UserCheck

What can I do here?

On the UserCheck page, you can create, edit, and preview UserCheck interaction objects and their messages.

Getting Here - SmartConsole > Security Policies > Access Control > Policy > Access Tools > UserCheck

UserCheck Interactions in the Access Control Policy

UserCheck objects lets the Security Gateway communicate with users. Use them in the Rule Base to:

• Help users with decisions that can be dangerous to the organization's security.
• Share the organization's changing internet policy for Web applications and sites with users, in real-time.

If a UserCheck object is set as the action on in a policy rule, the user's browser redirects to the UserCheck web portal on port 443 or 80. The portal shows the notifications to the user.

UserCheck client adds the option to send notifications for applications that are not in a web browser. The UserCheck client can also work together with the UserCheck portal to show notifications on the computer itself when the notification cannot be displayed in a browser.

Configuring the Security Gateway for UserCheck

Enable or disable UserCheck directly on the Security Gateway. Make sure that the UserCheck is enabled on each Security Gateway in the network.

The Security Gateway has an internal persistence mechanism that preserves UserCheck notification data if the Security Gateway or cluster reboots. Records of a user answering or receiving notifications are never lost.

To configure UserCheck on a Security Gateway:

1. In SmartConsole, click Gateways & Servers and double-click the Security Gateway.

   The Gateway Properties window opens.

2. From the navigation tree, click UserCheck.

   The UserCheck page opens.

3. Make sure Enable UserCheck for active blades is selected
4. In the UserCheck Web Portal section:

   In the Main URL field, enter the primary URL for the web portal that shows the UserCheck notifications.

   If users connect to the Security Gateway remotely, make sure that the Security Gateway internal interface (in the Network Management page) is the same as the Main URL.

   Note - The Main URL field must be manually updated if:

   • The Main URL field contains an IP address and not a DNS name.
   • You change a gateway IPv4 address to IPv6 or vice versa.
5. Optional: Click Aliases to add URL aliases that redirect different hostnames to the Main URL.

   The aliases must be resolved to the portal IP address on the corporate DNS server

6. In the Certificate section, click Import to import a certificate that the portal uses to authenticate to the Security Management Server.

   By default, the portal uses a certificate from the Check Point Internal Certificate Authority (ICA). This might generate warnings if the user browser does not recognize Check Point as a trusted Certificate Authority. To prevent these warnings, import your own certificate from a recognized external authority.

7. In the Accessibility section, click Edit to configure interfaces on the Security Gateway through which the portal can be accessed. These options are based on the topology configured for the Security Gateway. The topology must be configured.

   Users are sent to the UserCheck portal if they connect:

   • Through all interfaces
   • Through internal interfaces (default)
     • Including undefined internal interfaces
     • Including DMZ internal interfaces
     • Including VPN encrypted interfaces (default)

     Note: Make sure to add a rule to the Firewall Rule Base that allows the encrypted traffic.

   • According to the Firewall Policy. Select this option if there is a rule that states who can access the portal.

   If the Main URL is set to an external interface, you must set the Accessibility option to one of these:

   • Through all interfaces - necessary in VSX environment
   • According to the Firewall Policy
8. In the Mail Server section, configure a mail server for UserCheck. This server sends notifications to users that the Gateway cannot notify using other means, if the server knows the email address of the user. For example, if a user sends an email which matched on a rule, the Gateway cannot redirect the user to the UserCheck portal because the traffic is not http. If the user does not have a UserCheck client, UserCheck sends an email notification to the user.
   • Use the default settings - Click the link to see which mail server is configured.
   • Use specific settings for this gateway - Select this option to override the default mail server settings.
   • Send emails using this mail server - Select a mail server from the list, or click New and define a new mail server.
9. Click OK.
10. If there is encrypted traffic through an internal interface, add a new rule to the Firewall Layer of the Access Control Policy. This is a sample rule:

    Source	Destination	VPN	Services & Applications	Action
    Any	Security Gateway on which UserCheck client is enabled	Any	UserCheck	Accept

11. Install the Access Control Policy.

Blocking Applications and Informing Users

Scenario: I want to block pornographic sites in my organization, and tell the user about the violation. How can I do this?

To block an application or category of applications and tell the user about the policy violation:

1. In the Security Policies view of SmartConsole, go to the Access Control Policy.
2. Choose a Layer with Applications and URL Filtering enabled.
3. Create a rule that includes these components:
   • Services & Applications - Select the Pornography category.
   • Action - Drop, and a UserCheck Blocked Message - Access Control

     The message informs users that their actions are against company policy and can include a link to report if the website is included in an incorrect category.

   • Track - Log

     Note - This Rule Base example contains only those columns that are applicable to this subject.

     Name	Source	Destination	Services & Applications	Action	Track	Install On
     Block Porn	Any	Internet	Pornography (category)	Drop Blocked Message	Log	Policy Targets

The rule blocks traffic to pornographic sites and logs attempts to access those sites. Users who violate the rule receive a UserCheck message that informs them that the application is blocked according to company security policy. The message can include a link to report if the website is included in an incorrect category.

Important - A rule that blocks traffic, with the Source and Destination parameters defined as Any, also blocks traffic to and from the Captive Portal.

UserCheck for Access Control Default Messages

These are the default UserCheck messages in the Access Tools > UserCheck page of the Access Control Policy:

Name	Action Type	Description
Access Approval	Inform
Access Notification	Inform	Shows when the action for the rule is inform. It informs users what the company policy is for that site.
Blocked Message - Access Control	Block	Shows when the action for the rule is Block, when a request is blocked.
Cancel Page - Access Control	Cancel	Shows after a user gets an Inform or Ask message and clicks Cancel.
Company Policy	Ask	Shows when the action for the rule is ask. It informs users what the company policy is for that site and they must click OK to continue to the site.

If the default UserCheck messages do not fit your needs, you can create a UserCheck Interaction object.

For example, you can create a message with Content Awareness fields.

You can show these UserCheck message previews:

• Regular view - Shows a preview of the UserCheck message on a computer.
• Mobile - Shows a preview of the UserCheck message on a mobile device.
• Agent - Shows a preview of the UserCheck message in the agent window.
• Email - Shows a preview of the UserCheck message in an email.

Creating a UserCheck Interaction Object

If the default UserCheck messages do not fit your needs, you can create a UserCheck Interaction object.

To create a UserCheck object that includes a message:

1. In the Security Policies view of SmartConsole, go to the Access Control Policy.
2. Click Access Tools > UserCheck.
3. Click New, and select one of these interaction modes:
   • Ask UserCheck- Show a message to users that asks them if they want to continue with the request or not.
   • Block UserCheck- Show a message to users and block the application request.
   • Inform UserCheck - Show an informative message to users. Users can continue to the application or cancel the request.

   The UserCheck Interaction window opens on the Message page.

4. Enter a name for the UserCheck object and, optionally, a comment.
5. Select a language (English is the default) from the Languages tabs.
6. Enter the message content. You can:
   • Use the formatting toolbar to change text color, alignment, add or remove bullets.
   • Use the Insert field variables. These include fields for Content Awareness.
     If you define a custom UserCheck message, you can use predefined Field variables in the message.

     Here is an example of a UserCheck message that you can define. This example uses some of the Insert Field variables for Application Control and Content Awareness rules:

     According to the company policy, this action is intended for work-related use only. Details: - File Name is classified as Data Types - Access to Application name - Category Category [ ] I will use this site/application and data in accordance with company policy. Reference: Incident ID

7. In the Settings tab, configure optional settings. For example:
   • Fallback Action - For a Block action type, when UserCheck notification cannot be displayed, this action is taken.
   • External Portal - When selected, redirects the user to the specified External Portal (enter the URL), and the UserCheck message is not shown to the end-user
     Select Add UserCheck Incident ID to the URL query, to log the incident
8. Click OK.

   This creates the UserCheck object and web page notification for the portal.

Example UserCheck Message Using Field Variables

If you define a custom UserCheck message, you can use predefined Field variables in the message.

Here is an example of a UserCheck message that you can define. This example uses some of the Insert Field variables for Application Control and Content Awareness rules:

According to the company policy, this action is intended for work-related use only. Details: - File Name is classified as Data Types - Access to Application name - Category Category [ ] I will use this site/application and data in accordance with company policy. Reference: Incident ID

Localizing and Customizing the UserCheck Portal

After you set the UserCheck interaction object language, you can translate the Portal OK and Cancel buttons to the applicable language. For more information, see sk83700.

Some of the UserCheck predefined notifications are translated to more than one language. For example, Access Notification is translated to English, French, Spanish, and Japanese.

To support more languages:

1. In the Security Policies view of SmartConsole, go to the Access Control Policy.
2. Click Access Tools > UserCheck.
3. Double-click the UserCheck object to edit it.
4. In the Message page, click Languages.
5. Select the Languages from the list.

UserCheck Frequency and Scope

You can set the number of times that users get UserCheck messages for accessing applications that are not permitted by the policy. You can also set if the notifications are based on accessing the rule, application category, or application itself.

To set how often UserCheck notifications show:

1. Select the Action cell of a rule in the Access Control Policy, and click More.
2. In the Action Settings window, select the UserCheck Frequency.

   The options are:

   • Once a day
   • Once a week
   • Once a month
   • Custom frequency
3. Select Confirm UserCheck. This sets if the notifications are:
   • Per rule
   • Per category
   • Per application
   • Per data type

Example:

In a rule that contains:

Services & Applications	Action
Social Networking category	Inform

If you select a UserCheck Frequency of Once a day, and Confirm UserCheck of Per rule:

A user who accesses Facebook and then LinkedIn on the same day gets one Inform message.

If you select a UserCheck Frequency of Once a day, and Confirm UserCheck of Per application:

A user who accesses Facebook and then LinkedIn on the same day gets one Inform message for Facebook and one for LinkedIn.

In new installations, the Confirm UserCheck Scope default is Per category.

In upgrades from a version before R75.40, the Confirm UserCheck default is Per Rule.

UserCheck Settings

For each UserCheck interaction object you can configure these options from the Settings page UserCheck object:

• Languages - Set a language for the UserCheck message if the language setting in the user browser cannot be determined or is not implemented. For example:
  • If the browser native language is Spanish
  • The UserCheck message is in Japanese and French
  • You select Japanese as the default language

  Then the notification displays in Japanese.

• Fallback Action (For Action Types Ask and Inform) - Select an alternative action (allow or block) for when the UserCheck notification cannot be shown in the browser or application that caused the notification. If UserCheck determines that the notification cannot be shown in the browser or application, the behavior is:
  • If the Fallback Action is Allow (the default for Inform messages), the user is allowed to access the website or application, and the UserCheck client (if installed) shows the notification.
  • If the Fallback Action is Block, the gateway tries to show the notification in the application that caused the notification. If it cannot and the UserCheck client is installed, it shows the notification through the client. The website or application is blocked, even if the user does not see the notification.
• External Portal - Redirect the user to External Portal - Select this to redirect users to an external portal, not on the gateway.
  • URL - Enter the URL for the external portal. The specified URL can be an external system that obtains authentication credentials from the user, such as a user name or password. It sends this information to the gateway.
  • Add UserCheck Incident ID to the URL query - An incident ID is added to the end of the URL query.
• Conditions (For the Action Type Ask) - Select actions that must occur before users can access the application. Select one or more of these options:
  • User accepted and selected the confirm checkbox - This applies if the UserCheck message contains a checkbox (Insert User Input > Confirm Checkbox). Users must accept the text shown and select the checkbox before they can access the application.
  • User filled some textual input - This applies if the UserCheck message contains a text field (Insert User Input > Textual Input). Users must enter text in the text field before they can access the application. For example, you might require that users enter an explanation for use of the application.

UserCheck CLI

You can use the usrchk command in the gateway command line to show or clear the history of UserCheck objects.

To use the usrchk commands, you must enable UserCheck on the gateway, and create a rule with a UserCheck interaction object.

Description	usrchk
Syntax	usrchk [debug] [hits]

Parameters

Parameter	Description
debug	Controls debug messages
hits	Shows user incident options: list - Options to list user incidents all - List all existing incidents. user <username> - List incidents of a specified user. uci <name of interaction object> - List incidents of a specified UserCheck interaction object clear - Options to clear user incidents all - Clear all existing incidents user <username> - Clear incidents for a specified user uci <name of interaction object> - Clear incidents of a specified UserCheck interaction object db - user hits database options

Examples:

• To show all UserCheck interaction objects, run: usrchk hits list all
• To clear the incidents for a specified user, run: usrchk hits clear user <username>

Notes:

• You can only run a command that contains user <username> if:
  • Identity Awareness is enabled on the gateway.
  • Identity Awareness is used in the same policy rules as UserCheck objects.
• To run a command that contains a specified UserCheck interaction object, first run usrchk hits list all to see the names of the interaction objects. Use the name of the interaction object as it is shown in the list.

Revoking Incidents

The Revoke Incidents URL can revoke a user's responses to UserCheck notifications. The URL is:

://<IP of gateway>/UserCheck/RevokePage

If users regret their responses to a notification and contact their administrator, the administrator can send users the URL.

After a user goes to the URL, all of the user's responses to notifications are revoked. The logs in the SmartConsole Logs & Monitor view Logs tab will show the user's activity, and that the actions were revoked afterwards.

Administrators can use the usrchk command of the CLI to revoke incidents for one user, all users, or a specified interaction object.

UserCheck Client

UserCheck Client Overview

The UserCheck client is installed on endpoint computers to communicate with the gateway and show UserCheck interaction notifications to users.

It works with the Data Loss Prevention and Content Awareness Software Blades.

Notifications of incidents can be sent by email (for SMTP traffic) or shown in a popup from the UserCheck client in the system tray (for SMTP, HTTP and FTP).

UserCheck client adds the option to send notifications for applications that are not in a web browser, such as Skype, iTunes, or browser add-ons (such as radio toolbars). The UserCheck client can also work together with the UserCheck portal to show notifications on the computer itself when:

• The notification cannot be displayed in a browser, or
• The UserCheck engine determines that the notification will not be shown correctly in the browser.

Users select an option in the notification message to respond in real-time.

For Data Loss Prevention (DLP), administrators with full permissions or the View/Release/Discard DLP messages permission can also send or discard incidents from the SmartConsole Logs & Monitor > Logs view.

Workflow for installing and configuring UserCheck clients:

1. Configure how the clients communicate with the gateway and create trust with it.
2. Enable UserCheck and the UserCheck client on the gateway.
3. Download the UserCheck client MSI file.
4. Install the UserCheck client on the endpoint computers.
5. Make sure that the UserCheck clients can connect to the gateway and receive notifications.

UserCheck Requirements

See UserCheck Client Requirements in the R80.20 Release Notes.

Enabling UserCheck Client

Enable UserCheck and the UserCheck client on the gateway in the Properties window of the gateway object in SmartConsole. This is necessary to let clients communicate with the gateway.

To enable UserCheck and the UserCheck client on the gateway:

1. In SmartConsole, click Gateways & Servers and double-click the Security Gateway.

   The gateway window opens and shows the General Properties page.

2. From the navigation tree, click UserCheck.
3. Select Enable UserCheck for active blades.

   This enables UserCheck notifications from the gateway.

4. In the UserCheck Client section, select Activate UserCheck Client support.

   This enables UserCheck notifications from the client.

5. Click OK and Install Policy.

Getting the MSI File

To get the MSI file:

1. In SmartConsole, in the Gateways & Servers view, open the General Properties window of the gateway object.
2. From the navigation tree, select UserCheck.
3. In the UserCheck Client section, click Download Client.

   Important - Before you can download the client msi file, the UserCheck portal must be up. The portal is up only after a Policy installation.

Distributing and Connecting Clients

After configuring the clients to connect to the gateway, install the clients on the user machines. You can use any method of MSI or EXE mass deployment and installation that you choose. For example, you can send users an email with a link to install the client. When a user clicks the link, the MSI file automatically installs the client on the computer.

Alternatively, users can download the installation package from the regular DLP UserCheck notifications.

To install the client for all user accounts on a Windows computer, see sk96107.

The installation is silent and generally, no reboot is required.

When the client is first installed, the tray icon indicates that it is not connected. When the client connects to the gateway, the tray icon shows that the client is active.

The first time that the client connects to the gateway, it asks for verification from the user and approval of the fingerprint.

Best Practices:

• Let the users know this will happen.
• Use a server certificate that is trusted by the certificate authority installed on users' computers. Then users do not see a message that says: Issued by unknown certificate authority.

If UserCheck for DLP is enabled on the gateway, users are required to enter their username and password after the client installs.

Example of message to users about the UserCheck client installation (for DLP):

Dear Users,

Our company has implemented a Data Loss Prevention automation to protect our confidential data from unintentional leakage. Soon you will be asked to verify the connection between a small client that we will install on your computer and the computer that will send you notifications.

This client will pop up notifications if you try to send a message that contains protected data. It might let you to send the data anyway, if you are sure that it does not violate our data-security guidelines.

When the client is installed, you will see a window that asks if you trust the DLP server. Check that the server is SERVER NAME and then click Trust.

In the next window, enter your username and password, and then click OK.

Note - If the UserCheck client is not connected to the gateway, the behavior is as if the client was never installed. Email notifications are sent for SMTP incidents and the Portal is used for HTTP incidents.

UserCheck and Check Point Password Authentication

You can see and edit Check Point users from Users and Administrators in the navigation tree.

To enable Check Point password authentication:

SmartConsole Configuration

1. Open SmartConsole and open the Manage & Settings view.
2. Click Permissions & Administrators > Administrators, and select an existing user or create a new user.
3. In the General Properties page of the user, make sure that an email address is defined.
4. In the Authentication Properties page of the user, set Authentication Scheme to Check Point Password and enter the password and password confirmation.
5. Click OK.

UserCheck Client Configuration

Ask your users to configure their UserCheck client:

1. On the UserCheck client computer, right click the UserCheck icon in the Notification Area (next to the system clock).
2. Select Settings.
3. Click Advanced.
4. Select Authentication with Check Point user accounts defined internally in SmartConsole.

Helping Users

If users require assistance to troubleshoot issues with the UserCheck client, you can ask them to send you the logs.

To configure the client to generate logs:

1. Right-click the UserCheck tray icon and select Settings.

   The Settings window opens.

2. Click Log to and browse to a pathname where the logs are saved.
3. Click OK.

To send UserCheck logs from the client:

1. Right-click the UserCheck tray icon and select Status.

   The Status window opens.

2. Click Advanced and then click the Collect information for technical support link.

   The default email client opens, with an archive of the collected logs attached.

UserCheck for Access Control Default Messages

These are the default UserCheck messages in the Access Tools > UserCheck page of the Access Control Policy:

Name	Action Type	Description
Access Approval	Inform
Access Notification	Inform	Shows when the action for the rule is inform. It informs users what the company policy is for that site.
Blocked Message - Access Control	Block	Shows when the action for the rule is Block, when a request is blocked.
Cancel Page - Access Control	Cancel	Shows after a user gets an Inform or Ask message and clicks Cancel.
Company Policy	Ask	Shows when the action for the rule is ask. It informs users what the company policy is for that site and they must click OK to continue to the site.

If the default UserCheck messages do not fit your needs, you can create a UserCheck Interaction object.

For example, you can create a message with Content Awareness fields.

You can show these UserCheck message previews:

• Regular view - Shows a preview of the UserCheck message on a computer.
• Mobile - Shows a preview of the UserCheck message on a mobile device.
• Agent - Shows a preview of the UserCheck message in the agent window.
• Email - Shows a preview of the UserCheck message in an email.

Application and URL Filtering UserCheck Page

Ask and Inform pages include a Cancel button that users can click to cancel the request.

For Threat Prevention and Application and URL Filtering , you can show these UserCheck message previews:

• Regular view - Shows a preview of the UserCheck message on a computer.
• Mobile Device - Shows a preview of the UserCheck message on a mobile device.

For DLP, you can also show these UserCheck message previews:

• Email - Shows a preview of the UserCheck message in an email.
• Agent - Shows a preview of the UserCheck message in the DLP agent window.

Localizing and Customizing the UserCheck Portal

After you set the UserCheck interaction object language, you can translate the Portal OK and Cancel buttons to the applicable language. For more information, see sk83700.

Some of the UserCheck predefined notifications are translated to more than one language. For example, Access Notification is translated to English, French, Spanish, and Japanese.

To support more languages:

1. In the Security Policies view of SmartConsole, go to the Access Control Policy.
2. Click Access Tools > UserCheck.
3. Double-click the UserCheck object to edit it.
4. In the Message page, click Languages.
5. Select the Languages from the list.