topic Re: WebUI login in General Topics

WebUI login

Jamie_Kelahan — Mon, 09 Sep 2024 17:10:05 GMT

Hi all,

We recently changed the local admin passwords for SSH and WebUI logins on several gateways. Apparently, on one of the gateways, the passwords got fat-fingered or something and we cannot log in to it. The gateway is centrally-managed. Is there any way I can create an account through SmartConsole with admin rights to the WebUI on a gateway? Or is factory-resetting the gateway my only option?

Thanks.

Re: WebUI login

AkosBakos — Mon, 09 Sep 2024 18:28:41 GMT

Hi @Jamie_Kelahan

Do you remember, you hit save config? Or did you do it from WEBUI?

If you have luck, and you were careful enough, you created a snapshot of the GW before the PWD change. in this situation reboot the GW and revert the snapshot:

Otherwise check this thread:

https://community.checkpoint.com/t5/Management/How-to-recovery-lost-admin-password/td-p/54311

How to set the R80.x Gaia Admin and Expert passwords with CentOS 7 LiveUSB

https://support.checkpoint.com/results/sk/sk163461

Akos

Re: WebUI login

the_rock — Mon, 09 Sep 2024 18:26:34 GMT

Thats actually really good question. let me investigate in the lab and will let you know.

Andy

Re: WebUI login

AkosBakos — Mon, 09 Sep 2024 18:40:05 GMT

hmmm, are you looking for this?:

https://community.checkpoint.com/t5/General-Topics/Password-reset-Collection/m-p/57445/highlight/true#M11557

https://support.checkpoint.com/results/sk/sk106490

Akos

Re: WebUI login

AkosBakos — Mon, 09 Sep 2024 18:41:45 GMT

Hi @Jamie_Kelahan

Maybe you can try this:

https://support.checkpoint.com/results/sk/sk106490

Generate hash for the new password - run the following command and save the generated hash string:

[Expert@HostName]# cpopenssl passwd {-1 | -5 | -6} <New Password>

For more information, run:

cpopenssl passwd -help

In addition, see the Gaia Administration Guide for your version, to see the supported hash algorithms.
Ensure that the Gaia OS database is unlocked on the remote Security Gateway/or secondary management server:
[Expert@HostName]# $CPDIR/bin/cprid_util -server <IP_address_of_Security_Gateway> -verbose rexec -rcmd /bin/clish -s -c 'set config-lock on override'
Change the 'admin' user password:
[Expert@HostName]# $CPDIR/bin/cprid_util -server <IP_address_of_Security_Gateway> -verbose rexec -rcmd /bin/clish -s -c 'set user admin password-hash <Password_Hash_from_Step_1>'
You can also change the Expert password:
[Expert@HostName]# $CPDIR/bin/cprid_util -server <IP_address_of_Security_Gateway> -verbose rexec -rcmd /bin/clish -s -c 'set expert-password-hash <Password_Hash_from_Step_1>'

Re: WebUI login

the_rock — Mon, 09 Sep 2024 18:43:41 GMT

I tested something like below and it did work.

Andy

Just type save config as the last line, so it saves the config.

Re: WebUI login

the_rock — Mon, 09 Sep 2024 19:01:05 GMT

@Jamie_Kelahan

Sorry, forgot this line.

Andy

https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_Gaia_AdminGuide/Topics-GAG/Roles-Gaia-Clish.htm

add rba user <User Name> roles <Role1,Role2,...,RoleN>

Re: WebUI login

the_rock — Mon, 09 Sep 2024 19:16:24 GMT

Here is script I used for new user and worked fine.

Andy

add user test1 uid 0 homedir /home/test1
set user test1 uid 0
set user test1 newpass test12

add rba user test1 roles adminRole

Andy

Re: WebUI login

Jamie_Kelahan — Mon, 09 Sep 2024 20:22:16 GMT

It was changed via the WebUI. I followed your link to reset using the CentOS USB and got the passwords updated. Thanks for your help!

Re: WebUI login

Jamie_Kelahan — Mon, 09 Sep 2024 20:31:03 GMT

Thanks for your efforts! I did try this and it reported as a "Success," however when I opened the details, there was an error saying the "add" command was not found and I was not able to log in. Adding the "add rba" line resulted in it failing, with the same error message - this time twice, since the "add" command was used twice.

In any case, I got the issue resolved by using the CentOS live USB instructions from above. A little more involved than your solution, but I'm able to log in again.

Thanks again!

Re: WebUI login

the_rock — Mon, 09 Sep 2024 20:33:35 GMT

Yes, of course, we are here to help, np! Not sure, maybe I mixed up the commands, but worked for me when I tested it.

Anyway, glad you got it going.

Andy

Re: WebUI login

Jamie_Kelahan — Mon, 09 Sep 2024 20:34:52 GMT

I was not able to do this, since I no longer have an on-prem management server, as we've transitioned to the CP cloud. As far as I'm aware, I don't have the ability to SSH to the cloud management and run these commands.

Thanks for your reply and suggestion!

Re: WebUI login

Jamie_Kelahan — Mon, 09 Sep 2024 20:36:33 GMT

Thanks for your suggestions. I replied to another post suggesting the same, but we're now using CP's cloud management, so I no longer have an on-prem management server that I can run these commands from.

Re: WebUI login

the_rock — Mon, 09 Sep 2024 20:37:04 GMT

You will be happy with S1C compared to on-prem mgmt...I been around it since covid days and it is SOOOOOOOOOO much better now, people love it.

Best,

Andy

Re: WebUI login

Jamie_Kelahan — Mon, 09 Sep 2024 20:42:00 GMT

Yes, so far so good! I had some minor issues when transitioning over - especially with some of the smaller Spark devices we have - that made me nervous, but it's been great since then!

Re: WebUI login

the_rock — Mon, 09 Sep 2024 20:45:54 GMT

As people say, every beginning is hard. I remember this customer and I spent who knows how many hours with same guy from TAC troubleshooting smart-1 cloud mgmt, but in all fairness, back then, there was only couple of people from TAC who had access to back end. These days, its way better, as more people have access, plus, customers can actually restart the mgmt instance from the portal. Keep in mind, restarting it does NOT mean reboot, its actually cpstop/cpstart process, if you need it rebooted, you need to call TAC.

Anyway, all in all, all our clients are very happy with it.

Andy