Maintaining SMART Client Management Users

In FireWall-1 NG FP2 and above, it is possible to add/delete administrator users from the Policy Editor/Smart Dashboard application. You can also use the command line method described below. However, users created in one place don't show up in the other.
In FireWall-1 4.1 and earlier, use the command "fwm" to do this (on NT, this is "fw fwm"). The command line flags given to fwm are as follows (relevant to 4.0 and 4.1):

Command Option   Description
----------------------------------------------------------------------------------------
-a foo           Adds or updates the user name ‘foo’
-wX              Sets permissions for this user. X can be:
                   w: Read/Write (all permissions)
                   u: User Edit (read-only for all others)
                   r: Read-Only (can view rulebases and objects)
                   m: Monitor Only (cannot use Policy Editor, but can use the other apps)
                   lxxxxxxxx: Specific permissions (4.1 and above). See below.
-s abc123        Sets the user’s password to “abc123” (requires -a)
-r foo           Removes the user ‘foo’
-p               Prints a list of administrative (GUI) users
-g rulebase.W    Imports the file rulebase.W into the rulebases.fws file, which contains all the rulebases on your management console.

Specific permissions is an 8-digit hexadecimal number that is determined by which "permissions" you want to give the user. Start with a binary number, 0 being the least significant bit. For each permission you want to give the user, set the appropriate bit to 1. Convert the resulting binary number into hexadecimal.
Bit   Description
-------------------------------------
0     Log Viewer Read
1     Log Viewer Read/Write
2     System Status
4     Edit User Database
6     Security Policy Rules Read
7     Security Policy Rules Read/Write
9     Bandwidth Rules Read
10    Bandwidth Rules Read/Write
12    Compression Rules Read
13    Compression Rules Read/Write
15    Redundant Policy Read
16    Redundant Policy Read/Write
18    Objects Write
20    CE (Log Consolidator)
22    Reporting Tool Read
23    Reporting Tool Read/Write

For example, if you wanted read-only access to the log viewer, system status viewer, and policy editor, bits 0, 2, and 6 would be ones, everything else would be a zero. This is equal to 45 in hexadecimal, i.e. you'd use 00000045.
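The mask arithmetic above can be checked in both directions, which is useful when reviewing what an existing administrator is actually allowed to do. This is an added example, not part of the original FAQ or of FireWall-1: the bit table is copied from this page, while the function names (encode_mask, decode_mask, write_access) are assumptions made for illustration.

```python
# Bit positions copied from the table on this page (FireWall-1 4.1 specific permissions).
PERMISSION_BITS = {
    0: "Log Viewer Read",
    1: "Log Viewer Read/Write",
    2: "System Status",
    4: "Edit User Database",
    6: "Security Policy Rules Read",
    7: "Security Policy Rules Read/Write",
    9: "Bandwidth Rules Read",
    10: "Bandwidth Rules Read/Write",
    12: "Compression Rules Read",
    13: "Compression Rules Read/Write",
    15: "Redundant Policy Read",
    16: "Redundant Policy Read/Write",
    18: "Objects Write",
    20: "CE (Log Consolidator)",
    22: "Reporting Tool Read",
    23: "Reporting Tool Read/Write",
}
NAME_TO_BIT = {name: bit for bit, name in PERMISSION_BITS.items()}


def encode_mask(names):
    """Return the 8-digit hex mask granting exactly the named permissions."""
    mask = 0
    for name in names:
        if name not in NAME_TO_BIT:
            raise ValueError(f"unknown permission: {name!r}")
        mask |= 1 << NAME_TO_BIT[name]
    return f"{mask:08x}"


def decode_mask(value):
    """Split a mask (with or without the leading 'l') into (granted, unknown_bits)."""
    digits = value[1:] if value[:1] in ("l", "L") else value
    if len(digits) != 8 or any(c not in "0123456789abcdefABCDEF" for c in digits):
        raise ValueError("mask must be 8 hexadecimal digits")
    mask = int(digits, 16)
    granted = [PERMISSION_BITS[b] for b in range(32) if mask >> b & 1 and b in PERMISSION_BITS]
    unknown = [b for b in range(32) if mask >> b & 1 and b not in PERMISSION_BITS]
    return granted, unknown


def write_access(value):
    """Names in the mask that allow changes, for a least-privilege review."""
    granted, _ = decode_mask(value)
    return [n for n in granted if "Write" in n or n.startswith("Edit")]
```

decode_mask reports any set bit that has no entry in the table as unknown instead of silently ignoring it, so a mistyped mask is caught before it is applied to an account.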
--
PhoneBoy - 16 Jan 2004