This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Mick_OToole
Participant
‎2018-01-29 06:55 AM
Jump to solution

Modifying User Permissions

Good afternoon all,

We upgraded our Check Point Management server at the weekend with no problems, well, almost no problems!

Unfortunately we have a superuser account in SmartConsole of an ex-employee and all other accounts being either read only or administrator. 

We would like to escalate the privileges of one of the administrator accounts to be SuperUser however I am struggling to figure out how this can be done.

I have access to Clish and Expert mode but I can't see how to change the passwords of the user accounts using either of these options .... HELP!

0 Kudos
1 Solution

Accepted Solutions
EdesLC
Collaborator
‎2018-01-29 08:28 AM
In response to Mick_OToole
Jump to solution

Which one is your "admin" user? You can use "cpconfig" (for MDS: "mdsconfig") to delete this user and then you can create the "admin" user again and set up the password.

[Expert@mds:0]# mdsconfig


Welcome to Multi-Domain Server Configuration Program
=================================================================
This program will let you re-configure your Multi-Domain Server configuration.


Configuration Options:
----------------------
(1) Leading VIP Interfaces
(2) Licenses
(3) Random Pool
(4) Groups
(5) Certificate's Fingerprint
(6) Administrators
(7) GUI clients
(8) Automatic Start of Multi-Domain Server
(9) P1Shell
(10) Start Multi-Domain Server Password
(11) IPv6 Support for Multi-Domain Server
(12) IPv6 Support for Existing Domain Management Servers

(13) Exit

Enter your choice (1-13): 6

Configuring Administrators...
=============================
Following is a list of the currently defined Administrators
and their Multi-Domain permission levels:

1) user1 Domain Manager
2) user2 Multi-Domain Superuser
3) user3 Domain Manager
4) user4 Domain Manager

5) admin Multi-Domain Superuser

Do you want to add Administrators (y/n) [y] ?

*I used a MDS for example because I am already connected in this. Just an example.

View solution in original post

9 Replies
Daniel_Fischler
Contributor
Contributor
‎2018-01-29 08:01 AM
Jump to solution

you should be able to change the admin password (the default user) using the cpconfig. Try sk56520.

basicaly you have to delete the user called admin and in the same session you have to immediately add again the user admin. Then you can set a new password without knowing the old one.

This user should be able to do anything....

CCSM-E | CCVS
0 Kudos
EdesLC
Collaborator
‎2018-01-29 08:13 AM
Jump to solution

Can't you use "#fwm -a" to change this password?

0 Kudos
Mick_OToole
Participant
‎2018-01-29 08:19 AM
Jump to solution

This is not the admin password that I am trying to change. This is a SmartConsole user account. The previous admin was a SuperUser but we no longer have that users password. Is there a way to escalate one of the accounts that has Full-Access to Super User status? See attached image.SmartConsole Permissions and Administrators

0 Kudos
EdesLC
Collaborator
‎2018-01-29 08:28 AM
In response to Mick_OToole
Jump to solution

Which one is your "admin" user? You can use "cpconfig" (for MDS: "mdsconfig") to delete this user and then you can create the "admin" user again and set up the password.

[Expert@mds:0]# mdsconfig


Welcome to Multi-Domain Server Configuration Program
=================================================================
This program will let you re-configure your Multi-Domain Server configuration.


Configuration Options:
----------------------
(1) Leading VIP Interfaces
(2) Licenses
(3) Random Pool
(4) Groups
(5) Certificate's Fingerprint
(6) Administrators
(7) GUI clients
(8) Automatic Start of Multi-Domain Server
(9) P1Shell
(10) Start Multi-Domain Server Password
(11) IPv6 Support for Multi-Domain Server
(12) IPv6 Support for Existing Domain Management Servers

(13) Exit

Enter your choice (1-13): 6

Configuring Administrators...
=============================
Following is a list of the currently defined Administrators
and their Multi-Domain permission levels:

1) user1 Domain Manager
2) user2 Multi-Domain Superuser
3) user3 Domain Manager
4) user4 Domain Manager

5) admin Multi-Domain Superuser

Do you want to add Administrators (y/n) [y] ?

*I used a MDS for example because I am already connected in this. Just an example.

Vladimir
Champion
Champion
‎2018-01-29 08:26 AM
Jump to solution

Yep. So long as you have the credentials for the now absent admin.

Otherwise, as long as one of your existing users have permission to edit Gaia config, there was a trick of copy/pasting the non-expert user's password hash instead of the existing one and this should reset your expert-password to the known one.

Than you can proceed changing default user's credentials.

I.e.: 

GW8010> set user admin password-hash $1$BBXc[B`B$i?????????.????????Pp0AM1
GW8010> save config

GW8010> set expert-password-hash $1$UcDP?????????????????????L4wUwiF/
GW8010> save config
GW8010> expert
Enter expert password: NewExpertPassword

0 Kudos
Mick_OToole
Participant
‎2018-01-29 08:37 AM
Jump to solution

I'm not sure if I'm missing something here or if I'm not explaining myself properly so apologies in advance.

I have the admin password and I can log into clish and expert mode however this admin password cannot be used to log into SmartConsole. Only the users listed in the image in my last post can log into SmartConsole (none of them are the user "admin")

0 Kudos
EdesLC
Collaborator
‎2018-01-29 08:48 AM
In response to Mick_OToole
Jump to solution

Open "cpconfig" and go to Administrators, show us the result. Please.

0 Kudos
Vladimir
Champion
Champion
‎2018-01-29 08:41 AM
Jump to solution

What is the user name listed in cpconfig?

0 Kudos
Mick_OToole
Participant
‎2018-01-29 08:51 AM
Jump to solution

Sorry guys, I had a bit of a brain fart. Followed the suggestions above and got it sorted.

Thanks to all that responded

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events