28 March 2016

Identity Awareness

Pre-R80 Security Gateways with R80 Security Management

Administration Guide
Classification: [Protected]
© 2016 Check Point Software Technologies Ltd.
All rights reserved. This product and related documentation are protected by copyright and
distributed under licensing restricting their use, copying, distribution, and decompilation. No part
of this product or related documentation may be reproduced in any form or by any means without
prior written authorization of Check Point. While every precaution has been taken in the
preparation of this book, Check Point assumes no responsibility for errors or omissions. This
publication and features described herein are subject to change without notice.
RESTRICTED RIGHTS LEGEND:
Use, duplication, or disclosure by the government is subject to restrictions as set forth in
subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS
252.227-7013 and FAR 52.227-19.
TRADEMARKS:
Refer to the Copyright page http://www.checkpoint.com/copyright.html for a list of our
trademarks.
Refer to the Third Party copyright notices http://www.checkpoint.com/3rd_party_copyright.html
for a list of relevant copyrights and third-party licenses.
Important Information
Check Point R80
For more about this release, see the R80 home page
http://supportcontent.checkpoint.com/solutions?id=sk108623.

Latest Version of this Document


Download the latest version of this document
http://supportcontent.checkpoint.com/documentation_download?ID=46529.
To learn more, visit the Check Point Support Center
http://supportcenter.checkpoint.com.

Feedback
Check Point is engaged in a continuous effort to improve its documentation.
Please help us by sending your comments
(mailto:[email protected]?subject=Feedback on Identity Awareness Pre-R80 Security Gateways
with R80 Security Management Administration Guide).

Searching in Multiple PDFs


To search for text in all the R80 PDF documents, download and extract the complete
R80 documentation package
http://supportcontent.checkpoint.com/documentation_download?ID=46577.
Use Shift-Control-F in Adobe Reader or Foxit Reader.
To search for all text in the R77 PDF documents, download and extract the R77
documentation package
http://supportcontent.checkpoint.com/documentation_download?ID=26770.

Revision History
Date Description
28 March 2016 First release of this document
Contents
Important Information................................................................................................... 3
About this Guide ............................................................................................................ 5
R80 SmartConsole Toolbars ..................................................................................... 5
Getting Started With Identity Awareness ...................................................................... 7
Introduction to Identity Awareness ........................................................................... 7
Scenario: Laptop Access ........................................................................................... 8
User Identification in the Logs ........................................................................................ 9
Scenario: Guest Users from Unmanaged Device ...................................................... 9
Required R80 SmartConsole Configuration .................................................................... 9
Scenario: Recognized User from Unmanaged Device ............................................. 10
Required R80 SmartConsole Configuration ...................................................................10
User Identification in the Logs .......................................................................................11
Scenario: Endpoint Identity Agent Deployment and User Group Access ................. 12
Scenario: Identifying Users in Application Control Logs ......................................... 12
User Identification in the Logs .......................................................................................12
Configuring Identity Awareness .................................................................................. 13
Enabling Identity Awareness on the Security Gateway ........................................... 13
Working with Access Roles ..................................................................................... 15
Automatic LDAP Group Update ......................................................................................15
Using Identity Awareness in the Rule Base............................................................. 17
Access Role Objects.......................................................................................................18
Negate and Drop............................................................................................................18
Configuring Browser-Based Authentication in R80 SmartConsole......................... 19
Configuring Terminal Servers................................................................................. 20
Configuring the Shared Secret ......................................................................................20
Identity Sources .......................................................................................................... 21
Changing Portal Text in R80 SmartConsole ............................................................ 21
Advanced Endpoint Identity Agents Configuration ...................................................... 22
Customizing Parameters ........................................................................................ 22
Index............................................................................................................................ 23
CHAPTER 1

About this Guide


This guide explains how to manage backward compatible (R77.xx and lower) Security Gateways
with the R80 SmartConsole.
This guide shows only the updated procedures. To learn more about earlier features, see the R77
documentation http://supportcontent.checkpoint.com/documentation_download?ID=26770.

R80 SmartConsole Toolbars


Global Toolbar (top left of R80 SmartConsole)

Item            Description and Keyboard Shortcut
Menu            The main R80 SmartConsole Menu
Objects         The Objects menu. Also leads to the Object Explorer (Ctrl+E)
Install Policy  Install policy on managed gateways (Ctrl+Shift+Enter)

Navigation Toolbar (left side of R80 SmartConsole)

Item                Description and Keyboard Shortcut
Gateways & Servers  Gateway configuration view (Ctrl+1)
Security Policies   Access Control view and Threat Prevention view (Ctrl+2)
Logs & Monitor      Logs & Monitor view (Ctrl+3)
Manage & Settings   Review and configure the Security Management Server settings (Ctrl+4)

Identity Awareness Administration Guide Pre-R80 Security Gateways with R80 Security Management
| 5
About this Guide

Command Line Interface Button (left bottom corner of R80 SmartConsole)

Description and Keyboard Shortcut
Open a command line interface for management scripting and API (F9)

What's New Button (left bottom corner of R80 SmartConsole)

Description
Open a tour of the R80 SmartConsole

Objects and Validations Tabs (right side of R80 SmartConsole)

Tab          Description
Objects      Manage security and network objects
Validations  Validation warnings and errors

System Information Area (bottom of R80 SmartConsole)

Area             Description
Task List        Management activities, such as policy installation tasks
Server Details   The IP address of the Security Management Server
Connected Users  The administrators that are connected to the Security Management Server

CHAPTER 2

Getting Started With Identity Awareness

In This Section:
Introduction to Identity Awareness ................................................................................7
Scenario: Laptop Access ................................................................................................8
Scenario: Guest Users from Unmanaged Device .........................................................9
Scenario: Recognized User from Unmanaged Device ................................................10
Scenario: Endpoint Identity Agent Deployment and User Group Access ..................12
Scenario: Identifying Users in Application Control Logs ............................................12

Introduction to Identity Awareness


Identity Awareness uses the source and/or destination IP addresses of network traffic to identify
users and computers. You can use these data elements as matching criteria in the Source and
Destination fields of your policy rules:
• User name
• Computer name
• Groups of users or computers
You can define a policy rule for specified users who send traffic from specified computers or from
any computer. Likewise, you can create a policy rule for any user on specified computers.
Identity Awareness shows the user and computer name together with the IP address in the logs
and reports.


You can see the logs based on user and computer name, and not just IP addresses, in the Logs &
Monitor > Logs tab. You can see events in the Logs & Monitor Access Control views.

Identity Awareness gets identities from these acquisition sources. You must enable them on the
Gateway, from the Identity Awareness page of the Gateway object:
• Browser-Based Authentication
• Active Directory (AD) Query
• Identity Agents (installed on the Endpoint)
• Terminal Servers Agent
• Radius Accounting
• Remote Access
Identity Awareness Security Gateways can share the identity information that they acquire with
other Identity Awareness Security Gateways. In this way, users that need to pass through many
Security Gateways are only identified once. See Advanced Deployment (on page 21) for more information.

Scenario: Laptop Access


James Wilson is an HR partner in the ACME organization. ACME IT wants to limit access to HR
servers to designated IP addresses to minimize malware infection and unauthorized access risks.
Thus, the Security Gateway policy permits access only from James Wilson's desktop, which is
assigned the static IP address 10.0.0.19.
He received a laptop and wants to access the HR Web Server from anywhere in the organization.
The IT department gave the laptop a static IP address, but that limits him to operating it only from
his desk. The current Rule Base contains a rule that lets James Wilson access the HR Web Server
from his laptop with a static IP (10.0.0.19):

Name                         Source     Destination    VPN  Service  Action  Track
Jadams to HR Server Traffic  Jadams_PC  HR_Web_Server  Any  Any      accept  Log

He wants to move around the organization and continue to have access to the HR Web Server.
To make this scenario work, the IT administrator does these steps:
1. Enables Identity Awareness on a Security Gateway, selects AD Query as one of the Identity
Sources and installs the policy.
2. Checks the logs in the Logs & Monitor view of R80 SmartConsole to make sure the system
identifies James Wilson in the logs.
3. Adds an access role object to the Firewall Rule Base that lets James Wilson access the HR
Web Server from any computer and from any location.
4. Sees how the system tracks the actions of the access role in the Logs & Monitor view of R80
SmartConsole.

User Identification in the Logs


The logs in the Logs & Monitor view of R80 SmartConsole show that the system recognizes James
Wilson as the user behind IP 10.0.0.19. This log entry shows that the system maps the source IP to
the user James Wilson from CORP.ACME.COM. This uses the identity acquired from AD Query.

Note - AD Query maps the users based on AD activity. This can take some time and
depends on user activity. If James Wilson is not identified (the IT administrator does not
see the log), he should lock and unlock the computer.

Scenario: Guest Users from Unmanaged Device


Guests frequently come to the ACME company. While they visit, the CEO wants to let them access
the Internet on their own laptops.
Amy, the IT administrator, configures the Captive Portal to let unregistered guests log in to the
portal to get network access. She makes a rule in the Rule Base to let unauthenticated guests
access the Internet only.
When guests browse to the Internet, the Captive Portal opens. Guests enter their name, company,
email address, and phone number in the portal. They then agree to the terms and conditions
written in a network access agreement. Afterwards they are given access to the Internet for a
specified period of time.

Required R80 SmartConsole Configuration


To make this scenario work, the IT administrator must:
1. Enable Identity Awareness on a Security Gateway and select Browser-Based Authentication
as one of the Identity Sources, and click Settings.
2. In the Portal Settings window in the User Access section, make sure that Unregistered
guest login is selected.
3. Click Unregistered guest login - Settings.


4. In the Unregistered Guest Login Settings window, configure:
• The data guests must enter.
• For how long users can access the network resources.
• If a user agreement is required and its text.
5. Create an Access Role rule in the Rule Base, to let identified users access the Internet from
the organization:
a) Right-click Source and select Access Role.
b) In the Users tab, select All identified users.
6. Create an Access Role rule in the Rule Base, to let Unauthenticated Guests access only the
Internet:
a) Right-click Source and select Access Role.
b) In the Users tab, select Specific users > Unauthenticated Guests.
c) Select accept as the Action.
d) Right-click the Action column and select More. The Action Settings window opens.
e) Select Enable Identity Captive Portal.
f) Click OK.

Scenario: Recognized User from Unmanaged Device


The CEO of ACME, Daniel David, recently bought a personal iPad and wants to access the internal
Finance Web server from it. Because the iPad is not a member of the Active Directory domain,
AD Query cannot identify him seamlessly. However, he can enter his AD credentials in the Captive
Portal and then get the same access as on his office computer. His access to resources is based
on rules in the Firewall Rule Base.

Required R80 SmartConsole Configuration


To make this scenario work, the IT administrator must:
1. Enable Identity Awareness on a Security Gateway, select Browser-Based Authentication as
one of the Identity Sources, and click Settings.
2. In the Portal Settings window in the User Access section, make sure that Name and password
login is selected.
3. Create a new rule in the Rule Base to let Daniel David access network destinations. Select
accept as the Action.
4. Right-click the Action column and select More.
The Action Settings window opens.
5. Select Enable Identity Captive Portal.
6. Click OK.
7. From the Source of the rule, right-click to create an Access Role.
a) Enter a Name for the Access Role.
b) In the Users page, select Specific users and choose Daniel David.
c) In the Machines page, make sure that Any machine is selected.
d) Click OK.
The Access Role is added to the rule.

Name                Source        Destination     VPN  Service  Action                                   Track
CEO Access Traffic  Daniel David  Finance_Server  Any  http     Accept (Enable Identity Captive Portal)  Log

User Identification in the Logs

The log entry in the Logs tab of the Logs & Monitor view shows how the system recognizes Daniel
David from his iPad. This uses the identity acquired from Captive Portal.


Scenario: Endpoint Identity Agent Deployment and User Group Access

The ACME organization wants to make sure that only the Finance department can access the
Finance Web server. The current Rule Base uses static IP addresses to define access for the
Finance department.
Amy, the IT administrator, wants to leverage Endpoint Identity Agents so that:
• Finance users are authenticated once, transparently, with SSO when they log in (using
Kerberos, which is built into Microsoft Active Directory).
• Users that roam the organization have continuous access to the Finance Web server.
• Access to the Finance Web server is more secure because IP spoofing attempts are prevented.
Amy wants Finance users to download the Endpoint Identity Agent from the Captive Portal. She
needs to configure:
• Endpoint Identity Agents as an identity source for Identity Awareness.
• Endpoint Identity Agent deployment for the Finance department group from the Captive Portal.
She needs to deploy the Full Endpoint Identity Agent so she can set the IP spoofing protection.
No configuration is necessary on the client for IP spoofing protection.
• A rule in the Rule Base with an access role for Finance users, from all managed computers
and from all locations with IP spoofing protection enabled.
After configuration and policy install, users that browse to the Finance Web server will get the
Captive Portal and can download the Endpoint Identity Agent.

Scenario: Identifying Users in Application Control Logs


The ACME organization wants to use Identity Awareness to monitor outbound application traffic
and learn what their employees are doing. To do this, the IT administrator must enable Application
Control and Identity Awareness. Identity information for the traffic then shows in the logs and
events. See the logs in the Logs & Monitor > Logs tab. See the events in the Logs & Monitor views,
in the Access Control categories.
Next, the IT department can add rules to block specific applications or track them differently in
the Application Control and URL Filtering Layer of the policy to make it even more effective. See
the R80 Application Control and URL Filtering Administration Guide
http://supportcontent.checkpoint.com/documentation_download?ID=46526.

User Identification in the Logs


You can see data for identified users in the Logs and Events that relate to application traffic. See
Logs in the Logs & Monitor view Logs tab. See Events in the Logs & Monitor Access Control views,
and in the SmartEvent GUI client.
The log entry shows that the system maps the source IP address with the user identity. It also
shows Application Control data.

CHAPTER 3

Configuring Identity Awareness


In This Section:
Enabling Identity Awareness on the Security Gateway ............................................13
Working with Access Roles ..........................................................................................15
Using Identity Awareness in the Rule Base ................................................................17
Configuring Browser-Based Authentication in R80 SmartConsole...........................19
Configuring Terminal Servers .....................................................................................20

Enabling Identity Awareness on the Security Gateway


When you enable Identity Awareness on a Security Gateway, a wizard opens. You can use the
wizard to configure one Security Gateway that uses the AD Query, Browser-Based Authentication,
and Terminal Servers for acquiring identities. You cannot use the wizard to configure a multiple
Security Gateway environment or to configure Endpoint Identity Agent and Remote Access
acquisition (other methods for acquiring identities).
When you complete the wizard and install a policy, the system is ready to monitor Identity
Awareness. You can see the logs for user and computer identity in the Logs & Monitor > Logs
tab. You can see events in the Logs & Monitor Access Control views.

To enable Identity Awareness:


1. Log in to R80 SmartConsole.
2. From the Gateways & Servers view, double-click the Security Gateway on which to enable
Identity Awareness.
3. On the Network Security tab, select Identity Awareness.
The Identity Awareness Configuration wizard opens.
4. Select one or more options. These options set the methods for acquiring identities of managed
and unmanaged assets.
• AD Query - Lets the Security Gateway seamlessly identify Active Directory users and
computers.
• Browser-Based Authentication - Sends users to a Web page to acquire identities from
unidentified users. If Transparent Kerberos Authentication is configured, AD users may be
identified transparently.
• Terminal Servers - Identify users in a Terminal Server environment (originating from one
IP address).
These are the methods of acquiring identities you can choose in the wizard. However, other
identity sources are supported.
Note - When you enable Browser-Based Authentication on an IPSO Security Gateway that is on
an IP Series appliance, make sure to set the Voyager management application port to a port
other than 443 or 80.
5. Click Next.
The Integration with Active Directory window opens.


When the R80 SmartConsole client computer is part of the AD domain, R80 SmartConsole
suggests this domain automatically. If you select this domain, the system creates an LDAP
Account Unit with all of the domain controllers in the organization's Active Directory.
Note - We highly recommend that you go to the LDAP Account Unit and make sure that only
necessary domain controllers are in the list. If AD Query is not required to operate with some
of the domain controllers, delete them from the LDAP Servers list.
With the Identity Awareness configuration wizard you can use existing LDAP Account units or
create a new one for one AD domain.
When creating new AD domain, if the SmartConsole computer is part of the domain, the wizard
fetches and configures all the domain controllers of the domain.
If you choose Create new domain, the LDAP account unit that the system creates contains
only the domain controller you set manually.
If it is necessary for AD Query to fetch data from other domain controllers, you must add them
at a later time manually to the LDAP Servers list after you complete the wizard.
To view/edit the LDAP Account Unit object, open Object Explorer (Ctrl + E), and select Servers
> LDAP Account units in the Categories tree.
The LDAP Account Unit name syntax is: <domain name>__AD
For example, CORP.ACME.COM__AD.
6. From the Select an Active Directory list, select the Active Directory to configure from the list
that shows configured LDAP account units or create a new domain. If you have not set up
Active Directory, you need to enter a domain name, username, password and domain
controller credentials.
7. Enter the Active Directory credentials and click Connect to verify the credentials.
Important - For AD Query you must enter domain administrator credentials. For
Browser-Based Authentication standard credentials are sufficient.
8. If you selected Browser-Based Authentication or Terminal Servers and do not wish to
configure Active Directory, select I do not wish to configure Active Directory at this time and
click Next.
9. Click Next.
If you selected Browser-Based Authentication on the first page, the Browser-Based
Authentication Settings page opens.
10. In the Browser-Based Authentication Settings page, select a URL for the portal, where
unidentified users will be directed.
All IP addresses configured for the Security Gateway show in the list. The IP address selected
by default is the Security Gateway main IP address. The same IP address can be used for other
portals with different paths. For example:
• Identity Awareness Browser-Based Authentication - 192.0.2.2/connect
• DLP Portal - 192.0.2.2/DLP
• Mobile Access Portal - 192.0.2.2/sslvpn
11. By default, access to the portal is only through internal interfaces. To change this, click Edit.
We do not recommend that you let the portal be accessed through external interfaces on a
perimeter Security Gateway.
12. Click Next. The Identity Awareness is Now Active page opens with a summary of the
acquisition methods.
If you selected Terminal Servers, the page includes a link to download the agent.
13. Click Finish.
14. Select Install Policy (Ctrl+Shift+Enter).

Working with Access Roles


After you enable Identity Awareness, you create Access Role objects.
You can use Access Role objects as source and/or destination parameter in a rule. Access role
objects can include one or more of these objects:
• Networks
• Users and user groups
• Computers and computer groups
• Remote Access Clients

To create an Access Role object:


1. In R80 SmartConsole, open the Object Explorer (Ctrl+E).
2. Click New > Users > Access Role.
The New Access Role window opens.
3. Enter a Name and Comment (optional).
4. On the Networks page, select one of these:
• Any network
• Specific networks - Click the plus sign and select a network - click the plus sign next to the
network name or search for a known network
5. On the Users page, select one of these:
• Any user
• All identified users - Includes users identified by a supported authentication method.
• Specific users - Click the plus sign and select a user - click the plus sign next to the
username or search for a known user or user group.
6. On the Machines page, select one of these:
• Any machine
• All identified machines - Includes computers identified by a supported authentication
method
• Specific machines - Click the plus sign and select a device - click the plus sign next to the
device name or search for a known device or group of devices
For computers that use Full Endpoint Identity Agents, you can select (optional) Enforce IP
Spoofing protection.
7. On the Remote Access Clients page, select the Allowed Clients or add new ones. For R77.xx
Gateways or lower, you must choose Any.
8. Click OK.

Automatic LDAP Group Update


Identity Awareness automatically recognizes changes to LDAP group membership and updates
identity information, including access roles.
When you:
• Add an LDAP group to another LDAP group
• Remove an LDAP group from another LDAP group
• Move an LDAP user from one LDAP group to another
the system recalculates LDAP group membership for ALL users in ALL groups. Be very careful
when you deactivate the Update only user-related LDAP changes option (see below): a full
recalculation on every LDAP change can cause excessive gateway CPU load.
LDAP Group Update is activated by default. You can manually deactivate LDAP Group Update with
the CLI.

Important - Automatic LDAP group update works only with Microsoft Active Directory
when AD Query is activated.

To deactivate automatic LDAP group update:


1. From the Security Gateway command line, run:
adlogconfig a
The adlog status screen and menu opens.
2. Select Turn LDAP groups update on/off.
LDAP groups update notifications status changes to [ ] (not active). If you enter Turn LDAP
groups update on/off when automatic LDAP group update is not active, LDAP groups update
notifications status changes to [X] (active).
3. Enter Exit and save to save this setting and close the adlogconfig tool.
4. Install policy.
You can use adlogconfig to set the time between LDAP change notifications and to send
notifications only for user related changes.

To configure LDAP group notification options:


1. From the Security Gateway command line, run:
adlogconfig a
The adlog status screen and menu opens.
2. Enter the Notifications accumulation time to set the time between LDAP change notifications.
3. Enter the time between notifications in seconds (default = 10).
4. Enter Update only user-related LDAP changes to/not to send notifications only for user
related changes.
Be very careful when you deactivate only user-related notifications. This can cause excessive
gateway CPU load.
5. Enter Exit and save to save these settings and close the adlogconfig tool.
6. Install policy.
Automatic LDAP Group Update does not occur immediately because Identity Awareness looks for
users and groups in the LDAP cache first. The information in the cache does not contain the
updated LDAP Groups. By default, the cache contains 1,000 users and cached user information is
updated every 15 minutes.
You must deactivate the LDAP cache to get automatic LDAP Group Update assignments
immediately. This action can cause Identity Awareness to work slower.

To deactivate the LDAP cache:


1. In R80 SmartConsole, go to Menu > Global Properties > User Directory.
2. Change Timeout on cached users to 0.
3. Change Cache size to zero.
4. Install policy.
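The cache behaviour described above, as an added example that is not Check Point's code: a Python model of a bounded, time-limited user cache and of what the gateway decides when a user is removed from the Finance group while his entry is still cached. The user, the group and the timings are constructed; the defaults mirror the 1,000-user, 15-minute values from the text, and size 0 or timeout 0 stands for the "deactivate the LDAP cache" procedure.

```python
# Added example (not Check Point code): a model of the User Directory cache
# (Global Properties > User Directory) and of the window in which an LDAP group
# change is not enforced. Users, groups and timings are constructed.
from collections import OrderedDict


class UserDirectoryCache:
    """Caches user -> groups for up to `size` users; an entry is reused until
    it is older than `timeout` seconds (defaults: 1,000 users, 15 minutes).
    size=0 or timeout=0 disables caching, as in the guide's procedure."""

    def __init__(self, directory: dict, size: int = 1000, timeout: int = 900):
        self.directory = directory      # authoritative LDAP view: user -> set of groups
        self.size, self.timeout = size, timeout
        self._entries = OrderedDict()   # user -> (fetched_at, groups), in LRU order
        self.directory_queries = 0      # how often LDAP had to be asked

    def groups_of(self, user: str, now: float) -> frozenset:
        entry = self._entries.get(user)
        if entry is not None and now - entry[0] < self.timeout:
            self._entries.move_to_end(user)   # cache hit: no LDAP round trip
            return entry[1]
        self.directory_queries += 1
        groups = frozenset(self.directory.get(user, ()))
        if self.size > 0 and self.timeout > 0:
            self._entries[user] = (now, groups)
            self._entries.move_to_end(user)
            while len(self._entries) > self.size:
                self._entries.popitem(last=False)   # evict the least recently used user
        return groups


def finance_access(cache: UserDirectoryCache, user: str, now: float) -> bool:
    """Access Role check: is the user currently a member of Finance?"""
    return "Finance" in cache.groups_of(user, now)


def revocation_timeline(size: int = 1000, timeout: int = 900):
    """bob is removed from Finance at t=60s. Returns the gateway's decision at
    t=0, t=60 and t=900 plus the number of directory queries made."""
    directory = {"bob": {"Finance", "Domain Users"}}
    cache = UserDirectoryCache(directory, size, timeout)
    before = finance_access(cache, "bob", 0)
    directory["bob"] = {"Domain Users"}            # the group change in AD
    right_after = finance_access(cache, "bob", 60)
    after_timeout = finance_access(cache, "bob", 900)
    return before, right_after, after_timeout, cache.directory_queries


def lru_eviction_queries() -> int:
    """With a one-entry cache, re-reading the first user is a miss again."""
    cache = UserDirectoryCache({"alice": {"G"}, "bob": {"G"}}, size=1, timeout=900)
    cache.groups_of("alice", 0)
    cache.groups_of("bob", 0)      # evicts alice
    cache.groups_of("alice", 1)
    return cache.directory_queries


if __name__ == "__main__":
    print("default cache :", revocation_timeline())        # (True, True, False, 2)
    print("cache disabled:", revocation_timeline(0, 0))    # (True, False, False, 3)
```

With the default cache the revoked user is still treated as a Finance member at t=60 and loses access only when his cached entry expires at t=900; with the cache disabled the change is enforced on the very next connection, at the price of one directory query per lookup, which is the slowdown the text warns about.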


Using Identity Awareness in the Rule Base


The Security Gateway examines packets and applies rules in a sequential manner. When a
Security Gateway receives a packet from a connection, it examines the packet against the first rule
in the Rule Base. If there is no match, it then goes on to the second rule and continues until it
matches a rule.
In rules with access roles, you can add a property in the Action field to enable the Captive Portal. If
this property is added, when the source identity is unknown and traffic is HTTP, the user is
redirected to the Captive Portal. The packet is matched according to the other fields in the rule.
After the system gets the credentials from the Captive Portal, it can examine the rule for the next
connection.
In rules with access role objects, criteria matching works like this:
• When identity data for an IP is known:
• If it matches an access role, the rule is enforced and traffic is allowed or blocked based on
the action.
• If it does not match an access role, the next rule is examined.
• When identity data for an IP is unknown and:
• All rule fields match, other than the source field with an access role.
• The connection is http.
• The action is set to redirect to the Captive Portal.
If all the conditions apply, the traffic is redirected to the Captive Portal to get credentials
and see if there is a match.
If not all conditions apply, there is no match and the next rule is examined.
Note - When you set the option to redirect http traffic from unidentified IP addresses to the
Captive Portal, make sure to place the rule in the correct position in the Rule Base to avoid
unwanted behavior.

To redirect http traffic to the Captive Portal:


1. In a policy rule that uses an access role in the Source column, right-click the Action column
and select More.
The Action Settings window opens.
2. Select the Enable Identity Captive Portal.
3. Click OK.
The Action column shows that a redirect to the Captive Portal occurs.


This is an example of a Rule Base that describes how matching operates:

No.  Source                      Destination         Services & Applications  Action
1    Finance_Dept (Access Role)  Finance_Web_Server  Any                      Accept (display Captive Portal)
2    Admin_IP                    Any                 Any                      Accept
3    Any                         Any                 Any                      Drop

Example 1 - If an unidentified Finance user tries to access the Finance Web Server with http, a
redirect to the Captive Portal occurs. After the user enters credentials, the Security Gateway
allows access to the Finance Web Server. Access is allowed based on rule number 1, which
identifies the user through the Captive Portal as belonging to the Finance access role.
Example 2 - If an unidentified administrator tries to access the Finance Web Server with http, a
redirect to the Captive Portal occurs despite rule number 2. After the administrator is identified,
rule number 2 matches. To let the administrator access the Finance Web Server without
redirection to the Captive Portal, switch the order of rules 1 and 2 or add a network restriction to
the access role.

Access Role Objects


You can use Access Role objects as the Source and/or Destination parameter in a rule. For example,
the rule below allows file sharing between the IT department and the Sales department access roles.

Name                       Source   Destination  VPN  Services & Applications  Action
IT and Sales File Sharing  IT_dept  Sales_dept   Any  ftp                      accept

Negate and Drop


When you negate a source or destination parameter, the rule applies to all sources/destinations
except for the specified source/destination object. When the object is an access role, this
includes all unidentified entities as well.
When you negate an access role, the rule applies to everyone except the members of that access
role, and "everyone" here includes unidentified entities. For example, let's say that the rule
below is positioned above the Any, Any, Drop rule. The rule means that everyone (including
unidentified users) can access the Intranet Web Server except for temporary employees. If a
temporary employee is not identified when she accesses the system, she will have access to the
Intranet Web Server.
To negate a cell, right-click the cell with the access role and select Negate Cell. The word
[Negated] is added to the cell.

Source                    Destination          VPN  Services & Applications  Action
Temp_employees [Negated]  Intranet_web_server  Any  http                     accept


To prevent access to unidentified users, add another rule that ensures that only identified
employees are allowed access.

Source                   Destination          VPN  Services & Applications  Action
Temp_employees           Intranet_web_server  Any  http                     drop
Any_identified_employee  Intranet_web_server  Any  http                     accept
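The following is an added example, not Check Point code: a small Python simulator of the matching order described in "Using Identity Awareness in the Rule Base" (Captive Portal redirect for unidentified http traffic) and in "Negate and Drop" (a negated access role also covering unidentified entities). The IP object Admin_IP is mapped to a constructed address, "Any_identified_employee" is modelled as a role held by every identified user, and the implicit cleanup drop is an assumption of the simulator.

```python
from dataclasses import dataclass

@dataclass
class Rule:
    source: str                   # access role, IP object name, or "Any"
    dest: str
    service: str                  # "http", "ftp", "Any", ...
    action: str                   # "accept" or "drop"
    captive_portal: bool = False  # "Enable Identity Captive Portal" set on the Action
    negated: bool = False         # Source cell marked [Negated]

IP_OBJECTS = {"Admin_IP": {"10.0.0.9"}}  # constructed; any other source name is an access role
def source_matches(rule, src_ip, roles):
    """True/False when the Source cell is decided; None when the identity of src_ip
    is unknown (roles is None) and the cell holds a non-negated access role."""
    if rule.source == "Any":
        return True
    if rule.source in IP_OBJECTS:
        return src_ip in IP_OBJECTS[rule.source]
    if roles is None:                          # unidentified entity
        return True if rule.negated else None  # a negated role also covers the unidentified
    in_role = rule.source in roles
    return (not in_role) if rule.negated else in_role

def match(rules, src_ip, dest, service, roles=None):
    """Walk the Rule Base top-down and return (rule number, decision)."""
    for n, r in enumerate(rules, 1):
        if r.dest not in ("Any", dest) or r.service not in ("Any", service):
            continue                           # other fields differ: next rule
        src = source_matches(r, src_ip, roles)
        if src is True:
            return n, r.action
        if src is None and service == "http" and r.captive_portal:
            return n, "redirect"               # unknown user is sent to the Captive Portal
    return None, "drop"                        # implicit cleanup (simulator assumption)
RULEBASE_EXAMPLE = [  # the three-rule example Rule Base above
    Rule("Finance_Dept", "Finance_Web_Server", "Any", "accept", captive_portal=True),
    Rule("Admin_IP", "Any", "Any", "accept"),
    Rule("Any", "Any", "Any", "drop"),
]
RULEBASE_NEGATED = [  # negated access role above the cleanup rule: unidentified users get in
    Rule("Temp_employees", "Intranet_web_server", "http", "accept", negated=True),
    Rule("Any", "Any", "Any", "drop"),
]
RULEBASE_FIXED = [  # explicit drop for temps, then accept only identified employees
    Rule("Temp_employees", "Intranet_web_server", "http", "drop"),
    Rule("Any_identified_employee", "Intranet_web_server", "http", "accept"),
    Rule("Any", "Any", "Any", "drop"),
]
```

Calling match with roles=None reproduces Example 1 and Example 2 (redirect on rule 1 even for the Admin_IP host), and the two Intranet Rule Bases show why the negated rule alone lets unidentified users through.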

Configuring Browser-Based Authentication in R80 SmartConsole

In the Identity Sources section of the Identity Awareness page, select Browser-Based
Authentication to send unidentified users to the Captive Portal.
If you configure Transparent Kerberos Authentication, the browser tries to identify AD users
before sending them to the Captive Portal.
If you already configured the portal in the Identity Awareness Wizard or R80 SmartConsole, its
URL shows below Browser-Based Authentication.

To configure the Browser-Based Authentication settings:


1. Select Browser-Based Authentication and click Settings.
2. From the Portal Settings window, configure:
• Portal Network Location
• Access Settings
• Authentication Settings
• Customize Appearance
• User Access
• Endpoint Identity Agent Deployment from the Portal

Note - When you enable Browser-Based Authentication on an IPSO Security Gateway that is on an
IP Series appliance, make sure to set the Voyager management application port to a port other
than 443 or 80.


Configuring Terminal Servers


Configuring the Shared Secret
You must configure the same password as a shared secret in the Terminal Servers Endpoint
Identity Agent on the application server that hosts the Terminal/Citrix services and on the Security
Gateway enabled with Identity Awareness. The shared secret enables secure communication and
lets the Security Gateway trust the application server with the Terminal Servers functionality.
The shared secret must contain at least 1 digit, 1 lowercase character and 1 uppercase character,
must not contain more than three consecutive digits, and must be eight characters long. In R80
SmartConsole, you can automatically generate a shared secret that matches these conditions.
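As an added example (not the product's own generator), the following Python checks a candidate against the shared-secret conditions just listed and draws a compliant secret from a CSPRNG by rejection sampling. "No more than three consecutive digits" is read here as "no four digit characters in a row", which is an assumption; the generator alphabet is also an assumption.

```python
import re
import secrets
import string

SECRET_LENGTH = 8
ALPHABET = string.ascii_letters + string.digits  # assumed generator alphabet

def secret_is_valid(secret: str) -> bool:
    """Return True when secret satisfies the conditions stated above: exactly eight
    characters, at least one digit, one lowercase and one uppercase letter, and no
    run of four or more consecutive digit characters (assumed reading of the rule)."""
    return (
        len(secret) == SECRET_LENGTH
        and any(c in string.digits for c in secret)
        and any(c in string.ascii_lowercase for c in secret)
        and any(c in string.ascii_uppercase for c in secret)
        and re.search(r"[0-9]{4}", secret) is None
    )

def generate_secret() -> str:
    """Draw candidates from the OS CSPRNG until one passes secret_is_valid."""
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(SECRET_LENGTH))
        if secret_is_valid(candidate):
            return candidate
```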

To configure the shared secret on the Identity Server:


1. Log in to R80 SmartConsole.
2. From the Gateways & Servers view, double-click the Check Point Security Gateway that has
Identity Awareness enabled.
3. Go to the Identity Awareness page.
4. In the Identity Sources section, select Terminal Servers and click Settings.
5. To automatically configure the shared secret:
a) Click Generate to automatically get a shared secret that matches the string conditions.
The generated password is shown in the Pre-shared secret field.
b) Click OK.
6. To manually configure the shared secret:
a) Enter a password that matches the conditions in the Pre-shared secret field. Note the
strength of the password in the Indicator.
b) Click OK.

To configure the shared secret on the application server:


1. Open the Terminal Servers Endpoint Identity Agent.
The Check Point Endpoint Identity Agent - Terminal Servers main window opens.
2. In the Advanced section, click Terminal Servers Settings.
3. In Identity Server Shared Secret, enter the shared secret string.
4. Click Save.

CHAPTER 4
CHAPTER 5

Identity Sources

Changing Portal Text in R80 SmartConsole


To change the portal text in R80 SmartConsole:
1. Go to Menu > Global Properties > Advanced.
2. Click Configure.
3. Go to Identity Awareness > Portal Texts.
4. Delete the word DEFAULT and type the new English text in the required field.
5. Click OK.
6. Install the policy.

CHAPTER 6

Advanced Endpoint Identity Agents Configuration


Customizing Parameters
You can change settings for Endpoint Identity Agent parameters to control Endpoint Identity Agent
behavior. You can change some of the settings in R80 SmartConsole and others using the
Endpoint Identity Agent Configuration tool.

To change Endpoint Identity Agents parameters in R80 SmartConsole:


1. Go to Menu > Global Properties > Advanced.
2. Click Configure.
3. Go to Identity Awareness > Agent.
4. Change the Endpoint Identity Agents parameters.
5. Click OK.
This is a sample list of parameters that you can change:

Parameter                         Description
Nac_agent_disable_settings        Whether users can right-click the Endpoint Identity Agent client
                                  (umbrella icon on their desktops) and change settings.
Nac_agent_email_for_sending_logs  A default email address to which client troubleshooting
                                  information is sent.
Nac_agent_disable_quit            Whether users can right-click the Endpoint Identity Agent client
                                  (umbrella icon on their desktops) and close the agent.
Nac_agent_disable_tagging         Whether to disable the packet tagging feature that prevents IP
                                  spoofing.
Nac_agent_hide_client             Whether to hide the client (the umbrella icon does not show on
                                  users' desktops).

Index

A
About this Guide • 5
Access Role Objects • 18
Advanced Deployment • 21
Advanced Endpoint Identity Agents Configuration • 23
Automatic LDAP Group Update • 15

C
Changing Portal Text in R80 SmartConsole • 22
Configuring Browser-Based Authentication in R80 SmartConsole • 19
Configuring Identity Awareness • 13
Configuring Terminal Servers • 19
Configuring the Shared Secret • 19
Customizing Parameters • 23

E
Enabling Identity Awareness on the Security Gateway • 13

G
Getting Started With Identity Awareness • 7

I
Identity Sources • 22
Important Information • 3
Introduction to Identity Awareness • 7

N
Negate and Drop • 18

R
R80 SmartConsole Toolbars • 5
Required R80 SmartConsole Configuration • 9, 10

S
Scenario
  Endpoint Identity Agent Deployment and User Group Access • 11
  Guest Users from Unmanaged Device • 9
  Identifying Users in Application Control Logs • 12
  Laptop Access • 8
  Recognized User from Unmanaged Device • 10

T
Testing Identity Sources • 21

U
User Identification in the Logs • 9, 11, 12
Using Identity Awareness in the Rule Base • 17

W
Working with Access Roles • 15
