This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
vaibhavyagnik
Explorer
‎2025-07-28 05:23 AM
Jump to solution

Change expert user

Dear Checkpoint Checkmates,

I have a Checkpoint 1570R security appliance. It is running Gaia 81.10.17. The firewall is locally managed. Let us say User A is expert mode and he has set expert password. Now User A has left the organisation. He has given me the password and I am able to log in to his account and even enter expert mode. However, I want to

1. Change expert user to User B who is now in charge of administring the firewall

2. Delete User A account after verifying that User B is able to login to expert mode.

I have tried to login the firewall with User B login and do a expert set-password, but it fails with expert password not set. 

Also if I Login with User B and enter expert password set by User A, I get an incorrent login password error. Is it the expected behaviour? Is expert login linked to account which was used to set the expert password?

Thanks.

0 Kudos
3 Solutions

Accepted Solutions
PhoneBoy
Admin
Admin
‎2025-07-29 03:29 PM
Jump to solution

The expert mode password is not tied to a specific user.
You may need to consult with TAC here.

View solution in original post

Steffen_Appel
Advisor
‎2025-07-30 07:55 AM
Jump to solution

No it isnt, expert mode password is independant of the users password.

View solution in original post

the_rock
MVP Platinum
MVP Platinum
‎2025-07-30 06:50 PM
Jump to solution

For what is worth, here is AI explanatiion.

Andy

*************************

 

You're raising a very common and important question about expert mode management on locally managed Check Point 1570R appliances running Gaia Embedded (R81.10.17). Here's a clear explanation of the behavior you're seeing and how to transition expert access from User A to User B:

Key Concepts of Expert Mode in Locally Managed SMB Appliances (e.g., 1570R)

  1. Expert Mode Password is Global: Unlike Gaia OS on centrally managed systems, in locally managed SMB appliances, the expert password is not linked to a specific user account. It is a global password shared across users with CLI access.

  2. But Entry into Expert Mode is Restricted: Only users with appropriate permissions (admin, cli-admin) can enter expert mode — and they must use the global expert password set previously.

  3. Common Pitfall: If a new user (e.g., User B) is created after the expert password is set, and doesn't have the proper privileges, even if the expert password is correct, the user won't be allowed into expert mode.

🔍 Explanation of the Problem You're Seeing

  • User A had set the expert password while logged in as himself.

  • User B tries to use expert, but:

    • expert password not set: This may appear if User B is lacking the correct privileges or shell.

    • incorrect login password: This can happen if User B has the right permissions but the shell is misconfigured or environment is not correctly set up.

No, the expert password is not tied to a specific userbut user permissions and shell must be correct for that user to use expert.

What You Should Do

Step 1: Ensure User B Has Proper Permissions

Check and adjust the permissions of User B to allow CLI access and expert mode:

 

sh
# Log in as User A (who can still access expert mode) clish show users

 

 

Look at the role of User B. You want something like this:

 

sh
add user UserB uid 0 homedir /home/UserB shell /bin/bash set user UserB password set user UserB role admin

 

 

  • Make sure shell is /bin/bash (or /etc/cli.sh for SMB appliances depending on firmware).

  • Ensure the role is admin or super-user.

You may need to delete and recreate User B if the role/shell are incorrect and cannot be modified directly.

Step 2: Test Expert Access with User B

Now login as User B and run:

 

sh
expert

 

 

When prompted, enter the existing expert password that was set by User A. It should succeed if permissions and shell are correct.

Step 3: Change the Expert Password (Optional)

If User B now has access to expert mode, he can reset the expert password:

 

sh
set expert-password

 

 

This will prompt for a new expert password. From now on, this will be the global password for expert.

Step 4: Delete User A

Once you're sure everything works, you can safely remove User A:

 

sh
delete user UserA 

 

Summary

Task Command/Action
Ensure User B has admin role set user UserB role admin
Set shell to /bin/bash set user UserB shell /bin/bash
Test expert login Log in as User B, run expert
Change expert password Inside expert mode: set expert-password
Delete old admin account delete user UserA
Best,
Andy

View solution in original post

0 Kudos
3 Replies
PhoneBoy
Admin
Admin
‎2025-07-29 03:29 PM
Jump to solution

The expert mode password is not tied to a specific user.
You may need to consult with TAC here.

Steffen_Appel
Advisor
‎2025-07-30 07:55 AM
Jump to solution

No it isnt, expert mode password is independant of the users password.

the_rock
MVP Platinum
MVP Platinum
‎2025-07-30 06:50 PM
Jump to solution

For what is worth, here is AI explanatiion.

Andy

*************************

 

You're raising a very common and important question about expert mode management on locally managed Check Point 1570R appliances running Gaia Embedded (R81.10.17). Here's a clear explanation of the behavior you're seeing and how to transition expert access from User A to User B:

Key Concepts of Expert Mode in Locally Managed SMB Appliances (e.g., 1570R)

  1. Expert Mode Password is Global: Unlike Gaia OS on centrally managed systems, in locally managed SMB appliances, the expert password is not linked to a specific user account. It is a global password shared across users with CLI access.

  2. But Entry into Expert Mode is Restricted: Only users with appropriate permissions (admin, cli-admin) can enter expert mode — and they must use the global expert password set previously.

  3. Common Pitfall: If a new user (e.g., User B) is created after the expert password is set, and doesn't have the proper privileges, even if the expert password is correct, the user won't be allowed into expert mode.

🔍 Explanation of the Problem You're Seeing

  • User A had set the expert password while logged in as himself.

  • User B tries to use expert, but:

    • expert password not set: This may appear if User B is lacking the correct privileges or shell.

    • incorrect login password: This can happen if User B has the right permissions but the shell is misconfigured or environment is not correctly set up.

No, the expert password is not tied to a specific userbut user permissions and shell must be correct for that user to use expert.

What You Should Do

Step 1: Ensure User B Has Proper Permissions

Check and adjust the permissions of User B to allow CLI access and expert mode:

 

sh
# Log in as User A (who can still access expert mode) clish show users

 

 

Look at the role of User B. You want something like this:

 

sh
add user UserB uid 0 homedir /home/UserB shell /bin/bash set user UserB password set user UserB role admin

 

 

  • Make sure shell is /bin/bash (or /etc/cli.sh for SMB appliances depending on firmware).

  • Ensure the role is admin or super-user.

You may need to delete and recreate User B if the role/shell are incorrect and cannot be modified directly.

Step 2: Test Expert Access with User B

Now login as User B and run:

 

sh
expert

 

 

When prompted, enter the existing expert password that was set by User A. It should succeed if permissions and shell are correct.

Step 3: Change the Expert Password (Optional)

If User B now has access to expert mode, he can reset the expert password:

 

sh
set expert-password

 

 

This will prompt for a new expert password. From now on, this will be the global password for expert.

Step 4: Delete User A

Once you're sure everything works, you can safely remove User A:

 

sh
delete user UserA 

 

Summary

Task Command/Action
Ensure User B has admin role set user UserB role admin
Set shell to /bin/bash set user UserB shell /bin/bash
Test expert login Log in as User B, run expert
Change expert password Inside expert mode: set expert-password
Delete old admin account delete user UserA
Best,
Andy
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events