If you’re new to Check Point Quantum Maestro, one of the fastest ways to create “mysterious” issues is to treat the environment like a traditional standalone gateway and run changes in the wrong CLI context.
In Maestro, consistency across SGMs is everything. That’s why understanding the difference between clish and gclish (Global clish) is a foundational skill.
1) What are clish and gclish?
clish (Gaia clish)
-
The standard Gaia OS command shell.
-
Provides a restricted, configuration-oriented CLI for system administration.
-
Scope is local: it affects only the appliance/node you are currently connected to.
-
Access and available commands are controlled by administrative roles and permissions.
-
Not intended for low-level OS operations (that’s what Expert mode is for).
gclish (Global clish)
-
A special shell for Scalable Platforms such as Quantum Maestro environments.
-
Designed to run commands globally across all SGMs in a Security Group.
-
Ideal when you need uniform configuration and consistent operational state across multiple members.
Why it exists: In Maestro, the “gateway” is distributed. gclish helps you operate it as a single logical system.
2) The key technical differences (practical view)
| Feature |
clish (Gaia clish) |
gclish (Global clish) |
| Scope |
Local (current node only) |
Global (all SGMs in the Security Group) |
| Where available |
Any Gaia appliance |
Maestro (Scalable Platforms) |
| Typical use |
Single-node config & checks |
Consistent changes and checks across all SGMs |
| Risk if misused |
Creates per-node drift in Maestro |
Can impact the entire Security Group if used carelessly |
| Best for |
Point troubleshooting, local inspection |
Fleet-wide configuration, global validation, uniform actions |
Field reality: A config change made in clish on one SGM can lead to drift—and drift is the root cause of many “intermittent”incidents in Maestro.
3) Most-used commands (starter set)
clish (Gaia clish) – common basics
show interface
set interface
show configuration
save config
show route
set static-route
show version all
To enter Expert mode:
expert
gclish (Global clish) – common basics
show interfaces
show configuration
save config
show route
set static-route
cpstop
cpstart
To enter gclish (from Expert mode):
gclish
To list global command help:
global help
Example:
show interfaces
This runs the command on all SGMs in the Security Group.
4) When to use which (simple rules that prevent 80% of mistakes)
Use clish when:
-
You are checking or troubleshooting one specific node/SGM.
-
You need a local view of interfaces/routes/config on the node you’re logged into.
-
The change is intentionally node-specific (rare in Maestro operational practice).
Use gclish when:
-
The configuration must be identical across all SGMs (interfaces, routes, global settings).
-
You want to collect the same output from all SGMs quickly (consistency validation).
-
You need to run a global administrative action and you fully understand the impact (e.g., restarting services on all members).
Avoid these common mistakes:
-
Do not use clish for global changes in Maestro unless you intentionally want per-node divergence.
-
Do not use gclish for single-node troubleshooting when you are trying to isolate an issue to one member—because you may affect the entire group.
5) Maestro-specific operational notes (high value)
-
When operating Maestro, think “Security Group” first, not “a single gateway node.”
-
If a change must be consistent across the group, use gclish and finish with:
save config
-
If you need low-level operations, use Expert mode, but prefer global commands when the action is meant to apply to the whole Security Group.
-
If you’re unsure which commands are supported globally:
global help
Quick visual summary
| Scenario |
Use clish |
Use gclish |
| Local configuration on one node |
✅ |
|
| Global Maestro configuration (uniform across SGMs) |
|
✅ |
| Troubleshooting on a single SGM |
✅ |
|
| Same action/check across all SGMs |
|
✅ |
