UserCheck Interaction Objects for Access Control Software Blades

This section describes how to configure UserCheck Interaction Objects.

UserCheck Interaction Objects add flexibility and give the Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. a mechanism to communicate with users.

You use the UserCheck Interaction Objects in the "Action" column of the Access Control Policy to:

Help users with decisions that can be dangerous to the organization security.
Share the organization changing internet policy for web applications and sites with users, in real-time.

Note - You create and edit UserCheck Interaction objects for the Access Control policy only in SmartConsole Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on..

UserCheck Interaction Action Types

Action Type	Description
Ask	Users get a message that asks if they want to continue to the requested site. UserCheck Interaction with this action type appear in Access Control rules Profiles > when you click in the Action column > in the menu Ask.
Block	Users get a message that the company policy blocked access to the requested site. UserCheck Interaction with this action type appear in Access Control rules Profiles > when you click in the Action column > in the menu Drop.
Cancel	After a user gets an Inform or Ask notification and clicks Cancel, they get a message that they cancelled their request to access a site.
Inform	Users get a message about the company policy for the requested site and they must click OK to continue to the site.

Default UserCheck Interaction Objects for Access Control

Explanation

Notes:

These default objects open in the read-only view.
You can right-click each default object and click Clone.
To preview a default UserCheck Interaction object, click it.

From the left navigation panel, click Security Policies.
In the top panel, click Access Control.
In the bottom panel, click Access Tools, click UserCheck.

These are the default UserCheck Interaction objects for Access Control:

Default UserCheck Interaction Object	Action Type
Company Policy	Ask
Blocked Message - Access Control	Block
Cancel Page - Access Control	Cancel
Access Approval	Inform
Access Notification	Inform

Creating New UserCheck Interaction Objects for Access Control

Procedure

From the left navigation panel, click Security Policies.
In the top panel, click Access Control.
In the bottom panel Access Tools, click UserCheck.

From the top toolbar, click New > click the applicable UserCheck Interaction:

Note - You can right-click a default UserCheck Interaction object > click Clone, and then edit the cloned object as required.

Ask UserCheck

If you select this UserCheck Interaction object in a Threat Prevention profile in the applicable Software Blade Specific security solution (module): (1) On a Security Gateway, each Software Blade inspects specific characteristics of the traffic (2) On a Management Server, each Software Blade enables different management capabilities., then internal users get a message that asks them if they want to continue with the request or not.

To continue with their request, users are expected to enter a reason.
Inform UserCheck

If you select this UserCheck Interaction object in a Threat Prevention profile in the applicable Software Blade, then internal users get an informative message.

Users can continue or cancel their request.
Block UserCheck

If you select this UserCheck Interaction object in a Threat Prevention profile in the applicable Software Blade, then internal users get a message that their request was blocked.

Optional: In the top corner, on the right side of the icon, click the downward arrow and select the desired color.
In the top field, enter an object name.
Optional: In the Comment field, enter the applicable text.

In the left panel, click the Message page:

To select a language for the message (English is the default), above the message section, click the Languages button > select the required languages > click OK.

Note - The corresponding tab appears for each language you select.

To insert a variable field into the message, from the top toolbar, click Insert Field and click the applicable variable.

Notes:

When the Ask, Inform, or Block action occurs, the UserCheck Portal and UserCheck Client replaces these variables with applicable values in the message.
To resolve the Username variable, you must enable the Identity Awareness Software Blade and configure the required settings. See the R82 Identity Awareness Administration Guide.

To add your logo, in the message body, click Add Logo > click > click Add new image > browse to the required image file and select it > click Open.

Notes:

The height of the image must be 176 pixels or less.
The width of the image must be 52 pixels or less.

To insert special fields for user input, from the top toolbar, click Insert User Input and click the applicable option.

Important:

To change the view to raw HTML code, click Source at the top.

To go back, click Design.
You can preview the final message after you save this object.

In the left panel, click the Settings page:

In the Languages section:

Select the language for the UserCheck page, if a user did not configure a default language in their web browser.

In the Faillback Action section:

Note - This section appears only in the UserCheck Interaction object of the type Ask and Inform.

Select the UserCheck action, if it is not possible to show a UserCheck notification on a user's computer:

Fallback Action	Behavior
Allow	Allows the user to access the website or application. The UserCheck Client (if installed) shows the notification.
Drop	The Security Gateway tries to show the notification in the application that caused the notification. If it cannot, and the UserCheck Client is installed, the UserCheck Client shows the notification. Blocks the website or application, even if the user does not see the notification.

Fallback Action

Behavior

Allow

Allows the user to access the website or application.

The UserCheck Client (if installed) shows the notification.

Drop

The Security Gateway tries to show the notification in the application that caused the notification.

If it cannot, and the UserCheck Client is installed, the UserCheck Client shows the notification.

Blocks the website or application, even if the user does not see the notification.

In the Conditions section:

Note - This section appears only in the UserCheck Interaction object of the type Ask and Inform.

Select the required condition that users must meet to send their data through the Security Gateway:

Condition	Behavior
User accepted and selected the confirm checkbox	This applies if on the Message page, from the Insert User Input menu you inserted the element Confirm Checkbox. In the message, users must select the checkbox before they can access the application.
User filled some textual input	This applies if on the Message page, from the Insert User Input menu you inserted the element Textual Input. Users must enter text in the text field before they can access the application. For example, you might require that users to enter an explanation for use of the application.

Condition

Behavior

User accepted and selected the confirm checkbox

This applies if on the Message page, from the Insert User Input menu you inserted the element Confirm Checkbox.

In the message, users must select the checkbox before they can access the application.

User filled some textual input

This applies if on the Message page, from the Insert User Input menu you inserted the element Textual Input.

Users must enter text in the text field before they can access the application.

For example, you might require that users to enter an explanation for use of the application.

In the External Portal section:

Configure whether to redirect users to an external portal instead of showing a UserCheck notification or redirecting them to the UserCheck Portal on the Security Gateway. There is no notification to users about this redirect.

This can be an external system that obtains authentication credentials from the user, such as a user name or password. It sends this information to the Security Gateway.

Select Redirect the user to external portal.
In the URL field, configure the required URL.
Optional: Select Add UserCheck Incident ID to the URL query to append an incident ID to the end of the URL query.

In the URL Template field, enter the path to an XML file on the external portal server, so that it can be sent back to the Security Gateway.

Note - This field appears only in the UserCheck Interaction object of the type Ask and Inform.

In the Pre-Shared Secret field, enter the required string that authenticates the external portal server to the Security Gateway.

Note - This field appears only in the UserCheck Interaction object of the type Ask and Inform.

Click OK.
Preview this UserCheck Interaction in the right pane in each available language and each available view:
- Regular View
- Mobile
- Agent
- Email
- R80.10 and Higher Gateways
- Earlier Gateways
Install the Access Control Policy.