Jerry
Mentor

Web SmartConsole R81.20 - GUI Clients dependant, really?

Hi guys,

Got a tricky one for you; here is the scenario on one of my clients' devices:

1. WebSmartConsole works perfectly when the Security Management GUI Clients has "Type (Any) Hostname/IP Address (Any) Mask -

2. When you try to restrict that to an IPv4 or IPv6 address of ANY sort, Web SmartConsole tells you that you're not authorised to use it from that computer, meaning it refuses to open.

3. None of the tricks to make the GUI Clients entry a wider CIDR, or whatever IP you can imagine, work; meaning that ONLY making GUI Clients ANY/ANY makes the Web SmartConsole work perfectly fine (logging in, using it, all in all).

Any ideas? Happy to provide config/sets if needed, but overall the message is like this:

Only ANY/ANY in GUI Clients for that particular FWM works. Any IP you put in, plus removing ANY/ANY afterwards, makes Web SmartConsole NOT DISPLAY any longer.

Any hints/tips highly appreciated, as always.

Jerry
0 Kudos
15 Replies
the_rock
Legend

Just to add to all this, @Jerry and I had a separate discussion with @Ofir_Calif in the post below. I personally believe this is a bug, as it's hard to imagine it would be by design. I also had the same issue in R81.20 jumbo 26, so it is definitely not an isolated case.

Andy

https://community.checkpoint.com/t5/Management/Web-SmartConsole-service-is-not-available/m-p/174781#...

0 Kudos
PhoneBoy
Admin

WebSmartConsole actually runs in a Docker container on the management server.
I suspect if you include the related network, you can make this work.
Figuring that out might require hacking around in Docker.

0 Kudos
Jerry
Mentor

Thanks Dameon, however making the GUI Clients and Trusted Clients (via SMS MGMT) setup should have this sorted according to your documentation. If Docker ACLs are required, please share with us how to do that so we can secure access to the WSC as well as access to the SmartConsole GUI Client at the very same time. It is a matter of access security, so I believe we should have this narrowed down asap for the benefit of the entire community, not just me or Andy 🙂

Cheers

Jerry
the_rock
Legend

Finally @Jerry, you are NOT being stroppy with me, which I greatly appreciate M8 ; - )

Sorry, I just love that word, it's my favorite word in English now hahaha

Andy

Bob_Zimmerman
Authority

It's not that Docker ACLs would be required. It's that the Docker namespace running the web application has its own IP on a network entirely internal to the management server. You probably need to find that IP and add it as an allowed GUI client.

(2)
PhoneBoy
Admin

The actual container (called mwc) appears to only listen on TCP port 3100 on localhost (verified with the command docker inspect mwc as well as netstat).
I suspect the connection is relayed through the Multiportal infrastructure and the IP address is "lost" in the translation somewhere.

In any case, the following SK suggests it should be possible to do this: https://support.checkpoint.com/results/sk/sk173968
Which suggests this is not working as expected and should be reported via TAC: https://help.checkpoint.com

0 Kudos
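The relay effect PhoneBoy suspects above can be made concrete with a small model: a GUI Clients ACL evaluated against the TCP peer address behaves differently for a direct connection than for one relayed through a local proxy, because the relay's own loopback address is all the application sees. The following Python is an added illustration written for this thread, not Check Point's code; the ACL semantics, the `LOCAL_RELAYS` list and the `X-Forwarded-For` header are assumptions of the model (the page does not say what Multiportal forwards), and all addresses are constructed.

```python
import ipaddress

# Relays that legitimately sit between the browser and the web application on
# the same host. Assumption for this illustration: only loopback peers are
# trusted to report the original client address, so a forwarding header sent
# by any other peer is ignored rather than used to widen the ACL.
LOCAL_RELAYS = [ipaddress.ip_network("127.0.0.1/32"),
                ipaddress.ip_network("::1/128")]


def parse_gui_clients(entries):
    """GUI Clients ACL as a list of networks; "Any" is spelled 0.0.0.0/0 and ::/0."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def gui_client_allowed(acl, client_ip):
    """True when client_ip falls inside at least one ACL entry of the same IP version."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in acl if net.version == ip.version)


def effective_client_ip(peer_ip, headers):
    """Address the ACL is evaluated against.

    The forwarding header is hypothetical (X-Forwarded-For is an assumption of
    this model). It is honoured only when the TCP peer is a trusted local relay;
    otherwise the peer address itself is used.
    """
    peer = ipaddress.ip_address(peer_ip)
    forwarded = headers.get("X-Forwarded-For", "")
    if forwarded and any(peer in relay for relay in LOCAL_RELAYS):
        # The first hop in the chain is the original client.
        return forwarded.split(",")[0].strip()
    return peer_ip


def evaluate_request(acl_entries, peer_ip, headers=None):
    """Decide one request; returns (allowed, address_that_was_checked)."""
    acl = parse_gui_clients(acl_entries)
    checked = effective_client_ip(peer_ip, headers or {})
    return gui_client_allowed(acl, checked), checked


if __name__ == "__main__":
    subnet_only = ["10.0.0.0/24"]
    any_any = ["0.0.0.0/0", "::/0"]
    # Direct connection: the source address is preserved and the narrow ACL works.
    print(evaluate_request(subnet_only, "10.0.0.5"))            # (True, '10.0.0.5')
    # Same browser, relayed locally without its address: the ACL sees loopback.
    print(evaluate_request(subnet_only, "127.0.0.1"))           # (False, '127.0.0.1')
    # Any/Any "fixes" it only because it also admits the relay itself.
    print(evaluate_request(any_any, "127.0.0.1"))               # (True, '127.0.0.1')
    # A relay that forwards the original address lets the narrow ACL keep working.
    print(evaluate_request(subnet_only, "127.0.0.1",
                           {"X-Forwarded-For": "10.0.0.5"}))    # (True, '10.0.0.5')
```

The third case is the thread's symptom in miniature: widening the ACL to Any/Any does not restore the intended check, it removes it, so the narrow entry can only be kept if whatever relays the browser's connection also carries the original client address through to the check.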
Jerry
Mentor

I've tried sk173968 before. Nothing really new, Dameon. This wouldn't solve the issue, and as Bob mentioned, this indeed should be addressed by R&D. Can anyone help and raise the SR for it if possible?

Jerry
(1)
the_rock
Legend

I was thinking, buddy, of raising the case, but did not, since it was not for the customer; I just verified in my lab. If you do end up raising the case with TAC for your customer, you are more than welcome to reference this post, and I'm more than happy to do another test if need be.

Cheers m8.

Andy

Jerry
Mentor

@PhoneBoy @Bob_Zimmerman - is there any way to modify the docker inspect mwc and make the WSC simply SECURE enough, with no need to put ANY/ANY into the GUI Clients ACL?

I can see in a docker:

"Config": {
"Hostname": "cp",
"Domainname": "",
"User": "1000",
"AttachStdin": false,
"AttachStdout": false,
"AttachStderr": false,
"ExposedPorts": {
"8080/tcp": {}
},
"Tty": false,
"OpenStdin": false,
"StdinOnce": false,
"Env": [
"PORT=3100",
"MGMT_URL=localhost",
"MGMT_VERSION=R81.20",
"IS_S1C_SERVER=0",
"IS_DEMO_SERVER=0",
"CLOUD_INFRA_ENV=N/A",
"ENV_TYPE=SMC",
"STORAGE_DIR=/app/storage",
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
"TZ=Asia/Jerusalem",
"HTML_BASE_PATH=/smartconsole/",
"STATIC_FILES_PATH=dist/static_files/",
"NODE_ENV=production",
"VIEW_LOGS_UID=769F9EF8-606A-4956-A357-675E311C632A",
"MWC_VERSION=1.14.70"

Jerry
0 Kudos
the_rock
Legend

Here is my output.

Andy

[Expert@QUANTUM-MANAGEMENT:0]# docker inspect mwc
[
{
"Id": "2324ab71f19aa8328e311d4ab2dd5975f2132f9c42575a5eeb615a4ecaa8783b",
"Created": "2023-08-31T19:00:44.602164839Z",
"Path": "node",
"Args": [
"dist/index.mjs"
],
"State": {
"Status": "running",
"Running": true,
"Paused": false,
"Restarting": false,
"OOMKilled": false,
"Dead": false,
"Pid": 2610,
"ExitCode": 0,
"Error": "",
"StartedAt": "2023-08-31T19:00:49.942451064Z",
"FinishedAt": "0001-01-01T00:00:00Z"
},
"Image": "sha256:c9561023c16df4bc947f60ff1afbd06a724f72544f8f396eceb6cbd89e85370a",
"ResolvConfPath": "/var/lib/docker/containers/2324ab71f19aa8328e311d4ab2dd5975f2132f9c42575a5eeb615a4ecaa8783b/resolv.conf",
"HostnamePath": "/var/lib/docker/containers/2324ab71f19aa8328e311d4ab2dd5975f2132f9c42575a5eeb615a4ecaa8783b/hostname",
"HostsPath": "/var/lib/docker/containers/2324ab71f19aa8328e311d4ab2dd5975f2132f9c42575a5eeb615a4ecaa8783b/hosts",
"LogPath": "/var/lib/docker/containers/2324ab71f19aa8328e311d4ab2dd5975f2132f9c42575a5eeb615a4ecaa8783b/2324ab71f19aa8328e311d4ab2dd5975f2132f9c42575a5eeb615a4ecaa8783b-json.log",
"Name": "/mwc",
"RestartCount": 0,
"Driver": "overlay2",
"MountLabel": "",
"ProcessLabel": "",
"AppArmorProfile": "",
"ExecIDs": null,
"HostConfig": {
"Binds": [
"/opt/CPsuite-R81.20/fw1/conf/mwc:/app/storage"
],
"ContainerIDFile": "",
"LogConfig": {
"Type": "json-file",
"Config": {}
},
"NetworkMode": "host",
"PortBindings": {},
"RestartPolicy": {
"Name": "unless-stopped",
"MaximumRetryCount": 0
},
"AutoRemove": false,
"VolumeDriver": "",
"VolumesFrom": null,
"CapAdd": null,
"CapDrop": null,
"Dns": [],
"DnsOptions": [],
"DnsSearch": [],
"ExtraHosts": null,
"GroupAdd": null,
"IpcMode": "",
"Cgroup": "",
"Links": null,
"OomScoreAdj": 0,
"PidMode": "",
"Privileged": false,
"PublishAllPorts": false,
"ReadonlyRootfs": false,
"SecurityOpt": null,
"UTSMode": "",
"UsernsMode": "",
"ShmSize": 67108864,
"Runtime": "runc",
"ConsoleSize": [
0,
0
],
"Isolation": "",
"CpuShares": 0,
"Memory": 0,
"NanoCpus": 0,
"CgroupParent": "",
"BlkioWeight": 0,
"BlkioWeightDevice": null,
"BlkioDeviceReadBps": null,
"BlkioDeviceWriteBps": null,
"BlkioDeviceReadIOps": null,
"BlkioDeviceWriteIOps": null,
"CpuPeriod": 0,
"CpuQuota": 0,
"CpuRealtimePeriod": 0,
"CpuRealtimeRuntime": 0,
"CpusetCpus": "",
"CpusetMems": "",
"Devices": [],
"DiskQuota": 0,
"KernelMemory": 0,
"MemoryReservation": 0,
"MemorySwap": 0,
"MemorySwappiness": -1,
"OomKillDisable": false,
"PidsLimit": 0,
"Ulimits": null,
"CpuCount": 0,
"CpuPercent": 0,
"IOMaximumIOps": 0,
"IOMaximumBandwidth": 0
},
"GraphDriver": {
"Name": "overlay2",
"Data": {
"LowerDir": "/var/lib/docker/overlay2/5e8c7a4fb3be9d09761452288ff328143dff763b7d6e5752acf42a7d51798069-init/diff:/var/lib/docker/overlay2/d47cb39acef9464e212518a453993f383df626eee42c98b018f2d46c8be1cc76/diff:/var/lib/docker/overlay2/10dd820f8cbceadb60bd48dcc4dd6dd0ced35fee274ebd491fafd921ec26b88d/diff:/var/lib/docker/overlay2/04124a5926ee0a044ef633e752246cf1ff8e80cf247fc3902e89ac1d30678101/diff:/var/lib/docker/overlay2/9a6f3130b8048fb71b6615ed16a910fc1d81621d603171cb133653d74db0e035/diff:/var/lib/docker/overlay2/4924e0fef8a4beb11a03edba9e68a295dabb7bc84f4808dfe51c483620d714c8/diff:/var/lib/docker/overlay2/f231052f11422044ed812b1d4a9edbd3f6a0cd8fd38d057af95a1ed90db0d8f5/diff:/var/lib/docker/overlay2/667d184da282ea32a365b7de02d2b1b3fe6e81c351365663c2a36fe69d719862/diff",
"MergedDir": "/var/lib/docker/overlay2/5e8c7a4fb3be9d09761452288ff328143dff763b7d6e5752acf42a7d51798069/merged",
"UpperDir": "/var/lib/docker/overlay2/5e8c7a4fb3be9d09761452288ff328143dff763b7d6e5752acf42a7d51798069/diff",
"WorkDir": "/var/lib/docker/overlay2/5e8c7a4fb3be9d09761452288ff328143dff763b7d6e5752acf42a7d51798069/work"
}
},
"Mounts": [
{
"Type": "bind",
"Source": "/opt/CPsuite-R81.20/fw1/conf/mwc",
"Destination": "/app/storage",
"Mode": "",
"RW": true,
"Propagation": "rprivate"
}
],
"Config": {
"Hostname": "QUANTUM-MANAGEMENT",
"Domainname": "",
"User": "1000",
"AttachStdin": false,
"AttachStdout": false,
"AttachStderr": false,
"ExposedPorts": {
"8080/tcp": {}
},
"Tty": false,
"OpenStdin": false,
"StdinOnce": false,
"Env": [
"PORT=3100",
"MGMT_URL=localhost",
"MGMT_VERSION=R81.20",
"IS_S1C_SERVER=0",
"IS_DEMO_SERVER=0",
"CLOUD_INFRA_ENV=N/A",
"ENV_TYPE=SMC",
"STORAGE_DIR=/app/storage",
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
"TZ=Asia/Jerusalem",
"HTML_BASE_PATH=/smartconsole/",
"STATIC_FILES_PATH=dist/static_files/",
"NODE_ENV=production",
"VIEW_LOGS_UID=769F9EF8-606A-4956-A357-675E311C632A",
"MWC_VERSION=1.14.70"
],
"Cmd": [
"node",
"dist/index.mjs"
],
"Image": "mwc:latest",
"Volumes": null,
"WorkingDir": "/app",
"Entrypoint": null,
"OnBuild": null,
"Labels": {}
},
"NetworkSettings": {
"Bridge": "",
"SandboxID": "a0e0930c21b283e062e8d710a95f2f5512f9eaf71f509bb43177935b21a71ba3",
"HairpinMode": false,
"LinkLocalIPv6Address": "",
"LinkLocalIPv6PrefixLen": 0,
"Ports": {},
"SandboxKey": "/var/run/docker/netns/default",
"SecondaryIPAddresses": null,
"SecondaryIPv6Addresses": null,
"EndpointID": "",
"Gateway": "",
"GlobalIPv6Address": "",
"GlobalIPv6PrefixLen": 0,
"IPAddress": "",
"IPPrefixLen": 0,
"IPv6Gateway": "",
"MacAddress": "",
"Networks": {
"host": {
"IPAMConfig": null,
"Links": null,
"Aliases": null,
"NetworkID": "6473b3157b8637bb0bd55f988d1840e5618c181208b59eb2ecb4c83f93dd540b",
"EndpointID": "1e4e10638e6e786a85e9b2eddc9ac6c271ea247583c0ac370ae5627fe94badd8",
"Gateway": "",
"IPAddress": "",
"IPPrefixLen": 0,
"IPv6Gateway": "",
"GlobalIPv6Address": "",
"GlobalIPv6PrefixLen": 0,
"MacAddress": ""
}
}
}
}
]
[Expert@QUANTUM-MANAGEMENT:0]#

0 Kudos
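Bob's suggestion earlier in the thread, to find the container's own address and allow it as a GUI client, and Andy's question of how to find such an address, both come down to reading `docker inspect` output. The script below is an added example written for this thread, not Check Point's or Docker's code: it reduces the inspect JSON to the fields that matter for a source-IP ACL. `HOST_MODE_INSPECT` is a constructed sample trimmed from the shape of the output posted above (`NetworkMode: host`, empty `IPAddress`, `PORT=3100`); `BRIDGE_MODE_INSPECT` is a hypothetical contrast case, not anything observed on the page.

```python
import json

# Constructed sample modelled on the `docker inspect mwc` output posted in this
# thread, trimmed to the fields used here: host network mode, no
# container-specific address, application listening on PORT=3100.
HOST_MODE_INSPECT = json.dumps([{
    "Name": "/mwc",
    "HostConfig": {"NetworkMode": "host", "PortBindings": {}},
    "Config": {"ExposedPorts": {"8080/tcp": {}},
               "Env": ["PORT=3100", "MGMT_URL=localhost"]},
    "NetworkSettings": {"IPAddress": "",
                        "Networks": {"host": {"IPAddress": "", "Gateway": ""}}},
}])

# Constructed, hypothetical contrast case: a bridge-mode container that does
# get its own address on a Docker-internal network.
BRIDGE_MODE_INSPECT = json.dumps([{
    "Name": "/example-bridge",
    "HostConfig": {"NetworkMode": "bridge",
                   "PortBindings": {"8080/tcp": [{"HostIp": "0.0.0.0", "HostPort": "8080"}]}},
    "Config": {"ExposedPorts": {"8080/tcp": {}}, "Env": ["PORT=8080"]},
    "NetworkSettings": {"IPAddress": "172.17.0.2",
                        "Networks": {"bridge": {"IPAddress": "172.17.0.2",
                                                "Gateway": "172.17.0.1"}}},
}])


def env_value(config, key):
    """Look up KEY=value in the container's Env list; None if absent."""
    for item in config.get("Env", []):
        name, _, value = item.partition("=")
        if name == key:
            return value
    return None


def summarize_container_network(inspect_json):
    """Reduce `docker inspect <container>` JSON to what a source-IP ACL needs."""
    data = json.loads(inspect_json)
    if not data:
        raise ValueError("empty docker inspect output")
    c = data[0]
    settings = c.get("NetworkSettings", {})
    mode = c.get("HostConfig", {}).get("NetworkMode", "")

    addresses, gateways = set(), set()
    if settings.get("IPAddress"):
        addresses.add(settings["IPAddress"])
    for net in settings.get("Networks", {}).values():
        for key in ("IPAddress", "GlobalIPv6Address"):
            if net.get(key):
                addresses.add(net[key])
        for key in ("Gateway", "IPv6Gateway"):
            if net.get(key):
                gateways.add(net[key])

    if mode == "host":
        # The container shares the host's network namespace: there is no
        # separate container address to allow, and anything relaying to it on
        # the same box reaches it over loopback.
        candidates = []
        note = "host mode: no container-specific IP; local relays arrive from loopback"
    else:
        candidates = sorted(addresses)
        note = "add the container address(es) as allowed GUI clients"

    return {
        "name": c.get("Name", "").lstrip("/"),
        "network_mode": mode,
        "listen_port": env_value(c.get("Config", {}), "PORT"),
        "container_addresses": sorted(addresses),
        "gateways": sorted(gateways),
        "gui_client_candidates": candidates,
        "note": note,
    }


if __name__ == "__main__":
    import sys
    # Usage on a real box: docker inspect mwc | python3 this_script.py
    src = sys.stdin.read() if not sys.stdin.isatty() else HOST_MODE_INSPECT
    print(json.dumps(summarize_container_network(src), indent=2))
```

Run against the output posted above, the summary comes back with an empty candidate list, which is the point: with `NetworkMode: host` there is no Docker-internal address to allow, so the address the ACL needs is whatever the local relay presents, and that is why the search for "the container IP" comes up empty on this configuration.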
Jerry
Mentor

Made the SR, will PM you the number again:

6-xxxxxxx464

Jerry
Ofir_Calif
Employee

Thank you @Jerry.

We were unable to reproduce it; we will investigate it in the SR.

0 Kudos
the_rock
Legend

If you need me to test it again, no issues.

Andy

0 Kudos
Jerry
Mentor

Hi Ofir, hope our session yesterday was good enough to start the "improvement process" on WSC.

Happy to help anytime; I also believe that once you have IPv6 fully supported by WSC you will let me know.

Cheers and once again, much appreciate your precious R&D time 🙂

Jerry
0 Kudos
the_rock
Legend

That makes total sense, but is there an easy way to find such an IP?

Regards,

Andy

0 Kudos