This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
cosmos
Advisor
‎2021-06-24 07:35 PM

User realname, load configuration and other joys of Gaia

I've been migrating a few gateways with local users configured, and found the following true for clish in R80.40 (unrelated to sk110222):

  1. the realname field for a local user, when entered interactively or loaded via a configuration file, must be wrapped in quotes
  2. the output of the realname field for a local user, when exported from clish, is not wrapped in quotes.

This is problematic, as we can see below:

[Expert@fw-01:0]# clish
fw-01> set user test realname "test user"
fw-01> save config
fw-01> save configuration fw-01.conf
fw-01> quit
[Expert@fw-01:0]# clish -c "show configuration" | grep "test realname"
set user test realname test user
[Expert@fw-01:0]# grep "test realname" fw-01.conf
set user test realname test user
[Expert@fw-01:0]# clish
fw-01> set user test realname test user
CLINFR0329 Invalid command:'set user test realname test user'.
fw-01> quit
[Expert@fw-01:0]#

This also means the config file will not load from clish either, without set clienv on-failure continue

I wrote some crude regex to fix this and restore the quotes around usernames, so the configs can be easily ported between Gaia machines with the full username:

[Expert@fw-01:0]# cat fw-01.conf | sed 's/realname \([a-zA-Z0-9_ ]*\)/realname "\1"/g' > fw-01_fixed.conf
[Expert@fw-01:0]# grep "test realname" fw-01_fixed.conf
set user test realname "test user "

Forget about the space, we can live with that 🙂

I also found the following regarding clish config files:

  1. the file encoding must be ANSI, at least on kernel 2.6 / R80.30 as UTF-8 did not work
  2. EOL must be Unix (LF), Windows (CR/LF) is not supported
    1. dos2unix is helpful here

I'm considering the realname issue a bug and will log a TAC case. Note this does not affect the config db (flat file or SQLite):

[Expert@fw-01:0]# grep "test:realname" /config/db/initial
passwd:test:realname test\ user
[Expert@fw-01:0]# dbget passwd:test:realname
test user
[Expert@fw-01:0]#

I hope this is helpful for others.

2 Replies
PhoneBoy
Admin
Admin
‎2021-06-27 03:04 PM

Agree the best thing to do here is log a TAC case so we can make sure to fix this issue.
I know in the past importing the output of show configuration has had...mixed results. 

0 Kudos
the_rock
Legend
Legend
‎2021-06-27 06:17 PM

Interesting...personally, I copied show configuration few times in the past and it always worked, but its like backup/restore, has to be done on same type of appliance, otherwise it would not work. I recall Fortinet had a process at some point where you could make some modifications to backup file from one model and then re-import it into a different one and it would work, but there were lots of customers facing issues and it was not officially supported by them anyway, so they removed it from support site.

But again, goes without saying really, its totally logical to follow this on same firewall model.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events