'run-script' api command restrictions for 3rd party management tools

Hello, dear colleagues!

A few weeks ago our company faced an issue with the integration between CheckPoint and a 3rd party management solution (in our case, Skybox). According to the Skybox documentation, since version R80.10 their system should use API commands instead of the OPSEC CPMI protocol. What's more, CheckPoint also doesn't recommend using OPSEC CPMI commands for R80 management, considering this protocol deprecated; see sk63026. After some tests in a lab environment we concluded that Skybox really couldn't use the CPMI protocol for R80.10+ versions and that their decision to use the API was right. But Skybox insists on using a super-user account, and that is totally unacceptable.

The point is that we don't trust the Skybox product enough to assign it super-user privileges. Furthermore, we have a strict responsibility boundary between the IT and security departments, and the Skybox administrators are employees of the security dept. who shouldn't have permission to write to the CheckPoint rulebase and configuration.

During the investigation we understood that Skybox didn't receive the 'netstat -rne' and 'ifconfig' output after polling the CheckPoint configuration. Skybox uses the 'run-script' API call to receive that information, and of course we can give it a customized profile with read-only permission plus permission to run one-time scripts instead of a super-user account. But that doesn't fully solve the issue, because with that profile we can send any bash command to any gateway managed by our SmartManagement. For example, we can send 'rm -rf / --no-preserve-root' via the run-script API call to each gateway and all other CheckPoint devices, and it works.

We also tried to restrict the API permissions with another customized profile that can only run repository scripts, but unfortunately there is no API command to run repository scripts.

Dear CheckPoint staff, are you going to implement 'run-script' permission restrictions? Or maybe somebody knows how to fetch the routing table (netstat) and the interface table (ifconfig) through the API without any chance of disrupting the system (I mean without permission to make configuration changes, delete files, etc.)?
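The problem described above is that 'run-script' takes arbitrary script text, so any account allowed to call it can run anything at expert level on every target. One way to get just the routing and interface tables to a poller without handing it such a credential is to put a small broker in front of the Management API: the broker holds the API account, exposes only named diagnostics, and maps each name to a fixed command, so the poller never supplies shell text. The Python below is an added example of that pattern; it is not code from Check Point, Skybox or anyone in the thread. It assumes the Management API's login, run-script and show-task calls, the task-details/responseMessage (base64) shape of a finished task, and server, credentials and gateway names taken from environment variables; the show-task reply used for the offline check is constructed.

```python
"""Broker for read-only gateway diagnostics over the Check Point Management API.

Added example, not Check Point, Skybox or CheckMates code.  The poller talks
to this broker and never sees the API account, so the only scripts that can
reach 'run-script' are the fixed ones in ALLOWED_COMMANDS.
"""
import base64
import json
import os
import ssl
import time
import urllib.request

# The only commands the broker will ever send.  Callers pick by name and
# never pass shell text, so there is nothing to escape or inject.
ALLOWED_COMMANDS = {
    "routes": "netstat -rne",
    "interfaces": "ifconfig",
}


def is_allowed(name):
    """True only for a diagnostic name in the allow-list."""
    return name in ALLOWED_COMMANDS


def build_run_script_payload(names, targets):
    """Body for POST /web_api/run-script; refuses any name not allow-listed."""
    refused = [n for n in names if not is_allowed(n)]
    if refused:
        raise ValueError("refused request(s): %r" % refused)
    if not targets:
        raise ValueError("at least one target gateway is required")
    script = " ; ".join(ALLOWED_COMMANDS[n] for n in names)
    return {"script-name": "ro-diagnostics", "script": script,
            "targets": list(targets)}


def decode_task_output(show_task_reply):
    """Return [(task-id, text)] from a show-task reply (details-level full).

    Assumption: output sits in tasks[].task-details[].responseMessage as
    base64, and a finished task reports status 'succeeded'.
    """
    results = []
    for task in show_task_reply.get("tasks", []):
        if task.get("status") != "succeeded":
            raise RuntimeError("task %s ended with status %r"
                               % (task.get("task-id"), task.get("status")))
        for detail in task.get("task-details", []):
            text = base64.b64decode(detail.get("responseMessage", ""))
            results.append((task.get("task-id"),
                            text.decode("utf-8", errors="replace")))
    return results


class MgmtApi:
    """Minimal Management API client: login, generic POST, logout."""

    def __init__(self, server, port=443):
        self.base = "https://%s:%d/web_api/" % (server, port)
        self.sid = None
        self.ctx = ssl.create_default_context()  # management cert must be trusted

    def call(self, command, body):
        headers = {"Content-Type": "application/json"}
        if self.sid:
            headers["X-chkp-sid"] = self.sid
        req = urllib.request.Request(self.base + command, method="POST",
                                     data=json.dumps(body).encode(), headers=headers)
        with urllib.request.urlopen(req, context=self.ctx, timeout=60) as resp:
            return json.load(resp)

    def login(self, user, password):
        self.sid = self.call("login", {"user": user, "password": password})["sid"]

    def logout(self):
        if self.sid:
            self.call("logout", {})
            self.sid = None


def fetch_diagnostics(api, names, targets, poll_seconds=2):
    """Run the allow-listed commands on targets and collect their output."""
    reply = api.call("run-script", build_run_script_payload(names, targets))
    outputs = []
    for task in reply.get("tasks", []):
        while True:  # one task per target; poll until it leaves 'in progress'
            status = api.call("show-task", {"task-id": task["task-id"],
                                            "details-level": "full"})
            if status["tasks"][0].get("status") != "in progress":
                break
            time.sleep(poll_seconds)
        outputs.extend(decode_task_output(status))
    return outputs


# Constructed show-task reply for the offline check; not real gateway output.
SAMPLE_SHOW_TASK = {"tasks": [{
    "task-id": "00000000-0000-0000-0000-000000000001", "status": "succeeded",
    "task-details": [{"statusCode": "succeeded", "responseMessage": base64.b64encode(
        b"Kernel IP routing table\n0.0.0.0 192.0.2.1 0.0.0.0 UG 0 0 0 eth0\n"
    ).decode("ascii")}]}]}


if __name__ == "__main__":
    # MGMT_SERVER, MGMT_USER, MGMT_PASSWORD, MGMT_TARGETS are assumed variables.
    api = MgmtApi(os.environ["MGMT_SERVER"])
    api.login(os.environ["MGMT_USER"], os.environ["MGMT_PASSWORD"])
    try:
        for task_id, text in fetch_diagnostics(api, ["routes", "interfaces"],
                                               os.environ["MGMT_TARGETS"].split(",")):
            print("--- task", task_id, "\n" + text)
    finally:
        api.logout()
```

The caveat that matters: the allow-list lives in the broker, not in the Management API, so it only helps if the poller is given access to the broker and never to the API account itself. That account still needs run-script rights, which, as the reply below notes, are effectively unrestricted on the gateway side, so the broker host and its credential store deserve the same protection you would give a super-user account.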
4 Replies

Re: 'run-script' api command restrictions for 3rd party management tools

As run-script commands run at expert level, there aren't any real restrictions on what they can do.

We have released an API for gateways, which may be more relevant: Gaia REST API: Read and send information to Check Point servers 


Re: 'run-script' api command restrictions for 3rd party management tools

Dameon, thank you for answering.

I looked through Gaia API in Postman and I didn't find any requests related to the routing table.

And I hope that somebody from Skybox reads CheckMates and will join the discussion. For instance, Dror Bareket, are you still here? I am sure that nobody in their right mind will give a super-user CheckPoint account to a 3rd party tool.


Re: 'run-script' api command restrictions for 3rd party management tools

Maybe this is something we can add to the gateway API.

Alexander Kim

Askar
Ivory

Re: 'run-script' api command restrictions for 3rd party management tools

Hello! Have you solved the problem with admin rights?