There are two modes of operation for managing Check Point Gaia systems when you access the system through a secure shell (SSH) session. The default mode, used for system-specific administrative tasks, runs in the clish shell environment. The second mode of operation is called the expert mode and runs in a bash shell environment. When running in the expert mode, you can perform administrative tasks that affect the underlying operating system.
To enter the expert mode, you enter the expert password. If you want to store and manage the password for the expert mode, you must specify a local administrative account for the system. The local administrative account must have the privileges that are required to manage the password for expert mode. For example, the administrative account must have the following features enabled: selfpasswd, expert, expert-password, and version.
The local administrative account you specify for a system should be a dedicated account that is used exclusively by the Privileged Access Service. You can have the password for both the local administrative account and expert mode managed by the Privileged Access Service to avoid password changes by other users who have administrative privileges.
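The following clish session is an added example, not part of the original documentation, showing one way to create a dedicated local account that holds only the four features listed above. The role name, user name, and uid are hypothetical, and granting the features as read/write is an assumption, because the text above does not state the access level.

```clish
# Added example; pas-expert-mgmt, pas-svc and uid 2600 are hypothetical names/values.
# Role limited to the features the expert-mode password management requires.
# Assumption: all four features are granted read/write.
add rba role pas-expert-mgmt domain-type System readwrite-features selfpasswd,expert,expert-password,version

# Dedicated local account, used only by the Privileged Access Service.
add user pas-svc uid 2600 homedir /home/pas-svc

# Prompts interactively for the initial password.
set user pas-svc password

# Bind the account to the restricted role and nothing else.
add rba user pas-svc roles pas-expert-mgmt

# Persist the change across reboots.
save config
```

Keeping the account out of broader roles such as adminRole limits what a compromise of the stored credential exposes.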
If you want to store and manage the password for expert mode, there are restrictions on the actions available for both the expert mode password and the local administrative account that has access to the expert mode. For example, you cannot select the Login action for the expert mode password because that action could be used to compromise the login shell for the local administrative account. Similarly, because the local administrative account is used internally to provide access to the expert mode password, you cannot select the Login, Checkout, Rotate Password, or Delete actions when you select an account currently designated as the local administrative account on a Check Point Gaia system.