CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.


Thread: Need some basic help with understanding checkpoint roles

  1. #1
    Need some basic help with understanding checkpoint roles

    I've just started here in a Check Point shop - new to me, and one of my first assignments is to do some security audits. We use 2-factor (RADIUS) authentication to get into the console, but at that point, roles are applied to the user by the SmartView Monitor system. I see domain manager, global manager, domain superuser and multidomain superuser. No, we don't have identity management blade, this is the basic stuff.

    On our old auditing sheets, however, I see these roles tied to permissions, such as:

    multi-domain super user - admin

    I need to give only the rights the techs need to perform pushes, t.shoot, etc., but where I come from "admin" should NEVER be assigned to anyone - and we got a bunch of them.

    We do have a multi domain setup, but I'm thinking I need to remove the admin attribute, and replace it with something a little lesser. Not sure what that is, though. Not finding much clear documentation about roles/permissions. I'm hoping to find some sort of matrix that displays different roles and what they can do??



  2. #2
    Re: Need some basic help with understanding checkpoint roles

    Check out the "Multi-Domain Security Management R77 Versions Administration Guide"

    Section: Administrator Management -> Selecting an Administrator Type

    Multi-Domain Superuser
    Manages the Multi-Domain Security Management deployment, including all Domains, Multi-Domain Servers, Domain Management Servers, and administrator accounts.

    Multi-Domain superusers can do these tasks for Multi-Domain Servers:
    Add, edit or delete Multi-Domain Servers and Multi-Domain Log Servers.
    Allow or block access to the SmartDomain Manager.

    Domain Superuser
    Manages networks for all Domains using the SmartDomain Manager and SmartConsole clients. Domain superusers can create, edit and delete Domains as well as see all Domain network objects.

    Domain superusers can manage Global Managers, Domain Managers and None administrators. They cannot configure the Multi-Domain Server environment or manage Multi-Domain Superusers.

    Global Manager
    Manages global policies, global objects and specified Domain networks. Global managers can see information or do actions according to their permissions profile settings.

    Global managers can manage Domain Managers and None administrators. Global managers can only see network objects in their assigned Domains. They cannot create new Domains.

    Domain Manager
    Manages specified Domain networks. Domain managers can use SmartConsole clients to see information or do actions according to their permissions profile settings.

    Domain Managers can manage None administrators. They cannot access the Global SmartDashboard to manage global objects and global policies.

    None
    Do not have permissions to manage Multi-Domain Security Management or use the SmartDomain Manager. None administrators can manage specified Domain networks, using the SmartConsole clients.


  3. #3
    Re: Need some basic help with understanding checkpoint roles

    It helps - thanks. I've also learned I don't have the admin guides, so I'll look for those.

    It will take me some time to get my head around exactly what type of access we need. Perhaps an example will help. What would the typical group of technicians have if they were tasked daily with staging and then pushing rules in a multi domain environment? Seldom do we add/change/remove domains, of course, and the last thing we want is someone being able to add/change or delete accounts.

    Perhaps the sweet spot will be a combination of roles and permissions profile settings.
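
Added example, not part of the thread or of Check Point's documentation: the administrator types from the guide excerpt in post #2 encoded as a matrix and checked against the constraints stated in post #3. The CSV export, the account names and the capability labels are assumptions; what an account can do inside a Domain is still set by its permissions profile, which this example does not model.

```python
import csv
import io

# Administrator types, lowest to highest, transcribed from the guide excerpt
# quoted in post #2. Only capabilities the excerpt states are recorded; the
# keys "manages", "edit_domains" and "mds_config" are labels for this example.
TYPES = {
    "None": {"manages": []},
    "Domain Manager": {"manages": ["None"]},
    "Global Manager": {"manages": ["Domain Manager", "None"]},
    "Domain Superuser": {"manages": ["Global Manager", "Domain Manager", "None"],
                         "edit_domains": True},
    "Multi-Domain Superuser": {"manages": ["Multi-Domain Superuser", "Domain Superuser",
                                           "Global Manager", "Domain Manager", "None"],
                               "edit_domains": True, "mds_config": True},
}

def capabilities(admin_type):
    """Flatten one type's entry into a set of capability strings."""
    entry = TYPES[admin_type]
    caps = {"manage_admin:" + t for t in entry["manages"]}
    caps |= {k for k in ("edit_domains", "mds_config") if entry.get(k)}
    return caps

def audit(rows, unwanted_prefixes):
    """Return (name, type, excess) for accounts holding any unwanted capability."""
    findings = []
    for row in rows:
        excess = sorted(c for c in capabilities(row["type"])
                        if c.startswith(tuple(unwanted_prefixes)))
        if excess:
            findings.append((row["name"], row["type"], excess))
    return findings

def lowest_clean_type(unwanted_prefixes):
    """Lowest type in the excerpt that carries none of the unwanted capabilities."""
    for t in TYPES:  # dict order is lowest to highest
        if not any(c.startswith(tuple(unwanted_prefixes)) for c in capabilities(t)):
            return t
    return None

# Constructed sample export (names are invented): one row per administrator.
SAMPLE = "name,type\ntech1,Multi-Domain Superuser\ntech2,Domain Manager\ntech3,None\n"
ROWS = list(csv.DictReader(io.StringIO(SAMPLE)))
# Post #3's constraints: no account management, no adding/removing Domains.
UNWANTED = ["manage_admin:", "edit_domains", "mds_config"]

if __name__ == "__main__":
    for name, admin_type, excess in audit(ROWS, UNWANTED):
        print(f"{name}: {admin_type} exceeds need -> {', '.join(excess)}")
    print("lowest type without these:", lowest_clean_type(UNWANTED))
```

Per the excerpt, even a Domain Manager is flagged here because that type can manage None administrators.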


