
UserCheck Objects and Clients for DLP

In This Section:

Creating UserCheck Interaction Objects

Configuring the Security Gateway for UserCheck

Configuring R80 SmartConsole for DLP SSO

Localizing and Customizing the UserCheck Portal

UserCheck Client Overview

Enabling UserCheck Client

Getting the MSI File

UserCheck and Check Point Password Authentication

Creating UserCheck Interaction Objects

Create a UserCheck Interaction object from the Rule Base or from the UserCheck page of the DLP tab. The procedure below shows how to create the object from the Rule Base in SmartDashboard.

Note - You can only edit DLP UserCheck objects in SmartDashboard. You cannot create or edit them in R80 SmartConsole.

To create a UserCheck object that includes a message:

  1. In R80 SmartConsole, select Security Policies > Shared Policies > DLP and click Open DLP Policy in SmartDashboard.

    SmartDashboard opens and shows the DLP tab.

  2. From the navigation tree, click Policy.

    The Action column uses these interaction modes:

    • Inform user - Show an informative message to users. Users can continue to the application or cancel the request.
    • Ask user - Show a message that asks users whether they want to continue with the request. To continue with the request, the user is expected to supply a reason.
    • Prevent - Show a message to users and block the application request.
  3. Right-click the cell for the rule and select the interaction mode > New.

    You can also double-click an existing interaction mode to edit it.

    The UserCheck Interaction window opens on the Message page.

  4. Enter a name for the UserCheck object and, optionally, a comment.
  5. Select a language (English is the default) from the Languages tabs.
  6. Click Add logo to add a graphic, such as a company logo.

    Note - The graphic must have a height and width of 176 x 52 pixels.

  7. Click the text box adjacent to the picture and enter title text for the message.
  8. In the page title, message subject, and message body text boxes, enter the message content. You can:
    1. Use the formatting toolbar to change text color and alignment, and to add or remove bullets.
    2. Insert field variables for:
      • Username
      • Original URL
      • Source IP
      • Incident ID
      • Violation protocol
      • Email subject / File name
      • Matched Rules Notifications

      Variables are replaced with applicable values when the (Prevent, Ask, Inform) action occurs and the message shows. The Username can only be displayed if the Identity Awareness blade is enabled.

    3. Use the Insert User Input variable to add a:
      • Confirm checkbox - Users select a checkbox to continue
      • Textual Input - Users can enter an explanation for their activity or other text according to the instructions. Edit the default text in the Textual Input box based on your business needs.
      • Wrong report category - Users can click a link to report that an incorrect category was included in the message. Use this field with the Category variable.
  9. Optional: Click Preview in browser to see the results in your default browser.
  10. Click OK.
  11. Click Save and then close SmartDashboard.
  12. From R80 SmartConsole, install the policy.

Configuring the Security Gateway for UserCheck

Enable or disable UserCheck directly on the Security Gateway. If users connect to the gateway remotely, set the internal interface of the gateway (on the Topology page) to be the same as the Main URL for the UserCheck portal.

Note - The Main URL field must be manually updated if:

To configure a Security Gateway for UserCheck:

  1. In R80 SmartConsole, click Gateways & Servers and double-click the Security Gateway.

    The gateway window opens and shows the General Properties page.

  2. From the navigation tree, click UserCheck.
  3. Click Enable UserCheck for active blades.
  4. In the Main URL field, select the primary URL for the web portal that shows the UserCheck notifications.
  5. If the Main URL points to an external interface:
    1. In the Accessibility section, click Edit.
    2. In the Accessibility window, click the applicable setting:
      • Through all interfaces
      • According to the firewall policy
    3. Click OK.
  6. If necessary, click Aliases to add URL aliases that redirect different hostnames to the Main URL.

    For example: Usercheck.mycompany.com. The aliases must resolve to the portal's IP address on the corporate DNS server.

  7. In the Certificate area, click Import to import a certificate that the portal uses to authenticate to the server.
  8. In the Accessibility area, click Edit to configure interfaces on the gateway through which the portal can be accessed. These options are based on the topology configured for the gateway. Users are sent to the UserCheck portal if they connect:
    • According to the Firewall policy. Select this option if there is a rule that states who can access the portal.
    • Through all interfaces
    • Through internal interfaces (default)
      • Including undefined internal interfaces
      • Including DMZ internal interfaces
      • Including VPN encrypted interfaces (default)

    Note - If Including VPN encrypted interfaces is selected, add a Firewall rule that looks like this:

    Source | Destination                                  | VPN         | Service   | Action
    Any    | Gateway on which UserCheck client is enabled | Any Traffic | UserCheck | Accept

  9. In the UserCheck Client area, select Activate UserCheck Client Support.
    • The UserCheck client enables user interaction notifications.
    • Click Download Client to download the installation file for the UserCheck client.

      Note - The link will not be active until the UserCheck portal is up.

  10. Click OK.
  11. Publish the changes and install policy.
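Step 6 of the procedure above requires every URL alias to resolve to the portal's IP address on the corporate DNS server, and step 7 imports the certificate the portal presents to users. The following pre-flight check is an added example, not Check Point code: it resolves each alias, compares the result with the expected portal IP, and confirms that the certificate's subjectAltName covers the alias (a browser warns the user when it does not). The DNS answers and the certificate dictionary below are constructed sample data; the certificate follows the shape that Python's ssl.SSLSocket.getpeercert() returns, so a real certificate dictionary can be passed in the same way.

```python
"""Pre-flight check for UserCheck portal aliases (added example, not Check Point code)."""
import socket
from typing import Callable, Dict, List, Sequence, Tuple

# Shape matches ssl.SSLSocket.getpeercert(): {"subjectAltName": (("DNS", "host"), ...)}
CertDict = Dict[str, Sequence[Tuple[str, str]]]

# Constructed sample data: what the corporate DNS would answer, and the
# subjectAltName of the certificate imported for the portal.
CONSTRUCTED_DNS = {
    "usercheck.mycompany.com": "10.0.0.1",  # correct alias
    "dlp.mycompany.com": "10.0.0.9",        # points at the wrong host
}
CONSTRUCTED_CERT: CertDict = {
    "subjectAltName": (("DNS", "usercheck.mycompany.com"), ("DNS", "*.mycompany.com")),
}
PORTAL_IP = "10.0.0.1"  # constructed: the IP the Main URL resolves to


def san_matches(hostname: str, pattern: str) -> bool:
    """Match a hostname against one DNS SAN entry.

    A wildcard is honoured only as the whole leftmost label and covers
    exactly one label (RFC 6125 style): '*.mycompany.com' covers
    'usercheck.mycompany.com' but not 'a.b.mycompany.com'.
    """
    host = hostname.lower().rstrip(".")
    pat = pattern.lower().rstrip(".")
    if not pat.startswith("*."):
        return host == pat
    host_labels = host.split(".")
    pat_labels = pat.split(".")
    if len(host_labels) != len(pat_labels):
        return False
    return host_labels[1:] == pat_labels[1:]


def cert_covers(hostname: str, cert: CertDict) -> bool:
    """True if any DNS SAN entry in the certificate covers the hostname."""
    return any(kind == "DNS" and san_matches(hostname, value)
               for kind, value in cert.get("subjectAltName", ()))


def check_aliases(portal_ip: str, aliases: Sequence[str], cert: CertDict,
                  resolve: Callable[[str], str] = socket.gethostbyname) -> Dict[str, List[str]]:
    """Return {alias: [problems]}; an empty list means the alias is usable.

    `resolve` defaults to the system resolver; pass a lookup function to
    test against constructed answers without network access.
    """
    report: Dict[str, List[str]] = {}
    for alias in aliases:
        problems: List[str] = []
        try:
            ip = resolve(alias)
        except OSError as exc:  # socket.gaierror is a subclass of OSError
            problems.append(f"does not resolve: {exc}")
        else:
            if ip != portal_ip:
                problems.append(f"resolves to {ip}, expected {portal_ip}")
        if not cert_covers(alias, cert):
            problems.append("not covered by certificate subjectAltName")
        report[alias] = problems
    return report


def constructed_resolve(name: str) -> str:
    """Lookup against the constructed DNS table; unknown names fail like a real resolver."""
    try:
        return CONSTRUCTED_DNS[name]
    except KeyError:
        raise socket.gaierror(f"no such host: {name}")


def run_demo() -> Dict[str, List[str]]:
    """Check three constructed aliases against the constructed DNS and certificate."""
    aliases = ["usercheck.mycompany.com", "dlp.mycompany.com", "portal.other.com"]
    return check_aliases(PORTAL_IP, aliases, CONSTRUCTED_CERT, resolve=constructed_resolve)


if __name__ == "__main__":
    for alias, problems in run_demo().items():
        print(alias, "OK" if not problems else "; ".join(problems))
```

Run it as-is to see the constructed cases; to check a real deployment, call check_aliases with the portal IP, the alias list, and the dictionary returned by getpeercert() from a TLS connection to the portal, leaving the default resolver in place.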

Configuring R80 SmartConsole for DLP SSO

Configure the object in R80 SmartConsole for an LDAP Account Unit to support SSO.

To create a host object for the AD server:

  1. In R80 SmartConsole, click Objects > Object Explorer (Ctrl+E).
  2. Click New > Host.
  3. Configure the settings for the host.
  4. Click OK and publish the changes.

To configure the LDAP account unit:

  1. From the Object Explorer, click New > Server > LDAP Account Unit.
  2. In the General tab of the LDAP Account Unit Properties window, enter these settings:
    1. Enter the Name.
    2. In Profile, select Microsoft_AD.
    3. In the Domain field, enter the domain name.

      We recommend that you configure this field for existing account units that you want to use for Identity Awareness. This setting does not affect other LDAP Account Units.

    4. Select CRL retrieval and User management.
  3. Click Active Directory SSO configuration.
  4. In the Active Directory SSO configuration window, configure these settings:
    1. Select Use Kerberos Single Sign On.
    2. Enter the Domain Name.
    3. Enter the Account Name and Password for the AD account.
    4. Do not change the default settings for Ticket encryption method.
    5. Click OK.
  5. Configure these settings in the Servers tab:
    1. Click Add.
    2. In Host, select the host object for the AD server.
    3. Enter the Login DN of the user (added in the AD) for LDAP operations.
    4. Enter the Password and confirm it.
    5. In the Check Point Gateways are allowed to section, make sure that Read data from this server is selected.
  6. Click the Encryption tab, and configure these settings:
    1. Click Use Encryption (SSL).
    2. Click Fetch.
    3. Click OK.

    Note - LDAP over SSL is not supported by default. If you have not configured your domain controller to support LDAP over SSL, either skip step 6 or configure your domain controller to support LDAP over SSL.

  7. Click the Objects Management tab, and configure these settings:
    1. In the Manage objects on field, select the host object for the AD server.
    2. Click Fetch Branches to configure the branches in use.
    3. Set the number of entries supported.
  8. Click the Authentication tab, and configure these settings:
    1. In the User's default values section, click Default authentication scheme.
    2. Select Check Point Password.
  9. Click OK and publish the changes.

Localizing and Customizing the UserCheck Portal

After you set the UserCheck interaction object language, you can translate the Portal OK and Cancel buttons to the applicable language. For more information, see: sk83700.

The DLP UserCheck predefined notifications are only in English by default. If necessary, you can add more languages manually.

To support more languages for UserCheck:

  1. In R80 SmartConsole, select Security Policies > Shared Policies > DLP and click Open DLP Policy in SmartDashboard.

    SmartDashboard opens and shows the DLP tab.

  2. From the navigation tree, click UserCheck.
  3. Select a UserCheck interaction object and click Edit.
  4. In the Message pane, click Languages.
  5. From the list, select the applicable language.
  6. Click OK.

    A tab for the language is added.

  7. Enter the necessary text and click OK.

UserCheck Client Overview

The UserCheck client is installed on endpoint computers to communicate with the gateway and show UserCheck interaction notifications to users. It works with these Software Blades:

DLP - Notifications of DLP incidents can be sent by email (for SMTP traffic) or shown in a popup from the UserCheck client in the system tray (for SMTP, HTTP and FTP).

Users select an option in the notification message to respond in real-time.

For DLP, administrators with full permissions or the View/Release/Discard DLP messages permission can also send or discard incidents from the R80 SmartConsole Logs & Monitor view Logs tab.

Workflow for installing and configuring UserCheck clients:

  1. Configure how the clients communicate with the gateway and create trust with it.
  2. Enable UserCheck and the UserCheck client on the gateway.
  3. Download the UserCheck client MSI file.
  4. Install the UserCheck client on the endpoint computers.
  5. Make sure that the UserCheck clients can connect to the gateway and receive notifications.

Enabling UserCheck Client

Enable UserCheck and the UserCheck client on the gateway in the Properties window of the gateway object in R80 SmartConsole. This is necessary to let clients communicate with the gateway.

To enable UserCheck and the UserCheck client on the gateway:

  1. In R80 SmartConsole, click Gateways & Servers and double-click the Security Gateway.

    The gateway window opens and shows the General Properties page.

  2. From the navigation tree, click UserCheck.
  3. Select Enable UserCheck for active blades.

    This enables UserCheck notifications from the gateway.

  4. In the UserCheck Client section, select Activate UserCheck Client support.

    This enables UserCheck notifications from the client.

  5. Click OK and publish the changes.
  6. Install the policy on the gateway.

Getting the MSI File

To get the MSI file:

  1. In R80 SmartConsole, in the Gateways & Servers view, open the General Properties window of the gateway object.
  2. From the navigation tree, select UserCheck.
  3. In the UserCheck Client section, click Download Client.

    Important - Before you can download the client MSI file, the UserCheck portal must be up. The portal is up only after a Policy installation.

UserCheck and Check Point Password Authentication


You can see and edit Check Point users from Users and Administrators in the navigation tree.

To enable Check Point password authentication:

R80 SmartConsole Configuration

  1. Open R80 SmartConsole and open the Manage & Settings view.
  2. Click Permissions & Administrators > Administrators, and select an existing user or create a new user.
  3. In the General Properties page of the user, make sure that an email address is defined.
  4. In the Authentication Properties page of the user, set Authentication Scheme to Check Point Password and enter the password and password confirmation.
  5. Click OK.

UserCheck Client Configuration

Ask your users to configure their UserCheck client:

  1. On the UserCheck client computer, right-click the UserCheck icon in the Notification Area (next to the system clock).
  2. Select Settings.
  3. Click Advanced.
  4. Select Authentication with Check Point user accounts defined internally in R80 SmartConsole.