In order for LiveAssurance to run its full set of discovery and interrogation scripts, it must connect to your device as a user whose shell is /bin/bash and whose role is administrator. It is highly recommended that a unique username is created for this purpose, for auditing and security reasons.
Creating User on GAiA WebUI Portal
- Log in to the Check Point WebUI.
- Go to
- Fill in the required information. It is important to set the Shell to /bin/bash and set the role to adminRole.
Creating Users via CLI
- Log in to the Check Point device using SSH.
- Make sure you are in Clish. If your shell is set to /bin/bash, run the command:
    clish
- Add the user (in the example we are using the username indeni):
    add user indeni uid 0 homedir /home/indeni
- Set the password for the user:
    set user indeni password
    New password: [xxxx]
    Verify new password: [xxxx]
- Type the following to add the access role adminRole:
    add rba user indeni roles adminRole
- Type the following to set the shell to /bin/bash:
    set user indeni shell /bin/bash
Creating Chassis Users
Chassis users can only be created via the CLI. Follow this procedure to create the user:
- Log in to the Check Point device using SSH.
- Make sure you are in Clish. If your shell is set to /bin/bash, run the command:
    clish
- Add the user (in the example we are using the username indeni):
    add user indeni uid 0 homedir /home/indeni
- Set the password for the user:
    set user indeni password
    New password: [xxxx]
    Verify new password: [xxxx]
- Type the following to set the shell to /bin/bash:
    set user indeni shell /bin/bash
How to add CheckPoint chassis to LiveAssurance
Monitoring of a CheckPoint chassis is done through the Unique IP Address For Chassis (UIPC). To check which UIPC the chassis has configured, the firewall administrator should run the following command on the chassis device:
    show chassis id <chassis_id> general unique_ip
where <chassis_id> can be:
- 1
- 2
- all
If the chassis UIPC is not configured, the official documentation must be followed:
R76SP.50:
R80.20SP:
Creating Maestro MHO and Security Group Users
Users on Maestro MHO devices can be created following the procedures previously described as valid for any other GAiA device:
- Creating User on GAiA WebUI Portal
- Creating Users via CLI
In the case of Security Groups the procedure is the same, but to connect to a Security Group the management IP of the Security Group must be used, over HTTPS or SSH depending on the method chosen.
How to add CheckPoint Maestro appliances to LiveAssurance
Maestro deployments are composed of two types of appliances: the Maestro Hyperscale Orchestrator (hereafter MHO) and Gateways. Gateways are grouped into logical units called Security Groups, each of which works as an independent cluster of gateways.
The following image is an example, where the MHO has one Security Group.
LiveAssurance learns the IP address of the single management object for Security Group 1.
In both cases the management IP address is used to monitor the devices.
MHO
The management IP address must be allowed to connect via SSH.
If the MHO is clustered, both devices will be monitored automatically under the added MHO.
Security Group
The management IP address is defined when the Security Group is created in SmartConsole.
To check the management IPs defined for Security Groups, the firewall administrator should run the following CLI command on the MHO:
    show maestro security-group id <Security Group ID>
where <Security Group ID> can be:
- 1
- 2
- …
Example:
If you are unable to connect to the Security Group, please refer to:
Creating via GAiA Embedded
- Log in to the WebUI.
- Go to
- Fill in the username and password and click Apply.
- Log in with the user using SSH and type the command expert, followed by the command bash.
User on:
Connect using public/private SSH Keys
The SSH key is stored within the LiveAssurance application and not in the typical Linux OS location; therefore, device keys need to be entered individually into the WebUI, which can be done by performing the following:
- Log into the remote device.
- Make a note of which user LiveAssurance will connect with; this will be needed later. In our example below the username will be "indeni".
- To create a public/private key pair, type the following:
    ssh-keygen -t rsa -b 4096 -f indeni-ssh -N ""
- Create a folder called .ssh in the home folder of the user that Indeni will use, by typing the following:
    mkdir /home/indeni/.ssh
- Move the public key to the .ssh folder, rename it to authorized_keys and set the correct permissions by typing the following:
    mv indeni-ssh.pub /home/indeni/.ssh/authorized_keys
    chmod 700 /home/indeni/.ssh
    chmod 600 /home/indeni/.ssh/authorized_keys
  OPTIONAL: For increased security, perform the following to render the password for the "indeni" account useless, allowing only the SSH key to log in:
    dbset passwd:indeni:passwd "*"
    dbset save
- Get the output of the private key by typing the following:
    cat indeni-ssh
  Output example:
    -----BEGIN RSA PRIVATE KEY-----
    MIIJJQIBAAKCAgEAp5UbPfn36Y1NIqbvJLPWvd128IfZ1FH5gt/E=……
    -----END RSA PRIVATE KEY-----
- When adding the device into LiveAssurance, select SSH Private Key and input the entire content of the RSA output, including the "-----BEGIN RSA PRIVATE KEY-----" and "-----END RSA PRIVATE KEY-----" lines.
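The .ssh/authorized_keys steps above, as an added example that is not part of the original page or of the LiveAssurance product: a POSIX sh script that installs the public key idempotently and then verifies the permissions, so the key install can be checked before the device is added. The home directory and key file paths are parameters; /home/indeni and indeni-ssh.pub are the page's own example values.

```shell
#!/bin/sh
# Added example, not from the original page or the LiveAssurance product.
# Performs the .ssh/authorized_keys steps of the procedure above idempotently
# and verifies the result. Home directory and key paths are parameters.

# install_liveassurance_key <home_dir> <public_key_file>
# Creates <home_dir>/.ssh (mode 700) and adds the public key to
# authorized_keys (mode 600). It appends instead of the page's `mv`, so keys
# other operators already installed for the account are preserved, and it
# refuses anything that is not an OpenSSH public key line (for example the
# private key file passed by mistake).
install_liveassurance_key() {
    home_dir=$1
    pub_key=$2
    [ -d "$home_dir" ] || { echo "no home directory: $home_dir" >&2; return 1; }
    [ -f "$pub_key" ] || { echo "no public key file: $pub_key" >&2; return 1; }
    grep -Eq '^ssh-(rsa|ed25519) ' "$pub_key" \
        || { echo "$pub_key is not an OpenSSH public key" >&2; return 1; }
    ssh_dir=$home_dir/.ssh
    auth=$ssh_dir/authorized_keys
    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"
    # append the key only if this exact line is not already present
    if ! grep -qxF "$(cat "$pub_key")" "$auth" 2>/dev/null; then
        ( umask 077; cat "$pub_key" >> "$auth" )   # created as 600 from the start
    fi
    chmod 600 "$auth"
}

# verify_liveassurance_key <home_dir>
# Returns 0 only when .ssh is exactly mode 700, authorized_keys is exactly
# mode 600 and contains at least one key. This is stricter than sshd's
# StrictModes (which only rejects group/world-writable paths) and matches
# the permissions the page prescribes.
verify_liveassurance_key() {
    ssh_dir=$1/.ssh
    auth=$ssh_dir/authorized_keys
    [ -n "$(find "$ssh_dir" -prune -type d -perm 700 2>/dev/null)" ] \
        || { echo "$ssh_dir must be a directory with mode 700" >&2; return 1; }
    [ -n "$(find "$auth" -prune -type f -perm 600 2>/dev/null)" ] \
        || { echo "$auth must be a file with mode 600" >&2; return 1; }
    grep -Eq '^ssh-(rsa|ed25519) ' "$auth" \
        || { echo "$auth contains no public key" >&2; return 1; }
}

# Usage on the device, after the ssh-keygen step of the procedure above:
#   install_liveassurance_key /home/indeni indeni-ssh.pub && verify_liveassurance_key /home/indeni
```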
Frequently Asked Questions
I’ve setup the user as described, but I cannot add the device
The most common issue is that the configured user has the incorrect shell and/or incorrect permissions. Make sure that the shell is set to /bin/bash, the role is adminRole, the correct password is set and the UID is 0 (zero). To verify this, run the following Clish commands:
show user <username>
and
show rba user <username>