topic Re: Define user with specific privileges in Firewall and Security Management

Define user with specific privileges

Leonardo_Tessar — Fri, 29 Mar 2019 16:48:46 GMT

I need to define a user with only the privileges to execute the "pdp control revoke_ip x.x.x.x" command.
Do you know if is it possible?

Re: Define user with specific privileges

PhoneBoy — Sat, 30 Mar 2019 15:59:53 GMT

Yes, using the Dynamic CLI and Role Based Access. Create the relevant command via the Dynamic CLI feature, assign the specific command to a specific role in Gaia, and assign the desired user that specific role.

Re: Define user with specific privileges

Leonardo_Tessar — Mon, 01 Apr 2019 16:20:45 GMT

Thank you, I've installed the Dynamic CLI but I can't find an equivalent command to "pdp control".
Could you explain how to create it via Dynamic CLI ?

Re: Define user with specific privileges

PhoneBoy — Tue, 02 Apr 2019 01:58:32 GMT

I was mistaken that Dynamic CLI is required. Instead, you need to use a feature in Gaia called "User Defined (Extended) Commands" as described in the Gaia Admin Guide: https://sc1.checkpoint.com/documents/R80.20.M2/WebAdminGuides/EN/CP_R80.20_M2_Gaia_AdminGuide/html_frameset.htm

Re: Define user with specific privileges

Leonardo_Tessar — Tue, 02 Apr 2019 07:16:26 GMT

I checked the list of available extended commands but I didn't find the "pdp".

I tried anyway to add the new command:

> add command revokeip path /opt/CPsuite-R80.20/fw1/bin/pdp "Revoke session from the given ip"

but I get this error:

CLINFR0329 Invalid command

Re: Define user with specific privileges

PhoneBoy — Tue, 02 Apr 2019 15:38:44 GMT

You missed a parameter in your command:

gw> add command revokeip path /opt/CPsuite-R80.20/fw1/bin/pdp description "Revoke session from the given IP"
Command (revokeip) was added.
Save the configuration and re sign in for changes to take place.
gw> save config

Once you log out/back in, you can use your revokeip command, which calls the pdp binary.

gw> revokeip
Command: root

Available options:
debug - control debug messages
tracker - tracker options
connections - pdp connections information
network - pdp network information
status - pdp status information
control - pdp control commands
monitor - display monitoring data
update - recalculate users and machines group membership (deleted accounts will not be updated)
vpn - display connected vpn gateways that send vpn client identity data
ad - operations related to AD Query
timers - show pdp timers information
nested_groups - nested groups configuration
auth - authentication/authorization options
radius - radius accounting options
ifmap - monitor/control IFMAP
idc - operations related to Identity Collector
tasks_manager - the task manager menu
topology_map - show topology mapping debug info. usage: topology_map [raw]

gw>

If you want to restrict the pdp binary to specific options, then create a shell scrip that calls the pdp binary with the specific options you're interested in.

Re: Define user with specific privileges

asher — Sun, 26 Apr 2020 15:18:51 GMT

"If you want to restrict the pdp binary to specific options, then create a shell scrip that calls the pdp binary with the specific options you're interested"

Can you please explain how to allow user run only spesific option on command?

We have user that access to bin bash shell from phyton and we want to allow him run only: fw hashta and not all fw tree options.

Re: Define user with specific privileges

PhoneBoy — Sun, 26 Apr 2020 15:55:03 GMT

The easiest thing to do is write a script that calls the binary with the specific allowed options.
Then you can add that script as a command as shown here.