Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Hug_for_my_Bug
Explorer
Jump to solution

R81.10 has sessions for SuperUsers with " @maas "

Hi,


Noticed in R81.10 that there are a number of SuperUsers accounts
cachemanager@maas, healthcheck@maas, internal@maas, sessionmanager@maas, and web_mgmt_admin

The sessions tabs ALWAYS has live sessions for cachemanager@maas and we've not seen this prior to R81.10

Can anyone enlighten me on what these are?

Because they are MaaS we want to confirm their activity is not exfiltrating logs (or anything similar) from the environment.

I've raise a case with Check Point to ask them to advise but thought I'd ask here as well.

Thank you

 

Quantum Security Management 

#R81 #MaaS

 

0 Kudos
1 Solution

Accepted Solutions
Itamar_Tubul
Employee
Employee

Hi,

These admins (and sessions) are related to Harmony Endpoint Web UI service.

They are created when running web UI script which generated API keys for them so it’s not static keys and they are not stored anywhere (we pass them as environment variables to the Docker container).  

They are created for background operation required by Web UI service when there is no active session (cache building and cache update).

Checking the option fixing it for the next jumbo hotfix. 

I hope it clears the things. 

Itamar.

View solution in original post

8 Replies
Itamar_Tubul
Employee
Employee

Hi,

These admins (and sessions) are related to Harmony Endpoint Web UI service.

They are created when running web UI script which generated API keys for them so it’s not static keys and they are not stored anywhere (we pass them as environment variables to the Docker container).  

They are created for background operation required by Web UI service when there is no active session (cache building and cache update).

Checking the option fixing it for the next jumbo hotfix. 

I hope it clears the things. 

Itamar.

PhoneBoy
Admin
Admin

They also show up in the Demo Mode servers as well, FYI.

0 Kudos
StackCap43382
Contributor

Just to make it additionally clear this is not just on MAAS deployments of Endpoint servers.

Any r81 or above Endpoint deployment will contain the Endpoint web management portal and these accounts will be created and appear in the Management active administrator Sessions list from 127.0.0.1.

 

 

CCSME, CCTE, CCME, CCVS
0 Kudos
PhoneBoy
Admin
Admin

They are also used for SmartConsole Web (available from R81 and above), thus it will also apply to Network Security management as well.

0 Kudos
zaoar
Participant

Hi,

 

since those account kind of working locally in the background all the time, they make a mess in audit logs where i want to see and manage my actual users logs. Sure i can exclude them in the Rule above, but is there any plan from checkpoint to not show those users in administrators and audit logs since there is not much point? 

What happens if I delete these accounts? Are they going to be created again automatically next time i use webUI? 

 

thanks

 

 

0 Kudos
Itamar_Tubul
Employee
Employee

Hi,

We are working on other alternatives that won't require us show those users in administrators and audit logs.

Currently, planned for next release.

We are also checking the option to fix it in Jumbo hotfix releases.

 

Itamar. 

Greg_Harbers
Collaborator

Hi Itamar,

Is there any update on this? Running R81.20 T26 and are still seeing a lot of sessions from internal@mass and sessionmanager@mass

Thanks

0 Kudos
PhoneBoy
Admin
Admin

By "next release" I assume it means R82.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events