Configuring AD Query

For the overview, see AD Query.

Important - Before you configure AD QueryClosed Check Point clientless identity acquisition tool. It is based on Active Directory integration and it is completely transparent to the user. The technology is based on querying the Active Directory Security Event Logs and extracting the user and computer mapping to the network address from them. It is based on Windows Management Instrumentation (WMI), a standard Microsoft protocol. The Check Point Security Gateway communicates directly with the Active Directory domain controllers and does not require a separate server. No installation is necessary on the clients, or on the Active Directory server., you must:

Important - NTLMv1 and NTLMv2 authentication are supported. These are the default authentication modes in an R81.20 Security Gateway:

Security Gateway Version

Configuration Before the Security Gateway Upgrade

Default Authentication Mode

R81.20 - Clean Install

N / A

Note - Starting from R81.20, the default is NTLMv2.

NTLMv2

R81.20 - Upgrade from a lower version

Authentication mode was not changed using the adlogconfig command.

Note - In R81.10 and lower, the default is NTLMv1.

NTLMv2

R81.20 - Upgrade from a lower version

Authentication mode was changed to NTLMv1 using the adlogconfig command.

Note - In R81.10 and lower, the default is NTLMv1.

Example for R81.10 - An administrator changed the authentication mode from the default NTLMv1 to NTLMv2, and then from NTLMv2 back to NTLMv1.

NTLMv1

Procedure:

    1. From the left navigation panel, click Gateways & Servers.

    2. Open the Security Gateway or ClusterClosed Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing. object.

    3. On the General Properties page, select the Identity Awareness Software BladeClosed Specific security solution (module): (1) On a Security Gateway, each Software Blade inspects specific characteristics of the traffic (2) On a Management Server, each Software Blade enables different management capabilities. (if did not do so already).

    4. On the Identity Awareness page, select Active Directory Query.

    5. Click the Settings button.

      The Active Directory Query window opens.

    6. In the Active Directory Domains section:

      • Click the green plus sign [+] and select an existing LDAP Account Unit object to add it to the list.

      • Select an LDAP Account Unit object and click the red minus sign [-] to remove it from the list.

  2. You can configure AD Query to allow only one active account per IP address.

    When user A logs out before the timeout and user B logs in, user A's session closes automatically and his permissions are canceled.

    User B is the only active user account and only his permissions are valid.

    This feature is called Single User Assumption.

    Before you activate Single User Assumption, you must exclude all Service Accounts used by user computers.

    Note - Another way to reduce the occurrence of these issues is to increase the DHCP lease time.

    To activate the Single User Assumption:

    1. Exclude Service Accounts (Users, Computers, and Networks).

      You can manually exclude service accounts (users, computers, and networks) from the AD Query scan. In addition, you can configure AD Query to automatically detect and exclude suspected service accounts. Identity AwarenessClosed Check Point Software Blade on a Security Gateway that enforces network access and audits data based on network location, the identity of the user, and the identity of the computer. Acronym: IDA. identifies service accounts as user accounts that are logged in to more than a specified number of computers at the same time.

      Excluding objects from Active Directory queries:

      1. On the Identity Awareness page, select Active Directory Query and click Settings.

      2. Click the Advanced button.

        The Active Directory Query Advanced window opens.

      3. In the Excluded Users / Computers section, enter the user or computer account name and click Add.

        You can use the * and ? wildcard characters or regular expressions (see Appendix: Regular Expressions) to select more than one account.

        Use this syntax for regular expressions: regexp:<Regular Expression>.

      4. Optional: Select Automatically exclude users which are logged into more than [ ] machines simultaneously.

        Enter the threshold number of computers in the related field.

      5. In the Excluded Networks section:

        • Click the green plus sign [+] and select an existing Network object (or click New to create an applicable object) to add it to the list.

        • Select a Network object and click the red minus sign [-] to remove it from the list.

      6. Click OK to close the Active Directory Query Advanced window.

    2. In the Active Directory Query window, select Assume that only one user is connected per computer.

      Note - To deactivate the Single User Assumption, clear this option.

    3. Click OK to close the Active Directory Query window.

    4. Click OK to close the Security Gateway or Cluster object.

    5. Install the Access Control Policy on the Security Gateway or Cluster object.

  3. When automatic exclusion is enabled, Identity Awareness looks for suspected service accounts every 10 minutes. Suspected Service Accounts are saved to a persistent database that survives reboot. When a new is detected, a log appears in SmartConsoleClosed Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on. > Logs & Monitor view > Logs tab.

    Use these commands to see and manage the suspected service account database:

    Notes:

    • You must run these commands in the Expert mode on the Identity Awareness Gateway.

    • In a Cluster, you must configure all the Cluster Members in the same way.

    Action

    Syntax

    Show all suspected Service Accounts

    adlog a control srv_accounts show

    Run the Service Accounts scan immediately

    adlog a control srv_accounts find

    This command is useful before you enable the Assume that only one user is connected option.

    Remove an account from the database

    adlog a control srv_accounts unmark <account name>

    Remove all accounts from the suspected database

    adlog a control srv_accounts clear

    Important - When you use the "adlog a control" command, you must run this command to save the configuration:

    adlog a control reconf

    For more information, see adlog control.

  4. Follow these steps to make sure the authentication mode uses NTLMv2:

      1. Connect to the command line.

      2. Log in to the Expert mode.

      3. Run:

        adlogconfig a

      4. Examine the section Authentication mode:

        • If [x] appears next to the option [x] Use NTLMv2, then skip to the next step, Use Automatic LDAP Group Update.

        • If [x] appears next to the option [x] Use NTLMv1, then enter the number of this option:

          Change authentication mode NTLMv1/NTLMv2

          Make sure [x] appears next to the option [x] Use NTLMv2.

      5. Enter the number of this option:

        Exit and save

      1. Connect to the command line.

      2. Log in to the Expert mode.

      3. Run:

        adlogconfig a

      4. Examine the section Authentication mode:

        • If [x] appears next to the option [x] Use NTLMv2, then skip to the next step, Use Automatic LDAP Group Update.

        • If [x] appears next to the option [x] Use NTLMv1, then enter the number of this option:

          Change authentication mode NTLMv1/NTLMv2

          Make sure [x] appears next to the option [x] Use NTLMv2.

      5. Enter the number of this option:

        Exit and save

      1. From the left navigation panel, click Gateways & Servers.

      2. Open the Security Gateway or Cluster object.

      3. In the General Properties pane, clear Identity Awareness. Do not click OK.

      4. In the General Properties pane, select Identity Awareness.

        The Identity Awareness Configuration window opens.

      5. Follow the Identity Awareness wizard.

      6. Click OK to close the Security Gateway or Cluster object.

      7. Install the Access Control Policy on the Security Gateway or Cluster object.

  5. Identity Awareness automatically recognizes changes to LDAP group membership and updates identity information, including Access Roles.

    Warning - When you add, move, or remove an LDAP nested group, the system recalculates LDAP group membership for ALL users in ALL Groups. Be very careful when you deactivate user-related notifications.

    Important - Automatic LDAP group update works only with Microsoft Active Directory when AD Query is activated.

    LDAP Group Update is activated by default. You can deactivate LDAP Group Update.

    1. Connect to the command line on the Security Gateway / each Cluster Member.

    2. Log in to the Expert mode.

    3. Run:

      adlogconfig a

    4. Enter the number of this option:

      Turn LDAP groups update on/off.

      The LDAP groups update notifications status changes to [ ] (not active).

      If you select the option Turn LDAP groups update on/off when automatic LDAP group update is not active, the LDAP groups update notifications status changes to [X] (active).

    5. Enter the number of this option:

      Exit and save

    6. In SmartConsole, install the Access Control Policy on the Security Gateway or Cluster object.

    Note - You can use adlogconfig to configure the time between LDAP change notifications and to send notifications only for changes related to users.

    1. Connect to the command line on the Security Gateway / each Cluster Member.

    2. Log in to the Expert mode.

    3. Run

      adlogconfig a

    4. Enter the number of this option:

      Notifications accumulation time

    5. Enter the time between notifications in seconds (default = 10).

    6. Enter the number of this option control whether to send notifications only for changes related to users:

      Update only user-related LDAP changes

      Warning - Be very careful when you deactivate only user-related notifications. This can cause excessive CPU load on the Security Gateway / Cluster Member.

    7. Enter the number of this option:

      Exit and save

    8. In SmartConsole, install the Access Control Policy on the Security Gateway or Cluster object.

    Automatic LDAP Group Update does not occur immediately because Identity Awareness looks for users and groups in the LDAP cache first. The information in the cache does not contain the updated LDAP Groups. By default, the cache contains 1,000 users and cached user information is updated every 15 minutes.

    To get automatic LDAP Group Update assignments immediately, you must deactivate the LDAP cache. This action can cause Identity Awareness to work slower than expected.

    1. In SmartConsole, go to Menu > Global properties.

    2. In the left navigation tree, click User Directory.

    3. Change Timeout on cached users to zero.

    4. Change Cache size to zero.

    5. Click OK.

    6. Install the Access Control Policy on the Security Gateway or Cluster object.

  6. An organization Active Directory can have more than one sites, where each site has its own domain controllers that are protected by a Security Gateway. When all of the domain controllers belong to the same Active Directory, one LDAP Account Unit is created in SmartConsole.

    When AD Query is enabled on a Security Gateway, you can configure the Security Gateway to communicate with only some of the domain controllers. For each domain controller the AD Query needs to ignore, configure the default priority of the Account Unit to a value that is greater than 1000.

    Example:

    • The LDAP Account Unit ad.mycompany.com has 5 domain controllers - dc1, dc2, dc3, dc4, and dc5.

    • On the Identity Awareness Gateway, it is necessary to enable AD Query for only domain controllers dc2 and dc3. This means that priority of all other domain controllers (dc1, dc4, and dc5) must be set to a number greater than 1000 in the Identity Awareness Gateway object.

    To specify Domain Controllers for each Security Gateway (based on the example above):

    1. From the left navigation panel, click Gateways & Servers.

    2. Open the Security Gateway or Cluster object.

    3. In the left tree, click on the [+] near Other and click User Directory.

    4. Select the option Selected Account Units list.

    5. Click Add.

    6. Select the applicable Account Unit object.

      Important - The account that connects to Active Directory must be a service account, not a personal user account.

    7. Click OK.

    8. Clear the option Use default priorities.

    9. Configure the priority 1001 for dc1, dc4, and dc5:

      1. Select the domain controller.

      2. In the Priority field, enter 1001.

      3. Click Set.

    10. Click OK.

    11. Install the Access Control Policy on the Security Gateway or Cluster object.

  7. Make sure that the domain controllers are configured correctly.

    Examine with which domain controllers the Security Gateway communicates and which domain controllers it ignores.

    1. Connect to the command line on the Security Gateway / each Cluster Member.

    2. Log in to the Expert mode.

    3. Run:

      adlog a dc

    For more information, see adlog dc.