
Configuring Identity Awareness

In This Section:

Enabling Identity Awareness on the Security Gateway

Creating Access Roles

Using Identity Tags in Access Role Matching

Using Identity Awareness in the Firewall Rule Base

Identifying Users behind an HTTP Proxy Server

Enabling Identity Awareness on the Security Gateway

When you enable Identity Awareness Software Blade on a Security Gateway, an Identity Awareness Configuration wizard opens. You can use the wizard to configure one Security Gateway that uses the AD Query, Browser-Based Authentication, and Terminal Servers for acquiring identities. You cannot use the wizard to configure an environment with multiple Security Gateways, or to configure Identity Agent and Remote Access acquisition (other methods for acquiring identities).

When you complete the wizard and install an Access Policy, the system is ready to monitor Identity Awareness. You can see the logs for user and computer identity in the SmartConsole Logs & Monitor > Logs tab. You can see these events using the Columns Profile Access Control.

To enable Identity Awareness Software Blade on a Security Gateway:

  1. Log in to SmartConsole.
  2. From the left navigation Toolbar, click Gateways & Servers.
  3. Double-click the Security Gateway or Security Cluster object.
  4. On the Network Security tab, select Identity Awareness.

    The Identity Awareness Configuration wizard opens.

  5. On the Methods For Acquiring Identity page, select the applicable Identity Sources:

    Notes:

    • After completing this wizard, you can select additional Identity Sources.
    • When you enable Browser-Based Authentication on a Security Gateway that runs on an IP Series appliance with IPSO OS, make sure to set the Voyager management application port to a number other than 443 or 80.
  6. Click Next.
  7. On the Integration With Active Directory page, you can select or configure an Active Directory Domain.
    1. From the Select an Active Directory list, select the Active Directory to configure from the list that shows configured LDAP Account Units or create a new domain. If you have not set up Active Directory, you need to enter a domain name, username, password and domain controller credentials.

      When the SmartConsole client computer is part of the AD domain, SmartConsole suggests this domain automatically. If you select this domain, the system creates an LDAP Account Unit with all of the domain controllers in the organization's Active Directory.

    2. Enter the Active Directory credentials and click Connect to verify the credentials.
      Important - For AD Query you must enter domain administrator credentials. For Browser-Based Authentication standard credentials are sufficient.
    3. If you selected Browser-Based Authentication or Terminal Servers, or do not wish to configure Active Directory, select I do not wish to configure Active Directory at this time and click Next.

    Best Practice - We highly recommend that you go to the LDAP Account Unit and make sure that only necessary domain controllers are in the list. If AD Query is not required to operate with some of the domain controllers, delete them from the LDAP Servers list.

    With the Identity Awareness configuration wizard, you can use existing LDAP Account units or create a new one for one AD domain.

    If the SmartConsole computer is part of the domain, the Wizard fetches all the domain controllers of the domain and all of the domain controllers are configured.

    If you create a new domain, and the SmartConsole computer is not part of the domain, the LDAP Account Unit that the system creates contains only the domain controller you set manually. If it is necessary for AD Query to fetch data from other domain controllers, you must add them later manually to the LDAP Servers list after you complete the wizard.

    To view/edit the LDAP Account Unit object, open Object Explorer (Ctrl + E), and select Servers > LDAP Account units in the Categories tree.

    The LDAP Account Unit name syntax is: <domain name>__AD

    For example, CORP.ACME.COM__AD.

  8. Click Next.

    If you selected Browser-Based Authentication on the Methods For Acquiring Identity page, the Browser-Based Authentication Settings page opens.

  9. In the Browser-Based Authentication Settings page, select a URL for the portal, where unidentified users will be directed.

    The list shows all IP addresses configured for the Security Gateway. The IP address selected by default is the Security Gateway main IP address. The same IP address can be used for other portals with different paths. For example:

    • Identity Awareness Browser-Based Authentication - 192.0.2.2/connect
    • DLP Portal - 192.0.2.2/DLP
    • Mobile Access Portal - 192.0.2.2/sslvpn

    By default, access to the portal is only through internal interfaces. To change this, click Edit. On a perimeter Security Gateway, we recommend that the Captive Portal is accessible only through internal interfaces.

  10. Click Next.

    The Identity Awareness is Now Active page opens with a summary of the acquisition methods.

    If you selected Terminal Servers, the page includes a link to download the agent.

  11. Click Finish.
  12. Optional: In the Security Gateway or Security Cluster object, go to the Identity Awareness page and configure the applicable settings.
  13. Click OK.
  14. Install the Access Policy.

Creating Access Roles

After you enable Identity Awareness, you create Access Role objects.

You can use Access Role objects as the Source and/or Destination of a rule. Access Role objects can include one or more of these object types: networks, users, machines, and Remote Access clients.

To create an Access Role object:

  1. In SmartConsole, open the Object Explorer (Ctrl+E).
  2. Click New > Users > Access Role.

    The New Access Role window opens.

  3. Enter a Name and Comment (optional).
  4. On the Networks page, select one of these:
    • Any network
    • Specific networks - Click the plus [+] sign and select a network > click the plus [+] sign next to the network name, or search for a known network.
  5. On the Users page, select one of these:
    • Any user
    • All identified users - Includes users identified by a supported authentication method.
    • Specific users/groups - Click the plus [+] sign and select a user > click the plus [+] sign next to the username, or search for a known user or user group.
  6. On the Machines page, select one of these:
    • Any machine
    • All identified machines - Includes computers identified by a supported authentication method.
    • Specific machines/groups - Click the plus [+] sign and select a device > click the plus [+] sign next to the device name, or search for a known device or group of devices.

    For computers that use Full Identity Agents, you can select (optional) Enforce IP Spoofing protection.

  7. On the Remote Access Clients page, select one of these:
    • Any Client
    • Specific Client - Select the existing allowed client, or create a new allowed client.

    Note - For Identity Awareness Gateways R77.xx or lower, you must select Any Client.

  8. Click OK.

Using Identity Tags in Access Role Matching

Identity Tags let you include external identifiers (such as Cisco® Security Group Tags, or any other groups provided by any Identity Source) in Access Role matching. These external identifiers act like a tag that can be assigned to a certain user, machine or group.

To use Identity Tags in Access Role matching:

  1. Create a new Identity Tag:
    1. Click Objects menu > More object types > User > Identity Tag.
    2. Enter a name for the object.

      Note - If you enter the External Identifier first, the Identity Tag object gets the same name.

    3. In the External Identifier field, enter one of these:
      • A Cisco Security Group Tag, as defined on the Cisco ISE server or acquired through Identity Collector.
      • A custom tag (defined on a third party product) acquired through the Check Point Identity Web API.

      Note - The External Identifier must be a unique name.

    4. Click OK.
  2. Include the Identity Tag in an Access Role:
    1. Click Objects menu > More object types > User > New Access Role.
    2. On the Users tab or Machines tab, select Specific users/groups.
    3. Click the [+] icon.
    4. Click on the domain name button in the top left corner and select Identity Tags.
    5. Select the Identity Tag created in Step 1.
    6. Click OK.
  3. Add this Access Role to the Source or Destination column of an Access Policy rule.
  4. Install the Access Policy.
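As an added illustration (not code from the Check Point documentation or product), the following Python model shows how the Networks, Users and Machines pages of an Access Role described above combine, and how an Identity Tag's External Identifier takes part in Specific users/groups matching. The identities, tag names and networks are constructed samples; the AND between the pages reflects how an Access Role is matched.

```python
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, Optional, Union

Selector = Union[str, FrozenSet[str]]   # "any", "all_identified", or specific names


@dataclass(frozen=True)
class Identity:
    """Identity learned for a source IP (constructed sample, not data from a gateway)."""
    ip: str
    user: Optional[str] = None              # None: no user identity known for this IP
    machine: Optional[str] = None           # None: no machine identity known for this IP
    groups: FrozenSet[str] = frozenset()    # directory group memberships
    tags: FrozenSet[str] = frozenset()      # Identity Tag external identifiers (e.g. an SGT)


@dataclass(frozen=True)
class AccessRole:
    """Networks, Users and Machines pages of an Access Role (Remote Access Clients omitted)."""
    networks: Optional[FrozenSet[str]] = None   # None: Any network; else CIDR strings
    users: Selector = "any"
    machines: Selector = "any"


def _selector_matches(selector: Selector, name: Optional[str], memberships: FrozenSet[str]) -> bool:
    if selector == "any":
        return True
    if selector == "all_identified":
        return name is not None          # any identity, whatever its groups
    # Specific users/groups or machines/groups: the name, a group, or an Identity Tag
    return name is not None and (name in selector or bool(memberships & selector))


def matches(role: AccessRole, ident: Identity) -> bool:
    """Every page of the Access Role must match (logical AND) for the traffic to match."""
    addr = ipaddress.ip_address(ident.ip)
    net_ok = role.networks is None or any(addr in ipaddress.ip_network(n) for n in role.networks)
    user_ok = _selector_matches(role.users, ident.user, ident.groups | ident.tags)
    machine_ok = _selector_matches(role.machines, ident.machine, ident.tags)
    return net_ok and user_ok and machine_ok


# Constructed sample identities and roles (hypothetical names)
ENGINEER = Identity("10.1.1.10", user="alice", machine="alice-laptop",
                    groups=frozenset({"Engineering"}), tags=frozenset({"SGT_Engineering"}))
GUEST = Identity("10.1.1.20")                              # unidentified user and machine
CONTRACTOR = Identity("10.2.5.7", user="bob", tags=frozenset({"SGT_Contractor"}))

ENGINEERING_ROLE = AccessRole(networks=frozenset({"10.1.0.0/16"}), users=frozenset({"SGT_Engineering"}))
IDENTIFIED_ROLE = AccessRole(users="all_identified")
MANAGED_HOST_ROLE = AccessRole(users="all_identified", machines="all_identified")
```

The unidentified GUEST never matches a role that requires an identity, and CONTRACTOR fails MANAGED_HOST_ROLE because the Machines page is also required even though the user is known.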