Identity Tag
What can I do here?
Use this window to create a new Identity Tag or edit an existing one.
Getting Here - Object Explorer > New > User/Identities > Identity Tag
Using Identity Tags in Access Role Matching
Identity Tags let you include external identifiers (such as Cisco® Security Group Tags, or any other groups provided by any Identity Source) in Access Role matching. These external identifiers act like a tag that can be assigned to a certain user, machine or group.
Access Role objects let you configure network access according to: Networks, Users and user groups, Computers and computer groups, Remote Access Clients. After you activate the Identity Awareness Software Blade, you can create Access Role objects and use them in the Source and Destination columns of Access Control Policy rules.
To use Identity Tags in Access Role matching:
1. Create a new Identity Tag:
   a. Click Objects menu > More object types > User > Identity Tag.
   b. Enter a name for the object.
      Note - If you enter the External Identifier first, the Identity Tag object gets the same name.
   c. In the External Identifier field, enter one of these:
      - A Cisco Security Group Tag, as defined on the Cisco ISE (Cisco® Identity Services Engine) server or acquired through Identity Collector (a Check Point dedicated client agent installed on Windows Servers in your network, which collects information about identities and their associated IP addresses and sends it to the Check Point Security Gateways for identity enforcement).
      - A custom tag (defined on a third party product) acquired through the Check Point Identity Web API.
      Note - The External Identifier must be a unique name.
   d. Click OK.
2. Include the Identity Tag in an Access Role:
   a. Click Objects menu > More object types > User > New Access Role.
   b. On the Users tab or Machines tab, select Specific users/groups.
   c. Click the [+] icon.
   d. Click on the domain name button in the top left corner and select Identity Tags.
   e. Select the Identity Tag created in Step 1.
   f. Click OK.
3. Add this Access Role to the Source or Destination column of an Access Control Policy rule.
4. Install the Access Control Policy.