Check Point firewalls based on GAIA (the Security Management Operating System) don't have a built-in command history feature, but there is a way to achieve a similar outcome. Here's how to enable command history:
Understanding the Limitation:
Check Point GAIA doesn't offer a persistent command history accessible across sessions. However, we can leverage the bash shell's built-in capabilities to create a session-specific history.
Steps to Enable Command History:
- Edit the /etc/bashrc file:
Use a text editor like vi or nano to modify the /etc/bashrc file. You'll typically need root privileges for this task. Here's the command to open the file in vi:
vi /etc/bashrc
- Modify the HISTFILESIZE Parameter:
Within the /etc/bashrc file, locate the line containing HISTFILESIZE. By default, it might be set to 0 (disabled). Change this value to your desired history size. A larger value allows you to store more commands in the history. Here's an example with a value of 99999:
export HISTFILESIZE=99999
- Save and Exit the Editor:
In vi, press ESC to enter command mode. Then, type :wq and press Enter to save your changes and exit the editor.
Now you can enjoy a command history!
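The steps above as a repeatable script, for applying the same change on several gateways without opening an editor. This is an added example, not part of the original page or of Check Point's tooling; the function names are hypothetical and the sample bashrc is constructed, so the demo edits only a temporary file.

```sh
#!/bin/sh
# Added example (not Check Point code). Function names are hypothetical.
HIST_RE='^[[:space:]]*(export[[:space:]]+)?HISTFILESIZE='

# Print the value of the last HISTFILESIZE assignment in a bashrc-style file;
# the last one wins when bash sources the file. Prints nothing if unset.
get_histfilesize() {
    sed -nE "s/${HIST_RE}([0-9]+).*/\2/p" "$1" | tail -n 1
}

# Set HISTFILESIZE in file $1 to $2: rewrite existing assignments or append one.
set_histfilesize() {
    file=$1; size=$2
    case $size in
        ''|*[!0-9]*) echo "size must be a whole number" >&2; return 2 ;;
    esac
    [ -f "$file" ] && [ -w "$file" ] || { echo "cannot write $file" >&2; return 1; }
    # Idempotent: leave the file untouched when the value is already in effect.
    [ "$(get_histfilesize "$file")" = "$size" ] && return 0
    # Keep one copy of the file as it was before the first change.
    [ -e "$file.orig" ] || cp -p "$file" "$file.orig" || return 1
    tmp=$(mktemp) || return 1
    if grep -Eq "$HIST_RE" "$file"; then
        sed -E "s/${HIST_RE}.*/export HISTFILESIZE=$size/" "$file" > "$tmp"
    else
        cat "$file" > "$tmp"
        # Add a newline first if the file does not end with one.
        [ -z "$(tail -c 1 "$file")" ] || echo >> "$tmp"
        echo "export HISTFILESIZE=$size" >> "$tmp"
    fi
    cat "$tmp" > "$file"    # overwrite in place so owner and mode are kept
    rm -f "$tmp"
}

# Constructed sample input: a cut-down bashrc with history disabled.
make_sample() {
    printf '%s\n' '# /etc/bashrc' '# export HISTFILESIZE=500' \
        'export SHELL=/bin/bash' 'export HISTFILESIZE=0' > "$1"
}

demo=$(mktemp)
make_sample "$demo"
set_histfilesize "$demo" 99999
echo "HISTFILESIZE is now $(get_histfilesize "$demo")"
rm -f "$demo" "$demo.orig"
```

On a gateway the call would be `set_histfilesize /etc/bashrc 99999` as root; the new value applies to shells started after the change.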
Check Point Firewall Command History Example
[Expert@FW01:0]#
[Expert@FW01:0]# cat /etc/bashrc
# /etc/bashrc
# System wide functions and aliases
# Environment stuff goes in /etc/profile
# By default, we want this to get set.
# Even for non-interactive, non-login shells.
if [ $UID -gt 99 ] && [ "`id -gn`" = "`id -un`" ]; then
umask 002
else
umask 007
fi
# are we an interactive shell?
if [ "$PS1" ]; then
case $TERM in
xterm*)
if [ -e /etc/sysconfig/bash-prompt-xterm ]; then
PROMPT_COMMAND=/etc/sysconfig/bash-prompt-xterm
else
PROMPT_COMMAND='echo -ne "\033]0;${USER}@${HOSTNAME%%.*}:${PWD/#$HOME/~}"; echo -ne "\007"'
fi
;;
screen)
if [ -e /etc/sysconfig/bash-prompt-screen ]; then
PROMPT_COMMAND=/etc/sysconfig/bash-prompt-screen
else
PROMPT_COMMAND='echo -ne "\033_${USER}@${HOSTNAME%%.*}:${PWD/#$HOME/~}"; echo -ne "\033\\"'
fi
;;
*)
[ -e /etc/sysconfig/bash-prompt-default ] && PROMPT_COMMAND=/etc/sysconfig/bash-prompt-default
;;
esac
# Turn on checkwinsize
shopt -s checkwinsize
[ "$PS1" = "\\s-\\v\\\$ " ] && PS1="[\u@\h \W]\\$ "
fi
if ! shopt -q login_shell ; then # We're not a login shell
# Need to redefine pathmunge, it get's undefined at the end of /etc/profile
pathmunge () {
if ! echo $PATH | /bin/egrep -q "(^|:)$1($|:)" ; then
if [ "$2" = "after" ] ; then
PATH=$PATH:$1
else
PATH=$1:$PATH
fi
fi
}
for i in /etc/profile.d/*.sh; do
if [ -r "$i" ]; then
. $i
fi
done
unset i
unset pathmunge
fi
if [ "`/bin/is_mbs.sh 2>/dev/null`" == "mbs" ]; then
alias setup="/bin/sysconfig"
fi
# Gaia specific setup
if [ -f "/etc/appliance_config.xml" ] ; then
alias cpconfig="/bin/cpconfig_start"
alias reboot="/bin/system_reboot"
alias cpview="/bin/cpview_start.sh"
alias ifconfig="/bin/cp-ifconfig.sh"
fi
# SPLAT specific setup
IDLE="`sed -n 's/idle=//p' /etc/cpshell/cpshell.state 2>/dev/null`"
[ -z "$IDLE" ] && IDLE=3
export TMOUT=`expr $IDLE \* 60`
export SHELL=/bin/bash
export HISTFILESIZE=99999
if [ -f /proc/self/vrf ]; then
VRF_NUMBER=`cat /proc/self/vrf`
else
VRF_NUMBER=""
fi
if [ -f /etc/profile.d/vsenv.sh ] && [ -n "${VRF_NUMBER}" ]; then
export PS1='[Expert@$HOSTNAME:`cat /proc/self/vrf`]# '
vsenv $VRF_NUMBER 1>/dev/null 2>&1
else
export PS1='[Expert@$HOSTNAME]# '
fi
_list_vds() {
ISCLUSTER="$(cpprod_util fwishighavail)"
if [ "$ISCLUSTER" -eq "0" ] ; then
for CURRVSID in `dbget -c instance` ; do
CURRVSNAME=`dbget instance:$CURRVSID:name`
echo $CURRVSNAME
done
else
VS0DIR="$(echo $FWDIR | grep -Po '^.*/fw1')"
VS0NAMEDIR="$VS0DIR/conf/vsname"
VS0NAME="$(cat $VS0NAMEDIR)"
PREFIX=$VS0NAME"_"
PREFIXLENGTH=${#PREFIX}
for CURRVSID in `dbget -c instance` ; do
CURRVSNAME=`dbget instance:$CURRVSID:name`
echo ${CURRVSNAME:$PREFIXLENGTH}
done
fi
}
_vsenv() {
_opts="$(_list_vds)"
COMPREPLY=()
cur="${COMP_WORDS[COMP_CWORD]}"
COMPREPLY=( $(compgen -W "${_opts}" -- ${cur}) )
return 0
}
complete -F _vsenv vsenv
export LVM_SUPPRESS_FD_WARNINGS=1
# vim:ts=4:sw=4
[Expert@FW01:0]#
[Expert@FW01:0]# df -h
Filesystem Size Used Avail Use% Mounted on
/dev/mapper/vg_splat-lv_current
30G 4.7G 23G 18% /
/dev/sda1 289M 24M 251M 9% /boot
tmpfs 1.9G 4.0K 1.9G 1% /dev/shm
/dev/mapper/vg_splat-lv_log
15G 1.1G 13G 8% /var/log
[Expert@FW01:0]#
[Expert@FW01:0]# fw ver
This is Check Point's software version R80.20 - Build 255
[Expert@FW01:0]#
[Expert@FW01:0]# history
1 cat /etc/bashrc
2 vi /etc/bashrc
3 cat /etc/bashrc
4 df -h
5 fw ver
6 history
[Expert@FW01:0]#