
Adding Users to the Security Policy

In This Section:

Using Identity Awareness

Using User Directory

Adding Users to the Rule Base

Using Identity Awareness

The Identity Awareness Software Blade lets you configure the Firewall to enforce access control for individual users and groups. Identity Sources supply the information about users and groups that gives the Rule Base this flexibility and additional security. Identity Awareness lets you create rules that apply to specified users in these Rule Bases:

  • Firewall
  • URL Filtering and Application Control
  • DLP
  • Anti-Bot

For more about using Identity Awareness, see the R77 Identity Awareness Administration Guide.

Identity Sources

After the Security Gateway acquires the identity of a user, user-based rules can be enforced on the network traffic. Identity Awareness can use these sources to identify users:

  • AD Query - Seamlessly queries the AD (Active Directory) servers to get user information.
  • Browser-Based Authentication - Uses a Captive Portal to authenticate users.
  • Identity Agent - A client installed on endpoint computers that connects to a Security Gateway and authenticates users.
  • Terminal Servers Identity Agent - An agent on a Terminal or Citrix server connects to a Security Gateway to get user information.
  • Remote Access Devices - Use Identity Awareness with the Mobile Access and VPN Software Blades (Office Mode only) to authenticate users that connect from a remote device.

AD Query

When the security policy is installed, the Security Gateway registers to receive security event logs from the AD domain controllers. When a user authenticates with AD credentials, the domain controller generates these event logs and sends them to the Security Gateway, and the Firewall identifies the user from the AD security event log. When that user then sends traffic that matches an Identity Awareness rule in the security policy, the Firewall enforces the user-based rule on the traffic.
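The identification step in this paragraph can be pictured as a table that maps a source IP address to the user named in the most recent logon event received from the domain controllers. The Python below is an added example (not Check Point code, and not a description of how AD Query is implemented) that builds such a table from a few constructed records shaped like Windows Security log fields. The event ID, field names, logon types, the 8-hour session lifetime, and the handling of machine and anonymous accounts are all assumptions of this example; the page does not say which events or fields AD Query consumes.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, Optional, Tuple

# Assumption: how long an IP-to-user mapping stays valid. The page gives no value.
SESSION_TIMEOUT = timedelta(hours=8)

LOGON_EVENT_ID = 4624  # Windows Security log: "An account was successfully logged on"


@dataclass
class Identity:
    user: str
    domain: str
    seen: datetime


# Constructed sample records (not real log data) in the shape of Windows Security log fields.
SAMPLE_EVENTS = [
    {"EventID": 4624, "TimeCreated": "2015-03-01T08:00:00", "TargetUserName": "jsmith",
     "TargetDomainName": "CORP", "IpAddress": "10.1.1.20", "LogonType": 3},
    {"EventID": 4624, "TimeCreated": "2015-03-01T08:00:05", "TargetUserName": "WS20$",
     "TargetDomainName": "CORP", "IpAddress": "10.1.1.20", "LogonType": 3},        # machine account
    {"EventID": 4624, "TimeCreated": "2015-03-01T08:01:00", "TargetUserName": "ANONYMOUS LOGON",
     "TargetDomainName": "NT AUTHORITY", "IpAddress": "10.1.1.21", "LogonType": 3},
    {"EventID": 4624, "TimeCreated": "2015-03-01T08:02:00", "TargetUserName": "jdoe",
     "TargetDomainName": "CORP", "IpAddress": "-", "LogonType": 2},                 # console logon, no address
    {"EventID": 4634, "TimeCreated": "2015-03-01T08:03:00", "TargetUserName": "jsmith",
     "TargetDomainName": "CORP"},                                                    # logoff, not a logon
    {"EventID": 4624, "TimeCreated": "2015-03-01T08:10:00", "TargetUserName": "hr_contractor",
     "TargetDomainName": "CORP", "IpAddress": "10.1.1.30", "LogonType": 3},
    {"EventID": 4624, "TimeCreated": "2015-03-01T08:30:00", "TargetUserName": "mlee",
     "TargetDomainName": "CORP", "IpAddress": "::ffff:10.1.1.30", "LogonType": 3},  # same address, later
]


def parse_logon(event: dict) -> Optional[Tuple[str, Identity]]:
    """Return (ip, Identity) for a logon record that can map a user to an address, else None."""
    if event.get("EventID") != LOGON_EVENT_ID:
        return None
    user = event.get("TargetUserName", "")
    ip = event.get("IpAddress", "-")
    if not user or user.endswith("$"):          # machine accounts identify a host, not a user
        return None
    if user.upper() == "ANONYMOUS LOGON":        # null sessions identify nobody
        return None
    if ip in ("-", "", "127.0.0.1", "::1"):      # no source address to attach the user to
        return None
    if ip.startswith("::ffff:"):                 # IPv4-mapped IPv6 notation
        ip = ip[len("::ffff:"):]
    seen = datetime.fromisoformat(event["TimeCreated"])
    return ip, Identity(user, event.get("TargetDomainName", ""), seen)


def build_identity_map(events: Iterable[dict]) -> Dict[str, Identity]:
    """IP -> most recent user identity; a newer logon from the same address replaces the older one."""
    table: Dict[str, Identity] = {}
    for event in events:
        parsed = parse_logon(event)
        if parsed is None:
            continue
        ip, identity = parsed
        current = table.get(ip)
        if current is None or identity.seen >= current.seen:
            table[ip] = identity
    return table


def lookup(table: Dict[str, Identity], ip: str, now: datetime) -> Optional[Identity]:
    """Identity for a source address, or None if unknown or older than SESSION_TIMEOUT."""
    identity = table.get(ip)
    if identity is None or now - identity.seen > SESSION_TIMEOUT:
        return None
    return identity


if __name__ == "__main__":
    table = build_identity_map(SAMPLE_EVENTS)
    for ip, identity in sorted(table.items()):
        print(f"{ip:<12} {identity.domain}\\{identity.user} (seen {identity.seen:%H:%M})")
```

Two edge cases in the sample matter for any rule that later depends on this table: a record without a usable source address (a console logon) maps nobody, and a second logon from the same address replaces the first. That replacement is why a shared address such as a Terminal or Citrix server needs the Terminal Servers Identity Agent listed above rather than AD Query.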

Browser-Based Authentication

Browser-Based Authentication uses the Internet browser to identify users. You can use these Browser-Based Authentication solutions:

  • Captive Portal
  • Transparent Kerberos Authentication

Captive Portal uses a web interface to authenticate users before they can access network resources. When users try to access a protected resource, they must log in to a web page to continue.

When Transparent Kerberos Authentication is enabled, the Transparent Authentication page tries to authenticate users before the Captive Portal web page opens. The Transparent Authentication page uses the Kerberos protocol with the AD to authenticate the users. Users that are successfully authenticated can access the network resources. Users that are not authenticated are redirected to the Captive Portal.

Enabling Identity Awareness

There is an Identity Awareness configuration wizard in SmartDashboard that helps you enable and configure the Identity Awareness Software Blade. You can use the configuration wizard on these identity sources:

  • AD Query
  • Browser-Based Authentication
  • Terminal Servers

Using the Identity Awareness Wizard

The Identity Awareness Configuration wizard configures how the Security Gateway gets information about users and computers.

This section gives an example of how to configure the AD query and browser-based methods for Identity Awareness.

To use the configuration wizard:

  1. From the Network Objects tree, double-click the Security Gateway.

    The Gateway Properties window opens.

  2. From the navigation tree, click General Properties.
  3. From the Network Security tab, select Identity Awareness.

    The Identity Awareness Configuration wizard opens.

  4. Select AD Query and Browser-Based Authentication and then click Next.

    The Integration With Active Directory window opens.

  5. Select the AD domain and enter the Username and Password.

    Make sure that the AD account has domain administrator privileges.

  6. Click Connect.

    The Successfully connected message is shown.

  7. Click Next.

    The Browser-Based Authentication Settings window opens.

  8. Enter the URL for the Captive Portal and then click Next.

    The Identity Awareness is Now Active window opens.

  9. Click Finish and then install the policy.

Identity Awareness and Remote Access

Identity Awareness for Mobile Access and IPsec VPN clients works in Office Mode for Security Gateways. The Remote Access option is included as an identity source when you enable Identity Awareness.

To enable or disable Remote Access for Identity Awareness:

  1. From the Network Objects tree, double-click the Security Gateway.

    The Gateway Properties window opens.

  2. From the navigation tree, click Identity Awareness.
  3. Select or clear Remote Access.
  4. Click OK and then install the policy.

Creating a New AD Object

The Identity Awareness configuration wizard helps you create a new AD (Active Directory) LDAP Account Unit object in SmartDashboard. Enter the AD settings in the Integration with Active Directory window.

To create a new AD Account Unit with the Identity Awareness wizard:

  1. From the Integration with Active Directory window, select Create new domain.


  2. Enter the settings for the AD domain controller.
  3. Click Connect.

    SmartDashboard connects to the AD server.

  4. Click Next and then follow the instructions and finish the wizard.

    SmartDashboard creates the new AD Account Unit.

Working with Access Roles

After you enable Identity Awareness, you create Access Role objects.

You can use Access Role objects as the Source and/or Destination of a rule. An Access Role object can include one or more of these objects:

  • Users and user groups
  • Computers and computer groups
  • Networks

To create an Access Role object:

  1. Select Users and Administrators in the Objects Tree.
  2. Right-click Access Roles > New Access Role.

    The Access Role window opens.

  3. Enter a Name and Comment (optional) for the access role.
  4. In the Networks tab, select one of these:
    • Any network
    • Specific networks - Click the plus sign and select a network.

      Your selection is shown in the Networks node in the Role Preview pane.

  5. In the Users tab, select one of these:
    • Any user
    • All identified users - Includes users identified by a supported authentication method (internal users, AD users or LDAP users).
    • Specific users - Click the plus sign.

      A window opens. You can search for Active Directory entries or select them from the list.

  6. In the Machines tab, select one of these:
    • Any machine
    • All identified machines - Includes computers identified by a supported authentication method (AD).
    • Specific machines - Click the plus sign.

      You can search for AD entries or select them from the list.

  7. Optional: For computers that use Full Identity Agents, from the Machines tab select Enforce IP Spoofing protection.
  8. Click OK.

    The access role is added to the Users and Administrators tree.

Using Identity Awareness in the Firewall Rule Base

The Identity Awareness Software Blade lets you customize the Firewall for users regardless of which computer they are using. When you use Access Role objects in a rule, Identity Awareness identifies the users that match the rule. You can also configure an Accept action to redirect traffic from an unidentified user to a Captive Portal.

Sample Firewall Workflow with Identity Awareness

The Firewall inspects traffic that starts from a source that matches the Access Role object. The Identity Awareness source tries to identify the user.

  • If the user is identified, the traffic is allowed.
  • If the user is not identified, the traffic is only allowed when the user authenticates to the Captive Portal. If Captive Portal is not enabled, or the user does not authenticate, then the traffic is dropped.

Redirecting to a Captive Portal

You can configure rules that use an Access Role object and an Accept action to redirect HTTP traffic to a Captive Portal. The rule allows traffic when the users in the Access Role are identified. If the Captive Portal action is enabled, the Firewall can identify a user in either of these ways:

  • The Identity Awareness source identifies the user
  • The user authenticates at the Captive Portal

Rules can redirect HTTP traffic according to these parameters:

  • Source - Includes an Access Role object
  • Action - Uses Accept

To enable Captive Portal for a rule:

  1. Right-click the Action cell and select Edit Properties.

    The Action Properties window opens.

  2. Select Redirect http connections to an authentication (captive) portal.
  3. Click OK.

    The Action column shows accept (display captive portal).

  4. Install the policy.

Sample Identity Awareness Rules

This table shows sample Identity Awareness rules for a Firewall Rule Base. (The VPN, Track and Time columns are not shown. Track is set to Log, and VPN and Time are set to Any.)

No.  Name                            Source                    Destination     Service               Action
1    CEO allow                       John_Smith_CEO            Any             Any                   Accept (Display Captive Portal)
2    HR server allow                 HR_Partners               HR_Server       Any                   Accept (Display Captive Portal)
3    Drop non-identified HR traffic  Any                       HR_Server       Any                   Drop
4    Internet access                 Guests, All_Domain_Users  Internet_proxy  HTTP and HTTPS proxy  Accept (Display Captive Portal)

  1. CEO allow - Allows the CEO, John Smith, to access all the network resources. The CEO is identified by Identity Awareness AD Query or he authenticates to the Captive Portal.
  2. HR server allow - Allows users that are defined in the HR_Partners Access Role object to access the HR_Server subnet. The HR users are identified by Identity Awareness AD Query or they authenticate to the Captive Portal.
  3. Drop non-identified HR traffic - Drops all traffic to the HR_Server subnet. All authenticated users were allowed by the earlier rules.
  4. Internet access - Allows HTTP and HTTPS traffic from the Guests and All_Domain_Users Access Role objects to the Internet. Domain users are identified by Identity Awareness or they authenticate to the Captive Portal. Guests authenticate to the Captive Portal.
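To show how the Access Role objects described earlier, the accept (display captive portal) action and the sample Rule Base above fit together, here is an added Python example. It is not Check Point code and does not reproduce the gateway's matching engine. It assumes that a source matches an Access Role only when every dimension the role specifies (network, user, machine) matches, that the portal redirect applies to HTTP and HTTPS, and that a connection with no matching rule is dropped; the subnets, user names and connections are constructed for the four sample rules.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, Optional, Sequence, Union

ANY = "ANY"                # "Any network" / "Any user" / "Any machine" / Any service
IDENTIFIED = "IDENTIFIED"  # "All identified users" / "All identified machines"
Selector = Union[str, FrozenSet[str]]   # ANY, IDENTIFIED, or a specific set of names
Networks = Union[str, Sequence[str]]    # ANY or a list of CIDR strings
REDIRECTABLE = frozenset({"HTTP", "HTTPS"})  # assumption: services the portal redirect applies to


@dataclass(frozen=True)
class AccessRole:
    name: str
    networks: Networks = ANY
    users: Selector = ANY
    machines: Selector = ANY


@dataclass(frozen=True)
class Connection:
    src_ip: str
    dst_ip: str
    service: str
    user: Optional[str] = None     # None: no identity source has identified the user
    machine: Optional[str] = None  # None: no identified computer


@dataclass(frozen=True)
class Rule:
    no: int
    name: str
    source: Union[str, Sequence[AccessRole]]  # ANY or Access Role objects
    destination: Networks
    service: Selector
    action: str                               # "Accept" or "Drop"
    captive_portal: bool = False              # accept (display captive portal)


def _in_networks(ip: str, networks: Networks) -> bool:
    if networks == ANY:
        return True
    return any(ip_address(ip) in ip_network(net) for net in networks)


def _selected(selector: Selector, value: Optional[str]) -> bool:
    if selector == ANY:
        return True
    if selector == IDENTIFIED:
        return value is not None
    return value is not None and value in selector


def role_matches(role: AccessRole, conn: Connection) -> bool:
    """Assumption: every dimension the role specifies must match the source."""
    return (_in_networks(conn.src_ip, role.networks)
            and _selected(role.users, conn.user)
            and _selected(role.machines, conn.machine))


def role_needs_identity(role: AccessRole, conn: Connection) -> bool:
    """True when the role would match if only the source were identified."""
    return (conn.user is None and role.users != ANY
            and _in_networks(conn.src_ip, role.networks)
            and _selected(role.machines, conn.machine))


def match(rules: Sequence[Rule], conn: Connection) -> str:
    """First-match evaluation; returns the verdict and the rule that produced it."""
    for rule in rules:
        if not _in_networks(conn.dst_ip, rule.destination) or not _selected(rule.service, conn.service):
            continue
        if rule.source == ANY or any(role_matches(r, conn) for r in rule.source):
            return f"rule {rule.no}: {rule.action}"
        if (rule.captive_portal and conn.service in REDIRECTABLE
                and any(role_needs_identity(r, conn) for r in rule.source)):
            return f"rule {rule.no}: redirect to Captive Portal"
    return "no match: Drop"  # assumption: traffic that matches no rule is dropped


# Constructed network objects and Access Roles for the sample table above.
HR_SERVER = ["10.10.10.0/24"]
INTERNET_PROXY = ["10.0.0.5/32"]
JOHN_SMITH_CEO = AccessRole("John_Smith_CEO", users=frozenset({"jsmith"}))
HR_PARTNERS = AccessRole("HR_Partners", users=frozenset({"mlee", "hr_contractor"}))
GUESTS = AccessRole("Guests", networks=["192.168.50.0/24"], users=IDENTIFIED)
ALL_DOMAIN_USERS = AccessRole("All_Domain_Users",
                              users=frozenset({"jsmith", "mlee", "hr_contractor", "bob"}))

SAMPLE_RULES = [
    Rule(1, "CEO allow", [JOHN_SMITH_CEO], ANY, ANY, "Accept", captive_portal=True),
    Rule(2, "HR server allow", [HR_PARTNERS], HR_SERVER, ANY, "Accept", captive_portal=True),
    Rule(3, "Drop non-identified HR traffic", ANY, HR_SERVER, ANY, "Drop"),
    Rule(4, "Internet access", [GUESTS, ALL_DOMAIN_USERS], INTERNET_PROXY,
         frozenset({"HTTP", "HTTPS"}), "Accept", captive_portal=True),
]

if __name__ == "__main__":
    for conn in [Connection("10.1.1.20", "10.10.10.5", "HTTP", user="jsmith"),
                 Connection("10.1.1.99", "10.10.10.5", "HTTP"),
                 Connection("10.1.1.99", "10.10.10.5", "SMB"),
                 Connection("10.1.1.40", "10.10.10.5", "SMB", user="bob")]:
        print(conn, "->", match(SAMPLE_RULES, conn))
```

Three outcomes are worth noticing. An unidentified HTTP connection is redirected by rule 1, because that rule's destination is Any and its source role needs only an identity; this is the behaviour the sample table relies on. An unidentified non-HTTP connection to HR_Server cannot be redirected and falls through to rule 3, which drops it. An identified domain user who is not in HR_Partners (bob) also reaches rule 3, so rule 3 drops both unidentified and identified-but-unauthorized traffic.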

Using User Directory

User Directory lets you integrate LDAP and other external user management servers with Check Point products and security solutions. These are some of the Software Blades that work with User Directory:

  • Mobile Access
  • Identity Awareness
  • Data Loss Prevention

User Directory Features

  • Use LDAP servers to manage user information for the network
  • Security Gateways can retrieve CRLs (Certificate Revocation Lists)
  • Security Management Server can use LDAP information to authenticate users
  • High Availability can duplicate and back up user information across multiple LDAP servers
  • Create multiple Account Units to work with distributed databases
  • Use profiles to support multiple LDAP vendors
  • Encrypt User Directory connections

Deploying User Directory

User Directory integrates the Security Management Server and an LDAP server and lets the Security Gateways use the LDAP information.

Item  Description
1     Security Gateway - Retrieves LDAP user information and CRLs
2     Security Gateway - Queries LDAP user information, retrieves CRLs, and does bind operations for authentication
3     Security Management Server - Uses User Directory to manage user information
4     LDAP server - Server that holds one or more Account Units

Creating an Account Unit

An Account Unit represents branches of user information on one or more LDAP servers. The Account Unit is the interface between the LDAP servers and the Security Management Server and Security Gateways.

When you enable the Identity Awareness and Mobile Access Software Blades, SmartDashboard opens a configuration wizard. The Active Directory Integration window of this wizard can create a new AD Account Unit. After you complete the wizard, SmartDashboard creates the AD object and Account Unit.

Editing an Account Unit

Use the LDAP Account Unit Properties window to edit an Account Unit or to create one manually.

To open the LDAP Account Unit Properties window:

  1. In SmartDashboard, select Manage > Servers and OPSEC Applications.

    The Servers and OPSEC Applications window opens.

    1. To create a new Account Unit, click New > LDAP Account Unit.
    2. To edit an Account Unit, double-click the Account Unit object.

      The LDAP Account Unit Properties window opens.

  2. Configure the settings in the applicable tabs.


  3. Click OK and then click Close.

General Tab

The General tab lets you configure how the Security Management Server uses the Account Unit. You can select one or more of these options:

  • CRL retrieval - The Security Management Server manages how the CA sends CRLs (Certificate Revocation Lists) of revoked certificates to the Security Gateways.
  • User Management - The Security Management Server uses the user information from this LDAP server. Make sure that User Directory is enabled on the Security Management Server.
  • Active Directory Query - This AD (Active Directory) server is used as an Identity Awareness source. This option is only available if the Profile is set to Microsoft_AD.

LDAP SSO (Single Sign On) is only supported for Account Unit Objects that use User Management.

To configure the General tab:

  1. Enter the Name for the Account Unit.
  2. From Profile, select the LDAP vendor.
  3. Enter the prefix or domain for the Account Unit. This value is used when the same user name is used in multiple Account Units.
    • Prefix - For servers that do NOT use AD.
    • Domain - For AD servers. This value is also necessary for AD Query and SSO.
  4. Select one or more of the Account Unit usage options.
  5. For LDAP user information that uses non-English languages, select Enable Unicode support.
  6. To configure and enable Kerberos SSO for Identity Awareness:
    1. Click Active Directory SSO configuration.
    2. Configure the settings.
    3. Click OK.
  7. Configure the other tabs or click OK.

Servers Tab

The Servers tab lets you create and manage the LDAP servers that are used by this Account Unit. You can add LDAP server objects or create new ones.

Use the Update Account to All Servers window to configure the login parameters for all the servers for this Account Unit. If the servers use different login information, edit the parameters for each server.

To configure the login parameters for all the servers:

  1. Click Update Account Credentials.

    The Update Account to All Servers window opens.

  2. Enter the login parameters.
  3. Click OK.

To remove a server from the Account Unit:

Select the server and click Remove.

To manage the servers for the Account Unit:

  1. Do one of these actions for the server:
    • To add a server, click Add.
    • To edit a server, select the server and click Edit.

    The LDAP Server Properties window opens.

  2. If necessary, create a new SmartDashboard server object:
    1. Click New.

      The Host Node window opens.

    2. Enter the settings for the LDAP server.
    3. Click OK.
  3. From Host, select the server object.
  4. Configure the settings for the LDAP server.
  5. Optional: Click the Encryption tab and configure the SSL encryption settings.
  6. Click OK.
  7. Configure the other tabs or click OK.
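Item 2 in the deployment table above says the Security Gateway does bind operations for authentication, and the Encryption tab in step 5 is where SSL is enabled for those connections. The Python below is an added example (not Check Point code) that encodes an LDAPv3 simple BindRequest and encodes and decodes a BindResponse using the BER layout from RFC 4511, to make visible what that setting protects: in a simple bind the password travels as plain octets inside the PDU. The bind DN, password and result values are constructed; the tag values are the standard ASN.1/LDAP ones.

```python
from typing import Tuple

# ASN.1 BER tags used by an LDAPv3 simple bind (RFC 4511)
TAG_SEQUENCE = 0x30
TAG_INTEGER = 0x02
TAG_OCTET_STRING = 0x04
TAG_ENUMERATED = 0x0A
TAG_BIND_REQUEST = 0x60   # [APPLICATION 0], constructed
TAG_BIND_RESPONSE = 0x61  # [APPLICATION 1], constructed
TAG_SIMPLE_AUTH = 0x80    # [0] context-specific, primitive: AuthenticationChoice.simple


def _length(n: int) -> bytes:
    """BER length: one byte below 128, otherwise 0x80|count followed by big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _length(len(value)) + value


def _integer(tag: int, n: int) -> bytes:
    """Non-negative INTEGER/ENUMERATED; a leading 0x00 keeps the value positive when the top bit is set."""
    body = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return _tlv(tag, body)


def encode_simple_bind(message_id: int, bind_dn: str, password: str) -> bytes:
    """Client side: LDAPMessage { messageID, BindRequest { version 3, name, simple password } }."""
    bind_request = _tlv(TAG_BIND_REQUEST,
                        _integer(TAG_INTEGER, 3)
                        + _tlv(TAG_OCTET_STRING, bind_dn.encode())
                        + _tlv(TAG_SIMPLE_AUTH, password.encode()))
    return _tlv(TAG_SEQUENCE, _integer(TAG_INTEGER, message_id) + bind_request)


def encode_bind_response(message_id: int, result_code: int, diagnostic: str = "") -> bytes:
    """Server side: LDAPMessage { messageID, BindResponse { resultCode, matchedDN, diagnosticMessage } }."""
    result = (_integer(TAG_ENUMERATED, result_code)
              + _tlv(TAG_OCTET_STRING, b"")
              + _tlv(TAG_OCTET_STRING, diagnostic.encode()))
    return _tlv(TAG_SEQUENCE, _integer(TAG_INTEGER, message_id) + _tlv(TAG_BIND_RESPONSE, result))


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, value, position after the element)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        count = first & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def decode_bind_response(buf: bytes) -> Tuple[int, int, str]:
    """Return (message_id, result_code, diagnostic_message); 0 is success, 49 is invalidCredentials."""
    tag, body, _ = _read_tlv(buf, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("not an LDAPMessage")
    tag, message_id, pos = _read_tlv(body, 0)
    if tag != TAG_INTEGER:
        raise ValueError("missing messageID")
    tag, op, _ = _read_tlv(body, pos)
    if tag != TAG_BIND_RESPONSE:
        raise ValueError("not a BindResponse")
    _, code, pos = _read_tlv(op, 0)
    _, _matched_dn, pos = _read_tlv(op, pos)
    _, diagnostic, _ = _read_tlv(op, pos)
    return int.from_bytes(message_id, "big"), int.from_bytes(code, "big"), diagnostic.decode()


def password_visible_on_wire(pdu: bytes, password: str) -> bool:
    """Without SSL, the simple-bind password is readable in the PDU bytes themselves."""
    return password.encode() in pdu


if __name__ == "__main__":
    request = encode_simple_bind(1, "cn=cpquery,dc=example,dc=com", "S3cret!")  # constructed values
    print(request.hex())
    print("password readable in cleartext PDU:", password_visible_on_wire(request, "S3cret!"))
    print(decode_bind_response(encode_bind_response(1, 49, "invalid credentials")))
```

The request bytes are exactly what an LDAP server on TCP 389 would receive; enabling SSL on the Encryption tab wraps the same PDU in TLS so the bind DN and password are not readable in transit, which also matters because the Account Unit's login parameters are shared across all servers in the Update Account to All Servers window.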

Objects Management Tab

The Objects Management tab lets you select which LDAP server object SmartDashboard queries for the applicable connections and users. You can also enable password protection for this object.

To configure the Objects Management tab:

  1. From Manage objects on, select the LDAP server object.
  2. Click Fetch branches.

    The Security Management Server queries and shows the LDAP branches.

  3. Optional: Click Add, Edit and Delete to manage the LDAP branches.
  4. Optional: Select Prompt for password when opening this Account Unit.
  5. From Return entries, configure the number of entries that are stored in the LDAP database.
  6. Configure the other tabs or click OK.

Authentication Tab

The Authentication tab lets you configure the authentication scheme for the Account Unit. You can use a common group path to optimize group membership queries: with one path for all the LDAP group objects, only one query is necessary to resolve the group objects.

To configure the Authentication tab:

  1. Optional: Select Use common group path for queries.
  2. Select one or more authentication schemes that are used to authenticate users in this Account Unit.
  3. Select the default settings for new LDAP users:
    • User template - Template that you created
    • Default authentication scheme
  4. Optional: Select and configure the login failure settings.
  5. For IKE users in this Account Unit, enter the pre-shared secret key.
  6. Configure the other tabs or click OK.

Enabling User Directory

Configure SmartDashboard to enable the Security Management Server to manage users in the Account Unit. You cannot use the SmartDashboard User Database when the User Directory LDAP server is enabled.

For more about using the SmartDashboard User Database, see the R77 Security Management Administration Guide.

To enable User Directory on the Security Management Server:

  1. Select Policy > Global Properties > User Directory.

    The User Directory page opens.

  2. Select Use User Directory for Security Gateways.
  3. Configure other login and password settings.
  4. Click OK.
  5. Make sure that the User Directory Software Blade is enabled.
    1. From the Network Objects tree, double-click the Security Management Server object.
    2. Click Management and make sure that Network Policy Management and User Directory are selected.
  6. Click OK and install the policy.

Managing LDAP Information

User Directory lets you use SmartDashboard to manage information about users and OUs (Organizational Units) that are stored on the LDAP server.

To manage LDAP information from SmartDashboard:

  1. From the objects tree, select Users and Administrators.
  2. Double-click the Account Unit.

    The LDAP domain is shown.

  3. Double-click the LDAP branch.

    The Security Management Server queries the LDAP server and SmartDashboard shows the LDAP objects.

  4. Expand the Objects List pane.

  5. Double-click the LDAP object.

    The Objects List pane shows the user information.

  6. Right-click a user and select Edit.

    The LDAP User Properties window opens.

  7. Edit the user information and settings and then click OK.

Adding Users to the Rule Base

Identity Awareness and User Directory let you create rules for specified users, groups or OUs. Identity Awareness uses Access Roles, which combine users, networks, gateways and other objects into a single SmartDashboard object that you can add to a rule. User Directory integrates an LDAP server so that you can easily update SmartDashboard with user information.

Adding an Access Role to a Rule

Security Gateways that use the Identity Awareness Software Blade can add an Access Role as the Source or Destination of a rule. You can add SmartDashboard objects and LDAP information to the Access Role object and then use that object in the Firewall, URL Filtering, and Application Control Rule Base.

Note - Rules that use Access Role objects are enforced only on Security Gateways that have Identity Awareness enabled.

To add an Access Role to a rule:

  1. From the Policy page, click the plus sign in a Source or Destination cell.

    The SmartDashboard window opens.

  2. From the drop-down menu, select Access Roles.
  3. Click the Access Role to add it to the cell.
  4. Install the policy.
 