https://community.checkpoint.com/t5/Firewall-and-Security-Management/Export-Firewall-configuration/m-p/90145#M6896 <P>Hi Mates,</P><P>I am using 2 x CheckPoint 5600 Firewall in my workplace.<BR />We are requested by our Internal Audit that we need to export and review the Firewall configuration periodically.<BR />I am the only person here who hold the Firewall Administrator password, and I am not allow to share out the admin pwd.<BR /><BR />Can anyone guide me on how to create a READ ONLY account that can export the FireWall Configuration file?<BR /><BR />thank you very much.<BR />---david</P> Tue, 30 Jun 2020 05:54:48 GMT davidso 2020-06-30T05:54:48Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Export-Firewall-configuration/m-p/90145#M6896 <P>Hi Mates,</P><P>I am using 2 x CheckPoint 5600 Firewall in my workplace.<BR />We are requested by our Internal Audit that we need to export and review the Firewall configuration periodically.<BR />I am the only person here who hold the Firewall Administrator password, and I am not allow to share out the admin pwd.<BR /><BR />Can anyone guide me on how to create a READ ONLY account that can export the FireWall Configuration file?<BR /><BR />thank you very much.<BR />---david</P> Tue, 30 Jun 2020 05:54:48 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Export-Firewall-configuration/m-p/90145#M6896 davidso 2020-06-30T05:54:48Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Export-Firewall-configuration/m-p/90167#M6899 <P>What kind of export? MGMT database? OS settings? Please elaborate</P> Tue, 30 Jun 2020 08:21:22 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Export-Firewall-configuration/m-p/90167#M6899 _Val_ 2020-06-30T08:21:22Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Export-Firewall-configuration/m-p/90173#M6900 <P>Only the OS settings.&nbsp; thank you.</P> Tue, 30 Jun 2020 09:18:43 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Export-Firewall-configuration/m-p/90173#M6900 davidso 2020-06-30T09:18:43Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Export-Firewall-configuration/m-p/90174#M6901 <P>according to some experts they mention something adding a RULE to allow these READ ONLY accounts to access SSH and the WEB interface that can serve the same purpose.&nbsp; Can you please guide me through how to set this rule(s)?&nbsp; Many Many thanks. --david</P> Tue, 30 Jun 2020 09:20:53 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Export-Firewall-configuration/m-p/90174#M6901 davidso 2020-06-30T09:20:53Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Export-Firewall-configuration/m-p/90175#M6902 <P>You need to set up a new OS account and assign it to monitorOnly role<BR /><BR />Read the Gaia admin guide for more details.<A href="https://sc1.checkpoint.com/documents/R80.40/WebAdminGuides/EN/CP_R80.40_Gaia_AdminGuide/Content/Topics-GAG/Roles.htm?tocpath=User%20Management%7CRoles%7C_____0" target="_blank">https://sc1.checkpoint.com/documents/R80.40/WebAdminGuides/EN/CP_R80.40_Gaia_AdminGuide/Content/Topics-GAG/Roles.htm?tocpath=User%20Management%7CRoles%7C_____0</A></P> Tue, 30 Jun 2020 09:34:57 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Export-Firewall-configuration/m-p/90175#M6902 _Val_ 2020-06-30T09:34:57Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Export-Firewall-configuration/m-p/90181#M6903 <P>Hi _Val_, The two READ ONLY accounts that i mentioned were exactly in the MonitorRole.&nbsp; But they seem do not have the privilege to export the configuration nor ssh-in.&nbsp; thanks. --david&nbsp;</P> Tue, 30 Jun 2020 09:45:19 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Export-Firewall-configuration/m-p/90181#M6903 davidso 2020-06-30T09:45:19Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Export-Firewall-configuration/m-p/90193#M6905 <P>Incorrect. You already have built-in monitor user in Gaia. Alternatively, create a new and assign monitorOnly role to it.<BR /><BR />This user (you will have to reset its password) is allowed to SSH, CLISH only. It can run "show..." commands. In this context, "show configuration" is what you are looking for.</P> <P>It will not "export" config out, but will allow auditors to see output of config as part of the ssh session. They can log the session and use the data.&nbsp;</P> <P>You do not want to give read-only users access to expert. If you are looking for a capability to send a file out, that is exactly the issue. Expert mode trumps all CLISH restrictions.</P> Tue, 30 Jun 2020 12:33:51 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Export-Firewall-configuration/m-p/90193#M6905 _Val_ 2020-06-30T12:33:51Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Export-Firewall-configuration/m-p/90293#M6908 <P>thank you!</P> Wed, 01 Jul 2020 11:48:48 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Export-Firewall-configuration/m-p/90293#M6908 davidso 2020-07-01T11:48:48Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Export-Firewall-configuration/m-p/90309#M6909 <P>you are welcome</P> Wed, 01 Jul 2020 11:49:04 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Export-Firewall-configuration/m-p/90309#M6909 _Val_ 2020-07-01T11:49:04Z