Jamie_Kelahan
Participant

WebUI login

Hi all,

We recently changed the local admin passwords for SSH and WebUI logins on several gateways.  Apparently, on one of the gateways, the passwords got fat-fingered or something and we cannot log in to it.  The gateway is centrally-managed.  Is there any way I can create an account through SmartConsole with admin rights to the WebUI on a gateway?  Or is factory-resetting the gateway my only option?

Thanks.

0 Kudos
1 Solution

Accepted Solutions
AkosBakos
Advisor

Hi @Jamie_Kelahan 

Do you remember whether you hit save config? Or did you do it from the WebUI?

If you are lucky, and you were careful enough, you created a snapshot of the GW before the PWD change. In this situation, reboot the GW and revert the snapshot:

akos_3-15-2015 3-08-10 PM.png

Otherwise check this thread:

https://community.checkpoint.com/t5/Management/How-to-recovery-lost-admin-password/td-p/54311

How to set the R80.x Gaia Admin and Expert passwords with CentOS 7 LiveUSB

https://support.checkpoint.com/results/sk/sk163461

Akos

----------------
\m/_(>_<)_\m/


0 Kudos
15 Replies
the_rock
Legend

I tested something like below and it did work.

Andy

Screenshot_1.png

Just type save config as the last line, so it saves the config.

the_rock
Legend

@Jamie_Kelahan 

Sorry, forgot this line.

Andy

https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_Gaia_AdminGuide/Topics-GAG/Roles-G...

add rba user <User Name> roles <Role1,Role2,...,RoleN>

Jamie_Kelahan
Participant

Thanks for your efforts!  I did try this and it reported as a "Success," however when I opened the details, there was an error saying the "add" command was not found and I was not able to log in.  Adding the "add rba" line resulted in it failing, with the same error message - this time twice, since the "add" command was used twice.

In any case, I got the issue resolved by using the CentOS live USB instructions from above.  A little more involved than your solution, but I'm able to log in again.

Thanks again!

0 Kudos
the_rock
Legend

Yes, of course, we are here to help, np! Not sure, maybe I mixed up the commands, but it worked for me when I tested it.

Anyway, glad you got it going.

Andy

Jamie_Kelahan
Participant

It was changed via the WebUI.  I followed your link to reset using the CentOS USB and got the passwords updated.   Thanks for your help!

the_rock
Legend

As people say, every beginning is hard. I remember this customer and I spent who knows how many hours with the same guy from TAC troubleshooting Smart-1 Cloud mgmt, but in all fairness, back then, there were only a couple of people from TAC who had access to the back end. These days, it's way better, as more people have access, plus, customers can actually restart the mgmt instance from the portal. Keep in mind, restarting it does NOT mean reboot, it's actually a cpstop/cpstart process; if you need it rebooted, you need to call TAC.

Anyway, all in all, all our clients are very happy with it.

Andy

0 Kudos
the_rock
Legend

That's actually a really good question. Let me investigate in the lab and I will let you know.

Andy

0 Kudos
AkosBakos
Advisor
Jamie_Kelahan
Participant

I was not able to do this, since I no longer have an on-prem management server, as we've transitioned to the CP cloud.  As far as I'm aware, I don't have the ability to SSH to the cloud management and run these commands.

Thanks for your reply and suggestion!

the_rock
Legend

You will be happy with S1C compared to on-prem mgmt... I have been around it since covid days and it is SOOOOOOOOOO much better now, people love it.

Best,

Andy

0 Kudos
Jamie_Kelahan
Participant

Yes, so far so good!  I had some minor issues when transitioning over - especially with some of the smaller Spark devices we have - that made me nervous, but it's been great since then!

0 Kudos
AkosBakos
Advisor

Hi @Jamie_Kelahan 

Maybe you can try this:

https://support.checkpoint.com/results/sk/sk106490

  1. Generate hash for the new password - run the following command and save the generated hash string:

    [Expert@HostName]# cpopenssl passwd {-1 | -5 | -6} <New Password>

    For more information, run:

    cpopenssl passwd -help

    In addition, see the Gaia Administration Guide for your version, to see the supported hash algorithms.

  2. Ensure that the Gaia OS database is unlocked on the remote Security Gateway/or secondary management server:

    [Expert@HostName]# $CPDIR/bin/cprid_util -server <IP_address_of_Security_Gateway> -verbose rexec -rcmd /bin/clish -s -c 'set config-lock on override'

  3. Change the 'admin' user password:

    [Expert@HostName]# $CPDIR/bin/cprid_util -server <IP_address_of_Security_Gateway> -verbose rexec -rcmd /bin/clish -s -c 'set user admin password-hash <Password_Hash_from_Step_1>'

  4. You can also change the Expert password:

    [Expert@HostName]# $CPDIR/bin/cprid_util -server <IP_address_of_Security_Gateway> -verbose rexec -rcmd /bin/clish -s -c 'set expert-password-hash <Password_Hash_from_Step_1>'

----------------
\m/_(>_<)_\m/
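
A pre-flight check for steps 1 to 3 of the procedure quoted above, added here as an example (it is not from the original posts or from Check Point). It assumes `cpopenssl passwd` emits standard crypt(3) strings as `openssl passwd` does; the function names, the sample hash and the 192.0.2.10 address are constructed. It refuses a hash that shell quoting has mangled before it can be pushed to a gateway, and it only prints the command.

```shell
#!/bin/sh
# Added example, not Check Point code. Nothing here contacts a gateway.

# Succeed only for crypt(3) strings of the -1 (MD5), -5 (SHA-256) or
# -6 (SHA-512) shape; anything else (empty, truncated, quoted) is rejected.
valid_crypt_hash() {
    case $1 in
        *[!./A-Za-z0-9\$=]*) return 1 ;;   # spaces, quotes, newlines, ...
    esac
    printf '%s\n' "$1" | grep -Eq \
        -e '^\$1\$[./A-Za-z0-9]{1,8}\$[./A-Za-z0-9]{22}$' \
        -e '^\$5\$(rounds=[0-9]+\$)?[./A-Za-z0-9]{1,16}\$[./A-Za-z0-9]{43}$' \
        -e '^\$6\$(rounds=[0-9]+\$)?[./A-Za-z0-9]{1,16}\$[./A-Za-z0-9]{86}$'
}

# Print the step-3 command for review instead of running it. The clish
# command stays in single quotes so the '$' fields of the hash are not
# expanded by the shell on the management server.
compose_admin_reset() {
    case $1 in
        ''|*[!0-9A-Za-z.:-]*) echo "refusing: bad gateway address" >&2; return 2 ;;
    esac
    valid_crypt_hash "$2" || { echo "refusing: not a crypt hash" >&2; return 3; }
    printf "%s -server %s -verbose rexec -rcmd /bin/clish -s -c 'set user admin password-hash %s'\n" \
        '$CPDIR/bin/cprid_util' "$1" "$2"
}

# Constructed sample (not a real credential): 16-char salt, 86-char digest.
t=abcdefghij
SAMPLE_HASH="\$6\$ConstructedSalt0\$$t$t$t$t$t$t$t${t}abcdef"

# What a double-quoted hash turns into: every '$field' expands to nothing.
MANGLED_HASH=$(sh -c 'printf %s "$6$ConstructedSalt0$abcdef"')

compose_admin_reset 192.0.2.10 "$SAMPLE_HASH"
compose_admin_reset 192.0.2.10 "$MANGLED_HASH" || echo "mangled hash rejected" >&2
```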
Jamie_Kelahan
Participant

Thanks for your suggestions.  I replied to another post suggesting the same, but we're now using CP's cloud management, so I no longer have an on-prem management server that I can run these commands from.

 

0 Kudos
the_rock
Legend

Here is the script I used for a new user, and it worked fine.

Andy

add user test1 uid 0 homedir /home/test1
set user test1 uid 0
set user test1 newpass test12

add rba user test1  roles adminRole

 

Andy
