flachance
MVP Silver

Admin account login alert

Hi,

We need to create a ‘break-glass’ type admin account in case of emergency if nobody from the firewall admin group is available.

The account requires full admin but should ‘normally’ never be used.

We’re trying to find a way to get notified if the account is being used.

For console or SSH access we can use the .bash_profile of the account with sendmail & last commands.

For SmartConsole access, we can’t find a way to get an alert but we could always schedule a daily report based on the Audit Overview view.

We can’t seem to find a way to get an alert or report for Web UI access. Any way this can be done?

 

thanks


Accepted Solutions
Timothy_Hall
MVP Gold

Logins to Gaia via SSH/console and Gaia web interface are logged to syslog in /var/log/messages like this:

httpd2: HTTP login from 192.0.2.1 as admin

clish[75304]: User admin logged in with ReadWrite permission

clish[75304]: cmd by admin: Start executing : expert

If you forward these messages into your Check Point logs as detailed in sk102995, you should then be able to create an automatic reaction in SmartEvent.

sk102995: How to export syslog messages from Gaia Security Gateway to a Log Server and view them in ...

You could also probably script something at the Gaia level to do this if you don't have SmartEvent.

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
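
The Gaia-level scripting route mentioned in the answer above, as an added example that is not part of the original thread and not Check Point code. It filters the three message forms quoted in the answer for one account; the account name `bgadmin` and the timestamp/hostname prefix on the sample lines are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. "bgadmin" is a hypothetical account name.
ACCT="bgadmin"

# Read syslog lines on stdin and print one ALERT line per event for account $1.
# The user name is compared as a whole field, so "bgadmin" never matches
# "bgadmin2", and it is never interpreted as a regular expression.
match_breakglass() {
    awk -v acct="$1" '
    # Web UI: httpd2: HTTP login from <ip> as <user>
    index($0, "httpd2: HTTP login from ") && $NF == acct {
        print "ALERT webui-login user=" acct " src=" $(NF-2); fflush(); next
    }
    # SSH/console: clish[<pid>]: User <user> logged in with <perm> permission
    index($0, "clish[") && NF >= 7 && $(NF-6) == "User" &&
    $(NF-5) == acct && $(NF-4) == "logged" {
        print "ALERT clish-login user=" acct " perm=" $(NF-1); fflush(); next
    }
    # Expert mode: clish[<pid>]: cmd by <user>: Start executing : expert
    index($0, " cmd by " acct ": Start executing : expert") {
        print "ALERT expert-mode user=" acct; fflush()
    }'
}

# Constructed sample lines (prefix format assumed) in the shape of /var/log/messages.
sample_log() {
    cat <<'EOF'
Mar  3 02:14:07 gw1 httpd2: HTTP login from 192.0.2.1 as bgadmin
Mar  3 02:15:10 gw1 httpd2: HTTP login from 192.0.2.7 as bgadmin2
Mar  3 02:16:31 gw1 clish[75304]: User bgadmin logged in with ReadWrite permission
Mar  3 02:16:40 gw1 clish[75304]: cmd by bgadmin: Start executing : expert
Mar  3 02:20:02 gw1 clish[75310]: User admin logged in with ReadWrite permission
EOF
}

# Offline demonstration on the sample lines. For live use, feed the function from
# "tail -F /var/log/messages" and pipe its output to a site-specific notifier.
sample_log | match_breakglass "$ACCT"
```

Because the alert is generated on the same host the account logs in to, forwarding the ALERT lines off-box keeps the record out of reach of whoever is using the account.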


6 Replies
the_rock
MVP Gold
flachance
MVP Silver

Helps with SmartConsole login but it doesn't look like it reports on logins from the web UI.

G_W_Albrecht
MVP Silver

I would ask TAC if this is possible at all - but I do not think so...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
flachance
MVP Silver

Thanks Timothy. I now can see Web UI logins in SmartConsole logs. Now I have to figure out SmartEvent to get a reaction for logins with a specific admin account.

AaronCP
Advisor