Getting Identities for Active Directory Users

Organizations that use Microsoft Active Directory can use AD Query, the Check Point clientless identity acquisition tool, to acquire identities. AD Query is based on Active Directory integration and is completely transparent to the user. It queries the Active Directory Security Event Logs and extracts the mapping of users and computers to network addresses from them, using Windows Management Instrumentation (WMI), a standard Microsoft protocol. The Check Point Security Gateway communicates directly with the Active Directory domain controllers and does not require a separate server. No installation is necessary on the clients or on the Active Directory server.

When you set the AD Query option to get identities, you are configuring clientless employee access for all Active Directory users. To enforce access options, create rules in the Firewall Rule Base that contain Access Role objects. An Access Role object defines users, computers and network locations as one object: it lets you configure network access according to networks, users and user groups, computers and computer groups, and Remote Access Clients. After you activate the Identity Awareness Software Blade, you can create Access Role objects and use them in the Source and Destination columns of Access Control Policy rules.

Active Directory users that log in and are authenticated get seamless access to resources, based on the Firewall rules.

Scenario: Laptop Access

Description:

James Wilson is an HR partner in the ACME organization. ACME IT wants to limit access to HR servers to designated IP addresses to minimize malware infection and unauthorized access risks. Thus, the Security Gateway policy permits access only from James' desktop, which is assigned the static IP address 10.0.0.19.

He received a laptop and wants to access the HR Web Server from anywhere in the organization. The IT department gave the laptop a static IP address, but that limits him to operating it only from his desk. The current Rule Base contains a rule that lets James Wilson access the HR Web Server from his laptop with a static IP (10.0.0.19).

| Name | Source | Destination | VPN | Service | Action | Track |
|---|---|---|---|---|---|---|
| Jwilson to HR Server | Jwilson | HR_Web_Server | Any Traffic | Any | accept | Log |

He wants to move around the organization and continue to have access to the HR Web Server.

To make this scenario work, the IT administrator does these steps:

  1. Enables Identity Awareness on a Security Gateway, selects AD Query as one of the Identity Sources and installs the policy.

  2. Checks the logs in the Logs & Monitor view of SmartConsole to make sure the system identifies James Wilson in the logs.

  3. Adds an Access Role object to the Firewall Rule Base that lets James Wilson access the HR Web Server from any computer and from any location.

  4. Sees how the system tracks the actions of the Access Role in the Logs & Monitor view of SmartConsole.

User Identification in the Logs:

The logs in the Logs & Monitor view of SmartConsole show that the system recognizes James Wilson as the user behind IP 10.0.0.19. This log entry shows that the system maps the source IP to the user James Wilson from CORP.ACME.COM. This uses the identity acquired from AD Query.

Note - AD Query maps users based on their AD activity. This can take some time and depends on user activity. If James Wilson is not identified (the IT administrator does not see the log), he should lock and unlock the computer.

Using Access Roles:

To let James Wilson access the HR Web Server from any computer, change the rule in the Access Control Policy Rule Base. Create an Access Role for James Wilson (see Creating Access Roles), from any network and any computer. In the rule, change the source object to the Access Role object (for example, HR_Partner).

| Name | Source | Destination | VPN | Services & Applications | Action | Track |
|---|---|---|---|---|---|---|
| HR Partner Access | HR_Partner | HR_Web_Server | Any | Any | accept | None |

Install the policy. You can now remove the static IP address from the laptop of James Wilson and give it a dynamic IP address. Because James Wilson is configured in the HR_Partner Access Role, the Security Gateway lets him access the HR Web Server from his laptop with a dynamic IP address.
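The following is an added example, not Check Point's code, that ties the two halves of this page together: it builds a user-to-IP identity map from constructed Windows Security-log records (the data AD Query reads from the domain controllers over WMI) and then evaluates both the original static-IP rule and the HR_Partner Access Role rule against that map. The event layout (ID 4624 with flat field names), the 8-hour mapping timeout and the HR_Web_Server address 10.0.5.10 are assumptions; none of them come from the page.

```python
"""Added example (not Check Point's code): identity map from constructed logon
events, plus first-match rule evaluation with an Access Role as the source.
Assumed: event ID 4624 with the flat field names below, an 8-hour mapping
timeout, and 10.0.5.10 as the HR_Web_Server address."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address
from typing import Optional

@dataclass(frozen=True)
class Identity:
    user: str       # account name, lower-cased
    domain: str
    computer: str   # workstation name from the logon event
    seen: datetime  # time of the latest logon event for this IP

# Constructed sample records; the flat field names are an assumption (a real
# WMI event object carries these values as insertion strings). Not real data.
SAMPLE_EVENTS = [
    {"EventCode": 4624, "TimeGenerated": "2024-05-01T08:02:11", "TargetUserName": "jwilson",
     "TargetDomainName": "CORP", "WorkstationName": "JWILSON-DESKTOP", "IpAddress": "10.0.0.19"},
    {"EventCode": 4624, "TimeGenerated": "2024-05-01T08:02:12", "TargetUserName": "JWILSON-LAPTOP$",
     "TargetDomainName": "CORP", "WorkstationName": "JWILSON-LAPTOP", "IpAddress": "10.0.0.57"},
    {"EventCode": 4624, "TimeGenerated": "2024-05-01T08:03:40", "TargetUserName": "jwilson",
     "TargetDomainName": "CORP", "WorkstationName": "JWILSON-LAPTOP", "IpAddress": "-"},
    {"EventCode": 4624, "TimeGenerated": "2024-05-01T09:15:02", "TargetUserName": "jwilson",
     "TargetDomainName": "CORP", "WorkstationName": "JWILSON-LAPTOP", "IpAddress": "10.0.0.57"},
]

def build_identity_map(events, now, ttl=timedelta(hours=8)):
    """Map source IP -> Identity from successful logon events, in time order.
    Skips machine accounts ('$' suffix), events with no usable network address,
    and events older than ttl. A later event for the same IP replaces the
    earlier one, so the map follows the user when the address changes."""
    ids = {}
    for ev in sorted(events, key=lambda e: e["TimeGenerated"]):
        if ev["EventCode"] != 4624 or ev["TargetUserName"].endswith("$"):
            continue
        try:
            ip = str(ip_address(ev["IpAddress"]))
        except ValueError:
            continue  # "-": local logon, nothing to map to an address
        seen = datetime.fromisoformat(ev["TimeGenerated"])
        if now - seen > ttl:
            continue  # stale: the user may have moved since this logon
        ids[ip] = Identity(ev["TargetUserName"].lower(), ev["TargetDomainName"].upper(),
                           ev["WorkstationName"], seen)
    return ids

@dataclass(frozen=True)
class AccessRole:
    """Users, computers and networks in one object; None means 'any'."""
    name: str
    users: Optional[frozenset] = None
    computers: Optional[frozenset] = None
    networks: Optional[tuple] = None  # tuple of ipaddress network objects

    def matches(self, src_ip, ident):
        if self.networks is not None and not any(ip_address(src_ip) in n for n in self.networks):
            return False
        # With no identity for this IP, a user or computer condition cannot match.
        if self.users is not None and (ident is None or ident.user not in self.users):
            return False
        if self.computers is not None and (ident is None or ident.computer not in self.computers):
            return False
        return True

@dataclass(frozen=True)
class Rule:
    name: str
    source: object          # AccessRole, or a frozenset of source IP strings
    destination: frozenset  # destination IP strings
    action: str

def evaluate(rule_base, src_ip, dst_ip, identities):
    """First-match evaluation; the implicit cleanup rule drops unmatched traffic."""
    ident = identities.get(src_ip)
    for rule in rule_base:
        if isinstance(rule.source, AccessRole):
            src_ok = rule.source.matches(src_ip, ident)
        else:
            src_ok = src_ip in rule.source
        if src_ok and dst_ip in rule.destination:
            return rule.name, rule.action
    return "Cleanup", "drop"

HR_WEB = "10.0.5.10"  # constructed address for HR_Web_Server
HR_PARTNER = AccessRole("HR_Partner", users=frozenset({"jwilson"}))  # any network, any computer
STATIC_RULE = Rule("Jwilson to HR Server", frozenset({"10.0.0.19"}), frozenset({HR_WEB}), "accept")
ROLE_RULE = Rule("HR Partner Access", HR_PARTNER, frozenset({HR_WEB}), "accept")

def sample_identity_map():
    return build_identity_map(SAMPLE_EVENTS, datetime.fromisoformat("2024-05-01T10:00:00"))

def demo():
    ids = sample_identity_map()
    return {
        "static_rule_desktop": evaluate([STATIC_RULE], "10.0.0.19", HR_WEB, ids),
        "static_rule_laptop": evaluate([STATIC_RULE], "10.0.0.57", HR_WEB, ids),
        "role_rule_laptop": evaluate([ROLE_RULE], "10.0.0.57", HR_WEB, ids),
        "role_rule_unidentified": evaluate([ROLE_RULE], "10.0.0.88", HR_WEB, ids),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running `demo()` shows the point of the scenario: the static-IP rule accepts the desktop at 10.0.0.19 but drops the laptop at 10.0.0.57, while the Access Role rule accepts the laptop because the identity map ties that address to jwilson. The last case is the one the note above the rule table warns about: an address with no logon event behind it (10.0.0.88) has no identity, so a user-based Access Role cannot match it and the traffic is dropped until the user's AD activity produces a mapping.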