This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Christos_B
Participant
‎2020-07-15 10:50 AM
Jump to solution

R80.40 unlock database

hello all

i have a small virtual R80.40 lab and i was trying to understand the Lock/Unlock feature

When i use the command lock database override i am able to transfer the lock from one admin to another admin between 2 ssh sessions.

According to https://sc1.checkpoint.com/documents/R80.40/WebAdminGuides/EN/CP_R80.40_Gaia_AdminGuide/Content/Topi... 

same thing should be achieved with unlock database but it is not working for me. instead i see the message

"CLICMD0201 Config-lock is not owned by this clish session" when i run this command from the admin without the Lock. if i run it on the admin with Lock it is executed but still the Lock remains to the this same admin

What am i missing?

1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin
‎2020-07-17 01:37 PM
Jump to solution

Sounds like a bug and it's worth a TAC case.
One other thing I noticed: if you give both users the same UID (e.g. 0), then it "appears" to work correctly.
If they have different UIDs, then the behavior is as you describe.
Meanwhile "lock database override" should work as expected. 
@Tal_Martsiano 

View solution in original post

6 Replies
PhoneBoy
Admin
Admin
‎2020-07-17 01:37 PM
Jump to solution

Sounds like a bug and it's worth a TAC case.
One other thing I noticed: if you give both users the same UID (e.g. 0), then it "appears" to work correctly.
If they have different UIDs, then the behavior is as you describe.
Meanwhile "lock database override" should work as expected. 
@Tal_Martsiano 

Christos_B
Participant
‎2020-07-18 06:44 AM
In response to PhoneBoy
Jump to solution

first of all thank you very much for the help

now since you mentioned the uid i tried to revalidate these findings as first time i did not bother to change anything else than just the creation of a second admin.

so with different uids as i said to me it looks that only the lock database override works.

now i deleted the second admin and recreated it with uid=0 (in the show configuration output is with this line "add user chris uid 0 homedir /home/chris") and it looks to me that none of those two commands work now running from this second admin

fw1> show config-lock
Configuration locked by admin from 192.168.1.120, facility command line, 291 seconds to expiration
fw1> lock database override
fw1> show config-lock
Configuration locked by admin (300 seconds to expiration)
fw1> unlock database
fw1> show config-lock
Configuration locked by admin (300 seconds to expiration)

PhoneBoy
Admin
Admin
‎2020-07-18 08:30 AM
In response to Christos_B
Jump to solution

Believe it still works, I think it just displays the wrong name in this case.

0 Kudos
Christos_B
Participant
‎2020-07-19 04:25 AM
In response to PhoneBoy
Jump to solution

yeah you are right. i saw the name and i did not try to make a change on the cli. I see it works or at least as you said it appears to be working when uid = 0

Is this normal practice to make the uid=0 for different admin user? Is it something that we should keep in mind?

 

0 Kudos
PhoneBoy
Admin
Admin
‎2020-07-19 10:33 AM
In response to Christos_B
Jump to solution

It depends.
There are certain functions (particularly in expert mode) that require admin users to be uid 0.
If you're sticking to clish, I don't believe it is strictly required.

0 Kudos
Christos_B
Participant
‎2020-07-20 06:21 AM
In response to PhoneBoy
Jump to solution

ok thank you very much for all the assistane

i believe the original question has been answered. I guess if you opened TAC case that CP will fix it

regards

Chris

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events