https://community.checkpoint.com/t5/Firewall-and-Security-Management/Connecting-to-vSEC-in-AWS-using-WinSCP/m-p/6937#M299 <HTML><HEAD></HEAD><BODY><P>In Gaia, various OS-level configuration files are maintained in a central configuration database.</P><P>You manipulate that database using the WebUI and clish, which in turn talks to confd, which updates the various configuration files periodically.</P><P>If you use&nbsp;a Linux command like&nbsp;chsh to change the shell, it only updates the OS configuration file, not the Gaia configuration.</P><P>As such, those changes are subject to get overwritten.</P></BODY></HTML> Mon, 02 Oct 2017 16:26:21 GMT PhoneBoy 2017-10-02T16:26:21Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Connecting-to-vSEC-in-AWS-using-WinSCP/m-p/6934#M296 <HTML><HEAD></HEAD><BODY><P>Had to extract the cpinfo from the vSEC on AWS.</P><P>For some reason, using # chsh -s /bin/bash , while successfully changing the shell in session, had no effect for WinSCP, as it continue to complain about shell every time I was trying to connect</P><P></P><P>Running cpinfo with -z option on vSEC did not produce the compressed file.</P><P>had to compress it manually, move it to /var/CPbackup/backups/ and download via WebUI.</P><P></P><P>I was not sure about the integrity of the resultant file and ended up enabling</P><P>"Global Properties/Security Management/Improve product experience by sending information to Check Point" and running cpinfo on vSEC again with upload to SR parameters.</P><P></P><P>While this approach is acceptable in the lab, it hardly is optimal for production environments.</P><P>It would be nice to have the option of uploading cpinfo from selected vSECs to SR without changing Global Settings and pushing policy.</P><P></P><P>Please let me know if there is a better solution than the one I've ended-up using.</P><P></P><P>Thank you,</P><P>Vladimir</P></BODY></HTML> Sun, 01 Oct 2017 17:40:20 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Connecting-to-vSEC-in-AWS-using-WinSCP/m-p/6934#M296 Vladimir 2017-10-01T17:40:20Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Connecting-to-vSEC-in-AWS-using-WinSCP/m-p/6935#M297 <HTML><HEAD></HEAD><BODY><P>If you want to change the shell a user uses (eg for SCP), you need to do it in the Gaia WebUI or in clish.</P><P>In clish, the commands are:</P><P style="padding-left: 30px;"><STRONG style="font-family: 'andale mono', monospace;">set user username shell /bin/bash</STRONG></P><P style="padding-left: 30px;"><STRONG style="font-family: 'andale mono', monospace;">save config</STRONG></P></BODY></HTML> Sun, 01 Oct 2017 18:30:48 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Connecting-to-vSEC-in-AWS-using-WinSCP/m-p/6935#M297 PhoneBoy 2017-10-01T18:30:48Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Connecting-to-vSEC-in-AWS-using-WinSCP/m-p/6936#M298 <HTML><HEAD></HEAD><BODY><P>Thank you.</P><P>Can you explain the difference between the effect of changing shell using chsh -s /bin/bash and set username shell /bin/bash &nbsp;for SCP and when each of those is preferable?</P><P></P><P>There was a discussion some time ago about creating a dedicated account for scp access, but there were caveats as to its ability to access the files created by different users.</P></BODY></HTML> Sun, 01 Oct 2017 21:07:12 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Connecting-to-vSEC-in-AWS-using-WinSCP/m-p/6936#M298 Vladimir 2017-10-01T21:07:12Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Connecting-to-vSEC-in-AWS-using-WinSCP/m-p/6937#M299 <HTML><HEAD></HEAD><BODY><P>In Gaia, various OS-level configuration files are maintained in a central configuration database.</P><P>You manipulate that database using the WebUI and clish, which in turn talks to confd, which updates the various configuration files periodically.</P><P>If you use&nbsp;a Linux command like&nbsp;chsh to change the shell, it only updates the OS configuration file, not the Gaia configuration.</P><P>As such, those changes are subject to get overwritten.</P></BODY></HTML> Mon, 02 Oct 2017 16:26:21 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Connecting-to-vSEC-in-AWS-using-WinSCP/m-p/6937#M299 PhoneBoy 2017-10-02T16:26:21Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Connecting-to-vSEC-in-AWS-using-WinSCP/m-p/6938#M300 <HTML><HEAD></HEAD><BODY><P>I would like to understand what conditions would cause the changes in shell to be overridden.&nbsp; I have not used the CLISH commands only the Linux chsh command haven't had an issue, yet.&nbsp; Now I am a little concerned.</P></BODY></HTML> Mon, 02 Oct 2017 18:16:53 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Connecting-to-vSEC-in-AWS-using-WinSCP/m-p/6938#M300 Eduardo_Aguila 2017-10-02T18:16:53Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Connecting-to-vSEC-in-AWS-using-WinSCP/m-p/6939#M301 <HTML><HEAD></HEAD><BODY><P>Two specific ones I can think of:</P><P></P><P>1. Anything you do in the Gaia WebUI around user accounts</P><P>2. A reboot (all config files are refreshed)</P></BODY></HTML> Mon, 02 Oct 2017 18:19:34 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Connecting-to-vSEC-in-AWS-using-WinSCP/m-p/6939#M301 PhoneBoy 2017-10-02T18:19:34Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Connecting-to-vSEC-in-AWS-using-WinSCP/m-p/6940#M302 <HTML><HEAD></HEAD><BODY><P>In my experience, managing on-premises appliances we've never had any issues with using chsh. </P><P></P><P>First time I have encountered it was connecting to AWS vSEC.</P><P></P><P>vlad@eversecgroup.com</P><P>+1.973.558.2738</P></BODY></HTML> Mon, 02 Oct 2017 18:20:50 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Connecting-to-vSEC-in-AWS-using-WinSCP/m-p/6940#M302 Vladimir 2017-10-02T18:20:50Z