Configuring Identity Awareness API
This section describes how to configure and work with Identity Awareness Check Point Software Blade on a Security Gateway that enforces network access and audits data based on network location, the identity of the user, and the identity of the computer. Acronym: IDA. API.
Configuring Identity Awareness API Settings
-
In the Gateways & Servers view, double-click the Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources..
-
In the Identity Sources section of the Identity Awareness page, select Identity Web API and click Settings.
-
Go to the Identity Web API Settings window and configure:
-
Client Access Permissions
You must select Identity Awareness Gateway interfaces that can accept connections from Web API clients:
-
In the Client Access Permissions section of the Identity Web API Settings window, click Edit.
-
Select Security Gateway interfaces that can accept connections from Web API clients. The options are based on the topology configured for the Security Gateway. Web API clients can get an access to the Security Gateway, if they use networks connected to these interfaces.
The options are:
-
Through all interfaces
-
Through internal interfaces
-
Including undefined internal interfaces
-
Including DMZ internal interfaces
-
Including VPN encrypted interfaces - Interfaces used for establishing route-based VPN tunnels (VTIs)
-
-
According to the Firewall policy - Select this if there is a rule Set of traffic parameters and other conditions in a Rule Base (Security Policy) that cause specified actions to be taken for a communication session. that states who can get an access to the portal.
-
Important -The Through all interfaces and Through internal interfaces options have priority over Firewall Policy rules. If a Firewall rule is configured to block connections from Identity Collector Check Point dedicated client agent installed on Windows Servers in your network. Identity Collector collects information about identities and their associated IP addresses, and sends it to the Check Point Security Gateways for identity enforcement. You can download the Identity Collector package from Support Center. See sk134312. clients, connections continue to be permitted when one of these options is selected.
-
-
Authorized Clients and Selected Client Secret
An Identity Awareness Gateway accepts connections only from authorized Web API client computers.
To configure authorized Web API client computers:
-
In the Authorized Clients section of the Identity Collector Settings window, click the green [+] icon and select a Web API client from the list.
Notes:
-
To create a specified new host object:
-
Close the Web API Settings window.
-
Close the Identity Awareness Gateway Properties window.
-
From the top toolbar, click the Objects menu > More object types > Network Object > New Host.
Or from the right upper corner, click the Objects tab > New > Host.
-
-
To remove a current Identity Collector client from the list, select the client and click the red [-] icon.
-
-
Create an authentication secret for a selected Web API client:
-
Select the Web API client in the list.
-
Click Generate, or enter the applicable secret manually.
Notes:
Notes:
-
Each client has its own client secret.
-
To modify a client secret, change it manually.
-
-
-
Authentication Settings
In the Authentication Settings section of the Web API Settings window, click Settings.
The LDAP Account Units window opens.
Configure where the Identity Awareness Gateway can search for users, when they try to authenticate:
-
Internal users - The directory of configured internal users.
-
LDAP users - The directory of LDAP users:
-
All Gateway's Directories - Users from all configured LDAP servers.
-
Specific - Users from configured LDAP servers that you select.
-
-
External user profiles - The directory of users, who have external user profiles.
By default, all User Directories options are selected. You can select only one or two options, if users are only from a specified directory, and you want to maximize Security Gateway performance, when users authenticate. Users with identical user names must log in with
domain\username
. -
-