This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
S_E_
Advisor
‎2022-12-05 05:53 AM
Jump to solution

R81.20 Grub password

Hi

after upgrade of a smart-1 appliance from R81.10 to R81.20 following appeared.

Warning! Grub default password hasn't been changed. Sign in to clish and use 'set grub2-password' to change it.
Breaking News: HCP version updated! To see an overview of your machine health, run 'hcp -r all'. For further information please see sk171436

Seems to be new that there is now a need to setup a grub-password. Could not see any details in R81.20 admin guide.

Regards

 

[Expert@SMS:0]# hcp -v
HCP Take: 58
HCP RPM Build: hcp-1-592021.i386

[Expert@fSMS:0]# cpstat mg

Product Name: Check Point Security Management Server
Major version: 6
Minor version: 0
Build number: 997000440
Is started: 1
Active status: active

 

 

 

0 Kudos
2 Solutions

Accepted Solutions
G_W_Albrecht
Legend Legend
Legend
‎2022-12-05 06:26 AM
Jump to solution

I have upgraded my ESX VMs from R81.10 to R81.20 and had the same warning both on SMS and GW !

Reason: See R81.20 (Titan) Release Notes: Software Changes

This section describes behavior changes from previous versions.

Gaia - The password for the Gaia GRUB (boot loader - maintenance mode) is a dedicated password (separated from the Expert mode password). You can configure the Gaia GRUB password during the Gaia First Time Configuration Wizard, or after the Gaia installation.

--> This is a new feature as the former expert pass also was the grub / maintenance mode PW...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

View solution in original post

(1)
sharonab
Employee
Employee
‎2022-12-05 08:34 AM
In response to S_E_
Jump to solution

More info can be found in admin guide :

https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_Gaia_AdminGuide/Content/Topi... 

 

if grub password has not been set post upgrade ,we recommend it is set post upgrade , via the clish/webui tools .

View solution in original post

0 Kudos
11 Replies
the_rock
Legend
Legend
‎2022-12-05 05:57 AM
Jump to solution

Hm, thats very odd, because I updated my R81.10 lab, though it was VM only, not smart-1, but never noticed that at all. Hope someone from CP can comment. Also did brand new R81.10 lab (mgmt + single gateway) and never seen it there either.

Andy

0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2022-12-05 06:26 AM
Jump to solution

I have upgraded my ESX VMs from R81.10 to R81.20 and had the same warning both on SMS and GW !

Reason: See R81.20 (Titan) Release Notes: Software Changes

This section describes behavior changes from previous versions.

Gaia - The password for the Gaia GRUB (boot loader - maintenance mode) is a dedicated password (separated from the Expert mode password). You can configure the Gaia GRUB password during the Gaia First Time Configuration Wizard, or after the Gaia installation.

--> This is a new feature as the former expert pass also was the grub / maintenance mode PW...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
(1)
the_rock
Legend
Legend
‎2022-12-05 06:33 AM
In response to G_W_Albrecht
Jump to solution

Thats weird then why I never got that when I upgraded my VM...unless it happens ONLY when you upgrade physical appliance?

0 Kudos
S_E_
Advisor
‎2022-12-05 06:38 AM
In response to G_W_Albrecht
Jump to solution

ok, so 'can' sounds like optional and not mandatory.

Thanks,

Regards

0 Kudos
sharonab
Employee
Employee
‎2022-12-05 08:34 AM
In response to S_E_
Jump to solution

More info can be found in admin guide :

https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_Gaia_AdminGuide/Content/Topi... 

 

if grub password has not been set post upgrade ,we recommend it is set post upgrade , via the clish/webui tools .

0 Kudos
Magnus-Holmberg
Advisor
Advisor
‎2023-08-01 01:46 AM
In response to sharonab
Jump to solution

The wording is GRUB default password has not been changed, what is the default password for it?

https://www.youtube.com/c/MagnusHolmberg-NetSec
0 Kudos
sharonab
Employee
Employee
‎2023-08-01 01:52 AM
In response to Magnus-Holmberg
Jump to solution

Why do you require the default password ?

You should set the password via available commands in clish/webui or during FTW.

if system is not available to set password and you require to enter maintenance mode/revert to snapshot via grub  , please open support case , and they can assist . 

 

0 Kudos
the_rock
Legend
Legend
‎2023-08-01 05:16 AM
In response to sharonab
Jump to solution

I remember when setting up brand new R81.20, it asked me to set grub password, so I just used same password as expert. Never had to use it, but it can be set with followint command in clish:

quantum-firewall> set grub
grub2-password - Set user admin Grub2 password by plain text
grub2-password-hash - Set user admin Grub2 password by salted hash
quantum-firewall> set grub2-password
quantum-firewall> set grub2-password
Enter new grub2 password:
Enter new grub2 password (again):
quantum-firewall> save config
quantum-firewall> exit
[Expert@quantum-firewall:0]#

 

0 Kudos
sloddo
Explorer
‎2023-08-09 08:36 AM
In response to the_rock
Jump to solution

Is this something that can be set/scripted by the mgmt_cli command in batch mode?

0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2022-12-06 12:46 AM
In response to S_E_
Jump to solution

This is a new level of security, now you have:

  • user PW for clish
  • expert PW for bash
  • grub PW for maintenance mode

It does make sense to differentiate here, but you can use the same PW for all if you want (less hassle for Lab deployments)

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
the_rock
Legend
Legend
‎2023-08-01 05:16 AM
In response to G_W_Albrecht
Jump to solution

Agree! Thats what I do in my lab as well.

Andy

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events