Vladimir
Champion

Lost admin password and SIC between staging and deployment

Hello everyone.

I have run into a situation where one of the cluster members, moved from the staging environment to production, is no longer allowing me to log in using the admin password, and there is no longer SIC between it and the management.

Since in staging there was no Syslog server, I have no record of the changes for that unit.

I strongly suspect that the client, for some reason, reran FTW on that gateway, but I have no means of confirming that.

I still have LOM access to the unit.

Any suggestions on how to:

1. Reset the Gaia password using LOM (if possible)

2. Retrieve Gaia logs showing what was done on the unit.

The only proof that it was in a good state at some point is the old successful policy installation records in the audit logs.

I still have snapshots, backups and Gaia configs from the unit when it was in a good state and may attempt to recover from those.

Any suggestions on how to accomplish that using LOM console are appreciated.

 

Thank you,

Vladimir

 

0 Kudos
8 Replies
the_rock
Legend

I don't believe you can reset the regular Gaia pw using LOM; at least, I never heard of such a possibility. As for audit logs, do you see anything in the /var/log/audit dir?

Andy

0 Kudos
Vladimir
Champion

@the_rock, if I could read the /var/log/audit directory, I would be logged in to the unit in question :)

There are a few SKs describing boot from alternate media to reset the password, but to the best of my recollection they are referring to USB drives. I will be looking at the unit again tomorrow to see if there is an option to mount remote USB bootable media via LOM to attempt the recovery.

Was wondering if anyone has run into similar situations already.

0 Kudos
the_rock
Legend

I realized my stupidity in the audit comment as soon as I posted it, DUH :-). Sorry mate, my bad. K, let's see if anyone may have run into something similar.

 

Let us know how it gets solved.

Andy

0 Kudos
Vladimir
Champion

No problem :)

I'd like to make a suggestion for Check Point to include a preconfigured alternative bootable image (CentOS or Ubuntu, if I am not mistaken) in the LOM boot-from options to facilitate recovery in these or similar situations.

Bob_Zimmerman
Authority

You can feed the LOM's KVMS interface an ISO image, which it will then present to the system as a DVD in a DVD-ROM drive connected via USB. It is possible to boot from this drive.

Reads from this virtual drive are streamed over the network, so they're pretty high-latency. They can actually perform worse than a real optical drive does. I recommend using a small live CD without a GUI. The CentOS minimal or NetInstall versions should work.

Vladimir
Champion

Thank you @Bob_Zimmerman! I'll give it a shot.

the_rock
Legend

Thanks for sharing @Vladimir 

0 Kudos
Vladimir
Champion

Just an update to put this issue to rest: for some unexplainable reason, authentication is now working and SIC was re-established. I suspect that there was some weird combination of a networking issue and Zoom interference with keystroke pass-through at play, since there is nothing in the logs except failed logon attempts.
