This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Hug_for_my_Bug
Explorer
‎2021-07-19 04:02 AM
Jump to solution

R81.10 has sessions for SuperUsers with " @maas "

Hi,


Noticed in R81.10 that there are a number of SuperUsers accounts
cachemanager@maas, healthcheck@maas, internal@maas, sessionmanager@maas, and web_mgmt_admin

The sessions tabs ALWAYS has live sessions for cachemanager@maas and we've not seen this prior to R81.10

Can anyone enlighten me on what these are?

Because they are MaaS we want to confirm their activity is not exfiltrating logs (or anything similar) from the environment.

I've raise a case with Check Point to ask them to advise but thought I'd ask here as well.

Thank you

 

Quantum Security Management 

#R81 #MaaS

 

Quantum Security Management
Quantum Security Management
Quantum
0 Kudos
1 Solution

Accepted Solutions
Itamar_Tubul
Employee Alumnus
Employee Alumnus
‎2021-07-19 08:23 AM
Jump to solution

Hi,

These admins (and sessions) are related to Harmony Endpoint Web UI service.

They are created when running web UI script which generated API keys for them so it’s not static keys and they are not stored anywhere (we pass them as environment variables to the Docker container).  

They are created for background operation required by Web UI service when there is no active session (cache building and cache update).

Checking the option fixing it for the next jumbo hotfix. 

I hope it clears the things. 

Itamar.

View solution in original post

11 Replies
Itamar_Tubul
Employee Alumnus
Employee Alumnus
‎2021-07-19 08:23 AM
Jump to solution

Hi,

These admins (and sessions) are related to Harmony Endpoint Web UI service.

They are created when running web UI script which generated API keys for them so it’s not static keys and they are not stored anywhere (we pass them as environment variables to the Docker container).  

They are created for background operation required by Web UI service when there is no active session (cache building and cache update).

Checking the option fixing it for the next jumbo hotfix. 

I hope it clears the things. 

Itamar.

PhoneBoy
Admin
Admin
‎2021-07-19 12:42 PM
In response to Itamar_Tubul
Jump to solution

They also show up in the Demo Mode servers as well, FYI.

0 Kudos
StackCap43382
Collaborator
Collaborator
‎2023-01-12 02:20 AM
In response to Itamar_Tubul
Jump to solution

Just to make it additionally clear this is not just on MAAS deployments of Endpoint servers.

Any r81 or above Endpoint deployment will contain the Endpoint web management portal and these accounts will be created and appear in the Management active administrator Sessions list from 127.0.0.1.

 

 

CCSME, CCTE, CCME, CCVS
0 Kudos
PhoneBoy
Admin
Admin
‎2023-01-12 08:17 AM
In response to StackCap43382
Jump to solution

They are also used for SmartConsole Web (available from R81 and above), thus it will also apply to Network Security management as well.

0 Kudos
zaoar
Participant
‎2023-04-05 08:22 AM
In response to PhoneBoy
Jump to solution

Hi,

 

since those account kind of working locally in the background all the time, they make a mess in audit logs where i want to see and manage my actual users logs. Sure i can exclude them in the Rule above, but is there any plan from checkpoint to not show those users in administrators and audit logs since there is not much point? 

What happens if I delete these accounts? Are they going to be created again automatically next time i use webUI? 

 

thanks

 

 

0 Kudos
Itamar_Tubul
Employee Alumnus
Employee Alumnus
‎2023-04-07 01:16 AM
In response to zaoar
Jump to solution

Hi,

We are working on other alternatives that won't require us show those users in administrators and audit logs.

Currently, planned for next release.

We are also checking the option to fix it in Jumbo hotfix releases.

 

Itamar. 

Greg_Harbers
Collaborator
‎2023-12-19 01:14 PM
In response to Itamar_Tubul
Jump to solution

Hi Itamar,

Is there any update on this? Running R81.20 T26 and are still seeing a lot of sessions from internal@mass and sessionmanager@mass

Thanks

0 Kudos
PhoneBoy
Admin
Admin
‎2023-12-19 06:04 PM
In response to Greg_Harbers
Jump to solution

By "next release" I assume it means R82.

0 Kudos
mormarko
Participant
‎2025-02-20 02:48 AM
In response to Itamar_Tubul
Jump to solution

Hi, I guess this is still relevant...

because I just upgraded a MGMT to R81.10 last recommended take 172 and suddenly I see those users that were not there before..

this is very annoying, why I need to see those users as currently active admins?

 

Preview file
7 KB
0 Kudos
Tal_Paz-Fridman
Employee
Employee
‎2025-02-20 04:16 AM
In response to mormarko
Jump to solution

We had a ticket opened for this issue and it was fixed in R82.

0 Kudos
mormarko
Participant
‎2025-03-27 05:55 AM
In response to Tal_Paz-Fridman
Jump to solution

but R82 is not recomended version yet.

there won't be any other solution for R81.10 or R81.20?

 

thanks

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events