
Saturday, November 9, 2013

Smart-1 25 LOM password not valid after firmware upgrade

There is an SK article for upgrading the LOM firmware to overcome vulnerabilities present in previous versions of the LOM firmware.

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk94228

We have a Smart-1 25 appliance that was affected by this vulnerability, and we proceeded to upgrade the firmware to the recommended version.
After the upgrade it prompted me to reset the admin password, and I reset the password that had been set up earlier.
After resetting the password I was prompted to log back in, and that is where the drama started: it didn't accept my password.
Then I found a very useful article in the CPUG forum on resetting the LOM settings.
I proceeded to reset the password; the method worked fine the first time and I was able to set the password again.
The procedure can be found at the following link:
https://www.cpug.org/forums/showthread.php/12778-Reset-LOM-password?p=81394#post81394
I have to say that there is nothing wrong with this article, and it works fine.
But unfortunately I made the same mistake of entering a too complex password, so I ended up with the same issue as before.
For some weird reason I couldn't boot the LOM using the reset user name.
But what I noticed is that the complex password I had set up in the WebUI works fine for the LOM
maintenance mode, i.e. after booting using bootfmh and hitting y when prompted to go to maintenance mode.
The thing is, you can no longer simply enter ./reset.sh there.
What you can do instead is use the find command to locate the reset.sh file:
find / -name reset.sh
You will get the exact path of the file; from memory it is located in the www directory.
You can execute this script to reset the LOM configuration.

Unfortunately I didn't want to spend more time on this looking at the content of the script (I was fed up with doing the upgrade on the management server; in fact I ended up spending most of my time resetting the LOM password rather than upgrading the Smart-1 25 to R77 during the change window).



Multiple SNMP communities in GAiA R76 and R77

When using SPLAT, we can edit most of the OS-level files to do customisation. One such file is the SNMP configuration file.
For instance, if you need to add multiple SNMP read-only communities, you can add all the communities by editing /etc/snmp/snmpd.users.conf.
With the introduction of GAiA we can't edit snmpd.conf manually, and there is no snmpd.users.conf file in the /etc/snmp directory.

In GAiA, the SNMP settings are configured either using the WebUI or using clish commands. But with these two options you can only define one read-only and one read-write community.

But from R76 and above there is a built-in file in the /etc/snmp directory for all the user-defined SNMP settings:
/etc/snmp/userDefinedSettings.conf

This file can be used like the snmpd.users.conf file on SPLAT. Before editing this file, you have to stop the SNMP agent.

So if you want to add an additional read-only community, edit this file, add the following line and save it.

rocommunity <additional ro community>

After saving this file, you need to re-enable the SNMP agent.

The thing is, when you issue the clish command "show snmp communities" you will not see the additional communities that you have defined this way.
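Because the extra communities are invisible to "show snmp communities", the file itself is the only place to audit them. The following is an added example, not part of the original post or Check Point's tooling: it lists every rocommunity/rwcommunity entry in a userDefinedSettings.conf-style file and flags read-write or well-known default strings, using a constructed sample file in place of the real /etc/snmp/userDefinedSettings.conf.

```shell
#!/bin/sh
# Added example: audit the community strings defined in GAiA's
# /etc/snmp/userDefinedSettings.conf (R76 and above), which clish does not list.
# The file path is a parameter so the functions can run against a copy or a sample.

# Print "ro NAME" / "rw NAME" for each community line, skipping comments and
# blank lines (net-snmp syntax: rocommunity NAME [SOURCE [OID]]).
list_snmp_communities() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        $1 == "rocommunity" || $1 == "rocommunity6" { print "ro", $2 }
        $1 == "rwcommunity" || $1 == "rwcommunity6" { print "rw", $2 }
    ' "$1"
}

# Return 0 when the file defines no read-write community and no default string
# (public/private); otherwise print the offending entries and return 1.
check_snmp_communities() {
    list_snmp_communities "$1" | awk '
        $1 == "rw" { print "read-write community defined: " $2; bad = 1 }
        $2 == "public" || $2 == "private" { print "default community string in use: " $2; bad = 1 }
        END { exit (bad ? 1 : 0) }
    '
}

# Constructed sample standing in for /etc/snmp/userDefinedSettings.conf.
SAMPLE="${TMPDIR:-/tmp}/userDefinedSettings.sample.conf"
cat > "$SAMPLE" <<'EOF'
# user defined snmp settings (constructed sample)
rocommunity monitoring-ro 10.0.0.0/8
rocommunity public
rwcommunity netops-rw 192.168.1.10
EOF

# On a real appliance, stop the agent before editing the file and re-enable it
# afterwards (clish: set snmp agent off / set snmp agent on), as the post describes.
list_snmp_communities "$SAMPLE"
check_snmp_communities "$SAMPLE" || echo "review the communities listed above"
```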

In the initial releases of GAiA the /etc/snmp/userDefinedSettings.conf file is not present.

The SK article sk79280 explains in detail how to add SNMP user-defined settings.

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk79280

This article is very useful if you are running GAiA versions below R76.