Acquiring Identities in Application Control

You can use Identity Awareness and Application & URL Filtering together to add user awareness, computer awareness, and application awareness to the Check Point Security Gateway. They work together in these procedures:

Scenario: Identifying Users in Application Control Logs

The ACME organization wants to use Identity Awareness to monitor outbound application traffic and learn what their employees are doing. To do this, the IT administrator must enable Application Control and Identity Awareness. Identity information for the traffic then shows in the logs and events. See the logs in the Logs & Monitor > Logs tab. See the events in the Logs & Monitor views, in the Access Control categories.

Next, the IT department can add rules in the Application & URL Filtering Layer of the policy to block specific applications or track them differently, which makes the policy even more effective. See the R80.20 Next Generation Security Gateway Guide.

Required SmartConsole Configuration

To make this scenario work, the IT administrator must:

  1. Enable the Application Control blade on a Security Gateway.

    This adds a default rule to the Application Control Rule Base that allows traffic from known applications, with the tracking set to Log.

  2. Enable Identity Awareness on a Security Gateway and select AD Query as one of the Identity Sources.
  3. Install the Access Policy.

User Identification in the Logs

You can see data for identified users in the logs and events that relate to application traffic. See the logs in the Logs & Monitor > Logs tab. See the events in the Logs & Monitor views, in the Access Control categories.

The log entry shows that the system maps the source IP address to the user identity. It also shows Application Control data.