| CPUG | |
| The Check Point User Group | |
| A Resource For The Check Point Community. Fast. Useful. Independent. | |
| |||
| I'm kinda new to the Check Point world and just need some clarification. We run SmartDashboard and connect to our firewall managers. From there I can load the different policies for our Nokia Firewalls. I need to delete a couple of users. The users belong to a particular group, and the group is used in a rule in a particular policy. However, it doesn't matter which policy I have open, I can still see all the user objects available. So to me, the user database is independent of the policies (so to speak). My question is, can I just delete the user from the database? Do I need to verify/push the policy for the firewall that these users have access to (by virtue of their group)? Thanks |
| |||
| Thanks for the reply. What does 'install database' actually do? Maybe I don't fully understand how the user database is used. Is it a local database on the Firewall Manager? And is the only policy I need to push the one which uses the group to which the deleted users belong(ed)? Thanks again. |
| |||
| You should always consider pushing the policy after deleting users as there were issues in earlier versions (prior to R60 HFA04). If the user database is used in a rule, doing the Install Database thing can cause an inconsistency between the database and the security policy. sk31889 gives an example of Office Mode failing because of Install Database. I would think you would be safe in just pushing the policy where the users are used. Ray |
| |||
| Yes, that will work fine. I never use Install Database. Oh, and if you remove them from any group that they were created with and later try to delete them, you will get this message about an error and them not being deleted. Just add them back into their group and then delete them. Ray |
| |||
| Actually, I have one more question - the reverse now. If I create a user using Dashboard and give them Admin-RW, do they also get a shell (command line) account automatically? Or do I need to create a shell account for them as well? If I do, what are the commands to create the account? Thanks again for all your help. |
| |||
| You'll need to add a normal OS level Linux user as if the SmartCenter never existed. Things you do in SmartCenter have nothing to do with the Linux OS. As such, it can't anything from SmartCenter as far as the users go. BTW: In Linux this is usually done with the adduser command. |