- Products
- Learn
- Local User Groups
- Partners
- More
Quantum Spark Management Unleashed!
Introducing Check Point Quantum Spark 2500:
Smarter Security, Faster Connectivity, and Simpler MSP Management!
Check Point Named Leader
2025 Gartner® Magic Quadrant™ for Hybrid Mesh Firewall
HTTPS Inspection
Help us to understand your needs better
CheckMates Go:
SharePoint CVEs and More!
When using SMB devices for remote company sites, ease of first time configuration is an important matter. When used with a central management by SMS / MDS, only some basic configuration is needed before first policy install. To be able to deploy locally managed SMB devices with (nearly) identical configuration would be much easier if a configured unit could be used to copy the needed settings to others.
But a R77.20.xx configuration file exported from WebGUI can only be restored to the same firmware version and the same model – 600/1100, 1200R and 700/1400 are three different models with its own firmware corresponding to the hardware changes. Backup / Restore between different models is supported from 6x0 to 7x0 and 11x0 to 14x0 appliances; only from 1200R a transfer is possible to all SMB HW types using firmware > R77.20.51 (see sk111334), as well as from 14xx to 15xx (see How to upgrade hardware from R77.20.87 to R80.20.15 or above ).
But it is always possible to dump a configuration by using a CLISH command :
[clish]# show config
will output a series of CLISH commands matching the current configuration, complete with comments explaining what is set using the next CLISH commands. Saving these lines from expert mode into a text file produces something very similar to an autoconf.clish (also see my article USB First Time Config using autoconf.clish files - How it works😞
[Expert]# clish -A -i -c "show configuration" -v >> /var/log/config.txt
But be aware that this is not a supported nor intended method and you also have to cope with SK164018 - Missing configuration items in output of the 'show configuration' command on SMB appliances !
These saved CLISH commands usually are not able to replicate the configuration completely, as, for example, configuring an existing interface uses "set internet-connection", as used in "show configuration" output, but to define a new interface from scratch as needed in a new or reset box, you would have to issue "add internet-connection" instead.
So you have to edit the text file and manually set the values needed for the next unit to deploy. It can then be read in in expert mode, see the next two lines:
[Expert]# clish -f /mnt/usb1/config.txt -v
[Expert]# clish -f /var/log/config.txt -v
First the config is read from USB1, the second example assumes it had been already transfered to directory /var/log/.
Details of the expert mode ‘clish’ command can be found in the CHECK POINT 600/700/1100/1200R/1400 APPLIANCE CLI Guide, Running CLISH Commands from Expert Mode, p.20. The produced text file does, of course, not contain a license, unlike the exported configuration file from WebGUI.
Yes, that is true, but not so bad as the following: The only blade that can be enabled (set aside FW and IA here) is AntiSpam, no other Blades, WebServer or Rules configuration is available in CLISH. So locally managed SMB devices must be configured using the WebGUI (will be covered in part 3 soon) ! But it is very usable for centrally managed units and for the first setup of locally managed.
CORRECTION: This is no longer true in R81.10.10 CLI, see https://sc1.checkpoint.com/documents/SMB_R81.10.X/CLI/EN/Content/Topics/Configuring-Threat-Preventio...
I found out why that happens - you must run bashUser on and connect again, or you will get this error ( i had this error after a first part of the export file inside of it!). When logging in to CLI, you should enter in expert mode, that is crucial for the command to work !
Did not realize this shortcoming/bug as i use WinSCP - bashUser on is the first command issued 8)
Also, adding services will fail. Services will no source port configured will generate a command with 'source-port "nil"', which will not be recognized and will fail. The correct syntax should be 'source-port "false"'
It will be necessary to replace these parts with the correct syntax.
Yes, that is true, but not so bad as the following: The only blade that can be enabled (set aside FW and IA here) is AntiSpam, no other Blades, WebServer or Rules configuration is available in CLISH. So locally managed SMB devices must be configured using the WebGUI (will be covered in part 3 soon) ! But it is very usable for centrally managed units and for the first setup of locally managed.
CORRECTION: This is no longer true in R81.10.10 CLI, see https://sc1.checkpoint.com/documents/SMB_R81.10.X/CLI/EN/Content/Topics/Configuring-Threat-Preventio...
Absolutely! For OS configuration this procedure is extremely useful.
With the correct adaptations, it is also a big help with the rule base.
Thank you for sharing!
I have tried to export config on a SMB 1800 running R81.10 (996000575).
I put the mentioned command in the expert mode:
[Expert]# clish -A -i -c "show configuration" -v >> /var/log/config.txt
this results in this message:
You can't start interactive session from another interactive session.
Exit expert mode and return to clish.
Exit expert mode let me not write the output of "show configuration" into a file.
What do I wrong?
I found out why that happens - you must run bashUser on and connect again, or you will get this error ( i had this error after a first part of the export file inside of it!). When logging in to CLI, you should enter in expert mode, that is crucial for the command to work !
Did not realize this shortcoming/bug as i use WinSCP - bashUser on is the first command issued 8)
Did it work for you now ?
Sorry for the late answer. I helped myself with the feature of putty to copy all output to clipboard to export the config.
But I have just tried it again with "bashUser on" and yes, this works very well now.
Thank you very much for your help. I will use it like this in the future.
Hello,
In the SMB 1530/1550 appliances, how can I save the configuration from the CLI of the devices?
The "save config" does not work here.
The changes that are made, either from the WebUI or from the CLI, are saved automatically?
Greetings.
You are correct. Settings from WEBUI/CLI are automatically saved and reflected to the configuration immediately when working with CLISH commands in Gaia Embedded.
Correct, this is one of the differences between Gaia and Embedded Gaia.
That is the topic here 😉 Use
[Expert]# clish -A -i -c "show configuration" -v >> /var/log/config.txt
Hello,
Checkpoint uses lua scripts for show configuration and other commands.
You have to find where the comman lua is
-> type lua = /pfrm2.0/bin/lua
if you then just type show followed by a tab for autocomplete you get all sorts of lua scripts which are the equivalent in CLISH
-> type showConfig.lua = /pfrm2.0/bin/cli/showConfig.lua
Now all we need is for your configuration
-> /pfrm2.0/bin/lua /pfrm2.0/bin/cli/showConfig.lua > /var/log/config.txt
And your entire configuration will end in that File config.txt
I was hoping to find the default gateway for the WAN Interface but no luck in the configuration. That's kind of weird.
Edit Internet connection WAN - Well I dig deeper 🙂
In expert mode you can execute the lua scripts which are the show configuration in admin mode
/pfrm2.0/bin/lua /pfrm2.0/bin/cli/showConfig.lua > /var/log/config.txt
Yes. Embedded GAiA has no save config...
Leaderboard
Epsum factorial non deposit quid pro quo hic escorol.
User | Count |
---|---|
17 | |
7 | |
7 | |
6 | |
4 | |
4 | |
2 | |
2 | |
2 | |
2 |
Wed 03 Sep 2025 @ 11:00 AM (SGT)
Deep Dive APAC: Troubleshooting 101 for Quantum Security GatewaysThu 04 Sep 2025 @ 10:00 AM (CEST)
CheckMates Live BeLux: External Risk Management for DummiesWed 10 Sep 2025 @ 11:00 AM (CEST)
Effortless Web Application & API Security with AI-Powered WAF, an intro to CloudGuard WAFWed 10 Sep 2025 @ 11:00 AM (EDT)
Quantum Spark Management Unleashed: Hands-On TechTalk for MSPs Managing SMB NetworksWed 03 Sep 2025 @ 11:00 AM (SGT)
Deep Dive APAC: Troubleshooting 101 for Quantum Security GatewaysThu 04 Sep 2025 @ 10:00 AM (CEST)
CheckMates Live BeLux: External Risk Management for DummiesWed 10 Sep 2025 @ 11:00 AM (EDT)
Quantum Spark Management Unleashed: Hands-On TechTalk for MSPs Managing SMB NetworksAbout CheckMates
Learn Check Point
Advanced Learning
YOU DESERVE THE BEST SECURITY