Advanced Password Management Settings

If your organization uses Microsoft Active Directory (AD) to manage users, you can use these password settings allow continuous remote access for your users.

Note - Mobile Access Check Point Software Blade on a Security Gateway that provides a Remote Access VPN access for managed and unmanaged clients. Acronym: MAB. does not support Microsoft Active Directory 2000.

Password Expiration Warning

Administrators can configure SmartDashboard Legacy Check Point GUI client used to create and manage the security settings in versions R77.30 and lower. In versions R80.X and higher is still used to configure specific legacy settings. to tell users to change their passwords before they expire. This is an efficient way to ensure that users have continuous access to resources. See sk33404.

Managing Expired Passwords

Passwords expire in these cases:

The password exceeds the maximum number of days set in the Active Directory Group Policy.
The User must change password at next logon option in the Active Directory configuration is enabled.

When the password expires, a message tells the user that the login failed. The administrator can configure a setting in SmartDashboard to give users the option to enter a new password after the old one expired. Users whose passwords expired then receive a message: Your password has expired. Enter a new password. They must then enter and confirm a new password to enter the Mobile Access or VPN client portal.

Configuring Password Change After Expiration

You can configure password change after expiration on Security Gateways R71 or higher. Make sure that the LDAP server is configured to work with LDAP over SSL.

To enable password change after expiration:

In SmartDashboard, select Global Properties > User Directory (LDAP).
Under User Directory (LDAP) Properties, select Enable Password change when a user's Active Directory password expires.
In the LDAP Account Unit Properties window, make sure the assigned Profile is Microsoft_AD.
Make sure that the Login DN for the LDAP server, as configured in SmartDashboard, has sufficient permissions to modify the passwords of Active Directory users.
In the LDAP Server Properties window in the Encryption tab, select Use Encryption (SSL).
If the LDAP schema of the Active Directory is not extended with Check Point's LDAP schema, use Database Tool (GuiDBEdit Tool) (see sk13009) to make these changes:
- Select Managed Objects > LDAP > Microsoft_AD > Common
- Find SupportOldSchema and change its value to 1

For more about LDAP and user management, see the R81 Security Management Administration Guide.

Session Visibility and Management Utility

Introduction to Session Visibility and Management

When the Session Visibility and Management Utility is enabled, each time a user connects remotely to a Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources., the data is recorded in an SQL database.

You can run queries on this database with the Session Visibility and Management Utility.

You can use the Utility to:

Show session information based on constraints
Terminate user sessions based on constraints

The main commands are described below. You can also edit the configuration XML file to create custom commands. See sk104644 for advanced configuration.

These Check Point clients are fully supported with the Session Visibility and Management Utility:

Capsule Workspace for iOS and Android
Mobile Access Portal with SSL Network Extender A secure connectivity framework for remote access VPN to a corporate network. SSL Network Extender uses a thin VPN client installed on the user's remote computer that connects to an SSL-enabled web server on a VPN Gateway. Acronym: SNX. (Application and Network modes)
Remote Access VPN as part of the Endpoint Security Suite
Remote Access clients: Endpoint Security VPN, Check Point Mobile for Windows, SecuRemote

These clients are supported but sessions on them cannot be terminated:

Capsule Connect
Capsule VPN
Windows 8.1 Check Point VPN Plugin

Enabling the Utility

By default the Session Visibility and Management Utility is disabled.

To enable or disable the Session Visibility and Management Utility:

For SecurePlatform only, run on the Security Gateway this long command:

$CVPNDIR/bin/cvpnd_settings $FWDIR/conf/sessionIS.C set "database_conf:dataDir" "/var${FWDIR}/datadir/postgres/sessions" nobackup ; chown cp_postgres /var$FWDIR/datadir/postgres/sessions/postgresql.conf
To enable: On the Security Gateway, run: RAsession_util on

To disable:On the Security Gateway, run: RAsession_util off
Run: cpstop
Run: cpstart
In a cluster Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing. environment, make the change on all cluster members.

Seeing the Number of Open Sessions

To see the number of sessions open at a given time:

RAsession_util show sessions_num

Disconnecting Remote Access Users

To disconnect a user:

RAsession_util terminate {all | byuser <user> | bysession_id <id> | custom <SQL constraint>}

Parameter	Description
`all`	Disconnect all Remote Access users
`byuser`	Disconnect a user by user name
`bysession_id`	Disconnect the session with the given session ID
`custom`	Disconnect users that match an SQL constraint

Examples:

# RAsession_util terminate all

# RAsession_util terminate byuser james_wilson

# RAsession_util terminate bysession_id 521bd4788

# RAsession_util terminate custom "src_ip='1.1.1.1'"

Seeing User Data

To see data of connected users:

RAsession_util show users {all | byname <user_name> | where <where_clause>}

Parameter	Description
`all`	Show all users
`byuser`	Show data of the given user name
`where`	Show users by constraint
`certs`	Show user certificates by constraints

Examples:

# RAsession_util show users all

# RAsession_util show users byuser "james_wilson"

# RAsession_util show users where "client_name='Mobile Access Portal'"

(This command shows all the users connected from the Mobile Access Portal.)

Using Constraints

To disconnect or see data of users that match a non-default definition, use constraints. First, become familiar with the Check Point scheme for Remote Access sessions. Then, use the field names or types to run a terminate or show users command on matching users.

To see valid constraint fields:

RAsession_util show scheme

Examples:

This command shows the given fields where the client is the Mobile Access Portal, and the results are ordered according to the creation time:

RAsession_util show custom -FIELDS "session_id,user_name,client_name,browser_name,machine_name,os_name" -WHERE "client_name='Mobile Access Portal'" -ORDERBY "creation_time"

This command shows the given fields where the client type is Capsule Workspace:

RAsession_util show custom -FIELDS "user_name,sessionid,client_ver,client_build_number,os_name,os_ver,device_type" -WHERE "client_name='Capsule Workspace'"

Session Visibility and Management Commands

SCHEME

Description: Shows the table scheme of the database.

Usage: SCHEME

Parameters: None

SESSION_OP

Description: Performs an operation on a session or session based on the defined constraints.

Usage: SESSION_OP <Operation_type> <Sql_constraint [list_of_parameters]>

Parameters:

Parameter	Description
Operation_type	Type of operation to perform on sessions. Only `terminate` is supported in this release.
Sql_constraint	Criteria to select the sessions on which to perform the operation. For example, "username='aa'". It can also be a parametric SQL "`WHERE`" clause that includes $ signs instead of values, for example, `"username=$1 and srcip=$2".` The "`WHERE`" clause means that the first parameter in the `List_of_parameters` will be placed instead of $1, and the second will be as $2.
List_of_parameters	Can be empty or list of parameters to be placed instead of the $ signs in the "`WHERE`" clause.

Examples:

SESSION_OP terminate "username='James Wilson'"

SESSION_OP terminate "username=$1 and srcip=$2" "James Wilson,192.0.2.10"

SELECT

Description: Run a query on the sessions table.

Usage: SELECT <-FIELDS <fields>> [-WHERE <where_clause> [list_of_parameters]] [-GROUPBY <group_by_fields>] [-ORDERBY <order_by_fields>] [-LIMIT <limit_size> [-OFFSET <offset_number>]]

Parameters:

Parameter	Description
FIELDS <fields>	FIELDS flag with list of fields to select delimited by ",".
WHERE <where_clause>	WHERE flag with the SQL WHERE clause. <where_clause> can also include $ signs instead of values, for example, "username=$1 and srcip=$2". This where_clause means that the first parameter in the "List_of_parameters" will be placed instead of $1, and the second will be as $2 .
List_of_parameters	Can be empty or list of parameters to be placed instead of the $ signs in the WHERE clause.
GROUPBY <group_by_fields>	GROUPBY flag with list of fields to group by delimited by ",".
ORDERBY <order_by_fields>	ORDERBY flag with list of fields to order the result by delimited by ",".
LIMIT <limit_size>	LIMIT flag with the limit size.
OFFSET <offset_number>	OFFSET flag with the result offset.

Example:

SELECT -FIELDS "login name,clientname,sessionid" -WHERE "loginname='aa'" -ORDERBY "clientname"