Solved: Re: R81.10 has sessions for SuperUsers with " @maa...

Hug_for_my_Bug · ‎2021-07-19

Hi,

Noticed in R81.10 that there are a number of SuperUsers accounts
cachemanager@maas, healthcheck@maas, internal@maas, sessionmanager@maas, and web_mgmt_admin

The sessions tabs ALWAYS has live sessions for cachemanager@maas and we've not seen this prior to R81.10

Can anyone enlighten me on what these are?

Because they are MaaS we want to confirm their activity is not exfiltrating logs (or anything similar) from the environment.

I've raise a case with Check Point to ask them to advise but thought I'd ask here as well.

Thank you

Quantum Security Management

#R81 #MaaS

Itamar_Tubul · ‎2021-07-19

Hi,

These admins (and sessions) are related to Harmony Endpoint Web UI service.

They are created when running web UI script which generated API keys for them so it’s not static keys and they are not stored anywhere (we pass them as environment variables to the Docker container).

They are created for background operation required by Web UI service when there is no active session (cache building and cache update).

Checking the option fixing it for the next jumbo hotfix.

I hope it clears the things.

Itamar.

View solution in original post

Itamar_Tubul · ‎2021-07-19

Hi,

These admins (and sessions) are related to Harmony Endpoint Web UI service.

They are created when running web UI script which generated API keys for them so it’s not static keys and they are not stored anywhere (we pass them as environment variables to the Docker container).

They are created for background operation required by Web UI service when there is no active session (cache building and cache update).

Checking the option fixing it for the next jumbo hotfix.

I hope it clears the things.

Itamar.

PhoneBoy · ‎2021-07-19

They also show up in the Demo Mode servers as well, FYI.

StackCap43382 · ‎2023-01-12

Just to make it additionally clear this is not just on MAAS deployments of Endpoint servers.

Any r81 or above Endpoint deployment will contain the Endpoint web management portal and these accounts will be created and appear in the Management active administrator Sessions list from 127.0.0.1.

CCSME, CCTE, CCME, CCVS

PhoneBoy · ‎2023-01-12

They are also used for SmartConsole Web (available from R81 and above), thus it will also apply to Network Security management as well.

zaoar · ‎2023-04-05

Hi,

since those account kind of working locally in the background all the time, they make a mess in audit logs where i want to see and manage my actual users logs. Sure i can exclude them in the Rule above, but is there any plan from checkpoint to not show those users in administrators and audit logs since there is not much point?

What happens if I delete these accounts? Are they going to be created again automatically next time i use webUI?

thanks

Itamar_Tubul · ‎2023-04-07

Hi,

We are working on other alternatives that won't require us show those users in administrators and audit logs.

Currently, planned for next release.

We are also checking the option to fix it in Jumbo hotfix releases.

Itamar.

Greg_Harbers · ‎2023-12-19

Hi Itamar,

Is there any update on this? Running R81.20 T26 and are still seeing a lot of sessions from internal@mass and sessionmanager@mass.

Thanks

PhoneBoy · ‎2023-12-19

By "next release" I assume it means R82.

mormarko · ‎2025-02-20

Hi, I guess this is still relevant...

because I just upgraded a MGMT to R81.10 last recommended take 172 and suddenly I see those users that were not there before..

this is very annoying, why I need to see those users as currently active admins?

Tal_Paz-Fridman · ‎2025-02-20

We had a ticket opened for this issue and it was fixed in R82.

mormarko

but R82 is not recomended version yet.

there won't be any other solution for R81.10 or R81.20?

thanks

Are you a member of CheckMates?

R81.10 has sessions for SuperUsers with " @maas "