Retrieving Information from a User Directory Server
When a Security Gateway (a dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources) requires user information for authentication, it goes through this process:
- The Security Gateway searches for the user in the internal users database.
- If the specified user is not defined in the internal users database, the Security Gateway queries the LDAP server defined in the Account Unit with the highest priority.
- If the query against the LDAP server with the highest priority fails (for example, the connection is lost), the Security Gateway queries the server with the next highest priority.
  If there is more than one Account Unit, the Account Units are queried concurrently. The results of the query are taken from the first Account Unit that meets the conditions, or from all the Account Units that meet the conditions.
- If the query against all LDAP servers fails, the Security Gateway matches the user against the generic external user profile.
Running User Directory Queries
Use queries to get User Directory (the Check Point Software Blade on a Management Server that integrates LDAP and other external user management servers with Check Point products and security solutions) user or group data. For best performance, query Account Units when there are open connections. The Security Gateways keep some connections open to verify that a user belongs to a group that is permitted to do a specified operation.

- In SmartConsole (the Check Point GUI application used to manage a Check Point environment: configure Security Policies, configure devices, monitor products and events, install updates, and so on), go to Manage & Settings > Blades.
- Click Configure in SmartDashboard.
- In the Objects Tree, click Users.
- Double-click the Account Unit to open a connection to the LDAP server.
- Right-click the Account Unit and select Query Users/Group.
  The LDAP Query Search window opens.
  Click Advanced to select specific object types, such as Users, groups, or templates.
- Define the query.
- To add more conditions, select or enter the values and click Add.
  Query conditions:
  - Attributes - Select a user attribute from the drop-down list, or enter an attribute.
  - Operators - Select an operator from the drop-down list.
  - Value - Enter a value to compare to the entry's attribute. Use the same type and format as the actual user attribute. For example, if Attribute is fw1expiration-date, then Value must be in the yyyymmdd syntax.
  - Free Form - Enter your own query expression. See RFC 1558 for information about the syntax of User Directory (LDAP) query expressions.
  - Add - Appends the condition to the query (in the text box to the right of Search Method).

If you create a query where:
- Attributes=mail
- Contains
- Value=Andy
The server queries the User Directory with this filter:
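As an added example (not Check Point code), the builder below renders Attribute / Operator / Value conditions from the LDAP Query Search window into filter syntax as defined by RFC 4515 (the successor to RFC 1558), and escapes the Value so that text typed into a condition cannot append its own filter clauses. Only Contains appears on this page; the other operator names, and the ANDing of several added conditions, are assumptions.

```python
"""Render LDAP Query Search conditions as an RFC 4515 filter string.
Added example; operator names other than "Contains" and AND-combination
of multiple conditions are assumptions, not documented Check Point behaviour."""
import re

# Characters with special meaning inside a filter value (RFC 4515 section 3).
# Escaping them keeps a value such as  a)(uid=*  from becoming extra clauses.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

# Attribute descriptions: a letter followed by letters, digits or hyphens.
_ATTRIBUTE_RE = re.compile(r"[A-Za-z][A-Za-z0-9-]*")


def escape_value(value: str) -> str:
    """Escape every filter metacharacter in a user-supplied value."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def render_condition(attribute: str, operator: str, value: str) -> str:
    """Render one (Attribute, Operator, Value) row as a single filter item."""
    if not _ATTRIBUTE_RE.fullmatch(attribute):
        raise ValueError(f"invalid attribute name: {attribute!r}")
    # The page notes fw1expiration-date values must use yyyymmdd syntax.
    if attribute.lower() == "fw1expiration-date" and not re.fullmatch(r"\d{8}", value):
        raise ValueError("fw1expiration-date value must be in yyyymmdd syntax")
    v = escape_value(value)
    if operator == "Equals":        # assumed operator name
        return f"({attribute}={v})"
    if operator == "Contains":      # the operator used in the page's example
        return f"({attribute}=*{v}*)"
    if operator == "Starts with":   # assumed operator name
        return f"({attribute}={v}*)"
    if operator == "Ends with":     # assumed operator name
        return f"({attribute}=*{v})"
    if operator == "Not equals":    # assumed operator name
        return f"(!({attribute}={v}))"
    raise ValueError(f"unsupported operator: {operator!r}")


def build_filter(conditions) -> str:
    """Combine the rows added with 'Add' into one filter (ANDed; an assumption)."""
    items = [render_condition(*row) for row in conditions]
    if not items:
        raise ValueError("at least one condition is required")
    return items[0] if len(items) == 1 else "(&" + "".join(items) + ")"


if __name__ == "__main__":
    # Constructed sample rows: the page's mail/Contains/Andy query plus an expiry date.
    print(build_filter([("mail", "Contains", "Andy")]))
    print(build_filter([("uid", "Equals", "andy"), ("fw1expiration-date", "Equals", "20251231")]))
```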
Querying Multiple LDAP Servers
The Security Management Server (a dedicated Check Point server that runs Check Point software to manage the objects and policies in a Check Point environment within a single management Domain; synonym: Single-Domain Security Management Server) and the Security Gateways can work with multiple LDAP servers concurrently. For example, if a Security Gateway needs to find user information and does not know where the specified user is defined, it queries all the LDAP servers in the system. (Sometimes a Security Gateway can find the location of a user by looking at the user DN, when working with certificates.)