Enabling Identity Awareness on the Security Gateway
When you enable the Identity Awareness Software Blade (IDA) on a Security Gateway, the Identity Awareness Configuration wizard opens. You can use the wizard to configure one Security Gateway that uses these methods to acquire identities:
- AD Query - a clientless identity acquisition method based on Active Directory integration that is completely transparent to the user. The Security Gateway queries the Security Event Logs of the Active Directory domain controllers over Windows Management Instrumentation (WMI), a standard Microsoft protocol, and extracts the mapping of users and computers to network addresses from the logon events. The Security Gateway communicates directly with the domain controllers, does not require a separate server, and needs no installation on the clients or on the domain controllers.
- Browser-Based Authentication - authentication of users in the Captive Portal, the Identity Awareness web portal to which users connect with their web browser to log in and authenticate.
- Terminal Servers.
You cannot use the wizard to configure an environment with multiple Security Gateways, or to configure these other methods for acquiring identities:
- Identity Agents - dedicated client agents that the administrator (not the end user) installs on Windows-based endpoint computers. The Identity Agent acquires identities and reports them to the Identity Awareness Security Gateway. There are two types of Identity Agents, Full and Light. You can download the Full and Light Identity Agent packages from the Captive Portal ('https://<Gateway_IP_Address>/connect') or from the Support Center.
- Remote Access.
When you complete the wizard and install the Access Control Policy, the system is ready to monitor Identity Awareness. You can see the logs for user and computer identity in SmartConsole, in the Logs & Monitor > Logs tab. Select the Access Control columns profile to show the identity columns for these events.
To enable the Identity Awareness Software Blade on a Security Gateway, you must select Identity Sources and configure an Active Directory Domain.
Selecting Identity Sources
Procedure:
- Log in to SmartConsole.
- From the left navigation Toolbar, click Gateways & Servers.
- Double-click the Security Gateway or Security Cluster object.
- On the Network Security tab, select Identity Awareness.
  The Identity Awareness Configuration wizard opens.
- On the Methods For Acquiring Identity page, select the applicable Identity Sources.
  Notes:
  - After completing this wizard, you can select additional Identity Sources (see Identity Sources).
  - When you enable Browser-Based Authentication on a Security Gateway that runs on an IP Series appliance with IPSO OS, make sure to set the Voyager management application port to a number other than 443 or 80.
- Click Next.
  The Integration With Active Directory page opens. You can select or configure an Active Directory Domain.
Configuring an Active Directory Domain
Best Practice - We highly recommend that you open the LDAP Account Unit and make sure that only the necessary domain controllers are in the LDAP Servers list. If AD Query does not need to work with some of the domain controllers, delete them from the list.
Procedure:
- From the Select an Active Directory list, do one of these:
  - Select the Active Directory to configure from the list of configured LDAP Account Units.
  - Create a new domain. If you have not set up Active Directory, you need to enter a domain name, username, password, and domain controller credentials.
    When the SmartConsole client computer is part of the AD domain, SmartConsole suggests this domain automatically. If you select this domain, the system creates an LDAP Account Unit with all of the domain controllers in the organization's Active Directory.
  Note - If the SmartConsole computer is part of the domain, the wizard fetches all the domain controllers of the domain and configures all of them. If you create a new domain and the SmartConsole computer is not part of the domain, the LDAP Account Unit that the system creates contains only the domain controller you set manually. If AD Query must fetch data from other domain controllers, add them manually to the LDAP Servers list after you complete the wizard.
  To view or edit the LDAP Account Unit object, open the Object Explorer (CTRL + E) and select Servers > LDAP Account Units in the Categories tree. The LDAP Account Unit name syntax is <domain name>__AD, for example CORP.ACME.COM__AD.
- Enter the Active Directory credentials and click Connect to verify the credentials.
  Important - For AD Query you must enter domain administrator credentials. For Browser-Based Authentication, standard credentials are sufficient.
- Optional: If you selected Browser-Based Authentication or Terminal Servers, or do not wish to configure Active Directory, select I do not wish to configure Active Directory at this time and click Next.
- Click Next.
  If you selected Browser-Based Authentication on the Methods For Acquiring Identity page, the Browser-Based Authentication Settings page opens.
- In the Browser-Based Authentication Settings page, select a URL for the portal, to which unidentified users are redirected.
  The list shows all IP addresses configured for the Security Gateway. The IP address selected by default is the Security Gateway main IP address. The same IP address can be used for other portals with different paths. For example:
  - Identity Awareness Browser-Based Authentication - 192.0.2.2/connect
  - DLP Portal - 192.0.2.2/DLP
  - Mobile Access Portal - 192.0.2.2/sslvpn
  By default, access to the portal is only through internal interfaces. To change this, click Edit. On a perimeter Security Gateway, we recommend that you allow access to the Captive Portal only through internal interfaces.
- Click Next.
  The Identity Awareness is Now Active page opens with a summary of the acquisition methods.
  If you selected Terminal Servers, the page includes a link to download the agent (see the Identity Awareness Clients Administration Guide).
- Click Finish.
- Optional: In the Security Gateway or Security Cluster object, go to the Identity Awareness page and configure the applicable settings.
- Click OK.
- Install the Access Control Policy.
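The following PowerShell script is an added example; it is not part of this guide and not Check Point code. Run it from a domain-joined Windows computer before you give the credentials to the wizard: it checks that the account can read the Security event log of a domain controller over WMI (DCOM), which is the path AD Query uses, and it prints the user and computer to IP address mapping that the logon events carry, so you can see the kind of data AD Query extracts and confirm the domain controller actually logs it. The domain controller name, the account, the time window and the choice of event ID 4624 (successful logon) are assumptions made for this example; the guide does not list which event IDs the Security Gateway reads.

```powershell
# Added example (not Check Point code): verify WMI read access to a domain
# controller's Security log with the account intended for AD Query, and show
# the user/computer -> IP mapping carried by successful-logon events.
# $DomainController and $MinutesBack are assumptions; adjust for your domain.
param(
    [string]$DomainController = "dc1.corp.acme.com",   # assumption
    [int]$MinutesBack = 30
)

$cred = Get-Credential -Message "Account to be used for AD Query (the wizard requires domain administrator credentials)"

# WMI stores TimeGenerated as a DMTF datetime string; build the WQL filter from a DateTime.
$since  = [System.Management.ManagementDateTimeConverter]::ToDmtfDateTime((Get-Date).AddMinutes(-$MinutesBack))
$filter = "Logfile='Security' AND EventCode=4624 AND TimeGenerated>='$since'"

try {
    # Get-WmiObject talks DCOM to the remote host, the same transport AD Query relies on.
    # Get-CimInstance would default to WinRM, which does not prove that DCOM/WMI access works.
    $events = Get-WmiObject -Class Win32_NTLogEvent -Filter $filter `
        -ComputerName $DomainController -Credential $cred -ErrorAction Stop
} catch {
    Write-Error "WMI read of the Security log on $DomainController failed: $($_.Exception.Message)"
    Write-Error "Check the account's rights, the Windows Firewall rules for WMI/DCOM on the DC, and reachability of TCP 135 plus the dynamic RPC port range."
    return
}

if (-not $events) {
    Write-Warning "Access works, but no 4624 events were logged in the last $MinutesBack minutes; verify that Audit Logon success auditing is enabled on the DC."
    return
}

# Event 4624 insertion-string positions (0-based, Windows Server 2008 and later):
# 5 TargetUserName, 6 TargetDomainName, 8 LogonType, 11 WorkstationName, 18 IpAddress.
$events | ForEach-Object {
    $s = $_.InsertionStrings
    [pscustomobject]@{
        Time      = [System.Management.ManagementDateTimeConverter]::ToDateTime($_.TimeGenerated)
        User      = "$($s[6])\$($s[5])"
        LogonType = $s[8]
        Computer  = $s[11]
        IpAddress = $s[18]
    }
} |
    # Machine accounts (name ends with $) and logons with no usable source address
    # ('-', loopback, or missing) carry no user-to-IP mapping, so drop them.
    Where-Object { $_.User -notmatch '\$$' -and $_.IpAddress -notin @('-', '127.0.0.1', '::1', $null) } |
    Sort-Object Time -Descending |
    Format-Table -AutoSize
```

If the call fails with an access-denied error, the account does not have the rights the wizard's Important note describes; if it succeeds but returns nothing, auditing of logon success on the domain controller is the thing to check, because AD Query can only map what the domain controller logs.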