Hello all,
I have a small virtual R80.40 lab and I was trying to understand the Lock/Unlock feature.
When I use the command lock database override, I am able to transfer the lock from one admin to another admin between 2 SSH sessions.
According to https://sc1.checkpoint.com/documents/R80.40/WebAdminGuides/EN/CP_R80.40_Gaia_AdminGuide/Content/Topi...
the same thing should be achieved with unlock database, but it is not working for me. Instead I see the message
"CLICMD0201 Config-lock is not owned by this clish session" when I run this command from the admin without the Lock. If I run it on the admin with the Lock, it is executed, but the Lock still remains with this same admin.
What am I missing?
Sounds like a bug and it's worth a TAC case.
One other thing I noticed: if you give both users the same UID (e.g. 0), then it "appears" to work correctly.
If they have different UIDs, then the behavior is as you describe.
Meanwhile "lock database override" should work as expected.
@Tal_Martsiano
First of all, thank you very much for the help.
Now, since you mentioned the uid, I tried to revalidate these findings, as the first time I did not bother to change anything else than just the creation of a second admin.
So with different uids, as I said, to me it looks like only the lock database override works.
Now I deleted the second admin and recreated it with uid=0 (in the show configuration output it is with this line "add user chris uid 0 homedir /home/chris") and it looks to me that none of those two commands work now when run from this second admin:
fw1> show config-lock
Configuration locked by admin from 192.168.1.120, facility command line, 291 seconds to expiration
fw1> lock database override
fw1> show config-lock
Configuration locked by admin (300 seconds to expiration)
fw1> unlock database
fw1> show config-lock
Configuration locked by admin (300 seconds to expiration)
Believe it still works, I think it just displays the wrong name in this case.
Yeah, you are right. I saw the name and I did not try to make a change on the CLI. I see it works, or at least, as you said, it appears to be working when uid = 0.
Is it normal practice to make the uid=0 for different admin users? Is it something that we should keep in mind?
It depends.
There are certain functions (particularly in expert mode) that require admin users to be uid 0.
If you're sticking to clish, I don't believe it is strictly required.
OK, thank you very much for all the assistance.
I believe the original question has been answered. I guess if you opened a TAC case, CP will fix it.
Regards,
Chris