The PhoneBoy Blog


Simplifying Telecom, Mobile Phones, Gadgets, and More!

FireWall-1 FAQ: Maintaining SMART Client Management Users

Please note: This content was from when I was operating my FireWall-1 FAQ site, which I stopped operating in August 2005. For some reason people still have links to this stuff on the Internet that people are still clicking on.


I am making this information available again AS IS. Given how old this information is, it is likely wildly inaccurate. I have no plans to update this information.


If you're still running versions of Check Point VPN-1/FireWall-1 where this information is still relevant to you, do yourself a favor and upgrade to a more recent release. If you happen to be running a current release and the information is useful, it's by happenstance :)


In FireWall-1 NG FP2 and above, it is possible to add/delete administrator users from the Policy Editor/Smart Dashboard application. You can also use the command line method described below. However, users created in one place don't show up in the other.

In FireWall-1 4.1 and earlier, use the command "fwm" to do this (on NT, this is "fw fwm"). The command line flags given to fwm are as follows (relevant to 4.0 and 4.1):

Command Option  Description
----------------------------------------------------------------------------------------
-a foo          Adds or updates the user name ‘foo’
-wX             Sets permissions for this user. X can be:
                  w: Read/Write (all permissions)
                  u: User Edit (read-only for all others)
                  r: Read-Only (can view rulebases and objects)
                  m: Monitor Only (cannot use Policy Editor, but can use the other apps)
                  lxxxxxxxx: Specific permissions (4.1 and above). See below.
-s abc123       Sets the user’s password to “abc123” (requires –a)
-r foo          Removes the user ‘foo’
-p              Prints a list of administrative (GUI) users
-g rulebase.W   Imports the file rulebase.W into the rulebases.fws file, which contains all
                the rulebases on your management console.

Specific permissions is an 8-digit hexadecimal number that is determined by which "permissions" you want to give the user. Start with a binary number, 0 being the least significant bit. For each permission you want to give the user, set the appropriate bit to 1. Convert the resulting binary number into hexadecimal.

Bit  Description
-------------------------------------
0    Log Viewer Read
1    Log Viewer Read/Write
2    System Status
4    Edit User Database
6    Security Policy Rules Read
7    Security Policy Rules Read/Write
9    Bandwidth Rules Read
10   Bandwidth Rules Read/Write
12   Compression Rules Read
13   Compression Rules Read/Write
15   Redundant Policy Read
16   Redundant Policy Read/Write
18   Objects Write
20   CE (Log Consolidator)
22   Reporting Tool Read
23   Reporting Tool Read/Write

For example, if you wanted read-only access to the log viewer, system status viewer, and policy editor, bits 0, 2, and 5 would be ones, everything else would be a zero. This is equal to 45 in hexadecimal, i.e. you'd use 00000045.

C-List #Cybersecurity Celebrity, Podcaster, #noagenda Producer, Frequenter of shiny metal tubes, Expressor of personal opinions, and of course, a coffee achiever.