Consumers - Security Gateways Using Identity and Trust for Access Control

After you configure Identity and Trust to collect directory and identity information, you can configure a Security Gateway to act as a consumer of Identity and Trust. It retrieves identity information from Identity and Trust and uses it to enforce identity‑based access control.

This chapter explains the configuration steps and how to use the retrieved identity information in access control rules.

Configuration

If the Security Management Server is already connected with the Check Point Portal, skip this step.

  1. Open SmartConsole and log in to your Security Management Server.

  2. From the left toolbar, select Infinity Services.

  3. In the Connect to Check Point Portal to use Infinity Services section, click Get Started.

    The Instructions window opens.

  4. In the Create Check Point Portal account step, if you do not have a Check Point Portal account, click Create Account and follow the steps in the Check Point Portal. If you already have a Check Point Portal account, skip this step.

  5. In the Create trust step, click Get Token.

    The Check Point Portal opens.

  6. Follow the steps in the Check Point Portal to open the relevant account and copy the token.

  7. Paste the token into the Instructions window in SmartConsole.

  8. In the Instructions window, in the Gateways Connection Details section, select which Security Gateways to connect to the Check Point Portal.

  9. In the Instructions window, in the Gateways Connection Details section, select when to establish connection from the Check Point Portal to Security Gateways:

  10. In the Instructions window, click Connect.

    In SmartConsole, the Infinity Services tab shows a card that says "CONNECTED TO INFINITY PORTAL" and shows the name of the Check Point Portal account you connected to the Management Server.

  11. In the Check Point Portal, make sure your Management Server is connected.

    1. Open the Check Point Portal account that you connected to the Management Server.

    2. In the upper left corner, click the menu button .

    3. In the Hybrid Mesh Network Security section, click Management & (Undefined variable: Vars_CloudGuard.tp_smart1_cloud_old).

      The Security Management screen opens.

    4. In the Connected Managements tab, make sure that your Security Management server appears with Active status.

      The Identity Provider defined on the Check Point Portal is now available as a read-only object in SmartConsole.

  1. In SmartConsole, from the left toolbar, click Gateways & Servers.

  2. Double-click on the table row for the relevant Security Gateway object.

    The Check Point Gateway window opens.

  3. From the left tree menu, expand Identity Awareness and click Identity Sharing.

  4. In the Identity Sharing section, select Get identities from Identity and Trust.

  5. Click OK.

  6. Install the policy.

Note - If you already created access roles for directories from Identity CollectorClosed Check Point dedicated client agent installed on Windows Servers in your network. Identity Collector collects information about identities and their associated IP addresses and sends it to the Check Point Security Gateways for identity enforcement, you can download the Identity Collector package from the Support Center., these roles continue to apply after the same Identity Collector instance is integrated with Identity and Trust.

  1. In SmartConsole, from the right toolbar, open the Objects tab.

  2. Click Users/Identities.

  3. Click Access Roles.

  4. To create a new Access RoleClosed Access Role objects let you configure network access according to: Networks, Users and user groups, Computers and computer groups, Remote Access Clients. After you activate the Identity Awareness Software Blade, you can create Access Role objects and use them in the Source and Destination columns of Access Control Policy rules., right click an empty area in the Access Roles menu and then click Access Role. Or, double click on an existing Access Role to edit it.

    The Access Role window opens.

  5. Open the Users tab.

  6. Select Specific users/groups.

  7. Click the + (plus sign) button.

    A new window opens.

  8. In the top left corner of the new window, next to the search bar, select a directory that the Security Gateway gets from Identity and Trust (for example: My_Entra_ID_Directory).

  9. Finish creating the Access Role.

  10. Install the policy.

Monitoring and Troubleshooting the Connection between Identity and Trust and Security Gateways

If a user logs in successfully but does not get access to resources located behind a Security Gateway as expected, follow these steps to troubleshoot the issue.

  1. In Identity and Trust, from the left toolbar, open the Active sessions tab.

  2. At the top of the Active Sessions menu, select By users.

  3. Search the table for the relevant username.

    If the username appears in the table, keep Identity and Trust open and continue to the next step.

  4. On the CLI of the Security Gateway, run:

    pep show network intelligence

    If the username does not appear in the table, then there is a problem with the connection between Identity and Trust and the IdP.

    The output of the command is a table. In the Network column of the table, look for the network that appears in the table row for the username in the Identity and Trust UI. If you find the network, check if Identity and Trust appears in the Related Intelligence column.

    If the user's network appears, continue to the next step.

    If the user's network does not appear, then there is a problem with the connection between Identity and Trust and the Security Gateway.

  5. On the CLI of the Security Gateway, run:

    pep show user all

    The output of the command is a table. If the username appears in the Username@Machine column in the table, and Identity and Trust appears in the ID (PDP; UID) column, this means that the Security Gateway received the identity from Identity and Trust. The Access Control rule is not configured properly in SmartConsole, or there is a problem with the connection between the Security Gateway and the internal resource.

    If the username does not appear in the table, then there is a problem with the connection between Identity and Trust and the Security Gateway.

Verifying Connectivity Between the Security Gateway and Identity and Trust

After the Security Gateway and Identity and Trust synchronize information (about 15 minutes), a Security Gateway consumer card appears on the Integrations page.

Logs show related Security Gateway events. For example:

  • When a Security Gateway is configured to work with Identity and Trust

  • When a Security Gateway is removed

  • When a Security Gateway status changes from connected to disconnected