• Status: Solved

Change Password (CheckPoint FW-1 NG)

Can someone tell me how to change passwords for users and administrators in FW-1 NG?  Specifically, I need to know how to do it in Solaris.  The 3.x and 4.x stuff had it in a menu by running ./cpconfig, but that doesn't appear to have an entry for password management with NG??
dmaloy1
Asked:
 
matt_t1 Commented:
In the Policy Editor (SmartDashboard if you're FP3...) go to the users tab. The administrators and users are all defined in here. Passwords, permissions, etc. can all be changed.

A useful extra since they all got put in here is that you can now use external authentication schemes (e.g. SecurID) for administrators as well as VPN users.
 
dmaloy1 (Author) Commented:
If I recall correctly, I went into this area and there was no administrator account defined. The account that I am specifically trying to change is the "fwadmin" account on UNIX (Solaris) that you set up during the install.
 
Dave Howe (Software and Hardware Engineer) Commented:
Ah. Policy administrators in FW-1 usually can't be set from the GUI interface.
You would have to extrapolate from FW-1 4.1 (as I don't run NG here) but here is how it works in that application.

The default location on the Unix server for the binaries is /etc/fw/bin. In there, you will find the program cpconfig, with the options "Administrators" and "Gui clients".
Now these two options actually alter /etc/fw/conf/fwmusers and /etc/fw/conf/gui-clients - good idea to back these two files up before making any changes (they are just ASCII text so cp'ing them to $HOME is fine).
Anyhow, back to the admin tool.
Taking the cpconfig Administrators option will list all the defined administrators. If you attempt to add an administrator already listed, it will ask you if you want to change the password.
It is obviously Best Practice to create multiple accounts here, one per expected user, rather than sharing the fwadmin account - or if you really want shared accounts, set up limited accounts per role - logviewer with read-logs-only say, or usermanager with read log and read/write user database.
 
dmaloy1 (Author) Commented:
4.1 is not the same as NG.  In 4.1 there was an option by running cpconfig where you could manage passwords.  Has anyone specifically running SOLARIS with NG changed the password for the account that you originally used to install the software with??
 
Dave Howe (Software and Hardware Engineer) Commented:
Not sure I am reading you correctly - are you talking about a Solaris/Unix account, rather than a FW-1 one?

If so, you simply log in as that account (or root) and type passwd ("passwd fwadmin" as root) to change password.
 
dmaloy1 (Author) Commented:
No, not the o/s account.  That is not a problem changing.  I am talking about the account (typically fwadmin) that you install the software with.  When you install it, it asks for that password.  I now want to change it within FW-1, not at the o/s.  This utility used to be $FWDIR/cpconfig.  That is not an option in NG.  Does that make it clearer?
 
Gruff66 Commented:
Hmmm. Think I've got the thread on this now. However, Solaris ain't my strong point for CP, but this may help... found it on CP. Don't know if it works on NG.. so backup first please

1. Locate the file fwmusers in $FWDIR/conf.
2. Edit the file $FWDIR/conf/fwmusers using a text editor.
3. Each admin name appears in clear text. The passwords, however, are encrypted. Remove the entire line.
4. After the Admin line has been deleted, save the changes.
5. Using the cpconfig command for FireWall-1 4.1 and fwconfig for FireWall-1 4.0, reenter the Name, Admin rights and a new password.

Note: If changing only the existing administrator admin password or rights, step 5 is often sufficient. After reentering the existing account name, you will be prompted to change the password and/or rights.

This final note would imply that by simply trying to add the fwadmin account again in CPCONFIG then it would automatically give you an option to change the password, but as I ain't got no Solaris stuff, I can't tell you whether it will or not

Don't know if this is of use to you.

G
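
The backup that Dave Howe recommends before touching fwmusers and gui-clients, plus a check after the change that only the intended administrator's line differs, as an added shell example that is not part of the thread. The function names and backup layout are hypothetical, and the sample lines are constructed and do not reproduce the real fwmusers format.

```shell
#!/bin/sh
# Added example, not from the thread. File names fwmusers and gui-clients are
# the ones named above; function names and backup layout are hypothetical.

# backup_admin_files CONF_DIR BACKUP_ROOT : copy both files, print backup dir.
backup_admin_files() {
    dest="$2/fwconf-$(date +%Y%m%d-%H%M%S)-$$"
    (
        umask 077                       # fwmusers holds password hashes
        mkdir -p "$dest" || exit 1
        for f in fwmusers gui-clients; do
            [ -f "$1/$f" ] || continue  # skip a file that is not present
            cp -p "$1/$f" "$dest/$f" || exit 1
            chmod 600 "$dest/$f" || exit 1        # cp -p kept the source mode
            cmp -s "$1/$f" "$dest/$f" || exit 1   # verify the copy
        done
    ) || return 1
    printf '%s\n' "$dest"
}

# unexpected_changes BEFORE AFTER ADMIN : print changed lines that do not
# mention ADMIN. Empty output means only that administrator's entry changed.
unexpected_changes() {
    diff "$1" "$2" | grep '^[<>] ' | grep -v -F -w -- "$3" || :
}

# demo : constructed data only; the line layout is invented for illustration
# and is not the real fwmusers format.
demo() {
    work=$(mktemp -d) || return 1
    mkdir "$work/conf"
    printf '%s\n' 'fwadmin CONSTRUCTED-HASH-OLD' 'logviewer CONSTRUCTED-HASH-A' \
        > "$work/conf/fwmusers"
    printf '%s\n' '192.0.2.10' > "$work/conf/gui-clients"
    bk=$(backup_admin_files "$work/conf" "$work/backup") || return 1
    # Stand-in for the cpconfig password change on fwadmin:
    printf '%s\n' 'fwadmin CONSTRUCTED-HASH-NEW' 'logviewer CONSTRUCTED-HASH-A' \
        > "$work/conf/fwmusers"
    extra=$(unexpected_changes "$bk/fwmusers" "$work/conf/fwmusers" fwadmin)
    rm -rf "$work"
    [ -z "$extra" ]                     # succeeds when nothing else changed
}

if [ "${1:-}" = "demo" ]; then demo && echo "only fwadmin changed"; fi
```

The copies are forced to owner-only permissions because a backup left in $HOME with the source file's mode would expose the stored password hashes to other local accounts.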
 
dmaloy1 (Author) Commented:
I logged into the firewall and checked under "manage-->users&administrator" and there were none defined. There has got to be a way to change the password for the user that you would install the software with on UNIX?? This used to be a user called "fwadmin". The password is not at the o/s level, it is one within FW-1 NG that you need to supply when logging in to the PolicyEditor or LogViewer, etc... Anyone running this on Solaris who has done this????
 
matt_t1 Commented:
Hi,

Right.  Back in the office today, and sat in front of CP NG (FP3) on Solaris 2.8.

 * From the Solaris console, run cpconfig.
 * Option 2 is "Administrators"
 * Brings up a list of administrator accounts, of which "fwadmin" is one.
 * Option "y" to change this list
 * "D" to delete the existing admin account, and give it the account name
 * "n" when it asks to delete another one
 * "n" when it says you didn't define any administrators and asks if you want to continue - this will put you back at the administrators list
 * "A" to add an administrator
 * Give it the account name ("fwadmin")
 * Give it the password (twice)
 * "W" for Read/Write All perms
 * "Y" for permission to manage administrators
 * "n" to add another one
 * Option 8 to exit.

That's it - all done.

Regards,

Matt.
 
matt_t1 Commented:
One other thing...

All the way through I have been assuming that you are running the management module on this Solaris box.

If it is purely an enforcement point then it doesn't have an fwadmin account.  This is only a management module account.

Matt.
 
Dave Howe (Software and Hardware Engineer) Commented:
Matt - what happens if you select ADD without first deleting the account? On 4.1, that allowed you to change the password.
 
matt_t1 Commented:
Dave

I have to confess I hadn't tried that before - so little trust in CP's ability to sanity check their input!

So... in the interests of experimentation... let's see if I can break my management module:

Doing the Add without deleting first....

Wow!  It works!  Add a new user called fwadmin, and it tells me they already exist.  You can change password or permissions.

Much neater than adding and deleting.

Thanks for the suggestion!  That's got to be worth some points - I'll put a "Points for DaveHowe" in security/firewalls.

Matt.
 
Dave Howe (Software and Hardware Engineer) Commented:
NP Matt. Strangely though, dmaloy1 said that didn't work on his copy when I suggested it third comment down - which was why I was asking what yours did :)
 
dmaloy1 (Author) Commented:
Matt,

Thanks for your help.  That was it.