In This Section: |
UserCheck handles specified threat incidents. UserCheck notifications inform the user of data capture. If the action is Ask, the user must provide a reason to allow the traffic. User decisions are logged. You can develop an effective prevention policy based on logged user responses.
For each Threat Prevention profile, you can define the action that is taken when a malicious file or activity is identified.
Action |
Description |
---|---|
Ask |
The Software Blade blocks the file or traffic until the user makes sure that the gateway should send it. The user decides if the file or traffic are allowed or not. The decision itself is logged in the User Response field in the Ask User log. |
Prevent |
The Software Blade blocks the file or traffic. You can show a UserCheck Prevent message to the user. |
Detect |
The Software Blade allows the file or traffic. The event is logged and is available for your review and analysis in the Logs & Monitor view. |
For more about using UserCheck objects and settings, see the UserCheck chapters in the R80.10 Data Loss Prevention Administration Guide.
On the UserCheck page, you can create, edit, and preview UserCheck interaction objects and their messages. It has these options:
Option |
Meaning |
---|---|
New |
Creates a new UserCheck object |
Edit |
Modifies an existing UserCheck object |
Delete |
Deletes an UserCheck object |
Clone |
Clones the selected UserCheck object |
These are the default UserCheck messages:
Name |
Action Type |
Description |
---|---|---|
Software Blade Blocked |
Block |
Shows when a request is blocked. |
Company Policy Software Blade |
Ask |
Shows when the action for the rule is ask. It informs users what the company policy is for that site and they must click OK to continue to the site. |
Software Blade Success Page |
Approve |
Shows when the action for the rule is Approve. From the Success page you can download the links to the original file or receive the original email. |
Cancel Page Anti-Malware |
Cancel |
The Ask and Approve pages include a Cancel button that you can click to cancel the request. |
You can preview each message page in these views:
Enable or disable UserCheck directly on the Security Gateway. Make sure that the UserCheck is enabled on each Security Gateway in the network.
The Security Gateway has an internal persistence mechanism that preserves UserCheck notification data if the Security Gateway or cluster reboots. Records of a user answering or receiving notifications are never lost.
To configure UserCheck on a Security Gateway:
The Gateway Properties window opens.
The UserCheck page opens.
In the Main URL field, enter the primary URL for the web portal that shows the UserCheck notifications.
If users connect to the Security Gateway remotely, make sure that the Security Gateway internal interface (in the Network Management page) is the same as the Main URL.
Note - The Main URL field must be manually updated if:
The aliases must be resolved to the portal IP address on the corporate DNS server
By default, the portal uses a certificate from the Check Point Internal Certificate Authority (ICA). This might generate warnings if the user browser does not recognize Check Point as a trusted Certificate Authority. To prevent these warnings, import your own certificate from a recognized external authority.
Users are sent to the UserCheck portal if they connect:
Note: Make sure to add a rule to the Firewall Rule Base that allows the encrypted traffic.
If the Main URL is set to an external interface, you must set the Accessibility option to one of these:
Source |
Destination |
VPN |
Services & Applications |
Action |
Any |
Security Gateway on which UserCheck client is enabled |
Any |
UserCheck |
Accept |
Create a UserCheck Interaction object from the UserCheck page or Threat Prevention Software Blade profile Settings.
You can write the UserCheck message with formatting buttons, like Bold and bullets, or directly enter HTML code.
To show the Threat Prevention UserCheck objects:
The UserCheck page opens.
To change text input modes:
From the menu-bar in the UserCheck object window, click the applicable option:
To create a new Threat Prevention UserCheck object:
The window opens for the new UserCheck object.
The default language for messages is English.
In the body of the message click these options for additional functionality:
The size of the graphic must be 176 x 52 pixels.
Configure the default action for an Ask UserCheck object if the user cannot see the message. You can select one of these options:
To configure a fallback action for an Ask object:
You can configure UserCheck to redirect the user to an external UserCheck portal and the user does not see this UserCheck message.
To redirect a user to an external portal:
The specified URL can be an external system that obtains authentication credentials from the user, such as a user name or password. It sends this information to the Security Gateway.
You can configure the necessary user interaction for an Ask UserCheck object. The traffic is allowed only after the user does the necessary actions.
The UserCheck message can contain these items that require user interaction (shown with sample messages):
To configure the necessary user interaction for an Ask object:
The traffic or connection is blocked until the user does the necessary actions.
To edit a UserCheck object:
The New Object Editor opens.
In this section, you can select Approved Page and Cancel Page:
To select Approved and Cancel pages: