Working with UserCheck

In This Section: Configuring the Security Gateway for UserCheck Revoking Incidents

Configuring the Security Gateway for UserCheck

Enable or disable UserCheck directly on the Security Gateway. Make sure that the UserCheck is enabled on each Security Gateway in the network.

The Security Gateway has an internal persistence mechanism that preserves UserCheck notification data if the Security Gateway or cluster reboots. Records of a user answering or receiving notifications are never lost.

To configure UserCheck on a Security Gateway:

1. In R80 SmartConsole, click Gateways & Servers and double-click the Security Gateway.

   The Gateway Properties window opens.

2. From the navigation tree, click UserCheck.

   The UserCheck page opens.

3. Make sure Enable UserCheck for active blades is selected
4. In the UserCheck Web Portal section:

   In the Main URL field, enter the primary URL for the web portal that shows the UserCheck notifications.

   If users connect to the Security Gateway remotely, make sure that the Security Gateway internal interface (in the Network Management page) is the same as the Main URL.

   Note - The Main URL field must be manually updated if:

   • The Main URL field contains an IP address and not a DNS name.
   • You change a gateway IPv4 address to IPv6 or vice versa.
5. Optional: Click Aliases to add URL aliases that redirect different hostnames to the Main URL.

   The aliases must be resolved to the portal IP address on the corporate DNS server

6. In the Certificate section, click Import to import a certificate that the portal uses to authenticate to the Security Management Server.

   By default, the portal uses a certificate from the Check Point Internal Certificate Authority (ICA). This might generate warnings if the user browser does not recognize Check Point as a trusted Certificate Authority. To prevent these warnings, import your own certificate from a recognized external authority.

7. In the Accessibility section, click Edit to configure interfaces on the Security Gateway through which the portal can be accessed. These options are based on the topology configured for the Security Gateway. The topology must be configured.

   Users are sent to the UserCheck portal if they connect:

   • Through all interfaces
   • Through internal interfaces (default)
     • Including undefined internal interfaces
     • Including DMZ internal interfaces
     • Including VPN encrypted interfaces (default)

     Note: Make sure to add a rule to the Firewall Rule Base that allows the encrypted traffic.

   • According to the Firewall Policy. Select this option if there is a rule that states who can access the portal.

   If the Main URL is set to an external interface, you must set the Accessibility option to one of these:

   • Through all interfaces - necessary in VSX environment
   • According to the Firewall Policy
8. Click OK.
9. If there is encrypted traffic through an internal interface, add a new rule to the Firewall Layer of the Access Control Policy. This is a sample rule:

   Source	Destination	VPN	Services & Applications	Action
   Any	Security Gateway on which UserCheck client is enabled	Any	UserCheck	Accept

10. Install the Access Control Policy.

Revoking Incidents

The Revoke Incidents URL can revoke a user's responses to UserCheck notifications. The URL is:

://<IP of gateway>/UserCheck/RevokePage

If users regret their responses to a notification and contact their administrator, the administrator can send users the URL.

After a user goes to the URL, all of the user's responses to notifications are revoked. The logs in the R80 SmartConsole Logs & Monitor view Logs tab will show the user's activity, and that the actions were revoked afterwards.

Administrators can use the usrchk command of the CLI to revoke incidents for one user, all users, or a specified interaction object.