Working with User Awareness

In the User Awareness page you can turn the blade on or off and use the configuration wizard to configure sources to get user identities, for logging and configuration purposes.

User Awareness lets you configure the Check Point Appliance to show user-based logs instead of IP-address-based logs and to enforce access control for individual users and user groups.

To use User Awareness, you must configure identification methods to get information about users and user groups. After the gateway acquires the identity of a user, user-based rules can be enforced on the network traffic in the Access Policy.

User Awareness can use these sources to identify users:

  • Active Directory Queries - Seamlessly queries the AD (Active Directory) servers to get user information.

  • Browser-Based Authentication - Uses a portal to authenticate either locally defined users or as a backup to other identification methods.

AD Query

The Check Point Appliance registers to receive security event logs from the AD domain controllers when the security policy is installed. This requires administrator privileges for the AD server. When a user authenticates with AD credentials, these event logs are generated and are sent to the Security Gateway. The Check Point Appliance can then identify the user based on the AD security event log.
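The following is an added illustration of the identity mechanism described above, not Check Point code and not the appliance's actual log format. It models how an AD-query identity source turns domain controller security events into a source-IP-to-user table: only successful logon events create a mapping, failed logons and machine accounts are ignored, and a later logon from the same address replaces the earlier identity. The event lines are constructed in a simplified `key=value` form; the assumption that Windows event ID 4624 (successful logon) and 4625 (failed logon) are the relevant records is the example's, not the page's.

```python
"""Model of an AD-query identity source (added example, not Check Point code).

Constructed, simplified Windows Security event records are mapped to a
source-IP -> user identity table.  Assumed event IDs: 4624 = successful
logon, 4625 = failed logon.  Real event text is far richer than these lines.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

# Constructed sample records (not real log output).
SAMPLE_EVENTS = [
    "EventID=4624 Account=alice Domain=CORP SourceIP=10.0.1.25 LogonType=3",
    "EventID=4624 Account=bob Domain=CORP SourceIP=10.0.1.40 LogonType=2",
    # A domain controller's machine account also logs on; it is not a user.
    "EventID=4624 Account=CORP-DC01$ Domain=CORP SourceIP=10.0.0.5 LogonType=3",
    # A failed logon must never create an identity.
    "EventID=4625 Account=eve Domain=CORP SourceIP=10.0.1.99 LogonType=3",
    # The same workstation later logs on as a different user: the mapping
    # for 10.0.1.25 is replaced, it does not accumulate two identities.
    "EventID=4624 Account=carol Domain=CORP SourceIP=10.0.1.25 LogonType=2",
]

SUCCESSFUL_LOGON = "4624"
FAILED_LOGON = "4625"

_FIELD = re.compile(r"(\w+)=(\S+)")


@dataclass
class Identity:
    user: str
    domain: str
    ip: str


def parse_event(line: str) -> Dict[str, str]:
    """Split one simplified 'key=value key=value' record into a dict."""
    return dict(_FIELD.findall(line))


def is_user_account(account: str) -> bool:
    """Machine accounts end in '$' and should not be treated as users."""
    return bool(account) and not account.endswith("$")


def build_identity_map(lines: Iterable[str]) -> Dict[str, Identity]:
    """Return a source-IP -> Identity table built from logon events."""
    ip_to_identity: Dict[str, Identity] = {}
    for line in lines:
        ev = parse_event(line)
        account = ev.get("Account", "")
        ip = ev.get("SourceIP")
        if not ip or not is_user_account(account):
            continue
        if ev.get("EventID") == SUCCESSFUL_LOGON:
            # Last successful logon from an address wins.
            ip_to_identity[ip] = Identity(account, ev.get("Domain", ""), ip)
        # FAILED_LOGON and any other event ID leave the table untouched.
    return ip_to_identity


def lookup(ip_to_identity: Dict[str, Identity], ip: str) -> Optional[str]:
    """Resolve an address to 'DOMAIN\\user', or None if it is unidentified."""
    ident = ip_to_identity.get(ip)
    return f"{ident.domain}\\{ident.user}" if ident else None


if __name__ == "__main__":
    table = build_identity_map(SAMPLE_EVENTS)
    for ip in ("10.0.1.25", "10.0.1.40", "10.0.0.5", "10.0.1.99"):
        print(ip, "->", lookup(table, ip))
```

Because the mapping is keyed only by source address, a shared address (a terminal server, a NAT boundary, or a host where a second user logs on) is exactly where this method mis-attributes traffic, which is why the page pairs AD Query with Browser-Based Authentication as a fallback.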

Browser-Based Authentication

Browser-Based Authentication uses a web interface to authenticate users before they can access network resources or the Internet. When users try to access a protected resource, they must log in to a web page to continue. This method identifies locally defined users or users that were not successfully identified by other methods. You can configure Browser-Based Authentication to appear for all traffic, but because this method of identification is not seamless to end users, it is commonly configured to appear only when users access specific network resources or the Internet, to avoid the overhead of users having to identify themselves. For traffic that is not HTTP based, you can also configure that all unidentified users are blocked from accessing the configured resources or the Internet until they first identify themselves through Browser-Based Authentication.

To turn User Awareness on or off:

Select the On or Off option.

Note - When the blade is managed by Cloud Services, a lock icon is shown. You cannot toggle between the on and off states. If you change other policy settings, the change is temporary. Any changes made locally are overridden in the next synchronization between the gateway and Cloud Services.

Use the User Awareness configuration wizard to enable and configure the blade. You can configure the basic details of the identity sources. After initial configuration, you can select the Active Directory Queries or Browser-Based Authentication checkboxes under Policy Configuration and click Configure to configure more advanced settings.

To configure User Awareness with the wizard:

  1. Click the configuration wizard link.

    The User Awareness Wizard opens.

  2. Select one or more user identification methods (see above for descriptions of methods) and click Next.

For Active Directory Queries:

If you have an existing Active Directory server, click Use existing Active Directory servers.

To add a new Active Directory Domain:

  1. Select Active Directory Queries and click Configure.

    The Active Directory Queries window opens.

  2. Select Define a new Active Directory server.

  3. Enter:

    • Domain

    • IPv4 address

    • User name

    • Password

    • User DN - Click Discover for automatic discovery of the DN of the object that represents that user or enter the user DN manually.

  4. To select user groups from specific branches, select the checkbox Use user groups from specific branch only. Click Add and enter a branch path in the AD Branch field.

  5. Click Apply.

You can also add a new AD Domain in the Users & Objects > Authentication Servers page.

For Browser-Based Authentication:

  1. To block access for unauthenticated users when the portal is not available, select Block unauthenticated users when the captive portal is not applicable. This option forces users whose traffic is not HTTP to log in first through Browser-Based Authentication.

  2. Select whether unidentified users are redirected to the Captive Portal for All traffic or for Specific destinations. In most cases, All traffic is not used, because redirecting all traffic is not a seamless identification method.

  3. Under Specific destinations, select Internet or Selected network objects. If you select Selected network objects, select the objects from the list or create new objects.

  4. Click Finish.

To edit settings and configure portal customization for Browser-Based Authentication:

  1. Under Policy Configuration, select Browser-Based Authentication and click Configure.

  2. In the Identification tab, you can edit settings configured in the wizard if necessary.

  3. In the Customization tab, select the relevant options:

    • Users must agree to the following conditions - You can require that users agree to legal conditions. In the text box, enter the conditions that are shown to the user.

    • Upload - Lets you upload a company logo. Browse to the logo file and click Apply. The logo is shown in the Displayed Logo section.

    • Use Default - Uses the default logo.

  4. In the Advanced tab:

    • Portal Address - Keep the default setting, which is the address on the Check Point Appliance that the Captive Portal runs on, or enter a different portal address.

    • Session timeout - Sets how long an authenticated user can access the network or Internet before they must authenticate again.

    • Enable Unregistered guests login - Allows an unregistered guest user to be identified in the logs by name and not only by IP address. An unregistered user is an unmanaged non-AD user, typically a partner or a contractor. To gain access, guests enter their company name, email address, phone number (optional), and name.

      Configure the Guest Session timeout. This is the number of minutes for which a guest user can access network resources. The default timeout is 180 minutes.

      Guest access is logged. The name of the guest shows in the User column of the Logs and Monitoring tab. The other details show in the full log entry.

    • Force quick cache timeout if user closes portal window - When the portal is closed, the user is logged out.

  5. Click Apply.
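The following added example, not Check Point code, models the behaviour selected by the wizard options for Browser-Based Authentication (All traffic or Specific destinations, and Block unauthenticated users when the captive portal is not applicable) together with the Advanced tab timeouts (Session timeout, Guest Session timeout, and logout when the portal window is closed). The 180-minute guest default comes from the page; the 60-minute session timeout, the network addresses, the user names and the `PortalConfig`/`IdentityStore` names are constructed for the example, and the appliance's real decision logic is not claimed here.

```python
"""Model of Browser-Based Authentication decisions (added example, not
Check Point code).  Names, addresses and the 60-minute session default are
constructed; the 180-minute guest default is the one stated in the guide.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

# Possible outcomes for one connection attempt.
PASS = "pass-to-access-policy"      # identified or not a protected destination
REDIRECT = "redirect-to-portal"     # HTTP from an unidentified user
BLOCK = "block-until-identified"    # non-HTTP from an unidentified user


@dataclass
class PortalConfig:
    redirect_all_traffic: bool = False           # "All traffic" vs "Specific destinations"
    protected_networks: List[str] = field(default_factory=list)  # "Selected network objects"
    block_unauth_non_http: bool = False          # "Block unauthenticated users when ... not applicable"
    session_timeout_min: int = 60                # constructed default
    guest_timeout_min: int = 180                 # default named in the guide


@dataclass
class Session:
    user: str
    expires_at: float   # epoch seconds
    guest: bool = False


class IdentityStore:
    """Source-IP -> Session table with timeout enforcement."""

    def __init__(self, cfg: PortalConfig) -> None:
        self.cfg = cfg
        self.sessions: Dict[str, Session] = {}

    def login(self, ip: str, user: str, now: float, guest: bool = False) -> None:
        minutes = self.cfg.guest_timeout_min if guest else self.cfg.session_timeout_min
        self.sessions[ip] = Session(user, now + minutes * 60, guest)

    def logout(self, ip: str) -> None:
        """'Force quick cache timeout if user closes portal window'."""
        self.sessions.pop(ip, None)

    def identify(self, ip: str, now: float) -> Optional[str]:
        """Return the user for an address, dropping the session if it expired."""
        session = self.sessions.get(ip)
        if session is None:
            return None
        if now >= session.expires_at:
            del self.sessions[ip]
            return None
        return session.user


def is_protected(cfg: PortalConfig, dst_ip: str) -> bool:
    if cfg.redirect_all_traffic:
        return True
    return any(ip_address(dst_ip) in ip_network(net) for net in cfg.protected_networks)


def decide(cfg: PortalConfig, store: IdentityStore,
           src_ip: str, dst_ip: str, proto: str, now: float) -> str:
    """Decide what happens to one connection from src_ip to dst_ip."""
    if store.identify(src_ip, now) is not None:
        return PASS                      # identified: normal rule base applies
    if not is_protected(cfg, dst_ip):
        return PASS                      # portal only guards configured destinations
    if proto == "http":
        return REDIRECT                  # the browser can be sent to the portal
    return BLOCK if cfg.block_unauth_non_http else PASS


if __name__ == "__main__":
    cfg = PortalConfig(protected_networks=["203.0.113.0/24"], block_unauth_non_http=True)
    store = IdentityStore(cfg)
    t0 = 1_000.0
    print(decide(cfg, store, "10.0.1.50", "203.0.113.10", "http", t0))   # redirect
    store.login("10.0.1.50", "alice", t0)
    print(decide(cfg, store, "10.0.1.50", "203.0.113.10", "http", t0))   # pass
```

The order of the checks matters: an identified user is never redirected, a destination outside the configured objects never triggers the portal, and the block option only applies where a redirect is impossible because the traffic is not HTTP. Expiry is checked on every lookup, so a user whose session has timed out is treated exactly like a new, unidentified address.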

Note - This page is available from Access Policy > User Awareness Blade Control and Users & Objects > User Awareness.