How to Use The Check Point Remote Installation Daemon for Firewall System Administration

October 26, 2020 David Barker David Barker

5 Min Read

Long a feature of multitasking operating systems, a daemon is a computer program that runs in the background rather than under the direct control of a user. They typically work by forwarding service requests along to other programs or processes at a designated time. If your organization utilizes the Check Point platform to manage its endpoint security, you may be familiar with the Check Point Remote Installation Daemon (CPRID).

What is the Check Point Remote Installation Daemon (CPRID)?  

Originally designed as a way for Check Point management servers to push firewall upgrade packages to gateways via SmartUpdate, the CPRID is rarely used anymore. Since the preferred method of upgrades is now through CPUSE, this method has been unsupported since R77.30. 

However, did you know this powerful but underutilized utility can be used for system administration?  

The utility cprid_util utilizes the cprid daemon to communicate with gateways over tcp port 18208. This utility has some powerful built-in features. Here are some of the things that you can do with cprid_util:

  • Upload files to a gateway: cprid_util putfile
  • Download files from a gateway: cprid_util getfile
  • Get environment variables: cprid_util getenv
  • Set environment variables: cprid_util putenv
  • Make directories: cprid_util mkdir
  • Manipulate the firewall registry: cprid_util reg_addkey
  • Reboot a gateway: cprid_util reboot

Performing System Administration Tasks with the CPRID

The commands execute as the user admin, so cprid_util commands should have full system-level privileges. With some creativity, you can perform endless varieties of system administration tasks.

For example, say you locked yourself out of the admin account and needed to create a local user. The following commands can create a local user named “dbarker” with admin privileges on a gateway with the ip 1.1.1.1:

cprid_util -server 1.1.1.1 -verbose rexec -rcmd /bin/clish -c "lock database override"

cprid_util -server 1.1.1.1 -verbose rexec -rcmd /bin/clish -c "add user dbarker uid 0 homedir /home/dbarker"

cprid_util -server 1.1.1.1 -verbose rexec -rcmd /bin/clish -c "add rba user dbarker roles adminRole"

cprid_util -server 1.1.1.1 -verbose rexec -rcmd /bin/clish -c "set user dbarker gid 100 shell /bin/bash"

cprid_util -server 1.1.1.1 -verbose rexec -rcmd /bin/clish -c "set user dbarker password-hash \$1\$Q43O\/bAm\$761B7deKoXgloZdbcjDYq\/"

cprid_util -server 1.1.1.1 -verbose rexec -rcmd /bin/clish -c "save config"

 To only reset the admin password, you could have done the following:

cprid_util -server 1.1.1.1 -verbose rexec -rcmd /bin/clish -c "set user admin password-hash \$1\$Q43O\/bAm\$761B7deKoXgloZdbcjDYq\/"

In the previous examples, the password-hash is the hashed password of a password you already know. The clish command “show configuration user” will output the hashed passwords of the configured users on the system.

It would be trivial to paste these examples into a script to do things such as adding a user to all the gateways in your environment or changing the admin password on all gateways in your environment.

Additional CPRID Commands

Here are some more examples of things that can be done with cprid_util:

Say you needed to know the hotfix version on gateway 1.1.1.1:

cprid_util -server 1.1.1.1 -verbose rexec -rcmd bash -c "cpinfo -y FW1" | grep HOTFIX | tail -1 | awk '{print $1}'

This will give you output like: 

HOTFIX_R80_40_JUMBO_HF_MAIN Take:  67

Here’s a simple script that will allow you to execute single clish commands on a remote gateway:

#!/bin/bash

S=$1

shift

C=$@

echo "$C"

$CPDIR/bin/cprid_util -server $S -verbose rexec -rcmd /bin/clish -c "$C"

You could name it rcli.sh and this is an example of its usage:

[Expert@cpfw1:0]# ./rcli.sh 192.168.143.1 "show route"

show route

Codes: C - Connected, S - Static, R - RIP, B - BGP (D - Default),

       O - OSPF IntraArea (IA - InterArea, E - External, N - NSSA),

       A - Aggregate, K - Kernel Remnant, H - Hidden, P - Suppressed,

       U - Unreachable, i - Inactive

S               0.0.0.0/0           via 192.168.145.1, eth2, cost 0, age 93300  

S               4.2.2.2/32          via 192.168.144.1, eth1, cost 0, age 93300  

S               8.8.8.8/32          via 192.168.145.1, eth2, cost 0, age 93300  

C               10.110.26.32/30     is directly connected, eth1.104  

S               13.89.113.17/32     via 192.168.144.1, eth1, cost 0, age 93300  

C               127.0.0.0/8         is directly connected, lo  

C               192.168.0.60/30     is directly connected, eth1.103  

C               192.168.143.0/24    is directly connected, eth0  

C               192.168.144.0/24    is directly connected, eth1  

C               192.168.145.0/24    is directly connected, eth2  

With a little imagination, you can perform quite a bit of system administration and automation. For example, cprid_util can be used to install hotfixes remotely. You can upload files to a gateway with the putfile option and then using the rexec option you could run commands on that file. Another function might be to use the cprid_util to download files from a gateway using the getfile option. This combined with the rexec option would allow you to run and collect debugs remotely from a gateway. The system administration possibilities are nearly endless.

Ready to Learn More About the Latest Cybersecurity Practices?

Like what you just learned? The Compuquip team is always on the lookout for tips and tricks to help our customers shore up their cybersecurity vulnerabilities. Subscribe to our blog today to find out what we’ve learned and see how you can apply those best practices to improve your cybersecurity and infrastructure. 

Download Now

cdo-guide-to-omnichannel-security