Client Auth
What can I do here?
Use this window to define:
- How to handle a Client Authentication user when the allowed location in the User definition is different than the location allowed to the user in the Rule.
- The Sign On method
- Tracking for successful authentications.
Getting Here - Security Policies > Access Control > Policy > Action column > More > In the actions settings window select Client Auth > click pencil icon:
Note - The Client Auth option is available for layers that only have the firewall blade enabled.
Understanding Client Authentication
Client Authentication can be used to authenticate any service. It allows access from a specific IP address for an unlimited number of connections. The user working on a client performs the authentication by successfully meeting an authentication challenge, but it is the client machine that is granted access.
Client authentication can be used with any one of five different sign on methods. These sign on methods provide a choice of Authentication Methods for authenticated and other services. For all sign on methods other than Manual Client Authentication, the Check Point Security Gateway is transparent to the user. This means that the user authenticates directly to the destination host.
There is one other choice to make with Client Authentication: whether to use Standard Sign On or Specific Sign On.
At the end of the session, the user can sign off. When a user signs off, he or she is signed off from all services, and the connection is closed by the remote host.
Client Auth - General Options
Source and Destination
- Intersect with User Database means that if a user who successfully authenticates is at a source or trying to reach a destination which is allowed to the user according to the rule, but the User Properties for that user do not allow this location, the user will be denied.
- Ignore User Database - Users who would otherwise be denied as a result of the allowed source or destination defined in the User Properties are allowed anyway.
Due to the nature of Client Authentication, it is not possible for the Client Authentication process to know where the client may be connecting to when the required Sign On is set to Standard, so the user's allowed destinations cannot be checked.
- Apply Rule Only if Desktop Configuration Options are Verified controls the Secure Client Verification (SCV) for SecureClient connections. These connections can be either encrypted, for clients connecting via remote access, or unencrypted, where the SecureClient is on a LAN. If a user is successfully Client authenticated, they are only allowed access if the client machine is verified to be secure.
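The following is an added illustration, not Check Point code, of how the Intersect with User Database / Ignore User Database setting and the Standard/Specific Sign On choice combine when a connection is evaluated against a Client Auth rule. The rule and user fields, the `evaluate` function and the sample addresses are assumptions made for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


def _in_any(addr, networks):
    # True if addr falls inside at least one of the CIDR networks.
    a = ip_address(addr)
    return any(a in ip_network(n) for n in networks)


@dataclass
class UserProperties:          # location limits from the User definition (assumed)
    allowed_sources: list
    allowed_destinations: list


@dataclass
class ClientAuthRule:          # the Client Auth rule's own settings (assumed)
    rule_sources: list
    rule_destinations: list
    sign_on: str               # "Standard" or "Specific"
    user_db: str               # "Intersect" or "Ignore"


def evaluate(rule, user, src, dst, authenticated):
    """Return (decision, reason) for one connection from an authenticated client."""
    if not authenticated:
        return ("drop", "authentication challenge not met")
    # The rule's own source and destination are always enforced.
    if not _in_any(src, rule.rule_sources):
        return ("drop", "source not allowed by rule")
    if not _in_any(dst, rule.rule_destinations):
        return ("drop", "destination not allowed by rule")
    if rule.user_db == "Ignore":
        return ("accept", "User Properties locations ignored")
    # Intersect: the User Properties must also allow the source.
    if not _in_any(src, user.allowed_sources):
        return ("drop", "source not allowed in User Properties")
    # With Standard Sign On the destination is unknown at sign-on time,
    # so the user's allowed destinations cannot be intersected.
    if rule.sign_on == "Standard":
        return ("accept", "destination check skipped (Standard Sign On)")
    if not _in_any(dst, user.allowed_destinations):
        return ("drop", "destination not allowed in User Properties")
    return ("accept", "source and destination allowed by rule and user")


# Constructed sample policy: rule is broader than the user's own limits.
RULE = ClientAuthRule(["10.1.0.0/16"], ["192.168.5.0/24"], "Specific", "Intersect")
USER = UserProperties(["10.1.2.0/24"], ["192.168.5.10/32"])
```

Switching `RULE.user_db` to "Ignore" lets a source such as 10.1.9.7 through even though the User Properties do not list it, which is the behaviour the Ignore User Database option describes.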
Sign On
- Standard allows the user to log in and be automatically authorized for all services that the rule allows, without having to perform authentication for each service.
- Specific requires the user to individually authorize each service and each host he/she will be trying to contact.
Sign On Method
- Manual - Manual Sign on is available for any service, as long as it is specified in the Client Authentication rule.
In Manual Sign On, the user must first connect to the gateway in order to authenticate (in other words, the authentication is not transparent). The user must authenticate in one of the two ways:
- A TELNET session to the gateway on port 259.
- An HTTP connection to the gateway on port 900, through a Web browser. The requested URL must include the gateway name and the port number, such as http://gateway:900
- Partially Automatic - If the service is RLOGIN, Telnet, HTTP, or FTP, User Authentication can be used to perform a Standard Sign On. Other services cannot be authenticated in this way.
As part of the configuration, make sure that port 80 is accessible on the gateway machine.
- Fully Automatic - Fully Automatic Sign On is available for any service, as long as the required services are specified in the Client Authentication rule.
If the user attempts a connection to a remote host using an authenticated service (TELNET, FTP, HTTP, and RLOGIN), he or she is asked to authenticate by means of User Authentication. If the user attempts a connection to a remote host using any other service, he or she is asked to authenticate by means of the Session Authentication agent, which must be properly installed.
As part of the configuration, make sure that port 80 is accessible on the gateway machine.
- Agent Automatic Sign On - Agent Automatic Sign On is available for any service, as long as the required services are specified in the Client Authentication rule, and as long as the Session Authentication agent is properly installed. If the user attempts a connection to a remote host using any service, he or she is asked to authenticate by means of the Session Authentication agent.
- Single Sign On - Single Sign On is available for any service, as long as the required services are specified in the Client Authentication rule. UserAuthority must be installed. Single Sign On is the Check Point address management feature that provides transparent network access. In this method, the Check Point Security Gateway consults the user IP address records to determine which user is logged on at a given IP address. If a connection matches a Single Sign On enabled rule, the Check Point Security Gateway sends a query to the UAS (UserAuthority server) with the packet's source IP. The UAS returns the name of the user who is registered to that IP. If the user's name is authenticated, the packet is accepted; if not, it is dropped.
Successful Authentication Tracking
- None means nothing is logged when a user authenticates successfully against this rule.
- Log generates a log entry upon successful authentication.
- Alert sends the Alert defined in the Global Properties.