Tip of the Week - Gaia Dynamic CLI is now generally available

If you are tired of jumping between CLISH and Expert shell when configuring and tuning your Gaia-based security devices, take a look at Dynamic CLI: Enhancing CLISH with new Expert mode commands

Also, if you are attending one of the CPX360 events, come to Valeri Loukine's sessions to see some demos.

35 Comments
Norbert_Bohusch
Advisor

It would be nice to supply the installation file not as a tgz with an rpm and installation scripts, but as CPUSE.

1. same installation process as for all fixes/etc.

2. possible to deploy via CDT

_Val_
Admin

I agree. Alexander Kim‌, can you comment please?

Alexander_Kim
Employee Alumnus

Point taken. We will consider it. 

Norbert_Bohusch
Advisor

Btw. same goes for Gaia Rest API for sure 😉

Alexander_Kim
Employee Alumnus

Of course

Martin_Raska
Advisor

It's NICE, is there any plan to include it in JHF?

Alexander_Kim
Employee Alumnus

JHF can be installed on top of it without problem. I will add a note in the SK

Martin_Raska
Advisor

One Error: it should know corexl


chkp-demo-gw> show security-gateway corexl
CLINFR0329 Invalid command:'show security-gateway corexl'.


[Expert@chkp-demo-gw:0]# fw ctl multik stat
ID | Active | CPU | Connections | Peak
----------------------------------------------
0 | Yes | 1 | 3 | 110
1 | Yes | 0 | 13 | 171

Norbert_Bohusch
Advisor

I already added this as comment to the SK, the command is not as documented but:

chkp-demo-gw> show security-gateway affinity statistics
ID | Active | CPU | Connections | Peak
----------------------------------------------
0 | Yes | 3 | 9 | 114
1 | Yes | 2 | 9 | 131
2 | Yes | 1 | 10 | 120

Alexander_Kim
Employee Alumnus

Thanks. Fixed

Martin_Valenta
Advisor

Tried to download and getting this while logged in to SC..

Pedro_Madeira
Contributor

I'm having the same problem with expert level access.

"The file you were trying to load could not be found or has been deleted."
 

Alexander_Kim
Employee Alumnus

Pedro, can you try again now ?

Alexander_Kim
Employee Alumnus

Martin, Pedro, 

Can you try again now, plz ?

Martin_Valenta
Advisor

Yes working now.

Pedro_Madeira
Contributor

Yeps,

Working perfectly now.

Thank you.

PM

JozkoMrkvicka
Leader

Is a reboot really necessary? I like the idea, but the fact I would need to reboot around 200 GWs ... it is a showstopper for us.

Alexander_Kim
Employee Alumnus

Well, actually killing clish and clishd should do it...

JozkoMrkvicka
Leader

What is the point that only R80+ is supported ? Why not support also R77.30 ?

Martin_Valenta
Advisor

'Cause that's a way to push customers to upgrade their fw's

JozkoMrkvicka
Leader

You just hit my first "assumption"

Alexander_Kim
Employee Alumnus

Not in this case, no 🙂 no conspiracy... R77.30 would require us to make changes in underlying clish architecture (changes which are already present in R80.10), and in such case installation of this dynamic cli package would block jhf and any other hf on that gateway

JozkoMrkvicka
Leader

Thank you for detailed explanation 🙂

Martin_Raska
Advisor

Sorry but that was not my question.

Alexander_Kim
Employee Alumnus

Can you clarify then ? If the question is will this code be a part of JHF - then the answer is no. The packages are now available only in the SK, but they do not contradict with any other HF or JHF

Martin_Valenta
Advisor

would be great if also "grep" would be available in clish..

Alexander_Kim
Employee Alumnus

We added some (which we found useful). They are documented in the SK :

Dynamic CLI command                   Expert mode equivalent
show system dmi-table search VALUE    dmidecode | grep -i VALUE | more
show file VALUE search VALUE          cat VALUE | grep -i VALUE | more
show syslog logs search VALUE         cat /var/log/messages | grep -i VALUE | more
show syslog dmesg search VALUE        dmesg | grep -i VALUE | more

G_W_Albrecht
Legend

I find this a valuable addition if special users shall be able to issue expert commands without having expert password or role. But in daily life, I will rather open two ssh windows, one in clish, the other in expert mode, before replacing fw stat by show security-gateway policy.

JozkoMrkvicka
Leader

if you don't know expert pass and want to perform some commands from expert, simply change your shell (set user <my_clish_username> shell /bin/bash) and you are done 🙂 "security" on the highest level ...

Jerry
Leader

you won't be able to do "chsh -s /bin/bash user" or as you claimed from clish> - unless the user is in adminRole 🙂 regular user cannot make himself from cli.sh to bash I guess?

Norbert_Bohusch
Advisor

Correct, without adminRole (or a manual role with correct permissions) this is not possible.
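
The exchange above turns on which accounts log in to bash instead of CLISH. As an added example (not part of the thread and not Check Point tooling), this check lists accounts in passwd-format input whose login shell is an interactive shell other than the restricted one. The /etc/cli.sh path for the CLISH login shell and all sample accounts are assumptions, constructed for illustration.

```shell
#!/bin/bash
# Constructed sample in /etc/passwd format (not taken from a real gateway).
sample_passwd() {
cat <<'EOF'
admin:x:0:0:Admin:/home/admin:/etc/cli.sh
monitor:x:0:100:Monitor:/home/monitor:/etc/cli.sh
ops1:x:0:100:Operator:/home/ops1:/bin/bash
backup:x:1001:100::/home/backup:/bin/sh
ntp:x:38:38::/etc/ntp:/sbin/nologin
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
EOF
}

# Print "user shell" for every account that gets an interactive shell other
# than the restricted one. Reads passwd-format text on stdin.
# $1: restricted shell path (assumption: /etc/cli.sh is the CLISH login shell).
audit_shells() {
    restricted="${1:-/etc/cli.sh}"
    awk -F: -v r="$restricted" '
        NF < 7 || $1 ~ /^#/ { next }    # skip malformed lines and comments
        $7 == r { next }                # logs in to the restricted shell
        $7 ~ /\/(nologin|false|sync|shutdown|halt)$/ { next }  # no shell access
        $7 == "" { print $1, "/bin/sh (empty field)"; next }   # empty means /bin/sh
        { print $1, $7 }                # anything else is a direct shell login
    '
}

# Stand-alone run over the constructed sample.
sample_passwd | audit_shells
```

On a gateway the same function can be fed the real account database with `audit_shells < /etc/passwd` from Expert mode.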

_Val_
Admin

The question is, as I personally understand it, about having the package available through CPUSE and not only as tgz installable package

_Val_
Admin

The point is, you can now delegate certain actions to users who are below adminRole, which is in other words, godmode

Christian_Koehl
Contributor

Is there a plan to integrate the dynamic CLI directly into Gaia, so no manual installation is necessary? Will it be part of a future version 80.x?

This will help the admins, if they have lots of gateways...