topic Re: R80.40 unlock database in Firewall and Security Management

R80.40 unlock database

Christos_B — Wed, 15 Jul 2020 17:50:33 GMT

hello all

i have a small virtual R80.40 lab and i was trying to understand the Lock/Unlock feature

When i use the command lock database override i am able to transfer the lock from one admin to another admin between 2 ssh sessions.

According to https://sc1.checkpoint.com/documents/R80.40/WebAdminGuides/EN/CP_R80.40_Gaia_AdminGuide/Content/Topics-GAG/Configuration-Locks.htm

same thing should be achieved with unlock database but it is not working for me. instead i see the message

"CLICMD0201 Config-lock is not owned by this clish session" when i run this command from the admin without the Lock. if i run it on the admin with Lock it is executed but still the Lock remains to the this same admin

What am i missing?

Re: R80.40 unlock database

PhoneBoy — Fri, 17 Jul 2020 20:37:36 GMT

Sounds like a bug and it's worth a TAC case.
One other thing I noticed: if you give both users the same UID (e.g. 0), then it "appears" to work correctly.
If they have different UIDs, then the behavior is as you describe.
Meanwhile "lock database override" should work as expected.
@Tal_Martsiano

Re: R80.40 unlock database

Christos_B — Sat, 18 Jul 2020 13:44:53 GMT

first of all thank you very much for the help

now since you mentioned the uid i tried to revalidate these findings as first time i did not bother to change anything else than just the creation of a second admin.

so with different uids as i said to me it looks that only the lock database override works.

now i deleted the second admin and recreated it with uid=0 (in the show configuration output is with this line "add user chris uid 0 homedir /home/chris") and it looks to me that none of those two commands work now running from this second admin

fw1> show config-lock
Configuration locked by admin from 192.168.1.120, facility command line, 291 seconds to expiration
fw1> lock database override
fw1> show config-lock
Configuration locked by admin (300 seconds to expiration)
fw1> unlock database
fw1> show config-lock
Configuration locked by admin (300 seconds to expiration)

Re: R80.40 unlock database

PhoneBoy — Sat, 18 Jul 2020 15:30:15 GMT

Believe it still works, I think it just displays the wrong name in this case.

Re: R80.40 unlock database

Christos_B — Sun, 19 Jul 2020 11:25:42 GMT

yeah you are right. i saw the name and i did not try to make a change on the cli. I see it works or at least as you said it appears to be working when uid = 0

Is this normal practice to make the uid=0 for different admin user? Is it something that we should keep in mind?

Re: R80.40 unlock database

PhoneBoy — Sun, 19 Jul 2020 17:33:27 GMT

It depends.
There are certain functions (particularly in expert mode) that require admin users to be uid 0.
If you're sticking to clish, I don't believe it is strictly required.

Re: R80.40 unlock database

Christos_B — Mon, 20 Jul 2020 13:21:55 GMT

ok thank you very much for all the assistane

i believe the original question has been answered. I guess if you opened TAC case that CP will fix it

regards

Chris