User Directory

The Check Point User Directory, the Software Blade on a Management Server that integrates LDAP and other external user management servers with Check Point products and security solutions, stores user-specific information.

Note - User Directory requires a special license. If you have the Mobile Access Software Blade, you have the User Directory license.

The User Directory lets you:

User Directory Considerations

Before you begin, plan your use of User Directory.

  • Decide whether to use the User Directory servers for user management, CRL retrieval, user authentication, or all of those.

    See Working with LDAP Account Units.

  • Decide how many Account Units you need.

    You can have one for each User Directory server, or you can divide branches of one User Directory server among different Account Units.

    See Account Units.

  • Decide whether to use High Availability setup.

    See Account Units and High Availability.

  • Determine the order of priority among the User Directory servers for High Availability and querying purposes.

    See Setting High Availability Priority.

  • Assign users to different Account Units, branches, and sub-branches, so that users with common attributes (such as their role in the organization, permissions, and so on) are grouped together.

    See Managing Users on a User Directory Server.

Deploying User Directory

User Directory integrates the Security Management Server and an LDAP server and lets the Security Gateways use the LDAP information.

Item  Description

1     Security Gateway - Retrieves LDAP user information and CRLs

2     Internet

3     Security Gateway - Queries LDAP user information, retrieves CRLs, and does bind operations for authentication

4     Security Management Server - Uses User Directory to manage user information

5     LDAP server - Server that holds one or more Account Units

Enabling User Directory

In SmartConsole, enable the Security Management Server to manage users in the Account Unit. See Working with LDAP Account Units.

Note - You cannot use the SmartConsole User Database when the User Directory LDAP server is enabled.

User Directory Schema for LDAP

The User Directory default schema is a description of the structure of the data in a user directory.

It has user definitions defined for an LDAP server.

This schema does not have Security Management Server or Security Gateway specific data, such as IKE-related attributes, authentication methods, or values for remote users.

You can use the default User Directory schema, if all users have the same authentication method and are defined according to a default template.

But if users in the database have different definitions, it is better to apply a Check Point schema to the LDAP server.

See User Directory Schema for LDAP.

The Check Point Schema adds Security Management Server and Security Gateway specific data to the structure in the LDAP server.

Use the Check Point Schema to extend the definition of objects with user authentication functionality.

For example, an Object Class entitled fw1Person is part of the Check Point schema.

This Object Class has mandatory and optional attributes to add to the definition of the Person attribute.

Another example is fw1Template. This is a standalone attribute that defines a template of user information.

Schema Checking

When schema checking is enabled, User Directory requires that every Check Point object class and its associated attributes is defined in the directory schema.

Before you work with User Directory, make sure that schema checking is disabled. Otherwise the integration will fail.

After the Check Point object classes and attributes are applied to the User Directory server's schema, you must enable schema checking again.
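The following is an added example, not Check Point's own code, that models the schema checking behaviour described above: while checking is enabled, an entry that names an object class the directory schema does not define is rejected, so the Check Point classes must be applied with checking disabled and checking re-enabled afterwards. The two object class names and OIDs are the ones listed on this page; the stock object classes, the sample user entry and the validation rule itself are constructed simplifications of what a real LDAP server enforces.

```python
"""Toy model of LDAP schema checking applied to the Check Point schema.

Added example, not Check Point's code. The stock classes, the sample
entry and the validation rule are constructed for illustration.
"""

# Check Point object classes and their OIDs (as listed on the page).
CHECK_POINT_OBJECT_CLASSES = {
    "fw1template": "1.3.114.7.4.2.0.1",
    "fw1person": "1.3.114.7.4.2.0.2",
}
CHECK_POINT_OID_PREFIX = "1.3.114.7.4.2.0."

# Constructed stock schema: what the directory knows before extension.
STOCK_OBJECT_CLASSES = {
    "top": "2.5.6.0",
    "person": "2.5.6.6",
    "groupOfNames": "2.5.6.9",
}


class SchemaViolation(Exception):
    """An entry names an object class the schema does not define."""


class LdapServer:
    def __init__(self, schema_checking=True):
        # LDAP object class names are case-insensitive; key by lower case.
        self.object_classes = {n.lower(): oid for n, oid in STOCK_OBJECT_CLASSES.items()}
        self.schema_checking = schema_checking
        self.entries = {}

    def undefined_classes(self, entry):
        """Object classes on the entry that the current schema lacks."""
        return [c for c in entry.get("objectClass", [])
                if c.lower() not in self.object_classes]

    def add(self, dn, entry):
        """Store an entry; with checking enabled, reject unknown classes."""
        if self.schema_checking:
            missing = self.undefined_classes(entry)
            if missing:
                raise SchemaViolation(f"{dn}: undefined object class(es) {missing}")
        self.entries[dn] = entry

    def try_add(self, dn, entry):
        try:
            self.add(dn, entry)
            return True
        except SchemaViolation:
            return False

    def extend_schema(self, classes):
        """Apply object classes to the schema; only allowed while checking is off,
        mirroring the page's note that the integration fails otherwise."""
        if self.schema_checking:
            raise RuntimeError("disable schema checking before applying new object classes")
        for name, oid in classes.items():
            self.object_classes[name.lower()] = oid


def apply_check_point_schema(server):
    """The page's procedure: disable checking, apply the classes, re-enable."""
    server.schema_checking = False
    server.extend_schema(CHECK_POINT_OBJECT_CLASSES)
    server.schema_checking = True
    return server


def demo():
    """Returns (rejected before schema applied, accepted after, checking on)."""
    server = LdapServer(schema_checking=True)
    dn = "cn=alice,ou=people,dc=example,dc=com"   # constructed sample user
    alice = {"objectClass": ["top", "person", "fw1person"], "cn": ["alice"], "sn": ["Example"]}
    rejected_before = not server.try_add(dn, alice)
    apply_check_point_schema(server)
    accepted_after = server.try_add(dn, alice)
    return rejected_before, accepted_after, server.schema_checking


if __name__ == "__main__":
    print(demo())
```

Running the block shows the fw1person entry being refused until the Check Point classes are in the schema, and that checking is back on at the end, which is the state the text requires before normal operation resumes.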

OID Proprietary Attributes

Each of the proprietary object classes and attributes (all of which begin with "fw1") has a proprietary Object Identifier (OID), listed below.

Object Class OIDs

object class   OID

fw1template    1.3.114.7.4.2.0.1

fw1person      1.3.114.7.4.2.0.2

The OIDs for the proprietary attributes begin with the same prefix ("1.3.114.7.4.2.0.X").

Only the value of "X" is different for each attribute.

See User Directory Schema Attributes.

User Directory Schema Attributes

Fetch User Information Effectively

User Directory servers organize groups and members through different means and relations. User Directory operations are performed by Check Point on users, groups of users, and user templates where the template is defined as a group entry and users are its members. The mode in which groups/templates and users are defined has a profound effect on the performance of some of the Check Point functionality when fetching user information. There are three different modes:

  • Defining a "Member" attribute per member, or "Member" user-to-group membership mode. In this case, the group entry carries a "Member" attribute value for each of its members, where the value is the DN of that member.

  • Defining a "MemberOf" attribute per member, or "MemberOf" user-to-group membership mode. In this case, each member (user) entry gets the "MemberOf" attribute, where the value of this attribute is the DN of a group entry.

  • Defining a "MemberOf" attribute per member and group, or "Both" user-to-group membership mode. In this case, both members and groups are given the "MemberOf" attribute.

The most effective modes are "MemberOf" and "Both", where a user's group membership information is available on the user entry itself and no additional User Directory queries are necessary.
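The following is an added example, not Check Point's code, that shows why the "MemberOf" and "Both" modes are cheaper: it fetches a user's groups from a small in-memory directory in each mode and counts the round trips a client would need. The directory (a dict of DN to attributes), the DNs and the query counter are constructed for this example; the rule that "Both" also stamps "MemberOf" on groups that are members of other groups, while "MemberOf" stamps only user entries, is an assumption drawn from the three descriptions above. The convert_membership_mode function also illustrates the database conversion that the next section, Setting User-to-Group Membership Mode, refers to.

```python
"""Added example, not Check Point's code: the cost of fetching a user's
groups under the "Member", "MemberOf" and "Both" membership modes.

The directory is a constructed in-memory stand-in for an LDAP server;
query counting stands in for client round trips.
"""

GROUP_CLASS = "groupOfNames"


class Directory:
    def __init__(self, entries):
        self.entries = entries   # DN -> {attribute: [values]}
        self.queries = 0         # round trips since the last reset

    def read(self, dn):
        """One LDAP read of a single entry by DN."""
        self.queries += 1
        return self.entries[dn]

    def search(self, object_class, attr, value):
        """One LDAP search: DNs of entries of object_class whose attr holds value."""
        self.queries += 1
        return [dn for dn, e in self.entries.items()
                if object_class in e.get("objectClass", []) and value in e.get(attr, [])]


# Constructed sample DNs.
ALICE = "cn=alice,ou=people,dc=example,dc=com"
BOB = "cn=bob,ou=people,dc=example,dc=com"
VPN_USERS = "cn=vpn-users,ou=groups,dc=example,dc=com"
ADMINS = "cn=admins,ou=groups,dc=example,dc=com"
ALL_STAFF = "cn=all-staff,ou=groups,dc=example,dc=com"


def sample_directory():
    """Sample data stored in "Member" mode: each group entry carries one
    member value per member, holding that member's DN."""
    return Directory({
        ALICE: {"objectClass": ["person", "fw1person"], "cn": ["alice"]},
        BOB: {"objectClass": ["person", "fw1person"], "cn": ["bob"]},
        VPN_USERS: {"objectClass": [GROUP_CLASS], "member": [ALICE, BOB]},
        ADMINS: {"objectClass": [GROUP_CLASS], "member": [ALICE]},
        ALL_STAFF: {"objectClass": [GROUP_CLASS], "member": [VPN_USERS]},  # nested group
    })


def convert_membership_mode(directory, mode):
    """Derive memberOf values from the existing member values.

    "Member": nothing to do. "MemberOf": every user entry gets memberOf.
    "Both": groups that are members of other groups get memberOf as well
    (assumption for this example).
    """
    if mode == "Member":
        return directory
    if mode not in ("MemberOf", "Both"):
        raise ValueError(f"unknown GroupMembership value: {mode!r}")
    for group_dn, group in directory.entries.items():
        for member_dn in group.get("member", []):
            member = directory.entries[member_dn]
            if GROUP_CLASS in member["objectClass"] and mode != "Both":
                continue  # in "MemberOf" mode only user entries carry memberOf
            member.setdefault("memberOf", []).append(group_dn)
    return directory


def fetch_groups(directory, user_dn, mode):
    """Return (sorted DNs of the user's direct groups, queries used)."""
    directory.queries = 0
    user = directory.read(user_dn)
    if mode == "Member":
        # Membership lives on the group entries: one extra search is needed.
        groups = directory.search(GROUP_CLASS, "member", user_dn)
    else:
        # "MemberOf" / "Both": membership is on the user entry already read.
        groups = list(user.get("memberOf", []))
    return sorted(groups), directory.queries


if __name__ == "__main__":
    for mode in ("Member", "MemberOf", "Both"):
        d = convert_membership_mode(sample_directory(), mode)
        print(mode, fetch_groups(d, ALICE, mode))
```

In "Member" mode every group lookup costs an extra search against the group entries; in the other two modes the groups come back with the user entry, which is the saving the text describes. A real conversion would also have to keep "member" and "memberOf" consistent on every later change, which is why the choice is made once per User Directory server profile.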

Setting User-to-Group Membership Mode

Set the user-to-group membership mode in the profile objects for each User Directory server in the objects_5_0.C file.

  • To specify the user-to-group and template-to-group membership mode, set the GroupMembership attribute to one of the following values: "Member", "MemberOf", or "Both".

  • To specify the user-to-template membership mode, set the TemplateMembership attribute to one of the following values: "Member" or "MemberOf".

After successfully converting the database, set the User Directory server profile in the objects_5_0.C file to the proper membership setting and start the Security Management Server.

Make sure to install the policy and user database on all Security Gateways to enable the new configuration.

Profile Attributes