Checkpoint logs me into expert mode straight away



oharek
2013-01-24, 16:42
Hello,

I have taken over a Checkpoint firewall from a previous employee. I do have Smart Dashboard access to the device. But when I secure shell to it and log in, it won't let me do anything, i.e. the commands for sysconfig etc. just won't configure anything. It's as if it's expert mode already. Do you know what I need to do so I can set it up so that I can make changes via ssh as usual?

thanks
Kevin

alienbaby
2013-01-24, 17:06
Even when you're in expert mode, you should be able to execute sysconfig.. Unless the install is based on GAIA.

Are you able to execute cpshell? If yes, then you're running SecurePlatform and something is wrong.
Are you able to execute clish? If yes, you're running GAIA.

Bluebeetle
2013-01-24, 23:59
Based on what you've told us so far you could also be dealing with Red Hat Linux, or even Solaris but that should be even more obvious.

belongamick
2013-01-25, 08:18
If you are running SecurePlatform, check the file /etc/passwd.

It's possible someone has changed the default shell from /bin/cpshell (default) to /bin/bash (for example). But even if that was the case you should still be able to use the sysconfig command.

Spawn
2013-01-25, 12:16
non expert mode :

#show version all
Product version Check Point Gaia R75.45
OS build 123
OS kernel version 2.6.18-92cp
OS edition 32-bit

Expert mode :

[Expert@FW]# fw ver -k
This is Check Point VPN-1(TM) & FireWall-1(R) R75.45 - Build 193
kernel: R75.45 - Build 193

slowfood27
2013-01-29, 11:20
You can change the default shell to the cpshell (non-expert mode) with:

chsh -s /etc/cpshell admin
save config (OR IT WILL NOT SURVIVE NEXT REBOOT)

Cheers

Edit:

Since it's Gaia the default shell is cli.sh, hence the command to change is
chsh -s /etc/cli.sh admin
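
The /etc/passwd check suggested above, as an added example that is not part of the original posts: it lists the accounts that log in to a full shell instead of the restricted CLI. The restricted shell paths are the ones quoted in this thread, the function names are hypothetical, and the sample passwd entries are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): report which accounts in passwd-format
# input log in to a full shell instead of the restricted Check Point CLI.
# The restricted shell paths are the ones quoted in the thread.

classify_shell() {
    case "$1" in
        /bin/cpshell|/etc/cpshell|/etc/cli.sh) echo restricted ;;
        */nologin|*/false)                     echo nologin ;;
        *)                                     echo full ;;  # includes an empty field
    esac
}

# audit_passwd: read passwd-format lines on stdin and print one line for
# every account that gets a full shell at login.
audit_passwd() {
    while IFS=: read -r user pw uid gid gecos home shell; do
        case "$user" in ''|\#*) continue ;; esac   # skip blank lines and comments
        if [ "$(classify_shell "$shell")" = full ]; then
            # An empty shell field means the system default, /bin/sh.
            printf '%s uid=%s shell=%s\n' "$user" "$uid" "${shell:-/bin/sh}"
        fi
    done
}

# Constructed sample data, not taken from any real appliance.
sample_passwd() {
cat <<'EOF'
admin:x:0:0:Admin:/home/admin:/bin/bash
fwadmin:x:0:0:FW Admin:/home/fwadmin:/etc/cli.sh
legacy:x:0:0:Legacy:/home/legacy:/bin/cpshell
nobody:x:99:99:Nobody:/:/sbin/nologin
svc:x:501:100:Service:/home/svc:
EOF
}

sample_passwd | audit_passwd
```

On a real system, run it from a shell as `audit_passwd < /etc/passwd`.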

oharek
2013-02-27, 11:58
Hello,

How do I get past this prompt:

NokiaIP690:10>

How do I get into standard mode? I need to ping devices, etc.

You can see below that I can log in OK to the firewall via ssh but I can't do anything once I am in. I have taken this firewall over from a previous employee. I can't run any commands and need to get into standard mode and expert mode.

regards,
Kevin



login as: xxxxx
This system is for authorized use only.Password:
Last login: Wed Feb 27 13:38:43 2013 from 10.x.x.x
Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
The Regents of the University of California. All rights reserved.

IPSO 6.2-GA024 #1: 09.04.2009 042026
You have logged into Check Point IPSO Security Appliance.
erase ^?, kill ^U, intr ^C

NokiaIP690:11> icmp 172.17.19.241
CLINFR0329 Invalid command:'icmp 172.17.19.241'.
NokiaIP690:12> trace route 172.17.19.241
CLINFR0329 Invalid command:'trace route 172.17.19.241'.
NokiaIP690:13> sysconfig
CLINFR0329 Invalid command:'sysconfig'.
NokiaIP690:14> cpconfig
CLINFR0329 Invalid command:'cpconfig'.

jacobsen
2013-02-27, 16:19
That's an IP appliance or Nokia box.
Whatever, you are within IPSO's clish.

You should be able to set admin's login shell to bash with:
set user admin shell /bin/bash
save configuration

Log out and log in again. Should be OK then.

BTW: icmp 172.17.19.241
What's that? Try ping instead of icmp.
And it should be traceroute instead of trace route.

oharek
2013-02-27, 16:52
Many thanks for your reply. Yes, it's a Checkpoint device R.70 with 16 slots along the front, so I take it that's what you mean by an IP appliance.

I have the administrator account and was able to set myself up with my own login via Smart Dashboard and the Webgui page, which I have access to.

I will log in again tomorrow morning and try your advice.
I will try my ping command if I can get into the standard mode (I think it should be OK then).

Q. If I get into standard mode, do I have to do anything else to enable expert mode before I can use it?



Kevin

mcnallym
2013-02-28, 03:52
You are running an IP690 running IPSO 6.2-GA024. There is NO expert mode in IPSO. You have the standard shell and then from that can enter clish if need to.

Expert mode is a SecurePlatform / Gaia thing.

You are running a different OS, so if you know SecurePlatform then many things will be different. There is no sysconfig utility, and upgrading is completely different, as there are separate IPSO upgrades and Check Point packages.


Suggest you go and get the IPSO admin guides from the Check Point website to learn IPSO. Much of this, as in clish, will still be useful with GAIA afterwards.