Solved: Re: R81.20 Grub password

S_E_ · ‎2022-12-05

Hi

after upgrade of a smart-1 appliance from R81.10 to R81.20 following appeared.

Warning! Grub default password hasn't been changed. Sign in to clish and use 'set grub2-password' to change it.
Breaking News: HCP version updated! To see an overview of your machine health, run 'hcp -r all'. For further information please see sk171436

Seems to be new that there is now a need to setup a grub-password. Could not see any details in R81.20 admin guide.

Regards

[Expert@SMS:0]# hcp -v
HCP Take: 58
HCP RPM Build: hcp-1-592021.i386

[Expert@fSMS:0]# cpstat mg

Product Name: Check Point Security Management Server
Major version: 6
Minor version: 0
Build number: 997000440
Is started: 1
Active status: active

G_W_Albrecht · ‎2022-12-05

I have upgraded my ESX VMs from R81.10 to R81.20 and had the same warning both on SMS and GW !

Reason: See R81.20 (Titan) Release Notes: Software Changes

This section describes behavior changes from previous versions.

Gaia - The password for the Gaia GRUB (boot loader - maintenance mode) is a dedicated password (separated from the Expert mode password). You can configure the Gaia GRUB password during the Gaia First Time Configuration Wizard, or after the Gaia installation.

--> This is a new feature as the former expert pass also was the grub / maintenance mode PW...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

View solution in original post

sharonab · ‎2022-12-05

More info can be found in admin guide :

https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_Gaia_AdminGuide/Content/Topi...

if grub password has not been set post upgrade ,we recommend it is set post upgrade , via the clish/webui tools .

View solution in original post

the_rock · ‎2022-12-05

Hm, thats very odd, because I updated my R81.10 lab, though it was VM only, not smart-1, but never noticed that at all. Hope someone from CP can comment. Also did brand new R81.10 lab (mgmt + single gateway) and never seen it there either.

Andy

G_W_Albrecht · ‎2022-12-05

I have upgraded my ESX VMs from R81.10 to R81.20 and had the same warning both on SMS and GW !

Reason: See R81.20 (Titan) Release Notes: Software Changes

This section describes behavior changes from previous versions.

Gaia - The password for the Gaia GRUB (boot loader - maintenance mode) is a dedicated password (separated from the Expert mode password). You can configure the Gaia GRUB password during the Gaia First Time Configuration Wizard, or after the Gaia installation.

--> This is a new feature as the former expert pass also was the grub / maintenance mode PW...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

the_rock · ‎2022-12-05

Thats weird then why I never got that when I upgraded my VM...unless it happens ONLY when you upgrade physical appliance?

S_E_ · ‎2022-12-05

ok, so 'can' sounds like optional and not mandatory.

Thanks,

Regards

sharonab · ‎2022-12-05

More info can be found in admin guide :

https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_Gaia_AdminGuide/Content/Topi...

if grub password has not been set post upgrade ,we recommend it is set post upgrade , via the clish/webui tools .

Magnus-Holmberg · ‎2023-08-01

The wording is GRUB default password has not been changed, what is the default password for it?

https://www.youtube.com/c/MagnusHolmberg-NetSec

sharonab · ‎2023-08-01

Why do you require the default password ?

You should set the password via available commands in clish/webui or during FTW.

if system is not available to set password and you require to enter maintenance mode/revert to snapshot via grub , please open support case , and they can assist .

the_rock · ‎2023-08-01

I remember when setting up brand new R81.20, it asked me to set grub password, so I just used same password as expert. Never had to use it, but it can be set with followint command in clish:

quantum-firewall> set grub
grub2-password - Set user admin Grub2 password by plain text
grub2-password-hash - Set user admin Grub2 password by salted hash
quantum-firewall> set grub2-password
quantum-firewall> set grub2-password
Enter new grub2 password:
Enter new grub2 password (again):
quantum-firewall> save config
quantum-firewall> exit
[Expert@quantum-firewall:0]#

sloddo · ‎2023-08-09

Is this something that can be set/scripted by the mgmt_cli command in batch mode?

G_W_Albrecht · ‎2022-12-06

This is a new level of security, now you have:

user PW for clish
expert PW for bash
grub PW for maintenance mode

It does make sense to differentiate here, but you can use the same PW for all if you want (less hassle for Lab deployments)

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

the_rock · ‎2023-08-01

Agree! Thats what I do in my lab as well.

Andy

Are you a member of CheckMates?

R81.20 Grub password