Adding Check Point Gaia Systems
If you are adding Check Point Gaia systems, you must install and start the SSH server on the target system before you can connect using Privileged Access Service. You can add a user name and password for an account to be used to access the system using a secure shell session when adding the system or at a later time.
For any account you add, you can choose whether you want the Privileged Access Service to manage the account password. If you select Manage this credential, the Privileged Access Service automatically changes the password immediately after the account and system are added and each time the account is checked in.
If you select Manage this credential, keep in mind that the Privileged Access Service can only manage passwords for privileged user accounts that have sufficient rights to configure and save settings. In addition, if there are any pending changes for other user accounts, those changes will be saved when the Privileged Access Service updates a managed password.
However, if a user or a session takes the configuration lock, or runs the command that unlocks the system database in order to make configuration changes, the Privileged Access Service will not rotate or update any passwords until the lock is released. By default, this can delay a password update by up to five minutes. You should also avoid taking the configuration lock with the lock database override command, because a password change could then remain unsaved until the next time the system is rebooted, which locks the managed account and prevents it from being used.
If you must take over a managed account to make configuration changes, you should use the less forceful lock database command to prevent the Privileged Access Service from attempting to rotate or change a managed password before making your changes.
For more information about password and system management for Check Point Gaia systems, see the following topics:
Password Complexity Rules
All managed passwords generated by the Privileged Access Service consist of at least one upper case letter, one lower case letter, one number, and one special character regardless of the system type. For Check Point systems, the following additional password rules apply:
- The password length is 6 to 128 characters
- The password complexity policy states how many character classes must be included. Characters in the password are divided into four classes: upper case alphabetic (A-Z), lower case alphabetic (a-z), digits (0-9), and all other characters. Therefore, a password complexity value of 3 allows passwords like abc123! or abcDEF5, but not abcXYZ.
- The password can include special characters, but the first character cannot be an asterisk (*) or the user will not be able to log on to the operating system.
If the first character of the password for the expert mode user is an asterisk (*), a factory reset will be required. Therefore, the default password profile for Check Point Gaia systems does not include the asterisk (*) as a supported special character. If you clone the default profile or use another profile to create a custom password profile, you should be aware of the restrictions on special characters for the specific operating system you are using.
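The rules above can be checked before a custom password profile is put into use. The following is an added example, not code from the Privileged Access Service or from Check Point: it encodes the length range, the four character classes with a configurable complexity value, and the leading-asterisk restriction, and it generates candidate passwords that satisfy all of them. The set of allowed special characters is a constructed assumption standing in for whatever your profile permits; the default Gaia profile described above excludes the asterisk entirely.

```python
import secrets
import string
from typing import List

# Character classes as the page defines them for Check Point Gaia.
UPPER = set(string.ascii_uppercase)
LOWER = set(string.ascii_lowercase)
DIGITS = set(string.digits)
# "All other characters" that a profile might allow. Constructed example set;
# the default Gaia profile excludes '*', so it is deliberately absent here.
SPECIALS = set("!@#$%^&()-_=+[]{};:,.?")

MIN_LEN, MAX_LEN = 6, 128


def character_classes(password: str) -> int:
    """Count how many of the four Gaia character classes appear in the password."""
    chars = set(password)
    classes = 0
    classes += bool(chars & UPPER)
    classes += bool(chars & LOWER)
    classes += bool(chars & DIGITS)
    classes += bool(chars - UPPER - LOWER - DIGITS)  # "all other characters"
    return classes


def check_gaia_password(password: str, complexity: int = 3) -> List[str]:
    """Return the list of rule violations; an empty list means the password is acceptable."""
    problems = []
    if not MIN_LEN <= len(password) <= MAX_LEN:
        problems.append(f"length {len(password)} is outside {MIN_LEN}-{MAX_LEN}")
    found = character_classes(password)
    if found < complexity:
        problems.append(f"only {found} of the {complexity} required character classes present")
    if password.startswith("*"):
        # A leading '*' prevents OS logon; for the expert user it forces a factory reset.
        problems.append("first character is '*'")
    return problems


def generate_gaia_password(length: int = 20, complexity: int = 3) -> str:
    """Generate a password that passes check_gaia_password().

    Mirrors the page's statement that managed passwords always contain at least
    one character from every class, regardless of the complexity value.
    """
    if not MIN_LEN <= length <= MAX_LEN or length < 4:
        raise ValueError("length must be within the Gaia range and hold all four classes")
    pools = [sorted(UPPER), sorted(LOWER), sorted(DIGITS), sorted(SPECIALS)]
    # One guaranteed character from each class, then fill from the union.
    chars = [secrets.choice(pool) for pool in pools]
    everything = sorted(UPPER | LOWER | DIGITS | SPECIALS)
    chars += [secrets.choice(everything) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)
    candidate = "".join(chars)
    # SPECIALS excludes '*', so this can only fail if the pools are edited badly.
    assert not check_gaia_password(candidate, complexity)
    return candidate


if __name__ == "__main__":
    # The page's own illustrations of complexity value 3.
    for sample in ("abc123!", "abcDEF5", "abcXYZ", "*bcDEF5"):
        print(f"{sample!r}: {check_gaia_password(sample) or 'ok'}")
    print("generated:", generate_gaia_password())
```

Run the module directly to see the page's three sample passwords classified, plus the leading-asterisk case, followed by one freshly generated password that satisfies the default profile.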
Using Expert Mode
There are two modes of operation for managing Check Point Gaia systems when you access the system through secure shell session. The default mode for running system-specific administrative tasks uses the clish shell environment. The second mode of operation is called the expert mode and runs in a bash shell environment. When running in the expert mode, you can perform administrative tasks that affect the underlying operating system.
To enter the expert mode, you enter the expert password. If you want to store and manage the password for the expert mode, you must specify a local administrative account for the system. The local administrative account must have the privileges that are required to manage the password for expert mode. For example, the administrative account must have the following features enabled: selfpasswd, expert, expert-password, and version.
The local administrative account you specify for a system should be a dedicated account that is used exclusively by the Privileged Access Service. You can have the password for both the local administrative account and expert mode managed by the Privileged Access Service to avoid password changes by other users who have administrative privileges.
If you want to store and manage the password for expert mode, there are restrictions on the actions available for both the expert mode password and the local administrative account that has access to the expert mode. For example, you cannot select the Login action for the expert mode password because that action could be used to compromise the login shell for the local administrative account. Similarly, because the local administrative account is used internally to provide access to the expert mode password, you cannot select the Login, Checkout, Rotate Password, or Delete actions when you select an account currently designated as the local administrative account on a Check Point Gaia system.