
How to Connect on a Check Point SPLAT or Gaia Gateway with a SFTP/SCP Client

This tutorial describes the procedure a Check Point administrator should follow to be able to use SFTP (Secure File Transfer Protocol) or SCP (Secure Copy Protocol) for transferring files to or from a Check Point (CP) SecurePlatform (SPLAT) or Gaia gateway.
The main question is this: why can a CP SPLAT or Gaia gateway not be accessed with an SFTP/SCP client (e.g. WinSCP), even though the gateway is reachable via SSH (Secure Shell, TCP port 22)?
Before answering that question, it is important to mention that an authorized user (for example the network security administrator) can use SSH to access a CP SPLAT/Gaia gateway in two modes:
  • Standard Mode is the default mode an administrator lands in when first accessing the CP SPLAT gateway via SSH with the “admin” user credentials. In this mode the user is logged in with administrator permissions but can perform only a limited set of operations on the gateway. The shell assigned to a user accessing a CP SPLAT gateway in Standard Mode (via SSH) is /bin/cpshell. On CP Gaia gateways, /bin/cli.sh is the shell assigned for Standard Mode access (the equivalent of /bin/cpshell on SPLAT).
  • Expert Mode gives the logged-in user full UNIX root permissions and a full UNIX shell (/bin/bash). Keep in mind that an authorized user cannot use SSH to log in directly in Expert Mode. Instead, he has to log in in Standard Mode first, then type the command expert and provide the expert password to enter Expert Mode. The /bin/bash shell is defined on both SPLAT and Gaia gateways.
So back to our question:
“Why can a CP SPLAT or Gaia gateway not be accessed with an SFTP/SCP client via port 22 (SSH)?”
The answer is simple:
If the administrator tries to access the gateway through an SFTP/SCP client as the admin user (Standard Mode), he receives an “access denied” message, because in Standard Mode read (e.g. directory listing) and write permissions are restricted. Moreover, if the administrator tries to access the CP SPLAT/Gaia gateway with an SFTP/SCP client as the expert user (full root permissions), access is also denied, because Expert Mode cannot be entered directly: the SFTP/SCP client never gets the chance to run the expert command.
To solve the problem, we can follow a simple procedure:
1) Change the shell assigned to the admin user from /bin/cpshell (or /bin/cli.sh on Gaia), the Standard Mode shell, to /bin/bash (Expert Mode)
2) Access the CP SPLAT/Gaia gateway from an SFTP/SCP client (e.g. WinSCP) as admin and perform all required file transfers
3) Re-assign the /bin/cpshell (or /bin/cli.sh) shell to the admin user
Assigning a different shell to the admin user is straightforward. First, access the CP SPLAT/Gaia gateway via SSH, then execute the commands shown below:

login as: admin
admin@x.x.x.x password:
[CPFIREWALL]# expert
Enter expert password:
You are in expert mode now.
[Expert@CPFIREWALL]# chsh -s /bin/bash admin
Changing shell for admin.
Shell changed.
[Expert@CPFIREWALL]#
Then you may proceed with accessing the CP SPLAT/Gaia gateway through an SFTP/SCP client, as admin.
Figure 01: Login on CP SPLAT gateway with WinSCP (SFTP) as admin
Figure 02: Directory listing of CP SPLAT gateway after successful login with WinSCP client
After performing all required file transfers to/from the CP SPLAT/Gaia gateway you must re-assign /bin/cpshell (or /bin/cli.sh for Gaia) to the admin user. Do not skip this step: while admin's shell is /bin/bash, every SSH login as admin lands directly in a root shell without the expert password being asked, which defeats the two-mode design described above.
[Expert@CPFIREWALL]# chsh -s /bin/cpshell admin
Changing shell for admin.
Warning: “/bin/cpshell” is not listed in /etc/shells
Shell changed.
[Expert@CPFIREWALL]#
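Because step 3 is easy to forget, here is a small audit helper (an added example, not part of the original post) that checks whether the admin account has been left with /bin/bash as its login shell. It reads a passwd-format file, so it can be run against /etc/passwd in Expert Mode on the gateway or against a copy reviewed offline; the platform name ("splat" or "gaia") selects the expected restricted shell.

```shell
#!/bin/sh
# Audit helper: report whether the "admin" account still has /bin/bash as its
# login shell, i.e. whether the shell was not restored after an SFTP/SCP session.

# Print the login shell of USER from the passwd-format FILE; fail if USER is absent.
login_shell() {  # usage: login_shell FILE USER
    awk -F: -v u="$2" '$1 == u { print $7; found = 1 } END { exit !found }' "$1"
}

# Restricted Standard Mode shell per platform: SPLAT -> /bin/cpshell, Gaia -> /bin/cli.sh
expected_shell() {  # usage: expected_shell splat|gaia
    case "$1" in
        splat) echo /bin/cpshell ;;
        gaia)  echo /bin/cli.sh ;;
        *)     echo "unknown platform: $1" >&2; return 2 ;;
    esac
}

# Return 0 when admin has the expected restricted shell, 1 when it has any other
# shell (typically /bin/bash left over from the procedure), 2 on usage errors.
check_admin_shell() {  # usage: check_admin_shell FILE splat|gaia
    want=$(expected_shell "$2") || return 2
    have=$(login_shell "$1" admin) || { echo "admin: no such account in $1" >&2; return 2; }
    if [ "$have" = "$want" ]; then
        echo "admin shell OK: $have"
        return 0
    fi
    echo "WARNING: admin shell is $have, expected $want; run: chsh -s $want admin" >&2
    return 1
}

# Stand-alone demo on a constructed passwd fragment (not from a real gateway).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
root:x:0:0:root:/root:/bin/bash
admin:x:0:0::/home/admin:/bin/bash
EOF
check_admin_shell "$SAMPLE" splat || echo "audit finished with status $?"
rm -f "$SAMPLE"
```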