Platinum

Access to HTTPS decrypted data

Hello,

You all know that there is a way to gain access to HTTPS decrypted data via the fw ctl set ... interface.

Now, we need to have a second firewall admin with expert access; this cannot be avoided for many reasons.

However, because of EU GDPR requirements, he/she must not be able to gain any access to employees' personal data, because he is not authorized for that.

Certain categories (Health, Financial) are already bypassed, and I am thinking of restricting that admin's access to modify the HTTPS Inspection policy, but I am not sure that is good enough: first, because false categorization may happen, and second, because it kind of limits that admin in his tasks to modify the policy should another urgent reason arise.

So, is there any way to restrict access to fw ctl set ... for an admin with expert access, or otherwise how do you recommend handling such a situation?

5 Replies

Admin

If you give someone expert access, it's the same as giving them root shell access.
Which means: there's not really a way to restrict access to that.

The way I've seen other customers handle this is to log all the commands a user runs in expert mode and audit what they do to ensure they don't access any commands of concern.
You can see how to do that here: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

Longer term, the goal is to eliminate any reason to go to expert mode to begin with.
That means adding more commands to clish and ensuring RBA can be used to control access to those commands.
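To show what the "log everything in expert mode and audit it" approach from the reply above looks like in practice, here is an added example (not code from this thread or from Check Point). It runs a small audit over constructed expert-mode command log lines; the line format (timestamp, user, tty, command) and the watch list are assumptions made for the example, since the page does not name the real log format or the specific fw ctl set parameter in question, so every fw ctl set is flagged while the read-only fw ctl get is not.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed sample lines. The format "<ts> user=<u> tty=<t> cmd=<command>"
# is an assumption for this example, not Gaia's real expert-mode audit format.
SAMPLE_LOG = """\
2020-03-10T09:12:01 user=alice tty=pts/0 cmd=cpview
2020-03-10T09:14:37 user=alice tty=pts/0 cmd=fw ctl set int example_param 1
2020-03-10T09:15:02 user=alice tty=pts/0 cmd=fw monitor -e "accept host(10.1.2.3);"
2020-03-10T09:20:44 user=bob tty=pts/1 cmd=cphaprob stat
2020-03-10T09:21:10 user=bob tty=pts/1 cmd=tcpdump -nni eth0 port 443
2020-03-10T09:25:00 user=bob tty=pts/1 cmd=fw ctl get int example_param
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+user=(?P<user>\S+)\s+tty=(?P<tty>\S+)\s+cmd=(?P<cmd>.*)$"
)

# Commands of concern: anything that writes kernel state (fw ctl set) or can
# expose packet contents (fw monitor, tcpdump). This list is an assumption;
# a deployment would narrow "fw ctl set" to the parameters that matter.
WATCH = [
    ("kernel-param-write", re.compile(r"^fw\s+ctl\s+set\b")),
    ("packet-capture", re.compile(r"^(?:fw\s+monitor|tcpdump)\b")),
]

# The single admin who is allowed to touch kernel parameters (assumed name).
AUTHORIZED: Set[str] = {"alice"}


@dataclass
class Finding:
    ts: str
    user: str
    cmd: str
    label: str      # which watch-list entry matched
    severity: str   # "review" for an authorized user, "violation" otherwise


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of one audit line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def audit(log_text: str, authorized: Set[str] = AUTHORIZED) -> List[Finding]:
    """Flag every watched command; escalate when the user is not authorized."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue  # unparseable lines are skipped, not silently trusted
        for label, pattern in WATCH:
            if pattern.search(rec["cmd"]):
                severity = "review" if rec["user"] in authorized else "violation"
                findings.append(Finding(rec["ts"], rec["user"], rec["cmd"], label, severity))
                break  # one finding per command line
    return findings


def violations(findings: List[Finding]) -> List[Finding]:
    """Only the findings that need incident handling, not routine review."""
    return [f for f in findings if f.severity == "violation"]


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"{f.ts} {f.severity:9} {f.user:6} {f.label:18} {f.cmd}")
```

Run against the constructed log, the script reports alice's fw ctl set and fw monitor as routine review items and bob's tcpdump on port 443 as a violation, while cpview, cphaprob and fw ctl get are ignored. This is still the reactive control the reply describes: it tells you after the fact that someone touched decrypted traffic, so the output needs to feed a real review process rather than just a file.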
Platinum

Thanks, I thought about that too, but it is more of a reactive measure and not a proactive one, as it should be.

Do you happen to know how long that "long term" will be? 😉

Admin

No specific timelines that I'm aware of.
May want to discuss an RFE with your local office.
Pearl

I'd probably try to configure a restricted admin role with extended commands and see if that fits my needs.


Alternatively, you could avoid access to the CLI by allowing this user to run only a script within SmartConsole that is preconfigured for fw ctl set..

And then there are SmartConsole extensions you could use to reach your goal, providing access to specific fw ctl output via run-script. I'd be more than happy to assist you with that.

Platinum

Plenty of good ideas, Danny!

I have to think about it. Access is needed mostly for troubleshooting purposes and maybe in case of a DoS attack.

So, CPView, ccc and of course the "super seven", fw monitor, etc....

Setting kernel parameters isn't really a daily task, and I am fine with only one person having access to it.

I like the Smart Extensions idea, but they are currently a bit buggy and annoying. Hope CP improves them soon...
