This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
flachance
MVP Silver
MVP Silver
‎2022-07-06 07:35 AM
Jump to solution

Admin account login alert

Hi,

We need to create a ‘break-glass’ type admin account in case of emergency if nobody from firewall admin group is available.

The account requires full admin but should ‘normally’ never be used.

We’re trying to find a way to get notified if the account is being used.

For console or ssh access we can use the .bash_profile of the account with sendmail & last commands

For SmartConsole access, we can’t find a way to get an alert but we could always schedule a daily report based on the Audit Overview view.

We can’t seem to find a way to get an alert or report for Web UI access. Anyway this can be done?

 

thanks

0 Kudos
1 Solution

Accepted Solutions
Timothy_Hall
MVP Gold
MVP Gold
‎2022-07-08 06:49 AM
In response to flachance
Jump to solution

Logins to Gaia via SSH/console and Gaia web interface are logged to syslog in /var/log/messages like this:

httpd2: HTTP login from 192.0.2.1 as admin

clish[75304]: User admin logged in with ReadWrite permission

clish[75304]: cmd by admin: Start executing : expert

If you forward these messages into your Check Point logs as detailed in sk102995, you should then be able to create an automatic reaction in SmartEvent.

sk102995: How to export syslog messages from Gaia Security Gateway to a Log Server and view them in ...

You could also probably script something at the Gaia level to do this if you don't have SmartEvent.

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course

View solution in original post

6 Replies
the_rock
MVP Gold
MVP Gold
‎2022-07-06 11:20 AM
Jump to solution

Not sure if below may help?

Andy

https://community.checkpoint.com/t5/Management/Administrator-last-login-report-view/m-p/142309#M2987...

Best,
Andy
0 Kudos
flachance
MVP Silver
MVP Silver
‎2022-07-07 05:04 AM
In response to the_rock
Jump to solution

Helps with SmartConsole login but it doesn't look like it reports on logins from the web UI.

0 Kudos
G_W_Albrecht
MVP Silver
MVP Silver
‎2022-07-07 05:09 AM
In response to flachance
Jump to solution

I would ask TAC if this is  possible at all - but i do not think so...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Timothy_Hall
MVP Gold
MVP Gold
‎2022-07-08 06:49 AM
In response to flachance
Jump to solution

Logins to Gaia via SSH/console and Gaia web interface are logged to syslog in /var/log/messages like this:

httpd2: HTTP login from 192.0.2.1 as admin

clish[75304]: User admin logged in with ReadWrite permission

clish[75304]: cmd by admin: Start executing : expert

If you forward these messages into your Check Point logs as detailed in sk102995, you should then be able to create an automatic reaction in SmartEvent.

sk102995: How to export syslog messages from Gaia Security Gateway to a Log Server and view them in ...

You could also probably script something at the Gaia level to do this if you don't have SmartEvent.

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
flachance
MVP Silver
MVP Silver
‎2022-07-11 12:38 PM
In response to Timothy_Hall
Jump to solution

Thanks Timothy. I now can see Web UI logins in smartconsole logs.  Now I have to figure out SmartEvent to get a reaction for logins with a specific admin account.

0 Kudos
AaronCP
Advisor
Advisor
‎2022-07-06 01:23 PM
Jump to solution

Do you use SmartEvent? If so, there seems are some suggestions on previous similar posts:

 

https://community.checkpoint.com/t5/Management/Alert-on-every-console-login/td-p/27263

 

https://community.checkpoint.com/t5/Management/Alert-on-Administrator-Login/td-p/31421

 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events