
Change Expert Password For many FW

Hi Mates,

Is it possible to change the expert password for many FW at the same time?

We have many FW managed by a Management Server R77.30 and we need to change the expert password for about 30 FW 1430.



0 Kudos

Solution 1

Create a little Bash script that executes the following command for every gateway and run on your firewall management:

$CPDIR/bin/cprid_util -server <IP_address_of_Security_Gateway> -verbose rexec -rcmd /bin/clish -s -c 'set expert password-hash <NEW_HASH>'


Solution 2

Use an expect script on your firewall management to login to all your appliances and change the expert password. Example:


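#!/usr/bin/expect -f
# Gateway address, login and the clish command to run
set HOST     ""
set LOGIN    "admin"
set PASSWORD "password"
set COMMAND  "set expert password-hash NEW_HASH"
set timeout  60

spawn ssh -C -x -l $LOGIN $HOST
# Accept the host key on first connection, then send the password
expect {
    "fingerprint" {
        send "yes\n"
        expect "word: $"
        send "$PASSWORD\n"
    }
    "word: $" {
        send "$PASSWORD\n"
    }
}
# Wait for the clish prompt, set the new hash, save and log out
expect ">"
send "$COMMAND\n"
expect ">"
send "save config\n"
expect ">"
send "exit\n"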

Anything that is available in cprid is also available using the "run script" Management API command.

run script command: Check Point - Management API reference 

So either using the mgmt_cli executable on the Management server, or from the command-line inside SmartConsole GUI, or using REST calls with your favorite scripting language, should be something like:

run-script script-name "changing expert password" script "set expert password-hash NEW_HASH" targets.1 "corporate-gateway" targets.2 "branchOfficeGW" 

Please note that run-script returns a task, and that task should be polled to see whether it succeeded or failed using the show tasks command: Check Point - Management API reference 


FYI: For the 30x 1430 SMB Appliances that this thread was opened for there is a limitation when trying to execute scripts directly from within the GUI.

0 Kudos

I didn't notice the appliance, sorry. I suppose the API / command-line option would not work in this case either because it calls the same cprid wrapper, even though this is possible with cprid.

0 Kudos
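Solution 1 above, written out as the per-gateway loop it suggests. This is an added example, not code posted by anyone in the thread; the list-file format, the function names and the crypt-style hash check are assumptions, and only the `cprid_util` command line itself comes from the thread.

```sh
#!/bin/sh
# Added example (not from the thread): Solution 1's command, run per gateway.
DRY_RUN=${DRY_RUN:-1}   # 1 = only print the commands, 0 = execute them

# Accept only dotted-quad IPv4 addresses with every octet <= 255.
valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for octet in $(printf '%s' "$1" | tr '.' ' '); do
        [ "$octet" -le 255 ] || return 1
    done
}

# Assumption: the hash is crypt(3)-style, so only [A-Za-z0-9./$] may appear.
# Anything else (quotes, spaces, ';') is rejected before it reaches clish.
valid_hash() {
    case $1 in
        ''|*[!A-Za-z0-9./\$]*) return 1 ;;
    esac
}

# Print (dry run) or execute the cprid_util call for one gateway.
push_hash() {
    if [ "$DRY_RUN" = 1 ]; then
        printf "%s -server %s -verbose rexec -rcmd /bin/clish -s -c 'set expert password-hash %s'\n" \
            '$CPDIR/bin/cprid_util' "$1" "$2"
    else
        # </dev/null keeps cprid_util from consuming the gateway list on stdin.
        "$CPDIR/bin/cprid_util" -server "$1" -verbose rexec \
            -rcmd /bin/clish -s -c "set expert password-hash $2" </dev/null
    fi
}

# rotate_all LIST_FILE HASH: one gateway IP per line, '#' starts a comment.
# Returns how many entries were invalid or had cprid_util exit non-zero.
rotate_all() {
    valid_hash "$2" || { echo "refusing malformed hash" >&2; return 255; }
    failed=0
    while read -r gw rest || [ -n "$gw" ]; do
        case $gw in ''|'#'*) continue ;; esac
        if valid_ipv4 "$gw" && push_hash "$gw" "$2"; then
            echo "OK   $gw" >&2
        else
            echo "FAIL $gw" >&2
            failed=$((failed + 1))
        fi
    done < "$1"
    return "$failed"
}

if [ "$#" -eq 2 ]; then rotate_all "$1" "$2"; fi
```

Run it once with the default `DRY_RUN=1` to review the generated commands, then with `DRY_RUN=0` on the management server; pass the hash in single quotes so the local shell does not expand its `$` characters.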