Hello, dear colleagues!
A few weeks ago our company faced an issue with the integration between Check Point and a 3rd-party management solution (in our case, Skybox). According to Skybox documentation, since version R80.10 their system should use API commands instead of the OPSEC CPMI protocol. What's more, Check Point also doesn't recommend using OPSEC CPMI commands for R80 management, considering this protocol deprecated; see sk63026. After some tests in a lab environment we concluded that Skybox really couldn't use the CPMI protocol for R80.10+ versions and their decision to use the API was right. But Skybox insists on using a super-user account, and that's totally unacceptable.
The point is that we don't trust the Skybox product enough to assign it super-user privileges. Furthermore, we have a strict responsibility boundary between the IT and security departments, and the Skybox administrators are employees of the security department, who shouldn't have permission to write to the Check Point rulebase and configuration.
During the investigation we understood that Skybox didn't receive the 'netstat -rne' and 'ifconfig' output after polling the Check Point configuration. Skybox uses the 'run-script' API call to receive that information, and of course we can give it a customized profile with read-only permission plus permission to run one-time scripts instead of a super-user account. But that doesn't fully solve the issue, because we can send any bash command to any gateway that is managed by our SmartManagement. For example, we can send 'rm -rf / --no-preserve-root' via the run-script API call to each gateway and all other Check Point devices, and it works well.
However, we tried to restrict the API permissions with another customized profile which can only run repository scripts, but unfortunately there is no API command to use repository scripts.
Dear Check Point staff, are you going to implement 'run-script' permission restrictions? Or maybe somebody knows how to fetch the routing table with the netstat command and the interface table with the ifconfig command via the API without any chance of interrupting the system (I mean without permissions to make configuration changes, delete files, etc.)?
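Since the management API cannot limit which scripts a `run-script`-capable profile may execute, one compensating control on the defender's side is to audit every `run-script` call made by the integration account and alert on anything other than the two commands the integration actually needs. The script below is an added example and is not code from the original post, from Check Point or from Skybox. The audit-record shape (dicts with `user`, `operation`, `script`, `targets` keys) and the sample events are constructed for this example and are not the real Check Point management audit log format; adapt the field names to whatever your log export provides.

```python
"""Flag run-script management-API calls whose script is outside an allowlist.

Added example, not code from the original post or from Check Point / Skybox.
The audit record shape used here is constructed for the example; map the real
fields from your SIEM export onto 'user', 'operation', 'script' and 'targets'.
"""
import re
import shlex

# Commands the integration account is expected to run (from the post: Skybox
# polls the routing table and the interface table). Match is on the exact argv.
ALLOWED_SCRIPTS = {
    ("netstat", "-rne"),
    ("ifconfig",),
}

# Shell metacharacters that would chain or redirect a second command.
_SHELL_META = re.compile(r"[;&|`$<>(){}\n]")


def script_is_allowed(script: str) -> bool:
    """Return True only if the script is exactly one allowlisted command."""
    if not script or _SHELL_META.search(script):
        return False
    try:
        argv = tuple(shlex.split(script))
    except ValueError:  # unbalanced quotes etc.
        return False
    return argv in ALLOWED_SCRIPTS


def flag_run_script_events(events):
    """Return the run-script events that are not covered by the allowlist."""
    findings = []
    for ev in events:
        if ev.get("operation") != "run-script":
            continue
        if script_is_allowed(ev.get("script", "")):
            continue
        findings.append({
            "user": ev.get("user"),
            "script": ev.get("script"),
            "targets": ev.get("targets", []),
            "reason": "script not in allowlist",
        })
    return findings


# Constructed sample records (not real log data). 'skybox_ro' is a hypothetical
# read-only integration account name.
SAMPLE_EVENTS = [
    {"user": "skybox_ro", "operation": "run-script", "script": "netstat -rne", "targets": ["gw-a"]},
    {"user": "skybox_ro", "operation": "run-script", "script": "ifconfig", "targets": ["gw-a", "gw-b"]},
    {"user": "skybox_ro", "operation": "show-gateways-and-servers"},
    {"user": "skybox_ro", "operation": "run-script", "script": "ifconfig; id", "targets": ["gw-b"]},
    {"user": "skybox_ro", "operation": "run-script", "script": "rm -rf / --no-preserve-root", "targets": ["gw-a"]},
]

if __name__ == "__main__":
    for f in flag_run_script_events(SAMPLE_EVENTS):
        print(f"ALERT user={f['user']} targets={f['targets']} script={f['script']!r}")
```

The allowlist is deliberately an exact-argv match rather than a prefix match: `netstat -rne -p` or `ifconfig eth0 down` would both be flagged, and any shell metacharacter is rejected before parsing so a chained command never reaches the allowlist check. Run it against the real audit feed on a schedule and page on any finding; the integration account should produce exactly two distinct scripts per poll.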