - 16000 bytes
n Default: 1500 bytes
For IPv6:
rx-ringsize <0-4096> Configures the receive buffer size.

n Default: Depends on the interface driver
state {on | off} Configures the interface state:

n on - Enabled
n off - Disabled
tx-ringsize <0-4096> Configures the transmit buffer size.

Example
gaia> set interface eth2 ipv4-address 40.40.40.1 subnet-mask
255.255.255.0
gaia> set interface eth2 mtu 1400
gaia> set interface eth2 state on
gaia> set interface eth2 link-speed 100M/full

Aliases
Aliases
In This Section:
Configuring Aliases in Gaia Portal 91

Configuring Aliases in Gaia Clish 92
This section shows you how to configure an alias in the Gaia Portal and Gaia Clish.
Interface aliases let you assign more than one IPv4 address to physical or virtual interfaces (Bonds,
Bridges, VLANs, and Loopbacks).
Notes:
n ClusterXL does not support aliases.
n You cannot change settings of an existing
interface alias.
Configuring Aliases in Gaia Portal

To add an interface alias
Step Description
2 Click Add > Alias .
3 On the IPv4 tab, enter the IPv4 address and subnet mask.
4 On the Alias tab, select the applicable interface, to which this alias is assigned.
5 Click OK.
Note - The new alias interface name is automatically created by adding a sequence
number to the interface name. For example, the name of first alias added to eth1 is
eth1:1. The second alias added is eth1:2, and so on.
To delete an interface alias
Step Description
2 Select an interface alias and click Delete.
3 Click OK, when the confirmation message shows.

Aliases
Configuring Aliases in Gaia Clish
Syntax
To add an alias
add interface <Name of Interface> alias <IPv4 Address>/<Mask Length>
Note - A new alias interface name is automatically created by adding a sequence

number to the original interface name. For example, the name of first alias added to
eth1 is eth1:1. The second alias added is eth1:2, and so on.
To see the configured aliases

show interface <Name of Interface> aliases
To delete an alias
delete interface <Name of Interface> alias <Name of Alias Interface>
Parameters
CLI Parameters
<Name of Specifies the name of the interface, on which to create an alias IPv4
Interface> address
<IPv4 Address> Assigns the alias IPv4 address
<Mask Length> Configures alias IPv4 subnet mask length using the CIDR notation (integer
between 2 and 32)
<Name of Alias Specifies the name of the alias interface in the format <IF>:XX, where XX
Interface> is the automatically assigned sequence number
Example
gaia> add interface eth1 alias 10.10.99.1/24
gaia> show interface eth1 aliases
gaia> delete interface eth1 alias eth1:2

VLAN Interfaces
VLAN Interfaces
In This Section:
Configuring VLAN Interfaces in Gaia Portal 94

Configuring VLAN Interfaces in Gaia Clish 96
Access Mode VLAN and Trunk Mode VLAN 99
This section shows you how to configure VLAN interfaces in the Gaia Portal and Gaia Clish.
You can configure virtual LAN (VLAN) interfaces on Ethernet interfaces.
VLAN interfaces let you configure subnets with a secure private link to Security Gateways and
Management Servers using your existing topology.
With VLAN interfaces, you can multiplex Ethernet traffic into many channels using one cable.
Important - In a Cluster, you must configure all the Cluster Members in the same way.
Notes:
n The name of a VLAN interface in Gaia is "<Name of Physical
Interface>.<VLAN ID>".
For example, the name of a VLAN interface with a VLAN ID of 5 on a physical
interface eth1 is "eth1.5".
n The VLAN tunnel is not secure, because it is not encrypted.

VLAN Interfaces
Configuring VLAN Interfaces in Gaia Portal

To add a VLAN interface
Step Description
2 Make sure that the physical interface, on which you add a VLAN interface, does not have an
IP address.
3 Click Add > VLAN.
4 In the Add VLAN window, select the Enable option to set the VLAN interface to UP.
You can optionally select the Obtain IPv4 address automatically option.
6 Optional: On the IPv6 tab, enter the IPv6 address and mask length.
Configuration" on page 278).
7 On the VLAN tab, enter or select a VLAN ID (VLAN tag) between 2 and 4094.
8 In the Member Of field, select the applicable physical interface.
9 Click OK.
To edit a VLAN interface
Step Description
2 Select a VLAN interface and click Edit.
3 Configure the applicable settings.
4 Click OK.
Note - You cannot change the VLAN ID or physical interface for an existing VLAN
interface. To change these parameters, delete the VLAN interface and then create
a new VLAN interface.

VLAN Interfaces
To delete a VLAN interface
Step Description
2 Select a VLAN interface and click Delete.

VLAN Interfaces
Configuring VLAN Interfaces in Gaia Clish
Important - Make sure that the physical interface, on which you wish to add a VLAN
interface, does not have an IP address.
Syntax
To add a new VLAN interface

add interface <Name of Physical Interface> vlan <VLAN ID>
To configure a VLAN interface

set interface <Name of Physical Interface>.<VLAN ID>
comments "Text"
ipv4-address <IPv4 Address>
subnet-mask <Mask>
mask-length <Mask Length>
mtu <68-16000 | 1280-16000>
state {on | off}
Note - You cannot change the VLAN ID or physical interface for an existing VLAN
interface. To change these parameters, delete the VLAN interface and then create
a new VLAN interface.
To show the configuration of a specific VLAN interface

show interface<SPACE><TAB>
show interface <Name of VLAN Interface>

delete interface <Name of Physical Interface> vlan <VLAN ID>
Parameters
CLI Parameters
<Name of Physical Specifies a physical interface.

Interface>

VLAN Interfaces
comments "Text" Defines the optional comment.

n This comment appears in the Gaia Portal and in the output of the
"show configuration" command.
<VLAN ID> Configures the ID of the VLAN interface (integer between 2 and 4094).
<IPv4 Address> Assigns the IPv4 address.
Important - First, you must enable the IPv6 Support and

reboot (see "System Configuration" on page 278).
subnet-mask <Mask> Configures the IPv4 subnet mask using the dotted decimal notation
(X.X.X.X) - integer between 2 and 32..
mask-length <Mask Configures the IPv6 subnet mask length using CIDR notation (/xx) -
Length> integer between 1 and 128.
ipv6-autoconfig Configures if this interface gets an IPv6 address from a DHCPv6

{on | off} Server:
n off - Does not get an IPv6 address from a DHCPv6 Server (you
must assign it manually)

mtu <68-16000 | Configures the Maximum Transmission Unit size for an interface.
1280-16000> For IPv4:
For IPv6:
state {on | off} Configures interface's state:

n on - Enabled
n off - Disabled

VLAN Interfaces
Example
gaia> add interface vlan eth1
gaia> set interface eth1.99 ipv4-address 99.99.99.1 subnet-mask
255.255.255.0
gaia> set interface eth1.99 ipv6-address 209:99:1 mask-length 64
gaia> delete interface eth1 vlan 99

VLAN Interfaces
Access Mode VLAN and Trunk Mode VLAN

VLAN traffic can pass through a Bridge interface in one of these modes:
Access Mode VLAN
If you configure the switch ports in Access Mode, create the Bridge interface with two VLAN interfaces
as its slaves.
For VLAN translation, use different numbered VLAN interfaces to create the Bridge interface.
You can build multiple VLAN translation bridges on the same Security Gateway.
1. Configure two VLAN interfaces.
2. Create a Bridge interface and select the VLAN interfaces as its slaves (see "Bridge Interfaces" on
page 126).
Note - VLAN translation is not supported over bridged ports of a FONIC (Fail-Open
NIC, see sk85560).
Example topology:
Item Description
1 Security Gateway
2 Switch
3 Access mode bridge 1 with VLAN translation

VLAN Interfaces
Item Description
4 Access mode bridge 2 with VLAN translation
5 VLAN 3 (eth 1.3)
6 VLAN 33 (eth 2.33)
7 VLAN 2 (eth 1.2)
8 VLAN 22 (eth 2.22)
Trunk Mode VLAN
If you configure the switch ports as VLAN trunk, the Check Point Bridge interface should not interfere
with the VLANs.
To configure a Bridge interface with VLAN trunk, create the Bridge interface with two physical (non-
VLAN) interfaces as its slaves (see "Bridge Interfaces" on page 126).
The Security Gateway processes the tagged packet and does not remove VLAN tags from them.
The traffic passes with the original VLAN tag to its destination.
Note - VLAN translation is not supported in Trunk mode.

VXLAN Interfaces
VXLAN Interfaces
In This Section:
Configuring VXLAN Interfaces in Gaia Portal 101

Configuring VXLAN Interfaces in Gaia Clish 104
Configuring VXLAN Interfaces on Cluster Members 107
This section shows you how to configure VXLAN interfaces in the Gaia Portal and Gaia Clish.
Virtual Extensible LAN (VXLAN) is a network virtualization technology that attempts to address the
scalability problems associated with large cloud computing deployments. VXLAN uses a VLAN-like
encapsulation technique to encapsulate OSI Layer 2 Ethernet frames within Layer 4 UDP datagrams. See
RFC 7348.
Notes:
n The name of a VXLAN interface in Gaia is "vxlan<VNI>".
For example, the name of a VXLAN interface with a VXLAN VNI of 5 is
"vxlan5".
n The VXLAN tunnel is not secure, because it is not encrypted.
Warning - By default, SecureXL does not accelerate traffic over a VXLAN tunnel.
n If you configure SecureXL to accelerate such traffic, the Firewall only inspects
the payload of VXLAN packets (it does not inspect the VXLAN data).
n To configure SecureXL to accelerate such traffic, set the value of the SecureXL
kernel parameter sim_enable_vxlan to 1 (one) in the
$PPKDIR/conf/simkern.conf file and reboot.
For more information, see the R81 Performance Tuning Administration Guide >
Chapter Working with Kernel Parameters on Security Gateway > Section
SecureXL Kernel Parameters.
Configuring VXLAN Interfaces in Gaia Portal

To add a VXLAN interface
Step Description
2 Click Add > VXLAN.
3 In the Add VXLAN window, select the Enable option to set the VXLAN interface to UP.
4 On the IPv4 tab, enter the local IPv4 address and subnet mask for the VXLAN interface.
You can optionally select the Obtain IPv4 Address automatically option.

VXLAN Interfaces
Step Description
5 Optional: On the IPv6 tab, enter the local IPv6 address and mask length for the VXLAN
interface.
6 On the VXLAN Tunnel tab:
a. In the VXLAN VNI field, enter or select the VXLAN Network Identifier (or VXLAN
Segment ID) between 1 and 16,777,215.
Important - This value must be the same on the VXLAN peers.
b. In the Member Of field, select the physical interface related to this VXLAN.
c. In the Local Address field, enter the IPv4 address of the applicable local physical
interface.
d. In the Remote Address field, enter the IPv4 address of the applicable physical
interface on the remote VXLAN peer.
e. In the DST Port field, enter or select the destination UDP port number between 1 and
65535 (default is 4789 - see IANA Service Name and Port Number Registry).
Important - This value must be the same on the VXLAN peers.
Best Practice - Use the default UDP port 4789.
7 Click OK.

VXLAN Interfaces
Example
Security Gateway "GW1" and Security Gateway "GW2" create a VXLAN.
[GW1] (physical interface eth1) (VXLAN interface) <==>

<==> (Internet) <==>
<==> (VXLAN interface) (physical interface eth2 [GW2]
The VXLAN interface configuration on these VXLAN peers:
Setting Security Gateway "GW1" Security Gateway "GW2"
Local physical interface eth1 with IPv4 10.10.10.11 / 24 eth2 with IPv4 172.30.40.22 / 24
(VXLAN) IPv4 Address 192.168.10.11 / 24 192.168.10.22 / 24
VXLAN VNI 33 33
Member Of eth1 eth2
Local Address 10.10.10.11 172.30.40.22
Remote Address 172.30.40.22 10.10.10.11
To edit a VXLAN interface
Step Description
2 Select a VXLAN interface and click Edit.
4 Click OK.
Note - You cannot change the VXLAN VNI, physical interface, local address, or
remote address for an existing VXLAN interface. To change these parameters,
delete the VXLAN interface and then create a new VXLAN interface.
To delete a VXLAN interface
Step Description
2 Select a VXLAN interface and click Delete.

VXLAN Interfaces
Configuring VXLAN Interfaces in Gaia Clish
Syntax
To add a VXLAN interface

add vxlan id <VXLAN VNI> dev <Name of local physical interface>
remote <IPv4 address of physical interface on remote peer> local
<IPv4 address of local physical interface> dstport <Destination UDP
port>
To configure a VXLAN interface

set vxlan id <VXLAN VNI>
comments "Text"
dev <Name of local physical interface>
dstport <Destination UDP port>
local <IPv4 address of local physical interface>
remote <IPv4 address of physical interface on remote peer>
set interface vxlan id <VXLAN VNI> state {on | off}
Note - You cannot change the VXLAN VNI, physical interface (dev), local address,
or remote address for an existing VXLAN interface. To change these parameters,
delete the VXLAN interface and then create a new VXLAN interface.
To show the configuration of a specific VXLAN interface

show vxlan id<SPACE><TAB>
show vxlan id <VXLAN ID>
To delete a VXLAN interface

set interface vxlan id <VXLAN VNI> state off
delete vxlan id <VXLAN VNI>

VXLAN Interfaces
CLI Parameters
id <VXLAN VNI> Configures the VXLAN Network Identifier (or VXLAN

Segment ID) of the VXLAN interface (integer between 1 and
16,777,215).
Important - This value must be the same on the

VXLAN peers.

n This comment appears in the Gaia Portal and in the
output of the "show configuration" command.
dev <Name of local Specifies a local physical interface.

physical interface>
dstport <Destination UDP Specifies the destination UDP port number between 1 and
port> 65535 (default is 4789 - see IANA Service Name and Port
Number Registry).
Important - This value must be the same on the

VXLAN peers.
Best Practice - Use the default UDP port 4789.
local <IPv4 address of Specifies the IPv4 address of the applicable local physical
local physical interface> interface.
remote <IPv4 address of Specifies the IPv4 address of the applicable physical
physical interface on interface on the remote VXLAN peer.
remote peer>

n on - Enabled
n off - Disabled

VXLAN Interfaces
Example
Security Gateway "GW1" and Security Gateway "GW2" create a VXLAN.
[GW1] (physical interface eth1) (VXLAN interface) <==>

<==> (Internet) <==>
<==> (VXLAN interface) (physical interface eth2 [GW2]
The VXLAN interface configuration on these VXLAN peers:
(VXLAN) IPv4 Address 192.168.10.11 / 24 192.168.10.22 / 24
VXLAN VNI 33 33
Dev (Member Of) eth1 eth2
Local Address 10.10.10.11 172.30.40.22
Remote Address 172.30.40.22 10.10.10.11
The VXLAN interface configuration on the Security Gateway "GW1":
gaia1> add vxlan id 33 dev eth1 remote 172.30.40.22 local

10.10.10.11 dstport 4789
The VXLAN interface configuration on the Security Gateway "GW2":
gaia2> add vxlan id 33 dev eth2 remote 10.10.10.11 local

172.30.40.22 dstport 4789

VXLAN Interfaces
Configuring VXLAN Interfaces on Cluster Members

For more information, see the R81 ClusterXL Administration Guide.
In Cluster, you have these options:
To use a VXLAN interface as a cluster interface with a Virtual IP address
1. Configure a VXLAN interface on all the Cluster Members.

You must configure the same VXLAN VNI and Remote Address on each Cluster Member.
2. Connect with SmartConsole to the Management Server.
3. From the left navigation panel, click Gateways & Servers .
4. Double-click the cluster object.
5. From the left tree, click Network Management.
6. From the toolbar, click Get Interfaces > Get Interfaces With Topology and confirm.
Make sure you see the new VXLAN interface from each Cluster Member.
7. Select the new VXLAN interface and click Edit.
8. From the left tree, click the General page.
9. In the General section, in the Network Type field, select Cluster.
10. In the IPv4 field, configure the applicable cluster Virtual IP address.
11. In the Member IPs section, make sure the IPv4 address and its Net Mask are correct on each
Cluster Member.
12. Click OK.
13. Publish the SmartConsole session.
14. Install the Access Control Policy on this cluster object.
To use a VXLAN interface only on a specific Cluster Member
1. Configure a VXLAN interface on a specific Cluster Member.

Make sure you see the new VXLAN interface from the specific Cluster Member, on which you
configured it.
7. Select the new VXLAN interface and click Edit.
9. In the General section, in the Network Type field, select Private.

VXLAN Interfaces
10. Click OK.


Bond Interfaces (Link Aggregation)

Check Point security devices support Link Aggregation, a technology that joins multiple physical interfaces
into one virtual interface, known as a bond interface.
The bond interface share the load among many interfaces, which gives fault tolerance and increases
throughput. Check Point devices support the IEEE 802.3ad Link Aggregation Control Protocol (LCAP) for
dynamic link aggregation.
Item Description
1 Security Gateway
1A Interface 1
1B Interface 2
2 Bond Interface
3 Router
A bond interface (also known as a bonding group or bond) is identified by its Bond ID (for example:
bond1) and is assigned an IP address. The physical interfaces included in the bond are called slaves and
do not have IP addresses.

You can configure a bond interface to use one of these functional strategies:
n High Availability (Active/Backup): Gives redundancy when there is an interface or a link failure.
This strategy also supports switch redundancy. Bond High Availability works in Active/Backup
mode - interface Active/Standby mode. When an Active slave interface is down, the connection
automatically fails over to the primary slave interface. If the primary slave interface is not available,
the connection fails over to a different slave interface.
n Load Sharing (Active/Active): All slave interfaces in the UP state are used simultaneously. Traffic is
distributed among the slave interfaces to maximize throughput. Bond Load Sharing does not
support switch redundancy.
Note - Bonding Load Sharing mode requires SecureXL to be enabled on

Security Gateway or each Cluster Member.
You can configure Bond Load Sharing to use one of these modes:
l Round Robin - Selects the Active slave interfaces sequentially.
l 802.3ad (LACP) - Dynamically uses Active slave interfaces to share the traffic load. This
mode uses the LACP protocol, which fully monitors the interface link between the Check Point
Security Gateway and a switch.
l XOR - All slave interfaces in the UP state are Active for Load Sharing. Traffic is assigned to
Active slave interfaces based on the transmit hash policy: Layer 2 information (XOR of
hardware MAC addresses), or Layer 3+4 information (IP addresses and Ports).
For Bonding High Availability mode and for Bonding Load Sharing mode:
n The number of bond interfaces that can be defined is limited by the maximal number of interfaces
supported by each platform. See the R81 Release Notes.
n Up to 8 physical slave interfaces can be configured in a single bond interface.

Configuring Bond Interfaces in Gaia Portal
Step Description
2 Make sure that the slave interfaces, which you wish to add to the Bond interface, do not have IP
addresses.
3 For a new bond interface, select Add > Bond.

To edit an existing Bond interface, select the Bond interface and click Edit.
5 On the IPv6 tab (optional), enter the IPv6 address and mask length.
6 On the Bond tab:
a. Select or enter a Bond Group ID. This parameter is an integer between 0 and 1024.
b. Select the slave interfaces from the Available Interfaces list and then click Add.
Note - Make sure that the slave interfaces do not have any IP addresses or
aliases configured.
c. Select an Operation Mode:

n Round Robin (default) - Bond uses all slave interfaces sequentially (High
Availability + Load Sharing).
n Active-Backup - Bond uses one slave interface at a time (High Availability).
n XOR - Bond uses slave interfaces based on a hash function (High Availability +
Load Sharing).
n 802.3ad - Dynamic bonding according to IEEE 802.3ad (Load Sharing).
7 On the Advanced tab:
a. Configure the required MTU for your network (if not sure, leave the default value).
b. Configure the Monitor Interval - How much time to wait between checking each slave
interface for link-failure. The valid range is 1-5000 ms. The default is 100 ms.
c. Configure the Down Delay - How much time to wait, after sending a monitor request to a
slave interface, before bringing down the slave interface. The valid range is 1-5000 ms.
The default is 200 ms.
d. Configure the Up Delay - How much time to wait, after sending a monitor request to a
slave interface, before bringing up the slave interface. The valid range is 1-5000 ms. The
default is 200 ms.

Step Description
8 Additional configuration settings are available depending on the selected Bond Operation
Mode:
n If you selected the Round Robin bond operation mode, then there are no additional
configuration settings.
n If you selected the Active-Backup bond operation mode, then select the Primary
Interface.
By default, the first slave interface added to the bond group, becomes the primary.
Important - You must not configure the primary slave explicitly in ClusterXL
when you configure the Sync interface on a bonding group for redundancy. For
more information, see the R81 ClusterXL Administration Guide > Chapter
ClusterXL Requirements and Compatibility > Section Supported Topologies
for Synchronization Network.
n If you selected the XOR bond operation mode, then select the Transmit Hash Policy -
the algorithm for slave interface selection according to the specified TCP/IP Layer.
Select either Layer 2 (uses XOR of the physical interface MAC address), or Layer 3+4
(uses Layer 3 and Layer 4 protocol data).
n If you selected the 802.3ad bond operation mode, then perform these two steps:
a. Select the Transmit Hash Policy - the algorithm for slave interface selection
according to the specified TCP/IP Layer.
Select either Layer 2 (uses XOR of the physical interface MAC address), or Layer
3+4 (uses IP addresses and Ports).
b. Select the LACP Rate - how frequently the LACP partner should transmit
LACPDUs.
Select either Slow (every thirty seconds), or Fast (every one second).
9 Click OK.
Note - The name of a Bond interface in Gaia is "bond<Bond Group ID>". For
example, the name of a bond interface with a Bond Group ID of 5 is "bond5".

Configuring Bond Interfaces in Gaia Clish

In Gaia Clish, bond interfaces are called bonding groups .
Step Description
1 Make sure that the physical slave interfaces do not have IP addresses.
2 Add a new bonding group.
3 Set the state of the physical slave interfaces to UP.
4 Add slave interfaces to the bonding group.
5 Configure the bond operating mode.
6 Configure other bond parameters: primary interface, media monitoring, and delay rate.
7 Examine the bonding group configuration.
8 Save the configuration.
Note - You configure an IP address on a Bonding Group in the same way as you do on
a physical interface (see "Physical Interfaces" on page 86).
Syntax
To add a new Bonding Group
Syntax
add bonding group <Bond Group ID>
Example
gaia> add bonding group 777
Note - Do not change the state of bond interface manually using the "set
interface <Bond ID> state" command. This is done automatically by the
bonding driver.

To add a new slave interface to an existing Bonding Group
Syntax
add bonding group <Bond Group ID> interface <Name of Slave

Interface>
Important - Make sure that the slave interfaces, which you wish to add to the
Bonding Group, do not have IP addresses.
Example
gaia> add bonding group 777 interface eth4

Notes:
n The slave interfaces must not have IP addresses assigned to
them.
n The slave interfaces must not have aliases assigned to them.
n A bond interface can contain between two and eight slave
interfaces.
To configure an existing Bonding Group
Syntax
set bonding group <Bond Group ID>

mode active-backup [primary <Name of Slave Interface>]
mode round-robin
mode xor xmit-hash-policy {layer2 | layer3+4}
mode 8023AD
[lacp-rate {slow | fast}]
[xmit-hash-policy {layer2 | layer3+4}]
[up-delay <0-5000>]
[down-delay <0-5000>]

Configuring the Bond Operating Mode
Bond operating mode specifies how slave interfaces are used in a bond interface.
Syntax
set bonding group <Bond Group ID> mode

active-backup [primary <Name of Slave Interface>]
round-robin
xor xmit-hash-policy {layer2 | layer3+4}
8023AD
[lacp-rate {slow | fast}]
[xmit-hash-policy {layer2 | layer3+4}]
Example
gaia> set bonding group 1 mode active-backup primary eth2

gaia> set bonding group 2 mode xor xmit-hash-policy layer3+4
Notes:
n The Active-Backup mode supports configuration of the primary slave
interface.
n The XOR mode requires the configuration of the transmit hash policy.
n The 8023AD mode supports the configuration of the LACP packet
transmission rate and the transmit hash policy.
Configuring the Up Delay Time
The Up-Delay specifies show much time in milliseconds to wait before enabling a slave after link
recovery was detected.
Syntax
set bonding group <Bond Group ID> up-delay <0-5000>
Example
gaia> set bonding group 1 up-delay 100
Note - The default up-interval value is 200 ms.

Configuring the Down Delay Time
The Down-Delay specifies how much time in milliseconds to wait before disabling a slave after link
failure was detected
Syntax
set bonding group <Bond Group ID> down-delay <0-5000>
Example
gaia> set bonding group 1 down-delay 100
Note - The default down-interval value is 200 ms.
To delete a slave interface from an existing Bonding Group
Syntax
delete bonding group <Bond Group ID> [interface <Interface Name> |

force-ignore-routes]
Example
gaia> delete bonding group 777 interface eth4
Note - You must delete all non-primary slave interfaces before you remove the
primary slave interface.

To delete the bonding group
Syntax
delete bonding group <Bond Group ID> interface <Name of Slave

Interface 1>
Interface 2>
Interface ...>
Interface N>
delete bonding group <Bond Group ID>
Example
gaia> delete bonding group 777

Notes:
n You must delete all non-primary slave interfaces before you remove the
primary slave interface.
n You must delete all slave interfaces from the bonding group before you
remove the bonding group.
n Do not change the state of bond interface manually using the "set
interface bondID state" command. This is done automatically by the
bonding driver.
To show the Bonding Group configuration
Syntax
show bonding {group <Bond Group ID> | groups}
Parameters
CLI Parameters
<Bond Group ID> Configures the Bond Group ID.

n Range: 0 - 1024
n Default: No default value
<Name of Slave Specifies the name of the slave physical interface, which you
Interface> add to (or remove from) the bond group.
Make sure that the slave interfaces do not have any IP
addresses or aliases configured.

mode <Mode> Configures the Bond operating mode (see "Bond Interfaces
(Link Aggregation)" on page 109):
n round-robin
Bond uses all slave interfaces sequentially (High
Availability + Load Sharing).
This is the default mode.
n active-backup
Bond uses one slave interface at a time (High Availability)
n xor
Bond uses slave interfaces based on a hash function
(High Availability + Load Sharing)
n 8023AD
Dynamic bonding according to IEEE 802.3ad - LACP
(Load Sharing)
primary <Name of Slave Specifies the name of the primary slave interface in the bond.
Interface> By default, the first slave interface added to the bond group,
becomes the primary.
Important - You must not configure the primary slave
explicitly in ClusterXL when you configure the Sync
interface on a bonding group for redundancy. For
more information, see the R81 ClusterXL
Administration Guide > Chapter ClusterXL
Requirements and Compatibility > Section Supported
Topologies for Synchronization Network.
Note - Applies only to the Active-Backup bond mode.
up-delay <0-5000> Specifies the time in milliseconds to wait before enabling a slave
after link recovery was detected.
n Range: 0 - 5000 ms
n Default: 200 ms
down-delay <0-5000> Specifies the time in milliseconds to wait before disabling a slave
after link failure was detected.
n Range: 0 - 5000 ms
n Default: 200 ms

lacp-rate {fast | Specifies the Link Aggregation Control Protocol (LACP) packet
slow} transmission rate:
n slow- LACPDU packets are sent every 30 seconds
n fast- LACPDU packets are sent every second
Note - Applies only to the 802.3AD bond mode.
xmit-hash-policy Specifies the algorithm to use for assigning the traffic to Active
{layer2 | layer3+4} slave interfaces:
n layer2 - Based on the XOR of hardware MAC
addresses
n layer3+4 - Based on the IP addresses and Ports
Note - Applies only to the XOR and the 802.3AD bond

modes.
Examples
Example 1 - Configuring Bond in "Active-Backup" mode with default settings

gaia> set bonding group 1 mode active-backup primary eth2
gaia> show bonding group 1
Bond Configuration
xmit-hash-policy Not configured
down-delay 200
primary eth2
lacp-rate Not configured
mode active-backup
up-delay 200
mii-interval 100
Bond Interfaces
eth2
eth3
gaia>

Example 2 - Configuring Bond in "XOR" mode with default settings

gaia> set bonding group 1 mode xor xmit-hash-policy layer3+4
gaia> show bonding group 1
Bond Configuration
xmit-hash-policy layer3+4
down-delay 200
primary Not configured
lacp-rate Not configured
mode xor
up-delay 200
mii-interval 100
Bond Interfaces
eth2
eth3
gaia>

Making Sure that Bond Interface is Working
Step Instructions
1 Connect to the command line on the Security Gateway or Cluster Member.
2 Log in to the Expert mode.
3 Examine the Bond interface state and configuration:

[Expert@Gaia:0]# cat /proc/net/bonding/<Bond
Group ID>
Example 1 - Output for Bond Operating Mode "Round Robin"

[Expert@Gaia:0]# cat /proc/net/bonding/bond1
Ethernet Channel Bonding Driver: v3.2.4 (January 28, 2008)
Bonding Mode: load balancing (round-robin)

MII Status: up
MII Polling Interval (ms): 100
Up Delay (ms): 200
Down Delay (ms): 200
Slave Interface: eth2

MII Status: up
Link Failure Count: 0
Permanent HW addr: 00:50:56:a3:73:69

MII Status: up
[Expert@Gaia:0]#

Example 2 - Output for Bond Operating Mode "Active-Backup"

Bonding Mode: fault-tolerance (active-backup)

Primary Slave: eth2
Currently Active Slave: eth2
MII Status: up
Up Delay (ms): 200

MII Status: up

MII Status: up
[Expert@Gaia:0]#
Example 3 - Output for Bond Operating Mode "XOR"

Bonding Mode: load balancing (xor)

Transmit Hash Policy: layer2 (0)
MII Status: up
Up Delay (ms): 200

MII Status: up

MII Status: up
[Expert@Gaia:0]#

Example 4 - Output for Bond Operating Mode "802.3ad" (LACP)

Bonding Mode: IEEE 802.3ad Dynamic link aggregation

Transmit Hash Policy: layer2 (0)
MII Status: up
Up Delay (ms): 200
802.3ad info
LACP rate: slow

MII Status: up
Aggregator ID: 1

MII Status: up
Aggregator ID: 1
[Expert@Gaia:0]#

Configuring Bond High Availability in VRRP Cluster

The R80.20 version introduced an improved Active/Backup Bond mechanism (Enhanced Bond) when
working in ClusterXL.
If you work with ClusterXL, the Enhanced Bond feature is enabled by default, and no additional
configuration is required.
If you change your cluster configuration from ClusterXL to VRRP (MCVR & VRRP), or configure the VRRP
(MCVR & VRRP) cluster from scratch, the Enhanced Bond feature is disabled by default.
If you change your cluster configuration from VRRP to ClusterXL, you must manually enable the Enhanced
Bond feature.
To enable the Enhanced Bond feature in VRRP Cluster, set the value of the kernel parameter fwha_
bond_enhanced_enable to 1 on each VRRP Cluster Member. You can set the value of the kernel
parameter temporarily, or permanently.
Setting the value of the kernel parameter temporarily
Important - This change does not survive reboot.
Step Description
1 Connect to the command line on each VRRP Cluster Member.
3 Set the value of the kernel parameter fwha_bond_enhanced_enable to 1:

fw ctl set int fwha_bond_enhanced_enable 1
4 Make sure the value of the kernel parameter fwha_bond_enhanced_enable was set to
1:
fw ctl get int fwha_bond_enhanced_enable

Setting the value of the kernel parameter permanently
Step Description
1 Connect to the command line on each Cluster Member.
3 Back up the current $FWDIR/boot/modules/fwkern.conf file:

cp -v $FWDIR/boot/modules/fwkern.conf{,_BKP}
4 Edit the current $FWDIR/boot/modules/fwkern.conf file:

vi $FWDIR/boot/modules/fwkern.conf
5 Add this line to the file (spaces and comments are not allowed):
fwha_bond_enhanced_enable=1
6 Save the changes in the file and exit the editor.
7 Reboot the Cluster Member.
8 Make sure the value of the kernel parameter fwha_bond_enhanced_enable was set to
1:
fw ctl get int fwha_bond_enhanced_enable
Important - If you change your cluster configuration from VRRP to ClusterXL, you must
remove the kernel parameter configuration from each Cluster Member.

Bridge Interfaces
Bridge Interfaces
Configure interfaces as a bridge to deploy security devices in a topology without reconfiguration of the IP
routing scheme. This is an important advantage for large-scale, complex environments.
Bridge interfaces connect two different interfaces (bridge ports). Bridging two interfaces causes every
Ethernet frame that is received on one bridge port to be transmitted to the other port. Thus, the two bridge
ports participate in the same Broadcast domain (different from router port behavior). The security policy
inspects every Ethernet frame that passes through the bridge.
Important - Only two interfaces can be connected by one Bridge interface, creating a
virtual two-port switch. Each port can be a physical, VLAN, or bond device.
You can configure bridge mode with one Security Gateway or with a Cluster. The bridge functions without
an assigned IP address. Bridged Ethernet interfaces (including aggregated interfaces) to work like ports on
a physical bridge. You can configure the topology for the bridge ports in SmartConsole. A separate
network or group object represents the networks or subnets that connect to each port.
Notes:
n Gaia OS supports bridge interfaces that implement native, Layer 2 bridging.
n Gaia OS does not support Spanning Tree Protocol (STP) bridges.
n A slave interface that is a part of a bond interface cannot be a part of a bridge
interface.
The bridge interfaces send traffic with Layer 2 addressing. On the same device, you can configure some
interfaces as bridge interfaces, while other interfaces work as Layer 3 interfaces. Traffic between bridge
interfaces is inspected at Layer 2. Traffic between two Layer 3 interfaces, or between a bridge interface
and a Layer 3 interface is inspected at Layer 3.

Configuring Bridge Interfaces in Gaia Portal
Configuring Bridge Interfaces in Gaia Portal

Note - For additional information, see the R81 Installation and Upgrade Guide >
Chapter Special Scenarios for Security Gateways > Section Deploying a Security
Gateway or a ClusterXL in Bridge Mode.
Step Description
1 In the left navigation tree, click Network Management > Network Interfaces .
2 Make sure that the slave interfaces, which you wish to add to the Bridge interface, do not have
IP addresses assigned.
3 Click Add > Bridge.

To configure an existing Bridge interface, select the Bridge interface and click Edit.
4 On the Bridge tab, enter or select a Bridge Group ID (unique integer between 1 and 1024).
5 Select the interfaces from the Available Interfaces list and then click Add.
Notes:
n Make sure that the slave interfaces do not have any IP addresses or aliases
configured.
n Do not select the interface that you configured as Gaia Management Interface.
n A Bridge interface in Gaia can contain only two slave interfaces.
7 On the IPv6 tab (optional), enter the IPv6 address and mask length.
8 Click OK.
Note - The name of a Bridge interface in Gaia is "br<Bridge Group ID>". For
example, the name of a bridge interface with a Bridge Group ID of 5 is "br5".

Configuring Bridge Interfaces in Gaia Clish

Note - For additional information, see the R81 Installation and Upgrade Guide >
Chapter Special Scenarios for Security Gateways > Section Deploying a Security
Gateway or a ClusterXL in Bridge Mode.
In Gaia Clish, bond interfaces are called bridging groups .
Note - You configure an IP address on a Bridging Group in the same way as you do on
Procedure
Step Description
1 Connect to the command line on the Security Gateway.
3 Make sure that the slave interfaces, which you wish to add to the Bridge interface, do not have
IP addresses assigned:
show interface <Name of Slave Interface> ipv4-address
show interface <Name of Slave Interface> ipv6-address
4 Add a new bridging group:

add bridging group <Bridge Group ID 0 - 1024>
interface <Bridge Group ID> state" command. This is done
automatically by the bridging driver.
5 Add slave interfaces to the new bridging group:

add bridging group <Bridge Group ID> interface <Name of First
Slave Interface>
add bridging group <Bridge Group ID> interface <Name of Second
Slave Interface>
Notes:
n Do not select the interface that you configured as Gaia Management Interface.
n Only Ethernet, VLAN, and Bond interfaces can be added to a bridge group.
n A Bridge interface in Gaia can contain only two slave interfaces.

Step Description
6 Assign an IP address to the bridging group.
Note - You configure an IP address on a Bridging Group in the same way as you do on
n To assign an IPv4 address, run:

set interface <Name of Bridging Group> ipv4-address <IPv4
Address> {subnet-mask <Mask> | mask-length <Mask Length>}
You can optionally configure the bridging group to obtain an IPv4 Address automatically.
n To assign an IPv6 address, run:
set interface <Name of Bridging Group> ipv6-address <IPv6
Address> mask-length <Mask Length>
You can optionally configure the bridging group to obtain an IPv6 Address automatically.

save config
Syntax
To add a new bridging group
Syntax
add bridging group <Bridge Group ID>

To add a new slave interface to an existing bridging group
Syntax
add bridging group <Bridge Group ID> interface <Name of Slave

Interface>
Example
gaia> add bridging group 56 interface eth1
Note - Make sure that the slave interfaces do not have any IP addresses or aliases
configured.
To add a fail-open interface to an existing bridging group
Syntax
add bridging group <Bridge Group ID> fail-open-interfaces <Name of

Slave Interface>
To configure an existing Bridging Group
Syntax
set interface <Name of Bridge Interface>

comments "Text"
ipv4-address <IPv4 Address>
subnet-mask <Mask>
mask-length <Mask Length>
mac-addr <MAC Address>
mtu <68-16000 | 1280-16000>
rx-ringsize <0-4096>
tx-ringsize <0-4096>
Example
gaia> set interface br1 ipv6-address 3000:40::1 mask-length 64

To delete a slave interface from an existing bridging group
Syntax
delete bridging group <Bridge Group ID> interface <Name of Slave

Interface>
Example
gaia> delete bridging group 56 interface eth1
To delete a fail-open interface from the bridging group
Syntax
delete bridging group <Bridge Group ID> fail-open-interfaces <Name

of Slave Interface>
To delete the bridging group
Syntax
delete bridging group <Bridge Group ID>

Notes:
n You must delete all slave interfaces from the bridging group before you
delete the bridging group.
n Do not change the state of bond interface manually using the "set
Example
gaia> delete bridging group 56
To show the slave interfaces of an existing bridging group
Syntax
show bridging group <Bridge Group ID>
To show the configured bridging groups
Syntax
show bridging groups

Parameters
CLI Parameters
<Bridge Group ID> Configures the Bridge Group ID.

n Range: 0 - 1024
<Name of Bridge Configures the name of the Bridge interface.

Interface>
<Name of Slave Specifies a physical slave interface.

Interface>
comments "Text" Configures an optional free text comment.

n This comment appears in the Gaia Portal and in the output of
the show configuration command.

Address>

Address>
subnet-mask <Mask> Configures the IPv4 subnet mask using dotted decimal notation
(X.X.X.X).
mask-length <Mask Configures the IPv4 or IPv6 subnet mask length using the CIDR
Length> notation (integer between 2 and 32).
ipv6-autoconfig Configures if this interface gets an IPv6 address from a DHCPv6

{on | off} Server:
n off - Does not get an IPv6 address from a DHCPv6 Server (you
must assign it manually)

mac-addr <MAC Configures the hardware MAC address.

Address>

mtu <68-16000 | Configures the Maximum Transmission Unit size for an interface.
1280-16000> For IPv4:
For IPv6:
rx-ringsize <0- Configures the receive buffer size.

4096>
tx-ringsize <0- Configures the transmit buffer size.

4096>
Example
gaia> add bridging group 56 interface eth1

gaia> set interface br1 ipv6-address 3000:40::1 mask-length 64
gaia> show bridging groups
gaia> delete bridging group 56 interface eth1
gaia> delete bridging group 56

Accept, or Drop Ethernet Frames with Specific Protocols
Accept, or Drop Ethernet Frames with Specific Protocols
By default, Security Gateway and Cluster in Bridge mode allows Ethernet frames that carry protocols other
than IPv4 (0x0800), IPv6 (0x86DD), or ARP (0x0806) protocols.
Administrator can configure a Security Gateway and Cluster in Bridge Mode to either accept, or drop
Ethernet frames that carry specific protocols.
When Access Mode VLAN (VLAN translation) is configured, BPDU frames can arrive with the wrong VLAN
number to the switch ports through the Bridge interface. This mismatch can cause the switch ports to enter
blocking mode.
In Active/Standby Bridge Mode only, you can disable BPDU forwarding to avoid such blocking mode:
Step Description
1 Connect to the command line on the Security Gateway (each Cluster Member).
3 Backup the current /etc/rc.d/init.d/network file:

cp -v /etc/rc.d/init.d/network{,_BKP}
4 Edit the current /etc/rc.d/init.d/network file:

vi /etc/rc.d/init.d/network
5 After the line:

./etc/init.d/functions
Add this line:
/sbin/sysctl -w net.bridge.bpdu_forwarding=0
6 Save the changes in the file and exit the Vi editor.
7 Reboot the Security Gateway (each Cluster Member).
8 Make sure the new configuration is loaded:

sysctl net.bridge.bpdu_forwarding
The output must show:
net.bridge.bpdu_forwarding = 0

Loopback Interfaces
Loopback Interfaces
In This Section:
Configuring Loopback Interfaces in Gaia Portal 135

Configuring Loopback Interfaces in Gaia Clish 137
You can define a virtual loopback interface by assigning an IPv4 or IPv6 address to the lo (local) interface.
This can be useful for testing purposes or as a proxy interface for an unnumbered interface.
This section shows you how to configure a loopback interface in the Gaia Portal and Gaia Clish.
Configuring Loopback Interfaces in Gaia Portal

To add a loopback interface
Step Description
1 In the navigation tree, click Interface Management > Network Interfaces .
2 Click Add > Loopback .
3 In the Add loopback window:
1. The Enable option is selected by default to set the loopback interface status
to UP.
2. In the Comment field, enter the applicable comment text (up to 100
characters).
3. On the IPv4 tab, enter the IPv4 address and subnet mask.
These IPv4 addresses are not allowed:
n 0.x.x.x
n 127.x.x.x
n 224.x.x.x - 239.x.x.x (Class D)
n 240.x.x.x - 255.x.x.x (Class E)
n 255.255.255.255
4. On the IPv6 tab (optional), enter the IPv6 address and mask length.
Important - First, you must enable the IPv6 Support and reboot
(see "System Configuration" on page 278).
4 Click OK.
Note - When you add a new loopback interface, Gaia automatically assigns a name
in the format "loop<XX>", where XX is a sequence number that starts from 00. The
name of the first loopback interface is loop00. The name of the second loopback
interface is loop01. And so on.

Loopback Interfaces
To configure a loopback interface
Step Description
1 In the navigation tree, click Interface Management > Network Interfaces .
2 Select a loopback interface and click Edit.
3 In the Edit loop<NN> window:

a. If required, change the IPv4 address and subnet mask.
b. If required, change the IPv6 address and mask length.
4 Click OK.
To delete a loopback interface
Step Description
2 Select a loopback interface and click Delete.

Loopback Interfaces
Configuring Loopback Interfaces in Gaia Clish
Syntax
To add a loopback interface

add interface lo loopback <IPv4 Address>/<Mask Length>
Note - When you add a new loopback interface, Gaia automatically assigns a name
in the format "loop<XX>", where XX is a sequence number that starts from 00. The
name of the first loopback interface is loop00. The name of the second loopback
interface is loop01. And so on.
To configure a loopback interface
set interface <Name of Loopback Interface> {ipv4-address <options> |
ipv6-address <options>}
Note - You can only change IPv4 or IPv6 address on a loopback interface.
To show a loopback interface

show interface <Name of Loopback Interface>
To delete a loopback interface

delete interface lo loopback <Name of Loopback Interface>
Parameters
CLI Parameters
lo You must use the lo (local interface) keyword to define a loopback

interface
<IPv4 Address> Specifies the IPv4 address

These IPv4 addresses are not allowed:
n 0.x.x.x
n 127.x.x.x
n 224.x.x.x - 239.x.x.x (Class D)
n 240.x.x.x - 255.x.x.x (Class E)
n 255.255.255.255

Loopback Interfaces
<Mask Length> Configures the IPv4 subnet mask length using the CIDR notation
(integer between 2 and 32)
<Name of Loopback Specifies a loopback interface name

Interface>
Example
gaia> add interface lo loopback 10.10.99.1/24

gaia> delete interface lo loopback loop01

VPN Tunnel Interfaces

Virtual Tunnel Interface (VTI) is a virtual interface that is used for establishing a Route-Based VPN tunnel.
Each peer Security Gateway has one VTI that connects to the VPN tunnel.
The VPN tunnel and its properties are defined by the VPN community that contains the two Security
Gateways.
You must define the VPN community and its member Security Gateways before you can create a VTI.
To learn more about Route Based VPN, see the R81 Site to Site VPN Administration Guide > Chapter
Route Based VPN.
Note - The name of a VPN Tunnel interface in Gaia is "vpnt<VPN Tunnel ID>".
For example, the name of a VPN Tunnel interface with a VPN Tunnel ID of 5 is "vpnt5".
Procedure:
1. Make sure that the IPsec VPN Software Blade is enabled on the applicable Security Gateways.
2. Create and configure the Security Gateways.
3. Define the VPN community in SmartConsole that includes the two peer Security Gateways.
Configuring VPN community
You must define the VPN Community and add the member Security Gateways to it before you
configure a VPN Tunnel Interface. This section includes the basic procedure for defining a Site-
to-Site VPN Community. To learn more about VPN communities and their definition procedures,
see the R81 Site to Site VPN Administration Guide.
Step Description
1 Connect with SmartConsole to the Management Server.
2 From the left navigation panel, click Security Policies .
3 In the Access Tools section, click VPN Communities .
4 From the top toolbar, click the New ( ) > select Star Community or Meshed
Community ..
5 Configure the VPN community:

a. Enter the VPN community name.
b. From the left tree, click Gateways .
Select the applicable Security Gateways.
c. From the left tree, click Encrypted Traffic .
Select Accept all encrypted traffic .
This automatically adds a rule to encrypt all traffic between Security Gateways
in a VPN community.
d. Configure other settings as necessary.

Step Description
6 Publish the SmartConsole session.
4. Make Route Based VPN the default option.

Do this procedure one time for each.
Configuring Route Based VPN
When Domain Based VPN and Route Based VPN are defined for a Security Gateway, Domain
Based VPN is active by default. You must do two short procedures to make sure that Route
Based VPN is always active.
The first procedure defines an empty encryption domain group for your VPN peer Security
Gateways. You do this step one time for each Security Management Server. The second step is
to make Route Based VPN the default option for all Security Gateways.
To define an empty group
Step Description
1 In the SmartConsole, click Objects menu > More object types > Network Object >
Group > New Network Group.
2 Enter a group name.
3 Do not add members to this group.
4 Click OK.
To make Route Based VPN the default choice
Do these steps for each Security Gateway.
Step Description
1 From the left navigation panel, click Gateways & Servers .
2 Double-click the applicable Security Gateway object.
3 From the left tree, click Network Management > VPN Domain.
4 Select Manually define and then select the empty Group object you created
earlier.
5 Install the Access Control Policy.
5. Define the VTI.

You can configure the VPN Tunnel Interfaces (VTI) in Gaia Portal or Gaia Clish.

Configuring VTI in Gaia Portal
Step Description
1 In the Gaia Portal, select Network Management > Network Interfaces .
2 Click Add > VPN Tunnel .

To configure an existing VTI interface, select the VTI interface and click Edit.
3 In the Add/Edit window, configure these parameters:

n VPN Tunnel ID - Unique tunnel name (integer from 1 to 99).
Gaia automatically adds the prefix "vpnt" to the Tunnel ID.
n Remote Peer Name - Alphanumeric character string as defined for the Remote
Peer Name in the VPN community.
You must define the two peers in the VPN community before you can define the
VTI.
n VPN Tunnel Type - Select the applicable type:
l Numbered - Uses a specified, static IPv4 addresses for local and remote
connections.
l Unnumbered - Uses the interface and the remote peer name to get IPv4
addresses.
n Local Address - Defines the local peer IPv4 address. Applies to the Numbered
VTI only.
n Remote Address - Defines the remote peer IPv4 address. Applies to the
Numbered VTI only.
n Physical Device - Local peer interface name. Applies to the Unnumbered VTI
only.
Configuring VTI in Gaia Clish

Syntax
n To add a VPN Tunnel Interface (VTI):
add vpn tunnel <Tunnel ID>

type
numbered local <Local IP address> remote
<Remote IP address> peer <Peer Name>
unnumbered peer <Peer Name> dev <Name of
Local Interface>
n To see the configuration of the specific VPN Tunnel Interface (VTI):
show vpn tunnel <Name of VTI>
n To see the configured VPN Tunnel Interfaces (VTIs):
show vpn tunnels
n To delete a VPN Tunnel Interface (VTI):
delete vpn tunnel <Tunnel ID>

Important - After you add, configure, or delete features, run the "save
config" command to save the settings permanently.
CLI Parameters
<Tunnel ID> Defines the unique Tunnel ID (integer from 1 to 99).

Gaia automatically adds the prefix 'vpnt' to the Tunnel ID.
Example: vnpt10
type numbered Defines a numbered VTI that uses static IPv4 addresses for
local and remote connections.
type unnumbered Defines an unnumbered VTI that uses the interface and the
remote peer name to get IPv4 addresses.
local <Local IP Defines the VPN Tunnel IPv4 address in dotted decimal format
address> on this Security Gateway or Cluster Member.
Applies to the Numbered VTI only.
remote <Remote Defines the VPN Tunnel IPv4 address in dotted decimal format
IP address> on the VPN peer.
Applies to the Numbered VTI only.
peer <Peer Name Specifies the name of the remote peer object as defined in the
VPN community in SmartConsole.
dev <Name of Specifies the name of the local interface on this Security
Local Interface> Gateway or Cluster Member.
The new VTI is bound to this local interface.
Applies to the Unnumbered VTI only.
Example
gaia> add vpn tunnel 20 type numbered local 10.10.10.1 remote
20.20.20.1 peer MyPeer
gaia> add vpn tunnel 10 type unnumbered peer MyPeer dev eth1
gaia> show vpn tunnels
gaia> delete vpn tunnel 10
6. Define Route Based VPN Rules.

Configuring Route Based VPN Rules
To make sure that your security rules work correctly with Route Based VPN traffic, you must add
directional matching conditions and allow OSPF traffic.
(A) Defining Directional Matching VPN Rules
This section contains the procedure for defining directional matching rules.

Directional matching is necessary for Route Based VPN when a VPN community is included in
the VPN column in the rule.
This is because without bi-directional matching, the rule only applies to connections between a
community and an encryption domain (Domain Based Routing).
Name Source Destination VPN Service Action
VPN Tunnel Any Any MyIntranet Any Accept
The directional rule must contain these directional matching conditions:

n Community > Community
n Community > Internal_Clear
n Internal_Clear > Community
VPN Any Any MyIntranet > Any Accept

Tunnel MyIntranet
MyIntranet >
Internal_Clear
Internal_Clear >
MyIntranet
Notes:
n MyIntranet is the name of a VPN Community.
n Internal_Clear refers to all traffic from IP addresses to and from the
specified VPN community.
n It is not necessary to define bidirectional matching rules if the VPN
column contains the value Any .
To enable VPN directional matching
Step Description
1 In SmartConsole, click Menu > Global properties > expand VPN > click
Advanced.
2 Select the Enable VPN Directional Match in VPN Column option and click
OK.
3 From the left navigation panel, click Gateways & Servers .
4 For each VPN member gateway:

a. Double-click the Security Gateway object.
b. From the left tree, click Network Management.
c. Click Get Interfaces > Get Interfaces with Topology .
This updates the topology to include the newly defined VTIs.
d. Click Accept.
e. Click OK.

To define a VPN directional matching rule
Step Description
1 From the left navigation panel, click Security Policies .
2 Click Access Control > Policy .
3 Right-click the VPN cell in the applicable rule and select Directional Match
Condition.
4 In the New Directional Match Condition window, select the source (Traffic
reaching from ) and destination (Traffic leaving to).
5 Click OK.
6 Repeat Step 3-5 for each set of matching conditions.
(B) Defining Rules to Allow OSPF Traffic
One advantage of Route Based VPN is the fact that you can use dynamic routing protocols to
distribute routing information between Security Gateways.
The OSPF (Open Shortest Path First) protocol is commonly used with VTIs.
To learn about configuring OSPF, see the R81 Gaia Advanced Routing Administration Guide.
Step Description
1 In the Gaia Portal or Gaia Clish, add the applicable VPN Tunnel Interfaces to the
OSPF configuration page.
2 In SmartConsole, add an Access Control rule that allows traffic to the VPN
community (or all communities) that uses the OSPF service:
Allow OSPF for Any Any MyIntranet ospf Accept

a VPN
Community

7. Install the policy and test.

Instructions
You must save your configuration to the database and install policies to the Security Gateways
before the VPN can be fully functional.
Step Description
2 Install the Access Control policy on the Security Gateways.
3 Make sure traffic passes over the VTI tunnel correctly.

6in4 Tunnel Interfaces

In This Section:
Configuring 6in4 Tunnel Interfaces in Gaia Portal 147

Configuring 6in4 Tunnel Interfaces in Gaia Clish 149
This section shows you how to configure 6in4 Tunnel Interfaces in the Gaia Portal and Gaia Clish.
6in4 is a transparent mechanism that transmits IPv6 traffic on existing IPv4 networks.
To do this, 6in4 does these functions:
n Encapsulates IPv6 packets in IPv4 packets for transmission on the IPv4 network.
n Routes traffic between 6in4 and "native" IPv6 networks.
Important - Before you can configure 6in4 Tunnel interfaces, you must enable the IPv6
Support and reboot (see "System Configuration" on page 278).
Note - The name of an 6in4 interface in Gaia is "sit_6in4_<Tunnel ID>". For

example, the name of a 6in4 interface with a Tunnel ID of 5 is "sit_6in4_5".

Configuring 6in4 Tunnel Interfaces in Gaia Portal

To add a 6in4 Tunnel interface
Step Description
2 Make sure that the physical interface, on which you add a 6in4 Tunnel interface, has an IPv4
address.
3 Click Add > 6in4 Tunnel .
4 In the Add 6in4 Tunnel window, select the Enable option to set the VLAN interface to UP.
5 Optional: On the IPv6 tab, enter the IPv6 address and mask length.
6 On the 6in4 Tunnel tab:
n In the Interface field, select the applicable physical interface.

n In the Tunnel ID field, enter or select the Tunnel ID between 2 and 999999.
Note - The ID must be unique for every 6in4 tunnel that terminates on this Gaia.
n In the TTL field, enter or select the Time-to-Live for the 6in4 packets between 0 and
255.
Note - This value must be the same on the peers. Default value is 0.
n In the Remote Address field, enter the IPv4 address at the remote end of the 6in4
tunnel.
7 Click OK.
To edit a VLAN interface
Step Description
2 Select a VLAN interface and click Edit.
3 On the IPv6 tab, enter the IPv6 address and mask length.
4 Click OK.
Note - You cannot change the settings on the 6in4 Tunnel tab. To change these
parameters, delete the 6in4 Tunnel interface and then create a new 6in4 Tunnel
interface.

To delete a 6in4 Tunnel interface
Step Description
2 Select a 6in4 Tunnel interface and click Delete.

Configuring 6in4 Tunnel Interfaces in Gaia Clish
Important - Make sure that the physical interface, on which you wish to add a 6in4
Tunnel interface, have an IPv4 address.
Syntax
To add a new 6in4 Tunnel interface

add interface <Name of Physical Interface> 6in4 <6in4 Tunnel ID>
remote <IPv4 Address on Remote Peer> [ttl <0-255>]
To configure a 6in4 Tunnel interface

set interface sit_6in4_<6in4 Tunnel ID>
comments "Text"
mtu <1280-16000>
state {on | off}
Note - You cannot change the 6in4 settings (Name of Physical Interface, 6in4
Tunnel ID, IPv4 Address on Remote Peer, or TTL). To change these parameters,
delete the 6in4 Tunnel interface and then create a new 6in4 Tunnel interface.
To show the configuration of a specific 6in4 Tunnel interface

show interface sit_6in4_<6in4 Tunnel ID><SPACE><TAB>
To delete a 6in4 Tunnel interface

delete interface sit_6in4_<6in4 Tunnel ID> 6in4 <6in4 Tunnel ID>
Parameters
CLI Parameters
<Name of Physical Specifies a physical interface.

Interface>
<6in4 Tunnel ID> Specifies the Tunnel ID between 2 and 999999.

Note - The ID must be unique for every 6in4 tunnel that terminates on
this Gaia.

<IPv4 Address on Specifies the IPv4 address at the remote end of the 6in4 tunnel.
Remote Peer>
ttl <0-255> Specifies the Time-to-Live for the 6in4 packets between 2 and 255.
Note - This value must be the same on the peers. Default value is 0.

the "show configuration" command.
mask-length <Mask Configures the IPv6 subnet mask length using CIDR notation (/xx) -
Length> integer between 1 and 128.
ipv6-autoconfig {on Configures if this interface gets an IPv6 address from a DHCPv6
| off} Server:
n off - Does not get an IPv6 address from a DHCPv6 Server
(you must assign it manually)
mtu <1280-16000> Configures the Maximum Transmission Unit size for an interface.

n on - Enabled
n off - Disabled
Example
gaia> add interface eth0 6in4 55 remote 192.168.20.30 ttl 200
gaia> set interface comments "6in4 ID 55 with peer 192.168.20.30"
gaia> delete interface sit_6in4_55 6in4 55

GRE Interfaces
GRE Interfaces
In This Section:
Configuring GRE Interfaces in Gaia Portal 152

Configuring GRE interfaces in Gaia Clish 154
Configuring GRE Interfaces on Cluster Members 157
This section shows you how to configure a GRE Interface in the Gaia Portal and the Gaia Clish.
Generic Routing Encapsulation (GRE) is an IP encapsulation protocol, which is used to transport IP
packets over a network.
GRE allows routing of IP packets between private IPv4 networks, which are separated over public IPv4
Internet.
Notes:
n The name of a GRE interface in Gaia is "gre<ID>".
For example, the name of a GRE interface with a GRE ID of 5 is
"gre5".
n The GRE tunnel is not secure, because it is not encrypted.
Warning - By default, SecureXL does not accelerate traffic over a GRE tunnel.
n If you configure SecureXL to accelerate such traffic, the Firewall only inspects
the payload of GRE packets (it does not inspect the GRE data).
n To configure SecureXL to accelerate such traffic, set the value of the SecureXL
kernel parameter sim_enable_gre to 1 (one) in the
$PPKDIR/conf/simkern.conf file and reboot.
For more information, see the R81 Performance Tuning Administration Guide >
Chapter Working with Kernel Parameters on Security Gateway > Section
SecureXL Kernel Parameters.

GRE Interfaces
Configuring GRE Interfaces in Gaia Portal

To add a GRE interface
Step Description
2 Click Add > GRE.
3 On the IPv4 tab, enter the local IPv4 address and subnet mask for the GRE interface.
4 On the GRE Tunnel tab:
a. In the GRE Interface ID field, enter or select the GRE Tunnel ID between 1 and 1024.
Note - This value must be the same on the GRE peers.
b. In the Peer Address field, enter the IPv4 address for the GRE interface on the remote
GRE peer.
c. In the Local Address field, enter the IPv4 address of the applicable local physical
interface.
d. In the Remote Address field, enter the IPv4 address of the applicable physical
interface on the remote GRE peer.
e. Optional: In the TTL field, enter or select the Time-to-Live for the GRE packets
between 0 and 255.
Note - This value must be the same on the GRE peers.
5 Click OK.
Example
Security Gateway "GW1" and Security Gateway "GW2" create a GRE Tunnel over a network.
[GW1] (physical interface eth1) (GRE Tunnel configuration) <==>

<==> (network) <==>
<==> (GRE Tunnel configuration) (physical interface eth2 [GW2]
The GRE interface configuration on these GRE peers:
(GRE) IPv4 Address 192.168.10.11 / 24 192.168.10.22 / 24
GRE Interface ID 33 33
Peer Address 192.168.10.22 192.168.10.11
Local Address 10.10.10.11 172.30.40.22
Remote Address 172.30.40.22 10.10.10.11

GRE Interfaces
To edit a GRE interface
Step Description
2 Select a GRE interface and click Edit.
4 Click OK.
To delete a GRE interface
Step Description
2 Select a GRE interface and click Delete.

GRE Interfaces
Configuring GRE interfaces in Gaia Clish
Syntax
To add a GRE interface

add gre id <GRE Tunnel ID> local <IPv4 address of local physical
interface> remote <IPv4 address of physical interface on remote
peer> ttl <TTL> ip <IPv4 address of local GRE interface> mask <IPv4
subnet mask of local GRE interface> peer <IPv4 address of GRE
interface on remote peer>
To see the configured GRE interface

show gre id <GRE Tunnel ID>
show configuration gre
To delete a GRE interface

delete gre id <GRE Tunnel ID>

GRE Interfaces
CLI Parameters
id <GRE Tunnel ID> Specifies the GRE Tunnel ID between 1 and

1024.
Note - This value must be the same on the GRE
peers.
local <IPv4 address of local Specifies the IPv4 address of the applicable local
physical interface> physical interface.
remote <IPv4 address of physical Specifies the IPv4 address of the applicable
interface on remote peer> physical interface on the remote GRE peer.
ttl <TTL> Specifies the Time-to-Live for the GRE packets

between 1 and 255.
Note - This value must be the same on the
GRE peers.
ip <IPv4 address of local GRE Specifies the local IPv4 address for the GRE
interface> interface.
mask <IPv4 subnet mask of local Specifies the local IPv4 subnet mask for the GRE
GRE interface> interface.
peer <IPv4 address of GRE Specifies the IPv4 address for the GRE interface
interface on remote peer> on the remote GRE peer.

GRE Interfaces
Example
Security Gateway "GW1" and Security Gateway "GW2" create a GRE Tunnel over a network.
[GW1] (physical interface eth1) (GRE Tunnel configuration) <==>

<==> (network) <==>
<==> (GRE Tunnel configuration) (physical interface eth2 [GW2]
The GRE interface configuration on these GRE peers:
(GRE) IPv4 Address 192.168.10.11 / 24 192.168.10.22 / 24
GRE Interface ID 33 33
Peer Address 192.168.10.22 192.168.10.11
Local Address 10.10.10.11 172.30.40.22
Remote Address 172.30.40.22 10.10.10.11
The GRE interface configuration on the Security Gateway "GW1":
gaia1> add gre id 33 local 10.10.10.11 remote 172.30.40.22 ttl <1-

255> ip 192.168.10.11 mask 255.255.255.0 peer 192.168.10.22
The GRE interface configuration on the Security Gateway "GW2":
gaia2> add gre id 33 local 172.30.40.22 remote 10.10.10.11 ttl <1-

255> ip 192.168.10.22 mask 255.255.255.0 peer 192.168.10.11

GRE Interfaces
Configuring GRE Interfaces on Cluster Members

For more information, see the R81 ClusterXL Administration Guide.
In Cluster, you have these options:
To use a GRE interface as a cluster interface with a Virtual IP address
1. Configure a GRE interface on all the Cluster Members.

You must configure the same GRE Interface ID and Remote Address on each Cluster Member.
Make sure you see the new GRE interface from each Cluster Member.
7. Select the new GRE interface and click Edit.
9. In the General section, in the Network Type field, select Cluster.
10. In the IPv4 field, configure the applicable cluster Virtual IP address.
11. In the Member IPs section, make sure the IPv4 address and its Net Mask are correct on each
Cluster Member.
12. Click OK.
To use a GRE interface only on a specific Cluster Member
1. Configure a GRE interface on a specific Cluster Member.

Make sure you see the new GRE interface from the specific Cluster Member, on which you
configured it.
7. Select the new GRE interface and click Edit.
9. In the General section, in the Network Type field, select Private.

GRE Interfaces
10. Click OK.


PPPoE Interfaces
PPPoE Interfaces
In This Section:
Configuring PPPoE Interfaces in Gaia Portal 160

Configuring PPPoE Interfaces in Gaia Clish 162
This section shows you how to configure PPPoE Interfaces in the Gaia Portal and Gaia Clish.
The Point-to-Point Protocol over Ethernet (PPPoE) is a network protocol for encapsulating PPP frames
inside Ethernet frames.
PPPoE is used mainly with DSL services, where individual users connect to the DSL modem over Ethernet
and in plain Ethernet networks.
Note - The name of a PPPoE interface in Gaia is "pppoe<Tunnel ID>". For

example, the name of a PPPoE interface with a Tunnel ID of 5 is "pppoe5".

PPPoE Interfaces
Configuring PPPoE Interfaces in Gaia Portal

To add a PPPoE interface
Step Description
2 Make sure that the physical interface, on which you add a PPPoE interface, does not have an
IP address.
3 Click Add > PPPoE.
4 In the Add PPPoE window, select the Enable option to set the PPPoE interface to UP.
5 On the PPPoE tab:
n In the PPPoE ID field, enter or select the ID between 0 and 999.

Note - This ID must be unique for every PPPoE interface.
n In the Interface field, select the applicable physical interface.
Gaia uses this interface to forward PPPoE frames.
n In the User Name field, enter the username needed to connect to the PPPoE server
at the Internet Service Provider (ISP). Get it from the ISP.
n In the Password field, enter the password needed to connect to the PPPoE server at
the Internet Service Provider (ISP). Get it from the ISP.
n Optional: Select Use Peer DNS to allow the ISP to define the IPv4 DNS server for the
Gaia. The ISP supplies either one IPv4 DNS server (the Primary) or two (Primary and
Secondary).
Important - If you select this option, the PPPoE Peer DNS servers overwrite
the IPv4 DNS servers configured in Network Management > Hosts and
DNS.
n Optional: Select Use Peer as Default Gateway to make the ISP server the Default
Gateway for the Gaia.
Important - If you select this option, Gaia does not use anymore the Default
Gateway configured in Network Management > IPv4 Static Routes .
9 Click OK.
To edit a PPPoE interface
Step Description
2 Select a PPPoE interface and click Edit.
4 Click OK.

PPPoE Interfaces
Note - You cannot change the PPPoE ID for an existing PPPoE interface. To change
this ID, delete the PPPoE interface and then create a new PPPoE interface.
To delete a PPPoE interface
Step Description
2 Select a PPPoE interface and click Delete.

PPPoE Interfaces
Configuring PPPoE Interfaces in Gaia Clish
Syntax
To add a new VLAN interface

add pppoe client id <PPPoE ID> interface <Name of Physical
Interface> user-name <PPPoE Username> {password <PPPoE Password> |
password_hash <PPPoE Password Hash>} [use-peer-dns {on | off}] [use-
peer-as-default-gateway {on | off}]
To configure a VLAN interface

set pppoe client id <PPPoE ID>
fake-peer-address <IPv4 Address>
interface <Name of Physical Interface>
password <PPPoE Password>
use-fake-peer-address {on | off}
use-peer-as-default-gateway {on | off}
use-peer-dns {on | off}
user-name <PPPoE Username>
Note - You cannot change the PPPoE ID for an existing PPPoE interface. To change
this parameters, delete the PPPoE interface and then create a new PPPoE
interface.
To show the PPPoE configuration

show configuration pppoe
show pppoe client id<SPACE><TAB>

show pppoe client id <PPPoE ID>

delete pppoe client id <PPPoE ID>

PPPoE Interfaces
Parameters
CLI Parameters
id <PPPoE ID> Specifies the ID between 0 and 999.

Note - This ID must be unique for every PPPoE interface.
interface <Name Specifies a local physical interface.

of Physical Gaia uses this interface to forward PPPoE frames.
Interface>
user-name Specifies the username needed to connect to the PPPoE server at the
<PPPoE Internet Service Provider (ISP). Get it from the ISP.
Username>
password <PPPoE Specifies the password needed to connect to the PPPoE server at the
Password> Internet Service Provider (ISP). Get it from the ISP.
password_hash Specifies the hash of the password needed to connect to the PPPoE server
<PPPoE Password at the Internet Service Provider (ISP). Get it from the ISP.
Hash>
use-peer-dns Optional: Specifies whether to allow the ISP to define the IPv4 DNS server
{on | off} for the Gaia. The ISP supplies either one IPv4 DNS server (the Primary) or
two (Primary and Secondary).
n on - Allow
n off - Do not allow
Important - If you enable this option, the PPPoE Peer DNS

servers overwrite the IPv4 DNS servers configured with the "set
dns" command.
use-peer-as- Optional: Specifies whether to make the ISP server the Default Gateway
default-gateway for the Gaia
{on | off}
n on - Allow
n off - Do not allow
Important - If you enable this option, Gaia does not use anymore
the Default Gateway configured with the "set static-route
default" command.
fake-peer- Optional. Configures the fake unicast peer IPv4 address (the default value
address <IPv4 is 0.0.0.0).
Address>

PPPoE Interfaces
use-fake-peer- Optional. Configures whether to use the configured fake peer IPv4
address {on | address:
off}
n on - Enabled
n off - Disabled
Example
gaia> add pppoe client id 1 interface eth0 user-name JohnDoe
password 123456 use-peer-dns on

Gaia Management Interface

This section shows you how to select the Gaia Management Interface.
This is the main interface, through which you connect to Gaia Operating System.
Note - You selected this interfaces during the Gaia First Time Configuration Wizard.
Selecting Management Interface in Gaia Portal

Procedure
Step Description
2 In the section Management Interface, click Set Management Interface.

You can see the name of the current Management Interface above this button.
3 In the Management Interface field, select an interface.
4 Click OK.

Selecting Management Interface in Gaia Clish
Syntax
To see the current interface

show management interface
To select a new interface

set management interface <Name of Interface>
Parameters
CLI Parameters
<Name of Specifies the name of the interface, on which to create an alias IPv4
Interface> address
Example
gaia> show management interface
gaia> set management interface eth2

Detection of IP Address Conflicts

From R81, the Gaia Operating System detects IPv4 address conflicts - if a different device on a directly
connected network uses an IPv4 address that belongs to one of the Gaia interfaces.
Example: Gaia interface eth1 has the IPv4 address 10.1.1.1, and some other device on the network
connected to eth1 uses the same IPv4 address 10.1.1.1. The device causes an IP address conflict.
Important - The detection of IP address conflicts:

n Is disabled by default.
n Supports only IPv4 addresses.
n Supports only interfaces with an assigned IPv4 address and with the state "on"
("enabled").
n Is configured only in Gaia Clish.
Configuration in Gaia Clish
Syntax
To see the current configuration

show ip-conflicts-monitor
interfaces
state
To configure settings
set ip-conflicts-monitor
interface {all | <Name of Interface>}
state {off | on}
To remove the current configuration

delete ip-conflicts-monitor
interface {all | <Name of Interface>}

Parameters
CLI Parameters
Command Description
set ip-conflicts-monitor interface Specifies the interfaces, on which Gaia

{all | <Name of Interface>} monitors for :
n all
Detect IP address conflicts (duplicate
IP addresses) on all supported
interfaces
n <Name of Interface>
Detect IP address conflicts on the
specified interface only
You can run this command for each
applicable interface
Best Practice - Enable this

feature only for interfaces
connected to your internal
networks. If you enable this
feature for all interfaces, or for
interfaces connected to external
networks, this feature generates
too many log messages in the
/var/log/messages file.
set ip-conflicts-monitor state {off Enables (on) and disables (off) the
| on} feature.
show ip-conflicts-monitor interfaces Shows the interfaces, on which Gaia

detects IP address conflicts.
show ip-conflicts-monitor state Shows the current state of the feature (off
or on).
delete ip-conflicts-monitor Specifies the interfaces, on which Gaia

interfaces {all | <Name of stops to detect IP address conflicts:
Interface>}
n all
Stop to detect IP address conflicts on
all supported interfaces
n <Name of Interface>
Stop to detect IP address conflicts on
the specified interfaces only

Example
gaia> show ip-conflicts-monitor state
IP conflict monitoring Disabled
gaia> set ip-conflicts-monitor interface eth2
gaia> set ip-conflicts-monitor on
gaia> show ip-conflicts-monitor state
IP conflict monitoring Enabled
gaia> show ip-conflicts-monitor interfaces
Monitored Interfaces: eth2

Log Messages
After you enable and configure this feature, it generates one of these messages in the
/var/log/messages file:
Log Message Description
new station Gaia detected a new MAC address on a directly connected network and a new
IP address is assigned to that MAC address.
changed Gaia detected that an IP address stored in the binding database is assigned to
ethernet a new MAC address on a directly connected network.
address
flip flop The second recent binding of a MAC address to an IP address is currently the
most recent binding in the binding database.
This potentially indicates an IP address conflict on the network.
reused old The third (or older) recent binding of a MAC address to an IP address is
ethernet currently the most recent binding in the binding database.
address This very likely indicates a 3-way (or greater) IP address conflict.
To see the applicable log messages:
Step Instructions
1 Connect to the command line.
3 Run:
grep "arpwatch:" /var/log/messages*
Example:
[Expert@MyGaia:0]# grep "arpwatch:" /var/log/messages*

Aug 3 19:23:16 2020 MyGaia arpwatch: listening on eth0
Aug 3 19:23:16 2020 MyGaia arpwatch: new station 192.168.3.51
00:50:56:a3:73:26
Aug 3 19:23:17 2020 MyGaia arpwatch: new station 192.168.3.29
00:50:56:a3:68:60
... ... (truncated for brevity) ... ...
[Expert@MyGaia:0]#

Additional Information
n The detection of IP address conflicts is based on the Linux arpwatch tool.
n When you enable this feature, Gaia runs the /bin/arpwatch_launcher deamon. This daemon
is responsible to run the /etc/rc.d/init.d/arpwatch service.
n Gaia saves the applicable configuration in the Gaia database and in the
/etc/sysconfig/arpwatch file.
Gaia generates the /etc/sysconfig/arpwatch file automatically.
n Gaia saves the MAC-to-IP address binding information in the
/var/lib/arpwatch/arp.dat.<Name of Interface> file.
The information includes:
l The detected MAC address
l The IP address assigned to that MAC address
l The time of detection (in Unix epoch format)
It can take several minutes for Gaia to populate this database.

CLI Reference (interface)
CLI Reference (interface)

This section summarizes the Gaia Clish interface command and its parameters.
Note - There are some command options and parameters that you cannot configure in
the Gaia Portal.
Description
Add, configure, and delete interfaces and interface properties.
Syntax
To add an interface
add interface<ESC><ESC>
To configure an interface
set interface<ESC><ESC>
To show an interface
show interfaces all
To delete an interface, or interface configuration

delete interface<ESC><ESC>
To work with Gaia Management Interface

show management interface
set management interface <Name of Interface>
To work with Gaia IP Conflict Detection

show ip-collisions-monitor
set ip-collisions-monitor
delete ip-collisions-monitor

ARP
ARP
The Address Resolution Protocol (ARP) allows a host to find the physical address of a target host on the
same physical network using only the target's IP address.
ARP is a low-level protocol that hides the underlying network physical addressing and permits assignment
of an arbitrary IP address to every machine.
ARP is considered part of the physical network system and not as part of the Internet protocols.

Configuring ARP in Gaia Portal

To show dynamic ARP entries
Step Description
1 In the navigation tree, click Network Management > ARP.
2 In the upper right corner, click the Monitoring tab.
To show static ARP entries
Step Description
2 In the upper right corner, click the Configuration tab.
To change static and dynamic ARP parameters
Step Description
3 In the ARP Table Settings section:
a. Enter the Maximum Entries .

This is the maximal number of entries in the ARP cache.
Range: 1024 - 16384 entries
Default: 4096 entries
Note - Make sure to configure a value large enough to accommodate at
least 100 dynamic entries, in addition to the maximum number of static
entries.
b. Enter the Validity Timeout.
This is the time, in seconds, to keep resolved dynamic ARP entries.
If the entry is not referred to and is not used by traffic before the time elapses, it is
deleted.
Otherwise, a request is sent to verify the MAC address.
Range: 60 - 86400 seconds (24 hours)
Default: 60 seconds

To add a static ARP entry
Step Description
3 In the Static ARP Entries section, click Add.
4 Enter the IP Address of the static ARP entry and the MAC Address used when forwarding
packets to the IP address.
5 Click OK.
To delete a static ARP entry
Step Description
3 In the Static ARP Entries section, select a Static ARP entry.
4 Click Remove.
To delete all dynamic ARP entries
Step Description
2 In the upper right corner, click the Monitoring tab.
3 Click Flush All .

Configuring ARP in Gaia Clish

Syntax
To add a static ARP entry

add arp static ipv4-address <IPv4 Address> macaddress <MAC Address>
To delete static and dynamic ARP entries

delete arp
dynamic all
static ipv4-address <IPv4 Address>
To configure ARP table parameters

set arp table
validity-timeout <Seconds>
cache-size <Number of Entries>
To show ARP table parameters

show arp
dynamic all
static all
table validity-timeout
table cache-size
Parameters
CLI Parameters
static Configures static ARP entries.
dynamic Configures dynamic ARP entries.
ipv4-address <IPv4 Configures IPv4 Address for a static ARP entry.

Address>
n Range: Dotted-quad ([0-255].[0-255].[0-255].[0-255])
macaddress Configures the hardware MAC address (six hexadecimal octets

separated by colons) for a static ARP entry.
n Range: 00:00:00:00:00:00 - FF:FF:FF:FF:FF:FF

table validity- Configures the time, in seconds, to keep resolved dynamic ARP entries
timeout <Seconds> in the ARP cache table.
If the entry is not referred to and is not used by traffic before this time
elapses, the dynamic ARP entry is deleted from the ARP cache table.
Otherwise, an ARP Request will be sent to verify the MAC address.
n Range: 60 - 86400 seconds (24 hours)
n Default: 60 seconds
table cache-size Configures the maximal number of entries in the ARP cache table.
<Number of
Entries> n Range: 1024 - 16384
n Default: 4096
Note - Make sure to configure a value large enough to

accommodate at least 100 dynamic ARP entries, in addition
to the maximum number of static ARP entries.

DHCP Server
DHCP Server
You can configure the Gaia device to be a Dynamic Host Configuration Protocol (DHCP) server.
The DHCP server gives IP addresses and other network parameters to network hosts.
DHCP makes it unnecessary to configure each host manually, and therefore reduces configuration errors.
You configure DHCP server subnets on the Gaia device interfaces.
A DHCP subnet allocates these network parameters to hosts behind the Gaia interface:
n IPv4 address
n Default Gateway (optional)
n DNS parameters (optional):
l Domain name
l Primary, secondary and tertiary DNS servers
Allocating DHCP parameters to hosts (for the details, see the next section)
Workflow
Step Description
1 To define a DHCP subnet on a Gaia interface:

a. Enable DHCP Server on the Gaia network interface.
b. Define the network IPv4 address of the subnet on the interface.
c. Define an IPv4 address pool.
d. Optional: Define routing and DNS parameters for DHCP hosts.
2 Define additional DHCP subnets on other Gaia interfaces, as needed.
3 Enable the DHCP Server process for all configured subnets.
4 Configure the network hosts to use the Gaia DHCP server.

Configuring a DHCP Server in Gaia Portal

To allocate DHCP parameters to hosts
Step Description
1 In the navigation tree, click Network Management > DHCP Server.
2 In the DHCP Server Subnet Configuration section, click Add.

The Add DHCP window opens.
You now define a DHCP subnet on an Ethernet interface of the Gaia device.
Hosts behind the Gaia interface get IPv4 addresses from address pools in the subnet.
3 Select Enable DHCP to enable DHCP for the subnet you will configure.
4 On the Subnet tab:

Define the DHCP offer and lease settings:
In the Network IP Address field, enter the IPv4 address of the applicable interface's subnet.
In the Subnet mask field, enter the subnet mask.
Note - To do this automatically, click Get from interface and select the applicable
interface. Click OK.
In the Address Pool section, click Add to define the range of IPv4 addresses that the server
assigns to hosts.
a. In the Type field, select Include or Exclude.

This specifies whether to include or exclude this range of IPv4 addresses in the IP
pool.
b. In the Status field, select Enable of Disable.
This enables or disables the DHCP Server for this subnet, or the DHCP Server
process (depending on the context).
c. In the Start field, enter the first IPv4 address of the range.
d. In the End field, enter the last IPv4 address of the range.
e. Click OK.
Optional: In the Lease Configuration section, configure the DHCP lease settings:
a. In the Default lease field, enter the default lease time (in seconds), for host IPv4
addresses. This applies only if DHCP clients do not request a unique lease time. The
default is 43,200 seconds.
b. In the Maximum Lease field, enter the maximal lease time (in seconds), for host IPv4
addresses. The default is 86,400 seconds.

Step Description
5 Optional: On the Routing & DNS tab, define routing and DNS parameters for DHCP clients:
n In the Default Gateway field, enter the IPv4 address of the default gateway for the
DHCP clients.
n In the Domain Name field, enter the domain name for the DHCP clients (for example,
example.com).
n In the Primary DNS Server field, enter the IPv4 address of the Primary DNS server
for the DHCP clients.
n In the Secondary DNS Server field, enter the IPv4 address of the Secondary DNS
server for the DHCP clients (to use if the primary DNS server does not respond).
n In the Tertiary DNS Server field, enter the IPv4 address of the Tertiary DNS server
for the DHCP clients (to use if the primary and secondary DNS servers do not
respond).
6 Click OK.
7 Optional: Define DHCP subnets on other Gaia interfaces, as needed.
8 In the DHCP Server Configuration section, select Enable DHCP Server and click Apply .
9 The DHCP server on Gaia is now configured and enabled.

You can now configure your network hosts to get their network parameters from the DHCP
server on Gaia.
To change DHCP parameters in a subnet
Step Description
2 In the DHCP Server Subnet Configuration section, select the Subnet and click Edit.
3 Change the applicable settings.
4 Click OK.
To disable DHCP server on all interfaces
Step Description
2 In the DHCP Server Configuration section, clear the Enable DHCP Server.
3 Click Apply .

To delete DHCP subnet
Step Description
2 In the DHCP Server Subnet Configuration section, select the Subnet and click Delete.
3 Click OK to confirm.
Note - Before you delete the last DHCP subnet, you must disable DHCP server on
all interfaces.

Configuring a DHCP Server in Gaia Clish

Syntax
To add a DHCP Server subnet

add dhcp server subnet <Subnet Entry>
netmask <Mask>
include-ip-pool start <First IPv4 Address> end <Last IPv4
Address>
exclude-ip-pool start <First IPv4 Address> end <Last IPv4
Address>
To configure a DHCP Server subnet

set dhcp server subnet <Subnet Entry>
enable
disable
include-ip-pool <First IPv4 Address-Last IPv4 Address> {enable
| disable}
exclude-ip-pool <First IPv4 Address-Last IPv4 Address> {enable
| disable}
default-lease <Lease in Seconds>
max-lease <Maximal Lease in Seconds>
default-gateway <Default Gateway IPv4 Address>
domain <Domain Name for the DHCP Clients>
dns <DNS Server IPv4 Address>
To delete a DHCP Server subnet

delete dhcp server subnet <Subnet Entry>
include-ip-pool <First IPv4 Address-Last IPv4 Address>
exclude-ip-pool <First IPv4 Address-Last IPv4 Address>
To enable or disable the DHCP Server process

set dhcp server {enable | disable}
To show DHCP Server configuration

show dhcp server
all
status
subnet <Subnet Entry> ip-pools
subnets

Parameters
CLI Parameters
subnet <Subnet Entry> Specifies the IPv4 address of the DHCP subnet on an Ethernet
interface of the Gaia device. Hosts behind the Gaia interface get
IPv4 addresses from address pools in the subnet.
For example: 192.0.2.0
netmask <Mask> Specifies the IPv4 subnet mask in CIDR notation.

For example: 24
include-ip-pool start Specifies the IPv4 address that starts and the IPv4 address that
<First IPv4 Address> ends the included allocated IP Pool range.
end <Last IPv4 For example: 192.0.2.20 and 192.0.2.90
Address>
exclude-ip-pool start Specifies the IPv4 address that starts and the IPv4 address that
<First IPv4 Address> ends the excluded allocated IP Pool range.
end <Last IPv4 For example: 192.0.2.155 and 192.0.2.254
Address>
include-ip-pool <First Specifies the range of IPv4 addresses to include in the IP pool.
IPv4 Address-Last IPv4 For example: 192.0.2.20-192.0.2.90
Address>
exclude-ip-pool <First Specifies the range of IPv4 addresses to exclude from the IP
IPv4 Address-Last IPv4 pool.
Address> For example: 192.0.2.155-192.0.2.254
enable Enables the DHCP Server subnet, or the DHCP Server process
(depending on the context).
disable Disables the DHCP Server subnet, or the DHCP Server process
(depending on the context).
default-lease <Lease Specifies the default DHCP lease in seconds, for host IPv4
in Seconds> addresses. Applies only if DHCP clients do not request a unique
lease time. If you do not enter a value, the default is 43,200
seconds.
max-lease <Maximal Specifies the maximal DHCP lease in seconds, for host IPv4
Lease in Seconds> addresses. This is the longest lease available. If you do not enter
a value, the configuration default is 86,400 seconds.
default-gateway Optional. Specifies the IPv4 address of the default gateway for
<Default Gateway IPv4 the network hosts
Address>

domain <Domain Name Optional. Specifies the domain name of the network hosts.
for the DHCP Clients> For example: example.com
dns <DNS Server IPv4 Optional. Specifies the DNS servers that the network hosts will
Address> use to resolve hostnames. Optionally, specify a primary,
secondary and tertiary server in the order of precedence.
For example: 192.0.2.101, 192.0.2.102,
192.0.2.103
all Shows all DHCP Server's configuration settings.
subnets Configures the DHCP Server subnet settings.
subnet <Subnet Entry> The IP addresses pools in the DHCP Server subnet, and their
ip-pools status: Enabled or Disabled.
status The status of the DHCP Server process: Enabled or Disabled.

Example
gaia> add dhcp server subnet 192.168.2.0 netmask 24
gaia> add dhcp server subnet 192.168.2.0 include-ip-pool start

192.168.2.20 end 192.168.2.90

192.168.2.120 end 192.168.2.150
gaia> add dhcp server subnet 192.168.2.0 exclude-ip-pool start

192.168.2.155 end 192.168.2.254
gaia> set dhcp server subnet 192.168.2.0 include-ip-pool 192.168.2.20-

192.168.2.90 enable
gaia> set dhcp server subnet 192.168.2.0 include-ip-pool

192.168.2.120-192.168.2.150 disable
gaia> set dhcp server subnet 192.168.2.0 exclude-ip-pool

192.168.2.155-192.168.2.254 enable
gaia> set dhcp server subnet 192.168.2.0 default-lease 43200
gaia> set dhcp server subnet 192.168.2.0 max-lease 86400
gaia> set dhcp server subnet 192.168.2.0 default-gateway 192.168.2.103
gaia> set dhcp server subnet 192.168.2.0 domain example.com
gaia> set dhcp server subnet 192.168.2.0 dns 192.168.2.101,

192.168.2.102, 192.168.2.103
gaia> set dhcp server subnet 192.168.2.0 enable

172.30.4.10 end 172.30.4.99
gaia> set dhcp server subnet 172.30.4.0 include-ip-pool 172.30.4.10-

172.30.4.99 enable
gaia> set dhcp server subnet 172.30.4.0 disable

gaia> set dhcp server subnet 10.20.30.0 disable
gaia> show dhcp server all

DHCP Server Enabled
DHCP-Subnet 192.168.2.0
State Enabled
Net-Mask 24
Maximum-Lease 86400
Default-Lease 43200
Domain example.com
Default Gateway 192.168.2.103
DNS 192.168.2.101, 192.168.2.102, 192.168.2.103
Pools (Include List)
192.168.2.20-192.168.2.90 : enabled
192.168.2.120-192.168.2.150 : disabled
Pools (Exclude List)
192.168.2.155-192.168.2.254 : enabled
State Disabled
Net-Mask 24
Maximum-Lease 86400
Default-Lease 43200
Pools (Include List)
172.30.4.10-172.30.4.99 : enabled
State Disabled
Net-Mask 24
Maximum-Lease 86400
Default-Lease 43200
gaia>

Hosts and DNS
Hosts and DNS

This page lets you configure:
n System Name - Host Name and Domain Name (see "System Name" on page 188)
n Hosts (see "Hosts" on page 189)
n DNS settings (see "DNS" on page 192)

System Name
System Name
You set the host name (system name) during initial configuration. You can change the name.
Configuring Host Name and Domain Name in Gaia Portal
Step Description
1 In the navigation tree, click Network Management > Host and DNS.
2 In the System Name section, enter:
n Host Name - The network name of the Gaia device.

n Domain Name - Optional. For example, example.com.
Configuring Host Name and Domain Name in Gaia Clish
Description
Configure the host name of your platform.
Syntax
n To configure a hostname:
set hostname <Name of Host>
n To show the configured hostname:
show hostname
n To configure a domain name (optional):
set domainname <Domain>
n To show the configured domain name:
show domainname

Hosts
Hosts
You should add host addresses for systems that communicate frequently with the Gaia system.
You can:
n View the entries in the hosts table.
n Add an entry to the list of hosts.
n Modify the IP address of a host.
n Delete a host entry.
Configuring Hosts in Gaia Portal

To add a static host entry
Step Description
1 In the navigation tree, click Network Management > Hosts and DNS.
2 In the Hosts section, click Add.
3 Enter:
n Host Name - Must include only alphanumeric characters, dashes ('-'), and periods
('.'). Periods must be followed by a letter or a digit. The name may not end with a dash
or a period. There is no default value.
n IPv4 address
n IPv6 address
To edit the static host entry
Step Description
2 In the Hosts section, select a host entry and click Edit.
3 Edit:
n Host Name
n IPv4 address
n IPv6 address
To delete the static host entry
Step Description
2 In the Hosts section, select a host entry and click Delete.

Hosts
Configuring Hosts in Gaia Clish
Description
Add, edit, delete and show the name and IP addresses for hosts that communicate frequently with the Gaia
system.
Syntax
To add a static host entry

add host name <Name of Host>
ipv4-address <IPv4 Address of Host>
To edit the static host entry

set host name <Name of Host>
To delete the static host entry

delete host name <Name of Host> {ipv4 | ipv6}
To show the configured static host entry

show host name<SPACE><TAB>
show host name <Name of Host> {ipv4 | ipv6}
To show all configured IP addresses of all hosts

show host names [ipv4 | ipv6]

Hosts
Parameters
CLI Parameters
name <Name The name of a static host. Must include only alphanumeric characters, dashes
of Host> ('-'), and periods ('.'). Periods must be followed by a letter or a digit. The name
must not end in a dash or a period. There is no default value.
ipv4- The IPv4 address of the host.

address
<IPv4
Address of
Host>
ipv6- The IPv6 address of the host.

address
<IPv6
Address of
Host>

DNS
DNS
Gaia uses the Domain Name Service (DNS) to translate host names into IP addresses.
To enable DNS lookups, you must enter the primary DNS server for your system. You can also enter
secondary and tertiary DNS servers.
When the system resolves host names, it consults the primary name server. If a failure or time-out occurs,
the system consults the secondary name server, and if necessary, the tertiary.
You can also define a DNS Suffix, which is a search for host-name lookup.
Important - From R81, you can configure specific DNS settings in each Virtual System.
See the R81 VSX Administration Guide.
Configuring DNS in Gaia Portal

To configure the DNS Servers
Step Description
2 In the System Name section:

In the Domain Name field, enter the domain name (for example, example.com).
3 In the DNS section:
a. In the DNS Suffix field, enter the domain name suffix.

Specifies the name that is put at the end of all DNS searches if they fail.
By default, it must be the local domain name.
A valid domain name suffix is made up of subdomain strings separated by periods.
Subdomain strings must begin with an alphabetic letter and can consist only of
alphanumeric characters and hyphens.
The domain name syntax is described in RFC 1035 (modified slightly in RFC 1223).
Note - Domain names that are also valid numeric IP addresses (for
example: 10.19.76.100), although syntactically correct, are not permitted.
Example:
You configured the DNS Suffix "example.com" and you try to ping the host "foo"
(with the command "ping foo"). If Gaia cannot resolve "foo", then Gaia tries to
resolve "foo.example.com".
b. In the Primary DNS Server field, enter the IPv4 or IPv6 address of the Primary DNS
server.
c. Optional: In the Secondary DNS Server field, enter the IPv4 or IPv6 address of the
Secondary DNS server (to use if the primary DNS server does not respond).
d. Optional: In the Tertiary DNS Server field, enter the IPv4 or IPv6 address of the
Tertiary DNS server (to use if the primary and secondary DNS servers do not
respond).
e. Click Apply .

DNS
Configuring DNS in Gaia Clish
Description
Configure, show and delete the DNS servers and the DNS suffix for the Gaia computer.
Syntax
To configure the DNS servers and the DNS suffix

set dns
primary <IPv4 or IPv6 Address>
secondary <IPv4 or IPv6 Address>
tertiary <IPv4 or IPv6 Address>
suffix <Name for Local Domain>
To show the DNS servers and the DNS suffix

show dns
primary
secondary
tertiary
suffix
To delete the DNS servers and the DNS suffix

delete dns
primary
secondary
tertiary
suffix
Parameters
CLI Parameters
primary Specifies the IPv4 or IPv6 address of the primary DNS server, which resolve
<IPv4 or host names.
IPv6 This must be a host that runs a DNS server.
Address>
secondary Specifies the IPv4 or IPv6 address of the secondary DNS server, which resolves
<IPv4 or host names if the primary server does not respond.
Address>

DNS
tertiary Specifies the IPv4 or IPv6 address of the tertiary DNS server, which resolves
<IPv4 or host names if the primary and secondary servers do not respond.
Address>
suffix <Name Specifies the name that is put at the end of all DNS searches if they fail.
for Local By default, it must be the local domain name.
Domain> A valid domain name suffix is made up of subdomain strings separated by
periods.
Subdomain strings must begin with an alphabetic letter and can consist only of
alphanumeric characters and hyphens.
The domain name syntax is described in RFC 1035 (modified slightly in RFC
1223).
Note - Domain names that are also valid numeric IP addresses (for
example: 10.19.76.100), although syntactically correct, are not
permitted.
Example:
You configured the DNS Suffix "example.com" and you try to ping the host
"foo" (with the command "ping foo"). If Gaia cannot resolve "foo", then
Gaia tries to resolve "foo.example.com".

IPv4 Static Routes
IPv4 Static Routes

A static route defines the destination and one or more paths (next hops) to get to that destination.
You define static routes manually in the Gaia Portal, or in Gaia Clish with the "set static-route"
command.
Static routes let you add paths to destinations that are unknown by dynamic routing protocols. You can
define multiple paths (next hops) to a destination and define priorities for selecting a path. Static routes are
also useful for defining the default route.
Static route definitions include these parameters:
n Destination IPv4 address.
n Route type:
l Normal - Accepts and forwards packets to the specified destination.
l Reject - Drops packets and sends ICMP unreachable packet.
l Blackhole - Drops packets and does not send ICMP unreachable packet.
n Next-hop type:
l Address - Identifies the next hop gateway by its IPv4 address.
l Logical - Identifies the next hop gateway by the name of the local interface that connects to it.
Use this option only if the next hop gateway has an unnumbered interface.
n Gateway identifier - IPv4 address, or name of local interface.
n Priority (Optional) - Assigns a path priority when there are many different paths.
n Rank (Optional) - Selects a route when there are many routes to a destination that use different
routing protocols. You must use the Gaia Clish to configure the rank.

Configuring IPv4 Static Routes in Gaia Portal

You can configure IPv4 static routes one at a time, or many routes at once.
Configuring One IPv4 Static Route at a Time
Step Description
1 In the navigation tree, click Network Management > IPv4 Static Routes .
2 In the IPv4 Static Routes section, click Add.

The Add Destination Route window opens.
3 In the Destination field, enter the IPv4 address of destination host, or network.
4 In the Subnet mask field, enter the subnet mask.
5 In the Next Hop Type field, select one of these:
n Normal - To accept and forward packets

n Blackhole - To drop packets, and not send ICMP unreachable packet to the traffic
source
n Reject - To drop packets, and send ICMP unreachable packet to the traffic source
6 In the Rank field, leave the default value (60), or enter the relative rank of the IPv4 static
route (an integer from 1 to 255).
This value specifies the rank for the configured route when there are overlapping routes from
different protocols.
7 Select the Local Scope option, if needed.

Use this setting on a Cluster Member when the ClusterXL Virtual IPv4 address is in a
different subnet than the IPv4 address of a physical interface.
This lets the Cluster Member accept static routes on the subnet of the Cluster Virtual IPv4
address.
To make sure that the scopelocal attribute is set correctly, run the "cat
/etc/routed.conf" command. For more information, see sk92799.

Step Description
9 Click Add Gateway and select one of these options:
n Option 1:
a. Select IP Address to specify the next hop by its IPv4 address.
b. In the IPv4 Address field, enter the IPv4 address of the next hop gateway.
c. In the Priority field, either do not enter anything, or select an integer between 1
and 8.
d. Add Monitored IPs .
e. Click OK.
n Option 2:
a. Select Network Interface to specify the next hop by the name of the local
interface name that connects to it.
b. In the Local Interface field, select an interface that connects to the next hop
gateway.
c. In the Priority field, either do not enter anything, or select an integer between 1
and 8.
d. Add Monitored IPs .
e. Click OK.
Notes:
n Priority defines which next hop gateway to select when multiple next hop
gateways are configured. The lower the priority, the higher the preference -
priority 1 means the highest preference, and priority 8 means the lowest
preference. You can define two or more paths with the same priority to
specify a backup path with equal priority. A next hop gateway with no priority
configured is preferred over a next hop gateway with priority configured.
n Multihop ping in Static Routes uses ICMP Echo Request to monitor
reachability of an IP address multiple hops away. Multihop ping in Static
Routes updates the status of an associated next hop in accordance to the
reachability status. The next hop status becomes "down", if that IP address
is unreachable.
10 If you defined a next hop gateway by IP Address , you can select the Ping option, if you need
to monitor next hops for the IPv4 static route with the ping.
The Ping feature sends ICMP Echo Requests to make sure the next hop gateway for a static
route is working.
Gaia includes in the kernel forwarding table only next hop gateways, which are verified as
working.
When Ping is enabled, Gaia adds an IPv4 static route to the kernel forwarding table only after
at least one next hop gateway is reachable.
11 Click Save.
12 In the Advanced Options section, you can configure the Ping behavior.
If you changed the default settings, click Apply .

Configuring Many IPv4 Static Routes at Once
You can use the batch mode to configure multiple static routes in one step.
Note - This mode does not allow the configuration of static routes that use a logical
interface as the next hop.
Step Description
2 In the Batch Mode section, click Add Multiple Static Routes .
3 In the Add Multiple Routes window, select the Next Hop Type:

source
4 Add the routes in the text box, using this syntax:

<Destination IPv4 Address>/<Mask Length> <IPv4 Address of
Next Hop Gateway> ["<Comment>"]
Where:
n <Destination IPv4 Address>/<Mask Length> - Specifies the IPv4
address of destination host or network using the CIDR notation (IPv4 Address / Mask
Length).
Example: 192.168.2.0/24
You can use the default keyword instead of an IPv4 address when referring to the
default route.
n <IPv4 Address of Next Hop Gateway> - Specifies the IPv4 address of the
next hop gateway
n "<Comment>" - Optional. Free text comment for the static route.
Write the text in double-quotes. Maximal length of the text string is 100 characters.
Example:
default 192.0.2.100 192.0.2.1 "Default Route"
192.0.2.200/24 192.0.2.18 "My Backup Route"
5 Click Apply .
The newly configured static routes show in the IPv4 Static Routes section.
Note - The text box shows entries that contain errors with messages at the top of
the page.
6 Correct errors and reload the affected routes.
7 In the top right corner, click the Monitoring tab to make sure that the routes are configured
correctly.

Configuring IPv4 Static Routes in Gaia Clish

Description
Configure, show, and delete IPv4 static routes.
Syntax
Note - There are no "add" commands for the static route feature.
To add or configure a default static IPv4 route

set static-route default
comment {"Text" | off}
nexthop
gateway
address <IPv4 Address of Next Hop Gateway> [priority <Priority>] {on | off}
logical <Name of Local Interface> [priority <Priority>] {on | off}
blackhole
reject
ping {on | off}
rank <Rank>
scopelocal {on | off}
To add or configure a specific static IPv4 route

set static-route <Destination IPv4 Address>
nexthop
gateway
address <IPv4 Address of Next Hop Gateway>
{on | off}
monitored-ip <Monitored IP Address> {on | off}
monitored-ip-option {fail-all | fail-any | force-if-symmetry {on | off}}
[priority <Priority>]
logical <Name of Local Interface>
{on | off}
[priority <Priority>]
blackhole
reject
off
ping {on | off}
rank <Rank>
scopelocal {on | off}
To show all configured static IPv4 routes

show route static all
To remove a default static IPv4 route

set static-route default off
To remove a specific static IPv4 route

set static-route <Destination IPv4 Address> off
To remove a specific path only, when multiple next hop gateways are configured
set static-route <Destination IPv4 Address> nexthop gateway <IPv4 Address of Next Hop Gateway> off
set static-route <Destination IPv4 Address> nexthop gateway <Name of Local Interface> off

Parameters
CLI Parameters
default Defines the default static IPv4 route.
<Destination IPv4 Address> Specifies the IPv4 address of destination host or network
using the CIDR notation (IPv4 Address / Mask Length).
Example: 192.168.2.0/24
You can use the default keyword instead of an IPv4
address when referring to the default route.
comment {"Text" | off} Defines of removes the optional comment for the static
route.
n This comment appears in the Gaia Portal and in
the output of the "show configuration"
command.
nexthop Defines the next hop path, which can be a gateway,

blackhole, or reject.
gateway Specifies that this next hop accepts and sends packets to
the specified destination.
blackhole Specifies that this next hop drops packets, but does not
send ICMP unreachable packet to the traffic source.
reject Specifies that this next hop drops packets and sends
ICMP unreachable packet to the traffic source.
address <IPv4 Address of Specifies the IPv4 address of the next hop gateway.
Next Hop Gateway>
logical <Name of Local Identifies the next hop gateway by the name of the local
Interface> interface that connects to it.
Use this option only if the next hop gateway has an
unnumbered interface.

monitored-ip <Monitored IP Remote IPv4 address to monitor for the next hop
Address> {on | off} gateway.
Monitors IP address(es) configured with the "ip-
reachability-detection".
The next hop gateway becomes usable with respect to
reachability of IP address(es) reported from the "ip-
reachability-detection".
monitored-ip-option {fail- Set failure condition and flavor for the configured
all | fail-any | force-if- monitored IP address(es).
symmetry {on | off}}
n fail-all
Fails the next hop gateway when all monitored IP
addresses become unreachable.
Restores the next hop gateway when one of the
monitored IP addresses becomes reachable.
Default: off
n fail-any
Fails the next hop gateway when one of the
monitored IP addresses becomes unreachable.
Restores the next hop gateway when all monitored
IP addresses become reachable.
Default: on
n force-if-symmetry
Ignores IP reachability reports from IP addresses
with asymmetric traffic.
Default: off
priority <Priority> Defines which gateway to select as the next hop when
multiple gateways are configured.
The lower the priority, the higher the preference - priority
1 means the highest preference, and priority 8 means
the lowest preference.
You can define two or more paths with the same priority
to specify a backup path with equal priority.
A next hop gateway with no priority configured is
preferred over a next hop gateway with priority
configured
nexthop ... on Adds the specified next hop gateway.
nexthop ... off Deletes the specified next hop gateway.

If you specify a next hop gateway, only the specified path
is deleted.
If you do not specify a next hop gateway, the route and all
related paths are deleted.
off Removes the static route.

ping {on | off} Enables (on) or disables (off) the ping of specified next
hop gateways for IPv4 static routes.
The Ping feature sends ICMP Echo Requests to make
sure the next hop gateway for a static route is working.
Gaia includes in the kernel forwarding table only next hop
gateways, which are verified as working.
When Ping is enabled, Gaia adds an IPv4 static route to
the kernel forwarding table only after at least one next
hop gateway is reachable.
To configure the ping behavior, run:
set ping count <value>
set ping interval <value>
rank <Rank> Selects a route, if there are many routes to a destination

that use different routing protocols.
The route with the lowest rank value is selected.
Use the rank keyword in place of the nexthop keyword
with no other parameters.
Accepted values are: default (60), integer numbers
from 0 to 255.
In addition, see this command: "set protocol-rank
protocol <Rank>"
scopelocal {on | off} Defines a static route with a link-local scope.

Use this setting on a Cluster Member, when the
ClusterXL Virtual IPv4 address is in a different subnet
than the IPv4 address of a physical interface.
This lets the Cluster Member accept static routes on the
subnet of the Cluster Virtual IPv4 address.
To make sure that the scopelocal attribute is set
correctly, run the "cat /etc/routed.conf"
command.

Example
gaia> set static-route 192.0.2.0/24 nexthop gateway address 192.0.2.155 on
gaia> set static-route 192.0.2.0/24 nexthop gateway address 192.0.2.155 off
gaia> set static-route 192.0.2.0/24 nexthop gateway logical eth0 on
gaia> set static-route 192.0.2.0/24 off
gaia> set static-route 192.0.2.100/32 nexthop blackhole
gaia> set static-route 192.0.2.100/32 rank 2
gaia> show route static

Codes: C - Connected, S - Static, R - RIP, B - BGP,
O - OSPF IntraArea (IA - InterArea, E - External, N - NSSA)
A - Aggregate, K - Kernel Remnant, H - Hidden, P - Suppressed
S 0.0.0.0/0 via 192.168.3.1, eth0, cost 0, age 164115

S 192.0.2.100 is a blackhole route
S 192.0.2.240 is a reject route
gaia>

IPv6 Static Routes
IPv6 Static Routes

In This Section:

Troubleshooting 210

You can configure IPv6 static routes only one route at a time.
Procedure
Step Description
2 In the IPv6 Static Routes section, click Add.
3 In the Destination / Mask Length field, enter the IPv6 address and prefix (default prefix is
64).
4 Select the Next Hop Type field select:

source
5 In the Rank field, leave the default value (60), or enter the relative rank of the IPv6 static
route (an integer from 1 to 255).
This value specifies the rank for the configured route when there are overlapping routes from
different protocols.
7 In the Add Gateway section, click Add.
8 In the Gateway Address field, enter the IPv6 address of the next hop gateway.

IPv6 Static Routes
Step Description
9 In the Priority field, either do not enter anything, or select an integer between 1 and 8.
Priority defines the order for selecting the next hop gateway when multiple next hop
gateways are configured.
The lower the priority, the higher the preference - priority 1 means the highest preference,
and priority 8 means the lowest preference.
A next hop gateway with no priority configured is preferred over a next hop gateway with
priority configured.
You cannot configure two next hop gateways with the same priority, because IPv6 Equal
Cost Multipath Routes are not supported.
10 Click OK.
11 Select the Ping6 option, if you need to monitor next hops for the IPv6 static route using
ping6.
The Ping6 feature sends ICMPv6 Echo Requests to make sure the next hop gateway for a
static route is working.
12 Click Save.
13 In the Advanced Options section, you can configure the Ping6 behavior.
If you changed the default settings, you must click Apply .

IPv6 Static Routes

Syntax
Note - There are no "add" commands for the static route feature.
To add or configure the default static IPv6 route

set ipv6 static-route default
nexthop
gateway <IPv6 Address of Next Hop Gateway>
[priority <Priority>] {on | off}
interface <Name of Local Interface> [priority <Priority>] {on | off}
blackhole
reject
off
ping6 {on | off}
rank <Rank>
To add or configure the specific static IPv6 route

set ipv6 static-route <Destination IPv6 Address>
nexthop
gateway <IPv6 Address of Next Hop Gateway>
[priority <Priority>] {on | off}
interface <Name of Local Interface> [priority <Priority>] {on | off}
blackhole
reject
off
ping6 {on | off}
rank <Rank>
To show all configured static IPv6 routes

show ipv6 route static all
To remove the default static IPv6 route

set ipv6 static-route default off
To remove the specific static IPv6 route

set ipv6 static-route <Destination IPv6 Address> off
To remove the specific path only, when multiple next hop gateways are configured
set ipv6 static-route <Destination IPv6 Address> nexthop gateway <IPv6 Address of Next Hop Gateway> off
set ipv6 static-route <Destination IPv6 Address> nexthop gateway <Name of Local Interface> off

IPv6 Static Routes
Parameters
CLI Parameters
default Defines the default static IPv6 route.
<Destination IPv6 Defines the IPv6 address of destination host or network using the
Address> CIDR notation (IPv6 Address / Mask Length).
Example: fc00::/64
Mask length must be in the range 8-128.
comment {"Text" | Defines of removes the optional comment for the static route.
off}
the "show configuration" command.
nexthop Defines the next hop path, which can be a gateway, blackhole,
or reject.
gateway Specifies that this next hop accepts and sends packets to the
specified destination.
blackhole Specifies that this next hop drops packets, but does not send ICMP
unreachable packet to the traffic source.
reject Specifies that this next hop drops packets and sends ICMP
unreachable packet to the traffic source.
address <IPv6 Defines the IPv6 address of the next hop gateway.
Address of Next Hop
Gateway>
interface <Name of Identifies the next hop gateway by the local interface that connects
Local Interface> to it.
Use this option only if the next hop gateway has an unnumbered
interface.
priority <Priority> Defines the order for selecting the next hop gateway when multiple
next hop gateways are configured.
The lower the priority, the higher the preference - priority 1 means
the highest preference, and priority 8 means the lowest preference.
A next hop gateway with no priority configured is preferred over a
next hop gateway with priority configured.
You cannot configure two next hop gateways with the same priority,
because IPv6 Equal Cost Multipath Routes are not supported.
nexthop ... on Adds the specified next hop gateway.

IPv6 Static Routes
nexthop ... off Deletes the specified next hop gateway.

If you specify a next hop, only the specified path is deleted.
If you do not specify a next hop, the route and all related paths are
deleted.
off Removes the static route.
ping6 {on | off} Enables (on) or disables (off) the ping of specified next hop
gateways for IPv6 static routes.
The Ping6 feature sends ICMPv6 Echo Requests to make sure the
next hop gateway for a static route is working.
Gaia includes in the kernel forwarding table only next hop gateways,
which are verified as working.
When Ping6 is enabled, Gaia adds an IPv6 static route to the kernel
forwarding table only after at least one next hop gateway is
reachable.
To configure the ping6 behavior, run:
set ping count <value>
set ping interval <value>
rank <Rank> Selects a route, if there are many routes to a destination that use
different routing protocols.
The route with the lowest rank value is selected.
Use the rank keyword in place of the nexthop keyword with no
other parameters.
Accepted values are: default (60), integer numbers from 0 to
255.
In addition, see this command: set protocol-rank
protocol <Rank>

IPv6 Static Routes
Example
gaia> set ipv6 static-route 3100:192::0/64 nexthop gateway 3900:172::1 on
gaia> set ipv6 static-route 3100:192::0/64 nexthop gateway 3900:172::1 interface eth3 on
gaia> set ipv6 static-route 3100:192::0/64 nexthop gateway 3900:172::1 priority 3 on
gaia> set ipv6 static-route 3100:192::0/64 nexthop reject
gaia> set ipv6 static-route 3100:192::0/64 nexthop blackhole
gaia> set ipv6 static-route 3100:192::0/64 off
gaia> set ipv6 static-route 3100:192::0/64 nexthop gateway 3900:172::1 off
gaia> set ipv6 static-route 3100:192::0/64 nexthop gateway 3900:172::1 interface eth3 off
gaia> show ipv6 route static

Codes: C - Connected, S - Static, B - BGP, Rg - RIPng, A - Aggregate,
O - OSPFv3 IntraArea (IA - InterArea, E - External),
K - Kernel Remnant, H - Hidden, P - Suppressed
S 3100:55::1/64 is directly connected

S 3200::/64 is a blackhole route
S 3300:123::/64 is a blackhole route
S 3600:20:20:11::/64 is directly connected, eth3

IPv6 Static Routes
Troubleshooting
Scenario - SmartConsole does not let you enable the VPN Software Blade in the Security
Gateway object
Symptoms
You cannot enable the VPN Software Blade. SmartConsole shows this message:
VPN blade demands gateway's IP address corresponding to the

interface's IP addresses
Cause
IPv6 feature is active on the Security Gateway, but the main IPv6 address is not configured in the
Security Gateway object in SmartConsole.
Next Steps
2. Double-click the Security Gateway object.
3. From the left tree, click General Properties .
4. Configure the main IPv6 address.
5. Click OK.
6. Install the Access Control Policy on the Security Gateway object.

Configuring IPv6 Neighbor Entries
Configuring IPv6 Neighbor Entries

Description
You can add and delete entries in the Gaia IPv6 Neighbor table.
Note - You can add or delete Neighbor entries only from the Gaia Clish
Syntax
n To add an IPv6 neighbor entry:
add neighbor-entry ipv6-address <IPv6 Address of Neighbor>

macaddress <MAC Address of Neighbor> interface <Name of Local
Interface>
n To show an IPv6 neighbor entry:
show neighbor<SPACE><TAB>
show neighbor TABLE
n To delete an IPv6 neighbor entry:
delete neighbor-entry ipv6-address <IPv6 Address of Neighbor>

interface <Name of Local Interface>
Parameters
<IPv6 Address of Specifies the IPv6 address of a new static Neighbor Discovery
Neighbor> entry
<MAC Address of Specifies the MAC address for respective IPv6 address
Neighbor>
<Name of Local Name of the local interface that connects to the Neighbor
Interface>

NetFlow Export
NetFlow Export
In This Section:
Introduction 212
Configuration Options in Gaia Portal 214
Configuration Options in Gaia Clish 214
Configuration Procedure 217
Introduction
NetFlow is an industry standard for traffic monitoring. Cisco developed this network protocol to collect
network traffic patterns and volume.
One host (the NetFlow Exporter) sends information about its network flows to a different host (the NetFlow
Collector).
A network flow is a unidirectional stream of packets that contain the same set of characteristics.
You can configure Security Gateways and Cluster Members as an Exporter of NetFlow records for all the
traffic that passes through.
Note - The state of the SecureXL on a Security Gateway is irrelevant for NetFlow export.
The NetFlow Collector is a different external server, and you configure it separately.
NetFlow Export configuration is a list of collectors, to which the service sends records:
n To enable NetFlow, configure at minimum one NetFlow Collector.
n To disable NetFlow, remove all NetFlow Collectors from the Gaia configuration.
You can configure a maxumum of three NetFlow Collectors. Gaia sends the NetFlow records go to all
configured NetFlow Collectors. If you configure three NetFlow Collectors, Gaia sends each NetFlow record
three times.
Regardless of which NetFlow export format you configure, Gaia exports values as set of fields.

NetFlow Export
The fields
n Source IP address.
n Destination IP address.
n Source port.
n Destination port.
n Ingress physical interface index (defined by SNMP).
n Egress physical interface index (defined by SNMP).
n Packet count for this flow.
n Byte count for this flow.
n Start of flow timestamp (FIRST_SWITCHED).
n End of flow timestamp (LAST_SWITCHED).
n IP protocol number.
n TCP flags from the flow (TCP only).
n VSX VSID.
Notes:
n The IP addresses and TCP/UDP ports the NetFlow reports are the ones, on
which the NetFlow expects to receive traffic.
Therefore, for NAT connections, the NetFlow reports one of the two
directions of the flow with the NATed address.
n NetFlow sends the connection records after the connections terminated.
If the connections are open for a long time, it can take time for the NetFlow to
sends the records.

NetFlow Export
Configuration Options in Gaia Portal

To configure and edit the NetFlow settings, navigate to the Network Management section > NetFlow
Export page.
Configuration Options in Gaia Clish

Syntax
n To configure a new NetFlow collector:
add netflow collector ip <IPv4 Address of Collector> port

<Destination Port on Collector> [srcaddr <Source IPv4 Address>
export-format {Netflow_V5 | Netflow_V9 | IPFIX} enable {yes|no}
n To change settings of an existing NetFlow collector:
set netflow collector

ip <IPv4 Address of Collector> port <Destination Port on
Collector> export-format {Netflow_V5 | Netflow_V9 | IPFIX}
[srcaddr <Source IPv4 Address> enable {yes|no}
for-ip <IPv4 Address of Collector>
ip <IPv4 Address of Collector> port <Destination
Port on Collector> export-format {Netflow_V5 | Netflow_V9 |
IPFIX} [srcaddr <Source IPv4 Address> enable {yes|no}
for-port <Destination Port on Collector> ip <IPv4
Address of Collector> port <Destination Port on Collector>
export-format {Netflow_V5 | Netflow_V9 | IPFIX} [srcaddr <Source
IPv4 Address> enable {yes|no}
n To configure for which traffic the NetFlow exports its records:
set netflow fwrule {1 | 0}

NetFlow Export
n To show the configured NetFlow collectors:
show netflow
all
collector
enable
export-format
ip
port
srcaddr
for-ip <IPv4 Address of Collector>
enable
export-format
port
srcaddr
for-port <Destination Port on Collector>
enable
export-format
srcaddr
n To show for which traffic the NetFlow exports its records:
show netflow fwrule
n To delete a configured NetFlow collector:
delete netflow collector for-ip <IPv4 Address of Collector>

[for-port <Destination Port on Collector>
CLI Parameters
ip <IPv4 Address Specifies the destination IPv4 address of the NetFlow Collector, to
of Collector> which Gaia sends the NetFlow packets.
This parameter is mandatory.
port <Destination Specifies the destination UDP port number on the NetFlow Collector,
Port on Collector> on which the collector listens.
There is no default or standard port number for NetFlow.
srcaddr <Source Optional: Specifies the source IPv4 address of the NetFlow packets.
IPv4 Address> This must be an IPv4 address of the local host.
The default is an IPv4 address of the network interface, from which
Gaia sends the NetFlow packets.
We recommend the default.

NetFlow Export
export-format The NetFlow protocol version to use:

{Netflow_V5 |
Netflow_V9 | n Netflow_V5 - Protocol NetFlow v5
IPFIX} n Netflow_V9 - Protocol NetFlow v9 (default)
n IPFIX - Known as protocol "NetFlow v10"
Each NetFlow protocol version has a different packet format.
for-ip <IPv4 These parameters specify the configured NetFlow Collector.

Address of Notes:
Collector>
for-port n If you configured only one collector, it is not
necessary to use these parameters.
<Destination Port
n If you configured two or three collectors with different
on Collector>
IP addresses, use the "for-ip" parameter.
n If you configured two or three collectors with the
same IP address and different UDP ports, you must
use the "for-ip" and "for-port" parameters to
identify the collectors.
set netflow fwrule Specifies for which traffic the NetFlow exports its records:
{1 | 0}
n By default (value 1) the NetFlow export is enabled for traffic
accepted by all Access Control rules.
Note - If you upgraded to R81, and use this default
configuration, then delete the Access Control rules
with the Track option Log and Accounting you
configured in SmartConsole for this Security Gateway
(Cluster).
n Set the value 0 to enable the NetFlow export only for traffic
accepted by Access Control rules with the Track option Log
and Accounting you configured in SmartConsole.
Important - If you set the value 0, you must configure

the applicable Access Control rules.
show netflow Shows for which traffic the NetFlow exports its records:
fwrule
n Yes - The NetFlow export is enabled for traffic accepted by all
Access Control rules.
n No - The NetFlow export is enabled only for traffic accepted by
Access Control rules with the Track option Log and Accounting
you configured in SmartConsole.

NetFlow Export
Configuration Procedure
1. Configure the NetFlow Export settings in Gaia
You can configure these settings in Gaia Portal, or in Gaia Clish.
Configuring the NetFlow settings in Gaia Portal
a. In the left navigation tree, click Network Management > NetFlow Export.
b. In the Collectors section, click Add.
c. Enter the required data for each collector:
IP Address The destination IPv4 address, to which Gaia sends the NetFlow
packets.
UDP Port The destination UDP port number, on which the collector listens.
Number This parameter is mandatory.
There is no default or standard port number for NetFlow.
Export The NetFlow protocol version to use:

Format n Netflow_V5 - Protocol NetFlow v5
n Netflow_V9 - Protocol NetFlow v9
n IPFIX - Known as protocol "NetFlow v10"
Each protocol version has a different packet format.
The default is Netflow_V9.
Source IP Optional: The source IPv4 address of the NetFlow packets.

address This must be an IPv4 address of the local host.
The default is an IPv4 address of the network interface, from which
Gaia sends the NetFlow packets.
We recommend the default.
Enable Select this option to enable the configured NetFlow Collector.
d. Click OK.

NetFlow Export
e. In the Advanced Options section, the NetFlow Fw rule option controls for which traffic
the NetFlow exports its records:
n By default (this option is cleared) the NetFlow export is enabled for traffic
accepted by all Access Control rules.
Note - If you upgraded to R81, and use this default

configuration, then delete the Access Control rules with the
Track option Log and Accounting you configured in
SmartConsole for this Security Gateway (Cluster).
n Select this option to enable the NetFlow export only for traffic accepted by Access
Control rules with the Track option Log and Accounting you configured in
SmartConsole.
If you selected this option, you must click Apply .
Important - If you selected this option, you must configure the

applicable Access Control rules.
Configuring the NetFlow settings in Gaia Clish
a. Configure a new NetFlow collector:
add netflow collector ip <IPv4 Address of Collector> port

<Destination Port on Collector> [srcaddr <Source IPv4
Address> export-format {Netflow_V5 | Netflow_V9 | IPFIX}
enable {yes|no}
b. Configure for which traffic the NetFlow exports its records:
set netflow fwrule {1 | 0}
2. In SmartConsole, configure the explicit Access Control rule

Important - This step is necessary only in these cases:
n In Gaia Portal you selected the option "NetFlow Fw rule"
n In Gaia Clish you ran the command "set netflow
fwrule 0".
a. From the left navigation panel, click Security Policies .

b. Open the applicable policy.
c. In the top left corner, click Access Control > Policy .

NetFlow Export
d. Add an explicit rule for the traffic that you wish to export with NetFlow:
Important - In the Track column, you must select Log and Accounting.
Services &
Source Destination VPN Content Action Track
Applications
Source Destination *Any Applicable * Any Accept Log

Host or Host or service Accounting
Network Network objects
objects objects
e. Publish the SmartConsole session.

f. Install the Access Control policy on the Security Gateway or Cluster object.

System Management
System Management
This chapter includes procedures and reference information for:
n Time and Date
n Cloning Groups
n SNMP
n Job Scheduler
n Mail Notification
n Login Messages
n Session in Gaia Portal and Gaia Clish
n Core Dump Files
n System Logging
n Network Access over Telnet
n GUI Clients for Security Management Server
n LLDP

Time
Time
All Security Management Servers, Security Gateways, and Cluster Members must synchronize their
system clocks.
This is important for these reasons:
n SIC trust can fail if devices are not synchronized correctly.
n Cluster synchronization requires precise clock synchronization between members.
n SmartEvent Correlation uses time stamps that must be synchronized to approximately one a
second.
n To make sure that cron jobs run at the correct time.
n To do certificate validation for applications based on the correct time.
You can use these methods to set the system date and time:
n Network Time Protocol (NTP).
n Manually, in the Gaia Portal, or Gaia Clish.
Network Time Protocol (NTP)

Network Time Protocol (NTP) is an Internet standard protocol used to synchronize the clocks of computers
in a network to the millisecond.
NTP runs as a background client program on a client computer. It sends periodic time requests to specified
servers to synchronize the client computer clock.
Best Practice - Configure more than one NTP server for redundancy.

Configuring the Time and Date in Gaia Portal
Configuring the Time and Date in Gaia Portal

Configuring the Time and Date manually
Step Description
1 In the navigation tree, click System Management > Time.
2 Click Set Time and Date.
3 Enter the time and date in the applicable fields.
4 Click OK.
Configuring the Time and Date automatically with NTP
Step Description
2 Click Set Time and Date.
3 In the Time and Date Settings window, select Set Time and Date automatically using
Network Time Protocol (NTP).
4 Enter the Hostname or IP address of the primary and (optionally) secondary NTP servers.
Best Practice - Configure more than one NTP server for redundancy.
5 Select the NTP version for the applicable server.
6 Click OK.
Configuring the Time Zone
Step Description
2 Click Set Time Zone and select the time zone from the list.
3 Click OK.

Configuring the Time and Date in Gaia Clish
Showing the current system Date and Time
Syntax
show clock
Example
gaia> show clock

Wed Jan 8 15:20:00 2020 GMT+1
gaia>
Configuring and showing the Time
Syntax
n To configure the time:
set time <Time of the Day>
n To show the current time:
show time
Parameters
<Time of the Day> The current system time in HH:MM:SS format.

Configuring and showing the Date
Syntax
n To configure a date:
set date <Date>
n To configure the configured date:
show date
Parameters
<date> The date in the YYYY-MM-DD format.
Example
To configure the 20th of January 2020, run:
gaia> set date 2020-01-20

Configuring and showing the Time Zone
Syntax
n To configure the time zone:
set timezone <Area> / <Region>
Important - The spaces before and after the slash character (/) are mandatory.
n To show the configured time zone:
show timezone
Parameters
<Area> Continent or geographic area (case sensitive).

To see the valid values, press <SPACE> and <TAB>:
<Region> Region within the specified area (case sensitive).

To see the valid values, press <SPACE> and <TAB>:
Examples
gaia> set timezone America / Detroit

gaia> set timezone Asia / Tokyo

Configuring and showing the NTP
Syntax
n To add a new NTP server:
set ntp
active {on | off}
server
primary <IPv4 address or Hostname of NTP Server>
version {1|2|3|4}
secondary <IPv4 address or Hostname of NTP Server>
version {1|2|3|4}
n To show NTP configuration:
show ntp
active
current
servers
n To delete an NTP server:
delete ntp server <IPv4 address or Hostname of NTP Server>
Parameters
active Shows the NTP status (enabled or disabled).
current Shows the IP address or Host name of the NTP server Gaia uses right now.
servers Shows the configured NTP servers.
active {on | Enables (on) or disables (off) NTP.

off}
server Keyword that identifies the NTP server - time server, from which Gaia
synchronizes its clock.
The specified time server does not synchronize to the local clock of Gaia.
primary Configures the IP address or Host name of the primary NTP server.
secondary Configures the IP address or Host name of the secondary NTP server.
Best Practice - Configure more than one NTP server for

redundancy.

version Configures the version number of the NTP - 1, 2, 3, or 4.

{1|2|3|4}
Best Practice - Run NTP version 3.
Example
gaia> set ntp server primary pool.ntp.org version 3

gaia> set ntp active on
gaia> show ntp servers
IP Address Type Version
pool.ntp.org Primary 3

Cloning Group
Cloning Group
A Cloning Group is a collection of Gaia Security Gateways that synchronize their OS configurations and
settings for a number of shared features, for example DNS or ARP.

Configuring Cloning Groups in Gaia Portal

To create a new Cloning Group
Step Description
1 With a web browser, connect to Gaia Portal at:

2 Click System Management > Cloning Group.
3 Click Start Cloning Group Creation Wizard.

The Cloning Group Creation Wizard opens.
4 Select Create a new Cloning Group.

The New Gaia Cloning Group window opens.
a. In the Cloning Group Name field, enter a name for the Cloning Group.
b. In the IP for cloning field, select an IPv4 address (interface) for synchronizing settings
between member Security Gateways.
Select an interface on a secure internal network.
c. In the Password field, enter a password for the administration account (cadmin).
This password is necessary to:
n Manage the Cloning Group
n Add other Security Gateways to the Cloning Group
n Create encrypted traffic between members of the Cloning Group
d. In the Confirm Password field, enter the password again.
5 In the Shared Features screen, select features to clone to other members of the Cloning
Group.
Pay attention to the features you want to clone.
For example, you might not want to clone static routes to Security Gateways that are
members of a cluster.
6 Click Next for the Wizard Summary .
7 Click Finish.

List of Shared Features
The features are listed in the same order, in which they are shown in Gaia Portal.
Table: Shared Features in Gaia Portal
Shared Feature Description
SNMP Configure SNMP.
Banner Configure banner messages.

Messages
Job Scheduler Schedule automated tasks that perform actions at a specific time.
DNS Configure DNS servers.
ARP Configure static ARP entries and proxy ARP entries, control dynamic ARP
entries.
System Logging Configure system logging settings.
Host Access Configure which hosts are allowed to connect to the cluster devices.
Control
Proxy Settings Configure proxy settings.
Host Address Configure known hosts.

Assignment
NTP Configure Network Time Protocol for synchronizing the system's clock over
a network.
Password Policy Configure password and account policies.
Time Configure the time and date of the system.
Network Access Configure network access to Gaia.
Display Format Configure how the system displays time, date and netmask.
Mail Notification Configure email address, to which Gaia sends mail notifications.
Inactivity timeout Configure session parameters, such as inactivity timeout.
Users and Roles Configure users and roles settings.
Static Routes Configure static routes.
DHCP Relay Configure relay of DHCP and BOOTP messages between clients and
servers on different IPv4 Networks.
IPv6 DHCP Relay Configure relay of DHCPv6 messages between clients and servers on
different IPv6 Networks.

Table: Shared Features in Gaia Portal (continued)

Shared Feature Description
BGP Configure dynamic routing via the Border Gateway Protocol.
IGMP Establish multicast group memberships via the Internet Group Management
Protocol.
PIM Configure Protocol-Independent Multicast.
Static Multicast Configure static multicast routes.

Routes
RIP Configure IPv4 dynamic routing via the Routing Information Protocol.
RIPng Configure IPv6 dynamic routing via the Routing Information Protocol.
OSPF Configure IPv4 dynamic routing via the Open Shortest-Path First v2
protocol.
IPv6 OSPF Configure IPv6 dynamic routing via the Open Shortest-Path First v3
protocol.
Route Create a supernet network from the combination of networks with a

Aggregation common routing prefix.
Inbound Route Configure Inbound Route Filters for RIP, OSPFv2, BGP, and OSPFv3
Filters (supports IPv4 and IPv6).
IP Reachability Configure reachability detection of IP Addresses.

Detection
Route Configure advertisement of routing information from one protocol to another

Redistribution (supports IPv4 and IPv6).
Route Map Configure dynamic routing route maps.
Prefix Lists and Configure dynamic routing prefix lists and trees.
Trees
Routing Options Configure protocol ranks and trace (debug) options.
Policy Based Configure policy based routing (PBR) priority rules and action tables.
Routing
Scheduled Configure Gaia scheduled backups.

Backups

To manage a Cloning Group
Step Description
1 Sign out of the Gaia Portal.
2 Sign in to the same Gaia Portal using the cadmin account and password.
(Alternatively, log in to the Gaia Portal on the Security Gateway using the cadmin
credentials.)
Important - No unique URL or IP address is needed to access the Cloning Group

Portal or Clish command line. Use the URL or IP address of the member Security
Gateway.
3 In System Management > Cloning Group, select features from the Shared Features .
4 Click Set Shared Features .

The shared features are propagated to all members of the group.
If, for example, you then configure a primary DNS server on one member of the Cloning
Group, and DNS is one of the Shared Features , then the DNS settings are propagated to all
members of the group. The DNS settings in the Portal of each member are grayed out.
Note - A user that gets cloning group administration privileges (the RBA role
CloningGroupManagement), can manage specific Cloning Groups features
granted by the administrator and grant Cloning Group capabilities to other users,
including remote users. When these privileges are assigned, the Group Mode
button shows in Gaia Portal.
To manage a Cloning Group as an assigned administrator
Step Description
1 Connect to the Gaia Portal on a Cloning Group member Security Gateway.

With a web browser, connect to Gaia Portal at:
https://<IP address of Gaia Management
Interface>
2 At the top, click Group Mode.

The Security Gateway switches to Cloning Group management mode.

To join a Cloning Group
Step Description
1 Connect to the Gaia Portal on a Security Gateway.

2 In System Management > Cloning Group, click Start Cloning Group Creation Wizard.
The Cloning Group Wizard opens.
3 Select Join an existing Cloning Group.
4 The Join Existing Cloning Group window opens.
n In the Remote Member Address field, enter the IPv4 address of a remote member of
the Cloning Group.
n In the IP for cloning field, select an IP address (interface) for synchronizing the
settings between Security Gateways.
Select an interface on a secure internal network. Make sure there is a physical
connectivity to the Gaia computer that runs the Cloning Group, to which you wish to
join.
n In the Password field, enter a password for the Cloning Group administration account
(cadmin).
(The same password you entered when you created the Cloning Group, to which you
wish to join.)
The cadmin password:
l Lets you log in to the cadmin account
l Is used to create authentication credentials for members during
synchronization
5 Click Finish.

To create a Cloning Group that follows ClusterXL
Select this option, if the Security Gateway is a member of a ClusterXL.
Step Description
1 Connect to the Gaia Portal on a Security Gateway.

2 In System Management > Cloning Group, click Start Cloning Group Creation Wizard.
The Cloning Group Creation Wizard opens.
3 Select Cloning group follows ClusterXL.
n Enter the Cloning Group name.

n Enter a password for the Cloning Group administration account (cadmin).
4 Click Next for the Wizard Summary .
5 Click Finish.
6 Repeat Steps 1-5 for all members of the cluster.

Configuring Cloning Groups in Gaia Clish

In This Section:
Cloning Group Modes 235

CLI Syntax 236
Note - When run from the cadmin account, these commands apply to all members of
the Gaia group.
Cloning Group Modes

You can create Cloning Groups in either Manual mode, or ClusterXL mode.
To Create the first Cloning Group member in Manual mode
Step Description
1 Set the cloning group mode to manual.
2 Set the cloning group local IP address.
3 Set the cloning group password.
4 Set the cloning group state to on.
5 Optional: Set a name for the Cloning Group.
To Add other Security Gateways to the Cloning Group in Manual mode
Perform these steps on each of the Security Gateways.
Step Description
1 Set the cloning group mode to manual.
2 Set the cloning group local IP address.
4 Run the "join cloning group" command to join the Cloning Group.

To Create Cloning Group members in ClusterXL mode
Perform these steps on all member Security Gateways.
Step Description
1 Set the cloning group mode to ClusterXL.
3 Set the cloning group state to on.
CLI Syntax
To Create and configure a Cloning Group
Syntax
set cloning-group
local-ip <IPv4 address>
mode {manual | cluster-xl}
name <Name of Cloning Group>
password <Password>
state {on | off}
Parameters
local-ip <IPv4 The IPv4 address used to synchronize shared features between members
address> of the Cloning Group.
mode {manual | The mode determines whether the Cloning Group is defined manually, or
cluster-xl} through ClusterXL.
name <Name of Name of the Cloning Group.

Cloning Group>
password Password for the administrator's (cadmin) account, used to access the
<Password> Cloning Group configuration in the Gaia Portal, or Gaia Clish.
When prompted, enter and confirm the password.
state {on | Enables (on) or disables (off) the Cloning Group feature.

off}
Important - When you configure the state "off", the Security
Gateway is removed from the Cloning Group.

To add Shared Features
Syntax
add cloning-group shared-feature <Feature>
Parameters
< The name of the feature to be synchronized between the members of the Cloning
Feature> Group.
List of Shared Features
The features are listed in the same order, in which they are shown in Gaia Clish when you run the
"show cloning-group shared-feature" command.
Table: Shared Features in Gaia Clish
Name of Shared
Description
Feature
aggregate Configure route aggregation - create a supernet network from the

combination of networks with a common routing prefix.
bgp Configure dynamic routing via the Border Gateway Protocol.
bootp Configure IPv4 DHCP Relay - relay of DHCP and BOOTP messages
between clients and servers on different IPv4 Networks.
cron Configure job scheduler - schedule automated tasks that perform actions
at a specific time.
dhcp6relay Configure IPv6 DHCP Relay - relay of DHCPv6 messages between clients
and servers on different IPv6 Networks.
dns Configure DNS servers.
hosts Configure known hosts.
igmp Establish multicast group memberships via the Internet Group

Management Protocol.
inboundfilters Configure Inbound Route Filters for RIP, OSPFv2, BGP, and OSPFv3
(supports IPv4 and IPv6).
ipreachdetect Configure reachability detection of IP Addresses.
time Configure the time and date of the system.
ntp Configure Network Time Protocol (NTP) for synchronizing the system's
clock over a network.

Table: Shared Features in Gaia Clish (continued)

Name of Shared
Description
Feature
message Configure banner messages.
ospf Configure IPv4 dynamic routing via the Open Shortest-Path First v2
protocol.
ospf3 Configure IPv6 dynamic routing via the Open Shortest-Path First v3
protocol.
password- Configure password and account policies.

controls
mailrelay Configure email address, to which Gaia sends mail notifications.
display-format Configure how the system displays time, date and netmask.
http Configure session parameters, such as inactivity timeout.
net-access Configure network access to Gaia.
users-and- Configure users and roles settings.

roles
arp Configure static ARP entries and proxy ARP entries, control dynamic ARP
entries.
syslog Configure system logging settings.
proxy Configure proxy settings.
host-access Configure which hosts are allowed to connect to the cluster devices.
pbr Configure policy based routing (PBR) priority rules and action tables.
pim Configure Protocol-Independent Multicast.
prefix Configure dynamic routing prefix lists and trees.
redistribution Configure route redistribution - advertisement of routing information from

one protocol to another (supports IPv4 and IPv6).
rip Configure IPv4 dynamic routing via the Routing Information Protocol.
ripng Configure IPv6 dynamic routing via the Routing Information Protocol.
routemap Configure dynamic routing route maps.
routingoptions Configure protocol ranks and trace (debug) options.
static Configure static routes.

Table: Shared Features in Gaia Clish (continued)

Name of Shared
Description
Feature
static-mroute Configure static multicast routes.
snmp Configure SNMP.
backup Configure Gaia scheduled backups.
To delete Shared Features
Syntax
delete cloning-group shared-feature <Feature>
Parameters
<Feature> The name of the feature to be deleted from the list of shared features.
To see the list of the enabled Shared Features:
a. Enter:
delete cloning-group shared-feature
b. Press <SPACE> and <TAB>.
To join a Cloning Group
Syntax
join cloning-group remote-ip <IPv4 address of Cloning Group>
Parameters
<IPv4 address of Cloning The IPv4 address of the Cloning Group member, to which
Group> you join.
Note - This option is not available, if you are

logged into the cadmin account.
To remove a member from a Cloning Group

leave cloning-group

To remove an inaccessible Cloning Group member
Syntax
delete cloning-group disconnected-member <IPv4 address of Member>
Parameters
<IPv4 address of The IPv4 address of the Cloning Group member that became
Member> inaccessible.
Important - Use this command only for troubleshooting purposes, when the remote
Cloning Group member is not accessible. A normal way to remove a member from a
Cloning Group is to run the "leave cloning-group" command on that
member.
Notes:
n The Cloning Group configuration on the remote member itself does not
change, and as soon as the device regains connectivity, it joins the Cloning
Group again.
n This command can only be run if the Cloning Group is in Manual mode.
To view the Cloning Group configuration
Syntax
show cloning-group
local-ip
members
mode
name
shared-feature
state
status

Parameters
local-ip The IPv4 address used to synchronize shared features between the members of
the Cloning Group.
members Shows the members of the Cloning Group.
mode Shows the Cloning Group mode - Manual, or Cluster XL
name Shows the name of the Cloning Group
shared- Lists the shared features that are enabled to be used by all members of the
feature Cloning Group.
state Shows the Cloning Group state - enabled, or disabled.
status Shows the status of the Cloning Group member.
Note - This option is not available, if you are logged into the cadmin
account.
To synchronize a member in the Cloning Group

re-synch cloning-group
To Enable or disable the Cloning Group management mode
When a user (local or remote) receives Cloning Group management privileges, the user can enable (or
disable) the Cloning Group management mode, to create, delete, and edit Cloning Groups.
Syntax
set cloning-group-management {on | off}
Parameters
on Enables the Cloning Group management mode.
off Disables the Cloning Group management mode.

SNMP
SNMP
In This Section:
Introduction 242
SNMP v3 - User-Based Security Model (USM) 243
Enabling SNMP 244
SNMP Agent Address 244
SNMP Traps 244
Introduction
Simple Network Management Protocol (SNMP) is an Internet standard protocol. SNMP is used to send and
receive management information to other network devices. SNMP sends messages, called protocol data
units (PDUs), to different network parts. SNMP-compliant devices, called agents, keep data about
themselves in Management Information Bases (MIBs) and resend this data to the SNMP requesters.
Through the SNMP protocol, network management applications can query a management agent using a
supported MIB. The Check Point SNMP implementation lets an SNMP manager monitor the system and
modify selected objects only. You can define and change one read-only community string and one
read-write community string. You can set, add, and delete trap receivers and enable or disable various
traps. You can also enter the location and contact strings for the system.
Check Point Gaia supports SNMP v1, v2, and v3.
To view detailed information about each MIB that the Check Point implementation supports (also, see
sk90470):
MIB Location
Standard MIBs /usr/share/snmp/mibs/*.txt
Check Point MIBs $CPDIR/lib/snmp/chkpnt.mib

$CPDIR/lib/snmp/chkpnt-trap.mib
Check Point Gaia trap MIB /etc/snmp/GaiaTrapsMIB.mib
Notes:
n The Check Point implementation also supports the User-based Security model
(USM) portion of SNMPv3.
n The Gaia implementation of SNMP is built on NET-SNMP. Changes were made
to the first version to address security and other fixes. For more information, see
Net-SNMP.
Warning - If you use SNMP, we recommend that you change the community strings for
security purposes. If you do not use SNMP, disable SNMP or the community strings.

SNMP
SNMP, as implemented on Check Point platforms, enables an SNMP manager to monitor the device using
GetRequest, GetNextRequest, GetBulkRequest, and a select number of traps.
The Check Point implementation also supports using SetRequest to change these attributes:
sysContact, sysLocation, and sysName. You must configure read-write permissions for set
operations to work.
Use Gaia to run these tasks:
n Define and change one read-only community string.
n Define and change one read-write community string.
n Enable and disable the SNMP daemon.
n Create SNMP users.
n Change SNMP user accounts.
n Add or delete trap receivers.
n Enable or disable the various traps.
n Enter the location and contact strings for the device.
SNMP v3 - User-Based Security Model (USM)

Gaia supports the user-based security model (USM) component of SNMPv3 to supply message-level
security. With USM (described in RFC 3414), access to the SNMP service is controlled based on user
identities. Each user has a name, an authentication pass phrase (used for identifying the user), and an
optional privacy pass phrase (used for protection against disclosure of SNMP message payloads).
The system uses the MD5 hashing algorithm to supply authentication and integrity protection and DES to
supply encryption (privacy).
Best Practice - Use authentication and encryption. You can use them independently
by specifying one or the other with your SNMP manager requests. The Gaia responds
accordingly.
SNMP users are maintained separately from system users. You can create SNMP user accounts with the
same names as existing user accounts or different. You can create SNMP user accounts that have no
corresponding system account. When you delete a system user account, you must separately delete the
SNMP user account.

SNMP
Enabling SNMP
The SNMP daemon is disabled by default.
If you choose to use SNMP, enable and configure it according to your security requirements.
At minimum, you must change the default community string to something other than public.
You can choose to use all versions of SNMP (v1, v2, and v3) on your system, or to grant SNMPv3 access
only.
Best Practice - If your SNMP management station supports SNMP v3, select only
SNMP v3 on Gaia. SNMPv3 limits community access. Only requests from users with
enabled SNMPv3 access are allowed, and all other requests are rejected.
Note - If you do not plan to use SNMP to manage the network, disable it. Enabling
SNMP opens potential attack vectors for surveillance activity. It lets an attacker learn
about the configuration of the device and the network.
SNMP Agent Address

An SNMP Agent address is a specified IP address, on which the SNMP agent listens and reacts to
requests.
The default behavior is for the SNMP agent to listen to and react to requests on all interfaces. If you specify
one or more agent addresses, the system SNMP agent listens and responds only on those interfaces.
You can use the agent address as a different method to limit SNMP access. For example: you can limit
SNMP access to one secure internal network that uses a specified interface. Configure that interface as
the only agent address.
SNMP Traps
Managed devices use trap messages to report events to the Network Management Station (NMS).
When some types of events occur, the platform sends a trap to the management station.
The Gaia proprietary traps are defined in the /etc/snmp/GaiaTrapsMIB.mib file.
Gaia supports these types of SNMP traps:
Table: SNMP Traps in Gaia
Type of Trap Description
coldStart Notifies when the SNMPv2 agent is re-initialized.
linkUpLinkDown Notifies when one of the links changes state to up or down.
authorizationError Notifies when an SNMP operation is not properly authenticated.
configurationChange Notifies when a change to the system configuration is applied.
configurationSave Notifies when a permanent change to the system configuration occurs.

SNMP
Table: SNMP Traps in Gaia (continued)

Type of Trap Description
lowDiskSpace Notifies when space on the system disk is low.

Sent if the disk space utilization in the / partition has reached 80 percent
or more of its capacity.
powerSupplyFailure Notifies when a power supply for the system fails.

This trap is supported only on platforms with two power supplies installed
and running.
fanFailure Notifies when a CPU or chassis fan fails.
overTemperature Notifies when the temperature rises above the threshold.
highVoltage Notifies if one of the voltage sensors exceeds its maximum value.
lowVoltage Notifies if one of the voltage sensors falls below its minimum value.
raidVolumeState Notifies if the raid volume state is not optimal.

This trap works only if RAID is supported on the Gaia computer.
To make sure that RAID monitoring is supported, run the command
raid_diagnostic and confirm that it shows the RAID status.
biosFailure Notifies when the Primary BIOS failure is detected.

Sent once the event occurs. Applies to computers with Dual BIOS.
vrrpv2AuthFailure Notifies when the VRRP Cluster Member has packet an authentication
failure in VRRPv2 (IPv4) and VRRPv3 (IPv6).
Sent each polling interval.
vrrpv2NewMaster Notifies when the VRRP Cluster Member transitioned to VRRP Master

state in VRRPv2 (IPv4).
vrrpv3NewMaster Notifies when the VRRP Cluster Member transitioned to VRRP Master
state in VRRPv3 (IPv6).
vrrpv3ProtoError Notifies when the VRRP Cluster Member has a protocol error in VRRPv2
(IPv4) and VRRPv3 (IPv6).

Configuring SNMP in Gaia Portal

For detailed information, see sk90860: How to configure SNMP on Gaia OS.
To enable SNMP
Step Description
1 In the navigation tree, click System Management > SNMP.
2 Select Enable SNMP Agent.
3 In the Version drop down list, select the version of SNMP to run:
n 1/v2/v3 (any)
Select this option if your SNMP management station does not support SNMPv3.
n v3-Only
Select this option if your SNMP management station supports v3.
SNMPv3 provides a higher level of security than v1 or v2.
4 In SNMP Location String, enter a string that contains the location for the system.
The maximum length for the string is 128 characters.
That includes letters, numbers, spaces, special characters
For example: Bldg 1, Floor 3, WAN Lab, Fast Networks, Speedy, CA
5 In SNMP Contact String, enter a string that contains the contact information for the device.
The maximum length for the string is 128 characters.
That includes letters, numbers, spaces, special characters.
For example: John Doe, Network Administrator, (111) 222-3333
6 Click Apply .
To set an SNMP Agent interface
Step Description

The SNMP Addresses table shows the applicable interfaces and their IP addresses.
2 By default, all interfaces are selected. You can select the individual interfaces.
Note - If you do not specify agent addresses, the SNMP protocol responds to
requests from all interfaces.

To configure the SNMP community strings
Step Description
1 In the V1/V2 Settings section, in Read Only Community String, set a string other than
public .
You must always use this is a basic security precaution.
2 Optional.
Set a Read-Write Community String.
Warning - Set a read-write community string only if you have reason to enable set
operations, and if your network is secure.

To add a USM user
Step Description
2 In the V3 - User-Based Security Model (USM) section, click Add.

The Add New USM User window opens.
3 In the User Name, enter the applicable user name that is between 1 and 31 alphanumeric
characters with no spaces, backslash, or colon characters.
This can be the same as a user name for system access.
4 In the Security Level , select one of these options from the drop-down list:
n authPriv - The user has authentication and privacy pass phrases and can connect
with privacy encryption.
n authNoPriv - The user has only an authentication pass phrase and can connect only
without privacy encryption.
5 In the User Permissions , select one of these options from the drop-down list:
n read-only
n read-write
6 In the Authentication Protocol , select one of these options from the drop-down list:
n MD5
n SHA1
The default is MD5.
7 In the Authentication Pass Phrase, enter a password for the user that is between 8 and 128
characters in length.
8 In the Privacy Protocol , select:
n DES
n AES
The default is DES.
9 In the Privacy Pass Phrase, enter a pass phrase that is between 8 and 128 characters in
length.
Used for protection against disclosure of SNMP message payloads.
10 Click Save.
The new user shows in the table.

To delete a USM user
Step Description
2 In the V3 - User-Based Security Model (USM) section, select the user and click Remove.
The Deleting USM User Entry window opens.
3 The window shows this message:

Are you sure you want to delete "username" entry?.
Click Yes .
To edit a USM user
Step Description
2 In the V3 - User-Based Security Model (USM) section, select the user and click Edit.
The Edit USM User window opens.
3 You can change the Security Level , User Permissions , the Authentication Protocol , the
Authentication Passphrase, or the Privacy Protocol .
4 Click Save.
To enable or disable SNMP trap types
Step Description
2 In the Enabled Traps section, click Set.

The Add New Trap Receiver window opens.
n To enable a trap:
Select from the Disabled Traps list, and click Add>
n To disable a trap:
Select from the Enabled Traps list, and click Remove>
3 Click Save.
4 Add a USM user.

You must do this even if you use only SNMPv1 or SNMPv2.
In the Trap User, select an SNMP user.
5 In Polling Frequency , specify the number of seconds between polls.
6 Click Apply .

To configure SNMP trap receivers
Step Description
2 In the Trap Receivers Settings section, click Add.

The Add New Trap Receiver window opens.
3 In the IPv4 Address , enter the IP address of an SNMP receiver.
4 In the Version, select the SNMP Version for the specified receiver.
5 In the Community String, enter the SNMP community string for the specified receiver.
6 Click Save.
To edit SNMP trap receivers
Step Description
2 In the Trap Receivers Settings section, select the SNMP receiver and click Edit.
The Edit Trap Receiver window opens.
3 You can change the SNMP version or the SNMP community string.
4 Click Save.
To delete SNMP trap receivers
Step Description
2 In the Trap Receivers Settings section, select the SNMP trap receiver and click Remove.
The Deleting Trap Receiver Entry window opens.
3 The window shows this message: Are you sure you want to delete "IPv4 address" entry?
Click Yes .

Configuring SNMP in Gaia Clish

For detailed information, see sk90860: How to configure SNMP on Gaia OS.
Best Practice:
For commands that include "auth-pass-phrase", "privacy-pass-phrase", or
both, use the hashed commands.
To get the hashed password, run the "show configuration snmp" command.
Syntax for the 'set' commands

Note - To see all available commands:
1. Enter:
set snmp
2. Press <SPACE>
3. Press <ESC><ESC>
Syntax
set snmp agent {on | off}

set snmp agent-version {any | v3-Only}
set snmp clear-trap interval <Value> retries <Value>

set snmp custom-trap <Custom Trap Name> <Property> <Value>
set snmp traps coldStart-threshold <Seconds>
set snmp traps polling-frequency <Seconds>
set snmp traps receiver <IPv4 address> version {v1 | v2 | v3}
community <String>
set snmp traps trap {authorizationError | biosFailure | coldStart |
configurationChange | configurationSave | fanFailure | highVoltage |
linkUpLinkDown | lowDiskSpace | lowVoltage | overTemperature |
powerSupplyFailure | raidVolumeState | vrrpv2AuthFailure |
vrrpv2NewMaster | vrrpv3NewMaster | vrrpv3ProtoError}
set snmp traps trap-user <UserName>
set snmp community <String> {read-only | read-write}
set snmp contact <Contact Information>

set snmp location <Location Information>
set snmp mode {default | vs}

set snmp usm user <UserName> security-level authPriv auth-pass-

phrase <Pass Phrase> privacy-pass-phrase <Privacy Pass Phrase>
privacy-protocol {DES | AES} authentication-protocol {MD5 | SHA1}
set snmp usm user <UserName> security-level authPriv auth-pass-
phrase-hashed <Hashed Pass Phrase> privacy-pass-phrase <Privacy Pass
Phrase> privacy-protocol {DES | AES} authentication-protocol {MD5 |
SHA1}
set snmp usm user <UserName> security-level authNoPriv auth-pass-
phrase <Pass Phrase> authentication-protocol {MD5 | SHA1}
set snmp usm user <UserName> security-level authNoPriv auth-pass-
phrase-hashed <Hashed Pass Phrase>
set snmp usm user <UserName> {usm-read-only | usm-read-write}
set snmp usm user <UserName> vsid {all | <IDs of allowed Virtual
Devices> }
set snmp vs-direct-access {on | off}
Description of commands
Command Description
set snmp agent- Configures the supported SNMP version:

version {any | v3-
Only} n all - Support SNMP v1, v2 and v3.
n v3-Only - Support SNMP v3 only.
set snmp agent {on | Enables (on) or disables (off) the SNMP Agent.
off}
set snmp clear-trap Configures the indication of a custom SNMP trap termination.
...
set snmp community Configures the SNMP community password and if this password
<String> {read-only lets you only read the values of SNMP objects (read-only), or set
| read-write} the values as well (read-write).
set snmp contact ... Configures the contact name for the SNMP community.
set snmp custom-trap Configures the custom SNMP trap.

...
set snmp location Configures the contact location for the SNMP community.
...

Command Description
set snmp mode Configures how to run the SNMP daemon:

{default | vs}
n default
l On non-VSX Gateway, this is the only supported mode.
l On VSX Gateway, SNMP daemon runs only in the
context of VS0.
n vs
l For VSX Gateway only.
l Each Virtual Device has a separate SNMP daemon
running in the context of that Virtual Device.
set snmp traps Configures the threshold for the SNMP coldStart trap.
coldStart-threshold
<Seconds>
set snmp traps Configures the polling interval for the SNMP traps.
polling-frequency
<Seconds>
set snmp traps Configures the IPv4 address of the SNMP Trap Sink.
receiver ...
set snmp traps trap- Configures the user, which will generate the SNMP traps.
user <UserName>
set snmp traps trap Configures the Gaia built-in SNMP traps.
...
set snmp usm user Configures the SNMPv3 USM user.

<UserName> ...
set snmp vs-direct- Enables (on) and disables (off) the SNMP direct queries on the IP
access {on | off} address of a Virtual System (not only VS0), or Virtual Router.
This mode works only when SNMP vs mode is enabled.
See the R81 VSX Administration Guide.
Syntax for the 'add' commands

1. Enter:
add snmp
2. Press <SPACE>
3. Press <ESC><ESC>
Syntax
add snmp interface <Name of Interface>

add snmp traps receiver <IPv4 address> version {v1 | v2 | v3}

community <String>
add snmp custom-trap <Custom Trap Name> oid <Value> operator
<Logical Operator> threshold <Value> frequency <Value> message
<Text>
add snmp usm user <UserName> security-level authPriv auth-pass-

phrase <Pass Phrase> privacy-pass-phrase <Privacy Pass Phrase>
privacy-protocol {DES | AES} authentication-protocol {MD5 | SHA1}
add snmp usm user <UserName> security-level authPriv auth-pass-
phrase-hashed <Hashed Pass Phrase> privacy-pass-phrase <Privacy Pass
Phrase> privacy-protocol {DES | AES} authentication-protocol {MD5 |
SHA1}
add snmp usm user <UserName> security-level authNoPriv auth-pass-
phrase <Pass Phrase> authentication-protocol {MD5 | SHA1}
add snmp usm user <UserName> security-level authNoPriv auth-pass-
phrase-hashed <Hashed Pass Phrase>
Command Description
add snmp custom-trap Adds a customer SNMP trap.

...
add snmp interface Adds a local interface to the list of local interfaces, on which the
... SNMP daemon listens.
add snmp traps Adds a SNMP Trap Sink.

receiver ...
add snmp usm user Adds an SNMPv3 USM user.

...
Syntax for the 'delete' commands

1. Enter:
delete snmp
2. Press <SPACE>
3. Press <ESC><ESC>
Syntax
delete snmp clear-trap

delete snmp traps coldStart-threshold
delete snmp traps polling-frequency
delete snmp traps receiver <IPv4 address>
delete snmp traps trap-user <UserName>
delete snmp custom-trap <Custom Trap Name>

delete snmp community <String>
delete snmp contact <Contact Information>

delete snmp location <Location Information>
delete snmp interface <Name of Interface>
delete snmp usm user <UserName>
Command Description
delete snmp clear-trap Removes the indication of a custom SNMP trap termination.
delete snmp community Removes the SNMP community password.

<String>
delete snmp contact ... Removes the contact name for the SNMP community.
delete snmp custom-trap Removes the custom SNMP trap.

<Custom Trap Name>
delete snmp interface Removes the local interface from the list of local interfaces,
<Name of Interface> on which the SNMP daemon listens.
delete snmp location ... Removes the contact location for the SNMP community.
delete snmp traps Removes the threshold for the SNMP coldStart trap.
coldStart-threshold
delete snmp traps polling- Removes the polling interval for the SNMP traps.
frequency
delete snmp traps receiver Removes the IPv4 address of the SNMP Trap Sink.
<IPv4 address>
delete snmp traps trap- Removes the user, which will generate the SNMP traps.
user <UserName>
delete snmp usm user Removes the SNMPv3 USM user.

<UserName>

Interpreting SNMP Error Messages

This section lists and explains certain common error status values that can appear in SNMP messages.
SNMP PDU
Within the SNMP PDU, the third field can include an error-status integer that refers to a specific problem.
The integer zero (0) means that no errors were detected.
When the error field is anything other than 0, the next field includes an error-index value that identifies the
variable, or object, in the variable-bindings list that caused the error.
This table lists the error status codes and their meanings:
Error status code Meaning Error status code Meaning
0 noError 10 wrongValue
1 tooBig 11 noCreation
2 NoSuchName 12 inconsistentValue
3 BadValue 13 resourceUnavailable
4 ReadOnly 14 commitFailed
5 genError 15 undoFailed
6 noAccess 16 authorizationError
7 wrongType 17 notWritable
8 wrongLength 18 inconsistentName
9 wrongEncoding
Note - You might not see the codes. The SNMP manager or utility interprets the codes
and then logs the appropriate message.
Within the SNMP PDU, the fourth field, contains the error index when the error-status field is nonzero.
That is, when the error-status field returns a value other than zero, which indicates that an error occurred.
The error-index value identifies the variable, or object, in the variable-bindings list that caused the error.
The first variable in the list has index 1, the second has index 2, and so on.

Within the SNMP PDU, the fifth field, is the variable-bindings field.

This field consists of a sequence of pairs:
n The first element in a pair is the identifier.
n The second element in a pair is one of these options: value, unSpecified, noSuchOjbect,
noSuchInstance, or EndofMibView.
This table describes the elements:
Variable-bindings
Description
element
value Value that is associated with each object instance. This value is specified in a
PDU request.
unSpecified A NULL value is used in retrieval requests.
noSuchObject Indicates that the agent does not implement the object, to which it refers by this
object identifier.
noSuchInstance Indicates that this object does not exist for this operation.
endOfMIBView Indicates an attempt to reference an object identifier that is beyond the end of
the MIB at the agent.
GetRequest
This table lists possible value field sets in the response PDU or error-status messages when performing an
SNMP GetRequest.
Value Field Set Description
noSuchObject If a variable does not have an OBJECT IDENTIFIER prefix that exactly matches
the prefix of any variable accessible by this request, its value field is set to
noSuchObject.
noSuch If the variable's name does not exactly match the name of a variable, its value field
Instance is set to noSuchInstance.
genErr If the processing of a variable fails for any other reason, the responding entity
returns genErr and a value in the error-index field that is the index of the problem
object in the variable-bindings field.
tooBig If the size of the message that encapsulates the generated response PDU exceeds
a local limitation or the maximum message size of the request's source party, then
the response PDU is discarded and a new response PDU is constructed. The new
response PDU has an error-status of tooBig, an error-index of zero, and an
empty variable-bindings field.

GetNextRequest
The only values that can be returned as the second element in the variable-bindings field to a
GetNextRequest when an error-status code occurs are unSpecified or endOfMibView.
GetBulkRequest
The GetBulkRequest minimizes the number of protocol exchanges and lets the SNMPv2 manager
request that the response is large as possible.
The GetBulkRequest PDU has two fields that do not appear in the other PDUs: non-repeaters and
max-repetitions. The non-repeaters field specifies the number of variables in the variable-bindings list, for
which a single-lexicographic successor is to be returned. The max-repetitions field specifies the number of
lexicographic successors to be returned for the remaining variables in the variable-bindings list.
If at any point in the process, a lexicographic successor does not exist, the endofMibView value is
returned with the name of the last lexicographic successor, or, if there were no successors, the name of
the variable in the request.
If the processing of a variable name fails for any reason other than endofMibView, no values are
returned. Instead, the responding entity returns a response PDU with an error-status of genErr and a
value in the error-index field that is the index of the problem object in the variable-bindings field.

Job Scheduler
Job Scheduler
You can schedule regular jobs.
You can configure the jobs to run at the dates and times that you specify, or at startup.

Configuring Job Scheduler in Gaia Portal

To schedule jobs
Step Description
1 In the navigation tree, click System Management > Job Scheduler.
2 Click Add.
The Add A New Scheduled Job window opens.
3 In the Job Name, enter the name of the job.

Use alphanumeric characters only, and no spaces.
4 In the Command to Run, enter the name of the command.

The command must be a UNIX command.
Note - If you wish to run a Check Point command, then use this syntax (see
sk90441):
source /etc/profile.d/CP.sh ; <your command>
5 Below the Schedule, select the frequency (Daily , Weekly , Monthly , At startup) for this job.
Where applicable, enter the Time of day for the job, in the 24-hour clock format (HH:MM).
6 Click OK.
The job shows in the Scheduled Jobs table.
7 In the E-mail Notification, enter the e-mail address, to which Gaia should send the
notifications.
Note - You must also configure a Mail Server (see "Mail Notification" on page 265).
8 Click Apply .
To delete scheduled jobs
Step Description
2 In the Scheduled Jobs table, select the job to delete.
3 Click Delete.
(Click Cancel to abort.)

To edit the scheduled jobs
Step Description
2 In the scheduled Jobs table, select the job that you want to edit.
3 Click Edit.
The Edit Scheduled Job opens.
4 Enter the changes.
5 Click OK.

Configuring Job Scheduler in Gaia Clish

Description
Use these commands to configure Gaia to schedule jobs. The jobs run on the dates and times you specify.
You can define an email address, to which Gaia sends the output of the scheduled job.
Syntax
To add scheduled jobs

add cron job <Job Name> command <Command> recurrence
daily time <HH:MM>
monthly month <1-12> days <1-31> time <HH:MM>
weekly days <1-31> time <HH:MM>
system-startup
To change existing scheduled jobs

set cron job <Job Name>
command <Command>
recurrence
daily time <HH:MM>
monthly month <1-12> days <1-31> time <HH:MM>
weekly days <1-31> time <HH:MM>
system-startup
set cron mailto <Email Address>
To monitor configured scheduled jobs

show cron
job <Job Name>
command
recurrence
jobs
mailto
To delete scheduled jobs

delete cron
all
job <Job Name>
mailto
Note - Only the show commands provide an output.

Parameters
CLI Parameters
<Job Name> The name of the job that will be scheduled.
<Command> The command that will be scheduled.
recurrence daily time Specifies that the job should run once a day - every day, at
<HH:MM> specified time.
Enter the time of day in the 24-hour clock format -
<Hours>:<Minutes>.
Example: 14:35
recurrence monthly month Specifies that the job should run once a month - on
<1-12> days <1-31> time specified months, on specified dates, and at specified
<HH:MM> time.
Months are specified by numbers from 1 to 12:
n January = 1
n February = 2
n ...
n December = 12
Dates of month are specified by numbers from 1 to 31.
To specify several consequent months, enter their
numbers separate by commas.
Example: For January, February, and March, enter
1,2,3
To specify several consequent dates, enter their numbers
separate by commas.
Example: For 1st, 2nd and 3rd day of the month, enter
1,2,3
recurrence weekly days <1- Specifies that the job should run once a week - on
31> time <HH:MM> specified days of week, and at specified time.
Days of week are specified by numbers from 0 to 6:
n Sunday = 0
n Monday = 1
n Tuesday = 2
n Wednesday = 3
n Thursday = 4
n Friday = 5
n Saturday = 6
To specify several consequent days of a week, enter their

Example: For Sunday, Monday, and Tuesday, enter
0,1,2
recurrence system-startup Specifies that the job should at every system startup.

mailto <Email Address> Specifies the email address, to which Gaia sends the jobs'
results.
Enter one email address for each command. You must
also configure a mail server (see "Mail Notification" on
page 265).

Mail Notification
Mail Notification
In This Section:
Introduction 265
Configuring Mail Notification in Gaia Portal 265
Configuring Mail Notification in Gaia Clish 266
Introduction
Mail notifications (also known as Mail Relay) allow you to send email from the Security Gateway.
You can send email interactively or from a script. The email is relayed to a mail hub that sends the email to
the final recipient.
Mail notifications are used as an alerting mechanism when a Firewall rule is triggered. It is also used to
email the results of cron jobs to the system administrator.
Gaia supports these mail notification features:
n Presence of a mail client or Mail User Agent (MUA) that can be used interactively or from a script.
n Presence of a Sendmail-like replacement that relays mail to a mail hub by using SMTP.
n Ability to specify the default recipient on the mail hub.
Gaia does not support these mail notification features:
n Incoming e-mail.
n Mail transfer protocols other than outbound SMTP.
n Telnet to port 25.
n E-mail accounts other than admin or monitor.
Configuring Mail Notification in Gaia Portal

Step Description
1 In the navigation tree, click System Management > Mail Notification.
2 In the Mail Server field, enter the IPv4 Address or Hostname of the mail server.
For example: mail.example.com
3 In the User Name field, enter the user name.

For example: [email protected]
4 Click Apply .

Mail Notification
Configuring Mail Notification in Gaia Clish

Description
Use this group of commands to configure mail notifications.
Syntax
n To configure the mail server that receives the mail notifications:
set mail-notification server <IPv4 Address or Hostname>
n To configure the user on the mail server that receives the mail notifications:
set mail-notification username <User Name>
n To show the configured mail server and user:
show mail-notification
server
username
Parameters
server <IPv4 Address or The IPv4 address or Hostname of the mail server, to which Gaia
Hostname> sends mail notifications.
Example: mail.company.com
username <User Name> The username on the mail server that receives the admin or
monitor mail notifications.
Example: johndoe
Example
gaia> set mail-notification server mail.company.com

gaia> set mail-notification username johndoe
gaia> show mail-notification server
Mail notification server: mail.company.com
gaia> show mail-notification username
Mail notification user: johndoe

Messages
Messages
In This Section:
Comparison 267
Configuring Messages in Gaia Portal 267
Configuring Messages in Gaia Clish 268
Limits 270
You can configure Gaia to show a Banner Message and a Message of the Day to users when they log in.
Comparison
Banner Message Message of the Day
Default Message This system is for authorized You have logged into
use only the system
When shown in Browser login page, before logging in After logging in to the system
Gaia Portal
When shown in When logging in, before entering the After logging in to the system
Gaia Clish password
Default state Enabled Disabled
Configuring Messages in Gaia Portal

Step Description
1 In the navigation tree, click System Management > Messages .
2 To enter a Banner message, select Banner message.
3 To enter a Message of the Day, select Message of the day .
4 Enter the message text.

See the Limits section below.
5 Click Apply .

Messages
Configuring Messages in Gaia Clish

Syntax for Banner message
n To show if the banner message is enabled or disabled:
show message banner status
show message all status
n To show the configured banner message:
show message banner
show message all
n To define a new single-line banner message:
set message banner on msgvalue <Banner Text>

Example:
gaia> set message banner on msgvalue "This system is private and
confidential"
n To define a new multi-line banner message:
set message banner on line msgvalue <Banner Text for Line #1>
set message banner on line msgvalue <Banner Text for Line #2>
n To enable or disable the configured banner message:
set message banner on
set message banner off
n To delete the configured banner message perform these two steps:

1. Delete the user-defined banner message:
delete message banner
Note - This deletes the configured banner message, and replaces it

with the default banner message "This system is for
authorized use only."
2. Disable the default banner:
set message banner off

Messages
Syntax for Message of the Day
n To show the configured message of the day:
show message motd
show message all
n To show if the message of the day is enabled or disabled:
show message motd status
show message all status
n To define a new single-line message of the day:
set message motd on msgvalue <Message Text>

Example:
gaia> set message motd on msgvalue "Hi all - no changes allowed
today"
n To define a new multi-line message of the day:
set message motd on line msgvalue <Message Text for Line #1>
set message motd on line msgvalue <Message Text for Line #2>

n To enable or disable the configured message of the day:
set message motd on
set message motd off
n To delete the configured message of the day, perform these two steps:
1. Delete the user-defined message of the day:
delete message motd
Note - This deletes the configured message of the day, and replaces it
with the default message of the day "You have logged into
the system."
2. Disable the default message of the day:
set message motd off

Messages
Limits
Maximal supported Maximal supported Maximal supported
total number total number number of
Message type
of characters of lines characters
in the message in the message in each line
Banner 1600 20 80
Message of the day 1200 20 400

Display Format
Display Format
In This Section:
Configuring Display Format in Gaia Portal 271

Configuring Display Format in Gaia Clish 272
You configure format for the Time, Date, and IPv4 netmask on Gaia.
Configuring Display Format in Gaia Portal

Step Description
1 In the navigation tree, click System Management > Display Format.
2 In Time, select one of these options:
n 12-hour
n 24-hour
3 In Date, select one of these options:
n dd/mm/yyyy
n mm/dd/yyyy
n yyyy/mm/dd
n dd-mmm-yyyy
4 In IPv4 netmask , select one of these options:
n Dotted-decimal notation
n CIDR notation
5 Click Apply .

Display Format
Configuring Display Format in Gaia Clish

Syntax for the Time
n To show the current time format:
show format time
show format all
n To configure the time format:
set format time

12-hour
24-hour
Syntax for the Date

n To show the current date format:
show format date
show format all
n To configure the date format:
set format date

dd/mm/yyyy
mm/dd/yyyy
yyyy/mm/dd
dd-mmm-yyyy
Syntax for the IPv4 netmask

n To show the current IPv4 netmask format:
show format netmask
show format all
n To configure the IPv4 netmask format:
set format netmask

dotted
length

Session
Session
You can manage inactivity timeout for Gaia Portal and Gaia Clish.
Configuring the Session in Gaia Portal

Step Description
1 In the navigation tree, click System Management > Session.
2 In the Command Line Shell section, configure the inactivity timeout for the Gaia Clish.
3 In the Web UI section, configure the inactivity timeout for the Gaia Portal.
n Range: 1 - 720 minutes

n Default: 10 minutes
Configuring the Session in Gaia Clish
Syntax
n To configure the timeout:
set inactivity-timeout <Timeout>
n To show the configured timeout:
show inactivity-timeout
Parameters
<Timeout> The inactivity timeout (in minutes) for the Gaia Clish.
n Range: 1 - 720 minutes
n Default: 10 minutes

Crash Data
Crash Data
In This Section:
Introduction 274
Configuring Core Dumps in Gaia Portal 274
Configuring Core Dumps in Gaia Clish 276
Introduction
A process core dump file consists of the recorded status of the working memory of the Gaia computer at
the time that a Gaia process terminated abnormally.
When a process terminates abnormally, it produces a core dump file in the
/var/log/dump/usermode/ directory.
If the /log partition has less than 200 MB, no core dumps are created, and all core dumps are deleted to
create space. This prevents the core dump files from filling the /log partition.
Configuring Core Dumps in Gaia Portal

To configure core dumps, enable the feature and then configure parameters.
Procedure
Step Description
1 In the navigation tree, click System Management > Crash Data.
2 Select Enable Core Dumps and configure the parameters.

This option configures Gaia operating system create core dump files.
2 Optional: Select Send crash data which might contain personal data to Check Point.
If you enable this option, Gaia operating system uploads the detected core dump files to
Check Point Cloud.
This lets Check Point R&D analyze the crashes and issue fixes for them.
3 Click Apply .

Crash Data
Parameters
Total space limit The maximum amount of disk space in MB that is used for storing core dumps.
If disk space is required for a core dump, the oldest core dump is deleted.
The per-process limit is enforced before the space limit.
n Range: 1 - 99999 MB
n Default: 1000 MB
Dumps per The maximum number of dumps that are stored for each process executable
process (program) file.
A new core dump overwrites the oldest core dump.
n Range: 1 - 99999
n Default: 2
Example
There are two programs "A" and "B", and the per-process limit is limit is 2.
Program "A" terminates 1 time and program "B" terminates 3 times.
The core dumps that remain are:
n 1 core dump for program "A"
n 2 core dumps for program "B"
n Core dump 3 for program "B" is deleted because of the per-process limit.

Crash Data
Configuring Core Dumps in Gaia Clish

Syntax
n To enable or disable core dumps:
set core-dump {enable | disable}
n To set the total disk space usage limit in MB:
set core-dump total <0-99999>
n To set the number of core dumps per process:
set core-dump per_process <0-99999>
n To show the total disk space usage limit:
show core-dump total
n To show the number of core dumps per process:
show core-dump per_process

Crash Data
Parameters
total <0- The maximum amount of space that is used for core dumps. If space is
99999> required for a dump, the oldest dump is deleted.
n Range: 1 - 99999 MB
n Default: 1000 MB
per_process The maximum number of core dumps that are stored for each process
<0-99999> executable (program) file.
A new core dump overwrites the oldest core dump.
n Range: 1 - 99999
n Default: 2
Example
There are two programs "A" and "B", and the per-process limit is limit is 2.
Program "A" terminates 1 time and program "B" terminates 3 times.
The core dumps that remain are:
n 1 core dump for program "A"
n 2 core dumps for program "B"
n Core dump 3 for program "B" is deleted because of the per-process
limit.

System Configuration
In This Section:
Configuring IPv6 Support in Gaia Portal 279

Configuring IPv6 Support in Gaia Clish 279
Important:
n Security Management Server R81 does not support IPv6 Address on Gaia
Management Interface (Known Limitation 01622840).
n Multi-Domain Server R81 does not support IPv6 at all (Known Limitation PMTR-
14989).
Before you can configure IPv6 addresses and IPv6 static routes, you must:
Step Description
1 Enable the IPv6 support.
2 Reboot.
3 To configure IPv6 addresses, see "Network Interfaces" on page 85.

To configure IPv6 static routes, see "IPv6 Static Routes" on page 204.
To enforce a Security Policy for IPv6 traffic:
Step Description
1 Enable the IPv6 support in Gaia OS on both the Security Management Server and the Security
Gateway (each Cluster Member).
2 Connect with SmartConsole to the Management Server.
3 Create the applicable IPv6 objects.
4 Create the applicable IPv6 rules in the Access Control Policy.
5 Install the Access Control Policy on the Security Gateway (the Cluster) object.

Configuring IPv6 Support in Gaia Portal

Step Instructions

2 From the navigation tree, click System Management > System Configuration.
3 In the IPv6 Support section, select On.
4 Click Apply .
5 When prompted, select Yes to reboot.
Important - IPv6 support is not available until you reboot.
Configuring IPv6 Support in Gaia Clish

n To configure IPv6 support:
set ipv6-state {on | off}
Important - This change requires reboot.
n To show the state of IPv6 support:
show ipv6-state
Procedure
Step Instructions
1 Connect to the command line on Gaia.
3 Enable the IPv6 support:

set ipv6-state on

Step Instructions
4 Save the changes:

save config
5 Reboot:
reboot
Important - IPv6 support is

not available until you
reboot.

System Logging
System Logging
You can configure the settings for the system logs, including sending them to a remote server.
Make sure to configure the remote server to receive the system logs.

Configuring System Logging in Gaia Portal

This section includes procedures for configuring System Logging and Remote System Logging.
System Logging configures if Gaia sends these logs:
n Gaia syslog messages to its Check Point Management Server
n Gaia audit logs upon successful configuration to its Check Point Management Server
n Gaia audit logs upon successful configuration to Gaia syslog facility
Remote System Logging configures a remote syslog server, to which Gaia sends its syslog messages.
Note - There are settings that you can configure only in Gaia Clish.
To configure System Logging
Step Description
1 In the navigation tree, click System Management > System Logging.
2 In the System Logging section, select the applicable options:
n Send Syslog messages to management server

Specifies if the Gaia sends the Gaia system logs to a Check Point Management
Server.
Default: Not selected
Note - You can configure this option in Gaia Clish with the "set syslog cplogs
{on | off}" command.
n Send audit logs to management server upon successful configuration

Specifies if the Gaia sends the Gaia audit logs (for configuration changes that
authorized users make) to a Check Point Management Server.
Default: Selected
Note - You can configure this option in the Gaia Clish with the "set syslog
mgmtauditlogs {on | off}" command.
n Send audit logs to syslog upon successful configuration

Specifies if the Gaia saves the logs for configuration changes that authorized users
make.
Otherwise, Gaia uses the default /var/log/messages file.
Default: Selected
To specify a Gaia configuration audit log file, run this command:
set syslog filename </<Path>/<File>>
Note - This option is configured in the Gaia Clish with the "set syslog auditlog
{disable | permanent}" command.
3 Click Apply .

To configure Remote System Logging
Step Description
2 In the Remote System Logging section, click Add.
3 In the IP Address field, enter the IPv4 address of the remote syslog server.
4 In the Priority field, select the severity level of the logs that are sent to the remote server.
These are the accepted values (as defined by the RFC 5424 - Section-6.2.1):
n All - All messages
n Debug - Debug-level messages
n Info - Informational messages
n Notice - Normal but significant condition
n Warning - Warning conditions
n Error - Error conditions
n Critical - Critical conditions
n Alert - Action must be taken immediately
n Emergency - System is unusable
5 Click OK.
Important - Do not to configure two Gaia computers to send system logs to each
other - directly, or indirectly. Such configuration creates a syslog forwarding loop,
which causes all syslog message to repeat indefinitely on both Gaia computer.
To edit Remote System Logging settings
Step Description
2 In the Remote System Logging section, select the remote server.
3 Click Edit.
4 In the IP Address field, enter the IPv4 address of the remote syslog server.
5 In the Priority field, select the severity level of the logs that are sent to the remote server.
6 Click OK.

To delete Remote System Logging settings
Step Description
2 In the Remote System Logging section, select the remote syslog server.
3 Click Delete.
4 In the confirmation window, click Yes .

Configuring System Logging in Gaia Clish

Description
You can configure the System Logging and Remote System Logging.
System Logging configures the Gaia to sends these logs:
n Gaia syslog messages to its Check Point Management Server
n Gaia audit logs upon successful configuration to its Check Point Management Server
n Gaia audit logs upon successful configuration to Gaia syslog facility
Remote System Logging configures a remote server, to which Gaia sends its syslog messages.
Note - There are some command options and parameters, which you cannot configure
in the Gaia Portal.
Syntax for System Logging configuration
n To send the Gaia system logs to a Check Point Management Server:
set syslog cplogs {on | off}
n To send the Gaia configuration audit logs to a Check Point Management Server:
set syslog mgmtauditlogs {on | off}
n To save the Gaia configuration audit logs:
set syslog auditlog {disable | permanent}
n To configure the file name of the Gaia configuration audit log:
set syslog filename /<Path>/<File>
n To show the Gaia system logging configuration:
show syslog
all
auditlog
cplogs
filename
mgmtauditlogs

Syntax for Remote System Logging configuration
n To send Gaia system logs to a remote syslog server:
add syslog log-remote-address <IPv4 Address> level <Severity>
n To show the Gaia system logging configuration:
show syslog
all
log-remote-address <IPv4 Address>
log-remote-addresses
n To stop sending Gaia system logs to the specific remote server:
delete syslog log-remote-address <IPv4 Address> [level

<Severity>]
CLI Parameters
cplogs {on | Specifies if the Gaia sends the Gaia system logs to a Check Point
off} Management Server:
n on - Send Gaia system syslogs
n off - Do not send Gaia syslogs
Default: off
Note - This command corresponds to the Send Syslog messages
to management server option in the Gaia Portal > System
Management > System Logging.
mgmtauditlogs Specifies if the Gaia sends the Gaia audit logs (for configuration changes that
{on | off} authorized users make) to a Check Point Management Server:
n on - Send Gaia audit logs
n off - Do not send Gaia audit logs
Default: on
Note - This command corresponds to the Send audit logs to
management server upon successful configuration option in the
Gaia Portal > System Management > System Logging.

auditlog Specifies if the Gaia saves the logs for configuration changes that authorized
{disable | users make:
permanent}
n disable - Disables the Gaia audit log facility
n permanent - Enables the Gaia audit log facility to save information
about all successful changes in the Gaia configuration. To specify a
destination file, run the set syslog filename </Path/File>
command (otherwise, Gaia uses the default /var/log/messages
file).
Default: permanent
Note - This command corresponds to the Send audit logs to syslog
upon successful configuration option in the Gaia Portal > System
Management > System Logging.
/< Configures the full path and file name of the system log.
Path>/<File> Default: /var/log/messages
Note in Gaia Portal does not let you configure this setting.
log-remote- Configures Gaia to send system logs to a remote syslog server.

address Important - Do not configure two Gaia computers to send system
logs to each other - directly, or indirectly. Such configuration creates
a syslog forwarding loop, which causes all syslog messages to
repeat indefinitely on both Gaia computers.
Note - This command corresponds to the Gaia Portal > System

Management > Remote System Logging.
<IPv4 IPv4 address of the remote syslog server, to which Gaia sends its system logs.
Address>
n Range: Dotted-quad ([0-255].[0-255].[0-255].[0-255])

<Severity> Syslog severity level for the system logging.

These are the accepted values (as defined by the RFC 5424 - Section-6.2.1):
n emerg - System is unusable
n alert - Action must be taken immediately
n crit - Critical conditions
n err - Error conditions
n warning - Warning conditions
n notice - Normal but significant condition
n info - Informational messages
n debug - Debug-level messages
n all - All messages
Notes:
n Until you configure at least one severity level for a given
remote server, Gaia does not send syslog messages.
n If you specify multiple severities, the most general least
severe severity always takes precedence.
Example
gaia> set syslog auditlog permanent
gaia> set syslog filename /var/log/system_logs.txt
gaia> set syslog mgmtauditlogs on
gaia> set syslog cplogs on
gaia> set syslog log-remote-address 192.168.2.1 level all
gaia> show syslog all

Syslog Parameters:
Remote Address 192.168.2.1
Levels all
Auditlog permanent
Destination Log Filename /var/log/system_logs.txt
gaia>
gaia>show syslog auditlog

permanent
gaia>
gaia> show syslog cplogs

Sending syslog syslogs to Check Point's logs is enabled
gaia>
gaia> show syslog mgmtauditlogs

Sending audit logs to Management Serever is enabled
gaia>
gaia> show syslog filename

/var/log/system_logs.txt
gaia>

Redirecting RouteD System Logging Messages

It is possible to configure the RouteD daemon to write its log messages (for example, OSPF or BGP errors)
to one of these log files:
Log File Description
/var/log/routed_ Dedicated file that contains only the RouteD log messages.
messages In Gaia versions R80 and higher, the RouteD writes to this file by
default.
/var/log/messages This file contains log messages from different daemons and from the
operating system.
In Gaia versions R77.30 and lower, the RouteD writes to this file by
default.
Important - When you upgrade Gaia from R77.30 and lower,

the RouteD continues to write to this file.
Best Practice - Configure the RouteD to write its log

messages to the /var/log/routed_messages file.
Important:
n In a Cluster, you must configure all the Cluster Members in the same way.
n When you change this configuration, it is not necessary to restart the RouteD
daemon, or reboot.

Configuration in the Gaia Portal
Step Description
1 From the left navigation tree, click Advanced Routing > Routing Options .
2 In the Routing Process Message Logging Options section, select Log Routed Separately .
3 In the Maximum File Size field, enter the size (in megabytes) for each log file.
The default size is 1 MB.
When the active log file /var/log/routed_messages reaches the maximal configured
size, the Gaia OS rotates it and creates
the new /var/log/routed_messages file.
4 In the Maximum Number of Files field, enter the maximal number of log files to keep.
The default is to keep 10 log files:
n /var/log/routed_messages
n /var/log/routed_messages.0
n ...
If the number of all log files reaches the maximal configured number, the Gaia OS deletes
the oldest file, and rotates the existing files.
The file names end with a number suffix. The greater the suffix number, the older the file.
5 Click Apply .

Configuration in Gaia Clish
Step Description
3 Enable the logging of RouteD messages to a dedicated log file:

set routedsyslog on
4 Configure the size (in megabytes) for each log file:

set routedsyslog size <Number of MB between 1 and 2047>
The default size is 1 MB.
When the active log file /var/log/routed_messages reaches the maximal configured
size, the Gaia OS
rotates it and creates the new /var/log/routed_messages file.
5 Configure the maximal number of log files to keep:

set routedsyslog maxnum <Number of Files between 1 and
4294967295>
The default is to keep 10 log files:
n /var/log/routed_messages
n ...
When the number of log files reaches the maximal configured number, the Gaia OS deletes
the oldest log file and rotates the existing log files.
The file names end with a number suffix. The greater the suffix number, the older the log file.

save config

How to examine the configuration in CLI
Examine the configuration in Gaia Clish, or the Expert mode.
She
Command Expected output
ll
Gai show n If default values were used for "maxnum" and "size":
a configurat
set routedsyslog on
Clis ion
h routedsysl n If custom values were configured for "maxnum" and "size":
og set routedsyslog on
set routedsyslog maxnum <Configured_Value>
set routedsyslog size <Configured_Value>
Exp grep n If default values were used for "maxnum" and "size":
ert routedsysl
routed:instance:default:routedsyslog t
mo og
de /config/ac n If custom values were configured for "maxnum" and "size":
tive routed:instance:default:routedsyslog t
routed:instance:default:routedsyslog:size
<Configured_Value>
routed:instance:default:routedsyslog:files
<Configured_Value>

Configuring Log Volume
Configuring Log Volume

If there is enough available disk space, you can increase the size of the log partition.
Note - Disk space is added to the log volume by subtracting it from the disk space used
to store Gaia backup images.
Use the lvm_manager tool in the Expert mode.
Step Description
1 Connect to the Gaia system over console.
2 Reboot:
reboot
3 During boot, press any key to enter the Boot menu.
Note - You have approximately 5 seconds.
4 Select Start in maintenance mode.
5 Enter the Expert mode password.
6 Use the interactive lvm_manager tool as described in the sk95566:

lvm_manager
7 Reboot:
reboot
Related information
See "LVM Overview" on page 458.

Network Access
Network Access
Introduction
Telnet is not recommended for remote login, because it is not secure.
SSH, for example, provides much of the functionality of Telnet with good security.
Network access to Gaia using Telnet is disabled by default. You can allow Telnet access.
Configuring Telnet Access in Gaia Portal

Step Description
1 In the navigation tree, click System Management > Network Access .
2 Select Enable Telnet.
3 Click Apply .
Configuring Telnet Access in Gaia Clish

Syntax
n To configure Telnet access:
set net-access telnet {on | off}
n To show the configured Telnet access:
show net-access telnet

Host Access
Host Access
You can configure hosts or networks that are allowed to connect to the Gaia Portal or Gaia Clish on the
Gaia device.
Configuring Allowed Gaia Clients in Gaia Portal

Step Description
1 In the navigation tree, click System Management > Host Access .
2 Click Add.
The Add a New Allowed Client window opens.
3 Select one of these options:

n Any host - All remote hosts can access the Gaia Portal, or
Gaia Clish.
n Host - Enter the IPv4 address of one host.
n Network - Enter the IPv4 address of a network and subnet
mask.
4 Click OK.

Host Access
Configuring Allowed Gaia Clients in Gaia Clish

Syntax
n To add an allowed client:
add allowed-client
host
any-host
ipv4-address <Host IPv4 Address>
network ipv4-address <Network IPv4 Address> mask-length <1-
31>
n To show the configured allowed clients:
show allowed-client all
n To delete an allowed client:
delete allowed-client
host
any-host
host ipv4-address <Host IPv4 Address>
network ipv4-address <Network IPv4 Address>
Parameters
<Host IPv4 Address> The IPv4 address of the allowed host in dotted decimal format
(X.X.X.X)
<Network IPv4 The IPv4 address of the allowed network in dotted decimal format
Address> (X.X.X.X)
Example
gaia> add allowed-client host any-host

gaia> show allowed-client all
Type Address Mask
Length
Host Any
gaia>

LLDP
LLDP
You can configure Gaia to advertise and receive information from other network devices over the Link
Layer Discovery Protocol (LLDP) protocol.
The LLDP is a vendor-neutral link layer protocol that network devices use to advertise their identity,
capabilities (and so on) and to receive information about their neighbors on a local area network based on
IEEE 802 standard.
The gathered information may include:
n System Name
n System Description
n System Capabilities (switching, routing, etc.)
n Port Description
n Management Address
Important - By default, LLDP is disabled in the Gaia operating system.
Configuring LLDP in Gaia Portal

Step Description
1 In the navigation tree, click System Management > LLDP.
2 In the Type Length Value (TLV) section, select which information to send in the LLDP packets,
and click Apply :
n System Name
To send the Gaia hostname.
n System Description
To send the formatted output of the "uname -msr" command
(which contains kernel name, kernel release, and kernel machine hardware name).
n System Capabilities
To send the string "station" (regardless of the Check Point configuration).
n Port Description
To send the name of the interface.
n Management Address
To send the IP address of the interface.

LLDP
Step Description
3 In the Timers section, configure the applicable values, and click Apply :
n Transmit Interval
This interval controls how frequently Gaia To send LLDP packets on the selected
interfaces.
Enter a value between 8 and 32768 (default is 30) seconds.
n Hold Time Multiplier
This multiplier controls the Time-to Live (TTL) of the LLDP packets:
TTL = (Transmit Interval) x (Hold Time Multiplier).
This TTL is the duration, for which the receiving neighbor stores the LLDP information in
its database.
Enter a value between 2 and 10 (default is 4).
Note - These values are global and apply to all selected interfaces.
4 In the Interfaces section, add the applicable interfaces.
n To add all configured interfaces:

a. Click Add All .
b. Click Yes to confirm.
c. The default LLDP mode for all interfaces is Transmit and Receive.
To change the LLDP mode:
i. Select an interface.
ii. Click Edit.
iii. Select the applicable LLDP mode.
iv. Click Save.
n To add a specific interface:
a. Click Add.
b. In the Interface Name field, select an interface.
c. In the Mode field, select the applicable LLDP mode.
d. Click Save.
The available LLDP modes are:
n Transmit and Receive - The interface transmits and receives the LLDP packets.
n Transmit only - The interface only transmits the LLDP packets, but does not receive the
LLDP packets.
n Receive only - The interface only receives the LLDP packets, but does not transmit the
LLDP packets.
5 In the LLDP Configuration section, select Enable LLDP, and click Apply .

LLDP
Configuring LLDP in Gaia Clish

Syntax
n To configure LLDP:
set lldp
hold-time-multiplier <2-10>
interface <Name of Interface>
receive {on | off}
transmit {on | off}
transmit-and-receive {on | off}
state {on | off}
tlv
port-description {on | off}
system-name {on | off}
system-description {on | off}
system-capabilities {on | off}
management-address {on | off}
transmit-interval <8-32768>
n To show the LLDP configuration:
show lldp status

interface <Name of Interface>
timers
tlv

LLDP
Parameters
hold-time-multiplier This multiplier controls the Time-to Live (TTL) of the LLDP
packets:
TTL = (Transmit Interval) x (Hold Time Multiplier).
This TTL is the duration, for which the receiving neighbor
stores the LLDP information in its database.
Enter a value between 2 and 10 (default is 4).
interface <Name of Specifies the name of an interface, which sends or receives

Interface> the LLDP packets.
interface <Name of Enables (on) and disables (off) the LLDP mode on the
Interface> receive {on | interface as "receive only".
off} The interface only receives the LLDP packets, but does not
transmit the LLDP packets.
Interface> transmit {on | interface as "transmit only".
off} The interface only transmits the LLDP packets, but does not
receive the LLDP packets.
Interface> transmit-and- interface as "transmit and receive".
receive {on | off} The interface transmits and receives the LLDP packets.
state {on | off} Enables (on) and disables (off) the LLDP on the specified
interface.
tlv port-description {on | Enables (on) and disables (off) the LLDP-enabled
off} interface to send the Port Description information in the
LLDP packets.
Sends the name of the interface.
tlv system-name {on | off} Enables (on) and disables (off) the LLDP-enabled
interface to send the System Name information in the LLDP
packets.
Sends the Gaia hostname.
tlv system-description {on | Enables (on) and disables (off) the LLDP-enabled
off} interface to send the System Description information in the
LLDP packets.
Sends the formatted output of the "uname -msr"
command
(which contains kernel name, kernel release, and kernel
machine hardware name).

LLDP
tlv system-capabilities {on Enables (on) and disables (off) the LLDP-enabled
| off} interface to send the System Capabilities information in the
LLDP packets.
Sends the string "station" (regardless of the Check Point
configuration).
tlv management-address {on | Enables (on) and disables (off) the LLDP-enabled
off} interface to send the Management Address information in
the LLDP packets.
Send the IP address of the interface.
transmit-interval <8-32768> This interval controls how frequently the LLDP-enabled

interface sends the LLDP packets.
Enter a value between 8 and 32768 (default is 30) seconds.
timers Shows the configured LLDP timers:

n Hold Time Multiplier
n Transmit Interval
Example - Viewing the LLDP status
MyGaia> show lldp status

LLDP server enabled
Interfaces
eth0 - receive
eth1 - receive and transmit
eth2 - transmit
Optional Information
port-description off
system-name on
system-description off
system-capabilities on
management-address on
Timers
Hold time multiplier 5
Transmit interval 20
MyGaia>

LLDP
Viewing the LLDP neighbors in the Expert mode

1. Connect to the command line on Gaia.
2. Log in to the Expert mode.
3. Run:
lldpneighbors
Example output
[Expert@MyGaia:0]# lldpneighbors
Read 512 bytes. Total size is now: 512
Buffer is: 0xFFADB704 and Temporary Buffer is 0xFFADB700.
Read 282 bytes. Total size is now: 794
Buffer is: 0xFFADB704 and Temporary Buffer is 0xFFADB700.
OpenLLDP Neighbor Info:
Interface 'eth0' has 0 LLDP Neighbors:
Interface 'eth1' has 2 LLDP Neighbors:
Neighbor 1:
Chassis ID: MA
Port ID: Interface Name - eth0
Time To Live: 120 seconds
End Of LLDPDU:
Neighbor 2:
Chassis ID: MA
Port ID: Locally Assigned - Eth1/37
Time To Live: 120 seconds
Port Description: Ethernet1/37
System Name: SecureOsLabFL6ApplianceSwitch.SecreOS_LAB6
System Description: Cisco Nexus Operating System (NX-OS) Software
TAC support: http://www.cisco.com/tac
Copyright (c) 2002-20XX, Cisco Systems, Inc. All rights reserved.
System Capabiltiies:
Bridge/Switch (disabled)
Router (enabled)
Management Address: IPv4 - 172.23.95.1 (ifIndex - 83886080) (OID: Standard LLDP MIB)
Organizationally Specific:
End Of LLDPDU:
[Expert@MyGaia:0]#

Advanced Routing
Advanced Routing
Dynamic Routing is fully integrated into the Gaia Portal and Gaia Clish.
BGP, OSPF and RIP are supported.
Dynamic Multicast Routing is supported, with PIM (Sparse Mode (SM), Dense Mode (DM), Source-Specific
Multicast (SSM), and IGMP.
To learn about dynamic routing, see the R81 Gaia Advanced Routing Administration Guide.

User Management
User Management
This chapter describes how to manage passwords, user accounts, roles, authentication servers, system
groups, and Gaia Portal clients.
Note - When a user logs in to Gaia, the Gaia Portal navigation tree displayed and Gaia
Clish commands that are available depend on the role or roles assigned to the user. If
the user's roles do not provide access to a feature, the user does not see the feature in
the Gaia Portal navigation tree or in the list of commands. If the user has read-only
access to a feature, they can see the Gaia Portal page, but the controls are disabled.
Similarly, the user can run "show commands, but not "set", "add" or "delete"
commands.

Change My Password
Change My Password
A Gaia user can change their Gaia password.
Changing My Password in Gaia Portal

Step Description
1 In the navigation tree, click User Management > Change My Password.
2 In the Old Password field, enter your old password.
3 In the New Password field, enter the new password.
4 In the Confirm New Password field, enter the new password again.
5 Click Apply .
Changing My Password in Gaia Clish

Description
Change your own Gaia password, in an interactive dialog.
Syntax
set selfpasswd
Warning - We do not recommend to use this command:
set selfpasswd oldpass <Old Password> passwd <New
Password>
This is because the passwords are stored as plain text in the command history.
Instead, use the "set selfpasswd" command.

Users
Users
Use the Gaia Portal and Gaia Clish to manage user accounts.
You can:
n Add users to your Gaia system.
n Edit the home directory of the user.
n Edit the default shell for a user.
n Give a password to a user.
n Give privileges to users.
These users are created by default and cannot be deleted:
User Description
admin Has full read/write capabilities for all Gaia features, from the Gaia Portal and the Gaia Clish.
This user has a User ID of 0, and therefore has all of the privileges of a root user.
monitor Has read-only capabilities for all features in the Gaia Portal and the Gaia Clish, and can
change its own password.
You must give a password for this user before the account can be used.
New users have read-only privileges to the Gaia Portal and the Gaia Clish by default.
You must assign one or more roles before the new users can log in.
Notes:
n You can assign permissions to all Gaia features or a subset of the features
without assigning a user ID of 0.
If you assign a user ID of 0 to a user account (you can do this only in the Gaia
Clish), the user is equivalent to the Admin user and the roles assigned to that
account cannot be modified.
n Do not define a new user for external users.
An external user is one that is defined on an authentication server (such as
RADIUS or TACACS), and not on the local Gaia system.
When you create a user, you can add pre-defined roles (privileges) to the user. For more information, see
"Roles" on page 314.
Warning - A user with read and write permission to the Users feature can change the
password of another user, or an admin user. Therefore, write permission to the Users
feature should be assigned with caution.

Managing User Accounts in Gaia Portal

To see a list of all configured users
In the navigation tree, click User Management > Users .

You can also see your username in the top right corner of the Gaia Portal.
To add a new user
Step Description
1 In the navigation tree, click User Management > Users .
2 Click Add.
3 In the Login Name field, enter the username.

The valid characters (between 1 and 32 characters) are alphanumeric characters, dash (-),
and underscore (_).
4 In the Password field, enter the user's password.

All printable characters are allowed. Length is between 6 and 128 characters.
Important - Do not use the asterisk (*) character in the password. User with such
password will not be able to log in.
5 In the Confirm Password field, enter the user's password again.
6 In the Real Name field, enter the user's real name or other informative text.
This is an alphanumeric string that can contain spaces.
The default is the user's Login Name with capitalized first letter.
7 In the Home Directory field, enter the user's home directory.

This is the full Linux path name of a directory, to which the user will log in.
Must be a sub-directory of /home/ directory.
If the sub-directory does not already exist, it is created.
8 In the Shell field, select the user's default login shell.

See the explanations in the "Login Shells " section below.
9 Select User must change password at next logon, if you wish to force the user to change
the configured password during the next login.
Note - If the user does not log in within the time limit configured in the Gaia Portal >
User Management > Password Policy page > Mandatory Password Change
section > Lockout users after password expiration > Lockout user after X days ,
the user may not be able to log in at all.
10 Optional: In the UID field, enter or select the applicable User ID:
n 0 for administrator users (this is the default option)
n An integer between 103 and 65533 for non-administrator users

Step Description
11 In the Access Mechanisms section:
n Select Web to allow this user to access Gaia Portal.

n Select Clish Access to allow this user to access Gaia Clish.
12 In the Available Roles list:

a. Select the roles you wish to assign to this user.
To select several roles:
i. Press and hold the CTRL key on the keyboard.
ii. Left-click the applicable roles. The selected roles become highlighted.
b. Click Add > . The selected roles move to the Assigned Roles list.
13 Click OK.
Login Shells
Shell Description
/etc/cli.sh This is the default option.

Lets the user work with the full Gaia Clish.
By default, some basic networking commands (such as ping) are also
available.
The Extended Commands in the assigned roles makes it possible to add
more Linux commands that can be used (see "List of Available Extended
Commands in Roles" on page 339).
User can run the expert command to enter the Bash shell (Expert
mode).
/bin/bash BASH Linux shell.

Lets the user work with the Expert mode.
User can run the clish command to enter the Gaia Clish.
/bin/csh CSH Linux shell.

/bin/sh SH Linux shell.

/bin/tcsh TCSH Linux shell.

/usr/bin/scponly User is not allowed to log in to Gaia.

User can only connect to Gaia over SCP and transfer files to and from the
system.
Other commands are forbidden.
/sbin/nologin User is not allowed to log in to Gaia.

Shell Description
/bin/p1shell Obsolete. Do not use this option anymore.
Important - The p1shell is not supported (Known Limitation

PMTR-45085).
To change a user configuration
Step Description
2 Select the user.
3 Click Edit.
4 In the Real Name field, enter the user's real name or other informative text.
5 In the Home Directory field, enter the user's home directory.
6 In the Shell field, select the user's default login shell.
7 Select User must change password at next logon, if you wish to force the user to change
the configured password during the next login.
8 In the Available Roles list, select the roles you wish to assign to this user and click Add > .
9 In the Assigned Roles list, select the roles you wish to remove from this user and click
Remove > .
10 Click OK.
Note - For the default users admin and monitor, you can only change the Shell and Roles.
To delete a user
Step Description
2 Select the user.
3 Click Delete.
Note - You cannot delete the default users admin and monitor.

Managing User Accounts in Gaia Clish

Note - You can use the "add user" command to add new users, but you must use the
"set user <username> password" command to set the password and allow the
user to log on to the system.
Syntax
To add a local user account

add user <UserName> uid <User ID> homedir <Path>
To add a RADIUS user account

add user <UserName> uid 0 homedir <Path>
To modify a user account

set user <UserName>
force-password-change {yes | no}
gid <System Group ID>
homedir <Path>
lock-out off
newpass <Password>
password
password-hash <Password Hash>
realname <Name>
shell <Login Shell>
uid <User ID>}
Note - For the default users admin and monitor, you can only change the Shell and Roles.
To show summary information about all users

show users
To show information about a specific user

show user <UserName>
[force-password-change]
[gid]
[homedir]
[lock-out]
[realname]
[shell>]
[uid]
To delete a configured user

delete user <User ID>

Note - You cannot delete the default users admin and monitor.
Parameters
CLI Parameters
user <UserName> Configures unique login username - an alphanumeric string, from 1 to 32

characters long, that can contain dashes (-) and underscores (_), but not
spaces.
uid <User ID> Optional. Configures unique User ID to identify permissions of the user:
n 0 for administrator users and RADIUS user account (this is the
default option)
n An integer between 103 and 65533 for non-administrator user
Note - If a value is not specified, Gaia OS automatically

assigns the next free sequential number.
homedir <Path> Configures user's home directory.

This is the full Linux path name of a directory, to which the user will log in.
Must be a sub-directory of /home/ directory.
If the sub-directory does not already exist, it is created.
force-password- If you wish to force the user to change the configured password during the
change {yes | next login, set the value to yes.
no} Note - If the user does not log in within the time limit configured by
the "set password-controls expiration-lockout-
days" command, the user may not be able to log in at all.
gid <System Configures System Group ID (0-65535) for the primary group, to which a
Group ID> user belongs.
The default is 100.
You can add the user to several groups.
Use the "add group" and "set group" commands to manage the
groups.
lock-out off Unlocks the user, if the user was locked-out.

The password expiration date is adjusted, if necessary.

newpass Configures a new password for the user.

<Password> Gaia does not ask to verify the new password.
The password you enter shows on the terminal command line in plain text,
and is stored in the command history as plain text.
password Configures a password for the new user.

The command runs in interactive mode.
You must enter the password twice, to verify it.
The password you enter is not visible on the terminal command line.
password-hash Configures the password using an encrypted representation of the

<Password Hash> password.
The password is not visible as text on the terminal command line, or in the
command history.
Use this option if you want to change passwords using a script.
You can generate the hash version of the password using standard Linux
hash generating utilities.
realname <Name> Configures user's description - most commonly user's real name.
This is an alphanumeric string that can contain spaces.
The default is the username with capitalized first letter.
shell <Login Configures the user's default login shell.

Shell> See the explanations in the "Login Shells " section below.
Login Shells
Shell Description
/etc/cli.sh This is the default option.

Lets the user work with the full Gaia Clish.
By default, some basic networking commands (such as ping) are also
available.
The Extended Commands in the assigned roles makes it possible to add
more Linux commands that can be used (see "List of Available Extended
Commands in Roles" on page 339).
User can run the expert command to enter the Bash shell (Expert
mode).
/bin/bash BASH Linux shell.

Lets the user work with the Expert mode.
/bin/csh CSH Linux shell.

/bin/sh SH Linux shell.


Shell Description
/bin/tcsh TCSH Linux shell.

/usr/bin/scponly User is not allowed to log in to Gaia.

User can only connect to Gaia over SCP and transfer files to and from the
system.
Other commands are forbidden.
/sbin/nologin User is not allowed to log in to Gaia.
/bin/p1shell Obsolete. Do not use this option anymore.
Important - The p1shell is not supported (Known Limitation

PMTR-45085).

Roles
Roles
Role-based administration (RBA) lets you create administrative roles for users. With RBA, an administrator
can allow Gaia users to access specified features by including those features in a role and assigning that
role to users. Each role can include a combination of administrative (read/write) access to some features,
monitoring (read-only) access to other features, and no access to other features.
You can also specify, which access mechanisms (Gaia Portal, or Gaia Clish) are available to the user.
Note - When users log in to the Gaia Portal, they see only those features, to which they
have read-only or read/write access. If they have read-only access to a feature, they
can see the settings pages, but cannot change the settings.
Gaia includes these predefined roles:
Role Description
adminRole Gives the user read/write access to all features.
monitorRole Gives the user read-only access to all features.
Notes:
n You cannot delete or change the predefined roles.
n Do not define a new user for external users.
An external user is one that is defined on an authentication server (such as
RADIUS or TACACS), and not on the local Gaia system.

Configuring Roles in Gaia Portal

You define roles on the User Management > Roles page of the Gaia Portal.
This page also shows a list of existing roles.
To add new role
Step Description
1 In the navigation tree, click User Management > Roles .
2 Click Add.
3 In the Role Name field, enter the applicable name.

The role name must start with a letter and can be a combination of letters, numbers and the
underscore (_) character.
4 On the Features tab:

In the R/W column, click the ? icon near the feature you wish to configure in this role and
select the permission: None, Read Only , or Read / Write.
Important - A user with Read/Write permission to the User Management feature

can change a user password, including that of the admin user. Be careful when
assigning roles that include this permission!
See "List of Available Features in Roles" on page 322.
5 On the Extended Commands tab:

Select the commands you wish to configure in this role.
n To select several commands:
a. Press and hold the CTRL key on the keyboard.
b. Left-click the applicable commands (in the Name, Description, or Path
column).
The selected commands become highlighted.
c. In the top right corner, select the option Check selected as .
The checkboxes of the selected commands become checked.
n To clear several selected commands:
column).
c. In the top right corner, clear the option Check selected as .
The checkboxes of the selected commands become cleared.
See "List of Available Extended Commands in Roles" on page 339.
6 Click OK.

To change features and commands in an existing role
Step Description
2 Select the role.
3 Click Edit.
4 On the Features tab:

In the R/W column, click the ? icon near the feature you wish to configure in this role and
select the permission: None, Read Only , or Read / Write.
Important - A user with Read/Write permission to the User Management feature
can change a user password, including that of the admin user. Be careful when
assigning roles that include this permission!
5 On the Extended Commands tab:

Select the commands you wish to configure in this role.
n To select several commands:
column).
c. In the top right corner, select the option Check selected as .
The checkboxes of the selected commands become checked.
n To clear several selected commands:
column).
c. In the top right corner, clear the option Check selected as .
The checkboxes of the selected commands become cleared.
6 Click OK.
To delete a role
Step Description
2 Select the role.
3 Click Delete.
Note - You cannot delete the default roles adminRole or monitorRole.

To assign users to a role
Step Description
2 Select the role.
3 Click Assign Members .
4 In the Available Users list, left-click the user you wish to add to the role.
To select several users:

b. Left-click the applicable commands. The selected users become
highlighted.
5 Click Add > .

The selected users move to the Users with Role list.
6 Click OK.
To remove users from a role
Step Description
2 Select the role.
3 Click Assign Members .
4 In the Users with Role list, left-click the user you wish to remove from the role.

b. Left-click the applicable commands. The selected users become
highlighted.
5 Click Remove > .

The selected users move to the Available Users list.
6 Click OK.
Note - You can assign a user to many roles on the Users page (see "Users" on page 306).

Configuring Roles in Gaia Clish

You can:
n Add, change, or delete roles.
n Add or remove users to or from existing roles.
n Add or remove access mechanism permissions for a specified user.
Syntax
To add an RBA role

add rba role <New Role Name> domain-type System
all-features
readonly-features <List of RO Features>
readwrite-features <List of RW Features>}
Note - You can add "readonly-features" and "readwrite-features" in

the same command.
To choose which VSX Virtual Systems this role can access

add rba role <Existing Role Name>
virtual-system-access 0
virtual-system-access all
virtual-system-access VSID1,VSID2,...,VSIDn
To assign Gaia access mechanisms to a user

add rba user <User Name>
access-mechanisms Web-UI
access-mechanisms CLI
access-mechanisms Web-UI,CLI
To assign an RBA role to a user

add rba user <User Name> roles <Role1,Role2,...,RoleN>
To show RBA roles information

show rba
all
role <Role Name>
roles
user <User Name>
users
To delete an entire RBA role

delete rba role <Role Name>

To delete features from an RBA role

delete rba role <Role Name>
readonly-features <List of RO Features>
readwrite-features <List of RW Features>
Note - You can delete "readonly-features" and "readwrite-features" in

the same command.
To remove Gaia access mechanisms from a user

delete rba user <User Name>
access-mechanisms Web-UI
access-mechanisms CLI
access-mechanisms Web-UI,CLI
To remove an RBA role from a user

delete rba user <User Name> roles <Role1,Role2,...,RoleN>
Notes:
n There are no "set" commands for configured roles.
n You cannot delete the default roles adminRole or
monitorRole.
Parameters
CLI Parameters
role <Role Name> Role name as a character string that contains letters, numbers or
the underscore (_) character.
The role name must start with a letter.
domain-type System Reserved for future use.
virtual-system-access Specifies which VSX Virtual Systems this role can access:
{0 | all | VSID1,
VSID2, ..., VSIDn} n 0 - Access only to VSX Gateway (VSX Cluster Member)
itself (context of VS0).
n all - Access to all Virtual Systems.
n VSID1,VSID2,...,VSIDn - Access only to specified
Virtual Systems. This is a comma-separated list of Virtual
Systems IDs (spaces are not allowed in this syntax).

all-features Grants read-write permissions to all features.
Important - This is equivalent to the admin role!
readonly-features A comma-separated list of Gaia features that have read-only

<List of RO Features> permissions in the specified role.
See:
n "List of Available Features in Roles" on page 322
n "List of Available Extended Commands in Roles" on
page 339
Notes:
n Press <SPACE><TAB> to see the list of available
features.
n You can add read-only and read-write feature
lists in the same "add rba role <Role
Name> domain-type System ..."
command.
readwrite-features A comma-separated list of Gaia features that have read-write

<List of RW Features> permissions in the specified role.
See:
n "List of Available Features in Roles" on page 322
n "List of Available Extended Commands in Roles" on
page 339
Notes:
n Press <SPACE><TAB> to see the list of available
features.
n You can add read-only and read-write feature
lists in the same "add rba role <Role
Name> domain-type System ..."
command.
Important - A user with read/write permission to the

user feature can change a user password, including
that of the admin user. Be careful when assigning roles
that include this permission!
user <User Name> User, to which access mechanism permissions and roles are
assigned.
roles Comma-separated list of role names that are assigned to or

< removed from the specified user (spaces are not allowed in this
Role1,Role2,...,RoleN> syntax).

access-mechanisms Defines the access mechanisms that users can work with to
{Web-UI | CLI | Web- manage Gaia:
UI,CLI}
n Web-UI - Access only to Gaia Portal
n CLI - Access only to Gaia Clish
n Web-UI,CLI - Access to both Gaia Portal and Gaia Clish
(spaces are not allowed in this syntax)
Example
gaia> add rba role NewRole domain-type System readonly-features vpn,ospf,rba readwrite-features snmp
gaia> show rba role NewRole

Role
NewRole
domain-type System
read-write-feature snmp
read-only-feature vpn,ospf,rba
gaia>
gaia> add rba user John roles NewRole
gaia> add rba user John access-mechanisms Web-UI,CLI
gaia> show rba user John

User
John
access-mechanism CLI
access-mechanism Web-UI
role NewRole
gaia>
gaia> delete rba user John roles NewRole
gaia> delete rba role NewRole

List of Available Features in Roles

Table: List of Available Features in Roles
Feature
name in Feature name in Affected commands
Description
Gaia Gaia Clish in Gaia Clish
Portal
Authentica aaa-servers Configure set aaa radius-servers *

tion authenticatio set aaa tacacs-servers *
Servers n through delete aaa radius-servers *
external delete aaa tacacs-servers *
RADIUS or add aaa radius-servers *
TACACS+ add aaa tacacs-servers *
server. show aaa radius-servers *
show aaa tacacs-servers *
Advanced adv-vrrp Configure set vrrp *

VRRP the show vrrp *
Advanced
Virtual
Router
Redundancy
Protocol
(VRRP)
Appliance prod-maintain Overview

Maintenan page for
ce Appliance
Maintenanc
e.
ARP arp Control static add arp *

ARP entries delete arp *
and proxy set arp *
ARP entries. show arp *
Control
dynamic
ARP entries.
Banner message Control set message *

Messages Banner delete message *
Message show message *
and
Message of
the Day.

Table: List of Available Features in Roles (continued)

Feature
Description
Portal
BGP bgp Configure set as *

dynamic set router-id *
routing set bgp *
through the show route bgp *
Border show as *
Gateway show router-id *
Protocol show bgp *
(BGP).
Blades blades Show

Summary summary for
enabled
Software
Blades.
cdt cdt Central show cdt *

Deployment set cdt *
Tool start cdt *
Certificate certificate_ Control cpca_client

Authority authority Certificate
Authority.
Change selfpasswd Change your set selfpasswd *

My user account
Password password.
Cloning CloningGroup Control Gaia set cloning-group *

Group Cloning add cloning-group *
Groups. delete cloning-group *
join cloning-group *
re-synch cloning-group *
leave cloning-group *
show cloning-group *
Cloning CloningGroupManag Control set cloning-group-management *

Group ement managemen
Managem t of Gaia
ent Cloning
Groups.
Cloud cloud-config Control of show cloud-config *

Config Zero Touch. set cloud-config *
delete cloud-config *


Feature
Description
Portal
Cluster cluster Control add cluster *

clustering. set cluster *
delete cluster *
show cluster *
Core core-dump Control core set core-dump *

Dump dumps. show core-dump *
DHCP bootp Control set bootp *

Relay Relay of IPv4 show bootp *
DHCP and
IPv4 BOOTP
messages
between
DHCP clients
and DHCP
servers on
different
IPv4
Network.
DHCP dhcp Control set dhcp service *

Server DHCP delete dhcp service *
Server on set dhcp client *
Gaia. delete dhcp client *
add dhcp client *
set dhcp server *
delete dhcp server *
add dhcp server *
show dhcp service *
show dhcp client *
show dhcp server *
DHCPv6 dhcp6relay Control set ipv6 dhcp6relay *

Relay Relay of show ipv6 dhcp6relay *
DHCPv6
messages
between
DHCP clients
and DHCP
servers on
different
IPv6
Network.


Feature
Description
Portal
Display configuration Save and save configuration *

Configurati show Gaia show configuration *
on configuratio
n.
Display format Control how set format *

Format the system show format *
displays
time, date
and
netmask.
DNS dns Control DNS set dns *

servers on delete dns *
Gaia. show dns *
Domain domainname Control the set domainname *

Name domain delete domainname
name on show domainname
Gaia.
Download smart-console Download N/A

SmartCon SmartConsol
sole e from Gaia
Portal.
Expert expert Access to expert

Mode the Expert
mode shell.
Expert expert-password Change the set expert-password

Password Expert mode
password
(interactive).
Expert expert-password- Change the set expert-password-hash *

Password hash Expert mode
Hash password
using
password
hash.


Feature
Description
Portal
Extended command Control the add command *

Command ability to delete command *
s define show command *
additional show commands
Extended show extended *
Commands
for the Gaia
Clish.
Factory fcd Restore set fcd *

Defaults Gaia OS to show fcd *
Factory
Defaults.
Firewall firewall_ Control mgmt *

Managem management Login and
ent Logout from
Managemen
t Server.
Front lcd Control the set lcd *

Panel front panel show lcd *
LCD display
available on
some Check
Point
appliances.
Hardware hw-monitor Hardware show sysenv all

Health sensor cpstat -f sensors os
monitoring.
High high-avail-group Overview

Availability page for
High
Availability.
Host host-access Control add allowed-client *

Access which hosts delete allowed-client *
are allowed show allowed-client *
to connect to
Gaia.
Host host Control add host *

Address known hosts set host *
and their IP delete host *
addresses show host *
on Gaia.


Feature
Description
Portal
Host Name hostname Control the set hostname *

Gaia show hostname *
hostname.
IGMP igmp Control set igmp *

multicast show igmp *
group
membership
s through the
Internet
Group
Managemen
t Protocol
(IGMP).
Inactivity inactto Control set inactivity-timeout *

timeout inactivity show inactivity-timeout *
timeout for
Gaia Portal
and Gaia
Clish.
Inbound import Configure set inbound-route-filter *

Route IPv4
Filters Inbound
Route Filters
for RIP,
OSPFv2,
and BGP
IPv4.
Inbound import6 Configure set ipv6 inbound-route-filter

Route IPv6 *
Filters Inbound
Route Filters
for RIPng,
OSPFv3,
and BGP
IPv6.
Installation ftw Run the Gaia

First Time
Configuratio
n Wizard.


Feature
Description
Portal
Interface interface-name Set a set interface-name *

Naming different
name for an
existing
interface
(requires a
reboot and
reconfigurati
on of the
interface)
IP iphelper Control set iphelper *

Broadcast forwarding of show iphelper *
Helper UDP
broadcast
traffic to
other
interfaces.
IP ipreachdetect Control set ip-reachability-detection

Reachabili reachability *
ty of IP show ip-reachability-detection
Detection Addresses. *
IPv4 Static static-route Configure set static-route *

Routes IPv4 static show route static *
routes on
Gaia.
IPv6 ipv6rdisc6 Control IPv6 set ipv6 rdisc6 *

Router router show ipv6 rdisc6 *
Discovery discovery.
IPv6 State ipv6-state Control IPv6 set ipv6-state *

stack on show ipv6-state
Gaia.
IPv6 Static static6 Control IPv6 set ipv6 static-route *

Routes static routes show ipv6 route static *
on Gaia.
IPv6 VRRP vrrp6 Control the set ipv6 vrrp6 *

IPv6 Virtual show ipv6 vrrp6 *
Router
Redundancy
Protocol
(VRRPv3).


Feature
Description
Portal
Job cron Control add cron *

Scheduler scheduled set cron *
automated delete cron *
tasks that show cron *
perform
actions at a
specific time.
License license_ Access to cplic

Activation activation "Activate
Licenses".
License license Access to cplic

Configurati "Manage
on License".
Lights Out lom Show Lights show lom *

Managem Out
ent (LOM) Managemen
Configurati t (LOM)
on Configuratio
n.
Mail ssmtp Control mail set mail-notification *

Notification notifications show mail-notification *
sent by Gaia.
Maintenan maintenance-group Overview N/A

ce page for
Maintenanc
e.
Managem management_ Control set management *

ent interface which show management *
Interface interface is
used for
managemen
t (main
interface).
NDP neighbor Control IPv6 add neighbor-entry *

Neighbor set neighbor *
Discovery delete neighbor-entry *
Protocol. show neighbor *


Feature
Description
Portal
NetFlow netflow Control add netflow *

Export NetFlow set netflow *
Export on delete netflow *
Gaia. show netflow *
Network netaccess Control set net-access *

Access TELNET show net-access *
access to
Gaia.
Network interface Control set interface *

Interfaces Physical add interface *
interfaces, delete interface *
Aliases, add bonding *
Bridges, set bonding *
Bonds, delete bonding *
VLANs, add bridging *
PPPoE. set bridging *
delete bridging *
add pppoe *
delete pppoe *
set pppoe *
add gre *
delete gre *
show interface *
show interfaces
show bonding *
show bridging *
show pppoe *
show gre *
Network interface-group Overview show interface *

Managem page for show interfaces *
ent Network set interface *
Managemen
t.
NTP ntp Control add ntp *

Network set ntp *
Time delete ntp *
Protocol for show ntp *
synchronizin
g the Gaia
clock.


Feature
Description
Portal
OSPF ospf Control IPv4 set ospf *

dynamic show ospf *
routing show route ospf *
through the
Open
Shortest-
Path First
protocol
(OSPFv2).
OSPF v3 ospf3 Control IPv6 set ipv6 ospf3 *

dynamic set router-id *
routing show ipv6 ospf3 *
through the show ipv6 route ospf3 *
Open show router-id *
Shortest-
Path First
protocol v3
(OSPFv3).
Password password-controls Control set password-controls *

Policy password show password-controls *
and account
policies on
Gaia.
Performan perf Control set multi-queue *

ce Multi-Queue show multi-queue *
Optimizati on Security
on Gateway.
PIM pim Control set pim *

Protocol- show pim *
Independent show mfc *
Multicast
(PIM).
Policy pbr-combine- Control set pbr *

Based static policy based set pbrroute *
Routing routing rules show pbr *
and action show pbrroute *
tables.
Policy pbr-routing-group Overview set pbr *

Routing page for set pbrroute *
Policy Based show pbr *
Routing. show pbrroute *


Feature
Description
Portal
Prefix Lists prefix Control set prefix-tree *

and Prefix Prefix Lists set prefix-list *
Trees and Prefix
Trees used
in routing
policy.
Proxy proxy Control set proxy *

Settings Proxy server delete proxy *
on Gaia. show proxy *
RAID raid-monitor Overview raidconfig

Monitoring page for raid_diagnostic
RAID
volumes
monitoring.
RIP rip Control set rip *

dynamic show rip *
routing
through the
Routing
Information
Protocol for
IPv4 (RIP).
RIPng ripng Control set ipv6 ripng *

dynamic show ipv6 ripng *
routing
through the
Routing
Information
Protocol for
IPv6
(RIPng).
Roles rba Control user add rba *

roles on delete rba *
Gaia. show rba *
Route route Show IPv4 show route *

and IPv6 show ipv6 route *
routing table
on Gaia.


Feature
Description
Portal
Route aggregate Create a set aggregate *

Aggregatio supernet show route aggregate *
n network from
the
combination
of networks
with a
common
routing
prefix.
Route route-injection Control the set kernel-routes *

Injection Route show route kernel *
Mechanis Injection
m Mechanism
(RIM) on
Gaia.
Route Map routemap Configure set routemap *

route maps show routemap *
on Gaia. show routemaps *
Route export Control set route-redistribution *

Redistribut advertiseme
ion nt of IPv4
routing
information
from one
protocol to
another.
Route export6 Control set ipv6 route-redistribution

Redistribut advertiseme *
ion nt of IPv6
routing
information
from one
protocol to
another.
Routed routed-cluster Control how set routed-clusterxl *

ClusterXL RouteD show routed-clusterxl *
daemon
interacts with
ClusterXL on
Gaia.


Feature
Description
Portal
Router rdisc Control set rdisc *

Discovery ICMP Router show rdisc *
Discovery on
Gaia.
Router router-service- Overview

Service group page for
Routing
Services.
Routing show-route-all View show route *

Monitor summary
information
about routes
on Gaia.
Routing route-options Configure set routedsyslog *

Options protocol set trace *
ranks and set tracefile *
trace set max-path-splits *
(debug) set nexthop-selection *
options on set protocol-rank *
Gaia. set router-options *
show trace *
show routed *
show protocol-rank *
show router-options *
SAM sam Deprecated - show sam *

(Accelerat SAM card is
or Card) not
supported.
Monitor
Security
Acceleration
Module for
information
on usage
and
connections.
Scheduled scheduled_backup Create add backup-scheduled *

Backup scheduled set backup-scheduled *
backups of delete backup-scheduled *
the Gaia for show backup-scheduled
events of
data loss.


Feature
Description
Portal
Scratchpa scratchpad Control N/A

d Scratchpad
Configurati in Gaia
on Portal.
Security mgmt-gui-clients Control

Managem allowed
ent GUI Security
Clients Managemen
t GUI Clients.
Shutdown reboot_halt Shut down halt *

and reboot reboot *
the Gaia.
Snapshot snapshot Create full add snapshot *

backups set snapshot *
(snapshots) delete snapshot *
of the Gaia. show snapshots
show snapshot *
SNMP snmp Control Gaia add snmp *

monitoring set snmp *
through the delete snmp *
Simple show snmp *
Network
Managemen
t Protocol
(SNMP).
Software installer_conf CPUSE - For more information, see sk92449.

Updates Manage installer restore_policy *
Policy deployment set installer *
Managem policy and set installer download_mode *
ent mail set installer install_mode *
notifications set installer download_mode
for software schedule *
updates. set installer install_mode
schedule *
Static static-mroute Configure set static-mroute *

Multicast multicast show static-mroute *
Routes static routes
on Gaia.


Feature
Description
Portal
System asset Show show asset *

Asset hardware
asset
summary.
System backup Create add backup *

Backup backup of set backup *
the Gaia backup *
system for restore *
events of delete backup *
data loss. show backups
show backup *
show restore *
System sysconfig System show configuration *

Configurati Configuratio
on n.
System group Control Gaia add group *

Groups OS user set group *
groups, for delete group *
advanced show groups
managemen show group *
t of
privileges.
System syslog Control add syslog *

Logging system set syslog *
logging on delete syslog *
Gaia. show syslog *
System system-group Overview

Managem page for
ent System
Managemen
t.
System sysenv Hardware show sysenv *

Status sensor
monitoring.
TACACS_ tacacs_enable Control tacacs_enable *

Enable TACACS+ show tacacs_enable *
mechanism
on Gaia.


Feature
Description
Portal
Time clock-date Configure set clock *

the time and set date *
date of the set time *
Gaia system. set timezone *
show clock *
show date *
show time *
show timezone *
Upgrade upgrade Upgrade the upgrade *

Gaia. add upgrade *
Deprecated - delete upgrade *
use the show upgrade *
CPUSE
instead.
Upgrades installer CPUSE - For more information, see sk92449.

(CPUSE) Show the show installer *
update add installer *
packages installer *
status and set installer *
manage
package
downloads
and
installations
on Gaia.
Upgrades software-updates- Overview For more information, see sk92449.

(CPUSE) group page for show installer *
CPUSE. set installer *
installer agent *
User security-access- Overview

Managem group page for
ent User
Managemen
t.
Users user Control user add user *

accounts on set user *
Gaia. delete user *
show user *
show users *


Feature
Description
Portal
Version version Shows the show version *

version of
the installed
Check Point
product, and
Gaia build
and kernel.
Virtual- virtual-system Control VSX add virtual-system *

System Virtual set virtual-system *
Systems delete virtual-system *
(CLI only). show virtual-system *
You must
configure all
Virtual
Systems in
SmartConsol
e only.
VPNT vpnt Control VPN add vpn *

Tunneling on set vpn *
Gaia. delete vpn *
VRRP vrrp Control the set vrrp *

IPv4 Virtual add mcvr *
Router set mcvr *
Redundancy delete mcvr *
Protocol show vrrp *
(VRRPv2) - show mcvr *
Monitored
Circuit/Simpli
fied VRRP.
VSX vsx Enable or set vsx *

Disable the show vsx *
VSX mode
(to be used
only by
Check Point
Support
only).
Web web Control Gaia set web *

configurati Portal. generate web *
on show web *

List of Available Extended Commands in Roles

Table: List of Available Extended Commands in Roles
Command name Command name
Description
in Gaia Portal in Gaia Clish
api ext_api Start, stop, or check status of API server
config_system ext_config_ Run Gaia First Time Configuration tool in Expert mode.
system
cp_conf ext_cp_conf Check Point configuration utility for some local settings.
cpca ext_cpca Run Check Point Internal Certificate Authority (ICA).
cpca_client ext_cpca_ Control Check Point Internal Certificate Authority (ICA).

client
cpca_create ext_cpca_ Create Check Point Internal Certificate Authority (ICA)

create database.
cpca_dbutil ext_cpca_ Control Check Point Internal Certificate Authority (ICA)

dbutil database.
cpca_dbutil ext_cpca_ Control Check Point Internal Certificate Authority (ICA)

dbutil database.
cpconfig ext_cpconfig Check Point software configuration utility for Security

Management Server and Security Gateway.
cphaprob ext_cphaprob Access to clustering commands.
cphastart ext_cphastart Enable the clustering feature on Security Gateway.
cphastop ext_cphastop Disable the clustering feature on Security Gateway.
cpinfo ext_cpinfo Collect Check Point diagnostics information.
cplic ext_cplic Control Check Point licenses.
cpshared_ver ext_cpshared_ Show Check Point SVN Foundation version.

ver
cpstart ext_cpstart Start the installed Check Point products.
cpstat ext_cpstat Show Check Point statistics history information for

Software Blades and Gaia.
cpstop ext_cpstop Stop the installed Check Point products.
cpview ext_cpview Show advanced Check Point statistics information for

Software Blades and Gaia in real-time.

Table: List of Available Extended Commands in Roles (continued)

Description
cpwd_admin ext_cpwd_admin Control Check Point WatchDog administration tool.
diag ext_diag Send system diagnostics information.
dtps ext_dtps Control Endpoint Policy Server commands.
etmstart ext_etmstart Start QoS Software Blade.
etmstop ext_etmstop Stop QoS Software Blade.
fgate ext_fgate Control QoS Software Blade.
fips ext_fips Control FIPS mode.
fw ext_fw Access to Security Gateway commands for IPv4.
fw6 ext_fw6 Access to Security Gateway commands for IPv6.
fwaccel ext_fwaccel Access to SecureXL commands for IPv4.
fwaccel6 ext_fwaccel6 Access to SecureXL commands for IPv6.
fwm ext_fwm Access to Security Management Server commands.
ifconfig ext_ifconfig Deprecated. Use "show interface", or "set interface"

commands instead.
ips ext_ips Control IPS Software Blade.
lomipset ext_lomipset Configure LOM card IP address.
LSMcli ext_LSMcli Access to SmartProvisioning command line.
LSMenabler ext_LSMenabler Enable SmartProvisioning.
mds_backup ext_mds_backup Create backup of the Multi-Domain Server.
mds_restore ext_mds_ Restore backup of the Multi-Domain Server.

restore
mdscmd ext_mdscmd Access to Multi-Domain Server command line.
mdsconfig ext_mdsconfig Check Point software configuration utility for Multi-

Domain Server.
mdsstart ext_mdsconfig Check Point software configuration utility for Multi-

Domain Server.
mdsstart ext_mdsstart Start Multi-Domain Server.


Description
mdsstart_ ext_mdsstart_ Start specific Domain Management Server.

customer customer
mdsstat ext_mdsstat Show the status of Multi-Domain Server and all Domain
Management Servers.
mdsstop ext_mdsstop Stop Multi-Domain Server.
mdsstop_ ext_mdsstop_ Stop specific Domain Management Server.

customer customer
netstat ext_netstat Print network connections, routing tables and interface

statistics.
ping ext_ping Ping a host using IPv4.
ping6 ext_ping6 Ping a host using IPv6.
raid_ ext_raid_ Access to RAID Monitoring tool.

diagnostic diagnostic
raidconfig ext_raidconfig Access to RAID Configuration and Monitoring tool.
rtm ext_rtm Control the Monitoring Software Blade.
rtmstart ext_rtmstart Start the Monitoring Software Blade.
rtmstop ext_rtmstop Stop the Monitoring Software Blade.
rtmtopsvc ext_rtmtopsvc Monitor top services using the Monitoring Software

Blade.
SDSUtil ext_SDSUtil Access to Software Distribution Server utility.
sim ext_sim Access to SecureXL SIM device commands for IPv4.
SnortConvertor ext_ Access to IPS Snort conversion tool.

SnortConvertor
tecli ext_tecli Access to Threat Emulation Blade shell.
top ext_top Show the most active system processes.
traceroute ext_traceroute Trace the route to a host.
vpn ext_vpn Control the VPN kernel module for IPv4.
vpn6 ext_vpn6 Control the VPN kernel module for IPv6.


Description
vsx_util ext_vsx_util Control managed VSX Gateways on a Management

Server.

Password Policy
Password Policy
This section explains how to configure your platform:
n To enforce creation of strong passwords.
n To monitor and prevent use of already used passwords.
n To force users to change passwords at regular intervals.
One of the important elements of securing your Check Point cyber security platform is to set user
passwords and create a good password policy.
Note - The password policy does not apply to nonlocal users that authentication
servers such as RADIUS manage their login information and passwords. In addition, it
does not apply to non-password authentication, such as the public key authentication
supported by SSH.
To set and change user passwords, see "Users" on page 306 and "User Management" on page 304.
Password Strength
Strong, unique passwords that use a variety of character types and require password changes, are key
factors in your overall cyber security.
Password History Checks

The password history feature prevents from users using a password they have used before when they
change their password.
The number of already used passwords that this feature checks against is defined by the history length.
Password history check is enabled by default.
The password history check:
n Applies to user passwords set by the administrator and to passwords set by the user.
n Does not apply to SNMPv3 USM user pass phrases.
These are some considerations when using password history:
n The password history for a user is updated only when the user successfully changes password.
If you change the history length, for example: from ten to five, the stored passwords number does
not change.
Next time the user changes password, the new password is examined against all stored passwords,
maybe more than five.
After the password change succeeds, the password file is updated to keep only the five most recent
passwords.
n Passwords history is only stored if the password history feature is enabled when the password is
created.
n The new password is checked against the previous password, even if the previous password is not
stored in the password history.

Password Policy
Mandatory Password Change

The mandatory password change feature requires users to use a new password at defined intervals.
Forcing users to change passwords regularly is important for a strong security policy.
You can set user passwords to expire after a specified number of days.
When a password expires, the user is forced to change the password the next time the user logs in.
This feature works together with the password history check to get users to use new passwords at regular
intervals.
The mandatory password change feature does not apply to SNMPv3 USM user pass phrases.
Deny Access to Unused Accounts

You can deny access to unused accounts. If there were no successful login attempts within a set time, the
user is locked out and cannot log in.
You can also configure the allowed number of days of non-use before a user is locked-out.
Deny Access After Failed Login Attempts

You can deny access after too many failed login attempts. The user cannot log in during a configurable
time.
You can also allow access again after a user was locked out.
In addition, you can configure the number of failed login attempts that a user is allowed before being locked
out.
When one login attempt succeeds, counting of failed attempts stops, and the count is reset to zero.

Configuring Password Policy in Gaia Portal

In This Section:
Procedure 345
Procedure
Step Description
1 In the navigation tree, click User Management > Password Policy .
2 Configure the password policy options:

n Password Strength
n Password History
n Mandatory Password Change
n Deny Access to Unused Accounts
n Deny Access After Failed Login Attempts
See the corresponding sections below.
3 Click Apply .
Password Strength
Minimum The minimum number of characters in a Gaia user, or an SNMP user

Password Length password.
Does not apply to passwords that were already configured.
n Range: 6 - 128
n Default: 6
Disallow A palindrome is a sequence of letters, numbers, or characters that can be read

Palindromes the same in each direction.
n Default: Selected

Password The required number of character types:

Complexity
n 1 - Don't check
n 2 - Require two character types (default)
n 3 - Require three character types
n 4 - Require four character types
Character types are:
n Upper case alphabetic (A-Z)
n Lower case alphabetic (a-z)
n Digits (0-9)
n Other (everything else)
Changes to this setting do not affect existing passwords.
Password History
Check for Check for reuse of passwords for all users.

Password Reuse Enables or disables password history checking and password history recording.
When a user's password is changed, the new password is checked against the
recent passwords for the user.
An identical password is not allowed. The number of passwords kept in the
record is set by History Length.
Does not apply to SNMP passwords.
n Default: Selected
History Length The number of former passwords to keep and check against when a new
password is configured for a user.
n Range: 1 - 1000
n Default: 10
Password Expiration The number of days, for which a password is valid. After that time, the
password expires.
The count starts when the user changes the password.
Users are required to change an expired password the next time they
log in.
Does not apply to SNMP users.
n Range: 1 - 1827, or Passwords never expires
n Default: Passwords never expires

Warn users before password How many days before the user's password expires to start
expiration generating warnings to the user that user must change the password.
A user that does not log in, does not see this warning.
n Range: 1 - 366
n Default: 7
Lockout users after Lockout users after password expiration.

password expiration After a user's password has expired, user has this number of days to
log in and change it.
If a user does not change the password within that number of days,
the user is unable to log in - the user is locked out.
The administrator can unlock a user that is locked out from the User
Management > Users page.
n Range: 1 - 1827, or Never lockout users after
password expires
n Default: Never lockout users after password
expires
Force users to change Forces a user to change password at first login, after the user's
password at first login after password was changed using the command "set user
password was changed from <UserName> password", or from the Gaia Portal User
Users page Management > Users page.
n Default: Not selected
Deny access to unused Denies access to unused accounts.

accounts If there were no successful login attempts within a set time, the user is
locked out and cannot log in.
Days of non-use before Configures the number of days of non-use before locking out the unused
lock-out account.
This only takes effect, if Deny access to unused accounts is enabled.
n Range: 30 - 1827
n Default: 365

Deny access after If the configured limit is reached, the user is locked out (unable to log in) for a
failed login attempts configured time.
Warning - Enabling this leaves you open to a "denial of service" - if
an attacker makes unsuccessful login attempts often enough, the
affected user account is locked out. Consider the advantages and
disadvantages of this option, in light of your security policy, before
enabling it.
Block admin user This option is available only if Deny access after failed login attempts is
enabled.
If the configured limit of failed login attempts for the admin user is reached,
the admin user is locked out (unable to log in) for a configured time.
Maximum number of This only takes effect if Deny access after failed attempts is enabled.
failed attempts The number of failed login attempts that a user is allowed before being
allowed locked out.
After making that many successive failed attempts, future attempts fail.
When one login attempt succeeds, counting of failed attempts stops, and the
count is reset to zero.
n Range: 2 - 1000
n Default: 10
Allow access again This only takes effect, if Deny access after failed login attempts is
after time enabled.
Allow access again after a user was locked out (due to failed login attempts).
The user is allowed access after the configured time, if there were no login
attempts during that time.
n Range: 60 - 604800 seconds
n Default: 1200 seconds (20 minutes)
Examples:
n 60 = 1 minute
n 300 = 5 minutes
n 3600 = 1 hour
n 86400 = 1 day
n 604800 = 1 week

Configuring Password Policy in Gaia Clish

In This Section:

Use these commands to configure a policy for managing user passwords.
Password Strength
Syntax
n To configure the password strength:
set password-controls
complexity <1-4>
min-password-length <6-128>
palindrome-check {on |off}
n To show the configured password strength:
show password-controls
complexity
min-password-length
palindrome-check
show password-controls all

Parameters
complexity <1-4> The required number of character types:

n 1 - Don't check
n 2 - Require two character types (default)
n 3 - Require three character types
n 4 - Require four character types
Character types are:
n Upper case alphabetic (A-Z)
n Lower case alphabetic (a-z)
n Digits (0-9)
n Other (everything else)
Changes to this setting do not affect existing passwords.
n Range: 1 - 4
n Default: 2
min-password- The minimum number of characters in a Gaia user, or an SNMP user

length <6-128> password.
Does not apply to passwords that were already configured.
n Range: 6 - 128
n Default: 2
palindrome-check A palindrome is a sequence of letters, numbers, or characters that can

{on | off} be read the same in each direction.
n Range: on, or off

n Default: on
Password History
Syntax
n To configure the password history:
history-checking {on | off}
history-length <1-1000>
n To show the configured password history:
history-checking
history-length

Parameters
history- Check for reuse of passwords for all users.

checking Enables or disables password history checking and password history recording.
{on | When a user's password is changed, the new password is checked against the
off} recent passwords for the user. An identical password is not allowed. The number of
passwords kept in the record is set by history-length.
Does not apply to SNMP passwords.
n Range: on, or off
n Default: on
history- The number of former passwords to keep and check against when a new password
length is configured for a user.
<1-1000>
n Range: 1 - 1000
n Default: 10

Syntax
n To configure the mandatory password change:
expiration-lockout-days <1-1827 | never>
expiration-warning-days <1-366>
force-change-when {no | password}
password-expiration <1-1827 | never>
n To show the configured mandatory password change:
expiration-lockout-days
expiration-warning-days
force-change-when
password-expiration

Parameters
expiration- Lockout users after password expiration.

lockout-days After a user's password has expired, user has this number of days to log in
<1-1827 | and change it.
never> If a user does not change the password within that number of days, the user
is unable to log in - the user is locked out.
The administrator can unlock a user that is locked out from the User
Management > Users page.
n Range: 1 - 1827, or never
n Default: never
expiration- How many days before the user's password expires to start generating
warning-days warnings to the user that user must change the password.
<1-366> A user that does not log in, does not see this warning.
n Range: 1 - 366
n Default: 7
force-change- Forces a user to change password at first login, after the user's password
when {no | was changed using the command "set user <UserName> password",
password} or from the Gaia Portal User Management > Users page.
n Range:
l no - Disables this functionality.
l password - Forces users to change their password after their
password was changed.

n Default: no
password- The number of days, for which a password is valid. After that time, the
expiration password expires.
<1-1827 | The count starts when the user changes the password.
never> Users are required to change an expired password the next time they log in.
Does not apply to SNMP users.
n Range: 1-1827, or never
n Default: never


Syntax
n To configure the denial of access to unused accounts based on the number of days:
set password-controls deny-on-nonuse

allowed-days <30-1827>
enable {on | off}
n To show the configured denial of access to unused accounts:
show password-controls deny-on-nonuse
Parameters
deny-on-nonuse Configures the number of days of non-use before locking out the
allowed-days <30- unused account.
1827> This only takes effect, if the "set password-controls deny-
on-nonuse enable" is set to "on".
n Range: 30 - 1827
n Default: 365
deny-on-nonuse Denies access to unused accounts. If there were no successful login

enable {on | off} attempts within a set time, the user is locked out and cannot log in.
n Range: on, or off

n Default: off


Syntax
n To configure the denial of access to unused accounts based on the number of failed login
attempts:
set password-controls deny-on-fail

allow-after <60-604800>
block-admin {on | off}
enable {on | off}
failures-allowed <2-1000>
n To show the configured denial of access to unused accounts:
show password-controls deny-on-fail
Parameters
allow-after Allow access again after a user was locked out (due to failed login attempts).
<60-604800> The user is allowed access after the configured time, if there were no login
attempts during that time.
n Range: 60 - 604800 seconds
n Default: 1200 seconds (20 minutes)
Examples:
n 60 = 1 minute
n 300 = 5 minutes
n 3600 = 1 hour
n 86400 = 1 day
n 604800 = 1 week
block-admin This only takes effect if "set password-controls deny-on-fail

{on | off} enable" is set to "on".
If the configured limit of failed login attempts for the admin user is reached,
the admin user is locked out (unable to log in) for a configured time.
n Range: on, or off

n Default: off

enable {on | If the configured limit is reached, the user is locked out (unable to log in) for a
off} configured time.
Warning - Enabling this leaves you open to a "denial of service" - if
an attacker makes unsuccessful login attempts often enough, the
affected user account is locked out. Consider the advantages and
disadvantages of this option, in light of your security policy, before
enabling it.
n Range: on, or off

n Default: off
failures- This only takes effect if "set password-controls deny-on-fail

allowed <2- enable" is set to "on".
1000> The number of failed login attempts that a user is allowed before being locked
out.
After making that many successive failed attempts, future attempts fail.
When one login attempt succeeds, counting of failed attempts stops, and the
count is reset to zero,
n Range: 2 - 1000
n Default: 10

Monitoring Password Policy in Gaia Clish
Monitoring Password Policy in Gaia Clish

Syntax
all
complexity
deny-on-fail
allow-after
block-admin
enable
failures-allowed
deny-on-nonuse
allowed-days
enable
expiration-lockout-days
expiration-warning-days
force-change-when
history-checking
history-length
min-password-length
palindrome-check
password-expiration
Example
gaia> show password-controls all
Password Strength
Minimum Password Length 6
Password Complexity 2
Password Palindrome Check on
Password History
Password History Checking off
Password History Length 10

Password Expiration Lifetime 5
Password Expiration Warning Days 8
Password Expiration Lockout Days never
Force Password Change When no
Configuration Deny Access to Unused Accounts

Deny Access to Unused Accounts off
Days Nonuse Before Lockout 365
gaia>

Authentication Servers
Authentication Servers
You can configure Gaia to authenticate Gaia users even when they are not defined locally.
This is a good way of centrally managing the credentials of multiple Security Gateways.
To define non-local Gaia users, you define Gaia as a client of an authentication server.
Gaia supports these types of authentication servers:
Server Description
RADIUS RADIUS (Remote Authentication Dial-In User Service) is a client/server authentication

system that supports remote-access applications. User profiles are kept in a central
database on a RADIUS authentication server. Client computers or applications connect to
the RADIUS server to authenticate users.
You can configure your Gaia computer to connect to more than one RADIUS server. If the
first server in the list is unavailable, the next RADIUS server in the priority list connects.
TACACS+ The TACACS+ (Terminal Access Controller Access Control System) authentication
protocol users a remote server to authenticate users for Gaia. All information sent to the
TACACS+ server is encrypted.
Gaia supports TACACS+ for authentication only. Challenge-response authentication,
such as S/Key, is not supported.
You can configure TACACS+ support separately for different services. The Gaia Portal
service is one of those, for which TACACS+ is supported and is configured as the
HTTP service. When TACACS+ is configured for use with a service, Gaia contacts the
TACACS+ server each time it needs to examine a user password. If the server fails or is
unreachable, the user is authenticated via local password mechanism. If the user fails to
authenticate via the local mechanism, the user is not allowed access.
Note - For TACACS authentication to work on a Virtual System, see the R81 VSX
Administration Guide.

Configuring RADIUS Servers

In This Section:
Configuring RADIUS Servers in Gaia Portal 358

Configuring RADIUS Servers in Gaia Clish 360
Configuring RADIUS Servers in Gaia Portal

To configure a RADIUS server
Step Description
1 In the navigation tree, click User Management > Authentication Servers .
2 In the RADIUS Servers section, click Add.
3 Enter the RADIUS Server parameters:
n Priority
The RADIUS server priority is an integer between -999 and 999 (default is 0).
When there two or more configured RADIUS servers, Gaia connects to the RADIUS server with the
highest priority.
Low numbers have the higher priority.
n Host
Host name or IP address (IPv4 or IPv6) of RADIUS server.
n UDP Port
UDP port used on RADIUS server.
The default port is 1812 as specified by the RADIUS standard.
The range of valid port numbers is from 1 to 65535.
Port 1645 is non-standard, but is commonly used as alternative to port 1812.
Warning - Firewall software frequently blocks traffic on port 1812. Make sure that you
define a Firewall rule to allow traffic on UDP port 1812 between the RADIUS server and
Gaia.
n Shared Secret
Shared secret used for authentication between the RADIUS server and the Gaia client.
Enter the shared secret text string up to 256 characters, without any whitespace characters and
without a backslash.
Make sure that the shared string defined on the Gaia matches the shared string defined on the
RADIUS server.
RFC 2865 recommends that the secret be at least 16 characters in length.
Some RADIUS servers have a maximum string length for shared secret of 15 or 16 characters.
See the documentation for your RADIUS server.
n Timeout in
Optional: Enter the timeout in seconds (from 1 to 5), during which Gaia waits for the RADIUS server
to respond. The default value is 3.
If there is no response after the configured timeout, Gaia tries to connect to a different configured
RADIUS server.
Set this timeout, so that the sum of all RADIUS server timeouts is less than 50.
4 Click OK.

Step Description
5 Optional: Select the Network Access Server (NAS) IP address.

This setting applies to all configured RADIUS servers.
This parameter records the IP address, from which Gaia sends the RADIUS packet.
This IP address is stored in the RADIUS packet, even when the packet goes through NAT, or some other address translation that changes the
source IP address of the packet.
The "NAS-IP-Address" is defined in RFC 2865.
If no NAS IP Address is chosen, the IPv4 address of the Gaia Management Interface is used (click Network Management > Network
Interfaces > see the Management Interface section).
6 Optional: Select RADIUS Users Default Shell (for details about the shells, see "Users" on page 306).
7 Optional: Select the Super User ID - 0 or 96.

If the UID is 0, there is no need to run the sudo command to get super user permissions (see "Configuring RADIUS Servers for Non-
Local Gaia Users" on page 364).
8 Click Apply .
To edit a RADIUS server
Step Description
2 Select the RADIUS server.
3 Click Edit.
4 You can edit only the Host, UDP Port, Shared secret, and Timeout.
5 Click OK.
To delete a RADIUS server
Step Description
2 Select the RADIUS server.
3 Click Delete.

Configuring RADIUS Servers in Gaia Clish
Description
Use the "aaa radius-servers" commands to add, configure, and delete Radius authentication
servers.
Syntax
To configure RADIUS for use in a single authentication profile

add aaa radius-servers priority <Priority> host <Hostname, or IP
Address of RADIUS Server> [port <1-65535>]
prompt-secret timeout <1-50>
secret <Shared Secret> timeout <1-50>
To change the configuration of a specific RADIUS server

set aaa radius-servers priority <Priority>
host <Hostname, or IP Address of RADIUS Server>
new-priority <New Priority>
port <1-65535>
prompt-secret
secret <Shared Secret>
timeout <1-50>
To change the configuration that applies to all configured RADIUS servers

set aaa radius-servers
NAS-IP<SPACE><TAB>
default-shell<SPACE><TAB>
super-user-uid <0 | 96>
To show a list of all configured RADIUS servers associated with an authentication profile
show aaa radius-servers list
To show the configuration of a specific RADIUS server

show aaa radius-servers priority <Priority>
host
port
timeout
To show the configuration that applies to all configured RADIUS servers

show aaa radius-servers
NAS-IP
default-shell
super-user-uid
To delete a specific RADIUS server

delete aaa radius-servers
priority <Priority>

To delete the configuration that applies to all configured RADIUS servers

delete aaa radius-servers
NAS-IP
Parameters
CLI Parameters
priority Configures the RADIUS server priority. Enter an integer between -999
<Priority> and 999 (default is 0).
When there two or more configured RADIUS servers, Gaia connects to
the RADIUS server with the highest priority.
Low numbers have the higher priority.
new-priority <New Configures the new priority for the RADIUS server.
Priority>
host <Hostname, or Configures the Host name or IP address (IPv4 or IPv6) of RADIUS
IP Address of server.
RADIUS Server>
port <1-65535> Configures the UDP port used on RADIUS server.

The default port is 1812 as specified by the RADIUS standard.
The range of valid port numbers is from 1 to 65535. Port 1645 is non-
standard, but is commonly used as alternative to port 1812.
Warning - Firewall software frequently blocks traffic on port
1812. Make sure that you define a Firewall rule to allow
traffic on UDP port 1812 between the RADIUS server and
Gaia.
prompt secret The system will prompt you to enter the Shared Secret.
secret <Shared Configures the shared secret used for authentication between the
Secret> RADIUS server and the Gaia.
Enter the shared secret text string up to 256 characters, without any
whitespace characters and without a backslash.
Make sure that the shared string defined on the Gaia matches the
shared string defined on the RADIUS server.
RFC 2865 recommends that the secret be at least 16 characters in
length.
Some RADIUS servers have a maximum string length for shared
secret of 15 or 16 characters.
See the documentation for your RADIUS server.

timeout <1-50> Configures the timeout in seconds (from 1 to 5), during which Gaia
waits for the RADIUS server to respond.
The default value is 3.
If there is no response after the configured timeout, Gaia tries to
connect to a different configured RADIUS server.
Set this timeout, so that the sum of all RADIUS server timeouts is less
than 50.
default- Optional: Configures the default shell for RADIUS Users (for details
shell<SPACE><TAB> about the shells, see "Users" on page 306).
super-user-uid <0 Optional: Configures the UID for the RADIUS super user.
| 96> If the UID is 0, there is no need to run the sudo command to get super
user permissions (see "Configuring RADIUS Servers for Non-Local
Gaia Users" on page 364).
NAS-IP<SPACE><TAB> Optional: This parameter records the IP address, from which Gaia
sends the RADIUS packet.
This IP address is stored in the RADIUS packet, even when the packet
goes through NAT, or some other address translation that changes the
source IP address of the packet.
The "NAS-IP-Address" is defined in RFC2865.
If no NAS IP Address is chosen, the IPv4 address of the Gaia
Management Interface is used (run the "show management
interface" command).

Configuring Gaia as a RADIUS Client
Configuring Gaia as a RADIUS Client

Gaia acts as a RADIUS client. You must define a role for the RADIUS client, and the features for that role.
To allow login with non-local users to Gaia, you must define a default Gaia role for all non-local users that
are configured in the RADIUS server.
The default role can include a combination of:
n Administrative (read/write) access to some features
n Monitoring (read-only) access to other features
n No access to other features.
To configure Gaia as a RADIUS Client
Step Description
1 Define the role for the RADIUS client:

n If no group is defined on the RADIUS server for the client, define this role:
radius-group-any
n If a group is defined on RADIUS server for the client (group XXX, for example), define
this role:
radius-group-<XXX>
2 Define the features for the role.
Example for Gaia Clish
gaia> add rba role radius-group-any domain-type System readonly-

features arp
For instructions, see "Roles" on page 314.
Note - Do not define a new user for external users. An external user is one that is
defined on an authentication server (such as RADIUS or TACACS), and not on the
local Gaia system.

Configuring RADIUS Servers for Non-Local Gaia Users

Non-local users can be defined on a RADIUS server and not in Gaia.
When a non-local user logs in to Gaia, the RADIUS server authenticates the user and assigns the
applicable permissions.
You must configure the RADIUS server to correctly authenticate and authorize non-local users.
Important - If you define a RADIUS user with a null password (on the RADIUS server),
Gaia cannot authenticate that user.
To configure a RADIUS server for non-local Gaia users
In addition, see sk72940.
Step Instructions
1 Copy the applicable dictionary file to your RADIUS server.
Example for the "Steel-Belted RADIUS server "
a. Copy this file from the Gaia to the RADIUS server:

/etc/radius-dictionaries/checkpoint.dct
b. Add these lines to the vendor.ini file on the RADIUS server (keep in alphabetical
order with the other vendor products in this file):
vendor-product = Check Point Gaia
dictionary = nokiaipso
ignore-ports = no
port-number-usage = per-port-type
help-id = 2000
c. Add this line to the dictiona.dcm file:
"@checkpoint.dct"
Example for the "FreeRADIUS server "
a. Copy this file from the Gaia to the RADIUS server to the /etc/freeradius/
directory:
/etc/radius-dictionaries/dictionary.checkpoint
b. Add this line to the /etc/freeradius/dictionary file:
"$INCLUDE dictionary.checkpoint"
Example for the "OpenRADIUS server "
a. Copy this file from the Gaia to the RADIUS server to the
/etc/openradius/subdicts/ directory:
/etc/radius-dictionaries/dict.checkpoint
b. Add this line /etc/openradius/dictionaries file immediately after the
dict.ascend:
$include subdicts/dict.checkpoint

Step Instructions
2 Define the user roles on Gaia.

Add this Check Point Vendor-Specific Attribute to users in your RADIUS server user
configuration file:
CP-Gaia-User-Role = "role1,role2,...
For example:
CP-Gaia-User-Role = "adminrole, backuprole, securityrole"
3 Define the Check Point users that must have superuser access to the Gaia shell.
Add this Check Point Vendor-Specific Attribute to users in your RADIUS server user
configuration file:
n If this user should not receive superuser permissions:
CP-Gaia-SuperUser-Access = 0
n If this user can receive superuser permissions:
CP-Gaia-SuperUser-Access = 1
To log in as a superuser
A user with super user permissions can use the Gaia shell to do system-level operations, including
working with the file system.
Super user permissions are defined in the Check Point Vendor-Specific Attributes.
Users that have a UID of 0 have super user permissions.
They can run all the commands that the root user can run.
Users that have a UID of 96 must run the sudo command to get super user permissions.
The UIDs of all non-local users are defined in the /etc/passwd file.
To get super user permissions (for users that have a UID of 96)
Step Description
3 Run:
sudo /usr/bin/su -
The user now has superuser permissions.

Configuring TACACS+ Servers

In This Section:
Configuring TACACS+ Servers in Gaia Portal 366

Configuring TACACS+ Servers in Gaia Clish 369
Checking if the Logged In User is Enabled for TACACS+ 371
Configuring TACACS+ Servers in Gaia Portal

To configure a TACACS+ server
Step Description
2 In the TACACS+ Configuration section, select Enable TACACS+ authentication.

This setting applies to all configured TACACS+ servers.
3 Click Apply .
4 In the TACACS+ Servers section, click Add.

Step Description
5 Configure the TACACS+ parameters:

n Priority
The priority of the TACACS+ server - from 1 to 20.
Must be unique for this operating system.
Gaia uses the priority:
l To determine the order, in which Gaia connects to the TACACS+ servers.
First, Gaia connects to the TACACS+ server with the lowest priority number.
For example: Three TACACS+ servers have a priority of 1, 5, and 10
respectively.
Gaia connects to these TACACS+ servers in that order, and uses the first
TACACS+ server that responds.
l To identify the TACACS+ server in commands. A command with priority 1
applies to the TACACS+ server with priority 1.

n Server
IPv4 address of the TACACS+ server.
n Shared Key
The Shared Secret used for authentication between the TACACS+ server and Gaia.
Enter the shared secret text string up to 256 characters, without any whitespace
characters and without a backslash.
Make sure that the shared string defined on the Gaia matches the shared string
defined on the TACACS+ server.
n Timeout in Seconds
Enter the timeout in seconds (from 1 to 60), during which Gaia waits for the TACACS+
server to respond.
The default value is 5.
If there is no response after the configured timeout, Gaia tries to connect to a different
configured TACACS+ server.
6 Click OK.
7 Optional: In the TACACS+ Servers Advanced Configuration section, select the User UID
- 0, or 96 and click Apply .
To disable TACACS+ authentication
Step Description
2 In the TACACS+ configuration section, clear Enable TACACS+ authentication.

3 Click Apply .

To delete a TACACS+ server
Step Description
2 In the TACACS+ Servers section, select a TACACS+ server.
3 Click Delete.

Configuring TACACS+ Servers in Gaia Clish
Syntax
To configure TACACS+ server for use in a single authentication profile

add aaa tacacs-servers priority <Priority> server <IPv4 Address of
TACACS+ Server> key <Shared Secret> timeout <1-60>
To change the configuration of a specific TACACS+ server

set aaa tacacs-servers priority <Priority>
server <IPv4 Address of TACACS+ Server>
new-priority <New Priority>
key <Shared Secret>
timeout <1-60>
To change the configuration that applies to all configured TACACS+ servers

set aaa tacacs-servers
state {on | off}
user-uid <0 | 96>
To show a list of all configured TACACS+ servers associated with an authentication profile
show aaa tacacs-servers list
To show the configuration of a specific TACACS+ server

show aaa tacacs-servers priority <Priority>
server
timeout
To show the configuration that applies to all configured TACACS+ servers

show aaa tacacs-servers
state
user-uid
To delete a specific RADIUS server

delete aaa tacacs-servers
priority <Priority>
To delete the configuration that applies to all configured TACACS+ servers

delete aaa tacacs-servers
NAS-IP

Parameters
CLI Parameters
priority <Priority> The priority of the TACACS+ server - from 1 to 20.

Must be unique for this operating system.
The priority is used:
n To determine the order, in which Gaia connects to the
TACACS+ servers.
First, Gaia connects to the TACACS+ server with the lowest
priority number.
For example: Three TACACS+ servers have a priority of 1, 5,
and 10 respectively.
Gaia connects to these TACACS+ servers in that order, and
uses the first TACACS+ server that responds.
n To identify the TACACS+ server in commands. A command
with priority 1 applies to the TACACS+ server with
priority 1.
Values:
n Range: 1 - 20
n Default: No default
server <IPv4 Address IPv4 address of the TACACS+ server.

of TACACS+ Server>
key <Shared Secret> The Shared Secret used for authentication between the TACACS+
server and Gaia.
Enter the shared secret text string up to 256 characters, without any
whitespace characters and without a backslash.
Make sure that the shared string defined on the Gaia matches the
shared string defined on the TACACS+ server.
timeout <1-60> Enter the timeout in seconds, during which Gaia waits for the
TACACS+ server to respond.
If there is no response after the configured timeout, Gaia tries to
connect to a different configured TACACS+ server.
n Range: 1 - 60
n Default: 5
new-priority <New Configures the new priority for the TACACS+ server.
Priority>
state {on | off} Configures the state of TACACS+ authentication.

n Range: on, or off
n Default: off

Example
gaia> set aaa tacacs-servers priority 2 server 10.10.10.99 key
MySharedSecretKey timeout 10
Checking if the Logged In User is Enabled for TACACS+

Procedure
Step Description
3 Run:
show tacacs_enable

Configuring Gaia as a TACACS+ Client

Gaia acts as a TACACS+ client for Gaia users that are defined on the TACACS+ server and are not defined
locally on Gaia.
The admin user must define a role called TACP-0 for the TACACS+ users, and the allowed features for
the TACP-0 role.
Privilege Escalation
The Gaia admin user can define roles that make it possible for Gaia users to get temporarily higher
privileges, than their regular privileges.
For example, Gaia user Fred needs to configure the interfaces, but his role does not support interfaces
configuration. To configure the interfaces, Fred enters his user name together with a password given
him by the admin user. This password lets him change his default role to the role that allows him to
configure the interfaces.
There are sixteen different privilege levels (0 - 15) defined in TACACS+.
Each level can be mapped to a different Gaia role.
For example:
n Privilege level 0 - monitor-only
n Privilege level 1 - basic network configuration
n Privilege level 15 - admin user
By default, all non-local TACACS+ Gaia users are assigned the role TACP-0.
The Gaia admin can define for them roles with the name TACP-N that give them different privileges,
where N is a privilege level - a number from 1 to 15.
The TACACS+ users can changes their own privileges by moving to another TACP-N role.
To do this, the TACACS+ users need to get a password from the Gaia admin user.
To configure Gaia as a TACACS+ Client
Step Description
1 Connect to Gaia OS as the admin user.
2 Define the role TACP-0.
3 Define the features for the role.

For instructions, see "Roles" on page 314.
4 Optional: Define one or more roles with the name TACP-N where N is a privilege level - a
number from 1 to 15, and define the features for each role.
To raise "TACP" privileges
You can raise the "TACP" privileges in either Gaia Portal, or Gaia Clish.

Raising "TACP" privileges in Gaia Portal
Step Description
1 In your web browser, connect to Gaia Portal.
2 Enter the username and password of the TACACS+ user.

After the TACACS server authentication, you have the privileges of the TACP-0 role.
3 To raise the privileges to the TACP-N role (N is a number from 1 to 15), click Enable at the
top of the Overview page.
4 Enter the password for the user.
Raising "TACP" privileges in Gaia Clish
Step Description
1 Connect to the command line.
2 Log in to the Gaia Clish using the username and password of the TACACS+ user.
3 After you are authenticated by the TACACS server, you get the Gaia Clish prompt.
At this point, you have the privileges of the TACP-0 role.
Run:
tacacs_enable TACP-<N>
Where N is the new TACP role (an integer from 1 to 15).
4 When prompted, enter the applicable password.
To go back to the TACP-0 role, press CTRL+D, or enter exit at the command prompt.
The user automatically exits the current shell and goes back to TACP-0.
Note - Do not define a new user for external users. An external user is one that is
defined on an authentication server (such as RADIUS, or TACACS), and not on the
local Gaia system.
To show if the currently logged in user is authenticated by TACACS+
Step Description
3 Run:
show tacacs_enable

Configuring TACACS+ Servers for Non-Local Gaia Users
Configuring TACACS+ Servers for Non-Local Gaia Users

You can define Gaia users on a TACACS server instead of defining them on the Gaia computer.
Gaia users that are defined on a TACACS server are called non-local users.
Cisco ACS servers are the most commonly used TACACS+ servers.
For help with the configuration of a Cisco ACS server as a TACACS+ server for Gaia clients, see sk98733
(as an example of best practices and not a replacement for the official Cisco documentation).
When a non-local user logs in to Gaia, the TACACS server authenticates the user and assigns the
permissions to the user.
You must configure the TACACS server to correctly authenticate and authorize non-local Gaia users.
Important - If you define a TACACS user with a null password (on the TACACS server),
Gaia cannot authenticate that user.

System Groups
System Groups
In This Section:
Introduction 375
Configuring System Groups in Gaia Portal 376
Configuring System Groups in Gaia Clish 378
Introduction
You can define and configure groups with Gaia as you can with equivalent Linux-based systems.
This function is retained in Gaia for advanced applications and for retaining compatibility with Linux.
Use groups for these purposes:
n Specify Linux file permissions.
n Control who can log in through SSH.
For other functions that are related to groups, use the role-based administration feature, described in
"Roles" on page 314.
All users are assigned by default to the users group. You can edit a user's primary group ID (using Gaia
Clish) to be something other than the default. However, you can still add the user to the users group. The
list of members of the users group includes only users, who are explicitly added to the group. The list of
does not include users added by default.

System Groups
Configuring System Groups in Gaia Portal

To see a list of all groups
In the navigation tree, click User Management > System Groups .
To add a System Group
Step Description
1 In the navigation tree, click User Management > System Groups .
2 Click Add.
3 In the Group Name field, enter the applicable unique name - between 1 and 16
alphanumeric characters without spaces.
4 In the Group ID field, enter a unique Group ID number - between 101 and 65530:
n Group ID range 0-100 and range 65531-65535 are reserved for system use.
n Group ID 0 is reserved for users with root permissions.
n Group ID 10 is reserved for the predefined Users groups.
If you specify a value in the reserved ranges, an error message is displayed.
5 Click OK.
To add a user to a System Group
Step Description
2 Select the System Group.
3 Click Edit.
4 In the Available Members list, select a user.


b. Left-click the applicable users.
The selected users become highlighted.
5 Click Add > .

The selected users move to the Members of Group list.
6 Click OK.

System Groups
To remove a user from a System Group
Step Description
3 Click Edit.
4 In the Members of Group list, select a user.

a. Press and hold the Ctrl key on the keyboard.

b. Left-click the applicable users.
The selected users become highlighted.
5 Click Add > .

The selected users move to the Available Members list.
6 Click OK.
To delete a System Group
Step Description
3 Click Delete.

System Groups
Configuring System Groups in Gaia Clish

Syntax
To add a System Group

add group <Group Name> gid <Group ID>
To add a user to a System Group

add group <Group Name> member<SPACE><TAB>
add group <Group Name> member <UserName>
To change the Group ID of a System Group

set group <Group Name> gid <Group ID>
To show users in a System Group

show group <Group Name>
To show all configured System Groups

show groups
To remove a user from a System Group

delete group <Group Name> member<SPACE><TAB>
delete group <Group Name> member <UserName>
To delete a System Group

delete group <Group Name>
Parameters
CLI Parameters
group <Group Unique name of System Group - between 1 and 16 alphanumeric

Name> characters without spaces

System Groups
gid <Group ID> Unique Group ID number - between 101 and 65530:
n Group ID range 0-100 and range 65531-65535 are reserved for
system use.
n Group ID 0 is reserved for users with root permissions.
n Group ID 10 is reserved for the predefined Users groups.
If you specify a value in the reserved ranges, an error message is displayed.
member Name of an existing user.

<UserName>

GUI Clients
GUI Clients
In This Section:
Configuring GUI Clients in Gaia Portal 380

Configuring GUI Clients in Command Line 381
If this is a Security Management Server, you can configure which computers can connect to this Security
Management Server with SmartConsole.
Note - This section does not show, if this is a Multi-Domain Server.
Configuring GUI Clients in Gaia Portal

Step Description
1 In the navigation tree, click User Management > GUI Clients .
2 Click Add.
The Add GUI Client window opens.
3 Define the GUI clients (trusted hosts).

These are the values:
n Any IP Address
All clients are allowed to log in, regardless of their IP address.
This option only shows if Any was not defined during the initial
configuration.
n This machine - IP address
n Network
n Range of IPv4 addresses

GUI Clients
Configuring GUI Clients in Command Line

Step Description
1 Connect to the command line on the Security Management Server.
2 Run:
cpconfig
For more information, see the R81 CLI Reference Guide > Chapter Security Management
Server Commands > Section cpconfig.
3 Enter 3 for the GUI Clients option.
4 A list of hosts selected to be GUI clients shows.

You can add or delete hosts, or create a new list.
You can add new GUI clients in these formats:
n IP address - One computer defined by its IPv4 or IPv6 address.
n Machine name - One computer defined by its hostname.
n "Any" - An IPv4 address without restriction.
You must:
a. Enter the word Any with capital letter "A"
b. Press the Enter key
c. Press the CTRL+D keys.
n IP/Netmask - A range of IPv4 addresses (for example,
192.168.10.0/255.255.255.0) or IPv6 addresses (for example, 2001::1/128).
n A range of addresses - A limited range of IPv4 addresses (for example,
192.168.10.8-192.168.10.16), or IPv6 addresses (for example, 2001::1-
2001::10).
n Wild cards (IPv4 only) - A limited range of IPv4 addresses only (for example,
192.168.10.*).

High Availability
High Availability
In This Section:
Understanding VRRP 382

VRRP Terminology 383
VRRP on Gaia OS 384
VRRP Configuration Methods 385
Monitoring of VRRP Interfaces 385
How VRRP Failover Works 386
Typical VRRP Use Cases 387
Understanding VRRP
Virtual Routing Redundancy Protocol (VRRP) is a high-availability solution, where two Gaia Security
Gateways can provide backup for each other. Gaia offers two ways to configure VRRP:
n Monitored Circuit/Simplified VRRP - All the VRRP interfaces automatically monitor other VRRP
interfaces.
n Advanced VRRP - Every VRRP interface must be explicitly configured to monitor every other VRRP
interface.
Important:
n You cannot have a Standalone deployment (Security Gateway and Security
Management Server on the same computer) in a Gaia VRRP cluster.
n You cannot use both the Monitored Circuit/Simplified VRRP and Advanced
VRRP together on the same Cluster Member.
Virtual Router Redundancy Protocol (VRRP) provides dynamic failover of IP addresses from one router to
another in the event of failure. This increases the availability and reliability of routing paths through
gateway selections on an IP network. Each VRRP router has a unique identifier known as the Virtual
Router Identifier (VRID), which is associated with at least one Virtual IP Address (VIP). Neighboring
network nodes connect to the VIP as a next hop in a route or as a final destination. Gaia supports VRRP as
defined in RFC 3768.

High Availability
VRRP Terminology
The conceptual information and procedures in this chapter use standard VRRP terminology.
This glossary contains basic VRRP terminology and a reference to related Check Point ClusterXL terms.
VRRP ClusterXL
Definition
Term Term
VRRP Cluster A group of Security Gateways that provides redundancy.

Cluster
VRRP Member A Security Gateway using the VRRP protocol that is a member of one or more
Router Virtual Router. In this guide, a VRRP Router is commonly called a Security
Gateway.
Master Active The Security Gateway (Security Gateway) that handles traffic to and from a
Virtual Router. The Master is the Security Gateway with the highest priority in
a group. The Master inspects traffic and enforces the security policy.
Backup Standby A redundant Security Gateway (Security Gateway) that is available to take
over for the Master in the event of a failure.
VRID Cluster Unique Virtual Router identifier The VRID is the also last byte of the MAC
name address.
VIP Cluster Virtual IP address assigned to a Virtual Router. VIPs are routable from
Virtual IP internal and/or external network resources.
address
The VIP is called Backup Address in the Gaia Portal.
VMAC VMAC Virtual MAC address assigned to a Virtual Router.
VRRP Failover Automatic change over to a backup Security Gateway when the primary
Transition Security Gateway fails or is unavailable. The term 'failover' is used frequently
in this guide.

High Availability
VRRP on Gaia OS
On Gaia, VRRP can be used with ClusterXL enabled or with ClusterXL disabled.
VRRP with
Description
ClusterXL
VRRP with This is the most common use case.

ClusterXL You can deploy only an Active/Backup environments.
enabled VRRP supports a maximum of one VRID with one Virtual IP Address (VIP) for each
interface.
You must configure VRRP, so that the same node is the VRRP Master for all VRIDs.
Therefore, you must configure each VRID to monitor every other VRRP-enabled
interface.
You must also configure priority deltas to allow a failover to the VRRP Backup node,
when the VRID on any on interface fails over.
VRRP with You can deploy an Active/Active environment.

ClusterXL You can configure two VRIDs on the same interface, with one VIP for each VRID.
disabled This configuration supports only static routes on the VRRP interfaces.
You must disable the VRRP monitoring of the Check Point Firewall (see "Preparing
a VRRP Cluster" on page 390).

High Availability
VRRP Configuration Methods

VRRP Method Description
Monitored To configure this simplified VRRP method, in the Gaia Portal go to High

Circuit/Simplified Availability > VRRP.
VRRP This method contains all of the basic parameters, and is applicable for most
environments.
You configure each Virtual Router as one unit and configure the same VRID on all
interfaces.
Monitored Circuit VRRP automatically monitors all VRRP interfaces. This make a
complete node failover possible.
You can configure only one VRID, which is automatically added to all the VRRP
interfaces.
If the VRID on any of the VRRP-enabled interfaces fails, the configured priority
delta is decremented on the other VRRP-enabled interfaces to allow the VRRP
Backup node to take over as the new VRRP Master.
Advanced VRRP To configure this advanced VRRP method, in the Gaia Portal go to High
Availability > Advanced VRRP.
This method allows configuration of different VRIDs on different interfaces.
You configure a VRID on each interface individually. In addition, each VRRP-
enabled interface must be monitored by each VRID together with an appropriate
priority delta. This ensures that when one interface fails, all the other VRIDs can
transition to VRRP Backup state
n With ClusterXL enabled, you must configure each VRID to monitor every
other VRRP interface.
You must also configure priority deltas that allow complete node failover.
Advanced VRRP also makes it possible for a VRID to monitor interfaces that
do not run VRRP.
n With ClusterXL disabled, you can configure two VRIDs on each interface,
with one VIP for each VRID.
Monitoring of VRRP Interfaces

The monitoring of all VRRP-enabled interfaces by all VRIDs is important to avoid connection issues with
asymmetric routes.
For example, when an external interface fails, the VRRP Master fails over only for the external Virtual
Router. The VRRP Master for the internal Virtual Router does not fail over. This can cause connectivity
problems when the internal Virtual Router accepts traffic and is unable to connect to the new external
VRRP Master.
Another tool for avoiding asymmetric issues during transitions is the VRRP interface delay setting.
Configure this when the Preempt Mode of VRRP was turned off. This VRRP global setting is useful when
the VRRP node with a higher priority is rebooted, but must not preempt the existing VRRP Master that
handles the traffic, but is configured with a lower priority. Sometimes, interfaces that come up, take longer
than the VRRP timeout to process incoming VRRP Hello packets. The interface delay extends the time that
VRRP waits to receive VRRP Hello packets from the existing VRRP Master.

High Availability
How VRRP Failover Works

Each Virtual Router (VRRP Group) is identified by a unique Virtual Router ID (VRID).
A Virtual Router contains one VRRP Master Security Gateway and at least one VRRP Backup Security
Gateway.
The VRRP Master sends periodic VRRP advertisements (known as VRRP Hello messages) to the VRRP
Backup Security Gateways.
VRRP advertisements broadcast the operational status of the VRRP Master to the VRRP Backup.
Gaia uses dynamic routing protocols to advertise the VIP of the Virtual Router (Virtual IP address or
Backup IP address).
Notes:
n Gaia supports OSPF on VPN tunnels that terminate at a VRRP group.
n Active/Backup VRRP environments are supported with ClusterXL enabled.
If ClusterXL is disabled, Active/Active environments can be deployed.
n Active/Active VRRP environments support only static routes. In addition, you
must disable the monitoring of the Check Point Firewall by VRRP.
If the VRRP Master fails, or its VRRP-enabled interfaces fail, VRRP uses a priority algorithm to make the
decision if failover to a VRRP Backup is necessary. Initially, the VRRP Master is the Security Gateway that
has the highest defined priority value. You define a priority for each Security Gateway when you create a
Virtual Router or change its configuration. If two VRRP Security Gateways have same priority value, the
platform that comes online and broadcasts its VRRP advertisements first becomes the VRRP Master.
Gaia also uses priorities to select a VRRP Backup Security Gateway upon failover (when there is more
than one VRRP Backup available). In the event of failover, the Virtual Router priority value is decreased by
a predefined Priority Delta value to calculate an Effective Priority value. The Virtual Router with the highest
effective priority becomes the new VRRP Master. The Priority Delta value is a Check Point proprietary
parameter that you define when configuring a Virtual Router. If you configure your system correctly, the
effective priority will be lower than the VRRP Backup Security Gateway priority in the other Virtual Routers.
This causes the problematic VRRP Master to fail over for the other Virtual Routers as well.
Note - If the effective priority for the current VRRP Master and VRRP Backup are the
same, the Security Gateway with the highest IP address becomes the VRRP Master.

High Availability
Typical VRRP Use Cases

These are examples of some VRRP environments.
VRRP Use Case 1 - Internal Network High Availability
This is a simple VRRP use case, where Security Gateway 1 is the VRRP Master, and Security Gateway
2 is the VRRP Backup.
Virtual Router redundancy is available only for connections to and from the internal network.
There is no redundancy for external network traffic.
Item Description
1 VRRP Master Security Gateway
2 VRRP Backup Security Gateway
3 Virtual Router VRID 5 - Virtual IP Address (Backup Address) is 192.168.2.5
4 Internal Network and hosts

High Availability
VRRP Use Case 2 - Internal and External Network High Availability
This use case shows an example of an environment, where there is redundancy for internal and
external connections.
Here, you can use Virtual Routers for the two Security Gateways - for internal and for external
connections.
The internal and external interfaces must be on different subnets.
Define one Security Gateway as the VRRP Master and one Security Gateway as the VRRP Backup.
Item Description
1 Virtual Router VRID 5 - External Virtual IP Address (Backup Address) is 192.168.2.5
2 VRRP Master Security Gateway
3 VRRP Backup Security Gateway
4 Virtual Router VRID 5 - Internal Virtual IP Address (Backup Address) is 192.168.3.5
5 Internal network and hosts

High Availability
VRRP Use Case 3 - Internal Network Load Sharing
This use case shows an example of an Active/Active Load Sharing environment for internal network
traffic.
This environment gives load balancing, as well as full redundancy.
This configuration is supported with ClusterXL disabled. Only Static Routes are supported.
The monitoring of the Check Point Firewall by VRRP must be disabled (it is enabled by default).
A maximum of two VRIDs is supported per interface.
Security Gateway 1 is the VRRP Master for VRID 5, and Security Gateway 2 is the VRRP Backup.
Security Gateway 2 is the VRRP Master for VRID 7, and Security Gateway 1 is the VRRP Backup.
The two Security Gateways are configured to back each other up. If one fails, the other takes over its
VRID and IP addresses.
Item Description
1 VRRP Master Security Gateway for VRID 5 and VRRP Backup for VRID 7
2 VRRP Backup Security Gateway for VRID 5 and VRRP Master for VRID7
3 Virtual Router, VRID 5 Virtual IP Address (Backup Address) is 192.168.2.5
4 Virtual Router, VRID 7 Virtual IP Address (Backup Address) is 192.168.2.7
5 Internal network and hosts

Preparing a VRRP Cluster

In This Section:
Configuring Network Switches 390

Preparing VRRP Cluster Members 390
Configuring Global Settings for VRRP 391
Configuring Network Switches

Recommendations
Best Practice - If you use the Spanning Tree protocol on Cisco switches connected
to Check Point VRRP clusters, we recommend that you enable PortFast. It sets
interfaces to the Spanning Tree forwarding state, which prevents them from waiting
for the standard forward-time interval.
If you use switches from a different vendor, we recommend that you use the equivalent feature for that
vendor. If you use the Spanning Tree protocol without PortFast, or its equivalent, you may see delays
during VRRP failover.
Preparing VRRP Cluster Members

Procedure
Step Description
1 Install the VRRP Cluster Members

See the R81 Installation and Upgrade Guide > Chapter Installing a ClusterXL, VSX Cluster,
VRRP Cluster > Section Installing a VRRP Cluster..
2 Synchronize the system time on the VRRP Cluster Members.
Best Practice - Enable NTP (Network Time Protocol) on all Security Gateways
(see "Time" on page 221).
You can also manually change the time and time zone on each Security Gateway to match
the other members.
In this case, you must synchronize member times to within a few seconds.
3 Optional: Add host names and IP address pairs to the host table on each Security Gateway
(see "Hosts" on page 189).
This lets you use host names as an alternative to IP addresses or DNS servers.

Step Description
4 Enable Virtual Routers:

a. With a web browser, connect to Gaia Portal at:
b. In the navigation tree, click High Availability > VRRP.
c. Configure the VRRP Global Settings.
See the section "Configuring Global Settings for VRRP" below.
d. If the Disable All Virtual Routers option is currently selected, clear it.
e. Click Apply Global Settings .
5 Configure your Virtual Routers in either Gaia Portal, or Gaia Clish.

See:
n "Configuring Monitored Circuit/Simplified VRRP" on page 393
n "Configuring Advanced VRRP" on page 400
Configuring Global Settings for VRRP

This section shows you how to configure the global settings that apply to all Virtual Routers.
Procedure
Step Description
1 In the navigation tree, click one of these:

n High Availability > VRRP.
n High Availability >Advanced VRRP.
2 In the VRRP Global Settings section:
n Cold Start Delay - Configures the delay period in seconds before a Security Gateway
joins a Virtual Router. Default = 0.
n Interface Delay - Configure this when the Preempt Mode of VRRP was turned off.
This is useful when the VRRP node with a higher priority is rebooted, but must not
preempt the existing VRRP Master that is handling the traffic, but is configured with a
lower priority. Sometimes interfaces that come up take longer than the VRRP timeout
to process incoming VRRP Hello packets. The Interface Delay extends the time that
VRRP waits to receive Hello packets from the existing VRRP Master.
n Disable All Virtual Routers - Select this option to disable all Virtual Routers defined
on this Gaia system. Clear this option to enable all Virtual Routers. By default, all
Virtual Routers are enabled.
n Monitor Firewall State - Select this option to let VRRP monitor the Security Gateway
and automatically take appropriate action. This is enabled by default, which is the
recommended setting when using VRRP with ClusterXL enabled. This must be
disabled when using VRRP with ClusterXL disabled.
Important - If you disable Monitor Firewall State, VRRP can assign VRRP
Master status to a Security Gateway before it completes the boot process.
This can cause more than one Security Gateway in a Virtual Router to have
VRRP Master status.

Step Description
3 Click Apply Global Settings .
Notes
Gaia starts to monitor the Firewall after the cold start delay completes.
This can cause some problems:
n If all the interfaces in a Virtual Router fail, all VRRP Cluster Members become VRRP Backups.
None of the VRRP Cluster Members can become the VRRP Master and no traffic is allowed.
n If you change the time on any of the VRRP Cluster Members, a VRRP failover occurs
automatically.
n In certain situations, installing a policy causes a failover.
This can happen if it takes a long time to install the policy.

Configuring Monitored Circuit/Simplified VRRP

In This Section:
Configuring Monitored Circuit/Simplified VRRP in Gaia Portal 393

Configuring Monitored Circuit/Simplified VRRP in Gaia Clish 396
Configuring the VRRP Cluster for Simplified VRRP in SmartConsole 399
This section includes the procedure for configuring Monitored Circuit/Simplified VRRP.
Configuring Monitored Circuit/Simplified VRRP in Gaia

Portal
Procedure
Step Description
1 In the navigation tree, click High Availability > VRRP.
2 Configure the VRRP Global Settings .

See "Preparing a VRRP Cluster" on page 390.
3 In the Virtual Routers section, click Add.

Step Description
4 In the Add Virtual Router window, configure these parameters:
n Virtual Router ID - Enter a unique ID number for this virtual router. The range of valid
values is 1 to 255.
n Priority - Enter the priority value, which selects the Security Gateway that takes over in
the event of a failure. The Security Gateway with the highest available priority
becomes the new VRRP Master. The range of valid values 1 to 254. The default value
is 100.
n Hello Interval - Optional. Enter or select the number of seconds, after which the VRRP
Master sends its VRRP advertisements. The valid range is between 1 (default) and
255 seconds.
All VRRP routers on a Security Gateways must be configured with the same hello
interval. Otherwise, more than one Security Gateway can be in the VRRP Master
state.
The Hello interval also defines the failover interval (the time a VRRP Backup router
waits to hear from the existing VRRP Master before it takes on the VRRP Master role).
The value of the failover interval is three times the value of the Hello interval (default -
3 seconds).
n Authentication:
l None - To disable authentication of VRRP packets
l Simple - To authenticate VRRP packets using a plain-text password
You must use the same authentication method for all Security Gateways in a
Virtual Router.
n Priority Delta - Enter the value to subtract from the Priority to create an effective
priority when an interface fails. The range is 1-254.
If an interface fails on the VRRP Backup, the value of the priority delta is subtracted
from its priority. This gives a higher effective priority to another Security Gateway
member.
If the effective priority of the current VRRP Master is less than that of the VRRP
Backup, the VRRP Backup becomes the VRRP Master for this Virtual Router. If the
effective priority for the current VRRP Master and VRRP Backup are the same, the
gateway with the highest IP address becomes the VRRP Master.
n Auto-deactivation - When an interface is reported as DOWN, a cluster member's
Priority value is reduced by the configured Priority Delta amount. If another cluster
member exists with a higher Priority, it will then take over as VRRP Master to heal the
network.
By default, some Cluster Member is elected as VRRP Master, even if all Cluster
Members have issues and are reporting a Priority of zero.
The auto-deactivation option can be enabled to change this behavior and ensure that
no Cluster Member is elected as VRRP Master, if all Cluster Members have a Priority
of zero.
When this option is enabled, Priority Delta should be set equal to the Priority value, so
that Priority becomes zero, if an interface goes down.

Step Description
5 In the Backup Addresses section, click Add.

Configure these parameters in the Add Backup Address window:
n IPv4 address - Enter the interface IPv4 address.

n VMAC Mode - For each Virtual Router, a Virtual MAC (VMAC) address is assigned to
the Virtual IP address. The VMAC address is included in all VRRP packets as the
source MAC address. The physical MAC address is not used.
Select one of these Virtual MAC modes:
l VRRP - Sets the VMAC to use the standard VRRP protocol. It is automatically
set to the same value on all Security Gateways in the Virtual Router. This is the
default setting.
l Interface - Sets the VMAC to the local interface MAC address. If you define this
mode for the VRRP Master and the VRRP Backup, the VMAC is different for
each. VRRP IP addresses are related to different VMACs. This is because they
are dependent on the physical interface MAC address of the currently defined
VRRP Master.
Note -If you configure different VMACs on the VRRP Master and VRRP Backup,
you must make sure that you select the correct proxy ARP setting for NAT.
l Static - Manually set the VMAC address. Enter the VMAC address in the
applicable field.
l Extended - Gaia dynamically calculates and adds three bytes to the interface
MAC address to generate VMAC address that is more random. If you select this
mode, Gaia constructs the same MAC address for VRRP Master and VRRP
Backups in the Virtual Router.
Note - If you set the VMAC mode to Interface or Static , syslog error
messages show when you restart the computer, or during VRRP
failover. This is caused by duplicate IP addresses for the VRRP
Master and VRRP Backup. This is expected behavior because the
VRRP Master and VRRP Backups temporarily use the same Virtual IP
address until they get to the VRRP Master and VRRP Backup
statuses.
Click OK.
The new VMAC mode shows in the in the Backup Address table.
6 To remove a Backup Address, select an address and click Delete.

The address is removed from the Backup Address table.
7 Click Save.

Configuring Monitored Circuit/Simplified VRRP in Gaia Clish

Syntax
To add Monitored Circuit/Simplified VRRP
1. Configure the priority:
add mcvr vrid VALUE priority VALUE priority-delta VALUE

[authtype {none | simple VALUE} hello-interval VALUE
2. Configure the backup address:
add mcvr vrid VALUE backup-address VALUE vmac-mode VALUE
To configure Monitored Circuit/Simplified VRRP

set mcvr vrid VALUE
authtype {none | simple VALUE}
auto-deactivation {on | off}
backup-address VALUE vmac-mode VALUE [static-mac VALUE]
hello-interval VALUE
preempt-mode {on | off}
priority VALUE
priority-delta VALUE
To show Monitored Circuit/Simplified VRRP configuration

show mcvr
vrid VALUE
all
authtype
backup-address VALUE
backup-addresses
hello-interval
priority
priority-delta
vrids
To delete Monitored Circuit/Simplified VRRP

delete mcvr vrid VALUE [backup-address VALUE]

Parameters
CLI Parameters
vrid VALUE Configures the Virtual Router ID.

n Range: 1 - 255
authtype {none Configures authentication for the given Virtual Router.

| simple You must use the same authentication method for all Security Gateways in a
VALUE} Virtual Router.
n Range:
l none - Disables authentication
l simple <plain-text password> - Authenticates VRRP
packets using a plain-text password

auto- When an interface is reported as DOWN, a cluster member's Priority value is

deactivation reduced by the configured Priority Delta amount. If another cluster member
{on | off} exists with a higher Priority, it will then take over as VRRP Master to heal the
network.
By default, some cluster member will be elected as VRRP Master, even if all
cluster members have issues and are reporting a Priority of zero.
The auto-deactivation option can be enabled to change this behavior and
ensure that no cluster member is elected as VRRP Master, if all cluster
members have a Priority of zero.
When this option is enabled (on), Priority Delta should be set equal to the
Priority value, so that Priority will become zero, if an interface goes down.
n Range: on, or off
n Default: off
backup-address Configures the IPv4 address of the VRRP Backup Security Gateway.
VALUE You can define more than one address for a Virtual Router.
The backup address (Virtual IP Address) is the IP address that VRRP backs
up, in order to improve network reliability. The Virtual IP Address is typically
used as the default gateway for hosts on that network. VRRP ensures this IP
address remains reachable, as long as at least one physical machine in the
VRRP cluster is functioning and can be elected as the VRRP Master.

vmac-mode Configures how the Virtual MAC (VMAC) address is calculated for the given
{default-vmac Virtual IP Address.
| extended- Each Virtual IP Address for a Virtual Router implies the existence of a virtual
vmac | network interface.
interface-vmac
n Range:
| static-vmac
l default-vmac - Generates the VMAC using the standard
VALUE}
method described in Section 7.3 of RFC 3768.
l extended-vmac - Generates the VMAC using an extended
range of uniqueness by dynamically calculating 3 bytes of the

VMAC instead of only 1.
l interface-vmac - Configures the VMAC to use the
interface hardware MAC address.

l static-vmac <VALUE>- Configures the Virtual Router to
use a specified static VMAC address.

n Default: default-vmac
Note - If you set the VMAC mode to "interface-vmac" or

"static-vmac", syslog error messages show when you restart
the computer, or during VRRP failover. This is caused by duplicate
IP addresses for the VRRP Master and VRRP Backup. This is
expected behavior because the VRRP Master and VRRP Backups
temporarily use the same Virtual IP address until they get to the
VRRP Master and VRRP Backup statuses.
hello-interval The interval in seconds, at which the VRRP Master sends VRRP
VALUE advertisements. For a given Virtual Router, all VRRP cluster members
should have the same value for Hello Interval.
n Range: default, or 1 - 255

n Default: 1
preempt-mode Configures Preempt Mode for the given Virtual Router.

{on | off} When the Preempt Mode is enabled, if the Virtual Router has a higher
Priority than the current VRRP Master, it preempts the VRRP Master.
In the Preempt Mode is disabled, all Virtual Routers that have monitored
interfaces, are participating to avoid potential split-brain network topology.
For more information on the implications of disabling Preempt Mode, see
the help text for the "set mcvr vrid <VALUE> monitor-vrrp"
command.
n Range: on, or off
n Default: off

priority VALUE Configures the Priority to use in the VRRP Master election.
This is the maximum priority that can be achieved when all monitored
interfaces are up.
The VRRP cluster member with the highest Priority value will be elected as
the VRRP Master. Each cluster member should be given a different Priority
value, such that a specific member is the preferred VRRP Master. This will
ensure consistency in the outcome of the election process.
n Default: 100
priority-delta Updates the Priority Delta of the given Virtual Router.

VALUE For a given Virtual Router, the VRRP cluster member with the highest
Priority is elected as the VRRP Master. For each monitored interface with a
status of DOWN, the Priority Delta value is subtracted from the Virtual
Router's overall Priority. Thus, the VRRP Master will be the Virtual Router
having the best list of working interfaces.
The Priority Delta value should be selected such that the Priority value will
not become a negative number when the Priority Delta is subtracted from it
for each non-operational interface.
Configuring the VRRP Cluster for Simplified VRRP in

SmartConsole
Follow the R81 Installation and Upgrade Guide > Chapter Installing a ClusterXL, VSX Cluster, VRRP
Cluster > Section Installing a VRRP Cluster.

Configuring Advanced VRRP

In This Section:
Changing from Advanced VRRP to Monitored Circuit/Simplified VRRP 400

Configuring Advanced VRRP in Gaia Portal 401
Configuring Advanced VRRP in Gaia Clish 404
Configuring the VRRP Cluster for Advanced VRRP in SmartConsole 408
Advanced VRRP lets you configure Virtual Routers at the interface level.
This section contains only those procedures that are directly related to Advanced VRRP configuration.
The general procedures for configuring VRRP clusters are described in "Configuring Monitored
Circuit/Simplified VRRP" on page 393.
With Advanced VRRP, you must configure every Virtual Router to monitor every configured VRRP
interface.
Changing from Advanced VRRP to Monitored

Circuit/Simplified VRRP
Procedure
Step Description
1 Delete all existing Virtual Routers.
2 Create new Virtual Routers in accordance with the procedures.
You cannot move a Backup Address from one interface to another while a Security Gateway is a VRRP
Master.
Perform these steps to delete and add new interfaces with the necessary IP addresses:
Step Description
1 Cause a failover from the VRRP Master to the VRRP Backup.
2 Reduce the priority, or disconnect an interface.
3 Delete the Virtual Router on the interface.
4 Create new Virtual Router using the new IP address.
5 Configure the Virtual Router as before.

Configuring Advanced VRRP in Gaia Portal

Procedure
Step Description
1 In the navigation tree, click High Availability >Advanced VRRP.
2 Configure the VRRP Global Settings (see "Preparing a VRRP Cluster" on page 390).
3 In the Virtual Routers section, click Add.
4 In the Add New Virtual Router window, configure these parameters:
n Interface - Select the interface for the Virtual Router.
n Virtual Router ID - Enter or select the ID number of the Virtual Router.
n Priority - Enter or select the priority value.

The priority value determines, which router takes over in the event of a failure. The
router with the higher priority becomes the new VRRP Master. The range of values for
priority is 1 to 254. The default value is 100.
n Hello Interval - Enter or select the number of seconds, at which the VRRP Master
sends VRRP advertisements.
The range is 1 to 255 seconds. The default value is 1.
All nodes of a given Virtual Router must have the same hello Interval. If not, VRRP
discards the packet and both platforms go to VRRP Master state.
The VRRP Hello interval also determines the failover interval - how long it takes a
VRRP Backup router to take over from a failed VRRP Master. If the VRRP Master
misses three VRRP Hello advertisements, it is considered to be down, because the
minimal VRRP Hello interval is 1 second. Therefore, the minimal failover time is 3
seconds (3 * Hello Interval).
n Preempt Mode - If you keep it selected (the default), when the original VRRP Master
fails, a VRRP Backup system becomes the acting VRRP Master. When the original
VRRP Master returns to service, it becomes VRRP Master again.
If you clear it, when the original VRRP Master fails, a VRRP Backup system becomes
the acting VRRP Master, and the original does not become VRRP Master again when
it returns to service.
n Auto-deactivation - If you clear it (the default), a Virtual Router with the lowest priority
available (1) can become VRRP Master, if no other Security Gateways exist on the
network.
If you selected it, the effective priority can become 0. With this priority, the Virtual
Router does not become the VRRP Master, even if there are no other Security
Gateways on the network.
If you selected it, you should also configure the Priority and Priority Delta values to
be equal, so that the effective priority becomes 0, if there is a VRRP failure.

Step Description
n VMAC Mode - For each Virtual Router, a Virtual MAC (VMAC) address is assigned to
the Virtual IP address. The VMAC address is included in all VRRP packets as the
source MAC address. The physical MAC address is not used.
Select the mode:
l VRRP - Sets the VMAC to use the standard VRRP protocol. It is automatically
set to the same value on all Security Gateways in the Virtual Router. This is the
default setting.
l Interface - Sets the VMAC to the local interface MAC address. If you define this
mode for the VRRP Master and the VRRP Backup, the VMAC is different for
each. VRRP IP addresses are related to different VMACs. This is because they
are dependent on the physical interface MAC address of the currently defined
VRRP Master.
Note - If you configure different VMACs on the VRRP Master and
VRRP Backup, you must make sure that you select the correct proxy
ARP setting for NAT.
l Static - Manually set the VMAC address. Enter the VMAC address in the
applicable field.
l Extended - Gaia dynamically calculates and adds three bytes to the interface
MAC address to generate VMAC address that is more random. If you select this
mode, Gaia constructs the same MAC address for VRRP Master and VRRP
Backups in the Virtual Router.
Note - If you set the VMAC mode to Interface or Static , syslog error
messages show when you restart the computer, or during VRRP failover.
This is caused by duplicate IP addresses for the VRRP Master and VRRP
Backup. This is expected behavior because the VRRP Master and VRRP
Backups temporarily use the same Virtual IP address until they get to the
VRRP Master and VRRP Backup statuses.
n Authentication:
l None - To disable authentication of VRRP packets.
l Simple - To authenticate VRRP packets using a plain-text password.
You must use the same authentication method for all Security Gateways in a Virtual
Router.
5 In the Backup Addresses section:
a. Click Add.
b. In the IPv4 address field, enter the IPv4 address.
c. Click OK.
To change a Backup Address, select a Backup IP address and click Edit.
To remove a Backup Address, select a Backup IP address and click Delete.

Step Description
6 In the Monitored Interfaces section:
a. Click Add.
Gaia shows a warning that adding a Monitored Interface will lock the Interface for this
Virtual Router.
b. Click OK to confirm.
c. In the Interface field, select the interface.
d. In Priority Delta field, enter or select the number to subtract from the priority.
This creates an effective priority when an interface related to the VRRP Backup fails.
The range is 1-254.
e. Click OK.
To change a Monitored Interface, select a Monitored Interface and click Edit.
To remove a Monitored Interface, select a Monitored Interface and click Delete.
7 Click Save.

Configuring Advanced VRRP in Gaia Clish

Syntax
To configure Advanced VRRP

set vrrp
accept-connections {on | off}
coldstart-delay VALUE
disable-all-virtual-routers {on | off}
monitor-firewall {on | off}
interface-delay VALUE
To configure Advanced VRRP interface

set vrrp interface VALUE
authtype
none
simple VALUE
monitored-circuit vrid VALUE
auto-deactivation {on | off}
backup-address VALUE {on | off}
hello-interval VALUE
monitored-interface VALUE
on
off
priority-delta <default | 1 - 254>}
off
on
preempt-mode {on | off}
priority VALUE
vmac-mode
default-vmac
extended-vmac
interface-vmac
static-vmac VALUE
off
virtual-router legacy off
To show Advanced VRRP configuration

show vrrp
[interface VALUE]
[interfaces]
[stats]
[summary]

Parameters
CLI Parameters
accept-connections Controls the Accept Connections option.

{on | off} This option causes packets destined to VRRP Virtual IP Address(es)
to be accepted, and any required responses be generated.
Enabling this option enhances VRRP's interaction with network
management tools, which in turn allows for faster failure detection.
This option is required for High Availability applications (for example,
routing protocols), whose service is tied to a Virtual IP Address.
n Range: on, or off
n Default: off
coldstart-delay Specifies the number of seconds to wait after a system cold start
<VALUE> before VRRP becomes active, and this cluster member can be
elected as VRRP Master.
n Range: 0 - 3600
n Default: 0
disable-all- Enables or disables all IPv4 VRRP Virtual Routers.

virtual-routers {on If disabled, the VRRP configuration is preserved and can be enabled
| off} again.
n Range: on, or off
n Default: off
monitor-firewall Enables or disables VRRP monitoring of the Security Gateway state.

{on | off} If this option is enabled, and the Firewall is not ready, the cluster
member will refuse to be the VRRP Master.
n Range: on, or off
n Default: on
interface-delay The Interface Delay controls how long to wait (in seconds) after
<VALUE> receiving an interface UP notification before VRRP assesses whether
or not the related VRRP cluster member should increase its priority,
and possibly become the new VRRP Master. The delay ensures that
VRRP does not attempt to respond to interfaces, which are only
momentarily active.
Note - Same value should be configured for both VRRPv2 and
VRRPv3 if both protocols are configured.
n Range: 0 - 3600
n Default: 0
interface VALUE The name of the interface, on which to enable the VRRP.

authtype {none | Configures authentication for the given Virtual Router.

simple VALUE} You must use the same authentication method for all Security
Gateways in a Virtual Router.
n Range:
l none - Disables authentication
l simple <plain-text password> - Authenticates
VRRP packets using a plain-text password

monitored-circuit Configures the Virtual Router ID.

vrid <VALUE>
n Range: 1 - 255
monitored-circuit When an interface is reported as DOWN, a cluster member's Priority

vrid VALUE auto- value is reduced by the configured Priority Delta amount. If another
deactivation {on | cluster member exists with a higher Priority, it will then take over as
off} VRRP Master to heal the network.
By default, some cluster member will be elected as VRRP Master,
even if all cluster members have issues and are reporting a Priority of
zero.
The auto-deactivation option can be enabled to change this behavior
and ensure that no cluster member is elected as VRRP Master, if all
cluster members have a Priority of zero.
When this option is enabled (on), Priority Delta should be set equal to
the Priority value, so that Priority will become zero, if an interface goes
down.
n Range: on, or off
n Default: off
monitored-circuit Configures the IPv4 address of the VRRP Backup Security Gateway.
vrid VALUE backup- You can define more than one address for a Virtual Router.
address VALUE {on | The backup address (Virtual IP Address) is the IP address that VRRP
off} backs up, in order to improve network reliability. The Virtual IP
Address is typically used as the default gateway for hosts on that
network. VRRP ensures this IP address remains reachable, as long
as at least one physical machine in the VRRP cluster is functioning
and can be elected as the VRRP Master.
monitored-circuit The interval in seconds, at which the VRRP Master sends VRRP
vrid VALUE hello- advertisements. For a given Virtual Router, all VRRP cluster members
interval VALUE should have the same value for Hello Interval.

n Default: 1

monitored-interface Configures the list of monitored interfaces names for the given Virtual
VALUE {on | off | Router.
priority-delta
n on - Creates a VRRP Virtual Router
<default | 1 -
254>} n off - Removes a VRRP Virtual Router
n priority-delta - Configures the Priority Delta value
When an interface fails, VRRP causes the backup cluster member to
take over for that interface. The VRRP interface should also fail over
when a different interface fails (if traffic is routed between the
interfaces).
Otherwise, network destinations will become unreachable, etc. This
coordinated failover is achieved by adding all dependent interfaces to
the list of monitored interfaces.
The relative importance of each monitored interface is expressed by
its Priority Delta value. More important interfaces should have higher
Priority Deltas. Priority Delta causes the correct failover decision, if
both cluster members are experiencing failures on different
interfaces.
Refer to the following commands for additional details:
n set vrrp interface <VALUE> monitored-
circuit vrid <VALUE> priority
n set vrrp interface <VALUE> monitored-
circuit vrid <VALUE> monitored-interface
<VALUE> priority-delta
monitored-circuit Creates (on) or removes (off) a VRRP Virtual Router.

vrid VALUE {on |
off}
monitored-circuit Configures Preempt Mode for the given Virtual Router.

vrid VALUE preempt- When Preempt Mode is enabled, if the Virtual Router has a higher
mode {on | off} Priority than the current VRRP Master, it preempts the VRRP Master.
In Preempt Mode is disabled, all Virtual Routers that have monitored
interfaces, are participating to avoid potential split-brain network
topology.
For more information on the implications of disabling Preempt Mode,
see the help text for the set mcvr vrid <VALUE> monitor-
vrrp command.
n Range: on, or off
n Default: off

monitored-circuit Configures the Priority to use in the VRRP Master election.

vrid VALUE priority This is the maximum priority that can be achieved when all monitored
VALUE interfaces are up.
The VRRP cluster member with the highest Priority value will be
elected as the VRRP Master. Each cluster member should be given a
different Priority value, such that a specific member is the preferred
VRRP Master. This will ensure consistency in the outcome of the
election process.
n Default: 100
monitored-circuit Configures how the Virtual MAC (VMAC) address is calculated for the
vrid VALUE vmac- given Virtual IP Address.
mode {default-vmac Each Virtual IP Address for a Virtual Router implies the existence of a
| extended-vmac | virtual network interface.
interface-vmac |
n Range:
static-vmac VALUE}
l default-vmac - Generates the VMAC using the
standard method described in Section 7.3 of RFC 3768.

l extended-vmac - Generates the VMAC using an
extended range of uniqueness by dynamically

calculating 3 bytes of the VMAC instead of only 1.
l interface-vmac - Configures the VMAC to use the
interface hardware MAC address.

l static-vmac <VALUE>- Configures the Virtual
Router to use a specified static VMAC address.

n Default: default-vmac
set vrrp interface Deletes all Virtual Routers from the interface.
VALUE off
set virtual-router Disables legacy VRRPv2 configuration.

legacy off Legacy Virtual Router configuration may exist due to an upgrade from
an older IPSO OS configuration. For reference purposes, these
settings may be preserved after upgrade, but are not supported.
Hence, you must replace all legacy "virtual-router"
configuration commands using the equivalent "monitored-
circuit" configuration commands.
Configuring the VRRP Cluster for Advanced VRRP in

SmartConsole
Follow the R81 Installation and Upgrade Guide > Chapter Installing a ClusterXL, VSX Cluster, VRRP
Cluster > Section Installing a VRRP Cluster.

Troubleshooting VRRP
In This Section:
Traces (Debug) for VRRP 409

General Configuration Considerations 410
Firewall Policies 411
Monitored-Circuit VRRP in Switched Environments 411
This section shows known issues with VRRP configurations and fixes.
Read this section before contacting Check Point Support.
Traces (Debug) for VRRP

You can log information about errors and events for troubleshooting VRRP.
To enable traces for VRRP
Step Description
1 In the navigation tree, click Routing > Routing Options .
2 In the Trace Options section, in the Filter Visible Tables Below drop down list, select
VRRP.
3 In the VRRP table, select the applicable options.

We recommend you select All .
To select several specific options:

b. Left-click on the applicable options. The selected options become highlighted.
To select several consecutive options:

a. Left-click on the first consecutive applicable option.
b. Press and hold the SHIFT key on the keyboard.
c. Left-click on the last consecutive applicable option. The selected options become
highlighted.
4 Click Add.
The selected options show Enabled.
5 Scroll to the top of this page.

Step Description
6 In the Routing Options section, click Apply .

The Gaia restarts the routing subsystem and signals it to reread its configuration.
The debug information is saved in /var/log/routed.log* files and /var/log/routed_messages*
files.
Note - As an example, see sk84520 - How to debug OSPF and RouteD daemon
on Gaia.
To disable traces for VRRP
Step Description
1 In the navigation tree, click Routing > Routing Options .
2 In the Trace Options section, in the Filter Visible Tables Below drop down list, select
VRRP.
In the VRRP table, select All .
3 Click Remove.
The options do not show Enabled anymore.
4 Scroll to the top of this page.
5 In the Routing Options section, click Apply .

The Gaia restarts the routing subsystem and signals it to reread its configuration.
General Configuration Considerations

If VRRP failover does not occur as expected, make sure that the configuration of these items.
n All Security Gateways in a Virtual Router must have the same system times. The simplest method to
synchronize times is to enable NTP on all Security Gateways of the Virtual Router. You can also
manually change the time and time zone on each Security Gateway to match the other Security
Gateways. It must be no more than seconds apart.
n All routers of a Virtual Router must have the same VRRP Hello Interval.
n The Priority Delta must be sufficiently large for the Effective Priority to be lower than the VRRP
Master router. Otherwise, when you pull an interface for a Monitored-Circuit VRRP test, other
interfaces do not release IP addresses.
n Each unique Virtual Router ID must be configured with the same Backup Address on each Security
Gateway.
n The VRRP monitor in the Gaia Portal might show one of the interfaces in initialize state. This might
suggest that the IP address used as the Backup Address on that interface is invalid or reserved.
n An SNMP "Get" request on interfaces may list the incorrect IP addresses. This results in incorrect
policy. An SNMP "Get" request fetches the lowest IP address for each interface. If interfaces are
created when the Security Gateway is the VRRP Master, the incorrect IP address might be included.
Repair this problem. Edit the interfaces by hand, if necessary.

Firewall Policies
Configure the Access Control Policy to accept VRRP packets to and from the Gaia platform. The multicast
destination assigned by the IANA for VRRP is 224.0.0.18. If the Access Control Policy does not accept
packets sent to 224.0.0.18, Security Gateways in one Virtual Router take on VRRP Master state.
Monitored-Circuit VRRP in Switched Environments

With Monitored-Circuit VRRP, some Ethernet switches might not recognize the VRRP MAC address after a
change from VRRP Master to VRRP Backup. This is because many switches cache the MAC address
related to the Ethernet device attached to a port. When failover to a VRRP Backup router occurs, the
Virtual Router MAC address becomes associated with a different switch port. Switches that cache the MAC
address might not change the associated cached MAC address to the new port during a VRRP change.
To repair this problem, you can take one of these actions
1. Replace the switch with a hub.
2. Disable MAC address caching on the switch, or switch ports, to which the VRRP cluster members
are connected.
It might be not possible to disable the MAC address caching. If so, set the address aging value
sufficiently low that the MAC addresses age out after a one second or two seconds. This causes
more overhead on the switch. Therefore, find out if this is a viable option for your switch model.
The Spanning Tree Protocol (STP) prevents Layer 2 loops across multiple bridges. Spanning-Tree can be
enabled on the ports connected to the two sides of a VRRP cluster. It can also "see" multicast VRRP Hello
packets coming for the same MAC address on two different ports. When the two occur, it can suggest a
loop, and the switch blocks traffic on one port. If a port is blocked, the VRRP cluster members cannot get
VRRP Hello packets from each other. As a result, both VRRP cluster members enter the VRRP Master
state.
If possible, turn off Spanning-Tree on the switch to resolve this issue. However, this can have harmful
effects, if the switch is involved in a bridging loop. If you cannot disable Spanning-Tree, enable PortFast on
the ports connected to the VRRP cluster members. PortFast causes a port to enter the Spanning-Tree
forwarding state immediately, by passing the listening and learning states.

Maintenance
Maintenance
This chapter includes procedures and reference information for:
n Working with License
n Snapshot Management
n Download of SmartConsole
n Hardware Health Monitoring
n Monitoring RAID Synchronization
n Shut Down and Reboot
n System Backup

License Status
License Status
In This Section:
On Check Point Appliances 413

On Open Servers and Virtual Machines 413
Activating a License in Gaia Portal 414
You can view, add, or delete licenses in one of these ways:

n In Gaia Portal > Maintenance section > License Status page.
n With the "cplic db_add" and "cplic del" commands (see the R81 CLI Reference Guide).
Note - While all the "cplic" commands are available in Gaia, they are not
grouped into a Gaia feature.
On Check Point Appliances

If a Management Server and its managed Security Gateways are able to connect to Check Point User
Center, licenses and contracts activated and updated automatically.
If a Management Server and its managed Security Gateways are not able to connect to Check Point User
Center, then manage licenses and contracts in either SmartConsole or the command line.
On Open Servers and Virtual Machines

If a Management Server and its managed Security Gateways are able to connect to Check Point User
Center, then activate the license during the Gaia First Time Configuration Wizard, or later in Gaia Portal,
SmartConsole, or the command line. After the activation is completed, licenses and contracts are updated
automatically.
If a Management Server and its managed Security Gateways are not able to connect to Check Point User
Center, then manage licenses and contracts in either SmartConsole or the command line.

License Status
Activating a License in Gaia Portal

To activate a license manually online
Step Description
1 If this Security Management Server, Domain Management Server, or Security Gateway (or
Cluster Members) connects to the Internet through a proxy server, then configure the
applicable proxy in SmartConsole:
Note - The prerequisite for Security Gateways and Cluster Members is to establish
a Secure Internal Communication (SIC Trust) with a Management Server.
n To configure the same default proxy for all objects:

a. Click Menu > Global properties > Proxy .
b. Select Use proxy server.
c. Enter the proxy server address (Hostname or IP address).
d. Enter the proxy server port.
e. Click OK.
f. Publish the SmartConsole session.
g. Click Menu > Install database > select all objects > click Install .
h. Install the Access Control Policy on all managed Security Gateways and
Clusters.
n To configure specific proxy in an object:
a. From the left navigation panel, click Gateways & Servers .
b. Double-click the applicable object.
c. From the left tree, click Network Management > Proxy .
d. Select Use custom proxy settings for this network object.
e. Select Use proxy server.
f. Enter the proxy server address (Hostname or IP address).
g. Enter the proxy server port.
h. Click OK.
i. Publish the SmartConsole session.
j. Complete the configuration:
l If this object is a Management Server:
Click Menu > Install database > select the Management Server object >
click Install .
l If this object is a Security Gateway or Cluster:
Install the Access Control Policy.

3 In the navigation tree, click Maintenance > License Status .
4 Click Activate Now.

Gaia fetches the license, and the status changes to Activated.
The Software Blades enabled by the license appear in the table.

License Status
To activate a license manually offline
Step Description

3 Click Offline Activation.
4 Click New.
5 Enter the license data manually, or click Paste License to enter the data automatically.
The Paste License button only appears in Internet Explorer.
For other web browsers, paste the license strings into the empty text field.
6 Click OK.
To delete an installed license
Step Description

Interface>
3 Click Offline Activation.
4 Select the license.
5 Click Delete.
6 Click OK.
Note - To delete a license in the command line, use the "cplic del" command
(see the R81 CLI Reference Guide).

Snapshot Management
Snapshot Management
A snapshot is a backup of the system settings and products. It includes:
n File system, with customized files
n System configuration (interfaces, routing, hostname, and similar)
n Software Blades configuration
n Management database (on a Security Management Server or a Multi-Domain Server)
A snapshot is very large. A snapshot includes the entire root partition, part of the /var/log partition, and
other important files.
For this reason, snapshots cannot be scheduled the same way that Backups can.
Backup and Restore is the preferred method of recovery.
Notes:
n When Gaia creates a snapshot, all system processes and services continue to
run.
Policy enforcement is not interrupted.
n You can import a snapshot created on a different software release or on this
software release.
You must import a snapshot on the appliance or open server of the same
hardware model, from which it was exported.
n After importing the snapshot, you must activate the device license from the Gaia
Portal or the User Center.
n We do not recommend to use snapshots as a way of regularly backing up your
system.
System Backup is the preferred method.
Schedule system backups on a regular basis, daily or weekly, to preserve the
Gaia OS configuration and Firewall database.
Important - See sk98068: Gaia Limitations after Snapshot Recovery.
Best Practice for creating snapshots:

n Immediately after Gaia installation and first time configuration.
n Before making a major system change, such as installing a hotfix or route
changes.

Snapshot Options
Snapshot Options
Option Description
Revert Reverts to a user created image.

Reverts to a factory default image, which is automatically created on Check Point appliances
by the installation or upgrade procedure.
Delete Deletes an image from the local file system.
Export Exports an existing image.

This creates a compressed version of the image.
You can download the exported image to a different computer and delete the exported image
from the local file system.
This saves disk space.
Import Imports an exported image.
View Shows a list of images that are stored locally.
Notes:
n You must not rename the exported image. If you rename a snapshot image, it is
not possible to revert to it.
n You can import a snapshot only on the machine of the same hardware type,
from which it was exported.

Snapshot Prerequisites
Snapshot Prerequisites
Before you create a snapshot image, make sure the appliance or storage destination meets these
prerequisites:
n To create the snapshot image requires free space on the disk.
The required free disk space is the size of the system root partition multiplied by 1.15.
Note - A snapshot image is created in unallocated space on the disk.

Not all of the unallocated space on a disk can be used for snapshots.
To find out if you have enough free space for snapshots:
Step Instructions
1 Connect to the command line on the Gaia computer.
3 Run:
show snapshots
The output shows the amount of space on the disk
available for snapshots.
The value in the output does not represent all of the
unallocated space on the disk.
n The free disk space required in the export file location is the size of the snapshot image multiplied by
2.
The minimal size of a snapshot image is 2.5GB.
Therefore, the minimal necessary free disk space in the export file location is 5GB.

Snapshot Management in Gaia Portal

Before you create a snapshot image, make sure the appliance or storage destination meets the
prerequisites.
Creating a new snapshot image
Step Description
1 In the navigation tree, click Maintenance > Snapshot Management.
2 Click New.
The New Image window opens.
3 In the Name field, enter a name for the image.

Optional: In the Description field, enter a description for the image.
4 Click OK.
Exporting an existing snapshot image
Step Description
2 Select a snapshot.
3 Check the snapshot size.
4 Make sure that there is enough free disk space in the /var/log/ partition:
a. Connect to the command line on Gaia.

b. Log in to the Expert mode.
c. Run:
df -kh | egrep "Mounted|/var/log"
Check the value in the Avail column.
5 In Gaia Portal, select a snapshot.
6 Click Export.
The Export Image window opens.
7 Click Start Export.
Important - You must not rename the exported image. If you rename a snapshot
image, it is not possible to revert to it.

Importing a snapshot
To use the snapshot on another appliance, it has to be the same type of appliance you used to export
the image.
Step Description
2 Click Import.
The Import Image window opens.
3 Click Browse to select the snapshot file for upload.
4 Click Upload.
5 Click OK.
Reverting to an existing snapshot image
Important - Reverting to the selected snapshot overwrites the existing running

configuration and settings. Make sure you know credentials of the snapshot, to
which you revert.
Step Description
1 In the navigation tree, click Maintenance > Image Management.
3 Click Revert.
The Revert window opens.
Important - Pay close attention to the warnings about

overwriting settings, the credentials, and the reboot
and the image details.
4 Click OK.
Deleting a snapshot
Step Description
3 Click Delete.
The Delete Image window opens.
4 Click OK.

Troubleshooting
n If a snapshot was not created, examine these files:
/var/log/messages*
n If a snapshot was created, but there were some issues, examine this file:
/var/log/CPsnapshot/<Snapshot Name>_<Timestamp>
Snapshot Management in Gaia Clish - Regular Snapshots

prerequisites.
Description
Manage system images (snapshots).
Syntax
Creating a new snapshot image
These commands only create a new snapshot image.
To create a new snapshot image as a local LVM volume

add snapshot-onetime name <Name of Snapshot> [description
"<Description of Snapshot>"]
Note - Gaia Snapshots are not files, but Logical Volume Management (LVM)
volumes. Gaia stores these snapshots as a disk partition. To show the list of
virtual drives, run the "lvs" command in the Expert mode.
To create a new snapshot image and export it to a local file

"<Description of Snapshot>"] target local path <Local Path>
To create a new snapshot image as a file and upload it to an FTP server

"<Description of Snapshot>"] target ftp ip <IPv4 Address of FTP
Server> path <Path on FTP Server> username <User Name on FTP
Server> password <Password in Plain Text>
To create a new snapshot image as a file and upload it to an SCP server

"<Description of Snapshot>"] target scp ip <IPv4 Address of SCP
Server> path <Path on SCP Server> username <User Name on SCP

Exporting an existing snapshot image
These commands only export an existing snapshot image from a local LVM volume.
To export an existing snapshot image and save it as a local file

set snapshot-onetime export <Name of Exported Snapshot> target
local path <Local Path>
To export an existing snapshot image as a file and upload it to an FTP server

set snapshot-onetime export <Name of Exported Snapshot> target ftp
path <Path on FTP Server> ip <IPv4 Address of FTP Server> username
<User Name on FTP Server> password <Password in Plain Text>
To export an existing snapshot image as a file and upload it to an SCP server

set snapshot-onetime export <Name of Exported Snapshot> target scp
path <Path on SCP Server> ip <IPv4 Address of SCP Server> username
<User Name on SCP Server> password <Password in Plain Text>
Importing an existing snapshot image
These commands only import an existing snapshot image file and store it on Gaia as a local LVM
volume.
To import an existing snapshot image from a local file

set snapshot-onetime import <Name of Imported Snapshot> target
local path <Local Path>
To import an existing snapshot image from an FTP server

set snapshot-onetime import <Name of Imported Snapshot> target ftp
ip <IPv4 Address of FTP Server> path <Path on FTP Server> username
<User Name on FTP Server> password <Password in Plain Text>
To import an existing snapshot image from an SCP server

set snapshot-onetime import <Name of Imported Snapshot> target scp
ip <IPv4 Address of SCP Server> path <Path on SCP Server> username
<User Name on SCP Server> password <Password in Plain Text>

Importing and reverting to an existing snapshot image
These commands import an existing snapshot image, store it on Gaia as a local LVM volume, and then
revert to that imported snapshot image.
Important - When Gaia reverts to a snapshot, it overwrites the existing running

configuration and settings. Make sure you know credentials of the snapshot, to
which you revert.
To import and revert an existing snapshot image from a local LVM volume
set snapshot-onetime revert target lvm name <External Name of
Snapshot>
Note - Gaia Snapshots are not files, but disk volumes. Gaia stores these
snapshots as a disk partition. To show the list of virtual drives, run the "lvs"
command in the Expert mode.
To import and revert an existing snapshot image from a local file

set snapshot-onetime revert target local name <Imported Name of
Snapshot> path <Local Path>
To import and revert an existing snapshot image from an FTP server

set snapshot-onetime revert target ftp name <Imported Name of
Snapshot> path <Path on FTP Server> ip <IPv4 Address of FTP
Server> username <User Name on FTP Server> password <Password in
Plain Text>
To import and revert an existing snapshot image from an SCP server

set snapshot-onetime revert target scp name <Imported Name of
Snapshot> path <Path on SCP Server> ip <IPv4 Address of SCP
Server> username <User Name on SCP Server> password <Password in
Plain Text>
Viewing existing snapshot images

show snapshots
show snapshot <Name of Snapshot>

all
date
description
size
Deleting a local snapshot image

delete snapshot <Name of Snapshot>

Parameters
name <Name of Configures the name of the new snapshot image.

Snapshot> You must enter a string that does not contain spaces.
name <Name of Configures the name, under which the exported snapshot image
Exported Snapshot> file is stored.
You must enter a string that does not contain spaces.
You must not add an extension.
name <Name of Configures the name, under which the imported snapshot image
Imported Snapshot> is stored on this Gaia.
You must enter a string that does not contain spaces.
description Optional.
"<Description of Configures the description of the snapshot image.
Snapshot>" You must enclose the text in double quotes, or enter the string
that does not contain spaces.
export <Name of Exports the snapshot image by the specified name.

import <Name of Imports the snapshot image by the specified name.

target When you create or export a snapshot, specifies the destination

for the snapshot image.
When you import a snapshot, specifies the source of the
snapshot image.
n target lvm - Local LVM volume on this Gaia

n target local - Local file on this Gaia
n target ftp - Remote FTP server
n target scp - Remote SCP server
ip Specifies the IPv4 address of the remote server:

n ip <IPv4 Address of FTP Server>
Specifies the IPv4 address of the remote FTP server.
n ip <IPv4 Address of SCP Server>
Specifies the IPv4 address of the remote SCP server.

path Specifies the path to the snapshot image file.

When you export, this is the path to the directory (/path_
to/directory/).
When you import, this is the path to the directory and the
snapshot image (/path_to/directory/snapshot).
n path <Local Path>
Specifies the local absolute path on this Gaia.
n path <Path on FTP Server>
Specifies the path on the remote FTP server.
n path <Path on SCP Server>
Specifies the path on the remote SCP server.
username Specifies the login username on the remote server:

n username <User Name on FTP Server>
Specifies the user name required to log in to the remote
FTP server.
n username <User Name on SCP Server>
SCP server.
password <Password in Specifies the password (in plain text) required to log in to the
Plain Text> remote server.
Examples
n Creating a new snapshot image locally as a file:
gaia> add snapshot-onetime name 1st_image_after_install

description "First image after installation" target local path
/var/log/
n Creating a new snapshot image as a file and uploading it to an SCP server:
gaia> add snapshot-onetime name 1st_image_after_install

description "First image after installation" target scp ip
192.168.20.30 path /var/log/ username scp_admin password 123456
n Importing an existing snapshot image from an SCP server:
gaia> set snapshot-onetime import 1st_image_after_install target

scp ip 192.168.20.30 path /var/log/ username scp_admin password
123456

Troubleshooting
/var/log/messages*
Snapshot Management in Gaia Clish - Scheduled

Snapshots
prerequisites.
Description
Manage system images (snapshots).
From R81, you can also configure scheduled system images (snapshots).
Notes:
n R81 supports only one scheduled snapshot task.
n It is not possible to change any of the settings in the scheduled snapshot task.
You must configure the task from scratch.
n In Gaia Portal, you can only:
l Enable or disable the snapshot schedule
l View the scheduled snapshot configuration
Syntax
1. Configure the schedule snapshot task
R81 supports only one of these scheduled snapshot tasks.

You can only configure one task for a local LVM volume, one task for an FTP server, or one task
for an SCP server.
To create a new snapshot image as a local LVM volume

set snapshot-scheduled settings snapshot-name-prefix <Prefix
of Snapshot Name> [description "<Description of Snapshot>"]
target lvm
Note - Gaia Snapshots are not files, but Logical Volume Management
(LVM) volumes. Gaia stores these snapshots as a disk partition. To show
the list of virtual drives, run the "lvs" command in the Expert mode.

To create a new snapshot image as a file and upload it to an FTP server

target ftp ip <IPv4 Address of FTP Server> path <Path on FTP
Server> username <User Name on FTP Server> password <Password
in Plain Text>
To create a new snapshot image as a file and upload it to an SCP server

target scp ip <IPv4 Address of SCP Server> path <Path on SCP
Server> username <User Name on SCP Server> password <Password
in Plain Text>
2. Configure the snapshot schedule recurrence

To run each day
set snapshot-scheduled recurrence daily time <HH:MM>
To run each month on specified date and time

set snapshot–scheduled recurrence monthly month <1-12> days
<1-31> time <HH:MM>
To run each week on specified day of week and time

set snapshot-scheduled recurrence weekly days <1-6> time
<HH:MM>
3. Configure the snapshot retention policy

Important:
n This step applies only if you save the new snapshot image as a local
LVM volume.
n The retention policy applies only to the new snapshots (and does not
apply to existing snapshots).
n When Gaia creates new snapshots, it deletes the oldest snapshot that
exceeds the configured policy parameters.
To configure the maximum number of snapshot images to save
set snapshot-scheduled retention-policy max-snapshots-to-keep
<1-9999>
To configure the minimum number of snapshot images to save

set snapshot-scheduled retention-policy min-snapshots-to-keep
<1-9999>

To configure the amount of free disk space to maintain
This command lets you configure how much of the disk space must remain free at all times:
set snapshot-scheduled retention-policy keep-disk-space-above-

in-GB <Limit>
The limit you need to configure with this command is:
Limit = (Available free disk space for all snapshot images) -

(Free disk space to maintain)
Where:
Available free disk space for all snapshot images =

= (Output of: vgdisplay | grep Free) - 1.1*(Output of: lvs |
egrep "LSize|lv_current")
Example

a. Log in to the Expert mode.
b. Get the free disk space in volume groups:
[Expert@MyGaia:0]# vgdisplay | grep Free

Free PE / Size 4090 / 127.81 GiB
[Expert@MyGaia:0]#
c. Get the free disk space in the "lv_current" partition:
[Expert@MyGaia:0]# lvs | egrep "LSize|lv_current"

LV VG Attr LSize Pool Origin
Data% Meta% Move Log Cpy%Sync Convert
lv_current vg_splat -wi-ao---- 40g
[Expert@MyGaia:0]#
d. Calculate the free disk space available for snapshot images:
Available free disk space for all snapshot images =

= (Output of "vgdisplay" command) - 1.1*(Output of
"lvs" command) =
= (127.81) - 1.1*(40) = 83.81 GB
e. Calculate the limit for the scheduled snapshot task:

For example, you need to maintain 30 GB of free disk space at all times.
Limit = (Available free disk space for all snapshot

images) - (Free disk space to maintain) =
= (83.81 GB) - (30 GB) = 53.81 GB

f. Log in to Gaia Clish.

g. Configure the limit (round up or round down the limit you calculated in the previous
step):
set snapshot-scheduled retention-policy keep-disk-

space-above-in-GB 54
save config
4. Enable the scheduled snapshot feature
n To control this feature in Gaia Clish:

l To enable the snapshot schedule:
set snapshot-scheduled activation enabled

Important:
o You must run this command after you configure a
scheduled snapshot for the first time.
o You must run this command after any change in the
existing configuration of a scheduled snapshot.
l To disable the snapshot schedule:
set snapshot-scheduled activation disabled
n To control this feature in Gaia Portal:

a. In the navigation tree, click Maintenance > Snapshot Management.
b. In the section Scheduled Snapshots :
l To enable the snapshot schedule, select Activate / Deactivate.
l To disable the snapshot schedule, clear Activate / Deactivate.
c. Click Apply .
To show the scheduled snapshot configuration
n To view this configuration in Gaia Clish:
show snapshot-scheduled<SPACE><TAB>
n To view this configuration in Gaia Portal:

1. In the navigation tree, click Maintenance > Snapshot Management.
2. Refer to the section Scheduled Snapshots .
To delete a scheduled snapshot
You can only disable the snapshot schedule to stop the scheduled task:
set snapshot-scheduled activation disabled


Parameters
snapshot-name-prefix The final name of the snapshot consists of two parts - the prefix
<Prefix of Snapshot (configured by the user) and the time stamp (format is hard-
Name> coded):
<Prefix>_<YYYY_MM_DD__HH_mm>
n The prefix maximal length is 15 characters.

n The prefix can consist only of letters, numbers, or
underscore "_".
n Default prefix: snap.
description Optional.
"<Description of Configures the description of the snapshot image.
Snapshot>" You must enclose the text in double quotes, or enter the string
that does not contain spaces.
Default description : default_snapshot
target Specifies the destination for the snapshot image:

n target lvm - Local LVM volume on this Gaia (this is
the default)
n target ftp - Remote FTP server
n target scp - Remote SCP server
ip Specifies the IPv4 address of the remote server:

n ip <IPv4 Address of FTP Server>
Specifies the IPv4 address of the remote FTP server.
n ip <IPv4 Address of SCP Server>
Specifies the IPv4 address of the remote SCP server.
path Specifies the path to the snapshot image file:

n path <Local Path>
Specifies the local absolute path on this Gaia to save the
snapshot image file (/path_to/directory/).
n path <Path on FTP Server>
Specifies the path on the remote FTP server where to
upload the snapshot image file (/path_
to/directory/).
n path <Path on SCP Server>
Specifies the path on the remote SCP server where to
upload the snapshot image file (/path_
to/directory/).

username Specifies the login username on the remote server:

n username <User Name on FTP Server>
FTP server.
n username <User Name on SCP Server>
SCP server.
<Hours>:<Minutes>.
Example: 14:35
recurrence monthly Specifies that the job should run once a month - on specified
month <1-12> days <1- months, on specified dates, and at specified time.
31> time <HH:MM> Months are specified by numbers from 1 to 12: January = 1,
February = 2, ..., December = 12.
To specify several consequent months, enter their numbers
separate by commas.
Example: for January through March, enter 1,2,3
separate by commas.
Example: for 1st, 2nd and 3rd day of month, enter 1,2,3
recurrence weekly days Specifies that the job should run once a week - on specified
<0-6> time <HH:MM> days of week, and at specified time.
Days of week are specified by numbers from 0 to 6: Sunday =
0, Monday = 1, Tuesday = 2, Wednesday = 3, Thursday = 4,
Friday = 5, Saturday = 6.
Example: for Sunday, Monday, and Tuesday, enter 0,1,2
The default recurrence: every Monday at 01:00.

retention-policy Configures the retention policy when you save the new
snapshot image as a local LVM volume:
(when Gaia creates new snapshots, it deletes the oldest
snapshot that exceeds the configured policy parameters)
n max-snapshots-to-keep <1-9999>
Specifies the maximum number of snapshot images to
save. The default threshold is: 9999.
n min-snapshots-to-keep <1-9999>
Specifies the minimum number of snapshot images to
save. The default threshold is: 1.
n keep-disk-space-above-in-GB <1-Max>
Specifies the amount of free disk space to maintain
between 1 GB and the maximum available space.
activation {enabled | Enables or disables the snapshot schedule.

disabled}
Examples
n Creating a daily snapshot image as a local LVM volume:
gaia> set snapshot-scheduled settings snapshot-name-prefix Daily

description "Daily snapshot image" target lvm
gaia> set snapshot-scheduled recurrence daily time 22:00
gaia> set snapshot-scheduled retention-policy max-snapshots-to-
keep 10
gaia> set snapshot-scheduled retention-policy min-snapshots-to-
keep 3.
gaia> set snapshot-scheduled retention-policy keep-disk-space-
above-in-GB 50
gaia> set snapshot-scheduled activation enabled
gaia> save config
gaia> show snapshot-scheduled<SPACE><TAB>
n Creating a monthly snapshot image as a file and uploading it to an SCP server:
gaia> set snapshot-scheduled settings snapshot-name-prefix

Monthly description "Monthly snapshot image" target scp ip
192.168.20.30 path /var/log/ username scp_admin password 123456
gaia> recurrence monthly month 1,2,3,4,5,6,7,8,9,10,11,12 days 1
time 22:00
gaia> set snapshot-scheduled activation enabled
gaia> save config
gaia> show snapshot-scheduled<SPACE><TAB>

Troubleshooting
If a scheduled snapshot task fails, there is no notification about it. You must manually check if a snapshot
was created.
/var/log/messages*

Restoring a Factory Default Image on Check Point Appliance
Restoring a Factory Default Image on Check Point

Appliance
Factory default images on Check Point appliances are created automatically when you install or upgrade
an appliance to another release.
You can restore your Check Point appliance to the factory default image for a specified release.
Important - This procedure overwrites all existing configuration settings.
Best Practice - We recommend that you create a snapshot image before you restore
a factory default image.
Restoring a Factory Default image in Gaia Portal
Step Description
2 Use the revert option.
3 Follow the instructions on the screen.
4 In the navigation tree, click Maintenance > Shut Down.
5 Click Reboot.
Restoring a Factory Default image in Gaia Clish
Step Description
1 Connect to the command line on your appliance.
3 Run:
set fcd revert<SPACE><TAB>
set fcd revert <Name of
Default Image>
4 Follow the instructions on the screen.
5 Reboot:
reboot

Download SmartConsole
Download SmartConsole
You can download the SmartConsole application package from the Gaia Portal of your Security
Management Server or Multi-Domain Server.
After you download the SmartConsole package, you can install it and use it to connect to the Security
Management Server or Multi-Domain Server.
Step Description

Interface>
2 In the navigation tree, select one of these options:

n Click Overview. At the top of the page, click Download
Now!
n Click Maintenance > Download SmartConsole >
Download.

Hardware Health Monitoring

In This Section:
Showing Hardware Health Information in Gaia Portal 437

Showing Hardware Health Information in Gaia Clish 438
Showing Hardware Information 439
You can monitor these hardware elements:

n Fan sensors - Shows the fan number, status, and speed.
n System Temperature sensors
n Voltage sensors
n Power Supplies (on servers that support it)
In addition, see sk119232 - Hardware sensors thresholds on Check Point appliances.
Showing Hardware Health Information in Gaia Portal

In the navigation tree, click Maintenance > Hardware Health.
Note - The Hardware Health page appears only on supported hardware.
You can see the status of the machine fans, system temperature, the voltages, and (for supported
hardware only) the power supply.
For each component sensor, the table shows the value of its operation, and the status: OK, Low, or High.
n To see the health history of a component, select the component sensor. A graph shows the values
over time.
n To change the time intervals that the graph shows, click the Minute arrows.
n To view different times, click the Forward/Backward arrows.
n To refresh, click Refresh.

Showing Hardware Health Information in Gaia Clish

Description
These commands display the status for various system hardware components.
Components, for which the status can be shown, include BIOS, cooling fans, power supplies, temperature,
and voltages.
Note - The command returns information only for installed hardware components and
only on supported hardware.
Syntax
show sysenv
all
bios
fans
ps
temp
volt
Parameters
all Shows all system and hardware information.
bios Shows BIOS information.
fans Shows speed of cooling fans.
ps Shows voltages and states of power supplies.
temp Shows information from temperature sensors.
volt Shows voltages information.
Example
gaia> show sysenv all
Hardware Information
Name Value unit type status Maximum Minimum

+12V 29.44 Volt Voltage 0 12.6 11.4
+5V 6.02 Volt Voltage 0 5.3 4.75
VBat 3.23 Volt Voltage 0 3.47 2.7
gaia>

Showing Hardware Information

You can see information about the hardware, on which Gaia is installed using these commands:
Command Description
show asset<SPACE><TAB> You can run it in Gaia Clish only.
cpstat os -f sensors You can run it in Gaia Clish, or Expert mode.
The "show asset" command
Description
Shows information about the hardware, on which Gaia is installed.
You can run this command in Gaia Clish only.
The information shown depends on the type of hardware.
Common types of information shown are:
n Serial number
n Amount of physical RAM
n CPU frequency
n Number of disks in the system
n Disk capacity
Syntax
show asset<SPACE><TAB>
show asset all
show asset <Category Name>
Parameters
<SPACE><TAB> Press these keys to show a list of asset categories, such as system and
disk.
The available categories depend on the type of hardware.
all Shows all available hardware information.

The information shown depends on the type of hardware.
<Category Shows available information for a specified category.

Name>

Example 1
gaia> show asset
system all
gaia> show asset
Example 2
gaia> show asset system
Platform: Check Point 5800
Serial Number: XXX
CPU Model: Intel(R) Xeon(R) E3-1285Lv4
CPU Frequency: 3400
Disk Size: 500GB
Number of Cores: 8
CPU Hyperthreading: Enabled
gaia>

The "cpstat os -f sensors" command
Description
Shows information from supported hardware sensors.
You can run this command in Gaia Clish, or the Expert mode.
Syntax
cpstat os -f sensors

Example

Monitoring RAID Synchronization

You can monitor the RAID status of the disks to see when the hard disks are synchronized.
If you reboot the appliance before the hard disks are synchronized, the synchronization starts again at the
next boot.
Showing RAID Information in Gaia Portal

In the navigation tree, click Maintenance > RAID Monitoring.
You can see the information about RAID Volumes and RAID Volume Disks .
Showing RAID Information in Command Line

Run one of these commands in Gaia Clish or Expert mode:
n The "raid_diagnostic" command
Description
This command shows data about the RAID and hard disks, with the percent synchronization
done.
Syntax
raid_diagnostic
Example output from a Smart-1 225 appliance
l DiskID 0 is the left hard disk.

l DiskID 1 is the right hard disk.
n The "cpstat os -f raidInfo" command
Description
This command shows almost the same information as the "raid_diagnostic" command, in
tabular format.
Syntax
cpstat os -f raidInfo

Example output

Shut Down
Shut Down
There are two ways to shut down:
n Reboot: Shuts down the system and then immediately restarts it.
n Halt: Shuts down the system. You start the system manually with the power switch.
Rebooting and Shutting Down in Gaia Portal

To shut down the system and then immediately restart it
Step Description
2 Click Reboot.
To shut down the system completely
Step Description
2 Click Halt.
Rebooting and Shutting Down in Gaia Clish

To shut down the system and then immediately restart it
reboot
To shut down the system completely

halt

System Backup
System Backup
n Back up the configuration of the Gaia operating system and of the Security Management Server
database.
You can restore a previously saved configuration.
You can run the backup manually, or on a schedule.
The configuration is saved to a *.tgz file.
You can store backups locally, or remotely to a TFTP, SCP or FTP server.
n Save your Gaia system configuration settings as a ready-to-run CLI shell script.
This lets you quickly restore your system configuration after a system failure or migration.
Note - You can only do a migration using the same Gaia version on the source and
target computers.
Important - When you create a backup on a Security Management Server, make sure
to close all SmartConsole clients. Otherwise, backup does not start.

Backing Up and Restoring the System

In This Section:
Backing Up and Restoring the System in Gaia Portal 447

Backing Up the System in Gaia Clish 450
Restoring the System in Gaia Clish 451
Backing Up and Restoring the System in Gaia Portal

To create a backup
Step Description
1 In the navigation tree, click Maintenance > System Backup.
2 Click Backup.
3 Select the location of the backup file:

n This appliance
To store the collected backup locally
n Management
To send the collected backup to the Management Server that manages this Security
Gateway.
n SCP server
To send the collected backup to an SCP server.
Enter the IPv4 address, User name, Password and Upload path.
n FTP server
To send the collected backup to an FTP server.
n TFTP server
To send the collected backup to a TFTP server
Enter the IPv4 address.
Note - Gaia Portal does not support the change of backup file names. You can
change a backup file name in the Expert mode. Make sure not to use special
characters.
To restore from a locally saved backup
Step Description
2 Select the backup file.
3 Click Restore.

To restore from a remotely saved backup
Step Description
2 Click Restore Remote Backup.
3 Enter the full name of the backup file on a remote server.
4 Select the location of the backup file:

n Management
To restore the backup from the Management Server that manages this Security
Gateway
n SCP server
To restore the backup from an SCP server.
n FTP server
To restore the backup from an FTP server.
n TFTP server
To restore the backup from a TFTP server.
Enter the IPv4 address.
5 Click Restore.
To export an existing backup
Step Description
3 Click Export.
Make sure you have enough free disk space on your computer.
To import a backup
Step Description
3 Click Import.
4 Click Browse and select the backup file on your computer.
5 Click Import.

To delete a backup
Step Description
3 Click Delete.

Backing Up the System in Gaia Clish
Syntax
To collect a backup and store it locally

add backup local [interactive]
To collect a backup and upload it to an SCP server

add backup scp ip <IPv4 Address of SCP Server> path <Path on SCP
Server> username <User Name on SCP Server> [password <Password in
Plain Text>] [interactive]
To collect a backup and upload it to an FTP server

add backup ftp ip <IPv4 Address of FTP Server> path <Path on FTP
Server> username <User Name on FTP Server> [password <Password in
Plain Text>] [interactive]
To collect a backup and upload it to a TFTP server

add backup tftp ip <IPv4 Address of TFTP Server> [interactive]
To show the status of the latest backup

show backup {last-successful | logs | status}
To show the list of local backups and their location

show backups
Note - Gaia Clish does not support change of file names. You can change a file name
in the Expert mode. Make sure not to use special characters.
Example
gaia> add backup local
Creating backup package. Use the command 'show backups' to monitor
creation progress.
gaia>
gaia> show backup status
Performing local backup
gaia>
gaia> show backups
backup_gw-8b0891_22_7_2012_14_29.tgz Sun, Jul 22, 2012 109.73 MB
gaia>

Restoring the System in Gaia Clish
Syntax
To restore a backup from a local hard disk

set backup restore local<SPACE><TAB>
To restore a backup from an SCP Server

set backup restore scp ip <IPv4 Address of SCP Server> path <Path on
SCP Server> file <Name of Backup File> username <User Name on SCP
Server> [password <Password in Plain Text>] [interactive]
To restore a backup from an FTP Server

set backup restore ftp ip <IPv4 Address of FTP Server> path <Path on
FTP Server> file <Name of Backup File> username <User Name on FTP
Server> [password <Password in Plain Text>] [interactive]
To restore a backup from a TFTP Server

set backup restore tftp ip <IPv4 Address of TFTP Server> file <Name
of Backup File> [interactive]
Note - To restore the Gaia OS configuration quickly after a system failure or migration,
use the Gaia Clish "configuration" feature (see "Working with System
Configuration in Gaia Clish" on page 457).

Configuring Scheduled Backups

In This Section:
Configuring Scheduled Backups in Gaia Portal 452

Configuring Scheduled Backups in Gaia Clish 454
Important - When you create a backup on a Security Management Server, make sure
to close all SmartConsole clients. Otherwise, scheduled backup does not start.
Configuring Scheduled Backups in Gaia Portal

To add a scheduled backup
Step Description

Refer to the Scheduled Backup section.
2 Click Add Scheduled Backup.
3 In the Backup Name field, enter the name of the job.
n The maximal length is 15 characters.

n The name can consist only of letters, numbers, or underscore "_".
4 In the Backup Type section, configure the location of the backup file:
n This appliance
To store the collected backup locally
n Management
To send the collected backup to the Security Management Server that manages this
Security Gateway.
n SCP server
To send the collected backup to an SCP server.
Enter the IP address, User name, Password and Upload path.
n FTP server
To send the collected backup to an FTP server.
Enter the IP address, User name, Password and Upload path.
n TFTP server
To send the collected backup to a TFTP server.
Enter the IP address.
5 In the Backup Schedule section, configure the frequency (Daily , Weekly , Monthly ) for this
backup.
6 Click Add.
The scheduled backup appears in the Scheduled Backups table.

To delete a scheduled backup
Step Description

Refer to the Scheduled Backup section.
2 Select the backup to delete.
3 Click Delete.

Configuring Scheduled Backups in Gaia Clish
Syntax
To add a backup schedule that stores the backup file locally

add backup-scheduled name <Name of Schedule> local
To add a backup schedule that uploads the backup file to an FTP server
add backup-scheduled name <Name of Schedule> ftp ip <IPv4 Address of
FTP Server> path <Path on FTP Server> username <User Name on FTP
To add a backup schedule that uploads the backup file to an SCP server
add backup-scheduled name <Name of Schedule> scp ip <IPv4 Address of
SCP Server> path <Path on SCP Server> username <User Name on SCP
To add a backup schedule that uploads the backup file to a TFTP server
add backup-scheduled name <Name of Schedule> tftp ip <IPv4 Address
of TFTP Server>
To configure the backup schedule to run each day

set backup-scheduled name <Name of Schedule> recurrence daily time
<HH:MM>
To configure the backup schedule to run each month on specified date and time
set backup-scheduled name <Name of Schedule> recurrence monthly
month <1-12> days <1-31> time <HH:MM>
To configure the backup schedule to run each week on specified day of week and time
set backup-scheduled name <Name of Schedule> recurrence weekly days
<0-6> time <HH:MM>
To show the scheduled backup configuration

show backup-scheduled<SPACE><TAB>
show backup-scheduled <Name of Schedule>
To delete a scheduled backup

delete backup-scheduled<SPACE><TAB>
delete backup-scheduled <Name of Schedule>

Parameters
CLI Parameters
name <Name of Schedule> Defines the name of the scheduled backup:

n The maximal length is 15 characters.
n The name can consist only of letters, numbers, or
underscore "_".
ftp ip <IPv4 Address of Specifies the IPv4 address of the remote FTP server.
FTP Server>
scp ip <IPv4 Address of Specifies the IPv4 address of the remote SCP server.
SCP Server>
tftp ip <IPv4 Address Specifies the IPv4 address of the remote TFTP server.
of TFTP Server>
path <Path on FTP Specifies the path on the remote FTP server where to upload
Server> the backup file.
path <Path on SCP Specifies the path on the remote SCP server where to upload
Server> the backup file.
username <User Name on Specifies the user name required to log in to the remote FTP
FTP Server> server.
username <User Name on Specifies the user name required to log in to the remote SCP
SCP Server> server.
<Hours>:<Minutes>.
Example: 14:35
recurrence monthly Specifies that the job should run once a month - on specified
month <1-12> days <1- months, on specified dates, and at specified time.
31> time <HH:MM> Months are specified by numbers from 1 to 12: January = 1,
February = 2, ..., December = 12.
To specify several consequent months, enter their numbers
separate by commas.
Example: for January through March, enter 1,2,3
separate by commas.
Example: for 1st, 2nd and 3rd day of month, enter 1,2,3

recurrence weekly days Specifies that the job should run once a week - on specified
<0-6> time <HH:MM> days of week, and at specified time.
Days of week are specified by numbers from 0 to 6: Sunday =
0, Monday = 1, Tuesday = 2, Wednesday = 3, Thursday = 4,
Friday = 5, Saturday = 6.
Example: for Sunday, Monday, and Tuesday, enter 0,1,2

Working with System Configuration in Gaia Clish
Working with System Configuration in Gaia Clish

You can save your Gaia configuration settings as a ready-to-run CLI shell script.
This feature lets you quickly restore your system configuration after a system failure or migration.
Note - You can only do a migration using the same Gaia version on the source and
target computers.
Syntax
To save the system configuration to a CLI script

save configuration <Name of Script>
To restore configuration settings

load configuration <Name of Script>
To see the latest configuration settings

show configuration
Example
This example shows part of the configuration settings as last saved to a CLI shell script:
mygaia> show configuration

#
# Configuration of mygaia
# Language version: 10.0v1
#
# Exported by admin on Mon Mar 19 15:06:22 2012
#
set hostname mygaia
set timezone Asia / Jerusalem
set password-controls min-password-length 6
set password-controls complexity 2
set password-controls palindrome-check true
set password-controls history-checking true
set password-controls history-length 10
set password-controls password-expiration never
set ntp active off
set router-id 6.6.6.103
set ipv6-state off
set snmp agent off
set snmp agent-version any
set snmp community public read-only
set snmp traps trap authorizationError disable
set snmp traps trap coldStart disable
set snmp traps trap configurationChange disable
... ... ...[truncated for brevity]... ... ...
mygaia>

LVM Overview
LVM Overview
Description
The Gaia Clish command "show system lvm overview" shows information about system logical
volumes.
Syntax
show system lvm overview
Example
gaia> show system lvm overview

LVM overview
============
Size(GB) Used(GB) Configurable Description
lv_current 38 8 yes Check Point OS and products
lv_log 56 2 yes Logs volume
upgrade reserved 42 N/A no Reserved space for version upgrade
swap 16 N/A no Swap memory volume
unallocated space 148 N/A no Unused space
------- ----
total 300 N/A no Total size
gaia>
Related information
See "Configuring Log Volume" on page 293.

Advanced Configuration
In This Section:
Configuring the Gaia Portal Web Server 459

Resetting the Expert Mode Password on a Security Gateway 460
Configuring the Gaia Portal Web Server

Description
You can configure the server responsible for the Gaia Portal.
Syntax
n To configure Gaia Portal web server:
set web
daemon-enable {on | off}
session-timeout <Timeout>
ssl-port <Port>
ssl3-enabled {on | off}
table-refresh-rate <Rate>
n To show the Gaia Portal web server configuration:
show web
daemon-enable
session-timeout
ssl-port
ssl3-enabled
table-refresh-rate
Parameters
daemon- Enables or disables the Gaia Portal web daemon.

enable {on
| off} n Range: on, or off
n Default: on

session- Configures the time (in minutes), after which the HTTPS session to the Gaia
timeout Portal terminates.
<Timeout>
n Range: 1 - 720
n Default: 15
ssl-port Configures the TCP port number, on which the Gaia Portal can be accessed over
<Port> HTTPS.
n Range: 1 - 65535
n Default: 443
Use this command for initial configuration only.
Changing the port number on the command line may cause inconsistency with
the setting defined in SmartConsole. Use SmartConsole to set the SSL port for
the Portal.
Note - This setting does not affect HTTP connections. Normally this
port should be left at the default 443. If you change the port number,
you must change the URL used to access the Gaia Portal from
https://<Hostname or IP Address>/ to
https://<Hostname or IP Address>:<PORTNUMBER>
ssl3- Enables or disables the HTTPS SSLv3 connection to Gaia Portal.

enabled {on
| off} n Range: on, or off
n Default: off
table- Configures the refresh rate (in seconds), at which some tables in the Gaia Portal
refresh- are refreshed.
rate <Rate>
n Range: 10 - 240
n Default: 10
Resetting the Expert Mode Password on a

Security Gateway
If you forget your Expert mode password for a Security Gateway or Cluster Member, follow sk106490.

CPUSE - Software Updates
CPUSE - Software Updates

With CPUSE, you can automatically update Check Point products for the Gaia OS, and the Gaia OS itself.
The software update packages and full images are for major releases, minor releases and Hotfixes. All of
the CPUSE processes are handled by the Deployment Agent daemon (DA).
Gaia automatically locates and shows the available software update packages and full images that are
applicable to the Gaia operating system version installed on the computer, the computer's role (Security
Gateway, Security Management Server, Standalone), and other specific properties. The images and
packages can be downloaded from the Check Point Support Center and installed.
You can add a private package to the list of available packages. A private package is a Hotfix, which is
located on the Check Point Support Center, and is only available to limited audiences.
When you update Check Point software, make sure to:
n Define the CPUSE policy for downloads and installation.
Downloads can be:
l Manual
l Automatic
l Scheduled (daily, weekly, monthly, or one time only).
Installations are:
l Hotfixes are downloaded and installed automatically by default
l Full installation and upgrade packages must be installed manually
n Define mail notifications for completed package actions and for the new package updates.
n Run the software download and installation.
Note - You must have a CPUSE policy defined, before you download and run upgrades.
For details, see sk92449.

Gaia API Proxy
Gaia API Proxy

Check Point products support API commands. See the Check Point API Reference.
With the Gaia API Proxy feature on a Management Server, you run the Gaia API commands on managed
Security Gateways and Cluster Members:
1. An administrator connects with an API Client to a Management Server.
2. From the Management Server, an administrator runs the Gaia API commands on managed Security
Gateways and Cluster Members.
The Gaia API Proxy feature on the R81 Management Server works with all managed Security Gateways
and Cluster Members that support the Gaia API.
Example diagram
Item Description
1 An API Client
2 A Management Server with the Gaia API Proxy feature
3 A managed Security Gateway
4 A managed ClusterXL
A Management API communication
B Gaia API communication

Gaia API Proxy
Workflow:
1. Run the Management API "login" command to log in to the Management Server
When you work with an API Client, run the Check Point API "login" command to log in to the
Management Server (see the Check Point Management API Reference).
Important - The administrator that logs in must have the Run One Time
Script permission enabled in the assigned permission profile:
a. Connect with SmartConsole to the Management Server.
b. From the left navigation panel, click Manage & Settings .
c. In the top section, click Permissions & Administrators > Permission
Profiles .
d. Open the applicable permission profile.
e. From the left tree, click Overview.
n If you selected Read/Write All , then click Cancel .
The required permission is already enabled.
n If you selected Customized, then:
i. From the left tree, click Gateways .
ii. In the Scripts section, select Run One Time Script.
iii. Click OK.
iv. Publish the SmartConsole session
2. Run the Gaia API commands on managed Security Gateways and Cluster Members
The Management API "login" command returns the Session Unique Identifier (SID) token.
In the same API Client, use this SID token in the "X-chkp-sid" field of the Gaia API commands
you run on managed Security Gateways and Cluster Members.
Gaia API Syntax:
POST https://<IP Address of Management Server>/web_api/gaia-

api/<Gaia API Version>/<Gaia API Command>
See the Check Point Gaia API Reference.

The body of the Gaia API command must identify the managed Security Gateway or Cluster
Member by one of these parameters:
n Object name
n Object primary IP address
n Object UID
3. The Gaia API Proxy logs in to the specified Security Gateway or Cluster Member
The Gaia API Proxy on the Management Server interprets the Gaia API command and logs in to
the specified Security Gateway or Cluster Member.
a. This login returns the SID for the Security Gateway or Cluster Member.
b. The Gaia API Proxy uses this SID to run the Gaia API commands.

Gaia API Proxy
c. The Gaia API Proxy saves this SID in its database:

n The SID timeout is 580 seconds on the Management Server.
n The SID timeout is 10 minutes on a Security Gateway or Cluster Member.
4. The Gaia API Proxy forwards the response from the Security Gateway or Cluster
Member to the API client
n To increase performance, the Gaia API Proxy saves the response in the Gaia API Proxy
cache on the Management Server.
n If the Gaia API Proxy gets the same Gaia API request during the cache timeout, it returns
the Gaia API response from its cache and updates the cache.
n An administrator can configure these cache parameters in the
$FWDIR/api/conf/cache.conf file on the Management Server:
Note - After you change the $FWDIR/api/conf/cache.conf file,

you must reload the API server configuration with the "api reconf"
command in the Expert mode.
Accepted
Values
timeout 0, or Specifies the time, after which the next Gaia API command
greater triggers a cache update for that Gaia API command:
l 0 - The Gaia API proxy does not use cache
l <integer> - The Gaia API proxy saves the Gaia API
responses in its cache for the specified number of

seconds (default: 60 seconds)
total_ integer Specifies the number of unique Security Gateways and

gateways Cluster Members, from which to save the Gaia API
responses.
maximum_ integer Specifies the number of unique Gaia API commands to save
entries for each Security Gateway and Cluster Member.
Important - The Gaia API Proxy sends Gaia API command over HTTPS. The Access
Control policy for the Security Gateway or ClusterXL must explicitly allow HTTPS traffic
from the Management Server to the Security Gateway or Cluster Members.

Gaia API Proxy
Examples
Gaia API command "show-hostname"
In this example, we identify the managed Security Gateway by the object primary IP address.
Request
POST https://<IP Address of Management Server>/gaia-api/show-

hostname
Content-Type: application/json
X-chkp-sid: <Session ID>
{
"target" : "192.168.1.1"
}
Response
{
"command-name" : "show-hostname",
"response-message" : {
"name" : "gw-832546"
}
}

Gaia API Proxy
Gaia API command "show-interface"
In this example, we identify the managed Security Gateway by the object name.
Request
POST https://<IP Address of Management Server>/gaia-api/v1.4/show-

interfaces
{
"target" : "gw-832546",
"name" : "eth0"
}
Response
{
"command-name" : "v1.4/show-interfaces",
"ipv6-local-link-address": "Not Configured",
"type": "physical",
"name": "eth0",
"ipv6-mask-length": "Not-Configured",
"ipv6-address": "Not-Configured",
"ipv6-autoconfig": "Not configured",
"ipv4-address": "192.168.1.1",
"enabled": true,
"comments": "",
"ipv4-mask-length": "24"
}
}

Gaia API Proxy
Gaia API command "show-diagnostics"
In this example, we identify the managed Security Gateway by the object UID.
Request
POST https://<IP Address of Management Server>/gaia-api/v1.4/show-

diagnostics
{
"target" : "52048978-c507-8243-9d84-074d11154616",
"category" : "os",
"topic" : "disk"
}
Response
{
"command-name" : "v1.4/show-diagnostics",
"to": 3,
"total": 3,
"from": 1,
"objects": [
{
"total": "34342961152",
"partition": "/",
"used": "5718065152",
"free": "28624896000"
},
{
"total": "304624640",
"partition": "/boot",
"used": "26991616",
"free": "277633024"
},
{
"total": "34342961152",
"partition": "/var/log",
"used": "455684096",
"free": "33887277056"
}
]
}
}

CP R81 Gaia AdminGuide

Uploaded by

Copyright:

Available Formats

CP R81 Gaia AdminGuide

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

CP R81 Gaia AdminGuide

Uploaded by

Copyright:

Available Formats

20 October 2020

RESTRICTED RIGHTS LEGEND:

Check Point R81

Latest Version of this Document in English

Gaia R81 Administration Guide | 3

20 October 2020 First release of this document

Gaia R81 Administration Guide | 4

Gaia R81 Administration Guide | 5

Centrally Managing Gaia Device Settings 76

Gaia R81 Administration Guide | 6

Configuring Bridge Interfaces in Gaia Clish 128

Gaia R81 Administration Guide | 7

Configuring Host Name and Domain Name in Gaia Clish 188

Gaia R81 Administration Guide | 8

SNMP Agent Address 244

Gaia R81 Administration Guide | 9

Configuring IPv6 Support in Gaia Clish 279

Gaia R81 Administration Guide | 10

Password Strength 345

Gaia R81 Administration Guide | 11

VRRP Terminology 383

Gaia R81 Administration Guide | 12

Snapshot Management in Gaia Clish - Regular Snapshots 421

Gaia R81 Administration Guide | 13

Gaia R81 Administration Guide | 14

CoreXL Firewall Instance

Gaia R81 Administration Guide | 15

Gaia R81 Administration Guide | 16

Domain Log Server

Gaia R81 Administration Guide | 17

Jumbo Hotfix Accumulator

Gaia R81 Administration Guide | 18

Management High Availability

Multi-Domain Log Server

Multi-Domain Security Management

Gaia R81 Administration Guide | 19

Security Management Server

Gaia R81 Administration Guide | 20

Gaia R81 Administration Guide | 21

Gaia R81 Administration Guide | 22

Gaia R81 Administration Guide | 23

Introduction to the Gaia Portal

Gaia Portal Overview

https://<IP Address of Gaia Management Interface>

The Gaia Portal interface

Gaia R81 Administration Guide | 24

4 Overview page with widgets that show system information

Logging in to the Gaia Portal

To log in to the Gaia Portal:

1 Enter this URL in your browser:

2 Enter your user name and password.

Gaia R81 Administration Guide | 25

Gaia R81 Administration Guide | 26

SSL connection ports on Security Management Servers R80.40 and lower

Configuration URL and Port

Default https://<IP Address of Gaia Management

New https://<IP Address of Gaia Management

l SmartView Web Application

Configuration URL and Port