Using Identity Tags in Access Role Matching

Identity Tags let you include external identifiers (such as Cisco® Security Group Tags, or any other groups provided by any Identity Source) in Access Role Access Role objects let you configure network access according to: Networks, Users and user groups, Computers and computer groups, Remote Access Clients. After you activate the Identity Awareness Software Blade, you can create Access Role objects and use them in the Source and Destination columns of Access Control Policy rules. matching. These external identifiers work like a tag that can be assigned to a certain user, machine or group.

To use Identity Tags in Access Role matching:

1. Create a new Identity Tag

   1. In SmartConsole Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on., click theObjects pane > New > More > User/Identity > Identity Tag.

   2. Enter a name for the object.

      Note - If you enter the External Identifier first, the Identity Tag object gets the same name.

   3. In the External Identifier field, enter one of these:

      • A Cisco Security Group Name, as defined on the Cisco ISE server or acquired through Identity Collector Check Point dedicated client agent installed on Windows Servers in your network. Identity Collector collects information about identities and their associated IP addresses, and sends it to the Check Point Security Gateways for identity enforcement. For more information, see sk108235. You can download the Identity Collector package from sk134312..

      • A custom tag (defined on a third party product) acquired through the Check Point Identity Web API.

      Note - The External Identifier must be a unique name.

   4. Click OK.

2. Include the Identity Tag in an Access Role

   1. In SmartConsole, click the Objects pane > New > More > User/Identity > New Access Role.

   2. On the Users tab or Machines tab, select Specific users/groups.

   3. Click the [+] icon.

   4. Click on the domain name button in the top left corner and select Identity Tags.

   5. Select the Identity Tag created in Step 1.

   6. Click OK.

3. Add this Access Role to the Source or Destination column of an Access Control Policy rule Set of traffic parameters and other conditions in a Rule Base (Security Policy) that cause specified actions to be taken for a communication session..

4. Install the Access Control Policy.