https://community.checkpoint.com/t5/Firewall-and-Security-Management/R80-20-restrict-user-access-to-perform-only-specific-commands/m-p/80131#M6151 <P>I saw this info earlier already. Point is that&nbsp;<SPAN>User Defined (Extended) Commands requires path to the script.<BR />I am not good at scripting, and what if i would like to create extended command for already existing command like 'fw ctl conntab'?&nbsp; Is there already script written for that in the system that i could point to in the extended command?</SPAN></P> Sun, 29 Mar 2020 20:19:35 GMT trawa05 2020-03-29T20:19:35Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/R80-20-restrict-user-access-to-perform-only-specific-commands/m-p/79964#M6145 <P>Hey,</P><P>I got a very specific requirement to allow a user access the gateway and get info about 3 things:<BR />a) session table<BR />b) NAT session table<BR />c) arp table<BR /><BR />So i am looking how i could create a user profile that could execute 3 (and only 3) specific commands on CLI.<BR /><BR />I would be glad if you could come with any ideas.<BR /><BR />Thank you!</P> Fri, 27 Mar 2020 19:12:21 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/R80-20-restrict-user-access-to-perform-only-specific-commands/m-p/79964#M6145 trawa05 2020-03-27T19:12:21Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/R80-20-restrict-user-access-to-perform-only-specific-commands/m-p/80050#M6146 Two topics you need to refer to in the Gaia Admin Guide: <A href="https://sc1.checkpoint.com/documents/R80.20_GA/WebAdminGuides/EN/CP_R80.20_Gaia_AdminGuide/html_frameset.htm" target="_blank">https://sc1.checkpoint.com/documents/R80.20_GA/WebAdminGuides/EN/CP_R80.20_Gaia_AdminGuide/html_frameset.htm</A><BR />User Defined (Extended) Commands<BR />Role Based Access<BR /><BR />Between those two features, you can achieve what you're after. Sat, 28 Mar 2020 02:41:07 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/R80-20-restrict-user-access-to-perform-only-specific-commands/m-p/80050#M6146 PhoneBoy 2020-03-28T02:41:07Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/R80-20-restrict-user-access-to-perform-only-specific-commands/m-p/80131#M6151 <P>I saw this info earlier already. Point is that&nbsp;<SPAN>User Defined (Extended) Commands requires path to the script.<BR />I am not good at scripting, and what if i would like to create extended command for already existing command like 'fw ctl conntab'?&nbsp; Is there already script written for that in the system that i could point to in the extended command?</SPAN></P> Sun, 29 Mar 2020 20:19:35 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/R80-20-restrict-user-access-to-perform-only-specific-commands/m-p/80131#M6151 trawa05 2020-03-29T20:19:35Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/R80-20-restrict-user-access-to-perform-only-specific-commands/m-p/80133#M6152 Giving access to generic binary like "fw" gives you access to a LOT of things.<BR /><BR />To ensure only the appropriate commands can be run, you have to write a script that calls the necessary command(s).<BR />This script would not be terribly complex.<BR />In addition to the command you wish to run, make sure the appropriate environment variables are included, as shown here: <A href="https://community.checkpoint.com/t5/API-CLI-Discussion-and-Samples/Add-sources-inside-bash-scripts/m-p/72630" target="_blank">https://community.checkpoint.com/t5/API-CLI-Discussion-and-Samples/Add-sources-inside-bash-scripts/m-p/72630</A><BR /><BR />Another approach is to see if what you're after can be achieved through Dynamic CLI which adds a bunch of other commands to clish, which can be subject to Role-Based Access.<BR />See: <A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk144112" target="_blank">https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk144112</A><BR /> Sun, 29 Mar 2020 21:34:31 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/R80-20-restrict-user-access-to-perform-only-specific-commands/m-p/80133#M6152 PhoneBoy 2020-03-29T21:34:31Z