Change expert user

vaibhavyagnik — Mon, 28 Jul 2025 12:23:40 GMT

Dear Checkpoint Checkmates,

I have a Checkpoint 1570R security appliance. It is running Gaia 81.10.17. The firewall is locally managed. Let us say User A is expert mode and he has set expert password. Now User A has left the organisation. He has given me the password and I am able to log in to his account and even enter expert mode. However, I want to

1. Change expert user to User B who is now in charge of administring the firewall

2. Delete User A account after verifying that User B is able to login to expert mode.

I have tried to login the firewall with User B login and do a expert set-password, but it fails with expert password not set.

Also if I Login with User B and enter expert password set by User A, I get an incorrent login password error. Is it the expected behaviour? Is expert login linked to account which was used to set the expert password?

Thanks.

Re: Change expert user

PhoneBoy — Tue, 29 Jul 2025 22:29:10 GMT

The expert mode password is not tied to a specific user.
You may need to consult with TAC here.

Re: Change expert user

Steffen_Appel — Wed, 30 Jul 2025 14:55:25 GMT

No it isnt, expert mode password is independant of the users password.

Re: Change expert user

the_rock — Thu, 31 Jul 2025 01:50:40 GMT

For what is worth, here is AI explanatiion.

Andy

*************************

You're raising a very common and important question about expert mode management on locally managed Check Point 1570R appliances running Gaia Embedded (R81.10.17). Here's a clear explanation of the behavior you're seeing and how to transition expert access from User A to User B:

✅ Key Concepts of Expert Mode in Locally Managed SMB Appliances (e.g., 1570R)

Expert Mode Password is Global: Unlike Gaia OS on centrally managed systems, in locally managed SMB appliances, the expert password is not linked to a specific user account. It is a global password shared across users with CLI access.
But Entry into Expert Mode is Restricted: Only users with appropriate permissions (admin, cli-admin) can enter expert mode — and they must use the global expert password set previously.
Common Pitfall: If a new user (e.g., User B) is created after the expert password is set, and doesn't have the proper privileges, even if the expert password is correct, the user won't be allowed into expert mode.

🔍 Explanation of the Problem You're Seeing

User A had set the expert password while logged in as himself.
User B tries to use expert, but:
- expert password not set: This may appear if User B is lacking the correct privileges or shell.
- incorrect login password: This can happen if User B has the right permissions but the shell is misconfigured or environment is not correctly set up.

No, the expert password is not tied to a specific user — but user permissions and shell must be correct for that user to use expert.

✅ What You Should Do

Step 1: Ensure User B Has Proper Permissions

Check and adjust the permissions of User B to allow CLI access and expert mode:

Look at the role of User B. You want something like this:

Make sure shell is /bin/bash (or /etc/cli.sh for SMB appliances depending on firmware).
Ensure the role is admin or super-user.

You may need to delete and recreate User B if the role/shell are incorrect and cannot be modified directly.

Step 2: Test Expert Access with User B

Now login as User B and run:

When prompted, enter the existing expert password that was set by User A. It should succeed if permissions and shell are correct.

Step 3: Change the Expert Password (Optional)

If User B now has access to expert mode, he can reset the expert password:

This will prompt for a new expert password. From now on, this will be the global password for expert.

Step 4: Delete User A

Once you're sure everything works, you can safely remove User A:

✅ Summary

Task	Command/Action
Ensure User B has admin role	`set user UserB role admin`
Set shell to /bin/bash	`set user UserB shell /bin/bash`
Test expert login	Log in as User B, run `expert`
Change expert password	Inside expert mode: `set expert-password`
Delete old admin account	`delete user UserA`

topic Re: Change expert user in Spark Firewall (SMB)

Change expert user

Re: Change expert user

Re: Change expert user

Re: Change expert user

✅ Key Concepts of Expert Mode in Locally Managed SMB Appliances (e.g., 1570R)

🔍 Explanation of the Problem You're Seeing

✅ What You Should Do

Step 1: Ensure User B Has Proper Permissions

Step 2: Test Expert Access with User B

Step 3: Change the Expert Password (Optional)

Step 4: Delete User A

✅ Summary