Print Download Documentation Send Feedback

Previous

Next

UserCheck

What can I do here?

On the UserCheck page, you can create, edit, and preview UserCheck interaction objects and their messages.

Getting Here

Getting Here - SmartConsole > Security Policies > Access Control > Policy > Access Tools > UserCheck

UserCheck Interactions in the Access Control Policy

UserCheck objects lets the Security Gateway communicate with users. Use them in the Rule Base to:

If a UserCheck object is set as the action on in a policy rule, the user's browser redirects to the UserCheck web portal on port 443 or 80. The portal shows the notifications to the user.

UserCheck client adds the option to send notifications for applications that are not in a web browser. The UserCheck client can also work together with the UserCheck portal to show notifications on the computer itself when the notification cannot be displayed in a browser.

Configuring the Security Gateway for UserCheck

Enable or disable UserCheck directly on the Security Gateway. Make sure that the UserCheck is enabled on each Security Gateway in the network.

The Security Gateway has an internal persistence mechanism that preserves UserCheck notification data if the Security Gateway or cluster reboots. Records of a user answering or receiving notifications are never lost.

To configure UserCheck on a Security Gateway:

  1. In SmartConsole, click Gateways & Servers and double-click the Security Gateway.

    The Gateway Properties window opens.

  2. From the navigation tree, click UserCheck.

    The UserCheck page opens.

  3. Make sure Enable UserCheck for active blades is selected
  4. In the UserCheck Web Portal section:

    In the Main URL field, enter the primary URL for the web portal that shows the UserCheck notifications.

    If users connect to the Security Gateway remotely, make sure that the Security Gateway internal interface (in the Network Management page) is the same as the Main URL.

    Note - The Main URL field must be manually updated if:

    • The Main URL field contains an IP address and not a DNS name.
    • You change a gateway IPv4 address to IPv6 or vice versa.
  5. Optional: Click Aliases to add URL aliases that redirect different hostnames to the Main URL.

    The aliases must be resolved to the portal IP address on the corporate DNS server

  6. In the Certificate section, click Import to import a certificate that the portal uses to authenticate to the Security Management Server.

    By default, the portal uses a certificate from the Check Point Internal Certificate Authority (ICA). This might generate warnings if the user browser does not recognize Check Point as a trusted Certificate Authority. To prevent these warnings, import your own certificate from a recognized external authority.

  7. In the Accessibility section, click Edit to configure interfaces on the Security Gateway through which the portal can be accessed. These options are based on the topology configured for the Security Gateway. The topology must be configured.

    Users are sent to the UserCheck portal if they connect:

    • Through all interfaces
    • Through internal interfaces (default)
      • Including undefined internal interfaces
      • Including DMZ internal interfaces
      • Including VPN encrypted interfaces (default)

      Note: Make sure to add a rule to the Firewall Rule Base that allows the encrypted traffic.

    • According to the Firewall Policy. Select this option if there is a rule that states who can access the portal.

    If the Main URL is set to an external interface, you must set the Accessibility option to one of these:

    • Through all interfaces - necessary in VSX environment
    • According to the Firewall Policy
  8. In the Mail Server section, configure a mail server for UserCheck. This server sends notifications to users that the Gateway cannot notify using other means, if the server knows the email address of the user. For example, if a user sends an email which matched on a rule, the Gateway cannot redirect the user to the UserCheck portal because the traffic is not http. If the user does not have a UserCheck client, UserCheck sends an email notification to the user.
    • Use the default settings - Click the link to see which mail server is configured.
    • Use specific settings for this gateway - Select this option to override the default mail server settings.
    • Send emails using this mail server - Select a mail server from the list, or click New and define a new mail server.
  9. Click OK.
  10. If there is encrypted traffic through an internal interface, add a new rule to the Firewall Layer of the Access Control Policy. This is a sample rule:

    Source

    Destination

    VPN

    Services & Applications

    Action

    Any

    Security Gateway on which UserCheck client is enabled

    Any

    UserCheck

    Accept

  11. Install the Access Control Policy.
Blocking Applications and Informing Users

Scenario: I want to block pornographic sites in my organization, and tell the user about the violation. How can I do this?

To block an application or category of applications and tell the user about the policy violation:

  1. In the Security Policies view of SmartConsole, go to the Access Control Policy.
  2. Choose a Layer with Applications and URL Filtering enabled.
  3. Create a rule that includes these components:
    • Services & Applications - Select the Pornography category.
    • Action - Drop, and a UserCheck Blocked Message - Access Control

      The message informs users that their actions are against company policy and can include a link to report if the website is included in an incorrect category.

    • Track - Log

      Note - This Rule Base example contains only those columns that are applicable to this subject.

      Name

      Source

      Destination

      Services & Applications

      Action

      Track

      Install On

      Block Porn

      Any

      Internet

      Pornography (category)

      Drop
      Blocked Message

      Log

      Policy Targets

The rule blocks traffic to pornographic sites and logs attempts to access those sites. Users who violate the rule receive a UserCheck message that informs them that the application is blocked according to company security policy. The message can include a link to report if the website is included in an incorrect category.

Important - A rule that blocks traffic, with the Source and Destination parameters defined as Any, also blocks traffic to and from the Captive Portal.

UserCheck for Access Control Default Messages

These are the default UserCheck messages in the Access Tools > UserCheck page of the Access Control Policy:

Name

Action Type

Description

Access Approval

Inform

 

Access Notification

Inform

Shows when the action for the rule is inform. It informs users what the company policy is for that site.

Blocked Message - Access Control

Block

Shows when the action for the rule is Block, when a request is blocked.

Cancel Page - Access Control

Cancel

Shows after a user gets an Inform or Ask message and clicks Cancel.

Company Policy

Ask

Shows when the action for the rule is ask. It informs users what the company policy is for that site and they must click OK to continue to the site.

If the default UserCheck messages do not fit your needs, you can create a UserCheck Interaction object.

For example, you can create a message with Content Awareness fields.

You can show these UserCheck message previews:

Creating a UserCheck Interaction Object

If the default UserCheck messages do not fit your needs, you can create a UserCheck Interaction object.

To create a UserCheck object that includes a message:

  1. In the Security Policies view of SmartConsole, go to the Access Control Policy.
  2. Click Access Tools > UserCheck.
  3. Click New, and select one of these interaction modes:
    • Ask UserCheck- Show a message to users that asks them if they want to continue with the request or not.
    • Block UserCheck- Show a message to users and block the application request.
    • Inform UserCheck - Show an informative message to users. Users can continue to the application or cancel the request.

    The UserCheck Interaction window opens on the Message page.

  4. Enter a name for the UserCheck object and, optionally, a comment.
  5. Select a language (English is the default) from the Languages tabs.
  6. Enter the message content. You can:
    • Use the formatting toolbar to change text color, alignment, add or remove bullets.
    • Use the Insert field variables. These include fields for Content Awareness.
  7. In the Settings tab, configure optional settings. For example:
    • Fallback Action - For a Block action type, when UserCheck notification cannot be displayed, this action is taken.
    • External Portal - When selected, redirects the user to the specified External Portal (enter the URL), and the UserCheck message is not shown to the end-user
      Select Add UserCheck Incident ID to the URL query, to log the incident
  8. Click OK.

    This creates the UserCheck object and web page notification for the portal.

Example UserCheck Message Using Field Variables

If you define a custom UserCheck message, you can use predefined Field variables in the message.

Here is an example of a UserCheck message that you can define. This example uses some of the Insert Field variables for Application Control and Content Awareness rules:

According to the company policy, this action is intended for work-related use only.

Details:

- File Name is classified as Data Types

- Access to Application name

- Category Category

[ ] I will use this site/application and data in accordance with company policy.

Reference: Incident ID

Localizing and Customizing the UserCheck Portal

After you set the UserCheck interaction object language, you can translate the Portal OK and Cancel buttons to the applicable language. For more information, see sk83700.

Some of the UserCheck predefined notifications are translated to more than one language. For example, Access Notification is translated to English, French, Spanish, and Japanese.

To support more languages:

  1. In the Security Policies view of SmartConsole, go to the Access Control Policy.
  2. Click Access Tools > UserCheck.
  3. Double-click the UserCheck object to edit it.
  4. In the Message page, click Languages.
  5. Select the Languages from the list.
UserCheck Frequency and Scope

You can set the number of times that users get UserCheck messages for accessing applications that are not permitted by the policy. You can also set if the notifications are based on accessing the rule, application category, or application itself.

To set how often UserCheck notifications show:

  1. Select the Action cell of a rule in the Access Control Policy, and click More.
  2. In the Action Settings window, select the UserCheck Frequency.

    The options are:

    • Once a day
    • Once a week
    • Once a month
    • Custom frequency
  3. Select Confirm UserCheck. This sets if the notifications are:
    • Per rule
    • Per category
    • Per application
    • Per data type

Example:

In a rule that contains:

Services & Applications

Action

Social Networking category

Inform

If you select a UserCheck Frequency of Once a day, and Confirm UserCheck of Per rule:

A user who accesses Facebook and then LinkedIn on the same day gets one Inform message.

If you select a UserCheck Frequency of Once a day, and Confirm UserCheck of Per application:

A user who accesses Facebook and then LinkedIn on the same day gets one Inform message for Facebook and one for LinkedIn.

In new installations, the Confirm UserCheck Scope default is Per category.

In upgrades from a version before R75.40, the Confirm UserCheck default is Per Rule.

UserCheck Settings

For each UserCheck interaction object you can configure these options from the Settings page UserCheck object:

UserCheck CLI

You can use the usrchk command in the gateway command line to show or clear the history of UserCheck objects.

To use the usrchk commands, you must enable UserCheck on the gateway, and create a rule with a UserCheck interaction object.

Description

usrchk

Syntax

usrchk [debug] [hits]

Parameters

Parameter

Description

debug

Controls debug messages

hits

Shows user incident options:

list - Options to list user incidents

  • all - List all existing incidents.
  • user <username> - List incidents of a specified user.
  • uci <name of interaction object> - List incidents of a specified UserCheck interaction object

clear - Options to clear user incidents

  • all - Clear all existing incidents
  • user <username> - Clear incidents for a specified user
  • uci <name of interaction object> - Clear incidents of a specified UserCheck interaction object

db - user hits database options

Examples:

Notes:

Revoking Incidents

The Revoke Incidents URL can revoke a user's responses to UserCheck notifications. The URL is:

://<IP of gateway>/UserCheck/RevokePage

If users regret their responses to a notification and contact their administrator, the administrator can send users the URL.

After a user goes to the URL, all of the user's responses to notifications are revoked. The logs in the SmartConsole Logs & Monitor view Logs tab will show the user's activity, and that the actions were revoked afterwards.

Administrators can use the usrchk command of the CLI to revoke incidents for one user, all users, or a specified interaction object.