I am trying to give certain users read-only access to my virtual systems. Would appreciate it if I can get some assistance setting this up. I created the users and the roles and I allowed read only to the individual virtual system, but when I try using the user credentials to switch between virtual systems it doesn't work. Thank you.
How do you mean? Are you talking about OS-level read-only user access? If yes, you cannot create any user, full permissions or otherwise, which is capable of accessing one particular VS only. VSX is using VRFs to build separate logical GWs on the same HW. They are not a fully isolated environment.
You still can create OS users with limited permissions, but they will be able to see any system settings on all VSs.
My question is, what are you trying to achieve?
Thank You for your response.
I am trying to provide certain users read-only access to my virtual systems.
Depends what commands you want to give them. Read about role based access and roles. Technically it's all there. I just tried and it seems to work - I was logged into a specific VS clish shell. Then it depends what commands you will permit.
Full list of commands is here: List of Role-Based Access features in Gaia OS
I get that. My question is, why? What purpose?
You should be able to set it if you define a new RBA role; there is an option under there:

add rba role <role name> virtual-system-access
Mind you, you will only get clish shell, not expert.
Uh, I kinda missed that one. Thanks, Kaspars.
I suspected it was there as it rang a bell when I played with RBA on R80.10 when it came out, so I had to try.
Now I know myself too and it's not a bad thing at all - we might use it ourselves.
Here is a little more info after I did some tests this morning.
First create a role, I named it "test", with access to VS 6 and then select commands that you want to allow to this role. Note that ext_xxxx commands do require read-write option as they are expert type commands, so be careful with those. They will still be executed from clish shell not bash though.
add rba role test virtual-system-access 6
add rba role test domain-type System readonly-features interface
add rba role test domain-type System readonly-features route
add rba role test domain-type System readwrite-features ext_cpview
add rba role test domain-type System readwrite-features ext_top
add rba role test domain-type System readwrite-features ext_ping
add rba role test domain-type System readwrite-features ext_cphaprob
add rba role test domain-type System readwrite-features ext_netstat
add rba role test domain-type System readwrite-features ext_traceroute
Then add a new user, I called it "testing", and couple it with the newly created role
add user testing uid 0 homedir /home/testing
set user testing password
add rba user testing roles test
Now you will have a user that has access to VS6 clish with named commands
vsxext:0> show rba role test
Role
test
domain-type System
virtual-system access: 6
read-write-feature ext_cphaprob
read-write-feature ext_cpview
read-write-feature ext_netstat
read-write-feature ext_ping
read-write-feature ext_top
read-write-feature ext_traceroute
read-only-feature interface
read-only-feature route
Thank you for the feedback. I had time to try this; for me I had to create line 2 first, then insert line 1. I got this error "NMSRBA0099 no such role exists" when I did it your way.
Also, I have multiple virtual systems and I was hoping I could have read-only access to those as well, but I realize that when I have it all set for the individual virtual systems I can't move from one system to another. In essence I can't do "set virtual-system xx".
Thank you for your help.
Can you elaborate exactly which commands you are running and in which order? Both adding the role and adding the user have lines 1 and 2.
Regarding having access to multiple VSes, I had to play but you can resolve it by adding these commands to your role. In my example, user "testing" has role "test" associated with him and I'm adding access to VS 4. You will be able to use commands set virtual-system after this
add rba role test virtual-system-access 4
add rba role test domain-type System readwrite-features virtual-system
vsx1-ext:0> show rba role test
Role
test
domain-type System
virtual-system access: 4,6
read-write-feature ext_cphaprob
read-write-feature ext_cpview
read-write-feature ext_ifconfig
read-write-feature ext_netstat
read-write-feature ext_ping
read-write-feature ext_top
read-write-feature ext_traceroute
read-write-feature virtual-system
read-only-feature blades
read-only-feature interface
read-only-feature route
read-only-feature vsx
vsx1-ext:4> set virtual-system 6
Context is set to vsid 6
vsx1-ext:6>
I finally got it to work once I changed the rba role to
add rba role test domain-type System readwrite-features virtual-system
I initially had my config to be read only.
Thank You for your help. Greatly appreciated
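An added example, not part of the thread and not Check Point code: a short Python audit that parses `show rba role` output in the layout posted above and flags anything that widens a role meant to be view-only, including the "cannot switch VS" condition the thread resolved. The sample output is constructed, and the function names and allow-lists are assumptions.

```python
import re

# Constructed sample in the layout of the 'show rba role' output posted above.
SAMPLE = """\
Role
test
domain-type System
virtual-system access: 4,6
read-write-feature ext_cpview
read-write-feature ext_ping
read-write-feature virtual-system
read-write-feature route
read-only-feature interface
"""

def parse_role(text):
    """Parse 'show rba role <name>' output into a dict."""
    role = {"name": None, "vs": [], "rw": [], "ro": []}
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    for i, line in enumerate(lines):
        if line == "Role" and i + 1 < len(lines):
            role["name"] = lines[i + 1]
        elif m := re.match(r"virtual-system access:\s*(.+)", line):
            role["vs"] = [int(v) for v in m.group(1).split(",")]
        elif m := re.match(r"read-write-feature\s+(\S+)", line):
            role["rw"].append(m.group(1))
        elif m := re.match(r"read-only-feature\s+(\S+)", line):
            role["ro"].append(m.group(1))
    return role

def audit(role, allowed_vs, allowed_rw=("virtual-system",)):
    """Findings for a role meant to be view-only (allow-lists are assumptions)."""
    findings = []
    for vs in role["vs"]:
        if vs not in allowed_vs:
            findings.append(f"unexpected virtual system {vs}")
    for feat in role["rw"]:
        if feat.startswith("ext_"):
            # The thread notes ext_ commands need read-write: review each by hand.
            findings.append(f"review extended command {feat}")
        elif feat not in allowed_rw:
            findings.append(f"read-write on {feat} in a view-only role")
    if len(role["vs"]) > 1 and "virtual-system" not in role["rw"]:
        # Matches the thread: 'set virtual-system' fails without this feature.
        findings.append("cannot switch VS: virtual-system is not read-write")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_role(SAMPLE), allowed_vs={4, 6}):
        print(finding)
```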