Non-Expert mode restriction (Gaia Clish):
Since non-expert mode does not allow bash commands like sed, post-processing of config is not possible.
Using the bash shell feature of expert mode, we can retrieve the global settings and other rules-related settings from files such as ICS.C and Objects.C, but non-expert mode is capable of only a certain set of commands.
Note: Some controls that are supported in expert mode are not supported in non-expert mode.
Qualys does not support the following controls in non-expert mode.

| Control | Statement |
|---|---|
| 10316 | Status of the 'Users with Role based Access' setting. |
| 14289 | List of VSX gateways configured in Checkpoint Firewall. |
| 18374 | Status of the user accounts which have the shell other than '/etc/cli.sh'. |
| 22068 | Status of the checkpoint version info. |

List of the controls supported in the non-expert mode (73).

| Control ID | Statement |
|---|---|
| 1115 | Status of the 'Dynamic Host Configuration Protocol (DHCP) Server' service. |
| 1204 | Status of the ARP timeout. |
| 1861 | Status of the 'telnet' service. |
| 8539 | Content of the 'Login banner'. |
| 8540 | Content of the 'MOTD banner'. |
| 8550 | Status of the 'SNMP Trap Server/receivers' setting. |
| 8579 | Status of the Syslog Server Host. |
| 10254 | Status of the 'Minimum Password Length' configured on the system. |
| 10255 | Status of the 'Palindrome Password' setting. |
| 10256 | Status of the 'password complexity' setting configured on the system. |
| 10257 | Status of the 'Enforce password history' setting. |
| 10258 | Status of the 'password history' setting configured on the system. |
| 10259 | Status of the 'Maximum Password Age' setting. |
| 10260 | Status of the number of days before a password expiration warning prompt is displayed at the login. |
| 10261 | Status of the 'Account Lockout after a number of days of password expiration' setting. |
| 10262 | Status of the 'Account Lockout' setting. |
| 10263 | Status of the 'Account Lockout Threshold' configured on the system. |
| 10264 | Status of the 'Reset Account Lockout Counter After' setting. |
| 10265 | Status of the 'Deny access to unused accounts' setting. |
| 10266 | Status of the 'Number of Days of non-use before lock-out' setting. |
| 10267 | Status of the 'Force users to change password at first login after the password was changed from user page' setting. |
| 10268 | Status of the SNMP agent. |
| 10269 | Status of the SNMP version. |
| 10270 | Status of the SNMP community strings. |
| 10271 | Status of the SNMP community strings permission. |
| 10272 | Status of the SNMP trap notifications. |
| 10273 | Status of the SNMP users. |
| 10274 | Status of the 'Allowed Client' setting. |
| 10275 | Status of the 'AAA Radius-Server' setting. |
| 10276 | Status of the 'Network Time Protocol (NTP) Active' setting. |
| 10277 | Status of the 'Network Time Protocol (NTP) Server' setting. |
| 10278 | Status of the 'Time Zone' setting. |
| 10279 | Status of the 'Login Banner' setting. |
| 10280 | Status of the 'MOTD Banner' setting. |
| 10281 | Status of the Firewall Hostname. |
| 10282 | Status of the IPv6 protocol. |
| 10283 | Status of the 'DNS Suffix' setting. |
| 10284 | Status of the primary DNS server. |
| 10285 | Status of the secondary DNS server. |
| 10286 | Status of the tertiary DNS server. |
| 10287 | Status of the 'Management audit logs' setting. |
| 10288 | Status of the 'cplogs' setting. |
| 10289 | Status of the 'audit log' setting. |
| 10290 | Status of the 'Secure web connection port' setting. |
| 10293 | Status of the 'WebUI Session Time Out' setting. |
| 10294 | Status of the 'Command Line Session Time Out' setting. |
| 10295 | Status of the 'Core Dump' setting. |
| 10296 | Status of the 'Config state' setting. |
| 10297 | Status of the 'All Interfaces' setting. |
| 10299 | Status of the IPv4 Static Default Route. |
| 10300 | Status of the users present on the device. |
| 10301 | Status of the Groups present on the device. |
| 10302 | Status of the 'AAA TACACS-Servers State' setting. |
| 10303 | Status of the 'AAA TACACS Servers' setting. |
| 10510 | Status of the 'System configuration Backup' setting. |
| 10511 | Status of the 'snapshots' setting. |
| 12559 | Status of the SMTP or mail notification server. |
| 14232 | Status of the radius super-user ID. |
| 14233 | Status of the ARP cache size. |
| 14235 | Status of the 'proxy address' setting. |
| 14237 | Status of the ARP announce level. |
| 14253 | Status of the LOM (Lights Out Management) IP address configured in Checkpoint Firewall. |
| 14292 | Status of the checkpoint Gaia OS web daemon-enable setting. |
| 14298 | Status of the backup location. |
| 14299 | List of last-successful backups. |
| 16559 | Status of the 'ICMP Redirect' Setting using fw ctl get utility. |
| 16836 | Status of the 'Maximum number of concurrent connections' using fw command. |
| 22078 | Status of the 'ECHO services' setting. |
| 22079 | Status of the 'web ssl3-enabled' setting. |
| 22080 | Status of the 'clienv debug' setting. |
| 23240 | Status of Secure Internal Communication (SIC) 'Trust State' on the device. |
| 10305 | Status of the 'Verify the Default Boot Process' setting. |
| 22081 | Status of the installed Check Point licenses. |

Control that is not supported on the Gaia R81.10 platform via non-expert mode/expert mode.

| Control ID | Statement |
|---|---|
| 14253 | Status of the 'LOM ip-address' Setting |

List of controls that are not supported on the Gaia R80.40 platform via non-expert mode/expert mode.

| Control ID | Statement |
|---|---|
| 16836 | Status of the 'maximum concurrent connections' setting. |
| 22081 | Status of installed Check Point licenses. |
| 16559 | Status of the 'ICMP Redirects' setting. |
| 10305 | Status of the 'Verify the Default Boot Process' setting. |