UserCheck

What can I do here?

On the UserCheck page, you can create, edit, and preview UserCheck interaction objects and their messages.

Getting Here - SmartConsole > Security Policies > Access Control > Policy > Access Tools > UserCheck

UserCheck Interactions in the Access Control Policy

UserCheck objects let the Security Gateway communicate with users. Use them in the Rule Base to:

  • Help users with decisions that can be dangerous to the organization's security.

  • Share the organization's changing internet policy for Web applications and sites with users, in real-time.

If a UserCheck object is set as the action in a policy rule, the user's browser is redirected to the UserCheck web portal on port 443 or 80. The portal shows the notifications to the user.

UserCheck client adds the option to send notifications for applications that are not in a web browser. The UserCheck client can also work together with the UserCheck portal to show notifications on the computer itself when the notification cannot be displayed in a browser.

Configuring the Security Gateway for UserCheck

Enable or disable UserCheck directly on the Security Gateway. Make sure that the UserCheck is enabled on each Security Gateway in the network.

The Security Gateway has an internal persistence mechanism that preserves UserCheck notification data if the Security Gateway or cluster reboots. Records of a user answering or receiving notifications are never lost.

To configure UserCheck on a Security Gateway:

  1. In SmartConsole, click Gateways & Servers and double-click the Security Gateway.

    The Gateway Properties window opens.

  2. From the navigation tree, click UserCheck.

    The UserCheck page opens.

  3. Make sure Enable UserCheck for active blades is selected.

  4. In the UserCheck Web Portal section:

    In the Main URL field, enter the primary URL for the web portal that shows the UserCheck notifications.

    If users connect to the Security Gateway remotely, make sure that the Security Gateway internal interface (in the Network Management page) is the same as the Main URL.

    Note - The Main URL field must be manually updated if:

    • The Main URL field contains an IP address and not a DNS name.

    • You change a Security Gateway IPv4 address to IPv6 address, or the other way around.

  5. Optional: Click Aliases to add URL aliases that redirect different hostnames to the Main URL.

    The aliases must resolve to the portal IP address on the corporate DNS server.

  6. In the Certificate section, click Import to import a certificate that the portal uses to authenticate to the Security Management Server.

    By default, the portal uses a certificate from the Check Point Internal Certificate Authority (ICA). This might generate warnings if the user browser does not recognize Check Point as a trusted Certificate Authority. To prevent these warnings, import your own certificate from a recognized external authority.

  7. In the Accessibility section, click Edit to configure interfaces on the Security Gateway through which the portal can be accessed. These options are based on the topology configured for the Security Gateway. The topology must be configured.

    Users are sent to the UserCheck portal if they connect:

    • Through all interfaces

    • Through internal interfaces

      • Including undefined internal interfaces

      • Including DMZ internal interfaces

      • Including VPN encrypted interfaces - Interfaces used for establishing route-based VPN tunnels (VTIs)

    • According to the Firewall policy - Select this if there is a rule that states who can access the portal.

    If the Main URL is set to an external interface, you must set the Accessibility option to one of these:

  8. In the Mail Server section, configure a mail server for UserCheck. This server sends notifications to users that the Gateway cannot notify by other means, if the server knows the email address of the user. For example, if a user sends an email that matches a rule, the Gateway cannot redirect the user to the UserCheck portal because the traffic is not HTTP. If the user does not have a UserCheck client, UserCheck sends an email notification to the user.

    • Use the default settings - Click the link to see which mail server is configured.

    • Use specific settings for this gateway - Select this option to override the default mail server settings.

    • Send emails using this mail server - Select a mail server from the list, or click New and define a new mail server.

  9. Click OK.

  10. If there is encrypted traffic through an internal interface, add a new rule to the Firewall Layer of the Access Control Policy. This is a sample rule:

    Source | Destination                                            | VPN | Services & Applications | Action
    Any    | Security Gateway on which UserCheck client is enabled  | Any | UserCheck               | Accept

  11. Install the Access Control Policy.
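The Main URL and alias requirements in steps 4 and 5 are easy to get wrong silently (an IP literal that is no longer updated, an alias that the corporate DNS sends elsewhere). The following is an added example, not Check Point code, of a pre-change check for those conditions; the resolver is injected and the DNS answers are constructed so it runs offline.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed helper (not part of the Check Point product) that checks a
# UserCheck portal Main URL and its aliases against the guide's requirements:
#  - a Main URL that is an IP literal must be updated by hand, so flag it,
#    and flag an IPv4/IPv6 mismatch with the portal interface address;
#  - a DNS-name Main URL and every alias must resolve, on the corporate DNS,
#    to the portal IP address.
# `resolve(name)` returns a set of address strings; inject a real resolver
# (for example one built on socket.getaddrinfo) in production.

def check_portal_config(main_url, portal_ip, aliases, resolve):
    """Return a list of findings; an empty list means the settings are consistent."""
    findings = []
    parts = urlsplit(main_url)
    if parts.scheme not in ("https", "http"):
        findings.append(f"Main URL scheme {parts.scheme!r} is not https or http")
    host = parts.hostname
    if host is None:
        findings.append("Main URL has no host")
        return findings
    portal = ipaddress.ip_address(portal_ip)
    try:
        literal = ipaddress.ip_address(host)
    except ValueError:
        literal = None  # host is a DNS name
    if literal is not None:
        findings.append("Main URL uses an IP literal; it must be updated manually "
                        "if the gateway address changes")
        if literal.version != portal.version:
            findings.append(f"Main URL is IPv{literal.version} but the portal "
                            f"interface is IPv{portal.version}")
        elif literal != portal:
            findings.append(f"Main URL {literal} is not the portal address {portal}")
    elif str(portal) not in resolve(host):
        findings.append(f"Main URL host {host} does not resolve to {portal}")
    for alias in aliases:
        addrs = resolve(alias)
        if not addrs:
            findings.append(f"alias {alias} does not resolve on the corporate DNS")
        elif str(portal) not in addrs:
            findings.append(f"alias {alias} resolves to {sorted(addrs)}, not {portal}")
    return findings

# Constructed DNS answers standing in for the corporate DNS server.
FAKE_DNS = {
    "usercheck.example.com": {"10.1.1.5"},
    "portal.example.com": {"10.1.1.5"},
    "old-portal.example.com": {"10.1.1.9"},
}

def fake_resolve(name):
    return FAKE_DNS.get(name, set())
```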

Blocking Applications and Informing Users

Scenario: I want to block pornographic sites in my organization, and tell the user about the violation. How can I do this?

To block an application or category of applications and tell the user about the policy violation:

  1. In the Security Policies view of SmartConsole, go to the Access Control Policy.

  2. Choose a Layer with Applications and URL Filtering enabled.

  3. Create a rule that includes these components:

    • Services & Applications - Select the Pornography category.

    • Action - Drop, and a UserCheck Blocked Message - Access Control.

      The message informs users that their actions are against company policy and can include a link to report if the website is included in an incorrect category.

    • Track - Log

      Note - This Rule Base example contains only those columns that are applicable to this subject.

      Name       | Source | Destination | Services & Applications | Action                | Track | Install On
      Block Porn | Any    | Internet    | Pornography (category)  | Drop, Blocked Message | Log   | Policy Targets

The rule blocks traffic to pornographic sites and logs attempts to access those sites. Users who violate the rule receive a UserCheck message that informs them that the application is blocked according to company Security Policy. The message can include a link to report if the website is included in an incorrect category.

Important - A rule that blocks traffic, with the Source and Destination parameters defined as Any, also blocks traffic to and from the Captive Portal.

UserCheck for Access Control Default Messages

These are the default UserCheck messages in the Access Tools > UserCheck page of the Access Control Policy:

Name                            | Action Type | Description
Access Approval                 | Inform      |
Access Notification             | Inform      | Shows when the action for the rule is Inform. It informs users what the company policy is for that site.
Blocked Message - Access Control | Block      | Shows when the action for the rule is Block, when a request is blocked.
Cancel Page - Access Control    | Cancel      | Shows after a user gets an Inform or Ask message and clicks Cancel.
Company Policy                  | Ask         | Shows when the action for the rule is Ask. It informs users what the company policy is for that site, and they must click OK to continue to the site.

If the default UserCheck messages do not fit your needs, you can create a UserCheck Interaction Object.

For example, you can create a:

You can show these UserCheck message previews:

  • Regular view - Shows a preview of the UserCheck message on a computer.

  • Mobile - Shows a preview of the UserCheck message on a mobile device.

  • Agent - Shows a preview of the UserCheck message in the agent window.

  • Email - Shows a preview of the UserCheck message in an email.

Creating a UserCheck Interaction Object

If the default UserCheck messages do not fit your needs, you can create a UserCheck Interaction object.

To create a UserCheck object that includes a message:

  1. In the Security Policies view of SmartConsole, go to the Access Control Policy.

  2. Click Access Tools > UserCheck.

  3. Click New, and select one of these interaction modes:

    • Ask UserCheck - Show a message to users that asks them if they want to continue with the request or not.

    • Block UserCheck - Show a message to users and block the application request.

    • Inform UserCheck - Show an informative message to users. Users can continue to the application or cancel the request.

    The UserCheck Interaction window opens on the Message page.

  4. Enter a name for the UserCheck object and, optionally, a comment.

  5. Select a language (English is the default) from the Languages tabs.

  6. Enter the message content. You can:

    • Use the formatting toolbar to change text color, alignment, add or remove bullets.

    • Use the Insert field variables. These include fields for Content Awareness.

  7. In the Settings tab, configure optional settings. For example:

    • Fallback Action - For a Block action type, when UserCheck notification cannot be displayed, this action is taken.

    • External Portal - When selected, redirects the user to the specified External Portal (enter the URL), and the UserCheck message is not shown to the end user.
      Select Add UserCheck Incident ID to the URL query to log the incident.

  8. Click OK.

    This creates the UserCheck object and web page notification for the portal.

Example UserCheck Message Using Field Variables

If you define a custom UserCheck message, you can use predefined Field variables in the message.

Here is an example of a UserCheck message that you can define. This example uses some of the Insert Field variables for Application Control and Content Awareness rules; the field variables are shown in square brackets:

According to the company policy, this action is intended for work-related use only.
Details:
- [File Name] is classified as [Data Types]
- Access to [Application name]
- Category [Category]
[ ] I will use this site/application and data in accordance with company policy.
Reference: [Incident ID]

Localizing and Customizing the UserCheck Portal

After you set the UserCheck interaction object language, you can translate the Portal OK and Cancel buttons to the applicable language. For more information, see sk83700.

Some of the UserCheck predefined notifications are translated to more than one language. For example, Access Notification is translated to English, French, Spanish, and Japanese.

To support more languages:

  1. In the Security Policies view of SmartConsole, go to the Access Control Policy.

  2. Click Access Tools > UserCheck.

  3. Double-click the UserCheck object to edit it.

  4. In the Message page, click Languages.

  5. Select the Languages from the list.

UserCheck Frequency and Scope

You can set the number of times that users get UserCheck messages for accessing applications that are not permitted by the policy. You can also set if the notifications are based on accessing the rule, application category, or application itself.

To set how often UserCheck notifications show:

  1. Select the Action cell of a rule in the Access Control Policy, and click More.

  2. In the Action Settings window, select the UserCheck Frequency.

    The options are:

    • Once a day

    • Once a week

    • Once a month

    • Custom frequency

  3. Select Confirm UserCheck.

    Possible notifications are:

    • Per rule

    • Per category

    • Per application

    • Per data type

Example:

In a rule that contains:

Services & Applications    | Action
Social Networking category | Inform

If you select a UserCheck Frequency of Once a day, and Confirm UserCheck of Per rule:

A user who accesses Facebook and then LinkedIn on the same day gets one Inform message.

If you select a UserCheck Frequency of Once a day, and Confirm UserCheck of Per application:

A user who accesses Facebook and then LinkedIn on the same day gets one Inform message for Facebook and one for LinkedIn.

In new installations, the Confirm UserCheck Scope default is Per category.

In upgrades from a version before R75.40, the Confirm UserCheck default is Per Rule.
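To make the interaction between UserCheck Frequency and Confirm UserCheck scope concrete, here is an added simulation (not Check Point code) that replays constructed access events and reports which ones would trigger an Inform message. It assumes a rolling window that starts at the last shown message, that "Once a month" means 30 days, and that category, application and data type scopes are keyed on that attribute alone; the product's exact counting may differ.

```python
from datetime import datetime, timedelta

# Assumed window lengths for the UserCheck Frequency options.
FREQUENCY = {
    "Once a day": timedelta(days=1),
    "Once a week": timedelta(weeks=1),
    "Once a month": timedelta(days=30),  # assumption: 30-day window
}

# Assumed Confirm UserCheck scope keys: what makes two accesses "the same"
# for the purpose of showing the message again.
SCOPE_KEY = {
    "Per rule": lambda ev: ev["rule"],
    "Per category": lambda ev: ev["category"],
    "Per application": lambda ev: ev["application"],
    "Per data type": lambda ev: ev["data_type"],
}

def simulate(events, frequency, scope):
    """Return the events for which the user would see an Inform message.

    Each event is a dict with keys user, time (datetime), rule, category,
    application, data_type. A message is shown once per (user, scope key)
    per frequency window; the window is measured from the last shown message.
    """
    window = FREQUENCY[frequency]
    key_of = SCOPE_KEY[scope]
    last_shown = {}
    shown = []
    for ev in sorted(events, key=lambda e: e["time"]):
        key = (ev["user"], key_of(ev))
        prev = last_shown.get(key)
        if prev is None or ev["time"] - prev >= window:
            last_shown[key] = ev["time"]
            shown.append(ev)
    return shown

def _access(user, time, app):
    # Constructed access matching the guide's Social Networking / Inform rule.
    return {"user": user, "time": time, "rule": "Social Networking rule",
            "category": "Social Networking", "application": app,
            "data_type": None}

T0 = datetime(2024, 1, 1, 9, 0)
SAMPLE = [
    _access("alice", T0, "Facebook"),
    _access("alice", T0 + timedelta(hours=1), "LinkedIn"),
    _access("alice", T0 + timedelta(days=1, minutes=5), "Facebook"),
]

def messages_per_rule():
    return [e["application"] for e in simulate(SAMPLE, "Once a day", "Per rule")]

def messages_per_application():
    return [e["application"] for e in simulate(SAMPLE, "Once a day", "Per application")]
```

With the guide's example, Per rule yields one message on day one and Per application yields one for Facebook and one for LinkedIn; the next-day Facebook access is shown again in both cases because the daily window has elapsed.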

UserCheck Settings

For each UserCheck interaction object, you can configure these options from the Settings page of the UserCheck object:

  • Languages - Set a language for the UserCheck message if the language setting in the user browser cannot be determined or is not implemented. For example:

    • If the browser native language is Spanish

    • The UserCheck message is in Japanese and French

    • You select Japanese as the default language

    Then the notification displays in Japanese.

  • Fallback Action (For Action Types Ask and Inform) - Select an alternative action (allow or block) for when the UserCheck notification cannot be shown in the browser or application that caused the notification. If UserCheck determines that the notification cannot be shown in the browser or application, the behavior is:

    • If the Fallback Action is Allow (the default for Inform messages), the user is allowed to access the website or application, and the UserCheck client (if installed) shows the notification.

    • If the Fallback Action is Block, the gateway tries to show the notification in the application that caused the notification. If it cannot and the UserCheck client is installed, it shows the notification through the client. The website or application is blocked, even if the user does not see the notification.

  • External Portal - Redirect the user to External Portal - Select this to redirect users to an external portal, not on the gateway.

    • URL - Enter the URL for the external portal. The specified URL can be an external system that obtains authentication credentials from the user, such as a user name or password. It sends this information to the gateway.

    • Add UserCheck Incident ID to the URL query - An incident ID is added to the end of the URL query.

  • Conditions (For the Action Type Ask) - Select actions that must occur before users can access the application. Select one or more of these options:

    • User accepted and selected the confirm checkbox - This applies if the UserCheck message contains a checkbox (Insert User Input > Confirm Checkbox). Users must accept the text shown and select the checkbox before they can access the application.

    • User filled some textual input - This applies if the UserCheck message contains a text field (Insert User Input > Textual Input). Users must enter text in the text field before they can access the application. For example, you might require that users enter an explanation for use of the application.

UserCheck CLI

See the R81.10 CLI Reference Guide - Chapter Security Gateway Commands - Section usrchk.

Revoking Incidents

The Revoke Incidents URL can revoke a user's responses to UserCheck notifications. The URL is:

https://<IP Address of Security Gateway>/UserCheck/RevokePage

If users regret their responses to a notification and contact their administrator, the administrator can send users the URL.

After a user goes to the URL, all of the user's responses to notifications are revoked. The logs in the SmartConsole Logs & Monitor view > Logs tab show the user's activity, and that the actions were revoked afterwards.

Administrators can use the usrchk command of the CLI to revoke incidents for one user, all users, or a specified interaction object.