Strange R81.20 web UI issue
Hey guys,
I know holidays are here, so I don't expect a response any time soon, but wanted to mention super odd R81.20 web UI behavior I encountered in the lab and see if anyone may have an idea how to fix this. So, yesterday, I tried to log in to the web UI (which I had many times since I created the lab a few weeks ago) and noticed it kept saying "permission denied". Now, I use the exact same password in my lab for regular shell and expert mode, so the password was 100% right, as ssh worked just fine.
I then followed the link below, no luck.
https://pingtool.org/adding-new-admin-user-to-checkpoint-gaia-with-expert-permissions/
I also tried from clish -> set user admin password
That asked me to enter a new pass, which I did, save config, no luck. Any idea why this would happen at all? I even tried rebooting, same issue.
Keep in mind, there were absolutely no changes done at all to this firewall in the last 10 days and I logged into the web UI many times in that time period.
Happy holidays everyone!
Andy
Accepted Solutions
Thanks to Gilad and the guys in Israel for having a remote session with me. We narrowed down that the last time the web UI worked was December 14th, when the ISPR cpisp_update file was modified for an issue a customer was having (I replaced the actual file with one provided to me from R&D in the lab). Not sure how that broke the web UI, but seems that it did. Anyway, since we could not fix it even after removing ispr config and also putting back the old cpisp_update file, I decided to totally reinstall, which fixed the issue. One thing I found super odd is that every time I tried deleting 2 ISP links on the gateway object, it would remove them, then I publish, go back and they were still there. I also tried removing any references to them in GuiDBedit, but could not locate them anywhere. Either way, easier to just reinstall :-)
Thanks again guys and happy holidays!
Logs I see. Weird thing is, I don't even have any RADIUS users, just a local admin user trying to log in...
Dec 24 22:04:12 2022 QUANTUM-GATEWAY clish[18759]: cmd by admin: Start executing
: exit (cmd md5: f24f62eeb789199b9b2e467df3b1876b)
Dec 24 22:04:12 2022 QUANTUM-GATEWAY xpand[10811]: admin localhost t -volatile:c
lish:admin:18759
Dec 24 22:04:12 2022 QUANTUM-GATEWAY clish[18759]: User admin logged out from C
LI shell
Dec 24 22:04:43 2022 QUANTUM-GATEWAY xpand[10811]: admin localhost t +volatile:c
lish:admin:18874 t
Dec 24 22:04:43 2022 QUANTUM-GATEWAY clish[18874]: User admin logged in with Rea
dWrite permission
Dec 24 22:04:45 2022 QUANTUM-GATEWAY clish[18874]: cmd by admin: Start executing
: expert (cmd md5: b9b83bad6bd2b4f7c40109304cf580e1)
Dec 24 22:04:45 2022 QUANTUM-GATEWAY clish[18874]: cmd by admin: Processing : ex
pert (cmd md5: b9b83bad6bd2b4f7c40109304cf580e1)
Dec 24 22:05:18 2022 QUANTUM-GATEWAY httpauth: pam_radius_auth: Could not open c
onfiguration file /etc/raddb/server: Permission denied
Dec 24 22:05:21 2022 QUANTUM-GATEWAY httpd2: HTTP login denied from 172.16.10.10
3 for admin
Dec 24 22:11:03 2022 QUANTUM-GATEWAY pm[10793]: Restarted /rest_api/scripts/rest
_api_docs[19682], count=55
Dec 24 22:11:03 2022 QUANTUM-GATEWAY pm[19682]: init LD_LIBRARY_PATH for /rest_a
pi/scripts/rest_api_docs
Dec 24 22:11:04 2022 QUANTUM-GATEWAY pm[10793]: Reaped: rest_api_docs[19682]
Dec 24 22:11:04 2022 QUANTUM-GATEWAY pm[10793]: Scheduled rest_api_docs for +900
secs
Dec 24 22:23:25 2022 QUANTUM-GATEWAY httpauth: pam_radius_auth: Could not open c
onfiguration file /etc/raddb/server: Permission denied
Dec 24 22:23:27 2022 QUANTUM-GATEWAY httpd2: HTTP login denied from 172.16.10.10
3 for admin
[Expert@QUANTUM-GATEWAY:0]#
This is what I find most confusing. So the file "server" in the /etc/raddb and /etc/tacdb directories is exactly the same as on a brand new R81.20 install and even in a working R81.10, but the same issue persists... honestly, makes no sense to me and I'm not sure why it keeps giving the error below when I try to log into the web UI. Even gave it permissions 0600 as indicated inside the file itself, but same problem.
Dec 25 21:27:07 2022 QUANTUM-GATEWAY httpauth: pam_radius_auth: Could not open c
onfiguration file /etc/raddb/server: Permission denied
Dec 25 21:27:09 2022 QUANTUM-GATEWAY httpd2: HTTP login denied from 172.16.10.10
3 for admin
Dec 25 21:29:25 2022 QUANTUM-GATEWAY httpauth: pam_radius_auth: Could not open c
onfiguration file /etc/raddb/server: Permission denied
Dec 25 21:29:27 2022 QUANTUM-GATEWAY httpd2: HTTP login denied from 172.16.10.10
3 for admin
Dec 25 21:31:33 2022 QUANTUM-GATEWAY httpauth: pam_radius_auth: Could not open c
onfiguration file /etc/raddb/server: Permission denied
Dec 25 21:31:35 2022 QUANTUM-GATEWAY httpd2: HTTP login denied from 172.16.10.10
3 for admin
Dec 25 21:36:26 2022 QUANTUM-GATEWAY httpauth: pam_radius_auth: Could not open c
onfiguration file /etc/raddb/server: Permission denied
Dec 25 21:36:29 2022 QUANTUM-GATEWAY httpd2: HTTP login denied from 172.16.10.10
3 for admin
Dec 25 21:39:28 2022 QUANTUM-GATEWAY httpauth: pam_radius_auth: Could not open c
onfiguration file /etc/raddb/server: Permission denied
Dec 25 21:39:31 2022 QUANTUM-GATEWAY httpd2: HTTP login denied from 172.16.10.10
3 for admin
[Expert@QUANTUM-GATEWAY:0]#
Bug for sure?
Blason R
CCSA,CCSE,CCCS
I don't know mate, worked fine for about a month and stopped without any changes... I don't get it. Let's see if our friend from Israel @Ilya_Yusupov will be able to do his magic with this :-)
Merry Christmas by the way!
Hi @the_rock,
The given print is not related to WEBUI login by local user.
As you were able to login by SSH it means your password wasn't denied by several unauthorized attempts.
We couldn't replicate this in-house, I would like to ask for 2 things:
Are you able to connect with a different user?
Would it be possible to have a remote session to see this thru with you?
Thanks
Sure! I'm free Wednesday any time. Btw, if you read my initial post, the link I gave gives steps to give full admin permissions to a user, but no luck. That tells me it's something fw, not user related, but we can check on the remote session, that sounds good!
Andy
