UserCheck Interaction Objects for Threat Prevention Software Blades

This section describes how to configure UserCheck Functionality in your Security Gateway or Cluster and endpoint clients that gives users a warning when there is a potential risk of data loss or security violation. This helps users to prevent security incidents and to learn about the organizational security policy. Interaction Objects.

UserCheck Interaction Objects add flexibility and give the Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. a mechanism to communicate with users.

You use the UserCheck Interaction Objects in the Threat Prevention Policy to:

Help users with decisions that can be dangerous to the organization security.
Share the organization changing internet policy for web applications and sites with users, in real-time.

Note - You create and edit UserCheck Interaction objects for the Access Control policy only in SmartConsole Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on..

UserCheck Interaction Action Types

Action Type	Description
Approve	Users get a message that the company policy approved their access to the requested site. See Selecting "Approved" and "Cancel" UserCheck Messages.
Ask	Users get a message that asks if they want to continue to the requested site. UserCheck Interaction with this action type appear in Threat Prevention Profiles > on the applicable Software Blade Specific security solution (module): (1) On a Security Gateway, each Software Blade inspects specific characteristics of the traffic (2) On a Management Server, each Software Blade enables different management capabilities. pages > in the section UserCheck Settings > in the menu Ask.
Block	Users get a message that the company policy blocked access to the requested site. UserCheck Interaction with this action type appear in Threat Prevention Profiles > in the applicable Software Blade pages > in the section UserCheck Settings > in the menu Prevent.
Cancel	After a user gets an Inform or Ask notification and clicks Cancel, they get a message that they cancelled their request to access a site. See Selecting "Approved" and "Cancel" UserCheck Messages.
Inform	Users get a message about the company policy for the requested site and they must click OK to continue to the site.

Default UserCheck Interaction Objects for Threat Prevention

Explanation

Notes:

These default objects open in the read-only view.
You can right-click each default object and click Clone.
To preview a default UserCheck Interaction object, click it.

From the left navigation panel, click Security Policies.
In the top panel, click Threat Prevention.
In the bottom panel, click Custom Policy Tools, click UserCheck.

These are the default UserCheck Interaction objects for Threat Prevention:

Default UserCheck Interaction Object	Action Type
Anti-Bot Blocked	Block
Anti-Virus Blocked	Block
Cancel Page Threat Prevention	Cancel
Company Policy Anti-Bot	Ask
Company Policy Anti-Virus	Ask
Company Policy Threat Emulation	Ask
Company Policy Threat Extraction	Ask
Company Policy Zero Phishing	Ask
Threat Emulation Blocked	Block
Threat Extraction Success Page	Approve
Zero Phishing Blocked	Block

Creating New UserCheck Interaction Objects for Threat Prevention

Procedure

From the left navigation panel, click Security Policies.
In the top panel, click Threat Prevention.
In the bottom panel Custom Policy Tools, click UserCheck.

From the top toolbar, click New > click the applicable UserCheck Interaction:

Note - You can right-click a default UserCheck Interaction object > click Clone, and then edit the cloned object as required.

Ask UserCheck

If you select this UserCheck Interaction object in a Threat Prevention profile in the applicable Software Blade, then internal users get a message that asks them if they want to continue with the request or not.

To continue with their request, users are expected to enter a reason.
Inform UserCheck

If you select this UserCheck Interaction object in a Threat Prevention profile in the applicable Software Blade, then internal users get an informative message.

Users can continue or cancel their request.
Block UserCheck

If you select this UserCheck Interaction object in a Threat Prevention profile in the applicable Software Blade, then internal users get a message that their request was blocked.

Optional: In the top corner, on the right side of the icon, click the downward arrow and select the desired color.
In the top field, enter an object name.
Optional: In the Comment field, enter the applicable text.

In the left panel, click the Message page:

To select a language for the message (English is the default), above the message section, click the Languages button > select the required languages > click OK.

Note - The corresponding tab appears for each language you select.

To insert a variable field into the message, from the top toolbar, click Insert Field and click the applicable variable.

Notes:

When the Ask, Inform, or Block action occurs, the UserCheck Portal and UserCheck Client replaces these variables with applicable values in the message.
To resolve the Username variable, you must enable the Identity Awareness Software Blade and configure the required settings. See the R81.20 Identity Awareness Administration Guide.

To add your logo, in the message body, click Add Logo > click > click Add new image > browse to the required image file and select it > click Open.

Notes:

The height of the image must be 176 pixels or less.
The width of the image must be 52 pixels or less.

To insert special fields for user input, from the top toolbar, click Insert User Input and click the applicable option.

Important:

To change the view to raw HTML code, click Source at the top.

To go back, click Design.
You can preview the final message after you save this object.

In the left panel, click the Settings page:

In the Languages section:

Select the language for the UserCheck page, if a user did not configure a default language in their web browser.

In the Faillback Action section:

Note - This section appears only in the UserCheck Interaction object of the type Ask and Inform.

Select the UserCheck action, if it is not possible to show a UserCheck notification on a user's computer:

Fallback Action	Behavior
Allow	Allows the user to access the website or application. The UserCheck Client (if installed) shows the notification.
Drop	The Security Gateway tries to show the notification in the application that caused the notification. If it cannot, and the UserCheck Client is installed, the UserCheck Client shows the notification. Blocks the website or application, even if the user does not see the notification.

Fallback Action

Behavior

Allow

Allows the user to access the website or application.

The UserCheck Client (if installed) shows the notification.

Drop

The Security Gateway tries to show the notification in the application that caused the notification.

If it cannot, and the UserCheck Client is installed, the UserCheck Client shows the notification.

Blocks the website or application, even if the user does not see the notification.

In the Conditions section:

Note - This section appears only in the UserCheck Interaction object of the type Ask and Inform.

Select the required condition that users must meet to send their data through the Security Gateway:

Condition	Behavior
User accepted and selected the confirm checkbox	This applies if on the Message page, from the Insert User Input menu you inserted the element Confirm Checkbox. In the message, users must select the checkbox before they can access the application.
User filled some textual input	This applies if on the Message page, from the Insert User Input menu you inserted the element Textual Input. Users must enter text in the text field before they can access the application. For example, you might require that users to enter an explanation for use of the application.

Condition

Behavior

User accepted and selected the confirm checkbox

This applies if on the Message page, from the Insert User Input menu you inserted the element Confirm Checkbox.

In the message, users must select the checkbox before they can access the application.

User filled some textual input

This applies if on the Message page, from the Insert User Input menu you inserted the element Textual Input.

Users must enter text in the text field before they can access the application.

For example, you might require that users to enter an explanation for use of the application.

In the External Portal section:

Configure whether to redirect users to an external portal instead of showing a UserCheck notification or redirecting them to the UserCheck Portal on the Security Gateway. There is no notification to users about this redirect.

This can be an external system that obtains authentication credentials from the user, such as a user name or password. It sends this information to the Security Gateway.

Select Redirect the user to external portal.
In the URL field, configure the required URL.
Optional: Select Add UserCheck Incident ID to the URL query to append an incident ID to the end of the URL query.

In the URL Template field, enter the path to an XML file on the external portal server, so that it can be sent back to the Security Gateway.

Note - This field appears only in the UserCheck Interaction object of the type Ask and Inform.

In the Pre-Shared Secret field, enter the required string that authenticates the external portal server to the Security Gateway.

Note - This field appears only in the UserCheck Interaction object of the type Ask and Inform.

Click OK.
Preview this UserCheck Interaction in the right pane in each available language and each available view:
- Regular View
- Mobile
- Agent
- Email
- R80.10 and Higher Gateways
- Earlier Gateways
Install the Threat Prevention Policy.

Selecting "Approved" and "Cancel" UserCheck Messages

Procedure

Step	Instructions
1	From the left navigation panel, click Manage & Settings.
2	In the top panel, click Blades.
3	In the Threat Prevention section, click Advanced Settings.
4	In the left panel, click UserCheck.
5	In the field Approved Page field, select the applicable UserCheck Interaction object. This field applies only to the Threat Extraction Check Point Software Blade on a Security Gateway that removes malicious content from files. Acronym: TEX. Software Blade. When Threat Extraction sends you a clean file, you can select to download the original file. If a user chooses to download the original file, ther user gets a UserCheck success message. If a user chooses not to download the original file, the user gets a UserCheck cancel message.
6	In the field Cancel Page field, select the applicable UserCheck Interaction object. This field applies to all the Threat Prevention Software Blades. This message appears after a user chooses not to receive access to a web page or a file.
7	Click OK.
8	Install the Access Control Policy.
9	Install the Threat Prevention Policy.