?
Solved

Change Password (CheckPoint FW-1 NG)

Posted on 2003-02-21
14
Medium Priority
?
9,799 Views
Last Modified: 2013-11-16
Can someone tell me how to change passwords for users and administrators in FW-1 NG?  Specifically, I need to know how to do it in Solaris.  The 3.x and 4.x stuff had it in a menu by running ./cpconfig, but that doesn't appear to have an entry for password management with NG??
0
Comment
Question by:dmaloy1
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 4
  • 4
  • +1
14 Comments
 
LVL 1

Expert Comment

by:matt_t1
ID: 7998181
In the Policy Editor (SMARTdashboard if you're FP3...) go to the users tab.  The administrators and users are all defined in here.  Passwords, permissions, etc can all be changed.

A useful extra since they all got put in here is that you can now use external authentication schemes (e.g. SecurID) for administrators as well as VPN users.
0
 

Author Comment

by:dmaloy1
ID: 8005014
If I recall correctly, I went into this area and there was no administrator account defined.  The account that I am specifically trying to change is the "fwadmin" account on UNIX (Solaris) that you setup during the install.
0
 
LVL 33

Expert Comment

by:Dave Howe
ID: 8007938
Ah. policy administrators in FW-1 usually can't be set from the gui interface.
You would have to extrapolate from FW-1 4.1 (as I don't run NG here) but here is how it works in that application.

The default location on the unix server for the binaries is /etc/fw/bin. in there, you will find the program cpconfig, with the options "Administrators" and "Gui clients"
Now these two options actually alter /etc/fw/conf/fwmusers and /etc/fw/conf/gui-clients - good idea to back these two files up before making any changes (they are just ascii text so cping them to $HOME is fine)
Anyhow, back to the admin tool.
taking the cpconfig Administrators option will list all the defined administrators. if you attempt to add a administrator already listed, it will ask you if you want to change the password.
It is obviously Best Practice to create multiple accounts here, one per expected user, rather than sharing the fwadmin account - or if you really want shared accounts, set up limited accounts per role - logviewer with read-logs-only say, or usermanager with read log and read/write user database.
0
Cyber Threats to Small Businesses (Part 2)

The evolving cybersecurity landscape presents SMBs with a host of new threats to their clients, their data, and their bottom line. In part 2 of this blog series, learn three quick processes Webroot’s CISO, Gary Hayslip, recommends to help small businesses beat modern threats.

 

Author Comment

by:dmaloy1
ID: 8017124
4.1 is not the same as NG.  In 4.1 there was an option by running cpconfig where you could manage passwords.  Has anyone specifically running SOLARIS with NG changed the password for the account that you originally used to install the software with??
0
 
LVL 33

Expert Comment

by:Dave Howe
ID: 8017422
Not sure I am reading you correctly - are you talking about a solaris/unix account, rather than a fw/1 one?

If so, you simply log in as that account (or root) and type passwd ("passwd fwadmin" as root) to change password.
0
 

Author Comment

by:dmaloy1
ID: 8019133
No, not the o/s account.  That is not a problem changing.  I am talking about the account (typically fwadmin) that you install the software with.  When you install it, it asks for that password.  I now want to change it within FW-1, not at the o/s.  This utility used to be $FWDIR/cpconfig.  That is not an option in NG.  Does that make it clearer?
0
 

Expert Comment

by:Gruff66
ID: 8023691
Hmmm. Think I've got the thread on this now. However, Solaris ain't my strong point for CP, but this may help... found it on CP. Don't know if it works on NG.. so backup first please

1. Locate the file fwmusers in $FWDIR/conf.
2. Edit the file $FWDIR/conf/fwmusers using a text editor.
3. Each admin name appears in clear text. The passwords, however, are encrypted. Remove the entire line.
4. After the Admin line has been deleted, save the changes.
5. Using the cpconfig command for FireWall-1 4.1 and fwconfig for FireWall-1 4.0, reenter the Name, Admin rights and a new password.

Note: If changing only the existing administrator admin password or rights, step 5 is often sufficient. After reentering the existing account name, you will be prompted to change the password and/or rights.

This final note would imply that by simply trying to add the fwadmin account again in CPCONFIG then it would automatically give you an option to change the password, but as I ain't got no Solaris stuff, I can't tell you whether it will or not

Don't know if this is of use to you.

G
0
 

Author Comment

by:dmaloy1
ID: 8036158
I logged into the firewall and checked under "manage-->users&administrator" and there were none defined.  There has got to be a way to change the password for the user that you would install the software with on UNIX??  This used to be a user called "fwadmin".  The password is not at the o/s level, it is one within FW-1 NG that you need to supply when logging in to the PolicyEditor or LogViewer, etc...Anyone running this on Solaris who has done this????
0
 
LVL 1

Accepted Solution

by:
matt_t1 earned 200 total points
ID: 8056341
Hi,

Right.  Back in the office today, and sat in front of CP NG (FP3) on Solaris 2.8.

 * From the Solaris console, run cpconfig.
 * Option 2 is "Administrators"
 * Brings up a list of administrator accounts, of which "fwadmin" is one.
 * Option "y" to change this list
 * "D" to delete the existing admin account, and give it the account name
 * "n" when it asks to delete another one
 * "n" when it says you didn't define any administrators and asks if you want to continue - this will put you back at the administrators list
 * "A" to add an administrator
 * Give it the account name ("fwadmin")
 * Give it the password (twice)
 * "W" for Read/Write All perms
 * "Y" for permission to manage administrators
 * "n" to add another one
 * Option 8 to exit.

That's it - all done.

Regards,

Matt.
0
 
LVL 1

Expert Comment

by:matt_t1
ID: 8056346
One other thing...

All the way through I have been assuming that you are running the management module on this Solaris box.

If it is purely an enforcement point then it doesn't have an fwadmin account.  This is only a management module account.

Matt.
0
 
LVL 33

Expert Comment

by:Dave Howe
ID: 8056739
matt - what happens if you select ADD without first deleting the account? on 4.1, that allowed you to change the password.
0
 
LVL 1

Expert Comment

by:matt_t1
ID: 8057553
Dave

I have to confess I hadn't tried that before - so little trust in CP's ability to sanity check their input!

So... in the interests of experimentation... let's see if I can break my management module:

Doing the Add without deleting first....

Wow!  It works!  Add a new user called fwadmin, and it tells me they already exist.  You can change password or permissions.

Much neater than adding and deleting.

Thanks for the suggestion!  That's got to be worth some points - I'll put a "Points for DaveHowe" in security/firewalls.

Matt.
0
 
LVL 33

Expert Comment

by:Dave Howe
ID: 8058567
NP Matt. strangely though, dmaloy1 said that didn't work on his copy when I suggested it third comment down - which was why I was asking what yours did :)
0
 

Author Comment

by:dmaloy1
ID: 8320663
Matt,

Thanks for your help.  That was it.
0

Featured Post

New benefit for Premium Members - Upgrade now!

Ready to get started with anonymous questions today? It's easy! Learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Wikipedia defines 'Script Kiddies' in this informal way: "In hacker culture, a script kiddie, occasionally script bunny, skiddie, script kitty, script-running juvenile (SRJ), or similar, is a derogatory term used to describe those who use scripts or…
To setup a SonicWALL for policy based routing to be used with the Websense Content Gateway there are several steps that need to be completed. Below is a rough guide for accomplishing this. One thing of note is this guide is intended to assist in the…
In this video we outline the Physical Segments view of NetCrunch network monitor. By following this brief how-to video, you will be able to learn how NetCrunch visualizes your network, how granular is the information collected, as well as where to f…
NetCrunch network monitor is a highly extensive platform for network monitoring and alert generation. In this video you'll see a live demo of NetCrunch with most notable features explained in a walk-through manner. You'll also get to know the philos…
Suggested Courses

765 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question