Adding Users to the Policy

In This Section:

Using Identity Awareness

The Identity Awareness Software Blade lets you configure the Security Gateways to enforce access control for individual users and groups. You can use Identity Sources to get information about users and groups to add flexibility and security for the Rule Base. Identity Awareness lets you create rules in the Access Control and Threat Prevention Rule Bases.

For more about using Identity Awareness, see the R80.30 Identity Awareness Administration Guide.

Identity Sources

After the Security Gateway acquires the identity of a user, user-based rules can be enforced on the network traffic. Identity Awareness can use these sources to identify users:

Browser-Based Authentication - Uses a Captive Portal to authenticate users. If Transparent Kerberos Authentication is configured, the browser attempts to transparently acquire users' identities using Kerberos tickets for users logged in to the domain, before redirecting users to the Captive Portal.
AD Query - Get identity data from Microsoft Active Directory (AD) servers.
Identity Agent - Client that is installed on endpoint computers connects to a Security Gateway and authenticates users.
Terminal Servers - A Terminal Server Identity Agent is used to identify individual user traffic coming from terminal servers. This is used in environments with application servers that host Microsoft Terminal Servers, Citrix XenApp, and Citrix XenDesktop.
RADIUS Accounting - You can configure a Security Gateway with Identity Awareness to use RADIUS Accounting to get user and computer identities directly from a RADIUS accounting client. Identity Awareness uses this information to apply access permissions to the connection.
Identity Collector - Identity Collector is a Windows-based application which collects information about identities and their associated IP addresses and sends it to Check Point firewalls for identity enforcement. Identity Collector supports these sources:
- Microsoft Active Directory Domain Controllers
- Cisco Identity Services Engine (ISE) Servers, versions 1.3 and 2.0
The Identity Collector can connect with more than one Identity Source at a time. The Identity Sources are organized in Query Pools. The Identity Collector sends the Identity Server information from the Identity Sources selected in the Query Pool assigned to the gateway.
Identity Web API - The Identity Web API gives you a flexible method for creating identities. With the Identity Awareness Web API, you can:
- Create and revoke identities
- Query the Identity Awareness Software Blade regarding users, IPs, and computers.
Remote Access - Identities are acquired for Mobile Access clients and IPSec VPN clients configured to work in Office Mode when they connect to the Security Gateway. This option is enabled by default.
If there is more than one Security Gateway enabled with Identity Awareness that share identities with each other and have Office Mode configured, each gateway must be configured with different office mode ranges.

Browser-Based Authentication

Browser-Based Authentication uses the Internet browser to identify users. You can use these Browser-Based Authentication solutions:

Captive Portal
Transparent Kerberos Authentication

Captive Portal uses a web interface to authenticate users before they can access network resources. When users try to access a protected resource, they must log in to a web page to continue.

When Transparent Kerberos Authentication is enabled, the Transparent Authentication page tries to authenticate users before the Captive Portal web page opens. The Transparent Authentication page communicates with the AD to use the Kerberos protocol to authenticate the users. If the users are successfully authenticated, then they can access the network resources. If they are not authenticated, then they are redirected to the Captive Portal.

AD Query

The Security Gateway registers to receive security event logs from the AD domain controllers when the security policy is installed. When a user authenticates with AD credentials, these event logs are generated and are sent to the Security Gateway. The gateway identifies the user based on the AD security event log, and enforces the appropriate Identity Awareness rule to the traffic that this user sends.

Enabling Identity Awareness

There is an Identity Awareness configuration wizard in SmartConsole that helps you enable and configure the Identity Awareness Software Blade. You can use the configuration wizard on these identity sources:

AD Query
Browser-Based Authentication
Terminal Servers

Using the Identity Awareness Configuration Wizard

Use the Identity Awareness Configuration wizard to configure how the Security Gateway gets information about users and computers. The wizard automatically creates an Account Unit.

This is an example of how to configure the AD query and browser-based methods for Identity Awareness.

To use the Identity Awareness configuration wizard:

In SmartConsole, go to the Gateways & Servers page and double-click the Security Gateway object.
The gateway properties window opens.
From the navigation tree, click General Properties.
From the Network Security tab, select Identity Awareness.
The Identity Awareness Configuration wizard opens.
Select AD Query and Browser-Based Authentication and then click Next.
The Integration With Active Directory window opens.
Select the AD domain and enter the Username and the Password.
Make sure that the AD account has domain administrator privileges. Alternatively, you can let non-administrators make AD connections.

Note - you can also select Create new domain and configure a new AD (Active Directory) Account Unit object.
Click Connect.
The message about user credentials shows.
Click Next.
The Browser-Based Authentication Settings window opens.
Enter the URL for the Captive Portal and then click Next.
The Identity Awareness is Now Active window opens.
Click Finish.
Install the policy.

Identity Awareness and Remote Access

Identity Awareness for Mobile Access and IPsec VPN clients works in Office Mode for Security Gateways. The Remote Access option is included as an identity source when you enable Identity Awareness.

To enable or disable Remote Access for Identity Awareness:

In SmartConsole, go to the Gateways & Servers page and double-click the Security Gateway object.
The gateway properties window opens.
From the navigation tree, click Identity Awareness.
Select or clear Remote Access.
Click OK.
Install the policy.

Creating Access Roles

After you enable Identity Awareness, you create Access Role objects.

You can use Access Role objects as source and/or destination parameter in a rule. Access Role objects can include one or more of these objects:

Networks
Users and user groups
Computers and computer groups
Remote Access clients

To create an Access Role object:

In SmartConsole, open the Object Explorer (Ctrl+E).
Click New > Users > Access Role.
The New Access Role window opens.
Enter a Name and Comment (optional).
On the Networks page, select one of these:
- Any network
- Specific networks - Click the plus [+] sign and select a network > click the plus [+] sign next to the network name, or search for a known network
On the Users page, select one of these:
- Any user
- All identified users - Includes users identified by a supported authentication method.
- Specific users/groups - Click the plus [+] sign and select a user > click the plus [+] sign next to the username, or search for a known user or user group.
On the Machines page, select one of these:
- Any machine
- All identified machines - Includes computers identified by a supported authentication method
- Specific machines/groups - Click the plus [+] sign and select a device > click the plus [+] sign next to the device name, or search for a known device or group of devices
For computers that use Full Identity Agents, you can select (optional) Enforce IP Spoofing protection.
On the Remote Access Clients page, select one of these:
- Any Client
- Specific Client - Select the existing allowed client, or create a new allowed client.
Note - For Identity Awareness Gateways R77.xx or lower, you must select Any Client.
Click OK.

Using Identity Awareness in the Access Control Policy

The Identity Awareness Software Blade lets you configure your Access Control Policy to allow connections for users regardless of what computer they are using. Use Access Role objects in the Source column of a rule, and Identity Awareness Software Blade will identify users based on those objects. You can also configure the Accept action to redirect traffic from an unidentified user to a Captive Portal.

Sample gateway workflow with Identity Awareness

The gateway inspects traffic that starts from a source that matches the Access Role object and tries to identify the user.

If the user is identified, the traffic is allowed.
If the user is not identified, the traffic is only allowed when the user authenticates to the Captive Portal. If Captive Portal is not enabled, or the user does not authenticate, then the traffic is dropped.

Adding an Access Role to a Rule

You can add rules with Access Role objects as the Source or Destination to the Access Control policy for Security Gateways that have the Identity Awareness Software Blade enabled.

Note - Rules that use Access Role objects cannot be enforced on Security Gateways that do not have Identity Awareness enabled.

To add an Access Role object to a rule:

Select a policy from the Access Control > Policy tree.
Click the plus sign in the Source or the Destination cell of a rule.
In the window that opens, click the Filter button and select Categories > Users > Access Roles.
Click the plus sign for every Access Role object you want to add.
Install the policy.

Redirecting to a Captive Portal

You can configure rules that use Access Role objects and the Accept action with the Action Settings option, to redirect HTTP traffic to a Captive Portal. The rule allows traffic when the users that match the source Access Role object are identified. If the Enable Identity Captive Portal option is enabled, the gateway identifies users this way:

The Identity Awareness source identifies the user
The user authenticates at the Captive Portal

Rules can redirect HTTP traffic according to these parameters:

Source - Includes an Access Role object
Action - Uses Accept

To enable Captive Portal for a rule:

Right-click the Action cell and select More.
The Action Settings window opens.
Select Enable Identity Captive Portal.
Click OK.
The Action column shows accept (display captive portal).
Install the policy.

Sample Identity Awareness Rules

This table shows sample Identity Awareness rules for a Firewall Rule Base. (The VPN, Track and Time columns are not shown. Track is set to Log, and VPN and Time are set to Any.)

No.	Name	Source	Destination	Service	Action
1	CEO allow	John_Smith_ CEO	Any	Any	Accept Display Captive Portal
2	HR server allow	HR_Partners	HR_Server	Any	Accept Display Captive Portal
3	Drop non-identified HR traffic	Any	HR_Server	Any	Drop
4	Internet access	Guests All_Domain_ Users	Internet_proxy	HTTP and HTTPS proxy	Accept Display Captive Portal

CEO allow - Allows the CEO, John Smith, to access all the network resources. The CEO is identified by Identity Awareness AD Query or he authenticates to the Captive Portal.
HR server allow - Allows users that are defined in the HR_Partners Access Role object to access the HR_Server subnet. The HR users are identified by Identity Awareness AD Query or they authenticate to the Captive Portal.
Drop non-identified HR traffic - Drops all traffic to the HR_Server subnet. All authenticated users were allowed by the earlier rules.
Internet access - Allows HTTP and HTTPS traffic from the Guests and All_Domain_Users Access Role objects to the Internet. Domain users are identified by Identity Awareness or they authenticate to the Captive Portal. Guests authenticate to the Captive Portal.