topic Re: Strange R81.20 web UI issue in Firewall and Security Management

Strange R81.20 web UI issue

the_rock — Sat, 24 Dec 2022 14:40:35 GMT

Hey guys,

I know holidays are here, so I dont expect response any time soon, but wanted to mention super odd R81.20 web UI behavior I encountered in the lab and see if anyone may have an idea how to fix this. So, yesterday, I tried to log in to web UI (which I had many times since I created the lab few weeks ago) and noticed it kept saying "permission denied". Now, I use exact same password in my lab for regular shell and expert mode, so password was 100% right, as ssh worked just fine.

I then followed below link, no luck.

https://pingtool.org/adding-new-admin-user-to-checkpoint-gaia-with-expert-permissions/

I also tried from clich -> set user admin password

That asked me to enter new pass, which I did, save config, no luck. Any idea why this would happen at all? I even tried rebooting, same issue.

Keep in mind, there was absolutely no changes done at all to this firewall in last 10 days and I logged into web UI many times in that time period.

Happy holidays everyone!

Andy

Re: Strange R81.20 web UI issue

the_rock — Sun, 25 Dec 2022 03:39:05 GMT

Logs I see. Weird thing is, I dont even have any radius users, just a local admin user tryng to log in...

Dec 24 22:04:12 2022 QUANTUM-GATEWAY clish[18759]: cmd by admin: Start executing
: exit (cmd md5: f24f62eeb789199b9b2e467df3b1876b)
Dec 24 22:04:12 2022 QUANTUM-GATEWAY xpand[10811]: admin localhost t -volatile:c
lish:admin:18759
Dec 24 22:04:12 2022 QUANTUM-GATEWAY clish[18759]: User admin logged out from C
LI shell
Dec 24 22:04:43 2022 QUANTUM-GATEWAY xpand[10811]: admin localhost t +volatile:c
lish:admin:18874 t
Dec 24 22:04:43 2022 QUANTUM-GATEWAY clish[18874]: User admin logged in with Rea
dWrite permission
Dec 24 22:04:45 2022 QUANTUM-GATEWAY clish[18874]: cmd by admin: Start executing
: expert (cmd md5: b9b83bad6bd2b4f7c40109304cf580e1)
Dec 24 22:04:45 2022 QUANTUM-GATEWAY clish[18874]: cmd by admin: Processing : ex
pert (cmd md5: b9b83bad6bd2b4f7c40109304cf580e1)
Dec 24 22:05:18 2022 QUANTUM-GATEWAY httpauth: pam_radius_auth: Could not open c
onfiguration file /etc/raddb/server: Permission denied
Dec 24 22:05:21 2022 QUANTUM-GATEWAY httpd2: HTTP login denied from 172.16.10.10
3 for admin
Dec 24 22:11:03 2022 QUANTUM-GATEWAY pm[10793]: Restarted /rest_api/scripts/rest
_api_docs[19682], count=55
Dec 24 22:11:03 2022 QUANTUM-GATEWAY pm[19682]: init LD_LIBRARY_PATH for /rest_a
pi/scripts/rest_api_docs
Dec 24 22:11:04 2022 QUANTUM-GATEWAY pm[10793]: Reaped: rest_api_docs[19682]
Dec 24 22:11:04 2022 QUANTUM-GATEWAY pm[10793]: Scheduled rest_api_docs for +900
secs
Dec 24 22:23:25 2022 QUANTUM-GATEWAY httpauth: pam_radius_auth: Could not open c
onfiguration file /etc/raddb/server: Permission denied
Dec 24 22:23:27 2022 QUANTUM-GATEWAY httpd2: HTTP login denied from 172.16.10.10
3 for admin
[Expert@QUANTUM-GATEWAY:0]#

Re: Strange R81.20 web UI issue

the_rock — Mon, 26 Dec 2022 03:05:18 GMT

This is what I find most confusing. So file "server" in /etc/rdddb and /etc/tacdb directories , is exactly the same as on brand new R81.20 install and even in working R81.10, but same issue persists...honestly, makes no sense to me and Im not sure why it keeps giving the error below when I try to log into web UI. Even gave it permissions 0600 as indicated inside of file itself, but same problem.

Dec 25 21:27:07 2022 QUANTUM-GATEWAY httpauth: pam_radius_auth: Could not open c
onfiguration file /etc/raddb/server: Permission denied
Dec 25 21:27:09 2022 QUANTUM-GATEWAY httpd2: HTTP login denied from 172.16.10.10
3 for admin
Dec 25 21:29:25 2022 QUANTUM-GATEWAY httpauth: pam_radius_auth: Could not open c
onfiguration file /etc/raddb/server: Permission denied
Dec 25 21:29:27 2022 QUANTUM-GATEWAY httpd2: HTTP login denied from 172.16.10.10
3 for admin
Dec 25 21:31:33 2022 QUANTUM-GATEWAY httpauth: pam_radius_auth: Could not open c
onfiguration file /etc/raddb/server: Permission denied
Dec 25 21:31:35 2022 QUANTUM-GATEWAY httpd2: HTTP login denied from 172.16.10.10
3 for admin
Dec 25 21:36:26 2022 QUANTUM-GATEWAY httpauth: pam_radius_auth: Could not open c
onfiguration file /etc/raddb/server: Permission denied
Dec 25 21:36:29 2022 QUANTUM-GATEWAY httpd2: HTTP login denied from 172.16.10.10
3 for admin
Dec 25 21:39:28 2022 QUANTUM-GATEWAY httpauth: pam_radius_auth: Could not open c
onfiguration file /etc/raddb/server: Permission denied
Dec 25 21:39:31 2022 QUANTUM-GATEWAY httpd2: HTTP login denied from 172.16.10.10
3 for admin
[Expert@QUANTUM-GATEWAY:0]#

Re: Strange R81.20 web UI issue

Blason_R — Mon, 26 Dec 2022 02:43:34 GMT

Bug for sure?

Re: Strange R81.20 web UI issue

the_rock — Mon, 26 Dec 2022 13:00:44 GMT

I dont know mate, worked fine for about a month and stopped without any changes...I dont get it. Lets see if our friend from Israel @Ilya_Yusupov will be able to do his magic with this : - )

Merry Christmas by the way!

Re: Strange R81.20 web UI issue

Ambar — Tue, 27 Dec 2022 13:04:19 GMT

Hi @the_rock ,

The given print is not related to WEBUI login by local user

As you were able to login by SSH it means your password wasn’t denied by several unauthorized attempts

We couldn’t replicate this in-house, I would like to ask for 2 things:

Are you able to connect with a different user?

Would it be possible to have remote session to see this thru with you?

Thanks

Re: Strange R81.20 web UI issue

the_rock — Tue, 27 Dec 2022 13:14:08 GMT

Sure! Im free Wednesday any time.Btw, if you read my initial post, link I gave gives steps to give full admin permissions to a user, but no luck. That tells me its something fw, not user related, but we can check on remote session, that sounds good!

Andy

Re: Strange R81.20 web UI issue

the_rock — Wed, 28 Dec 2022 18:48:35 GMT

Thanks to Gilad and the guys in Israel for having remote session with me. We narrowed down that last time web UI worked was December 14th, when ISPR cpisp_update file was modified for issue customer was having (I replaced the actual file with one provided to me from R&D in the lab). Not sure how that broke web UI, but seems that it did. Anyway, since we could not fix it even after removing ispr config and also putting back old cpisp_update file, I decided to totally reinstall, which fixed the issue. One thing I found super odd is that ever time I tried deleting 2 ISP links on gateway object, would remove them, then I publish, go back and they were still there. I also tried removing any references of them in guidbedit, but could not locate them anywhere. Either way, easier to just reinstall : - )

Thanks again guys and happ holidays!