You can definitely create multiple admins on a CLM without a problem;
however, as far as I know there is no way available to configure
SecurID authentication or even otherwise. In a Provider-1 environment,
MSPs have been facing issues related to CLM admin account management
for quite some time. For example, you cannot manage these independent
CLMs' admin accounts via the MDG, and in a large deployment this has caused
consternation if not outright frustration among administrators.
Perhaps you can submit an RFE and take it up with the Check Point account
team to follow up.

my 2c,

hth,

Rajeev


On 3/2/06, cisco4ng <[EMAIL PROTECTED]> wrote:
> Chkp tech,
>
>   I usually agree with you 99% of the time; however, I have to disagree with
>   you on this issue.
>
>   I've a live NGx R60A standalone log server and I can create multiple
>   read/write and read accounts on this standalone log server.  The command to
>   do that is "fwm -a xxx" where xxx is the username that I want to create.
>   During the "fwm -a xxx" process, I can assign read/write or read permission
>   for the xxx user account.  After creating the account, I can log into
>   SmartView Tracker with the xxx user account.  If I want to delete the xxx
>   user account, I can use "cpconfig" to delete that account.  To say that
>   there can be ONLY 1 administrator account created at the command line is
>   NOT accurate.  Having said that, I am not sure if Checkpoint supports
>   having more than 1 Administrator.
>
>   However, going back to my original question, I honestly think it is
>   possible to authenticate users logging into the standalone log server via
>   SmartView Tracker with RSA SecurID because the standalone log server is an
>   independent entity from everything else so that there is NO SmartDashboard
>   to create Administrator accounts and assign SecurID authentication
>   credentials.
>
>   Thank you everyone for the replies.
>
>   cisco4ng
>
>
> chkp tech <[EMAIL PROTECTED]> wrote:
>   From what I understand, the standalone implementation of a CLM (stand alone
> log server) can only have one login for that server. I haven't personally
> tested this, but I have heard issues regarding this and it makes sense.
> Here's what I've heard.... Since a CLM is managed by local users as opposed
> to authenticating to an MLM, it can only have one administrator account
> (created at the command line). Then since you can only login to the machine
> read-only with the GUI, it isn't possible to create another admin/user.
> From what I understand, this will be resolved in R61, but who knows if
> that's the case. Again, I've never tried this in person so I can't say for
> 100% certain. YMMV.
>
> Jason
>
> On 3/1/06, cisco4ng wrote:
> >
> > Hello gurus,
> >
> > I am helping out a friend. His Checkpoint contract expired two days ago
> > and the contract renewal is waiting for renewal by bean counters and it
> > could take up to three weeks to get this done.
> >
> > Can someone in this group help me with this problem?
> >
> > I have an NGx R60A CLM (aka standalone log server) running on SPLAT.
> > I can receive logs from the SPLAT Enforcement Module just fine. I can
> > log into this CLM Server with SmartView Tracker with the user account
> > "admin" when I run "cpconfig" and also with the account when I run the
> > command "fwm -a cisco4ng". Both of those accounts work fine.
> >
> > Now I would like to authenticate users when they use Smartview
> > Tracker to log into the CLM via RSA SecurID. I know how to do this
> > with Checkpoint Provider-1. In provider-1 environment, I just have
> > to put the sdconf.rec into /var/ace directory, create an account and
> > specify SecurID as a method of authentication. After that, I run
> > "mdsstop;mdsstart" and I can authenticate users with SecurID when they
> > log into the MDG.
> >
> > However, with the CLM, I can create the /var/ace directory on the CLM
> > box, place the sdconf.rec in the /var/ace directory, run "cprestart".
> > But how can I create the user to authenticate with SecurID
> > authentication?
> > Remember this is a standalone CLM, therefore, there is no SmartDashboard
> > interface for me to create user(s).
> >
> > I really do not know what to do. It seems like every time I opened a
> > TAC case with Checkpoint regarding SecurID, the Checkpoint TAC's
> > knowledge about Checkpoint and SecurID integration is just as bad
> > as mine.
> >
> > Has anyone successfully done this before with stand alone CLM and
> > RSA SecurID authentication?
> >
> > TIA
> > cisco4ng
> >
> >
> > =================================================
> > To set vacation, Out-Of-Office, or away messages,
> > send an email to [EMAIL PROTECTED]
> > in the BODY of the email add:
> > set fw-1-mailinglist nomail
> > =================================================
> > To unsubscribe from this mailing list,
> > please see the instructions at
> > http://www.checkpoint.com/services/mailing.html
> > =================================================
> > If you have any questions on how to change your
> > subscription options, email
> > [EMAIL PROTECTED]
> > =================================================
> >
