This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Leonardo_Tessar
Participant
‎2019-03-29 09:48 AM
Jump to solution

Define user with specific privileges

I need to define a user with only the privileges to execute the "pdp control revoke_ip x.x.x.x" command.
Do you know if is it possible?

0 Kudos
2 Solutions

Accepted Solutions
PhoneBoy
Admin
Admin
‎2019-04-02 08:38 AM
In response to Leonardo_Tessar
Jump to solution

You missed a parameter in your command:

gw> add command revokeip path /opt/CPsuite-R80.20/fw1/bin/pdp description "Revoke session from the given IP"
Command (revokeip) was added.
Save the configuration and re sign in for changes to take place. 
gw> save config

Once you log out/back in, you can use your revokeip command, which calls the pdp binary.

gw> revokeip
Command: root

Available options:
  debug           - control debug messages
  tracker         - tracker options
  connections     - pdp connections information
  network         - pdp network information
  status          - pdp status information
  control         - pdp control commands
  monitor         - display monitoring data
  update          - recalculate users and machines group membership (deleted accounts will not be updated)
  vpn             - display connected vpn gateways that send vpn client identity data
  ad              - operations related to AD Query
  timers          - show pdp timers information
  nested_groups   - nested groups configuration
  auth            - authentication/authorization options
  radius          - radius accounting options
  ifmap           - monitor/control IFMAP
  idc             - operations related to Identity Collector
  tasks_manager   - the task manager menu
  topology_map    - show topology mapping debug info. usage: topology_map [raw]

gw>

If you want to restrict the pdp binary to specific options, then create a shell scrip that calls the pdp binary with the specific options you're interested in.

View solution in original post

0 Kudos
PhoneBoy
Admin
Admin
‎2020-04-26 08:55 AM
In response to asher
Jump to solution

The easiest thing to do is write a script that calls the binary with the specific allowed options.
Then you can add that script as a command as shown here.

View solution in original post

7 Replies
PhoneBoy
Admin
Admin
‎2019-03-30 08:59 AM
Jump to solution

Yes, using the Dynamic CLI and Role Based Access. Create the relevant command via the Dynamic CLI feature, assign the specific command to a specific role in Gaia, and assign the desired user that specific role.

0 Kudos
Leonardo_Tessar
Participant
‎2019-04-01 09:20 AM
In response to PhoneBoy
Jump to solution

Thank you, I've installed the Dynamic CLI but I can't find an equivalent command to "pdp control".
Could you explain how to create it via Dynamic CLI ?
0 Kudos
PhoneBoy
Admin
Admin
‎2019-04-01 06:58 PM
In response to Leonardo_Tessar
Jump to solution

I was mistaken that Dynamic CLI is required. Instead, you need to use a feature in Gaia called "User Defined (Extended) Commands" as described in the Gaia Admin Guide: https://sc1.checkpoint.com/documents/R80.20.M2/WebAdminGuides/EN/CP_R80.20_M2_Gaia_AdminGuide/html_f...

0 Kudos
Leonardo_Tessar
Participant
‎2019-04-02 12:16 AM
In response to PhoneBoy
Jump to solution

I checked the list of available extended commands but I didn't find the "pdp".

I tried anyway to add the new command:

> add command revokeip path /opt/CPsuite-R80.20/fw1/bin/pdp "Revoke session from the given ip"

but I get this error:

CLINFR0329 Invalid command

0 Kudos
PhoneBoy
Admin
Admin
‎2019-04-02 08:38 AM
In response to Leonardo_Tessar
Jump to solution

You missed a parameter in your command:

gw> add command revokeip path /opt/CPsuite-R80.20/fw1/bin/pdp description "Revoke session from the given IP"
Command (revokeip) was added.
Save the configuration and re sign in for changes to take place. 
gw> save config

Once you log out/back in, you can use your revokeip command, which calls the pdp binary.

gw> revokeip
Command: root

Available options:
  debug           - control debug messages
  tracker         - tracker options
  connections     - pdp connections information
  network         - pdp network information
  status          - pdp status information
  control         - pdp control commands
  monitor         - display monitoring data
  update          - recalculate users and machines group membership (deleted accounts will not be updated)
  vpn             - display connected vpn gateways that send vpn client identity data
  ad              - operations related to AD Query
  timers          - show pdp timers information
  nested_groups   - nested groups configuration
  auth            - authentication/authorization options
  radius          - radius accounting options
  ifmap           - monitor/control IFMAP
  idc             - operations related to Identity Collector
  tasks_manager   - the task manager menu
  topology_map    - show topology mapping debug info. usage: topology_map [raw]

gw>

If you want to restrict the pdp binary to specific options, then create a shell scrip that calls the pdp binary with the specific options you're interested in.

0 Kudos
asher
Contributor
‎2020-04-26 08:18 AM
In response to PhoneBoy
Jump to solution

Hi

 

"If you want to restrict the pdp binary to specific options, then create a shell scrip that calls the pdp binary with the specific options you're interested"

Can you please explain how to allow user run only spesific option on command?

 

We have user that access to bin bash shell from phyton and we want to allow him run only: fw hashta and not all fw tree options.

 

 

0 Kudos
PhoneBoy
Admin
Admin
‎2020-04-26 08:55 AM
In response to asher
Jump to solution

The easiest thing to do is write a script that calls the binary with the specific allowed options.
Then you can add that script as a command as shown here.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events