Hi guys,
Got a tricky one for you. Here is the scenario on one of my client's devices:
1. WebSmartConsole works perfectly when the Security Management GUI Clients has "Type (Any) Hostname/IP Address (Any) Mask -
2. When you try to secure that to an IPv4 or IPv6 address of ANY sort, Web SmartConsole shows you that you're not authorised to use it from that computer, meaning it refuses to open.
3. None of the tricks to make the GUI Clients work with a wider CIDR or whatever IP you can imagine help, meaning that ONLY making GUI Clients ANY/ANY makes the Web SmartConsole work perfectly fine (logging in, using it, all in all).
Any ideas? Happy to provide config/sets if needed, but overall the message is this:
Only ANY/ANY in GUI Clients for that particular FWM works. Any IP you put in, removing ANY/ANY afterwards, makes Web SmartConsole NOT DISPLAY any longer.
Any hints/tips highly appreciated as always.
Just to add to all this, @Jerry and I had a separate discussion with @Ofir_Calif in the post below. I personally believe this is a bug, as it's hard to imagine it would be by design. I also had the same issue in R81.20 jumbo 26, so definitely not an isolated case.
Andy
WebSmartConsole actually runs in a Docker container on the management server.
I suspect if you include the related network, you can make this work.
Figuring that out might require hacking around in Docker.
Thanks Dameon, however setting up the GUI Clients and Trusted Clients (via SMS MGMT) should have this sorted according to your documentation. If Docker ACLs are required, please share with us "how-to" do that so we can secure access to the WSC as well as access to the SmartConsole GUI Client at the very same time. It is a matter of access security, so I believe we should have this narrowed down asap for the benefit of the entire community, not just me or Andy 🙂
Cheers
Finally @Jerry, you are NOT being stroppy with me, which I greatly appreciate m8 ;-)
Sorry, I just love that word, it's my favorite word in English now hahaha
Andy
It's not that Docker ACLs would be required. It's that the Docker namespace running the web application has its own IP on a network entirely internal to the management server. You probably need to find that IP and add it as an allowed GUI client.
The actual container (called mwc) appears to only listen on TCP port 3100 on localhost (verified with the command docker inspect mwc as well as netstat).
I suspect the connection is relayed through the Multiportal infrastructure and the IP address is "lost" in the translation somewhere.
In any case, the following SK suggests it should be possible to do this: https://support.checkpoint.com/results/sk/sk173968
Which suggests this is not working as expected and should be reported via TAC: https://help.checkpoint.com
I've tried sk173968 before. Nothing really new, Dameon. This wouldn't solve the issue, and as Bob mentioned, this indeed should be addressed by R&D. Can anyone help and raise the SR for it if possible?
I was thinking, buddy, of raising the case, but did not, since it was not for the customer; I just verified in my lab. If you do end up raising the case with TAC for your customer, you are more than welcome to reference this post, and I'm more than happy to do another test, if need be.
Cheers m8.
Andy
@PhoneBoy @Bob_Zimmerman - is there any way to modify the docker inspect mwc
and make the WSC simply SECURE enough and have no need to put ANY/ANY into the GUI Clients ACL?
I can see in Docker:
"Config": {
"Hostname": "cp",
"Domainname": "",
"User": "1000",
"AttachStdin": false,
"AttachStdout": false,
"AttachStderr": false,
"ExposedPorts": {
"8080/tcp": {}
},
"Tty": false,
"OpenStdin": false,
"StdinOnce": false,
"Env": [
"PORT=3100",
"MGMT_URL=localhost",
"MGMT_VERSION=R81.20",
"IS_S1C_SERVER=0",
"IS_DEMO_SERVER=0",
"CLOUD_INFRA_ENV=N/A",
"ENV_TYPE=SMC",
"STORAGE_DIR=/app/storage",
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
"TZ=Asia/Jerusalem",
"HTML_BASE_PATH=/smartconsole/",
"STATIC_FILES_PATH=dist/static_files/",
"NODE_ENV=production",
"VIEW_LOGS_UID=769F9EF8-606A-4956-A357-675E311C632A",
"MWC_VERSION=1.14.70"
Here is my output:
Andy
[Expert@QUANTUM-MANAGEMENT:0]# docker inspect mwc
[
{
"Id": "2324ab71f19aa8328e311d4ab2dd5975f2132f9c42575a5eeb615a4ecaa8783b",
"Created": "2023-08-31T19:00:44.602164839Z",
"Path": "node",
"Args": [
"dist/index.mjs"
],
"State": {
"Status": "running",
"Running": true,
"Paused": false,
"Restarting": false,
"OOMKilled": false,
"Dead": false,
"Pid": 2610,
"ExitCode": 0,
"Error": "",
"StartedAt": "2023-08-31T19:00:49.942451064Z",
"FinishedAt": "0001-01-01T00:00:00Z"
},
"Image": "sha256:c9561023c16df4bc947f60ff1afbd06a724f72544f8f396eceb6cbd89e85370a",
"ResolvConfPath": "/var/lib/docker/containers/2324ab71f19aa8328e311d4ab2dd5975f2132f9c42575a5eeb615a4ecaa8783b/resolv.conf",
"HostnamePath": "/var/lib/docker/containers/2324ab71f19aa8328e311d4ab2dd5975f2132f9c42575a5eeb615a4ecaa8783b/hostname",
"HostsPath": "/var/lib/docker/containers/2324ab71f19aa8328e311d4ab2dd5975f2132f9c42575a5eeb615a4ecaa8783b/hosts",
"LogPath": "/var/lib/docker/containers/2324ab71f19aa8328e311d4ab2dd5975f2132f9c42575a5eeb615a4ecaa8783b/2324ab71f19aa8328e311d4ab2dd5975f2132f9c42575a5eeb615a4ecaa8783b-json.log",
"Name": "/mwc",
"RestartCount": 0,
"Driver": "overlay2",
"MountLabel": "",
"ProcessLabel": "",
"AppArmorProfile": "",
"ExecIDs": null,
"HostConfig": {
"Binds": [
"/opt/CPsuite-R81.20/fw1/conf/mwc:/app/storage"
],
"ContainerIDFile": "",
"LogConfig": {
"Type": "json-file",
"Config": {}
},
"NetworkMode": "host",
"PortBindings": {},
"RestartPolicy": {
"Name": "unless-stopped",
"MaximumRetryCount": 0
},
"AutoRemove": false,
"VolumeDriver": "",
"VolumesFrom": null,
"CapAdd": null,
"CapDrop": null,
"Dns": [],
"DnsOptions": [],
"DnsSearch": [],
"ExtraHosts": null,
"GroupAdd": null,
"IpcMode": "",
"Cgroup": "",
"Links": null,
"OomScoreAdj": 0,
"PidMode": "",
"Privileged": false,
"PublishAllPorts": false,
"ReadonlyRootfs": false,
"SecurityOpt": null,
"UTSMode": "",
"UsernsMode": "",
"ShmSize": 67108864,
"Runtime": "runc",
"ConsoleSize": [
0,
0
],
"Isolation": "",
"CpuShares": 0,
"Memory": 0,
"NanoCpus": 0,
"CgroupParent": "",
"BlkioWeight": 0,
"BlkioWeightDevice": null,
"BlkioDeviceReadBps": null,
"BlkioDeviceWriteBps": null,
"BlkioDeviceReadIOps": null,
"BlkioDeviceWriteIOps": null,
"CpuPeriod": 0,
"CpuQuota": 0,
"CpuRealtimePeriod": 0,
"CpuRealtimeRuntime": 0,
"CpusetCpus": "",
"CpusetMems": "",
"Devices": [],
"DiskQuota": 0,
"KernelMemory": 0,
"MemoryReservation": 0,
"MemorySwap": 0,
"MemorySwappiness": -1,
"OomKillDisable": false,
"PidsLimit": 0,
"Ulimits": null,
"CpuCount": 0,
"CpuPercent": 0,
"IOMaximumIOps": 0,
"IOMaximumBandwidth": 0
},
"GraphDriver": {
"Name": "overlay2",
"Data": {
"LowerDir": "/var/lib/docker/overlay2/5e8c7a4fb3be9d09761452288ff328143dff763b7d6e5752acf42a7d51798069-init/diff:/var/lib/docker/overlay2/d47cb39acef9464e212518a453993f383df626eee42c98b018f2d46c8be1cc76/diff:/var/lib/docker/overlay2/10dd820f8cbceadb60bd48dcc4dd6dd0ced35fee274ebd491fafd921ec26b88d/diff:/var/lib/docker/overlay2/04124a5926ee0a044ef633e752246cf1ff8e80cf247fc3902e89ac1d30678101/diff:/var/lib/docker/overlay2/9a6f3130b8048fb71b6615ed16a910fc1d81621d603171cb133653d74db0e035/diff:/var/lib/docker/overlay2/4924e0fef8a4beb11a03edba9e68a295dabb7bc84f4808dfe51c483620d714c8/diff:/var/lib/docker/overlay2/f231052f11422044ed812b1d4a9edbd3f6a0cd8fd38d057af95a1ed90db0d8f5/diff:/var/lib/docker/overlay2/667d184da282ea32a365b7de02d2b1b3fe6e81c351365663c2a36fe69d719862/diff",
"MergedDir": "/var/lib/docker/overlay2/5e8c7a4fb3be9d09761452288ff328143dff763b7d6e5752acf42a7d51798069/merged",
"UpperDir": "/var/lib/docker/overlay2/5e8c7a4fb3be9d09761452288ff328143dff763b7d6e5752acf42a7d51798069/diff",
"WorkDir": "/var/lib/docker/overlay2/5e8c7a4fb3be9d09761452288ff328143dff763b7d6e5752acf42a7d51798069/work"
}
},
"Mounts": [
{
"Type": "bind",
"Source": "/opt/CPsuite-R81.20/fw1/conf/mwc",
"Destination": "/app/storage",
"Mode": "",
"RW": true,
"Propagation": "rprivate"
}
],
"Config": {
"Hostname": "QUANTUM-MANAGEMENT",
"Domainname": "",
"User": "1000",
"AttachStdin": false,
"AttachStdout": false,
"AttachStderr": false,
"ExposedPorts": {
"8080/tcp": {}
},
"Tty": false,
"OpenStdin": false,
"StdinOnce": false,
"Env": [
"PORT=3100",
"MGMT_URL=localhost",
"MGMT_VERSION=R81.20",
"IS_S1C_SERVER=0",
"IS_DEMO_SERVER=0",
"CLOUD_INFRA_ENV=N/A",
"ENV_TYPE=SMC",
"STORAGE_DIR=/app/storage",
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
"TZ=Asia/Jerusalem",
"HTML_BASE_PATH=/smartconsole/",
"STATIC_FILES_PATH=dist/static_files/",
"NODE_ENV=production",
"VIEW_LOGS_UID=769F9EF8-606A-4956-A357-675E311C632A",
"MWC_VERSION=1.14.70"
],
"Cmd": [
"node",
"dist/index.mjs"
],
"Image": "mwc:latest",
"Volumes": null,
"WorkingDir": "/app",
"Entrypoint": null,
"OnBuild": null,
"Labels": {}
},
"NetworkSettings": {
"Bridge": "",
"SandboxID": "a0e0930c21b283e062e8d710a95f2f5512f9eaf71f509bb43177935b21a71ba3",
"HairpinMode": false,
"LinkLocalIPv6Address": "",
"LinkLocalIPv6PrefixLen": 0,
"Ports": {},
"SandboxKey": "/var/run/docker/netns/default",
"SecondaryIPAddresses": null,
"SecondaryIPv6Addresses": null,
"EndpointID": "",
"Gateway": "",
"GlobalIPv6Address": "",
"GlobalIPv6PrefixLen": 0,
"IPAddress": "",
"IPPrefixLen": 0,
"IPv6Gateway": "",
"MacAddress": "",
"Networks": {
"host": {
"IPAMConfig": null,
"Links": null,
"Aliases": null,
"NetworkID": "6473b3157b8637bb0bd55f988d1840e5618c181208b59eb2ecb4c83f93dd540b",
"EndpointID": "1e4e10638e6e786a85e9b2eddc9ac6c271ea247583c0ac370ae5627fe94badd8",
"Gateway": "",
"IPAddress": "",
"IPPrefixLen": 0,
"IPv6Gateway": "",
"GlobalIPv6Address": "",
"GlobalIPv6PrefixLen": 0,
"MacAddress": ""
}
}
}
}
]
[Expert@QUANTUM-MANAGEMENT:0]#
made the SR, will PM you the number again,
6-xxxxxxx464
Thank you @Jerry .
We were unable to reproduce it; we will investigate it in the SR.
If you need me to test it again, no issues.
Andy
Hi Ofir, hope yesterday's session was good enough to start the "improvement process" on WSC.
Happy to help anytime. Also, I do believe that once you have IPv6 fully supported by WSC you will let me know.
Cheers, and once again, I much appreciate your precious R&D time 🙂
That makes total sense, but is there an easy way to find such an IP?
Regards,
Andy
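Added example, not part of any post in this thread and not Check Point code: a small Python check for the "which IP do I allow?" question. It reads `docker inspect` JSON and lists the candidate source addresses a proposed GUI Clients list would not cover. It assumes the thread's hypothesis (not a confirmed behaviour) that the management server sees the container backend's own source address; the sample JSON is trimmed from the output posted above, and `203.0.113.0/24` is a placeholder admin subnet.

```python
import ipaddress
import json

# Constructed sample: fields copied from the `docker inspect mwc` output in
# the thread, trimmed to the ones that matter for networking.
SAMPLE_INSPECT = json.dumps([{
    "Name": "/mwc",
    "HostConfig": {"NetworkMode": "host"},
    "Config": {"Env": ["PORT=3100", "MGMT_URL=localhost"]},
    "NetworkSettings": {"IPAddress": "", "Networks": {
        "host": {"IPAddress": "", "GlobalIPv6Address": ""}}},
}])

LOOPBACK = ["127.0.0.1", "::1"]


def candidate_sources(inspect_json):
    """Return (network_mode, addresses the container's connections could come from)."""
    info = json.loads(inspect_json)[0]
    mode = info["HostConfig"]["NetworkMode"]
    env = dict(e.split("=", 1) for e in info["Config"].get("Env") or [])
    nets = info["NetworkSettings"].get("Networks") or {}
    addrs = [n[k] for n in nets.values()
             for k in ("IPAddress", "GlobalIPv6Address") if n.get(k)]
    # Host networking: the container has no private IP of its own.
    # Assumption: a backend pointed at MGMT_URL=localhost connects from loopback.
    if mode == "host" and not addrs and env.get("MGMT_URL") == "localhost":
        addrs = list(LOOPBACK)
    return mode, addrs


def uncovered(addrs, gui_clients):
    """Addresses not matched by any GUI Clients entry ('Any' matches everything)."""
    if any(e.lower() == "any" for e in gui_clients):
        return []
    nets = [ipaddress.ip_network(e, strict=False) for e in gui_clients]
    missing = []
    for a in addrs:
        ip = ipaddress.ip_address(a)
        if not any(ip.version == n.version and ip in n for n in nets):
            missing.append(a)
    return missing


if __name__ == "__main__":
    mode, addrs = candidate_sources(SAMPLE_INSPECT)
    print("network mode:", mode, "| candidate sources:", addrs)
    print("not covered by 203.0.113.0/24:", uncovered(addrs, ["203.0.113.0/24"]))
```

On the posted output the result is host networking with no container IP, which is why there is no separate Docker address to look up on this server.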