
A Check Point administrator should follow the steps below in order to use SFTP (SSH File Transfer Protocol) or SCP (Secure Copy) for transferring files to/from a Check Point (CP) SecurePlatform (SPLAT) or Gaia gateway.

It is worth noting that an authorized user (for example the network security administrator) can use SSH to access a CP SPLAT/Gaia gateway in two modes:

  1. The Standard Mode, which is the default mode an administrator lands in when first accessing the CP SPLAT gateway via SSH with the “admin” user credentials. In this mode the user is logged in with administrator permissions but can perform only a limited set of operations, because the login shell is a restricted one: /bin/cpshell on a CP SPLAT gateway, and /bin/cli.sh on a CP Gaia gateway (the Gaia equivalent of /bin/cpshell).
  2. The Expert Mode, which gives the logged-in user full UNIX root permissions and a full UNIX shell (/bin/bash). Keep in mind that an authorized user cannot use SSH to log in directly in Expert Mode: he first has to log in in Standard Mode, then type the command expert and provide the Expert password. The /bin/bash shell exists on both SPLAT and Gaia gateways.

“Why can a CP SPLAT or Gaia gateway not be accessed with an SFTP/SCP client over port 22 (SSH)?”

The answer is simple:

If the administrator connects with an SFTP/SCP client as the admin user (Standard Mode), he receives an “access denied” error: SCP and SFTP rely on the user's login shell to start the server side of the transfer (scp on the remote end, or the sftp-server subsystem), and the restricted /bin/cpshell (or /bin/cli.sh) does not allow this, so even reading (e.g. a directory listing) and writing are refused. Trying to connect with an SFTP/SCP client as an “expert” user (full root permissions) also fails, because Expert Mode is not a separate login account that SSH can authenticate: it can only be entered from Standard Mode with the expert command.

The workaround is a simple three-step procedure:

  1. Change the shell assigned to the admin user from /bin/cpshell (or /bin/cli.sh on Gaia), the Standard Mode shell, to /bin/bash (the Expert Mode shell)
  2. Access the CP SPLAT/Gaia gateway from an SFTP/SCP client (e.g. WinSCP) as admin and perform all required file transfers
  3. Re-assign the /bin/cpshell (or /bin/cli.sh) shell to the admin user

Assigning a different shell to the admin user is pretty straightforward. First access the CP SPLAT/Gaia gateway via SSH and enter Expert Mode, then change the admin user's login shell to /bin/bash (with the chsh command on SPLAT, or from clish on Gaia as described in the PS below).

Then you can access the CP SPLAT/Gaia gateway through an SFTP/SCP client as admin and perform the transfers.

After performing all required file transfers to/from the CP SPLAT/Gaia gateway you have to re-assign /bin/cpshell (or /bin/cli.sh for Gaia) to the admin user in the same way, and confirm the change with a new SSH login: you should land in the restricted shell again, not in bash.

PS: If you change the default shell with the chsh command on a Gaia system, the change does not survive a reboot (Gaia rebuilds the user database from its saved configuration). To make it persistent you have to use the following commands within clish:

set user admin shell /bin/bash
save config


But remember: you should not make it persistent in a strictly secured environment. With /bin/bash saved as the admin shell, anyone who holds the admin credentials gets a full root shell over SSH on every login, and the Expert password no longer stands between them and the operating system.
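The three-step procedure above (open the shell, transfer, close the shell) wrapped in a small script, as an added example that is not part of the original post. It is meant to be run on the gateway itself in Expert Mode. Everything platform-specific in it is my assumption rather than something the post states: Gaia is recognised by the presence of /bin/clish and its shell is changed with clish -c "set user ... shell ...", anything else is treated as SPLAT and changed with chsh, and the script name admin-shell-toggle.sh is invented. The Standard Mode shells are the ones the post names (/bin/cpshell and /bin/cli.sh). The script reads the shell back from /etc/passwd before and after each change, refuses to "open" a user whose shell is already something other than the restricted one, and on Gaia never runs save config unless you set PERSIST=yes, so the change is undone by a reboot, in line with the warning above.

```shell
#!/bin/sh
# admin-shell-toggle.sh -- added example, not part of the original post.
# Run this on the gateway itself, in Expert Mode (root). Assumptions that are
# mine rather than the post's: Gaia is recognised by the presence of /bin/clish
# and its shell is changed with "clish -c 'set user ...'"; anything else is
# treated as SPLAT and changed with chsh; the Standard Mode shells are the ones
# the post names (/bin/cpshell on SPLAT, /bin/cli.sh on Gaia).
set -eu

# Login shell of a user, read from a passwd-format file (default /etc/passwd).
# Fails (non-zero) if the user does not exist, so a typo cannot go unnoticed.
user_shell() {  # user [passwd-file]
    awk -F: -v u="$1" '$1 == u { print $7; found = 1 } END { exit !found }' "${2:-/etc/passwd}"
}

detect_platform() {  # prints gaia or splat
    if [ -x /bin/clish ]; then echo gaia; else echo splat; fi
}

# The restricted Standard Mode shell to restore for a given platform.
standard_shell_for() {  # gaia|splat
    case "$1" in
        gaia)  echo /bin/cli.sh ;;
        splat) echo /bin/cpshell ;;
        *)     echo "unknown platform: $1" >&2; return 1 ;;
    esac
}

# True if the shell is one of the restricted Standard Mode shells.
is_standard_shell() {
    case "$1" in
        /bin/cpshell|/bin/cli.sh) return 0 ;;
        *) return 1 ;;
    esac
}

# Change a user's login shell with the platform-specific command. On Gaia the
# change is NOT written to the saved config unless PERSIST=yes, so a reboot
# undoes it; the post advises against making it persistent on a hardened box.
set_shell() {  # platform user shell
    if [ "$1" = gaia ]; then
        clish -c "set user $2 shell $3"
        if [ "${PERSIST:-no}" = yes ]; then clish -c "save config"; fi
    else
        chsh -s "$3" "$2"
    fi
}

main() {  # open|close [user]
    action="$1"; user="${2:-admin}"
    platform="$(detect_platform)"
    before="$(user_shell "$user")"
    case "$action" in
        open)   # step 1: full shell so scp/sftp can start their server side
            if ! is_standard_shell "$before"; then
                echo "$user already has $before; not touching it" >&2; return 1
            fi
            set_shell "$platform" "$user" /bin/bash
            echo "from your workstation: scp <file> $user@<gateway>:/home/$user/" ;;
        close)  # step 3: back to the restricted shell
            set_shell "$platform" "$user" "$(standard_shell_for "$platform")" ;;
        *)      echo "usage: $0 open|close [user]" >&2; return 1 ;;
    esac
    # check: confirm the passwd entry really changed before relying on it
    echo "$user: $before -> $(user_shell "$user")"
}

# Only act when invoked with an argument, so the functions can be sourced and
# exercised without changing anything.
if [ $# -gt 0 ]; then main "$@"; fi
```

Usage: in Expert Mode run `sh admin-shell-toggle.sh open`, do the transfer from the workstation with WinSCP or `scp`, then run `sh admin-shell-toggle.sh close`. Each run prints the shell before and after the change, which is the evidence you want that admin is back on the restricted shell when you are done.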

Let me know if you have any questions. 🙂
