flachance
Advisor

Admin account login alert

Hi,

We need to create a ‘break-glass’ type admin account in case of emergency if nobody from firewall admin group is available.

The account requires full admin but should ‘normally’ never be used.

We’re trying to find a way to get notified if the account is being used.

For console or SSH access we can use the .bash_profile of the account with sendmail & last commands.

For SmartConsole access, we can’t find a way to get an alert but we could always schedule a daily report based on the Audit Overview view.

We can’t seem to find a way to get an alert or report for Web UI access. Any way this can be done?

Thanks

Timothy_Hall
Legend

Logins to Gaia via SSH/console and Gaia web interface are logged to syslog in /var/log/messages like this:

httpd2: HTTP login from 192.0.2.1 as admin

clish[75304]: User admin logged in with ReadWrite permission

clish[75304]: cmd by admin: Start executing : expert

If you forward these messages into your Check Point logs as detailed in sk102995, you should then be able to create an automatic reaction in SmartEvent.

sk102995: How to export syslog messages from Gaia Security Gateway to a Log Server and view them in ...

You could also probably script something at the Gaia level to do this if you don't have SmartEvent.

Attend my 60-minute "Be your Own TAC: Part Deux" Presentation
Exclusively at CPX 2025 Las Vegas Tuesday Feb 25th @ 1:00pm
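
The Gaia-level scripting suggested in the answer above could look like the following filter. It is an added example, not part of the original post and not Check Point tooling; it matches only the three message formats quoted in the answer, and the account name `bgadmin`, host name and timestamps are constructed.

```shell
#!/bin/bash
# Added example. Message formats are the three quoted in the post above;
# the account name, host name and timestamps below are constructed.

# Reads syslog lines on stdin and prints one ALERT line per login event that
# belongs to exactly the account named in $1 ("bgadmin2" must not match "bgadmin").
breakglass_hits() {
    awk -v acct="$1" '
        function alert(msg) { print "ALERT " msg; fflush() }  # flush so tail -F pipelines fire at once
        # Web UI: "httpd2: HTTP login from <ip> as <user>"
        /httpd2: HTTP login from / {
            if ($NF == acct && $(NF-1) == "as") alert("webui login user=" acct " src=" $(NF-2))
            next
        }
        # SSH/console: "clish[<pid>]: User <user> logged in with <perm> permission"
        /clish\[[0-9]+\]: User / {
            for (i = 1; i < NF; i++)
                if ($i == "User" && $(i+1) == acct && $(i+2) == "logged") {
                    alert("clish login user=" acct " perm=" $(i+5)); break
                }
            next
        }
        # Commands run by the account: "clish[<pid>]: cmd by <user>: ..."
        /clish\[[0-9]+\]: cmd by / {
            for (i = 2; i < NF; i++)
                if ($(i-1) == "cmd" && $i == "by" && $(i+1) == (acct ":")) {
                    alert("clish command user=" acct); break
                }
        }
    '
}

# Constructed sample input; only the three bgadmin events should be reported.
SAMPLE_LOG='Feb 25 13:00:01 gw1 httpd2: HTTP login from 192.0.2.1 as bgadmin
Feb 25 13:00:02 gw1 httpd2: HTTP login from 192.0.2.7 as bgadmin2
Feb 25 13:01:10 gw1 clish[75304]: User bgadmin logged in with ReadWrite permission
Feb 25 13:01:15 gw1 clish[75304]: cmd by bgadmin: Start executing : expert
Feb 25 13:02:00 gw1 clish[75400]: User admin logged in with ReadWrite permission'

printf '%s\n' "$SAMPLE_LOG" | breakglass_hits bgadmin
```

On a live system the function would be fed from `tail -F /var/log/messages`, with its output handed to whatever notifier is available, such as the sendmail approach mentioned in the question.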

flachance
Advisor

Helps with SmartConsole login but it doesn't look like it reports on logins from the web UI.

G_W_Albrecht
Legend

I would ask TAC if this is possible at all - but I do not think so...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
flachance
Advisor

Thanks Timothy. I now can see Web UI logins in SmartConsole logs. Now I have to figure out SmartEvent to get a reaction for logins with a specific admin account.
