Working with UserCheck

In This Section:

Configuring the Security Gateway for UserCheck

Enable or disable UserCheck directly on the Security Gateway. The Gateways page in the Software Blade tab shows the Security Gateways that use that Software Blade. Make sure the UserCheck is enabled on each Security Gateway in the network. The Security Gateway has an internal persistence mechanism that preserves UserCheck notification data if the Security Gateway or cluster reboots. Records of a user answering or receiving notifications are never lost.

When you configure the Main URL of the UserCheck portal, if it is set to an external interface, the Accessibility option must be set to one of these:

Through all interfaces
According to the firewall Policy

If users connect to the Security Gateway remotely, make sure that the Security Gateway internal interface (in the Topology page) is the same as the Main URL for the UserCheck portal.

If you are using internal encrypted traffic, add a new rule to the Firewall Rule Base. This is a sample rule:


Source		Destination	VPN	Service	Action
Any		Security Gateway on which UserCheck client is enabled	Any Traffic	UserCheck	Accept
	Note - When you enable UserCheck on an IP appliance, make sure to set the Voyager management application port to a port other than 443 or 80.

To configure UserCheck on a Security Gateway:

From the Network Objects tree, double-click to Security Gateway.
The Gateway Properties window opens.
From the navigation tree, click UserCheck.
The UserCheck page opens.
Select Enable UserCheck.
Enter the settings for the UserCheck portal:
1. In the Main URL field, enter the primary URL for the web portal that shows the UserCheck notifications.
  Note - The Main URL field must be manually updated if:
  - The Main URL field contains an IP address and not a DNS name.
  - You change a gateway IPv4 address to IPv6 or vice versa.
2. In IP Address, enter the IP address for the portal.
3. Optional: Click Aliases to add URL aliases that redirect different hostnames to the Main URL.
  The aliases must be resolved to the portal IP address on the corporate DNS server
In the Certificate area, click Import to import a certificate that the portal uses to authenticate to the server.
By default, the portal uses a certificate from the Check Point Internal Certificate Authority (ICA). This might generate warnings if the user browser does not recognize Check Point as a trusted Certificate Authority. To prevent these warnings, import your own certificate from a recognized external authority.
In the Accessibility area, click Edit to configure interfaces on the Security Gateway through which the portal can be accessed. These options are based on the topology configured for the Security Gateway. Users are sent to the UserCheck portal if they connect:
- Through all interfaces
- Through internal interfaces (default)
  - Including undefined internal interfaces
  - Including DMZ internal interfaces
  - Including VPN encrypted interfaces (default)
  Note: Make sure to add a rule to the Firewall Rule Base that allows the encrypted traffic.
- According to the Firewall Policy. Select this option if there is a rule that states who can access the portal.
Click OK.
Install the Policy.

UserCheck CLI

You can use the usrchk command in the gateway command line to show or clear the history of UserCheck objects.

Syntax: usrchk [debug] [hits]

Parameters:

Parameter

Description

debug

Controls debug messages

hits

Shows user incident options:

list - Options to list user incidents

all - List all existing incidents.
user <username> - List incidents of a specified user.
uci <name of interaction object> - List incidents of a specified UserCheck interaction object

clear - Options to clear user incidents

all - Clear all existing incidents
user <username> - Clear incidents for a specified user
uci <name of interaction object> - Clear incidents of a specified UserCheck interaction object

db - user hits database options

Examples:

To show all UserCheck interaction objects, run: usrchk hits list all
To clear the incidents for a specified user, run: usrchk hits clear user <username>

Notes:

You can only run a command that contains user <username> if:
- Identity Awareness is enabled on the gateway.
- Identity Awareness is used in the same policy rules as UserCheck objects.
To run a command that contains a specified UserCheck interaction object, first run usrchk hits list all to see the names of the interaction objects. Use the name of the interaction object as it is shown in the list.

Revoking Incidents

The Revoke Incidents URL can revoke a user's responses to UserCheck notifications. The URL is:

://<IP of gateway>/UserCheck/RevokePage

If users regret their responses to a notification and contact their administrator, the administrator can send users the URL.

After a user goes to the URL, all of the user's responses to notifications are revoked. The logs in SmartView Tracker will show the user's activity, and that the actions were revoked afterwards.

Administrators can use the usrchk command of the CLI to revoke incidents for one user, all users, or a specified interaction object.