This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Roadrunner88
Contributor
‎2025-02-25 11:44 PM

Possibility to limit User Access via Management Server

Hello Guys,

 

is it possible to limit the access for a user that has access to the management server, only to get view and/or access to dedicated firewalls that are present on the management server?

Thanks

0 Kudos
12 Replies
G_W_Albrecht
MVP Silver
MVP Silver
‎2025-02-26 12:03 AM

Concerning what can be done in Dashboard: No, permissins are not that granular - see here how it can be restricted: https://sc1.checkpoint.com/documents/R82/WebAdminGuides/EN/CP_R82_SecurityManagement_AdminGuide/Cont...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Tal_Paz-Fridman
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2025-02-26 12:06 AM

For access to the Security Gateway machine you can set individual Gaia administrators per machine with specific roles.

In Gaia Portal go to - User Management > Users or Roles

AkosBakos
MVP Silver
MVP Silver
‎2025-02-26 12:43 AM

Hi @Roadrunner88 

The Multi-Domain Management is the sholution for this:

https://www.checkpoint.com/quantum/multi-domain-security-management/

Akos

----------------
\m/_(>_<)_\m/
G_W_Albrecht
MVP Silver
MVP Silver
‎2025-02-26 06:26 AM
In response to AkosBakos

This is not the solution - remember how expensive MDM licenses are, so if you need one SMS to manage your gateways, you will not pay x-times its price to get such options. I also do not know if this granular access does not only concern CMAs (as each CMA could have a different admin, a concept that makes sense).

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
AkosBakos
MVP Silver
MVP Silver
‎2025-02-26 06:28 AM
In response to G_W_Albrecht

True, I had such kind of discussion with one of our customer. They didn't buy MDS....

----------------
\m/_(>_<)_\m/
0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2025-02-26 06:19 AM

I believe what @Tal_Paz-Fridman said also makes lots of sense to me. See attached.

Andy

Best,
Andy
"Have a great day and if its not, change it"
Preview file
74 KB
0 Kudos
G_W_Albrecht
MVP Silver
MVP Silver
‎2025-02-26 06:28 AM
In response to the_rock

NO - the question is about granular admin rights on SMS by Dashboard (user that has access to the management server can only view and/or access dedicated firewalls on the management server), not about GAiA portal access on different gateways.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Roadrunner88
Contributor
‎2025-02-26 06:31 AM
In response to G_W_Albrecht

thanks for the answers so far ...so it will not be so easy to archive

(1)
G_W_Albrecht
MVP Silver
MVP Silver
‎2025-02-26 06:39 AM
In response to Roadrunner88

Rather impossible - only by using one CMA per GW in MDM, which is very expensive...

Better use admins that are trustable and let them swear on the bible that they will only touch their GW in Dashboard 😉 As all actions are recorded, you can always trace who did what when on which rule or GW...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Roadrunner88
Contributor
‎2025-02-26 06:41 AM
In response to G_W_Albrecht

:D:D ok that workaround is even better, we will do that 😉

0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2025-02-26 06:46 AM
In response to Roadrunner88

@Roadrunner88 

FWIW, here is what AI Copilot said, though to me, does not seem like it would work for you : - (

Andy

 

is it possible to limit the access for a user that has access to the management server, only to get view and/or access to dedicated firewalls that are present on the management server?
09:41 AM

Yes, it is possible to limit the access for a user to only view and/or access dedicated firewalls on the management server. This can be achieved by creating specific permission profiles and assigning them to the user. Here are the steps to do this:

  1. Create a Permission Profile:

    • Open SmartConsole and go to the "Manage & Settings" tab.
    • Under "Permissions & Administrators," select "Permission Profiles."
    • Click "New" to create a new permission profile.
    • Define the permissions for the profile. You can set the profile to allow only read access or specific access to certain features.

  2. Assign the Permission Profile to the User:

    • Go to "Manage & Settings" > "Permissions & Administrators" > "Administrators."
    • Select the user you want to modify or create a new user.
    • Assign the previously created permission profile to the user.

  3. Limit Access to Specific Firewalls:

    • In the same user settings, you can specify which firewalls (Security Gateways) the user has access to.
    • Under the "Permissions" tab, you can define the specific objects (firewalls) the user can access.

By following these steps, you can ensure that the user has limited access to only view and/or manage specific firewalls on the management server.

Learn more:
  1. R81.10 Quantum Security Management Administration Guide - Managing-User-and-Administrator-Accounts
  2. R80.40 Security Management Administration Guide - Managing-User-and-Administrator-Accounts
  3. R77 Security Management Administration Guide - 41613
  4. R81.20 Quantum Security Management Administration Guide - Managing-User-and-Administrator-Accounts
  5. R81 Quantum Security Management Administration Guide - Managing-User-and-Administrator-Accounts
  6. R81.20 Identity Awareness Administration Guide - Acquiring-Identities-for-Active-Directory-Users
  7. R81.10 Identity Awareness Administration Guide - Acquiring-Identities-for-Active-Directory-Users
  8. R82 Identity Awareness Administration Guide - Acquiring-Identities-for-Active-Directory-Users
  9. Quantum Spark R80.20.10 Centrally Managed Administration Guide for 1500 Appliances - Working-User-Aw...
  10. Quantum Spark R80.20.15 Centrally Managed Administration Guide for 1500 Appliances - Working-User-Aw...
Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2025-02-26 06:35 AM

I was thinking maybe with below, but dont see an option for specific gateways though...

Andy

Best,
Andy
"Have a great day and if its not, change it"
Preview file
95 KB
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events