Adding Users to the Policy

In This Section: Using Identity Awareness Using User Directory To Learn More About Adding Users to the Policy

Using Identity Awareness

The Identity Awareness Software Blade lets you configure the Security Gateways to enforce access control for individual users and groups. You can use Identity Sources to get information about users and groups to add flexibility and security for the Rule Base. Identity Awareness lets you create rules in the Access Control and Threat Prevention Rule Bases.

Identity Sources

After the Security Gateway acquires the identity of a user, user-based rules can be enforced on the network traffic. Identity Awareness can use these sources to identify users:

• Browser-Based Authentication - Uses a Captive Portal to authenticate users. If Transparent Kerberos Authentication is configured, the browser attempts to transparently acquire users' identities using Kerberos tickets for users logged in to the domain, before redirecting users to the Captive Portal.
• AD Query - Get identity data from Microsoft Active Directory (AD) servers.
• Identity Agent - Client that is installed on endpoint computers connects to a Security Gateway and authenticates users.
• Terminal Servers - A Terminal Server Identity Agent is used to identify individual user traffic coming from terminal servers. This is used in environments with application servers that host Microsoft Terminal Servers, Citrix XenApp, and Citrix XenDesktop.
• RADIUS Accounting - You can configure a Security Gateway with Identity Awareness to use RADIUS Accounting to get user and computer identities directly from a RADIUS accounting client. Identity Awareness uses this information to apply access permissions to the connection.
• Identity Collector - Identity Collector is a Windows-based application which collects information about identities and their associated IP addresses and sends it to Check Point firewalls for identity enforcement. Identity Collector supports these sources:
  • Microsoft Active Directory Domain Controllers
  • Cisco Identity Services Engine (ISE) Servers, versions 1.3 and 2.0

  The Identity Collector can connect with more than one Identity Source at a time. The Identity Sources are organized in Query Pools. The Identity Collector sends the Identity Server information from the Identity Sources selected in the Query Pool assigned to the gateway.

• Identity Web API - The Identity Web API gives you a flexible method for creating identities. With the Identity Awareness Web API, you can:
  • Create and revoke identities
  • Query the Identity Awareness Software Blade regarding users, IPs, and computers.
• Remote Access - Identities are acquired for Mobile Access clients and IPSec VPN clients configured to work in Office Mode when they connect to the Security Gateway. This option is enabled by default.

  If there is more than one Security Gateway enabled with Identity Awareness that share identities with each other and have Office Mode configured, each gateway must be configured with different office mode ranges.

Browser-Based Authentication

Browser-Based Authentication uses the Internet browser to identify users. You can use these Browser-Based Authentication solutions:

• Captive Portal
• Transparent Kerberos Authentication

Captive Portal uses a web interface to authenticate users before they can access network resources. When users try to access a protected resource, they must log in to a web page to continue.

When Transparent Kerberos Authentication is enabled, the Transparent Authentication page tries to authenticate users before the Captive Portal web page opens. The Transparent Authentication page communicates with the AD to use the Kerberos protocol to authenticate the users. If the users are successfully authenticated, then they can access the network resources. If they are not authenticated, then they are redirected to the Captive Portal.

AD Query

The Security Gateway registers to receive security event logs from the AD domain controllers when the security policy is installed. When a user authenticates with AD credentials, these event logs are generated and are sent to the Security Gateway. The gateway identifies the user based on the AD security event log, and enforces the appropriate Identity Awareness rule to the traffic that this user sends.

Enabling Identity Awareness

There is an Identity Awareness configuration wizard in SmartConsole that helps you enable and configure the Identity Awareness Software Blade. You can use the configuration wizard on these identity sources:

• AD Query
• Browser-Based Authentication
• Terminal Servers

Using the Identity Awareness Configuration Wizard

Use the Identity Awareness Configuration wizard to configure how the Security Gateway gets information about users and computers. The wizard automatically creates an Account Unit.

This is an example of how to configure the AD query and browser-based methods for Identity Awareness.

To use the Identity Awareness configuration wizard:

1. In SmartConsole, go to the Gateways & Servers page and double-click the Security Gateway object.

   The gateway properties window opens.

2. From the navigation tree, click General Properties.
3. From the Network Security tab, select Identity Awareness.

   The Identity Awareness Configuration wizard opens.

4. Select AD Query and Browser-Based Authentication and then click Next.

   The Integration With Active Directory window opens.

5. Select the AD domain and enter the Username and the Password.

   Make sure that the AD account has domain administrator privileges. Alternatively, you can let non-administrators make AD connections.

   Note - you can also select Create new domain and configure a new AD (Active Directory) Account Unit object.

6. Click Connect.

   The message about user credentials shows.

7. Click Next.

   The Browser-Based Authentication Settings window opens.

8. Enter the URL for the Captive Portal and then click Next.

   The Identity Awareness is Now Active window opens.

9. Click Finish.
10. Install the policy.

Identity Awareness and Remote Access

Identity Awareness for Mobile Access and IPsec VPN clients works in Office Mode for Security Gateways. The Remote Access option is included as an identity source when you enable Identity Awareness.

To enable or disable Remote Access for Identity Awareness:

1. In SmartConsole, go to the Gateways & Servers page and double-click the Security Gateway object.

   The gateway properties window opens.

2. From the navigation tree, click Identity Awareness.
3. Select or clear Remote Access.
4. Click OK.
5. Install the policy.

Working with Access Roles

After you enable Identity Awareness, you create Access Role objects.

You can use Access Role objects as source and/or destination parameter in a rule. Access Role objects can include one or more of these objects:

• Networks
• Users and user groups
• Computers and computer groups
• Remote Access Clients

To create an Access Role object:

1. In SmartConsole, open the Object Explorer (Ctrl+E).
2. Click New > Users > Access Role.

   The New Access Role window opens.

3. Enter a Name and Comment (optional).
4. On the Networks page, select one of these:
   • Any network
   • Specific networks - Click the plus sign and select a network - click the plus sign next to the network name or search for a known network
5. On the Users page, select one of these:
   • Any user
   • All identified users - Includes users identified by a supported authentication method.
   • Specific users - Click the plus sign and select a user - click the plus sign next to the username or search for a known user or user group.
6. On the Machines page, select one of these:
   • Any machine
   • All identified machines - Includes computers identified by a supported authentication method
   • Specific machines - Click the plus sign and select a device - click the plus sign next to the device name or search for a known device or group of devices

   For computers that use Full Identity Agents, you can select (optional) Enforce IP Spoofing protection.

7. On the Remote Access Clients page, select the Allowed Clients or add new ones. For R77.xx Gateways or lower, you must choose Any.
8. Click OK.

Using Identity Awareness in the Access Control Policy

The Identity Awareness Software Blade lets you configure your Access Control Policy to allow connections for users regardless of what computer they are using. Use Access Role objects in the Source column of a rule, and Identity Awareness Software Blade will identify users based on those objects. You can also configure the Accept action to redirect traffic from an unidentified user to a Captive Portal.

Sample gateway workflow with Identity Awareness

The gateway inspects traffic that starts from a source that matches the Access Role object and tries to identify the user.

• If the user is identified, the traffic is allowed.
• If the user is not identified, the traffic is only allowed when the user authenticates to the Captive Portal. If Captive Portal is not enabled, or the user does not authenticate, then the traffic is dropped.

Adding an Access Role to a Rule

You can add rules with Access Role objects as the Source or Destination to the Access Control policy for Security Gateways that have the Identity Awareness Software Blade enabled.

Note - Rules that use Access Role objects cannot be enforced on Security Gateways that do not have Identity Awareness enabled.

To add an Access Role object to a rule:

1. Select a policy from the Access Control > Policy tree.
2. Click the plus sign in the Source or the Destination cell of a rule.
3. In the window that opens, click the Filter button and select Categories > Users > Access Roles.
4. Click the plus sign for every Access Role object you want to add.
5. Install the policy.

Redirecting to a Captive Portal

You can configure rules that use Access Role objects and the Accept action with the Action Settings option, to redirect HTTP traffic to a Captive Portal. The rule allows traffic when the users that match the source Access Role object are identified. If the Enable Identity Captive Portal option is enabled, the gateway identifies users this way:

1. The Identity Awareness source identifies the user
2. The user authenticates at the Captive Portal

Rules can redirect HTTP traffic according to these parameters:

• Source - Includes an Access Role object
• Action - Uses Accept

To enable Captive Portal for a rule:

1. Right-click the Action cell and select More.

   The Action Settings window opens.

2. Select Enable Identity Captive Portal.
3. Click OK.

   The Action column shows accept (display captive portal).

4. Install the policy.

Sample Identity Awareness Rules

This table shows sample Identity Awareness rules for a Firewall Rule Base. (The VPN, Track and Time columns are not shown. Track is set to Log, and VPN and Time are set to Any.)

No.	Name	Source	Destination	Service	Action
1	CEO allow	John_Smith_ CEO	Any	Any	Accept Display Captive Portal
2	HR server allow	HR_Partners	HR_Server	Any	Accept Display Captive Portal
3	Drop non-identified HR traffic	Any	HR_Server	Any	Drop
4	Internet access	Guests All_Domain_ Users	Internet_proxy	HTTP and HTTPS proxy	Accept Display Captive Portal

1. CEO allow - Allows the CEO, John Smith, to access all the network resources. The CEO is identified by Identity Awareness AD Query or he authenticates to the Captive Portal.
2. HR server allow - Allows users that are defined in the HR_Partners Access Role object to access the HR_Server subnet. The HR users are identified by Identity Awareness AD Query or they authenticate to the Captive Portal.
3. Drop non-identified HR traffic - Drops all traffic to the HR_Server subnet. All authenticated users were allowed by the earlier rules.
4. Internet access - Allows HTTP and HTTPS traffic from the Guests and All_Domain_Users Access Role objects to the Internet. Domain users are identified by Identity Awareness or they authenticate to the Captive Portal. Guests authenticate to the Captive Portal.

Using User Directory

User Directory lets you integrate LDAP and other external user management servers with Check Point products and security solutions. These are some of the Software Blades that work with User Directory:

• Mobile Access
• Identity Awareness
• Data Loss Prevention

User Directory Features

• Use LDAP servers to manage user information for the network
• Security Gateways can retrieve CRLs (Certificate Revocation Lists)
• Security Management Server can use LDAP information to authenticate users
• High Availability can duplicate and backup user information across multiple LDAP servers
• Create multiple Account Units to work with distributed databases
• Use profiles to support multiple LDAP vendors
• Encrypt User Directory connections

Deploying User Directory

User Directory integrates the Security Management Server and an LDAP server and lets the Security Gateways use the LDAP information.

Item	Description
1	Security Gateway - Retrieves LDAP user information and CRLs
2	Internet
3	Security Gateway - Queries LDAP user information, retrieves CRLs, and does bind operations for authentication
4	Security Management Server - Uses User Directory to manage user information
5	LDAP server - Server that holds one or more Account Units

Account Units

An Account Unit represents branches of user information on one or more LDAP servers. The Account Unit is the interface between the LDAP servers and the Security Management Server and Security Gateways.

You can have a number of Account Units representing one or more LDAP servers. Users are divided among the branches of one Account Unit, or between different Account Units.

Note - When you enable the Identity Awareness and Mobile Access Software Blades, SmartConsole opens a First Time Configuration Wizard. The Active Directory Integration window of this wizard lets you create a new AD Account Unit. After you complete the wizard, SmartConsole creates the AD object and Account Unit.

Working with LDAP Account Units

Use the LDAP Account Unit Properties window in SmartConsole to edit an existing Account Unit or to create a new one manually.

To edit an existing LDAP Account Unit:

1. In SmartConsole, open the Object Explorer (Ctrl+E).
2. Select Servers > LDAP Account Units.
3. Right-click the LDAP Account Unit and select Edit.

   The LDAP Account Unit Properties window opens.

4. Edit the settings in these tabs:
   • General - Configure how the Security Management Server uses the Account Unit
   • Servers - Manage LDAP servers that are used by this Account Unit
   • Objects Management - Configure the LDAP server for the Security Management Server to query and the branches to use
   • Authentication - Configure the authentication scheme for the Account Unit
5. Click OK.
6. Install the policy.

To create a new LDAP Account Unit:

1. In the Objects tab, click New > More > Server > LDAP Account unit.

   The LDAP Account Unit Properties window opens.

2. Configure the settings on these tabs:
   • General - Configure how the Security Management Server uses the Account Unit
   • Servers - Manage LDAP servers that are used by this Account Unit
   • Objects Management - Configure the LDAP server for the Security Management Server to query and the branches to use
   • Authentication - Configure the authentication scheme for the Account Unit
3. Click OK.
4. Install the policy.

General Tab

These are the configuration fields in the General tab:

• Name - Name for the Account Unit
• Comment - Optional comment
• Color - Optional color associated with the Account Unit
• Profile - LDAP vendor
• Domain - Domain of the Active Directory servers, when the same user name is used in multiple Account Units (this value is also necessary for AD Query and SSO)
• Prefix - Prefix for non-Active Directory servers, when the same user name is used in multiple Account Units
• Account Unit usage - Select applicable options:
  • CRL retrieval - The Security Management Server manages how the CA sends information about revoked licenses to the Security Gateways
  • User Management - The Security Management Server uses the user information from this LDAP server (User Directory must be enabled on the Security Management Server)

    Note - LDAP SSO (Single Sign On) is only supported for Account Unit objects that use User Management.

  • Active Directory Query - This Active Directory server is used as an Identity Awareness source.

    Note - This option is only available if the Profile is set to Microsoft_AD.

• Enable Unicode support - Encoding for LDAP user information in non-English languages
• Active Directory SSO configuration - Click to configure Kerberos SSO for Active Directory - Domain Name, Account Name, Password, and Ticket encryption method

Servers Tab

You can add, edit, or delete LDAP server objects.

To configure an LDAP server for the Account Unit:

1. To add a new server, click Add. To edit an existing one, select it from the table and click Edit.

   The LDAP Server Properties window opens.

2. From the Host drop-down menu, select the server object.

   If necessary, create a new SmartConsole server object:

   1. Click New.
   2. In the New Host window opens, enter the settings for the LDAP server.
   3. Click OK.
3. Enter the login credentials and the Default priority.
4. Select access permissions for the Check Point Gateways:
   • Read data from this server
   • Write data to this server
5. In the Encryption tab, configure the optional SSL encryption settings. To learn about these settings, see the Help. Click ? or press F1 in the Encryption tab.
6. Click OK.

To remove an LDAP server from the Account Unit:

1. Select a server from the table.
2. Click Remove.

If all the configured servers use the same login credentials, you can modify those simultaneously.

To configure the login credentials for all the servers simultaneously:

1. Click Update Account Credentials.

   The Update Account to All Servers window opens.

2. Enter the login credentials.
3. Click OK.

Objects Management Tab

Configure the LDAP server for the Security Management Server to query and the branches to fetch.

Note - Make sure there is LDAP connectivity between the Security Management Server and the LDAP Server that holds the management directory.

To configure LDAP query parameters:

1. From the Manage objects on drop-down menu, select the LDAP server object.
2. Click Fetch branches.

   The Security Management Server queries and shows the LDAP branches.

3. Configure Branches in use:
   • To add a branch, click Add and in the LDAP Branch Definition window that opens, enter a new Branch Path
   • To edit a branch, click Edit and in the LDAP Branch Definition window that opens, modify the Branch Path
   • To delete a branch, select it and click Delete
4. Select Prompt for password when opening this Account Unit, if necessary (optional).
5. Configure the number of Return entries that are stored in the LDAP database (the default is 500).

Authentication Tab

These are the configuration fields in the Authentication tab:

• Use common group path for queries - Select to use one path for all the LDAP group objects (only one query is necessary for the group objects)
• Allowed authentication schemes - Select one or more authentication schemes allowed to authenticate users in this Account Unit - Check Point Password, SecurID, RADIUS, OS Password, or TACACS
• Users' default values - The default settings for new LDAP users:
  • User template - Template that you created
  • Default authentication scheme - one of the authentication schemes selected in the Allowed authentication schemes section
• Limit login failures (optional):
  • Lock user's account after - Number of login failures, after which the account gets locked
  • Unlock user's account after - Number of seconds, after which the locked account becomes unlocked
• IKE pre-shared secret encryption key - Pre-shared secret key for IKE users in this Account Unit

Enabling User Directory

Configure SmartConsole to enable the Security Management Server to manage users in the Account Unit. You cannot use the SmartConsole User Database when the User Directory LDAP server is enabled.

To enable User Directory on the Security Management Server:

1. From the Menu, select Global Properties.

   The Global Properties window opens.

2. In the User Directory view, select Use User Directory for Security Gateways.
3. Configure other login and password settings.
4. Click OK.
5. Make sure that the User Directory Software Blade is enabled:
   1. In SmartConsole, open the Object Explorer (Ctrl+E).
   2. Go to Network Objects > Gateways and Servers.
   3. Double-click the Security Management Server object.

      The object properties window opens.

   4. Make sure that in the Management tab of the General Properties view, Network Policy Management and User Directory are selected.
   5. Click OK.
   6. Click Close.
6. Install the policy.

Managing LDAP Information

User Directory lets you use SmartDashboard to manage information about users and OUs (Organizational Units) that are stored on the LDAP server.

To manage LDAP information from SmartDashboard:

1. In SmartConsole, go to Manage & Settings > Blades.
2. Click Configure in SmartDashboard.

   SmartDashboard opens.

3. From the object tree, select Servers and OPSEC.
4. Double-click the Account Unit.

   The LDAP domain is shown.

5. Double-click the LDAP branch.

   The Security Management Server queries the LDAP server and SmartDashboard shows the LDAP objects.

6. Expand the Objects List pane.
7. Double-click the LDAP object.

   The Objects List pane shows the user information.

8. Right-click a user and select Edit.

   The LDAP User Properties window opens.

9. Edit the user information and settings and then click OK.

To Learn More About Adding Users to the Policy

To learn more about adding users to the Policy, see these guides:

• R80.10 Identity Awareness Administration Guide
• R80.10 Security Management Guide. Search for Managing User Accounts.