Configuring AD Query
For the overview, see AD Query.
Important - AD Query supports NTLMv1 and NTLMv2 authentication. NTLMv1 is the weaker of the two (its DES-based challenge responses can be recovered offline), so check which mode each R81.20 Security Gateway uses and switch it to NTLMv2 as described in Recommended: Configure the authentication mode to use NTLMv2 below.
Procedure:

Enable AD Query for a Security Gateway
- From the left navigation panel, click Gateways & Servers.
- Open the Security Gateway or Cluster object.
- On the General Properties page, select the Identity Awareness Software Blade (if you did not do so already).
- On the Identity Awareness page, select Active Directory Query.
- Click the Settings button.
  The Active Directory Query window opens.
- In the Active Directory Domains section:
  - Click the green plus sign [+] and select an existing LDAP Account Unit object to add it to the list.
  - Select an LDAP Account Unit object and click the red minus sign [-] to remove it from the list.
Optional: Configure the Single User Assumption
You can configure AD Query to allow only one active account per IP address. When user A logs out before the session timeout and user B logs in from the same IP address, user A's session closes automatically and user A's permissions are canceled. User B is then the only active user account on that IP address, and only user B's permissions are valid. This feature is called Single User Assumption.
Before you activate Single User Assumption, you must exclude all Service Accounts used by user computers. Otherwise, a service account that authenticates from a user's computer counts as a new login on that IP address and closes the user's session.
Note - Another way to reduce stale identity mappings on reused IP addresses is to increase the DHCP lease time.
To activate the Single User Assumption:
- Exclude Service Accounts (Users, Computers, and Networks).
  You can manually exclude service accounts (users, computers, and networks) from the AD Query scan. In addition, you can configure AD Query to automatically detect and exclude suspected service accounts: Identity Awareness treats a user account that is logged in to more than a specified number of computers at the same time as a service account.
  Excluding objects from Active Directory queries:
  - On the Identity Awareness page, select Active Directory Query and click Settings.
  - Click the Advanced button.
    The Active Directory Query Advanced window opens.
  - In the Excluded Users / Computers section, enter the user or computer account name and click Add.
    You can use the * and ? wildcard characters, or a regular expression (see Appendix: Regular Expressions), to match more than one account. Use this syntax for a regular expression:
    regexp:<Regular Expression>
  - Optional: Select Automatically exclude users which are logged into more than [ ] machines simultaneously, and enter the threshold number of computers in the related field.
  - In the Excluded Networks section:
    - Click the green plus sign [+] and select an existing Network object (or click New to create an applicable object) to add it to the list.
    - Select a Network object and click the red minus sign [-] to remove it from the list.
  - Click OK to close the Active Directory Query Advanced window.
- In the Active Directory Query window, select Assume that only one user is connected per computer.
  Note - To deactivate the Single User Assumption, clear this option.
- Click OK to close the Active Directory Query window.
- Click OK to close the Security Gateway or Cluster object.
- Install the Access Control Policy on the Security Gateway or Cluster object.
Optional: Manage the Suspected Service Account List
When automatic exclusion is enabled, Identity Awareness looks for suspected service accounts every 10 minutes. Suspected Service Accounts are saved to a persistent database that survives reboot. When a new Service Account is detected, a log appears in SmartConsole > Logs & Monitor view > Logs tab.
Use these commands to see and manage the suspected service account database:
Notes:
- You must run these commands in the Expert mode on the Identity Awareness Gateway.
- In a Cluster, you must configure all the Cluster Members in the same way.

Action                                                            Syntax
Show all suspected Service Accounts                               adlog a control srv_accounts show
Run the Service Accounts scan immediately                         adlog a control srv_accounts find
  (useful before you enable Assume that only one user is connected per computer)
Remove an account from the Service Account database               adlog a control srv_accounts unmark <account name>
Remove all accounts from the suspected Service Account database   adlog a control srv_accounts clear

Important - After you change the database with an "adlog a control" command, you must run this command to save the configuration:
adlog a control reconf
For more information, see adlog control.
Recommended: Configure the authentication mode to use NTLMv2
Follow these steps to make sure the authentication mode uses NTLMv2:
- On the Security Management Server:
  - Connect to the command line.
  - Log in to the Expert mode.
  - Run:
    adlogconfig a
  - Examine the section Authentication mode:
    - If [x] appears next to the option Use NTLMv2, no change is needed on the Security Management Server; exit adlogconfig and continue with the Security Gateway steps.
    - If [x] appears next to the option Use NTLMv1, enter the number of the option Change authentication mode NTLMv1/NTLMv2, and make sure that [x] now appears next to the option Use NTLMv2.
  - Enter the number of the option Exit and save.
- On the Security Gateway (in a Cluster, on each Cluster Member):
  - Connect to the command line.
  - Log in to the Expert mode.
  - Run:
    adlogconfig a
  - Examine the section Authentication mode:
    - If [x] appears next to the option Use NTLMv2, skip to Use Automatic LDAP Group Update.
    - If [x] appears next to the option Use NTLMv1, enter the number of the option Change authentication mode NTLMv1/NTLMv2, and make sure that [x] now appears next to the option Use NTLMv2.
  - Enter the number of the option Exit and save.
- In SmartConsole, restart the Identity Awareness Configuration wizard and configure Identity Awareness:
  - From the left navigation panel, click Gateways & Servers.
  - Open the Security Gateway or Cluster object.
  - In the General Properties pane, clear Identity Awareness. Do not click OK.
  - In the General Properties pane, select Identity Awareness again.
    The Identity Awareness Configuration window opens.
  - Follow the Identity Awareness wizard.
  - Click OK to close the Security Gateway or Cluster object.
  - Install the Access Control Policy on the Security Gateway or Cluster object.
Use Automatic LDAP Group Update
Identity Awareness automatically recognizes changes to LDAP group membership and updates identity information, including Access Roles.
Warning - When you add, move, or remove an LDAP nested group, the system recalculates LDAP group membership for ALL users in ALL groups. Be very careful when you deactivate the Update only user-related LDAP changes option (see Configuring LDAP group notification options below).
Important - Automatic LDAP group update works only with Microsoft Active Directory, and only when AD Query is activated.
LDAP Group Update is activated by default. You can deactivate LDAP Group Update.
Deactivating automatic LDAP group update:
- Connect to the command line on the Security Gateway / each Cluster Member.
- Log in to the Expert mode.
- Run:
  adlogconfig a
- Enter the number of the option Turn LDAP groups update on/off.
  The LDAP groups update notifications status changes to [ ] (not active).
  If you select Turn LDAP groups update on/off while automatic LDAP group update is not active, the status changes back to [X] (active).
- Enter the number of the option Exit and save.
- In SmartConsole, install the Access Control Policy on the Security Gateway or Cluster object.
Note - You can use adlogconfig to configure the time between LDAP change notifications and to send notifications only for changes related to users.
Configuring LDAP group notification options:
- Connect to the command line on the Security Gateway / each Cluster Member.
- Log in to the Expert mode.
- Run:
  adlogconfig a
- Enter the number of the option Notifications accumulation time, then enter the time between notifications in seconds (default = 10).
- Enter the number of the option Update only user-related LDAP changes to control whether notifications are sent only for changes related to users.
  Warning - Be very careful when you deactivate Update only user-related LDAP changes. Every LDAP change is then processed, not only user-related changes, which can cause excessive CPU load on the Security Gateway / Cluster Member.
- Enter the number of the option Exit and save.
- In SmartConsole, install the Access Control Policy on the Security Gateway or Cluster object.
Automatic LDAP Group Update does not take effect immediately, because Identity Awareness looks for users and groups in the LDAP cache first, and the cached entries do not yet contain the updated LDAP groups. By default, the cache holds 1,000 users, and cached user information is refreshed every 15 minutes.
To get automatic LDAP Group Update assignments immediately, you must deactivate the LDAP cache. This can make Identity Awareness slower than expected, because every lookup then goes to the LDAP server.
Deactivating the LDAP cache:
- In SmartConsole, click Menu > Global properties.
- In the left navigation tree, click User Directory.
- Change Timeout on cached users to zero.
- Change Cache size to zero.
- Click OK.
- Install the Access Control Policy on the Security Gateway or Cluster object.
Configure Domain Controllers for each Security Gateway
An organization's Active Directory can have more than one site, where each site has its own domain controllers protected by a Security Gateway. When all of the domain controllers belong to the same Active Directory, one LDAP Account Unit is created in SmartConsole.
When AD Query is enabled on a Security Gateway, you can configure that Security Gateway to communicate with only some of the domain controllers. For each domain controller that AD Query must ignore, configure the priority of that domain controller in the Account Unit (in the Security Gateway object) to a value greater than 1000.
Example:
- The LDAP Account Unit ad.mycompany.com has 5 domain controllers - dc1, dc2, dc3, dc4, and dc5.
- On the Identity Awareness Gateway, AD Query must use only domain controllers dc2 and dc3. This means that the priority of all other domain controllers (dc1, dc4, and dc5) must be set to a number greater than 1000 in the Identity Awareness Gateway object.
To specify Domain Controllers for each Security Gateway (based on the example above):
- From the left navigation panel, click Gateways & Servers.
- Open the Security Gateway or Cluster object.
- In the left tree, click the [+] near Other and click User Directory.
- Select the option Selected Account Units list.
- Click Add.
- Select the applicable Account Unit object.
  Important - The account that connects to Active Directory must be a service account, not a personal user account.
- Click OK.
- Clear the option Use default priorities.
- Configure the priority 1001 for dc1, dc4, and dc5:
  - Select the domain controller.
  - In the Priority field, enter 1001.
  - Click Set.
- Click OK.
- Install the Access Control Policy on the Security Gateway or Cluster object.
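The script below is an added example, not Check Point code and not part of adlog. It takes the list of domain controllers a gateway should query, works out the priority to enter for every domain controller in the dialog above (1, 2, ... for the wanted controllers, 1001 for the rest), and checks a plan before anyone types it in, including the case where every controller ends up above 1000 and AD Query is left with nothing to query. The Account Unit and controller names are the constructed dc1 to dc5 from the example; the page gives no command-line way to set priorities, so the script only produces the values for the SmartConsole dialog.

```shell
#!/bin/sh
# Added example, not Check Point code. Rule from the text: AD Query ignores a
# domain controller whose priority is greater than 1000. DC names are the
# constructed example (Account Unit ad.mycompany.com with dc1..dc5).

ALL_DCS='dc1 dc2 dc3 dc4 dc5'

# plan_priorities "dcA dcB ..." -> "dc priority" lines: the wanted DCs get
# 1, 2, ... in the order given; every other DC gets 1001 so AD Query ignores it
plan_priorities() {
    for dc in $ALL_DCS; do
        p=1001
        i=0
        for w in $1; do
            i=$((i + 1))
            if [ "$dc" = "$w" ]; then p=$i; fi
        done
        printf '%s %s\n' "$dc" "$p"
    done
}

# polled_dcs PLAN -> the DCs AD Query will actually query, best priority first
polled_dcs() {
    printf '%s\n' "$1" | awk '$2 <= 1000' | sort -k2,2n |
        awk '{ printf "%s%s", (NR > 1 ? " " : ""), $1 } END { print "" }'
}

# check_plan PLAN "dcA dcB ..." -> 0 when exactly the wanted DCs are polled;
# 1 with a reason when the plan leaves AD Query without a DC or polls the wrong set
check_plan() {
    got=$(polled_dcs "$1")
    if [ -z "$got" ]; then
        echo "rejected: every DC is above 1000, AD Query would have no DC to query" >&2
        return 1
    fi
    if [ "$got" != "$2" ]; then
        echo "rejected: plan queries [$got] but [$2] was intended" >&2
        return 1
    fi
    return 0
}

# The example from the text: this gateway must query only dc2 and dc3.
PLAN=$(plan_priorities 'dc2 dc3')
printf '%s\n' "$PLAN"      # dc1 1001, dc2 1, dc3 2, dc4 1001, dc5 1001
check_plan "$PLAN" 'dc2 dc3' && echo "plan ok: set priority 1001 on dc1, dc4 and dc5"
```

A plan that forgets one controller (for example dc4 left at a default priority of 4) is rejected because AD Query would still poll it; a plan that pushes every controller above 1000 is rejected because the gateway would learn no logins at all. After the priorities are set and the policy is installed, confirm the result with adlog a dc as described in the next section.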
Examine the Status of Domain Controllers
Make sure that the domain controllers are configured correctly: examine with which domain controllers the Security Gateway communicates and which domain controllers it ignores.
- Connect to the command line on the Security Gateway / each Cluster Member.
- Log in to the Expert mode.
- Run:
  adlog a dc
For more information, see adlog dc.