This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Ihenock1011
Advisor
‎2024-08-26 04:17 AM

Allowing specific commands from expert mode

Hi All,

I want to grant expert mode access to certain administrators, allowing them to create bulk objects using the mgmt_cli command in expert mode as per SK113078. However, I only want them to have access to the commands for creating objects and making objects members of groups. Is this possible, and if so, how can I achieve it?

Thanks,

0 Kudos
14 Replies
the_rock
MVP Diamond
MVP Diamond
‎2024-08-26 05:48 AM

Hey bro,

What in particular do you want to allow?

Andy

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
Ihenock1011
Advisor
‎2024-08-26 05:54 AM
In response to the_rock

Hi Andy,

I want this three commands to be allowed

vi <filename>.csv 

mgmt_cli add host --batch <filename>.csv

mgmt_cli set group --batch <filename>.csv

0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2024-08-26 05:57 AM
In response to Ihenock1011

K, thats fair, BUT, what sort of access do they need to have?

Andy

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2024-08-26 05:52 AM

Man, I remember this sk back from 2020 when I had TAC case about, when smart-1 cloud was fairly new. Here is what TAC guy told me, he was super nice and helpful about it, see if this helps.

Andy

*********************************************

 


--->To add address-range via API:
mgmt_cli add address-range --batch address-ranges_full.csv

#cat address-ranges_full.csv
name,ip-address-first,ip-address-last
range1,10.0.0.0,10.0.0.100

---> To add a network via API:
mgmt_cli add network --batch networks.csv

#cat networks.csv
name,subnet,subnet-mask
network1,10.10.10.0,255.255.255.0
network2,20.20.20.0,255.255.255.0
network3,30.30.30.0,255.255.255.0

---> To add a host 
mgmt_cli add host --batch test.csv

#cat test.csv
name,ip-address
obj1,192.168.1.1


For more info, please refer the: https://sc1.checkpoint.com/documents/latest/APIs/index.html?#cli/add-host~v1.7%20

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2024-08-26 05:54 AM
In response to the_rock

@Ihenock1011 Forgot to mention, though it goes without saying, commands will not work, unless you create files first. Do touch, give it a name, then you can vi and keep adding entries, it works 100%, I tested it in the lab few times.

Andy

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
Ihenock1011
Advisor
‎2024-08-26 05:57 AM
In response to the_rock

@the_rock For administrators to execute this task, they must have expert mode access. I want to implement the principle of least privilege, granting administrators only the necessary permissions in expert mode. Specifically, I want to restrict their access to the commands for creating objects and making objects members of groups.

0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2024-08-26 06:06 AM
In response to Ihenock1011

https://sc1.checkpoint.com/documents/latest/GaiaAPIs/#api_access~v1.7%20

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
Ihenock1011
Advisor
‎2024-08-26 06:50 AM
In response to the_rock

@the_rock Granting a user GAIA API access will provide them with broad permissions. Is there a way to restrict this access to specific commands while denying others?

0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2024-08-26 06:54 AM
In response to Ihenock1011

Not sure, I would verify with TAC, as I dont see it in the documentation.

Andy

Best,
Andy
"Have a great day and if its not, change it"
PhoneBoy
Admin
Admin
‎2024-08-26 09:46 AM
In response to Ihenock1011

Similar to the Management API, Gaia has its own Roles that can be assigned to users.
The API permissions follow these same roles, as far as I know.

image.png

PhoneBoy
Admin
Admin
‎2024-08-26 09:42 AM

First of all, limiting access to specific commands in Expert Mode is not possible (e.g. only allowing access to mgmt_cli).
However, to access the management API, you do not need access to Expert Mode at all, you can use the "mgmt" command.
You won't be able to use any shell pipes and such, though, but they will not need access to Expert Mode.

For access to what can be done with the Management API, this is done through Administrator profiles.
Assign the relevant administrator users a permission profile that looks something like the following (with other checkboxes removed):

image.png

Lesley
MVP Gold
MVP Gold
‎2024-08-28 12:17 PM

Consider to move dynamic CLI: https://support.checkpoint.com/results/sk/sk144112

In this way it might you do not need expert mode anymore for certain users and you can run expert mode like commands via normal clish access

-------
Please press "Accept as Solution" if my post solved it 🙂
the_rock
MVP Diamond
MVP Diamond
‎2024-08-28 12:24 PM
In response to Lesley

Interesting, never seen that before.

Andy

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
Martin_Raska
Advisor
Advisor
‎2024-08-29 02:36 AM
In response to the_rock

I would suggest creating it as a bash script and run it from SmartConsole

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events