
Managing Users and Objects

In This Section:

Users

Administrators

Authentication Servers

Services

Service Groups

Network Objects

URL Lists

This section describes how to set up and manage users (User Awareness, users, administrators, and authentication servers) and network resources.

Users

In the Users & Objects > Users page you can create local users and user groups. To use these objects in the Access Policy, make sure to activate User Awareness.

User objects are used to define the different terms under which users can operate. These include:

To add a new local user:

  1. Click New > Local User.
  2. Enter a User name, Password, and Comments (optional). You cannot use these characters when you enter a password or shared secret: { } [ ] ` ~ | ' " # + \
  3. For temporary or guest users, click Temporary user.

    Enter the expiration date and time.

  4. To give the user remote access permissions, select Remote Access permissions.
  5. Click Apply.

    The user is added to the table on the page.

To add a new local users group with remote access permissions:

  1. Click New > Users Group.
  2. Enter a Group name.
  3. To give the group remote access permissions, select Remote Access permissions.
  4. To select initial users to add to the group, click the relevant checkboxes from the user list or click New to create new users.

    You can see a summary of the group members above the user list.

  5. To remove a user, click the X next to the user name.
  6. Click Apply.

    The group is added to the table on the page.

To automatically delete expired local users:

  1. Go to Device > Advanced Settings.
  2. Select User Management.
  3. Click Edit.

    The User Management window opens.

  4. Click the checkbox for Automatically delete expired local users.
  5. Click Apply.

    Expired local users are automatically deleted every 24 hours (after midnight).

To edit a user or group:

  1. Select the user or group from the list.
  2. Click Edit.
  3. Make the relevant changes and click Apply.

To delete a user or group:

  1. Select the user or group from the list.
  2. Click Delete.
  3. Click OK in the confirmation message.

    The user or group is deleted.

Administrators

The Device > Administrators page lists the Check Point Appliance administrators and lets you:

Administrators can also be defined in a remote RADIUS server and you can configure the appliance to allow them access. Authentication of those remotely defined administrators is done by the same RADIUS server.

Administrator Roles:

Two administrators with write permissions cannot log in at the same time. If an administrator is already logged in, a message shows. You can choose to log in with Read-Only permission or to continue. If you continue the login process, the first administrator session ends automatically.

The correct Administrator Role must be configured to perform the operations listed below. If not, a Permission Error message shows.

To create a local administrator:

  1. Click New.

    The Add Administrator page opens.

  2. Configure the parameters (name, password, and password confirmation). The hyphen (-) character is allowed in the administrator name. You cannot use these characters when you enter a password or shared secret: { } [ ] ` ~ | ' " # + \
  3. Select the Administrator Role.
  4. Click Apply.

    The name and Administrator Role are added to the table. When the administrator is logged in to the WebUI, the administrator name and role are shown at the top of the page.

To edit the details of locally defined administrators:

  1. Select the administrator from the table and click Edit.
  2. Make the relevant changes.
  3. Click Apply.

To delete a locally defined administrator:

  1. Select an administrator from the list.
  2. Click Delete.
  3. Click Yes in the confirmation message.

Note - You cannot delete an administrator who is currently logged in.

To allow access for administrators defined in a remote RADIUS server:

  1. Make sure administrators are defined in the remote RADIUS server.
  2. Make sure a RADIUS server is defined on the appliance. If there is no server, click the RADIUS configuration link at the top of this page. You must configure the IP address and shared secret used by the RADIUS server.

    Note - 1100 appliances only support IPv4 addresses. 1200R and 1400 appliances support both IPv4 and IPv6 addresses.

  3. When you have a configured RADIUS server, click edit permissions.

    The RADIUS Authentication window opens.

  4. Click the Enable RADIUS authentication for administrators checkbox.

    Use roles defined on RADIUS server is selected by default.

  5. Configure the role for each user on the RADIUS server. See additional details below.

    Note - A user without a role definition gets a login error.

  6. If you select Use default role for RADIUS users, select the Administrators Role:
    • Super Admin
    • Read only
    • Networking Admin
  7. To allow access only to members of specific RADIUS groups, click Use specific RADIUS groups only and enter the RADIUS group names separated by commas.
  8. Click Apply.

To set the Session Timeout value for both local and remotely defined administrators:

  1. Click Security Settings.

    The Administrators Security Settings window opens.

  2. Configure the session timeout (maximum time period of inactivity in minutes). The maximum value is 999 minutes.
  3. To limit login failure attempts, click the Limit administrators login failure attempts checkbox.
  4. Enter the number of Maximum consecutive login attempts allowed before an administrator is locked out.
  5. In Lock period, enter the time (in seconds) that must pass before a locked out administrator can attempt to log in again.
  6. To enforce password complexity on administrators, click the checkbox and enter the number of days for the password to expire.
  7. Click Apply.

Note - This page is available from the Device and Users & Objects tabs.

Configuring a RADIUS Server for non-local Check Point Appliance users:

Non-local users can be defined on a RADIUS server and not in the Check Point Appliance. When a non-local user logs in to the appliance, the RADIUS server authenticates the user and assigns the applicable permissions. You must configure the RADIUS server to correctly authenticate and authorize non-local users.

Note - The configuration of the RADIUS Servers may change according to the type of operating system on which the RADIUS Server is installed.

Note - If you define a RADIUS user with a null password (on the RADIUS server), the appliance cannot authenticate that user.

To configure a Steel-Belted RADIUS server for non-local appliance users:

  1. Create the dictionary file checkpoint.dct on the RADIUS server, in the default dictionary directory (that contains radius.dct). Add these lines to the file:

    @radius.dct

    MACRO CheckPoint-VSA(t,s) 26 [vid=2620 type1=%t% len1=+2 data=%s%]

    ATTRIBUTE CP-Gaia-User-Role CheckPoint-VSA(229, string) r
    ATTRIBUTE CP-Gaia-SuperUser-Access CheckPoint-VSA(230, integer) r

  2. Add the following lines to the vendor.ini file on the RADIUS server (keep the entries in alphabetical order with the other vendor products in this file):

    vendor-product = Check Point Appliance
    dictionary = nokiaipso
    ignore-ports = no
    port-number-usage = per-port-type
    help-id = 2000

  3. Add this line to the dictiona.dcm file:

    @checkpoint.dct
  4. Add this Check Point Vendor-Specific Attribute to users in your RADIUS server user configuration file:

    CP-Gaia-User-Role = <role>

    Where the allowed values of <role> are:

    Administrator Role    Value
    Super Admin           adminrole
    Read only             monitorrole
    Networking Admin      networkingrole

To configure a FreeRADIUS server for non-local appliance users:

  1. Create the dictionary file dictionary.checkpoint in /etc/freeradius/ on the RADIUS server:

    #
    # Check Point dictionary file for freeradius AAA server
    #
    VENDOR CheckPoint 2620
    ATTRIBUTE CP-Gaia-User-Role 229 string CheckPoint
    ATTRIBUTE CP-Gaia-SuperUser-Access 230 integer CheckPoint

  2. Add this line to /etc/freeradius/dictionary:

    $INCLUDE dictionary.checkpoint
  3. Add this Check Point Vendor-Specific Attribute to users in your RADIUS server user configuration file:

    CP-Gaia-User-Role = <role>

    Where <role> is the value that corresponds to the Administrator Role defined in the WebUI:

    Administrator Role    Value
    Super Admin           adminrole
    Read only             monitorrole
    Networking Admin      networkingrole

To configure an OpenRADIUS server for non-local appliance users:

  1. Create the dictionary file dict.checkpoint in /etc/openradius/subdicts/ on the RADIUS server:

    # Check Point Gaia vendor specific attributes
    # (Formatted for the OpenRADIUS RADIUS server.)
    # Add this file to etc/openradius/subdicts/ and add the line
    # "$include subdicts/dict.checkpoint" to etc/openradius/dictionaries
    # right after dict.ascend.

    $add vendor 2620 CheckPoint

    $set default vendor=CheckPoint
    space=RAD-VSA-STD
    len_ofs=1 len_size=1 len_adj=0
    val_ofs=2 val_size=-2 val_type=String
    nodec=0 noenc=0

    $add attribute 229 CP-Gaia-User-Role
    $add attribute 230 CP-Gaia-SuperUser-Access val_type=Integer val_size=4

  2. Add the line $include subdicts/dict.checkpoint to /etc/openradius/dictionaries, immediately after dict.ascend.
  3. Add this Check Point Vendor-Specific Attribute to users in your RADIUS server user configuration file:

    CP-Gaia-User-Role = <role>

    Where <role> is the value that corresponds to the Administrator Role defined in the WebUI:

    Administrator Role    Value
    Super Admin           adminrole
    Read only             monitorrole
    Networking Admin      networkingrole
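The three dictionary formats above (Steel-Belted, FreeRADIUS, OpenRADIUS) all describe the same wire encoding: RADIUS attribute 26 (Vendor-Specific, RFC 2865 section 5.26) carrying Vendor-Id 2620 and a sub-attribute laid out as type, length, value. "type1=%t% len1=+2 data=%s%" and "len_ofs=1 len_size=1 val_ofs=2 val_size=-2" are two ways of spelling out that layout. The Python below is an added example, not code from the Check Point guide or from any RADIUS server: it encodes the CP-Gaia-User-Role and CP-Gaia-SuperUser-Access attributes as a RADIUS server would place them in an Access-Accept, decodes them as the appliance must, and maps the role value to the WebUI Administrator Role using the table above. The attribute bytes are constructed here for the demo; the function names are this example's own.

```python
import struct

VENDOR_SPECIFIC = 26            # RFC 2865 section 5.26
CHECKPOINT_VENDOR_ID = 2620     # "VENDOR CheckPoint 2620" in the dictionaries above
CP_GAIA_USER_ROLE = 229         # string
CP_GAIA_SUPERUSER_ACCESS = 230  # integer

# Role values from the table above -> Administrator Role shown in the WebUI
ROLE_NAMES = {
    "adminrole": "Super Admin",
    "monitorrole": "Read only",
    "networkingrole": "Networking Admin",
}


def encode_vsa(vendor_id, sub_attrs):
    """Build one Vendor-Specific attribute: type(1) len(1) vendor-id(4)
    followed by sub-attributes laid out as sub-type(1) sub-len(1) value."""
    body = b""
    for sub_type, value in sub_attrs:
        sub_len = 2 + len(value)
        if not 3 <= sub_len <= 255:
            raise ValueError("vendor sub-attribute length out of range")
        body += struct.pack("!BB", sub_type, sub_len) + value
    payload = struct.pack("!I", vendor_id) + body
    total = 2 + len(payload)
    if total > 255:
        raise ValueError("attribute too long")
    return struct.pack("!BB", VENDOR_SPECIFIC, total) + payload


def encode_checkpoint_role(role, superuser_access=None):
    """What a RADIUS server sends in Access-Accept for CP-Gaia-User-Role
    (and optionally CP-Gaia-SuperUser-Access)."""
    subs = [(CP_GAIA_USER_ROLE, role.encode("ascii"))]
    if superuser_access is not None:
        subs.append((CP_GAIA_SUPERUSER_ACCESS, struct.pack("!I", superuser_access)))
    return encode_vsa(CHECKPOINT_VENDOR_ID, subs)


def decode_attributes(raw):
    """Yield (type, value) for each attribute; for type 26 the value is
    (vendor_id, sub_type, data). Length fields are checked before use so a
    malformed reply raises instead of being misread."""
    i = 0
    while i < len(raw):
        if len(raw) - i < 2:
            raise ValueError("truncated attribute header")
        atype, alen = raw[i], raw[i + 1]
        if alen < 2 or i + alen > len(raw):
            raise ValueError("bad attribute length")
        value = raw[i + 2:i + alen]
        if atype == VENDOR_SPECIFIC:
            if len(value) < 4:
                raise ValueError("VSA without vendor id")
            vendor_id = struct.unpack("!I", value[:4])[0]
            j = 4
            while j < len(value):
                if len(value) - j < 2:
                    raise ValueError("truncated vendor sub-attribute")
                stype, slen = value[j], value[j + 1]
                if slen < 2 or j + slen > len(value):
                    raise ValueError("bad vendor sub-attribute length")
                yield atype, (vendor_id, stype, value[j + 2:j + slen])
                j += slen
        else:
            yield atype, value
        i += alen


def role_from_access_accept(attrs):
    """Administrator Role the appliance would apply, or None when no
    CP-Gaia-User-Role (or an unknown value) is present; the guide notes that
    a user without a role definition gets a login error."""
    for atype, value in decode_attributes(attrs):
        if atype != VENDOR_SPECIFIC:
            continue
        vendor_id, stype, data = value
        if vendor_id == CHECKPOINT_VENDOR_ID and stype == CP_GAIA_USER_ROLE:
            return ROLE_NAMES.get(data.decode("ascii", "replace"))
    return None


if __name__ == "__main__":
    # Constructed Access-Accept attribute list: User-Name (type 1) + the VSA
    reply = b"\x01\x07alice" + encode_checkpoint_role("adminrole", superuser_access=1)
    print(reply.hex())
    print(role_from_access_accept(reply))
```

The appliance trusts this attribute only because the Access-Accept is authenticated with the shared secret (the Response Authenticator is an MD5 over the packet and the secret, per RFC 2865). Anyone who knows the secret, or who can add a client entry on the RADIUS server, can therefore hand out Super Admin, so treat the secret and the server's client list as part of the administrator trust boundary and keep Use specific RADIUS groups only enabled where the server supports it.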

To log in as a Super User:

A user with super user permissions can use the Check Point Appliance shell to do system-level operations, including working with the file system.

  1. Connect to the Check Point Appliance platform using an SSH client or serial console client.
  2. Log in to the clish shell using your user name and password.
  3. Run the expert command.
  4. Enter the expert password.

Authentication Servers

In the Users & Objects > Authentication Servers page you can define and view authentication servers. An authentication server holds an external user database and determines the authentication method for the administrators and users defined in it.

You can define this type of authentication server:

To add a RADIUS server:

  1. Click RADIUS servers.
  2. In the Primary tab, enter this information:
    • IP address - Where the RADIUS server is deployed.
    • Port - The UDP port on which the RADIUS server listens for authentication requests. The default is 1812.
    • Shared secret - The secret between the RADIUS server and the Check Point Appliance.
      • Show - Displays the shared secret.
    • Timeout (seconds) - A timeout value in seconds.
  3. Repeat step 2 for a Secondary RADIUS server if applicable.
  4. Click Apply.

    The primary and/or secondary servers are added to the RADIUS section on the page.

To edit a RADIUS server:

  1. Click the IP address link of the RADIUS server you want to edit.
  2. Make the necessary changes.
  3. Click Apply.

    The RADIUS server definition is updated on the appliance.

To delete a RADIUS server:

Click the Remove link next to the RADIUS server you want to delete.

The RADIUS server is deleted.

Services

The Users & Objects > Services page lists the system services configured in the system. In this page you can add new services, edit services, and delete services.

Service objects describe network protocols, usually by IP protocol and, for TCP and UDP, by port number.

You can use these objects to define policy based routing in the Device > Routing page.

To create a new service:

  1. Click New.
  2. In the Service tab, enter information in the fields that apply to the type of service you select. Note that not all fields may show:
    • Name - Enter the service's name.
    • Type - Select the service type from the list:
      • TCP
      • UDP
      • ICMP - Select this option to represent a specific ICMP message type (and optionally code). This is an advanced option.
      • Other - Select this option to represent any IP protocol other than TCP or UDP.
    • Ports - Enter the port(s) if you selected Type - TCP or UDP. Enter port numbers and/or ranges separated by commas.
    • IP Protocol - Enter the IP protocol if you selected Type - Other.
    • ICMP type and ICMP code - Enter the ICMP type and code that you want the service object to represent as listed in RFC 792. This option is only relevant if you selected Type - ICMP.
    • Comments - Enter an optional comment.
    • Disable inspection for this service – Select this checkbox to disable deep inspection of traffic matching this service. This option is only available for built-in services.
  3. Click Apply.
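The form above defines a service by Type and then by the fields that apply to that type. The Python below is an added example, not code from the Check Point guide or the appliance: it models a service object with those fields, validates them the way the form should (only the fields for the chosen Type are read; ports must be 1-65535 and ranges must not be reversed), and tests a packet against a set of objects. The "a-b" range syntax, the function names and the sample objects are assumptions of this example.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional

PROTO_NUM = {"TCP": 6, "UDP": 17, "ICMP": 1}   # IP protocol numbers


def parse_ports(spec: str) -> FrozenSet[int]:
    """'80,443,8000-8080' -> frozenset of ports. Rejects empty items, ports
    outside 1-65535 and reversed ranges, so a typo cannot silently widen the
    service. The "a-b" range syntax is an assumption of this example."""
    ports = set()
    for item in spec.split(","):
        item = item.strip()
        if not item:
            raise ValueError("empty port entry")
        lo_s, _, hi_s = item.partition("-")
        lo = int(lo_s)
        hi = int(hi_s) if hi_s else lo
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"bad port entry: {item!r}")
        ports.update(range(lo, hi + 1))
    return frozenset(ports)


@dataclass(frozen=True)
class Service:
    name: str
    type: str                            # "TCP", "UDP", "ICMP" or "Other"
    ports: FrozenSet[int] = frozenset()  # TCP/UDP only
    icmp_type: Optional[int] = None      # ICMP only (RFC 792)
    icmp_code: Optional[int] = None      # ICMP only; None means any code
    ip_protocol: Optional[int] = None    # Other only

    @property
    def protocol(self) -> int:
        return self.ip_protocol if self.type == "Other" else PROTO_NUM[self.type]

    def matches(self, proto, dport=None, icmp_type=None, icmp_code=None) -> bool:
        """Does a packet with this IP protocol (and port / ICMP fields) hit
        the service object?"""
        if proto != self.protocol:
            return False
        if self.type in ("TCP", "UDP"):
            return dport in self.ports
        if self.type == "ICMP":
            if icmp_type != self.icmp_type:
                return False
            return self.icmp_code is None or icmp_code == self.icmp_code
        return True  # "Other": the protocol number alone identifies the service


def service_from_form(name, type_, ports="", ip_protocol=None,
                      icmp_type=None, icmp_code=None):
    """Mirror the New Service form: read only the fields that apply to the
    selected Type and validate them before the object is created."""
    if type_ in ("TCP", "UDP"):
        return Service(name, type_, ports=parse_ports(ports))
    if type_ == "ICMP":
        if icmp_type is None or not 0 <= icmp_type <= 255:
            raise ValueError("ICMP type 0-255 is required")
        if icmp_code is not None and not 0 <= icmp_code <= 255:
            raise ValueError("ICMP code must be 0-255")
        return Service(name, type_, icmp_type=icmp_type, icmp_code=icmp_code)
    if type_ == "Other":
        if ip_protocol is None or not 0 <= ip_protocol <= 255:
            raise ValueError("IP protocol 0-255 is required")
        if ip_protocol in PROTO_NUM.values():
            raise ValueError("use the TCP, UDP or ICMP type for this protocol")
        return Service(name, type_, ip_protocol=ip_protocol)
    raise ValueError(f"unknown service type {type_!r}")


# Constructed sample objects for the demo (names and values are made up)
SERVICES = [
    service_from_form("web", "TCP", ports="80,443,8000-8080"),
    service_from_form("dns", "UDP", ports="53"),
    service_from_form("echo-request", "ICMP", icmp_type=8, icmp_code=0),
    service_from_form("gre", "Other", ip_protocol=47),
]


def matching_services(services, proto, **fields):
    """Names of the service objects a packet matches, e.g. to check which
    policy rows a flow would hit before an object goes into the Access Policy."""
    return [s.name for s in services if s.matches(proto, **fields)]


if __name__ == "__main__":
    print(matching_services(SERVICES, 6, dport=8042))
    print(matching_services(SERVICES, 1, icmp_type=8, icmp_code=0))
```

The checks in parse_ports and service_from_form are the ones worth having in front of any policy object store: a reversed range or an "Other" object created with protocol 6 does not fail loudly on a firewall, it just matches more or less traffic than the administrator intended.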

To edit a service:

  1. Select a service from the list.
  2. Click Edit.
  3. Make the necessary changes. Note that not all fields can be edited.
  4. Click Apply.

To delete a service:

  1. Select the service from the list. Note that you can only delete a user defined service.
  2. Click Delete.
  3. Click Yes in the confirmation message.

To filter for a specified service:

  1. In the Type to filter box, enter the service name or part of it.
  2. As you enter text, the list is filtered and shows matching results.

Service Groups

The Users & Objects > Service Groups page lists the service groups defined in the system. In this page you can add new service groups, and edit or delete existing service groups.

There are built in service groups for common services.

To create a new service group:

  1. Click New.

    The New Service Group window opens.

  2. Enter a Name for the group and Comments (optional).
  3. Click Select to show the full list of available services and select the relevant checkboxes.
  4. Click New if the existing list does not contain the services you need. For information on creating a new service object, see the Users & Objects > Services page.
  5. Click Apply.

    You return to the New Service Group window, which shows the services you selected.

  6. You can also click New from the New Service Group window.
  7. To remove a service object from the group list, select it and click Remove.
  8. Click Apply.

    The service group is added to the list of groups.

To edit a service group:

  1. Select a group from the list.
  2. Click Edit.
  3. Make the necessary changes.
  4. Click Apply.

To delete a service group:

  1. Select the group from the list.
  2. Click Delete.
  3. Click Yes in the confirmation message.

To filter for a specified service group:

  1. In the Type to filter box, enter the service group name or part of it.
  2. As you enter text, the list is filtered and shows matching results.

Network Objects

The Users & Objects > Network Objects page lists the network objects defined in the system. In this page you can add, edit, and delete network objects. The most common use of these objects is to define the security policy and its exceptions. They can also serve as hosts for the internal DNS service, and their IP addresses can be configured as fixed addresses in the internal DHCP service.

Note - 1100 appliances support only IPv4 addresses. 1200R and 1400 appliances support both IPv4 and IPv6 addresses.

These are the available network object types:

To create a Single IP network object:

  1. Click New.

    The New Network Object window opens.

  2. In Type, select Single IP.
  3. Enter an IP address and Object name.
  4. Select or clear these options as necessary:
    • Allow DNS server to resolve this object name - When the gateway is the DNS server for your internal networks, the name of the server/network object is translated to its IP address.
    • Exclude from DHCP service - The internal DHCP service does not distribute the configured IP address of this server/network object to anyone.
      • Reserve IP address in DHCP service for MAC - The internal DHCP service distributes the configured IP address only to this server/network object based on its MAC address.
      • Enter the MAC address - This is required for IP reservation. When you create the object from the Active Computers page, the MAC address is detected automatically.
  5. Click Apply.

To create an IP Range network object:

  1. Click New.

    The New Network Object window opens.

  2. In Type, select IP Range.
  3. In the Start IP and End IP fields, enter the IP addresses that represent the start of the IP range and end of the IP range.
  4. Enter the Object name.
  5. Select or clear this option as necessary:
    • Exclude from DHCP service - The internal DHCP service does not distribute the configured IP range to anyone.
  6. Click Apply.

To create a Network type network object:

  1. Click New.

    The New Network Object window opens.

  2. In Type, select Network.
  3. Enter a Network address and Subnet mask.
  4. Enter the Object name.
  5. Click Apply.

To edit a network object:

  1. Select a network object from the list.
  2. Click Edit.
  3. Make the necessary changes.
  4. Click Apply.

To delete a network object:

  1. Select the network object from the list.
  2. Click Delete.
  3. Click Yes in the confirmation message.

To filter for a specified network object:

  1. In the Type to filter box, enter the name of the network object or part of it.
  2. As you enter text, the list is filtered and shows matching results.

URL Lists

The Users & Objects > URLs Lists page lets you override the URL filtering policy of central management on your local Check Point Appliance. Use this feature to define URL blacklist and whitelist exceptions to the global policy; the content of each list is edited per gateway. Before you use this feature, the system administrator of the Security Management Server that centrally manages this gateway must complete the prerequisite steps.

You can use this page to manage URLs lists:

Prerequisite steps for the system administrator of the Security Management Server:

  1. Turn on the Application Control blade for the gateway object that represents this Check Point Appliance.
  2. Configure custom applications in SmartDashboard with these guidelines:
    1. Use the prefix: LOCAL_ (case-sensitive) when naming a custom application.
      For example, LOCAL_whitelist or LOCAL_blacklist.
    2. Enter at least one URL for this custom application. It can be a dummy URL, because the actual list of URLs to allow or block is defined locally on the Check Point Appliance.
  3. Create rules in the Application Control Rule Base using the custom defined applications with the LOCAL_ prefix. Make sure to add the rules in positions that make sense in the Rule Base.
  4. Install policy (on the specified gateway).

Steps for the system administrator of this Check Point Appliance:

  1. On this page, set Local URLs Lists Management to ON.
  2. Add URLs/IP addresses or regular expressions to the predefined URLs lists (the custom applications defined in Security Management Server).

    Note - The names of the predefined URLs lists do NOT show the LOCAL_ prefix that was used to define the application in the Security Management Server.
    For example, LOCAL_whitelist is shown as just whitelist.

    Important -

    • If Application Control is turned off or no custom applications have been defined in the Security Management Server, this page is empty and shows a message that local URLs can only be defined after URLs lists have been predefined in the appliance's security policy.
    • If a list was removed or renamed in the Security Management Server, a warning shows above the table and next to the URLs List in the table.

To create a new URLs list entry:

  1. Click New.
  2. Select URL/IP Address or Regular Expressions.

    The New URL/IP Address or New Regular Expressions window opens.

  3. Select the applicable URLs list from the list.
  4. Enter a URL/IP Address or a regular expression for the URLs list.
  5. Click Apply.

    The URL is added to the list of entries for the specified URLs list in the table.
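Each entry in a local list is either a literal URL/IP address or a regular expression, and the list itself is a LOCAL_ custom application shown without its prefix. The Python below is an added example, not code from the Check Point guide or the appliance, that models those lists and shows the caveat a practitioner hits with regular-expression entries: a pattern that is not anchored to the hostname also matches attacker-controlled URLs that merely contain the trusted name. This page does not document how the appliance compiles or applies entries, so the matching rules here (case-insensitive hostnames, a literal entry matching its host and path prefix, a regex matched against the whole hostname unless deliberately loosened) and all names and sample URLs are assumptions of this example.

```python
import re
from urllib.parse import urlsplit

LOCAL_PREFIX = "LOCAL_"   # case-sensitive prefix required on the custom application


def local_list_name(app_name: str):
    """'LOCAL_whitelist' -> 'whitelist' (the name the appliance page shows);
    None for a custom application that is not a local list."""
    if app_name.startswith(LOCAL_PREFIX):
        return app_name[len(LOCAL_PREFIX):]
    return None


def split_url(url: str):
    """(host, path) for a URL, bare hostname or IP; host is lower-cased."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    return (parts.hostname or "").lower(), parts.path or "/"


class UrlList:
    """Local entries for one LOCAL_ custom application (assumed semantics)."""

    def __init__(self, app_name: str):
        self.name = local_list_name(app_name)
        if self.name is None:
            raise ValueError(f"{app_name!r} does not carry the {LOCAL_PREFIX} prefix")
        self.literals = []   # (host, path) from URL/IP Address entries
        self.regexes = []    # (compiled pattern, anchored_to_host)

    def add_url(self, entry: str):
        self.literals.append(split_url(entry))

    def add_regex(self, pattern: str, anchor_host: bool = True):
        """anchor_host=True: the pattern must match the whole hostname.
        anchor_host=False: the pattern is searched anywhere in the URL, which
        is the loose behaviour the note below warns about."""
        self.regexes.append((re.compile(pattern, re.IGNORECASE), anchor_host))

    def matches(self, url: str) -> bool:
        host, path = split_url(url)
        for lhost, lpath in self.literals:
            if host != lhost:
                continue
            if lpath == "/" or path == lpath or path.startswith(lpath.rstrip("/") + "/"):
                return True
        for rx, anchor_host in self.regexes:
            hit = rx.fullmatch(host) if anchor_host else rx.search(url)
            if hit:
                return True
        return False


def matching_lists(url: str, lists) -> list:
    """Names of the local lists a URL falls into. Which action wins when both
    a whitelist and a blacklist match is decided by the rule order in the
    Application Control Rule Base, not here."""
    return [lst.name for lst in lists if lst.matches(url)]


if __name__ == "__main__":
    wl = UrlList("LOCAL_whitelist")
    wl.add_url("intranet.example.com")
    wl.add_regex(r"(.*\.)?corp-example\.com")                  # anchored to the host
    loose = UrlList("LOCAL_loose")
    loose.add_regex(r"corp-example\.com", anchor_host=False)   # too broad
    for u in ("https://mail.corp-example.com/", "https://corp-example.com.evil.net/"):
        print(u, matching_lists(u, [wl, loose]))
```

When you add a regular expression to a whitelist, write it so it can only match the hostnames you mean (escape dots, anchor both ends, allow subdomains explicitly) and test it against a lookalike such as trusted-name.attacker.example before you rely on it; an over-broad whitelist entry silently removes the global URL filtering policy for every URL it happens to match.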

To edit a URLs list entry:

  1. Select an entry from the list.
  2. Click Edit.
  3. Make the necessary changes.
  4. Click Apply.

To delete a URLs list entry:

  1. Select an entry from the list.
  2. Click Delete.
  3. Click Yes in the confirmation message.

To filter for a specified URLs list:

Do one of these: