Getting Identities in Application Control
You can use Identity Awareness (IDA) and Application & URL Filtering (URLF) together to add user awareness, computer awareness, and application awareness to the Check Point Security Gateway. Identity Awareness is the Check Point Software Blade on a Security Gateway that enforces network access and audits data based on network location, the identity of the user, and the identity of the computer. Application & URL Filtering is the Check Point Software Blade on a Security Gateway that allows granular control over which web sites can be accessed by a given group of users, computers or networks. The Security Gateway is the dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. They work together in these procedures:
- In the Access Control Policy Layer with the Application & URL Filtering Software Blade enabled, use Identity Awareness Access Roles as the source of the rule.
- You can use all the types of identity sources to acquire identities of users who try to access applications.
- Logs and events display user and IP address accesses, and their applications.
Scenario: Identifying Users in Application Control Logs
Description
The ACME organization uses Identity Awareness to monitor outbound application traffic and learn what their employees are doing. The IT administrator must enable Application Control (APPI) and Identity Awareness. Application Control is the Check Point Software Blade on a Security Gateway that allows granular control over specific web-enabled applications by using deep packet inspection. Logs and events display identity information for the traffic.
- To see the logs, open the Logs & Monitor > Logs tab.
- To see the events, open the Access Control > Logs & Monitor views.
Next, the IT department can add rules to block specific applications or track them differently in the Application & URL Filtering Layer of the policy to make it even more effective. See the R81 Quantum Security Gateway Guide.
Necessary SmartConsole Configuration
To make this scenario work, the IT administrator must:
- Enable the Application Control blade on a Security Gateway.
  This adds a default rule to the Application Control Rule Base that allows traffic from known applications, with the tracking set to Log.
- Enable Identity Awareness on a Security Gateway and select AD Query as one of the Identity Sources.
  AD Query is the Check Point clientless identity acquisition tool. It is based on Active Directory integration and is completely transparent to the user. It queries the Active Directory Security Event Logs and extracts the user and computer mapping to the network address from them. It is based on Windows Management Instrumentation (WMI), a standard Microsoft protocol. The Check Point Security Gateway communicates directly with the Active Directory domain controllers and does not require a separate server. No installation is necessary on the clients or on the Active Directory server.
- Install the Access Control Policy.
User Identification in the Logs
You can see data for identified users in the Logs and Events that relate to application traffic.
- To see the logs, open the Logs & Monitor > Logs tab.
- To see the events, open the Logs & Monitor view > Access Control views > Events.
The log entry shows that the system maps the source IP address to the user identity. In addition, it shows Application Control data.
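The IP-to-user mapping that such a log entry reflects, as an added conceptual example (not Check Point code and not part of the original page). It joins logon events to application traffic by source IP and leaves traffic unidentified when no mapping exists or the mapping is stale. All field names, the sample data, and the 12-hour validity window are assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Assumption: validity window for a logon-derived mapping (illustrative, not a product default).
ASSOCIATION_TTL = timedelta(hours=12)

# Constructed logon events, shaped like user/computer/IP data extracted from
# domain controller Security Event Logs (field names are hypothetical).
LOGON_EVENTS = [
    {"time": "2024-05-01T08:00:00", "user": "ACME\\jsmith", "host": "PC-101", "ip": "10.0.0.21"},
    {"time": "2024-05-01T08:05:00", "user": "ACME\\mlee", "host": "PC-102", "ip": "10.0.0.22"},
    {"time": "2024-05-01T13:30:00", "user": "ACME\\akhan", "host": "PC-101", "ip": "10.0.0.21"},
]

# Constructed application-traffic records (hypothetical fields).
APP_RECORDS = [
    {"time": "2024-05-01T09:15:00", "src": "10.0.0.21", "app": "Dropbox"},
    {"time": "2024-05-01T14:00:00", "src": "10.0.0.21", "app": "YouTube"},
    {"time": "2024-05-01T22:30:00", "src": "10.0.0.22", "app": "BitTorrent"},
    {"time": "2024-05-01T09:20:00", "src": "10.0.0.99", "app": "Facebook"},
]

def build_sessions(events):
    """Index logon events by IP address, each list sorted by logon time."""
    sessions = {}
    for ev in events:
        t = datetime.fromisoformat(ev["time"])
        sessions.setdefault(ev["ip"], []).append((t, ev["user"], ev["host"]))
    for logons in sessions.values():
        logons.sort()
    return sessions

def identify(sessions, src_ip, when):
    """Return (user, host) for the latest logon on src_ip at or before `when`,
    or None if there is no such logon or it is older than ASSOCIATION_TTL."""
    latest = None
    for t, user, host in sessions.get(src_ip, []):
        if t <= when:
            latest = (t, user, host)
    if latest is None or when - latest[0] > ASSOCIATION_TTL:
        return None
    return latest[1], latest[2]

def enrich(records, events):
    """Attach user and machine identity to each application-traffic record."""
    sessions = build_sessions(events)
    out = []
    for rec in records:
        ident = identify(sessions, rec["src"], datetime.fromisoformat(rec["time"]))
        user, machine = ident or ("(unidentified)", None)
        out.append({**rec, "user": user, "machine": machine})
    return out
```

The second record shows why the most recent logon wins: the same IP address is attributed to a different user after a later logon on that machine.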