Threat Prevention and UserCheck

Watch the Video

When you enable the UserCheckClosed Functionality in your Security Gateway or Cluster and endpoint clients that gives users a warning when there is a potential risk of data loss or security violation. This helps users to prevent security incidents and to learn about the organizational security policy. feature, the Security GatewayClosed Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. sends messages to users about possible non-compliant behavior or dangerous Internet browsing, based on the rules an administrator configured in the Security PolicyClosed Collection of rules that control network traffic and enforce organization guidelines for data protection and access to resources with packet inspection.. This helps users prevent security incidents and learn about the organizational security policy. You can develop an effective policy based on logged user responses.

These Software Blades support the UserCheck feature:

Configuring UserCheck on the Security Gateway

Enable or disable UserCheck directly on the Security Gateway. If users connect to the Security Gateway remotely, set the internal interface of the Security Gateway (on the Topology page) to be the same as the Main URL for the UserCheck Portal.

Step

Instructions

1

Go to the gateway editor, > UserCheck, and select Enable UserCheck for active blades.

2

In the UserCheck Web Portal section:

The Main URL field shows the primary URL for the web portal that shows the UserCheck notifications.

You can use the suggested Main URL or manually enter a different Main URL.

3

Optional:

Click Aliases to add URL aliases that redirect different hostnames to the Main URL. For example: Usercheck.mycompany.com

The aliases must be resolved to the portal IP address on the corporate DNS server.

4

In the Certificate section, click Import to import a certificate that the portal uses to authenticate to the Security Management ServerClosed Dedicated Check Point server that runs Check Point software to manage the objects and policies in a Check Point environment within a single management Domain. Synonym: Single-Domain Security Management Server..

By default, the portal uses a certificate from the Check Point Internal Certificate Authority (ICAClosed Internal Certificate Authority. A component on Check Point Management Server that issues certificates for authentication.). This might generate warnings if the user browser does not recognize Check Point as a trusted Certificate Authority. To prevent these warnings, import your own certificate from a recognized external authority.

Note - After you download your certificate, you can click Replace to replace it with a different certificate, and click View to see the certificate information.

5

In the Accessibility section, click Edit to configure interfaces on the Security Gateway through which the portal can be accessed. These options are based on the topology configured for the Security Gateway. The topology must be configured.

If the Main URL is set to an external interface, you must set the Accessibility option to one of these:

6

UserCheck Client - The UserCheck Client is installed on Endpoint devices to communicate with the Security Gateway and show UserCheck Interaction notifications to users.

  • Activate UserCheck Client support - This enables UserCheck through the client.

  • Click Download Client to download the installation file for the UserCheck Client.

    Note - The link is not active until the UserCheck Portal is up.

For more information about installation and configuration of the UserCheck Client, see .

7

In the Mail Server section, configure a mail server for UserCheck. This server sends notifications to users that the Security Gateway cannot notify using other means, if the server knows the email address of the user. For example, if a user sends an email which matched on a rule, the Security Gateway cannot redirect the user to the UserCheck Portal because the traffic is not HTTP.

  • Use the default settings - Click the link to see which mail server is configured.

  • Use specific settings for this gateway - Select this option to override the default mail server settings.

  • Send emails using this mail server - Select a mail server from the list, or click New and define a new mail server.

8

Click OK.

9

If there is encrypted traffic through an internal interface, add a new rule to the Firewall Layer of the Access Control Policy.

Source

Destination

VPN

Services & Applications

Action

Any

Security Gateway on which UserCheck Client is enabled

Any

UserCheck

Accept

10

Install the Access Control Policy.

The Threat Prevention UserCheck Interaction Objects

UserCheck Interaction objects add flexibility and give the Security Gateway a mechanism to communicate with users.

UserCheck Interaction objects:

  • Help users with decisions that can be dangerous to the organization security.

  • Share the organization's changing internet policy for web applications and sites with users, in real-time.

When UserCheck is enabled, the user's Internet browser shows the UserCheck Interaction messages in a new window.

The UserCheck page contains default UserCheck Interaction messages. You can edit, and preview UserCheck Interaction objects and their messages.

To see the existing UserCheck Interaction objects:

In SmartConsoleClosed Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on., go to Security Policies > Threat Prevention > Custom Policy Tools > UserCheck.

Name

Action Type

Description

[Software Blade] Blocked

Block

Shows when a request is blocked.

Company Policy [Software Blade]

AskClosed UserCheck rule action that blocks traffic and files and shows a UserCheck message. The user can agree to allow the activity.

Shows when the action for the rule is Ask. It informs users the company policy for the specific site, and they must click OK to continue to the site.

[Software Blade] Success Page

Approve

Shows when the action for the rule is Approve. From the Success page you can download the links to the original file or receive the original email.

Cancel Page Anti-Malware

Cancel

The Ask and Approve pages include a Cancel button that you can click to cancel the request.

You can preview each message page in these views:

  • Agent - How the message shows in the UserCheck agent

  • Email - How the message shows in an email

  • Mobile Device - How the message shows in a web browser on a mobile device

  • Regular view - How the message shows in a web browser on a PC or laptop

Creating Threat Prevention UserCheck Objects

Step

Instructions

1

In the UserCheck page, click New, and then select the object type:

  • Ask

    Shows a message to users that asks them if they want to continue with the request or not. To continue with the request, the user is expected to supply a reason.

  • Inform

    Shows an informative message to users. Users can continue to the application or cancel the request.

  • Block

    Shows a message to users and blocks the application request.

The window opens for the new UserCheck object.

2

Enter Object Name.

3

From the menu-bar in the UserCheck object window, click the applicable option:

  • Source - Enter HTML code

  • Design - Enter text with formatting buttons and options

4

Optional: Click Language and select one or more languages for the message.

The default language for messages is English.

5

Enter the text for the title, subtitle, and body of the message.
In Source mode, in the body of the message, click these options for additional functionality.

6

Click Add logo to add a graphic to the message.

The size of the graphic must be 176 x 52 pixels.

7

You can also click Settings from the navigation tree to configure one or more of these options.

  • Languages - Select a language in case the user browser language is not defined.

  • For the Ask and Inform UserCheck Interaction objects, you can select a Fallback Action if the user cannot see the message.
    Select one of these messages:

    • Drop - The connection or traffic is dropped and does not enter the internal network.

    • Accept - The connection or traffic is accepted and enters the internal network.

  • For an Ask UserCheck Interaction object, you can configure Conditions:

    The UserCheck message can contain these items that require user interaction (shown with sample messages). The traffic is allowed only after the user does the necessary actions. Select one or both options:

    • User accepted and selected the confirm checkbox - User is ignoring the warning and wishes to continue. This applies if on the Message page from the Insert User Input menu you inserted the element Confirm Checkbox.

    • User entered the required textual input in the user input field - The user must enter the reason for ignoring the Threat Prevention warning. This applies if on the Message page from the Insert User Input menu you inserted the element Textual Input

    Important - The traffic or connection is blocked until the user does the necessary actions.

  • Redirect the user to an external portal:

    You can configure UserCheck to redirect the user to an external UserCheck Portal and the user does not see this UserCheck message.

    In External Portal, enter the URL for the external portal. The URL can be an external system that obtains authentication credentials from the user, such as a user name or password. It sends this information to the Security Gateway.

    Optional:

    Select Add UserCheck Incident ID to the URL query to add an incident ID to the end of the URL query.

    Confirmation sent to the gateway:

    • The URL template field points to an XML file. This file should be placed on the external portal so that it can be sent back to the Security Gateway.

    • The pre-shared secret authenticates the external portal to the Security Gateway.

8

Click OK.

9

Install the Threat Prevention policy.

Selecting Approved and Cancel UserCheck Messages

The Approved Page and Cancel Page:

  • Approved Page - Only applicable for Threat Extraction. When Threat Extraction sends you a clean file, you can select to download the original file. If you select to download the original file, you receive a UserCheck success message. If you select not to download the original file, you receive a UserCheck cancel message.

  • The Cancel Page - Applicable to all the Threat Prevention Software Blade. The page shows after you refuse to receive access to a page or a file.

To select the Approved Page and Cancel Page:

Step

Instructions

1

Go to Manage & Settings > Blades > Threat Prevention > UserCheck.

2

From the drop-down menus, select an Approved Page, a Cancel Page or both.

3

Click OK.

4

Install Policy.