UserCheck

What can I do here?

On the UserCheck page, you can create, edit, and preview UserCheck interaction objects and their messages.

Getting Here - SmartConsole > Security Policies > Access Control > Policy > Access Tools > UserCheck

UserCheck Interactions in the Access Control Policy

UserCheck objects lets the Security Gateway communicate with users. Use them in the Rule Base to:

• Help users with decisions that can be dangerous to the organization's security.
• Share the organization's changing internet policy for Web applications and sites with users, in real-time.

If a UserCheck object is set as the action on in a policy rule, the user's browser redirects to the UserCheck web portal on port 443 or 80. The portal shows the notifications to the user.

UserCheck client adds the option to send notifications for applications that are not in a web browser. The UserCheck client can also work together with the UserCheck portal to show notifications on the computer itself when the notification cannot be displayed in a browser.

Configuring the Security Gateway for UserCheck

Enable or disable UserCheck directly on the Security Gateway. Make sure that the UserCheck is enabled on each Security Gateway in the network. To enable UserCheck , enable a blade that has the UserCheck functionality.

The Security Gateway has an internal persistence mechanism that preserves UserCheck notification data if the Security Gateway or cluster reboots. Records of a user answering or receiving notifications are never lost.

To configure UserCheck on a Security Gateway:

1. In SmartConsole, click Gateways & Servers and double-click the Security Gateway.

   The Gateway Properties window opens.

2. From the navigation tree, click UserCheck.

   The UserCheck page opens.

3. Make sure Enable UserCheck for active blades is selected
4. In the UserCheck Web Portal section:

   In the Main URL field, enter the primary URL for the web portal that shows the UserCheck notifications.

   If users connect to the Security Gateway remotely, make sure that the Security Gateway internal interface (in the Network Management page) is the same as the Main URL.

   Note - The Main URL field must be manually updated if:

   • The Main URL field contains an IP address and not a DNS name.
   • You change a gateway IPv4 address to IPv6 or vice versa.
5. Optional: Click Aliases to add URL aliases that redirect different hostnames to the Main URL.

   The aliases must be resolved to the portal IP address on the corporate DNS server

6. In the Certificate section, click Import to import a certificate that the portal uses to authenticate to the Security Management Server.

   By default, the portal uses a certificate from the Check Point Internal Certificate Authority (ICA). This might generate warnings if the user browser does not recognize Check Point as a trusted Certificate Authority. To prevent these warnings, import your own certificate from a recognized external authority.

   Note - After you download your certificate, you can click Replace to replace it with a different certificate, and click View to see the certificate information.

7. In the Accessibility section, click Edit to configure interfaces on the Security Gateway through which the portal can be accessed. These options are based on the topology configured for the Security Gateway. The topology must be configured.

   Users are sent to the UserCheck portal if they connect:

   • Through all interfaces
   • Through internal interfaces (default)
     • Including undefined internal interfaces
     • Including DMZ internal interfaces
     • Including VPN encrypted interfaces (default)

     Note: Make sure to add a rule to the Firewall Rule Base that allows the encrypted traffic.

   • According to the Firewall Policy. Select this option if there is a rule that states who can access the portal.

   If the Main URL is set to an external interface, you must set the Accessibility option to one of these:

   • Through all interfaces - necessary in VSX environment
   • According to the Firewall Policy
8. In the Mail Server section, configure a mail server for UserCheck. This server sends notifications to users that the Gateway cannot notify using other means, if the server knows the email address of the user. For example, if a user sends an email which matched on a rule, the Gateway cannot redirect the user to the UserCheck portal because the traffic is not http. If the user does not have a UserCheck client, UserCheck sends an email notification to the user.
   • Use the default settings - Click the link to see which mail server is configured.
   • Use specific settings for this gateway - Select this option to override the default mail server settings.
   • Send emails using this mail server - Select a mail server from the list, or click New and define a new mail server.
9. Click OK.
10. If there is encrypted traffic through an internal interface, add a new rule to the Firewall Layer of the Access Control Policy. This is a sample rule:

    Source	Destination	VPN	Services & Applications	Action
    Any	Security Gateway on which UserCheck client is enabled	Any	UserCheck	Accept

11. Install the Access Control Policy.

Blocking Applications and Informing Users

Scenario: I want to block pornographic sites in my organization, and tell the user about the violation. How can I do this?

To block an application or category of applications and tell the user about the policy violation:

1. In the Security Policies view of SmartConsole, go to the Access Control Policy.
2. Choose a Layer with Applications and URL Filtering enabled.
3. Create a rule that includes these components:
   • Services & Applications - Select the Pornography category.
   • Action - Drop, and a UserCheck Blocked Message - Access Control

     The message informs users that their actions are against company policy and can include a link to report if the website is included in an incorrect category.

   • Track - Log

     Note - This Rule Base example contains only those columns that are applicable to this subject.

     Name	Source	Destination	Services & Applications	Action	Track	Install On
     Block Porn	Any	Internet	Pornography (category)	Drop Blocked Message	Log	Policy Targets

The rule blocks traffic to pornographic sites and logs attempts to access those sites. Users who violate the rule receive a UserCheck message that informs them that the application is blocked according to company security policy. The message can include a link to report if the website is included in an incorrect category.

Important - A rule that blocks traffic, with the Source and Destination parameters defined as Any, also blocks traffic to and from the Captive Portal.

UserCheck for Access Control Default Messages

These are the default UserCheck messages in the Access Tools > UserCheck page of the Access Control Policy:

Name	Action Type	Description
Access Approval	Inform
Access Notification	Inform	Shows when the action for the rule is inform. It informs users what the company policy is for that site.
Blocked Message - Access Control	Block	Shows when the action for the rule is Block, when a request is blocked.
Cancel Page - Access Control	Cancel	Shows after a user gets an Inform or Ask message and clicks Cancel.
Company Policy	Ask	Shows when the action for the rule is ask. It informs users what the company policy is for that site and they must click OK to continue to the site.

If the default UserCheck messages do not fit your needs, you can create a UserCheck Interaction object.

For example, you can create a message with Content Awareness fields.

You can show these UserCheck message previews:

• Regular view - Shows a preview of the UserCheck message on a computer.
• Mobile - Shows a preview of the UserCheck message on a mobile device.
• Agent - Shows a preview of the UserCheck message in the agent window.
• Email - Shows a preview of the UserCheck message in an email.

Creating a UserCheck Interaction Object

If the default UserCheck messages do not fit your needs, you can create a UserCheck Interaction object.

To create a UserCheck object that includes a message:

1. In the Security Policies view of SmartConsole, go to the Access Control Policy.
2. Click Access Tools > UserCheck.
3. Click New, and select one of these interaction modes:
   • Ask UserCheck- Show a message to users that asks them if they want to continue with the request or not.
   • Block UserCheck- Show a message to users and block the application request.
   • Inform UserCheck - Show an informative message to users. Users can continue to the application or cancel the request.

   The UserCheck Interaction window opens on the Message page.

4. Enter a name for the UserCheck object and, optionally, a comment.
5. Select a language (English is the default) from the Languages tabs.
6. Enter the message content. You can:
   • Use the formatting toolbar to change text color, alignment, add or remove bullets.
   • Use the Insert field variables. These include fields for Content Awareness.
     If you define a custom UserCheck message, you can use predefined Field variables in the message.

     Here is an example of a UserCheck message that you can define. This example uses some of the Insert Field variables for Application Control and Content Awareness rules:

     According to the company policy, this action is intended for work-related use only. Details: - File Name is classified as Data Types - Access to Application name - Category Category [ ] I will use this site/application and data in accordance with company policy. Reference: Incident ID

7. In the Settings tab, configure optional settings. For example:
   • Fallback Action - For a Block action type, when UserCheck notification cannot be displayed, this action is taken.
   • External Portal - When selected, redirects the user to the specified External Portal (enter the URL), and the UserCheck message is not shown to the end-user
     Select Add UserCheck Incident ID to the URL query, to log the incident
8. Click OK.

   This creates the UserCheck object and web page notification for the portal.

Example UserCheck Message Using Field Variables

If you define a custom UserCheck message, you can use predefined Field variables in the message.

Here is an example of a UserCheck message that you can define. This example uses some of the Insert Field variables for Application Control and Content Awareness rules:

According to the company policy, this action is intended for work-related use only. Details: - File Name is classified as Data Types - Access to Application name - Category Category [ ] I will use this site/application and data in accordance with company policy. Reference: Incident ID

Localizing and Customizing the UserCheck Portal

After you set the UserCheck interaction object language, you can translate the Portal OK and Cancel buttons to the applicable language. For more information, see sk83700.

Some of the UserCheck predefined notifications are translated to more than one language. For example, Access Notification is translated to English, French, Spanish, and Japanese.

To support more languages:

1. In the Security Policies view of SmartConsole, go to the Access Control Policy.
2. Click Access Tools > UserCheck.
3. Double-click the UserCheck object to edit it.
4. In the Message page, click Languages.
5. Select the Languages from the list.

UserCheck Frequency and Scope

You can set the number of times that users get UserCheck messages for accessing applications that are not permitted by the policy. You can also set if the notifications are based on accessing the rule, application category, or application itself.

To set how often UserCheck notifications show:

1. Select the Action cell of a rule in the Access Control Policy, and click More.
2. In the Action Settings window, select the UserCheck Frequency.

   The options are:

   • Once a day
   • Once a week
   • Once a month
   • Custom frequency
3. Select Confirm UserCheck. This sets if the notifications are:
   • Per rule
   • Per category
   • Per application
   • Per data type

Example:

In a rule that contains:

Services & Applications	Action
Social Networking category	Inform

If you select a UserCheck Frequency of Once a day, and Confirm UserCheck of Per rule:

A user who accesses Facebook and then LinkedIn on the same day gets one Inform message.

If you select a UserCheck Frequency of Once a day, and Confirm UserCheck of Per application:

A user who accesses Facebook and then LinkedIn on the same day gets one Inform message for Facebook and one for LinkedIn.

In new installations, the Confirm UserCheck Scope default is Per category.

In upgrades from a version before R75.40, the Confirm UserCheck default is Per Rule.

UserCheck Settings

For each UserCheck interaction object you can configure these options from the Settings page UserCheck object:

• Languages - Set a language for the UserCheck message if the language setting in the user browser cannot be determined or is not implemented. For example:
  • If the browser native language is Spanish
  • The UserCheck message is in Japanese and French
  • You select Japanese as the default language

  Then the notification displays in Japanese.

• Fallback Action (For Action Types Ask and Inform) - Select an alternative action (allow or block) for when the UserCheck notification cannot be shown in the browser or application that caused the notification. If UserCheck determines that the notification cannot be shown in the browser or application, the behavior is:
  • If the Fallback Action is Allow (the default for Inform messages), the user is allowed to access the website or application, and the UserCheck client (if installed) shows the notification.
  • If the Fallback Action is Block, the gateway tries to show the notification in the application that caused the notification. If it cannot and the UserCheck client is installed, it shows the notification through the client. The website or application is blocked, even if the user does not see the notification.
• External Portal - Redirect the user to External Portal - Select this to redirect users to an external portal, not on the gateway.
  • URL - Enter the URL for the external portal. The specified URL can be an external system that obtains authentication credentials from the user, such as a user name or password. It sends this information to the gateway.
  • Add UserCheck Incident ID to the URL query - An incident ID is added to the end of the URL query.
• Conditions (For the Action Type Ask) - Select actions that must occur before users can access the application. Select one or more of these options:
  • User accepted and selected the confirm checkbox - This applies if the UserCheck message contains a checkbox (Insert User Input > Confirm Checkbox). Users must accept the text shown and select the checkbox before they can access the application.
  • User filled some textual input - This applies if the UserCheck message contains a text field (Insert User Input > Textual Input). Users must enter text in the text field before they can access the application. For example, you might require that users enter an explanation for use of the application.

UserCheck CLI

You can use the usrchk command in the gateway command line to show or clear the history of UserCheck objects.

To use the usrchk commands, you must enable UserCheck on the gateway, and create a rule with a UserCheck interaction object.

Description	usrchk
Syntax	usrchk [debug] [hits]

Parameters

Parameter	Description
debug	Controls debug messages
hits	Shows user incident options: list - Options to list user incidents all - List all existing incidents. user <username> - List incidents of a specified user. uci <name of interaction object> - List incidents of a specified UserCheck interaction object clear - Options to clear user incidents all - Clear all existing incidents user <username> - Clear incidents for a specified user uci <name of interaction object> - Clear incidents of a specified UserCheck interaction object db - user hits database options

Examples:

• To show all UserCheck interaction objects, run: usrchk hits list all
• To clear the incidents for a specified user, run: usrchk hits clear user <username>

Notes:

• You can only run a command that contains user <username> if:
  • Identity Awareness is enabled on the gateway.
  • Identity Awareness is used in the same policy rules as UserCheck objects.
• To run a command that contains a specified UserCheck interaction object, first run usrchk hits list all to see the names of the interaction objects. Use the name of the interaction object as it is shown in the list.

Revoking Incidents

The Revoke Incidents URL can revoke a user's responses to UserCheck notifications. The URL is:

://<IP of gateway>/UserCheck/RevokePage

If users regret their responses to a notification and contact their administrator, the administrator can send users the URL.

After a user goes to the URL, all of the user's responses to notifications are revoked. The logs in the SmartConsole Logs & Monitor view Logs tab will show the user's activity, and that the actions were revoked afterwards.

Administrators can use the usrchk command of the CLI to revoke incidents for one user, all users, or a specified interaction object.