mortiis
Explorer

[R80.20] smartview on dedicated server

Hi All 🙂

 

In my CP topology, I have dedicated server for management (for example 10.1.1.101) and dedicated server for smartevent (for example 10.1.1.102).

I would like to grant access to smartview for my colleagues but only via web browser and only to 10.1.1.102 (https://10.1.1.102/smartview/). To achieve that, I created a new gaia user on 10.1.1.102 server where I have smartevent installed and attached this new user to monitorRole. Authentication is done by tacacs.

Unfortunately, this config doesn't work, I received "Authentication to server failed".

I assume, that something is wrong with my CP configuration, because I don't see any events on my tacacs server.

Did I miss something in configuration?

 

Thank you in advance!

Amir_Senn
Employee

I don't think that creating a new Gaia user could be a solution for this.

I do have a few solutions for you:

1) Create an admin profile that has only logs and events permissions and maybe he could see some of the objects but he won't be able to edit anything

2) I did some experiments after reading your post and I succeeded partially with some rules in the access control policy. I created an "Access Role" (this is done by using Identity Awareness) and allowed it to access my Mgmt with only the https/https_proxy services (the rule looks something like: source=access role; destination=Mgmt object; services=https/https_proxy).

Since authenticating with primary Mgmt is done with CPM/CPMI services, the user still won't be able to connect with SmartConsole to the object.

Unfortunately this didn't work for SmartEvent on my test env since it looks like the authentication with SmartConsole to SmartEvent is done with https as well and I guess that the SmartEvent uses CPM/CPMI service to further check the authentication with Mgmt machine so this restriction won't help restricting the SmartEvent itself.

3) I'm not an Active Directory expert, but I think you can restrict people from installing specific software, for example restricting them from installing SmartConsole without admin permission.

Kind regards, Amir Senn
Wolfgang
Authority

Users for access to Smartview are managed via Smartconsole not GAiA.

As @Amir_Senn mentioned, you should create a permission profile with only read rights for the logs.

I think there is no way to prevent logging in via SmartConsole or to restrict access to the website without having a firewall in front of the management servers.

If your Check Point gateway is located between your users and your management servers, you can define normal rules to restrict access to your SmartView host. You can allow only HTTPS to 10.1.1.102, and with this they can't use SmartConsole, because it uses another port.

Wolfgang
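The port-based restriction Wolfgang and Amir describe (allow only HTTPS from the users' access role to the SmartEvent host, drop everything else, so SmartConsole's management services are blocked even though the same host serves SmartView) can be illustrated with a small first-match rulebase evaluator. This is an added example, not Check Point code or anything from the thread: the user LAN 10.2.0.0/24 standing in for the access role, the outsider address 192.0.2.5, and the service table are constructed; CPM 19009/tcp and CPMI 18190/tcp are Check Point's well-known SmartConsole-to-management ports, and 10.1.1.101/10.1.1.102 are the hosts from the question.

```python
"""Toy first-match rulebase evaluator (added example, not Check Point code).

Models the rule from the thread: the users' access role may reach the
SmartEvent host (10.1.1.102) on HTTPS only; the clean-up rule drops the rest.
SmartConsole talks to management on other services (CPM 19009/tcp,
CPMI 18190/tcp), so those connections are dropped while the browser
(SmartView on 443/tcp) still gets through.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List

# Service objects: name -> (protocol, destination port).
# Ports are Check Point's well-known values; the table is trimmed to
# what this thread talks about.
SERVICES = {
    "https": ("tcp", 443),
    "CPM": ("tcp", 19009),    # SmartConsole <-> management server
    "CPMI": ("tcp", 18190),   # legacy management protocol
    "ssh": ("tcp", 22),
}


@dataclass(frozen=True)
class Rule:
    name: str
    sources: List[str]        # CIDR strings; "Any" matches everything
    destinations: List[str]   # CIDR strings; "Any" matches everything
    services: List[str]       # keys of SERVICES; "Any" matches everything
    action: str               # "Accept" or "Drop"


@dataclass(frozen=True)
class Connection:
    src: str
    dst: str
    proto: str
    dport: int


def _addr_match(addr: str, objects: List[str]) -> bool:
    return any(o == "Any" or ip_address(addr) in ip_network(o, strict=False)
               for o in objects)


def _svc_match(conn: Connection, services: List[str]) -> bool:
    for s in services:
        if s == "Any":
            return True
        proto, port = SERVICES[s]
        if conn.proto == proto and conn.dport == port:
            return True
    return False


def evaluate(rulebase: List[Rule], conn: Connection) -> str:
    """First matching rule wins, as in a Check Point access-control layer.
    If nothing matches (no clean-up rule), fall back to an implicit drop."""
    for rule in rulebase:
        if (_addr_match(conn.src, rule.sources)
                and _addr_match(conn.dst, rule.destinations)
                and _svc_match(conn, rule.services)):
            return rule.action
    return "Drop"


# Constructed sample policy. The "smartview-users" access role is modelled as
# the user LAN 10.2.0.0/24 (an assumption); 10.1.1.101 is the primary
# management server and 10.1.1.102 the SmartEvent host from the question.
# The destination is deliberately only 10.1.1.102: as Amir noted, the primary
# Mgmt also answers HTTPS, so listing it here would open more than SmartView.
SMARTVIEW_RULEBASE = [
    Rule("SmartView via browser", ["10.2.0.0/24"], ["10.1.1.102/32"],
         ["https"], "Accept"),
    Rule("Clean-up", ["Any"], ["Any"], ["Any"], "Drop"),
]


def check_smartview_policy(rulebase: List[Rule] = SMARTVIEW_RULEBASE) -> Dict[str, str]:
    """Evaluate a handful of constructed connections against the rulebase."""
    cases = {
        "browser to smartview": Connection("10.2.0.10", "10.1.1.102", "tcp", 443),
        "smartconsole CPM to smartevent": Connection("10.2.0.10", "10.1.1.102", "tcp", 19009),
        "smartconsole CPMI to smartevent": Connection("10.2.0.10", "10.1.1.102", "tcp", 18190),
        "browser to primary mgmt": Connection("10.2.0.10", "10.1.1.101", "tcp", 443),
        "outsider to smartview": Connection("192.0.2.5", "10.1.1.102", "tcp", 443),
    }
    return {name: evaluate(rulebase, c) for name, c in cases.items()}


if __name__ == "__main__":
    for name, verdict in check_smartview_policy().items():
        print(f"{name:34s} {verdict}")
```

Running it shows only the browser-to-10.1.1.102 HTTPS connection accepted; the CPM and CPMI connections SmartConsole needs, HTTPS to the primary management server, and traffic from outside the access role all hit the clean-up rule. The caveat from the thread still applies: this only works when the gateway actually sits between the users and the management servers, and it limits how the host is reached, not what an administrator account is permitted to do once logged in, which is what the read-only permission profile is for.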

mortiis
Explorer

Hi,

Thanks to your suggestions I resolved my issue.

I created a user on my management server (10.1.1.101) in SmartConsole and this solved my problem. Indeed, a GAIA user is not needed.
Using Access Policy rules, I restricted access to https://10.1.1.102/smartview/ only.

 

Thank you for help 🙂
