Threat Prevention and UserCheck

In This Section: Using the Threat Prevention UserCheck Pane Configuring the Security Gateway for UserCheck Creating Threat Prevention UserCheck Objects Editing UserCheck Objects Selecting Approved and Cancel UserCheck Messages

UserCheck handles specified threat incidents. UserCheck notifications inform the user of data capture. If the action is Ask, the user must provide a reason to allow the traffic. User decisions are logged. You can develop an effective prevention policy based on logged user responses.

For each Threat Prevention profile, you can define the action that is taken when a malicious file or activity is identified.

Action	Description
Ask	The Software Blade blocks the file or traffic until the user makes sure that the gateway should send it. The user decides if the file or traffic are allowed or not. The decision itself is logged in the User Response field in the Ask User log.
Prevent	The Software Blade blocks the file or traffic. You can show a UserCheck Prevent message to the user.
Detect	The Software Blade allows the file or traffic. The event is logged and is available for your review and analysis in the Logs & Monitor view.

For more about using UserCheck objects and settings, see the UserCheck chapters in the R80.10 Data Loss Prevention Administration Guide.

Using the Threat Prevention UserCheck Pane

On the UserCheck page, you can create, edit, and preview UserCheck interaction objects and their messages. It has these options:

Option	Meaning
New	Creates a new UserCheck object
Edit	Modifies an existing UserCheck object
Delete	Deletes an UserCheck object
Clone	Clones the selected UserCheck object

These are the default UserCheck messages:

Name	Action Type	Description
Software Blade Blocked	Block	Shows when a request is blocked.
Company Policy Software Blade	Ask	Shows when the action for the rule is ask. It informs users what the company policy is for that site and they must click OK to continue to the site.
Software Blade Success Page	Approve	Shows when the action for the rule is Approve. From the Success page you can download the links to the original file or receive the original email.
Cancel Page Anti-Malware	Cancel	The Ask and Approve pages include a Cancel button that you can click to cancel the request.

You can preview each message page in these views:

• Regular view - How the message shows in a web browser on a PC or laptop
• Mobile Device - How the message shows in a web browser on a mobile device
• Email - How the message shows in an email
• Agent -How the message shows in the UserCheck agent

Configuring the Security Gateway for UserCheck

Enable or disable UserCheck directly on the Security Gateway. Make sure that the UserCheck is enabled on each Security Gateway in the network.

The Security Gateway has an internal persistence mechanism that preserves UserCheck notification data if the Security Gateway or cluster reboots. Records of a user answering or receiving notifications are never lost.

To configure UserCheck on a Security Gateway:

1. In SmartConsole, click Gateways & Servers and double-click the Security Gateway.

   The Gateway Properties window opens.

2. From the navigation tree, click UserCheck.

   The UserCheck page opens.

3. Make sure Enable UserCheck for active blades is selected
4. In the UserCheck Web Portal section:

   In the Main URL field, enter the primary URL for the web portal that shows the UserCheck notifications.

   If users connect to the Security Gateway remotely, make sure that the Security Gateway internal interface (in the Network Management page) is the same as the Main URL.

   Note - The Main URL field must be manually updated if:

   • The Main URL field contains an IP address and not a DNS name.
   • You change a gateway IPv4 address to IPv6 or vice versa.
5. Optional: Click Aliases to add URL aliases that redirect different hostnames to the Main URL.

   The aliases must be resolved to the portal IP address on the corporate DNS server

6. In the Certificate section, click Import to import a certificate that the portal uses to authenticate to the Security Management Server.

   By default, the portal uses a certificate from the Check Point Internal Certificate Authority (ICA). This might generate warnings if the user browser does not recognize Check Point as a trusted Certificate Authority. To prevent these warnings, import your own certificate from a recognized external authority.

7. In the Accessibility section, click Edit to configure interfaces on the Security Gateway through which the portal can be accessed. These options are based on the topology configured for the Security Gateway. The topology must be configured.

   Users are sent to the UserCheck portal if they connect:

   • Through all interfaces
   • Through internal interfaces (default)
     • Including undefined internal interfaces
     • Including DMZ internal interfaces
     • Including VPN encrypted interfaces (default)

     Note: Make sure to add a rule to the Firewall Rule Base that allows the encrypted traffic.

   • According to the Firewall Policy. Select this option if there is a rule that states who can access the portal.

   If the Main URL is set to an external interface, you must set the Accessibility option to one of these:

   • Through all interfaces - necessary in VSX environment
   • According to the Firewall Policy
8. In the Mail Server section, configure a mail server for UserCheck. This server sends notifications to users that the Gateway cannot notify using other means, if the server knows the email address of the user. For example, if a user sends an email which matched on a rule, the Gateway cannot redirect the user to the UserCheck portal because the traffic is not http. If the user does not have a UserCheck client, UserCheck sends an email notification to the user.
   • Use the default settings - Click the link to see which mail server is configured.
   • Use specific settings for this gateway - Select this option to override the default mail server settings.
   • Send emails using this mail server - Select a mail server from the list, or click New and define a new mail server.
9. Click OK.
10. If there is encrypted traffic through an internal interface, add a new rule to the Firewall Layer of the Access Control Policy. This is a sample rule:

    Source	Destination	VPN	Services & Applications	Action
    Any	Security Gateway on which UserCheck client is enabled	Any	UserCheck	Accept

11. Install the Access Control Policy.

Creating Threat Prevention UserCheck Objects

Create a UserCheck Interaction object from the UserCheck page or Threat Prevention Software Blade profile Settings.

You can write the UserCheck message with formatting buttons, like Bold and bullets, or directly enter HTML code.

To show the Threat Prevention UserCheck objects:

1. In SmartConsole, select Security Policies > Threat Prevention.
2. From the Threat Tools section, click UserCheck.

   The UserCheck page opens.

To change text input modes:

From the menu-bar in the UserCheck object window, click the applicable option:

• Source - Enter HTML code
• Design - Enter text with formatting buttons and options

To create a new Threat Prevention UserCheck object:

1. From the UserCheck page, click New and select the object type.

   The window opens for the new UserCheck object.

2. Enter a Name.
3. Optional: Click Language and select one or more languages for the message.

   The default language for messages is English.

4. Enter the text for the message.
   • Title, subtitle, and body

   In the body of the message click these options for additional functionality:

   • Insert Field - Dynamic text such as: Original URL, Source IP address, and so on
   • Insert User Input - Such as: Confirm check box, Report Wrong Category and so on
5. Optional: Click Add logo to add a graphic to the message.

   The size of the graphic must be 176 x 52 pixels.

6. You can also click Settings from the navigation tree to configure one or more of these options:
   • Using a Fallback Action
   • Redirecting to an External Portal
   • Configuring User Interaction
7. Click OK.
8. Install the Threat Prevention policy.

Using a Fallback Action

Configure the default action for an Ask UserCheck object if the user cannot see the message. You can select one of these options:

• Drop - The connection or traffic is dropped and does not enter the internal network
• Accept - The connection or traffic is accepted and enters the internal network

To configure a fallback action for an Ask object:

1. From the navigation tree, click Settings.
2. In the Fallback Action section, select to Drop or Accept traffic when the user cannot see the UserCheck message.

Redirecting to an External Portal

You can configure UserCheck to redirect the user to an external UserCheck portal and the user does not see this UserCheck message.

To redirect a user to an external portal:

1. From the navigation tree, click Settings.
2. Click Redirect to External Portal.
3. In External Portal URL, enter the URL for the external portal.

   The specified URL can be an external system that obtains authentication credentials from the user, such as a user name or password. It sends this information to the Security Gateway.

4. Optional: Select Add UserCheck Incident ID to the URL query to add an incident ID to the end of the URL query.

Configuring User Interaction

You can configure the necessary user interaction for an Ask UserCheck object. The traffic is allowed only after the user does the necessary actions.

The UserCheck message can contain these items that require user interaction (shown with sample messages):

• Confirm checkbox - I am ignoring the warning
• Textual input - Enter the reason that you are ignoring the Threat Prevention warning

To configure the necessary user interaction for an Ask object:

1. From the navigation tree, click Settings.
2. In the Conditions section, select one or more of these options:
   • User accepted and selected the confirm checkbox
   • User entered the required textual input in the user input field

   The traffic or connection is blocked until the user does the necessary actions.

Editing UserCheck Objects

To edit a UserCheck object:

1. Go to the Security Policies view > Threat Prevention > Threat Tools > UserCheck.
2. Right-click the UserCheck page and select Clone.

   The New Object Editor opens.

3. Enter a name for the new object.
4. Make the necessary changes.
5. Click OK.

Selecting Approved and Cancel UserCheck Messages

In this section, you can select Approved Page and Cancel Page:

• Approved Page - Only applicable for Threat Extraction. When Threat Extraction sends you a clean file, you can select to download the original file. If you select to download the original file, you receive a UserCheck success message. If you select not to download the original file, you receive a UserCheck cancel message.
• The Cancel Page - Applicable to all the Threat Prevention Software Blade. The page shows after you refuse to receive access to a page or a file.

To select Approved and Cancel pages:

1. Go to Manage & Settings > Blades > Threat Prevention > UserCheck.
2. From the drop-down menus, select an Approved Page, a Cancel Page or both.
3. Click OK.
4. Install Policy.