CPUG: The Check Point User Group


Thread: Confusion Between the various levels of access

  1. #1
    Join Date: 2017-05-16 | Posts: 15 | Rep Power: 0

    Confusion Between the various levels of access

    I am pretty confused with these modes of access: expert, bash (clish), netadmin and governor.

    I roughly know that clish is equivalent to the user mode in Cisco and expert mode is the configuration mode in Cisco. But what about netadmin and governor?

  2. #2
    Join Date: 2005-08-14 | Location: Gig Harbor, WA, USA | Posts: 2,494 | Rep Power: 17

    Re: Confusion Between the various levels of access

    Gaia itself has a fairly flexible set of permissions that can be enforced with role-based access (RBA), either for users that are defined locally or on an external AAA server (RADIUS, TACACS+).
    One of the permissions you can define with RBA is access to the bash shell (expert mode).
    The other names you mention are not defined in Gaia's RBA.
    I recommend reading the Gaia administration guide for more details.
    http://phoneboy.org
    Unless otherwise noted, views expressed are my own

  3. #3
    Join Date: 2009-04-30 | Location: Colorado, USA | Posts: 2,251 | Rep Power: 14

    Re: Confusion Between the various levels of access

    Quote, originally posted by custom:
    > I am pretty confused with these modes of access: expert, bash (clish), netadmin and governor.
    >
    > I roughly know that clish is equivalent to the user mode in Cisco and expert mode is the configuration mode in Cisco. But what about netadmin and governor?
    In the classes I teach I spend a fair amount of time talking about the "Gaia OS side of the house", which is Red Hat Linux with some OS enhancements added by Check Point, and the "Check Point side of the house", which is the INSPECT driver, SecureXL/CoreXL, SmartConsole, etc. This is not a crystal-clear line of demarcation on the firewall, however: from the Gaia OS side there is visibility into the Check Point side of things (i.e. "fw stat"), and from the Check Point side there is visibility into the Gaia OS (viewing the route table from SmartView Monitor).

    For effective troubleshooting it is important to know which side of things is potentially responsible since 90% of troubleshooting is knowing the right place to look. The Gaia OS side is where things like interfaces, VLAN tags, static routes and such are defined. The Check Point side is where things like security policies, NAT, VPNs, APCL/URLF and Threat Prevention are defined. To summarize:

    Gaia OS side:
    Administrators defined directly in Gaia can change things in the OS from:
    • Gaia Web interface
    • clish (appliance-like custom CLI shell via set/show/delete/add commands with command completions available)
    • expert mode (traditional Unix root shell, not recommended to make changes here, use clish)
    • Sample commands: ping, netstat, top, tcpdump

    Check Point side:
    • Administrators can run SmartConsole applications
    • dbedit/GUIdbedit
    • Management CLI (R80+ Only)
    • User accounts defined in SmartConsole, LDAP, RADIUS/TACACS, etc. can authenticate to the firewall for purposes of passing through it for network access
    • Sample commands: fw ctl zdebug drop, fw stat, fw unloadlocal, fw ctl arp, fw monitor, cpstat
    --
    Second Edition of my "Max Power" Firewall Book
    Now Available at http://www.maxpowerfirewalls.com
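Since clish and expert mode are, on the Gaia OS side, just two different login shells (/etc/cli.sh for clish, /bin/bash for expert), one quick audit is to check which local accounts land in which. This is an added example, not code from either poster; it runs in POSIX sh over a constructed /etc/passwd sample, and on a real box you would feed it the contents of /etc/passwd.

```shell
#!/bin/sh
# Constructed sample in /etc/passwd format; not taken from a real Gaia system.
# Gaia gives clish-only administrators /etc/cli.sh as their login shell,
# while an account whose shell is /bin/bash logs straight into expert mode.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
admin:x:0:0:Admin:/home/admin:/etc/cli.sh
netops:x:0:0:Network operator:/home/netops:/etc/cli.sh
contractor:x:0:0:Contractor:/home/contractor:/bin/bash
monitor:x:0:0:Read-only:/home/monitor:/etc/cli.sh
nobody:x:99:99:Nobody:/:/sbin/nologin'

# classify_shells PASSWD_TEXT
# Prints "<user> <level>" per account, where level is clish, expert, or
# other (nologin and similar non-interactive shells).
classify_shells() {
  printf '%s\n' "$1" | awk -F: '
    $7 == "/etc/cli.sh" { print $1, "clish";  next }
    $7 == "/bin/bash"   { print $1, "expert"; next }
                        { print $1, "other" }'
}

# direct_expert_accounts PASSWD_TEXT
# Prints only the accounts that bypass clish and get a root bash shell at
# login; each one should be justified against the RBA design.
direct_expert_accounts() {
  classify_shells "$1" | awk '$2 == "expert" { print $1 }'
}

# Stand-alone run: show the full classification, then the accounts to review.
classify_shells "$SAMPLE_PASSWD"
echo "--- accounts logging directly into expert mode ---"
direct_expert_accounts "$SAMPLE_PASSWD"
```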
