topic Landing Expert Mode in Firewall and Security Management

Landing Expert Mode

ramakrishnan — Mon, 13 Mar 2023 17:20:01 GMT

HI All,

When I login into Security gateway over SSH I am taking to directly to expert prompt login as showing below:

*************************************************************************
[Expert@nwseg1-pd-fw01:0]# pwd
/home/_nonlocl

But when I change to clish and give expert password throwing wrong password. Firewall is integrated with RADIUS (ISE)

My ISE team told I will use same password for login. Am I am landing on expert level, how I can verify I have expert level access.

When I check our community when I land on nonlocal doesn't get into expert level

Re: Landing Expert Mode

Bob_Zimmerman — Mon, 13 Mar 2023 18:45:33 GMT

"Expert" is really just BASH with root-level permissions. You can't go from BASH into clish, then back into BASH.

To confirm you have root privileges, run 'whoami'. It should show you are 'admin'.

Re: Landing Expert Mode

the_rock — Mon, 13 Mar 2023 18:55:32 GMT

As @Bob_Zimmerman saud, you can run whoami and verify that. By the way, you can always change the mode by below command.

Lets assume admin username is simply admin, command would be as below:

chsh -s /etc/cli.sh admin

You can also do it from web UI from below screen:

[Expert@quantum-firewall:0]# whoami
admin
[Expert@quantum-firewall:0]#

Re: Landing Expert Mode

Scottc98 — Tue, 14 Mar 2023 16:41:33 GMT

" You can't go from BASH into clish, then back into BASH"

- Is that a limitation of an account via Radius or TACACS? On a local account (i.e Admin), if I set the 'Shell' to '/bin/bash', it does land in BASH upon a SSH login. Typing 'clish' puts me into clish mode. If you type 'exit' it does take you back to the shell. (I.e. have to exit twice to end the SSH session if in direct clish mode).

Am I missing something? I have inquiry for either TACAC or Radius to avoid 'sharing' the 'expert' password (i.e Admin users direct to BASH; read only users direct to clish) so curious myself if there is some limitations to consider.

@ramakrishnan If you are doing Radius, what is the Super User UID you have set under "User Management => Authentication Servers =>"Radius Servers Advance Configuration". Is it 96 or 0?

Re: Landing Expert Mode

Bob_Zimmerman — Tue, 14 Mar 2023 16:47:40 GMT

You can leave clish, but you can't start another BASH session. That is, you can't log in to BASH, then run 'clish' to get into clish, then run 'expert' to get back into BASH. People try that all the time and are confused when they can "no longer get into expert mode".