This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
davidso
Explorer
‎2020-06-29 10:54 PM
Jump to solution

Export Firewall configuration

Hi Mates,

I am using 2 x CheckPoint 5600 Firewall in my workplace.
We are requested by our Internal Audit that we need to export and review the Firewall configuration periodically.
I am the only person here who hold the Firewall Administrator password, and I am not allow to share out the admin pwd.

Can anyone guide me on how to create a READ ONLY account that can export the FireWall Configuration file?

thank you very much.
---david

0 Kudos
1 Solution

Accepted Solutions
_Val_
Admin
Admin
‎2020-06-30 05:33 AM
In response to davidso
Jump to solution

Incorrect. You already have built-in monitor user in Gaia. Alternatively, create a new and assign monitorOnly role to it.

This user (you will have to reset its password) is allowed to SSH, CLISH only. It can run "show..." commands. In this context, "show configuration" is what you are looking for.

It will not "export" config out, but will allow auditors to see output of config as part of the ssh session. They can log the session and use the data. 

You do not want to give read-only users access to expert. If you are looking for a capability to send a file out, that is exactly the issue. Expert mode trumps all CLISH restrictions.

View solution in original post

0 Kudos
8 Replies
_Val_
Admin
Admin
‎2020-06-30 01:21 AM
Jump to solution

What kind of export? MGMT database? OS settings? Please elaborate

0 Kudos
davidso
Explorer
‎2020-06-30 02:18 AM
In response to _Val_
Jump to solution

Only the OS settings.  thank you.

0 Kudos
_Val_
Admin
Admin
‎2020-06-30 02:34 AM
In response to davidso
Jump to solution

You need to set up a new OS account and assign it to monitorOnly role

Read the Gaia admin guide for more details.https://sc1.checkpoint.com/documents/R80.40/WebAdminGuides/EN/CP_R80.40_Gaia_AdminGuide/Content/Topi...

0 Kudos
davidso
Explorer
‎2020-06-30 02:45 AM
In response to _Val_
Jump to solution

Hi _Val_, The two READ ONLY accounts that i mentioned were exactly in the MonitorRole.  But they seem do not have the privilege to export the configuration nor ssh-in.  thanks. --david 

0 Kudos
_Val_
Admin
Admin
‎2020-06-30 05:33 AM
In response to davidso
Jump to solution

Incorrect. You already have built-in monitor user in Gaia. Alternatively, create a new and assign monitorOnly role to it.

This user (you will have to reset its password) is allowed to SSH, CLISH only. It can run "show..." commands. In this context, "show configuration" is what you are looking for.

It will not "export" config out, but will allow auditors to see output of config as part of the ssh session. They can log the session and use the data. 

You do not want to give read-only users access to expert. If you are looking for a capability to send a file out, that is exactly the issue. Expert mode trumps all CLISH restrictions.

0 Kudos
davidso
Explorer
‎2020-07-01 02:11 AM
In response to _Val_
Jump to solution

thank you!

0 Kudos
_Val_
Admin
Admin
‎2020-07-01 04:49 AM
In response to davidso
Jump to solution

you are welcome

0 Kudos
davidso
Explorer
‎2020-06-30 02:20 AM
In response to _Val_
Jump to solution

according to some experts they mention something adding a RULE to allow these READ ONLY accounts to access SSH and the WEB interface that can serve the same purpose.  Can you please guide me through how to set this rule(s)?  Many Many thanks. --david

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events