trawa05
Explorer

R80.20 restrict user access to perform only specific commands

Hey,

I got a very specific requirement to allow a user to access the gateway and get info about 3 things:
a) session table
b) NAT session table
c) arp table

So I am looking at how I could create a user profile that could execute 3 (and only 3) specific commands on the CLI.

I would be glad if you could come with any ideas.

Thank you!

1 Solution

Accepted Solutions
PhoneBoy
Admin
Giving access to a generic binary like "fw" gives you access to a LOT of things.

To ensure only the appropriate commands can be run, you have to write a script that calls the necessary command(s).
This script would not be terribly complex.
In addition to the command you wish to run, make sure the appropriate environment variables are included, as shown here: https://community.checkpoint.com/t5/API-CLI-Discussion-and-Samples/Add-sources-inside-bash-scripts/m...

Another approach is to see if what you're after can be achieved through Dynamic CLI which adds a bunch of other commands to clish, which can be subject to Role-Based Access.
See: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...


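A wrapper of the kind described in the accepted answer, written here as an added example (it is not code from this thread or from Check Point). It assumes the script is installed as cp_view.sh, that /etc/profile.d/CP.sh is the Gaia file that sets the Check Point environment, that the NAT table is read with fw tab -t fwx_alloc, and that arp -n is an acceptable ARP view; fw ctl conntab is the command named in the thread. The point of the design is the allow-list: the user's keyword is only ever matched against fixed strings, never handed to a shell, so extra arguments or a name like arp;id are rejected rather than executed.

```shell
#!/bin/bash
# cp_view.sh - allow-list wrapper for a restricted Gaia user.
# Added example, not code from this thread or from Check Point. Assumptions:
#   - /etc/profile.d/CP.sh is the Gaia file that sets $FWDIR, PATH etc.
#   - 'fw tab -t fwx_alloc' shows the NAT table and 'arp -n' the ARP table
# Install it as a User Defined (Extended) Command and grant it to a role via RBA.

# Map one keyword to exactly one fixed command line.
# Prints the command and returns 0; returns 1 (prints nothing) for an unknown
# keyword, for extra arguments, or for anything containing shell metacharacters.
# Only these literal strings are ever executed, so caller input never reaches
# a shell and cannot smuggle in a second command.
resolve_view() {
    [ "$#" -eq 1 ] || return 1
    case "$1" in
        session) printf '%s\n' 'fw ctl conntab' ;;          # a) session table (command named in the thread)
        nat)     printf '%s\n' 'fw tab -t fwx_alloc -u' ;;  # b) NAT table (assumed table name)
        arp)     printf '%s\n' 'arp -n' ;;                  # c) ARP table
        *)       return 1 ;;
    esac
}

# Resolve the keyword, load the Check Point environment, run the fixed command.
run_view() {
    local cmd
    cmd=$(resolve_view "$@") || {
        printf 'usage: %s {session|nat|arp}\n' "${0##*/}" >&2
        return 2
    }
    # In a fresh shell 'fw' is not on PATH and $FWDIR is unset; the answer's
    # point about environment variables is handled by sourcing the Gaia file.
    if [ -r /etc/profile.d/CP.sh ]; then
        . /etc/profile.d/CP.sh
    else
        printf 'cannot read /etc/profile.d/CP.sh\n' >&2
        return 3
    fi
    # $cmd is deliberately unquoted so the fixed string splits into argv.
    # It is allow-list text, never user input, so word splitting is safe here.
    # shellcheck disable=SC2086
    $cmd
}

# Dispatch only when run under the installed name, so the file can also be
# sourced (for example to test resolve_view) without executing anything.
case "${0##*/}" in
    cp_view.sh) run_view "$@" ;;
esac
```

To wire it up, place the file somewhere the restricted user cannot write (root-owned, mode 755; a user who can edit the script can run anything), then register it as an Extended Command and attach that command to a role assigned to the user. From memory the clish forms are add command <name> path <path> description <text>, add rba role <role> domain-type System extended-commands <name> and add rba user <user> roles <role>; treat these as assumptions and confirm them against the User Defined (Extended) Commands and Role Based Access chapters of the Gaia Admin Guide linked earlier in the thread. Because the mechanism may pass whatever the user types after the command name, the script refuses any argument beyond the single keyword.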
3 Replies
PhoneBoy
Admin
Two topics you need to refer to in the Gaia Admin Guide: https://sc1.checkpoint.com/documents/R80.20_GA/WebAdminGuides/EN/CP_R80.20_Gaia_AdminGuide/html_fram...
User Defined (Extended) Commands
Role Based Access

Between those two features, you can achieve what you're after.
trawa05
Explorer

I saw this info earlier already. The point is that User Defined (Extended) Commands requires a path to the script.
I am not good at scripting, and what if I would like to create an extended command for an already existing command like 'fw ctl conntab'? Is there already a script written for that in the system that I could point to in the extended command?

