Configuring UserCheck

Enable or disable UserCheck directly on the Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources.. When UserCheck is enabled, the user's Internet browser shows the UserCheck messages in a new window. If users connect to the Security Gateway remotely, set the internal interface of the Security Gateway (on the Topology page) to be the same as the Main URL for the UserCheck Portal.

To configure UserCheck on a Security Gateway

Step

Instructions

From the left navigation panel, click Gateways & Servers.

Double-click the Security Gateway / Cluster Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing. object.

In the left panel, click UserCheck.

Select Enable UserCheck for active blades.

In the UserCheck Web Portal section, the Main URL field shows the primary URL for the web portal that shows the UserCheck notifications.

You can use the suggested Main URL or manually enter a different Main URL.

Optional:

Click Aliases to add URL aliases that redirect different hostnames to the Main URL.

For example: usercheck.mycompany.com

The aliases must be resolved to the portal IP address on the corporate DNS server.

In the Certificate section, click Import to import a certificate that the portal uses to authenticate to the Security Management Server Dedicated Check Point server that runs Check Point software to manage the objects and policies in a Check Point environment within a single management Domain. Synonym: Single-Domain Security Management Server..

By default, the portal uses a certificate from the Check Point Internal Certificate Authority (ICA Internal Certificate Authority. A component on Check Point Management Server that issues certificates for authentication.).

This might generate warnings if the user browser does not recognize Check Point as a trusted Certificate Authority.

To prevent these warnings, import your own certificate from a recognized external authority.

Note - After you download your certificate, you can click Replace to replace it with a different certificate, and click View to see the certificate information.

In the Accessibility section, click Edit to configure interfaces on the Security Gateway through which the portal can be accessed.

These options are based on the topology configured in the Security Gateway object.

You must configure the topology settings on the Network Manegment page.

Select the applicable option when the Security Gateway must send users to the UserCheck Portal based on how they connect:

Through all interfaces
Through internal interfaces (default)
- Including undefined internal interfaces
- Including DMZ internal interfaces
- Including VPN encrypted interfaces (default)
  
  Applies to interfaces used for establishing route-based VPN tunnels (VTIs)
According to the Firewall Policy

Select this option if there is an Access Control rule Set of traffic parameters and other conditions in a Rule Base (Security Policy) that cause specified actions to be taken for a communication session. that determinces who can access the UserCheck Portal.

If the Main URL is set to an external interface, you must set the Accessibility to one of these:

Through all interfaces

You must select this option if this is a VSX Gateway Physical server that hosts VSX virtual networks, including all Virtual Devices that provide the functionality of physical network devices. It holds at least one Virtual System, which is called VS0. / VSX Virtual System Extension. Check Point virtual networking solution, hosted on a computer or cluster with virtual abstractions of Check Point Security Gateways and other network devices. These Virtual Devices provide the same functionality as their physical counterparts. Cluster.
According to the Firewall Policy

UserCheck Client - The UserCheck Client is installed on user devices to communicate with the Security Gateway and show UserCheck Interaction notifications to users.

Activate UserCheck Client support

This enables UserCheck through the UserCheck Client.

Download Client

This downloads the installation file for the UserCheck Client.

Note - The link is not active until the UserCheck Portal is up.

See the R81.20 Quantum Security Gateway Guide > Chapter "UserCheck Client".

In the Mail Server section, configure a mail server for UserCheck.

This server sends notifications to users that the Security Gateway cannot notify using other means, if the server knows the email address of the user.

For example, if a user sends an email which matched on a rule, the Security Gateway cannot redirect the user to the UserCheck Portal because the traffic is not HTTP.

If the user does not have a UserCheck Client, UserCheck sends an email notification to the user.

Use the default settings

Click the link to see which mail server is configured.
Use specific settings for this gateway

Select this option to override the default mail server settings.
Send emails using this mail server

Select a mail server from the list, or click New and define a new mail server.

Click OK to close the Security Gateway / Cluster object.

If there is encrypted traffic through an internal interface, add a new rule to the Firewall Layer of the Access Control Policy.

Example rule:

Source

Destination

VPN

Services & Applications

Action

Any

Security Gateway

on which

UserCheck Client

is enabled

Any

UserCheck

Install the Access Control Policy to enable UserCheck for these Access Control Software Blades.

Install the Threat Prevention Policy to enable UserCheck for these Threat Prevention Software Blades:

UserCheck CLI

See the R81.20 CLI Reference Guide - Chapter "Security Gateway Commands" - Section "usrchk".