Identifying Users behind an HTTP Proxy Server

If your organization uses an HTTP proxy server between the users and the Identity AwarenessClosed Check Point Software Blade on a Security Gateway that enforces network access and audits data based on network location, the identity of the user, and the identity of the computer. Acronym: IDA. Gateway, the Identity Awareness Gateway cannot see the identities of these users. As a result, the Identity Awareness Gateway cannot enforce policy rules based on user identities.

To let the Identity Awareness Gateway identify users behind a proxy server, you can use the X-Forward-For HTTP header, which the proxy server adds.

To do this, you have to:

  • Configure the XFF header on the Identity Awareness Gateway

  • Configure the XFF header on the Access Control Policy Layer

  • Use Access Roles in the Access Control Policy Layer, or use one of these advanced options in the Track column: Log, Detailed Log, Extended Log.

  1. Log in to SmartConsoleClosed Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on..

  2. From the Navigation Toolbar, click Gateways & Servers.

  3. Open the Identity Awareness Gateway object.

  4. In the General Properties page > Network Security tab, make sure that Identity Awareness is enabled.

  5. In the left navigation tree, click on the [+] near the Identity Awareness and go to the Proxy page.

  6. Select Detect users located behind http proxy configured with X-Forwarded-For.

    • Optional: Select Hide X-Forwarded-For in outgoing traffic.

      With this option selected, internal IP addresses are not seen in requests to the internet.

    • Optional: Select Trust X-Forwarded-For from known proxies only and select the applicable Group object from the drop-down list (you need to configure such Group object in advance).

      The Identity Awareness Gateway reads the XFF header only from the trusted servers.

      Note - If this option is disabled, the Identity Awareness Gateway parses the XFF header only from internal network connections.

  7. Click OK.

  8. Install the Access Control Policy.

  1. Log in to SmartConsole.

  2. From the Navigation Toolbar, click Security Policies.

  3. In the Access Control section, right-click Policy and select Edit Policy.

  4. In the Access Control section:

    • If you already have Policy Layers configured, in the Policy Layer section, click and select Edit Layer.

    • If you do not have Policy Layers configured yet, then:

    1. Click on the plus [+] sign > New Layer.

    2. Configure the layer.

    3. Click OK to close the Layer Editor window.

    4. Click OK to close the Policy window.

    5. In the Access Control section, right-click Policy and select Edit Policy.

    6. In the Policy Layer section, click and select Edit Layer.

  5. In the Layer Editor window, go to Advanced page.

  6. In the Proxy Configuration section, select Detect users located behind http proxy configured with X-Forwarded-For.

  7. Click OK to close the Layer Editor window.

  8. Click OK to close the Policy window.

  9. Install the Access Control Policy.

See Using Identity Awareness in the Firewall Rule Base.

  1. Right-click in the Track column > click More.

    The Track Settings window opens.

    Note - For more information about each available option, click the (?) icon in the top right corner.

  2. In the Track field, select one of these applicable options:

    • Log

    • Detailed Log

    • Extended Log

    Note - Detailed Log and Extended Log are only available, if one or more of these Software Blades are enabled on the Layer: Application & URL Filtering, Content Awareness, or Mobile Access.

  3. In the Log Generation section, select one of these applicable options:

    • per Connection

    • per Session

  4. Click OK.

  5. Install the Access Control Policy.