
R80 GUI Admin locked out and unable to unlock


Does anyone know how to unlock a GUI admin once locked out? The CLI command seems to be removed, and we have no idea how to unlock an admin account once it is locked besides deleting and recreating it.

7 Replies

Re: R80 GUI Admin locked out and unable to unlock

The R77.XX "fwm lock_admin" command is no longer available in R80 and the unlock-administrator command in the R80 mgmt_cli appears to only be for MDM/Provider-1 as it complains about not being in the System Domain when you try to execute it.  This doesn't appear to be possible at all from clish/bash/mgmt_cli.

Only workaround I've been able to find is to uncheck the "Lockout Administrator's Account after X failed authentication attempts" checkbox under Manage & Settings...Permissions & Administrators...Advanced...Login Restrictions in the R80 SmartConsole.  Publish the change and any active administrator lockouts will be immediately cleared (an "Install Database" operation is not necessary).  Don't forget to recheck that box!

If all administrator accounts are locked out and you can't wait the default 30 minutes for the lockouts to clear, you'll have to run cpconfig on the SMS and create a new GUI Administrator account.

--

My book "Max Power: Check Point Firewall Performance Optimization"

now available via http://maxpowerfirewalls.com.

"IPS Immersion Training" Self-paced Video Class
Now Available at http://www.maxpowerfirewalls.com
Employee+

Re: R80 GUI Admin locked out and unable to unlock

Hi Tim Hall

In an SMC installation you also have this domain:

cpm=# select name,comments,dtype  from domainbase_data where dtype = 'SystemDomain';
    name     |                                   comments                                    |    dtype
-------------+-------------------------------------------------------------------------------+--------------
System Data | This domain holds all the system data such as Administrators, Domains, etc... | SystemDomain

In order to unlock an administrator in SMC, just type a command like this:

mgmt_cli -r true unlock-administrator name "admin" --format json -d "System Data"
{
  "message" : "OK"
}
---------------------------------------------
Time: [18:22:19] 25/11/2016
---------------------------------------------
"Publish operation"  succeeded  (100%)

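As an added example (not part of the original post and not Check Point code), here is a small shell wrapper around the command shown above that refuses option-like admin names and treats only a "message" : "OK" reply as success. The `MGMT_CLI` override, the function names and the allowed character set are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not Check Point code. Assumptions: run as root in expert mode
# on the SMS; MGMT_CLI is a hypothetical override so the wrapper can be tested
# without a management server; the allowed name characters are an assumption.

# Reject empty names, names starting with "-" (would be parsed as an option)
# and anything outside a conservative character set.
valid_admin_name() {
  case "$1" in
    ''|-*|*[!A-Za-z0-9._@-]*) return 1 ;;
  esac
  return 0
}

# Returns 0 only when the API answers "message" : "OK", 1 on any other
# outcome, 2 when the name is refused before anything is executed.
unlock_admin() {
  name=$1
  cli=${MGMT_CLI:-mgmt_cli}
  if ! valid_admin_name "$name"; then
    echo "refusing admin name: not in allowed character set" >&2
    return 2
  fi
  # Same invocation as in the post above; -r true uses the local root login.
  out=$("$cli" -r true unlock-administrator name "$name" \
        --format json -d "System Data" 2>&1) || {
    echo "unlock-administrator failed for $name: $out" >&2
    return 1
  }
  if printf '%s\n' "$out" | grep -Eq '"message"[[:space:]]*:[[:space:]]*"OK"'; then
    echo "unlocked: $name"
    return 0
  fi
  echo "unexpected reply for $name: $out" >&2
  return 1
}
```
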
Admin

Re: R80 GUI Admin locked out and unable to unlock

This can also be done in SmartConsole by right-clicking on the relevant administrator and selecting Unlock Administrator.

Employee

Re: R80 GUI Admin locked out and unable to unlock

When SmartConsole is connected to a security management server:
1. Open a command prompt on the management server

2. Login to the system data domain:
mgmt login user <admin name> password <admin password> domain "system data"

3. Use the "mgmt_cli" utility to run the unlock-administrator API command
mgmt_cli -s id.txt unlock-administrator name <name of locked admin>

When SmartConsole is connected to a multi-Domain server, you can run the “unlock-administrator” command directly on the API command line.
unlock-administrator name <name of locked admin>

Employee

Re: R80 GUI Admin locked out and unable to unlock

There's also a technical training video:

https://www.youtube.com/watch?v=RJP-GuSGXD0&feature=youtu.be

Employee

Re: R80 GUI Admin locked out and unable to unlock

Update: The unlock admin feature (in GUI and CLI) only works if "Check Point password" is the method used to authenticate to the security management server.

Employee+

Re: R80 GUI Admin locked out and unable to unlock

Hi all,

You could also refer to our Security Management R80.10 Administration Guide, section: Unlocking Administrators.

We also provide a video about how to modify the lock configuration.
