This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
OK
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help
trawa05
Explorer
‎2020-03-27 06:50 AM

R80.20 restrict user access to perform only specific commands

Jump to solution

Hey,

I got a very specific requirement to allow a user access the gateway and get info about 3 things:
a) session table
b) NAT session table
c) arp table

So i am looking how i could create a user profile that could execute 3 (and only 3) specific commands on CLI.

I would be glad if you could come with any ideas.

Thank you!

0 Kudos
Reply
1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin
‎2020-03-29 02:34 PM
In response to trawa05

Jump to solution
Giving access to generic binary like "fw" gives you access to a LOT of things.

To ensure only the appropriate commands can be run, you have to write a script that calls the necessary command(s).
This script would not be terribly complex.
In addition to the command you wish to run, make sure the appropriate environment variables are included, as shown here: https://community.checkpoint.com/t5/API-CLI-Discussion-and-Samples/Add-sources-inside-bash-scripts/m...

Another approach is to see if what you're after can be achieved through Dynamic CLI which adds a bunch of other commands to clish, which can be subject to Role-Based Access.
See: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

View solution in original post

0 Kudos
Reply
3 Replies
PhoneBoy
Admin
Admin
‎2020-03-27 07:41 PM

Jump to solution
Two topics you need to refer to in the Gaia Admin Guide: https://sc1.checkpoint.com/documents/R80.20_GA/WebAdminGuides/EN/CP_R80.20_Gaia_AdminGuide/html_fram...
User Defined (Extended) Commands
Role Based Access

Between those two features, you can achieve what you're after.
Reply
trawa05
Explorer
‎2020-03-29 01:19 PM
In response to PhoneBoy

Jump to solution

I saw this info earlier already. Point is that User Defined (Extended) Commands requires path to the script.
I am not good at scripting, and what if i would like to create extended command for already existing command like 'fw ctl conntab'?  Is there already script written for that in the system that i could point to in the extended command?

0 Kudos
Reply
PhoneBoy
Admin
Admin
‎2020-03-29 02:34 PM
In response to trawa05

Jump to solution
Giving access to generic binary like "fw" gives you access to a LOT of things.

To ensure only the appropriate commands can be run, you have to write a script that calls the necessary command(s).
This script would not be terribly complex.
In addition to the command you wish to run, make sure the appropriate environment variables are included, as shown here: https://community.checkpoint.com/t5/API-CLI-Discussion-and-Samples/Add-sources-inside-bash-scripts/m...

Another approach is to see if what you're after can be achieved through Dynamic CLI which adds a bunch of other commands to clish, which can be subject to Role-Based Access.
See: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

View solution in original post

0 Kudos
Reply