Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
S_E_
Advisor
Jump to solution

R81.20 Grub password

Hi

after upgrade of a smart-1 appliance from R81.10 to R81.20 following appeared.

Warning! Grub default password hasn't been changed. Sign in to clish and use 'set grub2-password' to change it.
Breaking News: HCP version updated! To see an overview of your machine health, run 'hcp -r all'. For further information please see sk171436

Seems to be new that there is now a need to setup a grub-password. Could not see any details in R81.20 admin guide.

Regards

 

[Expert@SMS:0]# hcp -v
HCP Take: 58
HCP RPM Build: hcp-1-592021.i386

[Expert@fSMS:0]# cpstat mg

Product Name: Check Point Security Management Server
Major version: 6
Minor version: 0
Build number: 997000440
Is started: 1
Active status: active

 

 

 

0 Kudos
2 Solutions

Accepted Solutions
G_W_Albrecht
Legend
Legend

I have upgraded my ESX VMs from R81.10 to R81.20 and had the same warning both on SMS and GW !

Reason: See R81.20 (Titan) Release Notes: Software Changes

This section describes behavior changes from previous versions.

Gaia - The password for the Gaia GRUB (boot loader - maintenance mode) is a dedicated password (separated from the Expert mode password). You can configure the Gaia GRUB password during the Gaia First Time Configuration Wizard, or after the Gaia installation.

--> This is a new feature as the former expert pass also was the grub / maintenance mode PW...

CCSE CCTE CCSM SMB Specialist

View solution in original post

(1)
sharonab
Employee
Employee

More info can be found in admin guide :

https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_Gaia_AdminGuide/Content/Topi... 

 

if grub password has not been set post upgrade ,we recommend it is set post upgrade , via the clish/webui tools .

View solution in original post

0 Kudos
11 Replies
the_rock
Legend
Legend

Hm, thats very odd, because I updated my R81.10 lab, though it was VM only, not smart-1, but never noticed that at all. Hope someone from CP can comment. Also did brand new R81.10 lab (mgmt + single gateway) and never seen it there either.

Andy

0 Kudos
G_W_Albrecht
Legend
Legend

I have upgraded my ESX VMs from R81.10 to R81.20 and had the same warning both on SMS and GW !

Reason: See R81.20 (Titan) Release Notes: Software Changes

This section describes behavior changes from previous versions.

Gaia - The password for the Gaia GRUB (boot loader - maintenance mode) is a dedicated password (separated from the Expert mode password). You can configure the Gaia GRUB password during the Gaia First Time Configuration Wizard, or after the Gaia installation.

--> This is a new feature as the former expert pass also was the grub / maintenance mode PW...

CCSE CCTE CCSM SMB Specialist
(1)
the_rock
Legend
Legend

Thats weird then why I never got that when I upgraded my VM...unless it happens ONLY when you upgrade physical appliance?

0 Kudos
S_E_
Advisor

ok, so 'can' sounds like optional and not mandatory.

Thanks,

Regards

0 Kudos
sharonab
Employee
Employee

More info can be found in admin guide :

https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_Gaia_AdminGuide/Content/Topi... 

 

if grub password has not been set post upgrade ,we recommend it is set post upgrade , via the clish/webui tools .

0 Kudos
Magnus-Holmberg
Advisor

The wording is GRUB default password has not been changed, what is the default password for it?

https://www.youtube.com/c/MagnusHolmberg-NetSec
0 Kudos
sharonab
Employee
Employee

Why do you require the default password ?

You should set the password via available commands in clish/webui or during FTW.

if system is not available to set password and you require to enter maintenance mode/revert to snapshot via grub  , please open support case , and they can assist . 

 

0 Kudos
the_rock
Legend
Legend

I remember when setting up brand new R81.20, it asked me to set grub password, so I just used same password as expert. Never had to use it, but it can be set with followint command in clish:

quantum-firewall> set grub
grub2-password - Set user admin Grub2 password by plain text
grub2-password-hash - Set user admin Grub2 password by salted hash
quantum-firewall> set grub2-password
quantum-firewall> set grub2-password
Enter new grub2 password:
Enter new grub2 password (again):
quantum-firewall> save config
quantum-firewall> exit
[Expert@quantum-firewall:0]#

 

0 Kudos
sloddo
Explorer

Is this something that can be set/scripted by the mgmt_cli command in batch mode?

0 Kudos
G_W_Albrecht
Legend
Legend

This is a new level of security, now you have:

  • user PW for clish
  • expert PW for bash
  • grub PW for maintenance mode

It does make sense to differentiate here, but you can use the same PW for all if you want (less hassle for Lab deployments)

CCSE CCTE CCSM SMB Specialist
the_rock
Legend
Legend

Agree! Thats what I do in my lab as well.

Andy

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events