Christian_Garci
Participant

Change Expert Password For many FW

Hi Mates,

Is it possible to change the expert password for many FWs at the same time?

We have many FWs managed by a Server Management R 77.30 and we need to change the expert password for about 30 FW 1430.

 

Thanks

Danny
Champion

Solution 1

Create a little Bash script that executes the following command for every gateway and run on your firewall management:

$CPDIR/bin/cprid_util -server <IP_address_of_Security_Gateway> -verbose rexec -rcmd /bin/clish -s -c 'set expert password-hash <NEW_HASH>'

 

Solution 2

Use an expect script on your firewall management to login to all your appliances and change the expert password. Example:

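#!/usr/bin/expect

# Connection settings and the clish command to run on the appliance
set HOST     "192.168.10.1"
set LOGIN    "admin"
set PASSWORD "password"
set COMMAND  "set expert password-hash NEW_HASH"
set timeout  60

# Open the SSH session (-C compression, -x no X11 forwarding)
spawn ssh -C -x -l $LOGIN $HOST
expect {
# First connection: accept the host key prompt, then send the password
"fingerprint" {
    send "yes\n"
    expect "word: $"
    send "$PASSWORD\n"
    }
# Host key already known: send the password directly
"word: $" {
    send "$PASSWORD\n"
    }
}
# Wait for the clish prompt, set the new hash, then persist the change
expect ">"
send "$COMMAND\n"
expect ">"
send "save config\n"
expect ">"
send "exit\n"
# Wait for the SSH session to close before the script ends
expect eof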
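
Added example, not part of the original posts: one way to write the "little Bash script" from Solution 1, running the same cprid_util command once per gateway and reporting which gateways failed. The gateway list file, the DRY_RUN switch and the function names are assumptions, and the hash is assumed to be a crypt-style string prepared beforehand.

```bash
#!/bin/bash
# Added example (not from the thread): run the Solution 1 command once per gateway.
# Assumed inputs: $1 = file with one gateway IPv4 per line ('#' starts a comment),
# $2 = the new hash. DRY_RUN=1 (hypothetical switch) prints the commands instead.

# Accept only dotted-quad IPv4 so a malformed list entry never becomes an argument.
valid_ipv4() {
    case $1 in *[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ ${#o} -le 3 ] && [ "$o" -le 255 ] || return 1
    done
}

# Assumption: the hash is crypt-style ($id$salt$digest), so only these characters
# are allowed; spaces, quotes and ';' would otherwise alter the clish command.
valid_hash() {
    case $1 in ''|*[!A-Za-z0-9./\$]*) return 1 ;; esac
}

# Same cprid_util invocation as in the post, built as an argument vector.
push_hash() {
    set -- "$CPDIR/bin/cprid_util" -server "$1" -verbose rexec \
        -rcmd /bin/clish -s -c "set expert password-hash $2"
    if [ -n "${DRY_RUN:-}" ]; then echo "$*"; return 0; fi
    "$@" < /dev/null    # keep the child from consuming the gateway list on stdin
}

# Loop over the list, keep going after a failure, and report per-gateway results.
change_all() {
    list=$1 hash=$2 ok=0 failed=0
    valid_hash "$hash" || { echo "refusing malformed hash" >&2; return 2; }
    while IFS= read -r gw || [ -n "$gw" ]; do
        gw=$(printf '%s' "${gw%%#*}" | tr -d '[:space:]')
        [ -n "$gw" ] || continue
        if valid_ipv4 "$gw" && push_hash "$gw" "$hash"; then
            ok=$((ok + 1))
        else
            echo "FAILED: $gw" >&2; failed=$((failed + 1))
        fi
    done < "$list"
    echo "ok=$ok failed=$failed"
    [ "$failed" -eq 0 ]
}

if [ $# -eq 2 ]; then change_all "$1" "$2"; fi
```

Running it first with DRY_RUN=1 shows the exact command line each gateway would receive without changing anything.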

Anything that is available in cprid is also available using the "run script" Management API command.

run script command: Check Point - Management API reference 

So either using the mgmt_cli executable on the Management server, or from the command-line inside SmartConsole GUI, or using REST calls with your favorite scripting language, should be something like:

run-script script-name "changing expert password" script "set expert password-hash NEW_HASH" targets.1 "corporate-gateway" targets.2 "branchOfficeGW" 

Please note that run-script returns a task, and that task should be polled to see whether it succeeded or failed using the show tasks command: Check Point - Management API reference 

Danny
Champion

FYI: For the 30x 1430 SMB Appliances that this thread was opened for there is a limitation when trying to execute scripts directly from within the GUI.


I didn't notice the appliance, sorry.. I suppose the API / command-line option would not work in this case either because it calls the same cprid wrapper, even though this is possible with cprid.
