Working with User Awareness
In the User Awareness page you can turn the blade on or off and use the configuration wizard to configure the sources from which the gateway gets user identities for logging and access control purposes.
User Awareness lets you configure the Quantum Spark Appliance to show user-based logs instead of IP address-based logs and to enforce access control for individual users and user groups.
Workflow
- Turn on the User Awareness Software Blade.
- Click the Configuration wizard to enable and configure the blade.
- Select the identification methods to get information about users and user groups and configure the identity sources.
- After initial configuration, you can select the Active Directory Queries, Browser-Based Authentication, or Identity Collector checkboxes in the Policy Configuration section and click Configure for more advanced settings.
- After the gateway acquires the identity of a user, you can enforce user-based rules on the network traffic in the Access Policy.
Identity Sources
User Awareness can use these sources to identify users:
- AD Query (Active Directory Queries) - Seamlessly queries the Active Directory servers to get user information.
  The Quantum Spark Appliance registers to receive security event logs from the AD domain controllers when the security policy is installed. This requires administrator privileges on the AD server. Because the gateway stores the credentials of this account, use a dedicated service account for AD Query rather than a personal administrator account. When a user authenticates with AD credentials, these event logs are generated and sent to the Security Gateway. The Quantum Spark Appliance can then identify the user based on the AD security event log.
- Browser-Based Authentication - Uses a portal to authenticate either locally defined users or, as a backup to other identification methods, users that those methods did not identify.
  - Browser-Based Authentication uses a web interface to authenticate users before they can access network resources or the Internet. When users try to access a protected resource, they must log in to a web page to continue. This identifies locally defined users or users that were not successfully identified by other methods.
  - You can configure Browser-Based Authentication to appear for all traffic. This identification method is commonly configured to appear only when users access specific network resources or the Internet, to avoid the overhead of asking end users to identify themselves.
  - For traffic that is not HTTP based, you can also configure that all unidentified users are blocked from accessing the configured resources or the Internet until they first identify themselves through Browser-Based Authentication.
- Identity Collector - Collects information about identities and their associated IP addresses and sends it to the Security Gateway for identity enforcement.
  Note - In the R81.10.X releases, this feature is available starting from the R81.10.05 version.
Enabling User Awareness
- Select the On or Off option.
  Note - When the blade is managed by Cloud Services, a lock icon is shown. You cannot toggle between the on and off states. If you change other policy settings, the change is temporary. Any changes made locally are overridden in the next synchronization between the gateway and Cloud Services.
- Click the Configuration wizard link.
  The User Awareness Wizard opens.
- Select one or more user identification methods and click Next.
- Follow the rest of the steps and click Finish.
- After initial configuration, you can select the Active Directory Queries, Browser-Based Authentication, or Identity Collector checkboxes under Policy Configuration and click Configure to configure more advanced settings.
Active Directory Queries:
If you have an existing Active Directory server, click Use existing Active Directory servers.

- Select Active Directory Queries and click Configure.
  The Active Directory Queries window opens.
- Select Define a new Active Directory server.
- Enter:
  - Domain
  - IPv4 address
  - IPv6 address
  - User name
  - Password
  - User DN - Click Discover for automatic discovery of the DN of the object that represents that user, or enter the user DN manually.
- To select user groups from specific branches only, select the checkbox Use user groups from specific branch only.
  Click Add and enter a branch path in the AD Branch field.
- Click Apply.
You can also add a new AD Domain in the Users & Objects > Authentication Servers page.

To make the gateway use the NTLMv2 protocol when it authenticates to the domain controllers for Active Directory Queries, follow one of these procedures:
In WebUI:
- Connect to the WebUI on the Quantum Spark Gateway / each Cluster Member.
- Click the Device view > Advanced section > Advanced Settings page.
- In the top search field, enter:
  ntlm
- Double-click the parameter User Awareness - Use NTLMv2 protocol for Active Directory Queries.
- Select Use NTLMv2 protocol for Active Directory Queries.
- Click Save.
In Gaia Clish:
- Connect to the command line on the Quantum Spark Gateway / each Cluster Member.
- If the default shell is the Expert mode, go to Gaia Clish:
  clish
- Run:
  set user-awareness advanced-settings use-ntlmv2 true
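As an added example (not Check Point documentation or code), the following PowerShell script, run in an elevated session on a domain controller, checks the two things the AD Query description above and the NTLMv2 procedure depend on: that the DC is recording the successful-logon events from which a user-to-IP mapping is built, and which LM package the gateway's own logons to the DC use, which should read NTLM V2 on every cluster member once use-ntlmv2 is set. The gateway address 192.0.2.10, the use of Event ID 4624 as the event of interest, and the one-hour window are assumptions; the gateway's reads of the Security log show up as network logons from its IP address.

```powershell
# Added example, not Check Point code. Run in an elevated PowerShell session on a
# domain controller. Assumptions: the appliance address (default below) and that
# Event ID 4624 (successful logon) is the event worth inspecting.
param(
    [string]$GatewayIp = '192.0.2.10',  # assumption: replace with the Quantum Spark appliance address
    [int]$Hours = 1                     # how far back to read the Security log
)

# Pull one named field out of an event's EventData without relying on property positions.
function Get-EventField {
    param(
        [System.Diagnostics.Eventing.Reader.EventRecord]$Event,
        [string]$Name
    )
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$since  = (Get-Date).AddHours(-$Hours)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } -ErrorAction Stop

# 1. The user-to-IP view that can be derived from these events.
#    Machine accounts (name ending in $), anonymous logons and logons with no source address are skipped.
$logons = foreach ($e in $events) {
    $ip   = Get-EventField $e 'IpAddress'
    $user = Get-EventField $e 'TargetUserName'
    if (-not $ip -or $ip -in @('-', '127.0.0.1', '::1')) { continue }
    if (-not $user -or $user.EndsWith('$') -or $user -eq 'ANONYMOUS LOGON') { continue }
    [pscustomobject]@{
        Time    = $e.TimeCreated
        User    = "$(Get-EventField $e 'TargetDomainName')\$user"
        IP      = $ip
        AuthPkg = Get-EventField $e 'AuthenticationPackageName'
        LmPkg   = Get-EventField $e 'LmPackageName'   # 'NTLM V1' / 'NTLM V2', or '-' for Kerberos
    }
}

Write-Host "Latest logon seen per source IP in the last $Hours h:"
$logons | Sort-Object Time -Descending | Group-Object IP |
    ForEach-Object { $_.Group[0] } | Sort-Object IP |
    Format-Table Time, IP, User, AuthPkg, LmPkg -AutoSize

# 2. The gateway's own logons to this DC. After 'use-ntlmv2 true' these should show
#    LmPkg 'NTLM V2'; any 'NTLM V1' entry means the setting is not in effect on that member.
$fromGateway = $logons | Where-Object { $_.IP -eq $GatewayIp }
if (-not $fromGateway) {
    Write-Warning "No 4624 events from $GatewayIp in the last $Hours h: AD Query may not be polling this DC."
}
foreach ($l in $fromGateway) {
    if ($l.LmPkg -eq 'NTLM V1') {
        Write-Warning "NTLMv1 logon from gateway $($l.IP) as $($l.User) at $($l.Time)"
    }
}
$fromGateway | Format-Table Time, User, AuthPkg, LmPkg -AutoSize
```

Run it once per domain controller that the gateway queries; in a cluster, each member authenticates to the DC on its own, so each member's IP needs to be checked.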
Browser-Based Authentication

- To block access for unauthenticated users when the portal is not available, select Block unauthenticated users when the captive portal is not applicable.
  This option forces users whose traffic is not HTTP based, and who therefore cannot be redirected to the portal, to log in first through Browser-Based Authentication.
- Select if unidentified users are redirected to the Captive Portal for All traffic or Specific destinations.
  In most cases, All traffic is not used because it is not a seamless identification method.
- Under Specific destinations, select Internet or Selected network objects.
  If you select Selected network objects, select the objects from the list or create new objects.
- Click Finish.

- Under Policy Configuration, select Browser-Based Authentication and click Configure.
- In the Identification tab, you can edit settings configured in the wizard if necessary.
- In the Customization tab, select the relevant options:
  - Users must agree to the following conditions - You can require that users agree to legal conditions. In the text box, enter the conditions that are shown to the user.
  - Upload - Lets you upload a company logo. Browse to the logo file and click Apply. The logo is shown in the Displayed Logo section.
  - Use Default - Uses the default logo.
- In the Advanced tab:
  - Portal Address - Keep the default setting, which is the address on which the Captive Portal runs on the Quantum Spark Appliance, or enter a different portal address.
  - Session timeout - Sets how long an authenticated user can access the network or Internet before they have to authenticate again.
  - Enable Unregistered guests login - Allows an unregistered guest user to be identified in the logs by name and not only by IP address.
    An unregistered user is an unmanaged non-AD user, typically a partner or a contractor. To gain access, guests enter their company name, email address, phone number (optional), and name. These details are entered by the guest and are not verified against any directory, so treat the guest name in logs as self-asserted.
    Configure the Guest Session timeout. This is the number of minutes for which a guest user can access network resources. The default timeout is 180 minutes.
    Guest access is logged. The name of the guest shows in the User column of the Logs and Monitoring tab. The other details show in the full log entry.
  - Force quick cache timeout if user closes portal window - When the portal is closed, the user is logged out within 5 - 10 minutes.
- Click Apply.
Identity Collector
Note - In the R81.10.X releases, this feature is available starting from the R81.10.05 version.
Quantum Spark Locally Managed appliances support Identity Collector as an Identity Source in versions R81.10.05 and higher.

- In the Policy Configuration section, select Identity Collector and click Configure.
  The Authorized Clients window opens.
- For each client, enter this information:
  - IPv4 address - The IP address of the Identity Collector client.
  - Secret - The shared secret the Identity Collector client uses to authenticate to the gateway; it must match the secret configured on the client side.
  - Optional - Click Show to display the secret.
- Click Apply.
For more information about Identity Collector configuration, see the Identity Awareness Clients Administration Guide.
Note - This page is available from Access Policy > User Awareness Blade Control and Users & Objects > User Awareness.