Access to HTTPS decrypted data
Hello,
You all know that there is a way to gain access to HTTPS decrypted data via fw ctl set ... interface.
Now, we need to have second firewall admin with expert access, this cannot be avoided for many reasons.
However, because of the EU GDPR requirements he/she must not be able to gain any access to employees' personal data because he is not authorized for that.
Certain categories (Health, Financial) are already bypassed and I am thinking to restrict that admin access to modify HTTPS Inspection policy but I am not sure that is good enough, first because false categorization may happen and second it kind of limits that admin in his tasks to modify policy should another urgent reason arise.
So, is there any way to restrict access to fw ctl set ... for an admin with expert access, or otherwise how do you recommend handling such a situation?
Which means: there's not really a way to restrict access to that.
The way I've seen other customers handle this is to log all the commands a user does in expert mode and audit what they do to ensure they don't access any commands of concern.
You can see how to do that here: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
Longer term, the goal is to eliminate any reason to go to expert mode to begin with.
That means adding more commands to clish and ensuring RBA can be used to control access to said commands.
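One way to implement the command audit described in this answer, as an added example that is not from the thread or from Check Point: a Python script that scans expert-mode command logs and flags watchlisted commands such as fw ctl set run by anyone other than the single authorized admin. The sample log lines and their layout are constructed for this example (not the product's real audit format), and the watchlist is an assumption.

```python
import re
from collections import namedtuple

# Constructed sample of expert-mode command audit lines. The layout is an
# assumption for this example, not Check Point's actual audit log format.
SAMPLE_LOG = """\
2024-03-05T10:21:33Z gw1 user=admin1 shell=expert cmd="fw ctl set int example_param 1"
2024-03-05T10:22:01Z gw1 user=admin2 shell=expert cmd="cpview"
2024-03-05T10:23:10Z gw1 user=admin2 shell=expert cmd="fw ctl set int example_param 1"
2024-03-05T10:24:45Z gw1 user=admin2 shell=clish cmd="show interfaces"
2024-03-05T10:25:02Z gw1 user=admin2 shell=expert cmd="fw monitor -e 'accept;'"
2024-03-05T10:26:30Z gw1 user=admin2 shell=expert cmd="fw ctl pstat"
"""

# Assumed watchlist of "commands of concern"; the thread names fw ctl set as
# the one that can expose decrypted HTTPS data, fw monitor captures traffic.
WATCHLIST = {
    "fw_ctl_set": re.compile(r"^\s*fw\s+ctl\s+set\b"),
    "fw_monitor": re.compile(r"^\s*fw\s+monitor\b"),
}

LINE_RE = re.compile(
    r'^(?P<ts>\S+)\s+(?P<host>\S+)\s+user=(?P<user>\S+)\s+'
    r'shell=(?P<shell>\S+)\s+cmd="(?P<cmd>[^"]*)"'
)
Finding = namedtuple("Finding", "ts user rule cmd")

def audit_expert_commands(log_text, authorized_users):
    """Return findings for watchlisted expert-mode commands run by users
    outside the authorized set. Lines that do not parse are skipped."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m or m["shell"] != "expert":
            continue  # only expert-mode commands are in scope
        if m["user"] in authorized_users:
            continue  # the one admin allowed to touch kernel parameters
        for rule, pattern in WATCHLIST.items():
            if pattern.search(m["cmd"]):
                findings.append(Finding(m["ts"], m["user"], rule, m["cmd"]))
                break
    return findings

if __name__ == "__main__":
    for f in audit_expert_commands(SAMPLE_LOG, {"admin1"}):
        print(f"{f.ts} {f.user} [{f.rule}] {f.cmd}")
```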
Thanks, I thought about that too, but it is more of a reactive measure and not a proactive one as it should be.
Do you happen to know how long that "long term" will be? 😉
May want to discuss an RFE with your local office.
I'd probably try to configure a restricted Admin role with extended commands and see if that fits my needs.
Alternatively you could avoid access to the CLI by allowing this user to run a script within SmartConsole only that is preconfigured for fw ctl set...
And then there are SmartConsole extensions you could use to reach your goal providing access to specific fw ctl output via run-script. I'd be more than happy to assist you with that.
Plenty of good ideas Danny!
I have to think about it. Access is needed mostly for troubleshooting purposes and maybe in case of a DoS attack.
So, CPView, ccc and of course "super seven", fw monitor, etc....
Setting kernel parameters isn't really a daily task and I am fine with only one person having access to it.
I like the Smart Extensions idea but they are currently a bit buggy and annoying. Hope CP improves them soon...
