What can I do here?
On the UserCheck page, you can create, edit, and preview UserCheck interaction objects and their messages.
Getting Here - SmartConsole > Security Policies > Access Control > Policy > Access Tools > UserCheck |
UserCheck objects lets the Security Gateway communicate with users. Use them in the Rule Base to:
If a UserCheck object is set as the action on in a policy rule, the user's browser redirects to the UserCheck web portal on port 443 or 80. The portal shows the notifications to the user.
UserCheck client adds the option to send notifications for applications that are not in a web browser. The UserCheck client can also work together with the UserCheck portal to show notifications on the computer itself when the notification cannot be displayed in a browser.
Enable or disable UserCheck directly on the Security Gateway. Make sure that the UserCheck is enabled on each Security Gateway in the network. To enable UserCheck , enable a blade that has the UserCheck functionality.
The Security Gateway has an internal persistence mechanism that preserves UserCheck notification data if the Security Gateway or cluster reboots. Records of a user answering or receiving notifications are never lost.
To configure UserCheck on a Security Gateway:
The Gateway Properties window opens.
The UserCheck page opens.
In the Main URL field, enter the primary URL for the web portal that shows the UserCheck notifications.
If users connect to the Security Gateway remotely, make sure that the Security Gateway internal interface (in the Network Management page) is the same as the Main URL.
Note - The Main URL field must be manually updated if:
The aliases must be resolved to the portal IP address on the corporate DNS server
By default, the portal uses a certificate from the Check Point Internal Certificate Authority (ICA). This might generate warnings if the user browser does not recognize Check Point as a trusted Certificate Authority. To prevent these warnings, import your own certificate from a recognized external authority.
Note - After you download your certificate, you can click Replace to replace it with a different certificate, and click View to see the certificate information.
Users are sent to the UserCheck portal if they connect:
Note: Make sure to add a rule to the Firewall Rule Base that allows the encrypted traffic.
If the Main URL is set to an external interface, you must set the Accessibility option to one of these:
Source |
Destination |
VPN |
Services & Applications |
Action |
Any |
Security Gateway on which UserCheck client is enabled |
Any |
UserCheck |
Accept |
Scenario: I want to block pornographic sites in my organization, and tell the user about the violation. How can I do this?
To block an application or category of applications and tell the user about the policy violation:
The message informs users that their actions are against company policy and can include a link to report if the website is included in an incorrect category.
Note - This Rule Base example contains only those columns that are applicable to this subject.
Name |
Source |
Destination |
Services & Applications |
Action |
Track |
Install On |
---|---|---|---|---|---|---|
Block Porn |
Any |
Internet |
Pornography (category) |
Drop |
Log |
Policy Targets |
The rule blocks traffic to pornographic sites and logs attempts to access those sites. Users who violate the rule receive a UserCheck message that informs them that the application is blocked according to company security policy. The message can include a link to report if the website is included in an incorrect category.
Important - A rule that blocks traffic, with the Source and Destination parameters defined as Any, also blocks traffic to and from the Captive Portal. |
These are the default UserCheck messages in the Access Tools > UserCheck page of the Access Control Policy:
Name |
Action Type |
Description |
---|---|---|
Access Approval |
Inform |
|
Access Notification |
Inform |
Shows when the action for the rule is inform. It informs users what the company policy is for that site. |
Blocked Message - Access Control |
Block |
Shows when the action for the rule is Block, when a request is blocked. |
Cancel Page - Access Control |
Cancel |
Shows after a user gets an Inform or Ask message and clicks Cancel. |
Company Policy |
Ask |
Shows when the action for the rule is ask. It informs users what the company policy is for that site and they must click OK to continue to the site. |
If the default UserCheck messages do not fit your needs, you can create a UserCheck Interaction object.
For example, you can create a message with Content Awareness fields.
You can show these UserCheck message previews:
If the default UserCheck messages do not fit your needs, you can create a UserCheck Interaction object.
To create a UserCheck object that includes a message:
The UserCheck Interaction window opens on the Message page.
This creates the UserCheck object and web page notification for the portal.
If you define a custom UserCheck message, you can use predefined Field variables in the message.
Here is an example of a UserCheck message that you can define. This example uses some of the Insert Field variables for Application Control and Content Awareness rules:
According to the company policy, this action is intended for work-related use only. Details: - File Name is classified as Data Types - Access to Application name - Category Category [ ] I will use this site/application and data in accordance with company policy. Reference: Incident ID |
After you set the UserCheck interaction object language, you can translate the Portal OK and Cancel buttons to the applicable language. For more information, see sk83700.
Some of the UserCheck predefined notifications are translated to more than one language. For example, Access Notification is translated to English, French, Spanish, and Japanese.
To support more languages:
You can set the number of times that users get UserCheck messages for accessing applications that are not permitted by the policy. You can also set if the notifications are based on accessing the rule, application category, or application itself.
To set how often UserCheck notifications show:
The options are:
Example:
In a rule that contains:
Services & Applications |
Action |
---|---|
Social Networking category |
Inform |
If you select a UserCheck Frequency of Once a day, and Confirm UserCheck of Per rule:
A user who accesses Facebook and then LinkedIn on the same day gets one Inform message.
If you select a UserCheck Frequency of Once a day, and Confirm UserCheck of Per application:
A user who accesses Facebook and then LinkedIn on the same day gets one Inform message for Facebook and one for LinkedIn.
In new installations, the Confirm UserCheck Scope default is Per category.
In upgrades from a version before R75.40, the Confirm UserCheck default is Per Rule.
For each UserCheck interaction object you can configure these options from the Settings page UserCheck object:
Then the notification displays in Japanese.
You can use the usrchk
command in the gateway command line to show or clear the history of UserCheck objects.
To use the usrchk
commands, you must enable UserCheck on the gateway, and create a rule with a UserCheck interaction object.
Description |
|
---|---|
Syntax |
usrchk [debug] [hits] |
Parameters
Parameter |
Description |
---|---|
debug |
Controls debug messages |
hits |
Shows user incident options: list - Options to list user incidents
clear - Options to clear user incidents
db - user hits database options |
Examples:
usrchk hits list all
: usrchk hits clear user <username>
Notes:
user <username>
if:usrchk hits list all
to see the names of the interaction objects. Use the name of the interaction object as it is shown in the list.The Revoke Incidents URL can revoke a user's responses to UserCheck notifications. The URL is:
://<IP of gateway>/UserCheck/RevokePage
If users regret their responses to a notification and contact their administrator, the administrator can send users the URL.
After a user goes to the URL, all of the user's responses to notifications are revoked. The logs in the SmartConsole Logs & Monitor view Logs tab will show the user's activity, and that the actions were revoked afterwards.
Administrators can use the usrchk
command of the CLI to revoke incidents for one user, all users, or a specified interaction object.